
Questions for the Case

1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
From the main screen click File Analysis and check out what files you can see. The file that we are most interested in is JimmyJungle.doc. Export the file to your desktop and open it up in OpenOffice.
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

2. What crucial data is available within the coverpage.jpg file and why is this data crucial?
In the same File Analysis screen let's analyze the coverpage. Under Hex click Report. Let's note the size:

Size: 15585 bytes (0x3ce1)

Now let's move over to Image Details on the top tabs.
pw=goodtimes
Hmm, wonder what that could mean.
There is another way that we could pull this out. Click Display under Hex at the top of the screen. To me this is a bit easier to see and go through. The password was hidden away in the slack space of the file.

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
For this next question let's go back to the File Analysis screen and click on Scheduled Visits.exe.

Something that stands out almost immediately is Scheduled Visits.xls: there is an Excel spreadsheet in there. Something tells me that this is not an executable. To find out whether it is or not, we need to look at the file signature.
Under ASCII click Report. The information that we are interested in is the Sectors 104-105, as well as the File Type; notice it says empty (Zip archive data, at least v2.0 to extract).
Let's go back to the Image Details screen and scroll to the bottom. We want to look at sectors 104-108. Here is the ASCII contents of sectors 104-108. To figure out the file signature we need to look at the Hex. Click on Display under Hex.
Our file starts at 104 and we are currently viewing Sectors 104-108, so we don't really need to hunt around in the hex. What we need to pay attention to is the first 4 bytes. Zip files have a file signature of 50 4B 03 04 or PK.. (that's P K <dot> <dot>). For a list of different file signatures visit http://www.garykessler.net/library/file_sigs.html. What do we see? The very top of the hex dump: 504b0304 and PK..
Looks like it is a zip file. Export the file and change the file extension from .exe to .zip.
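The signature check from question 3 and the slack-space string from question 2, as an added Python example that is not part of the original walkthrough or of Autopsy: it maps a sector range to a byte offset, compares the first bytes against a small magic-number table, flags an extension that does not match the content, and pulls printable strings out of the same buffer. The demo image, the 512-byte sector size and the planted values are constructed assumptions.

```python
import os
import re
from typing import Optional

# Magic-number table, limited to the types this case turns on. Values are from
# public file-signature lists such as garykessler.net/library/file_sigs.html.
SIGNATURES = {
    b"PK\x03\x04": "zip",   # 50 4B 03 04: ZIP (also .docx/.xlsx/.jar)
    b"MZ": "exe",           # 4D 5A: DOS/PE executable
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls
}
EXPECTED = {".zip": "zip", ".exe": "exe", ".jpg": "jpeg", ".doc": "ole2", ".xls": "ole2"}
SECTOR = 512  # assumed sector size of the image

def identify(data: bytes) -> Optional[str]:
    """Return the type whose magic bytes prefix `data`, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def extension_mismatch(name: str, data: bytes):
    """Return (claimed, actual) when the extension promises one type and the content is another."""
    claimed = EXPECTED.get(os.path.splitext(name)[1].lower())
    actual = identify(data)
    return (claimed, actual) if claimed and actual and claimed != actual else None

def sector_bytes(image: bytes, first: int, last: int) -> bytes:
    """Slice an inclusive sector range out of a raw image (sector number -> byte offset)."""
    return image[first * SECTOR:(last + 1) * SECTOR]

def slack_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs in a buffer; the kind of thing that survives in file slack."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]

# Constructed demo image: 200 zeroed sectors with a ZIP header planted at sector
# 104 (where Scheduled Visits.exe starts in the case) and a leftover string in slack.
demo_image = bytearray(SECTOR * 200)
demo_image[104 * SECTOR:104 * SECTOR + 4] = b"PK\x03\x04"
demo_image[108 * SECTOR + 100:108 * SECTOR + 113] = b"pw=goodtimes\x00"

if __name__ == "__main__":
    chunk = sector_bytes(bytes(demo_image), 104, 108)
    print(identify(chunk))                                    # zip
    print(extension_mismatch("Scheduled Visits.exe", chunk))  # ('exe', 'zip')
    print(slack_strings(chunk))                               # ['pw=goodtimes']
```

Against a real image, replace the constructed buffer with the bytes read from the exported file or from the image at the sector offsets Autopsy reports.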

4. For each file, what processes were taken by the suspect to mask them from others?
5. What processes did you (the investigator) use to successfully examine the entire contents of each file?
6. What Microsoft program was used to create the Cover Page file? What is your proof? (Proof is the key to getting this question right, not just making a guess.)
