CSE 469 In-Class Lab3

Names: Steven Tran, Jason Truong, Kshitiz Singh, ID: 1210776512


Overview
1. Recover the modified file extension and header
2. Create and analyze the image using the tool “ProDiscover”
3. Discover and recover the photo using the online hex editor https://hexed.it/
4. Read the EXIF information
Prerequisites: a Windows 10 compatible machine, 32 or 64 bit
1. Download and install:
1) ProDiscover: https://prodiscover-basic.software.informer.com/download/
(Install and run as Administrator)
2. A USB memory stick (128 MB+), or download the pre-made image test1.eve from lab3.zip
3. Download and unzip the test files at https://www.dropbox.com/s/ucenui00jh65cy4/lab3.zip?dl=0
4. Submit the result of this form as a PDF to Gradescope https://www.gradescope.com/courses/79694/
The deadline is at the beginning of the next class.

Finding the intellectual property and recovering it


Step 1.
Work through the example (lab3.mp4 on Piazza or in Canvas Resources)
- Make see2.exe from see.jpg
- Create the image of the target USB using ProDiscover and recover see2.jpg using
https://hexed.it (you can use the test1.eve image file instead of a physical USB)

Check the EXIF information of the recovered image (see2.jpg)

- What is the normal header value (10 bytes)?

FF D8 FF E0 00

- What is the size (KB) of see2.jpg?

2738 kB

- What is the name of the camera maker and model in EXIF information?
Maker: iPhone
Model: Apple iPhone 11 Pro

- When was the photo taken?

9/23/2019 at 8:46AM

Step 2.
Please investigate an IP (Intellectual Property) theft by a contract employee of Exotic Mountain Tour
Service (EMTS). Recover the stolen IP.

Clue #1: We have seized the employee’s hard disk and created a disk image (name: test2.eve) using
ProDiscover for you to download. It is believed that a picture of a newly designed boat was stolen.

Clue #2: All valid JPEG files end with the end-of-image mark ff d9, and the header should start with “ff
d8 ff e0 00 10 4a 46 49 46”.

Clue #3: It is believed the employee disguised the JPEG file as a Windows executable (.exe) and
altered the image’s header. You can analyze it with https://hexed.it/ .

- What were the modified 10 header bytes?

7A 7A 7A 7A 00

- What is the file name and size (KB) of the IP?

Gametour2.exe
Size: 202 KB

- What is the name of the camera maker and model in EXIF information?
Camera maker: Minolta Co.
Model: Minolta Co. Ltd. Dimage 2330 Zoom

- When was the photo taken?


2001 08:05 14:50:07

- Attach the IP images here:
