Zip Files

mark777
(@mark777)
Topic starter
 

Should possibly be in the Software forum, if so I apologise.

I am doing a CP case where I am recovering thousands of CP images including some that the suspect has taken himself (apparently) using a digital camera.

I have recovered one zip file that when activating requires a password to open. Once opened (I know the password) there are 110 jpg files in it all of which have names that seem to relate to the first name of the young daughter of a family friend of the suspect's. (You can see what I am thinking here.) I am a bit concerned as to why, with so many illegal in clear view, these are protected. Each of the 110 jpg files are themselves password protected but not with the same one as the zip file.

PRTK does nothing at all with the zip file even though the dictionary used contains the known password for it.

I have conducted the following experiment:

1. Create zip file and place 1 file in it passworded with FRED
2. Create zip file and put 1 file in it passworded with TEST
3. Create zip file and put two files in it one passworded with FRED and the other with TEST

Then ran all files through PRTK.

1 above was cracked in seconds.
2 above was cracked in seconds.
3 above is still running and has been for ever it seems with no results.

It appears PRTK is unable to deal with zip files with more than one password involved.

I have also tried to export using EnCase and FTK the individual jpg files to attack them individually but am unable to do so without the password.

I would really appreciate any advice that anyone could give me to try and resolve this problem and gin access to the images.

Whilst I have more than enough evidence and images to ensure a good result I am concerned that I may be missing the opportunity to identify a possible victim if I am unable to access the zip file images.

 
Posted : 03/05/2007 4:38 pm
mark777
(@mark777)
Topic starter
 

Apologies for the spelling mistake third line up from the bottom of the above post.

Gin is what I need but gain is what I intended to write.

 
Posted : 03/05/2007 4:41 pm
Alan
(@alan)
 

Hi Mark,

Have you contacted AccessData regarding the problem? They should be able to provide some guidance.

A

 
Posted : 03/05/2007 4:55 pm
mark777
(@mark777)
Topic starter
 

Alan

Yeah, several postings and messages to Jessica. Have spent the last two days installing, uninstalling, activating and deactivating everything in sight but as yet nothing that works. Have sent her another message re the latest episodes but I assume that in the USA she will still be in bed.

Time constraints mean I need to get on with the rest of the computers he had ( 1 Mac - 450 DVD 3 160 Gb HDD and 28 Camera cards and he is on bail till next week!!!!) so I thought I would ask on here to see if anyone had any ideas. Hopefully if I can get the individual jpgs out I can attack them individually.

Other concern was that the zip password and the file password are somehow interlinked and I cannot do them individually even if I can get them out.

Plan is, if all else fails to slap the case on the desk in interview and ask him what the password is but I would rather get it myself than look like I don't know what I'm doing (do I know what I'm doing I hear you ask) to be honest.

Thanks for replying

cry

 
Posted : 03/05/2007 5:03 pm
Alan
(@alan)
 

Mark,

What ZIP utility did he use? I have seen files zipped with SecureZIP from PKWARE, which uses very strong encryption routines. I don’t think the normal zip utilities would cause such a problem as you described!

Another possibility is that the zip file could be corrupt?

Alan

 
Posted : 03/05/2007 5:13 pm
mark777
(@mark777)
Topic starter
 

Alan

I have found WinRAR but not WinZip. Problem is that the drive he has stored this folder/file on appears to be a storage folder for all his different computers - linux - apple and windows. The .zip file I am talking about is in a folder called macbackup so will need to look there as well.

The fella is a geek so that says it all about his set up really.

Have also found several .vmc and .vhd files re virtual on the drives as well.

Haven't even tried anything with them yet.

I wouldn't have thought the .zip file was corrupted as when you click it it opens and then when you put the password in it displays the files inside to you - just doesn't let me get at them.

Never mind, will keep going. It's all a good learning curve.

Mark wink

 
Posted : 03/05/2007 8:43 pm
(@marat)
 

mark777,

> Problem is that the drive he has stored this folder/file on appears to be a storage folder for all his different computers - linux - apple and windows.

You can try to determine the *.zip file metadata (like version of archiving tool, OS where the *.zip was created, etc.)

 
Posted : 03/05/2007 9:51 pm
(@chris2792)
 

> It appears PRTK is unable to deal with zip files with more than one password involved

Perhaps that's an issue of Winzip. Winzip lets you enter a password once, then every operation will be done using that password until the archive is closed.

If you have a ZIP-Archive with 2 different passwords you'll have to extract one file, close the archive, reopen it and extract the other file.

 
Posted : 04/05/2007 4:05 pm
(@mitch)
 

Mark

If the suspect has taken any photos of CP himself, have you seized all digital cameras? Because if you have the memory cards, you could tie up the camera with the images via EXIF info. (Don't mean to be rude but hey, I've known it to be missed.)

also pm you mark

Simon

 
Posted : 04/05/2007 6:36 pm
_nik_
(@_nik_)
 

> I am a bit concerned as to why, with so many illegal in clear view, these are protected.

Yes - that's a valid concern. I'm glad you are persisting!

> Each of the 110 jpg files are themselves password protected but not with the same one as the zip file.

When you look at the zip file are the file names there in plain text?
Are there other files than the 110 pics in there?

A possibility would be to edit the zip file so that you only have the files that you can not access in there. Then run PRTK on it.

 
Posted : 04/05/2007 7:54 pm
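
Added example, not part of the thread and not code from PRTK, EnCase or FTK: the metadata check marat suggests and the plain-text file name question _nik_ asks can both be answered from the ZIP central directory, which is readable without any password. It uses Python's standard `zipfile` module; the sample archive and its file names are constructed, with the "encrypted" flag set by hand on one entry.

```python
import io
import zipfile

# Host-system codes from the upper byte of "version made by" (ZIP APPNOTE).
HOST_OS = {0: "MS-DOS/FAT", 3: "UNIX", 7: "Macintosh",
           10: "Windows NTFS", 19: "OS X (Darwin)"}

def entry_metadata(zip_bytes):
    """Report per-entry metadata from the central directory only."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if zi.compress_type == 99:        # method 99 marks WinZip AES
                scheme = "WinZip AES"
            elif zi.flag_bits & 0x40:         # bit 6: PKWARE strong encryption
                scheme = "PKWARE strong encryption"
            elif zi.flag_bits & 0x01:         # bit 0: entry is encrypted
                scheme = "traditional PKZIP"
            else:
                scheme = "none"
            rows.append({
                "name": zi.filename,
                "host_os": HOST_OS.get(zi.create_system, f"code {zi.create_system}"),
                "made_by_version": f"{zi.create_version // 10}.{zi.create_version % 10}",
                "encryption": scheme,
                # bit 13: central directory values are masked/encrypted
                "names_masked": bool(zi.flag_bits & 0x2000),
            })
    return rows

def build_sample():
    """Constructed test archive: two stored entries, one flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, system in (("a.jpg", 0), ("b.jpg", 3)):
            zi = zipfile.ZipInfo(name)
            zi.create_system = system         # pretend different creating hosts
            zf.writestr(zi, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    first_cd = raw.find(b"PK\x01\x02")        # first central directory header
    raw[first_cd + 8] |= 0x01                 # set bit 0 (encrypted) for a.jpg only
    return bytes(raw)

if __name__ == "__main__":
    for row in entry_metadata(build_sample()):
        print(row)
```

The encryption flag is stored per entry, so entries in one archive can differ in whether and how they are protected; run this against a working copy, never the original evidence file.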