Zip Files


mark777
Senior Member
 

Zip Files

Post Posted: May 03, 07 16:38

Should possibly be in the Software forum, if so I apologise.

I am doing a CP case where I am recovering thousands of CP images including some that the suspect has taken himself (apparently) using a digital camera.

I have recovered one zip file that when activating requires a password to open. Once opened (I know the password) there are 110 jpg files in it all of which have names that seem to relate to the first name of the young daughter of a family friend of the suspect's. (You can see what I am thinking here) I am a bit concerned as to why, with so many illegal in clear view, these are protected. Each of the 110 jpg files are themselves password protected but not with the same one as the zip file.

PRTK does nothing at all with the zip file even though the dictionary used contains the known password for it.

I have conducted the following experiment

1. Create zip file and place 1 file in it passworded with FRED
2. Create zip file and put 1 file in it passworded with TEST
3. Create zip file and put two files in it one passworded with FRED and the other with TEST

Then ran all files through PRTK

1 above was cracked in seconds.
2 above was cracked in seconds.
3 above is still running and has been for ever it seems with no results.

It appears PRTK is unable to deal with zip files with more than one password involved.

I have also tried to export using EnCase and FTK the individual jpg files to attack them individually but am unable to do so without the password.

I would really appreciate any advice that anyone could give me to try and resolve this problem and gin access to the images.

Whilst I have more than enough evidence and images to ensure a good result I am concerned that I may be missing the opportunity to identify a possible victim if I am unable to access the zip file images.
_________________
Mark 
 
  

mark777
Senior Member
 

Re: Zip Files

Post Posted: May 03, 07 16:41

Apologies for the spelling mistake third line up from the bottom of the above post.

Gin is what I need but gain is what I intended to write.
_________________
Mark 
 
  

Alan
Senior Member
 

Re: Zip Files

Post Posted: May 03, 07 16:55

Hi Mark,

Have you contacted AccessData regarding the problem? They should be able to provide some guidance.

A  
 
  

mark777
Senior Member
 

Re: Zip Files

Post Posted: May 03, 07 17:03

Alan

Yeah several postings and messages to Jessica. Have spent the last two days, installing, uninstalling, activating and deactivating everything in sight but as yet nothing that works. Have sent her another message re the latest episodes but I assume that in the USA she will still be in bed.

Time constraints mean I need to get on with the rest of the computers he had ( 1 Mac - 450 DVD 3 160 Gb HDD and 28 Camera cards and he is on bail till next week!!!!) so I thought I would ask on here to see if anyone had any ideas. Hopefully if I can get the individual jpgs out I can attack them individually.

Other concern was that the zip password and the file password are somehow interlinked and I cannot do them individually even if I can get them out.

Plan is, if all else fails to slap the case on the desk in interview and ask him what the password is but I would rather get it myself than look like I don't know what I'm doing (do I know what I'm doing I hear you ask) to be honest.

Thanks for replying

_________________
Mark 
 
  

Alan
Senior Member
 

Re: Zip Files

Post Posted: May 03, 07 17:13

Mark,

What ZIP utility did he use? I have seen files zipped with SecureZIP from PKWARE which uses very strong encryption routines. I don't think the normal zip utilities would cause such a problem as you described!

Another possibility is that the zip file could be corrupt?

Alan  
 
  

mark777
Senior Member
 

Re: Zip Files

Post Posted: May 03, 07 20:43

Alan

I have found WinRAR but not WinZip. Problem is that the drive he has stored this folder/file on appears to be a storage folder for all his different computers - linux - apple and windows. The .zip file I am talking about is in a folder called macbackup so will need to look there as well.

The fella is a geek so that says it all about his set up really.

Have also found several .vmc and .vhd files re virtual on the drives as well.

Haven't even tried anything with them yet.

I wouldn't have thought the .zip file was corrupted as when you click it, it opens and then when you put the password in it displays the files inside to you - just doesn't let me get at them.

Never mind, will keep going. It's all a good learning curve.

Mark
_________________
Mark 
 
  

Marat
Member
 

Re: Zip Files

Post Posted: May 03, 07 21:51

mark777,
Problem is that the drive he has stored this folder/file on appears to be a storage folder for all his different computers - linux - apple and windows.

You can try to determine *.zip file metadata (like version of archiving tool, OS where *.zip is created, etc.)
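
The metadata check suggested in the post above, as an added example that is not part of the original thread: ZIP stores per-entry metadata in its central directory ("version made by" host system, version needed to extract, encryption flag bits, compression method), and Python's standard zipfile module reads it without a password as long as the central directory itself is not encrypted. The sample archive is constructed in memory with the encrypted flag set by hand, and the lookup tables list only a few of the codes from PKWARE's APPNOTE.

```python
import io
import zipfile

# Host-OS codes from the "version made by" high byte (PKWARE APPNOTE 4.4.2).
HOST_OS = {0: "MS-DOS/FAT", 3: "UNIX", 7: "Macintosh", 10: "Windows NTFS",
           19: "OS X (Darwin)"}
METHODS = {0: "stored", 8: "deflate", 12: "bzip2", 14: "LZMA",
           99: "WinZip AES (AE-x)"}


def zip_entry_metadata(data):
    """Return per-entry central-directory metadata; no password is needed."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            rows.append({
                "name": zi.filename,
                "host_os": HOST_OS.get(zi.create_system, f"code {zi.create_system}"),
                "made_by_version": zi.create_version / 10,
                "needed_version": zi.extract_version / 10,
                "encrypted": bool(zi.flag_bits & 0x0001),          # flag bit 0
                "strong_encryption": bool(zi.flag_bits & 0x0040),  # flag bit 6
                "method": METHODS.get(zi.compress_type, f"code {zi.compress_type}"),
            })
    return rows


def build_sample():
    """Constructed sample: two entries tagged with different host systems;
    the second entry's central-directory 'encrypted' flag is set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, system in (("a.jpg", 0), ("b.jpg", 3)):
            zi = zipfile.ZipInfo(name)
            zi.create_system = system
            zf.writestr(zi, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    second = raw.rfind(b"PK\x01\x02")   # last central-directory file header
    raw[second + 8] |= 0x01             # low byte of the general-purpose flags
    return bytes(raw)


if __name__ == "__main__":
    for row in zip_entry_metadata(build_sample()):
        print(row)
```

On evidence, run it against a working copy of the archive. A method of 99 or the strong-encryption bit indicates AES or PKWARE strong encryption rather than the legacy ZIP cipher.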
 
