Can Autopsy and Encase search through PAK and bin files?

(@obiwanabe95)

Hi Everyone

I'm currently studying Computer Security with Forensics at university and I'm doing my dissertation. I'm trying to analyse PAK and bin files to see if I can get any type of media file out or any other type of information, but every time I put the PAK and bin files into Encase and Autopsy all I get is just simple hex data and that's it. So I'm wondering, am I doing something wrong or do these tools not have the ability to search through these tools? If they do, can someone guide me on how to search through them or provide me a link which explains how to? I'm using Encase 8 and the latest version of Autopsy and adding the files as local files.

If you need more information let me know

Regards

Obi

 
Posted : 11/01/2018 6:39 pm
jaclaz
(@jaclaz)

> If you need more information let me know

You'll need to define both "PAK" and "bin" files.

If you are talking of file extensions

.pak is a file extension often used for packed files, but it is not necessarily of a given format; sometimes they are simply .zip files with the extension changed, but they could well be something else.

.bin is used (but again not necessarily) often to indicate "binary" (actually "raw hex") data.

If you don't know what actual file format they are or which program created them, you can try using file (Linux) or TrID (Windows) to attempt identifying the file format.

https://linux.die.net/man/1/file
http://mark0.net/soft-trid-e.html

I am not sure I understand the "generic approach"; however, *any* file - unless it has a documented format and the specific tool (Encase, Autopsy, *whatever*) has a parser for that format (and the right parser is auto-detected) - will appear to be "simple hex data".

jaclaz

 
Posted : 11/01/2018 8:47 pm
(@obiwanabe95)

Hi Jaclaz

I used the TrID tool but it seems to think that the PAK file is an ABR file, which is strange, and the .BIN file as an Inno Setup archive, which is the tool I used to create an installer for the files. If it helps, I used Unreal Engine to create the PAK file but not sure as to why it's saying it's an ABR file.

Hope this helps

Obi

 
Posted : 11/01/2018 10:42 pm
jaclaz
(@jaclaz)

> Hi Jaclaz
>
> I used the TrID tool but it seems to think that the PAK file is an ABR file, which is strange, and the .BIN file as an Inno Setup archive, which is the tool I used to create an installer for the files. If it helps, I used Unreal Engine to create the PAK file but not sure as to why it's saying it's an ABR file.
>
> Hope this helps
>
> Obi

I don't know.
I mean, I still don't understand what you are up to/trying to test/demonstrate.

You created the files yourself with some uncommon and specific software.

Then you threw Encase and Autopsy on these binary files (in a proprietary and uncommon format).

What would you have expected to happen?

How does what happened differ from the expectations you had?

TrID, file (and similar) attempt to identify files based on "patterns", typically in "headers" and "footers", but not only.
Of course specific files may have a "very distinctive" header (or footer, or both) whilst other ones have very generic ones.
Namely, the ABR has a (if I am allowed) "ridiculous" header of 00 😯
http://file-extension.net/seeker/file_extension_abr
so it doesn't particularly surprise me that it came out as a possible filetype for the file you provided, most probably after having attempted to identify the file with the more "definite" patterns it used the "low-low-specific" one that happens to be connected with ABR files.

jaclaz

 
Posted : 12/01/2018 11:51 am
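
Added example (not part of the original thread, and not how TrID or file are implemented): a minimal Python model of the header/footer pattern matching described in the replies above, showing why a very short signature still "matches" once the more specific patterns have failed. The Unreal Engine pak footer magic (0x5A6F12E1, little-endian) is an assumption, and the one-byte signature and all sample buffers are constructed.

```python
from dataclasses import dataclass

TAIL = 256  # footer patterns are searched for in the last TAIL bytes

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    where: str  # "header" = at offset 0, "footer" = anywhere in the tail

SIGNATURES = [
    Signature("ZIP archive", b"PK\x03\x04", "header"),
    # Assumption: Unreal Engine pak footer magic 0x5A6F12E1, little-endian.
    Signature("Unreal Engine pak (assumed magic)", bytes.fromhex("e1126f5a"), "footer"),
    # Constructed stand-in for a low-specificity signature: a single zero byte.
    Signature("weak one-byte format (constructed)", b"\x00", "header"),
]

def identify(data: bytes):
    """Return (name, pattern_length) for every match, most specific first."""
    hits = []
    for sig in SIGNATURES:
        if sig.where == "header":
            matched = data.startswith(sig.pattern)
        else:
            matched = sig.pattern in data[-TAIL:]
        if matched:
            hits.append((sig.name, len(sig.pattern)))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

def best_guess(data: bytes, min_bytes: int = 4) -> str:
    """Top match, flagged when only a pattern shorter than min_bytes matched."""
    hits = identify(data)
    if not hits:
        return "unknown"
    name, size = hits[0]
    return name if size >= min_bytes else f"{name} (low confidence)"

# Constructed sample buffers, not real evidence files.
RENAMED_ZIP = b"PK\x03\x04" + b"\x14\x00" + bytes(32)            # .zip renamed to .pak
PAK_LIKE = bytes(64) + b"payload" + bytes.fromhex("e1126f5a") + bytes(40)
OPAQUE = bytes(64) + b"\x07" * 64                                 # only the weak pattern fits

if __name__ == "__main__":
    for label, buf in [("renamed zip", RENAMED_ZIP), ("pak-like", PAK_LIKE), ("opaque", OPAQUE)]:
        print(f"{label:12} -> {best_guess(buf)}  all matches: {identify(buf)}")
```

The "opaque" buffer reproduces the situation in the thread: nothing distinctive matches, so the only candidate left is the one whose pattern is too short to mean much.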