Can Autopsy and Encase search through PAK and bin files?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Can Autopsy and Encase search through PAK and bin files?

Post Posted: Thu Jan 11, 2018 1:39 pm

Hi Everyone

I'm currently studying Computer Security with Forensics at university and I'm doing my dissertation. I'm trying to analyse PAK and bin files to see if I can get any type of media file out, or any other type of information, but every time I put the PAK and bin files into Encase and Autopsy all I get is just simple hex data and that's it. So I'm wondering, am I doing something wrong, or do these tools not have the ability to search through these tools? If they do, can someone guide me on how to search through them or provide me a link which explains how to? I'm using Encase 8 and the latest version of Autopsy and adding the files as local files.

If you need more information let me know

Regards

Obi  

obiwanabe95
Newbie
 
 
  

Re: Can Autopsy and Encase search through PAK and bin files?

Post Posted: Thu Jan 11, 2018 3:47 pm

- obiwanabe95

If you need more information let me know


You'll need to define both "PAK" and "bin" files.

If you are talking of file extensions:

.pak is a file extension often used for packed files, but it is not necessarily of a given format; sometimes they are simply .zip files with the extension changed, but they could well be something else.

.bin is often used (but again not necessarily) to indicate "binary" (actually "raw hex") data.

If you don't know what actual file format they are or which program created them, you can try using file (Linux) or TrID (Windows) to attempt to identify the file format.

linux.die.net/man/1/file
mark0.net/soft-trid-e.html

I am not sure I understand the "generic approach"; however, *any* file will appear to be "simple hex data" unless it has a documented format and the specific tool (Encase, Autopsy, *whatever*) has a parser for that format (and the right parser is auto-detected).


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Can Autopsy and Encase search through PAK and bin files?

Post Posted: Thu Jan 11, 2018 5:42 pm

Hi Jaclaz

I used the TrID tool, but it seems to think that the PAK file is an ABR file, which is strange, and the .BIN file an Inno Setup archive, which is the tool I used to create an installer for the files. If it helps, I used Unreal Engine to create the PAK file, but I'm not sure why it's saying it's an ABR file.

Hope this helps

Obi  

obiwanabe95
Newbie
 
 
  

Re: Can Autopsy and Encase search through PAK and bin files?

Post Posted: Fri Jan 12, 2018 6:51 am

- obiwanabe95
Hi Jaclaz

I used the TrID tool, but it seems to think that the PAK file is an ABR file, which is strange, and the .BIN file an Inno Setup archive, which is the tool I used to create an installer for the files. If it helps, I used Unreal Engine to create the PAK file, but I'm not sure why it's saying it's an ABR file.

Hope this helps

Obi

I don't know.
I mean, I still don't understand what you are up to/trying to test/demonstrate.

You created yourself the files with some uncommon and specific software.

Then you threw Encase and Autopsy on these binary files (in a proprietary and uncommon format).

What would you have expected to happen?

How does what happened differ from the expectations you had?

TrID, file (and similar) attempt to identify files based on "patterns", typically in "headers" and "footers", but not only.
Of course specific files may have a "very distinctive" header (or footer, or both), while others have very generic ones.
Namely, the ABR has a (if I am allowed) "ridiculous" header of 00:
file-extension.net/see...ension_abr
so it doesn't particularly surprise me that it came out as a possible filetype for the file you provided; most probably, after having attempted to identify the file with the more "definite" patterns, it used the very low-specificity one that happens to be connected with ABR files.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
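The two points jaclaz makes above (a tool only shows "simple hex" for a container it has no parser for, and identifiers such as file/TrID match header and footer patterns whose specificity varies from a full magic string down to a single 0x00 byte) can be shown together in a small script. The following is an added example, not code from the thread, from TrID or from any of the tools discussed. The signature bytes are the published magic values for ZIP, gzip, 7-Zip, PNG, JPEG and MZ executables; the one-byte ABR entry is modelled on jaclaz's description; the "proprietary container" and the renamed ZIP are constructed in the script itself and do not reproduce the real Unreal Engine .pak or Inno Setup .bin layouts. Ranking hits by pattern length reproduces why a file starting with 0x00 falls through to the weak ABR match, and the carving routine shows what a forensic tool can still recover from an unparsed container, which was the original poster's actual goal: embedded media with a known header and footer.

```python
from __future__ import annotations

import io
import struct
import zipfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    header: bytes = b""  # bytes expected at offset 0 (empty = no header test)
    footer: bytes = b""  # bytes expected at end of data (empty = no footer test)

    @property
    def specificity(self) -> int:
        # Longer fixed patterns are harder to hit by accident, so rank by length.
        return len(self.header) + len(self.footer)


# Magic values from the public format specifications. The ABR entry encodes
# the thread's observation that a lone 0x00 byte is an extremely weak header.
SIGNATURES = [
    Signature("ZIP archive (also .pak/.jar/.docx renamed)", header=b"PK\x03\x04"),
    Signature("gzip", header=b"\x1f\x8b"),
    Signature("7-Zip", header=b"7z\xbc\xaf\x27\x1c"),
    Signature("PNG image", header=b"\x89PNG\r\n\x1a\n", footer=b"IEND\xaeB`\x82"),
    Signature("JPEG image", header=b"\xff\xd8\xff", footer=b"\xff\xd9"),
    Signature("DOS/Windows executable (MZ)", header=b"MZ"),
    Signature("Photoshop brush (ABR) - weak 1-byte header", header=b"\x00"),
]


def identify(data: bytes) -> list[tuple[str, int]]:
    """Return (type name, specificity) for every matching signature, most
    specific first. A single low-specificity hit means 'unknown, maybe X'."""
    hits = []
    for sig in SIGNATURES:
        if sig.header and not data.startswith(sig.header):
            continue
        if sig.footer and not data.endswith(sig.footer):
            continue
        hits.append((sig.name, sig.specificity))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def list_zip_members(data: bytes) -> list[str] | None:
    """The '.pak is really a renamed .zip' case: return member names, else None."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def carve(data: bytes) -> list[tuple[str, int, bytes]]:
    """Header/footer carving: extract embedded objects of formats that have
    both a header and a footer, ignoring whatever container surrounds them."""
    found = []
    for sig in (s for s in SIGNATURES if s.header and s.footer):
        pos = 0
        while (start := data.find(sig.header, pos)) != -1:
            tail = data.find(sig.footer, start + len(sig.header))
            if tail == -1:
                break
            end = tail + len(sig.footer)
            found.append((sig.name, start, data[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


# --- constructed sample inputs (not real Unreal .pak or Inno Setup .bin files) ---

def make_png_1x1() -> bytes:
    """A valid 1x1 red RGB PNG built from the spec, so the carved object is a
    real image and not just a header."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter 0 + one red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_samples() -> tuple[bytes, bytes]:
    # 1) A ".pak" that is just a ZIP with the extension changed.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "a zip in disguise")
    renamed_zip = buf.getvalue()

    # 2) A made-up proprietary container that begins with 0x00 (so only the
    #    weak ABR signature fires) with a JPEG stub and a PNG buried inside.
    jpeg_stub = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\xff\xd9"  # SOI, APP0, EOI
    container = (b"\x00" * 8 + b"PROPRIETARY-TOC" + jpeg_stub
                 + b"\x11" * 6 + make_png_1x1() + b"\x00" * 4)
    return renamed_zip, container


if __name__ == "__main__":
    pak, blob = make_samples()
    print("renamed .pak ->", identify(pak), list_zip_members(pak))
    print("container    ->", identify(blob))
    for name, offset, obj in carve(blob):
        print(f"carved {name} at offset {offset}, {len(obj)} bytes")
```

The container is reported only as a possible ABR with specificity 1, which is exactly the situation in the thread: nothing more definite matched, so the one-byte pattern is all that is left. Running the same blob through carve() still returns the embedded JPEG and PNG, which is the route to "getting media out" of a format no tool parses; the same approach does nothing for content that is compressed or encrypted inside the container, because the media signatures are then not present in the raw bytes.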
 
 
