
EnCase: Mount password protected zip file

(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

I have a zip file with password protection in my evidence file. But every time I type in a different password, I can mount the file with View File Structure even though the password is wrong. Did anyone encounter this too? What can I do to stop this from happening? I want to check whether I have applied the correct password or not. Thank you.

 
Posted : 03/10/2019 9:58 am
(@rich2005)
Posts: 535
Honorable Member
 

Is the problem perhaps that you've got an archive where the filenames aren't encrypted, so EnCase can "open" it, regardless of the password?
Can you view the content of the files, and not just their names, (in a readable form) with the wrong password?

 
Posted : 03/10/2019 10:21 am
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

I can’t view the content of the file even though I can export it after mounting the file.

 
Posted : 03/10/2019 10:31 am
(@rich2005)
Posts: 535
Honorable Member
 

So it sounds like what I described (if I'm understanding you correctly). I.e. you've got an archive where the filenames aren't encrypted, so you can view the content listing, but not extract the contents of them properly without the correct password.

 
Posted : 03/10/2019 1:42 pm
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

Yes. I can view the content listing, and I can even export the file, but I cannot view the content. I am trying to develop an EnScript so that I can apply different passwords from a list to the zip file, but I am not sure whether it can be done with EnScript.


void checkCredential(EntryClass e, String password) {
  EntryFileClass file = new EntryFileClass();
  CredentialClass cred();
  cred.SetPassword(password);

  // Open the entry with the candidate password, then report the credential error type
  if (file.Open(e, 0, cred)) {
    switch (cred.ErrorType()) {
      case CredentialClass::NONE:
        Console.WriteLine("File can be decrypted {0}, password {1}", file.Name(), password); // no errors
        break;
      case CredentialClass::BAD_EVIDENCE_FILE_PASSWORD:
        Console.WriteLine("Unable to decrypt file Bad Evidence File Password {0}, password {1}", file.Name(), password);
        break;
      case CredentialClass::BAD_PASSWORD:
        Console.WriteLine("Unable to decrypt file Bad password {0}, password {1}", file.Name(), password);
        break;
      case CredentialClass::BAD_CREDENTIALS:
        Console.WriteLine("Unable to decrypt file Bad Credentials {0}, password {1}", file.Name(), password);
        break;
      case CredentialClass::BAD_NEED_MORE_INFO:
        Console.WriteLine("Unable to decrypt file No Credentials {0}, password {1}", file.Name(), password);
        break;
    }
  }
}

 
Posted : 03/10/2019 2:17 pm
(@rich2005)
Posts: 535
Honorable Member
 

Ah. I'm no EnScript expert, and it's been quite a while since I've used EnCase regularly, but I would have thought this is the sort of thing Simon Key would be able to tell you. He was the EnScript wizard from what I remember and would likely know if this is possible (or if something's already been created to do what you want - or similar code). A quick Google shows he's still at Guidance (now OpenText). Might be worth trying to contact him for a quick question to save you some time.

 
Posted : 03/10/2019 3:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Excuse me, as I do not know what a "normal" EnCase workflow is, nor what your specific workflow/procedure is, but wouldn't it be easier to extract the archive from the EnCase evidence file, process it "normally" (with a batch/bash script or any "try passwords from list" program), and once you have found which among the candidates is the correct password, use it inside EnCase?

jaclaz

 
Posted : 03/10/2019 4:28 pm
(@hommy0)
Posts: 98
Trusted Member
 

Hi,

Unless the structure of the zip archive has altered, the local file header, which precedes each file's compressed data, is in plain text. Part of the local file header includes the path and name of the file in the archive. EnCase is showing you the structure since that is in plain text, whereas you will not see decompressed file contents since as yet you have not supplied the correct credentials.

This should be similar behaviour to when you open the same archive in WinZip: you should see the structure - paths and filenames. However, to extract/decompress you need to supply credentials.

If you are trying this with EnScript, it may be best to post on the EnScript part of OpenText MySupport (you should find it under the security forum).

Regards

 
Posted : 03/10/2019 6:29 pm
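
The plaintext local file header described in the post above, as an added example that is not part of the original thread: a Python sketch that walks the 30-byte local file headers of a ZIP and reads each entry's name and the encryption bit of the general purpose flag without any password. The archive, its entry names and the helper names are constructed for illustration, and the sample only sets the flag by hand rather than encrypting the data.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
HEADER = struct.Struct("<4sHHHHHIIIHH")   # fixed 30-byte local file header
FLAG_ENCRYPTED = 0x0001   # general purpose bit 0: entry data is encrypted
FLAG_DESCRIPTOR = 0x0008  # bit 3: sizes live in a trailing data descriptor
FLAG_UTF8 = 0x0800        # bit 11: name is UTF-8, otherwise CP437


def list_local_headers(data):
    """Walk local file headers; return [(name, encrypted, compressed_size)]."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = HEADER.unpack_from(data, pos)
        raw = bytes(data[pos + 30:pos + 30 + nlen])
        name = raw.decode("utf-8" if flags & FLAG_UTF8 else "cp437")
        entries.append((name, bool(flags & FLAG_ENCRYPTED), csize))
        if flags & FLAG_DESCRIPTOR and csize == 0:
            break  # size unknown here; a full tool would use the central directory
        pos += 30 + nlen + xlen + csize
    return entries


def build_sample():
    """Constructed archive; flag bit 0 is set by hand on one entry.

    The entry's data is NOT really encrypted: only the header flag is patched,
    which is enough to show what a listing tool reads without any password.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("case/secret.docx", b"constructed sample data")
        zf.writestr("readme.txt", b"constructed plain entry")
        offset = zf.getinfo("case/secret.docx").header_offset
    data = bytearray(buf.getvalue())
    flags, = struct.unpack_from("<H", data, offset + 6)
    struct.pack_into("<H", data, offset + 6, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    for name, encrypted, csize in list_local_headers(build_sample()):
        print(f"{name:20} encrypted={encrypted} compressed_size={csize}")
```

A listing that succeeds therefore says nothing about the password; only decrypting an entry's data tests it.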
(@ckwongkennyw)
Posts: 16
Active Member
Topic starter
 

Thank you all. It seems better to export it and try it with PowerShell or a batch script.

 
Posted : 05/10/2019 2:53 am