
[ale] unzipping an encrypted zip file



Mike,

At first it was truly corrupt.  Once I had a good file, I did get the
"unsupported compression method 99" error and the name of the one file
in the zip file.

Greg

On Thu, Aug 6, 2009 at 6:30 PM, Michael H. Warfield<mhw at wittsend.com> wrote:
> On Thu, 2009-08-06 at 17:59 -0400, Richard Bronosky wrote:
>> That's an AES Encrypted Zip file http://www.winzip.com/aes_info.htm To
>> my knowledge it is a WinZip only format. Awesome huh?
>
>        The page you link to indicates they maintained compatibility with past
> formats and merely added aes-1 and aes-2 to the "compression" types.
> But if that were true, I wouldn't think he would be getting the errors
> he's seeing because the central directory is still in the clear.  The
> AES not supported errors are something like "compression type 99 not
> supported" or some such.
>
>        In any case, you might try p7zip.
>
>        http://sourceforge.net/projects/p7zip/
>
>        Caveat...  I have not tried it.  And I would love to know if that
> works.
>
>        Looks like it's in the Debian repositories.
>
>        http://packages.debian.org/unstable/utils/p7zip
>
>        Fedora and other rpms, it may be available from other sources or you
> may have to build it yourself.  I can't access the links to the .rpm's
> at this time.
>
>        Mike
>
>> On Thu, Aug 6, 2009 at 5:44 PM, Greg Freemyer<greg.freemyer at gmail.com> wrote:
>> > On Thu, Aug 6, 2009 at 4:20 PM, Michael H. Warfield<mhw at wittsend.com> wrote:
>> >> On Thu, 2009-08-06 at 15:36 -0400, Greg Freemyer wrote:
>> >>> All,
>> >>
>> >>> I need to unzip an encrypted zip file.  What tool should I use.  (And
>> >>> yes windows is available, but I hate to give in and ask a co-worker to
>> >>> do it for me.)
>> >>
>> >>> First attempt:
>> >>> $ unzip fileserver_sec_log.zip
>> >>> Archive:  fileserver_sec_log.zip
>> >>>   End-of-central-directory signature not found.  Either this file is not
>> >>>   a zipfile, or it constitutes one disk of a multi-part archive.  In the
>> >>>   latter case the central directory and zipfile comment will be found on
>> >>>   the last disk(s) of this archive.
>> >>> unzip:  cannot find zipfile directory in one of fileserver_sec_log.zip or
>> >>>         fileserver_sec_log.zip.zip, and cannot find
>> >>> fileserver_sec_log.zip.ZIP, period.
>> >>
>> >>        What is it "encrypted" with?  I deal with encrypted zip files all the
>> >> time (generally malware samples to study) and simply running unzip -l on
>> >> the archive will still give you a listing of the archive (the "central
>> >> directory" is not encrypted) but you need the password to extract the
>> >> files.  This sounds like it's either externally encrypted or corrupt or
>> >> there's a new zip encryption method in town.
>> >>
>> >>> Greg
>> >>
>> >>        Mike
>> >
>> > Mike,
>> >
>> > Turns out the zip file was corrupted when I pulled it off the email somehow.
>> >
>> > Now I get:
>> >
>> > # unzip fileserver_sec_log.zip
>> > Archive:  fileserver_sec_log.zip
>> >   skipping: fileserver_genetics_sec_log.txt  unsupported compression method 99
>> >
>> > The file was zipped with a current version of winzip I believe.  I
>> > actually gave up and unzipped it via my co-workers pc / winzip. ?It
>> > worked fine, but I'm still curious.
>> >
>> > Greg
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://mail.ale.org/mailman/listinfo/ale
>> >
>>
>>
>
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/           | (678) 463-0932 |  http://www.wittsend.com/mhw/
>   NIC whois: MHW9           | An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
>



-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
Preservation and Forensic processing of Exchange Repositories White Paper -
<http://www.norcrossgroup.com/forms/whitepapers/tng_whitepaper_fpe.html>

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
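
Added example, not part of the original thread: the two errors discussed above can be told apart by reading the central directory directly, since it stays in the clear. This Python code (function names are hypothetical, the sample archive is constructed inline) raises on a missing end-of-central-directory record and, for method 99 entries, decodes the WinZip AES extra field (header ID 0x9901) to report the AE version, key size and real compression method.

```python
import struct

EOCD = struct.Struct("<4s4H2LH")     # end-of-central-directory record, 22 bytes
CDH = struct.Struct("<4s6H3L5H2L")   # central directory file header, 46 bytes
AES_KEY_BITS = {1: 128, 2: 192, 3: 256}

def list_entries(data: bytes):
    """Return one dict per central-directory entry, decoding WinZip AES info."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0:  # what unzip reports for a truncated or corrupted download
        raise ValueError("End-of-central-directory signature not found")
    rec = EOCD.unpack_from(data, pos)
    total, off = rec[4], rec[6]          # entry count, central directory offset
    entries = []
    for _ in range(total):
        f = CDH.unpack_from(data, off)
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        flags, method, nlen, xlen, clen = f[3], f[4], f[10], f[11], f[12]
        name = data[off + 46: off + 46 + nlen].decode("cp437")
        extra = data[off + 46 + nlen: off + 46 + nlen + xlen]
        entry = {"name": name, "method": method,
                 "encrypted": bool(flags & 1), "aes": None}
        i = 0
        while i + 4 <= len(extra):       # extra field: repeated (id, size, data)
            hid, size = struct.unpack_from("<HH", extra, i)
            if hid == 0x9901 and size >= 7:
                ver, _vendor, strength, real = struct.unpack_from("<H2sBH", extra, i + 4)
                entry["aes"] = {"version": f"AE-{ver}",
                                "key_bits": AES_KEY_BITS.get(strength),
                                "real_method": real}   # 8 = deflate, 0 = stored
            i += 4 + size
        entries.append(entry)
        off += 46 + nlen + xlen + clen
    return entries

def build_sample() -> bytes:
    """Constructed one-entry archive: central directory + EOCD only, no file data."""
    name = b"sample_log.txt"
    extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)  # AE-2, AES-256, deflate
    cdh = CDH.pack(b"PK\x01\x02", 51, 51, 1, 99, 0, 0, 0, 0, 0,
                   len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return cdh + EOCD.pack(b"PK\x05\x06", 0, 0, 1, 1, len(cdh), 0, 0)

if __name__ == "__main__":
    for e in list_entries(build_sample()):
        print(e)
```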