[ale] unzipping an encrypted zip file

Michael H. Warfield mhw at WittsEnd.com
Thu Aug 6 18:30:09 EDT 2009


On Thu, 2009-08-06 at 17:59 -0400, Richard Bronosky wrote:
> That's an AES Encrypted Zip file http://www.winzip.com/aes_info.htm To
> my knowledge it is a WinZip only format. Awesome huh?

	The page you link to indicates they maintained compatibility with past
formats and merely added aes-1 and aes-2 to the "compression" types.
But if that were true, I wouldn't think he would be getting the errors
he's seeing because the central directory is still in the clear.  The
AES not supported errors are something like "compression type 99 not
supported" or some such.

	In any case, you might try p7zip.

	http://sourceforge.net/projects/p7zip/

	Caveat...  I have not tried it.  And I would love to know if that
works.

	Looks like it's in the Debian repositories.

	http://packages.debian.org/unstable/utils/p7zip

	Fedora and other rpms, it may be available from other sources or you
may have to build it yourself.  I can't access the links to the .rpm's
at this time.

	Mike

> On Thu, Aug 6, 2009 at 5:44 PM, Greg Freemyer<greg.freemyer at gmail.com> wrote:
> > On Thu, Aug 6, 2009 at 4:20 PM, Michael H. Warfield<mhw at wittsend.com> wrote:
> >> On Thu, 2009-08-06 at 15:36 -0400, Greg Freemyer wrote:
> >>> All,
> >>
> >>> I need to unzip an encrypted zip file.  What tool should I use?  (And
> >>> yes windows is available, but I hate to give in and ask a co-worker to
> >>> do it for me.)
> >>
> >>> First attempt:
> >>> $ unzip fileserver_sec_log.zip
> >>> Archive:  fileserver_sec_log.zip
> >>>   End-of-central-directory signature not found.  Either this file is not
> >>>   a zipfile, or it constitutes one disk of a multi-part archive.  In the
> >>>   latter case the central directory and zipfile comment will be found on
> >>>   the last disk(s) of this archive.
> >>> unzip:  cannot find zipfile directory in one of fileserver_sec_log.zip or
> >>>         fileserver_sec_log.zip.zip, and cannot find
> >>> fileserver_sec_log.zip.ZIP, period.
> >>
> >>        What is it "encrypted" with?  I deal with encrypted zip files all the
> >> time (generally malware samples to study) and simply running unzip -l on
> >> the archive will still give you a listing of the archive (the "central
> >> directory" is not encrypted) but you need the password to extract the
> >> files.  This sounds like it's either externally encrypted or corrupt or
> >> there's a new zip encryption method in town.
> >>
> >>> Greg
> >>
> >>        Mike
> >
> > Mike,
> >
> > Turns out the zip file was corrupted when I pulled it off the email somehow.
> >
> > Now I get:
> >
> > # unzip fileserver_sec_log.zip
> > Archive:  fileserver_sec_log.zip
> >   skipping: fileserver_genetics_sec_log.txt  unsupported compression method 99
> >
> > The file was zipped with a current version of winzip I believe.  I
> > actually gave up and unzipped it via my co-workers pc / winzip.  It
> > worked fine, but I'm still curious.
> >
> > Greg
> > --
> > Greg Freemyer
> > Head of EDD Tape Extraction and Processing team
> > Litigation Triage Solutions Specialist
> > http://www.linkedin.com/in/gregfreemyer
> > Preservation and Forensic processing of Exchange Repositories White Paper -
> > <http://www.norcrossgroup.com/forms/whitepapers/tng_whitepaper_fpe.html>
> >
> > The Norcross Group
> > The Intersection of Evidence & Technology
> > http://www.norcrossgroup.com
> >

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
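
Added example (not part of the original message, and not code from unzip or p7zip): a minimal Python reader for the cleartext central directory that reports "compression method 99" and decodes the WinZip AES extra field (header ID 0x9901) described on the WinZip AES page linked above. The sample bytes are constructed; their AE-2 / 256-bit / deflate values are assumptions for illustration, and Zip64 and multi-disk archives are not handled.

```python
import struct

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"
AES_EXTRA_ID = 0x9901                 # WinZip AES extra field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}   # strength byte -> key size in bits

def list_central_directory(data):
    """Describe every central-directory entry; no password is needed."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:  # the failure in the first unzip attempt (corrupt download)
        raise ValueError("End-of-central-directory signature not found")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at %d" % pos)
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        n_len, x_len, c_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + n_len].decode("cp437")
        extra = data[pos + 46 + n_len:pos + 46 + n_len + x_len]
        entry = {"name": name, "method": method,
                 "encrypted": bool(flags & 1), "aes": None}
        i = 0
        while i + 4 <= len(extra):  # extra field = (id, size, payload) records
            hid, size = struct.unpack_from("<HH", extra, i)
            if hid == AES_EXTRA_ID and size >= 7 and i + 11 <= len(extra):
                ver, _vendor, strength, real = struct.unpack_from("<H2sBH", extra, i + 4)
                entry["aes"] = {"version": "AE-%d" % ver,
                                "bits": AES_BITS.get(strength),
                                "real_method": real}  # e.g. 8 = deflate
            i += 4 + size
        entries.append(entry)
        pos += 46 + n_len + x_len + c_len
    return entries

def build_sample():
    """Constructed central directory + EOCD only (no file data): one AE-2,
    AES-256, deflate entry. These values are assumptions, not Greg's file."""
    name = b"fileserver_genetics_sec_log.txt"
    extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    cdh = CDH_SIG + struct.pack("<6H3I5H2I", 51, 51, 1, 99, 0, 0, 0, 0, 0,
                                len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return cdh + EOCD_SIG + struct.pack("<4H2IH", 0, 0, 1, 1, len(cdh), 0, 0)

if __name__ == "__main__":
    for e in list_central_directory(build_sample()):
        print(e)
```

On a real archive, pass the file's bytes to `list_central_directory`; an entry with method 99 and a populated `aes` field needs an AES-capable extractor.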
