[ale] unzipping an encrypted zip file
Greg Freemyer
greg.freemyer at gmail.com
Thu Aug 6 19:11:21 EDT 2009
Mike,
At first it was truly corrupt. Once I had a good file, I did get the
"unsupported compression method 99" error and the name of the one file
in the zip file.
Greg
On Thu, Aug 6, 2009 at 6:30 PM, Michael H. Warfield<mhw at wittsend.com> wrote:
> On Thu, 2009-08-06 at 17:59 -0400, Richard Bronosky wrote:
>> That's an AES Encrypted Zip file (http://www.winzip.com/aes_info.htm). To
>> my knowledge it is a WinZip-only format. Awesome, huh?
>
> The page you link to indicates they maintained compatibility with past
> formats and merely added aes-1 and aes-2 to the "compression" types.
> But if that were true, I wouldn't think he would be getting the errors
> he's seeing because the central directory is still in the clear. The
> AES not supported errors are something like "compression type 99 not
> supported" or some such.
>
> In any case, you might try p7zip.
>
> http://sourceforge.net/projects/p7zip/
>
> Caveat... I have not tried it. And I would love to know if that
> works.
>
> Looks like it's in the Debian repositories.
>
> http://packages.debian.org/unstable/utils/p7zip
>
> Fedora and other rpms, it may be available from other sources or you
> may have to build it yourself. I can't access the links to the .rpm's
> at this time.
>
> Mike
>
>> On Thu, Aug 6, 2009 at 5:44 PM, Greg Freemyer<greg.freemyer at gmail.com> wrote:
>> > On Thu, Aug 6, 2009 at 4:20 PM, Michael H. Warfield<mhw at wittsend.com> wrote:
>> >> On Thu, 2009-08-06 at 15:36 -0400, Greg Freemyer wrote:
>> >>> All,
>> >>
>> >>> I need to unzip an encrypted zip file. What tool should I use? (And
>> >>> yes windows is available, but I hate to give in and ask a co-worker to
>> >>> do it for me.)
>> >>
>> >>> First attempt:
>> >>> $ unzip fileserver_sec_log.zip
>> >>> Archive: fileserver_sec_log.zip
>> >>> End-of-central-directory signature not found. Either this file is not
>> >>> a zipfile, or it constitutes one disk of a multi-part archive. In the
>> >>> latter case the central directory and zipfile comment will be found on
>> >>> the last disk(s) of this archive.
>> >>> unzip: cannot find zipfile directory in one of fileserver_sec_log.zip or
>> >>> fileserver_sec_log.zip.zip, and cannot find
>> >>> fileserver_sec_log.zip.ZIP, period.
>> >>
>> >> What is it "encrypted" with? I deal with encrypted zip files all the
>> >> time (generally malware samples to study) and simply running unzip -l on
>> >> the archive will still give you a listing of the archive (the "central
>> >> directory" is not encrypted) but you need the password to extract the
>> >> files. This sounds like it's either externally encrypted or corrupt or
>> >> there's a new zip encryption method in town.
>> >>
>> >>> Greg
>> >>
>> >> Mike
>> >
>> > Mike,
>> >
>> > Turns out the zip file was corrupted when I pulled it off the email somehow.
>> >
>> > Now I get:
>> >
>> > # unzip fileserver_sec_log.zip
>> > Archive: fileserver_sec_log.zip
>> > skipping: fileserver_genetics_sec_log.txt unsupported compression method 99
>> >
>> > The file was zipped with a current version of WinZip I believe. I
>> > actually gave up and unzipped it via my co-worker's PC / WinZip. It
>> > worked fine, but I'm still curious.
>> >
>> > Greg
>> > --
>> > Greg Freemyer
>> > Head of EDD Tape Extraction and Processing team
>> > Litigation Triage Solutions Specialist
>> > http://www.linkedin.com/in/gregfreemyer
>> > Preservation and Forensic processing of Exchange Repositories White Paper -
>> > <http://www.norcrossgroup.com/forms/whitepapers/tng_whitepaper_fpe.html>
>> >
>> > The Norcross Group
>> > The Intersection of Evidence & Technology
>> > http://www.norcrossgroup.com
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://mail.ale.org/mailman/listinfo/ale
>> >
>>
>>
>
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
>
>
--
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
Preservation and Forensic processing of Exchange Repositories White Paper -
<http://www.norcrossgroup.com/forms/whitepapers/tng_whitepaper_fpe.html>
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
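
Added example, not part of the original thread: a Python sketch that walks the unencrypted central directory Mike mentions and, for entries marked with compression method 99, decodes the WinZip AES extra field (header ID 0x9901) to show the AE version, key size and the real compression method underneath. The field layout follows the WinZip AES specification linked above; the function names and the sample archive bytes are constructed for illustration.

```python
import struct

CDFH = struct.Struct("<4s6H3I5H2I")   # central directory file header, 46 bytes
EOCD = struct.Struct("<4s4H2IH")      # end-of-central-directory record, 22 bytes
AES_BITS = {1: 128, 2: 192, 3: 256}   # strength byte -> key size in bits

def aes_extra(extra):
    """Return (AE version, key bits, real method) from a 0x9901 extra field, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == 0x9901 and size >= 7 and pos + 11 <= len(extra):
            ver, vendor, strength, method = struct.unpack_from("<H2sBH", extra, pos + 4)
            if vendor == b"AE":
                return ver, AES_BITS.get(strength), method
        pos += 4 + size
    return None

def list_entries(data):
    """Read names and methods from the central directory; no password is needed."""
    end = data.rfind(b"PK\x05\x06")
    if end < 0:   # the condition behind unzip's first error in this thread
        raise ValueError("End-of-central-directory signature not found")
    _, _, _, _, total, _, cd_off, _ = EOCD.unpack_from(data, end)
    pos, out = cd_off, []
    for _ in range(total):
        f = CDFH.unpack_from(data, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        method, nlen, xlen, clen = f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        out.append((name, method, aes_extra(extra) if method == 99 else None))
        pos += 46 + nlen + xlen + clen
    return out

def sample_zip():
    """Constructed sample: central directory only, one AE-2 / AES-256 / deflate entry."""
    name = b"sec_log.txt"
    extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)   # 8 = deflate
    cd = CDFH.pack(b"PK\x01\x02", 51, 51, 1, 99, 0, 0, 0, 0, 0,
                   len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return cd + EOCD.pack(b"PK\x05\x06", 0, 0, 1, 1, len(cd), 0, 0)

if __name__ == "__main__":
    for name, method, aes in list_entries(sample_zip()):
        print(name, "method", method, "AES (version, bits, real method):", aes)
```
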