Include Contents of Zip and RAR archives etc.

WinHex & X-Ways

Part of volume snapshot refinement.

A forensic license allows you to include the contents of ZIP, RAR, ARJ, GZ, TAR, 7Zip, and BZIP archives in the volume snapshot, so that files in such archives can be separately listed, examined, searched, etc., in their decompressed state, as long as the archives are not encrypted. Theoretically, there is no limit to the number of nested levels that can be processed (i.e. archives within archives within archives…). If the files in an archive are encrypted, they are marked with "e" in the attribute column and the archive itself with "e!". This allows you to easily focus on such files using the attribute filter.

Document files of MS Office 2007/2010/2013, LibreOffice, OpenOffice, and iWork are technically Zip archives, too, and if so are processed in the same way by default. You can choose not to process those files if you, or the recipients of evidence file containers that you prepare, only wish to see the documents as a whole (no embedded pictures or XML files listed separately), don't need metadata extracted from these XML files, and can recognize nested documents (documents embedded in other documents) themselves if necessary. There are many, many other file types that are technically subtypes of Zip and that are processed optionally. Zip subtypes whose contents are usually irrelevant are, for example, .jar, .apk and .ipa, though special interest groups like malware investigators might think otherwise, so the choice is yours.

X-Ways Forensics tries to detect and protect itself against zip bombs as well as recursive zip and gz archives and possibly other recursive archive types. Protection means that processing stops at a certain nesting level once the malicious nature of the archive is detected. Archives identified in this fashion are marked as already processed and added to a special internal report table. Please note that if afterwards you wish to manually dig deeper than the level at which the automatic recursive exploration stopped, you can do so by marking the innermost archive reached as still to be processed (by pressing Ctrl+Del) and then applying the Explore command in the context menu to it manually.

Note that for Zip archives with non-ASCII characters in filenames to be processed correctly, you need to pick the correct code page in the case properties first. E.g. for Zip archives created under Linux, that is likely UTF-8. For Zip archives created under Windows with WinZip, that is likely a regional code page. Note also that split/spanned/segmented archives are not supported.
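The following is an added illustration, not code from X-Ways Forensics or any part of its archive processing, of the three behaviours described above: recursing into nested Zip archives (including Office documents that are technically Zip files), stopping at a nesting depth limit and refusing to decompress members whose size ratio looks like a zip bomb, and decoding legacy member names with the code page chosen for the case. It assumes Python's standard zipfile module, which decodes names as UTF-8 only when the archive's "language encoding" flag (bit 11) is set and as cp437 otherwise; the depth and ratio limits are illustrative assumptions, not X-Ways Forensics' internal thresholds, and all sample archives are constructed in memory.

```python
import io
import zipfile

# Illustrative limits (assumptions for this example, not X-Ways Forensics' values).
MAX_DEPTH = 3        # deepest archive-in-archive level that is still opened
MAX_RATIO = 100.0    # decompressed/compressed size above which a member is flagged
ARCHIVE_EXT = (".zip", ".jar", ".apk", ".ipa")
OFFICE_EXT = (".docx", ".xlsx", ".pptx", ".odt", ".ods", ".odp")


def decode_name(info, codepage):
    """Return a member name decoded with the case's code page.

    zipfile decodes names as UTF-8 only when bit 11 of the general purpose
    flag is set; every other archive is decoded as cp437. For such a legacy
    archive we undo the cp437 decoding and apply the chosen code page, which is
    what selecting the code page in the case properties achieves."""
    if info.flag_bits & 0x800:
        return info.filename
    return info.filename.encode("cp437").decode(codepage, errors="replace")


def is_container(name, include_office):
    """Treat classic archives always, Office documents optionally, as nested archives."""
    lower = name.lower()
    if lower.endswith(ARCHIVE_EXT):
        return True
    return include_office and lower.endswith(OFFICE_EXT)


def walk_archive(data, codepage="cp437", include_office=True, depth=0, path=""):
    """Return (path, depth, status) for every member, recursing into nested archives.

    status is 'ok', 'encrypted' (bit 0 of the general purpose flag), 'bomb'
    (size ratio exceeds MAX_RATIO; the member is never decompressed) or
    'depth-limit' (a nested archive beyond MAX_DEPTH is listed but not opened)."""
    results = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return results          # not really a Zip; nothing to descend into
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{path}/{decode_name(info, codepage)}"
            container = is_container(name, include_office)
            if info.flag_bits & 0x1:
                status = "encrypted"
            elif info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                status = "bomb"
            elif container and depth + 1 > MAX_DEPTH:
                status = "depth-limit"
            else:
                status = "ok"
            results.append((name, depth, status))
            if status == "ok" and container:
                results.extend(walk_archive(zf.read(info), codepage, include_office,
                                            depth + 1, name))
    return results


def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a Zip archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_fixture():
    """Constructed sample: a 4-deep nesting, a deflate bomb and a tiny
    Office-style document, all synthetic and built here, not taken from any case."""
    nested = make_zip({"note.txt": b"innermost"})
    for i in (3, 2, 1):
        nested = make_zip({f"level{i}.zip": nested})
    docx = make_zip({"[Content_Types].xml": b"<Types/>",
                     "word/document.xml": b"<w:document/>"})
    return make_zip({
        "readme.txt": b"constructed sample",
        "nested.zip": nested,
        "bomb.zip": make_zip({"zeros.bin": b"\0" * (1 << 20)}),  # 1 MiB of zeros
        "report.docx": docx,
    })


if __name__ == "__main__":
    for member_path, level, state in walk_archive(build_fixture()):
        print(f"{'  ' * level}{member_path}  [{state}]")
```

Running the block lists every member with its nesting level; the zeros file inside bomb.zip is reported as a bomb without being decompressed, and level3.zip is listed but not opened because it would exceed MAX_DEPTH, mirroring the "stop at a certain level" behaviour. Passing include_office=False leaves report.docx as a single file, which corresponds to the option of not processing Office documents as Zip subtypes.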

Encrypted Zip, RAR, and 7z file archives can also be processed, provided that the password is known or can be guessed. X-Ways Forensics will try any password listed in either the password collection of the current case or a general password collection. You can edit the list right from within the dialog window with the options for archive processing. The case-specific password collection can also be edited from within the case properties; it is stored as a UTF-16 encoded text file in the case directory, named "Passwords.txt". The general password collection is stored in a file of the same name in the installation directory or in your Windows user profile directory. Almost all Unicode characters are supported, including space characters and Chinese characters etc. Passwords are usually case-sensitive. If the collection contains the right password for a particular file archive, that password is remembered in that file's extracted metadata and taken directly from there, instead of from the password collection, if it is needed again later to read files in the archive. Alternatively, you can provide a specific password for a particular file archive manually and directly by editing that file's metadata; you just need to know that the password must be prefixed with "Password: ". (Note to French users: no space before the colon.) Files within encrypted file archives are not treated and shown as encrypted ("e" attribute) if the right password was available at the moment when the files were added to the volume snapshot. The archives themselves are still shown with the "e!" attribute. RAR archives and 7zip archives in which not only the file contents but also the file names are encrypted are not currently supported.