EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

ZIP Index Entry Finder

This EnScript will search for, and bookmark, ZIP-file index-entries. It was designed for the recovery of data from deleted ZIP files that can't otherwise be recovered, either because they're partially overwritten or fragmented.

Each file in a ZIP file has a 'central' and 'local' ZIP-index-entry. Amongst the data contained in each index-entry is the file's relative path and file-name, last-modified date, compressed size, uncompressed size and CRC-32 value. The central index-entry for a file also has a comment field. The CRC-32 and file-length index-values for internal ZIP folders are always set to zero.
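The index-entry layout described above can be illustrated with a short Python sketch. This is an added example, not the EnScript's own code: it scans raw bytes for local (`PK\x03\x04`) and central (`PK\x01\x02`) entries and decodes the fields listed above. The function names are hypothetical and the sample buffer is constructed test data.

```python
import io, struct, zipfile
from datetime import datetime

# (signature, kind, layout of the fixed-size part, leading fields to skip)
LAYOUTS = ((b"PK\x03\x04", "local", "<4s5H3I2H", 1),
           (b"PK\x01\x02", "central", "<4s6H3I5H2I", 2))

def dos_datetime(d, t):
    """Decode MS-DOS date/time words; None when they do not form a valid timestamp."""
    try:
        return datetime((d >> 9) + 1980, (d >> 5) & 0xF, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:
        return None

def find_index_entries(buf):
    """Return decoded local/central index entries found anywhere in raw bytes."""
    hits = []
    for sig, kind, fmt, skip in LAYOUTS:
        size, pos = struct.calcsize(fmt), buf.find(sig)
        while pos != -1:
            if pos + size <= len(buf):
                f = struct.unpack_from(fmt, buf, pos)[skip:]
                _, flags, _, t, d, crc, csize, usize, nlen, xlen = f[:10]
                name_at = pos + size
                name = buf[name_at:name_at + nlen].decode("utf-8" if flags & 0x800 else "cp437", "replace")
                when = dos_datetime(d, t)
                if nlen and when:  # cheap sanity check against chance signature hits
                    entry = dict(kind=kind, offset=pos, name=name, modified=when,
                                 crc32=f"{crc:08X}", compressed=csize, uncompressed=usize)
                    if kind == "central":  # only the central entry carries a comment
                        c_at = name_at + nlen + xlen
                        entry["comment"] = buf[c_at:c_at + f[10]].decode("cp437", "replace")
                    hits.append(entry)
            pos = buf.find(sig, pos + 1)
    return sorted(hits, key=lambda e: e["offset"])

def build_damaged_sample():
    """Constructed data: a small ZIP minus its end-of-central-directory record, inside filler."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as z:
        z.writestr(zipfile.ZipInfo("docs/", (2017, 3, 14, 9, 26, 52)), b"")
        info = zipfile.ZipInfo("docs/report.txt", (2017, 3, 14, 9, 26, 52))
        info.comment = b"draft"
        z.writestr(info, b"recovered text")
    return b"\x00" * 100 + mem.getvalue()[:-22] + b"\xff" * 50

if __name__ == "__main__":
    for e in find_index_entries(build_damaged_sample()):
        print(e)
```

The constructed sample cannot be opened as a normal archive because its end-of-central-directory record is missing, yet all four index entries are still found by signature.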

The user has the option of extracting the results into a tab-delimited file, which can be opened using Microsoft Excel, or if there are a large number of entries, imported into Microsoft Access.

In addition to extracting the index details, the user can also opt to extract the data comprising each local index and the compressed stream that follows.

The extracted data will be written into a pseudo ZIP file that the script can attempt to repair if so requested.

The name of each pseudo file will be in the following format:

<Extraction Index>_<Evidence Name>_<Entry Name>_<Offset>_<Length>.zip

Should the repair of a given file fail, it may still be possible to repair it using an application such as WinRAR. This particular application can repair multiple archives at the same time.

Corrupt ZIP archives can also be repaired by EnCase. To facilitate this, the output of the script can be written into a logical evidence file (LEF).

The script has an in-built filtering capability, which allows the examiner to process only those index-entries that match the filter-criteria specified by the examiner.

These criteria can specify the relative-path/name, last-modified date, decompressed size and CRC-32 value. Note that the filter-dialog presents the CRC-32 value as a string rather than an integer value. This avoids the examiner having to enter it either as a decimal value or a hex value preceded by '0x'.

All settings (including the filter criteria) are remembered for later use.

Use of this script is demonstrated on the Guidance Software Inc. DF320 Advanced Analysis of Windows Artifacts with EnCase training course where it's used to recover the component parts of a deleted Microsoft Word document.

Version: 5.0.0
Tested with:
EnCase Forensic 8.05
Developer: Simon Key
Category: Utility

2489 DOWNLOADS
