ZIP Index Entry Finder
This EnScript will search for, and bookmark, ZIP-file index-entries. It was designed for the recovery of data from deleted ZIP files that can't otherwise be recovered, either because they're partially overwritten or fragmented.
Each file in a ZIP file has a 'central' and 'local' ZIP-index-entry. Amongst the data contained in each index-entry is the file's relative path and file-name, last-modified date, compressed size, uncompressed size and CRC-32 value. The central index-entry for a file also has a comment field. The CRC-32 and file-length index-values for internal ZIP folders are always set to zero.
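The index-entry layout described above, as an added example in Python (not the EnScript's own code): it scans a raw buffer for local and central entries and decodes the listed fields, presenting the CRC-32 as a hex string. The names `find_index_entries`, `dos_timestamp` and `build_sample` are hypothetical, and the sample data is constructed inline.

```python
import io
import struct
import zipfile
from datetime import datetime

# Fixed-size parts of both header types (little-endian, per the ZIP APPNOTE).
HEADERS = {"local": (b"PK\x03\x04", "<4s5H3I2H"),      # 30 bytes
           "central": (b"PK\x01\x02", "<4s6H3I5H2I")}  # 46 bytes

def dos_timestamp(date, time):
    """Decode MS-DOS date/time words to ISO text; None if not a valid date."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2).isoformat()
    except ValueError:
        return None

def find_index_entries(buf):
    """Scan raw bytes for ZIP index entries and decode the fields of each hit."""
    entries = []
    for kind, (sig, fmt) in HEADERS.items():
        size, s = struct.calcsize(fmt), int(kind == "central")  # s: extra "made by" field
        pos = buf.find(sig)
        while pos != -1:
            if pos + size <= len(buf):
                f = struct.unpack_from(fmt, buf, pos)
                mtime, mdate, crc, csize, usize, nlen, xlen = f[4 + s:11 + s]
                clen = f[12] if s else 0  # only central entries carry a comment
                name = buf[pos + size:pos + size + nlen]
                cstart = pos + size + nlen + xlen
                modified = dos_timestamp(mdate, mtime)
                # Reject chance signature hits: invalid date, or name cut off.
                if modified and nlen and len(name) == nlen:
                    enc = "utf-8" if f[2 + s] & 0x800 else "cp437"  # flag bit 11
                    entries.append({"kind": kind, "offset": pos, "modified": modified,
                                    "name": name.decode(enc, "replace"), "crc32": f"{crc:08X}",
                                    "compressed": csize, "uncompressed": usize,
                                    "comment": buf[cstart:cstart + clen].decode("cp437")})
            pos = buf.find(sig, pos + 1)
    return sorted(entries, key=lambda e: e["offset"])

def build_sample():
    """Constructed sample: 512 junk bytes, then a ZIP whose end record is cut off."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w") as zf:
        zf.writestr(zipfile.ZipInfo("docs/", (2020, 5, 17, 10, 30, 42)), b"")
        info = zipfile.ZipInfo("docs/a.txt", (2020, 5, 17, 10, 30, 42))
        info.comment = b"reviewed"
        zf.writestr(info, b"hello zip")
    return b"\x00" * 512 + raw.getvalue()[:-22]
```

Calling `find_index_entries(build_sample())` returns two local and two central entries even though the archive's end-of-central-directory record is missing; the folder entry `docs/` shows a zero CRC-32 and zero sizes.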
The user has the option of extracting the results into a tab-delimited file, which can be opened using Microsoft Excel, or if there are a large number of entries, imported into Microsoft Access.
In addition to extracting the index details, the user can also opt to extract the data comprising each local index and the compressed stream that follows.
The extracted data will be written into a pseudo ZIP file that the script can attempt to repair if so requested.
The name of each pseudo file will be in the following format:
<Extraction Index>_<Evidence Name>_<Entry Name>_<Offset>_<Length>.zip
Should the repair of a given file fail, it may still be possible to repair it using an application such as WinRAR. This particular application can repair multiple archives at the same time.
Corrupt ZIP archives can also be repaired by EnCase. To facilitate this, the output of the script can be written into a logical evidence file (LEF).
The script has an in-built filtering capability, which allows the examiner to process only those index-entries that match the filter-criteria specified by the examiner.
These criteria can specify the relative-path/name, last-modified date, decompressed size and CRC-32 value. Note that the filter-dialog presents the CRC-32 value as a string rather than an integer value. This avoids the examiner having to enter it either as a decimal value or a hex value preceded by '0x'.
All settings (including the filter criteria) are remembered for later use.
Use of this script is demonstrated on the Guidance Software Inc. DF320 Advanced Analysis of Windows Artifacts with EnCase training course where it's used to recover the component parts of a deleted Microsoft Word document.