EnCase: Mount password protected zip file  

ckwongkennyw
(@ckwongkennyw)
New Member

I have a zip file with password protection in my evidence file. But every time I type in a different password, I can mount the file with View File Structure even though the password is wrong. Did anyone encounter this too? What can I do to stop this from happening? I want to check whether I have applied the correct password or not. Thank you.

Posted : 03/10/2019 10:58 am
Rich2005
(@rich2005)
Senior Member

Is the problem perhaps that you've got an archive where the filenames aren't encrypted, so EnCase can "open" it, regardless of the password?
Can you view the content of the files, and not just their names, (in a readable form) with the wrong password?

Posted : 03/10/2019 11:21 am
ckwongkennyw
(@ckwongkennyw)
New Member

I can’t view the content of the file even though I can export it after mounting the file.

Posted : 03/10/2019 11:31 am
Rich2005
(@rich2005)
Senior Member

So it sounds like what I described (if I'm understanding you correctly). I.e. you've got an archive where the filenames aren't encrypted, so you can view the content listing, but not extract the contents of them properly without the correct password.

Posted : 03/10/2019 2:42 pm
ckwongkennyw
(@ckwongkennyw)
New Member

Yes. I can view the content listing, and I can even export the file, but I cannot view the content. I am trying to develop an EnScript so that I can apply different passwords from a list to the zip file, but I am not sure whether it can be done with EnScript.


void checkCredential(EntryClass e, String password){
  EntryFileClass file = new EntryFileClass();
  CredentialClass cred();
  cred.SetPassword(password);

  if (file.Open(e, 0, cred)) {
    switch (cred.ErrorType()) {
      case CredentialClass::NONE:
        Console.WriteLine("File can be decrypted {0}, password {1}", file.Name(), password); // no errors
        break;
      case CredentialClass::BAD_EVIDENCE_FILE_PASSWORD:
        Console.WriteLine("Unable to decrypt file Bad Evidence File Password {0} , password {1}", file.Name(), password);
        break;
      case CredentialClass::BAD_PASSWORD:
        Console.WriteLine("Unable to decrypt file Bad password {0} , password {1}", file.Name(), password);
        break;
      case CredentialClass::BAD_CREDENTIALS:
        Console.WriteLine("Unable to decrypt file Bad Credentials {0}, password {1}", file.Name(), password);
        break;
      case CredentialClass::BAD_NEED_MORE_INFO:
        Console.WriteLine("Unable to decrypt file No Credentials {0}, password {1}", file.Name(), password);
        break;
    }
  }
}

Posted : 03/10/2019 3:17 pm
Rich2005
(@rich2005)
Senior Member

Ah. I'm no EnScript expert, and it's been quite a while since I've used EnCase regularly, but I would have thought this is the sort of thing Simon Key would be able to tell you. He was the EnScript wizard from what I remember and would likely know if this is possible (or if something's already been created to do what you want - or similar code). A quick Google shows he's still at Guidance (now OpenText). Might be worth trying to contact him for a quick question to save you some time.

Posted : 03/10/2019 4:22 pm
jaclaz
(@jaclaz)
Community Legend

Excuse me, as I do not know what a "normal" EnCase workflow is, nor what is your specific workflow/procedure, but wouldn't it be easier to extract the archive from the EnCase evidence file, process it "normally" (with a batch/bash script or any "try passwords from list program"), and once you have found which among the candidates is the correct password, use it inside EnCase?

jaclaz

Posted : 03/10/2019 5:28 pm
hommy0
(@hommy0)
Member

Hi,

Unless the structure of the zip archive has altered, the local file header, which precedes each file's compressed data, is in plain text. Part of the local file header includes the path and name of the file in the archive. EnCase is showing you the structure since that is in plain text, whereas you will not see decompressed file contents since as yet you have not supplied the correct credentials.

This should be similar behaviour to when you open the same archive in WinZip: you should see the structure - paths and filename. However, to extract/decompress you need to supply credentials.

If you are trying this with EnScript, it may be best to post on the EnScript part of OpenText MySupport (you should find it under the security forum).

Regards

Posted : 03/10/2019 7:29 pm
ckwongkennyw
(@ckwongkennyw)
New Member

Thank you all :) It seems better to export it and try it with PowerShell or a batch script.

Posted : 05/10/2019 3:53 am
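
Added example, not part of the original thread and not EnCase or EnScript code: a Python illustration of the behaviour hommy0 describes and of checking a password on an exported archive. It lists entry names with no password at all, then treats a password as correct only if the whole entry decrypts and its CRC-32 matches, because the header check alone is a single byte. The archive, file name and passwords are constructed, and `build_sample` and `zipcrypto_encrypt` are helpers written here only to create that sample (traditional ZipCrypto is assumed).

```python
import io, struct, zipfile, zlib

def _crc_step(crc, byte):
    # One table-driven CRC-32 step without zlib's pre/post inversion.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password, data):
    """Traditional PKWARE (ZipCrypto) stream cipher; used only to build the sample."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    out = bytearray()
    for i, b in enumerate(password + data):
        if i >= len(password):  # password bytes only set up the keys
            t = k2 | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        k0 = _crc_step(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)
    return bytes(out)

def build_sample(name, plaintext, password):
    """Constructed sample: one stored entry, encrypted data, plain-text name."""
    crc = zlib.crc32(plaintext)
    # 12-byte encryption header; its last byte is the 1-byte password check.
    body = zipcrypto_encrypt(password, bytes(11) + bytes([crc >> 24]) + plaintext)
    # version, flags (bit 0 = encrypted), method 0 = stored, time, date, ...
    meta = (20, 1, 0, 0, 0x21, crc, len(body), len(plaintext), len(name), 0)
    local = struct.pack("<4s5H3I2H", b"PK\x03\x04", *meta) + name
    central = struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, *meta, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end

def list_entries(zip_bytes):
    """Names and encryption flags: readable without any password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]

def password_is_correct(zip_bytes, name, password):
    """True only if the whole entry decrypts and its CRC-32 matches."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(name, pwd=password)  # full read forces the CRC check
            return True
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            return False

# Constructed sample data, not taken from the thread.
SAMPLE = build_sample(b"notes.txt", b"constructed sample content", b"right-pass")
```

Python's `zipfile` module only decrypts traditional ZipCrypto entries, so an AES-encrypted (WinZip AE-x) archive needs a different tool for the same check.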