Encrypted 7Z Archives in XWF

digital forensics

Ordinarily, X-Ways Forensics is capable of exploring archives. The details of this capability is documented in the manual, section 6.3.4.

I encountered a 7Z archive that I was not able to explore, despite knowing the password. After entering a known, valid, password, the decryption window would continue to popup.

To assure myself the archive’s password does work, I used an associated viewer program to open the archive with 7-Zip File Manager. I was able to validate that the password is correct, and view the archive’s contents.

When I attempted to open the archive via Windows explorer, a file list of the archive was not available. Ah ha. This consistent for encrypted archives created with “Encrypt file names” enabled.

When creating an encrypted 7Z archive with 7-Zip File Manager, an option is available to enable “Encrypt file names.” Checking this box will require a password to read the file list.
Contents of encrypted 7Z archive is viewable if “Encrypt file names” is not enabled.

The manual explicitly states that “RAR archives and 7Z archives in which not only the file contents, but also the names are encrypted are not currently supported.” Therefore, my initial observation of not being able to explore the archive within XWF is expected. Perhaps it may be supported in the future.

Applicable Lessons

After refining a volume snapshot, XWF may log notable events. These logged events may provide context, in the form of an automatically generated report table, for certain files that may warrant further examination (5.7, Report Tables). For this example, a report table, “Unable to explore,” was associated for the file, “7z_encrypt_file_names.7z.” This makes sense as it is known the file names are encrypted, too.

msglog.txt
The attribute, “e!”, indicates the file has “file type specific encryption/DRM”. The “A” is for the general NTFS property flag, archive (0x0020), within the $STANDARD_INFORMATION attribute at byte range 32-351.

To review these types of archives, the report table column may be filtered for “Unable to explore”. Additional filtering for items with the attribute, “e!” may be helpful.

To open the archive outside XWF, there are options:

  1. The archive may then be saved outside of XWF (Recover/Copy). The contents may be extracted with 7-Zip File Manager program from Windows explorer.
  2. The volume/evidence file container may be mounted as a drive letter (5.16, Mount As Drive Letter). Extract the contents with 7-Zip File Manager. The contents may be extracted with 7-Zip File Manager program from Windows explorer.
  3. The Directory Browser’s context menu may also used to open the encrypted archive with file name encryption with an associated program (Viewer Programs | Associated Program).

For encrypted archives without file name encryption enabled, the known password may be entered manually by editing the metadata from the Directory Browser’s context menu (6.3.4, Archive Exploration). With this method, XWF is able to explore the archive internally.

The decrypted contents of the 7Z archive after manually adding the password in the file’s metadata.

I’m glad I read the manual.

  1. Brian Carrier, File System Forensic Analysis (Upper Saddle River, NJ: Addison-Wesely, 2005), 360-361.
Advertisement

Published by Derek Eiri

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.