DFRWS 2007 Challenge: ZIP part

DFRWS 2007 Forensics Challenge

Zip format

  -------- ------ -------- -------- ------ ---------- ------
 | zip    |      |        | zip    |      | central  | end  |
 | file   | data |        | file   | data | Directory| of   |
 | header |      |        | header |      | (CD)     | file |
 |        |      |        |        |      |          |      |
  -------- ------ -------- -------- ------ ---------- ------
                                           /
                                          /
                                        -------- -------- --------
                                       | CD     | CD     | CD     |
                                       | file   | file   | file   |
                                       | header | header | header |
                                       |        |        |        |
                                        -------- -------- --------

Forensic process (zip)

After scanning the target image, locate the central directory.
Use the information in the central directory to find where each zip file header is.
From the information in each zip file header, find where the data of each archived entry is stored,
and salvage it.
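The walk just described, as an added Python example (not the page's zip_carver.py): it finds the EOCD record, follows it to the central directory, then to each local file header, and recovers the entry data, reading every field little-endian as the ZIP format specifies. The disk image and the archive buried in it are constructed in the code, not taken from the challenge.

```python
import io, struct, zipfile, zlib

# Signatures as stored on disk. Read little-endian (the "<" below) b"PK\x05\x06" is
# 0x06054b50; a big-endian read yields 0x504b0506 and the magic check fails.
EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def carve_zip_entries(image):
    """Return [(name, data_or_None)] for every entry of every archive found in image:
    EOCD -> central directory -> CD file headers -> local file headers -> entry data."""
    results = []
    pos = image.find(EOCD_SIG)
    while pos != -1:
        # EOCD: sig, disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset, comment_len
        _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack_from("<IHHHHIIH", image, pos)
        cd_pos = pos - cd_size         # the CD ends right before the EOCD record
        base = cd_pos - cd_offset      # cd_offset is relative to the archive start, not the image
        ptr = cd_pos
        for _ in range(entries):
            if image[ptr:ptr + 4] != CD_SIG:
                break                  # CD damaged or overwritten: stop walking this archive
            # 46-byte CD file header; keep method, compressed size, name/extra/comment lengths, LFH offset
            (_, _, _, _, method, _, _, _, csize, _, nlen, xlen, clen,
             _, _, _, lfh_off) = struct.unpack_from("<IHHHHHHIIIHHHHHII", image, ptr)
            name = image[ptr + 46:ptr + 46 + nlen].decode("utf-8", "replace")
            ptr += 46 + nlen + xlen + clen
            lfh = base + lfh_off
            if image[lfh:lfh + 4] != LFH_SIG:
                results.append((name, None))   # local header not where the CD says it is
                continue
            # 30-byte local header; its sizes may be zero (data descriptor), so trust the CD's csize
            lnlen, lxlen = struct.unpack_from("<HH", image, lfh + 26)
            start = lfh + 30 + lnlen + lxlen
            raw = image[start:start + csize]
            if method == 0:                    # stored
                results.append((name, raw))
            elif method == 8:                  # deflate: raw stream, no zlib header (wbits=-15)
                results.append((name, zlib.decompress(raw, -15)))
            else:
                results.append((name, None))   # unsupported compression method
        pos = image.find(EOCD_SIG, pos + 4)
    return results

def build_sample_image():
    """Constructed test image (not from the challenge): a two-entry archive buried at offset 1000."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "hello dfrws", compress_type=zipfile.ZIP_STORED)
        zf.writestr("log.txt", "A" * 200, compress_type=zipfile.ZIP_DEFLATED)
    return b"\x00" * 1000 + buf.getvalue() + b"\xff" * 500
```

Entries whose local header is not where the central directory points come back with `None` instead of data, so a partially overwritten archive still yields its intact entries.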

Creating the index file

$ python zip_carver.py -c -i zip.idx ../dfrws-2007-challenge.img
Found ZipFileHeader in 45182679
Found ZipFileHeader in 61998274
Found ZipFileHeader in 149901830
Found ZipFileHeader in 183104516
Found EndCentralDirectory in 184153404
Found CDFileHeader in 184153338
Found EndCentralDirectory in 241807676
Found ZipFileHeader in 241807876
Found CDFileHeader in 241807610
Found ZipFileHeader in 326718001
{'EndCentralDirectory': [184153404, 241807676],
'ZipFileHeader': [45182679, 61998274, 149901830, 183104516, 241807876, 326718001],
'CDFileHeader': [184153338, 241807610]}

ZIP reconstruction

Apparently this doesn't work.

$ python zip_carver.py -m -i zip.idx ../dfrws-2007-challenge.img
Traceback (most recent call last):
File "zip_carver.py", line 268, in ?
print_structs()
File "zip_carver.py", line 191, in print_structs
ecd = Zip.EndCentralDirectory(b)
File "/Users/luffy/Documents/TOOL/DigitalForensicResearchWorkshop/2007/dfrws/BasicFormats.py", line 210, in __init__
DataType.__init__(self,buffer,*args,**kwargs)
File "/Users/luffy/Documents/TOOL/DigitalForensicResearchWorkshop/2007/dfrws/format.py", line 138, in __init__
self.data=self.read()
File "/Users/luffy/Documents/TOOL/DigitalForensicResearchWorkshop/2007/dfrws/BasicFormats.py", line 264, in read
raise e.__class__("When parsing field %r of %s, %s" % (name, self.__class__,e))
RuntimeError: When parsing field 'magic' of Zip.EndCentralDirectory, Expected value 0x6054B50, got 0x504B0506

ZIP reconstruction 2

Specifying a map doesn't work either...

$ python zip_carver.py -e 184153404.zip -M 184153404.map ../dfrws-2007-challenge.img
Traceback (most recent call last):
File "zip_carver.py", line 125, in ?
required_len = min(c.points[-1] - c.readptr, 1024*1024)
IndexError: list index out of range