sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Use SevenZipParser to expand Wim, Cab, Deb, Rpm, Nsis, Lzh files? #1827

Open lfcnassif opened 1 year ago

lfcnassif commented 1 year ago

I know SevenZipJBinding has been able to expand many of those formats for a long time, but I didn't think it would be worth expanding them in the past. Maybe that decision could be revisited. Should we expand those formats, or some of them, by default?

lfcnassif commented 1 year ago

I think LZH expansion is worth enabling; I'll try to find samples to test. Not sure about WIM (it works, I tested it in the past and yesterday). The other formats are not worth expanding, I think...

wladimirleite commented 1 year ago

Hi @lfcnassif! Recently @felipecampanini and our colleague Barão mentioned that expanding CAB files would be useful in some malware-related cases.

lfcnassif commented 1 year ago

> Hi @lfcnassif! Recently @felipecampanini and our colleague Barão mentioned that expanding CAB files would be useful in some malware-related cases.

Good to know! Let's add to the list then.

lfcnassif commented 1 year ago

I didn't find LZH files in real cases. @tc-wleite, when you have time, could you take a look into the São Paulo database?

And about WIM, should we expand it?

wladimirleite commented 1 year ago

> I didn't find LZH files in real cases. @tc-wleite, when you have time, could you take a look into the São Paulo database?

Ok!

wladimirleite commented 1 year ago

> I didn't find LZH files in real cases. @tc-wleite, when you have time, could you take a look into the São Paulo database?

Unfortunately, I couldn't find any LZH (also looked for LZA extension, which is mentioned in some online resources) in the cases we have here.

lfcnassif commented 1 year ago

> Unfortunately, I couldn't find any LZH (also looked for LZA extension, which is mentioned in some online resources) in the cases we have here.

Thank you for searching @tc-wleite! It seems LZH/LZA are rare, having been used by some Japanese software long ago, so I think it is not worth adding the support. Adding support without testing it is not good either. PS: We could generate artificial data, but testing with real data is important.

So, we can add support to expand CAB. And about WIM, is it worth enabling?

wladimirleite commented 1 year ago

> And about WIM, is it worth enabling?

I am not sure about WIM.