There are many ways to find files embedded inside other files; one of them is binwalk.
This is how to use binwalk to list all embedded files inside a larger one. This takes a while with a multi-gigabyte file, but it does work.
┌──[jason@192.168.1.2]─[/mnt]
└──╼ ╼ $ binwalk 50B5D447-8E0B-4BB2-9462-A35594ADF1C2
This is an example of the output I got.
┌──[jason@192.168.1.2]─[/mnt]
└──╼ ╼ $ binwalk 50B5D447-8E0B-4BB2-9462-A35594ADF1C2

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
18900918      0x12067B6       MySQL MISAM compressed data file Version 6
38200253      0x246E3BD       MySQL ISAM compressed data file Version 10
70375975      0x431DA27       MySQL ISAM compressed data file Version 4
81703980      0x4DEB42C       MySQL MISAM compressed data file Version 10
137796983     0x8369D77       MySQL ISAM index file Version 2
156256915     0x9504A93       MySQL MISAM compressed data file Version 3
270769024     0x10239B80      Cisco IOS experimental microcode, for "v_JU1"
309020750     0x126B484E      Uncompressed Adobe Flash SWF file, Version 55, File size (header included) 1011657224
325846152     0x136C0488      MySQL MISAM compressed data file Version 10
340195732     0x1446F994      Cisco IOS experimental microcode, for ""
366295561     0x15D53A09      COBALT boot rom data (Flat boot rom or file system)
420219557     0x190C0AA5      Zlib compressed data, compressed
427642418     0x197D4E32      gzip compressed data, has header CRC, has 23403 bytes of extra data, has comment, last modified: 2100-08-07 02:15:20 (bogus date)
456146851     0x1B303FA3      MySQL ISAM compressed data file Version 3
462509372     0x1B91553C      MySQL MISAM compressed data file Version 6
475589043     0x1C58E9B3      Uncompressed Adobe Flash SWF file, Version 45, File size (header included) 304503068
476563380     0x1C67C7B4      GPG key trust database version 9
485681800     0x1CF2EA88      gzip compressed data, ASCII, has 10453 bytes of extra data, has comment, last modified: 2034-11-19 19:51:52
533086704     0x1FC641F0      Cisco IOS experimental microcode, for """
533266915     0x1FC901E3      Uncompressed Adobe Flash SWF file, Version 48, File size (header included) 1536645409
550042371     0x20C8FB03      Uncompressed Adobe Flash SWF file, Version 38, File size (header included) 1136723045
560222613     0x21645195      MySQL ISAM compressed data file Version 8
587812966     0x23095066      MySQL ISAM index file Version 7
594009067     0x2367DBEB      Uncompressed Adobe Flash SWF file, Version 117, File size (header included) 1278054150
594747331     0x23731FC3      MySQL MISAM compressed data file Version 10
633509859     0x25C297E3      Uncompressed Adobe Flash SWF file, Version 114, File size (header included) 1289049710
639405259     0x261C8CCB      Uncompressed Adobe Flash SWF file, Version 43, File size (header included) 611000360
639830326     0x26230936      MySQL MISAM index file Version 10
682380549     0x28AC4D05      Uncompressed Adobe Flash SWF file, Version 125, File size (header included) 1655489999
687082419     0x28F40BB3      Uncompressed Adobe Flash SWF file, Version 1, File size (header included) 623043252
705075912     0x2A069AC8      StuffIt Deluxe Segment (data): f
736896739     0x2BEC26E3      Uncompressed Adobe Flash SWF file, Version 90, File size (header included) 150431693
738833837     0x2C09B5AD      Uncompressed Adobe Flash SWF file, Version 45, File size (header included) 651271168
743770493     0x2C55097D      Cisco IOS experimental microcode, for ""
764061440     0x2D8AA700      LZ4 compressed data, legacy
To extract all of the files found inside the file, use this command. The -C parameter sets the directory in which to place the extracted files. A subdirectory is created there to store the files as they are extracted.
┌──[jason@192.168.1.2]─[/mnt]
└──╼ ╼ $ sudo binwalk -e 50B5D447-8E0B-4BB2-9462-A35594ADF1C2 -C ../root/
This directory was created under /root to store all extracted files.
drwxr-xr-x 2 root root 4.0K Jul 16 12:54 _50B5D447-8E0B-4BB2-9462-A35594ADF1C2.extracted
These are its contents.
root@jason-desktop:~# ls -hula _50B5D447-8E0B-4BB2-9462-A35594ADF1C2.extracted/
total 11G
drwxr-xr-x  2 root root 4.0K Jul 16 12:54 .
drwx------ 12 root root 4.0K Jul 16 12:57 ..
-rw-r--r--  1 root root    0 Jul 16 12:48 190C0AA5
-rw-r--r--  1 root root 2.1G Jul 16 12:48 190C0AA5.zlib
-rw-r--r--  1 root root    0 Jul 16 12:48 197D4E32
-rw-r--r--  1 root root 2.1G Jul 16 12:48 197D4E32.gz
-rw-r--r--  1 root root 2.1G Jul 16 12:48 1CF2EA88.gz
-rw-r--r--  1 root root 1.9G Jul 16 12:49 2A069AC8.sit
-rw-r--r--  1 root root 1.4G Jul 16 12:51 498CAA0D.gz
-rw-r--r--  1 root root 1.2G Jul 16 12:51 565F9BAE.sit
-rw-r--r--  1 root root 325M Jul 16 12:54 894B5986.sit
-rw-r--r--  1 root root 174M Jul 16 12:54 92B75200.sit
So I managed to extract the files just fine, but I need to try and extract the data now. But it was pretty successful, I think: I managed to get to the point of extracting possibly usable data, and I just need to sort through it all and see what I have.
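A signature hit only says that the magic bytes occur at that offset, so one way to start sorting is to test whether each gzip/Zlib offset from the scan actually inflates. The script below is an added example, not part of the original post: the function names (compressed_hits, probe, triage, build_sample) are hypothetical, and the sample container and scan rows are constructed so that it runs offline.

```python
import gzip
import re
import zlib

# Rows of a binwalk signature scan that claim gzip or zlib data.
HIT = re.compile(r"^(\d+)\s+0x[0-9A-Fa-f]+\s+.*(?:gzip|Zlib) compressed data", re.M)

def compressed_hits(scan_text):
    """Decimal offsets of the gzip/Zlib rows in binwalk's scan output."""
    return [int(m.group(1)) for m in HIT.finditer(scan_text)]

def probe(path, offset, window=1 << 20):
    """Inflate up to `window` bytes at `offset`; return the output length,
    or -1 when zlib rejects the bytes (the signature matched non-stream data)."""
    with open(path, "rb") as fh:   # seek, so a multi-gigabyte file is never read whole
        fh.seek(offset)
        chunk = fh.read(window)
    inflater = zlib.decompressobj(47)   # 32 + 15: accept either a zlib or a gzip header
    try:
        return len(inflater.decompress(chunk))
    except zlib.error:
        return -1

def triage(path, scan_text):
    """Label every compressed-data offset 'inflates' or 'no data'."""
    return {off: "inflates" if probe(path, off) > 0 else "no data"
            for off in compressed_hits(scan_text)}

def build_sample(path):
    """Constructed test container: filler, a real gzip member, filler, and a
    gzip header followed by an invalid deflate block."""
    real = gzip.compress(b"recovered record\n" * 200)
    fake = b"\x1f\x8b\x08\x00" + b"\x00" * 6 + b"\xff" * 64
    filler = b"\xa5" * 300
    with open(path, "wb") as fh:
        fh.write(filler + real + filler + fake)
    real_off = len(filler)
    fake_off = real_off + len(real) + len(filler)
    # Constructed scan rows in binwalk's DECIMAL / HEXADECIMAL / DESCRIPTION layout.
    scan = (f"{real_off:<14}0x{real_off:<14X}gzip compressed data, from Unix\n"
            f"{fake_off:<14}0x{fake_off:<14X}gzip compressed data, has comment\n")
    return scan, real_off, fake_off

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "sample.bin")
    scan, _, _ = build_sample(sample)
    print(triage(sample, scan))
```

To use it on a real image, save the binwalk scan output to a text file and pass its contents to triage together with the path of the scanned file.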