

Performing forensics on files with Linux.


There are many ways to find files embedded inside other files. One of them is binwalk, which scans a file for the magic bytes of known formats and reports every match it finds.

This is how to use binwalk to list all embedded files inside a larger one. This takes a while with a multi-gigabyte file, but it does work.

┌──[jason@192.168.1.2][/mnt]
└──╼  ╼ $ binwalk 50B5D447-8E0B-4BB2-9462-A35594ADF1C2

This is an example of the output I got.

┌──[jason@192.168.1.2][/mnt]
└──╼  ╼ $ binwalk 50B5D447-8E0B-4BB2-9462-A35594ADF1C2
 
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
18900918      0x12067B6       MySQL MISAM compressed data file Version 6
38200253      0x246E3BD       MySQL ISAM compressed data file Version 10
70375975      0x431DA27       MySQL ISAM compressed data file Version 4
81703980      0x4DEB42C       MySQL MISAM compressed data file Version 10
137796983     0x8369D77       MySQL ISAM index file Version 2
156256915     0x9504A93       MySQL MISAM compressed data file Version 3
270769024     0x10239B80      Cisco IOS experimental microcode, for "v_JU1"
309020750     0x126B484E      Uncompressed Adobe Flash SWF file, Version 55, File size (header included) 1011657224
325846152     0x136C0488      MySQL MISAM compressed data file Version 10
340195732     0x1446F994      Cisco IOS experimental microcode, for ""
366295561     0x15D53A09      COBALT boot rom data (Flat boot rom or file system)
420219557     0x190C0AA5      Zlib compressed data, compressed
427642418     0x197D4E32      gzip compressed data, has header CRC, has 23403 bytes of extra data, has comment, last modified: 2100-08-07 02:15:20 (bogus date)
456146851     0x1B303FA3      MySQL ISAM compressed data file Version 3
462509372     0x1B91553C      MySQL MISAM compressed data file Version 6
475589043     0x1C58E9B3      Uncompressed Adobe Flash SWF file, Version 45, File size (header included) 304503068
476563380     0x1C67C7B4      GPG key trust database version 9
485681800     0x1CF2EA88      gzip compressed data, ASCII, has 10453 bytes of extra data, has comment, last modified: 2034-11-19 19:51:52
533086704     0x1FC641F0      Cisco IOS experimental microcode, for """
533266915     0x1FC901E3      Uncompressed Adobe Flash SWF file, Version 48, File size (header included) 1536645409
550042371     0x20C8FB03      Uncompressed Adobe Flash SWF file, Version 38, File size (header included) 1136723045
560222613     0x21645195      MySQL ISAM compressed data file Version 8
587812966     0x23095066      MySQL ISAM index file Version 7
594009067     0x2367DBEB      Uncompressed Adobe Flash SWF file, Version 117, File size (header included) 1278054150
594747331     0x23731FC3      MySQL MISAM compressed data file Version 10
633509859     0x25C297E3      Uncompressed Adobe Flash SWF file, Version 114, File size (header included) 1289049710
639405259     0x261C8CCB      Uncompressed Adobe Flash SWF file, Version 43, File size (header included) 611000360
639830326     0x26230936      MySQL MISAM index file Version 10
682380549     0x28AC4D05      Uncompressed Adobe Flash SWF file, Version 125, File size (header included) 1655489999
687082419     0x28F40BB3      Uncompressed Adobe Flash SWF file, Version 1, File size (header included) 623043252
705075912     0x2A069AC8      StuffIt Deluxe Segment (data): f
736896739     0x2BEC26E3      Uncompressed Adobe Flash SWF file, Version 90, File size (header included) 150431693
738833837     0x2C09B5AD      Uncompressed Adobe Flash SWF file, Version 45, File size (header included) 651271168
743770493     0x2C55097D      Cisco IOS experimental microcode, for ""
764061440     0x2D8AA700      LZ4 compressed data, legacy

To actually extract all the files found in the image, use this command. The -C parameter defines the directory in which to place the extracted files; a subdirectory is created there to hold the files as they are extracted.

┌──[jason@192.168.1.2][/mnt]
└──╼  ╼ $ sudo binwalk -e  50B5D447-8E0B-4BB2-9462-A35594ADF1C2 -C ../root/

This directory was created under /root to store all extracted files.

drwxr-xr-x  2 root root 4.0K Jul 16 12:54 _50B5D447-8E0B-4BB2-9462-A35594ADF1C2.extracted

This is the contents.

root@jason-desktop:~# ls -hula _50B5D447-8E0B-4BB2-9462-A35594ADF1C2.extracted/
total 11G
drwxr-xr-x  2 root root 4.0K Jul 16 12:54 .
drwx------ 12 root root 4.0K Jul 16 12:57 ..
-rw-r--r--  1 root root    0 Jul 16 12:48 190C0AA5
-rw-r--r--  1 root root 2.1G Jul 16 12:48 190C0AA5.zlib
-rw-r--r--  1 root root    0 Jul 16 12:48 197D4E32
-rw-r--r--  1 root root 2.1G Jul 16 12:48 197D4E32.gz
-rw-r--r--  1 root root 2.1G Jul 16 12:48 1CF2EA88.gz
-rw-r--r--  1 root root 1.9G Jul 16 12:49 2A069AC8.sit
-rw-r--r--  1 root root 1.4G Jul 16 12:51 498CAA0D.gz
-rw-r--r--  1 root root 1.2G Jul 16 12:51 565F9BAE.sit
-rw-r--r--  1 root root 325M Jul 16 12:54 894B5986.sit
-rw-r--r--  1 root root 174M Jul 16 12:54 92B75200.sit

So I managed to extract the files just fine, but I need to try and extract the data now. It was pretty successful, I think: I managed to get to the point of extracting possibly usable data, and I just need to sort through it all and see what I have.
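The two steps above (a signature scan, then carving at the reported offsets) are easy to reproduce in a few dozen lines, which helps when you want to understand why a binwalk table contains entries like an SWF with a 1.5 GB declared size or a gzip member "last modified" in 2100, and why the carved .gz and .zlib files in the listing are 2.1G each. The script below is an added example, not code from the post or from the binwalk project: it carries a constructed four-entry signature table, validates the header fields behind each magic match so implausible hits are labelled, and carves gzip and zlib streams with zlib.decompressobj, which stops at the stream's own trailer and therefore reports the real member length instead of everything from the offset to the end of the image. The sample "image" (SAMPLE) is built in memory from constructed data.

```python
"""Added example, not code from the original post: a small binwalk-style
signature scanner and carver. The signature table and the sample "image"
are constructed here so the script runs offline; binwalk's real database
is far larger and its output format is only imitated."""
import gzip
import struct
import time
import zlib

# Constructed magic-byte table (a small subset of what binwalk knows).
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\x78\x9c": "Zlib compressed data, default compression",
    b"\x78\xda": "Zlib compressed data, best compression",
    b"FWS": "Uncompressed Adobe Flash SWF file",
}


def validate(magic, desc, data, off):
    """Check the header fields behind a magic match; return a description or None."""
    if magic[:2] == b"\x1f\x8b":
        if off + 10 > len(data):
            return None
        flags, mtime = struct.unpack_from("<BI", data, off + 3)  # FLG, MTIME
        if flags & 0xE0:  # reserved flag bits must be zero in a real gzip header
            return None
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime))
        bogus = " (bogus date)" if mtime > time.time() else ""
        return f"{desc}, last modified: {stamp}{bogus}"
    if magic == b"FWS":
        if off + 8 > len(data):
            return None
        version = data[off + 3]
        size = struct.unpack_from("<I", data, off + 4)[0]
        # A declared size larger than the remaining data cannot be a real SWF here.
        flag = "" if size <= len(data) - off else " (size exceeds data; likely false positive)"
        return f"{desc}, Version {version}, File size (header included) {size}{flag}"
    if magic[0] == 0x78:
        # zlib: the 16-bit CMF/FLG header must be a multiple of 31 (RFC 1950 FCHECK).
        if ((magic[0] << 8) | magic[1]) % 31 != 0:
            return None
    return desc


def scan(data):
    """Return sorted (offset, description) hits, like binwalk's DECIMAL/DESCRIPTION columns."""
    hits = []
    for magic, desc in SIGNATURES.items():
        off = data.find(magic)
        while off >= 0:
            d = validate(magic, desc, data, off)
            if d is not None:
                hits.append((off, d))
            off = data.find(magic, off + 1)
    return sorted(hits)


def format_report(hits):
    """Render hits in the column layout binwalk prints."""
    lines = [f"{'DECIMAL':<13} {'HEXADECIMAL':<15} DESCRIPTION", "-" * 80]
    for off, desc in hits:
        lines.append(f"{off:<13} {'0x%X' % off:<15} {desc}")
    return "\n".join(lines)


def carve_stream(data, off, kind):
    """Decompress the gzip or zlib stream at off; return (payload, bytes consumed).

    decompressobj stops at the stream's own trailer, so 'consumed' is the real
    size of the member rather than everything from off to the end of the image."""
    wbits = 31 if kind == "gzip" else 15  # 31 = gzip wrapper, 15 = zlib wrapper
    dec = zlib.decompressobj(wbits)
    try:
        payload = dec.decompress(data[off:])
    except zlib.error as exc:  # a magic match inside random data, not a real stream
        raise ValueError(f"no valid {kind} stream at offset {off}: {exc}") from None
    if not dec.eof:
        raise ValueError(f"{kind} stream at offset {off} is truncated")
    consumed = len(data) - off - len(dec.unused_data)
    return payload, consumed


def build_sample():
    """Constructed test image: filler, a gzip member, a zlib stream, a bogus SWF header."""
    gz_payload = b"hello from the gzip member " * 4
    zl_payload = b"zlib payload " * 8
    gz = gzip.compress(gz_payload, mtime=0)  # mtime=0 keeps the header deterministic
    zl = zlib.compress(zl_payload)           # default level gives the 78 9c header
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 0xFFFFFFFF) + b"\x00" * 8
    filler = b"A" * 100
    data = filler + gz + filler + zl + filler + swf + filler
    layout = {
        "gzip": len(filler), "gzip_len": len(gz), "gzip_payload": gz_payload,
        "zlib": 2 * len(filler) + len(gz), "zlib_len": len(zl), "zlib_payload": zl_payload,
        "swf": 3 * len(filler) + len(gz) + len(zl),
    }
    return data, layout


SAMPLE, LAYOUT = build_sample()

if __name__ == "__main__":
    hits = scan(SAMPLE)
    print(format_report(hits))
    for off, desc in hits:
        kind = "gzip" if desc.startswith("gzip") else "zlib" if desc.startswith("Zlib") else None
        if kind:
            try:
                payload, used = carve_stream(SAMPLE, off, kind)
                print(f"carved {kind} at 0x{off:X}: {used} bytes -> {len(payload)} bytes plain")
            except ValueError as err:
                print(err)
```

Run against a real image, replace SAMPLE with the file's bytes (or an mmap of it) and compare the consumed lengths with the sizes binwalk -e produced: a carved member that decompresses cleanly after a few kilobytes is a real stream, while a hit whose decompression fails immediately is the same kind of false positive as the "Cisco IOS experimental microcode" and oversized SWF entries in the table above.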

