This EnScript will search for, and bookmark, ZIP-file index-entries. It was designed for the recovery of data from deleted ZIP files (including MS Word *.DOCX files) that can't otherwise be recovered, either because they're partially overwritten or fragmented.

Each file in a ZIP file has a 'central' and 'local' ZIP-index-entry. Amongst the data contained in each entry is the file's relative path and file-name, last-modified date, compressed size, uncompressed size and CRC-32 value. The central index-entry for a file also has a comment field. The CRC-32 and file-length index-values for internal ZIP folders are always set to zero.

The user has the option of extracting the results into a tab-delimited file, which can be opened using Microsoft Excel, or if there are a large number of entries, imported into Microsoft Access.

In addition to extracting the index details, the user can also opt to extract the data comprising each local-index and the compressed stream that follows.

The extracted data will be written in the form of a pseudo ZIP file that the script can attempt to repair and decompress if so requested.

The name of each pseudo file will be in the following format -

• <Extraction Index>_<Evidence Name>_Raw_<Entry Name>_<Offset>_<Length>.zip

Each ZIP file that has been repaired will be named as follows -

• <Extraction Index>_<Evidence Name>_Repaired_<Entry Name>_<Offset>_<Length>.zip

If a repaired ZIP file can be decompressed, the resultant file will be named as follows -

• <Extraction Index>_<Evidence Name>_Decompressed_<Entry Name>_<Offset>_<Length>.<filename>

Should the repair of a given file fail, it may still be possible to repair it using an application such as WinRAR. This particular application can repair multiple archives at the same time.

Corrupt ZIP archives can also be repaired by EnCase. To facilitate this, the output of the script can be written into a logical evidence file (LEF).

The script has an in-built filtering capability, which allows the examiner to process only those index-entries that match the filter-criteria specified by the examiner.

These criteria can specify the relative-path/name, last-modified date, decompressed size and CRC-32 value. Note that the filter-dialog presents the CRC-32 value as a string rather than an integer value. This avoids the examiner having to enter it either as a decimal value or a hex value preceded by '0x'.

All settings (including the filter criteria) are remembered for later use.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training