FCNS_RAR

FCNS_RAR is an EnScript for carving RAR archives based on entropy.

FCNS RAR 01

Open an existing case or create a new one, add evidence, then launch this EnScript. The following options are available.

  • Target
    • Selected
    • Other: $LogFile, pagefile.sys, Unallocated Clusters, VSS: enable/disable each one by its check box
  • Filtering Option
    • Entropy Level (1.0-7.9): the value used to decide the end of data
    • Search only starting position of each sector
  • Export
    • LEF File: specify the file path for the carved RAR files
    • TSV File: specify the file path for the carving information
    • Add LEF to Current Case

Download

FCNS_RAR_0.8.EnPack (SHA1: 5777967fcd61bdaf30141e702478131ffd591038)

License

You may use the SOFTWARE freely for personal or commercial purposes, with NO WARRANTIES.

Requirements

EnCase 7.x

Background

A normal RAR has both the header signature "\x52\x61\x72\x21\x1A\x07\x00" and the footer signature "\xC4\x3E\x7B\x00\x40\x07\x00", but there is no footer signature when the archive is encrypted. An encrypted RAR may also have the filenames within it encrypted.

Some carving tools, such as foremost and EnCase File Carver, determine the size from user-defined settings. That behavior tends to miss data or produce noisy output.

Feature

FCNS_RAR makes use of entropy to determine the end of an encrypted RAR. It searches for the following header signature.

\x52\x61\x72\x21\x1A\x07

When it finds the signature, it calculates the entropy value of every 512 bytes that follow. Since entropy indicates randomness, compressed or encrypted data scores high. FCNS_RAR checks the entropy value of each 512-byte block and treats the first score below "Entropy Level" as the end of the data.

EnCase is capable of calculating entropy, and the value ranges from 0 to 8. I checked 512-byte patterns of several encrypted RAR files and they scored over 7.5, so I set the default Entropy Level to 7.35.
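The search-then-measure loop described above, as an added Python example that is not part of FCNS_RAR or EnCase: it finds the header signature, scores each following 512-byte block with Shannon entropy, stops at the first block below the Entropy Level, and returns the offsets together with the first and last block scores (the FirstEntropy/LastEntropy values the TSV records). The sample data, the sector_aligned option and the rule that the signature block is always kept are constructed assumptions.

```python
import math

# Header signature FCNS_RAR searches for (RAR 4.x marker block without the trailing \x00)
RAR_SIGNATURE = b"\x52\x61\x72\x21\x1A\x07"
BLOCK_SIZE = 512
DEFAULT_ENTROPY_LEVEL = 7.35  # default Entropy Level from the README

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def carve_rar(data: bytes, level: float = DEFAULT_ENTROPY_LEVEL,
              sector_aligned: bool = False) -> list:
    """Return (start, end, first_entropy, last_entropy) per carved region.

    Assumption (not stated on the page): the block holding the signature is always
    kept, so a low FirstEntropy still shows up for triage; later blocks are added
    while entropy >= level, and the region ends where the first low block begins.
    """
    hits, pos = [], 0
    while True:
        start = data.find(RAR_SIGNATURE, pos)
        if start < 0:
            break
        pos = start + 1
        if sector_aligned and start % BLOCK_SIZE:
            continue  # option "Search only starting position of each sector"
        first = last = shannon_entropy(data[start:start + BLOCK_SIZE])
        end = min(start + BLOCK_SIZE, len(data))
        for off in range(start + BLOCK_SIZE, len(data), BLOCK_SIZE):
            e = shannon_entropy(data[off:off + BLOCK_SIZE])
            if e < level:
                break
            last, end = e, min(off + BLOCK_SIZE, len(data))
        hits.append((start, end, first, last))
        pos = end  # resume the search after the carved region
    return hits

# Constructed sample "image": signature + near-uniform data (entropy 8.0), zero fill,
# then a sector-aligned signature (offset 3584 = 7 * 512) inside low-entropy data.
HIGH = bytes(range(256)) * 2  # 512 bytes, every value exactly twice -> entropy 8.0
SAMPLE = (b"\x00" * 100 + RAR_SIGNATURE + HIGH[len(RAR_SIGNATURE):] + HIGH * 3
          + b"\x00" * 1436 + RAR_SIGNATURE + b"A" * 506)
```

The second hit shows why FirstEntropy is worth recording: a signature followed by low-entropy data is carved as a single 512-byte block, which flags it as a false positive or a tiny unencrypted archive rather than an encrypted one.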

Carving information is recorded in the TSV file.

FCNS RAR 02

FirstEntropy is the entropy of the first 512 bytes, and LastEntropy is the entropy of the last 512 bytes.

FCNS RAR 03

Reference

Cyber GRID View vol.1 English Edition
http://www.lac.co.jp/security/report/2015/03/19_cgview_01.html

Carving Station – RAR Files
http://www.mandiant.com/blog/carving-station-rar-files/

file_rar.c (PhotoRec)
http://git.cgsecurity.org/cgit/testdisk/tree/src/file_rar.c

RAR 5.0 archive format
http://www.rarlab.com/technote.htm