Unexpected ZIP Detection

Concatenating a ZIP file onto another file, such as a JPEG, is a well-known method of trying to hide files from inspection. Users can zip up their sensitive files, then append the archive to the other file using something as ordinary as the Windows copy command-line tool. The result is a file that behaves like a JPEG when opened by a user or inspected by security tools, but that can also be successfully unzipped to recover the original sensitive files. In this way, a user with no knowledge of file formats and access only to commonly installed programs can create files that escape both human and automated inspection.

File Content Extraction has an option to detect ZIP files that have been appended in this way, regardless of the initial mask file used.

To enable unexpected ZIP detection

  • In the Python API, call the method unexpected_zip_detection on your session configuration. For example:

    session.config.unexpected_zip_detection(True)

    File Content Extraction will throw an exception when it detects an unexpected ZIP file.

  • In formats.ini, set the following parameter to TRUE.

    [Options]
    UnexpectedZipDetection=TRUE

NOTE: Setting the option through the API overrides any settings in formats.ini.
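The check below is an added illustration of how an appended archive can be recognised regardless of the mask file in front of it; it is not code from File Content Extraction or its API. It locates the ZIP End Of Central Directory record and compares where the central directory actually sits with where the archive claims it is: any positive difference is a foreign prefix, and the sample input is a constructed JPEG-like blob with a real ZIP concatenated after it.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory signature
LOCAL_SIG = b"PK\x03\x04"  # local file header signature (start of a ZIP)
EOCD_MIN = 22              # fixed EOCD size without the trailing comment
MAX_COMMENT = 0xFFFF       # archive comment length is a 16-bit field


def appended_zip_offset(data: bytes):
    """Return the offset at which an appended ZIP archive begins, or None if
    the data is not a ZIP or is an ordinary ZIP that starts at offset 0."""
    # Search backwards for the EOCD; it may be followed by a comment of up to
    # 65535 bytes, so the search window covers that much of the tail.
    tail_start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    eocd_pos = data.rfind(EOCD_SIG, tail_start)
    if eocd_pos < 0 or len(data) - eocd_pos < EOCD_MIN:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd_pos + 12)
    actual_cd_pos = eocd_pos - cd_size
    prefix_len = actual_cd_pos - cd_offset  # bytes that precede the real ZIP
    if prefix_len <= 0:
        return None  # central directory is where the archive says: normal ZIP
    if not data.startswith(LOCAL_SIG, prefix_len):
        return None  # structure is inconsistent; not a cleanly appended ZIP
    return prefix_len


def appended_zip_names(data: bytes):
    """List the entries of an appended ZIP, or [] when none is detected."""
    offset = appended_zip_offset(data)
    if offset is None:
        return []
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed sample: a minimal JPEG-like blob (SOI ... EOI, 70 bytes)
    followed by a real ZIP, as `copy /b image.jpg + secret.zip` would make."""
    jpeg_like = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "constructed sensitive content")
    return jpeg_like + buf.getvalue()
```

A scanner that flags `appended_zip_offset(data) is not None` catches the hidden archive even though the file still opens as an image.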