My Road to Digital Forensics Excellence

Analysis of Encrypted ZIP Files

Posted by Paul Bobby on November 4, 2008

The following is a practical demonstration of the file structure of ZIP archives, specifically those created by Winzip, and of how any encryption involved can be identified from the headers.


For this I used Winzip 9.0 SR1 and created four separate ZIP files, each containing a single file. The first zip was unencrypted, the second used ZIP encryption, the third 128-bit AES and the fourth 256-bit AES.

Is the ZIP file encrypted?

Bytes 7 and 8 are the General Purpose Bit Flag field. The value is read little-endian, and if bit 0 is set to 1, the contents of the ZIP file are encrypted.


With bit 0 of the General Purpose Bit Flag set to 1 and the Compression Method set to 99 (0x63), this ZIP file has been encrypted using AES.

Furthermore, the AES header that is added to the file header of each file in the archive contains data specific to the AES implementation and to the encryption of that particular file.


The AES header signature (0x9901) is followed by the data size, vendor version and vendor ID values. Highlighted in the hex dump is the Encryption Strength field, whose value is one of:

  • 0x01 = 128-bit
  • 0x02 = 192-bit
  • 0x03 = 256-bit

And finally, the Compression Method field of the AES header contains the real value that would otherwise have been in the local and central headers of the archive (0x0800 as it appears in the dump, i.e. method 8, deflated).

In Winzip 9.0, AES is the only strong algorithm implemented. Newer versions also allow the filenames within the archive to be encrypted, and offer a variety of cryptographic algorithms.
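As an added example, and not code from the original post, the following Python script applies the checks described above to the raw bytes of a ZIP local file header: it reads the General Purpose Bit Flag (the post's bytes 7 and 8, counting from 1; offset 6 counting from 0), tests bit 0, checks whether the Compression Method is 99, and if so walks the extra field looking for the 0x9901 AES header to recover the vendor version, vendor ID, encryption strength and real compression method. The four sample headers are constructed inline to mirror the four archives in the post (unencrypted, ZIP encryption, AES-128, AES-256); they are not the author's files. The function and field names are my own.

```python
import struct
from typing import Any, Dict, List, Tuple

LOCAL_HEADER_SIG = 0x04034B50   # "PK\x03\x04", start of a local file header
AES_EXTRA_ID = 0x9901           # WinZip AES extra-field header ID
FLAG_ENCRYPTED = 0x0001         # bit 0 of the General Purpose Bit Flag
METHOD_AES = 99                 # placeholder compression method used for AES entries

AES_STRENGTH = {0x01: "AES-128", 0x02: "AES-192", 0x03: "AES-256"}
METHOD_NAMES = {0: "stored", 8: "deflated"}


def parse_extra_fields(extra: bytes) -> List[Tuple[int, bytes]]:
    """Split a ZIP extra field into (header_id, data) pairs.

    Each sub-field is a 2-byte ID and a 2-byte length (little-endian)
    followed by that many data bytes; several sub-fields may be chained.
    """
    fields = []
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        fields.append((header_id, extra[pos + 4:pos + 4 + size]))
        pos += 4 + size
    return fields


def parse_aes_extra(data: bytes) -> Dict[str, Any]:
    """Decode the 7-byte body of the 0x9901 AES extra field."""
    vendor_version, vendor_id, strength, real_method = struct.unpack_from("<H2sBH", data)
    return {
        "vendor_version": vendor_version,                    # 1 = AE-1, 2 = AE-2
        "vendor_id": vendor_id.decode("ascii", "replace"),   # normally "AE"
        "strength": AES_STRENGTH.get(strength, "unknown (0x%02x)" % strength),
        "real_method": real_method,                          # the method that 99 stands in for
    }


def analyze_local_header(buf: bytes, offset: int = 0) -> Dict[str, Any]:
    """Parse one local file header at `offset` and classify its encryption scheme."""
    fields = struct.unpack_from("<IHHHHHIIIHH", buf, offset)
    sig, _ver, flags, method, _t, _d, _crc, _csize, _usize, name_len, extra_len = fields
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("no local file header signature at offset %d" % offset)
    name_start = offset + 30                       # fixed part of the header is 30 bytes
    filename = buf[name_start:name_start + name_len]
    extra = buf[name_start + name_len:name_start + name_len + extra_len]

    encrypted = bool(flags & FLAG_ENCRYPTED)
    aes = None
    if method == METHOD_AES:
        for header_id, data in parse_extra_fields(extra):
            if header_id == AES_EXTRA_ID and len(data) >= 7:
                aes = parse_aes_extra(data)

    # Same decision order as the post: bit 0 says "encrypted", method 99 says
    # "AES", and the 0x9901 extra field says which key size.
    if not encrypted:
        scheme = "none"
    elif method == METHOD_AES and aes is not None:
        scheme = aes["strength"]
    elif method == METHOD_AES:
        scheme = "AES (0x9901 extra field missing)"   # inconsistent header, worth a closer look
    else:
        scheme = "ZipCrypto"                          # traditional "ZIP encryption"

    return {
        "filename": filename.decode("utf-8", "replace"),
        "encrypted": encrypted,
        "method": method,
        "method_name": METHOD_NAMES.get(method, str(method)),
        "aes": aes,
        "scheme": scheme,
    }


# ---- constructed sample headers (not the archives from the post) ---------------

def build_local_header(flags: int, method: int, extra: bytes = b"",
                       name: bytes = b"secret.txt") -> bytes:
    """Build a minimal local file header (no data area) for testing."""
    return struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, method,
                       0, 0, 0, 0, 0, len(name), len(extra)) + name + extra


def build_aes_extra(strength: int, real_method: int = 8, vendor_version: int = 2) -> bytes:
    """Build a WinZip 0x9901 extra field (AE-2 by default)."""
    body = struct.pack("<H2sBH", vendor_version, b"AE", strength, real_method)
    return struct.pack("<HH", AES_EXTRA_ID, len(body)) + body


SAMPLES = {
    "plain":     build_local_header(flags=0x0000, method=8),
    "zipcrypto": build_local_header(flags=0x0001, method=8),
    "aes128":    build_local_header(flags=0x0001, method=99, extra=build_aes_extra(0x01)),
    "aes256":    build_local_header(flags=0x0001, method=99, extra=build_aes_extra(0x03)),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        info = analyze_local_header(raw)
        print("%-9s bit0=%d method=%-3d -> %s" % (label, info["encrypted"], info["method"], info["scheme"]))
```

To run it against a real archive, read the file and call `analyze_local_header` at offset 0 (the first local file header); a central directory scan would apply the same flag and method checks to each entry's central header.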

