I have to read some data stored by a third party application in an Access 2000 database. The vendor is no longer around to ask questions.

One table contains image data that appears to be compressed - because the original application can export the contents of the blob field to an embedded png image in an xls export file.

I have extracted the contents of the record using ADO and Delphi (TADOBlobStream), saved it to disk and opened it with a hex editor.

The first 100 characters in hex are as follows

F8 1B 00 00 07 C0 24 27 01 40 7F 20 EC 5D 24 2D 88 5C F0 A7 49 91 4A C4 EA 85 D2 98 6A B5 79 D7 B7 2B D5 48 F8 1B 00 00 07 C0 24 27 01 40 7F 20 EC 5D 24 2D 88 5C F0 A7 49 91 4A C4 EA 85 D2 98 6A B5 79 D7 B7 2B D5 48 1A 9A C8 D3 54 E3 A3 E4 F5 29 C6 97 22 95 6A 8E 10 BD 3E 4B 0B 11 AA 6D A8 C6 87 92

Can anyone tell me if this conforms to a commonly used compression algorithm? The 3rd party application would seem to use the zlib encoding method because of the presence of an encoding dll in its bin directory. But using zlib to decompress does not yield a PNG. FYI, the saved file is about 20% of the size of the PNG file embedded into the XLS.

Thanks

A: 

Universal Extractor can give you some answers. It is open source. http://legroom.net/software/uniextract

Havenard
A: 

You said when you used zlib to decompress it that it wasn't a PNG. Have you checked to see if it's some other image format? Maybe JPEG or GIF - maybe even a bitmap?

Joshua
A: 

Thanks for the link to the Universal extractor - unfortunately it could not determine the compression type. I've also tried renaming the file and opening as a jpeg, bmp etc. No luck yet.

Welcome to Stack Overflow. What you have posted here is listed as an *answer* to your question — you had to click the "answer your question" button before you could type anything. But it's obviously not an answer. Please use the "add comment" command to reply to others' answers. You're not allowed to comment until you reach a certain reputation level, but that rule is waived for everything on your own question's page. (Commenting also *notifies* the answerer that you have commented, whereas answerers don't get told about other answers.)
Rob Kennedy
Thanks Rob, I can see the add comment button (for this) but could not see it to respond to the other answers.
You need to be logged in using the same account. I thought you were, since your icon looks the same, but apparently not. You can use the "contact us" link at the bottom of the page to ask an admin to merge your accounts.
Rob Kennedy
A: 

I'm not sure how to test it but Pkware at least used to market (presumably they still do but I haven't looked in ages) a compressor meant for incorporation into a program. It is designed to work on a raw stream of data in memory and thus it won't leave any obvious signature on the data it compresses.

I would try feeding your data stream to their decompressors (I'm aware of two very different versions) and see if they spit out something that looks more reasonable.

Their SDKs are here: http://www.pkware.com/software-developer-tools-margin/software-developer-kits

I used the old DOS-era one; the Windows version was too expensive and I never dealt with it.

Loren Pechtel
+4  A: 

Try a differencing attack.

  1. Extract two images from the database using the report / program as described.
  2. Perform a binary difference on the PNG files.
  3. Perform a binary difference on the source blobs in the database.

Compare the differences between the files in blob format and PNG format. This should help in determining if the blob data is a completely different format or just a wrapper.

Also try comparing two different image blobs to each other - see what changes and what (if anything) stays the same.

Will Bickford
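
The differencing procedure from the answer above, as an added example in Python that is not part of the original thread: it measures the shared prefix and suffix of two files and tests whether a blob holds the exported PNG verbatim or as a zlib stream at some offset. The sample PNGs, the `IMG0` tag and the length field are constructed assumptions, not the asker's data or the vendor's format.

```python
import struct
import zlib

def common_prefix(a: bytes, b: bytes) -> int:
    """Length of the identical leading run (a candidate fixed header)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def common_suffix(a: bytes, b: bytes) -> int:
    """Length of the identical trailing run (a candidate fixed trailer)."""
    return common_prefix(a[::-1], b[::-1])

def relate(blob: bytes, png: bytes):
    """Classify how a stored blob relates to the PNG exported from it."""
    at = blob.find(png)
    if at >= 0:
        return ("verbatim", at)          # plain wrapper around the PNG
    for off in range(len(blob) - 1):
        cmf, flg = blob[off], blob[off + 1]
        # zlib header: CM == 8 (deflate), CINFO <= 7, CMF*256+FLG divisible by 31
        if cmf & 0x0F != 8 or cmf >> 4 > 7 or ((cmf << 8) | flg) % 31:
            continue
        try:
            if zlib.decompressobj().decompress(blob[off:]) == png:
                return ("zlib", off)     # wrapper around a zlib stream
        except zlib.error:
            pass                         # header-like bytes, but not a stream
    return ("unknown", -1)               # different format or another codec

# Constructed stand-ins (not real images, not the asker's data); the b"IMG0"
# tag and the length field are a hypothetical container layout.
MAGIC, TAIL = b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"
png_a, png_b = MAGIC + b"A" * 64 + TAIL, MAGIC + b"B" * 64 + TAIL

def wrap(png: bytes) -> bytes:
    z = zlib.compress(png)
    return b"IMG0" + struct.pack("<I", len(z)) + z

blob_a, blob_b = wrap(png_a), wrap(png_b)

if __name__ == "__main__":
    print("PNG  prefix/suffix:", common_prefix(png_a, png_b), common_suffix(png_a, png_b))
    print("blob prefix/suffix:", common_prefix(blob_a, blob_b), common_suffix(blob_a, blob_b))
    print("blob_a vs png_a:", relate(blob_a, png_a))
    print("question's first bytes:", relate(bytes.fromhex("F81B000007C02427"), png_a))
```

Bytes that stay constant across every blob are container structure; bytes that vary with the image are payload or length fields.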
A: 

I was curious about this so I decided to take a look. I needed to get it into binary form, so to save the next guy some work, I did this in python. Hope it helps:

#!/usr/bin/python
from zlib import decompress

# First 100 bytes of the blob, copied from the question.
# bytes.fromhex() skips the spaces between the hex pairs.
data = bytes.fromhex(
    "F8 1B 00 00 07 C0 24 27 01 40 7F 20 " +
    "EC 5D 24 2D 88 5C F0 A7 49 91 4A C4 EA 85 D2 98 6A B5 79 D7 B7 2B " +
    "D5 48 F8 1B 00 00 07 C0 24 27 01 40 7F 20 EC 5D 24 2D 88 5C F0 A7 " +
    "49 91 4A C4 EA 85 D2 98 6A B5 79 D7 B7 2B D5 48 1A 9A C8 D3 54 E3 " +
    "A3 E4 F5 29 C6 97 22 95 6A 8E 10 BD 3E 4B 0B 11 AA 6D A8 C6 87 92")

# Try a plain zlib inflate and save the result (binary mode) for inspection
with open('/tmp/data', 'wb') as f:
    f.write(decompress(data))
Mark Renouf
So much for that idea: Traceback (most recent call last): File "<stdin>", line 1, in <module> zlib.error: Error -3 while decompressing data: incorrect header check
Mark Renouf
You can convert hex to binary and vice versa in vim using %!xxd and %!xxd -r.
Will Bickford