 

Detecting File Compression

I have to read some data stored by a third party application in an Access 2000 database. The vendor is no longer around to ask questions.

One table contains image data that appears to be compressed - because the original application can export the contents of the blob field to an embedded png image in an xls export file.

I have extracted the contents of the record using ADO and Delphi (TADOBlobStream), saved it to disk and opened it with a hex editor.

The first 100 characters in hex are as follows

F8 1B 00 00 07 C0 24 27 01 40 7F 20 EC 5D 24 2D 88 5C F0 A7 49 91 4A C4 EA 85 D2 98 6A B5 79 D7 B7 2B D5 48 F8 1B 00 00 07 C0 24 27 01 40 7F 20 EC 5D 24 2D 88 5C F0 A7 49 91 4A C4 EA 85 D2 98 6A B5 79 D7 B7 2B D5 48 1A 9A C8 D3 54 E3 A3 E4 F5 29 C6 97 22 95 6A 8E 10 BD 3E 4B 0B 11 AA 6D A8 C6 87 92

Can anyone tell me if this conforms to a commonly used compression algorithm? The 3rd party application would seem to use the zlib encoding method because of the presence of an encoding dll in its bin directory. But using zlib to decompress does not yield a PNG. FYI, the saved file is about 20% of the size of the PNG file embedded into the XLS.

Thanks


1 Answer

Try a differencing attack.

  1. Extract two images from the database using the report / program as described.
  2. Perform a binary difference on the PNG files.
  3. Perform a binary difference on the source blobs in the database.

Compare the differences between the files in blob format and PNG format. This should help in determining if the blob data is a completely different format or just a wrapper.

Also try comparing two different image blobs to each other - see what changes and what (if anything) stays the same.

Will Bickford answered Feb 24 '26 17:02
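The blob-to-blob comparison suggested in the answer above, as an added Python example (not part of the original answer): it lists byte runs that stay constant between two blobs and probes each leading offset for a zlib stream that inflates to PNG data. The wrapper layout built by `make_sample` (length field, `IMG0` tag, zlib body) is a constructed assumption, not the vendor's actual format.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def make_sample(payload):
    # Constructed wrapper (assumption, not the vendor's real layout):
    # 4-byte little-endian payload length, 4-byte tag, then a zlib stream.
    return struct.pack("<I", len(payload)) + b"IMG0" + zlib.compress(payload)

def constant_runs(a, b, min_len=4):
    """Return (offset, length) for runs where both blobs hold the same bytes."""
    runs, start = [], None
    limit = min(len(a), len(b))
    for i in range(limit + 1):
        same = i < limit and a[i] == b[i]
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs

def find_zlib_streams(blob, max_offset=64):
    """Try to inflate from each leading offset; return (offset, data) hits."""
    hits = []
    for off in range(min(max_offset, len(blob))):
        try:
            out = zlib.decompressobj().decompress(blob[off:])
        except zlib.error:
            continue  # no valid zlib header or corrupt stream at this offset
        if out:
            hits.append((off, out))
    return hits

if __name__ == "__main__":
    # Two constructed "images" of different size stand in for two DB records.
    blob_a = make_sample(PNG_MAGIC + b"A" * 300)
    blob_b = make_sample(PNG_MAGIC + b"B" * 500)
    print("constant runs:", constant_runs(blob_a, blob_b))
    for name, blob in (("a", blob_a), ("b", blob_b)):
        for off, data in find_zlib_streams(blob):
            kind = "PNG" if data.startswith(PNG_MAGIC) else "unknown"
            print(f"blob {name}: zlib stream at offset {off}, "
                  f"{len(data)} bytes, {kind}")
```

Bytes that stay constant across records point to wrapper fields such as tags or magic values, while a successful inflate at a non-zero offset shows where the wrapper ends and the compressed body begins.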