Investigating 7-Zip
15/11/2021 Monday
7-Zip is a free and open-source file archiver program that can compress files, store them in compressed containers called "archives", and can decompress them as well. 7-Zip has its archive format, 7z, with a .7z file extension, but it can also read and write a variety of other formats. 7-Zip was originally developed in 1999 by Igor Pavlov.
Digital Forensics Value of 7-Zip Artifacts
Nowadays, most people choose compressed files for sharing and transferring huge volumes of data. As a result, file compression programs can provide critical data to digital investigations that shouldn’t be overlooked, since they act as data containers storing several files and directories in a compressed format.
Location of 7-Zip Artifacts
7-Zip stores its artifacts within the NTUSER.DAT hive at: NTUSER.DAT\Software\7-Zip\
Structure of 7-Zip Artifacts
The NTUSER.DAT file is a registry hive file. The registry file format is a binary file like a filesystem with a group of keys, subkeys, and values. These files are used by the operating system to store user, system, and application configurations.
Analyzing 7-Zip Artifacts with ArtiFast Windows
This section discusses how to use ArtiFast Windows to analyze 7-Zip artifacts from Windows
machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase,
you can select 7-Zip artifacts:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of 7-Zip artifacts in ArtiFast Windows.
7-Zip Archived Files History Artifact
The artifact extracts the list of archived
files using Add to Archive window.
- Last Update - The date and time when the key was last updated.
- Archive Path - Archive file location.
7-Zip Folder History Artifact
The artifact extracts opened archived history.
- Last Update - The date and time when the key was last updated.
- Folder Path - Folder Path.
7-Zip Copy History Artifact
The artifact extracts folder locations where files were
extracted using the Copy button inside 7-zip.
- Last Update - The date and time when the key was last updated.
- Folder Path - Folder Path.
7-Zip Extract History Artifact
The artifact displays folder locations where files
were extracted using 'Extract' inside 7-zip or context menu.
- Last Update - The date and time when the key was last updated.
- Folder Path - Folder Path.
7-Zip Working Folder Option Artifact
The artifact parses working folder options.
- Last Update - The date and time when the key was last updated.
- Folder Type - Working folder type.
- Folder Path - Working folder location.
- Removable Drive Only - This shows if working folders are for removable drives only.
7-Zip Default Panels Path Artifact
The artifact shows the last folder the user
checked using 7-zip GUI.
- Last Update - The date and time when the key was last updated.
- Panel-1 Path - Main panel's last folder path.
- Panel-2 Path - Second panel's last folder path if two panels are enabled in view.
For more information or suggestions please contact: lina.alsoufi@forensafe.com
