Blog >> WinRAR

Investigating WinRAR

05/05/2023 Friday

WinRAR is a file archiver tool which is used to create and view archives in RAR and ZIP file formats. These two formats are widely used to create a lossless data compression version of a file; hence, allowing more efficient data transfer capability.

Digital Forensics Value of WinRAR

According to WinRAR’s official website, it has over than 500 million users worldwide. Given its popularity and wide usage, WinRAR’s can be considered as an important source of evidentiary information during investigations. Besides the left-behind registry information mentioned in the previous blog., WinRAR artifacts retain information related to the files accessed by the user as well as registration information.

Location of WinRAR Artifacts

In addition to the location mentioned in the previous blog, WinRAR artifacts can be found at the following location:

%Systempartititon%\%Username%\AppData\Local\Temp

Analyzing WinRAR Artifacts with ArtiFast

This section discusses how to use ArtiFast Windows to analyze WinRAR artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select WinRAR artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities.
Below is a detailed description of Windows WinRAR Accessed Files and WinRAR Registration Information artifacts. You can refer to the previous blog for the details related to WinRAR registry artifacts.

WinRAR Accessed Files

• File Name - The name and extension of the file.
• Folder Name - The name of the parent folder.
• File Path - The path of the file.
• Created Date/Time - The created date/time of the file in the file system.
• Last Accessed Date/Time - The last accessed date/time of the file in the file system.
• Last Modified Date/Time - The last modified date/time of the file in the file system.
• Size - The size of the file in bytes.

WinRAR Registration Information

• License Name - The name of the owner of the license.
• License Type - TThe type of the license.
• User ID - The user ID.

For more information or suggestions please contact: [email protected]