WinRAR is a file archiver used to create and view archives in the RAR and ZIP file formats. Both formats are widely used for lossless data compression, which allows more efficient data transfer.
According to WinRAR’s official website, it has more than 500 million users worldwide. Given its popularity and wide usage, WinRAR can be considered an important source of evidentiary information during investigations. Besides the left-behind registry information mentioned in the previous blog, WinRAR artifacts retain information related to the files accessed by the user as well as registration information.
In addition to the location mentioned in the previous blog, WinRAR artifacts can be found at the following location:
%Systempartition%\%Username%\AppData\Local\Temp
This section discusses how to use ArtiFast Windows to analyze WinRAR artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase,
you can select WinRAR artifacts:
Once the ArtiFast parser plugins finish processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities.
Below is a detailed description of Windows WinRAR Accessed Files and WinRAR Registration Information artifacts.
You can refer to the previous blog for the details related to WinRAR registry artifacts.
WinRAR Accessed Files
WinRAR Registration Information
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com