
Investigating WinRAR

01/11/2021 Monday

WinRAR is a file archiver program. It can combine and compress several files into one archive file. WinRAR can create and view its own archive format, RAR (file extension .rar), and archives in the ZIP format, and can decompress many other archive formats. WinRAR was originally developed in 1995 by Eugene Roshal.

Digital Forensics Value of WinRAR Artifacts

Compressed archives are the common way to share and transfer large volumes of data. File compression programs can therefore provide critical data to a digital investigation and should not be overlooked: archives act as data containers holding several files and directories in compressed form, and the archiver's own records show which archives a user created or opened.

Location of WinRAR Artifacts

WinRAR stores its artifacts within the NTUSER.DAT hive at: NTUSER.DAT\Software\WinRAR\

Structure of WinRAR Artifacts

The NTUSER.DAT file is a registry hive. A hive is a binary file organized much like a filesystem, as a tree of keys, subkeys, and values. Windows uses these files to store user, system, and application configuration, and NTUSER.DAT in particular holds the per-user settings (HKEY_CURRENT_USER) of the account it belongs to.

Analyzing WinRAR Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze WinRAR artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select WinRAR artifacts.

Once the ArtiFast parser plugins have finished processing the artifacts, they can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the WinRAR artifacts in ArtiFast Windows.

WinRAR Last Archived MRU Artifact

The artifact extracts the name of the last file archived with WinRAR through the Archive name and parameters window.

WinRAR Last Opened MRU Artifact

The artifact extracts the last opened file in WinRAR.
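As an added example that is not part of the original post or of ArtiFast, the parser below recovers the same two MRU lists from a `.reg` export of the key named above (for instance `reg export HKCU\Software\WinRAR winrar.reg` on a live system, or an offline hive tool emitting the same format). It assumes WinRAR's well-known value names `ArcHistory` (last opened archives) and `DialogEditHistory\ArcName` (names typed into the Archive name and parameters window), which this page does not list, with index "0" being the most recent entry; it also handles the `hex(1)` UTF-16LE encoding and line wrapping that `reg.exe` uses for non-ASCII paths.

```python
# Added example (not from the post). Parses a `reg export HKCU\Software\WinRAR`
# style .reg file and pulls WinRAR's two MRU lists. Assumed value names (not on
# the page): ArcHistory = last opened archives, DialogEditHistory\ArcName = names
# typed into "Archive name and parameters"; index "0" is the newest entry.
import re
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def _unescape(s):                                # .reg escapes: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)

def _decode(data):                               # value data -> str, None if not a string
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    m = re.match(r"hex\((1|2)\):(.*)$", data)    # REG_SZ/REG_EXPAND_SZ dumped as UTF-16LE
    if m:
        raw = bytes(int(b, 16) for b in m[2].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return None                                  # dword:/hex: carry no MRU text

def parse_reg_export(text):                      # -> {key_path: {value_name: str}}
    text = re.sub(r"\\\r?\n\s*", "", text)       # rejoin lines reg.exe wrapped with '\'
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            val = _decode(m["data"])
            if val is not None:
                keys[current][_unescape(m["name"])] = val
    return keys

def winrar_mru(keys, root=r"HKEY_CURRENT_USER\Software\WinRAR"):
    """Return (last_opened, last_archived), each ordered most-recent first."""
    def ordered(sub):
        vals = keys.get(root + "\\" + sub, {})
        return [vals[k] for k in sorted((k for k in vals if k.isdigit()), key=int)]
    return ordered("ArcHistory"), ordered(r"DialogEditHistory\ArcName")

# Constructed sample export (not real evidence), including a wrapped hex(1) value.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\WinRAR\ArcHistory]
"0"="C:\\Users\\alice\\Downloads\\invoice.rar"
"1"="C:\\Users\\alice\\Desktop\\photos.zip"
"2"=hex(1):45,00,3a,00,5c,00,e9,00,2e,00,\
  72,00,61,00,72,00,00,00

[HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ArcName]
"0"="D:\\backup\\project.rar"
"1"="C:\\Users\\alice\\Documents\\report.rar"
'''
```

Calling `winrar_mru(parse_reg_export(SAMPLE))` returns the opened-archive list (three entries, the third decoded from hex(1) as `E:\é.rar`) and the archived-name list, both newest first.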
