WinZip is a cross-platform trialware that helps users to zip, unzip, share, organize and manage files. WinZip was introduced in 1991 and developed based on MS-Dos PKZIP archive format, which Phil Katz invented. WinZip is one of the most popular file compression tools. Currently, it supports PDF editing and operating system optimizing features in addition to compression features.
Given its popularity and wide usage, WinZip is considered an essential source of evidentiary information during investigations. Forensic analysis of WinZip can mainly provide details about zipped, archived, and shared files.
WinZip artifacts are located at NTUSER.DAT\Software\ Nico Mak Computing
The figure below shows the WinZip artifact-related keys in the registry. WinZip artifact contains the user’s email address, extracted zip files, archived files, and user directories.
This section will discuss how to use ArtiFast Windows to extract WinZip artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select WinZip artifacts:
Once ArtiFast parser plugins complete processing the artifacts for analysis, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of WinZip artifacts in ArtiFast.
WinZip Account: This artifact shows the information about the user account.
WinZip Addresses: This artifact shows the receivers’ email addresses.
WinZip Extraction: This artifact shows the information about the extracted ZIP files.
WinZip Archives: This artifact shows the information about the Archived files.
For more information or suggestions please contact: firstname.lastname@example.org