Extracting Evidence from ZIP Files

  • Wednesday, 30 Sep 2020 5:30PM AEST (30 Sep 2020 07:30 UTC)
  • Speaker: Josh Lemon

How and when timestamps change on a Windows system is well documented, but what happens to timestamps when threat actors ZIP up all the data they have collected in your network and exfiltrate it?

Being able to accurately determine the original timestamps of the contents of a ZIP file could establish when the data was stolen and what else the threat actor was doing in your network at the same time.

Josh will walk you through new research that looks at what forensic artefacts you can extract from a ZIP file, what timestamps are useful and reliable, along with what tools will provide you with the answers you need to analyse a ZIP file forensically.
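As an added illustration of the kind of artefact the talk is about (this is example code written for this listing, not material from the presentation or its speaker), the following Python parses a ZIP central directory by hand and pulls out every timestamp each entry carries: the mandatory DOS date/time fields (local time, no timezone, 2-second resolution) and, where the archiver wrote them, the Info-ZIP extended timestamp extra field (0x5455, Unix seconds UTC) and the NTFS extra field (0x000a, 64-bit FILETIME at 100 ns resolution). The sample archive, its entry names and its timestamp values are all constructed in the script; the `zip_timestamps` and `build_sample_zip` function names are assumptions of this example.

```python
"""Extract DOS, extended (0x5455) and NTFS (0x000a) timestamps from a ZIP central directory."""
import io
import struct
import zipfile
from datetime import datetime, timezone

EOCD_SIG = 0x06054B50
CDH_SIG = 0x02014B50
EXT_TS_ID = 0x5455   # Info-ZIP "UT" extended timestamp: Unix seconds, UTC
NTFS_ID = 0x000A     # NTFS timestamps: 64-bit FILETIME, 100 ns resolution, UTC
FILETIME_EPOCH_DELTA = 11644473600  # seconds from 1601-01-01 to 1970-01-01


def dos_to_datetime(dos_date, dos_time):
    """DOS fields: local time of the archiving machine, no zone, seconds truncated to even values."""
    year = ((dos_date >> 9) & 0x7F) + 1980
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)  # tz-naive on purpose


def filetime_to_datetime(ft):
    return datetime.fromtimestamp(ft / 10_000_000 - FILETIME_EPOCH_DELTA, tz=timezone.utc)


def parse_extra(extra):
    """Walk the extra-field TLV list and return any timestamps it carries."""
    out = {}
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if hid == EXT_TS_ID and size >= 5:
            flags = data[0]
            names = [n for bit, n in ((1, "mtime"), (2, "atime"), (4, "ctime")) if flags & bit]
            off = 1
            for name in names:
                if off + 4 > len(data):
                    break  # the central directory form usually carries mtime only
                out["ut_" + name] = datetime.fromtimestamp(
                    struct.unpack_from("<I", data, off)[0], tz=timezone.utc)
                off += 4
        elif hid == NTFS_ID and size >= 32:
            apos = 4  # skip the 4 reserved bytes
            while apos + 4 <= size:
                tag, asize = struct.unpack_from("<HH", data, apos)
                if tag == 0x0001 and asize == 24:
                    m, a, c = struct.unpack_from("<QQQ", data, apos + 4)
                    out["ntfs_mtime"] = filetime_to_datetime(m)
                    out["ntfs_atime"] = filetime_to_datetime(a)
                    out["ntfs_ctime"] = filetime_to_datetime(c)
                apos += 4 + asize
    return out


def zip_timestamps(blob):
    """Return {entry name: {timestamp fields}} for every central directory record in a ZIP."""
    # Last EOCD signature in the file; a crafted archive comment could contain one, so a
    # production parser should validate the offsets it derives from this record.
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from("<I4H2IH", blob, eocd)
    results = {}
    pos = cd_off
    for _ in range(count):
        f = struct.unpack_from("<I6H3I5H2I", blob, pos)
        if f[0] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        dos_time, dos_date = f[5], f[6]
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = blob[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        info = {"dos": dos_to_datetime(dos_date, dos_time)}
        info.update(parse_extra(extra))
        results[name] = info
        pos += 46 + name_len + extra_len + comment_len
    return results


def build_sample_zip():
    """Constructed sample archive (not real evidence): one entry with extra-field timestamps, one without."""
    mtime = 1600000000  # 2020-09-13T12:26:40Z, chosen arbitrarily for the example

    def ft(unix):
        return (unix + FILETIME_EPOCH_DELTA) * 10_000_000

    ext_ts = struct.pack("<HHBI", EXT_TS_ID, 5, 0x01, mtime)          # flags=mtime only
    ntfs = struct.pack("<HHIHHQQQ", NTFS_ID, 32, 0, 0x0001, 24,
                       ft(mtime), ft(mtime + 100), ft(mtime - 10000))  # mtime, atime, ctime
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("docs/payroll.xlsx", date_time=(2020, 9, 13, 12, 26, 40))
        zi.extra = ext_ts + ntfs
        zf.writestr(zi, b"constructed content")
        # DOS-only entry; the odd second (8:00:01) is truncated to 8:00:00 on disk
        zf.writestr(zipfile.ZipInfo("notes.txt", date_time=(2020, 9, 14, 8, 0, 1)), b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for name, ts in zip_timestamps(build_sample_zip()).items():
        print(name)
        for k, v in ts.items():
            print("  %-11s %s" % (k, v.isoformat()))
```

Running it against a real archive is a matter of calling `zip_timestamps(open(path, "rb").read())`. The point the output makes: the DOS field for `notes.txt` has already lost a second and says nothing about the timezone the archiver ran in, whereas the `ut_` and `ntfs_` values for the first entry are UTC and, for NTFS, preserve the original creation time, which is the field an analyst most wants when reconstructing when a file was staged before exfiltration.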