NEW SANS Stay Sharp Training - Live Online: Quickly sharpen your skills with 2-day management courses. Save 25% thru tomorrow!


To attend this webcast, login to your SANS Account or create your Account.

Extracting Evidence from ZIP Files

  • Wednesday, September 30, 2020 at 5:30 PM AEST (2020-09-30 07:30:00 UTC)
  • Josh Lemon

You can now attend the webcast using your mobile device!



How and when timestamps change on a Windows system are well documented, but what happens to timestamps when threat actors ZIP up all the data they have collected in your network and exfiltrate it?

Being able to accurately determine the original timestamps of the contents within a ZIP file could determine when the data was stolen and what else the threat actor was doing in your network at the same time.

Josh will walk you through new research that looks at what forensic artefacts you can extract from a ZIP file, what timestamps are useful and reliable, along with what tools will provide you with the answers you need to analyse a ZIP file forensically.

Speaker Bio

Josh Lemon

Josh Lemon is a Managing Director at Ankura, leading their Digitial Forensics and Incident Response practice in Australia where he assists government and commercial clients with sophisticated compromises, maturing their cyber defence and response programs, and threat hunting for malicious adversaries. He is also a Certified Instructor for the SANS Institute where he teaches the "Advanced Incident Response and Threat Hunting" (FOR508) and the "Advanced Network Forensics" (FOR572) courses.

Josh has over a decade of experience in the incident response and digital forensic industry, he previously worked as a Director at in their international Salesforce Security Response Centre (SSRC), where he headed up the team responsible for looking at new cutting edge ways to approach incident response at scale. He has also held the role of CSIRT Manager for the Commonwealth Bank of Australia, and as a Managing Consult for BAE Systems Applied Intelligence where he was responsible for all technical cybersecurity services for the Asia Pacific region, including, overseeing large and complex incident response and offensive security engagements.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.