Abstract
While the overall structure of ZIP files is defined, their detailed structure differs depending on the operating system and application that created the file. These characteristics are also affected by the environment in which the file was first created or later modified. Conversely, analyzing the structure of a ZIP file makes it possible to determine the environment in which it was created, and this can be the basis for determining where the file was created, by analyzing and comparing the user's PC. In addition, the creation, modification, and access time values of decompressed files are set differently according to the application used for decompression and the structure of the ZIP file. ZIP files thus reflect not only the environment in which they were created but also the one in which they were decompressed. The detailed structures and characteristics of ZIP files should therefore be analyzed forensically. This paper suggests that the environment of file creation and modification can be inferred by analyzing the detailed structure of a single file through file fingerprints, and that the characteristics of decompression can be compared with the applications installed on the system.
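As an added illustration (not code from the paper), the sketch below reads a few central-directory fields whose values vary with the creating tool: the "version made by" host OS and the extra-field header IDs. The choice of these fields as fingerprints is an assumption made here; the field layout and ID values come from the ZIP format specification, and the sample archive is constructed inline.

```python
import io
import struct
import zipfile

# Values from the ZIP format specification (PKWARE APPNOTE), not from the paper.
HOST_OS = {0: "MS-DOS/FAT", 3: "UNIX", 10: "Windows NTFS", 19: "OS X (Darwin)"}
EXTRA_IDS = {0x0001: "ZIP64", 0x000A: "NTFS timestamps",
             0x5455: "extended timestamp (UT)", 0x7875: "Unix UID/GID (ux)"}
CDH = "<4s6H3L5H2L"  # fixed 46-byte part of a central directory file header

def fingerprint(data: bytes) -> list:
    """Return per-entry structural traits read from the central directory."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    total, _, pos = struct.unpack_from("<H2L", data, eocd + 10)
    entries = []
    for _ in range(total):
        f = struct.unpack_from(CDH, data, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory header")
        made_by, flags, nlen, xlen, clen = f[1], f[3], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + nlen]
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        ids, i = [], 0
        while i + 4 <= len(extra):  # extra field is a run of (id, size, data)
            hid, hlen = struct.unpack_from("<HH", extra, i)
            ids.append(EXTRA_IDS.get(hid, hex(hid)))
            i += 4 + hlen
        entries.append({
            "name": name.decode("utf-8" if flags & 0x800 else "cp437"),
            "host_os": HOST_OS.get(made_by >> 8, "other (%d)" % (made_by >> 8)),
            "spec_version": made_by & 0xFF,
            "extra_fields": ids,
        })
        pos += 46 + nlen + xlen + clen
    return entries

def build_sample() -> bytes:
    """Constructed archive: one entry marked FAT, one UNIX with a UT field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        a = zipfile.ZipInfo("report.txt")
        a.create_system = 0
        z.writestr(a, b"x")
        b = zipfile.ZipInfo("notes.txt")
        b.create_system = 3
        b.extra = struct.pack("<HHBL", 0x5455, 5, 1, 1638316800)
        z.writestr(b, b"y")
    return buf.getvalue()
```

Calling `fingerprint(build_sample())` returns one dictionary per entry; entries with differing host OS or extra fields inside a single archive suggest that it was modified by a different tool after creation.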
Original language | English |
---|---|
Article number | 301271 |
Journal | Forensic Science International: Digital Investigation |
Volume | 39 |
DOIs | |
Publication status | Published - 2021 Dec |
Bibliographical note
Publisher Copyright: © 2021 Elsevier Ltd
Keywords
- Compression and decompression characteristics
- File fingerprints
- User behavior
- ZIP file forensics
ASJC Scopus subject areas
- Computer Science Applications
- Information Systems
- Pathology and Forensic Medicine
- Law
- Medical Laboratory Technology