File fingerprinting of the ZIP format for identifying and tracking provenance

Minji Um, Jaehyeok Han, Sangjin Lee

Research output: Contribution to journalArticlepeer-review

1 Citation (Scopus)


While the overall structure of ZIP files is defined, their detailed structure differs depending on the operating system and application creating the file. These characteristics are also affected by the environment in which the file was first created or later modified. Conversely, analyzing the structure of ZIP files allows the determination of the environment it was created in, and this can be the basis for determining where the file was created through analyzing and comparing the user's PC. In addition, the creation, modification, and access time values of decompressed files are set differently according to the application used for decompression and the structure of the ZIP file. ZIP files reflect not only the environment in which they are created but also the one in which they were decompressed. Thus, the ZIP files' detailed structures and characteristics should be analyzed forensically. In this paper, it is suggested that the environment of file creation and modification can be inferred by analyzing the detailed structure of a single file by file fingerprints, and the characteristics of decompression can be compared with the applications installed on the system.

Original languageEnglish
Article number301271
JournalForensic Science International: Digital Investigation
Publication statusPublished - 2021 Dec

Bibliographical note

Publisher Copyright:
© 2021 Elsevier Ltd


  • Compression and decompression characteristics
  • File fingerprints
  • User behavior
  • ZIP file forensics

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Pathology and Forensic Medicine
  • Law
  • Medical Laboratory Technology


Dive into the research topics of 'File fingerprinting of the ZIP format for identifying and tracking provenance'. Together they form a unique fingerprint.

Cite this