Digital Forensics for Compressed Files

How and when timestamps change on a Windows system is well documented, but what happens to timestamps when threat actors ZIP/RAR/CAB up all the data they have collected in your network and exfiltrate it?

Being able to accurately determine the original timestamps of the contents within a compressed file could determine when the data was stolen and what else the threat actor was doing in your network at the same time.

Josh will walk you through new research that looks at what forensic artefacts you can extract from a compressed file, which timestamps are useful and reliable, and which tools will provide the answers you need to analyse compressed files forensically.