Forensically Analyzing ZIP & Compressed Files

Josh Lemon
Article by Josh Lemon

Digital Forensics and Incident Response Managing Director & Certified SANS Instructor

Recently I went looking for some reference content on ZIP files and how timestamps behave in a ZIP along with what I could determine about files within a ZIP. Sadly I came up empty, either due to there being very little available online, or just my impatience. So I thought I'd spend some time writing up some research I did for the next person that is looking for reference content.

Essentially, I wanted to know how do timestamps behave when it comes to ZIP files, do any timestamps stay the same and what timestamps are lost when you archive a file. Secondly, I wanted to know what was reliable in terms of extracting timestamp information for digital forensics. Below is the research I conducted in determining this, which I soon discovered was only the tip of the iceberg when it came to compression files and digital forensics.

To begin with, I took a file that had timestamps a long way in the past, mainly to make it easier to identify while doing analysis, and a file that had all of it's $STANDARD_INFORMATION timestamps different to determine what may be lost in the process of creating a ZIP file.I ended up pulling out a file sample file from the SANS's FOR508 class that I also teach. Don't worry, what you're about to read isn't going to spoil any surprises in the course for you.

Here are the original timestamps for my sample file that I used for all the compression file testing that follows:

Created:	2018-07-30 04:39:20.868085300 (UTC)
File Modified:	2018-07-30 04:39:43.985342300 (UTC)
MFT Modified:	2018-08-28 21:43:00.956722900 (UTC)
Accessed:	2018-07-30 04:39:21.208656700 (UTC)

Compressed ZIP File

To start simple, I decided to see what happens when I use Windows 10's built-in ZIP utility, that's the where you right-click on a file select "Send to" then "Compressed (zipped) folder".

This, as you'd expect, resulted in a new file which is, by default, named the same as the file I just compressed except with a .ZIP extension. The timestamps on the ZIP file itself are not overly interesting, they are the time I create the new ZIP file, as I'd expect. However, it's not the outer timestamps on the ZIP file I'm interested in, it's the timestamps from the PDF that's inside that ZIP file.

I started with something simple and common, FTK Imager, in an attempt to view the timestamps from the PDF within my ZIP file. While FTK Imager will provide me with some details, unfortunately, they aren't very detailed, from a digital forensics perspective this isn't very helpful. FTK Imager will give me a timestamp that it's calling "Modified", and I'm guessing that's likely the Modified Timestamp from my original file. However, I can't tell because FTK Imager doesn't give me seconds, it's only accurate to the minute.

So I move on exiftool, surely that will provide me with something useful, but I instead run into an interesting issue. Exiftool does provide a metadata field called "Zip Modify Date", however, the date it gives is not precisely the same as any of the original timestamps. The closest date it has provided is the original Accessed Timestamp, but it's off by 1 second from the original file I start with. Or, it could be the original Created Timestamp, but that would make it off by 2 seconds.

ExifTool Version Number         : 10.11
File Name                       : Demon
Directory                       : .
File Size                       : 1743 kB
File Modification Date/Time     : 2020:09:16 10:38:51+00:00
File Access Date/Time           : 2020:09:16 10:38:51+00:00
File Creation Date/Time         : 2020:09:16 10:38:51+00:00
File Permissions                : rw-rw-rw-
File Type                       : ZIP
File Type Extension             : zip
MIME Type                       : application/zip
Zip Required Version            : 20
Zip Bit Flag                    : 0
Zip Compression                 : Deflated
Zip Modify Date                 : 2018:07:30 04:39:22
Zip CRC                         : 0xf9bd68be
Zip Compressed Size             : 1784847
Zip Uncompressed Size           : 1897876
Zip File Name                   : Demon Core.pdf

It's about this time I go looking for the ZIP file format to discover that the timestamps held for file contents inside a ZIP have their date and time encoded in standard MS-DOS format (Section 4.4.6). This means my time is only going to have a resolution of two seconds, which explains the inaccurate time above. Based on this information, the "Zip Modify Date" field from exiftool is showing me the original file's Accessed Timestamp.

Lastly, I decide to use 7-Zip to see if it will extract any more information than what I've already determined from exiftool. When I right-click on the ZIP file and select "Open Archive" 7-Zip will let me see the internal files along with a timestamp it calls "Modified", although only accurate to the minute. However, if I highlight the PDF file within 7-Zip and press "Info" it gives me additional details about the file along with a "Modified" timestamp that is accurate to the second. But again, the timestamp doesn't match any of the timestamps from my original PDF. The closest timestamp that matches is the original Modified Timestamp, except it's rounded up to the nearest even second, which fits in with the MS-DOS timestamp that has a 2 second resolution.

Compressed ZIP File - Conclusion

Based on an unencrypted ZIP using the built-in Windows Zip Compression function I can get the original files Last Modified Timestamp (+/- 1 second) from Z-Zip and the original file's Last Access Timestamp (+/- 1 second) from Exiftool.

Encrypted ZIP Files

Time to see what happens when I create a password protected ZIP. For this section, I'm going to stick with a ZIP file that allows me to see the contents within the file but doesn't allow me to extract them without a password. To test this I used 7-Zip on a Windows 10 system, along with the same original file "Demon Core.pdf", to create a ZIP file format so I can easily compare results from the above testing. I'll look further at the encryption and compression formats later.

I re-ran the same testing above with FTK Imager and Exiftool, both of which produced precisely the same results so I won't repeat them here. It was good to see there is consistency in both tools regardless of password protection or not on a ZIP file.

When I looked at the password protected ZIP file with 7-Zip things started to get a little more interesting. 7-Zip appears to be storing the Modified, Created, and Accessed time, but are they correct? Sadly, not entirely!

The Modified timestamp does correctly match the original files Modified timestamp, even better it's not in a 2 second resolution, it is the exact second from the original file. Even the "Accessed Timestamp" matches between what 7-Zip is showing and the original file, again to the exact second. But, the Create Timestamp is where things start to get a little strange, it does not match the original file, even worse, it seems like 7-Zip is reporting the Created Timestamp to be the same as the Accessed Timestamp. It appears that one of two things are occurring, either 7-Zip is reading the Accessed Timestamp by mistake or as part of the creation process for the password protected ZIP file, 7-Zip is inserting the Accessed Timestamp into the Created Timestamp.

Either way, the end result is that the Created Timestamp displayed in 7-Zip for password protected ZIP files is not the Created Timestamp from the original file.

Password Protected ZIP File - Conclusion

Exiftool will give us the original files Accessed Timestamp, but with only a 2 second resolution. 7-Zip will provide us with an accurate Modified, and Accessed timestamps for the internal files within a password protected ZIP file.

I also repeated the exact same test above except this time with Deflate64 Compression and with AES-256 Encryption. It produced identical results to the above with all three analysis tools.

Encrypted 7Z Files

Looking at 7Z files, produced by 7-ZIP, I honestly thought I wasn't going to find anything useful. I know 7Z files are pretty good at protecting their contents when you encrypt them.

So I looked at FTK Imager, which produced nothing useful.

I looked at Exiftool, which also produced nothing useful, even worse it told me the file type was unknown.

ExifTool Version Number         : 10.11
File Name                       : Demon Core.7z
Directory                       : .
File Size                       : 1515 kB
File Modification Date/Time     : 2020:09:17 12:18:45+00:00
File Access Date/Time           : 2020:09:17 12:18:45+00:00
File Creation Date/Time         : 2020:09:17 12:18:44+00:00
File Permissions                : rw-rw-rw-
Error                           : Unknown file type

I was expecting similar results when it came to 7-Zip, but to my surprise, it listed a Modified Timestamp. Not only did it give me a timestamp but it also listed the file name of the file within the 7Z file. Even better the Modified Timestamp matched the original file to the exact second.

Encrypted 7Z Files - Conclusion

The only tool that produces useful results, which would be helpful during an investigation or incident, was 7-ZIP which could give me the Last Modified Timestamp of the original file along with the filename.

Additionally, for this test with 7-Zip, I also checked WinRAR just to see if there was another tool to compare the results from 7-ZIP I was seeing. WinRAR only showed me the file name and Modified Timestamp, although, the timestamp didn't include seconds so I wouldn't recommend it as a useful tool for the analysis of a 7-Zip file.

WinRAR Files with a Password

Digital forensics research on ZIP, 7Z, or compressed files in general, wouldn't be complete without looking at WinRAR. Based on my experience, it's long been a favourite file format for threat actors, so I thought it only fair to include it in this research. Additionally, in my experience, threat actors tend to use WinRAR with a password, essentially to bypass IDS/IPS/NSM's or any type of network-based detection solution. So I'm only going to attempt research on RAR files with a password.

Creating a WinRAR file is relatively simple, I kept all the default settings, although, I did enable the "Encrypt file names" checkbox hoping it might make things a little more challenging.

Well, I'd met my match, by this point I couldn't even view the RAR file in anything other than a hex viewer, which was no help as everything was encrypted. All of the tools I'd used up to this point prompted me for a password. I know there are other tools which allow brute-forcing of the password, however, that's a little beyond the intent of this research.

Now in the spirit of what I was trying to achieve which was - as a DFIR person what evidence can I extract from a threat actor's ZIP/Compressed file - entering the password won't really help me in practice. Hopefully, this makes it pretty clear why tools like WinRAR have been a strong choice of threat actors.

In the name of "research", I still wanted to know what was held in that file if I did have the password and I could get into it. So once I opened the file with the password, I could see that it held the Last Modified Timestamp, again accurate to the second directly from the original file.

Using WinRAR to Maintain Timestamps

Now if I go back a few steps, there was something super interesting that I discovered in the creation of a RAR file using WinRAR. There was this tab called "Time" which allows you to decide if you want to store the Modified, Creation and Last Access Timestamps, along with an option for storing them in "High precision time format". Why would anyone not what high precision time format? After my initial shock that someone may have the ability to remove timestamps, I decided to test this out. Firstly to understand if they were even accurate from the original file if you chose to store all of them, and secondly what happens if I remove them all (insert evil laugh here).

If I enabled all three timestamps in WinRAR, I sort of get all of them. Similar to what I observed with an encrypted ZIP file, I get accurate Modified and Accessed Timestamps, but the Created Timestamp appears to be a copy of the Accessed Timestamp.

It was kind of at this point I thought 7-ZIP must be misreading the information for the Created Timestamp given it has incorrectly read the timestamp for two different file formats. I even thought, maybe there is some odd time rounding going on here, however, if that was the case then the Created Timestamp should have also been rounded up. Below is just a reminder of what the original timestamps were. All I knew for sure, based on this finding, is that Z-Zip 19.00 (x64) does not show the accurate Created Timestamp. Below is a reminder of what the timestamps from my original file were.

Created:	2018-07-30 04:39:20.868085300 (UTC)
File Modified:	2018-07-30 04:39:43.985342300 (UTC)
MFT Modified:	2018-08-28 21:43:00.956722900 (UTC)
Accessed:	2018-07-30 04:39:21.208656700 (UTC)

Using WinRAR to Remove Timestamps

Time to see what happens when I use WinRAR to remove all timestamps and drop its time precision.

Well as you'd expect I'm entirely blind to any timestamps from the inner files. The only thing that I can determine (once I've entered a password) is the filename, and that's about it.

CAB Files

Few people may know much about CAB files, they are another way to package several files together and compress them. The reason I've included them in this post is they are more often used by threat actors as a way of packaging up files for exfiltration. The reason threat actors are moving to this technique is it's built right into Windows, there is no additional install that is needed on a system, this allows threat actors to "Live off the Land" (LotL). I'm not going to go into the details of CAB files themselves, here is a Microsoft page that provides a lot more detail on them.

Making a CAB file can be as simple as taking a single file and putting it into a CAB file, or taking a list of files and putting them all into a CAB file. Below is an example of putting a single file into a CAB file, which is all I really needed.

C:\>makecab "Z:\Demon Core.pdf" "" /L "C:\Users\MyUserName\Desktop\CAB-single"

This time around with a CAB file Exiftool doesn't produce anything useful, it tells me it's an "Unknown file type". FTK Imager, on the other hand, does provide me with a Timestamp but doesn't tell me what the timestamp is actually for.

Moving back to 7-ZIP, I again get information that's very similar to a default ZIP file with no password. I only have a Modified Timestamp, but unfortunately, it appears to only have a 2 second resolution, so my Modified Timestamp from my original file has been rounded up to the nearest even second. Lastly, I also get the filename from the file the was compressed in the CAB file.

Overall Conclusion

If you need to do timestamp analysis of ZIP, 7Z, RAR, or CAB files, your best tool is 7-ZIP based on the research I've done above. 7-ZIP will at least provide you with two our of three correctly labelled timestamp fields, along with showing you a timestamp that includes seconds. Even better, 7-ZIP is a free tool. Just watch out for the Created Timestamp as that is not accurate in 7-ZIP, but in my testing, I didn't find another tool that would even display it.

I've provided below a summary of the timestamps you can retrieve from compressed files. I hope this proves helpful to others when you're conducting digital forensics or incident response work in the future.