Archive Evidence is a link to an archive that allows the user to examine its structure and contents.
All files/folders added to the archive can be viewed and examined in the same way as general file system evidence.
Electronic Evidence Examiner supports the following types of archives: rar, zip, jar, xpi, iso, chm, cab, msi, ppt, doc, xls, arj, bzip2, cpio, deb, gzip, lzh, msis, rpm, split, tar, z, wim, and 7z. Archives can be added as evidence whether they have been split to volumes or not.
Archive evidence can be examined not only as separate evidence but also as a part of file system evidence.
To add new archive evidence to the case:
1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen. (If you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3).
2. The Add New Evidence window opens.
3. Select Other as the evidence category and Archive as its Source type.
4. In the standard Open window, navigate to the desired archive file. Click Open.
5. Enter the Evidence name (opened archive name by default) and click OK.
6. The archive data is added to the case.
7. Click the archive node. You are asked to enter the password. In the Please enter a password window, enter the correct password and click OK.
8. If the password is correct, the archive is decrypted. Click the folder in the Case Content pane (to the left). Its contents are displayed in the Data View pane (to the right).
9. If the password is not correct or you click Cancel in the Please enter a password window, you will be able to view only the structure of the archive but not its contents. Files stored in the archive will be of an unknown format.
The investigation of archive data evidence is possible with the following packages: