Support ZIP files as datasource?

[lfcnassif]

Currently if a ZIP file is passed through -d parameter, it is processed as a container and all its contents are copied to the case folder, kind duplicating the used space. On the other hand the case becomes independent of the original ZIP file.

Since we already have ZIP reading code to handle UFDR files, it shouldn't be hard to implement a new ZIP datasource reader. This would avoid duplicating ZIP contents to the case folder and would make the case dependent on the ZIP like any other supported datasource (dd, e01, ufdr).

Another point is that IPED in triage mode exports relevant files found to a ZIP, so it may make sense to support the generated ZIP as a datasource.

Is it worth to implement? Or should us continue to support ZIP files just as containers, not datasources?

[lfcnassif]

PS: ZIP is not the best format to export/acquire files in triage mode and we may switch to another format that allows to store more FS metadata (file owner, attributes, permissions, etc) and allows to randomly seek into huge items (it's not possible with ZIP, we must uncompressed the whole zip entry to read its final bytes...)

[rafael844]

https://www.dmares.com/maresware/articles/copy_that.htm this and other articles in this website are very good about forensic zip files. I talked with the author few years ago. In summary, winrar is the best to keep metadata. But I saw that 7zip with .win format and some parameters can keep good information: example "C:\Program Files\7-Zip\7z.exe" a -twim -sccUTF-8 -bb0 -bse0 -bsp2 -spf -ssp -sns "d:\test-folder\test.wim" "f:\folder\*"