Evidence: WinRAR History
Description: Enumerate WinRAR History
Category: Applications
Platform: windows
Short Name: wnrrhst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
WinRAR registry values record the archives a user has created, extracted and opened, along with the last folders used. This data is essential for understanding archive usage and potential data exfiltration.
Data Collected
This collector gathers structured data about WinRAR history.
Collection Method
This collector enumerates WinRAR-related registry keys under HKLM/HKU per SID, across views, recording values and key last write times into WinRAR sections.
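The following PowerShell sketch is an added example, not the collector's own code. It reads WinRAR history values and key last write times for each SID loaded under HKU, in the default registry view only. The three subkey paths are WinRAR's commonly documented history locations and are an assumption here, since this page does not list the exact keys the collector reads.

```powershell
# Added example: WinRAR history per loaded user hive (HKEY_USERS\<SID>).
# Assumption: these subkeys are WinRAR's commonly documented history locations;
# the collector's exact key list is not given on this page.
$subKeys = 'Software\WinRAR\ArcHistory',
           'Software\WinRAR\DialogEditHistory\ArcName',
           'Software\WinRAR\DialogEditHistory\ExtrPath'

# .NET's RegistryKey does not expose the key's last write time, so call
# RegQueryInfoKey from advapi32.dll directly.
Add-Type -Namespace Win32 -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

$z   = [IntPtr]::Zero
$hku = [Microsoft.Win32.RegistryKey]::OpenBaseKey('Users', 'Default')

$results = foreach ($sid in $hku.GetSubKeyNames()) {
    if ($sid -like '*_Classes') { continue }      # skip per-user class hives
    foreach ($sub in $subKeys) {
        $key = $hku.OpenSubKey("$sid\$sub")       # read-only open
        if ($null -eq $key) { continue }          # no WinRAR history for this SID
        try {
            [long]$ft = 0
            $rc = [Win32.Reg]::RegQueryInfoKey($key.Handle.DangerousGetHandle(),
                    $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
            # ERROR_SUCCESS is 0; the FILETIME is reported in UTC
            $lastWrite = if ($rc -eq 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Sid             = $sid
                    Key             = $sub
                    Name            = $name
                    Value           = $key.GetValue($name)
                    KeyLastWriteUtc = $lastWrite
                }
            }
        } finally { $key.Dispose() }
    }
}
$hku.Dispose()
$results | Sort-Object KeyLastWriteUtc -Descending | Format-Table -AutoSize
```

The last write time belongs to the key as a whole, so it dates the most recent change to that history list rather than each individual entry. Hives of users who are not logged on are not loaded under HKU and do not appear in this output.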
Forensic Value
This evidence is crucial for forensic investigations as it reveals user interactions with archives, including paths and timelines.