Article ID: 457935
Journal: Digital Investigation
Published Year: 2010
Pages: 5 Pages
File Type: PDF

Abstract

The WinRAR archiving program is widely used on the Internet (and elsewhere) to ‘package’ data for download and/or storage. Computer criminals have used this program to store and exchange illegal materials on the Internet, and computer intruders have used WinRAR when stealing data from a network. The use of WinRAR frequently produces temporary folder and file data in the ‘Temp’ folder associated with specified users. This data can in some circumstances remain as current data for extended periods of time, or in other circumstances can be recovered by the forensic analyst as deleted material. An understanding of some aspects of the functionality of these temporary WinRAR artefacts can contribute evidence concerning the past activity of computer users in relation to the WinRAR program.

Related Topics
Physical Sciences and Engineering > Computer Science > Computer Networks and Communications