
Zip file metadata oddity – reasonable or suspicious?

Create a directory D containing directory E. In E create files F1 and F2. Turn D into a zip file.

Examining this zip file using Python and the zipfile module, or 7zip using the CLI flag to get technical info (i.e. 7z -l -slt D.zip), shows you the same thing: two files and a directory. Using the 7z CLI, I get something like this:

Path = D\E
Folder = +
Size = 0
Packed Size = 0
Modified = 2024-05-11 19:32:56
[...]

Path = D\E\F1.txt
Folder = -
Size = 2
Packed Size = 2
Modified = 2024-05-11 19:26:06
[...]

Path = D\E\F2.txt
Folder = -
Size = 5
Packed Size = 5
Modified = 2024-05-11 19:26:24
[...]

So the two files F1 and F2 have a 'Modified' metadata field, but the important point here is, so does the folder E (the first in the list above).

Now the interesting stuff. I received a .zip file which is supposed to contain legal evidence. When extracted, it creates eight files in three subdirectories. The eight files have plausible 'Modified' metadata dates, but the three subdirectories have no date metadata (or any other), whether I look with python+zipfile or 7zip.

I am extremely interested in the creation dates of these three directories because I'm wondering if someone unzipped the original, deleted a file or two and then zipped them back up and sent them to me, stripping off the directory creation time to hide the fiddle.

Reading up on the format, it seems that metadata in .zip files is stored in two places:

"The .ZIP format ... includes two copies of each entry metadata to provide greater protection against data loss"

https://en.wikipedia.org/wiki/ZIP_(file_format). So I guess the files are being read back using the local header data, but the directory/folder info would only live in the zipfile's Central Directory (CD).

I guess the CD is missing.

So the questions are:


Solution

  • A zip file is not required to contain entries for the subdirectories. It can simply have the files, with their paths, as entries. Then the subdirectory structure is implied by the paths for the files, with those subdirectories created accordingly when extracted.

    A zip file can have entries for the subdirectories. The entries will include the attributes of those subdirectories. Such entries are identified by the path names having a trailing slash, and they will be of zero length.

    You can tell which one of those your zip file was built with by simply listing the contents.

    No, it is not plausible that the central directory is intentionally missing. Your unzipper, whatever it is, would flag that as an error, and likely be incapable of extracting the zip file contents. Consequently, there is no zipper that would not produce a central directory, since any resulting zip files would be useless.

    zipdetails can provide an extremely detailed listing of the metadata contents of a zip file.
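An added worked example (my own code, not from the question or the answer above) using Python's zipfile module: it builds the D/E/F1.txt and D/E/F2.txt archive from the question both with and without explicit directory entries, reports which directories are real entries carrying a timestamp and which are only implied by file paths, and cross-checks each entry's local-header timestamp against the central-directory copy. All file names, dates and contents are constructed.

```python
import io
import struct
import zipfile

# Local file header (30 bytes): signature, version, flags, method, DOS time,
# DOS date, CRC-32, compressed size, uncompressed size, name len, extra len.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def build_sample_zip(explicit_dirs: bool) -> bytes:
    """Constructed archive mirroring the question: D/E/F1.txt and D/E/F2.txt,
    with or without explicit directory entries (trailing slash, zero length)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if explicit_dirs:
            for name in ("D/", "D/E/"):
                info = zipfile.ZipInfo(name, date_time=(2024, 5, 11, 19, 32, 56))
                info.external_attr = 0o40755 << 16  # Unix directory mode bits
                zf.writestr(info, b"")
        zf.writestr(zipfile.ZipInfo("D/E/F1.txt", (2024, 5, 11, 19, 26, 6)), b"hi")
        zf.writestr(zipfile.ZipInfo("D/E/F2.txt", (2024, 5, 11, 19, 26, 24)), b"hello")
    return buf.getvalue()


def directory_report(zip_bytes: bytes) -> dict:
    """Map every directory the archive creates on extraction to the timestamp
    of its own entry, or None when it is only implied by file paths."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        explicit = {i.filename: i.date_time for i in zf.infolist() if i.is_dir()}
        implied = set()
        for info in zf.infolist():
            parents = info.filename.split("/")[:-1]
            for k in range(1, len(parents) + 1):
                implied.add("/".join(parents[:k]) + "/")
    return {d: explicit.get(d) for d in sorted(implied)}


def local_header_timestamps(zip_bytes: bytes) -> dict:
    """Decode each entry's local-header timestamp and compare it with the
    central-directory copy that zipfile parsed; a mismatch means the two copies
    of the metadata disagree, which an examiner would want to know."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            sig, _, _, _, dtime, ddate, *_ = LOCAL_HEADER.unpack(
                zip_bytes[start:start + LOCAL_HEADER.size])
            assert sig == b"PK\x03\x04", f"no local header for {info.filename}"
            local = ((ddate >> 9) + 1980, (ddate >> 5) & 0xF, ddate & 0x1F,
                     dtime >> 11, (dtime >> 5) & 0x3F, (dtime & 0x1F) * 2)
            out[info.filename] = (local, info.date_time, local == info.date_time)
    return out
```

Run directory_report on the received archive: a None value is a directory that has no entry of its own, so it never had a timestamp to strip.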