Establishing a chronological sequence of events—from the initial creation of the "Tiki Party" folder to its eventual compression and potential staging for upload [3, 6].
It serves as a "forensic image" of a specific set of user data, intended for practitioners to analyze using tools like Magnet AXIOM, Autopsy, or FTK Imager [2, 4].

Forensic Significance: Tiki.Party.7z
In the context of the Tiki Party scenario, the archive often contains evidence of "Living off the Land" (LotL) techniques, where legitimate system tools are used for malicious purposes [3, 5].
Investigating how the file was intended to be moved, such as via cloud storage (e.g., Dropbox, OneDrive) or external USB media [2, 5].

Educational Value