The gzip file (.gz) format consists of:
- a file header
- optional extra headers, such as the original file name
- a body, containing a DEFLATE-compressed payload
- an 8-byte footer, containing a CRC-32 checksum and the length of the original uncompressed data.
The file header is 10 bytes in size and contains:
|Offset||Size||Value||Description|
|0||2||0x1f 0x8b||Signature (or identification byte 1 and 2)|
|4||4|| ||Last modification time. Contains a POSIX timestamp.|
|9||1|| ||Operating system. Value that indicates on which operating system the gzip file was created.|
Compression method values:
|Value||Identifier||Description|
|0 - 7|| ||Reserved|
|8||"deflate"||zlib compressed data|
If the compression method is 8, the following extra flags can be defined:
- 0x02 - compressor used maximum compression, slowest algorithm
- 0x04 - compressor used fastest algorithm
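
The layout described above, as an added example that is not part of the original wiki page: a parser that reads the 10-byte header, skips the optional headers while recovering the original file name, and checks the footer's CRC-32 and length against the decompressed body. The offsets of the compression method (2), flags (3) and extra flags (8) bytes and the flag bit values are taken from RFC 1952 rather than from this page, and `build_sample` is a hypothetical helper that constructs the test input.

```python
import struct
import zlib
from datetime import datetime, timezone

XFL = {0x02: "maximum compression", 0x04: "fastest algorithm"}

def parse_gzip(blob):
    """Parse one gzip member: fixed header, optional file name, body, footer."""
    if len(blob) < 18:
        raise ValueError("shorter than a 10-byte header plus 8-byte footer")
    # Offsets 0, 4 and 9 come from the header table; 2, 3 and 8 are per RFC 1952.
    sig, method, flags, mtime, xfl, os_id = struct.unpack_from("<2sBBIBB", blob)
    if sig != b"\x1f\x8b":
        raise ValueError("missing 0x1f 0x8b signature")
    if method != 8:
        raise ValueError(f"compression method {method} is reserved")
    pos, name = 10, None
    if flags & 0x04:                      # FEXTRA: 2-byte length, then data
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & 0x08:                      # FNAME: NUL-terminated Latin-1 string
        end = blob.index(b"\x00", pos)
        name, pos = blob[pos:end].decode("latin-1"), end + 1
    if flags & 0x10:                      # FCOMMENT: NUL-terminated string
        pos = blob.index(b"\x00", pos) + 1
    if flags & 0x02:                      # FHCRC: 2-byte header CRC
        pos += 2
    crc32, isize = struct.unpack_from("<II", blob, len(blob) - 8)
    data = zlib.decompress(blob[pos:-8], wbits=-15)   # raw DEFLATE body
    return {
        "mtime": datetime.fromtimestamp(mtime, timezone.utc) if mtime else None,
        "extra_flags": XFL.get(xfl, "unspecified"),
        "os": os_id,                      # 3 means Unix in RFC 1952
        "name": name,
        "crc_ok": zlib.crc32(data) == crc32,
        "size_ok": (len(data) & 0xFFFFFFFF) == isize,
        "data": data,
    }

def build_sample(payload, name, mtime, xfl=0x02, os_id=3):
    """Constructed test input: a gzip member carrying an FNAME field."""
    raw = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = raw.compress(payload) + raw.flush()
    head = struct.pack("<2sBBIBB", b"\x1f\x8b", 8, 0x08, mtime, xfl, os_id)
    foot = struct.pack("<II", zlib.crc32(payload), len(payload) & 0xFFFFFFFF)
    return head + name.encode("latin-1") + b"\x00" + body + foot

if __name__ == "__main__":
    print(parse_gzip(build_sample(b"evidence\n" * 4, "notes.txt", 1700000000)))
```

A `crc_ok` or `size_ok` of `False` on a file that otherwise parses indicates the footer and body disagree, which is worth recording before relying on the embedded timestamp or file name.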