From ForensicsWiki
Revision as of 19:09, 2 April 2012 by Jamming (Talk | contribs)


The RAR archive format (Roshal ARchive file format) is a proprietary format for storing information, created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.


The file has the following magic number:

0x 52 61 72 21 1A 07 00

Read as little-endian fields, these bytes break down as follows to describe an Archive Header:

  • 0x6152 - HEAD_CRC
  • 0x72 - HEAD_TYPE
  • 0x1a21 - HEAD_FLAGS
  • 0x0007 - HEAD_SIZE
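The field breakdown above can be checked mechanically when triaging a disk image or an unknown file. The following Python sketch is an added example, not code from ForensicsWiki or from the RAR project; the function names and the sample buffer are constructed for illustration. It decodes the seven signature bytes into the four listed fields and scans a buffer for every "Rar!" occurrence, reporting which fields deviate from the listed values.

```python
import struct

MAGIC = bytes.fromhex("52 61 72 21 1A 07 00")   # magic number given above
FIELDS = ("HEAD_CRC", "HEAD_TYPE", "HEAD_FLAGS", "HEAD_SIZE")
EXPECTED = dict(zip(FIELDS, (0x6152, 0x72, 0x1A21, 0x0007)))


def parse_header(block: bytes) -> dict:
    """Decode the 7 signature bytes as little-endian u16, u8, u16, u16."""
    if len(block) < 7:
        raise ValueError("header needs 7 bytes, got %d" % len(block))
    return dict(zip(FIELDS, struct.unpack_from("<HBHH", block)))


def scan(data: bytes) -> list:
    """Find every 'Rar!' in data; return (offset, status, bad_fields).

    status is 'match' when all four fields equal the listed values,
    'mismatch' when some differ, 'truncated' when fewer than 7 bytes remain.
    """
    hits = []
    pos = data.find(MAGIC[:4])
    while pos != -1:
        chunk = data[pos:pos + 7]
        if len(chunk) < 7:
            hits.append((pos, "truncated", []))
        else:
            got = parse_header(chunk)
            bad = [f for f in FIELDS if got[f] != EXPECTED[f]]
            hits.append((pos, "mismatch" if bad else "match", bad))
        pos = data.find(MAGIC[:4], pos + 1)
    return hits


# Constructed sample: 16 filler bytes, a valid signature, a damaged one
# (HEAD_SIZE bytes zeroed), and a signature cut off at the end of the buffer.
SAMPLE = (b"\x00" * 16 + MAGIC + b"data"
          + b"Rar!\x1a\x00\x00" + b"Rar!\x1a")

if __name__ == "__main__":
    for offset, status, bad in scan(SAMPLE):
        print(f"0x{offset:04x} {status} {bad}")
```

A hit at a non-zero offset indicates an archive embedded in other data. Because the 1.3 sub-format does not carry the RAR! signature, an empty result does not rule out a RAR 1.3 archive.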



The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:

  • 1.3 (Does not have the RAR! signature)
    • There is difficulty finding information regarding this sub-format. Please update if you know something.
  • 1.5
    • Considered the root model of subsequent formats.
    • A detailed list of information can be found here.
  • 2.0
  • 3.0
    • Utilizes the PPMII and Lempel-Ziv (LZSS) algorithms.
    • Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).


The only way to create a RAR file is with the WinRAR software. There are several implementations of the process for opening a RAR file (commonly known as the "unrar" process). Some of them are:

  • RAR file unarchiver written in C
  • Easy implementation with a header file and the source code file
  • Information Link
  • Created by Eugene Roshal for opening up RAR files only
  • May not be used to reverse engineer the RAR file format and create RAR files
  • Source code provided for people to implement/integrate methods of opening RAR files
  • Additionally, implementations of UnRAR are available for a plethora of operating systems
  • Download Link

The Unarchiver
  • Utility made for Windows applications to open a multitude of files, including RAR files
  • Download Link

Many more programs can open RAR files, but they have been omitted due to redundancy.

See Also