Difference between pages "Gzip" and "Zip"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
 
Line 1: Line 1:
 
{{expand}}
 
{{expand}}
 +
 +
.ZIP is an archive file format that supports lossless data compression.
  
 
== File format ==
 
== File format ==
The gzip file (.gz) format consists of:
 
* a file header
 
* optional headers
 
** extra fields
 
** original file name
 
** comment
 
** header checksum
 
* compressed data (commonly used compression method DEFLATE, without zlib header)
 
* a file footer
 
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 20: Line 13:
 
|-
 
|-
 
| Date and time values
 
| Date and time values
| Filetime in UTC
+
|  
 
|-
 
|-
 
| Character strings
 
| Character strings
| ISO 8859-1 (LATIN-1)
+
|
 
|}
 
|}
  
=== File header ===
+
=== Archived file header ===
The file header is 10 bytes in size and contains:
+
 
 +
==== Creator version ====
 +
The creator (or version made by) is 2 bytes of size and consists of:
 
{| class="wikitable"
 
{| class="wikitable"
 
! align="left"| Offset
 
! align="left"| Offset
Line 35: Line 30:
 
|-
 
|-
 
| 0
 
| 0
| 2
 
| 0x1f 0x8b
 
| Signature (or identification byte 1 and 2)
 
|-
 
| 2
 
 
| 1
 
| 1
|
+
| ZIP format version <br> The value is stored as: ( major number x 10 ) + minor number
| Compression Method
+
 
|-
 
|-
| 3
 
 
| 1
 
| 1
|
 
| Flags
 
|-
 
| 4
 
| 4
 
|
 
| Last modification time <br> Contains a POSIX timestamp.
 
|-
 
| 8
 
 
| 1
 
| 1
|
+
| Creator version system indicator
| Compression flags (or extra flags)
+
|-
+
| 9
+
| 1
+
|
+
| Operating system <br> Value that indicates on which operating system the gzip file was created.
+
 
|}
 
|}
  
==== Compression method ====
+
===== Creator version system indicator =====
 
+
 
{| class="wikitable"
 
{| class="wikitable"
 
! align="left"| Value
 
! align="left"| Value
Line 72: Line 44:
 
! Description
 
! Description
 
|-
 
|-
| 0 - 7
+
| 0
 
|  
 
|  
| Reserved
+
| MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems
|-
+
| 8
+
| deflate
+
| deflate compressed data
+
|}
+
 
+
==== Flags ====
+
 
+
{| class="wikitable"
+
! align="left"| Value
+
! Identifier
+
! Description
+
|-
+
| 0x01
+
| FTEXT
+
| If set the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
+
|-
+
| 0x02
+
| FHCRC
+
| The file contains a header checksum (CRC-16)
+
|-
+
| 0x04
+
| FEXTRA
+
| The file contains extra fields
+
|-
+
| 0x08
+
| FNAME
+
| The file contains an original file name string
+
|-
+
| 0x10
+
| FCOMMENT
+
| The file contains comment
+
|-
+
| 0x20
+
|
+
| Reserved
+
|-
+
| 0x40
+
|
+
| Reserved
+
|-
+
| 0x80
+
|
+
| Reserved
+
|}
+
 
+
<b>Notes:</b>
+
* Reserved flags bits must be zero.
+
* The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.
+
 
+
==== Compression flags ====
+
This value contains flags specific to the compression method.
+
 
+
===== Compression flags - deflate =====
+
If compression method value is 8 (deflate) the following compression flags can be used:
+
{| class="wikitable"
+
! align="left"| Value
+
! Identifier
+
! Description
+
|-
+
| 0x02
+
|
+
| compressor used maximum compression, slowest algorithm
+
|-
+
| 0x04
+
|
+
| compressor used fastest algorithm
+
|}
+
 
+
==== Operating System ====
+
{| class="wikitable"
+
! align="left"| Value
+
! Identifier
+
! Description
+
|-
+
| 0
+
|
+
| FAT filesystem (MS-DOS, OS/2, NT/Win32)
+
 
|-
 
|-
 
| 1
 
| 1
Line 160: Line 54:
 
| 2
 
| 2
 
|
 
|
| VMS (or OpenVMS)
+
| OpenVMS
 
|-
 
|-
 
| 3
 
| 3
 
|
 
|
| Unix
+
| UNIX
 
|-
 
|-
 
| 4
 
| 4
Line 172: Line 66:
 
| 5
 
| 5
 
|
 
|
| Atari TOS
+
| Atari ST
 
|-
 
|-
 
| 6
 
| 6
 
|
 
|
| HPFS filesystem (OS/2, NT)
+
| OS/2 H.P.F.S.
 
|-
 
|-
 
| 7
 
| 7
Line 192: Line 86:
 
| 10
 
| 10
 
|
 
|
| TOPS-20
+
| Windows NTFS
 
|-
 
|-
 
| 11
 
| 11
 
|
 
|
| NTFS filesystem (NT)
+
| MVS (OS/390 - Z/OS)
 
|-
 
|-
 
| 12
 
| 12
 
|
 
|
| QDOS
+
| VSE
 
|-
 
|-
 
| 13
 
| 13
 
|
 
|
| Acorn RISCOS
+
| Acorn Risc
 
|-
 
|-
| 255
+
| 14
 
|
 
|
| unknown
+
| VFAT
|}
+
 
+
=== Optional headers ===
+
==== Extra fields ====
+
This value is present in the file if the FEXTRA flag is set in the file header flags.
+
 
+
The extra field are variable of size and contains:
+
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
 
|-
 
|-
| 0
+
| 15
| 2
+
|
|  
+
| alternate MVS
| Extra field data size <br> Value in bytes.
+
 
|-
 
|-
| 2
+
| 16
| ...
+
|
|
+
| BeOS
| Extra field data
+
|}
+
 
+
==== Original file name ====
+
This value is present in the file if the FNAME flag is set in the file header flags.
+
 
+
This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case insensitive names, forced to lower case.
+
 
+
Contains an ISO 8859-1 (LATIN-1) string with end-of-string character.
+
 
+
==== Comment ====
+
This value is present in the file if the FCOMMENT flag is set in the file header flags.
+
 
+
Contains an ISO 8859-1 (LATIN-1) string with end-of-string character. Line breaks should be denoted by a single line feed character.
+
 
+
==== Header checksum ====
+
The header checksum contain a CRC-16 that consists of the two least significant bytes of the CRC-32 for all bytes of the gzip header up to and not including the CRC-16.
+
 
+
=== File footer ===
+
The file footer is 8 bytes in size and contains:
+
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
 
|-
 
|-
| 0
+
| 17
| 4
+
 
|
 
|
| Checksum (CRC-32)
+
| Tandem
 
|-
 
|-
| 4
+
| 18
| 4
+
 
|
 
|
| Uncompressed data size <br> Value in bytes.
+
| OS/400
 +
|-
 +
| 19
 +
|
 +
| OS X (Darwin)
 +
|-
 +
| 20 - 255
 +
|
 +
| unused
 
|}
 
|}
 
== See Also ==
 
* [[bzip2]]
 
* [[tar]]
 
  
 
== External Links ==
 
== External Links ==
  
* [http://www.gzip.org/format.txt The gzip file format], by the [http://www.gzip.org/ gzip project]
+
* [http://www.pkware.com/documents/casestudies/APPNOTE.TXT .ZIP File Format Specification], PKWARE Inc., September 1, 2012
* [http://www.gzip.org/algorithm.txt The gzip compression algorithm], by the [http://www.gzip.org/ gzip project]
+
* [http://en.wikipedia.org/wiki/Zip_(file_format) Wikipedia: Zip (file format)]
* [http://tools.ietf.org/html/rfc1952 RFC1952: GZIP file format specification version 4.3], by [[IETF]]
+
* [http://en.wikipedia.org/wiki/Gzip Wikipedia: gzip]
+
  
 
[[Category:File Formats]]
 
[[Category:File Formats]]

Revision as of 02:41, 1 December 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

.ZIP is an archive file format that supports lossless data compression.

File format

Characteristics Description
Byte order little-endian
Date and time values
Character strings

Archived file header

Creator version

The creator (or version made by) is 2 bytes of size and consists of:

Offset Size Value Description
0 1 ZIP format version
The value is stored as: ( major number x 10 ) + minor number
1 1 Creator version system indicator
Creator version system indicator
Value Identifier Description
0 MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems
1 Amiga
2 OpenVMS
3 UNIX
4 VM/CMS
5 Atari ST
6 OS/2 H.P.F.S.
7 Macintosh
8 Z-System
9 CP/M
10 Windows NTFS
11 MVS (OS/390 - Z/OS)
12 VSE
13 Acorn Risc
14 VFAT
15 alternate MVS
16 BeOS
17 Tandem
18 OS/400
19 OS X (Darwin)
20 - 255 unused

External Links