Difference between pages "Upcoming events" and "Gzip"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (On-going / Continuous Training)
 
(File format)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
{{expand}}
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]]. It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
== File format ==
 +
The gzip file (.gz) format consists of:
 +
* a file header
 +
* optional headers
 +
** extra fields
 +
** original file name
 +
** comment
 +
** header checksum
 +
* a body, containing a DEFLATE-compressed payload
 +
* a file footer
  
This listing is divided into four sections (described as follows):<br>
+
The gzip format uses little-endian.
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>Scheduled Training Courses</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL)<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv. 
+
{| class="wikitable"
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
! align="left"| Offset
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
! Characteristics
 
+
! Description
== Calls For Papers ==
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Due Date
+
! Website
+
|-
+
|IFIP WG 11.9 International Conference on Digital Forensics
+
|Sep 15, 2007
+
|http://www.ifip119-kyoto.org/doku.php?id=cfp
+
|-
+
|2nd Small Scale Digital Device Forensics Journal
+
|Oct 31, 2007
+
|http://ssddfj.org/submit.asp
+
|-
+
|International Association of Forensic Science Annual Meeting
+
|Jan 01, 2008
+
|http://www.iafs2008.com/abstracts/intro.asp
+
 
|-
 
|-
|Usenix Annual Technical Conference
+
| Byte order
|Jan 07, 2008 (11:59PM PST)
+
| little-endian
|http://www.usenix.com/events/usenix08/cfp/
+
 
|-
 
|-
|Techno-Security 2008
+
| Date and time values
|May 04, 2008
+
| Filetime in UTC
|http://www.techsec.com/html/TechnoPapers.html
+
 
|-
 
|-
 +
| Character string
 +
| ISO 8859-1 (LATIN-1)
 
|}
 
|}
  
== Conferences ==
+
=== File header ===
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
The file header is 10 bytes in size and contains:
|- style="background:#bfbfbf; font-weight: bold"
+
{| class="wikitable"
! Title
+
! align="left"| Offset
! Date/Location
+
! Size
! Website
+
! Value
 +
! Description
 
|-
 
|-
|14th International Conference on Image Analysis and Processing (ICIAP 2007)
+
| 0
|Sep 10-14, Modena, Italy
+
| 2
|http://www.iciap2007.org
+
| 0x1f 0x8b
 +
| Signature (or identification byte 1 and 2)
 
|-
 
|-
|3rd International Conference on IT-Incident Management & IT-Forensics
+
| 2
|Sep 11-12, Stuttgart, Germany
+
| 1
|http://www.imf-conference.org/
+
|
 +
| Compression Method
 
|-
 
|-
|ForenSec Canada 2007
+
| 3
|Sep 17-18, Regina, Saskatchewan, Canada
+
| 1
|http://www.csiservices.ca/events.html#ForenSec
+
|
 +
| Flags
 
|-
 
|-
|SANS Network Security
+
| 4
|Sep 22-30, Las Vegas, NV
+
| 4
|http://www.sans.org/ns2007/?portal=69456f95660ade45be29c00b0c14aea1
+
|
 +
| Last modification time <br> Contains a POSIX timestamp.
 
|-
 
|-
|Black and White Ball
+
| 8
|Sep 25-28, London, UK
+
| 1
|http://www.theblackandwhiteball.co.uk/
+
|
 +
| Extra flags
 
|-
 
|-
|Wisconsin Association of Computer Crimes Investigators/Forensic Association of Computer Technologists
+
| 9
|Sep 26-28, Milwaukee, WI
+
| 1
|http://www.byteoutofcrime.org
+
|
 +
| Operating system <br> Value that indicates on which operating system the gzip file was created.
 +
|}
 +
 
 +
==== Compression method ====
 +
 
 +
{| class="wikitable"
 +
! align="left"| Value
 +
! Identifier
 +
! Description
 
|-
 
|-
|6th Annual Internet Crimes Against Children National Conference
+
| 0 - 7
|Oct 15-18, San Jose, CA
+
|  
|http://www.icactraining.org/website/registration.html
+
| Reserved
 
|-
 
|-
|ToorCon 9
+
| 8
|Oct 19-21, San Diego, CA
+
| "deflate"
|http://toorcon.org/intro.php
+
| zlib compressed data
 +
|}
 +
 
 +
==== Flags ====
 +
 
 +
{| class="wikitable"
 +
! align="left"| Value
 +
! Identifier
 +
! Description
 
|-
 
|-
|BlackHat Japan - Briefings
+
| 0x01
|Oct 23-26, Tokyo, Japan
+
| FTEXT
|http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
+
| If set the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
 
|-
 
|-
|Global Conference on Economic and High-Tech Crime (NW3C Membership Required)
+
| 0x02
|Oct 24-26, Crystal City, VA
+
| FHCRC
|https://conference.nw3c.org/index.cfm
+
| The file contains a header checksum (CRC-16)
 
|-
 
|-
|European Network Forensic and Security Conference 2007
+
| 0x04
|Oct 24-26,  Zuyd University, Heerlen, Netherlands
+
| FEXTRA
|http://www.enfsc2007.com/
+
| The file contains extra fields
 
|-
 
|-
|Techno-Forensics Conference
+
| 0x08
|Oct 29 - 31, Rockville, MD
+
| FNAME
|http://www.techsec.com/html/TechnoForensics2007.html
+
| The file contains an original file name string
 
|-
 
|-
|Computer Security Institute Annual Meeting
+
| 0x10
|Nov 3-9, Arlington, VA
+
| FCOMMENT
|http://www.csiannual.com/
+
| The file contains comment
 
|-
 
|-
|First Forensic Forum Conference (F3 Conference)
+
| 0x20
|Nov 3-5, Tortworth, England
+
|  
|http://www.f3.org.uk/
+
| Reserved
 
|-
 
|-
|DeepSec IDSC
+
| 0x40
|Nov 22-24, Vienna, Austria
+
|  
|http://deepsec.net/
+
| Reserved
|-
+
|Digital Forensic Forum Prague 2007
+
|Nov 26-27, Prague, Czech Republic
+
|http://www.dff-prague.com/
+
|-
+
|PacSec Applied Security Conference
+
|Nov 29-30, Tokyo, Japan
+
|http://www.pacsec.jp/index.html
+
|-
+
|HTCIA Asia Pacific Training Conference 2007
+
|Dec 12-14, Hong Kong
+
|http://2007.htcia.org.hk
+
|-
+
|SANS Security 2008
+
|Jan 11-19, New Orleans, LA
+
|http://www.sans.org/security08/
+
|-
+
|DoD Cyber Crime Conference 2008
+
|Jan 13-18, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|4th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 27-30, Kyoto, Japan
+
|http://www.ifip119-kyoto.org/doku.php
+
|-
+
|AAFS Annual Meeting 2008
+
|Feb 18-23, Washington, DC
+
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|CanSecWest Security Conference 2008
+
|Mar 19-21, Vanouver, BC, Canada
+
|http://cansecwest.com/
+
|-
+
|EuSecWest Security Conference 2008
+
|May 21-22, London, England
+
|http://eusecwest.com/
+
|-
+
|Techno-Security 2008
+
|Jun 01-04, Myrtle Beach, SC
+
|http://www.techsec.com/html/Techno2008.html
+
|-
+
|Usenix Annual Technical Conference
+
|Jun 22-27, Boston, MA
+
|http://www.usenix.com/events/usenix08/
+
|-
+
|International Association of Forensic Sciences Annual Meeting
+
|Jul 21-26, New Orleans, LA
+
|http://www.iafs2008.com/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 11-13, Baltimore, MD
+
|http://www.dfrws.org
+
 
|-
 
|-
 +
| 0x80
 +
|
 +
| Reserved
 
|}
 
|}
  
== On-going / Continuous Training ==
+
<b>Note:</b> The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
==== Extra flags ====
! Title
+
If compression method is 8 the following extra flags can be defined:
! Date/Location or Venue
+
{| class="wikitable"
! Website
+
! align="left"| Value
|-
+
! Identifier
|Basic Computer Examiner Course - Computer Forensic Training Online
+
! Description
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|-
+
|SANS System Forensics, Investigation & Response
+
|Once a month
+
|http://www.sans.org/training/description.php?mid=98&portal=7b06ddbc6d2924557f88c17e78348310
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
 
|-
 
|-
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
| 0x02
|Third weekend of every month (Fri-Mon), Dallas, TX
+
|
|http://www.md5group.com
+
| compressor used maximum compression, slowest algorithm
 
|-
 
|-
 +
| 0x04
 +
|
 +
| compressor used fastest algorithm
 
|}
 
|}
  
== Scheduled Training Courses ==
+
==== Operating System ====
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
{| class="wikitable"
|- style="background:#bfbfbf; font-weight: bold"
+
! align="left"| Value
! Title
+
! Identifier
! Date/Location
+
! Description
! Website
+
! Limitation
+
 
|-
 
|-
|Paraben E-Discovery: E-mail & Mobile E-mail Devices
+
| 0
|Sep 10-14, Potomac Falls, VA
+
|
|http://www.paraben-training.com/
+
| FAT filesystem (MS-DOS, OS/2, NT/Win32)
 
|-
 
|-
|Paraben Advanced Cell Phone Forensics
+
| 1
|Sep 10-12, San Diego, CA
+
|
|http://www.paraben-training.com/
+
| Amiga
 
|-
 
|-
|EnCase v6 Computer Forensics II
+
| 2
|Sep 11-14, United Kingdom and Singapore
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| VMS (or OpenVMS)
 
|-
 
|-
|EnCase v6 Computer Forensics I
+
| 3
|Sep 11-14, Houston, TX and Washington, DC
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| Unix
 
|-
 
|-
|EnCase Enterprise v6 - Phase I
+
| 4
|Sep 11-14, Chicago, IL
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| VM/CMS
 
|-
 
|-
|EnCase v6 Computer Forensics I - Private Sector
+
| 5
|Sep 11-14, Los Angeles, CA
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| Atari TOS
 
|-
 
|-
|First Responder to Digital Evidence Program (FRDE)
+
| 6
|Sep 11-13, FLETC, Glynco, GA
+
|
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
| HPFS filesystem (OS/2, NT)
|Limited to Law Enforcement
+
 
|-
 
|-
|AccessData Applied Decryption
+
| 7
|Sep 11-13, Dallas, TX
+
|
|http://www.accessdata.com/training
+
| Macintosh
 
|-
 
|-
|Paraben Advanced SIM Card Forensics
+
| 8
|Sep 13-14, San Diego, CA
+
|
|http://www.paraben-training.com/
+
| Z-System
 
|-
 
|-
|Paraben Network Incident Response
+
| 9
|Sep 17-21, Potomac Falls, VA
+
|
|http://www.paraben-training.com/
+
| CP/M
 
|-
 
|-
|Enterprise Data Forensics
+
| 10
|Sep 17-19, Austin, TX
+
|
|http://asrdata.com/training/training2.html
+
| TOPS-20
 
|-
 
|-
|EnCase v6 Computer Forensics II – Private Sector
+
| 11
|Sep 18-21, Los Angeles, CA
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| NTFS filesystem (NT)
 
|-
 
|-
|EnCase v6 Computer Forensics II
+
| 12
|Sep 18-21, Houston, TX and Leipzig, Germany
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| QDOS
 
|-
 
|-
|EnCase v6 Advanced Computer Forensics
+
| 13
|Sep 18-21, Sydney, Australia and United Kingdom
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| Acorn RISCOS
 
|-
 
|-
|EnCase v6 Computer Forensics I
+
| 255
|Sep 18-21, Toronto, Canada
+
|
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
| unknown
 +
|}
 +
 
 +
=== Optional headers ===
 +
==== Extra fields ====
 +
<b>TODO: add description</b>
 +
 
 +
The extra field are variable of size and contains:
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 
|-
 
|-
|Paraben Cellular/GPS Signal Analysis
+
| 0
|Sep 20-21, San Diego, CA
+
| 2
|http://www.paraben-training.com/
+
|  
 +
| Extra field data size <br> Value in bytes.
 
|-
 
|-
|Internet Investigations Training Program (IITP)
+
| 2
|Sep 24-28, Glynco, GA
+
| ...
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|
|Limited to Law Enforcement
+
| Extra field data
 +
|}
 +
 
 +
==== Original file name ====
 +
This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case insensitive names, forced to lower case.
 +
 
 +
Contains an ISO 8859-1 (LATIN-1) string with end-of-string character.
 +
 
 +
==== Comment ====
 +
Contains an ISO 8859-1 (LATIN-1) string with end-of-string character. Line breaks should be denoted by a single line feed character.
 +
 
 +
==== Header checksum ====
 +
The header checksum contain a CRC-16 that consists of the two least significant bytes of the CRC-32 for all bytes of the gzip header up to and not including the CRC-16.
 +
 
 +
=== File footer ===
 +
The file footer is 8 bytes in size and contains:
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 
|-
 
|-
|Macintosh Forensic Survival Course
+
| 0
|Sep 24-28, Santa Ana, CA
+
| 4
|http://www.phoenixdatagroup.com/cart/index.php
+
|
|-
+
| Checksum (CRC-32)
|BlackBag Introductory MacIntosh Forensics
+
|Sep 24-28, Richmond, VA
+
|http://www.blackbagtech.com/products/training.htm
+
|Limited to Law Enforcement
+
|-
+
|Paraben Advanced Cell Phone Forensics
+
|Sep 24-26, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Introduction to Cyber Crime
+
|Sep 24-26, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Sep 25-28, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Sep 25-28, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Sep 25-28, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Sep 25-28, Toronto, Ontario, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData Applied Decryption
+
|Sep 25-27, Chicago, IL
+
|http://www.accessdata.com/training
+
|-
+
|AccessData BootCamp
+
|Sep 25-27, Solna, SE
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Sep 26-28, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Paraben Advanced SIM Card Forensics
+
|Sep 27-28, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Oct 01-04, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Wireless Forensics
+
|Oct 01-03, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 02-05, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Oct 02-05, Los Angeles, CA, Washington, DC and Perth, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 02-05, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Oct 02-05, The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 EnScript Programming - Phase II
+
|Oct 02-05, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 02-05, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Cellular/GPS Signal Analysis
+
|Oct 04-05, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Oct 05-08, Denver, CO
+
|http://www.md5group.com
+
|-
+
|Paraben Handheld Forensic Course
+
|Oct 08-11, San Diego, CA and Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|SMART Windows Data Forensics
+
|Oct 08-10, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Oct 09-12, Los Angeles, CA and The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Oct 09-12, Sydney, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Oct 09-12, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 09-12, Washington, DC and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Oct 09-12, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 09-12, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Oct 12-15, Dallas, TX
+
|http://www.md5group.com
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Oct 15-26, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Oct 15-19, Tacoma, WA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|Paraben E-Discovery: E-mail & Mobile E-mail Devices
+
|Oct 15-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|Macintosh Forensic Survival Course
+
|Oct 15-19, Philadelphia, PA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Oct 15-18, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced Cell Phone Forensics
+
|Oct 15-17, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 16-19, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Oct 16-19, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Oct 16-19, Washington DC and Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Oct 16-19, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase II
+
|Oct 16-19, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Oct 16-19, The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 16-19, Austin, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 EnScript Programming - Phase I
+
|Oct 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced SIM Card Forensics
+
|Oct 18-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|X-Ways Forensics
+
|Oct 22-24, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|EnCase v6 Computer Forensics II
+
|Oct 23-26, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 23-26, Canberra, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 23-26, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Oct 23-26, Los Angeles, CA and Singapore
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase eDiscovery with v6
+
|Oct 23-26, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 23-26, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|File Systems Revealed
+
|Oct 25-26, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|SARC Steganography Examiner Training
+
|Oct 26 - 27, Gaithersburg, MD (Techno Forensics Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Oct 29-Nov 9, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|Search and Seizure of Computers and Electronic Evidence
+
|Oct 29-30, Oxford, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics II
+
|Oct 30-Nov 02, Los Angeles, CA and The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Oct 30-Nov 02, Washington DC and Toronto, Ontario, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 30-Nov 02, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Oct 30-Nov 02, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase I
+
|Oct 30-Nov 02, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 30-Nov 02, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Handheld Forensic Course
+
|Nov 05-08, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Nov 05-08, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Nov 05-08, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase II
+
|Nov 05-08, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Cyber Crime
+
|Nov 05-07, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Nov 06-09, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Nov 06-09, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 NTFS
+
|Nov 06-09, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Nov 06-09, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData BootCamp
+
|Nov 06-08, Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|AccessData Windows Forensics
+
|Nov 06-08, Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Nov 07-09, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|SMART Linux Data Forensics
+
|Nov 12-14, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Nov 13-16, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Nov 13-16, The Netherlands and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Nov 13-16, Sydney, Australia and Singapore
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Nov 13-16, Chicago, IL and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Nov 13-16, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData BootCamp
+
|Nov 13-15, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics II
+
|Nov 20-23, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Nov 20-23, Vancouver, BC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 NTFS
+
|Nov 27-30, Vancouver, BC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Nov 27-30, Sydney, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Nov 27-30, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Nov 27-30, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase eDiscovery with v6
+
|Nov 27-30, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Computer Network Investigation Training Program (CNITP)
+
|Dec 03-14, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP)
+
|Dec 03-07, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|SMART for Linux
+
|Dec 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|Dec 03-05, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics I
+
|Dec 04-07, Chicago, IL; Los Angeles, CA; Houston, TX; and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Dec 04-07, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Dec 04-07, Washington DC, Leipzig, Germany and Toronto, Ontario, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Dec 04-07, Vancouver, BC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData Internet Forensics
+
|Dec 04-06 , Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Dec 05-07, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Dec 10-13, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Enterprise Data Forensics
+
|Dec 10-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Computer Forensics II
+
|Dec 11-14, Chicago, IL; Houston, TX; Los Angeles, CA; United Kingdom; and Melbourne, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Dec 11-14, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|X-Ways Forensics
+
|Dec 17-19, Singapore
+
|http://www.x-ways.net/training/SGP.html
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Dec 17-20, Chicago, IL and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Dec 17-20, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Dec 17-20, Washington, DC and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 NTFS
+
|Dec 17-20, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced Cell Phone Forensics
+
|Dec 17-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Dec 18-21, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced SIM Card Forensics
+
|Dec 20-21, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
 
|-
 
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed data size <br> Value in bytes.
 
|}
 
|}
 +
 +
== See Also ==
 +
* [[bz2 file]]
 +
 +
== External Links ==
 +
 +
* [http://www.gzip.org/format.txt The gzip file format], by the [http://www.gzip.org/ gzip project]
 +
* [http://www.gzip.org/algorithm.txt The gzip compression algorithm], by the [http://www.gzip.org/ gzip project]
 +
* [http://tools.ietf.org/html/rfc1952 RFC1952: GZIP file format specification version 4.3], by [[IETF]]
 +
* [http://en.wikipedia.org/wiki/Gzip Wikipedia: gzip]
 +
 +
[[Category:File Formats]]

Revision as of 23:22, 28 November 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

File format

The gzip file (.gz) format consists of:

  • a file header
  • optional headers
    • extra fields
    • original file name
    • comment
    • header checksum
  • a body, containing a DEFLATE-compressed payload
  • a file footer

The gzip format uses little-endian.

Offset Characteristics Description
Byte order little-endian
Date and time values Filetime in UTC
Character string ISO 8859-1 (LATIN-1)

File header

The file header is 10 bytes in size and contains:

Offset Size Value Description
0 2 0x1f 0x8b Signature (or identification byte 1 and 2)
2 1 Compression Method
3 1 Flags
4 4 Last modification time
Contains a POSIX timestamp.
8 1 Extra flags
9 1 Operating system
Value that indicates on which operating system the gzip file was created.

Compression method

Value Identifier Description
0 - 7 Reserved
8 "deflate" zlib compressed data

Flags

Value Identifier Description
0x01 FTEXT If set the uncompressed data needs to be treated as text instead of binary data.
This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
0x02 FHCRC The file contains a header checksum (CRC-16)
0x04 FEXTRA The file contains extra fields
0x08 FNAME The file contains an original file name string
0x10 FCOMMENT The file contains comment
0x20 Reserved
0x40 Reserved
0x80 Reserved

Note: The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.

Extra flags

If compression method is 8 the following extra flags can be defined:

Value Identifier Description
0x02 compressor used maximum compression, slowest algorithm
0x04 compressor used fastest algorithm

Operating System

Value Identifier Description
0 FAT filesystem (MS-DOS, OS/2, NT/Win32)
1 Amiga
2 VMS (or OpenVMS)
3 Unix
4 VM/CMS
5 Atari TOS
6 HPFS filesystem (OS/2, NT)
7 Macintosh
8 Z-System
9 CP/M
10 TOPS-20
11 NTFS filesystem (NT)
12 QDOS
13 Acorn RISCOS
255 unknown

Optional headers

Extra fields

TODO: add description

The extra field are variable of size and contains:

Offset Size Value Description
0 2 Extra field data size
Value in bytes.
2 ... Extra field data

Original file name

This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case insensitive names, forced to lower case.

Contains an ISO 8859-1 (LATIN-1) string with end-of-string character.

Comment

Contains an ISO 8859-1 (LATIN-1) string with end-of-string character. Line breaks should be denoted by a single line feed character.

Header checksum

The header checksum contain a CRC-16 that consists of the two least significant bytes of the CRC-32 for all bytes of the gzip header up to and not including the CRC-16.

File footer

The file footer is 8 bytes in size and contains:

Offset Size Value Description
0 4 Checksum (CRC-32)
4 4 Uncompressed data size
Value in bytes.

See Also

External Links