Difference between pages "Gzip" and "Blogs"

From ForensicsWiki

[[Computer forensics]] related resources like: blogs, fora, tweets, tools and challenges (and test images).

= Blogs =

== English ==

* [http://www.appleexaminer.com/ The Apple Examiner]
* [http://computer.forensikblog.de/en/ Computer Forensics Blog], by [[Andreas Schuster]]
* [http://www.niiconsulting.com/checkmate/ Checkmate - e-zine on Digital Forensics and Incident Response]
* [http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html Jack Koziol - Ethical Hacking and Computer Forensics]
* [http://windowsir.blogspot.com/ Windows Incident Response Blog], by [[Harlan Carvey]]
* [http://geschonneck.com/ Computer Forensics Blog], by [[Alexander Geschonneck]]
* [http://forensicblog.org/ Computer Forensics Blog], by [[Michael Murr]]
* [http://forenshick.blogspot.com/ Forensic news, Technology, TV, and more], by [[Jordan Farr]]
* [http://unixsadm.blogspot.com/ UNIX, OpenVMS and Windows System Administration, Digital Forensics, High Performance Computing, Clustering and Distributed Systems], by [[Criveti Mihai]]
* [http://intrusions.blogspot.com/ Various Authors - Intrusions and Malware Analysis]
* [http://chicago-ediscovery.com/education/computer-forensics-glossary/ Computer Forensic Glossary Blog, HOWTOs and other resources], by [[Andrew Hoog]]
* [http://secureartisan.wordpress.com/ Digital Forensics with a Focus on EnCase], by [[Paul Bobby]]
* [http://www.crimemuseum.org/blog/ National Museum of Crime and Punishment-CSI/Forensics Blog]
* [http://forensicsfromthesausagefactory.blogspot.com/ Forensics from the sausage factory]
* [http://integriography.wordpress.com Computer Forensics Blog], by [[David Kovar]]
* [http://jessekornblum.livejournal.com/ A Geek Raised by Wolves], by [[Jesse Kornblum]]
* [http://computer-forensics.sans.org/blog SANS Computer Forensics and Incident Response Blog by SANS Institute]
* [http://www.digitalforensicsource.com Digital Forensic Source]
* [http://dfsforensics.blogspot.com/ Digital Forensics Solutions]
* [http://forensicaliente.blogspot.com/ Forensicaliente]
* [http://www.ericjhuber.com/ A Fistful of Dongles]
* [http://gleeda.blogspot.com/ JL's stuff]
* [http://4n6k.blogspot.com/ 4n6k]
* [http://justaskweg.com/ JustAskWeg], by [[Jimmy Weg]]
* [http://blog.kiddaland.net/ IR and forensic talk], by [[Kristinn Gudjonsson]]
* [http://c-skills.blogspot.ch/ c-skills], by [[Sebastian Krahmer]]
* [http://sketchymoose.blogspot.ch/ Sketchymoose's Blog]
* [http://www.swiftforensics.com/ All things forensic and security related], by [[Yogesh Khatri]]

=== Windows ===

* [http://blogs.msdn.com/b/ntdebugging/ ntdebugging - Advanced Windows Debugging and Troubleshooting]

== Dutch ==

* [http://stam.blogs.com/8bits/ 8 bits], by [[Mark Stam]] (also contains English articles; otherwise use the [http://translate.google.com/translate?u=http%3A%2F%2Fstam.blogs.com%2F8bits%2Fforensisch%2Findex.html&langpair=nl%7Cen&hl=en&ie=UTF-8 Google translation])

== French ==

* [http://forensics-dev.blogspot.com Forensics-dev] ([http://translate.google.com/translate?u=http%3A%2F%2Fforensics-dev.blogspot.com%2F&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

== German ==

* [http://computer.forensikblog.de/ Computer Forensik Blog Gesamtausgabe], by [[Andreas Schuster]] ([http://computer.forensikblog.de/en/ English version])
* [http://computer-forensik.org computer-forensik.org], by [[Alexander Geschonneck]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.computer-forensik.org&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://henrikbecker.blogspot.com Digitale Beweisführung], by [[Henrik Becker]] ([http://translate.google.com/translate?u=http%3A%2F%2Fhenrikbecker.blogspot.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

== Spanish ==

* [http://www.forensic-es.org/blog forensic-es.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.forensic-es.org%2Fblog&langpair=es%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://www.inforenses.com InForenseS], by [[Javier Pages]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.inforenses.com&langpair=es%7Cen&hl=es&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://windowstips.wordpress.com El diario de Juanito]
* [http://conexioninversa.blogspot.com Conexión inversa]

== Russian ==

* Group-IB: [http://notheft.ru/blogs/group-ib blog at notheft.ru], [http://www.securitylab.ru/blog/company/group-ib/ blog at securitylab.ru]

= Related blogs =

* [http://www.c64allstars.de C64Allstars Blog]
* [http://www.emergentchaos.com/ Emergent Chaos], by [[Adam Shostack]]
* [http://jeffjonas.typepad.com/ Inventor of NORA discusses privacy and all things digital], by [[Jeff Jonas]]
* [http://www.cs.uno.edu/~golden/weblog Digital Forensics, Coffee, Benevolent Hacking], by [[Golden G. Richard III]]

= Circles/Fora/Groups =

* [http://forensicfocus.com/ Forensic Focus]
* [http://tech.groups.yahoo.com/group/win4n6 Yahoo! groups: win4n6 · Windows Forensic Analysis]

= Tweets =

* [http://twitter.com/#!/search/%23DFIR?q=%23DFIR #DFIR]
* [http://twitter.com/#!/search/%23forensics #forensics]

= Tools =

* [http://www2.opensourceforensics.org/ Open Source Digital Forensics]
* [http://forensiccontrol.com/resources/free-software/ Free computer forensic tools]
* [http://code.google.com/p/libyal/ Yet another library library (and tools)]

= Challenges (and test images) =

* [http://www.dc3.mil/challenge/ DC3 Challenges]
* [http://testimages.wordpress.com/ Digital Forensics Test Images]
* [http://www.forensicfocus.com/images-and-challenges Forensic Focus - Test Images and Forensic Challenges]
* [https://www.honeynet.org/challenges/ Honeynet Project Challenges]
* [http://testimages.wordpress.com/ Digital Forensic Test Images]
* [http://secondlookforensics.com/linux-memory-images/ Second Look - Linux Memory Images]
* [http://sourceforge.net/projects/nullconctf2014/ NullconCTF2014]

= Conferences =

See: [[:Category:Conferences|Conferences]]

[[Category:Further information]]

{{expand}}

== File format ==
The gzip file (.gz) format consists of:
* a file header
* optional headers
** extra fields
** original file name
** comment
** header checksum
* compressed data (commonly used compression method DEFLATE, without zlib header)
* a file footer

{| class="wikitable"
! align="left"| Characteristics
! Description
|-
| Byte order
| little-endian
|-
| Date and time values
| Filetime in UTC
|-
| Character string
| ISO 8859-1 (LATIN-1)
|}

=== File header ===
The file header is 10 bytes in size and contains:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 2
| 0x1f 0x8b
| Signature (identification bytes 1 and 2)
|-
| 2
| 1
|
| Compression method
|-
| 3
| 1
|
| Flags
|-
| 4
| 4
|
| Last modification time <br> Contains a POSIX timestamp.
|-
| 8
| 1
|
| Compression flags (or extra flags)
|-
| 9
| 1
|
| Operating system <br> Value that indicates on which operating system the gzip file was created.
|}

==== Compression method ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0 - 7
|
| Reserved
|-
| 8
| deflate
| deflate compressed data
|}

==== Flags ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x01
| FTEXT
| If set, the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints at end-of-line conversion for cross-platform text files but does not enforce it.
|-
| 0x02
| FHCRC
| The file contains a header checksum (CRC-16)
|-
| 0x04
| FEXTRA
| The file contains extra fields
|-
| 0x08
| FNAME
| The file contains an original file name string
|-
| 0x10
| FCOMMENT
| The file contains a comment
|-
| 0x20
|
| Reserved
|-
| 0x40
|
| Reserved
|-
| 0x80
|
| Reserved
|}

<b>Notes:</b>
* Reserved flag bits must be zero.
* The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.

==== Compression flags ====
This value contains flags specific to the compression method.

===== Compression flags - deflate =====
If the compression method value is 8 (deflate), the following compression flags can be used:
{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x02
|
| compressor used maximum compression, slowest algorithm
|-
| 0x04
|
| compressor used fastest algorithm
|}

==== Operating System ====
{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0
|
| FAT filesystem (MS-DOS, OS/2, NT/Win32)
|-
| 1
|
| Amiga
|-
| 2
|
| VMS (or OpenVMS)
|-
| 3
|
| Unix
|-
| 4
|
| VM/CMS
|-
| 5
|
| Atari TOS
|-
| 6
|
| HPFS filesystem (OS/2, NT)
|-
| 7
|
| Macintosh
|-
| 8
|
| Z-System
|-
| 9
|
| CP/M
|-
| 10
|
| TOPS-20
|-
| 11
|
| NTFS filesystem (NT)
|-
| 12
|
| QDOS
|-
| 13
|
| Acorn RISCOS
|-
| 255
|
| unknown
|}

=== Optional headers ===
==== Extra fields ====
This value is present in the file if the FEXTRA flag is set in the file header flags.

The extra field is variable in size and contains:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 2
|
| Extra field data size <br> Value in bytes.
|-
| 2
| ...
|
| Extra field data
|}

==== Original file name ====
This value is present in the file if the FNAME flag is set in the file header flags.

This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case-insensitive names, forced to lower case.

Contains an ISO 8859-1 (LATIN-1) string with an end-of-string character.

==== Comment ====
This value is present in the file if the FCOMMENT flag is set in the file header flags.

Contains an ISO 8859-1 (LATIN-1) string with an end-of-string character. Line breaks should be denoted by a single line feed character.

==== Header checksum ====
The header checksum contains a CRC-16 that consists of the two least significant bytes of the CRC-32 of all bytes of the gzip header up to and not including the CRC-16.

=== File footer ===
The file footer is 8 bytes in size and contains:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Checksum (CRC-32)
|-
| 4
| 4
|
| Uncompressed data size <br> Value in bytes.
|}

== See Also ==
* [[bzip2]]

== External Links ==

* [http://www.gzip.org/format.txt The gzip file format], by the [http://www.gzip.org/ gzip project]
* [http://www.gzip.org/algorithm.txt The gzip compression algorithm], by the [http://www.gzip.org/ gzip project]
* [http://tools.ietf.org/html/rfc1952 RFC1952: GZIP file format specification version 4.3], by [[IETF]]
* [http://en.wikipedia.org/wiki/Gzip Wikipedia: gzip]

[[Category:File Formats]]
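The layout given in the File header, Flags, Optional headers, Header checksum and File footer sections of the Gzip page above, worked through as a parser. This is an added example and not code from the ForensicsWiki page or from the gzip project: `parse_gzip` walks a single member in the order the tables give (10-byte fixed header, then FEXTRA, FNAME, FCOMMENT and FHCRC if their flag bits are set, then the raw deflate data, then the 8-byte footer) and rejects reserved flag bits, a wrong header CRC-16, a wrong footer CRC-32 or ISIZE, and truncation instead of guessing. `build_gzip` exists only to construct the sample input; the payload, the name `notes.txt`, the comment, the extra-field bytes and the 2014-01-29 01:52 UTC timestamp are all constructed values. The extra-field bytes follow the SI1/SI2/LEN subfield layout of RFC 1952, which the page's table does not break down; `OS_NAMES` is the Operating System table above as a dict.

```python
import gzip
import struct
import zlib
from datetime import datetime, timezone

# Header flag bits (FLG byte at offset 3) and the Operating System table from the page.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10
RESERVED_FLAGS = 0x20 | 0x40 | 0x80
OS_NAMES = {0: "FAT", 1: "Amiga", 2: "VMS", 3: "Unix", 4: "VM/CMS", 5: "Atari TOS",
            6: "HPFS", 7: "Macintosh", 8: "Z-System", 9: "CP/M", 10: "TOPS-20",
            11: "NTFS", 12: "QDOS", 13: "Acorn RISCOS", 255: "unknown"}


def _read_latin1_cstring(data, pos):
    """Read a NUL-terminated ISO 8859-1 string (FNAME / FCOMMENT) starting at pos."""
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("latin-1"), end + 1


def parse_gzip(data):
    """Parse one gzip member; return header fields plus the checksum-verified payload.

    Raises ValueError on any structural or checksum problem, naming the field, so a
    damaged or altered member is never accepted silently.
    """
    if data[:2] != b"\x1f\x8b":
        raise ValueError("missing gzip signature 1f 8b")
    cm, flg, mtime, xfl, os_id = struct.unpack_from("<BBIBB", data, 2)  # little-endian
    if cm != 8:
        raise ValueError("unsupported compression method %d (only 8 = deflate)" % cm)
    if flg & RESERVED_FLAGS:
        raise ValueError("reserved flag bits set: 0x%02x" % flg)
    info = {"mtime": datetime.fromtimestamp(mtime, tz=timezone.utc) if mtime else None,
            "xfl": xfl, "os": OS_NAMES.get(os_id, "undefined (%d)" % os_id),
            "text": bool(flg & FTEXT)}
    pos = 10  # the fixed header is 10 bytes
    if flg & FEXTRA:  # 2-byte data size, then that many bytes of extra field data
        (xlen,) = struct.unpack_from("<H", data, pos)
        info["extra"] = data[pos + 2:pos + 2 + xlen]
        pos += 2 + xlen
    if flg & FNAME:
        info["name"], pos = _read_latin1_cstring(data, pos)
    if flg & FCOMMENT:
        info["comment"], pos = _read_latin1_cstring(data, pos)
    if flg & FHCRC:  # CRC-16 = low 16 bits of the CRC-32 over every header byte before it
        (stored,) = struct.unpack_from("<H", data, pos)
        if stored != (zlib.crc32(data[:pos]) & 0xFFFF):
            raise ValueError("header CRC-16 mismatch")
        info["header_crc_ok"] = True
        pos += 2
    # Compressed data is a raw deflate stream: negative wbits means "no zlib header".
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    payload = d.decompress(data[pos:]) + d.flush()
    if not d.eof:
        raise ValueError("truncated deflate stream")
    footer = d.unused_data  # everything after the deflate stream starts with the footer
    if len(footer) < 8:
        raise ValueError("truncated footer")
    crc32, isize = struct.unpack_from("<II", footer, 0)
    if crc32 != zlib.crc32(payload):
        raise ValueError("CRC-32 of uncompressed data does not match footer")
    if isize != (len(payload) & 0xFFFFFFFF):  # ISIZE is the length modulo 2**32
        raise ValueError("ISIZE %d does not match payload length %d" % (isize, len(payload)))
    info["payload"] = payload
    info["trailing"] = footer[8:]  # bytes after the member: a second member, or slack
    return info


def build_gzip(payload, name=None, comment=None, extra=None, mtime=0, os_id=3, header_crc=True):
    """Construct a single-member gzip file with the optional headers (sample-input builder)."""
    flg, opt = 0, b""
    if extra is not None:
        flg |= FEXTRA
        opt += struct.pack("<H", len(extra)) + extra
    if name is not None:
        flg |= FNAME
        opt += name.encode("latin-1") + b"\x00"
    if comment is not None:
        flg |= FCOMMENT
        opt += comment.encode("latin-1") + b"\x00"
    if header_crc:
        flg |= FHCRC
    header = b"\x1f\x8b" + struct.pack("<BBIBB", 8, flg, mtime, 0x02, os_id) + opt  # XFL 0x02
    if header_crc:
        header += struct.pack("<H", zlib.crc32(header) & 0xFFFF)
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate, level 9
    body = comp.compress(payload) + comp.flush()
    footer = struct.pack("<II", zlib.crc32(payload), len(payload) & 0xFFFFFFFF)
    return header + body + footer


def tamper(data, offset, xor_mask):
    """Return a copy of data with one byte XORed, to simulate corruption or tampering."""
    buf = bytearray(data)
    buf[offset] ^= xor_mask
    return bytes(buf)


def parse_error(data):
    """Return the ValueError message for a rejected member, or None if it parses cleanly."""
    try:
        parse_gzip(data)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: a small text payload with every optional header present.
SAMPLE = build_gzip(b"case notes\nline two\n", name="notes.txt", comment="constructed sample",
                    extra=b"\x41\x70\x02\x00\x01\x02", mtime=1390960320, os_id=3)


def stdlib_roundtrip():
    """Cross-check: the standard library reads the constructed member too."""
    return gzip.decompress(SAMPLE)


if __name__ == "__main__":
    info = parse_gzip(SAMPLE)
    print(info["name"], info["comment"], info["os"], info["mtime"], len(info["payload"]))
```

Running the block prints the recovered name, comment, operating system, timestamp and payload size. Feeding it a member whose header CRC-16, footer CRC-32 or ISIZE has been altered raises ValueError naming the field, which is the behaviour wanted when carving .gz members from unallocated space: a member that fails its own checksums is evidence of damage or alteration and should be reported, not silently repaired.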
Revision as of 01:52, 29 January 2014