Difference between revisions of "RAR"

From Forensics Wiki
m (See Also)
Line 11: Line 11:
  
  
==Metadata==
+
===RAR File Format===
  
 +
Each Block has the following fields
 +
{| class="wikitable"
 +
|+ Block Fields
 +
! Name
 +
! Size (bytes)
 +
! Description
 +
|-
 +
| HEAD_CRC
 +
| 2
 +
| CRC of total block or block part
 +
|-
 +
| HEAD_TYPE
 +
| 1
 +
| Block type
 +
|-
 +
| HEAD_FLAGS
 +
| 2
 +
| Block flags
 +
|-
 +
| HEAD_SIZE
 +
| 2
 +
| Block size
 +
|-
 +
| ADD_SIZE
 +
| 4
 +
| Optional field - added block size
 +
|}
  
 +
----
 +
There are certain block types
  
==Sub-formats==
+
{| class="wikitable"
 +
|+ Block Types
 +
! Head Type Signifier
 +
! Description
 +
|-
 +
| HEAD_TYPE=0x72
 +
| marker block
 +
|-
 +
| HEAD_TYPE=0x73
 +
| archive header
 +
|-
 +
| HEAD_TYPE=0x74
 +
| file header
 +
|-
 +
| HEAD_TYPE=0x75
 +
| old style comment header
 +
|-
 +
| HEAD_TYPE=0x76
 +
| old style authenticity information
 +
|-
 +
| HEAD_TYPE=0x77
 +
| old style subblock
 +
|-
 +
| HEAD_TYPE=0x78
 +
| old style recovery record
 +
|-
 +
| HEAD_TYPE=0x79
 +
| old style authenticity information
 +
|-
 +
| HEAD_TYPE=0x7a
 +
| subblock
 +
|}
 +
----
  
The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:
 
:* 1.3 (Does not have the RAR! signature)
 
:** There is difficulty finding information regarding this sub-format. Please update if you know something.
 
:* 1.5
 
:** Utilizes a proprietary compression method that is not available to the public.
 
:** Considered the root model of subsequent formats.
 
:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
 
:* 2.0
 
:** Utilizes a proprietary compression method that is not available to the public.
 
:** Based off of version 1.5 of the RAR file format.
 
:* 3.0
 
:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)]] algorithms.
 
:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
 
:** Based off of version 1.5 of the RAR file format.
 
  
 +
===Block Formats===
  
 +
Marker Block (MARK_HEAD)
  
==Software==
+
{| class="wikitable"
 +
|+ MARK_HEAD
 +
! Field Name
 +
! Size (bytes)
 +
! Possibilities
 +
|-
 +
| HEAD_CRC
 +
| 2
 +
| Always 0x6152
 +
|-
 +
| HEAD_TYPE
 +
| 1
 +
| Header type: 0x72
 +
|-
 +
| HEAD_FLAGS
 +
| 2
 +
| Always 0x1a21
 +
|-
 +
| HEAD_SIZE
 +
| 2
 +
| Block size = 0x0007
 +
|}
  
This only way to create a RAR file is using the [http://www.rarlab.com/ Winrar software]. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:
+
* Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00 (which is seen as 'Rar!')
 
+
;unrarLib
+
 
+
:* RAR file unarchiver written in C
+
:* Easy implementation with a header file and the source code file
+
:* [http://www.unrarlib.org/ Information Link]
+
 
+
;WinRAR
+
 
+
:* Only software that can create and open a RAR file
+
:* Distributed by a proprietary license
+
:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]
+
 
+
;UnRAR
+
 
+
:* Created by Eugene Roshal for opening up RAR files only
+
:* May not be used to reverse engineer the RAR file format and create RAR files
+
:* Source code provided for people to implement/integrate methods of opening RAR files
+
:* Additionally, implementations of UnRAR are available for a plethora of operating systems
+
:* [http://www.rarlab.com/rar_add.htm Download Link]
+
 
+
;The Unarchiver
+
 
+
:* Utility made for Mac OSX to open a multitude of files, including RAR files
+
:* Very handy for dealing with multiple file types
+
:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
+
:* [http://unarchiver.c3.cx/ Information Website]
+
 
+
;7-Zip
+
 
+
:* Utility made for Windows applications to open a multitude of files, including RAR files
+
:* [http://www.7-zip.org/download.html Download Link]
+
 
+
 
+
There is a lot more software to open RAR files, but have been omitted due to redundancy.
+
==See Also==
+
* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
+
* [http://acritum.com/winrar/rar-format RAR File Format Information]
+
* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]
+
 
+
[[Category:File Formats]]
+
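Review bot: the 3.0 bullet "Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES)" treats CBC and AES as alternatives, but CBC is a mode of operation and AES is a block cipher that runs in such a mode, so the sentence cannot be right as written; reword it to name both the cipher and the mode that version 3.0 uses, with a source. Two smaller points in the same hunk: the external link `Lempel-Ziv (LZSS)]]` closes with `]]` where a single `]` is expected and will render a stray bracket, and "This only way to create a RAR file" should read "The only way". The WinRAR entry "Only software that can create and open a RAR file" also sits oddly right after a sentence listing several other programs that open RAR files; "only software that can create a RAR file" would be consistent with the rest of the section.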

Revision as of 09:34, 11 April 2012

RAR (Roshal ARchive) is a proprietary archive file format created by Eugene Roshal. The format is currently maintained by Alexander Roshal, Eugene's brother.

Format

The file begins with the magic number:

0x 52 61 72 21 1A 07 00

which, read as little-endian fields, breaks down into the following header values:

  • 0x6152 - HEAD_CRC
  • 0x72 - HEAD_TYPE
  • 0x1a21 - HEAD_FLAGS
  • 0x0007 - HEAD_SIZE


RAR File Format

Each block has the following fields:

Block Fields
Name        Size (bytes)  Description
HEAD_CRC    2             CRC of total block or block part
HEAD_TYPE   1             Block type
HEAD_FLAGS  2             Block flags
HEAD_SIZE   2             Block size
ADD_SIZE    4             Optional field - added block size

The following block types are defined:

Block Types
Head Type Signifier  Description
HEAD_TYPE=0x72       marker block
HEAD_TYPE=0x73       archive header
HEAD_TYPE=0x74       file header
HEAD_TYPE=0x75       old style comment header
HEAD_TYPE=0x76       old style authenticity information
HEAD_TYPE=0x77       old style subblock
HEAD_TYPE=0x78       old style recovery record
HEAD_TYPE=0x79       old style authenticity information
HEAD_TYPE=0x7a       subblock


Block Formats

Marker Block (MARK_HEAD)

MARK_HEAD
Field Name  Size (bytes)  Possibilities
HEAD_CRC    2             Always 0x6152
HEAD_TYPE   1             Header type: 0x72
HEAD_FLAGS  2             Always 0x1a21
HEAD_SIZE   2             Block size = 0x0007
  • Note: the marker block is a fixed byte sequence (a magic number): 0x52 0x61 0x72 0x21 0x1a 0x07 0x00, whose first four bytes read 'Rar!' in ASCII.
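As an added example (not from this wiki page or from RARLAB's own code), a Python parser that walks the block chain described in the tables above: it checks the marker block, verifies each block's HEAD_CRC, and refuses to trust a HEAD_SIZE or ADD_SIZE that would read past the input, which is the check a forensic tool needs before following size fields from an untrusted archive. The LONG_BLOCK flag value 0x8000 and the CRC convention (low 16 bits of CRC32 over the header bytes after the CRC field) are assumptions taken from the RAR 2.x/3.x technote, not stated on this page, and the sample archive is constructed inline.

```python
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"  # 0x52 0x61 0x72 0x21 0x1a 0x07 0x00: the fixed MARK_HEAD
LONG_BLOCK = 0x8000  # HEAD_FLAGS bit "ADD_SIZE present" (assumed from the RAR 2.x/3.x technote)
BLOCK_TYPES = {0x72: "marker block", 0x73: "archive header", 0x74: "file header",
               0x75: "old style comment header", 0x76: "old style authenticity information",
               0x77: "old style subblock", 0x78: "old style recovery record",
               0x79: "old style authenticity information", 0x7a: "subblock"}

def build_block(head_type, flags, extra=b"", data=b""):
    # Sample-data builder. HEAD_CRC assumed = low 16 bits of CRC32 over the header after the CRC field.
    if data:
        flags |= LONG_BLOCK
    add = struct.pack("<I", len(data)) if flags & LONG_BLOCK else b""
    head_size = 7 + len(add) + len(extra)
    rest = struct.pack("<BHH", head_type, flags, head_size) + add + extra
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest + data

def parse_blocks(buf):
    # Walk the block chain, bounds-checking every size field before trusting it.
    if not buf.startswith(RAR_MARKER):
        raise ValueError("missing RAR marker block")
    blocks, off = [], 0
    while off < len(buf):
        if len(buf) - off < 7:
            raise ValueError(f"truncated block header at offset {off}")
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", buf, off)
        if head_size < 7 or (flags & LONG_BLOCK and head_size < 11) or off + head_size > len(buf):
            raise ValueError(f"bad HEAD_SIZE {head_size} at offset {off}")
        add_size = struct.unpack_from("<I", buf, off + 7)[0] if flags & LONG_BLOCK else 0
        if off + head_size + add_size > len(buf):
            raise ValueError(f"ADD_SIZE {add_size} runs past end of data at offset {off}")
        # The marker block carries the constant 0x6152 ("Ra") rather than a real CRC.
        if head_type != 0x72 and zlib.crc32(buf[off + 2:off + head_size]) & 0xFFFF != head_crc:
            raise ValueError(f"HEAD_CRC mismatch at offset {off}")
        blocks.append({"offset": off, "type": head_type, "name": BLOCK_TYPES.get(head_type, "unknown"),
                       "flags": flags, "head_size": head_size, "add_size": add_size})
        off += head_size + add_size
    return blocks

def validates(buf):
    try:
        parse_blocks(buf)
        return True
    except ValueError:
        return False

# Constructed sample: marker block, archive header (6 reserved bytes), file header with 5 data bytes.
SAMPLE = RAR_MARKER + build_block(0x73, 0, extra=b"\x00" * 6) + build_block(0x74, 0, data=b"hello")
```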