RAR

From ForensicsWiki
Revision as of 09:34, 11 April 2012 by Jamming (Talk | contribs)


RAR (Roshal ARchive) is a proprietary archive file format created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.

Format

The file starts with the magic number:

0x 52 61 72 21 1A 07 00

These bytes break down into the following block header fields (multi-byte fields are stored little-endian):

  • 0x6152 - HEAD_CRC
  • 0x72 - HEAD_TYPE
  • 0x1a21 - HEAD_FLAGS
  • 0x0007 - HEAD_SIZE


RAR File Format

Each block has the following fields:

Block Fields

Name        Size (bytes)  Description
HEAD_CRC    2             CRC of total block or block part
HEAD_TYPE   1             Block type
HEAD_FLAGS  2             Block flags
HEAD_SIZE   2             Block size
ADD_SIZE    4             Optional field - added block size

The following block types are defined:

Block Types

Head Type Signifier  Description
HEAD_TYPE=0x72       marker block
HEAD_TYPE=0x73       archive header
HEAD_TYPE=0x74       file header
HEAD_TYPE=0x75       old style comment header
HEAD_TYPE=0x76       old style authenticity information
HEAD_TYPE=0x77       old style subblock
HEAD_TYPE=0x78       old style recovery record
HEAD_TYPE=0x79       old style authenticity information
HEAD_TYPE=0x7a       subblock
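
The block layout above is enough to walk an archive block by block, which is how a carving or triage tool would locate the marker and enumerate headers. The following Python sketch is an added example, not code from ForensicsWiki or from the RAR authors. It assumes, from the RAR technical note rather than this page, that ADD_SIZE is present only when HEAD_FLAGS has bit 0x8000 set and that a block occupies HEAD_SIZE + ADD_SIZE bytes; the names LONG_BLOCK, walk_blocks and make_block are made up for the example, the sample bytes are constructed, and HEAD_CRC is not verified.

```python
import struct

MAGIC = bytes.fromhex("526172211a0700")  # marker block: 'Rar!' 1A 07 00
BLOCK_TYPES = {
    0x72: "marker block", 0x73: "archive header", 0x74: "file header",
    0x75: "old style comment header",
    0x76: "old style authenticity information",
    0x77: "old style subblock", 0x78: "old style recovery record",
    0x79: "old style authenticity information", 0x7A: "subblock",
}
LONG_BLOCK = 0x8000  # assumption (not on this page): flag bit signalling ADD_SIZE


def walk_blocks(data):
    """Return (offset, type_name, flags, head_size, add_size) for each block."""
    pos = data.find(MAGIC)  # the marker may be preceded by other data
    if pos < 0:
        raise ValueError("RAR marker block not found")
    blocks = []
    while pos + 7 <= len(data):
        _crc, htype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:  # a header must cover its own 7 bytes; stops zero-size loops
            break
        add_size = 0
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):  # truncated before ADD_SIZE
                break
            (add_size,) = struct.unpack_from("<I", data, pos + 7)
        name = BLOCK_TYPES.get(htype, "unknown 0x%02x" % htype)
        blocks.append((pos, name, flags, head_size, add_size))
        pos += head_size + add_size
    return blocks


def make_block(htype, flags, body=b"", payload=b""):
    """Build a constructed test block; HEAD_CRC is left as 0 and never checked."""
    if flags & LONG_BLOCK:
        body = struct.pack("<I", len(payload)) + body
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body + payload


# Constructed sample: junk prefix, marker, archive header, file header + 5 data bytes.
SAMPLE = (b"MZ-stub" + MAGIC + make_block(0x73, 0x0000, b"\x00" * 6)
          + make_block(0x74, 0x8000, b"\x00" * 21, b"hello"))

if __name__ == "__main__":
    for block in walk_blocks(SAMPLE):
        print(block)
```
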


Block Formats

Marker Block (MARK_HEAD)

MARK_HEAD

Field Name  Size (bytes)  Possibilities
HEAD_CRC    2             Always 0x6152
HEAD_TYPE   1             Header type: 0x72
HEAD_FLAGS  2             Always 0x1a21
HEAD_SIZE   2             Block size = 0x0007
  • Note: the marker block is treated as a fixed byte sequence (i.e. a magic number): 0x52 0x61 0x72 0x21 0x1a 0x07 0x00, the first four bytes of which read as 'Rar!' in ASCII.