Oxygen Forensic Suite 2014

From ForensicsWiki

{| style="padding:0.3em; float:right; margin-left:15px; margin-bottom:8px; border:1px solid #A3B1BF; background:#f5faff; text-align:center; font-size:95%; line-height:1.5em;width:220px;"
| style="padding:0.1em; font-size:1em; background-color:#cee0f2;" | '''Current version'''
|-
|align="left"|
'''Version Number''': 3.6

'''Date Released''': 13 October 2011
|-
| style="padding:0.1em; font-size:1em; background-color:#cee0f2;" | '''Recent changes'''
|-
|align="left"|
* Added rooting support for Android OS 1.6-2.3.2 and 3.0-3.0.1
* Licensing: Lifetime data extraction
* Android: Added support for Dropbox, Skype, Google Maps, Web Browser applications and MMS extraction
* Apple: Added support for Dropbox, Skype 3.5 applications
* Added support for Nokia Series 30 phones
|-
| style="padding:0.1em; font-size:1em; background-color:#cee0f2;"|'''Screenshots'''
|-
|
[[Image:OFS2_01_Device.png|200px|thumb|center|Device summary]]
[[Image:OFS2_05_PhoneActivity_Date.png|200px|thumb|center|Phone Activity]]
[[Image:OFS2_04_LifeBlog.png|200px|thumb|center|Geo event positioning (LifeBlog) data]]
[[Image:OFS2_11_GeoFiles.png|200px|thumb|center|Camera shots with Geo data]]
[[Image:OFS2_03_SQLiteViewer_Deleted.png|200px|thumb|center|Deleted data recovery]]
[[Image:OFS2_08_MessagesExportPDF.png|200px|thumb|center|Sample report]]
[http://www.oxygen-forensic.com/en/screenshots/ More screenshots ... ]
|}
'''Oxygen Forensic Suite 2011''' is mobile forensic software for logical analysis of [[cell phones]], [[SmartPhones|smartphones]] and [[PDAs]] developed by [[Oxygen Software]]. The suite can extract device information, contacts, calendar events, [[SMS]] messages, event logs, and files. In addition, the vendor claims the suite can extract metadata related to the above. As of September 2011 the suite supported more than 2,300 devices, including [[Nokia]], [[Apple iPhone]] series, [[Apple iPod Touch]], [[Apple iPad]], Vertu, [[Sony Ericsson]], Samsung, Motorola, [[BlackBerry|Blackberry]], Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate and other mobile phones. The suite also supports devices running [[symbian|Symbian OS]], [[Microsoft Windows Mobile|Windows Mobile 5/6]] and [[Android|Android OS devices]].

== Forensic Soundness ==
The suite accesses devices using advanced proprietary protocols. Some devices, such as smartphones, require an Agent installation. Installing software onto the device being examined can be treated as an impact on the forensic soundness of the investigation. But as not much information is obtainable by other means and the impact is documented, it may still be admissible under the [[Best Evidence Rule]].

== Previous Names ==
Oxygen Forensic Suite was previously marketed as "Oxygen Phone Manager II (Forensic Edition)".

== External Links ==
* [http://www.oxygen-forensic.com/ Official web site]

[[Category:Windows Mobile]]
[[Category:Mobile device tools]]

Gzip

From ForensicsWiki

Revision as of 01:58, 28 November 2013
File format

The gzip file (.gz) format consists of:

  • a file header
  • optional headers
    • extra fields
    • original file name
    • comment
    • header checksum
  • a body, containing a DEFLATE-compressed payload
  • an 8-byte footer, containing a CRC-32 checksum and the length of the original uncompressed data.

File header

The file header is 10 bytes in size and contains:

Offset  Size  Value      Description
0       2     0x1f 0x8b  Signature (or identification bytes 1 and 2)
2       1                Compression method
3       1                Flags
4       4                Last modification time; contains a POSIX timestamp
8       1                Extra flags
9       1                Operating system; value that indicates on which operating system the gzip file was created

Compression method

Value  Identifier  Description
0 - 7              Reserved
8      "deflate"   zlib compressed data

Flags

Value  Identifier  Description
0x01   FTEXT       If set, the uncompressed data needs to be treated as text instead of binary data. This flag hints at end-of-line conversion for cross-platform text files but does not enforce it.
0x02   FHCRC       The file contains a header checksum (CRC16)
0x04   FEXTRA      The file contains extra fields
0x08   FNAME       The file contains an original file name string
0x10   FCOMMENT    The file contains a comment
0x20               Reserved
0x40               Reserved
0x80               Reserved

Note: The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.

Extra flags

If the compression method is 8, the following extra flags can be defined:

Value  Description
0x02   compressor used maximum compression, slowest algorithm
0x04   compressor used fastest algorithm

Operating System

Value  Description
0      FAT filesystem (MS-DOS, OS/2, NT/Win32)
1      Amiga
2      VMS (or OpenVMS)
3      Unix
4      VM/CMS
5      Atari TOS
6      HPFS filesystem (OS/2, NT)
7      Macintosh
8      Z-System
9      CP/M
10     TOPS-20
11     NTFS filesystem (NT)
12     QDOS
13     Acorn RISCOS
255    unknown

Optional headers

Extra fields

TODO: add description

Original file name

This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case insensitive names, forced to lower case.

Contains an ISO 8859-1 (LATIN-1) string with end-of-string character.

Comment

Contains an ISO 8859-1 (LATIN-1) string with end-of-string character. Line breaks should be denoted by a single line feed character.

Header checksum

The header checksum is a CRC16 consisting of the two least significant bytes of the CRC32 computed over all bytes of the gzip header up to, but not including, the CRC16 itself.
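The header layout, flag bits, optional headers, header CRC16 and 8-byte footer described above, carried through as one working parser. This is an added example, not code from the ForensicsWiki page or from the gzip project; it uses only the Python standard library. The sample member it parses is constructed inside the block by the build_gzip_member helper (an assumption of this example, not a documented tool) with every optional header set, so each branch of the parser is exercised; the file name, comment, timestamp and extra-field bytes in that sample are made up for the example.

```python
"""gzip member parser: 10-byte header, optional headers, CRC16, DEFLATE body, footer.

Added example for the ForensicsWiki gzip page; standard library only.
The sample member is constructed below with build_gzip_member().
"""
import struct
import zlib

FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10
RESERVED_FLAGS = 0xE0          # bits 0x20, 0x40, 0x80 are reserved and must be zero
OS_NAMES = {0: "FAT", 1: "Amiga", 2: "VMS", 3: "Unix", 4: "VM/CMS", 5: "Atari TOS",
            6: "HPFS", 7: "Macintosh", 8: "Z-System", 9: "CP/M", 10: "TOPS-20",
            11: "NTFS", 12: "QDOS", 13: "Acorn RISCOS", 255: "unknown"}


def _cstring(buf, pos):
    """Read a NUL-terminated ISO 8859-1 string starting at pos; return (text, next_pos)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string in optional header")
    return buf[pos:end].decode("latin-1"), end + 1


def parse_gzip_header(data):
    """Parse the fixed header plus any optional headers; return a dict of fields."""
    if len(data) < 10:
        raise ValueError("too short for a gzip header")
    id1, id2, cm, flg, mtime, xfl, os_id = struct.unpack("<BBBBIBB", data[:10])
    if (id1, id2) != (0x1F, 0x8B):
        raise ValueError("bad signature %02x %02x" % (id1, id2))
    if cm != 8:
        raise ValueError("compression method %d is reserved/unsupported" % cm)
    if flg & RESERVED_FLAGS:
        raise ValueError("reserved flag bits set in 0x%02x" % flg)
    hdr = {"mtime": mtime, "xfl": xfl, "os": OS_NAMES.get(os_id, "unknown(%d)" % os_id),
           "flags": flg, "extra": None, "name": None, "comment": None, "hcrc_ok": None}
    pos = 10
    if flg & FEXTRA:                       # XLEN (2 bytes, little-endian) then XLEN bytes
        if len(data) < pos + 2:
            raise ValueError("truncated XLEN")
        (xlen,) = struct.unpack("<H", data[pos:pos + 2])
        pos += 2
        if len(data) < pos + xlen:
            raise ValueError("truncated extra field")
        hdr["extra"] = data[pos:pos + xlen]
        pos += xlen
    if flg & FNAME:
        hdr["name"], pos = _cstring(data, pos)
    if flg & FCOMMENT:
        hdr["comment"], pos = _cstring(data, pos)
    if flg & FHCRC:
        if len(data) < pos + 2:
            raise ValueError("truncated header CRC16")
        (stored,) = struct.unpack("<H", data[pos:pos + 2])
        # CRC16 = two least significant bytes of the CRC32 over every header byte before it
        hdr["hcrc_ok"] = (zlib.crc32(data[:pos]) & 0xFFFF) == stored
        pos += 2
    hdr["header_len"] = pos
    return hdr


def parse_gzip_member(data):
    """Parse one member end to end and verify the footer's CRC-32 and ISIZE."""
    hdr = parse_gzip_header(data)
    d = zlib.decompressobj(-15)            # raw DEFLATE: no zlib wrapper in a .gz body
    payload = d.decompress(data[hdr["header_len"]:])
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    trailer = d.unused_data                # bytes after the end of the DEFLATE stream
    if len(trailer) < 8:
        raise ValueError("truncated footer")
    crc32, isize = struct.unpack("<II", trailer[:8])
    hdr.update(payload=payload,
               crc_ok=(zlib.crc32(payload) & 0xFFFFFFFF) == crc32,
               isize_ok=(len(payload) & 0xFFFFFFFF) == isize)
    return hdr


def build_gzip_member(payload, name=None, comment=None, extra=None,
                      hcrc=False, mtime=0, os_id=3):
    """Construct a gzip member with the requested optional headers (test helper)."""
    flg = ((FEXTRA if extra is not None else 0) | (FNAME if name else 0)
           | (FCOMMENT if comment else 0) | (FHCRC if hcrc else 0))
    head = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, flg, mtime, 0, os_id)
    if extra is not None:
        head += struct.pack("<H", len(extra)) + extra
    if name:
        head += name.encode("latin-1") + b"\x00"
    if comment:
        head += comment.encode("latin-1") + b"\x00"
    if hcrc:
        head += struct.pack("<H", zlib.crc32(head) & 0xFFFF)
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = c.compress(payload) + c.flush()
    foot = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return head + body + foot


# Constructed sample (made-up name, comment, timestamp and extra subfield).
SAMPLE = build_gzip_member(b"hello gzip\n" * 20, name="hello.txt", comment="sample",
                           extra=b"XX\x01\x00A", hcrc=True, mtime=1385600000)

if __name__ == "__main__":
    info = parse_gzip_member(SAMPLE)
    print({k: v for k, v in info.items() if k != "payload"})
```

Everything the parser reports from the header (mtime, OS byte, file name, comment) is whatever the producer wrote, so treat those fields as claims to be corroborated rather than facts; the checks that actually bind the container to its contents are the header CRC16, when present, and the footer CRC-32 and ISIZE, which this parser verifies separately so that a mismatch in either is visible.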

External Links

  • The gzip file format (http://www.gzip.org/format.txt), by the gzip project (http://www.gzip.org/)
  • The gzip compression algorithm (http://www.gzip.org/algorithm.txt), by the gzip project (http://www.gzip.org/)
  • RFC1952: GZIP file format specification version 4.3 (http://tools.ietf.org/html/rfc1952), by IETF
  • Wikipedia: gzip (http://en.wikipedia.org/wiki/Gzip)

Category: File Formats