From Forensics Wiki
Revision as of 01:31, 28 November 2013 by Joachim Metz
The gzip file (.gz) format consists of:
- a file header
- optional extra headers, such as the original file name
- a body, containing a DEFLATE-compressed payload
- an 8-byte footer, containing a CRC-32 checksum and the length of the original uncompressed data.
The file header is 10 bytes in size and contains:
| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 2 | 0x1f 0x8b | Signature (or identification byte 1 and 2) |
| 4 | 4 | | Last modification time. Contains a POSIX timestamp. |
| 9 | 1 | | Operating system. Value that indicates on which operating system the gzip file was created. |
If compression method is 8 the following extra flags can be defined:
- 0x02 - compressor used maximum compression, slowest algorithm
- 0x04 - compressor used fastest algorithm
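The header and footer layout described above can be decoded with a short parser. This is an added example, not code from the wiki; the offsets of the compression method (2), flags (3) and extra flags (8) are taken from RFC 1952 rather than from the table above, and `parse_gzip`, `footer_matches` and `build_sample` are hypothetical names.

```python
import struct
import zlib
from datetime import datetime, timezone

# Extra-flag meanings listed above (valid when the compression method is 8).
EXTRA_FLAGS = {0x02: "maximum compression", 0x04: "fastest algorithm"}

def parse_gzip(data: bytes) -> dict:
    """Decode the fixed 10-byte header and the 8-byte footer of a gzip file."""
    if len(data) < 18:
        raise ValueError("too short to hold a gzip header and footer")
    # Little-endian: signature, method, flags, mtime, extra flags, OS.
    sig, method, flags, mtime, xfl, os_id = struct.unpack_from("<2sBBIBB", data, 0)
    if sig != b"\x1f\x8b":
        raise ValueError("not a gzip signature: %r" % sig)
    crc32, isize = struct.unpack_from("<II", data, len(data) - 8)
    return {
        "method": method,
        "flags": flags,
        # An mtime of 0 means no timestamp was recorded (RFC 1952).
        "mtime": datetime.fromtimestamp(mtime, timezone.utc) if mtime else None,
        "extra_flags": EXTRA_FLAGS.get(xfl) if method == 8 else None,
        "os": os_id,
        "crc32": crc32,
        "isize": isize,
    }

def footer_matches(info: dict, plain: bytes) -> bool:
    """Check recovered data against the footer; the length is stored modulo 2**32."""
    return (info["crc32"] == zlib.crc32(plain) & 0xFFFFFFFF
            and info["isize"] == len(plain) % 2**32)

def build_sample(payload: bytes, mtime: int) -> bytes:
    """Constructed test input: a minimal gzip member with no optional headers."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE body
    body = deflater.compress(payload) + deflater.flush()
    header = struct.pack("<2sBBIBB", b"\x1f\x8b", 8, 0, mtime, 0x02, 3)
    footer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) % 2**32)
    return header + body + footer

if __name__ == "__main__":
    sample = build_sample(b"constructed sample payload\n", 1385602260)
    for key, value in parse_gzip(sample).items():
        print(f"{key}: {value}")
```

The footer check takes the recovered data as an argument, so it can be applied to output from any decompressor, including data carved from a damaged file.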