Difference between pages "Forensic Live CD issues" and "RAR"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Root file system spoofing)
 
m
 
Line 1: Line 1:
== The problem ==
+
RAR Archives ('''R'''oshal '''AR'''chive file format) is a proprietary format for storing information created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.
  
[[Tools#Forensics_Live_CDs | Forensic Linux Live CD distributions]] are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Community-developed distributions are not exception here, unfortunately. Finally, it turns out that many forensic Linux Live CD distributions are not tested properly and there are no suitable test cases developed.
+
==Format==
 +
The file has the magic number of:
 +
<pre>0x 52 61 72 21 1A 07 00</pre>
 +
which is a break down of the following to describe an Archive Header:
 +
:* 0x6152 - HEAD_CRC
 +
:* 0x72 - HEAD_TYPE
 +
:* 0x1A21 - HEAD_FLAGS
 +
:* 0x0007 - HEAD_SIZE
  
== Another side of the problem ==
+
----
 +
===RAR File Format===
  
Another side of the problem of insufficient testing of forensic Live CD distributions is that many users do not know what happens "under the hood" of such distributions and cannot adequately test them.
+
Each Block has the following fields
 +
{| class="wikitable"
 +
|+ Block Fields
 +
! Name
 +
! Size (bytes)
 +
! Description
 +
|-
 +
| HEAD_CRC
 +
| 2
 +
| CRC of total block or block part
 +
|-
 +
| HEAD_TYPE
 +
| 1
 +
| Block type
 +
|-
 +
| HEAD_FLAGS
 +
| 2
 +
| Block flags
 +
|-
 +
| HEAD_SIZE
 +
| 2
 +
| Block size
 +
|-
 +
| ADD_SIZE
 +
| 4
 +
| Optional field - added block size
 +
|}
  
=== Example ===
+
----
 +
There are certain block types
  
For example, [http://forensiccop.blogspot.com/2009/10/forensic-cop-journal-13-2009.html ''Forensic Cop Journal'' (Volume 1(3), Oct 2009)] describes a test case when an Ext3 file system was mounted using "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e not properly unmounted) Ext3 file systems cannot be write protected using only "-o ro" mount flags (write access will be enabled during file system recovery).
+
{| class="wikitable"
 +
|+ Block Types
 +
! Head Type Signifier
 +
! Description
 +
|-
 +
| HEAD_TYPE=0x72
 +
| marker block
 +
|-
 +
| HEAD_TYPE=0x73
 +
| archive header
 +
|-
 +
| HEAD_TYPE=0x74
 +
| file header
 +
|-
 +
| HEAD_TYPE=0x75
 +
| old style comment header
 +
|-
 +
| HEAD_TYPE=0x76
 +
| old style authenticity information
 +
|-
 +
| HEAD_TYPE=0x77
 +
| old style subblock
 +
|-
 +
| HEAD_TYPE=0x78
 +
| old style recovery record
 +
|-
 +
| HEAD_TYPE=0x79
 +
| old style authenticity information
 +
|-
 +
| HEAD_TYPE=0x7a
 +
| subblock
 +
|}
  
And the question is: will many users test damaged Ext3 file system (together with testing the clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.
+
----
 +
===Block Formats===
 +
There are several block formats that are contained within a RAR file. They are Marker Block, Archive Header, and File Header.
  
== Problems ==
 
  
Here is a list of common problems of forensic Linux Live CD distributions that can be used by developers and users for testing purposes. Each problem is followed by an up to date list of distributions affected.
+
----
 +
====Marker Block (MARK_HEAD)====
  
=== Journaling file systems updates ===
+
{| class="wikitable"
 +
|+ MARK_HEAD
 +
! Field Name
 +
! Size (bytes)
 +
! Possibilities
 +
|-
 +
| HEAD_CRC
 +
| 2
 +
| Always 0x6152
 +
|-
 +
| HEAD_TYPE
 +
| 1
 +
| Header type: 0x72
 +
|-
 +
| HEAD_FLAGS
 +
| 2
 +
| Always 0x1A21
 +
|-
 +
| HEAD_SIZE
 +
| 2
 +
| Block size = 0x0007
 +
|}
  
When mounting (and unmounting) several journaling file systems with only "-o ro" mount flag a different number of data writes may occur. Here is a list of such file systems:
+
* Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 (which is seen as 'Rar!  ')
  
{| class="wikitable" border="1"
+
----
|-
+
====Archive Header (MAIN_HEAD)====
!  File system
+
!  When data writes happen
+
!  Notes
+
|-
+
|  Ext3
+
|  File system requires journal recovery
+
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
+
|-
+
|  Ext4
+
|  File system requires journal recovery
+
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
+
|-
+
|  ReiserFS
+
|  In most cases
+
|  "nolog" flag does not work (see ''man mount''). To disable journal updates: use "ro,loop" flags
+
|-
+
|  XFS
+
|  Always
+
|  "norecovery" flag does not help. To disable data writes: use "ro,loop" flags. The bug was fixed in recent 2.6 kernels.
+
|}
+
  
Incorrect mount flags can be used to mount a file system on evidentiary media during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Linux Live CD distributions mount Ext3/4 file systems on fixed media (e.g. hard drives) during execution of [http://en.wikipedia.org/wiki/Initrd ''initrd''] scripts (these scripts mount every supported file system type on every supported media type using only "-o ro" flag in order to find a root file system image).
+
{| class="wikitable"
 +
|+ MAIN_HEAD
 +
! Field Name
 +
! Size (bytes)
 +
! Description
 +
|-
 +
| HEAD_CRC
 +
| 2
 +
| CRC of fields HEAD_TYPE to RESERVED2
 +
|-
 +
| HEAD_TYPE
 +
| 1
 +
| Header Type: 0x73
 +
|-
 +
| HEAD_FLAGS
 +
| 2
 +
| Bit Flags (Please see 'Bit Flags for MAIN_HEAD' table for all possibilities).
 +
|-
 +
| HEAD_SIZE
 +
| 2
 +
| Archive header total size including archive comments
 +
|-
 +
| RESERVED1
 +
| 2
 +
| RESERVED
 +
|-
 +
| RESERVED2
 +
| 4
 +
| RESERVED
 +
|}
  
List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:
 
  
{| class="wikitable" border="1"
+
{| class="wikitable"
|-
+
|+ Bit Flags for MAIN_HEAD
! Distribution
+
! Flag (0x)
! Version
+
! Description
|-
+
|-
| Helix3
+
| 0001
| 2009R1
+
| Volume attribute (archive volume)
|-
+
|-
| SMART Linux (Ubuntu)
+
| 0002
| 2010-01-20
+
| Archive comment present RAR 3.x uses the separate comment block and does not set this flag.
|-
+
|-
| FCCU GNU/Linux Forensic Boot CD
+
| 0004
| 12.1
+
| Archive lock attribute
|-
+
|-
| SPADA
+
| 0008
| 4
+
| Solid attribute (solid archive)
|}
+
|-
 +
| 0010
 +
| New volume naming scheme ('volname.partN.rar')
 +
|-
 +
| 0020
 +
| Authenticity information present RAR 3.x does not set this flag.
 +
|-
 +
| 0040
 +
| Recovery record present
 +
|-
 +
| 0080
 +
| Block headers are encrypted
 +
|-
 +
| 0100
 +
| First volume (set only by RAR 3.0 and later)
 +
|}
 +
* Other bits in HEAD_FLAGS are reserved for internal use.
 +
----
  
=== Root file system spoofing ===
+
====File Header (File in Archive)====
 +
{| class="wikitable"
 +
|+ File Header
 +
! Field Name
 +
! Size (bytes)
 +
! Description
 +
|-
 +
| HEAD_CRC
 +
| 2
 +
| CRC of fields from HEAD_TYPE to FILEATTR and file name
 +
|-
 +
| HEAD_TYPE
 +
| 1
 +
| Header Type: 0x74
 +
|-
 +
| HEAD_FLAGS
 +
| 2
 +
| Bit Flags (Please see 'Bit Flags for File in Archive' table for all possibilities)
 +
|-
 +
| HEAD_SIZE
 +
| 2
 +
| File header full size including file name and comments
 +
|-
 +
| PACK_SIZE
 +
| 4
 +
| Compressed file size
 +
|-
 +
| UNP_SIZE
 +
| 4
 +
| Uncompressed file size
 +
|-
 +
| HOST_OS
 +
| 1
 +
| Operating system used for archiving (See the 'Operating System Indicators' table for the flags used)
 +
|-
 +
| FILE_CRC
 +
| 4
 +
| File CRC
 +
|-
 +
| FTIME
 +
| 4
 +
| Date and time in standard MS DOS format
 +
|-
 +
| UNP_VER
 +
| 1
 +
| RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)
 +
|-
 +
| METHOD
 +
| 1
 +
| Packing method (Please see 'Packing Method' table for all possibilities
 +
|-
 +
| NAME_SIZE
 +
| 2
 +
| File name size
 +
|-
 +
| ATTR
 +
| 4
 +
| File attributes
 +
|-
 +
| HIGH_PACK_SIZE
 +
| 4
 +
| High 4 bytes of 64-bit value of compressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
 +
|-
 +
| HIGH_UNP_SIZE
 +
| 4
 +
| High 4 bytes of 64-bit value of uncompressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
 +
|-
 +
| FILE_NAME
 +
| NAME_SIZE bytes
 +
| File name - string of NAME_SIZE bytes size
 +
|-
 +
| SALT
 +
| 8
 +
| present if (HEAD_FLAGS & 0x400) != 0
 +
|-
 +
| EXT_TIME
 +
| variable size
 +
| present if (HEAD_FLAGS & 0x1000) != 0
 +
|}
  
Most Ubuntu-based forensic Live CD distributions use Casper (set of scripts used to complete initialization process during early stage of boot). Casper is responsible for searching for a root file system (typically, an image of live environment) on all supported devices (because a bootloader does not pass any information about device used for booting to the kernel), mounting it and executing ''/sbin/init'' program on a mounted root file system that will continue the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements and is responsible for damaged Ext3/4 file systems recovery during the boot (see above) and root file system spoofing.
+
*other new fields may appear here.
  
Currently, Casper may select fake root file system image on evidentiary media (e.g. [[HDD]]), because there are no authenticity checks performed (except optional UUID check for a possible live file system), and this fake root file system image may be used to execute malicious code during the boot with root privileges. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.
 
  
List of Ubuntu-based distributions that allow root file system spoofing:
+
{| class="wikitable"
 +
|+ Bit Flags for Files in Archive
 +
! Flag (0x)
 +
! Description
 +
|-
 +
| 01
 +
| File continued from previous volume
 +
|-
 +
| 02
 +
| File continued in next volume
 +
|-
 +
| 04
 +
| File encrypted with password
 +
|-
 +
| 08
 +
| File comment present. RAR 3.x uses the separate comment block and does not set this flag.
 +
|-
 +
| 10
 +
| Information from previous files is used (solid flag) (for RAR 2.0 and later)
 +
|-
 +
| Dictionary bits 7 6 5 (for RAR 2.0 and later)
 +
| Please see the 'Dictionary Bits' table for this descriptions
 +
|-
 +
| 100
 +
| HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used to archive only very large files (larger than 2Gb), for smaller files these fields are absent.
 +
|-
 +
| 200
 +
| FILE_NAME contains both usual and encoded Unicode name separated by zero. In this case NAME_SIZE field is equal to the length of usual name plus encoded Unicode name plus 1. If this flag is present, but FILE_NAME does not contain zero bytes, it means that file name is encoded using UTF-8.
 +
|-
 +
| 400
 +
| The header contains additional 8 bytes after the file name, which are required to increase encryption security (so called 'salt').
 +
|-
 +
| 800
 +
| Version flag. It is an old file version, a version number is appended to file name as ';n'.
 +
|-
 +
| 1000
 +
| Extended time field present.
 +
|-
 +
| 8000
 +
| This bit always is set, so the complete block size is HEAD_SIZE + PACK_SIZE (and plus HIGH_PACK_SIZE, if bit 0x100 is set)
 +
|}
  
{| class="wikitable" border="1"
+
{| class="wikitable"
|-
+
|+Dictionary Bits
! Distribution
+
! Bits (7 6 5)
! Version
+
! Description
|-
+
! Size (KB)
| Helix3
+
|-
| 2009R1
+
| 0 0 0
|-
+
| Dictionary Size
| Helix3 Pro
+
| 64
| 2009R3
+
|-
|-
+
| 0 0 1
| CAINE
+
| Dictionary Size
| 1.5
+
| 128
|-
+
|-
| DEFT Linux
+
| 0 1 0
| 5
+
| Dictionary Size
|-
+
| 256
| Raptor
+
|-
| 20091026
+
| 0 1 1
|-
+
| Dictionary Size
| grml
+
| 512
| 2009.10
+
|-
|-
+
| 1 0 0
| BackTrack
+
| Dictionary Size
| 4
+
| 1024
|-
+
|-
| SMART Linux (Ubuntu)
+
| 1 0 1
| 2010-01-20
+
| Dictionary Size
|-
+
| 2048
| FCCU GNU/Linux Forensic Boot CD
+
|-
| 12.1
+
| 1 1 0
|}
+
| Dictionary Size
 +
| 4096
 +
|-
 +
| 1 1 1
 +
| file is a directory
 +
| N/A
 +
|}
  
Vulnerable Knoppix-based distributions include: SPADA, LinEn boot CD, BitFlare.
+
{| class="wikitable"
 +
|+ Operating System Indicators
 +
! Byte Indicator
 +
! Operating System
 +
|-
 +
| 0
 +
| MS DOS
 +
|-
 +
| 1
 +
| OS/2
 +
|-
 +
| 2
 +
| Windows
 +
|-
 +
| 3
 +
| Unix
 +
|-
 +
| 4
 +
| Mac OS
 +
|-
 +
| 5
 +
| BeOS
 +
|}
 +
----
  
=== Swap space activation ===
 
  
=== Incorrect automount policy for removable media ===
+
==Metadata==
  
=== Incorrect write-blocking approach ===
+
 
 +
 
 +
==Sub-formats==
 +
 
 +
The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:
 +
:* 1.3 (Does not have the RAR! signature)
 +
:** There is difficulty finding information regarding this sub-format. Please update if you know something.
 +
:* 1.5
 +
:** Utilizes a proprietary compression method that is not available to the public.
 +
:** Considered the root model of subsequent formats.
 +
:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
 +
:* 2.0
 +
:** Utilizes a proprietary compression method that is not available to the public.
 +
:** Based off of version 1.5 of the RAR file format.
 +
:* 3.0
 +
:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)]] algorithms.
 +
:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
 +
:** Based off of version 1.5 of the RAR file format.
 +
 
 +
 
 +
 
 +
==Software==
 +
 
 +
This only way to create a RAR file is using the [http://www.rarlab.com/ Winrar software]. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:
 +
 
 +
;unrarLib
 +
 
 +
:* RAR file unarchiver written in C
 +
:* Easy implementation with a header file and the source code file
 +
:* [http://www.unrarlib.org/ Information Link]
 +
 
 +
;WinRAR
 +
 
 +
:* Only software that can create and open a RAR file
 +
:* Distributed by a proprietary license
 +
:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]
 +
 
 +
;UnRAR
 +
 
 +
:* Created by Eugene Roshal for opening up RAR files only
 +
:* May not be used to reverse engineer the RAR file format and create RAR files
 +
:* Source code provided for people to implement/integrate methods of opening RAR files
 +
:* Additionally, implementations of UnRAR are available for a plethora of operating systems
 +
:* [http://www.rarlab.com/rar_add.htm Download Link]
 +
 
 +
;The Unarchiver
 +
 
 +
:* Utility made for Mac OSX to open a multitude of files, including RAR files
 +
:* Very handy for dealing with multiple file types
 +
:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
 +
:* [http://unarchiver.c3.cx/ Information Website]
 +
 
 +
;7-Zip
 +
 
 +
:* Utility made for Windows applications to open a multitude of files, including RAR files
 +
:* [http://www.7-zip.org/download.html Download Link]
 +
 
 +
 
 +
There is a lot more software to open RAR files, but have been omitted due to redundancy.
 +
==See Also==
 +
* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
 +
* [http://acritum.com/winrar/rar-format RAR File Format Information]
 +
* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]
 +
 
 +
[[Category:File Formats]]

Revision as of 10:21, 13 April 2012

RAR Archives (Roshal ARchive file format) is a proprietary format for storing information created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.

Format

The file has the magic number of:

0x 52 61 72 21 1A 07 00

which is a break down of the following to describe an Archive Header:

  • 0x6152 - HEAD_CRC
  • 0x72 - HEAD_TYPE
  • 0x1A21 - HEAD_FLAGS
  • 0x0007 - HEAD_SIZE

RAR File Format

Each Block has the following fields

Block Fields
Name Size (bytes) Description
HEAD_CRC 2 CRC of total block or block part
HEAD_TYPE 1 Block type
HEAD_FLAGS 2 Block flags
HEAD_SIZE 2 Block size
ADD_SIZE 4 Optional field - added block size

There are certain block types

Block Types
Head Type Signifier Description
HEAD_TYPE=0x72 marker block
HEAD_TYPE=0x73 archive header
HEAD_TYPE=0x74 file header
HEAD_TYPE=0x75 old style comment header
HEAD_TYPE=0x76 old style authenticity information
HEAD_TYPE=0x77 old style subblock
HEAD_TYPE=0x78 old style recovery record
HEAD_TYPE=0x79 old style authenticity information
HEAD_TYPE=0x7a subblock

Block Formats

There are several block formats that are contained within a RAR file. They are Marker Block, Archive Header, and File Header.



Marker Block (MARK_HEAD)

MARK_HEAD
Field Name Size (bytes) Possibilities
HEAD_CRC 2 Always 0x6152
HEAD_TYPE 1 Header type: 0x72
HEAD_FLAGS 2 Always 0x1A21
HEAD_SIZE 2 Block size = 0x0007
  • Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 (which is seen as 'Rar! ')

Archive Header (MAIN_HEAD)

MAIN_HEAD
Field Name Size (bytes) Description
HEAD_CRC 2 CRC of fields HEAD_TYPE to RESERVED2
HEAD_TYPE 1 Header Type: 0x73
HEAD_FLAGS 2 Bit Flags (Please see 'Bit Flags for MAIN_HEAD' table for all possibilities).
HEAD_SIZE 2 Archive header total size including archive comments
RESERVED1 2 RESERVED
RESERVED2 4 RESERVED


Bit Flags for MAIN_HEAD
Flag (0x) Description
0001 Volume attribute (archive volume)
0002 Archive comment present RAR 3.x uses the separate comment block and does not set this flag.
0004 Archive lock attribute
0008 Solid attribute (solid archive)
0010 New volume naming scheme ('volname.partN.rar')
0020 Authenticity information present RAR 3.x does not set this flag.
0040 Recovery record present
0080 Block headers are encrypted
0100 First volume (set only by RAR 3.0 and later)
  • Other bits in HEAD_FLAGS are reserved for internal use.

File Header (File in Archive)

File Header
Field Name Size (bytes) Description
HEAD_CRC 2 CRC of fields from HEAD_TYPE to FILEATTR and file name
HEAD_TYPE 1 Header Type: 0x74
HEAD_FLAGS 2 Bit Flags (Please see 'Bit Flags for File in Archive' table for all possibilities)
HEAD_SIZE 2 File header full size including file name and comments
PACK_SIZE 4 Compressed file size
UNP_SIZE 4 Uncompressed file size
HOST_OS 1 Operating system used for archiving (See the 'Operating System Indicators' table for the flags used)
FILE_CRC 4 File CRC
FTIME 4 Date and time in standard MS DOS format
UNP_VER 1 RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)
METHOD 1 Packing method (Please see 'Packing Method' table for all possibilities
NAME_SIZE 2 File name size
ATTR 4 File attributes
HIGH_PACK_SIZE 4 High 4 bytes of 64-bit value of compressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
HIGH_UNP_SIZE 4 High 4 bytes of 64-bit value of uncompressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
FILE_NAME NAME_SIZE bytes File name - string of NAME_SIZE bytes size
SALT 8 present if (HEAD_FLAGS & 0x400) != 0
EXT_TIME variable size present if (HEAD_FLAGS & 0x1000) != 0
  • other new fields may appear here.


Bit Flags for Files in Archive
Flag (0x) Description
01 File continued from previous volume
02 File continued in next volume
04 File encrypted with password
08 File comment present. RAR 3.x uses the separate comment block and does not set this flag.
10 Information from previous files is used (solid flag) (for RAR 2.0 and later)
Dictionary bits 7 6 5 (for RAR 2.0 and later) Please see the 'Dictionary Bits' table for this descriptions
100 HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used to archive only very large files (larger than 2Gb), for smaller files these fields are absent.
200 FILE_NAME contains both usual and encoded Unicode name separated by zero. In this case NAME_SIZE field is equal to the length of usual name plus encoded Unicode name plus 1. If this flag is present, but FILE_NAME does not contain zero bytes, it means that file name is encoded using UTF-8.
400 The header contains additional 8 bytes after the file name, which are required to increase encryption security (so called 'salt').
800 Version flag. It is an old file version, a version number is appended to file name as ';n'.
1000 Extended time field present.
8000 This bit always is set, so the complete block size is HEAD_SIZE + PACK_SIZE (and plus HIGH_PACK_SIZE, if bit 0x100 is set)
Dictionary Bits
Bits (7 6 5) Description Size (KB)
0 0 0 Dictionary Size 64
0 0 1 Dictionary Size 128
0 1 0 Dictionary Size 256
0 1 1 Dictionary Size 512
1 0 0 Dictionary Size 1024
1 0 1 Dictionary Size 2048
1 1 0 Dictionary Size 4096
1 1 1 file is a directory N/A
Operating System Indicators
Byte Indicator Operating System
0 MS DOS
1 OS/2
2 Windows
3 Unix
4 Mac OS
5 BeOS


Metadata

Sub-formats

The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:

  • 1.3 (Does not have the RAR! signature)
    • There is difficulty finding information regarding this sub-format. Please update if you know something.
  • 1.5
    • Utilizes a proprietary compression method that is not available to the public.
    • Considered the root model of subsequent formats.
    • A detailed list of information can be found here.
  • 2.0
    • Utilizes a proprietary compression method that is not available to the public.
    • Based off of version 1.5 of the RAR file format.
  • 3.0
    • Utilizes the PPMII and Lempel-Ziv (LZSS)] algorithms.
    • Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
    • Based off of version 1.5 of the RAR file format.


Software

This only way to create a RAR file is using the Winrar software. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:

unrarLib
  • RAR file unarchiver written in C
  • Easy implementation with a header file and the source code file
  • Information Link
WinRAR
UnRAR
  • Created by Eugene Roshal for opening up RAR files only
  • May not be used to reverse engineer the RAR file format and create RAR files
  • Source code provided for people to implement/integrate methods of opening RAR files
  • Additionally, implementations of UnRAR are available for a plethora of operating systems
  • Download Link
The Unarchiver
7-Zip
  • Utility made for Windows applications to open a multitude of files, including RAR files
  • Download Link


There is a lot more software to open RAR files, but have been omitted due to redundancy.

See Also