Difference between pages "Upcoming events" and "RAR"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Calls For Papers)
 
m
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
RAR Archives ('''R'''oshal '''AR'''chive file format) is a proprietary format for storing information created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
==Format==
 +
The file has the magic number of:
 +
<pre>0x 52 61 72 21 1A 07 00</pre>
 +
which is a break down of the following to describe an Archive Header:
 +
:* 0x6152 - HEAD_CRC
 +
:* 0x72 - HEAD_TYPE
 +
:* 0x1A21 - HEAD_FLAGS
 +
:* 0x0007 - HEAD_SIZE
  
This listing is divided into four sections (described as follows):<br>
+
----
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
===RAR File Format===
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv. 
+
Each Block has the following fields
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
{| class="wikitable"
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
|+ Block Fields
 +
! Name
 +
! Size (bytes)  
 +
! Description
 +
|-
 +
| HEAD_CRC
 +
| 2
 +
| CRC of total block or block part
 +
|-
 +
| HEAD_TYPE
 +
| 1
 +
| Block type
 +
|-  
 +
| HEAD_FLAGS
 +
| 2
 +
| Block flags
 +
|-
 +
| HEAD_SIZE
 +
| 2
 +
| Block size
 +
|-
 +
| ADD_SIZE
 +
| 4
 +
| Optional field - added block size
 +
|}
 +
 
 +
----
 +
There are certain block types
  
== Calls For Papers ==
+
{| class="wikitable"
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|+ Block Types
|- style="background:#bfbfbf; font-weight: bold"
+
! Head Type Signifier
! width="30%|Title
+
! Description
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
 
|-
 
|-
|Blackhat Briefings - Washington DC
+
| HEAD_TYPE=0x72
|Jan 01, 2009
+
| marker block
|Jan 16, 1009
+
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-cfp.html
+
 
|-
 
|-
|USENIX '09
+
| HEAD_TYPE=0x73
|Jan 09, 2009
+
| archive header
|Mar 13, 2009
+
|http://www.usenix.org/events/usenix09/cfp/
+
 
|-
 
|-
|Hacker Halted USA 2009
+
| HEAD_TYPE=0x74
|Jan 15, 2009
+
| file header
|Feb 15, 2009
+
|http://www.eccouncil.org/hhusa/papers/page6.html
+
 
|-
 
|-
|3rd Edition of Small Scale Digital Device Forensics Journal
+
| HEAD_TYPE=0x75
|Jan 31, 2009
+
| old style comment header
|
+
|http://www.ssddfj.org/Call.asp
+
 
|-
 
|-
|4rd International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE-2009)
+
| HEAD_TYPE=0x76
|Feb 01, 2009
+
| old style authenticity information
|
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
 
|-
 
|-
|Blackhat Briefings - Europe
+
| HEAD_TYPE=0x77
|Feb 01, 2009
+
| old style subblock
|Feb 15, 2009
+
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-cfp.html.
+
 
|-
 
|-
|Usenix Security 2009
+
| HEAD_TYPE=0x78
|Feb 04, 2009
+
| old style recovery record
|Apr 13, 2009
+
|http://www.usenix.org/events/sec09/cfp
+
 
|-
 
|-
|2009 ADFSL Conference on Digital Forensics, Security and Law
+
| HEAD_TYPE=0x79
|Feb 20, 2009
+
| old style authenticity information
|
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
 
|-
 
|-
|KDDD 2009
+
| HEAD_TYPE=0x7a
|Feb 02, 2009
+
| subblock
|Apr 10, 2009
+
|}
|http://www.sigkdd.org/kdd2009/
+
 
 +
----
 +
===Block Formats===
 +
There are several block formats that are contained within a RAR file. They are Marker Block, Archive Header, and File Header.
 +
 
 +
 
 +
----
 +
====Marker Block (MARK_HEAD)====
 +
 
 +
{| class="wikitable"
 +
|+ MARK_HEAD
 +
! Field Name
 +
! Size (bytes)
 +
! Possibilities
 
|-
 
|-
|DFRWS 2009
+
| HEAD_CRC
|Mar 16, 2009
+
| 2
|Apr 28, 2009
+
| Always 0x6152
|http://www.dfrws.org/2009/cfp.shtml
+
 
|-
 
|-
|Layer One - 2009
+
| HEAD_TYPE
|Apr 01, 2009
+
| 1
|Apr 15, 2009
+
| Header type: 0x72
|http://layerone.info/
+
 
|-
 
|-
|ACM CCS 2009
+
| HEAD_FLAGS
|Apr ?? 2009
+
| 2
|
+
| Always 0x1A21
|http://www.sigsac.org/ccs
+
 
|-
 
|-
|Usenix Lisa 2009
+
| HEAD_SIZE
|Apr 30, 2009
+
| 2
|
+
| Block size = 0x0007
|http://www.usenix.org/events/lisa09/cfp/
+
|}
 +
 
 +
* Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 (which is seen as 'Rar!  ')
 +
 
 +
----
 +
====Archive Header (MAIN_HEAD)====
 +
 
 +
{| class="wikitable"
 +
|+ MAIN_HEAD
 +
! Field Name
 +
! Size (bytes)
 +
! Description
 
|-
 
|-
|New Security Paradigms Conference 2009
+
| HEAD_CRC
|Apr ?? 2009
+
| 2
|
+
| CRC of fields HEAD_TYPE to RESERVED2
|http://www.nspw.org/current/
+
 
|-
 
|-
|IEEE Symposium on Security and Privacy 2010
+
| HEAD_TYPE
|Nov ?? 2009
+
| 1
|
+
| Header Type: 0x73
 
|-
 
|-
|ShmooCon 2010
+
| HEAD_FLAGS
|Dec ??, 2008
+
| 2
|Jan ??, 2009
+
| Bit Flags (Please see 'Bit Flags for MAIN_HEAD' table for all possibilities).
|http://www.shmoocon.org/cfp.html
+
 
|-
 
|-
|AusCERT Conference 2010
+
| HEAD_SIZE
|Dec ??, 2008
+
| 2
|Jan ??, 2009
+
| Archive header total size including archive comments
|http://conference.auscert.org.au/conf2010/cfp2010.html
+
 
|-
 
|-
 +
| RESERVED1
 +
| 2
 +
| RESERVED
 +
|-
 +
| RESERVED2
 +
| 4
 +
| RESERVED
 
|}
 
|}
  
== Conferences ==
+
 
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
{| class="wikitable"
|- style="background:#bfbfbf; font-weight: bold"
+
|+ Bit Flags for MAIN_HEAD
! width="40%"|Title
+
! Flag (0x)
! width="20%"|Date/Location
+
! Description
! width="40%"|Website
+
 
|-
 
|-
|2009 DoD Cyber Crime Conference
+
| 0001
|Jan 24-30<br>St. Louis, MO
+
| Volume attribute (archive volume)
|http://www.dodcybercrime.com/
+
 
|-
 
|-
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
| 0002
|Jan 25-28<br>Orlando, FL
+
| Archive comment present RAR 3.x uses the separate comment block and does not set this flag.
|http://www.ifip119.org/Conferences/
+
 
|-
 
|-
|ShmooCon 2009
+
| 0004
|Feb 06-08<br>Washington, DC
+
| Archive lock attribute
|http://www.shmoocon.org/
+
 
|-
 
|-
|American Academy of Forensic Sciences Annual Meeting
+
| 0008
|Feb 16-21<br>Denver, CO
+
| Solid attribute (solid archive)
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
 
|-
 
|-
|Blackhat DC
+
| 0010
|Feb 16-19<br>Washington, DC
+
| New volume naming scheme ('volname.partN.rar')
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-main.html
+
 
|-
 
|-
|24th Annual ACM Symposium on Applied Computing - Computer Forensics Track
+
| 0020
|Mar 08-12<br>Honolulu, HI
+
| Authenticity information present RAR 3.x does not set this flag.
|http://www.acm.org/conferences/sac/sac2009
+
 
|-
 
|-
|ARES 2009 Conference
+
| 0040
|Mar 16-19<br>Fukuoka, Japan
+
| Recovery record present
|http://www.ares-conference.eu/conf/
+
 
|-
 
|-
|Security Opus
+
| 0080
|Mar 17-18<br>San Francisco, CA
+
| Block headers are encrypted
|http://www.securityopus.com
+
 
|-
 
|-
|e-Crime Congress 2009
+
| 0100
|Mar 24-25<br>London, United Kingdom
+
| First volume (set only by RAR 3.0 and later)
|http://www.e-crimecongress.org/ecrime2009/
+
|}
 +
* Other bits in HEAD_FLAGS are reserved for internal use.
 +
----
 +
 
 +
====File Header (File in Archive)====
 +
{| class="wikitable"
 +
|+ File Header
 +
! Field Name
 +
! Size (bytes)
 +
! Description
 
|-
 
|-
|Blackhat Europe
+
| HEAD_CRC
|Apr 14-17<br>Amsterdam, The Netherlands
+
| 2
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html
+
| CRC of fields from HEAD_TYPE to FILEATTR and file name
 
|-
 
|-
|AusCERT2009
+
| HEAD_TYPE
|May 17-22<br>Gold Coast, Australia
+
| 1
|http://conference.auscert.org.au/conf2009/
+
| Header Type: 0x74
 
|-
 
|-
|Computer Security Institute: Security Exchange
+
| HEAD_FLAGS
|May 17-22<br>Las Vegas, NV
+
| 2
|http://www.csisx.com/
+
| Bit Flags (Please see 'Bit Flags for File in Archive' table for all possibilities)
 
|-
 
|-
|ADFSL 2009 Conference on Digital Forensics, Security and Law
+
| HEAD_SIZE
|May 20-22<br>Burlington, VT
+
| 2
|http://www.digitalforensics-conference.org
+
| File header full size including file name and comments
 
|-
 
|-
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
+
| PACK_SIZE
|May 22<br>Oakland, CA
+
| 4
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
| Compressed file size
 
|-
 
|-
|LayerOne 2009 Security Conference
+
| UNP_SIZE
|May 23-24<br>Anaheim, CA
+
| 4
|http://layerone.info/
+
| Uncompressed file size
 
|-
 
|-
|Mobile Forensics World 2009
+
| HOST_OS
|May 26-30<br>Chicago, IL
+
| 1
|http://www.mobileforensicsworld.com
+
| Operating system used for archiving (See the 'Operating System Indicators' table for the flags used)
 
|-
 
|-
|2009 Techno Security Conference
+
| FILE_CRC
|May 31-Jun 03<br>Myrtle Beach, SC
+
| 4
|http://www.techsec.com/index.html
+
| File CRC
 
|-
 
|-
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
| FTIME
|Jun 14-18<br>Dresden, Germany
+
| 4
|http://www.ieee-icc.org/2009/
+
| Date and time in standard MS DOS format
 
|-
 
|-
|Blackhat USA 2009
+
| UNP_VER
|Jul 25-30<br>Las Vegas, NV
+
| 1
|https://www.blackhat.com/
+
| RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)
 
|-
 
|-
|DefCon 17
+
| METHOD
|Jul 31-Aug 02<br>Las Vegas, NV
+
| 1
|http://www.defcon.org/
+
| Packing method (Please see 'Packing Method' table for all possibilities
 
|-
 
|-
|Usenix Security Sypmosium
+
| NAME_SIZE
|Aug 10-14<br>Montreal, Quebec, Canada
+
| 2
|http://www.usenix.org/events/sec09/
+
| File name size
 
|-
 
|-
|Digital Forensic Research Workshop
+
| ATTR
|Aug 17-19<br>Montreal, Quebec, Canada
+
| 4
|http://www.dfrws.org
+
| File attributes
 
|-
 
|-
|Triennial Meeting of the European Academy of Forensic Science
+
| HIGH_PACK_SIZE
|Sep 08-11<br>Glasgow, Scotland, UK
+
| 4
|http://www.eafs2009.com/
+
| High 4 bytes of 64-bit value of compressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
 
|-
 
|-
|Hacker Halted USA 2009
+
| HIGH_UNP_SIZE
|Sep 20-24<br>Miami, FL
+
| 4
|http://www.hackerhalted.com/usa
+
| High 4 bytes of 64-bit value of uncompressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
 
|-
 
|-
 +
| FILE_NAME
 +
| NAME_SIZE bytes
 +
| File name - string of NAME_SIZE bytes size
 +
|-
 +
| SALT
 +
| 8
 +
| present if (HEAD_FLAGS & 0x400) != 0
 +
|-
 +
| EXT_TIME
 +
| variable size
 +
| present if (HEAD_FLAGS & 0x1000) != 0
 
|}
 
|}
  
== On-going / Continuous Training ==
+
*other new fields may appear here.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
 
! width="40%"|Title
+
{| class="wikitable"
! width="20%"|Date/Location
+
|+ Bit Flags for Files in Archive
! width="40%"|Website
+
! Flag (0x)
 +
! Description
 
|-
 
|-
|- style="background:pink;align:left"
+
| 01
! DISTANCE LEARNING
+
| File continued from previous volume
 
|-
 
|-
|Basic Computer Examiner Course - Computer Forensic Training Online
+
| 02
|Distance Learning Format
+
| File continued in next volume
|http://www.cftco.com
+
 
|-
 
|-
|Linux Data Forensics Training
+
| 04
|Distance Learning Format
+
| File encrypted with password
|http://www.crazytrain.com/training.html
+
 
|-
 
|-
|SANS On-Demand Training
+
| 08
|Distance Learning Format
+
| File comment present. RAR 3.x uses the separate comment block and does not set this flag.
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
 
|-
 
|-
|- style="background:pink;align:left"
+
| 10
!RECURRING TRAINING
+
| Information from previous files is used (solid flag) (for RAR 2.0 and later)
 
|-
 
|-
|MaresWare Suite Training
+
| Dictionary bits 7 6 5 (for RAR 2.0 and later)
|First full week every month<br>Atlanta, GA
+
| Please see the 'Dictionary Bits' table for this descriptions
|http://www.maresware.com/maresware/training/maresware.htm
+
 
|-
 
|-
|Evidence Recovery for Windows Vista&trade;
+
| 100
|First full week every month<br>Brunswick, GA
+
| HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used to archive only very large files (larger than 2Gb), for smaller files these fields are absent.
|http://www.internetcrimes.net
+
 
|-
 
|-
|Evidence Recovery for Windows Server&reg; 2003 R2
+
| 200
|Second full week every month<br>Brunswick, GA
+
| FILE_NAME contains both usual and encoded Unicode name separated by zero. In this case NAME_SIZE field is equal to the length of usual name plus encoded Unicode name plus 1. If this flag is present, but FILE_NAME does not contain zero bytes, it means that file name is encoded using UTF-8.
|http://www.internetcrimes.net
+
 
|-
 
|-
|Evidence Recovery for the Windows XP&trade; operating system
+
| 400
|Third full week every month<br>Brunswick, GA
+
| The header contains additional 8 bytes after the file name, which are required to increase encryption security (so called 'salt').
|http://www.internetcrimes.net
+
 
|-
 
|-
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
| 800
|Third weekend of every month(Fri-Mon)<br>Dallas, TX
+
| Version flag. It is an old file version, a version number is appended to file name as ';n'.
|http://www.md5group.com
+
 
|-
 
|-
 +
| 1000
 +
| Extended time field present.
 +
|-
 +
| 8000
 +
| This bit always is set, so the complete block size is HEAD_SIZE + PACK_SIZE (and plus HIGH_PACK_SIZE, if bit 0x100 is set)
 
|}
 
|}
  
 +
{| class="wikitable"
 +
|+Dictionary Bits
 +
! Bits (7 6 5)
 +
! Description
 +
! Size (KB)
 +
|-
 +
| 0 0 0
 +
| Dictionary Size
 +
| 64
 +
|-
 +
| 0 0 1
 +
| Dictionary Size
 +
| 128
 +
|-
 +
| 0 1 0
 +
| Dictionary Size
 +
| 256
 +
|-
 +
| 0 1 1
 +
| Dictionary Size
 +
| 512
 +
|-
 +
| 1 0 0
 +
| Dictionary Size
 +
| 1024
 +
|-
 +
| 1 0 1
 +
| Dictionary Size
 +
| 2048
 +
|-
 +
| 1 1 0
 +
| Dictionary Size
 +
| 4096
 +
|-
 +
| 1 1 1
 +
| file is a directory
 +
| N/A
 +
|}
 +
 +
{| class="wikitable"
 +
|+ Operating System Indicators
 +
! Byte Indicator
 +
! Operating System
 +
|-
 +
| 0
 +
| MS DOS
 +
|-
 +
| 1
 +
| OS/2
 +
|-
 +
| 2
 +
| Windows
 +
|-
 +
| 3
 +
| Unix
 +
|-
 +
| 4
 +
| Mac OS
 +
|-
 +
| 5
 +
| BeOS
 +
|}
 +
----
 +
 +
 +
==Metadata==
 +
 +
 +
 +
==Sub-formats==
 +
 +
The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:
 +
:* 1.3 (Does not have the RAR! signature)
 +
:** There is difficulty finding information regarding this sub-format. Please update if you know something.
 +
:* 1.5
 +
:** Utilizes a proprietary compression method that is not available to the public.
 +
:** Considered the root model of subsequent formats.
 +
:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
 +
:* 2.0
 +
:** Utilizes a proprietary compression method that is not available to the public.
 +
:** Based off of version 1.5 of the RAR file format.
 +
:* 3.0
 +
:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)]] algorithms.
 +
:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
 +
:** Based off of version 1.5 of the RAR file format.
 +
 +
 +
 +
==Software==
 +
 +
This only way to create a RAR file is using the [http://www.rarlab.com/ Winrar software]. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:
 +
 +
;unrarLib
 +
 +
:* RAR file unarchiver written in C
 +
:* Easy implementation with a header file and the source code file
 +
:* [http://www.unrarlib.org/ Information Link]
 +
 +
;WinRAR
 +
 +
:* Only software that can create and open a RAR file
 +
:* Distributed by a proprietary license
 +
:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]
 +
 +
;UnRAR
 +
 +
:* Created by Eugene Roshal for opening up RAR files only
 +
:* May not be used to reverse engineer the RAR file format and create RAR files
 +
:* Source code provided for people to implement/integrate methods of opening RAR files
 +
:* Additionally, implementations of UnRAR are available for a plethora of operating systems
 +
:* [http://www.rarlab.com/rar_add.htm Download Link]
 +
 +
;The Unarchiver
 +
 +
:* Utility made for Mac OSX to open a multitude of files, including RAR files
 +
:* Very handy for dealing with multiple file types
 +
:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
 +
:* [http://unarchiver.c3.cx/ Information Website]
 +
 +
;7-Zip
 +
 +
:* Utility made for Windows applications to open a multitude of files, including RAR files
 +
:* [http://www.7-zip.org/download.html Download Link]
 +
 +
 +
There is a lot more software to open RAR files, but have been omitted due to redundancy.
 
==See Also==
 
==See Also==
* [[Scheduled Training Courses]]
+
* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
==References==
+
* [http://acritum.com/winrar/rar-format RAR File Format Information]
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
 
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
[[Category:File Formats]]

Revision as of 09:21, 13 April 2012

RAR Archives (Roshal ARchive file format) is a proprietary format for storing information created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.

Format

The file has the magic number of:

0x 52 61 72 21 1A 07 00

which is a break down of the following to describe an Archive Header:

  • 0x6152 - HEAD_CRC
  • 0x72 - HEAD_TYPE
  • 0x1A21 - HEAD_FLAGS
  • 0x0007 - HEAD_SIZE

RAR File Format

Each Block has the following fields

Block Fields
Name Size (bytes) Description
HEAD_CRC 2 CRC of total block or block part
HEAD_TYPE 1 Block type
HEAD_FLAGS 2 Block flags
HEAD_SIZE 2 Block size
ADD_SIZE 4 Optional field - added block size

There are certain block types

Block Types
Head Type Signifier Description
HEAD_TYPE=0x72 marker block
HEAD_TYPE=0x73 archive header
HEAD_TYPE=0x74 file header
HEAD_TYPE=0x75 old style comment header
HEAD_TYPE=0x76 old style authenticity information
HEAD_TYPE=0x77 old style subblock
HEAD_TYPE=0x78 old style recovery record
HEAD_TYPE=0x79 old style authenticity information
HEAD_TYPE=0x7a subblock

Block Formats

There are several block formats that are contained within a RAR file. They are Marker Block, Archive Header, and File Header.



Marker Block (MARK_HEAD)

MARK_HEAD
Field Name Size (bytes) Possibilities
HEAD_CRC 2 Always 0x6152
HEAD_TYPE 1 Header type: 0x72
HEAD_FLAGS 2 Always 0x1A21
HEAD_SIZE 2 Block size = 0x0007
  • Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 (which is seen as 'Rar! ')

Archive Header (MAIN_HEAD)

MAIN_HEAD
Field Name Size (bytes) Description
HEAD_CRC 2 CRC of fields HEAD_TYPE to RESERVED2
HEAD_TYPE 1 Header Type: 0x73
HEAD_FLAGS 2 Bit Flags (Please see 'Bit Flags for MAIN_HEAD' table for all possibilities).
HEAD_SIZE 2 Archive header total size including archive comments
RESERVED1 2 RESERVED
RESERVED2 4 RESERVED


Bit Flags for MAIN_HEAD
Flag (0x) Description
0001 Volume attribute (archive volume)
0002 Archive comment present RAR 3.x uses the separate comment block and does not set this flag.
0004 Archive lock attribute
0008 Solid attribute (solid archive)
0010 New volume naming scheme ('volname.partN.rar')
0020 Authenticity information present RAR 3.x does not set this flag.
0040 Recovery record present
0080 Block headers are encrypted
0100 First volume (set only by RAR 3.0 and later)
  • Other bits in HEAD_FLAGS are reserved for internal use.

File Header (File in Archive)

File Header
Field Name Size (bytes) Description
HEAD_CRC 2 CRC of fields from HEAD_TYPE to FILEATTR and file name
HEAD_TYPE 1 Header Type: 0x74
HEAD_FLAGS 2 Bit Flags (Please see 'Bit Flags for File in Archive' table for all possibilities)
HEAD_SIZE 2 File header full size including file name and comments
PACK_SIZE 4 Compressed file size
UNP_SIZE 4 Uncompressed file size
HOST_OS 1 Operating system used for archiving (See the 'Operating System Indicators' table for the flags used)
FILE_CRC 4 File CRC
FTIME 4 Date and time in standard MS DOS format
UNP_VER 1 RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)
METHOD 1 Packing method (Please see 'Packing Method' table for all possibilities
NAME_SIZE 2 File name size
ATTR 4 File attributes
HIGH_PACK_SIZE 4 High 4 bytes of 64-bit value of compressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
HIGH_UNP_SIZE 4 High 4 bytes of 64-bit value of uncompressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
FILE_NAME NAME_SIZE bytes File name - string of NAME_SIZE bytes size
SALT 8 present if (HEAD_FLAGS & 0x400) != 0
EXT_TIME variable size present if (HEAD_FLAGS & 0x1000) != 0
  • other new fields may appear here.


Bit Flags for Files in Archive
Flag (0x) Description
01 File continued from previous volume
02 File continued in next volume
04 File encrypted with password
08 File comment present. RAR 3.x uses the separate comment block and does not set this flag.
10 Information from previous files is used (solid flag) (for RAR 2.0 and later)
Dictionary bits 7 6 5 (for RAR 2.0 and later) Please see the 'Dictionary Bits' table for this descriptions
100 HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used to archive only very large files (larger than 2Gb), for smaller files these fields are absent.
200 FILE_NAME contains both usual and encoded Unicode name separated by zero. In this case NAME_SIZE field is equal to the length of usual name plus encoded Unicode name plus 1. If this flag is present, but FILE_NAME does not contain zero bytes, it means that file name is encoded using UTF-8.
400 The header contains additional 8 bytes after the file name, which are required to increase encryption security (so called 'salt').
800 Version flag. It is an old file version, a version number is appended to file name as ';n'.
1000 Extended time field present.
8000 This bit always is set, so the complete block size is HEAD_SIZE + PACK_SIZE (and plus HIGH_PACK_SIZE, if bit 0x100 is set)
Dictionary Bits
Bits (7 6 5) Description Size (KB)
0 0 0 Dictionary Size 64
0 0 1 Dictionary Size 128
0 1 0 Dictionary Size 256
0 1 1 Dictionary Size 512
1 0 0 Dictionary Size 1024
1 0 1 Dictionary Size 2048
1 1 0 Dictionary Size 4096
1 1 1 file is a directory N/A
Operating System Indicators
Byte Indicator Operating System
0 MS DOS
1 OS/2
2 Windows
3 Unix
4 Mac OS
5 BeOS


Metadata

Sub-formats

The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:

  • 1.3 (Does not have the RAR! signature)
    • There is difficulty finding information regarding this sub-format. Please update if you know something.
  • 1.5
    • Utilizes a proprietary compression method that is not available to the public.
    • Considered the root model of subsequent formats.
    • A detailed list of information can be found here.
  • 2.0
    • Utilizes a proprietary compression method that is not available to the public.
    • Based off of version 1.5 of the RAR file format.
  • 3.0
    • Utilizes the PPMII and Lempel-Ziv (LZSS)] algorithms.
    • Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
    • Based off of version 1.5 of the RAR file format.


Software

This only way to create a RAR file is using the Winrar software. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:

unrarLib
  • RAR file unarchiver written in C
  • Easy implementation with a header file and the source code file
  • Information Link
WinRAR
UnRAR
  • Created by Eugene Roshal for opening up RAR files only
  • May not be used to reverse engineer the RAR file format and create RAR files
  • Source code provided for people to implement/integrate methods of opening RAR files
  • Additionally, implementations of UnRAR are available for a plethora of operating systems
  • Download Link
The Unarchiver
7-Zip
  • Utility made for Windows applications to open a multitude of files, including RAR files
  • Download Link


There is a lot more software to open RAR files, but have been omitted due to redundancy.

See Also