Difference between pages "RAR" and "File:Places-schema.png"

From Forensics Wiki

(Maintenance script uploaded "File:Places-schema.png": Importing image file)

RAR Archives ('''R'''oshal '''AR'''chive file format) is a proprietary archive format created by Eugene Roshal. The format is currently maintained by Alexander Roshal, Eugene's brother.

File:Places-schema.png: graphical representation of the relationship between tables in the places.sqlite database file. The picture was gathered from irc.mozilla.org#places on April 15, 2008.

==Format==

The file starts with a fixed 7-byte marker block, which doubles as the magic number:

<pre>0x 52 61 72 21 1A 07 00</pre>

Read as a generic block header (all multi-byte fields are little-endian), these bytes break down into the four fields of an archive block header:

:* 0x6152 - HEAD_CRC
:* 0x72 - HEAD_TYPE
:* 0x1a21 - HEAD_FLAGS
:* 0x0007 - HEAD_SIZE

This signature identifies the RAR 1.5 to 4.x format described on this page. RAR 5.0 archives begin with a different 8-byte signature (0x 52 61 72 21 1A 07 01 00) and use a different block layout, so the field tables below do not apply to them.
 

----
===RAR File Format===

An archive is a sequence of blocks, and every block starts with the same 7-byte header. Each block has the following fields (all multi-byte values are little-endian):

{| class="wikitable"
|+ Block Fields
! Name
! Size (bytes)
! Description
|-
| HEAD_CRC
| 2
| CRC of the block header: the low 16 bits of the CRC32 computed over the bytes from HEAD_TYPE to the end of the header
|-
| HEAD_TYPE
| 1
| Block type
|-
| HEAD_FLAGS
| 2
| Block flags
|-
| HEAD_SIZE
| 2
| Block header size
|-
| ADD_SIZE
| 4
| Optional field: size of the data area that follows the header. Present only when bit 0x8000 of HEAD_FLAGS is set.
|}

Two HEAD_FLAGS bits have the same meaning for every block type:

:* 0x8000 - ADD_SIZE is present and the full block size is HEAD_SIZE + ADD_SIZE. A reader can therefore skip a block of any type, including one it does not understand, by advancing HEAD_SIZE + ADD_SIZE bytes.
:* 0x4000 - if set, older RAR versions ignore the block and drop it when the archive is updated; if clear, the block is copied into the new archive file.

----
The defined block types are:

{| class="wikitable"
|+ Block Types
! Head Type Signifier
! Description
|-
| HEAD_TYPE=0x72
| marker block
|-
| HEAD_TYPE=0x73
| archive header
|-
| HEAD_TYPE=0x74
| file header
|-
| HEAD_TYPE=0x75
| old style comment header
|-
| HEAD_TYPE=0x76
| old style authenticity information
|-
| HEAD_TYPE=0x77
| old style subblock
|-
| HEAD_TYPE=0x78
| old style recovery record
|-
| HEAD_TYPE=0x79
| old style authenticity information
|-
| HEAD_TYPE=0x7a
| subblock
|-
| HEAD_TYPE=0x7b
| terminator (end of archive) block
|}

----
===Block Formats===
The block formats described below are the Marker Block, the Archive Header and the File Header. Every archive contains the first two, and one File Header precedes the packed data of each archived file.


----
====Marker Block (MARK_HEAD)====

{| class="wikitable"
|+ MARK_HEAD
! Field Name
! Size (bytes)
! Possibilities
|-
| HEAD_CRC
| 2
| Always 0x6152
|-
| HEAD_TYPE
| 1
| Header type: 0x72
|-
| HEAD_FLAGS
| 2
| Always 0x1a21
|-
| HEAD_SIZE
| 2
| Block size = 0x0007
|}

* Note: the marker block is a fixed byte sequence (in effect, a magic number) of 0x52 0x61 0x72 0x21 0x1a 0x07 0x00, which reads as the ASCII text 'Rar!' followed by the three non-printable bytes 0x1a 0x07 0x00. A reader can identify an archive by comparing these seven bytes directly rather than by decoding them as a block.

----
====Archive Header (MAIN_HEAD)====

{| class="wikitable"
|+ MAIN_HEAD
! Field Name
! Size (bytes)
! Description
|-
| HEAD_CRC
| 2
| CRC of fields HEAD_TYPE to RESERVED2
|-
| HEAD_TYPE
| 1
| Header Type: 0x73
|-
| HEAD_FLAGS
| 2
| Bit flags (see the 'Bit Flags for MAIN_HEAD' table for all possibilities)
|-
| HEAD_SIZE
| 2
| Archive header total size including archive comments
|-
| RESERVED1
| 2
| Reserved
|-
| RESERVED2
| 4
| Reserved
|}


{| class="wikitable"
|+ Bit Flags for MAIN_HEAD
! Flag (0x)
! Description
|-
| 0001
| Volume attribute (archive volume)
|-
| 0002
| Archive comment present. RAR 3.x uses the separate comment block and does not set this flag.
|-
| 0004
| Archive lock attribute
|-
| 0008
| Solid attribute (solid archive)
|-
| 0010
| New volume naming scheme ('volname.partN.rar')
|-
| 0020
| Authenticity information present. RAR 3.x does not set this flag.
|-
| 0040
| Recovery record present
|-
| 0080
| Block headers are encrypted. Every block after the archive header, including the file headers, is encrypted with the archive password, so file names and sizes cannot be read from the archive without it.
|-
| 0100
| First volume (set only by RAR 3.0 and later)
|}
* Other bits in HEAD_FLAGS are reserved for internal use.
----

====File Header (File in Archive)====
{| class="wikitable"
|+ File Header
! Field Name
! Size (bytes)
! Description
|-
| HEAD_CRC
| 2
| CRC of fields from HEAD_TYPE to FILEATTR and file name (low 16 bits of the CRC32 over those bytes)
|-
| HEAD_TYPE
| 1
| Header Type: 0x74
|-
| HEAD_FLAGS
| 2
| Bit flags (see the 'Bit Flags for Files in Archive' table for all possibilities)
|-
| HEAD_SIZE
| 2
| File header full size including file name and comments
|-
| PACK_SIZE
| 4
| Compressed file size (low 32 bits; this is also the block's ADD_SIZE)
|-
| UNP_SIZE
| 4
| Uncompressed file size (low 32 bits)
|-
| HOST_OS
| 1
| Operating system used for archiving (see the 'Operating System Indicators' table for the values used)
|-
| FILE_CRC
| 4
| CRC32 of the uncompressed file data
|-
| FTIME
| 4
| Date and time in standard MS DOS format: the DOS date in the high 16 bits and the DOS time in the low 16 bits (2-second resolution)
|-
| UNP_VER
| 1
| RAR version needed to extract the file. The version number is encoded as 10 * major version + minor version, so 29 means version 2.9.
|-
| METHOD
| 1
| Packing method (see the 'Packing Method' table for all possibilities)
|-
| NAME_SIZE
| 2
| File name size
|-
| ATTR
| 4
| File attributes
|-
| HIGH_PACK_SIZE
| 4
| High 4 bytes of the 64-bit compressed file size. Optional: present only if bit 0x100 in HEAD_FLAGS is set.
|-
| HIGH_UNP_SIZE
| 4
| High 4 bytes of the 64-bit uncompressed file size. Optional: present only if bit 0x100 in HEAD_FLAGS is set.
|-
| FILE_NAME
| NAME_SIZE bytes
| File name: a string of NAME_SIZE bytes (see flag 0x200 for the Unicode encoding)
|-
| SALT
| 8
| Present if (HEAD_FLAGS & 0x400) != 0
|-
| EXT_TIME
| variable size
| Present if (HEAD_FLAGS & 0x1000) != 0
|}

* Other new fields may appear here.


{| class="wikitable"
|+ Bit Flags for Files in Archive
! Flag (0x)
! Description
|-
| 01
| File continued from previous volume
|-
| 02
| File continued in next volume
|-
| 04
| File encrypted with password
|-
| 08
| File comment present. RAR 3.x uses the separate comment block and does not set this flag.
|-
| 10
| Information from previous files is used (solid flag) (for RAR 2.0 and later)
|-
| E0 (bits 7 6 5)
| Dictionary size, or directory marker (for RAR 2.0 and later). See the 'Dictionary Bits' table.
|-
| 100
| HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used only for very large files (larger than 2 GB); for smaller files they are absent.
|-
| 200
| FILE_NAME contains both the usual and an encoded Unicode name, separated by a zero byte. In this case NAME_SIZE equals the length of the usual name plus the encoded Unicode name plus 1. If this flag is set but FILE_NAME contains no zero byte, the file name is encoded as UTF-8.
|-
| 400
| The header contains an additional 8 bytes after the file name, the 'salt', which is mixed into the encryption key so that two files encrypted with the same password do not share a key.
|-
| 800
| Version flag. It is an old file version; a version number is appended to the file name as ';n'.
|-
| 1000
| Extended time field present.
|-
| 8000
| This bit is always set, so the complete block size is HEAD_SIZE + PACK_SIZE (plus HIGH_PACK_SIZE as the high 32 bits, if bit 0x100 is set)
|}

{| class="wikitable"
|+ Dictionary Bits
! Bits (7 6 5)
! Meaning
|-
| 0 0 0
| 64 KB dictionary
|-
| 0 0 1
| 128 KB dictionary
|-
| 0 1 0
| 256 KB dictionary
|-
| 0 1 1
| 512 KB dictionary
|-
| 1 0 0
| 1024 KB dictionary
|-
| 1 0 1
| 2048 KB dictionary
|-
| 1 1 0
| 4096 KB dictionary
|-
| 1 1 1
| file is a directory
|}

{| class="wikitable"
|+ Packing Method
! METHOD
! Description
|-
| 0x30
| storing (no compression)
|-
| 0x31
| fastest compression
|-
| 0x32
| fast compression
|-
| 0x33
| normal compression
|-
| 0x34
| good compression
|-
| 0x35
| best compression
|}

{| class="wikitable"
|+ Operating System Indicators
! Byte Indicator
! Operating System
|-
| 0
| MS DOS
|-
| 1
| OS/2
|-
| 2
| Windows
|-
| 3
| Unix
|-
| 4
| Mac OS
|-
| 5
| BeOS
|}
----


==Metadata==



==Sub-formats==

The RAR format comprises several sub-formats that have changed over the years. The different formats and their descriptions are as follows:
:* 1.3 (does not have the Rar! signature)
:** There is difficulty finding information regarding this sub-format. Please update if you know something.
:* 1.5
:** Uses a proprietary compression method that is not available to the public.
:** Considered the root model of subsequent formats.
:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
:* 2.0
:** Uses a proprietary compression method that is not available to the public.
:** Based on version 1.5 of the RAR file format.
:* 3.0
:** Uses the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)] algorithms.
:** Encryption uses AES-128 in cipher block chaining (CBC) mode, with the key derived from the password and the 8-byte SALT stored in the file header, in place of the proprietary cipher of earlier versions. The header-encryption flag (0x0080 in MAIN_HEAD) applies the same protection to the block headers themselves.
:** Based on version 1.5 of the RAR file format.



==Software==

The only way to create a RAR file is with the [http://www.rarlab.com/ WinRAR software] (or RARLAB's command-line RAR, which is the same licensed code). There are several implementations of the process of opening a RAR file (commonly known as "unrar"). Some of them are:

;unrarLib

:* RAR file unarchiver written in C
:* Easy to integrate: a header file and a single source file
:* [http://www.unrarlib.org/ Information Link]

;WinRAR

:* The only software that can both create and open RAR files
:* Distributed under a proprietary license
:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]

;UnRAR

:* Created by Eugene Roshal for opening RAR files only
:* Its license does not permit using the source to reverse engineer the RAR compression algorithm or to create RAR files
:* Source code provided for people to implement/integrate methods of opening RAR files
:* Additionally, builds of UnRAR are available for a plethora of operating systems
:* [http://www.rarlab.com/rar_add.htm Download Link]

;The Unarchiver

:* Utility for Mac OS X that opens a multitude of archive types, including RAR files
:* Very handy for dealing with multiple file types
:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
:* [http://unarchiver.c3.cx/ Information Website]

;7-Zip

:* Utility for Windows that opens a multitude of archive types, including RAR files
:* [http://www.7-zip.org/download.html Download Link]


There is a lot more software that opens RAR files, but it has been omitted here to avoid redundancy.
==See Also==
* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
* [http://acritum.com/winrar/rar-format RAR File Format Information]
* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]

[[Category:File Formats]]

Latest revision as of 22:43, 18 March 2013
