Difference between pages "RAR" and "File:Places-schema.png"

Latest revision as of 22:43, 18 March 2013

Graphical representation of the relationship between tables in the places.sqlite database file. Picture was gathered from irc.mozilla.org#places on April 15, 2008

Difference between pages "RAR" and "File:Places-schema.png"

Latest revision as of 22:43, 18 March 2013

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox

@@ Line 1: / Line 1: @@
-RAR Archives ('''R'''oshal '''AR'''chive file format) is a proprietary format for storing information created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.
+Graphical representation of the relationship between tables in the places.sqlite database file.  Picture was gathered from irc.mozilla.org#places on April 15, 2008
-==Format==
-The file has the magic number of:
-<pre>0x 52 61 72 21 1A 07 00</pre>
-which is a break down of the following to describe an Archive Header:
-:* 0x6152 - HEAD_CRC
-:* 0x72 - HEAD_TYPE
-:* 0x1a21 - HEAD_FLAGS
-:* 0x0007 - HEAD_SIZE
-----
-===RAR File Format===
-Each Block has the following fields
-{| class="wikitable"
-|+ Block Fields
-! Name
-! Size (bytes)
-! Description
-|-
-| HEAD_CRC
-| 2
-| CRC of total block or block part
-|-
-| HEAD_TYPE
-| 1
-| Block type
-|-
-| HEAD_FLAGS
-| 2
-| Block flags
-|-
-| HEAD_SIZE
-| 2
-| Block size
-|-
-| ADD_SIZE
-| 4
-| Optional field - added block size
-|}
-----
-There are certain block types
-{| class="wikitable"
-|+ Block Types
-! Head Type Signifier
-! Description
-|-
-| HEAD_TYPE=0x72
-| marker block
-|-
-| HEAD_TYPE=0x73
-| archive header
-|-
-| HEAD_TYPE=0x74
-| file header
-|-
-| HEAD_TYPE=0x75
-| old style comment header
-|-
-| HEAD_TYPE=0x76
-| old style authenticity information
-|-
-| HEAD_TYPE=0x77
-| old style subblock
-|-
-| HEAD_TYPE=0x78
-| old style recovery record
-|-
-| HEAD_TYPE=0x79
-| old style authenticity information
-|-
-| HEAD_TYPE=0x7a
-| subblock
-|}
-----
-===Block Formats===
-There are several block formats that are contained within a RAR file. They are Marker Block, Archive Header, and File Header.
-----
-====Marker Block (MARK_HEAD)====
-{| class="wikitable"
-|+ MARK_HEAD
-! Field Name
-! Size (bytes)
-! Possibilities
-|-
-| HEAD_CRC
-| 2
-| Always 0x6152
-|-
-| HEAD_TYPE
-| 1
-| Header type: 0x72
-|-
-| HEAD_FLAGS
-| 2
-| Always 0x1a21
-|-
-| HEAD_SIZE
-| 2
-| Block size = 0x0007
-|}
-* Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00 (which is seen as 'Rar!  ')
-----
-====Archive Header (MAIN_HEAD)====
-{| class="wikitable"
-|+ MAIN_HEAD
-! Field Name
-! Size (bytes)
-! Description
-|-
-| HEAD_CRC
-| 2
-| CRC of fields HEAD_TYPE to RESERVED2
-|-
-| HEAD_TYPE
-| 1
-| Header Type: 0x73
-|-
-| HEAD_FLAGS
-| 2
-| Bit Flags (Please see 'Bit Flags for MAIN_HEAD' table for all possibilities).
-|-
-| HEAD_SIZE
-| 2
-| Archive header total size including archive comments
-|-
-| RESERVED1
-| 2
-| RESERVED
-|-
-| RESERVED2
-| 4
-| RESERVED
-|}
-{| class="wikitable"
-|+ Bit Flags for MAIN_HEAD
-! Flag (0x)
-! Description
-|-
-| 0001
-| Volume attribute (archive volume)
-|-
-| 0002
-| Archive comment present RAR 3.x uses the separate comment block and does not set this flag.
-|-
-| 0004
-| Archive lock attribute
-|-
-| 0008
-| Solid attribute (solid archive)
-|-
-| 0010
-| New volume naming scheme ('volname.partN.rar')
-|-
-| 0020
-| Authenticity information present RAR 3.x does not set this flag.
-|-
-| 0040
-| Recovery record present
-|-
-| 0080
-| Block headers are encrypted
-|-
-| 0100
-| First volume (set only by RAR 3.0 and later)
-|}
-* Other bits in HEAD_FLAGS are reserved for internal use.
-----
-====File Header (File in Archive)====
-{| class="wikitable"
-|+ File Header
-! Field Name
-! Size (bytes)
-! Description
-|-
-| HEAD_CRC
-| 2
-| CRC of fields from HEAD_TYPE to FILEATTR and file name
-|-
-| HEAD_TYPE
-| 1
-| Header Type: 0x74
-|-
-| HEAD_FLAGS
-| 2
-| Bit Flags (Please see 'Bit Flags for File in Archive' table for all possibilities)
-|-
-| HEAD_SIZE
-| 2
-| File header full size including file name and comments
-|-
-| PACK_SIZE
-| 4
-| Compressed file size
-|-
-| UNP_SIZE
-| 4
-| Uncompressed file size
-|-
-| HOST_OS
-| 1
-| Operating system used for archiving (See the 'Operating System Indicators' table for the flags used)
-|-
-| FILE_CRC
-| 4
-| File CRC
-|-
-| FTIME
-| 4
-| Date and time in standard MS DOS format
-|-
-| UNP_VER
-| 1
-| RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)
-|-
-| METHOD
-| 1
-| Packing method (Please see 'Packing Method' table for all possibilities
-|-
-| NAME_SIZE
-| 2
-| File name size
-|-
-| ATTR
-| 4
-| File attributes
-|-
-| HIGH_PACK_SIZE
-| 4
-| High 4 bytes of 64-bit value of compressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
-|-
-| HIGH_UNP_SIZE
-| 4
-| High 4 bytes of 64-bit value of uncompressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.
-|-
-| FILE_NAME
-| NAME_SIZE bytes
-| File name - string of NAME_SIZE bytes size
-|-
-| SALT
-| 8
-| present if (HEAD_FLAGS & 0x400) != 0
-|-
-| EXT_TIME
-| variable size
-| present if (HEAD_FLAGS & 0x1000) != 0
-|}
-*other new fields may appear here.
-{| class="wikitable"
-|+ Bit Flags for Files in Archive
-! Flag (0x)
-! Description
-|-
-| 01
-| File continued from previous volume
-|-
-| 02
-| File continued in next volume
-|-
-| 04
-| File encrypted with password
-|-
-| 08
-| File comment present. RAR 3.x uses the separate comment block and does not set this flag.
-|-
-| 10
-| Information from previous files is used (solid flag) (for RAR 2.0 and later)
-|-
-| Dictionary bits 7 6 5 (for RAR 2.0 and later)
-| Please see the 'Dictionary Bits' table for this descriptions
-|-
-| 100
-| HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used to archive only very large files (larger than 2Gb), for smaller files these fields are absent.
-|-
-| 200
-| FILE_NAME contains both usual and encoded Unicode name separated by zero. In this case NAME_SIZE field is equal to the length of usual name plus encoded Unicode name plus 1. If this flag is present, but FILE_NAME does not contain zero bytes, it means that file name is encoded using UTF-8.
-|-
-| 400
-| The header contains additional 8 bytes after the file name, which are required to increase encryption security (so called 'salt').
-|-
-| 800
-| Version flag. It is an old file version, a version number is appended to file name as ';n'.
-|-
-| 1000
-| Extended time field present.
-|-
-| 8000
-| This bit always is set, so the complete block size is HEAD_SIZE + PACK_SIZE (and plus HIGH_PACK_SIZE, if bit 0x100 is set)
-|}
-{| class="wikitable"
-|+Dictionary Bits
-! Bits (7 6 5)
-! Description
-! Size (KB)
-|-
-| 0 0 0
-| Dictionary Size
-| 64
-|-
-| 0 0 1
-| Dictionary Size
-| 128
-|-
-| 0 1 0
-| Dictionary Size
-| 256
-|-
-| 0 1 1
-| Dictionary Size
-| 512
-|-
-| 1 0 0
-| Dictionary Size
-| 1024
-|-
-| 1 0 1
-| Dictionary Size
-| 2048
-|-
-| 1 1 0
-| Dictionary Size
-| 4096
-|-
-| 1 1 1
-| file is a directory
-| N/A
-|}
-{| class="wikitable"
-|+ Operating System Indicators
-! Byte Indicator
-! Operating System
-|-
-| 0
-| MS DOS
-|-
-| 1
-| OS/2
-|-
-| 2
-| Windows
-|-
-| 3
-| Unix
-|-
-| 4
-| Mac OS
-|-
-| 5
-| BeOS
-|}
-----
-==Metadata==
-==Sub-formats==
-The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:
-:* 1.3 (Does not have the RAR! signature)
-:** There is difficulty finding information regarding this sub-format. Please update if you know something.
-:* 1.5
-:** Utilizes a proprietary compression method that is not available to the public.
-:** Considered the root model of subsequent formats.
-:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
-:* 2.0
-:** Utilizes a proprietary compression method that is not available to the public.
-:** Based off of version 1.5 of the RAR file format.
-:* 3.0
-:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)]] algorithms.
-:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
-:** Based off of version 1.5 of the RAR file format.
-==Software==
-This only way to create a RAR file is using the [http://www.rarlab.com/ Winrar software]. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:
-;unrarLib
-:* RAR file unarchiver written in C
-:* Easy implementation with a header file and the source code file
-:* [http://www.unrarlib.org/ Information Link]
-;WinRAR
-:* Only software that can create and open a RAR file
-:* Distributed by a proprietary license
-:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]
-;UnRAR
-:* Created by Eugene Roshal for opening up RAR files only
-:* May not be used to reverse engineer the RAR file format and create RAR files
-:* Source code provided for people to implement/integrate methods of opening RAR files
-:* Additionally, implementations of UnRAR are available for a plethora of operating systems
-:* [http://www.rarlab.com/rar_add.htm Download Link]
-;The Unarchiver
-:* Utility made for Mac OSX to open a multitude of files, including RAR files
-:* Very handy for dealing with multiple file types
-:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
-:* [http://unarchiver.c3.cx/ Information Website]
-;7-Zip
-:* Utility made for Windows applications to open a multitude of files, including RAR files
-:* [http://www.7-zip.org/download.html Download Link]
-There is a lot more software to open RAR files, but have been omitted due to redundancy.
-==See Also==
-* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
-* [http://acritum.com/winrar/rar-format RAR File Format Information]
-* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]
-[[Category:File Formats]]