Difference between pages "RAR" and "File:ABCExportSelectAll.JPG"

From ForensicsWiki
RAR ('''R'''oshal '''AR'''chive) is a proprietary archive file format created by Eugene Roshal. The format is currently maintained by Alexander Roshal, Eugene's brother.
 
  
==Format==
 
The file begins with the magic number:
 
<pre>0x 52 61 72 21 1A 07 00</pre>
 
which breaks down into the following block header fields (multi-byte fields are stored little-endian):
 
:* 0x6152 - HEAD_CRC
 
:* 0x72 - HEAD_TYPE
 
:* 0x1a21 - HEAD_FLAGS
 
:* 0x0007 - HEAD_SIZE
 
 
----
 
===RAR File Format===
 
 
Each block has the following fields:
 
{| class="wikitable"
 
|+ Block Fields
 
! Name
 
! Size (bytes)
 
! Description
 
|-
 
| HEAD_CRC
 
| 2
 
| CRC of total block or block part
 
|-
 
| HEAD_TYPE
 
| 1
 
| Block type
 
|-
 
| HEAD_FLAGS
 
| 2
 
| Block flags
 
|-
 
| HEAD_SIZE
 
| 2
 
| Block size
 
|-
 
| ADD_SIZE
 
| 4
 
| Optional field: added block size
 
|}
 
 
----
 
The defined block types are:
 
 
{| class="wikitable"
 
|+ Block Types
 
! Head Type Signifier
 
! Description
 
|-
 
| HEAD_TYPE=0x72
 
| marker block
 
|-
 
| HEAD_TYPE=0x73
 
| archive header
 
|-
 
| HEAD_TYPE=0x74
 
| file header
 
|-
 
| HEAD_TYPE=0x75
 
| old style comment header
 
|-
 
| HEAD_TYPE=0x76
 
| old style authenticity information
 
|-
 
| HEAD_TYPE=0x77
 
| old style subblock
 
|-
 
| HEAD_TYPE=0x78
 
| old style recovery record
 
|-
 
| HEAD_TYPE=0x79
 
| old style authenticity information
 
|-
 
| HEAD_TYPE=0x7a
 
| subblock
 
|}
 
 
----
 
===Block Formats===
 
Several block formats are contained within a RAR file. The main ones are the Marker Block, the Archive Header, and the File Header.
 
 
 
----
 
====Marker Block (MARK_HEAD)====
 
 
{| class="wikitable"
 
|+ MARK_HEAD
 
! Field Name
 
! Size (bytes)
 
! Possibilities
 
|-
 
| HEAD_CRC
 
| 2
 
| Always 0x6152
 
|-
 
| HEAD_TYPE
 
| 1
 
| Header type: 0x72
 
|-
 
| HEAD_FLAGS
 
| 2
 
| Always 0x1a21
 
|-
 
| HEAD_SIZE
 
| 2
 
| Block size = 0x0007
 
|}
 
 
* Note: the marker block is a fixed byte sequence (i.e. the magic number) 0x52 0x61 0x72 0x21 0x1a 0x07 0x00, which appears as the ASCII text 'Rar!' followed by the bytes 0x1a 0x07 0x00.
 
 
----
 
====Archive Header (MAIN_HEAD)====
 
 
{| class="wikitable"
 
|+ MAIN_HEAD
 
! Field Name
 
! Size (bytes)
 
! Description
 
|-
 
| HEAD_CRC
 
| 2
 
| CRC of fields HEAD_TYPE to RESERVED2
 
|-
 
| HEAD_TYPE
 
| 1
 
| Header Type: 0x73
 
|-
 
| HEAD_FLAGS
 
| 2
 
| Bit Flags (Please see 'Bit Flags for MAIN_HEAD' table for all possibilities).
 
|-
 
| HEAD_SIZE
 
| 2
 
| Archive header total size including archive comments
 
|-
 
| RESERVED1
 
| 2
 
| RESERVED
 
|-
 
| RESERVED2
 
| 4
 
| RESERVED
 
|}
 
 
 
{| class="wikitable"
 
|+ Bit Flags for MAIN_HEAD
 
! Flag (0x)
 
! Description
 
|-
 
| 0001
 
| Volume attribute (archive volume)
 
|-
 
| 0002
 
| Archive comment present. RAR 3.x uses the separate comment block and does not set this flag.
 
|-
 
| 0004
 
| Archive lock attribute
 
|-
 
| 0008
 
| Solid attribute (solid archive)
 
|-
 
| 0010
 
| New volume naming scheme ('volname.partN.rar')
 
|-
 
| 0020
 
| Authenticity information present. RAR 3.x does not set this flag.
 
|-
 
| 0040
 
| Recovery record present
 
|-
 
| 0080
 
| Block headers are encrypted
 
|-
 
| 0100
 
| First volume (set only by RAR 3.0 and later)
 
|}
 
* Other bits in HEAD_FLAGS are reserved for internal use.
 
----
 
 
====File Header (File in Archive)====
 
{| class="wikitable"
 
|+ File Header
 
! Field Name
 
! Size (bytes)
 
! Description
 
|-
 
| HEAD_CRC
 
| 2
 
| CRC of fields from HEAD_TYPE to FILEATTR and file name
 
|-
 
| HEAD_TYPE
 
| 1
 
| Header Type: 0x74
 
|-
 
| HEAD_FLAGS
 
| 2
 
| Bit Flags (Please see 'Bit Flags for File in Archive' table for all possibilities)
 
|-
 
| HEAD_SIZE
 
| 2
 
| File header full size including file name and comments
 
|-
 
| PACK_SIZE
 
| 4
 
| Compressed file size
 
|-
 
| UNP_SIZE
 
| 4
 
| Uncompressed file size
 
|-
 
| HOST_OS
 
| 1
 
| Operating system used for archiving (see the 'Operating System Indicators' table for the values used)
 
|-
 
| FILE_CRC
 
| 4
 
| File CRC
 
|-
 
| FTIME
 
| 4
 
| Date and time in standard MS DOS format
 
|-
 
| UNP_VER
 
| 1
 
| RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)
 
|-
 
| METHOD
 
| 1
 
| Packing method (please see the 'Packing Method' table for all possibilities)
 
|-
 
| NAME_SIZE
 
| 2
 
| File name size
 
|-
 
| ATTR
 
| 4
 
| File attributes
 
|-
 
| HIGH_PACK_SIZE
 
| 4
 
| High 4 bytes of the 64-bit compressed file size. Optional value, present only if bit 0x100 in HEAD_FLAGS is set.
 
|-
 
| HIGH_UNP_SIZE
 
| 4
 
| High 4 bytes of the 64-bit uncompressed file size. Optional value, present only if bit 0x100 in HEAD_FLAGS is set.
 
|-
 
| FILE_NAME
 
| NAME_SIZE bytes
 
| File name (string of NAME_SIZE bytes)
 
|-
 
| SALT
 
| 8
 
| present if (HEAD_FLAGS & 0x400) != 0
 
|-
 
| EXT_TIME
 
| variable size
 
| present if (HEAD_FLAGS & 0x1000) != 0
 
|}
 
 
* Other new fields may appear here.
 
 
 
{| class="wikitable"
 
|+ Bit Flags for Files in Archive
 
! Flag (0x)
 
! Description
 
|-
 
| 01
 
| File continued from previous volume
 
|-
 
| 02
 
| File continued in next volume
 
|-
 
| 04
 
| File encrypted with password
 
|-
 
| 08
 
| File comment present. RAR 3.x uses the separate comment block and does not set this flag.
 
|-
 
| 10
 
| Information from previous files is used (solid flag) (for RAR 2.0 and later)
 
|-
 
| Dictionary bits 7 6 5 (for RAR 2.0 and later)

| Please see the 'Dictionary Bits' table for their meaning
 
|-
 
| 100
 
| HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used only when archiving very large files (larger than 2 GB); for smaller files they are absent.
 
|-
 
| 200
 
| FILE_NAME contains both the usual name and the encoded Unicode name, separated by a zero byte. In this case the NAME_SIZE field equals the length of the usual name plus the encoded Unicode name plus 1. If this flag is set but FILE_NAME contains no zero byte, the file name is encoded as UTF-8.
 
|-
 
| 400
 
| The header contains an additional 8 bytes after the file name, used to strengthen the encryption (the so-called 'salt').
 
|-
 
| 800
 
| Version flag: the entry is an old file version; a version number is appended to the file name as ';n'.
 
|-
 
| 1000
 
| Extended time field present.
 
|-
 
| 8000
 
| This bit is always set, so the complete block size is HEAD_SIZE + PACK_SIZE (plus HIGH_PACK_SIZE, if bit 0x100 is set)
 
|}
 
 
{| class="wikitable"
 
|+Dictionary Bits
 
! Bits (7 6 5)
 
! Description
 
! Size (KB)
 
|-
 
| 0 0 0
 
| Dictionary Size
 
| 64
 
|-
 
| 0 0 1
 
| Dictionary Size
 
| 128
 
|-
 
| 0 1 0
 
| Dictionary Size
 
| 256
 
|-
 
| 0 1 1
 
| Dictionary Size
 
| 512
 
|-
 
| 1 0 0
 
| Dictionary Size
 
| 1024
 
|-
 
| 1 0 1
 
| Dictionary Size
 
| 2048
 
|-
 
| 1 1 0
 
| Dictionary Size
 
| 4096
 
|-
 
| 1 1 1
 
| file is a directory
 
| N/A
 
|}
 
 
{| class="wikitable"
 
|+ Operating System Indicators
 
! Byte Indicator
 
! Operating System
 
|-
 
| 0
 
| MS DOS
 
|-
 
| 1
 
| OS/2
 
|-
 
| 2
 
| Windows
 
|-
 
| 3
 
| Unix
 
|-
 
| 4
 
| Mac OS
 
|-
 
| 5
 
| BeOS
 
|}
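As an added worked example (not code from the ForensicsWiki page or from RARLAB), the following Python walks the block chain described above: it locates each header from HEAD_SIZE plus ADD_SIZE/PACK_SIZE, decodes the file header fields and flag bits from the tables, and checks HEAD_CRC. The CRC rule (low 16 bits of CRC32 over the header bytes after HEAD_CRC), the METHOD value 0x30 for a stored file and the sample archive built in the code are assumptions not stated on the page.

```python
import struct
import zlib

RAR_MAGIC = b"Rar!\x1a\x07\x00"  # marker block bytes 52 61 72 21 1A 07 00
HEAD_TYPES = {0x72: "marker", 0x73: "archive", 0x74: "file", 0x75: "old comment", 0x76: "old auth",
              0x77: "old subblock", 0x78: "old recovery", 0x79: "old auth", 0x7A: "subblock"}
HOST_OS = {0: "MS DOS", 1: "OS/2", 2: "Windows", 3: "Unix", 4: "Mac OS", 5: "BeOS"}
FILE_FIELDS = "<IIBIIBBHI"  # PACK_SIZE .. ATTR: the 25 bytes after HEAD_SIZE in a file header

def parse_blocks(data):
    """Yield one dict per block of a RAR 2.x/3.x archive. HEAD_CRC is checked as the
    low 16 bits of CRC32 over the bytes after it (unrar's rule; not stated on the page)."""
    if data[:7] != RAR_MAGIC:
        raise ValueError("marker block missing: not a RAR 2.x/3.x archive")
    pos = 0
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < (32 if head_type == 0x74 else 7) or pos + head_size > len(data):
            raise ValueError(f"bad HEAD_SIZE {head_size} at offset {pos}")
        block = {"offset": pos, "type": HEAD_TYPES.get(head_type, "unknown"),
                 "head_crc": head_crc, "flags": flags, "head_size": head_size}
        if head_type != 0x72:  # the marker is a fixed signature, nothing to verify
            block["crc_ok"] = (zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF) == head_crc
        # Flag 0x8000: ADD_SIZE follows HEAD_SIZE; in a file header that field is PACK_SIZE
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        if head_type == 0x74:
            (pack, unp, host, fcrc, _ftime, ver, method,
             name_size, attr) = struct.unpack_from(FILE_FIELDS, data, pos + 7)
            name_off = pos + 32
            if flags & 0x100:  # HIGH_PACK_SIZE and HIGH_UNP_SIZE present (very large files)
                high_pack, high_unp = struct.unpack_from("<II", data, name_off)
                pack, unp, name_off = pack | high_pack << 32, unp | high_unp << 32, name_off + 8
                add_size = pack
            block.update(pack_size=pack, unp_size=unp, host_os=HOST_OS.get(host, "unknown"),
                         file_crc=fcrc, unp_ver=ver, method=method, attr=attr,
                         name=data[name_off:name_off + name_size].decode("latin-1"))
        block["add_size"] = add_size
        yield block
        pos += head_size + add_size  # the next header starts after this header and its data

def build_header(head_type, flags, body):
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body  # HEAD_TYPE/FLAGS/SIZE + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest  # prepend a correct HEAD_CRC

def build_sample_archive(name=b"hello.txt", payload=b"hello rar"):
    """Constructed sample: marker, MAIN_HEAD, one stored file (METHOD 0x30, UNP_VER 29)."""
    main_head = build_header(0x73, 0x0000, b"\x00" * 6)  # RESERVED1 (2) + RESERVED2 (4)
    fields = struct.pack(FILE_FIELDS, len(payload), len(payload), 2, zlib.crc32(payload),
                         0, 29, 0x30, len(name), 0x20)  # HOST_OS 2 = Windows, ATTR = archive bit
    return RAR_MAGIC + main_head + build_header(0x74, 0x8000, fields + name) + payload
```

Flipping a single byte of a file name in the sample makes `crc_ok` go false for that header while the block chain still walks correctly, which is the check a carver wants when deciding whether a recovered header is trustworthy.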
 
----
 
 
 
==Metadata==
 
 
 
 
==Sub-formats==
 
 
The RAR format comprises several sub-formats (versions) that have changed over the years. The different formats and their descriptions are as follows:

:* 1.3 (does not have the 'Rar!' signature)

:** Little information is available about this sub-format. Please update if you know something.
 
:* 1.5
 
:** Utilizes a proprietary compression method that is not available to the public.
 
:** Considered the root model of subsequent formats.
 
:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
 
:* 2.0
 
:** Utilizes a proprietary compression method that is not available to the public.
 
:** Based on version 1.5 of the RAR file format.
 
:* 3.0
 
:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)] algorithms.
 
:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
 
:** Based on version 1.5 of the RAR file format.
 
 
 
 
==Software==
 
 
The only way to create a RAR file is with the [http://www.rarlab.com/ WinRAR software]. There are several implementations of the process for opening a RAR file (commonly known as the "unrar" process). Some of them are:
 
 
;unrarLib
 
 
:* RAR file unarchiver written in C
 
:* Easy implementation with a header file and the source code file
 
:* [http://www.unrarlib.org/ Information Link]
 
 
;WinRAR
 
 
:* Only software that can create and open a RAR file
 
:* Distributed under a proprietary license
 
:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]
 
 
;UnRAR
 
 
:* Created by Eugene Roshal for opening RAR files only
 
:* May not be used to reverse engineer the RAR file format and create RAR files
 
:* Source code is provided so that others can implement/integrate methods of opening RAR files
 
:* Additionally, implementations of UnRAR are available for many operating systems
 
:* [http://www.rarlab.com/rar_add.htm Download Link]
 
 
;The Unarchiver
 
 
:* Utility for Mac OS X that opens a multitude of file types, including RAR files
 
:* Very handy for dealing with multiple file types
 
:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
 
:* [http://unarchiver.c3.cx/ Information Website]
 
 
;7-Zip
 
 
:* Utility for Windows that opens a multitude of file types, including RAR files
 
:* [http://www.7-zip.org/download.html Download Link]
 
 
 
Many other programs can open RAR files, but they have been omitted here as redundant.
 
==See Also==
 
* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
 
* [http://acritum.com/winrar/rar-format RAR File Format Information]
 
* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]
 
 
[[Category:File Formats]]
 

Latest revision as of 23:43, 18 March 2013