Difference between pages "Oxygen Forensic Suite 2013" and "Gzip"

From Forensics Wiki

Oxygen Forensic Suite 2013

Current version
Version Number: 5.4
Date Released: 12 November 2013

Recent changes
  • Support for Apple iPad Air, iPad Mini with Retina display
  • Extract data from passcode-locked iOS devices
  • Android analysis: physical dump, backup or OxyAgent utility approach
  • Analytical tasks button that allows performing common analytical tasks
  • Ability to view device usage activity and find the most active days

Screenshots
  • Device summary
  • Phone Activity
  • Geo event positioning data
  • Camera shots with Geo data
  • Communication Statistics
  • Deleted data recovery
  • Sample report
  • More screenshots: http://www.oxygen-forensic.com/en/screenshots/

Oxygen Forensic Suite 2013 is mobile forensic software for logical analysis of cell phones, smartphones and PDAs, developed by Oxygen Software. The suite can extract device information, contacts, calendar events, SMS messages, event logs, and files. In addition, the vendor claims the suite can extract metadata related to the above. As of October 2013 the suite supported more than 6,950 devices, including Nokia, the Apple iPhone series, Apple iPod Touch, Apple iPad, Vertu, Sony Ericsson, Samsung, Motorola, BlackBerry, Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate, Chinese (Mediatek) phones and other mobile phones. The suite also supports devices running Symbian OS, Windows Mobile 5/6, Microsoft Windows Phone 8 and Android.

Forensic Soundness

The suite accesses devices using advanced proprietary protocols. Some devices, such as smartphones, require an agent to be installed on the device. Installing software onto the device being examined can be regarded as affecting the forensic soundness of the investigation. But as not much information is obtainable by other means, and the impact is documented, the evidence may still be admissible under the Best Evidence Rule.

External Links
  • Official web site: http://www.oxygen-forensic.com/

Categories: Mobile device tools, Windows Mobile, Tools

Gzip

Revision as of 01:43, 28 November 2013

File format

The gzip file (.gz) format consists of:

  • a file header
  • optional extra headers, such as the original file name,
  • a body, containing a DEFLATE-compressed payload
  • an 8-byte footer, containing a CRC-32 checksum and the length of the original uncompressed data.

File header

The file header is 10 bytes in size and contains:

Offset  Size  Value      Description
------  ----  ---------  ------------------------------------------------------------------
0       2     0x1f 0x8b  Signature (identification bytes 1 and 2)
2       1                Compression method
3       1                Flags
4       4                Last modification time; contains a POSIX timestamp
8       1                Extra flags
9       1                Operating system; indicates on which operating system the gzip file was created

Compression method

Value  Identifier  Description
-----  ----------  --------------------
0 - 7              Reserved
8      "deflate"   zlib compressed data

Flags

Value  Identifier  Description
-----  ----------  --------------------------------------------
0x01   FTEXT
0x02   FHCRC
0x04   FEXTRA
0x08   FNAME       The file contains an original file name string.
0x10   FCOMMENT
0x20               Reserved
0x40               Reserved
0x80               Reserved

Extra flags

If the compression method is 8 ("deflate"), the following extra flags can be set:

Value  Identifier  Description
-----  ----------  -----------------------------------------------------
0x02               Compressor used maximum compression (slowest algorithm)
0x04               Compressor used the fastest algorithm

Operating System

Value  Identifier  Description
-----  ----------  --------------------------------------
0                  FAT filesystem (MS-DOS, OS/2, NT/Win32)
1                  Amiga
2                  VMS (or OpenVMS)
3                  Unix
4                  VM/CMS
5                  Atari TOS
6                  HPFS filesystem (OS/2, NT)
7                  Macintosh
8                  Z-System
9                  CP/M
10                 TOPS-20
11                 NTFS filesystem (NT)
12                 QDOS
13                 Acorn RISCOS
255                unknown
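
As an added example (not code from this Forensics Wiki page or from the gzip project), the following Python script walks a .gz file in the order the tables above describe: the 10-byte header, the optional FEXTRA/FNAME/FCOMMENT/FHCRC fields, the raw DEFLATE body, and the 8-byte CRC-32/ISIZE footer, and reports whether the footer agrees with the decompressed data and whether any bytes trail it. The OS_NAMES mapping is a subset of the operating-system table above; the sample files are constructed inline with Python's gzip module.

```python
import gzip, io, struct, zlib

OS_NAMES = {0: "FAT", 3: "Unix", 7: "Macintosh", 11: "NTFS", 255: "unknown"}  # subset of the OS table

def parse_gzip(data: bytes) -> dict:
    """Walk header, optional fields, DEFLATE body and footer; report integrity checks."""
    if len(data) < 18 or data[:2] != b"\x1f\x8b":
        raise ValueError("bad signature or file too short")
    cm, flg, mtime, xfl, os_id = struct.unpack_from("<BBIBB", data, 2)  # header bytes 2..9
    if cm != 8:
        raise ValueError(f"compression method {cm} is reserved; only 8 (deflate) is defined")
    info = {"flags": flg, "mtime": mtime, "xfl": xfl, "os": OS_NAMES.get(os_id, f"other({os_id})")}
    pos = 10
    if flg & 0x04:  # FEXTRA: 2-byte little-endian XLEN followed by XLEN bytes
        xlen = struct.unpack_from("<H", data, pos)[0]
        info["extra"] = data[pos + 2:pos + 2 + xlen]
        pos += 2 + xlen
    for bit, key in ((0x08, "name"), (0x10, "comment")):  # FNAME / FCOMMENT: NUL-terminated latin-1
        if flg & bit:
            end = data.index(b"\x00", pos)
            info[key] = data[pos:end].decode("latin-1")
            pos = end + 1
    if flg & 0x02:  # FHCRC: low 16 bits of CRC-32 over all header bytes before it
        if struct.unpack_from("<H", data, pos)[0] != (zlib.crc32(data[:pos]) & 0xFFFF):
            raise ValueError("header CRC16 mismatch")
        pos += 2
    d = zlib.decompressobj(wbits=-15)          # raw DEFLATE stream, no zlib wrapper
    payload = d.decompress(data[pos:])
    if not d.eof or len(d.unused_data) < 8:
        raise ValueError("truncated DEFLATE stream or footer")
    crc32, isize = struct.unpack("<II", d.unused_data[:8])  # footer: CRC-32, then ISIZE mod 2^32
    info["crc_ok"] = crc32 == zlib.crc32(payload)
    info["isize_ok"] = isize == (len(payload) & 0xFFFFFFFF)
    info["trailing_bytes"] = len(d.unused_data) - 8  # anything after the footer
    info["payload"] = payload
    return info

def make_sample() -> bytes:
    """Constructed sample: a .gz with FNAME set, written by Python's gzip module."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="notes.txt", mode="wb", fileobj=buf, mtime=1385600000) as gz:
        gz.write(b"hello gzip " * 20)
    return buf.getvalue()

def tampered_sample() -> bytes:
    """Constructed: same file with ISIZE zeroed and three junk bytes appended after the footer."""
    return make_sample()[:-4] + b"\x00\x00\x00\x00" + b"XYZ"
```

The footer CRC-32 and ISIZE are the only integrity data the format carries, so a mismatch or non-zero trailing byte count is worth recording during an examination rather than silently accepting what gunzip recovers.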

External Links

  • The gzip file format, by the gzip project: http://www.gzip.org/format.txt
  • The gzip compression algorithm, by the gzip project: http://www.gzip.org/algorithm.txt
  • RFC1952: GZIP file format specification version 4.3, by IETF: http://tools.ietf.org/html/rfc1952
  • Wikipedia: gzip: http://en.wikipedia.org/wiki/Gzip

Category: File Formats