Difference between pages "OLE Compound File" and "Gzip"

From ForensicsWiki

= OLE Compound File =

The '''Object Linking and Embedding (OLE) Compound File (CF)''' is used in other file formats as its underlying container file.
It allows data to be stored in multiple streams.

The OLECF is also known as:
* Compound Binary File (current name used by [[Microsoft]])
* Compound Document File (name used by [[OpenOffice]])
* OLE2 file

== MIME types ==

Because the OLECF by itself is just a container, it does not use a MIME type.
A MIME type assigned to an OLECF refers to its contents.

== File signature ==

The OLECF has the following file signature (as a hexadecimal byte sequence):
<pre>
d0 cf 11 e0 a1 b1 1a e1
</pre>

For an earlier beta version of the format the following signature was used:
<pre>
0e 11 fc 0d d0 cf 11 0e
</pre>

The OLECF has no distinct footer.

== Contents ==

The OLECF uses a FAT-like file system to define the blocks that are assigned to each stream, using multiple allocation tables.
It uses a directory structure to define the names of the streams.

The OLECF is used to store:
* [[Microsoft Office]] 97-2003 documents:
** [[Word Document (DOC)]]
** [[Excel Spreadsheet (XLS)]]
** [[Powerpoint Presentation (PPT)]]
* MSN (Toolbar) (C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\MSNe\msninfo.dat)
* [[Jump Lists]]
* StickyNotes.snt
* [[Thumbs.db]]
* Windows Installer (.msi) and patch file (.msp)
* Windows Search (srchadm.msc)

== External Links ==
* [http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/WindowsCompoundBinaryFileFormatSpecification.pdf Compound Binary File Specification], by [[Microsoft]]. Be warned that this file contains at least one error: the directory entry name length is a size in bytes, not in characters.
* [http://msdn.microsoft.com/en-us/library/dd942138.aspx MS-CFB: Compound File Binary File Format], by [[Microsoft]]
* [http://www.openoffice.org/sc/compdocfileformat.pdf Microsoft Compound Document File Format], by OpenOffice.org
* [https://googledrive.com/host/0B3fBvzttpiiSS0hEb0pjU2h6a2c/OLE%20Compound%20File%20format.pdf OLE Compound File format specification], by the [[libolecf|libolecf project]]

== Tools ==
* [[libolecf]]
* [http://www.mitec.cz/ssv.html MiTec Structured Storage Viewer]

[[Category:File Formats]]

= Gzip =

Revision as of 02:44, 28 November 2013

{{expand}}

== File format ==

The gzip file (.gz) format consists of:
* a file header
* optional extra headers, such as the original file name,
* a body, containing a DEFLATE-compressed payload
* an 8-byte footer, containing a CRC-32 checksum and the length of the original uncompressed data.

=== File header ===

The file header is 10 bytes in size and contains:

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 2
| 0x1f 0x8b
| Signature (or identification byte 1 and 2)
|-
| 2
| 1
|
| Compression Method
|-
| 3
| 1
|
| Flags
|-
| 4
| 4
|
| Last modification time <br> Contains a POSIX timestamp.
|-
| 8
| 1
|
| Extra flags
|-
| 9
| 1
|
| Operating system <br> Value that indicates on which operating system the gzip file was created.
|}

==== Compression method ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0 - 7
|
| Reserved
|-
| 8
| "deflate"
| DEFLATE (zlib) compressed data
|}

==== Flags ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x01
| FTEXT
|
|-
| 0x02
| FHCRC
|
|-
| 0x04
| FEXTRA
|
|-
| 0x08
| FNAME
| The file contains an original file name string
|-
| 0x10
| FCOMMENT
|
|-
| 0x20
|
| Reserved
|-
| 0x40
|
| Reserved
|-
| 0x80
|
| Reserved
|}

==== Extra flags ====

If the compression method is 8, the following extra flags can be defined:

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x02
|
| compressor used maximum compression, slowest algorithm
|-
| 0x04
|
| compressor used fastest algorithm
|}

==== Operating System ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0
|
| FAT filesystem (MS-DOS, OS/2, NT/Win32)
|-
| 1
|
| Amiga
|-
| 2
|
| VMS (or OpenVMS)
|-
| 3
|
| Unix
|-
| 4
|
| VM/CMS
|-
| 5
|
| Atari TOS
|-
| 6
|
| HPFS filesystem (OS/2, NT)
|-
| 7
|
| Macintosh
|-
| 8
|
| Z-System
|-
| 9
|
| CP/M
|-
| 10
|
| TOPS-20
|-
| 11
|
| NTFS filesystem (NT)
|-
| 12
|
| QDOS
|-
| 13
|
| Acorn RISCOS
|-
| 255
|
| unknown
|}

== External Links ==
* [http://www.gzip.org/format.txt The gzip file format], by the [http://www.gzip.org/ gzip project]
* [http://www.gzip.org/algorithm.txt The gzip compression algorithm], by the [http://www.gzip.org/ gzip project]
* [http://tools.ietf.org/html/rfc1952 RFC1952: GZIP file format specification version 4.3], by [[IETF]]
* [http://en.wikipedia.org/wiki/Gzip Wikipedia: gzip]

[[Category:File Formats]]
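As an added example for the OLE Compound File section above (not code from ForensicsWiki or the libolecf project): a Python reader that identifies a file by the two signatures given there, reads the header, walks the FAT-like allocation table and lists the directory entries, including the name-length-in-bytes detail the page warns about. The header, FAT and directory-entry layouts are assumptions taken from the MS-CFB specification the page links to; the sample file produced by `build_sample()` is constructed in the code and is not a real artifact.

```python
# Added example (not from ForensicsWiki or libolecf): minimal OLECF reader.
# Signatures are from the page; header, FAT and directory-entry layouts are
# assumed from MS-CFB. Streams below the mini-stream cutoff are not followed.
import struct

OLECF_SIGNATURE = bytes.fromhex("d0cf11e0a1b11ae1")       # current signature
OLECF_BETA_SIGNATURE = bytes.fromhex("0e11fc0dd0cf110e")  # early beta signature
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF                            # "no sibling/child" in a directory entry
ENTRY_TYPES = {0: "unallocated", 1: "storage", 2: "stream", 5: "root storage"}
DIR_ENTRY = struct.Struct("<64sHBBIII16sIQQIQ")  # one 128-byte directory entry

def identify(data):
    """Return 'olecf', 'olecf-beta' or None from the first 8 bytes."""
    head = bytes(data[:8])
    if head == OLECF_SIGNATURE:
        return "olecf"
    if head == OLECF_BETA_SIGNATURE:
        return "olecf-beta"
    return None

def read_header(data):
    """Parse the fields of the 512-byte header that this reader needs."""
    if identify(data) is None:
        raise ValueError("not an OLE compound file")
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order marker 0x%04x" % byte_order)
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    mini_cutoff = struct.unpack_from("<I", data, 56)[0]
    difat = struct.unpack_from("<109I", data, 76)  # FAT sector numbers kept in the header
    return {"version": (major, minor), "sector_size": 1 << sector_shift,
            "num_fat_sectors": num_fat, "first_dir_sector": first_dir,
            "mini_cutoff": mini_cutoff, "difat": [s for s in difat if s != FREESECT]}

def sector(data, hdr, n):
    size = hdr["sector_size"]                    # sector n starts after the header
    return data[(n + 1) * size:(n + 2) * size]

def load_fat(data, hdr):
    """Concatenate the FAT sectors listed in the header DIFAT (files needing
    the DIFAT chain beyond 109 entries are not handled here)."""
    fmt = "<%dI" % (hdr["sector_size"] // 4)
    fat = []
    for s in hdr["difat"]:
        fat.extend(struct.unpack(fmt, sector(data, hdr, s)))
    return fat

def chain(fat, start):
    """Follow a FAT chain; a revisited or out-of-range sector means a damaged FAT."""
    seen = set()
    while start != ENDOFCHAIN:
        if start in seen or start >= len(fat):
            raise ValueError("bad FAT chain at sector 0x%x" % start)
        seen.add(start)
        yield start
        start = fat[start]

def read_chain(data, hdr, fat, start):
    return b"".join(sector(data, hdr, s) for s in chain(fat, start))

def list_directory(data, hdr, fat):
    """Return (name, type, start_sector, size) for every allocated entry."""
    raw = read_chain(data, hdr, fat, hdr["first_dir_sector"])
    entries = []
    for off in range(0, len(raw) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        (name, name_len, etype, _color, _left, _right, _child, _clsid,
         _state, _ctime, _mtime, start, size) = DIR_ENTRY.unpack_from(raw, off)
        if etype == 0:
            continue
        # name_len is in bytes and includes the UTF-16 terminator (the page's warning)
        text = name[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
        entries.append((text, ENTRY_TYPES.get(etype, "type %d" % etype), start, size))
    return entries

def read_stream(data, hdr, fat, entry):
    """Read a stream stored in regular sectors (smaller ones live in the mini stream)."""
    _name, _etype, start, size = entry
    if size < hdr["mini_cutoff"]:
        raise ValueError("stream is in the mini stream; not handled here")
    return read_chain(data, hdr, fat, start)[:size]

def build_sample():
    """Constructed test data: a v3 file with one FAT sector, one directory
    sector and a 4096-byte stream 'Data' occupying sectors 2-9."""
    payload = bytes(range(256)) * 16
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))

    def entry(name, etype, child, start, size):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return DIR_ENTRY.pack(raw.ljust(64, b"\x00"), len(raw), etype, 1, NOSTREAM,
                              NOSTREAM, child, bytes(16), 0, 0, 0, start, size)

    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry("Data", 2, NOSTREAM, 2, len(payload))).ljust(512, b"\x00")
    header = (OLECF_SIGNATURE + bytes(16)
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    return header + struct.pack("<128I", *fat) + directory + payload
```

The loop guard in `chain()` is the part worth keeping in any triage tool: a FAT whose chain revisits a sector is either corrupt or crafted, and a naive reader will spin or allocate without bound on it.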

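As an added example for the Gzip section (not the gzip project's own code): a Python writer and parser for one gzip member that follows the header, compression-method, flag, extra-flag, operating-system and footer tables above, verifies the optional header CRC-16 and the CRC-32 / ISIZE footer, and reports reserved flag bits and trailing bytes, the two things a forensic reader most wants flagged. The sample payload, file name, comment, extra subfield and timestamp are constructed values for the example.

```python
# Added example (not the gzip project's code): build one gzip member field by
# field and parse it back, checking every integrity field the format carries.
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"
CM_DEFLATE = 8                         # compression methods 0-7 are reserved
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10
RESERVED_FLAGS = 0x20 | 0x40 | 0x80    # must be zero in a conforming file
XFL_NAMES = {0x02: "maximum compression, slowest algorithm",
             0x04: "fastest algorithm"}
OS_NAMES = {0: "FAT filesystem (MS-DOS, OS/2, NT/Win32)", 1: "Amiga",
            2: "VMS (or OpenVMS)", 3: "Unix", 4: "VM/CMS", 5: "Atari TOS",
            6: "HPFS filesystem (OS/2, NT)", 7: "Macintosh", 8: "Z-System",
            9: "CP/M", 10: "TOPS-20", 11: "NTFS filesystem (NT)", 12: "QDOS",
            13: "Acorn RISCOS", 255: "unknown"}

def build_gzip(payload, name=None, comment=None, extra=b"", mtime=0,
               os_code=3, header_crc=False):
    """Write one gzip member by hand (constructed data, not via the gzip module)."""
    flags = ((FEXTRA if extra else 0) | (FNAME if name else 0)
             | (FCOMMENT if comment else 0) | (FHCRC if header_crc else 0))
    # 10-byte header: ID1 ID2 CM FLG MTIME(4) XFL OS, little-endian
    header = GZIP_MAGIC + struct.pack("<BBIBB", CM_DEFLATE, flags, mtime, 0x02, os_code)
    if extra:                          # FEXTRA: 2-byte length followed by subfields
        header += struct.pack("<H", len(extra)) + extra
    if name:                           # FNAME: NUL-terminated Latin-1 string
        header += name.encode("latin-1") + b"\x00"
    if comment:                        # FCOMMENT: same encoding as FNAME
        header += comment.encode("latin-1") + b"\x00"
    if header_crc:                     # FHCRC: low 16 bits of CRC-32 over the header so far
        header += struct.pack("<H", zlib.crc32(header) & 0xFFFF)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib wrapper
    body = comp.compress(payload) + comp.flush()
    footer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF,
                         len(payload) & 0xFFFFFFFF)  # ISIZE is the length modulo 2^32
    return header + body + footer

def _cstring(data, pos):
    """Read a NUL-terminated Latin-1 string starting at pos."""
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("latin-1"), end + 1

def parse_gzip(data):
    """Parse the first gzip member in data and verify its integrity fields."""
    if data[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip file: bad signature")
    cm, flags, mtime, xfl, os_code = struct.unpack_from("<BBIBB", data, 2)
    if cm != CM_DEFLATE:
        raise ValueError("compression method %d is reserved" % cm)
    info = {"mtime": mtime, "xfl": XFL_NAMES.get(xfl, "unspecified"),
            "os": OS_NAMES.get(os_code, "unassigned (%d)" % os_code),
            "is_text": bool(flags & FTEXT),
            "reserved_flags_set": bool(flags & RESERVED_FLAGS)}  # damaged or non-conforming
    pos = 10
    if flags & FEXTRA:
        xlen = struct.unpack_from("<H", data, pos)[0]
        info["extra"] = data[pos + 2:pos + 2 + xlen]
        pos += 2 + xlen
    if flags & FNAME:
        info["name"], pos = _cstring(data, pos)
    if flags & FCOMMENT:
        info["comment"], pos = _cstring(data, pos)
    if flags & FHCRC:
        stored = struct.unpack_from("<H", data, pos)[0]
        info["header_crc_ok"] = stored == (zlib.crc32(data[:pos]) & 0xFFFF)
        pos += 2
    dec = zlib.decompressobj(-15)
    payload = dec.decompress(data[pos:])
    if not dec.eof:
        raise ValueError("truncated DEFLATE body")
    trailer = dec.unused_data          # everything after the end of the DEFLATE stream
    if len(trailer) < 8:
        raise ValueError("truncated footer")
    crc32, isize = struct.unpack_from("<II", trailer)
    info["payload"] = payload
    info["crc_ok"] = crc32 == (zlib.crc32(payload) & 0xFFFFFFFF)
    info["isize_ok"] = isize == (len(payload) & 0xFFFFFFFF)
    info["trailing_bytes"] = len(trailer) - 8  # a further member, or data appended to the file
    return info
```

Two checks are worth noting. The header CRC-16 (FHCRC) covers only the header, so a changed flag byte or file name shows up as `header_crc_ok` being false while the payload still decompresses; the footer CRC-32 covers the uncompressed payload, so `crc_ok` and `isize_ok` catch body damage that DEFLATE itself does not detect. Non-zero `trailing_bytes` means either a second concatenated member or bytes appended after the gzip data, both of which a carving tool should look at rather than discard.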