Difference between pages "Zip" and "Golden G. Richard III"

From Forensics Wiki
(Difference between pages)
Line 1: Line 1:
{{expand}}
 
  
.ZIP is an archive file format that supports lossless data compression.
+
Golden G. Richard III is Professor of Computer Science, University Research Professor, and Director of the Greater New Orleans Center for Information Assurance (GNOCIA) at the University of New Orleans, where he has taught and done research in cybersecurity, operating systems internals, reverse engineering, and malware analysis since 1994.  Golden earned a Ph.D. in Computer Science from The Ohio State University in 1995.  He is also the Founder and Owner of Arcane Alloy, LLC, a private digital forensics and cybersecurity firm, the original author of the [[Scalpel]] file [[Carving|carving]] tool, a pioneer in applying high performance computing principles to digital forensics, and a professional music photographer.
  
<b>TODO</b> describe ZIP64
+
He maintains a [[Blogs|blog]] called "Outlook Purple" and can be found on Twitter at @nolaforensix.
  
== File format ==
+
== See Also ==
  
{| class="wikitable"
+
[[Forensics on GPUs]]
! align="left"| Characteristics
+
! Description
+
|-
+
| Byte order
+
| little-endian
+
|-
+
| Date and time values
+
|
+
|-
+
| Character strings
+
|
+
|}
+
 
+
=== Archived file header ===
+
The (central directory) archived file header is variable of size and consists of:
+
 
+
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
|-
+
| 0
+
| 4
+
| "PK\x01\x02"
+
| Signature
+
|-
+
| 4
+
| 2
+
|
+
| Creator version
+
|-
+
| 6
+
| 2
+
|
+
| Extractor version
+
|-
+
| 8
+
| 2
+
|
+
| Flags
+
|-
+
| 10
+
| 2
+
|
+
| Last modification time
+
|-
+
| 12
+
| 2
+
|
+
| Last modification date
+
|-
+
| 14
+
| 4
+
|
+
| Checksum (CRC-32)
+
|-
+
| 18
+
| 4
+
|
+
| Uncompressed data size
+
|-
+
| 22
+
| 4
+
|
+
| Compressed data size
+
|-
+
| 26
+
| 2
+
|
+
| File name size
+
|-
+
| 28
+
| 2
+
|
+
| Extra field size
+
|-
+
| 30
+
| 2
+
|
+
| File comment size
+
|-
+
| 32
+
| 2
+
|
+
| Segment file (disk) number
+
|-
+
| 34
+
| 2
+
|
+
| internal file attributes
+
|-
+
| 36
+
| 4
+
|
+
| external file attributes
+
|-
+
| 40
+
| 4
+
|
+
| local header offset <br> The offset of the local header relative to the start of the segment file it is stored in.
+
|-
+
| 44
+
| ...
+
|
+
| File name
+
|-
+
| ...
+
| ...
+
|
+
| Extra field
+
|-
+
| ...
+
| ...
+
|
+
| File comment
+
|}
+
 
+
==== Creator version ====
+
The creator (or version made by) is 2 bytes of size and consists of:
+
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
|-
+
| 0
+
| 1
+
|
+
| ZIP format version <br> The value is stored as: ( major number x 10 ) + minor number
+
|-
+
| 1
+
| 1
+
|
+
| Creator system indicator
+
|}
+
 
+
===== Creator system indicator =====
+
{| class="wikitable"
+
! align="left"| Value
+
! Identifier
+
! Description
+
|-
+
| 0
+
|
+
| MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems
+
|-
+
| 1
+
|
+
| Amiga
+
|-
+
| 2
+
|
+
| OpenVMS
+
|-
+
| 3
+
|
+
| UNIX
+
|-
+
| 4
+
|
+
| VM/CMS
+
|-
+
| 5
+
|
+
| Atari ST
+
|-
+
| 6
+
|
+
| OS/2 H.P.F.S.
+
|-
+
| 7
+
|
+
| Macintosh
+
|-
+
| 8
+
|
+
| Z-System
+
|-
+
| 9
+
|
+
| CP/M
+
|-
+
| 10
+
|
+
| Windows NTFS
+
|-
+
| 11
+
|
+
| MVS (OS/390 - Z/OS)
+
|-
+
| 12
+
|
+
| VSE
+
|-
+
| 13
+
|
+
| Acorn Risc
+
|-
+
| 14
+
|
+
| VFAT
+
|-
+
| 15
+
|
+
| alternate MVS
+
|-
+
| 16
+
|
+
| BeOS
+
|-
+
| 17
+
|
+
| Tandem
+
|-
+
| 18
+
|
+
| OS/400
+
|-
+
| 19
+
|
+
| OS X (Darwin)
+
|-
+
| 20 - 255
+
|
+
| unused
+
|}
+
 
+
==== Internal file attributes ====
+
{| class="wikitable"
+
! align="left"| Value
+
! Identifier
+
! Description
+
|-
+
| 0x01
+
|
+
| If set the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
+
|-
+
| 0x02
+
|
+
| If set the file contains control fields for mainframe data transfer support.
+
|}
+
  
 
== External Links ==
 
== External Links ==
  
* [http://www.pkware.com/documents/casestudies/APPNOTE.TXT .ZIP File Format Specification], PKWARE Inc., September 1, 2012
+
* [http://www.cs.uno.edu/~golden/ Official website]
* [http://en.wikipedia.org/wiki/Zip_(file_format) Wikipedia: Zip (file format)]
+
* [http://www.arcanealloy.com / Arcane Alloy, LLC]
 +
* [http://outlookpurple.blogspot.com / Outlook Purple]
 +
* [http://www.highisomusic.com / High ISO Music]
  
[[Category:File Formats]]
+
[[Category:People]]
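
Review bot: The three external links added at the end of the hunk (Arcane Alloy, Outlook Purple, High ISO Music) have a space before the trailing slash, as in `[http://www.arcanealloy.com / Arcane Alloy, LLC]`. MediaWiki ends an external link's URL at the first space, so the link target stops at `.com` and the rendered label becomes "/ Arcane Alloy, LLC". Remove the space so the slash is part of the URL, matching the form of the `[http://www.cs.uno.edu/~golden/ Official website]` line above them.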

Revision as of 15:32, 28 January 2014

Golden G. Richard III is Professor of Computer Science, University Research Professor, and Director of the Greater New Orleans Center for Information Assurance (GNOCIA) at the University of New Orleans, where he has taught and done research in cybersecurity, operating systems internals, reverse engineering, and malware analysis since 1994. Golden earned a Ph.D. in Computer Science from The Ohio State University in 1995. He is also the Founder and Owner of Arcane Alloy, LLC, a private digital forensics and cybersecurity firm, the original author of the Scalpel file carving tool, a pioneer in applying high performance computing principles to digital forensics, and a professional music photographer.

He maintains a blog called "Outlook Purple" and can be found on Twitter at @nolaforensix.

See Also

Forensics on GPUs

External Links