Difference between revisions of "ZIP"

From ForensicsWiki
(Created page with "{{expand}} .ZIP is an archive file format that supports lossless data compression. == External Links == * [http://www.pkware.com/documents/casestudies/APPNOTE.TXT .ZIP File...")
 
m (File format: Added capability table ZIP v ZIP64, bit of structure detail)
 
(16 intermediate revisions by 2 users not shown)
Line 2: Line 2:
  
 
.ZIP is an archive file format that supports lossless data compression.
 
.ZIP is an archive file format that supports lossless data compression.
 +
 +
<b>TODO</b> describe ZIP64
 +
 +
== File format ==
 +
{| class="wikitable"
 +
|-
 +
! !! ZIP !! ZIP64
 +
|-
 +
|align="left"|  Maximum archive size (bytes)||align="right"| 4,294,967,295 ||align="right"|  18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
 +
|-
 +
|align="left"|  Maximum object size in archive (bytes) ||align="right"|  4,294,967,295 ||align="right"|  18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
 +
|-
 +
|align="left"|  Maximum objects in archive ||align="right"|  65,535 ||align="right"|  18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
 +
|-
 +
|align="left"|  Maximum central directory size (bytes) ||align="right"|  4,294,967,295 ||align="right"|  18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
 +
|-
 +
|align="left"|  Maximum spanned archive segments ||align="right"|  999 ||align="right"|  4,294,967,294
 +
|-
 +
|align="left"|  Maximum split archive segments ||align="right"|  65,535||align="right"|  4,294,967,294
 +
 +
|}
 +
 +
 +
{|class="wikitable"
 +
|-
 +
! Overall ZIP File Structure
 +
|-
 +
! Files
 +
|-
 +
|local file header 1
 +
|-
 +
|encryption header 1
 +
|-
 +
|file data 1
 +
|-
 +
|data descriptor 1
 +
|-
 +
|align="center"| ...
 +
|-
 +
|local file header ''n''
 +
|-
 +
|encryption header ''n''
 +
|-
 +
|file data ''n''
 +
|-
 +
|data descriptor ''n''
 +
|-
 +
! Central directory
 +
|-
 +
|archive decryption header
 +
|-
 +
|archive extra data record
 +
 +
|-
 +
|central directory header 1
 +
|-
 +
|align="center"| ...
 +
|-
 +
|central directory header ''n''
 +
|-
 +
|zip64 end of central directory record
 +
|-
 +
|zip64 end of central directory locator
 +
|-
 +
|end of central directory record
 +
 +
|}
 +
 +
 +
 +
 +
{| class="wikitable"
 +
! align="left"| Characteristics
 +
! Description
 +
|-
 +
| Byte order
 +
| little-endian
 +
|-
 +
| Date and time values
 +
|
 +
|-
 +
| Character strings
 +
|
 +
|}
 +
 +
=== Central directory (archived) file header ===
 +
The central directory (archived) file header is variable of size and consists of:
 +
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| "PK\x01\x02"
 +
| Signature
 +
|-
 +
| 4
 +
| 2
 +
|
 +
| Creator version
 +
|-
 +
| 6
 +
| 2
 +
|
 +
| Extractor version
 +
|-
 +
| 8
 +
| 2
 +
|
 +
| Flags
 +
|-
 +
| 10
 +
| 2
 +
|
 +
| Last modification time
 +
|-
 +
| 12
 +
| 2
 +
|
 +
| Last modification date
 +
|-
 +
| 14
 +
| 4
 +
|
 +
| Checksum (CRC-32)
 +
|-
 +
| 18
 +
| 4
 +
|
 +
| Uncompressed data size
 +
|-
 +
| 22
 +
| 4
 +
|
 +
| Compressed data size
 +
|-
 +
| 26
 +
| 2
 +
|
 +
| File name size
 +
|-
 +
| 28
 +
| 2
 +
|
 +
| Extra field size
 +
|-
 +
| 30
 +
| 2
 +
|
 +
| File comment size
 +
|-
 +
| 32
 +
| 2
 +
|
 +
| Segment file (disk) number
 +
|-
 +
| 34
 +
| 2
 +
|
 +
| internal file attributes
 +
|-
 +
| 36
 +
| 4
 +
|
 +
| external file attributes
 +
|-
 +
| 40
 +
| 4
 +
|
 +
| local header offset <br> The offset of the local header relative to the start of the segment file it is stored in.
 +
|-
 +
| 44
 +
| ...
 +
|
 +
| File name
 +
|-
 +
| ...
 +
| ...
 +
|
 +
| Extra field
 +
|-
 +
| ...
 +
| ...
 +
|
 +
| File comment
 +
|}
 +
 +
==== Creator version ====
 +
The creator (or version made by) is 2 bytes of size and consists of:
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 1
 +
|
 +
| ZIP format version <br> The value is stored as: ( major number x 10 ) + minor number
 +
|-
 +
| 1
 +
| 1
 +
|
 +
| Creator system indicator
 +
|}
 +
 +
===== Creator system indicator =====
 +
{| class="wikitable"
 +
! align="left"| Value
 +
! Identifier
 +
! Description
 +
|-
 +
| 0
 +
|
 +
| MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems
 +
|-
 +
| 1
 +
|
 +
| Amiga
 +
|-
 +
| 2
 +
|
 +
| OpenVMS
 +
|-
 +
| 3
 +
|
 +
| UNIX
 +
|-
 +
| 4
 +
|
 +
| VM/CMS
 +
|-
 +
| 5
 +
|
 +
| Atari ST
 +
|-
 +
| 6
 +
|
 +
| OS/2 H.P.F.S.
 +
|-
 +
| 7
 +
|
 +
| Macintosh
 +
|-
 +
| 8
 +
|
 +
| Z-System
 +
|-
 +
| 9
 +
|
 +
| CP/M
 +
|-
 +
| 10
 +
|
 +
| Windows NTFS
 +
|-
 +
| 11
 +
|
 +
| MVS (OS/390 - Z/OS)
 +
|-
 +
| 12
 +
|
 +
| VSE
 +
|-
 +
| 13
 +
|
 +
| Acorn Risc
 +
|-
 +
| 14
 +
|
 +
| VFAT
 +
|-
 +
| 15
 +
|
 +
| alternate MVS
 +
|-
 +
| 16
 +
|
 +
| BeOS
 +
|-
 +
| 17
 +
|
 +
| Tandem
 +
|-
 +
| 18
 +
|
 +
| OS/400
 +
|-
 +
| 19
 +
|
 +
| OS X (Darwin)
 +
|-
 +
| 20 - 255
 +
|
 +
| unused
 +
|}
 +
 +
==== Internal file attributes ====
 +
{| class="wikitable"
 +
! align="left"| Value
 +
! Identifier
 +
! Description
 +
|-
 +
| 0x01
 +
|
 +
| If set the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
 +
|-
 +
| 0x02
 +
|
 +
| If set the file contains control fields for mainframe data transfer support.
 +
|}
 +
 +
==== External file attributes ====
 +
The external attributes are creator system dependent.
 +
 +
The external attributes MS-DOS (0) is 4 bytes of size and consists of:
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 1
 +
|
 +
| FAT (MS-DOS) file attributes.
 +
|-
 +
| 1
 +
| 3
 +
|
 +
| Unknown
 +
|}
 +
 +
The external attributes UNIX (3) is 4 bytes of size and consists of:
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 1
 +
|
 +
| FAT (MS-DOS) file attributes.
 +
|-
 +
| 1
 +
| 1
 +
|
 +
| Unknown
 +
|-
 +
| 2
 +
| 16 bits
 +
|
 +
| The UNIX mode (or permission). <br> The value seems to be similar to stat.st_mode value.
 +
|}
  
 
== External Links ==
 
== External Links ==
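
Review bot: In the "Central directory (archived) file header" table, the 2-byte compression method field that APPNOTE.TXT places between the flags and the last modification time is missing, so every offset from 10 onward is 2 bytes too low (the file name starts at 46, not 44). APPNOTE.TXT also lists the compressed data size before the uncompressed data size. Suggest adding a row "10 | 2 | Compression method", shifting the later offsets by 2 and swapping the two size rows. In the ZIP64 column of the capability table, 2<sup>64</sup>-1 is 18,446,744,073,709,551,615, not 18,446,755,073,709,551,615. The UNIX external attributes table gives the mode size as "16 bits" while every other size is in bytes; "2" would be consistent. The "Date and time values" and "Character strings" rows are also left empty.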
Line 9: Line 367:
  
 
[[Category:File Formats]]
 
[[Category:File Formats]]
 +
[[Category:Archive File Formats]]

Latest revision as of 15:35, 30 December 2015


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

.ZIP is an archive file format that supports lossless data compression.

TODO describe ZIP64

File format

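{| class="wikitable"
|-
! !! ZIP !! ZIP64
|-
|align="left"| Maximum archive size (bytes) ||align="right"| 4,294,967,295 ||align="right"| 18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
|-
|align="left"| Maximum object size in archive (bytes) ||align="right"| 4,294,967,295 ||align="right"| 18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
|-
|align="left"| Maximum objects in archive ||align="right"| 65,535 ||align="right"| 18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
|-
|align="left"| Maximum central directory size (bytes) ||align="right"| 4,294,967,295 ||align="right"| 18,446,755,073,709,551,615 ( 2<sup>64</sup>-1 )
|-
|align="left"| Maximum spanned archive segments ||align="right"| 999 ||align="right"| 4,294,967,294
|-
|align="left"| Maximum split archive segments ||align="right"| 65,535 ||align="right"| 4,294,967,294
|}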


{| class="wikitable"
|-
! Overall ZIP File Structure
|-
! Files
|-
| local file header 1
|-
| encryption header 1
|-
| file data 1
|-
| data descriptor 1
|-
|align="center"| ...
|-
| local file header ''n''
|-
| encryption header ''n''
|-
| file data ''n''
|-
| data descriptor ''n''
|-
! Central directory
|-
| archive decryption header
|-
| archive extra data record
|-
| central directory header 1
|-
|align="center"| ...
|-
| central directory header ''n''
|-
| zip64 end of central directory record
|-
| zip64 end of central directory locator
|-
| end of central directory record
|}



{| class="wikitable"
! align="left"| Characteristics !! Description
|-
| Byte order || little-endian
|-
| Date and time values ||
|-
| Character strings ||
|}

Central directory (archived) file header

The central directory (archived) file header is variable in size and consists of:

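{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| 0 || 4 || "PK\x01\x02" || Signature
|-
| 4 || 2 || || Creator version
|-
| 6 || 2 || || Extractor version
|-
| 8 || 2 || || Flags
|-
| 10 || 2 || || Last modification time
|-
| 12 || 2 || || Last modification date
|-
| 14 || 4 || || Checksum (CRC-32)
|-
| 18 || 4 || || Uncompressed data size
|-
| 22 || 4 || || Compressed data size
|-
| 26 || 2 || || File name size
|-
| 28 || 2 || || Extra field size
|-
| 30 || 2 || || File comment size
|-
| 32 || 2 || || Segment file (disk) number
|-
| 34 || 2 || || internal file attributes
|-
| 36 || 4 || || external file attributes
|-
| 40 || 4 || || local header offset <br> The offset of the local header relative to the start of the segment file it is stored in.
|-
| 44 || ... || || File name
|-
| ... || ... || || Extra field
|-
| ... || ... || || File comment
|}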

Creator version

The creator version (or version made by) is 2 bytes in size and consists of:

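{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| 0 || 1 || || ZIP format version <br> The value is stored as: ( major number x 10 ) + minor number
|-
| 1 || 1 || || Creator system indicator
|}

Creator system indicator

{| class="wikitable"
! align="left"| Value !! Identifier !! Description
|-
| 0 || || MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems
|-
| 1 || || Amiga
|-
| 2 || || OpenVMS
|-
| 3 || || UNIX
|-
| 4 || || VM/CMS
|-
| 5 || || Atari ST
|-
| 6 || || OS/2 H.P.F.S.
|-
| 7 || || Macintosh
|-
| 8 || || Z-System
|-
| 9 || || CP/M
|-
| 10 || || Windows NTFS
|-
| 11 || || MVS (OS/390 - Z/OS)
|-
| 12 || || VSE
|-
| 13 || || Acorn Risc
|-
| 14 || || VFAT
|-
| 15 || || alternate MVS
|-
| 16 || || BeOS
|-
| 17 || || Tandem
|-
| 18 || || OS/400
|-
| 19 || || OS X (Darwin)
|-
| 20 - 255 || || unused
|}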

Internal file attributes

{| class="wikitable"
! align="left"| Value !! Identifier !! Description
|-
| 0x01 || || If set the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
|-
| 0x02 || || If set the file contains control fields for mainframe data transfer support.
|}

External file attributes

The external attributes are creator system dependent.

The external attributes for MS-DOS (0) are 4 bytes in size and consist of:

{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| 0 || 1 || || FAT (MS-DOS) file attributes.
|-
| 1 || 3 || || Unknown
|}

The external attributes for UNIX (3) are 4 bytes in size and consist of:

{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| 0 || 1 || || FAT (MS-DOS) file attributes.
|-
| 1 || 1 || || Unknown
|-
| 2 || 16 bits || || The UNIX mode (or permission). <br> The value seems to be similar to stat.st_mode value.
|}
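
As an added example (not part of the ForensicsWiki page), the following Python code decodes the creator version, the internal attribute flag 0x01 and the creator-system-dependent external attributes described above, reading the fields through the standard-library zipfile module. The function names and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

# Subset of the creator system indicator table above.
CREATOR_SYSTEMS = {0: "MS-DOS and OS/2", 3: "UNIX", 10: "Windows NTFS", 19: "OS X (Darwin)"}

def decode_creator_version(raw):
    """Split the 2-byte little-endian creator version into its two bytes."""
    version, system = raw & 0xFF, raw >> 8  # byte 0: format version, byte 1: system
    return {"zip_version": f"{version // 10}.{version % 10}",
            "system": CREATOR_SYSTEMS.get(system, f"unlisted ({system})")}

def decode_external_attributes(system, attrs):
    """Interpret the 4-byte external attributes for creator systems 0 and 3."""
    out = {"fat_attributes": attrs & 0xFF}  # offset 0, 1 byte
    if system == 3:  # UNIX: the 2 bytes at offset 2 hold the st_mode-like value
        mode = (attrs >> 16) & 0xFFFF
        out.update(mode=stat.filemode(mode), setuid=bool(mode & stat.S_ISUID),
                   symlink=stat.S_ISLNK(mode))
    return out

def describe_entries(archive_bytes):
    """Decode creator and attribute fields for every central directory entry."""
    rows = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            raw = info.create_version | (info.create_system << 8)
            rows[info.filename] = {
                **decode_creator_version(raw),
                **decode_external_attributes(info.create_system, info.external_attr),
                "text_hint": bool(info.internal_attr & 0x01)}  # internal flag 0x01
    return rows

def build_sample():
    """Constructed sample archive: three UNIX entries and one MS-DOS entry."""
    entries = [("notes.txt", 3, (stat.S_IFREG | 0o644) << 16),
               ("bin/helper", 3, (stat.S_IFREG | 0o4755) << 16),
               ("latest", 3, (stat.S_IFLNK | 0o777) << 16),
               ("README.TXT", 0, 0x21)]  # FAT read-only and archive bits
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, system, attrs in entries:
            info = zipfile.ZipInfo(name)
            info.create_system, info.external_attr = system, attrs
            zf.writestr(info, b"constructed sample data\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(describe_entries(build_sample()))
```

During triage, the decoded mode lets an examiner list set-uid and symbolic-link entries from the central directory alone, before any file data is extracted.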

External Links