Zip

From ForensicsWiki
Revision as of 02:57, 1 December 2013 by Joachim Metz (Talk | contribs)


.ZIP is an archive file format that supports lossless data compression.

TODO ZIP64

File format

| Characteristics | Description |
| --- | --- |
| Byte order | little-endian |
| Date and time values | |
| Character strings | |

Archived file header

The (central directory) archived file header is of variable size and consists of:

| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 4 | "PK\x01\x02" | Signature |
| 4 | 2 | | Creator version |
| 6 | 2 | | Extractor version |
| 8 | 2 | | Flags |
| 10 | 2 | | Last modification time |
| 12 | 2 | | Last modification date |
| 14 | 4 | | Checksum (CRC-32) |
| 18 | 4 | | Uncompressed data size |
| 22 | 4 | | Compressed data size |
| 26 | 2 | | File name size |
| 28 | 2 | | Extra field size |
| 30 | 2 | | File comment size |
| 32 | 2 | | Segment file (disk) number |
| 34 | 2 | | Internal file attributes |
| 36 | 4 | | External file attributes |
| 40 | 4 | | Local header offset. The offset of the local header relative to the start of the segment file it is stored in. |
| 44 | ... | | File name |
| ... | ... | | Extra field |
| ... | ... | | File comment |

Creator version

The creator version (or version made by) is 2 bytes in size and consists of:

| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 1 | | ZIP format version. The value is stored as: (major number x 10) + minor number |
| 1 | 1 | | Creator system indicator |
Creator system indicator
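| Value | Identifier | Description |
| --- | --- | --- |
| 0 | | MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems |
| 1 | | Amiga |
| 2 | | OpenVMS |
| 3 | | UNIX |
| 4 | | VM/CMS |
| 5 | | Atari ST |
| 6 | | OS/2 H.P.F.S. |
| 7 | | Macintosh |
| 8 | | Z-System |
| 9 | | CP/M |
| 10 | | Windows NTFS |
| 11 | | MVS (OS/390 - Z/OS) |
| 12 | | VSE |
| 13 | | Acorn Risc |
| 14 | | VFAT |
| 15 | | alternate MVS |
| 16 | | BeOS |
| 17 | | Tandem |
| 18 | | OS/400 |
| 19 | | OS X (Darwin) |
| 20 - 255 | | unused |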
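
The following Python parser is an added example, not part of the original article: it walks consecutive central directory headers starting at the first "PK\x01\x02" signature and decodes the creator version as described above. It follows the PKWARE APPNOTE field order, which places a 2-byte compression method after the flags (so the later fields sit 2 bytes beyond the offsets in the table above) and stores the compressed size before the uncompressed size. The function names, the subset of system indicators and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

SIGNATURE = b"PK\x01\x02"
# Fixed 46-byte part (APPNOTE order): signature, format version, creator
# system, extractor version, flags, compression method, time, date, CRC-32,
# compressed size, uncompressed size, name/extra/comment sizes, disk number,
# internal attributes, external attributes, local header offset.
FIXED = struct.Struct("<4sBBHHHHHIIIHHHHHII")
# Subset of the creator system indicator table above.
SYSTEMS = {0: "MS-DOS and OS/2", 3: "UNIX", 10: "Windows NTFS", 19: "OS X (Darwin)"}

def parse_central_directory(data):
    """Walk consecutive headers from the first signature; stop on mismatch or truncation."""
    entries, pos = [], data.find(SIGNATURE)
    while pos >= 0 and pos + FIXED.size <= len(data):
        (sig, fmt, system, _extractor, flags, _method, _time, _date, crc, csize,
         usize, n_name, n_extra, n_comment, _disk, _iattr, _eattr,
         local_off) = FIXED.unpack_from(data, pos)
        end = pos + FIXED.size + n_name + n_extra + n_comment
        if sig != SIGNATURE or end > len(data):
            break  # not a header, or the size fields point past the buffer
        raw = data[pos + FIXED.size:pos + FIXED.size + n_name]
        entries.append({
            # General purpose flag bit 11 marks a UTF-8 name; otherwise CP437.
            "name": raw.decode("utf-8" if flags & 0x0800 else "cp437", "replace"),
            "format_version": f"{fmt // 10}.{fmt % 10}",  # (major x 10) + minor
            "creator_system": SYSTEMS.get(system, f"unlisted ({system})"),
            "crc32": crc, "compressed_size": csize, "uncompressed_size": usize,
            "local_header_offset": local_off,
        })
        pos = end
    return entries

def build_sample():
    """Constructed sample: in-memory archive with two stored members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, system in (("a.txt", 3), ("b.txt", 10)):
            info = zipfile.ZipInfo(name)
            info.create_system = system
            zf.writestr(info, b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    for entry in parse_central_directory(build_sample()):
        print(entry)
```

Scanning for the first signature is a fallback for archives whose end of central directory record is missing or damaged; file data that happens to contain the signature bytes can produce false starts.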

External Links