Zip

From ForensicsWiki
Revision as of 03:38, 1 December 2013 by Joachim Metz (Talk | contribs)


.ZIP is an archive file format that supports lossless data compression.

TODO describe ZIP64

File format

| Characteristics | Description |
| --- | --- |
| Byte order | little-endian |
| Date and time values | |
| Character strings | |

Central directory (archived) file header

The central directory (archived) file header is variable in size and consists of:

| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 4 | "PK\x01\x02" | Signature |
| 4 | 2 | | Creator version |
| 6 | 2 | | Extractor version |
| 8 | 2 | | Flags |
| 10 | 2 | | Last modification time |
| 12 | 2 | | Last modification date |
| 14 | 4 | | Checksum (CRC-32) |
| 18 | 4 | | Uncompressed data size |
| 22 | 4 | | Compressed data size |
| 26 | 2 | | File name size |
| 28 | 2 | | Extra field size |
| 30 | 2 | | File comment size |
| 32 | 2 | | Segment file (disk) number |
| 34 | 2 | | Internal file attributes |
| 36 | 4 | | External file attributes |
| 40 | 4 | | Local header offset. The offset of the local header relative to the start of the segment file it is stored in. |
| 44 | ... | | File name |
| ... | ... | | Extra field |
| ... | ... | | File comment |

Creator version

The creator version (or version made by) is 2 bytes in size and consists of:

| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 1 | | ZIP format version. The value is stored as: ( major number x 10 ) + minor number |
| 1 | 1 | | Creator system indicator |

Creator system indicator

| Value | Identifier | Description |
| --- | --- | --- |
| 0 | | MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems |
| 1 | | Amiga |
| 2 | | OpenVMS |
| 3 | | UNIX |
| 4 | | VM/CMS |
| 5 | | Atari ST |
| 6 | | OS/2 H.P.F.S. |
| 7 | | Macintosh |
| 8 | | Z-System |
| 9 | | CP/M |
| 10 | | Windows NTFS |
| 11 | | MVS (OS/390 - Z/OS) |
| 12 | | VSE |
| 13 | | Acorn Risc |
| 14 | | VFAT |
| 15 | | alternate MVS |
| 16 | | BeOS |
| 17 | | Tandem |
| 18 | | OS/400 |
| 19 | | OS X (Darwin) |
| 20 - 255 | | unused |

Internal file attributes

| Value | Identifier | Description |
| --- | --- | --- |
| 0x01 | | If set, the uncompressed data needs to be treated as text instead of binary data. This flag hints at end-of-line conversion for cross-platform text files but does not enforce it. |
| 0x02 | | If set, the file contains control fields for mainframe data transfer support. |

External file attributes

The external attributes are creator system dependent.

The external attributes for MS-DOS (0) are 4 bytes in size and consist of:

| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 1 | | FAT (MS-DOS) file attributes. |
| 1 | 3 | | Unknown |

The external attributes for UNIX (3) are 4 bytes in size and consist of:

| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 1 | | FAT (MS-DOS) file attributes. |
| 1 | 1 | | Unknown |
| 2 | 12 bits | | The UNIX mode (or permission). |
| 3.4 | 4 bits | | Unknown |
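
The creator version and external attribute layouts above, decoded in Python as an added example (not part of the original article). It uses the standard `zipfile` module to read the central directory entries; the function names and the two-member sample archive are constructed for illustration.

```python
import io
import zipfile

# Creator system indicator values 0-19 as listed in the table above.
CREATOR_SYSTEMS = (
    "MS-DOS and OS/2", "Amiga", "OpenVMS", "UNIX", "VM/CMS", "Atari ST",
    "OS/2 H.P.F.S.", "Macintosh", "Z-System", "CP/M", "Windows NTFS",
    "MVS (OS/390 - Z/OS)", "VSE", "Acorn Risc", "VFAT", "alternate MVS",
    "BeOS", "Tandem", "OS/400", "OS X (Darwin)")

def decode_creator_version(raw):
    """Split the 2-byte creator version, read as a little-endian uint16."""
    version, system = raw & 0xFF, (raw >> 8) & 0xFF
    name = CREATOR_SYSTEMS[system] if system < len(CREATOR_SYSTEMS) else "unused"
    return {"major": version // 10, "minor": version % 10,
            "system": system, "system_name": name}

def decode_external_attributes(system, raw):
    """Interpret the 4-byte external attributes for creator systems 0 and 3."""
    out = {"fat_attributes": raw & 0xFF} if system in (0, 3) else {}  # offset 0
    if system == 3:
        out["unix_mode"] = (raw >> 16) & 0x0FFF   # 12 bits starting at offset 2
    return out

def describe_archive(data):
    """Decode these fields for each central directory entry of an in-memory ZIP."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            row = decode_creator_version(info.create_version | (info.create_system << 8))
            row.update(name=info.filename, text_hint=bool(info.internal_attr & 0x01))
            row.update(decode_external_attributes(info.create_system, info.external_attr))
            rows.append(row)
    return rows

def build_sample():
    """Constructed two-member archive: one UNIX entry, one MS-DOS entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        unix = zipfile.ZipInfo("tool.sh")
        unix.create_system, unix.external_attr = 3, 0o104755 << 16  # setuid, rwxr-xr-x
        zf.writestr(unix, "#!/bin/sh\n")
        dos = zipfile.ZipInfo("README.TXT")
        dos.create_system, dos.internal_attr, dos.external_attr = 0, 0x01, 0x21
        zf.writestr(dos, "hello\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(*describe_archive(build_sample()), sep="\n")
```

The UNIX entry decodes to mode 0o4755, so a setuid bit recorded in the archive is visible from the central directory alone, without extracting the member.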

External Links