Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn

ZIP

From Forensics Wiki
Jump to navigation Jump to search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

.ZIP is an archive file format that supports lossless data compression.

TODO describe ZIP64

File format

ZIP ZIP64
Maximum archive size (bytes) 4,294,967,295 18,446,755,073,709,551,615 ( 264-1 )
Maximum object size in archive (bytes) 4,294,967,295 18,446,755,073,709,551,615 ( 264-1 )
Maximum objects in archive 65,535 18,446,755,073,709,551,615 ( 264-1 )
Maximum central directory size (bytes) 4,294,967,295 18,446,755,073,709,551,615 ( 264-1 )
Maximum spanned archive segments 999 4,294,967,294
Maximum split archive segments 65,535 4,294,967,294


Overall ZIP File Structure
Files
local file header 1
encryption header 1
file data 1
data descriptor 1
...
local file header n
encryption header n
file data n
data descriptor n
Central directory
archive decryption header
archive extra data record
central directory header 1
...
central directory header n
zip64 end of central directory record
zip64 end of central directory locator
end of central directory record



Characteristics Description
Byte order little-endian
Date and time values
Character strings

Central directory (archived) file header

The central directory (archived) file header is variable of size and consists of:

Offset Size Value Description
0 4 "PK\x01\x02" Signature
4 2 Creator version
6 2 Extractor version
8 2 Flags
10 2 Last modification time
12 2 Last modification date
14 4 Checksum (CRC-32)
18 4 Uncompressed data size
22 4 Compressed data size
26 2 File name size
28 2 Extra field size
30 2 File comment size
32 2 Segment file (disk) number
34 2 internal file attributes
36 4 external file attributes
40 4 local header offset
The offset of the local header relative to the start of the segment file it is stored in.
44 ... File name
... ... Extra field
... ... File comment

Creator version

The creator (or version made by) is 2 bytes of size and consists of:

Offset Size Value Description
0 1 ZIP format version
The value is stored as: ( major number x 10 ) + minor number
1 1 Creator system indicator
Creator system indicator
Value Identifier Description
0 MS-DOS and OS/2 (FAT / VFAT / FAT32 file systems) or compatible systems
1 Amiga
2 OpenVMS
3 UNIX
4 VM/CMS
5 Atari ST
6 OS/2 H.P.F.S.
7 Macintosh
8 Z-System
9 CP/M
10 Windows NTFS
11 MVS (OS/390 - Z/OS)
12 VSE
13 Acorn Risc
14 VFAT
15 alternate MVS
16 BeOS
17 Tandem
18 OS/400
19 OS X (Darwin)
20 - 255 unused

Internal file attributes

Value Identifier Description
0x01 If set the uncompressed data needs to be treated as text instead of binary data.
This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
0x02 If set the file contains control fields for mainframe data transfer support.

External file attributes

The external attributes are creator system dependent.

The external attributes MS-DOS (0) is 4 bytes of size and consists of:

Offset Size Value Description
0 1 FAT (MS-DOS) file attributes.
1 3 Unknown

The external attributes UNIX (3) is 4 bytes of size and consists of:

Offset Size Value Description
0 1 FAT (MS-DOS) file attributes.
1 1 Unknown
2 16 bits The UNIX mode (or permission).
The value seems to be similar to stat.st_mode value.

External Links

Retrieved from "https://forensicswiki.xyz/wiki/index.php?title=ZIP&oldid=14070"