Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn
Bzip2
Jump to navigation
Jump to search
|
|
Please help to improve this article by expanding it.
|
The bzip2 (.bz2) file consists of a single bzip2 stream. The bzip2 stream consists of:
- The stream header.
The stream header is 4 bytes in size and contains:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 | "BZ" | Signature (magic number) |
| 2 | 1 | Version 'h' for Bzip2 ('H'uffman coding), '0' for Bzip1 (deprecated) | |
| 3 | 1 | Block size Value is defined in increments of 100 kB '1'..'9' block-size 100 kB-900 kB (uncompressed) Note: currently assumed that kB should be kiB |
- followed by zero or more compressed blocks
.compressed_magic:48 = 0x314159265359 (BCD (pi))
.crc:32 = checksum for this block
.randomised:1 = 0=>normal, 1=>randomised (deprecated)
.origPtr:24 = starting pointer into BWT for after untransform
.huffman_used_map:16 = bitmap, of ranges of 16 bytes, present/not present
.huffman_used_bitmaps:0..256 = bitmap, of symbols used, present/not present (multiples of 16)
.huffman_groups:3 = 2..6 number of different Huffman tables in use
.selectors_used:15 = number of times that the Huffman tables are swapped (each 50 bytes)
*.selector_list:1..6 = zero-terminated bit runs (0..62) of MTF'ed Huffman table (*selectors_used)
.start_huffman_length:5 = 0..20 starting bit length for Huffman deltas
*.delta_bit_length:1..40 = 0=>next symbol; 1=>alter length
{ 1=>decrement length; 0=>increment length } (*(symbols+2)*groups)
.contents:2..∞ = Huffman encoded data stream until end of block
- immediately followed by an end-of-stream marker containing a 32-bit CRC for the uncompressed data.
.eos_magic:48 = 0x177245385090 (BCD sqrt(pi)) .crc:32 = checksum for whole stream .padding:0..7 = align to whole byte
The compressed blocks are bit-aligned and no padding occurs.
