8

I have read that AES GCM uses AES CTR for encryption and GMAC for authentication.

If that is correct, what is the relationship between the IV used for AES GCM and the IV used for AES CTR?

To put the question another way, can I encrypt using GCM and then decrypt using AES CTR (ignoring authentication) and if so, what's the relationship between the IV that I pass to GCM when encrypting and the IV that I pass to AES CTR when decrypting?

Tricky Dixon

1 Answer

13

That's correct.

In most cases you can do what you are proposing. However, be warned that by disregarding the authentication you clearly lose message authentication, and bit flipping in an AES-CTR encrypted stream is trivial.

You can do what you are proposing if the AES-GCM IV size is 96 bits. AES-GCM also supports longer sizes for IVs, and for those cases you would need GHASH to find the correct IV used by CTR. That having been said, I believe 99% of implementations support only 96-bit IVs for AES-GCM (and rightfully so).

To obtain the CTR IV, just append the value 2 encoded as a 32-bit big-endian integer to the 96-bit GCM IV (equivalently, add in C notation "0x00,0x00,0x00,0x01").

Edited to change the initial counter value from 1 to 2. GCM actually defines the starting counter as starting with 1, but increments it before the first encryption, thus resulting in a 2. Thanks to @TrickyDixon for pointing this out.

Ruggero
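The relationship described in the answer, as an added example that is not part of the original post: it seals a message with AES-GCM, then decrypts it with plain AES-CTR using the 96-bit GCM IV followed by the 32-bit big-endian counter value 2 that the answer's edit note settles on. It uses only the Go standard library; the helper names and the all-zero key and nonce are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func newAES(key []byte) (cipher.Block, error) { return aes.NewCipher(key) }

// ctrIVFromGCMNonce returns nonce || 0x00000002; valid only for 96-bit GCM IVs.
func ctrIVFromGCMNonce(nonce []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, fmt.Errorf("nonce is %d bytes; other sizes are derived through GHASH", len(nonce))
	}
	iv := make([]byte, 16)
	copy(iv, nonce)
	binary.BigEndian.PutUint32(iv[12:], 2)
	return iv, nil
}

// gcmSeal returns ciphertext || 16-byte tag, the layout Go's AEAD interface uses.
func gcmSeal(block cipher.Block, nonce, plaintext []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// ctrDecryptUnauthenticated drops the tag and runs plain AES-CTR; tampering goes unnoticed.
func ctrDecryptUnauthenticated(block cipher.Block, iv, sealed []byte) ([]byte, error) {
	if len(iv) != block.BlockSize() || len(sealed) < 16 {
		return nil, fmt.Errorf("need a 16-byte CTR IV and ciphertext||tag input")
	}
	out := make([]byte, len(sealed)-16)
	cipher.NewCTR(block, iv).XORKeyStream(out, sealed[:len(out)])
	return out, nil
}

func main() {
	block, _ := newAES(make([]byte, 16)) // constructed all-zero key, demo only
	nonce := make([]byte, 12)            // constructed all-zero 96-bit GCM IV
	sealed, _ := gcmSeal(block, nonce, []byte("constructed sample message"))
	iv, _ := ctrIVFromGCMNonce(nonce)
	pt, err := ctrDecryptUnauthenticated(block, iv, sealed)
	fmt.Printf("%q %v\n", pt, err)
}
```

Go's CTR mode increments the whole 16-byte block while GCM increments only the last 32 bits; the two keystreams agree for any message within GCM's length limit, because the 32-bit counter never wraps there.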