FILE SIGNATURES TABLE
6/30/2009
This table of file signatures (aka "magic numbers") is a work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000). Other useful and reasonably current sources are C.E. Codere's File Format site or the magic file commonly available with Linux systems. This table is still growing and contributions are welcome! Comments and queries can be sent to Gary Kessler at kumquat@sover.net.
This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know what a particular file extension refers to, check out some of these sites:
FILExt: The File Extension Source
File Extension Seeker: Metasearch engine for file extensions
fileinfo.net
Wotsit.org, The Programmer's File and Data Format Resource
Dot What!?, The net's #1 file extension website
You might also want to check out Tim Coakley's Filesig.co.uk site, with Filesig Manager (and Simple Carver). Take a look also at Marco Pontello's TrID - File Identifier, a utility designed to identify file types from their binary signatures.
Details on graphics file formats can be found at The Graphics File Formats Page.
Columns for each entry, in order: Hex Signature, ASCII Signature, File Extension, File Description
TGA
Truevision Targa Graphic file
Trailer:
54 52 55 45 56 49 53 49 TRUEVISI
4F 4E 2D 58 46 49 4C 45 ON-XFILE
2E 00 ..
00
.
PIC
IBM Storyboard bitmap file
PIF
Windows Program Information File
YTR
IRIS OCR data file
[11 byte offset]
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
[11 byte offset]
........
........
........
PDB
Palmpilot Database/Document File
00 00 00 nn 66 74 79 70
33 67 70
....ftyp
3gp
3GG, 3G2
3rd Generation Partnership Project 3GPP (nn=0x14)
and 3GPP2 (nn=0x20) multimedia files
00 00 00 18 66 74 79 70
33 67 70 35
....ftyp
3gp5
MP4
MPEG-4 video files
00 00 01 00
....
ICO
Windows icon file
00 00 01 Bx
....
MPEG, MPG
MPEG video file
00 00 02 00
......
CUR
Windows cursor file
WB2
QuattroPro for Windows Spreadsheet file
00 00 02 00 06 04 06 00
08 00 00 00 00 00
........
......
WK1
Lotus 1-2-3 spreadsheet (v1) file
00 00 1A 00 00 10 04 00
00 00 00 00
........
..
WK3
Lotus 1-2-3 spreadsheet (v3) file
00 00 1A 00 02 10 04 00
00 00 00 00
........
..
WK4
Lotus 1-2-3 spreadsheet (v4) file
00 00 49 49 58 50 52 or
..IIXPR
00 00 4D 4D 58 50 52
..MMXPR
QXD
Quark Express document (Intel & Motorola, respectively)
NOTE: It appears that the byte following the 0x52 ("R") is
the language indicator; 0x33 ("3") seems to indicate English
and 0x61 ("a") reportedly indicates Korean.
00 00 FE FF
..þÿ
n/a
Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), big-endian files.
(See the Unicode Home Page.)
[7 byte offset]
00 00 FF FF FF FF
[7 byte offset]
..ÿÿÿÿ
HLP
Windows Help file
00 01 00 00 4D 53 49 53
41 4D 20 44 61 74 61 62
61 73 65
....MSIS
AM Datab
ase
MNY
Microsoft Money file
00 01 00 00 53 74 61 6E
64 61 72 64 20 4A 65 74
20 44 42
....Stan
dard Jet
DB
MDB
Microsoft Access file
00 01 00 08 00 01 00 01
01
........
.
IMG
Ventura Publisher/GEM VDI Image Format Bitmap file
00 01 01
...
FLT
OpenFlight 3D file
00 01 42 41
..BA
ABA
Palm Address Book Archive file
00 01 42 44
..BD
DBA
Palm DateBook Archive file
00 06 15 61 00 00 00 02
00 00 04 D2 00 00 10 00
...a....
...Ò....
DB
Netscape Navigator (v4) database file
00 11 AF
..¯
FLI
FLIC Animation file
00 1E 84 90 00 00 00 00
........
SNM
Netscape Communicator (v4) mail folder
00 5C 41 B1 FF
.\A±ÿ
ENC
Mujahideen Secrets 2 encrypted file
[512 byte offset]
00 6E 1E F0
[512 byte offset]
.n.ð
PPT
PowerPoint presentation subheader (MS Office)
01 00 00 00
....
EMF
Extended (Enhanced) Windows Metafile Format, printer spool file
(0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP)
01 00 00 00 01
.....
PIC
Unknown type picture file
01 10
..
TR1
Novell LANalyzer capture file
01 DA 01 01 00 03
.Ú....
RGB
Silicon Graphics RGB Bitmap
01 FF 02 04 03 02
.ÿ....
DRW
Micrografx vector graphic file
02 64 73 73
.dss
DSS
Digital Speech Standard (Olympus, Grundig, & Philips)
03
.
DAT
MapInfo Native Data Format
DB3
dBASE III file
03 00 00 00
....
QPH
Quicken price history file
03 00 00 00 41 50 50 52
....APPR
ADX
Approach index file
04
.
DB4
dBASE IV data file
07
.
DRW
A common signature and file extension for many drawing
programs.
07 64 74 32 64 64 74 64
.dt2ddtd
DTD
DesignTools 2D Design file
08
.
DB
dBASE IV or dBFast configuration file
[512 byte offset]
09 08 10 00 00 06 05 00
[512 byte offset]
........
XLS
Excel spreadsheet subheader (MS Office)
0A nn 01 01
....
PCX
ZSOFT Paintbrush file
(where nn = 0x02, 0x03, or 0x05)
0C ED
.í
MP
Monochrome Picture TIFF bitmap file (unconfirmed)
0D 44 4F 43
.DOC
DOC
DeskMate Document file
0E 57 4B 53
.WKS
WKS
DeskMate Worksheet
[512 byte offset]
0F 00 E8 03
[512 byte offset]
..è.
PPT
PowerPoint presentation subheader (MS Office)
11 00 00 00 53 43 43 41
....SCCA
PF
Windows prefetch file
1A 00 00
...
NTF
Lotus Notes database template
1A 00 00 04 00 00
......
NSF
Lotus Notes database
1A 0x
..
ARC
LH archive file, old version
(where x = 0x2, 0x3, 0x4, 0x8 or 0x9
for types 1-5, respectively)
1A 0B
..
PAK
Compressed archive file
(often associated with Quake Engine games)
1A 35 01 00
.5..
ETH
GN Nettest WinPharoah capture file
1A 52 54 53 20 43 4F 4D
50 52 45 53 53 45 44 20
49 4D 41 47 45 20 56 31
2E 30 1A
.RTS COM
PRESSED
IMAGE V1
.0.
DAT
Runtime Software disk image
1D 7D
.}
WS
WordStar Version 5.0/6.0 document
1F 8B 08
...
GZ
GZIP archive file
1F 9D 90
...
TAR.Z
Compressed tape archive file
21 12
!.
AIN
AIN Compressed Archive
21 3C 61 72 63 68 3E 0A
!<arch>.
LIB
Unix archiver (ar) files and Microsoft Program Library
Common Object File Format (COFF)
21 42 44 4E
!BDN
PST
Microsoft Outlook Personal Folder file
23 20
#
MSI
Cerius2 file
23 20 4D 69 63 72 6F 73
6F 66 74 20 44 65 76 65
6C 6F 70 65 72 20 53 74
75 64 69 6F
# Micros
oft Deve
loper St
udio
DSP
Microsoft Developer Studio project file
23 21 41 4D 52
#!AMR
AMR
Adaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction)
Codec, commonly audio format with GSM cell phones
24 46 4C 32 40 28 23 29
20 53 50 53 53 20 44 41
54 41 20 46 49 4C 45
$FL2@(#)
SPSS DA
TA FILE
SAV
SPSS Data file
25 21 50 53 2D 41 64 6F
62 65 2D 33 2E 30 20 45
50 53 46 2D 33 20 30
%!PS-Ado
be-3.0 E
PSF-3.0
EPS
Adobe encapsulated PostScript file
(If this signature is not at the immediate
beginning of the file, it will occur early
in the file, commonly at byte offset 30)
25 50 44 46
%PDF
PDF, FDF
Adobe Portable Document Format and Forms Document file
Trailers:
0A 25 25 45 4F 46 0A (.%%EOF.)
0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..)
0D 25 25 45 4F 46 0D (.%%EOF.)
28 54 68 69 73 20 66 69
6C 65 20 6D 75 73 74 20
62 65 20 63 6F 6E 76 65
72 74 65 64 20 77 69 74
68 20 42 69 6E 48 65 78
20
(This fi
le must
be conve
rted wit
h BinHex
HQX
Macintosh BinHex 4 Compressed Archive
2A 2A 2A 20 20 49 6E 73
74 61 6C 6C 61 74 69 6F
6E 20 53 74 61 72 74 65
64 20
*** Ins
tallatio
n Starte
d
LOG
Symantec Wise Installer log file
[2 byte offset]
2D 6C 68
[2 byte offset]
-lh
LHA, LZH
Compressed archive file
2E 52 45 43
.REC
IVR
RealPlayer video file (V11 and later)
2E 52 4D 46
.RMF
RM
RealMedia streaming media file
2E 72 61 FD 00
.ra..
RA
RealMedia streaming media file
2E 73 6E 64
.snd
AU
Sun Microsystems audio file format
30
0
CAT
Microsoft security catalog file
30 00 00 00 4C 66 4C 65
0...LfLe
EVT
Windows Event Viewer file
30 26 B2 75 8E 66 CF 11
A6 D9 00 AA 00 62 CE 6C
0&²u.fÏ.
¦Ù.ª.bÎl
ASF, WMA, WMV
Microsoft Windows Media Audio/Video File
(Advanced Streaming Format)
30 31 4F 52 44 4E 41 4E
43 45 20 53 55 52 56 45
59 20 20 20 20 20 20 20
01ORDNAN
CE SURVE
Y
NTF
National Transfer Format Map File
30 37 30 37 30 nn
07070.
n/a
Archive created with the cpio utility, where nn
values 0x37 ("7"), 0x31 ("1"), and 0x32 ("2") refer to the
standard ASCII format, new ASCII (aka SVR4) format, and CRC
format, respectively. (The swpackage(8) page has additional
information.) (Thanks to F. Webber for this....)
31 BE or
1¾
32 BE
2¾
WRI
Microsoft Write file
34 CD B2 A1
4Í²¡
n/a
Extended tcpdump (libpcap) capture file (Linux/Unix)
37 7A BC AF 27 1C
7z¼¯'.
7Z
7-Zip compressed file
38 42 50 53
8BPS
PSD
Photoshop image file
3C
<
ASX
Advanced Stream redirector file
XDR
BizTalk XML-Data Reduced Schema file
3C 21 64 6F 63 74 79 70
<!doctyp
DCI
AOL HTML mail file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D
<?xml ve
rsion=
MANIFEST
Windows Visual Stylesheet XML file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E
<?xml ve
rsion="1
.0"?>
XUL
XML User Interface Language file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E 0D 0A 3C
4D 4D 43 5F 43 6F 6E 73
6F 6C 65 46 69 6C 65 20
43 6F 6E 73 6F 6C 65 56
65 72 73 69 6F 6E 3D 22
<?xml ve
rsion="1
.0"?>..<
MMC_Cons
oleFile
ConsoleV
ersion="
MSC
Microsoft Management Console Snap-in Control file
[24 byte offset]
3E 00 03 00 FE FF 09 00
06
[24 byte offset]
>...þÿ..
.
WB3
Quattro Pro for Windows 7.0 Notebook file
3F 5F 03 00
?_..
GID
Windows Help index file
HLP
Windows Help file
[32 byte offset]
40 40 40 20 00 00 40 40
40 40
[32 byte offset]
@@@ ..@@
@@
ENL
EndNote Library File
41 43 53 44
ACSD
n/a
Miscellaneous AOL parameter and information files
41 4D 59 4F
AMYO
SYW
Harvard Graphics symbol graphic
41 4F 4C 20 46 65 65 64
62 61 67
AOL Feed
bag
BAG
AOL and AIM buddy list file
41 4F 4C 44 42
AOLDB
ABY, IDX
AOL database files: address book (ABY) and user configuration
data (MAIN.IDX)
41 4F 4C 49 44 58
AOLIDX
IND
AOL client preferences/settings file (MAIN.IND)
41 4F 4C 49 4E 44 45 58
AOLINDEX
ABI
AOL address book index file
41 56 47 36 5F 49 6E 74
65 67 72 69 74 79 5F 44
61 74 61 62 61 73 65
AVG6_Int
egrity_D
atabase
DAT
AVG6 Integrity database file
41 4F 4C 56 4D 31 30 30
AOLVM100
n/a
AOL personal file cabinet (PFC) file
41 72 43 01
ArC.
ARC
FreeArc compressed file
42 45 47 49 4E 3A 56 43
41 52 44 0D 0A
BEGIN:VC
ARD..
VCF
vCard file
42 4C 49 32 32 33 51
BLI223Q
BIN
Thomson Speedtouch series WLAN router firmware
42 4D
BM
BMP, DIB
Windows (or device-independent) bitmap image
42 4F 4F 4B 4D 4F 42 49
BOOKMOBI
PRC
Palmpilot resource file
42 5A 68
BZh
BZ2, TAR.BZ2, TBZ2, TB2
bzip2 compressed archive
43 42 46 49 4C 45
CBFILE
CBD
WordPerfect dictionary file (unconfirmed)
43 44 30 30 31
CD001
ISO
ISO-9660 CD Disc Image
(This signature usually occurs at byte 8001, 8801, or 9001.)
43 4F 4D 2B
COM+
CLB
COM+ Catalog file
43 52 45 47
CREG
DAT
Windows 9x registry hive
43 52 55 53 48 20 76
CRUSH v
CRU
Crush compressed archive
43 57 53
CWS
SWF
Shockwave Flash file (v5+)
43 61 74 61 6C 6F 67 20
33 2E 30 30 00
Catalog
3.00.
CTF
WhereIsIt Catalog file
43 6C 69 65 6E 74 20 55
72 6C 43 61 63 68 65 20
4D 4D 46 20 56 65 72 20
Client U
rlCache
MMF Ver
DAT
IE History DAT file
44 42 46 48
DBFH
DB
Palm Zire photo database
44 4D 53 21
DMS!
DMS
Amiga DiskMasher compressed archive
44 4F 53
DOS
ADF
Amiga disk file
45 4E 54 52 59 56 43 44
02 00 00 01 02 00 18 58
ENTRYVCD
.......X
VCD
VideoVCD (GNU VCDImager) file
45 52 46 53 53 41 56 45
44 41 54 41 46 49 4C 45
ERFSSAVE
DATAFILE
DAT
Kroll EasyRecovery Saved Recovery State file
45 56 46
EVF
Enn (where nn are numbers)
EnCase evidence file
46 41 58 43 4F 56 45 52
2D 56 45 52
FAXCOVER
-VER
CPE
Microsoft Fax Cover Sheet
46 45 44 46
FEDF
SBV
(Unknown file type)
46 4C 56
FLV
SWF
Flash video file
46 4F 52 4D 00
FORM.
AIFF
Audio Interchange File
46 57 53
FWS
SWF
Shockwave Flash file
46 72 6F 6D 20 20 20 or
From
46 72 6F 6D 20 3F 3F 3F or
From ???
46 72 6F 6D 3A 20
From:
EML
A common file extension for e-mail files. Signatures shown here
are for Netscape, Eudora, and a generic signature, respectively.
EML is also used by Outlook Express and QuickMail.
47 46 31 50 41 54 43 48
GF1PATCH
PAT
Advanced Gravis Ultrasound patch file
47 49 46 38 37 61 or
GIF87a
47 49 46 38 39 61
GIF89a
GIF
Graphics interchange format file
Trailer: 00 3B (.;)
47 50 41 54
GPAT
PAT
GIMP (GNU Image Manipulation Program) pattern file
47 58 32
GX2
GX2
Show Partner graphics file (not confirmed)
48 48 47 42 31
HHGB1
SH3
Harvard Graphics presentation file
49 20 49
I I
TIF, TIFF
Tagged Image File Format file
49 44 33
ID3
MP3
MPEG-1 Audio Layer 3 (MP3) audio file
49 49 2A 00
II*.
TIF, TIFF
Tagged Image File Format file (little
endian, i.e., LSB first in the byte; Intel)
49 53 63 28
ISc(
CAB
Install Shield v5.x or 6.x compressed file
49 54 53 46
ITSF
CHM
Microsoft HTML Help Compiled Help File
49 6E 6E 6F 20 53 65 74
75 70 20 55 6E 69 6E 73
74 61 6C 6C 20 4C 6F 67
20 28 62 29
Inno Set
up Unins
tall Log
(b)
DAT
Inno Setup Uninstall Log file
4A 41 52 43 53 00
JARCS.
JAR
JARCS compressed archive
4A 47 03 0E 00 00 00 or
JG.....
4A 47 04 0E 00 00 00
JG.....
ART
AOL ART file
4C 00 00 00 01 14 02 00
L.......
LNK
Windows shortcut file
4C 01
L.
OBJ
Microsoft Common Object File Format (COFF) relocatable
object code file for an Intel 386 or later/compatible processors
4C 4E 02 00
LN..
HLP
Windows Help file
4D 49 4C 45 53
MILES
MLS
Milestones v1.0 project management and scheduling software
(Also see "MV2C" and "MV214" signatures)
4D 4C 53 57
MLSW
MLS
Skype localization data file
4D 4D 00 2A
MM.*
TIF, TIFF
Tagged Image File Format file (big
endian, i.e., LSB last in the byte; Motorola)
4D 4D 00 2B
MM.+
TIF, TIFF
BigTIFF files; Tagged Image File Format files >4 GB
4D 4D 4D 44 00 00
MMMD..
MMF
Yamaha Corp. Synthetic music Mobile Application Format (SMAF)
for multimedia files that can be played on hand-held devices.
4D 53 43 46
MSCF
CAB
Microsoft cabinet file
PPZ
Powerpoint Packaged Presentation
SNP
Microsoft Access Snapshot Viewer file
4D 53 46 54 02 00 01 00
MSFT....
TLB
OLE, SPSS, or Visual C++ type library file
4D 53 5F 56 4F 49 43 45
MS_VOICE
CDR, DVF
Sony Compressed Voice File
MSV
Sony Memory Stick Compressed Voice file
4D 54 68 64
MThd
MID, MIDI
Musical Instrument Digital Interface (MIDI) sound file
4D 56
MV
DSN
CD Stomper Pro label file
4D 56 32 31 34
MV214
MLS
Milestones v2.1b project management and scheduling software
(Also see "MILES" and "MV2C" signatures)
4D 56 32 43
MV2C
MLS
Milestones v2.1a project management and scheduling software
(Also see "MILES" and "MV214" signatures)
4D 5A
MZ
COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS
Windows/DOS executable file
ACM
MS audio compression manager driver
AX
Library cache file
CPL
Control panel application
FON
Font file
OCX
ActiveX or OLE Custom Control
OLB
OLE object library
SCR
Screen saver
VBX
VisualBASIC application
VXD, 386
Windows virtual device drivers
4D 5A 90 00 03 00 00 00
MZ......
API
Acrobat plug-in
AX
DirectShow filter
FLT
Audition graphic filter file (Adobe)
4D 5A 90 00 03 00 00 00
04 00 00 00 FF FF
MZ......
....ÿÿ
ZAP
ZoneAlarm data file
4D 69 63 72 6F 73 6F 66
74 20 56 69 73 75 61 6C
20 53 74 75 64 69 6F 20
53 6F 6C 75 74 69 6F 6E
20 46 69 6C 65
Microsof
t Visual
Studio
Solution
File
SLN
Visual Studio .NET Solution file
[84 byte offset]
4D 69 63 72 6F 73 6F 66
74 20 57 69 6E 64 6F 77
73 20 4D 65 64 69 61 20
50 6C 61 79 65 72 20 2D
2D 20
[84 byte offset]
Microsof
t Window
s Media
Player -
-
WPL
Windows Media Player playlist
4E 41 56 54 52 41 46 46
49 43
NAVTRAFF
IC
DAT
TomTom traffic data file
4E 45 53 4D 1A 01
NESM..
NSF
NES Sound file
4E 49 54 46 30
NITF0
NTF
National Imagery Transmission Format (NITF) file
4E 61 6D 65 3A 20
Name:
COD
Agent newsreader character map file
4F 50 4C 44 61 74 61 62
61 73 65 46 69 6C 65
OPLDatab
aseFile
DBF
Psion Series 3 Database file
4F 67 67 53 00 02 00 00
00 00 00 00 00 00
OggS....
......
OGA, OGG, OGV, OGX
Ogg Vorbis Codec compressed Multimedia file
4F 7B
O{
DW4
Visio/DisplayWrite 4 text file (unconfirmed)
50 00 00 00 20 00 00 00
P... ...
IDX
Quicken QuickFinder Information File
50 35 0A
P5.
PGM
Portable Graymap Graphic
50 41 43 4B
PACK
PAK
Quake archive file
50 45 53 54
PEST
DAT
PestPatrol data/scan strings
50 49 43 54 00 08
PICT..
IMG
ADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file
50 4B 03 04
PK..
ZIP
PKZIP archive file (Ref. 1 | Ref. 2)
Trailer: filename 50 4B 17 characters 00 00 00
Trailer: (filename PK 17 characters ...)
DOCX, PPTX, XLSX
Microsoft Office Open XML Format Document
JAR
Java archive; compressed file package for classes and data
SXC, SXD, SXI, SXW
OpenOffice spreadsheet, drawing, presentation, and text files
WMZ
Windows Media compressed skin file
XPI
Mozilla Browser Archive
XPT
eXact Packager Models
50 4B 03 04 14 00 06 00
PK......
DOCX, PPTX, XLSX
Office 2007 documents
50 4B 03 04 14 00 08 00
08 00
PK......
..
JAR
Java archive
[30 byte offset]
50 4B 4C 49 54 45
[30 byte offset]
PKLITE
ZIP
PKLITE compressed ZIP archive (see also PKZIP)
[526 byte offset]
50 4B 53 70 58
[526 byte offset]
PKSFX
ZIP
PKSFX self-extracting executable compressed file (see also PKZIP)
50 4D 43 43
PMCC
GRP
Windows Program Manager group file
50 4E 43 49 55 4E 44 4F
PNCIUNDO
DAT
Norton Disk Doctor undo file
[92 byte offset]
51 45 4C 20
[92 byte offset]
QEL
QEL
Quicken data file
51 46 49 FB
QFI.
IMG
QEMU Qcow Disk Image
51 57 20 56 65 72 2E 20
QW Ver.
ABD, QSD
Quicken data file
52 41 5A 41 54 44 42 31
RAZATDB1
DAT
Shareaza (Windows P2P client) thumbnail
52 45 47 45 44 49 54
REGEDIT
REG, SUD
Windows NT Registry and Registry Undo files
52 45 56 4E 55 4D 3A 2C
REVNUM:,
ADF
Antenna data file
52 49 46 46
RIFF
ANI
Windows animated cursor
DAT
Video CD MPEG or MPEG1 movie file
DS4
Micrografx Designer v4 graphic file
52 49 46 46 xx xx xx xx
41 56 49 20 4C 49 53 54
RIFF....
AVI LIST
AVI
Resource Interchange File Format -- Windows Audio
Video Interleave file
52 49 46 46 xx xx xx xx
43 44 44 41 66 6D 74 20
RIFF....
CDDAfmt
CDA
Resource Interchange File Format -- Compact Disc
Digital Audio (CD-DA) file
52 49 46 46 xx xx xx xx
51 4C 43 4D 66 6D 74 20
RIFF....
QLCMfmt
QCP
Resource Interchange File Format -- Qualcomm
PureVoice
52 49 46 46 xx xx xx xx
52 4D 49 44 64 61 74 61
RIFF....
RMIDdata
RMI
Resource Interchange File Format -- Windows Musical
Instrument Digital Interface file
52 49 46 46 xx xx xx xx
57 41 56 45 66 6D 74 20
RIFF....
WAVEfmt
WAV
Resource Interchange File Format -- Audio for
Windows file
52 54 53 53
RTSS
CAP
Windows NT Netmon capture file
52 61 72 21 1A 07 00
Rar!...
RAR
WinRAR compressed archive file
53 43 48 6C
SCHl
AST
Need for Speed: Underground Audio file
53 43 4D 49
SCMI
IMG
Img Software Set Bitmap
53 48 4F 57
SHOW
SHW
Harvard Graphics DOS Ver. 2/x Presentation file
53 49 45 54 52 4F 4E 49
43 53 20 58 52 44 20 53
43 41 4E
SIETRONI
CS XRD S
CAN
CPI
Sietronics CPI XRD document
53 49 54 21 00
SIT!.
SIT
StuffIt compressed archive
53 4D 41 52 54 44 52 57
SMARTDRW
SDR
SmartDraw Drawing file
53 51 4C 4F 43 4F 4E 56
48 44 00 00 31 2E 30 00
SQLOCONV
HD..1.0.
CNV
DB2 conversion file
53 6D 62 6C
Smbl
SYM
(Unconfirmed file type. Likely type is Harvard Graphics
Version 2.x graphic symbol or Windows SDK graphic symbol)
53 74 75 66 66 49 74 20
28 63 29 31 39 39 37 2D
StuffIt
(c)1997-
SIT
StuffIt compressed archive
54 68 69 73 20 69 73 20
This is
INFO
UNIX GNU Info Reader File
55 43 45 58
UCEX
UCE
Unicode extensions
55 46 41 C6 D2 C1
UFAÆÒÁ
UFA
UFA compressed archive
55 46 4F 4F 72 62 69 74
UFOOrbit
DAT
UFO Capture v2 map file
56 43 50 43 48 30
VCPCH0
PCH
Visual C PreCompiled header file
56 45 52 53 49 4F 4E 20
VERSION
CTL
Visual Basic User-defined Control file
57 4D 4D 50
WMMP
DAT
Walkman MP3 container file
57 53 32 30 30 30
WS2000
WS2
WordStar for Windows Ver. 2 document
[29,152 byte offset]
57 69 6E 5A 69 70
[29,152 byte offset]
WinZip
ZIP
WinZip compressed archive
58 43 50 00
XCP.
CAP
Cinco NetXRay, Network General Sniffer, and
Network Associates Sniffer capture file
58 50 43 4F 4D 0A 54 79
70 65 4C 69 62
XPCOM.Ty
peLib
XPT
XPCOM type libraries for the XPIDL compiler
58 54
XT..
BDR
MS Publisher border
5A 4F 4F 20
ZOO
ZOO
ZOO compressed archive
5B 47 65 6E 65 72 61 6C
5D 0D 0A 44 69 73 70 6C
61 79 20 4E 61 6D 65 3D
3C 44 69 73 70 6C 61 79
4E 61 6D 65
[General
]..Displ
ay Name=
<Display
Name
ECF
MS Exchange 2007 extended configuration file
5B 4D 53 56 43
[MSVC
VCW
Microsoft Visual C++ Workbench Information File
5B 50 68 6F 6E 65 5D
[Phone]
DUN
Dial-up networking file (unconfirmed)
5B 56 45 52 5D 0D 0A 09 or
[VER]...
5B 76 65 72 5D 0D 0A 09 or
[ver]...
SAM
AMI Pro document
[2 byte offset]
5B 56 65 72 73 69 6F 6E
[2 byte offset]
[Version
CIF
(Unknown file type)
5B 57 69 6E 64 6F 77 73
20 4C 61 74 69 6E 20
[Windows
Latin
CPX
Microsoft Code Page Translation file
5B 66 6C 74 73 69 6D 2E
30 5D
[fltsim.
0]
CFG
Flight Simulator Aircraft Configuration file
5F 43 41 53 45 5F
_CASE_
CAS, CBK
EnCase case file (and backup)
60 EA
`ê
ARJ
Compressed archive file
62 65 67 69 6E
begin
n/a
UUencoded files start with a string:
begin mode path
where mode is the set of permissions as used in
Linux/Unix and path is the name given to the decoded
file. (See this uuencode page for more information.)
63 75 73 68 00 00 00 02
00 00 00
cush....
...
CSH
Photoshop Custom Shape
64 00 00 00
d...
P10
Intel PROset/Wireless Profile
64 73 77 66 69 6C 65
dswfile
DSW
Microsoft Visual Studio workspace file
66 4C 61 43 00 00 00 22
fLaC..."
FLAC
Free Lossless Audio Codec file
6C 33 33 6C
l33l
DBB
Skype user data file (profile and contacts)
[4 byte offset]
6D 6F 6F 76
[4 byte offset]
moov
MOV
QuickTime movie file
.MOV files have a complicated file signature. The string "moov" is the most common but I have also seen:
0x66-72-65-65 free
0x6D-64-61-74 mdat
0x77-69-64-65 wide
And the following have been reported to me:
0x70-6E-6F-74 pnot
0x73-6B-69-70 skip
Furthermore, if you look at byte position xxxxxxxx+4 (hex), you will find one (or more!) of these strings repeated;
the string "free" seems to be the most common. (Thanks to D. Wright for getting me started on this!)
72 65 67 66
regf
DAT
Windows registry hive file
72 74 73 70 3A 2F 2F
rtsp://
RAM
RealMedia metafile
73 6C 68 21 or
slh!
73 6C 68 2E
slh.
DAT
Allegro Generic Packfile Data file (0x21 = compressed,
0x2E = uncompressed)
73 72 63 64 6F 63 69 64
3A
srcdocid
:
CAL
CALS raster bitmap file
73 7A 65 7A
szez
PDB
PowerBASIC Debugger Symbols file
[60 byte offset]
74 42 4D 50 4B 6E 57 72
[60 byte offset]
tBMPKnWr
PRC
PathWay Map file, used with GPS devices
[257 byte offset]
75 73 74 61 72
[257 byte offset]
ustar
TAR
Tape Archive file (http://www.mkssoftware.com/docs/man4/tar.4.asp)
76 32 30 30 33 2E 31 30
0D 0A 30 0D 0A
v2003.10
..0..
FLT
Qimage filter
78
x
DMG
Mac OS X Disk Copy Disk Image file
7A 62 65 78
zbex
INFO
ZoomBrowser Image Index file (ZbThumbnail.info)
7B 0D 0A 6F 20
{..o
LGC, LGD
Windows application log
7B 5C 72 74 66 31
{\rtf1
RTF
Rich text format word processing file
Trailer: 5C 70 61 72 20 7D 7D (\par }})
7E 42 4B 00
~BK.
PSP
Corel Paint Shop Pro image file
7F 45 4C 46
.ELF
n/a
Executable and Linking Format executable file (Linux/Unix)
80
.
OBJ
Relocatable object code
80 00 00 20 03 12 04
.......
ADX
Dreamcast audio file
81 CD AB
.Í«
WPF
WordPerfect text file
89 50 4E 47 0D 0A 1A 0A
.PNG....
PNG
Portable Network Graphics file
8A 01 09 00 00 00 E1 08
00 00 99 19
......á.
....
AW
MS Answer Wizard file
91 33 48 46
'3HF
HAP
Hamarsoft HAP 3.x compressed archive
95 00 or
..
95 01
..
SKR
PGP secret keyring file
99 01
..
PKR
PGP public keyring file
9C CB CB 8D 13 75 D2 11
91 58 00 C0 4F 79 56 A4
.ËË..uÒ.
.X.ÀOyV¤
WAB
Outlook address file
[512 byte offset]
A0 46 1D F0
[512 byte offset]
F.ð
PPT
PowerPoint presentation subheader (MS Office)
A1 B2 C3 D4
¡²ÃÔ
n/a
tcpdump (libpcap) capture file (Linux/Unix)
A1 B2 CD 34
¡²Í4
n/a
Extended tcpdump (libpcap) capture file (Linux/Unix)
A9 0D 00 00 00 00 00 00
©.......
DAT
Access Data FTK evidence file
AC 9E BD 8F 00 00
¬.½...
QDF
Quicken data file
B1 68 DE 3A
±hÞ:
DCX
Graphics Multipage PCX bitmap file
B5 A2 B0 B3 B3 B0 A5 B5
µ¢°³³°¥µ
CAL
(Unknown file type...)
BE 00 00 00 AB 00 00 00
00 00 00 00 00
¾...«...
....
WRI
MS Write file
C3 AB CD AB
Ã«Í«
ACS
MS Agent Character file
C5 D0 D3 C6
ÅÐÓÆ
EPS
Adobe encapsulated PostScript file
CA FE BA BE
Êþº¾
CLASS
Java bytecode file
CD 20 AA AA 02 00 00 00
Í ªª....
n/a
Norton Anti-Virus quarantined virus file
CF 11 E0 A1 B1 1A E1 00
Ï.à¡±.á.
DOC
Perfect Office document
[Note similarity to MS Office header, below]
CF AD 12 FE
Ï.þ
DBX
Outlook Express e-mail folder
D0 CF 11 E0 A1 B1 1A E1
ÐÏ.à¡±.á
DOC, DOT, PPS, PPT, XLA, XLS, WIZ
Microsoft Office applications (Word, Powerpoint, Excel, Wizard)
[See also Word, Powerpoint, and Excel "subheaders" at byte offset 512]
AC_
CaseWare Working Papers compressed client file
ADP
Access project file
APR
Lotus/IBM Approach 97 file
DB
MSWorks database file
MSC
Microsoft Common Console Document
MSI
Microsoft Installer package
MTW
Minitab data file
OPT
Developer Studio File Workspace Options file
PUB
MS Publisher file
SOU
Visual Studio Solution User Options file
SPO
SPSS output file
VSD
Visio file
WPS
MSWorks text document
D2 0A 00 00
Ò...
FTR
GN Nettest WinPharoah filter file
D4 2A
Ô*
ARL, AUT
AOL history (ARL) and typed URL (AUT) files
D4 C3 B2 A1
ÔÃ²¡
n/a
WinDump (winpcap) capture file (Windows)
D7 CD C6 9A
×ÍÆ.
WMF
Windows graphics metafile
DC DC
ÜÜ
CPL
Corel color palette file
DC FE
Üþ
EFX
eFax file format
E3 10 00 01 00 00 00 00
ã.......
INFO
Amiga Icon file
E3 82 85 96
ã...
PWL
Windows password file
E8 or
è
E9 or
é
EB
ë
COM, SYS
Windows executable file
EB 3C 90 2A
ë<.*
IMG
GEM Raster file
[512 byte offset]
EC A5 C1 00
[512 byte offset]
ì¥Á.
DOC
Word document subheader (MS Office)
ED AB EE DB
í«îÛ
RPM
RedHat Package Manager file
EF BB BF
ï»¿
n/a
Byte-order mark for 8-bit Unicode Transformation Format
(UTF-8) files. (See the Unicode Home Page.)
[512 byte offset]
FD FF FF FF 04
[512 byte offset]
ýÿÿÿ.
SUO
Visual Studio Solution User Options subheader (MS Office)
[512 byte offset]
FD FF FF FF nn 00 00 00
[512 byte offset]
ýÿÿÿ....
PPT
PowerPoint presentation subheader (MS Office)
(where nn has been seen with values 0x0E, 0x1C, and 0x43)
[512 byte offset]
FD FF FF FF nn 02
[512 byte offset]
ýÿÿÿ..
XLS
Excel spreadsheet subheader (MS Office)
(where nn = 0x10, 0x22, 0x23, 0x28, or 0x29)
[512 byte offset]
FD FF FF FF 20 00 00 00
[512 byte offset]
ýÿÿÿ ...
OPT
Developer Studio File Workspace Options subheader (MS Office)
XLS
Excel spreadsheet subheader (MS Office)
[512 byte offset]
FD FF FF FF xx xx xx xx
xx xx xx xx 04 00 00 00
[512 byte offset]
ýÿÿÿ....
........
DB
Thumbs.db subheader (MS Office)
FE FF
þÿ
n/a
Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), little-endian files.
(See the Unicode Home Page.)
FF
ÿ
SYS
Windows executable (SYS) file
FF 00 02 00 04 04 05 54
02 00
ÿ......T
..
WKS
Works for Windows spreadsheet file
FF 46 4F 4E 54
ÿFONT
CPI
Windows international code page
FF 4B 45 59 42 20 20 20
ÿKEYB
SYS
Keyboard driver file
FF 57 50 43
ÿWPC
WP, WPD, WPG, WP5
WordPerfect text and graphics file
FF D8 FF E0 xx xx 4A 46
49 46 00
ÿØÿà..JF
IF.
JFIF, JPE, JPEG, JPG
JPEG/JFIF graphics file
Trailer: FF D9 (..)
FF D8 FF E1 xx xx 45 78
69 66 00
ÿØÿá..Ex
if.
JPG
Digital camera JPG using Exchangeable Image File Format (EXIF)
Trailer: FF D9 (..)
See "Using Extended File Information (EXIF) File Headers in Digital
Evidence Analysis" (P. Alvarez, IJDE, 2(3), Winter 2004)
FF D8 FF E8 xx xx 53 50
49 46 46 00
ÿØÿè..SP
IFF.
JPG
Still Picture Interchange File Format (SPIFF)
Trailer: FF D9 (..)
NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three bytes 0xFF-D8-FF. The fourth byte is also indicative of JPEG content. Various options include:
0xFF-D8-FF-E0 — Shown above. Standard JPEG/JFIF file.
0xFF-D8-FF-E1 — Shown above. Standard JPEG/Exif file.
0xFF-D8-FF-E2 — Canon EOS-1D JPEG file.
0xFF-D8-FF-E3 — Samsung D500 JPEG file.
0xFF-D8-FF-DB — Samsung D807 JPEG file.
0xFF-D8-FF-E8 — Shown above. Still Picture Interchange File Format (SPIFF).
FF Ex
ÿ.
FF Fx
ÿ.
MPEG, MPG, MP3
MPEG audio file frame synch pattern
FF FE
ÿþ
REG
Windows Registry file
n/a
Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), big-endian files.
(See the Unicode Home Page.)
FF FE 00 00
ÿþ..
n/a
Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), little-endian files.
(See the Unicode Home Page.)
FF FE 23 00 6C 00 69 00
6E 00 65 00 20 00 31 00
ÿþ#.l.i.
n.e. .1.
MOF
Windows MSinfo file
FF FF FF FF
ÿÿÿÿ
SYS
DOS system driver
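The table's conventions (a byte offset in brackets, "xx"/"nn" for a byte that varies, and an optional trailer) can be applied mechanically when triaging files. The following Python is an added example, not part of the original table or of any tool it mentions: it copies a few rows from the table, returns every matching row ranked by how many fixed bytes matched (since a magic number only generally indicates a type), and flags a file whose extension is not listed for any matching signature. The function names and the sample byte strings are constructed for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple


class Sig(NamedTuple):
    pattern: str            # hex bytes as printed in the table; "xx"/"nn" = any byte
    offset: int             # "[N byte offset]" from the table, 0 if none is given
    exts: Tuple[str, ...]   # extensions the table lists for the signature
    desc: str
    trailer: str = ""       # trailer bytes, where the table gives one


# Rows copied from the table above (a small subset).
SIGNATURES = [
    Sig("FF D8 FF E0 xx xx 4A 46 49 46 00", 0, ("JFIF", "JPE", "JPEG", "JPG"),
        "JPEG/JFIF graphics file", "FF D9"),
    Sig("FF D8 FF E1 xx xx 45 78 69 66 00", 0, ("JPG",),
        "Digital camera JPG using EXIF", "FF D9"),
    Sig("47 49 46 38 39 61", 0, ("GIF",), "Graphics interchange format file", "00 3B"),
    Sig("52 49 46 46", 0, ("ANI", "DAT", "DS4"), "RIFF container"),
    Sig("52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20", 0, ("WAV",),
        "RIFF -- Audio for Windows file"),
    Sig("75 73 74 61 72", 257, ("TAR",), "Tape Archive file"),
    Sig("D0 CF 11 E0 A1 B1 1A E1", 0,
        ("DOC", "DOT", "PPS", "PPT", "XLA", "XLS", "WIZ"), "Microsoft Office applications"),
    Sig("EC A5 C1 00", 512, ("DOC",), "Word document subheader (MS Office)"),
    Sig("4D 5A", 0, ("COM", "DLL", "DRV", "EXE", "PIF", "QTS", "QTX", "SYS"),
        "Windows/DOS executable file"),
]


def _compile(pattern: str) -> List[Optional[int]]:
    """Turn 'FF D8 xx' into [0xFF, 0xD8, None]; None is a wildcard byte."""
    return [None if tok.lower() in ("xx", "nn") else int(tok, 16)
            for tok in pattern.split()]


def _match_at(data: bytes, pat: List[Optional[int]], offset: int) -> bool:
    """True if every fixed byte of pat equals the data byte at offset + i."""
    if offset + len(pat) > len(data):
        return False  # buffer too short to hold the signature at that offset
    return all(p is None or data[offset + i] == p for i, p in enumerate(pat))


def identify(data: bytes) -> List[Sig]:
    """Return every matching row, most specific (most fixed bytes) first."""
    hits = []
    for sig in SIGNATURES:
        pat = _compile(sig.pattern)
        if _match_at(data, pat, sig.offset):
            hits.append((sum(p is not None for p in pat), sig))
    hits.sort(key=lambda h: -h[0])  # stable: ties keep table order
    return [sig for _, sig in hits]


def trailer_ok(data: bytes, sig: Sig) -> Optional[bool]:
    """None if the row has no trailer; otherwise whether data ends with it."""
    if not sig.trailer:
        return None
    return data.endswith(bytes.fromhex(sig.trailer))


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a signature matches but no matching row lists the extension."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    hits = identify(data)
    return bool(hits) and all(ext not in s.exts for s in hits)


# Constructed sample inputs (not real files).
SAMPLE_JFIF = (bytes.fromhex("FF D8 FF E0 00 10 4A 46 49 46 00") + bytes(8)
               + bytes.fromhex("FF D9"))
SAMPLE_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + bytes(16)
SAMPLE_TAR = bytes(257) + b"ustar" + bytes(250)
SAMPLE_DOC = (bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1") + bytes(504)
              + bytes.fromhex("EC A5 C1 00"))
SAMPLE_MZ = b"MZ" + bytes(62)

if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_JFIF), ("sound.wav", SAMPLE_WAV),
                       ("backup.tar", SAMPLE_TAR), ("report.doc", SAMPLE_DOC),
                       ("invoice.pdf", SAMPLE_MZ)]:
        rows = [s.desc for s in identify(blob)]
        print(name, rows, "MISMATCH" if extension_mismatch(name, blob) else "ok")
```

A two-byte match such as "4D 5A" is weak evidence on its own, which is why the rows are ranked by the number of fixed bytes rather than returned as a single answer.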
The following individuals have given me updates or suggestions for this list over the last couple of years: Devon Ackerman, Vladimir Benko, Sam Brothers, Per Christensson, Jeffrey Duggan, George Harpur, Brian High, Bill Kuhns, Anand Mani, Kevin Mansell, Bruce Modick, Mike Sutton, Franklin Webber, and David Wright. I thank them and apologize if I have missed anyone.
I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite, primarily for the "subheaders" for many of the file types here.
Tuesday, September 8, 2009