Tuesday, February 5, 2013


FILE SIGNATURES TABLE

21 October 2012


This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.
This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know to what a particular file extension refers, check out some of these sites:
Some useful additional information:




Hex Signature   ASCII Signature
File Extension   File Description
TGATruevision Targa Graphic file
Trailer:
54 52 55 45 56 49 53 49   TRUEVISI
4F 4E 2D 58 46 49 4C 45   ON-XFILE
2E 00                     ..
00.
PICIBM Storyboard bitmap file
MOVApple QuickTime movie file
PIFWindows Program Information File
SEAMac Stuffit Self-Extracting Archive
YTRIRIS OCR data file
[11 byte offset]
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
[11 byte offset]
........
........
........
PDBPalmpilot Database/Document File
[512 byte offset]
00 00 00 00 00 00 00 00
[512 byte offset]
........
RVTRevit Project File subheader
00 00 00 0C 6A 50 20 20
0D 0A
....jP
..
JP2Various JPEG-2000 image file formats
00 00 00 nn 66 74 79 70
33 67 70
....ftyp
3gp
3GG, 3GP, 3G23rd Generation Partnership Project 3GPP (nn=0x14)
and 3GPP2 (nn=0x20) multimedia files
00 00 00 14 66 74 79 70
69 73 6F 6D
....ftyp
isom
MP4ISO Base Media file (MPEG-4) v1
00 00 00 14 66 74 79 70
71 74 20 20
....ftyp
qt
MOVQuickTime movie file
00 00 00 18 66 74 79 70
33 67 70 35
....ftyp
3gp5
MP4MPEG-4 video files
00 00 00 18 66 74 79 70
6D 70 34 32
....ftyp
mp42
M4VMPEG-4 video/QuickTime file
00 00 00 1C 66 74 79 70
4D 53 4E 56 01 29 00 46
4D 53 4E 56 6D 70 34 32
....ftyp
MSNV.).F
MSNVmp42
MP4MPEG-4 video file
00 00 00 20 66 74 79 70
4D 34 41 20
... ftyp
M4A
M4AApple Lossless Audio Codec file
00 00 01 00....
ICOWindows icon file
SPLWindows NT/2000/XP printer spool file
00 00 01 Bx....
MPEG, MPGMPEG video file
Trailer:
00 00 01 B7 (...·)
00 00 01 BA....º
MPG, VOBDVD Video Movie File (video/dvd, video/mpeg) or DVD MPEG2
Trailer:
00 00 01 B9 (...¹)
00 00 02 00......
CURWindows cursor file
WB2QuattroPro for Windows Spreadsheet file
00 00 02 00 06 04 06 00
08 00 00 00 00 00
........
......
WK1Lotus 1-2-3 spreadsheet (v1) file
00 00 1A 00 00 10 04 00
00 00 00 00
........
....
WK3Lotus 1-2-3 spreadsheet (v3) file
00 00 1A 00 02 10 04 00
00 00 00 00
........
....
WK4, WK5Lotus 1-2-3 spreadsheet (v4, v5) file
00 00 1A 00 05 10 04.......
123Lotus 1-2-3 spreadsheet (v9) file
00 00 49 49 58 50 52 or..IIXPR
00 00 4D 4D 58 50 52..MMXPR
QXDQuark Express document (Intel & Motorola, respectively)
NOTE: It appears that the byte following the 0x52 ("R") is
the language indicator; 0x33 ("3") seems to indicate English
and 0x61 ("a") reportedly indicates Korean.
00 00 FE FF..þÿ
n/aByte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), big-endian files.
(See the Unicode Home Page.)
[6 byte offset]
00 00 FF FF FF FF
[6 byte offset]
..ÿÿÿÿ
HLPWindows Help file
00 01 00 00 4D 53 49 53
41 4D 20 44 61 74 61 62
61 73 65
....MSIS
AM Datab
ase
MNYMicrosoft Money file
00 01 00 00 53 74 61 6E
64 61 72 64 20 41 43 45
20 44 42
....Stan
dard ACE
 DB
ACCDBMicrosoft Access 2007 file
00 01 00 00 53 74 61 6E
64 61 72 64 20 4A 65 74
20 44 42
....Stan
dard Jet
 DB
MDBMicrosoft Access file
00 01 00 08 00 01 00 01
01
........
.
IMGVentura Publisher/GEM VDI Image Format Bitmap file
00 01 01...
FLTOpenFlight 3D file
00 01 42 41..BA
ABAPalm Address Book Archive file
00 01 42 44..BD
DBAPalm DateBook Archive file
00 06 15 61 00 00 00 02
00 00 04 D2 00 00 10 00
...a....
...Ò....
DBNetscape Navigator (v4) database file
00 11 AF..¯
FLIFLIC Animation file
00 14 00 00 01 02 xx xx
03
........
.
n/aBIOS details in RAM images
00 1E 84 90 00 00 00 00..„.....
SNMNetscape Communicator (v4) mail folder
00 5C 41 B1 FF.\A±ÿ
ENCMujahideen Secrets 2 encrypted file
00 BF.¿
SOLAdobe Flash shared object file (e.g., Flash cookies)
[512 byte offset]
00 6E 1E F0
[512 byte offset]
.n.ð
PPTPowerPoint presentation subheader (MS Office)
00 FF FF FF FF FF FF FF
FF FF FF 00 00 02 00 01
.ÿÿÿÿÿÿÿ
ÿÿÿ.....
MDFAlcohol 120% CD image
01 00 00 00....
EMFExtended (Enhanced) Windows Metafile Format, printer spool file
(0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP)
01 00 00 00 01.....
PICUnknown type picture file
01 00 09 00 00 03......
WMFWindows Metadata file (Win 3.x format)
01 00 39 30..90
FDB, GDBFirebird and Interbase database files, respectively. See
IBPhoenix for more information.
01 0F 00 00....
MDFMicrosoft SQL Server 2000 database
01 10..
TR1Novell LANalyzer capture file
01 DA 01 01 00 03.Ú....
RGBSilicon Graphics RGB Bitmap
01 FF 02 04 03 02.ÿ....
DRWMicrografx vector graphic file
02 64 73 73.dss
DSS   Digital Speech Standard (Olympus, Grundig, & Philips)
03.
DATMapInfo Native Data Format
DB3dBASE III file
03 00 00 00....
QPHQuicken price history file
03 00 00 00 41 50 50 52....APPR
ADXApproach index file
04.
DB4dBASE IV data file
04 00 00 00 xx xx xx xx
xx xx xx xx 20 03 00 00
 or
........
.... ...
05 00 00 00 xx xx xx xx
xx xx xx xx 20 03 00 00
........
.... ...
n/aINFO2 Windows recycle bin file. NOTE: Bytes 12-13
indicate the size of each INFO2 record; the most common
value is 0x02-03 (0x0320 = 800 bytes).
07.
DRWA common signature and file extension for many drawing
programs.
07 53 4B 46.SKF
SKFSkinCrafter skin file
07 64 74 32 64 64 74 64.dt2ddtd
DTDDesignTools 2D Design file
08.
DBdBASE IV or dBFast configuration file
[512 byte offset]
09 08 10 00 00 06 05 00
[512 byte offset]
........
XLSExcel spreadsheet subheader (MS Office)
0A nn 01 01....
PCXZSOFT Paintbrush file
(where nn = 0x02, 0x03, or 0x05)
0C ED
MPMonochrome Picture TIFF bitmap file (unconfirmed)
0D 44 4F 43.DOC
DOCDeskMate Document file
0E 4E 65 72 6F 49 53 4F.NeroISO
NRINero CD Compilation
0E 57 4B 53.WKS
WKSDeskMate Worksheet
[512 byte offset]
0F 00 E8 03
[512 byte offset]
..è.
PPTPowerPoint presentation subheader (MS Office)
11 00 00 00 53 43 43 41....SCCA
PFWindows prefetch file
1A 00 00...
NTFLotus Notes database template
1A 00 00 04 00 00......
NSFLotus Notes database
1A 0x..
ARCLH archive file, old version
(where x = 0x2, 0x3, 0x4, 0x8 or 0x9
for types 1-5, respectively)
1A 0B..
PAKCompressed archive file
(often associated with Quake Engine games)
1A 35 01 00.5..
ETHGN Nettest WinPharoah capture file
1A 45 DF A3 93 42 82 88
6D 61 74 72 6F 73 6B 61
.Eߣ“B‚ˆ
matroska
MKVMatroska stream file
1A 52 54 53 20 43 4F 4D
50 52 45 53 53 45 44 20
49 4D 41 47 45 20 56 31
2E 30 1A
.RTS COM
PRESSED
IMAGE V1
.0.
DATRuntime Software disk image
1D 7D.}
WSWordStar Version 5.0/6.0 document
1F 8B 08.‹.
GZ, TGZGZIP archive file
1F 9D..
TAR.ZCompressed tape archive file using standard (Lempel-Ziv-Welch) compression
1F A0
TAR.ZCompressed tape archive file using LZH (Lempel-Ziv-Huffman) compression
21!
BSBMapInfo Sea Chart
21 12!.
AINAIN Compressed Archive
21 3C 61 72 63 68 3E 0A!<arch>.
LIBUnix archiver (ar) files and Microsoft Program Library
Common Object File Format (COFF)
21 42 44 4E!BDN
PSTMicrosoft Outlook Personal Folder File
23 20#
MSICerius2 file
23 20 44 69 73 6B 20 44
65 73 63 72 69 70 74 6F
# Disk D
escripto
VMDKVMware 4 Virtual Disk description file (split disk)
23 20 4D 69 63 72 6F 73
6F 66 74 20 44 65 76 65
6C 6F 70 65 72 20 53 74
75 64 69 6F
# Micros
oft Deve
loper St
udio
DSPMicrosoft Developer Studio project file
23 21 41 4D 52#!AMR
AMRAdaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction)
Codec, commonly audio format with GSM cell phones. (See RFC 4867.)
23 3F 52 41 44 49 41 4E
43 45 0A
#?RADIAN
CE.
HDRRadiance High Dynamic Range image file
24 46 4C 32 40 28 23 29
20 53 50 53 53 20 44 41
54 41 20 46 49 4C 45
$FL2@(#)
 SPSS DA
TA FILE
SAVSPSS Data file
25 21 50 53 2D 41 64 6F
62 65 2D 33 2E 30 20 45
50 53 46 2D 33 20 30
%!PS-Ado
be-3.0 E
PSF-3.0
EPSAdobe encapsulated PostScript file
(If this signature is not at the immediate
beginning of the file, it will occur early
in the file, commonly at byte offset 30)
25 50 44 46%PDF
PDF, FDFAdobe Portable Document Format and Forms Document file
Trailers:
0A 25 25 45 4F 46 (.%%EOF)
0A 25 25 45 4F 46 0A (.%%EOF.)
0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..)
0D 25 25 45 4F 46 0D (.%%EOF.)
NOTE: There may be multiple end-of-file marks within the
file. When carving, be sure to get the last one.
28 54 68 69 73 20 66 69
6C 65 20 6D 75 73 74 20
62 65 20 63 6F 6E 76 65
72 74 65 64 20 77 69 74
68 20 42 69 6E 48 65 78
20
(This fi
le must
be conve
rted wit
h BinHex
 
HQXMacintosh BinHex 4 Compressed Archive
2A 2A 2A 20 20 49 6E 73
74 61 6C 6C 61 74 69 6F
6E 20 53 74 61 72 74 65
64 20
***  Ins
tallatio
n Starte
d
LOGSymantec Wise Installer log file
[2 byte offset]
2D 6C 68
[2 byte offset]
-lh
LHA, LZHCompressed archive file
2E 52 45 43.REC
IVRRealPlayer video file (V11 and later)
2E 52 4D 46.RMF
RM, RMVBRealMedia streaming media file
2E 52 4D 46 00 00 00 12
00
.RMF....
.
RARealAudio file
2E 72 61 FD 00.raý.
RARealAudio streaming media file
2E 73 6E 64.snd
AUNeXT/Sun Microsystems µ-Law audio file
300
CATMicrosoft security catalog file
30 00 00 00 4C 66 4C 650...LfLe
EVTWindows Event Viewer file
30 26 B2 75 8E 66 CF 11
A6 D9 00 AA 00 62 CE 6C
0&²u.fÏ.
¦Ù.ª.bÎl
ASF, WMA, WMVMicrosoft Windows Media Audio/Video File
(Advanced Streaming Format)
30 31 4F 52 44 4E 41 4E
43 45 20 53 55 52 56 45
59 20 20 20 20 20 20 20
01ORDNAN
CE SURVE
Y
NTFNational Transfer Format Map File
30 37 30 37 30 nn07070.
n/a   Archive created with the cpio utility (where nn
values 0x37 ("7"), 0x31 ("1"), and 0x32 ("2") refer to the
standard ASCII format, new ASCII (aka SVR4) format, and CRC
format, respectively). (The swpackage(8) page has additional
information.) (Thanks to F. Webber for this....)
31 BE or
32 BE
WRIMicrosoft Write file
34 CD B2 A14Ͳ¡
n/aExtended tcpdump (libpcap) capture file (Linux/Unix)
37 7A BC AF 27 1C7z¼¯'.
7Z7-Zip compressed file
37 E4 53 96 C9 DB D6 077äS–ÛÖ.
n/azisofs compression format, recognized by some Linux kernels. See the
libburnia page for additional information.
38 42 50 538BPS
PSDPhotoshop image file
3A 56 45 52 53 49 4F 4E:VERSION
SLESurfplan kite project file
3C<
ASXAdvanced Stream redirector file
XDRBizTalk XML-Data Reduced Schema file
3C 21 64 6F 63 74 79 70<!doctyp
DCIAOL HTML mail file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D
<?xml ve
rsion=
MANIFESTWindows Visual Stylesheet XML file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E
<?xml ve
rsion="1
.0"?>
XULXML User Interface Language file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E 0D 0A 3C
4D 4D 43 5F 43 6F 6E 73
6F 6C 65 46 69 6C 65 20
43 6F 6E 73 6F 6C 65 56
65 72 73 69 6F 6E 3D 22
<?xml ve
rsion="1
.0"?>..<
MMC_Cons
oleFile
ConsoleV
ersion="
MSCMicrosoft Management Console Snap-in Control file
3C 4D 61 6B 65 72 46 69
6C 65 20
<MakerFi
le
FM, MIFAdobe FrameMaker file
[24 byte offset]
3E 00 03 00 FE FF 09 00
06
[24 byte offset]
>...þÿ..
.
WB3   Quattro Pro for Windows 7.0 Notebook file
3F 5F 03 00?_..
GIDWindows Help index file
HLPWindows Help file
[32 byte offset]
40 40 40 20 00 00 40 40
40 40
[32 byte offset]
@@@ ..@@
@@
ENLEndNote Library File
41 43 31 30AC10
DWGGeneric AutoCAD drawing
NOTES on AutoCAD file headers: The 0x41-43-31-30 (AC10) is a generic header, occupying the first
four bytes in the file. The next two bytes give further indication about the version or subtype:
  • 0x30-32 (02) — AutoCAD R2.5
  • 0x30-33 (03) — AutoCAD R2.6
  • 0x30-34 (04) — AutoCAD R9
  • 0x30-36 (06) — AutoCAD R10
  • 0x30-39 (09) — AutoCAD R11/R12
  • 0x31-30 (10) — AutoCAD R13 (subtype 10)
  • 0x31-31 (11) — AutoCAD R13 (subtype 11)
  • 0x31-32 (12) — AutoCAD R13 (subtype 12)
  • 0x31-33 (13) — AutoCAD R14 (subtype 13)
  • 0x31-34 (14) — AutoCAD R14 (subtype 14)
  • 0x31-35 (15) — AutoCAD R2000
  • 0x31-38 (18) — AutoCAD R2004
  • 0x32-31 (21) — AutoCAD R2007
41 43 76ACL
SLESteganos Security Suite virtual secure drive
41 43 53 44ACSD
n/aMiscellaneous AOL parameter and information files
41 45 53AES
AESAES Crypt file format. (The fourth byte is the version number.)
41 4D 59 4FAMYO
SYWHarvard Graphics symbol graphic
41 4F 4C 20 46 65 65 64
62 61 67
AOL Feed
bag
BAGAOL and AIM buddy list file
41 4F 4C 44 42AOLDB
ABY, IDXAOL database files: address book (ABY) and user configuration
data (MAIN.IDX)
41 4F 4C 49 44 58AOLIDX
INDAOL client preferences/settings file (MAIN.IND)
41 4F 4C 49 4E 44 45 58AOLINDEX
ABIAOL address book index file
41 4F 4C 56 4D 31 30 30AOLVM100
ORG, PFCAOL personal file cabinet (PFC) file
41 56 47 36 5F 49 6E 74
65 67 72 69 74 79 5F 44
61 74 61 62 61 73 65
AVG6_Int
egrity_D
atabase
DATAVG6 Integrity database file
41 72 43 01ArC.
ARCFreeArc compressed file
42 41 41 44BAAD
n/aNTFS Master File Table (MFT) entry (1,024 bytes)
42 45 47 49 4E 3A 56 43
41 52 44 0D 0A
BEGIN:VC
ARD..
VCFvCard file
42 4C 49 32 32 33 51BLI223Q
BINThomson Speedtouch series WLAN router firmware
42 4DBM
BMP, DIBWindows (or device-independent) bitmap image
NOTE: Bytes 2-5 contain the file length in little-endian order.
42 4F 4F 4B 4D 4F 42 49BOOKMOBI
PRCPalmpilot resource file
42 5A 68BZh
BZ2, TAR.BZ2, TBZ2, TB2bzip2 compressed archive
43 23 2B 44 A4 43 4D A5
48 64 72
C#+D¤CM¥
Hdr
RTDRagTime document file
43 42 46 49 4C 45CBFILE
CBDWordPerfect dictionary file (unconfirmed)
43 44 30 30 31CD001
ISOISO-9660 CD Disc Image
This signature usually occurs at byte offset 32769 (0x8001),
34817 (0x8801), or 36865 (0x9001).
More information can be found at MacTech or at ECMA.
43 49 53 4FCISO
CSOCompressed ISO (CISO) CD image
43 4D 58 31CMX1
CLBCorel Binary metafile
43 4F 4D 2BCOM+
CLBCOM+ Catalog file
43 4F 57 44COWD
VMDKVMware 3 Virtual Disk (portion of a split disk) file
43 50 54 37 46 49 4C 45CPT7FILE
CPTCorel Photopaint file
43 50 54 46 49 4C 45CPTFILE
CPTCorel Photopaint file
43 52 45 47CREG
DATWindows 9x registry hive
43 52 55 53 48 20 76CRUSH v
CRUCrush compressed archive
43 57 53CWS
SWFShockwave Flash file (v5+)
43 61 74 61 6C 6F 67 20
33 2E 30 30 00
Catalog
3.00.
CTFWhereIsIt Catalog file
43 6C 69 65 6E 74 20 55
72 6C 43 61 63 68 65 20
4D 4D 46 20 56 65 72 20
Client U
rlCache
MMF Ver
DATIE History (index.dat) file
44 41 58 00DAX.
DAXDAX Compressed CD image
44 42 46 48DBFH
DBPalm Zire photo database
44 4D 53 21DMS!
DMSAmiga DiskMasher compressed archive
44 4F 53DOS
ADFAmiga disk file
44 56 44DVD
DVRDVR-Studio stream file
IFODVD info file
45 4C 49 54 45 20 43 6F
6D 6D 61 6E 64 65 72 20
ELITE Co
mmander
CDRElite Plus Commander saved game file
45 4E 54 52 59 56 43 44
02 00 00 01 02 00 18 58
ENTRYVCD
.......X
VCDVideoVCD (GNU VCDImager) file
45 52 46 53 53 41 56 45
44 41 54 41 46 49 4C 45
ERFSSAVE
DATAFILE
DATKroll EasyRecovery Saved Recovery State file
45 50EP
MDIMicrosoft Document Imaging file
45 56 46 09 0D 0A FF 00EVF...ÿ.
Enn (where nn are numbers)Expert Witness Compression Format (EWF) file, including EWF-E01
and EWF-S01, as used in EnCase and SMART evidence files.
See the EWF specification.
45 56 46 32 0D 0A 81EVF2...
Exnn (where nn are numbers)EnCase® Evidence File Format Version 2 (Ex01).
See the document.
45 6C 66 46 69 6C 65 00ElfFile.
EVTXWindows Vista event log file
45 86 00 00 06 00E†....
QBBIntuit QuickBooks backup file
46 41 58 43 4F 56 45 52
2D 56 45 52
FAXCOVER
-VER
CPEMicrosoft Fax Cover Sheet
46 44 42 48 00FDBH.
FDBFiasco database definition file
46 45 44 46FEDF
SBV(Unknown file type)
46 49 4C 45FILE
n/aNTFS Master File Table (MFT) entry (1,024 bytes)
46 4C 56 01FLV.
FLVFlash video file
46 4F 52 4D 00FORM.
AIFFAudio Interchange File
DAXDAKX Compressed Audio
46 57 53FWS
SWFMacromedia Shockwave Flash player file
46 72 6F 6D 20 20 20 orFrom
46 72 6F 6D 20 3F 3F 3F orFrom ???
46 72 6F 6D 3A 20From:
EML   A common file extension for e-mail files. Signatures shown here
are for Netscape, Eudora, and a generic signature, respectively.
EML is also used by Outlook Express and QuickMail.
47 46 31 50 41 54 43 48GF1PATCH
PATAdvanced Gravis Ultrasound patch file
47 49 46 38 37 61 orGIF87a
47 49 46 38 39 61GIF89a
GIFGraphics interchange format file
Trailer: 00 3B (.;)
47 50 41 54GPAT
PATGIMP (GNU Image Manipulation Program) pattern file
47 58 32GX2
GX2Show Partner graphics file (not confirmed)
47 65 6E 65 74 65 63 20
4F 6D 6E 69 63 61 73 74
Genetec
Omnicast
G64Genetec video archive
48 48 47 42 31HHGB1
SH3Harvard Graphics presentation file
49 20 49I I
TIF, TIFFTagged Image File Format file
49 44 33ID3
MP3MPEG-1 Audio Layer 3 (MP3) audio file
49 44 33 03 00 00 00ID3....
KOZSprint Music Store audio file (for mobile devices)
49 49 1A 00 00 00 48 45
41 50 43 43 44 52 02 00
II....HE
APCCDR..
CRWCanon digital camera RAW file
49 49 2A 00II*.
TIF, TIFFTagged Image File Format file (little
endian, i.e., LSB first in the byte; Intel)
49 49 2A 00 10 00 00 00
43 52
II*.....
CR
CR2Canon digital camera RAW file
49 53 63 28ISc(
CAB, HDRInstall Shield v5.x or 6.x compressed file
49 54 4F 4C 49 54 4C 53ITOLITLS
LITMicrosoft Reader eBook file
49 54 53 46ITSF
CHI, CHMMicrosoft Compiled HTML Help File
49 6E 6E 6F 20 53 65 74
75 70 20 55 6E 69 6E 73
74 61 6C 6C 20 4C 6F 67
20 28 62 29
Inno Set
up Unins
tall Log
 (b)
DATInno Setup Uninstall Log file
49 6E 74 65 72 40 63 74
69 76 65 20 50 61 67 65
Inter@ct
ive Page
IPDInter@ctive Pager Backup (BlackBerry) backup file
(See also IPD File Format page or IPD File for BlackBerry)
4A 41 52 43 53 00JARCS.
JARJARCS compressed archive
4A 47 03 0E orJG..
4A 47 04 0EJG..
ARTAOL ART file
Trailers:
For 0x4A-47-03-0E: D0 CB 00 00 (ÐË..)
For 0x4A-47-04-0E: CF C7 CB (ÏÇË)
4B 44 4DKDM
VMDKVMware 4 Virtual Disk (portion of a split disk) file
4B 44 4D 56KDMV
VMDK   VMware 4 Virtual Disk (monolithic disk) file
4B 47 42 5F 61 72 63 68
20 2D
KGB_arch
 -
KGBKGB archive
4B 49 00 00KI..
SHDWindows 9x printer spool file
4B 57 41 4A 88 F0 27 D1KWAJˆð'Ñ
n/aKWAJ file format used by DOS COMPRESS.EXE and EXPAND.EXE commands.
This command compresses a single file, replacing the last character in the file name
with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or
FOO.BA$. (See the SZDD/KWAJ page for more information.)
4C 00 00 00 01 14 02 00L.......
LNKWindows shortcut file. See also The Meaning of Linkfiles in Forensic Examinations.
4C 01L.
OBJMicrosoft Common Object File Format (COFF) relocatable
object code file for an Intel 386 or later/compatible processors
4C 4E 02 00LN..
GIDWindows Help index file
HLPWindows Help file.
4C 56 46 09 0D 0A FF 00LVF...ÿ.
Enn (where nn are numbers)Logical File Evidence Format (EWF-L01) as used in later versions of
EnCase evidence files. See the EWF specification.
4D 2D 57 20 50 6F 63 6B
65 74 20 44 69 63 74 69
M-W Pock
et Dicti
PDBMerriam-Webster Pocket Dictionary file
4D 41 52 31 00MAR1.
MARMozilla archive
4D 41 52 43MARC
MARMicrosoft/MSN MARC archive
4D 41 72 30 00MAr0.
MARMAr compressed archive
4D 44 4D 50 93 A7MDMPҤ
HDMPWindows heap dump file
DMPWindows minidump file
4D 49 4C 45 53MILES
MLSMilestones v1.0 project management and scheduling software
(Also see "MV2C" and "MV214" signatures)
4D 4C 53 57MLSW
MLSSkype localization data file
4D 4D 00 2AMM.*
TIF, TIFFTagged Image File Format file (big
endian, i.e., LSB last in the byte; Motorola)
4D 4D 00 2BMM.+
TIF, TIFFBigTIFF files; Tagged Image File Format files >4 GB
4D 4D 4D 44 00 00MMMD..
MMFYamaha Corp. Synthetic music Mobile Application Format (SMAF)
for multimedia files that can be played on hand-held devices.
4D 52 56 4EMRVN
NVRAMVMware BIOS (non-volatile RAM) state file.
4D 53 43 46MSCF
CABMicrosoft cabinet file
PPZPowerpoint Packaged Presentation
SNPMicrosoft Access Snapshot Viewer file
4D 53 46 54 02 00 01 00MSFT....
TLBOLE, SPSS, or Visual C++ type library file
4D 53 5F 56 4F 49 43 45MS_VOICE
CDR, DVFSony Compressed Voice File
MSVSony Memory Stick Compressed Voice file
4D 54 68 64MThd
MID, MIDIMusical Instrument Digital Interface (MIDI) sound file
4D 56MV
DSNCD Stomper Pro label file
4D 56 32 31 34MV214
MLSMilestones v2.1b project management and scheduling software
(Also see "MILES" and "MV2C" signatures)
4D 56 32 43MV2C
MLSMilestones v2.1a project management and scheduling software
(Also see "MILES" and "MV214" signatures)
4D 5AMZ
COM, DLL, DRV, EXE, PIF, QTS, QTX, SYSWindows/DOS executable file
(See The MZ EXE File Format page for the structure of an EXE file,
with coverage of NE, TLINK, PE, self-extracting archives, and more.)
ACMMS audio compression manager driver
AXLibrary cache file
CPLControl panel application
FONFont file
OCXActiveX or OLE Custom Control
OLBOLE object library
SCRScreen saver
VBXVisualBASIC application
VXD, 386Windows virtual device drivers
4D 5A 90 00 03 00 00 00MZ......
APIAcrobat plug-in
AXDirectShow filter
FLTAudition graphic filter file (Adobe)
4D 5A 90 00 03 00 00 00
04 00 00 00 FF FF
MZ......
....ÿÿ
ZAP   ZoneAlarm data file
4D 69 63 72 6F 73 6F 66
74 20 43 2F 43 2B 2B 20
Microsof
t C/C++
PDBMicrosoft C++ debugging symbols file
4D 69 63 72 6F 73 6F 66
74 20 56 69 73 75 61 6C
20 53 74 75 64 69 6F 20
53 6F 6C 75 74 69 6F 6E
20 46 69 6C 65
Microsof
t Visual
 Studio
Solution
 File
SLNVisual Studio .NET Solution file
[84 byte offset]
4D 69 63 72 6F 73 6F 66
74 20 57 69 6E 64 6F 77
73 20 4D 65 64 69 61 20
50 6C 61 79 65 72 20 2D
2D 20
[84 byte offset]
Microsof
t Window
s Media
Player -
-
WPLWindows Media Player playlist
4D 73 52 63 66MsRcf
GDBVMapSource GPS Waypoint Database
4E 41 56 54 52 41 46 46
49 43
NAVTRAFF
IC
DATTomTom traffic data file
4E 42 2A 00NB*.
JNT, JTPMS Windows journal file
4E 45 53 4D 1A 01NESM..
NSFNES Sound file
4E 49 54 46 30NITF0
NTFNational Imagery Transmission Format (NITF) file
4E 61 6D 65 3A 20Name:
CODAgent newsreader character map file
4F 50 4C 44 61 74 61 62
61 73 65 46 69 6C 65
OPLDatab
aseFile
DBFPsion Series 3 Database file
4F 67 67 53 00 02 00 00
00 00 00 00 00 00
OggS....
......
OGA, OGG, OGV, OGXOgg Vorbis Codec compressed Multimedia file
4F 7BO{
DW4Visio/DisplayWrite 4 text file (unconfirmed)
50 00 00 00 20 00 00 00P... ...
IDXQuicken QuickFinder Information File
50 35 0AP5.
PGMPortable Graymap Graphic
50 41 43 4BPACK
PAKQuake archive file
50 41 47 45 44 55 36 34PAGEDU64
DMPWindows 64-bit memory dump
50 41 47 45 44 55 4D 50PAGEDUMP
DMPWindows memory dump
50 41 58PAX
PAXPAX password protected bitmap
50 45 53 54PEST
DATPestPatrol data/scan strings
50 47 50 64 4D 41 49 4EPGPdMAIN
PGDPGP disk image
50 49 43 54 00 08PICT..
IMGADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file
50 4B 03 04PK..
ZIPPKZIP archive file (Ref. 1 | Ref. 2)
Trailer: filename 50 4B 17 characters 00 00 00
Trailer: (filename PK 17 characters ...)
ZIPApple Mac OS X Dashboard Widget, Aston Shell theme, Oolite eXpansion Pack,
Opera Widget, Pivot Style Template, Rockbox Theme package, Simple Machines
Forums theme, SubEthaEdit Mode, Trillian zipped skin, Virtual Skipper skin
JARJava archive; compressed file package for classes and data
KMZGoogle Earth saved working session file
KWDKWord document
ODT, ODP, OTTOpenDocument text document, presentation, and text document template, respectively.
SXC, SXD, SXI, SXWOpenOffice spreadsheet (Calc), drawing (Draw), presentation (Impress),
and word processing (Writer) files, respectively.
SXCStarOffice spreadsheet
WMZWindows Media compressed skin file
XPIMozilla Browser Archive
XPSXML paper specification file
XPTeXact Packager Models
50 4B 03 04 14 00 01 00
63 00 00 00 00 00
PK......
c.....
ZIPZLock Pro encrypted ZIP
50 4B 03 04 14 00 06 00PK......
DOCX, PPTX, XLSXMicrosoft Office Open XML Format (OOXML) Document
NOTE: There is no subheader for MS OOXML files as there is with
DOC, PPT, and XLS files. To better understand the format of these files,
rename any OOXML file to have a .ZIP extension and then unZIP the file;
look at the resultant file named [Content_Types].xml to see the content
types. In particular, look for the <Override PartName= tag, where you
will find word, ppt, or xl, respectively.

Trailer: Look for 50 4B 05 06 (PK..) followed by 18 additional bytes
at the end of the file.
50 4B 03 04 14 00 08 00
08 00
PK......
..
JARJava archive
50 4B 05 06PK..
50 4B 07 08PK..
ZIPPKZIP empty and multivolume archive file, respectively
[30 byte offset]
50 4B 4C 49 54 45
[30 byte offset]
PKLITE
ZIPPKLITE compressed ZIP archive (see also PKZIP)
[526 byte offset]
50 4B 53 70 58
[526 byte offset]
PKSFX
ZIPPKSFX self-extracting executable compressed file (see also PKZIP)
50 4D 43 43PMCC
GRPWindows Program Manager group file
50 4E 43 49 55 4E 44 4FPNCIUNDO
DATNorton Disk Doctor undo file
[92 byte offset]
51 45 4C 20
[92 byte offset]
QEL
QELQuicken data file
51 46 49 FBQFIû
IMGQEMU Qcow Disk Image
51 57 20 56 65 72 2E 20QW Ver.
ABD, QSDQuicken data file
52 41 5A 41 54 44 42 31RAZATDB1
DATShareaza (Windows P2P client) thumbnail
52 45 47 45 44 49 54REGEDIT
REG, SUDWindows NT Registry and Registry Undo files
52 45 56 4E 55 4D 3A 2CREVNUM:,
ADFAntenna data file
52 49 46 46RIFF
ANIWindows animated cursor
CMXCorel Presentation Exchange (Corel 10 CMX) Metafile
CDRCorelDraw document
DATVideo CD MPEG or MPEG1 movie file
DS4Micrografx Designer v4 graphic file
4XM4X Movie video
52 49 46 46 xx xx xx xx
41 56 49 20 4C 49 53 54
RIFF....
AVI LIST
AVIResource Interchange File Format -- Windows Audio
Video Interleave file
52 49 46 46 xx xx xx xx
43 44 44 41 66 6D 74 20
RIFF....
CDDAfmt
CDAResource Interchange File Format -- Compact Disc
Digital Audio (CD-DA) file
52 49 46 46 xx xx xx xx
51 4C 43 4D 66 6D 74 20
RIFF....
QLCMfmt
QCPResource Interchange File Format -- Qualcomm
PureVoice
52 49 46 46 xx xx xx xx
52 4D 49 44 64 61 74 61
RIFF....
RMIDdata
RMIResource Interchange File Format -- Windows Musical
Instrument Digital Interface file
52 49 46 46 xx xx xx xx
57 41 56 45 66 6D 74 20
RIFF....
WAVEfmt
WAVResource Interchange File Format -- Audio for
Windows file
52 54 53 53RTSS
CAPWindows NT Netmon capture file
52 61 72 21 1A 07 00Rar!...
RARWinRAR compressed archive file
52 65 74 75 72 6E 2D 50
61 74 68 3A 20
Return-P
ath:
EML   A common file extension for e-mail files.
53 43 48 6CSCHl
ASTNeed for Speed: Underground Audio file
53 43 4D 49SCMI
IMGImg Software Set Bitmap
53 48 4F 57SHOW
SHWHarvard Graphics DOS Ver. 2/x Presentation file
53 49 45 54 52 4F 4E 49
43 53 20 58 52 44 20 53
43 41 4E
SIETRONI
CS XRD S
CAN
CPISietronics CPI XRD document
53 49 54 21 00SIT!.
SITStuffIt compressed archive
53 4D 41 52 54 44 52 57SMARTDRW
SDRSmartDraw Drawing file
53 50 46 49 00SPFI.
SPF   StorageCraft ShadowProtect backup file
53 51 4C 4F 43 4F 4E 56
48 44 00 00 31 2E 30 00
SQLOCONV
HD..1.0.
CNVDB2 conversion file
53 51 4C 69 74 65 20 66
6F 72 6D 61 74 20 33 00
SQLite f
ormat 3.
DBSQLite database file
53 5A 20 88 F0 27 33 D1SZ ˆð'3Ñ
n/aQBASIC SZDD file header variant. (See the SZDD or KWAJ format entries
for additional information.)
53 5A 44 44 88 F0 27 33SZDDˆð'3
n/aSZDD file format used by DOS COMPRESS.EXE and EXPAND.EXE commands.
This command compresses a single file, replacing the last character in the file name
with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or
FOO.BA$. (See the SZDD/KWAJ page for more information.)
53 6D 62 6CSmbl
SYM(Unconfirmed file type. Likely type is Harvard Graphics
Version 2.x graphic symbol or Windows SDK graphic symbol)
53 74 75 66 66 49 74 20
28 63 29 31 39 39 37 2D
StuffIt
(c)1997-
SITStuffIt compressed archive
53 75 70 65 72 43 61 6C
63
SuperCal
c
CALSuperCalc worksheet
54 68 69 73 20 69 73 20This is
INFOUNIX GNU Info Reader File
55 43 45 58UCEX
UCEUnicode extensions
55 46 41 C6 D2 C1UFAÆÒÁ
UFAUFA compressed archive
55 46 4F 4F 72 62 69 74UFOOrbit
DATUFO Capture v2 map file
56 43 50 43 48 30VCPCH0
PCHVisual C PreCompiled header file
56 45 52 53 49 4F 4E 20VERSION
CTLVisual Basic User-defined Control file
56 65 72 73 69 6F 6E 20Version
MIFMapInfo Interchange Format file
57 4D 4D 50WMMP
DATWalkman MP3 container file
57 53 32 30 30 30WS2000
WS2WordStar for Windows Ver. 2 document
[29,152 byte offset]
57 69 6E 5A 69 70
[29,152 byte offset]
WinZip
ZIPWinZip compressed archive
57 6F 72 64 50 72 6FWordPro
LWPLotus WordPro document.
58 2DX-
EML   A common file extension for e-mail files. This variant is
for Exchange.
58 43 50 00XCP.
CAPCinco NetXRay, Network General Sniffer, and
Network Associates Sniffer capture file
58 50 43 4F 4D 0A 54 79
70 65 4C 69 62
XPCOM.Ty
peLib
XPTXPCOM type libraries for the XPIDL compiler
58 54XT..
BDRMS Publisher border
5A 4F 4F 20ZOO
ZOOZOO compressed archive
5B 47 65 6E 65 72 61 6C
5D 0D 0A 44 69 73 70 6C
61 79 20 4E 61 6D 65 3D
3C 44 69 73 70 6C 61 79
4E 61 6D 65
[General
]..Displ
ay Name=
<Display
Name
ECFMS Exchange 2007 extended configuration file
5B 4D 53 56 43[MSVC
VCWMicrosoft Visual C++ Workbench Information File
5B 50 68 6F 6E 65 5D[Phone]
DUNDial-up networking file
5B 56 45 52 5D or[VER]
5B 76 65 72 5D or[ver]
SAMLotus AMI Pro document
[2 byte offset]
5B 56 65 72 73 69 6F 6E
[2 byte offset]
[Version
CIF(Unknown file type)
5B 57 69 6E 64 6F 77 73
20 4C 61 74 69 6E 20
[Windows
 Latin
CPXMicrosoft Code Page Translation file
5B 66 6C 74 73 69 6D 2E
30 5D
[fltsim.
0]
CFGFlight Simulator Aircraft Configuration file
5B 70 6C 61 79 6C 69 73
74 5D
[playlis
t]
PLSWinAmp Playlist file
5F 27 A8 89_'¨‰
JARJar archive
5F 43 41 53 45 5F_CASE_
CAS, CBKEnCase case file (and backup)
60 EA
ARJCompressed archive file
62 65 67 69 6Ebegin
n/aUUencoded files start with a string:
  begin mode path
where mode is the set of permissions as used in
Linux/Unix and path is the name given to the decoded
file. (See this uuencode page for more information.)
62 70 6C 69 73 74bplist
plistBinary property list (plist)
(NOTE: Next two bytes are the version number, currently
0x30-30, or "00")
63 6F 6E 65 63 74 69 78conectix
VHDVirtual PC Virtual HD image
63 75 73 68 00 00 00 02
00 00 00
cush....
...
CSHPhotoshop Custom Shape
64 00 00 00d...
P10Intel PROset/Wireless Profile
64 65 78 0A 30 30 39 00dex.009.
dexDalvik executable file (Android)
64 73 77 66 69 6C 65dswfile
DSWMicrosoft Visual Studio workspace file
64 6E 73 2Edns.
AUAudacity audio file
66 49 00 00fI..
-
SHDWindows NT printer spool file
66 4C 61 43 00 00 00 22fLaC..."
FLACFree Lossless Audio Codec file
67 49 00 00gI..
-
SHDWindows 2000/XP printer spool file
68 49 00 00hI..
-
SHDWindows Server 2003 printer spool file
6C 33 33 6Cl33l
DBBSkype user data file (profile and contacts)
[4 byte offset]
6D 6F 6F 76
[4 byte offset]
moov
MOVQuickTime movie file
.MOV files have a complicated file signature. The string "moov" is the most common but I have also seen:
  0x66-72-65-65   free
  0x6D-64-61-74   mdat
  0x77-69-64-65   wide

And the following have been reported to me:
  0x70-6E-6F-74   pnot
  0x73-6B-69-70   skip

Furthermore, if you look at byte position xxxxxxxx+4 (where xxxxxxxx is bytes 0-3 of the header), you
will find one (or more!) of these strings repeated; the string "free" seems to be the most common. For
more information, see the QuickTime File Format page. (Thanks to D. Wright for getting me started on this!)
6F 3C   o<
n/a   Short Message Service (SMS), or text, message stored on a Subscriber Identification Module (SIM).
72 65 67 66   regf
DAT   Windows NT registry hive file
72 69 66 66   riff
ACD   Sonic Foundry Acid Music File (Sony)
72 74 73 70 3A 2F 2F   rtsp://
RAM   RealMedia metafile
73 6C 68 21 or   slh!
73 6C 68 2E   slh.
DAT   Allegro Generic Packfile Data file (0x21 = compressed, 0x2E = uncompressed)
73 6D 5F   sm_
PDB   PalmOS SuperMemo file
73 72 63 64 6F 63 69 64   srcdocid
3A                        :
CAL   CALS raster bitmap file
73 7A 65 7A   szez
PDB   PowerBASIC Debugger Symbols file
[60 byte offset]
74 42 4D 50 4B 6E 57 72   tBMPKnWr
PRC   PathWay Map file, used with GPS devices
[257 byte offset]
75 73 74 61 72   ustar
TAR   Tape Archive file (http://www.mkssoftware.com/docs/man4/tar.4.asp)
76 32 30 30 33 2E 31 30   v2003.10
0D 0A 30 0D 0A            ..0..
FLT   Qimage filter
78   x
DMG   Mac OS X Disk Copy Disk Image file
7A 62 65 78   zbex
INFO   ZoomBrowser Image Index file (ZbThumbnal.info)
7B 0D 0A 6F 20   {..o
LGC, LGD   Windows application log
7B 5C 70 77 69   {\pwi
PWI   Microsoft Windows Mobile personal note file
7B 5C 72 74 66 31   {\rtf1
RTF   Rich text format word processing file
Trailer: 5C 70 61 72 20 7D 7D (\par }})
7E 42 4B 00   ~BK.
PSP   Corel Paint Shop Pro image file
7F 45 4C 46   .ELF
n/a   Executable and Linking Format executable file (Linux/Unix)
80   .
OBJ   Relocatable object code
80 00 00 20 03 12 04   .......
ADX   Dreamcast audio file
81 32 84 C1 85 05 D0 11   .2„Á….Ð.
B2 90 00 AA 00 3C F6 76   ²..ª.<öv
WAB   Outlook Express address book (Win95)
81 CD AB   .Í«
WPF   WordPerfect text file
89 50 4E 47 0D 0A 1A 0A   ‰PNG....
PNG   Portable Network Graphics file
Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚...)
8A 01 09 00 00 00 E1 08   Š.....á.
00 00 99 19               ..™.
AW   MS Answer Wizard file
91 33 48 46   ‘3HF
HAP   Hamarsoft HAP 3.x compressed archive
95 00 or   •.
95 01   •.
SKR   PGP secret keyring file
99
GPG   GNU Privacy Guard (GPG) public keyring
99 01   ™.
PKR   PGP public keyring file
9C CB CB 8D 13 75 D2 11   œËË..UÒ.
91 58 00 C0 4F 79 56 A4   ‘X.ÀOyV¤
WAB   Outlook address file
[512 byte offset]
A0 46 1D F0    F.ð
PPT   PowerPoint presentation subheader (MS Office)
A1 B2 C3 D4   ¡²ÃÔ
n/a   tcpdump (libpcap) capture file (Linux/Unix)
A1 B2 CD 34   ¡²Í4
n/a   Extended tcpdump (libpcap) capture file (Linux/Unix)
A9 0D 00 00 00 00 00 00   ©.......
DAT   Access Data FTK evidence file
AC 9E BD 8F 00 00   ¬.½...
QDF   Quicken data file
AC ED   ¬í
n/a   Java serialization data (see Object Serialization Stream Protocol)
AC ED 00 05 73 72 00 12   ¬í..sr..
62 67 62 6C 69 74 7A 2E   bgblitz.
PDB   BGBlitz (professional Backgammon software) position database file
B0 4D 46 43   °MFC
PWL   Windows 95 password file
B1 68 DE 3A   ±hÞ:
DCX   Graphics Multipage PCX bitmap file
B4 6E 68 44   ´nhd
TIB   Acronis True Image file
B5 A2 B0 B3 B3 B0 A5 B5   µ¢°³³°¥µ
CAL   Windows calendar file
BE 00 00 00 AB 00 00 00   ¾...«...
00 00 00 00 00            ....
WRI   MS Write file
C3 AB CD AB   Ã«Í«
ACS   MS Agent Character file
C5 D0 D3 C6   ÅÐÓÆ
EPS   Adobe encapsulated PostScript file
C8 00 79 00   È.y.
LBK   Jeppesen FliteLog file
CA FE BA BE   Êþº¾
CLASS   Java bytecode file
CD 20 AA AA 02 00 00 00   Í ªª....
n/a   Norton Anti-Virus quarantined virus file
CF 11 E0 A1 B1 1A E1 00   Ï.à¡±.á.
DOC   Perfect Office document
[Note similarity to MS Office header, below]
CF AD 12 FE   Ï­.þ
DBX   Outlook Express e-mail folder
D0 CF 11 E0 A1 B1 1A E1   ÐÏ.à¡±.á
DOC, DOT, PPS, PPT, XLA, XLS, WIZ   Microsoft Office applications (Word, Powerpoint, Excel, Wizard)
[See also Word, Powerpoint, and Excel "subheaders" at byte offset 512]
[Note the similarity between D0 CF 11 E0 and the word "docfile"!]
AC_   CaseWare Working Papers compressed client file
ADP   Access project file
APR   Lotus/IBM Approach 97 file
DB   MSWorks database file
MSC   Microsoft Common Console Document
MSI   Microsoft Installer package
MTW   Minitab data file
OPT   Developer Studio File Workspace Options file
PUB   MS Publisher file
QBM   QuickBooks Portable Company File
RVT   Revit Project file
SOU   Visual Studio Solution User Options file
SPO   SPSS output file
VSD   Visio file
WPS   MSWorks text document
D2 0A 00 00   Ò...
FTR   GN Nettest WinPharoah filter file
D4 2A   Ô*
ARL, AUT   AOL history (ARL) and typed URL (AUT) files
D4 C3 B2 A1   ÔÃ²¡
n/a   WinDump (winpcap) capture file (Windows)
D7 CD C6 9A   ×ÍÆš
WMF   Windows graphics metafile
DB A5 2D 00   Û¥-.
DOC   Word 2.0 file
DC DC   ÜÜ
CPL   Corel color palette file
DC FE   Üþ
EFX   eFax file format
E3 10 00 01 00 00 00 00   ã.......
INFO   Amiga Icon file
E3 82 85 96   ã‚…–
PWL   Windows 98 password file
E4 52 5C 7B 8C D8 A7 4D   äR\{ŒØ§M
AE B1 53 78 D0 29 96 D3   ®±SxÐ)–Ó
ONE   Microsoft OneNote note
E8 or   è
E9 or   é
EB   ë
COM, SYS   Windows executable file
EB 3C 90 2A   ë<.*
IMG   GEM Raster file
[512 byte offset]
EC A5 C1 00   ì¥Á.
DOC   Word document subheader (MS Office)
ED AB EE DB   í«îÛ
RPM   RedHat Package Manager file
EF BB BF
n/a   Byte-order mark for 8-bit Unicode Transformation Format (UTF-8) files. (See the Unicode Home Page.)
[At a cluster boundary]
F0 FF FF   ðÿÿ
n/a   FAT12 File Allocation Table
[At a cluster boundary]
F8 FF FF FF   øÿÿÿ
n/a   FAT16 File Allocation Table
[At a cluster boundary]
F8 FF FF 0F FF FF FF FF   øÿÿ.ÿÿÿÿ
n/a   FAT32 File Allocation Table
[512 byte offset]
FD FF FF FF 04   ýÿÿÿ.
QBM   QuickBooks Portable Company File
SUO   Visual Studio Solution User Options subheader (MS Office)
[512 byte offset]
FD FF FF FF nn 00 00 00   ýÿÿÿ....
PPT   PowerPoint presentation subheader (MS Office)
(where nn has been seen with values 0x0E, 0x1C, and 0x43)
[512 byte offset]
FD FF FF FF nn 00   ýÿÿÿ..
or
[512 byte offset]
FD FF FF FF nn 02   ýÿÿÿ..
XLS   Excel spreadsheet subheader (MS Office)
(where nn = 0x10, 0x1F, 0x22, 0x23, 0x28, or 0x29)
[512 byte offset]
FD FF FF FF 20 00 00 00   ýÿÿÿ ...
OPT   Developer Studio File Workspace Options subheader (MS Office)
XLS   Excel spreadsheet subheader (MS Office)
[512 byte offset]
FD FF FF FF xx xx xx xx   ýÿÿÿ....
xx xx xx xx 04 00 00 00   ........
DB   Thumbs.db subheader (MS Office)
FE EF   þï
GHO, GHS   Symantec Ghost image file
FE FF   þÿ
n/a   Byte-order mark for 16-bit Unicode Transformation Format/2-octet Universal Character Set (UTF-16/UCS-2), little-endian files. (See the Unicode Home Page.)
FF   ÿ
SYS   Windows executable (SYS) file
FF 00 02 00 04 04 05 54   ÿ......T
02 00                     ..
WKS   Works for Windows spreadsheet file
FF 46 4F 4E 54   ÿFONT
CPI   Windows international code page
FF 4B 45 59 42 20 20 20   ÿKEYB
SYS   Keyboard driver file
FF 57 50 43   ÿWPC
WP, WPD, WPG, WPP, WP5, WP6   WordPerfect text and graphics file
FF D8 FF E0 xx xx 4A 46   ÿØÿà..JF
49 46 00                  IF.
JFIF, JPE, JPEG, JPG   JPEG/JFIF graphics file
Trailer: FF D9 (ÿÙ)
FF D8 FF E1 xx xx 45 78   ÿØÿá..Ex
69 66 00                  if.
JPG   Digital camera JPG using Exchangeable Image File Format (EXIF)
Trailer: FF D9 (ÿÙ)
See "Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis" (P. Alvarez, IJDE 2(3), Winter 2004) and ExifTool Tag Names
FF D8 FF E8 xx xx 53 50   ÿØÿè..SP
49 46 46 00               IFF.
JPG   Still Picture Interchange File Format (SPIFF)
Trailer: FF D9 (ÿÙ)
NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three hex digits 0xFF-D8-FF.
The fourth digit is also indicative of JPEG content. Various options include:
FF Ex   ÿ.
FF Fx   ÿ.
MPEG, MPG, MP3   MPEG audio file frame synch pattern
FF FE   ÿþ
REG   Windows Registry file
n/a   Byte-order mark for 16-bit Unicode Transformation Format/2-octet Universal Character Set (UTF-16/UCS-2), big-endian files. (See the Unicode Home Page.)
FF FE 00 00   ÿþ..
n/a   Byte-order mark for 32-bit Unicode Transformation Format/4-octet Universal Character Set (UTF-32/UCS-4), little-endian files. (See the Unicode Home Page.)
FF FE 23 00 6C 00 69 00   ÿþ#.l.i.
6E 00 65 00 20 00 31 00   n.e. .1.
MOF   Windows MSinfo file
FF FF FF FF   ÿÿÿÿ
SYS   DOS system driver



The following individuals have given me updates or suggestions for this list over the years: Devon Ackerman, Nazim Aliyev, Vladimir Benko, Arvin Bhatnagar, Sam Brothers, Per Christensson, Cornelis de Groot, Jeffrey Duggan, Jean-Pierre Fiset, Peter Almer Frederiksen, Tim Gardner, Paulo Guzmán, George Harpur, Brian High, Eric Huber, Broadus Jones, Axel Kesseler, Nick Khor, Bill Kuhns, Anand Mani, Kevin Mansell, Davyd McColl, Michal, Bruce Modick, Lee Nelson, Dan P., Jorge Paulhiac, Carlo Politi, Stanley Rainey, Cory Redfern, Bruce Robertson, Thomas Rösner, Mike Sutton, Matthias Sweertvaegher, Jason Wallace, Erik van de Burgwal, Franklin Webber, Gavin Williams, Mike Wilkinson, and David Wright. I thank them and apologize if I have missed anyone. I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite (primarily for the "subheaders" for many of the file types here), and the people at X-Ways Forensics for their permission to incorporate their lists of file signatures.
