Hex Signature | | ASCII Signature |
File Extension | | File Description |
TGA | | Truevision Targa Graphic file
Trailer:
54 52 55 45 56 49 53 49 TRUEVISI
4F 4E 2D 58 46 49 4C 45 ON-XFILE
2E 00 .. |
00 | | . |
PIC | | IBM Storyboard bitmap file |
MOV | | Apple QuickTime movie file |
PIF | | Windows Program Information File |
SEA | | Mac Stuffit Self-Extracting Archive |
YTR | | IRIS OCR data file |
[11 byte offset] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | | [11 byte offset] ........ ........ ........ |
PDB | | Palmpilot Database/Document File |
[512 byte offset] 00 00 00 00 00 00 00 00 | | [512 byte offset] ........ |
RVT | | Revit Project File subheader |
00 00 00 0C 6A 50 20 20 0D 0A | | ....jP .. |
JP2 | | Various JPEG-2000 image file formats |
00 00 00 nn 66 74 79 70 33 67 70 | | ....ftyp 3gp |
3GG, 3GP, 3G2 | | 3rd Generation Partnership Project 3GPP (nn=0x14)
and 3GPP2 (nn=0x20) multimedia files |
00 00 00 14 66 74 79 70 69 73 6F 6D | | ....ftyp isom |
MP4 | | ISO Base Media file (MPEG-4) v1 |
00 00 00 14 66 74 79 70 71 74 20 20 | | ....ftyp qt |
MOV | | QuickTime movie file |
00 00 00 18 66 74 79 70 33 67 70 35 | | ....ftyp 3gp5 |
MP4 | | MPEG-4 video files |
00 00 00 18 66 74 79 70 6D 70 34 32 | | ....ftyp mp42 |
M4V | | MPEG-4 video/QuickTime file |
00 00 00 1C 66 74 79 70 4D 53 4E 56 01 29 00 46 4D 53 4E 56 6D 70 34 32 | | ....ftyp MSNV.).F MSNVmp42 |
MP4 | | MPEG-4 video file |
00 00 00 20 66 74 79 70 4D 34 41 20 | | ... ftyp M4A |
M4A | | Apple Lossless Audio Codec file |
00 00 01 00 | | .... |
ICO | | Windows icon file |
SPL | | Windows NT/2000/XP printer spool file |
00 00 01 Bx | | .... |
MPEG, MPG | | MPEG video file
Trailer:
00 00 01 B7 (...·) |
00 00 01 BA | | ....º |
MPG, VOB | | DVD Video Movie File (video/dvd, video/mpeg) or DVD MPEG2
Trailer:
00 00 01 B9 (...¹) |
00 00 02 00 | | ...... |
CUR | | Windows cursor file |
WB2 | | QuattroPro for Windows Spreadsheet file |
00 00 02 00 06 04 06 00 08 00 00 00 00 00 | | ........ ...... |
WK1 | | Lotus 1-2-3 spreadsheet (v1) file |
00 00 1A 00 00 10 04 00 00 00 00 00 | | ........ .... |
WK3 | | Lotus 1-2-3 spreadsheet (v3) file |
00 00 1A 00 02 10 04 00 00 00 00 00 | | ........ .... |
WK4, WK5 | | Lotus 1-2-3 spreadsheet (v4, v5) file |
00 00 1A 00 05 10 04 | | ....... |
123 | | Lotus 1-2-3 spreadsheet (v9) file |
00 00 49 49 58 50 52 or | | ..IIXPR |
00 00 4D 4D 58 50 52 | | ..MMXPR |
QXD | | QuarkXPress document (Intel & Motorola, respectively)
NOTE: It appears that the byte following the 0x52 ("R") is
the language indicator; 0x33 ("3") seems to indicate English
and 0x61 ("a") reportedly indicates Korean. |
00 00 FE FF | | ..þÿ |
n/a | | Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), big-endian files.
(See the Unicode Home Page.) |
[6 byte offset] 00 00 FF FF FF FF | | [6 byte offset] ..ÿÿÿÿ |
HLP | | Windows Help file |
00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65 | | ....MSIS AM Datab ase |
MNY | | Microsoft Money file |
00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42 | | ....Stan dard ACE DB |
ACCDB | | Microsoft Access 2007 file |
00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 | | ....Stan dard Jet DB |
MDB | | Microsoft Access file |
00 01 00 08 00 01 00 01 01 | | ........ . |
IMG | | Ventura Publisher/GEM VDI Image Format Bitmap file |
00 01 01 | | ... |
FLT | | OpenFlight 3D file |
00 01 42 41 | | ..BA |
ABA | | Palm Address Book Archive file |
00 01 42 44 | | ..BD |
DBA | | Palm DateBook Archive file |
00 06 15 61 00 00 00 02 00 00 04 D2 00 00 10 00 | | ...a.... ...Ò.... |
DB | | Netscape Navigator (v4) database file |
00 11 AF | | ..¯ |
FLI | | FLIC Animation file |
00 14 00 00 01 02 xx xx 03 | | ........ . |
n/a | | BIOS details in RAM images |
00 1E 84 90 00 00 00 00 | | ..„..... |
SNM | | Netscape Communicator (v4) mail folder |
00 5C 41 B1 FF | | .\A±ÿ |
ENC | | Mujahideen Secrets 2 encrypted file |
00 BF | | .¿ |
SOL | | Adobe Flash shared object file (e.g., Flash cookies) |
[512 byte offset] 00 6E 1E F0 | | [512 byte offset] .n.ð |
PPT | | PowerPoint presentation subheader (MS Office) |
00 FF FF FF FF FF FF FF FF FF FF 00 00 02 00 01 | | .ÿÿÿÿÿÿÿ ÿÿÿ..... |
MDF | | Alcohol 120% CD image |
01 00 00 00 | | .... |
EMF | | Extended (Enhanced) Windows Metafile Format, printer spool file
(0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP) |
01 00 00 00 01 | | ..... |
PIC | | Unknown type picture file |
01 00 09 00 00 03 | | ...... |
WMF | | Windows Metadata file (Win 3.x format) |
01 00 39 30 | | ..90 |
FDB, GDB | | Firebird and Interbase database files, respectively. See
IBPhoenix for more information. |
01 0F 00 00 | | .... |
MDF | | Microsoft SQL Server 2000 database |
01 10 | | .. |
TR1 | | Novell LANalyzer capture file |
01 DA 01 01 00 03 | | .Ú.... |
RGB | | Silicon Graphics RGB Bitmap |
01 FF 02 04 03 02 | | .ÿ.... |
DRW | | Micrografx vector graphic file |
02 64 73 73 | | .dss |
DSS | | Digital Speech Standard (Olympus, Grundig, & Philips) |
03 | | . |
DAT | | MapInfo Native Data Format |
DB3 | | dBASE III file |
03 00 00 00 | | .... |
QPH | | Quicken price history file |
03 00 00 00 41 50 50 52 | | ....APPR |
ADX | | Approach index file |
04 | | . |
DB4 | | dBASE IV data file |
04 00 00 00 xx xx xx xx xx xx xx xx 20 03 00 00 or | | ........ .... ... |
05 00 00 00 xx xx xx xx xx xx xx xx 20 03 00 00 | | ........ .... ... |
n/a | | INFO2 Windows recycle bin file. NOTE: Bytes 12-13
indicate the size of each INFO2 record; the most common
value is 0x20-03 (0x0320 = 800 bytes). |
07 | | . |
DRW | | A common signature and file extension for many drawing
programs. |
07 53 4B 46 | | .SKF |
SKF | | SkinCrafter skin file |
07 64 74 32 64 64 74 64 | | .dt2ddtd |
DTD | | DesignTools 2D Design file |
08 | | . |
DB | | dBASE IV or dBFast configuration file |
[512 byte offset] 09 08 10 00 00 06 05 00 | | [512 byte offset] ........ |
XLS | | Excel spreadsheet subheader (MS Office) |
0A nn 01 01 | | .... |
PCX | | ZSOFT Paintbrush file
(where nn = 0x02, 0x03, or 0x05) |
0C ED | | .í |
MP | | Monochrome Picture TIFF bitmap file (unconfirmed) |
0D 44 4F 43 | | .DOC |
DOC | | DeskMate Document file |
0E 4E 65 72 6F 49 53 4F | | .NeroISO |
NRI | | Nero CD Compilation |
0E 57 4B 53 | | .WKS |
WKS | | DeskMate Worksheet |
[512 byte offset] 0F 00 E8 03 | | [512 byte offset] ..è. |
PPT | | PowerPoint presentation subheader (MS Office) |
11 00 00 00 53 43 43 41 | | ....SCCA |
PF | | Windows prefetch file |
1A 00 00 | | ... |
NTF | | Lotus Notes database template |
1A 00 00 04 00 00 | | ...... |
NSF | | Lotus Notes database |
1A 0x | | .. |
ARC | | LH archive file, old version
(where x = 0x2, 0x3, 0x4, 0x8 or 0x9
for types 1-5, respectively) |
1A 0B | | .. |
PAK | | Compressed archive file
(often associated with Quake Engine games) |
1A 35 01 00 | | .5.. |
ETH | | GN Nettest WinPharoah capture file |
1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61 | | .Eߣ“B‚ˆ matroska |
MKV | | Matroska stream file |
1A 52 54 53 20 43 4F 4D 50 52 45 53 53 45 44 20 49 4D 41 47 45 20 56 31 2E 30 1A | | .RTS COM PRESSED IMAGE V1 .0. |
DAT | | Runtime Software disk image |
1D 7D | | .} |
WS | | WordStar Version 5.0/6.0 document |
1F 8B 08 | | .‹. |
GZ, TGZ | | GZIP archive file |
1F 9D | | .. |
TAR.Z | | Compressed tape archive file using standard (Lempel-Ziv-Welch) compression |
1F A0 | | . |
TAR.Z | | Compressed tape archive file using LZH (Lempel-Ziv-Huffman) compression |
21 | | ! |
BSB | | MapInfo Sea Chart |
21 12 | | !. |
AIN | | AIN Compressed Archive |
21 3C 61 72 63 68 3E 0A | | !<arch>. |
LIB | | Unix archiver (ar) files and Microsoft Program Library
Common Object File Format (COFF) |
21 42 44 4E | | !BDN |
PST | | Microsoft Outlook Personal Folder File |
23 20 | | # |
MSI | | Cerius2 file |
23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F | | # Disk D escripto |
VMDK | | VMware 4 Virtual Disk description file (split disk) |
23 20 4D 69 63 72 6F 73 6F 66 74 20 44 65 76 65 6C 6F 70 65 72 20 53 74 75 64 69 6F | | # Micros oft Deve loper St udio |
DSP | | Microsoft Developer Studio project file |
23 21 41 4D 52 | | #!AMR |
AMR | | Adaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction)
Codec, an audio format commonly used with GSM cell phones. (See RFC 4867.) |
23 3F 52 41 44 49 41 4E 43 45 0A | | #?RADIAN CE. |
HDR | | Radiance High Dynamic Range image file |
24 46 4C 32 40 28 23 29 20 53 50 53 53 20 44 41 54 41 20 46 49 4C 45 | | $FL2@(#) SPSS DA TA FILE |
SAV | | SPSS Data file |
25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30 | | %!PS-Ado be-3.0 E PSF-3.0 |
EPS | | Adobe encapsulated PostScript file
(If this signature is not at the immediate
beginning of the file, it will occur early
in the file, commonly at byte offset 30) |
25 50 44 46 | | %PDF |
PDF, FDF | | Adobe Portable Document Format and Forms Document file
Trailers:
0A 25 25 45 4F 46 (.%%EOF)
0A 25 25 45 4F 46 0A (.%%EOF.)
0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..)
0D 25 25 45 4F 46 0D (.%%EOF.)
NOTE: There may be multiple end-of-file marks within the
file. When carving, be sure to get the last one. |
28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 | | (This fi le must be conve rted wit h BinHex |
HQX | | Macintosh BinHex 4 Compressed Archive |
2A 2A 2A 20 20 49 6E 73 74 61 6C 6C 61 74 69 6F 6E 20 53 74 61 72 74 65 64 20 | | *** Ins tallatio n Starte d |
LOG | | Symantec Wise Installer log file |
[2 byte offset] 2D 6C 68 | | [2 byte offset] -lh |
LHA, LZH | | Compressed archive file |
2E 52 45 43 | | .REC |
IVR | | RealPlayer video file (V11 and later) |
2E 52 4D 46 | | .RMF |
RM, RMVB | | RealMedia streaming media file |
2E 52 4D 46 00 00 00 12 00 | | .RMF.... . |
RA | | RealAudio file |
2E 72 61 FD 00 | | .raý. |
RA | | RealAudio streaming media file |
2E 73 6E 64 | | .snd |
AU | | NeXT/Sun Microsystems µ-Law audio file |
30 | | 0 |
CAT | | Microsoft security catalog file |
30 00 00 00 4C 66 4C 65 | | 0...LfLe |
EVT | | Windows Event Viewer file |
30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C | | 0&²u.fÏ. ¦Ù.ª.bÎl |
ASF, WMA, WMV | | Microsoft Windows Media Audio/Video File
(Advanced Streaming Format) |
30 31 4F 52 44 4E 41 4E 43 45 20 53 55 52 56 45 59 20 20 20 20 20 20 20 | | 01ORDNAN CE SURVE Y |
NTF | | National Transfer Format Map File |
30 37 30 37 30 nn | | 07070. |
n/a | | Archive created with the cpio utility (where nn
values 0x37 ("7"), 0x31 ("1"), and 0x32 ("2") refer to the
standard ASCII format, new ASCII (aka SVR4) format, and CRC
format, respectively). (The swpackage(8) page has additional
information.) (Thanks to F. Webber for this....) |
31 BE or | | 1¾ |
32 BE | | 2¾ |
WRI | | Microsoft Write file |
34 CD B2 A1 | | 4Ͳ¡ |
n/a | | Extended tcpdump (libpcap) capture file (Linux/Unix) |
37 7A BC AF 27 1C | | 7z¼¯'. |
7Z | | 7-Zip compressed file |
37 E4 53 96 C9 DB D6 07 | | 7äS–ÛÖ. |
n/a | | zisofs compression format, recognized by some Linux kernels. See the
libburnia page for additional information. |
38 42 50 53 | | 8BPS |
PSD | | Photoshop image file |
3A 56 45 52 53 49 4F 4E | | :VERSION |
SLE | | Surfplan kite project file |
3C | | < |
ASX | | Advanced Stream redirector file |
XDR | | BizTalk XML-Data Reduced Schema file |
3C 21 64 6F 63 74 79 70 | | <!doctyp |
DCI | | AOL HTML mail file |
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D | | <?xml ve rsion= |
MANIFEST | | Windows Visual Stylesheet XML file |
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E | | <?xml ve rsion="1 .0"?> |
XUL | | XML User Interface Language file |
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E 0D 0A 3C 4D 4D 43 5F 43 6F 6E 73 6F 6C 65 46 69 6C 65 20 43 6F 6E 73 6F 6C 65 56 65 72 73 69 6F 6E 3D 22 | | <?xml ve rsion="1 .0"?>..< MMC_Cons oleFile ConsoleV ersion=" |
MSC | | Microsoft Management Console Snap-in Control file |
3C 4D 61 6B 65 72 46 69 6C 65 20 | | <MakerFi le |
FM, MIF | | Adobe FrameMaker file |
[24 byte offset] 3E 00 03 00 FE FF 09 00 06 | | [24 byte offset] >...þÿ.. . |
WB3 | | Quattro Pro for Windows 7.0 Notebook file |
3F 5F 03 00 | | ?_.. |
GID | | Windows Help index file |
HLP | | Windows Help file |
[32 byte offset] 40 40 40 20 00 00 40 40 40 40 | | [32 byte offset] @@@ ..@@ @@ |
ENL | | EndNote Library File |
41 43 31 30 | | AC10 |
DWG | | Generic AutoCAD drawing |
NOTES on AutoCAD file headers: The 0x41-43-31-30 (AC10) is a generic header, occupying the first
four bytes in the file. The next two bytes give further indication about the version or subtype:
- 0x30-32 (02) — AutoCAD R2.5
- 0x30-33 (03) — AutoCAD R2.6
- 0x30-34 (04) — AutoCAD R9
- 0x30-36 (06) — AutoCAD R10
- 0x30-39 (09) — AutoCAD R11/R12
- 0x31-30 (10) — AutoCAD R13 (subtype 10)
- 0x31-31 (11) — AutoCAD R13 (subtype 11)
- 0x31-32 (12) — AutoCAD R13 (subtype 12)
- 0x31-33 (13) — AutoCAD R14 (subtype 13)
- 0x31-34 (14) — AutoCAD R14 (subtype 14)
- 0x31-35 (15) — AutoCAD R2000
- 0x31-38 (18) — AutoCAD R2004
- 0x32-31 (21) — AutoCAD R2007
|
41 43 76 | | ACv |
SLE | | Steganos Security Suite virtual secure drive |
41 43 53 44 | | ACSD |
n/a | | Miscellaneous AOL parameter and information files |
41 45 53 | | AES |
AES | | AES Crypt file format. (The fourth byte is the version number.) |
41 4D 59 4F | | AMYO |
SYW | | Harvard Graphics symbol graphic |
41 4F 4C 20 46 65 65 64 62 61 67 | | AOL Feed bag |
BAG | | AOL and AIM buddy list file |
41 4F 4C 44 42 | | AOLDB |
ABY, IDX | | AOL database files: address book (ABY) and user configuration
data (MAIN.IDX) |
41 4F 4C 49 44 58 | | AOLIDX |
IND | | AOL client preferences/settings file (MAIN.IND) |
41 4F 4C 49 4E 44 45 58 | | AOLINDEX |
ABI | | AOL address book index file |
41 4F 4C 56 4D 31 30 30 | | AOLVM100 |
ORG, PFC | | AOL personal file cabinet (PFC) file |
41 56 47 36 5F 49 6E 74 65 67 72 69 74 79 5F 44 61 74 61 62 61 73 65 | | AVG6_Int egrity_D atabase |
DAT | | AVG6 Integrity database file |
41 72 43 01 | | ArC. |
ARC | | FreeArc compressed file |
42 41 41 44 | | BAAD |
n/a | | NTFS Master File Table (MFT) entry (1,024 bytes) |
42 45 47 49 4E 3A 56 43 41 52 44 0D 0A | | BEGIN:VC ARD.. |
VCF | | vCard file |
42 4C 49 32 32 33 51 | | BLI223Q |
BIN | | Thomson Speedtouch series WLAN router firmware |
42 4D | | BM |
BMP, DIB | | Windows (or device-independent) bitmap image
NOTE: Bytes 2-5 contain the file length in little-endian order. |
42 4F 4F 4B 4D 4F 42 49 | | BOOKMOBI |
PRC | | Palmpilot resource file |
42 5A 68 | | BZh |
BZ2, TAR.BZ2, TBZ2, TB2 | | bzip2 compressed archive |
43 23 2B 44 A4 43 4D A5 48 64 72 | | C#+D¤CM¥ Hdr |
RTD | | RagTime document file |
43 42 46 49 4C 45 | | CBFILE |
CBD | | WordPerfect dictionary file (unconfirmed) |
43 44 30 30 31 | | CD001 |
ISO | | ISO-9660 CD Disc Image
This signature usually occurs at byte offset 32769 (0x8001),
34817 (0x8801), or 36865 (0x9001).
More information can be found at MacTech or at ECMA. |
43 49 53 4F | | CISO |
CSO | | Compressed ISO (CISO) CD image |
43 4D 58 31 | | CMX1 |
CLB | | Corel Binary metafile |
43 4F 4D 2B | | COM+ |
CLB | | COM+ Catalog file |
43 4F 57 44 | | COWD |
VMDK | | VMware 3 Virtual Disk (portion of a split disk) file |
43 50 54 37 46 49 4C 45 | | CPT7FILE |
CPT | | Corel Photopaint file |
43 50 54 46 49 4C 45 | | CPTFILE |
CPT | | Corel Photopaint file |
43 52 45 47 | | CREG |
DAT | | Windows 9x registry hive |
43 52 55 53 48 20 76 | | CRUSH v |
CRU | | Crush compressed archive |
43 57 53 | | CWS |
SWF | | Shockwave Flash file (v5+) |
43 61 74 61 6C 6F 67 20 33 2E 30 30 00 | | Catalog 3.00. |
CTF | | WhereIsIt Catalog file |
43 6C 69 65 6E 74 20 55 72 6C 43 61 63 68 65 20 4D 4D 46 20 56 65 72 20 | | Client U rlCache MMF Ver |
DAT | | IE History (index.dat) file |
44 41 58 00 | | DAX. |
DAX | | DAX Compressed CD image |
44 42 46 48 | | DBFH |
DB | | Palm Zire photo database |
44 4D 53 21 | | DMS! |
DMS | | Amiga DiskMasher compressed archive |
44 4F 53 | | DOS |
ADF | | Amiga disk file |
44 56 44 | | DVD |
DVR | | DVR-Studio stream file |
IFO | | DVD info file |
45 4C 49 54 45 20 43 6F 6D 6D 61 6E 64 65 72 20 | | ELITE Co mmander |
CDR | | Elite Plus Commander saved game file |
45 4E 54 52 59 56 43 44 02 00 00 01 02 00 18 58 | | ENTRYVCD .......X |
VCD | | VideoVCD (GNU VCDImager) file |
45 52 46 53 53 41 56 45 44 41 54 41 46 49 4C 45 | | ERFSSAVE DATAFILE |
DAT | | Kroll EasyRecovery Saved Recovery State file |
45 50 | | EP |
MDI | | Microsoft Document Imaging file |
45 56 46 09 0D 0A FF 00 | | EVF...ÿ. |
Enn (where nn are numbers) | | Expert Witness Compression Format (EWF) file, including EWF-E01
and EWF-S01, as used in EnCase and SMART evidence files.
See the EWF specification. |
45 56 46 32 0D 0A 81 | | EVF2... |
Exnn (where nn are numbers) | | EnCase® Evidence File Format Version 2 (Ex01).
See the document. |
45 6C 66 46 69 6C 65 00 | | ElfFile. |
EVTX | | Windows Vista event log file |
45 86 00 00 06 00 | | E†.... |
QBB | | Intuit QuickBooks backup file |
46 41 58 43 4F 56 45 52 2D 56 45 52 | | FAXCOVER -VER |
CPE | | Microsoft Fax Cover Sheet |
46 44 42 48 00 | | FDBH. |
FDB | | Fiasco database definition file |
46 45 44 46 | | FEDF |
SBV | | (Unknown file type) |
46 49 4C 45 | | FILE |
n/a | | NTFS Master File Table (MFT) entry (1,024 bytes) |
46 4C 56 01 | | FLV. |
FLV | | Flash video file |
46 4F 52 4D 00 | | FORM. |
AIFF | | Audio Interchange File |
DAX | | DAKX Compressed Audio |
46 57 53 | | FWS |
SWF | | Macromedia Shockwave Flash player file |
46 72 6F 6D 20 20 20 or | | From |
46 72 6F 6D 20 3F 3F 3F or | | From ??? |
46 72 6F 6D 3A 20 | | From: |
EML | | A common file extension for e-mail files. Signatures shown here
are for Netscape, Eudora, and a generic signature, respectively.
EML is also used by Outlook Express and QuickMail. |
47 46 31 50 41 54 43 48 | | GF1PATCH |
PAT | | Advanced Gravis Ultrasound patch file |
47 49 46 38 37 61 or | | GIF87a |
47 49 46 38 39 61 | | GIF89a |
GIF | | Graphics interchange format file
Trailer: 00 3B (.;) |
47 50 41 54 | | GPAT |
PAT | | GIMP (GNU Image Manipulation Program) pattern file |
47 58 32 | | GX2 |
GX2 | | Show Partner graphics file (not confirmed) |
47 65 6E 65 74 65 63 20 4F 6D 6E 69 63 61 73 74 | | Genetec Omnicast |
G64 | | Genetec video archive |
48 48 47 42 31 | | HHGB1 |
SH3 | | Harvard Graphics presentation file |
49 20 49 | | I I |
TIF, TIFF | | Tagged Image File Format file |
49 44 33 | | ID3 |
MP3 | | MPEG-1 Audio Layer 3 (MP3) audio file |
49 44 33 03 00 00 00 | | ID3.... |
KOZ | | Sprint Music Store audio file (for mobile devices) |
49 49 1A 00 00 00 48 45 41 50 43 43 44 52 02 00 | | II....HE APCCDR.. |
CRW | | Canon digital camera RAW file |
49 49 2A 00 | | II*. |
TIF, TIFF | | Tagged Image File Format file (little
endian, i.e., LSB first in the byte; Intel) |
49 49 2A 00 10 00 00 00 43 52 | | II*..... CR |
CR2 | | Canon digital camera RAW file |
49 53 63 28 | | ISc( |
CAB, HDR | | Install Shield v5.x or 6.x compressed file |
49 54 4F 4C 49 54 4C 53 | | ITOLITLS |
LIT | | Microsoft Reader eBook file |
49 54 53 46 | | ITSF |
CHI, CHM | | Microsoft Compiled HTML Help File |
49 6E 6E 6F 20 53 65 74 75 70 20 55 6E 69 6E 73 74 61 6C 6C 20 4C 6F 67 20 28 62 29 | | Inno Set up Unins tall Log (b) |
DAT | | Inno Setup Uninstall Log file |
49 6E 74 65 72 40 63 74 69 76 65 20 50 61 67 65 | | Inter@ct ive Page |
IPD | | Inter@ctive Pager Backup (BlackBerry) backup file
(See also IPD File Format page or IPD File for BlackBerry) |
4A 41 52 43 53 00 | | JARCS. |
JAR | | JARCS compressed archive |
4A 47 03 0E or | | JG.. |
4A 47 04 0E | | JG.. |
ART | | AOL ART file
Trailers:
For 0x4A-47-03-0E: D0 CB 00 00 (ÐË..)
For 0x4A-47-04-0E: CF C7 CB (ÏÇË) |
4B 44 4D | | KDM |
VMDK | | VMware 4 Virtual Disk (portion of a split disk) file |
4B 44 4D 56 | | KDMV |
VMDK | | VMware 4 Virtual Disk (monolithic disk) file |
4B 47 42 5F 61 72 63 68 20 2D | | KGB_arch - |
KGB | | KGB archive |
4B 49 00 00 | | KI.. |
SHD | | Windows 9x printer spool file |
4B 57 41 4A 88 F0 27 D1 | | KWAJˆð'Ñ |
n/a | | KWAJ file format used by DOS COMPRESS.EXE and EXPAND.EXE commands.
This command compresses a single file, replacing the last character in the file name
with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or
FOO.BA$. (See the SZDD/KWAJ page for more information.) |
4C 00 00 00 01 14 02 00 | | L....... |
LNK | | Windows shortcut file. See also The Meaning of Linkfiles in Forensic Examinations. |
4C 01 | | L. |
OBJ | | Microsoft Common Object File Format (COFF) relocatable
object code file for Intel 386 or later/compatible processors |
4C 4E 02 00 | | LN.. |
GID | | Windows Help index file |
HLP | | Windows Help file. |
4C 56 46 09 0D 0A FF 00 | | LVF...ÿ. |
Enn (where nn are numbers) | | Logical File Evidence Format (EWF-L01) as used in later versions of
EnCase evidence files. See the EWF specification. |
4D 2D 57 20 50 6F 63 6B 65 74 20 44 69 63 74 69 | | M-W Pock et Dicti |
PDB | | Merriam-Webster Pocket Dictionary file |
4D 41 52 31 00 | | MAR1. |
MAR | | Mozilla archive |
4D 41 52 43 | | MARC |
MAR | | Microsoft/MSN MARC archive |
4D 41 72 30 00 | | MAr0. |
MAR | | MAr compressed archive |
4D 44 4D 50 93 A7 | | MDMPҤ |
HDMP | | Windows heap dump file |
DMP | | Windows minidump file |
4D 49 4C 45 53 | | MILES |
MLS | | Milestones v1.0 project management and scheduling software
(Also see "MV2C" and "MV214" signatures) |
4D 4C 53 57 | | MLSW |
MLS | | Skype localization data file |
4D 4D 00 2A | | MM.* |
TIF, TIFF | | Tagged Image File Format file (big
endian, i.e., LSB last in the byte; Motorola) |
4D 4D 00 2B | | MM.+ |
TIF, TIFF | | BigTIFF files; Tagged Image File Format files >4 GB |
4D 4D 4D 44 00 00 | | MMMD.. |
MMF | | Yamaha Corp. Synthetic music Mobile Application Format (SMAF)
for multimedia files that can be played on hand-held devices. |
4D 52 56 4E | | MRVN |
NVRAM | | VMware BIOS (non-volatile RAM) state file. |
4D 53 43 46 | | MSCF |
CAB | | Microsoft cabinet file |
PPZ | | Powerpoint Packaged Presentation |
SNP | | Microsoft Access Snapshot Viewer file |
4D 53 46 54 02 00 01 00 | | MSFT.... |
TLB | | OLE, SPSS, or Visual C++ type library file |
4D 53 5F 56 4F 49 43 45 | | MS_VOICE |
CDR, DVF | | Sony Compressed Voice File |
MSV | | Sony Memory Stick Compressed Voice file |
4D 54 68 64 | | MThd |
MID, MIDI | | Musical Instrument Digital Interface (MIDI) sound file |
4D 56 | | MV |
DSN | | CD Stomper Pro label file |
4D 56 32 31 34 | | MV214 |
MLS | | Milestones v2.1b project management and scheduling software
(Also see "MILES" and "MV2C" signatures) |
4D 56 32 43 | | MV2C |
MLS | | Milestones v2.1a project management and scheduling software
(Also see "MILES" and "MV214" signatures) |
4D 5A | | MZ |
COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS | | Windows/DOS executable file
(See The MZ EXE File Format page for the structure of an EXE file,
with coverage of NE, TLINK, PE, self-extracting archives, and more.) |
ACM | | MS audio compression manager driver |
AX | | Library cache file |
CPL | | Control panel application |
FON | | Font file |
OCX | | ActiveX or OLE Custom Control |
OLB | | OLE object library |
SCR | | Screen saver |
VBX | | VisualBASIC application |
VXD, 386 | | Windows virtual device drivers |
4D 5A 90 00 03 00 00 00 | | MZ...... |
API | | Acrobat plug-in |
AX | | DirectShow filter |
FLT | | Audition graphic filter file (Adobe) |
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF | | MZ...... ....ÿÿ |
ZAP | | ZoneAlarm data file |
4D 69 63 72 6F 73 6F 66 74 20 43 2F 43 2B 2B 20 | | Microsof t C/C++ |
PDB | | Microsoft C++ debugging symbols file |
4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65 | | Microsof t Visual Studio Solution File |
SLN | | Visual Studio .NET Solution file |
[84 byte offset] 4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 4D 65 64 69 61 20 50 6C 61 79 65 72 20 2D 2D 20 | | [84 byte offset] Microsof t Window s Media Player - - |
WPL | | Windows Media Player playlist |
4D 73 52 63 66 | | MsRcf |
GDB | | VMapSource GPS Waypoint Database |
4E 41 56 54 52 41 46 46 49 43 | | NAVTRAFF IC |
DAT | | TomTom traffic data file |
4E 42 2A 00 | | NB*. |
JNT, JTP | | MS Windows journal file |
4E 45 53 4D 1A 01 | | NESM.. |
NSF | | NES Sound file |
4E 49 54 46 30 | | NITF0 |
NTF | | National Imagery Transmission Format (NITF) file |
4E 61 6D 65 3A 20 | | Name: |
COD | | Agent newsreader character map file |
4F 50 4C 44 61 74 61 62 61 73 65 46 69 6C 65 | | OPLDatab aseFile |
DBF | | Psion Series 3 Database file |
4F 67 67 53 00 02 00 00 00 00 00 00 00 00 | | OggS.... ...... |
OGA, OGG, OGV, OGX | | Ogg Vorbis Codec compressed Multimedia file |
4F 7B | | O{ |
DW4 | | Visio/DisplayWrite 4 text file (unconfirmed) |
50 00 00 00 20 00 00 00 | | P... ... |
IDX | | Quicken QuickFinder Information File |
50 35 0A | | P5. |
PGM | | Portable Graymap Graphic |
50 41 43 4B | | PACK |
PAK | | Quake archive file |
50 41 47 45 44 55 36 34 | | PAGEDU64 |
DMP | | Windows 64-bit memory dump |
50 41 47 45 44 55 4D 50 | | PAGEDUMP |
DMP | | Windows memory dump |
50 41 58 | | PAX |
PAX | | PAX password protected bitmap |
50 45 53 54 | | PEST |
DAT | | PestPatrol data/scan strings |
50 47 50 64 4D 41 49 4E | | PGPdMAIN |
PGD | | PGP disk image |
50 49 43 54 00 08 | | PICT.. |
IMG | | ADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file |
50 4B 03 04 | | PK.. |
ZIP | | PKZIP archive file (Ref. 1 | Ref. 2)
Trailer: filename 50 4B 17 characters 00 00 00
Trailer: (filename PK 17 characters ...) |
ZIP | | Apple Mac OS X Dashboard Widget, Aston Shell theme, Oolite eXpansion Pack,
Opera Widget, Pivot Style Template, Rockbox Theme package, Simple Machines
Forums theme, SubEthaEdit Mode, Trillian zipped skin, Virtual Skipper skin |
JAR | | Java archive; compressed file package for classes and data |
KMZ | | Google Earth saved working session file |
KWD | | KWord document |
ODT, ODP, OTT | | OpenDocument text document, presentation, and text document template, respectively. |
SXC, SXD, SXI, SXW | | OpenOffice spreadsheet (Calc), drawing (Draw), presentation (Impress),
and word processing (Writer) files, respectively. |
SXC | | StarOffice spreadsheet |
WMZ | | Windows Media compressed skin file |
XPI | | Mozilla Browser Archive |
XPS | | XML paper specification file |
XPT | | eXact Packager Models |
50 4B 03 04 14 00 01 00 63 00 00 00 00 00 | | PK...... c..... |
ZIP | | ZLock Pro encrypted ZIP |
50 4B 03 04 14 00 06 00 | | PK...... |
DOCX, PPTX, XLSX | | Microsoft Office Open XML Format (OOXML) Document
NOTE: There is no subheader for MS OOXML files as there is with
DOC, PPT, and XLS files. To better understand the format of these files,
rename any OOXML file to have a .ZIP extension and then unZIP the file;
look at the resultant file named [Content_Types].xml to see the content
types. In particular, look for the <Override PartName= tag, where you
will find word, ppt, or xl, respectively.
Trailer: Look for 50 4B 05 06 (PK..) followed by 18 additional bytes
at the end of the file. |
50 4B 03 04 14 00 08 00 08 00 | | PK...... .. |
JAR | | Java archive |
50 4B 05 06 | | PK.. |
50 4B 07 08 | | PK.. |
ZIP | | PKZIP empty and multivolume archive file, respectively |
[30 byte offset] 50 4B 4C 49 54 45 | | [30 byte offset] PKLITE |
ZIP | | PKLITE compressed ZIP archive (see also PKZIP) |
[526 byte offset] 50 4B 53 70 58 | | [526 byte offset] PKSpX |
ZIP | | PKSFX self-extracting executable compressed file (see also PKZIP) |
50 4D 43 43 | | PMCC |
GRP | | Windows Program Manager group file |
50 4E 43 49 55 4E 44 4F | | PNCIUNDO |
DAT | | Norton Disk Doctor undo file |
[92 byte offset] 51 45 4C 20 | | [92 byte offset] QEL |
QEL | | Quicken data file |
51 46 49 FB | | QFIû |
IMG | | QEMU Qcow Disk Image |
51 57 20 56 65 72 2E 20 | | QW Ver. |
ABD, QSD | | Quicken data file |
52 41 5A 41 54 44 42 31 | | RAZATDB1 |
DAT | | Shareaza (Windows P2P client) thumbnail |
52 45 47 45 44 49 54 | | REGEDIT |
REG, SUD | | Windows NT Registry and Registry Undo files |
52 45 56 4E 55 4D 3A 2C | | REVNUM:, |
ADF | | Antenna data file |
52 49 46 46 | | RIFF |
ANI | | Windows animated cursor |
CMX | | Corel Presentation Exchange (Corel 10 CMX) Metafile |
CDR | | CorelDraw document |
DAT | | Video CD MPEG or MPEG1 movie file |
DS4 | | Micrografx Designer v4 graphic file |
4XM | | 4X Movie video |
52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54 | | RIFF.... AVI LIST |
AVI | | Resource Interchange File Format -- Windows Audio Video Interleave file |
52 49 46 46 xx xx xx xx 43 44 44 41 66 6D 74 20 | | RIFF.... CDDAfmt |
CDA | | Resource Interchange File Format -- Compact Disc
Digital Audio (CD-DA) file |
52 49 46 46 xx xx xx xx 51 4C 43 4D 66 6D 74 20 | | RIFF.... QLCMfmt |
QCP | | Resource Interchange File Format -- Qualcomm
PureVoice |
52 49 46 46 xx xx xx xx 52 4D 49 44 64 61 74 61 | | RIFF.... RMIDdata |
RMI | | Resource Interchange File Format -- Windows Musical Instrument Digital Interface file |
52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20 | | RIFF.... WAVEfmt |
WAV | | Resource Interchange File Format -- Audio for Windows file |
52 54 53 53 | | RTSS |
CAP | | Windows NT Netmon capture file |
52 61 72 21 1A 07 00 | | Rar!... |
RAR | | WinRAR compressed archive file |
52 65 74 75 72 6E 2D 50 61 74 68 3A 20 | | Return-P ath: |
EML | | A common file extension for e-mail files. |
53 43 48 6C | | SCHl |
AST | | Need for Speed: Underground Audio file |
53 43 4D 49 | | SCMI |
IMG | | Img Software Set Bitmap |
53 48 4F 57 | | SHOW |
SHW | | Harvard Graphics DOS Ver. 2/x Presentation file |
53 49 45 54 52 4F 4E 49 43 53 20 58 52 44 20 53 43 41 4E | | SIETRONI CS XRD S CAN |
CPI | | Sietronics CPI XRD document |
53 49 54 21 00 | | SIT!. |
SIT | | StuffIt compressed archive |
53 4D 41 52 54 44 52 57 | | SMARTDRW |
SDR | | SmartDraw Drawing file |
53 50 46 49 00 | | SPFI. |
SPF | | StorageCraft ShadowProtect backup file |
53 51 4C 4F 43 4F 4E 56 48 44 00 00 31 2E 30 00 | | SQLOCONV HD..1.0. |
CNV | | DB2 conversion file |
53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00 | | SQLite f ormat 3. |
DB | | SQLite database file |
53 5A 20 88 F0 27 33 D1 | | SZ ˆð'3Ñ |
n/a | | QBASIC SZDD file header variant. (See the SZDD or KWAJ format entries
for additional information.) |
53 5A 44 44 88 F0 27 33 | | SZDDˆð'3 |
n/a | | SZDD file format used by DOS COMPRESS.EXE and EXPAND.EXE commands.
This command compresses a single file, replacing the last character in the file name
with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or
FOO.BA$. (See the SZDD/KWAJ page for more information.) |
53 6D 62 6C | | Smbl |
SYM | | (Unconfirmed file type. Likely type is Harvard Graphics
Version 2.x graphic symbol or Windows SDK graphic symbol) |
53 74 75 66 66 49 74 20 28 63 29 31 39 39 37 2D | | StuffIt (c)1997- |
SIT | | StuffIt compressed archive |
53 75 70 65 72 43 61 6C 63 | | SuperCal c |
CAL | | SuperCalc worksheet |
54 68 69 73 20 69 73 20 | | This is |
INFO | | UNIX GNU Info Reader File |
55 43 45 58 | | UCEX |
UCE | | Unicode extensions |
55 46 41 C6 D2 C1 | | UFAÆÒÁ |
UFA | | UFA compressed archive |
55 46 4F 4F 72 62 69 74 | | UFOOrbit |
DAT | | UFO Capture v2 map file |
56 43 50 43 48 30 | | VCPCH0 |
PCH | | Visual C PreCompiled header file |
56 45 52 53 49 4F 4E 20 | | VERSION |
CTL | | Visual Basic User-defined Control file |
56 65 72 73 69 6F 6E 20 | | Version |
MIF | | MapInfo Interchange Format file |
57 4D 4D 50 | | WMMP |
DAT | | Walkman MP3 container file |
57 53 32 30 30 30 | | WS2000 |
WS2 | | WordStar for Windows Ver. 2 document |
[29,152 byte offset] 57 69 6E 5A 69 70 | | [29,152 byte offset] WinZip |
ZIP | | WinZip compressed archive |
57 6F 72 64 50 72 6F | | WordPro |
LWP | | Lotus WordPro document. |
58 2D | | X- |
EML | | A common file extension for e-mail files. This variant is
for Exchange. |
58 43 50 00 | | XCP. |
CAP | | Cinco NetXRay, Network General Sniffer, and
Network Associates Sniffer capture file |
58 50 43 4F 4D 0A 54 79 70 65 4C 69 62 | | XPCOM.Ty peLib |
XPT | | XPCOM type libraries for the XPIDL compiler |
58 54 | | XT.. |
BDR | | MS Publisher border |
5A 4F 4F 20 | | ZOO |
ZOO | | ZOO compressed archive |
5B 47 65 6E 65 72 61 6C 5D 0D 0A 44 69 73 70 6C 61 79 20 4E 61 6D 65 3D 3C 44 69 73 70 6C 61 79 4E 61 6D 65 | | [General ]..Displ ay Name= <Display Name |
ECF | | MS Exchange 2007 extended configuration file |
5B 4D 53 56 43 | | [MSVC |
VCW | | Microsoft Visual C++ Workbench Information File |
5B 50 68 6F 6E 65 5D | | [Phone] |
DUN | | Dial-up networking file |
5B 56 45 52 5D or | | [VER] |
5B 76 65 72 5D or | | [ver] |
SAM | | Lotus AMI Pro document |
[2 byte offset] 5B 56 65 72 73 69 6F 6E | | [2 byte offset] [Version |
CIF | | (Unknown file type) |
5B 57 69 6E 64 6F 77 73 20 4C 61 74 69 6E 20 | | [Windows Latin |
CPX | | Microsoft Code Page Translation file |
5B 66 6C 74 73 69 6D 2E 30 5D | | [fltsim. 0] |
CFG | | Flight Simulator Aircraft Configuration file |
5B 70 6C 61 79 6C 69 73 74 5D | | [playlis t] |
PLS | | WinAmp Playlist file |
5F 27 A8 89 | | _'¨‰ |
JAR | | Jar archive |
5F 43 41 53 45 5F | | _CASE_ |
CAS, CBK | | EnCase case file (and backup) |
60 EA | | `ê |
ARJ | | Compressed archive file |
62 65 67 69 6E | | begin |
n/a | | UUencoded files start with a string:
begin mode path
where mode is the set of permissions as used in
Linux/Unix and path is the name given to the decoded
file. (See this uuencode page for more information.) |
62 70 6C 69 73 74 | | bplist |
plist | | Binary property list (plist)
(NOTE: Next two bytes are the version number, currently
0x30-30, or "00") |
63 6F 6E 65 63 74 69 78 | | conectix |
VHD | | Virtual PC Virtual HD image |
63 75 73 68 00 00 00 02 00 00 00 | | cush.... ... |
CSH | | Photoshop Custom Shape |
64 00 00 00 | | d... |
P10 | | Intel PROset/Wireless Profile |
64 65 78 0A 30 30 39 00 | | dex.009. |
dex | | Dalvik executable file (Android) |
64 73 77 66 69 6C 65 | | dswfile |
DSW | | Microsoft Visual Studio workspace file |
64 6E 73 2E | | dns. |
AU | | Audacity audio file |
66 49 00 00 | | fI.. - |
SHD | | Windows NT printer spool file |
66 4C 61 43 00 00 00 22 | | fLaC..." |
FLAC | | Free Lossless Audio Codec file |
67 49 00 00 | | gI.. - |
SHD | | Windows 2000/XP printer spool file |
68 49 00 00 | | hI.. - |
SHD | | Windows Server 2003 printer spool file |
6C 33 33 6C | | l33l |
DBB | | Skype user data file (profile and contacts) |
[4 byte offset] 6D 6F 6F 76 | | [4 byte offset] moov |
MOV | | QuickTime movie file |
.MOV files have a complicated file signature. The string "moov" is the most common but I have also seen:
0x66-72-65-65 free
0x6D-64-61-74 mdat
0x77-69-64-65 wide
And the following have been reported to me:
0x70-6E-6F-74 pnot
0x73-6B-69-70 skip
Furthermore, if you look at byte position xxxxxxxx+4 (where xxxxxxxx is bytes 0-3 of the header), you
will find one (or more!) of these strings repeated; the string "free" seems to be the most common. For
more information, see the QuickTime File Format page. (Thanks to D. Wright for getting me started on this!)
|
6F 3C | | o< |
n/a | | Short Message Service (SMS), or text, message stored on a
Subscriber Identification Module (SIM). |
72 65 67 66 | | regf |
DAT | | Windows NT registry hive file |
72 69 66 66 | | riff |
ACD | | Sonic Foundry Acid Music File (Sony) |
72 74 73 70 3A 2F 2F | | rtsp:// |
RAM | | RealMedia metafile |
73 6C 68 21 or | | slh! |
73 6C 68 2E | | slh. |
DAT | | Allegro Generic Packfile Data file (0x21 = compressed,
0x2E = uncompressed) |
73 6D 5F | | sm_ |
PDB | | PalmOS SuperMemo file |
73 72 63 64 6F 63 69 64 3A | | srcdocid : |
CAL | | CALS raster bitmap file |
73 7A 65 7A | | szez |
PDB | | PowerBASIC Debugger Symbols file |
[60 byte offset] 74 42 4D 50 4B 6E 57 72 | | [60 byte offset] tBMPKnWr |
PRC | | PathWay Map file, used with GPS devices |
[257 byte offset] 75 73 74 61 72 | | [257 byte offset] ustar |
TAR | | Tape Archive file (http://www.mkssoftware.com/docs/man4/tar.4.asp) |
76 32 30 30 33 2E 31 30 0D 0A 30 0D 0A | | v2003.10 ..0.. |
FLT | | Qimage filter |
78 | | x |
DMG | | Mac OS X Disk Copy Disk Image file |
7A 62 65 78 | | zbex |
INFO | | ZoomBrowser Image Index file (ZbThumbnal.info) |
7B 0D 0A 6F 20 | | {..o |
LGC, LGD | | Windows application log |
7B 5C 70 77 69 | | {\pwi |
PWI | | Microsoft Windows Mobile personal note file |
7B 5C 72 74 66 31 | | {\rtf1 |
RTF | | Rich text format word processing file
Trailer: 5C 70 61 72 20 7D 7D (\par }}) |
7E 42 4B 00 | | ~BK. |
PSP | | Corel Paint Shop Pro image file |
7F 45 4C 46 | | .ELF |
n/a | | Executable and Linking Format executable file (Linux/Unix) |
80 | | . |
OBJ | | Relocatable object code |
80 00 00 20 03 12 04 | | ....... |
ADX | | Dreamcast audio file |
81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 | | .2„Á….Ð. ²..ª.<öv |
WAB | | Outlook Express address book (Win95) |
81 CD AB | | .Í« |
WPF | | WordPerfect text file |
89 50 4E 47 0D 0A 1A 0A | | ‰PNG.... |
PNG | | Portable Network Graphics file
Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚...) |
8A 01 09 00 00 00 E1 08 00 00 99 19 | | Š.....á. ..™. |
AW | | MS Answer Wizard file |
91 33 48 46 | | ‘3HF |
HAP | | Hamarsoft HAP 3.x compressed archive |
95 00 or | | •. |
95 01 | | •. |
SKR | | PGP secret keyring file |
99 | | ™ |
GPG | | GNU Privacy Guard (GPG) public keyring |
99 01 | | ™. |
PKR | | PGP public keyring file |
9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 | | œËË..UÒ. ‘X.ÀOyV¤ |
WAB | | Outlook address file |
[512 byte offset] A0 46 1D F0 | | [512 byte offset] F.ð |
PPT | | PowerPoint presentation subheader (MS Office) |
A1 B2 C3 D4 | | ¡²ÃÔ |
n/a | | tcpdump (libpcap) capture file (Linux/Unix) |
A1 B2 CD 34 | | ¡²Í4 |
n/a | | Extended tcpdump (libpcap) capture file (Linux/Unix) |
A9 0D 00 00 00 00 00 00 | | ©....... |
DAT | | Access Data FTK evidence file |
AC 9E BD 8F 00 00 | | ¬.½... |
QDF | | Quicken data file |
AC ED | | ’ |
n/a | | Java serialization data (see Object Serialization Stream Protocol) |
AC ED 00 05 73 72 00 12 62 67 62 6C 69 74 7A 2E | | ’..sr.. bgblitz. |
PDB | | BGBlitz (professional Backgammon software) position database file |
B0 4D 46 43 | | °MFC |
PWL | | Windows 95 password file |
B1 68 DE 3A | | ±hÞ: |
DCX | | Graphics Multipage PCX bitmap file |
B4 6E 68 44 | | ´nhd |
TIB | | Acronis True Image file |
B5 A2 B0 B3 B3 B0 A5 B5 | | µ¢°³³°¥µ |
CAL | | Windows calendar file |
BE 00 00 00 AB 00 00 00 00 00 00 00 00 | | ¾...«... .... |
WRI | | MS Write file |
C3 AB CD AB | | ëͫ |
ACS | | MS Agent Character file |
C5 D0 D3 C6 | | ÅÐÓÆ |
EPS | | Adobe encapsulated PostScript file |
C8 00 79 00 | | È.y. |
LBK | | Jeppesen FliteLog file |
CA FE BA BE | | Êþº¾ |
CLASS | | Java bytecode file |
CD 20 AA AA 02 00 00 00 | | Í ªª.... |
n/a | | Norton Anti-Virus quarantined virus file |
CF 11 E0 A1 B1 1A E1 00 | | Ï.ࡱ.á. |
DOC | | Perfect Office document
[Note similarity to MS Office header, below] |
CF AD 12 FE | | Ï.þ |
DBX | | Outlook Express e-mail folder |
D0 CF 11 E0 A1 B1 1A E1 | | ÐÏ.ࡱ.á |
DOC, DOT, PPS, PPT, XLA, XLS, WIZ | | Microsoft Office applications (Word, PowerPoint, Excel, Wizard)
[See also Word, Powerpoint, and Excel "subheaders" at byte offset 512]
[Note the similarity between D0 CF 11 E0 and the word "docfile"!] |
AC_ | | CaseWare Working Papers compressed client file |
ADP | | Access project file |
APR | | Lotus/IBM Approach 97 file |
DB | | MSWorks database file |
MSC | | Microsoft Common Console Document |
MSI | | Microsoft Installer package |
MTW | | Minitab data file |
OPT | | Developer Studio File Workspace Options file |
PUB | | MS Publisher file |
QBM | | QuickBooks Portable Company File |
RVT | | Revit Project file |
SUO | | Visual Studio Solution User Options file |
SPO | | SPSS output file |
VSD | | Visio file |
WPS | | MSWorks text document |
D2 0A 00 00 | | Ò... |
FTR | | GN Nettest WinPharoah filter file |
D4 2A | | Ô* |
ARL, AUT | | AOL history (ARL) and typed URL (AUT) files |
D4 C3 B2 A1 | | Ôò¡ |
n/a | | WinDump (winpcap) capture file (Windows) |
D7 CD C6 9A | | ×ÍÆš |
WMF | | Windows graphics metafile |
DB A5 2D 00 | | Û¥-. |
DOC | | Word 2.0 file |
DC DC | | ÜÜ |
CPL | | Corel color palette file |
DC FE | | Üþ |
EFX | | eFax file format |
E3 10 00 01 00 00 00 00 | | ã....... |
INFO | | Amiga Icon file |
E3 82 85 96 | | ã‚…– |
PWL | | Windows 98 password file |
E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 | | äR\{ŒØ§M ®±SxÐ)–Ó |
ONE | | Microsoft OneNote note |
E8 or | | è |
E9 or | | é |
EB | | ë |
COM, SYS | | Windows executable file |
EB 3C 90 2A | | ë<.* |
IMG | | GEM Raster file |
[512 byte offset] EC A5 C1 00 | | [512 byte offset] ì¥Á. |
DOC | | Word document subheader (MS Office) |
ED AB EE DB | | í«îÛ |
RPM | | RedHat Package Manager file |
EF BB BF | |  |
n/a | | Byte-order mark for 8-bit Unicode Transformation Format
(UTF-8) files. (See the Unicode Home Page.) |
[At a cluster boundary] F0 FF FF | | [At a cluster boundary] ðÿÿ |
n/a | | FAT12 File Allocation Table |
[At a cluster boundary] F8 FF FF FF | | [At a cluster boundary] øÿÿÿ |
n/a | | FAT16 File Allocation Table |
[At a cluster boundary] F8 FF FF 0F FF FF FF FF | | [At a cluster boundary] øÿÿ.ÿÿÿÿ |
n/a | | FAT32 File Allocation Table |
[512 byte offset] FD FF FF FF 04 | | [512 byte offset] ýÿÿÿ. |
QBM | | QuickBooks Portable Company File |
SUO | | Visual Studio Solution User Options subheader (MS Office) |
[512 byte offset] FD FF FF FF nn 00 00 00 | | [512 byte offset] ýÿÿÿ.... |
PPT | | PowerPoint presentation subheader (MS Office)
(where nn has been seen with values 0x0E, 0x1C, and 0x43) |
[512 byte offset] FD FF FF FF nn 00 | | [512 byte offset] ýÿÿÿ.. |
or |
[512 byte offset] FD FF FF FF nn 02 | | [512 byte offset] ýÿÿÿ.. |
XLS | | Excel spreadsheet subheader (MS Office)
(where nn = 0x10, 0x1F, 0x22, 0x23, 0x28, or 0x29) |
[512 byte offset] FD FF FF FF 20 00 00 00 | | [512 byte offset] ýÿÿÿ ... |
OPT | | Developer Studio File Workspace Options subheader (MS Office) |
XLS | | Excel spreadsheet subheader (MS Office) |
[512 byte offset] FD FF FF FF xx xx xx xx xx xx xx xx 04 00 00 00 | | [512 byte offset] ýÿÿÿ.... ........ |
DB | | Thumbs.db subheader (MS Office) |
FE EF | | þï |
GHO, GHS | | Symantec Ghost image file |
FE FF | | þÿ |
n/a | | Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), little-endian files.
(See the Unicode Home Page.) |
FF | | ÿ |
SYS | | Windows executable (SYS) file |
FF 00 02 00 04 04 05 54 02 00 | | ÿ......T .. |
WKS | | Works for Windows spreadsheet file |
FF 46 4F 4E 54 | | ÿFONT |
CPI | | Windows international code page |
FF 4B 45 59 42 20 20 20 | | ÿKEYB |
SYS | | Keyboard driver file |
FF 57 50 43 | | ÿWPC |
WP, WPD, WPG, WPP, WP5, WP6 | | WordPerfect text and graphics file |
FF D8 FF E0 xx xx 4A 46 49 46 00 | | ÿØÿà..JF IF. |
JFIF, JPE, JPEG, JPG | | JPEG/JFIF graphics file
Trailer: FF D9 (ÿÙ) |
FF D8 FF E1 xx xx 45 78 69 66 00 | | ÿØÿá..Ex if. |
JPG | | Digital camera JPG using Exchangeable Image File Format (EXIF)
Trailer: FF D9 (ÿÙ)
See "Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis" (P. Alvarez, IJDE, 2(3), Winter 2004) and ExifTool Tag Names |
FF D8 FF E8 xx xx 53 50 49 46 46 00 | | ÿØÿè..SP IFF. |
JPG | | Still Picture Interchange File Format (SPIFF)
Trailer: FF D9 (ÿÙ) |
NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three bytes 0xFF-D8-FF.
The fourth byte is also indicative of JPEG content. Various options include:
|
FF Ex | | ÿ. |
FF Fx | | ÿ. |
MPEG, MPG, MP3 | | MPEG audio file frame synch pattern |
FF FE | | ÿþ |
REG | | Windows Registry file |
n/a | | Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), big-endian files.
(See the Unicode Home Page.) |
FF FE 00 00 | | ÿþ.. |
n/a | | Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), little-endian files.
(See the Unicode Home Page.) |
FF FE 23 00 6C 00 69 00 6E 00 65 00 20 00 31 00 | | ÿþ#.l.i. n.e. .1. |
MOF | | Windows MSinfo file |
FF FF FF FF | | ÿÿÿÿ |
SYS | | DOS system driver |