This table of file signatures (aka "magic numbers") is a work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000). Other useful and reasonably current sources are C.E. Codere's File Format site or the magic file commonly available with Linux systems. This table is still growing and contributions are welcome! Comments and queries can be sent to Gary Kessler at kumquat@sover.net.
This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know what a particular file extension refers to, check out some of these sites:
- File Extension Seeker: Metasearch engine for file extensions
- FILExt: The File Extension Source
- fileinfo.net
- Wotsit.org, The Programmer's File and Data Format Resource
You might also want to check out Tim Coakley's Filesig.co.uk site, with Filesig Manager (and Simple Carver). Take a look also at Marco Pontello's TrID - File Identifier, a utility designed to identify file types from their binary signatures.
Details on graphics file formats can be found at The Graphics File Formats Page.
| Hex Signature | ASCII Signature | |
|---|---|---|
| File Extension | File Description |
|
| TGA | Truevision Targa Graphic file Trailer: 54 52 55 45 56 49 53 49 4F 4E 2D 58 46 49 4C 45 2E 00 (TRUEVISION-XFILE..) |
|
| 00 | . | |
| PIC | IBM Storyboard bitmap file |
|
| 00 | . | |
| PIF | Windows Program Information File |
|
| [11 byte offset] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
[11 byte offset] ........ ........ ........ | |
| PDB | Palmpilot Database/Document File |
|
| 00 00 00 nn 66 74 79 70 | ....ftyp | |
| 3GG, 3G2 | 3rd Generation Partnership Project 3GPP (nn=0x14) and 3GPP2 (nn=0x20) multimedia files |
|
| 00 00 01 00 | .... | |
| ICO | Windows icon file |
|
| 00 00 01 Bx | .... | |
| MPG | MPEG video file |
|
| 00 00 02 00 | .... | |
| CUR | Windows cursor file |
|
| 00 00 1A 00 10 04 | ...... | |
| WKS | Lotus MS Works document |
|
| 00 00 49 49 58 50 52 or | ..IIXPR | |
| 00 00 4D 4D 58 50 52 | ..MMXPR | |
| QXD | QuarkXPress document (Intel & Motorola, respectively) NOTE: It appears that the byte following the 0x52 ("R") is the language indicator; 0x33 ("3") seems to indicate English and 0x61 ("a") reportedly indicates Korean. |
|
| 00 00 FE FF | ..þÿ | |
| n/a | Byte-order mark for 32-bit Unicode Transformation Format/ 4-octet Universal Character Set (UTF-32/UCS-4), big-endian files. (See the Unicode Home Page.) |
|
| [7 byte offset] 00 00 FF FF FF FF |
[7 byte offset] ..ÿÿÿÿ | |
| HLP | Windows Help file |
|
| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65 |
....MSIS AM Datab ase | |
| MNY | Microsoft Money file |
|
| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |
....Stan dard Jet DB | |
| MDB | Microsoft Access file |
|
| 00 01 00 08 00 01 00 01 01 |
........ . | |
| IMG | Ventura Publisher/GEM VDI Image Format Bitmap file |
|
| 00 06 15 61 00 00 00 02 00 00 04 D2 00 00 10 00 |
...a.... ...Ò.... | |
| DB | Netscape Navigator (v4) database file |
|
| 00 11 AF | ..¯ | |
| FLI | FLIC Animation file |
|
| 00 1E 84 90 00 00 00 00 | ........ | |
| SNM | Netscape Communicator (v4) mail folder |
|
| [512 byte offset] 00 6E 1E F0 |
[512 byte offset] .n.ð | |
| PPT | PowerPoint presentation subheader (MS Office) |
|
| 01 00 00 00 | .... | |
| EMF | Extended (Enhanced) Windows Metafile Format, printer spool file (0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP) |
|
| 01 00 00 00 01 | ..... | |
| PIC | Unknown type picture file |
|
| 01 10 | .. | |
| TR1 | Novell LANalyzer capture file |
|
| 01 DA 01 01 00 03 | .Ú.... | |
| RGB | Silicon Graphics RGB Bitmap |
|
| 01 FF 02 04 03 02 | .ÿ.... | |
| DRW | Micrografx vector graphic file |
|
| 02 64 73 73 | .dss | |
| DSS | Digital Speech Standard (Olympus, Grundig, & Philips) |
|
| 03 | . | |
| DB3 | dBASE III file |
|
| 03 00 00 00 | .... | |
| QPH | Quicken QPH file |
|
| 04 | . | |
| DB4 | dBASE IV data file |
|
| 07 | . | |
| DRW | A common signature and file extension for many drawing programs. |
|
| 08 | . | |
| DB | dBASE IV or dBFast configuration file |
|
| [512 byte offset] 09 08 10 00 00 06 05 00 |
[512 byte offset] ........ | |
| XLS | Excel spreadsheet subheader (MS Office) |
|
| 0A nn 01 01 | .... | |
| PCX | ZSOFT Paintbrush file (where nn = 0x02, 0x03, or 0x05) |
|
| 0C ED | .í | |
| MP | Monochrome Picture TIFF bitmap file (unconfirmed) |
|
| [512 byte offset] 0F 00 E8 03 |
[512 byte offset] ..è. | |
| PPT | PowerPoint presentation subheader (MS Office) |
|
| 11 00 00 00 53 43 43 41 | ....SCCA | |
| PF | Windows prefetch file |
|
| 1A 0x | .. | |
| ARC | LH archive file, old version (where x = 0x8 or 0x9) |
|
| 1A 0B | .. | |
| PAK | Compressed archive file (often associated with Quake Engine games) |
|
| 1A 35 01 00 | .5.. | |
| ETH | GN Nettest WinPharaoh capture file |
|
| 1D 7D | .} | |
| WS | WordStar Version 5.0/6.0 document |
|
| 1F 8B 08 | ... | |
| GZ | GZIP archive file |
|
| 1F 9D 90 | ... | |
| TAR.Z | Compressed tape archive file |
|
| 21 3C 61 72 63 68 3E 0A | !<arch>. | |
| LIB | Unix archiver (ar) files and Microsoft Program Library Common Object File Format (COFF) |
|
| 21 42 44 4E | !BDN | |
| PST | Microsoft Outlook Personal Folder file |
|
| 23 20 | # | |
| MSI | Cerius2 file |
|
| 23 20 4D 69 63 72 6F 73 6F 66 74 20 44 65 76 65 6C 6F 70 65 72 20 53 74 75 64 69 6F |
# Micros oft Deve loper St udio | |
| DSP | Microsoft Developer Studio project file |
|
| 23 21 41 4D 52 | #!AMR | |
| AMR | Adaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction) Codec, commonly audio format with GSM cell phones |
|
| 24 46 4C 32 40 28 23 29 20 53 50 53 53 20 44 41 54 41 20 46 49 4C 45 |
$FL2@(#) SPSS DA TA FILE | |
| SAV | SPSS Data file |
|
| 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30 |
%!PS-Ado be-3.0 E PSF-3.0 | |
| EPS | Adobe encapsulated PostScript file (If this signature is not at the immediate beginning of the file, it will occur early in the file, commonly at byte offset 30) |
|
| 25 50 44 46 | %PDF | |
| PDF, FDF | Adobe Portable Document Format and Forms Document file Trailers: 0A 25 25 45 4F 46 0A (.%%EOF.) 0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..) 0D 25 25 45 4F 46 0D (.%%EOF.) |
|
| [2 byte offset] 2D 6C 68 |
[2 byte offset] -lh | |
| LZH | Compressed archive file |
|
| 2E 52 45 43 | .REC | |
| IVR | RealPlayer video file (V11 and later) |
|
| 2E 52 4D 46 | .RMF | |
| RM | Real media file |
|
| 30 00 00 00 4C 66 4C 65 | 0...LfLe | |
| EVT | Windows Event Viewer file |
|
| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |
0&²u.fÏ. ¦Ù.ª.bÎl | |
| ASF | Microsoft Media Audio/Video File (Advanced Streaming Format) |
|
| 31 BE or | 1¾ | |
| 32 BE | 2¾ | |
| WRI | Microsoft Write file |
|
| 34 CD B2 A1 | 4Í²¡ | |
| n/a | Extended tcpdump (libpcap) capture file (Linux/Unix) |
|
| 37 7A BC AF 27 1C | 7z¼¯'. | |
| 7Z | 7-Zip compressed file |
|
| 38 42 50 53 | 8BPS | |
| PSD | Photoshop image file |
|
| 3C 21 64 6F 63 74 79 70 | <!doctyp | |
| DCI | AOL HTML mail file |
|
| 3F 5F 03 | ?_. | |
| HLP | Windows Help file |
|
| 41 43 53 44 | ACSD | |
| n/a | Miscellaneous AOL parameter and information files |
|
| 41 4D 59 4F | AMYO | |
| SYW | Harvard Graphics symbol graphic |
|
| 41 4F 4C 20 46 65 65 64 62 61 67 |
AOL Feed bag | |
| BAG | AOL and AIM buddy list file |
|
| 41 4F 4C 44 42 | AOLDB | |
| ABY, IDX | AOL database files: address book (ABY) and user configuration data (MAIN.IDX) |
|
| 41 4F 4C 49 44 58 | AOLIDX | |
| IND | AOL client preferences/settings file (MAIN.IND) |
|
| 41 4F 4C 49 4E 44 45 58 | AOLINDEX | |
| ABI | AOL address book index file |
|
| 41 4F 4C 56 4D 31 30 30 | AOLVM100 | |
| n/a | AOL personal file cabinet (PFC) file |
|
| 42 4D | BM | |
| BMP, DIB | Windows bitmap image |
|
| 42 5A | BZ | |
| BZ2, TAR.BZ2, TBZ2, TB2 | bzip2 compressed archive |
|
| 43 42 46 49 4C 45 | CBFILE | |
| CBD | WordPerfect dictionary file (unconfirmed) |
|
| 43 44 30 30 31 | CD001 | |
| ISO | ISO-9660 CD Disc Image (This signature usually occurs at byte 8001, 8801, or 9001.) |
|
| 43 57 53 | CWS | |
| SWF | Shockwave Flash file (v5+) |
|
| 43 6C 69 65 6E 74 20 55 | Client U | |
| DAT | IE History DAT file |
|
| 45 52 46 53 53 41 56 45 44 41 54 41 46 49 4C 45 |
ERFSSAVE DATAFILE | |
| DAT | Kroll EasyRecovery Saved Recovery State file |
|
| 45 56 46 | EVF | |
| Enn (where nn are numbers) | EnCase evidence file |
|
| 46 41 58 43 4F 56 45 52 2D 56 45 52 |
FAXCOVER -VER | |
| CPE | Microsoft Fax Cover Sheet |
|
| 46 45 44 46 | FEDF | |
| SBV | (Unknown file type) |
|
| 46 4C 56 | FLV | |
| SWF | Flash video file |
|
| 46 57 53 | FWS | |
| SWF | Shockwave Flash file |
|
| 46 72 6F 6D 20 20 20 or | From | |
| 46 72 6F 6D 20 3F 3F 3F or | From ??? | |
| 46 72 6F 6D 3A 20 | From: | |
| EML | A common file extension for e-mail files. Signatures shown here are for Netscape, Eudora, and a generic signature, respectively. EML is also used by Outlook Express and QuickMail. |
|
| 47 46 31 50 41 54 43 48 | GF1PATCH | |
| PAT | Advanced Gravis Ultrasound patch File |
|
| 47 49 46 38 37 61 or | GIF87a | |
| 47 49 46 38 39 61 | GIF89a | |
| GIF | Graphics interchange format file Trailer: 00 3B (.;) |
|
| 47 50 41 54 | GPAT | |
| PAT | GIMP (GNU Image Manipulation Program) pattern file |
|
| 47 58 32 | GX2 | |
| GX2 | Show Partner graphics file (not confirmed) |
|
| 48 48 47 42 31 | HHGB1 | |
| SH3 | Harvard Graphics presentation file |
|
| 49 20 49 | I I | |
| TIF | Tag image file format (TIFF) file |
|
| 49 44 33 | ID3 | |
| MP3 | MPEG/MP3 audio file |
|
| 49 49 2A | II* | |
| TIF | Tag image file format (TIFF) file (little endian, i.e., LSB first in the byte; Intel) |
|
| 49 54 53 46 | ITSF | |
| CHM | Microsoft HTML Help Compiled Help File |
|
| 4A 47 03 0E 00 00 00 or | JG..... | |
| 4A 47 04 0E 00 00 00 | JG..... | |
| ART | AOL ART file |
|
| 4C 00 00 00 01 14 02 00 | L....... | |
| LNK | Windows shortcut file |
|
| 4C 01 | L. | |
| OBJ | Microsoft Common Object File Format (COFF) relocatable object code file for an Intel 386 or later/compatible processors |
|
| 4C 4E 02 00 | LN.. | |
| HLP | Windows Help file |
|
| 4D 49 4C 45 53 | MILES | |
| MLS | Milestones v1.0 project management and scheduling software (Also see "MV2C" and "MV214" signatures) |
|
| 4D 4C 53 57 | MLSW | |
| MLS | Skype localization data file |
|
| 4D 4D 00 2A | MM.* | |
| TIF | Tag image file format (TIFF) file (big endian, i.e., LSB last in the byte; Motorola) |
|
| 4D 4D 4D 44 00 00 | MMMD.. | |
| MMF | Yamaha Corp. Synthetic music Mobile Application Format (SMAF) for multimedia files that can be played on hand-held devices. |
|
| 4D 53 43 46 | MSCF | |
| CAB | Microsoft cabinet file | |
| PPZ | Powerpoint Packaged Presentation | |
| SNP | Microsoft Access Snapshot Viewer file |
|
| 4D 54 68 64 | MThd | |
| MID, MIDI | Musical Instrument Digital Interface (MIDI) sound file |
|
| 4D 56 | MV | |
| DSN | CD Stomper Pro label file |
|
| 4D 56 32 43 | MV2C | |
| MLS | Milestones v2.1a project management and scheduling software (Also see "MILES" and "MV214" signatures) |
|
| 4D 56 32 31 34 | MV214 | |
| MLS | Milestones v2.1b project management and scheduling software (Also see "MILES" and "MV2C" signatures) |
|
| 4D 5A | MZ | |
| COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS | Windows/DOS executable file | |
| AX | Library cache file | |
| CPL | Control panel application | |
| FON | Font file | |
| FLT | Graphic filter file | |
| OCX | ActiveX or OLE Custom Control | |
| OLB | OLE object library | |
| SCR | Screen saver | |
| VBX | VisualBASIC application | |
| VXD, 386 | Windows virtual device drivers |
|
| 4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65 |
Microsof t Visual Studio Solution File | |
| SLN | Visual Studio .NET Solution file |
|
| [84 byte offset] 4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 4D 65 64 69 61 20 50 6C 61 79 65 72 20 2D 2D 20 |
[84 byte offset] Microsof t Window s Media Player - - | |
| WPL | Windows Media Player playlist |
|
| 4F 50 4C 44 61 74 61 62 61 73 65 46 69 6C 65 |
OPLDatab aseFile | |
| DBF | Psion Series 3 Database file |
|
| 4F 7B | O{ | |
| DW4 | Visio/DisplayWrite 4 text file (unconfirmed) |
|
| 50 00 00 00 20 00 00 00 | P... ... | |
| IDX | Quicken QuickFinder Information File |
|
| 50 35 0A | P5. | |
| PGM | Portable Graymap Graphic |
|
| 50 41 43 4B | PACK | |
| PAK | Quake archive file |
|
| 50 49 43 54 00 08 | PICT.. | |
| IMG | ADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file |
|
| 50 4B 03 04 | PK.. | |
| ZIP | PKZIP archive file (Ref. 1, Ref. 2) Trailer: filename 50 4B 17 characters 00 00 00 (filename PK 17 characters ...) |
|
| JAR | Java archive; compressed file package for classes and data | |
| SXC, SXD, SXI, SXW | OpenOffice spreadsheet, drawing, presentation, and text files | |
| XPI | Mozilla Browser Archive |
|
| XPT | eXact Packager Models |
|
| 50 4B 03 04 14 00 06 00 | PK...... | |
| DOCX, PPTX, XLSX | Office 2007 documents |
|
| [30 byte offset] 50 4B 4C 49 54 45 |
[30 byte offset] PKLITE | |
| ZIP | PKLITE compressed ZIP archive (see also PKZIP) |
|
| [526 byte offset] 50 4B 53 70 58 |
[526 byte offset] PKSFX | |
| ZIP | PKSFX self-extracting executable compressed file (see also PKZIP) |
|
| 50 4D 43 43 | PMCC | |
| GRP | Windows Program Manager group file |
|
| [92 byte offset] 51 45 4C 20 |
[92 byte offset] QEL | |
| QEL | Quicken data file |
|
| 51 46 49 FB | QFI. | |
| IMG | QEMU Qcow Disk Image |
|
| 51 57 20 56 65 72 2E 20 | QW Ver. | |
| ABD, QSD | Quicken data file |
|
| 52 45 47 45 44 49 54 34 | REGEDIT4 | |
| REG, SUD | Windows NT Registry and Registry Undo files |
|
| 52 49 46 46 xx xx xx xx 41 43 4F 4E |
RIFF.... ACON | |
| ANI | Resource Interchange File Format -- Animated Cursor file |
|
| 52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54 |
RIFF.... AVI LIST | |
| AVI | Resource Interchange File Format -- Windows Audio Video Interleave file |
|
| 52 49 46 46 xx xx xx xx 43 44 44 41 66 6D 74 20 |
RIFF.... CDDAfmt | |
| CDA | Resource Interchange File Format -- Compact Disc Digital Audio (CD-DA) file |
|
| 52 49 46 46 xx xx xx xx 51 4C 43 4D 66 6D 74 20 |
RIFF.... QLCMfmt | |
| QCP | Resource Interchange File Format -- Qualcomm PureVoice |
|
| 52 49 46 46 xx xx xx xx 52 4D 49 44 64 61 74 61 |
RIFF.... RMIDdata | |
| RMI | Resource Interchange File Format -- Windows Musical Instrument Digital Interface file |
|
| 52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20 |
RIFF.... WAVEfmt | |
| WAV | Resource Interchange File Format -- Audio for Windows file |
|
| 52 54 53 53 | RTSS | |
| CAP | Windows NT Netmon capture file |
|
| 52 61 72 21 1A 07 00 | Rar!... | |
| RAR | WinRAR compressed archive file |
|
| 53 43 4D 49 | SCMI | |
| IMG | Img Software Set Bitmap |
|
| 53 48 4F 57 | SHOW | |
| SHW | Harvard Graphics DOS Ver. 2/x Presentation file |
|
| 53 49 45 54 52 4F 4E 49 43 53 20 58 52 44 20 53 43 41 4E |
SIETRONI CS XRD S CAN | |
| CPI | Sietronics CPI XRD document |
|
| 53 4D 41 52 54 44 52 57 | SMARTDRW | |
| SDR | SmartDraw Drawing file |
|
| 53 6D 62 6C | Smbl | |
| SYM | (Unconfirmed file type. Likely type is Harvard Graphics Version 2.x graphic symbol or Windows SDK graphic symbol) |
|
| 56 43 50 43 48 30 | VCPCH0 | |
| PCH | Visual C PreCompiled header file |
|
| 57 53 32 30 30 30 | WS2000 | |
| WS2 | WordStar for Windows Ver. 2 document |
|
| [29,152 byte offset] 57 69 6E 5A 69 70 |
[29,152 byte offset] WinZip | |
| ZIP | WinZip compressed archive |
|
| 58 43 50 00 | XCP. | |
| CAP | Cinco NetXRay, Network General Sniffer, and Network Associates Sniffer capture file |
|
| 58 50 43 4F 4D 0A 54 79 70 65 4C 69 62 |
XPCOM.Ty peLib | |
| XPT | XPCOM type libraries for the XPIDL compiler |
|
| 5B 4D 53 56 43 | [MSVC | |
| VCW | Microsoft Visual C++ Workbench Information File |
|
| 5B 50 68 6F 6E 65 5D | [Phone] | |
| DUN | Dial-up networking file (unconfirmed) |
|
| 5B 56 45 52 5D 0D 0A 09 or | [VER]... | |
| 5B 76 65 72 5D 0D 0A 09 or | [ver]... | |
| SAM | Ami Pro document |
|
| [2 byte offset] 5B 56 65 72 73 69 6F 6E |
[2 byte offset] [Version | |
| CIF | (Unknown file type) |
|
| 5B 57 69 6E 64 6F 77 73 20 4C 61 74 69 6E 20 |
[Windows Latin | |
| CPX | Microsoft Code Page Translation file |
|
| 5F 43 41 53 45 5F | _CASE_ | |
| CAS, CBK | EnCase case file (and backup) |
|
| 60 EA | `ê | |
| ARJ | Compressed archive file |
|
| 62 65 67 69 6E | begin | |
| n/a | UUencoded files start with a string: begin mode path where mode is the set of permissions as used in Linux/Unix and path is the name given to the decoded file. (See this uuencode page for more information.) |
|
| 64 00 00 00 | d... | |
| P10 | Intel PROset/Wireless Profile |
|
| 64 73 77 66 69 6C 65 | dswfile | |
| DSW | Microsoft Visual Studio workspace file |
|
| 6C 33 33 6C | l33l | |
| DBB | Skype user data file (profile and contacts) |
|
| [4 byte offset] 6D 6F 6F 76 |
[4 byte offset] moov | |
| MOV | QuickTime movie file |
|
.MOV files have a complicated file signature. The string "moov" is the most common but I have also seen: |
||
| 72 65 67 66 | regf | |
| n/a | Windows registry hive file |
|
| 73 72 63 64 6F 63 69 64 3A |
srcdocid : | |
| CAL | CALS raster bitmap file |
|
| 73 7A 65 7A | szez | |
| PDB | PowerBASIC Debugger Symbols file |
|
| 7B 0D 0A 6F 20 | {..o | |
| LGC, LGD | Windows application log |
|
| 7B 5C 72 74 66 31 | {\rtf1 | |
| RTF | Rich text format word processing file Trailer: 5C 70 61 72 20 7D 7D (\par }}) |
|
| 7F 45 4C 46 | .ELF | |
| n/a | Executable and Linking Format executable file (Linux/Unix) |
|
| 80 | . | |
| OBJ | Relocatable object code |
|
| 81 CD AB | .Í« | |
| WPF | WordPerfect text file |
|
| 89 50 4E 47 0D 0A 1A 0A | .PNG.... | |
| PNG | Portable Network Graphics file |
|
| 95 00 or | .. | |
| 95 01 | .. | |
| SKR | PGP secret keyring file |
|
| 99 01 | .. | |
| PKR | PGP public keyring file |
|
| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |
.ËË..uÒ. .X.ÀOyV¤ | |
| WAB | Outlook address file |
|
| [512 byte offset] A0 46 1D F0 |
[512 byte offset] F.ð | |
| PPT | PowerPoint presentation subheader (MS Office) |
|
| A1 B2 C3 D4 | ¡²ÃÔ | |
| n/a | tcpdump (libpcap) capture file (Linux/Unix) |
|
| A1 B2 CD 34 | ¡²Í4 | |
| n/a | Extended tcpdump (libpcap) capture file (Linux/Unix) |
|
| A9 0D 00 00 00 00 00 00 | ©....... | |
| DAT | Access Data FTK evidence file |
|
| AC 9E BD 8F | ¬.½. | |
| QDF | Quicken data file |
|
| B5 A2 B0 B3 B3 B0 A5 B5 | µ¢°³³°¥µ | |
| CAL | (Unknown file type...) |
|
| C5 D0 D3 C6 | ÅÐÓÆ | |
| EPS | Adobe encapsulated PostScript file |
|
| CD 20 AA AA 02 00 00 00 | Í ªª.... | |
| n/a | Norton Anti-Virus quarantined virus file |
|
| CF 11 E0 A1 B1 1A E1 00 | Ï.à¡±.á. | |
| DOC | Perfect Office document [Note similarity to MS Office header, below] |
|
| CF AD 12 FE | Ï.þ | |
| DBX | Outlook Express e-mail folder |
|
| D0 CF 11 E0 A1 B1 1A E1 | ÐÏ.à¡±.á | |
| DOC, DOT, PPS, PPT, XLA, XLS, WIZ | Microsoft Office applications (Word, Powerpoint, Excel, Wizard) [See also Word, Powerpoint, and Excel "subheaders" at byte offset 512] |
|
| DB | MSWorks database file | |
| MSC | Microsoft Common Console Document | |
| MSI | Microsoft Installer package | |
| MTW | Minitab data file | |
| OPT | Developer Studio File Workspace Options file | |
| SUO | Visual Studio Solution User Options file | |
| SPO | SPSS output file | |
| VSD | Visio file | |
| WPS | MSWorks text document |
|
| D2 0A 00 00 | Ò... | |
| FTR | GN Nettest WinPharaoh filter file |
|
| D4 2A | Ô* | |
| ARL, AUT | AOL history (ARL) and typed URL (AUT) files |
|
| D4 C3 B2 A1 | ÔÃ²¡ | |
| n/a | WinDump (winpcap) capture file (Windows) |
|
| D7 CD C6 9A | ×ÍÆ. | |
| WMF | Windows graphics metafile |
|
| DC FE | Üþ | |
| EFX | eFax file format |
|
| E3 82 85 96 | ã... | |
| PWL | Windows password file |
|
| E8 or | è | |
| E9 or | é | |
| EB | ë | |
| COM, SYS | Windows executable file |
|
| EB 3C 90 2A | ë<.* | |
| IMG | GEM Raster file |
|
| [512 byte offset] EC A5 C1 00 |
[512 byte offset] ì¥Á. | |
| DOC | Word document subheader (MS Office) |
|
| ED AB EE DB | í«îÛ | |
| RPM | RedHat Package Manager file |
|
| EF BB BF | ï»¿ | |
| n/a | Byte-order mark for 8-bit Unicode Transformation Format (UTF-8) files. (See the Unicode Home Page.) |
|
| [512 byte offset] FD FF FF FF 04 |
[512 byte offset] ýÿÿÿ. | |
| SUO | Visual Studio Solution User Options subheader (MS Office) |
|
| [512 byte offset] FD FF FF FF nn 00 00 00 |
[512 byte offset] ýÿÿÿ.... | |
| PPT | PowerPoint presentation subheader (MS Office) (where nn has been seen with values 0x0E, 0x1C, and 0x43) |
|
| [512 byte offset] FD FF FF FF nn 02 |
[512 byte offset] ýÿÿÿ.. | |
| XLS | Excel spreadsheet subheader (MS Office) (where nn = 0x10, 0x22, 0x23, 0x28, or 0x29) |
|
| [512 byte offset] FD FF FF FF 20 00 00 00 |
[512 byte offset] ýÿÿÿ ... | |
| OPT | Developer Studio File Workspace Options subheader (MS Office) | |
| XLS | Excel spreadsheet subheader (MS Office) |
|
| [512 byte offset] FD FF FF FF xx xx xx xx xx xx xx xx 04 00 00 00 |
[512 byte offset] ýÿÿÿ.... ........ | |
| DB | Thumbs.db subheader (MS Office) |
|
| FE FF | þÿ | |
| n/a | Byte-order mark for 16-bit Unicode Transformation Format/ 2-octet Universal Character Set (UTF-16/UCS-2), little-endian files. (See the Unicode Home Page.) |
|
| FF | ÿ | |
| SYS | Windows executable (SYS) file |
|
| FF 00 02 00 04 04 05 54 02 00 |
ÿ......T .. | |
| WKS | Works for Windows spreadsheet file |
|
| FF 46 4F 4E 54 | ÿFONT | |
| CPI | Windows international code page |
|
| FF 4B 45 59 42 20 20 20 | ÿKEYB | |
| SYS | Keyboard driver file |
|
| FF 57 50 43 | ÿWPC | |
| WPD, WPG, WP5 | WordPerfect text and graphics file |
|
| FF D8 FF E0 xx xx 4A 46 49 46 00 |
ÿØÿà..JF IF. | |
| JFIF, JPE, JPEG, JPG | JPEG/JFIF graphics file Trailer: FF D9 (..) |
|
| FF D8 FF E1 xx xx 45 78 69 66 00 |
ÿØÿá..Ex if. | |
| JPG | Digital camera JPG using Exchangeable Image File Format (EXIF) Trailer: FF D9 (..) See "Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis" (P. Alvarez, IJDE, 2(3), Winter 2004) |
|
| FF Ex | ÿ. | |
| FF Fx | ÿ. | |
| MPEG, MPG, MP3 | MPEG audio file frame synch pattern |
|
| FF FE | ÿþ | |
| REG | Windows Registry file |
|
| n/a | Byte-order mark for 16-bit Unicode Transformation Format/ 2-octet Universal Character Set (UTF-16/UCS-2), big-endian files. (See the Unicode Home Page.) |
|
| FF FE 00 00 | ÿþ.. | |
| n/a | Byte-order mark for 32-bit Unicode Transformation Format/ 4-octet Universal Character Set (UTF-32/UCS-4), little-endian files. (See the Unicode Home Page.) |
|
| FF FE 23 00 6C 00 69 00 6E 00 65 00 20 00 31 00 |
ÿþ#.l.i. n.e. .1. | |
| MOF | Windows MSinfo file |
|
| FF FF FF FF | ÿÿÿÿ | |
| SYS | DOS system driver |
|
The following individuals have given me updates or suggestions for this list over the last couple of years: Vladimir Benko, Per Christensson, George Harpur, Bill Kuhns, Anand Mani, Kevin Mansell, Bruce Modick, Mike Sutton, Franklin Webber, and David Wright. I thank them and apologize if I have missed anyone.
I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite, primarily for the "subheaders" for many of the file types here.