FILE SIGNATURES TABLE

6/30/2009


This table of file signatures (aka "magic numbers") is a work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000). Other useful and reasonably current sources are C.E. Codere's File Format site or the magic file commonly available with Linux systems. This table is still growing and contributions are welcome! Comments and queries can be sent to Gary Kessler at kumquat@sover.net.

This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know what a particular file extension refers to, check out some of these sites:

You might also want to check out Tim Coakley's Filesig.co.uk site, with Filesig Manager (and Simple Carver). Take a look also at Marco Pontello's TrID - File Identifier, a utility designed to identify file types from their binary signatures.

Details on graphics file formats can be found at The Graphics File Formats Page.


Hex Signature     ASCII Signature
File Extension   File Description
TGA   Truevision Targa Graphic file
Trailer:
54 52 55 45 56 49 53 49   TRUEVISI
4F 4E 2D 58 46 49 4C 45   ON-XFILE
2E 00                     ..
00   .
PIC   IBM Storyboard bitmap file
PIF   Windows Program Information File
YTR   IRIS OCR data file
[11 byte offset]
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00		   [11 byte offset]
........
........
........
PDB   Palmpilot Database/Document File
00 00 00 nn 66 74 79 70
33 67 70		   ....ftyp
3gp
3GG, 3G2   3rd Generation Partnership Project 3GPP (nn=0x14)
and 3GPP2 (nn=0x20) multimedia files
00 00 00 18 66 74 79 70
33 67 70 35		   ....ftyp
3gp5
MP4   MPEG-4 video files
00 00 01 00   ....
ICO   Windows icon file
00 00 01 Bx   ....
MPEG, MPG   MPEG video file
00 00 02 00   ......
CUR   Windows cursor file
WB2   QuattroPro for Windows Spreadsheet file
00 00 02 00 06 04 06 00
08 00 00 00 00 00		   ........
......
WK1   Lotus 1-2-3 spreadsheet (v1) file
00 00 1A 00 00 10 04 00
00 00 00 00		   ........
..
WK3   Lotus 1-2-3 spreadsheet (v3) file
00 00 1A 00 02 10 04 00
00 00 00 00		   ........
..
WK4   Lotus 1-2-3 spreadsheet (v4) file
00 00 49 49 58 50 52 or   ..IIXPR
00 00 4D 4D 58 50 52   ..MMXPR
QXD   Quark Express document (Intel & Motorola, respectively)
NOTE: It appears that the byte following the 0x52 ("R") is
the language indicator; 0x33 ("3") seems to indicate English
and 0x61 ("a") reportedly indicates Korean.
00 00 FE FF   ..þÿ
n/a   Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), big-endian files.
(See the Unicode Home Page.)
[7 byte offset]
00 00 FF FF FF FF		   [7 byte offset]
..ÿÿÿÿ
HLP   Windows Help file
00 01 00 00 4D 53 49 53
41 4D 20 44 61 74 61 62
61 73 65		   ....MSIS
AM Datab
ase
MNY   Microsoft Money file
00 01 00 00 53 74 61 6E
64 61 72 64 20 4A 65 74
20 44 42		   ....Stan
dard Jet
 DB
MDB   Microsoft Access file
00 01 00 08 00 01 00 01
01		   ........
.
IMG   Ventura Publisher/GEM VDI Image Format Bitmap file
00 01 01   ...
FLT   OpenFlight 3D file
00 01 42 41   ..BA
ABA   Palm Address Book Archive file
00 01 42 44   ..BD
DBA   Palm DateBook Archive file
00 06 15 61 00 00 00 02
00 00 04 D2 00 00 10 00		   ...a....
...Ò....
DB   Netscape Navigator (v4) database file
00 11 AF   ..¯
FLI   FLIC Animation file
00 1E 84 90 00 00 00 00   ........
SNM   Netscape Communicator (v4) mail folder
00 5C 41 B1 FF   .\A±ÿ
ENC   Mujahideen Secrets 2 encrypted file
[512 byte offset]
00 6E 1E F0		   [512 byte offset]
.n.ð
PPT   PowerPoint presentation subheader (MS Office)
01 00 00 00   ....
EMF   Extended (Enhanced) Windows Metafile Format, printer spool file
(0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP)
01 00 00 00 01   .....
PIC   Unknown type picture file
01 10   ..
TR1   Novell LANalyzer capture file
01 DA 01 01 00 03   .Ú....
RGB   Silicon Graphics RGB Bitmap
01 FF 02 04 03 02   .ÿ....
DRW   Micrografx vector graphic file
02 64 73 73   .dss
DSS   Digital Speech Standard (Olympus, Grundig, & Phillips)
03   .
DAT   MapInfo Native Data Format
DB3   dBASE III file
03 00 00 00   ....
QPH   Quicken price history file
03 00 00 00 41 50 50 52   ....APPR
ADX   Approach index file
04   .
DB4   dBASE IV data file
07   .
DRW   A common signature and file extension for many drawing
programs.
07 64 74 32 64 64 74 64   .dt2ddtd
DTD   DesignTools 2D Design file
08   .
DB   dBASE IV or dBFast configuration file
[512 byte offset]
09 08 10 00 00 06 05 00		   [512 byte offset]
........
XLS   Excel spreadsheet subheader (MS Office)
0A nn 01 01   ....
PCX   ZSOFT Paintbrush file
(where nn = 0x02, 0x03, or 0x05)
0C ED  
MP   Monochrome Picture TIFF bitmap file (unconfirmed)
0D 44 4F 43   .DOC
DOC   DeskMate Document file
0E 57 4B 53   .WKS
WKS   DeskMate Worksheet
[512 byte offset]
0F 00 E8 03		   [512 byte offset]
..è.
PPT   PowerPoint presentation subheader (MS Office)
11 00 00 00 53 43 43 41   ....SCCA
PF   Windows prefetch file
1A 00 00   ...
NTF   Lotus Notes database template
1A 00 00 04 00 00   ......
NSF   Lotus Notes database
1A 0x   ..
ARC   LH archive file, old version
(where x = 0x2, 0x3, 0x4, 0x8 or 0x9
for types 1-5, respectively)
1A 0B   ..
PAK   Compressed archive file
(often associated with Quake Engine games)
1A 35 01 00   .5..
ETH   GN Nettest WinPharoah capture file
1A 52 54 53 20 43 4F 4D
50 52 45 53 53 45 44 20
49 4D 41 47 45 20 56 31
2E 30 1A		   .RTS COM
PRESSED
IMAGE V1
.0.
DAT   Runtime Software disk image
1D 7D   .}
WS   WordStar Version 5.0/6.0 document
1F 8B 08   ...
GZ   GZIP archive file
1F 9D 90   ...
TAR.Z   Compressed tape archive file
21 12   !.
AIN   AIN Compressed Archive
21 3C 61 72 63 68 3E 0A   !<arch>.
LIB   Unix archiver (ar) files and Microsoft Program Library
Common Object File Format (COFF)
21 42 44 4E   !BDN
PST   Microsoft Outlook Personal Folder file
23 20   #
MSI   Cerius2 file
23 20 4D 69 63 72 6F 73
6F 66 74 20 44 65 76 65
6C 6F 70 65 72 20 53 74
75 64 69 6F		   # Micros
oft Deve
loper St
udio
DSP   Microsoft Developer Studio project file
23 21 41 4D 52   #!AMR
AMR   Adaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction)
Codec, commonly audio format with GSM cell phones
24 46 4C 32 40 28 23 29
20 53 50 53 53 20 44 41
54 41 20 46 49 4C 45		   $FL2@(#)
 SPSS DA
TA FILE
SAV   SPSS Data file
25 21 50 53 2D 41 64 6F
62 65 2D 33 2E 30 20 45
50 53 46 2D 33 20 30		   %!PS-Ado
be-3.0 E
PSF-3.0
EPS   Adobe encapsulated PostScript file
(If this signature is not at the immediate
beginning of the file, it will occur early
in the file, commonly at byte offset 30)
25 50 44 46   %PDF
PDF, FDF   Adobe Portable Document Format and Forms Document file
Trailers:
0A 25 25 45 4F 46 0A (.%%EOF.)
0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..)
0D 25 25 45 4F 46 0D (.%%EOF.)
28 54 68 69 73 20 66 69
6C 65 20 6D 75 73 74 20
62 65 20 63 6F 6E 76 65
72 74 65 64 20 77 69 74
68 20 42 69 6E 48 65 78
20		   (This fi
le must
be conve
rted wit
h BinHex
 
HQX   Macintosh BinHex 4 Compressed Archive
2A 2A 2A 20 20 49 6E 73
74 61 6C 6C 61 74 69 6F
6E 20 53 74 61 72 74 65
64 20		   ***  Ins
tallatio
n Starte
d
LOG   Symantec Wise Installer log file
[2 byte offset]
2D 6C 68 		  [2 byte offset]
-lh
LHA, LZH   Compressed archive file
2E 52 45 43   .REC
IVR   RealPlayer video file (V11 and later)
2E 52 4D 46   .RMF
RM   RealMedia streaming media file
2E 72 61 FD 00   .ra..
RA   RealMedia streaming media file
2E 73 6E 64   .snd
AU   Sun Microsystems audio file format
30   0
CAT   Microsoft security catalog file
30 00 00 00 4C 66 4C 65   0...LfLe
EVT   Windows Event Viewer file
30 26 B2 75 8E 66 CF 11
A6 D9 00 AA 00 62 CE 6C		   0&²u.fÏ.
¦Ù.ª.bÎl
ASF, WMA, WMV   Microsoft Windows Media Audio/Video File
(Advanced Streaming Format)
30 31 4F 52 44 4E 41 4E
43 45 20 53 55 52 56 45
59 20 20 20 20 20 20 20		   01ORDNAN
CE SURVE
Y
NTF   National Transfer Format Map File
30 37 30 37 30 nn   07070.
n/a   Archive created with the cpio utility (where nn
values 0x37 ("7"), 0x31 ("1"), and 0x32 ("2") refer to the
standard ASCII format, new ASCII (aka SVR4) format, and CRC
format, respectively. (The swpackage(8) page has additional
information.) (Thanks to F. Webber for this....)
31 BE or  
32 BE  
WRI   Microsoft Write file
34 CD B2 A1   4Ͳ¡
n/a   Extended tcpdump (libpcap) capture file (Linux/Unix)
37 7A BC AF 27 1C   7z¼¯'.
7Z   7-Zip compressed file
38 42 50 53   8BPS
PSD   Photoshop image file
3C   <
ASX   Advanced Stream redirector file
XDR   BizTalk XML-Data Reduced Schema file
3C 21 64 6F 63 74 79 70   <!doctyp
DCI   AOL HTML mail file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D		   <?xml ve
rsion=
MANIFEST   Windows Visual Stylesheet XML file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E		   <?xml ve
rsion="1
.0"?>
XUL   XML User Interface Language file
3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E 0D 0A 3C
4D 4D 43 5F 43 6F 6E 73
6F 6C 65 46 69 6C 65 20
43 6F 6E 73 6F 6C 65 56
65 72 73 69 6F 6E 3D 22		   <?xml ve
rsion="1
.0"?>..<
MMC_Cons
oleFile
ConsoleV
ersion="
MSC   Microsoft Management Console Snap-in Control file
[24 byte offset]
3E 00 03 00 FE FF 09 00
06		   [24 byte offset]
>...þÿ..
.
WB3   Quatro Pro for Windows 7.0 Notebook file
3F 5F 03 00   ?_..
GID   Windows Help index file
HLP   Windows Help file
[32 byte offset]
40 40 40 20 00 00 40 40
40 40		   [32 byte offset]
@@@ ..@@
@@
ENL   EndNote Library File
41 43 53 44   ACSD
n/a   Miscellaneous AOL parameter and information files
41 4D 59 4F   AMYO
SYW   Harvard Graphics symbol graphic
41 4F 4C 20 46 65 65 64
62 61 67		   AOL Feed
bag
BAG   AOL and AIM buddy list file
41 4F 4C 44 42   AOLDB
ABY, IDX   AOL database files: address book (ABY) and user configuration
data (MAIN.IDX)
41 4F 4C 49 44 58   AOLIDX
IND   AOL client preferences/settings file (MAIN.IND)
41 4F 4C 49 4E 44 45 58   AOLINDEX
ABI   AOL address book index file
41 56 47 36 5F 49 6E 74
65 67 72 69 74 79 5F 44
61 74 61 62 61 73 65		   AVG6_Int
egrity_D
atabase
DAT   AVG6 Integrity database file
41 4F 4C 56 4D 31 30 30   AOLVM100
n/a   AOL personal file cabinet (PFC) file
41 72 43 01   ArC.
ARC   FreeArc compressed file
42 45 47 49 4E 3A 56 43
41 52 44 0D 0A		   BEGIN:VC
ARD..
VCF   vCard file
42 4C 49 32 32 33 51   BLI223Q
BIN   Thomson Speedtouch series WLAN router firmware
42 4D   BM
BMP, DIB   Windows (or device-independent) bitmap image
42 4F 4F 4B 4D 4F 42 49   BOOKMOBI
PRC   Palmpilot resource file
42 5A 68   BZh
BZ2, TAR.BZ2, TBZ2, TB2   bzip2 compressed archive
43 42 46 49 4C 45   CBFILE
CBD   WordPerfect dictionary file (unconfirmed)
43 44 30 30 31   CD001
ISO   ISO-9660 CD Disc Image
(This signature usually occurs at byte 8001, 8801, or 9001.)
43 4F 4D 2B   COM+
CLB   COM+ Catalog file
43 52 45 47   CREG
DAT   Windows 9x registry hive
43 52 55 53 48 20 76   CRUSH v
CRU   Crush compressed archive
43 57 53   CWS
SWF   Shockwave Flash file (v5+)
43 61 74 61 6C 6F 67 20
33 2E 30 30 00		   Catalog
3.00.
CTF   WhereIsIt Catalog file
43 6C 69 65 6E 74 20 55
72 6C 43 61 63 68 65 20
4D 4D 46 20 56 65 72 20		   Client U
rlCache
MMF Ver
DAT   IE History DAT file
44 42 46 48   DBFH
DB   Palm Zire photo database
44 4D 53 21   DMS!
DMS   Amiga DiskMasher compressed archive
44 4F 53   DOS
ADF   Amiga disk file
45 4E 54 52 59 56 43 44
02 00 00 01 02 00 18 58		   ENTRYVCD
.......X
VCD   VideoVCD (GNU VCDImager) file
45 52 46 53 53 41 56 45
44 41 54 41 46 49 4C 45		   ERFSSAVE
DATAFILE
DAT   Kroll EasyRecovery Saved Recovery State file
45 56 46   EVF
Enn (where nn are numbers)   EnCase evidence file
46 41 58 43 4F 56 45 52
2D 56 45 52 		  FAXCOVER
-VER
CPE   Microsoft Fax Cover Sheet
46 45 44 46   FEDF
SBV   (Unknown file type)
46 4C 56   FLV
SWF   Flash video file
46 4F 52 4D 00   FORM.
AIFF   Audio Interchange File
46 57 53   FWS
SWF   Shockwave Flash file
46 72 6F 6D 20 20 20 or   FHom
46 72 6F 6D 20 3F 3F 3F or   FHom ???
46 72 6F 6D 3A 20   FHom:
EML   A commmon file extension for e-mail files. Signatures shown here
are for Netscape, Eudora, and a generic signature, respectively.
EML is also used by Outlook Express and QuickMail.
47 46 31 50 41 54 43 48   GF1PATCH
PAT   Advanced Gravis Ultrasound patch file
47 49 46 38 37 61 or   GIF87a
47 49 46 38 39 61   GIF89a
GIF   Graphics interchange format file
Trailer: 00 3B (.;)
47 50 41 54   GPAT
PAT   GIMP (GNU Image Manipulation Program) pattern file
47 58 32   GX2
GX2   Show Partner graphics file (not confirmed)
48 48 47 42 31   HHGB1
SH3   Harvard Graphics presentation file
49 20 49   I I
TIF, TIFF   Tagged Image File Format file
49 44 33   ID3
MP3   MPEG-1 Audio Layer 3 (MP3) audio file
49 49 2A 00   II*.
TIF, TIFF   Tagged Image File Format file (little
endian, i.e., LSB first in the byte; Intel)
49 53 63 28   ISc(
CAB   Install Shield v5.x or 6.x compressed file
49 54 53 46   ITSF
CHM   Microsoft HTML Help Compiled Help File
49 6E 6E 6F 20 53 65 74
75 70 20 55 6E 69 6E 73
74 61 6C 6C 20 4C 6F 67
20 28 62 29		   Inno Set
up Unins
tall Log
 (b)
DAT   Inno Setup Uninstall Log file
4A 41 52 43 53 00   JARCS.
JAR   JARCS compressed archive
4A 47 03 0E 00 00 00 or   JG.....
4A 47 04 0E 00 00 00   JG.....
ART   AOL ART file
4C 00 00 00 01 14 02 00   L.......
LNK   Windows shortcut file
4C 01   L.
OBJ   Microsoft Common Object File Format (COFF) relocatable
object code file for an Intel 386 or later/compatible processors

4C 4E 02 00   LN..
HLP   Windows Help file
4D 49 4C 45 53   MILES
MLS   Milestones v1.0 project management and scheduling software
(Also see "MV2C" and "MV214" signatures)
4D 4C 53 57   MLSW
MLS   Skype localization data file
4D 4D 00 2A   MM.*
TIF, TIFF   Tagged Image File Format file (big
endian, i.e., LSB last in the byte; Motorola)
4D 4D 00 2B   MM.+
TIF, TIFF   BigTIFF files; Tagged Image File Format files >4 GB
4D 4D 4D 44 00 00   MMMD..
MMF   Yamaha Corp. Synthetic music Mobile Application Format (SMAF)
for multimedia files that can be played on hand-held devices.
4D 53 43 46   MSCF
CAB   Microsoft cabinet file
PPZ   Powerpoint Packaged Presentation
SNP   Microsoft Access Snapshot Viewer file
4D 53 46 54 02 00 01 00   MSFT....
TLB   OLE, SPSS, or Visual C++ type library file
4D 53 5F 56 4F 49 43 45   MS_VOICE
CDR, DVF   Sony Compressed Voice File
MSV   Sony Memory Stick Compressed Voice file
4D 54 68 64   MThd
MID, MIDI   Musical Instrument Digital Interface (MIDI) sound file
4D 56   MV
DSN   CD Stomper Pro label file
4D 56 32 43   MV2C
MLS   Milestones v2.1a project management and scheduling software
(Also see "MILES" and "MV214" signatures)
4D 56 32 31 34   MV214
MLS   Milestones v2.1b project management and scheduling software
(Also see "MILES" and "MV2C" signatures)
4D 5A   MZ
COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS   Windows/DOS executable file
ACM   MS audio compression manager driver
AX   Library cache file
CPL   Control panel application
FON   Font file
OCX   ActiveX or OLE Custom Control
OLB   OLE object library
SCR   Screen saver
VBX   VisualBASIC application
VXD, 386   Windows virtual device drivers
4D 5A 90 00 03 00 00 00   MZ......
API   Acrobat plug-in
AX   DirectShow filter
FLT   Audition graphic filter file (Adobe)
4D 5A 90 00 03 00 00 00
04 00 00 00 FF FF		   MZ......
....ÿÿ
ZAP   ZoneAlam data file
4D 69 63 72 6F 73 6F 66
74 20 56 69 73 75 61 6C
20 53 74 75 64 69 6F 20
53 6F 6C 75 74 69 6F 6E
20 46 69 6C 65		   Microsof
t Visual
 Studio
Solution
 File
SLN   Visual Studio .NET Solution file
[84 byte offset]
4D 69 63 72 6F 73 6F 66
74 20 57 69 6E 64 6F 77
73 20 4D 65 64 69 61 20
50 6C 61 79 65 72 20 2D
2D 20		   [84 byte offset]
Microsof
t Window
s Media
Player -
-
WPL   Windows Media Player playlist
4E 41 56 54 52 41 46 46
49 43		   NAVTRAFF
IC
DAT   TomTom traffic data file
4E 45 53 4D 1A 01   NESM..
NSF   NES Sound file
4E 49 54 46 30   NITF0
NTF   National Imagery Transmission Format (NITF) file
4E 61 6D 65 3A 20   Name:
COD   Agent newsreader character map file
4F 50 4C 44 61 74 61 62
61 73 65 46 69 6C 65		   OPLDatab
aseFile
DBF   Psion Series 3 Database file
4F 67 67 53 00 02 00 00
00 00 00 00 00 00		   OggS....
......
OGA, OGG, OGV, OGX   Ogg Vorbis Codec compressed Multimedia file
4F 7B   O{
DW4   Visio/DisplayWrite 4 text file (unconfirmed)
50 00 00 00 20 00 00 00   P... ...
IDX   Quicken QuickFinder Information File
50 35 0A   P5.
PGM   Portable Graymap Graphic
50 41 43 4B   PACK
PAK   Quake archive file
50 45 53 54   PEST
DAT   PestPatrol data/scan strings
50 49 43 54 00 08   PICT..
IMG   ADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file
50 4B 03 04   PK..
ZIP   PKZIP archive file (Ref. 1 | Ref. 2)
Trailer: filename 50 4B 17 characters 00 00 00
Trailer: (filename PK 17 characters ...)
DOCX, PPTX, XLSX   Microsoft Office Open XML Format Document
JAR   Java archive; compressed file package for classes and data
SXC, SXD, SXI, SXW   OpenOffice spreadsheet, drawing, presentation, and text files
WMZ   Windows Media compressed skin file
XPI   Mozilla Browser Archive
XPT   eXact Packager Models
50 4B 03 04 14 00 06 00   PK......
DOCX, PPTX, XLSX   Office 2007 documents
50 4B 03 04 14 00 08 00
08 00		   PK......
..
JAR   Java archive
[30 byte offset]
50 4B 4C 49 54 45		   [30 byte offset]
PKLITE
ZIP   PKLITE compressed ZIP archive (see also PKZIP)
[526 byte offset]
50 4B 53 70 58		   [526 byte offset]
PKSFX
ZIP   PKSFX self-extracting executable compressed file (see also PKZIP)
50 4D 43 43   PMCC
GRP   Windows Program Manager group file
50 4E 43 49 55 4E 44 4F   PNCIUNDO
DAT   Norton Disk Doctor undo file
[92 byte offset]
51 45 4C 20		   [92 byte offset]
QEL
QEL   Quicken data file
51 46 49 FB   QFI.
IMG   QEMU Qcow Disk Image
51 57 20 56 65 72 2E 20   QW Ver.
ABD, QSD   Quicken data file
52 41 5A 41 54 44 42 31   RAZATDB1
DAT   Shareaza (Windows P2P client) thumbnail
52 45 47 45 44 49 54   REGEDIT
REG, SUD   Windows NT Registry and Registry Undo files
52 45 56 4E 55 4D 3A 2C   REVNUM:,
ADF   Antenna data file
52 49 46 46   RIFF
ANI   Windows animated cursor
DAT   Video CD MPEG or MPEG1 movie file
DS4   Micrografx Designer v4 graphic file
52 49 46 46 xx xx xx xx
41 56 49 20 4C 49 53 54		   RIFF....
AVI LIST
AVI   Resource Interchange File Format -- Windows Audio
Video Interleave file
52 49 46 46 xx xx xx xx
43 44 44 41 66 6D 74 20		   RIFF....
CDDAfmt
CDA   Resource Interchange File Format -- Compact Disc
Digital Audio (CD-DA) file
52 49 46 46 xx xx xx xx
51 4C 43 4D 66 6D 74 20		   RIFF....
QLCMfmt
QCP   Resource Interchange File Format -- Qualcomm
PureVoice
52 49 46 46 xx xx xx xx
52 4D 49 44 64 61 74 61		   RIFF....
RMIDdata
RMI   Resource Interchange File Format -- Windows Musical
Instrument Digital Interface file
52 49 46 46 xx xx xx xx
57 41 56 45 66 6D 74 20		   RIFF....
WAVEfmt
WAV   Resource Interchange File Format -- Audio for
Windows file
52 54 53 53   RTSS
CAP   Windows NT Netmon capture file
52 61 72 21 1A 07 00   Rar!...
RAR   WinRAR compressed archive file
53 43 48 6C   SCHl
AST   Need for Speed: Underground Audio file
53 43 4D 49   SCMI
IMG   Img Software Set Bitmap
53 48 4F 57   SHOW
SHW   Harvard Graphics DOS Ver. 2/x Presentation file
53 49 45 54 52 4F 4E 49
43 53 20 58 52 44 20 53
43 41 4E		   SIETRONI
CS XRD S
CAN
CPI   Sietronics CPI XRD document
53 49 54 21 00   SIT!.
SIT   StuffIt compressed archive
53 4D 41 52 54 44 52 57   SMARTDRW
SDR   SmartDraw Drawing file
53 51 4C 4F 43 4F 4E 56
48 44 00 00 31 2E 30 00		   SQLOCONV
HD..1.0.
CNV   DB2 conversion file
53 6D 62 6C   Smbl
SYM   (Unconfirmed file type. Likely type is Harvard Graphics
Version 2.x graphic symbol or Windows SDK graphic symbol)
53 74 75 66 66 49 74 20
28 63 29 31 39 39 37 2D		   StuffIt
(c)1997-
SIT   StuffIt compressed archive
54 68 69 73 20 69 73 20   This is
INFO   UNIX GNU Info Reader File
55 43 45 58   UCEX
UCE   Unicode extensions
55 46 41 C6 D2 C1   UFAÆÒÁ
UFA   UFA compressed archive
55 46 4F 4F 72 62 69 74   UFOOrbit
DAT   UFO Capture v2 map file
56 43 50 43 48 30   VCPCH0
PCH   Visual C PreCompiled header file
56 45 52 53 49 4F 4E 20   VERSION
CTL   Visual Basic User-defined Control file
57 4D 4D 50   WMMP
DAT   Walkman MP3 container file
57 53 32 30 30 30   WS2000
WS2   WordStar for Windows Ver. 2 document
[29,152 byte offset]
57 69 6E 5A 69 70		   [29,152 byte offset]
WinZip
ZIP   WinZip compressed archive
58 43 50 00   XCP.
CAP   Cinco NetXRay, Network General Sniffer, and
Network Associates Sniffer capture file
58 50 43 4F 4D 0A 54 79
70 65 4C 69 62		   XPCOM.Ty
peLib
XPT   XPCOM type libraries for the XPIDL compiler
58 54   XT..
BDR   MS Publisher border
5A 4F 4F 20   ZOO
ZOO   ZOO compressed archive
5B 47 65 6E 65 72 61 6C
5D 0D 0A 44 69 73 70 6C
61 79 20 4E 61 6D 65 3D
3C 44 69 73 70 6C 61 79
4E 61 6D 65		   [General
]..Displ
ay Name=
<Display
Name
ECF   MS Exchange 2007 extended configuartion file
5B 4D 53 56 43   [MSVC
VCW   Microsoft Visual C++ Workbench Information File
5B 50 68 6F 6E 65 5D   [Phone]
DUN   Dial-up networking file (unconfirmed)
5B 56 45 52 5D 0D 0A 09 or   [VER]...
5B 76 65 72 5D 0D 0A 09 or   [ver]...
SAM   AMU Pro document
[2 byte offset]
5B 56 65 72 73 69 6F 6E		   [2 byte offset]
[Version
CIF   (Unknown file type)
5B 57 69 6E 64 6F 77 73
20 4C 61 74 69 6E 20		   [Windows
 Latin
CPX   Microsoft Code Page Translation file
5B 66 6C 74 73 69 6D 2E
30 5D		   [fltsim.
0]
CFG   Flight Simulator Aircraft Configuration file
5F 43 41 53 45 5F   _CASE_
CAS, CBK   EnCase case file (and backup)
60 EA  
ARJ   Compressed archive file
62 65 67 69 6E   begin
n/a   UUencoded files start with a string:
  begin mode path
where mode is the set of permissions as used in
Linux/Unix and path is the name given to the decoded
file. (See this uuencode page for more information.)

63 75 73 68 00 00 00 02
00 00 00		   cush....
...
CSH   Photoshop Custom Shape
64 00 00 00   d...
P10   Intel PROset/Wireless Profile
64 73 77 66 69 6C 65   dswfile
DSW   Microsoft Visual Studio workspace file
66 4C 61 43 00 00 00 22   fLaC..."
FLAC   Free Lossless Audio Codec file
6C 33 33 6C   l33l
DBB   Skype user data file (profile and contacts)
[4 byte offset]
6D 6F 6F 76 		  [4 byte offset]
moov
MOV   QuickTime movie file
.MOV files have a complicated file signature.The string "moov" is the most common but I have also seen:
  0x66-72-65-65   free
  0x6D-64-61-74   mdat
  0x77-69-64-65   wide

And the following have been reported to me:
  0x70-6E-6F-74   pnot
  0x73-6B-69-70   skip

Furthermore, if you look at byte position xxxxxxxx+4 (hex), you will find one (or more!) of these strings repeated;
the string "free" seems to be the most common. (Thanks to D. Wright for getting me started on this!)

72 65 67 66   regf
DAT   Windows registry hive file
72 74 73 70 3A 2F 2F   rtsp://
RAM   RealMedia metafile
73 6C 68 21 or   slh!
73 6C 68 2E   slh.
DAT   Allegro Generic Packfile Data file (0x21 = compressed,
0x2E = uncompressed)
73 72 63 64 6F 63 69 64
3A		   srcdocid
:
CAL   CALS raster bitmap file
73 7A 65 7A   szez
PDB   PowerBASIC Debugger Symbols file
[60 byte offset]
74 42 4D 50 4B 6E 57 72		   [60 byte offset]
tBMPKnWr
PRC   PathWay Map file, used with GPS devices
[257 byte offset]
75 73 74 61 72		   [257 byte offset]
ustar
TAR   Tape Archive file (http://www.mkssoftware.com/docs/man4/tar.4.asp)
76 32 30 30 33 2E 31 30
0D 0A 30 0D 0A		   v2003.10
..0..
FLT   Qimage filter
78   x
DMG   Mac OS X Disk Copy Disk Image file

7A 62 65 78   zbex
INFO   ZoomBrowser Image Index file (ZbThumbnal.info)
7B 0D 0A 6F 20   {..o
LGC, LGD   Windows application log
7B 5C 72 74 66 31   {\rtf1
RTF   Rich text format word processing file
Trailer: 5C 70 61 72 20 7D 7D (\par }})
7E 42 4B 00   ~BK.
PSP   Corel Paint Shop Pro image file
7F 45 4C 46   .ELF
n/a   Executable and Linking Format executable file (Linux/Unix)
80   .
OBJ   Relocatable object code
80 00 00 20 03 12 04   .......
ADX   Dreamcast audio file
81 CD AB   .Í«
WPF   WordPerfect text file
89 50 4E 47 0D 0A 1A 0A   .PNG....
PNG   Portable Network Graphics file
8A 01 09 00 00 00 E1 08
00 00 99 19		   ......á.
....
AW   MS Answer Wizard file
91 33 48 46   '3HF
HAP   Hamarsoft HAP 3.x compressed archive
95 00 or   ..
95 01   ..
SKR   PGP secret keyring file
99 01   ..
PKR   PGP public keyring file
9C CB CB 8D 13 75 D2 11
91 58 00 C0 4F 79 56 A4		   .ËË..UÒ.
.X.ÀOyV¤
WAB   Outlook address file
[512 byte offset]
A0 46 1D F0		   [512 byte offset]
 F.ð
PPT   PowerPoint presentation subheader (MS Office)
A1 B2 C3 D4   ¡²ÃÔ
n/a   tcpdump (libpcap) capture file (Linux/Unix)
A1 B2 CD 34   ¡²Í4
n/a   Extended tcpdump (libpcap) capture file (Linux/Unix)
A9 0D 00 00 00 00 00 00   ©.......
DAT   Access Data FTK evidence file
AC 9E BD 8F 00 00   ¬.½...
QDF   Quicken data file
B1 68 DE 3A   ±hÞ:
DCX   Graphics Multipage PCX bitmap file
B5 A2 B0 B3 B3 B0 A5 B5   µ¢°³³°¥µ
CAL   (Unknown file type...)
BE 00 00 00 AB 00 00 00
00 00 00 00 00		   ¾...«...
....
WRI   MS Write file
C3 AB CD AB   ëͫ
ACS   MS Agent Character file
C5 D0 D3 C6   ÅÐÓÆ
EPS   Adobe encapsulated PostScript file
CA FE BA BE   Êþº¾
CLASS   Java bytecode file
CD 20 AA AA 02 00 00 00   Í ªª....
n/a   Norton Anti-Virus quarantined virus file
CF 11 E0 A1 B1 1A E1 00   Ï.ࡱ.á.
DOC   Perfect Office document
[Note similarity to MS Office header, below]
CF AD 12 FE   Ï­.þ
DBX   Outlook Express e-mail folder
D0 CF 11 E0 A1 B1 1A E1   ÐÏ.ࡱ.á
DOC, DOT, PPS, PPT, XLA, XLS, WIZ   Microsoft Office applications (Word, Powerpoint, Excel, Wizard)
[See also Word, Powerpoint, and Excel "subheaders" at byte offset 512]
AC_   CaseWare Working Papers compressed client file
ADP   Access project file
APR   Lotus/IBM Approach 97 file
DB   MSWorks database file
MSC   Microsoft Common Console Document
MSI   Microsoft Installer package
MTW   Minitab data file
OPT   Developer Studio File Workspace Options file
PUB   MS Publisher file
SOU   Visual Studio Solution User Options file
SPO   SPSS output file
VSD   Visio file
WPS   MSWorks text document
D2 0A 00 00   Ò...
FTR   GN Nettest WinPharoah filter file
D4 2A   Ô*
ARL, AUT   AOL history (ARL) and typed URL (AUT) files
D4 C3 B2 A1   Ôò¡
n/a   WinDump (winpcap) capture file (Windows)
D7 CD C6 9A   ×ÍÆ.
WMF   Windows graphics metafile
DC DC   ÜÜ
CPL   Corel color palette file
DC FE   Üþ
EFX   eFax file format
E3 10 00 01 00 00 00 00   ã.......
INFO   Amiga Icon file
E3 82 85 96   ã...
PWL   Windows password file
E8 or   è
E9 or   é
EB   ë
COM, SYS   Windows executable file
EB 3C 90 2A   ë<.*
IMG   GEM Raster file
[512 byte offset]
EC A5 C1 00		   [512 byte offset]
ì¥Á.
DOC   Word document subheader (MS Office)
ED AB EE DB   í"îÛ
RPM   RedHat Package Manager file
EF BB BF   
n/a   Byte-order mark for 8-bit Unicode Transformation Format
(UTF-8) files. (See the Unicode Home Page.)
[512 byte offset]
FD FF FF FF 04		   [512 byte offset]
ýÿÿÿ.
SUO   Visual Studio Solution User Options subheader (MS Office)
[512 byte offset]
FD FF FF FF nn 00 00 00		   [512 byte offset]
ýÿÿÿ....
PPT   PowerPoint presentation subheader (MS Office)
(where nn has been seen with values 0x0E, 0x1C, and 0x43)
[512 byte offset]
FD FF FF FF nn 02		   [512 byte offset]
ýÿÿÿ..
XLS   Excel spreadsheet subheader (MS Office)
(where nn = 0x10, 0x22, 0x23, 0x28, or 0x29)
[512 byte offset]
FD FF FF FF 20 00 00 00		   [512 byte offset]
ýÿÿÿ ...
OPT   Developer Studio File Workspace Options subheader (MS Office)
XLS   Excel spreadsheet subheader (MS Office)
[512 byte offset]
FD FF FF FF xx xx xx xx
xx xx xx xx 04 00 00 00		   [512 byte offset]
ýÿÿÿ....
........
DB   Thumbs.db subheader (MS Office)
FE FF   þÿ
n/a   Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), little-endian files.
(See the Unicode Home Page.)
FF   ÿ
SYS   Windows executable (SYS) file
FF 00 02 00 04 04 05 54
02 00		   ÿ......T
..
WKS   Works for Windows spreadsheet file
FF 46 4F 4E 54   ÿFONT
CPI   Windows international code page
FF 4B 45 59 42 20 20 20   ÿKEYB
SYS   Keyboard driver file
FF 57 50 43   ÿWPC
WP, WPD, WPG, WP5   WordPerfect text and graphics file
FF D8 FF E0 xx xx 4A 46
49 46 00		   ÿØÿà..JF
IF.
JFIF, JPE, JPEG, JPG   JPEG/JFIF graphics file
Trailer: FF D9 (..)
FF D8 FF E1 xx xx 45 78
69 66 00		   ÿØÿá..Ex
if.
JPG   Digital camera JPG using Exchangeable Image File Format (EXIF)
Trailer: FF D9 (..)
See "Using Extended File Information (EXIF) File Headers in Digital
Evidence Analysis" (P. Alvarez, IJDE, 2(3), Winter 2004)
FF D8 FF E8 xx xx 53 50
49 46 46 00		   ÿØÿá..SP
IFF.
JPG   Still Picture Interchange File Format (SPIFF)
Trailer: FF D9 (..)
NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three hex digits 0xFF-D8-FF. The fourth digit is also indicative of JPEG content. Various options include:

FF Ex   ÿ.
FF Fx   ÿ.
MPEG, MPG, MP3   MPEG audio file frame synch pattern
FF FE   ÿþ
REG   Windows Registry file
n/a   Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), big-endian files.
(See the Unicode Home Page.)
FF FE 00 00   ÿþ..
n/a   Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), little-endian files.
(See the Unicode Home Page.)
FF FE 23 00 6C 00 69 00
6E 00 65 00 20 00 31 00		   ÿþ#.l.i.
n.e. .1.
MOF   Windows MSinfo file
FF FF FF FF   ÿÿÿÿ
SYS   DOS system driver

The following individuals have given me updates or suggestions for this list over the last couple of years: Devon Ackerman, Vladimir Benko, Sam Brothers, Per Christensson, Jeffrey Duggan, George Harpur, Brian High, Bill Kuhns, Anand Mani, Kevin Mansell, Bruce Modick, Mike Sutton, Franklin Webber, and David Wright. I thank them and apologize if I have missed anyone.

I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite, primarily for the "subheaders" for many of the file types here.