FILE SIGNATURES TABLE
16 December 2017
This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I had found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.
This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know to what a particular file extension refers, check out some of these sites:
- File Extension Seeker: Metasearch engine for file extensions
- FILExt.com
- FileInfo.com
- Wotsit.org, The Programmer's File and Data Resource
- DOT.WHAT?
- File-Extensions.org
Some other useful information:
My software utility page contains a custom signature file based upon this list, for use with FTK, Scalpel, Simple Carver, Simple Carver Lite, and TrID.
The File Signatures Web site searches a database based upon file extension or file signature.
Tim Coakley's Filesig.co.uk site, with Filesig Manager and Simple Carver. Also, see Tim's SQLite Database Catalog page, "a repository of information used to identify specific SQLite databases and properties for research purposes."
Marco Pontello's TrID - File Identifier utility designed to identify file types from their binary signatures.
The National Archives' PRONOM site provides on-line information about data file formats and their supporting software products, as well as their multi-platform DROID (Digital Record Object Identification) software.
Additional details on graphics file formats can be found at The Graphics File Formats Page and the Sustainability of Digital Formats Planning for Library of Congress Collections site.
Additional details on audio and video file formats can be found at the Sustainability of Digital Formats Planning for Library of Congress Collections site.
Another collection of many types of file format specifications can be found at Alex Kirk's File Format Documentation Collection.
Shaul Zevin's Let's Solve the File Format Problem! page presents an ontology on which his Falstaff tool is built, a Web-based tool to classify a file by signature.
If you are using a Linux/Mac OS X/Unix system, you can use the file command to determine the file type based upon the file signature, per the system's magicfile.
And, one last and final item — if you are searching for network traffic in raw binary files (e.g., RAM or unallocated space), see Hints About Looking for Network Packet Fragments.
ACKNOWLEDGEMENTS & COPYRIGHT NOTICE
Hex Signature ASCII Signature File Extension File Description TGA Truevision Targa Graphic file
Trailer:
54 52 55 45 56 49 53 49 TRUEVISI
4F 4E 2D 58 46 49 4C 45 ON-XFILE
2E 00 ..00 . PIC IBM Storyboard bitmap file MOV Apple QuickTime movie file PIF Windows Program Information File SEA Mac Stuffit Self-Extracting Archive YTR IRIS OCR data file 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00........
........XXX Compucon/Singer embroidery design file [11 byte offset]
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00[11 byte offset]
........
........
........PDB Palmpilot Database/Document File [512 (0x200) byte offset]
00 00 00 00 00 00 00 00[512 (0x200) byte offset]
........RVT Revit Project File subheader 00 00 00 00 14 00 00 00 ........ TBI Windows Disk Image file [8 byte offset]
00 00 00 00 62 31 05 00
09 00 00 00 00 20 00 00
00 09 00 00 00 00 00 00[8 byte offset]
....b1..
..... ..
........DAT Bitcoin Core wallet.dat file 00 00 00 0C 6A 50 20 20
0D 0A....jP
..JP2 Various JPEG-2000 image file formats 00 00 01 00 .... ICO Windows icon file SPL Windows NT/2000/XP printer spool file 00 00 01 Bx .... MPEG, MPG MPEG video file
Trailer:
00 00 01 B7 (...·)00 00 01 BA ....º MPG, VOB DVD Video Movie File (video/dvd, video/mpeg) or DVD MPEG2
Trailer:
00 00 01 B9 (...¹)00 00 02 00 ...... CUR Windows cursor file WB2 QuattroPro for Windows Spreadsheet file 00 00 02 00 06 04 06 00
08 00 00 00 00 00........
......WK1 Lotus 1-2-3 spreadsheet (v1) file 00 00 03 F3 ...ó n/a Amiga Hunk executable file 00 00 1A 00 00 10 04 00
00 00 00 00........
....WK3 Lotus 1-2-3 spreadsheet (v3) file 00 00 1A 00 02 10 04 00
00 00 00 00........
....WK4, WK5 Lotus 1-2-3 spreadsheet (v4, v5) file 00 00 1A 00 05 10 04 ....... 123 Lotus 1-2-3 spreadsheet (v9) file 00 00 49 49 58 50 52 or ..IIXPR 00 00 4D 4D 58 50 52 ..MMXPR QXD Quark Express document (Intel & Motorola, respectively)
NOTE: It appears that the byte following the 0x52 ("R") is
the language indicator; 0x33 ("3") seems to indicate English
and 0x61 ("a") reportedly indicates Korean.00 00 FE FF ..þÿ n/a Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), big-endian files.
(See the Unicode Home Page.)[6 byte offset]
00 00 FF FF FF FF[6 byte offset]
..ÿÿÿÿHLP Windows Help file 00 01 00 00 00 ..... TTF TrueType font file 00 01 00 00 4D 53 49 53
41 4D 20 44 61 74 61 62
61 73 65....MSIS
AM Datab
aseMNY Microsoft Money file 00 01 00 00 53 74 61 6E
64 61 72 64 20 41 43 45
20 44 42....Stan
dard ACE
DBACCDB Microsoft Access 2007 file 00 01 00 00 53 74 61 6E
64 61 72 64 20 4A 65 74
20 44 42....Stan
dard Jet
DBMDB Microsoft Access file 00 01 00 08 00 01 00 01
01........
.IMG Ventura Publisher/GEM VDI Image Format Bitmap file 00 01 01 ... FLT OpenFlight 3D file 00 01 42 41 ..BA ABA Palm Address Book Archive file 00 01 42 44 ..BD DBA Palm DateBook Archive file 00 06 15 61 00 00 00 02
00 00 04 D2 00 00 10 00...a....
...Ò....DB Netscape Navigator (v4) database file 00 0D BB A0 ..» n/a Mbox table of contents file. (NOTE: The next four bytes
appear to be the number of e-mails in the associated mbox file.)00 11 AF ..¯ FLI FLIC Animation file 00 14 00 00 01 02 xx xx
03........
.n/a BIOS details in RAM images 00 1E 84 90 00 00 00 00 ..„..... SNM Netscape Communicator (v4) mail folder 00 20 AF 30 . ¯0 TPL Wii images container 00 5C 41 B1 FF .A±ÿ ENC Mujahideen Secrets 2 encrypted file [512 (0x200) byte offset]
00 6E 1E F0[512 (0x200) byte offset]
.n.ðPPT PowerPoint presentation subheader (MS Office) 00 BF .¿ SOL Adobe Flash shared object file (e.g., Flash cookies) 00 FF FF FF FF FF FF FF
FF FF FF 00 00 02 00 01.ÿÿÿÿÿÿÿ
ÿÿÿ.....MDF Alcohol 120% CD image 01 00 00 00 .... EMF Extended (Enhanced) Windows Metafile Format, printer spool file
(0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP)01 00 00 00 01 ..... PIC Unknown type picture file 01 00 09 00 00 03 ...... WMF Windows Metadata file (Win 3.x format) 01 00 02 00 .... ARF Webex Advanced Recording Format files. 01 00 39 30 ..90 FDB, GDB Firebird and Interbase database files, respectively. See
IBPhoenix for more information.01 01 47 19 A4 00 00 00
00 00 00 00..G.#xA4...
....TBI The Bat! secure e-mail Message Base Index file 01 0F 00 00 .... MDF Microsoft SQL Server 2000 database 01 10 .. TR1 Novell LANalyzer capture file 01 DA 01 01 00 03 .Ú.... RGB Silicon Graphics RGB Bitmap 01 FF 02 04 03 02 .ÿ.... DRW Micrografx vector graphic file 02 64 73 73 .dss DSS Digital Speech Standard (Olympus, Grundig, & Phillips) 03 . DAT MapInfo Native Data Format DB3 dBASE III file 03 00 00 00 .... QPH Quicken price history file 03 00 00 00 41 50 50 52 ....APPR ADX Approach index file 04 . DB4 dBASE IV data file 04 00 00 00 xx xx xx xx
xx xx xx xx 20 03 00 00 or........
.... ...05 00 00 00 xx xx xx xx
xx xx xx xx 20 03 00 00........
.... ...n/a INFO2 Windows recycle bin file. NOTE: Bytes 12-13
indicate the size of each INFO2 record; the most common
value is 0x20-03 (0x0320 = 800 bytes).06 06 ED F5 D8 1D 46 E5
BD 31 EF E7 FE 74 B7 1D..íõØ.Få
½1ïçþt·.INDD Adobe InDesign document 06 0E 2B 34 02 05 01 01
0D 01 02 01 01 02..+4....
......MXF Material Exchange Format file 07 . DRW A common signature and file extension for many drawing
programs.07 53 4B 46 .SKF SKF SkinCrafter skin file 07 64 74 32 64 64 74 64 .dt2ddtd DTD DesignTools 2D Design file 08 . DB dBASE IV or dBFast configuration file 08 00 45 ..E n/a Possibly, maybe, might be a fragment of an Ethernet frame carrying
an IPv4 packet. See Hints About Looking for Network Packet Fragments.[512 (0x200) byte offset]
09 08 10 00 00 06 05 00[512 (0x200) byte offset]
........XLS Excel spreadsheet subheader (MS Office) 0A nn 01 01 .... PCX ZSOFT Paintbrush file
(where nn = 0x02, 0x03, or 0x05)0A 16 6F 72 67 2E 62 69
74 63 6F 69 6E 2E 70 72..org.bi
tcoin.prWALLET MultiBit Bitcoin wallet file 0C ED .í MP Monochrome Picture TIFF bitmap file (unconfirmed) 0D 44 4F 43 .DOC DOC DeskMate Document file 0E 4E 65 72 6F 49 53 4F .NeroISO NRI Nero CD Compilation 0E 57 4B 53 .WKS WKS DeskMate Worksheet [512 (0x200) byte offset]
0F 00 E8 03[512 (0x200) byte offset]
..è.PPT PowerPoint presentation subheader (MS Office) 10 00 00 00 .... CL5 Easy CD Creator 5 Layout file 1A 00 00 ... NTF Lotus Notes database template 1A 00 00 04 00 00 ...... NSF Lotus Notes database 1A 0x .. ARC LH archive file, old version
(where x = 0x2, 0x3, 0x4, 0x8 or 0x9
for types 1-5, respectively)1A 0B .. PAK Compressed archive file
(often associated with Quake Engine games)1A 35 01 00 .5.. ETH GN Nettest WinPharoah capture file 1A 45 DF A3 .Eߣ MKV Matroska stream file WEBM WebM video file 1A 52 54 53 20 43 4F 4D
50 52 45 53 53 45 44 20
49 4D 41 47 45 20 56 31
2E 30 1A.RTS COM
PRESSED
IMAGE V1
.0.DAT Runtime Software compressed disk image 1D 7D .} WS WordStar Version 5.0/6.0 document 1F 8B 08 .‹. GZ, TGZ GZIP archive file VLT VLC Player Skin file 1F 9D .. TAR.Z Compressed tape archive file using standard (Lempel-Ziv-Welch) compression 1F A0 . TAR.Z Compressed tape archive file using LZH (Lempel-Ziv-Huffman) compression 21 ! BSB MapInfo Sea Chart 21 12 !. AIN AIN Compressed Archive 21 3C 61 72 63 68 3E 0A !<arch>. LIB Unix archiver (ar) files and Microsoft Program Library
Common Object File Format (COFF)21 42 44 4E