File signature

파일 시그니처 모음 (Common File Signatures)

By proneer On October 23, 2009 · 21 Comments

파일은 파일 자체로는 의미가 없다. 파일이 담고 있는 데이터를 유용하게 사용하기 위해서는 관련된 소프트웨어가 필요하다. 이러한 소프트웨어들은 각각 자신만의 고유한 파일 포맷을 만들어 사용한다. 따라서 어떤 파일을 읽을 수 있다면(혹은 실행할 수 있다면) 해당 파일 포맷을 해석할 수 있다는 의미이다. (텍스트 파일 제외)

그림 파일(JPEG, PNG, TIFF, GIF 등) 또한 파일 포맷 별로 고유한 포맷을 가지고 있다. 알씨와 같은 그래픽 뷰어 소프트웨어를 통해 해당 파일을 볼 수 있는 이유는 알씨 소프트웨어에서 각 그림 파일 포맷을 해석할 수 있도록 프로그래밍되어 있기 때문이다.

이처럼 파일들은 각각 고유한 포맷을 가지고 있는데 포맷의 기본이 되는 내용이 파일 시그니처(File Signature)이다. 파일 시그니처는 파일의 가장 처음에 위치하는 특정 바이트들도 파일 포맷을 구분하기 위해 사용한다. 예를 들어, JPEG 파일은 다음과 같이 “FF D8 FF E0″의 시그니처를 갖는다. JPEG의 경우 디지털카메라로 캡쳐한 파일과 구분하기 위해  “FF D8 FF E1″ 시그니처도 사용한다.

파일 시그니처는 파일의 처음에만 존재하는 파일 포맷도 있지만 파일의 마지막에도 존재하는 포맷도 있다. 파일의 처음에 존재하는 시그니처는 보통 헤더(Header) 시그니처, 파일의 마지막에 존재하는 시그니처는 푸터(Footer or Tailer) 시그니처라고 부른다. 그리고 문서에 따라 시그니처를 매직 넘버(magic number) 라고 사용하는 경우도 있다.
파일 시그니처는 파일 포맷 분석, 악성코드 분석, 파일 복구 등에 중요하게 작용한다. 현재 파일 카빙(File Carving) 도구를 개발하고 있는데 파일 카빙 도구에서 파일 시그니처는 파일을 복구하기 위해 없어서는 안될 요소이다.

다음은 다양한 파일들을 대상으로 파일 헤더 시그니처를 조사한 내용이다. 찾고자 하는 시그니처가 있는 경우 ‘Ctrl + F’를 이용해 확장자 검색을 하기 바랍니다. 혹시 빠진 시그니처가 있다면 답글로 남겨주시기 바랍니다.

Header Signature (Hex)	File Type	Description
xx xx xx xx AF 11	FLI	Graphics – Autodesk Animator
xx xx xx xx AF 12	FLC	Graphics - Autodesk 3D Studio
xx xx 2D 6C 68 35 2D -   1   h   5  -	LZH	Archive – LHA Compressed Archive File
00	PIF PIC YTR	Windows – Program Information File Graphics – IBM Storyboard Bitmap File IRIS OCR Data File
00 00 00 02	MAC	Graphics – MAC Picture Format
00 00 00 nn 66 74 79 70 f   t   y   p 33 67 70 3  g  p	3GG 3G2	3rd Generation Partnership Project 3GPP (nn=0×14) 3GPP2 (nn=0×20) Multimedia File
00 00 00 18 66 74 79 70 f   t   y   p 33 67 70 35   3  g  p   5	MP4	MPEG-4 Video File
00 00 01 00	ICO	Graphics – Windows Icon Format
00 00 01 Bx	MPG	MPEG Video File
00 00 02 00	CUR WB2	Graphics – Windows Cursor File Spreadsheet  – QuattroPro
00 00 02 00 04 04	WKS	Spreadsheet – Lotus 1-2-3
00 00 02 00 05 04	WRK	Spreadsheet – Symphony
00 00 02 00 06 04	WK1 WR1	Spreadsheet – Lotus 1-2-3 Spreadsheet – Symphony
00 00 1A 00 00 10	WK3	Spreadsheet – Lotus 1-2-3
00 00 1A 00 02 10	WK4	Spreadsheet – Lotus 1-2-3
00 00 49 49 58 50 52 I   I   X  P  R	QXD	Quark Express Document (dependant endian) Note: It appears that the byte following the 0×52 (“R”) is the languate indicator; 0×33(“3″) seems to indicate English and 0×61(“a”) reportedly indicates Korean
00 00 49 49 58 50 52 M  M  X  P  R	QXD	Quark Express Document (dependant endian) Note: It appears that the byte following the 0×52 (“R”) is the languate indicator; 0×33(“3″) seems to indicate English and 0×61(“a”) reportedly indicates Korean
00 00 EF FF		Byte-order mark for 32-bit Unicode Transformation Format
00 01 00 00 4D 53 49 53 M  S   I  S 41 4D 20 44  61 74 61 74 A  M      D   a   t   a   b 61 62 61 73 65 a  s  e	MNY	Microsoft Money File
00 01 00 00 53 74 61 72 S   t   a  n 64 61 72 64 20 4A 65 74 d  a   r   d     J   e   t 20 44 42 D  B	MDB	Database – Microsoft Access File
00 01 00 08	IMG	Graphics - GEM Image Format
00 01 01	FLT	Graphics – OpenFlight 3D File
00 01 42 41 B  A	ABA	Palm Address Book Archive File
00 01 42 44 B  D	DBA	Palm DataBook Archive File
00 06 15 61 00 00 00 02 00 00 04 D2 00 00 10 00	DB	Database – Netscape Navigator (v4)
01 11 AF	FLI	Graphics – FLIC Animation File
00 1E 84 90 00 00 00 00	SNM	Netscape Communicator (v4) Mail Folder
00 5C 41 B1 FF	ENC	Mujahideen Secrets 2 Encrypted File
00 6E 1E F0                    (offset : 512 bytes)	PPT	PowerPoint Presentation SubHeader
01 00 00 00	EMF PIC	Extended(Enhanced) Windows Metafile Format Printer Spool File (0×18-17 & 0xC4-36 : Win2K/NT, 0x5C0-1 : WinXP) Spreadsheet Graph – Lotus 1-2-3
01 10	TR1	Novell LANalyzer Capture File
01 DA 01 01 00 03	RGB	Graphics – Silicon Graphics RGB Bitmap File
01 FF 02 04 03 02	DRW	Graphics – Micrografx Vector Graphics File
02 64 73 73 d   s  s	DSS	Graphics – Digital Speech Standard (Olympus, Grundig & Phillips)
02	DBF	Database – dBASE II
03	DBF DAT	Database – dBASE III Database – dBASE IV MapInfo Native Data Format
03 00 00 00	QPH	Quicken Price Histroy File
03 00 00 00 41 50 50 52 A  P  P  R	ADX	Approach Index File
04	DB4	Database – dBASE IV Data File
07	DRW	A common signature may drawing programs
07 64 74 32 64 64 74 64 d   t   2  d  d   t   d	DTD	DesignTools 2D Design File
08	DB	Database – dBASE IV Database – dBFast Configuration File
09 00 04 00 07 00 01 00	XLW	Spreadsheet – Excel BIFF2
09 02 06 00 00 00 01 00	XLW	Spreadsheet – Excel BIFF3
09 03 06 00 00 04 00 01	XLW	Spreadsheet – Excel BIFF4
0A nn 01 01	PCX	Graphics – ZSOFT Paintbrush (nn = 0×02, 0×03, 0×05)
0C ED	MP	Graphics – Monochrome Picture TIFF Bitmap File
0D 44 4F 43 D  O  C	DOC	DeskMate Document File
0E 57 4B 53 W  K  S	WKS	DeskMate Worksheet
0F 00 E8 03                     (offset : 512 bytes)	PPT	PowerPoint Presentation SubHeader (MS Office)
11 00 00 00 53 43 43 41 S  C  C  A	PF	Windows Prefetch File
1A 00 00	NTF	Database – Lotus Notes Template File
1A 00 00 04 00 00	NSF	Database - Lotus Notes File
1A 0x	ARC	Archive – LH Achive File, Old Version (x = 0×02, 0×03, 0×04, 0×08, 0×09)
1A 0B	PAK	Archive – PAK Archive File
1A 35 01 00 5	ETH	GN Nettest WinPharoah Capture File
1A 52 54 53 20 43 4F 4D R  T  S      C  O  M 50 52 45 53 53 45 44 20 P  R  E  S  S  E  D 49 4D 41 47 45 20 56 31 I   M  A  G  E     V   1 2E 30 1A .   0	DAT	Graphics – Runtime Software Disk Image File
1D 7D	WS	WordStar Version 5.0/6.0 Document File
1F 8B 08	GZ	Archive – GZIP Archive File
1F 9D 90	TAR.Z	Archive – Tape Archive File
21 12 !	AIN	Archive - AIN Archive File
21 3C 61 72 63 68 3E 0A !   <  a   r   c  h  >	LIB	Archive – Unix Archiver(ar) Files Microsoft Program Library Common Object File Format (COFF)
21 42 44 4E !  B  D  N	PST	Microsoft Outlook File
23 20 #	MSI	Cerius2 File
23 20 4D 69 63 72 6F 73 #       M  i   c   r  o   s 6F 66 74 20 44 65 76 65 o  f    t      D   e   v  e 6C 6F 70 65 72 20 53 74 l   o   p   e  r      S  t 75 64 69 6F u  d   i   o	DSP	Microsoft Developer Studio Project File
23 21 41 4D 52 #   !   A  M  R	AMR	Adaptive Multi-Rate ACELP Codec Format
24 46 4C 32 40 28 23 29 $   F  L   2  @  (  #   ) 20 53 50 53 53 20 44 41 S  P  S  S      D  A 54 41 20 46 49 4C 45 T  A       F   I  L  E	SAV	SPSS Data File
25 21 50 53 2D 41 64 6F %  !   P  S  -   A  d  o 62 65 2D b  e  -	EPS	Adobe Encapsulated PostScript File
25 50 44 46 % P  D  F	PDF FDF	Adobe Portable Document Format File Forms Document File
28 54 68 69 73 20 66 69 (  T  h   i   s      f    i 6C 65 20 6D 75 73 74 20 l    e     m  u  s  t 62 65 20 63 6F 6E 76 65 b  e       c  o  n   v   e 72 74 65 64 20 77 69 74 r   t   e   d      w  i   t 68 20 42 69 6E 48 65 78 h  B   i   n   H  e  x 20	HQX	Archive - Macintosh BinHex 4 Archive
2A 2A 2A 20 20 49 6E 73 *   *   *           I   n   s 74 61 6C 6C 61 74 69 6F t   a   l   l    a   t   i   o 6E 20 53 74 61 72 74 65 n     S   t   a   r   t   e 64 20 d	LOG	Symantec Wise Installer Log File
2D 6C 68 -   l    h                           (offset : 2 bytes)	LHA, LZH	Archive – Compressed Archive File
2E 52 45 43 R  E  C	IVR	RealPlayer Video File (v11 and later)
2E 72 61 FD 00 r   a	RA	RealMedia Streaming Media File
2E 52 4D 46 .   R  M  F	RM	Real Media File
2E 73 6E 64 .   s   n  d	AU	Sound – NeXt/Sun Audio Format
30 0	CAT	Microsoft Security Catalog File
30 00 00 00 4C 66 4C 65 0              L   f   L   e	EVT	Windows Event Viewer File
30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C	ASF, WMA, WMV	Microsoft Windows Media Audio/Video File (Advanced Streaming Format)
30 31 4F 52 44 4E 41 4E 0  1   O  R  D  N  A  N 43 45 20 53 55 52 56 45 C  E      S  U  R  V  E 59 20 20 20 20 20 20 20 Y	NTF	National Transfer Format Map File
31 BE 00 00 00 AB	DOC	Word processor – MS Word 4
3n BE 00 00 00 AB	WRI	Word processor – MS Write (n = 0×1, 0×2)
34 12	PIC	Graphics – PC Paint
37 7A BC AF 27 1C	7Z	Archive – 7-Zip Archive File
38 42 50 53 8  B  P  S	PSD	Graphics – Adobe Photoshop File
3A DE 68 B1	DCX	Graphics – CAS Fax Format
3C	ASX	Advanced Stream Redirector File
3C	XDR	BizTalk XML-Data Reduced Schema File
3C 21 64 6F 63 74 79 70 <    !   d  o  c   t   y   p	DCI	AOL HTML Mail File
3C 3F 78 6D 6C 20 76 65 <   ?   x  m   l        v  e 72 73 69 6F 6E 3D r   s  i   o   n  =	MANIFEST	Windows Visual Stylesheet XML File
3C 3F 78 6D 6C 20 76 65 <   ?   x  m   l        v  e 72 73 69 6F 6E 3D 22 31 r   s  i   o   n  =   “   1 2E 30 22 3F 3E .   0   “   ?   >	XUL	XML User Interface Language File
3C 3F 78 6D 6C 20 76 65 <   ?   x  m   l        v  e 72 73 69 6F 6E 3D 22 31 r   s  i   o   n  =   “   1 2E 30 22 3F 3E 0D 0A 3C .   0   “   ?   >           < 4D 4D 43 5F 43 6F 6E 73 M  M  C  _  C   o  n   s 6F 6C 65 46 69 6C 65 20 o   l   e  F   i   l   e 43 6F 6E 73 6F 6C 65 56 C   o  n   s  o   l   e   V 65 72 73 69 6F 6E 3D 22 e  r   s  i   o   n   =   “	MSC	Microsoft Management Console Snap-in Control File
3E 00 03 00 FE FF 09 00 06                                  (offset : 24 bytes)	WB3	Quatro Pro for Windows 7.0 Notebook File
3F 5F 03 00 ?  _	GID	Windows Help Index File
3F 5F 03 00 ?  _	HLP	Windows Help File
41 48 A  H	PAL, PIC	Graphics – Dr Halo Format
41 4C 5A 01 A  L   Z	ALZ	Archive – ESTsoft Alzip Archive File
40 40 40 20 00 00 40 40 @ @ @             @ @ 40 40 @ @	ENL	EndNote Library File
41 43 53 44 A  C  S  D		Miscellaneous AOL Parameter and Information File
41 4D 59 4F A  M  Y  O	SYW	Graphics – Hardvard Graphics Symbol Graphic
41 4F 4C 20 46 65 65 64 A  O  L       F   e   e  d 62 61 67 b  a  g	BAG	AOL and AIM Buddy List File
41 4F 4C 44 42 A  O   L  D  B	ABY, IDX	Database – AOL Database File (ABY, MAIN.IDX)
41 4F 4C 49 44 58 A  O  L    I   D  X	IND	AOL Client Preferences/Settings File (MAIN.IND)
41 4F 4C 49 4E 44 45 58 A  O  L    I   N  D  E  X	ABI	AOL Address Book Index File
41 56 47 36 5F 49 6E 74 A  V  G   6  _   I   n   t 65 67 72 69 74 79 5F 44 e  g  r   i    t   y  _  D 61 74 61 62 61 73 65 a  t   a   b  a  s  e	DAT	AVG6 Integrity Database File
41 56 49 20 4C 49 53 54 A  V   I       L   I   S  T		Audio/Video Interleaved File
41 4F 4C 56 4D 31 30 30 A  O  L   V  M   1  0  0		AOL Personal File Cabinet (PFC) File
41 72 43 01 A   r   C	ARC	Archive - FreeArc Archive File
42 45 47 49 4E 3A 56 43 B  E  G   I   N  :   V  C 41 52 44 0D 0A A  R  D	VCF	vCard File
42 4C 49 32 32 33 51 B   L   I   2   2  3  Q	BIN	Tomson Speedtouch Series WLAN Router Firmware File
42 4D B  M	BMP, DIB	Graphics – Windows Bitmap Format
42 4F 4F 4B 4D 4F 42 49 B  O  O  K  M  O  B   I	PRC	Palmpilot Resource File
42 5A 68 B  Z   h	BZ2, TAR, TBZ2, TB2	Archive – bzip2 Archive File
43 42 46 49 4C 45 C  B  F   I   L  E	CBD	WordPerfect Dictionary File
43 44 30 30 31 C  D   0   0  1	ISO	ISO-9660 CD Disc Image
43 4F 4D 2B C  O  M   +	CLB	COM+ Catalog File
43 52 45 47 C  R  E  G	DAT	Windows 9x Registry Files
43 52 55 53 48 20 76 C  R  U  S  H      v	CRU	Archive - Crush Archive File
43 54 4D 46 C  T  M  F	CMF	Sound – Creative Music Format
43 57 53 C  W  S	SWF	Shockwave Flash File (v5+)
43 61 74 61 6C 6F 67 20 C  a   t   a   l   o   g 33 2E 30 30 00 3   .   0   0	CTF	Wherelslt Catalog File
43 6C 69 65 6E 74 20 55 C   l    i   e   n   t      U 72 6C 43 61 63 68 65 20 r   l   C   a  c   h  e 4D 4D 46 20 56 65 72 20 M  M  F      V   e  r	DAT	IE History DAT File
43 72 65 61 74 69 76 65 C  r   e  a   t   i   v   e 20 56 6F 69 63 65 20 46 V  o   i   c   e      F 69 6C 65 1A i   l    e	VOC	Sound – Creative Voice Format
44 42 46 48 D  B  F  H	DB	Palm Zire Photo Database
44 4D 53 21 D  M  S  !	DMS	Archive - Amiga DiskMasher Archive File
44 4F 53 D  O  S	ADF	Amiga Disk File
44 61 6E 4D D  a   n  M	MSP	Graphics – Windows Paint
45 4E 54 52 59 56 43 44 E  N  T  R  Y  V  C  D 02 00 00 01 02 00 18 58 X	VCD	Video VCD (GNU VCDImager) File
45 54 46 53 53 41 56 45 E  R  F  S  S  A  V  E 44 41 54 41 46 49 4C 45 D  A  T  A  F   I   L  E	DAT	Kroll EasyRecovery Saved Recovery State File
45 56 46 E  V  F	Enn (nn = number)	EnCase Evidence File
45 59 45 53 E  Y  E  S	CE1, CE2	Graphics – ComputerEyes Format
46 4F 52 4D F  O  R  M	LBM	Graphics – Interchange File Format
46 41 58 43 4F 56 F  A  X  C  O  V 45 52 2D 56 45 52 E  R   -  V  E  R	CPE	Microsoft Fax Cover Sheet
46 45 44 46 F  E  D  F	SBV	Unkown File Type
46 4C 56	SWF	Flash Video File
46 4F 52 4D 00	AIFF	Audio – Audio Interchange File
46 57 53 F  W  S	SWF	Shockwave Flash File
46 72 6F 6D 20 20 20 F  H  o  m                      or 46 72 6F 6D 20 3F 3F 3F F  H  o  m      ?   ?   ?     or 46 72 6F 6D 3A 20 F  H  o  m   :	EML	A common File Extension for E-mail File
47 46 31 50 41 54 43 48 G  F   1  P  A  T  C  H	PAT	Advanced Gravis Ultrasound Patch File
47 49 46 38 37 61 G  I   F   8   7  a	GIF	Graphics – Graphics Interchange Format
47 49 46 38 39 61 G  I   F   8   9  a	GIF	Graphics – Graphics Interchange Format
47 50 41 54 G  P  A  T	PAT	GIMP (GNU Image Manipulation Program) Pattern File
47 58 32 G  X  2	GX2	Graphics – Show Partner Graphics File
48 48 47 42 31 H  H  G  B  1	SH3	Harvard Graphics Presentation File
49 49 2A I   I   *	TIF, TIFF	Graphics – Tagged Image File Format File (Little Endian)
4D 4D 2A M  M   *	TIF, TIFF	Graphics – Tag Image File Format (Big Endian)
49 42 4B 1A I  B  K	IBK	Sound – Soundblaster Instrument Bank
49 44 33 I   D  3	MP3	Sound – MPEG-1 Audio Layer 3 (MP3) Audio File
49 4D 44 43 I  M  D  C	IC1, IC2, IC3	Graphics – Atari Imagic Film Format
49 53 63 28 I   S  c  (	CAB	Archive - Install Shield (v5+) Archive File
49 54 53 46 I  T  S  F	CHM	Microsoft HTML Help Compiled File
49 6E 6E 6F 20 53 65 74 I   n   n   o      S  e  t 75 70 20 55 6E 69 6E 73 u   p     U  n   i   n  s 74 61 6C 6C 20 4C 6F 67 t   a   l   l        L   o   g 20 28 62 29 (  b   )	DAT	Inno Setup Uninstall Log File
4A 41 52 43 53 00 J  A  R  C  S	JAR	Archive - JARCS Archive File
4A 47 0n 0E 00 00 00	ART	AOL ART File (n = 0×3, 0×4)
4C 00 00 00 L	LNK	Microsoft Windows Shortcut File
4C 01 L	OBJ	Microsoft Common Object File Format (COFF) Relocatable Object Code File
4C 4E 02 00 L  N	HLP	Windows Help File
4C 69 6E 53 L   i   n  S	MSP	Graphics – Windows 3.x Paint
4D 47 43 M  G  C	CRD	Database – Windows 3.x Card File
4D 49 4C 45 53 M   I  L   E  S	MLS	Mailestones v1.0 Project Management and Scheduling Software (Also see “MV2C”, “MV214″)
4D 4C 53 57 M  L   S  W	MLS	Skype Localization Data File
4D 4D 00 2A M  M      *	TIF, TIFF	Graphics –  Big Tagged Image File Format (TIFF) (big endian)
4D 4D 00 2B M  M      +	TIF, TIFF	Graphics –  Big Tagged Image File Format (TIFF) File ( > 4GB)
4D 4D 4D 44 00 00 M  M  M  D	MMF	Yamaha Cynthetic Music Mobile Application Format (SMAF)
4D 53 43 46 M  S  C  F	CAB PPZ SNP	Microsoft Cabinet File Powerpoint Presentation Package Microsoft Access Snapshot Viewer File
4D 53 46 54 02 00 01 00 M  S  F  T	TLB	OLE, SPSS, Visual C++ Type Library File
4D 53 5F 56 4F 49 43 45 M  S  _   V  O   I  C  E	CDR, DVF, MSV	Sound – Sony Compressed Voice File Sound – Sony Memory Stick Compressed Voice File
4D 54 68 64 M  T   h  d	MID, MIDI	Sound – Standard Musical Instrument Digital Interface (MIDI) Format
4D 56 M  V	DSN	CD Stomper Pro Label File
4D 56 32 31 34 M  V   2   1  4	MLS	Milestones v2.1b Project Management and Scheduling Software (Also see “MILES”, “MV2C”)
4D 56 32 43 M  V   2  C	MLS	Milestones v2.1a Project Management and Scheduling Software (Also see “MILES”, “MV214″)
4D 5A M  Z	COM, DLL, DRV EXE, PIF, QTS QTX, SYS ACM, AX, CPL, FON, OCX, OLB, SCR, VBX, VXD	Windows/DOS Executable File MS Audio Compression Manage Driver Library Cache File Control Panel Application Font File ActiveX or OLE Custom Control OLE Object Library Screen Saver Visual Basic Application Windows Virtual Device Drivers
4D 5A 90 00 03 00 00 00 M  Z	API, AX, FLT	Acrobat Plug-in DirectShow Filter Adobe Audition Graphic Filter File
4D 5A 90 00 03 00 00 00 M  Z 04 00 00 00 FF FF	ZAP	ZoneAlam Data File
4D 69 63 72 6F 73 6F 66 M   i   c  r   o   s  o   f 74 20 56 69 73 75 61 6C t       V  i   s  u   a  l 20 53 74 75 64 69 6F 20 S   t   u   d  i   o 53 6F 6C 75 74 69 6F 6E S   o  l   u   t   i   o   n 20 46 69 6C 65 F   i   l   e	SLN	Visual Studio .NET Solution File
4D 69 63 72 6F 73 6F 66 M   i   c  r   o   s  o   f 74 20 57 69 6E 64 6F 77 t      W  i   n   d  o  w 73 20 4D 65 64 69 61 20 s      M  e  d   i  a 50 6C 61 79 65 72 20 2D P   l   a   y  e  r       - 2D 20 -                                    (offset : 84 bytes)	WPL	Windows Media Player Playlist
4E 41 56 54 52 41 46 46 N  A  V  T   R  A  F  F 49 43 I  C	DAT	TomTom Traffice Data File
4E 45 53 4D 1A 01 N  E  S  M	NFS	Sound – NES Sound File
4E 49 54 46 30 N   I  T  F   0	NTF	National Imagery Transmission Format (NIFF) File
4E 61 6D 65 3A 20 N  a  m  e   :	COD	Agent NewsReader Character Map File
4F 50 4C 44 61 74 61 62 O  P  L  D  a   t   a   b 61 73 65 46 69 6C 65 a  s  e  F   i   l   e	DBF	Psion Series 3 Database File
4F 67 67 53 00 02 00 00 O  g  g  s 00 00 00 00 00 00	OGA, OGG, OGV, OGX	Ogg Vorbis Codec Compressed Multimedia File
4F 7B O  {	DW4	Visio/DisplayWrite 4 Test File
50 00 00 00 20 00 00 00 P	IDX	Quicken QuickFinder Information File
50 35 0A P  5	PGM	Graphics – Portable Graymap Graphic
50 41 43 4B P  A  C  K	PAK	Archive - Quake Archive File
50 45 53 54 P  E  S  T	DAT	PestPatrol Data/Scan Strings
50 49 43 54 00 08 P  I  C  T	IMG	Graphics –  ADEX ChromaGraph Graphics Card Bitmap Graphics File
50 4B 03 04 P  K	ZIP, DOCX, PPTX, XLSX, JAR, SXC, SXD, SXI, SXW WMZ, XPI, XPT	Archive – Pkzip Archive File Microsoft Office Open XML Format Document Java Archive Package OpenOffice Spreadsheet, Drawing, Presentation Windows Media Compressed Skin File Mozila Browser Archive eXact Packager Models
50 4B 03 04 14 00 06 00 P  K	DOCX, PPTX, XLSX	Microsoft Office Open XML Format Document
50 4B 03 04 14 00 08 00 P  K	JAR	Java Archive
50 4B 4C 49 54 45 P  K  L   I  T  E               (offset : 30 bytes)	ZIP	Archive - PKLITE ZIP Archive (see also PKZIP)
50 4B 53 70 58 P  K  S  F  X                   (offset : 526 bytes)	ZIP	Archive – PKSFX Self-Extracting Executable Compressed File (see also PKZIP)
50 4D 43 43 P  M  C  C	GRP	Windows Program Manager Group File
50 4E 43 49 55 4E 44 4F P  N  C   I  U  N  D	DAT	Noton Disk Doctor Undo File
50 C3	CLP	Windows 3.x Clipboard
51 45 4C 20 Q  E  L  (offset : 92 bytes)	QEL	Quicken Data File
51 46 49 FB Q  F  I	IMG	QEMU Qcow Disk Image
51 57 20 56 65 72 2E 20 Q  W      V   e  r	ABD, QSD	Quicken Data File
52 41 5A 41 54 44 42 31 R  A  Z  A  T  D  B  1	DAT	Shareaza (Windows P2P Client) Thumbnail
52 45 47 45 44 49 54 R  E  G  E  D  I  T	REG, SUD	Windows NT Registry and Registry Undo Files
52 45 56 4E 55 4D 3A 2C R  E  V  N  U  M   :   ,	ADF	Antenna Data File
52 49  46  46 R   I   F   F	ANI DAT DS4	Windows Animated Cursof Video CD MPEG or MPEG1 Movie File Micrografx Designer v4 Graphic File
52 49 46 46 xx xx xx xx R  I  F  F 41 56 49 20 4C 49 53 54 A  V   I       L   I  S  T	AVI	Resource Interchange File Format - Windows Audio Video Interleave File
52 49 46 46 xx xx xx xx R   I   F  F 43 44 44 41 66 6D 74 20 C  D  D  A   f   m  t	CDA	Resource Interchange File Format - Compact Disc Digital Audio (CD-DA) File
52 49 46 46 xx xx xx xx R   I   F  F 51 4C 43 4D 66 6D 74 20 Q  L  C  M  f  m  t	QCP	Resource Interchange File Format - Qualcomm PureVoice
52 49 46 46 xx xx xx xx R   I   F  F 52 4D 49 44 64 61 74 61 R  M   I  D   d  a   t   a	RMI	Resource Interchange File Format - Windows Musical Instrument Digital Interface File
52 49 46 46 xx xx xx xx R   I   F  F 57 41 56 45 66 6D 74 20 W  A  V  E  f  m  t	WAV	Resource Interchange File Format - Audio for Windows File
52 54 53 53 R  T  S  S	CAP	Windows NT Netmon Capture File
52 61 72 21 1A 07 00 R  a  r  !	RAR	Archive – WinRAR Compressed Archive File
53 42 49 1A S  B   I	SBI	Soundblaster Instrument Format
53 43 48 6C S  C  H  l	AST	Audio – Need for Speed : Undergraound Audio File
53 43 4D 49 S  C  M  I	IMG	Img Software Set Bitmap File
53 48 4F 57 S  H  O  W	SHW	Harvard Graphics DOC v2/x Presentation File
53 49 45 54 52 4F 4F 49 S  I  E  T  R  O  N  I 43 53 20 58 52 44 20 53 C  S      X  R  D      S 43 41 4E C  A  N	CPI	Sietronics CPI XRD Document File
53 49 54 21 00 S   I   T  !	SIT	Archive – Stufflt Compressed Archive File
53 4D 41 52 54 44 52 57 S  M  A  R  T  D  R  W	SDR	SmartDraw Drawing File
53 51 4C 4F 43 4F 4E 56 S  Q  L  O  C  O  N  V 48 44 00 00 31 2E 30 00 H  D           1   .   0	CNV	DB2 Conversion File
53 6D 62 6C S  m  b  l	SYM	Harvard Graphics v2.x Graphics Symbol Windows SDK Graphics Symbol
53 74 75 66 66 49 74 20 S   t   u   f   f   I   t 28 63 29 31 39 39 37 2D (  c  )   1   9   9   7   -	SIT	Archive – Stufflt Compressed Archive File
54 43 53 4F 00 04 00 00 00 00 T  C  S  O                          (offset : 6 bytes)	SOL	Local Shared Object(LSO) File
54 68 69 73 20 69 73 20 T   h   i   s      i   s	INFO	UNIX GNU Info Reader File
55 43 45 58 U  C  E  X	UCE	Unicode Extensions
55 46 41 C6 D2 C1 U  F  A	UFA	Archive – UFA Compressed Archive File
55 46 4F 4F 72 62 69 74 U  F  O  O   r   b   i   t	DAT	UFO Capture v2 Map File
56 43 50 43 48 30 V  C  P  C  H  0	PCH	Visual C PreCompiled Header File
56 44 56 49 V  D  V   I	AVS	Intel Digital Video Interface
56 45 52 53 49 4F 4E 20 V  E  R  S   I   O  N	CTL	Visual Basic User-Defined Control File
57 4D 4D 50 W  M  M  P	DAT	Walkman MP3 Container File
57 53 32 30 30 30 W  S  2   0   0   0	WS2	WordStar for Windows v2 Document File
57 69 6E 5A 69 70 W  i  n  Z  i  p             (offset : 29, 152 bytes)	ZIP	Archive – WinZip Compressed Archive File
58 43 50 00 X  C  P	CAP	Cinco NetXRay, Network General Sniffer, and Network Associates Sniffer Capture File
58 50 43 4F 4D 0A 54 79 X  P  C  O  M      T  y 70 65 4C 69 62 p  e  L  i  b	XPT	XPCOM Type Libraries for The XPIDL Compiler
58 54 X  T	BDR	MS Publisher Border
59 A6 6A 95	RAS	SUN Raster Format
5A 4F 4F 20 Z  O  O	ZOO	Archive – ZOO Compressed Archive File
5B 47 65 6E 65 72 61 6C [  G   e   n   e   r   a   l 5D 0D 0A 44 69 73 70 6C ]           D   i   s   p   l 61 79 20 4E 61 6D 65 3D a   y     N  a  m   e  = 3C 44 69 73 70 6C 61 79 <  D   i   s  p   l   a   y 4E 61 6D 65 N  a  m  e	ECF	Microsoft Exchange 2007 Extended Configuration File
5B 4D 53 56 43 [  M  S  V  C	VCW	Microsoft Visual C++ Workbench Information File
5B 50 68 6F 6E 65 5D [  P   h   o   n   e  ]	DUN	Dial-Up Networking File
5B 56 45 52 5D 0D 0A 09 [  V  E  R  ]	SAM	AMU Pro Document
5B 76 65 72 0D 0A 09 [  v  e  r  ]	SAM	AMU Pro Document
5B 56 65 72 73 69 6F 6E [  V  e   r   s   i   o  n  ]    (offset : 2 bytes)	CIF	Unknown File Type
5B 57 69 6E 64 6F 77 73 [  W   i   n   d   o  w   s 20 4C 61 74 69 6E 20 L   a   t   i   n	CPX	Microsoft Code Page Translation File
5B 66 6C 74 73 69 6D 2E [   f    l   t   s   i   m 30 5D 0   ]	CFG	Flight Simulator Aircraft Configuration File
5F 43 41 53 45 5F _  C  A  S  E  _	CAS, CBK	EnCase v3 Case File EnCase v4, 5, 6 use OLE 2 Container File
60 EA	ARJ	Archive – ARJ Compressed Archive File
62 65 67 69 6E b  e  g  i  n		UUencoded File
63 75 73 68 00 00 00 02 c  u  s  h 00 00 00	CSH	Photoshop Custom Shape
64 00 00 00 d	P10	Intel PROset/Wireless Profile
64 73 77 66 69 6C 65 d  s  w  f   i   l   e	DSW	Microsoft Visual Studio Workspace File
66 4C 61 43 00 00 00 22 f   L  a  C              “	FLAC	Free Lossless Audio Codec File
6C 33 33 6C l   3   3   l	DBB	Skype User Data File
6D 6F 6F 76 m  o   o   v      or             (offset : 4 bytes) 66 72 65 65 f   r   e   e       or              (offset : 4 bytes) 6D 64 61 74 m  d   a   t      or              (offset : 4 bytes) 77 69 64 65 w  i   d   e      or               (offset : 4 bytes)	MOV	Apple QuickTime Movie File
72 65 67 66 r   e  g   f	DAT	Windows Registry Hive File
72 74 73 70 3A 2F 2F r   t   s   p   :   /   /	RAM	RealMedia Metafile
73 6C 68 21 s   l   h   !    or 73 6C 68 2E s   l   h   .	DAT	Allegro Generic Packfile Data File (0×21 = Compressed,  0x2E = Uncompressed )
73 72 63 64 6F 63 69 64 s   r   c   d  o  c  i   d 3A :	CAL	Graphics - CALS Raster Bitmap File
73 7A 65 7A s   z   e   z	PDB	PowerBASIC Debugger Symbols File
74 42 4D 50 4B 6E 57 72 t   B  M  P  K  n   W  r       (offset : 60 bytes)	PRC	PathWay Map File (used GPS devices)
75 73 74 61 72 u   s   t   a   r                   (offset : 257 bytes)	TAR	Archive – Tape Archive File
76 32 30 30 33 2E 31 30 v   2   0   0   3   .  1  0 0D 0A 30 0D 0A 0	FLT	Qimage Filter
78 x	DMG	Mac OS X Disk Copy Disk Image File
7A 62 65 78 z   b   e   x	INFO	ZoomBowser Image Index File (ZbThumbnal.info)
7B 0D 0A 6F 20 {            o	LGC, LGD	Windows Application Log File
7B	DBF	Database - dBASE IV
7B 5C 72 74 66 31 {     r   t   f   1	RTF	Word processor – Rich Text Format
7E 42 4B 00 ~  B  K	PSP	Graphics – Corel Paint Shop Pro Image File
7F 45 4C 46 E  L  F		Linux/Unix – Executable and Linking Format
80	OBJ	Relocatable Object Code
80 00 00 20 03 12 04	ADX	Dreamcase Audio File
81 CD AB	WPF	Word processor – WordPerfect Test File
83	DBF	Database – dBASE III
83	DBF	Database – dBASE IV
83	DBF	Database –  FoxPro
8B	DBF	Database – FoxPro
89 50 4E 47 0D 0A 1A 0A P  N  G	PNG	Graphics – Portable Network Graphics File
8A 01 09 00 00 00 E1 08 00 00 99 19	AW	MS Answer Wizard File
91 33 48 46	HAP	Archive – Hamarsoft HAP 3.x Compressed Archive
95 01	SKR	PGP Secret Key Ring
99 00	PKR	PGP Public Key Ring
99 01	PKR	PGP Public Key Ring
9B A5	DOC	Word processor – Winword 1.0
9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4	WAB	Outlook Address File
A0 46 1D F0                     (offset : 512 bytes)	PPT	PowerPoint Presentation SubHeader
A1 B2 C3 D4		tcpdump (libpcap) Capture File
A1 B2 CD 34		Extended tcpdump (libpcap) Capture File
A9 0D 00 00 00 00 00 00	DAT	Access Data FTK Evidence File
AC 9E BD 8F 00 00	QDF	Quicken Data File
B1 68 DE 3A	DCX	Graphics Multipage PCX Bitmap File
B5 A2 B0 B3 B3 B0 A2 B5	CAL	Windows 3.x Calendar
BA BE EB EA	ANI	NEOchrome Animation File
BE 00 00 00 AB 00 00 00 00 00 00 00 00	WRI	Microsoft Wirte File
C3 AB CD AB	ACS	Microsoft Agent Character File
C5 D0 D3 C6	EPS	Adobe Encapsulated PostScript File
C8 00 79 00	LBK	Jeppesen FiteLog File
CA FE BA BE	CLASS	Java Bytecode File
CD 20 AA AA 02 00 00 00		Norton Anti-Virus Quarantined Virus File
CF 11 E0 A1 B1 1A E1 00	DOC	Word processor – Perfect Office Document File
CF AD 12 FE	DBX	Microsoft Outlook Express E-mail File
D0 CF 11 E0 A1 B1 1A E1	HWP DOC, DOT, PPS PPT, XLA, XLS WIZ AC_ ADP APR DB MSC MSI MTW OPT PUB SOU SPO VSD WPS	HAANSOFT Compound Document File Microsoft Office Compound Document File CaseWare Working Papers Compressed Client File Access Project File Lotus/IBM Approach 97 File MSWorks Database File Microsoft Common Console Documet File Microsoft Installer Package Minitab Data File Developer Studio File Workspace Options File Microsoft Publisher File Visual Studio Solution User Options File SPSS Output File Visio File MSWorks Text Document File
D2 0A 00 00	FTR	GN Nettest WinPharoah Filter File
D4 2A	ARL, AUT	AOL History (ARL) and Typed URL (AUT) Files
D4 C3 B2 A1		WinDump (Winpcap) Capture File
D7 CD C6 9A	WMF	Graphics – Windows Metafile Format
DB A5	DOC	Word processor - Winword 2.0
DC DC	CPL	Corel Color Palette File
DC FE	EFX	eFax File Format
E3 10 00 01 00 00 00 00	INFO	Amiga Icon File
E3 82 85 96	PWL	Windows Password File
E8  or E9  or EB  or	COM, SYS	Windows Executable File
EB 3C 90 2A	IMG	GEM Raster File
EC A5 C1 00                   (offset : 512 bytes)	DOC	Word Document SubHeader
ED AB EE DB	RPM	RedHat Package Manager File
EF BB BF		Byte-order Mark for 8-bit Unicode Transformation Format (UTF-8) File
F5	DBF	FoxPro Database
FD FF FF FF 04                 (offset : 512 bytes)	SUO	Visual Studio Solution User Options SubHeader
FD FF FF FF nn 00 00 00    (offset : 512 bytes)	PPT	PowerPoint Presentation SubHeader (nn = 0x0E, 0x1C, 0×43)
FD FF FF FF nn 00   or      (offset : 512 bytes) FD FF FF FF nn 02            (offset : 512 bytes)	XLS	Excel Spreadsheet SubHeader (nn = 0×10, 0x1F, 0×22, 0×23, 0×28, 0×29)
FD FF FF FF 20 00 00 00    (offset : 512 bytes)	OPT XLS	Developer Studio File Workspace Options SubHeader Excel Spreadsheet SubHeader
FD FF FF FF xx xx xx xx xx xx xx xx 04 00 00 00    (offset : 512 bytes)	DB	Thumbs.db SubHeader
FE DB   or FE DC	SEQ	Cyber Paint
FE FF		Byte-order mark for 16-bit Unicode Transformation Format/2-octet Universal Character Set (UTF-16/UCS-2)
FF	SYS	Windows Executable Format File
FF 00 02 00 04 04 05 54 02 00	WKS	Windows Spreadsheet Work File
EF 46 4F 4E 54 F  O  N  T	CPI	Windows International Code Page
FF 4B 45 59 42 20 20 20 K  E  Y  B	SYS	Keyboard Driver File
FF 57 50 43 W  P  C	WP, WPD, WPG WP5	Word processor – WordPerfect Document and Graphic File
FF D8 FF E0 xx xx 4A 46 J  F 49 46 I   F	JPG	Graphics – JPEG/JFIF Format
FF D8 FF E1 xx xx 45 78 E  x 69 66 i   f	JPG	Graphics – JPEG/Exif Format – Digital Camera Exchangeable Image File Format (EXIF)
FF FF	GEM	GEM Metafile Format
FF D8 FF E8 xx xx 53 50 S  P 49 46 46 00 I  F  F	JPG	Graphics – Still Picture Interchange File Format (SPIFF)

 
Forensic Computing – A Practitioner’s Guide

http://www.garykessler.net/library/file_sigs.html

http://www.astro.keele.ac.uk/oldusers/rno/Computing/File_magic.html

http://en.wikipedia.org/wiki/Magic_number_(programming)

 

 

 

 

 

 

 

 

 

---

http://www.garykessler.net/library/file_sigs.html

FILE SIGNATURES TABLE

21 October 2012

 

This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.

This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know to what a particular file extension refers, check out some of these sites:

• File Extension Seeker: Metasearch engine for file extensions
• FILExt.com
• FileInfo.com
• Wotsit.org, The Programmer's File and Data Resource
• DOT.WHAT?
• File-Extensions.org

Some useful additional information:

• Check out Tim Coakley's Filesig.co.uk site, with Filesig Manager and Simple Carver.

• See Marco Pontello's TrID - File Identifier, a utility designed to identify file types from their binary signatures.

• My software utility page contains a custom signature file based upon this list, for use with FTK, Scalpel, Simple Carver, and Simple Carver Lite.

• Additional details on graphics file formats can be found at The Graphics File Formats Page and the Sustainability of Digital Formats Planning for Library of Congress Collections site.

• Additional details on audio and video file formats can also be found at the Sustainability of Digital Formats Planning for Library of Congress Collections site.

---

ACKNOWLEDGEMENTS

---

Hex Signature		ASCII Signature
File Extension		File Description
TGA		Truevision Targa Graphic file Trailer: 54 52 55 45 56 49 53 49   TRUEVISI 4F 4E 2D 58 46 49 4C 45   ON-XFILE 2E 00                     ..
00		.
PIC		IBM Storyboard bitmap file
MOV		Apple QuickTime movie file
PIF		Windows Program Information File
SEA		Mac Stuffit Self-Extracting Archive
YTR		IRIS OCR data file
[11 byte offset] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00		[11 byte offset] ........ ........ ........
PDB		Palmpilot Database/Document File
[512 byte offset] 00 00 00 00 00 00 00 00		[512 byte offset] ........
RVT		Revit Project File subheader
00 00 00 0C 6A 50 20 20 0D 0A		....jP ..
JP2		Various JPEG-2000 image file formats
00 00 00 nn 66 74 79 70 33 67 70		....ftyp 3gp
3GG, 3GP, 3G2		3rd Generation Partnership Project 3GPP (nn=0x14) and 3GPP2 (nn=0x20) multimedia files
00 00 00 14 66 74 79 70 69 73 6F 6D		....ftyp isom
MP4		ISO Base Media file (MPEG-4) v1
00 00 00 14 66 74 79 70 71 74 20 20		....ftyp qt
MOV		QuickTime movie file
00 00 00 18 66 74 79 70 33 67 70 35		....ftyp 3gp5
MP4		MPEG-4 video files
00 00 00 18 66 74 79 70 6D 70 34 32		....ftyp mp42
M4V		MPEG-4 video/QuickTime file
00 00 00 1C 66 74 79 70 4D 53 4E 56 01 29 00 46 4D 53 4E 56 6D 70 34 32		....ftyp MSNV.).F MSNVmp42
MP4		MPEG-4 video file
00 00 00 20 66 74 79 70 4D 34 41 20		... ftyp M4A
M4A		Apple Lossless Audio Codec file
00 00 01 00		....
ICO		Windows icon file
SPL		Windows NT/2000/XP printer spool file
00 00 01 Bx		....
MPEG, MPG		MPEG video file Trailer: 00 00 01 B7 (...·)
00 00 01 BA		....º
MPG, VOB		DVD Video Movie File (video/dvd, video/mpeg) or DVD MPEG2 Trailer: 00 00 01 B9 (...¹)
00 00 02 00		......
CUR		Windows cursor file
WB2		QuattroPro for Windows Spreadsheet file
00 00 02 00 06 04 06 00 08 00 00 00 00 00		........ ......
WK1		Lotus 1-2-3 spreadsheet (v1) file
00 00 1A 00 00 10 04 00 00 00 00 00		........ ....
WK3		Lotus 1-2-3 spreadsheet (v3) file
00 00 1A 00 02 10 04 00 00 00 00 00		........ ....
WK4, WK5		Lotus 1-2-3 spreadsheet (v4, v5) file
00 00 1A 00 05 10 04		.......
123		Lotus 1-2-3 spreadsheet (v9) file
00 00 49 49 58 50 52 or		..IIXPR
00 00 4D 4D 58 50 52		..MMXPR
QXD		Quark Express document (Intel & Motorola, respectively) NOTE: It appears that the byte following the 0x52 ("R") is the language indicator; 0x33 ("3") seems to indicate English and 0x61 ("a") reportedly indicates Korean.
00 00 FE FF		..þÿ
n/a		Byte-order mark for 32-bit Unicode Transformation Format/ 4-octet Universal Character Set (UTF-32/UCS-4), big-endian files. (See the Unicode Home Page.)
[6 byte offset] 00 00 FF FF FF FF		[6 byte offset] ..ÿÿÿÿ
HLP		Windows Help file
00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65		....MSIS AM Datab ase
MNY		Microsoft Money file
00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42		....Stan dard ACE  DB
ACCDB		Microsoft Access 2007 file
00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42		....Stan dard Jet  DB
MDB		Microsoft Access file
00 01 00 08 00 01 00 01 01		........ .
IMG		Ventura Publisher/GEM VDI Image Format Bitmap file
00 01 01		...
FLT		OpenFlight 3D file
00 01 42 41		..BA
ABA		Palm Address Book Archive file
00 01 42 44		..BD
DBA		Palm DateBook Archive file
00 06 15 61 00 00 00 02 00 00 04 D2 00 00 10 00		...a.... ...Ò....
DB		Netscape Navigator (v4) database file
00 11 AF		..¯
FLI		FLIC Animation file
00 14 00 00 01 02 xx xx 03		........ .
n/a		BIOS details in RAM images
00 1E 84 90 00 00 00 00		..„.....
SNM		Netscape Communicator (v4) mail folder
00 5C 41 B1 FF		.\A±ÿ
ENC		Mujahideen Secrets 2 encrypted file
00 BF		.¿
SOL		Adobe Flash shared object file (e.g., Flash cookies)
[512 byte offset] 00 6E 1E F0		[512 byte offset] .n.ð
PPT		PowerPoint presentation subheader (MS Office)
00 FF FF FF FF FF FF FF FF FF FF 00 00 02 00 01		.ÿÿÿÿÿÿÿ ÿÿÿ.....
MDF		Alcohol 120% CD image
01 00 00 00		....
EMF		Extended (Enhanced) Windows Metafile Format, printer spool file (0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP)
01 00 00 00 01		.....
PIC		Unknown type picture file
01 00 09 00 00 03		......
WMF		Windows Metadata file (Win 3.x format)
01 00 39 30		..90
FDB, GDB		Firebird and Interbase database files, respectively. See IBPhoenix for more information.
01 0F 00 00		....
MDF		Microsoft SQL Server 2000 database
01 10		..
TR1		Novell LANalyzer capture file
01 DA 01 01 00 03		.Ú....
RGB		Silicon Graphics RGB Bitmap
01 FF 02 04 03 02		.ÿ....
DRW		Micrografx vector graphic file
02 64 73 73		.dss
DSS		Digital Speech Standard (Olympus, Grundig, & Phillips)
03		.
DAT		MapInfo Native Data Format
DB3		dBASE III file
03 00 00 00		....
QPH		Quicken price history file
03 00 00 00 41 50 50 52		....APPR
ADX		Approach index file
04		.
DB4		dBASE IV data file
04 00 00 00 xx xx xx xx xx xx xx xx 20 03 00 00 or		........ .... ...
05 00 00 00 xx xx xx xx xx xx xx xx 20 03 00 00		........ .... ...
n/a		INFO2 Windows recycle bin file. NOTE: Bytes 12-13 indicate the size of each INFO2 record; the most common value is 0x02-03 (0x0320 = 800 bytes).
07		.
DRW		A common signature and file extension for many drawing programs.
07 53 4B 46		.SKF
SKF		SkinCrafter skin file
07 64 74 32 64 64 74 64		.dt2ddtd
DTD		DesignTools 2D Design file
08		.
DB		dBASE IV or dBFast configuration file
[512 byte offset] 09 08 10 00 00 06 05 00		[512 byte offset] ........
XLS		Excel spreadsheet subheader (MS Office)
0A nn 01 01		....
PCX		ZSOFT Paintbrush file (where nn = 0x02, 0x03, or 0x05)
0C ED		.í
MP		Monochrome Picture TIFF bitmap file (unconfirmed)
0D 44 4F 43		.DOC
DOC		DeskMate Document file
0E 4E 65 72 6F 49 53 4F		.NeroISO
NRI		Nero CD Compilation
0E 57 4B 53		.WKS
WKS		DeskMate Worksheet
[512 byte offset] 0F 00 E8 03		[512 byte offset] ..è.
PPT		PowerPoint presentation subheader (MS Office)
11 00 00 00 53 43 43 41		....SCCA
PF		Windows prefetch file
1A 00 00		...
NTF		Lotus Notes database template
1A 00 00 04 00 00		......
NSF		Lotus Notes database
1A 0x		..
ARC		LH archive file, old version (where x = 0x2, 0x3, 0x4, 0x8 or 0x9 for types 1-5, respectively)
1A 0B		..
PAK		Compressed archive file (often associated with Quake Engine games)
1A 35 01 00		.5..
ETH		GN Nettest WinPharoah capture file
1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61		.Eߣ“B‚ˆ matroska
MKV		Matroska stream file
1A 52 54 53 20 43 4F 4D 50 52 45 53 53 45 44 20 49 4D 41 47 45 20 56 31 2E 30 1A		.RTS COM PRESSED IMAGE V1 .0.
DAT		Runtime Software disk image
1D 7D		.}
WS		WordStar Version 5.0/6.0 document
1F 8B 08		.‹.
GZ, TGZ		GZIP archive file
1F 9D		..
TAR.Z		Compressed tape archive file using standard (Lempel-Ziv-Welch) compression
1F A0		.
TAR.Z		Compressed tape archive file using LZH (Lempel-Ziv-Huffman) compression
21		!
BSB		MapInfo Sea Chart
21 12		!.
AIN		AIN Compressed Archive
21 3C 61 72 63 68 3E 0A		!<arch>.
LIB		Unix archiver (ar) files and Microsoft Program Library Common Object File Format (COFF)
21 42 44 4E		!BDN
PST		Microsoft Outlook Personal Folder File
23 20		#
MSI		Cerius2 file
23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F		# Disk D escripto
VMDK		VMware 4 Virtual Disk description file (split disk)
23 20 4D 69 63 72 6F 73 6F 66 74 20 44 65 76 65 6C 6F 70 65 72 20 53 74 75 64 69 6F		# Micros oft Deve loper St udio
DSP		Microsoft Developer Studio project file
23 21 41 4D 52		#!AMR
AMR		Adaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction) Codec, commonly audio format with GSM cell phones. (See RFC 4867.)
23 3F 52 41 44 49 41 4E 43 45 0A		#?RADIAN CE.
HDR		Radiance High Dynamic Range image file
24 46 4C 32 40 28 23 29 20 53 50 53 53 20 44 41 54 41 20 46 49 4C 45		$FL2@(#)  SPSS DA TA FILE
SAV		SPSS Data file
25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30		%!PS-Ado be-3.0 E PSF-3.0
EPS		Adobe encapsulated PostScript file (If this signature is not at the immediate beginning of the file, it will occur early in the file, commonly at byte offset 30)
25 50 44 46		%PDF
PDF, FDF		Adobe Portable Document Format and Forms Document file Trailers: 0A 25 25 45 4F 46 (.%%EOF) 0A 25 25 45 4F 46 0A (.%%EOF.) 0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..) 0D 25 25 45 4F 46 0D (.%%EOF.) NOTE: There may be multiple end-of-file marks within the file. When carving, be sure to get the last one.
28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20		(This fi le must be conve rted wit h BinHex
HQX		Macintosh BinHex 4 Compressed Archive
2A 2A 2A 20 20 49 6E 73 74 61 6C 6C 61 74 69 6F 6E 20 53 74 61 72 74 65 64 20		***  Ins tallatio n Starte d
LOG		Symantec Wise Installer log file
[2 byte offset] 2D 6C 68		[2 byte offset] -lh
LHA, LZH		Compressed archive file
2E 52 45 43		.REC
IVR		RealPlayer video file (V11 and later)
2E 52 4D 46		.RMF
RM, RMVB		RealMedia streaming media file
2E 52 4D 46 00 00 00 12 00		.RMF.... .
RA		RealAudio file
2E 72 61 FD 00		.raý.
RA		RealAudio streaming media file
2E 73 6E 64		.snd
AU		NeXT/Sun Microsystems µ-Law audio file
30		0
CAT		Microsoft security catalog file
30 00 00 00 4C 66 4C 65		0...LfLe
EVT		Windows Event Viewer file
30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C		0&²u.fÏ. ¦Ù.ª.bÎl
ASF, WMA, WMV		Microsoft Windows Media Audio/Video File (Advanced Streaming Format)
30 31 4F 52 44 4E 41 4E 43 45 20 53 55 52 56 45 59 20 20 20 20 20 20 20		01ORDNAN CE SURVE Y
NTF		National Transfer Format Map File
30 37 30 37 30 nn		07070.
n/a		Archive created with the cpio utility (where nn values 0x37 ("7"), 0x31 ("1"), and 0x32 ("2") refer to the standard ASCII format, new ASCII (aka SVR4) format, and CRC format, respectively. (The swpackage(8) page has additional information.) (Thanks to F. Webber for this....)
31 BE or		1¾
32 BE		2¾
WRI		Microsoft Write file
34 CD B2 A1		4Ͳ¡
n/a		Extended tcpdump (libpcap) capture file (Linux/Unix)
37 7A BC AF 27 1C		7z¼¯'.
7Z		7-Zip compressed file
37 E4 53 96 C9 DB D6 07		7äS–ÛÖ.
n/a		zisofs compression format, recognized by some Linux kernels. See the libburnia page for additional information.
38 42 50 53		8BPS
PSD		Photoshop image file
3A 56 45 52 53 49 4F 4E		:VERSION
SLE		Surfplan kite project file
3C		<
ASX		Advanced Stream redirector file
XDR		BizTalk XML-Data Reduced Schema file
3C 21 64 6F 63 74 79 70		<!doctyp
DCI		AOL HTML mail file
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D		<?xml ve rsion=
MANIFEST		Windows Visual Stylesheet XML file
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E		<?xml ve rsion="1 .0"?>
XUL		XML User Interface Language file
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E 0D 0A 3C 4D 4D 43 5F 43 6F 6E 73 6F 6C 65 46 69 6C 65 20 43 6F 6E 73 6F 6C 65 56 65 72 73 69 6F 6E 3D 22		<?xml ve rsion="1 .0"?>..< MMC_Cons oleFile ConsoleV ersion="
MSC		Microsoft Management Console Snap-in Control file
3C 4D 61 6B 65 72 46 69 6C 65 20		<MakerFi le
FM, MIF		Adobe FrameMaker file
[24 byte offset] 3E 00 03 00 FE FF 09 00 06		[24 byte offset] >...þÿ.. .
WB3		Quatro Pro for Windows 7.0 Notebook file
3F 5F 03 00		?_..
GID		Windows Help index file
HLP		Windows Help file
[32 byte offset] 40 40 40 20 00 00 40 40 40 40		[32 byte offset] @@@ ..@@ @@
ENL		EndNote Library File
41 43 31 30		AC10
DWG		Generic AutoCAD drawing
NOTES on AutoCAD file headers: The 0x41-43-31-30 (AC10) is a generic header, occupying the first four bytes in the file. The next two bytes give further indication about the version or subtype: 0x30-32 (02) — AutoCAD R2.5 0x30-33 (03) — AutoCAD R2.6 0x30-34 (04) — AutoCAD R9 0x30-36 (06) — AutoCAD R10 0x30-39 (09) — AutoCAD R11/R12 0x31-30 (10) — AutoCAD R13 (subtype 10) 0x31-31 (11) — AutoCAD R13 (subtype 11) 0x31-32 (12) — AutoCAD R13 (subtype 12) 0x31-33 (13) — AutoCAD R14 (subtype 13) 0x31-34 (14) — AutoCAD R14 (subtype 14) 0x31-35 (15) — AutoCAD R2000 0x31-38 (18) — AutoCAD R2004 0x32-31 (21) — AutoCAD R2007
41 43 76		ACL
SLE		Steganos Security Suite virtual secure drive
41 43 53 44		ACSD
n/a		Miscellaneous AOL parameter and information files
41 45 53		AES
AES		AES Crypt file format. (The fourth byte is the version number.)
41 4D 59 4F		AMYO
SYW		Harvard Graphics symbol graphic
41 4F 4C 20 46 65 65 64 62 61 67		AOL Feed bag
BAG		AOL and AIM buddy list file
41 4F 4C 44 42		AOLDB
ABY, IDX		AOL database files: address book (ABY) and user configuration data (MAIN.IDX)
41 4F 4C 49 44 58		AOLIDX
IND		AOL client preferences/settings file (MAIN.IND)
41 4F 4C 49 4E 44 45 58		AOLINDEX
ABI		AOL address book index file
41 4F 4C 56 4D 31 30 30		AOLVM100
ORG, PFC		AOL personal file cabinet (PFC) file
41 56 47 36 5F 49 6E 74 65 67 72 69 74 79 5F 44 61 74 61 62 61 73 65		AVG6_Int egrity_D atabase
DAT		AVG6 Integrity database file
41 72 43 01		ArC.
ARC		FreeArc compressed file
42 41 41 44		BAAD
n/a		NTFS Master File Table (MFT) entry (1,024 bytes)
42 45 47 49 4E 3A 56 43 41 52 44 0D 0A		BEGIN:VC ARD..
VCF		vCard file
42 4C 49 32 32 33 51		BLI223Q
BIN		Thomson Speedtouch series WLAN router firmware
42 4D		BM
BMP, DIB		Windows (or device-independent) bitmap image NOTE: Bytes 2-5 contain the file length in little-endian order.
42 4F 4F 4B 4D 4F 42 49		BOOKMOBI
PRC		Palmpilot resource file
42 5A 68		BZh
BZ2, TAR.BZ2, TBZ2, TB2		bzip2 compressed archive
43 23 2B 44 A4 43 4D A5 48 64 72		C#+D¤CM¥ Hdr
RTD		RagTime document file
43 42 46 49 4C 45		CBFILE
CBD		WordPerfect dictionary file (unconfirmed)
43 44 30 30 31		CD001
ISO		ISO-9660 CD Disc Image This signature usually occurs at byte offset 32769 (0x8001), 34817 (0x8801), or 36865 (0x9001). More information can be found at MacTech or at ECMA.
43 49 53 4F		CISO
CSO		Compressed ISO (CISO) CD image
43 4D 58 31		CMX1
CLB		Corel Binary metafile
43 4F 4D 2B		COM+
CLB		COM+ Catalog file
43 4F 57 44		COWD
VMDK		VMware 3 Virtual Disk (portion of a split disk) file
43 50 54 37 46 49 4C 45		CPT7FILE
CPT		Corel Photopaint file
43 50 54 46 49 4C 45		CPTFILE
CPT		Corel Photopaint file
43 52 45 47		CREG
DAT		Windows 9x registry hive
43 52 55 53 48 20 76		CRUSH v
CRU		Crush compressed archive
43 57 53		CWS
SWF		Shockwave Flash file (v5+)
43 61 74 61 6C 6F 67 20 33 2E 30 30 00		Catalog 3.00.
CTF		WhereIsIt Catalog file
43 6C 69 65 6E 74 20 55 72 6C 43 61 63 68 65 20 4D 4D 46 20 56 65 72 20		Client U rlCache MMF Ver
DAT		IE History (index.dat) file
44 41 58 00		DAX.
DAX		DAX Compressed CD image
44 42 46 48		DBFH
DB		Palm Zire photo database
44 4D 53 21		DMS!
DMS		Amiga DiskMasher compressed archive
44 4F 53		DOS
ADF		Amiga disk file
44 56 44		DVD
DVR		DVR-Studio stream file
IFO		DVD info file
45 4C 49 54 45 20 43 6F 6D 6D 61 6E 64 65 72 20		ELITE Co mmander
CDR		Elite Plus Commander saved game file
45 4E 54 52 59 56 43 44 02 00 00 01 02 00 18 58		ENTRYVCD .......X
VCD		VideoVCD (GNU VCDImager) file
45 52 46 53 53 41 56 45 44 41 54 41 46 49 4C 45		ERFSSAVE DATAFILE
DAT		Kroll EasyRecovery Saved Recovery State file
45 50		EP
MDI		Microsoft Document Imaging file
45 56 46 09 0D 0A FF 00		EVF...ÿ.
Enn (where nn are numbers)		Expert Witness Compression Format (EWF) file, including EWF-E01 and EWF-S01, as used in EnCase and SMART evidence files. See the EWF specification.
45 56 46 32 0D 0A 81		EVF2...
Exnn (where nn are numbers)		EnCase® Evidence File Format Version 2 (Ex01). See the document.
45 6C 66 46 69 6C 65 00		ElfFile.
EVTX		Windows Vista event log file
45 86 00 00 06 00		E†....
QBB		Intuit QuickBooks backup file
46 41 58 43 4F 56 45 52 2D 56 45 52		FAXCOVER -VER
CPE		Microsoft Fax Cover Sheet
46 44 42 48 00		FDBH.
FDB		Fiasco database definition file
46 45 44 46		FEDF
SBV		(Unknown file type)
46 49 4C 45		FILE
n/a		NTFS Master File Table (MFT) entry (1,024 bytes)
46 4C 56 01		FLV.
FLV		Flash video file
46 4F 52 4D 00		FORM.
AIFF		Audio Interchange File
DAX		DAKX Compressed Audio
46 57 53		FWS
SWF		Macromedia Shockwave Flash player file
46 72 6F 6D 20 20 20 or		From
46 72 6F 6D 20 3F 3F 3F or		From ???
46 72 6F 6D 3A 20		From:
EML		A commmon file extension for e-mail files. Signatures shown here are for Netscape, Eudora, and a generic signature, respectively. EML is also used by Outlook Express and QuickMail.
47 46 31 50 41 54 43 48		GF1PATCH
PAT		Advanced Gravis Ultrasound patch file
47 49 46 38 37 61 or		GIF87a
47 49 46 38 39 61		GIF89a
GIF		Graphics interchange format file Trailer: 00 3B (.;)
47 50 41 54		GPAT
PAT		GIMP (GNU Image Manipulation Program) pattern file
47 58 32		GX2
GX2		Show Partner graphics file (not confirmed)
47 65 6E 65 74 65 63 20 4F 6D 6E 69 63 61 73 74		Genetec Omnicast
G64		Genetec video archive
48 48 47 42 31		HHGB1
SH3		Harvard Graphics presentation file
49 20 49		I I
TIF, TIFF		Tagged Image File Format file
49 44 33		ID3
MP3		MPEG-1 Audio Layer 3 (MP3) audio file
49 44 33 03 00 00 00		ID3....
KOZ		Sprint Music Store audio file (for mobile devices)
49 49 1A 00 00 00 48 45 41 50 43 43 44 52 02 00		II....HE APCCDR..
CRW		Canon digital camera RAW file
49 49 2A 00		II*.
TIF, TIFF		Tagged Image File Format file (little endian, i.e., LSB first in the byte; Intel)
49 49 2A 00 10 00 00 00 43 52		II*..... CR
CR2		Canon digital camera RAW file
49 53 63 28		ISc(
CAB, HDR		Install Shield v5.x or 6.x compressed file
49 54 4F 4C 49 54 4C 53		ITOLITLS
LIT		Microsoft Reader eBook file
49 54 53 46		ITSF
CHI, CHM		Microsoft Compiled HTML Help File
49 6E 6E 6F 20 53 65 74 75 70 20 55 6E 69 6E 73 74 61 6C 6C 20 4C 6F 67 20 28 62 29		Inno Set up Unins tall Log  (b)
DAT		Inno Setup Uninstall Log file
49 6E 74 65 72 40 63 74 69 76 65 20 50 61 67 65		Inter@ct ive Page
IPD		Inter@ctive Pager Backup (BlackBerry) backup file (See also IPD File Format page or IPD File for BlackBerry)
4A 41 52 43 53 00		JARCS.
JAR		JARCS compressed archive
4A 47 03 0E or		JG..
4A 47 04 0E		JG..
ART		AOL ART file Trailers: For 0x4A-47-03-0E: D0 CB 00 00 (ÐË..) For 0x4A-47-04-0E: CF C7 CB (ÏÇË)
4B 44 4D		KDM
VMDK		VMware 4 Virtual Disk (portion of a split disk) file
4B 44 4D 56		KDMV
VMDK		VMware 4 Virtual Disk (monolitic disk) file
4B 47 42 5F 61 72 63 68 20 2D		KGB_arch  -
KGB		KGB archive
4B 49 00 00		KI..
SHD		Windows 9x printer spool file
4B 57 41 4A 88 F0 27 D1		KWAJˆð'Ñ
n/a		KWAJ file format used by DOS COMPRESS.EXE and EXPAND.EXE commands. This command compresses a single file, replacing the last character in the file name with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or FOO.BA$. (See the SZDD/KWAJ page for more information.)
4C 00 00 00 01 14 02 00		L.......
LNK		Windows shortcut file. See also The Meaning of Linkfiles in Forensic Examinations.
4C 01		L.
OBJ		Microsoft Common Object File Format (COFF) relocatable object code file for an Intel 386 or later/compatible processors
4C 4E 02 00		LN..
GID		Windows Help index file
HLP		Windows Help file.
4C 56 46 09 0D 0A FF 00		LVF...ÿ.
Enn (where nn are numbers)		Logical File Evidence Format (EWF-L01) as used in later versions of EnCase evidence files. See the EWF specification.
4D 2D 57 20 50 6F 63 6B 65 74 20 44 69 63 74 69		M-W Pock et Dicti
PDB		Merriam-Webster Pocket Dictionary file
4D 41 52 31 00		MAR1.
MAR		Mozilla archive
4D 41 52 43		MARC
MAR		Microsoft/MSN MARC archive
4D 41 72 30 00		MAr0.
MAR		MAr compressed archive
4D 44 4D 50 93 A7		MDMPҤ
HDMP		Windows heap dump file
DMP		Windows minidump file
4D 49 4C 45 53		MILES
MLS		Milestones v1.0 project management and scheduling software (Also see "MV2C" and "MV214" signatures)
4D 4C 53 57		MLSW
MLS		Skype localization data file
4D 4D 00 2A		MM.*
TIF, TIFF		Tagged Image File Format file (big endian, i.e., LSB last in the byte; Motorola)
4D 4D 00 2B		MM.+
TIF, TIFF		BigTIFF files; Tagged Image File Format files >4 GB
4D 4D 4D 44 00 00		MMMD..
MMF		Yamaha Corp. Synthetic music Mobile Application Format (SMAF) for multimedia files that can be played on hand-held devices.
4D 52 56 4E		MRVN
NVRAM		VMware BIOS (non-volatile RAM) state file.
4D 53 43 46		MSCF
CAB		Microsoft cabinet file
PPZ		Powerpoint Packaged Presentation
SNP		Microsoft Access Snapshot Viewer file
4D 53 46 54 02 00 01 00		MSFT....
TLB		OLE, SPSS, or Visual C++ type library file
4D 53 5F 56 4F 49 43 45		MS_VOICE
CDR, DVF		Sony Compressed Voice File
MSV		Sony Memory Stick Compressed Voice file
4D 54 68 64		MThd
MID, MIDI		Musical Instrument Digital Interface (MIDI) sound file
4D 56		MV
DSN		CD Stomper Pro label file
4D 56 32 31 34		MV214
MLS		Milestones v2.1b project management and scheduling software (Also see "MILES" and "MV2C" signatures)
4D 56 32 43		MV2C
MLS		Milestones v2.1a project management and scheduling software (Also see "MILES" and "MV214" signatures)
4D 5A		MZ
COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS		Windows/DOS executable file (See The MZ EXE File Format page for the structure of an EXE file, with coverage of NE, TLINK, PE, self-extracting archives, and more.)
ACM		MS audio compression manager driver
AX		Library cache file
CPL		Control panel application
FON		Font file
OCX		ActiveX or OLE Custom Control
OLB		OLE object library
SCR		Screen saver
VBX		VisualBASIC application
VXD, 386		Windows virtual device drivers
4D 5A 90 00 03 00 00 00		MZ......
API		Acrobat plug-in
AX		DirectShow filter
FLT		Audition graphic filter file (Adobe)
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF		MZ...... ....ÿÿ
ZAP		ZoneAlam data file
4D 69 63 72 6F 73 6F 66 74 20 43 2F 43 2B 2B 20		Microsof t C/C++
PDB		Microsoft C++ debugging symbols file
4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65		Microsof t Visual  Studio Solution  File
SLN		Visual Studio .NET Solution file
[84 byte offset] 4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 4D 65 64 69 61 20 50 6C 61 79 65 72 20 2D 2D 20		[84 byte offset] Microsof t Window s Media Player - -
WPL		Windows Media Player playlist
4D 73 52 63 66		MsRcf
GDB		VMapSource GPS Waypoint Database
4E 41 56 54 52 41 46 46 49 43		NAVTRAFF IC
DAT		TomTom traffic data file
4E 42 2A 00		NB*.
JNT, JTP		MS Windows journal file
4E 45 53 4D 1A 01		NESM..
NSF		NES Sound file
4E 49 54 46 30		NITF0
NTF		National Imagery Transmission Format (NITF) file
4E 61 6D 65 3A 20		Name:
COD		Agent newsreader character map file
4F 50 4C 44 61 74 61 62 61 73 65 46 69 6C 65		OPLDatab aseFile
DBF		Psion Series 3 Database file
4F 67 67 53 00 02 00 00 00 00 00 00 00 00		OggS.... ......
OGA, OGG, OGV, OGX		Ogg Vorbis Codec compressed Multimedia file
4F 7B		O{
DW4		Visio/DisplayWrite 4 text file (unconfirmed)
50 00 00 00 20 00 00 00		P... ...
IDX		Quicken QuickFinder Information File
50 35 0A		P5.
PGM		Portable Graymap Graphic
50 41 43 4B		PACK
PAK		Quake archive file
50 41 47 45 44 55 36 34		PAGEDU64
DMP		Windows 64-bit memory dump
50 41 47 45 44 55 4D 50		PAGEDUMP
DMP		Windows memory dump
50 41 58		PAX
PAX		PAX password protected bitmap
50 45 53 54		PEST
DAT		PestPatrol data/scan strings
50 47 50 64 4D 41 49 4E		PGPdMAIN
PGD		PGP disk image
50 49 43 54 00 08		PICT..
IMG		ADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file
50 4B 03 04		PK..
ZIP		PKZIP archive file (Ref. 1 | Ref. 2) Trailer: filename 50 4B 17 characters 00 00 00 Trailer: (filename PK 17 characters ...)
ZIP		Apple Mac OS X Dashboard Widget, Aston Shell theme, Oolite eXpansion Pack, Opera Widget, Pivot Style Template, Rockbox Theme package, Simple Machines Forums theme, SubEthaEdit Mode, Trillian zipped skin, Virtual Skipper skin
JAR		Java archive; compressed file package for classes and data
KMZ		Google Earth saved working session file
KWD		KWord document
ODT, ODP, OTT		OpenDocument text document, presentation, and text document template, respectively.
SXC, SXD, SXI, SXW		OpenOffice spreadsheet (Calc), drawing (Draw), presentation (Impress), and word processing (Writer) files, respectively.
SXC		StarOffice spreadsheet
WMZ		Windows Media compressed skin file
XPI		Mozilla Browser Archive
XPS		XML paper specification file
XPT		eXact Packager Models
50 4B 03 04 14 00 01 00 63 00 00 00 00 00		PK...... c.....
ZIP		ZLock Pro encrypted ZIP
50 4B 03 04 14 00 06 00		PK......
DOCX, PPTX, XLSX		Microsoft Office Open XML Format (OOXML) Document NOTE: There is no subheader for MS OOXML files as there is with DOC, PPT, and XLS files. To better understand the format of these files, rename any OOXML file to have a .ZIP extension and then unZIP the file; look at the resultant file named [Content_Types].xml to see the content types. In particular, look for the <Override PartName= tag, where you will find word, ppt, or xl, respectively. Trailer: Look for 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
50 4B 03 04 14 00 08 00 08 00		PK...... ..
JAR		Java archive
50 4B 05 06		PK..
50 4B 07 08		PK..
ZIP		PKZIP empty and multivolume archive file, respectively
[30 byte offset] 50 4B 4C 49 54 45		[30 byte offset] PKLITE
ZIP		PKLITE compressed ZIP archive (see also PKZIP)
[526 byte offset] 50 4B 53 70 58		[526 byte offset] PKSFX
ZIP		PKSFX self-extracting executable compressed file (see also PKZIP)
50 4D 43 43		PMCC
GRP		Windows Program Manager group file
50 4E 43 49 55 4E 44 4F		PNCIUNDO
DAT		Norton Disk Doctor undo file
[92 byte offset] 51 45 4C 20		[92 byte offset] QEL
QEL		Quicken data file
51 46 49 FB		QFIû
IMG		QEMU Qcow Disk Image
51 57 20 56 65 72 2E 20		QW Ver.
ABD, QSD		Quicken data file
52 41 5A 41 54 44 42 31		RAZATDB1
DAT		Shareaza (Windows P2P client) thumbnail
52 45 47 45 44 49 54		REGEDIT
REG, SUD		Windows NT Registry and Registry Undo files
52 45 56 4E 55 4D 3A 2C		REVNUM:,
ADF		Antenna data file
52 49 46 46		RIFF
ANI		Windows animated cursor
CMX		Corel Presentation Exchange (Corel 10 CMX) Metafile
CDR		CorelDraw document
DAT		Video CD MPEG or MPEG1 movie file
DS4		Micrografx Designer v4 graphic file
4XM		4X Movie video
52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54		RIFF.... AVI LIST
AVI		Resource Interchange File Format -- Windows Audio Video Interleave file
52 49 46 46 xx xx xx xx 43 44 44 41 66 6D 74 20		RIFF.... CDDAfmt
CDA		Resource Interchange File Format -- Compact Disc Digital Audio (CD-DA) file
52 49 46 46 xx xx xx xx 51 4C 43 4D 66 6D 74 20		RIFF.... QLCMfmt
QCP		Resource Interchange File Format -- Qualcomm PureVoice
52 49 46 46 xx xx xx xx 52 4D 49 44 64 61 74 61		RIFF.... RMIDdata
RMI		Resource Interchange File Format -- Windows Musical Instrument Digital Interface file
52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20		RIFF.... WAVEfmt
WAV		Resource Interchange File Format -- Audio for Windows file
52 54 53 53		RTSS
CAP		Windows NT Netmon capture file
52 61 72 21 1A 07 00		Rar!...
RAR		WinRAR compressed archive file
52 65 74 75 72 6E 2D 50 61 74 68 3A 20		Return-P ath:
EML		A commmon file extension for e-mail files.
53 43 48 6C		SCHl
AST		Need for Speed: Underground Audio file
53 43 4D 49		SCMI
IMG		Img Software Set Bitmap
53 48 4F 57		SHOW
SHW		Harvard Graphics DOS Ver. 2/x Presentation file
53 49 45 54 52 4F 4E 49 43 53 20 58 52 44 20 53 43 41 4E		SIETRONI CS XRD S CAN
CPI		Sietronics CPI XRD document
53 49 54 21 00		SIT!.
SIT		StuffIt compressed archive
53 4D 41 52 54 44 52 57		SMARTDRW
SDR		SmartDraw Drawing file
53 50 46 49 00		SPFI.
SPF		StorageCraft ShadownProtect backup file
53 51 4C 4F 43 4F 4E 56 48 44 00 00 31 2E 30 00		SQLOCONV HD..1.0.
CNV		DB2 conversion file
53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00		SQLite f ormat 3.
DB		SQLite database file
53 5A 20 88 F0 27 33 D1		SZ ˆð'3Ñ
n/a		QBASIC SZDD file header variant. (See the SZDD or KWAJ format entries for additional information.)
53 5A 44 44 88 F0 27 33		SZDDˆð'3
n/a		SZDD file format used by DOS COMPRESS.EXE and EXPAND.EXE commands. This command compresses a single file, replacing the last character in the file name with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or FOO.BA$. (See the SZDD/KWAJ page for more information.)
53 6D 62 6C		Smbl
SYM		(Unconfirmed file type. Likely type is Harvard Graphics Version 2.x graphic symbol or Windows SDK graphic symbol)
53 74 75 66 66 49 74 20 28 63 29 31 39 39 37 2D		StuffIt (c)1997-
SIT		StuffIt compressed archive
53 75 70 65 72 43 61 6C 63		SuperCal c
CAL		SuperCalc worksheet
54 68 69 73 20 69 73 20		This is
INFO		UNIX GNU Info Reader File
55 43 45 58		UCEX
UCE		Unicode extensions
55 46 41 C6 D2 C1		UFAÆÒÁ
UFA		UFA compressed archive
55 46 4F 4F 72 62 69 74		UFOOrbit
DAT		UFO Capture v2 map file
56 43 50 43 48 30		VCPCH0
PCH		Visual C PreCompiled header file
56 45 52 53 49 4F 4E 20		VERSION
CTL		Visual Basic User-defined Control file
56 65 72 73 69 6F 6E 20		Version
MIF		MapInfo Interchange Format file
57 4D 4D 50		WMMP
DAT		Walkman MP3 container file
57 53 32 30 30 30		WS2000
WS2		WordStar for Windows Ver. 2 document
[29,152 byte offset] 57 69 6E 5A 69 70		[29,152 byte offset] WinZip
ZIP		WinZip compressed archive
57 6F 72 64 50 72 6F		WordPro
LWP		Lotus WordPro document.
58 2D		X-
EML		A commmon file extension for e-mail files. This variant is for Exchange.
58 43 50 00		XCP.
CAP		Cinco NetXRay, Network General Sniffer, and Network Associates Sniffer capture file
58 50 43 4F 4D 0A 54 79 70 65 4C 69 62		XPCOM.Ty peLib
XPT		XPCOM type libraries for the XPIDL compiler
58 54		XT..
BDR		MS Publisher border
5A 4F 4F 20		ZOO
ZOO		ZOO compressed archive
5B 47 65 6E 65 72 61 6C 5D 0D 0A 44 69 73 70 6C 61 79 20 4E 61 6D 65 3D 3C 44 69 73 70 6C 61 79 4E 61 6D 65		[General ]..Displ ay Name= <Display Name
ECF		MS Exchange 2007 extended configuration file
5B 4D 53 56 43		[MSVC
VCW		Microsoft Visual C++ Workbench Information File
5B 50 68 6F 6E 65 5D		[Phone]
DUN		Dial-up networking file
5B 56 45 52 5D or		[VER]
5B 76 65 72 5D or		[ver]
SAM		Lotus AMI Pro document
[2 byte offset] 5B 56 65 72 73 69 6F 6E		[2 byte offset] [Version
CIF		(Unknown file type)
5B 57 69 6E 64 6F 77 73 20 4C 61 74 69 6E 20		[Windows  Latin
CPX		Microsoft Code Page Translation file
5B 66 6C 74 73 69 6D 2E 30 5D		[fltsim. 0]
CFG		Flight Simulator Aircraft Configuration file
5B 70 6C 61 79 6C 69 73 74 5D		[playlis t]
PLS		WinAmp Playlist file
5F 27 A8 89		_'¨‰
JAR		Jar archive
5F 43 41 53 45 5F		_CASE_
CAS, CBK		EnCase case file (and backup)
60 EA		`ê
ARJ		Compressed archive file
62 65 67 69 6E		begin
n/a		UUencoded files start with a string:   begin mode path where mode is the set of permissions as used in Linux/Unix and path is the name given to the decoded file. (See this uuencode page for more information.)
62 70 6C 69 73 74		bplist
plist		Binary property list (plist) (NOTE: Next two bytes are the version number, currently 0x30-30, or "00")
63 6F 6E 65 63 74 69 78		conectix
VHD		Virtual PC Virtual HD image
63 75 73 68 00 00 00 02 00 00 00		cush.... ...
CSH		Photoshop Custom Shape
64 00 00 00		d...
P10		Intel PROset/Wireless Profile
64 65 78 0A 30 30 39 00		dex.009.
dex		Dalvik executable file (Android)
64 73 77 66 69 6C 65		dswfile
DSW		Microsoft Visual Studio workspace file
64 6E 73 2E		dns.
AU		Audacity audio file
66 49 00 00		fI.. -
SHD		Windows NT printer spool file
66 4C 61 43 00 00 00 22		fLaC..."
FLAC		Free Lossless Audio Codec file
67 49 00 00		gI.. -
SHD		Windows 2000/XP printer spool file
68 49 00 00		hI.. -
SHD		Windows Server 2003 printer spool file
6C 33 33 6C		l33l
DBB		Skype user data file (profile and contacts)
[4 byte offset] 6D 6F 6F 76		[4 byte offset] moov
MOV		QuickTime movie file
.MOV files have a complicated file signature. The string "moov" is the most common but I have also seen:   0x66-72-65-65   free   0x6D-64-61-74   mdat   0x77-69-64-65   wide And the following have been reported to me:   0x70-6E-6F-74   pnot   0x73-6B-69-70   skip Furthermore, if you look at byte position xxxxxxxx+4 (where xxxxxxxx is bytes 0-3 of the header), you will find one (or more!) of these strings repeated; the string "free" seems to be the most common. For more information, see the QuickTime File Format page. (Thanks to D. Wright for getting me started on this!)
6F 3C		o<
n/a		Short Message Service (SMS), or text, message stored on a Subscriber Identification Module (SIM).
72 65 67 66		regf
DAT		Windows NT registry hive file
72 69 66 66		riff
ACD		Sonic Foundry Acid Music File (Sony)
72 74 73 70 3A 2F 2F		rtsp://
RAM		RealMedia metafile
73 6C 68 21 or		slh!
73 6C 68 2E		slh.
DAT		Allegro Generic Packfile Data file (0x21 = compressed, 0x2E = uncompressed)
73 6D 5F		sm_
PDB		PalmOS SuperMemo file
73 72 63 64 6F 63 69 64 3A		srcdocid :
CAL		CALS raster bitmap file
73 7A 65 7A		szez
PDB		PowerBASIC Debugger Symbols file
[60 byte offset] 74 42 4D 50 4B 6E 57 72		[60 byte offset] tBMPKnWr
PRC		PathWay Map file, used with GPS devices
[257 byte offset] 75 73 74 61 72		[257 byte offset] ustar
TAR		Tape Archive file (http://www.mkssoftware.com/docs/man4/tar.4.asp)
76 32 30 30 33 2E 31 30 0D 0A 30 0D 0A		v2003.10 ..0..
FLT		Qimage filter
78		x
DMG		Mac OS X Disk Copy Disk Image file
7A 62 65 78		zbex
INFO		ZoomBrowser Image Index file (ZbThumbnal.info)
7B 0D 0A 6F 20		{..o
LGC, LGD		Windows application log
7B 5C 70 77 69		{\pwi
PWI		Microsoft Windows Mobile personal note file
7B 5C 72 74 66 31		{\rtf1
RTF		Rich text format word processing file Trailer: 5C 70 61 72 20 7D 7D (\par }})
7E 42 4B 00		~BK.
PSP		Corel Paint Shop Pro image file
7F 45 4C 46		.ELF
n/a		Executable and Linking Format executable file (Linux/Unix)
80		.
OBJ		Relocatable object code
80 00 00 20 03 12 04		.......
ADX		Dreamcast audio file
81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76		.2„Á&#x85.Ð. ²..ª.<öv
WAB		Outlook Express address book (Win95)
81 CD AB		.Í«
WPF		WordPerfect text file
89 50 4E 47 0D 0A 1A 0A		‰PNG....
PNG		Portable Network Graphics file Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚...)
8A 01 09 00 00 00 E1 08 00 00 99 19		Š.....á. ..™.
AW		MS Answer Wizard file
91 33 48 46		‘3HF
HAP		Hamarsoft HAP 3.x compressed archive
95 00 or		•.
95 01		•.
SKR		PGP secret keyring file
99		™
GPG		GNU Privacy Guard (GPG) public keyring
99 01		™.
PKR		PGP public keyring file
9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4		œËË..UÒ. ‘X.ÀOyV¤
WAB		Outlook address file
[512 byte offset] A0 46 1D F0		[512 byte offset]  F.ð
PPT		PowerPoint presentation subheader (MS Office)
A1 B2 C3 D4		¡²ÃÔ
n/a		tcpdump (libpcap) capture file (Linux/Unix)
A1 B2 CD 34		¡²Í4
n/a		Extended tcpdump (libpcap) capture file (Linux/Unix)
A9 0D 00 00 00 00 00 00		©.......
DAT		Access Data FTK evidence file
AC 9E BD 8F 00 00		¬.½...
QDF		Quicken data file
AC ED		’
n/a		Java serialization data (see Object Serialization Stream Protocol)
AC ED 00 05 73 72 00 12 62 67 62 6C 69 74 7A 2E		’..sr.. bgblitz.
PDB		BGBlitz (professional Backgammon software) position database file
B0 4D 46 43		°MFC
PWL		Windows 95 password file
B1 68 DE 3A		±hÞ:
DCX		Graphics Multipage PCX bitmap file
B4 6E 68 44		´nhd
TIB		Acronis True Image file
B5 A2 B0 B3 B3 B0 A5 B5		µ¢°³³°¥µ
CAL		Windows calendar file
BE 00 00 00 AB 00 00 00 00 00 00 00 00		¾...«... ....
WRI		MS Write file
C3 AB CD AB		ëͫ
ACS		MS Agent Character file
C5 D0 D3 C6		ÅÐÓÆ
EPS		Adobe encapsulated PostScript file
C8 00 79 00		È.y.
LBK		Jeppesen FliteLog file
CA FE BA BE		Êþº¾
CLASS		Java bytecode file
CD 20 AA AA 02 00 00 00		Í ªª....
n/a		Norton Anti-Virus quarantined virus file
CF 11 E0 A1 B1 1A E1 00		Ï.ࡱ.á.
DOC		Perfect Office document [Note similarity to MS Office header, below]
CF AD 12 FE		Ï­.þ
DBX		Outlook Express e-mail folder
D0 CF 11 E0 A1 B1 1A E1		ÐÏ.ࡱ.á
DOC, DOT, PPS, PPT, XLA, XLS, WIZ		Microsoft Office applications (Word, Powerpoint, Excel, Wizard) [See also Word, Powerpoint, and Excel "subheaders" at byte offset 512] [Note the similarity between D0 CF 11 E0 and the word "docfile"!]
AC_		CaseWare Working Papers compressed client file
ADP		Access project file
APR		Lotus/IBM Approach 97 file
DB		MSWorks database file
MSC		Microsoft Common Console Document
MSI		Microsoft Installer package
MTW		Minitab data file
OPT		Developer Studio File Workspace Options file
PUB		MS Publisher file
QBM		QuickBooks Portable Company File
RVT		Revit Project file
SOU		Visual Studio Solution User Options file
SPO		SPSS output file
VSD		Visio file
WPS		MSWorks text document
D2 0A 00 00		Ò...
FTR		GN Nettest WinPharoah filter file
D4 2A		Ô*
ARL, AUT		AOL history (ARL) and typed URL (AUT) files
D4 C3 B2 A1		Ôò¡
n/a		WinDump (winpcap) capture file (Windows)
D7 CD C6 9A		×ÍÆš
WMF		Windows graphics metafile
DB A5 2D 00		Û¥-.
DOC		Word 2.0 file
DC DC		ÜÜ
CPL		Corel color palette file
DC FE		Üþ
EFX		eFax file format
E3 10 00 01 00 00 00 00		ã.......
INFO		Amiga Icon file
E3 82 85 96		ã‚…–
PWL		Windows 98 password file
E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3		äR\{ŒØ§M ®±SxÐ)–Ó
ONE		Microsoft OneNote note
E8 or		è
E9 or		é
EB		ë
COM, SYS		Windows executable file
EB 3C 90 2A		ë<.*
IMG		GEM Raster file
[512 byte offset] EC A5 C1 00		[512 byte offset] ì¥Á.
DOC		Word document subheader (MS Office)
ED AB EE DB		í«îÛ
RPM		RedHat Package Manager file
EF BB BF		
n/a		Byte-order mark for 8-bit Unicode Transformation Format (UTF-8) files. (See the Unicode Home Page.)
[At a cluster boundary] F0 FF FF		[At a cluster boundary] ðÿÿ
n/a		FAT12 File Allocation Table
[At a cluster boundary] F8 FF FF FF		[At a cluster boundary] øÿÿÿ
n/a		FAT16 File Allocation Table
[At a cluster boundary] F8 FF FF 0F FF FF FF FF		[At a cluster boundary] øÿÿ.ÿÿÿÿ
n/a		FAT32 File Allocation Table
[512 byte offset] FD FF FF FF 04		[512 byte offset] ýÿÿÿ.
QBM		QuickBooks Portable Company File
SUO		Visual Studio Solution User Options subheader (MS Office)
[512 byte offset] FD FF FF FF nn 00 00 00		[512 byte offset] ýÿÿÿ....
PPT		PowerPoint presentation subheader (MS Office) (where nn has been seen with values 0x0E, 0x1C, and 0x43)
[512 byte offset] FD FF FF FF nn 00		[512 byte offset] ýÿÿÿ..
or
[512 byte offset] FD FF FF FF nn 02		[512 byte offset] ýÿÿÿ..
XLS		Excel spreadsheet subheader (MS Office) (where nn = 0x10, 0x1F, 0x22, 0x23, 0x28, or 0x29)
[512 byte offset] FD FF FF FF 20 00 00 00		[512 byte offset] ýÿÿÿ ...
OPT		Developer Studio File Workspace Options subheader (MS Office)
XLS		Excel spreadsheet subheader (MS Office)
[512 byte offset] FD FF FF FF xx xx xx xx xx xx xx xx 04 00 00 00		[512 byte offset] ýÿÿÿ.... ........
DB		Thumbs.db subheader (MS Office)
FE EF		þï
GHO, GHS		Symantex Ghost image file
FE FF		þÿ
n/a		Byte-order mark for 16-bit Unicode Transformation Format/ 2-octet Universal Character Set (UTF-16/UCS-2), little-endian files. (See the Unicode Home Page.)
FF		ÿ
SYS		Windows executable (SYS) file
FF 00 02 00 04 04 05 54 02 00		ÿ......T ..
WKS		Works for Windows spreadsheet file
FF 46 4F 4E 54		ÿFONT
CPI		Windows international code page
FF 4B 45 59 42 20 20 20		ÿKEYB
SYS		Keyboard driver file
FF 57 50 43		ÿWPC
WP, WPD, WPG, WPP, WP5, WP6		WordPerfect text and graphics file
FF D8 FF E0 xx xx 4A 46 49 46 00		ÿØÿà..JF IF.
JFIF, JPE, JPEG, JPG		JPEG/JFIF graphics file Trailer: FF D9 (ÿÙ)
FF D8 FF E1 xx xx 45 78 69 66 00		ÿØÿá..Ex if.
JPG		Digital camera JPG using Exchangeable Image File Format (EXIF) Trailer: FF D9 (ÿÙ) See "Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis" (P. Alvarez, IJDE, 2(3), Winter 2004) and ExifTool Tag Names
FF D8 FF E8 xx xx 53 50 49 46 46 00		ÿØÿè..SP IFF.
JPG		Still Picture Interchange File Format (SPIFF) Trailer: FF D9 (ÿÙ)
NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three hex digits 0xFF-D8-FF. The fourth digit is also indicative of JPEG content. Various options include: 0xFF-D8-FF-DB — Samsung D807 JPEG file. 0xFF-D8-FF-E0 — Shown above. Standard JPEG/JFIF file. 0xFF-D8-FF-E1 — Shown above. Standard JPEG/Exif file. 0xFF-D8-FF-E2 — Canon EOS-1D JPEG file. 0xFF-D8-FF-E3 — Samsung D500 JPEG file. 0xFF-D8-FF-E8 — Shown above. Still Picture Interchange File Format (SPIFF).
FF Ex		ÿ.
FF Fx		ÿ.
MPEG, MPG, MP3		MPEG audio file frame synch pattern
FF FE		ÿþ
REG		Windows Registry file
n/a		Byte-order mark for 16-bit Unicode Transformation Format/ 2-octet Universal Character Set (UTF-16/UCS-2), big-endian files. (See the Unicode Home Page.)
FF FE 00 00		ÿþ..
n/a		Byte-order mark for 32-bit Unicode Transformation Format/ 4-octet Universal Character Set (UTF-32/UCS-4), little-endian files. (See the Unicode Home Page.)
FF FE 23 00 6C 00 69 00 6E 00 65 00 20 00 31 00		ÿþ#.l.i. n.e. .1.
MOF		Windows MSinfo file
FF FF FF FF		ÿÿÿÿ
SYS		DOS system driver

---

ACKNOWLEDGEMENTS

The following individuals have given me updates or suggestions for this list over the years: Devon Ackerman, Nazim Aliyev, Vladimir Benko, Arvin Bhatnagar, Sam Brothers, Per Christensson, Cornelis de Groot, Jeffrey Duggan, Jean-Pierre Fiset, Peter Almer Frederiksen, Tim Gardner, Paulo Guzmán, George Harpur, Brian High, Eric Huber, Broadus Jones, Axel Kesseler, Nick Khor, Bill Kuhns, Anand Mani, Kevin Mansell, Davyd McColl, Michal, Bruce Modick, Lee Nelson, Dan P., Jorge Paulhiac, Carlo Politi, Stanley Rainey, Cory Redfern, Bruce Robertson, Thomas Rösner, Mike Sutton, Matthias Sweertvaegher, Jason Wallace, Erik van de Burgwal, Franklin Webber, Gavin Williams, Mike Wilkinson, and David Wright. I thank them and apologize if I have missed anyone.

I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite (primarily for the "subheaders" for many of the file types here), and the people at X-Ways Forensics for their permission to incorporate their lists of file signatures.