리버싱 업무를 하면서 1년정도 지난것같다...1년 동안은 많이 배우고 발전했다고 느껴지고 있었다...

근래 들어서 무언가 막혔다..진척이 느껴지지 않는다고나 할까?? 그것이 무엇일까 생각했다..분명 무언가 부족하다..

그것을 한꺼플 볏겨준책이다. 초보리버서에게는 추천하지 않겠다. 초보리버서는 그 전에 나온 검은책과 기본적인 운영체제 및 어셈블리 명령을 통해서 구구단을 짜보길 바란다. 난 정말 운이 좋게 아무것도 모르는 시절 주입식 어셈과 운영체제를 배웠다. 학점은 개박살...ㅋㅋ 근데 그것이 이렇게 도움이 될줄 몰랐다. 이게 조금씩 개발을 해보려한다. 처음 개발은 절대 안하겠따는 생각을 버리고 조금씩 파보려한다. 그게 내가 내린 답이다. 리버싱을 잘하려면 그 사람의 의도 및 동작을 이해하기 위해서 개발은 필수라는것을 알게 된 것같다. 휴......또 몇년을 삽질해야할지 이래서 천재들은 좋겠구나..ㅋㅋ 예전에 교육받을때 카이스트 놈들 지들끼리 놀고 잘하던데...이제는 이해될것같아..다만..그것을 누를 수 없는건 아니다. 내가 부족하다는것을 채워 나간다면 그것 또한 그사람들에게 배우면 되는것이다. 배우는것은 부끄럽지 않다... 다만 그걸 쪽팔리다고 못물어봤을때, 그게 나에게 질문으로 왔을때 그 비참을 느끼게 되면 그것이 바로 쪽팔린것이다. 배우고 뻇어라, 누구든 어리든 나이가 있든, 그것은 쪽팔린것이 아니라 잘하는것이다.  

---------------------------------------------------------------------------------------------

그냥 술한잔 하고 한풀이다..답답하다. 나이가 적지않는 관계로 많은 생각을 하게 된다. 

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

아래 그림과 같이 mozlite3.dll 을 이용해 해당 쿼리를 날려 파이어폭스의 암호를 알아낸다고 한다. 

파이어 폭스의 계정 정보를 가지고 있는 파일은 prefs.js 이다. 해당 정보의 상위 주소로 가게 되면 해당 파일의 조건문

으로 되어있어 확인 후 계정 정보를 알아내려고 하는것을 알 수 있다

ida화면

추가 정보 

---------------------------------------------------------------------------------------------------------

북마크와 방문 기록

• places.sqlite

이 파일은 여러분의 모든 북마크와 이전에 방문했던 웹사이트들의 목록이 포함되어 있습니다. 더 많은 정보를 위해서는 북마크 를 참고하세요.

패스워드

여러분의 패스워드는 필요한 두개의 다른 파일에 저장되어 있습니다.

• key3.db - 이 파일은 여러분의 패스워드를 위한 데이터베이스 키가 저장되어 있습니다. 저장된 패스워드들을 옮기기 위해서는 반드시 이 파일과 아래 파일을 복사해야 합니다.

• signons.sqlite - 패스워드를 저장.

더 많은 정보를 위해서는 암호 기억하기 를 참고하세요.

사이트에 관한 설정

• permissions.sqlite

이 파일은 한 사이트에 기반하여 결정된 여러분의 Firefox 승인정보들을 담고 있습니다. 예를 들어, 어떤 사이트들이 쿠키 설정이나 확장기능 설치, 이미지 보기, 팝업 열기 등이 허용되었거나 불허되었는지에 대한 정보들을 저장하고 있습니다.

검색 사이트

• search.sqlite
• \searchplugins\ 폴더

만약 여러분이 검색 사이트를 추가하였다면 그것들은 \searchplugins\ 폴더에 저장됩니다.search.sqlite 파일은 Firefox에서 보여지는 검색 사이트들의 순서를 저장합니다. 더 많은 정보를 위해서는 검색 바 를 참고하세요.

개인 사전

• persdict.dat

이 파일은 여러분이 Firefox 사전에 추가한 단어들을 저장하고 있습니다. 만약 여러분이 한번도 Firefox사전에 단어를 추가한 적이 없다면 이 파일은 존재하지 않습니다. 더 많은 정보를 위해서는 맞춤법 검사 사용하기를 참고하세요.

자동완성 기록

• formhistory.sqlite

이 파일은 여러분이 Firefox 검색바에서 검색한 내용과 웹사이트의 폼에 입력한 정보들을 저장하고 있습니다. 더 많은 정보를 위해서는 폼 자동완성을 참고하세요.

쿠키

• cookies.sqlite

쿠키 는 이전에 로그인했던 웹사이트의 로그인 유지, 여러분이 허용한 웹사이트의 설정 저장, 이전에 방문한 특정 웹사이트들의 사용자 인증등의 다양한 목적으로 사용됩니다. 더 많은 정보를 위해서는 쿠키를 참고하세요.

보안 증명 설정들

• cert8.db

이 파일은 여러분의 모든 보안 증명 설정들과 여러분이 Firefox로 가져온 SSL 증명들을 저장합니다.

내려받기

• mimeTypes.rdf

이 파일은 알려진 파일타입에따라 어떤 행동을 했는지에 대한 여러분의 설정을 저장합니다. 더 많은 정보를 위해서는 파일 타입 관리하기를 참고하세요.

사용자 스타일

• \chrome\userChrome.css
• \chrome\userContent.css

만약 이 파일들이 존재한다면 이 파일들은 파이어폭스나 특정 웹사이트 또는 html 엘리먼트들의 행동이나 모습들에 대해 사용자가 임의로 정의한 변경 사항들을 저장합니다. 대부분의 사람들은 이 파일이 없습니다. 만약 여러분의 \chrome\ 폴더안에 userChrome-example.css 파일과userContent-example.css 파일이 있더라도 무시하여도 됩니다.

안티리버싱이라고 하기엔 좀 애매한 부분이 잇지만, 동적분석 및 분석을 방해하기 위해서 쓰이기 때문에 안티리버싱이라 하겠다. 이건 개인적인 소견이다~ㅎㅎ 

퍼온글과 내가 본 부분을 덧붙이겠다. 문제되면 비공개로 바꾸도록 하겠습니다.

------------------------------------------------------------------------------------

커널모드 드라이버를 사용하는 디버거들은 이름이 정해진 장치들과 통신하여 작동 됩니다. 그래서 이 장치이름으로 핸들을 얻기를 시도했을때 성공한다는 것은 디버거가 활성화 되어 있다는 의미는 아니더라도 현재 존재는 하고 있다는 뜻입니다. 이를 이용해 CreateFile() 함수의 dwCreationDisposition 파라메타에 OPEN_EXISTING 을 전달하고 다음 디바이스 이름들을 넣는 방식으로 디버거의 존재를 알 수 있습니다. 

HANDLE WINAPI CreateFile(
  _In_      LPCTSTR lpFileName,
  _In_      DWORD dwDesiredAccess,
  _In_      DWORD dwShareMode,
  _In_opt_  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  _In_      DWORD dwCreationDisposition,
  _In_      DWORD dwFlagsAndAttributes,
  _In_opt_  HANDLE hTemplateFile
); 

• SoftICE: \\.\SICE, \\.\SIWVID, \\.\NTICE
• RegMon: \\.\FILEVXG, \\.\REGSYS
• FileMon: \\.\FILEVXG, \\.\FILEM
• \\.\TRW
• SoftICE extender: \\.\ICEEXT

아래 그림은 해당 프로그램이 동작하는것을 확인하는 코드부분으로 해당 프로그램이 동작시 윈도우 메시지 창을 띄운다.

ida 코드부분

웅캬캬캬캬캬 퍼오기퍼오기퍼오기

FILE SIGNATURES TABLE

11 June 2012

This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.

This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know to what a particular file extension refers, check out some of these sites:

• File Extension Seeker: Metasearch engine for file extensions
• FILExt.com
• FileInfo.com
• Wotsit.org, The Programmer's File and Data Resource
• DOT.WHAT?
• File-Extensions.org

Some useful additional information:

• Check out Tim Coakley's Filesig.co.uk site, with Filesig Manager and Simple Carver.

• See Marco Pontello's TrID - File Identifier, a utility designed to identify file types from their binary signatures.

• My software utility page contains a custom signature file based upon this list, for use with FTK, Scalpel, Simple Carver, and Simple Carver Lite.

• Additional details on graphics file formats can be found at The Graphics File Formats Page and the Sustainability of Digital Formats Planning for Library of Congress Collections site.

• Additional details on audio and video file formats can also be found at the Sustainability of Digital Formats Planning for Library of Congress Collections site.

---

ACKNOWLEDGEMENTS

---

Hex Signature		ASCII Signature
File Extension		File Description
TGA		Truevision Targa Graphic file Trailer: 54 52 55 45 56 49 53 49   TRUEVISI 4F 4E 2D 58 46 49 4C 45   ON-XFILE 2E 00                     ..
00		.
PIC		IBM Storyboard bitmap file
MOV		Apple QuickTime movie file
PIF		Windows Program Information File
SEA		Mac Stuffit Self-Extracting Archive
YTR		IRIS OCR data file
[11 byte offset] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00		[11 byte offset] ........ ........ ........
PDB		Palmpilot Database/Document File
[512 byte offset] 00 00 00 00 00 00 00 00		[512 byte offset] ........
RVT		Revit Project File subheader
00 00 00 0C 6A 50 20 20 0D 0A		....jP  ..
JP2		Various JPEG-2000 image file formats
00 00 00 nn 66 74 79 70 33 67 70		....ftyp 3gp
3GG, 3GP, 3G2		3rd Generation Partnership Project 3GPP (nn=0x14) and 3GPP2 (nn=0x20) multimedia files
00 00 00 14 66 74 79 70 69 73 6F 6D		....ftyp isom
MP4		ISO Base Media file (MPEG-4) v1
00 00 00 14 66 74 79 70 71 74 20 20		....ftyp qt
MOV		QuickTime movie file
00 00 00 18 66 74 79 70 33 67 70 35		....ftyp 3gp5
MP4		MPEG-4 video files
00 00 00 18 66 74 79 70 6D 70 34 32		... ftyp mp42
M4V		MPEG-4 video/QuickTime file
00 00 00 20 66 74 79 70 4D 34 41 20		... ftyp M4A
M4A		Apple Lossless Audio Codec file
00 00 01 00		....
ICO		Windows icon file
SPL		Windows NT/2000/XP printer spool file
00 00 01 Bx		....
MPEG, MPG		MPEG video file Trailer: 00 00 01 B7 (...·)
00 00 01 BA		....º
MPG, VOB		DVD Video Movie File (video/dvd, video/mpeg) or DVD MPEG2 Trailer: 00 00 01 B9 (...¹)
00 00 02 00		......
CUR		Windows cursor file
WB2		QuattroPro for Windows Spreadsheet file
00 00 02 00 06 04 06 00 08 00 00 00 00 00		........ ......
WK1		Lotus 1-2-3 spreadsheet (v1) file
00 00 1A 00 00 10 04 00 00 00 00 00		........ ....
WK3		Lotus 1-2-3 spreadsheet (v3) file
00 00 1A 00 02 10 04 00 00 00 00 00		........ ....
WK4, WK5		Lotus 1-2-3 spreadsheet (v4, v5) file
00 00 1A 00 05 10 04		.......
123		Lotus 1-2-3 spreadsheet (v9) file
00 00 49 49 58 50 52 or		..IIXPR
00 00 4D 4D 58 50 52		..MMXPR
QXD		Quark Express document (Intel & Motorola, respectively) NOTE: It appears that the byte following the 0x52 ("R") is the language indicator; 0x33 ("3") seems to indicate English and 0x61 ("a") reportedly indicates Korean.
00 00 FE FF		..þÿ
n/a		Byte-order mark for 32-bit Unicode Transformation Format/ 4-octet Universal Character Set (UTF-32/UCS-4), big-endian files. (See the Unicode Home Page.)
[6 byte offset] 00 00 FF FF FF FF		[6 byte offset] ..ÿÿÿÿ
HLP		Windows Help file
00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65		....MSIS AM Datab ase
MNY		Microsoft Money file
00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42		....Stan dard ACE  DB
ACCDB		Microsoft Access 2007 file
00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42		....Stan dard Jet  DB
MDB		Microsoft Access file
00 01 00 08 00 01 00 01 01		........ .
IMG		Ventura Publisher/GEM VDI Image Format Bitmap file
00 01 01		...
FLT		OpenFlight 3D file
00 01 42 41		..BA
ABA		Palm Address Book Archive file
00 01 42 44		..BD
DBA		Palm DateBook Archive file
00 06 15 61 00 00 00 02 00 00 04 D2 00 00 10 00		...a.... ...Ò....
DB		Netscape Navigator (v4) database file
00 11 AF		..¯
FLI		FLIC Animation file
00 14 00 00 01 02 xx xx 03		........ .
n/a		BIOS details in RAM images
00 1E 84 90 00 00 00 00		..„.....
SNM		Netscape Communicator (v4) mail folder
00 5C 41 B1 FF		.\A±ÿ
ENC		Mujahideen Secrets 2 encrypted file
00 BF		.¿
SOL		Adobe Flash shared object file (e.g., Flash cookies)
[512 byte offset] 00 6E 1E F0		[512 byte offset] .n.ð
PPT		PowerPoint presentation subheader (MS Office)
00 FF FF FF FF FF FF FF FF FF FF 00 00 02 00 01		.ÿÿÿÿÿÿÿ ÿÿÿ.....
MDF		Alcohol 120% CD image
01 00 00 00		....
EMF		Extended (Enhanced) Windows Metafile Format, printer spool file (0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP)
01 00 00 00 01		.....
PIC		Unknown type picture file
01 00 09 00 00 03		......
WMF		Windows Metadata file (Win 3.x format)
01 00 39 30		..90
FDB, GDB		Firebird and Interbase database files, respectively. See IBPhoenix for more information.
01 0F 00 00		....
MDF		Microsoft SQL Server 2000 database
01 10		..
TR1		Novell LANalyzer capture file
01 DA 01 01 00 03		.Ú....
RGB		Silicon Graphics RGB Bitmap
01 FF 02 04 03 02		.ÿ....
DRW		Micrografx vector graphic file
02 64 73 73		.dss
DSS		Digital Speech Standard (Olympus, Grundig, & Phillips)
03		.
DAT		MapInfo Native Data Format
DB3		dBASE III file
03 00 00 00		....
QPH		Quicken price history file
03 00 00 00 41 50 50 52		....APPR
ADX		Approach index file
04		.
DB4		dBASE IV data file
04 00 00 00 xx xx xx xx xx xx xx xx 20 03 00 00 or		........ .... ...
05 00 00 00 xx xx xx xx xx xx xx xx 20 03 00 00		........ .... ...
n/a		INFO2 Windows recycle bin file. NOTE: Bytes 12-13 indicate the size of each INFO2 record; the most common value is 0x02-03 (0x0320 = 800 bytes).
07		.
DRW		A common signature and file extension for many drawing programs.
07 53 4B 46		.SKF
SKF		SkinCrafter skin file
07 64 74 32 64 64 74 64		.dt2ddtd
DTD		DesignTools 2D Design file
08		.
DB		dBASE IV or dBFast configuration file
[512 byte offset] 09 08 10 00 00 06 05 00		[512 byte offset] ........
XLS		Excel spreadsheet subheader (MS Office)
0A nn 01 01		....
PCX		ZSOFT Paintbrush file (where nn = 0x02, 0x03, or 0x05)
0C ED		.í
MP		Monochrome Picture TIFF bitmap file (unconfirmed)
0D 44 4F 43		.DOC
DOC		DeskMate Document file
0E 4E 65 72 6F 49 53 4F		.NeroISO
NRI		Nero CD Compilation
0E 57 4B 53		.WKS
WKS		DeskMate Worksheet
[512 byte offset] 0F 00 E8 03		[512 byte offset] ..è.
PPT		PowerPoint presentation subheader (MS Office)
11 00 00 00 53 43 43 41		....SCCA
PF		Windows prefetch file
1A 00 00		...
NTF		Lotus Notes database template
1A 00 00 04 00 00		......
NSF		Lotus Notes database
1A 0x		..
ARC		LH archive file, old version (where x = 0x2, 0x3, 0x4, 0x8 or 0x9 for types 1-5, respectively)
1A 0B		..
PAK		Compressed archive file (often associated with Quake Engine games)
1A 35 01 00		.5..
ETH		GN Nettest WinPharoah capture file
1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61		.Eߣ“B‚ˆ matroska
MKV		Matroska stream file
1A 52 54 53 20 43 4F 4D 50 52 45 53 53 45 44 20 49 4D 41 47 45 20 56 31 2E 30 1A		.RTS COM PRESSED  IMAGE V1 .0.
DAT		Runtime Software disk image
1D 7D		.}
WS		WordStar Version 5.0/6.0 document
1F 8B 08		.‹.
GZ, TGZ		GZIP archive file
1F 9D		..
TAR.Z		Compressed tape archive file using standard (Lempel-Ziv-Welch) compression
1F A0		.
TAR.Z		Compressed tape archive file using LZH (Lempel-Ziv-Huffman) compression
21		!
BSB		MapInfo Sea Chart
21 12		!.
AIN		AIN Compressed Archive
21 3C 61 72 63 68 3E 0A		!<arch>.
LIB		Unix archiver (ar) files and Microsoft Program Library Common Object File Format (COFF)
21 42 44 4E		!BDN
PST		Microsoft Outlook Personal Folder File
23 20		#
MSI		Cerius2 file
23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F		# Disk D escripto
VMDK		VMware 4 Virtual Disk description file (split disk)
23 20 4D 69 63 72 6F 73 6F 66 74 20 44 65 76 65 6C 6F 70 65 72 20 53 74 75 64 69 6F		# Micros oft Deve loper St udio
DSP		Microsoft Developer Studio project file
23 21 41 4D 52		#!AMR
AMR		Adaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction) Codec, commonly audio format with GSM cell phones. (See RFC 4867.)
23 3F 52 41 44 49 41 4E 43 45 0A		#?RADIAN CE.
HDR		Radiance High Dynamic Range image file
24 46 4C 32 40 28 23 29 20 53 50 53 53 20 44 41 54 41 20 46 49 4C 45		$FL2@(#)  SPSS DA TA FILE
SAV		SPSS Data file
25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30		%!PS-Ado be-3.0 E PSF-3.0
EPS		Adobe encapsulated PostScript file (If this signature is not at the immediate beginning of the file, it will occur early in the file, commonly at byte offset 30)
25 50 44 46		%PDF
PDF, FDF		Adobe Portable Document Format and Forms Document file Trailers: 0A 25 25 45 4F 46 (.%%EOF) 0A 25 25 45 4F 46 0A (.%%EOF.) 0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..) 0D 25 25 45 4F 46 0D (.%%EOF.) NOTE: There may be multiple end-of-file marks within the file. When carving, be sure to get the last one.
28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20		(This fi le must  be conve rted wit h BinHex
HQX		Macintosh BinHex 4 Compressed Archive
2A 2A 2A 20 20 49 6E 73 74 61 6C 6C 61 74 69 6F 6E 20 53 74 61 72 74 65 64 20		***  Ins tallatio n Starte d
LOG		Symantec Wise Installer log file
[2 byte offset] 2D 6C 68		[2 byte offset] -lh
LHA, LZH		Compressed archive file
2E 52 45 43		.REC
IVR		RealPlayer video file (V11 and later)
2E 52 4D 46		.RMF
RM, RMVB		RealMedia streaming media file
2E 52 4D 46 00 00 00 12 00		.RMF.... .
RA		RealAudio file
2E 72 61 FD 00		.raý.
RA		RealAudio streaming media file
2E 73 6E 64		.snd
AU		NeXT/Sun Microsystems µ-Law audio file
30		0
CAT		Microsoft security catalog file
30 00 00 00 4C 66 4C 65		0...LfLe
EVT		Windows Event Viewer file
30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C		0&²u.fÏ. ¦Ù.ª.bÎl
ASF, WMA, WMV		Microsoft Windows Media Audio/Video File (Advanced Streaming Format)
30 31 4F 52 44 4E 41 4E 43 45 20 53 55 52 56 45 59 20 20 20 20 20 20 20		01ORDNAN CE SURVE Y
NTF		National Transfer Format Map File
30 37 30 37 30 nn		07070.
n/a		Archive created with the cpio utility (where nn values 0x37 ("7"), 0x31 ("1"), and 0x32 ("2") refer to the standard ASCII format, new ASCII (aka SVR4) format, and CRC format, respectively. (The swpackage(8) page has additional information.) (Thanks to F. Webber for this....)
31 BE or		1¾
32 BE		2¾
WRI		Microsoft Write file
34 CD B2 A1		4Ͳ¡
n/a		Extended tcpdump (libpcap) capture file (Linux/Unix)
37 7A BC AF 27 1C		7z¼¯'.
7Z		7-Zip compressed file
37 E4 53 96 C9 DB D6 07		7äS–ÛÖ.
n/a		zisofs compression format, recognized by some Linux kernels. See the libburnia page for additional information.
38 42 50 53		8BPS
PSD		Photoshop image file
3A 56 45 52 53 49 4F 4E		:VERSION
SLE		Surfplan kite project file
3C		<
ASX		Advanced Stream redirector file
XDR		BizTalk XML-Data Reduced Schema file
3C 21 64 6F 63 74 79 70		<!doctyp
DCI		AOL HTML mail file
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D		<?xml ve rsion=
MANIFEST		Windows Visual Stylesheet XML file
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E		<?xml ve rsion="1 .0"?>
XUL		XML User Interface Language file
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E 0D 0A 3C 4D 4D 43 5F 43 6F 6E 73 6F 6C 65 46 69 6C 65 20 43 6F 6E 73 6F 6C 65 56 65 72 73 69 6F 6E 3D 22		<?xml ve rsion="1 .0"?>..< MMC_Cons oleFile  ConsoleV ersion="
MSC		Microsoft Management Console Snap-in Control file
3C 4D 61 6B 65 72 46 69 6C 65 20		<MakerFi le
FM, MIF		Adobe FrameMaker file
[24 byte offset] 3E 00 03 00 FE FF 09 00 06		[24 byte offset] >...þÿ.. .
WB3		Quatro Pro for Windows 7.0 Notebook file
3F 5F 03 00		?_..
GID		Windows Help index file
HLP		Windows Help file
[32 byte offset] 40 40 40 20 00 00 40 40 40 40		[32 byte offset] @@@ ..@@ @@
ENL		EndNote Library File
41 43 31 30		AC10
DWG		Generic AutoCAD drawing
NOTES on AutoCAD file headers: The 0x41-43-31-30 (AC10) is a generic header, occupying the first four bytes in the file. The next two bytes give further indication about the version or subtype: 0x30-32 (02) — AutoCAD R2.5 0x30-33 (03) — AutoCAD R2.6 0x30-34 (04) — AutoCAD R9 0x30-36 (06) — AutoCAD R10 0x30-39 (09) — AutoCAD R11/R12 0x31-30 (10) — AutoCAD R13 (subtype 10) 0x31-31 (11) — AutoCAD R13 (subtype 11) 0x31-32 (12) — AutoCAD R13 (subtype 12) 0x31-33 (13) — AutoCAD R14 (subtype 13) 0x31-34 (14) — AutoCAD R14 (subtype 14) 0x31-35 (15) — AutoCAD R2000 0x31-38 (18) — AutoCAD R2004 0x32-31 (21) — AutoCAD R2007
41 43 76		ACL
SLE		Steganos Security Suite virtual secure drive
41 43 53 44		ACSD
n/a		Miscellaneous AOL parameter and information files
41 45 53		AES
AES		AES Crypt file format. (The fourth byte is the version number.)
41 4D 59 4F		AMYO
SYW		Harvard Graphics symbol graphic
41 4F 4C 20 46 65 65 64 62 61 67		AOL Feed bag
BAG		AOL and AIM buddy list file
41 4F 4C 44 42		AOLDB
ABY, IDX		AOL database files: address book (ABY) and user configuration data (MAIN.IDX)
41 4F 4C 49 44 58		AOLIDX
IND		AOL client preferences/settings file (MAIN.IND)
41 4F 4C 49 4E 44 45 58		AOLINDEX
ABI		AOL address book index file
41 4F 4C 56 4D 31 30 30		AOLVM100
ORG, PFC		AOL personal file cabinet (PFC) file
41 56 47 36 5F 49 6E 74 65 67 72 69 74 79 5F 44 61 74 61 62 61 73 65		AVG6_Int egrity_D atabase
DAT		AVG6 Integrity database file
41 72 43 01		ArC.
ARC		FreeArc compressed file
42 41 41 44		BAAD
n/a		NTFS Master File Table (MFT) entry (1,024 bytes)
42 45 47 49 4E 3A 56 43 41 52 44 0D 0A		BEGIN:VC ARD..
VCF		vCard file
42 4C 49 32 32 33 51		BLI223Q
BIN		Thomson Speedtouch series WLAN router firmware
42 4D		BM
BMP, DIB		Windows (or device-independent) bitmap image NOTE: Bytes 2-5 contain the file length in little-endian order.
42 4F 4F 4B 4D 4F 42 49		BOOKMOBI
PRC		Palmpilot resource file
42 5A 68		BZh
BZ2, TAR.BZ2, TBZ2, TB2		bzip2 compressed archive
43 23 2B 44 A4 43 4D A5 48 64 72		C#+D¤CM¥ Hdr
RTD		RagTime document file
43 42 46 49 4C 45		CBFILE
CBD		WordPerfect dictionary file (unconfirmed)
43 44 30 30 31		CD001
ISO		ISO-9660 CD Disc Image This signature usually occurs at byte offset 32769 (0x8001), 34817 (0x8801), or 36865 (0x9001). More information can be found at MacTech or at ECMA.
43 4D 58 31		CMX1
CLB		Corel Binary metafile
43 4F 4D 2B		COM+
CLB		COM+ Catalog file
43 4F 57 44		COWD
VMDK		VMware 3 Virtual Disk (portion of a split disk) file
43 50 54 37 46 49 4C 45		CPT7FILE
CPT		Corel Photopaint file
43 50 54 46 49 4C 45		CPTFILE
CPT		Corel Photopaint file
43 52 45 47		CREG
DAT		Windows 9x registry hive
43 52 55 53 48 20 76		CRUSH v
CRU		Crush compressed archive
43 57 53		CWS
SWF		Shockwave Flash file (v5+)
43 61 74 61 6C 6F 67 20 33 2E 30 30 00		Catalog  3.00.
CTF		WhereIsIt Catalog file
43 6C 69 65 6E 74 20 55 72 6C 43 61 63 68 65 20 4D 4D 46 20 56 65 72 20		Client U rlCache  MMF Ver
DAT		IE History (index.dat) file
44 42 46 48		DBFH
DB		Palm Zire photo database
44 4D 53 21		DMS!
DMS		Amiga DiskMasher compressed archive
44 4F 53		DOS
ADF		Amiga disk file
44 56 44		DVD
DVR		DVR-Studio stream file
IFO		DVD info file
45 4C 49 54 45 20 43 6F 6D 6D 61 6E 64 65 72 20		ELITE Co mmander
CDR		Elite Plus Commander saved game file
45 4E 54 52 59 56 43 44 02 00 00 01 02 00 18 58		ENTRYVCD .......X
VCD		VideoVCD (GNU VCDImager) file
45 52 46 53 53 41 56 45 44 41 54 41 46 49 4C 45		ERFSSAVE DATAFILE
DAT		Kroll EasyRecovery Saved Recovery State file
45 50		EP
MDI		Microsoft Document Imaging file
45 56 46 09 0D 0A FF 00		EVF...ÿ.
Enn (where nn are numbers)		Expert Witness Compression Format (EWF) file, including EWF-E01 and EWF-S01, as used in EnCase and SMART evidence files. See the EWF specification.
45 56 46 32 0D 0A 81		EVF2...
Exnn (where nn are numbers)		EnCase® Evidence File Format Version 2 (Ex01). See the document.
45 6C 66 46 69 6C 65 00		ElfFile.
EVTX		Windows Vista event log file
45 86 00 00 06 00		E†....
QBB		Intuit QuickBooks backup file
46 41 58 43 4F 56 45 52 2D 56 45 52		FAXCOVER -VER
CPE		Microsoft Fax Cover Sheet
46 44 42 48 00		FDBH.
FDB		Fiasco database definition file
46 45 44 46		FEDF
SBV		(Unknown file type)
46 49 4C 45		FILE
n/a		NTFS Master File Table (MFT) entry (1,024 bytes)
46 4C 56 01		FLV.
FLV		Flash video file
46 4F 52 4D 00		FORM.
AIFF		Audio Interchange File
46 57 53		FWS
SWF		Macromedia Shockwave Flash player file
46 72 6F 6D 20 20 20 or		From
46 72 6F 6D 20 3F 3F 3F or		From ???
46 72 6F 6D 3A 20		From:
EML		A commmon file extension for e-mail files. Signatures shown here are for Netscape, Eudora, and a generic signature, respectively. EML is also used by Outlook Express and QuickMail.
47 46 31 50 41 54 43 48		GF1PATCH
PAT		Advanced Gravis Ultrasound patch file
47 49 46 38 37 61 or		GIF87a
47 49 46 38 39 61		GIF89a
GIF		Graphics interchange format file Trailer: 00 3B (.;)
47 50 41 54		GPAT
PAT		GIMP (GNU Image Manipulation Program) pattern file
47 58 32		GX2
GX2		Show Partner graphics file (not confirmed)
47 65 6E 65 74 65 63 20 4F 6D 6E 69 63 61 73 74		Genetec  Omnicast
G64		Genetec video archive
48 48 47 42 31		HHGB1
SH3		Harvard Graphics presentation file
49 20 49		I I
TIF, TIFF		Tagged Image File Format file
49 44 33		ID3
MP3		MPEG-1 Audio Layer 3 (MP3) audio file
49 44 33 03 00 00 00		ID3....
KOZ		Sprint Music Store audio file (for mobile devices)
49 49 1A 00 00 00 48 45 41 50 43 43 44 52 02 00		II....HE APCCDR..
CRW		Canon digital camera RAW file
49 49 2A 00		II*.
TIF, TIFF		Tagged Image File Format file (little endian, i.e., LSB first in the byte; Intel)
49 49 2A 00 10 00 00 00 43 52		II*..... CR
CR2		Canon digital camera RAW file
49 53 63 28		ISc(
CAB, HDR		Install Shield v5.x or 6.x compressed file
49 54 4F 4C 49 54 4C 53		ITOLITLS
LIT		Microsoft Reader eBook file
49 54 53 46		ITSF
CHI, CHM		Microsoft Compiled HTML Help File
49 6E 6E 6F 20 53 65 74 75 70 20 55 6E 69 6E 73 74 61 6C 6C 20 4C 6F 67 20 28 62 29		Inno Set up Unins tall Log  (b)
DAT		Inno Setup Uninstall Log file
49 6E 74 65 72 40 63 74 69 76 65 20 50 61 67 65		Inter@ct ive Page
IPD		Inter@ctive Pager Backup (BlackBerry) backup file (See also IPD File Format page or IPD File for BlackBerry)
4A 41 52 43 53 00		JARCS.
JAR		JARCS compressed archive
4A 47 03 0E or		JG..
4A 47 04 0E		JG..
ART		AOL ART file Trailers: For 0x4A-47-03-0E: D0 CB 00 00 (ÐË..) For 0x4A-47-04-0E: CF C7 CB (ÏÇË)
4B 44 4D		KDM
VMDK		VMware 4 Virtual Disk (portion of a split disk) file
4B 44 4D 56		KDMV
VMDK		VMware 4 Virtual Disk (monolitic disk) file
4B 47 42 5F 61 72 63 68 20 2D		KGB_arch  -
KGB		KGB archive
4B 49 00 00		KI..
SHD		Windows 9x printer spool file
4B 57 41 4A 88 F0 27 D1		KWAJˆð'Ñ
n/a		KWAJ file format used by DOS COMPRESS.EXE and EXPAND.EXE commands. This command compresses a single file, replacing the last character in the file name with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or FOO.BA$. (See the SZDD/KWAJ page for more information.)
4C 00 00 00 01 14 02 00		L.......
LNK		Windows shortcut file. See also The Meaning of Linkfiles in Forensic Examinations.
4C 01		L.
OBJ		Microsoft Common Object File Format (COFF) relocatable object code file for an Intel 386 or later/compatible processors
4C 4E 02 00		LN..
GID		Windows Help index file
HLP		Windows Help file.
4C 56 46 09 0D 0A FF 00		LVF...ÿ.
Enn (where nn are numbers)		Logical File Evidence Format (EWF-L01) as used in later versions of EnCase evidence files. See the EWF specification.
4D 2D 57 20 50 6F 63 6B 65 74 20 44 69 63 74 69		M-W Pock et Dicti
PDB		Merriam-Webster Pocket Dictionary file
4D 41 52 31 00		MAR1.
MAR		Mozilla archive
4D 41 52 43		MARC
MAR		Microsoft/MSN MARC archive
4D 41 72 30 00		MAr0.
MAR		MAr compressed archive
4D 44 4D 50 93 A7		MDMPҤ
HDMP		Windows heap dump file
DMP		Windows minidump file
4D 49 4C 45 53		MILES
MLS		Milestones v1.0 project management and scheduling software (Also see "MV2C" and "MV214" signatures)
4D 4C 53 57		MLSW
MLS		Skype localization data file
4D 4D 00 2A		MM.*
TIF, TIFF		Tagged Image File Format file (big endian, i.e., LSB last in the byte; Motorola)
4D 4D 00 2B		MM.+
TIF, TIFF		BigTIFF files; Tagged Image File Format files >4 GB
4D 4D 4D 44 00 00		MMMD..
MMF		Yamaha Corp. Synthetic music Mobile Application Format (SMAF) for multimedia files that can be played on hand-held devices.
4D 52 56 4E		MRVN
NVRAM		VMware BIOS (non-volatile RAM) state file.
4D 53 43 46		MSCF
CAB		Microsoft cabinet file
PPZ		Powerpoint Packaged Presentation
SNP		Microsoft Access Snapshot Viewer file
4D 53 46 54 02 00 01 00		MSFT....
TLB		OLE, SPSS, or Visual C++ type library file
4D 53 5F 56 4F 49 43 45		MS_VOICE
CDR, DVF		Sony Compressed Voice File
MSV		Sony Memory Stick Compressed Voice file
4D 54 68 64		MThd
MID, MIDI		Musical Instrument Digital Interface (MIDI) sound file
4D 56		MV
DSN		CD Stomper Pro label file
4D 56 32 31 34		MV214
MLS		Milestones v2.1b project management and scheduling software (Also see "MILES" and "MV2C" signatures)
4D 56 32 43		MV2C
MLS		Milestones v2.1a project management and scheduling software (Also see "MILES" and "MV214" signatures)
4D 5A		MZ
COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS		Windows/DOS executable file (See The MZ EXE File Format page for the structure of an EXE file, with coverage of NE, TLINK, PE, self-extracting archives, and more.)
ACM		MS audio compression manager driver
AX		Library cache file
CPL		Control panel application
FON		Font file
OCX		ActiveX or OLE Custom Control
OLB		OLE object library
SCR		Screen saver
VBX		VisualBASIC application
VXD, 386		Windows virtual device drivers
4D 5A 90 00 03 00 00 00		MZ......
API		Acrobat plug-in
AX		DirectShow filter
FLT		Audition graphic filter file (Adobe)
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF		MZ...... ....ÿÿ
ZAP		ZoneAlam data file
4D 69 63 72 6F 73 6F 66 74 20 43 2F 43 2B 2B 20		Microsof t C/C++
PDB		Microsoft C++ debugging symbols file
4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65		Microsof t Visual  Studio  Solution  File
SLN		Visual Studio .NET Solution file
[84 byte offset] 4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 4D 65 64 69 61 20 50 6C 61 79 65 72 20 2D 2D 20		[84 byte offset] Microsof t Window s Media  Player - -
WPL		Windows Media Player playlist
4D 73 52 63 66		MsRcf
GDB		VMapSource GPS Waypoint Database
4E 41 56 54 52 41 46 46 49 43		NAVTRAFF IC
DAT		TomTom traffic data file
4E 42 2A 00		NB*.
JNT, JTP		MS Windows journal file
4E 45 53 4D 1A 01		NESM..
NSF		NES Sound file
4E 49 54 46 30		NITF0
NTF		National Imagery Transmission Format (NITF) file
4E 61 6D 65 3A 20		Name:
COD		Agent newsreader character map file
4F 50 4C 44 61 74 61 62 61 73 65 46 69 6C 65		OPLDatab aseFile
DBF		Psion Series 3 Database file
4F 67 67 53 00 02 00 00 00 00 00 00 00 00		OggS.... ......
OGA, OGG, OGV, OGX		Ogg Vorbis Codec compressed Multimedia file
4F 7B		O{
DW4		Visio/DisplayWrite 4 text file (unconfirmed)
50 00 00 00 20 00 00 00		P... ...
IDX		Quicken QuickFinder Information File
50 35 0A		P5.
PGM		Portable Graymap Graphic
50 41 43 4B		PACK
PAK		Quake archive file
50 41 47 45 44 55 36 34		PAGEDU64
DMP		Windows 64-bit memory dump
50 41 47 45 44 55 4D 50		PAGEDUMP
DMP		Windows memory dump
50 41 58		PAX
PAX		PAX password protected bitmap
50 45 53 54		PEST
DAT		PestPatrol data/scan strings
50 47 50 64 4D 41 49 4E		PGPdMAIN
PGD		PGP disk image
50 49 43 54 00 08		PICT..
IMG		ADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file
50 4B 03 04		PK..
ZIP		PKZIP archive file (Ref. 1 | Ref. 2) Trailer: filename 50 4B 17 characters 00 00 00 Trailer: (filename PK 17 characters ...)
ZIP		Apple Mac OS X Dashboard Widget, Aston Shell theme, Oolite eXpansion Pack, Opera Widget, Pivot Style Template, Rockbox Theme package, Simple Machines Forums theme, SubEthaEdit Mode, Trillian zipped skin, Virtual Skipper skin
JAR		Java archive; compressed file package for classes and data
KWD		KWord document
ODT, ODP, OTT		OpenDocument text document, presentation, and text document template, respectively.
SXC, SXD, SXI, SXW		OpenOffice spreadsheet (Calc), drawing (Draw), presentation (Impress), and word processing (Writer) files, respectively.
SXC		StarOffice spreadsheet
WMZ		Windows Media compressed skin file
XPI		Mozilla Browser Archive
XPS		XML paper specification file
XPT		eXact Packager Models
50 4B 03 04 14 00 01 00 63 00 00 00 00 00		PK...... c.....
ZIP		ZLock Pro encrypted ZIP
50 4B 03 04 14 00 06 00		PK......
DOCX, PPTX, XLSX		Microsoft Office Open XML Format (OOXML) Document NOTE: There is no subheader for MS OOXML files as there is with DOC, PPT, and XLS files. To better understand the format of these files, rename any OOXML file to have a .ZIP extension and then unZIP the file; look at the resultant file named [Content_Types].xml to see the content types. In particular, look for the <Override PartName= tag, where you will find word, ppt, or xl, respectively. Trailer: Look for 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
50 4B 03 04 14 00 08 00 08 00		PK...... ..
JAR		Java archive
50 4B 05 06		PK..
50 4B 07 08		PK..
ZIP		PKZIP empty and multivolume archive file, respectively
[30 byte offset] 50 4B 4C 49 54 45		[30 byte offset] PKLITE
ZIP		PKLITE compressed ZIP archive (see also PKZIP)
[526 byte offset] 50 4B 53 70 58		[526 byte offset] PKSFX
ZIP		PKSFX self-extracting executable compressed file (see also PKZIP)
50 4D 43 43		PMCC
GRP		Windows Program Manager group file
50 4E 43 49 55 4E 44 4F		PNCIUNDO
DAT		Norton Disk Doctor undo file
[92 byte offset] 51 45 4C 20		[92 byte offset] QEL
QEL		Quicken data file
51 46 49 FB		QFIû
IMG		QEMU Qcow Disk Image
51 57 20 56 65 72 2E 20		QW Ver.
ABD, QSD		Quicken data file
52 41 5A 41 54 44 42 31		RAZATDB1
DAT		Shareaza (Windows P2P client) thumbnail
52 45 47 45 44 49 54		REGEDIT
REG, SUD		Windows NT Registry and Registry Undo files
52 45 56 4E 55 4D 3A 2C		REVNUM:,
ADF		Antenna data file
52 49 46 46		RIFF
ANI		Windows animated cursor
CMX		Corel Presentation Exchange (Corel 10 CMX) Metafile
CDR		CorelDraw document
DAT		Video CD MPEG or MPEG1 movie file
DS4		Micrografx Designer v4 graphic file
4XM		4X Movie video
52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54		RIFF.... AVI LIST
AVI		Resource Interchange File Format -- Windows Audio Video Interleave file
52 49 46 46 xx xx xx xx 43 44 44 41 66 6D 74 20		RIFF.... CDDAfmt
CDA		Resource Interchange File Format -- Compact Disc Digital Audio (CD-DA) file
52 49 46 46 xx xx xx xx 51 4C 43 4D 66 6D 74 20		RIFF.... QLCMfmt
QCP		Resource Interchange File Format -- Qualcomm PureVoice
52 49 46 46 xx xx xx xx 52 4D 49 44 64 61 74 61		RIFF.... RMIDdata
RMI		Resource Interchange File Format -- Windows Musical Instrument Digital Interface file
52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20		RIFF.... WAVEfmt
WAV		Resource Interchange File Format -- Audio for Windows file
52 54 53 53		RTSS
CAP		Windows NT Netmon capture file
52 61 72 21 1A 07 00		Rar!...
RAR		WinRAR compressed archive file
52 65 74 75 72 6E 2D 50 61 74 68 3A 20		Return-P ath:
EML		A commmon file extension for e-mail files.
53 43 48 6C		SCHl
AST		Need for Speed: Underground Audio file
53 43 4D 49		SCMI
IMG		Img Software Set Bitmap
53 48 4F 57		SHOW
SHW		Harvard Graphics DOS Ver. 2/x Presentation file
53 49 45 54 52 4F 4E 49 43 53 20 58 52 44 20 53 43 41 4E		SIETRONI CS XRD S CAN
CPI		Sietronics CPI XRD document
53 49 54 21 00		SIT!.
SIT		StuffIt compressed archive
53 4D 41 52 54 44 52 57		SMARTDRW
SDR		SmartDraw Drawing file
53 50 46 49 00		SPFI.
SPF		StorageCraft ShadownProtect backup file
53 51 4C 4F 43 4F 4E 56 48 44 00 00 31 2E 30 00		SQLOCONV HD..1.0.
CNV		DB2 conversion file
53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00		SQLite f ormat 3.
DB		SQLite database file
53 5A 20 88 F0 27 33 D1		SZ ˆð'3Ñ
n/a		QBASIC SZDD file header variant. (See the SZDD or KWAJ format entries for additional information.)
53 5A 44 44 88 F0 27 33		SZDDˆð'3
n/a		SZDD file format used by DOS COMPRESS.EXE and EXPAND.EXE commands. This command compresses a single file, replacing the last character in the file name with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or FOO.BA$. (See the SZDD/KWAJ page for more information.)
53 6D 62 6C		Smbl
SYM		(Unconfirmed file type. Likely type is Harvard Graphics Version 2.x graphic symbol or Windows SDK graphic symbol)
53 74 75 66 66 49 74 20 28 63 29 31 39 39 37 2D		StuffIt  (c)1997-
SIT		StuffIt compressed archive
53 75 70 65 72 43 61 6C 63		SuperCal c
CAL		SuperCalc worksheet
54 68 69 73 20 69 73 20		This is
INFO		UNIX GNU Info Reader File
55 43 45 58		UCEX
UCE		Unicode extensions
55 46 41 C6 D2 C1		UFAÆÒÁ
UFA		UFA compressed archive
55 46 4F 4F 72 62 69 74		UFOOrbit
DAT		UFO Capture v2 map file
56 43 50 43 48 30		VCPCH0
PCH		Visual C PreCompiled header file
56 45 52 53 49 4F 4E 20		VERSION
CTL		Visual Basic User-defined Control file
56 65 72 73 69 6F 6E 20		Version
MIF		MapInfo Interchange Format file
57 4D 4D 50		WMMP
DAT		Walkman MP3 container file
57 53 32 30 30 30		WS2000
WS2		WordStar for Windows Ver. 2 document
[29,152 byte offset] 57 69 6E 5A 69 70		[29,152 byte offset] WinZip
ZIP		WinZip compressed archive
57 6F 72 64 50 72 6F		WordPro
LWP		Lotus WordPro document.
58 2D		X-
EML		A commmon file extension for e-mail files. This variant is for Exchange.
58 43 50 00		XCP.
CAP		Cinco NetXRay, Network General Sniffer, and Network Associates Sniffer capture file
58 50 43 4F 4D 0A 54 79 70 65 4C 69 62		XPCOM.Ty peLib
XPT		XPCOM type libraries for the XPIDL compiler
58 54		XT..
BDR		MS Publisher border
5A 4F 4F 20		ZOO
ZOO		ZOO compressed archive
5B 47 65 6E 65 72 61 6C 5D 0D 0A 44 69 73 70 6C 61 79 20 4E 61 6D 65 3D 3C 44 69 73 70 6C 61 79 4E 61 6D 65		[General ]..Displ ay Name= <Display Name
ECF		MS Exchange 2007 extended configuration file
5B 4D 53 56 43		[MSVC
VCW		Microsoft Visual C++ Workbench Information File
5B 50 68 6F 6E 65 5D		[Phone]
DUN		Dial-up networking file
5B 56 45 52 5D or		[VER]
5B 76 65 72 5D or		[ver]
SAM		Lotus AMI Pro document
[2 byte offset] 5B 56 65 72 73 69 6F 6E		[2 byte offset] [Version
CIF		(Unknown file type)
5B 57 69 6E 64 6F 77 73 20 4C 61 74 69 6E 20		[Windows  Latin
CPX		Microsoft Code Page Translation file
5B 66 6C 74 73 69 6D 2E 30 5D		[fltsim. 0]
CFG		Flight Simulator Aircraft Configuration file
5F 27 A8 89		_'¨‰
JAR		Jar archive
5F 43 41 53 45 5F		_CASE_
CAS, CBK		EnCase case file (and backup)
60 EA		`ê
ARJ		Compressed archive file
62 65 67 69 6E		begin
n/a		UUencoded files start with a string:   begin mode path where mode is the set of permissions as used in Linux/Unix and path is the name given to the decoded file. (See this uuencode page for more information.)
62 70 6C 69 73 74		bplist
plist		Binary property list (plist) (NOTE: Next two bytes are the version number, currently 0x30-30, or "00")
63 6F 6E 65 63 74 69 78		conectix
VHD		Virtual PC Virtual HD image
63 75 73 68 00 00 00 02 00 00 00		cush.... ...
CSH		Photoshop Custom Shape
64 00 00 00		d...
P10		Intel PROset/Wireless Profile
64 65 78 0A 30 30 39 00		dex.009.
dex		Dalvik executable file (Android)
64 73 77 66 69 6C 65		dswfile
DSW		Microsoft Visual Studio workspace file
64 6E 73 2E		dns.
AU		Audacity audio file
66 49 00 00		fI.. -
SHD		Windows NT printer spool file
66 4C 61 43 00 00 00 22		fLaC..."
FLAC		Free Lossless Audio Codec file
67 49 00 00		gI.. -
SHD		Windows 2000/XP printer spool file
68 49 00 00		hI.. -
SHD		Windows Server 2003 printer spool file
6C 33 33 6C		l33l
DBB		Skype user data file (profile and contacts)
[4 byte offset] 6D 6F 6F 76		[4 byte offset] moov
MOV		QuickTime movie file
.MOV files have a complicated file signature. The string "moov" is the most common but I have also seen:   0x66-72-65-65   free   0x6D-64-61-74   mdat   0x77-69-64-65   wide And the following have been reported to me:   0x70-6E-6F-74   pnot   0x73-6B-69-70   skip Furthermore, if you look at byte position xxxxxxxx+4 (where xxxxxxxx is bytes 0-3 of the header), you will find one (or more!) of these strings repeated; the string "free" seems to be the most common. For more information, see the QuickTime File Format page. (Thanks to D. Wright for getting me started on this!)
6F 3C		o<
n/a		Short Message Service (SMS), or text, message stored on a Subscriber Identification Module (SIM).
72 65 67 66		regf
DAT		Windows NT registry hive file
72 69 66 66		riff
ACD		Sonic Foundry Acid Music File (Sony)
72 74 73 70 3A 2F 2F		rtsp://
RAM		RealMedia metafile
73 6C 68 21 or		slh!
73 6C 68 2E		slh.
DAT		Allegro Generic Packfile Data file (0x21 = compressed, 0x2E = uncompressed)
73 6D 5F		sm_
PDB		PalmOS SuperMemo file
73 72 63 64 6F 63 69 64 3A		srcdocid :
CAL		CALS raster bitmap file
73 7A 65 7A		szez
PDB		PowerBASIC Debugger Symbols file
[60 byte offset] 74 42 4D 50 4B 6E 57 72		[60 byte offset] tBMPKnWr
PRC		PathWay Map file, used with GPS devices
[257 byte offset] 75 73 74 61 72		[257 byte offset] ustar
TAR		Tape Archive file (http://www.mkssoftware.com/docs/man4/tar.4.asp)
76 32 30 30 33 2E 31 30 0D 0A 30 0D 0A		v2003.10 ..0..
FLT		Qimage filter
78		x
DMG		Mac OS X Disk Copy Disk Image file
7A 62 65 78		zbex
INFO		ZoomBrowser Image Index file (ZbThumbnal.info)
7B 0D 0A 6F 20		{..o
LGC, LGD		Windows application log
7B 5C 70 77 69		{\pwi
PWI		Microsoft Windows Mobile personal note file
7B 5C 72 74 66 31		{\rtf1
RTF		Rich text format word processing file Trailer: 5C 70 61 72 20 7D 7D (\par }})
7E 42 4B 00		~BK.
PSP		Corel Paint Shop Pro image file
7F 45 4C 46		.ELF
n/a		Executable and Linking Format executable file (Linux/Unix)
80		.
OBJ		Relocatable object code
80 00 00 20 03 12 04		.......
ADX		Dreamcast audio file
81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76		.2„Á….Ð. ²..ª.<öv
WAB		Outlook Express address book (Win95)
81 CD AB		.Í«
WPF		WordPerfect text file
89 50 4E 47 0D 0A 1A 0A		‰PNG....
PNG		Portable Network Graphics file Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚...)
8A 01 09 00 00 00 E1 08 00 00 99 19		Š.....á. ..™.
AW		MS Answer Wizard file
91 33 48 46		‘3HF
HAP		Hamarsoft HAP 3.x compressed archive
95 00 or		•.
95 01		•.
SKR		PGP secret keyring file
99		™
GPG		GNU Privacy Guard (GPG) public keyring
99 01		™.
PKR		PGP public keyring file
9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4		œËË..UÒ. ‘X.ÀOyV¤
WAB		Outlook address file
[512 byte offset] A0 46 1D F0		[512 byte offset]  F.ð
PPT		PowerPoint presentation subheader (MS Office)
A1 B2 C3 D4		¡²ÃÔ
n/a		tcpdump (libpcap) capture file (Linux/Unix)
A1 B2 CD 34		¡²Í4
n/a		Extended tcpdump (libpcap) capture file (Linux/Unix)
A9 0D 00 00 00 00 00 00		©.......
DAT		Access Data FTK evidence file
AC 9E BD 8F 00 00		¬.½...
QDF		Quicken data file
AC ED		’
n/a		Java serialization data (see Object Serialization Stream Protocol)
AC ED 00 05 73 72 00 12 62 67 62 6C 69 74 7A 2E		’..sr.. bgblitz.
PDB		BGBlitz (professional Backgammon software) position database file
B0 4D 46 43		°MFC
PWL		Windows 95 password file
B1 68 DE 3A		±hÞ:
DCX		Graphics Multipage PCX bitmap file
B4 6E 68 44		´nhd
TIB		Acronis True Image file
B5 A2 B0 B3 B3 B0 A5 B5		µ¢°³³°¥µ
CAL		Windows calendar file
BE 00 00 00 AB 00 00 00 00 00 00 00 00		¾...«... ....
WRI		MS Write file
C3 AB CD AB		ëͫ
ACS		MS Agent Character file
C5 D0 D3 C6		ÅÐÓÆ
EPS		Adobe encapsulated PostScript file
C8 00 79 00		È.y.
LBK		Jeppesen FliteLog file
CA FE BA BE		Êþº¾
CLASS		Java bytecode file
CD 20 AA AA 02 00 00 00		Í ªª....
n/a		Norton Anti-Virus quarantined virus file
CF 11 E0 A1 B1 1A E1 00		Ï.ࡱ.á.
DOC		Perfect Office document [Note similarity to MS Office header, below]
CF AD 12 FE		Ï­.þ
DBX		Outlook Express e-mail folder
D0 CF 11 E0 A1 B1 1A E1		ÐÏ.ࡱ.á
DOC, DOT, PPS, PPT, XLA, XLS, WIZ		Microsoft Office applications (Word, Powerpoint, Excel, Wizard) [See also Word, Powerpoint, and Excel "subheaders" at byte offset 512] [Note the similarity between D0 CF 11 E0 and the word "docfile"!]
AC_		CaseWare Working Papers compressed client file
ADP		Access project file
APR		Lotus/IBM Approach 97 file
DB		MSWorks database file
MSC		Microsoft Common Console Document
MSI		Microsoft Installer package
MTW		Minitab data file
OPT		Developer Studio File Workspace Options file
PUB		MS Publisher file
RVT		Revit Project file
SOU		Visual Studio Solution User Options file
SPO		SPSS output file
VSD		Visio file
WPS		MSWorks text document
D2 0A 00 00		Ò...
FTR		GN Nettest WinPharoah filter file
D4 2A		Ô*
ARL, AUT		AOL history (ARL) and typed URL (AUT) files
D4 C3 B2 A1		Ôò¡
n/a		WinDump (winpcap) capture file (Windows)
D7 CD C6 9A		×ÍÆš
WMF		Windows graphics metafile
DB A5 2D 00		Û¥-.
DOC		Word 2.0 file
DC DC		ÜÜ
CPL		Corel color palette file
DC FE		Üþ
EFX		eFax file format
E3 10 00 01 00 00 00 00		ã.......
INFO		Amiga Icon file
E3 82 85 96		ã‚…–
PWL		Windows 98 password file
E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3		äR\{ŒØ§M ®±SxÐ)–Ó
ONE		Microsoft OneNote note
E8 or		è
E9 or		é
EB		ë
COM, SYS		Windows executable file
EB 3C 90 2A		ë<.*
IMG		GEM Raster file
[512 byte offset] EC A5 C1 00		[512 byte offset] ì¥Á.
DOC		Word document subheader (MS Office)
ED AB EE DB		í«îÛ
RPM		RedHat Package Manager file
EF BB BF		
n/a		Byte-order mark for 8-bit Unicode Transformation Format (UTF-8) files. (See the Unicode Home Page.)
[At a cluster boundary] F0 FF FF		[At a cluster boundary] ðÿÿ
n/a		FAT12 File Allocation Table
[At a cluster boundary] F8 FF FF FF		[At a cluster boundary] øÿÿÿ
n/a		FAT16 File Allocation Table
[At a cluster boundary] F8 FF FF 0F FF FF FF FF		[At a cluster boundary] øÿÿ.ÿÿÿÿ
n/a		FAT32 File Allocation Table
[512 byte offset] FD FF FF FF 04		[512 byte offset] ýÿÿÿ.
SUO		Visual Studio Solution User Options subheader (MS Office)
[512 byte offset] FD FF FF FF nn 00 00 00		[512 byte offset] ýÿÿÿ....
PPT		PowerPoint presentation subheader (MS Office) (where nn has been seen with values 0x0E, 0x1C, and 0x43)
[512 byte offset] FD FF FF FF nn 00		[512 byte offset] ýÿÿÿ..
or
[512 byte offset] FD FF FF FF nn 02		[512 byte offset] ýÿÿÿ..
XLS		Excel spreadsheet subheader (MS Office) (where nn = 0x10, 0x1F, 0x22, 0x23, 0x28, or 0x29)
[512 byte offset] FD FF FF FF 20 00 00 00		[512 byte offset] ýÿÿÿ ...
OPT		Developer Studio File Workspace Options subheader (MS Office)
XLS		Excel spreadsheet subheader (MS Office)
[512 byte offset] FD FF FF FF xx xx xx xx xx xx xx xx 04 00 00 00		[512 byte offset] ýÿÿÿ.... ........
DB		Thumbs.db subheader (MS Office)
FE EF		þï
GHO, GHS		Symantex Ghost image file
FE FF		þÿ
n/a		Byte-order mark for 16-bit Unicode Transformation Format/ 2-octet Universal Character Set (UTF-16/UCS-2), little-endian files. (See the Unicode Home Page.)
FF		ÿ
SYS		Windows executable (SYS) file
FF 00 02 00 04 04 05 54 02 00		ÿ......T ..
WKS		Works for Windows spreadsheet file
FF 46 4F 4E 54		ÿFONT
CPI		Windows international code page
FF 4B 45 59 42 20 20 20		ÿKEYB
SYS		Keyboard driver file
FF 57 50 43		ÿWPC
WP, WPD, WPG, WPP, WP5, WP6		WordPerfect text and graphics file
FF D8 FF E0 xx xx 4A 46 49 46 00		ÿØÿà..JF IF.
JFIF, JPE, JPEG, JPG		JPEG/JFIF graphics file Trailer: FF D9 (ÿÙ)
FF D8 FF E1 xx xx 45 78 69 66 00		ÿØÿá..Ex if.
JPG		Digital camera JPG using Exchangeable Image File Format (EXIF) Trailer: FF D9 (ÿÙ) See "Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis" (P. Alvarez, IJDE, 2(3), Winter 2004) and ExifTool Tag Names
FF D8 FF E8 xx xx 53 50 49 46 46 00		ÿØÿè..SP IFF.
JPG		Still Picture Interchange File Format (SPIFF) Trailer: FF D9 (ÿÙ)
NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three hex digits 0xFF-D8-FF. The fourth digit is also indicative of JPEG content. Various options include: 0xFF-D8-FF-DB — Samsung D807 JPEG file. 0xFF-D8-FF-E0 — Shown above. Standard JPEG/JFIF file. 0xFF-D8-FF-E1 — Shown above. Standard JPEG/Exif file. 0xFF-D8-FF-E2 — Canon EOS-1D JPEG file. 0xFF-D8-FF-E3 — Samsung D500 JPEG file. 0xFF-D8-FF-E8 — Shown above. Still Picture Interchange File Format (SPIFF).
FF Ex		ÿ.
FF Fx		ÿ.
MPEG, MPG, MP3		MPEG audio file frame synch pattern
FF FE		ÿþ
REG		Windows Registry file
n/a		Byte-order mark for 16-bit Unicode Transformation Format/ 2-octet Universal Character Set (UTF-16/UCS-2), big-endian files. (See the Unicode Home Page.)
FF FE 00 00		ÿþ..
n/a		Byte-order mark for 32-bit Unicode Transformation Format/ 4-octet Universal Character Set (UTF-32/UCS-4), little-endian files. (See the Unicode Home Page.)
FF FE 23 00 6C 00 69 00 6E 00 65 00 20 00 31 00		ÿþ#.l.i. n.e. .1.
MOF		Windows MSinfo file
FF FF FF FF		ÿÿÿÿ
SYS		DOS system driver

---

ACKNOWLEDGEMENTS

The following individuals have given me updates or suggestions for this list over the years: Devon Ackerman, Nazim Aliyev, Vladimir Benko, Arvin Bhatnagar, Sam Brothers, Per Christensson, Cornelis de Groot, Jeffrey Duggan, Peter Almer Frederiksen, George Harpur, Brian High, Eric Huber, Broadus Jones, Axel Kesseler, Nick Khor, Bill Kuhns, Anand Mani, Kevin Mansell, Davyd McColl, Michal, Bruce Modick, Lee Nelson, Dan P., Jorge Paulhiac, Carlo Politi, Stanley Rainey, Cory Redfern, Bruce Robertson, Thomas Rösner, Mike Sutton, Matthias Sweertvaegher, Jason Wallace, Erik van de Burgwal, Franklin Webber, Gavin Williams, Mike Wilkinson, and David Wright. I thank them and apologize if I have missed anyone.

I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite (primarily for the "subheaders" for many of the file types here), and the people at X-Ways Forensics for their permission to incorporate their lists of file signatures.