Magic numbers are the first bytes of a file that uniquely identify the file type. This simplifies programming because there is no need to search through complex file structures to determine the file type.
For example, a JPEG file begins with ffd8 ffe0 0010 4a46 4946 0001 0101 0047 …… Jfif….. G — ffd8 indicates it is a JPEG file and ffe0 identifies a JFIF-type structure. There is an ASCII encoding of JFIF that comes after a length code, but that is not necessary to identify the file. The first 4 bytes do so uniquely.
This provides a running list of file magic numbers you can use in a forensic investigation.
Image Files
| File Type | Typical Ext. | Hex Digits | ASCII Digits |
|---|---|---|---|
| Bitmap Format | .bmp | 42 4d |
Bm |
| FITS Format | .fits | 53 49 4d 50 4c 45 |
SIMPLE |
| GIF Format | .gif | 47 49 46 38 |
GIF8 |
| Graphics Kernel System | .gks | 47 4b 53 4d |
GKSM |
| Iris RGB Format | .rgb | 01 da |
|
| ITC (CMU WM) Format | .itc | f1 00 40 bb |
|
| JPEG File Interchange Format | .jpg | ff d8 ff e0 |
|
| NIFF (Navy TIFF) | .nif | 49 49 4e 31 |
IIN1 |
| PM Format | .pm | 56 49 45 57 |
VIEW |
| PNG Format | .png | 89 50 4e 47 |
.PNG |
| PostScript Format | .eps | 25 21 |
%! |
| Sun Raster Map | .ras | 59 a6 6a 95 |
|
| Targa Format | .tga | xx xx xx xx |
|
| TIFF Format (Motorola – big endian) | .tif | 4d 4d 00 2a |
MM.* |
| TIFF Format (Intel – little endian) | .tif | 49 49 2a 00 |
II*. |
| X11 Bitmap Format | .xbm | xx xx xx |
|
| Gimp XCF Structure | .xcf | 67 69 6d 70 20 78 63 66 20 76 |
gimp xcf |
| Xfig Format | .fig | 23 46 49 47 |
#FIG |
| XPM Format | .xpm | 2f 2a 20 58 50 4d 20 2a 2f |
/* XPM */ |
Document Files
| File Type | Typical Ext. | Hex Digits | ASCII Digits |
|---|---|---|---|
| PDF Document | 25 50 44 46 |
%PDF |
|
| Word Document | .doc | D0 CF 11 E0 A1 B1 1A E1 |
|
| RTF Document | .rtf | 7B 5C 72 74 66 31 |
|
| Excel Document | .xls | D0 CF 11 E0 A1 B1 1A E1 |
|
| PowerPoint Document | .ppt | D0 CF 11 E0 A1 B1 1A E1 |
|
| Visio Document | .vsd | D0 CF 11 E0 A1 B1 1A E1 |
|
| DOCX (Office 2010) | .docx | 50 4B 03 04 |
PK |
| XLSX (Office 2010) | .xlsx | 50 4B 03 04 |
PK |
| PPTX (Office 2010) | .pptx | 50 4B 03 04 |
PK |
Compressed Files
| File Type | Typical Ext. | Hex Digits | ASCII Digits |
|---|---|---|---|
| Bzip | .bz | 42 5a |
Bz |
| Compress | .Z | 1f 9d |
|
| gzip Format | .gz | 1f 8b |
|
| pkzip Format | .zip | 50 4b 03 04 |
PK.. |
Archive Files
| File Type | Typical Ext. | Hex Digits | ASCII Digits |
|---|---|---|---|
| TAR (pre-POSIX) | .tar | xx xx xx |
(filename) |
| TAR (POSIX) | .tar | 75 73 74 61 72 |
ustar (offset 257 bytes) |
Executable Files
| File Type | Typical Ext. | Hex Digits | ASCII Digits |
|---|---|---|---|
| MS-DOS, OS/2 or MS Windows | 4d 5a |
MZ |
|
| Unix ELF | 7f 45 4c 46 |
.ELF |
Other Files
| File Type | Typical Ext. | Hex Digits | ASCII Digits |
|---|---|---|---|
| PGP Public Ring | 99 00 |
||
| PGP Security Ring | 95 01 |
||
| PGP Security Ring | 95 00 |
||
| PGP Encrypted Data | a6 00 |
Usage on Linux
A Linux command you can use to view the magic number of a file is the following:
xxd test.zip | head
We can also search for the specific magic numbers of a file using the grep command:
xxd output.png | grep PK
This will search for the magic numbers (PK is the ASCII equivalent of 50 4b) of a zip file within the hex output.
Sources: Github, Bill's security site
Leave a Comment
Comments are reviewed before publishing.