File Signature

Kail-KM
2015. 9. 12. 17:04

Source: http://forensic-proof.com/archives/300


 Header Signature (Hex) File Type Description
 xx xx xx xx AF 11 FLI Graphics – Autodesk Animator
 xx xx xx xx AF 12 FLC Graphics – Autodesk 3D Studio
 xx xx 2D 6C 68 35 2D (ASCII: -lh5-) LZH Archive – LHA Compressed Archive File
 00 PIF, PIC, YTR Windows – Program Information File; Graphics – IBM Storyboard Bitmap File; IRIS OCR Data File
 00 00 00 02 MAC Graphics – MAC Picture Format
 00 00 00 nn 66 74 79 70 33 67 70 (ASCII: ftyp3gp) 3GG, 3G2 3rd Generation Partnership Project 3GPP (nn=0x14); 3GPP2 (nn=0x20) Multimedia File
 00 00 00 18 66 74 79 70 33 67 70 35 (ASCII: ftyp3gp5) MP4 MPEG-4 Video File
 00 00 01 00 ICO Graphics – Windows Icon Format
 00 00 01 Bx MPG MPEG Video File
 00 00 02 00 CUR, WB2 Graphics – Windows Cursor File; Spreadsheet – QuattroPro
 00 00 02 00 04 04 WKS Spreadsheet – Lotus 1-2-3
 00 00 02 00 05 04 WRK Spreadsheet – Symphony
 00 00 02 00 06 04 WK1, WR1 Spreadsheet – Lotus 1-2-3; Spreadsheet – Symphony
 00 00 1A 00 00 10 WK3 Spreadsheet – Lotus 1-2-3
 00 00 1A 00 02 10 WK4 Spreadsheet – Lotus 1-2-3
 00 00 49 49 58 50 52 (ASCII: IIXPR) QXD Quark Express Document (dependent endian). Note: It appears that the byte following the 0x52 ("R") is the language indicator; 0x33 ("3") seems to indicate English and 0x61 ("a") reportedly indicates Korean
 00 00 49 49 58 50 52 (ASCII: MMXPR) QXD Quark Express Document (dependent endian). Note: It appears that the byte following the 0x52 ("R") is the language indicator; 0x33 ("3") seems to indicate English and 0x61 ("a") reportedly indicates Korean
 00 00 EF FF Byte-order mark for 32-bit Unicode Transformation Format
 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 74 61 62 61 73 65 (ASCII: MSISAM Database) MNY Microsoft Money File
 00 01 00 00 53 74 61 72 64 61 72 64 20 4A 65 74 20 44 42 (ASCII: Standard Jet DB) MDB Database – Microsoft Access File
 00 01 00 08 IMG Graphics – GEM Image Format
 00 01 01 FLT Graphics – OpenFlight 3D File
 00 01 42 41 (ASCII: BA) ABA Palm Address Book Archive File
 00 01 42 44 (ASCII: BD) DBA Palm DataBook Archive File
 00 06 15 61 00 00 00 02 00 00 04 D2 00 00 10 00 DB Database – Netscape Navigator (v4)
 01 11 AF FLI Graphics – FLIC Animation File
 00 1E 84 90 00 00 00 00 SNM Netscape Communicator (v4) Mail Folder
 00 5C 41 B1 FF ENC Mujahideen Secrets 2 Encrypted File
 00 6E 1E F0 (offset : 512 bytes) PPT PowerPoint Presentation SubHeader
 01 00 00 00 EMF, PIC Extended(Enhanced) Windows Metafile Format; Printer Spool File (0x18-17 & 0xC4-36 : Win2K/NT, 0x5C0-1 : WinXP); Spreadsheet Graph – Lotus 1-2-3
 01 10 TR1 Novell LANalyzer Capture File
 01 DA 01 01 00 03 RGB Graphics – Silicon Graphics RGB Bitmap File
 01 FF 02 04 03 02 DRW Graphics – Micrografx Vector Graphics File
 02 64 73 73 (ASCII: dss) DSS Graphics – Digital Speech Standard (Olympus, Grundig & Philips)
 02 DBF Database – dBASE II
 03 DBF, DAT Database – dBASE III; Database – dBASE IV; MapInfo Native Data Format
 03 00 00 00 QPH Quicken Price History File
 03 00 00 00 41 50 50 52 (ASCII: APPR) ADX Approach Index File
 04 DB4 Database – dBASE IV Data File
 07 DRW A common signature for many drawing programs
 07 64 74 32 64 64 74 64 (ASCII: dt2ddtd) DTD DesignTools 2D Design File
 08 DB Database – dBASE IV; Database – dBFast Configuration File
 09 00 04 00 07 00 01 00 XLW Spreadsheet – Excel BIFF2
 09 02 06 00 00 00 01 00 XLW Spreadsheet – Excel BIFF3
 09 03 06 00 00 04 00 01 XLW Spreadsheet – Excel BIFF4
 0A nn 01 01 PCX Graphics – ZSOFT Paintbrush (nn = 0x02, 0x03, 0x05)
 0C ED MP Graphics – Monochrome Picture TIFF Bitmap File
 0D 44 4F 43 (ASCII: DOC) DOC DeskMate Document File
 0E 57 4B 53 (ASCII: WKS) WKS DeskMate Worksheet
 0F 00 E8 03 (offset : 512 bytes) PPT PowerPoint Presentation SubHeader (MS Office)
 11 00 00 00 53 43 43 41 (ASCII: SCCA) PF Windows Prefetch File
 1A 00 00 NTF Database – Lotus Notes Template File
 1A 00 00 04 00 00 NSF Database – Lotus Notes File
 1A 0x ARC Archive – LH Archive File, Old Version (x = 0x02, 0x03, 0x04, 0x08, 0x09)
 1A 0B PAK Archive – PAK Archive File
 1A 35 01 00 (ASCII: 5) ETH GN Nettest WinPharoah Capture File
 1A 52 54 53 20 43 4F 4D 50 52 45 53 53 45 44 20 49 4D 41 47 45 20 56 31 2E 30 1A (ASCII: RTS COMPRESSED IMAGE V1.0) DAT Graphics – Runtime Software Disk Image File
 1D 7D WS WordStar Version 5.0/6.0 Document File
 1F 8B 08 GZ Archive – GZIP Archive File
 1F 9D 90 TAR.Z Archive – Tape Archive File
 21 12 (ASCII: !) AIN Archive – AIN Archive File
 21 3C 61 72 63 68 3E 0A (ASCII: !<arch>) LIB Archive – Unix Archiver(ar) Files; Microsoft Program Library Common Object File Format (COFF)
 21 42 44 4E (ASCII: !BDN) PST Microsoft Outlook File
 23 20 (ASCII: #) MSI Cerius2 File
 23 20 4D 69 63 72 6F 73 6F 66 74 20 44 65 76 65 6C 6F 70 65 72 20 53 74 75 64 69 6F (ASCII: # Microsoft Developer Studio) DSP Microsoft Developer Studio Project File
 23 21 41 4D 52 (ASCII: #!AMR) AMR Adaptive Multi-Rate ACELP Codec Format
 24 46 4C 32 40 28 23 29 20 53 50 53 53 20 44 41 54 41 20 46 49 4C 45 (ASCII: $FL2@(#) SPSS DATA FILE) SAV SPSS Data File
 25 21 50 53 2D 41 64 6F 62 65 2D (ASCII: %!PS-Adobe-) EPS Adobe Encapsulated PostScript File
 25 50 44 46 (ASCII: %PDF) PDF, FDF Adobe Portable Document Format File; Forms Document File
 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 (ASCII: (This file must be converted with BinHex) HQX Archive – Macintosh BinHex 4 Archive
 2A 2A 2A 20 20 49 6E 73 74 61 6C 6C 61 74 69 6F 6E 20 53 74 61 72 74 65 64 20 (ASCII: ***  Installation Started) LOG Symantec Wise Installer Log File
 2D 6C 68 (ASCII: -lh) (offset : 2 bytes) LHA, LZH Archive – Compressed Archive File
 2E 52 45 43 (ASCII: .REC) IVR RealPlayer Video File (v11 and later)
 2E 72 61 FD 00 (ASCII: .ra) RA RealMedia Streaming Media File
 2E 52 4D 46 (ASCII: .RMF) RM Real Media File
 2E 73 6E 64 (ASCII: .snd) AU Sound – NeXt/Sun Audio Format
 30 (ASCII: 0) CAT Microsoft Security Catalog File
 30 00 00 00 4C 66 4C 65 (ASCII: 0 LfLe) EVT Windows Event Viewer File
 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C ASF, WMA, WMV Microsoft Windows Media Audio/Video File (Advanced Streaming Format)
 30 31 4F 52 44 4E 41 4E 43 45 20 53 55 52 56 45 59 20 20 20 20 20 20 20 (ASCII: 01ORDNANCE SURVEY) NTF National Transfer Format Map File
 31 BE 00 00 00 AB DOC Word processor – MS Word 4
 3n BE 00 00 00 AB WRI Word processor – MS Write (n = 0x1, 0x2)
 34 12 PIC Graphics – PC Paint
 37 7A BC AF 27 1C 7Z Archive – 7-Zip Archive File
 38 42 50 53 (ASCII: 8BPS) PSD Graphics – Adobe Photoshop File
 3A DE 68 B1 DCX Graphics – CAS Fax Format
 3C ASX Advanced Stream Redirector File
 3C XDR BizTalk XML-Data Reduced Schema File
 3C 21 64 6F 63 74 79 70 (ASCII: <!doctyp) DCI AOL HTML Mail File
 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D (ASCII: <?xml version=) MANIFEST Windows Visual Stylesheet XML File
 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E (ASCII: <?xml version="1.0"?>) XUL XML User Interface Language File
 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E 0D 0A 3C 4D 4D 43 5F 43 6F 6E 73 6F 6C 65 46 69 6C 65 20 43 6F 6E 73 6F 6C 65 56 65 72 73 69 6F 6E 3D 22 (ASCII: <?xml version="1.0"?> <MMC_ConsoleFile ConsoleVersion=") MSC Microsoft Management Console Snap-in Control File
 3E 00 03 00 FE FF 09 00 06 (offset : 24 bytes) WB3 Quattro Pro for Windows 7.0 Notebook File
 3F 5F 03 00 (ASCII: ?_) GID Windows Help Index File
 3F 5F 03 00 (ASCII: ?_) HLP Windows Help File
 41 48 (ASCII: AH) PAL, PIC Graphics – Dr Halo Format
 41 4C 5A 01 (ASCII: ALZ) ALZ Archive – ESTsoft Alzip Archive File
 40 40 40 20 00 00 40 40 40 40 (ASCII: @@@ @@@@) ENL EndNote Library File
 41 43 53 44 (ASCII: ACSD) Miscellaneous AOL Parameter and Information File
 41 4D 59 4F (ASCII: AMYO) SYW Graphics – Harvard Graphics Symbol Graphic
 41 4F 4C 20 46 65 65 64 62 61 67 (ASCII: AOL Feedbag) BAG AOL and AIM Buddy List File
 41 4F 4C 44 42 (ASCII: AOLDB) ABY, IDX Database – AOL Database File (ABY, MAIN.IDX)
 41 4F 4C 49 44 58 (ASCII: AOLIDX) IND AOL Client Preferences/Settings File (MAIN.IND)
 41 4F 4C 49 4E 44 45 58 (ASCII: AOLINDEX) ABI AOL Address Book Index File
 41 56 47 36 5F 49 6E 74 65 67 72 69 74 79 5F 44 61 74 61 62 61 73 65 (ASCII: AVG6_Integrity_Database) DAT AVG6 Integrity Database File
 41 56 49 20 4C 49 53 54 (ASCII: AVI LIST) Audio/Video Interleaved File
 41 4F 4C 56 4D 31 30 30 (ASCII: AOLVM100) AOL Personal File Cabinet (PFC) File
 41 72 43 01 (ASCII: ArC) ARC Archive – FreeArc Archive File
 42 45 47 49 4E 3A 56 43 41 52 44 0D 0A (ASCII: BEGIN:VCARD) VCF vCard File
 42 4C 49 32 32 33 51 (ASCII: BLI223Q) BIN Thomson Speedtouch Series WLAN Router Firmware File
 42 4D (ASCII: BM) BMP, DIB Graphics – Windows Bitmap Format
 42 4F 4F 4B 4D 4F 42 49 (ASCII: BOOKMOBI) PRC Palmpilot Resource File
 42 5A 68 (ASCII: BZh) BZ2, TAR, TBZ2, TB2 Archive – bzip2 Archive File
 43 42 46 49 4C 45 (ASCII: CBFILE) CBD WordPerfect Dictionary File
 43 44 30 30 31 (ASCII: CD001) ISO ISO-9660 CD Disc Image
 43 4F 4D 2B (ASCII: COM+) CLB COM+ Catalog File
 43 52 45 47 (ASCII: CREG) DAT Windows 9x Registry Files
 43 52 55 53 48 20 76 (ASCII: CRUSH v) CRU Archive – Crush Archive File
 43 54 4D 46 (ASCII: CTMF) CMF Sound – Creative Music Format
 43 57 53 (ASCII: CWS) SWF Shockwave Flash File (v5+)
 43 61 74 61 6C 6F 67 20 33 2E 30 30 00 (ASCII: Catalog 3.00) CTF WhereIsIt Catalog File
 43 6C 69 65 6E 74 20 55 72 6C 43 61 63 68 65 20 4D 4D 46 20 56 65 72 20 (ASCII: Client UrlCache MMF Ver) DAT IE History DAT File
 43 72 65 61 74 69 76 65 20 56 6F 69 63 65 20 46 69 6C 65 1A (ASCII: Creative Voice File) VOC Sound – Creative Voice Format
 44 42 46 48 (ASCII: DBFH) DB Palm Zire Photo Database
 44 4D 53 21 (ASCII: DMS!) DMS Archive – Amiga DiskMasher Archive File
 44 4F 53 (ASCII: DOS) ADF Amiga Disk File
 44 61 6E 4D (ASCII: DanM) MSP Graphics – Windows Paint
 45 4E 54 52 59 56 43 44 02 00 00 01 02 00 18 58 (ASCII: ENTRYVCD X) VCD Video VCD (GNU VCDImager) File
 45 54 46 53 53 41 56 45 44 41 54 41 46 49 4C 45 (ASCII: ERFSSAVEDATAFILE) DAT Kroll EasyRecovery Saved Recovery State File
 45 56 46 (ASCII: EVF) Enn (nn = number) EnCase Evidence File
 45 59 45 53 (ASCII: EYES) CE1, CE2 Graphics – ComputerEyes Format
 46 4F 52 4D (ASCII: FORM) LBM Graphics – Interchange File Format
 46 41 58 43 4F 56 45 52 2D 56 45 52 (ASCII: FAXCOVER-VER) CPE Microsoft Fax Cover Sheet
 46 45 44 46 (ASCII: FEDF) SBV Unknown File Type
 46 4C 56 SWF Flash Video File
 46 4F 52 4D 00 AIFF Audio – Audio Interchange File
 46 57 53 (ASCII: FWS) SWF Shockwave Flash File
 46 72 6F 6D 20 20 20 (ASCII: From) or 46 72 6F 6D 20 3F 3F 3F (ASCII: From ???) or 46 72 6F 6D 3A 20 (ASCII: From:) EML A common File Extension for E-mail File
 47 46 31 50 41 54 43 48 (ASCII: GF1PATCH) PAT Advanced Gravis Ultrasound Patch File
 47 49 46 38 37 61 (ASCII: GIF87a) GIF Graphics – Graphics Interchange Format
 47 49 46 38 39 61 (ASCII: GIF89a) GIF Graphics – Graphics Interchange Format
 47 50 41 54 (ASCII: GPAT) PAT GIMP (GNU Image Manipulation Program) Pattern File
 47 58 32 (ASCII: GX2) GX2 Graphics – Show Partner Graphics File
 48 48 47 42 31 (ASCII: HHGB1) SH3 Harvard Graphics Presentation File
 49 49 2A (ASCII: II*) TIF, TIFF Graphics – Tagged Image File Format File (Little Endian)
 4D 4D 2A (ASCII: MM*) TIF, TIFF Graphics – Tag Image File Format (Big Endian)
 49 42 4B 1A (ASCII: IBK) IBK Sound – Soundblaster Instrument Bank
 49 44 33 (ASCII: ID3) MP3 Sound – MPEG-1 Audio Layer 3 (MP3) Audio File
 49 4D 44 43 (ASCII: IMDC) IC1, IC2, IC3 Graphics – Atari Imagic Film Format
 49 53 63 28 (ASCII: ISc() CAB Archive – Install Shield (v5+) Archive File
 49 54 53 46 (ASCII: ITSF) CHM Microsoft HTML Help Compiled File
 49 6E 6E 6F 20 53 65 74 75 70 20 55 6E 69 6E 73 74 61 6C 6C 20 4C 6F 67 20 28 62 29 (ASCII: Inno Setup Uninstall Log (b)) DAT Inno Setup Uninstall Log File
 4A 41 52 43 53 00 (ASCII: JARCS) JAR Archive – JARCS Archive File
 4A 47 0n 0E 00 00 00 ART AOL ART File (n = 0x3, 0x4)
 4C 00 00 00 (ASCII: L) LNK Microsoft Windows Shortcut File
 4C 01 (ASCII: L) OBJ Microsoft Common Object File Format (COFF) Relocatable Object Code File
 4C 4E 02 00 (ASCII: LN) HLP Windows Help File
 4C 69 6E 53 (ASCII: LinS) MSP Graphics – Windows 3.x Paint
 4D 47 43 (ASCII: MGC) CRD Database – Windows 3.x Card File
 4D 49 4C 45 53 (ASCII: MILES) MLS Milestones v1.0 Project Management and Scheduling Software (Also see "MV2C", "MV214")
 4D 4C 53 57 (ASCII: MLSW) MLS Skype Localization Data File
 4D 4D 00 2A (ASCII: MM *) TIF, TIFF Graphics – Big Tagged Image File Format (TIFF) (big endian)
 4D 4D 00 2B (ASCII: MM +) TIF, TIFF Graphics – Big Tagged Image File Format (TIFF) File (> 4GB)
 4D 4D 4D 44 00 00 (ASCII: MMMD) MMF Yamaha Synthetic Music Mobile Application Format (SMAF)
 4D 53 43 46 (ASCII: MSCF) CAB, PPZ, SNP Microsoft Cabinet File; Powerpoint Presentation Package; Microsoft Access Snapshot Viewer File
 4D 53 46 54 02 00 01 00 (ASCII: MSFT) TLB OLE, SPSS, Visual C++ Type Library File
 4D 53 5F 56 4F 49 43 45 (ASCII: MS_VOICE) CDR, DVF, MSV Sound – Sony Compressed Voice File; Sound – Sony Memory Stick Compressed Voice File
 4D 54 68 64 (ASCII: MThd) MID, MIDI Sound – Standard Musical Instrument Digital Interface (MIDI) Format
 4D 56 (ASCII: MV) DSN CD Stomper Pro Label File
 4D 56 32 31 34 (ASCII: MV214) MLS Milestones v2.1b Project Management and Scheduling Software (Also see "MILES", "MV2C")
 4D 56 32 43 (ASCII: MV2C) MLS Milestones v2.1a Project Management and Scheduling Software (Also see "MILES", "MV214")
 4D 5A (ASCII: MZ) COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS, ACM, AX, CPL, FON, OCX, OLB, SCR, VBX, VXD Windows/DOS Executable File; MS Audio Compression Manager Driver; Library Cache File; Control Panel Application; Font File; ActiveX or OLE Custom Control; OLE Object Library; Screen Saver; Visual Basic Application; Windows Virtual Device Drivers
 4D 5A 90 00 03 00 00 00 (ASCII: MZ) API, AX, FLT Acrobat Plug-in; DirectShow Filter; Adobe Audition Graphic Filter File
 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF (ASCII: MZ) ZAP ZoneAlarm Data File
 4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65 (ASCII: Microsoft Visual Studio Solution File) SLN Visual Studio .NET Solution File
 4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 4D 65 64 69 61 20 50 6C 61 79 65 72 20 2D 2D 20 (ASCII: Microsoft Windows Media Player --) (offset : 84 bytes) WPL Windows Media Player Playlist
 4E 41 56 54 52 41 46 46 49 43 (ASCII: NAVTRAFFIC) DAT TomTom Traffic Data File
 4E 45 53 4D 1A 01 (ASCII: NESM) NFS Sound – NES Sound File
 4E 49 54 46 30 (ASCII: NITF0) NTF National Imagery Transmission Format (NIFF) File
 4E 61 6D 65 3A 20 (ASCII: Name:) COD Agent NewsReader Character Map File
 4F 50 4C 44 61 74 61 62 61 73 65 46 69 6C 65 (ASCII: OPLDatabaseFile) DBF Psion Series 3 Database File
 4F 67 67 53 00 02 00 00 00 00 00 00 00 00 (ASCII: OggS) OGA, OGG, OGV, OGX Ogg Vorbis Codec Compressed Multimedia File
 4F 7B (ASCII: O{) DW4 Visio/DisplayWrite 4 Test File
 50 00 00 00 20 00 00 00 (ASCII: P) IDX Quicken QuickFinder Information File
 50 35 0A (ASCII: P5) PGM Graphics – Portable Graymap Graphic
 50 41 43 4B (ASCII: PACK) PAK Archive – Quake Archive File
 50 45 53 54 (ASCII: PEST) DAT PestPatrol Data/Scan Strings
 50 49 43 54 00 08 (ASCII: PICT) IMG Graphics – ADEX ChromaGraph Graphics Card Bitmap Graphics File
 50 4B 03 04 (ASCII: PK) ZIP, DOCX, PPTX, XLSX, JAR, SXC, SXD, SXI, SXW, WMZ, XPI, XPT Archive – Pkzip Archive File; Microsoft Office Open XML Format Document; Java Archive Package; OpenOffice Spreadsheet, Drawing, Presentation; Windows Media Compressed Skin File; Mozilla Browser Archive; eXact Packager Models
 50 4B 03 04 14 00 06 00 (ASCII: PK) DOCX, PPTX, XLSX Microsoft Office Open XML Format Document
 50 4B 03 04 14 00 08 00 (ASCII: PK) JAR Java Archive
 50 4B 4C 49 54 45 (ASCII: PKLITE) (offset : 30 bytes) ZIP Archive – PKLITE ZIP Archive (see also PKZIP)
 50 4B 53 70 58 (ASCII: PKSFX) (offset : 526 bytes) ZIP Archive – PKSFX Self-Extracting Executable Compressed File (see also PKZIP)
 50 4D 43 43 (ASCII: PMCC) GRP Windows Program Manager Group File
 50 4E 43 49 55 4E 44 4F (ASCII: PNCIUNDO) DAT Norton Disk Doctor Undo File
 50 C3 CLP Windows 3.x Clipboard
 51 45 4C 20 (ASCII: QEL) (offset : 92 bytes) QEL Quicken Data File
 51 46 49 FB (ASCII: QFI) IMG QEMU Qcow Disk Image
 51 57 20 56 65 72 2E 20 (ASCII: QW Ver.) ABD, QSD Quicken Data File
 52 41 5A 41 54 44 42 31 (ASCII: RAZATDB1) DAT Shareaza (Windows P2P Client) Thumbnail
 52 45 47 45 44 49 54 (ASCII: REGEDIT) REG, SUD Windows NT Registry and Registry Undo Files
 52 45 56 4E 55 4D 3A 2C (ASCII: REVNUM:,) ADF Antenna Data File
 52 49 46 46 (ASCII: RIFF) ANI, DAT, DS4 Windows Animated Cursor; Video CD MPEG or MPEG1 Movie File; Micrografx Designer v4 Graphic File
 52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54 (ASCII: RIFF AVI LIST) AVI Resource Interchange File Format – Windows Audio Video Interleave File
 52 49 46 46 xx xx xx xx 43 44 44 41 66 6D 74 20 (ASCII: RIFF CDDAfmt) CDA Resource Interchange File Format – Compact Disc Digital Audio (CD-DA) File
 52 49 46 46 xx xx xx xx 51 4C 43 4D 66 6D 74 20 (ASCII: RIFF QLCMfmt) QCP Resource Interchange File Format – Qualcomm PureVoice
 52 49 46 46 xx xx xx xx 52 4D 49 44 64 61 74 61 (ASCII: RIFF RMIDdata) RMI Resource Interchange File Format – Windows Musical Instrument Digital Interface File
 52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20 (ASCII: RIFF WAVEfmt) WAV Resource Interchange File Format – Audio for Windows File
 52 54 53 53 (ASCII: RTSS) CAP Windows NT Netmon Capture File
 52 61 72 21 1A 07 00 (ASCII: Rar!) RAR Archive – WinRAR Compressed Archive File
 53 42 49 1A (ASCII: SBI) SBI Soundblaster Instrument Format
 53 43 48 6C (ASCII: SCHl) AST Audio – Need for Speed : Underground Audio File
 53 43 4D 49 (ASCII: SCMI) IMG Img Software Set Bitmap File
 53 48 4F 57 (ASCII: SHOW) SHW Harvard Graphics DOC v2/x Presentation File
 53 49 45 54 52 4F 4F 49 43 53 20 58 52 44 20 53 43 41 4E (ASCII: SIETRONICS XRD SCAN) CPI Sietronics CPI XRD Document File
 53 49 54 21 00 (ASCII: SIT!) SIT Archive – StuffIt Compressed Archive File
 53 4D 41 52 54 44 52 57 (ASCII: SMARTDRW) SDR SmartDraw Drawing File
 53 51 4C 4F 43 4F 4E 56 48 44 00 00 31 2E 30 00 (ASCII: SQLOCONVHD 1.0) CNV DB2 Conversion File
 53 6D 62 6C (ASCII: Smbl) SYM Harvard Graphics v2.x Graphics Symbol; Windows SDK Graphics Symbol
 53 74 75 66 66 49 74 20 28 63 29 31 39 39 37 2D (ASCII: StuffIt (c)1997-) SIT Archive – StuffIt Compressed Archive File
 54 43 53 4F 00 04 00 00 00 00 (ASCII: TCSO) (offset : 6 bytes) SOL Local Shared Object(LSO) File
 54 68 69 73 20 69 73 20 (ASCII: This is) INFO UNIX GNU Info Reader File
 55 43 45 58 (ASCII: UCEX) UCE Unicode Extensions
 55 46 41 C6 D2 C1 (ASCII: UFA) UFA Archive – UFA Compressed Archive File
 55 46 4F 4F 72 62 69 74 (ASCII: UFOOrbit) DAT UFO Capture v2 Map File
 56 43 50 43 48 30 (ASCII: VCPCH0) PCH Visual C PreCompiled Header File
 56 44 56 49 (ASCII: VDVI) AVS Intel Digital Video Interface
 56 45 52 53 49 4F 4E 20 (ASCII: VERSION) CTL Visual Basic User-Defined Control File
 57 4D 4D 50 (ASCII: WMMP) DAT Walkman MP3 Container File
 57 53 32 30 30 30 (ASCII: WS2000) WS2 WordStar for Windows v2 Document File
 57 69 6E 5A 69 70 (ASCII: WinZip) (offset : 29, 152 bytes) ZIP Archive – WinZip Compressed Archive File
 58 43 50 00 (ASCII: XCP) CAP Cinco NetXRay, Network General Sniffer, and Network Associates Sniffer Capture File
 58 50 43 4F 4D 0A 54 79 70 65 4C 69 62 (ASCII: XPCOM TypeLib) XPT XPCOM Type Libraries for The XPIDL Compiler
 58 54 (ASCII: XT) BDR MS Publisher Border
 59 A6 6A 95 RAS SUN Raster Format
 5A 4F 4F 20 (ASCII: ZOO) ZOO Archive – ZOO Compressed Archive File
 5B 47 65 6E 65 72 61 6C 5D 0D 0A 44 69 73 70 6C 61 79 20 4E 61 6D 65 3D 3C 44 69 73 70 6C 61 79 4E 61 6D 65 (ASCII: [General] Display Name=<DisplayName) ECF Microsoft Exchange 2007 Extended Configuration File
 5B 4D 53 56 43 (ASCII: [MSVC) VCW Microsoft Visual C++ Workbench Information File
 5B 50 68 6F 6E 65 5D (ASCII: [Phone]) DUN Dial-Up Networking File
 5B 56 45 52 5D 0D 0A 09 (ASCII: [VER]) SAM AMU Pro Document
 5B 76 65 72 0D 0A 09 (ASCII: [ver]) SAM AMU Pro Document
 5B 56 65 72 73 69 6F 6E (ASCII: [Version]) (offset : 2 bytes) CIF Unknown File Type
 5B 57 69 6E 64 6F 77 73 20 4C 61 74 69 6E 20 (ASCII: [Windows Latin) CPX Microsoft Code Page Translation File
 5B 66 6C 74 73 69 6D 2E 30 5D (ASCII: [fltsim.0]) CFG Flight Simulator Aircraft Configuration File
 5F 43 41 53 45 5F (ASCII: _CASE_) CAS, CBK EnCase v3 Case File; EnCase v4, 5, 6 use OLE 2 Container File
 60 EA ARJ Archive – ARJ Compressed Archive File
 62 65 67 69 6E (ASCII: begin) UUencoded File
 63 75 73 68 00 00 00 02 00 00 00 (ASCII: cush) CSH Photoshop Custom Shape
 64 00 00 00 (ASCII: d) P10 Intel PROset/Wireless Profile
 64 73 77 66 69 6C 65 (ASCII: dswfile) DSW Microsoft Visual Studio Workspace File
 66 4C 61 43 00 00 00 22 (ASCII: fLaC ") FLAC Free Lossless Audio Codec File
 6C 33 33 6C (ASCII: l33l) DBB Skype User Data File
 6D 6F 6F 76 (ASCII: moov) or 66 72 65 65 (ASCII: free) or 6D 64 61 74 (ASCII: mdat) or 77 69 64 65 (ASCII: wide) (offset : 4 bytes) MOV Apple QuickTime Movie File
 72 65 67 66 (ASCII: regf) DAT Windows Registry Hive File
 72 74 73 70 3A 2F 2F (ASCII: rtsp://) RAM RealMedia Metafile
 73 6C 68 21 (ASCII: slh!) or 73 6C 68 2E (ASCII: slh.) DAT Allegro Generic Packfile Data File (0x21 = Compressed, 0x2E = Uncompressed)
 73 72 63 64 6F 63 69 64 3A (ASCII: srcdocid:) CAL Graphics – CALS Raster Bitmap File
 73 7A 65 7A (ASCII: szez) PDB PowerBASIC Debugger Symbols File
 74 42 4D 50 4B 6E 57 72 (ASCII: tBMPKnWr) (offset : 60 bytes) PRC PathWay Map File (used GPS devices)
 75 73 74 61 72 (ASCII: ustar) (offset : 257 bytes) TAR Archive – Tape Archive File
 76 32 30 30 33 2E 31 30 0D 0A 30 0D 0A (ASCII: v2003.10 0) FLT Qimage Filter
 78 (ASCII: x) DMG Mac OS X Disk Copy Disk Image File
 7A 62 65 78 (ASCII: zbex) INFO ZoomBrowser Image Index File (ZbThumbnail.info)
 7B 0D 0A 6F 20 (ASCII: { o) LGC, LGD Windows Application Log File
 7B DBF Database – dBASE IV
 7B 5C 72 74 66 31 (ASCII: {\rtf1) RTF Word processor – Rich Text Format
 7E 42 4B 00 (ASCII: ~BK) PSP Graphics – Corel Paint Shop Pro Image File
 7F 45 4C 46 (ASCII: ELF) Linux/Unix – Executable and Linking Format
 80 OBJ Relocatable Object Code
 80 00 00 20 03 12 04 ADX Dreamcast Audio File
 81 CD AB WPF Word processor – WordPerfect Test File
 83 DBF Database – dBASE III
 83 DBF Database – dBASE IV
 83 DBF Database –  FoxPro
 8B DBF Database – FoxPro
 89 50 4E 47 0D 0A 1A 0A (ASCII: PNG) PNG Graphics – Portable Network Graphics File
 8A 01 09 00 00 00 E1 08 00 00 99 19 AW MS Answer Wizard File
 91 33 48 46 HAP Archive – Hamarsoft HAP 3.x Compressed Archive
 95 01 SKR PGP Secret Key Ring
 99 00 PKR PGP Public Key Ring
 99 01 PKR PGP Public Key Ring
 9B A5 DOC Word processor – Winword 1.0
 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 WAB Outlook Address File
 A0 46 1D F0 (offset : 512 bytes) PPT PowerPoint Presentation SubHeader
 A1 B2 C3 D4 tcpdump (libpcap) Capture File
 A1 B2 CD 34 Extended tcpdump (libpcap) Capture File
 A9 0D 00 00 00 00 00 00 DAT Access Data FTK Evidence File
 AC 9E BD 8F 00 00 QDF Quicken Data File
 B1 68 DE 3A DCX Graphics Multipage PCX Bitmap File
 B5 A2 B0 B3 B3 B0 A2 B5 CAL Windows 3.x Calendar
 BA BE EB EA ANI NEOchrome Animation File
 BE 00 00 00 AB 00 00 00 00 00 00 00 00 WRI Microsoft Write File
 C3 AB CD AB ACS Microsoft Agent Character File
 C5 D0 D3 C6 EPS Adobe Encapsulated PostScript File
 C8 00 79 00 LBK Jeppesen FliteLog File
 CA FE BA BE CLASS Java Bytecode File
 CD 20 AA AA 02 00 00 00 Norton Anti-Virus Quarantined Virus File
 CF 11 E0 A1 B1 1A E1 00 DOC Word processor – Perfect Office Document File
 CF AD 12 FE DBX Microsoft Outlook Express E-mail File
 D0 CF 11 E0 A1 B1 1A E1 HWP, DOC, DOT, PPS, PPT, XLA, XLS, WIZ, AC_, ADP, APR, DB, MSC, MSI, MTW, OPT, PUB, SOU, SPO, VSD, WPS HAANSOFT Compound Document File; Microsoft Office Compound Document File; CaseWare Working Papers Compressed Client File; Access Project File; Lotus/IBM Approach 97 File; MSWorks Database File; Microsoft Common Console Document File; Microsoft Installer Package; Minitab Data File; Developer Studio File Workspace Options File; Microsoft Publisher File; Visual Studio Solution User Options File; SPSS Output File; Visio File; MSWorks Text Document File
 D2 0A 00 00 FTR GN Nettest WinPharoah Filter File
 D4 2A ARL, AUT AOL History (ARL) and Typed URL (AUT) Files
 D4 C3 B2 A1 WinDump (Winpcap) Capture File
 D7 CD C6 9A WMF Graphics – Windows Metafile Format
 DB A5 DOC Word processor – Winword 2.0
 DC DC CPL Corel Color Palette File
 DC FE EFX eFax File Format
 E3 10 00 01 00 00 00 00 INFO Amiga Icon File
 E3 82 85 96 PWL Windows Password File
 E8 or E9 or EB COM, SYS Windows Executable File
 EB 3C 90 2A IMG GEM Raster File
 EC A5 C1 00 (offset : 512 bytes) DOC Word Document SubHeader
 ED AB EE DB RPM RedHat Package Manager File
 EF BB BF Byte-order Mark for 8-bit Unicode Transformation Format (UTF-8) File
 F5 DBF FoxPro Database
 FD FF FF FF 04 (offset : 512 bytes) SUO Visual Studio Solution User Options SubHeader
 FD FF FF FF nn 00 00 00 (offset : 512 bytes) PPT PowerPoint Presentation SubHeader (nn = 0x0E, 0x1C, 0x43)
 FD FF FF FF nn 00 or FD FF FF FF nn 02 (offset : 512 bytes) XLS Excel Spreadsheet SubHeader (nn = 0x10, 0x1F, 0x22, 0x23, 0x28, 0x29)
 FD FF FF FF 20 00 00 00 (offset : 512 bytes) OPT, XLS Developer Studio File Workspace Options SubHeader; Excel Spreadsheet SubHeader
 FD FF FF FF xx xx xx xx xx xx xx xx 04 00 00 00 (offset : 512 bytes) DB Thumbs.db SubHeader
 FE DB or FE DC SEQ Cyber Paint
 FE FF Byte-order mark for 16-bit Unicode Transformation Format/2-octet Universal Character Set (UTF-16/UCS-2)
 FF SYS Windows Executable Format File
 FF 00 02 00 04 04 05 54 02 00 WKS Windows Spreadsheet Work File
 EF 46 4F 4E 54 (ASCII: FONT) CPI Windows International Code Page
 FF 4B 45 59 42 20 20 20 (ASCII: KEYB) SYS Keyboard Driver File
 FF 57 50 43 (ASCII: WPC) WP, WPD, WPG, WP5 Word processor – WordPerfect Document and Graphic File
 FF D8 FF E0 xx xx 4A 46 49 46 (ASCII: JFIF) JPG Graphics – JPEG/JFIF Format
 FF D8 FF E1 xx xx 45 78 69 66 (ASCII: Exif) JPG Graphics – JPEG/Exif Format – Digital Camera Exchangeable Image File Format (EXIF)
 FF FF GEM GEM Metafile Format
 FF D8 FF E8 xx xx 53 50 49 46 46 00 (ASCII: SPIFF) JPG Graphics – Still Picture Interchange File Format (SPIFF)