Magic Numbers in Files

Magic Numbers

Within digital forensics, we typically analyse disk systems for their contents. Often a key challenge is to identify the types of files on a system. For example, we might look for graphics with file extensions of GIF, JPG and PNG. Files, though, can be deleted or their file extensions can be changed, so we need another way to find files of a given type. This normally involves doing a deep scan of the disk, looking for certain key byte sequences that identify the start of a file; such a sequence is also known as the magic number of a file.

The following table outlines some of these magic numbers. Packages such as Scalpel will find the start of a file using its magic number, and will then carve it out until they find the end marker of the format (if possible). It is thus possible to recover files even after they have been deleted from the disk, provided the clusters have not been overwritten.

Description                       Extension  Magic Number
Adobe Illustrator                 .ai        25 50 44 46 [%PDF]
Bitmap graphic                    .bmp       42 4D [BM]
Class File                        .class     CA FE BA BE
JPEG graphic file                 .jpg       FF D8
JPEG 2000 graphic file            .jp2       00 00 00 0C 6A 50 20 20 0D 0A [....jP..]
GIF graphic file                  .gif       47 49 46 38 [GIF8]
TIF graphic file                  .tif       49 49 [II]
PNG graphic file                  .png       89 50 4E 47 [.PNG]
Photoshop Graphics                .psd       38 42 50 53 [8BPS]
Windows Meta File                 .wmf       D7 CD C6 9A
MIDI file                         .mid       4D 54 68 64 [MThd]
Icon file                         .ico       00 00 01 00
MP3 file with ID3 identity tag    .mp3       49 44 33 [ID3]
AVI video file                    .avi       52 49 46 46 [RIFF]
Flash Shockwave                   .swf       46 57 53 [FWS]
Flash Video                       .flv       46 4C 56 [FLV]
Mpeg 4 video file                 .mp4       00 00 00 18 66 74 79 70 6D 70 34 32 [....ftypmp42]
MOV video file                    .mov       6D 6F 6F 76 [moov]
Windows Video file                .wmv       30 26 B2 75 8E 66 CF
Windows Audio file                .wma       30 26 B2 75 8E 66 CF
PKZip                             .zip       50 4B 03 04 [PK]
GZip                              .gz        1F 8B 08
Tar file                          .tar       75 73 74 61 72 [ustar]
Microsoft Installer               .msi       D0 CF 11 E0 A1 B1 1A E1
Object Code File                  .obj       4C 01
Dynamic Library                   .dll       4D 5A [MZ]
CAB Installer file                .cab       4D 53 43 46 [MSCF]
Executable file                   .exe       4D 5A [MZ]
RAR file                          .rar       52 61 72 21 1A 07 00 [Rar!...]
SYS file                          .sys       4D 5A [MZ]
Help file                         .hlp       3F 5F 03 00 [?_..]
VMWare Disk file                  .vmdk      4B 44 4D 56 [KDMV]
Outlook Post Office file          .pst       21 42 44 4E 42 [!BDNB]
PDF Document                      .pdf       25 50 44 46 [%PDF]
Word Document                     .doc       D0 CF 11 E0 A1 B1 1A E1
RTF Document                      .rtf       7B 5C 72 74 66 31 [{\rtf1]
Excel Document                    .xls       D0 CF 11 E0 A1 B1 1A E1
PowerPoint Document               .ppt       D0 CF 11 E0 A1 B1 1A E1
Visio Document                    .vsd       D0 CF 11 E0 A1 B1 1A E1
DOCX (Office 2010)                .docx      50 4B 03 04 [PK]
XLSX (Office 2010)                .xlsx      50 4B 03 04 [PK]
PPTX (Office 2010)                .pptx      50 4B 03 04 [PK]
Microsoft Database                .mdb       53 74 61 6E 64 61 72 64 20 4A 65 74 [Standard Jet]
PostScript File                   .ps        25 21 [%!]
Outlook Message File              .msg       D0 CF 11 E0 A1 B1 1A E1
EPS File                          .eps       25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30
Jar File                          .jar       50 4B 03 04 14 00 08 00 08 00
SLN File                          .sln       4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65
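To make the header-and-footer carving described above concrete, here is a small Python carver written for this page (it is an added example, not Scalpel's code). The header bytes are taken from the table above; the footer bytes (PNG IEND chunk, JPEG FF D9, GIF ';', PDF %%EOF, ZIP end-of-central-directory record) are not on the page and are taken from the respective format specifications. The "disk image" it scans is constructed inline: filler bytes around a valid 1x1 PNG, a real ZIP archive, and stub JPEG/GIF/PDF files that only carry the right header and footer. The `identify`, `carve` and `verify_carved` functions and all sample names are this example's own.

```python
"""Header/footer carving over a constructed image (example added to this page)."""
import io
import struct
import zipfile
import zlib
from typing import List, Optional, Tuple

# (header, footer, bytes to keep after the footer match). Headers come from the
# table above; footers are from the format specs. Footers are heuristics: FF D9
# can also appear inside an embedded JPEG thumbnail and 0x3B inside GIF data, so
# a carver stops at the FIRST footer it sees and may truncate a file.
SIGNATURES = {
    "png": (b"\x89PNG", b"IEND\xaeB`\x82", 0),   # 89 50 4E 47 ... IEND chunk + its CRC
    "jpg": (b"\xff\xd8", b"\xff\xd9", 0),         # FF D8 ... FF D9 (end of image)
    "gif": (b"GIF8", b"\x3b", 0),                 # 47 49 46 38 ... trailer ';'
    "pdf": (b"%PDF", b"%%EOF", 0),                # 25 50 44 46 ... %%EOF
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 18),    # 50 4B 03 04 ... 22-byte EOCD record
}
MAX_SIZE = 1 << 20  # cap on a carved file when no footer is found (1 MiB)


def identify(data: bytes) -> Optional[str]:
    """Name the type from the leading bytes alone; the extension is never consulted."""
    for name, (header, _, _) in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[1][0])):
        if data.startswith(header):
            return name
    return None


def carve(image: bytes, max_size: int = MAX_SIZE) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, bytes) for every header hit, carved to its footer or to max_size."""
    found = []
    for name, (header, footer, tail) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            marker = image.find(footer, pos + len(header), limit)
            end = marker + len(footer) + tail if marker != -1 else limit
            found.append((name, pos, image[pos:end]))
            pos = image.find(header, pos + len(header))
    return sorted(found, key=lambda hit: hit[1])


def verify_carved(name: str, data: bytes) -> bool:
    """Structural check so a header hit in random data is not trusted blindly."""
    if name == "png":
        pos = 8  # skip the 8-byte PNG signature, then walk length/type/payload/CRC chunks
        while pos + 12 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            if pos + 12 + length > len(data):
                return False
            payload = data[pos + 8:pos + 8 + length]
            crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
            if zlib.crc32(ctype + payload) != crc:
                return False
            pos += 12 + length
            if ctype == b"IEND":
                return True
        return False
    if name == "zip":
        try:
            return zipfile.ZipFile(io.BytesIO(data)).testzip() is None
        except zipfile.BadZipFile:
            return False
    return True  # no cheap structural check is implemented here for the other stubs


# --- constructed sample data (not from any real disk) -------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1 8-bit grey
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))                    # filter byte + pixel
              + _png_chunk(b"IEND", b""))
JPG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 7 + b"\xff\xd9"  # stub: SOI ... EOI
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"          # stub: header ... ';'
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"               # stub: %PDF ... %%EOF


def _zip_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("a.txt", date_time=(1980, 1, 1, 0, 0, 0))  # fixed timestamp: deterministic bytes
        info.compress_type = zipfile.ZIP_STORED
        zf.writestr(info, "a")
    return buf.getvalue()


ZIP_SAMPLE = _zip_sample()
FILLER = b"\x00" * 16 + b"<unallocated>" * 3  # contains none of the signatures above
IMAGE = FILLER.join([b"", PNG_SAMPLE, JPG_SAMPLE, GIF_SAMPLE, PDF_SAMPLE, ZIP_SAMPLE, b""])


if __name__ == "__main__":
    for kind, offset, blob in carve(IMAGE):
        print(f"{kind}: offset {offset}, {len(blob)} bytes, valid={verify_carved(kind, blob)}")
```

`carve` works the way the text describes Scalpel working: find a header, then run forward to the first footer, and fall back to a size cap when the format has no usable trailer or the trailer was overwritten. The `verify_carved` step is the part a practitioner should not skip: two-byte headers such as FF D8 or 4D 5A will match inside unrelated data on any real disk, so a carved candidate is only worth keeping once its internal structure (chunk CRCs, central directory) checks out.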
