Magic Numbers
Within digital forensics, we typically analyse disk systems for their contents. Often a key challenge is to identify the types of files on a system. For example, we might look for graphics with file extensions of GIF, JPG and PNG. Files, though, can be deleted or their file extensions can be changed, so we need a way to find certain types of files that does not depend on the file name. This normally involves doing a deep scan of the disk, looking for certain key byte sequences that identify the start of a file. Such a sequence is known as the magic number of a file.
The following table outlines some of these magic numbers. Packages such as Scalpel will find the start of a file using the magic numbers, and will then carve it out until it finds the end element (if possible). It is thus possible to find files, even if they have been deleted from the disk.
Description | Extension | Magic Number |
Adobe Illustrator | .ai | 25 50 44 46 [%PDF] |
Bitmap graphic | .bmp | 42 4D [BM] |
Class File | .class | CA FE BA BE |
JPEG graphic file | .jpg | FFD8 |
JPEG 2000 graphic file | .jp2 | 0000000C6A5020200D0A [….jP..] |
GIF graphic file | .gif | 47 49 46 38 [GIF89] |
TIF graphic file | .tif | 49 49 [II] |
PNG graphic file | .png | 89 50 4E 47 [.PNG] |
Photoshop Graphics | .psd | 38 42 50 53 [8BPS] |
Windows Meta File | .wmf | D7 CD C6 9A |
MIDI file | .mid | 4D 54 68 64 [MThd] |
Icon file | .ico | 00 00 01 00 |
MP3 file with ID3 identity tag | .mp3 | 49 44 33 [ID3] |
AVI video file | .avi | 52 49 46 46 [RIFF] |
Flash Shockwave | .swf | 46 57 53 [FWS] |
Flash Video | .flv | 46 4C 56 [FLV] |
Mpeg 4 video file | .mp4 | 00 00 00 18 66 74 79 70 6D 70 34 32 [….ftypmp42] |
MOV video file | .mov | 6D 6F 6F 76 [….moov] |
Windows Video file | .wmv | 30 26 B2 75 8E 66 CF |
Windows Audio file | .wma | 30 26 B2 75 8E 66 CF |
PKZip | .zip | 50 4B 03 04 [PK] |
GZip | .gz | 1F 8B 08 |
Tar file | .tar | 75 73 74 61 72 |
Microsoft Installer | .msi | D0 CF 11 E0 A1 B1 1A E1 |
Object Code File | .obj | 4C 01 |
Dynamic Library | .dll | 4D 5A [MZ] |
CAB Installer file | .cab | 4D 53 43 46 [MSCF] |
Executable file | .exe | 4D 5A [MZ] |
RAR file | .rar | 52 61 72 21 1A 07 00 [Rar!…] |
SYS file | .sys | 4D 5A [MZ] |
Help file | .hlp | 3F 5F 03 00 [?_..] |
VMWare Disk file | .vmdk | 4B 44 4D 56 [KDMV] |
Outlook Post Office file | .pst | 21 42 44 4E 42 [!BDNB] |
PDF Document | .pdf | 25 50 44 46 [%PDF] |
Word Document | .doc | D0 CF 11 E0 A1 B1 1A E1 |
RTF Document | .rtf | 7B 5C 72 74 66 31 [{\rtf1] |
Excel Document | .xls | D0 CF 11 E0 A1 B1 1A E1 |
PowerPoint Document | .ppt | D0 CF 11 E0 A1 B1 1A E1 |
Visio Document | .vsd | D0 CF 11 E0 A1 B1 1A E1 |
DOCX (Office 2010) | .docx | 50 4B 03 04 [PK] |
XLSX (Office 2010) | .xlsx | 50 4B 03 04 [PK] |
PPTX (Office 2010) | .pptx | 50 4B 03 04 [PK] |
Microsoft Database | .mdb | 53 74 61 6E 64 61 72 64 20 4A 65 74 |
PostScript File | .ps | 25 21 [%!] |
Outlook Message File | .msg | D0 CF 11 E0 A1 B1 1A E1 |
EPS File | .eps | 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30 |
Jar File | .jar | 50 4B 03 04 14 00 08 00 08 00 |
SLN File | .sln | 4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65 |
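The header-to-footer carving described above can be sketched as follows. This is an added example, not code from the original page or from Scalpel. The headers are taken from the table, while the footer markers, the size cap and the sample bytes are assumptions introduced here.

```python
# Added example: header/footer carving over a raw byte image.
# Headers come from the table above; the footers are assumptions added here
# (the usual end markers of each format), not values from the page.
SIGNATURES = {
    "jpg": (bytes.fromhex("FFD8"), bytes.fromhex("FFD9")),
    "png": (bytes.fromhex("89504E47"), bytes.fromhex("49454E44AE426082")),
    "gif": (bytes.fromhex("47494638"), bytes.fromhex("003B")),
    "pdf": (bytes.fromhex("25504446"), b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # cap so a missing footer cannot swallow the image


def carve(image: bytes, max_len: int = MAX_CARVE):
    """Return [(type, offset, data, complete)] for every header found.

    Short headers such as FFD8 also match by chance, so every hit is a
    candidate that still has to be validated by opening the carved data.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_len]
            end = window.find(footer, len(header))
            complete = end != -1
            # Without a footer, keep the capped window and flag it as partial.
            data = window[:end + len(footer)] if complete else window
            found.append((ftype, pos, data, complete))
            pos = image.find(header, pos + 1)
    return sorted(found, key=lambda hit: hit[1])


def build_sample() -> bytes:
    """Constructed 'unallocated space': filler bytes around fake file bodies."""
    png = bytes.fromhex("89504E470D0A1A0A") + b"fake-png-body" + bytes.fromhex("49454E44AE426082")
    jpg = bytes.fromhex("FFD8FFE0") + b"fake-jpeg-body" + bytes.fromhex("FFD9")
    gif = bytes.fromhex("474946383961") + b"cut-off"  # trailer deliberately missing
    return b"\x00" * 64 + png + b"\x11" * 32 + jpg + b"\x22" * 16 + gif


if __name__ == "__main__":
    for ftype, offset, data, complete in carve(build_sample()):
        state = "complete" if complete else "no footer, truncated at cap"
        print(f"{ftype} at offset {offset}: {len(data)} bytes ({state})")
```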