File Signatures
A file signature is the starting and closing hex value of a type of file.
We will be looking at a few examples of file signatures to give you a better
understanding of the concept. Note that this guide assumes you already know
how to use a hex editor, so if you don't, I recommend reading
How To Use A Hex Editor
before continuing through this guide. Also keep in mind that I will not be listing
every last file signature here. If you wish to read about more file signatures, I will
leave a link at the end of this page to where you can read deeper into it. This will
just be covering some of the most used extensions.
Difference Between File Extension and File Signature
A file extension is what most people see at the end of any given file name.
Examples include Program.exe, File.txt, Image.jpg, and File.pdf. A file signature, on
the other hand, is the hex value that makes a file a jpg, an exe, or any other file
type out there.
A Few Examples
If you open up any jpg file with the hex editor, you'll find that the hex
values at the beginning of all jpg files will be FF D8 and all jpg files
will close with FF D9. Png files will begin with 89 50 4E 47 and will close
with 60 82. Mp3 files are interesting because the signature will vary from file
to file, but generally it will begin with either FF FB or 49 44 33. As for closing,
if the mp3 file started with FF FB it will end with 55 55, but if it started with
49 44 33 it will instead end with 01 0C. Although most people don't use mid
files these days, they are still worth bringing up: the starting value is
4D 54 68 64 and the closing value is 2F 00. Iso files can be a bit
tricky to deal with, as many will be all 00s, although your mileage may vary on this
one. Finally, we have exe files, which will start with 4D 5A 90 00.
What about text documents and html/code files?
Despite what one may expect, there are no file signatures for these types
of files, although if you know the hex values for basic characters well enough, you
can use that knowledge to pinpoint where a certain file type might be.
For example, if you find the combination 3C 21 44 4F, there's a good chance that this
is the start of an html file. Do beware, though: just because these combinations are
visible does not guarantee that the values start their associated file
type. In the case of txt files, try looking for common words such as
74 68 65, or whatever buzzword you are looking for, to pinpoint where a txt
file might be.
What is the point of this anyway?
There are a few good reasons why you might want to look into this
concept. Most frequently this is used by forensics teams to catch criminals. For
those outside of that spectrum who are instead web admins or system administrators
that let users upload pictures to their site, this is good to keep in mind, as
hackers may try to cheat the system by including the file signature of a jpg file
at the beginning to trick the scanner into thinking that the malicious file is a
legitimate image. This applies to cyber security as well, not just web admins, and
it really is just good security practice in general to make sure the jpg you
downloaded is actually a jpg and not a C script disguised as a jpg.
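
The check described above can be scripted. The following is an added example, not part of the original guide: it compares a file's claimed extension against both the starting and closing values listed on this page. The function names and the sample byte strings are constructed for illustration.

```python
# Added example. Header/trailer values are the ones listed in this guide.
SIGNATURES = {
    "jpg": (bytes.fromhex("FFD8"), bytes.fromhex("FFD9")),
    "png": (bytes.fromhex("89504E47"), bytes.fromhex("6082")),
    "mid": (bytes.fromhex("4D546864"), bytes.fromhex("2F00")),
    # The guide lists 4D 5A 90 00 for exe; only the leading 4D 5A ("MZ") is
    # matched here, and the guide gives no closing value for exe.
    "exe": (bytes.fromhex("4D5A"), None),
}

def identify(data):
    """Return the type whose starting value matches data, or None."""
    for ftype, (head, _tail) in SIGNATURES.items():
        if data.startswith(head):
            return ftype
    return None

def check_upload(filename, data):
    """Compare the claimed extension with the file's first and last bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return "unsupported extension"
    head, tail = SIGNATURES[ext]
    if not data.startswith(head):
        actual = identify(data)
        return f"header mismatch (looks like {actual})" if actual else "header mismatch"
    # A header alone is easy to fake, so the closing value is checked too.
    if tail is not None and not data.endswith(tail):
        return "trailer mismatch"
    return "ok"

# Constructed sample inputs (not real files).
REAL_JPG = bytes.fromhex("FFD8FFE0") + b"\x00" * 16 + bytes.fromhex("FFD9")
# C source text with only the jpg starting value placed in front of it.
DISGUISED_C = bytes.fromhex("FFD8") + b"#include <stdio.h>\nint main(void) { return 0; }\n"
# An exe header saved under a .jpg name.
RENAMED_EXE = bytes.fromhex("4D5A9000") + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in [("real jpg", REAL_JPG), ("disguised C", DISGUISED_C),
                        ("renamed exe", RENAMED_EXE)]:
        print(f"{label:12} -> {check_upload('photo.jpg', blob)}")
```

A file that carries both the correct starting and closing values still passes this check, so treat it as a first filter and not as proof that the content is a valid image.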
Final Thoughts
As I've said before, this is not every file signature out there, nor is it
even every possible variant of the file types that are included, so see
File Signatures
for a list of almost every file signature out there.