file_signature_dict.py
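# Lookup table of known file signatures ("magic numbers").
#
# Key:   the signature as upper-case hex byte pairs separated by single spaces,
#        e.g. "25 50 44 46" for the ASCII bytes "%PDF".
# Value: list of (extension, description) tuples. "*" appears to stand for
#        "no single extension" (ELF, pcap, cpio, ...).
# Template for a new entry:  "": [("", "")],
#
# NOTE(review): the original comment here read "A Magic Number is 512 Bytes in
# total". The signatures below are between one and a few dozen bytes long; 512
# is presumably the size of the leading block the caller reads before
# matching -- confirm against the lookup code, which is not in this file.
#
# Caveats for anyone acting on a match:
# - A signature describes only the first bytes of a file, and those bytes are
#   chosen by whoever produced the file. A match is a hint about the format,
#   not evidence that the content is well-formed or safe to open, so it should
#   not be the only check behind an allow/deny decision (upload filtering,
#   attachment handling, triage).
# - One- and two-byte keys ("00", "03", "78", "FF", ...) match a large share
#   of arbitrary data and will produce false positives.
# - Many keys are prefixes of longer keys ("50 4B 03 04" vs.
#   "50 4B 03 04 14 00 06 00"), and container formats (ZIP, OLE2, RIFF, MZ)
#   map to many extensions. The lookup presumably has to prefer the longest
#   matching key and report the remaining candidates as ambiguous -- TODO
#   confirm in the caller.
file_signature_dict = {
    "00": [("PIC", "IBM Storyboard bitmap file"), ("MOV", "Apple QuickTime movie file"), ("PIF", "Windows Program Information File"), ("SEA", "Mac Stuffit Self-Extracting Archive"), ("YTR", "IRIS OCR data file")],
    "00 00 00 00 14 00 00 00": [("TBI", "Windows Disk Image file")],
    '00 00 00 0C 6A 50 20 20': [('JP2', 'JPEG2000 image files')],
    '00 00 00 14 66 74 79 70': [('3GP', '3GPP multimedia files')],
    '00 00 00 18 66 74 79 70': [('3GP5', 'MPEG-4 video files')],
    '00 00 00 20 66 74 79 70': [('3GP', '3GPP2 multimedia files')],
    '00 00 00 20 66 74 79 70 4D 34 41': [('M4A', 'Apple audio and video files')],
    '00 00 01 00': [('SPL', 'Windows icon|printer spool file')],
    '00 00 01 B3': [('MPG', 'MPEG video file')],
    '00 00 01 BA': [('VOB', 'DVD video file')],
    '00 00 02 00': [('CUR', 'Windows cursor'), ("WB2", "QuattroPro for Windows Spreadsheet file")],
    '00 00 02 00 06 04 06 00': [('WK1', 'Lotus 1-2-3 (v1)')],
    '00 00 1A 00 00 10 04 00': [('WK3', 'Lotus 1-2-3 (v3)')],
    '00 00 1A 00 02 10 04 00': [('WK5', 'Lotus 1-2-3 (v4|v5)')],
    '00 00 1A 00 05 10 04': [('123', 'Lotus 1-2-3 (v9)')],
    '00 00 49 49 58 50 52': [('QXD', 'Quark Express (Intel)')],
    '00 00 4D 4D 58 50 52': [('QXD', 'Quark Express (Motorola)')],
    '00 00 FF FF FF FF': [('HLP', 'Windows Help file_1')],
    '00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65': [('MNY', 'Microsoft Money file')],
    '00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42': [('ACCDB', 'Microsoft Access 2007')],
    '00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42': [('MDB', 'Microsoft Access')],
    "00 00 00 00 62 31 05 00 09 00 00 00 00 20 00 00 00 09 00 00 00 00 00 00": [("DAT", "Bitcoin Core wallet.dat file")],
    '00 01 42 41': [('ABA', 'Palm Address Book Archive')],
    '00 01 42 44': [('DBA', 'Palm DateBook Archive')],
    '00 06 15 61 00 00 00 02 00 00 04 D2 00 00 10 00': [('DB', 'Netscape Navigator (v4) database')],
    '00 11': [('FLI', 'FLIC animation')],
    '00 14 00 00 01 02': [('*', 'BIOS details in RAM')],
    '00 1E 84 90 00 00 00 00': [('SNM', 'Netscape Communicator (v4) mail folder')],
    '00 6E 1E F0': [('PPT', 'PowerPoint presentation subheader_1')],
    '01 0F 00 00': [('MDF', 'SQL Data Base')],
    '01 10': [('TR1', 'Novell LANalyzer capture file')],
    '01 DA 01 01 00 03': [('RGB', 'Silicon Graphics RGB Bitmap')],
    '01 FF 02 04 03 02': [('DRW', 'Micrografx vector graphic file')],
    '02 64 73 73': [('DSS', 'Digital Speech Standard file')],
    '03': [('DB3', 'dBASE III file')],
    '03 00 00 00': [('QPH', 'Quicken price history')],
    '03 00 00 00 41 50 50 52': [('ADX', 'Approach index file')],
    '04': [('DB4', 'dBASE IV file')],
    '04 00 00 00': [('*', 'INFO2 Windows recycle bin_1')],
    '05 00 00 00': [('*', 'INFO2 Windows recycle bin_2')],
    '07': [('DRW', 'Generic drawing programs')],
    '07 53 4B 46': [('SKF', 'SkinCrafter skin')],
    '07 64 74 32 64 64 74 64': [('DTD', 'DesignTools 2D Design file')],
    '08': [('DB', 'dBASE IV or dBFast configuration file')],
    '09 08 10 00 00 06 05 00': [('XLS', 'Excel spreadsheet subheader_1')],
    '0A 02 01 01': [('PCX', 'ZSOFT Paintbrush file_1')],
    '0A 03 01 01': [('PCX', 'ZSOFT Paintbrush file_2')],
    '0A 05 01 01': [('PCX', 'ZSOFT Paintbrush file_3')],
    '0C ED': [('MP', 'Monochrome Picture TIFF bitmap')],
    '0D 44 4F 43': [('DOC', 'DeskMate Document')],
    '0E 4E 65 72 6F 49 53 4F': [('NRI', 'Nero CD compilation')],
    '0E 57 4B 53': [('WKS', 'DeskMate Worksheet')],
    '0F 00 E8 03': [('PPT', 'PowerPoint presentation subheader_2')],
    '11 00 00 00 53 43 43 41': [('PF', 'Windows prefetch file')],
    '1A 00 00': [('NTF', 'Lotus Notes database template')],
    '1A 00 00 04 00 00': [('NSF', 'Lotus Notes database')],
    '1A 02': [('ARC', 'LH archive (old vers.|type 1)')],
    '1A 03': [('ARC', 'LH archive (old vers.|type 2)')],
    '1A 04': [('ARC', 'LH archive (old vers.|type 3)')],
    '1A 08': [('ARC', 'LH archive (old vers.|type 4)')],
    '1A 09': [('ARC', 'LH archive (old vers.|type 5)')],
    '1A 0B': [('PAK', 'PAK Compressed archive file')],
    '1A 35 01 00': [('ETH', 'WinPharoah capture file')],
    '1A 45 DF A3 93 42 82 88': [('MKV', 'Matroska stream file')],
    '1A 52 54 53 20 43 4F 4D': [('DAT', 'Runtime Software disk image')],
    '1D 7D': [('WS', 'WordStar Version 5.0|6.0 document')],
    '1F 8B 08': [('GZ', 'GZIP archive file')],
    '1F 9D 90': [('TAR.Z', 'Compressed tape archive_1')],
    '1F A0': [('TAR.Z', 'Compressed tape archive_2')],
    '21 12': [('AIN', 'AIN Compressed Archive')],
    '21 3C 61 72 63 68 3E 0A': [('LIB', 'Unix archiver (ar)|MS Program Library Common Object File Format (COFF)')],
    '23 20': [('MSI', 'Cerius2 file')],
    '23 20 44 69 73 6B 20 44': [('VMDK', 'VMware 4 Virtual Disk description')],
    '23 20 4D 69 63 72 6F 73': [('DSP', 'MS Developer Studio project file')],
    '23 21 41 4D 52': [('AMR', 'Adaptive Multi-Rate ACELP Codec (GSM)')],
    '23 3F 52 41 44 49 41 4E': [('HDR', 'Radiance High Dynamic Range image file')],
    '24 46 4C 32 40 28 23 29': [('SAV', 'SPSS Data file')],
    '25 21 50 53 2D 41 64 6F': [('EPS', 'Encapsulated PostScript file')],
    # "%PDF": the table listed only the FDF extension for this header; PDF is
    # appended so ordinary PDF files are reported under their own extension.
    '25 50 44 46': [('FDF', 'PDF file'), ('PDF', 'PDF file')],
    '28 54 68 69 73 20 66 69': [('HQX', 'BinHex 4 Compressed Archive')],
    '2A 2A 2A 20 20 49 6E 73': [('LOG', 'Symantec Wise Installer log')],
    '2D 6C 68': [('LZH', 'Compressed archive')],
    '2E 52 45 43': [('IVR', 'RealPlayer video file (V11+)')],
    '2E 52 4D 46': [('RMVB', 'RealMedia streaming media')],
    '2E 52 4D 46 00 00 00 12': [('RA', 'RealAudio file')],
    '2E 72 61 FD 00': [('RA', 'RealAudio streaming media')],
    # Extension was ' AU' with a stray leading space, which breaks comparisons
    # against a file's actual extension.
    '2E 73 6E 64': [('AU', 'NeXT|Sun Microsystems audio file')],
    '30': [('CAT', 'MS security catalog file')],
    '30 00 00 00 4C 66 4C 65': [('EVT', 'Windows Event Viewer file')],
    '30 26 B2 75 8E 66 CF 11': [('WMV', 'Windows Media Audio|Video File'), ("WMA", "Windows Media Audio|Video File")],
    '30 31 4F 52 44 4E 41 4E': [('NTF', 'National Transfer Format Map')],
    '30 37 30 37 30': [('*', 'cpio archive')],
    '31 BE': [('WRI', 'MS Write file_1')],
    '32 BE': [('WRI', 'MS Write file_2')],
    '34 CD B2 A1': [('*', 'Tcpdump capture file')],
    '37 7A BC AF 27 1C': [('7Z', '7-Zip compressed file')],
    '37 E4 53 96 C9 DB D6 07': [('*', 'zisofs compressed file')],
    '38 42 50 53': [('PSD', 'Photoshop image')],
    '3A 56 45 52 53 49 4F 4E': [('SLE', 'Surfplan kite project file')],
    '3C': [('XDR', 'BizTalk XML-Data Reduced Schema')],
    '3C 21 64 6F 63 74 79 70': [('DCI', 'AOL HTML mail')],
    '3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D': [('MANIFEST', 'Windows Visual Stylesheet')],
    '3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E': [('XML', 'User Interface Language')],
    '3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E 0D 0A 3C 4D 4D 43 5F 43 6F 6E 73 6F 6C 65 46 69 6C 65 20 43 6F 6E 73 6F 6C 65 56 65 72': [('MSC', 'MMC Snap-in Control file')],
    '3C 4D 61 6B 65 72 46 69': [('MIF', 'Adobe FrameMaker')],
    '3E 00 03 00 FE FF 09 00 06': [('WB3', 'Quatro Pro for Windows 7.0')],
    '3F 5F 03 00': [('GID', 'Windows Help file_2')],
    '40 40 40 20 00 00 40 40 40 40': [('ENL', 'EndNote Library File')],
    '41 43 31 30': [('DWG', 'Generic AutoCAD drawing')],
    '41 43 53 44': [('*', 'AOL parameter|info files')],
    '41 43 76': [('SLE', 'Steganos virtual secure drive')],
    '41 4D 59 4F': [('SYW', 'Harvard Graphics symbol graphic')],
    '41 4F 4C': [('PFC', 'AOL config files'), ("IDX", "AOL config files"), ("IND", "AOL config files"), ("BAG", "AOL config files"), ("ABI", "AOL config files")],
    '41 4F 4C 20 46 65 65 64': [('BAG', 'AOL and AIM buddy list')],
    '41 4F 4C 44 42': [('IDX', 'AOL user configuration')],
    '41 4F 4C 49 44 58': [('IND', 'AOL client preferences|settings file')],
    '41 4F 4C 49 4E 44 45 58': [('ABI', 'AOL address book index')],
    '41 4F 4C 56 4D 31 30 30': [('PFC', 'AOL personal file cabinet')],
    '41 56 47 36 5F 49 6E 74': [('DAT', 'AVG6 Integrity database')],
    '41 72 43 01': [('ARC', 'FreeArc compressed file')],
    '42 45 47 49 4E 3A 56 43': [('VCF', 'vCard')],
    '42 4C 49 32 32 33 51': [('BIN', 'Speedtouch router firmware')],
    '42 4D': [('BMP', 'Bitmap image')],
    '42 4F 4F 4B 4D 4F 42 49': [('PRC', 'Palmpilot resource file')],
    '42 5A 68': [('TBZ2', 'bzip2 compressed archive'), ("TB2", "bzip2 compressed archive"), ("TAR.BZ2", "bzip2 compressed archive")],
    '43 23 2B 44 A4 43 4D A5': [('RTD', 'RagTime document')],
    '43 42 46 49 4C 45': [('CBD', 'WordPerfect dictionary')],
    '43 44 30 30 31': [('ISO', 'ISO-9660 CD Disc Image')],
    '43 4D 58 31': [('CLB', 'Corel Binary metafile')],
    '43 4F 4D 2B': [('CLB', 'COM+ Catalog')],
    '43 4F 57 44': [('VMDK', 'VMware 3 Virtual Disk')],
    '43 50 54 37 46 49 4C 45': [('CPT', 'Corel Photopaint file_1')],
    '43 50 54 46 49 4C 45': [('CPT', 'Corel Photopaint file_2')],
    '43 52 45 47': [('DAT', 'Win9x registry hive')],
    '43 52 55 53 48 20 76': [('CRU', 'Crush compressed archive')],
    '43 57 53': [('SWF', 'Shockwave Flash file')],
    '43 61 74 61 6C 6F 67 20': [('CTF', 'WhereIsIt Catalog')],
    '43 6C 69 65 6E 74 20 55': [('DAT', 'IE History file')],
    '44 42 46 48': [('DB', 'Palm Zire photo database')],
    '44 4D 53 21': [('DMS', 'Amiga DiskMasher compressed archive')],
    '44 4F 53': [('ADF', 'Amiga disk file')],
    '44 56 44': [('IFO', 'DVD info file')],
    '45 4C 49 54 45 20 43 6F': [('CDR', 'Elite Plus Commander game file')],
    '45 4E 54 52 59 56 43 44': [('VCD', 'VideoVCD|VCDImager file')],
    '45 50': [('MDI', 'MS Document Imaging file')],
    '45 52 46 53 53 41 56 45': [('DAT', 'EasyRecovery Saved State file')],
    '45 56 46 09 0D 0A FF 00': [('E01', 'Expert Witness Compression Format')],
    '45 6C 66 46 69 6C 65 00': [('EVTX', 'Windows Vista event log')],
    '45 86 00 00 06 00': [('QBB', 'QuickBooks backup')],
    '46 41 58 43 4F 56 45 52': [('CPE', 'MS Fax Cover Sheet')],
    '46 4C 56': [('FLV', 'Flash video file')],
    '46 4F 52 4D 00': [('AIFF', 'Audio Interchange File')],
    '46 57 53': [('SWF', 'Shockwave Flash player')],
    '46 72 6F 6D': [('EML', 'Generic e-mail_2')],
    '47 49 46 38': [('GIF', 'GIF file')],
    '47 50 41 54': [('PAT', 'GIMP pattern file')],
    '47 58 32': [('GX2', 'Show Partner graphics file')],
    '48 48 47 42 31': [('SH3', 'Harvard Graphics presentation file')],
    '48 69 50 21': [('hip', 'Houdini image file. Three-dimensional modeling and animation')],
    '49 20 49': [('TIFF', 'TIFF file_1'), ("TIFF", "TIFF file_2")],
    '49 44 33': [('MP3', 'MP3 audio file')],
    '49 44 33 03 00 00 00': [('KOZ', 'Sprint Music Store audio')],
    '49 49 1A 00 00 00 48 45': [('CRW', 'Canon RAW file')],
    '49 49 2A 00': [('TIFF', 'TIFF file_2')],
    '49 53 63 28': [('HDR', 'Install Shield compressed file')],
    '49 54 4F 4C 49 54 4C 53': [('LIT', 'MS Reader eBook')],
    '49 54 53 46': [('CHM', 'MS Compiled HTML Help File')],
    '49 6E 6E 6F 20 53 65 74': [('DAT', 'Inno Setup Uninstall Log')],
    '4A 41 52 43 53 00': [('JAR', 'JARCS compressed archive')],
    '4A 47 03 0E': [('JG', 'AOL ART file_1')],
    '4A 47 04 0E': [('JG', 'AOL ART file_2')],
    '4B 44 4D': [('VMDK', 'VMware 4 Virtual Disk')],
    '4B 47 42 5F 61 72 63 68': [('KGB', 'KGB archive')],
    '4B 49 00 00': [('SHD', 'Win9x printer spool file')],
    '4B 57 41 4A 88 F0 27 D1': [('*', 'KWAJ (compressed) file')],
    '4C 00 00 00 01 14 02 00': [('LNK', 'Windows shortcut file')],
    '4C 01': [('OBJ', 'MS COFF relocatable object code')],
    '4C 4E 02 00': [('GID', 'Windows help file_3')],
    '4C 56 46 09 0D 0A FF 00': [('E01', 'Logical File Evidence Format')],
    '4D 2D 57 20 50 6F 63 6B': [('PDB', 'Merriam-Webster Pocket Dictionary')],
    '4D 41 52 31 00': [('MAR', 'Mozilla archive')],
    '4D 41 52 43': [('MAR', 'Microsoft|MSN MARC archive')],
    '4D 41 72 30 00': [('MAR', 'MAr compressed archive')],
    '4D 44 4D 50 93 A7': [('DMP', 'Windows dump file')],
    '4D 49 4C 45 53': [('MLS', 'Milestones project management file')],
    '4D 4C 53 57': [('MLS', 'Skype localization data file')],
    '4D 4D 00 2A': [('TIF', 'TIFF file_3')],
    '4D 4D 00 2B': [('TIF', 'TIFF file_4')],
    '4D 4D 4D 44 00 00': [('MMF', 'Yamaha Synthetic music Mobile Application Format')],
    '4D 52 56 4E': [('NVRAM', 'VMware BIOS state file')],
    '4D 53 43 46': [('CAB', 'Microsoft cabinet file'), ("PPZ", "Powerpoint Packaged Presentation")],
    '4D 53 46 54 02 00 01 00': [('TLB', 'OLE|SPSS|Visual C++ library file')],
    '4D 53 5F 56 4F 49 43 45': [('CDR', 'Sony Compressed Voice File'), ("DVF", "Sony Compressed Voice File")],
    '4D 54 68 64': [('MID', 'MIDI sound file')],
    '4D 56': [('DSN', 'CD Stomper Pro label file')],
    '4D 56 32 31 34': [('MLS', 'Milestones project management file_1')],
    '4D 56 32 43': [('MLS', 'Milestones project management file_2')],
    '4D 5A': [('QTX', 'Windows|DOS executable file'), ("QTS", "Windows|DOS executable file"), ("PIF", "Windows|DOS executable file"), ("EXE", "Windows|DOS executable file"), ("DRV", "Windows|DOS executable file"), ("DLL", "Windows|DOS executable file"), ("386", "Windows virtual device drivers"), ("VXD", "Windows virtual device drivers"), ("COM", "Windows|DOS executable file"), ("VBX", "VisualBASIC application"), ("CPL", "Control panel application"), ("ACM", "MS audio compression manager driver"), ("OCX", "ActiveX|OLE Custom Control"), ("SCR", "Screen saver"), ("AX", "Library cache file"), ("OLB", "OLE object library")],
    '4D 5A 90 00 03 00 00 00': [('AX', 'DirectShow filter'), ("FLT", "Audition graphic filter")],
    '4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF': [('ZAP', 'ZoneAlam data file')],
    '4D 69 63 72 6F 73 6F 66 74 20 43 2F 43 2B 2B 20': [('PDB', 'MS C++ debugging symbols file')],
    '4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C': [('SLN', 'Visual Studio .NET file')],
    '4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 4D 65 64 69 61 20 50 6C 61 79 65 72 20 2D 2D 20': [('WPL', 'Windows Media Player playlist')],
    '4E 41 56 54 52 41 46 46': [('DAT', 'TomTom traffic data')],
    '4E 42 2A 00': [('JTP', 'MS Windows journal')],
    '4E 45 53 4D 1A 01': [('NSF', 'NES Sound file')],
    '4E 49 54 46 30': [('NTF', 'National Imagery Transmission Format file')],
    '4E 61 6D 65 3A 20': [('COD', 'Agent newsreader character map')],
    '4F 50 4C 44 61 74 61 62': [('DBF', 'Psion Series 3 Database')],
    '4F 67 67 53 00 02 00 00': [('OGX', 'Ogg Vorbis Codec compressed file'), ("OGV", "Ogg Vorbis Codec compressed file"), ("OGG", "Ogg Vorbis Codec compressed file")],
    '4F 7B': [('DW4', 'Visio|DisplayWrite 4 text file')],
    '50 00 00 00 20 00 00 00': [('IDX', 'Quicken QuickFinder Information File')],
    '50 35 0A': [('PGM', 'Portable Graymap Graphic')],
    '50 41 43 4B': [('PAK', 'Quake archive file')],
    '50 41 47 45 44 55': [('DMP', 'Windows memory dump')],
    '50 41 58': [('PAX', 'PAX password protected bitmap')],
    '50 45 53 54': [('DAT', 'PestPatrol data|scan strings')],
    '50 47 50 64 4D 41 49 4E': [('PGD', 'PGP disk image')],
    '50 49 43 54 00 08': [('IMG', 'ChromaGraph Graphics Card Bitmap')],
    '50 4B 03 04': [('OTT', 'OpenDocument template'), ("KWD", "KWord document"), ("SXD", "OpenOffice documents"), ("SXI", "OpenOffice documents"), ("CUIX", "Customization files"), ("SXW", "OpenOffice documents"), ("XPS", "XML paper specification file"), ("WMZ", "Windows Media compressed skin file"), ("ZIP", "PKZIP archive_1"), ("DOCX", "MS Office Open XML Format Document"), ("SXC", "StarOffice spreadsheet"), ("PPTX", "MS Office Open XML Format Document"), ("ODT", "OpenDocument template"), ("XLSX", "MS Office Open XML Format Document"), ("JAR", "Java archive_1"), ("XPI", "Mozilla Browser Archive"), ("XPT", "eXact Packager Models")],
    '50 4B 03 04 14 00 01 00': [('ZIP', 'ZLock Pro encrypted ZIP')],
    '50 4B 03 04 14 00 06 00': [('DOCX', 'MS Office 2007 documents'), ("PPTX", "MS Office 2007 documents")],
    '50 4B 03 04 14 00 08 00': [('JAR', 'Java archive_2')],
    '50 4B 05 06': [('ZIP', 'PKZIP archive_2')],
    '50 4B 07 08': [('ZIP', 'PKZIP archive_3')],
    '50 4B 4C 49 54 45': [('ZIP', 'PKLITE archive')],
    '50 4B 53 70 58': [('ZIP', 'PKSFX self-extracting archive')],
    '50 4D 43 43': [('GRP', 'Windows Program Manager group file')],
    '50 4E 43 49 55 4E 44 4F': [('DAT', 'Norton Disk Doctor undo file')],
    '51 45 4C 20': [('QEL', 'QDL Quicken data')],
    '51 46 49': [('QEMU', 'Qcow Disk Image')],
    '51 57 20 56 65 72 2E 20': [('QSD', 'ABD | QSD Quicken data file')],
    '52 41 5A 41 54 44 42 31': [('DAT', 'Shareaza (P2P) thumbnail')],
    '52 45 47 45 44 49 54': [('SUD', 'WinNT Registry|Registry Undo files')],
    '52 45 56 4E 55 4D 3A 2C': [('AD', 'Antenna data file')],
    '52 49 46 46': [('WAV', 'Resource Interchange File Format'), ("RMI", "Resource Interchange File Format"), ("QCP", "Resource Interchange File Format"), ("CDA", "Resource Interchange File Format"), ("ANI", "Windows animated cursor"), ("AVI", "Resource Interchange File Format"), ("DS4", "Micrografx Designer graphic"), ("CDR", "CorelDraw document"), ("CMX", "Corel Presentation Exchange metadata"), ("DAT", "Video CD MPEG movie")],
    '52 54 53 53': [('CAP', 'WinNT Netmon capture file')],
    '52 61 72 21 1A 07 00': [('RAR', 'WinRAR compressed archive')],
    '52 65 74 75 72 6E 2D 50': [('EML', 'Generic e-mail_1')],
    '53 43 48 6C': [('AST', 'Underground Audio')],
    '53 43 4D 49': [('IMG', 'Img Software Bitmap')],
    '53 48 4F 57': [('SHW', 'Harvard Graphics presentation')],
    '53 49 45 54 52 4F 4E 49': [('CPI', 'Sietronics CPI XRD document')],
    '53 49 54 21 00': [('SIT', 'StuffIt archive')],
    '53 4D 41 52 54 44 52 57': [('SDR', 'SmartDraw Drawing file')],
    '53 51 4C 4F 43 4F 4E 56': [('CNV', 'DB2 conversion file')],
    '53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00': [('DB', 'SQLite database file')],
    '53 5A 20 88 F0 27 33 D1': [('*', 'QBASIC SZDD file')],
    '53 5A 44 44 88 F0 27 33': [('*', 'SZDD file format')],
    '53 74 75 66 66 49 74 20': [('SIT', 'StuffIt compressed archive')],
    '53 75 70 65 72 43 61 6C': [('CAL', 'SuperCalc worksheet')],
    '54 68 69 73 20 69 73 20': [('INFO', 'GNU Info Reader file')],
    '55 43 45 58': [('UCE', 'Unicode extensions')],
    '55 46 41 C6 D2 C1': [('UFA', 'UFA compressed archive')],
    '55 46 4F 4F 72 62 69 74': [('DAT', 'UFO Capture map file')],
    '56 43 50 43 48 30': [('PCH', 'Visual C PreCompiled header')],
    '56 45 52 53 49 4F 4E 20': [('CTL', 'Visual Basic User-defined Control file')],
    '56 65 72 73 69 6F 6E 20': [('MIF', 'MapInfo Interchange Format file')],
    '57 4D 4D 50': [('DAT', 'Walkman MP3 file')],
    '57 53 32 30 30 30': [('WS2', 'WordStar for Windows file')],
    '57 69 6E 5A 69 70': [('ZIP', 'WinZip compressed archive')],
    '57 6F 72 64 50 72 6F': [('LWP', 'Lotus WordPro file')],
    '58 2D': [('EML', 'Exchange e-mail')],
    '58 43 50 00': [('CAP', 'Packet sniffer files')],
    '58 50 43 4F 4D 0A 54 79': [('XPT', 'XPCOM libraries')],
    '58 54': [('BDR', 'MS Publisher')],
    '5A 4F 4F 20': [('ZOO', 'ZOO compressed archive')],
    '5B 47 65 6E 65 72 61 6C': [('ECF', 'MS Exchange configuration file')],
    '5B 4D 53 56 43': [('VCW', 'Visual C++ Workbench Info File')],
    '5B 50 68 6F 6E 65 5D': [('DUN', 'Dial-up networking file')],
    '5B 56 45 52 5D': [('SAM', 'Lotus AMI Pro document_1')],
    '5B 57 69 6E 64 6F 77 73': [('CPX', 'Microsoft Code Page Translation file')],
    '5B 66 6C 74 73 69 6D 2E': [('CFG', 'Flight Simulator Aircraft Configuration')],
    '5B 76 65 72 5D': [('SAM', 'Lotus AMI Pro document_2')],
    '5F 27 A8 89': [('JAR', 'Jar archive')],
    '5F 43 41 53 45 5F': [('CAS', 'EnCase case file')],
    '60 EA': [('ARJ', 'ARJ Compressed archive file')],
    '62 65 67 69 6E': [('*', 'UUencoded file')],
    '62 70 6C 69 73 74': [('*', 'Binary property list (plist)')],
    '63 6F 6E 65 63 74 69 78': [('VHD', 'Virtual PC HD image')],
    '63 75 73 68 00 00 00 02': [('CSH', 'Photoshop Custom Shape')],
    '64 00 00 00': [('P10', 'Intel PROset|Wireless Profile')],
    '64 65 78 0A 30 30 39 00': [('dex', 'Dalvik (Android) executable file')],
    '64 6E 73 2E': [('AU', 'Audacity audio file')],
    '64 73 77 66 69 6C 65': [('DSW', 'MS Visual Studio workspace file')],
    '66 49 00 00': [('SHD', 'WinNT printer spool file')],
    '66 4C 61 43 00 00 00 22': [('FLAC', 'Free Lossless Audio Codec file')],
    '66 72 65 65': [('MOV', 'QuickTime movie_2')],
    '67 49 00 00': [('SHD', 'Win2000|XP printer spool file')],
    '68 49 00 00': [('SHD', 'Win Server 2003 printer spool file')],
    '6C 33 33 6C': [('DBB', 'Skype user data file')],
    '6D 64 61 74': [('MOV', 'QuickTime movie_3')],
    '6D 6F 6F 76': [('MOV', 'QuickTime movie_1')],
    '6F 3C': [('*', 'SMS text (SIM)')],
    '70 6E 6F 74': [('MOV', 'QuickTime movie_5')],
    '72 65 67 66': [('DAT', 'WinNT registry file')],
    '72 69 66 66': [('AC', 'Sonic Foundry Acid Music File')],
    '72 74 73 70 3A 2F 2F': [('RAM', 'RealMedia metafile')],
    '73 6B 69 70': [('MOV', 'QuickTime movie_6')],
    '73 6C 68 21': [('DAT', 'Allegro Generic Packfile (compressed)')],
    '73 6C 68 2E': [('DAT', 'Allegro Generic Packfile (uncompressed)')],
    '73 6D 5F': [('PDB', 'PalmOS SuperMemo')],
    '73 72 63 64 6F 63 69 64': [('CAL', 'CALS raster bitmap')],
    '73 7A 65 7A': [('PDB', 'PowerBASIC Debugger Symbols')],
    '74 42 4D 50 4B 6E 57 72': [('PRC', 'PathWay Map file')],
    '74 68 69 73 20 69 73': [('FILE', 'Windows Extension for Unknown Format')],
    '75 73 74 61 72': [('TAR', 'Tape Archive')],
    '76 32 30 30 33 2E 31 30': [('FLT', 'Qimage filter')],
    '77 69 64 65': [('MOV', 'QuickTime movie_4')],
    '78': [('DMG', 'MacOS X image file')],
    '7A 62 65 78': [('INFO', 'ZoomBrowser Image Index')],
    '7B 0D 0A 6F 20': [('LGC', 'Windows application log')],
    '7B 5C 70 77 69': [('PWI', 'MS WinMobile personal note')],
    '7B 5C 72 74 66 31': [('RTF', 'RTF file')],
    '7E 42 4B 00': [('PSP', 'Corel Paint Shop Pro image')],
    '7F 45 4C 46': [('*', 'ELF executable')],
    '80': [('OBJ', 'Relocatable object code')],
    '80 00 00 20 03 12 04': [('ADX', 'Dreamcast audio')],
    '81 32 84 C1 85 05 D0 11': [('WAB', 'Outlook Express address book (Win95)')],
    '81 CD AB': [('WPF', 'WordPerfect text')],
    '89 50 4E 47 0D 0A 1A 0A': [('PNG', 'PNG image')],
    '8A 01 09 00 00 00 E1 08': [('AW', 'MS Answer Wizard')],
    '91 33 48 46': [('HAP', 'Hamarsoft compressed archive')],
    '95 00': [('SKR', 'PGP secret keyring_1')],
    '95 01': [('SKR', 'PGP secret keyring_2')],
    '99': [('GPG', 'GPG public keyring')],
    '99 01': [('PKR', 'PGP public keyring')],
    '9C CB CB 8D 13 75 D2 11': [('WAB', 'Outlook address file')],
    'A0 46 1D F0': [('PPT', 'PowerPoint presentation subheader_3')],
    'A1 B2 C3 D4': [('*', 'tcpdump (libpcap) capture file')],
    'A1 B2 CD 34': [('*', 'Extended tcpdump (libpcap) capture file')],
    'A9 0D 00 00 00 00 00 00': [('DAT', 'Access Data FTK evidence')],
    'AC 9E BD 8F 00 00': [('QDF', 'QDF Quicken data')],
    'AC ED': [('*', 'Java serialization data')],
    'AC ED 00 05 73 72 00 12': [('PDB', 'BGBlitz position database file')],
    'B0 4D 46 43': [('PWL', 'Win95 password file')],
    'B1 68 DE 3A': [('DCX', 'PCX bitmap')],
    'B4 6E 68 44': [('TIB', 'Acronis True Image')],
    'B5 A2 B0 B3 B3 B0 A5 B5': [('CAL', 'Windows calendar')],
    'BE 00 00 00 AB': [('WRI', 'MS Write file_3')],
    'C3 AB CD AB': [('ACS', 'MS Agent Character file')],
    'C5 D0 D3 C6': [('EPS', 'Adobe encapsulated PostScript')],
    'C8 00 79 00': [('LBK', 'Jeppesen FliteLog file')],
    'CA FE BA BE': [('CLASS', 'Java bytecode')],
    'CD 20 AA AA 02 00 00 00': [('*', 'NAV quarantined virus file')],
    'CF 11 E0 A1 B1 1A E1 00': [('DOC', 'Perfect Office document')],
    'CF AD 12 FE': [('DBX', 'Outlook Express e-mail folder')],
    'D0 CF 11 E0 A1 B1 1A E1': [('PPS', 'Microsoft Office document'), ("RVT", "Revit Project file"), ("AC_", "CaseWare Working Papers"), ("APR", "Lotus|IBM Approach 97 file"), ("DOC", "Microsoft Office document"), ("SOU", "Visual Studio Solution User Options file"), ("PPT", "Microsoft Office document"), ("DB", "MSWorks database file"), ("WIZ", "Microsoft Office document"), ("XLA", "Microsoft Office document"), ("MSC", "Microsoft Common Console Document"), ("MSI", "Microsoft Installer package"), ("PUB", "MS Publisher file"), ("OPT", "Developer Studio File Options file"), ("VSD", "Visio file"), ("WPS", "MSWorks text document"), ("ADP", "Access project file")],
    'D2 0A 00 00': [('FTR', 'WinPharoah filter file')],
    'D4 2A': [('AUT', 'AOL history|typed URL files')],
    'D4 C3 B2 A1': [('*', 'WinDump (winpcap) capture file')],
    'D7 CD C6 9A': [('WMF', 'Windows graphics metafile')],
    'DB A5 2D 00': [('DOC', 'Word 2.0 file')],
    'DC DC': [('CPL', 'Corel color palette')],
    'DC FE': [('EFX', 'eFax file')],
    'E3 10 00 01 00 00 00 00': [('INFO', 'Amiga icon')],
    'E3 82 85 96': [('PWL', 'Win98 password file')],
    'E4 52 5C 7B 8C D8 A7 4D': [('ONE', 'MS OneNote note')],
    'E8': [('SYS', 'Windows executable file_1')],
    'E9': [('SYS', 'Windows executable file_2')],
    'EB': [('SYS', 'Windows executable file_3')],
    'EB 3C 90 2A': [('IMG', 'GEM Raster file')],
    'EC A5 C1 00': [('DOC', 'Word document subheader')],
    'ED AB EE DB': [('RPM', 'RedHat Package Manager')],
    'EF BB BF': [('*', 'UTF8 file')],
    'FD FF FF FF': [('DB', 'Thumbs.db subheader')],
    'FD FF FF FF 04': [('SUO', 'Visual Studio Solution subheader')],
    'FD FF FF FF 0E 00 00 00': [('PPT', 'PowerPoint presentation subheader_4')],
    'FD FF FF FF 10': [('XLS', 'Excel spreadsheet subheader_2')],
    'FD FF FF FF 1C 00 00 00': [('PPT', 'PowerPoint presentation subheader_5')],
    'FD FF FF FF 1F': [('XLS', 'Excel spreadsheet subheader_3')],
    'FD FF FF FF 20': [('OPT', 'Developer Studio subheader')],
    'FD FF FF FF 22': [('XLS', 'Excel spreadsheet subheader_4')],
    'FD FF FF FF 23': [('XLS', 'Excel spreadsheet subheader_5')],
    'FD FF FF FF 28': [('XLS', 'Excel spreadsheet subheader_6')],
    'FD FF FF FF 29': [('XLS', 'Excel spreadsheet subheader_7')],
    'FD FF FF FF 43 00 00 00': [('PPT', 'PowerPoint presentation subheader_6')],
    'FE EF': [('GHO', 'Symantex Ghost image file')],
    'FE FF': [('*', 'UTF-16|UCS-2 file')],
    'FF': [('SYS', 'Windows executable')],
    'FF 00 02 00 04 04 05 54': [('WKS', 'Works for Windows spreadsheet')],
    'FF 46 4F 4E 54': [('CPI', 'Windows international code page')],
    'FF 4B 45 59 42 20 20 20': [('SYS', 'Keyboard driver file')],
    'FF 57 50 43': [('WP6', 'WordPerfect text and graphics'), ("WPD", "WordPerfect text and graphics"), ("WPG", "WordPerfect text and graphics"), ("WPP", "WordPerfect text and graphics"), ("WP", "WordPerfect text and graphics")],
    'FF D8 FF E0': [('JFIF', 'JFIF IMAGE FILE - jpeg'), ("JPE", "JPE IMAGE FILE - jpeg"), ("JPEG", "JPEG IMAGE")],
    'FF D8 FF E1': [('JPG', 'Digital camera JPG using Exchangeable Image File Format (EXIF)')],
    'FF D8 FF E2': [('JPEG', 'CANNON EOS JPEG FILE')],
    'FF D8 FF E3': [('JPEG', 'SAMSUNG D500 JPEG FILE')],
    'FF D8 FF E8': [('JPG', 'Still Picture Interchange File Format (SPIFF)')],
    'FF FE': [('REG', 'Windows Registry file')],
    'FF FE 00 00': [('*', 'UTF-32|UCS-4 file')],
    'FF FE 23 00 6C 00 69 00': [('MOF', 'MSinfo file')],
    'FF FF FF FF': [('SYS', 'DOS system driver')],
}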
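# Banner and usage text for the command-line tool (the script that prints it is
# not part of this file).
#
# Every backslash in the banner is written as "\\". In the original, the banner
# row ending in a lone "\" acted as a line continuation inside the
# triple-quoted string and silently merged that row with the next one, and
# "\_" / "\|" are invalid escape sequences that newer Python versions warn
# about at compile time.
#
# NOTE(review): the banner and description say "FiSiPy" but the example
# invokes "SiFiPy.py" -- confirm the script name.
# NOTE(review): "-f | file=" and "--b, block_size=" read like option-spec
# strings rather than the flags a user types; confirm the exact spellings
# against the argument parser.
# The reported type is a best guess from the leading bytes of the file; it says
# nothing about whether the file is safe to open.
help_menu_text = """
-------------------------------------
______ _ _____ _ _____
| ____(_) / ____(_) | __ \\
| |__ _ | (___ _ | |__) | _
| __| | | \\___ \\| | | ___/ | | |
| | | | ____) | | | | | |_| |
|_| |_| |_____/|_| |_| \\__, |
__/ |
|___/
FiSiPy is a Python tool used to determine file type by using file signatures (magic numbers).
Example:
SiFiPy.py -f "C:\\Users\\Nate\\Files\\TestFile.docx"
Usage:
-f | file=
Used to specify the directory to the file.
--b, block_size=
Used to increase the scope/size of file signature. (Not necessary to change, it is automatically calculated)
-------------------------------------
"""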