Hex Values of Common File Headers

By Vesper Vei
7 minutes read

Table of Contents

  1. Hex Values of Common File Headers
    1. 1. What is a file header identifier (Magic Number)?
    2. 2. Detailed explanation of common file type headers
    3. 3. How to view and practice?

Hex Values of Common File Headers

Below I will provide you with a detailed, professional, and practical guide to common file header identifiers (Magic Numbers).

1. What is a file header identifier (Magic Number)?

  1. Definition: A file header identifier is a series of specific bytes located at the beginning of a file, usually represented in hexadecimal. It is like a “digital fingerprint” or “signature” used to uniquely identify the file’s type and format.

  2. Purpose:

    • Tells the operating system how to properly handle a file: When you double-click a file, the system reads its header rather than its extension to decide which program should open it.

    • Digital forensics and data recovery: When a file system is damaged, files are deleted, or extensions are maliciously altered, scanning the raw disk data (hex values) for file headers is a primary method for recovery and identification.

    • Malware analysis: When analyzing a suspicious file, the first step is often to inspect its header to determine its true type. For example, a file that appears to be .jpg may actually be an .exe executable.

    • Cybersecurity: WAFs (Web Application Firewalls) and intrusion detection systems (IDS) can inspect file headers to filter illegal file uploads and prevent attacks such as Webshells.

  3. Important note: File extensions (such as .txt, .exe, .jpg) can be changed arbitrarily and do not represent the file’s true type. File headers, however, are inside the file, and changing them usually corrupts the file, making them much more reliable.

2. Detailed explanation of common file type headers

Below is a categorized table containing the most common and most important file types. Offsets are usually counted from the beginning of the file (0x0).

1. Image Formats

File FormatCommon ExtensionsFile Header (Hex)File Footer (Hex)Notes
 JPEG/JFIF  .jpg.jpeg  FF D8 FF E0  FF D9 The most common image format. The opening FF D8 indicates the start of a JPEG, and FF E0 identifies the JFIF application segment.
 JPEG/Exif  .jpg.jpeg  FF D8 FF E1  FF D9 Created by digital cameras; FF E1 indicates the Exif application segment.
 PNG  .png  89 50 4E 47 0D 0A 1A 0A - 50 4E 47 is the ASCII code for the letters “PNG”, making it very easy to recognize.
 GIF  .gif  47 49 46 38  00 3B  47 49 46 38 is the opening part of “GIF89a” or “GIF87a”.
 BMP  .bmp  42 4D - 42 4D is the ASCII code for the letters “BM”.
 WEBP  .webp  52 49 46 46 ?? ?? ?? ?? 57 45 42 50 - 52 49 46 46 is “RIFF”, and 57 45 42 50 is “WEBP”. ?? represents the file size field.
 TIFF  .tif.tiff  49 49 2A 00 (little-endian) or 4D 4D 00 2A (big-endian)-There are two byte orders, so the opening identifiers differ as well.

2. Archive Formats

File FormatCommon ExtensionsFile Header (Hex)File Footer (Hex)Notes
 ZIP  .zip  50 4B 03 04 - 50 4B is the ASCII code for the letters “PK” (from founder Phil Katz). This is also the file header for .docx, .xlsx, .pptx and other Office documents, because they are essentially ZIP archives.
 RAR  .rar  52 61 72 21 1A 07 00 (RAR 4.x)- 52 61 72 21 is the ASCII code for “Rar!”. The RAR 5.0 format begins with 52 61 72 21 1A 07 01 00.
 7Z  .7z  37 7A BC AF 27 1C - 37 7A is the ASCII code for “7z”.
 GZIP  .gz  1F 8B -Commonly used for compression in Linux systems and network transmission.
TAR .tar No unified file header-TAR itself has no magic number and is usually identified through its internal structure.

3. Executable Formats

File FormatCommon ExtensionsFile Header (Hex)Notes
 Windows PE  .exe.dll.sys  4D 5A  4D 5A is the ASCII code for the letters “MZ” (from MS-DOS developer Mark Zbikowski). Modern PE files also contain an PE header (50 45 00 00) after the MZ header.
 ELF (no extension) 7F 45 4C 46  7F is followed by 45 4C 46, which is the ASCII code for “ELF”. It is the standard executable format on Linux/Unix.
 Mach-O (no extension) FE ED FA CE (32-bit) FE ED FA CF (64-bit) CA FE BA BE (universal binary)Executable format on macOS and iOS.

4. Documents & Text

File FormatCommon ExtensionsFile Header (Hex)Notes
 PDF  .pdf  25 50 44 46  25 50 44 46 is the ASCII code for “%PDF”.
 Microsoft Office  .doc.xls.ppt (old versions) D0 CF 11 E0 A1 B1 1A E1 Old OLE compound document format; all legacy Office documents share this header.
 Microsoft Office  .docx.xlsx.pptx (new versions) 50 4B 03 04 As mentioned earlier, they are ZIP files, so their file header is the same as ZIP.
 UTF-8 BOM  .txt etc. EF BB BF  Byte Order Mark (BOM); not required, but it sometimes appears at the beginning of a file to indicate encoding.

5. Audio & Video

File FormatCommon ExtensionsFile Header (Hex)Notes
 MP3  .mp3  FF FB or FF F3 or 49 44 33 MP3 files may have an ID3 tag (49 44 33, meaning “ID3”), or they may start directly with a frame sync signal (FF F?).
 WAV  .wav  52 49 46 46 ?? ?? ?? ?? 57 41 56 45  52 49 46 46 is “RIFF”, and 57 41 56 45 is “WAVE”.
 AVI  .avi  52 49 46 46 ?? ?? ?? ?? 41 56 49 20  52 49 46 46 is “RIFF”, and 41 56 49 20 is “AVI ”.
 MP4  .mp4  00 00 00 18 66 74 79 70 69 73 6F 6D or 00 00 00 20 66 74 79 70 69 73 6F 6DIt starts with a length field, but the key marker is 66 74 79 70, meaning “ftyp”.
 FLV  .flv  46 4C 56 01  46 4C 56 is the ASCII code for “FLV”.

3. How to view and practice?

  1. Use a hex editor:

    • Recommended tools: HxD (Windows), 010 Editor (cross-platform, professional), Bless Hex Editor (Linux), WinHex (Windows, professional).

    • Method: Open any file with these tools, and you will directly see its raw hexadecimal bytes. Compare them against the table above for verification.

  2. Use command-line tools (Linux/MacOS):

    • file command: file example.jpg The principle of this command is to read and analyze the file header information.

    • xxd or hexdump command: xxd example.jpg | head -n 5 can display the first few lines of a file in hexadecimal form.

  3. Online tools:

    • Search for “online hex editor” or “file signature lookup”. Many websites let you upload files or directly enter hex values for identification.

Relationship Graph

Loading graph...