Forensics, Reverse Engineering

How to identify unknown file type

You should never rely on a filename extension to determine what a file is or what it is supposed to do when opened. The output of each of the two programs described below is not 100% accurate either: someone could have edited the file with a hex editor to change its magic number or any other part of the file data in order to confuse tools like these. You should never fully trust the output of any tool if you haven’t analyzed the file manually.


TrID is a utility designed to identify file types from their binary signatures. TrID has no fixed rules: it is extensible and can be trained to recognize new formats. TrID has many uses: identifying what kind of file was sent to you via e-mail, aiding forensic analysis, supporting file recovery, etc. TrID is available for Windows and Linux systems.

Download TrID from here.
Download TrID file types definitions from here.
Download TrID GUI version from here along with xml file types definitions.


file is “a file type guesser”. It tests each argument in an attempt to classify it. There are three sets of tests, performed in this order: filesystem tests, magic tests, and language tests. The first test that succeeds causes the file type to be printed.

The file program is included in most UNIX and Linux systems today. Windows users will find the file program in Cygwin.

file options:

      --help                 display this help and exit
  -v, --version              output version information and exit
  -m, --magic-file LIST      use LIST as a colon-separated list of magic
                               number files
  -z, --uncompress           try to look inside compressed files
  -b, --brief                do not prepend filenames to output lines
  -c, --checking-printout    print the parsed form of the magic file, use in
                               conjunction with -m to debug a new magic file
                               before installing it
  -e, --exclude TEST         exclude TEST from the list of test to be
                               performed for file. Valid tests are:
                               apptype, ascii, cdf, compress, elf, encoding,
                               soft, tar, text, tokens
  -f, --files-from FILE      read the filenames to be examined from FILE
  -F, --separator STRING     use string as separator instead of `:'
  -i, --mime                 output MIME type strings (--mime-type and
                               --mime-encoding)
      --apple                output the Apple CREATOR/TYPE
      --mime-type            output the MIME type
      --mime-encoding        output the MIME encoding
  -k, --keep-going           don't stop at the first match
  -l, --list                 list magic strength
  -L, --dereference          follow symlinks (default if POSIXLY_CORRECT is set)
  -h, --no-dereference       don't follow symlinks (default if POSIXLY_CORRECT is not set)
  -n, --no-buffer            do not buffer output
  -N, --no-pad               do not pad output
  -0, --print0               terminate filenames with ASCII NUL
  -p, --preserve-date        preserve access times on files
  -r, --raw                  don't translate unprintable chars to \ooo
  -R, --recursion            set maximum recursion level
  -s, --special-files        treat special (block/char devices) files as
                             ordinary ones
  -C, --compile              compile file specified by -m
  -d, --debug                print debugging messages
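The magic test that file performs (and the signature matching TrID is built around) comes down to comparing bytes at known offsets against a table of signatures. The following Python script is an added example, not code from the page, from file(1) or from TrID: it implements a deliberately tiny signature table (constructed, not the real magic database), returns the first match the way file does by default, returns every match the way file -k does, and flags files whose extension claims something other than what the content says. The sample bytes are constructed.

```python
import os

# (offset, signature bytes, description): a small constructed subset of
# well-known signatures, not the real magic database of file(1) or TrID
MAGIC = [
    (0,   b"\x7fELF",            "ELF executable"),
    (0,   b"MZ",                 "DOS/Windows PE executable"),
    (0,   b"\x89PNG\r\n\x1a\n",  "PNG image"),
    (0,   b"\xff\xd8\xff",       "JPEG image"),
    (0,   b"%PDF-",              "PDF document"),
    (0,   b"PK\x03\x04",         "ZIP archive (also docx/jar/apk)"),
    (0,   b"\x1f\x8b",           "gzip compressed data"),
    (257, b"ustar",              "POSIX tar archive"),
]

# what each extension claims the file is; used only to spot disagreements
EXT_CLAIMS = {
    ".elf": "ELF executable", ".exe": "DOS/Windows PE executable",
    ".png": "PNG image", ".jpg": "JPEG image", ".jpeg": "JPEG image",
    ".pdf": "PDF document", ".zip": "ZIP archive (also docx/jar/apk)",
    ".gz": "gzip compressed data", ".tar": "POSIX tar archive",
}

def matches(data: bytes) -> list:
    """Every signature present in the header, like file -k (keep going)."""
    return [desc for off, sig, desc in MAGIC if data[off:off + len(sig)] == sig]

def identify(data: bytes) -> str:
    """First matching signature wins, like file's default magic test;
    'data' is the fallback when nothing in the table matches."""
    found = matches(data)
    return found[0] if found else "data"

def check(name: str, data: bytes) -> dict:
    """Compare the content-derived type with what the extension claims."""
    kind = identify(data)
    claim = EXT_CLAIMS.get(os.path.splitext(name)[1].lower())
    return {"type": kind, "claimed": claim,
            "mismatch": claim is not None and claim != kind}

def check_file(path: str) -> dict:
    """Same check on a real file; the first 512 bytes cover every offset above."""
    with open(path, "rb") as fh:
        return check(path, fh.read(512))

if __name__ == "__main__":
    # constructed sample: a PNG header delivered under a .pdf name
    fake = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check("invoice.pdf", fake))
```

A mismatch only means the name and the content disagree; as the text above says, the signature itself can be edited, so a clean result is not proof and the file still deserves manual inspection.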