Magic Bytes Reference
File signatures (magic bytes) for identifying file types by header bytes.
Back to all tools on ToolForge
What are magic bytes? Magic bytes are unique byte sequences at the start of files that identify the file type. They're embedded in the file format specification and remain constant regardless of filename. Example: All PNG files start with
89 50 4E 47 0D 0A 1A 0A.
About Magic Bytes Reference
This reference lists magic bytes (file signatures) used to identify file types when extensions are missing, unreliable, or potentially spoofed. Security software, file managers, and forensic tools use magic bytes for accurate file type detection.
Each signature shows the hexadecimal values of the first bytes of a file, along with associated extensions and format description.
How to Read File Headers
Hex Format: FF D8 FF E0 00 10 4A 46 49 46 00 01 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └─ Null terminator │ │ │ │ │ │ │ │ │ │ └──── ASCII 'F' │ │ │ │ │ │ │ │ │ └─────── ASCII 'I' │ │ │ │ │ │ │ │ └────────── ASCII 'F' │ │ │ │ │ │ │ └───────────── ASCII 'J' │ │ │ │ │ │ └──────────────── Length marker │ │ │ │ │ └─────────────────── APP0 marker │ │ │ │ └────────────────────── Start of Image │ │ │ └───────────────────────── JPEG marker │ │ └──────────────────────────── JPEG marker │ └─────────────────────────────── JPEG marker └────────────────────────────────── JPEG SOI marker This is a JPEG file with JFIF header.
Reading Magic Bytes in Code
// Node.js - Read file header
const fs = require('fs');
function getFileType(filePath) {
const buffer = fs.readFileSync(filePath, { encoding: 'hex', start: 0, end: 16 });
const hex = buffer.toUpperCase().match(/.{2}/g).join(' ');
if (hex.startsWith('89 50 4E 47')) return 'PNG image';
if (hex.startsWith('FF D8 FF')) return 'JPEG image';
if (hex.startsWith('47 49 46')) return 'GIF image';
if (hex.startsWith('25 50 44 46')) return 'PDF document';
if (hex.startsWith('50 4B 03 04')) return 'ZIP archive';
if (hex.startsWith('7F 45 4C 46')) return 'ELF executable';
return 'Unknown';
}
// Python - Read file header
def get_file_type(path):
with open(path, 'rb') as f:
header = f.read(8).hex().upper()
if header.startswith('89504E47'):
return 'PNG image'
if header.startswith('FFD8FF'):
return 'JPEG image'
if header.startswith('474946'):
return 'GIF image'
if header.startswith('25504446'):
return 'PDF document'
if header.startswith('504B0304'):
return 'ZIP archive'
return 'Unknown'
// Bash - Using file command
$ file image.png
image.png: PNG image data, 1920 x 1080, 8-bit/color RGB
// Bash - Using xxd to view hex
$ xxd -l 16 image.png
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
Magic Bytes by Category
Image Formats
| Hex Signature | Extension | File Type |
|---|---|---|
FF D8 FF | .jpg, .jpeg | JPEG image (Start of Image) |
89 50 4E 47 0D 0A 1A 0A | .png | PNG image (includes DOS line endings) |
47 49 46 38 37 61 | .gif | GIF 87a image |
47 49 46 38 39 61 | .gif | GIF 89a image (supports animation) |
52 49 46 46 ?? ?? ?? ?? 57 45 42 50 | .webp | WebP image (RIFF header) |
42 4D | .bmp | Bitmap image (ASCII 'BM') |
00 00 01 00 | .ico | Windows icon |
49 49 2A 00 | .tif, .tiff | TIFF (little-endian) |
4D 4D 00 2A | .tif, .tiff | TIFF (big-endian) |
FF 0A | .avif | AVIF image |
Document Formats
| Hex Signature | Extension | File Type |
|---|---|---|
25 50 44 46 2D | PDF document ("%PDF-") | |
D0 CF 11 E0 A1 B1 1A E1 | .doc, .xls, .ppt | Microsoft Office (OLE compound) |
50 4B 03 04 | .docx, .xlsx, .pptx | Office Open XML (ZIP-based) |
09 08 10 00 00 06 05 00 | .xls | Excel spreadsheet |
7B 5C 72 74 66 31 | .rtf | Rich Text Format ("{\rtf1") |
3C 3F 78 6D 6C | .xml | XML document ("<?xml") |
3C 68 74 6D 6C | .html, .htm | HTML document ("<html") |
Archive/Compressed Formats
| Hex Signature | Extension | File Type |
|---|---|---|
50 4B 03 04 | .zip | ZIP archive ("PK..") |
50 4B 05 06 | .zip | ZIP (empty archive) |
50 4B 07 08 | .zip | ZIP (spanned archive) |
1F 8B | .gz, .gzip | Gzip compressed |
42 5A 68 | .bz2 | Bzip2 compressed ("BZh") |
FD 37 7A 58 5A 00 | .xz | XZ compressed (7z/LZMA) |
37 7A BC AF 27 1C | .7z | 7-Zip archive |
52 61 72 21 1A 07 | .rar | RAR archive ("Rar!") |
75 73 74 61 72 | .tar | TAR archive ("ustar" at offset 257) |
Executable Formats
| Hex Signature | Extension | File Type |
|---|---|---|
7F 45 4C 46 | — | ELF executable (Linux/Unix) |
4D 5A | .exe, .dll | PE executable (Windows "MZ") |
CA FE BA BE | .class | Java class file |
CA FE 00 00 | .macho | Mach-O (macOS) |
23 21 2F 75 73 72 | — | Shell script ("#!/usr") |
Audio/Video Formats
| Hex Signature | Extension | File Type |
|---|---|---|
49 44 33 | .mp3 | MP3 with ID3 tag |
FF FB | .mp3 | MP3 (MPEG layer 3) |
FF FA | .mp3 | MP3 (MPEG layer 2) |
52 49 46 46 ?? ?? ?? ?? 57 41 56 45 | .wav | WAV audio ("RIFF....WAVE") |
4F 67 67 53 00 | .ogg, .ogv | Ogg Vorbis/Theora ("OggS") |
00 00 00 18 66 74 79 70 | .mp4, .m4v | MP4 video ("....ftyp") |
1A 45 DF A3 | .mkv, .webm | Matroska/WebM container |
66 74 79 70 71 74 20 20 | .mov | QuickTime ("ftypqt ") |
00 00 01 BA | .mpg, .mpeg | MPEG program stream |
Font Formats
| Hex Signature | Extension | File Type |
|---|---|---|
00 01 00 00 | .ttf | TrueType font |
4F 54 54 4F | .otf | OpenType font ("OTTO") |
77 4F 46 46 | .woff | WOFF font ("wOFF") |
77 4F 46 32 | .woff2 | WOFF2 font ("wOF2") |
Database/Cache Formats
| Hex Signature | Extension | File Type |
|---|---|---|
53 51 4C 69 74 65 20 66 | .db, .sqlite | SQLite database ("SQLite f") |
00 00 00 02 | .dex | Android Dalvik executable |
4A 45 52 50 02 | .jar | Java JAR file |
Encoding Signatures (BOM)
| Hex Signature | Extension | File Type |
|---|---|---|
EF BB BF | — | UTF-8 BOM (optional) |
FF FE | — | UTF-16 LE BOM |
FE FF | — | UTF-16 BE BOM |
FF FE 00 00 | — | UTF-32 LE BOM |
00 00 FE FF | — | UTF-32 BE BOM |
Frequently Asked Questions
- What are magic bytes?
- Magic bytes (file signatures) are unique byte sequences at the start of files that identify the file type. They're called 'magic' because they reliably identify formats regardless of filename extension. Example: PNG files always start with 89 50 4E 47 (hex for 'PNG').
- Why use magic bytes instead of file extensions?
- File extensions can be changed, removed, or spoofed. Magic bytes are embedded in the file itself and cannot be easily faked. Security software uses magic bytes to detect malicious files disguised as safe types. File type detection by content is more reliable than by extension.
- How do I read magic bytes?
- Magic bytes are shown in hexadecimal (base-16). Each pair represents one byte (0-255). Example: 'FF D8 FF' means bytes 255, 216, 255. Read a file's first bytes with a hex editor and compare to the signature table to identify the format.
- What file types can be identified by magic bytes?
- Most binary formats: images (JPEG, PNG, GIF, WebP), documents (PDF, DOCX, XLSX), archives (ZIP, GZIP, TAR, RAR), executables (ELF, PE, Mach-O), audio/video (MP3, WAV, MP4, MKV), fonts (TTF, WOFF), and more. Plain text files typically lack magic bytes.
- What is the 'file' command?
- The 'file' command (Linux/Unix/macOS) identifies file types using magic bytes. Usage: 'file filename' returns the detected type. It uses a magic database (/usr/share/file/magic) containing thousands of signatures. Windows equivalents include TrID and File Identifier.
- Can magic bytes be spoofed?
- Yes, magic bytes can be prepended to files to disguise them, but this requires binary editing and doesn't change the actual content structure. Security tools perform deeper inspection beyond magic bytes. Simple extension checking is less secure than magic byte validation.