🔍 File Signature Checker – Detect True File Types with Magic Bytes
Every file format has a secret identity hidden in its first few bytes — known as magic bytes or a file signature. The File Signature Checker reads those raw bytes and matches them against a database of 80+ known formats to reveal the actual file type, regardless of what the filename or extension claims.
Why File Extensions Can Lie
File extensions are just labels — any user or program can rename malware.exe to photo.jpg. Email clients, web servers, and antivirus filters that rely solely on extensions can be fooled. Magic bytes, on the other hand, are baked into the binary structure of the file itself and are almost always present in legitimate files.
Common scenarios where extension mismatches occur:
- Malware camouflage — executables renamed to image or document extensions to bypass upload filters
- Accidental saves — software saved in a different format than the extension suggests
- Legacy conversions — files converted but not renamed
- Data pipeline debugging — unknown binary blobs with no extension
How Magic Bytes Work
File format designers reserve the first few bytes for a fixed "magic" value. Here are some well-known examples:
| Format | Magic Bytes (hex) | ASCII |
|---|---|---|
| JPEG | FF D8 FF | ÿØÿ |
| PNG | 89 50 4E 47 0D 0A 1A 0A | ‰PNG\r\n\x1A\n |
25 50 44 46 2D | %PDF- | |
| ZIP / DOCX / APK | 50 4B 03 04 | PK\x03\x04 |
| Windows EXE / DLL | 4D 5A | MZ |
| ELF (Linux binary) | 7F 45 4C 46 | \x7FELF |
| SQLite Database | 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00 | SQLite format 3\0 |
Some Signatures Are at Non-Zero Offsets
Not all magic bytes start at byte 0. For example, ISO 9660 disk images store their signature (CD001) at byte offset 32769, and TAR archives place ustar at offset 257. This tool scans multiple offsets to catch these cases.
Understanding the Results
When a match is found, the tool displays the format name, MIME type, common extensions, and a plain-language description. The tool also shows the raw hex bytes of the file header so you can visually inspect them. A ⚠️ Extension Mismatch warning appears if the uploaded file's extension does not match any of the extensions expected for the detected format.
Manual Hex Input
You don't always have the file on hand. If you already have the first bytes as a hex string (from a forensics report, a network packet, or a hex editor), paste them directly into the Hex Input tab. The tool accepts multiple formats:
FF D8 FF E0 (space-separated)
FFD8FFE0 (no spaces)
ff d8 ff e0 (lowercase)
0xFF,0xD8,0xFF,0xE0 (0x prefixed, comma-separated)Security Considerations
This tool runs entirely in your browser — your files are never uploaded to any server. The FileReader API reads only the first 64 bytes needed for signature detection; no file content leaves your device.
While magic-byte detection is a powerful first-pass triage technique, it should be combined with antivirus scanning, hash verification, and full content analysis for security-critical workflows. Sophisticated exploits can embed a valid-looking header while hiding a payload later in the file.
Use Cases
- Security triage — quickly flag suspicious files before opening them
- Forensic analysis — identify files recovered from disk images or network captures with missing extensions
- Developer tooling — validate file types in upload handlers or data pipelines without relying on MIME type headers sent by clients
- Education — learn how binary file formats are structured at the byte level