File Signature

Also known as Magic Bytes/Header

Most files can also be recognized by a magic value in the file start/end.

• Manipulating headers can lead to incorrect detection and maybe processing.

• Some OS use the magic headers instead of the file extension.

• Also known as File Signatures.

Some magic values:

• Office Documents: D0 CF 11 E0

• ELF: 7F E L F

• JPG: FF D8

• PNG: 89 P N G 0D 0A 1A 0A

• Java class: CA FE BA BE

Sometimes, magic headers are reused

• PK.. (50 4B 03 04) is the magic for ZIP files.

Actually, pptx are zip files.

Magic Headers can be manipulated if the content is known.

• PyInstaller allows the conversion of a Python application to an executable application.

  • It packs the pyc files into a container. The container is extracted on runtime and compiled python code is executed.

  • Headers are omitted from pyc files. If a header is added, the extracted file executes as a standard pyc file.

• Direct Visualization may help.

  • Direct byte visualization, Mapping to an image, Entropy Analysis, Tuples.