# File Type Identification

Identifying the file type is extremely important as it helps us identify the **target OS and the corresponding architecture**.

* An example of a Windows executable file is the **PE (Portable Executable)**.
  * A PE can take the form of **.exe**, **.dll**, etc.

To accurately identify a file type we need to **analyze the file signature**. This is to avoid false positives caused by the use of **double extensions**.

The file signature is located in the **file header**.

The file signature for PE files is the **hexadecimal values 4D 5A (ASCII `MZ`)** in the first 2 bytes (offsets 0-1).

PE programs also have the notice "This program cannot be run in DOS mode".

The PE header begins with the hex bytes **50 45** (ASCII `PE`).
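
The checks above, combined into one signature-based classifier. This is an added example, not code from the original page. It goes one step beyond the text by reading the `e_lfanew` pointer at offset 0x3C to locate the PE header and the COFF `Machine` field to report the architecture (both taken from the PE/COFF specification). The function names, file names and sample bytes are constructed for illustration.

```python
import struct

# Machine values from the PE/COFF specification (subset).
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
DOS_NOTICE = b"This program cannot be run in DOS mode"

def identify_pe(data: bytes) -> dict:
    """Classify a buffer by its signature, ignoring whatever the filename claims."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # 4D 5A at offsets 0-1
        return {"is_pe": False, "reason": "no MZ signature at offset 0"}
    # e_lfanew: 4-byte little-endian offset of the PE header, stored at 0x3C.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "MZ present but no PE signature"}
    # The 2-byte Machine field follows the 4-byte PE signature.
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return {
        "is_pe": True,
        "pe_offset": pe_off,
        "arch": MACHINES.get(machine, hex(machine)),
        "dos_notice": DOS_NOTICE in data[:pe_off],
    }

def build_sample(machine: int) -> bytes:
    """Constructed minimal header bytes for the demo (not a runnable executable)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # PE header at 0x80
    dos[0x4E:0x4E + len(DOS_NOTICE)] = DOS_NOTICE
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)

if __name__ == "__main__":
    # Constructed samples: the extension and the content deliberately disagree.
    samples = {
        "invoice.pdf.exe": build_sample(0x8664),       # double extension, real PE
        "report.exe": b"%PDF-1.7\n" + bytes(0x80),     # .exe name, PDF content
        "readme.txt": build_sample(0x014C),            # .txt name, PE content
    }
    for name, blob in samples.items():
        print(f"{name:18} -> {identify_pe(blob)}")
```
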

#### Note

Attackers may use archiving/packing to evade signature-based identification.


