Many files on a computer have a type, such as a word processing document, spread sheet, and these can be recognised by the file extension (for example .doc, .xls etc). What is not so obvious is that many files start with a unique sequence of numbers which we call the file signature.
By checking the first few bytes against a know table of signatures, it is possible to indicate if the file has a valid start, or is in fact a different type of file. For recovery modes this can be helpful when a disk structure is very corrupted. In forensic applications, it can be used to detect files that have been deliberately renamed to try and conceal the contents. The log files we produce when doing a recovery, store the results of the signature test for each file.
In order to get a more accurate match on some file types, the checking goes along way beyond the first few bytes. By doing this, at times it is possible, when restoring in raw mode to extract some file names, or indicate topic from a file
The list of signatures recognised is growing on a weekly basis, but the following gives an idea of common files that can be detected.
abc, ai, ani, atn, avi, bmp, cab, cam, cdb, cur, dbf, dbx, doc, drw, emf, exe, fm3, fmt, fon, fp7, gif, hlp, hqx, htm, ifo, jpg, jpeg, lha, lnk, mdb, mmm, mov, mp3, mp4, mpeg, msc, msi, nb7, nsf, pcx, pdf, ppd, psd, qdf, rmi, scf, tif, wav, wb1, wk3, wk4, wks, wmf, wmv, wp5, wpl, xlb, xls, xml, zip
CnW Recovery Lewes East Sussex UK