How to identify unknown files
Almost every computer user eventually finds some odd file on their hard drive and wonders what it is, because it is not associated with any installed software, and how it got there in the first place.
Such files may be remnants of long-uninstalled programs, documents sent to you by friends and created in a program you have never even heard of, or, in the worst case, malware disguised as an "unknown" file, or lately files encrypted by ransomware such as CryptoWall or TeslaCrypt.
This article covers three useful ways users can determine the origin and purpose of their unknown files.
Three methods of unknown file analysis
No.1 - Check the File-Extensions.org database by the file's extension
The simplest way to identify a file is, of course, to look at its file extension and check our File-Extensions.org database for it.
This should give you enough information to find out what kind of file it is and what program you need to work with it. You can of course find other similar websites, but ours is most likely the largest and most extensive, covering over 30,000 file types.
In the vast majority of cases this will be enough, but keep in mind that the extension is just part of the file name: anyone can change it, so it is the weakest evidence you have. Sometimes the original suffix has been renamed or is missing completely, and you will need the help of file analysis utilities that look at the content itself to identify the file.
No.2 - Use TrID - File Identifier
TrID is an excellent program for quick analysis of your files. It is straightforward to use: download it together with the definitions database (copy it into the program's folder) and run it from the command line (cmd.exe), passing the file to analyze. TrID then compares the file's content against its definitions and tries to determine what it is.
The author of the program, Marco Pontello, updates the database regularly, so it covers a large number (6401 as of this moment) of file types and should contain most of the commonly used ones. You can download it for free, just don't forget to download the definitions (.trd file) as well.
To demonstrate how it works, we renamed a random Microsoft Word document (.doc), removed the extension so the file was named just "unknown", and analyzed it with TrID. You can see the results in the screenshot below.
Pretty much spot on, considering it was a Word document with a table inserted.
You can also use the on-line version of TrID directly from your web browser without installing anything. This is useful when you are on a platform other than Windows, so you do not have to fiddle with anything.
This is also a good way to check whether a file really is what it appears to be, especially if you are suspicious about its origin. It is particularly helpful for unmasking a dangerous e-mail attachment whose extension was renamed to trick the recipient into opening it: if the detected content (say, an executable) does not agree with the extension (say, .pdf), treat the file as hostile.
However, if TrID does not solve the mystery of your unknown file, there is one last option you can try to identify it.
No.3 - Use a hex viewer to analyze your files
You can use any of the available hex viewers to get the information you need, but if you are looking for a better tool for the purpose of file analysis, we recommend FileAlyzer.
FileAlyzer is much more than a simple hex viewer. It allows a basic analysis of files and shows all kinds of properties of the content, including the hex dump.
The program can also interpret the content structure and recognize what kind of file type it is (text, graphics, media, HTML, XML, PE and more). Once again it is a free download, so it is definitely worth a try.
One of the most important characteristics for identifying unknown file types is the file signature, also called the "magic number": a short sequence of bytes, usually at the very beginning of the file, that is characteristic of each file format. Note that it is characteristic rather than strictly unique; container formats such as ZIP are shared by many file types (.docx, .jar and .apk all start with the same "PK" header), so the signature narrows the candidates but does not always settle the question on its own.
The very first thing you should try is to copy the first few bytes shown in the hex dump and simply Google them. Many sites offer extensive databases of file signatures, so a Google search usually yields useful results.
You can of course also browse the signature databases on such websites manually.
The File-Extensions.org database also has signature information, but only for the most common file types.
One example to illustrate. In our screenshot below, you can see the file starts with the hex bytes FF D8 FF E0, the signature of a JPEG picture (FF D8 FF followed by a marker; E0 is the JFIF marker, E1 the Exif marker), even though the file we opened with FileAlyzer was a .dat, not a .jpg file.
Another interesting thing about the analysis is that FileAlyzer also shows additional tabs (Bitmap, Image, EXIF etc.) related to graphics formats. This only confirms that our sample file was indeed just a common JPEG picture with its extension renamed from jpg to dat.
Of course you can use any hex viewer you want, but FileAlyzer has much greater potential to help you identify unknown files.
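The signature check described above, and the extension-versus-content comparison that unmasks renamed attachments, are easy to automate. The following Python script is an added example, not code from the article or from any of the tools it mentions, and its signature table is a small constructed subset of well-known headers (JPEG, PNG, PDF, OLE2, ZIP, MZ and a few others); the sample headers at the bottom are constructed in memory so the script runs offline. It reads only the first bytes of a file, matches them against the table (longest signature first, so a short generic header cannot shadow a more specific one), and reports whether the file's extension agrees with what the content says.

```python
import os
from typing import NamedTuple, Optional


class Signature(NamedTuple):
    name: str              # what the header identifies
    magic: bytes           # byte sequence expected at `offset`
    offset: int            # position of the magic within the file
    extensions: frozenset  # extensions normally carried by this format


# Constructed table covering a handful of common formats. A real signature
# database (TrID, File-Extensions.org) holds thousands of entries; this is
# only enough to demonstrate the technique.
SIGNATURES = (
    Signature("PNG image", b"\x89PNG\r\n\x1a\n", 0, frozenset({"png"})),
    Signature("JPEG image", b"\xff\xd8\xff", 0, frozenset({"jpg", "jpeg", "jpe"})),
    Signature("GIF image", b"GIF8", 0, frozenset({"gif"})),
    Signature("BMP image", b"BM", 0, frozenset({"bmp", "dib"})),
    Signature("PDF document", b"%PDF-", 0, frozenset({"pdf"})),
    Signature("RTF document", b"{\\rtf", 0, frozenset({"rtf"})),
    Signature("OLE2 compound document (legacy .doc/.xls/.ppt, .msi, .msg)",
              b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0,
              frozenset({"doc", "xls", "ppt", "msi", "msg"})),
    # ZIP is a container: Office OOXML, OpenDocument, JAR and APK all start with PK.
    Signature("ZIP archive (also .docx/.xlsx/.pptx, .odt, .jar, .apk)",
              b"PK\x03\x04", 0,
              frozenset({"zip", "docx", "xlsx", "pptx", "odt", "ods", "odp", "jar", "apk"})),
    Signature("RAR archive", b"Rar!\x1a\x07", 0, frozenset({"rar"})),
    Signature("7-Zip archive", b"7z\xbc\xaf\x27\x1c", 0, frozenset({"7z"})),
    Signature("gzip compressed data", b"\x1f\x8b", 0, frozenset({"gz", "tgz"})),
    Signature("ELF executable", b"\x7fELF", 0, frozenset({"so", "o", "elf", "bin"})),
    # "MZ" alone is weak evidence (two printable bytes); a fuller check would also
    # follow e_lfanew to the "PE\0\0" header, which is omitted here for brevity.
    Signature("Windows executable (MZ/PE: .exe, .dll, .scr, ...)", b"MZ", 0,
              frozenset({"exe", "dll", "scr", "sys", "ocx", "cpl", "drv"})),
)


def identify(header: bytes) -> Optional[Signature]:
    """Match the leading bytes against the table, longest magic first."""
    for sig in sorted(SIGNATURES, key=lambda s: len(s.magic), reverse=True):
        if header[sig.offset:sig.offset + len(sig.magic)] == sig.magic:
            return sig
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot; '' when the name has none."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def check_file(filename: str, header: bytes) -> dict:
    """Compare what the name claims with what the content says.

    verdict: 'match'         extension agrees with the detected format
             'mismatch'      extension disagrees (renamed file, possible disguise)
             'no extension'  content identified, but the name carries no extension
             'unknown'       header matches nothing in the table
    """
    sig = identify(header)
    ext = extension_of(filename)
    if sig is None:
        verdict = "unknown"
    elif not ext:
        verdict = "no extension"
    elif ext in sig.extensions:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {
        "file": filename,
        "extension": ext,
        "detected": sig.name if sig else None,
        "verdict": verdict,
        "hex": header[:8].hex(" ").upper(),  # first bytes, as a hex viewer shows them
    }


def check_path(path: str, nbytes: int = 64) -> dict:
    """Read just the header of a file on disk and run the check on it."""
    with open(path, "rb") as fh:
        return check_file(os.path.basename(path), fh.read(nbytes))


# Constructed sample headers (not real files from the article):
SAMPLES = {
    # JPEG content saved under a .dat extension, like the FileAlyzer example
    "picture.dat": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 20,
    # executable dressed up as a PDF, the renamed-attachment trick
    "Invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 18,
    # legacy Word document with its extension stripped, like the TrID example
    "unknown": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    # extension and content agree
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 22,
    # plain text: nothing in the table matches
    "notes.txt": b"Meeting notes, Monday 9am\n",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        r = check_file(name, header)
        print(f"{r['file']:<12} {r['hex']:<24} {r['verdict']:<13} {r['detected']}")
```

Run the script as-is to see the five constructed samples classified, or call check_path() on a real file. A "mismatch" verdict on an attachment is exactly the red flag described above; a "match" only means the header is consistent with the extension, not that the file is safe, since a hostile file can carry a perfectly valid header. On Linux and macOS the file command (built on libmagic) performs the same kind of signature lookup with a far larger database.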
As you can see, all three ways to identify unknown files are viable, but each is useful in a somewhat different scenario and gives a different set of clues for successfully identifying an unknown file type.
Sometimes you will only have partial luck and will have to solve the puzzle piece by piece until you finally find out what kind of file your mysterious file is.