CyberCheatsheets

file Cheat Sheet

Identify file types from magic bytes — essential before choosing exploit, extraction, or analysis tools.

Exploitation & Payloads | binary, forensics, magic | Updated 2026-06-02

Overview

The file command inspects magic signatures to report format (ELF, PE, ZIP, JPEG, etc.). Run on every unknown artifact during triage.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y file
file --version

Essential commands

Basic identification

file suspicious.bin

Don't stop at first match (polyglots)

file -k image.png

MIME type output

file -i document.pdf

Recursive directory

# file has no recursive flag (-r means --raw), so walk the tree with find
find ./artifacts/ -type f -exec file {} +

Common workflows

CTF / malware triage —

file challenge
file -b challenge   # brief, no filename prefix
xxd challenge | head

Detect appended data / polyglot —

file -k photo.jpg

ELF / architecture check before exploit —

file ./vuln
# ELF 64-bit LSB executable, x86-64, dynamically linked ...
readelf -h ./vuln | grep Type

Batch sort by type —

find . -type f -exec file -b {} \; | sort | uniq -c | sort -rn

Update magic database (rare formats) —

sudo apt install -y libmagic-mgc
file -m /usr/share/misc/magic.custom weird.fmt

Flags reference

-b        Brief mode (no filename)
-i        MIME (application/x-executable)
-k        Keep scanning after first hit
-L        Follow symlinks
-z        Try decompressing compressed types
-s        Read only start of file (default)
-f list   Read paths from file

Tips

  • file can be fooled — verify with xxd, binwalk, or manual headers for critical decisions.
  • file -i helps when scripting uploads or Content-Type checks.
  • For PE: follow with peda / diec or exiftool on metadata-rich formats.
  • Corrupted magic → try foremost or binwalk regardless of file output.
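
A manual header and trailer cross-check for the "file can be fooled" tip and the appended-data workflow above. This is an added example, not part of the original cheat sheet; the function names and the script name crosscheck.sh are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Reads the leading magic bytes and
# the expected end marker directly, so the result does not depend on libmagic.

head_hex() { od -An -v -tx1 -N "$2" < "$1" | tr -d ' \n'; }         # first N bytes as hex
tail_hex() { tail -c "$2" < "$1" | od -An -v -tx1 | tr -d ' \n'; }  # last N bytes as hex

# header_family <path>: classify by the bytes at offset 0.
header_family() {
    case "$(head_hex "$1" 8)" in
        89504e470d0a1a0a) echo png ;;
        ffd8ff*)          echo jpeg ;;
        7f454c46*)        echo elf ;;
        4d5a*)            echo pe ;;      # "MZ" DOS/PE stub
        504b0304*)        echo zip ;;
        *)                echo unknown ;;
    esac
}

# trailer_status <path>: "clean" if the file ends on its format's end marker,
# "suspect" if not (bytes appended after the end, or a truncated file).
trailer_status() {
    case "$(header_family "$1")" in
        png)  want=0000000049454e44ae426082; n=12 ;;  # zero-length IEND chunk + CRC
        jpeg) want=ffd9; n=2 ;;                       # EOI marker
        *)    echo unchecked; return 0 ;;
    esac
    if [ "$(tail_hex "$1" "$n")" = "$want" ]; then echo clean; else echo suspect; fi
}

# triage <path>: header verdict, trailer verdict and file's MIME verdict side by side.
triage() {
    printf '%s\theader=%s\ttrailer=%s\tfile=%s\n' "$1" \
        "$(header_family "$1")" "$(trailer_status "$1")" \
        "$(file -b --mime-type -- "$1")"
}

# Run as: sh crosscheck.sh ./artifacts/*   (hypothetical script name)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if [ -f "$f" ]; then triage "$f"; fi
    done
fi
```

A "suspect" trailer is a lead for binwalk or xxd, not a verdict: some legitimate JPEGs carry trailing bytes, and appended data that happens to end on the same marker will still read as clean.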
