C:\>FIFile.exe

File Investigator File for Windows 95/98/Me/2000/NT/XP Version 2.16
Copyright (C) 1995-2007 Forensic Innovations; ALL RIGHTS RESERVED

Summary:  This utility is included in the File Investigator SDK as an
          example application. It can be used to analyze a single file
          and display details about that file. It may not be distributed
          to non-File Investigator SDK owners.

Formats:  1252 types of files can be identified.

Versions: Patterns Database      2.03.012
          Descriptions Database  2.03.012
          Backgrounds Database   2.03.012
          Directory              1.50
          Engine                 2.03.012
          Text Previewer         1.50
          Multimedia Previewer   1.50
          Hexadecimal Previewer  1.50
          File Find              1.50
          Properties             1.50

Usage:    FIFILE [drive:][path][filename] [options]
          FIFILE [options]

Options:  /?  Displays this help screen.
          /L  Displays lists of File Investigator values for:
                Accuracy levels
                Formats
                Storage methods
                Contents
                Platforms
          /P  Pauses the display for each screen.


C:\>FIFIle FIEngine.dll

File Investigator File for Windows 95/98/Me/2000/NT/XP Version 2.16
Copyright (C) 1995-2007 Forensic Innovations; ALL RIGHTS RESERVED

Settings:
  Registration Key  = key
  Use Extension     = ON
  Add Directories   = ON
  Add Checksum      = ON
  Get Details       = ON
  Auto Learn        = OFF
  Text Search Depth = 1
  Summary Length    = 256
  Filter CR/LF      = ON

PathFilename:  FIEngine.dll
Filename:      FIENGINE
Extension:     dll
DOS Filename:  FIEngine.dll
Path:          c:\data\robware\Source\fi\debug
Size:          426054 bytes
Created:       10/14/2002 02:22:21PM
Modified:      02/27/2004 12:52:33PM
Accessed:      03/02/2004 02:17:26PM
Attributes:    Archive
Description:   MS Windows Library (32 bit) (325)
Details:       File v2.3.11.0, Product v2.0.0.0, Linker v6.00
FileMode:      DenyNone (2)
Accuracy:      HIGH (3)
Checksum:      0x02169DC7
Extensions:    .DLL .TLB .OCX .CPL .*
MIME:
HelpLine:      2158485958
Platforms:     IBM PC Compatible (0x4)
               MS Windows 95/98/NT (0x20)
Storage:       Binary (0x2)
Content:       Graphic Image (0x40)
               Icon (0x400)
               Library of Functions (0x800)
               Program Data (0x2000)
               Sound (0x40000)
               Text (0x800000)
Number Values:
      131075  File Version (40)
      720896  File/Product Version Extension (41)
      131072  Product Version (42)
           0  File/Product Version Extension (41)
         600  Linker Version (30)
Text Values:
  Comments (7):        Analyzes a file and provides the details to a client program.
  Company (24):        Forensic Innovations
  Description (13):    File Investigator Engine for Windows 95/98/Me/NT/2000/XP/Vista
  File Version (6):    2, 3, 11, 0
  Internal Name (25):  FIENGINE
  Copyright (14):      Copyright 1995-2007 Forensic Innovations, ALL RIGHTS RESERVED
Originator:    Microsoft Corporation
Notes:         A group of functions that were compiled together for MS Windows
               programs to use. This is a 32 bit version, for use with
               MS Windows 95/98, NT, and sometimes Windows 3.x (upgraded with
               Win32s).
View Software: Graphic Workshop for Windows (Shareware)
               http://www.mindworkshop.com/alchemy/gww.html
Edit Software:
Convert SW:    Graphic Workshop for Windows (Shareware)
               http://www.mindworkshop.com/alchemy/gww.html
Reference(s):  Hogan, Thom., "The Programmer's PC Sourcebook, Second Edition",
               Microsoft Press, Redmond, WA, 1991, p. 6-15.
ASCII Header:  MZÉ.....?.......+.......@.......
Hex. Header:   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
               B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
Scan Time:     17 (milliseconds)
Open Error:    0


C:\>FIFile /L

File Investigator File for Windows 95/98/Me/2000/NT/XP Version 2.03
Copyright (C) 1995-2007 Forensic Innovations; ALL RIGHTS RESERVED

Accuracy Levels:
   0 None (not identified)
   1 Low (matched file extension)
   2 Medium (quick scan)
   3 High (second/deep scan)

Content Types:
   0 N/A
   1 Animation
   2 Database
   3 Database Hybrid
   4 Document
   5 Font
   6 Game Data
   7 Graphic Image
   8 Graphic Metafile
   9 Hypertext
  10 Hypermedia
  11 Icon
  12 Library of Functions
  13 Macro
  14 Program Data
  15 Program Executable
  16 Raw Printer Data
  17 ROM/RAM Image
  18 Shortcut/Link
  19 Sound
  20 Sound Metafile
  21 Source Code
  22 Spreadsheet
  23 Template
  24 Text
  25 Text Hybrid
  26 Virtual Environment
  27 Virus

Platforms:
   0 N/A
   1 Amiga
   2 IBM OS/2
   3 IBM PC Compatible
   4 Macintosh
   5 MS Windows 3.x
   6 MS Windows 95/98/NT
   7 MS/PC DOS
   8 Sun OS
   9 UNIX
  10 Atari

Storage Methods:
   0 N/A
   1 Archive
   2 Binary
   3 Bitmap/Raster
   4 Digital Audio
   5 Music Notes
   6 Text
   7 Translated
   8 Vector

Text Value Types:
   0 Miscellaneous
   1 Title
   2 Author
   3 Program Name
   4 Software
   5 Name
   6 File Version
   7 Comments
   8 Display Name
   9 Product
  10 Source
  11 Subject
  12 Mac Type ID
  13 Description
  14 Copyright
  15 Artist
  16 Instrument
  17 Lyric
  18 Text
  19 Keywords
  20 Date Created
  21 Mac Creator
  22 Compiler
  23 Compressor
  24 Company
  25 Internal Name
  26 File Name
  27 Product Version
  28 Unknown Chunk Tag
  29 Album
  30 Year
  31 Genre
  32 Template
  33 Revision Number
  34 Date Edited
  35 Date Printed
  36 Date Saved
  37 Mime Type

Number Value Types:
  Notes: All number values are unsigned LONG.
         n represents a number value returned by FIEngine.
         % is used like MOD to return the remainder.

   Type of value                   Calculation on data Notes(s)/Example(s)
   ------------------------------- ------------------- --------------------
 1 Format Version (major)          .                   250 -> 2.50.??.??
 2 Program Version (major)         .                   525 -> 5.25.??.??
 3 # of Color Bits
 4 Tempo
 5 # of Instruments
 6 # of Sound Bits
 7 # of Sound Channels                                 1=mono, 2=stereo
 8 Sound sampling Rate in Hz
 9 Volume Level (percentage)
10 # of Descriptions
11 # of Patterns
12 Time Length (1/100 of a second) ::.
13 # of Frames/Images
14 X Resolution (dots)                                 640 -> 640x???
15 Y Resolution (dots)                                 480 -> ???x480
16 X Resolution (in)               .                   525 -> 5.25x???"
17 Y Resolution (in)               .                   525 -> ???x5.25"
18 X Resolution (mm)                                   640 -> 640x???
19 Y Resolution (mm)                                   525 -> ???x525mm
20 Dots/Inch (dpi)
21 Frames/second                   .
22 Disk Size (1/100 of an inch)    .
23 # of Disk Sides                                     1=Single Sided, 2=Double Sided
24 Density                                             1=Single, 2=Double, 3=High, 4=Quad
25 Sound Compression               1=PCM               10=Linear+emph+comp
                                   2=ADPCM             11=A-Law
                                   3=Mu-Law            12=Fibonacci Delta
                                   4=Linear            13=MPEG 1.0 layer 1
                                   5=Floating point    14=MPEG 1.0 layer 2
                                   6=Double precision  15=MPEG 1.0 layer 3
                                   7=Fixed point       16=MPEG 2.0 layer 3
                                   8=Linear + emphasis 17=MPEG 2.5 layer 3
                                   9=Linear + comp
26 # of Pages
27 # of Sound Tracks
28 # of Sound Samples
29 Character Set                   1=ANSI              5=ASCII
                                   2=Mac               6=PC ASCII
                                   3=PS/2              7=PC ANSI
                                   4=PC
30 Linker Version                  .                   525 -> 5.25
31 Image Compression               0=uncompressed      8=RTV 2.1(16)
                                   1=8bit RLE          9=CCITT/3 1-D
                                   2=4bit RLE          10=FAX CCITT Group 3
                                   3=LZW               11=FAX CCITT Group 4
                                   4=Cinepak Codec     12=JPEG
                                   5=compressed        13=PackBit
                                   6=MS-CRAM           14=IR50
                                   7=IR32
32 X Resolution (dpi)                                  640 -> 640x???
33 File Protection                                     0=unprotected, 1=passworded, 2=encrypted
34 # of Records
35 # of Programs
36 # of Icons
37 # of Repeats
38 # of Directories
39 # of Files
40 File Version                    .                   65538 -> 1.02.??.??
41 File/Product Version Extension  .                   65538 -> ??.??.01.02
42 Product Version                 .                   65538 -> 1.02.??.??
43 # of Words
44 # of Characters
45 Track #
46 Unix Permissions                User bits           Bits: 1=Execute
                                   Group bits                2=Write
                                   Other/All bits            4=Read

Formats:
     Name                                    Valid Extensions            Acc
     --------------------------------------- --------------------------- ---
   0 Unidentified                                                        NO
   1 Disk Directory                                                      HI
   2 Disk Volume Label                                                   HI
   3 Text File                               TXT, DOC, INI, INF, *       MED
   4 Graphics Interchange Format             GIF, GIFF                   MED
   5 MS Windows Bitmap                       BMP, DIB, SYS, RLE, BIN, VG MED
   6 Amiga Interleave File Format Image      LBM, IFF, ILM, BBM, ILBM, B HI
   7 MS Paint Bitmap                         MSP                         MED
   8 AutoDesk Animator Flic                  FLI, FLC, FII               MED
   9 GEM Paint Image                         IMG, GEM                    MED
   .
   .
   .
1245 Macintosh Disk Image                    DMF                         MED
1246 Free Lossless Audio Codec               FLAC, FLA                   MED
1247 MS Office Document (XML)                XML                         HI
1248 MS Excel Spreadsheet (XML)              XML                         HI
1249 MS Word Document (XML)                  XML                         HI
1250 UNIX Program / Program Library                                      MED
1251 UNIX Program Library                    so                          MED
1252 WinRAR Compressed Archive               RAR, R##                    MED
1253 MS Project File (ANSI)                  MPX                         MED
1254 Text File (UTF-8)                       txt                         MED

  71 HIGHs
 489 MEDIUMs
 694 LOWs
   1 NONE

Key:
  Acc = The highest level of accuracy possible for the file format.
  HI  = HIGH - 99%: Identified by scanning the file for recognizable
        signatures and data.
  MED = MEDIUM - 90%: Identified by matching the file header to a pattern.
  LOW = LOW - 50%: Identified by matching the file extension.
  NO  = NONE - 0%: Unidentified file.
  ?   = A wildcard that indicates a space that can be any character.
  #   = A wildcard that indicates a space that can be any number.
  *   = A wildcard that indicates an extension that has too many
        possibilities to list.