Using a HEX editor.

A HEX editor is a program that lets you view a file that is mostly machine code. Each character is translated to its ASCII code. This is helpful when looking at the actual code that goes into JPG and GIF files.

Any HEX editor will work. I have downloaded a copy of XVI32, because it was freeware, but there are tons of other hex editors out on the web.

In the context of this tutorial, I will use BOLD to denote a character in HEX format. Sometimes you will see that notation with a lower case 'x' in front. Single characters I will surround in single quotes.

For example, in ASCII, the capital letter 'C' is denoted as 43 in hex (or x43), or 67 in decimal.

To convert from hex to decimal, take the first digit (4), multiply it by 16, and add the second digit (3) to get 64 + 3 = 67.


JPG

To identify, open with notepad.

They are easy to spot, because starting at the 7th character, it has "JFIF".

Advanced class: Use a Hex Editor.

JPG files end with the characters FF D9. This is how "camouflage" works. It adds the encrypted text AFTER the FF D9 characters. Other "markers" to look for: FF D8 - start of file. Also FF C0 - section contains the image size. The y-pixel height is defined by the 4th entry after the FF C0 marker. The x-pixel width is defined by the 5th entry.

As an example: "FF C0 00 11 08 00 D4 01 1B" take the 4th and 5th bytes after the C0 (00 D4) multiply the 00 by 256 and add D4 (212) to get 212 pixels high. Multiply the 01 by 256 and add 1B (27) to get a width of 283 pixels.
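
As an added example (not part of the original tutorial), the Python code below walks the JPG markers described above, reads the height and width from the FF C0 section, and returns any bytes that sit after the FF D9 end marker, which is where "camouflage" puts its data. The names inspect_jpeg, NO_LENGTH, SOF and SAMPLE are made up for this example, the sample bytes are constructed, and the code also accepts FF C1 and FF C2, which use the same layout as FF C0.

```python
import struct

NO_LENGTH = {0x01, *range(0xD0, 0xD9)}  # markers with no length field (RSTn, SOI, TEM)
SOF = (0xC0, 0xC1, 0xC2)  # FF C0 from the text, plus FF C1/C2 (same layout)

def inspect_jpeg(data: bytes):
    """Return (width, height, trailing_bytes) for a JPG held in memory."""
    if data[:2] != b"\xff\xd8":  # FF D8 = start of file
        raise ValueError("not a JPG: does not start with FF D8")
    pos, width, height = 2, None, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # FF D9 = end of file; the rest is appended data
            return width, height, data[pos + 2:]
        if marker == 0xFF:  # fill byte in front of a marker
            pos += 1
            continue
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF and pos + 9 <= len(data):
            # length(2) precision(1) height(2) width(2): high byte * 256 + low byte
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        pos += 2 + seg_len
        if marker == 0xDA:  # FF DA = start of scan, compressed data follows
            # In scan data FF is followed by 00 or D0-D7; anything else is a marker.
            while pos + 1 < len(data) and (
                data[pos] != 0xFF or data[pos + 1] in (0x00, *range(0xD0, 0xD8))
            ):
                pos += 1
    raise ValueError("truncated JPG: no FF D9 end marker")

# Constructed sample (not a viewable picture); FF C0 bytes are from the example above.
SAMPLE = bytes.fromhex(
    "FFD8"
    "FFE000104A46494600010100000100010000"  # "JFIF" header section
    "FFC0001108" "00D4" "011B" "03012200021101031101"
    "FFDA000C03010002110311003F00"
    "1234FF0056"  # scan data containing an FF 00 pair
    "FFD9"
) + b"appended text"

if __name__ == "__main__":
    print(inspect_jpeg(SAMPLE))
```

Because the code follows the section lengths instead of searching for the first FF D9, an FF D9 inside an embedded thumbnail is not mistaken for the end of the file. A non-empty third value means something was added after the picture ends.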


GIF

To identify, open with notepad.

GIF files are also easy to spot. They usually start with GIF87a or GIF89a (depending on the format used).

Advanced class: Use a Hex Editor.

Example: "47 49 46 38 39 61 96 01 57 02" The width is the 7th and 8th bytes, but the numbers are reversed. For GIF, take the 8th byte (01) and multiply by 256, then add the 7th byte (96). This gives you a width of 406. For the height, take the 10th byte (02) and multiply by 256, then add the 9th byte (57) to give you 599.


WAV

To identify, open with notepad.

These files appear to start with "RIFF" and "WAVE".


MP3

MP3 files cannot be identified using Notepad.

Advanced class: Use a Hex Editor.

I can't find a single key, but, looking at a consensus: the first character is usually FF. The second, third and fourth characters all have to do with versions, layers, and bit rates. So the only thing I found was that the 5th character appears to be 00. I even found one file that had an extra 00 in front (00 FF E3 22 C0 00....). So, the convention is that there is no convention.


DOC

To identify, open with notepad.

These are very easy to spot, since most of the file is text. As a matter of fact, they have "W o r d D o c u m e n t" either near the beginning (first screenful) or near the end.


BMP

To identify, open with notepad.

They start with "BM"

Advanced class: Use a Hex Editor.

The next 4 characters are the size of the entire file. "BM6 " which is 42 46 36 04 00 00 in hex. Again, using hex, start with the 6th character and multiply it by 256^3, take the 5th character and multiply it by 256^2, take the 4th character (04) and multiply it by 256 (to get 1024), and then add the 3rd character (36, which is 54 in decimal) to get a 1078 byte file.


PCX

PCX files cannot be identified using Notepad.

Advanced class: Use a Hex Editor.

The first character appears to be hex 0A. The second character is a version label (I had several version 3.0 or higher - hex 05). The third character appears to be a hex 01. The 5th through 8th characters and 9th through 12th are the size of the picture. (Let's ignore 5-8 - they are "minimum", which is probably usually all zeros.)

Example: "0A 05 01 01 00 00 00 00 3F 01 EF 00" Take the 6th character, multiply it by 256, and add the 5th character. That gives you 63 + 256 = 319 width. Then take the 8th character, multiply it by 256, and add the 7th character. That gives you a height of 239. Assuming your "minimum" are all zeros, you have to add 1 to the width and height to give you a 320 x 240 image.


ZIP

To identify, open with notepad.

All my zip files start with "PK", whether they were created with PKZIP or with WINZIP.


PDF

To identify, open with notepad.

They have to start with "%PDF-".