TrID - File Identifier

TrID is an utility designed to identify file types from their binary signatures. While there are similar utilities with hard coded rules, TriID has no such rules. Instead, it is extensible and can be trained to recognize new formats in a fast and automatic way.

TrID has many uses: identify what kind of file was sent to you via e-mail, aid in forensic analysis, support in file recovery, etc.

TrID uses a database of definitions which describe recurring patterns for supported file types. As this is subject to very frequent update, it's made available as a separate package. Just download both TrID and this archive and unpack in the same folder.

The database of definitions is constantly expanding; the more that are available, the more accurate an analysis of an unknown file can be. You can help! Use the program to both recognize unknown file types and develop new definitions that can be added to the library. See the TrIDScan page for information about how you can help. Just run the TrIDScan module against a number of files of a given type. The program will do the rest.

Because TrID uses an expandable database it will never be out of date. As new file types become available you can run the scan module against them and help keep the program up to date. Other people around the world will be doing the same thing making the database a dynamic and living thing. If you have special file formats that only you use, you can also add them to your local database, making their identification easier.

To get you started, the current library of definitions is up to 3459 file types and growing fast.

TrID is simple to use. Just run TrID and point it to the file to be analyzed. The file will be read and compared with the definitions in the database. Results are presented in order of highest probability.

C:\TrID>trid c:\test\doc\lasik_info.doc TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello           Collecting data from file: c:\test\doc\lasik_info.doc Definitions found: 1959 Analyzing... 70.7% (.DOC) Microsoft Word document (58000/1/5) 29.3% (.) Generic OLE2 / Multistream Compound File (24000/1)

C:\TrID>trid c:\Download\AvBatEx.bav TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello Collecting data from file: f:\Download\AvBatEx.bav Definitions found: 1959 Analyzing... 75.8% (.BAV) The Bat! Antivirus plugin (187530/5/21) 15.2% (.EXE) Win32 Executable MS Visual C++ (generic) (37706/45/16)  4.3% (.EXE) Win32 Executable Generic (10527/13/4) 3.1% (.DLL) Win32 Dynamic Link Library (generic) (7600/42/2) 0.8% (.EXE) Generic Win/DOS Executable (2002/3)

Wildcards can be used to scan groups of files, entire folders, etc. In addition, using the switch -ae will instruct TrID to add the guessed extensions to the filenames. This come handy, for example, when working with files recovered by data rescue softwares. For example:

C:\TrID>trid c:\temp\* -ae TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello           Definitions found: 1969 Analyzing... File: c:\temp\FILE0001.CHK 75.8% (.BAV) The Bat! Antivirus plugin (187530/5/21) File: c:\temp\FILE0002.CHK 77.8% (.OGG) OGG Vorbis Audio (14014/3) File: c:\temp\FILE0003.CHK 86.0% (.DOC) Microsoft Word document (49500/1/4) File: c:\temp\FILE0004.CHK 42.6% (.EXE) UPX compressed Win32 Executable (30569/9/7) 4 file(s) renamed.

At this point, the files in the c:\temp folder will look like:

  FILE0001.CHK.bav
  FILE0002.CHK.ogg
  FILE0003.CHK.doc
  FILE0004.CHK.exe

It's possible to tell TrID to show some more information about every match (such as who created that definition, how many files were scanned, etc.); and it's also possible to limit the number of results shown.
The switch -v activate the verbose mode, and -r:nn specifies the max number of matches that TrID will display. Default is 5 for normal mode, 2 for verbose, 1 for multi-files analysis.

C:\TrID>trid "c:\t\Windows XP Startup.ogg" -v -r:2 TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello           Collecting data from file: c:\t\Windows XP Startup.ogg Definitions found: 1959 Analyzing... 77.8% (.OGG) OGG Vorbis Audio (14014/3) Author : Marco Pontello E-Mail : marcopon@nospam@myrealbox.com Home Page : http://mark0.net Definition : audio-ogg-vorbis.trid.xml Files : 35 22.2% (.OGG) OGG stream (generic) (4000/1) Author : Marco Pontello E-Mail : marcopon@nospam@myrealbox.com Home Page : http://mark0.net Definition : ogg-stream.trid.xml Files : 35

When starting, TrID will check for the TrIDDefs.TRD definitions package in the current directory. If not found, it will search on the some folder where TrID is installed. Eventually, it's possible to specify a particular defs file with the switch -d:filespec. To force TrID to wait for a key after showing the results, the -w switch is provided.

For any info or question, feel free to contact me or take a look in the forum!

Download

Win32	TrID v2.02, 25KB ZIP
Linux/x86	TrID v2.00, 28KB ZIP
	TrIDDefs.TRD package, 415KB ZIP (3459 file types, 18/08/08)

TrID's Definitions DB changes log feed!

If you like TrID, you may consider a little donation!
Even a couple of $ will let me know that you appreciate my work! Thanks!

Change Log TrID/32 v2.02 - 11/01/07: * Fixed a bug with files larger than 10MB. TrID/32 v2.00 - 04/06/06: + Major new version! + New container package for the filetypes' defs. + Batch scanning & renaming. + Ported to FreeBASIC compiler. TrID/32 v1.56 - 22/12/04: + Progress indication while loading definitions. + Quiet mode - don't show filetypes while loading definitions. TrID/32 v1.55 - 20/11/03: + Unique strings evaluation now is case insensitive. TrID/32 v1.50 - 15/11/03: + Analysys engine enhanced. Now it can use some unique strings (if contained in the defs) in addition to binary patterns at fixed positions. TrID/32 v1.23 - 13/08/03: + Verbose mode, activated using switch /V. + It's possibile to limit the number of matches showed, switch /R. TrID/32 v1.00 - 07/06/03: - After a period of beta testing, this is the first stable release for the Win32 platform.