filerecon project
advanced file fingerprinting
1. General

1.1 What is the purpose of filerecon?

filerecon is an open-source application that fingerprints files of unknown type. It determines the underlying file structure and the program associated with it, which is often required during data recovery (e.g. after a hard-drive crash) or during a forensic analysis.

1.2 What is the difference between file(1) and filerecon?

file(1) was originally written for UNIX systems. Although it is possible to compile file(1) for Windows or to run it in a cygwin environment, there is no official Windows release that provides a simple GUI. Furthermore, filerecon is more transparent about its magic-byte database: the database is a plain text file that can be changed at run-time with a simple text editor, without knowledge of a complex database format or programming language.

1.3 Are there other solutions for the same purpose available?

Several implementations providing similar functionality are known. The most popular is file(1), which is currently maintained by Christos Zoulas.

2. Development

2.1 Who wrote filerecon?

The filerecon project and the corresponding software are written and maintained by Marc Ruef. Work began in mid-2008 as an outgrowth of the similar projects httprecon (HTTP web-server fingerprinting) and browserrecon (HTTP web-browser fingerprinting).

2.2 In what language is filerecon written?

The current official release of filerecon was written in Microsoft Visual Basic 6.0.

2.3 Are there implementations for other languages planned?

Further releases might be developed in other programming languages (e.g. PHP or shell script). However, no official roadmap or release date has been announced.

2.4 What license underlies filerecon and its parts?

The filerecon application and its components (e.g. the database) are licensed under the GNU General Public License (GPL) unless stated otherwise.

2.5 How can I participate with the project?

There are several ways you can support the filerecon project. First of all, you can send me feature requests and bug reports. Of course you may use and redistribute the software. Write articles about the project or mention it in your other work. If you want to help improve the accuracy of the fingerprinting, provide new fingerprints. Furthermore, since the source code is under the General Public License (GPL), you may change and improve it yourself.

3. Installation

3.1 How to install filerecon?

It was an initial design decision that filerecon should not require any installation. Download the package and decompress it; it contains every file needed to run the application.

3.2 What are the requirements for running filerecon?

The current release of filerecon was written for Microsoft Windows and was tested on different releases of Windows XP. You might need at least 128 MByte of RAM. A file you want to analyze is loaded into RAM completely before the analysis starts, so the application is fast as long as enough free memory is available; a file larger than the free memory forces Windows to swap to a local partition, which can take a lot of time.

4. Usage

4.1 How to use filerecon?

Run the application file as you would any other Windows program. Click the colored button to open a file dialog and select the file you would like to analyze. After you confirm your selection, filerecon starts the analysis. After some seconds (or minutes) the possible matches are shown. You can navigate within the results to see the details of each match.

4.2 What kind of data is fingerprinted?

Like file(1), the current release of filerecon searches the file for well-known byte sequences that are characteristic of specific file structures. Any matches found by this pattern-based approach are shown as part of the result. Pattern matching is more accurate when the pattern is long and is expected at a specific offset within the file stream; a short pattern that may occur anywhere in the file is far more likely to match by chance.

4.3 Why are the results wrong or inaccurate?

Like every fingerprinting application, filerecon tries to identify the software behind a file by analyzing different fingerprint elements. If these cannot be dissected and analyzed in detail, the accuracy of the analysis stays low. Fingerprinting is an approximative technique, and filerecon cannot guarantee full accuracy under all circumstances. Keep in mind that the magic bytes are under the control of whoever wrote the file: a file that carries the header of another format will match that format. If you think the results are incorrect or could be improved, provide a better fingerprint, which will be added to the official fingerprint repository.

5. Database

5.1 Where are the fingerprints saved?

filerecon uses a simple flat-file database containing all the fingerprint elements used to determine the file format. The database is stored as magicdatabase.txt in the application directory. This text file is a table with one rule per row and four tab-delimited columns: (1) offset or range, (2) search type, (3) pattern string, (4) result value. Because the file is read as plain text at run-time, keep the application directory write-protected on shared systems: anyone who can edit magicdatabase.txt can change what filerecon reports.
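The following is an added example that re-implements, in Python, the matching described in 4.2 and the four-column database layout described in 5.1. It is not filerecon's own code. The column order follows the FAQ; the search-type names "hex" and "string", the "start-end" syntax for a range of allowed start offsets, the sample rules, the sample inputs and the scoring rule (longer pattern and fixed offset score higher) are assumptions made for this example.

```python
"""Toy flat-file magic matcher in the spirit of filerecon's magicdatabase.txt.

Added example, not filerecon's own code. Assumptions: search types are
"hex" (hex-encoded bytes) and "string" (literal text); column 1 is either
an absolute offset or "start-end", the inclusive range of offsets at which
the pattern may begin; a match scores its pattern length, doubled when the
rule is anchored to a fixed offset.
"""

import binascii

# Constructed sample database in the tab-delimited layout of section 5.1:
# offset-or-range <TAB> search type <TAB> pattern <TAB> result value
SAMPLE_DB = (
    "0\thex\t89504E470D0A1A0A\tPNG image\n"
    "0\tstring\t%PDF-\tPDF document\n"
    "0\thex\t504B0304\tZIP archive (also used by Office/ODF/JAR)\n"
    "0\thex\t4D5A\tDOS/Windows executable (MZ)\n"
    "0-65536\tstring\t<?xml\tXML data\n"
    "0-65536\tstring\t<html\tHTML document\n"
)


def parse_db(text):
    """Parse the database text into rule dicts.

    Blank lines and '#' comments are skipped. Malformed rows (wrong column
    count, bad offset, bad hex, unknown type, empty pattern) are ignored so
    that one broken line does not abort the whole scan.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != 4:
            continue
        loc, kind, pattern, result = cols
        try:
            if "-" in loc:
                start, end = (int(x) for x in loc.split("-", 1))
            else:
                start = end = int(loc)
            if kind == "hex":
                needle = binascii.unhexlify(pattern)
            elif kind == "string":
                needle = pattern.encode("latin-1")
            else:
                continue
        except (ValueError, binascii.Error):
            continue
        if not needle or start < 0 or end < start:
            continue
        rules.append({"start": start, "end": end, "needle": needle,
                      "result": result, "line": lineno})
    return rules


def fingerprint(data, rules):
    """Return matches as dicts with result and score, best score first.

    A fixed-offset rule matches only if the bytes at that exact offset equal
    the pattern (a file shorter than the offset simply does not match). A
    range rule matches if the pattern starts anywhere in [start, end].
    """
    matches = []
    for r in rules:
        n = len(r["needle"])
        if r["start"] == r["end"]:
            hit = data[r["start"]:r["start"] + n] == r["needle"]
            score = 2 * n  # anchored pattern: less likely to occur by chance
        else:
            hit = data.find(r["needle"], r["start"], r["end"] + n) != -1
            score = n
        if hit:
            matches.append({"result": r["result"], "score": score,
                            "db_line": r["line"]})
    matches.sort(key=lambda m: (-m["score"], m["db_line"]))
    return matches


RULES = parse_db(SAMPLE_DB)

# Constructed sample inputs: a PNG header, a UTF-8-BOM XML file, a ZIP
# container that also embeds an XML declaration, and unrecognized data.
SAMPLES = {
    "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "xml": b"\xef\xbb\xbf<?xml version=\"1.0\"?>\n<root/>",
    "zip_with_xml": b"PK\x03\x04" + b"\x00" * 30 + b"<?xml version=\"1.0\"?>",
    "unknown": b"hello world",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, [(m["result"], m["score"]) for m in fingerprint(blob, RULES)])
```

The "zip_with_xml" sample shows why offset-anchored rules are weighted higher: both the ZIP and the XML rule match, but the anchored 4-byte ZIP signature outranks the floating 5-byte XML pattern, which is the ordering a forensic analyst would want for an Office or ODF container.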

5.2 How to add new fingerprints to the data base?

You can suggest new fingerprints by email. I will verify their correctness and add them to the official fingerprint repository. If possible, include some example files that can be dissected during further analysis.

5.3 How often is the official repository updated?

Since the official launch of the project I have been collecting new file fingerprints whenever I come across a new or unknown file format. Check the downloads on the project web site to get the latest repository.

5.4 Is it possible to synchronize the local data base with the official repository?

No, the current release of filerecon does not provide an auto-update feature for the fingerprint database. You have to download the latest repository from the project web site yourself. However, such a feature might be implemented in a future release of filerecon.