File (command)

The   command is a standard program of Unix and Unix-like operating systems for recognizing the type of data contained in a computer file.

History
The original version of  originated in Unix Research Version 4 in 1973. System V brought a major update with several important changes, most notably moving the file type information into an external text file rather than compiling it into the binary itself.

Most major BSD and Linux distributions use a free, open-source reimplementation which was written in 1986–87 by Ian Darwin from scratch; it keeps file type information in a text file with a format based on that of the System V version. It was expanded by Geoff Collyer in 1989 and since then has had input from many others, including Guy Harris, Chris Lowth and Eric Fischer; from late 1993 onward its maintenance has been organized by Christos Zoulas. The OpenBSD system has its own subset implementation written from scratch, but still uses the Darwin/Zoulas collection of magic file formatted information.

The file command has also been ported to the IBM i operating system.

Specification
The Single UNIX Specification (SUS) specifies that a series of tests are performed on the file specified on the command line:
 * 1) if the file cannot be read, or its Unix file type is undetermined, the   program will indicate that the file was processed but its type was undetermined.
 * 2)   must be able to determine the types directory, FIFO, socket, block special file, and character special file
 * 3) zero-length files are identified as such
 * 4) an initial part of file is considered and   is to use position-sensitive tests
 * 5) the entire file is considered and   is to use context-sensitive tests
 * 6) the file is identified as a   file

's position-sensitive tests are normally implemented by matching various locations within the file against a textual database of magic numbers (see the Usage section). This differs from other simpler methods such as file extensions and schemes like MIME.

In the System V implementation, the Ian Darwin implementation, and the OpenBSD implementation, the  command uses a database to drive the probing of the lead bytes. That database is implemented in a file called, whose location is usually in  ,   or a similar location.

Usage
The SUS mandates the following options:


 * -M file, specify a file specially formatted containing position-sensitive tests; default position-sensitive tests and context-sensitive tests will not be performed.
 * -m file, as for -M , but default tests will be performed after the tests contained in.
 * -d, perform default position-sensitive and context-sensitive tests to the given file; this is the default behaviour unless -M or -m is specified.
 * -h, do not dereference symbolic links that point to an existing file or directory.
 * -L, dereference the symbolic link that points to an existing file or directory.
 * -i, do not classify the file further than to identify it as either: nonexistent, a block special file, a character special file, a directory, a FIFO, a socket, a symbolic link, or a regular file. Linux and BSD systems behave differently with this option and instead output an Internet media type ("MIME type") identifying the recognized file format.

Other Unix and Unix-like operating systems may add extra options than these. Ian Darwin's implementation adds -s 'special files', -k 'keep-going' or -r 'raw' (examples below), among many others.

The command tells only what the file looks like, not what it is (in the case where file looks at the content). It is easy to fool the program by putting a magic number into a file the content of which does not match it. Thus the command is not usable as a security tool other than in specific situations.

Examples
file.c: C program text

program: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

/dev/hda1 /dev/hda1: block special (0/0)

/dev/hda1: Linux/i386 ext2 filesystem

Note that -s is a non-standard option available only on the Ian Darwin branch, which tells  to read device files and try to identify their contents rather than merely identifying them as device files. Normally  does not try to read device files since reading such a file can have undesirable side effects.

libmagic-dev_5.35-4_armhf.deb: Debian binary package (format 2.0) - current ar archive - data

Through Ian Darwin's non-standard option -k the program does not stop after the first hit found, but looks for other matching patterns. The -r option, which is available in some versions, causes the unprintable new line character to be displayed in its raw form rather than in its octal representation.

compressed.gz: gzip compressed data, deflated, original filename, `compressed', last modified: Thu Jan 26 14:08:23 2006, os: Unix

compressed.gz: application/x-gzip; charset=binary

data.ppm: Netpbm PPM "rawbits" image data

/bin/cat: Mach-O universal binary with 2 architectures /bin/cat (for architecture ppc7400):	Mach-O executable ppc /bin/cat (for architecture i386):	Mach-O executable i386

Identifying symbolic links is not available on all platforms and will be dereferenced if -L is passed or POSIXLY_CORRECT is set.

Libmagic library
As of version 4.00 of the Ian Darwin/Christos Zoulas version of, the functionality of   is incorporated into a   library that is accessible via C (and C-compatible) linking;    is implemented using that library.

Manual pages

 * – a non-Ian Darwin implementation
 * – a non-Ian Darwin, non-SUS implementation
 * – a non-Ian Darwin implementation
 * – a non-Ian Darwin, non-SUS implementation
 * – a non-Ian Darwin, non-SUS implementation

Other

 * Fine Free File Command – homepage for Ian Darwin's version of  used in major BSD and Linux distributions.
 * mailing list
 * releases
 * binwalk, a firmware analysis tool that carves files based on libmagic signatures
 * TrID, an alternative providing ranked answers (instead of just one) based on statistics.