PNG File Signature — Magic Bytes
Understand the 8-byte PNG file signature (magic bytes) and what each byte means. Learn to identify PNG files by their hex header in binary analysis.
Hex
89 50 4E 47 0D 0A 1A 0A
ASCII
.PNG....
Detailed Explanation
The PNG (Portable Network Graphics) file signature is an 8-byte sequence at the very beginning of every valid PNG file: 89 50 4E 47 0D 0A 1A 0A. This signature was carefully designed to detect various types of file corruption and transmission errors, making it one of the most sophisticated magic byte sequences in use.
Byte-by-byte breakdown:
| Offset | Hex | Decimal | Purpose |
|---|---|---|---|
| 0 | 89 |
137 | High bit set — detects systems that strip bit 7 |
| 1 | 50 |
80 | ASCII "P" |
| 2 | 4E |
78 | ASCII "N" |
| 3 | 47 |
71 | ASCII "G" |
| 4 | 0D |
13 | CR (Carriage Return) |
| 5 | 0A |
10 | LF (Line Feed) |
| 6 | 1A |
26 | Ctrl+Z — stops DOS type command from displaying binary data |
| 7 | 0A |
10 | LF — detects CR-LF to LF conversion |
Why each byte matters:
The first byte (89) has its high bit set intentionally. If a file transfer system incorrectly strips the eighth bit (as some older systems did), this byte would change to 09, immediately revealing the corruption.
Bytes 1-3 spell "PNG" in ASCII, providing a human-readable identifier when viewing the file in a text editor or hex dump.
The CR-LF sequence at bytes 4-5 (0D 0A) detects a common form of corruption where systems convert LF line endings to CR-LF (or vice versa). If FTP transfer in text mode converts the line endings, the signature will not match.
Byte 6 (1A) is the Ctrl+Z character, which acts as an end-of-file marker in MS-DOS. This prevents the type command from dumping binary garbage to the console when a user accidentally tries to display a PNG as text.
The final LF at byte 7 (0A) provides a second line-ending check. Together with the CR-LF at bytes 4-5, it can detect if CR-LF pairs have been converted to standalone LFs or CRs.
After the signature:
Immediately following the 8-byte signature, a PNG file contains a series of chunks, each with a 4-byte length, a 4-byte type code (e.g., IHDR, IDAT, IEND), the chunk data, and a 4-byte CRC32 checksum. The first chunk must always be IHDR, which contains the image dimensions and color type.
Using this in file analysis:
To verify that a file is a valid PNG, simply read the first 8 bytes and compare them against this signature. Many programming languages and tools (including the file command on Unix) use magic byte detection as the primary method for identifying file types, rather than relying on file extensions.
Use Case
Security analysts and forensic investigators use PNG magic bytes to identify image files regardless of their extension, detect corrupted uploads, and validate file integrity in content management systems.