TrID
TrID Description
TrID is a utility designed to identify file types from their binary signatures. TrID has its own set of signatures (rules) for recognizing file types, and can also be trained to recognize new formats quickly and automatically.
TrID has many uses: identify what kind of file was sent to you via e-mail, aid in forensic analysis, support in file recovery, etc.
TrID uses a database of definitions which describe recurring patterns for supported file types. As this database is updated very frequently, it is made available as a separate package. Just download both TrID and this archive and unpack them in the same folder.
The database of definitions is constantly expanding; the more that are available, the more accurate an analysis of an unknown file can be. You can help! Use the program to both recognize unknown file types and develop new definitions that can be added to the library. See the TrIDScan page for information about how you can help. Just run the TrIDScan module against a number of files of a given type. The program will do the rest.
Because TrID uses an expandable database, it will never be out of date. As new file types become available you can run the scan module against them and help keep the program up to date. Other people around the world will be doing the same thing, making the database a dynamic and living thing. If you have special file formats that only you use, you can also add them to your local database, making their identification easier.
To get you started, the current library of definitions is up to 14160 file types and growing fast.
Homepage: https://mark0.net/soft-trid-e.html
GitHub:
Author: Marco Pontello
License: GPLv2
TrID Help
Usage:
TrID <[path]filespec(s)...> [-ae|-ce] [-d:file] [-ns] [-n:nn] [-@] [-v] [-w] [-?]
Where:
<filespec>  Files to identify/analyze
-ae         Add guessed extension to filename
-ce         Change filename extension
-d:file     Use the specified defs package
-ns         Disable unique strings check
-n:nn       Number of matches to show (default: 5)
-@          Read file list from stdin
-v          Verbose mode - display def name, author, etc.
-w          Wait for a key before exiting
-?          This help!
TrID Usage Example
TrID is simple to use. Just run TrID and point it to the file to be analyzed. The file will be read and compared with the definitions in the database. Results are presented in order of highest probability.
trid c:\test\doc\lasik_info.doc

TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Collecting data from file: c:\test\doc\lasik_info.doc
Definitions found: 5702
Analyzing...

 70.7% (.DOC) Microsoft Word document (58000/1/5)
 29.3% (.) Generic OLE2 / Multistream Compound File (24000/1)
Another example:
trid c:\Download\AvBatEx.bav

TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Collecting data from file: f:\Download\AvBatEx.bav
Definitions found: 5702
Analyzing...

 75.8% (.BAV) The Bat! Antivirus plugin (187530/5/21)
 15.2% (.EXE) Win32 Executable MS Visual C++ (generic) (37706/45/16)
  4.3% (.EXE) Win32 Executable Generic (10527/13/4)
  3.1% (.DLL) Win32 Dynamic Link Library (generic) (7600/42/2)
  0.8% (.EXE) Generic Win/DOS Executable (2002/3)
Wildcards can be used to scan groups of files, entire folders, etc. In addition, the -ae switch instructs TrID to append the guessed extension to each filename. This comes in handy, for example, when working with files recovered by data recovery software. For example:
trid c:\temp\* -ae

TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found: 5702
Analyzing...

File: c:\temp\FILE0001.CHK
 75.8% (.BAV) The Bat! Antivirus plugin (187530/5/21)

File: c:\temp\FILE0002.CHK
 77.8% (.OGG) OGG Vorbis Audio (14014/3)

File: c:\temp\FILE0003.CHK
 86.0% (.DOC) Microsoft Word document (49500/1/4)

File: c:\temp\FILE0004.CHK
 42.6% (.EXE) UPX compressed Win32 Executable (30569/9/7)

4 file(s) renamed.
At this point, the files in the c:\temp folder will look like:
- FILE0001.CHK.bav
- FILE0002.CHK.ogg
- FILE0003.CHK.doc
- FILE0004.CHK.exe
The -ce switch, by contrast, replaces the existing file extension with the guessed one; if the file has no extension, the new one is added. For example:
- IAmASoundFile.dat -> IAmASoundFile.wav
- IAmABitmap -> IAmABitmap.bmp
TrID can also read a file list from stdin, with the -@ switch. This makes it possible to work on an entire folder tree, or a particular subset of files, simply by piping the output of some other command into TrID. Something like:
dir d:\recovered_drive /s /b | trid -ce -@

Definitions found: 5702
Analyzing...

File: d:\recovered_drive\notes
100.0% (.RTF) Rich Text Format (5000/1)

File: d:\recovered_drive\temp\FILE0001.CHK
 77.8% (.OGG) OGG Vorbis Audio (14014/3)
...
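As an added example (not part of TrID or of the original page), the shell function below parses the multi-file output format shown above and lists every file whose on-disk extension disagrees with TrID's top match, a quick triage check for e-mail attachments or recovered files that claim one type but contain another. The sample output is constructed in the same layout as the runs above; in a real run you would pipe `find ... | trid -@` into the function instead.

```shell
#!/bin/sh
# Constructed sample of TrID multi-file output (layout as in the -ae / -@ runs above).
SAMPLE='TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found: 5702
Analyzing...

File: /quarantine/invoice.doc
 58.0% (.EXE) Win32 Executable MS Visual C++ (generic) (37706/45/16)

File: /quarantine/report.pdf
 100.0% (.PDF) Adobe Portable Document Format (5000/1)

File: /quarantine/FILE0001.CHK
 77.8% (.OGG) OGG Vorbis Audio (14014/3)
'

# Print one line per file whose on-disk extension differs from TrID's best guess:
#   <path> <current-ext or -> <guessed-ext> <confidence>
# Only the first (highest-probability) match after each "File:" line is considered.
trid_ext_mismatch() {
    printf '%s\n' "$1" | awk '
        /^File: / {
            path = substr($0, 7)                 # everything after "File: "
            if ((getline line) <= 0) exit        # the next line holds the top match
            split(line, f, " ")                  # f[1]="58.0%", f[2]="(.EXE)"
            conf = f[1]
            guess = tolower(f[2]); gsub(/[().]/, "", guess)
            if (guess == "") next                # "(.)" is a generic match, nothing to compare
            n = split(path, seg, "/"); base = seg[n]   # POSIX paths; adapt for backslashes
            cur = (base ~ /\./) ? tolower(base) : ""
            sub(/.*\./, "", cur)                 # keep only the text after the last dot
            if (cur != guess)
                printf "%s %s %s %s\n", path, (cur == "" ? "-" : cur), guess, conf
        }'
}

# Stand-alone run over the constructed sample
trid_ext_mismatch "$SAMPLE"
```

Files with no extension or with placeholder extensions such as .CHK are reported too, which is what you want when triaging recovered data; a mismatch on a real extension, such as a .doc that TrID sees as a Win32 executable, is the case worth examining first.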
It's possible to tell TrID to show more information about every match (such as the MIME type, who created the definition, how many files were scanned, etc.), and it's also possible to limit the number of results shown.
The -v switch activates verbose mode, and -r:nn specifies the maximum number of matches that TrID will display. The default is 5 for normal mode, 2 for verbose mode and 1 for multi-file analysis.
trid "c:\t\Windows XP Startup.ogg" -v -r:2

TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Collecting data from file: c:\t\Windows XP Startup.ogg
Definitions found: 5702
Analyzing...

 77.8% (.OGG) OGG Vorbis audio (14014/3)
   Mime type  : audio/ogg
   Definition : audio-ogg-vorbis.trid.xml
   Files      : 37
   Author     : Marco Pontello
   E-Mail     : marcopon@nospam@gmail.com
   Home Page  : http://mark0.net

 22.2% (.OGG) OGG stream (generic) (4000/1)
   Definition : ogg-stream.trid.xml
   Files      : 35
   Author     : Marco Pontello
   E-Mail     : marcopon@nospam@gmail.com
   Home Page  : http://mark0.net
When starting, TrID checks for the TrIDDefs.TRD definitions package in the current directory. If it is not found there, TrID looks in the folder where it is installed. It is also possible to specify a particular defs file with the -d:filespec switch. To force TrID to wait for a key after showing the results, the -w switch is provided.
To speed up the process of getting the latest definitions, it's possible to use the TrIDUpdate Python script. It first compares the MD5 digest of the current TRD file with the one available online, so if the file hasn't changed the check is very quick. For example:
tridupdate.py

MD5: 1bf1b5511092e5cbcf7bbde2da7ecf21
Checking last version online...
MD5: 6904c61a6e5701448c52b436bda3b95a
Downloading new defs...
Checking defs integrity... OK.

c:\TrID>tridupdate.py

MD5: 6904c61a6e5701448c52b436bda3b95a
Checking last version online...
MD5: 6904c61a6e5701448c52b436bda3b95a
Current defs are up-to-date.
Error “trid: loadlocale.c:129: _nl_intern_locale_data: Assertion `cnt < (sizeof (_nl_value_type_LC_TIME) / sizeof (_nl_value_type_LC_TIME[0]))' failed.”
If you run into the following error when starting TrID:
trid: loadlocale.c:129: _nl_intern_locale_data: Assertion `cnt < (sizeof (_nl_value_type_LC_TIME) / sizeof (_nl_value_type_LC_TIME[0]))' failed.
Aborted (core dumped)
then, before starting it, run the command:
export LC_ALL=C
Then start TrID again; the error should be gone.
How to install TrID
Installation on Kali Linux
wget http://mark0.net/download/trid_linux_64.zip
unzip trid_linux_64.zip
wget http://mark0.net/download/triddefs.zip
unzip triddefs.zip
sudo mv trid triddefs.trd /usr/local/bin/
rm triddefs.zip trid_linux_64.zip readme.txt
sudo chmod +x /usr/local/bin/trid
Run the following commands to update:
sudo rm /usr/local/bin/trid /usr/local/bin/triddefs.trd
wget http://mark0.net/download/trid_linux_64.zip
unzip trid_linux_64.zip
wget http://mark0.net/download/triddefs.zip
unzip triddefs.zip
sudo mv trid triddefs.trd /usr/local/bin/
rm triddefs.zip trid_linux_64.zip readme.txt
sudo chmod +x /usr/local/bin/trid
Installation on Debian, Linux Mint, Ubuntu
wget http://mark0.net/download/trid_linux_64.zip
unzip trid_linux_64.zip
wget http://mark0.net/download/triddefs.zip
unzip triddefs.zip
sudo mv trid triddefs.trd /usr/local/bin/
rm triddefs.zip trid_linux_64.zip readme.txt
sudo chmod +x /usr/local/bin/trid
Installation on BlackArch
The program is pre-installed on BlackArch. To install in minimal builds run:
sudo pacman -S trid
If during installation you encounter the error “warning: cannot resolve "lib32-ncurses", a dependency of "trid"”, see the article: Error “cannot resolve dependency lib32 (32-bit library)” (SOLVED).
Installing on Windows
Go to the official website and download the archive with the executable file for Windows (mark0.net/download/trid_w32.zip), as well as the archive with the signature database (mark0.net/download/triddefs.zip).
Unpack both archives into one folder. For example, I put the downloaded files in the C:\Users\MiAl\Downloads\trid\ folder.
Open a command prompt: press Win+x and select “Windows PowerShell”.
Go to the folder with the program:
cd C:\Users\MiAl\Downloads\trid\
To determine the file type, use a command of the form:
.\trid 'PATH\TO\FILE'
For example:
.\trid Z:\testfiles\file1
TrID itself is not updated frequently, but the database regularly gains new signatures, so update the database from time to time.
TrID Tutorials
- How to analyze and split compound files (firmware, multi partition disk images)
- How to find out the type of a file without an extension (in Windows and Linux)
- Online service “Determining the type of a file without an extension by its content online”