Binary File Inspector

Inspect any binary: extracted strings, byte histogram and entropy heatmap.

Free in-browser binary file inspector. Extract printable strings, view a 256-bucket byte-frequency histogram, and read a Shannon entropy heatmap to spot encryption or compression. No upload — analysis is local. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What does Shannon entropy tell me?

Shannon entropy measures information density from 0 to 8 bits per byte. Plain text sits around 4 to 5, compressed data around 7, and encrypted or random data approaches 8. A near-8 value strongly suggests encryption or compression.

When you are handed an unknown binary — a firmware image, a cache file, a custom save format — three quick measurements tell you a lot before you ever open a hex editor: what readable text it contains, how its bytes are distributed, and how random each region is. This inspector computes all three in your browser so you can characterize a file at a glance.

How it works

The tool reads the file into a byte array and runs three analyses:

  • String extraction finds runs of printable ASCII (0x200x7e) of at least four characters, the same approach as the Unix strings command. This surfaces embedded URLs, file paths, error messages and metadata.
  • Byte-frequency histogram counts how often each of the 256 possible byte values appears. Text files spike around the ASCII range; compressed or encrypted files look nearly flat.
  • Shannon entropy is computed both overall and per fixed-size block. Entropy H = -Σ p·log2(p) ranges from 0 bits per byte (a single repeated value) to 8 bits per byte (uniformly random). The per-block values are drawn as a heatmap from green (ordered) to red (random).

How to read the results

A low overall entropy (under ~4.5) usually means text, source code or sparse structured data. Values around 6–7 point to media or compressed content, and anything above ~7.5 is the signature of encryption, compression, or packed data. The heatmap adds spatial detail: a common pattern is a low-entropy header or table near the start, followed by a solid red block where the compressed or encrypted payload lives. Combine that with the extracted strings — a magic word, a library version, a copyright notice — to identify the format. All of this runs locally, so even confidential files never leave your device.

Typical patterns you will see

File typeOverall entropyByte histogram shapeHeatmap
Plain text / source code3.5 – 5.5Spikes around ASCII printable range (0x20–0x7E)Mostly green
Executable (ELF, PE)5.0 – 6.5Mixed: ASCII spike + code byte spreadGreen header, mid-entropy code section, red if packed
ZIP / gzip compressed7.2 – 7.9Nearly flat across all 256 valuesSolid red
AES-encrypted payload7.9 – 8.0Flat — almost perfectly uniformSolid red with no variation
JPEG image6.5 – 7.5Relatively flat with slight bias toward low valuesMedium to high red
SQLite database3.0 – 5.0Sparse — many 0x00 bytes, some text rangeAlternating green and mid blocks

Useful string extraction patterns

The strings view is where many quick identifications happen. Useful strings to look for:

  • Magic bytes as textMZ at offset 0 means a Windows executable; ELF means a Linux binary; PK means a ZIP-based archive (including DOCX, XLSX, JAR).
  • Library or product names — embedded version strings like OpenSSL 1.1.1t or zlib 1.2.11 identify dependencies.
  • File paths and build artifacts — strings like /home/user/build/project/main.c reveal the build environment and can help attribute a file.
  • Error messages — hard-coded error strings from a program’s source code are distinctive identifiers even when no other readable metadata survives.
  • URLs and IP addresses — indicate where the binary phones home or fetches resources from, relevant for malware triage.

The 16 MB limit keeps analysis responsive. For larger firmware or disk images, extract a representative region (for example the first 16 MB or a known payload section) and inspect that slice.