Have you ever looked at what is inside a serialized object? This article explains what Java serialization is, walks through a small serialization sample and then, most importantly, opens the serialized object and explains what each byte means: the internals of Java serialization and how it works. If you ever want to write your own implementation of Java serialization, this is a good starting point.
What is Java Serialization?
The primary purpose of Java serialization is to write an object into a stream so that it can be transported over a network and rebuilt on the other side. When two different parties are involved you need a protocol to rebuild exactly the same object again, and the Java serialization API provides just that. Another way to leverage serialization is to perform a deep copy of an object graph.
The reason I used 'primary purpose' in the definition above is that people sometimes use Java serialization as a replacement for a database, just a placeholder where you can persist an object across sessions. That is not the primary purpose of Java serialization. Sometimes, when I interview candidates for Java, I hear them say that Java serialization is used for storing an object (to preserve its state) and retrieving it. They use it synonymously with a database. This is a wrong perception of serialization.
How do you serialize?
To serialize an object, its class must implement the marker interface java.io.Serializable. The interface has no methods; it tells the serialization runtime (not the compiler) that instances of this class may be written to a stream, and ObjectOutputStream throws NotSerializableException for anything else. Fields that should not be serialized are marked transient (static fields are never serialized either). You open a stream, wrap it in an ObjectOutputStream and write the object into it; the Java API applies the serialization protocol and writes the object to the stream, a file in the sample below. De-serialization is the reverse process: an ObjectInputStream reads the bytes back and reconstructs the object in its original form.
'Protocol' here means the agreement between the serializing side and the de-serializing side: what exactly are the contents of the file holding the serialized object, and how are they to be read back. From a security standpoint this agreement is one-sided: ObjectInputStream will reconstruct whatever classes the bytes name, as long as they are on the classpath, so never deserialize data from an untrusted source, and on Java 9 and later (and updated Java 8 releases) restrict the permitted classes with an ObjectInputFilter. Have a look at the following sample and at how its serialized file looks.
Sample Source Code for Java Serialization
package com.javapapers.sample;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// The class whose instance we serialize; it declares a single byte field.
class SerializationBox implements Serializable {

  private byte serializableProp = 10;

  public byte getSerializableProp() {
    return serializableProp;
  }
}

public class SerializationSample {

  public static void main(String args[]) throws IOException,
      FileNotFoundException, ClassNotFoundException {
    SerializationBox serialB = new SerializationBox();
    serialize("serial.out", serialB);
    SerializationBox sb = (SerializationBox) deSerialize("serial.out");
    System.out.println(sb.getSerializableProp());
  }

  // Writes the object to outFile using the Java serialization protocol.
  public static void serialize(String outFile, Object serializableObject)
      throws IOException {
    FileOutputStream fos = new FileOutputStream(outFile);
    ObjectOutputStream oos = new ObjectOutputStream(fos);
    oos.writeObject(serializableObject);
    oos.close();
  }

  // Reads the object back; only do this with files you produced yourself.
  public static Object deSerialize(String serilizedObject)
      throws FileNotFoundException, IOException, ClassNotFoundException {
    FileInputStream fis = new FileInputStream(serilizedObject);
    ObjectInputStream ois = new ObjectInputStream(fis);
    Object obj = ois.readObject();
    ois.close();
    return obj;
  }
}

Exploring Java Serialization
After serializing 'SerializationBox' with the sample code above, I opened the output file in a hex editor. You can use Notepad++ with its hex plugin to open the serialized file.
Let us look at the contents byte by byte and find out what they are. The file starts with "ac ed". This is called STREAM_MAGIC, a magic number (as the Java API authors call it) that is written to the stream header. It denotes the start of serialized content.

Similarly, every byte has a meaning. The serialized file is bulkier than you would expect, because before the actual content comes a sizeable header and the meta information (class descriptors) of every class involved.
The Java Object Serialization Specification, chapter 6 "Object Serialization Stream Protocol", section 6.4.2 "Terminal Symbols and Constants", lists all the symbols and constants used in serialization.
Decoding the Serialized Java Object
In the hex dump each unit of information is underlined in a separate colour so you can identify it easily; the list below walks through them in order.
ac ed – STREAM_MAGIC – denotes the start of serialized content
00 05 – STREAM_VERSION – serialization protocol version 5
73 – TC_OBJECT – a new object follows
72 – TC_CLASSDESC – a new class descriptor follows
00 26 – length of the class name (38 bytes)
63 6f 6d 2e 6a 61 76 61 70 61 70 65 72 73 2e 73 61 6d 70 6c 65 2e 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 42 6f 78 – class name – com.javapapers.sample.SerializationBox
57 fc 83 ca 02 85 f0 18 – serialVersionUID (8 bytes; computed by the JVM from the class structure because the class does not declare one)
02 – classDescFlags – SC_SERIALIZABLE, this class is Serializable
00 01 – count of serialized fields – one field in our example
42 – field type code 'B', a byte (access modifiers such as private are not recorded in the stream)
00 10 – length of the field name (16 bytes)
73 65 72 69 61 6c 69 7a 61 62 6c 65 50 72 6f 70 – field name – serializableProp in our example
78 – TC_ENDBLOCKDATA – end of the class annotation
70 – TC_NULL – no serializable superclass descriptor
0a – 10, the value – this is the persisted value of serializableProp in our sample
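To make the 'protocol' described in the serialization section concrete, and to check the byte-by-byte reading above mechanically, here is a small decoder for this subset of the stream format. It is an added example in Python, not code from the article or from the JDK; the input is the serial.out dump above, reassembled from its hex. It goes a little beyond the single-byte case: any primitive field types and a chain of serializable superclasses are handled, while object or array fields, back references and classes with a custom writeObject() are rejected rather than guessed. The is_java_serialized check is the same header test a detection rule would use.

```python
"""Decoder for the subset of the Java Object Serialization Stream Protocol used by
serial.out: header, one TC_OBJECT, its TC_CLASSDESC chain and primitive field values.
Object/array fields, back references and writeObject() data are rejected, not guessed."""
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
SC_WRITE_METHOD, SC_SERIALIZABLE = 0x01, 0x02
# field type code -> struct format of the value as the JVM writes it (big-endian)
PRIMITIVES = {"B": ">b", "C": ">H", "D": ">d", "F": ">f",
              "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}

# Constructed input: serial.out exactly as dumped in the article, reassembled from hex.
SERIAL_OUT = bytes.fromhex(
    "aced0005"                          # STREAM_MAGIC, STREAM_VERSION
    "73" "72"                           # TC_OBJECT, TC_CLASSDESC
    "0026"                              # class name length: 38
    "636f6d2e" "6a617661706170657273"   # com.javapapers
    "2e73616d706c652e"                  # .sample.
    "53657269616c697a6174696f6e426f78"  # SerializationBox
    "57fc83ca0285f018"                  # serialVersionUID
    "02"                                # classDescFlags: SC_SERIALIZABLE
    "0001"                              # one field
    "42" "0010"                         # type code 'B' (byte), field name length 16
    "73657269616c697a61626c6550726f70"  # serializableProp
    "78" "70"                           # TC_ENDBLOCKDATA, TC_NULL (no serializable superclass)
    "0a"                                # value of serializableProp: 10
)


class Reader:
    """Cursor over the stream; struct.unpack_from raises on truncated input."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, fmt):
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value

    def utf(self):
        # (length)(bytes) as written by DataOutput.writeUTF; the JVM's modified
        # UTF-8 equals UTF-8 for the ASCII names seen here
        length = self.take(">H")
        text = self.data[self.pos:self.pos + length].decode("utf-8")
        self.pos += length
        return text

    def expect(self, code, what):
        got = self.take(">B")
        if got != code:
            raise ValueError(f"offset {self.pos - 1}: expected {what} 0x{code:02x}, got 0x{got:02x}")


def is_java_serialized(data):
    """Cheap detection check: does the blob start with a Java serialization header?"""
    return len(data) >= 4 and struct.unpack_from(">HH", data) == (STREAM_MAGIC, STREAM_VERSION)


def read_class_desc(reader):
    """TC_CLASSDESC className serialVersionUID flags fieldCount fields annotation superDesc"""
    reader.expect(TC_CLASSDESC, "TC_CLASSDESC")
    desc = {"name": reader.utf(), "suid": reader.take(">Q"),
            "flags": reader.take(">B"), "fields": []}
    for _ in range(reader.take(">H")):
        code = chr(reader.take(">B"))
        if code not in PRIMITIVES:
            raise NotImplementedError("object/array fields (type codes L and [) not handled")
        desc["fields"].append((code, reader.utf()))
    reader.expect(TC_ENDBLOCKDATA, "TC_ENDBLOCKDATA")
    if reader.data[reader.pos] == TC_NULL:  # parent class is not Serializable
        reader.pos += 1
        desc["super"] = None
    else:
        desc["super"] = read_class_desc(reader)
    return desc


def parse_stream(data):
    """Return class name, serialVersionUID, flags and field values of the first object."""
    if not is_java_serialized(data):
        raise ValueError("not a Java serialization stream (bad STREAM_MAGIC/STREAM_VERSION)")
    reader = Reader(data)
    reader.pos = 4
    reader.expect(TC_OBJECT, "TC_OBJECT")
    chain, desc = [], read_class_desc(reader)
    while desc is not None:
        chain.append(desc)
        desc = desc["super"]
    values = {}
    for d in reversed(chain):  # field values are written superclass first
        if not d["flags"] & SC_SERIALIZABLE or d["flags"] & SC_WRITE_METHOD:
            raise NotImplementedError(f"{d['name']}: Externalizable or custom writeObject data")
        for code, name in d["fields"]:
            values[name] = reader.take(PRIMITIVES[code])
    return {"class": chain[0]["name"], "serialVersionUID": chain[0]["suid"],
            "flags": chain[0]["flags"], "values": values, "consumed": reader.pos}


if __name__ == "__main__":
    print(parse_stream(SERIAL_OUT))
```

Running it prints the class name, the serialVersionUID 0x57fc83ca0285f018, flags 2 and {'serializableProp': 10}, with all 79 bytes consumed, which matches the manual decoding above. The header check is what a WAF or IDS rule keys on: a request body beginning with ac ed 00 05, or its base64 form "rO0ABQ", is a Java serialized object and deserves scrutiny before any ObjectInputStream sees it.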
Courtesy: http://javapapers.com/core-java/java-serialization/