Hello,
Does anyone know of any good articles or papers on using hex editors in investigations?
Looking for examples etc on using hex editors on files for investigative purposes.
Thanks,
Mark
I don't know that anyone can help with this request without more information.
That question is very vague.
He's right…the question is vague.
Use hex editors for what? I use UltraEdit's hex edit capability, not to edit, but to view binary data all the time…in part, to confirm findings of my Perl scripts.
Can you be more specific, Mark?
Thanks for the responses, yes now I see your point that it was kind of vague.
Basically I am trying to find different ways in which someone could use a hex editor to find information during an investigation. For example, what kind of metadata could be found when examining a jpg, a word doc, etc etc.
I am just trying to learn different ways that I might be able to find information using a hex editor when I am examining data. I know that you can do things like run strings on an image, with –radix=d and grep for certain things then go into an image with a hex editor to find the location from the offest (from the strings), but what are the different types of data that can be found when using a hex editor with different files.
I guess I am looking for a paper/article ect where people have cracked cases or found evidence with hex editors. Just so I can learn more about the power of hex editors.
Thanks. Sorry about the brevity of my previous post. That is what two kids and a wife will do to you. )
Mark
Basically I am trying to find different ways in which someone could use a hex editor to find information during an investigation. For example, what kind of metadata could be found when examining a jpg, a word doc, etc etc.
I guess I am looking for a paper/article ect where people have cracked cases or found evidence with hex editors. Just so I can learn more about the power of hex editors.Mark
Mark,
While I can't point you to a paper or article, I'd argue that most traditional computer forensics exams are "cracked" using hex editors.
EnCase, FTK and X-Ways Forensic are all very powerful tools for analyzing digital evidence. In my opinion, they are all hex editors. Fancy hex editors. Hex editors with lots of automated features built in. But hex editors.
Hex editors let us view areas of the hard disk that are inaccessible using the OS (MBR, VBR, etc). Hex editors let us view and search for deleted files in unallocated space. Hex editors let us recover deleted files using the legacy information in directories.
I could go on and on…..and maybe I've misunderstood your question. If so, disregard my response.
Either way, I'll continue to think of the forensics software I use for all cases as glorified hex editors.
If I may, you should use a Hex VIEWER only.
Though most Hex editors actually have a "READ ONLY" mode, a Hex Viewer guarantees that you do not, by accident, alter any data.
About file headers/recognizers, something you should have a look at is this
http//
jaclaz
A decent defence brief would spot very quickly the use of an editing tool when we go out of our way to keep the evidence untouched. The only scenario would be when you are trying to create a situation which, for some reason, has been altered (perhaps to test something),
I have not used a Hex editor for years.
I use a hex editor daily - usually WinHex but latterly one I have written myself (and may come on the market soon).
Hex editors are much better for jumping around through a particular file (rather than an image) that you do not know much about to determine what the file structure is - i.e. they are used more (by me) for reverse engineering than for forensics per se, although obviously the two are linked.
Hi,
Yes I use a hex editor in every case to double check certain things. As Paul describes it is particularly good for moving around a file you are studying and manually decoding.
There are scores of documents out there on analysis using hex editors. I'm not sure that all have been published but I have access to a few file analysis papers given to me by the authors.
Steve
Reverse Engineering - the exact two words that my brain failed to come up with.
I was just being picky with the editor thing.