An Introduction to Hex Editing for Cybercrime Investigators

Roderick Graham
8 min read · Sep 4, 2020

People interested in entering the growing field of cybercrime investigations can gain a leg up on the competition by learning how to use a hex editor. To “hex edit” means to make changes to the raw binary data — 1’s and 0’s — on a computer. “Hex” is short for “hexadecimal,” something I will discuss shortly. A hex editor is an application that presents the raw data of a file and allows the user to edit that data. This article will describe hexadecimal notation and the process of hex editing, and give some examples of how hex editing can be used by cybercrime investigators.

About Hexadecimal Notation

Hexadecimal notation can be a little disorienting for the uninitiated. It is a base-16 system, instead of base 10. We are most familiar with the base-10 number system — the decimal system. In a decimal system, we start with 0, 1, 2… up to 9, and then we add another digit and start over — so 10, 11, up to 19, and so on. Once you get to 99, you add another digit and start over with 100.

A hexadecimal system starts with 0, and we count up to 15 in a single digit, continuing past 9 (we do not use 10 because that would be adding another digit) by adding A, B, C, D, E, and F. In other words, A = 10, B = 11, C = 12, D = 13, E = 14, and F = 15. A new digit is added after F, and we start over with 10, 11, … 1F.

So, why use this weird system?

Computers store information in another numbering system based on “1”s and “0”s. This is a base two system, and the values are written in binary notation. If you visualized what a computer sees, it could be very disorienting for a human’s eyes. Consider the phrase “I hope the Dodgers win the World Series”. This phrase would be rendered in binary notation as:

01001001 00100000 01101000 01101111 01110000 01100101 00100000 01110100 01101000 01100101 00100000 01000100 01101111 01100100 01100111 01100101 01110010 01110011 00100000 01110111 01101001 01101110 00100000 01110100 01101000 01100101 00100000 01010111 01101111 01110010 01101100 01100100 00100000 01010011 01100101 01110010 01101001 01100101 01110011

The convention is to group 8 digits together — as I have done above. This is because each digit is a bit, and 8 bits is a byte. Each 8-digit block is…
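As an added example (not code from the original article), the Python sketch below renders the article's phrase as 8-bit binary groups and as the offset / hex / text layout that hex editors typically display. The function names and the 16-bytes-per-row width are choices made for this example.

```python
PHRASE = "I hope the Dodgers win the World Series"  # phrase used in the article


def to_binary(data: bytes) -> str:
    """Render each byte as an 8-bit group, like the article's binary listing."""
    return " ".join(f"{b:08b}" for b in data)


def to_hex(data: bytes) -> str:
    """Render each byte as two hexadecimal digits (one hex digit per 4 bits)."""
    return " ".join(f"{b:02X}" for b in data)


def hex_view(data: bytes, width: int = 16) -> list[str]:
    """Lay bytes out as rows of: offset, hex bytes, printable text."""
    rows = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        # Pad the hex column so the text column lines up on a short last row.
        hex_col = to_hex(chunk).ljust(width * 3 - 1)
        # Bytes outside printable ASCII (0x20-0x7E) are shown as '.'
        text_col = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append(f"{offset:08X}  {hex_col}  {text_col}")
    return rows


if __name__ == "__main__":
    raw = PHRASE.encode("ascii")
    print(to_binary(raw[:6]))        # first six bytes, "I hope", in binary
    print(to_hex(raw[:6]))           # the same six bytes in hexadecimal
    print("\n".join(hex_view(raw)))  # the whole phrase as a hex editor shows it
```

The same 39 bytes that take 39 eight-digit groups in binary fit in three rows of the hex view, with the offset column giving each row's starting position in hexadecimal.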
