An Introduction to Hex Editing for Cybercrime Investigators


About Hexadecimal Notation

Hexadecimal notation can be a little disorienting for the uninitiated. It is a base-16 number system, whereas the decimal system we use every day is base 10. In decimal we count 0, 1, 2, and so on up to 9, then add a digit and start over: 10, 11, up to 19, and so on. Once you get to 99, you add another digit and start over at 100. Hexadecimal works the same way, but with sixteen symbols: 0 through 9, followed by A through F for the values 10 through 15. After F comes 10, which is sixteen in decimal. The reason hex is the natural way to look at raw data is that one hex digit represents exactly four bits, so a byte (eight bits) is always two hex digits, from 00 to FF (0 to 255 in decimal).

https://owlcation.com/stem/How-to-Convert-Hex-to-Binary-and-Binary-to-Hexadecimal

Looking at a Hex Editor

There are at least four areas of focus in any hex editor:

  • The address (offset) area, usually on the left, gives the position of the first byte in each row, counted from the start of the file and written in hexadecimal
  • The hexadecimal area in the center shows the raw bytes of the file, each byte as two hex digits
  • The character area (usually on the right) shows the same bytes interpreted as text; bytes that correspond to printable characters are shown as those characters, and everything else is usually shown as a dot
  • There will also be a file information area showing metadata about the file and information about the raw data within it, typically the offset and the value of the byte under the cursor in hex, decimal and binary
The Four Main Areas of a Hex Editor
A Highlighted Address Block in a Hex Editor
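To make the three columns and the information pane concrete, here is a small Python rendering of what a hex editor displays, together with an overwrite at a chosen offset, which is what "hex editing" a byte actually does. This is an example added to the article, not code from any particular hex editor. The bytes it displays are a constructed sample (the PNG signature followed by the start of an IHDR chunk), not a real image.

```python
"""Render bytes the way a hex editor does (offset, hex, text columns)
and apply an edit at a chosen offset. Example code added to this
article, not taken from any hex editor."""

# Constructed sample: the 8-byte PNG signature followed by the start of
# an IHDR chunk. Not a valid image, just enough bytes to display.
SAMPLE = bytes.fromhex("89504E470D0A1A0A") + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 4


def to_text(chunk: bytes) -> str:
    """Character column: printable ASCII as-is, everything else as a dot."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def hexdump(data: bytes, width: int = 16, base: int = 0) -> list[str]:
    """One line per `width` bytes: offset (hex), byte values (hex), text."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_col = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        lines.append(f"{base + off:08X}  {hex_col}  |{to_text(chunk)}|")
    return lines


def patch(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes at `offset` without changing the file length,
    which is what a hex editor does in overwrite mode."""
    if offset < 0 or offset + len(new) > len(data):
        raise ValueError("edit runs past the end of the data")
    buf = bytearray(data)
    buf[offset:offset + len(new)] = new
    return bytes(buf)


def describe_byte(data: bytes, offset: int) -> dict:
    """What the information pane shows for the byte under the cursor."""
    b = data[offset]
    return {
        "offset_hex": f"{offset:X}",
        "hex": f"{b:02X}",
        "decimal": b,
        "binary": f"{b:08b}",
        "char": chr(b) if 32 <= b < 127 else ".",
    }


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    # Corrupt the second byte of the signature ('P'). An image viewer
    # would then refuse to open the file, because the signature no longer matches.
    print("\n".join(hexdump(patch(SAMPLE, 1, b"X"))))
    print(describe_byte(SAMPLE, 1))
```

Note that `patch` only overwrites; inserting or deleting bytes shifts every later offset, which is why editors separate "overwrite" and "insert" modes and why a careless insert usually breaks a binary file.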

Why Would a Cybercrime Investigator use a Hex Editor?

Computer programmers and software engineers may use a hex editor for debugging or for patching a binary file directly, among other things. Attackers can embed code in regions of a file that its normal reader ignores (for example, data appended after the file's real contents) without damaging the usability or functionality of the file, and thereby hide their malware. Cybercrime investigators, however, have other uses for a hex editor.

Analyzing File Signatures

In many file formats, bytes at the beginning and end of the file are set aside for specific information and metadata. For example, the first several bytes of a file identify what type of file it is: a Word document, a JPEG image, an executable file, and so on. This is its file signature (also called its magic number). File signatures are well-known values, and listings of them are available in several places online. Wikipedia has a list of file signatures and the offset at which each is found in a file. Cybersecurity expert Gary Kessler maintains a file signature table that is user friendly (Figure 4). Note that the signature, not the file name extension, is what identifies the format: a file with a .pdf extension whose first two bytes are MZ is a Windows executable, and a mismatch between extension and signature is a common sign that someone has tried to disguise a file. The signature is only a hint, though; a few bytes are easy to forge, so confirm it against the rest of the file's structure, including the trailer bytes at the end where the format defines them.

The File Signature of an ODT File — https://filesignatures.net/
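The check described above in Python, as an example added to this article (not the page's own code or Gary Kessler's tool): a small table of signatures and trailers, an identification routine that matches each signature at its offset, and a comparison against the file name extension. The signature values are the standard published ones; the sample files are constructed in memory (signature-correct stubs, not real images or programs), and the ODT case uses the fact that an ODT is a ZIP archive whose first entry is an uncompressed file named "mimetype", whose name sits at offset 30 of the ZIP local header and whose content therefore starts at offset 38.

```python
"""Identify a file's format from its signature bytes rather than its
name, check the trailer where the format has one, and flag an
extension that does not match. Example code added to this article,
using signature values from the public listings it mentions. The
sample files below are constructed, not real documents."""
import io
import os
import zipfile

# (offset, magic bytes) per format. Only a handful of well-known entries;
# the online tables cover hundreds more.
SIGNATURES = {
    "png": [(0, bytes.fromhex("89504E470D0A1A0A"))],
    "jpg": [(0, bytes.fromhex("FFD8FF"))],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "pdf": [(0, b"%PDF")],
    "zip": [(0, bytes.fromhex("504B0304"))],
    "elf": [(0, bytes.fromhex("7F454C46"))],
    "exe": [(0, b"MZ")],  # DOS/Windows executables
}
# Bytes expected at the very end of the file, for formats that define them.
TRAILERS = {
    "png": bytes.fromhex("49454E44AE426082"),  # IEND chunk and its CRC
    "jpg": bytes.fromhex("FFD9"),
    "pdf": b"%%EOF",
}
ODT_MIME = b"application/vnd.oasis.opendocument.text"


def identify(data: bytes) -> list[str]:
    """Return every format whose signature matches at its offset."""
    hits = [fmt for fmt, sigs in SIGNATURES.items()
            if any(data[off:off + len(sig)] == sig for off, sig in sigs)]
    # An ODT is a ZIP whose first entry is an uncompressed file named
    # "mimetype". In a ZIP local header the name begins at offset 30, so
    # the name occupies bytes 30..37 and its content starts at byte 38.
    if ("zip" in hits and data[30:38] == b"mimetype"
            and data[38:38 + len(ODT_MIME)] == ODT_MIME):
        hits.append("odt")
    return hits


def has_trailer(fmt: str, data: bytes) -> bool:
    """True if the file ends with the format's trailer (ignoring trailing
    newlines or zero padding). Appended data makes this fail, which is itself a clue."""
    return data.rstrip(b"\r\n\x00").endswith(TRAILERS[fmt])


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the signature identifies a format but the extension
    claims a different one. Unknown signatures are not reported."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = {"jpeg": "jpg"}.get(ext, ext)
    hits = identify(data)
    return bool(hits) and ext not in hits


# Constructed sample bytes: valid signatures, not valid images or programs.
SAMPLE_PNG = (bytes.fromhex("89504E470D0A1A0A") + b"\x00\x00\x00\x0dIHDR"
              + b"\x00" * 17 + bytes.fromhex("0000000049454E44AE426082"))
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60


def make_sample_odt() -> bytes:
    """Build a minimal ODT-like ZIP in memory: 'mimetype' stored first,
    uncompressed and without an extra field, as the ODF spec requires."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME,
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", b"<office:document-content/>",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    # File names here are hypothetical labels for the constructed samples.
    samples = [("photo.png", SAMPLE_PNG), ("invoice.pdf", SAMPLE_EXE),
               ("report.odt", make_sample_odt())]
    for name, blob in samples:
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: {identify(blob)} {verdict}")
```

A real triage script would read only the first few hundred bytes and the last few of each file rather than the whole thing, and would treat "no signature matched" as "unknown", not "clean": plain text, scripts and many proprietary formats have no magic bytes at all.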

Other Uses

Another use of hex editing is recovering deleted files from a hard drive. Deleted data can sometimes be recovered if the operating system has not yet overwritten it. As you know, deleting a file or moving it to the trash does not erase its contents; it tells the file system that the space the file occupied (the literal bits on the disk drive) is free to be used by new data. Space that is not currently assigned to any file is called unallocated space. A forensic investigator can use a hex editor to find the entire file, or fragments of it, in that space. Piecing a file back together this way is called file carving. You search the unallocated space of the drive for the file header (the file signature) and the matching file footer, then extract the header, the footer, and everything in between. That should be the file. This simple approach assumes the file was stored contiguously; if it was fragmented, or the format has no fixed footer, you need the length fields in the header and knowledge of the format's structure to work out where it ends.
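The header-to-footer carving just described, as an example added to this article (not the page's own code or any forensic tool's): it scans a raw image for each format's header, cuts through the next footer, and optionally accepts only headers that start on a sector boundary, which is how real carvers cut down false positives, since files begin on a cluster. The "disk image" is constructed in memory from zeros and two signature-correct stubs (not real pictures), with the JPEG placed at sector 1 and the PNG at sector 4, so the expected offsets are known.

```python
"""Header/footer file carving over a raw image. Example code added to
this article; the 'disk image' is constructed in memory and the files
in it are signature-correct stubs, not real pictures."""
from dataclasses import dataclass
from typing import Optional

# Header and footer bytes for two formats that define a fixed footer.
CARVE_RULES = {
    "jpg": (bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
    "png": (bytes.fromhex("89504E470D0A1A0A"), bytes.fromhex("49454E44AE426082")),
}


@dataclass
class Carved:
    offset: int
    fmt: str
    data: Optional[bytes]  # None: header found but no footer within max_size


def carve(image: bytes, rules=CARVE_RULES, align: Optional[int] = None,
          max_size: int = 8 * 1024 * 1024) -> list:
    """Scan for each header and cut from it through the next footer.
    With `align` set (e.g. 512), headers not on a sector boundary are
    ignored; a header with no footer in range is reported as partial."""
    found = []
    for fmt, (header, footer) in rules.items():
        pos = image.find(header)
        while pos != -1:
            if align and pos % align:
                pos = image.find(header, pos + 1)
                continue
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append(Carved(pos, fmt, None))
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append(Carved(pos, fmt, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda c: c.offset)


# Constructed stubs: correct header and footer, filler in between.
SAMPLE_JPG = (bytes.fromhex("FFD8FFE00010") + b"JFIF\x00"
              + b"\x00" * 20 + bytes.fromhex("FFD9"))
SAMPLE_PNG = (bytes.fromhex("89504E470D0A1A0A") + b"\x00\x00\x00\x0dIHDR"
              + b"\x00" * 17 + bytes.fromhex("0000000049454E44AE426082"))


def build_image(sector: int = 512) -> bytes:
    """Six sectors of 'unallocated space': zeros, with the JPEG starting
    at sector 1 (offset 512) and the PNG at sector 4 (offset 2048)."""
    img = bytearray(b"\x00" * sector)
    img += SAMPLE_JPG
    img += b"\x00" * (4 * sector - len(img))
    img += SAMPLE_PNG
    img += b"\x00" * (6 * sector - len(img))
    return bytes(img)


if __name__ == "__main__":
    for c in carve(build_image(), align=512):
        status = f"{len(c.data)} bytes" if c.data else "partial (no footer)"
        print(f"offset 0x{c.offset:X}: {c.fmt} {status}")
```

Two caveats a practitioner would add: a JPEG often contains a smaller embedded JPEG (an EXIF thumbnail) with its own FFD9, so naive footer matching can cut the file short, and a footer belonging to a different, fragmented file can be matched by mistake. Production carvers validate the structure between header and footer rather than trusting the first footer they see.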

Conclusion

Hex editing at first appears to be a complex activity. However, it is easier than it looks. Identifying file signatures, carving files, locating time stamps, and more is made simpler by the computer investigation community. Online resources tell the investigator where a given piece of data is expected to be found, such as a timestamp or a file signature, and what values to expect there. So once a person knows what to look for, it is a straightforward activity. The key is to embed yourself in that community so that those resources are easy to find. One well-known organization is the International Society of Forensic Computer Examiners (ISFCE). Another, aimed primarily at law enforcement, is the International Association of Computer Investigative Specialists (IACIS).

Rod is an Associate Professor of Sociology at Old Dominion University. https://www.youtube.com/c/roderickgraham
