FRHED

Frhed is a Windows-based hex editing tool. It is graphical in nature and incorporates many rich features useful for forensic analysis. Frhed can be downloaded at http://www.kibria.de/frhed.html.

Implementation

Frhed's output is similar to that of hexedit in that the byte offset is in the left column (in hexadecimal), the content is represented in the middle column, and the ASCII translation is in the right column. The screenshot shown in Figure 25-2 represents the same suspiciousfile.bin file loaded in the previous sections, visible by choosing File | Open.


Figure 25-2: Frhed's suspiciousfile.bin representation

Searching the file's content requires that you choose Edit | Find. A dialog box opens, where you are presented with many search options. To search for a hexadecimal string, you must encode the bytes in the following manner:

<bh:#>

The # represents the hexadecimal byte search criteria. The b means byte-sized value and h means hexadecimal notation. The flexibility of frhed allows you to also search by w for word-size or l for longword-size. Additionally, you can use d for decimal notation as an alternative to hexadecimal notation.

To search for a pattern of more than one unit (byte, word, or longword), multiple search strings may be concatenated, similar to that shown in the following illustration:

Click OK, and the string is located and highlighted. To continue the search forward, press F3 or choose Edit | Find Next; to search backward, press F4 or choose Edit | Find Previous.

To search within the ASCII column, you enter the search criteria without additional formatting. With ASCII as the content you are searching, you have the additional option of choosing a case-sensitive search. This means that if you want to search for UTXZ and you choose the Match Case option in the Find dialog box, the search will not discover utxZ in the content.

Frhed can also export the contents to an ASCII file, similar to hexdump's output. To do this, choose File | Export As Hexdump. If you want to dump only a section of the file, the Export Hexdump dialog box allows you to choose the starting and ending byte offsets for the dump, as shown in the following illustration:

After the data has been dumped to a text file, the output can be viewed with any standard text-viewing utility. After you have exported the data as a hexdump, you can open the text file in Windows Notepad:

One of the problems with viewing files in hex viewers is the notion of Least Significant Byte Code (little endian) versus Most Significant Byte Code (big endian), which comes into play when files from one type of architecture (such as Motorola processors) are viewed on another (such as Intel processors). Frhed can compensate for this difference by using the switches in the menu you access by choosing Options | Binary Mode. In this way, files from a machine with a different byte order can be analyzed and byte-swapped easily with this tool. The following illustration shows the Binary Mode Setting dialog box that this menu choice opens.
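The search syntax described above (one `<bh:#>`-style token per unit, tokens concatenated for longer patterns) and the byte-order choice from Binary Mode can be reproduced outside the editor. The following Python is an added example, not frhed's own code: it turns a frhed-style search string into the byte sequence it stands for, then reports every offset at which that sequence occurs in a constructed sample buffer. It assumes (the page does not say) that word and longword tokens are laid out in the byte order of the current binary mode, with little-endian as the default.

```python
import re

# Token grammar as described on the page: size b/w/l, notation h/d, then the value.
# Example tokens: <bh:4d> (one byte, hex), <wd:21> (one word, decimal), <lh:10015>.
TOKEN = re.compile(r"<([bwl])([hd]):([0-9a-fA-F]+)>")
UNIT_SIZE = {"b": 1, "w": 2, "l": 4}


def parse_pattern(text, byteorder="little"):
    """Convert a concatenated frhed search string into bytes.

    Assumption: multi-byte units follow the selected binary mode's byte order;
    little-endian is the default here. Malformed or oversized tokens raise.
    """
    out = bytearray()
    pos = 0
    for m in TOKEN.finditer(text):
        if m.start() != pos:  # anything between tokens is not valid syntax
            raise ValueError(f"unexpected text at {pos}: {text[pos:m.start()]!r}")
        size, notation, digits = m.groups()
        value = int(digits, 16 if notation == "h" else 10)
        width = UNIT_SIZE[size]
        if value >= 1 << (8 * width):
            raise ValueError(f"{digits} does not fit in a {width}-byte unit")
        out += value.to_bytes(width, byteorder)
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"trailing text: {text[pos:]!r}")
    return bytes(out)


def find_all(data, pattern):
    """Return every offset at which pattern occurs in data (overlaps included)."""
    hits, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


# Constructed sample buffer (not from the page): an 'MZ' marker, filler,
# the byte 0x15 (decimal 21, as in the Manipulate Bits discussion) and a second 'MZ'.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"\x15\x00\x01\x00" + b"MZ"

if __name__ == "__main__":
    for text in ("<bh:4d><bh:5a>", "<wh:5a4d>", "<wd:21>", "<lh:10015>"):
        pat = parse_pattern(text)
        print(f"{text:16} -> {pat.hex():10} at {[hex(o) for o in find_all(SAMPLE, pat)]}")
```

Note that the same word value matches at a different place, or not at all, depending on the byte order chosen, which is exactly the situation the Binary Mode switches are meant to address.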

For users who are uneasy using hex viewers and translating hexadecimal into binary format, a useful feature is available by choosing Edit | Manipulate Bits to open the Manipulate Bits dialog box. In this dialog box, you can view and set hexadecimal values as a series of on/off switches, or checkboxes, where a check mark indicates a 1 and a blank indicates a 0.

Here we can see which bits at offset 0xb6 are set to make up its decimal value of 21 (hex value of 15). For comparisons of hexadecimal and decimal numbers, refer to the ASCII table in Appendix A.

Perhaps one of frhed's most useful features, which is not available in many other editors, is its ability to partially open files. This lets a forensic analyst read small segments of enormous files, such as dd images (see Chapter 22 for a discussion of dd), for inspection without locking up all the computer's resources. To partially open a file, choose File | Open Partially. The program then queries the user for a starting offset and the length of the segment to read.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175