Hexedit




Although hexdump is a great tool for viewing the contents of a file, hexedit is a much better alternative. Hexedit allows a user to edit a file and then display it in a format similar to hexdump.fmt. More importantly, hexedit allows an analyst to search for hex and/or ASCII strings, something that cannot be accomplished by just using hexdump and grep (a pattern-matching tool available on most Unix operating systems), because a matching string may be split across two lines of hexdump output.

For example, if you are searching for the string utxZ in the data displayed in Figure 25-1, it would be missed by grep. This happens because the string utxZ is spread between two lines in the output of hexdump, and grep can search only line-by-line. However, with hexedit, an analyst could easily locate this string in the ASCII output.

Hexedit is also an efficient forensic tool because it can open large files (as large as the operating system supports) without slowing the machine to a crawl. This is because hexedit reads the input file a fragment at a time, as each fragment is needed, rather than loading the whole file into memory. Therefore, entire devices (such as 80GB hard drives) can be searched and analyzed with hexedit, if needed.

Hexedit can be researched and downloaded from the following web site: http://merd.net/pixel/hexedit.html.

Implementation

Hexedit is invoked with the following command:

forensic# hexedit suspiciousfile.bin

After the file is open, a display of output, such as the following, is presented:

[Screen capture: hexedit display of suspiciousfile.bin]

In the output, the offset byte count runs down the left column in hexadecimal format. The middle column shows the bytes within the suspiciousfile.bin, in hexadecimal notation. The rightmost column contains the same representation of the middle column, except in ASCII notation. Any nonprintable characters are signified by a period (.).

A summary of the commands used most often is shown in Table 25-1.

Table 25-1: Often Used Key Commands

Key Command       Description
-----------       -----------
<                 Go to start of file
>                 Go to end of the file
RIGHT ARROW       Next character
LEFT ARROW        Previous character
DOWN ARROW        Next line
UP ARROW          Previous line
HOME              Beginning of line
END               End of line
PAGE UP           Page forward
PAGE DOWN         Page backward
F2                Save
F3                Load file
F1                Help
CTRL-L            Redraw
CTRL-Z            Suspend
CTRL-X            Save and exit
CTRL-C            Exit without saving
TAB               Toggle hex/ASCII
ENTER             Go to
BACKSPACE         Undo previous character
CTRL-U            Undo all
CTRL-S            Search forward
CTRL-R            Search backward
CTRL-SPACEBAR     Set mark
CTRL-Y            Paste
ESC-I             Fill
ESC-W             Copy
ESC-Y             Paste into a file

To search for the utxZ string in the file suspiciousfile.bin, for example, press TAB to move the cursor to the ASCII pane. Then press CTRL-S to search forward or CTRL-R to search backward through the ASCII representation of the file's contents. The following process was performed, and the output is shown here:

[Screen capture: hexedit ASCII search for utxZ]

Notice that the cursor lands on the first character of the ASCII string utxZ even though the string wraps onto the next line.

To search for a hexadecimal string, press TAB to move the cursor to the hexadecimal pane. To locate the hexadecimal string 66 D4 D4 68, which is also line wrapped, press CTRL-S to search forward, type the search term 66 D4 D4 68, and press ENTER. If a reverse search is desired, press CTRL-R instead of CTRL-S. The following screen capture illustrates this hexadecimal search:

[Screen capture: hexedit hexadecimal search for 66 D4 D4 68]
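The following Python script is an added example, not code from the book or from the hexedit project. It reproduces the two searches described above on a constructed sample buffer (the names SAMPLE, hexdump_c, grep_dump, search_stream, search_bytes and hex_pattern are all assumptions introduced here, and the buffer is not the book's suspiciousfile.bin). It first renders the buffer in a simplified hexdump -C style and shows that a line-by-line grep misses both the ASCII string utxZ and the byte sequence 66 D4 D4 68 because each straddles a 16-byte line; it then searches the raw bytes the way hexedit does, reading the input a fragment at a time and carrying over a short tail so that a match straddling two fragments is still found exactly once.

```python
"""Added example (not from the book): line-oriented grep over hexdump output
versus a chunked, boundary-aware byte search of the kind hexedit performs."""
from __future__ import annotations

import io

BYTES_PER_LINE = 16

# Constructed sample (not the book's suspiciousfile.bin): 'utxZ' straddles the
# boundary between hexdump lines 1 and 2 (offset 14), and the byte sequence
# 66 D4 D4 68 straddles lines 2 and 3 (offset 30).
SAMPLE = b"A" * 14 + b"utxZ" + b"B" * 12 + b"\x66\xd4\xd4\x68" + b"C" * 10


def hexdump_c(data: bytes) -> list[str]:
    """Render data in a simplified `hexdump -C` style: offset, hex bytes, |ASCII|."""
    lines = []
    for off in range(0, len(data), BYTES_PER_LINE):
        row = data[off:off + BYTES_PER_LINE]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        lines.append(f"{off:08x}  {hexpart:<{BYTES_PER_LINE * 3 - 1}}  |{asc}|")
    return lines


def grep_dump(lines: list[str], needle: str) -> list[str]:
    """Line-by-line text search, the way `hexdump -C file | grep needle` behaves."""
    return [ln for ln in lines if needle in ln]


def search_stream(stream, pattern: bytes, chunk_size: int = 1 << 20) -> list[int]:
    """Return every absolute offset of `pattern` in a binary stream.

    The stream is read one chunk at a time, so arbitrarily large files (or whole
    devices) can be scanned without loading them into memory. The last
    len(pattern)-1 bytes of each chunk are carried into the next iteration so a
    match that straddles two chunks is not lost; because the carry-over is shorter
    than the pattern, no match can be reported twice.
    """
    if not pattern:
        raise ValueError("empty pattern")
    hits: list[int] = []
    carry = b""   # tail of the previous chunk
    base = 0      # stream offset at which `carry` begins
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        idx = buf.find(pattern)
        while idx != -1:
            hits.append(base + idx)
            idx = buf.find(pattern, idx + 1)  # allow overlapping matches
        keep = len(pattern) - 1
        carry = buf[-keep:] if keep else b""
        base += len(buf) - len(carry)
    return hits


def search_bytes(data: bytes, pattern: bytes, chunk_size: int = 16) -> list[int]:
    """Convenience wrapper: search an in-memory buffer with a deliberately small
    chunk size so that the boundary-crossing logic is exercised."""
    return search_stream(io.BytesIO(data), pattern, chunk_size)


def hex_pattern(text: str) -> bytes:
    """Turn a hexedit-style search term such as '66 D4 D4 68' into raw bytes."""
    return bytes.fromhex(text)


if __name__ == "__main__":
    dump = hexdump_c(SAMPLE)
    print("\n".join(dump))
    print("grep 'utxZ' over the dump:       ", grep_dump(dump, "utxZ"))
    print("grep '66 d4 d4 68' over the dump:", grep_dump(dump, "66 d4 d4 68"))
    print("byte search utxZ:                ", search_bytes(SAMPLE, b"utxZ"))
    print("byte search 66 D4 D4 68:         ",
          search_bytes(SAMPLE, hex_pattern("66 D4 D4 68")))
```

Run with no arguments: both grep calls return an empty list, while the byte searches report offsets 14 and 30. To apply the same search to a real file or block device, pass an object opened with `open(path, "rb")` to search_stream and leave chunk_size at its default.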

In a forensic investigation, the editing ability of the hexedit tool is rarely used. Therefore, to preserve the integrity of the evidence, it is a good idea to make the input file to hexedit read-only. Hexedit has no switch to accomplish this, so be sure to execute the following command beforehand to make suspiciousfile.bin read-only:

forensic# chmod 500 suspiciousfile.bin

Tip: If the file system containing the file you are opening with hexedit does not need to be written to, you should mount it as read-only to protect the contents during your analysis.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2004
Pages: 189
