Although hexdump is a great tool for viewing the contents of a file, hexedit is a much better alternative. Hexedit allows a user to edit a file and then display it in a format similar to hexdump.fmt. More importantly, hexedit allows an analyst to search for hex and/or ASCII strings, something that cannot be accomplished by just using hexdump and grep (a pattern-matching tool available on most Unix operating systems), because a match may be split across two lines of hexdump's output.
For example, if you are searching for the string utxZ in the data displayed in Figure 25-1, it would be missed by grep. This happens because the string utxZ is spread between two lines in the output of hexdump, and grep can search only line-by-line. However, with hexedit, an analyst could easily locate this string in the ASCII output.
Hexedit is also an efficient forensic tool because it can open large files (as large as the operating system supports) without slowing the machine to a crawl. This is because hexedit opens the input file a fragment at a time, as it is needed. Therefore, entire devices (such as 80GB hard drives) could be searched and analyzed with hexedit, if needed.
Hexedit can be researched and downloaded from the following web site: http://merd.net/pixel/hexedit.html.
Hexedit is invoked with the following command:
forensic# hexedit suspiciousfile.bin
After the file is open, a display of output, such as the following, is presented:
In the output, the offset byte count runs down the left column in hexadecimal format. The middle column shows the bytes within the suspiciousfile.bin, in hexadecimal notation. The rightmost column contains the same representation of the middle column, except in ASCII notation. Any nonprintable characters are signified by a period (.).
A summary of the commands used most often is shown in Table 25-1.
Key Command | Description |
---|---|
< | Go to start of file |
> | Go to end of the file |
RIGHT ARROW | Next character |
LEFT ARROW | Previous character |
DOWN ARROW | Next line |
UP ARROW | Previous line |
HOME | Beginning of line |
END | End of line |
PAGE UP | Page forward |
PAGE DOWN | Page backward |
F2 | Save |
F3 | Load file |
F1 | Help |
CTRL-L | Redraw |
CTRL-Z | Suspend |
CTRL-X | Save and exit |
CTRL-C | Exit without saving |
TAB | Toggle hex/ASCII |
ENTER | Go to |
BACKSPACE | Undo previous character |
CTRL-U | Undo all |
CTRL-S | Search forward |
CTRL-R | Search backward |
CTRL-SPACEBAR | Set mark |
CTRL-Y | Paste |
ESC-I | Fill |
ESC-W | Copy |
ESC-Y | Paste into a file |
To accomplish the task of searching for the utxZ string in the file suspiciousfile.bin, for example, you would press TAB to transfer control to the ASCII tab. Then, press CTRL-S to search forward and CTRL-R to search backward in the ASCII representation of the file’s contents. The following process was performed, and the output is shown here:
Notice how the cursor selects the first letter of the ASCII string utxZ, and the string wraps the line.
To search for a hexadecimal string, press TAB to move the focus to the hexadecimal tab. To locate the hexadecimal string 66 D4 D4 68, which is also line wrapped, press CTRL-S to search forward. Type in the search term 66 D4 D4 68 and press ENTER. If a reverse direction search is desired, press CTRL-R instead of CTRL-S. The following screen capture illustrates this hexadecimal search:
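The two searches just described (the ASCII string utxZ and the hex sequence 66 D4 D4 68, both wrapping a line) and the earlier point that hexedit reads the file a fragment at a time can be reproduced outside of hexedit with a small script. The following is an added example, not code from the page or from the hexedit project: it builds a constructed sample buffer in which both patterns straddle a 16-byte line boundary, renders it the way hexdump -C would, shows that a line-by-line grep finds neither pattern, and then finds both with a chunked byte search that carries the tail of each chunk into the next so a match across a chunk boundary is never missed. The function and variable names are my own.

```python
import io
from typing import Optional

# Constructed sample data (not from the page): 64 zero bytes, with "utxZ" placed at
# offsets 0x0e-0x11 and the bytes 66 D4 D4 68 at offsets 0x1e-0x21, so that each
# pattern wraps a 16-byte hexdump line.
_buf = bytearray(0x40)
_buf[0x0e:0x12] = b"utxZ"
_buf[0x1e:0x22] = bytes.fromhex("66 D4 D4 68")
SAMPLE = bytes(_buf)


def hexdump_lines(data: bytes, width: int = 16) -> list[str]:
    """Render data like hexdump -C: offset, hex column, ASCII column ('.' for nonprintable)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asciipart}|")
    return lines


def grep_lines(lines: list[str], needle: str) -> list[str]:
    """grep-style search: every rendered line is examined on its own."""
    return [ln for ln in lines if needle in ln]


def search_bytes(stream, pattern: bytes, chunk_size: int = 4096) -> Optional[int]:
    """Return the offset of the first occurrence of pattern, reading chunk_size bytes
    at a time. The last len(pattern)-1 bytes of each window are carried into the
    next one, so a match that straddles a chunk boundary is still found while
    memory use stays bounded regardless of file size."""
    overlap = len(pattern) - 1
    carry = b""
    base = 0  # stream offset of carry[0], i.e. of the start of the next window
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None
        window = carry + chunk
        idx = window.find(pattern)
        if idx != -1:
            return base + idx
        carry = window[-overlap:] if overlap else b""
        base += len(window) - len(carry)


def find_in_data(data: bytes, pattern: bytes, chunk_size: int = 16) -> Optional[int]:
    """Convenience wrapper: run the chunked search over an in-memory buffer."""
    return search_bytes(io.BytesIO(data), pattern, chunk_size)


def find_hex(data: bytes, hex_string: str, chunk_size: int = 16) -> Optional[int]:
    """Search for a hex string typed the way hexedit accepts it, e.g. '66 D4 D4 68'."""
    return find_in_data(data, bytes.fromhex(hex_string), chunk_size)


def demo() -> dict:
    """Compare line-by-line grep against the chunked byte search on SAMPLE."""
    lines = hexdump_lines(SAMPLE)
    return {
        "grep_ascii_hits": len(grep_lines(lines, "utxZ")),        # 0: wrapped, so grep misses it
        "grep_hex_hits": len(grep_lines(lines, "66 d4 d4 68")),   # 0: hex column is wrapped too
        "ascii_offset": find_in_data(SAMPLE, b"utxZ"),            # 0x0e
        "hex_offset": find_hex(SAMPLE, "66 D4 D4 68"),            # 0x1e
    }


if __name__ == "__main__":
    for line in hexdump_lines(SAMPLE):
        print(line)
    print(demo())
```

A chunk size of 16 is used in the demo only to force the patterns across window boundaries; for a real device image a chunk of a few megabytes is typical, and the same search works on an open file object because it only ever calls read().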
In a forensic investigation, the editing ability of the hexedit tool is rarely used. Therefore, to ensure file integrity of evidence, it is a good idea to make the input file to hexedit read-only. No switch is available for hexedit to accomplish this task; therefore, you must be sure to execute the following command beforehand to make suspiciousfile.bin read-only:
forensic# chmod 500 suspiciousfile.bin
Tip: If the file system containing the file you are opening with hexedit does not need to be written to, you should mount it as read-only to protect the contents during your analysis.
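The read-only step above can be wrapped in a short integrity routine: record a hash of the evidence file, clear its write bits, and re-hash after the hexedit session to confirm nothing changed. The following is an added example, not code from the page or from hexedit; it creates a constructed temporary file standing in for suspiciousfile.bin, and the function names are my own. Note that mode bits do not bind root (the prompt in the text is a root prompt), which is why the read-only mount in the Tip is the stronger protection and the hash comparison is worth keeping regardless.

```python
import hashlib
import os
import stat
import tempfile

_WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file one chunk at a time, so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_read_only(path: str) -> int:
    """Clear every write bit, mirroring the chmod step before opening evidence in hexedit.
    Returns the resulting permission bits. (The page uses chmod 500; a data file needs
    no execute bit, so 400 is the minimal equivalent.)"""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~_WRITE_BITS
    os.chmod(path, new_mode)
    return new_mode


def writable_by_mode(path: str) -> bool:
    """True if any write bit is set. Mode bits do not restrict root."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & _WRITE_BITS)


def verify_unchanged(path: str, baseline_sha256: str) -> bool:
    """Re-hash after the analysis session and compare against the baseline."""
    return sha256_of(path) == baseline_sha256


def demo() -> dict:
    """Run the protect / analyse / verify sequence on a constructed temporary file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "suspiciousfile.bin")
        with open(path, "wb") as f:
            f.write(b"\x00" * 30 + b"utxZ" + b"\x00" * 30)  # constructed contents
        os.chmod(path, 0o644)  # deterministic starting mode regardless of umask
        baseline = sha256_of(path)
        before = writable_by_mode(path)
        mode = make_read_only(path)
        after = writable_by_mode(path)
        # ... the hexedit session would happen here ...
        unchanged = verify_unchanged(path, baseline)
        os.chmod(path, 0o600)  # restore write bit so the temp dir can be removed
        return {
            "baseline": baseline,
            "writable_before": before,
            "writable_after": after,
            "mode": mode,
            "unchanged": unchanged,
        }


if __name__ == "__main__":
    print(demo())
```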