SANS Digital Forensics and Incident Response Blog: Daily Archives: Apr 10, 2009

Data recovery with Hex Editor and RegEx

by Quinn Shamblin

In my previous post about recovering mp3 data from a corrupted chip, I describe a data recovery challenge that I could not solve using FTK, Foremost or Lazarus. It turned out that Regular Expressions were my answer. But how best to run regex-based data extraction against a forensic image when there might be hundreds of thousands, if not millions, of individual matching frames?

Hex Editor Neo was exactly what I needed. It has a few unique features that really