SANS Digital Forensics and Incident Response Blog

Data recovery with Hex Editor and RegEx

by Quinn Shamblin

In my previous post about recovering mp3 data from a corrupted chip, I describe a data recovery challenge that I could not solve using FTK, Foremost or Lazarus. It turned out that Regular Expressions were my answer. But how best to run regex-based data extraction against a forensic image when there might be hundreds of thousands, if not millions, of individual matching frames?

Hex Editor Neo was exactly what I needed. It has two features that really differentiate the product: (1) it accepts a regular expression as the selection input, and (2) it supports multi-selection, so every match can be selected at once.

The procedure I used pulled roughly 600 MB of pristine mp3 data off of a 1 GB image of a corrupted compact flash chip in around 30 seconds and I was left with a nice playable result. This technique will even remove non-mp3 data that may be present in between frames on the media.

This technique does not rely on or reference metadata, so it will not recognize a break point if there is more than one MP3 on the image you are analyzing. But if mp3 data matching the criteria discussed in my previous post is present and in sequential order, this process should pull it out for you nicely. Obviously, you may need to review the results in an audio editor like Audacity to work with what you have recovered and split it into separate files if needed.

(Note you will need to buy a license or to start up the 14-day full-feature evaluation version to do this. Some of the required features are disabled in the free version. It isn't expensive though.)

MP3 Frame Extraction Procedure:

  1. Open a copy of the source image file using Hex Editor Neo
  2. Press <cntl+F> to enter the Find function
  3. Enter all the parameters as shown to do a Regular Expression search.

    The RegEx string I needed for my data was:
    \xff\xfb(\x90.{414}|\x92.{415})

    but if you have a different bit rate or other encoding parameter, you may need a different RegEx. See the MPEG Audio Frame Header Specs for details on the header bytes, then use my results above and this RegEx Reference to construct one that will meet your needs.

  4. Press <cntl+i> to invert selection thereby selecting all non-mp3 frame data
  5. Press <delete> to remove the non-mp3 frame data. What is left is just the mp3 frames that meet your criteria, in sequence as found on the media
  6. Save as <filename>.mp3
  7. Proceed with subsequent review and analysis of resulting file
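The procedure above hard-codes one header pattern (128 kbps, 44.1 kHz, padded and unpadded frames). The following script is an added example, not from the original post or from Hex Editor Neo, that does the same "keep matching frames, drop everything between them" pass offline in Python and generalizes it: it decodes the MPEG-1 Layer III header fields (bitrate index, sample rate index, padding bit) to compute each frame's length instead of matching a fixed size. The sample image, the frame payloads, the junk bytes and the function names are all constructed for the example.

```python
import re

# MPEG-1 Layer III bitrate table (kbps), indexed by the 4-bit bitrate index.
# Index 0 is "free format" and 15 is reserved; both are treated as invalid here.
BITRATES_MPEG1_L3 = [None, 32, 40, 48, 56, 64, 80, 96, 112,
                     128, 160, 192, 224, 256, 320, None]
# MPEG-1 sample rates (Hz), indexed by the 2-bit sample rate index; 3 is reserved.
SAMPLE_RATES_MPEG1 = [44100, 48000, 32000, None]


def frame_length(header: bytes):
    """Return the byte length of an MPEG-1 Layer III frame given its 4-byte
    header, or None if the bytes are not a valid header of that kind."""
    if len(header) < 4:
        return None
    b0, b1, b2 = header[0], header[1], header[2]
    # Frame sync is 11 set bits: 0xFF followed by the top 3 bits of byte 1.
    if b0 != 0xFF or (b1 & 0xE0) != 0xE0:
        return None
    version = (b1 >> 3) & 0x03   # 0b11 = MPEG-1
    layer = (b1 >> 1) & 0x03     # 0b01 = Layer III
    if version != 0b11 or layer != 0b01:
        return None
    bitrate = BITRATES_MPEG1_L3[b2 >> 4]
    sample_rate = SAMPLE_RATES_MPEG1[(b2 >> 2) & 0x03]
    padding = (b2 >> 1) & 0x01
    if bitrate is None or sample_rate is None:
        return None
    # Layer III frame length formula from the MPEG audio frame header spec:
    # 144 * bitrate / sample_rate + padding, truncated to whole bytes.
    return 144 * bitrate * 1000 // sample_rate + padding


def carve_frames(image: bytes):
    """Walk the image byte by byte: copy every byte run that starts with a
    valid header and is the length that header announces, skip everything
    else. This is the generic equivalent of 'select matches, invert, delete'."""
    out = bytearray()
    n_frames = 0
    i = 0
    while i + 4 <= len(image):
        length = frame_length(image[i:i + 4])
        if length is None or i + length > len(image):
            i += 1          # not a frame start (or truncated): drop this byte
            continue
        out += image[i:i + length]
        n_frames += 1
        i += length
    return bytes(out), n_frames


# The exact pattern from the post, applied to raw bytes. re.DOTALL is
# required so '.' also matches 0x0A, which occurs freely in audio data.
POST_REGEX = re.compile(rb"\xff\xfb(\x90.{414}|\x92.{415})", re.DOTALL)


def carve_with_regex(image: bytes) -> bytes:
    """Concatenate all non-overlapping matches of the post's regex."""
    return b"".join(m.group(0) for m in POST_REGEX.finditer(image))


def make_frame(padding: int, fill: int) -> bytes:
    """Constructed test frame: 128 kbps, 44.1 kHz, no CRC, payload of one
    repeated byte (no 0xFF, so the payload cannot look like a sync word)."""
    header = bytes([0xFF, 0xFB, 0x90 | (padding << 1), 0x00])
    return header + bytes([fill]) * (frame_length(header) - 4)


# Constructed image: filesystem junk, two frames, slack space, a third frame.
SAMPLE_IMAGE = (
    b"FAT_DIRECTORY_ENTRY_JUNK"
    + make_frame(0, 0x41)      # 417-byte frame (padding bit clear)
    + make_frame(1, 0x42)      # 418-byte frame (padding bit set)
    + b"\x00" * 64             # slack between frames
    + make_frame(0, 0x43)
    + b"trailing garbage"
)


def recover(image: bytes = SAMPLE_IMAGE):
    """Run both carvers and return (generic_output, frame_count, regex_output)."""
    generic, n_frames = carve_frames(image)
    return generic, n_frames, carve_with_regex(image)


if __name__ == "__main__":
    generic, n_frames, by_regex = recover()
    print(f"{n_frames} frames, {len(generic)} bytes; regex output identical: "
          f"{generic == by_regex}")
```

On the constructed image both carvers return the same 1252 bytes (417 + 418 + 417). The header-decoding version also accepts other bitrates and sample rates without editing the pattern, which is what you would need if the chip held a file encoded at, say, 160 kbps. Like the hex-editor pass, neither version verifies that a frame is followed by another valid sync, so a byte sequence in non-audio data that happens to decode as a header will be kept as one bogus frame; when that matters, check the following frame's sync before accepting a candidate.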

Quinn Shamblin (quinn.shamblin@uc.edu), GCFA Silver #2801, Investigator, University of Cincinnati Information Security

2 Comments

Posted April 13, 2009 at 5:58 AM

hhdsoftware

We are very glad that you have found our product useful.
Anyway if you have any comments or suggestions on product functionality, you are welcome to share it. We will try to implement requested features in future versions.
Thank you.
P.S. By the way we have released version 4.81 on April 8. Here is changelog: http://www.hhdsoftware.com/Products/history/hex-editor.html#481003057

Posted October 23, 2014 at 9:11 PM

Jaunita

Excellent way of describing, and fastidious post to get information regarding my presentation focus, which I am
going to deliver in academy.