SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Does Forensicator Pro include a Hex Editor? and other tool tales

Well, it's been a quiet week at Lake DataBeGone, where all the forensicators are above average, or at least aspire to that. Nothing as exciting as DefCon/BlackHat this week, but we do have a few things....

Good Reads:

  • The new issue of Digital Forensics Magazine is out, and includes not only an article by Rob Lee on what it takes to become a computer forensics pro, as mentioned last week, but also an article on real time network forensics, and a nice survey of law enforcement practices around the world, written by Christa Miller. If you don't subscribe already, you should - go to http://www.digitalforensicsmagazine.com/ and sign up!
  • Selena Ley has a brief overview article on Safari artifacts that should be considered in a forensic analysis. Not exhaustive, but a nice intro.
  • With the increasing size of hard drives, and the continuing backlog of cases, the term "triage" is taking on new importance. Witness the availability of triage tools like Drive Prophet, for instance. As with all tools, it's important to have good criteria for selecting the most appropriate one. DFINews has a nice summary of the parameters used by the US Special Operations Command (USSOCOM) in their recent selection of a triage tool.

Speaking of Tools:

A while back, I saw a tweet that said something like "Commercial tools are great for you guys with budgets, but some of us are still using Sleuthkit and a hex editor!" As an independent with a very small budget, I was curious what particular hex editors my fellow financially challenged forensicators were using. So I sent out a query to the HTCIA list, the GCFA list, and my Twitter followers. Obviously that was not a random sample, but it was good enough for my purposes. I expected there to be a consensus on a couple of predominant favorites, but I was surprised to see a wide diversity. (Interestingly, I got no response from the HTCIA list.)

In my request I promised to summarize as a blog post, and this is a good week for it. The tools mentioned included:

  • 010 Editor - Very nice looking program which includes the capability of writing binary templates that parse file formats, which makes it particularly good for reverse engineering. Windows only, 30 day free trial available, and a home/academic license discount is available.
  • WinHex - the most commonly mentioned tool, but not by much. It's very powerful, and pretty reasonably priced. Windows only; it's also part of the XWays suite of products. One responder noted that it allows good screen shots for presentations.
  • HxD - has both a portable and an installable version. It claims to open files up to 8EB (!) in size and still do it quickly. It also allows editing of disk and RAM. Windows only and free.
  • HexEditor Neo - Again for Windows only, and comes in several versions (and prices to match). It has regex search and the ability to multi-select search hits. This capability was instrumental in a case described in an earlier post on the SANS Forensics Blog.
  • A number of tools are available for Linux as well, of course. Linux tools mentioned included Bless, Hexcurse (ncurses based), and radare, a hugely powerful and scriptable CLI tool.
  • Hex editing capability also exists in other tools. FTK Imager (Windows) is useful for this in some situations. FileInsight (Windows) is free from McAfee labs and is extensible through the use of Python extensions.
  • And lastly, the *nix editor vi (in practice Vim, which ships the xxd utility these commands rely on) can be turned into a hex editor: ":%!xxd" filters the buffer through xxd to produce a hex dump, and ":%!xxd -r" converts it back to binary. Three cautions: open the file with "vim -b" so Vim does not add a trailing newline or alter line endings; make your edits in the hex digits, because xxd -r rebuilds the file from the hex column and ignores the ASCII column on the right; and run ":%!xxd -r" before saving, or you will write the text of the dump over the original bytes. For the heretics in the group, emacs has similar functionality, invoked with the "M-x hexl-mode" command.
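
The Vim commands in the last bullet rely on the xxd utility, and two things about its reverse mode are easy to trip over: "xxd -r" rebuilds the bytes from the hex digits only and ignores the ASCII column on the right, and saving the buffer without running ":%!xxd -r" first writes the text of the dump rather than the bytes. As an added example that is not part of the original post, the POSIX shell script below runs the same dump-and-rebuild round trip non-interactively on a constructed 16-byte file and checks both behaviours. It assumes xxd (installed with Vim), sed, cmp, head, wc and mktemp are on PATH; the sample bytes and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: the round trip behind Vim's
# ":%!xxd" (dump) and ":%!xxd -r" (rebuild), run non-interactively so that the
# behaviour can be checked. Assumes xxd (shipped with Vim), sed, cmp, head, wc
# and mktemp are on PATH. Sample bytes and function names are constructed here.
set -e

# make_sample FILE: write a constructed 16-byte file: a 4-byte "magic" (ABCD),
# four non-printable bytes, then 8 bytes of text. 16 bytes is exactly one xxd line.
make_sample() {
    printf 'ABCD\000\001\002\003payload!' > "$1"
}

# rebuild DUMPFILE OUTFILE: what ":%!xxd -r" does to the buffer.
rebuild() {
    xxd -r "$1" > "$2"
}

# hex_roundtrip FILE: dump and rebuild with no edit in between; prints "same"
# when the rebuilt file is byte-identical to the original.
hex_roundtrip() {
    dump=$(mktemp); out=$(mktemp)
    xxd "$1" > "$dump"
    rebuild "$dump" "$out"
    if cmp -s "$1" "$out"; then echo same; else echo differs; fi
    rm -f "$dump" "$out"
}

# magic_after_ascii_edit FILE: change ABCD to XBCD only in the right-hand ASCII
# column (the hex column reads "4142 4344", so sed cannot match it there),
# rebuild, and print the first four bytes. xxd -r ignores the ASCII column, so
# the edit is silently dropped and the magic is still ABCD.
magic_after_ascii_edit() {
    dump=$(mktemp); out=$(mktemp)
    xxd "$1" | sed 's/ABCD/XBCD/' > "$dump"
    rebuild "$dump" "$out"
    head -c 4 "$out"
    rm -f "$dump" "$out"
}

# magic_after_hex_edit FILE: change the first hex byte 41 ('A') to 58 ('X') in
# the hex column of the first dump line, rebuild, and print the first four bytes.
# This is the edit xxd -r honours, so the magic becomes XBCD.
magic_after_hex_edit() {
    dump=$(mktemp); out=$(mktemp)
    xxd "$1" | sed 's/^\(00000000: \)41/\158/' > "$dump"
    rebuild "$dump" "$out"
    head -c 4 "$out"
    rm -f "$dump" "$out"
}

# dump_saved_as_is FILE: what you get if you ":w" the buffer without running
# ":%!xxd -r" first: the text of the dump, not the bytes. Prints its size in
# bytes, which is far larger than the 16-byte original.
dump_saved_as_is() {
    xxd "$1" | wc -c | tr -d ' '
}

# Demo when run directly.
sample=$(mktemp)
make_sample "$sample"
echo "round trip without edits:       $(hex_roundtrip "$sample")"
echo "magic after ASCII-column edit:  $(magic_after_ascii_edit "$sample")"
echo "magic after hex-column edit:    $(magic_after_hex_edit "$sample")"
echo "bytes written if saved as dump: $(dump_saved_as_is "$sample") (original: 16)"
rm -f "$sample"
```

Run it with sh; the sample lives in temp files, so nothing else on disk is touched. The practical rule for using Vim this way on evidence is the same one the script checks: edit the hex digits, convert back with ":%!xxd -r" before writing, and then cmp or hash the result against a known-good copy before relying on it.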

So it appears that not all hex editors will fill every need, and as with other categories of tools, it's a good idea to have a variety in your armamentarium, at least until Forensicator Pro comes along with the Big Red Button. Fortunately there is a wide variety available!

News:

  • Guidance, the maker of EnCase, has announced a partnership with Lofty Perch to provide security protection for SCADA systems.

Coming Events:

Digital Forensics Case Leads for 20100813 was compiled by G W Ray Davidson, PhD, CISSP, GCIA, GCFA, ETC, assistant professor at Purdue Calumet, SANS Mentor and serial facilitator, and principal at Vigil Inc.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please send it to caseleads@sans.org.

Editor's note: Digital Forensics Magazine has provided Case Leads contributors with complimentary access to the magazine for the purposes of this and future content reviews.

3 Comments

Posted August 14, 2010 at 2:15 AM

Christa M. Miller

Ray, thanks for the mention. That was a fun article to write and also an eye-opener thanks to my great co-authors!
Curious as to why you think the HTCIA listserv members didn't respond. Do you think there are few independents, and the remainder of financially challenged practitioners (law enforcement) have access to free tools? Or other factors?

Posted August 14, 2010 at 11:57 PM

raydavidson

Hi Christa,
I didn't get any response at all, not even to explain why people couldn't say anything. I expect it's a combination of things, including the ones you mentioned. Also, as you know HTCIA is not open to just anyone, and there have been concerns raised about information being shared outside the group. This particular question doesn't seem like it would be problematic, but that might also have something to do with it. Wonder if there's anyone that can help with that situation? :)

Posted August 16, 2010 at 7:33 AM

Stuart Bird

I noticed under the WinHex entry that you mentioned that it was only available for Windows. This is correct to a point; however, WinHex actually performs very well under WINE on a variety of Linux operating systems. I have used it under Debian, Ubuntu, Slackware and Gentoo over the years.