SANS Digital Forensics and Incident Response Blog: Tag - hex editor

Digital Forensics Case Leads: Does Forensicator Pro include a Hex Editor? and other tool tales

Well, it's been a quiet week at Lake DataBeGone, where all the forensicators are above average, or at least aspire to that. Nothing as exciting as DefCon/BlackHat this week, but we do have a few things....

Good Reads:

  • The new issue of Digital Forensics Magazine is out, and includes not only an article by Rob Lee on what it takes to become a computer forensics pro, as mentioned last week, but also an article on real time network forensics, and a nice survey of law enforcement practices around the world, written by Christa Miller. If you don't subscribe already, you should - go to and sign up!
  • Selena Ley has a brief overview article on Safari artifacts that should be consideredin


Data recovery with Hex Editor and RegEx

by Quinn Shamblin

In my previous postabout recovering mp3 data from a corrupted chip, I describe a data recovery challenge that I could not solve using FTK, Foremost or Lazarus. It turned out that Regular Expressionswere my answer. But how best to run regex-based data extractionagainst a forensic image when there might be hundreds of thousands, if not millions, of individual matching frames?

Hex Editor Neowas exactly what I needed. It has a few unique features that really


Recovery of MP3s using regular expressions

by Quinn Shamblin

I was recently asked to recover audio MP3 from a corrupted memory chip.

The audio was recorded using a special-purpose audio recording machine configured to record in MP3 format in stereo 44.1KHz at 128kbps.

audio_editorThere are several tools and approaches that are sometimes helpful in automated data recovery. I tried Access Data's FTK, Foremost and Lazarus, but none of these worked in this case, so I needed a different approach.

An MP3 file is simply a sequential series of "frames", 417-418 bytes in length, that each have their own header that tells the MP3 player how to play that particular frame. If you carve out any single MP3 frame and save the result with a .mp3