WinHex: Disk Editor, RAM Editor
Presented by: Omar Zyadat and Loai Hattar

Supervised by: Dr. Lo'ai Tawalbeh, New York Institute of Technology (NYIT) - Jordan

X-Ways Software Technology AG
- is a stock corporation incorporated under the laws of the Federal Republic of Germany.
- WinHex was first released in 1995.

WinHex
- the technical core of X-Ways Forensics (a powerful data recovery and forensics tool)
- is an advanced binary editor that provides access to all files, clusters, sectors, bytes, and bits inside your computer.

WinHex
- It supports virtually unlimited file and disk sizes, up to the terabyte region (thousands of gigabytes). Memory usage is minimal. Speed of access is top-notch.

What is WinHex and what's it going to cost?
- WinHex is a powerful application that you can use as

- an advanced hex editor,

WinHex
- a tool for data analysis, editing, and recovery

Data analysis
- The following slides demonstrate how you can recognize the type of unknown data, e.g. in recovered files without their real name, or when examining hard disk sectors, by sole use of visual representations.
- Using the data analysis feature of WinHex, you will note that certain file types have their characteristic byte value distribution, by which they can be identified.
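As an added example (Python written for this page, not code from WinHex or from the original slides), the byte-value-distribution idea can be made concrete: tabulate the distribution of an unknown blob, derive its entropy and the share of printable characters, and combine that with a small magic-number table. The signature table, the thresholds (0.95 printable, 7.5 bits of entropy) and the sample inputs are constructed for illustration and are not WinHex's own file-type definitions.

```python
import math
from collections import Counter

# Constructed signature table for illustration; WinHex ships its own file-type
# definitions, which this does not reproduce.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/JAR/APK)",
    b"\x7fELF": "ELF executable",
    b"MZ": "DOS/Windows executable",
    b"GIF8": "GIF image",
}


def byte_stats(data: bytes) -> dict:
    """Summarise the byte-value distribution of an unknown blob."""
    n = len(data)
    if n == 0:
        return {"length": 0, "entropy_bits": 0.0, "printable_ratio": 0.0,
                "zero_ratio": 0.0, "distinct_values": 0}
    counts = Counter(data)
    # Shannon entropy in bits per byte: 0 for a constant run, 8.0 for a
    # perfectly uniform distribution (typical of compressed or encrypted data).
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    printable = sum(c for b, c in counts.items()
                    if 32 <= b < 127 or b in (9, 10, 13))
    return {
        "length": n,
        "entropy_bits": round(entropy, 3),
        "printable_ratio": round(printable / n, 3),
        "zero_ratio": round(counts.get(0, 0) / n, 3),
        "distinct_values": len(counts),
    }


def identify(data: bytes) -> str:
    """Name the data: a known magic number first, then the distribution shape."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    s = byte_stats(data)
    if s["printable_ratio"] > 0.95:
        return "plain text"
    if s["entropy_bits"] > 7.5:
        return "compressed or encrypted data"
    return "other binary (structured or sparse)"


if __name__ == "__main__":
    # Constructed samples standing in for recovered files without a name.
    samples = {
        "notes.bin": b"Meeting moved to Thursday.\r\n" * 40,
        "blob1.bin": bytes(range(256)) * 4,              # uniform: looks encrypted
        "blob2.bin": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "blob3.bin": b"\x00" * 400 + b"\x01\x02" * 20,   # sparse structure
    }
    for name, data in samples.items():
        print(f"{name:10s} {identify(data):35s} {byte_stats(data)}")
```

A magic number is checked first because it is decisive; the distribution features only matter for headerless data such as a run of sectors, where a near-8.0 entropy says "compressed or encrypted" and a high printable share says "text", exactly the visual cue the slide describes.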

WinHex
- a data wiping tool,

WinHex
- a forensics tool used for evidence gathering.

WinHex offers the ability to:
- Read and directly edit hard drives (FAT and NTFS), floppy disks, CD-ROMs, DVDs, Compact Flash cards, and other media.
- Read and directly edit RAM.
- Interpret 20 data types.

WinHex
- Edit partition tables, boot sectors, and other data structures using templates.
- Join and split files.
- Analyze and compare files.
- Search and replace.

Cont.
- Clone and image drives.
- Recover data.
- Encrypt files (128-bit strength).
- Create hashes and checksums.

Cont.
- Wipe drives.
- Delete files irreversibly (e.g. files with confidential contents).
- Random-number generator
- much more

Differences between WinHex and X-Ways Forensics
- In X-Ways Forensics, disks, interpreted image files, virtual memory, and physical RAM are strictly opened in view mode (read-only) only, to enforce forensic procedures, where no evidence must be altered in the slightest.
- This strict write protection of X-Ways Forensics ensures that no original evidence can possibly be altered accidentally, which can be a crucial aspect in court proceedings.
- Only when not bound by strict forensic procedures and/or when in need to work more aggressively on disks or images (e.g. you have to repair a boot sector) would you run WinHex instead.

Technical Background
- A hex editor is capable of displaying the complete contents of any file type.
- A hex editor even displays control codes (e.g. linefeed and carriage-return characters) and executable code, using a two-digit number based on the hexadecimal system.
- Consider one byte to be a sequence of 8 bits. Each bit is either 0 or 1, i.e. it assumes one of two possible states. Therefore one byte can have one of 2·2·2·2·2·2·2·2 = 2^8 = 256 different values.
- Since 256 is the square of 16 (16^2 = 256), a byte value can be written as a two-digit number in the hexadecimal system, where each digit represents a tetrade or nibble of a byte, i.e. 4 bits.
- The sixteen digits used in the hexadecimal system are 0-9, A-F.

Technical specifications
- Maximum number of windows: 1000 (WinNT/2000), 500 (Win9x/Me)
- Maximum disk & file size: ≈2000 GB
- Maximum number of parallel program instances: 99
- Maximum number of positions: limited by RAM only
- Maximum number of reversible keyboard inputs: 65535
- Encryption depth: 128 bit
- Digest length in bits: 128/256 bit
- Character sets supported: ANSI ASCII, IBM ASCII, EBCDIC, Unicode (limited)
- Offset presentation: hexadecimal/decimal

WinHex sessions
- begin with a Start Center

- WinHex remembers the last editing position of previous files and the state of the last session, and it allows you to open the entire previous session by clicking Continue Last Session in the Start Center's Projects window.
- You can also open projects and launch scripts (a script editor is enabled in the Professional and Specialist versions).
- WinHex can open files as editable or as read-only.
- Edited data is stored in a temporary file until saved, at which time your changes are committed.
- There is also an in-place Edit mode in which all changes are made directly, in real time (the default when editing RAM). You can choose the Edit mode from the Open File dialog. When you open an entire disk or partition, the default mode is Edit, so for evidence media select read-only explicitly rather than relying on the default.
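The slides above list "clone and image drives" and "create hashes and checksums" as features and stress that evidence must not be altered. As an added example (Python written for this page, not WinHex or X-Ways code), the following shows the acquisition discipline those three points add up to: open the source read-only, copy it in fixed-size blocks while hashing the bytes read, then hash the finished image independently so a copy error or later tampering shows up as a mismatch. The "drive" is a constructed temporary file; the device paths in the comments are examples of what a real source would be.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB blocks: memory use stays flat for terabyte sources


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_drive(source: str, image: str) -> dict:
    """Raw (dd-style) copy of `source` into `image`, hashing the bytes as they
    are read, then hashing the written image independently.

    `source` is opened read-only ("rb"), so the evidence is never opened for
    writing. A real source would be a raw device, e.g. (administrator rights
    needed on Windows, root on Linux):
        Windows: r"\\.\PhysicalDrive0"      Linux: "/dev/sdb"
    """
    read_hash = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            read_hash.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    image_hash = sha256_of_file(image)
    return {
        "bytes": total,
        "source_sha256": read_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": read_hash.hexdigest() == image_hash,
    }


def demo() -> dict:
    """Image a constructed 3 MiB + 17 byte 'drive' (a temp file standing in for a
    device), then flip one byte of the image and check that re-hashing catches it."""
    payload = bytes(range(256)) * (3 * 4096) + b"trailing sector!!"   # constructed data
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.raw")
        img = os.path.join(tmp, "evidence.img")
        with open(src, "wb") as f:
            f.write(payload)
        result = image_drive(src, img)
        result["matches_expected"] = (
            result["source_sha256"] == hashlib.sha256(payload).hexdigest())
        with open(img, "r+b") as f:          # tamper with the image, not the source
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        result["tamper_detected"] = sha256_of_file(img) != result["source_sha256"]
    return result


if __name__ == "__main__":
    print(demo())
```

Record the source hash at acquisition time; any later verification of the image (or of a copy handed to another examiner) compares against that value, which is the same role WinHex's hash and checksum functions play.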

Disk Editor
- The disk editor, part of the Tools menu, allows you to access floppy and hard disks below the file-system level.
- Disks consist of sectors (commonly units of 512 bytes). You may access a disk either logically (i.e. through the volume as the operating system presents it) or physically (bypassing the file system: via the BIOS under Windows 9x, via the raw physical-drive device under Windows NT and later). You can even access CD-ROM and DVD media.

Editing disks and other media
- Opening a logical drive means opening a contiguous formatted part of a disk (a partition) that is accessible under Windows as a drive letter. It is also called a "volume". WinHex relies on Windows being able to access the drive.
- Opening a physical disk means opening the entire medium as it is attached to the computer, e.g. a hard disk including all partitions. It could also be called the "raw device". The disk normally does not need to be properly formatted in order to open it that way.
- Usually it is preferable to open a logical drive instead of a physical disk: you can view the file system and access partition boot sectors and file allocation tables. With the Professional license, you can also view free space and slack space.
- Only if you need to edit sectors outside a logical drive (e.g. the master boot record) would you open the physical disk instead.
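The logical/physical distinction above comes down to an offset translation: byte 0 of volume C: is byte (start LBA × 512) of the physical disk, and the start LBA comes from the partition table in the MBR. As an added example (Python written for this page, not WinHex's template or code), the following parses the four classic MBR partition entries at offset 0x1BE, checks the 0x55AA signature, and maps a logical offset to its physical position. The disk image is constructed in the block (one type-0x07 partition at LBA 2048 with an NTFS OEM ID in its boot sector); GPT disks and extended partitions are outside this example.

```python
import struct

SECTOR = 512
MBR_TABLE = 0x1BE          # first of four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty primary partition entries of a classic MBR.

    Each entry: status byte, CHS start (3 bytes, ignored here), type byte,
    CHS end (3 bytes, ignored), 32-bit LBA of the first sector, 32-bit
    sector count, all little-endian.
    """
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA signature at offset 510: not an MBR")
    parts = []
    for i in range(4):
        raw = sector[MBR_TABLE + 16 * i: MBR_TABLE + 16 * (i + 1)]
        status, ptype, lba_start, n_sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00:
            continue                      # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                # e.g. 0x07 = NTFS/exFAT, 0x0C = FAT32 (LBA)
            "lba_start": lba_start,
            "sectors": n_sectors,
            # Where the volume's sector 0 (its boot sector) lies on the physical
            # disk: the position of the "partition C: accessed physically" view.
            "physical_offset": lba_start * SECTOR,
        })
    return parts


def logical_to_physical(part: dict, logical_offset: int) -> int:
    """Offset inside a logical drive -> offset of the same byte on the physical disk."""
    if not 0 <= logical_offset < part["sectors"] * SECTOR:
        raise ValueError("offset lies outside the partition")
    return part["physical_offset"] + logical_offset


def build_sample_disk() -> bytes:
    """Constructed disk image (not a real disk): an MBR with one bootable
    type-0x07 partition of 8 sectors at LBA 2048, whose boot sector starts
    with the NTFS jump and OEM ID."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 8)
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x33\xC0\x8E\xD0"                   # typical first MBR opcodes
    mbr[MBR_TABLE:MBR_TABLE + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    disk = mbr + bytearray(SECTOR * (2048 + 8 - 1))
    vol0 = 2048 * SECTOR
    disk[vol0:vol0 + 11] = b"\xEB\x52\x90NTFS    "   # jmp + "NTFS    " OEM ID
    return bytes(disk)


if __name__ == "__main__":
    disk = build_sample_disk()
    part = parse_mbr(disk[:SECTOR])[0]
    p0 = logical_to_physical(part, 0)
    print("physical offset 0 (MBR):        ", disk[:16].hex(" "))
    print(f"logical offset 0 of the volume is physical offset {p0}:")
    print("                                ", disk[p0:p0 + 16].hex(" "))
```

The three screenshots that follow correspond to `disk[:16]` (the disk accessed physically), `disk[p0:p0+16]` (the partition accessed physically) and the same bytes read through the volume, where they appear at offset 0.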

These three data displays demonstrate the difference in addressing and in accessing data when logically and physically accessing a drive:
(Screenshot: the first 16 bytes of C:\ accessed logically)
(Screenshot: the first 16 bytes of the hard drive accessed physically)
(Screenshot: the first 16 bytes of partition C: accessed physically)

Please note the following limitations:
- Under Windows NT and its successors, administrator rights are needed to access hard disks.
- Under Windows 9x, certain requirements must be met to access CD-ROM and DVD media.
- Replace functions are not available.
- WinHex cannot write to CD-ROM or DVD.
- The disk editor cannot operate on remote (network) drives.

Edit free space on drive (Windows 95/98/Me)
- It is possible to edit the currently unused space on a logical drive. WinHex creates a file which uses the complete free space on the selected drive. You can edit this file in in-place mode.
- The integrity of data in the used parts of the drive cannot be affected hereby.
- You can use this function to recover unintentionally deleted data which has not yet been overwritten by new files. Search for the data, mark it as the current block and copy it.
- Of course, data that has been deleted by WinHex using the Wipe Securely command cannot be found in unused parts of a drive any more.

Save Sectors
- Analogous to the Save command for files. Part of the File menu. Writes all modifications to the disk. Please note that, depending on your changes, this may severely damage the integrity of the disk data.
- If the corresponding undo option is enabled, a backup of the affected sectors is created before they are overwritten.

Disk tools
- They provide the following:

- The ability to browse the directory structure
- List file clusters
- Clone a disk

Other tools and options available for working with disks

Specialist Tools
- Specialist tools include the ability to:
- Gather free space
- Gather slack space
- Gather text for analysis.

Specialist Tools (cont.)
- Gather Slack Space
- Collects the unused bytes in the last cluster at the end of each allocation chain
- Separates the output slack areas with a line break and the original cluster number
- Works with FAT12, FAT16, FAT32, NTFS, Ext2, and Ext3 partitions
- Can't access the slack of files that are compressed or encrypted at the file-system level

Specialist Tools (cont.)
- Search for different keywords.
- Create an index for the drive.
- Create a table of Bates numbers (a format used by lawyers for referencing evidence).
- Highlight Free/Slack Space for easy identification (FAT, NTFS).

Gather Slack Space
- Collects slack space (the unused bytes in the respective last clusters of all cluster chains, beyond the actual end of a file) in a destination file.
- Each occurrence of slack space is preceded by line break characters and the cluster number where it was found (as ASCII text).
- Otherwise similar to Gather Free Space. WinHex cannot access slack space of files that are compressed or encrypted at the file system level.
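Why slack is worth gathering: the last cluster of a file is allocated whole, but only the bytes up to the file's length are overwritten, so whatever a previously deleted file left in the rest of that cluster survives. As an added example (Python written for this page, not WinHex code), the following computes the slack region of each file from its size and cluster size and collects the runs in the layout the two Gather Slack Space slides describe (line break, cluster number in ASCII, slack bytes). The volume, the cluster chains and the output separators are constructed for illustration; a real implementation would read the chains from the FAT or the NTFS $MFT.

```python
CLUSTER = 4096   # bytes per cluster; 4 KiB is the NTFS default for most volume sizes


def slack_region(file_size: int, cluster_size: int = CLUSTER) -> tuple:
    """(offset inside the last cluster, length) of a file's slack.

    A file that ends exactly on a cluster boundary (or is empty) has none.
    """
    used = file_size % cluster_size
    if file_size == 0 or used == 0:
        return (cluster_size, 0)
    return (used, cluster_size - used)


def gather_slack(volume: bytes, files: list, cluster_size: int = CLUSTER) -> bytes:
    """Collect every file's slack into one blob.

    `files` is a list of (cluster_chain, file_size). Each slack run is
    preceded by a line break and the cluster number in ASCII; this follows
    the layout the slide describes without claiming WinHex's exact bytes.
    """
    out = bytearray()
    for chain, size in files:
        off, length = slack_region(size, cluster_size)
        if length == 0:
            continue
        last = chain[-1]
        start = last * cluster_size + off
        out += b"\r\n" + str(last).encode("ascii") + b"\r\n"
        out += volume[start:start + length]
    return bytes(out)


def demo() -> bytes:
    """Constructed 8-cluster volume: every cluster once held an old file that
    was deleted; a new 5000-byte file is then written over clusters 2-3 and a
    4096-byte file fills cluster 5. Only the first leaves slack, and that
    slack still contains the old file's bytes."""
    volume = bytearray((b"OLD SECRET DATA!" * (CLUSTER // 16)) * 8)
    new_a = b"N" * 5000                      # one full cluster + 904 bytes
    new_b = b"B" * CLUSTER                   # exactly one cluster: no slack
    volume[2 * CLUSTER: 2 * CLUSTER + 5000] = new_a
    volume[5 * CLUSTER: 6 * CLUSTER] = new_b
    files = [([2, 3], len(new_a)), ([5], len(new_b))]
    return gather_slack(bytes(volume), files)


if __name__ == "__main__":
    blob = demo()
    print(len(blob), "bytes gathered")
    print(blob[:48])
```

The compressed/encrypted limitation on the slide follows from the same arithmetic: when the file system stores compressed or encrypted units, the mapping from file length to "unused bytes in the last cluster" no longer holds, so there is no slack region to address.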

Additional Features
- One last feature is worthy of note, because it pertains to the opposite of data recovery.
- The File Manager | Wipe Securely option goes beyond many file shredder tools.
- When applied to a file, according to WinHex, "Even professional attempts to restore the file will be futile."
- Wipe Securely does not just overwrite a file several times with zeros or other characters. The file is also reduced to zero length and then deleted.

Disk Analysis
- Media Details Report
- Partition Details
- HPAs are detected (Forensic)
- Gather Free Space: free space (unallocated clusters) in the currently open logical drive is saved to a file.
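As an added example (Python written for this page, not WinHex code), the three-step sequence the slide attributes to Wipe Securely, overwrite in place several times, truncate to zero length, delete, looks like this. The file is a constructed temporary file. One caveat a practitioner should keep in mind, and which the slide does not state: in-place overwriting only reaches the blocks the file currently occupies, so copies left by journaling or copy-on-write file systems, volume snapshots, SSD wear levelling or file-system compression are not touched, and the file's name can survive in directory or MFT records after the data is gone.

```python
import os
import tempfile


def wipe_securely(path: str, passes: int = 3, block: int = 1 << 16) -> dict:
    """Overwrite a file in place several times, shrink it to zero length,
    then delete it: the sequence the slide attributes to Wipe Securely."""
    size = os.path.getsize(path)
    patterns = (b"\x00", b"\xff", None)           # None = fresh random bytes
    # "r+b" rewrites the existing allocation; "wb" would truncate first and
    # might be given different blocks, leaving the old ones untouched.
    with open(path, "r+b") as f:
        for p in range(passes):
            pat = patterns[p % len(patterns)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block, remaining)
                f.write(os.urandom(n) if pat is None else pat * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())                  # force each pass to the medium
        f.truncate(0)                             # hide the original length too
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return {"bytes_overwritten": size, "passes": passes,
            "still_exists": os.path.exists(path)}


def demo() -> dict:
    """Create a constructed 12345-byte file in a temp dir and wipe it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "confidential.txt")
        with open(target, "wb") as f:
            f.write(b"account 4111-1111-1111-1111\n" * 440 + b"x" * 25)
        return wipe_securely(target)


if __name__ == "__main__":
    print(demo())
```

Because of the caveats above, for media rather than single files the "Wipe drives" function (overwriting the whole device) is the stronger guarantee, and for flash storage a firmware secure-erase is stronger still.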

Caution: Using a disk editor can be fatal
- Changing values other than text strings can ruin an executable (program) file. Directly editing a drive or RAM can damage the drive's integrity.
- When editing an executable file, DLL, or other program file, always work on a copy. Save the original in case the program file needs to be restored.
- Never change the length of an executable file or its instructions and data unless you're absolutely certain of the result. Otherwise, doing so will cause the code to miss instructions and probably corrupt the file to the point that it will no longer work.

Caution: Using a disk editor can be fatal (cont.)
- Fortunately, WinHex provides 25 undo levels, so in most cases it's possible to revert your modifications.
- The status bar also shows the file's State (Original/Modified) and undo levels.
- The Data Interpreter, at the bottom of the status bar, translates hex values at the insertion point into decimal equivalents, based on the data types you choose. The default types are 8-, 16-, and 32-bit signed.
- Double-click the Data Interpreter to open a menu of additional options, which include displaying Assembly Language codes, date formats, and different integer types, as shown.
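As an added example (Python written for this page, not WinHex code), the following shows what the hex view from the Technical Background slides and the Data Interpreter described above actually compute: a classic offset / hex / ASCII dump in which control codes appear as two hex digits, and a decoder that reads the bytes at the cursor as the default 8-, 16- and 32-bit signed types plus a few of the extra types the menu offers (unsigned, 64-bit and a Windows FILETIME date). The 16-byte sample is constructed; the FILETIME constant in it is the Unix epoch, and byte order defaults to little-endian as on x86.

```python
import struct
from datetime import datetime, timedelta, timezone


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Hex-editor view: offset, two hex digits per byte, ASCII column with
    control codes and non-printables shown as '.'."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + i:08X}  {hexpart}  {text}")
    return "\n".join(lines)


def filetime_to_iso(ft: int) -> str:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()


def interpret(data: bytes, offset: int, little_endian: bool = True) -> dict:
    """Decode the bytes at the cursor like the Data Interpreter: the default
    8/16/32-bit signed types, then unsigned 32-bit, 64-bit and FILETIME.
    Types that would run past the end of the data are simply omitted."""
    e = "<" if little_endian else ">"
    out = {}
    for name, fmt in (("int8", "b"), ("int16", "h"), ("int32", "i"),
                      ("uint32", "I"), ("int64", "q"), ("uint64", "Q")):
        n = struct.calcsize(fmt)
        if offset + n <= len(data):
            out[name] = struct.unpack(e + fmt, data[offset:offset + n])[0]
    if "uint64" in out:
        try:
            out["filetime"] = filetime_to_iso(out["uint64"])
        except OverflowError:                 # far beyond year 9999: not a date
            out["filetime"] = "not a plausible FILETIME"
    return out


# Constructed sample: a signed-edge 32-bit value, the Unix epoch as FILETIME,
# and the "MZ" header bytes of a DOS/Windows executable.
SAMPLE = bytes.fromhex("FEFF0080") + struct.pack("<Q", 116444736000000000) + b"MZ\x90\x00"


if __name__ == "__main__":
    print(hexdump(SAMPLE))
    for cursor in (0, 4, 12):
        print(f"cursor at 0x{cursor:02X}:", interpret(SAMPLE, cursor))
```

The same four bytes read as -2147418114 signed and 2147549182 unsigned: the Data Interpreter only shows the types you select, so the choice of type (and of byte order) is part of reading the value correctly.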

RAM Editor
- For debugging purposes (programming), for examining/manipulating any running program, and in particular computer games (cheating).
- The RAM editor allows you to examine the physical RAM/main memory (under Windows 2000/XP) and the virtual memory of a process (i.e. a program that is being executed).
- All memory pages committed by a process are presented in a continuous block.

RAM Editor (cont.)
- The primary memory is used by programs for nearly all purposes. Usually it also contains the main module of a process (the EXE file), the stack, and the heap.
- The "entire memory" contains the whole virtual memory of a process including the part of memory that is shared among all processes, except system modules.

RAM Editor (cont.)
- Under Windows 95/98/Me, system modules are listed optionally in the process tree.
- System modules are defined as modules that are loaded above the 2 GB barrier (such as kernel32.dll, gdi32.dll). They are shared among all running processes.

Please note the following limitations:
- Caution: Only keyboard input can be undone!
- Virtual memory of 16-bit processes is partially accessible under Windows 95/98/Me only.
- Editing is possible in in-place mode only.
- System modules of Windows 95/98/Me can only be examined in view mode, not manipulated.
- The options relevant for the RAM editor are "Check for virtual memory alteration" and "Virtual Addresses".

Questions

References
- http://articles.techrepublic.com.com/5100-6349-5090471.html
- WinHex manual