Disk Editor, RAM Editor

Total Page:16

File Type:pdf, Size:1020Kb

WinHex: Disk Editor, RAM Editor
Presented by: Omar Zyadat and Loai Hattar
Supervised by: Dr. Lo'ai Tawalbeh
New York Institute of Technology (NYIT) - Jordan

X-Ways Software Technology AG
- X-Ways Software Technology AG is a stock corporation incorporated under the laws of the Federal Republic of Germany.
- WinHex was first released in 1995.

WinHex
- WinHex, the technical core of X-Ways Forensics (a powerful data recovery and forensics tool), is an advanced binary editor that provides access to all files, clusters, sectors, bytes, and bits inside your computer.
- It supports virtually unlimited file and disk sizes, up to the terabyte region (thousands of gigabytes). Memory usage is minimal. Speed of access is top-notch.

What is WinHex and what's it going to cost?
- WinHex is a powerful application that you can use as:
  - an advanced hex editor,
  - a tool for data analysis, editing, and recovery,

Data analysis
- The following slides demonstrate how you can recognize the type of unknown data, e.g. in recovered files without their real name, or when examining hard disk sectors, by sole use of visual representations.
- Using the data analysis feature of WinHex, you will note that certain file types have their characteristic byte value distribution, by which they can be identified.

WinHex (cont.)
  - a data wiping tool,
  - a forensics tool used for evidence gathering.

WinHex offers the ability to:
- Read and directly edit hard drives (FAT and NTFS), floppy disks, CD-ROMs, DVDs, Compact Flash cards, and other media.
- Read and directly edit RAM.
- Interpret 20 data types.
- Edit partition tables, boot sectors, and other data structures using templates.
- Join and split files.
- Analyze and compare files.
- Search and replace.
- Clone and image drives.
- Recover data.
- Encrypt files (128-bit strength).
- Create hashes and checksums.
- Wipe drives.
- Delete files irreversibly (e.g. files with confidential contents).
- Random-number generator, and much more.

Differences between WinHex and X-Ways Forensics
- In X-Ways Forensics, disks, interpreted image files, virtual memory, and physical RAM are strictly opened in view mode (read-only) only, to enforce forensic procedures, where no evidence must be altered in the slightest.
- This strict write protection of X-Ways Forensics ensures that no original evidence can possibly be altered accidentally, which can be a crucial aspect in court proceedings.
- Only when not bound by strict forensic procedures and/or when you need to work more aggressively on disks or images (e.g. you have to repair a boot sector) would you run WinHex instead.

Technical Background
- A hex editor is capable of completely displaying the contents of each file type.
- A hex editor even displays control codes (e.g. linefeed and carriage-return characters) and executable code, using a two-digit number based on the hexadecimal system.
- Consider one byte to be a sequence of 8 bits. Each bit is either 0 or 1, i.e. it assumes one of two possible states. Therefore one byte can have one of 2·2·2·2·2·2·2·2 = 2^8 = 256 different values.
- Since 256 is the square of 16, a byte value can be defined by a two-digit number based on the hexadecimal system, where each digit represents a tetrade or nibble of a byte, i.e. 4 bits.
- The sixteen digits used in the hexadecimal system are 0-9, A-F.

Technical specifications
- Maximum number of windows: 1000 (WinNT/2000), 500 (Win9x/Me)
- Maximum disk & file size: ≈2000 GB
- Maximum number of parallel program instances: 99
- Maximum number of positions: limited by RAM only
- Maximum number of reversible keyboard inputs: 65535
- Encryption depth: 128 bit
- Digest length in backups: 128/256 bit
- Character sets supported: ANSI ASCII, IBM ASCII, EBCDIC, Unicode (limited)
- Offset presentation: hexadecimal/decimal

WinHex sessions
- WinHex sessions begin with a Start Center.
- WinHex remembers the last editing position of previous files and the state of the last session, and it allows you to open the entire previous session by clicking Continue Last Session from the Start Center's Projects window.
- You can also open projects and launch scripts (a script editor is enabled in the Professional and Specialist versions).
- WinHex can open files as editable or as read-only.
- Edited data is stored in a temporary file until saved, at which time your changes are committed.
- There is also an in-place Edit mode in which all changes are made directly in real time (the default when editing RAM). You can choose the Edit mode from the Open File dialog. When you open an entire disk or partition, the default mode is Edit.

Disk Editor
- The disk editor, which is part of the Tools menu, allows you to access floppy and hard disks below the file-system level.
- Disks consist of sectors (commonly units of 512 bytes). You may access a disk either logically (i.e. controlled by the operating system) or physically (controlled by the BIOS). You can even access CD-ROM and DVD media.

Editing disks and other media
- Opening a logical drive means opening a contiguous formatted part of a disk (a partition) that is accessible under Windows as a drive letter. It is also called a "volume". WinHex relies on Windows being able to access the drive.
- Opening a physical disk means opening the entire medium as it is attached to the computer, e.g. a hard disk including all partitions. It could also be called the "raw device". The disk normally does not need to be properly formatted in order to open it that way.
- Usually it is preferable to open a logical drive instead of a physical disk.
- You can view the file system and access partition boot sectors and file allocation tables. With the Professional license, you can also view free space and slack space.
- Only if you need to edit sectors outside a logical drive (e.g. the master boot record) would you open the physical disk instead.
- These three data displays demonstrate the difference in addressing and in accessing data when logically
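The Data analysis and Technical Background slides describe two things a hex editor gives you: every byte shown as two hex digits (one per nibble), and a byte-value distribution by which unknown data can be recognised without a file name. The following Python script is an added example written for this page; it is not code from the slides or from X-Ways. The hex-dump layout, the sample inputs and the classification thresholds (90% zeros, 95% printable, entropy above 7.5 bits) are this example's own choices, constructed to illustrate the idea.

```python
"""Byte-value distribution analysis in the spirit of a hex editor's data-analysis view.
Added example for this page; sample inputs are constructed here, not taken from any disk."""
import math
import random
import struct


def hex_dump(data: bytes, width: int = 16) -> str:
    """Render bytes the way a hex editor does: offset, two hex digits per byte
    (high nibble then low nibble) and an ASCII column where control codes show as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08X}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return "\n".join(lines)


def byte_distribution(data: bytes) -> list:
    """Histogram over the 256 possible byte values (2^8, two hex digits)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in byte_distribution(data) if c)


def classify(data: bytes) -> str:
    """Coarse category from the distribution alone, no name or header needed.
    Thresholds are this example's own choices, not values from the slides."""
    if not data:
        return "empty"
    n = len(data)
    counts = byte_distribution(data)
    printable = sum(counts[b] for b in range(0x20, 0x7F))
    printable += counts[0x09] + counts[0x0A] + counts[0x0D]  # tab, LF, CR count as text
    if counts[0] / n > 0.90:
        return "mostly zero (unallocated or sparse)"
    if printable / n > 0.95:
        return "plain text"
    if shannon_entropy(data) > 7.5:
        return "high entropy (compressed or encrypted)"
    return "binary (structured)"


# Constructed sample inputs, one per category the classifier knows about.
SAMPLES = {
    "text": b"The quick brown fox jumps over the lazy dog.\n" * 20,
    "zeros": bytes(4096),
    # Deterministic pseudo-random bytes stand in for compressed/encrypted content.
    "random": random.Random(1234).randbytes(4096),
    # Little-endian records with lots of padding mimic a structured binary format.
    "struct": b"".join(struct.pack("<IHH", i, i % 7, 0) for i in range(512)),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:>7}: entropy={shannon_entropy(blob):.2f} bits -> {classify(blob)}")
    print(hex_dump(SAMPLES["struct"][:32]))
```

The entropy check is the useful part for a forensic triage pass, but note its limit: a block of structured data that happens to use all 256 byte values evenly also scores near 8 bits, so high entropy is a hint to look closer, not proof of encryption.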
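The Disk Editor slides distinguish a logical drive (a volume, addressed from its own boot sector) from the physical disk (the raw device, addressed from the master boot record at sector 0). The following Python script is an added example written for this page, not code from the slides or from X-Ways: it builds a constructed 512-byte MBR with two partition entries, parses the partition table, and converts between logical and physical sector numbers. The partition layout (NTFS starting at LBA 2048, FAT32 starting at LBA 206848) is invented for the example; the MBR field offsets, the 55 AA signature and the type IDs 0x07 and 0x0C are standard.

```python
"""Logical vs. physical sector addressing on an MBR-partitioned disk.
Added example for this page; the sector-0 image is constructed here, not read from a device."""
import struct

SECTOR_SIZE = 512          # the common sector size mentioned on the slides
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446         # partition table begins after the boot code


def build_sample_mbr() -> bytes:
    """Construct a minimal MBR: 446 bytes of (empty) boot code, two primary
    partitions, two empty slots and the 55 AA signature. Sample data only."""
    entry1 = struct.pack(ENTRY_FMT, 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)    # NTFS, bootable
    entry2 = struct.pack(ENTRY_FMT, 0x00, bytes(3), 0x0C, bytes(3), 206848, 409600)  # FAT32 (LBA)
    return bytes(TABLE_OFFSET) + entry1 + entry2 + bytes(16) + bytes(16) + b"\x55\xAA"


def parse_mbr(sector0: bytes) -> list:
    """Parse the four 16-byte partition entries of physical sector 0.
    Read-only: nothing here writes back, matching a view-mode workflow."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: 55 AA signature missing")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts


def logical_to_physical(parts: list, part_index: int, logical_sector: int) -> int:
    """Sector N of a logical drive is physical sector (partition start + N).
    Logical sector 0 is the volume boot sector; the MBR is outside every volume."""
    part = next(p for p in parts if p["index"] == part_index)
    if not 0 <= logical_sector < part["sectors"]:
        raise ValueError("logical sector outside the volume")
    return part["lba_start"] + logical_sector


def physical_to_logical(parts: list, physical_sector: int):
    """Inverse mapping: (partition index, logical sector), or None when the
    physical sector lies outside every volume (the MBR, or the gap before it)."""
    for p in parts:
        if p["lba_start"] <= physical_sector < p["lba_start"] + p["sectors"]:
            return p["index"], physical_sector - p["lba_start"]
    return None


def byte_offset(sector: int) -> int:
    """Offset a hex editor would display for the start of a sector."""
    return sector * SECTOR_SIZE


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for p in table:
        print(f"partition {p['index']}: type 0x{p['type']:02X}, "
              f"LBA {p['lba_start']}..{p['lba_start'] + p['sectors'] - 1}")
    print("logical sector 0 of partition 0 = physical sector",
          logical_to_physical(table, 0, 0), "at byte offset",
          byte_offset(logical_to_physical(table, 0, 0)))
    print("physical sector 0 belongs to:", physical_to_logical(table, 0))
```

The mapping is why the slides say to open the physical disk only when a sector outside a logical drive must be reached: physical sector 0 (the MBR) maps to no volume at all, while offset 0 of a logical drive is that volume's own boot sector.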