Hexedit

From Digital Forensics Framework

  • Synopsis : hexedit path

The Hexedit viewer is a hexadecimal viewer directly integrated into the framework. It can be used to visualize binary data such as ELF or PE files; basically, the hexedit viewer is able to display any kind of file. As DFF tries to automate most of the tasks, you will sometimes have to "force" the opening of the viewer by using the menu Open with -> Viewer -> Hexedit.

Indeed, if for example you want to open an image with the hex viewer by double-clicking on the corresponding node, the image viewer module will be opened by default instead of the hexedit viewer.


Main view

The main view of the hex viewer is shown on the following screen-shot. This is the view you will see when opening a file with hexedit. The opened file is an ELF library from a GNU/Linux operating system.

Hexedit.png

There are several zones.

The viewer (in red)

This is the main area, where the content of the file is displayed byte by byte with its equivalent in ASCII characters. Non-printable characters are displayed as a . (dot).

In the left column (the Offset column) the offset in the file is shown, in hexadecimal by default, but it can be displayed in decimal through the menu.

In the tool-bar, below the viewer, the Pages tab is selected by default. Pages are 512-byte blocks, but their size can also be modified through the menu. This tab allows you to navigate through the displayed data page by page.

In the menu, the Decode tab is selected. In this tab you can see the value selected in the viewer translated into decimal for 8, 16, 32 and 64 bits, and into binary.

The menu (in blue)

The menu is composed of four tabs :

  • Decode
  • Search
  • Goto
  • Options

Although Options is the last tab, we will start by describing its content.

Options

There are two tabs :

  • General
  • Pixels

The Pixels tab is related to the pixel view. We will discuss it in the Pixel viewer part.

Basically, the General tab allows you to configure the hexadecimal viewer. The first available option concerns the display of the offset in the viewer: you can choose between hexadecimal and decimal. The default value is hexadecimal.

Next, you can choose the page size. This is useful because the page size differs from one file system to another (512 bytes on FAT, 4096 bytes on Extfs, for example).

The Header and Spare options allow you to set the size of an optional header and spare area, respectively.

The pages per block option allows you to choose how many pages are contained in each block. For example, Extfs is made of page groups containing 32768 pages of 4096 bytes each.

In the left indication option you can choose whether you prefer to display offsets or page numbers in the Pages tab of the tool-bar.

Option general.png

Decode

We already mentioned the Decode tab: it translates a value selected in the viewer into decimal. On the main view screen-shot the selected value is 0x7F. You can see in the Decode tab that this value is translated into integers of several sizes (8, 16, 32 and 64 bits), signed and unsigned, and into binary.
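As an added illustration (not code from DFF), the following Python mirrors what the Decode tab computes for the bytes at the selected offset: the 8-, 16-, 32- and 64-bit integers starting there, signed and unsigned, plus the selected byte in binary. The sample ELF header bytes and the little-endian default are assumptions.

```python
# Constructed sample: the first 16 bytes of an ELF header (7f 45 4c 46 ...),
# not a file taken from the original page.
ELF_HEAD = bytes.fromhex("7f454c46020101000000000000000000")

def decode_at(data: bytes, offset: int, byteorder: str = "little") -> dict:
    """Return what the Decode tab shows for the value selected at `offset`.

    Keys are u8/s8, u16/s16, u32/s32, u64/s64 (unsigned/signed integers
    read from `offset` in the given byte order) and "binary" for the
    selected byte. Widths that would run past the end of the buffer are
    left out instead of being padded, so a selection near the end of a
    file only reports the widths that really fit.
    """
    out = {}
    for bits in (8, 16, 32, 64):
        width = bits // 8
        chunk = data[offset:offset + width]
        if len(chunk) < width:
            continue  # not enough bytes left for this integer size
        out[f"u{bits}"] = int.from_bytes(chunk, byteorder, signed=False)
        out[f"s{bits}"] = int.from_bytes(chunk, byteorder, signed=True)
    out["binary"] = format(data[offset], "08b")
    return out

if __name__ == "__main__":
    # Selecting the first byte (0x7F) as on the page's screen-shot.
    for key, value in decode_at(ELF_HEAD, 0).items():
        print(f"{key:>6}: {value}")
```

Passing byteorder="big" shows the same selection the other way round, which is the usual reason a decoded 32-bit value does not match the hex you expect.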

Search

This tab is used to perform a search for a given pattern within the open file.

Before launching the search, you can configure several points :

  • The type of pattern you want to look for: text or hexadecimal.
  • The pattern itself: it can be a text or a hexadecimal value. For example we could search for .ELF (a string) or 0x464c457f (a hexadecimal value).
  • A wild-card.
  • The Start field allows you to specify the offset in the file from which you want the search to start (0 by default).
  • By checking the From cursor check-box, the Start field is filled in with the offset where the cursor is. In other words, the search will start at the cursor position.

The result area is for now empty and cannot be accessed.

Once these few settings are done, you can click on the Apply button.

Hex search.png

Once the search is done, a pop-up will appear indicating the number of matches found in the dump (0 or more). The matches will be displayed in the menu with their offsets. You can double-click on them to jump to their positions. You can click the red cross to close the result area. In the example, we searched for the ELF string and one match was found at offset 0x01.
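To make the search settings above concrete, here is an added Python example (not DFF's own search code) that accepts a text pattern, a hexadecimal value such as 0x464c457f, or space-separated hex bytes with a "??" wild-card, and reports every match offset from a given start. The wild-card syntax, the little-endian reading of a 0x value and the sample buffer are assumptions.

```python
# Constructed sample dump: an ELF-like header, zero padding, then the text
# "ELF again" (not data from the original page).
SAMPLE_DUMP = bytes.fromhex("7f454c46020101") + b"\x00" * 9 + b"ELF again" + b"\x00" * 8

def hex_value_to_bytes(value: str) -> bytes:
    """Convert a value written like 0x464c457f into the byte sequence it
    occupies in the file, assuming little-endian layout: 7f 45 4c 46.
    This is why the hex value and the ".ELF" string find the same header."""
    digits = value[2:] if value.lower().startswith("0x") else value
    return int(digits, 16).to_bytes((len(digits) + 1) // 2, "little")

def compile_pattern(pattern: str, kind: str) -> list:
    """Turn the Search tab inputs into a list of byte values; None marks a
    wild-card position. `kind` is "text" or "hex". In hex mode, "0x..." is
    a value, otherwise the pattern is space-separated bytes ("??" = any)."""
    if kind == "text":
        return list(pattern.encode("latin-1"))
    if pattern.lower().startswith("0x"):
        return list(hex_value_to_bytes(pattern))
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]

def search(data: bytes, pattern: list, start: int = 0) -> list:
    """Return every offset >= start (the Start / From cursor field) at which
    the pattern matches; an empty list means the pop-up would say 0 matches."""
    n = len(pattern)
    matches = []
    for off in range(start, len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            matches.append(off)
    return matches

if __name__ == "__main__":
    print("text  ELF        ->", [hex(o) for o in search(SAMPLE_DUMP, compile_pattern("ELF", "text"))])
    print("hex   0x464c457f ->", [hex(o) for o in search(SAMPLE_DUMP, compile_pattern("0x464c457f", "hex"))])
    print("hex   7f ?? 4c   ->", [hex(o) for o in search(SAMPLE_DUMP, compile_pattern("7f ?? 4c", "hex"))])
```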

Matches.png

Matches2.png

GoTo

With the goto tab, you will be able to jump to a given position in the file.

There are two main areas :

  • Go to location
  • Options

In Go to location you can choose whether you prefer to use a hexadecimal or decimal format. In the Type field you can choose whether you want to jump to an offset, a page or a block. In the Place field, you just have to enter the address where you want to go. Then click on the Go button at the bottom of the menu.

For example, if you set decimal in the Format field, block in the Type field and 10 in the Place field, you will jump to the beginning of block 10 of the file. Remember that the block size can be configured from the Options menu.

The From cursor option makes you jump by the offset set in the Place field, relative to the cursor's offset. For example, if the cursor is at offset 1 and you set 10 in decimal in the Place field and check From cursor, you will jump to offset 11.

The Backward option does the same thing backwards, i.e. the current offset will be decreased by the value set in the Place field.

Hex goto.png

The tool-bar (in green)

Here we describe the four tabs of the tool-bar:

  • Pages
  • Pixels
  • Bookmarks
  • String

Pages

Each page of the opened file can be seen here. Each green square corresponds to a page in the file. The default page size is 512 bytes, but this can be configured in the Options menu. You can navigate through the file by clicking pages, which makes you jump to the page you just clicked on: for example, if you click on the tenth square you will jump to the beginning of page 10, i.e. offset 5120 if pages are 512 bytes big.

Hex pages.png

In the left column, you can choose to display the offset in bytes or in number of pages through the Options menu.

Bookmarks

You can bookmark offsets in the opened file so you can go back more easily to a given position.

Hex bookmark.png

Three main buttons are available:

  • Add bookmark
  • Delete bookmark
  • Edit bookmark

When you click on the Add bookmark button a pop-up appears and you must fill in the different fields:

  • Address: the offset in the file you wish to bookmark.
  • Length in decimal
  • Length in hexadecimal
  • Ascii value
  • Description: a short description for the bookmark.

Most of the fields already contain a default value, depending on the position of the cursor. You only need to enter the description of the bookmark.

When the configuration is done, click on OK to confirm, or Cancel if you wish to abort this action. Once a bookmark is set, you just have to double-click on it to go back to the bookmarked position.

The Delete bookmark button is used to delete an existing bookmark, and the Edit bookmark button to edit an existing bookmark.

Hex add bookmark.png

String

The string viewer displays the printable characters contained in the currently viewed data.

Hex string.png

Pixel viewer

The pixel viewer is used to display a graphic view of a node by rendering its bytes as colored pixels. An example is shown below. On the following screen-shot, the displayed data is the content of the first kilobytes of an NTFS dump.

Pix view.png

This view is useful for graphically locating some data structures, or for displaying pictures in some cases.

If, in the menu, you activate the Pixels tab of the Options tab, you can configure this view. You can zoom in or out on the view by moving the Scale factor scroll bar to the right or to the left, respectively.

The Resolution scroll bar is used to increase or reduce the resolution of the view. You can also change the resolution by manually typing a value in the Resolution spin box, which is more accurate than the scroll bar. The maximum resolution is 1024. The default value is 512. The higher the resolution, the more accurate the view.

The Indexed color combo box is used in combination with the Format combo box, and is only activated when Indexed 8 bits is selected in Format. The options of the Format combo box are described below:

  • RGB (Red Green Blue): this is the default view, as shown on the previous screen-shot.
  • Alpha RGB: uses alpha compositing to render the view:

Alpha.png

  • Indexed 8 bits: renders the view in 8-bit mode. You can customize it by modifying the selected option in the Indexed color combo box (we chose 256 in the Indexed color combo box to make the following screen-shot):

Idx 8 bit.png

  • Mono: renders the view as a black and white picture:

Mono.png
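Because the pixel view is mainly used to locate a structure and then jump to it in the hex view, the following added Python example (not DFF's code) models how a file offset maps to a pixel and back for each Format, given the Resolution setting. The bytes-per-pixel figures (RGB 3, Alpha RGB 4, Indexed 8 bits 1, Mono 8 pixels per byte) and the row-major, left-to-right layout are assumptions about the rendering, as is the 4096-byte sample.

```python
# Bytes consumed per pixel for each Format setting (assumption: RGB is
# packed as 3 bytes, Alpha RGB as 4, Indexed 8 bits as 1; Mono packs 8
# pixels into one byte and is handled separately).
BYTES_PER_PIXEL = {"RGB": 3, "Alpha RGB": 4, "Indexed 8 bits": 1}

def pixel_to_offset(x: int, y: int, resolution: int, fmt: str) -> int:
    """File offset of the byte drawn at pixel (x, y), assuming each row is
    `resolution` pixels wide (the Resolution setting, 512 by default) and
    pixels are laid out row by row from left to right."""
    index = y * resolution + x
    if fmt == "Mono":
        return index // 8          # eight pixels share one byte
    return index * BYTES_PER_PIXEL[fmt]

def offset_to_pixel(offset: int, resolution: int, fmt: str) -> tuple:
    """Inverse mapping: the (x, y) pixel in which a file offset is drawn,
    e.g. where a structure found in the hex view shows up in the picture."""
    index = offset * 8 if fmt == "Mono" else offset // BYTES_PER_PIXEL[fmt]
    return index % resolution, index // resolution

def rows_for(size: int, resolution: int, fmt: str) -> int:
    """Number of pixel rows needed to show `size` bytes (rounded up), which
    is what changes when you move the Resolution scroll bar."""
    pixels = size * 8 if fmt == "Mono" else -(-size // BYTES_PER_PIXEL[fmt])
    return -(-pixels // resolution)

if __name__ == "__main__":
    # Constructed example: a 4096-byte dump with a structure at offset 1024
    # (made-up numbers, not from the page's NTFS screen-shot).
    for fmt in ("RGB", "Alpha RGB", "Indexed 8 bits", "Mono"):
        x, y = offset_to_pixel(1024, 512, fmt)
        print(f"{fmt:15s} offset 1024 -> pixel ({x}, {y}); "
              f"{rows_for(4096, 512, fmt)} rows for 4096 bytes")
```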