History

Hexadecimal viewer

A hexadecimal viewer permitt a user to see or edit the raw and exact contents of a file as opposed to the interpretation of the same content that other, higher level application software may associate with the file format. For example, this could be raw image data, in contrast to the way image editing software would interpret the same file.

Launch

You can use several way in order to launch Digital Forensics Framework's hexadecimal graphical module. The first way is to right-click on a node in the VFS and select directly Hexeditor action:

Hex view is also set as our default node viewer. If you double-click on a node and that its mime-type isn't recognize, then the application will automaticaly launch it.
After launching the module, you will see this window:

This module is divided into 3 main parts:

Hexadecimal dumper

The first and main important part is the hexadecimal and ASCII representation. This is with this view that the user can navigate throught the file and analyse it. We choosed to respect the basic representation of an hexadecimal viewer, so this window is divided into a table of 3 columns:

  1. The first one is the offset display. This permit to know your position in the file. Offset are printed in red format and can be decimal or hexadecimal values.
  2. The center column represents the hexadecimal view. This view is divided into 16 bytes per lines which is the hexadecimal base (0123456789ABCDEF). Each byte is dump in 2 charaters.
  3. And the last column is the ASCII's representation of each byte. If a hex value doesn't match with an ASCII character (if char > 0x20 and char < 0x7e), a "." is then dump.

Informations and actions tab

Several informations and actions are group in this widget.

Decode Values

The first and default tab is DECODE values. It display every types and values informations regarding the cursor or selection position. You have the representation of signed or unsigned 8/16/32/64 bits and binary value of current byte.

The search tab come from the new API search feature. Indeed, from 0.5 release, search methods are implemented and directely linked into the framework and permit you to choose different options:

  • Type: Here select Charater pattern or Hexadecimal pattern
  • Pattern: Enter the pattern you want to find: "F0AB00" for hexadecimal, or "rendez-vous" for characters.
  • Wilcard: Search method is able to set a wilcard in order to match any characters ex: FO??OO
  • Start: Here select the start offset position

All the process is threaded wich allow you to continue navigating and analysis the dump. When search is done, a list of offset is display to the user and in order to go to searched pattern, just double-click it.

Go to

This section allow you to navigate and go to a specified offset in the dump. You can select different options:

  • Format: Select the format of the value (hexadecimal or decimal)
  • Type: The hexadecimal module is structured into pages and blocks which inscrease the analysis and navigation experience. You can choose here to go to an offset, a page or a block.
  • Place: Is the value where you want to go ex: block 4, page 68 or offset 7383434

In options, you can select to start from the cursor position or / and backward the cursor.

Options

Here, you can change view and data informations of the module. The first option is the global offset display type, you can choose here to see offset as hexadecimal or decimal.
You can change too, page informations:
  • Page size
  • Header of page size
  • Spare area size

And finally, the count of pages per block which define blocks size.

Bookmarks

Bookmarks permit to memorize offset and interesting zone in the dump. This feature is available in the bottom widget of the heditor and look like this:

New bookmark entries are set from current cursor position, or in a selected zone. The entry show different informations such as:

  • Address: The start address of the entry
  • Length (Dec): Length of the entry in decimal value
  • Length (Hex): Length of the entry in hexadecimal value
  • Hex value: The hexadecimal representation of the entry
  • ASCII value: The Ascii representation of the entry
  • Description: You have the possibility to enter a description of a new entry wich permit you to tag interesting elements

Once the different values entered, it is display in a table with all informations. In order to jump to the entry, just double-click to it.

hex_rclick.png (8.3 KB) jmo, 03 Mar 2010 16:32

hex_launch.png (70.6 KB) jmo, 03 Mar 2010 16:41

hex_decode.png (27.6 KB) jmo, 03 Mar 2010 17:03

hex_search.png (34.6 KB) jmo, 03 Mar 2010 17:05

hex_goto.png (23.6 KB) jmo, 03 Mar 2010 17:09

hex_book.png (16.1 KB) jmo, 03 Mar 2010 17:10

hex_addbook.png (69.1 KB) jmo, 03 Mar 2010 17:10

hex_addedbook.png (16.9 KB) jmo, 03 Mar 2010 17:10

hex_widget.png (27.1 KB) jmo, 05 Mar 2010 10:33

hex_opts.png (17.3 KB) jmo, 05 Mar 2010 11:31

Also available in: HTML TXT