Hex Editors: How to Use Them Effectively
A description of how you can use hex editors effectively.
Hello Internet, Matt here from Forensics With Matt and in today’s blog post, I will be discussing hex editors. This post will discuss what hex editors are, where to find them and how to use them. I will discuss all the hex editors I know on Mac, Linux, and Windows. Let’s get into this!
Figure 1: A view of a hex editor.
Watch the video companion here.
Video 1: My hex editor video
What is a Hex Editor?
To answer the question, “What is a hex editor?”, we have to backtrack and know one thing about what they are used for. That one thing is what a file is at its most basic level.
At its most basic level, a file is a very basic structure of data that is able to be read by a computer. The computer itself records this data in a format that it can read, that being binary. Files are often read by tools that convert the information in them to human-readable or human-viewable content. This is all well and good, but what do we do when the file is unable to be read by our computer (and there is no program readily available to read it)?
The above situation is exactly the reason a forensics professional would want a hex editor. As is evident in figure 1, a hex editor shows the whole file’s binary data in hexadecimal format as well as in a more human-readable (ASCII) format, so that the investigator can read it.
This is a simple solution to a problem that can occur for even the most seasoned forensic investigator. Next, I’ll share some hex editing software solutions on each platform: Mac, Linux, and Windows.
Hex Editors by Platform
Mac
On Mac, there are two options for getting a hex editor: either by terminal or by dedicated apps. First we will go over terminal solutions. The one terminal solution I use when I am in a pinch is XXD, which is built into macOS. This tool is a component of the vim tool, according to many sources. Vim even has an XXD extension baked into it! This makes XXD a very versatile tool.
Figure 2: XXD on the command line.
If you ever need to use XXD in vim, simply type :%!xxd to edit a file with XXD!
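To make the two views described above concrete (the raw bytes on the left, the ASCII rendering on the right) and the :%!xxd round trip in vim, here is an added Python re-implementation of an xxd-style dump and its reverse. This is example code written for this post, not part of xxd or vim; the `SAMPLE` bytes are a constructed JFIF header, and the function names are my own.

```python
from __future__ import annotations

# Added example (not from the post): a minimal xxd-style hex dump and its
# reverse, so the :%!xxd / :%!xxd -r round trip in vim can be seen in code.
# SAMPLE is a constructed 20-byte JFIF header, not a real file.
SAMPLE = bytes.fromhex("ffd8ffe00010") + b"JFIF\x00" + bytes.fromhex("010100000100010000")


def _hex_field_width(width: int) -> int:
    # 2 hex chars per byte plus one space between each 2-byte word
    return width * 2 + width // 2 - 1          # 16 bytes -> 39 characters


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Format data like `xxd`: offset, 2-byte hex words, printable ASCII."""
    hex_width = _hex_field_width(width)
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        raw = chunk.hex()
        words = " ".join(raw[i:i + 4] for i in range(0, len(raw), 4))
        # non-printable bytes show as '.', exactly what the right-hand column does
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {words:<{hex_width}}  {text}")
    return lines


def from_hexdump(lines: list[str], width: int = 16) -> bytes:
    """Rebuild bytes from hexdump() output, ignoring the ASCII column (like `xxd -r`)."""
    hex_width = _hex_field_width(width)
    out = bytearray()
    for line in lines:
        hex_field = line.split(": ", 1)[1][:hex_width]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def patch_dump(lines: list[str], line_no: int, old_word: str, new_word: str) -> list[str]:
    """Replace one hex word in a dump line, the way you would retype it in vim.
    The offset column is left untouched so an edit cannot hit it by accident."""
    edited = list(lines)
    offset, rest = edited[line_no].split(": ", 1)
    edited[line_no] = offset + ": " + rest.replace(old_word, new_word, 1)
    return edited


if __name__ == "__main__":
    for line in hexdump(SAMPLE):
        print(line)
    # edit the SOI marker in the text view, then convert back to bytes
    edited = patch_dump(hexdump(SAMPLE), 0, "ffd8", "0000")
    print(from_hexdump(edited)[:4].hex())
```

Running the script prints the dump of the constructed header, then shows that changing the first hex word in the text and converting back yields the changed bytes, which is all that :%!xxd followed by :%!xxd -r does in vim. Note that edits to the ASCII column are discarded on the way back, so changes must be made in the hex column.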
Windows
On Windows, there are a couple of options that I have used before, being WinHex and HxD Hex Editor.
First off, WinHex is part of the X-Ways suite. Its full name is WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor. It is a free download that can be found on the X-Ways site. The downside to WinHex, as you see it on the X-Ways site, is that it is only a trial version and you have to buy it to get the full features. Figure 3 shows a screenshot of the user interface.
Figure 3: WinHex
One neat feature of WinHex is that you are able to open up RAM. This will be helpful in seeing what processes are running on a system and detecting some indicators of compromise. Figure 4 shows the window for viewing what is in main memory. There are many other features, so I recommend discovering some of the others for yourself; it won’t hurt!
Figure 4: The RAM process window in WinHex.
On the other hand, I am very familiar with HxD Hex Editor. It is my hex editor of choice. It has been the tool I use on my Windows systems to view files that I can’t view with other programs. It is simple software, like the other hex editors I mentioned previously. It has similar features to WinHex, but its added benefit is that it is fully free of charge. One can open disk images, open main memory, change the encoding, manipulate files and do a number of other things. This is a very versatile tool.
Linux
On Linux, there is software like GHex and Okteta. These are free of charge by default, because Linux is the free and open-source alternative to Windows and Mac. These software packages seem to present things in a similar manner to the ones previously discussed. If you would like to learn more about these hex editors, be sure to download them and check for yourself.
Interesting Use Cases of a Hex Editor
As mentioned earlier, hex editors are first and foremost used for seeking through files that you can’t open. I have personally used hex editors to view many files of different types with different data in them. If you’ve been reading this blog for a while, you will know that I recently made a post on the iOS unified logs. In that post, I talked about SEGB files. SEGB files are a type of file that stores key data about iOS phone usage. On Windows, these files are often displayed with the generic “file” file format. On any system, you have to put them through a parser of some kind or a hex editor to make them easy to view. Figure 5 shows an excerpt of the contents of one of the SEGB files: the one for Now Playing data. This image shows us that sometimes there are some great pieces of data that we may not be able to see with typical tools.
Figure 5: Now Playing SEGB file
Our second example of what can be done with a hex editor is, in a sense, reverse-engineering files. This reverse-engineering comes into play when we want to do something like play an audio file in an audio player that we have on our system that cannot currently play it. This is demonstrated in the video below, where the commentator finds a way to play music from a game in his music player.
Video 2: Using a hex editor to open proprietary files in a known player.
We can also use hex editors to fix broken files. I have written and played many a CTF exercise and practical exercise too in which a file (often an image) has its file header (the first few bytes) mangled or has some other problem that makes opening it currently impossible. The normal first bytes of a JPEG image file, for instance, are FF E0 s1 s2 4A 46 49 46 00.
If these are changed, they need to be changed back in a hex editor so that the file can be fixed. The video below shows one example of using a hex editor to fix a file in this way.
Video 3: Using a hex editor to reconstruct file signatures.
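To show the header check and repair in code rather than by hand, here is an added Python example (mine, not from the post or any of the editors mentioned). It identifies a file by its leading bytes from a small table of well-known signatures, restores the JPEG SOI+APP0 marker bytes only when the JFIF identifier bytes 4A 46 49 46 00 quoted above still sit at offset 6, and reports which offsets changed, which is exactly the list of bytes you would retype in the editor. The sample files are constructed; the function names are my own.

```python
from __future__ import annotations

# Added example (not from the post): identify a file by its magic bytes and
# restore a JFIF header whose marker bytes were zeroed, the kind of repair the
# post describes doing by hand in a hex editor. The signature table holds
# well-known magic numbers; GOOD_JPEG, MANGLED_JPEG and SMALL_PNG are constructed.
SIGNATURES = {
    "JPEG": bytes.fromhex("ffd8ff"),
    "PNG": bytes.fromhex("89504e470d0a1a0a"),
    "GIF": b"GIF8",
    "PDF": b"%PDF",
    "ZIP": b"PK\x03\x04",
}

JFIF_SOI_APP0 = bytes.fromhex("ffd8ffe0")   # SOI marker followed by APP0 marker
JFIF_ID = b"JFIF\x00"                        # the 4A 46 49 46 00 bytes from the post


def identify(data: bytes) -> str | None:
    """Return the format whose magic bytes match the start of data, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def repair_jfif_header(data: bytes) -> tuple[bytes, bool]:
    """Rewrite the first four bytes to SOI+APP0, but only when the JFIF
    identifier still sits at offset 6; otherwise leave the data alone rather
    than guess a format. Returns (data, changed)."""
    if data.startswith(JFIF_SOI_APP0):
        return data, False                    # header already intact
    if data[6:11] != JFIF_ID:
        return data, False                    # no evidence this was a JFIF file
    return JFIF_SOI_APP0 + data[4:], True     # bytes 4-5 (s1 s2, the APP0 length) are kept


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets whose byte differs, i.e. what you would have retyped in the editor."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


# Constructed samples: a tiny JFIF header with a trailing EOI marker,
# the same bytes with the first four zeroed, and the start of a PNG.
GOOD_JPEG = (JFIF_SOI_APP0 + bytes.fromhex("0010") + JFIF_ID
             + bytes.fromhex("010100000100010000") + bytes.fromhex("ffd9"))
MANGLED_JPEG = b"\x00\x00\x00\x00" + GOOD_JPEG[4:]
SMALL_PNG = SIGNATURES["PNG"] + bytes.fromhex("0000000d49484452")


if __name__ == "__main__":
    print("mangled identifies as:", identify(MANGLED_JPEG))
    fixed, changed = repair_jfif_header(MANGLED_JPEG)
    print("repaired:", changed, "now identifies as:", identify(fixed))
    print("offsets rewritten:", changed_offsets(MANGLED_JPEG, fixed))
    print("png untouched:", repair_jfif_header(SMALL_PNG)[1] is False)
```

The repair refuses to touch a file unless the JFIF identifier is still present, so a genuinely unknown file stays unknown instead of being turned into a fake JPEG; when you do this by hand in a hex editor, the same rule applies: look for surviving structure further into the file before rewriting the signature.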
A hex editor is a genuinely useful tool that everyone, whether a forensic investigator, cybersecurity specialist or just a general computer user, should keep in their arsenal. You have seen how useful they can be. Hex editors will be used in many instances in the future and will be a great help there too!
Conclusion
In today’s post, I talked about hex editors by covering hex editors on all platforms, sharing uses for them and giving some recommendations on ones to use in your practice. These are very useful tools for many things that a general information technologist would do. No matter whether you are super specialized like me or a novice who is trying to develop a general skillset, I’m sure you can find a use case for a hex editor or see one in use in some software.
If you found this post insightful, please subscribe and consider becoming a paid subscriber to help fund more posts like this on software that costs money. If you love the content, please share with your friends to help me grow. This has been Matt from Forensics with Matt talking about hex editors. Until next time, Matt OUT!