Chapter 3

The Power of HEX Finding Slivers of Data

Back to our forensic case

• The previous case discussed the challenge on search for a string of characters. XYZ

• How can Susan better represent this binary string without the tedium of decimal computation as discussed previously?

• The Solution, convert the binary string of 1’s and 0’s into their hexadecimal equivalent notation.

What is HEX?

• Hexadecimal (HEX)- is strictly a human friendly representation of binary values.

• A HEX character is often prefixed with 0x (zero, sub x) to denote it from another encoding system. Example 0x3F lets you know that 3F is HEX, and not ASCII

• Computer processor does not calculate in HEX. Software is used to convert binary to HEX.

• HEX is base 16 character code which works well with binary.

Hex representing Binary• HEX – 16 characters are 0 to 9 and A to F.– Where A represents 10, B represents 11, C

represents 12, D represents 13, E represents 14, F represents 15.

• There are 16 characters each representing 4 bits.

Hex, Binary, and Decimal Equivalents

HEX F E D C B A 9 8 7 6 5 4 3 2 1 0

Binary 1111 1110 1101 1100 1011 1010 1001 1000 0111 0110 0101 0100 0011 0010 0001 0000

Dec 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

Bits and Bytes and Nibbles

• Nibble – is a byte (bits) split into two equal halves. Totaling 4 bits per half.• A single HEX character corresponds to one nibble’s worth of data (4 bits).

– Standard encoding character needs a full byte (8bits) for representation. – 2 nibbles pair together accomplishes this representation.

• Thus we have 4 bits per nibble, two nibbles equals one byte and 8 bits per byte.

• A byte can stand alone when representing a character or symbol, whereas a nibble cannot.

Nibble Pairing• Nibbles must be paired to represent a

character or symbol. • Byte – stands alone when representing a

character or symbol. • HEX – character code has 16 unique values 0-

9, A-F. • How many binary values (bits) are needed to

represent 16 unique values? 2^4 2x2x2x2 = 16

HEX Values

• A HEX value can be represented by 4 bits in length.

• A HEX value represents a nibbleHex, Binary, and Decimal Equivalents

HEX F E D C B A 9 8 7 6 5 4 3 2 1 0

Binary 1111 1110 1101 1100 1011 1010 1001 1000 0111 0110 0101 0100 0011 0010 0001 0000

Dec 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

In Summary • 1 bit = binary value 0 or 1• 4 bits = nibble = 1 HEX character• 2 nibbles = 1 byte• 8 bits = 1 byte• 1 byte = 2 HEX characters

• So to answer the question: Why use HEX to represent binary?

Because both a byte and 2 HEX characters represents 8 bits, totaling 256 values

Nibbles and Bits

• To differentiate between two nibbled pairing, we will referred to left nibble and right nibble.

• Remember nibbles work in pairs Left and right.

Converting HEX to Binary

• Hex = 3 FSplit into two nibbles 3 F_ _ _ _ _ _ _ _23 22 2 1 20 23 22 2 1 20

8 4 2 1 8 4 2 1 0011 1111

Answer00111111

Converting HEX to Decimal

• HEX - 3F 3 F

161 160

X 16 1 48 + 15 = 63

Binary HEX Editor

• A HEX Editor – is a program which allows you to view and or edit compiled programs and binary data files.

• Called HEX editor because it represents most of the data in Hexadecimal format.

• Hexadecimal is used because it is easier for human than binary.

HEX Editor

• You can’t see all the bytes stored in a file using a regular application to open the file, and there are no applications available to view deleted items.

• Sometimes, part of the file is missing, including the piece that contains the executable code launching the application needed to open it in the first place.

Binary/HEX editor

• Binary/Hex Editor is for analyzing file structures.

• Viewing HEX allows forensic investigator to go beyond the application or file, and it will allow for the viewing of all data contained within a file, including remnants of old files or even deleted files, which still may be on the hard drive.

Hex Editor Environment• Four distinct areas (Panels)

– Header Panel– Address Panel– HEX-data Panel– Character Panel

Panels• Header Panel – The header panel displays the headers of any of

the other three panels. • Address Panel – Every byte in a file is assigned a number, called

its address, starting a 0 for the first byte of the file, 1 for the second byte, and so on. The address panel displays the address of the byte at the beginning of the line.

• HEX-Data Panel - The middle hexadecimal area is the most commonly used area of a HEX editor. It lists each byte of the file in a table, usually 16 bytes per line.

• Character Panel – displays the ASCII value of each file byte. It only provides the view of printable characters; non-printable characters are shown as a period character (“.”) or with another user-defined character

• So company XYZ would be 58595A

Wrapping It Up• Cyber forensic investigators MUST have a

thorough understanding of the process by which raw bits of data are turned into information, and how complex silicon devices interprets pulses of energy, assigning these pulses the computable values of one and zero, and then into higher order numerical values, and eventually into characters that are understood by humans.

• This provide Cyber Investigators a mean to find the sliver of data they are looking for, amid potentially billions of bytes of extraneous data.