How to Read Data Block Hex 512 Bytes
Felix the Cat had a magic bag of tricks that used to get him out of sticky situations. All experienced support techs have their own magic bag of tricks, but it usually contains various software utilities that help them solve tricky technical problems. One of the handiest utilities a support tech can have is a sector editor. With the right sector editor, a support tech can recover data or even read areas of a disk that contain deleted or damaged data. WinHex is a handy sector editor that will fit nicely in your bag of tricks.
What is WinHex and what's it going to cost?
WinHex, made by X-Ways Software Technology AG of Germany, is a powerful application that you can use as an advanced hex editor, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering. Customers using WinHex include the Oak Ridge National Laboratory, Hewlett Packard, National Semiconductor, several law enforcement agencies, and many other companies with data recovery and protection needs.
WinHex, which is compatible with Windows 95 through Windows XP, offers the ability to:
- Read and directly edit hard drives (FAT and NTFS), floppy disks, CD-ROMs, DVDs, Compact Flash cards, and other media.
- Read and directly edit RAM.
- Interpret 20 data types.
- Edit partition tables, boot sectors, and other data structures using templates.
- Join and split files.
- Analyze and compare files.
- Search and replace.
- Clone and image drives.
- Recover data.
- Encrypt files (128-bit strength).
- Create hashes and checksums.
- Wipe drives.
Forensics features (which require a Specialist license) include the ability to:
- Gather free and slack space.
- Search for text based on keywords.
- Create tab-delimited tables of drive contents. These tables can be imported into a spreadsheet such as Microsoft Excel and sorted.
Licenses cost $44 (Personal, $25 per additional license), $84 (Professional, $48 per additional license), and $126 (Specialist, $67 per additional license), making this application a bargain for the features it offers.
Download and installation
If you want to try out WinHex, download an evaluation version of Winhex.zip. This version works for the most part, but the Professional and Specialist features are disabled. After you've downloaded Winhex.zip, unzip the contents into a temporary directory on your administration workstation.
Launch the setup program and choose a destination folder and language for installation. WinHex comes in English, German, French, Spanish, Italian, and Portuguese versions. (The latest release is version 10.75.) WinHex's Setup program works like every other Windows installation wizard you've ever used. Just follow the onscreen prompts and you won't go wrong.
WinHex does not store configuration information in the registry or configuration files in the Windows OS folders, making it portable and helping you keep your registry size down.
In order for Windows 9x and Me users to directly access CD-ROM sectors, the Windows file wnaspi32.dll must be present. The file is usually installed with Windows. If it isn't, you can find it on the Windows Setup CD.
To edit hard disk sectors under Windows NT, 2000, or XP, you'll need Administrator privileges.
Using WinHex
At its most basic level, WinHex is a hex editor. That is, like most hex editors it displays three columns: an address, a 16-byte hex display, and a 16-character text display.
The data viewer can be extensively configured. For example, by clicking the up, down, right, and left arrows on the toolbar, you can add lines, remove lines, add columns, and remove columns from the data display. You can view hex only, text only, or both by clicking check boxes in the View menu. General options let you set the colors and font, and clicking the Offset column toggles between decimal and hex address values.
WinHex sessions begin with a Start Center, shown in Figure A, where you can open files, disks, RAM, and previously edited files that you can select from a list. WinHex remembers the last editing position of previous files and the state of the last session, and it allows you to open the entire previous session by clicking Continue Last Session from the Start Center's Projects window. You can also open projects and launch scripts (a script editor is enabled in the Professional and Specialist versions).
Figure A: Begin your WinHex session at the Start Center.
Like other hex editors, WinHex can open files as editable or as read-only. Edited data is stored in a temporary file until saved, at which time your changes are committed. There is also an in-place Edit mode in which all changes are made directly in real time (the default when editing RAM). You can choose the Edit mode from the Open File dialog. When you open an entire disk or partition, the default mode is Edit.
Caution: Using a disk editor can be fatal
Changing values other than text strings can ruin an executable (program) file. Directly editing a drive or RAM can damage an operating system or the drive's integrity. When editing an executable file, dll, or other program file, always work on a copy. Save the original in case the program file needs to be restored. Never change the length of an executable file or its instructions and data unless you're absolutely certain of the result. Otherwise, doing so will cause the code to miss instructions and probably corrupt the file to the point that it will no longer work. Fortunately, WinHex contains 25 undo levels, so in most cases, it's possible to undo your modifications.
Figure B shows the WinHex status bar, appearing to the right of the hex display. In addition to familiar status info such as the filename, creation date, and time, the status bar also shows the file's State (Original/Modified) and undo levels.
Figure B: The status bar displays vital statistics about the data being edited.
The Data Interpreter, at the bottom of the status bar, translates hex values at the insertion point into decimal equivalents, based on the data types you choose. The default types are 8-, 16-, and 32-bit signed. Double-click the Data Interpreter to open a menu of additional options, which include displaying Assembly Language codes, date formats, and different integer types, as shown in Figure C.
Figure C: By default, the Data Interpreter shows 8-, 16-, and 32-bit values for the selected hex code "EB." Options added here are floating value and Assembly Language op code.
Editing disks and other media
When using WinHex as a disk editor, you can access the media through the operating system (logically) or through the BIOS (physically). Accessing logically allows you to browse the disk by clusters. You can view the file system and access partition boot sectors and file allocation tables. With the Professional license, you can also view free space and slack space.
When physically accessing a disk, it is often possible to edit a disk that the operating system can't access, for whatever reason. It is also possible to view, edit, and back up the Master Boot Record (MBR) partition tables and partition boot sectors.
Open the Disk Editor by selecting Disk Editor from the Tools menu. The Edit Disk window, shown in Figure D, appears and lets you choose which disk, logical or physical, you wish to edit. The disk is now open in Edit mode. Changes are not made in place, but only when you choose Save.
Figure D: Use the Disk Editor to logically or physically access a drive.
In order to repair a disk using WinHex, it's essential to know the difference between viewing disk data displayed logically and viewing disk data displayed physically.
When you open Drive C: through logical access, what appears as the 00 address of the disk is actually the first byte of that partition's boot sector, and not the first byte of the disk. Referring again to Figure D, you can see that logical access on my disk offers two choices: C:\ and D:\ (this machine's hard drive is partitioned into C:, formatted FAT32, and D:, formatted NTFS), while physical access offers only one option: Hard Disk 1.
Selecting Hard Disk 1 reads in the entire drive. Here, offset 00 really means the actual physical start of the hard drive, head 0, cylinder 0, sector 1, where the bootstrap code and partition tables for the disk are stored. In physical view, Drive C: actually begins at offset 7E00h. For comparison, Figure E shows the first 16 bytes of C:\ accessed logically (1), the first 16 bytes of the hard drive accessed physically (2), and the first 16 bytes of partition C: accessed physically (3).
Figure E: These three data displays demonstrate the difference in addressing and in accessing data when logically and physically accessing a drive.
What does this discussion of logical vs. physical access mean? To back up and restore your MBR with its bootstrap code and the drive's partition tables, access the disk physically (preferably from another disk that has WinHex installed). If you only want to back up and restore your partition's boot sector, it's a bit easier to access the disk logically.
More disk access options
When you open a drive, an Access button appears on the right of the display. Clicking Access opens a series of options, depending on the type of media opened.
For example, as C:\ is a FAT32 partition on my system, clicking Access allows me to jump to the boot sector, FAT 1, FAT 2, a directory browser, root directory, free clusters, surplus sectors, and others, as shown in Figure F. On an NTFS partition, I would be able to access the master file table records.
Figure F: These options are available when you're logically accessing a drive.
Had I opened C:\ physically, selecting Access would have offered me the choices of accessing either disk partition, viewing the partition table and boot sector, cloning a partition, and creating a backup, as shown in Figure G.
Figure G: Options for working with drives differ for physical access. Use the tool you need.
In Figure F, note the two Access choices: Boot Sector Template and Root Directory Template. Templates are convenient ways to view and edit these disk areas. Figure H shows the result of choosing Boot Sector Template. You can also directly change data in the hex display.
Figure H: Templates make it easier to work with raw data.
Other templates are available for viewing your drive. Choose View | Template Manager to see a list. In addition, WinHex users have made available other templates. For example, there are templates for reading Zip disk and Palm database file formats.
Backing up and restoring MBRs, partition tables, and boot sectors
In order for a machine to boot, the hard drive needs to contain a valid MBR, a partition table naming at least one active partition, and a valid boot sector on that partition (which will also contain the operating system's boot loader). For any drive partition to be visible to the operating system, it must be listed in the MBR's partition table and have a valid boot sector.
The MBR consists of the first 512 bytes of data (512 bytes per sector) of the hard disk, in sector 1. The first 446 bytes of data contain the actual bootstrap code. The next 64 bytes are the partition table (four 16-byte records), and the last 2 bytes contain a signature that identifies the end of all boot sectors: 55h AAh.
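The 446/64/2-byte layout described above can be checked in code. This is an added example, not part of the original article or of WinHex: it parses a constructed 512-byte MBR and reports where each partition starts. The field layout inside each 16-byte record is the standard MBR layout rather than something the article spells out, and the sample partition sizes are made up.

```python
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446              # bootstrap code occupies bytes 0..445
ENTRY_LEN, ENTRY_COUNT = 16, 4   # 64-byte partition table
SIGNATURE = b"\x55\xaa"          # last two bytes of the sector


def parse_mbr(sector: bytes) -> list[dict]:
    """Return the non-empty partition records of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55h AAh signature")
    partitions = []
    for index in range(ENTRY_COUNT):
        start = BOOTSTRAP_LEN + index * ENTRY_LEN
        # Standard record layout (not from the article): status byte, 3 CHS
        # bytes, type byte, 3 CHS bytes, first sector (LBA), sector count.
        status, ptype, first_lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + ENTRY_LEN])
        if ptype == 0x00:        # unused slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"record {index}: bad status byte {status:#04x}")
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "first_lba": first_lba,
            "sectors": count,
            "byte_offset": first_lba * SECTOR_SIZE,
        })
    return partitions


def build_sample_mbr() -> bytes:
    """Constructed MBR: an active FAT32 partition and an NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    records = [(0x80, 0x0B, 63, 4_000_000), (0x00, 0x07, 4_000_063, 8_000_000)]
    for index, (status, ptype, first_lba, count) in enumerate(records):
        start = BOOTSTRAP_LEN + index * ENTRY_LEN
        struct.pack_into("<B3xB3xII", sector, start,
                         status, ptype, first_lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(f"partition {part['index']}: type {part['type']:#04x}, "
              f"active={part['active']}, offset {part['byte_offset']:X}h")
```

A first partition starting at sector 63 lands at byte offset 7E00h, the same physical offset the article gives for Drive C:.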
Backing up and restoring a primary partition's boot sector is a little safer than working with the MBR, and it's a useful way of demonstrating WinHex's features.
The boot sector is contained in the first 512 bytes of each partition. In each case, the sector ends with the signature hex code 55h AAh. WinHex makes it easy to manually back up and restore these crucial bytes of code. It's also possible to manually edit this information directly or through a template.
To back up a partition's boot sector, click Access | Boot Sector. From the menu, choose Edit | Copy Sector | Into New File. You'll be asked for a filename. Choose a name such as bootcopy.dat (dat is a WinHex file type) and save. A new window opens with the copied sector.
Be aware that if you save this file to the same disk or partition you are viewing, you have changed the data in that partition. If you're attempting to recover erased data, some of the data may be lost. When you work with a hard drive that may be used as evidence, never work with the original copy. For that, you would clone a disk. However, for our example, we'll keep working with the OS disk.
You could print the template data to save a hard copy in case you ever need to rebuild your MBR manually. At that time, just access the drive with WinHex and write the data into the Boot Sector template.
There are a few ways to restore the boot sector. One method would be to open your backup file copy and paste the data to the boot sector area.
Another way that doesn't involve as much file manipulation would be to copy the backup boot sector, if there is one, provided it hasn't also been damaged by a virus or corrupted in some way, back to the beginning of the partition.
In a FAT32 file system, the boot sector copy is stored on sector 6, which begins at offset C00h. NTFS file systems stash a copy near the end of the volume. But you could find the backup without this information by searching for the boot sector header, coincidentally a good way to demonstrate WinHex's Search feature.
The boot sector begins with a jump command (EBh) and contains a header in the fourth position (offset 3). FAT32 headers will read, for example, MSWN4.1.
Copy the entire string from JMP to MSWN4.1 by dragging the cursor over it in either the text column or the hex display column. The string will be highlighted (Figure I). From the menu, choose Edit | Copy Block | Normal to copy a text string to the clipboard, or Edit | Copy Block | Hex Values to copy the hex code. The choice is up to you.
Figure I: WinHex highlights the block of data being manipulated.
Now choose Search | Find Text if you copied text, or Search | Find Hex Values if you copied a string of hex. Paste the string into the search box and click OK. The first search will stop at sector 0. Press F3 to continue the search. The next hit will likely be the backup boot copy.
Let's make sure this sector is really an exact duplicate of the boot sector by using the Compare feature. With the cursor in that sector, choose Edit | Copy Into File. Name that file bootcopy2.
Make sure both files are open in WinHex. From the menu, choose File Manager | Compare. Use the browse buttons to add the files bootcopy1.dat and bootcopy2.dat to the first and second file boxes. Next, give a name to the report file WinHex will create, as shown in Figure J. Click OK. A message will appear with the result, hopefully the one you want: "No differences found," meaning that the two files (and boot sectors) are identical.
Figure J: You're ready to see if you've located the backup boot sector.
At this point, you know the location of your boot sector's backup, and you have two files containing exact copies of your current boot sector.
Now practice copying and replacing the boot sector from the partition's backup copy. Warning: This is not for the faint of heart. If you mess up, you may have to practice replacing your boot sector for real.
Navigate to the backup copy of your boot sector. For FAT32 drives, a quick way to do this is to select Position | Go To Sector. Enter 6 and click OK. Choose Edit | Copy Sector | Normal. This places the data in the clipboard.
Return the insertion point to offset 0 of the original boot sector. Choose Edit | Clipboard Data | Write. A message will inform you that, "The clipboard data will be written at offset 0." Click OK.
The clipboard data overwrites sector 0 and is highlighted. The status bar at the right now shows the following helpful information: State: Modified, Undo Level: 1, Undo Reverses: Clipboard Writing.
You can back out of the changes by choosing Edit | Undo. At this point in the exercise, you can also exit Drive C: without committing the changes. If you feel especially brave and want to test your drive repair skills, choose File | Save Sectors. Only the modifications you made will be saved.
You've now replaced your boot sector. To back up and replace the drive's MBR and partition tables, choose Tools | Disk Editor and access the disk physically. Then copy the MBR to a file and have it ready in case you need to replace it.
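The search, compare, and restore steps above can be rehearsed on an image file instead of a live drive. This is an added example, not WinHex code and not from the original article: it works on an in-memory copy of a FAT32 partition and assumes the backup sits at sector 6 as described. The sample image and its placeholder name field are constructed.

```python
SECTOR_SIZE = 512
BACKUP_SECTOR = 6            # FAT32 backup boot sector, offset C00h
SIGNATURE = b"\x55\xaa"
HEADER_LEN = 11              # 3-byte jump + 8-byte name field at offset 3


def read_sector(image: bytes, number: int) -> bytes:
    return image[number * SECTOR_SIZE:(number + 1) * SECTOR_SIZE]


def looks_like_boot_sector(sector: bytes) -> bool:
    """Jump opcode EBh at offset 0 and 55h AAh in the last two bytes."""
    return (len(sector) == SECTOR_SIZE and sector[0] == 0xEB
            and sector[510:512] == SIGNATURE)


def find_header(image: bytes, header: bytes) -> list[int]:
    """Sector numbers that start with `header` (the search-and-F3 step)."""
    return [n for n in range(len(image) // SECTOR_SIZE)
            if image.startswith(header, n * SECTOR_SIZE)]


def compare_sectors(a: bytes, b: bytes) -> list[int]:
    """Offsets at which two sectors differ; empty means no differences."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def restore_boot_sector(image: bytes) -> bytes:
    """Return a new image with sector 6 written over sector 0."""
    backup = read_sector(image, BACKUP_SECTOR)
    if not looks_like_boot_sector(backup):
        raise ValueError("backup sector is not a valid boot sector")
    return backup + image[SECTOR_SIZE:]


def build_sample_partition(sectors: int = 16) -> bytes:
    """Constructed FAT32-style image; the name field is a placeholder."""
    boot = bytearray(SECTOR_SIZE)
    boot[0:3] = b"\xeb\x58\x90"
    boot[3:11] = b"EXAMPLE1"
    boot[510:512] = SIGNATURE
    image = bytearray(sectors * SECTOR_SIZE)
    for number in (0, BACKUP_SECTOR):
        image[number * SECTOR_SIZE:(number + 1) * SECTOR_SIZE] = boot
    return bytes(image)


if __name__ == "__main__":
    image = bytearray(build_sample_partition())
    image[0x40] ^= 0xFF                       # simulate damage to sector 0
    damaged = bytes(image)
    print("differs at:", compare_sectors(read_sector(damaged, 0),
                                         read_sector(damaged, BACKUP_SECTOR)))
    repaired = restore_boot_sector(damaged)
    print("header found in sectors:",
          find_header(repaired, repaired[:HEADER_LEN]))
```

The restore function returns a new image rather than writing in place, so the damaged copy stays available for comparison.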
Additional tools
Figures K and L show other tools and options available for working with disks. Among them are the ability to browse the directory structure, list file clusters, and clone a disk. Specialist tools include the ability to gather free space, slack space, and text for analysis; search simultaneously for different keywords; create tables of contents for the drive; create a table of Bates numbers (a format used by lawyers for referencing evidence); and highlight free and slack space.
Figure K: WinHex's disk tools
Figure L: WinHex's Specialist tools
Wipe sensitive files
One last feature is worthy of note, because it pertains to the opposite of data recovery: WinHex's ability to wipe confidential information so that it can't be recovered. The File Manager | Wipe Securely option goes beyond many file shredder tools. When applied to a file, according to WinHex, "Even professional attempts to restore the file will be futile."
Wipe Securely does not just overwrite a file several times with zeros or other characters. The file is also reduced to zero length and then deleted. Specialist and Professional licenses go even further: WinHex erases the name entry of the file as well.
For more information
WinHex's Professional and Specialist features make this app a low-cost, formidable arsenal of tools for the IT professional or law enforcement specialist. It meets the needs of those who need to edit and examine disks for data recovery and criminal evidence, as well as those who work with sensitive data that must be securely erased. For more information on how to use WinHex, see the set of tutorials on the WinHex Web site.
Source: https://www.techrepublic.com/article/winhex-a-powerful-data-recovery-and-forensics-tool/