ComputerSecurityStudent (CSS) [Login] [Join Now]




|FORENSICS >> Windows Tools >> Audit Tools >> Current Page |Views: 7282

(Forensics: WinHex)

{ Very Basic Byte Level Checking }


Background Information
  • Background
    • WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. License type comparison.

     

  • Reference Link: 

 

Prerequisite
  1. Login to your Instructor VM, as username administrator
    • For those of you that do not have access to my class, Instructor VM is a Windows XP Operating System.

     

  2. On the Instructor VM, go to http://www.x-ways.net/winhex/
    • Scroll down and click on Download (See Below)

     

  3. Click on Save (See Below).

     

  4. Save to C:\tools\winhex

     

  5. Click on Open Folder

     

  6. Right Click on winhex.zip, and Extract All

     

  7. Click on Next

     

  8. Click on Next

     

  9. Click On Finish

 

Section 1: Run winhex
  1. On Your Instructor VM

     

  2. Click on Run

     

  3. Once winhex loads for the first timeyou will see a window similar to the below.
    • Select Computer Forensics Interface.
    • Click on OK

     

  4. File Examination 1
    • The picture below is the first file you will examine with winhex.
    • Please following the next steps

     

  5. Right Click on the Below Picture
    • Select "Save Picture As..." (See Below)

     

  6. Save the picture in
    • C:\tools\winhex\myfiles

     

  7. Navigative your Windows Explorer to C:\tools\winhex\myfiles
    • Right click on unknown_file.jpb
    • Click on Rename

     

  8. Rename unknown_file.jpg to unknown_file
    • Answer Yes, when warned about the file becoming unusable.

 

Section 2: Using winhex to look at an unknown file type
  1. On Your Instructor VM

     

  2. Click on Run

     

  3. Click on File, then Click on Open

     

  4. Navigate to C:\tools\winhex\myfiles
    • Click on file unknown_file.
    • Click on Open

     

  5. Scroll over to the far left
    • Notice on the first line it says JFIF.  This is indicative of a JPEG file.
    • Congratulations you have completed your first Byte Wise inspection of a file.

 

Section 3: Using winhex to look at an encrypted file
  1. Download Encrypted File Here.
    • Click Save

     

  2. Save File to C:\tools\winhex\myfiles

     

  3. On Your Instructor VM

     

  4. Click on Run

     

  5. Click on File, then Click on Open

     

  6. Navigate to C:\tools\winhex\myfiles
    • Click on file .pgpass.gpg.
    • Click on Open

     

  7. Scroll Over to the Far Right
    • Notice that there is no relevant information that tells you what this file is about.
    • It was first compressed with gzip, then it was encrypted with gpg.

 

Proof of Lab
  1. Do a screen print of Section 2, Step 5. 
  2. Paste to a word document
  3. Submit to moodle.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth