Examining the Raw Data on Your Hard Drive with a Hex Editor

by admin

An Introduction to the Use of a Hex Editor in Hard Drive Data Recovery:

There are occasions when it can be useful to examine the raw contents of a hard drive. These circumstances can include:

-Simply to establish if the drive has had its data erased or if there is still information stored on it.

-The drive won’t boot normally, but the correct model and capacity are reported in BIOS.

-The directory/file contents of the drive cannot be seen and the file system is reported as “RAW”. This is often accompanied by an offer to format the drive (never accept it if your aim is to recover lost data: a quick format writes a new, empty file table over the old one, and a full format on recent versions of Windows overwrites the whole volume with zeros, so either way you lose the pointers to your files or the files themselves).

-You may be unsure of what is on a hard drive and find that the operating system which you are using to investigate it is not reporting any data present.

-Hex editors play a key role in accurately working out the layout of a failed RAID set (member order, stripe size and start offset) so that the volume can be rebuilt.

As with any data recovery procedure on a failed hard disk, the first step must be the precautionary one of cloning the original drive, sector by sector, and then working only on the clone (or on an image file of it). That way the original remains in its original state regardless of what happens during the analysis, and the number of reads from a deteriorating disk is kept to a minimum. If a write-blocker is available, attach the original through it so that nothing, the operating system included, can write to it.

What is a Hex Editor?

It is a piece of software which will display the contents of the hard drive sector by sector in both hexadecimal (hence the name) and ASCII. The “content” in this context refers to the binary 0’s and 1’s which computers use when storing data. This is best illustrated by reference to an example.

The screenshot below shows the hex editor view of a single sector on a hard drive:

Hex editor view of the start of a hard drive


Each sector holds 512 bytes of information (some recent “Advanced Format” drives use 4096-byte physical sectors, but most still present 512-byte logical sectors to the computer, so let’s not over-complicate things). Each byte is 8 bits of data (i.e. 8 binary 0’s and 1’s). The sector view shows 32 rows of 16 bytes, 512 entries in all; the numbers 0 to 15 along the top give each byte’s position within its row. In order to avoid presenting a frankly bewildering string of 0’s and 1’s, each byte’s 8 bits are split into two groups of 4, and each group is written as one hexadecimal (base 16) digit, so every byte appears as a pair of hex digits such as 4F. These pairs, under columns 0 to 15, are the “raw data” which your computer reads from and writes to your hard drive.

The single, wider column to the right of the raw data shows the ASCII translation of each byte. While the binary information is meaningful to your computer, it is less so to us mere humans, so it has to be converted into a form that means something to us. For example, if you want to email a friend to arrange where to meet, “Outside the pub at 6” is rather more helpful than the 01001111 01110101 01110100 ... in which the drive actually stores it. The ASCII table is a universally agreed mapping from byte values to characters: the byte 4F is the letter O, 20 is a space, and so on, and bytes that have no printable character are usually shown as a dot. For more on ASCII translation have a look at the wiki page on ASCII.

Bear in mind that the picture above is a single sector. A 1TB hard drive consists of 1,953,125,000 such sectors (1,000,000,000,000 divided by 512), so just under two billion.
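To make that layout concrete, here is an added example (not part of the original article) in Python that renders any 512-byte sector in the same 16-column hex-plus-ASCII form a hex editor uses, and shows how one byte is split into its two hex digits. The sector contents are constructed for the example; the sector size and column count are the conventional values assumed above.

```python
SECTOR_SIZE = 512   # logical sector size assumed here (true for 512n and 512e drives)
COLUMNS = 16        # bytes per row, the usual hex-editor layout

# Byte values rendered literally in the ASCII pane; everything else is shown as '.'
PRINTABLE = set(range(0x20, 0x7F))


def hexdump(data: bytes, columns: int = COLUMNS, base_offset: int = 0) -> list[str]:
    """Render data as rows of 'offset  hex pairs  ASCII', one row per `columns` bytes.

    Each byte becomes two hex digits (its high and low 4-bit halves), and the
    ASCII pane on the right shows the same bytes as characters where printable.
    """
    rows = []
    for row_start in range(0, len(data), columns):
        chunk = data[row_start:row_start + columns]
        hex_pairs = " ".join(f"{b:02X}" for b in chunk)
        ascii_pane = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        width = columns * 3 - 1          # keeps the ASCII pane aligned on a short last row
        rows.append(f"{base_offset + row_start:08X}  {hex_pairs:<{width}}  {ascii_pane}")
    return rows


def bits_view(b: int) -> tuple[str, str]:
    """One byte as its two 4-bit halves and as the hex pair those halves become."""
    return f"{b >> 4:04b} {b & 0xF:04b}", f"{b:02X}"


# Constructed sample sector: a short text message at the start, zeros for the rest.
SAMPLE_SECTOR = b"Outside the pub at 6".ljust(SECTOR_SIZE, b"\x00")

if __name__ == "__main__":
    for line in hexdump(SAMPLE_SECTOR):
        print(line)
    print(bits_view(0x4F))   # the letter 'O'
```

Run it and the first row reads `4F 75 74 73 69 64 65 20 ...` with `Outside the pub ` in the right-hand pane, exactly as the editor would show it; the remaining 31 rows are all `00`.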

There are many hex editors available for download. Arguably the best known is WinHex, an excellent program that is extremely easy to use while also offering a huge range of features for more advanced requirements.

What Can You Determine by Looking at the Hard Drive Content with a Hex Editor?

An almost endless number of things, but here are some of the more basic and useful ones:

It can show whether there is still data on the drive:

A hard drive which has been erased:

A raw hex view of an erased hard drive: this hard drive has been “zero-wiped”, and every byte of the sector reads 00.

A hard drive which still holds some kind of information:

A raw hex view of random data on a hard drive: this drive still clearly contains something.

Two cautions. A sector full of zeros at the start of the drive does not by itself prove a wipe, because a tool may have cleared only the first few megabytes (enough to remove the partition table) and left everything else in place, so look at sectors from the middle and end of the drive as well. Conversely, a drive whose sectors all look like random noise, with no recognisable headers or text anywhere, may be an encrypted volume rather than garbage, and nothing can be recovered from it without the key.
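As an added example (not from the original article), the Python below turns that visual check into something you can run over a whole cloned image: it classifies every sector as zeroed, high-entropy or ordinary data and reports the first sector that is not blank. The 7.0 bits-per-byte threshold for “looks like ciphertext or compressed data” is an assumed cut-off, and the image it scans is constructed inline.

```python
import math
import random

SECTOR_SIZE = 512
HIGH_ENTROPY = 7.0   # bits per byte; assumed cut-off for "looks encrypted or compressed" (8.0 is the maximum)


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a zeroed sector, close to 8.0 for ciphertext or compressed data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_sector(chunk: bytes) -> str:
    """'zeroed', 'high-entropy', or 'data' (structured content: file system metadata, text, media headers)."""
    if not any(chunk):
        return "zeroed"
    if shannon_entropy(chunk) >= HIGH_ENTROPY:
        return "high-entropy"
    return "data"


def survey(image: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Walk the whole image sector by sector rather than trusting sector 0 alone."""
    result = {"zeroed": 0, "high-entropy": 0, "data": 0, "first_non_zero_sector": None}
    for offset in range(0, len(image), sector_size):
        kind = classify_sector(image[offset:offset + sector_size])
        result[kind] += 1
        if kind != "zeroed" and result["first_non_zero_sector"] is None:
            result["first_non_zero_sector"] = offset // sector_size
    result["wiped"] = result["first_non_zero_sector"] is None
    return result


# Constructed test image: 4 zeroed sectors, 1 text sector, 1 sector that looks like ciphertext, 2 zeroed.
TEXT_SECTOR = (b"Outside the pub at 6\r\n" * 24)[:SECTOR_SIZE]
CIPHER_LIKE_SECTOR = bytearray(bytes(range(256)) * 2)   # every byte value twice: entropy exactly 8.0
random.Random(2024).shuffle(CIPHER_LIKE_SECTOR)        # seeded, so the sample is reproducible
CIPHER_LIKE_SECTOR = bytes(CIPHER_LIKE_SECTOR)
SAMPLE_IMAGE = bytes(SECTOR_SIZE) * 4 + TEXT_SECTOR + CIPHER_LIKE_SECTOR + bytes(SECTOR_SIZE) * 2

if __name__ == "__main__":
    print(survey(SAMPLE_IMAGE))
```

On a real clone, pass the image file’s bytes (or memory-map it) instead of `SAMPLE_IMAGE`; a drive that comes back with `wiped` true after a full pass really has been zero-filled, whereas one that is almost entirely high-entropy sectors is a candidate for encryption, not for carving.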

It can tell you what file systems are in use on the hard drive. Sector 0 of the drive is usually the one referred to as the MBR (Master Boot Record). Its first 446 bytes hold boot code, followed by a partition table of four 16-byte entries starting at offset 1BE, and it ends with the signature bytes 55 AA at offset 1FE. It can therefore directly define up to 4 partitions on the hard drive (an extended partition is the way round that limit). The file system of each partition is indicated by the partition type byte, the fifth byte of its entry, outlined in red below:

Using a hex editor to determine partition and file system information on a hard drive: determining the file system(s) from the MBR.

The most commonly encountered partition type codes are:

07: NTFS (the same code is used for exFAT)

0B or 0C: FAT32 (0C is the LBA variant)

83: Linux (the file system itself, typically ext4, is not identified here; its own signature sits inside the partition)

EE: protective MBR of a GPT-partitioned disk. The real partition table is the GPT starting at sector 1, and the file systems (HFS+ or APFS on a Mac, NTFS on a UEFI Windows PC, and so on) are identified there, not in the MBR.

Strictly speaking the code records the partition type the formatting tool wrote rather than the file system actually present; the two usually agree, but the definitive check is the file system’s own boot sector at the start of the partition.

In the example above, the drive consists of 2 partitions, both NTFS.

The example below is from a memory stick formatted as a single FAT32 partition:

Raw hex view of the start of a memory stick: the hex editor view of a FAT32 (“0B”) memory stick.

The starting point and size of each partition can also be read from the MBR: bytes 8 to 11 of each entry hold the starting sector (LBA) and bytes 12 to 15 the length in sectors, both as 32-bit little-endian values, which is why an MBR-partitioned drive with 512-byte sectors tops out at 2 TiB. Multiply the starting sector by 512 to get the byte offset to jump to in the hex editor; a good hex editor will typically include a function to decode and display this information for you.
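Here is an added example (not code from the original article or from any hex editor) that decodes the partition table by hand in Python, so the type bytes and start/size fields described above can be checked against what the editor’s built-in view reports. The MBR it parses is constructed inline with two NTFS partitions, like the screenshot, plus a second constructed protective MBR of the kind found on a GPT disk; the type names in the table are the standard ones.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"     # last two bytes of sector 0
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries follow the 446 bytes of boot code

# Partition type byte -> meaning (the common values; the full list is much longer)
PARTITION_TYPES = {
    0x05: "Extended (CHS)",
    0x07: "NTFS / exFAT / HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
    0x0F: "Extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective MBR",
    0xEF: "EFI system partition",
}


def has_mbr_signature(sector0: bytes) -> bool:
    return len(sector0) >= SECTOR_SIZE and sector0[0x1FE:0x200] == MBR_SIGNATURE


def parse_mbr(sector0: bytes, sector_size: int = SECTOR_SIZE) -> list[dict]:
    """Decode the four primary partition entries of an MBR.

    Entry layout (16 bytes, little-endian):
      status(1) | CHS start(3) | type(1) | CHS end(3) | start LBA(4) | size in sectors(4)
    Empty entries (type 0x00) are skipped.
    """
    if not has_mbr_signature(sector0):
        raise ValueError("no 55 AA signature at offset 0x1FE: not an MBR (or sector 0 is damaged)")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, start_lba, n_sectors = struct.unpack_from(
            "<B3sB3sII", sector0, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0x00:
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "start_lba": start_lba,
            "sectors": n_sectors,
            "start_byte": start_lba * sector_size,   # the offset to jump to in the hex editor
            "size_bytes": n_sectors * sector_size,
        })
    return entries


def is_gpt_disk(entries: list[dict]) -> bool:
    """A 0xEE entry means the real table is the GPT at LBA 1, not this MBR."""
    return any(e["type"] == 0xEE for e in entries)


def make_entry(status: int, ptype: int, start_lba: int, n_sectors: int) -> bytes:
    """Build one 16-byte entry (CHS fields zeroed; modern tools rely on the LBA fields)."""
    return struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, start_lba, n_sectors)


# Constructed sector 0 with two NTFS partitions, like the example in the text
SAMPLE_MBR = (
    bytes(446)                                    # boot code (irrelevant here)
    + make_entry(0x80, 0x07, 2048, 1_024_000)     # partition 1: bootable NTFS, starts at LBA 2048
    + make_entry(0x00, 0x07, 1_026_048, 204_800)  # partition 2: NTFS
    + bytes(32)                                   # entries 3 and 4 unused
    + MBR_SIGNATURE
)

# Constructed protective MBR as found on a GPT disk
SAMPLE_PROTECTIVE_MBR = bytes(446) + make_entry(0x00, 0xEE, 1, 0xFFFFFFFF) + bytes(48) + MBR_SIGNATURE

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print(f"#{e['index']} type 0x{e['type']:02X} {e['name']:<22} start LBA {e['start_lba']:>10} "
              f"(byte 0x{e['start_byte']:X}) size {e['size_bytes'] / 2**20:.0f} MiB bootable={e['bootable']}")
    print("GPT disk:", is_gpt_disk(parse_mbr(SAMPLE_PROTECTIVE_MBR)))
```

To use it on a clone, read the first 512 bytes of the image and pass them to `parse_mbr`; if it raises because the signature is missing, sector 0 itself is damaged and the partition boundaries will have to be found by searching for file system boot sectors instead.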

Hex editors are invaluable for more advanced operations such as file carving. Where the file table has been corrupted or otherwise lost, it can still be possible to locate individual files by searching for their characteristic raw structure. For example, a JPEG photograph always begins with the bytes FF D8 FF (highlighted in red below), normally followed by E0 for a plain JFIF file or E1 for one carrying Exif camera data, and it ends with FF D9. Searching the drive for the start signature and reading forward to the end marker recovers the photo even with no directory entry pointing at it. The one common trap is that the Exif block usually contains a thumbnail with its own FF D8 ... FF D9, so stopping at the first FF D9 after the header yields only the thumbnail.

Characteristic raw hex view of a JPEG photo header (start of file).
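The following is an added example, not code from the original article, of a JPEG carver in Python that walks the file’s marker segments so that an embedded Exif thumbnail does not cut the recovered file short; a naive first-FF D9 version is included for comparison. The JPEGs and the disk image it scans are constructed inline (structurally valid skeletons, not decodable pictures).

```python
from typing import Optional

SOI = b"\xFF\xD8\xFF"   # start of image; the third byte begins the first marker (E0 JFIF, E1 Exif, ...)
EOI = b"\xFF\xD9"       # end of image


def _segment_length(image: bytes, p: int) -> Optional[int]:
    """Length field of the marker segment at p (FF xx LL LL); the length counts its own two bytes."""
    if p + 4 > len(image):
        return None
    length = int.from_bytes(image[p + 2:p + 4], "big")
    return length if length >= 2 else None


def jpeg_end(image: bytes, start: int) -> Optional[int]:
    """Offset just past the EOI of the JPEG whose SOI is at `start`, or None if it is not intact.

    Header segments (APPn, DQT, DHT, SOF, ...) are skipped by their length fields, so an
    Exif thumbnail embedded in APP1, with its own FF D8 / FF D9, cannot end the scan early.
    """
    n = len(image)
    p = start + 2                        # skip FF D8
    # 1. Walk the marker segments until the first SOS (FF DA).
    while True:
        if p + 2 > n or image[p] != 0xFF:
            return None
        marker = image[p + 1]
        if marker == 0xD9:               # EOI with no scan data: still a terminated file
            return p + 2
        length = _segment_length(image, p)
        if length is None:
            return None
        p += 2 + length
        if marker == 0xDA:
            break
    # 2. Entropy-coded data: FF 00 is byte stuffing, FF D0..D7 are restart markers,
    #    FF FF is fill; any other FF xx is a real marker (EOI, or another segment/scan).
    while p + 1 < n:
        if image[p] != 0xFF:
            p += 1
            continue
        m = image[p + 1]
        if m == 0xD9:
            return p + 2
        if m == 0x00 or 0xD0 <= m <= 0xD7:
            p += 2
        elif m == 0xFF:
            p += 1
        else:                            # e.g. DHT or a further SOS in a progressive JPEG
            length = _segment_length(image, p)
            if length is None:
                return None
            p += 2 + length
    return None


def carve_jpegs(image: bytes) -> list:
    """Find every intact JPEG in a raw image by signature; returns (offset, file bytes) pairs."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        end = jpeg_end(image, start)
        if end is None:                  # truncated or not really a JPEG: keep searching after it
            pos = start + 1
            continue
        found.append((start, image[start:end]))
        pos = end
    return found


def naive_jpeg_end(image: bytes, start: int) -> Optional[int]:
    """The 'search for the next FF D9' shortcut, kept to show how it truncates files with thumbnails."""
    e = image.find(EOI, start)
    return None if e == -1 else e + 2


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg(scan_data: bytes) -> bytes:
    """Constructed JPEG skeleton (valid marker structure, not a decodable picture) with an Exif thumbnail."""
    thumbnail = b"\xFF\xD8" + _segment(0xDB, bytes(4)) + EOI      # nested SOI ... EOI inside APP1
    return (
        b"\xFF\xD8"
        + _segment(0xE1, b"Exif\x00\x00" + thumbnail)
        + _segment(0xC0, bytes(9))                                # SOF0 placeholder
        + _segment(0xDA, b"\x01\x01\x00\x00\x3F\x00")             # SOS header
        + scan_data + b"\xFF\x00" + b"\xFF\xD0" + b"\x12\x34"     # stuffed FF and a restart marker
        + EOI
    )


JPEG_A = build_sample_jpeg(b"scan-data-A")
JPEG_B = build_sample_jpeg(b"scan-data-B-longer")
# Constructed disk image: unallocated zeros around two files whose directory entries are gone
SAMPLE_IMAGE = bytes(100) + JPEG_A + bytes(50) + JPEG_B + bytes(70)

if __name__ == "__main__":
    for offset, data in carve_jpegs(SAMPLE_IMAGE):
        print(f"JPEG at offset {offset} ({offset:#x}), {len(data)} bytes")
```

On a real clone, `jpeg_end` will return None for files that were only partially written or whose tail was overwritten; those are worth a look by hand in the editor, since a truncated JPEG usually still opens as a partial picture.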

This introduction barely scratches the surface of the use of hex editors in data recovery; it is intended purely as an introduction to the ideas involved.
