The hex editor is a long-time favorite investigative tool for forensics professionals. But the capabilities of the tool go beyond piecing together bits and bytes to prove a case. Used in the right context, a hex editor can actually uncover Microsoft Windows and application vulnerabilities that you may not have thought about, yet can't afford to overlook. In fact, the hex editor is one of the most underrated and overlooked security testing tools.
Here are just a few of the things you can do with a hex editor to root out security weaknesses in your Windows environment:
- Check for passwords that may still be saved in Windows, Internet Explorer (IE) and other applications. Passwords left in memory can pose a risk, and this technique demonstrates just how vulnerable logins and other private information can be -- especially on public computers that can be accessed by several people.
Figure 1: Using WinHex to search Firefox's memory range for sensitive information.
If this isn't enough proof that a vulnerability exists, you can also search the computer's entire memory range for Windows application passwords or other sensitive information. Many times, I've been able to find sensitive information stored in memory by Web browsers even after the programs were closed. Searching all physical memory for this type of sensitive information is simple, fast and very revealing.
- Search local system files, such as pagefile.sys and hiberfil.sys or the entire physical disk, for sensitive information. It's worked for me every time. This can really come in handy for spot checking computer hard drives that have supposedly been wiped before being disposed of or given away. Figure 2 shows the WinHex interface for searching local files.
Figure 2: Using WinHex to search logical drive C: for sensitive information.
- Search for malware in memory or hidden data on disk that you wouldn't be able to see otherwise.
- Search for "dirty" documents, such as Microsoft Word files that reveal sensitive information that should never leave the network. Those include file authors, draft verbiage, comments or third-party information that had supposedly been removed or were assumed to be non-existent since they're not visible in the native application. This comes in handy when searching for the files of those who forgot to enable the "Remove personal information from file properties on save" option.
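The memory, pagefile and disk searches described in the list above are what WinHex's search dialog does interactively. As an added example (not code from the article or its author), here is the same spot-check scripted in Python so it can be run over a saved memory image, a copied pagefile.sys or a raw disk image as part of a wipe-verification or assessment checklist. The keyword list and the sample buffer are constructed for this example; one design point it adds beyond the article is that Windows keeps most in-memory strings as UTF-16LE, so a plain ASCII search misses them and both encodings are searched.

```python
import mmap
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Terms a defender would spot-check an image for. Constructed list for this
# example; tailor it to the data your environment actually handles.
DEFAULT_KEYWORDS: Tuple[str, ...] = ("password", "passwd", "pwd=", "secret", "ssn=")


@dataclass
class Hit:
    offset: int      # byte offset of the match in the buffer/file
    encoding: str    # "ascii" or "utf-16le"
    text: str        # printable run starting at the match


def build_patterns(keywords: Iterable[str]) -> List[Tuple[str, "re.Pattern[bytes]"]]:
    """One case-insensitive bytes regex per keyword for each encoding.
    UTF-16LE is each ASCII character followed by a NUL byte, which is how
    Windows stores most strings in RAM and in pagefile/hiberfil contents."""
    patterns = []
    for kw in keywords:
        patterns.append(("ascii", re.compile(re.escape(kw.encode("ascii")), re.IGNORECASE)))
        patterns.append(("utf-16le", re.compile(re.escape(kw.encode("utf-16-le")), re.IGNORECASE)))
    return patterns


def _printable_run(data, start: int, encoding: str, limit: int) -> str:
    """Decode up to `limit` bytes from `start` and keep the leading printable characters,
    so a hit on 'password' comes back as e.g. 'password=hunter2' rather than 8 bytes."""
    chunk = bytes(data[start:start + limit])
    if encoding == "utf-16le":
        chunk = chunk[: len(chunk) // 2 * 2]   # whole 16-bit code units only
    decoded = chunk.decode("utf-16-le" if encoding == "utf-16le" else "ascii", errors="replace")
    out = []
    for ch in decoded:
        if not ch.isprintable():
            break
        out.append(ch)
    return "".join(out)


def find_sensitive(data, keywords: Iterable[str] = DEFAULT_KEYWORDS, context: int = 64) -> List[Hit]:
    """Return every keyword hit in a bytes-like object (bytes or mmap), ordered by offset."""
    hits = []
    for encoding, pattern in build_patterns(keywords):
        for m in pattern.finditer(data):
            hits.append(Hit(m.start(), encoding, _printable_run(data, m.start(), encoding, context)))
    hits.sort(key=lambda h: h.offset)
    return hits


def scan_file(path: str, keywords: Iterable[str] = DEFAULT_KEYWORDS) -> List[Hit]:
    """Scan a file (a copied pagefile.sys, a raw disk image, an acquired memory image)
    through mmap so multi-gigabyte inputs are not read into memory at once."""
    with open(path, "rb") as f:
        if f.seek(0, 2) == 0:          # mmap rejects empty files
            return []
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return find_sensitive(mm, keywords)


# Constructed stand-in for a slice of a memory image: protocol text, junk bytes,
# an ASCII form post and a UTF-16LE string, the way such data interleaves in RAM.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"GET /login HTTP/1.1\r\n"
    + b"\x90\xff\x13" * 5
    + b"username=alice&password=hunter2\x00"
    + b"\x00" * 8
    + "Secret123".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 4
)

if __name__ == "__main__":
    for hit in find_sensitive(SAMPLE_IMAGE):
        print(f"0x{hit.offset:08x}  {hit.encoding:9s}  {hit.text}")
```

Two caveats a practitioner should keep in mind: searching live RAM still requires an acquisition step (WinHex's RAM editor, or a memory-imaging tool) that produces the file this script reads, and hiberfil.sys on Windows Vista and later is stored Xpress-compressed, so a raw search over it will miss most strings unless the file is decompressed first.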
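The "dirty document" check in the last item is described for binary Word files opened in a hex editor. As an added example (not code from the article or its author), the following Python inspects the same kinds of residue in the newer .docx format, where the document is a zip package and the author fields, reviewer comments and tracked deletions live in separate XML parts; it also reports whether the package's settings part carries the `removePersonalInformation` flag that the "Remove personal information from file properties on save" option sets. The sample document is constructed inline and contains only the parts this check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

# OOXML namespaces used by the parts we read.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"


def _part(zf: zipfile.ZipFile, name: str):
    """Parse one XML part of the package, or return None if the part is absent."""
    try:
        return ET.fromstring(zf.read(name))
    except KeyError:
        return None


def _text(elem) -> str:
    """Concatenate all <w:t> and <w:delText> runs under an element."""
    wanted = (f"{{{W}}}t", f"{{{W}}}delText")
    return "".join((t.text or "") for t in elem.iter() if t.tag in wanted)


def inspect_docx(blob: bytes) -> Dict[str, object]:
    """Report what the Word UI does not show on screen: author fields, reviewer
    comments, tracked deletions, and whether personal-info stripping was enabled."""
    report: Dict[str, object] = {
        "creator": None,
        "last_modified_by": None,
        "comments": [],          # (author, text)
        "deleted_text": [],      # (author, deleted text)
        "personal_info_removed": False,
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        core = _part(zf, "docProps/core.xml")
        if core is not None:
            c = core.find(f"{{{DC}}}creator")
            m = core.find(f"{{{CP}}}lastModifiedBy")
            report["creator"] = c.text if c is not None else None
            report["last_modified_by"] = m.text if m is not None else None
        comments = _part(zf, "word/comments.xml")
        if comments is not None:
            for cm in comments.iter(f"{{{W}}}comment"):
                report["comments"].append((cm.get(f"{{{W}}}author"), _text(cm)))
        doc = _part(zf, "word/document.xml")
        if doc is not None:
            for d in doc.iter(f"{{{W}}}del"):
                report["deleted_text"].append((d.get(f"{{{W}}}author"), _text(d)))
        settings = _part(zf, "word/settings.xml")
        if settings is not None:
            report["personal_info_removed"] = (
                settings.find(f"{{{W}}}removePersonalInformation") is not None
            )
    return report


def build_sample_docx() -> bytes:
    """Constructed minimal .docx with the residue described above; not a real file."""
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            '<dc:creator>Alice Example</dc:creator>'
            '<cp:lastModifiedBy>Bob Reviewer</cp:lastModifiedBy></cp:coreProperties>')
    comments = (f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Bob Reviewer">'
                '<w:p><w:r><w:t>Do not send our cost basis to the client</w:t></w:r></w:p>'
                '</w:comment></w:comments>')
    document = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
                '<w:r><w:t>Quote: $15,000</w:t></w:r>'
                '<w:del w:id="1" w:author="Alice Example">'
                '<w:r><w:delText>Quote: $9,500</w:delText></w:r></w:del>'
                '</w:p></w:body></w:document>')
    settings = f'<w:settings xmlns:w="{W}"/>'   # strip-personal-info option NOT set
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/comments.xml", comments)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_docx(build_sample_docx()).items():
        print(f"{key:22s} {value}")
```

Legacy binary .doc files are OLE compound documents rather than zip packages, so this parser does not apply to them; for those, the hex-editor or strings search the article describes remains the practical check.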
Even with hex editors, it pays to have good tools. There are plenty of hex editors to go around. Check out the commercial alternative to WinHex called Hex Workshop or even the freebie XVI32. Don't even bother with the DOS/Windows debug tool that we used to have to rely on. Most of the hex editor features and capabilities you'll need are not there.
If you jump in head first with a hex editor, you'll be amazed at how powerful it is and what you can uncover. With this power comes some risk: A hex editor can and will modify anything in memory or stored on disk, so be careful. The results can be beneficial or devastating. Either way, the power is in your hands.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at [email protected].