Hex Dump Analysis & Data Forensics

What is a Hex Dump?

A hex dump is a text rendering of binary data: each byte is written as two hexadecimal digits, conventionally 16 bytes per row, with the file offset on the left and the ASCII interpretation of the same bytes on the right. Reading hex dumps fluently is essential for debugging, forensics, and reverse engineering, because it is the one view that shows exactly what is on disk or in memory with no parser's interpretation in between.

Typical Hex Dump Format

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ASCII
00000000  50 4B 03 04 14 00 00 00 08 00 00 00 21 00 8A 7B  PK..........!..{
00000010  4C 9F 7A 00 00 00 B4 00 00 00 08 00 00 00 74 65  L.z...........te
00000020  73 74 2E 74 78 74 0B C9 48 CD 49 C9 57 08 CF 2F  st.txt..H.I.W../

Reading Hex Dumps

  • Offset: Position of the row's first byte, in hex (00000000 = start of file; each row advances by 0x10 = 16 bytes)
  • Hex Values: Each byte as two hex digits (00-FF). Multi-byte integers are usually little-endian, so the bytes 7A 00 00 00 at offset 0x12 above mean 0x0000007A = 122, not 0x7A000000
  • ASCII Column: The same bytes as printable characters, with . standing in for anything outside 0x20-0x7E (so a . may be a NUL, a control byte or any byte of 0x7F and above; it does not mean the byte is zero)
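The sample dump above is the beginning of a ZIP local file header (the entry for test.txt). The Python script below is an added example, not code from the original page: it decodes those 48 bytes with the struct module, reading every multi-byte field as little-endian, and maps each field back to its offset in the dump so the bytes can be checked against their meaning. The input bytes are copied from the dump; nothing beyond offset 0x2F is available, so the DEFLATE data that follows the file name is left undecoded.

```python
import struct

# Constructed input: the 48 bytes shown in the sample hex dump above
# (ZIP local file header for "test.txt" plus the first 10 bytes of its data).
SAMPLE = bytes.fromhex(
    "504B0304" "14000000" "08000000" "21008A7B"   # offset 0x00
    "4C9F7A00" "0000B400" "00000800" "00007465"   # offset 0x10
    "73742E74" "78740BC9" "48CD49C9" "5708CF2F"   # offset 0x20
)

# Local file header fields in file order. "<" = little-endian: the dump shows
# 7A 00 00 00 for the compressed size, which reads as 0x0000007A = 122.
LFH_FIELDS = [
    ("signature", "4s"), ("version_needed", "H"), ("flags", "H"),
    ("method", "H"), ("mod_time", "H"), ("mod_date", "H"), ("crc32", "I"),
    ("compressed_size", "I"), ("uncompressed_size", "I"),
    ("name_len", "H"), ("extra_len", "H"),
]
LFH = struct.Struct("<" + "".join(fmt for _, fmt in LFH_FIELDS))  # 30 bytes
METHODS = {0: "stored", 8: "deflate"}


def parse_local_header(buf, offset=0):
    """Decode the ZIP local file header at `offset` into a dict."""
    if buf[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("no local file header at 0x%X" % offset)
    h = dict(zip((name for name, _ in LFH_FIELDS), LFH.unpack_from(buf, offset)))
    name_start = offset + LFH.size
    h["name"] = buf[name_start:name_start + h["name_len"]].decode("cp437")
    # Compressed data starts right after the (variable-length) name and extra field
    h["data_offset"] = name_start + h["name_len"] + h["extra_len"]
    h["method_name"] = METHODS.get(h["method"], "unknown(%d)" % h["method"])
    # DOS date: bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day
    d = h["mod_date"]
    h["date"] = (1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F)
    return h


def annotate(buf, offset=0):
    """Map each header field back to its place in the dump:
    (offset, raw bytes as they appear, field name, decoded value)."""
    rows, pos = [], offset
    for name, fmt in LFH_FIELDS:
        size = struct.calcsize("<" + fmt)
        raw = buf[pos:pos + size]
        value = struct.unpack("<" + fmt, raw)[0]
        rows.append((pos, raw.hex(" ").upper(), name,
                     value if fmt == "4s" else "0x%X = %d" % (value, value)))
        pos += size
    return rows


if __name__ == "__main__":
    for off, raw, name, val in annotate(SAMPLE):
        print("%08X  %-12s %-18s %s" % (off, raw, name, val))
    print(parse_local_header(SAMPLE))
```

The annotated output reads like the dump itself: the CRC appears in the file as 8A 7B 4C 9F but is the value 0x9F4C7B8A, which is the kind of byte-order reversal every field in a little-endian format needs.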

Common Hex Dump Commands

Linux/Unix

# hexdump - standard hex dump utility (-C = canonical: offsets, hex and ASCII)
hexdump -C file.bin

# xxd - reversible hex dump (its output can be edited and turned back into binary)
xxd file.bin
xxd -r hex.txt output.bin  # reverse: rebuild the binary from xxd-format text

# od - octal dump; -A x = hex offsets, -t x1z = one-byte hex groups plus ASCII
od -A x -t x1z file.bin

# hd - shorthand for hexdump -C (BSD and util-linux systems)
hd file.bin

Windows

# PowerShell hex dump (built in since PowerShell 5.0)
Format-Hex -Path file.bin

# CertUtil (built-in): writes a hex dump with offsets and ASCII to a text file
certutil -encodehex file.bin output.txt

# Custom PowerShell function (same row layout as xxd / hexdump -C)
function Get-HexDump {
    param([string]$Path)
    # .NET resolves relative paths against the process working directory,
    # not PowerShell's current location, so resolve the path first
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    for ($i = 0; $i -lt $bytes.Length; $i += 16) {
        # Range indexing past the end of the array silently truncates,
        # so the final row may hold fewer than 16 bytes
        $row   = $bytes[$i..($i + 15)]
        $hex   = ($row | ForEach-Object { "{0:X2}" -f $_ }) -join " "
        # Printable ASCII (0x20-0x7E) as-is, everything else as "."
        $ascii = -join ($row | ForEach-Object {
                if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' }
            })
        # Offset, hex column padded to a fixed width, then ASCII
        "{0:X8}  {1,-48}  {2}" -f $i, $hex, $ascii
    }
}

Analyzing File Structures

Identifying File Types

File signatures (magic numbers) appear in the first bytes:

File Type    Hex Signature               ASCII         Offset
ZIP/JAR      50 4B 03 04                 PK..          0
PNG          89 50 4E 47 0D 0A 1A 0A     .PNG....      0
JPEG         FF D8 FF E0                 ....          0
GIF89a       47 49 46 38 39 61           GIF89a        0
PDF          25 50 44 46                 %PDF          0
EXE (PE)     4D 5A                       MZ            0
ELF          7F 45 4C 46                 .ELF          0
RAR          52 61 72 21                 Rar!          0
7z           37 7A BC AF 27 1C           7z....        0
MP3          FF FB or 49 44 33           .. or ID3     0

Every JPEG starts with the SOI marker FF D8 FF; the fourth byte names the first segment (E0 = JFIF APP0, E1 = Exif APP1), so match on the first three bytes when scanning. An MZ header only proves a DOS-compatible stub: a modern PE executable additionally has the "PE\0\0" signature at the offset stored in the DWORD at 0x3C.
# Identify file type using hex dump
$ xxd -l 16 mystery_file
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR

# Analysis: 89 50 4E 47 0D 0A 1A 0A = the full 8-byte PNG signature
# (the CR LF / LF bytes exist to catch text-mode transfer damage; if they
#  are altered, the file was mangled in transit)
# Bytes 8-15: 00 00 00 0D = chunk length 13 (big-endian), 49 48 44 52 = "IHDR",
# the first chunk every valid PNG must carry.
# This is a PNG image file. Cross-check: file mystery_file

Memory Dump Analysis

Reading Memory Dumps

# Create memory dump (Linux): attach gdb to a live process
gdb -p [PID]
(gdb) generate-core-file
(gdb) dump memory dump.bin 0x400000 0x401000
# 0x400000 is only the classic non-PIE .text base; with PIE and ASLR the
# mapping moves, so take the range from "info proc mappings" first

# Analyze with xxd
xxd dump.bin | less

# Search for a string in the dump
# xxd's default output groups bytes in pairs ("4865 6c6c 6f.."), so a
# contiguous hex pattern never matches; turn grouping off, or search the
# raw bytes by offset instead
xxd -g 0 dump.bin | grep 48656c6c6f   # "Hello" (misses a match split across two rows)
grep -aob "Hello" dump.bin            # byte offset of every match, no row-boundary problem

Common Patterns in Memory

Pattern         Hex                       Meaning
Zeroed memory   00 00 00 00 00 00...      Untouched pages (the kernel hands out zero-filled pages), .bss, or a buffer explicitly cleared; "uninitialised" only in the sense that nothing wrote to it yet
Debug fill      CC CC CC CC CC CC...      MSVC debug builds fill uninitialised stack with 0xCC (also int3 padding between functions); 0xCD = freshly allocated heap, 0xDD = freed heap, 0xFD = heap guard bytes. Release builds and glibc leave no such fill
Stack cookie    Varies by system          Random canary placed below the return address; a clobbered canary aborts the process (stack-smashing protection), so its value is per-process and must be read from the dump, not guessed
Pointers        Little-endian addresses   Read the bytes backwards: 60 4D 2B 1C 8A 7F 00 00 is 0x00007F8A1C2B4D60. On x86-64 Linux user space the two high bytes are 00 00 and the next is typically 7F (libraries, stack) or 55/56 (PIE binary)
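The string search and the pattern table above are easier to apply with a script than with grep on xxd output, which sees only one row and one encoding at a time. The following Python is an added example, not code from the page or from any forensics framework: the 96-byte "dump" is constructed inline, and the pointer heuristic (aligned little-endian words in the range where x86-64 Linux user space normally lives) and the fill-byte table are assumptions stated in the code.

```python
import struct

# Constructed 96-byte "memory dump" (not real process memory): a zeroed
# region, an ASCII string, the same word in UTF-16LE (how Windows keeps most
# in-memory strings), two x86-64 user-space pointers and a run of 0xCC fill.
DUMP = (
    b"\x00" * 16                                   # 0x00 zeroed
    + b"Hello, world!\x00\x00\x00"                 # 0x10 ASCII, NUL padded
    + "Hello".encode("utf-16-le") + b"\x00" * 6    # 0x20 UTF-16LE, padded
    + struct.pack("<Q", 0x00007F8A1C2B4D60)        # 0x30 library/stack address
    + struct.pack("<Q", 0x000055D9C0A01234)        # 0x38 PIE binary address
    + b"\xcc" * 16                                 # 0x40 debug fill / int3 padding
    + b"\x00" * 16                                 # 0x50 zeroed
)

# Fill bytes worth recognising (MSVC debug CRT values; release builds and
# glibc leave no such fill, so a run of these usually means a debug build).
FILL_BYTES = {
    0x00: "zeroed page or cleared buffer",
    0xCC: "MSVC uninitialised stack / int3 padding",
    0xCD: "MSVC freshly allocated heap",
    0xDD: "MSVC freed heap",
    0xFD: "MSVC heap guard bytes",
}


def find_string(dump, text):
    """Offsets of `text` in the dump for the two encodings a grep on the
    ASCII column cannot see together: plain ASCII and UTF-16LE."""
    hits = {}
    for enc in ("ascii", "utf-16-le"):
        needle = text.encode(enc)
        offs, pos = [], dump.find(needle)
        while pos != -1:
            offs.append(pos)
            pos = dump.find(needle, pos + 1)
        hits[enc] = offs
    return hits


def find_pointers(dump, lo=0x0000550000000000, hi=0x00007FFFFFFFFFFF):
    """Aligned 8-byte little-endian words inside the range where x86-64 Linux
    user space normally lives (PIE binaries at 0x55../0x56.., shared libraries
    and the stack at 0x7f..). Heuristic: ASCII text and small integers fall
    outside the range, but false positives remain possible."""
    out = []
    for off in range(0, len(dump) - 7, 8):
        val = struct.unpack_from("<Q", dump, off)[0]
        if lo <= val <= hi:
            out.append((off, val))
    return out


def find_fill_runs(dump, min_len=8):
    """(offset, length, byte, meaning) for every run of a known fill byte."""
    runs, i = [], 0
    while i < len(dump):
        j = i
        while j < len(dump) and dump[j] == dump[i]:
            j += 1
        if j - i >= min_len and dump[i] in FILL_BYTES:
            runs.append((i, j - i, dump[i], FILL_BYTES[dump[i]]))
        i = j
    return runs


if __name__ == "__main__":
    print(find_string(DUMP, "Hello"))
    for off, val in find_pointers(DUMP):
        print("pointer at 0x%02X: 0x%016X" % (off, val))
    for off, n, b, why in find_fill_runs(DUMP):
        print("0x%02X: %d x 0x%02X  %s" % (off, n, b, why))
```

Note that "Hello, world!" at 0x10 contains, read as an aligned 64-bit word, the value 0x00000021646C726F, which looks plausible as an address until the range check rejects it: that is why the pointer scan is a heuristic and why a hit should be confirmed against the process's actual mappings.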

Debugging with Hex Dumps

Finding Corrupted Data

# Compare two files in hex
$ xxd file1.bin > file1.hex
$ xxd file2.bin > file2.hex
$ diff file1.hex file2.hex
# Works for in-place changes; a single inserted or deleted byte shifts every
# later row, so everything after it shows as different

# Or use cmp for binary comparison
$ cmp -l file1.bin file2.bin | head
# Shows: offset, byte1, byte2 for each difference. The offset is 1-based and
# decimal, and the byte values are printed in OCTAL, not hex

Extracting Embedded Data

# Find and extract ZIP file embedded in binary
# (grep on xxd's paired groups only matches when "PK" lands on an even offset;
#  grep -b on the raw bytes reports the exact byte offset of every match)
$ grep -obUaP 'PK\x03\x04' binary.dat | cut -d: -f1
74560
$ xxd binary.dat | grep "504b 0304"
00012340: 504b 0304 1400 0000 0800 0000 2100 8a7b  PK..........!..{

# Extract from offset 0x12340 (= 74560) to end of file; add count= if the
# archive's size is known, since trailing junk can confuse some unzip tools
$ dd if=binary.dat of=extracted.zip bs=1 skip=$((0x12340))

# Verify extraction (file checks the signature; unzip -t checks every entry's CRC)
$ file extracted.zip
extracted.zip: Zip archive data
$ unzip -t extracted.zip

Network Traffic Analysis

Analyzing Packet Captures

# Export packet bytes from Wireshark (Packet Bytes pane, or "Copy as Hex Stream")
# or use tshark. "data" is only populated for payloads Wireshark could not
# dissect; for a TCP stream it has already decoded, use -e tcp.payload
$ tshark -r capture.pcap -T fields -e data | head -1

# Decode hex payload (xxd -r -p ignores whitespace and line breaks in its input)
$ echo "474554202f20485454502f312e310d0a" | xxd -r -p
GET / HTTP/1.1

Common Protocol Patterns

Protocol     Hex Pattern     ASCII
HTTP GET     47 45 54 20     GET
HTTP POST    50 4F 53 54     POST
FTP          55 53 45 52     USER
SMTP         48 45 4C 4F     HELO
SSH          53 53 48 2D     SSH-

These are the first bytes of the client's first message on the wire. TLS-wrapped traffic (HTTPS, SMTPS, FTPS) shows the TLS record header 16 03 0x instead, and the plaintext is not recoverable from the capture without the session keys.

Data Recovery Techniques

Recovering Deleted Files

# Scan a forensic image of the volume for file signatures (work on an image
# of /dev/sda1, never on the live device). Piping a whole partition through
# xxd is very slow, and grep on xxd's paired groups only matches signatures
# that land on an even offset; grep -b on the raw bytes gives the byte offset
$ grep -obUaP '\xff\xd8\xff' disk.img | cut -d: -f1 | head   # JPEG start (SOI)
$ grep -obUaP '\x89PNG' disk.img | cut -d: -f1 | head        # PNG signature

# Carve out file using dd: size = distance from the signature to the end marker
# (FF D9 for JPEG, the 12-byte IEND chunk for PNG). Carvers such as foremost
# and scalpel automate exactly this header/footer search
$ dd if=disk.img of=recovered.jpg bs=1 skip=[offset] count=[size]

# Verify recovered file
$ file recovered.jpg
$ xxd recovered.jpg | head
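The signature-scan-then-dd workflow above, and the embedded-ZIP extraction earlier, done as one script. This Python carver is an added example, not code from the page or from any carving tool: the disk image, the stand-in JPEG and the generated PNG are all constructed inline. The JPEG is carved up to the next EOI marker (the only end rule JPEG offers), the PNG by walking its chunks and checking every CRC, which is how a carver tells a recoverable file from one whose blocks have since been overwritten.

```python
import struct
import zlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_png(width, height):
    """Constructed, valid PNG (8-bit RGB, all black) with correct chunk CRCs,
    used here only to seed the fake disk image."""
    def chunk(tag, data):
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height   # filter byte + RGB pixels
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


# Constructed stand-ins: a "JPEG" that is just SOI + APP0 header + filler + EOI,
# and a disk image with slack space around both files.
FAKE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_EOI
IMAGE = b"\x00" * 100 + FAKE_JPEG + b"\xff" * 37 + build_png(2, 2) + b"\x00" * 50


def find_all(buf, needle):
    offs, pos = [], buf.find(needle)
    while pos != -1:
        offs.append(pos)
        pos = buf.find(needle, pos + 1)
    return offs


def carve_jpeg(buf, start):
    """JPEG carries no total length: carve from SOI to the next EOI marker.
    (A real file with an embedded EXIF thumbnail has an earlier EOI inside
    its APP1 segment; walking the marker segments would handle that case.)"""
    end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end == -1 else buf[start:end + 2]


def carve_png(buf, start):
    """PNG is self-describing: walk length/type/data/CRC chunks from the
    signature to IEND, verifying each CRC so an overwritten or truncated
    file is rejected instead of being carved as garbage."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, tag = struct.unpack_from(">I4s", buf, pos)
        end = pos + 12 + length
        if end > len(buf):
            return None
        if struct.unpack_from(">I", buf, end - 4)[0] != zlib.crc32(buf[pos + 4:end - 4]):
            return None
        if tag == b"IEND":
            return buf[start:end]
        pos = end
    return None


def carve(buf):
    """Every recoverable JPEG/PNG as (offset, extension, bytes), in image order."""
    found = []
    for off in find_all(buf, JPEG_SOI):
        data = carve_jpeg(buf, off)
        if data:
            found.append((off, "jpg", data))
    for off in find_all(buf, PNG_SIG):
        data = carve_png(buf, off)
        if data:
            found.append((off, "png", data))
    return sorted(found)


if __name__ == "__main__":
    for off, ext, data in carve(IMAGE):
        print("0x%08X  %s  %d bytes" % (off, ext, len(data)))
        # to write it out: open("recovered_%08x.%s" % (off, ext), "wb").write(data)
```

Run against a real image, the same functions take the image bytes (or a memory-mapped file) in place of IMAGE; the CRC check is what keeps a PNG whose later blocks were reused by another file out of the results.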

Repairing Corrupted Files

# Example: Fix ZIP file header
# Correct header: 50 4B 03 04
# Corrupted:      51 4B 03 04 (first byte wrong)

# Using hex editor or xxd
$ xxd corrupted.zip > hex.txt
# Edit line 1: change "514b" to "504b"
$ xxd -r hex.txt > fixed.zip

# Or patch the single byte in place with printf + dd
# (conv=notrunc keeps dd from truncating the file after the write)
$ printf '\x50' | dd of=corrupted.zip bs=1 seek=0 count=1 conv=notrunc

# A damaged local header is usually not the only damage: check the central
# directory (50 4B 01 02 entries, 50 4B 05 06 end record) with unzip -t

Forensic Analysis Tools

Popular Hex Editors

  • HxD (Windows): Free, fast, supports large files
  • 010 Editor: Professional tool with templates
  • Hex Fiend (macOS): Native macOS hex editor
  • Ghex (Linux): GNOME hex editor
  • Bless (Linux): GTK+ based hex editor
  • Our Hex Decoder: Web-based, instant analysis

Advanced Analysis Tools

  • Binwalk: Firmware analysis and extraction
  • Volatility: Memory forensics framework
  • Autopsy: Digital forensics platform
  • Wireshark: Network protocol analyzer
  • IDA Pro: Disassembler with hex view

Practical Examples

Example 1: Analyze Unknown File

$ xxd -l 64 unknown_file
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 f000 0000  ................

# Analysis:
# 4D 5A = "MZ" signature → DOS header, so a DOS or Windows PE executable
# @ offset 0x3C (decimal 60): F0 00 00 00 little-endian → e_lfanew = 0x000000F0,
#   the file offset of the PE header
# To confirm it is a PE and not a plain DOS program, the 4 bytes at 0xF0 must be
# 50 45 00 00 ("PE\0\0"); the COFF header (machine type, section count) follows
$ xxd -s 0xF0 -l 24 unknown_file
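The magic-number table and Example 1 combined into one identifier. This Python is an added example, not code from the page or from the file(1) utility: the signature list is the table from this page, ordered longest-first so a longer match wins over a shorter prefix, and for MZ files the script follows e_lfanew to the "PE\0\0" signature and the COFF header exactly as the walk-through above does by hand. The sample PE is constructed from the article's 64-byte DOS header plus a made-up COFF header (machine, section count and timestamp are assumed values).

```python
import struct

# Signature table from the article, most specific first. (offset, bytes, type)
SIGNATURES = [
    (0, bytes.fromhex("89504E470D0A1A0A"), "PNG"),
    (0, bytes.fromhex("377ABCAF271C"), "7z"),
    (0, b"GIF89a", "GIF89a"),
    (0, b"Rar!", "RAR"),
    (0, b"PK\x03\x04", "ZIP/JAR"),
    (0, b"\xff\xd8\xff", "JPEG"),
    (0, b"\x7fELF", "ELF"),
    (0, b"%PDF", "PDF"),
    (0, b"ID3", "MP3 (ID3 tag)"),
    (0, b"\xff\xfb", "MP3 (MPEG frame)"),
    (0, b"MZ", "EXE (PE or DOS)"),
]

PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}

# Constructed sample: the DOS header from Example 1 (e_lfanew = 0xF0), a
# zero-filled stub gap, then an assumed PE/COFF header for a 3-section
# x86-64 PE32+ executable.
DOS_HEADER = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"
    "B8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000F0000000"
)
SAMPLE_PE = (DOS_HEADER + b"\x00" * (0xF0 - len(DOS_HEADER))
             + b"PE\0\0"
             + struct.pack("<HHIIIHH", 0x8664, 3, 0x5F3E2A10, 0, 0, 240, 0x0022)
             + struct.pack("<H", 0x20B) + b"\x00" * 238)


def identify(data):
    """Name the file type from its leading bytes, or 'unknown'."""
    for off, magic, name in SIGNATURES:
        if data[off:off + len(magic)] == magic:
            return name
    return "unknown"


def parse_pe(data):
    """Follow the DOS header to the PE header the way a hex-dump reader does:
    e_lfanew at 0x3C (little-endian DWORD) -> "PE\0\0" -> COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at 0x%X: DOS-only executable or corrupted" % e_lfanew)
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Optional header begins right after the 20-byte COFF header; its magic
    # distinguishes PE32 (0x10B) from PE32+ (0x20B)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size else 0
    return {
        "e_lfanew": e_lfanew,
        "machine": PE_MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "dll": bool(chars & 0x2000),        # IMAGE_FILE_DLL
        "pe32plus": opt_magic == 0x20B,
    }


if __name__ == "__main__":
    print(identify(SAMPLE_PE))
    print(parse_pe(SAMPLE_PE))
```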

Example 2: Find Hidden Data

# Search for ASCII strings in binary
# grep on xxd output only sees the ASCII column one row at a time, so a string
# that crosses a 16-byte row boundary is missed; strings -t x prints every
# printable run with its hex offset (add -e l for UTF-16LE, common in Windows binaries)
$ strings -t x binary.dat | grep -i "password"
$ xxd binary.dat | grep -i "password"
00045a20: 7061 7373 776f 7264 3d61 646d 696e 3132  password=admin12

# Extract context around match (xxd -s/-l does the same as dd skip/count)
$ dd if=binary.dat bs=1 skip=$((0x45a20)) count=100 | xxd
$ xxd -s 0x45a20 -l 100 binary.dat

Example 3: Decode Network Packet

# HTTP POST with form data (xxd -r -p ignores any whitespace in its input)
$ echo "504f5354202f6c6f67696e20485454502f312e310d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a0d0a757365726e616d653d61646d696e2670617373776f72643d736563726574" | xxd -r -p

# Output:
# POST /login HTTP/1.1
# Content-Type: application/x-www-form-urlencoded
#
# username=admin&password=secret

# The 0d0a 0d0a (CR LF CR LF) is the end-of-headers marker; everything after
# it is the body, here credentials sent in the clear
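Decoding Example 3 end to end, with the protocol table applied first. This Python is an added example, not code from the page: it accepts hex in the forms tools emit (xxd -p lines, tshark's colon-separated bytes, the space-broken string above), classifies the payload by its leading bytes, then splits an HTTP/1.x request into request line, headers and body and decodes the urlencoded form. The prefix list extends the page's table with HTTP responses, EHLO and the TLS record header; those additions are mine, not the page's.

```python
import re
from urllib.parse import parse_qs

# Hex from Example 3 above (the page's constructed sample), unchanged.
PAYLOAD_HEX = (
    "504f5354202f6c6f67696e20485454502f312e310d0a"
    "436f6e74656e742d547970653a20"
    "6170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f646564"
    "0d0a0d0a"
    "757365726e616d653d61646d696e2670617373776f72643d736563726574"
)

# First bytes of a client's first message, from the protocol table above,
# extended (my additions, not from the page) with HTTP responses, EHLO and
# the TLS record header.
PROTOCOL_PREFIXES = [
    (b"GET ", "HTTP request"), (b"POST ", "HTTP request"), (b"HTTP/", "HTTP response"),
    (b"USER ", "FTP"), (b"HELO ", "SMTP"), (b"EHLO ", "SMTP"), (b"SSH-", "SSH"),
    (b"\x16\x03", "TLS record (encrypted; plaintext needs the session keys)"),
]


def decode_hex(text):
    """Accept hex as tools emit it: xxd -p lines, tshark's aa:bb:cc, or the
    space-broken string from the example."""
    return bytes.fromhex(re.sub(r"[\s:]", "", text))


def guess_protocol(payload):
    for prefix, name in PROTOCOL_PREFIXES:
        if payload.startswith(prefix):
            return name
    return "unknown"


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into request line, headers and body and
    decode a urlencoded form body. Text is decoded as latin-1 so no byte is
    lost or mis-decoded before you have looked at it."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker: truncated or not HTTP")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in
                parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "form": form}


if __name__ == "__main__":
    data = decode_hex(PAYLOAD_HEX)
    print(guess_protocol(data))
    req = parse_http_request(data)
    print(req["method"], req["target"], req["version"])
    print(req["headers"])
    print(req["form"])   # credentials that travelled in the clear
```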

Best Practices

  1. Always Work on Copies: Never modify original evidence
  2. Document Findings: Record offsets, patterns, and observations
  3. Use Checksums: Hash evidence before and after analysis and record the values (SHA-256; compute MD5 as well only where you must match legacy hash sets, since MD5 collisions are practical)
  4. Understand Endianness: Little vs big-endian byte order matters
  5. Look for Patterns: Repetition often indicates structure
  6. Cross-Reference: Use multiple tools to verify findings
  7. Test Hypotheses: Validate your interpretations with known data

💡 Forensic Tip

Use our hex decoder for quick validation of suspicious strings found in dumps. Combine with command-line tools for comprehensive analysis.
