Hex Dump Analysis & Data Forensics
📚 13 min read
🎯 Advanced Level
📅 Updated: 2024
What is a Hex Dump?
A hex dump is a hexadecimal representation of binary data, displaying both the raw hex values and their ASCII interpretations. Understanding hex dumps is essential for debugging, forensics, and reverse engineering.
Typical Hex Dump Format
```
Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ASCII
00000000   50 4B 03 04 14 00 00 00 08 00 00 00 21 00 8A 7B  PK..........!..{
00000010   4C 9F 7A 00 00 00 B4 00 00 00 08 00 00 00 74 65  L.z...........te
00000020   73 74 2E 74 78 74 0B C9 48 CD 49 C9 57 08 CF 2F  st.txt..H.I.W../
```
Reading Hex Dumps
- Offset: Position in file (00000000 = start)
- Hex Values: Each byte in hexadecimal (00-FF)
- ASCII Column: Printable characters (. for non-printable)
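The three columns described above, produced by a small formatter. This is an added example, not code from the page; the sample bytes are constructed from the dump shown above (a ZIP local file header for "test.txt").

```python
# Added example (not from the page): a minimal hex dump formatter that
# produces the layout shown above, run on constructed bytes that reproduce
# the page's sample dump (a ZIP local file header for "test.txt").
BYTES_PER_LINE = 16

def hexdump_lines(data, width=BYTES_PER_LINE):
    """Return one formatted line per chunk: offset, hex bytes, ASCII column."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        # Printable ASCII (0x20..0x7E) is shown as-is, everything else as '.'
        ascii_part = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        # Pad the hex column so a short final line keeps the ASCII column aligned
        lines.append(f"{offset:08X}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines

def hexdump(data):
    """Whole dump as one string, one line per 16 bytes."""
    return "\n".join(hexdump_lines(data))

# Constructed sample: the 48 bytes from the dump above.
SAMPLE = bytes.fromhex(
    "504B0304140000000800000021008A7B"
    "4C9F7A000000B4000000080000007465"
    "73742E7478740BC948CD49C95708CF2F"
)

if __name__ == "__main__":
    print(hexdump(SAMPLE))
```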
Common Hex Dump Commands
Linux/Unix
```
# hexdump - Standard hex dump utility
hexdump -C file.bin

# xxd - Reversible hex dump
xxd file.bin
xxd -r hex.txt output.bin   # Reverse hex dump

# od - Octal dump (with hex option)
od -A x -t x1z file.bin

# hd - Hex dump (shorthand for hexdump -C)
hd file.bin
```
Windows
```
# PowerShell hex dump
Format-Hex file.bin

# CertUtil (built-in)
certutil -encodehex file.bin output.txt

# Custom PowerShell function
function Get-HexDump {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    for ($i = 0; $i -lt $bytes.Length; $i += 16) {
        # Range slicing past the end of the array returns only the existing bytes
        $hex = ($bytes[$i..($i+15)] | ForEach-Object { "{0:X2}" -f $_ }) -join " "
        $ascii = -join ($bytes[$i..($i+15)] | ForEach-Object {
            if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' }
        })
        "{0:X8} {1,-48} {2}" -f $i, $hex, $ascii
    }
}
```
Analyzing File Structures
Identifying File Types
File signatures (magic numbers) appear in the first bytes:
| File Type | Hex Signature | Offset |
|---|---|---|
| ZIP/JAR | 50 4B 03 04 | 0 |
| PNG | 89 50 4E 47 0D 0A 1A 0A | 0 |
| JPEG | FF D8 FF E0 | 0 |
| GIF89a | 47 49 46 38 39 61 | 0 |
| PDF | 25 50 44 46 | 0 |
| EXE (PE) | 4D 5A | 0 |
| ELF | 7F 45 4C 46 | 0 |
| RAR | 52 61 72 21 | 0 |
| 7z | 37 7A BC AF 27 1C | 0 |
| MP3 | FF FB or 49 44 33 (ID3) | 0 |
```
# Identify file type using hex dump
$ xxd -l 16 mystery_file
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
# Analysis: 89 50 4E 47 = PNG signature
# This is a PNG image file!
```
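The same check automated over the signature table above. This is an added example, not code from the page; the sample input is constructed from the 16 bytes in the xxd output.

```python
# Added example (not from the page): identify a file type from its leading
# bytes using the magic-number table above. The sample input is constructed
# from the 16 bytes in the xxd output.
SIGNATURES = [
    # (type, signature bytes, offset at which the signature must appear)
    ("ZIP/JAR",  bytes.fromhex("504B0304"), 0),
    ("PNG",      bytes.fromhex("89504E470D0A1A0A"), 0),
    ("JPEG",     bytes.fromhex("FFD8FFE0"), 0),
    ("GIF89a",   b"GIF89a", 0),
    ("PDF",      b"%PDF", 0),
    ("EXE (PE)", b"MZ", 0),
    ("ELF",      b"\x7fELF", 0),
    ("RAR",      b"Rar!", 0),
    ("7z",       bytes.fromhex("377ABCAF271C"), 0),
    ("MP3",      bytes.fromhex("FFFB"), 0),   # MPEG audio frame sync
    ("MP3",      b"ID3", 0),                  # ID3v2 tag before the audio
]

def identify(data):
    """Return the table entry whose signature matches, or 'unknown'."""
    # Check longer signatures first so a longer magic wins over a shorter prefix
    for name, magic, offset in sorted(SIGNATURES, key=lambda s: -len(s[1])):
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"

def identify_file(path, probe=16):
    """Read only the first `probe` bytes (like `xxd -l 16`) and classify them."""
    with open(path, "rb") as fh:
        return identify(fh.read(probe))

# Constructed sample: the 16 bytes from the xxd output above
MYSTERY = bytes.fromhex("89504e470d0a1a0a0000000d49484452")

if __name__ == "__main__":
    print(identify(MYSTERY))
```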
Memory Dump Analysis
Reading Memory Dumps
```
# Create memory dump (Linux)
gdb -p [PID]
(gdb) generate-core-file
(gdb) dump memory dump.bin 0x400000 0x401000

# Analyze with xxd
xxd dump.bin | less

# Search for a string in the hex dump ("Hello" = 48 65 6c 6c 6f)
# -g 0 drops xxd's spaces between byte pairs so the pattern can match;
# a match that straddles a 16-byte line boundary will still be missed
xxd -g 0 dump.bin | grep "48656c6c6f"
```
Common Patterns in Memory
| Pattern | Hex | Meaning |
|---|---|---|
| Zero page | 00 00 00 00 00 00... | Uninitialized memory |
| Free memory | CC CC CC CC CC CC... | Debug fill pattern |
| Stack cookie | Varies by system | Buffer overflow protection |
| Pointers | Little-endian addresses | Memory addresses |
Debugging with Hex Dumps
Finding Corrupted Data
```
# Compare two files in hex
$ xxd file1.bin > file1.hex
$ xxd file2.bin > file2.hex
$ diff file1.hex file2.hex

# Or use cmp for binary comparison
$ cmp -l file1.bin file2.bin | head
# Shows: offset, byte1, byte2 for differences
```
Extracting Embedded Data
```
# Find and extract ZIP file embedded in binary
$ xxd binary.dat | grep "504b 0304"
00012340: 504b 0304 1400 0000 0800 0000 2100 8a7b  PK..........!..{

# Extract from offset 0x12340
$ dd if=binary.dat of=extracted.zip bs=1 skip=$((0x12340))

# Verify extraction
$ file extracted.zip
extracted.zip: Zip archive data
```
Network Traffic Analysis
Analyzing Packet Captures
```
# Export packet data from Wireshark as hex
# Or use tshark
$ tshark -r capture.pcap -T fields -e data | head -1

# Decode hex payload
$ echo "474554202f20485454502f312e310d0a" | xxd -r -p
GET / HTTP/1.1

# Our hex decoder can help analyze:
# Use: https://hexdecoder.com
```
Common Protocol Patterns
| Protocol | Hex Pattern | ASCII |
|---|---|---|
| HTTP GET | 47 45 54 20 | GET |
| HTTP POST | 50 4F 53 54 | POST |
| FTP | 55 53 45 52 | USER |
| SMTP | 48 45 4C 4F | HELO |
| SSH | 53 53 48 2D | SSH- |
Data Recovery Techniques
Recovering Deleted Files
```
# Scan disk for file signatures
$ xxd /dev/sda1 | grep -A 100 "ffd8 ff"    # JPEG
$ xxd /dev/sda1 | grep -A 100 "8950 4e47"  # PNG

# Carve out file using dd
$ dd if=/dev/sda1 of=recovered.jpg bs=1 skip=[offset] count=[size]

# Verify recovered file
$ file recovered.jpg
$ xxd recovered.jpg | head
```
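Signature scanning and carving done over raw bytes rather than grep over xxd output, serving both the embedded-ZIP search earlier and the deleted-file scan above. This is an added example, not code from the page; the "disk image" is constructed inline and the fake JPEG/PNG payloads are structurally minimal.

```python
# Added example (not from the page): signature-based carving over an
# in-memory image. It finds every magic number at any byte alignment (grep
# over xxd output only matches on xxd's 2-byte grouping and never across a
# line break) and cuts JPEGs at the EOI marker FF D9 and PNGs after IEND.
JPEG_SOI = bytes.fromhex("FFD8FF")
JPEG_EOI = bytes.fromhex("FFD9")
PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")
ZIP_LOCAL = bytes.fromhex("504B0304")

def find_all(data, magic):
    """Return every offset at which `magic` occurs, including overlapping hits."""
    hits, pos = [], data.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = data.find(magic, pos + 1)
    return hits

def carve_jpeg(data, start):
    """JPEG from `start` up to and including the first FF D9 after the SOI."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end == -1 else data[start:end + 2]

def carve_png(data, start):
    """PNG from `start` up to and including the IEND chunk type plus its CRC."""
    end = data.find(b"IEND", start)
    return None if end == -1 else data[start:end + 8]

def carve_all(data):
    """Return (type, offset, bytes) for each delimitable image, sorted by offset."""
    found = []
    for off in find_all(data, JPEG_SOI):
        blob = carve_jpeg(data, off)
        if blob:
            found.append(("JPEG", off, blob))
    for off in find_all(data, PNG_MAGIC):
        blob = carve_png(data, off)
        if blob:
            found.append(("PNG", off, blob))
    return sorted(found, key=lambda f: f[1])

# Constructed "disk image": filler bytes around a tiny fake JPEG, the ZIP local
# header from the page, and a tiny fake PNG, all at odd (unaligned) offsets.
FAKE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(5) + JPEG_EOI
ZIP_HDR = bytes.fromhex("504B0304140000000800000021008A7B")
FAKE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + bytes(17) + b"\x00\x00\x00\x00IEND\xaeB`\x82"
IMAGE = bytes(7) + FAKE_JPEG + b"\xcc" * 20 + ZIP_HDR + bytes(4) + FAKE_PNG + bytes(11)
```

A ZIP local header alone does not give the archive length (that needs the central directory), so the example only locates it with find_all and carves the two image types.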
Repairing Corrupted Files
```
# Example: Fix ZIP file header
# Correct header:  50 4B 03 04
# Corrupted:       51 4B 03 04 (first byte wrong)

# Using hex editor or xxd
$ xxd corrupted.zip > hex.txt
# Edit line 1: Change 51 to 50
$ xxd -r hex.txt > fixed.zip

# Or use printf + dd (single backslash so printf emits the byte 0x50)
$ printf '\x50' | dd of=corrupted.zip bs=1 seek=0 count=1 conv=notrunc
```
Forensic Analysis Tools
Popular Hex Editors
- HxD (Windows): Free, fast, supports large files
- 010 Editor: Professional tool with templates
- Hex Fiend (macOS): Native macOS hex editor
- Ghex (Linux): GNOME hex editor
- Bless (Linux): GTK+ based hex editor
- Our Hex Decoder: Web-based, instant analysis
Advanced Analysis Tools
- Binwalk: Firmware analysis and extraction
- Volatility: Memory forensics framework
- Autopsy: Digital forensics platform
- Wireshark: Network protocol analyzer
- IDA Pro: Disassembler with hex view
Practical Examples
Example 1: Analyze Unknown File
```
$ xxd -l 64 unknown_file
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 f000 0000  ................

# Analysis:
# 4D 5A = "MZ" signature → Windows PE executable
# @ offset 0x3C (decimal 60): F0 00 00 00 → PE header offset
```
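Following the e_lfanew pointer from the dump above in code, which also shows why byte order matters when reading it. This is an added example, not code from the page; the 64-byte DOS header is constructed from the xxd output, and since the page shows nothing past offset 0x40 the PE signature check is reported as undetermined for that input.

```python
# Added example (not from the page): parse the DOS header from Example 1 and
# follow e_lfanew (the little-endian DWORD at 0x3C) to where the PE signature
# "PE\0\0" should sit. Bytes beyond 0x40 are not on the page, so for the
# page's dump the signature check is reported as None (undetermined).
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

def pe_header_offset(data):
    """Return e_lfanew from a DOS header, or None if the data is not an MZ file."""
    if len(data) < 0x40 or data[:2] != MZ:
        return None
    # '<I' = little-endian unsigned 32-bit: bytes F0 00 00 00 -> 0x000000F0.
    # Reading the same bytes big-endian ('>I') would give 0xF0000000, far
    # outside any real file, which is the endianness mistake to watch for.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew

def describe(data):
    """Summarise what the dump tells us about the executable."""
    off = pe_header_offset(data)
    if off is None:
        return {"type": "not an MZ executable"}
    info = {"type": "MZ executable", "e_lfanew": off}
    if len(data) >= off + 4:
        info["pe_signature_ok"] = data[off:off + 4] == PE_SIG
    else:
        info["pe_signature_ok"] = None  # dump too short to reach the PE header
    return info

# Constructed from the 64 bytes in the xxd output above
DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000f0000000"
)

if __name__ == "__main__":
    print(describe(DOS_HEADER))
```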
Example 2: Find Hidden Data
```
# Search for ASCII strings in binary
$ xxd binary.dat | grep -i "password"
00045a20: 7061 7373 776f 7264 3d61 646d 696e 3132  password=admin12

# Extract context around match
$ dd if=binary.dat bs=1 skip=$((0x45a20)) count=100 | xxd
```
Example 3: Decode Network Packet
```
# HTTP POST with form data
$ echo "504f5354202f6c6f67696e20485454502f312e310d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a0d0a757365726e616d653d61646d696e2670617373776f72643d736563726574" | xxd -r -p

# Output:
# POST /login HTTP/1.1
# Content-Type: application/x-www-form-urlencoded
#
# username=admin&password=secret

# Use our hex decoder for instant analysis!
```
Best Practices
- Always Work on Copies: Never modify original evidence
- Document Findings: Record offsets, patterns, and observations
- Use Checksums: Verify data integrity (MD5, SHA-256)
- Understand Endianness: Little vs big-endian byte order matters
- Look for Patterns: Repetition often indicates structure
- Cross-Reference: Use multiple tools to verify findings
- Test Hypotheses: Validate your interpretations with known data
💡 Forensic Tip
Use our hex decoder for quick validation of suspicious strings found in dumps. Combine with command-line tools for comprehensive analysis.
Further Learning
- Beginner's Guide - Understand hex fundamentals
- Security Guide - Malware analysis techniques
- Programming Guide - Automate hex analysis
- Reference Table - Common hex patterns