
(Forensics: WinHex)

{ Very Basic Byte Level Checking }

Background Information
WinHex is at its core a universal hexadecimal editor, particularly
helpful in the realm of computer forensics, data recovery, low-level
data processing, and IT security. It is an advanced tool for everyday
and emergency use: inspect and edit all kinds of files, and recover
deleted files or lost data from hard drives with corrupt file systems
or from digital camera cards.

Reference Link:

http://www.x-ways.net/winhex/

Prerequisite
1. Log in to your Instructor VM as username administrator.
For those of you who do not have access to my class, the Instructor
VM is a Windows XP operating system.

2. On the Instructor VM, go to http://www.x-ways.net/winhex/
Scroll down and click on Download (See Below)

3. Click on Save (See Below).

4. Save to C:\tools\winhex
5. Click on Open Folder

6. Right Click on winhex.zip, and Extract All

7. Click on Next
8. Click on Next

9. Click On Finish

Section 1: Run winhex


1. On Your Instructor VM
Bring up Windows Explorer
Go To C:\tools\winhex
Double Click on winhex.exe
2. Click on Run

3. When winhex loads for the first time you will see a window similar to
the one below.
Select Computer Forensics Interface.
Click on OK

4. File Examination 1
The picture below is the first file you will examine with winhex.
Please follow the next steps.
5. Right Click on the Below Picture
Select "Save Picture As..." (See Below)

6. Save the picture in C:\tools\winhex\myfiles

7. Navigate your Windows Explorer to C:\tools\winhex\myfiles
Right click on unknown_file.jpg
Click on Rename

8. Rename unknown_file.jpg to unknown_file

Answer Yes when warned that the file may become unusable. Renaming
changes only the name Windows uses to pick a program; the bytes inside
the file are untouched, which is the whole point of this exercise.
Section 2: Using winhex to look at an unknown file type
1. On Your Instructor VM
Bring up Windows Explorer
Go To C:\tools\winhex
Double Click on winhex.exe

2. Click on Run

3. Click on File, then Click on Open


4. Navigate to C:\tools\winhex\myfiles
Click on file unknown_file.
Click on Open

5. Scroll over to the far left

Notice that the first line of the text column reads JFIF. The first
bytes of the file are FF D8 FF E0: FF D8 is the JPEG start-of-image
marker and FF E0 opens the APP0 segment, whose identifier string "JFIF"
starts at offset 6. This is indicative of a JPEG file even though the
extension was removed: the type is determined by the content, not by
the name. (Camera JPEGs often carry FF E1 and "Exif" there instead,
and a header is only a hint; anyone can prepend a valid JPEG header to
something else, so a signature is never the final word.)
Congratulations, you have completed your first byte-wise inspection
of a file.

Section 3: Using winhex to look at an encrypted file


1. Download Encrypted File Here.
Click Save
2. Save File to C:\tools\winhex\myfiles

3. On Your Instructor VM
Bring up Windows Explorer
Go To C:\tools\winhex
Double Click on winhex.exe

4. Click on Run
5. Click on File, then Click on Open

6. Navigate to C:\tools\winhex\myfiles
Click on file .pgpass.gpg.
Click on Open

7. Scroll over to the far right

Notice that there is no relevant information that tells you what this
file is about: the text column shows only the random-looking
characters that ciphertext produces. The file was first compressed
with gzip, then encrypted with gpg, so neither the gzip signature
(1F 8B) nor any plaintext is visible. The only recognisable structure
is the OpenPGP packet header in the first few bytes, which identifies
the container format but reveals nothing about the content.
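As an added example (not part of this lab and not WinHex code), the following Python script does in code what Sections 2 and 3 do by eye: it reads the leading bytes of a file against a small signature table, prints a WinHex-style hex view with a text column, and measures byte entropy to separate structured headers from ciphertext. Both inputs are constructed here: a bare JFIF header padded with zeros stands in for unknown_file, and seeded pseudo-random bytes stand in for .pgpass.gpg. The assumption that the gpg file was encrypted with a passphrase, and therefore opens with a symmetric-key packet tag byte (0x8C), is ours, not the lab's.

```python
"""Byte-level file identification: the WinHex steps above, in code."""
import math
import random
from collections import Counter

# Signature table built from well-known file headers (constructed for this
# example; WinHex ships a much larger one).
SIGNATURES = [
    (0, b"\xff\xd8\xff", "JPEG image (SOI marker FF D8; 'JFIF' or 'Exif' at offset 6)"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"GIF8", "GIF image"),
    (0, b"%PDF", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR/APK)"),
    (0, b"\x1f\x8b", "gzip compressed data"),
    (0, b"MZ", "Windows PE executable"),
    (0, b"-----BEGIN PGP", "ASCII-armored OpenPGP message or key"),
]


def identify(data: bytes) -> str:
    """Describe a file from its leading bytes, or return 'unknown'."""
    for offset, magic, desc in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return desc
    # Binary OpenPGP: every packet starts with a tag byte whose bit 7 is set
    # (RFC 4880 section 4.2). Tag 1 (public-key-encrypted session key) or
    # tag 3 (symmetric-key-encrypted session key) opens an encrypted message.
    if data and data[0] & 0x80:
        tag = data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F
        if tag in (1, 3):
            return "possible binary OpenPGP encrypted message (packet tag %d)" % tag
    return "unknown"


def hexdump(data: bytes, width: int = 16, max_lines: int = 4) -> str:
    """WinHex-style view: offset, hex bytes, then a printable-text column."""
    lines = []
    for off in range(0, min(len(data), width * max_lines), width):
        chunk = data[off:off + width]
        hex_part = " ".join("%02X" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("%08X  %s  %s" % (off, hex_part, text))
    return "\n".join(lines)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (max 8.0). Ciphertext and compressed
    data both sit near 8; headers and plaintext sit much lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed sample 1: a JFIF header (SOI, APP0 length 16, 'JFIF\0',
# version 1.1, no thumbnail) padded with zeros. Not a real picture.
JPEG_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 200)

# Constructed sample 2: a stand-in for .pgpass.gpg. Assumption: passphrase
# encryption, so the file opens with an old-format SKESK tag byte (0x8C);
# the rest is seeded pseudo-random data standing in for ciphertext.
_rng = random.Random(2024)
CIPHERTEXT_SAMPLE = b"\x8c" + bytes(_rng.getrandbits(8) for _ in range(4095))


def examine(data: bytes) -> dict:
    """What an analyst notes from the first screen of a hex editor."""
    return {
        "type": identify(data),
        "entropy": round(entropy(data), 2),
        "first_line": hexdump(data, max_lines=1),
    }


if __name__ == "__main__":
    for name, sample in (("unknown_file", JPEG_SAMPLE),
                         (".pgpass.gpg", CIPHERTEXT_SAMPLE)):
        result = examine(sample)
        print("%s -> %s, entropy %.2f bits/byte" % (name, result["type"], result["entropy"]))
        print(hexdump(sample))
```

Entropy alone does not separate "compressed" from "encrypted": the body of a real JPEG or a gzip stream is also close to 8 bits per byte. What separates them is the header, which is why the gzip signature is in the table and why, for the gpg file, only the packet tag and not the content can be recognised.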
Proof of Lab
1. Take a screenshot of Section 2, Step 5.
2. Paste it into a Word document.
3. Submit it to Moodle.
