ComputerSecurityStudent (CSS)


(Forensics: WinHex)

{ Very Basic Byte Level Checking }

Background Information
  • Background
    • WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. It is an advanced tool for everyday and emergency use: inspect and edit all kinds of files, and recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.


  • Reference Link: 


  1. Login to your Instructor VM, as username administrator
    • For those of you that do not have access to my class, Instructor VM is a Windows XP Operating System.


  2. On the Instructor VM, go to
    • Scroll down and click on Download (See Below)


  3. Click on Save (See Below).


  4. Save to C:\tools\winhex


  5. Click on Open Folder


  6. Right Click on, and Extract All


  7. Click on Next


  8. Click on Next


  9. Click On Finish


Section 1: Run winhex
  1. On Your Instructor VM


  2. Click on Run


  3. Once winhex loads for the first time, you will see a window similar to the one below.
    • Select Computer Forensics Interface.
    • Click on OK


  4. File Examination 1
    • The picture below is the first file you will examine with winhex.
    • Please follow the next steps.


  5. Right Click on the Below Picture
    • Select "Save Picture As..." (See Below)


  6. Save the picture in
    • C:\tools\winhex\myfiles


  7. Navigate your Windows Explorer to C:\tools\winhex\myfiles
    • Right click on unknown_file.jpg
    • Click on Rename


  8. Rename unknown_file.jpg to unknown_file
    • Answer Yes, when warned about the file becoming unusable.


Section 2: Using winhex to look at an unknown file type
  1. On Your Instructor VM


  2. Click on Run


  3. Click on File, then Click on Open


  4. Navigate to C:\tools\winhex\myfiles
    • Click on file unknown_file.
    • Click on Open


  5. Look at the first line of the dump.
    • The hex column begins FF D8 FF E0, and a few bytes in, the text column on the right reads JFIF.  FF D8 is the JPEG start-of-image marker and JFIF is the identifier of the APP0 segment that follows it, so this is a JPEG even though the file no longer has an extension.
    • This is the point of the exercise: an extension is just part of the name and can be changed or removed (as you did in Section 1), while the leading bytes come from the program that wrote the file.  Bear in mind that an attacker can forge those bytes too, so treat a signature match as evidence, not proof.
    • Congratulations, you have completed your first byte-wise inspection of a file.


Section 3: Using winhex to look at an encrypted file
  1. Download Encrypted File Here.
    • Click Save


  2. Save File to C:\tools\winhex\myfiles


  3. On Your Instructor VM


  4. Click on Run


  5. Click on File, then Click on Open


  6. Navigate to C:\tools\winhex\myfiles
    • Click on file .pgpass.gpg.
    • Click on Open


  7. Scroll over to the far right and read the text column.
    • Notice that there is no relevant information that tells you what this file is about: neither the hex column nor the text column contains a readable header or any recognizable content.
    • It was first compressed with gzip, then encrypted with gpg.  Because the encryption was applied last, the gzip signature (1F 8B) that would normally start the file is hidden inside the ciphertext.
    • The file is still not completely anonymous.  Binary OpenPGP output begins with a packet-tag byte that tools such as file(1) recognize as PGP/GPG encrypted data, and bytes that look uniformly random (no runs, no repeats, no text) are themselves a hint that you are looking at encrypted or compressed data rather than a document.
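As an added example (not code from this page or from WinHex), the following Python script does by program what Sections 2 and 3 do by eye: it checks the leading bytes of a buffer against a small table of signatures, decodes the first OpenPGP packet tag as a hint for binary .gpg files, measures byte entropy to flag data that is probably compressed or encrypted, and prints a WinHex-style hex/text dump. The sample inputs are constructed inside the script: a JFIF header padded with zeros, a gzip stream produced with the standard library, and pseudo-random bytes behind a constructed OpenPGP packet tag standing in for the encrypted .pgpass.gpg. The signature table, the OpenPGP heuristic and the 7.5 bits/byte threshold are my choices for this illustration, not values taken from the page.

```python
"""Byte-level file identification, in the spirit of the WinHex exercise.

Added example for this tutorial; it is not code from the page or from WinHex.
"""
import gzip
import hashlib
import math
import string

# (offset, magic bytes, description). Offsets matter: "JFIF" sits 6 bytes in,
# after the FF D8 start-of-image marker and the FF E0 + length of the APP0 segment.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "JPEG image"),
    (6, b"JFIF", "JPEG image (JFIF variant)"),
    (6, b"Exif", "JPEG image (Exif variant)"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"GIF8", "GIF image"),
    (0, b"%PDF", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive (also DOCX/JAR/APK)"),
    (0, b"\x1f\x8b", "gzip compressed data"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "DOS/Windows PE executable"),
    (0, b"-----BEGIN PGP", "ASCII-armored OpenPGP data"),
]

# OpenPGP packet tags (RFC 4880, section 4.3) that commonly open a binary .gpg file.
OPENPGP_TAGS = {
    1: "public-key encrypted session key",
    3: "symmetric-key encrypted session key",
    8: "compressed data",
    9: "symmetrically encrypted data",
    18: "symmetrically encrypted integrity-protected data",
}


def identify(data: bytes) -> list:
    """Return the description of every signature that matches the start of data."""
    hits = [desc for off, magic, desc in SIGNATURES
            if data[off:off + len(magic)] == magic]
    # Binary OpenPGP has no fixed magic; the first byte is a packet tag with bit 7 set.
    # Only a heuristic: plenty of unrelated binaries also start with a byte >= 0x80.
    if not hits and data and data[0] & 0x80:
        first = data[0]
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # new vs old format
        if tag in OPENPGP_TAGS:
            hits.append("possible binary OpenPGP packet: " + OPENPGP_TAGS[tag])
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> list:
    """WinHex-style lines: offset, hex column, text column (non-printable shown as '.')."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart}  {text}")
    return lines


def examine(data: bytes, high_entropy: float = 7.5) -> dict:
    """Combine signature matching with an entropy check on a whole buffer."""
    hits = identify(data)
    ent = shannon_entropy(data)
    return {
        "verdict": "; ".join(hits) if hits else "unknown file type",
        "entropy": round(ent, 3),
        # Threshold is a rule of thumb chosen for this example, applied only to
        # buffers large enough for the estimate to mean something.
        "looks_encrypted_or_compressed": len(data) >= 256 and ent > high_entropy,
    }


# Constructed sample inputs (not the files from the page).
# A JFIF header, as the unknown_file in Section 2 begins, padded with zeros.
SAMPLE_JPEG = bytes.fromhex(
    "FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48 00 48 00 00") + b"\x00" * 44
# A .pgpass-style line compressed with gzip: the 1F 8B magic is visible at offset 0.
SAMPLE_GZIP = gzip.compress(b"localhost:5432:appdb:appuser:hunter2\n")
# Stand-in for .pgpass.gpg: 8C is the old-format tag-3 byte that gpg -c typically
# writes first, followed by deterministic pseudo-random bytes instead of real ciphertext.
SAMPLE_GPG = bytes.fromhex("8C 0D 04 09 03") + b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in [("unknown_file", SAMPLE_JPEG), (".pgpass.gz", SAMPLE_GZIP),
                       (".pgpass.gpg", SAMPLE_GPG)]:
        r = examine(blob)
        print(f"== {name}: {r['verdict']} | entropy {r['entropy']} bits/byte"
              f" | encrypted/compressed? {r['looks_encrypted_or_compressed']}")
        print("\n".join(hexdump(blob[:32])))
```

Run it as a script to see the three dumps side by side: the JFIF sample is identified from its bytes with low entropy, the gzip sample is identified by 1F 8B, and the encrypted stand-in yields only the OpenPGP tag hint plus near-maximal entropy, which is exactly the "nothing readable" result Section 3 asks you to notice. To check a real file, read its bytes and pass them to examine(); the offsets in SIGNATURES assume the buffer starts at offset 0 of the file.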


Proof of Lab
  1. Do a screen print of Section 2, Step 5. 
  2. Paste to a word document
  3. Submit to Moodle.

