WinHex: A powerful data recovery and forensics tool

When you lose data on a hard drive, a sector editor allows you to view data almost everywhere on the drive. Here's how you can use WinHex to recover data anywhere on a hard drive.

Felix The Cat had a magic bag of tricks that used to get him out of sticky situations. All good support techs have their own magic bag of tricks, but it usually contains various software utilities that help them solve tricky technical problems. One of the handiest utilities a support tech can have is a sector editor. With the right sector editor, a support tech can recover data or even read areas of a disk that contain deleted or damaged data. WinHex is a handy sector editor that will fit nicely in your bag of tricks.

What is WinHex and what’s it going to cost?
WinHex, made by X-Ways Software Technology AG of Germany, is a powerful application that you can use as an advanced hex editor, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering. Customers using WinHex include the Oak Ridge National Laboratory, Hewlett Packard, National Semiconductor, several law enforcement agencies, and many other companies with data recovery and protection needs.

WinHex, which is compatible with Windows 95 through Windows XP, offers the ability to:
  • Read and directly edit hard drives (FAT and NTFS), floppy disks, CD-ROMs, DVDs, Compact Flash cards, and other media.
  • Read and directly edit RAM.
  • Interpret 20 data types.
  • Edit partition tables, boot sectors, and other data structures using templates.
  • Join and split files.
  • Analyze and compare files.
  • Search and replace.
  • Clone and image drives.
  • Recover data.
  • Encrypt files (128-bit strength).
  • Create hashes and checksums.
  • Wipe drives.

Forensics features (which require a Specialist license) include the ability to:
  • Gather free and slack space.
  • Search for text based on keywords.
  • Create tab-delimited tables of drive contents. These tables can be imported into a spreadsheet such as Microsoft Excel and sorted.

Licenses cost $44 (Private, $25 per additional license), $84 (Professional, $48 per additional license), and $126 (Specialist, $67 per additional license), making this application a bargain for the features it offers.

Download and installation
If you want to try out WinHex, download an evaluation version of Winhex.zip. This version works for the most part, but the Professional and Specialist features are disabled. After you’ve downloaded Winhex.zip, unzip the contents into a temporary directory on your administration workstation.

Launch the setup program and choose a destination folder and language for installation. WinHex comes in English, German, French, Spanish, Italian, and Portuguese versions. (The latest release is version 10.75.) WinHex’s Setup program works like every other Windows installation wizard you’ve ever used. Just follow the onscreen prompts and you won’t go wrong.

WinHex does not store configuration information in the registry or configuration files in the Windows OS folders, making it portable and helping you keep your registry size down.

In order for Windows 9x and Me users to directly access CD-ROM sectors, the Windows file wnaspi32.dll must be present. The file is usually installed with Windows. If it isn't, you can find it on the Windows Setup CD.

To edit hard disk sectors under Windows NT, 2000, or XP, you'll need Administrator privileges.

Using WinHex
At its most basic level, WinHex is a hex editor. That is, like most hex editors it displays three columns: an address, a 16-byte hex display, and a 16-character text display.

The data viewer can be extensively configured. For example, by clicking the up, down, right, and left arrows on the toolbar, you can add lines, remove lines, add columns, and remove columns from the data display. You can view hex only, text only, or both by clicking check boxes in the View menu. General options let you set the colors and font, and clicking the Offset column toggles between decimal and hex address values.

WinHex sessions begin with a Start Center, shown in Figure A, where you can open files, disks, RAM, and previously edited files that you can select from a list. WinHex remembers the last editing position of previous files and the state of the last session, and it allows you to open the entire previous session by clicking Continue Last Session from the Start Center's Projects window. You can also open projects and launch scripts (a script editor is enabled in the Professional and Specialist versions).

Figure A
Begin your WinHex session at the Start Center.


Like other hex editors, WinHex can open files as editable or as read-only. Edited data is stored in a temporary file until saved, at which time your changes are committed. There is also an in-place Edit mode in which all changes are made directly in real time (the default when editing RAM). You can choose the Edit mode from the Open File dialog. When you open an entire disk or partition, the default mode is Edit.

Caution: Using a disk editor can be fatal
Changing values other than text strings can ruin an executable (program) file. Directly editing a drive or RAM can damage an operating system or the drive's integrity. When editing an executable file, DLL, or other program file, always work on a copy. Save the original in case the program file needs to be restored. Never change the length of an executable file or its instructions and data unless you're absolutely certain of the result. Doing so will cause the code to miss instructions and probably corrupt the file to the point that it will no longer work. Fortunately, WinHex contains 25 undo levels, so in most cases, it's possible to reverse your modifications.

Figure B shows the WinHex status bar, appearing to the right of the hex display. In addition to familiar status info such as the filename, creation date, and time, the status bar also shows the file's State (Original/Modified) and undo levels.

Figure B
The status bar displays vital statistics about the data being edited.


The Data Interpreter, at the bottom of the status bar, translates hex values at the insertion point into decimal equivalents, based on the data types you choose. The default types are 8-, 16-, and 32-bit signed. Double-click the Data Interpreter to open a menu of additional options, which include displaying Assembly Language codes, date formats, and different integer types, as shown in Figure C.

Figure C
By default, the Data Interpreter shows 8-, 16-, and 32-bit values for the selected hex code "EB." Options added here are floating value and Assembly Language op code.


Editing disks and other media
When using WinHex as a disk editor, you can access the media through the operating system (logically) or through the BIOS (physically). Accessing logically allows you to browse the disk by clusters. You can view the file system and access partition boot sectors and file allocation tables. With the Professional license, you can also view free space and slack space.

When physically accessing a disk, it is often possible to edit a disk that the operating system can't access, for whatever reason. It is also possible to view, edit, and back up the Master Boot Record (MBR) partition tables and partition boot sectors.

Open the Disk Editor by selecting Disk Editor from the Tools menu. The Edit Disk window, shown in Figure D, appears and lets you choose which disk, logical or physical, you wish to edit. The disk is now open in Edit mode. Changes are not made in place, but only when you choose Save.

Figure D
Use the Disk Editor to logically or physically access a drive.


In order to repair a disk using WinHex, it's essential to know the difference between viewing disk data displayed logically and viewing disk data displayed physically.

When you open Drive C: through logical access, what appears as the 00 address of the disk is really the first byte of that partition's boot sector, and not the first byte of the disk. Referring again to Figure D, you can see that logical access on my disk offers two choices: C:\ and D:\ (this machine's hard drive is partitioned into C:, formatted FAT32, and D:, formatted NTFS), while physical access offers only one choice: Hard Disk One.

Selecting Hard Disk One reads in the entire drive. Here, offset 00 really means the actual physical start of the hard drive, head 0, cylinder 0, sector 1, where the bootstrap code and partition tables for the disk are stored. In physical view, Drive C: actually begins at offset 7E00h. For comparison, Figure E shows the first 16 bytes of C:\ accessed logically (1), the first 16 bytes of the hard drive accessed physically (2), and the first 16 bytes of partition C: accessed physically (3).

Figure E
These three data displays demonstrate the difference in addressing and in accessing data when logically and physically accessing a drive.


What does this discussion of logical vs. physical access mean? To back up and restore your MBR with its bootstrap code and the drive's partition tables, access the disk physically (preferably from another disk that has WinHex installed). If you only want to back up and restore your partition's boot sector, it's a bit easier to access the disk logically.

More disk access options
When you open a drive, an Access button appears on the right of the display. Clicking Access opens a series of options, depending on the type of media opened.

For example, as C:\ is a FAT32 partition on my system, clicking Access allows me to jump to the boot sector, FAT 1, FAT 2, a directory browser, root directory, free clusters, surplus sectors, and others, as shown in Figure F. On an NTFS partition, I would be able to access the master file table records.

Figure F
These options are available when you're logically accessing a drive.


Had I opened C:\ physically, selecting Access would have offered me the choices of accessing either disk partition, viewing the partition table and boot sector, cloning a partition, and creating a backup, as shown in Figure G.


Figure G
Options for working with drives differ for physical access. Use the tool you need.


In Figure F, note the two Access choices: Boot Sector Template and Root Directory Template. Templates are convenient ways to view and edit these disk areas. Figure H shows the result of choosing Boot Sector Template. You can also directly modify information in the hex display.

Figure H
Templates make it easier to work with raw data.


Other templates are available for viewing your drive. Choose View | Template Manager to see a listing. In addition, WinHex users have made available other templates. For example, there are templates for reading Zip disk and Palm database file formats.

Backing up and restoring MBRs, partition tables, and boot sectors
In order for a machine to boot, the hard drive needs to contain a valid MBR, a partition table naming at least one active partition, and a valid boot sector on that partition (which will also contain the operating system's boot loader). For any drive partition to be visible to the operating system, it must be listed in the MBR's partition table and have a valid boot sector.

The MBR consists of the first 512 bytes of information (512 bytes per sector) of the hard disk, in sector 1. The first 446 bytes of information contain the actual bootstrap code. The next 64 bytes are the partition table—four 16-byte records—and the last two bytes contain a signature that identifies the end of all boot sectors: 55h AAh.
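To make the 446/64/2 layout concrete, here is a small MBR parser added for this article (it is not WinHex code and not from X-Ways). It decodes the four 16-byte partition records, checks the 55h AAh signature, and works out where each partition's boot sector sits on the physical disk; the sample sector it builds is constructed, with C: starting at LBA 63 so that its boot sector lands at offset 7E00h, the value seen in Figure E.

```python
import struct

SECTOR = 512
MBR_BOOTSTRAP_LEN = 446          # bootstrap code occupies the first 446 bytes
MBR_PARTITION_TABLE_OFF = 446    # then four 16-byte partition records
MBR_SIGNATURE = b"\x55\xaa"      # last two bytes of the sector


def parse_partition_entry(raw):
    """Decode one 16-byte partition-table record (little-endian fields)."""
    boot, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {
        "active": boot == 0x80,          # 80h marks the bootable partition
        "type": ptype,                   # 0Bh = FAT32, 07h = NTFS
        "lba_start": lba_start,
        "sectors": n_sectors,
        # physical byte offset of this partition's boot sector on the disk
        "byte_offset": lba_start * SECTOR,
    }


def parse_mbr(sector):
    """Split a 512-byte MBR into bootstrap code and used partition records."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55 AA signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = MBR_PARTITION_TABLE_OFF + 16 * i
        entry = sector[off:off + 16]
        if entry[4] == 0:                # type byte 0 = unused slot
            continue
        entries.append(parse_partition_entry(entry))
    return {"bootstrap": sector[:MBR_BOOTSTRAP_LEN], "partitions": entries}


def build_sample_mbr():
    """Constructed sample: active FAT32 C: at LBA 63, NTFS D: right after it."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\x8e"           # a few placeholder bootstrap bytes
    c_entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                          b"\xfe\xff\xff", 63, 2_097_152)
    d_entry = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x07,
                          b"\xfe\xff\xff", 63 + 2_097_152, 4_194_304)
    mbr[446:462] = c_entry
    mbr[462:478] = d_entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)
```

Run it against a real MBR copied out of WinHex with Edit | Copy Sector | Into New File and the byte_offset values tell you where to position the cursor in the physical view.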

Backing up and restoring a primary partition's boot sector is a little safer than working with the MBR, and it's a useful way of demonstrating WinHex's features.

The boot sector is contained in the first 512 bytes of each partition. In each case, the sector ends with the signature hex code 55h AAh. WinHex makes it easy to manually back up and restore these crucial bytes of code. It's also possible to manually edit this information directly or through a template.

To back up a partition's boot sector, click Access | Boot Sector. From the menu, choose Edit | Copy Sector | Into New File. You'll be asked for a filename. Choose a name such as bootcopy.dat (dat is a WinHex file type) and save. A new window opens with the copied sector.

Be aware that if you save this file to the same disk or partition you are viewing, you have changed the data in that partition. If you're attempting to recover erased data, some of the data may be lost. When you work with a hard drive that may be used as evidence, never work with the original copy. For that, you would clone a disk. However, for our example, we'll continue working with the OS disk.

You could print the template information to save a hard copy in case you ever need to rebuild your MBR manually. At that time, simply access the drive with WinHex and write the data into the Boot Sector template.

There are a few ways to restore the boot sector. One method would be to open your backup file copy and paste the information to the boot sector area.

Another way that doesn't involve as much file manipulation would be to copy the backup boot sector, if there is one, provided it hasn't also been damaged by a virus or corrupted in some way, back to the beginning of the partition.

In a FAT32 file system, the boot sector copy is stored on sector 6, which begins at offset C00h. NTFS file systems stash a copy near the end of the volume. But you could find the backup without this information by searching for the boot sector header—coincidentally a good way to demonstrate WinHex's Search feature.

The boot sector begins with a jump instruction (EBh) and contains an OEM name header at the fourth position (offset 3). FAT32 headers will read, for example, MSWIN4.1.

Copy the entire string from JMP to MSWIN4.1 by dragging the cursor over it in either the text column or the hex display column. The string will be highlighted (Figure I). From the menu, choose Edit | Copy Block | Normal to copy a text string to the clipboard, or Edit | Copy Block | Hex Values to copy the hex code. The choice is up to you.

Figure I
WinHex highlights the block of data being manipulated.


Now choose Search | Find Text if you copied text, or Search | Find Hex Values if you copied a string of hex. Paste the string into the search box and click OK. The first search will stop at sector 0. Press F3 to continue the search. The next hit will likely be the backup boot copy.

Let's make sure this sector is really an exact duplicate of the boot sector by using the Compare feature. With the cursor in that sector, choose Edit | Copy Into File. Name that file bootcopy2.

Make sure both files are open in WinHex. From the menu, choose File Manager | Compare. Use the browse buttons to add the files bootcopy.dat and bootcopy2.dat to the first and second file boxes. Next, give a name to the report file WinHex will create, as shown in Figure J. Click OK. A message will appear with the result, hopefully the one you want: "No differences found," meaning that the two files (and boot sectors) are identical.

Figure J
You're ready to see if you've located the backup boot sector.


At this point, you know the location of your boot sector's backup, and you have two files containing exact copies of your current boot sector.
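The search-then-compare procedure above can be scripted against a raw partition image. The following is an added example written for this article, not WinHex's own script language or any X-Ways code: it takes the JMP plus OEM name header from sector 0, searches for further hits (the F3 step), and accepts a hit only if the whole sector matches sector 0 byte for byte (the Compare step). The image it builds is constructed, with the backup in sector 6 and two decoys that share the header but fail the comparison.

```python
SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"


def boot_sector_header(sector):
    """Return the 3-byte jump plus 8-byte OEM name (offsets 0..10)."""
    return sector[0:11]


def is_plausible_boot_sector(sector):
    """Jump opcode at offset 0 and 55 AA at the end, as the article describes."""
    return (len(sector) == SECTOR and sector[0] in (0xEB, 0xE9)
            and sector[510:512] == BOOT_SIGNATURE)


def find_backup_boot_sector(image):
    """Locate a sector-aligned, byte-identical copy of sector 0.

    Returns (sector_number, byte_offset) or None when no exact copy exists.
    """
    first = image[:SECTOR]
    if not is_plausible_boot_sector(first):
        raise ValueError("sector 0 is not a recognisable boot sector")
    needle = boot_sector_header(first)
    pos = image.find(needle, SECTOR)        # skip sector 0 itself (the F3 step)
    while pos != -1:
        # a header hit is only accepted if the full sector compares equal,
        # which is what "No differences found" in the Compare dialog means
        if pos % SECTOR == 0 and image[pos:pos + SECTOR] == first:
            return pos // SECTOR, pos
        pos = image.find(needle, pos + 1)
    return None


def build_sample_fat32_partition():
    """Constructed 32-sector image: boot sector 0, exact backup at sector 6."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x58\x90"             # JMP +58h; NOP, typical FAT32 entry
    boot[3:11] = b"MSWIN4.1"                # OEM name at offset 3
    boot[11:13] = (512).to_bytes(2, "little")   # bytes per sector
    boot[0x52:0x5A] = b"FAT32   "           # file-system type label
    boot[510:512] = BOOT_SIGNATURE
    image = bytearray(SECTOR * 32)
    image[0:SECTOR] = boot
    # decoy 1: same header in sector 3 but a different body (compare fails)
    image[3 * SECTOR:3 * SECTOR + 11] = boot[0:11]
    # decoy 2: header at an unaligned offset inside sector 4 (not a sector start)
    image[4 * SECTOR + 100:4 * SECTOR + 111] = boot[0:11]
    image[6 * SECTOR:7 * SECTOR] = boot     # the real backup, offset C00h
    return bytes(image)
```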

Now practice copying and replacing the boot sector from the partition's backup copy. Warning: This is not for the faint of heart. If you mess up, you may have to practice replacing your boot sector for real.

Navigate to the backup copy of your boot sector. For FAT32 drives, a quick way to do this is to select Position | Go To Sector. Enter 6 and click OK. Choose Edit | Copy Sector | Normal. This places the data in the clipboard.

Return the insertion point to offset 0 of the original boot sector. Choose Edit | Clipboard Data | Write. A message will inform you that, "The clipboard data will be written at offset 0." Click OK.

The clipboard data overwrites sector 0 and is highlighted. The status bar at the right now shows the following helpful information: State: Modified, Undo Level: 1, Undo Reverses: Clipboard Writing.

You can back out of the changes by choosing Edit | Undo. At this point in the exercise, you can also exit Drive C: without committing the changes. If you feel especially brave and want to test your drive repair skills, choose File | Save Sectors. Only the modifications you made will be saved.

You've now replaced your boot sector. To back up and replace the drive's MBR and partition tables, choose Tools | Disk Editor and access the disk physically. Then copy the MBR to a file and have it ready in case you need to replace it.

Additional tools
Figures K and L show other tools and options available for working with disks. Among them are the ability to browse the directory structure, list file clusters, and clone a disk. Specialist tools include the ability to gather free space, slack space, and text for analysis; search simultaneously for different keywords; create tables of contents for the drive; create a table of Bates numbers (a format used by lawyers for referencing evidence); and highlight free and slack space.

Figure K
WinHex's disk tools


Figure L
WinHex's Specialist tools


Wipe sensitive files
One last feature is worthy of note, because it pertains to the opposite of data recovery: WinHex's ability to wipe confidential information so that it can't be recovered. The File Manager | Wipe Securely option goes beyond many file shredder tools. When applied to a file, according to WinHex, "Even professional attempts to restore the file will be futile."

Wipe Securely does not just overwrite a file several times with zeros or other characters. The file is also reduced to zero length and then deleted. Specialist and Professional licenses go even further: WinHex erases the name entry of the file as well.

For more information
WinHex's Professional and Specialist features make this app a low-cost, formidable arsenal of tools for the IT professional or law enforcement specialist. It meets the needs of those who need to edit and examine disks for data recovery and criminal evidence, as well as those who work with sensitive data that must be securely erased. For more information on how to use WinHex, see the set of tutorials on the WinHex Web site.
