Whole Drive Hex Editor for Year 2013 MacBook Pro

Posted on 2013-12-16
Last Modified: 2013-12-20
I have been looking for weeks, and none of the whole-disk hex editors I tried work with the newest Macs.

All of them seem to be for older Macs.

Modern "for pay" hex editors seem to only handle "files" and are used as a poor man's text editor.

I have no interest whatever in files, I want to expose all of the disk to scrutiny, not just the "files".

Had hex editor years ago called "HexEdit" - worked great with old Macs using "Big Endian" addressing with Motorola CPU.

Today's Macs use Intel CPU with "Little Endian" addressing.

Reason for hex editor?  Just for fun and recreation, to observe and hopefully monitor every single hex byte on the entire drive.   (or on the SSD which most modern Macs use now)

Will require an expert who is familiar with present day Macs and OS 10.9 (Mavericks)

Thanks all -

SuperSenile   (and can prove it, I am 100% senile)
Question by:SuperSenile

Expert Comment

by:strung
ID: 39722781

Expert Comment

by:Rich Rumble
ID: 39722834
I like wxHexEditor myself: http://www.wxhexeditor.org/home.php but its OS X support is spotty. Win-hex http://winhex.com/winhex/ does work well for me, but not for Mac :(
In my SANS FOR508 classes we used many of the tools here: http://www.forensicswiki.org/wiki/Tools
Each has their strengths and weaknesses; we did not use the full versions of some because they cost big bucks :) Not much time is spent outside Linux/Windows in that class, and not many EE experts I know have any forensics training and/or experience. I'm doing more phone/tablet investigating of late than HDDs in my consulting.

You can use a dd image of the HDD and use that on a wide range of tools as well; it doesn't have to be the "live" HDD, and in forensics it shouldn't be.
-rich

Author Comment

by:SuperSenile
ID: 39723247
richrumble posted:

"I like wxHexEditor myself: http://www.wxhexeditor.org/home.php but its OS X support is spotty. Win-hex http://winhex.com/winhex/ does work well for me, but not for Mac :( "

I might get desperate and drop into Windows 8.1 on my Mac just to use wxHexEditor but I prefer to keep looking a bit longer for a Mac version.

SuperSenile -

Author Comment

by:SuperSenile
ID: 39725272
by: strung, posted on 2013-12-16 at 15:01:56, ID: 39722781

Have you checked out this list?

http://en.wikipedia.org/wiki/Comparison_of_hex_editors

Thanks strung, I am struggling through that wikipedia website you posted above.

The complete-drive hex editor below shows promise for modern Mac hardware and OSes.

The name of it is “iBored” and I was actually able to display the hex values of disk drive storage locations - - - absolutely zero documentation about how to use iBored's features though; a novice has to try the various features and hope he/she does not blow up their Mac.

http://apps.tempel.org/iBored/

I feel guilty about yelling for help on this topic.   I was making no progress on my own, for weeks of extensive hunting on the web.

Other experts here have very good suggestions also, am following up on those suggestions and will respond to the experts.

by SuperSenile -

Expert Comment

by:Rich Rumble
ID: 39725542
"Hex editor" is still vague; if you want forensics and low-level access to the drive and its sectors, then you're talking more about forensics tools. Hex editors are thought of for binary analysis.
The "big dogs" are the ones you want ultimately. EnCase: https://www.encase.com/
X-Ways: http://www.x-ways.net/investigator/
Autopsy might be good; looks like it has UFX1/2 support: http://www.sleuthkit.org/autopsy/desc.php
-rich

Author Comment

by:SuperSenile
ID: 39725789
rich rumbled:

"The "big dogs" are the ones you want ultimately. EnCase: https://www.encase.com/
X-Ways: http://www.x-ways.net/investigator/
Autopsy might be good; looks like it has UFX1/2 support: http://www.sleuthkit.org/autopsy/desc.php
-rich"

WOW !!! - shades of the NSA.  ;-)

I shudder to think what their software and services would cost, probably up in the tens-of-thousands of dollars.

SuperSenile

Author Comment

by:SuperSenile
ID: 39728461
Thanks everyone for the help.

I am convinced that I am the only one interested in whole-disk editing of the entire disk,
not merely the   _files_   on the disk, but every single byte on the drive from beginning to end.

My physical setup here is Apple OS 10.9.1 - - - on ALL of my drives, even the external 64-GB USB2 thumb drive which I am booted up from right now.  ( I like to suffer )

Mac "extended OS with journaling", and GUID option - - - on all drives.

Little endian Intel CPU.


Computer is a 4-year-old 17-inch MacBook Pro with a 500-GB Solid-State Drive.

Target new Mac will be a 15-inch "Retina MacBook Pro" in about a month; its internal drive will be a one-terabyte SSD, with USB3 and Thunderbolt ports.

I will be running several different OS's on that Mac using VMware Fusion Pro with ThunderBolt to speed up the action to a tolerable level.


I had hope of keeping all my ducks in line regarding keeping an eye on all my external boot drives - - - however it looks to be too difficult to do on a Mac.

...due to "The Devil is in the Details" syndrome.

For example, when I tried the whole-drive hex editor named "iBored" it appeared to work okay; however, there were only sparse hex entries on a drive I _knew_ was jam packed with an entire Mac OS 10.9.1 - - - practically all the display was hex zeroes.

Why?   Do not know, no documentation from the lone developer.

Drive memory locations refused to scroll along with the data, which   _did_   scroll.

Again thanks everyone, sorry for wasting your time.

Expert Comment

by:Rich Rumble
ID: 39728891
You need a professional tool, esp. for SSD; pro tools are big bucks :(
SSDs do not work like platter/disk HDDs. Your tool needs to understand that too, and the pro ones do.
-rich

Author Comment

by:SuperSenile
ID: 39730656
Rich Rumbled Thusly:
"You need a professional tool, esp. for SSD; pro tools are big bucks :(
SSDs do not work like platter/disk HDDs. Your tool needs to understand that too, and the pro ones do."
-rich


Thanks richrumble, that gives me an idea.  (to avoid the big bucks expense)

I will copy the entire SSD end-to-end with Unix dd  to create a  .bin file

Then move the bin file (binary file) to a regular spinning drive.

Then observe the hex representation of the binary with a regular whole-drive hex editor.

...assuming I can find a hex editor that runs on my Mac setup.

Involved and convoluted?   Yes.

Simple minds like mine seek simple answers, so I put up with the convolution.

Only remaining problem is to find a simple whole-drive hex editor which will work with the most recent "Retina MacBook Pros" which came out a few weeks ago - - - and with the OS 10.9.1 code-named "Mavericks" which is on those Macs.

I failed so far.  A lot of hex editors promise compatibility with late model Macs, but they fail to deliver when I put them to the test.

by supersenile -
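
As an added example (not from this thread, and not iBored's or any other tool's code), here is a small Python script that does on a dd image what a whole-drive hex editor is being asked to do: a hex view whose absolute byte offsets stay aligned with the data, plus a decode of the little-endian GPT header at LBA 1 that a GUID-partitioned Intel Mac writes, with its CRC32 verified. The image is constructed inline; the file path in the comment is a placeholder.

```python
import struct
import uuid
import zlib

SECTOR = 512
# Little-endian GPT header layout at LBA 1 (92 bytes); Intel Macs store it this way.
GPT_FMT = "<8sIIIIQQQQ16sQIII"

def hexdump(data: bytes, base_offset: int = 0, width: int = 16) -> list[str]:
    """Hex-editor view: absolute byte offset, hex bytes, printable ASCII."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base_offset + i:010x}  {hex_part:<{width * 3}} |{text}|")
    return lines

def parse_gpt_header(sector: bytes) -> dict:
    """Decode the GPT header and verify its CRC32 (CRC field zeroed for the check)."""
    f = struct.unpack_from(GPT_FMT, sector, 0)
    if f[0] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr_size = f[2]
    zeroed = sector[:16] + b"\0\0\0\0" + sector[20:hdr_size]
    return {
        "crc_ok": (zlib.crc32(zeroed) & 0xFFFFFFFF) == f[3],
        "current_lba": f[5], "backup_lba": f[6],
        "first_usable_lba": f[7], "last_usable_lba": f[8],
        "disk_guid": str(uuid.UUID(bytes_le=f[9])).upper(),  # mixed-endian GUID
        "entries_lba": f[10], "num_entries": f[11], "entry_size": f[12],
    }

def build_sample_image() -> bytes:
    """Constructed 4-sector image: protective MBR at LBA 0, GPT header at LBA 1."""
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"  # MBR boot signature
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed disk GUID
    hdr = struct.pack(GPT_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                      1, 3, 34, 2014, guid.bytes_le, 2, 128, 128, 0)
    crc = zlib.crc32(hdr) & 0xFFFFFFFF
    hdr = hdr[:16] + struct.pack("<I", crc) + hdr[20:]
    return bytes(mbr) + hdr + bytes(SECTOR - len(hdr)) + bytes(2 * SECTOR)

if __name__ == "__main__":
    img = build_sample_image()  # placeholder: open("/path/to/image.bin", "rb").read()
    print("\n".join(hexdump(img[SECTOR:SECTOR + 48], base_offset=SECTOR)))
    print(parse_gpt_header(img[SECTOR:2 * SECTOR]))
```

A real dd image read the same way should show the "EFI PART" signature at byte offset 512 and a CRC that verifies; a header that fails the CRC is the first sign that the bytes on screen are not what the drive holds.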

Expert Comment

by:Rich Rumble
ID: 39730748
SSDs are not "dd"-able in the way platters are.
http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence

It'd be nice if they were, but you're picking the wrong media to work with for forensics/inspecting/curiosity. Each time you read the drive it will be different. A hex editor again will be OK for binary data, but as an "undelete" or inspecting kind of experiment it's not going to help. TRIM and wear-leveling make SSDs hard for software forensics; they are better inspected with hardware, but again big $$.
http://en.wikipedia.org/wiki/Wear_leveling

You can do the dd thing, but due to the way SSDs operate, if you took two dd images back to back, you'd probably end up with different images at the end, that is if you're doing free-space inspection too. TRIM and wear-leveling are OS independent more times than not, so "free" space is going to be "cleaner" the second time you image. That image should be smaller than the first.
-rich
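
To make Rich's point about back-to-back acquisitions checkable, here is an added example (not from the thread) that compares two dd images sector by sector and reports which LBA ranges changed, alongside a whole-image SHA-256. The image pair is constructed inline, with two sectors zeroed to stand in for free space the drive cleaned up between reads.

```python
import hashlib

SECTOR = 512

def sha256_hex(data: bytes) -> str:
    """Digest of a whole image; two clean acquisitions of stable media should match."""
    return hashlib.sha256(data).hexdigest()

def differing_lba_ranges(img_a: bytes, img_b: bytes) -> list[tuple[int, int]]:
    """Compare two images sector by sector; return inclusive (first, last) LBA ranges that differ."""
    if len(img_a) != len(img_b):
        raise ValueError("images differ in size and cannot be compared sector by sector")
    ranges, start = [], None
    n = len(img_a) // SECTOR
    for lba in range(n):
        lo, hi = lba * SECTOR, (lba + 1) * SECTOR
        same = img_a[lo:hi] == img_b[lo:hi]
        if not same and start is None:
            start = lba            # open a new differing run
        elif same and start is not None:
            ranges.append((start, lba - 1))  # close the run
            start = None
    if start is not None:
        ranges.append((start, n - 1))
    return ranges

def build_constructed_pair() -> tuple[bytes, bytes]:
    """Constructed: an 8-sector image, then the same image with LBA 5-6 zeroed, as TRIM might."""
    first = bytes((i * 7 + 3) & 0xFF for i in range(8 * SECTOR))
    second = bytearray(first)
    second[5 * SECTOR:7 * SECTOR] = bytes(2 * SECTOR)
    return first, bytes(second)

if __name__ == "__main__":
    a, b = build_constructed_pair()
    print("hashes match:", sha256_hex(a) == sha256_hex(b))
    print("differing LBA ranges:", differing_lba_ranges(a, b))
```

On real images the reported ranges tell you whether the changes sit in unallocated space (the SSD tidying up) or inside the partitions you meant to inspect.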

Author Comment

by:SuperSenile
ID: 39730979
EXPERT COMMENT
by: richrumble, posted on 2013-12-19 at 15:37:38, ID: 39730748

SSDs are not "dd"-able in the way platters are.
http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence

It'd be nice if they were, but you're picking the wrong media to work with for forensics/inspecting/curiosity. Each time you read the drive it will be different. A hex editor again will be OK for binary data, but as an "undelete" or inspecting kind of experiment it's not going to help. TRIM and wear-leveling make SSDs hard for software forensics; they are better inspected with hardware, but again big $$.
http://en.wikipedia.org/wiki/Wear_leveling

You can do the dd thing, but due to the way SSDs operate, if you took two dd images back to back, you'd probably end up with different images at the end, that is if you're doing free-space inspection too. TRIM and wear-leveling are OS independent more times than not, so "free" space is going to be "cleaner" the second time you image. That image should be smaller than the first.
-rich

Thanks rich, I was not aware of all the above. As they say, a little knowledge is a dangerous thing. All the above is a good thing in a way; it means that the Bad Guys can no longer hide stuff in free space, because it will probably become overwritten by SSD wear-leveling.

One less worry for me if I read you correctly.

Wonder if a Journal app' to log the stuff in free-space every time wear-leveling changed something would work.

Probably not, such a Journal app' might consume too much CPU time.

Plus the journal app' would need to be "tied in" with low-level wear-leveling in order to "know" when wear-leveling was due to occur.

by SuperSenile

Accepted Solution

by: Rich Rumble (earned 100 total points)
ID: 39731018
The other issue with SSDs, and probably something you could pick up on somewhat, is that their sizes and speed are tied to compression. Data that compresses well, like text (html, pdf, office, logs etc.), allows the drive to read/write files of enormous size quickly. Files that are not compressible (typically anything encrypted) or already compressed do not allow the drive to work as fast. If you are seeing full files on your SSD, then they are not compressible files or you're not getting the RAW data you're seeking. SSDs compress at the hardware level, and if you scan a drive using software, it's uncompressing that data. You need hardware to bypass the SSD's own hardware, basically. The drive is telling you one thing, but in reality what's on the drive is a whole other story.
Again, SSDs are not at all like platters, but they would be fun to poke around on like this.
This was a good article and test to read about:
http://www.pugetsystems.com/labs/articles/SSDs-Advertised-vs-Actual-Performance-179/#Compressiblevs_IncompressibleData
Only 2-3 pages, short but sweet. Perhaps not the answer you were looking for in the end, but if we are talking about platters then tools linked and mentioned here would be great.
-rich
P.S. Somehow you're "reposting" the previous response(s); quoting would be fine, but it's not typically called for unless buried in a long thread.

Author Closing Comment

by:SuperSenile
ID: 39731251
Thanks richrumble.  

Often one does not get the answer one is expecting.  I appreciated your detailed explanations and am coming away knowing more about SSD issues.  Keep up the good work.  :-)