Sector Edit and Hex code

slingshot

Member
I would like to know more about looking at data in sectors represented in hex format. I know this can help with awkward recoveries but I feel I don't know enough about this side of it and would appreciate any help increasing my understanding of this side of recovery practice.

I understand that looking at the hex code can tell me things about the data in that sector, but other than seeing if its encrypted or not, what else can it tell me, what am I looking at / for ? First sector, sector 63 and last sector contain signatures of the file systems ? Other things ?

Thanks for any help :)
 

Jared

Administrator
Staff member
You need to spend some time analyzing and learning about partition and file system structures. There's plenty of information online about it in places like Wikipedia.

Pros don't just analyze random sectors, they're looking for specific things when looking in hex. For all I know that's somebody's nose in a jpg image you posted.

Also, FYI it's pretty unethical to post your customer's data online, even if it is just a random sector.
 

slingshot

Member
Ok thanks Jared, yes I understand something is being looked for, I just don't know enough of what those little gems are, thanks for pointing me in the right direction for learning them ;) (the random sector has now been removed)
 

Jared

Administrator
Staff member
Here's some examples of info you can read up on:

GPT partition tables: https://en.wikipedia.org/wiki/GUID_Partition_Table
MBR partition tables: https://en.wikipedia.org/wiki/Master_boot_record
NTFS structure: https://en.wikipedia.org/wiki/NTFS

Eventually, with enough study, you can have some idea what you're looking at. But, it's no fast process. When I had a lost filevault encrypted partition case (which no software could automate restoring the lost partition), I just took a full weekend and studied the structure of GPT tables. I was then able to manually write a GPT table to match what I was finding by analyzing in hex.
 

slingshot

Member
Thanks Jared, I will spend some time on that. Im aware of people editing the hex to enable access to file systems that tools can't sort out. Im also aware of some of the uses of being able to interpret hex; e.g order of RAID drives and type of RAID etc so its an area I need to learn more of :)
 
slingshot":69u0u8qy said:
Thanks Jared, I will spend some time on that. Im aware of people editing the hex to enable access to file systems that tools can't sort out. Im also aware of some of the uses of being able to interpret hex; e.g order of RAID drives and type of RAID etc so its an area I need to learn more of :)


Hi,
Guru Scott Moulton Has Some Excellent RAID Tutorials And So Do Many Others On Youtube Boss
 
Top