Find Windows vulnerabilities with a hex editor

The hex editor is a long-time favorite investigative tool for forensics professionals. But the capabilities of the tool go beyond piecing together bits and bytes to prove a case. Used in the right context, a hex editor can actually uncover Microsoft Windows and application vulnerabilities that you may not have thought about, yet can't afford to overlook. In fact, the hex editor is one of the most underrated and overlooked security testing tools.

Here are just a few of the things you can do with a hex editor to root out security weaknesses in your Windows environment:

  • Check for passwords that may still be saved in Windows, Internet Explorer (IE) and other applications. Passwords left in memory can pose a risk and this technique demonstrates just how vulnerable logins and other private information can be -- especially on public computers that can be accessed by several people.


Figure 1: Using WinHex to search Firefox's memory range for sensitive information.

    If this isn't enough proof that a vulnerability exists, you can also search the computer's entire memory range for Windows application passwords or other sensitive information. Many times, I've been able to find sensitive information stored in memory by Web browsers even after the programs were closed. Searching all physical memory for this type of sensitive information is simple, fast and very revealing.

  • Search local system files, such as pagefile.sys and hiberfil.sys or the entire physical disk, for sensitive information. It's worked for me every time. This can really come in handy for spot checking computer hard drives that have supposedly been wiped before being disposed of or given away. Figure 2 shows the WinHex interface for searching local files.


Figure 2: Using WinHex to search logical drive C: for sensitive information.

  • Search for malware in memory or hidden data on disk that you wouldn't be able to see otherwise.

  • Search for "dirty" documents, such as Microsoft Word files that reveal sensitive information that should never leave the network. Those include file authors, draft verbiage, comments or third-party information that had supposedly been removed or were assumed to be non-existent since they're not visible in the native application. This comes in handy when searching for the files of those who forgot to enable the "Remove personal information from file properties on save" option.
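The memory and pagefile searches in the first two bullets can also be scripted for a spot check, for example to confirm that a drive image or a copied pagefile.sys is free of a given marker before disposal. The script below is an added example, not code from the article or from WinHex; the dump it scans is constructed inline, and the function names are my own. It searches for the keyword both as ASCII and as UTF-16LE, the form in which Windows applications usually hold strings and which a hex editor text search typed as plain ASCII silently misses, and prints each hit as a hex-editor style row.

```python
import mmap
import re

# Constructed sample standing in for a slice of pagefile.sys or a memory dump.
# Windows applications usually hold strings as UTF-16LE, so a hex editor search
# typed as plain ASCII text misses them; both encodings are searched below.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"user=alice&password=Tr0ub4dor&3"        # ASCII, e.g. a cached web form body
    + b"\x00" * 16
    + "Password: hunter2".encode("utf-16-le")   # UTF-16LE, e.g. a Win32 edit control
    + b"\xff" * 8
)

PRINTABLE = rb"[\x20-\x7e]"   # one printable ASCII byte

def keyword_patterns(keyword: str, max_tail: int = 64) -> dict:
    """Case-insensitive regexes for keyword plus up to max_tail printable
    characters after it: one for ASCII, one for UTF-16LE (char, NUL pairs)."""
    kw = keyword.encode("ascii")
    utf16_kw = b"".join(re.escape(bytes([c])) + b"\x00" for c in kw)
    return {
        "ascii": re.compile(re.escape(kw) + PRINTABLE + b"{0,%d}" % max_tail, re.IGNORECASE),
        "utf-16-le": re.compile(utf16_kw + b"(?:" + PRINTABLE + b"\x00){0,%d}" % max_tail,
                                re.IGNORECASE),
    }

def scan_bytes(data, keyword: str) -> list:
    """Return (offset, encoding, decoded text) for every hit, ordered by offset."""
    hits = []
    for enc, pat in keyword_patterns(keyword).items():
        for m in pat.finditer(data):
            hits.append((m.start(), enc, m.group(0).decode(enc, errors="replace")))
    return sorted(hits)

def scan_file(path: str, keyword: str) -> list:
    """Same search over pagefile.sys, hiberfil.sys or a whole disk image,
    memory-mapped so the file is never read into RAM in one piece."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_bytes(mm, keyword)

def hexline(data: bytes, off: int, width: int = 16) -> str:
    """One hex-editor style row (offset, hex bytes, printable ASCII) starting at off."""
    row = bytes(data[off:off + width])
    hexs = " ".join(f"{b:02x}" for b in row)
    text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in row)
    return f"{off:08x}  {hexs:<{width * 3 - 1}}  {text}"

if __name__ == "__main__":
    for off, enc, text in scan_bytes(SAMPLE_DUMP, "password"):
        print(f"{enc:>9} @ {hexline(SAMPLE_DUMP, off)}  -> {text!r}")
```

A clean result on a supposedly wiped drive is an empty list; any hit gives the offset to open in the hex editor for a closer look.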

Even with hex editors, it pays to have good tools. There are plenty of hex editors to go around. Check out the commercial alternative to WinHex called Hex Workshop or even the freebie XVI32. Don't even bother with the DOS/Windows debug tool that we used to have to rely on. Most of the hex editor features and capabilities you'll need are not there.

If you jump in head first with a hex editor, you'll be amazed at how powerful it is and what you can uncover. With this power comes some risk: A hex editor can and will modify anything in memory or stored on disk, so be careful. The results can be beneficial or devastating. Either way, the power is in your hands.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.


This was first published in September 2007
