Basic Forensics: Winhex, Reading sectors on a mounted disk/storage volume
Mr. Matt
post Mar 24 2008, 09:54 PM
Post #1
WinHex is a hexadecimal editor that allows you to read sectors on a mounted volume with support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF file systems. The basic program is available free for download, although there are levels of licenses that can be obtained to unlock additional features. These include their individual licenses Personal ($56.00), Professional ($105.00), Specialist ($255.00) and X-Ways Forensics ($929.00), which cover the cost for one (1) license of its type.

In the world of IT, a tool like WinHex comes in quite handy when working with data recovery. A supposedly fully formatted floppy disk has no data on it and can be written to. However, when mounted under WinHex, you can access every disk sector and look for key signatures that would suggest fragments of a deleted file still remain on the storage media. Traces of a Microsoft Office document, for example (doc, xls, dot, ppt, xla, ppa, pps, pot, msi, sdw, db, vsd, msg), can be identified by using the File Recovery by Type option under the Tools -> Disk Tools menu to look for headers matching \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1 in each disk sector.

You may also specify your own signatures and label them for quick searching of any file types not listed or supported by this application. Is paging through 2880 sectors on a 1.44 MB floppy disk time-consuming? No problem, simply clone the disk as a raw image and edit the image on the local file system instead!

After being able to recover files that normal PC users would've thought were long gone by now, the significance of using a secure wipe/erase program to properly delete confidential data might be a little more clear. WinHex does support a Wipe Securely File Tool under the Tools menu.

With additional license privileges (only available by purchasing an upgraded license), you not only can view the contents of your system's physical memory (RAM) but edit them as well. There are some Specialist features available as well for reconstructing a RAID system or further working with mounted volumes. These features do require a Specialist or fully upgraded license to use without added restrictions.

I would highly recommend backing up (or write protecting) any target storage media before experimenting with hex editing disk sectors. Use at your own risk.
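An added example, not code from the post or from WinHex, of the sector-by-sector header scan that the post describes for File Recovery by Type: it walks a constructed floppy-sized raw image (2880 sectors of 512 bytes) and reports every sector that starts with a known signature. The Office header bytes are the ones quoted above; the JPEG entry stands in for a user-defined signature, and the compound-file header sanity check is my addition to weed out chance matches.

```python
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512      # sector size of a 1.44 MB floppy and most fixed disks
FLOPPY_SECTORS = 2880  # 1.44 MB floppy, as in the post

# Header signatures. The Office entry is the header quoted in the post; the
# JPEG entry plays the role of a user-defined signature (FF D8 FF is the JPEG SOI marker).
SIGNATURES: Dict[str, bytes] = {
    "office_ole2": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    "jpeg": b"\xFF\xD8\xFF",
}

def looks_like_ole2_header(image: bytes, offset: int) -> bool:
    """Extra check for Office hits: a compound-file header carries the byte-order
    mark 0xFFFE at offset 28 and a sector shift of 9 or 12 at offset 30."""
    byte_order, sector_shift = struct.unpack_from("<HH", image, offset + 28)
    return byte_order == 0xFFFE and sector_shift in (9, 12)

def scan_image(image: bytes, sector_size: int = SECTOR_SIZE) -> List[Tuple[int, str]]:
    """Walk a raw image sector by sector; return (sector, label) for each sector
    that starts with a known signature. Only sector starts are tested because
    FAT/NTFS files begin on a cluster, and therefore a sector, boundary."""
    hits = []
    for sector in range(len(image) // sector_size):
        off = sector * sector_size
        for label, magic in SIGNATURES.items():
            if not image.startswith(magic, off):
                continue
            if label == "office_ole2" and not looks_like_ole2_header(image, off):
                continue  # the signature bytes by chance, not a real header
            hits.append((sector, label))
    return hits

def build_sample_image() -> bytes:
    """Constructed image: all zero ('formatted') except a deleted .doc header at
    sector 40, a JPEG fragment at sector 100, and a decoy at sector 200 that has
    the Office bytes but an invalid header."""
    image = bytearray(FLOPPY_SECTORS * SECTOR_SIZE)
    doc = SIGNATURES["office_ole2"] + bytes(20) + struct.pack("<HH", 0xFFFE, 9)
    image[40 * SECTOR_SIZE:40 * SECTOR_SIZE + len(doc)] = doc
    jpg = SIGNATURES["jpeg"] + b"\xE0\x00\x10JFIF\x00"
    image[100 * SECTOR_SIZE:100 * SECTOR_SIZE + len(jpg)] = jpg
    decoy = SIGNATURES["office_ole2"] + bytes(24)
    image[200 * SECTOR_SIZE:200 * SECTOR_SIZE + len(decoy)] = decoy
    return bytes(image)

if __name__ == "__main__":
    for sector, label in scan_image(build_sample_image()):
        print(f"sector {sector:5d} (offset {sector * SECTOR_SIZE:#x}): {label}")
```

Running it on a real raw image (e.g. one cloned from the floppy as the post suggests) is a matter of passing the file's bytes to scan_image in place of the constructed sample.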
tansqrx
post Mar 28 2008, 08:29 PM
Post #2
It is always fun to see what is on the drive hidden away from the usual means of reading the data. Personally I don’t feel like having someone else reading my hard drive at such a low level, so I encrypt the entire hard drive so such things are impossible. My current favorite is TrueCrypt 5.0 (http://www.truecrypt.org/), which now features whole drive encryption. This means that EVERYTHING except the boot sector on the drive is encrypted. This keeps those nasty “forensics tools” from doing their job. Of course you can still read data, but it is a meaningless encrypted blob that doesn’t even have a file system.