An Introduction to Hex Editing for Cybercrime Investigators


People interested in entering the growing field of cybercrime investigations can gain a leg up on the competition by learning how to use a hex editor. To "hex edit" means to view and change the raw binary data, the 1s and 0s, that a computer stores. "Hex" is short for "hexadecimal," something I will discuss shortly. A hex editor is an application that presents the raw bytes of a file and allows the user to edit them. This article describes hexadecimal notation and the process of hex editing, and gives some examples of how hex editing is used by cybercrime investigators.


About Hexadecimal Notation

Hexadecimal notation can be a little disorienting for the uninitiated. It is base 16 rather than base 10: each digit position is worth a power of 16 instead of a power of 10. We are most familiar with the decimal system. In decimal we count 0, 1, 2 ... up to 9, then add another digit and start over: 10, 11, up to 19, and so on. Once you get to 99, you add a third digit and start over at 100.


A hexadecimal system also starts at 0, but after 9 it has six more single digits, A, B, C, D, E and F, before a second digit is needed (we cannot write 10 for ten, because that would already be two digits). In other words, A = 10, B = 11, C = 12, D = 13, E = 14 and F = 15. Only after F is a new digit added, and we start over with 10 (sixteen), 11 (seventeen), ... 1F (thirty-one), then 20.


So, why use this weird system?


Computers store information in yet another numbering system, built from 1s and 0s. This is a base-two system, and its values are written in binary notation. Written out the way the computer stores it, even ordinary text is hard for a human eye to follow. Consider the phrase I hope the Dodgers win the World Series. Encoded as ASCII, this phrase is rendered in binary notation as:


01001001 00100000 01101000 01101111 01110000 01100101 00100000 01110100 01101000 01100101 00100000 01000100 01101111 01100100 01100111 01100101 01110010 01110011 00100000 01110111 01101001 01101110 00100000 01110100 01101000 01100101 00100000 01010111 01101111 01110010 01101100 01100100 00100000 01010011 01100101 01110010 01101001 01100101 01110011


The convention is to group 8 digits together, as I have done above. This is because each digit is a bit, and 8 bits are a byte: each 8-digit block above is one byte stored on the computer. The byte is the basis of the terminology people use when describing the size of a file or how much storage a computer has. For example, most new desktops have a hard drive with at least 500 GB of storage. Counting in binary gigabytes (2^30 bytes each, the way Windows reports sizes), 500 GB is 536,870,912,000 bytes; drive manufacturers count in decimal gigabytes (10^9 bytes), so the same label on the box means 500,000,000,000 bytes.


Hexadecimal notation helps the human in two ways. First, it is not as confusing as a long series of 1s and 0s; it is hard for a human to pick out important values when the eye sees only two symbols repeated. Second, because one hex digit stands for exactly four bits, the same information takes only a fourth of the space. That same phrase, I hope the Dodgers win the World Series, is rendered in hexadecimal notation as:


4920 686F 7065 2074 6865 2044 6F64 6765 7273 2077 696E 2074 6865 2057 6F72 6C64 2053 6572 6965 73


Hex notation is written either in blocks of 2 digits (one byte) or sometimes in blocks of 4 digits (two bytes, often called a word). Be aware that the size of a "word" depends on the processor architecture; in hex editors, Windows documentation and file-format specifications, WORD conventionally means 16 bits, as it does here.


There is another benefit, though it matters less to computer investigators: converting between hexadecimal and binary is easy, because each hex digit corresponds to exactly one group of four bits.


Consider the first "word," that is, the first 2 bytes, of the hex code above: 4920. Using Table 1, match each hex digit with its four-bit binary group: 4 = 0100, 9 = 1001, 2 = 0010, 0 = 0000. So 4920 is 0100 1001 0010 0000, the same two bytes (01001001 00100000, the letter I and a space) that begin the binary rendering above.


A similar conversion is shown in the graphic at https://owlcation.com/stem/How-to-Convert-Hex-to-Binary-and-Binary-to-Hexadecimal (image not reproduced here).

Converting between binary and hexadecimal is of more interest to computer scientists and programmers, because computers ultimately store information in bits. However, a basic understanding of the relationship between what a hex editor displays and what that display means is important for anyone in a cyber field.

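As an added illustration (example code written for this edit, not code from the original article), the following Python does the Table 1 lookup in both directions and applies the grouping conventions described above: 8 bits per byte, and 2 or 4 hex digits per group. The Dodgers phrase is the only input it assumes. The refusal to convert a bit string that is not a whole number of bytes is deliberate: a truncated binary dump, like one pasted with its last byte cut off, would otherwise be silently mis-decoded.

```python
# Added example (not from the original article): hex <-> binary using the same
# one-hex-digit-to-four-bits table the text's Table 1 shows, plus the grouping
# conventions (8 bits per byte; 2 or 4 hex digits per group).
HEX_DIGITS = "0123456789ABCDEF"
NIBBLE = {d: format(i, "04b") for i, d in enumerate(HEX_DIGITS)}   # "4" -> "0100"
BITS = {bits: d for d, bits in NIBBLE.items()}                     # "0100" -> "4"


def text_to_binary(text: str) -> str:
    """Render ASCII text as space-separated 8-bit groups, one group per byte."""
    return " ".join(format(b, "08b") for b in text.encode("ascii"))


def text_to_hex(text: str, group: int = 4) -> str:
    """Render ASCII text as hex digits in groups of 2 (one byte) or 4 (two bytes)."""
    digits = text.encode("ascii").hex().upper()
    return " ".join(digits[i:i + group] for i in range(0, len(digits), group))


def hex_to_binary(hexstr: str) -> str:
    """Expand each hex digit into its 4-bit group by table lookup (no arithmetic needed)."""
    digits = hexstr.replace(" ", "").upper()
    bad = set(digits) - set(HEX_DIGITS)
    if bad:
        raise ValueError(f"not hexadecimal: {sorted(bad)}")
    return " ".join(NIBBLE[d] for d in digits)


def whole_bytes(bits: str) -> bool:
    """True when a bit string is a multiple of 8 bits; a partial byte means truncated data."""
    clean = bits.replace(" ", "")
    return len(clean) % 8 == 0 and set(clean) <= {"0", "1"}


def binary_to_hex(bits: str) -> str:
    """Collapse a bit string to hex, 4 bits at a time, refusing partial bytes."""
    if not whole_bytes(bits):
        raise ValueError("bit string is not a whole number of bytes")
    clean = bits.replace(" ", "")
    return "".join(BITS[clean[i:i + 4]] for i in range(0, len(clean), 4))


if __name__ == "__main__":
    phrase = "I hope the Dodgers win the World Series"
    print(text_to_binary(phrase))
    print(text_to_hex(phrase))            # 4920 686F 7065 ...
    print(hex_to_binary("4920"))          # 0100 1001 0010 0000
```

Running it on the phrase reproduces the binary and hexadecimal renderings shown above, and `binary_to_hex(text_to_binary(phrase))` gives the hex string back without spaces.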

Looking at a Hex Editor

Any hex editor has at least four areas to focus on:


  • The address area (usually on the left) displays the offset of each row's first byte from the start of the file.
  • The hexadecimal area in the center shows the raw bytes of the file, two hex digits per byte.
  • The character area (usually on the right) shows the character, if any, that each byte would represent as text; bytes that are not printable are shown as a placeholder such as a dot.
  • There is usually also an interpretation area that decodes the bytes at the cursor as the types an analyst cares about (8-, 16-, 32- and 64-bit integers, floating-point values, dates and times) and shows basic information about the file.

You can see these elements in the screenshot below from the popular hex editor HxD. HxD places the interpretation pane (called the "Data Inspector") on the far right.


Figure: The Four Main Areas of a Hex Editor (HxD screenshot, not reproduced here)

You can use the mouse to navigate to a specific place in the file and click to place the cursor there. The cursor is called a caret, and its position, counted in bytes from the start of the file, is called the offset. Hex editors show offsets in hexadecimal and count from zero. In the figure above, the caret is at offset 44, meaning hexadecimal 0x44 (decimal 68); since the first byte is at offset 0, this is the 69th byte of the file. The offset is displayed at the bottom of the screen. You can also work it out from the row label (40) and the column (4): the row label is the offset of the first byte in that row, so 40 + 4 = 44.


Although on some occasions one byte is all one is interested in, it is usually a block of bytes that conveys the important information. In the figure below, a block beginning at offset 44 is highlighted. Looking at the bottom of the application, we can see that the block spans offsets 44 through 4D. That range is inclusive, so it is ten bytes (0x4D - 0x44 + 1 = 10).


Figure: A Highlighted Address Block in a Hex Editor (HxD screenshot, not reproduced here)
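The three display areas and the offset arithmetic just described, as an added example (written for this edit, not code from the original article or from HxD): a minimal hex-editor view over a constructed 96-byte buffer. The buffer is laid out so that offset 0x44 lands on the D of "Dodgers", which lets the row-plus-column calculation and the 44 to 4D selection be checked against known bytes.

```python
# Added example (not from the original article): a minimal hex-editor view with
# the address, hex and character areas, and the offset arithmetic from the text.
# SAMPLE is a constructed 96-byte buffer, not a real file.
import string

PRINTABLE = {ord(c) for c in string.printable if c not in "\t\n\r\x0b\x0c"}

# Constructed: a ZIP-style 4-byte signature, 64 bytes of padding, then text,
# padded to 0x60 bytes so that offset 0x44 falls on the 'D' of "Dodgers".
SAMPLE = (b"\x50\x4B\x03\x04" + b"\x00" * 64 + b"Dodgers win World Series\n").ljust(0x60, b"\x00")


def hexdump(data: bytes, width: int = 16) -> list:
    """One row per `width` bytes: hex address | hex bytes | characters ('.' if unprintable)."""
    rows = []
    for base in range(0, len(data), width):
        chunk = data[base:base + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        charpart = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        rows.append(f"{base:08X}  {hexpart}  {charpart}")
    return rows


def offset_of(row_address: int, column: int) -> int:
    """The row label is the offset of its first byte; add the column to get the caret offset."""
    return row_address + column


def ordinal(offset: int) -> int:
    """Offsets count from zero, so offset 0x44 (decimal 68) is the 69th byte of the file."""
    return offset + 1


def select(data: bytes, first: int, last: int) -> bytes:
    """Bytes at offsets first..last inclusive, the range a status bar reports as e.g. 44-4D."""
    return data[first:last + 1]


if __name__ == "__main__":
    for row in hexdump(SAMPLE):
        print(row)
    caret = offset_of(0x40, 4)
    print(f"caret at offset {caret:X} = byte #{ordinal(caret)}: {select(SAMPLE, 0x44, 0x4D)!r}")
```

The row labelled 00000040 reads 00 00 00 00 44 6F 64 67 ... in the hex area and ....Dodgers win in the character area; by coincidence the byte at offset 0x44 is itself 0x44, the ASCII code for D, which is a useful reminder that the address column and the data column are different things even when they show the same digits.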

Why Would a Cybercrime Investigator Use a Hex Editor?

Computer programmers and software engineers may need a hex editor for debugging or for patching a file, among other things. Attackers can embed code in regions of a file that its normal reader ignores, without damaging the usability or functionality of the file, and thereby hide their malware. Cybercrime investigators, however, have other uses for a hex editor.


Analyzing File Signatures

In most file formats, bytes at the beginning (and sometimes at the end) of the file are set aside for specific information and metadata. In particular, the first several bytes usually identify what type of file it is: a Word document, a JPEG image, an executable, and so on. This is the file's signature (also called its magic number). File signatures are well-known values, and listings of them are published in several places online. Wikipedia has a list of file signatures together with the offset at which each is found in the file. Cybersecurity expert Gary Kessler maintains a user-friendly file signature database (Figure 4).


Consider an ODT file, the extension for an OpenDocument text document, the format produced by the word processor LibreOffice. An ODT file has 50 4B 03 04 as its first 4 bytes (Figure 4). Note what that signature actually says: 50 4B is "PK", and 50 4B 03 04 is the signature of a ZIP archive, because an ODT file is a ZIP container holding XML parts. DOCX, XLSX, JAR and APK files start with the same four bytes. What marks the container as an ODT is its contents: the OpenDocument specification requires an uncompressed entry named mimetype, stored first, containing the string application/vnd.oasis.opendocument.text, so a hex editor shows that string in the character area within roughly the first hundred bytes of the file.


This matters for people in digital forensics because cybercriminals change file extensions to hide files. For example, they may try to hide a Word document containing stolen passwords by renaming its extension from DOC to PNG. The bytes inside still begin with the document's own signature (D0 CF 11 E0 A1 B1 1A E1 for a legacy .doc file) rather than the PNG signature (89 50 4E 47 0D 0A 1A 0A). Most forensic software identifies such signature/extension mismatches automatically. The investigator still needs to look at the raw data to understand what the file actually is. Then, working on a copy rather than the original evidence (compute and record a hash such as SHA-256 of the original first, so you can show it was never altered), give the copy the correct extension so that the appropriate application opens it. Rewriting bytes inside an evidence file is rarely necessary and undermines its integrity; editing is for working copies, test files and carved fragments.


Figure 4: file signature listing (image not reproduced here), source: https://filesignatures.net/
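The signature check described in this section, as an added example (written for this edit, not code from the original article or from any of the signature databases it cites): a small signature table of the kind those listings contain, a mismatch test between extension and signature, the look inside a ZIP container that tells an ODT from a DOCX or a JAR, and an evidence hash. The ODT is constructed in memory with Python's zipfile module; the OLE2 "renamed DOC" is a bare signature plus padding, not a real document.

```python
# Added example (not from the original article): identify a file from its leading
# bytes and flag an extension that does not match. The signature table is a short
# excerpt of the kind of listing the text points to; the ODT sample is constructed
# in memory with zipfile. Work on a copy and record the hash before looking.
import hashlib
import io
import zipfile

# (offset, magic bytes, kind, extensions that legitimately carry this signature)
SIGNATURES = [
    (0, bytes.fromhex("504B0304"),         "zip",  {"zip", "docx", "xlsx", "pptx", "odt", "ods", "jar", "apk"}),
    (0, bytes.fromhex("D0CF11E0A1B11AE1"), "ole2", {"doc", "xls", "ppt", "msg"}),
    (0, bytes.fromhex("89504E470D0A1A0A"), "png",  {"png"}),
    (0, bytes.fromhex("FFD8FF"),           "jpeg", {"jpg", "jpeg"}),
    (0, b"%PDF",                           "pdf",  {"pdf"}),
    (0, b"MZ",                             "pe",   {"exe", "dll", "sys", "scr"}),   # 2-byte magic: weak on its own
]


def signature_kind(data: bytes) -> str:
    """Match the bytes at each table offset; first hit wins."""
    for offset, magic, kind, _ in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def zip_detail(data: bytes):
    """ODT/DOCX/JAR all start with PK\\x03\\x04; the entries inside say which one it is.
    OpenDocument stores an uncompressed 'mimetype' entry first; OOXML has [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "mimetype" in names:
                return z.read("mimetype").decode("ascii", "replace").strip()
            if "[Content_Types].xml" in names:
                return "ooxml"
            return "zip"
    except zipfile.BadZipFile:
        return None   # signature present but archive structure broken: truncated or carved fragment


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name's extension is not one the detected signature allows."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = signature_kind(data)
    for _, _, k, exts in SIGNATURES:
        if k == kind:
            return ext not in exts
    return False   # unknown signature: nothing to compare against


def evidence_hash(data: bytes) -> str:
    """SHA-256 of the bytes as found; re-hash after analysis to prove nothing changed."""
    return hashlib.sha256(data).hexdigest()


def make_odt_sample() -> bytes:
    """Constructed stand-in for a LibreOffice document: a ZIP with the ODF mimetype entry first."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", "<office:document-content/>", compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    odt = make_odt_sample()
    print(odt[:4].hex().upper(), signature_kind(odt), zip_detail(odt))   # 504B0304 zip application/...
    renamed_doc = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 504     # constructed OLE2 header
    print(evidence_hash(renamed_doc))
    print(extension_mismatch("passwords.png", renamed_doc))             # True
```

Two design points worth noticing. The first-hit table is exactly as weak as the shortest magic in it: "MZ" is two bytes, so a text file that happens to start with those letters would be reported as an executable, which is why real tools validate more of the header. And `zip_detail` returning None for a fragment that carries the PK signature but no central directory is the normal outcome when the bytes came from carving rather than from an intact file.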

Other Uses

Another use of hex editing is recovering deleted files from a drive. Deleted data can sometimes be recovered if the operating system has not yet overwritten it. Deleting a file or moving it to the trash does not erase its contents; it tells the file system that the space the file occupied (the literal bits on the disk) is free to be reused by new data. Such space is called unallocated space. A forensic investigator can use a hex editor to find the entire file, or fragments of it, in unallocated space. Piecing a file together this way is called file carving: search the unallocated space for the file header (the file signature) and the matching file footer, then extract the header, the footer and everything in between. That should be the file. In practice a few things complicate this: not every format has a footer (some headers instead carry a length field you can use), a file that was stored fragmented across non-adjacent clusters will not come out contiguous, and the footer may already have been overwritten, leaving only a fragment. Carving tools such as foremost, scalpel and PhotoRec automate the search across whole disk images; a hex editor is how you verify what they found.

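Header-and-footer carving as just described, as an added example (written for this edit, not code from the original article or from any carving tool): it scans a constructed "unallocated space" buffer for JPEG and PNG signatures, pairs each header with the next footer within a size limit, and reports a header with no footer in range as a fragment rather than silently swallowing everything to the end of the buffer. The PNG is generated in memory with zlib and struct and is a valid image; the JPEG is a header-plus-footer stub with no real image data, and the filler is chosen so that it contains none of the markers.

```python
# Added example (not from the original article): header/footer carving over a
# constructed "unallocated space" buffer. The PNG is generated in memory with
# zlib/struct; the JPEG is a bare header-plus-footer stub, not a decodable image.
import struct
import zlib

PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")
# kind -> (header, footer). PNG's footer is the IEND chunk type plus its fixed CRC.
CARVERS = {
    "jpeg": (bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
    "png":  (PNG_MAGIC, bytes.fromhex("49454E44AE426082")),
}


def png_chunk(kind: bytes, body: bytes) -> bytes:
    """Length, type, data, CRC-32 over type+data: the PNG chunk layout."""
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body) & 0xFFFFFFFF)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """A valid black RGB PNG of the given size (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)       # 8-bit RGB, no interlace
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height                # filter byte + pixels per row
    return PNG_MAGIC + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


def carve(space: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan for every known header; pair it with the next footer within max_size.
    Returns (kind, offset, bytes-or-None) sorted by offset; None marks a header with
    no footer in range (truncated, fragmented or overwritten file)."""
    found = []
    for kind, (head, foot) in CARVERS.items():
        pos = 0
        while (start := space.find(head, pos)) != -1:
            end = space.find(foot, start + len(head), start + max_size)
            if end == -1:
                found.append((kind, start, None))
                pos = start + len(head)
            else:
                end += len(foot)
                found.append((kind, start, space[start:end]))
                pos = end
    return sorted(found, key=lambda hit: hit[1])


# Constructed unallocated space: filler that contains none of the markers, a JPEG
# stub, a real PNG, and a JPEG header whose footer was overwritten.
FILLER = bytes(range(256))
JPEG_STUB = bytes.fromhex("FFD8FFE000104A46494600010100000100010000") + b"\x00" * 32 + bytes.fromhex("FFD9")
JPEG_TRUNCATED = bytes.fromhex("FFD8FFE000104A464946") + b"\x11" * 16
UNALLOCATED = FILLER + JPEG_STUB + FILLER + make_png() + FILLER + JPEG_TRUNCATED + FILLER


if __name__ == "__main__":
    for kind, offset, blob in carve(UNALLOCATED):
        print(f"{kind:5} at offset 0x{offset:X}: {'fragment' if blob is None else f'{len(blob)} bytes'}")
```

The `max_size` bound matters on a real image: without it, a JPEG header whose footer was overwritten would be paired with the footer of some unrelated JPEG megabytes further on, producing a "file" that is mostly other people's data. Verifying a carved PNG is also easy with a hex editor, since the last twelve bytes must be 00 00 00 00 49 45 4E 44 AE 42 60 82.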

A second use of hex editing is identifying timestamps. Timestamps are records of when something happened. For an investigator attempting to establish when a suspect accessed a file, they are essential. A suspect may attempt to change the dates on a file to suggest they did not touch it during a specified time: "The file's last access date was 2:00 PM on 8/25/2019, but witnesses saw me surfing at around that time, so it must have been someone else!"


The operating system does record when a file was created, modified and accessed, but not inside the file itself: it keeps these values in the file system's own metadata structures, at fixed offsets within those structures. On NTFS, for example, a file's record in the Master File Table ($MFT) holds a $STANDARD_INFORMATION attribute whose first 32 bytes are four 64-bit timestamps (created, modified, MFT record modified, accessed), and a $FILE_NAME attribute that carries its own copy of the same four. Each is stored as a Windows FILETIME: a little-endian 64-bit count of 100-nanosecond intervals since 1 January 1601 UTC, which in a hex editor is simply eight bytes with no obvious meaning until decoded. Many file formats also carry their own internal timestamps (the EXIF data in a JPEG, the core-properties part of a DOCX) at known places inside the file. Using a hex editor, a computer investigator can find and decode these raw values rather than relying on what the file manager displays. Two caveats from practice: the $STANDARD_INFORMATION times are easy to alter with readily available "timestomping" tools, whereas the $FILE_NAME copies are updated only by the kernel, so a disagreement between the two sets is itself a lead; and Windows has disabled last-access-time updates on NTFS by default since Windows Vista, so an unchanged access time does not prove the file was never opened.

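Decoding raw timestamp bytes, as an added example (written for this edit, not code from the original article): a FILETIME decoder and encoder, a 32-bit Unix time decoder for comparison, a decoder for the four timestamps at the start of an NTFS $STANDARD_INFORMATION attribute body, and a scanner that walks a buffer looking for 8-byte values that decode into a date window, which is how an analyst locates timestamps in a structure whose layout is not known. The attribute layout (four FILETIMEs at offsets 0x00, 0x08, 0x10 and 0x18) is NTFS's; the record bytes are constructed, with the last-access value set to the 2:00 PM, 8/25/2019 time from the text.

```python
# Added example (not from the original article): decode raw timestamp bytes as an
# investigator reads them in a hex editor, and scan a buffer for values that fall
# in a date window. The $STANDARD_INFORMATION layout (four FILETIMEs at offsets
# 0x00, 0x08, 0x10, 0x18) is NTFS's; the record bytes themselves are constructed.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(raw: bytes) -> datetime:
    """Windows FILETIME: 64-bit little-endian count of 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse, for a UTC-aware datetime; done in integers so microseconds survive the round trip."""
    delta = when - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def unixtime_to_datetime(raw: bytes, little_endian: bool = True) -> datetime:
    """32-bit Unix time (seconds since 1970-01-01 UTC), as in ext4 inodes and many file formats."""
    (secs,) = struct.unpack("<I" if little_endian else ">I", raw)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def decode_standard_information(attr: bytes) -> dict:
    """The first 32 bytes of the attribute body are the four MAC-style timestamps."""
    return {name: filetime_to_datetime(attr[i * 8:i * 8 + 8])
            for i, name in enumerate(STANDARD_INFORMATION_FIELDS)}


def scan_filetimes(buf: bytes, earliest: datetime, latest: datetime, step: int = 8) -> list:
    """Every aligned 8-byte window that decodes to a date inside [earliest, latest]."""
    hits = []
    for off in range(0, len(buf) - 7, step):
        try:
            when = filetime_to_datetime(buf[off:off + 8])
        except OverflowError:          # garbage that decodes past year 9999
            continue
        if earliest <= when <= latest:
            hits.append((off, when))
    return hits


# Constructed record: 64 bytes of slack, then a $STANDARD_INFORMATION body whose
# last-access time is the 2:00 PM, 8/25/2019 value from the text.
ACCESSED = datetime(2019, 8, 25, 14, 0, tzinfo=timezone.utc)
RECORD = (b"\x00" * 64
          + b"".join(datetime_to_filetime(ACCESSED - timedelta(days=d)) for d in (30, 2, 2, 0))
          + b"\x00" * 16)


if __name__ == "__main__":
    print(datetime_to_filetime(ACCESSED).hex(" ").upper())          # the eight bytes a hex editor shows
    for name, when in decode_standard_information(RECORD[64:]).items():
        print(f"{name:13} {when:%Y-%m-%d %H:%M:%S} UTC")
    window = (datetime(2019, 1, 1, tzinfo=timezone.utc), datetime(2020, 1, 1, tzinfo=timezone.utc))
    print(scan_filetimes(RECORD, *window))
```

The scanner is the useful part when the structure is unfamiliar: run it over an MFT record, an $INDEX_ROOT, a registry hive or a chunk of unallocated space with a window of a few months around the incident, and the offsets it returns are where the timestamps live. Zero bytes decode to 1601 and random bytes usually decode to a date far outside any plausible window, so false positives are rare at 8-byte alignment; drop `step` to 1 for structures that are not aligned, at the cost of more noise.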

A third use is identifying malware embedded in a file. Attackers can embed code in areas of a file that its normal reader ignores, without damaging the usability or functionality of the file, and thereby hide their malware. A common practice is to embed malicious code in a document: a macro in an Office file, a script or an embedded executable in a PDF, or a payload simply appended after the point where the image or document format says the file ends. The target opens the document and the malware executes on their computer. Cybercrime investigators can use a hex editor to spot such content: an executable's MZ header inside a document, readable script or URLs in what should be binary image data, or data continuing past the format's end marker.

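Two of those checks in code, as an added example (written for this edit, not code from the original article or from any malware scanner): detecting bytes that continue past a JPEG or PNG end marker (an "overlay"), and locating a Windows PE executable hidden inside a file by the two-stage MZ then PE\0\0 test rather than by the letters MZ alone. The "trojaned" JPEG and the PE stub are constructed bytes, not a real image or a real executable.

```python
# Added example (not from the original article): two checks an analyst makes with
# a hex editor on a document suspected of carrying code: bytes appended after the
# format's end marker (an "overlay"), and a Windows PE header hidden inside. The
# document and payload bytes are constructed stubs.
import struct

# kind -> (header, end-of-file marker). First end marker wins; a JPEG with an EXIF
# thumbnail has an earlier FFD9, so treat a hit as a lead to inspect, not proof.
END_MARKERS = {
    "png":  (bytes.fromhex("89504E470D0A1A0A"), bytes.fromhex("49454E44AE426082")),
    "jpeg": (bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
}


def trailing_data(data: bytes):
    """(kind, overlay_offset, overlay_length) when bytes follow the end marker, else None."""
    for kind, (head, tail) in END_MARKERS.items():
        if not data.startswith(head):
            continue
        end = data.find(tail, len(head))
        if end == -1:
            return None                      # no end marker: truncated, not overlaid
        end += len(tail)
        return (kind, end, len(data) - end) if end < len(data) else None
    return None


def find_pe_headers(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (DWORD at +0x3C) points at a 'PE\\0\\0' signature.
    The two-stage check avoids false positives on the letters MZ in ordinary text."""
    hits = []
    pos = 0
    while (mz := data.find(b"MZ", pos)) != -1:
        pos = mz + 2
        if mz + 0x40 > len(data):
            break
        (e_lfanew,) = struct.unpack_from("<I", data, mz + 0x3C)
        if 0x40 <= e_lfanew <= 0x1000 and data[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
            hits.append(mz)
    return hits


def make_pe_stub() -> bytes:
    """Constructed: DOS header with e_lfanew = 0x80, then the PE signature and padding."""
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x80)
    return dos.ljust(0x80, b"\x00") + b"PE\0\0" + b"\x00" * 60


CLEAN_JPEG = bytes.fromhex("FFD8FFE000104A46494600010100000100010000") + b"\x00" * 16 + bytes.fromhex("FFD9")
# Constructed: the same JPEG with text that merely contains "MZ", then a real PE header stub, appended.
TROJANED_JPEG = CLEAN_JPEG + b"MZ is just text here" + make_pe_stub()


if __name__ == "__main__":
    print(trailing_data(CLEAN_JPEG))                     # None
    print(trailing_data(TROJANED_JPEG))                  # ('jpeg', 38, 212)
    print([hex(o) for o in find_pe_headers(TROJANED_JPEG)])   # ['0x3a']
```

In a hex editor the same two checks are done by eye: jump to the end of the file and look for FF D9 (or the IEND chunk) well before the last byte, and search for the string PE followed by two null bytes rather than for MZ, which occurs in ordinary text far too often to be a useful search term on its own.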

Those uses of a hex editor are exciting but beyond the purview of this essay. Here are some resources for those who want to explore further:


Conclusion

Hex editing at first appears to be a complex activity. However, it is easier than it first looks. Identifying file signatures, carving files, identifying timestamps, and more are made simpler with the assistance of the computer investigation community. Online resources tell the investigator where a given piece of data, a timestamp or a file signature, is expected to be found, and what values to expect. So once a person knows what to look for, it is a straightforward activity. The key is to embed yourself in that community so that those resources are easier to find. One well-known organization is the International Society of Forensic Computer Examiners (ISFCE). Another, aimed primarily at law enforcement, is the International Association of Computer Investigative Specialists (IACIS).


Hex editing is also made easier by the fact that computers do not change their behavior on their own. Therefore, once you learn a process, it does not change: file carving works the same way for as long as you are working with the same file system and the same file formats. Once you have learned it, you have got it! This is in stark contrast to the criminals using these computers, who are always inventing new types of criminal behavior facilitated by computer technology. That is frustrating, but it will keep computer investigators employed for a long time!


Translated from: https://medium.com/@roderickshawngraham/an-introduction-to-hex-editing-for-cybercrime-investigators-15041a1f3911
