How Hex Editors Help Solve A Cybercrime Investigation

The file’s data binary format representation can provide a lot of useful information about a file. A hex editor is used to work with binary data. In this article, we’ll explain what a hex editor is, how cybercrime investigators can use hex editing, and how to hex edit easily using UltraEdit.

What is a hex editor?

A hex editor is a computer program used to view and edit binary files (also called a binary editor).

Binary files are files that contain data in machine-readable form. Information that is displayed in binary format can also easily be represented in hexadecimal format. The hexadecimal data format is more human-friendly than the binary one. In addition, it requires four times less space. Hex codes represent the physical data of files, and hex editors allow you to edit them.

Hex editing software allows you to open, view, and edit the contents of all file formats. Programmers can use the data obtained from the hex editor to debug the code.

Typically, a hex editor consists of three areas: an address area, a hexadecimal representation area, and a character area.

Address area

The address area is usually located on the left side of the hex editor. It displays the address of the first byte of each line. Addresses can be displayed in hexadecimal or decimal format.

Hexadecimal code representation area

The hexadecimal codes are in the middle part of the editor. Each byte of the file is represented in hexadecimal. Numbers from 0 to 9, as well as letters A, B, C, D, E, F are used to write the hexadecimal code.

Character area

The character area is to the right of the hex editor. It displays the ASCII representation of all bytes of the file. Each byte encodes a certain character or a special code that cannot be written in the character area.

An Introduction to Hex Edit for Cybercrime Investigators

How can you use the hex edit for Cybercrime investigation?

The hex editor has several different uses for cybercrime detection.

Detecting malware embedded in a file

Attackers can inject code into the file without changing its functionality. For example, embed malicious code in a document. The user will not be aware of the malware and will open the document.

Cybercrime investigators can use a hex editor to find malicious code.

Analysis of file signature

Information about the file type is encoded in a few bytes at the beginning of the file. This is the file signature. Often, cybercriminals change the file extension to hide the file or the data it contains. You need to look at the raw (binary) data to find out which file it actually is.

Data recovery

When deleting a file, the operating system does not erase it. If the space occupied by the file has not been overwritten, then the file can be restored. Using a hexadecimal editor, specialists can find fragments of a file on disk space and combine them. In this way, technicians can completely restore a file.

Identifying timestamps

The operating system fixes the date and time of file access and stores them in a file with a certain offset. Using a hex editor, investigators can find and decode the time stamp. This allows them to find out when the attacker gained access to the file.

Why should you choose UltraEdit for work with hex files?

UltraEdit is a popular text editor. However, apart from the basic editing features, it also offers a hexadecimal editing mode. UltraEdit provides you the ability to view and edit hexadecimal and binary data.

Using UltraEdit, you can easily search for errors in your files that cannot be seen in plain text. It also provides many other useful features such as syntax highlighting, quick search, easy navigation, etc.

The main features of the UltraEdit hex editor are:

  • Allows you to edit any binary file.
  • Displays binary and ASCII characters.
  • Ability to set the number of hexadecimal bytes per line.
  • Ability to search and replace, copy, cut, paste, and delete binary data.
  • Supports editing of large files.

Try viewing, analyzing, and editing any file using the free trial version of UltraEdit.


How do I edit a hex file?

To edit a hex file, use the text editor UltraEdit, which has a mode for working with hex data. First, you should select Hex/EBCDIC mode. After that, you can search, replace, copy, paste, and delete hex values.

What does a hex editor do?

The hex editor is used to display and edit binary and hex data. It can open and modify any type of file.

What is hex code editor?

A hex editor (byte editor or binary file editor) is software that allows you to view, analyze, and edit files in hexadecimal code.

Is hex code still used?

Hex code presents binary code in an easy-to-analyze form and provides the ability to work with it. That is why it is widely used by programmers, architects, cyber forensics, and other specialists who need access to raw data.

Why do technicians use hex?

Hex code is often used to represent binary values because it is easier to understand, write and verify, and allows you to represent large numbers with fewer characters.

2 thoughts on “How Hex Editors Help Solve A Cybercrime Investigation”

  1. It would be helpful if UE would expand the functions of the Hex Editor, e.g find/replace dialogs always prompts to close the dialog (y/n).

  2. I’ve used the hex editor feature in UltraEdit for many years for several purposes. I can replace strings in compiled programs and DLLs and determine the compiler used to create an object file. I can use it to find which program is generating a particular message. I use it to determine a file’s type if the file extension has been removed. Years ago I used it pretty regularly to reset the “file corrupt” flag in ISAM files when a user would turn their computer off via the power switch while they had a file open. When I need to view the bits and bytes of a file UltraEdit is my tool.


Leave a Comment