06 February 2016

How to "use" isobuster for free

Since the day when CD burners don't have buffer underrun protection and that my HDD free space actually smaller than CD capacity this little software with cool batman icon always become a lifesaver. That time isobuster still free (pre 1.0 version), now within few years we might discard optical media for data completely (backup is OK though).

Isobuster interpret multisession disc, all kind of ISO 9660 extensions (Joliet, RR), UDF, extra track such HFS or FAT and El-torito boot image. It also show you the important thing: LBA! so you can tell by its physical location which files is vulnerable to disc defect. Finally isobuster do interruptible copying for recovery purpose. The old 0.99.9 still works on modern Windows as long as you run as administrator (or just add elevation manifest to it) but there is no support for UDF.

I know that Isobuster can be used in free (sometime nagging) mode but I'm not talk about that. The tool is FTK Imager Lite by accessdata. This forensic tool known to bundle isobuster 2.4 as shared library from version 2.6 onward, you can get older (and smaller) version via archive.org too. For current version: http://accessdata.com/support/adownloads

The basic important functionality is there, no LBA column list though instead placed in file property panel. No ISO image dumping except forensic image format. And no data carving (isobuster 3?). Overall what make isobuster so special already covered. Enjoy!

Two advanced free hex editors for Windows

Back in the day when all of my software were pirated software, WinHex is the single best thing I ever need. Now to replicate its functionality I have to combine two application HexEdit and TinyHexer or more.

TinyHexer

1. TinyHexer was my first free hex editor, it was the best during its time and probably still if only it support big file. The homepage www.mirkes.de has gone so you need to find mirror for mpth_18.exe or mpthme_18.exe. Here is mirror from softpedia http://download.softpedia.com/kRHV01DUV2Ym8XNnMprEEBK6t2a4wgfe/software/programming/.

TinyHexer's strength lies on good manipulation features and plugins which serious user will establish workflow with this tool. Furthermore tinyhexer is highly extendable, it has Delphi SDK (the file is gone?), scripting and macro replay. TinyHexer also has good reference help including scripting but not covering many of its plugins. One to note somehow tinyhexer doesn't allow paste in overwrite mode, make it hard when you have to combine/patching part of files, another minor inconvenient is the full page mouse scrolling.

HexEdit

2. HexEdit (okay what an ambiguous name here :P) the homepage is http://www.hexedit.com/. Personally I use this as tinyhexer replacement, but not for all features otherwise some are overlapped between the two. For example HexEdit missing opening process' memory but beside that HexEdit is completely different kind of hex editor. The overwhelming editing aids such track changes, mark/bookmark, highlighter, etc really make HexEdit like a word processor for binary files. Manipulation feature also extensive, lots of bitwise operation and conversion it even has data encryption (built-in) and arbitrary compression (via Zlib). HexEdit also have user expandable file structure template for analysis similar to tinyhexer.

One of its unique feature (WinHex can do this) that I like is "Keep Same Time" toggle which keep file date modification once you done editing. Its search function is comparable (no regexp unfortunately) but slower to tinyhexer. Startup also rather slow probably because its complex UI (based on MFC). The bundled manual is excellent, you'll need it for something like this. HexEdit also extendable via macro replay. In short HexEdit is the most advanced (if not overkill) open source hex editor I have ever used.


The niche extras. Two more hex editor deserve mention here for its built-in live disassembly and other for low-level operation.

FileInsight

3. FileInsight from McAfee http://www.mcafee.com/us/downloads/free-tools/index.aspx is hex editor specific for malware analysis so large file support is not a concern. Live disassembly is done using libdasm, by the way it will produce assembly for *any* interpretable binary data. The interface is rather flashy :D, I think this is a Delphi app. Its PE structure analysis is on par with the tinyhexer's plugin. And despite being niche, FileInsight also extendable, this time using JavaScript (via built-in spidermonkey engine) or Python (need preinstalled python). Note that open source wxHexEditor also can do live disassembly (via udis86) with other feature similar to the popular HxD.


disk editor
 
4. Active @ Disk Editor http://lsoft.net/disk_utilit.aspx is a low-level access hex editor that I have no other free comparison. The first two hex editor here able to open disk in raw however without the ability to traverse or sync with actual filesystem those two miss the usefulness. Most forensic tools also do low-level (raw mode) but usually for read-only acquisition and reinterpret the filesystem wholly including orphaned files (recovery) which Active @ Disk Editor doesn't (that what paid Active @ UNDELETE will do). Supported filesystem include: NTFS, FAT, HFS+, ExtFS, UFS and BtrFS. Like hexedit and tinyhexer, diskeditor also have templates in this case: boot record, partition table and so on. I found the interface rather confusing (Qt based) and could be more streamlined but this is no major issue. As bonus it could edit disk images too.