Hex Search in Oxygen Forensic® Detective

Oxygen Forensic® Detective v.14.3 has introduced the ability to search by hex in file content during data import or in the Search section. Let’s have a closer look at this functionality.

To start using this feature, switch to the Hex tab in the Search section. Here, users  can manually enter any hex sequence. Before pressing the Search button, users  can also select to search in all the files or in specific ones, like databases, media, JSON files, etc. Additionally, investigators will have the option to limit the maximum number of matches within a file.

Image 1. Hex search settings

To access detailed Hex settings, which include the offset type, the context length, and encoding, press the View button and click the Options menu.

Image 2. Hex settings

To use hex lists, switch to the Hex lists tab and click the button to open the Hex lists manager. In the manager, there are 4 pre-installed lists – Archives, Audio, Images, and Video. Each list contains hex sequences that are signatures of the displayed file types. Investigators can also create, edit, save, and delete their own hex lists.

Image 3. Hex Lists Manager

Once the hex search is completed, the results will be shown in the grid. The entry will be highlighted and will have its offset. Users  can view the details of every found entry on the right sidebar, as well as navigate to the source section by clicking on the source file link.

Image 4. Hex Search Results 

To use hex search at data import, investigators must enable search and select a hex list from the opened Manager.

Image 5. Search by Hex lists at data import  

Search by hex can help investigators look deeper in the file content, thus allowing them to  solve cases more efficiently. Two major ways that a hex search can benefit an investigation are:

  • Search for files by their signature, if this signature is not present in the known databases of headers and extensions in the software. For example, it can be a new file type or a rare file type. 
  • Search for specific types of files embedded within other files. 

Interested in trying this new feature but don’t have an Oxygen Forensic® Detective license? Request a free, fully-equipped, 20-day trial by clicking here.