HEX_SECT



Author: Dan Mares, dmares @ maresware . com
Portions Copyright © 1998-2021 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275


PURPOSE

The purpose of HEX_SECT is to allow the viewing and editing of physical sectors of floppy and hard disks. Hex_sect displays individual sectors on the screen and gives the user the ability to edit the sector, save it to a disk file for further analysis, or read from a file and write the data from the file to the disk.

HEX_SECT is one of the few sector editors that will run from DOS and will work on hard drives larger than 8 gigabytes, thus giving law enforcement and forensic examiners an added ability which was lost when 8 gig drives came on the scene.

One anomaly occurs when working within a DOS box (window) under Windows 9X. If the DOS window is not full screen, because of the way the graphics are designed, the DOS window is made to run full screen while the program is running. When the program ends, the properties of the DOS/Command Prompt window have been changed to full screen. If you want the DOS window to not be full screen, the properties have to be adjusted. Sorry, this isn't me, it's WIN9X allowing this to happen. (This doesn't happen under NT.)

NOTE: when help screens are displayed, up and down arrows scroll the text within the help window. Return or Escape will exit the help screens.



OPERATION

If no disk (-d option) is chosen on the command line at program startup, the program attempts to identify all the physical hard drives on the system and displays disk parameters for each. There will be a star (*) next to the type of disk translation that is being used by the program.

The user is then asked to pick a disk from 0->the number of disks found. After the user selects the proper disk, the program proceeds to read the first sector of the drive and displays the contents.

If the -d option is used, the program uses that drive without asking the user for additional input.

If your system has multiple disks with different formats (e.g. Linux, NTFS, DOS, WIN9X), it is suggested you let the program display the choices once or twice until you get used to how the BIOS numbers the hard drives. (Generally the BIOS numbers the drives starting at the IDE, and then the SCSI drives, regardless of the operating system on the drives.)

HEX_SECT will display a disk sector in both hexadecimal and ASCII characters. Those ASCII characters not capable of being printed (i.e. the backspace, bell, carriage return, and HEX FF) are displayed as dots (.) in the ASCII window. Most other characters are displayed with their graphic equivalent.

The data is displayed in two side by side windows. The left being the hex and the right being the ASCII representation of the characters. A highlighted cursor allows for easy association of the two sides of the screen.

Directly under the hex values (last line and on the right side of the hex window) are three numbers, generally displayed in green. These numbers are the character (1 byte), integer (2 bytes), and long (4 bytes or DWORD) values of the character(s) that the cursor is currently pointing to. These values are useful when trying to decode hex values without a calculator. Under the ASCII window, in black and white, is the binary representation of the single character currently highlighted.

In normal (non-editing) mode, cursor movement is accomplished by the traditional use of arrow keys, the home, page up and down, backspace, plus (+), minus (-), the return/enter key, and the F2 and F3 keys (F1 gets help). Normal window colors are yellow over blue, and highlighted characters are red.

On the lower 2 lines of the screen are minimal help directions and in the lower right corner of the screen is printed (in red) the current position of the cursor (relative to 1 within the sector). This is helpful when determining positions (displacements) of certain characters.
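The three values under the hex window and the 1-relative cursor position described above can be reproduced when checking a saved sector by hand. This is an added example, not HEX_SECT's own code; it assumes unsigned, little-endian (x86) decoding, shows only bytes 0x20-0x7E as printable, and uses a constructed sample sector.

```python
import struct

SECTOR_SIZE = 512

def cursor_values(sector: bytes, position: int) -> dict:
    """Decode the values that start at a 1-relative cursor position.

    Assumptions (not stated on the page): unsigned, little-endian.
    A width that would run past the end of the sector decodes to None.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one full 512-byte sector")
    if not 1 <= position <= SECTOR_SIZE:
        raise ValueError("position is 1-relative: 1..512")
    off = position - 1                      # 0-based offset into the buffer
    out = {"binary": format(sector[off], "08b")}
    for name, fmt in (("char", "<B"), ("integer", "<H"), ("long", "<I")):
        fits = off + struct.calcsize(fmt) <= SECTOR_SIZE
        out[name] = struct.unpack_from(fmt, sector, off)[0] if fits else None
    return out

def dump_row(sector: bytes, position: int, width: int = 16):
    """Return (hex text, ASCII text) for the row containing the cursor."""
    start = (position - 1) // width * width
    row = sector[start:start + width]
    hex_part = " ".join(f"{b:02X}" for b in row)
    # Assumption: anything outside 0x20-0x7E is shown as a dot here;
    # HEX_SECT itself shows most other bytes as graphic characters.
    ascii_part = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in row)
    return hex_part, ascii_part

# Constructed sample sector (not taken from a real disk)
_buf = bytearray(SECTOR_SIZE)
_buf[0:4] = b"\x78\x56\x34\x12"
_buf[4:9] = b"MARES"
_buf[510:512] = b"\x55\xAA"
SAMPLE = bytes(_buf)

if __name__ == "__main__":
    print(dump_row(SAMPLE, 1))
    for pos in (1, 511, 512):
        print(pos, cursor_values(SAMPLE, pos))
```
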

Also in this bottom window are displayed the disk parameters such as number of cylinders, heads, and sectors per track, and the actual CHS you are viewing (both in CHS and logical notation).

To move to a specific sector the user can use the F2, F3, plus (+), minus (-), enter key, backspace key, page up and down keys. Each of them moves to a predetermined location as described here:

F2: ==    Go to first sector of the disk.
F3: ==    Go to the last sector of the disk. (Logical sectors are numbered from 0 -> one less than the total number of sectors. So if we had a floppy with 2880 sectors, the sector count would go from 0 -> 2879.)
F4: ==    Perform a String search.
F5: ==    Repeat last string search.
Plus (+), or return key: ==     Go to next sector.
Minus (-) or backspace:  ==     Go to prior sector.
Page UP:  == Go to next head. (cylinder and sector remain the same).
Page DN:  == Go to prior head. (cylinder and sector remain the same).
Home key: == Go to first character of sector.
End key:  == Go to last character of the sector.

To go to a specific sector the user can enter the logical sector number (from 0 -> one less than the total number of sectors) in the lower window. Or, if a CHS (cylinder head sector) value is used for an absolute sector, you can enter the values separated by spaces (i.e. 0 0 1). When using disks which operate in LBA mode, it is often preferable to use the logical (single number) notation, because the CHS may not always be converted correctly.

When entering the values, if a single value is entered, the program assumes it is a logical sector value, and when it detects a trio of numbers it assumes a physical CHS designation. The trio can also be entered with dashes (-) as delimiters (0-0-1). Cylinder and head values begin at 0 and end one less than the max. So to enter the last head of a drive with 255 heads you would enter 254. Sector numbers begin at 1.
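The input rules above (one number is a logical sector, a trio is CHS, cylinders and heads start at 0, sectors start at 1) can be checked against the standard CHS/logical mapping. This is an added example, not HEX_SECT's own code; the Geometry type, the function names and the 80 x 2 x 18 floppy geometry (2880 sectors) are constructed for illustration.

```python
import re
from typing import NamedTuple

class Geometry(NamedTuple):
    cylinders: int
    heads: int
    sectors_per_track: int

    @property
    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

# Constructed sample geometry: 80 x 2 x 18 = 2880 sectors (logical 0..2879)
FLOPPY = Geometry(80, 2, 18)

def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """Cylinder and head count from 0, sector counts from 1."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads
            and 1 <= s <= geo.sectors_per_track):
        raise ValueError(f"CHS {c} {h} {s} is outside {geo}")
    return (c * geo.heads + h) * geo.sectors_per_track + (s - 1)

def lba_to_chs(geo: Geometry, lba: int) -> tuple:
    if not 0 <= lba < geo.total_sectors:
        raise ValueError(f"logical sector {lba} is outside 0..{geo.total_sectors - 1}")
    c, rem = divmod(lba, geo.heads * geo.sectors_per_track)
    h, s0 = divmod(rem, geo.sectors_per_track)
    return c, h, s0 + 1

def parse_address(geo: Geometry, text: str) -> int:
    """Return the logical sector for '2879', '0 0 1' or '0-0-1' style input."""
    fields = re.split(r"[\s-]+", text.strip())
    if not all(f.isdigit() for f in fields):
        raise ValueError(f"not a sector address: {text!r}")
    nums = [int(f) for f in fields]
    if len(nums) == 1:                 # single value: logical sector
        lba_to_chs(geo, nums[0])       # range check only
        return nums[0]
    if len(nums) == 3:                 # trio: physical CHS
        return chs_to_lba(geo, *nums)
    raise ValueError("enter one logical number or a C H S trio")

if __name__ == "__main__":
    for entry in ("0 0 1", "0-0-1", "79 1 18", "2879"):
        lba = parse_address(FLOPPY, entry)
        print(f"{entry!r:>10} -> logical {lba}, CHS {lba_to_chs(FLOPPY, lba)}")
```
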

The escape key will generally get you out of the mode or help screen you are in. Depending on the mode and operation being performed, the escape key may also end the program.

Escape key operations:

MODE          ACTION Taken:

Normal           Quit/Exit program
Edit             Quit edit, ask to write
Help Screen      Exit help, back to Normal
Read from File   Exit mode, back to Normal
Write to File    Exit mode, back to Normal

Control C (^C) always has immediate exit.      

F1: == Will get you cursor movement and other help screens. (to get out of the help screen, use the Escape key).
F2: == Goto first sector of disk.
F3: == Goto last sector of disk.
F4: == Perform a string search. The user is provided a window to enter the string into. The tab key switches between entering hex and ASCII characters. Unicode is entered with alternate hex 00's. String entry and search is the same as in the hexedit program.
F5: == Repeat last string search.

NOTE: When the F5 is used, after the end of the disk has been reached, it will continue to wrap around to the first sector and start again. IT DOES NOT STOP until the user hits ESC or it finds another string.

"^W"  (Control W): Will ask the user for a file name and, when provided with one, will write the current sector to that file. The file is NEVER overwritten, it is ALWAYS appended to. The user is asked to provide the number of sectors to write. There is a maximum of 32767 sectors per write, or as many as there are left to the end of the disk (whichever is smaller). A carriage return defaults to the current sector only.

"^R"  (Control R): Will ask the user for a file name to read from. The file must be available and capable of being read from. The file size is checked and the user is asked how many sectors to write to the disk. Only full sectors are written to the disk up to the size of the file or a maximum of 64 sectors (32K), whichever is larger. The user is then asked to confirm the number of sectors to write, and is shown the first sector, 512 bytes of the file (in most cases this should be the only sector to write). If the user again confirms this is the information, all the information is written to the disk. Subsequent sectors are not confirmed (so get it correct the first time).

EDITING MODE:

To enter the edit mode use the F7 key.

F7  ENTER EDIT MODE: This is the key that changes from the NORMAL mode to the EDIT mode.

When in edit mode, the changed characters are red and cursor changes to a blinking block. The cursor is located in the right (ASCII) window by default.

The user at this time can start typing characters. Any characters (except the 4 arrows for cursor movement) are entered into the buffer exactly as typed. The characters typed change colors, indicating which changes were/are being made. Any key except the arrow keys and the ESC key is entered into the sector.

At this point in edit mode, the TAB key toggles between a HEX edit and ASCII edit mode. In HEX edit mode, the cursor shifts to the hex window, and you must enter 2 hex digits (0-9 or A-F) for each hex value. The TAB key again toggles back and forth.

To exit the EDIT mode, use the escape key. At that time the user is asked to write the changes to the disk. If a 'Y' is entered, the changes are committed to disk. Any other key discards the changes. In any case, after the user responds, the windows are updated to reflect the correct contents of the disk sector being viewed.

^C (Control C) will immediately EXIT the program at any time.



COMMAND LINE

C:> HEX_sect
/* runs the program and detects all physical hard drives */

C:> Hex_sect  -d a
/* edit drive A: */

C:> Hex_sect  -d 0
/* edit first physical hard drive #0*/

C:> Hex_sect  -?
/* show help screens */



OPTIONS

-d + #:   Replace the # with a drive letter A: or B: or a physical drive number 0 -> 9. The program will not work under NT on physical drives 0 -> 9, but will work on floppies.

-r   Floppies ONLY. If you have an unusually formatted floppy, try this to allow the program to manually determine the floppy disk parameters. It works in some cases.

-?:  Get the help screen



RELATED PROGRAMS

Norton Diskeditor

Drivespy