
Hex Editors and Digital Forensics: How Investigators Recover Deleted Evidence

Deleting a file doesn't erase it. Learn how forensic investigators use hex editors to recover evidence, identify hidden data, and catch criminals who thought they covered their tracks.

February 7, 2026

When you delete a file from your computer, it doesn't go anywhere. The data is still sitting on your hard drive, completely intact. Your operating system just removed the label — like tearing the table of contents page out of a book. The chapters are all still there.

And forensic investigators know exactly how to find them.

That's what hex editors are for. They're the tool that lets you peel back every layer of abstraction your computer puts between you and the raw data on your disk. No file icons, no folder structure, no friendly interface. Just the actual bytes, staring back at you, waiting to tell you what really happened.

This is one of those topics that fundamentally changes how you think about your computer. Once you understand what a hex editor reveals, you'll never look at "Delete" the same way again.


What a Hex Editor Actually Is

At its core, every file on your computer — every photo, every document, every video, every executable — is just a sequence of numbers. That's it. Your computer stores everything as binary: ones and zeros, grouped into bytes. A byte is 8 bits, which means each byte can represent a number from 0 to 255.

Reading raw binary would be brutal. Imagine staring at a wall of 01001000 01100101 01101100 01101100 01101111 and trying to make sense of it. So instead, we use hexadecimal — base-16 — which condenses each byte into two characters using the digits 0-9 and letters A-F. It's more compact, more readable, and it maps perfectly to binary: each hex digit represents exactly 4 bits.

A hex editor lets you see the raw data of any file, byte by byte, in this hexadecimal format. Think of it as X-ray vision for your hard drive. You're not looking at what the file is supposed to be — you're looking at what it actually is.

Quick example: the word "Hello" is stored as 48 65 6C 6C 6F in hex. Each pair of hex digits is one character. Simple enough. But here's where it gets interesting. File formats have signatures — specific byte sequences at the beginning of the file that identify what type of file it is. These are called magic bytes, and they're the fingerprints of the digital world.

A JPEG image always starts with FF D8 FF. A PDF starts with 25 50 44 46 (which is actually the ASCII text "%PDF"). A ZIP archive starts with 50 4B 03 04 (the letters "PK" — named after Phil Katz, the creator of the format). A PNG image starts with 89 50 4E 47.

This is how forensic tools identify file types even when someone has changed or removed the file extension. You can rename a .doc to .jpg all you want. The magic bytes don't lie.


How Forensic Investigators Use Hex Editors

A hex editor is one of the most fundamental tools in a digital forensic investigator's kit. Not the flashiest, not the most automated — but when other tools fail or when you need to understand exactly what's happening at the byte level, nothing else will do. Here's how they use them.

File Carving

This is the big one. File carving is the process of scanning raw disk data for magic bytes to locate files that the file system says don't exist anymore. Remember — when you "delete" a file, the operating system just marks that disk space as available. The actual bytes are still there, sitting in exactly the same place they were before you hit delete.

A forensic investigator can take a disk image — a complete byte-for-byte copy of the drive — open it in a hex editor, and search for known file signatures. Find FF D8 FF? That's the start of a JPEG. Find 25 50 44 46? That's a PDF. The investigator identifies the start of the file, then looks for the corresponding end marker (for JPEG, that's FF D9), and carves out everything in between. The "deleted" file is now recovered, completely intact.

Specialized tools like Scalpel and Foremost automate this process at scale, but the principle is the same: scan for magic bytes, extract the data between the start and end markers, and reconstruct the file. Hex editors let investigators do this manually when the automated tools choke — on fragmented files, corrupted sectors, or unusual file formats that the carving tools don't recognize.
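The carving loop described above, written out as an added example (this is not the article's code, nor Scalpel's or Foremost's): scan a raw byte buffer for the FF D8 FF start marker, find the FF D9 end marker that follows, and cut out everything in between. The "disk image" is a byte string constructed inside the script, so nothing is read from a real drive; the truncated JPEG at the end of the buffer shows the case the text mentions where a carver has a start marker but no usable end marker.

```python
# Added example: a minimal JPEG carver working purely on magic bytes.
# The sample "disk image" is constructed below; no file system is consulted,
# so a file that was "deleted" is found exactly like a live one.

JPEG_SOI = b"\xff\xd8\xff"   # start of image, as the article lists it
JPEG_EOI = b"\xff\xd9"       # end of image
MAX_JPEG = 64 * 1024 * 1024  # refuse candidates larger than this (hypothetical limit)


def carve_jpegs(image: bytes):
    """Return a list of (offset, carved_bytes) for each JPEG found in image."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > MAX_JPEG:
            # No usable end marker (truncated or fragmented file): this is
            # where automated carvers give up and an examiner works by hand.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a disk image: two fake JPEGs sitting in
    unallocated space, followed by a third one whose end marker is missing."""
    jpeg1 = JPEG_SOI + b"\xe0" + b"JFIF-photo-one" + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe1" + b"Exif-photo-two" + JPEG_EOI
    truncated = JPEG_SOI + b"\xe0" + b"cut-off-no-end-marker"
    filler = b"\x00" * 512
    return filler + jpeg1 + b"unallocated junk" * 8 + jpeg2 + filler + truncated


if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_image()):
        print(f"JPEG at offset {offset:#08x}, {len(data)} bytes: {data[:8].hex(' ')} ...")
```

The scan is deliberately naive: a JPEG whose end marker is missing, or whose bytes are split across non-adjacent sectors, will either be skipped or glued to the next file's end marker. That is the fragmentation problem the paragraph above refers to, and it is why manual inspection in a hex editor still matters.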

Hidden Data Discovery

This is the part that keeps me up at night. Files have defined structures — a beginning, content, and an end marker. But what if someone appends data after the end marker? Your image viewer reads the JPEG, hits FF D9, and stops rendering. It never looks at whatever comes after. But a hex editor shows you everything.

Criminals have used this technique to hide encrypted messages, additional files, and even entire archives appended after a file's legitimate end marker. To any normal program, the carrier file looks and behaves perfectly normally. To a hex editor, the extra data is right there, clear as day.

There's a closely related technique called slack space hiding. When a file is stored on a disk, it occupies a whole number of allocation blocks (typically 4 kilobytes each). If a file is 5 KB, it takes up two blocks — 8 KB total. The remaining 3 KB of the second block is slack space. Old data from previously deleted files can persist in this slack space, and investigators routinely examine it for fragments of evidence.
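Two checks that follow from the last three paragraphs, as an added example rather than the article's own code: does anything sit after the JPEG end marker, and how much slack space does a file leave in its last allocation block? The end marker is located by walking the JPEG segment structure instead of searching for the first FF D9, because an EXIF thumbnail embedded in the header carries its own FF D9 and a naive search stops there. The sample JPEG and the appended bytes are constructed in the script; the 4 KB block size is the one the article uses.

```python
# Added example: appended-data and slack-space checks on a constructed JPEG.

JPEG_EOI = b"\xff\xd9"
BLOCK_SIZE = 4096  # typical allocation block, as in the article


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the outermost FF D9, found by walking segments.

    Header segments (APPn, DQT, DHT, SOF, ...) carry a two-byte length and are
    skipped whole, so an FF D9 inside an embedded thumbnail is never seen.
    After the SOS segment the scan data is searched for FF D9, treating
    FF 00 (byte stuffing) and FF D0..D7 (restart markers) as data.
    """
    if data[:3] != b"\xff\xd8\xff":
        raise ValueError("not a JPEG: missing FF D8 FF")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xD9:           # EOI before any scan: unusual but legal
            return pos + 2
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:           # start of scan: entropy-coded data follows
            scan = pos + 2 + length
            while True:
                idx = data.find(b"\xff", scan)
                if idx == -1 or idx + 1 >= len(data):
                    raise ValueError("truncated scan data: no EOI marker")
                if data[idx + 1] == 0xD9:
                    return idx + 2
                scan = idx + 1       # stuffing, RSTn, or a further scan segment
        pos += 2 + length
    raise ValueError("truncated: ran out of segments before EOI")


def appended_data(jpeg: bytes) -> bytes:
    """Whatever follows the real end marker; a viewer never reads this."""
    return jpeg[jpeg_end_offset(jpeg):]


def slack_bytes(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Unused bytes in the file's last allocation block (5 KB file -> 3 KB slack)."""
    if file_size == 0:
        return 0
    return (-file_size) % block_size


def build_samples():
    """Constructed JPEG: an APP1 segment holding a fake thumbnail that ends in
    FF D9, one SOS segment with stuffed scan data, then the real EOI."""
    thumbnail = b"\xff\xd8\xff\xd9"
    app1_payload = b"Exif\x00\x00" + thumbnail
    app1 = b"\xff\xe1" + (len(app1_payload) + 2).to_bytes(2, "big") + app1_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_payload) + 2).to_bytes(2, "big") + sos_payload
    scan = b"\x12\x34\xff\x00\x56\x78"   # FF 00 is byte stuffing, not a marker
    clean = b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"
    hidden = clean + b"PK\x03\x04appended-archive-bytes"   # constructed payload
    return clean, hidden


if __name__ == "__main__":
    for name, sample in zip(("clean", "hidden"), build_samples()):
        extra = appended_data(sample)
        print(f"{name}: {len(sample)} bytes, {len(extra)} appended after EOI: {extra!r}")
    print(f"5 KB file in 4 KB blocks leaves {slack_bytes(5 * 1024)} bytes of slack")
```

Compare `jpeg_end_offset(clean)` with `clean.find(b"\xff\xd9") + 2`: the structured walk lands on the real end of the file, while the naive search stops inside the thumbnail and would wrongly report the rest of the image as "appended data". Multi-scan (progressive) files are handled by the inner loop continuing past further SOS markers, but this walker is an illustration, not a full JPEG parser.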

File Type Identification

Someone renames a sensitive document from financial_records.xlsx to vacation_photo.jpg, thinking that'll throw off investigators. It won't. Open it in a hex editor, and the first few bytes immediately reveal that this is a ZIP-based Office document (Excel files are actually ZIP archives internally), not a JPEG. The header reads 50 4B 03 04, not FF D8 FF. Case closed. The rename was pointless.
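The two ideas from "What a Hex Editor Actually Is" and from this paragraph, written out as an added example (not the article's or DetectiveOS's code): a hex dump in the usual offset / hex / ASCII layout, a magic-byte lookup using the signatures the article lists, and a check that flags a file whose extension does not belong to the type its header reveals. The sample files, including the spreadsheet renamed to look like a photo, are constructed in the script.

```python
# Added example: hex dump, magic-byte identification and extension check.
# (magic bytes, description, extensions that legitimately carry this header)
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),          # 89 50 4E 47 0D 0A 1A 0A
    (b"%PDF", "PDF document", {"pdf"}),                    # 25 50 44 46
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/PPTX)",   # 50 4B 03 04
     {"zip", "docx", "xlsx", "pptx"}),
]


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way a hex editor does: offset, hex pairs, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08X}  {hex_part}  |{ascii_part}|")
    return "\n".join(lines)


def match_signature(data: bytes):
    """(description, allowed extensions) for the first matching magic, else None."""
    for magic, description, extensions in SIGNATURES:
        if data.startswith(magic):
            return description, extensions
    return None


def identify(data: bytes) -> str:
    """Type name from the header alone, whatever the file is called."""
    match = match_signature(data)
    return match[0] if match else "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header is a known type and the extension does not belong to it."""
    match = match_signature(data)
    if match is None:
        return False  # unknown header: nothing to compare the name against
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in match[1]


# Constructed samples: an Office spreadsheet renamed to look like a photo,
# an honest PDF, and plain text with no signature at all.
SAMPLES = {
    "vacation_photo.jpg": b"PK\x03\x04\x14\x00\x06\x00" + b"constructed-xlsx-payload",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": b"Hello",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        flag = "   <-- extension does not match header" if extension_mismatch(name, data) else ""
        print(f"{name}: {identify(data)}{flag}")
        print(hexdump(data))
```

The table is small on purpose; real identification libraries carry hundreds of signatures, some at non-zero offsets, and an examiner treats a match as a strong hint rather than proof, since magic bytes can be forged just as easily as an extension can be changed.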

Metadata Extraction

File headers and embedded metadata contain a goldmine of information: creation dates, modification timestamps, author names, software versions, device serial numbers, and sometimes even GPS coordinates. Even after someone strips the obvious metadata through a right-click menu, there's often residual data buried in the hex that standard metadata viewers miss. Forensic investigators dig through headers byte by byte to extract every last fragment of identifying information.

Steganography Detection

Unusual patterns in the hex data of an image can indicate that someone has hidden content inside it. If the least significant bits of an image's pixel data show statistical anomalies — patterns that don't match what you'd expect from a natural photograph — that's a red flag. Hex editors let investigators examine pixel data directly and look for the telltale signatures of steganographic embedding. The analysis gets deep, but it starts with looking at the raw bytes.
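One concrete form of the "statistical anomalies in the least significant bits" mentioned above, as an added example that is not part of the article: the pairs-of-values chi-square statistic. In unmodified sample data the counts of values 2k and 2k+1 usually differ; replacing the LSBs with message bits that are about half ones and half zeros pushes every such pair toward equal counts, and the statistic collapses. The pixel data, the embedding used only to build a known-positive sample, and the decision threshold are all constructed here; on a real image the same statistic would be computed over the decoded pixel samples.

```python
# Added example: simplified pairs-of-values chi-square check for LSB embedding.
import random


def pov_chi_square(pixels) -> float:
    """Sum over pairs (2k, 2k+1) of (even - odd)^2 / (even + odd).

    A value near the number of pairs (128 for 8-bit samples) is what random
    LSB replacement produces; untouched data normally scores far higher."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(0, 256, 2):
        even, odd = counts[k], counts[k + 1]
        if even + odd:
            stat += (even - odd) ** 2 / (even + odd)
    return stat


def lsb_embedding_suspected(pixels, threshold: float = 256.0) -> bool:
    """Constructed decision rule: twice the expected value for fully embedded data."""
    return pov_chi_square(pixels) < threshold


def embed_lsb(pixels, bits):
    """Overwrite each sample's LSB with the next bit; used here only to build
    a known-positive test sample for the detector."""
    out = list(pixels)
    for i, bit in enumerate(bits[:len(out)]):
        out[i] = (out[i] & 0xFE) | bit
    return out


def build_cover(seed: int = 1):
    """Constructed 'natural' data: even values three times as common as odd."""
    rng = random.Random(seed)
    pixels = []
    for value in range(256):
        pixels.extend([value] * (30 if value % 2 == 0 else 10))
    rng.shuffle(pixels)
    return pixels


def build_stego(cover, seed: int = 7):
    """Cover with every LSB replaced by a pseudo-random message bit."""
    rng = random.Random(seed)
    return embed_lsb(cover, [rng.getrandbits(1) for _ in cover])


if __name__ == "__main__":
    cover = build_cover()
    stego = build_stego(cover)
    for name, px in (("cover", cover), ("stego", stego)):
        print(f"{name}: chi-square {pov_chi_square(px):.1f}, "
              f"suspected={lsb_embedding_suspected(px)}")
```

For the constructed cover every pair contributes (30 - 10)^2 / 40 = 10, so the statistic is exactly 1280; after embedding, each pair's counts are close to 20/20 and the total lands near 128. Real detectors refine this (sliding windows to locate partially embedded regions, p-values instead of a fixed cut-off), but the raw bytes are where the analysis starts.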


"I Deleted It" Doesn't Mean What You Think

This is the single most important thing most people don't understand about their computers. When you move a file to the Recycle Bin and empty it, your operating system does not erase the data. It marks those disk sectors as "available for reuse." That's all. The bytes are still physically present on the drive.

Think of it like a library. Deleting a file is equivalent to erasing the entry from the card catalog. The book is still on the shelf, exactly where it was. If someone walks through the stacks, they'll find it. That "someone" is a forensic investigator, and a hex editor is how they walk the stacks.

On a traditional hard drive (HDD), deleted data can persist for months or even years. The sectors only get overwritten when new data happens to be stored in that exact location. On a 2 TB drive that's only half full, vast stretches of "deleted" data may never be overwritten at all.

Solid-state drives (SSDs) are trickier. SSDs have a feature called TRIM, which tells the drive's controller that deleted blocks can be wiped for reuse. When TRIM runs, the drive may zero out those blocks in the background, making recovery much harder. But "harder" isn't "impossible." TRIM doesn't always execute immediately, and some drives don't implement it perfectly. There's often a recovery window — sometimes minutes, sometimes hours — where the data is still there.

The professional tools tell the story. Autopsy, FTK (Forensic Toolkit), and EnCase are industry-standard forensic platforms used by law enforcement worldwide. They can recover files that were "deleted" years ago from traditional hard drives. FTK's file carving capabilities have recovered evidence in cases where suspects were absolutely certain they'd destroyed everything.


Real Cases Solved Through Digital Evidence Recovery

This isn't theoretical. Digital evidence recovery has broken some of the most notorious criminal cases in modern history.

The BTK Killer (2005)

Dennis Rader terrorized Wichita, Kansas for over 30 years, murdering ten people between 1974 and 1991. He went dormant, then resurfaced in 2004 and started sending taunting messages to police and media. In one of those messages, he asked police if they could trace a floppy disk. They told him no. He believed them.

He sent a floppy disk to a local TV station containing a Word document. Forensic investigators examined the metadata — not just the surface-level file properties, but the deep metadata embedded in the file's structure. They found a deleted entry linking the document to "Christ Lutheran Church" and a user named "Dennis." A quick search confirmed that Dennis Rader was the president of the church council. He was arrested days later.

Thirty years of evading capture, undone by metadata in a Word document on a floppy disk. He thought he'd been careful. He hadn't even come close.

Casey Anthony Trial (2011)

In one of the most-watched trials in American history, digital forensics played a pivotal role. Investigators recovered deleted browser searches from the family computer, including searches for "foolproof suffocation" and "chloroform" that had been made using Firefox. The searches had been deleted from the browser history, but forensic analysis of the Firefox SQLite database and unallocated disk space recovered them.

The original forensic analysis by the Orange County Sheriff's Office actually missed some of these searches — they used Internet Explorer-focused tools and initially didn't examine the Firefox data thoroughly. It was a later, more detailed examination that uncovered the full search history. A stark reminder that thoroughness matters in forensic work.

Ross Ulbricht — Silk Road (2013)

Ross Ulbricht ran Silk Road, the first major dark web marketplace, under the pseudonym "Dread Pirate Roberts." When the FBI seized his laptop at a San Francisco library — timing the arrest so he'd be logged in with the drive unencrypted — they recovered an astonishing amount of evidence. Chat logs, a personal journal documenting the creation and operation of Silk Road, financial records, and server access credentials. Ulbricht believed his security practices made him untraceable. The data on his own laptop told a different story.

Corporate Fraud

Beyond headline criminal cases, hex-level evidence recovery is a staple of corporate fraud investigations. Companies that "destroy" financial records by deleting files often discover — usually during litigation — that forensic examiners can recover those records from slack space, unallocated clusters, and backup artifacts on the drives. The Enron investigation recovered thousands of "deleted" emails. Forensic examiners in securities fraud cases routinely recover spreadsheets, internal communications, and financial models that executives thought were gone forever.


The Limits of Recovery

It would be irresponsible to suggest that forensic recovery always works. It doesn't. There are real, effective countermeasures, and understanding them is just as important as understanding the recovery techniques.

Full Disk Encryption

If a drive is encrypted with something like BitLocker, VeraCrypt, or FileVault, and the investigators don't have the key, hex editors are essentially useless. The raw bytes on the disk are encrypted — they look like random noise. You can see them, but you can't interpret them. No amount of hex analysis will help without the decryption key. This is why law enforcement places such emphasis on seizing computers while they're powered on and unlocked — once the drive locks, the encryption kicks in, and the window closes.
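How an examiner recognises the "random noise" described above before spending hours on it, as an added example that is not from the article: Shannon entropy per block. Plain text and structured files score well below 8 bits per byte, zero-filled or padded regions score near 0, and encrypted data sits close to the maximum. The three regions of the sample "disk" are constructed in the script, and the 7.8-bit cut-off is an assumption chosen for 4 KB blocks.

```python
# Added example: per-block Shannon entropy to spot encrypted-looking regions.
import math
import random

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.8   # assumed cut-off in bits per byte for 4 KB blocks


def shannon_entropy(block: bytes) -> float:
    """Bits of information per byte; 8.0 means every byte value is equally likely."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_regions(image: bytes, block_size: int = BLOCK_SIZE):
    """Return [(offset, entropy, label), ...] for each block of the image."""
    regions = []
    for off in range(0, len(image), block_size):
        h = shannon_entropy(image[off:off + block_size])
        if h < 1.0:
            label = "sparse"
        elif h < HIGH_ENTROPY:
            label = "plain or structured"
        else:
            label = "random-looking (encrypted or compressed)"
        regions.append((off, h, label))
    return regions


def build_sample_disk(seed: int = 3) -> bytes:
    """Constructed image: a zero-filled block, a block of text, and a block
    of pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(seed)
    text = b"The quick brown fox jumps over the lazy dog. "
    text_block = (text * (BLOCK_SIZE // len(text) + 1))[:BLOCK_SIZE]
    noise_block = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return b"\x00" * BLOCK_SIZE + text_block + noise_block


if __name__ == "__main__":
    for off, h, label in classify_regions(build_sample_disk()):
        print(f"{off:#08x}  {h:5.2f} bits/byte  {label}")
```

The caveat is in the last label: well-compressed data (a JPEG's scan data, a ZIP member, a video stream) is also close to 8 bits per byte, so high entropy alone does not prove encryption. It tells the examiner where the hex editor will show structure and where it will show only noise, which is the distinction the paragraph above draws.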

Physical Destruction

Degaussing (exposing a hard drive to a powerful magnetic field) scrambles the data on magnetic drives. Shredding physically destroys the platters. Fire melts them. These methods are effective and final. You can't carve files from molten aluminum. Government agencies and corporations that need to guarantee data destruction use certified physical destruction processes for exactly this reason.

SSD TRIM

As mentioned, TRIM on SSDs actively wipes deleted blocks at the firmware level. Once TRIM has processed a block, the data is genuinely gone — not just marked as available, but actually zeroed out by the drive controller. This makes SSDs significantly harder targets for forensic recovery than traditional hard drives. It's one of the reasons forensic best practices now emphasize imaging drives as quickly as possible after seizure.

Secure Overwriting

Tools like DBAN (Darik's Boot and Nuke) and the shred command on Linux perform multi-pass overwriting — writing random data over every sector of the drive multiple times. After even a single pass of random data, recovery is effectively impossible with current technology. The old myth that you need 35 passes (the Gutmann method) has been debunked for modern drives — one or two passes of random data is sufficient. But the point stands: deliberate overwriting actually destroys data. Pressing "Delete" does not.

Here's the bottom line on limits: the files the average person "deletes" to cover their tracks are almost certainly recoverable. They emptied the Recycle Bin and assumed the job was done. That's the vast majority of cases investigators encounter. The sophisticated criminal who uses full-disk encryption, secure deletion tools, and physical destruction? That's a much harder challenge. The gap between those two scenarios is enormous, and it's where most real investigations play out.


Your Digital Shovel

DetectiveOS includes HexScope, a hex analysis tool that lets you dig into the raw data of evidence files. You examine hex dumps, identify magic bytes, spot hidden content appended after end markers, and piece together files that someone tried to destroy. It's the detective's digital shovel — the tool you reach for when the obvious leads have dried up and the answer is buried in the bytes.


The Takeaway

Hex editors strip away every abstraction your computer provides and show you what's really there. In the hands of a forensic investigator, they turn "I deleted it" into "Let me show you exactly what you deleted, when you deleted it, and what you were trying to hide."

The data is almost always still there. On your hard drive, in the slack space, in the unallocated clusters, in the metadata you didn't know existed. Your operating system promised you it was gone. It wasn't. And somebody with a hex editor and enough patience can prove it.

That's not a hypothetical threat. It's the everyday reality of digital forensics. And it's been catching criminals since before most people knew what a hex editor was.
