Terms and Concepts

Without being exhaustive, some of the terms used in the Tyrhex interface need to be explained:

Forensic approach

One of the key concepts of the forensic approach is that the evidence must never be modified.

Tyrhex respects this concept: the user may still edit some volume properties, but the edits live in a virtual layer kept per volume and saved, like other information, in the case file, with no effect on the evidence file.

Findings have to be documented and, when vital for the investigation, cross-checked with an alternative forensic tool. Many forensic tools share the same libraries, especially for decoding file system properties and artefacts, so they can also share the same mistakes. The file system libraries included in Tyrhex are its own, which makes it a genuinely independent cross-check.

Bits and bytes

Before any other concept, it is necessary to understand that all data on a device are represented using bits.

A bit is a single binary digit, 1 or 0, occupying a single position.

Bits are grouped in bytes. A byte is a sequence of 8 bits, each representing a power of 2, starting with 2 to the power 0 on the right and ending with 2 to the power 7 on the left, so a byte holds a value from 0 to 255.

Bytes are sometimes grouped in larger sequences:

  • Word: a group of 2 bytes (16 bits)
  • Double word: a group of 4 bytes (32 bits)
  • Quadruple word: a group of 8 bytes (64 bits)

Sometimes bytes have to be grouped in « untypical » sizes, and the decoding tab lets the Tyrhex user quickly read such a value through a user-friendly interface.

Endianness

When bytes are grouped (word, double word, quadruple word), the ordering can be the natural one, big endian (the first byte is the most significant one), or reversed, little endian (the first byte is the least significant one). The 16-bit value 0x1234, for instance, is stored as the bytes 12 34 in big endian and 34 12 in little endian.

Endianness comes from the history of computers, operating systems and the processors they ran on. Processors with 8-bit registers never had to care about it (they handled one byte at a time); their successors did.

Windows file systems (FAT, NTFS) store multi-byte values little endian, while Apple's HFS and HFS+ store them big endian on disk, whatever the processor of the machine that wrote them. Tyrhex shows both orderings of the selected bytes and automatically applies the right one when interpreting date and time values.
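The following is an added example, not Tyrhex code, of what the decoding tab does by hand: it reads a multi-byte field of any size (the « untypical » sizes of the previous section included) with the endianness the file system uses on disk, then interprets the FAT, NTFS and HFS+ date and time formats, and shows what the same NTFS bytes turn into when read in the wrong order. All sample bytes are constructed for the demo; the MFT record number, NTFS FILETIME epoch and HFS+ epoch are standard facts about those file systems.

```python
# Added example, not Tyrhex code: read multi-byte fields of any size with the
# endianness each file system uses on disk, then interpret the three date/time
# formats met in FAT, NTFS and HFS+. All sample bytes are constructed for the demo.
from datetime import datetime, timedelta, timezone

def read_uint(data: bytes, offset: int, size: int, endian: str) -> int:
    """Unsigned integer of any byte length (untypical sizes included); endian is "little" or "big"."""
    chunk = data[offset:offset + size]
    if len(chunk) != size:
        raise ValueError(f"need {size} bytes at offset {offset}, got {len(chunk)}")
    return int.from_bytes(chunk, endian)

def ntfs_filetime(value: int) -> datetime:
    """NTFS FILETIME: 100 ns intervals since 1601-01-01 UTC, stored little endian."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=value // 10)

def hfs_date(value: int) -> datetime:
    """HFS/HFS+ date: seconds since 1904-01-01, stored big endian (HFS+ uses UTC)."""
    return datetime(1904, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=value)

def fat_datetime(date16: int, time16: int) -> datetime:
    """FAT packed date and time: two 16-bit little-endian words, 2 s resolution, local time."""
    return datetime(1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F,
                    time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2)

def mft_reference(value: int) -> tuple:
    """NTFS file reference (8 bytes LE): 48-bit MFT record number + 16-bit sequence number."""
    return value & 0xFFFFFFFFFFFF, value >> 48

# Constructed samples, written as they would appear in the hex view.
NTFS_TIME = bytes.fromhex("00C0B0FEC163D201")  # FILETIME for 2017-01-01 00:00:00 UTC, LE
HFS_TIME = bytes.fromhex("D48DF700")           # HFS+ date for the same instant, BE
FAT_STAMP = bytes.fromhex("214AC063")          # FAT date 2017-01-01 then time 12:30:00, LE
MFT_REF = bytes.fromhex("0500000000000500")    # reference to MFT record 5 (root directory), seq 5

def decode_samples() -> dict:
    """Decode every sample with the right ordering, plus the NTFS stamp with the wrong one."""
    ft = read_uint(NTFS_TIME, 0, 8, "little")
    return {
        "ntfs": ntfs_filetime(ft),
        # same 8 bytes read big endian: a plausible-looking but wrong date (year 1772)
        "ntfs_wrong_order": ntfs_filetime(read_uint(NTFS_TIME, 0, 8, "big")),
        "hfs": hfs_date(read_uint(HFS_TIME, 0, 4, "big")),
        "fat": fat_datetime(read_uint(FAT_STAMP, 0, 2, "little"),
                            read_uint(FAT_STAMP, 2, 2, "little")),
        "mft_record": mft_reference(read_uint(MFT_REF, 0, 8, "little")),
    }

if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name:18} {value}")
```

The wrong-order decoding is the practical reason a hex editor shows both orderings: a timestamp read with the wrong endianness does not fail, it silently yields a valid but false date, so the ordering has to be chosen from the file system, never from the look of the result.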

Sectors, Clusters, Blocks

Bytes are stored on devices in groups of 512 bytes, each group being one sector. Sectors are numbered from sector 0. Some recent drives use 4096-byte sectors, so the sector size must be known before any sector offset makes sense.

File systems introduce groups of sectors (usually a power-of-two number of sectors) to allow higher capacity and faster handling. Sectors are grouped in « clusters » or « blocks », depending on the OS; the names differ but they mean exactly the same thing: a group of sectors.

Tyrhex shows offsets in bytes and in sectors. When a volume is selected, the offsets in bytes, sectors and blocks relative to the volume start are shown as well. Without a selected volume, a « block » or « cluster » value is meaningless, since the block size is a property of the file system, so blocks cannot be shown relative to the device start and some Tyrhex decoding features are then limited.

Offsets

The position, in bytes or in sectors, from the start of the analysed forensic image is called the « absolute offset ».

When working on a locked volume, the position relative to the volume start is reported in bytes, sectors and blocks.

MBR and GPT

At the start of the device you will find a few sectors describing how the volumes are laid out on the device.

Typically, the data needed for each volume are its first sector, its last sector (or its size in sectors) and some other information such as the partition type.

Tyrhex automatically handles both the old Master Boot Record (MBR) and the newer GUID Partition Table (GPT) partitioning schemes.

When decoding the MBR or GPT, Tyrhex automatically defines the volumes, checks their properties and creates bookmarks for some important locations related to the file system properties.
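As an added example, not Tyrhex code, the block below decodes a classic MBR partition table into volumes (first sector, last sector, type) and then performs the offset bookkeeping of the two previous sections: an absolute byte offset is expressed in sectors and, only when it falls inside a volume, as volume-relative byte, sector and block offsets, the block size being a per-volume property supplied by the caller. The 512-byte MBR is constructed for the demo; GPT decoding itself is not shown, only the detection of the protective MBR that announces it. The sector size constant and the helper names are this example's own choices.

```python
# Added example, not Tyrhex code: decode a classic MBR partition table into
# volumes, then express an absolute offset as sector and, when it falls inside
# a volume, as volume-relative byte, sector and block offsets. The MBR is
# constructed for the demo; GPT parsing is not shown, only the protective-MBR check.
import struct

SECTOR = 512  # classic sector size; Advanced Format drives use 4096

def parse_mbr(mbr: bytes, sector_size: int = SECTOR) -> list:
    """Return the used entries of the 4-slot partition table at offset 446."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    volumes = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0 or lba_count == 0:
            continue  # unused slot
        volumes.append({
            "index": i,
            "type": ptype,                 # 0xEE = protective MBR: the real table is a GPT
            "bootable": status == 0x80,
            "first_sector": lba_start,
            "last_sector": lba_start + lba_count - 1,
            "size_bytes": lba_count * sector_size,
        })
    return volumes

def is_gpt_protective(volumes: list) -> bool:
    """True when the MBR is only a placeholder and the GPT at LBA 1 must be decoded instead."""
    return any(v["type"] == 0xEE for v in volumes)

def locate(abs_offset: int, volumes: list, sectors_per_block: dict,
           sector_size: int = SECTOR) -> dict:
    """Absolute byte offset -> absolute sector, plus volume-relative byte/sector/block.

    sectors_per_block maps a volume index to its cluster/block size (a VBR property),
    which is why a block number only exists inside a volume. Blocks are counted from
    the volume start, as in the Tyrhex display; FAT's own data-cluster numbers start
    at 2 after the reserved area and the FATs and are a different thing.
    """
    result = {"abs_byte": abs_offset, "abs_sector": abs_offset // sector_size, "volume": None}
    for vol in volumes:
        start = vol["first_sector"] * sector_size
        end = (vol["last_sector"] + 1) * sector_size
        if start <= abs_offset < end:
            rel = abs_offset - start
            block_bytes = sectors_per_block[vol["index"]] * sector_size
            result.update(volume=vol["index"], rel_byte=rel,
                          rel_sector=rel // sector_size, rel_block=rel // block_bytes)
            break
    return result

def sample_mbr() -> bytes:
    """Constructed MBR: bootable NTFS at LBA 2048 (100 MiB), FAT32 at LBA 206848 (32 MiB)."""
    mbr = bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<B3xB3xII", mbr, 462, 0x00, 0x0C, 206848, 65536)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

if __name__ == "__main__":
    vols = parse_mbr(sample_mbr())
    print(vols, is_gpt_protective(vols))
    # NTFS volume with 8 sectors per cluster, FAT32 with 1: byte 17 of the 4th cluster
    print(locate(2048 * SECTOR + 3 * 8 * SECTOR + 17, vols, {0: 8, 1: 1}))
    print(locate(100, vols, {0: 8, 1: 1}))  # inside the MBR gap: no volume, no block
```

Note that locate() returns no block number for an offset outside every volume, which is exactly the limitation described above for the unselected-volume case.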

Volumes

Volumes are often called partitions. A volume contains only one file system and some parameters:

  • the block size (or cluster size)
  • the location of the catalog (HFS) or of the MFT (NTFS), in sectors;
    this is the central database holding the properties of all files
  • the location of the journal, in bytes (HFS and NTFS)
  • the location of the root folder (FATs)

Most of these parameters are located in the Volume Boot Record (VBR), usually the first sector of the volume (HFS+ keeps its volume header 1024 bytes after the volume start).

When identifying volumes, Tyrhex checks, based on file system features, whether a more accurate volume name is available and gives it to the newly created analysis volume.

A damaged VBR prevents most software, including all operating systems and most forensic tools, from analysing the volume content and retrieving file content and information (metadata, file names, dates and times, folder structure, …). With the Tyrhex volume editor, however, it remains possible to « rebuild » a basic VBR, which helps retrieve everything that is still available.

File systems

A volume contains only one file system.

File systems recognised and analysed by Tyrhex are :

  • FAT 16
  • FAT 32 
  • EXFAT
  • NTFS

Work in progress:

  • HFS (based on some undocumented findings)
  • EXTFS

By implementing file system libraries written from scratch, based on the available standards but enhanced with reverse engineering and forensic experience, Tyrhex is well suited to cross-checking the results of expensive but still imperfect forensic tools.

Users who want to write up forensic findings on real cases are advised to consult the documentation on file systems and file system reverse engineering available from several resources.

Bookmarks

The user can add, remove and edit bookmarks to « tag » offsets and quickly position the cursor on them. Clicking on the offset column title switches the « byte » offset to the « sector » offset.

Some bookmarks are created automatically when volumes are detected, to jump straight to some file system files (such as $MFT for NTFS or the root directory for FAT, …).

Finally, bookmarks can be locked to speed up jumps, the locked bookmark being used as the reference position for the jump action.
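The following added example, not Tyrhex code, ties the Volumes section to the automatic bookmarks above: it decodes the VBR of an NTFS or FAT32 volume, runs the consistency checks a damaged (or freshly rebuilt) VBR must pass before any parser can trust it, and derives the volume-relative offsets that the $MFT and FAT root directory bookmarks point at. The build_*_vbr() helpers produce a minimal VBR from parameters known in advance, which is what rebuilding a basic VBR amounts to; both samples and the check list are this example's own constructions, while the field offsets are the standard NTFS and FAT32 boot sector layouts.

```python
# Added example, not Tyrhex code: decode the VBR of an NTFS or FAT32 volume,
# run the consistency checks a damaged or rebuilt VBR must pass, and derive the
# locations Tyrhex bookmarks automatically ($MFT, FAT root directory).
# build_*_vbr() produce a minimal VBR from known parameters, the way a basic VBR
# is rebuilt when the original is damaged; both samples are constructed for the demo.
import struct

def parse_vbr(vbr: bytes) -> dict:
    """Decode the common BPB fields (offset 11) plus the NTFS- or FAT32-specific ones."""
    if len(vbr) < 512:
        raise ValueError("a VBR is at least one 512-byte sector")
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", vbr, 11)
    info = {"bytes_per_sector": bps, "sectors_per_cluster": spc, "fs": None,
            "signature_ok": vbr[510:512] == b"\x55\xAA"}
    if vbr[3:11] == b"NTFS    ":
        total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 40)
        info.update(fs="NTFS", total_sectors=total, mft_cluster=mft_lcn,
                    mft_mirror_cluster=mftmirr_lcn,
                    mft_offset=mft_lcn * spc * bps)   # bookmark: $MFT, relative to the volume
    elif vbr[82:90] == b"FAT32   ":
        total32, spf32, _flags, _ver, root_cluster = struct.unpack_from("<IIHHI", vbr, 32)
        data_start = (reserved + nfats * spf32) * bps
        info.update(fs="FAT32", total_sectors=total32, fats=nfats, sectors_per_fat=spf32,
                    root_cluster=root_cluster,
                    # FAT data clusters are numbered from 2 at the start of the data area
                    root_dir_offset=data_start + (root_cluster - 2) * spc * bps)
    return info

def vbr_problems(info: dict) -> list:
    """Checks a VBR must pass before a parser (or a rebuilt VBR) can be trusted."""
    problems = []
    if not info["signature_ok"]:
        problems.append("boot signature 0x55AA missing")
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {info['bytes_per_sector']} is not valid")
    spc = info["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
    if info["fs"] is None:
        problems.append("no NTFS or FAT32 identifier found")
    elif info["fs"] == "NTFS" and info["mft_cluster"] * spc >= info["total_sectors"]:
        problems.append("MFT cluster lies beyond the end of the volume")
    elif info["fs"] == "FAT32" and info["root_cluster"] < 2:
        problems.append("FAT32 root cluster must be 2 or more")
    return problems

def build_ntfs_vbr(bps=512, spc=8, total_sectors=204799, mft_lcn=8192, mftmirr_lcn=12800) -> bytes:
    """Minimal NTFS boot sector from parameters recovered elsewhere (constructed sample)."""
    vbr = bytearray(512)
    vbr[0:11] = b"\xEB\x52\x90NTFS    "
    struct.pack_into("<HBHB", vbr, 11, bps, spc, 0, 0)
    vbr[21] = 0xF8                                    # media descriptor: fixed disk
    struct.pack_into("<QQQ", vbr, 40, total_sectors, mft_lcn, mftmirr_lcn)
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)

def build_fat32_vbr(bps=512, spc=8, reserved=32, nfats=2, total=65536, spf=64, root=2) -> bytes:
    """Minimal FAT32 boot sector (constructed sample)."""
    vbr = bytearray(512)
    vbr[0:11] = b"\xEB\x58\x90MSWIN4.1"
    struct.pack_into("<HBHB", vbr, 11, bps, spc, reserved, nfats)
    vbr[21] = 0xF8
    struct.pack_into("<IIHHI", vbr, 32, total, spf, 0, 0, root)
    vbr[82:90] = b"FAT32   "
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)

def auto_bookmarks(info: dict) -> dict:
    """Volume-relative byte offsets Tyrhex-style bookmarks would point at."""
    if info["fs"] == "NTFS":
        return {"$MFT": info["mft_offset"]}
    if info["fs"] == "FAT32":
        return {"root directory": info["root_dir_offset"]}
    return {}

if __name__ == "__main__":
    for sample in (build_ntfs_vbr(), build_fat32_vbr(), bytes(512)):
        info = parse_vbr(sample)
        print(info["fs"], auto_bookmarks(info), vbr_problems(info) or "VBR looks consistent")
```

The zeroed third sample stands for a wiped VBR: every check fails, which is the situation in which a rebuilt VBR carrying only the sector size, the cluster size and the MFT or root location is enough to get a parser back on its feet.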

Locking

Tyrhex allows some positions to be « locked », making moves easier:

bookmarks can be locked to be used as the « reference offset » for future moves.

volumes can be locked to restrict moves to the volume and, more importantly, to use all the volume settings in order to perform advanced tasks such as file browsing and file extraction.


tyrhex © Yves Vandermeer  2015-2017   #tyrhex