Obtain Selected Data


When trying to repair operating systems and files which have gone hiccup there is a need to examine data on files.  I have found that some files are just to big to comfortably examine in a hex editor.

With Passwords becoming increasing vulnerable to the latest cracking tools the user cannot rely on producing long passwords that are easy to remember.  The user need to hide potential passwords in big files.  If the password is hidden in a big file it becomes difficult to access unless some means is available to access the required data which is too complex to remember.


When practising the tutorials it is worth using a Ramdisk. Ramdisks leave no activity trace when the machine is switched off.  SSD disks are not privacy secure.  Modern hard disks use SSD mechanisms for caching purposes and thus pose a security weakness.

In /etc/fstab write entry tmpfs /home/username/ram tmpfs defaults,noatime,mode=1777,size=20MB 0 0
creates ramdisk in directory /home/username/ram
Use Wine to run program "e_crypt7" program

Google for ramdisk software.  Free Basic ramdisk software to create 100MB of ramdisk is likely to be available at no cost.  Need to check that ramdisk software has no hidden problems attached to it.  Appropriate Antivirus and rootkit checking software is needed.  Website http://www.dataram.com/ is worth looking at.

The biggest advantage of a ram disk is the ability to have very fast loading and writing times. It also allows one to experiment without fear of doing damage to a hard disk.  It also allows one to try things out as possible approaches to security without leaving any trace.  Modern file systems use journaling which can leave traces of data on hard disks that a person may not want left.  A ram disk loses of traces of its file system when the computer is switched off.





Obtain Selected Data
1 512 Bytes at (1Mb-512)
  • "Process File and Obtain 512 bytes before 1MB" this is (1000000-512 Bytes)
  • Opens File and saves 512 bytes to another file
  • Some file types could be identified by the last 512 bytes
  • Hash of "512" file could be used for creating password data
    • Large "c.t"
    • Small "truecrpt password.txt"
2 Selected Position and Size
  • This function splits a large file into manageable file sizes for examination by a hex editor
  • It can be used to extract characters from a large file such as a video file for password purposes
  • Use two examples
3 Replace Data in File
  • Overwrites data in one file with data from another
  • position where to over write is determined
  • how many characters to over write is determined
  • position where to read the over write characters from is determined
  • example
4 Overwrite from another part of File
  • Overwrites data in one file with data from another part of file
  • select position in file
  • select number of characters to write
  • select position to over write
  • characters replaced with number of over written characters
5 Read Disk Sectors not done

6 Read File Sectors
  • Use to examine file contents at known positions
  • Use to change file contents at known positions
  • Use to store long random passwords which are impossible to remember in a safe place.

&9 Display Drive Root FAT not done
&7 Read Disk Image Sectors to do
&8 Explore Disk FAT not done
&a Get Disk Signature (SHA1) not done

&b Hard Disk Backup Functions not done
&c Get Icons to do works on dll or exe not shortcuts

Convert Dos (8.3) to Long File Name to do

Convert Long File Name to Dos (8.3) to do



1 512 Bytes at (1Mb-512)
Step Screen Description


  1. Download file "c.t"
    1. This is a file of a reasonable size to work with
  2. Download file "truecrpt password.txt"
    1. This is a small file to work with


  • By Mouse
  1. Click on "Utilities"
  2. Click on "Obtain Selected Data"
  3. Click on "1 512 Bytes at (1MB-512)"
  • By Keyboard
  1. Type "ALT+U"
  2. Type "O1"


  1. Select "c.t"
  2. Click on "Select File -1" button or type "Alt+1"
  3. Click on "Destination File -2" button or type "ALT+2
    1. FIle name "G:\c.t.512" created
    2. File checked to see if already exists
    3. Directory checked to see if there is room for proposed created file "c.t.512"


  1. CLick on "Process -3" button or type "ALT+3"


  1. Click on "OK" button or type "ALT+O"
  • Repeat using "truecrpt password.txt"


  1. Click on "OK" button
    1. An empty file ""truecrpt password.txt.512" is created
    2. This file is empty because the file "truecrpt password.txt" is only 50Bytes in size a lot smaller than 1000000 Bytes.

We can read created files in the "6 Read File Sectors" function



2 Selected Position and Size


  1. Download file "c.t"
    1. This is a file of a reasonable size to work with
  2. Download file "truecrpt password.txt"
    1. This is a small file to work with


  • By Mouse
  1. Click on "Utilities"
  2. Click on "Obtain Selected Data"
  3. Click on "2 Selected Position and Size"
  • By Keyboard
  1. Type "ALT+U"
  2. Type "O2"


  1. Select "c.t.512"
  2. Click on "Select File -1" button or type "ALT+1"
  3. Click on "Destination File -2" button or type "ALT+2"
    1. FIle name "G:\c.t.512.byte" created
    2. File checked to see if already exists
    3. Directory checked to see if there is room for proposed created file "c.t.byte"


  1. Click on "Process -3" button or type "ALT+3"


(A) File size of file in (N)
(B) "OK" button to write file in (O)
(C) "Cancel" button to cancel and return to opening menu
(D) Available space on drive
(E) HEX value to convert to decimal
(F) Decimal value for HEX in (E)
(H) Number of HEX characters entered
(I) Slack space of Drive
(J) This is the number of characters to read from file in (N) and write to file in (O)
(K) This is the number of bytes from start of file to read from and is dependent on file size in (A) and number of characters to write in (J)
  • K value <= A value - J value
(L) Maximum number of bytes from start of file to read from.
  •  L value = A value - J value
(M) Actual size of written file including slack
(N) file to read
(O) file to write
  1. Enter AB in (E)
    1. gives the decimal value of HEX AB in (F)
  2. Enter 50 in (J)
    1. this is the amount of characters to transfer to  file "c.t.512.byte"
  3. Enter 171 in (K)
    1. this is the position from start of file "c.t.512"


  1. Click on "OK" button (B)
    1. 50 bytes written to file "G:\c.t.512.byte"
    2. Start of write was taken from 170 bytes from beginning of file "G:\c.t.512"


  1. Click on "OK" button




2 Selected Position and Size (Large File) Follow instructions as above to select file "c.t" for loading


  1. Select "c.t"
  2. Click on "Select File -1" button or type "ALT+1"
  3. Click on "Destination File -2" button or type "ALT+2"
    1. FIle name "G:\c.t.byte" created
    2. File checked to see if already exists
    3. Directory checked to see if there is room for proposed created file "c.t.byte"


  1. Click on "Process -3" button or type "ALT+3"


(A) File size of file in (N)
(B) "OK" button to write file in (O)
(C) "Cancel" button to cancel and return to opening menu
(D) Available space on drive
(E) HEX value to convert to decimal
(F) Decimal value for HEX in (E)
(H) Number of HEX characters entered
(I) Slack space of Drive
(J) This is the number of characters to read from file in (N) and write to file in (O)
(K) This is the number of bytes from start of file to read from and is dependent on file size in (A) and number of characters to write in (J)
  • K value <= A value - J value
(M) Actual size of written file including slack
(N) file to read
(O) file to write
  1. Enter FFF0 in (E)
    1. gives the decimal value of HEX FFF0 in (F)
  2. Enter 50 in (J)
    1. this is the amount of characters to transfer to  file "c.t.512.byte"
  3. Enter 65520 in (K)
    1. this is the position from start of file "c.t.512"


Click on "OK" button (B)
  1. 50 bytes written to file "G:\c.t.512.byte"
  2. Start of write was taken from 170 bytes from beginning of file "G:\c.t.512"


Click on "OK" button










3 Replace Data in File


  1. Download file "c.t"
    1. This is a file of a reasonable size to work with
  2. Download file "truecrpt password.txt"
    1. This is a small file to work with


  • By Mouse
  1. Click on "Utilities"
  2. Click on "Obtain Selected Data"
  3. Click on "3 Replace Data in File"
  • By Keyboard
  1. Type "ALT+U"
  2. Type "O3"


  • Make copy of "c.t" by
  1. Select "c.t"
  2. right click mouse on "c.t"
  3. click on copy
  4. right click and select paste

  5. Select "d.t"
  6. Type "ALT+1"
  7. Select "truecrpt password.txt"
  8. Type "ALT+2"


  1. Click on Paste


rename "Copy of c.t" by
  1. right clicking mouse on ""Copy of c.t"
  2. click on rename


  1. Type "d.t"
  2. Press "Enter" key


  1. Select "truecrpt password.txt"
    1. This is file whose contents are to be hidden
  2. Type "ALT+1"
  3. Select "d.t"
    1. This is the file which will hide the contents
  4. Type "ALT+2"


  1. Type "Alt+3"


  • File "d.t" is copy of "c.t"
  • Password to open Veracrypt file "c.t" is "cgbs6slapji_uiWhRfvx)xy`dg+C$ie(eexhj)rj2vtyefv7{b"
  1. Check container "d.t" is opened by Veracypt using password "cgbs6slapji_uiWhRfvx)xy`dg+C$ie(eexhj)rj2vtyefv7{b"
  2. Close container "d.t"
  3. Type 50 in (J)
  4. 1000000 in (K)


  1. Click on "OK" button (B)


  1. Click on "OK" button
  2. Check container "d.t" is opened by Veracypt using password "cgbs6slapji_uiWhRfvx)xy`dg+C$ie(eexhj)rj2vtyefv7{b"
  3. Close container "d.t"
  • We have hidden a password inside a container
  • The password cannot be distinguished from the surrounding characters
  • We can extract the password using 2 Selected Position and Size

Selected Position and Size check on "d.t"









  1. Click on "OK" button
  • We have file "d.t.byte" which should have the same contents as "truecrpt password.txt"
  • We can check this by "comparing two files using "1 Two Files"

Compare Files "d.t.byte" and "truecrpt password.txt"


  • By mouse
  1. Click on "File Comparisons"
  2. Click on "1 Compare Files"
  3. Click on "1 Two Files"
  • By Keyboard
  1. Type "ALT+F"
  2. Type "11"


  1. Select file "truecrpt password.txt"
  2. Type "ALT+1"
  3. Select file "d.t.byte"
  4. Type "ALT+2"


  1. type "ALT+3"


  1. Click on "OK"
  • Confirms password can be hidden and password can be extracted

Compare Files in 20 MB container"e.t" and directory "new2"
  • We can use 2 Selected Position and Size to preserve password when writing a new file into container file
  • We can use 3 Replace Data in File when hidding a password
  • Experimentation will determine the best place to hide a password in a container file
  • See "https://www.veracrypt.fr/en/VeraCrypt%20Volume%20Format%20Specification.html" for VeraCrypt Volume Format Specification.
  • Example of tutorial follows


  1. Create 20MB Veracrytpt container file "e.t" with FAT filesystem
    1.  preferably in Ramdisk
    2.  with password in file "truecrpt password.txt"
    3. with Serpent(Twofish(AES)) encryption algorithm

  2. Open Veracrypt container file "e.t"
  1. Type "ALT+U"
  2. Type "I"
  • See image on Left
  1. Select "create SHA Check Files (9,964,584 Bytes)" in List (A)
  2. Select "H" in Drive List (F)


  1. Click on "Get Directory" button (Ym)
  2. Select veracrypt drive (H in demo)
  3. Create directory "new"
  4. Type "ALT+1"


  1. Type "ALT+3"


  1. Click on "Create Selection" button (ZG)
    1. SHA check files created in directory
  2. Unmount Veracrypt container file "e.t"
  3. Click on "Get Directory" button (Ym)
  4. Create directory "New2" on RamDisk
  5. Select directory "New2"
  6. Type "ALT+1" 


  1. Type "ALT+3"


  1. Click on "Create Selection" button (ZG)
    1. SHA check files created in directory "new2"


  1. Click on "Leave" button (U)
  • Now copy password to Veracrypt container "e.t"
  • Open Veracrypt container "e.t"
  • compare files in Veracrypt container "e.t" with files on Ramdisk
  1. Type "ALT+U"
  2. Type "O3"
  3. Select "truecrpt password.txt"
  4. Type "ALT+1"
  5. Select "e.t"
  6. Type "ALT+2"


  1. Type "ALT+3"


  1. Type 2000000 in (M)


  1. Click on "OK" button
    1. 50 bytes of contents of "truecrpt password.txt" replaces 50 bytes of "e.t" at position 2000000 from beginning of file


  1. Click on "OK" button
  • We have hidden a password inside a container
  • The password cannot be distinguished from the surrounding characters
  • We can extract the password using 2 Selected Position and Size


  • Now what we want to do is compare the files inside the veracrypt container file "e.t" with the files inside directory "new2" on Ramdisk
  1. Open Veracrypt container "e.t" using password "!6K`u,AVnBlR})A.5IiC%tt/;;Q@/O-%Q$a?@J]l,@3G[2%9~+"
  2. Type "ALT+F"
  3. Type "21"
  4. Select "New" directory
  5. Type "ALT+1"


  1. Select "New 2" directory on Ramdisk
  2. Type "ALT+2"


  1. Type "ALT+3"


  • Note 30 files are the same (I) in both directories detailed in (G) and (H)
  1. Click on "Files in 2 directories that are not the same" in List (D)


  • We have 1 file which is different at (I)
  • We are using FAT32 which does not change file location pointers
  • We can rename this file "abc.txt"
  • If we add another file we may overwrite part of the hidden password
  1. Click on "Files in 1st directory but not in 2rd directory" in List (D)


  • We have 0 file not in 2rd at (I)
  1. Click on "Files in 2nd directory but in 1st directory" in List (D)


  • We have 0 files not in 1st
  • We can use 2 Selected Position and Size to preserve password when writing a new file into container file
  • We can use 3 Replace Data in File when hidding a password
  • Experimentation will determine the best place to hide a password in a container file
  • See "https://www.veracrypt.fr/en/VeraCrypt%20Volume%20Format%20Specification.html" for VeraCrypt Volume Format Specification.







4 Overwrite from another part of File


  • By Mouse
  1. Click on "Utilities"
  2. Click on "Obtain Selected Data"
  3. Click on "4 Overwrite from another part of File"
  •     By Keyboard
  1. Type "ALT+U"
  2. Type "O4"
  3. Select "truecrpt password.txt"
  4. Type "ALT+1"


  1. Type "ALT+3"


  1. Type 10 in (J)
  2. Type 40 in (K)


  1. Click on "OK" button


  1. Click on "OK" button
    1. "!6K`u,AVnBlR})A.5IiC%tt/;;Q@/O-%Q$a?@J]l,@3G[2%9~+" is original content of "truecrpt password.txt"
    2. ",@3G[2%9~+lR})A.5IiC%tt/;;Q@/O-%Q$a?@J]l,@3G[2%9~+" is new content of "truecrpt password.txt"


  • It can be seen that first ten characters are the same as the last ten characters