FileGlance Manual

FileGlance allows you to look at a file from different angles. It is especially useful when you look at files with unknown contents. You quickly spot where different sections of a file begin and where a file may be compressed or encrypted. Files are always opened read-only, so you can be sure nothing is altered accidentally.

Main Window

The main window displays both a hex view of a file as well as other useful information.

Hex Viewer

The raw data of a file. Next to the bytes that comprise the file you find a text representation (ISO-8859-1) which can help to make sense of the data. By changing the window size you can control how many bytes per line are displayed. When looking at records with fixed size this enables you to align them line by line.

File Size

The file size is displayed not only in bytes but also kilobytes, megabytes, and gigabytes. Thus you don’t have to do the division by 1024 manually.

Entropy

Here you find the entropy computed for the whole file. This gives you a quick impression of whether a file is encrypted/compressed or contains very ordered data. High entropy (8) means totally random data; a low number indicates ordered contents.

File Dates

Simply the date/time a file was created, last modified and most recently used. The meaning of these dates can differ depending on operating system and/or file system.

Access Rights

Who owns the file and to which group does it belong? Who’s allowed to read, write or execute it? Since Windows has a somewhat different access rights concept the rights are only displayed on Mac and Linux.

Hash Values

While MD5 and SHA-1 are no longer considered secure, they are still used for validation of downloads. SHA-256 is another widely used hash algorithm. By clicking on a hash value you copy it to the clipboard.


Image View

When you break a file into chunks of equal length you can not only reveal uncompressed images but also see when a file consists of different parts. By adjusting the chunk size (width), patterns emerge and you quickly discern characteristics of the file or image.

When you hover over the different visualizations a tooltip shows where exactly the line below the mouse pointer is located in the file.

By clicking inside the views the hex view in the main window is positioned accordingly.

Image Representation

On the left-hand side you see what the file contents look like when interpreted as pixels. Since there are different image formats you can change the parameters in the contextual menu of the image view.

Entropy View

This is probably one of the most useful visualizations – how does the entropy change within a file? In the screen shot above you can easily see how random data leads to a high entropy value (right) and ordered data like the white part of the image has a low entropy value associated.
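
The same idea as the entropy view can be reproduced in a few lines when no GUI is at hand. The following is an added example, not FileGlance's own code: it computes the entropy of each fixed-size chunk and merges neighbouring chunks of the same class so that section boundaries show up as offsets. The chunk size, the thresholds, the function names and the sample data are assumptions made for this example.

```python
import hashlib
import math
from collections import Counter
from itertools import groupby

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a single repeated value, 8 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = 1024):
    """(offset, entropy) for each fixed-size chunk of the input."""
    return [(off, shannon_entropy(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]

def classify(h: float, low: float = 1.0, high: float = 7.5) -> str:
    # Thresholds are assumptions for this example. A chunk of n bytes can never
    # exceed log2(n) bits, so small chunks of random data stay well below 8.
    if h >= high:
        return "random-like"
    return "ordered" if h <= low else "mixed"

def segments(data: bytes, chunk: int = 1024):
    """Merge neighbouring chunks of the same class into (start_offset, class)."""
    labelled = [(off, classify(h)) for off, h in entropy_profile(data, chunk)]
    return [(next(grp)[0], label)
            for label, grp in groupby(labelled, key=lambda item: item[1])]

def constructed_sample() -> bytes:
    """Constructed input: zero padding, ASCII text, then hash output."""
    padding = bytes(2048)
    text = (b"The quick brown fox jumps over the lazy dog. " * 50)[:2048]
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(128))  # 4096 pseudo-random bytes
    return padding + text + noise

if __name__ == "__main__":
    for start, label in segments(constructed_sample()):
        print(f"0x{start:06x}  {label}")
```

A "random-like" region only says the bytes are evenly spread within each chunk; compressed and encrypted data both look this way, so entropy alone does not tell them apart.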

Byte Presence

Each possible byte value from 0 to 255 is represented by a pixel. If the byte value is present at least once in the data chunk (line), its pixel lights up green; otherwise it stays black.


Digram View

While the image, entropy and byte presence views consider each byte individually the digram view cares about combinations of bytes.

The lines and columns represent the possible byte values from 0 to 255. Green pixels indicate when a certain byte value is followed by another byte value. Black pixels mean that this combination is not present.

Since the digram view doesn’t cover the whole file you can walk in the hex view (main window) through the file and see how the digrams change. This is best done with the mouse.


Dot Plot

The dot plot view is all about the distances in which the same byte values repeat. As with the digram view the dot plot changes depending on the position in the hex view.


Histogram

The histogram visualizes byte frequencies or, in other words: how often does each byte value (0-255) occur in a file? Equally distributed byte frequencies are a strong indication that a file is compressed or encrypted.

By clicking on a table column header you can sort the whole table by the values in that column.


© 2018 Synalysis. All rights reserved.