
X-Ways Forensics User Manual by Stefan Fleischmann


Contents

1. AESDecrypt "My Password": Decrypts the active file or disk. Find "John" [MatchCase] [MatchWord] [Down|Up] [BlockOnly] [SaveAllPos] [Unicode] [Wildcards]; Find 0x1234 [Down|Up] [BlockOnly] [SaveAllPos] [Wildcards]: Searches in the active window for the name John or the hexadecimal values 0x1234, respectively, and stops at the first occurrence. The other parameters are optional. By default WinHex searches the entire file/disk. The optional parameters work as known from the usual WinHex search options. ReplaceAll "Jon" "Don" [MatchCase] [MatchWord] [Down|Up] [BlockOnly] [Unicode] [Wildcards]; ReplaceAll 0x0A 0x0D0A [Down|Up] [BlockOnly] [Wildcards]: Replaces all occurrences of either a string or hexadecimal values in the active file with something else. Can only be applied to a disk if in in-place mode. IfFound: A boolean value that depends on whether or not the last Find or ReplaceAll command was successful. Place commands that shall be executed if something was found after the IfFound command. IfEqual MyVariable "Hello World"; IfEqual 0x12345678 MyVariable; IfEqual MyVariable 1000; IfEqual MyVariable MyOtherVariable; IfEqual MyVariable 10 MyOtherVariable: Compares either two numerical integer values (each of them being a constant value, an integer variable or a mathematical expression), or two variables, ASCII strings or hexadecimal values at the binary level. Comparing two objects at the binary level with a different length always returns False as the result. If equal, the follow
2. Net free space computation: Allows you to work with an adjusted virtual free space file that is net of clusters that were identified as belonging to previously existing files, to minimize the amount of space in file systems that is read twice for logical searches and indexing. After changing this option, or after discovery of more previously existing files, the virtual free space file is updated when it is opened the next time, for example when selected in File mode or when it is that file's turn during a logical search. Relative offsets of search hits in this virtual file may become wrong when it changes (for example when more clusters are allocated to more identified previously existing files, so that the net free space file becomes smaller), so they cannot be used to navigate to the search hits in File mode. Only physical offsets of search hits (usable in Partition/Volume mode) are guaranteed to remain valid. The virtual free space will be frozen and not change any more when it has child objects (i.e. usually files that have been carved within it manually in File mode), because those depend on unchanged relative offsets within the virtual free space file. The virtual file is shown in gray in the directory browser if the net free space computation option is active, as a reminder of the fact that it does not represent the entire free space when opened. Keep more data of the volume snapshot in memory, e.g. for much quicker sorting by timestamps. NTFS: Op
3. … refused by the program. The goal of the multi-user coordination in v17.5 and later is to support concurrent analysis/review work by multiple examiners. Removing files from a volume snapshot is not considered ordinary review/analysis work. Volume snapshot refinements should be done systematically in advance. The initials of the examiner who has attached files to the volume snapshot or manually carved files (in v17.5 and later) can be seen in square brackets next to the filename, so that it is easy to tell who has introduced such files to the case. Technical changes to the way multiple simultaneous users are coordinated are reserved. To be on the safe side, please make sure that simultaneous users are running the same version of the software. Last but not least, v17.5 allows you to review the processing history of a case in its properties. This reveals which versions were used on it (recorded only by v17.3 SR-10 and later, v17.4 SR-4 and later, and v17.5 and later) and by which users (recorded only by v17.5 and later). You may turn off "Extended multi-user coordination" for some performance benefits if you are the only user of a case at a time and don't need some of the advanced options. This will also allow you to open the same case more than once at the same time as the same user, but then do not open the same evidence objects in more than one session at the same time with read & write access to the volume snapshot. Alternative Ways
4. A volume snapshot is stored on the disk either as a set of files named "Volume dir" in the folder for temporary files or, if associated with a case, as files named "Main 1", "Main 2", "Main 3", "Names", … in the evidence object's metadata directory. 4.2 Refinement at the Volume/Sector Level: The Specialist menu allows you to expand/refine the standard volume snapshot in various ways, such that it contains more than what is referenced by the regular file system. Requires a specialist or forensic license; full functionality only with a forensic license. 4.2.1 Run X-Tensions: X-Tensions are DLLs which you can program yourself to extend the functionality of X-Ways Forensics or use it automatically for your own purposes. More information: … 4.2.2 Particularly thorough file system data structure search: FAT12/FAT16/FAT32: Searches for orphaned subdirectories (subdirectories that are no longer referenced by any other directory). NTFS: Searches for FILE records in sectors that do not belong to the current MFT or to a volume shadow copy (VSC). Such FILE records can be found e.g. in free space after a partition has been recreated, reformatted, moved, resized or defragmented. Can be very time-consuming on very large partitions. Done optionally (see Volume Snapshot Options). NTFS: With a forensic license, this function also searches INDX buffers and the LogFile for noteworthy index record remnants, which either reveal previous names or paths of re
5. Technical description of the interface: All files, or files in a certain category, or all tagged files, or all non-excluded files are copied into a subfolder of the output folder specified by you. The subfolder is named with a CRC in hexadecimal characters that is unique for the active case. The files are named with unique IDs (64-bit integer numbers). One additional file named "Checksum" is created that contains 4 bytes with the same CRC, 4 bytes with the handle of the main window of X-Ways Forensics (or X-Ways Investigator, for that matter), 8 reserved bytes and 128 bytes with the case title in UTF-16. When the files have been copied, X-Ways Forensics executes the external analysis program and specifies the complete path of the subfolder, in quotation marks, as a parameter. The external program can now perform the analysis. It can classify files by creating one .rtd file for each classification. When finished, the program can optionally check whether the X-Ways Forensics main window still exists and, if so, make X-Ways Forensics aware of the availability of the results by sending a WM_SETTEXT message to the main window, where the text starts with "Import" followed by the path of the directory where to find the .rtd files (without quotation marks). This will trigger the import automatically. Alternatively, the user can import the result as described above. The names of the .rtd files (report table definition files) will be used as the report table
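The hand-off format described above (a subfolder named after a CRC, files named by 64-bit ID, a 144-byte "Checksum" file, and an "Import" WM_SETTEXT message) can be handled by the external program like this. This is an added example, not code from X-Ways; the page does not state the byte order of the two 4-byte integers, the case of the hex digits in the folder name, the decimal naming of the ID files, or how the UTF-16 title is padded, so little-endian, upper-case hex, decimal IDs and NUL padding are assumptions here. The sample subfolder is constructed in a temporary directory.

```python
"""Consumer side of the external-analysis hand-off described in the manual.

Added example (not X-Ways code). Assumptions not stated on the page:
little-endian integers, folder name = 8 upper-case hex digits of the CRC,
ID files named in decimal, UTF-16LE title padded with NUL bytes.
"""
import ctypes
import os
import struct
import sys
import tempfile

# 4 bytes CRC, 4 bytes main window handle, 8 reserved bytes, 128 bytes UTF-16 title
CHECKSUM_LAYOUT = struct.Struct("<II8s128s")
WM_SETTEXT = 0x000C  # Win32 message number (documented constant)


def parse_checksum_file(data: bytes) -> dict:
    """Decode the 144-byte Checksum file; reject anything of the wrong length."""
    if len(data) != CHECKSUM_LAYOUT.size:
        raise ValueError(f"expected {CHECKSUM_LAYOUT.size} bytes, got {len(data)}")
    crc, hwnd, reserved, title = CHECKSUM_LAYOUT.unpack(data)
    return {"crc": crc, "hwnd": hwnd, "reserved": reserved,
            "title": title.decode("utf-16-le").rstrip("\x00")}


def collect_handoff(subfolder: str) -> dict:
    """Validate the subfolder against its Checksum file and list the file IDs."""
    with open(os.path.join(subfolder, "Checksum"), "rb") as f:
        info = parse_checksum_file(f.read())
    folder_crc = int(os.path.basename(subfolder), 16)
    if folder_crc != info["crc"]:
        raise ValueError("folder name does not match the CRC in the Checksum file")
    # Every other file is named with its 64-bit ID; ignore anything else.
    info["file_ids"] = sorted(int(n) for n in os.listdir(subfolder) if n.isdigit())
    return info


def import_message(rtd_dir: str) -> str:
    """Text for WM_SETTEXT: the word Import followed by the path, no quotation marks."""
    return "Import" + rtd_dir


def notify_xways(hwnd: int, rtd_dir: str) -> bool:
    """Windows only: send the Import message if the main window still exists."""
    if sys.platform != "win32":
        return False
    user32 = ctypes.windll.user32
    if not user32.IsWindow(hwnd):
        return False
    user32.SendMessageW(hwnd, WM_SETTEXT, 0, ctypes.c_wchar_p(import_message(rtd_dir)))
    return True


def build_sample_handoff(root: str, crc: int = 0x1A2B3C4D, title: str = "Case 42") -> str:
    """Constructed test data: a subfolder as X-Ways would lay it out under our assumptions."""
    sub = os.path.join(root, f"{crc:08X}")
    os.makedirs(sub)
    padded_title = title.encode("utf-16-le").ljust(128, b"\x00")
    with open(os.path.join(sub, "Checksum"), "wb") as f:
        f.write(CHECKSUM_LAYOUT.pack(crc, 0x000A0B0C, b"\x00" * 8, padded_title))
    for file_id in (1, 2, 3):
        with open(os.path.join(sub, str(file_id)), "wb") as f:
            f.write(b"sample content")
    return sub


def demo() -> dict:
    """Build the sample hand-off, parse it back and prepare the import message."""
    sub = build_sample_handoff(tempfile.mkdtemp())
    info = collect_handoff(sub)
    info["import_text"] = import_message(sub)
    return info


if __name__ == "__main__":
    print(demo())
```

The CRC check on the folder name is cheap insurance against picking up a stale subfolder from an earlier run; the hand-off relies on the external program only ever writing its .rtd files into the folder it was given.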
6. binary; float/single/real, double, longdouble/extended; char, char16; string, string16; zstring, zstring16; boole8/boolean, boole16, boole32; hex; DOSDateTime, FileTime, OLEDateTime, SQLDateTime, UNIXDateTime/time_t, JavaDateTime; GUID. A title must only be enclosed in inverted commas if it contains space characters. A title must not consist only of digits. WinHex does not distinguish between upper and lower case characters in titles. At most 41 characters are used to identify a variable. A type can be preceded by at most one member of each of the following modifier groups: big-endian/little-endian; hexadecimal/decimal/octal; read-only/read-write. These modifiers only affect the immediately following variable. They are redundant if they appear in the header already. The number at the end of a type name denotes the size of each variable (for strings: of each character) in bits. With char16 and string16 WinHex supports Unicode characters and strings. However, Unicode characters other than the first 256 (ANSI-equivalent) characters are not supported. The maximum string size that can be edited using a template is 8192 bytes. The types string, string16 and hex require an additional parameter that specifies the number of elements. This parameter may be a constant or a previously declared variable. If it is a constant, it may be specified in hexadecimal format, which is recognized if the number is pr
7. A so-called digest is similar to a checksum: a characteristic number used for verification of data authenticity. But digests are more than that: digests are strong one-way hash codes. It is computationally feasible to manipulate any data in such a way that its checksum remains unaffected. Verifying the checksum in such a case would lead to the assumption that the data has not been changed although it has. Therefore digests are used instead of checksums if malicious (i.e. not merely random) modifications to the original data are to be detected. It is computationally infeasible to find any data that corresponds to a given digest. It is even computationally infeasible to find two pieces of data that correspond to the same digest. (Note that this second property no longer holds for MD4, MD5 and SHA-1, for which collisions can be produced in practice; keep those for matching against legacy hash sets and use SHA-256 where an integrity claim has to withstand a deliberate attacker.) Of course, random modifications, e.g. caused by an inaccurate transmission, can also be detected when using digests, but checksums are sufficient and serve better for this purpose because they can be calculated much faster. WinHex can compute the following digests: MD4, MD5, SHA-1, SHA-256, RipeMD-128, RipeMD-160 and ed2k (specialist and forensic licenses only). 11.2.9 Attribute Legend: A = to be archived; R = read-only; H = hidden; S = system; X = not indexed; P = NTFS reparse point; O = offline; T = temporary; I = has object ID; C = compressed at file system level; c = compressed in archive; E = encrypted at file system level; e = encrypted in archive; e = file type specific encryption/DRM; e = high entropy, possibly fu
8. … and any sector read errors. Forensic license: Ability to create a second copy of an image immediately when imaging a disk, which is much quicker than copying the image file later and makes sense if the 2nd copy is created on a different drive. Only the first copy will be automatically verified, if desired. File spanning (i.e. when to start another image file segment) is kept in sync between both copies, even when running out of space on only one of the two target drives. Forensic license: Ability to compute two hash values simultaneously. If you make use of this option, then both hash values will be stored in the descriptive text file. The first hash value is the one that can be automatically verified when imaging completes. You could intentionally choose the faster algorithm for that, as the main purpose at that point is to detect I/O errors and file errors. The second hash value is imported into the evidence object properties when adding the image to a case. Forensic license: If you cancel disk imaging in the middle of the process, X-Ways Forensics quickly finalizes the .e01 evidence file format (more precisely, the current segment) to guarantee a consistent image, even though it is not a complete image. Useful for example in an emergency situation when imaging media on site, because an incomplete image that can be used without errors is better than an unusable corrupt image. If hashing was enabled, incomplete .e01 images even have a hash val
9. … operation helps to include files in the volume snapshot that can still be found in free or used drive space based on their file header signature and are no longer referenced by file system data structures. You are asked to select certain file types for detection, specify a default file size, an optional filename prefix, etc. Please see File Recovery by Type and the file type definitions for details. Files found with this method will be included in the volume snapshot only if there is no other file in the volume snapshot with the same start sector number yet (overwritten files don't count), to avoid duplicates. Files found with this method are listed with a generic filename and a size as detected by the File Recovery by Type mechanism. If applied to a physical, partitioned evidence object, only unpartitioned space and partition gaps will be searched for signatures, because the partitions are treated as separate, additional evidence objects. 4.2.4 Block-wise Hashing and Matching: Block-wise hashing may allow you to identify complete or incomplete remnants of known notable files that are still floating around in free drive space, even if they were fragmented and the location of the fragments is unknown, to show with some or very high certainty that these files once existed on that medium. The hash values are computed when reading from the evidence object sector-wise, and that happens at the same time as running a file header signature search, if
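The block-wise matching idea in 4.2.4 above, as an added example that is not X-Ways code: hash every full block of a known notable file once, then hash the medium block by block and look the digests up. Block size, the choice of SHA-1, the filter for single-byte blocks and the sample medium are assumptions made for this illustration; the sample medium is constructed inline, with one block of the known file deliberately overwritten to show partial matches.

```python
"""Block-wise hashing and matching: find fragments of a known file in free space.

Added example, not X-Ways code. Block size (512) and hash (SHA-1) are choices
made here; the medium below is constructed test data.
"""
import hashlib

BLOCK = 512


def block_hash_set(known_file: bytes, block: int = BLOCK) -> dict:
    """Map digest -> block index for every full block of a known notable file."""
    return {hashlib.sha1(known_file[i:i + block]).digest(): i // block
            for i in range(0, len(known_file) - block + 1, block)}


def is_trivial(chunk: bytes) -> bool:
    """A block consisting of one repeated byte (e.g. all zeros) will match any
    other such block and proves nothing; skip it (filter added here)."""
    return len(set(chunk)) == 1


def match_blocks(medium: bytes, known: dict, block: int = BLOCK) -> list:
    """Hash the medium block-wise and report (offset, known block index) hits.
    Fragments are found regardless of where on the medium they ended up."""
    hits = []
    for off in range(0, len(medium) - block + 1, block):
        chunk = medium[off:off + block]
        if is_trivial(chunk):
            continue
        digest = hashlib.sha1(chunk).digest()
        if digest in known:
            hits.append((off, known[digest]))
    return hits


def coverage(hits: list, known: dict) -> float:
    """Fraction of the known file's distinct blocks that were found at least once."""
    return len({idx for _, idx in hits}) / len(known)


def build_sample() -> tuple:
    """Constructed data: a 4-block known file scattered over a 10-block zeroed
    medium, with block 1 missing (as if overwritten)."""
    known_file = b"".join(bytes((k * 37 + i) % 256 for i in range(BLOCK)) for k in range(4))
    medium = bytearray(10 * BLOCK)
    placement = {1: 2, 4: 0, 7: 3}  # sector -> known block index
    for sector, k in placement.items():
        medium[sector * BLOCK:(sector + 1) * BLOCK] = known_file[k * BLOCK:(k + 1) * BLOCK]
    return known_file, bytes(medium)


def demo() -> dict:
    known_file, medium = build_sample()
    known = block_hash_set(known_file)
    hits = match_blocks(medium, known)
    return {"hits": hits, "coverage": coverage(hits, known)}


if __name__ == "__main__":
    print(demo())
```

Three of four blocks are recovered from non-adjacent sectors, which is exactly the "fragmented, location unknown" case the section describes; the zero-filled sectors are skipped rather than reported, since a zero block of any file would match them.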
10. Secondly, documents with the extensions/types .doc (MS Word 4-2003), .xls (MS Excel 2-2003), .ppt/.pps (MS PowerPoint 97-2003), .mpp (MS Project 98-2003), .pst (MS Outlook), .docx (MS Word 2007/2010), .xlsx (MS Excel 2007/2010), .pptx/.ppsx (MS PowerPoint 2007/2010), .odt (OpenOffice 2 Writer), .ods (OpenOffice 2 Calc) and .pdf (Adobe Acrobat) are checked for file format specific encryption, MS Office documents also for digital rights management (DRM) protection. If positive, these files are flagged with "e" in the attribute column. This check requires that the separate viewer component is active. Additionally, the encryption test can detect eCryptfs-encrypted files (files stored by the Enterprise Cryptographic File System for Linux), with a test that is based on the eCryptfs implementations for Ubuntu 8.10, 9.04, 9.10 and 10.04. Such files will be marked with "E" in the Attributes column, just like EFS-encrypted files in NTFS. 4.3.10 Indexing: Totally revised new indexing engine with many advantages: created at the same time as the volume snapshot is refined (synergy saves time); faster to create than before even by itself; no separate optimization step; just 1 index for multiple code pages/character sets; just 1 word list for multiple code pages/character sets (i.e. fewer duplicates); GREP searches in the index possible; multiple indexes with different names for different purposes may coexist for the same evidence object; indexing wi
11. Technically it is possible to select as many file types for simultaneous recovery as you like. However, if you recover files of different types at the same time that typically have totally different sizes (e.g. type A a few KB, type B a few GB), using a single general default file size would not be a good idea. That's why, optionally, you can define individual default sizes for each file type in the file type definition database, which, if they exist, optionally have priority over the general default file size specified in the dialog window. File headers are usually found at cluster boundaries, because that is where file systems mostly put the start of a file. However, it is more thorough and not slower to search for sector-aligned file headers, because that also allows you to find files from previously existing partitions with a different cluster layout. If performed on a physical medium or raw file with no cluster layout defined, WinHex searches at sector boundaries anyway. There is yet another possibility: a thorough byte-level search. This is required when you are trying to find files that are not reliably aligned at any sector boundary, e.g. files in backup files or tape images or embedded in other files, or when trying to find entries, records, micro formats, memory artifacts etc., i.e. not complete ordinary files. This comes at the cost of a possibly increased number of false positives, though (misidentified file signatures occurring randomly on a media
12. (Fragment of the partition type table.) Windows 95 with 32-bit FAT; Dynamic disk volume; Dynamic disk volume; OnTrack Disk Manager read-only partition; 51: OnTrack Disk Manager read/write partition; Linux native file system (ext2fs/xiafs); Hibernation partition; 86: FAT16 volume/stripe set (Windows NT); Corrupted NTFS volume/stripe set; DELL OEM partition; F2: DOS 3.3 secondary partition; IBM OEM partition
13. … after prompting the user. In-place edit mode: Please use caution when opening files or disks in in-place edit mode. All kinds of modifications (keyboard input, filling or removing the block, writing clipboard data, replacements) are written to the original file or disk in place, without prompting. It is not necessary to save the file manually after having modified it. Instead, the modifications are saved lazily and automatically, at the latest when closing the edit window. However, you may use the Save command to ensure the buffer is flushed at a given time. The in-place edit mode is preferable if the data transfer from the original to the temporary file and vice versa, which is obligatory in default edit mode for certain operations, consumes too much time or disk space. This may be the case when opening very large files or when modifying huge amounts of data. Since usually no temporary files are needed in in-place edit mode, this edit mode is generally faster than the default edit mode. The in-place edit mode is the only mode available when using the RAM editor. Hint: Even in in-place edit mode, the creation of a temporary file is unavoidable when altering the file size. If you open files using the operating system (e.g. via File | Open, from any drive letter currently available in Windows), then operating system file write commands will be used to change a file. However, in WinHex it is even possible to edit files without using operating system f
14. … and only contained once. Useful for a customized dictionary attack. Find Text: This command is used to search for a specified string of up to 50 ASCII characters in the current file, disk or RAM section (cf. Search Options). Only supports those Unicode characters that are in the 0x00-0xFF range. For a more powerful search variant, try Simultaneous Search. Find Hex Values: This command is used to search for a sequence of up to 50 two-character hex values (cf. Search Options). Replace Text: Use this command to replace occurrences of a specified string with another string, each of up to 50 ASCII characters (cf. Replace Options). Only supports those Unicode characters that are in the 0x00-0xFF range. Replace Hex Values: Functions exactly as the Replace Text command, but is applied to a sequence of hex values (50 at most; cf. Replace Options). Combined Search: Provides a complex search mechanism. In the current and in a second file, a common offset is searched where each file contains the specified respective hex values. Integer Value: Enter an integer within the limits of the signed 64-bit integer data type. This function searches data in the current file which can be interpreted as this integer. Floating Point Value: Enter a floating point number (e.g. 12.34, 0.1234, 10.0, 1234E2) and select a floating point data type. This function searches data in the current file which can be interpreted as this floating point value. Text Passa
15. … and skin color detection in pictures. When starting up WinHex for the first time, you are asked whether to run it with the forensic interface. This means the Case Data window is displayed, WinHex is run in read-only mode, and you are asked to make sure the folders for temporary files and for case data are set correctly, in order to prevent WinHex from writing files to the wrong drive. In order to work with a case, make sure the Case Data window is visible on the left of the main window. If not, enable View | Show | Case Data. From the File menu you may create a new case (start from scratch), open an existing case, close the active case, save the active case, back up the case file and the entire case folder in a ZIP archive (only for files < 4 GB), or automatically generate a case report. You may add media as evidence objects to the case, or image files that will be interpreted like media (see Specialist menu), or memory dumps, or directories on your own computer. Adding a directory instead of a whole partition or disk can be useful if a directory or a file of interest resides on a drive with many irrelevant files, if you merely wish to view, hash or search a few of those files, check their metadata, or copy them to an evidence file container, etc. A case is stored in a .xfc file (.xfc stands for X-Ways Forensics Case) and in a subfolder of the same name, just without the .xfc extension. This subfolder and its child folders are
16. … data, so that it is not necessary to search for other files within that file's boundaries. g (lower case): Weaker version of the same flag. Only if an internal file size detection algorithm exists for a file type, and if a file with the same start sector number already exists with the same file size as detected, will the g flag cause X-Ways Forensics to skip the affected sectors. This can help to prevent overlapping zip files and thereby avoid potentially many contained duplicate files. t: Prevents X-Ways Forensics from presenting the type of carved files immediately as confirmed. Useful for example for file format families such as XML, to determine the exact subtype later during file type verification. e: Stands for "embedded". If a file type has a tilde algorithm in the Footer column and is marked with this flag, it will be searched for embedded in certain other files during volume snapshot refinements, always at the byte level. W (upper case): Identifies header signatures that are too weak to newly detect the type of a file and are merely used to confirm the type suggested by the name extension of the file. 7.4 Manual Data Recovery: It is possible to restore lost or logically deleted files (or, more generally, data) that are merely marked as deleted in the file system but have not been physically erased or overwritten. Open the logical drive where the deleted file resided using the disk editor. In principle, you can recreate such a file
17. … directory browser. 7.2 File Recovery by Type / File Header Signature Search: Data recovery function in the Disk Tools menu, and also a strategy to find previously existing files as part of the Refine Volume Snapshot command. This recovery method is also referred to as file carving. It searches for files that can be recognized by a characteristic file header signature (a certain sequence of byte values). Because of this approach, file carving does not depend on the existence of functional file system structures. When found based on the signature, the files are saved to the output folder that is specified by the user (File Recovery by Type) or merely listed in a virtual directory of the volume snapshot (File header signature search). Optionally, recovered files of each type are put into their own subfolder (JPEG, HTML, etc.). Note that file carving assumes contiguous file clusters, so it produces corrupt files in case the files were originally stored in a fragmented way. A log file ("File Recovery by Type.log") about the selected parameters and the recovery results is written to the output folder for verification purposes. Since no use is made of a possibly present consistent or damaged file system, the original file sizes are in principle unknown to this algorithm, and so are the original filenames. That is why the resulting files are mostly named generically according to the following pattern: Prefix, followed by the extension ext. Prefix is an op
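The alignment trade-off from item 11 above (sector-aligned versus byte-level header search) and the carving behaviour in 7.2 (contiguous files, footer- or default-size based length, generic names) in working form. This is an added example, not X-Ways code: the two-entry signature table, the 512-byte sector, the "Prefix0001.ext" naming, and the sample medium (a repeating byte pattern with one JPEG placed on a sector boundary and one PNG header placed mid-sector, as if embedded in another file) are all assumptions constructed for the illustration.

```python
"""Header-signature carving at sector vs byte granularity.

Added example, not X-Ways code. SIGNATURES, SECTOR, the naming scheme and
build_sample_medium() are assumptions made for this illustration.
"""
SECTOR = 512

# ext -> (header, footer or None). With a footer the size is detected from it;
# otherwise the carved file gets the default size (as the dialog's default file size).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", None),
}


def carve(medium: bytes, step: int = SECTOR, default_size: int = 2048,
          prefix: str = "File", signatures: dict = SIGNATURES) -> list:
    """Return (name, offset, size) for each header found.

    step=SECTOR checks sector boundaries only; step=1 is the thorough byte-level
    search. Files are assumed contiguous. When the size was detected from a
    footer, scanning resumes after the file so that nothing inside it is carved
    again (the skip behaviour the file type definition flags describe)."""
    found = []
    off = 0
    while off < len(medium):
        advance = step
        for ext, (header, footer) in signatures.items():
            if not medium.startswith(header, off):
                continue
            size = default_size
            if footer is not None:
                end = medium.find(footer, off + len(header))
                if end != -1:
                    size = end + len(footer) - off
                    advance = size  # skip the interior of a file with known size
            size = min(size, len(medium) - off)
            found.append((f"{prefix}{len(found) + 1:04d}.{ext}", off, size))
            break
        # keep the scan on the chosen grid after a skip
        off += advance if step == 1 else -(-advance // step) * step
    return found


def build_sample_medium() -> bytes:
    """Constructed 16-sector medium: JPEG at sector 2, PNG header 100 bytes into sector 5."""
    medium = bytearray(bytes(range(256)) * 32)           # 8192 bytes, no signature in it
    jpeg = b"\xFF\xD8\xFF\xE0" + b"J" * 700 + b"\xFF\xD9"  # 706 bytes, footer present
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300                # no footer: default size applies
    medium[2 * SECTOR:2 * SECTOR + len(jpeg)] = jpeg
    medium[5 * SECTOR + 100:5 * SECTOR + 100 + len(png)] = png
    return bytes(medium)


def demo() -> dict:
    medium = build_sample_medium()
    return {"sector_aligned": carve(medium, step=SECTOR),
            "byte_level": carve(medium, step=1)}


if __name__ == "__main__":
    for mode, files in demo().items():
        print(mode, files)
```

The sector-aligned pass finds only the JPEG; the byte-level pass also finds the unaligned PNG header, at the price of testing every offset, which on real data is where the extra false positives come from.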
18. … in 7HZsIF9B AND4TpkSbSBS can be prevented if you search for it as a whole word only and redefine the alphabet to include the digits 0-9, i.e. consider them word characters. It is possible to review the incomplete search hit list in the middle of an ongoing simultaneous search. You can click the search hit list button at any time to view the preliminary search hit list. Additional search hits that have been collected as the search continues will be listed when you refresh the search hit list by clicking the Enter button in the search term list, as usual. This approach to viewing preliminary search hits is useful e.g. when previewing a live system on site to determine whether a medium might contain relevant files and should be captured. If after searching 5% of the data and reviewing the search hits gathered so far the answer is "Yes", the search can be stopped already and a lot of time is saved. 3.12 Logical Search: Powerful subvariant of the simultaneous search. Allows you to search either all files, all tagged files or, if invoked from the directory browser context menu, all selected files. File slack can be specifically included or excluded. The logical search has several advantages over a physical search: The search scope can be limited to certain files and folders through tagging or selecting files. Please note that the amount of data to search that may be displayed in the dialog window is an estimate only. The actual scope of the search
19. … occurrences from a file, a disk or a memory range in a file. This kind of filter is useful to considerably reduce the amount of data to handle, e.g. if a computer forensics specialist is looking for leads in the form of text such as e-mail messages, documents etc. The target file can easily be split at a user-defined size. This function can also be applied to a file with collected slack space or free space, or to damaged files in a proprietary format that can no longer be opened by their native applications (like MS Word), to recover at least unformatted text. Evidence File Container: see above. External Virus Check (forensic license only): Sends all files or all tagged files in an evidence object's volume snapshot to an external virus scanner, optionally only files with a size below a certain threshold. Files that are locked, deleted or renamed by the virus scanner in the output directory will be added to a report table named "Virus suspected". It is the responsibility of the user to verify that a virus scanner is active, that it watches the folder for temporary files, and that it will indeed lock, delete or rename infected files. After verifying whether the file has been locked, deleted or renamed externally, X-Ways Forensics deletes it itself if it still exists. Bates Number Files: Bates numbers all the files within a given folder and its subfolders for discovery or evidentiary use. A constant prefix (up to 13 characters long) and a uniq
20. … optionally included and displayed with characters. With no such gaps you may compare memory dumps to files exactly with one another (absolute and virtual addresses are identical), e.g. to examine stack and heap states or to observe viruses. If you select one of the listed processes, you may access either the so-called primary memory or the entire memory of this process, or one of the loaded modules. The primary memory is used by programs for nearly all purposes. Usually it also contains the main module of a process (the EXE file), the stack and the heap. The entire memory contains the allocated pages of the entire logical memory address space of a process, including the part of memory that is shared among all processes. Please note the following limitations: Access to physical RAM under Windows XP 32-bit only, no more than 4 GB, and with administrator rights only. Caution: Only keyboard input can be undone. Editing is possible in in-place mode only. The evaluation version only supports view mode. The options relevant for the RAM editor are "Check for virtual memory alteration" and "Virtual Addresses". Main Memory Analysis (requires a forensic license): When you open the local physical RAM via Tools | Open RAM (only under Windows XP), or a main memory dump as a file and interpret that file exactly like you would a disk image, or add a memory dump to a case, processes will be listed in the directory browser
21. … resulting container is free of known viruses (depending on the antivirus software in use) and can reasonably be passed on to and used in an environment with higher sensitivity, higher security requirements and/or less sophisticated virus protection. Containers of the old format may be either optimized for better performance when about to add a really great number of files, or have a slim layout for fewer files. Containers of the new format can hold around 1 billion files. In order to retain in the container the source of files that originate from different evidence objects, the names of these evidence objects can be included in the container as the top directory level. An optional internal designation can be specified (up to 31 characters), which will become the volume label of the XWFS file system. An optional description can also be specified (up to 60,000 characters), which will be imported as the evidence object comments once the container is added to a case in X-Ways Forensics. The description stored in the container can still be added or edited later. Files selected in the directory browser can be added to the active file container with the directory browser's context menu. Either you copy the logical contents of a file, the logical contents and the file slack separately, just the slack, only the block selected in File mode, or merely the file system level metadata of the file. You may also specify whether child objects of selected files shoul
22. … so that you can be sure that data authenticity has not been compromised in between. Hashes stored in evidence files are imported automatically when added to a case. You may disable the automated log feature for a specific evidence object if the log feature is enabled for the case as a whole. To add images or media to a case, you can use the Add commands in the case data window's File menu. When adding images, you can also select that the volume snapshot of newly added evidence objects should be refined immediately. Another way to add opened images or disks to the case is the Add command in the context menu of the data window's tab. The command "Replace with New Image" in the context menu of an evidence object allows you to replace a disk that is used as an evidence object in your case with an image; useful if you first preview the disk before you acquire it (i.e. create an image of it), without losing your volume snapshot, search hits, comments etc. Can also be used to simply tell X-Ways Forensics the new path of an image in case the image was moved or the drive letter has changed, or if the image filename was changed, or if the type of the image was changed (e.g. a raw image to be replaced with a compressed and encrypted .e01 evidence file). In the case of a physical, partitioned evidence object, it is recommended to apply this command to that parent object, i.e. the physical disk. The change will then automatically also be applied t
23. … though, is that the number, the position and the usage order of all bits can be chosen arbitrarily. For example, uint_flex 7,15,23,31 "An unusual 4-bit integer" composes a 4-bit integer out of the respective most significant bits of each of the four bytes involved. If these four bytes happen to be F0 A0 0F 0A (11110000 10100000 00001111 00001010), bit 7 is 1, bit 15 is 1, bit 23 is 0 and bit 31 is 0. So the resulting uint_flex is 1100 = 1*8 + 1*4 + 0*2 + 0*1 = 12. Appendix B: Script Commands. Script commands are case-insensitive. Comments may occur anywhere in a script file and must be preceded by two slashes. Parameters may be 255 characters long at most. Where in doubt, because hex values, text strings or even integer numbers are accepted as parameters, you may use inverted commas (quotation marks) to enforce the interpretation of a parameter as text. Inverted commas are required if a text string or variable name contains one or more space characters, so that all characters between the inverted commas are recognized as constituting one parameter. Wherever numerical parameters are expected (integer numbers), the integrated formula parser allows you to use mathematical expressions. Such expressions need to be enclosed in brackets. They must not contain space characters. They may make use of variables that can be interpreted as integer numbers. Supported operations are addition, subtraction, multiplication, integer di
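The uint_flex computation above, reproduced as an added example (not WinHex code) so the bit numbering can be checked against the page's F0 A0 0F 0A case. The only assumption beyond the text is the bit numbering it implies: bit n lives in byte n // 8, at position n % 8 counted from the least significant bit, and the first listed position becomes the most significant digit of the result.

```python
"""uint_flex: an unsigned integer assembled from arbitrarily chosen bits.

Added example, not WinHex code. Bit n is taken from byte n // 8, position
n % 8 (0 = least significant); listed order = most significant first.
"""


def uint_flex(data: bytes, bit_positions) -> int:
    """Assemble the named bits of data into an integer, first position first."""
    value = 0
    for pos in bit_positions:
        byte_index, bit_index = divmod(pos, 8)
        if byte_index >= len(data):
            raise ValueError(f"bit {pos} lies beyond the {len(data)} byte(s) supplied")
        bit = (data[byte_index] >> bit_index) & 1
        value = (value << 1) | bit
    return value


def parse_flex_spec(spec: str) -> list:
    """Parse the position list of a template line such as
    uint_flex 7,15,23,31 "An unusual 4-bit integer"  (the position part only)."""
    positions = [int(p) for p in spec.split(",") if p.strip()]
    if not positions:
        raise ValueError("uint_flex needs at least one bit position")
    return positions


def bit_trace(data: bytes, bit_positions) -> list:
    """(position, bit value) pairs, useful when checking a template by hand."""
    return [(pos, (data[pos // 8] >> (pos % 8)) & 1) for pos in bit_positions]


# The page's worked case: bytes F0 A0 0F 0A, bits 7,15,23,31 -> 1100b = 12
EXAMPLE_BYTES = bytes.fromhex("F0A00F0A")

if __name__ == "__main__":
    spec = parse_flex_spec("7,15,23,31")
    print(bit_trace(EXAMPLE_BYTES, spec), uint_flex(EXAMPLE_BYTES, spec))
```

Because the order of the positions is significant, reversing the list gives a different value for the same bytes (0011b = 3 here); that is the "usage order" freedom the template section refers to.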
24. (Fragment of the ASCII control character table.) 06 Acknowledge; 07 Bell; 08 Backspace; 09 Horizontal Tab; 0B Vertical Tab; 0D Carriage Return; 0E Shift Out; 10 Data Link Escape; 17 End of Transmission Block; 19 End of Medium; 1A Substitute; 1B Escape; 1D Group Separator; 1E Record Separator. 2.7 Checksums: A checksum is a characteristic number used for verification of data authenticity. Two files with equal checksums are highly likely to be equal themselves, byte by byte. Calculating and comparing the checksums of a file before and after a possibly inaccurate transmission may reveal transmission errors. An unaffected checksum indicates that the files are in all likelihood still identical. However, a file can be manipulated on purpose in such a way that its checksum remains unaffected. Digests are used instead of checksums in such a case, where malicious (i.e. not merely random) modifications to the original data are to be detected. In WinHex, checksums can be calculated, for example, with a command in the Tools menu. The standard checksum is simply the sum of all bytes in a file, calculated on an 8-bit, 16-bit, 32-bit or 64-bit accumulator. The CRC (cyclic redundancy code) is based on more sophisticated algorithms, which are safer against accidental corruption (a CRC is linear, so it is no protection against deliberate modification either; see 2.8 Digests). Example: If a transmission alters two bytes of a file in such a way that the modifications are countervailing (for instance byte one +1, byte two -1), the standard checksum remains unaffected, whereas the CRC changes. 2.8 Digests
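The checksum/CRC/digest distinction drawn in 2.7 and 2.8 above (item 7 and this item) in running code, as an added example that is not WinHex code. It reproduces the manual's countervailing +1/-1 edit, which leaves the byte sum unchanged but changes the CRC and the SHA-256 digest, and then goes one step beyond the text: because CRC-32 is linear, four appended bytes suffice to force any desired CRC, which is why only a digest is a defence against deliberate tampering. The sample message is constructed; the CRC-32 polynomial and register conventions are those of zlib.crc32.

```python
"""Sum checksum vs CRC-32 vs SHA-256 under accidental and deliberate change.

Added example, not WinHex code. SAMPLE is constructed; the CRC forgery uses
the standard reflected CRC-32 (polynomial 0xEDB88320) as implemented by zlib.
"""
import hashlib
import zlib

SAMPLE = b"Transfer 100 EUR to account 4711"  # constructed sample


def sum_checksum(data: bytes, bits: int = 32) -> int:
    """Standard checksum: the sum of all bytes on an 8/16/32/64-bit accumulator."""
    if bits not in (8, 16, 32, 64):
        raise ValueError("accumulator width must be 8, 16, 32 or 64 bits")
    return sum(data) & ((1 << bits) - 1)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def countervailing_change(data: bytes, i: int, j: int) -> bytes:
    """The manual's example: byte i +1, byte j -1 keeps every byte sum intact."""
    buf = bytearray(data)
    if buf[i] == 0xFF or buf[j] == 0x00:
        raise ValueError("chosen bytes would wrap around; pick other positions")
    buf[i] += 1
    buf[j] -= 1
    return bytes(buf)


_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)
# The top byte of the table entries is a permutation of 0..255, which is what
# makes the backward step below unambiguous.
_TOP_BYTE_TO_INDEX = {entry >> 24: idx for idx, entry in enumerate(_CRC_TABLE)}


def crc32_forge_suffix(data: bytes, target: int) -> bytes:
    """Four bytes which, appended to data, make crc32(data + suffix) == target.
    Works because each CRC step is r = T[(r ^ b) & 0xFF] ^ (r >> 8): after four
    steps the old register has been shifted out entirely, so the final register
    depends only on the four table indices, which we solve for backwards."""
    indices = [0] * 4
    reg = target ^ 0xFFFFFFFF          # internal register that yields `target`
    for k in range(3, -1, -1):
        indices[k] = _TOP_BYTE_TO_INDEX[reg >> 24]
        reg = ((reg ^ _CRC_TABLE[indices[k]]) << 8) & 0xFFFFFFFF
    suffix = bytearray()
    reg = zlib.crc32(data) ^ 0xFFFFFFFF  # register after the real data
    for k in range(4):
        b = (reg ^ indices[k]) & 0xFF     # the byte that selects index k
        suffix.append(b)
        reg = _CRC_TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(suffix)


def demo() -> dict:
    """Accidental-looking edit, then a CRC-preserving deliberate edit."""
    modified = countervailing_change(SAMPLE, 9, 10)      # "100" becomes "2/0"
    forged = modified + crc32_forge_suffix(modified, crc32(SAMPLE))
    return {
        "sum_unchanged": sum_checksum(SAMPLE, 8) == sum_checksum(modified, 8),
        "crc_changed": crc32(SAMPLE) != crc32(modified),
        "sha256_changed": sha256_hex(SAMPLE) != sha256_hex(modified),
        "crc_forged_matches": crc32(forged) == crc32(SAMPLE),
        "sha256_still_differs": sha256_hex(forged) != sha256_hex(SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

The first three results are the manual's point: sums miss the swap, the CRC catches it. The last two are the practitioner's caveat: the CRC is defeated with four chosen bytes, while the digest is not, so an image or container hash meant to withstand an adversary has to be a digest.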
A-Z and German and French letters), e.g. by punctuation marks, blanks, binary control codes, digits. If this option is enabled, for example "tomato" is not found in "automaton". Reliable to reduce the number of hits for English, German and French text only. In a Simultaneous Search, either all search terms are searched as whole words, or only those that are indented (prepended with a tab character), or none, depending on the state of the corresponding checkbox.

For a Simultaneous Search you may customize the word boundary detection for Latin-based languages, i.e. make it more strict (for less search hits) or more relaxed (for more search hits), by defining the alphabet of characters that are considered letters (characters belonging to words, as opposed to non-word characters). A word character followed by a non-word character, or the other way around, is considered a word boundary. There are three easy-to-use pre-defined settings. The setting for the most thorough search results is the default. Users that are overwhelmed by garbage hits for short keywords in non-text data such as Base64 or binary garbage may want to try the other two options. These other two options could lead to valid search hits being missed in some constellations (depends on the file format), but can still be justifiable as a great time saver for searches in text documents, e.g. rather in electronic discovery, rather not in computer forensics. For more explanation and an example of
B.2. For a logical AND combination (if the search terms are not marked accordingly), you may also use the small scrollbar that appears when you select multiple search terms. Allows you to see only search hits in files that contain all the selected search terms at the same time. You can combine up to 7 search terms that way. If you select more than 2 search terms, you also have the option to be less strict and only specify a minimum number of different search terms in the same file (e.g. require that, of search terms A, B, C and D, any combination of two of them in the same file is sufficient, e.g. A and B, or A and C, or B and D, etc.; fuzzy/flexible AND combination).

When 2 search terms are selected in the search term list and combined with a logical AND using either of the two available methods, additionally you can now require that search hits must be NEAR to each other to be listed, to find more likely relevant combinations of both search terms in the same file, exactly like with a proximity search. The maximum distance between the search hits that constitutes NEAR can be defined by the user, in bytes. A NEAR combination may also be applied for more than 2 selected search terms. The effect is that a search hit is listed only if any of the other selected search terms occurs nearby. (This paragraph is quoted from wikipedia.org:) The basic linguistic assumption is that the proximity of the words in a document implies a relationship between
GZ, GHO, PGP pubring/pkr keyring, ETL, SQM, IE cookies, CAT, CER, CTL, SHD (printer spool), PF (prefetch), LNK (shortcut) and DocumentSummary alternate data streams. These timestamps will be shown in the Int. Creation column of the directory browser. In some cases the earliest timestamp will be extracted, which approximates the real original creation date best.

c) Allows to copy certain file metadata to the Metadata column, which will allow you to filter by this metadata, to export the metadata with the Export List command, and to output it with a report table in a case report. Metadata can be extracted from all the file types specifically supported in Details mode plus Windows shortcut files (.lnk) and prefetch files (.pf). Only a subset of the metadata that you see in Details mode is extracted.

d) Populates the Sender and Recipients columns for original .eml files.

e) Creates previews of Internet browser SQLite databases, which may require that the files have been checked for their true file type. Supports Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, Safari feeds, and Skype's main.db database about contacts and file transfers. Creates previews also of Internet Explorer index.dat files, including artificial index.dat files compiled from individual records from various locations during the file header signature search
- Hex Values: Copies the data as concatenated hex values.
- Editor Display: Copies the data as text, formatted as if it was displayed in the hex editor, i.e. with an offset, a hex and a text column.
- GREP Hex: Copies the data as hex values in GREP syntax.
- C/Pascal Source: Copies the data as C/Pascal formatted source code into the clipboard.

Paste Clipboard: Inserts the clipboard contents at the current position of a file. The file data following this position is moved forward.

Write Clipboard: Copies the clipboard contents to the current file at the current position. The data at this position is overwritten. If the end of the file is encountered, the file size is increased so that the clipboard contents find place.

Paste Clipboard Into New File: Creates a new file of the clipboard contents.

Empty Clipboard: This command is used to free the memory used by the clipboard.

Remove: Deletes the current block from the file. The data following the block is pulled to the former block beginning. The clipboard is not affected by this command. If the block is equally defined in all open files (i.e. it begins and ends at the same offsets), this command can even be applied to all open files at the same time.

Paste Zero Bytes: Use this command to insert zero bytes at the current position of a file.

Add Block as Virtual File (forensic license only): If you manually define a block in Volume/Partition/Disk/File mode, this command allows you to add it to the
Left-click a day to select that day as the left boundary of the timestamp filter, or right-click it to define it as a right boundary. Middle-click a day to filter for timestamps on that particular day only. If the same file is listed more than once (which can happen in a search hit list if it contains more than 1 search hit), then its timestamps are also represented more than once in the calendar. When not showing events, you can now decide which column's timestamps should be included in the calendar. Columns that are hidden (have a width of 0 pixels) are excluded; all other columns are included. The status bar reminds you which columns are included, even if not currently visible because of horizontal scrolling. Years in the calendar with no timestamps are grayed out. The number of a year is displayed in a darker shade of gray the more timestamps are listed for that year. All shades of gray try to give the examiner a better and quicker impression of peaks or absence of activity.

Example: During which period of time were most JPEG files processed on a volume? Right-click the root directory in the directory tree (case data window) to recursively list all files from all subdirectories, then use the file type filter to limit the view to JPEG files, and enable the calendar view.

Raw: In Preview mode, in conjunction with the viewer component, Raw mode renders the file as plain text. This can be useful, for example, for HTML files, to see the HTML source code
Since v17.1, users of X-Ways Forensics may simply copy their xwforensics.exe executable file and name the copy winhex.exe (or, for the 64-bit edition, copy their xwforensics64.exe executable file and name the copy winhex64.exe) to get WinHex. Or they may use the setup program, which creates hard links named like that in the target directory. Or they can create hard links themselves, which is much cooler than ordinary copying. If the program is executed as winhex.exe, it will identify itself as WinHex everywhere in the user interface (case report, case log, image descriptions and all screenshots) and act/behave like WinHex. That version is the best of both worlds, with the full forensics feature set of X-Ways Forensics plus the sector editing and data wiping capability of WinHex in one. The WinHex API can only be used in conjunction with WinHex.

1.5 Getting Started with X-Ways Forensics

For the latest download instructions, if your update maintenance is current, you can check your license status here. For more information about the installation of WinHex and X-Ways Forensics, please see this web page. Extract the files in the X-Ways Forensics download to a directory of your choice. An installation with the setup program is not necessary. The program is portable and can also be started directly from a USB stick on other computers, e.g. live systems that you would like to examine. Also download the viewer component, which is not included in the stan
additionally allows to compute the percentage of skin colors in pictures and to detect black & white pictures. This can be done for the file types JPEG, PNG, GIF, TIFF, BMP, PSD, HDR, PSP, SGI, PCX, CUT, PNM, PBM, PGM, PPM, ICO. The detection of black & white or gray scale pictures is useful when looking for documents that were scanned and faxes that were stored electronically. A forensic examiner who has to look for traces of child pornography can sort pictures by skin color percentage in descending order to immensely accelerate the job. Checking the mass of 0-9% skin color percentage pictures (e.g. thousands of browser cache garbage files) may not be necessary any more, as the most likely incriminating files will be sorted near the top of the list. Please note that there may be false positives (i.e. skin-like colors of a non-skin surface). Pictures that cannot be correctly scanned for their color contents (e.g. because they are too large or corrupt) will be listed with a question mark instead of the skin color percentage. Pictures with very small dimensions (width or height no more than 8 pixels, or width and height no more than 16 pixels each) will be marked as irrelevant, with the assumption that they cannot contain incriminating pornography or documents. For large JPEG, PNG, GIF and TIFF files, at the same time when analyzing the colors in the pictures during volume snapshot refinement, X-Ways Forensics can now optionally also create thumbnails in
advance for much quicker display updates in Gallery mode later. Internal thumbnails are only created if no original thumbnails are embedded in the files and extracted at the same time, and they are actually utilized for the gallery only if auxiliary thumbnails are enabled (see Options | General). To discard all internal thumbnails but keep the computed skin color percentages, you may delete the file Secondary 1 in the _ subdirectory of an evidence object behind X-Ways Forensics' back, i.e. when the evidence object is not currently open.

4.3.9 Detection of Encryption

A forensic license allows to optionally perform file format specific and statistical encryption tests. With an entropy test, each existing file larger than 255 bytes is checked whether it is fully encrypted. If the test is positive (the entropy exceeds a certain threshold), the file is flagged with "e" in the Attribute column to indicate that it might deserve special attention. Typical example: encrypted container files, which can be mounted by encryption programs like TrueCrypt, PGP Desktop, BestCrypt or DriveCrypt as drive letters. The entropy test is not applied to ZIP, RAR, TAR, GZ, BZ, 7Z, ARJ, CAB, JPG, PNG, GIF, TIF, MPG and SWF files, which are well known to be compressed internally and therefore almost indistinguishable from random or encrypted data. This test is not needed to detect that files are encrypted at the NTFS file system level or inside archives
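A file-level entropy test of the kind this section describes, as an added Python illustration (not X-Ways code). The 255-byte minimum and the list of skipped compressed formats come from the text; the 7.9 bits/byte threshold is an assumed value, since the page does not state the one X-Ways uses, and the sample files are constructed.

```python
import math
import random
from pathlib import PurePath

# Types skipped because they are internally compressed (list from the text above).
COMPRESSED_TYPES = {"zip", "rar", "tar", "gz", "bz", "7z", "arj", "cab",
                    "jpg", "png", "gif", "tif", "mpg", "swf"}
MIN_SIZE = 256          # only files larger than 255 bytes are tested
THRESHOLD = 7.9         # assumed threshold in bits per byte (not from the page)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_flag(name: str, data: bytes, threshold: float = THRESHOLD) -> str:
    """Return "e" if the file looks fully encrypted, otherwise "" (mirrors the
    attribute-column flag described above)."""
    ext = PurePath(name).suffix.lower().lstrip(".")
    if len(data) < MIN_SIZE or ext in COMPRESSED_TYPES:
        return ""
    return "e" if shannon_entropy(data) > threshold else ""


def classify(files: dict) -> dict:
    """Map file name -> flag for a {name: content} dictionary."""
    return {name: entropy_flag(name, data) for name, data in files.items()}


def sample_files() -> dict:
    """Constructed inputs: plain text, a pseudo-random blob standing in for an
    encrypted container, the same blob under a compressed-type extension, and a
    file too small to be tested."""
    rnd = random.Random(20240101)          # fixed seed for reproducibility
    blob = bytes(rnd.getrandbits(8) for _ in range(65536))
    return {
        "notes.txt": b"The quick brown fox jumps over the lazy dog. " * 200,
        "container.tc": blob,
        "photo.jpg": blob,
        "tiny.bin": blob[:100],
    }
```

Note that a high-entropy file under a compressed-type name is deliberately not flagged, which is why the text recommends true-file-type checks before relying on extensions.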
again later.

Delete Marker: Removes the marker from the screen.

Go To Marker: Moves the current position to the marker set by Mark Position.

Position Manager: See below.

5.7 View Menu

Text Display Only: Hides the hex column and uses the full width of the editor window for the text display.

Character Set: Allows you to choose from ANSI ASCII, IBM ASCII, any other code page and the Unicode character set for the text column. Keyboard input is supported only for ANSI and IBM ASCII. You may also use SHIFT+F7. ANSI ASCII is the default character set. Unicode characters (little endian) are always expected at even offsets.

Hex Display Only: Hides the text column and uses the full width of the editor window for the hexadecimal data display.

Record Presentation: When editing subsequent data records of the same size (for instance table entries of a database), you may now have WinHex display every other record with a different background color as a kind of visual aid. The color can be selected in the General Options dialog. Also, WinHex offers to display the current record number and the offset within that record (relative offset) in the status bar, based on the record size and the offset of the first record as specified. If any of the two record features is enabled, the Go To Offset command allows moving the current position in units of the current record size. If relative offsets are enabled, the Page Dn/Up keys move the cursor in units of the r
all files in the volume are to be searched (as opposed to tagged or selected files only), because the same file will already be searched under its current name in its current location. If .docx, .pptx, .xlsx, .odt, .odp, .ods, .pages, .key, .numbers files are decoded for the search, the contained XML files with the main contents (document.xml, content.xml, index.xml, and in case of .pages any existing Preview.pdf) are also omitted to avoid redundant search hits.

- In NTFS, all real hard links (i.e. hard links other than SFN) except for one can be optionally omitted from logical searches and indexing. Nowadays, on Windows installations often between 10,000 and 100,000 hard links of system files exist, for example 27 links to a file like Ph3xIB64MV.dll in directories such as \Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566, \Windows\System32\DriverStore\FileRepository\ph3xibc2.inf_amd64_neutral_7621f5, \Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_22703, \Windows\winsxs\amd64_ph3xibc9.inf_31bf3856ad364e35_6.1.7600.16385_none_a, \Windows\winsxs\amd64_ph3xibc5.inf_31bf3856ad364e35_6.1.7600.16385_none_9, \Windows\winsxs\amd64_ph3xibc12.inf_31bf3856ad364e35_6.1.7600.16385_none_6 etc. By searching only in one hard link of a file you can typically exclude several GB of duplicate data and yet don't miss anything if you search all other files. Those additional hard links that are omitte
all its files and subdirectories.

Open Files: This command is used to open several files that meet special requirements at a time. Select a folder in which to open files. Subfolders are browsed optionally. You may specify a series of file masks, like w*.exe; x*.dll. There is also a switch that permits opening only those files that contain a certain text or certain hex values. The standard search dialogs are displayed upon request for this purpose. If WinHex is not set up to work as a viewer or in-place editor (this can be done in the Tools menu), you may choose an edit mode.

Save Modified Files: All files which have been changed are written to the disk.

Save All Files: All files that have not been opened in view mode are written to the disk.

Exit: Use this command to end WinHex. You will be prompted to save any modifications to files and disks.

5.4 Edit Menu

Undo: Reverses the last modification, in case the corresponding undo option was activated.

Cut: Removes the current block from the file and puts it into the clipboard. The data following the block is pulled to the former block beginning.

Copy Block/All/Sector:
- Normally: Copies the current block (the entire file, the current sector) into the clipboard. The contents of the clipboard can be pasted or written later.
- Into New File: Copies the data directly into a new file (not via the clipboard). For instance, this command can be used to recover a lost file from disk sectors.
already in the volume snapshot, or if internal thumbnails have been computed for large pictures, then they can be optionally used as auxiliary thumbnails in the gallery to represent the main picture. The benefit is that they are of course much quicker to load than the main large picture. Also video stills exported from videos can be used as auxiliary thumbnails to represent the video, even all of them dynamically rotating if fully checked.
- You may specify your preferred thumbnail size in pixels. WinHex will decrease the size automatically if needed to ensure that at least as many files are displayed in the gallery view as are displayed in the currently visible section of the directory browser.
- With a forensic license you may monitor lengthy operations from other computers in the same network, i.e. see whether they are still ongoing or completed. You can enable progress notifications via text files that can be created in a directory on a network drive and via e-mail, in user-defined intervals. Multiple recipient e-mail addresses can be specified as well if delimited by commas.

3rd column:
- The ENTER key can be used to enter up to four two-digit hex values. A useful example is 0x0D0A, which is interpreted as an end-of-line marker in the Windows world (Unix: 0x0D). The Start Center could then still be opened using SHIFT+ENTER.
- Decide whether you want to use the TAB key to switch from text to hexadecimal mode and vice versa, or to enter the TAB
also try to open exotic devices supported by Windows, such as tapes and changers (not tested). Also, this is how you can open alternate data streams whose path and name you know, which cannot be opened through the ordinary File Open dialog, without opening the volume on which they reside. Opening a hard disk as a file can be useful, for example, if you wish to clone that disk and if source and destination disk have different sector sizes (whether it makes sense in the first place to clone a hard disk despite the sector mismatch depends on the data). When treated as a file, there is no defined sector size and hence no possibility for a sector size mismatch. Device files can also be interpreted as disks, like images can.

Save: Saves the currently displayed file to the disk. In in-place edit mode, using this command is not necessary. When using the disk editor, this command is named Save Sectors.

Save As: Saves the currently displayed file under a different name.

Create Disk Image / Make Backup Copy: cf. Images and Backups.

Create/Verify Skeleton Image: cf. Skeleton Images.

Restore Image: Select an image or backup file (.whx file) that you would like to restore. Image files will be first interpreted (which requires a specialist license) and then preset as the source in the dialog window Clone Disk. Raw images that are not split could also be restored without a specialist license, invoking the Clone Disk command directly.

Backup Ma
and later. It can be enabled in Options | Viewer Programs, optionally also for pictures that could be displayed by the internal graphics viewer library. More information online. The folder for temporary files used by the separate viewer component is controlled by WinHex/X-Ways Forensics, i.e. set to the one the user specifies in General Options. However, unlike X-Ways Forensics, the viewer component does not silently accept unsuitable paths on read-only media. Please note that the viewer component, since its version 8.2, creates files in the Windows profile of the currently logged-on user, in which it stores its configuration and settings. In earlier versions, if actually used (not when merely loaded), it left behind entries in the system registry.

A common misconception among users of X-Ways Forensics is that the viewer component is somehow responsible for the gallery. That is not the case. If the viewer component is able to display a certain graphics file, that does not mean that the gallery should also be able to display that graphics file. If you come across a situation where the viewer component can display a certain picture but the gallery cannot, please do not consider that an obvious error and do not contact us just because of that. The thumbnails in the gallery are produced with the aforementioned internal graphics viewing library, which supports the formats mentioned above and in the description of the gallery. If you are uncertain whether i
be easily viewed in any web browser, also imported and further processed, e.g. in MS Excel and MS Word. A third option (except for search hit lists) is an XML file. The list can alternatively be copied into the clipboard in the format as chosen, for example to paste it directly into an externally edited report. The columns to export are freely selectable. Even the search hit column can be exported, with the textual context around each and every actual hit, where the search term itself can be visually highlighted with a yellow background color (not recommended for output to MS Excel).

Report Table Association: For report tables see above.

Edit Comment: Requires a forensic license. Use this command to add a comment to an item in the directory browser, or to edit or remove an existing comment. After entering comments you can conveniently set the filter such that only commented items are shown, or only items with specific comments (e.g. those with a certain relevance).

Edit Metadata: Requires a forensic license. Allows to edit the metadata field of a file once metadata was extracted. Useful if you wish to include selected metadata (not all extracted metadata) in a report.

Refine Volume Snapshot and Simultaneous Search: In items that are selected in the directory browser.

Tag/Untag Item: Requires a forensic license. Tagging files means highlighting them visually (placing a blue square at the beginning of a directory browser item), for various reasons, e
bin, recycler (Vista recycle bin), Snapprop (Vista volume shadow copy properties), cookie, gthr/gthr2 (Gatherer and Gatherer fragments), pf (prefetch), attach timestamps from EDB, signing date from EXE/DLL/SYS, boot time from ETL event trace log files, OLE2 last modification/last saved in Office documents and RTF, Skype main.db (chats, calls, file transfers, account creation; you can read entire chats if sorted chronologically), internal creation from miscellaneous file types including Exif timestamps from photos (JPEG, GPS), Unix/Linux/Macintosh system logs. These events are practically of significance especially for USB device history examinations. More specialized events than just standard registry timestamps are output optionally when you create a registry report, depending on the report definitions used.

Timestamps from 0x30 attributes in NTFS file systems are output as events if actually different from their 0x10 counterparts and not identical to the 0x30 creation timestamp. They are marked as 0x30 in the Event Type column. Malware might give itself harmless-looking timestamps after deployment, so that it does not seem to be related to the time of intrusion/infection. The 0x30 attribute timestamps however remain unaltered (except if the file is renamed or moved later), and that is the reason why some examiners are interested in them. If the time frame of intrusion/infection is known, related files would be found in the e
by selecting the disk sectors that were allocated to the file as the current block and saving them using the menu command Edit | Copy Block | Into New File. But it may prove difficult to find the sectors where the file is still stored. There are two general ways to accomplish this:

1. In case you know a snippet of the file you are looking for (e.g. the characteristic signature in the header of a JPEG file, or the words "Dear Mr. Smith" in a MS Word document), search it on the disk using the common search commands Find Text or Find Hex Values. This is a very simple and safe way and can be recommended to anyone.

2. In case you only know the filename, you will need some knowledge about the file system on the disk (FAT16, FAT32, NTFS) to find traces of former directory entries of the file and thereby determine the number of the first cluster that was allocated to the file. Detailed information on file systems is available on the WinHex web site. The following applies to all FAT variants: If the directory that contained the file (let's call that directory D) still exists, you can find D on the disk using Tools | Disk Tools | List Directory Clusters. The factory template for FAT directory entries that comes with WinHex will then be helpful to find out the number of the first cluster that was allocated to the deleted file in that directory. Otherwise, if D has been deleted as well, you need to find the contents of D usi
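Decoding FAT directory entries to read a deleted file's first cluster number, the step the factory template assists with in the second method above, as an added Python illustration that is not part of the manual; the directory data is constructed, and make_entry is a hypothetical helper used only to build it.

```python
import struct

ENTRY_SIZE = 32
ATTR_LFN = 0x0F            # long-file-name fragment, not a real entry
ATTR_DIRECTORY = 0x10


def parse_fat_dir_entry(entry: bytes, fat32: bool = False):
    """Decode one 32-byte FAT directory entry (short 8.3 name format).

    Offsets: 0 name (8), 8 extension (3), 11 attributes, 20 first-cluster high
    word (used by FAT32 only), 26 first-cluster low word, 28 file size.
    Returns None for the end-of-directory marker or a long-file-name entry.
    """
    if len(entry) != ENTRY_SIZE:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    if entry[0] == 0x00:
        return None                        # no entries follow
    if entry[11] == ATTR_LFN:
        return None                        # LFN fragment, skip
    deleted = entry[0] == 0xE5
    name = bytearray(entry[0:8])
    if deleted:
        name[0] = ord("?")                 # first character is lost on deletion
    elif name[0] == 0x05:
        name[0] = 0xE5                     # escaped: real first byte is 0xE5
    base = name.decode("latin-1").rstrip()
    ext = entry[8:11].decode("latin-1").rstrip()
    hi = struct.unpack_from("<H", entry, 20)[0] if fat32 else 0
    lo = struct.unpack_from("<H", entry, 26)[0]
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "directory": bool(entry[11] & ATTR_DIRECTORY),
        "first_cluster": (hi << 16) | lo,
        "size": struct.unpack_from("<I", entry, 28)[0],
    }


def deleted_entries(directory_data: bytes, fat32: bool = False) -> list:
    """Walk a directory's raw clusters and list deleted files with their first cluster."""
    found = []
    for off in range(0, len(directory_data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        rec = parse_fat_dir_entry(directory_data[off:off + ENTRY_SIZE], fat32)
        if rec is None:
            if directory_data[off] == 0x00:
                break                      # end-of-directory marker reached
            continue
        if rec["deleted"] and not rec["directory"]:
            found.append(rec)
    return found


def make_entry(name11: bytes, attr: int, first_cluster: int, size: int) -> bytes:
    """Build a constructed 32-byte entry (all timestamps zeroed) for demonstration."""
    return struct.pack("<11sBBBHHHHHHHI", name11, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def sample_directory() -> bytes:
    """Constructed directory cluster: a live file, a deleted document, end marker."""
    live = make_entry(b"README  TXT", 0x20, 0x0005, 512)
    gone = make_entry(b"\xe5EPORT  DOC", 0x20, 0x00010123, 12345)
    return live + gone + bytes(ENTRY_SIZE)
```

The first cluster only gives the start of the file; whether the following clusters are still intact is what a recovery then has to check.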
bytes.

9.6 Disk Cloning

Tools | Disk Tools | Clone Disk: This function copies a defined number of sectors from a source to a destination. Both the source and the destination can be either a disk (click the button with the disk icon) or a file (click the button with the file icon). In case both the source and the destination are disks, both disks must have the same sector size. In order to effectively duplicate a medium (i.e. copy all sectors), simply copy all sectors. Select the appropriate option so the correct number of sectors is entered automatically. The destination disk must not be smaller than the source disk. As a disk you can also select an interpreted image or a partition opened from within a physical disk in the background. As a target you cannot select an interpreted .e01 evidence file, as such images cannot be rewritten (only raw images). As a file you can only specify unsegmented raw images (e.g. .dd, .001, .img, etc.), no other image types such as .e01, .vhd, .vmdk, etc.

Disk cloning offers options that control the behavior when bad sectors are encountered on the source disk.
- By default, you are notified of the error and prompted for either continuing or aborting the operation. "Log procedure silently" creates a complete log file of the entire operation in the folder for temporary files (filename: Cloning Log.txt), including a report on unreadable sectors (which cannot be copied), and prevents WinHex from reporting each unre
category filter works nonetheless. The category filter can be activated using a popup menu. In that popup menu you can also see statistics about how many files of each category are currently listed in the directory browser (or would be listed if the category filter was turned off).

The name of the evidence object that the file or directory is part of. Useful in a recursive case root listing, i.e. when the directory browser shows all files of all evidence objects. Forensic license only.

Path of the file or directory, starting with a backward slash, based on a volume's root. Filter available. The filter expressions are interpreted as substrings that can match any part of the path, so no wildcards are needed or supported.

Both columns come with filters. The filter for child objects allows you, for example, to quickly find all e-mails that have an attachment with a certain name. The filter for parent name, for example, allows you to quickly find all attachments that were attached to e-mails with a subject that contains certain words. Note that filters for the columns Name, Parent name and Child objects share the same settings and are mutually exclusive (cannot be active at the same time; one will deactivate the other). Forensic license only.

Logical size of the file, i.e. size without slack, or physical size of a directory. Physical file size and valid data length for files stored in an NTFS file system can be seen in the Info Pane in File mode inst
column, to get files listed first that are likely more relevant because they contain more of the search terms that you were looking for. This column is populated only for evidence objects of a case. Forensic license only.

Lists up to 25 of the search terms found in a file (those that are counted in the preceding column). Useful to get an idea of the search hits in a file even in the normal directory browser, without the need to switch to a search hit list. Forensic license only. Filter available, which is not limited to the 25 search terms displayed in this column.

The page count is extracted from PDF and some Office file types as part of metadata extraction and shown in this column. Forensic license only.

The roughly rounded dimensions of a picture in thousand pixels (KP) or million pixels (MP, megapixels), as the result of width times height, for efficiency reasons stored as a very low precision value. The dimensions are computed simultaneously with skin color percentages, plus when viewing pictures (full screen mode, preview mode, or in the gallery). Allows to easily distinguish between e.g. small browser cache garbage graphics and high quality digital photos with the associated filter. Once at least 1 still has been exported from a video file, the approximate resolution of the video can also be seen in this column. Forensic license only.

Skin color percentage: Available after refining the volume snapshot. Indicates the degree pictures are
composed of skin tones. Sorting or filtering by this column is the most efficient way to discover traces of e.g. child pornography or to search for scanned documents (gray scale or black and white pictures). Forensic license only.

The file's hash value, if computed. Filter available with a specialist and forensic license. Allows to filter for files that have a hash value, do not have a hash value, whose hash values start with certain hex values (if you specify only the beginning of a hash value), or have a certain value (if you specify a complete hash value). This filter can compare the hash values of files to up to 4 hash values that the user supplies as hex ASCII. Quicker alternative to creating a small hash set in the hash database if you just wish to quickly find a few files, e.g. duplicates of files with a known hash value that you can just copy from the hash column in the directory browser. The easiest way to use this filter when looking for duplicates of a file, which does not require copy & paste of hash values, is to right-click a hash value of a given file in the directory browser (in hex ASCII notation, not Base32) and invoke the new "Filter by" command in the context menu. The Hash column now displays pseudo-hash values in light gray color until real hash values have been computed. Pseudo-hash values are based on the file metadata, not on the file contents. They are availabl
contain a single .emf file only, can be viewed directly with the viewer component. Also extracted this way are .lnk shortcut files from customdestinations-ms jump lists. In general, X-Ways Forensics tries to carve files of those types that in the File Header Signatures Search.txt file are marked with the "e" flag. That means you can have X-Ways Forensics uncover many more file types in other files than it does by default, if you like. It carves flagged file types in those host files specified by the file masks in an edit box, for which no special internal algorithm exists. Special internal algorithms exist that properly extract (by following the data structures in the respective file format, even if fragmented): .lnk shortcut files from automaticdestinations-ms jump lists; files of any type from .doc/.ppt OLE2 compound files; Firefox browser caches (based on CACHE_MAP files); Chrome browser caches (based on index files); Safari browser caches; Norton Backup files (N360 backup, .nb20) and Windows Vista/7 Windows.edb databases (from the latter even e-mail messages); pictures that are embedded as Base64 in .vcf files (electronic business cards); thumbnails from thumbs.db files; from PDF documents any kinds of files that are marked as embedded, plus JPEG and JPEG 2000, plus Acrobat form files in XML format, plus JavaScript objects (the latter may make it easier to determine whether a PDF file should be considered malware); individual cookie files from Firefox and C
count of the file or directory, i.e. how often it is referenced by a directory. Forensic license only. A hard link that just provides a short filename (SFN) to satisfy the legacy 8.3 requirements of old Microsoft DOS/Windows versions is not counted as a hard link. Instead, such files get their hard link count specially marked in the Links column of the directory browser. That way the hard link count more accurately reflects the hard links actually present in the volume snapshot of X-Ways Forensics, and normal files always have a count of 1, whereas 2 or more means something more special. If the hard link count is grayed out, that designates files that will be optionally omitted during a logical search to avoid unnecessary duplicate search efforts and duplicate search hits.

The total number of files contained in a directory or in a file with child objects in the volume snapshot, recursively, i.e. inclusive of further subdirectories. This number can also be found in the Name column in parentheses, depending on the settings. Computed only with a forensic license.

The number of search terms (not search hits) that have been found in a file. This takes into account all search terms ever used in simultaneous searches in a case, not only the search terms that may have been selected in the search term list, unless you have deleted search hits. You can sort by this
48. created. Up to 48 different variables are allowed. Another way to create a variable is the Assign command.

ReadLn MyVariable: Reads from the current position into a variable named MyVariable until the next line break is encountered. If the variable already exists, its size will be adjusted accordingly.
Close: Closes the active window without saving.
CloseAll: Closes all windows without saving.
Save: Saves changes to the file or disk in the active window.
SaveAs "C:\New Name.txt": Saves the file in the active window under the specified path. Specify "?" as the parameter to let the user select the destination.
SaveAll: Saves changes in all windows.
Terminate: Aborts script execution.
Exit: Terminates script execution and ends WinHex.
ExitIfNoFilesOpen: Aborts script execution if no files are already opened in WinHex.
Block 100 200 / Block MyVariable1 MyVariable2: Defines the block in the active window to run from offset 100 to offset 200 (decimal). Alternatively, existing variables (each up to 8 bytes large) can be interpreted as numeric values.
Block1 0x100: Defines the block beginning to be at the hexadecimal offset 0x100. A variable is allowed as the parameter as well.
Block2 0x200: Defines the block end to be at the hexadecimal offset 0x200. A variable is allowed as the parameter as well.
Copy: Copies the currently defined block into the clipboard. If no block is defined, it works as known from the Copy command
49. directory indicated by the TEMP variable in your Windows system. Instead of an absolute path you may also specify a dot (.) as a placeholder for the directory from where WinHex/X-Ways Forensics is executed, or .. for the parent directory of that directory, or a partial path relative to either the . or .. directory, e.g. .\temp or ..\temp. This concept applies also to the next four folders:
- Specify the folder in which to create and expect images and backup files (.whx).
- Specify the folder in which cases and projects are created and expected.
- Specify the folder in which templates and scripts are stored.
- Specify the folder in which to maintain the internal hash database.
In all of these standard paths you may use system and user environment variables, where the variable name has to be enclosed in percentage signs, e.g. %TEMP%.
- X-Ways Investigator CTR / X-Ways Imager GUI: Available when operated with a forensic license. Allows to activate the considerably reduced user interface of X-Ways Investigator CTR, which is meant for investigators who are specialized in a certain area (e.g. of white-collar crime), who do not need profound knowledge of computer forensics, who do not need the technical insights that WinHex and XWF are well known to offer, who receive e.g. convenient-to-handle X-Ways evidence file containers from well-versed computer forensics examiners with only selected files from various sources (e.g. all documents that contain the ke
50. file system for these directories, if there are any (e.g. INDX buffers in NTFS, subdirectory clusters in FAT etc., nothing in HFS), otherwise only the contents of the files in these directories. If "Create log file" is at least half checked, a log file will be created that references all copied sector ranges. X-Ways Forensics makes an effort to prevent acquiring duplicate sectors, e.g. when copying the exact same sector range a second time or when copying overlapping sector ranges, so that can explain why you may not get more lines in the log file when copying the same sectors again. If the checkbox is fully checked, a log log file (a log file about the log file) will be created, with a hash of the log file. All copied sector ranges can be optionally hashed, and the hash values can be written to the log file and can be verified after closing the skeleton image.

Benefits of skeleton images:
- Partial image, saves drive space.
- Quick to create, especially when acquiring remote hard disks through a slow network connection using F-Response.
- Transports/reveals only specifically targeted data, excludes unrelated data, as may be required by law, common sense, time pressure or the customer.
- Ideally suitable for technical data structures (partition tables, file systems), and for files in a file system as well.
- Ability to acquire all essential file system data without knowing anything about the file system and in which sectors its data structures are stored.
- Result w
51. files. MAPI processing requires a fully functioning Extended MAPI system as it comes with MS Outlook (32-bit version) or Microsoft's free MAPI client (http://www.microsoft.com/download/en/details.aspx?id=1004), which should be sufficient for MSG and non-Unicode PST. Only Outlook 2003 and newer are capable of processing the Unicode variant of PST e-mail archives. Non-Unicode PST files can be processed with earlier versions of MS Outlook. Outlook 97 and older are not recommended and may not work correctly. If X-Ways Forensics always fails to extract PST e-mail archives through MAPI, go to the Windows Control Panel, check for an e-mail profile named like pstloadtmp000 and delete it. It may happen that in artificially generated PST archives, subject lines with Bates numbers in some e-mail messages do not retain these numbers when extracted.

The extraction method without MAPI is generally faster, has a good chance to work on PST archives where MAPI fails, has a chance to find traces of deleted e-mail, provides more data from Calendar, Contact, Notes, Tasks and Journal entries, fully supports non-English Unicode characters, supports overlong paths, and can process password-protected PST archives without the password. Even if you use MAPI for PST files, this alternative extraction method is used additionally to find and extract deleted contents. The same alternative extraction method is always used for OST files. The alternative extraction method supports the follow
52. files or earlier names/locations of existing files from the file system. Useful especially in conjunction with the function to initialize all free space. Available in WinHex only, not in X-Ways Forensics.

Scan For Lost Partitions: Formerly existing hard disk partitions that were not automatically found when opening a physical hard disk (or an image of a physical hard disk) may be found and properly identified with this command. This command searches for the signature of master boot records/partition table sectors and FAT and NTFS boot sectors (via the 0x55 0xAA signature), plus for Ext2/Ext3/Ext4 superblocks, optionally only from the first sector that follows the last (location-wise) partition that was already found, and lists newly found partitions in the directory browser. Works with sector size 512 bytes only.

Interpret as Partition Start: When you find the start sector of a volume (e.g. a lost partition) on a physical disk, this menu command allows you to make such a partition easily accessible via the Access button menu. If no known file system is detected starting at the currently displayed sector, you will be asked for the number of sectors that you wish to include in the newly defined partition.

Set Disk Parameters: Using this command on a physical disk, you may override the total number of sectors or, optionally (can be left blank), the number of cylinders, heads and sectors per track as recognized by WinHex. This can be useful to access surplus sect
53. files that consist of separate segments of any size. For WinHex to detect a spanned image file, the first segment may have an arbitrary name and a non-numeric extension or the extension .001. The second segment must have the same base name but the extension .002, the third segment .003, and so forth. The Create Disk Image command can image disks and produce canonically named file segments. Image segmentation is useful because the maximum file size supported in FAT32 file systems or on media such as DVD is considerably limited. Four-digit extensions of raw image file segments are also supported for interpretation. In some rare cases WinHex may be unable to correctly determine the nature of the image (i.e. whether it is an image of a physical disk or of a volume) and consequently interprets the data in the image in a wrong way. If so, hold the Shift key when invoking this command. That way WinHex will ask you and not decide on its own. In the case of raw images, that will also make WinHex prompt you for the correct sector size and for an additional storage location of further image file segments, in case you had to spread them across two different drives. Should there be any problems with detecting the file system in a volume, you may hold the Shift key when opening the volume to indicate the file system type you suppose is in the volume. Mode 1 and Mode 2 Form 1 ISO CD images with 2,352 bytes per sector are also supported if they are not spann
54. for .eml files to see the complete e-mail header, and generally when in search hit list mode, the viewer component cannot highlight a search hit in Preview mode, because then it might be contained in metadata or control code that would be represented in raw Preview mode but not in normal Preview mode.

Sync: Synchronizes the directory browser and the directory tree, in that when in a recursive view you select a file in the directory browser, its parent directory will be highlighted. Also, when clicking the Sync button (unless the volume snapshot was created without cluster allocation information, see Security Options), the file that occupies the currently displayed sector in Volume/Partition mode will be automatically selected.

Exploration Mode: Button with a curly turquoise arrow. Toggles between normal and recursive exploration of a directory. When exploring recursively, you do not only see the contents of the current directory, but also the contents of all its subdirectories and their subdirectories and so forth. To explore a directory recursively, you may also right-click it in the directory tree.

Multi-monitor support: It is possible to detach the lower half of a data window (with Disk/Partition/Volume mode, File mode, Preview, Gallery etc.) from the data window by clicking the three dots that are located left of the mode buttons. After that you can freely move and resize it on the screen. On multi-monitor systems this allows you to have that par
55. from the extension in the original filename, or if the filename does not have any extension, can optionally be appended to the output filename. This option also has an effect when copying files to view them with the associated program.

When working with an active case and if special logging for this command is enabled, the copy/recovery process is documented in the file copylog.html or copylog.txt. All available metadata and the output filename (optionally including the target path) can be recorded. The file can be created either in the _log subdirectory of the case or in the Recover/Copy target folder. Cf. also Case Properties.

Slack space can optionally be included in the output, either as part of the file or separately, or solely the slack can be copied. You can choose whether to also copy child objects of selected files (any kind of child objects if fully checked, or only e-mail attachments if half checked). You can also choose whether to copy files that are filtered out. If you have X-Ways Forensics recreate the original path for copied files, the hierarchical location of files that are child objects of other files must be reflected appropriately, too. And that must happen with the help of a directory, because ordinary file systems do not support the concept that a file can contain further files, as is normal with volume snapshots in X-Ways Forensics. However, there would be a name conflict if an artificial directory was created w
56. how the whole words option works, please read on. The alphabet's purpose is to define word boundaries. A word boundary is a boundary between 2 consecutive characters of which one character is a word character and the other character is not a word character. If both characters are word characters (e.g. "ns"), then obviously the "s" does not start a new whole word and the "n" cannot be the end of a whole word. It can be somewhere in the middle of a whole word (e.g. "mansion"), but in between these two characters "ns" there is definitely no word boundary. If both characters are non-word characters (e.g. an exclamation mark followed by a space), then obviously the position between the two is also not a word boundary. The exclamation mark cannot be the end of a word (it cannot occur anywhere within a word), and the space cannot be the start of a word (it cannot occur anywhere within a word either, excluding compound words). If you are searching for "man" as a whole word within "our mansion", then XWF will provisionally/internally find "man" and then first check whether the character before the "m" is a word character. That character is a space. A space character is not a word character. Then it also checks whether "m" is a word character according to the alphabet. It is. That means there is a word boundary before the "m". Next, XWF needs to check whether "n" and "s" are word characters. Both are. That means that after the "n" there is no word boundary. Hence the t
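The boundary test described above, as an added example that is not X-Ways code: a small whole-word matcher driven by an explicit alphabet of word characters. The alphabet (letters and digits) and the search buffers are constructed for the demonstration; XWF reads its own alphabet definition.

```python
"""Whole-word matching with an explicit word-character alphabet.

Added example, not X-Ways Forensics code. A word boundary lies between two
consecutive characters exactly when one is a word character and the other
is not; the start and end of the buffer count as non-word characters.
"""

# Constructed alphabet (assumption for illustration): letters and digits only.
WORD_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def is_word_char(ch: str) -> bool:
    return ch in WORD_CHARS


def is_boundary(text: str, pos: int) -> bool:
    """True if a word boundary lies between text[pos-1] and text[pos]."""
    before = is_word_char(text[pos - 1]) if pos > 0 else False
    after = is_word_char(text[pos]) if pos < len(text) else False
    return before != after


def find_whole_words(text: str, term: str) -> list[int]:
    """Offsets of every occurrence of `term` that is a whole word.

    A side of the term whose outermost character is itself a non-word
    character (e.g. the "+" in "C++") cannot form a boundary, so that side
    is accepted as-is; only word-character sides require a boundary.
    """
    hits = []
    start = text.find(term)
    while start != -1:
        end = start + len(term)
        left_ok = (not is_word_char(term[0])) or is_boundary(text, start)
        right_ok = (not is_word_char(term[-1])) or is_boundary(text, end)
        if left_ok and right_ok:
            hits.append(start)
        start = text.find(term, start + 1)
    return hits


if __name__ == "__main__":
    # "man" inside "mansion" is rejected, "man" before a comma is accepted.
    print(find_whole_words("our mansion", "man"))            # []
    print(find_whole_words("our man, his mansion", "man"))   # [4]
```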
57. improves the effectiveness of searches and indexing.
f) Extracts tables from various other SQLite databases in TSV format and uses the first one as a preview of the SQLite database file itself.
g) Extracts the original revision of PDF documents that were edited, if available, as a child object.
h) Provides timestamps from the file system as events to analyze in an event list.
i) Provides internal timestamps in files as events.

4.3.4 Archive Exploration

A forensic license allows to include the contents of ZIP, RAR, ARJ, GZ, TAR, 7Zip and BZIP archives in the volume snapshot, so that files in such archives can be separately listed, examined, searched etc. in their decompressed state, as long as the archives are not encrypted. Theoretically there is no limit to the number of nested levels that can be processed, i.e. archives within archives within archives. If the files are encrypted in the archive, they are marked with "e" in the Attribute column, and the archive itself is marked as well. This allows to easily focus on such files using the Attribute filter. Document files of MS Office 2007/2010, LibreOffice/OpenOffice and iWork are technically Zip archives too, and if so, will be processed in the same way by default. You can exclude those files if you or the recipients of evidence file containers that you prepare only wish to see the documents as a whole (no embedded pictures or XML files separately) and don't need to extract m
58. in case the disk size has been artificially reduced. At any rate, the real total number of sectors according to ATA, if it can be determined, is listed in the details report. Some important S.M.A.R.T. status information is also displayed for hard disks connected via SATA that support S.M.A.R.T. Useful to check for one's own hard disk as well as that of suspects. For example, you can learn how often and how long the hard disk was used and whether it has had any bad sectors, in the sense that unreliable sectors were replaced internally with spare sectors. If a hard disk is returned to a suspect and he or she consequently complains about bad sectors and accuses you of having damaged the disk, a details report created when the hard disk was initially captured can now show whether it was already in a bad shape at that time. Also, seeing that spare sectors are in use means knowing that there is additional data to gain from the hard disk with the appropriate technical means.

Interpret Image File As Disk: Treats a currently open and active disk image file as either a logical drive or a physical disk. This is useful if you wish to closely examine the file system structure of a disk image, extract files etc. without copying it back to a disk. If interpreted as a physical disk, WinHex can access and open the partitions contained in the image individually, as known from real physical hard disks. WinHex is even able to interpret spanned raw image files, that is image
59. in local time. The time zone definitions can be adjusted if necessary. Please note that changing these definitions in any dialog window affects the definition of time zones throughout the program. The standard Windows conversion technique (which depends on the time zone selected in the user's system's Control Panel) is still employed
- in File Properties, where the timestamps of files on the user's own system can be accessed/changed,
- for the case logging feature,
- generally when operated without a specialist or forensic license, and
- when operated without the file timezone.dat.
You can tell that either of the latter two is true if the Display time zone button in the General Options dialog is grayed out or not visible.

3.20 Evidence File Containers

Only available with a forensic license. The Specialist menu allows to create a new file container, open an existing one, and close the active file container. The directory browser context menu allows to fill it with selected files. When you need to pass on a collection of selected files (even from different evidence objects) that are of particular relevance to a case to other persons involved in that case (e.g. specialized investigators who do not need to or must not see irrelevant files), evidence file containers may come in handy. Most file system level metadata (name, path, size, attributes, file mode, timestamps, deletion status, classification as alternate data stream or vi
60. in the Edit menu.
Cut: Cuts the currently defined block from the file and puts it into the clipboard.
Remove: Removes the currently defined block from the file.
CopyIntoNewFile "D:\New File.dat" / CopyIntoNewFile "D:\File" + MyVariable + ".dat": Copies the currently defined block into the specified new file without using the clipboard. If no block is defined, it works as known from the Copy command in the Edit menu. Can copy disk sectors as well as files. The new file will not be automatically opened in another edit window. Allows an unlimited number of concatenations in the parameter. A variable name will be interpreted as an integer if not larger than 2^24 (16 Mio.). Useful for loops and file recovery.
Paste: Pastes the current clipboard contents at the current position in a file without changing the current position.
WriteClipboard: Writes the current clipboard contents at the current position in a file or within disk sectors without changing the current position, by overwriting the data at the current position.
Convert Param1 Param2: Converts the data in the active file from one format into another one. Valid parameters are ANSI, IBM, Binary, HexASCII, IntelHex, MotorolaS, Base64, UUCode, LowerCase, UpperCase and hiberfil, in combinations as known from the Convert menu command.
AESEncrypt "My Password": Encrypts the active file or disk (or the selected block thereof) with the specified key (up to 32 characters long) with AES
61. is determined dynamically at run time.

3. Body

Advanced Commands

When enclosed in braces, several variable declarations comprise a block that can be used repeatedly as a whole. Note, however, that blocks must not be nested in the current implementation. The ~ character can be used in a variable's name as a placeholder for later replacement with the actual repetition count. The optional numbering statement defines where to begin counting (0 by default).

{
numbering 1
byte "Len"
string Len "String No. ~"
}[10]

In this example, the actual variable names in the template will be String No. 1, String No. 2, ..., String No. 10. Instead of a constant number of repetitions (10 in this example), you may also specify unlimited. In that case WinHex will repeat the block until the end of file is encountered. ExitLoop can be used to break out of a loop at any time. Exit terminates execution of the template completely.

IfEqual is useful for the comparison of two expressions. Operands can be either both numerical values (be it constant values in decimal notation, integer variables or formulas) or byte sequences given as text or hex values, which are compared byte by byte. ASCII string expressions must be enclosed in quotation marks, hex sequences must be preceded by a 0x identifier. Formulas need to be enclosed in brackets.

{
byte "Value"
IfEqual Value 1
ExitLoop
EndIf
}[10]

A
62. is unknown, the status is "not confirmed". If the signature matches a certain file type in the database, however the extension matches a different file type or there is no extension at all, the status is "newly identified". Filter available. Additionally, this column may contain a hint about the consistency of the format of files of various supported types, as either "OK" or "corrupt" (for carved files perhaps immediately, for other files perhaps after file type verification or metadata extraction have taken place). For an explanation of file type ranks and groups, please see the description of File Type Categories.txt.

Further columns: Type description, Category, Evidence object, Path, Parent name, Child objects, Size, Created, Modified, Accessed, Record.

Type description: Displays the name of the application that a file type belongs to, what the filename extension stands for etc., as specified in File Type Categories.txt. If the same extension occurs multiple times in the definition file, all its meanings are listed. For example, .pm could be a Perl module, a PageMaker document, a Pegasus file or an X11 Pixmap file (forensic license only).

Category: File type category corresponding to the file type, according to the definition in File Type Categories.txt (see below). Filter available. If the same file type (extension) is defined multiple times, belonging to different categories, only one category for this file type will be displayed. The
63. it that way. Usually it is preferable to open a logical drive instead of a physical disk, because more features are provided in this case. For example, clusters are defined by the file system, the allocation of clusters to files (and vice versa) is known to WinHex, and free space and slack space have a meaning. If you need to edit sectors outside a logical drive (e.g. the master boot record), if you wish to search something on several partitions of a hard disk at the same time, or if a partition is damaged or formatted with a file system unknown to Windows (so Windows is unable to make it accessible as a drive letter), you would open the physical disk instead. From the window that represents a physical medium you can usually also open individual partitions by double-clicking them in the directory browser of that window. WinHex understands conventional MBR partitioning, GPT (GUID partition type), Apple partitioning, superfloppy format, Windows dynamic disks as organized by the LDM (Logical Disk Manager; MBR and GPT style), LVM2 (MBR and GPT style) and PC-compatible BSD disklabel. All dynamic volume types are supported: simple, spanned, striped and RAID 5. Holding the Ctrl key when opening hard disks disables detection and special handling of dynamic volumes and ensures the hard disk is treated like it has been partitioned in the conventional way. Some of the aforementioned partitioning types are supported with specialist and forensic
64. licenses only. Please note the following limitations:
- Administrator rights are needed to access sectors on any kind of media. Under Windows Vista/7/8 you need to run the program as administrator specifically; just being logged on as administrator is not sufficient.
- Remote network drives cannot be accessed sector-wise.
- X-Ways Forensics cannot edit disk sectors or sectors in interpreted images at all, only WinHex can.
- WinHex cannot write to CD-ROM or DVD.
- Under Windows Vista/7/8, WinHex cannot write sectors on the partition with the active Windows installation and on the partition where WinHex is running from.
Appendix C of this manual provides you with specifications of the master boot record, which can be edited using the disk editor.

Save Sectors: To be used analogously to the Save command for files. Part of the File menu. Writes all modifications to the disk. Please note that, depending on your changes, this may severely damage the integrity of the disk data. If the corresponding undo option is enabled, a backup of the concerned sectors is created before they are overwritten. This command is only available in the full version.

6.9 RAM Editor/Analysis

The RAM editor allows to examine the physical RAM (main memory) and the logical memory of a process, i.e. a program that is being executed. All memory pages committed by a process are presented in a continuous block. Unused, free or reserved pages are ignored by default, but
65. loaded kernel modules. In Details mode you can find the addresses of process-related data structures for each process and the ID of its parent process. In RAM mode the Info Pane shows for each memory page the process to which it is allocated (if any) and its memory management status. With the appropriate background knowledge, this functionality can be used to learn more about the current state of the machine and its processes, sockets, open files, loaded drivers and attached media, to identify malware, to find the decrypted version of encrypted data, to analyze network traces in incident response, and to do further research in the field of memory forensics.

6.10 Template Editing

A template is a dialog box that provides means for editing custom data structures in a more comfortable and error-preventing way than raw hex editing does. Editing is done in separate edit boxes. Changes take effect when pressing the ENTER key or when quitting the template (after being prompted). The data may originate from a file, from disk sectors or from virtual memory. Especially when editing databases you may prefer to define a custom template for ease of access to the records. You will find the command to print a template in the system menu. A template definition is stored in a text file with the extension .tpl. The template editor enables you to write template definitions and offers syntax checking. A template definition mainly contains variable declarations t
66. may vary because of slack space.
- Searching in files (usually in the cluster chains allocated to files) will find search hits even if the search term happens to be physically split in a fragmented file (occurs at the end and the beginning of discontiguous clusters).
- A logical search can be successful even in files that are compressed at the NTFS file system level, as they are decompressed for searching. This holds true even for files that were found via a file header signature search, if that was specially adapted for NTFS compression.
- If the contents of archives (files in ZIP, RAR, GZ, TAR, BZ2, 7Z and ARJ, if not encrypted; forensic license only) and individual e-mail messages and attachments have been included in the volume snapshot, they can be searched as well.
- The text that is contained in files whose format is supported by the viewer component (e.g. PDF (Adobe), WPD (Corel WordPerfect), VSD (Visio), SWF (Shockwave Flash)) can automatically be extracted/decoded/decompressed prior to the search, resulting in unformatted ASCII or UTF-16 plaintext, which can be reliably searched in addition to the original data itself. Search hits might otherwise be missed, because various file types typically or at least sometimes store text in an encoded, encrypted, compressed, fragmented or otherwise garbled way. Important: In particular for HTML, XML and RTF documents, as well as HTML-formatted e-mail messages in .eml files, which may employ various meth
67. messages from all e-mail archives and even processed original .eml files, it is recommended to explore recursively and use the Attribute filter, not the Type or Category filter. The timestamp in the Date line in an e-mail message's header (if accompanied by a time zone indicator like -0700 or +0200) is listed as the creation date & time. The timestamp in the Delivery-Date line, or alternatively (if not available) the first Received line, is listed as the last modification date & time. For extracted e-mails and their attachments, sender and recipient will be displayed in the corresponding columns in the directory browser. You may filter by dates as well as by sender and recipient. Attachments and embedded files are extracted too, if found in the e-mail archive (exception: e.g. AOL PFC), and usually become child objects of their respective containing e-mail messages in the volume snapshot. All extracted e-mails and attachments actually reside in the evidence object's metadata subdirectory and may utilize a lot of drive space.

You can indicate a preference, in particular about how PST and MSG e-mail archives are processed. PST and MSG e-mail archives can be processed either through the MAPI interface (old method) or not (new method). If the preferred method fails, the other method is attempted automatically. If the preferred method is MAPI, the non-MAPI method is still used to find traces of e-mail messages in unallocated space within the PST
68. name. An .rtd file starts with a 4-byte signature (0x52 0x54 0xDE 0xF0), then the 4-byte checksum (see above), followed by the 64-bit file IDs (integer numbers) that indicate the files that should be associated with that report table.

4 Volume Snapshots and their Refinement

4.1 Introduction

A volume snapshot is a database of the contents of a volume or physical medium (files, directories) at a given point of time. The directory tree and the directory browser present views into this database. Based on the underlying file system's data structures, it consists of one record per file or directory and remembers practically all metadata (name, path, size, timestamps, attributes), but not the contents of files or the data of directories. A volume snapshot usually references both existing and previously existing (e.g. deleted) files, and also virtual (artificially defined) files if they are useful for a computer forensic examination, e.g. so that even unused parts of a disk or volume are covered. Operations such as logical searches, indexing and all commands in the directory browser context menu are applied to the files and directories as they are referenced in the volume snapshot. Because of compressed files, and because deleted files and the virtual Free space file may be associated with the same clusters of a volume multiple times, the sum of all files and directories in a volume snapshot can easily exceed the total physical size of a volume
69. of a certain report table, i.e. files in the same directory. That is useful especially when exploring recursively and sorting by path, to check whether there are any further notable files in the neighborhood. E.g. you could create report tables like "related to company X", "evidence against suspect A", "incriminating pictures", "unjustified expenses", "forward to investigator B", "print later", "get translated", "show to witness C" etc., and later, when you are done viewing files, you can get the big picture of all relevant files by using the report table filter, e.g. "Show me all files related to company X that are also considered evidence against suspect B". You are practically assigning files to certain custom categories defined by yourself. It also allows you to revisit files later that are still to be closely examined. Having files in a dedicated report table also allows to conveniently copy/recover them in a single step at a later point of time, or to get a gallery overview of these files specifically. The same file can be associated with multiple report tables. This can be done in the dialog window that appears when invoking the Report Table Association command in the directory browser context menu, for one file or several selected files at a time. This dialog window does not show the existing associations of the selected file or files (that would be quite complicated to achieve anyway for multiple selected files); instead, simply look at the R
70. of the preceding character or set.
*: Matches any number of occurrences of the preceding character, including zero times.
+: A plus sign after a character matches any number of occurrences of it, except zero.
[XYZ]: Characters in brackets match any one character that appears in the brackets.
[^XYZ]: A circumflex at the start of the string in brackets means NOT. For 8-bit searches only.
[A-Z]: A dash within the brackets signifies a range of characters.
\: Indicates that the following special GREP character is to be treated literally.
{X,Y}: Repeats the preceding character or group of characters X to Y times.
(ab): Functions like a parenthesis in a mathematical expression. Groups "ab" together for * and +.
a|b: The pipe acts as a logical OR. So it would read "a or b".
\b: Matches a word boundary.
\a: Matches the start of a file.
End-of-file anchor: Matches the logical or physical end of a file, depending on the search options.

GREP examples:
E-mail addresses: [a-zA-Z0-9_.+-]{1,20}@[a-zA-Z0-9.-]{2,20}\.[a-zA-Z]{2,7} (the + before the @ is supported in Gmail addresses)
Internet addresses starting with http, https or ftp: (http|https|ftp)://[a-zA-Z][a-zA-Z0-9./?=&_%-]*
Visa and Mastercard credit card numbers: [^a-z][45][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4} (ideally check results via an X-Tension with the Luhn algorithm to reduce the number of false hits, or search without [^a-z])

Search window, proximity searches: The GREP search win
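The Luhn post-check suggested for the credit card pattern, as an added example that is not an X-Tension or X-Ways code: raw regular-expression hits are re-checked so that random 16-digit strings drop out of the hit list. The pattern is the reconstructed Visa/Mastercard expression above without the leading [^a-z]; the sample buffer and test numbers are constructed.

```python
"""Reducing false GREP hits for card numbers with the Luhn check.

Added example, not X-Ways Forensics code. CARD_RE is an assumption that
mirrors the manual's pattern: leading digit 4 (Visa) or 5 (Mastercard),
then four-digit groups optionally separated by a space or dash.
"""
import re

CARD_RE = re.compile(r"[45][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check on a string of decimal digits.

    Walking from the right, every second digit is doubled and folded back
    below 10; the number is valid when the sum is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_hits(buffer: str) -> list[tuple[int, str, bool]]:
    """Every GREP-style hit with its offset and its Luhn verdict."""
    out = []
    for m in CARD_RE.finditer(buffer):
        digits = re.sub(r"[ -]", "", m.group())  # strip separators first
        out.append((m.start(), m.group(), luhn_ok(digits)))
    return out


def plausible_cards(buffer: str) -> list[str]:
    """The reduced hit list: only hits that survive the Luhn check."""
    return [text for _, text, ok in card_hits(buffer) if ok]


# Constructed sample buffer: two well-known test numbers that pass Luhn and
# one 16-digit string that the pattern alone would still report.
SAMPLE = ("order ref 4111 1111 1111 1111 paid; "
          "tracking 4111111111111112; "
          "serial 5555-5555-5555-4444 end")

if __name__ == "__main__":
    for offset, text, ok in card_hits(SAMPLE):
        print(f"offset {offset:3d}  {text:22s}  luhn={'ok' if ok else 'FAIL'}")
```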
71. … one per line. Line break is 0x0D 0x0A. 3.19 Time Zone Concept. The following applies to WinHex and X-Ways Forensics when operated with a specialist or forensic license. X-Ways Forensics employs its own (not Windows') logic for converting UTC to local filetimes. It displays timestamps independently of the time zone selected in the examiner's system's Control Panel. The display of timestamps in X-Ways Forensics may differ from Windows, because in Windows a timestamp in daylight saving time is not displayed based on daylight saving time if daylight saving time is not active when looking at that timestamp. When working with a case, the time zone selected for that case applies globally to the entire program (selectable in the Case Properties), otherwise the one selected in the General Options dialog. When working with a case, it is optionally possible to specify different time zones per evidence object, so that you can always see local filetimes even for media that were used in different time zones, if preferable. Note that the timestamps are converted for display only. That means that in a recursive view in the case root that covers multiple media, sorting is based on absolute UTC timestamps. Optionally, the actually used conversion bias can be displayed as well (see directory browser options). Timestamps on FAT volumes are never converted, as they are not available in UTC, but based on one or several unknown local time zones. Export lists are output
72. … original data. When using the second method, it does not make a difference whether you choose a signed or an unsigned format. 9.3 Conversions. WinHex provides the Convert command of the Edit menu for easy conversions of different data formats and for encryption and decryption. The conversion can optionally be applied to all opened files instead of only the currently displayed one. The formats marked with an asterisk can only be converted as a whole file, not as a block. The following formats are supported: ANSI ASCII, IBM ASCII (two different ASCII character sets); EBCDIC (an IBM mainframe character set); lowercase/uppercase characters (ANSI ASCII); Binary (raw data); Hex ASCII (hexadecimal representation of raw data as ASCII text); Intel Hex (Extended Intellec hex ASCII data in a special format, incl. checksums etc.); Motorola S (Extended Exorcisor, ditto); Base64; UUCode; Percentage/URL Encode; Quoted Printable. Please note: When converting Intel Hex or Motorola S data, the internal checksums of these formats are not checked. Depending on the file size, the smallest possible output subformat is chosen automatically (Intel Hex: 20-bit or 32-bit; Motorola S: S1, S2 or S3). When converting from binary to Intel Hex or Motorola S, only memory regions not filled with hexadecimal FFs are translated, to keep the resulting file compact. The Convert command can also decompress any number of complete 16-cluster compression units (compre
73. … purposes. Purchasing one license authorizes you to install and use the full version of the software on a single machine at a time (usage by one person at a time). Additional licenses authorize you to install and use the full version on additional machines at the same time or to have it used by multiple persons at the same time. Exceptions: • For computers in the same location, licenses for the products X-Ways Forensics and X-Ways Investigator do not impose an upper limit on the number of computers with installations of the software, only on the number of concurrent uses on different computers. • If X-Ways Capture is used externally on site, only as many licenses are needed as there is personnel that potentially utilizes X-Ways Capture at the same time (utilizes on an arbitrary number of computers concurrently). For each license for X-Ways Forensics we will provide you with 1 USB dongle, which is required for the execution of the software. We do not replace lost, misplaced or stolen dongles. (Applies to products for which an evaluation version exists.) The software and all accompanying files, data and materials are distributed "as is" and with no warranties of any kind, whether express or implied, to the maximum extent permitted by applicable law. The user must assume the entire risk of using the program, knowing in particular that this software is not designed or intended for use in hazardous environments requiring fail-safe performance w
74. … selected, to avoid unnecessary duplicated I/O with the same sector scope. Matches are returned as a special kind of search hits. Multiple matches for contiguous blocks are more meaningful than isolated individual matches, as they are even less likely the result of some coincidence, and they are usually combined in a single hit. The size of all such hits is shown when listing search hits. The larger the size, the higher the evidentiary value of the match. Please note that X-Ways Forensics does not verify itself that contiguous matching blocks are in the same order as in the original file(s), but that can be verified manually, and for data that is as unique as compressed data that is most likely the case. Most suitable for selected notable files larger than a few sectors, files that are ideally compressed or at least not only sparsely populated with non-zero data and do not contain otherwise trivial combinations of byte values that occur frequently. Good examples are zip-styled Office documents, pictures and video files. Very trivial blocks within a file that consist of mostly just 1 byte value are ignored and not hashed (the same already when creating the hash set). For quicker matching, ideally work with a small hash database and do not select a hash type stronger than MD5. Hash sets of block hashes can be created or imported in the same way as ordinary hash sets, i.e. for selected files using the directory browser context menu, but they are handled by a
75. separate hash database for block hashes, as opposed to file hashes. That separate database is internally stored in a subdirectory of the main hash database directory. You can create hash sets consisting of the block hashes of 1 file at a time or combined hash sets of multiple selected files. The block size is currently always 512 bytes and might be user-definable in a future version. 4.3 Refinement at the File Level. The following operations are applied after the aforementioned operations to files that are already contained in the volume snapshot, and they are all applied together and file-wise, i.e. first all operations to one file, then all operations to the next file, and so on, to process files in the order of ascending internal IDs. Some of these operations may produce additional files, which will get the next higher available internal ID. Previously existing files whose first cluster is known to have been overwritten or whose first cluster is unknown are not processed, except if you specifically target them via tagging. Files that are considered irrelevant based on hash matching can be automatically omitted from all further operations, to save time and to avoid potentially even more irrelevant files that might otherwise be extracted from them. There is also an option to omit files that are filtered out. Both options are particularly powerful in that they can target even files in advance that are not yet part of the volume snapshot when the refinement s
76. … so that via the internal parent ID you can tell which file resided in which directory, even if the path is ambiguous. An internal identifier of a file or directory that is unique within the entire case, not just within the volume snapshot of one evidence object. When creating a new case, you have a choice between easily readable unique IDs that contain a delimiter separating evidence object ID and int. ID, or a completely numeric ID, which may be better usable for some external programs when exporting a list of files (forensic license only). The ID of the owner of the file or directory on file systems that record that information. On NTFS it's the SID, or, if X-Ways Forensics can resolve it to a username with the help of the SAM registry files already encountered while working with the case, the username (forensic license only). Filter available. Shows the names of the authors of documents of various types (MS Office, OpenOffice, LibreOffice, RTF, PDF) after metadata extraction (forensic license only). These columns are populated for e-mail messages and attachments extracted by X-Ways Forensics from e-mail archives, plus for original .eml files if metadata has been extracted from them. They come with filters that allow you to enter any part of an e-mail address or name to search for certain e-mail messages. The filter expression is interpreted as a substring, so no wildcards are needed or supported (forensic license only). The hard link
77. … the command in the Specialist menu. This also makes them suitable for usage as evidence objects in your cases. This holds true for evidence files in particular, because they can store an optional description and an integrated hash for later automated verification. Raw images have the benefit that they can be easily exchanged between even more forensic tools. All output file formats support splitting into segments of a user-defined size. A segment size of 650 or 700 MB, e.g., is suitable for archiving on CD-R. Evidence files must be split at 2047 MB at most to make them compatible with X-Ways Forensics versions before v14.9 and EnCase versions before v6 and other tools. With a forensic license, raw image files and evidence files can automatically be verified immediately after creation by recomputing the hash value that was originally computed from the medium, with the image instead. Evidence file and WinHex backup compression is based on the Deflate compression algorithm that is part of the popular general-purpose library zlib. This algorithm consists of LZ77 compression and Huffman coding. With the normal compression level you can reach a compression ratio of 40-50% on average data. However, this comes at the cost of a considerably reduced imaging speed. Fast adaptive compression is a very good and intelligent compromise between speed and good compression (not like the ordinary fast compression option in other programs). With high comp
78. … the image to convert/decrypt/translate files outside of X-Ways Forensics and then want to bring the results back into the volume snapshot and see the edited files next to their original counterparts in the corresponding subdirectories. This can help, for example, if you wish to OCR and convert PDF documents that X-Ways Forensics has deemed non-searchable using Adobe Acrobat. Rename: Ability to rename virtual directories and virtual attached files in a volume snapshot. Specify type: Ability to specify the type of selected files yourself. Useful if you wish to identify types or subtypes in an individual way unknown to X-Ways Forensics, for example to be able to filter by these types later. For instance, how about categorizing TIFF pictures that are digitally stored faxes as type "fax"? Remember you can define your own file types in File Type Categories.txt. Wipe securely: Files and directories that are selected in the directory browser can be securely wiped in WinHex (not X-Ways Forensics). The data in the logical portion of a file (i.e. excluding the file slack) and the main data structures of a directory (e.g. INDX buffers in NTFS and directory entries in FAT) will be erased, overwritten with a hex value pattern of your choice. The existence status of the file in its file system will not be changed. No file system level metadata such as timestamps or attributes will be updated, because no operating system file-level write commands are used. No f
79. … to create an ordinary, forensically sound, sector-wise image compatible with other tools. A must in countries whose legislation specially protects the most private personal data of individuals and certain data acquired from custodians of professional secrets (e.g. lawyers and physicians, whose profession swears them to secrecy/confidentiality). Limitation: Not available for disks partitioned as Windows dynamic disks or with Linux LVM. Only files in supported file systems can be omitted. Note that you can also retroactively cleanse/redact already created conventional raw images in WinHex by securely wiping selected files via the directory browser context menu. The granularity of this operation is not limited to entire clusters. For example, that means it can also wipe files in NTFS file systems with so-called resident (inline) storage, and it does not erase file slack along with them. For a comparison of evidence file containers, skeleton images and cleansed images, please see our web site. All of those are images that only transport a subset of the original data. Another kind of cleansed image is an image in which all the clusters marked by the file system as free are zeroed out (specialist or forensic license only). That is very useful if you create the image for backup purposes and not for forensic purposes, or if for forensic purposes you do not require data in free space or are not supposed to acquire it, to only examine existing files. In conjunct
80. … to the active case. It will then be permanently associated with this case (unless you remove it from the case later), displayed in the tree-like case structure and designated as an evidence object or source of evidence. A subfolder is created in the case folder for each evidence object, where by default files will be saved that you copy/recover from that evidence object, so it will always be obvious from which object exactly and from which case recovered files originate. If you wish to add more than 1 file from the same directory to the case, please add the whole directory, and just exclude or remove those files that are irrelevant. In the evidence object properties window you may enter a title or number for that evidence object according to your own conventions. You may change the order of evidence objects in the case tree using the small arrow buttons in the upper left corner, except for dependent evidence objects (partitions that belong to a physical disk). The date and time it was associated with the active case is recorded and displayed. The internal designation of the evidence object is displayed as well as its original size in bytes. You may enter comments of arbitrary length that apply to the evidence object, and a technical description of it is added by WinHex automatically, as known from the Media Details Report command in the Specialist menu. You may have WinHex calculate a hash (checksum or digest) on the evidence object and verify it later
81. … type. If the header signature of a file was not specifically checked (see Refine Volume Snapshot), this is merely a repetition of the filename extension and displayed in gray. Otherwise, if the file signature verification revealed the true nature of the file, a typical extension of that type will be output. That extension will be displayed in black if it is still the same as the actual extension of the file, or in blue if the actual extension does not match the type of the file. A convenient filter can be activated based on this column. In the filter dialog you can select individual file types or entire categories. You can load and save your selection. There are buttons that allow you to expand or collapse all categories at once. Expanding all categories can be useful if you would like to quickly find a certain file type by typing its letters while the tree view window has the input focus. Forensic license only. The status of the Type column. Initially "not verified". After verifying file types based on signatures as part of refining the volume snapshot, or when viewing files in preview or gallery mode: If a file is very small (less than 8 bytes), the status is "irrelevant". If neither the extension nor the signature is known to the file type signature database, the status is "not in list". If the signature matches the extension according to the database, the status is "confirmed". If the extension is referenced in the database, yet the signature
82. … will be applied to all open files and disks. CopyFile C:\A.dat D:\B.dat: Copies the contents of C:\A.dat into the file D:\B.dat. MoveFile C:\A.dat D:\B.dat: Moves the file C:\A.dat to D:\B.dat. DeleteFile C:\A.dat: Surprisingly, deletes C:\A.dat. InitFreeSpace, InitSlackSpace: Clears free space or slack on the current logical drive, respectively, using the currently set initialization settings. InitSlackSpace switches the drive temporarily to in-place mode, thus saving all pending changes. InitMFTRecords: Clears unused MFT FILE records on the current logical drive if it is formatted with NTFS, using the currently set initialization settings. Simply does nothing on other file systems. The changes are written immediately to the disk. Assign MyVariable 12345 / Assign MyVariable 0x0D0A / Assign MyVariable "I like WinHex" / Assign MyVariable MyOtherVariable: Stores the specified integer number, binary data, ASCII text or other variable's contents in a variable named MyVariable. If this variable does not yet exist, it will be created. Other ways to create variables: e.g. Read, GetUserInput, IntToStr. Up to 48 different variables are allowed to exist simultaneously. Release MyVariable: Specifically disposes of an existing variable. Mandatory to invoke only when more than 48 variables with different names are to be used during the execution of a script, so that earlier variables that are not needed any more can be destroyed. SetVarSize MyVar
83. [Screenshot of the X-Ways Forensics main window: case tree with evidence objects, directory browser listing files with name, type, size, timestamps and internal ID, the mode buttons (Volume, File, Preview, Details, Gallery, Calendar, Legend, Sync), and the hex editor with its offset, hex and text columns.]
84. … up to 510 characters for output path + optional original path + original filename. You can still limit paths to the ordinary length of 260 characters if you would not be able to access (e.g. view, copy or delete) such files otherwise, because ordinary tools like the Windows Explorer do not allow that. Files that could not be copied (e.g. if the path is too long) are added to a report table. The original timestamps (creation, modification, last access) are re-applied to the recovered/copied files. When copying files or alternate data streams or other objects that do not have any or all timestamps set, X-Ways Forensics approximates the fact that a timestamp is not available by setting the corresponding timestamps of the output files to 0 (Jan 1, 1601 in NTFS). This behavior can be avoided by holding the Shift key when clicking OK in the dialog box, for example if you wish to use some other programs with these files that for some reason do not want to open files with such timestamps (it has been reported for VLC). Duplicate filenames will be changed to unique filenames by inserting incrementing numbers before the extension. So if you copy all files to the same directory, even those from different evidence objects, all output filenames will be unique, and the copylog file allows you to later find out which file was originally named how and originated from where, and which metadata it had. The presumed correct file type of newly identified files, if different
85. (Table of contents, continued)
... 70
4.4 More Information about Volume Snapshot Refinement ... 71
5 ... 72
5.1 Directory Browser Context Menu ... 72
5.2 Data Window Context Menu ... 80
5.3 File Menu ... 81
5.4 Edit Menu ... 82
5.5 Search Menu ... 84
5.6 Navigation Menu ... 85
5.7 View Menu ... 86
5.8 Tools Menu ... 87
5.9 File Tools ... 89
5.10 Specialist Menu ... 90
5.11 Options Menu ... 93
5.12 Window Menu ... 94
5.13 Help Menu ... 94
5.14 Windows Context Menu ... 95
6 Some Basic Concepts ... 96
6.1 Start Center ... 96
6.2 Entering ... 96
6.3 ... 96
6.4 Status Bar ... 98
6.5 ... 98
6.6 X-Tensions API ... 99
6.7 WinHex API ... 99
6.8 Disk Editor ... 100
6.9 RAM Editor ... 101
6.10 Template Editing ... 102
7 ... 103
7.1 File Recovery with the Directory Browser ...
86. Backward Delayed Parity (HP/Compaq)
Component 1: 1 3 5 7 9 11 13 15
Component 2: 2 4 6 8 P P P P
Component 3: P P P P 10 12 14 16

Level 5 Forward Parity (aka Right Asynchronous)
Component 1: P 3 5
Component 2: 1 P 6
Component 3: 2 4 P

Level 5 Forward Dynamic Parity (aka Right Synchronous)
Component 1: P 6 8 10
Component 2: 1 P 9 11
Component 3: 2 4 P 12
Component 4: 3 5 7 P

Level 5 Forward Delayed Parity

Level 5 Forward Dynamic Delayed Parity (CRU Dataport)

Level 5EE Backward Parity (Adaptec)
Component 1: 1 3 S P
Component 2: 2 S P 7
Component 3: S P 5 8
Component 4: P 4 6 S
(S = spare)

Level 5EE Forward Parity
Component 1: 1 P S 7
Component 2: 2 3 P S
Component 3: S 4 5 P
Component 4: P S 6 8

Level 6 Backward Parity (Adaptec, JetStor)
Component 1: 1 3 P Q
Component 2: 2 P Q 7
Component 3: P Q 5 8
Component 4: Q 4 6 P

Level 6 Backward Dynamic Parity
Component 1: 1 4 P Q
Component 2: 2 P Q 7
Component 3: P Q 5 8
Component 4: Q 3 6 P

Level 6 Forward Delayed Parity

Level 6 Forward Parity

The parity start component can be defined differently if necessary for many RAID variants. To stick with the selected standard pattern, leave that value at 0. In order to define a non-standard parity start component, specify the number of the component where the parity is located first (1-based). The delay with which the parity moves on HP/Compaq controllers is most often 4 or 16, but is freely con
87. D prior to the reconstruction, you would specify the number of actually used sectors plus header size for each component via Tools | Disk Tools | Set Disk Parameters as the "Sector count". You can usually tell that either the component order, the stripe size, the stripe pattern or the RAID header size was selected incorrectly when no partitions are detected, or partitions with unknown file systems or with file systems that cannot be interpreted properly. When you add a reconstructed RAID system to a case (and optionally partitions opened from such a RAID system), the selected RAID configuration parameters are saved with the evidence object, which allows you to access the RAID system instantly in later sessions (forensic licenses only). In RAID level 5 and 6, data is not only striped across all component disks in a rotating pattern, but also interspersed with parity blocks for redundancy. RAID level 5 and 6 are implemented in different ways by different RAID controller manufacturers in that they employ different stripe/parity patterns. The supported patterns are the following:

Level 5 Backward Parity (aka Left Asynchronous; Adaptec)
Component 1: 1 3 P
Component 2: 2 P 5
Component 3: P 4 6

Level 5 Backward Dynamic Parity (aka Left Synchronous; AMI and Linux standard)
Component 1: 1 5 9 P
Component 2: 2 6 P 10
Component 3: 3 P 7 11
Component 4: P 4 8 12

Level 5
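The rotation rules behind the stripe/parity patterns listed in this RAID section (backward/forward rotation, asynchronous versus dynamic data placement, delayed parity, the spare blocks of RAID 5EE and the P and Q blocks of RAID 6), as an added example that is not part of the manual: raid_layout builds a pattern table from four parameters and reproduces the manual's tables, and locate answers which component and stripe hold a given data block. The parameter names, the "start" convention (0-based component of the first special block) and the pattern presets are assumptions made for this example.

```python
def raid_layout(n_components, n_stripes, specials, start, direction, synchronous, delay=1):
    """Return layout[component][stripe]: a 1-based data block number or a label ('P', 'Q', 'S').

    specials:    labels of the non-data blocks in the order they occupy adjacent components
                 (['P'] for RAID 5, ['P', 'Q'] for RAID 6, ['S', 'P'] for RAID 5EE)
    start:       0-based component that holds specials[0] in the first stripe
    direction:   -1 = backward ("left") rotation, +1 = forward ("right") rotation
    synchronous: True = data continues right after the last special block and wraps around
                 (the "dynamic" patterns); False = data fills the remaining components in
                 ascending order (the asynchronous patterns)
    delay:       number of stripes the special blocks stay on the same components before
                 moving on (delayed parity, e.g. 4 or 16 on HP/Compaq controllers)
    """
    layout = [[None] * n_stripes for _ in range(n_components)]
    next_block = 1
    for stripe in range(n_stripes):
        first = (start + direction * (stripe // delay)) % n_components
        special_pos = {(first + k) % n_components: label for k, label in enumerate(specials)}
        for comp, label in special_pos.items():
            layout[comp][stripe] = label
        if synchronous:
            origin = (first + len(specials)) % n_components
            order = [(origin + k) % n_components for k in range(n_components)]
        else:
            order = range(n_components)
        for comp in order:
            if comp not in special_pos:
                layout[comp][stripe] = next_block
                next_block += 1
    return layout


def locate(layout, block):
    """Find (component, stripe), both 1-based, of a logical data block; KeyError if absent."""
    for comp, column in enumerate(layout):
        for stripe, cell in enumerate(column):
            if cell == block:
                return comp + 1, stripe + 1
    raise KeyError(block)


def describe(layout) -> str:
    """Render a layout the way the manual prints its pattern tables."""
    return "\n".join(f"Component {c + 1}: " + " ".join(str(x) for x in column)
                     for c, column in enumerate(layout))


# Presets named after the manual's patterns; each takes (number of components, number of stripes).
PATTERNS = {
    "Level 5 Backward Parity": lambda n, s: raid_layout(n, s, ["P"], n - 1, -1, False),
    "Level 5 Backward Dynamic Parity": lambda n, s: raid_layout(n, s, ["P"], n - 1, -1, True),
    "Level 5 Backward Delayed Parity": lambda n, s: raid_layout(n, s, ["P"], n - 1, -1, False, delay=4),
    "Level 5 Forward Parity": lambda n, s: raid_layout(n, s, ["P"], 0, +1, False),
    "Level 5 Forward Dynamic Parity": lambda n, s: raid_layout(n, s, ["P"], 0, +1, True),
    "Level 5EE Backward Parity": lambda n, s: raid_layout(n, s, ["S", "P"], n - 2, -1, False),
    "Level 5EE Forward Parity": lambda n, s: raid_layout(n, s, ["S", "P"], n - 2, +1, False),
    "Level 6 Backward Parity": lambda n, s: raid_layout(n, s, ["P", "Q"], n - 2, -1, False),
    "Level 6 Backward Dynamic Parity": lambda n, s: raid_layout(n, s, ["P", "Q"], n - 2, -1, True),
}

if __name__ == "__main__":
    print("Level 5 Backward Delayed Parity, 3 components, delay 4:")
    print(describe(PATTERNS["Level 5 Backward Delayed Parity"](3, 8)))
    print("block 7 of Left Synchronous (4 components) sits at component/stripe",
          locate(PATTERNS["Level 5 Backward Dynamic Parity"](4, 4), 7))
```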
88. … Deutsche Pfandbriefbank AG, Analytik Jena AG and many other companies and scientific institutes. User interface translation: Chinese by Sprite Guo, Japanese by Ichiro Sugiyama and Takao Horiuchi, French by Jérôme Broutin (revised by Bernard Leprêtre), Spanish by José María Tagarro Martí, Italian by Fabrizio Degni (updated by Michele Larese de Prata, further completed and updated by Andrea Ghirardini), Brazilian Portuguese by Heyder Lino Ferreira, Polish by ProCertiv Sp. z o.o. (LLC). 1.2 Legalities. Copyright 1995-2014 Stefan Fleischmann, X-Ways Software Technology AG. No part of this publication may be reproduced or stored in a database or retrieval system without the prior permission of the author. Any brand names and trademarks mentioned in the program or in this manual are properties of their respective holders and are generally protected by laws. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. However, the author neither offers any warranties or representations, nor does he accept any liability with respect to the program or the manual. License Agreement: Your use, distribution or installation of a software product developed and published by X-Ways Software Technology AG indicates your acceptance of this license agreement. If you do not agree to any of the terms, then do not install, distribute or use the product. A trial version may be only used for evaluation
89. … FORTRAN programs since the 80's. Sporadically defined as the number of minutes since January 1, 1970. The Data Interpreter options let you switch between both sub-types. • Macintosh HFS Date & Time (4 bytes): A 32-bit integer value that determines the number of seconds since January 1, 1904 GMT (HFS+: local time). The maximum representable date is February 6, 2040 at 06:28:15 GMT. The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by 4. • Java Date & Time (8 bytes): A 64-bit integer value that specifies the number of milliseconds since January 1, 1970. Usually stored in big-endian, which is the typical byte order in Java, but in little-endian in BlackBerry memory. 2.6 ANSI ASCII/IBM ASCII. ANSI ASCII is the character set used in non-Unicode Windows applications. It is standardized by the American National Standards Institute. MS-DOS uses the IBM ASCII character set, also called the OEM character set. These character sets differ in the second half, containing characters with ASCII values greater than 127. It is reasonable to select IBM ASCII in the View menu only when viewing or editing files originating from a DOS program. Use the Convert command of the Edit menu to convert text files from one character set into the other. The first 32 ASCII values do not define printable characters, but control codes. Hex, Control Code, Hex, Control Code: 00 NUL
90. … ID, by filtering out files that may have already been searched before. For evidence objects that contain a huge number of files, the modulo option allows you to focus on a subset of files that is more or less representative of all files (though less random than files listed first when sorting by hash value). Applying the modulo operation to the internal ID will pick files from any directory, with any name, creation date etc. To see only 1,000 out of 100,000 files, i.e. every 100th file, use the operation "internal ID modulo 100 = 0". Also useful for testing purposes: If you wish to compare the performance of different hard disks, RAID systems, processors or configurations for volume snapshot refinements, you don't have to process all files in an evidence object. You can get quicker yet likely representative results, for example in 1/10 of the time, if you only process every 10th file, pseudo-randomly selected by internal ID. Even for normal work, examiners may not be required by their bosses/their prosecutor to conduct a 100% complete examination, for example if after review of a reasonably sized and representative subset you can extrapolate that about 10% of several 10,000 photos is illegal material. The unique internal identifier of the parent directory of a file or directory in the volume snapshot. Useful e.g. when exporting files and directories and there are multiple directories with the same name in the same path (e.g. one existing, one deleted)
91. … Internet Explorer 10's WebCacheV*.dat files, $UsnJrnl:$J, Windows Event Logs (.evt and .evtx). HTML previews and views of index.dat Internet Explorer browser cache/history files contain a column with the offset of the record within the file where the data of each row has been found. This offset is presented as a link. If you click it, you will automatically navigate to that offset in the corresponding index.dat file in File mode, so that it is convenient to verify the information that X-Ways Forensics has extracted from the record at that location. Note that this works correctly only if the link is not broken into 2 lines, which may happen in v8.4 of the viewer component, but not in v8.3.7. Anyway, you can still navigate to that offset manually. The HTML child objects that will be generated can not only be used internally by X-Ways Forensics for previews of the parent file. You can also view all of these tables in an external program such as your preferred browser or in MS Excel, by sending these child objects to the program of your choice (directory browser context menu). You may have X-Ways Forensics split HTML tables after an arbitrary number of rows. You can set this number much higher if you do view the HTML previews externally with your preferred Internet browser and not with the viewer component, which cannot deal with very large tables. The existence of HTML child objects with searchable text for browser data, event logs and more data sources also
92. [Remainder of the main window screenshot: hex view, Info pane and status bar.] Here are some instructions to help you get started and find some important features: Create a case, add an evidence object such as your own C: drive or hard disk 0 or an image file. In the directory tree, you may use a right-click to list the contents of a directory in the directory browser, including all its subdirectories. For example, if you right-click the root directory of a volume, you will get a listing of all files in the entire volume. At the same time, you can use a dynamic filter to focus on files with certain filenames, of a certain file type or size, or with certain timestamps etc., via Options | Directory Browser. The powerful logical search functionality can be found in Search | Simultaneous Search. The indexing feature can be found in the Search menu, too. More interesting functions in X-Ways Forensics can be found in the context menu of the directory browser (e.g. the ability to copy files off an image) and in the Specialist menu, in particular Refine Volume Snapshot. The latter allows you to further process files automatically, e.g. explore zip archives, extract e-mail messages and attachments, check pictures for the amount of skin tones, check documents for encryption etc. There are a thousand different p
93. … MS Office documents, you will often see many more timestamps, e.g. Last Printed, subject, author, organization, keywords, total edit time and much more. Gallery: Checks the file signature of all the files in the currently visible portion of the directory browser. If found to be a picture, a thumbnail is displayed, otherwise a brief summary (filename, size, signature). By scrolling in the directory browser, the gallery view scrolls as well. You may switch the directory even while the thumbnails are still loading. By double-clicking a thumbnail, you get a full-size view of a picture, where you may zoom in and out using the + and - keys. Even incomplete pictures (e.g. a file incompletely recovered because of fragmentation) can usually be displayed partially. Supported picture file types: JPEG, PNG, GIF, TIFF, BMP, PSD, HDR, PSP, SGI, PCX, CUT, PNM, PBM, PGM, PPM, ICO. The gallery does not go together very well with search hit lists. Calendar: Gives a convenient visual overview of the timestamps of all listed files/directories from all 6 timestamp columns of the directory browser in the form of a calendar, or, when in event list mode, a similar overview of all listed event timestamps. Each day with at least one timestamp is marked in the calendar with a gray color. The more activity on a day, the darker the color. Weekends (Saturdays and Sundays) are specially marked with x. Hover the mouse over a day to find out how many timestamps exactly fall into that day
SlowInfoCache, IconStreams (tray notifications), UserAssist, Timestamps (FILETIME, Epoch, Epoch8), MountedDevices, OpenSavePidlMRU and LastVisitedPidlMRU. The edit window also displays the access rights (permissions) of the registry keys if Default is selected.

LogFile Viewer

Basic Concepts: Each statement falls into one of three categories:
1. Log Operation: The on-disk data at LCN/byte offset is to be replaced (in case of a Redo/Undo Operation) with the one specified within the log operation.
2. The PAGE statement indicates the start of a new log page (multiple of 4 KB). The LSN specifies the last end LSN for this page. A special marker identifies a stale page.
3. The CheckPoint statement specifies a LSN to restart with.
Each statement is preceded by a byte offset pointing into the LogFile.

Abbreviations: LSN = Logical Sequence Number, LCN = Logical Cluster Number, VCN = Virtual Cluster Number, FID = File ID.

Limitations: Only log operations are shown which affect on-disk structures. FILE records and INDX buffers are not completely dumped. For complete data, follow the byte offset displayed for the operation of interest. An NTFS journal is only processed if the path of such a file contains the string LogFile.

3.9 Registry Report

From within the registry viewer, WinHex can create an HTML report listing values of possibly relevant registry keys when you invoke the command Create Registry Report in the right-click pop-up menu. The registry ke
Stores the decimal ASCII text representation of the integer number specified as the second parameter in a variable specified as the first parameter.

StrToInt MyInt MyStr
Stores the binary representation of the integer number specified as a decimal ASCII string in the second parameter in a variable specified as the first parameter.

StrCat MyString MyString2
StrCat MyString txt
Appends one string to another. The second parameter may be a variable or a constant string. The first parameter must be a variable. The result will be saved in the variable specified by the first parameter and must not be longer than 255 characters.

GetClusterAlloc MyStr
May be applied to a logical volume. Retrieves a textual description of the current position's allocation (e.g. which file is stored in the current cluster) and saves that description in the specified variable.

GetClusterAllocEx IntVar
May be applied to a logical volume. Retrieves an integer value that indicates whether the cluster at the current position is allocated (1) or not (0) and saves that value in the specified variable.

GetClusterSize IntVar
May be applied to a logical volume. Retrieves the cluster size and saves that value in the specified integer variable.

InterpretImageAsDisk
Treats a raw image or evidence file like the original physical disk or partition. Requires a specialist or forensic license.

CalcHash HashType MyVariable
CalcHashEx HashType MyVariable
Calculates a
X-Ways Software Technology AG

X-Ways Forensics / WinHex
Integrated Computer Forensics Environment, Data Recovery & IT Security Tool, Hexadecimal Editor for Files, Disks & RAM

Manual

Copyright 1995-2014 Stefan Fleischmann, X-Ways Software Technology AG. All rights reserved.

Contents

1 (title illegible) ... 1
1.1 About WinHex and X-Ways Forensics ... 1
1.2 (title illegible) ... 2
1.3 License (remainder of title illegible) ... 3
1.4 Differences between WinHex and X-Ways Forensics ... 4
1.5 Getting Started with X-Ways Forensics ... 5
2 (title illegible) ... 7
2.1 Using a Hex Editor ... 7
2.2 (title illegible) ... 8
2.3 Integer Data Types ... 8
2.4 Floating Point Data Types ... 8
2.5 Date Types ... 9
2.6 (title illegible) ... 10
2.7 Checksums ... 11
2.8 Digests ... 11
2.9 Attribute Legend ... 12
2.10 Technical Hints ... 12
3 Forensic Features ... 13
3.1 Case Management ... 13
3.2 Mul
Interpreter and press ENTER. The Data Interpreter will then enter the corresponding hex values into the edit window at the current cursor position.

Right-click the Data Interpreter to bring up a context menu. This will let you switch between big-endian and little-endian translation of integer and floating-point data. You may also choose between decimal, octal or hexadecimal integer representation. This, plus the digit grouping, can also be selected in the Data Interpreter Options dialog.

Hints:
• Some hex values cannot be translated into floating-point numbers. For these hex values the Data Interpreter displays NAN (not a number).
• Some hex values cannot be translated into valid dates. The value ranges of different date types are more or less narrow.
• There are redundancies in the Intel instruction set, which show up in the Data Interpreter as duplication of both hex opcodes and mnemonics. Floating-point instructions are generally displayed as F.
• More detailed reference can be found in the Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference, available in PDF format on the Internet.

9.14 Useful Hints

• Menu commands that affect individual selected items in the directory browser or in a search hit or bookmark list can be found in the context menu that opens when you right-click such items. You won't find such commands in the main menu.
• Use the mouse buttons as follows to define the b
a simplified control panel for beginning your work. It allows you to quickly open files, disks, memory (modules) and folders as well as up to 255 recently edited documents (16 by default; left-hand list). These may be files, folders, logical drives or physical disks. When opened again, WinHex restores the last cursor position, the scrolling position and the block (if defined) of each document, unless the corresponding option is disabled.

From the Start Center you are also able to access projects and cases (right-hand top list). A project consists of one or more documents to edit (files or disks). It remembers the editing positions, the window sizes and positions and some display options. By saving a window arrangement as a project, you can continue to work in several documents right where you left them with a single click only. This is especially useful for recurring tasks. When you load a project, all currently opened windows are automatically closed first. Besides, WinHex automatically saves the window arrangement from the end of a WinHex session as a project and can re-create it next time at startup. Each project is stored in a .prj file. It can be deleted or renamed right within the Start Center (context menu or DELETE/F2 key).

Last but not least, the Start Center is the place where to manage scripts. You may check, edit, create, rename and delete scripts using the context menu. To execute a script, double-click it, or single-click it and click the OK but
a template definition header, which are all considered. The keyword big-endian causes all multi-byte integer and boolean variables in the template definition to be read and written in big-endian order (high-order byte first). The keyword hexadecimal causes all integer variables in the template definition to be displayed in hexadecimal notation. The keyword read-only ensures that the template can only be used to examine, but not to manipulate data structures. The edit controls within the template will be grayed out.

If the keyword multiple is specified in the header, WinHex allows browsing to neighboring data records while displaying the template. This requires that WinHex has knowledge of the record's size. If it is not specified as a parameter to the multiple statement, WinHex assumes the overall size of a template structure (record) to be the current position at the end of the template interpretation less the base editing position. If this is a variable size (i.e. array sizes or move parameters are determined dynamically by the value of variables), WinHex cannot browse to precedent data records.

2. Body: Variable Declarations

The body of a template definition mainly consists of variable declarations, similar to those in programming languages. A declaration has the basic form

type title

where type can be one of the following:
• int8, uint8, byte, int16, uint16, int24, uint24, int32, uint32, uint48, int64
• uint flex
adable sector separately.
• WinHex can either leave a destination sector that corresponds to a damaged source sector unchanged or fill it with an ASCII pattern you specify (e.g. your initials or something like BAD). Leave the pattern edit box blank to fill such sectors with zero bytes. BTW, the chosen pattern is also used to display a bad sector's contents in the disk editor.
• Bad sectors often occur in contiguous groups, and each attempt to read a bad sector usually takes a long time. You may have WinHex avoid such damaged disk areas: when a bad sector is encountered, WinHex can skip a number of subsequent sectors you specify (32 by default). This is useful if you wish to accelerate the cloning process and if you do not care about some actually readable sectors not making it to the clone.

Regular disk cloning is not an option if you want to duplicate a disk in a removable drive (e.g. a floppy disk) with only one removable drive present. The correct concept for this application is disk imaging, where the data is first stored in an image file. The image can then be copied to a different disk. The result is the same as disk cloning.

When you specify a file named \dev\null as the destination, the data will only be read and not copied anywhere, and you will be warned of this. This is useful if you are interested in the report about bad sectors but do not wish to actually clone or image a disk.

You may try simultaneous I/O i
and it is up to the user to fill the hash database with hash sets and hash values, either by creating hash sets in X-Ways Forensics yourself or by importing hash sets from other sources. Each hash value in the hash database belongs to one or more hash sets. Each hash set belongs to either the category irrelevant (known good, harmless) or notable (known bad, malicious, relevant). In the hash database you can quickly merge hash sets. Note that duplicate hash values in the resulting hash set are not removed immediately, but next time when you add a hash set, and note that you are not warned if you are merging hash sets of different categories.

Hash values of files can be computed and matched against the hash database when refining the volume snapshot. The directory browser's optional columns Hash Set and Category will then reveal for each file to which hash sets and category it belongs, if any, which allows you to sort/filter by these aspects and ignore irrelevant files easily or focus on files you are looking for. If the hash value of a file is contained in multiple selected hash sets, the program will report all matching hash sets and indicate the category of one of the hash sets. It does not check whether the matching hash sets all belong to the same category (which they should).

An optional second, separate hash database of block hash values allows you to search for incomplete remnants
and the last byte is the most significant. This is the common format for computers running Microsoft Windows. Following the little-endian paradigm, the hexadecimal values 10 27 can be interpreted as the hexadecimal number 2710 (decimal 10,000). The Data Interpreter is capable of interpreting data as all of the aforementioned integer types plus unsigned 48-bit integers.

2.4 Floating Point Data Types

Type                     Range    Precision (digits)    Bytes
Float (Single)
Real
Double (Double)
Long Double (Extended)

The type names originate from the C programming language. The corresponding Pascal names are specified in brackets. The Real type exists only in Pascal. The Data Interpreter is capable of translating hex values in an editor window into floating-point numbers of all four types and vice versa.

In the computer, a floating-point number F is represented by a mantissa M and an exponent E, where F = M × 2^E. Both M and E are signed integer values themselves. The four data types differ in their value ranges (i.e. the number of bits reserved for the exponent) and in their precision (i.e. the number of bits reserved for the mantissa). On Intel-based systems, calculations upon floating-point numbers are carried out by a math coprocessor while the main processor waits. The Intel 80x87 uses 80-bit precision for calculations, whereas RISC processors often use 64-bit precision.

2.5 Date Types

The following date formats are supported by the D
ans 0, and groups (letters from A to Z) can be optionally specified following a tab at the end of a line, in any order, for example as 2P or DI3. So up to 10 rank levels are possible, but it is not necessary to fully utilize this range. Up to 26 groups are possible. You do not have to start alphabetically. The case of the letters is ignored. You may also define ranks and groups for an entire category, following a tab in a category line. File types that have no rank and category inherit both from the category to which they belong. To give a group a more descriptive name than just a single letter, insert group definition lines at the end of the text file that start with an equal sign, e.g. =P Photos and videos (for image group), =D Docs, e-mails and Internet, IFFile types to index.

3.7 Report Tables

In the directory browser of an evidence object you can associate notable files with report tables. A report table is a user-defined virtual list of files, especially notable files. Files associated with report tables can then be easily included in the case report with all their metadata and even links (pictures can be included directly), and you can filter by their report table association in a recursive view in order to easily locate these files later, like bookmarking files. The filter can reference multiple report tables at the same time, with OR, AND and NOT operators, and even has an option that allows you to additionally include siblings of the files
are provided in one of the two edit windows.

Refresh View: Redraws the contents of the current edit window. In case the current file was updated by an external program, WinHex offers to dismiss any changes made in WinHex and reload the file from scratch. Also refills the directory browser if the directory browser has the input focus. Useful, for example, when a filter for tagged items is active and you remove the tag marks of some of the listed files, if you wish to update the listing in the directory browser and get rid of those files that are no longer tagged.

5.8 Tools Menu

Open Disk: See chapter Disk Editor.

Clone Disk: See chapter Disk Cloning.

Explore recursively: Changes into a recursive view for the directory that is currently listed in the directory browser, or back to the normal view. A recursive view means that not only files will be listed that are contained directly in the current directory, but also all files in all subdirectories of that directory and their subdirectories etc. For example, this allows you to copy/recover selected files from different paths in a single step.

File Recovery by Type: See below.

Take New Volume Snapshot: Available for partitions with one of the supported file systems. WinHex traverses all cluster chains and thereby generates a drive map. This enables WinHex to fill the directory browser and to display for each sector which file or directory it is allocated to. It is recommended to invoke this co
ata Interpreter:
• MS-DOS Date & Time (4 bytes): The lower word determines the time, the upper word the date. Used by several DOS function calls, by the FAT file systems and many system utilities such as file archivers. Second (divided by 2); Minute (0-59); bits 11-15: Hour (0-23 on a 24-hour clock); bits 16-20: Day of the month (1-31); bits 21-24: Month (1 = January, 2 = February, etc.); bits 25-31: Year (offset from 1980).
• Win32 FILETIME (8 bytes): The FILETIME structure is a 64-bit integer value representing the number of 100-nanosecond intervals since January 1, 1601. Used by the Win32 API.
• OLE 2.0 Date & Time (8 bytes): A floating-point value (more exactly a double) whose integral part determines the number of days passed since December 30, 1899. The fractional part is interpreted as the day time (e.g. 1/4 = 6:00 a.m.). This is the OLE 2.0 standard date type, e.g. it is used by MS Excel. ICQ 7.0 uses big-endian OLE 2.0 timestamps in chat messages.
• ANSI SQL Date & Time (8 bytes): Two consecutive 32-bit integer values. The first one determines the number of days since November 17, 1858. The second one is the number of 100-microsecond intervals since midnight. This is the ANSI SQL standard and used in many databases, e.g. InterBase 6.0.
• UNIX/C/FORTRAN Date & Time (4 bytes): A 32-bit integer value that determines the number of seconds since January 1, 1970. This data type was used in UNIX by C and C++ (time_t) and by
ation is newer and faster and supported only by X-Ways Forensics v16.4 and later. This encryption algorithm uses a 256-bit key that is digested with SHA-256 from the 512-bit concatenation of the SHA-256 of the password you specify and 256 bits of cryptographically sound random input (salt), which is stored in the header of the evidence file. For 128-bit AES, the 256-bit key is reduced to 128 bits by XORing the first and second half. The 128-bit counter is randomized and incremented per encryption block, as a little-endian integer in 256-bit AES, as a big-endian integer in 128-bit AES. The encryption block size of AES is 128 bits.

An additional SHA-256 is stored in the header as well (optionally for 256-bit AES, see Security Options) and used later to determine whether a password specified by the user for decryption is correct or not. The SHA-256 algorithm is applied to a concatenation of the salt, hash x and hash y to compute this password verification hash, where hash x is the SHA-256 of the user-supplied password and hash y is the SHA-256 of the concatenation of the user-supplied password and hash x. For 128-bit AES, y becomes x and is concatenated and hashed over and over again, 100,000 times, to practically render rainbow table attacks computationally infeasible.

Please note that when you use compression and encryption at the same time, each chunk in an .e01 evidence file is first compressed, then encrypted. So an educated guess about the na
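The key derivation and password verification steps described above, written out as an added example so the data flow (what is stored in the header, what never is) can be checked. This is not X-Ways code and is not byte-compatible with real .e01 headers: the manual does not state the character encoding of the password, the exact concatenation order for the 100,000-round chain of the 128-bit variant, or header layout, so the password is taken as raw bytes and the chaining order is this example's reading of the text (assumptions, marked in the comments). The AES-CTR encryption itself is left out; only the key and verification-hash material is shown.

```python
import hashlib
import hmac
import os

SALT_LEN = 32                 # 256 bits of random salt, stored in the evidence file header
KDF_ROUNDS_AES128 = 100_000   # hash-chain length for the 128-bit AES variant


def sha256(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of all parts."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def derive_key_256(password: bytes, salt: bytes) -> bytes:
    """256-bit key = SHA-256( SHA-256(password) || salt ): digest of the 512-bit concatenation."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 256 bits")
    return sha256(sha256(password), salt)


def reduce_to_128(key256: bytes) -> bytes:
    """128-bit AES key: XOR of the first and second halves of the 256-bit key."""
    return bytes(a ^ b for a, b in zip(key256[:16], key256[16:]))


def verification_hash(password: bytes, salt: bytes, aes128: bool = False) -> bytes:
    """Password verification hash kept in the header: SHA-256(salt || x || y)."""
    x = sha256(password)            # hash x = SHA-256 of the user-supplied password
    y = sha256(password, x)         # hash y = SHA-256 of password || hash x
    if aes128:
        # 128-bit AES: y becomes x and is concatenated with the password and hashed again,
        # 100,000 times. The exact chaining order is an assumption of this example.
        for _ in range(KDF_ROUNDS_AES128):
            x = y
            y = sha256(password, x)
    return sha256(salt, x, y)


def check_password(password: bytes, salt: bytes, stored: bytes, aes128: bool = False) -> bool:
    """Decide whether a password offered for decryption is correct, compared in constant time."""
    return hmac.compare_digest(verification_hash(password, salt, aes128), stored)


def new_header_material(password: bytes, aes128: bool = False) -> dict:
    """What a writer keeps: salt and verification hash go into the header, the key only to the cipher."""
    salt = os.urandom(SALT_LEN)
    key = derive_key_256(password, salt)
    if aes128:
        key = reduce_to_128(key)
    return {"salt": salt, "verify": verification_hash(password, salt, aes128), "key": key}


if __name__ == "__main__":
    material = new_header_material(b"example passphrase")   # constructed sample password
    print(check_password(b"example passphrase", material["salt"], material["verify"]))
```

The verification hash lets a reader reject a wrong password before decrypting anything, and because it is derived from the salt as well as the password, the same password produces a different stored hash in every evidence file.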
bers the tagged, already viewed and excluded status of files separately for each examiner. You can choose to adopt the already viewed status of files in volume snapshots from all other examiners when opening evidence objects. That is useful if the goal is to avoid duplicate work, if you do not wish to review files that were reviewed by any of your colleagues already. Please note that individual file statuses (tagged, already viewed and excluded) as well as search hits of other users are lost if one examiner removes items from the volume snapshot.

Search hits and search terms are stored on a per-user basis as well. The first examiner opening an older case with v17.5 or later will absorb the search hits and search terms that were stored in the case by v17.4 or earlier. The Extended multi-user coordination dialog window contains a button that allows you to import the search hits and search terms of another user.

To view all the results of a colleague (report table associations, search hits, tag marks, already viewed status of files, exclusion status of files), you can open the case in read-only mode as him or her. For that, try the Options checkbox when opening a case. You may prevent your colleagues from opening the case in read-only mode as you. The Options checkbox allows you to open a case in any of the following three modes: 1) entire case read-only (case file and volume snapshots), 2) cooperative analysis mode (ability to
browser in a new window. If a View window displays a picture and viewing pictures is limited to one picture at a time, that window will be updated when you press the cursor keys in the gallery. Useful especially on a spanned desktop, if the View window is centered on the second monitor and the gallery is on the first monitor. Avoids having to press the Enter key to view the picture and another key to close the View window to get the input focus back to the gallery.

Explore: Only available for directories and archives (ZIP, RAR, TAR, ...), this command allows navigating into them within the directory browser. Double-clicking archives or directories does the same. A command that allows listing the contents of directories as well as their subdirectories at the same time can be found in the directory tree's context menu instead (in the Case Data window): Explore recursively.

Viewer Programs: Allows you to send the selected file(s) to one of the external programs currently configured, or the file's associated program in the current Windows installation. This association is determined based on the file extension, as is usual within Windows. You also have the option to open files in an external program that you select ad hoc. The program that you select will be saved as a standard custom viewer program if you have not used all slots for external viewer programs yet, and then also remembered for next time when you invoke the same menu command.

Open: Opens curr
ce.

See selected item in its directory: Will show you the selected file or directory among its siblings. Useful to quickly check out whether there are more notable files in the same directory, or to better understand the function of the file when you see it in context.

See selected item from volume root: Will show you the selected file among all other files in the same volume, recursively explored from the root of that file system. Useful, for example, to see whether there are any files with the same name, the same ID (e.g. previous version from a volume shadow copy), same owner, same sender or similar timestamps etc. in the same file system (just sort accordingly).

Both commands can also be used from within the case root window and from within search hit lists, so the previous Go to file in directory browser command becomes obsolete. Remember you can click the Back button in the toolbar to conveniently return to the previous view.

Refine Volume Snapshot, Simultaneous Search, Run X-Tensions: These commands are known from the main menu. From the directory browser context menu they can be applied to the selected files.

Create Hash Set: Creates a hash set of the currently selected files and directories (and their subdirectories) directly within the internal hash database, either with ordinary file hash values or with block hash values.

Attach External File/Dir: Requires a forensic license. Ability to attach one or more external files or a
character (0x09). In any case, TAB/SHIFT can be pressed to switch the current mode.
• Non-printable characters with a character set value smaller than 0x20 can be represented by a user-defined other character. The bytes in the display can be represented as characters in the text column one by one, or WinHex can try to combine them, which, if the active code page in Windows is a double-byte character set, may be desirable to get the characters right (if 2 bytes = 1 character) or undesirable because of the variable row length.

Offsets can be presented and prompted for in a decimal or hexadecimal notation. This setting is valid for the entire program. When using the RAM editor, it may be reasonable to have WinHex display virtual addresses instead of zero-based offsets. This is always done in hexadecimal notation. The dialog window of the Goto Offset command will also prompt for virtual addresses.

Page and sector separators may be displayed. If this option is enabled partially, only sector separators are displayed.

Specify the number of bytes per line in an edit window. Common values are 16 or 32, depending on the screen resolution. Choose how many bytes shall be displayed in a group. Powers of 2 serve best for most purposes.

There is an option to define the size of the extra gap between rows in the hex editor display in pixels, which together with the official height of the selected font defines the distance between the rows. The de
created automatically when the case is created. You may select the base folder for your cases in General Options. It is not necessary to explicitly save a case, unless you need to be sure it is saved at a given time. A case is saved automatically at the latest when you close it or exit the program.

In the case properties window, you may name a case according to your own conventions (e.g. title or number). The date and time you create a case is recorded and displayed. The internal case filename is displayed as well. You may enter a description of the case of arbitrary length and the examiner's name, the examiner's organization's name and address. You may enable or disable the automated log feature for the whole case. Optionally, the evidence object subfolders in the case folder are always suggested as default output folders for files recovered/copied off a file system. You may wish to disable that feature if your preference is to copy files from various evidence objects into the same output folder.

You may select up to two code pages related to the case, more precisely related to the locale where the original media related to the case were used. These code pages are used when naming .eml files based on subject lines (.eml files extracted from e-mail archives). If both code pages are identical, that does no harm. If identical to the currently active code page in Windows, they do not have any effect. These code pages are also used to convert the filenames in
cryption. Random data that is supposed to be indistinguishable from encrypted data. Quite fast.
With cryptographically sound pseudo-random data: Cryptographically secure pseudo-random number generator (CSPRNG) named ISAAC. Very slow.

In case in all open files either a block or no block is defined, this command can optionally be applied to all these files at the same time.

To maximize security if you wish to totally wipe (sanitize) slack space, free space, unused NTFS records or an entire media, you may want to apply more than one pass for overwriting disk space (up to three). According to the Clearing and Sanitization Matrix, the standard outlined in the U.S. Department of Defense DoD 5220.22-M operating manual, method c, a hard disk or floppy disk can be cleared by overwriting once all addressable locations with a single character. This is usually the hexadecimal value 0x00, but can be any other value. To sanitize hard disks according to method d, overwrite all addressable locations with a character, its complement, then a random character, and verify. This method is not approved by the DoD for sanitizing media that contain top secret information. The DoD button configures WinHex for sanitization such that it will first overwrite with 0x55 (binary 01010101), then with its complement 0xAA (10101010), and finally with random byte values. The 0x00 button configures WinHex for simple initialization (wiping once with zero
ct your preferred text editor and HTML viewing program. The HTML viewer program can be e.g. MS Word or NVU, i.e. a program that can be used to further edit the HTML case reports that X-Ways Forensics can create automatically. For merely viewing and printing, we recommend Internet Explorer. If the internal graphics viewing library is used to view pictures (not the viewer component), then optionally the picture viewer window can be closed automatically when a new picture is viewed.

You can also specify the .exe path of MPlayer (tested with v1.0rc2, non-GUI version; also download the separate codecs package and extract it into the codecs subdirectory of MPlayer) or Forensic Framer, two programs that allow X-Ways Forensics to extract pictures from videos. If mplayer.exe is found in a subdirectory MPlayer of the installation directory of X-Ways Forensics, it will be defined as the video extraction program and as an external viewer program automatically. Relative paths starting with . or .. are supported, where . stands for the directory from which X-Ways Forensics is executed and .. for its parent directory. Please note that we cannot provide support for external programs.

You may also specify several custom viewer programs that can be conveniently invoked from inside X-Ways Forensics via the directory browser context menu. Also, you may specify which file types you prefer to view in the program that is associated with their extension in your system, typically f
d are those whose hard link count is grayed out. Search hits in the only hard link that does get searched are marked with the hint Links in the Descr. column, to remind you of the other hard links of the same file in case those search hits are relevant.
• Some blind spots that logical searches have in old-fashioned computer forensics software products in the several-thousand-dollar price range do not exist in X-Ways Forensics, as such areas on a partition can be addressed specifically, namely any transition from file slack to directly following free space, and in NTFS and exFAT also from known uninitialized, but physically allocated tails of files to directly following free space.

Should this operation freeze on a certain file, remember the internal ID and the name of the currently processed file are displayed in the small progress indicator window. If this operation is applied to an evidence object and it crashes, X-Ways Forensics will tell you which file when you restart the program and associate it with a report table (depends on the Security Options). All that happens so that you can exclude and omit the file when trying again.

3.13 Search Hit Lists

Available only with a forensic license, when working with a case, for evidence objects with a volume snapshot. Otherwise the Position Manager will list search hits. The directory browser can show search hits. To get into this display mode (search hit list instead of ordinary directory b
d be copied to the container as well, even if they are not selected themselves: either child objects of any kind (if fully checked) or only e-mail attachments (if half checked).

Optionally, containers can include the data contents of directories themselves, i.e. depending on the file system, directory entries, INDX buffers etc. Useful if the recipient of the container is technically versed and might be interested in timestamps or other metadata in these data structures. If you choose to include directory data in a container when creating it, this has a direct effect only on directories that are selected themselves. It has an effect on the respective parent directory of selected items only if you enable an additional option, Include parent item data contents. This additional decision is needed because otherwise the directory data might unintentionally reveal the names and other metadata of files that were intentionally omitted from the container, e.g. for reasons of confidentiality. If the option Include parent item data contents is enabled, even if the respective parent is a file, that file's contents will be automatically copied, e.g. the e-mail message that the selected attachment belongs to, the zip archive that contains the selected file, or the document that the selected picture is embedded in.

Any file that is part of a volume snapshot (e.g. even individual e-mail messages, if extracted) can be added to a conta
d in an encrypted state within the RAM as long as WinHex is running.

Search and replace operations generally run fastest with case sensitivity switched on and without wildcards enabled.

When searching with the option count occurrences activated, or when replacing without prompting, there are generally two ways for a search algorithm to behave when an occurrence has been found, which in some cases may have different results. This is explained by the following example: The letters "ana" are searched in the word "banana". The first occurrence has already been found at the second character.
1st alternative: The algorithm continues the search at the third character. So "ana" is found again at the fourth character.
2nd alternative: The three letters "ana" found in the word "banana" are skipped. The remaining letters "na" do not contain "ana" any more.
WinHex is programmed in the second manner, because this delivers the more reasonable results when counting or replacing occurrences. However, if you continue a search using the F3 key or you choose the replace option prompt when found, the algorithm follows the first paradigm.

3 Forensic Features

3.1 Case Management

The integrated computer forensics environment in WinHex can be used with a forensic license of WinHex only. It offers complete case management, automated log and report file generation, and various additional features such as gallery view, file signature check, HPA detection
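The two scanning strategies from the "banana" example, written out as an added example (not WinHex code) over byte strings, so the difference between the count-occurrences/ReplaceAll behaviour and the F3/prompt-when-found behaviour can be seen on overlapping matches. The function names and the sample inputs are this example's own.

```python
def find_all(haystack: bytes, needle: bytes, skip_match: bool = True) -> list:
    """Offsets of every occurrence of needle in haystack.

    skip_match=True  : after a hit, resume after the whole match (count occurrences / ReplaceAll),
                       so overlapping occurrences are not reported twice.
    skip_match=False : after a hit, resume at the very next byte (F3 / replace with prompt),
                       so overlapping occurrences are reported as well.
    """
    if not needle:
        raise ValueError("empty search term")
    hits = []
    pos = haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + (len(needle) if skip_match else 1))
    return hits


def count_occurrences(data: bytes, term: bytes) -> int:
    """The 'count occurrences' figure: number of non-overlapping hits."""
    return len(find_all(data, term, skip_match=True))


def replace_all(data: bytes, old: bytes, new: bytes) -> bytes:
    """ReplaceAll semantics: non-overlapping hits, left to right, each replaced exactly once."""
    out = bytearray()
    cursor = 0
    for pos in find_all(data, old, skip_match=True):
        out += data[cursor:pos] + new
        cursor = pos + len(old)
    out += data[cursor:]
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample from the manual's explanation
    print(find_all(b"banana", b"ana"))                    # second alternative: one hit
    print(find_all(b"banana", b"ana", skip_match=False))  # first alternative: two hits
```

The replacement loop is why the second alternative matters: resuming inside a match could replace bytes that were already part of a previous replacement, which is never the intended result.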
117. d interact with the volume snapshot. By default, the directory browser lists existing files and directories first, then deleted files and directories. Compressed files are displayed in blue, encrypted files in green. Right-clicking any item in the directory browser brings up a context menu with commands for opening a file or directory, exploring a directory, locating the beginning of a file or directory on the disk, locating the corresponding directory entry (FAT) or file record (NTFS), listing the allocated clusters in a separate window, etc. When navigating from one directory to another, exploring files with child objects (e.g. e-mail messages that have attachments), navigating to the parent of a child object, activating or deactivating filters, trying different sort criteria etc., please note that you can easily return to a previous view using the Back command in the Position menu or the Back button in the toolbar. The icons are explained in the legend directly in the program (forensic license only). Deleted files and directories are represented in the directory browser with lighter icons. Icons with a blue question mark indicate that the original file or directory contents may still be available. Deleted objects that WinHex knows are no longer accessible, either because their first cluster has been reallocated, because it is unknown, or because they have a size of 0 bytes, have icons crossed out in red. Icons with an arrow (on FAT volumes onl
118. d with a tiny blue arrow next to its icon (forensic license only). Reparse points that do not get connected with their target directories will still show a comment that advises you of the target path, as in earlier versions of X-Ways Forensics. 3. Hard links in HFS point to their so-called indirect node file. 4. Files found in volume shadow copies in NTFS point to their shadow copy host file; VSC host files point to their corresponding snapshot properties file. 3.22 External Analysis Interface. Via the menu command Export Files for Analysis in the Case Data window, you can send files (for example all files in the case that belong to a certain category) to an external program for further analysis. This external program must comply with the interface described below. Requires X-Ways Forensics or X-Ways Investigator or WinHex with a forensic license. The analysis result can be imported back into X-Ways Forensics with the Report Table Import menu command in the Case Data window (for example, right-click the case title where it is printed in bold). That will associate files classified by the external software with certain report tables, and may create new report tables, which allows you to filter for such files or create a report about them. For example, the software DoublePics can recognize known pictures even if stored in a different format or altered, and return a classification such as "CP", "relevant" or "irrelevant".
119. dard download, as it is updated much more rarely. Use the 64-bit edition of the viewer component for the 64-bit edition of X-Ways Forensics. By default the viewer component is expected in the subdirectory "viewer" (32-bit) or "x64 viewer" (64-bit). Please be advised that the viewer component creates files in the profile of the user who is currently logged on (unlike X-Ways Forensics), so if you wish to avoid creating files on a live system that you examine, don't let X-Ways Forensics use the viewer component. You may also wish to download MPlayer if you intend to have X-Ways Forensics produce stills from videos to see them in the gallery. Newer releases can always be extracted into the existing directory of an earlier release. You may continue to use WinHex.cfg configuration files from earlier releases in later releases, but never the other way around. To familiarize yourself with the names of the various elements of the user interface, please refer to this screenshot. [Screenshot: X-Ways Forensics main window, with the main menu, tab control, caption line of the directory browser and toolbar labelled.]
120. directory (including subdirectories) to the volume snapshot and have them processed by X-Ways Forensics like regular files in the volume snapshot. Useful if you need to translate, convert or decrypt original files and would like to reintegrate the result back into the original volume snapshot, in the original path, for further examination, reporting, filtering, searches etc. Such external files will be completely managed by X-Ways Forensics once attached (copied to the internal evidence object subdirectory of the case) and marked as virtual files. When attaching a single external file and holding the Shift key, X-Ways Forensics proposes a new name for that file that is based on the name of the file that is selected, and the attached file will be added to the same directory. Otherwise the external filenames of the files will be used, and they will become child objects of the selected object. It is still possible to rename virtual files in the volume snapshot later at any time. When attaching an external directory to the volume snapshot, you are prompted whether the selected directory itself should also be attached or just its contents. Usually X-Ways Forensics creates virtual files in subdirectories in new virtual directories in the volume snapshot. There is however an option to accommodate the files in existing directories in the volume snapshot of the same name, at the same position in the directory tree. Useful if you copy an entire directory structure off
121. dit windows visually and synchronize scrolling in these windows (see View menu). Create Hard Link: Cool function to create hard links of files in NTFS volumes. Useful, for example, to play around with hard links when attending NTFS file system training, or if you would like to add the same image to the same case again (which is only possible under a different name), or if you would like to create a hard link to xwforensics.exe named WinHex.exe in order to run X-Ways Forensics as WinHex. First you select the existing file, then a path and name for the additional hard link. Copy Sparse: Can copy a selected file and preserve its sparse nature in the destination file if it is an NTFS sparse file. That means, for example, when copying a 1 TB skeleton disk image that only has 100 MB of data allocated, the copy process will finish almost instantly, because only 100 MB out of 1 TB of data have to be copied. Conventional copy functions do not preserve the sparse nature of a file and copy the amount of data indicated by the nominal file size, even if most of the data is internally unallocated and read virtually as binary zeroes. Wipe Securely: This command is used to erase the contents of one or more files irrevocably, such that they cannot be restored by WinHex or other special data recovery software. Each selected file is overwritten according to the current settings, shortened to a length of zero, and then deleted. The name entry of the file is erased as well. Note that only the clusters currently allocated to the file are overwritten; copies of the data that exist elsewhere (e.g. in volume shadow copies, backups, or flash blocks remapped by SSD wear levelling) are not covered by this command. E
122. dow width is 128 bytes by default. That means it is not guaranteed that, with a variable-length GREP search term (i.e. one using syntax that matches a variable number of characters), you can find data that is longer than 128 bytes. You may increase the search window width if you need to cover more than that. This is needed, for example, for proximity searches: if you require that a document contains two search terms at the same time and that the search terms occur close to one another, you could search for these search terms with two GREP expressions and specify the maximum distance allowed between them as the second parameter in the braces: keyword1.{0,maxdistance}keyword2 and keyword2.{0,maxdistance}keyword1. The search window width in bytes required when searching with an 8-bit character set is the sum of maxdistance, length(keyword1) and length(keyword2). Please note that the preferred method to find two search terms near to each other is the NEAR combination in the search term list, when two search terms are already combined with a logical AND after they have been searched for separately. 8.7 Replace Options. Prompt when found: WinHex awaits your decision when an occurrence has been found. You may either replace it, continue, or abort the search. Replace all occurrences: All occurrences are replaced automatically. Case sensitive: The characters that are to be replaced are searched using this option (cf. Search Options). Unicode character set: The specified characters a
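The proximity search and the window-width rule above, as an added example in Python (not code from the manual or from WinHex). `windowed_search` is a simplified model of a fixed search window, an assumption about how such a window behaves rather than a description of X-Ways internals; the sample data and helper names are constructed for the example.

```python
# Added example: a proximity search from two GREP expressions and the search
# window width it needs. Not WinHex code; helper names are hypothetical.
import re


def proximity_patterns(keyword1: bytes, keyword2: bytes, maxdistance: int):
    """The two expressions from the text, keywords escaped so they match
    literally: keyword1 followed by keyword2 within `maxdistance` bytes, and
    the reverse order."""
    gap = b".{0,%d}" % maxdistance
    return [re.escape(keyword1) + gap + re.escape(keyword2),
            re.escape(keyword2) + gap + re.escape(keyword1)]


def required_window(keyword1: bytes, keyword2: bytes, maxdistance: int) -> int:
    """Longest hit either expression can produce with an 8-bit character
    set: maxdistance + len(keyword1) + len(keyword2). Double the keyword
    lengths for UTF-16 search terms."""
    return maxdistance + len(keyword1) + len(keyword2)


def windowed_search(data: bytes, patterns, window: int = 128):
    """Model of a fixed-width search window (an assumption, not X-Ways'
    implementation): a hit counts only if the whole match fits into `window`
    bytes starting at the hit's first byte. Returns sorted hit offsets."""
    compiled = [re.compile(p, re.DOTALL) for p in patterns]  # '.' matches any byte
    hits = set()
    for start in range(len(data)):
        chunk = data[start:start + window]
        if any(rx.match(chunk) for rx in compiled):
            hits.add(start)
    return sorted(hits)


def demo():
    """Constructed sample: the two terms are 150 bytes apart, which a
    maxdistance of 200 allows, but the default 128-byte window cannot hold."""
    sample = b"x" * 10 + b"invoice" + b"." * 150 + b"transfer" + b"y" * 10
    patterns = proximity_patterns(b"invoice", b"transfer", 200)
    width = required_window(b"invoice", b"transfer", 200)  # 215
    return {
        "default_window": windowed_search(sample, patterns, 128),    # []
        "widened_window": windowed_search(sample, patterns, width),  # [10]
        "required_width": width,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model: with the default window the hit is silently missed, not reported as an error, so a proximity search with a large maxdistance must always be paired with a correspondingly larger search window width.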
123. e alternative access method 1 for physical hard disks may allow you to access hard disks formatted with an unconventional sector size, or other media that cannot be accessed otherwise. Note that it may be slower than the regular access method. If considerably slower, WinHex will notify you of this and recommend reverting to the standard access method. Access method 2 affects physical hard disks only as well. Both alternative methods allow you to specify a timeout in milliseconds after which read attempts will be aborted. This can be useful on disks with bad sectors, where an attempted read access to a single sector could otherwise cause a delay of many seconds or minutes. • The substitute pattern for unreadable sectors is always used instead of the original data stored in disk sectors if these sectors cannot be read, for all purposes: display on the screen, imaging, cloning, hashing, searching. If you are going to hash disks with bad sectors and want to compare or reproduce the results with other tools, then you can specify the same pattern as used by the other tool here. Just note that such hash values are difficult to reproduce, because bad sectors could multiply in the course of several attempts. If, when trying to read bad sectors, you prefer to get zero-value bytes delivered back, totally remove the pattern (ensure that the edit box is completely blank). 2nd column: • Specify the folder in which to create temporary files. By default that is the
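How the substitute pattern feeds into an image hash, as an added example in Python (not code from the manual or from WinHex). `SimulatedDisk` is a constructed in-memory stand-in for a device whose bad sectors fail on every read; `image_disk` and `substitute_block` are hypothetical helper names.

```python
# Added example: imaging a device with unreadable sectors, substituting a
# fixed pattern so the hash can be reproduced by another tool configured with
# the same pattern. Device and bad sectors are simulated; not WinHex code.
import hashlib

SECTOR = 512


class SimulatedDisk:
    """Constructed stand-in for a physical disk: sectors listed in `bad`
    raise OSError on every read attempt, like a device that times out on a
    damaged area. Good sectors carry deterministic pseudo-content."""

    def __init__(self, sectors: int, bad: set, seed: bytes = b"added example"):
        self.sectors, self.bad, self.seed = sectors, bad, seed

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError("sector %d: read error" % n)
        block = hashlib.sha256(self.seed + n.to_bytes(8, "little")).digest()
        return (block * (SECTOR // len(block)))[:SECTOR]


def substitute_block(pattern: bytes) -> bytes:
    """Expand the user's pattern to a full sector. An empty pattern means
    zero-value bytes, which is what a blank edit box delivers."""
    if not pattern:
        return bytes(SECTOR)
    return (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]


def image_disk(disk: SimulatedDisk, pattern: bytes = b""):
    """Return (sha256 hex digest, list of unreadable sector numbers). Every
    unreadable sector contributes the substitute block to the image and to
    the hash, exactly as if that block had been read from the device."""
    digest, bad, fill = hashlib.sha256(), [], substitute_block(pattern)
    for n in range(disk.sectors):
        try:
            data = disk.read_sector(n)
        except OSError:
            data = fill
            bad.append(n)
        digest.update(data)
    return digest.hexdigest(), bad


if __name__ == "__main__":
    disk = SimulatedDisk(64, {3, 40})
    print(image_disk(disk))          # zero fill
    print(image_disk(disk, b"BAD!"))  # different digest, same bad sectors
```

Two consequences follow directly: the digest only matches another tool's when both use the same pattern, and a second pass over the same device reproduces the digest only if the set of unreadable sectors has not grown in the meantime, which is why the text warns that such hashes are difficult to reproduce.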
124. e case. To make the case forget previous crasher files, click the Delete button in the case properties. Skipped files are also automatically added to the aforementioned report table. You may schedule a simultaneous search in advance for the time after the volume snapshot refinement. Interdependencies: There are various interdependencies between all these operations. For example, if the contents of archives are included in the volume snapshot, among these files there could be pictures that are to be checked for skin colors, or documents that are to be checked for encryption. You can work under the premise that if an additional file is added to the volume snapshot, or if the true type of a file is detected as part of Refine Volume Snapshot, all the appropriate other operations are applied to that file if they are all selected. Imagine someone tries to conceal an incriminating JPEG picture by embedding it in an MS Word document, misnaming that .doc file to .dll, compressing that file in a Zip archive, misnaming the .zip file to .dll, compressing that .dll in another Zip archive, misnaming that .zip file again to .dll, and then sends this .dll file by e-mail as an attachment using MS Outlook. If all the respective options are selected, Refine Volume Snapshot does the following: It extracts the e-mail attachment from the PST e-mail archive. It detects that the .dll attachment is actually a Zip archive. Then it includes the contents of it in the volu
125. e highlighted; you may also hover the mouse cursor over such a value to get a human-readable interpretation of the timestamp. Alternatively, of course, you could get it from the Data Interpreter if you click the first byte of the value. • Select a color used as the background of the current block. You can only change the color if the option "Use Windows default colors" is switched off. • Select a color used as the background of every other fixed-length record, if record presentation is enabled (see Position menu). • Select the default color for newly created annotations (positions, bookmarks). • You may want WinHex to highlight modified bytes, i.e. display altered parts of a file, disk or memory in a different color, so you can distinguish between original data and changes you have made so far. You may select the highlight color. • You may choose a font for the hex editor display and decide, via an additional checkbox, whether the standard Windows GUI font should be used for the other parts of the WinHex/X-Ways Forensics GUI. Last not least, you may select one of several different dialog window and button styles. Notation Options: • Choose your preferred date, time and number notation settings. This is important especially to be independent of the Windows regional settings of a live system that you want to preview, if you are using X-Ways Forensics on a computer that is not your own. You may also choose to display years in dates with 2 digits
126. e instantly, even for very large files. They allow you to list files in a random order, just like when you sort by real hash values, but without having to invest time to compute real hash values first. Useful, for example, for triage if you have limited time and just wish to quickly look at some randomly selected files in a large evidence object first (e.g. pictures in a gallery) to determine how relevant an evidence object might be. Looking at files in a random order might give you a more complete and accurate impression of what is stored in an evidence object, because the first x files listed are more varied and more representative of the evidence object as a whole if they are in a truly random order. If you sort by name or path or size or timestamps, on the other hand, many of the files you see will likely be somewhat similar (created by the same application or by the operating system, by the same user, for a similar purpose, created or copied or received around the same time, same file format), so with some bad luck you will only see irrelevant files even if there is an equally large group of relevant files. Remember that if you don't sort in the directory browser at all, the view is skewed as well, because you will see the files in the order in which they are referenced by the volume snapshot, which is more or less the order in which they are referenced by the file system, and thus not random. Sorting by hash values can be combined with any
127. e not currently visible. Very useful, for example, if the path is very long and does not fit on the screen in the path column, maybe not even in the path tooltip display. Also allows you to easily copy the filename or file path or selected other data to the clipboard. The Details mode also shows NTFS file permissions stored in access control lists (ACLs). Each element typically has the property Grant or Deny and an SID to which the permission applies. The SID is translated into a friendly name if possible. The permission itself is either R (Read Permission), C (Change Permission), Full Control, or Special Access. For a Special Access right, all individual rights are listed. For each permission there can be two inheritance flags, container inherit (CI) and object inherit (OI), or two propagation flags, inherit only (IO) and no propagate inherit (NP). Usually the final list element is the group membership property. The Details mode also extracts some essential internal metadata from OLE2 compound files (e.g. pre-2007 MS Office documents), MS Office 2007 XML, OpenOffice XML, StarOffice XML, HTML, MS Access, MDI, PDF, RTF, WRI, AOL PFC, ASF/WMV/WMA, MOV/MP4/3GP/M4V/M4A, JPEG, BMP, EXE/DLL, JIDX (Java applet cache), THM, TIFF, GIF, PNG, GZ, ZIP, PF, IE cookies, DMP memory dumps, hiberfil.sys, PNF, SHD & SPL printer spool, WIM (Vista image files), DocumentSummary alternate data streams, tracking.log, mdb (MS Access database), manifest.mbdx/mbdb (iPhone backup). For M
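What lies behind the ACL display described above, as an added example in Python (not code from the manual or from X-Ways Forensics): the on-disk ACE layout is decoded into Grant/Deny, SID, friendly name, permission and the CI/OI/IO/NP flags. The mapping of access masks to the labels "Read", "Change" and "Full Control" is an assumption based on the classic NTFS permission sets; the sample DACL is constructed, and `parse_acl`, `build_ace` and friends are hypothetical names.

```python
# Added example: decode NTFS ACEs into the fields the Details mode lists.
# Not X-Ways code. Mask-to-label mapping is an assumption (classic NTFS sets).
import struct

ACE_TYPES = {0x00: "Grant", 0x01: "Deny"}  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "INHERITED")]
NAMED_MASKS = {0x1F01FF: "Full Control", 0x1301BF: "Change", 0x1200A9: "Read"}
RIGHT_BITS = [
    (0x00000001, "FILE_READ_DATA"), (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"), (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"), (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
    (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-18": "SYSTEM",
              "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}


def sid_to_str(raw: bytes) -> str:
    """Binary SID -> 'S-1-...': revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_from_str(text: str) -> bytes:
    parts = text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_ace(ace_type: int, flags: int, mask: int, sid: str) -> bytes:
    """ACE_HEADER (type, flags, size) + access mask + SID."""
    body = struct.pack("<I", mask) + sid_from_str(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_acl(aces) -> bytes:
    """ACL header: revision 2, padding, total size, ACE count, padding."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def describe_mask(mask: int) -> str:
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    return "Special Access: " + ", ".join(name for bit, name in RIGHT_BITS if mask & bit)


def parse_acl(raw: bytes):
    """One dict per allow/deny ACE, in on-disk order (a Deny ACE that follows
    a Grant for the same principal is a non-canonical ACL worth noting).
    Other ACE types are skipped using their size field."""
    _, _, _, count, _ = struct.unpack_from("<BBHHH", raw, 0)
    offset, entries = 8, []
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", raw, offset)
        if ace_type in ACE_TYPES:
            mask, = struct.unpack_from("<I", raw, offset + 4)
            sid = sid_to_str(raw[offset + 8:offset + ace_size])
            entries.append({
                "access": ACE_TYPES[ace_type],
                "sid": sid,
                "account": WELL_KNOWN.get(sid, sid),
                "permission": describe_mask(mask),
                "flags": [name for bit, name in ACE_FLAGS if ace_flags & bit],
            })
        offset += ace_size
    return entries


def sample_acl() -> bytes:
    """Constructed DACL: deny Users write-data; grant Administrators Full
    Control on this directory and all children (CI|OI); grant Everyone Read
    on children only (CI|IO)."""
    return build_acl([
        build_ace(0x01, 0x00, 0x00000002, "S-1-5-32-545"),
        build_ace(0x00, 0x03, 0x1F01FF, "S-1-5-32-544"),
        build_ace(0x00, 0x0A, 0x1200A9, "S-1-1-0"),
    ])


if __name__ == "__main__":
    for entry in parse_acl(sample_acl()):
        print(entry)
```

Reading the flags the way the Details mode shows them: CI and OI say whether the entry propagates to subdirectories and files, IO means the entry does not apply to the object itself, and NP stops propagation after one level. Unknown SIDs stay in S-1-... form, which is what you will see for accounts from a domain the examination machine is not a member of.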
128. e to additionally verify that all unused areas in a skeleton image are still unallocated, or at least filled with binary zeroes. This is not done by this function. Options: A skeleton image should be created as an NTFS sparse file unless you intend to copy more than half of the sectors (perhaps just a very rough rule of thumb). If you don't have X-Ways Forensics set the nominal logical image file size to the full size of the source disk, then when interpreting the skeleton image and reading from it, a smaller capacity will be reported and you may get sector read errors. Still worth thinking about, for example if you wish to capture merely the first 1 MB of a 1 TB hard disk: it saves a lot of time if you wish to convert the skeleton image to an .e01 evidence file or want to hash it in its entirety. Skipping already zeroed-out source sectors (sectors of the source disk that only contain binary zeroes) will treat such sectors exactly like sectors that were not acquired. This makes the resulting skeleton image smaller (more sparse), but it prevents you from showing, with just the skeleton image, that these sectors only contained zeroes on the source disk; they are indistinguishable from sectors that were not acquired. "Include directory data structures of the file system" has an effect when you apply the Add to command of the directory browser context menu to selected directories. If this option is active, you will also copy the data structures of the
129. e to check the Again option. For the status of the Type column of the directory browser, see the Type status column. Most self-extracting .exe archives are internally detected by the file signature check too. They are classified as the file type "sfx" and assigned to the category Archives, so that they can be specifically targeted. This prevents compressed files in such archives from going totally unnoticed in an investigation. .exe archives with Zip compression can be viewed in Preview mode; other self-extracting archives need to be copied off the image and opened with an appropriate tool like WinRAR or 7-Zip. The file signature check also reveals hybrid MS Office files, i.e. merged MS Word and MS Excel documents that can be opened in both applications showing different contents. A notice in the Messages window will be displayed and any detected files will be associated with a special report table. Hybrid MS Office files are a clever attempt to conceal the contents of one of the merged documents. 4.3.3 Extraction of Internal Metadata (requires a forensic license). a) Can check the file format consistency of EXE, ZIP, RAR, JPEG, GIF, PNG, RIFF, BMP and PDF files. The Type Status column will show the result, either "OK" or "corrupt". b) Allows to extract internally stored creation times from OLE2 compound files (e.g. pre-2007 MS Office documents), EDB, PDF, MS Office, HTML, EML, MDI, ASF/WMV/WMA, MOV, JPEG, THM, TIFF, PNG
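The file signature check described here, and the nested concealment chain described under Refine Volume Snapshot (item 124 above), as an added example in Python (not code from the manual or from X-Ways Forensics): the type is determined from leading bytes regardless of the extension, and the walk descends into Zip archives however they were named. The signature table is a small hand-made subset, not the contents of File Type Signatures.txt; the sample attachment is constructed in memory and `classify` and `detect_type` are hypothetical names.

```python
# Added example: extension-independent type detection that descends into
# archives, applied to a constructed chain (JPEG-like blob -> Zip renamed
# .dll -> Zip renamed .dll). Signature subset is hand-made; not X-Ways code.
import io
import zipfile

# (magic bytes at offset 0, type name, category) -- constructed subset
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg", "Pictures"),
    (b"\x89PNG\r\n\x1a\n", "png", "Pictures"),
    (b"PK\x03\x04", "zip", "Archives"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", "Documents"),
    (b"MZ", "exe", "Executables"),
]


def detect_type(data: bytes):
    """Return (type, category) from the leading bytes, or ('?', 'Unknown')."""
    for magic, name, category in SIGNATURES:
        if data.startswith(magic):
            return name, category
    return "?", "Unknown"


def classify(name: str, data: bytes, path: str = "", depth: int = 0, max_depth: int = 8):
    """Walk a file and its child objects. Each result is
    (path, claimed extension, detected type, status): 'newly identified' when
    extension and signature disagree, 'confirmed' when they agree,
    'not in list' when no signature matched. Nesting is bounded by max_depth
    so a zip bomb of self-containing archives cannot recurse forever."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    typ, _category = detect_type(data)
    status = ("not in list" if typ == "?" else
              "confirmed" if typ == ext else "newly identified")
    full = path + "/" + name if path else name
    results = [(full, ext, typ, status)]
    # descend into archives no matter what the file was called
    if typ == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                results += classify(info.filename, zf.read(info), full, depth + 1, max_depth)
    return results


def make_zip(entries) -> bytes:
    """Build a Zip archive in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def concealed_sample() -> bytes:
    """Constructed attachment: a JPEG-like blob renamed .dll, inside a Zip
    renamed .dll, inside another Zip renamed .dll."""
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 60  # JFIF header bytes only
    inner = make_zip([("picture.dll", fake_jpeg)])
    return make_zip([("inner.dll", inner)])


if __name__ == "__main__":
    for row in classify("attachment.dll", concealed_sample()):
        print(row)
```

The detection here deliberately looks at the first bytes only; X-Ways' format consistency check (item a above) goes further by validating the structure, which is what catches a file that carries a correct signature but is otherwise corrupt or truncated.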
130. e with no further problems, getting all partitions and files listed immediately as if nothing was wrong. This functionality is intended for advanced users who do not give up easily when at first they see nothing, and who have some understanding of low-level data structures and know how to fix them. You can enable and disable superimposition for the disk or partition in the active data window using the Edit | Superimpose Sectors menu command. This command allows you to select any file with the raw contents of disk sectors. For example, you can create such a file by selecting one or more sectors as a block, copying the block into a new file, making the necessary adjustments (possible even in X-Ways Forensics, because ordinary files, unlike disks or interpreted images, can be edited), and saving that file. When applied, the contents of this file are superimposed on the sectors starting with the sector in which the cursor is located, or, if the file is named "n superimposition" where n is a number, it will be applied to the sectors starting with sector n, and all other files in the same directory matching the same mask with the same base name will also be applied to sector numbers as indicated within the filename. You will immediately see the superimposed data when navigating to the affected sectors, and can continue making adjustments to the imposed raw data file if you keep it open in a separate window. As soon as you have saved changes in that window, th
131. ead. If recursive selection statistics are enabled (with a forensic license), the size of a directory is the total size of all the files directly or indirectly contained in that directory; otherwise, the size of the data structures of the directory. Filter available. Created: The date and time the file or directory was created on the volume it resides on. Not available on Linux file systems. Modified: The date and time the file or directory was last modified. On FAT, time precision is 2-second intervals only. On CDFS, the only available date and time stamp is listed in this column, although it does not necessarily indicate last modification. Filter available. Accessed: The date and time the file or directory was last read or otherwise accessed. On FAT only the date is recorded. Filter available. Record update: The date and time the file's or directory's FILE record (on NTFS) or inode (on Linux file systems) was last modified. These are file system data structures that contain the file's metadata. Filter available. Deletion: The date and time the file or directory was deleted. Available generally on Linux file systems, and possibly on NTFS after a particularly thorough file system data structure search and viewing/previewing the $UsnJrnl:$J file on the volume, if there is any. Not to be confused with so-called deletion timestamps that other forensic tools may show you on NTFS volumes for files that have not even been deleted from the file system. Filter avai
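The raw fields behind these columns, decoded as an added example in Python (not code from the manual or from X-Ways Forensics), showing the two limits the text states for FAT (2-second precision for the write time, date only for last access) next to the NTFS FILETIME encoding that the Data Interpreter (item 125 above) translates when you hover over a value. The sample directory entry and the helper names are constructed for the example.

```python
# Added example: decode FAT directory-entry timestamps and NTFS FILETIME
# values. Not X-Ways code; helper names are hypothetical.
import datetime
import struct

UTC = datetime.timezone.utc
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=UTC)


def fat_date(word: int) -> datetime.date:
    """16-bit FAT date: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    return datetime.date(1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)


def fat_time(word: int) -> datetime.time:
    """16-bit FAT time: bits 15-11 hour, 10-5 minute, 4-0 seconds / 2."""
    return datetime.time(word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2)


def fat_datetime(date_word: int, time_word: int) -> datetime.datetime:
    return datetime.datetime.combine(fat_date(date_word), fat_time(time_word))


def datetime_to_fat(dt: datetime.datetime):
    """Encode as (date_word, time_word); an odd second is rounded down."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def decode_fat_dir_times(entry: bytes):
    """Modified and accessed stamps of a 32-byte FAT directory entry:
    write time/date at offsets 22..25, last-access date at 18..19."""
    access_date, = struct.unpack_from("<H", entry, 18)
    wtime, wdate = struct.unpack_from("<HH", entry, 22)
    return {"modified": fat_datetime(wdate, wtime), "accessed": fat_date(access_date)}


def filetime_to_datetime(ft: int) -> datetime.datetime:
    """NTFS FILETIME: 100-ns ticks since 1601-01-01 UTC. Python datetimes
    hold microseconds, so the last decimal digit of the tick count is lost."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime.datetime) -> int:
    delta = dt.astimezone(UTC) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def demo():
    """Constructed values: one wall-clock instant written to FAT and NTFS."""
    when = datetime.datetime(2023, 5, 4, 13, 37, 59, tzinfo=UTC)
    date_word, time_word = datetime_to_fat(when)
    entry = bytearray(32)
    struct.pack_into("<H", entry, 18, date_word)            # last-access date only
    struct.pack_into("<HH", entry, 22, time_word, date_word)  # write time, write date
    return {
        "fat_words": (date_word, time_word),
        "fat": decode_fat_dir_times(bytes(entry)),   # 13:37:58, date only for access
        "ntfs": filetime_to_datetime(datetime_to_filetime(when)),  # 13:37:59 exactly
    }


if __name__ == "__main__":
    print(demo())
```

The one-second discrepancy between the FAT and NTFS modified values for the same instant is normal and should not be read as evidence of tampering when comparing a file on a FAT-formatted USB stick with its copy on an NTFS volume.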
132. eams (LUS) in NTFS in newly taken volume snapshots is optional. Either all LUS can be included (if fully checked), or only non-EFS LUS (if half checked), or no LUS at all. Useful for NTFS volumes written by Windows Vista if you are not interested in TXF_DATA LUS. • Optionally avoid that previous versions of files in volume shadow copies are added to the volume snapshot if they are exact duplicates (identical file contents), so that it is much easier to focus on files for which previous data is actually still available. Even if modification dates are different, the file contents are often the same for files installed by the operating system. If fully selected, X-Ways Forensics will compare files up to 128 MB; if half selected, only up to 16 MB, so as not to waste too much time on this feature. • If you get read errors on a CD/DVD (e.g. because of scratches on the surface) when the volume snapshot is taken, you know that not all sectors with the data structures of the file system are readable. Listing the ISO 9660 file system's directory tree on CDs, in addition to a possibly also existing Joliet file system, can be useful because that means a second chance to get all directories and files listed, if the corresponding data structures of the same directories are located in readable sectors in the ISO 9660 area. • For better results when matching hash values against special hash sets, only the invariable header of loaded modules can be listed in main memory analy
133. eating a new program instance. By default this option is half selected. That means you will be given a choice when executing the .exe file again whether to start a new instance or not. At that time you may also try to recover a previous instance if it is caught in an infinite loop. "Do not update file time" means that WinHex will preserve the last modification time when a modified file is saved with File | Save or Save As. By default, edit windows are not opened in a maximized state. On a right-click, WinHex can bring up a special context menu, the regular Edit menu, or define the end of the current block. If this option is disabled, you can still bring up the context menu if you hold the Shift key while right-clicking. If you select "Show file icons", the icons stored in a file are shown in the info pane. If a file contains no icons, the icon of the file type is shown if this option is fully selected. "Save program settings in .cfg file": If half checked, the settings are saved whenever the program terminates cleanly. If fully checked, then every time you click OK in any dialog window (could be useful if the program does not terminate cleanly, to avoid losing your later settings). If totally unchecked, the program settings will not be saved at all, except if you hold the Shift key when exiting the program, which is necessary once if you would like to save in the .cfg file the setting that from then on the settings should not be saved aga
134. eceded by 0x. You may declare arrays of variables by placing the array size in square brackets next to the type or the title. Specify "unlimited" as the array size to make the template stop only when the end of file is encountered. The following two lines declare a dynamically sized ASCII string whose length depends on the preceding variable: uint8 len / char[len] "A string". The same could be achieved by the following two declarations: byte len / string[len] "A string". A placeholder character can be used in the title for later replacement with the actual array element number (see below). This does not apply to arrays of char variables, since they are automatically translated into a string. Numerical parameters of string, string16 and hex variables, as well as array size expressions, may be specified in mathematical notation. They will be processed by the integrated formula parser. Such expressions need to be enclosed in brackets. They must not contain space characters. They may make use of previously declared integer variables, whose names must not contain space characters either. Supported operations are addition, subtraction, multiplication, integer division, modular division, bitwise AND, bitwise OR and bitwise XOR. Valid mathematical expressions are, for example, 5 2 1 or len1 len2 4. The result is always an integer and must be a positive number. zstring and zstring16 are null-terminated strings whose size
135. ecord size, except if you hold the Ctrl key. Show: The Case Data window is part of the forensic user interface of WinHex/X-Ways Forensics and is required for working with a case; when hiding the window, the case is closed. The directory browser is available for logical drives/partitions opened with the disk editor. The Data Interpreter is a small window that provides translation services for the data at the current cursor position. The toolbar is displayed optionally, too. A tab control makes each edit window accessible with a single mouse click only. The info pane provides in-depth information on any open object (file, disk, RAM). Template Manager. Tables: Provides four conversion tables (cf. ANSI ASCII, IBM ASCII, Lines & Columns). Synchronize Scrolling: Synchronizes up to four tiled windows on identical absolute offsets. Hold the Shift key when enabling this feature to tile the windows horizontally instead of vertically. Synchronize & Compare: Synchronizes up to four windows and visually displays byte value differences. If no more than two windows are involved, WinHex maintains the initial distance between the offsets of the first shown byte in these windows when scrolling. Not synchronizing on absolute offsets is useful, for example, when comparing two copies of the file allocation table, which are obviously at different offsets. You may jump to the next or to the previous byte value difference by clicking the extra arrow buttons that
136. ed, and with a forensic license also main memory dumps. Also VMware's Virtual Machine Disk images (VMDK) and dynamic Virtual PC (VHD) images can be interpreted. Only allocated areas in such images can be edited. With a forensic license, WinHex can also interpret .e01 evidence files, which can be created with the Create Disk Image command. The Technical Details Report also checks for certain read inconsistencies that can occur with flash media (for example USB sticks of certain brands/models, but not others) in data areas that have never been written/used, where the data is undefined. The data that is read in such areas (for example when imaging the media) may depend on the amount of data that is read at a time with a single internal read command. The result is mentioned in the report. If inconsistencies are detected ("Inconsistent read results" in the report), you will see a message box which offers to read sectors in smaller chunks from that device as long as it is open, which likely yields the expected zero-value bytes instead of some random-looking non-zero pattern data when reading such areas. Use of this option does not give you data that is somehow more accurate or original (undefined is undefined and does not mean zeroed out), or that contains more or less evidence; it can just have a big impact on the compression ratio achieved and on the reproducibility of hash values with other tools, which may use different chunk sizes for reading and thus produce diff
137. ed as in use. The option "Ext2/Ext3 block logic" causes this recovery method to deviate from the standard assumption of no fragmentation, in that it will follow the typical Ext block pattern, where e.g. the 13th block from the header of the file is considered an indirect block that references the following data blocks. This option has no effect when applied to partitions that WinHex knows have a file system other than Ext2 and Ext3, or when a header is found that is not block-aligned. The effects of NTFS compression on file data can optionally be compensated for in a file header signature search (forensic license only), in many cases successfully. If the signature of an NTFS-compressed file is found, the file will be marked as compressed and an attempt will be made to decompress the file on the fly when needed, with a sophisticated algorithm that can even decompress files that consist of multiple compression units. 7.3 File Type Definitions. "File Type Signatures.txt" files are tab-delimited text files that serve as a file type definition database for refining volume snapshots and for the File Recovery by Type command. WinHex comes with various preset file type signatures. You may fully customize the file type definitions and add your own ones, either in "File Type Signatures Search.txt" or in any additional such files of the same format named "File Type Signatures.txt", which will be loaded as well and may have the benefit that th
138. ed file systems, symbolic links are connected to their targets in the volume snapshot as so-called related files, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also, one of potentially several symlinks pointing to a certain target will become the related file of the target, so that you can conveniently navigate to the symlink, or quickly see in the first place that one or more symlinks exist that point to a certain target, since any file that has a related file in the volume snapshot is marked with a tiny blue arrow next to its icon. Also, the same arrow will tell you whether the target of a symlink can actually be found in the file system. If a symlink links to other symlinks, those are not recursively linked. If resolving symlinks takes too long because there are many symlinks in a volume, you may safely abort that step at any time. 2. When taking a snapshot of volumes with Windows installations, certain reparse points (a.k.a. junction points) are connected to their targets in the volume snapshot, just like symlinks in Unix-based file systems, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also, there will be a back reference to one reparse point, so that you can conveniently navigate to that reparse point, or quickly see in the first place that one or more reparse points exist that link to a certain directory, since any directory that has a related directory in the volume snapshot is marke
139. emplate window. Ctrl+F9 opens the Access button menu (disk edit windows only). • Ability to specify how cooperative X-Ways Forensics behaves during long operations (e.g. hashing, searching) when competing with other processes for CPU time, by pressing Shift+Ctrl+F5. 0 is the default setting (not specially cooperative). You could try values like 10, 25, 50 or 100 (maximum willingness to share CPU time), e.g. if X-Ways Forensics is executed simultaneously by different users on the same server, for a fairer distribution of CPU time. WinHex accepts filenames specified in the command line and is drag-and-drop capable. Use scripts to make your work with WinHex more efficient. You can specify the name of a script as a command line parameter. Invalid input: When clicking OK in a dialog box and getting the "Invalid input" error, pay attention to which control item in the dialog box is blinking, as the value in that item is the one that is not accepted. Switch from hexadecimal to decimal offset presentation by clicking the offset numbers. Try clicking the status bar cells (left and right mouse button). Appendix A: Template Definition. 1. Header. The header of a template definition has the following format:
template "title"
description "description"
applies_to file | disk | RAM
fixed_start offset
sector-aligned
requires offset "hex values"
big-endian
hexadecimal | octal
read-only
multiple (fixed overall size)
Put any g
140. en they are newly added to the volume snapshot, e.g. when you extract e-mail and attachments from a tagged e-mail archive. Whether tagging and excluding works recursively or not can also be controlled by holding the Shift key. Tagging or untagging recursively can be slow in large volume snapshots.
- Optionally, the names of directories and files with child objects can be included when sorting by path (full path sorting). The effect is that the child objects will be listed directly after their respective parents, e.g. e-mail attachments after their containing parent e-mail messages.
- Optionally, after start-up the directory browser can be not sorted at all, for performance reasons. That means the program will forget the last sort criteria in use last time. If selected, there will now also be no sorting when turning off all filters with a single mouse click, to avoid longer delays when suddenly all files are listed again recursively.
- Filter and sort settings and a few directory browser options can be optionally stored in cases and reactivated when loading cases, if stored by a compatible version.
- Dynamic e-mail columns lets X-Ways Forensics decide whether to include the columns Sender and Recipient in the directory browser. They will be included if at least one extracted e-mail message is in the visible portion of the directory browser, otherwise not. Helpful because that leaves more room for other columns when the columns exclusively filled for e
141. eneral comments to the template here
begin
   variable declarations
end
Tags in brackets are optional. The order of the tags is irrelevant. Expressions must only be enclosed in inverted commas if they contain space characters. Comments may appear anywhere in a template definition. Characters following a double slash (//) are ignored by the parser. The keyword applies_to must be followed by one and only one of the words file, disk or RAM. WinHex issues a warning if you are going to use a template on data from a different source. While by default templates start interpreting the data at the current cursor position when applied, an optional fixed_start statement ensures interpretation always starts at the specified absolute offset within the file or disk. If the template applies to a disk, the keyword sector-aligned ensures the template interpretation starts at the beginning of the current sector, regardless of the exact cursor position. Similar to the applies_to statement, the requires statement enables WinHex to prevent an erroneous application of a template definition to data that does not match. Specify an offset and a hex value chain of an arbitrary length that identifies the data for which the template definition was intended. For example, a valid master boot record can be recognized by the hex values 55 AA at offset 0x1FE, an executable file by the hex values 4D 5A ("MZ") at offset 0x0. There may be multiple applies_to statements in
142. ently selected files or directories in separate data windows. Unlike File | Open, where files can be opened just like in any other application with the help of the operating system, this is a forensically sound operation in that it does not update any timestamps etc., because the operating system is circumvented and the logic to read the file's contents from the correct disk sectors is implemented in WinHex itself for various file systems. No changes can be made to files that were opened in this fashion, however. In the case of a directory, the directory's data structures will be opened.
Print: If the separate viewer component is active, you may select files for printing. Allows to print multiple selected documents without interruption (the need to click somewhere after each document), optionally along with child objects, e.g. e-mail attachments together with their respective e-mail message. The optional cover page contains the date and time when the print job was started and selected meta information (e.g. filename, path, evidence object title, file size, description, timestamps, comments). The cover page is printed by X-Ways Forensics itself; the following pages with the actual document are printed by the viewer component. Another option is to have X-Ways Forensics print the filename and path on the first page. This option is not bound by the same path length limitations as the header optionally printed by the viewer component. To avoid that the path
143. environment.
- Professional licenses allow usage of the software in any environment: at home, in a company, in an organization or in public administration. Professional licenses provide the ability to execute scripts and to use the WinHex API.
- Specialist licenses in addition to this allow to use the Specialist Tools menu section, to fully interpret exFAT, Ext2, Ext3, Ext4, Next3, CDFS/ISO9660 and UDF media, and enable support for RAID reconstruction, Windows dynamic disks, Linux LVM2 and reverse disk cloning/imaging. Particularly useful for IT security specialists.
- Forensic licenses, i.e. licenses for X-Ways Forensics, in addition to the above allow to use the powerful case managing and report generating capabilities, the internal viewer and the separate viewer component, the gallery view, all advanced features of refined volume snapshots, all columns and filters in the directory browser, comments and report tables, plus ReiserFS, Reiser4, HFS, HFS+, UFS and XFS support. Furthermore, they allow to read and write evidence files (.e01) and much more. Particularly useful for computer forensic examiners.
The forensic edition of WinHex is called X-Ways Forensics. When purchasing a license for X-Ways Forensics, you will receive a USB dongle that will unlock the software. A more complete license comparison can be found online at http://www.x-ways.net/winhex/comparison.html. Please see http://www.x-ways.net/order.html on how to order your license.
144. eparate directories based on selected directory browser columns is supported (description, file type, file type description, file type category, sender, owner, hash set, hash category, report table associations). If both an attachment and the corresponding e-mail message (its parent) are selected for copying and not excluded by filters, the attachment can optionally be embedded in the resulting output .eml file as Base64 code instead of copied separately. That facilitates viewing the complete e-mail including attachments. To view .eml files you can use Outlook Express, Windows Mail, Windows Live Mail or Thunderbird (all free of charge). If certain attachments cannot be embedded, you will be informed via the Messages window, and in such a case they will be copied separately, as if the embedding option was not selected. NTFS alternative data streams (ADS) can optionally be output as ADS. By default they are recreated as ordinary files to make them more easily accessible. When using the Recover/Copy command in search hit lists, directories that contain hits are recreated in the output folder as files, as the user likely wishes to retain the original data that contain the actual search hit. Child objects are never copied along with their parent objects from within a search hit list.
Export List: Requires a specialist license. Exports data about the selected items in the directory browser to a tab-delimited text file or to an HTML file, which can
145. eport can consist of the following elements:
- Basic report: Starts with an optional header line, an optional logo, an optional preface (in which you may use HTML code), the case title and details, followed by a list of hyperlinks to the individual evidence object sections. For each evidence object, the report specifies its title, details and technical description, your comments and your annotations.
- Report tables: All files in selected report tables can be output to the report with selected metadata such as filename, path, timestamps and comments. Files can be optionally copied off the evidence objects into a subdirectory of where the report is saved. Then they will also be linked from the report. Either all files can be copied or merely pictures. By default, pictures will be displayed directly in the HTML report file and not merely linked. They are resized to the maximum dimensions you specify while retaining their aspect ratio. If you specify maximum dimensions of 0x0, then the pictures will only be linked, just as other files. If you choose to reference multiple files in the same line to render the report more compact when printing, you will appreciate that long filenames and paths can be artificially broken into multiple lines after a user-defined number of pixels, to make sure the width does not exceed the paper size. There is an option to only make a copy of tagged files for inclusion in a case report, instead of all or none. Useful if you w
146. eport table column, but creates new report table associations in a convenient and user-configurable way and/or removes existing associations. The program remembers the report tables selected last for creating associations. In the same dialog window you can also create new report tables, rename or delete existing ones, and remove/override previous associations. For each report table you can specify whether you would typically like to associate only the selected file or directory to that report table, and/or at the same time the selected file's parent file (if any), and/or the file's or directory's child objects, and/or any known duplicates of the selected file in the same evidence object (duplicates that have been identified based on hash values and marked accordingly in the Attr. column, as well as hard links, except in HFS). Another option allows to automatically associate siblings of selected files with report tables. Useful for example when reviewing search hits, if you find a relevant search hit in the attachment of an e-mail message and want to be sure to include other attachments of the same e-mail message in further processing, even if they do not contain search hits. If you need to categorize a lot of files with the help of report tables, you can also use keyboard shortcuts. X-Ways Forensics automatically assigns the shortcuts Ctrl+1, Ctrl+2, ..., Ctrl+9 to your report tables. In the dialog window for report table associations you can also assign th
147. er X-Ways Software Technology AG is a stock corporation incorporated under the laws of the Federal Republic of Germany. WinHex was first released in 1995. This manual was compiled from the online help of WinHex/X-Ways Forensics v17.5, released January 2014. It is available in English and German. Supported platforms: Windows XP, Windows 2003 Server, Windows Vista/2008 Server, Windows 7, Windows 8, Windows 2012 Server, 32-bit and 64-bit. We would like to thank the state law enforcement agency of Rhineland-Palatinate for extraordinarily numerous and essential suggestions on the development of X-Ways Forensics and X-Ways Investigator. Professional users around the world include (this list is from 10 years ago): U.S. and German federal law enforcement agencies, ministries such as the Australian Department of Defence, U.S. national institutes (e.g. the Oak Ridge National Laboratory in Tennessee), the Technical University of Vienna, the Technical University of Munich (Institute of Computer Science), the German Aerospace Center, the German federal bureau of aviation accident investigation, Microsoft Corp., Hewlett-Packard, Toshiba Europe, Siemens AG, Siemens Business Services, Siemens VDO AG, Infineon Technologies Flash GmbH & Co. KG, Ontrack Data International Inc., Deloitte & Touche, KPMG Forensic, Ernst & Young, Ericsson, National Semiconductor, Lockheed Martin, BAE Systems, TDK Corporation, Seoul Mobile Telecom, Visa International, DePfa
148. er to play that video, then any active filters will be turned off so that the video can actually be listed. A simple click on the Back button returns to the previous overview of stills, enables the previous filters again and restores the last selected item, so that you can easily continue with the next still. This works analogously when systematically looking at e-mail attachments, if occasionally for relevant attachments you would like to view the containing e-mail message and e.g. print it or include it in a report, and then return to the list of attachments.
8.3 Volume Snapshot Options
These options can be reached via the Directory Browser Options. Most of them take effect when taking a new volume snapshot.
- With the option "Keep volume snapshots between sessions" enabled, all information on file systems in opened volumes collected by WinHex (Disk Tools menu and/or Specialist menu) remains in the folder for temporary files even when WinHex terminates. WinHex can then reuse the snapshots in later sessions. Volume snapshots of evidence objects in a case are always kept regardless of this setting, in that evidence object's metadata subdirectory.
- "Quick snapshots without cluster allocation" speeds up taking a volume snapshot, in particular for the file systems Ext2, Ext3 and ReiserFS, and in particular also when the volume snapshot files are created across a slow USB 1.1 interface or network; however, it causes WinHex to lose its ability to
149. erent data and hash values. Note that it is possible that read inconsistencies occur that are not detected by X-Ways Forensics, because a complete check would be very slow. Again, these inconsistencies are not fatal and not the fault of the software, and they can be explained. Note that the Technical Details Report is routinely created already when you start disk imaging with the File | Create Disk Image command, so you do not need to invoke the report yourself prior to imaging.
Reconstruct RAID System: See below.
Gather Free Space: Traverses the currently open logical drive and gathers all unused clusters in a destination file you specify. Useful to examine data fragments from previously existing files that have not been deleted securely. Does not alter the source drive in any way. The destination file must reside on another drive.
Gather Slack Space: Collects slack space (the unused bytes in the respective last clusters of all cluster chains, beyond the actual end of a file) in a destination file. Otherwise similar to Gather Free Space. WinHex cannot access slack space of files that are compressed or encrypted at the file system level.
Gather Inter-Partition Space: Captures all space on a physical hard disk that does not belong to any partition in a destination file, for quick inspection to find out if something is hidden there or left from a prior partitioning.
Gather Text: Recognizes text according to the parameters you specify and captures all
150. ese shortcuts to report tables yourself by simply pressing the keys while a report table is selected. Ctrl+0 removes all report table associations from a file. Alternatively, you may simply press the keys in the numeric pad on your keyboard, if Num Lock is active, without Ctrl. This will not be considered normal input in the directory browser, although the Ctrl key is not pressed. The numpad keys may not work on all computers. There is an option to create report table associations for files based on the search terms that they contain, according to the Search terms column. Useful if you wish to keep the information about which file contains which search terms even after deleting search hits, or to preserve it in evidence file containers. Report tables representing contained search terms are the 3rd kind of report tables, the first two being report tables created by X-Ways Forensics to make the user aware of certain file specialities and user-created general-purpose report tables. Report tables representing search terms are recognized as such in evidence file containers by v17.3 and later. It is possible to save and load lists of report table names in the report table association dialog window. This is useful to start right away with a set of predefined report tables as typically needed for a certain kind of case. The maximum number of report tables in a case is 256. Report table associations can be exported and imported (see Case Management). In order to outp
151. etadata from these XML files and can recognize nested documents (documents embedded in other documents) themselves if necessary. Zip subtypes that are usually irrelevant, such as .jar, .apk and .ipa, are explored only optionally. Note that for Zip archives with non-ASCII characters in filenames to be processed correctly, you need to pick the correct code page in the case properties first. E.g. for Zip archives created under Linux that's likely UTF-8. For Zip archives created under Windows with WinZip that's likely a regional code page. Note also that split/spanned/segmented archives are not supported.
4.3.5 E-mail Extraction
A forensic license allows to separately list and examine e-mail messages and e-mail attachments stored in the following e-mail archive file formats: Outlook Personal Storage (.pst), Offline Storage (.ost), Exchange (.edb; Exchange 2007 and earlier supported), Outlook Message (.msg), Outlook Template (.oft), Outlook Express (.dbx), Kerio Connect store.fdb files (that can be processed like PST/OST files), AOL PFC files, Mozilla mailbox (including Netscape and Thunderbird), generic mailbox (.mbox, Unix mail format), MHT Web Archive (.mht). By default, X-Ways Forensics tries to extract from files matched by this filter expression: pst, ost, edb, dbx, pfc, mbox, eml, emlx, mht, olk14MsgSource, msg, oft, mbs, store.fdb. E-mail messages are usually output as .eml files. To conveniently focus on all extracted e-mail
152. even when examining a live system, can assume are located on the examiner's own media. They are 1) the drive letter that hosts the active case, if one is active, 2) the drive letter with the directory for temporary files, 3) the drive letter from which X-Ways Forensics was run, and 4) the drive letter that contains the directory for image files. The key that is required for encryption and decryption can be entered in a normal edit box. Optionally, you enter it blindly (asterisks are displayed instead of the actual characters). In this case you have to confirm the key in a second edit box to detect typos. By default, the key is kept in main memory in an encrypted state as long as WinHex is running, so that you do not have to type it again and again if you use it several times. Possibly you prefer WinHex to erase the key after use. Decide whether or not WinHex shall prompt before executing a script, or only before executing a script via the command line. Optionally, files on the logical drive letters A: through Z: can be opened from within the directory browser with the help of the operating system instead of with the built-in logic at the sector level. Please note that this is forensically sound only for write-protected media. On writeable media, Microsoft Windows will at least update (i.e. alter, falsify) the last access timestamp of files you open. The benefit, however, is that access to such files will be noticeably faster in many situatio
153. ey will not be overwritten when you install the next update if they don't have the same name as one of the default files. Only if the filename contains the word "search" will the file types be available for file header signature searches. Otherwise they are used for file type verification only, of files that are already part of the volume snapshot (forensic license only). Up to 4096 entries are supported altogether, 1024 for searching. When you click the Customize button to edit the file "File Type Signatures Search.txt" (by default), WinHex opens the file in MS Excel. This is convenient because the file consists of columns separated by tabs. If you edit the file with a text editor, be sure to retain these tabs, as WinHex relies on their presence to properly interpret the file type definitions. MS Excel retains them automatically. After editing the file type definitions, you need to exit the dialog window and invoke the File Recovery by Type or Refine Volume Snapshot menu command again to see the changes in the file type list.
1st column, File Type: A human-readable designation of the file type, e.g. JPEG. Everything beyond the first 19 characters is ignored.
2nd column, Extensions: One or more file type extensions typically used for this file type, e.g. jpg, jpeg, jpe. Specify the most common extension first, because that one will be used by default for naming recovered files. If that first extension is specified in upper case characters, it wil
154. ey will take effect in the data window that represents the disk or partition whose data you are trying to fix when you refresh the view, take a new volume snapshot, define the start of a partition, try again to open a file with a corrupt FILE record, etc. etc. Please note that only complete sectors, not partial sectors, can be superimposed. Superimposition can be active only for one disk or disk partition or image at a time. If desired, you can make a copy (image or cloned disk) of the virtually repaired disk or image with the usual commands while the superimposition is in effect, so that the copy will have the superimposed sectors directly embedded.
9.5 Wiping and Initializing
To securely erase (shred) data in disk sectors, unused disk areas (Disk Tools menu) or files (selected with the Wipe Securely command), and also simply to fill files with certain byte values, WinHex offers the following options:
With constant byte values, specified in hexadecimal notation: Specify either 1, 2, 3, 4, 5, 6, 12, 15 or 16 two-character hex values, which will be copied repeatedly into the current block, the entire file or all disk sectors, respectively. Very fast.
With simple pseudo-random byte values: Specify a decimal interval (0 to 255 at max) for random numbers, which will be copied repeatedly into the current block, the entire file or all disk sectors, respectively. The random bytes are Laplace distributed. Fast.
With pseudo-random data that simulates en
155. f different evidence objects of the same case using multiple machines on the same network simultaneously, to save time. Each user/computer opens the same .xfc case file (the same copy on the same computer). All participating users/computers, or all except for one (the master session), have to open the case as partially read-only, i.e. only allowing for shared analysis work (distributed volume snapshot refinement). This can be done by checking the Options box in the Open Case dialog window, or you will be prompted automatically when opening the case if the case is already open in another session as not read-only, i.e. in the master session. You have the option to specifically open individual evidence objects (not the entire case) with the volume snapshot treated as read-only, using a dedicated command in the evidence object context menu in the Case Data window. Please note that this has nothing to do with how the evidence object itself (the disk or the image) is treated. X-Ways Forensics never alters data in sectors of disks or interpreted images/files when opening them as evidence objects. Only the volume snapshot, i.e. the database with information about all the files and directories found, is either read-only or (and that is the normal state) changeable.
3.3 Evidence Objects
You may add any currently attached computer medium such as hard disk, memory card, USB stick, CD-ROM, DVD, any image file, directory or ordinary single file
156. f the destination is not the same physical medium as the source. Offers a chance to accelerate the cloning process by up to 30%. Specialist license or higher. In conjunction with simultaneous I/O, you may also have WinHex copy the sectors of a disk in reverse direction, backwards from the end of the source disk. Useful if the source disk has severe physical defects that, for example, cause a disk imaging program or your entire computer to freeze or crash when reaching a certain sector. In such a case you can additionally create an image in reverse order by reading sectors from the disk backwards, one by one, or better, you can even automatically complete an existing incomplete, unsegmented, conventional forward raw image from the rear end, to get an image that is as complete as possible, filled from both ends, with ideally only a small zeroed gap in the middle that represents the unreadable/damaged spot on the source hard disk. For that you simply select an incomplete raw image file that you already have as the destination file, and you will be asked whether you wish to complete it instead of overwriting it. WinHex will do the rest, e.g. allocate the missing sectors in the image file (zeroed out) so that it has the complete size of the source disk, and then fill the file backwards as much as possible. Be sure to create reverse images on NTFS volumes, not FAT32. The source start sector to specify for reverse imaging is the same as for conventional forward images, i.e.
157. fault value has always been 3 before v17.2, but now it can be decreased to display more rows at the same time and see more data. For example, with the Courier font the display still looks fine with an extra gap of 1, but you see 15% more data, based on font size 10. Even negative values are possible. With -1 you may see 35% more data than before.
Search hit highlighting in File mode: Option to get all search hits in a file highlighted in File mode at the same time, either only when a search hit list is displayed (if half checked) or permanently once search hits have been loaded for an evidence object, i.e. even when working with the normal directory browser (if fully checked). Search hits are loaded after an evidence object has been opened, as soon as search hits are listed. This feature also applies to user search hits. Requires forensic license.
NTFS MFT auto coloring: Highlights the various elements in FILE records of the NTFS file system when the cursor is located within such a record, to facilitate navigation and understanding. Requires a specialist or forensic license. Also, automatic highlighting of aligned FILETIME values in Disk/Partition/Volume and File mode is available. Useful when manually inspecting files of various Microsoft formats, which may contain more timestamps than can be automatically extracted (try e.g. with index.dat, registry hives, .lnk shortcut files etc.). If the lower half of a data window has the focus and FILETIME values ar
158. figurable. If one of the RAID component disks is not available, you can reconstruct a RAID 5 system nonetheless, because one component is redundant. Simply select a dummy (substitute one of the other available components of the same RAID system) as the missing component and declare that component missing. RAID 5EE and RAID 6 can also be internally reconstructed if one component is missing.
9.12 Position Manager
The Position Manager maintains a list of file or disk offsets and corresponding descriptions (also called annotations). It is also used for search hits when not working with a case, but is much less powerful than a search hit list. Navigating from one entry to the next is easy if you press Ctrl+Left and Ctrl+Right. You may enter new positions and edit or delete existing entries. If a special offset in a file is important to you, you can add it to the Position Manager. This makes it a lot easier to find it again later, and you do not have to remember it. Descriptions may be up to 8192 characters in size. An appropriate description, for instance, could be "Data chunk begins here". Optionally, all positions maintained by the Position Manager can be highlighted in the editor window in a unique color you specify, and their descriptions displayed in yellow tooltip windows when the mouse cursor is moved over them. You may also add or edit positions with the context menu of an edit window or by clicking the middle mouse button in an edit window. C
159. filter, for example to see only pictures larger than 1 MB in a random order, or only files of a certain user. Pseudo-hashes are not guaranteed to be unique or even to remain the same when you close and re-open the evidence object.
In the internal hash database: the name of the hash set that the file's hash value (if available) belongs to. Note that this is only the name of a single hash set, even if the hash value is contained in multiple hash sets in the hash database. Filter available. Forensic license only.
The category of the hash set that the file's hash value (if available) belongs to: either irrelevant, notable or blank. Filter available. Forensic license only.
The name(s) of the report table(s) that the file or directory has been assigned to. Filter available. Forensic license only.
The free text comment that may have been assigned to the file or directory by the examiner. Filter available. Forensic license only.
Metadata: Metadata that can be extracted from files of various types with the context menu. Filter available. Forensic license only.
Additional columns for search hit lists: physical (absolute) offset, logical (relative) offset, a description of the nature of the search hit (code page/Unicode, whether in decoded text, whether in file slack), search hit with context preview. If the logical (relative) offset is printed in parentheses, that means the search hit was found in the decoded text and the offset is not an offset in
160. for the moment or finalize the image. The same skeleton image can be further completed at any later time by selecting it again with the Create Skeleton Image command, but then you choose not to overwrite but to update it. As you see, you have full control over what data will make it into the image. The methodology just assumes that you have some understanding of what data you want/need and, should that data not be stored in ordinary, easy-to-select files, where to find it and how to get it physically. The sectors can be targeted in any order. Multiple reads of the same sectors don't change anything in the skeleton image and have no negative effect, except that they may cause unnecessary duplicate lines in the optional log file that X-Ways Forensics can produce. Such a log file is created in the same directory as the skeleton image and will list all sector ranges that were copied, optionally along with the hash value of each sector range, which allows to manually verify the data in certain areas should there ever be doubt about it. If you use the Add to command to copy files to a skeleton image, the name of each such file will also be output in the log, followed by the sector ranges that correspond to it (more than one if the file is fragmented or if X-Ways Forensics simply chooses to copy sectors in multiple chunks). You may want to convert the resulting raw skeleton image into a compressed and/or encrypted .e01 evidence file and hash it, or compress it with Wi
161. future versions of X-Ways Forensics via the search hit context menu. You may distribute your XWF extension DLLs that you compile and/or your source code free of charge or even for a fee, under whatever license terms you see fit. For more information please see http://www.x-ways.net/forensics/x-tensions/api.html.
6.7 WinHex API
The WinHex API (application programming interface) allows to use the advanced capabilities of the WinHex Hex Editor programmatically from your own C, Delphi or Visual Basic programs. In particular, it provides a convenient and simple interface for random access to files and disks. Developing software that uses the WinHex API requires a valid professional or specialist WinHex license. Additionally, you need import declarations for your programming language of choice, the library file whxapi.dll and the API documentation. Please find those files and more detailed information online at http://www.x-ways.net/winhex/api. You may also distribute both any software that makes use of the WinHex API and WinHex itself. There are two ways how to distribute WinHex: 1) Distribute the unlicensed WinHex version. For the API to work, your customer has to purchase professional or specialist licenses according to the number of WinHex installations needed. Or 2) (Recommended) distribute a special API version of WinHex that is configured to only provide the API functionality and that is available at a reduced price. You
162. g to mark them as relevant or memorize a position in a sorted list, or to limit volume snapshot refinements to tagged files. Tagging is not to be confused with selecting.
Exclude/Include: You may exclude selected items or all tagged or all untagged items. If actually filtered out, excluded files are omitted from the directory browser, the gallery view and all commands that can be run from the directory browser context menu. If you are only allowed to examine the contents of certain directories, you could initially exclude all files in all other directories to ensure that. Refining the volume snapshot can be limited to files that are not excluded. Excluded items are actually filtered out only if the corresponding filter is enabled in the directory browser options. If not filtered out, they are listed in gray and can be included again with the directory browser context menu. If you wish to review files with identical contents only once, and if filenames, timestamps, deletion status and other file system level metadata are of secondary relevance, then you can use the command "Exclude Duplicates in directory browser based on hash" to exclude duplicate files from the currently listed part of a volume snapshot, based on hash values (if hash values were calculated). Only one out of two or more identical files will not be excluded. Do not apply this command more than once to the same files, or else all identical files might be excluded, dependin
g on the sort criteria. Special rules: When in doubt, this function chooses to keep existing (not deleted) files, and among deleted files it rather discards carved files and keeps files found via file system data structures. Optional special rules: Identical e-mail messages with different attachments (child objects) will be marked as duplicates, but not excluded. Identical attachments (child objects) will be marked as duplicates, but they will be excluded only indirectly, if they are part of identical e-mail messages and those are excluded, too. This facilitates the examination and also avoids a situation where the parent e-mail message of one e-mail/attachment family and the child object (attachment) of another family is excluded. If later you find a relevant file for which there were duplicates and you are interested in the duplicates, too (e.g. in their filenames, paths or timestamps), you could create a hash set of that file to conveniently and automatically identify all the duplicates, by matching the hash values of all files against that particular hash set and using the hash set filter.

In search hit lists you may 1) permanently delete selected search hits, 2) permanently delete duplicate search hits. Search hits are considered duplicates if they either have identical physical offsets or, if they don't have physical offsets, if their logical offsets and the corresponding internal file IDs are the same. When in doubt, X-Ways Forensics will keep
g with the same case at different times or at the same time, and keeps their results separate. Multi-user support is especially helpful for large cases. Cases opened with v17.5 and later cannot be opened with earlier versions. A maximum of 255 users (examiners) is supported per case. Examiners are recognized internally by their Windows user accounts. All related options can be found by clicking the button for "Extended multi-user coordination" in the case properties dialog window. Multiple users may open the same evidence objects in the same case simultaneously for examination. By "same case" we mean the same case file (not a copy), stored in a shared network location or on a terminal server. X-Ways Forensics is responsible for synchronizing report table associations, comments and additions of files to the volume snapshot, and for making users aware of access conflicts before they occur and preventing them in most situations. Report table associations and comments of different examiners can optionally be distinguished by showing the creating examiner's initials (default) or alternatively other abbreviations of their names or, if no abbreviation is specified, their complete usernames. Comments and report table associations are shared between all examiners. Examiners can choose whether or not they get to see report table associations of other users. The same file can be associated with the same report table only by 1 examiner. X-Ways Forensics remem
ges. Use this command to look for a sequence of letters (a-z, A-Z), digits (0-9) and/or punctuation marks. It is useful, for instance, if you intend to translate text passages hidden somewhere in a file with executable code. Set the sensitivity of the search by specifying how long a character sequence must be to be recognized. Click "Tolerate Unicode characters" in order to force the algorithm to accept zero bytes between two characters.

Continue Global Search: This command is used to continue a global search operation (i.e. a search operation applied to all opened files) in the next file.

Continue Search: Lets you continue a search operation in the current file at the current position.

5.6 Navigation Menu

Go To Offset: Moves the current position to the specified offset. Normally this is done relative to the beginning of the file (offset 0). You can also move the cursor relative to the current position (forward or backward) or from the end of the file backward. An offset can be specified in bytes (default), words (2 bytes), doublewords (4 bytes), records (if defined) or sectors. Press F11 to repeat the last position movement.

Go To Page/Sector: Browses to the specified page, sector or cluster. Sector and cluster numbers may optionally be entered in hexadecimal notation with the 0x prefix. Please note that the data area on FAT drives starts with cluster 2.

Go To FAT Entry/FILE Record: Jump to a certain entry in the file allocation
ginally recorded one will be associated with a special report table for convenient review. Running the hashing volume snapshot refinement step a second time never updates the hash values that were already computed for files in the volume snapshot.

4.3.2 File Type Verification

A forensic license allows you to verify file types based on signatures and various algorithms, i.e. detect filename/file type mismatches, in all files in the volume snapshot except those whose original first cluster is known to be no longer available. For example, if someone has concealed an incriminating JPEG picture by naming it invoice.xls (wrong filename extension), the recognized file type "jpg" is stated in the Type column of the directory browser. For more information see the description of the columns Type and Status. The file signatures and extensions used for mismatch detection are defined in the accompanying file type definition files, which you may fully customize. It is the same database that is also used for file header signature searches. Please note that the link between the current data in a free cluster and a deleted file that was previously stored in that cluster (and its filename) is weak, so that a discrepancy between filename extension and detected type can simply be the natural result of a reallocation of this cluster to a totally different file in the meantime. If you wish to repeat the file type verification, e.g. after editing the file type signature database, be sur
h expression and where you want to search. You can browse either keys or names or values or all of them. The search always starts at the topmost root of the first loaded hive and spans all opened hives. Continue Search finds the next match after at least one match has been found. The currently selected element is not relevant for where the search continues. The "search whole word only" option is not guaranteed to work for values. In the right-hand window, the pop-up menu also contains the command Copy, which lets you copy the value of the selected element to the clipboard. When clicking a value of a loaded hive in the Registry Viewer, if the data window with the drive/image from which the hive was loaded is in File mode, the cursor will automatically jump to the selected value in the registry file, and the value will automatically be selected as a block in that file. Useful, as that allows you to see the value in hexadecimal and text, and as that allows you to easily copy binary values either in binary or as text, not only as hex ASCII. The Export List command in the registry viewer context menu allows you to export all values in the selected hive to a tab-delimited text file. When selecting a value, an edit window in the lower right corner tells you the logical size of that value and the size of its slack. It also interprets registry values of the following types, as known from the registry report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order, menu, ViewView2
h files manually, as that ensures that each such file is listed only once. No assumption must be made that somehow the most useful search hit in each file is the one that makes it to the list, or, if multiple search terms are selected, that the one listed search hit is for a search term that you consider more important. The reduction is non-destructive. Bringing back the original complete search hit list merely requires that you uncheck this special option and click the Enter button again. It is possible to see, and via the Export List command in the context menu copy, the hit counts for selected search terms in the search term list. These hit counts are based on the current settings for the search hit list that is on the screen and take all filters into account, the explored path, any active AND combination etc. It is the numbers of hits that are actually listed, not the numbers of hits that have been recorded (saved). To see the total numbers of hits, deactivate any filter and select all search terms. Note that the "List 1 hit per file only" option also functions like a filter for search hits.

Question: Why, when all the search terms are selected with "List 1 hit per file only", are the counts returned different from when I click on each search term individually with the same setting?

Answer: Because the option is "List 1 hit per file only" and not "List 1 hit per search term per file only". Many users do not understand that. Imagine if in the same file there
h hits of certain search terms, select the search terms in the search term list and press the Del key.

3.14 Search Term List

Displayed in the Case Data window when in search hit viewing mode, after clicking the button with the binoculars and the four horizontal lines. The search term list contains all the search terms ever used for conventional (non-index) searches in the case, because those search hits are automatically saved. Search terms used in index searches appear only if their search hits have been permanently saved via the context menu. Index search hits are not permanently saved automatically, because it only takes a few seconds to run the same index search a second time and get the same search hits listed again. So if you would like to use the functionality of the search term list for index searches, save their search hits first. Selecting search terms in the search term list and then clicking the Enter button allows you to list all the search hits for these search terms in the currently selected path, subject to filters, in the search hit list. You can select multiple search terms by holding the Shift or Ctrl key while clicking them. You may press the Del key to delete selected search terms and all their search hits permanently. To reduce a search hit list to a list of unique files that contain at least one search hit, check "List 1 hit per file only" and then click Enter. This can be very useful if you are going to review all suc
hash as known from the command in the Tools menu and stores it in the specified variable, which will be created if it does not yet exist. The HashType parameter must be one of the following: CS8, CS16, CS32, CS64, CRC16, CRC32, MD5, SHA-1, SHA-256, PSCHF. CalcHashEx in addition displays the hash in a dialog window.

MessageBox "Caution": Displays a message box with the text "Caution" and offers the user an OK and a Cancel button. Pressing the Cancel button will abort script execution.

ExecuteScript "ScriptName": Executes another script from within a running script at the current execution point, e.g. depending on a conditional statement. Calls to other scripts may be nested. When the called script is finished, execution of the original script will be resumed with the next command. This feature can help you structure your scripts more clearly.

Turbo On / Turbo Off: In turbo mode, most screen elements are not updated during script execution and you are not able to abort (e.g. by pressing Esc) or pause. This may accelerate script execution if a lot of simple commands such as Move and NextObj are executed in a loop.

Debug: All the following commands must be confirmed individually by the user.

UseLogFile: Error messages are written into the log file "Scripting log" in the folder for temporary files. These messages are not shown in a message box that requires user interaction. Useful especially when running scripts on unattended remote computer
hat are similar to those in source code of programming languages. The syntax is explained in detail in Appendix A. The supported data types include all the common integer, floating-point and boolean variants, date types, hex values, binary, characters and string types. Arrays of both single variables and groups of variables can be used. The ability to move freely forwards and backwards within the data makes using templates particularly flexible:
- The same variable may be interpreted and manipulated in several ways.
- Irrelevant data sections can be skipped.
The template manager lists all text files in the WinHex directory that contain template definitions. The title of the template along with a description, the filename and the date and time of the last modification are shown. Click the Apply button to display a template using the selected template definition for the data in the current editor window at the current position. You may also create a new template definition, or delete or edit an existing one. WinHex comes with several sample templates.

7 Data Recovery

7.1 File Recovery with the Directory Browser

Most obviously, deleted files and directories that are listed in the directory browser can be recovered easily and selectively with the directory browser's context menu. You navigate to a directory (or explore the root directory recursively), select the files to recover and use the Recover/Copy command in the context menu. See chapter
hat have been marked as irrelevant by hash computation and hash database matching, or files that have been excluded by the user or that are filtered out by an active filter, can be omitted from a logical search to save time and reduce the number of irrelevant search hits. The slack of such files is still covered if the option "Open and search files incl. slack" is fully checked, so that this option has a higher priority. If only half checked, the slack of such files is omitted, too. The recommendable data reduction specifically omits certain files from the search to avoid that time is wasted or duplicate hits are produced unnecessarily. E-mail archives of the types MBOX and DBX as well as file archives of the supported types (ZIP, RAR etc.) will not be searched if the e-mails and files that they contain have already been included in the volume snapshot, in order to save time. In that case only those e-mails and files will be searched, in the natural, unencoded and uncompressed state. This may be reasonable for keyword searches and in particular for indexing, which has a hard time processing e.g. Base64 code, but not necessarily for technical searches for signatures etc. Using this option constitutes a compromise. The slack of such files is still included if the file slack option is enabled, as that option has a higher priority. A file that is marked as renamed/moved will not be searched either, if data reduction is enabled and if principally
he index and writes the index in an optimized file format. An optimized index requires less space on disk and can be searched faster.

How much memory should I assign for index optimization? Increasing the amount of memory available for index optimization improves the ability to eliminate duplicates from the index. On the downside, optimization takes longer if more memory is utilized. Testing index optimization with different settings allows you to gain experience which settings work best for your system. Index optimization can use more than 4 GB if it runs on a 64-bit variant of Windows XP, Windows Vista or Windows 7.

Can indexing utilize more than one core? Yes, indexing can use more than one core. This is particularly true of index optimization, which under optimal conditions will run n times faster on a system with n cores. Note that swapping can slow down optimization if not enough RAM is available for indexing.

How can indexing help in cracking passwords? It is possible to generate a word list from an index, which can be used with third-party tools for gaining access to encrypted data. In this case we advise to optimize the index with as much RAM as possible to reduce the number of word duplicates. Unlike for index searches, we advise to create a case-sensitive index for customized dictionary attacks on passwords (option "Match case").

3.17 Event Lists

Available only with a forensic license, when working with a case, for evidence objects w
here its failure to perform, misuse or inability to use adequately can reasonably be expected to lead to death, personal injury or severe physical or environmental damage. In no event shall X-Ways Software Technology AG or its officers, directors, employees, affiliates, contractors or subsidiaries be liable for any direct, indirect, incidental, consequential or punitive damages whatsoever arising out of the use or inability to use the software, to the maximum extent permitted by applicable law. Any liability will be limited exclusively to refund of purchase price by X-Ways Software Technology AG. It's the responsibility of the user to back up all data at reasonable intervals to minimize the damage caused by data losses of any kind. You may not rent, lease, modify, translate, reverse engineer, decompile or disassemble the software or create derivative works based on it without prior explicit permission. All rights of any kind in the software product which are not expressly granted in this license agreement are entirely and exclusively reserved to and by X-Ways Software Technology AG. No component of the software must be accessed by other applications or processes except through the X-Tensions API or the WinHex API. Should any part of this agreement be or become invalid, such invalidity shall not affect the validity of the remaining provisions of the agreement.

Acknowledgements

Thanks to Dr. A. Kuiper for his method to process videos with MP
hree letters "man" within "mansion" are not considered a whole word occurrence of "man".

Search direction: Decide whether WinHex shall search from the beginning to the end, or downwards or upwards from the current position.

Condition: Offset modulo x = y: The search algorithm accepts search string occurrences only at offsets that meet the given requirements. E.g. if you search for data that typically occurs at the 10th byte of a hard disk sector, you may specify x=512, y=10. If you are looking for DWORD-aligned data, you may use x=4, y=0 to narrow down the number of hits.

Search in block only: The search operation is limited to the current block.

Search in all open windows: The search operation is applied to all open edit windows. Press F4 to continue the search in the next window. If "Search in block only" is enabled at the same time, the search operation is limited to the current block in each window.

Count occurrences / Save occurrence positions: Forces WinHex not to show each single occurrence, but to count them. If this option is fully enabled, WinHex will enter all occurrences into the Position Manager.

Search for non-matches: In Find Hex Values you may specify a single hex value with an exclamation mark as a prefix, e.g. !00, to make WinHex stop when it encounters the first byte value that differs.

GREP syntax: Search option available with the Simultaneous Search only. Regular expressions are a powerful search too
hrome SQLite databases, also data blocks embedded as Base64 in XML-formatted PLists (.plist) and raw data blocks embedded in binary PLists (.bplist). It is recommended to verify file types at the same time, so X-Ways Forensics can distinguish between traditional XML-formatted PLists and binary PLists (BPLists). Many PLists do not have a .plist extension and need to be identified as PLists first. Since the type of the embedded data is not identified by the PList as such, the output also benefits from a simultaneous file type verification. Nested PLists (PLists embedded in PLists) will also be identified and processed recursively. Another child object created for PLists represents parsed text in a human-readable way and serves as a preview of the PList itself. Thumbnails in certain very old thumbs.db files cannot be displayed correctly. Such thumbs.db files will be assigned to the report table "Unsupported thumbs.db" and can be viewed e.g. with the freely available program DM Thumbs by GreenSpot Technologies Ltd. Last but not least, this function can decompress most hiberfil.sys files and automatically add the result to the case as raw memory dumps. All other files produced by this function are added to the volume snapshot as child objects of their respective host files in which they were found. A separate sub-operation (optional) allows you to freely carve any kind of file within any file that is not processed by the first sub-operation. This is not l
iable 1.

SetVarSize MyVariable 4: Explicitly sets the allocated memory size of a variable at a given time, in bytes. This can be useful e.g. for variables that hold integer values and that are the result of a calculation, if this value is to be written to a binary file with a fixed-length structure. Without SetVarSize, no assumption must be made about the size of the variable. For instance, the number 300 could be stored in any number of bytes larger than 1. If the new size set by SetVarSize is smaller than the old size, the allocated memory is truncated. If the new size is larger, the allocated memory is expanded. At any rate, the value of the persisting bytes is retained.

GetUserInput MyVariable "Please enter your name:": Stores the ASCII text or binary data (0x...) specified by the user at script execution time (128 bytes at max) in a variable named MyVariable. The user is prompted by the message you provide as the second parameter. If the variable does not yet exist, it will be created. Other ways to create variables: Assign, Read.

GetUserInputI MyIntegerVariable "Please enter your age:": Works like GetUserInput, but accepts and stores only integer numbers.

Inc MyVariable: Interprets the variable as an integer (if not larger than 8 bytes) and increments it by one. Useful for loops.

Dec MyVariable: Interprets the variable as an integer (if not larger than 8 bytes) and decrements it by one.

IntToStr MyStr MyInt / IntToStr MyStr 12345:
iable both as a 32-bit integer and as a four-part chain of hex values:

int32 "Disk serial number (decimal)"
move -4
hex 4 "Disk serial number (hex)"

4 Body

Flexible Integer Variables

A special variable type supported by templates is uint_flex. This type allows you to compose an unsigned integer value from various individual bits within a 32-bit (4-byte) range, in an arbitrary order, and is even more flexible than a so-called bit field in the C programming language. uint_flex requires an additional parameter string in inverted commas that specifies exactly which bits are used, in which order, separated by commas. The bit listed first becomes the most significant bit (high value bit) in the resulting integer, and it is not interpreted as a +/- indicator. The bit listed last becomes the least significant bit in the resulting integer. The bits are counted starting with 0. Bit 0 is the bit that is the least significant bit of the 1st byte. Bit 31 is the most significant bit of the fourth byte. Thus the definition is based on little-endian philosophy. For example,

uint_flex "15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0" "Standard 16-bit integer"

is exactly the same as uint16, the common unsigned 16-bit integer variable.

uint_flex "31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0" "Standard 32-bit integer"

is exactly the same as uint32, the common unsigned 32-bit integer variable. The benefit of uint_flex
ical file size, i.e. the data at the end of the file is undefined (similar to file slack), has nothing to do with the file and was stored on the disk at that location before. You can see the valid data length of the file in File mode in the Info Pane, and the undefined area is highlighted in a different color. When sorting by the Attr. column, files with more interesting attributes are listed first, e.g. attributes that indicate encryption, and files without any attributes set or whose attributes are unknown are listed last. Filter available.

The number of the sector that contains the beginning of the file's or directory's data. Sorting by 1st sector means to sort by physical location on the disk and e.g. to easily identify files that are obviously affected by ranges of bad sectors.

The identifier assigned to the file or directory by the file system or by WinHex. Not necessarily unique. A filter is available, which makes it more convenient to find other hard links of a given file.

The unique internal identifier of a file or directory in the volume snapshot. Items added to a volume snapshot last have the highest identifiers. Filter available. Useful, for example, and very easy to use if you would like to focus on the x files that were added to the volume snapshot last after having refined it, or if you would like to resume a logical search with internal

Columns: Int. parent, Unique ID, Owner, Author, Sender, Recipient, Link count
icture for the video file in Preview and Gallery mode. ASF/WMV videos protected with DRM cannot be processed and are consequentially marked with "e" in the Attr. column. Note that you may hear occasional sound from the videos. Please turn off sound on your computer if you wish to avoid this. Note also that if you select a small interval, like smaller than 5 seconds, you may not necessarily get additional pictures. This depends on how the video was encoded/compressed. Duplicate stills are omitted when extracting pictures with MPlayer. Once JPEG pictures have been exported from videos, the videos can optionally be dynamically represented in the gallery with all extracted stills, showing the stills in a loop, to give a much more complete impression of the contents of videos without further user interaction (without having to explore them). Thus, an alternative, efficient way to review a large number of videos is this: Explore recursively, filter for videos, sort in descending order by number of child objects (so that videos with a similar number of stills are shown together) and activate Gallery mode. Watch the various video stills for each video. Proceed to the next gallery page when you are confident that no incriminating videos are represented on the current page, for example when all stills have been shown, which you will know is the case when the gallery has rotated back to the first still for each video.

4.3.8 Pictures Processing

A forensic license
ies, right-click the directory in the directory tree in the Case Data window. In order to tag a directory, you can click it with the middle mouse button in the directory tree. In order to completely delete a case, you need to delete its .xfc file and the corresponding directory with the same name and all its subdirectories.

Export Files for Analysis: This menu command in the Case Data window can be applied to the entire case and from there to selected evidence objects, or to the active evidence object only. It uses the interface for external analysis of files to invoke external automated analysis tools such as DoublePics.

Export subtree: This context menu command in the Case Data window allows you to export a pseudo-graphical representation of the selected subtree in a Unicode text file, which is best viewed with a fixed-width font. The exported tree reflects the current state (subdirectories expanded or collapsed). The menu command is available for evidence objects and also for directories, if you hold the Ctrl key when right-clicking a directory in the case tree. Remember to fully recursively expand a portion of the tree that you want to export: you can click the root of that portion and press the asterisk (multiplication) key on the numeric keypad.

3.2 Multi-User Coordination For Large Cases

All cases created or opened with v17.5 and later offer enhanced multi-user support, where X-Ways Forensics distinguishes between different examiners workin
igit number based on the hexadecimal system, where each digit represents a tetrade or nibble of a byte, i.e. 4 bits. The sixteen digits used in the hexadecimal system are 0-9, A-F. You can change the value of a byte by changing these digits in the hexadecimal mode. It is also possible to enter the character that is assigned to a certain byte value by a character set (cf. Entering Characters). All kinds of characters are allowed, e.g. letters and punctuation marks. Example: A byte whose decimal value is 65 is displayed as 41 in hexadecimal notation (4*16 + 1 = 65) and as the letter A in text mode. The ASCII character set defines the capital letter A to have the decimal value of 65. When editing files of a certain type, for instance executable files, it is essential not to change the file size. Moving the addresses of executable code and included data results in severely damaging such files. Please note that changing the contents of a file generally may be the reason for the corresponding application to behave anomalously. It is quite safe to edit text passages in a file. At any rate it is recommendable to create backup files before editing. The command Combined Search was especially designed for editing files created by computer games to save the game state. If you know the value of a variable in two of such files, you can find out the offset, i.e. the position at which this data is saved. Example: If two files hold the information that you have 5
ile system data structures are changed and no filenames will be erased; only the contents of files will be overwritten. Files that are compressed in archives or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be erased. Previously existing files whose clusters are known to have been reused will not be erased. Note that by erasing deleted files you might erase data in clusters that belong to other files, so only select existing files if you want to avoid that (assuming consistent file systems). Also note that by erasing carved files you may erase too much or not enough data, depending on the detected file size and depending on whether the file was originally fragmented. Useful, for example, if copies of images are forwarded to investigators/examiners/other parties involved in a case who are not allowed to see the contents of certain files. Useful also if you have to return computer media on which child pornography has been found to the owner after clearing these files. Also useful if you are preparing images for training purposes that you would like to publish and if you would like to retroactively erase the contents of copyrighted files, e.g. operating system or application program files. Both successfully erased files and files that could not be successfully erased will be added to separate report tables (when working with a case, with a forensic license only), by which you can filter to verify the result. Fi
ile system as in use, whose exact allocation however could not be determined. This can be the case if the file system lost track of them, i.e. forgot that these clusters are actually available for re-allocation. Usually there is no idle space. The size of idle space and the number of the first idle cluster are only determined when needed, e.g. when you click the Idle space file for the first time, as depending on the number of clusters this is a potentially time-consuming operation.

Volume slack: Sectors at the end of the partition that are unused by the file system because they do not add to another cluster.

Indirect blocks (Ext2, Ext3, UFS): Special blocks that contain block numbers. Not part of "File system areas".

Unnoted attribute clusters (NTFS): Clusters that contain non-resident attributes that have not been individually processed by X-Ways Forensics. Not part of "File system areas".

journal (ReiserFS): Blocks that form the fixed journalling area. On Ext3 and HFS this is not considered a virtual file, because it is defined by the file system itself in dedicated records.

3.6.3 Columns and Filters

Most filters and several columns are available with a forensic license only.

Name: Name of the listed file or directory and, only with a forensic license, for directories and files with child objects, in parentheses in a different color, optionally the total number of contained files in the volume snapshot. Allows you to filter based on one o
ile types that the separate viewer component does not support.

Crash-safe text decoding: If enabled, text extraction from certain file types for logical searches and indexing will be done by the viewer component in a separate process, such that if the viewer component crashes or becomes unstable, it does not render the main process (X-Ways Forensics) unstable or cause it to crash.

Buffer decoded text for context preview: If enabled, the result of the text extraction from certain file types for logical searches and indexing will be stored by X-Ways Forensics in the volume snapshot for reuse when searching/indexing again, to save time.

Undo Options: see below. Security Options: see below. Data Interpreter Options: cf. Data Interpreter.

Edit Mode: Allows you to select the edit mode used in WinHex globally. The info pane's context menu allows you to select the edit mode specifically for the active edit window only.

5.12 Window Menu

Window Manager: Displays all windows and provides instant window switching functionality. You may also close windows and save files.

Save Arrangement As Project: Writes the current window constellation into a project file. From the Start Center you will then be able to load the project and restore editing positions in each document at any time, to conveniently continue your work right where you left it or to begin your work in case of a recurring task.

Close All: Closes all windows and thus all open files, di
ile write commands directly on a disk (in a raw disk image) in any file system supported, even if not supported by Windows, even files not seen by Windows (e.g. deleted files), even in partitions not seen by Windows (e.g. damaged or deleted ones), without changing any timestamps or attributes, in in-place mode only. For this editing capability the file must have been opened from within the already opened volume that contains it, via the Open command in the directory browser context menu or in File mode (forensic license only). Compressed files, or generally files within other files (e.g. e-mails and attachments in e-mail archives), cannot be edited, except in an evidence file container if they have been copied there from the original disk/image. Note that files cannot be shortened or expanded that way; only the data in already allocated areas can be modified. Editing files opened directly from within disks/raw images as described above is possible in WinHex only, not in X-Ways Forensics or X-Ways Investigator, where sector-level write access (to which file editing is internally translated) is disabled and where the only mode available for disks and interpreted images and files opened from within volumes continues to be read-only mode. In forensic computing, electronic discovery and IT security, this editing capability can be helpful to manually redact (e.g. overtype) specific data that should not be examined/disclosed/seen, or to securely erase specific areas with
imestamps, but they may distract you when you are merely interested in viewing files. The selection statistics are displayed below the directory browser (with a forensic license only). If computed in a recursive way, they reveal how many subdirectories, files and how much data are contained in a directory when you select it in the directory browser (except if you have explored recursively already), taking any active filters into account. If this option is not enabled, the statistics tell you about the direct selection in the directory browser only, not about the child objects that may indirectly be selected via selected directories. If this option is half selected, the statistics take child objects of directories into account, but not child objects of files. Tagging or excluding items in the directory browser can occur recursively or non-recursively. Non-recursively means that tagging/untagging/excluding/including a file or directory in the directory browser has no effect on parent or child objects or parent directories or subdirectories. Useful for example if all child objects of a file should be processed in volume snapshot refinement or searched, but not the parent object. If it works recursively, then it is not possible to have an untagged parent object whose child objects are all tagged. If the recursive tagging option is in its middle state, that means that child objects still inherit the tagged state from their parent at the moment wh
imited to file types that are marked with the e flag. Use great caution to avoid delays and copious amounts of garbage files, false positives and duplicates. Please apply this new function very carefully and only with a good reason, to specifically targeted files only, such as swap files or storage files in which backup applications concatenate other files without compression, not blindly to all files or random files. Remember, with great power comes great responsibility. Signatures marked with the E flag (upper case) are never carved within other files, to prevent the worst effects, for example MPEG frames carved within MPEG videos, zip records carved within zip archives, eml, html and mbox files carved within e-mail archives, hbin registry fragments carved within registry hives. If you know what you are doing, of course you could remove the E flag. There is an option to apply the carving procedure recursively, that means to files again that were already carved within other files. This can lead to many duplicates if the outer file (at level 1) is carved too big, so that files can be carved in it that were also carved at level 0 (the original file). For situations where you want to carve embedded files that are not aligned at 512-byte boundaries in the original file, you may make use of the extensive byte-level option. In such a case, one of the biggest mistakes to make would be to carve at the byte level in the MFT, which typically contains many small fi
in. By default, WinHex numbers disk partitions in the order of their physical location. If Auto-detect deleted partitions is enabled, WinHex tries to identify obvious deleted partitions automatically in gaps between existing partitions and in unpartitioned space directly following the last partition when opening physical hard disks. Such additionally detected partitions will be listed in the Access button menu and marked as deleted. Please note that deleted partitions detected in gaps between existing partitions cause the partition numbering to be changed. E.g. an existing partition 3 might become partition 4 if a deleted partition is detected on the disk before it. The Sector reading cache accelerates sequential disk access by the disk editor. This option is recommended particularly when scrolling through CD-ROM and floppy disk sectors, since the number of necessary physical accesses is significantly reduced. If Check for surplus sectors is disabled, WinHex will not try to access surplus sectors when a physical hard disk is opened. When additional sectors are detected, WinHex will remember them the next time you open the disk. You may enforce a new check by holding the Shift key while opening the disk. Checking for surplus sectors may cause very long delays, strange behavior or even damage to the Windows installation on some very few systems. Only under Windows XP are surplus sectors included automatically, which renders this option obsolete. Th
in files, e.g. define as a block and fill the block. Note that evidence file containers are raw images if they have not been converted to the e01 evidence file format and thus allow for retroactive file editing, which however will invalidate any accompanying hash values. It is even possible to edit directories, i.e. the clusters with directory data, e.g. INDX buffers in NTFS, for example if you need to redact the names of certain files. 6.4 Status Bar. The status bar displays the following information about a file: 1. Number of current page and total number of pages (disk editor: sectors). 2. Current position (offset). 3. Decimal translation of the hex values at the current position. 4. Beginning and end of the current block, if currently defined. 5. Size of current block in bytes (ditto). Click the status bar cells in order to 1. move to another page/sector, 2. move to another offset, 3. define the integer type for decimal translation, and 4. define the block. Right-click the status bar in order to copy pieces of information from the status bar into the clipboard. Right-clicking the 2nd status bar field allows switching between absolute (default) and relative offset presentation. This is useful when examining data that consists of records of a fixed length. After specifying the record length in bytes, the status bar displays the current record number and the relative offset therein. Right-clicking the 3rd status bar field al
in the volume snapshot. f (lower case): Indicates that the specified footer signature is used to find data that is not part of the file any more and should be excluded. Ordinary footers are included in the carved file. Useful for file formats that do not have a well-defined footer, where the end of the file can be detected by the occurrence of data that does not belong to the file any more. That could be the same signature as the header, if files of that type occur typically in groups back to back, or just x00 for file formats such as text files that do not contain zero-value bytes, where however x00 can be expected with a high likelihood in the RAM slack. Such footer signatures should be marked as exclusive because the data matched by it is not part of the file itself. F (upper case): Makes X-Ways Forensics discard hits of the file header signature search if no corresponding footer can be found, provided that a footer signature is specified in the definition. Can be useful to reduce the number of, or totally avoid, false positives. h: Indicates that the specified header signature is used to find data that is not part of the file itself and should be excluded. G: Greedily allocates all their sectors exclusively. The file type signature search continues its search for further file headers only after the presumed end of such files. Can be useful if an internally implemented algorithm is available that is sure that the carved file contains all valid
ination file. The first byte/word originates from the source file that was specified first. Use this function to create a file with odd and even bytes/words originating from separate files, e.g. in EPROM programming. Dissect: Select a source file and two destination files. The bytes/words from the source file will be written alternately into the destination files. The first byte/word will be transferred to the destination file that was specified first. Use this function to create two separate files, each containing either the odd or the even bytes/words of the original file, e.g. in EPROM programming. Compare: This command is used to compare two edit windows (files or disks) byte by byte. Decide whether different or identical bytes shall be reported. You may indicate how many bytes to compare. If desired, the operation can abort automatically after having found a certain number of differences or identical bytes. The report is stored as a text file, whose size might otherwise grow dramatically. The comparison starts at the respective offsets specified for each edit window. These offsets may differ, such that e.g. the byte at offset 0 in file A is compared to the byte at offset 32 in file B, the byte at offset 1 with the one at offset 33, etc. When you select an edit window for comparison, the current cursor position will automatically be entered in the From offset box. There is yet another compare function in WinHex: you may also compare e
iner. Once added, a file cannot be physically removed any more; however, its exclusion can be made permanent in the container. Optionally, hash values can be stored for the files that are copied into a container. This allows to verify the integrity of the files later, after having added the container to a case, by refining the volume snapshot. The hash values are computed directly for the data as read from the original source medium (unless you copy metadata to the container only) or taken from the volume snapshot if available. Optionally, the preparer of an evidence file container can pass on report table associations (either all, or not those created by X-Ways Forensics internally) or comments about included files with the container. Useful to not only forward a collection of files to other investigators, but also case-specific information and preliminary findings. E.g. computer specialists could add the name of the owner of a file for non-IT examiners to see, or the reason why a file was selected for inclusion in the container. In the case of the old container format, the recipient of the container will see those comments if he/she is not only provided with the container, but also with the optional metadata subdirectory of that container, when adding the container to the case. If you select to pass on comments with the container when creating it, fill it with files that have comments and then close the container, the metadata subdirectory is created au
ing code pages for encoded PST files: ISO8859-1, ISO8859-2, ISO8859-3, ISO8859-4, ISO8859-5, ISO8859-6, ISO8859-7, ISO8859-8, ISO8859-9, ISO8859-10, ISO8859-11, ISO8859-13, ISO8859-14, ISO8859-15, ISO8859-16, koi8-r, koi8-u, 1250, 1251, 1252, 1253, 1254, 1255, 1256, 1257, 1258, 874, UTF16, UTF32, UTF8. In certain old AOL PFC files, pictures may be embedded in e-mail messages in a special way. In that case such an e-mail message will be marked with a paperclip icon, but the picture will not be separately extracted. The picture (if JPEG or PNG) can be found, however, when extracting JPEG and PNG files from pfc. 4.3.6 Uncovering Embedded Data. Forensic license only. Allows to carve files of various types that are embedded in files of other various types, through a byte-level file header signature search within certain files. This is successful if the outer file (host file) is intact and the embedded file is not stored in the host file in a fragmented manner, as it can happen for example in OLE2 compound files such as older MS Office documents. Otherwise the embedded files may appear as corrupt. Notably, this function searches for JPEG and PNG pictures, even JPEG pictures in other JPEG files (those that contain thumbnails of themselves). The files found this way will be generically named as Embedded 1.jpg, Embedded 2.png etc. This function also extracts emf files embedded in multi-page printouts (spl spooler files), spl files that
ing commands will be executed. If conditions must not be nested. IfGreater MyVariable Hello World / IfGreater 0x12345678 MyVariable / IfGreater MyVariable 1000 / IfGreater MyVariable MyOtherVariable / IfGreater MyVariable 10 MyOtherVariable: Accepts the same parameters as IfEqual. If the first one is greater than the second one, the following commands will be executed. If conditions must not be nested. Else: May occur after IfFound or IfEqual. Place commands that shall be executed if nothing was found or if the compared objects are not equal after the Else command. EndIf: Ends conditional command execution after IfFound, IfEqual, IfGreater. ExitLoop: Exits a loop. A loop is defined by braces. Closing braces may be followed by an integer number in square brackets, which determines the number of loops to execute. This may also be a variable or the keyword unlimited, so the loop can only be terminated with an ExitLoop command. Loops must not be nested. Example of a loop: Write Loop 10 will write the word Loop ten times. Label ContinueHere: Creates a label named ContinueHere. JumpTo ContinueHere: Continues script execution with the command following that label. NextObj: Switches cyclically to the next open window and makes it the active window. E.g. if 3 windows are open and window 3 is active, NextObj will make 1 the active window. ForAllObjDo: The following block of script commands (until EndDo occurs)
ion with compression, this option has the potential to save a lot of drive space, depending on how much free space there is, and imaging speed can be greatly accelerated if there are large contiguous free drive space areas in volumes/partitions. Note that in case of file system inconsistencies, clusters could be erroneously regarded as free. You have to specifically confirm the creation of cleansed images, as in the traditional sense they are not forensically sound, though in a more modern sense of the word they can be, depending on the jurisdiction that you work in (in countries with stricter personal privacy rights) and depending on the overall situation. Forensic license: When creating an image, the technical details report is created and written to a text file that accompanies the image file. For an e01 evidence file it is also incorporated directly into the e01 file as a description. The SMART information is queried and written to the text file again upon completion of the image, so that you can see whether the status of a hard disk in bad shape has further deteriorated during imaging. Secondly, you can see how the power-on time has changed, which is useful to deduce its unit of measurement (usually hours, but can be different on certain hard disk models). The text file also indicates the amount of time spent creating the image, the compression ratio achieved, the result of an immediate verification of the image based on the hash value (if selected)
ion per line and needs to be present as a Unicode text file named indexsub.txt that starts with the LE Unicode indicator 0xFF 0xFE. indexsub.txt is an optional file and expected in the X-Ways Forensics installation directory. You will get a warning if you define a space character as part of words. That is because space characters are meant to delimit words; they are not part of the words themselves. If a space character is defined to be part of words, that means a whole sentence like Mike Smith lost his credit card today is considered just a single word, so, because the indexer indexes the beginnings of words, the only actual real word that later could be found in the index would be Mike (or the whole name Mike Smith) at the start of the sentence, but not Smith, lost, his, credit, card, today, because they are all not the start of a word. If you wish to be able to find compound words like credit card or names like Mike Smith that contain a space character, then you can define a space to be part of words, but then it is a must to include substrings, so that in the above example X-Ways Forensics would index (assuming 8-letter words): Mike Smi ike Smit ke Smit e Smith Smith Smith lo mith los ith lost th lost h lost h lost hi lost his ost his st his c t his cr his cre his cred is credi s credit credit credit c redit ca. That way you can find Mike Smith and credit card. Distributed indexi
is 1 hit for search term A and 1 hit for search term B and you select both A and B with that option enabled, then only 1 hit is listed, either the one for A or the one for B (up to X-Ways Forensics to decide). So the displayed hit count is 1 for one search term and 0 for the other one. If then you select the other search term only and click Enter, the count for that search term will change from 0 to 1, because that is now the only possible search term from which hits can be listed, and up to 1 search hit is listed per file, so that 1 hit is listed. There are two ways how to logically combine multiple search terms with Boolean operators. 1. By default, multiple selected search terms are combined with a logical OR. To force a search term, select it and press the key. To exclude a search term, select it and press the key. To return a search term to normal OR combination, press the Esc key. You may also use the context menu of the search term list for all that. The below examples describe the effect of selecting the search terms A and B depending on their status: A B: search hits for A and search hits for B that occur in any files (normal OR combination). A B: search hits for A and search hits for B that occur in files that contain A. A B: search hits for A and search hits for B that occur in files that contain both A and B (AND). A B: search hits for A that occur in files that do not contain
is printed twice on the first page, have either X-Ways Forensics or the viewer component print it, not both. You can print just the cover page by choosing to print only the pages 0 through 0 of the document or picture itself. The header line of the cover page, which specifies which user and which program and version created the print job, is optional. Useful if you wish to show the printout to witnesses or the suspect, who should not know the username of the examiner. Recover/Copy: Allows to copy the selected files from their current location to a location available for a standard Windows file dialog, e.g. out of an interpreted image file or from a local disk. This can be applied to both existing and deleted files and directories. Illegal filename characters are filtered out. Numerous extra features are available with a forensic license. The complete original path can optionally be recreated in the output directory, or optionally (if half checked) only a partial path. The evidence object name becomes part of the recreated path too if you either copy from within the case root or if you do not have X-Ways Forensics default to the evidence object folder as the output directory (see case properties). A partial path is the path starting from the currently explored directory or, when copying from the recursively explored case root window, only the evidence object name, not the path within the evidence object. Overlong paths are supported (more than 2
is updated, you are prompted for confirmation. To inhibit this behavior of WinHex, switch off the corresponding option. If any of the operations Refine Volume Snapshot, Logical Search or Indexing crashes when processing a file, X-Ways Forensics, when started next time, will tell which file was likely responsible for the crash, if you had it collect information for a crash report. Output messages about exceptions: Determines the verbosity of the program in case of exception errors. If totally unchecked, only exception errors with a potentially serious impact (like considerably incomplete analysis results) will be brought to your attention in the Messages window. If fully checked, all of them will be output, even those that occur typically with corrupt files only and have no negative impact on other analysis results. The middle state is a reasonable compromise. Regardless of this option, exception errors will be noted in the error log file. All notices and warnings output to the Messages window can optionally be automatically saved in a text file, msglog.txt, in the installation directory. If at that time a case is active, the notice/warning will be written to the msglog.txt file in the log subdirectory of that case instead. Strict drive letter protection: Only available with a forensic license. Active by default in X-Ways Forensics. Ensures that saving and editing files is only possible on certain drive letters, namely those that X-Ways Forensics
ish to reference all notable files with their metadata in your report, but show only a subset of those. Files can be output either grouped by evidence object and sorted by internal ID, or in the order as they are currently listed in the case root window, where you can freely change the order thanks to up to 3 sort criteria. If no files are currently listed in the case root because it has not been explored recursively, then the second option is grayed out. Explore the case root recursively first to make it available (right-click it). Note that if you choose the second option, files that are not listed in the case root window will not be output, even if they are part of a report table. That means that current filter settings have an effect on the generation of the report, too. If files are omitted because they are not listed in the case root window at the time of report generation, you will be notified of that in the report and in a message box. If the box to output report tables is only half checked, then only the number of items in each report table will be reported. e) Case log. By default the report is created for the entire case. Optionally, it is created for selected evidence objects only. 3.6 Directory Browser. 3.6.1 General Description. The perhaps most essential user interface element in WinHex and X-Ways Forensics is the so-called directory browser, which resembles the Windows Explorer's right-hand list. Its main task is to display an
ith a volume snapshot. When extracting metadata (part of volume snapshot refinements), X-Ways Forensics can compile a list of events from timestamps that can be found at the file system level as well as internally in files and in main memory. Conceivable sources are browser histories, Windows event logs, Windows registry hives, e-mails etc. An event list works exactly like a search hit list and can be displayed by clicking a button which is located next to the search hit list button, with a clock icon on it. Just like a search hit list, an event list comes with additional columns: the event timestamp, event type, event category, and some events have an individual description (additional text), for example events recorded in the Windows registry and in Internet Explorer index.dat files. If an event list is sorted chronologically by timestamps, it works like a timeline, which may allow you to figure out a sequence of events of different kinds stored in different places (e.g. e-mail received, attachment saved, application started, document printed, file deleted) that otherwise could not be seen together in context. You may see events from different evidence objects at the same time (from the case root window, explore recursively) or by path, sort by event type or event category, see all the usual file properties, view files, navigate to the definition of an event within a file if a relative offset is available, and filter for certain date ranges. Event ba
ith the same name as the parent file, as that parent file might be selected for copying as well and would of course be created in the same directory as the aforementioned artificial directory that is needed to reflect the path of the child object. Hence the artificial directory must be named slightly differently. It can be truncated after a user-defined number of characters, and this is useful in particular for e-mail messages, that are named after the subject line and of course can contain attachments as child objects, to avoid overlong paths. Also, either a single suffix character of your choice is appended (and by default that is a special Unicode character that is invisible in complete Unicode fonts, such that the directory seems to have exactly the same name as the corresponding parent file), or otherwise some descriptive words like child objects are appended to the name, but that unfortunately increases the total path length, which all too often exceeds common limits. If the edit box for the suffix character seems to be blank, that is most likely because the aforementioned invisible Unicode character is in there. It has a width of 0. To replace it with any other character, remove the invisible character first by clicking in the edit box and hitting the backspace key on your keyboard. Existing and deleted objects can be grouped together in separate output directories named Ex and Del. Further grouping/classification of copied files in s
ither one or two horizontal dividers indicates whether the list is split up into two or three groups, also in the header of the column that is the primary sort criterion, as a small reminder that when scrolling in the directory browser and watching out for a certain file (for example based on its name) you need to check in every group, because the sorting takes place within each group and does not span the groups. An alternative e-mail representation is available in Preview mode, also in the case report. Attachments are not linked directly from this kind of e-mail representation yet. If this option is half selected, the e-mail header of eml files is excluded in Preview mode (not Raw mode). Useful if you would like to see more of the body of the e-mail without scrolling. You can see subject, sender, recipient and dates already in the directory browser, and attachments are listed when exploring the parent eml file. Double-clicking a directory will explore it. Double-clicking an ordinary file will view it. This option controls whether files with child objects will be typically viewed or explored on a double-click. If the checkbox is half checked, you will be prompted. Files can optionally be opened and searched including their slack. The middle state of this checkbox makes a difference only for logical searches (cf. that topic). Listing subdirectories when exploring recursively is optional. They may be needed if you are interested in their names or t
itten to during the process, the clone/image may have an inconsistent state from the point of view of the operating system, e.g. it may not be able to boot a Windows installation any more. From a forensic standpoint, however, when cloning/imaging a live system, although it is highly desirable that no writing occurs any more, that should not be a major problem, as you still get an accurate snapshot of each and every sector. If the destination of cloning or image restoration is a partition that is mounted as a drive letter, WinHex will try to clear all of Windows' internal buffers of that destination partition. If nonetheless you don't see the new contents in Windows Explorer on the destination after the operation has completed, you may simply need to reboot your system. Note that WinHex does not dynamically change partition sizes and adapt partitions to destination disks larger or smaller than the source. 9.9 Skeleton Images. A typical X-Ways feature that cements X-Ways Forensics' position as the tool that gives its users the greatest amount of control when selecting/targeting/filtering data at any conceivable level: The ability to create forensic physical skeleton disk images that contain only those sectors that are needed for certain purposes, while maintaining compatibility with other tools. Forensic license only. These can be sectors with partition tables, file system data structures, their neighboring sectors, as well as sectors with file co
l. A single regular expression may match many different words. Either all search terms are considered GREP expressions, or only those prepended with grep, or none, depending on the state of the corresponding checkbox. The following characters have a special meaning in regular expressions, as explained below. Where these special characters are to be taken literally, you need to prefix them with a backslash character. The operator is used to denote alternative matches. You can use the regular expression car (wheel|tire) to search for the words car wheel and car tire. Any match must equal the parts before, after or between any operators present. The effect of is only limited by parentheses. and are wildcards: matches any character, matches any numeric character. You can define sets of characters with the help of square brackets: xyz will match any of the characters x, y, z; xyz will match any character except x, y or z. You can define ranges of characters using a dash: a-z matches any lower-case letter; a-z matches all characters except lower-case letters. The listing may comprise individually listed characters and ranges at the same time: aceg-loq matches a, c, e, g, h, i, j, k, l, o and q. All characters except and are taken literally between square brackets, even the wildcard characters and. b stands for the start or end of a word, i.e. the boundary between a word character and a n
l, based on a maximum word length of 7 letters. X-Ways Forensics does not distinguish between uppercase and lowercase letters, except if a case-sensitive index was created. If listing search hits takes too long (e.g. because you entered a single character only or a very frequent short word), you may press Esc or close the progress indicator window to abort. Attention: If you select to search for your search terms also within words, but did not prepare the index for substring searches, then the result will be incomplete and slow. In a search hit list populated by an index search, physical offsets are not available. Search terms used in index searches are not added to the search term list, and index search hits are not permanently saved, because it is so quick to generate the same search hit list again. That means you can use the functionality of the search term list (e.g. and/or flexible AND combinations or 1 hit per file) for index search hits only after having permanently saved them via the context menu. If you wish to search the indexes of multiple or all evidence objects in a case at the same time, invoke Search, Search in Index from within the case root window and make sure these evidence objects are selected for the recursive listing and have been indexed. 3.16 Index Optimization. Optional step that can be run once an index has been created and that is executed automatically after indexing. You can safely abort the optimiza
l be used by the file type verification to fill the Type column for a file, even if the file has one of the alternative plausible filename extensions. More than 255 characters supported. 3rd column, Header: A unique header signature by which files of this file type can be recognized. It is specified in GREP syntax (see Search Options for an explanation), so that it's possible to match variable byte values (e.g. xE1 xE2 mean the byte value could be 0xE1 or 0xE2) or undefined areas. The maximum length of the represented signature is 48 bytes. To find out characteristic file header signatures in the first place, open several existing files of a certain type in WinHex and look for common byte values near the beginning of the file at identical offsets. 4th column, Offset: The relative offset within a file at which the signature occurs. Often simply 0. The signature must be contained in the first 512 bytes. 5th column, Footer: Optional. A signature byte sequence that reliably indicates the end of a file, specified in GREP syntax. GREP expressions that represent variably sized data may not work as expected. A footer signature may help to achieve a recovery with the correct file size. The recovery algorithm does not search for the footer further than the number of bytes specified as the maximum file size, starting from the header. Even better than a footer is the potential availability of an internally implemented algorithm in X-Ways F
l filters with a single mouse click, to ensure you are not missing any file when you no longer want the filter. You can activate or deactivate column-based filters individually with a single mouse click on the column header's filter symbol when holding the Shift key. The options of the respective filter remain unchanged in this case.

The filters have been given some intelligence when navigating from a parent file to a child file or vice versa, so that the filters know when it's a good time to be turned off. For example: If you are using a filter to focus on all extracted e-mail messages recursively, and then you double-click an individual e-mail message to have a look at its attachments in the directory browser, the filter is automatically deactivated so that you can actually see these attachments. A simple click on the Back button returns to the previous point of exploration and restores the previous filter settings and the last selection, so that you can easily continue reviewing the next e-mail message. If you are using a filter to focus on videos or documents, and then you double-click a video or a document to see the video stills exported for that video or the embedded pictures in that document, respectively, the filter is automatically deactivated, too. When you are viewing video stills only in a gallery and you use the Backspace key or the Find parent object menu command to navigate to the video that this still belongs to (e.g. in ord
lable. Creation timestamp that can be extracted from the internally stored metadata in various file types (see context menu command), as put there by the program that created the file. Internal timestamps are usually less volatile and can be more difficult to manipulate than file-system-level timestamps. They are useful, for example, for corroboration. Filter available (forensic license only).

The combined filter for the 6 timestamp columns allows to filter for certain date ranges (typical application) or for mere times, matching any possible date. For example, if you are interested in unusual activity occurring in the middle of the night, when the rightful office computer user is not working, you could filter for times such as between 22:00:00 and 05:59:59 (on a 24-hour clock). Obviously, selecting the right local time zone for the timestamp filter is crucial for this. Timestamps in the normal directory browser that meet the timestamp filter condition are now highlighted. Timestamps in an event list that are identical to the event timestamp are also highlighted.

Attr., 1st sector, ID, Int. ID: DOS/Windows attributes on FAT/NTFS file systems, Unix/Linux permissions and file mode on Unix/Linux/Mac file systems, plus some proprietary symbols that are explained in the legend (forensic license only) and in topic 2.9. Partial initialization means that according to the file system (NTFS or exFAT) the so-called valid data length is smaller than the log
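The two things the paragraph above asks for, a time-of-day window that wraps past midnight and a comparison of file-system against internal timestamps, are easy to get subtly wrong, so here is an added example for this page (not X-Ways code) that does both. The entries, the fixed UTC+1 offset used as the "local time zone" and the 5-minute tolerance are assumptions; a real case would use zoneinfo.ZoneInfo for the suspect's zone so that daylight saving time is handled.

```python
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc
CET = timezone(timedelta(hours=1))   # assumed examiner-chosen local zone, fixed offset


def in_time_window(ts, start, end, tz):
    """True if the wall-clock time of ts (a timezone-aware datetime) in zone tz lies
    within [start, end]. The window may wrap past midnight, e.g. 22:00:00-05:59:59,
    which a plain start <= t <= end comparison would get wrong."""
    local = ts.astimezone(tz).time()
    if start <= end:
        return start <= local <= end
    return local >= start or local <= end


def night_activity(entries, tz, start=time(22, 0, 0), end=time(5, 59, 59)):
    """Filter (name, timestamp) pairs down to those whose local time is in the window."""
    return [name for name, ts in entries if in_time_window(ts, start, end, tz)]


def corroborate(fs_created, internal_created, tolerance=timedelta(minutes=5)):
    """Compare a file-system creation timestamp with the creation time recorded inside
    the file's own metadata. Content cannot predate the file that holds it, so a
    file-system timestamp that is earlier than the internal one (beyond a small
    tolerance for clock skew) is worth a second look. Assumption: both values are
    timezone-aware and describe the same file."""
    return fs_created + tolerance < internal_created


# Constructed sample entries with UTC timestamps, not real case data.
ENTRIES = [
    ("report.docx", datetime(2023, 3, 10, 14, 30, tzinfo=UTC)),
    ("dump.zip",    datetime(2023, 3, 10, 21, 30, tzinfo=UTC)),      # 22:30 in UTC+1
    ("notes.txt",   datetime(2023, 3, 11, 4, 59, 59, tzinfo=UTC)),   # 05:59:59 in UTC+1
    ("photo.jpg",   datetime(2023, 3, 11, 5, 0, tzinfo=UTC)),        # 06:00:00 in UTC+1
]
```

Running the same window against UTC instead of UTC+1 drops dump.zip and picks up photo.jpg: the result set changes entirely with the zone, which is the point the manual makes about choosing it correctly.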
layer. The MD5 message digest is copyright by RSA Data Security, Inc. The zlib compression library is copyright by Jean-loup Gailly and Mark Adler; homepage: ftp://ftp.cdrom.com/pub/infozip/zlib/zlib.html. X-Ways Forensics contains software by Igor Pavlov, www.7-zip.com. Outside In Viewer Technology 1991, 2007, 2008 Oracle. NEXT3 is a registered trademark of CTERA Networks. X-Ways Forensics contains an unofficial build of DevIL. DevIL is governed by the LGPL (http://www.gnu.org/copyleft/lesser.html), version 2.1. The original source code can be downloaded from http://openil.sourceforge.net. X-Ways Forensics contains an unofficial build of libPFF. libPFF is governed by the LGPL (http://www.gnu.org/copyleft/lesser.html), version 3.0. The original source code can be downloaded from http://libpff.sourceforge.net. Windows event log (evtx) viewing capability based on works by Andreas Schuster.

1.3 License Types

The full version of WinHex will save files larger than 200 KB, write disk sectors, edit virtual memory, and show no evaluation version reminders. It will reveal its license status on start-up and in the About box. To use WinHex as a full version, you need at least one license (base license). If you are going to use WinHex on multiple machines, you will also need additional licenses.

Personal licenses are available at a reduced price for non-commercial purposes only, in a non-business, non-institutional and non-government
les with resident storage, but which of course is fully processed already when taking the volume snapshot. Hence the option to always exclude the MFT, at least.

4.3.7 Extraction of Video Stills

A forensic license allows to extract JPEG pictures from video files in a user-defined interval (e.g. every 20 seconds) that can be dynamically based on the play length of the video. This functionality is applied to files whose type matches the specified file mask series. Requires an external program (either MPlayer or Forensic Framer) and requires that the volume is associated with the active case. Pictures can be extracted from all the video formats and codecs supported by MPlayer. Useful if you have to systematically check many videos for inappropriate, illegal or otherwise relevant content (e.g. child pornography or terrorist training camp instructions). The use of intervals ensures that you won't miss important parts of videos that are hidden in the middle of a harmless vacation or birthday party video. Extracting pictures considerably reduces the amount of data, and looking at stills in the gallery is much faster, more efficient and more comfortable than having to watch all videos one after the other. The potentially time-consuming extraction process can be run unattended (e.g. over night) beforehand. Also useful if you need to include extracted pictures in a printed report. The first extracted picture at the same time optionally can serve as a preview p
lick the right mouse button in order to see a context menu in the Position Manager. The context menu provides additional commands: you may delete, load or save positions, even export the list as HTML. If the position list in the general Position Manager was changed, it is saved in the file WinHex.pos when exiting WinHex, so that the positions are still available in the next session. Only search hits are not permanently saved unless they have been edited via the context menu. The complete documentation of the POS file format is available from the WinHex homepage at http://www.x-ways.net/winhex/.

9.13 Data Interpreter

The Data Interpreter is a small window that offers possible translations for the data at the current cursor position. Contrary to popular belief among some WinHex users, it totally disregards any block, if selected, and always interprets from the byte where the cursor is. The options dialog lets you specify the data types to interpret. These are various integer data types (by default in decimal notation, optionally hexadecimal or octal), the binary format (8 bits of a byte), four floating-point data types, assembler opcodes (Intel) and date types. Dates are always represented in their original state, exactly as stored. They are never converted to any local time. The Data Interpreter is also capable of translating most data types back into hex values. Make sure a file is open in an edit mode other than read-only mode, enter a new value in the Dat
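The following Python reproduces the Data Interpreter's two directions for the common types: decoding the bytes at a cursor position into integers, floats and the three timestamp formats most often met on disk (FILETIME, Unix time, DOS date/time), as stored and without any local time conversion, and encoding a typed value back into bytes. It is an added example for this page, not X-Ways code; the set of types, the FAT order of the DOS time and date words, and the two sample byte strings (the FILETIME of the Unix epoch, and a DOS stamp for 2020-06-15 13:05:10) are assumptions made for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # Windows FILETIME epoch (100 ns units)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=UTC)   # Unix epoch (seconds)

STRUCT_FORMATS = {
    "int8": "b", "uint8": "B", "int16": "h", "uint16": "H", "int32": "i",
    "uint32": "I", "int64": "q", "uint64": "Q", "float32": "f", "float64": "d",
}


def _dos_datetime(time_word, date_word):
    """Decode a FAT/DOS packed time word and date word (2-second resolution, years
    counted from 1980). Returns None when the fields do not form a valid date."""
    second = (time_word & 0x1F) * 2
    minute = (time_word >> 5) & 0x3F
    hour = time_word >> 11
    day = date_word & 0x1F
    month = (date_word >> 5) & 0x0F
    year = 1980 + (date_word >> 9)
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None


def interpret(data, pos, little_endian=True):
    """Translate the bytes starting at pos into every type that still fits, the way
    the Data Interpreter does for the cursor position (a selected block plays no
    role). Timestamps come back exactly as stored: FILETIME and Unix time labelled
    UTC, the DOS value naive, none of them shifted to local time."""
    e = "<" if little_endian else ">"
    remaining = len(data) - pos

    def unpack(fmt):
        return struct.unpack_from(e + fmt, data, pos)[0]

    out = {}
    if remaining >= 1:
        out["int8"], out["uint8"] = unpack("b"), unpack("B")
        out["binary"] = format(out["uint8"], "08b")
    if remaining >= 2:
        out["int16"], out["uint16"] = unpack("h"), unpack("H")
    if remaining >= 4:
        out["int32"], out["uint32"], out["float32"] = unpack("i"), unpack("I"), unpack("f")
        out["unix_time"] = EPOCH_1970 + timedelta(seconds=out["uint32"])
        out["dos_datetime"] = _dos_datetime(*struct.unpack_from(e + "HH", data, pos))
    if remaining >= 8:
        out["int64"], out["uint64"], out["float64"] = unpack("q"), unpack("Q"), unpack("d")
        try:
            out["filetime"] = EPOCH_1601 + timedelta(microseconds=out["uint64"] // 10)
        except OverflowError:            # past year 9999: not a plausible FILETIME
            out["filetime"] = None
    return out


def encode(value, typename, little_endian=True):
    """The reverse translation: a typed value back to the bytes that would be written
    at the cursor (only possible when the file is not opened read-only)."""
    if typename == "filetime":
        value = ((value - EPOCH_1601) // timedelta(microseconds=1)) * 10
        typename = "uint64"
    elif typename == "unix_time":
        value = (value - EPOCH_1970) // timedelta(seconds=1)
        typename = "uint32"
    return struct.pack(("<" if little_endian else ">") + STRUCT_FORMATS[typename], value)


# Constructed samples: the FILETIME value of the Unix epoch, and a DOS date/time.
SAMPLE_FILETIME = struct.pack("<Q", 116444736000000000)
SAMPLE_DOS = struct.pack("<HH", 0x68A5, 0x50CF)
```

Keeping the decoded value in UTC (or naive for DOS, whose stamps carry no zone at all) is what lets the examiner apply the case's time zone once, in the viewer or filter, instead of having each tool silently shift values.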
lly encrypted. Res: HFS resource fork. SEFS: NTFS encryption metadata. INDX: NTFS non-directory index attribute. ADS: NTFS alternate data stream. SC: found in a volume shadow copy. SUID: Set User ID. SGID: Set Group ID. File mode: l symbolic link, c character device, b block device, s socket, p pipe. Permissions: owner read/write/execute, group read/write/execute, other read/write/execute.

2.10 Technical Hints

Technical specifications:
- File systems supported for volumes > 2^32 sectors: NTFS, Ext, ReiserFS, Reiser4
- Maximum number of simultaneously open partitions and interpreted volume images: 99
- Maximum number of data windows: 1000
- Maximum number of simultaneous program instances: 99
- Maximum number of reversible keyboard inputs: 65535
- Encryption: 128/256 bit
- Offset presentation: hexadecimal, decimal

In most cases the progress display shows the completed percentage of an operation. However, during search and replace operations it indicates the relative position in the current file or disk.

Keys you specify for encryption/decryption are not saved on the hard disk. Provided that the corresponding security option is enabled, the key is store
lock if the context menu is switched off.

- Double-clicking left sets the block beginning.
- Single-clicking right sets the block end.
- Double-clicking the right button clears the block.
- You may want to define the block using the keyboard: SHIFT+arrow keys, or ALT+1 and ALT+2.
- Use the TAB key to switch between hexadecimal and text mode.
- Use the INS key to switch between insert and overwrite mode.
- ENTER displays the Start Center.
- ESC aborts the current operation, if any; otherwise it clears the block or dismisses an active dialog or template window.
- PAUSE stops or continues the current operation.
- F11 repeats the last Go To Offset command. CTRL+F11 works in the opposite direction from the current position.
- An ALT combination is a variant of the Go To Offset command, specifically to jump a certain number of sectors down; another ALT combination jumps a certain number of sectors up.
- SHIFT+F7 switches between three character sets.
- SHIFT+ALT+F11 repeats the last Move Block command.
- CTRL+SHIFT+M invokes an open evidence object's annotations.
- ALT+F2 recalculates the auto-hash (checksum or digest) after a file was modified.
- ALT+LEFT and ALT+RIGHT allow for switching between records within a template, just as the < and > buttons. ALT+HOME and ALT+END access the first and the last record, respectively. ALT+G moves the cursor in the edit window to the current template position and closes the t
lows copying the four hex values at the current position in reverse order into the clipboard. This is useful for following pointers.

6.5 Scripts

Some of the functionality of WinHex can be used in an automated way, e.g. to speed up recurring routine tasks or to perform certain tasks on unattended remote computers. The ability to execute scripts other than the supplied sample scripts is limited to owners of professional licenses or higher. Scripts can be run from the Start Center or the command line. While a script is executed, you may press Esc to abort. Because of their superior possibilities, scripts supersede routines, which were the only method of automation in previous versions of WinHex.

WinHex scripts are text files with the filename extension .whs. They can be edited using any text editor and simply consist of a sequence of commands. It is recommended to enter one command per line only, for reasons of visual clarity. Depending on the command, you may need to specify parameters next to a command. Most commands affect the file or disk presented in the currently active window. See Appendix B for a description of currently supported script commands.

6.6 X-Tensions API

Automate investigative tasks and extend the functionality of X-Ways Forensics with X-Tensions. The new X-Ways Forensics X-Tension API (application programming interface) allows you to use many of the advanced capabilities of the X-Ways Forensics computer software program
lter for duplicates: Ability to filter for duplicates of a single selected file that are also currently listed in the directory browser (only if a hash value is available for the selected file and the other files). Actually filters for that hash value at that time, and thus does not depend on previous mass identification of duplicate files using the above-mentioned command Exclude Duplicates (in directory browser, based on hash). In X-Ways Investigator, the actual hash values are not displayed and cannot be computed, but they are imported from evidence file containers that come with hash values for files.

Mark hit as notable: In a search hit list, marks selected hits with a yellow flag and includes them in the list of notable search hits. You may also press the space bar to mark a hit as notable or to remove that mark.

Save hit permanently: In a search hit list filled with index search hits, allows to permanently save selected hits under the search term used. By default, index search hits are not saved, as they can be listed again easily within a few seconds due to the nature of index searches.

5.2 Data Window Context Menu

When you right-click the hex editor display (consisting of offset column, hex column and text column) of a file or a disk, you will get a context menu that allows you to define the boundaries of the block (start and end) and to invoke a few more commands that apply to that block.

Add to User Search Hits (forensic license onl
4 Volume Snapshots and their Refinement 59
4.1 Introduction 59
4.2 Refinement at the Volume/Sector Level 60
4.2.1 Run X-Tensions 60
4.2.2 Particularly thorough file system data structure search 60
4.2.3 File Header Signature Search 61
4.2.4 Block-wise Hashing and Matching 62
4.3 Refinement at the File Level 62
4.3.1 Hash Value Computation and Matching 63
4.3.2 File Type Verification 63
4.3.3 Extraction of Internal Metadata 64
4.3.4 Archive Exploration 65
4.3.5 E-mail Extraction 65
4.3.6 Uncovering Embedded Data 67
4.3.7 Extraction of Video Stills 68
4.3.8 Picture Processing 69
4.3.9 Detection of Encryption 70
4.3.10 S
matically and extend them with your own functionality. For example, you could implement some specialized file carving for certain file types, automated triage functionality, alternative report generation, or automatically filter out unwanted search hits depending on your requirements, etc. Among other things, X-Tensions allow you to read from a disk/partition/volume/image, retrieve abundant information about each file and directory in the volume snapshot, read from any file, create new objects in the volume snapshot, assign files to report tables, add comments to files, process/validate/delete search hits, and do practically everything else that is possible with a Windows program, thanks to the Windows API. You can use your programming language of choice (e.g. C, Delphi or Visual Basic) and do not have to learn any new programming language. You can use your compiler of choice, for example Visual Studio Express (freeware). Since an extension is not an interpreted script but regular compiled executable code that is running in the address space of the application itself, you can expect highest performance, the same as with internally implemented functionality. The flip side of running in-process is that an X-Tension has exactly the same access to the examiner's system and to the evidence as X-Ways Forensics itself, so only load X-Tensions whose origin you trust. X-Tensions give you easy and direct access to crucial and powerful functions deep inside X-Ways Forensics.

When: X-Tension functions can get called when refining the volume snapshot, when running a simultaneous search, via the directory browser context menu, in
may place your order online at http://www.x-ways.net/winhex/api/. Volume discount available on request; please specify the number of licenses you are interested in. One WinHex API license is needed per end user computer. The product will be licensed to you (you will be the actual owner of the licenses), but any of your customers may use them. The end user does not have to take care of anything related to WinHex.

6.8 Disk Editor

The disk editor that is part of the Tools menu allows you to access floppy and hard disks below the file system level. Disks consist of sectors, commonly units of 512 bytes. You may access a disk either logically (i.e. controlled by the operating system) or physically (controlled by the BIOS). On most computer systems you can even access CD-ROM and DVD media. There is an optional raw mode for optical drives that allows to read from audio CDs and also the complete 2352-byte sectors on data CDs (CD-ROM and Video CDs) that contain error correction codes.

Opening a logical drive means opening a contiguous, formatted part of a disk (a partition) that is accessible under Windows as a drive letter. It's also called a volume. WinHex relies on Windows being able to access the drive. Opening a physical disk means opening the entire medium as it is attached to the computer (e.g. a hard disk), including all partitions. It could also be called the raw device. The disk normally does not need to be properly formatted in order to open
me snapshot, namely a file with the .dll extension. That file is found to be actually another Zip archive. Consequently, that archive will be explored and the .dll file inside will be detected as a .doc file. Searching for embedded pictures, X-Ways Forensics finds the JPEG file in the .doc file and can immediately check it for skin colors if desired. All of this happens in a single step.

Important note: Except for indexing, X-Ways Forensics conveniently remembers for each and every file in the volume snapshot which refinement operations have already been applied to it, so that the file will not unnecessarily be processed again, which would lead to undesirable duplication of child objects, waste of time, etc. It does not remember the individual suboptions of each operation (e.g. whether "Create previews of browser databases" was selected for the metadata extraction) and cannot catch up on these suboptions individually. If for any reason you wish to apply certain operations again to the same file (e.g. then with different suboptions, or after having updated the signature database for file type verification), you may reset a file to the state of "still to be processed by volume snapshot refinement" by selecting it and pressing Ctrl+Del. This will also clear any computed skin color percentages, extracted metadata, hash values, hash matches, etc. However, this function does not remove any child objects from the volume snapshot. That would have to be done by the
mmand again after file operations on a drive to keep the information displayed by WinHex up to date. Cf. Security options.

Initialize Free Space: Confidential information is possibly stored in currently unused parts of a drive as a result of normal delete, copy and save actions. Free space on a drive can be initialized for security reasons. This effectively overwrites all data in unused parts of the disk and makes it impossible to recover this data from the volume's addressable free space; sectors that the drive has remapped, or that an SSD keeps in over-provisioned flash, are outside the reach of any software overwrite. Available for partitions opened as drive letters. Available in WinHex only, not in X-Ways Forensics.

Initialize Slack Space: Overwrites slack space (the unused bytes in the respective last clusters of all cluster chains, beyond the actual end of a file) with zero bytes. This may be used in addition to Initialize Free Space to securely wipe confidential data on a drive, or to minimize the space a compressed disk backup (like a WinHex backup) requires. Close any running or resident program that may write to the disk prior to using this command. Available in WinHex only, not in X-Ways Forensics.

Initialize MFT Records: On NTFS volumes, WinHex can clear all currently unused MFT (Master File Table) FILE records, which may contain metadata (e.g. names) and even contents of previously existing files. Available in WinHex only, not in X-Ways Forensics.

Initialize Directory Entries: On FAT volumes, WinHex can clear all currently unused directory entries to thoroughly remove traces of previously existing
moves the mark. You can also right-click the tag area of a file in the directory browser to mark it as already viewed or to remove that mark. A directory is considered viewed if all the files and subdirectories that it contains are flagged as such.

Various columns are available in the directory browser. They are all optional. They are displayed if they have a non-zero column width (in pixels), or hidden if their width is zero. It is possible to redefine the order of the columns in the directory browser. This will also change the order of the fields in the case report (i.e. in report tables), on print cover pages, in exported file listings and in the Export/Copy log. You can select a column for relocation by clicking its radio button. Then use the vertical scrollbar that appears at the top. You can reset the column order to the default one by right-clicking that scrollbar.

Filters: The following can be dynamically filtered out by choosing to not list it:
- Existing files (useful if you are merely interested in previously existing files, which could reside in existing directories)
- Previously existing files and directories
- Tagged files and directories
- Half-tagged files and directories (that contain at least 1 tagged and at least 1 untagged file)
- Untagged files and directories
- Files that are marked as already viewed
- Files that are not marked as already viewed
- Excluded files and directories (marked as excluded in the
n IfEqual command block is terminated with an EndIf statement. If the compared expressions are equal, template interpretation continues after IfEqual. Optionally, IfEqual can be followed by an Else statement. The template processor branches into the Else block if the expressions are not equal. IfEqual commands must not be nested. IfGreater is similar to IfEqual. The condition is true if the first expression is greater than the second. Strings and hex values are compared lexicographically.

In order to facilitate reading and navigating the template, you may define groups of variables that are separated by empty space in the dialog box, enclosed between a section statement and an endsection statement. The section, endsection and numbering statements do not advance the current position in the data to be interpreted.

There are two commands that do not declare variables either, but are explicitly used to change the current position. This can be done to skip irrelevant data (forward movement) or to be able to access certain variables more than once as different types (backward movement). Use the move n statement to skip n bytes from the current position, where n may be negative. goto n navigates to the specified absolute position from the beginning of the template interpretation (must be positive). gotoex n jumps to the specified absolute position based on the start of the data window (e.g. file or disk). The following example demonstrates how to access a var
n. The first timestamp is an access date, the second one is a creation date. If no timestamps can be output, these are artifacts from RecentDocs.

Format of entries in Reg Report.txt: type <tab> registry path <tab> description <linefeed>

Type definition: a type that applies to any Windows version; NT for Windows NT through XP; VT for Windows Vista and 7; FE for a new function without absolute paths; FR for a query in free space of the hive.

Registry path: Full path of registry keys. HKLM = HKEY_LOCAL_MACHINE, HKCU = HKEY_CURRENT_USER. If an asterisk is provided as the last key, all keys on the same level and deeper and their values will be included in the report. Example: NT <tab> HKLM\Software\Microsoft\Windows\CurrentVersion\* <tab> report whole Windows branch. If you wish to report a particular value that exists in all subkeys of a certain key, you can as well write an * for all subkeys and include the value name after that.

The generated report contains the registry path with its timestamp, the filename of the registry hive that the key was found in, the description that was provided in the Reg Report.txt file, and the value. The description field may contain an additional statement at the end that starts with a special character. If that character is followed by a numeric character n, the n-th element of the registry path will be appended to the description in the report. This can be very useful if the path, and not the value (or not only the value), contains
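The definition format above is simple enough to reimplement, and doing so shows precisely which keys the two wildcard forms reach. The following Python is an added example for this page, not X-Ways code: it parses type/path/description lines, resolves them against a constructed in-memory registry tree standing in for parsed hives, and emits report rows. Assumptions beyond the text: an empty type field means "any Windows version", lines starting with ";" are comments, a path that names a key without a wildcard reports that key's own values, and the version filter treats FE and FR entries as always applicable.

```python
# Constructed registry tree: each key is {"keys": {...}, "values": {...}}. This stands
# in for real hives; nothing here was read from a system.
def _key(values=None, keys=None):
    return {"values": values or {}, "keys": keys or {}}

HIVES = {
    "HKLM": _key(keys={"Software": _key(keys={"Microsoft": _key(keys={"Windows": _key(keys={
        "CurrentVersion": _key(values={"ProductName": "Windows 7"},
                               keys={"Run": _key(values={"Updater": "C:\\tmp\\u.exe"})})})})})}),
    "HKCU": _key(keys={"Software": _key(keys={"App": _key(keys={
        "1.0": _key(values={"InstallPath": "C:\\App1"}),
        "2.0": _key(values={"InstallPath": "C:\\App2"}),
    })})}),
}

TYPES = {"NT", "VT", "FE", "FR"}
VERSION_GROUPS = {"NT": {"NT", "2000", "XP"}, "VT": {"Vista", "7"}}


def applies(typ, windows_version):
    """Version filter: NT and VT restrict the entry, everything else always applies."""
    group = VERSION_GROUPS.get(typ)
    return group is None or windows_version in group


def parse_definitions(text):
    """Parse Reg Report.txt lines: type <tab> registry path <tab> description."""
    defs =[]
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):      # assumption: ';' comments
            continue
        typ, path, desc = line.split("\t", 2)
        if typ and typ not in TYPES:
            raise ValueError(f"unknown type {typ!r} in {line!r}")
        defs.append((typ, path.split("\\"), desc))
    return defs


def _walk(node, path):
    """Yield (path, node) for node and every key beneath it."""
    yield path, node
    for name, child in node["keys"].items():
        yield from _walk(child, path + [name])


def report(defs, hives=HIVES, windows_version=None):
    """Resolve each definition against the tree; rows are (key path, value name,
    data, description). A trailing '*' reports the whole branch recursively,
    '*\\ValueName' reports one value from every direct subkey."""
    rows = []
    for typ, parts, desc in defs:
        if windows_version is not None and not applies(typ, windows_version):
            continue
        node, prefix, rest = hives.get(parts[0]), parts[:1], parts[1:]
        while rest and rest[0] != "*" and node is not None:   # descend literal keys
            node = node["keys"].get(rest[0])
            prefix.append(rest[0])
            rest = rest[1:]
        if node is None:
            continue                                            # key absent in this hive
        if not rest:                                            # plain key: own values
            rows += [("\\".join(prefix), n, v, desc) for n, v in node["values"].items()]
        elif rest == ["*"]:                                     # whole branch
            for p, n in _walk(node, prefix):
                rows += [("\\".join(p), vn, vv, desc) for vn, vv in n["values"].items()]
        elif rest[0] == "*" and len(rest) == 2:                 # one value per subkey
            for name, child in node["keys"].items():
                if rest[1] in child["values"]:
                    rows.append(("\\".join(prefix + [name]), rest[1], child["values"][rest[1]], desc))
        else:
            raise ValueError("'*' is only supported as the last key or directly before a value name")
    return rows
```

Note that the branch wildcard also reaches the Run key, which is usually the point: persistence entries live under keys you did not enumerate by hand.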
n Preview or with the View command in the context menu, you see the internal graphics viewing library or the separate viewer component at work: right-click the displayed picture. If a context menu appears, you are dealing with the viewer component.

Registry Viewer

MS Windows maintains an internal database called registry, which contains all important settings for the local system and installed software in a tree-like structure. The data is persistently stored in files called registry hives. You can open and view hives by double-clicking them in the directory browser or using the context menu. This will open them in the integrated registry viewer. Supported formats are NT/2K/XP/Vista/7 hives. Win9x and WinMe hives can only be loaded by the registry viewer of X-Ways Forensics 15.9 and earlier. NT/2K/XP/Vista/7 hives are located in the file ntuser.dat in a user profile and in the directory system32\config. Up to 32 hives can be opened in the registry viewer at the same time. The registry viewer has the ability to find deleted keys and values in hives that contain unused space, and lost keys/values in damaged or incomplete hives. If no complete path is known for keys, they will be listed as children of a virtual key called "Path unknown". With a right-click, a pop-up menu can be opened anywhere in the window, which lets you invoke the commands Search and Continue Search. Clicking Search invokes a dialog that lets you specify a searc
n is active by default only if the program determines that it is running on the user's own system, i.e. if it is executed from the C: drive or if it was installed using the setup program. The check does not occur when running the program for the first time, so that you definitely have a chance to turn off this option before anything happens. Given the fact that most systems on which X-Ways Investigator and X-Ways Forensics are run do not have an Internet connection, this option has a limited effect.

About WinHex: Displays information about WinHex, the program version, your license status and more.

5.14 Windows Context Menu

The Windows shell displays the context menu when the user clicks an object with the right mouse button. WinHex is present in the context menu only if you enable the corresponding option (see General Options).

Edit with WinHex: Opens the selected file in WinHex.

Open in WinHex: Lets you open all files of the selected folder in WinHex, just like the Open Folder command of the File menu.

Edit Disk: Opens the selected disk in the disk editor of WinHex. If you hold the SHIFT key, the corresponding physical disk (if any) is opened instead of the selected logical drive.

WinHex provides its own context menus on the status bar, in the Data Interpreter and in the Position Manager.

6 Some Basic Concepts

6.1 Start Center

The so-called Start Center is a dialog window that is optionally displayed at startup and is meant as
n to anything other than Dummy. The table "Attached devices by serial number" is created according to the algorithm that Harlan Carvey describes in chapter 4 of his book. Furthermore, you can find the tables "Partitions by disk signature", "Windows portable devices", "Drivers installed", "File systems installed", "Services installed", "Networks" and "Network cards". Another table is called "Browser Helper Objects", compiled with data from the hives NTUSER.DAT and SOFTWARE about browser usage. "External Memory Devices" is a table which can be retrieved from Software hives of Windows Vista and later that lists external media with access timestamps, hardware serial number, volume label, volume serial number and volume size (size often only under Vista). Select the definition file Reg Report Devices.txt to get the table.

3.10 Mode Buttons

When examining a logical drive, partition or image file with a file system supported by WinHex, there are several buttons that determine the display in the lower half of the window, below the directory browser (forensic licenses only).

Disk/Partition/Volume/Container: Previously labeled Sectors, this default view shows the binary data in all sectors of the disk/partition/volume/container represented by the active data window, as hexadecimal code, as text, or both. Offsets and sector numbers are relative to the start of the respective disk/partition/volume/container.

File: Looks similar to Disk/Parti
nRAR or 7-Zip etc. before passing it on to other users. The compression rate will be unusually high if the skeleton image is only sparsely populated, and the speed of reading extremely high, because undefined/unallocated areas do not have to be read from the disk. For your own use you can just keep it as is, since it does not use as much drive space as the nominal file size suggests, thanks to NTFS sparse storage. If you wish to copy the raw skeleton image, be sure to copy it as a sparse file (can be done in X-Ways Forensics using the Tools | File Tools | Copy Sparse command), so that the copy will also be a sparse file and only takes as much drive space as the original file. A conventional copy command would copy even the vast unused and unallocated areas within the sparse file as binary zeroes.

To verify that the data transferred to a skeleton image has not changed, such an image can be hashed entirely, just like an ordinary image. Alternatively, and much quicker, you can use the command Verify Skeleton Image to hash only those sector ranges again that were actually transferred according to the log file, reading from the skeleton image, and compare the hash values to those in the log file. Then, to verify that the log file has not changed, it will be hashed itself, and the resulting highly valuable, all-encompassing master hash value is compared to the hash value stored in the optional log-log file, if that file was created. It might be desirabl
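The two-level verification just described (per-range hashes in a log, then a master hash over the log) is worth seeing end to end, including what it does and does not catch. The following Python is an added example for this page, not X-Ways code and not the real log format: it models a skeleton image as a nominally full-size image in which only transferred ranges hold data (the role NTFS sparse storage plays for the real file), writes a simple "offset,length,sha256" log, and implements the verification. Sector size, the 1 MiB nominal size and the two transferred ranges are constructed assumptions.

```python
import hashlib

SECTOR = 512


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class SkeletonImage:
    """Nominally full-size image of which only selected sector ranges were transferred;
    everything else reads as zeros, exactly what a sparse file returns for holes."""

    def __init__(self, nominal_size):
        self.nominal_size = nominal_size
        self.ranges = {}      # start offset -> bytes actually transferred
        self.log = []         # (start, length, sha256) per transferred range

    def transfer(self, start, data):
        assert start % SECTOR == 0 and len(data) % SECTOR == 0, "sector aligned only"
        self.ranges[start] = bytes(data)
        self.log.append((start, len(data), sha256(data)))

    def read(self, start, length):
        buf = bytearray(length)                       # holes read as zeros
        for rstart, rdata in self.ranges.items():
            lo, hi = max(start, rstart), min(start + length, rstart + len(rdata))
            if lo < hi:
                buf[lo - start:hi - start] = rdata[lo - rstart:hi - rstart]
        return bytes(buf)

    def log_text(self):
        return "".join(f"{s},{n},{h}\n" for s, n, h in self.log)

    def master_hash(self):
        """Hash over the log itself: the one value worth storing separately (log-log)."""
        return sha256(self.log_text().encode())


def full_hash(image):
    """The slow path: hash the entire nominal image, holes included."""
    return sha256(image.read(0, image.nominal_size))


def verify_skeleton(image, log_text, expected_master_hash):
    """Re-hash only the logged ranges and compare with the log, then hash the log and
    compare with the separately stored master hash. Returns (ranges_ok, log_ok)."""
    log_ok = sha256(log_text.encode()) == expected_master_hash
    ranges_ok = True
    for line in log_text.splitlines():
        start, length, digest = line.split(",")
        if sha256(image.read(int(start), int(length))) != digest:
            ranges_ok = False
    return ranges_ok, log_ok


def build_sample():
    """Constructed skeleton: a 1 MiB disk of which only a boot-sector-like range and
    one later range were transferred."""
    img = SkeletonImage(1 << 20)
    img.transfer(0, b"\x33\xC0\x8E\xD0" + b"\x00" * (SECTOR - 4))
    img.transfer(64 * SECTOR, b"FILE-RECORDS".ljust(4 * SECTOR, b"\x00"))
    return img
```

The last test below is the caveat: Verify Skeleton Image, by design, only looks at the ranges the log says were transferred, so data planted in a hole is invisible to it and only the full-image hash notices. The range check proves the transferred evidence is intact; it does not prove nothing was added.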
naes 103
7.2 File Recovery by Type (File Header Signature Search) 103
7.3 File Type Definitions 106
7.4 Manual Data Recovery 108
8 Options 109
8.1 General Options 109
8.2 Directory Browser Options 114
8.3 Volume Snapshot Options 118
8.4 Undo Options 120
8.5 Security Options 121
8.6 Search Options 122
8.7 Replace Options 126
9 Miscellaneous 127
9.1 Block 127
9.2 Modify Data 127
9.3 Conversions 128
9.4 Sector Superimposition 129
9.5 Wiping and Initializing 130
9.6 Disk Cloning 131
9.7 Images and Backups 132
9.8 Hints on Disk Cloning, Imaging, Image Restoration 136
9.9 Skeleton Images 137
9.10 Backup Manager 140
9.11 Reconstructing RAID Systems
nager (cf. Backups).

Execute: Executes the current file if executable, or otherwise the associated program.

Print: Use this command to print a file, disk sectors or RAM contents. Define the printing range via offsets. You may select and set up a printer. Choose the character set for printing and accept or change the suggested font size. The recommended font size is calculated as follows: print resolution (e.g. 720 dpi) divided by 6 (e.g. 120). If desired, you may enter a comment, which will be printed at the end. In case you need more flexibility with printing, you can define a block and copy it using Edit > Copy > Editor Display (as hex-editor-formatted text) into the clipboard. You may paste it in your favorite word processor. It should look perfect in Courier New 10 pt.

Properties: Allows you to edit the size, the timestamp and the attributes of a file or a directory in your own Windows system (in WinHex only). Changeable attributes are A (to be archived), S (system), H (hidden), R (read-only), X (not to be indexed), T (temporary). After entering new values in any area (size, timestamps or attributes), simply press the ENTER key to apply them. Click the button with the ellipsis to select a new file, or enter path and name directly into the edit box next to that button and press the ENTER key. The latter will also work for a directory.

Open Directory: Opens a window that represents a directory on your own computer and allows you to see
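The attribute letters used by the Properties dialog above, and the Unix permission, file mode, SUID/SGID and partial-initialization symbols of the Attr. column legend (topic 2.9), both come from raw bit fields. Here is an added example for this page, not X-Ways code, that decodes both kinds: the Windows side maps the letters to the FILE_ATTRIBUTE_* bits from winnt.h, the Unix side renders st_mode the way ls -l does (s/S and t/T in the execute positions) and derives the SUID/SGID legend flags, and a last helper expresses the NTFS/exFAT valid-data-length rule. The letter order and the sample values are assumptions.

```python
import stat

# FILE_ATTRIBUTE_* bits (winnt.h) behind the letters of the Properties dialog.
WIN_ATTR_BITS = [
    (0x0020, "A"),   # FILE_ATTRIBUTE_ARCHIVE: to be archived
    (0x0004, "S"),   # FILE_ATTRIBUTE_SYSTEM
    (0x0002, "H"),   # FILE_ATTRIBUTE_HIDDEN
    (0x0001, "R"),   # FILE_ATTRIBUTE_READONLY
    (0x2000, "X"),   # FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
    (0x0100, "T"),   # FILE_ATTRIBUTE_TEMPORARY
]


def windows_attr(attrs):
    """Letters for the attribute bits that are set, in the dialog's order."""
    return "".join(letter for bit, letter in WIN_ATTR_BITS if attrs & bit)


def unix_filemode(mode):
    """Render st_mode like ls -l: one type character plus three rwx triplets, with
    SUID/SGID shown as s (or S if not executable) and the sticky bit as t/T."""
    type_tests = [
        (stat.S_ISLNK, "l"), (stat.S_ISCHR, "c"), (stat.S_ISBLK, "b"),
        (stat.S_ISSOCK, "s"), (stat.S_ISFIFO, "p"), (stat.S_ISDIR, "d"),
    ]
    out = [next((ch for test, ch in type_tests if test(mode)), "-")]
    for shift, special_bit, special_char in ((6, stat.S_ISUID, "s"),
                                             (3, stat.S_ISGID, "s"),
                                             (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 7                     # rwx triplet for owner/group/other
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special_bit:
            out.append(special_char if bits & 1 else special_char.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def attr_symbols(mode):
    """Legend symbols derived from the mode: the privilege-escalating bits worth
    filtering for on a Unix volume."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("SUID")
    if mode & stat.S_ISGID:
        flags.append("SGID")
    return flags


def partially_initialized(valid_data_length, logical_size):
    """NTFS/exFAT: bytes beyond the valid data length were never written and read as
    zeros, so the on-disk clusters there may still hold older data."""
    return valid_data_length < logical_size
```

A filter for "SUID" in the legend symbols is the quick way to list every set-user-id binary on an imaged Linux or macOS volume; the rendering function exists so the full mode string can go into a report next to it.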
named/moved files and directories that were known to the volume snapshot before, or deleted files that the volume snapshot was not aware of before (without file contents, though). Deleted files can often also be reconstructed with file contents thanks to $LogFile (NTFS). With a forensic license, existing or previously existing volume shadow copy host files are examined for valuable information that would not be available otherwise, such as files that cannot be found in the current $MFT any more, or previous versions of files whose contents have changed. Those files will be reconstructed (up to 1 GB in length) according to the shadow copy. As always, X-Ways Forensics makes an extra effort to prevent duplicates from being added to the volume snapshot. Processing of volume shadow copies (if any) occurs before all the other operations that are part of the particularly thorough file system data structure search (parsing $LogFile, optionally searching for FILE records outside of $MFT and outside of VSCs, searching for index records in the slack of INDX buffers). If there are volume shadow copies, the caption of the small progress indicator window will tell you when they are being parsed. Volume shadow copy host files that you exclude before processing will be omitted. Files found in volume shadow copies are specially marked with "SC" in the Attr. column, or "SC prev. version" if they are previous versions of files that were known to the volume snapshot already befo
ndex creation, there is the option to have a common metadata subdirectory for the search index, which saves drive space, accelerates access because of synergetic file buffering in Windows, and facilitates handling of the search index files. Such a shared metadata directory for search index files (.xfi files) is used for both index creation and index search, however only if it is specifically created by the user, i.e. if it exists when needed. It is expected as a subdirectory of the directory where the image file is located, with the same base name as the image files (without extension) and the suffix " Metadata". E.g. if the name of the image is "Smith HD1.e01", then the expected name of the corresponding subdirectory is "Smith HD1 Metadata". If you prefer to store the index files on a different drive for performance reasons, simply create the metadata directory as an NTFS reparse point that redirects to a different drive, but this, and whether this feature is used at all, is at the user's discretion.

Search in Index: After indexing files, you may search the index for keywords very quickly. All files with the extension .xfi in the metadata subdirectory of the respective evidence object will be searched. Type in one or more search terms, 1 per line, and start the search. Anything in excess of the maximum word length used for indexing is ignored, so that "ridiculous" is found in the index even if in the index that word was truncated to "ridicu
ng: Allows you to accelerate index creation in time-critical cases. If n computers open the same case file from a shared network drive and participate in indexing the same evidence object(s), each computer can index approx. 1/n of the total data (may vary depending on the size of very large files within the volume snapshot). If all resulting index files (.xfi files) are created or eventually collected in the same metadata folder, they are treated exactly like an index created by just one computer. To ensure that no part of the volume snapshot is indexed twice or accidentally left out, all participants need to agree on the same index settings and get unique numbers assigned. E.g. if 9 computers are involved, each of the numbers 1 to 9 needs to be specified for indexing exactly once. When using distributed indexing, X-Ways Forensics tries to detect differences in the index settings used by the various participants (options such as code pages, substring support, character pool etc.). If detected, at least one of the participants will be warned before indexing starts on that machine. Obviously, in a shared indexing effort the settings should be the same everywhere. When multiple examiners share the same image file, yet each works with their own case file because they examine different aspects of the same case, or when providing non-IT examiners with evidence file containers and pre-compiled search indexes, or when using the distributed indexing feature to accelerate i
ng the directory entry template, starting with the directory that contained D. Deleted files and directories are marked with the character hexadecimal E5 as the first letter in their name. You may encounter the problem that the file to recover is fragmented, i.e. not stored in subsequent, contiguous clusters. On FAT drives, the next cluster of a file can be looked up in the file allocation table at the beginning of the drive (simple templates to do this can be found on the web site), but this information is erased when a file is deleted.

8 Options

8.1 General Options

1st column:

• At startup, WinHex can optionally show the Start Center or restore the last window arrangement (all windows with their sizes and positions as you left them in the preceding WinHex session).

• Specify the number of recently opened documents to remember and to list in the Start Center (255 at max). Up to 9 of them are also listed at the end of the File menu.

• You may have WinHex appear in the Windows context menu. The shell displays the context menu when the user clicks an object with the right mouse button. WinHex provides menu items for files, folders and disks. If this option is not fully selected, there is no menu item for files.

• The option "Allow multiple program instances" allows you to execute WinHex more than once at a time. If not checked, WinHex makes the main window of the previous instance the foreground window instead of cr
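The FAT recovery passage above (0xE5 marker, cluster chain in the FAT, chain lost on deletion) as an added worked example in Python. This is not code from the manual or from WinHex; the directory entry and the FAT16 table are constructed for the example, and the "contiguous guess" strategy for deleted files is exactly the assumption the text warns about: it is wrong whenever the file was fragmented.

```python
import struct

# Added example (not from the WinHex manual): decode a FAT 8.3 directory entry,
# detect the 0xE5 "deleted" marker and plan the recovery of the file's clusters.
# The directory entry and FAT16 table below are constructed for this example.
DELETED_MARK = 0xE5
FAT16_EOC = 0xFFF8          # cluster values >= this mark the end of a chain


def build_dir_entry(name: bytes, ext: bytes, first_cluster: int, size: int,
                    deleted: bool = False) -> bytes:
    """Build a 32-byte short-name directory entry (layout per the FAT specification)."""
    short = name.ljust(8, b" ")
    if deleted:
        short = bytes([DELETED_MARK]) + short[1:]   # first character replaced by 0xE5
    return (short + ext.ljust(3, b" ")
            + bytes([0x20])                           # attributes: archive
            + b"\x00" * 8                             # NT flags, creation/access stamps
            + struct.pack("<H", first_cluster >> 16)  # high word of first cluster (FAT32)
            + b"\x00" * 4                             # last write time/date
            + struct.pack("<H", first_cluster & 0xFFFF)
            + struct.pack("<I", size))


def parse_dir_entry(entry: bytes) -> dict:
    assert len(entry) == 32
    deleted = entry[0] == DELETED_MARK
    name = entry[1:8] if deleted else entry[0:8]     # first letter is lost if deleted
    hi, = struct.unpack_from("<H", entry, 20)
    lo, = struct.unpack_from("<H", entry, 26)
    size, = struct.unpack_from("<I", entry, 28)
    return {"deleted": deleted,
            "name": name.rstrip(b" ") + b"." + entry[8:11].rstrip(b" "),
            "first_cluster": (hi << 16) | lo, "size": size}


def follow_chain(fat: list, first: int, limit: int = 10_000) -> list:
    """Walk a FAT16 cluster chain; stops at end-of-chain, a free (0) entry or a loop."""
    chain, cur = [], first
    while 2 <= cur < FAT16_EOC and len(chain) < limit:
        if cur in chain:
            raise ValueError("cluster chain loops at %d" % cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def plan_recovery(entry: bytes, fat: list, cluster_size: int) -> dict:
    info = parse_dir_entry(entry)
    needed = -(-info["size"] // cluster_size)          # ceil(size / cluster_size)
    if not info["deleted"]:
        return {"strategy": "chain", "clusters": follow_chain(fat, info["first_cluster"])}
    # A deleted file's FAT entries are zeroed, so the chain cannot be followed;
    # the only option left is to assume the file was stored contiguously.
    start = info["first_cluster"]
    return {"strategy": "contiguous-guess",
            "clusters": list(range(start, start + needed))}


def demo() -> dict:
    cluster_size = 1024
    # Constructed FAT16: cluster 3 -> 5 -> 7 -> end of chain; clusters 2, 4, 6 are free.
    fat = [0xFFF8, 0xFFFF, 0, 5, 0, 7, 0, 0xFFFF]
    live = build_dir_entry(b"FILE", b"TXT", 3, 2500)
    live_plan = plan_recovery(live, fat, cluster_size)
    # After deletion: 0xE5 in the name and the chain entries cleared in the FAT.
    fat_after = list(fat)
    for c in live_plan["clusters"]:
        fat_after[c] = 0
    gone = build_dir_entry(b"FILE", b"TXT", 3, 2500, deleted=True)
    return {"live": live_plan,
            "deleted": plan_recovery(gone, fat_after, cluster_size),
            "deleted_name": parse_dir_entry(gone)["name"]}
```

Running demo() shows the point of the passage: the live file's chain is 3, 5, 7, but once the FAT entries are zeroed the deleted file can only be reconstructed as 3, 4, 5, so a fragmented file comes back with the wrong middle and tail clusters.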
9.12 Position Manager 143
9.13 Data Interpreter 143
9.14 Scripts 144
Appendix A: Template Definition 146
1 Header 146
2 Body: Variable Declarations 147
3 Body: Advanced Commands 148
4 Body: Flexible Integer Variables 150
Appendix B: Script Commands 150
Appendix C: Master Boot Record 158

1 Preface

1.1 About WinHex and X-Ways Forensics

Copyright 1995-2014 Stefan Fleischmann, X-Ways Software Technology AG. All rights reserved.

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

Web: http://www.x-ways.net
Product homepage: http://www.x-ways.net/winhex
Ordering: http://www.x-ways.net/winhex/order.html
Support forum: http://www.winhex.net
Fax: +49 3212 123 2029
E-mail address: mail@x-ways.com

Registered in Bad Oeynhausen, HRB 7475. CEO: Stefan Fleischmann. Board of directors: chairwoman Dr. M. Horstmey
not indicating the beginning of a file. Individual flags in the file type definition database can help, on a per-file-type basis, to decide which files to search for at cluster, sector or byte boundaries. That the start sectors of files that are already known to the volume snapshot are excluded from file carving is optional. Of course X-Ways Forensics generally still tries to prevent duplicates, but if the file header signature definition or the internal file size detection is strong enough to suggest that a known deleted file was overwritten with a new file, then that new file will be carved although it shares the same start sector with the known file. If you intentionally abort the file header signature search, or if the file header signature search causes X-Ways Forensics to crash, the next time you start a file header signature search in the same evidence object you will find an option to resume it right where it was interrupted, or where it was when the volume snapshot was last saved before the crash occurred (depends on the auto-save interval of the case). You may limit the scope of the recovery to a currently selected block if necessary and/or to allocated or unallocated space (option available on a logical drive or volume). E.g. in order to recover files that were deleted, you select to recover from unallocated space only. Files that are not accessible any more because of file system errors may still be stored in clusters that are consider
ns, especially on slow media such as CDs and DVDs, e.g. when you compute hashes or skin color percentages for files in a volume snapshot, because Microsoft Windows employs read-ahead mechanisms and maintains a file caching system. Another benefit is that files opened with the help of the operating system are editable in WinHex. Limitation: Files on multi-session CDs and DVDs cannot be read that way.

8.6 Search Options

Case sensitive: By default, a search is case-sensitive, so that upper and lower case characters are distinguished and e.g. "Option" (with a capital O) is not found in the word "optionally". By unchecking the checkbox, you search for all upper case/lower case variants of the search terms. Searches can be fully case-insensitive only with the Simultaneous Search; with the Find Text command, only for letters from the Latin/English alphabet and German umlauts.

Unicode: The specified text is searched in UTF-16 Little Endian. The Simultaneous Search allows you to search for the same text at the same time in Unicode and in two different code pages.

Wildcards: You may specify a wildcard (one character or a two-digit h
ex value) which represents one byte. For example, this option can be used to find "Speck" as well as "Spock" when searching for "Sp?ck" with the question mark as the wildcard.

Only whole words: The search term is found only if it occurs as a whole word, i.e. if delimited from other words by any character other than a-z
ntents, or any sectors in unpartitioned no man's land. A skeleton image is typically sparsely populated with data, with vast areas in between remaining undefined, so that it makes sense to utilize NTFS sparse file technology for it. Unwritten areas in the skeleton image will act as if zeroed out when read later. You start skeleton imaging by invoking the File | Create Skeleton Image menu command. Which sectors from then on will be copied into the image is defined indirectly, by making X-Ways Forensics read those sectors from the source disk that are needed for a certain purpose. When the target image is open in the background, you next typically open the disk or partition, or open and interpret the image, that you wish to acquire partially. That way it will be automatically defined as the source, and that way even the read operations during the important opening or interpretation step are triggered already, when partition tables and boot sectors have to be parsed, so that these essential data structures that define partitions and identify file systems are included in the skeleton image. So after opening a partitioned physical disk you have a basic skeleton in your target image: partition tables pointing to partition boot sectors (or nested partition tables), whose function is to support all the other data in between (file system data and user data). If you also wish to ensure that from the skeleton image it is possible to take a volume snapshot of a certain par
nticity is verified before the sectors are written directly to the disk. The backup manager also allows you to delete backups which you do not need any longer. Backups that were created for internal use by the Undo command can be deleted by WinHex automatically (cf. Undo Options). Backup files that are maintained by the backup manager are located in the folder specified in the General Options dialog. Their filenames are xxx.whx, where xxx is a unique three-digit identification number. This number is displayed in the last column of the backup manager list.

9.11 Reconstructing RAID Systems

WinHex and X-Ways Forensics can internally destripe RAID level 0, 5, 5EE and 6 systems as well as JBODs consisting of up to 16 components. The components may be physical hard disks or images of physical disks (for hardware RAIDs) or partitions (for Linux software RAIDs). Components that are available as images need to be opened and interpreted before you use this function. You need to select the components in the correct order. WinHex lets you specify the stripe size in sectors (often 128, or at least a power of 2 like 32, 64, 256) and different RAID header sizes per component (often simply 0). The header is a reserved area at the start of a component disk that some RAID controllers set aside for their private data and that thus must be excluded from the reconstruction. If there are a few reserved sectors at the end of a component disk, as is not uncommon for JBO
o the child evidence objects, i.e. partitions. If the new image is an image of a different disk or a different evidence file container, or an evidence file container that has been filled further (i.e. if the volume snapshots cannot match), you will likely get a warning, because the size of the new image is different from the size of the previous image. Time and again users of X-Ways Forensics try to use this command to replace an evidence object in a case with a different evidence object, although that doesn't make any sense, because that way the technical description, the volume snapshot, any search hits, comments and report table associations don't fit the other evidence object. These users then typically complain that they receive an error message. The message is displayed because X-Ways Forensics usually notices, based on the size, that the new image is a totally different image. If you don't need evidence object A any more in your case and you need to add an evidence object B, then you can simply remove A and add B. There is no alternative to that, and an alternative is neither reasonable nor required. It is possible to open an evidence object even if the disk or image is not currently available, via a special command in the evidence object's context menu, to see at least the volume snapshot. That means you can see all the file metadata stored in the volume snapshot (filename, path, file size, timestamps, attributes etc.), can use most filters etc., but canno
objects, previously existing objects, virtual objects). The directory browser can sort files and directories in ascending or descending order and still reveals the two previous sort criteria with a lighter arrow. For example, if you first click the filename column and then the filename extension column, files with the same extension will internally still be sorted by name. In order to undefine the secondary and tertiary sort criteria, hold the Shift key when clicking on the column header to determine the primary sort criterion. Internally this selects the internal ID as the secondary sort criterion. This is to ensure that the order of items with identical data for the primary sort criterion is still well defined and reproducible after having sorted by other sort criteria in the meantime.

3.6.2 Virtual Objects

When orphaned objects are found (e.g. files that have been deleted and whose original path is unknown), they are listed in a special virtual directory "Path unknown". With a specialist or forensic license, there are virtual files in the root directory that allow you to conveniently address special areas in a volume:

File system areas: Reserved sectors and/or clusters that are claimed by the file system itself for internal purposes.

Free space: Clusters marked by the file system as not in use.

Idle space: Areas in a volume of which WinHex does not know what they are used for, including in particular clusters marked by the f
ods of encoding (e.g. UTF-8) non-7-bit ASCII characters (e.g. German umlauts), decoding may be useful depending on the language of your search terms, i.e. the characters contained in your search terms. When you specify a file mask for decoding, that mask will not only be applied to the names of searched files, but also to their true type if verified by signature (see Refined Volume Snapshots). This feature requires the separate viewer component to be active for the decoding and text extraction part. The decoded text is output in Latin 1 or Unicode and can optionally be buffered (cf. Options | Viewer Programs) to allow for a convenient context preview for search hits in the decoded text and to accelerate future searches. The default file mask for this option covers the extensions .pdf, .docx, .pptx, .xlsx, .odt, .odp, .ods, .pages, .key, .numbers, .eml, .wpd and .vsd. It is recommended to add .html, .xml and .rtf depending on the characters searched for, and more depending on your requirements. For example, .doc might be a good idea if you want to be very thorough, because text can be fragmented or change from one character set to another abruptly in the middle of an MS Word document. Just keep in mind that the additional decoding and search require more time and likely result in duplicated search hits (search hits found both in the original format and in the result of the text extraction). E-mails will generally not be decoded by X-Ways Forensics when only 7-bit ASCII characters are
of Sharing Analysis Work). Option 1: Multiple computer forensic examiners can work simultaneously with their own copy of the same case (always copy both the .xfc file and the corresponding subdirectory) and exchange results with each other, or reconcile all results in the main copy of the case, by exporting and importing report table associations, i.e. their categorization of all the relevant files, e-mails etc. Option 2: Potentially relevant files are copied from the original evidence objects to multiple evidence file containers. The containers are examined by different investigators simultaneously in newly created cases in X-Ways Forensics or X-Ways Investigator. They can also export their report table associations, which can then be imported back into the original case. Both commands, the export and the import of report table associations, can be found in the context menu of the case tree. Export is supported at the case and evidence object level, import at the case level. The names of the examiners/investigators could be included in the names of the report tables if in the original case it should be obvious who created which associations. Please note that you cannot import report table associations into the original case any more if you have taken a new volume snapshot or if you have removed objects from the volume snapshot in the meantime.

Distributed Volume Snapshot Refinement: X-Ways Forensics allows you to refine the volume snapshots o
of known highly relevant files block-wise on other media. The Tools menu allows you to

• manage the active hash database: create a new, empty one, view the list of hash sets, rename and delete hash sets, toggle the hash set category, and verify the integrity of the hash database (F8),

• import a single hash set text file (NSRL RDS 2.x, HashKeeper and ILook text files are supported),

• import all the hash set text files in a certain folder and all its subfolders (ditto), optionally into a single internal hash set whose name you have to specify,

• delete the active hash database, e.g. to start a fresh one with new hash sets and/or a new hash type.

The Create Hash Set command in the directory browser's context menu allows you to create your own hash sets in the internal hash database. Whenever importing or creating hash sets, duplicate hash values within the same hash set will be eliminated. When importing the NSRL RDS hash database, X-Ways Forensics checks for records with the flags "s" (special) and "m" (malicious), so that these hash values are not erroneously included in the same internal hash set that should be categorized as irrelevant. The hash database supports up to 65,535 hash sets. Another import format, and the export format, is a very simple and universal hash set text file, where the first line is simply the hash type (e.g. MD5) and all the following lines are simply the hash values, as ASCII hex, or for SHA-1 in Base32 notation
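The hash set text format, the duplicate elimination and the separation of NSRL "s"/"m" records described above, as an added Python example. This is not X-Ways code and does not reproduce its internal database; the hash set texts and NSRL rows are constructed inline, and the NSRL column layout assumed is the documented header of NSRLFile.txt ("SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"). The set names "irrelevant", "special" and "malicious" are this example's own.

```python
import base64
import csv
import hashlib
import io

# Added example (not X-Ways code): read and write the simple hash set text format
# (first line = hash type, one hash per line, hex or Base32 for SHA-1), drop
# duplicates, and import NSRL RDS 2.x records without mixing the 's' (special) and
# 'm' (malicious) flagged hashes into the "irrelevant" set.
HASH_LEN = {"MD5": 16, "SHA-1": 20, "SHA1": 20, "SHA-256": 32}
HEX = set("0123456789abcdefABCDEF")


def parse_hash_set_text(text: str):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hash_type = lines[0].upper()
    length = HASH_LEN[hash_type]
    values, duplicates = set(), 0
    for ln in lines[1:]:
        if len(ln) == 2 * length and set(ln) <= HEX:
            raw = bytes.fromhex(ln)
        else:                                    # Base32 (32 chars for a SHA-1)
            raw = base64.b32decode(ln.upper() + "=" * (-len(ln) % 8))
        if len(raw) != length:
            raise ValueError("bad %s value: %s" % (hash_type, ln))
        if raw in values:
            duplicates += 1                      # duplicates within a set are dropped
        values.add(raw)
    return hash_type, values, duplicates


def export_hash_set_text(hash_type: str, values) -> str:
    return "\n".join([hash_type] + sorted(v.hex() for v in values)) + "\n"


def import_nsrl_rds(csv_text: str):
    """Split NSRL records into irrelevant / special / malicious sets by SpecialCode."""
    sets = {"irrelevant": set(), "special": set(), "malicious": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = row["SpecialCode"].strip().lower()
        target = {"s": "special", "m": "malicious"}.get(code, "irrelevant")
        sets[target].add(bytes.fromhex(row["MD5"]))
    return sets


def classify(data: bytes, sets: dict) -> str:
    md5 = hashlib.md5(data).digest()
    for name, values in sets.items():
        if md5 in values:
            return name
    return "unknown"


def demo():
    doc = b"constructed sample file\n"                   # constructed content
    md5, sha1 = hashlib.md5(doc).hexdigest(), hashlib.sha1(doc).digest()
    # Hash set text file with one MD5 and a duplicate of it in upper case.
    htype, values, dupes = parse_hash_set_text("MD5\n%s\n%s\n" % (md5, md5.upper()))
    # SHA-1 set given in Base32 notation.
    _, sha_values, _ = parse_hash_set_text(
        "SHA-1\n" + base64.b32encode(sha1).decode() + "\n")
    nsrl = ('"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
            '"%s","%s","00000000","sample.txt",%d,1,"WIN",""\n'
            '"%s","%s","00000000","tool.exe",10,1,"WIN","s"\n'
            '"%s","%s","00000000","bad.exe",10,1,"WIN","m"\n'
            % (hashlib.sha1(doc).hexdigest().upper(), md5.upper(), len(doc),
               "0" * 40, "1" * 32, "0" * 40, "2" * 32))
    sets = import_nsrl_rds(nsrl)
    return {"type": htype, "count": len(values), "dupes": dupes,
            "sha1_ok": sha1 in sha_values,
            "sizes": {k: len(v) for k, v in sets.items()},
            "verdict": classify(doc, sets),
            "roundtrip": parse_hash_set_text(export_hash_set_text(htype, values))[1] == values}
```

The practical point is the one the manual makes: an NSRL import that lands the "m" rows in the same set as the rest would let a known-malicious binary be filtered out as irrelevant, so the flag has to be honoured at import time, not at lookup time.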
on-word character. Which characters/letters are considered word characters by the Simultaneous Search is user-defined. The start and the end of a file also count as word boundaries. \b is only supported at the start and/or at the end of the search term, and \b anchors only work when searching in evidence objects of a case, not for index searches. Byte values that correspond to ASCII characters that cannot be easily produced with a keyboard can be specified in decimal or hexadecimal notation. For example, \032 and \x20 are both equivalent to the space character in the ASCII character set. This kind of notation is supported even in between square brackets. E.g. [\000-\x1f] matches non-printable ASCII characters. The multiplier characters * and + indicate that the preceding character(s) may or must occur more than once (see below). Complex example: a[bc]*d?[e-h]*i?j matches aj, abj, acdj, aefij, aegij, aehij, abcdj and abefij. Within brackets, the characters ? and * are not treated as special characters, but literally.

Brief overview of supported syntax features (everything else is interpreted literally):

. A period matches any single character.

# A pound sign matches any numeric character (0-9).

\nnn A byte value specified with three decimal digits (0-255).

\xnn A byte value specified with two hexadecimal digits (0-FF). E.g. \x0D\x0A is the Windows line break.

? Matches one or zero occurrences
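The GREP notation summarised above (and the one-byte wildcard of the Find Text dialog) as an added Python example: a translator from this notation to a Python bytes regex, checked against the manual's complex example. This is not X-Ways code. Assumptions of the example: characters outside the listed features (parentheses, |, { ...) are escaped so they match literally, # is a digit class only outside brackets, and Python's ASCII word characters stand in for the user-defined word character set that \b uses in X-Ways Forensics.

```python
import re

# Added example (not X-Ways code): translate X-Ways GREP notation into a Python
# bytes regex and search a buffer with it. See the lead-in for the assumptions.


def xways_grep_to_re(pattern: str) -> bytes:
    out, i, n, in_bracket = [], 0, len(pattern), False
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            hex2 = pattern[i + 2:i + 4]
            if nxt == "x" and len(hex2) == 2 and all(h in "0123456789abcdefABCDEF" for h in hex2):
                out.append("\\x" + hex2)               # \xnn: two hex digits
                i += 4
                continue
            dec3 = pattern[i + 1:i + 4]
            if len(dec3) == 3 and dec3.isdigit() and int(dec3) <= 255:
                out.append("\\x%02x" % int(dec3))      # \nnn: three decimal digits
                i += 4
                continue
            if nxt == "b" and not in_bracket:
                out.append(r"\b")                      # word boundary anchor
            else:
                out.append(re.escape(nxt))             # any other escaped char: literal
            i += 2
            continue
        if in_bracket:
            if c == "]":
                in_bracket = False
                out.append("]")
            elif c == "-":
                out.append("-")                        # range inside brackets
            else:
                out.append(re.escape(c))               # ., #, ?, +, * are literal here
        elif c == "[":
            in_bracket = True
            out.append("[")
        elif c in ".?+*":
            out.append(c)
        elif c == "#":
            out.append("[0-9]")
        else:
            out.append(re.escape(c))                   # everything else is literal
        i += 1
    return "".join(out).encode("latin-1")


def grep_search(data: bytes, pattern: str):
    """Return (offset, matched bytes) for every occurrence of the X-Ways GREP pattern."""
    rx = re.compile(xways_grep_to_re(pattern))
    return [(m.start(), m.group()) for m in rx.finditer(data)]


def grep_fullmatch(pattern: str, data: bytes) -> bool:
    return re.fullmatch(xways_grep_to_re(pattern), data) is not None


def wildcard_search(data: bytes, term: bytes, wildcard: int = ord("?")):
    """The plain (non-GREP) wildcard of the Find Text dialog: one byte of any value."""
    rx = re.compile(b"".join(b"." if b == wildcard else re.escape(bytes([b])) for b in term),
                    re.DOTALL)
    return [m.start() for m in rx.finditer(data)]
```

Translating rather than hand-writing Python regexes matters because the two notations disagree on exactly the characters a keyword list is most likely to contain: parentheses, braces and | are literal in the X-Ways notation but operators in Python, and # is a digit class here but a plain character there.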
onger the minimum length in characters, the smaller the index and the faster the indexing procedure. The default lower limit is 4 characters. Frequent irrelevant words can be excluded from the index in the exception list with a minus prefix, e.g. "-and" if 3-letter words are already accepted, which reduces the size of the index and the time needed to create it. The larger the range of accepted word lengths, the larger the index becomes and the more time indexing takes. Important 3-letter words can be added to the exception list with a plus prefix, e.g. "+xtc", which overrides the default lower limit of 4 characters. The exception list does not have to be sorted alphabetically. Words in the exception list longer than the upper limit you specify are truncated in the index. Words in the exception list are bound by the character pool and cannot contain different characters. X-Ways Forensics can optionally distinguish between uppercase and lowercase letters, i.e. create a case-sensitive index. This can be useful e.g. if you create the index for the purpose of later exporting a word list for a customized dictionary attack. If you have X-Ways Forensics include substrings in the index, this will further slow down index creation by a factor of 3 to 5 and inflate the index; however, you will later be able to find e.g. "wife" in "housewife" and "solve" in "resolve". If you do not include substrings in the index, it will still be possible to search the inde
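An added Python model of the indexing rules above (word length limits, the +/- exception list, case sensitivity, substring entries) together with the index search behaviour described under "Search in Index" (anything beyond the maximum word length is ignored). This is not X-Ways code and says nothing about the .xfi format; the class and parameter names are this example's own, the character pool is reduced to a plain letter set, and "substrings" are implemented as suffixes of at least the minimum length, which covers the manual's "wife"/"housewife" and "solve"/"resolve" examples but is an assumption about the real feature.

```python
import re

# Added example (not X-Ways code): a word index with length limits, a +/- exception
# list, optional case sensitivity and optional substring (suffix) entries, plus a
# search that ignores whatever exceeds the maximum indexed word length.


class WordIndex:
    def __init__(self, min_len=4, max_len=12, exceptions=(), case_sensitive=False,
                 substrings=False, char_pool="abcdefghijklmnopqrstuvwxyz"):
        self.min_len, self.max_len = min_len, max_len
        self.case_sensitive, self.substrings = case_sensitive, substrings
        self.include = {self._key(w[1:]) for w in exceptions if w.startswith("+")}
        self.exclude = {self._key(w[1:]) for w in exceptions if w.startswith("-")}
        bad = [w for w in self.include | self.exclude if not set(w.lower()) <= set(char_pool)]
        if bad:                                   # exception words are bound by the pool
            raise ValueError("outside character pool: %s" % bad)
        self._token = re.compile("[%s]+" % re.escape(char_pool),
                                 0 if case_sensitive else re.IGNORECASE)
        self.index = {}                           # term -> set of (doc_id, offset)

    def _key(self, word):
        word = word if self.case_sensitive else word.lower()
        return word[:self.max_len]                # truncated to the upper limit

    def _accepted(self, word):
        key = self._key(word)
        if key in self.exclude:                   # "-and": never indexed
            return False
        return key in self.include or len(word) >= self.min_len   # "+xtc": always indexed

    def add(self, doc_id, text):
        for m in self._token.finditer(text):
            word = m.group()
            if not self._accepted(word):
                continue
            key = self._key(word)
            keys = {key}
            if self.substrings:                   # e.g. "wife" inside "housewife"
                keys |= {key[i:] for i in range(1, len(key) - self.min_len + 1)}
            for k in keys:
                self.index.setdefault(k, set()).add((doc_id, m.start()))

    def search(self, term):
        # Excess length is cut off, so "ridiculous" still finds a "ridicu" entry.
        return sorted(self.index.get(self._key(term), ()))


def build_demo_index():
    idx = WordIndex(min_len=4, max_len=12, exceptions=("+xtc", "-fans"), substrings=True)
    idx.add("doc1", "The incomprehensible housewife and XTC fans resolve nothing.")
    return idx
```

With max_len=12 the word "incomprehensible" is stored as "incomprehens", and a search for "incomprehensibility" is cut to the same 12 characters, so it hits; "fans" is never indexed despite its length, "XTC" is indexed despite being too short, and "wife" and "solve" are found only because substrings were enabled.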
only.

• There is an option to display timestamps with a precision of milliseconds. You may specify the number of digits after the decimal point (up to 3). Useful for the file systems NTFS, Reiser4 and FAT, which provide for a higher precision than seconds in all or some timestamps.

• Optionally, the actually used time zone conversion bias (including daylight saving, where appropriate) can be displayed right in the timestamp columns in the directory browser.

• File sizes can optionally always be displayed in bytes instead of rounded. If the checkbox is half checked, that applies to items in volumes only, otherwise also to items on physical, partitioned media.

Factory settings of all options can be restored using the Initialize command of the Help menu.

8.2 Directory Browser Options

• Grouping files and directories in the directory browser is optional. X-Ways Forensics remembers the sort criteria and this option separately 1) for the normal directory browser of a volume, 2) for the normal directory browser of a partitioned disk, 3) for search hit lists, and 4) for event lists.

• Grouping existing and deleted items in the directory browser is optional. There are two possibilities how to use this feature: either previously existing files that are potentially recoverable (question mark icon) and known unrecoverable ones (red X icon) are internally grouped as well, so that in total there will be three groups, or not (only 2 groups). A small symbol with e
orensics that knows the file format well and can usually find out the correct file size if a file is not fragmented, incomplete or corrupt. Such an algorithm is indicated in the Footer column with a tilde and an algorithm ID number.

6th column: Default size (optional). A file-type-specific default maximum file size in bytes that can override the global maximum file size specified in the File Recovery by Type dialog window. Useful because e.g. an MPEG video could be around 1 GB in size, whereas a Windows icon file (.ico) could be just a few KB in size.

7th column: Flags (optional). Can further tailor file carving for certain file types, and are yet another indicator of how sophisticated and powerful file carving is in X-Ways Forensics.

b: The signature is searched at the byte level when given the choice. Useful especially for entries, records, micro formats and memory artifacts (i.e. not complete ordinary files) that are not typically aligned at any sector or cluster boundaries.

c: If taken into account (depends on user interface settings), ignores header signatures that are not aligned at cluster boundaries. Can be useful for some file types to avoid too many false positives.

u (lower case): Stands for "unused". Allows carving files only in clusters that are free according to the file system.

U (upper case): Allows carving files only in clusters that are free according to the file system and also not used by previously existing files as contained
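A minimal signature carver as an added Python example of the flags in this fragment (b, c, u, U), the per-type default maximum size, and the optional exclusion of start sectors already owned by known files described earlier in the File Header Signature Search text. This is not the X-Ways implementation: the signature table, the size-detection function for BMP (the 32-bit size field at offset 2 of a BMP header), the "REC:" micro-record type and the 8-cluster disk image are all constructed for the example.

```python
import struct

# Added example (not the X-Ways implementation): a signature carver that honours
# per-type flags (b, c, u, U), a per-type default maximum size, and the option to
# skip start sectors of files already known to the volume snapshot.
SECTOR = 512


def bmp_size(data: bytes, pos: int):
    """Internal size detection for BMP: file size is the 32-bit LE field at offset 2."""
    if pos + 6 > len(data):
        return None
    return struct.unpack_from("<I", data, pos + 2)[0]


SIGNATURES = {
    # flags: b = search at byte level, c = cluster-aligned headers only,
    #        u = free clusters only, U = free and not used by previously existing files
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "flags": "cu"},
    "bmp":  {"header": b"BM", "size_func": bmp_size, "flags": ""},
    "rec":  {"header": b"REC:", "fixed_size": 16, "flags": "b", "default_size": 16},
}


def carve(data: bytes, sigs: dict, cluster_size: int, global_max: int,
          known_start_sectors=frozenset(), exclude_known=True,
          free_clusters=None, prev_existing_clusters=frozenset()):
    hits = []
    for name, sig in sigs.items():
        flags = sig.get("flags", "")
        align = cluster_size if "c" in flags else (1 if "b" in flags else SECTOR)
        max_size = sig.get("default_size") or global_max
        pos = data.find(sig["header"])
        while pos != -1:
            ok = pos % align == 0
            if ok and exclude_known and pos // SECTOR in known_start_sectors:
                ok = False                       # start sector owned by a known file
            if ok and free_clusters is not None and ("u" in flags or "U" in flags):
                allowed = set(free_clusters)
                if "U" in flags:
                    allowed -= set(prev_existing_clusters)
                ok = pos // cluster_size in allowed
            if ok:
                limit = min(len(data), pos + max_size)
                length = None
                if "footer" in sig:
                    f = data.find(sig["footer"], pos + len(sig["header"]), limit)
                    if f != -1:
                        length = f + len(sig["footer"]) - pos
                elif "size_func" in sig:
                    length = sig["size_func"](data, pos)
                elif "fixed_size" in sig:
                    length = sig["fixed_size"]
                if length is None or pos + length > limit:
                    length = limit - pos         # fall back to the maximum size
                hits.append((name, pos, length))
            pos = data.find(sig["header"], pos + 1)
    return sorted(hits, key=lambda h: h[1])


def build_image() -> bytes:
    """Constructed 8-cluster image (cluster = 1024 bytes): a JPEG in cluster 1, an
    unaligned JPEG header at byte 3000, a BMP in cluster 4, a 16-byte record at 5555."""
    img = bytearray(8 * 1024)
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 500 + b"\xff\xd9"
    img[1024:1024 + len(jpeg)] = jpeg
    img[3000:3004] = b"\xff\xd8\xff\xe0"
    bmp = b"BM" + struct.pack("<I", 300) + b"\x00" * 294
    img[4096:4096 + len(bmp)] = bmp
    img[5555:5555 + 16] = b"REC:" + b"\x01" * 12
    return bytes(img)


def demo(exclude_known=True):
    data = build_image()
    return carve(data, SIGNATURES, cluster_size=1024, global_max=1_000_000,
                 known_start_sectors={8}, exclude_known=exclude_known,
                 free_clusters={1, 2, 3, 5, 6, 7})
```

In demo() the BMP starts in sector 8, which is declared as the start sector of a known file: with the exclusion on it is skipped, with the exclusion off it is carved, mirroring the option described above. The unaligned JPEG header at byte 3000 is never reported because the type carries the c flag, while the record type with the b flag is found at an arbitrary byte offset.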
orks exactly like a conventional raw image of the disk for all the intended purposes, if adequately prepared, with original offsets and relative distances between data structures preserved (unlike in an evidence file container). The file format is universal, and all forensic tools that support raw images have a chance to understand the data, unless they need more data than was included, or already don't understand the partitioning method or file system etc. of the original complete disk image.

Caveats: Note that a search hit list on the screen with context previews around the search hits, for example, will cause a lot of read activity, so you may want to change the state of the skeleton image to idle mode when it is open in the background in certain situations. To avoid that the start sectors of files or directories that you merely click in the directory browser in Partition/Volume mode are copied to the skeleton image (because such a click automatically jumps to the respective 1st sector), you can navigate the directory browser in Legend mode instead, or have to change the status of the image to idle. Reading data from most extracted files, such as e-mail messages, attachments, video stills, pictures embedded in MS Excel spreadsheets etc., does not trigger corresponding read operations at the disk level, so they cannot be copied. Skeleton images are suitable only for files at the file system level, not at any other level seen in volume snapshots. U
ors at the end of the disk (in case they were not detected by WinHex) or to adjust the CHS coordinate system to your needs. Also, you have the option to change the detected sector size of a physical hard disk that WinHex works with. Remember that you should adjust the sector count accordingly. For example, if you change the detected sector size from 512 bytes to 4 KB, i.e. you multiply it by 8, then you also need to divide the total number of sectors by 8 to keep the same total detected disk capacity (assuming the capacity was detected correctly). Use this command on a logical drive to override the total number of clusters WinHex detects on that drive.

Open RAM: See chapter RAM Editor.

View: Available only with a forensic license. Invokes the internal viewer.

External Viewer: Invokes external file viewing programs such as Quick View Plus etc., as selected in the Options menu, and opens the current file.

Invoke X-Ways Trace: Available only if X-Ways Trace is installed. This software can analyze the history/cache files of various Internet browsers.

Calculator: Runs the Windows calculator (calc.exe). Switching to scientific mode is highly recommended.

Hex Converter: Enables you to convert hexadecimal numbers into decimal numbers and vice versa. Simply type in the number and press ENTER.

Tables: Provides four conversion tables (cf. ANSI, IBM ASCII).

Analyze Block/File: Scans the data within the current block (or the entire file) and counts
ossible to specify nothing as the substitute, which means all occurrences will be removed from the file.

2nd method: The substitute is written into the file at the position of the occurrence. If the substitute is shorter than the searched character sequence, the excess characters of the occurrence remain in the file. Otherwise, even the bytes behind the occurrence will be overwritten, as long as the end of the file is not reached. The file size is not affected.

9 Miscellaneous

9.1 Block

You can mark a range of bytes or sectors of an open file or disk as a block. This part can be manipulated by several functions in the Edit menu, just like selections in other Windows programs. If no block is defined, these functions usually are applied to the whole file or disk. The current position and size of the block are displayed in the status bar. Double-clicking the right mouse button or pressing the ESC key clears the block.

9.2 Modify Data

Use this command to modify the data within the block, or within the whole file in case no block is defined. The following types of data modification are available: a fixed integer number is added to each element of the data, the bits are inverted, a constant is XORed with the data (a simple kind of encryption), ORed or ANDed, bits are rotated left in a circular pattern (first byte rotated by 1 bit, second byte by 2 bits, and so on), bits are shifted logically, or bytes are swapped. By shifting bi
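The Modify Data operations listed above as an added Python example, together with the inverse operations needed to undo them. This is not WinHex code; elements are treated as single bytes here (WinHex also offers wider element sizes, which this example does not model), the progressive rotation rotates byte i by (i + 1) bits and wraps after 8 bits as the text describes, and the operation names are this example's own. The last function makes the "simple kind of encryption" remark concrete: a constant XOR is undone by a single known plaintext byte.

```python
# Added example (not WinHex code): Modify Data operations on a byte block and
# their inverses. Elements are single bytes here (an assumption of the example).


def modify_block(data: bytes, op: str, operand: int = 0) -> bytes:
    out = bytearray(len(data))
    for i, b in enumerate(data):
        if op == "add":
            v = (b + operand) & 0xFF            # wraps; undo with add(-operand)
        elif op == "invert":
            v = b ^ 0xFF                        # self-inverse
        elif op == "xor":
            v = b ^ (operand & 0xFF)            # the "simple kind of encryption"
        elif op == "or":
            v = b | (operand & 0xFF)            # lossy: cleared bits are not recoverable
        elif op == "and":
            v = b & (operand & 0xFF)            # lossy as well
        elif op == "rol_progressive":           # 1st byte by 1 bit, 2nd by 2 bits, ...
            r = (i + 1) % 8
            v = ((b << r) | (b >> (8 - r))) & 0xFF
        elif op == "ror_progressive":           # inverse of rol_progressive
            r = (i + 1) % 8
            v = ((b >> r) | (b << (8 - r))) & 0xFF
        elif op == "shl":                       # logical shifts discard bits
            v = (b << operand) & 0xFF
        elif op == "shr":
            v = b >> operand
        else:
            raise ValueError("unknown operation %r" % op)
        out[i] = v
    return bytes(out)


def swap_bytes(data: bytes, width: int = 2) -> bytes:
    """Reverse byte order inside each `width`-byte element (2 = 16-bit byte swap)."""
    if len(data) % width:
        raise ValueError("block length is not a multiple of %d" % width)
    return b"".join(data[i:i + width][::-1] for i in range(0, len(data), width))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> int:
    """A constant XOR offers no protection: one known byte pair reveals the key."""
    return ciphertext[0] ^ known_plaintext[0]
```

When you meet XORed data in an examination, the first two bytes of a known file type (for example "MZ" for a Windows executable) are usually enough to recover the constant with recover_xor_key() and undo the transformation with modify_block(..., "xor", key).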
ot be split, specify 0 as the third parameter. To disable compression, specify "false". To have the Backup Manager automatically assign a filename and place the file in the folder for backup files, specify "" as the last parameter.

Goto 0x128 / Goto MyVariable: Moves the current cursor position to the hexadecimal offset 0x128. Alternatively, an existing variable (up to 8 bytes large) can be interpreted as a numeric value, too.

Move -100: Moves the current cursor position 100 bytes back (decimal).

Write "Test" / Write 0x0D0A / Write MyVariable: Writes the four ASCII characters "Test" or the two hexadecimal values 0D0A at the current position in overwrite mode. Can also write the contents of a variable specified as the parameter. Moves the current position forward by the number of bytes written. When the end of the file is reached, a null byte is appended to accomplish that. Useful so that further Write commands don't overwrite the last byte written by the previous Write command.

Write2: Identical to Write, but does not append a null byte if the end of the file has been reached. So it is not safe to assume that Write2 always moves the current position forward by the number of bytes written.

Insert "Test": Functions just like the Write command, but in insert mode. Must only be used with files.

Read MyVariable 10: Reads the 10 bytes from the current position into a variable named MyVariable. If this variable does not yet exist, it will be
produce report table associations, comments, search hits and virtual files, tag files, remember already viewed files, exclude files), 3) full access. If the same user wishes to open the same case (the same copy) in more than 1 instance of the program simultaneously, that user has three options: either 1) in the second instance the entire case is opened as read-only, or 2) the user is responsible for opening evidence objects that are already open in one session as read-only in the other session, to avoid conflicts (right-click an evidence object for that option), or 3) the user opens the case as a separate, fictitious user called his or her "alter ego", with separate file statuses, search hits, report table associations etc. If the latter option is selected, shared use of the case is coordinated by X-Ways Forensics exactly as if the alter ego was a real, different examiner, even though the username is the same. The aforementioned Options checkbox allows you at any time to open the case as your alter ego, not only when opening the same case in a second instance of the program. Multiple users running searches, creating report table associations, entering or editing comments, editing extracted metadata, tagging files, excluding files, or marking files as already viewed is all supported for the same evidence object at the same time. Removing items from a volume snapshot while the evidence object is open somewhere else, however, is forbidden and will be
r multiple filename masks, one per line. This filter is useful if you have a list of relevant filenames or keywords and want to find out quickly whether files with such names are present. There are two different ways how to use the Name filter. The first way is to match certain expressions against the full name. The expressions may contain asterisks (wildcards), like *.jpg. Up to two asterisks are allowed per mask, if they are located at the beginning and the end of it. You may exclude files using file masks that start with a colon. Example: All files with names that start with the letter A but do not contain the word "garden": "A*" in one line and ":*garden*" in another. When multiple positive file mask expressions are used, they are combined with a logical OR, negative expressions with a logical AND. If the "Substring search in filename" option is active, then all the rules above do not apply. Instead, a search is run within the filenames for the specified characters or optionally GREP expressions. For example, just type "invoice" to find files whose filename contains the word invoice (not "*invoice*"). For an explanation of GREP notation, please see Search Options. The anchor does not work in this context.

Filename extension: The part of the filename that follows the last dot, if any, except if the last dot is the very first character (not uncommon in the Unix/Linux world). Forensic license only. File
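As an added illustration (not code from the X-Ways manual or product), the mask rules just described, reimplemented in Python so the OR/AND combination of positive and negative masks can be tried on a constructed file listing; the case-insensitive comparison and the rejection of asterisks in the middle of a mask are assumptions of this example.

```python
"""Added example (not from the X-Ways manual): the Name filter mask semantics
described above, reimplemented for study purposes.
  * a mask may carry up to two asterisks, only at its start and/or end
  * a mask starting with ':' is a negative (exclusion) mask
  * positive masks are combined with OR, negative masks with AND
  * with substring search on, every line is a plain substring to find
Matching is case-insensitive here (an assumption of this example)."""

from __future__ import annotations


def _match_mask(mask: str, name: str) -> bool:
    """Match one mask with optional leading/trailing '*' against a full name."""
    if "*" in mask.strip("*"):
        raise ValueError(f"asterisks are only allowed at the ends of a mask: {mask!r}")
    lead, trail = mask.startswith("*"), mask.endswith("*")
    core, name = mask.strip("*").lower(), name.lower()
    if lead and trail:
        return core in name
    if lead:
        return name.endswith(core)
    if trail:
        return name.startswith(core)
    return name == core


def name_filter(masks: list[str], name: str, substring_search: bool = False) -> bool:
    """True if `name` passes the filter made of `masks` (one expression per line)."""
    lines = [m.strip() for m in masks if m.strip()]
    if not lines:
        return True  # no expressions at all: nothing is hidden
    if substring_search:
        # the wildcard rules do not apply; each line is searched as a substring
        return any(line.lower() in name.lower() for line in lines)
    positive = [m for m in lines if not m.startswith(":")]
    negative = [m[1:] for m in lines if m.startswith(":")]
    passes = any(_match_mask(m, name) for m in positive) if positive else True
    return passes and all(not _match_mask(m, name) for m in negative)


def apply_filter(masks: list[str], names: list[str], substring_search: bool = False) -> list[str]:
    """The names that survive the filter, in their original order."""
    return [n for n in names if name_filter(masks, n, substring_search)]


# Constructed sample listing (not from any real case).
SAMPLE_NAMES = ["Annual_report.doc", "apple_garden.jpg", "invoice_2021.pdf", "Beach.jpg"]

if __name__ == "__main__":
    # the manual's example: names starting with A that do not contain "garden"
    print(apply_filter(["A*", ":*garden*"], SAMPLE_NAMES))             # ['Annual_report.doc']
    print(apply_filter(["*.jpg", "*.pdf"], SAMPLE_NAMES))               # positive masks: OR
    print(apply_filter(["invoice"], SAMPLE_NAMES, substring_search=True))
```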
re searched and replaced in Unicode format (cf. Search Options). You may specify one character or a two-digit hex value as a wildcard. This is usually done in the search string. If the substitute contains a wildcard, the character at the corresponding position in an occurrence will not be changed. Thus "black" and "block" can be replaced simultaneously with "crack" and "crock" (enter "bl?ck" and "cr?ck"). Only whole words: The searched string is recognized only if it is separated from other words, e.g. by punctuation marks or blanks. If this option is enabled, "tomato" is not replaced in "automaton". Search direction: Decide whether WinHex shall replace from the beginning to the end, or downwards or upwards from the current position. Replace in block only: The replace operation is limited to the current block. Replace in all opened files: The replace operation is applied to all files not opened in view mode. If "Replace in block only" is enabled at the same time, the replace operation is limited to the current block of each file. Hint: WinHex is able to replace one string or hex value sequence with another one that has a different length. You will be prompted which of the following methods shall be applied. 1st method: The data behind the occurrence is moved due to the length difference, so the file size is changed. This method must not be applied to certain file types, such as executable files. It is even p
re the thorough file system data structure search, so that it is easy to filter them in or out. Remember you can sort by ID to see the files they are a previous version of next to them. You can also easily navigate to the VSC host by using the command Navigation | Find related file in the directory browser context menu, for example so that in Details mode you learn more about that particular snapshot. You could then invoke the same command once more to navigate to the corresponding snapshot properties file, where in Details mode you learn even more, e.g. description and official creation date.

ReiserFS, Reiser4: Searches for deleted files, which are not included in the standard volume snapshot at all.

UDF: While the first and the last session of multi-session UDF CDs/DVDs will be listed automatically, additional sessions in the middle can be found only with this option.

CDFS: Usually all sessions on multi-session CDs/DVDs are detected automatically. In cases where they are not (e.g. when CDFS co-exists with UDF or if the gaps between the sessions are unusually large), this will detect sessions beyond the first one.

RAM (main memory): May find terminated processes and rootkits.

Other: no difference.

Taking a thorough volume snapshot is possibly a lengthy operation, depending on the size of the volume, and for that reason this is not the standard procedure when opening volumes.

4.2.3 File Header Signature Search

The file header signature search
rensic tools other than from X-Ways. Older versions of WinHex with a specialist license or higher, X-Ways Forensics and X-Ways Investigator can also understand them. They can all read the contents of all files and show the most essential metadata (e.g. filename, path, many attributes, most timestamps, existing or deleted). To see the maximum amount of metadata, however, please use WinHex/XWF/XWI 16.3 and later. The new format will prevent that the same files will be erroneously copied twice to the same container. Artificial directories can be optionally created in containers of the new format to accommodate child objects of files, for compatibility with tools that do not accept files as child objects of other files in the new container format (non-X-Ways tools and WinHex/XWF/XWI 15.9 and earlier). WinHex/XWF/XWI 16.0 and later (latest release, respectively) do not need such artificial directories. When creating a container, you choose between a direct method and an indirect method to fill it. Indirect means via your own hard disk, i.e. the contents of files are not copied directly into the container but to your folder for temporary files first (cf. General Options) and only then from there into the container. This can be beneficial because it allows a resident antivirus software to intercept these files, check them for viruses, disinfect/disarm them, rename them, move/delete/lock them etc., so that it prevents viruses from making it into a container. The
resp. 7 points, lives search simultaneously for the hex value 05 in the first and 07 in the second file.

2.2 Endian-ness

Microprocessors differ in the position of the least significant byte. Intel, MIPS, National Semiconductor and VAX processors have the least significant byte first. A multi-byte value is stored in memory from the lowest byte (the "little end") to the highest byte. For example, the hexadecimal number 12345678 is stored as 78 56 34 12. This is called the little-endian format. Motorola and Sparc processors have the least significant byte last. A multi-byte value is stored in memory from the highest byte (the "big end") to the lowest byte. For example, the hexadecimal number 12345678 is stored as 12 34 56 78. This is called the big-endian format.

2.3 Integer Data Types

Format / Type      Range                                   Example (bytes = value)
signed 8-bit       -128 .. 127                             FF = -1
unsigned 8-bit     0 .. 255                                FF = 255
signed 16-bit      -32,768 .. 32,767                       00 80 = -32,768
unsigned 16-bit    0 .. 65,535                             00 80 = 32,768
signed 24-bit      -8,388,608 .. 8,388,607                 00 00 80 = -8,388,608
unsigned 24-bit    0 .. 16,777,215                         00 00 80 = 8,388,608
signed 32-bit      -2,147,483,648 .. 2,147,483,647         00 00 00 80 = -2,147,483,648
unsigned 32-bit    0 .. 4,294,967,295                      00 00 00 80 = 2,147,483,648
signed 64-bit      -2^63 .. 2^63-1                         00 00 00 00 00 00 00 80 = -2^63

Unless stated otherwise, multi-byte numbers are stored in little-endian format, meaning that the first byte of a number is the least significant.
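As an added example (not code from the X-Ways manual or product), a small Python reader for the integer types of the table above that works in either byte order and covers the 24-bit widths, which the struct module has no format code for; `interpret()` goes one step beyond the table and lists every interpretation of the bytes at a position, the way a hex editor's data interpreter does.

```python
"""Added example (not from the X-Ways manual): reading the integer data types of
section 2.3 from raw bytes, in little-endian order (the default stated above)
or big-endian order, with the type ranges of the table."""

from __future__ import annotations

# (name, width in bytes, signed) for every row of the table in section 2.3
INTEGER_TYPES = [
    ("signed 8-bit", 1, True), ("unsigned 8-bit", 1, False),
    ("signed 16-bit", 2, True), ("unsigned 16-bit", 2, False),
    ("signed 24-bit", 3, True), ("unsigned 24-bit", 3, False),
    ("signed 32-bit", 4, True), ("unsigned 32-bit", 4, False),
    ("signed 64-bit", 8, True),
]


def type_range(bits: int, signed: bool) -> tuple[int, int]:
    """Smallest and largest value representable by an integer of this width."""
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def decode_int(raw: bytes, signed: bool, little_endian: bool = True) -> int:
    """Interpret raw bytes as one integer (two's complement for signed types).
    Works for the 24-bit width as well, unlike struct.unpack."""
    return int.from_bytes(raw, "little" if little_endian else "big", signed=signed)


def encode_int(value: int, nbytes: int, signed: bool, little_endian: bool = True) -> bytes:
    """Inverse of decode_int; refuses values outside the type's range instead of
    silently truncating them, which is what a careless patch in a hex editor does."""
    lo, hi = type_range(8 * nbytes, signed)
    if not lo <= value <= hi:
        kind = "signed" if signed else "unsigned"
        raise ValueError(f"{value} does not fit into {kind} {8 * nbytes}-bit")
    return value.to_bytes(nbytes, "little" if little_endian else "big", signed=signed)


def interpret(raw: bytes, little_endian: bool = True) -> dict[str, int]:
    """Every integer type of the table that fits at the start of raw, like the
    data interpreter window of a hex editor shows for the byte under the cursor."""
    return {
        name: decode_int(raw[:nbytes], signed, little_endian)
        for name, nbytes, signed in INTEGER_TYPES
        if len(raw) >= nbytes
    }


if __name__ == "__main__":
    # the manual's own example: 12345678h is stored as 78 56 34 12 in little-endian
    print(hex(decode_int(bytes.fromhex("78563412"), signed=False)))                       # 0x12345678
    print(hex(decode_int(bytes.fromhex("12345678"), signed=False, little_endian=False)))  # 0x12345678
    for name, value in interpret(bytes.fromhex("0000000000000080")).items():
        print(f"{name:16} {value}")
```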
ression you gain only a few percentage points more compression, but at disproportionately high cost. For WinHex backups, adaptive is the same as normal. Raw image files can be compressed at the NTFS file system level if they are created on NTFS volumes. Either normal NTFS compression is used, or the image file can be made sparse, such that large amounts of zero-value bytes won't need drive space.

Cleansed images: With a forensic license, there is an acquisition option for those users who need to or want to exclude certain files from forensic images, called "Omit excluded files". The data stored in clusters that are associated with files that you exclude before starting the imaging process can automatically be zeroed out in the image. Before you start the imaging process for a partitioned disk, open the partitions in which the files are located that you would like to exclude. Wait till the volume snapshot has been taken, if it was not taken before. Then exclude the files. You do not need to open and take volume snapshots of partitions whose data you would like to include completely. All other data is copied to the image normally. There is an option to watermark wiped sectors in the image with an ASCII or Unicode text string, so that when working with the image you are reminded of the omission when you look at the affected areas. Cleansed images are useful for anyone who needs to redact certain files in the file system but otherwise wants
rowser, click the button with the binoculars and the four horizontal lines. It is only available for evidence objects. In that mode of operation, there are four additional columns: physical (absolute) offsets of the search hits, logical (relative) offsets, descriptions that include the code pages in which search hits were found and hints if found in file slack, and the search hits themselves, usually with a context preview, sortable by search term (context preview not accurate for Arabic and Hebrew text or hits in UTF-8). The directory browser's grouping options have no effect when search hits are sorted by one of these three columns. The search hit description column comes with a filter that allows to focus on notable hits, user search hits, hits in a certain code page, hits in the text extraction of documents, and hits in slack space or uninitialized tail areas of files. Search hits in all variants of UTF-16 that are not aligned at even offsets are marked in the Descr. column as "unaligned", as a small hint and explanation why you can read the text only in the alignment-aware context preview of the Search hits column and not in the text column. Almost all commands in the directory browser context menu are available for search hit lists as well, notably the ability to copy, view, tag and comment files. The dynamic filter based on the usual directory browser columns can be used in conjunction with search hit lists, e.g. to view hits in all .doc and .xls files wi
rtual file or e-mail message or attachment, and especially the contents of the file, are fully retained in an evidence file container. Also when a conventional physical, sector-wise image is overkill because you need to acquire only selected files and not entire media, containers are recommended. Evidence file containers use a special file system (XWFS) that can accommodate most metadata from conventional file systems of the Windows, Linux and Apple world. Evidence file containers can be interpreted, added to a case and conveniently examined like other image files with X-Ways Forensics 12.85 and later, and in particular also in X-Ways Investigator, the simplified version of X-Ways Forensics for investigators that are not computer forensic examiners but specialized in other areas such as corruption, accounting, child pornography, building laws. The recipient of the container can add the container to his or her own case, view the files that it contains just like in a disk partition or a conventional image, can run keyword searches, comment on files, add files to report tables, create a report etc. Report table associations can even be exported and imported back into the original case via case tree context menu commands. This allows to split up the workload in large cases across multiple investigators who work simultaneously and to reconcile their results. Evidence file containers of the new format can be understood by certain computer fo
s

1.4 Differences between WinHex and X-Ways Forensics

WinHex (main executable file is winhex.exe or winhex64.exe) always identifies itself as WinHex in the user interface, X-Ways Forensics (main executable file xwforensics.exe or xwforensics64.exe) as X-Ways Forensics. The shared program help and the shared manual, however, statically refer to the name WinHex in most cases, sometimes X-Ways Forensics. WinHex and X-Ways Forensics share the same code base. X-Ways Forensics offers numerous additional forensic features over WinHex with a specialist license, but does not allow to edit disk sectors or interpreted images and lacks various functions to wipe data known from WinHex. In X-Ways Forensics, disks, interpreted image files, virtual memory and physical RAM are strictly opened in view mode (read-only) only, to enforce forensic procedures where no evidence must be altered in the slightest. This strict write protection of X-Ways Forensics ensures that no original evidence can possibly be altered accidentally, which can be a crucial aspect in court proceedings. Only when not bound by strict forensic procedures and/or when in need to work more aggressively on disks or images (e.g. you have to repair a boot sector or wipe classified or unrelated data), then a user of X-Ways Forensics would run WinHex instead. With WinHex you can edit disk sectors and wipe entire hard disks, free space, slack space, selected files, selected disk areas etc.
s. CurrentPos, GetSize, unlimited are keywords that act as placeholders and may be used where numeric parameters are required. On script execution, CurrentPos stands for the current offset in the active file or disk window and GetSize for its size in bytes. unlimited actually stands for the number 2,147,483,647.

Appendix C: Master Boot Record

The Master Boot Record is located at the physical beginning of a hard disk, editable using the disk editor. It consists of a master bootstrap loader code (446 bytes) and four subsequent, identically structured partition records. Finally, the hexadecimal signature 55AA completes a valid Master Boot Record. The format of a partition record is as follows:

Offset 0 (8 bit): A value of 80 designates an active partition.
Partition start sector (bits 0-5); partition start track (bits 8-9 in start sector as bits 6-7).
Operating system indicator (see below).
Partition end head.
Offset 6 (8 bit): Partition end sector (bits 0-5); partition end track (bits 8-9 in end sector as bits 6-7).
Offset 8 (32 bit): Sectors preceding partition.
(32 bit): Length of partition in sectors.

Operating system indicators (hexadecimal, incomplete list):
00  Empty partition table entry
    DOS 16-bit FAT (up to 32M)
05  DOS 3.3+ extended partition
06  DOS 3.31+ Large File System (16-bit FAT over 32M)
08  OS/2 v1.0-1.3, AIX bootable partition, SplitDrive, Cd
09  AIX data partition
0B
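The partition record layout of Appendix C as a parser, added here as an example (not code from the X-Ways manual or product): it checks the 55AA signature, unpacks the split sector/track bits, reads the two little-endian 32-bit fields and flags partitions whose sector ranges overlap. The field offsets inside a record (start head at 1, OS indicator at 4, end head at 5, length at 12) are taken from the standard MBR layout rather than from the page, and the 512-byte sample is constructed.

```python
"""Added example (not from the X-Ways manual): parsing the Master Boot Record of
Appendix C from a 512-byte sector 0. Offsets inside a partition record follow the
standard layout (0 status, 1 start head, 2-3 start sector/track, 4 OS indicator,
5 end head, 6-7 end sector/track, 8 sectors preceding, 12 length); the sample is constructed."""

from __future__ import annotations

import struct
from dataclasses import dataclass

BOOT_CODE_SIZE = 446      # master bootstrap loader code
PART_ENTRY_SIZE = 16      # four identically structured records follow the code
SIGNATURE = b"\x55\xaa"   # completes a valid MBR (bytes 510-511)

# Operating system indicators quoted from Appendix C (incomplete list).
OS_INDICATORS = {
    0x00: "Empty partition table entry",
    0x05: "DOS 3.3+ extended partition",
    0x06: "DOS 3.31+ Large File System (16-bit FAT over 32M)",
    0x09: "AIX data partition",
}


def unpack_chs(sector_byte: int, track_byte: int) -> tuple[int, int]:
    """Sector is bits 0-5 of the sector byte; its bits 6-7 are bits 8-9 of the track."""
    return sector_byte & 0x3F, ((sector_byte & 0xC0) << 2) | track_byte


def pack_chs(sector: int, track: int) -> tuple[int, int]:
    """Inverse of unpack_chs (used here only to build the constructed sample)."""
    return (sector & 0x3F) | ((track >> 2) & 0xC0), track & 0xFF


@dataclass
class PartitionRecord:
    index: int
    status: int              # 80 designates an active partition
    start_head: int
    start_sector: int
    start_track: int
    os_indicator: int
    end_head: int
    end_sector: int
    end_track: int
    sectors_preceding: int   # 32-bit LBA of the first sector
    length: int              # 32-bit length in sectors

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def empty(self) -> bool:
        return self.os_indicator == 0x00 and self.length == 0

    @property
    def os_name(self) -> str:
        return OS_INDICATORS.get(self.os_indicator, f"unknown indicator {self.os_indicator:02X}")


def parse_partition_record(entry: bytes, index: int) -> PartitionRecord:
    status, sh, ss, st, osi, eh, es, et, pre, ln = struct.unpack("<BBBBBBBBII", entry)
    return PartitionRecord(index, status, sh, *unpack_chs(ss, st), osi, eh, *unpack_chs(es, et), pre, ln)


def parse_mbr(sector: bytes) -> list[PartitionRecord]:
    """Parse sector 0; the 32-bit fields are little-endian as the manual states."""
    if len(sector) < 512 or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid Master Boot Record (short sector or missing 55AA signature)")
    table = sector[BOOT_CODE_SIZE:BOOT_CODE_SIZE + 4 * PART_ENTRY_SIZE]
    return [parse_partition_record(table[i * 16:(i + 1) * 16], i) for i in range(4)]


def find_overlaps(records: list[PartitionRecord]) -> list[tuple[int, int]]:
    """Index pairs of non-empty partitions whose LBA ranges overlap: a sign of a
    damaged or edited table that deserves a closer look in the disk editor."""
    spans = [(r.index, r.sectors_preceding, r.sectors_preceding + r.length) for r in records if not r.empty]
    return [(ia, ib) for n, (ia, sa, ea) in enumerate(spans)
            for ib, sb, eb in spans[n + 1:] if sa < eb and sb < ea]


def build_entry(status: int, osi: int, start_chs, end_chs, start_lba: int, length: int) -> bytes:
    """Construct one 16-byte partition record (for the sample below)."""
    (sh, ss, st), (eh, es, et) = start_chs, end_chs
    return struct.pack("<BBBBBBBBII", status, sh, *pack_chs(ss, st), osi, eh, *pack_chs(es, et), start_lba, length)


# Constructed sample MBR: zeroed bootstrap code, two partitions, two empty slots.
SAMPLE_MBR = (bytes(BOOT_CODE_SIZE)
              + build_entry(0x80, 0x06, (1, 1, 0), (254, 63, 12), 63, 204800)
              + build_entry(0x00, 0x05, (0, 1, 13), (254, 63, 1023), 204863, 102400)
              + bytes(2 * PART_ENTRY_SIZE) + SIGNATURE)

if __name__ == "__main__":
    for rec in parse_mbr(SAMPLE_MBR):
        if not rec.empty:
            print(rec.index, "active" if rec.active else "inactive", rec.os_name,
                  f"LBA {rec.sectors_preceding} length {rec.length}")
    print("overlapping partitions:", find_overlaps(parse_mbr(SAMPLE_MBR)))
```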
s automatically, without further user interaction, if the source disk had not been added to the case yet and if a case is open at that time when you start imaging. Using this command is the recommended way to create a disk image. In order to image an arbitrary range of sectors, you could select a sector range as a block and copy it to a file via Edit | Copy Block | Into New File, or use Tools | Disk Tools | Clone Disk. The latter is particularly useful to partially image hard disks with severe physical defects (not just ordinary bad sectors) and can even copy sectors in reverse order. It is also possible to image a physical device (e.g. local hard disk, or remote hard disk or RAM opened through F-Response) automatically via the command line. The first parameter should start with a colon and then specify the number of the device in Windows, e.g. :1 for hard disk No. 1. This will cause that device to be opened automatically upon start-up. The second parameter should start with a pipe, followed by either e01 or raw to indicate the preferred image file format, followed by another pipe and the path and filename of the image, e.g. |e01|G:\Output\filename.e01. The third parameter can be auto, to automatically exit X-Ways Forensics after imaging. The encryption algorithm optionally used in .e01 evidence files is either 128-bit or 256-bit AES (Rijndael) in counter (CTR) mode. This allows for random read access within evidence files. The 128-bit implement
se evidence file containers instead for such purposes. Note that to an unsuspecting examiner, a skeleton image may look very much like an ordinary, complete image. Such an examiner must be made aware of the incomplete, sparsely populated nature of the image. Unlike in a logical evidence file container, files whose contents are not contained in the image are not specially marked as such in a volume snapshot taken of an incomplete physical image. X-Ways Forensics v17.1 and later informs the examiner of the nature of an image when it's added to a case, if it detects a skeleton image. A comparison of evidence file containers and skeleton images can be found on the web site.

9.10 Backup Manager

Displays a list of previously created WinHex backups. The items can be listed in a chronological or alphabetical order. Choose the backup you would like to restore. When that function completes, the original file or sector contents is shown. You can restore the backup
• into a temporary file first, such that you will still need to save it,
• directly and immediately to the disk, or
• to a new file.
In the case of disk sectors, you may also wish to specify a different destination disk or a different destination sector number. It is also possible to only extract a subset of the sectors from the backup. However, sectors at the beginning of a compressed backup cannot be left out during restoration. If the backup was saved with a checksum and/or a digest (data authe
search. The file mask is applied to both the filename and the detected true file type. To see what text is extracted from a document by this function, you can select the document in the directory browser in Preview mode and hold the Shift key when switching to Raw mode. If you are not interested in each and every search hit but merely in which files contain at least one of the specified search terms, a logical search can be greatly accelerated by telling X-Ways Forensics that only one hit per file is needed, so that it can skip the remainder of a file once a hit has been recorded and continue with the next file. The resulting search hit list will be inherently and systematically incomplete, and no assumption must be made that somehow the most useful search hit in each file will be collected or, if multiple search terms are used, that a search hit for a search term that you consider more important will be collected. However, it is guaranteed that it contains all the files for which there was at least one hit for one of the search terms used, and each such file once only. Such a list is sufficient and efficient to manually review the affected files, comment on them, copy the files off an image or pass them on to other investigators in an evidence file container etc. Note that of course it is not possible to combine search terms with a logical AND if only 1 hit per file was recorded. That consequence is typically forgotten by unsuspecting users. Files t
sectors triggers their acquisition. However, if you wish to specifically acquire selected files, that is easier, and it might be a good idea to turn off the indirect acquisition of any sectors that are read for whatever purpose along the way, so that for example a file that you preview and that turns out to be irrelevant is not acquired by the preview action already. For that you can change the state of the skeleton image that is open in the background to idle, using the State command in the File menu. In idle mode, only the "Add to [name of the skeleton image]" command in the directory browser context menu allows to acquire selected files, by temporarily activating the image and triggering read operations. If you wish to include some operating system files, for example, such as Windows registry hives, explore the partition recursively from the root directory, filter for those files, and invoke the "Add to" command in the directory browser context menu. Only available if no evidence file container is open in the background for filling at that time. The examiner who only has the resulting skeleton image will consequently be able to view the hives and create a registry report about them, assuming you had already copied the file system data structures, which are required to find out which sectors contain the data of the file. The dialog window to change the state of the target image also allows you to close it, i.e. stop the acquisition
sed analysis instead of file-based analysis is a progressive new approach with a totally different perspective, that may lead to knowledge about activities recorded on computers that otherwise could hardly be gained. You may see connections (related activity) that otherwise could be overlooked and may be able to better explain the logic behind what has happened. The sources of events that are exploited by the metadata extraction in this version include all the supported file systems (i.e. all the timestamps listed in the timestamp columns of the directory browser; modification, record update and last access are omitted if identical to the corresponding creation timestamp), processes in supported memory dumps, extracted or processed e-mail, as well as files of these types:
index.dat (Internet browser)
SQLite databases
Firefox fragments
_CACHE_001_ and _CACHE_002_
.lnk shortcuts
automaticDestination-ms
Chrome/Chromium cache (data_1, data_2)
UsnJrnl fragments
Registry hives
Windows .evt event logs
Windows .evtx event logs
Most extracted events come with a description that includes the event source, the event ID and the record number. The record number allows you to quickly search for the record in the HTML preview if you need further details about that particular event.
DataStore.edb (MS Windows operating system update events)
hbin (Registry hive fragments)
.doc (last printed)
.msg
rp.log (XP restore point)
INFO2 (XP recycle
shot of the evidence object in the active data window. To selectively include files, make sure they are not filtered out. Then you can include them with a context menu command after selecting them. There is another button that allows to totally remove excluded items from the volume snapshot if irrelevant/not needed, in particular meaningless garbage files found via a file header signature search. This will render the volume snapshot smaller, i.e. more efficient to handle, and save main memory. Useful also if you would like X-Ways Forensics to find certain files once again via a file header signature search, but for example list them with a different default file size if the originally specified default file size proved inadequate. The removal operation is faster if you delete search hits prior to executing it. As part of the removal, internal IDs are shuffled, so they do not indicate any more the order in which items were added to the volume snapshot. Excluded items that have non-excluded child objects are not removed. It is highly recommended to work with a copy of your case when using this functionality, e.g. produced with the Save As command. Whenever one or more filters are active that actually filter out items in the currently displayed directory browser, there are two blue filter symbols in the directory browser's caption line. They point out that your current view is incomplete because of active filters, and they also allow you to deactivate al
sis.

8.4 Undo Options

The availability of the Undo command depends on the following options:
• Specify how many sequential actions are to be reversed by the Undo command. This option does not affect the number of reversible keyboard inputs, which is only limited by the available RAM.
• In order to save time and space on your hard disk, you can specify a file size limit. If a file is larger than this limit, backups will not be created and the Undo command is not available (except for keyboard input).
• Automatically created backups for the internal use with the Undo command are deleted by WinHex when closing the file if the corresponding option is fully selected. If it is partially selected, they are deleted when WinHex terminates.
• For all kinds of editing operations you choose whether they should be reversible or not. If so, an internal backup is created before the operation takes place.

8.5 Security Options

Use the option "Check for virtual memory alteration" to make sure the RAM editor inspects the structure of virtual memory every time before reading from or writing to it. If the structure has changed, a possible read error is prevented. Especially under Windows NT, the checking may result in a loss of speed. When editing the entire memory of a process, WinHex generally never checks for alterations before reading, even if this option is enabled. Before modifications to an existing file are saved, i.e. before the file
sks and RAM sections.

Close All Without Prompting: Closes all windows and thus all opened files and disks, without giving you the opportunity to save your modifications.

Cascade, Tile: Arranges the windows in the aforementioned way.

Minimize All: Minimizes all windows.

Arrange Icons: This command arranges minimized windows.

5.13 Help Menu

Contents: Displays the contents of the program help.

Setup: Allows you to switch the language of the user interface. With Initialize you can restore the default settings of the program.

Uninstall: Use this command to remove WinHex from your system. This works properly even if you did not install WinHex using the setup program.

Online: Opens in your browser (if you have an Internet connection) the X-Ways web site, the support forum, the newsletter subscription page, and a page where you can check your license status, retrieve the latest download links and get upgrade offers. There is also an option to check for updates online, occasionally upon start-up of the software or at any time when you like. This can report the availability of later versions or new service releases of the currently used version (not pre-release versions) and allow to start the download. Does not send any data from within the program to the Internet, for example no system or user information or dongle ID, neither directly nor encrypted nor anonymized, of course no case data, not even the currently used version number, nothing. This optio
ssed by the NTFS file system, and with a forensic license entire hiberfil.sys files that were copied off an image, as well as individual xpress chunks from such files. Furthermore, it can stretch packed 7-bit ASCII to readable 8-bit ASCII, useful e.g. for SMS from mobile phones.

Encryption/Decryption

Specify a string consisting of 1-16 characters as the encryption/decryption key. The key is case-sensitive. The more characters you enter, the safer is the encryption. The key itself is not used for encryption and decryption; instead, it is digested to the actual key. The key is not saved on your hard disk. If the corresponding security option is enabled, the key is stored in an encrypted state in the RAM as long as WinHex is running. It is recommended to specify a combination of at least 8 characters as the encryption key. Do not use words of any language; it is better to choose a random combination of letters, punctuation marks and digits. Note that encryption keys are case-sensitive. Remember that you will be unable to retrieve the encrypted data without the appropriate key. The decryption key you enter is not verified before decrypting.

Encryption algorithm: 256-bit AES (Rijndael) in counter (CTR) mode. This encryption algorithm uses a 256-bit key that is digested with SHA-256 from the 512-bit concatenation of the SHA-256 of the key you specify and 256 bits of cryptographically sound random input (salt). The file is expanded by 48 b
t of the user interface on a separate screen and even maximize it there. Reintegrating it into the main window is done by clicking the same three dots again or by clicking the Minimize button.

3.11 Simultaneous Search

This search command in the Search menu is available for owners of specialist and forensic licenses and offers all options only for owners of forensic licenses. This search is simultaneous in that it allows the user to specify a virtually unlimited list of search terms, one per line. The occurrences of these search terms can be saved and listed in an evidence object's search hit list (forensic licenses, when working with a case) or in the general Position Manager. You may use the simultaneous search to systematically search multiple hard disks or disk images in a single pass for words like "drug", "cocaine", "street synonym 1 for cocaine", "street synonym 2 for cocaine", "street synonym 3 for cocaine", "street synonym 3 for cocaine, alternative spelling", "name of dealer 1", "name of dealer 2", "name of dealer 3" etc. at the same time. The search results can narrow down the examination to a list of files upon which to focus. The simultaneous search can be used physically or logically. Physically, it searches the sectors on a medium in LBA order (except if you search upwards, then in reverse order). If you do not have WinHex list the hits of a physical search, you may use the F3 key to search for the next hit. Logicall
t see any data in sectors and cannot open/view any files. In the Case Root window, evidence objects can be marked as important with a yellow flag, via the context menu or by hitting the Space bar. You will see that yellow flag in the Case Data window and when selecting evidence objects, for example for recursive exploration from the Case Root or when generating a report.

3.4 Case Log

When enabled in the case and the evidence properties window, WinHex obstinately logs all activities performed when the case is open. That allows you to easily track, reproduce and document the steps you have followed to reach a certain result, for your own information and for the court room. The following is recorded:
• when you select a menu item: the command title (or at least an ID) and the name of the active edit window if not an evidence object, preceded by the keyword "Menu"
• when a message box is displayed: the message text and what button you pressed (OK, Yes, No or Cancel), preceded by the keyword "MsgBox"
• when a small progress indicator window is displayed: its title (like "Recovering files") and whether the operation was completed or aborted, preceded by the keyword "Operation"
• a screenshot of each displayed dialog window with all selected options (e.g. for a complex operation that follows), preceded by the window's title
• the extensive log produced by Clone Disk and File Recovery by Type
• your own entries (free text that yo
table on a FAT drive, or to a certain FILE record in the master file table on an NTFS drive, respectively.

Move Block: Moves the current block selection (not the data within the block) forward or backward. Specify the distance in bytes. Press ALT+F11 to repeat the last block movement, press SHIFT+ALT+F11 to reverse the movement. This command may facilitate editing a file that consists of homogeneous records of a fixed length.

WinHex and X-Ways Forensics keep a history of your offset jumps within a file or disk and allow to go back and forward in the chain later. Forensic license only: With Back and Forward you can also conveniently go back to a certain directory browser setting. This takes into account: explored path, recursive or non-recursive, sort criteria, on/off state of all filters, settings of some of the filters, some directory browser options. The Back and Forward commands also allow to activate the previously active data window again when switching between windows.

Go To Beginning Of File: Displays the first page of the current file and moves the current position to offset 0.
End Of File: Displays the last page of the current file and moves the current position to the last byte (offset file size - 1).
Beginning Of Block: Moves the current position to the beginning of the current block.
End Of Block: Moves the current position to the end of the current block.
Mark Position: Marks the current position and thus enables you to find it
tarts. For example, when additional files are added to the snapshot by the file header signature search, depending on the file type these files can be further processed (e.g. hashed) or not if the Type filter is active during the later stages of the volume snapshot refinement.

4.3.1 Hash Value Computation and Matching

Hash values can be computed for files in the volume snapshot. They are not recomputed if you apply this operation again to the same files. In addition to the mere hash computation, a forensic license allows to match the hash values against individually selected or simply all hash sets in the internal hash database. The filter can then later be used to hide known irrelevant files. Files recognized as irrelevant with the help of the hash database can be optionally excluded from further volume snapshot refinement operations, which among other benefits saves time. The hash values will not be updated in the volume snapshot once computed. However, the matching process (looking up the hash values of files in the volume snapshot) can be repeated for the same files at any time. This will remove previous hash set matches from these files. The hash category field will not only be updated, but emptied. A forensic license allows to verify hash values that were computed at an earlier point of time or imported from an evidence file container. The result will be output to the messages window. Any file whose current hash value does not match the ori
tell each sector's and cluster's allocation, i.e. for which file it is used. You may use the command Take New Volume Snapshot of the Tools menu to update the view of a volume, e.g. after unchecking this option.

Various volume snapshot refinement options will produce child objects for files, e.g. extracted pictures. If you prefer not to have child objects for files but for directories only, auxiliary virtual directories can be created that act as the parent of the child objects, as in earlier versions. This is useful if you create containers that should be examined with earlier versions of X-Ways Forensics or X-Ways Investigator. If you allow files with child objects (default), the Recover/Copy command prevents name conflicts in the output folder automatically.

Inherit deleted state: Causes deleted partitions to pass on their deleted state to everything that they contain (files and directories), and deleted e-mail archives to pass on their deleted state to all the e-mails, directories and attachments that they contain. This may seem logical, but results in a loss of information, as depending on the reference everything may be listed as deleted, even files/e-mails that from the point of view of the file system/the e-mail archive still exist. By default this option is not selected, so that X-Ways Forensics distinguishes between existing and deleted files and e-mails etc. even in deleted partitions/deleted e-mail archives, so that more information is retained.
th certain last modification dates only. The search hit list is based on the position and level in the directory tree where you click, so that you can e.g. see all search hits in files in Documents and Settings and subdirectories of the same, and even search hits from all evidence objects of the entire case at the same time, using the case root window. Also it's possible to conveniently select one or several search terms for search hit viewing in the search term list in the Case Data window. Like that it's also an easy task to find out how many search hits there are for any given search term for any level in the case tree, as that number is displayed in the directory browser's caption, based on the current search hit list.

Search hit lists are dynamic in that they are composed on the fly depending on selected search terms, explored path, current filter settings, and based on the settings of the search term list (logical AND combinations and the "1 hit per file" option).

Search hits can be marked as notable, such that a flag is displayed on the left, with the directory browser context menu or by pressing the Space key. With the Space key you may also remove that mark. The search term list allows you to create a quick overview of all hits marked as notable.

Search hits are stored in the metadata subdirectory of the respective evidence object. When you no longer need certain search hits, select them and press the Del key. When you no longer need any searc
th regular expressions possible (details to be revealed later), more convenient search hit review exactly like for ordinary search hits, search hits are stored permanently immediately, allowing for immediate logical AND and NEAR combinations, and more.

With the new indexing engine you may conveniently run non-GREP index searches for search terms that contain space characters, just like in conventional searches. This is very important for names (e.g. John Doe or XYZ Technology Ltd) and spaced compound words (e.g. bank account or credit card limit). This works even if the individual components of the compound already exceed the maximum word length that was indexed (by default 7 characters), so that you will have no trouble finding basketball positions (10+9 letters) or skyscraper architecture (10+12 letters). Just as always, the components are only matched up to the length that was indexed, which is not a big problem because there are not many words other than basketball and skyscraper that start with basketb or skyscra, respectively. In fact the spaces in the search terms match unindexed word delimiters other than spaces as well, such as hyphens (so you will also find Spider-Man and freeze-dried when searching for spider man and freeze dried), or underscores (as in bank_account, think of a filename like bank_account.html), or plus signs (as in credit+card, e.g. common in Google search URLs when searching for more than 1
the longer search hit, as Smithsonian for example is more specific than Smith, and favors search hits in existing files.

Navigation

The Navigation group of commands allows interactions with the currently selected file on a generally more technical level. It allows you to directly locate the data structure in the file system that defines a file (e.g. FILE record in NTFS, inode in Ext2/Ext3/Ext4, directory entry in FAT) and also to sort files by the offset of their defining data structures.

The Navigation menu also allows you to produce a list of all the clusters allocated to the selected file or directory. From the context menu of that list window the cluster list can be exported to a text file. Optionally the list can be shortened and its creation greatly accelerated by omitting clusters in the middle of a fragment. Omissions are indicated by ellipses. This option takes effect only when you produce a cluster list the next time.

Find parent object: Navigates to and selects the parent object of the selected object. Equivalent to pressing the Backspace key. The child object can be an ordinary file in a directory, or an e-mail message in an e-mail archive, or a file attachment in an e-mail message, or a picture in a document, or a file in a compressed archive, etc.

Find related object: This command allows you to conveniently navigate to the so-called related object, if one exists for the selected file or directory. Alternatively you can press Shift+Backspa
the occurrences of each byte value (0-255). The result is graphically displayed by proportional vertical lines. The number of occurrences and the percentage are displayed for each byte value when moving the mouse over the corresponding vertical line. Use this command for instance to identify data of unknown type. Audio data, compressed data, executable code etc. produce characteristic graphics. Use the context menu of the window to switch zero-byte consideration on or off, to print the analysis window, or to export the analysis to a text file. When analyzing small amounts of data (< 50,000 bytes), the compression ratio that zlib achieves for that data is displayed in the analysis window caption, which also allows you to draw conclusions about the nature of the data.

Compute Hash: Calculates one of the following checksums/digests of the entire current file/disk or the currently selected block: 8-bit, 16-bit, 32-bit, 64-bit checksum, CRC16, CRC32, MD5, SHA-1, SHA-256, or PSCHF.

5.9 File Tools

Concatenate: Select several source files that are to be copied into one destination file. The source files are not affected.

Split: This command creates several destination files using the contents of a single source file. Specify a split offset for each destination file. The source file is not affected by this function.

Unify: Select two source files and one destination file. The bytes/words from the source files will be written alternately into the dest
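The two indicators the block analysis described above exposes, the byte-value distribution and the zlib compression ratio, can be computed outside the tool as well. The following is an added example (not WinHex or X-Ways code): it builds the histogram for byte values 0-255, offers the zero-byte on/off switch as a percentage recomputation (my reading of that option), and derives a coarse guess at the nature of a chunk from the two indicators. The thresholds in classify() and the sample data are assumptions constructed for this example, not values from the manual.

```python
"""Byte-value distribution and zlib compression ratio of a data chunk.

Added example, not WinHex code. The thresholds in classify() are an
assumption chosen for the constructed samples, not values from the manual.
"""
import hashlib
import zlib
from collections import Counter


def byte_histogram(data: bytes) -> list:
    """Occurrence count for each byte value 0..255 (list index = byte value)."""
    counts = Counter(data)
    return [counts.get(b, 0) for b in range(256)]


def byte_percentages(data: bytes, ignore_zero: bool = False) -> list:
    """Percentage share of each byte value; with ignore_zero the 0x00 bytes
    are left out of the total (the 'zero-byte consideration' switch)."""
    hist = byte_histogram(data)
    if ignore_zero:
        hist[0] = 0
    total = sum(hist)
    return [100.0 * c / total if total else 0.0 for c in hist]


def zlib_ratio(data: bytes) -> float:
    """Compressed size divided by original size (about 1.0 = incompressible)."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes) -> str:
    """Coarse guess at the nature of a chunk from the two indicators.
    A flat histogram that zlib cannot shrink is what compressed and
    encrypted data look like; a narrow histogram that compresses well
    is typical of text; a single repeated value is a fill pattern."""
    ratio = zlib_ratio(data)
    distinct = sum(1 for c in byte_histogram(data) if c)
    if distinct <= 1:
        return "uniform fill"
    if ratio > 0.95 and distinct > 200:
        return "compressed or encrypted"
    if distinct <= 128 and ratio < 0.7:
        return "text-like"
    return "structured binary"


# Constructed samples (not data from the manual).
TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
ZEROS = bytes(2000)


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) so results repeat."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]
```

On realistic input, run classify() over fixed-size windows of a file or an unallocated region to spot where the character of the data changes, e.g. an encrypted container embedded in an otherwise sparse file.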
the file, but in the decoded text. Please note that for FAT volumes all timestamps are displayed unmodified; for all other volumes the time zone concept applies.

3.6.4 File Type Categories.txt

This customizable file defines of which file types categories are comprised. The name of a category is preceded by three asterisks and a space. Following is a list of file types that belong to that category, one per line. Such lines must start with either a … or a …, where … simply means that type is checked in the file type filter. After that, the typical extension for that file type follows, plus a space character, followed by a description of the file type. Only lower-case letters are to be used in extensions. The same file extension/type may occur in multiple categories (see Category column description for limitations). Alternatively to extensions, entire filenames are supported as well. This is useful for certain files with a well-defined name whose extension alone is not specific enough or which do not have any extension. Complete filenames have to be enclosed in semicolons. Examples:

;index.dat; Internet Explorer history/cache
;history.dat; Mozilla Firefox browser history
;passwd; Existing users

There is a virtual Other/Unknown type category which is not specifically defined in the file and simply covers all files that do not belong to any other defined category. File types are ranked by importance/relevance and
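A small parser for the layout just described makes the rules concrete (category header = three asterisks and a space, one type per line, lower-case extensions, whole filenames enclosed in semicolons, a virtual Other/Unknown fallback). This is an added example, not code from X-Ways; the two line prefix characters are assumed here to be + (checked in the file type filter) and - (unchecked), since this copy of the manual does not show them, and the sample definition text is constructed.

```python
"""Parser and lookup for the File Type Categories.txt layout.

Added example, not X-Ways code. Assumption: type lines start with '+'
(checked in the file type filter) or '-' (unchecked).
"""
from dataclasses import dataclass, field

# Constructed sample in the described layout (not the shipped file).
SAMPLE = """\
*** Pictures
+jpg JPEG
+png Portable Network Graphics
-psd Photoshop
*** Internet
+;index.dat; Internet Explorer history/cache
+;history.dat; Mozilla Firefox browser history
+htm HTML document
*** Unix
+;passwd; Existing users
"""


@dataclass
class TypeEntry:
    category: str
    checked: bool          # '+' prefix: checked in the file type filter
    extension: str = ""    # lower-case extension, "" for a whole-filename rule
    filename: str = ""     # whole filename, "" for an extension rule
    description: str = ""


@dataclass
class Categories:
    entries: list = field(default_factory=list)
    errors: list = field(default_factory=list)   # (line number, reason)


def parse_categories(text: str) -> Categories:
    """Parse the definition text; lines violating the rules go to .errors."""
    result = Categories()
    category = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("*** "):
            category = line[4:].strip()
            continue
        if category is None:
            result.errors.append((lineno, "type line before any category"))
            continue
        prefix, body = line[0], line[1:]
        if prefix not in "+-":
            result.errors.append((lineno, "line must start with + or -"))
            continue
        if body.startswith(";"):
            # Whole filename enclosed in semicolons, description follows.
            end = body.find(";", 1)
            if end < 0:
                result.errors.append((lineno, "unterminated filename"))
                continue
            name, desc = body[1:end], body[end + 1:].strip()
            result.entries.append(TypeEntry(category, prefix == "+",
                                            filename=name.lower(), description=desc))
        else:
            ext, _, desc = body.partition(" ")
            # Only lower-case letters are allowed in extensions.
            if not ext or ext != ext.lower():
                result.errors.append((lineno, "extension must be lower-case"))
                continue
            result.entries.append(TypeEntry(category, prefix == "+",
                                            extension=ext, description=desc.strip()))
    return result


def categories_of(cats: Categories, filename: str) -> list:
    """Categories a filename belongs to; whole-name rules win over extension
    rules, and the virtual Other/Unknown category is the fallback."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    hits = [e.category for e in cats.entries if e.filename and e.filename == name]
    if not hits:
        hits = [e.category for e in cats.entries if e.extension and e.extension == ext]
    # Keep order, drop duplicates: a type may occur in several categories.
    return list(dict.fromkeys(hits)) or ["Other/Unknown"]
```

Running parse_categories() over an edited definition file before loading it into the tool catches the common mistakes (upper-case extensions, a missing closing semicolon) that would otherwise silently drop a type from the filter.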
the relevant information. If the … is followed by a letter, the value will be preferably interpreted as the data type that the letter stands for. The following letters and data types are defined at the moment:

f: Windows FILETIME timestamp
e: Epoch (Unix) timestamp
E: Epoch8 (Unix timestamp as QWORD)
T: Windows system time timestamp
s: ANSI ASCII, null-terminated
S: UTF-16 string, null-terminated
b: binary data, not to be interpreted as characters (REG_BINARY)
P: Windows PIDL data structure
1: ItemPos data structure (covers Shell Bag, desktop shortcuts and more)
B: conditional, if value TRUE
F: conditional, if value FALSE
no/empty mode: recursion of the subtree
i: value case-insensitive
d: deleted values only

It is also possible to combine numeric characters and letters, e.g. 10f. In that case the numeric character must precede the letter. … at the start of a line comments out that line (it will be ignored). … at the start of a line will output explanatory text into the report.

Additional output: In a second phase of the creation of the registry report, additional data will be analyzed and output as tables at the end of the HTML file. The specifications in the definition file which belong to this second phase are marked with Dummy. This causes the first phase to prevent any normal output. If you would like to get the output of the first phase, you merely need to change the description in the definitio
the words. Given that authors of documents try to formulate sentences which contain a single idea, or cluster related ideas within neighboring sentences or organized into paragraphs, there is an inherent, relatively high probability within the document structure that words used together are related. Whereas when two words are on the opposite ends of a book, the probability that there is a relationship between the words is relatively weak. By limiting search results to only include matches where the words are within the specified maximum proximity or distance, the search results are assumed to be of higher relevance than the matches where the words are scattered.

3.15 Indexing, Index Search

Note: This is a description of the old indexing engine. The new one is part of volume snapshot refinements.

Available only with a forensic license, in the Search menu, when working with a case, for evidence objects. Reads the data with the same logic as a logical search, with the same advantages (see that topic). Creates indexes of all words in all or certain files in the volume snapshot, based on characters you provide, based on the Unicode character set and/or up to two code pages that you select. It is possible to have up to three such indexes per evidence object, e.g. Cyrillic characters indexed in Unicode and two Cyrillic code pages. X-Ways Forensics allows you to conveniently select characters from more than 22 languages for indexing. Currently most E
thumbs.db, index.dat always index.dat. The aforementioned prefix is not used in conjunction with original filenames.

The internal algorithm tries to determine the original size of files of various types (among others JPEG, GIF, PNG, BMP, TIFF, Nikon NEF, Canon CR2 raw, PSD, CDR, AVI, WAV, MOV, MPEG, MP3, MP4, 3GP, M4V, M4A, ASF, WMV, WMA, ZIP, GZIP, RAR, 7Z, TAR, MS Word, MS Excel, MS PowerPoint, RTF, PDF, HTML, XML, XSD, DTD, PST, DBX, AOL PFC, Windows Registry, index.dat, Prefetch, SPL, EVTX, EML) by examining their data structure. This affects entries in the file type definition database that have a … in the Footer column. These entries should not be altered, in order for the size and type detection to work for these file types. A footer signature can also help to find the end of a file. For files about whose original size the available algorithms have no idea, and for which no footer is specified, or for which a specified footer is not actually found, the files are recovered at the exact default file size specified by the user (in KB). Be generous when specifying this size, because whereas files recovered too large can still be opened by their associated applications, prematurely truncated files often can't be, as they are incomplete. The attempt to detect the original size of files of certain types via internal algorithm or by searching for a footer is limited by a maximum size, which is a user-supplied multiple of the default file size.
ti-User Coordination For Large Cases ... 15
3.3 Evidence Objects ... 18
3.4 Case Log ... 19
3.5 Case Report ... 20
3.6 Directory Browser ... 21
3.6.1 General Description ... 21
3.6.2 … ... 23
3.6.3 Columns and Filters ... 23
3.6.4 File Type Categories.txt ... 30
3.7 Report Tables ... 31
3.8 … ... 32
3.9 Registry Report ... 35
3.10 Mode Buttons ... 37
3.11 Simultaneous Search ... 40
3.12 Logical Search ... 41
3.13 Search Hit Lists ... 44
3.14 Search Term List ... 45
3.15 Indexing, Index Search ... 47
3.16 … ... 50
3.17 … ... 51
3.18 Hash Database ... 53
3.19 Time Zone Concept ... 54
3.20 Evidence File Containers ... 55
3.21 Related Items ... 57
3.22 External Analysis Interface ... 58
4 Vo
tion/Volume/Container mode, but shows only the clusters allocated to the file or directory that is currently selected in the directory browser, in the order as used by the file (defragmented if fragmented, decompressed if compressed), with offsets relative to the beginning of the file. When switching from File mode to Partition/Volume mode, X-Ways Forensics will automatically point you to the offset from the point of view of the partition/volume that is equivalent to the offset within the file where the cursor was positioned last, even if the file is fragmented (if there is an equivalent position; not if the file is a compressed or virtual attached file or an extracted e-mail message or an exported video still etc.).

Preview: Checks the type of the file currently selected in the directory browser and displays the file with the help of the separate viewer component, except if the viewer component is not active or if it's a picture (supported file types: see Gallery below) and the viewer component should not be used for pictures. Even incomplete pictures (e.g. files incompletely recovered because of fragmentation) can usually be displayed partially. If the viewer component is not active and the file is not a picture in one of the supported formats, a rudimentary ASCII text extract from the beginning of the file is displayed.

Details: Contains all the information on a single selected file from all the directory browser columns, including those that ar
tion at any time if you wish to continue using the program yourself, i.e. for an index search. During optimization the various index .xfi index component files will be consolidated/merged/unified to fewer .xfi files, finally to only a single .xfi file, which will be somewhat more efficient to search. Also ensures that the Export Word List feature won't export duplicate words.

Two parameters control the optimization. These parameters can be changed even after optimization starts, and the changes take effect the next time a new optimization process is started, which usually happens every few minutes. The first parameter controls the amount of memory used by a single process, which can be between 300 MB and 2 GB. This value should not exceed the amount of memory installed in your system. The more memory you allow an optimization process to use, the better the resulting optimization, because more .xfi files are compiled into a single search tree. This translates to fewer word duplicates and better search performance, at the cost of more time for optimization. The second parameter controls the number of processes that optimize the index in parallel. This value should not exceed the number of CPU cores present in the system. Configuring the number of optimization processes is useful if you want to use the computer for other tasks while optimizing an index.

What is the purpose of index optimization? Index optimization eliminates duplicate words in t
tional prefix you provide, … is an incrementing number per evidence object, and ext is the filename extension that corresponds to the file header signature according to the file type definition. The output filename prefix may optionally contain a placeholder (d) which will be replaced by the drive name. This is useful if you apply File Recovery by Type to multiple drives at a time and wish to be able to easily distinguish files from different drives.

With a specialist license or higher, the intelligent naming option will cause Exif JPEG files to be named after the digital camera model that created them and their internal time stamp, if available. Many Windows Registry hive files are given their original names, also some JPEG files in whose metadata Photoshop has embedded a name. JPEG files without known name and no Exif metadata that however have been created by a known generator get some additional information in their artificial name in parentheses: first a designation of the generator signature (currently e.g. IJG Library, Photoshop, and Photoshop Web, where the latter stands for Photoshop when saved with optimization for usage in the web), second the quality setting (Q) when the JPEG file was saved, which ranges from 1 to 100, or 1 to 7 in the case of Photoshop. Further generators (Apple, Canon etc.) theoretically could also be identified, but not in the official release version of WinHex/X-Ways Forensics. Thumbs.db files are always named
tionally search for FILE records everywhere as part of the particularly thorough file system data structure search, i.e. in all sectors of the partition. If half checked (default setting): only in volume shadow copy host files.

You can indicate whether you are interested in getting files listed whose clusters and therefore data are totally unknown, with only metadata (e.g. just filename), in NTFS, Ext and Reiser. If fully checked, all previously existing files of which metadata only is known will be included in a volume snapshot. If not checked at all, those files will be ignored. If half checked, only files for which more than just the name is known (e.g. size, attributes and timestamps) will be included, e.g. found in index records in INDX buffers or in the LogFile in NTFS, but not directory entry remnants in Ext or Reiser file systems.

You can indicate whether you are interested in earlier names and locations of renamed/moved files and directories in NTFS, and whether you are interested in getting files listed for which only filename, size, timestamps and attributes, but no data clusters, are known. Affects the thorough file system data structure search (specialist license or higher). If the checkbox for earlier names/paths is half checked, then you will be informed of earlier names/paths of renamed/moved files via comments and don't get additional files in the volume snapshot for each earlier name/path.

Including logged utility str
tition, i.e. get a listing of all files and directories referenced by the file system in that partition, then you open that partition from the source hard disk, so that a volume snapshot is actually taken. Again, all the sectors read from the source hard disk in the process are simultaneously copied to the image, and that is the file system data structures (e.g. MFT in NTFS, all directory clusters in FAT, and the catalog file in HFS). That adds considerably more administrative data and also metadata to your skeleton image, but still no or almost no user contents. Unrelated sectors that are not used by the file system are not read and therefore not copied. That also means that the ability to find previously existing files in the skeleton image will be limited.

If you wish to include an arbitrary range of sectors in the image, you only need to find a way to make X-Ways Forensics read those sectors. For example, to include sectors from number 1,000,000 to 1,000,999, define those 1,000 sectors as a block and hash that block in Disk mode using the Tools | Compute Hash command, or run a physical search in that block only. Or, to acquire an unusually large partition gap between partition 1 and 2, you could hash the virtual file representing that gap. You can also manually navigate to any single sector of interest that you want to be included, e.g. Navigation | Go To Sector, or use any of the file system navigation menu commands. All of that works because reading
to remember the position indicated by the currently defined block, either in the General Position Manager or in the Position Manager of the evidence object (when working with a case, if you right-click a block that is defined in an evidence object; forensic license only). Makes it easier to find the same position again later and can be used to nicely highlight and explain with tooltips the structure of files or records of a certain format that you are analyzing/trying to reverse-engineer etc.

If search hits are highlighted in File mode (see General Options), you can also delete them via the context menu. You can also get the complete Edit menu from here.

5.3 File Menu

New: This command is used to create a file. The file is principally opened in default edit mode. You have to specify the desired file size.

Open: Lets you open one or more files. You may choose an edit mode in case it is not predetermined in the Options menu. Also allows you to open physical disks, partitions and volumes as a file by clicking a button labeled Device in the file selection dialog. You can enter a device path such as \\.\PhysicalDrive1 for hard disk 1, \\?\Volume{12345678-9abc-11a1-abcd-0123456789ab} for a volume with that GUID, or \\.\C: for a volume mounted as drive letter C. This functionality allows you to open volumes that are not mounted as drive letters. To get an overview of volumes known to Windows, type mountvol in a command prompt window. You can
tomatically, with the same base name as the container (without extension) and the suffix " Metadata". E.g. if the name of the container is Smith HD1.ctr, then the name of the corresponding subdirectory is Smith HD1 Metadata. When closing a container that is open in the background, the user is offered to compress, encrypt and/or split it. Splitting is useful if the container is complete and relatively huge and e.g. should be sent to someone else on CDs or DVDs. You may also find it useful to have a verifiable overall hash value for all the data in the container, which can be computed at that occasion and embedded in the target container. You can also freeze the file system in the target container that you create in .e01 evidence file format, so that it cannot be filled further even if it is converted back later to its plain state again (to a raw image).

3.21 Related Items

Only available with a forensic license.

Files/directories that have a corresponding related file or directory in the volume snapshot are marked in the directory browser with a small blue arrow pointing downwards on the left-hand side of their icon. A secondary tooltip appears for files with a related file when hovering the mouse cursor over the icon, which conveniently tells you the path and name of that related file, for example the target of a symbolic link. There are four different kinds of related objects:

1. When taking a volume snapshot of Unix-bas
ton.

6.2 Entering Characters

In hex mode only hexadecimal characters are to be entered (0-9, A-F). In text mode you can enter all kinds of characters: letters, numbers, punctuation marks and special characters (e.g. … and …). Please use the Windows program charmap.exe to find out key combinations for such characters (e.g. Alt+1-7-5 for …). The WinHex font even supports the Euro symbol.

6.3 Edit Modes

The info pane displays for each file/disk in which mode it was opened in the program. The info pane's context menu allows you to selectively change the edit mode of the active window.

Read-only (View) mode: Recommended for computer forensic examinations. In order to enforce strict forensic procedures, this is the only mode available in X-Ways Forensics (except for files in the current case's directory and in the general folder for temporary files, to allow decoding, decrypting and converting them etc.). Files or disks that are opened in view mode cannot be intentionally or accidentally edited/altered in WinHex, only viewed. In other words, they are opened write-protected (read-only) by WinHex.

Default edit mode: Modifications to files or disks opened in default edit mode are stored in temporary files. Those temporary files are created and maintained dynamically when needed. Only when you close the edit window or use the Save menu command (File Menu) are the modifications flushed and the original file or disk updated.
ts, you can simulate inserting or removing single bits at the beginning of the block. You may also shift entire bytes (currently to the left only) by entering a negative number of bytes. This is useful if you wish to cut bytes from a very huge file in in-place mode, which would otherwise require the creation of a huge temporary file.

Swap Bytes: This command assumes all data to consist of 16-bit elements (32-bit elements resp.) and swaps high-order and low-order bytes (high-order and low-order words resp.). Use it in order to convert big-endian into little-endian data and vice versa.

Addition: Specify a positive or negative decimal or hexadecimal number which is to be added to each element of the current block. An integer format defines size (1, 2 or 4 bytes) and type (signed or unsigned) of an element. There are two ways how to proceed if the result of the addition is out of the range of the selected integer format: either the range limit is assumed to be the new value (I) or the carry is ignored (II).

Example (unsigned 8-bit format):
I: FF + 1 -> FF (255 + 1 -> 255)
II: FF + 1 -> 00 (255 + 1 -> 0)

Example (signed 8-bit format):
I: 80 - 1 -> 80 (-128 - 1 -> -128)
II: 80 - 1 -> 7F (-128 - 1 -> 127)

If you decide to use the first method, WinHex will tell you how often the range limit has been exceeded. The second method makes sure the operation is reversible: simply add -x instead of x (based on the same integer format) to recreate the
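The two overflow policies of the Addition command, clamping to the range limit (I) versus dropping the carry (II), are easy to get wrong when reproducing such an edit or undoing it. The following is an added example (not WinHex code) that applies an addition to every element of a block for all six integer formats named above, counts how often the range limit was exceeded under method I, and lets you confirm that only method II is reversible. Multi-byte elements are assumed little-endian, which the passage does not specify.

```python
"""Block-wise Addition with the two overflow policies (I: clamp, II: wrap).

Added example, not WinHex code. Element formats: size 1, 2 or 4 bytes,
signed or unsigned. Assumption: multi-byte elements are little-endian.
"""
import struct

_CODES = {1: "b", 2: "h", 4: "i"}   # struct codes for signed sizes


def _format(size: int, signed: bool, n: int) -> str:
    c = _CODES[size]
    return "<" + (c if signed else c.upper()) * n


def _limits(size: int, signed: bool):
    bits = 8 * size
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def add_to_block(data: bytes, x: int, size: int = 1, signed: bool = False,
                 wrap: bool = False):
    """Add x to every element of data; returns (new_bytes, exceeded_count).

    wrap=False is method I: a result outside the format's range is replaced
    by the range limit, and each such element is counted.
    wrap=True is method II: the carry is ignored (arithmetic modulo 2^bits),
    so adding -x afterwards restores the original block exactly.
    """
    if len(data) % size:
        raise ValueError("block length is not a multiple of the element size")
    lo, hi = _limits(size, signed)
    n = len(data) // size
    fmt = _format(size, signed, n)
    out = []
    exceeded = 0
    for v in struct.unpack(fmt, data):
        r = v + x
        if r < lo or r > hi:
            if wrap:
                span = hi - lo + 1           # 2^bits
                r = (r - lo) % span + lo     # drop the carry
            else:
                exceeded += 1
                r = lo if r < lo else hi     # saturate at the range limit
        out.append(r)
    return struct.pack(fmt, *out), exceeded


def undo_wrapped_addition(data: bytes, x: int, size: int = 1,
                          signed: bool = False) -> bytes:
    """Reverse a method II addition of x by adding -x with the same format."""
    return add_to_block(data, -x, size, signed, wrap=True)[0]
```

The exceeded count returned for method I is the figure the text says WinHex reports; when it is non-zero the edit has destroyed information and cannot be undone by a second Addition, which is why method II is the safer choice for a transformation you may need to revert.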
ture of the data in a given chunk might be possible merely judging from the compressed size of the chunk, i.e. its compression ratio, even if the compressed data is encrypted.

If you have WinHex assign a filename for a WinHex backup automatically, the file will be created in the folder for backups (cf. General Options), named with the next free slot according to the Backup Manager's naming conventions (xxx.whx), and will be available in the Backup Manager. If you explicitly specify a path and a filename, you can restore the backup or image later using the Restore Backup command, and in case of split backups WinHex will automatically append the segment number to the filenames.

9.8 Hints on Disk Cloning, Imaging, Image Restoration

Cloning or imaging with WinHex/X-Ways Forensics makes exact sector-wise, forensically sound copies, including all unused space and slack space. An image is usually preferable to a clone, as all data and metadata (such as timestamps) in an image file is protected from the operating system. If you clone/image a disk for backup purposes, try to avoid that the disk is being written to by the operating system or other programs during the process, e.g. by unmounting partitions that are mounted as drive letters before starting. Such write operations are unavoidable, of course, if you clone/image the disk that contains the active Windows installation from where you execute WinHex/X-Ways Forensics. If the source disk is being wr
u add with the Add Log Entry command, either to the case as a whole or to a certain evidence object. The destination path of each file copied/recovered with the directory browser context menu, along with selected metadata of that file (e.g. original name, original path, size, timestamps), is logged in a separate file, copylog.html or copylog.txt, in the log subdirectory. All activities are logged with their exact date and time, internally in FILETIME format with 100-nanosecond interval precision. Logs are by default associated with the case as a whole. However, logs of activities that apply to a certain evidence object are directly associated with that evidence object. This determines where they appear in a report. Screenshots are saved as PNG files in the log subfolder of a case folder.

3.5 Case Report

You may create a report from the File menu of the Case Data window. The report is saved as an HTML file and can thus be displayed and opened in a variety of applications. For example, you may view it in your favorite Internet browser and open and further process it in MS Word. The application to open the report in can be specified in Options | Viewer Programs. If no such program is defined, the report file will be opened in the application that is associated with the file extension on your computer. With the Open Report command you can select any existing file and open it in the defined or associated application. The r
ue serial number are inserted between the filename and the extension, in a way attorneys traditionally label paper documents for later accurate identification and reference.

Trusted Download: Solves a security problem. When transferring unclassified material from a classified hard disk drive to unclassified media, you need to be certain that it will have no extraneous information in any cluster or sector overhang spuriously copied along with the actual file, since this slack space may still contain classified material from a time when it was allocated to a different file. This command copies files in their current size and no byte more. It does not copy entire sectors or clusters as conventional copy commands do. Multiple files in the same folder can be copied at the same time.

Highlight Free Space, Slack Space: Displays offsets and data in softer colors (light blue and gray respectively). Helps to easily identify these special drive areas. Works on FAT, NTFS and Ext2/Ext3 partitions.

5.11 Options Menu

General Options: see below.

Viewer Programs: Here you may enable the separate viewer component and specify the path where it is located (by default the subdirectory viewer). The path may be relative to the directory where X-Ways Forensics is executed (e.g. viewer) or relative to the parent directory of that directory (e.g. viewer). You may decide to use it for pictures too, instead of the internal graphics viewing library. You may sele
ue that can later be verified.

Forensic license: You may adjust the compression option while .e01 evidence files are being created. Useful if your priorities (higher compression rate or higher speed) change, for example when you see that drive space suddenly seems scarce or you have to finish the process quicker than previously thought. Also useful to experiment when not sure which compression option might be best for a particular system configuration, e.g. when imaging a live system on site and having to write the image to an external hard disk via USB, where I/O is slow and the overall process may be faster with compression than without.

Forensic license: Ability to specify how many extra threads to use for compression when creating .e01 evidence files. By default X-Ways Forensics will use no more than 4 or 8 (it depends on how many processor cores your system has), but you could try to increase the number on very powerful systems with even more cores, usually without problems, for a chance to further increase the speed, or you can reduce it if you run into stability problems.

At the end of the imaging process the computer can be optionally either shut down or, if supported by your system, hibernated to save power. If you select hibernation and Windows signals that hibernation fails, X-Ways Forensics will instead try to shut down the system.

There is an option to add newly created images to the case and start refining their volume snapshot
301. uropean and many Asian languages are predefined, e.g. German, Spanish, French, Portuguese, Italian, Scandinavian languages, Russian, South Slavic languages, Eastern European languages, Greek, Turkish, Hebrew, Arabic, Thai, Vietnamese. You may specify each character individually, or ranges of characters (e.g. a-zA-Z) if the edit box for the character pool starts with "range". To index the dash itself (not recommended), specify it as the last character.

Indexing is a potentially time-consuming process and may require a large amount of drive space (rule of thumb for default settings and average data: 5-25% of the original amount of data). However, the index will allow you to conduct further searches very quickly and spontaneously. The index files are saved in the metadata output folder of the corresponding evidence object.

The scope of the index, i.e. which files are to be indexed, can be fine-tuned. The default setting is that all existing files (including their slack, unless disabled in the directory browser options) plus the virtual files, which includes all free space, will be indexed. This avoids that certain parts of free space are indexed multiple times if they are referenced by several deleted files at the same time. Note that the index of partitioned media such as physical hard disks solely covers unpartitioned areas. That's because each partition can have its own index.

Words shorter than a lower limit you specify are ignored. The l
302. urposes for which X-Ways Forensics can be used, so in our opinion step-by-step instructions ("click here first, then there, then look here") are not the right way to explain the software. This program help / user manual is rather meant to accurately describe all the available functionality and let you creatively combine different commands to achieve a certain goal. It is still the user who has to do the thinking, know what he/she is doing, and know how to interpret findings.

The 64-bit edition is recommended especially in situations where the 32-bit memory address space may be insufficient, e.g. when dealing with disks or images that contain many millions of files or when dealing with many millions of search hits, provided that you have plenty of physical RAM installed. Certain operations that are computationally intensive (e.g. hashing or encrypting) may also be faster in the 64-bit edition.

2 Technical Background

2.1 Using a Hex Editor

A hex editor is capable of completely displaying the contents of each file type. Unlike a text editor, a hex editor even displays control codes (e.g. linefeed and carriage return characters) and executable code, using a two-digit number based on the hexadecimal system. Consider one byte to be a sequence of 8 bits. Each bit is either 0 or 1, i.e. it assumes one of two possible states. Therefore one byte can have one of 2·2·2·2·2·2·2·2 = 2^8 = 256 different values. Since 256 is the square of 16, a byte value can be defined by a two-d
303. user separately if desired, by hiding and removing them.

5 Menu Reference

Note: Commands in the main menu (File, Edit, Search) always apply to the active data window as a whole, which e.g. represents an open file or an open disk, or to files/disks that are still to be specified by the user. They never apply to the file(s) currently selected in the directory browser. That's what the directory browser context menu is there for.

5.1 Directory Browser Context Menu

The directory browser context menu allows the user to directly interact with the currently selected files/directories (notably not the tagged items). There are a number of menu commands which are available depending on the selected items. Double-clicking files and directories will, depending on the circumstances, either invoke View, Explore, or the associated external program.

View: This command allows viewing the selected file with WinHex's internal viewers for Windows Registry files and various graphical file formats. If the separate viewer component that comes with X-Ways Forensics is active, all other files are sent to that viewer. If it is not, the first installed external program will be called instead. Exceptions to all of the above are files beyond 2 GB in size and NTFS system files. These are always opened as data windows. When viewing a file in a separate window, you may press Ctrl+Page Dn/Up to close the window and view the next file in the directory
304. usually 0 when imaging a complete hard disk. For disk imaging in general it is recommended to use the File | Create Disk Image functionality instead, for various reasons (with a forensic license: support for .e01 evidence files, compression, splitting, hashing, encryption, metadata, technical details report, more convenient). Only in specific cases, for example when dealing with several physical disk defects or when the goal is to copy only certain ranges of sectors, advanced users can use Tools | Disk Tools | Clone Disk to have more detailed control over which sectors are copied from where to where and in which order.

9.7 Images and Backups

This command (Create Disk Image / Make Backup Copy in the File menu) allows to create a backup or image of the currently open logical drive, physical disk or individual file. There are three possible output file formats, each with unique advantages. The two columns that survive here compare evidence files and raw images:

File format              Evidence File   Raw Image
Filename extension       .e01            e.g. .dd
Interpretable as disk    yes             yes
Splittable               yes             yes
Compressible             yes             no
Encryptable              yes             no
Optional hash            integrated      separate
Optional description     integrated      separate
Range of sectors only    yes             yes
Applicable to files      no              no
Automated maintenance    no              no
Compatibility            yes             yes
Required license         forensic        personal

The major advantage of evidence files and raw images is that they can be interpreted by WinHex like the original disks, with
305. ut report tables to a report (the original purpose of report tables, hence their name), use the Create Report command in the Case Data window.

3.8 Internal Viewer

The internal viewer can be invoked with the View command in the Tools menu and in the directory browser's context menu, plus in Preview mode. It shows picture files of various file formats (JPEG, PNG, GIF, TIFF, BMP, PSD, HDR, PSP, SGI, PCX, CUT, PNM, PBM, PGM, PPM, ICO) using an internal graphics viewing library, plus the structure of Windows registry files, Windows Event Logs (.evt and .evtx), Windows shortcut files (.lnk), Windows Prefetch files, $LogFile, $UsnJrnl:$J, Windows Task Scheduler (.job), EFS LUS, INFO2, Restore Point change.log.1, wtmp and utmp log-in records, MacOS X kcpassword, MacOS X finder bookmarks (flnk), AOL PFC, Outlook NK2 auto-complete files, Outlook WAB address books, Internet Explorer travellog files (a.k.a. RecoveryStore), MS Outlook Express DBX, and many other files internally. If you try to view a file that is not supported by the internal viewer, the separate viewer component is invoked instead.

There is an additional separate viewer component that integrates seamlessly and allows to conveniently view more than 270 file formats (such as MS Word, Excel, PowerPoint, Access, Works, Outlook, HTML, PDF, StarOffice, OpenOffice) directly in WinHex and X-Ways Forensics. This component is provided to all owners of forensic licenses issued for v12.05
306. ven hidden processes, with their timestamps and process IDs and their own respective memory address spaces, can be individually viewed in Process mode, with pages concatenated in correct logical order as seen by each process. The particularly thorough data structure search is signature-based, will take a little longer than taking a standard volume snapshot, and may turn up traces of additional processes, including rootkits. Memory can be acquired remotely with the help of F-Response (Tools | Open Disk).

The analysis is supported for most, but not all, variants/service packs of Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server and Windows 7 (32-bit; less complete: 64-bit). Only complete memory dumps are supported, i.e. those which include regions in RAM that are utilized by the BIOS and by PCI devices.

Windows kernel data structures and named objects are conveniently listed in a tree in the volume snapshot under "Objects". Loaded modules are listed under "Modules". That enables X-Ways Forensics to allocate the memory pages in RAM mode that they occupy to them and to compute hashes for them, so that they can be identified via special hash sets. For hashing purposes it is recommended to list the invariant headers of loaded modules only (see Volume Snapshot Options). The technical details report informs you of important system-wide parameters as well as of the current addresses of important kernel data structures and
307. ven professional attempts to restore the file will be futile. Therefore this command should be applied to files with confidential contents which are to be destroyed. Available in WinHex only, not in X-Ways Forensics.

Delete Recursively: This command can be used to recursively delete a directory with all its subdirectories if they cannot be deleted with Windows Explorer or other Windows tools and commands, because of illegal characters in the directory names or because of missing rights (for example if TrustedInstaller is the owner; you can get those rights if you are running WinHex with administrator rights). Note that you cannot apply this command to such a problematic directory itself, only to a parent directory.

5.10 Specialist Menu

Specialist and forensic licenses only.

Refine Volume Snapshot: see separate chapter.

Technical Details Report: Shows information about the currently active disk or file and lets you copy it, e.g. into a report you are writing. Most extensive on physical hard disks, where details for each partition and even unallocated gaps between existing partitions are pointed out. Under Windows 2000 and XP, WinHex also reports the password protection status of ATA disks. Forensic license only: WinHex is able to detect hidden host protected areas (HPAs, a.k.a. ATA protected areas) and device configuration overlays (DCO areas) on IDE hard disks under Windows 2000 and XP. A message box with a warning will be displayed
308. vent list with v17.3 and later, thanks to the original 0x30 attribute timestamps. 0x30 timestamps are marked in the event list with an asterisk if they are later than the corresponding 0x10 timestamps, which seems unnatural and in some rare cases might be the result of backdating by the rightful users of the computers themselves. Under certain circumstances, backdating documents is seen as fraudulent and illegal. However, much more commonly, 0x10 timestamps predating 0x30 timestamps is just the work of installation programs or the result of copying a file or moving a file from one volume to another or extracting a file from a zip archive, where Windows or other programs artificially apply the original creation time of the source file to the destination once copying turns out to be successful (internal programmatic backdating). If the checkbox "Provide file system level timestamps as events" is only half checked, timestamps in 0x30 attributes are ignored for event generation, which is faster.

3.18 Hash Database

Functionality only available with a forensic license. The internal hash database, once created, consists of 257 binary files with the extension .xhd (X-Ways Hash Database). The storage folder is selected in the General Options dialog. The hash database is organized in a very efficient way which maximizes performance when matching hash values. It is up to the user to decide on what hash type the database will be based: MD5, SHA-1, SHA-256
309. vision (/), modular division (%), bitwise AND (&), bitwise OR (|) and bitwise XOR (^). Valid mathematical expressions are, for example, 5 2 1, MyVar1 MyVar2 4 or MyVar.

The following is a description of currently supported script commands, including example parameters.

Create "D:\My File.txt" 1000
Creates the specified file with an initial file size of 1000 bytes. If the file already exists, it is overwritten.

Open "D:\My File.txt"
Open "D:\*.txt"
Opens the specified file(s). Specify "?" as the parameter to let the user select the file to open.

Open C:
Open D:
Opens the specified logical drive. Specify "?" as the parameter to let the user select a logical drive or physical disk to open.

Open 80h
Open 81h
Open 9Eh
Opens the specified physical media. Floppy disk numbering starts with 00h, fixed and removable drive numbering with 80h, optical media numbering with 9Eh. Optionally, you may pass a second parameter with the Open command that defines the edit mode in which to open the file or media (in-place or read-only).

CreateBackup
Creates a WHX backup of the active file in its current state.

CreateBackupEx 0 100000 650 true "F:\My backup.whx"
Creates a WHX backup of the active disk from sector 0 through sector 1,000,000. The backup file will be split automatically at a size of 650 MB. Compression is enabled (true). The output file is specified as the last parameter. If the backup file should n
310. volume snapshot

• Files and directories that are not excluded

You may also activate filters based on criteria such as filenames, file type categories, attributes or hash set. Whenever an active filter actually filters out files or directories in the directory browser, this is flagged with a blue filter icon in the directory browser's header line, and you will be informed of exactly how many items have been omitted from the list.

You also have the option, by clicking the icons for "open file" / "save file" on the right-hand side of the caption line of the directory browser, to store filter and sort settings in a separate file and load them again at any time. Such files are given the extension .settings. Note that it is not guaranteed that different versions of the software can load each other's settings. Also note that collisions among file type designations become apparent when selections for the file type filter are loaded. For example, if you had originally selected mmf (MailMessage File, category E-mail), then you will find that mmf is also selected as Yamaha SMAF (category Sound/Music). This is normal and does not change what the Type filter does: when in doubt, the Type filter also includes other types with the same designation, to avoid that anything is overlooked.

Below the filter options, in the lower left corner, you will find a button in this dialog box that allows to undo the exclusion of all files and directories in the volume snap
311. volume snapshot as a carved file or, in case of File mode, as a child object of the original file. Useful if you wish to treat data in a certain area (e.g. HTML code or e-mail messages found floating around in free space) as a file, e.g. to view it, search it specifically, comment on it, add it to a report etc. If you manually carve a file within another file in File mode, the resulting file will be marked in the Attr. column as an excerpt and can be filtered as such. Already carved areas in host files are highlighted in File mode. Useful to remind the user whether he or she has already created excerpts from a file and where, e.g. from a large free space virtual file, when continuing to look at that host file.

Define Block: This function is accessible from the menu and the status bar. A dialog box lets you specify the desired block limits. This command can also be applied to all open files.

Select All: Defines the beginning and the end of the current file as its block limits.

Superimpose Sectors: see below.

Convert: cf. Conversions.

Modify Data: see below.

Fill Block / File / Disk Sectors: see below (Wiping and Initializing).

5.5 Search Menu

Simultaneous Search: see above.

Indexing: see above.

Search in Index: see above.

Optimize Index: see above.

Export Word List: Available once an index has been created. Allows to save a list of all the words in the index to a text file. In that list, each word that occurs in the files that were indexed will be present
312. word. So in that respect index searches are even more powerful than conventional searches. Defining spaces as being part of words is a big no-no.

At the moment the old and the new indexing engines coexist within the program. To use the old indexing engine, use the menu commands Search | Indexing to create an index and Search | Search in Index to search in the index. To create an index with the new indexing engine, use the menu command Specialist | Refine Volume Snapshot. To run a search in the index created by the new search engine, invoke Search | Simultaneous Search and select "Search in Index" in the drop-down box at the bottom of the dialog window.

4.4 More Information about Volume Snapshot Refinement

Should processing freeze on a certain file, remember the internal ID and the name of the currently processed file are displayed in the small progress indicator window. If this operation is applied to an evidence object and it crashes, X-Ways Forensics will tell you which file when you restart the program and associate it with a report table named "Reason for crash" (depends on the Security Options). All that happens so that you can exclude and omit the file when trying again. If the hash value for such a file was computed, that file and identical files are skipped automatically if you continue to refine the volume snapshot and compute hash values, at least if the protection against identical crasher files is active in the properties of th
313. x for substrings later, but the result will be incomplete and the search speed much slower. Please note that it is the responsibility of the user to enable substring indexing if the words in the language to index are not delimited with spaces, e.g. in Chinese or Thai.

Indexing will be unnecessarily slow if the data to be indexed resides on the same disk with the case file and directory where the index is created. Try to avoid indexing with an active Internet connection if your Windows system is configured to download updates and reboot automatically upon installation.

Optionally, text in certain file types can be decoded for indexing (cf. Logical Search), and it is possible to create indexes for selected computer media/images associated with a case in a single step. You can index in Unicode and in up to two different code pages simultaneously. Please note that X-Ways Forensics cannot simultaneously index characters in the same multi-byte character code page if some characters utilize just 1 byte and others 2 bytes.

It is possible to define a character substitution list in Unicode that causes certain letters to be indexed as other letters, e.g. é as just e. This will allow you to find certain spelling variations with a single index search, e.g. both the name René (with an accented e at the end) and Rene (without), with either spelling. This list must have the structure é>e, è>e, ê>e, ñ>n, i.e. 1 substit
314. xtracted e-mail messages are not needed.

• SHA-1 hashes can always be displayed in Base32 notation in the directory browser, as common in P2P programs.

With a forensic license, the program can optionally keep track of which files were already viewed and flag them visually with a green background color around the tag. This is especially useful when reviewing hundreds or thousands of documents or pictures over a longer period, to avoid accidentally viewing the same documents multiple times. A file can automatically be flagged as already viewed when viewing it in full window or Preview mode, when viewing pictures in the gallery, or when identifying a file as known good based on the hash database. When identifying duplicate files based on hash values and one of the files has been marked as already viewed, then the duplicates can optionally be marked as already viewed too. Similarly (only if the corresponding checkbox is fully checked), if files have been marked already as having duplicates and their hash values are available, when they are viewed, duplicates within the same volume will be marked as already viewed at the same time, but this is potentially slow when used in conjunction with the gallery. When viewing a file with further hard links which are also duplicates, those will be automatically marked as already viewed as well, except in HFS. To manually mark files as already viewed, you can press Alt in combination with the cursor keys: Alt+Left re
315. y: Allows you to define search hits manually. Whenever you come across some relevant text, for example floating around in free space in Disk/Partition/Volume mode or within a certain file in File mode, you can select it as a block and right-click the block to add it as a so-called user search hit, i.e. some kind of search hit not found by the program. You can assign the search hit to an arbitrarily named search term (category). For example, if what you have found is related to suspect A, assign it as a search hit to a search term named after suspect A. If also related to suspect B, you can also assign it to another search term. You could also assign it to a real search term that you have used for an automatic search. User search hits can be conveniently listed in, and nicely exported from, search hit lists, just like ordinary automatically generated search hits. To distinguish them from ordinary search hits, in the search hit description column user search hits are marked with an asterisk. You can specify the correct code page for user search hits yourself when you define them, which may be essential to get the text displayed correctly. User search hits are stored related to an object in the volume snapshot if you define them in File mode. User search hits are forward compatible, i.e. older versions (v16.2 and later) can also see user search hits created by v16.6.

Add Block as Virtual File: Forensic license only. See Edit menu.

Add Position: Allows you
316. y the search proceeds file by file, which is preferable and much more powerful and thorough.

More about the logical search: You can search the same search terms simultaneously in up to 6 code pages. The default code page that is active in your Windows system is marked with an asterisk and initially preselected. E.g. on computers in the US and in Western Europe, the usual default code page is 1252 (ANSI Latin I). The code pages named ANSI are used in Microsoft Windows, MAC indicates an Apple Macintosh code page, OEM indicates a code page used in MS-DOS and Windows command prompts. If a search term cannot be converted to the specified code page because of characters unknown in that code page, a warning is issued. Code page independent GREP searches for exact byte values are possible when searching in a non-code page called "Direct byte-wise translation for GREP", which translates byte values without any mapping for certain code pages or case matching. X-Ways Forensics also allows to search in both little-endian and big-endian UTF-16 and in any regional Windows code page, plus UTF-16 with the MS Outlook cipher ("compressible encryption") applied.

You can define which characters should be considered to be parts of words. This is useful to avoid false hits for short real-language words in binary garbage data or Base64 code, and generally for users that consider numbers to be parts of words, such as in GIF89. Example: An undesirable hit for "band"
317. y with a specialist or forensic license and after refining the volume snapshot, NTFS volumes show renamed and moved files with their original name in their former directory. On Reiser4 these are moved files with their current name in their former directory. A blue arrow indicates that contents for a file are available, though these are not specifically the contents from before the file was renamed or moved. A red arrow indicates that no contents are available.

Icon legend (figure; icon glyphs not reproduced): existing directory; previously existing directory, potentially recoverable; previously existing directory, first cluster not available; previously existing directory, renamed/moved; existing file; virtual file, listed for examination purposes; virtual attached file; previously existing file, contents unchanged; previously existing file, contents may have changed; previously existing file, first cluster not available; renamed/moved file, contents may have changed; renamed/moved file, first cluster not available; extracted e-mail; e-mail with attachment; traces of an e-mail message; file with child objects; child object of file; physical disk; volume/partition; explore recursively; deleted; tagged; already viewed; comment exists; report table.

In the caption line of the directory browser you see on the left the explored path (in case of recursive exploration in italics and turquoise color) and on the right the number of listed files and directories, typically separate figures for existing
318. you may filter by this rank. For example, filtering out those file types ranked 0 will exclude font files, cursors, icons, themes, skins, clip arts etc. Files with a low rank are of importance just in very specific investigations, for example source code, in which you would not be interested when looking for office documents or pictures, but definitely when hunting a virus programmer. Higher ranked file types are relevant in more cases. Generally, the rank is useful in simple cases where you can expect to find what you are looking for in file types that are fairly well known. As another idea, you could make it a habit to only index files with higher ranks.

You also have the option to assign file types to a so-called group, a concept that is not identical to a file type category. Useful for example if your standard procedure is to let examiner A check out pictures and videos, examiner B documents, e-mail and other Internet activity, and examiner C operating system files of various kinds, because of their specializations. You can give these groups meaningful names and filter for them, also using the Type Status dialog window. The groups are displayed in the Type filter.

All the definitions about file type ranks and file type groups are made in the File Type Categories.txt file. Suggestions for ranks and an example of a group of files that may deserve special attention are already predefined. Both ranks (from 0 to 9, where missing me
319. ys that are to be reported in all open hives are defined in text files like the pre-supplied Reg Report.txt, which can be tailored to your needs. The registry files you view must have their original names, or else the report may fail. You may edit the list of registry keys in these files to tailor the report to your own needs. Standard tables have 4 columns: description, extracted value, registry path (provided as a tooltip), and last modification date of the corresponding key. The dates are displayed in gray for values that are not the only values in their respective key, as a visual aid to remind the reader that they are not the modification dates of the values themselves.

Free space in registry hives can be analyzed with the report definition file Reg Report Free Space.txt. The free space can be as large as several MB, especially as a consequence of the use of virus scanners and registry cleaning programs. Deleted registry values are now highlighted in the report in red color. Also registry value slack has a relevant size in NTUSER.DAT hives. This fact is exploited with 2 measures: 1. If the slack contains text strings, it will be output in the registry report in green. This new feature can optionally be turned off in the registry viewer context menu. 2. For values that contain item lists (i.e. are binary), you can use the Reg Report Free Space.txt definitions so that the registry report will output lists of filenames with timestamps in gree
320. ytes to accommodate the 256 bits of salt and a randomized 128-bit initial counter. WinHex allows you to encrypt not only an entire file, but also a block of data only. In that case you are warned, however, that no salt is used and no random initial counter is used, so you must not reuse your key to encrypt other data with the same encryption method. The size of the block is left unchanged.

9.4 Sector Superimposition

With this feature you can superimpose other data on top of disks or interpreted images that are opened as read-only. Useful when you need to make minor temporary adjustments to data in sectors within the program to get it interpreted correctly internally, but do not want to or are not allowed to alter the sectors on the disk or in the image itself (or cannot, because it is not a raw image but an .e01 evidence file), and also do not want to make another complete working copy of an image that is e.g. 2 TB in size if just 1 byte needs to be changed. Such adjustments can be necessary, for example, in cases of partitioning or file system metadata corruption, where just a missing magic number keeps WinHex from detecting the file system, or just one flipped bit keeps WinHex from finding $MFT in NTFS, or just one wrong nibble in the partition table keeps WinHex from recognizing a partition as an LVM2 container partition, etc. In these situations you can manually provide and superimpose the corrected data and then hopefully work with the disk or imag
321. ywords x and y, with obviously irrelevant stuff already filtered out; who need to review hundreds of electronic documents, identify relevant ones, add comments to them, identify logical structures and connections between them with the help of their comments, and print documents, all within the same environment with a few mouse clicks, which saves the time to extract and load each document in its associated application; who may or may not need to work in an environment severely restricted by the system administrator anyway. The X-Ways Investigator interface lacks many advanced technical options to allow for easier access to non-technical personnel. X-Ways Investigator licenses that only allow to use this GUI are available at 50% of the regular rate on request. An optional file investigator.ini controls additional simplifications and administrative security precautions, e.g. to allow users to open evidence file containers only, and only such containers that have been classified as secure.

• Under Windows Vista and 7 it may be recommendable to always run WinHex/X-Ways Forensics as administrator if you need sector-level access to media.

• If the creation of thumbnails for pictures within large (e.g. solid) RAR archives for gallery view is too slow, you may want to disable it. This will also disable search hit context preview for search hits in files in archives.

• If large JPEGs already contain embedded thumbnails and those have been included
322. zip archives to Unicode. There may be further uses in future versions.

Case files can be password-protected. This does not involve encryption and is just a kind of lock. If the password is lost by a user, case files saved by X-Ways Investigator can be unlocked with a super-user password, if such a password had already been entered in the installation used at the time when the case file was saved (undocumented, on request).

When clicking the SIDs button, you can see a collection of all SID/username combinations encountered in that case, gathered from SAM registry hives in all Windows installations on images/media ever added to the case. They are used by X-Ways Forensics to resolve SIDs to usernames when working with that case.

The most powerful concept in X-Ways Forensics that allows to systematically and completely review files on computer media is the so-called refined volume snapshot. It is possible to refine the standard volume snapshot for all evidence objects of a case in one step and to search all evidence objects with volume snapshots logically with the help of the virtual global case root window.

Note that it is possible to generate a flat overview of all existing and deleted files from all subdirectories on a partition or image file of a partition by recursively exploring the root directory. In order to explore a directory recursively, i.e. list its contents plus the contents of all its subdirectories plus their subdirector