WinHex/X-WaysForensicsGeneralInformationAboutWinHex/X-WaysForensicsLicenseTypesMoredifferencesbetweenWinHexandX-WaysForensicsGettingstartedwithX-WaysForensicsUsingaHexEditorUsefulHintsIntegerDataTypesFloating-PointDataTypesDateTypesANSIASCII/IBMASCIIChecksumsAttributesTechnicalHintsLegalitiesUserInterfaceDirectoryBrowserModeButtons(Disk,File,Preview,Details,Gallery,Calendar,...)Columns&FiltersDataInterpreterPositionManagerStartCenterStatusBarUsefulHintsCommandlineparametersKeyboardshortcutsMenuReferenceFileMenuEditMenuSearchMenuNavigationMenuViewMenuToolsMenuSpecialistMenuOptionsMenuWindowMenuHelpMenuWindowsContextMenuDir.BrowserContextMenuDataWindowContextMenuCaseDataContextMenuOptions

GeneraloptionsDirectoryBrowserViewerprogramsVolumesnapshotoptionsUndooptionsSecurityoptionsForensicFeaturesCaseManagementEvidenceObjectsCaseLogCaseReportInternalViewerRegistryReportMountasDriveLetterEventListsFileTypeCategories.txtIndexing,IndexSearchSimultaneousSearchSearchHitListSearchTermListHashDatabasePhotoDNAFuzZyDocReportTablesExternalAnalysisInterfaceVolumeSnapshotsSelectedConceptsX-TensionsAPIScriptsEditModesDiskEditorMemoryEditor/AnalysisSurrogatepatternsConversionsModifyDataWipingandInitializingCreateDiskImagesSkeletonImagesEvidenceFileContainersDiskCloningSectorSuperimpositionReconstructingRAIDsRelatedItemsTimeZoneConceptTemplateEditingDataRecovery

WinHex/X-WaysForensics19.3©1995-2017StefanFleischmann,X-WaysSoftwareTechnologyAGX-WaysSoftwareTechnologyAGisastockcorporationincorporatedunderthelawsoftheFederalRepublicofGermany.Registeredaddress:Carl-Diem-Str.3232257BündeGermanyE-mailaddress:mail@x-ways.comFax:+49-3212-1232029Firstreleasedin1995,lastupdatedinJune2017.Supportedplatforms:WindowsXP,Windows2003Server,WindowsVista/2008Server,Windows7,Windows8/Windows2012Server,Windows8.1,Windows10.32-bitand64-bit.Standard,PEandFE.Homepage:http://www.x-ways.netForum:http://www.winhex.netWewouldliketothankthestatelawenforcementagencyofRhineland-PalatinateforextraordinarilynumerousandessentialsuggestionsonthedevelopmentofX-WaysForensicsandX-WaysInvestigator.Userinterfacetranslation:ChinesebySpriteGuo.JapanesebyTakaoHoriuchiandIchiroSugiyama(notgenerallyavailable).FrenchbyJérômeBroutin,revisedbyBernardLeprêtre.SpanishbyJoséMaríaTagarroMartí.ItalianbyAndreaGhirardini.BrazilianPortuguesebyHeyderLinoFerreira.PolishbyProCertivSp.zo.o.(LLC).ThankstoDr.A.KuiperforhismethodtoprocessvideoswithMPlayer.Registeredprofessionalusersaroundtheworldinclude(thislistisfrom~13yearsago)...U.S.andGermanfederallawenforcementagencies,U.S.nationalinstitutes(e.g.theOakRidgeNationalLaboratoryinTennessee),ministriessuchastheAustralianDepartmentofDefence,theTechnicalUniversityofVienna,theTechnicalUniversityofMunich(InstituteofComputerScience),theGermanAerospaceCenter,theGermanfederalbureauofaviationaccidentinvestigation,MicrosoftCorp.,HewlettPackard,ToshibaEurope,Ericsson,NovellInc.,OntrackDataInternationalInc.,Deloitte&Touche,KPMGForensic,Ernst&Young,SiemensAG,SiemensBusinessServices,SiemensVDOAG,InfineonTechnologiesFlashGmbH&Co.KG,LockheedMartin,BAESystems,TDKCorporation,SeoulMobile

Telecom,VisaInternational,DePfaDeutschePfandbriefbankAG,AnalytikJenaAG,andmanyothercompaniesandscientificinstitutes.

GettingstartedwithX-WaysForensicsForthelatestdownloadinstructions,ifyourupdatemaintenanceiscurrent,youcancheckyourlicensestatushere.FormoreinformationabouttheinstallationofWinHexandX-WaysForensicspleaseseethiswebpage.ExtractthefilesintheX-WaysForensicsdownloadtoadirectoryofyourchoice.Aninstallationwiththesetupprogramisnotnecessary.TheprogramisportableandcanalsobestarteddirectlyfromaUSBstickonothercomputers,e.g.livesystemsthatyouwouldliketoexamine.Alsodownloadtheviewercomponent(whichisnotincludedinthestandarddownloadasitisupdatedmuchmorerarely).Usethe64-biteditionoftheviewercomponentforthe64-biteditionofX-WaysForensics.Bydefault,theviewercomponentisexpectedinthesubdirectory\viewer(32bit)or\x64\viewer(64bit).Pleasebeadvisedthattheviewercomponentcreatesfilesintheprofilesoftheuserwhoiscurrentlyloggedon,unlikeX-WaysForensics,soifyouwishtoavoidtocreatefilesonalivesystemthatyouexamine,don'tletX-WaysForensicsusetheviewercomponent.YoumayalsowishtodownloadMPlayerifyouintendtohaveX-WaysForensicsproducestillsfromvideostoseetheminthegallery.Newerreleasescanalwaysbeextractedintotheexistingdirectoryofanearlierrelease.YoumaycontinuetouseWinHex.cfgconfigurationfilesfromearlierreleasesinlaterreleases(butnevertheotherwayaround).Herearesomeinstructionstohelpyougetstartedandfindsomeimportantfeatures:Createacase,addanevidenceobject(suchasyourownC:driveorharddisk0,oranimagefile).Inthedirectorytree,youmayusearightclicktolistthecontentsofadirectoryinthedirectorybrowserincludingallitssubdirectories.Forexample,ifyouright-clicktherootdirectoryofavolume,youwillgetalistingofallfilesintheentirevolume.Atthesametimeyoucanuseadynamicfiltertofocusonfilesbasedwithcertainfilenames,ofacertainfiletype,size,orwithcertaintimestamps,etc.viaOptions|DirectoryBrowser.ThepowerfullogicalsearchfunctionalitycanbefoundinSearch|SimultaneousSearch.MoreinterestingfunctionsinX-WaysForensicscanbefoundinthecontextmenuofthedirectorybrowser(e.g.theabilitytocopyfilesoffanimage)andintheSpecialistmenu,inparticular"RefineVolumeSnapshot".Thelatterallowsyoutofurtherprocessfilesautomatically,e.g.exploreziparchives,extracte-mailmessagesandattachments,checkpicturesfortheamountofskin

tones,checkdocumentsforencryption,etc.ThereareathousanddifferentpurposesforwhichX-WaysForensicscanbeused,soinouropinionstep-by-stepinstructions(clickherefirst,thenthere,thenlookhere)arenottherightwaytoexplainthesoftware.Thisprogramhelp/usermanualisrathermeanttoaccuratelydescribealltheavailablefunctionalityandletyoucreativelycombinedifferentfeaturestoachieveacertaingoal.Itisstilltheuserwhohastodothethinking,knowwhathe/sheisdoingandhowtointerpretfindings.The64-biteditionisrecommendedespeciallyinsituationswherethe32-bitmemoryaddressspacemaybeinsufficient,whendealingwithdisksorimagesthatcontainmanymillionsoffiles,orwhendealingwithmanymillionsofsearchhits,providedthatyouhaveplentyofphysicalRAMinstalled.Certainoperationsthatarecomputationallyintensive(e.g.hashingorencrypting)mayalsobefasterinthe64-bitedition.

LicenseTypesYoumayevaluateWinHexfreeofcharge,foratmost45days.Forregularuseandforuseasafullversion,youneedatleastonelicense.Formultipleusersatthesametimeoruseonmultiplemachinesbyoneuseratthesametime,youwillalsoneedadditionallicenses.Licenseagreement.Unliketheevaluationversion,thefullversionofWinHexwillsavefileslargerthan200KB,writedisksectors,editvirtualmemoryandshownoevaluationversionreminders.Itwillrevealitslicensingstatusonstart-upandintheAboutbox(thewindowthatappearswhenyouclicktheversionnumberintheupperrightcorner).Personallicensesareavailableatareducedpricefornon-commercialpurposesonly,inanon-business,non-institutional,andnon-governmentenvironment.Professionallicensesallowusageofthesoftwareinanyenvironment(athome,inacompany,inanorganization,orinpublicadministration).Professionallicensesprovidetheabilitytoexecutescripts.SpecialistlicensesinadditiontothatallowtouseSpecialistmenucommands,readthefilesystemsexFAT,Ext2,Ext3,Ext4,Next3®,CDFS/ISO9660,UDF,canhighlightfreedrivespaceandslackspace,enablesupportforRAIDreconstruction,Windowsdynamicdisks,LinuxLVM2,somemorecolumnsinthedirectorybrowser,andreversediskcloning/imaging.ParticularlyusefulforITsecurityspecialists.WinHexLabEditioninadditiontothatunderstandthefilesystemsHFS,HFS+/HFSJ/HFSX,ReiserFS,Reiser4,XFS,andmanyvariantsofUFSandUFS2,allowtocreateevidencefilecontainers,andallowtorunregularX-Tensions.LicensesforX-WaysForensics(forensiclicenses)inadditiontotheaboveallowtousethepowerfulcasemanagingandreportgeneratingcapabilities,theinternalviewerandtheseparateviewercomponent,thegalleryview,manymorevolumesnapshotrefinementoperations,manymorecolumnsandfiltersinthedirectorybrowser(andtheorderofthecolumnscanbechanged),commentsandreporttables.Furthermore,theyallowtoreadandwriteevidencefiles(.e01)andmuchmore.Particularlyusefulforcomputerforensicexaminers.

X-WaysInvestigatorisasimplifiedversionofX-WaysForensics.ItdoesnothaveallthefunctionalityofX-WaysForensics,notevenallthefunctionalityofWinHex,andfocusesonnon-technicalaspectssuchasreviewofpictures,documentsande-mails.UsersofX-WaysForensicscantemporarilyreducetheuserinterfaceofX-WaysForensicstothatofX-WaysInvestigatortoseeexactlywhichmenucommandsandoptionsareavailableanddecidewhetheradditionallicensesforX-WaysInvestigatorwouldbenefittheirorganizationtosplituptheinvestigativeworkloadacrossmultipleusers,someofwhichmaybespecializedinareasotherthancomputerforensics.X-WaysInvestigatorisnotreallymeantasastand-aloneproduct.Themaximumnumberofsimultaneouscharactersetsinthetextdisplayalsodependsonthelicensetype(cf.Viewmenu).Amorecompletelicensetypecomparisoncanbefoundonlineathttp://www.x-ways.net/winhex/comparison.html.Pleaseseehttp://www.x-ways.net/order.htmlonhowtoorderyourlicenses.Thankyou.

MoreDifferencesbetweenWinHexandX-WaysForensicsWinHex(mainexecutablefileiswinhex.exeorwinhex64.exe)alwaysidentifiesitselfasWinHexintheuserinterface,X-WaysForensics(mainexecutablefilexwforensics.exeorxwforensics64.exe)asX-WaysForensics.Thesharedprogramhelpandthesharedmanual,however,staticallyrefertothename"WinHex"inmostcases,sometimes"X-WaysForensics".WinHexandX-WaysForensicssharethesamecodebase.X-WaysForensicsoffersnumerousadditionalforensicfeaturesoverWinHexwithaspecialistlicense,butdoesnotallowtoeditdisksectorsorinterpretedimagesandlacksvariousfunctionstowipedataknownfromWinHex.InX-WaysForensics,disks,interpretedimagefiles,virtualmemory,andphysicalRAMarestrictlyopenedinviewmode(read-only)only,toenforceforensicprocedures,wherenoevidencemustbealteredintheslightest.ThisstrictwriteprotectionofX-WaysForensicsensuresthatnooriginalevidencecanpossiblybealteredaccidentally,whichcanbeacrucialaspectincourtproceedings.Onlywhennotboundbystrictforensicproceduresand/orwheninneedtoworkmoreaggressivelyondisksorimages(e.g.youhavetorepairabootsectororwipeclassifiedorunrelateddata),thenauserofX-WaysForensicswouldrunWinHexinstead.WithWinHexyoucaneditdisksectorsandwipeentireharddisks,freespace,slackspace,selectedfiles,selecteddiskareasetc.UsersofX-WaysForensicsmaysimplycopytheirxwforensics.exeexecutablefileandnamethecopywinhex.exe(orforthe64-biteditioncopytheirxwforensics64.exeexecutablefileandnamethecopywinhex64.exe)togetWinHex.Thesetupprogramcreatessuchcopiesautomatically.Oryoucancreatehardlinksinsteadofcopies(highercoolnessfactor).Iftheprogramisexecutedas*winhex*.exe,itwillidentifyitselfasWinHexeverywhere(intheuserinterface,casereport,caselog,imagedescriptions,andallscreenshots)andact/behavelikeWinHex.Thatversionisthebestofbothworlds,withthefullforensicsfeaturesetofX-WaysForensicsplusthesectoreditinganddatawipingcapabilityofWinHexinone.

UsingaHexEditorAhexeditoriscapableofcompletelydisplayingthecontentsofeachfiletype.Unlikeatexteditor,ahexeditorevendisplayscontrolcodes(e.g.linefeedandcarriage-returncharacters)andexecutablecode,usingatwo-digitnumberbasedonthehexadecimalsystem.Consideronebytetobeasequenceof8bits.Eachbitiseither0or1,itassumesoneoftwopossiblestates.Thereforeonebytecanhaveoneof22222222=2^8=256differentvalues.Since256isthesquareof16,abytevaluecanbedefinedbyatwo-digitnumberbasedonthehexadecimalsystem,whereeachdigitrepresentsatetradeornibbleofabyte,i.e.4bits.Thesixteendigitsusedinthehexadecimalsystemare0-9,A-F.Youcanchangethevalueofabytebychangingthesedigitsinthehexadecimalmode.Itisalsopossibletoenterthecharacterthatisassignedtoacertainbytevaluebyacharacterset.Allkindsofcharactersareallowed(e.g.lettersandpunctuationmarks).Example:Abytewhosedecimalvalueis65isdisplayedas41inhexadecimalnotation(416+1=65)andastheletterAintextmode.TheASCIIcharactersetdefinesthecapitalletterAtohavethedecimalvalueof65.Wheneditingfilesofacertaintype(forinstanceexecutablefiles),itisessentialnottochangethefilesize.Movingtheaddressesofexecutablecodeandincludeddataresultsinseverelydamagingsuchfiles.Pleasenotethatchangingthecontentsofafilegenerallymaybethereasonforthecorrespondingapplicationtobehaveanomalously.Itisquitesafetoedittextpassagesinafile.Atanyrate,itisrecommendabletocreatebackupfilesbeforeediting.Thecommand"CombinedSearch"wasespeciallydesignedforeditingfilescreatedbycomputergamestosavethegamestate.Ifyouknowthevalueofavariableintwoofsuchfiles,youcanfindouttheoffset,i.e.theposition,atwhichthisdataissaved.Example:Iftwofilesholdtheinformationthatyouhave5resp.7points/lives/...,searchsimultaneouslyforthehexvalue05inthefirstand07inthesecondfile.

IntegerDataTypesFormat/TypeRangeExamplesigned8bit-128...127FF=-1unsigned8bit0...255FF=255signed16bit-32,768...32,7670080=-32,768unsigned16bit0...65,5350080=32,768signed24bit-8,388,608...8,388,607000080=-8,388,608unsigned24bit0...16,777,215000080=8,388,608signed32bit-2,147,483,648...2,147,483,64700000080=-2,147,483,648unsigned32bit0...4,294,967,29500000080=2,147,483,648signed64Bit-2^63...2^63-10000000000000080=-2^63Unlessstatedotherwise,multi-bytenumbersarestoredinlittle-endianformat,meaningthatthefirstbyteofanumberistheleastsignificantandthelastbyteisthemostsignificant.ThisisthecommonformatforcomputersrunningMicrosoftWindows.Followingthelittle-endianparadigm,thehexadecimalvalues1027canbeinterpretedasthehexadecimalnumber2710(decimal:10,000).TheDataInterpreteriscapableofinterpretingdataasalloftheaforementionedintegertypes,plusunsigned48-bitintegers.

Floating-PointDataTypesTypeRangePrecisionBytesFloat(Single)±1.5e-45..3.4e+387-84Real±2.9e-39..1.7e+3811-126Double(Double)±5.0e-324..1.7e+30815-168LongDouble(Extended)±3.4e-4932..1.1e+493219-2010ThetypenamesoriginatefromtheCprogramminglanguage.ThecorrespondingPascalnamesarespecifiedinbrackets.TheRealtypeexistsonlyinPascal.TheDataInterpreteriscapableoftranslatinghexvaluesinaneditorwindowintofloating-pointnumbersofallfourtypesandvice-versa.Inthecomputer,afloating-pointnumberFisrepresentedbyamantissaMandanexponentE,whereM×2^E=F.BothMandEaresignedintegervaluesthemselves.Thefourdatatypesdifferintheirvalueranges(i.e.thenumberofbitsreservedfortheexponent)andintheirprecision(i.e.thenumberofbitsreservedforthemantissa).OnIntel-basedsystems,calculationsuponfloating-pointnumbersarecarriedoutbyamathcoprocessorwhilethemainprocessorwaits.TheIntel80x87uses80-bitprecisionforcalculations,whereasRISCprocessorsoftenuse64-bitprecision.

DateTypesThefollowingdateformatsaresupportedbytheDataInterpreter:MS-DOSDate&Time(4bytes)Thelowerworddeterminesthetime,theupperwordthedate.UsedbyseveralDOSfunctioncallsandbyallFATfilesystems.BitsContents0-4Seconddividedby25-10Minute(0-59)11-15Hour(0-23ona24-hourclock)16-20Dayofthemonth(1-31)21-24Month(1=January,2=February,etc.)25-31Yearoffsetfrom1980Win32FILETIME(8bytes)TheFILETIMEstructureisa64-bitintegervaluerepresentingthenumberof100-nanosecondintervalssinceJanuary1,1601.UsedbytheWin32API.OLE2.0Date&Time(8bytes)Afloating-pointvalue(moreexactly:adouble)whoseintegralpartdeterminesthenumberofdayspassedsinceDecember30,1899.Thefractionalpartisinterpretedasthedaytime(e.g.1/4=6:00a.m.).ThisistheOLE2.0standarddatetype,e.g.itisusedbyMSExcel.ICQ7.0usesbig-endianOLE2.0timestampsinchatmessagesANSISQLDate&Time(8bytes)Twoconsecutive32-bitintegervalues.ThefirstonedeterminesthenumberofdayssinceNovember17,1858.Thesecondoneisthenumberof100-microsecondintervalssincemidnight.ThisistheANSISQLstandardandusedinmanydatabases(e.g.InterBase6.0).UNIX/CDate&Time(4bytes)

A32-bitintegervaluethatdeterminesthenumberofsecondssinceJanuary1,1970.ThisdatatypeisusedinUNIX,DOSCandC++("time_t"),andbyFORTRANprogramssincethe80's.SporadicallydefinedasthenumberofminutessinceJanuary1,1970.TheDataInterpreteroptionsletyouswitchbetweenbothsub-types.MacintoshHFS+Date&Time(4bytes)A32-bitintegervaluethatdeterminesthenumberofsecondssinceJanuary1,1904GMT(HFS:localtime).ThemaximumrepresentabledateisFebruary6,2040at06:28:15GMT.Thedatevaluesdonotaccountforleapseconds.Theydoincludealeapdayineveryyearthatisevenlydivisibleby4.JavaDate&Time(8bytes)A64-bitintegervaluethatspecifiesthenumberofmillisecondssinceJanuary1,1970.Usuallystoredinbigendian,whichisthetypicalbyteorderinJava,butinlittleendianinBlackBerrymemory.MacAbsoluteTime,a.k.a.Macepochtime(4bytes)A32-bitintegervaluethatdeterminesthenumberofsecondssinceJanuary1,2001.

ANSIASCII/IBMASCIIANSIASCIIisthenameutilizedinWinHexforanextensionoftheASCIIcharactersetasusedinnon-UnicodeWindowsapplications.ItwasnamedANSIbyMicrosoftaftertheAmericanNationalStandardsInstitute,butnotdefinedbythatinstitute.Severaldifferentregionalvariantsexist,oneofwhichisactiveinWindows,typicallycodepage1252incountrieswhereaWesternEuropeanlanguageisspoken.MS-DOSandWindowscommandpromptwindowsusewhatiscalledtheIBMASCIIcharactersetinWinHex(alsocalledOEMorDOScharactersetelsewhere).Allofthese8-bitextensionsofthe7-bitASCIIcharactersetsdifferinthecharacterswithvaluesgreaterthan127.IfforexampleifyoustoreplaintextfilewithWindowsNotepadinANSIencodingandlaterviewitwiththetypecommandinacommandpromptwindow,specialcharacterssuchasGermanumlautswillnotbedisplayedcorrectly.SomeoftheregionalANSIcodepagesaredouble-bytecodepages,i.e.useeven2bytesforsomecharactersinsteadofjust1percharacter.SelectthecharactersetforthetextcolumnintheViewmenu,orclickthetopofthetextcolumn,wherethenameoftheactivecodepage/charactersetisdisplayedtochangesettings.Usethe"Convert"commandoftheEditmenutoconverttextfilesfromonecharactersettotheother.Thefirst32ASCIIvaluesdonotdefineprintablecharacters,butcontrolcodes:Hex ControlCode Hex ControlCode00 Null 10 DataLinkEscape01 StartofHeader 11 DeviceControl102 StartofText 12 DeviceControl203 EndofText 13 DeviceControl304 End of

Transmission14 DeviceControl4

05 Enquiry 15 NegativeAcknowledge

06 Acknowledge 16 SynchronousIdle07 Bell 17 End of Transmission

Block

08 Backspace 18 Cancel09 HorizontalTab 19 EndofMedium0A LineFeed 1A Substitute0B VerticalTab 1B Escape0C FormFeed 1C FileSeparator0D CarriageReturn 1D GroupSeparator0E ShiftOut 1E RecordSeparator0F ShiftIn 1F UnitSeparator

ChecksumsAchecksumisacharacteristicnumberusedforverificationofdataauthenticity.Twofileswithequalchecksumsarehighlylikelytobeequalthemselves(bytebybyte).Calculatingandcomparingthechecksumsofafilebeforeandafterapossiblyinaccuratetransmissionmayrevealtransmissionerrors.Anunaffectedchecksumindicatesthatthefilesare(inalllikelihood)stillidentical.However,afilecanbemanipulatedonpurposeinsuchawaythatitschecksumremainsunaffected.Digestsareusedinsteadofchecksumsinsuchacase,wheremalicious(i.e.notmererandom)modificationstotheoriginaldataaretobedetected.InWinHex,checksumscanbecalculatedforexamplewithacommandintheToolsMenu.Thestandardchecksumissimplythesumofallbytesinafile,calculatedeitheronan8-bit,a16-bit,a32-bit,ora64-bitaccumulator.TheCRC(cyclicredundancycode)isbasedonmoresophisticatedalgorithms,whichsafer.Example:Ifatransmissionalterstwobytesofafileinsuchawaythatthemodificationsarecountervailing(forinstancebyteone+1,bytetwo-1),thestandardchecksumremainsunaffected,whereastheCRCchanges.

DigestsAso-calleddigestis,similartoachecksum,acharacteristicnumberusedforverificationofdataauthenticity.Butdigestsaremorethanthat:digestsarestrongone-wayhashcodes.Itiscomputationallyfeasibletomanipulateanydatainsuchawaythatitschecksumremainsunaffected.Verifyingthechecksuminsuchacasewouldleadtotheassumptionthatthedatahasnotbeenchanged,althoughithas.Therefore,digestsareusedinsteadofchecksumsifmalicious(i.e.notmererandom)modificationstotheoriginaldataaretobedetected.Itiscomputationallyinfeasibletofindanydatathatcorrespondstoagivendigest.Itisevencomputationallyinfeasibletofindtwopiecesofdatathatcorrespondtothesamedigest.Ofcourse,randommodifications,e.g.causedbyaninaccuratetransmission,canalsobedetectedwhenusingdigests,butchecksumsservebetterforthispurpose,becausetheycanbecalculatedmuchfaster.WinHexcancomputethefollowingdigests:MD4,MD5,SHA-1,SHA-256,RipeMD-128,RipeMD-160,Tiger128,Tiger160,Tiger192aswellasTTH(TigerTreeHash)anded2k(specialistandforensiclicensesonly).

AttributeLegendA:tobearchivedR:read-onlyH:hiddenS:systemX:notindexedP:NTFSreparsepointO:offlineT:temporaryI:hasobjectIDC:compressedatfilesystemlevelc:compressedinarchiveE:encryptedatfilesystemlevele:encryptedinarchivee!:filetypespecificencryption/DRMe?:highentropy,possiblyfullyencrypted(Res):HFS+resouce($EFS):NTFSencryptionmetadata(INDX):NTFSnon-directoryindexattribute(ADS):NTFSalternatedatastream(SC):foundinavolumeshadowcopy(SUID):SetUserID(SGID):SetGroupIDFilemode:l=symboliclinkc=characterdeviceb=blockdevices=socketp=pipePermissions:ownerread/write/executegroupread/write/executeotherread/write/execute

TechnicalHintsSupportedfileanddisksize:atleast120TBMaximumfilesizeinvolumesnapshots:120TB-1byteMaximumnumberofsectorsgenerally:240-1Maximumnumberofclustersgenerally:232-1Maximumnumberofhashvaluesperhashdatabase:231-1Filesystemsupportforvolumeswithmorethan232sectors:NTFS,Ext*,XFS,Reiser*Filesystemsupportforvolumeswithmorethan232clusters:NTFS,Ext4,XFSMaximumnumberofsimultaneouslyopeninterpreteddiskimages:100Maximumnumberofsimultaneouslyopenpartitionsandinterpretedvolumeimages:256Maximumnumberofsearchtermsinacase:8191Maximumnumberofdatawindows:1000Max.no.ofprograminstances:99Max.reversiblekeyboardinputs:65535Encryptiondepth:128-256bitOffsetpresentation:hexadecimal/decimalInmostcases,theprogressdisplayshowsthecompletedpercentageofanoperation.However,duringsearchandreplaceoperationsitindicatestherelativepositioninthecurrentfileordisk.Searchandreplaceoperationsgenerallyrunfastestwithcasesensitivityswitchedonandwithoutwildcardsenabled.HerearesomepiecesofinformationconcerningtheMasterBootRecordofaharddisk,thatiseditableusingtheDiskEditor.Whensearchingwiththeoption"countoccurrences"activatedorwhenreplacingwithoutprompting,forasearchalgorithmtherearegenerallytwowaystobehavewhenanoccurrencehasbeenfound,whichinsomecasesmayhavedifferentresults.Thisisexplainedbythefollowingexample:Theletters"ana"aresearchedintheword"banana".Thefirstoccurrencehasalreadybeenfoundatthesecondcharacter.

1stalternative:Thealgorithmcontinuesthesearchatthethirdcharacter.So"ana"isfoundagainatthefourthcharacter.2ndalternative:Thethreelettersfoundintheword"banana"areskipped.Theremainingletters"na"donotcontain"ana"anymore.WinHexisprogrammedinthesecondmanner,sincethisdeliversthemorereasonableresultswhencountingorreplacingoccurrences.(IfyoucontinueasearchusingtheF3keyoryouchoosethereplaceoption"promptwhenfound",thealgorithmfollowsthefirstalternative.)SpecialPerformanceEnhancementsFileheadersignaturesearches,block-wisehashmatching,FILErecordsearches,searchesforlostpartitions,andphysicalsimultaneoussearchesaresparse-awareoperationswhendealingwithcertaincompressedandsparse.e01evidencefiles.Thatmeansthatareasthatontheoriginalharddiskwereneverwrittenandthusstillzeroedoutorareasthathadbeenwipedontheoriginalharddiskorconsciouslyomittedareasincleansedimagesareskippedandalmostrequirenotime,becausetheirdataneitherhastobereadnordecompressednorfurtherprocessed(searched/hashed/matchedagainsttheblockhashdatabase).Sparse-awarenessisactivefor.e01evidencefilesthatwerecreatedbyX-WaysForensicsandX-WaysImagerwithachunksizeof32KB,128KBor512KB.Alsopossiblyforimagescreatedby3rdpartysoftware,dependingonthesettingsandtheinternallayout.Operationsarenotsparse-awareonimagesofWindowsdynamicdisks,imagesofLVM2disks,andonreconstructedRAIDsbasedon.e01evidencefiles.LogicalsearchesandindexinginfilesstoredinanNTFSfilesystemarealsosparse-awareatthe.e01evidencefilelevel,andgenerallylogicalsearchesinvirtual"Freespace"files.LogicalsearchesandindexinginNTFS,Ext*,XFSandUFSfilesystemsaresparse-awareatthefilesystemlevel.Thatmeansnotimeiswastedonlargesparseareaswithinsparsefiles.Thoseareasareignored,regardlessofwhethertheevidenceobjectisan.e01evidencefile,rawimage,RAID,oractualdisk.

LegalitiesCopyright©1995-2016StefanFleischmann,X-WaysSoftwareTechnologyAG.Nopartofthispublicationmaybereproduced,orstoredinadatabaseorretrievalsystemwithoutthepriorpermissionoftheauthor.Anybrandnamesandtrademarksmentionedintheprogramorinthismanualarepropertiesoftheirrespectiveholdersandaregenerallyprotectedbylaws.FuzZyDocisatrademarkofX-WaysSoftwareTechnologyAG.Thispublicationisdesignedtoprovideaccurateandauthoritativeinformationinregardtothesubjectmattercovered.However,theauthorneitheroffersanywarrantiesorrepresentationsnordoesheacceptanyliabilitywithrespecttotheprogramorthemanual.LicenseAgreementAcknowledgementsTheMD5messagedigestiscopyrightbyRSADataSecurityInc.The"zlib"compressionlibraryiscopyrightbyJean-loupGaillyandMarkAdler.Homepage:ftp://ftp.cdrom.com/pub/infozip/zlib/zlib.htmlX-WaysForensicscontainssoftwarebyIgorPavlov,www.7-zip.com,andanAdler32implementationbyArnaudBouchez.OutsideIn®TechnologyCopyright©1991,2014,OracleCorp.and/oritsaffiliates.Allrightsreserved.NEXT3®isaregisteredtrademarkofCTERANetworks.X-WaysForensicsusesResIL,aforkofDevIL.ResILisgovernedbytheLGPL(http://www.gnu.org/copyleft/lesser.html),version2.1.Theoriginalsourcecodecanbedownloadedfromhttp://sourceforge.net/projects/resil.X-WaysForensicscontainsanunofficialbuildoflibPFF.libPFFisgovernedbytheLGPL(http://www.gnu.org/copyleft/lesser.html),version3.0.Theoriginalsourcecodecanbedownloadedfromhttp://libpff.sourceforge.net.

X-WaysForensicsusesDokan.DokanisgovernedbytheLGPL(http://www.gnu.org/copyleft/lesser.html),version3.0.Thesourcecodecanbefoundathttps://dokan-dev.github.io/.Windowseventlog(.evtx)viewingcapabilitybasedonworksbyAndreasSchuster.

StartCenterTheso-calledStartCenterisadialogwindowthatisoptionallydisplayedatstartupandismeantasasimplifiedcontrolpanelforbeginningyourwork.Itallowstoquicklyopenfiles,disks,memorymodules,andfoldersaswellasupto255recentlyediteddocuments(16bydefault,left-handlist).Thesemaybefiles,folders,logicaldrivesorphysicaldisks.Whenopenedagain,WinHexrestoresthelastcursorposition,thescrollingposition,andtheblock(ifdefined)ofeachdocument,unlessthecorrespondingoptionisdisabled.FromtheStartCenteryouarealsoabletoaccessprojectsandcases(right-handtoplist).Aprojectconsistsofoneormoredocumentstoedit(filesordisks).Itrememberstheeditingpositions,thewindowsizesandpositionsandsomedisplayoptions.Bysavingawindowarrangementasaprojectyoucancontinuetoworkinseveraldocumentsrightwhereyouleftthem,withasingleclickonly.Thisisespeciallyusefulforrecurringtasks.Whenyouloadaproject,allcurrentlyopenedwindowsareautomaticallyclosedfirst.Besides,WinHexautomaticallysavesthewindowarrangementfromtheendofaWinHexsessionasaproject,andcanre-createitnexttimeatstartup.Eachprojectisstoredina.prjfile.ItcanbedeletedorrenamedrightwithintheStartCenter(contextmenuorDel/F2key).Lastnotleast,theStartCenteristheplacewheretomanagescripts.Youmaycheck,edit,create,rename,anddeletescriptsusingthecontextmenu.Toexecuteascript,double-clickitorsingle-clickitandclicktheOKbutton.

DirectoryBrowserTheperhapsmostessentialuserinterfaceelementinWinHexandX-WaysForensicsistheso-calledWinHexandX-WaysForensicsofferadirectorybrowser,whichresemblestheWindowsExplorer'sright-handlist.Itsmaintaskistodisplay(andinteractwith)thevolumesnapshot.Completefunctionalityisonlyavailablewithaforensiclicense.Bydefault,thedirectorybrowserlistsdirectoriesfirst,thenfiles.Compressedfilesaredisplayedinblue,encryptedfilesingreen(NTFSonly).Right-clickinganyiteminthedirectorybrowserbringsupacontextmenuwithcommandsforopeningafileordirectory,exploringadirectory,locatingthebeginningofafileordirectoryonthedisk,locatingthecorrespondingdirectoryentry(FAT)orfilerecord(NTFS),listingtheallocatedclustersinaseparatewindow,etc.Whennavigatingfromonedirectorytoanother,exploringfileswithchildobjects(e.g.e-mailmessagesthathaveattachments),navigatingtotheparentofachildobject,activatingordeactivatingfilters,tryingdifferentsortcriteriaetc.,pleasenotethatyoucaneasilyreturntoapreviousviewusingtheBackcommandintheNavigationmenuortheBackbuttoninthetoolbar.ContextmenuDirectorybrowseroptionsColumns&filtersTheiconsareexplainedinthelegenddirectlyintheprogram(forensiclicenseonly).Previouslyexistingfilesanddirectoriesarerepresentedinthedirectorybrowserwithlightericons.Iconswithabluequestionmarkindicatethattheoriginalfileordirectorycontentsmaybestillavailable.DeletedobjectsthatWinHexknowsarenolongeraccessible(eitherbecausetheirfirstclusterhasbeenreallocated,becauseitisunknown,orbecausetheyhaveasizeof0bytes)haveiconscrossedoutinred.IconswithanarrowonFATvolumes(onlywithaspecialistorforensiclicense)and(afterrefiningthevolumesnapshot)NTFSvolumesshowrenamedandmovedfileswiththeiroriginalname/intheirformerdirectory.OnReiser4thesearemovedfileswiththeircurrentnameintheirformerdirectory.Abluearrowindicatesthatcontentsforafileareavailable(thoughthesearenotspecificallythecontentsfrombeforethefilewasrenamed

ormoved).Aredarrowindicatesthatnocontentsareavailable.

Inthecaptionlineofthedirectorybrowseryouseeonthelefttheexploredpath(incaseofrecursiveexplorationinitalicsandturquoisecolor).Whenclickinganycomponentofthecurrentpath,thiswillnownavigatedirectlytothatdirectory(orfilewithchildobject)whosenameyouclicked.Ontherightyouseethenumberoflistedfilesanddirectories(typicallyseparatefiguresforexistingobjects+previouslyexistingobjects+virtualobjects).Also,thenumberoflistedtaggedfilesisindicated,ifanyaretagged.Thenumberofactivefiltersisdisplayedaswell,nexttothebluefiltersymbolontheleft.Column-basedandcolumn-independentactivefiltersarecountedseparately.Usefulbecausetheremightbecolumn-basedfiltersactiveforcolumnsthatarenotcurrentlyvisibleinthedirectorybrowser,andthatcolumn-independentfiltersareactivemaybeotherwiseapparentonlywhencheckinginthedirectorybrowseroptionsdialog.Thedirectorybrowsercansortfilesanddirectoriesinascendingordescendingorder,andstillrevealsthetwoprevioussortcriteriawithalighterarrow.Forexample,ifyoufirstclickthefilenamecolumnandthenthefilenameextensioncolumn,fileswiththesameextensionwillinternallystillbesortedbyname.Inordertoundefinethesecondaryandtertiarysortcriteria,holdtheShiftkey

whenclickingonthecolumnheadertodeterminetheprimarysortcriterion.Internally,thisselectstheinternalIDasthesecondarysortcriterion.Thisistoensurethattheorderofitemswithidenticaldatafortheprimarysortcriterionisstillwelldefinedandreproducibleafterhavingsortedbyothersortcriteriainthemeantime.Thecolumnthatfunctionsastheprimarysortcriterionisalsothetargetofjumpasyoutype.Thatis,youcantypethefirstcharacterorfirstfewcharactersoftheentrythatyouarelookingforwhenthedirectorybrowserhasthefocustoautomaticallynavigateandselectthefirstornextmatchingiteminthelist,startingfromthecurrentposition.Forexample,ifthedirectorybrowserissortedbytheTypecolumn,typezifyouwishtofindthefirstzipfileinthelist.Ifhoweverthereisanotherfilelistedwithatypestartingwithz,onethatprecedeszipalphabetically,forexamplezac,thentypethenextcharacter(beforethefeaturetimesoutandforgetsthezthatyouhavealreadyentered),inthiscasei,untilyoufindwhatyouarelookingforornothinghappensanymore(ifthereisnomatchingitem).Matchingoccursinacycle.Thatmeansevenifthecurrentpositionshowsazipfile,youcantypeanyprecedinglettertojumptothefirstmatchingitemfromthetopagain,forexampledfor.docx.Ifyouarelookingfor.docxfiles,butfindalargegroupof.docfiles,thenyouneedtotypeallfourcharactersofdocx,becauseonlythexdistinguishesdocxfromdoc.FilteringYoumayactivatefiltersbasedoncriteria(columns)suchasfilename,description,filetypecategory,attributes,orhashset.Wheneveranactivefilteractuallyfiltersoutfilesordirectoriesinthedirectorybrowser,thisisflaggedwithabluefiltericoninthedirectorybrowser'sheaderline,andyouwillbeinformedofhowmanyitemsexactlyhavebeenomittedfromthelist.Youalsohavetheoption,byclickingtheiconsfor"openfile"/"savefile"ontheright-handsideofthecaptionlineofthedirectorybrowser,tostorefilterandsortsettingsinaseparatefileandloadthemagainatanytime.Suchfilesaregiventheextension".settings".Notethatitisnotguaranteedthatdifferentversionsofthesoftwarecanloadeachotherssettings.Wheneveroneormorefiltersareactivethatactuallyfilteroutitemsinthecurrentlydisplayeddirectorybrowser,therearetwobluefiltersymbolsinthedirectorybrowser'scaptionline.Theypointoutthatyourcurrentviewisincompletebecauseofactivefiles,andtheyalsoallowyoutodeactivateall

filterswithasinglemouseclick,toensureyouarenotmissinganyfilewhenyounolongerwantthefilter.Youcanactivateordeactivatecolumn-basedfiltersindividuallywithasinglemouseclickonthecolumnheader'sfiltersymbolwhenholdingtheShiftkey.Theoptionsoftherespectivefilterremainunchangedinthiscase.Thefiltershavebeengivensome"intelligence"whennavigatingfromaparentfiletoachildfileorvice-versa,sothatthefilters"know"whenit'sagoodtimetobeturnedoff.Forexample:-Ifyouareusingafiltertofocusonallextractede-mailmessagesrecursively,andthenyoudouble-clickanindividuale-mailmessagetohavealookatitsattachmentsinthedirectorybrowser,thefilterisautomaticallydeactivated,sothatyoucanactuallyseetheseattachments.AsimpleclickontheBackbuttonreturnstothepreviouspointofexplorationandrestoresthepreviousfiltersettingsandthelastselection,sothatyoucaneasilycontinuereviewingthenexte-mailmessage!-Ifyouareusingafiltertofocusonvideosordocuments,andthenyoudouble-clickavideooradocumenttoseethevideostillsexportedforthatvideoortheembeddedpicturesinthatdocument,respectively,thefilterisautomaticallydeactivated,too.-Whenyouareviewingvideostillsonly,inagallery,andyouusetheBackspacekeyor"Findparentobject"menucommandtonavigatetothevideothatthisstillbelongsto(e.g.inordertoplaythatvideo),thenanyactivefilterswillbeturnedoffsothatthevideocanactuallybelisted.AsimpleclickontheBackbuttonreturnstothepreviousoverviewofstills,enablesthepreviousfiltersagain,andrestoresthelastselecteditem,sothatyoucaneasilycontinuewiththenextstill!-Thisworksanalogouslywhensystematicallylookingate-mailattachments,ifoccasionallyforrelevantattachmentsyouwouldliketoviewthecontaininge-mailmessage(ande.g.printitorincludeitinareport)andthenreturntothelistofattachments.Whenorphanedobjectsarefound,e.g.filesthathavebeendeletedandwhoseoriginalpathisunknown,theyarelistedinaspecialvirtualdirectoryPathunknown.Withaspecialistorforensiclicense,therearevirtualfilesintherootdirectorythatallowyoutoconvenientlyaddressspecialareasinavolume:Filesystemareas:Reservedsectorsand/orclustersthatareclaimedbythefile

systemitselfforinternalpurposes.Freespace:Clustersmarkedbythefilesystemasnotinuse.Dependsonthevolumesnapshotoptions.Idlespace:AreasinavolumeofwhichWinHexdoesnotknowwhattheyareusedfor,includingclustersmarkedbythefilesystemasinuse,whoseexactallocationhowevercouldnotbedetermined.Thiscanbethecaseifthefilesystemlosttrackofthem,i.e.forgotthattheseclusterareactuallyavailableforre-allocation.Usuallythereisnoidlespace.Thesizeofidlespaceandthenumberofthefirstidleclusterareonlydeterminedwhenneeded(e.g.whenyouclickthe"Idlespace"fileforthefirsttime),asdependingonthenumberofclusterthisisapotentiallytime-consumingoperation.Volumeslack:Sectorsattheendofthepartitionthatareunusedbythefilesystembecausetheydonotaddtoanothercluster.Indirectblocks(Ext2,Ext3,UFS):Specialblocksthatcontainblocknumbers.Notpartof"Filesystemareas".Unnotedattributeclusters(NTFS):Clustersthatcontainnon-residentattributesthathavenotbeenindividuallyprocessedbyX-WaysForensics.Notpartof"Filesystemareas"..journal(ReiserFS):Blocksthatformthefixedjournallingarea.OnExt3andHFS+,thisisnotconsideredavirtualfilebecauseitisdefinedbythefilesystemitselfindedicatedrecords.

DirectoryBrowserColumns&FiltersMostfiltersandmanycolumnsareavailablewithhigherlicensetypesonly,markedwithe.g.[FOR].Name:Nameofthelistedfileordirectoryand(onlywithaforensiclicense,onlyfordirectoriesandfileswithchildobjects)inparenthesesinadifferentcoloroptionallthetotalnumberofcontainedfilesinthevolumesnapshot.Allowstofilterbasedononeormultiplefilenamemasks,oneperline.Thisfilterisusefulifyouhavealistofrelevantfilenamesorkeywordsandwanttofindoutquicklywhetherfileswithsuchnamesarepresent.TherearetwodifferentwayshowtousetheNamefilter.Thefirstwayistomatchcertainexpressionsagainstthefullname.Theexpressionsmaycontainasterisks(wildcards),like"*.jpg".Uptotwoasterisksareallowedpermaskiftheyarelocatedatthebeginningandtheendofit.Youmayexcludefilesusingfilemasksthatstartwithacolon(:).Example:Allfileswithnamesthatstartwiththeletter"A",butdonotcontaintheword"garden":"A*"inonelineand":*garden*"inanother.Whenmultiplepositivefilemaskexpressionsareused,theyarecombinedwithalogicalOR,negativeexpressions(:)withalogicalAND.Ifthe"Substringsearchinfilename"optionisactive,thenalltherulesabovedonotapply.Instead,asearchisrunwithinthefilenamesforthespecifiedcharactersoroptionallyGREPexpressions.Forexample,justtype"invoice"tofindfileswhosefilenamecontainsthewordinvoice,not"*invoice*".ForanexplanationofGREPnotationpleaseseeSearchOptions.Theanchor$doesnotworkinthiscontext.TheamountoftextthatcanbepastedintotheNamefilterhasbeenextendedto2millioncharacters.Thatdoesn'tmeanthatX-WaysForensicscanefficientlyuseafilterwithmanytenthousandsofcharactersormore.Whenindoubt,usethe"Matchagainstfullname"option,notthesubstringsearch,forbetterperformance.IfanoriginalnameisfoundforafileintheWindowsrecyclebinorinaniPhonebackuporcertainotherfilesduringmetadataextraction,thatnameisdisplayedintheNamecolumnwiththecurrentuniquenameinsquarebrackets.The

currentuniquenameisnowalsoshowninsquarebracketsinthecasereport.BothnamesaretargetedbytheNamefilter.TheheaderoftheNamecolumnallowstoquicklytagoruntagalllisteditemswithasinglemouseclick.Italsoindicateswhetheramongthelisteditemsareanytaggedoruntaggeditems.Existent:Showswhetherafileisanexistingfileorachildobjectofanexistingfileornot(existingbasedonitspointofreference,e.g.filesystem),eitherwithacheckmarkoramathematicalsymbolorinnaturallanguage,dependingontheNotationoptions.Athirdstateis"virtual".Tofilterfortheexistencestatus,pleaseusetheDescriptionfilter.Rememberyoucangroupfilesbyexistencestatususingthedirectorybrowseroptions,oryoucansortbythiscolumn.Description:Textualdescriptionoftheitem.RevealssimilarpropertiesastheiconintheNamecolumn,suchaswhethertheitemisafileordirectoryorextractede-mailorvideostilletc.,theexistence/deletion/virtual/carvedstatus,andthestatusinthevolumesnapshot(e.g.tagged,alreadyviewed).WhattextisincludedinthecolumncanbecustomizedintheNotationoptions(viaGeneralOptions).ThatthesettingsoftheDescriptioncolumnarepartoftheNotationOptionsmeansthatyoucanhavetwodifferentsettings,onegenerallyforthedirectorybrowserandtheotheronespecificallyforthetheExportListcommand.Thismightbeusefulbecauseintheexportedlistnoiconcanhelpyoutotellcertainobjecttypesandtheirdeletionstatusapart,unlikeinthedirectorybrowser.Thiscolumnalsoallowstofilterorsortbythepropertiescovered,whichmakestheDescriptionfilteroneofmostimportantfilters.Forexampleyoucanfilterout:existingfiles(usefulifyouaremerelyinterestedinpreviouslyexistingfiles[whichcouldresideinexistingdirectories])previouslyexistingfilesanddirectories.taggedfilesanddirectories.halftaggedfilesanddirectories(thatcontainatleast1taggedandatleast1untaggedfile).untaggedfilesanddirectories.filesthataremarkedasalreadyviewed.filesthatarenotmarkedasalreadyviewed.excludedfilesanddirectories(markedasexcludedinthevolumesnapshot).

filesanddirectoriesthatarenotexcluded.Thereisashortcuttogettothefilterdialogveryquickly,byright-clickingthecaptionlineofthedirectorybrowser.ThisworkseveniftheDescriptioncolumnisnotvisible.(YoumaynotneedtheDescriptioncolumninthedirectorybrowserifyourelyontheicontotellapartdifferentkindsofitems.)ThefunnelsymbolthatrepresentsthefilteroftheDescriptioncolumnhasfourpossiblecolors:1)Graywheninactive,asusually.2)Graywithavery,verylighttendencytoblue,almostindistinguishablefromgray,whenthefilterisontheoretically,butonlyexcludedfileswouldbefilteredout,butnoexcludedfilesareactuallygettingfilteredoutcurrently.3)Blue-graywhenonlyexcludedfilesarefilteredoutbythefilter,andsuchfileshaveactuallybeenfilteredout.4)OrdinarybluetoattractattentioniftheDescriptionfilterisactiveanddoesnotonlyfocusonexcludedfiles,butfiltersoutfilesbasedonotherproperties.Thissubduedcolorschemewasintroducedbecausemanyuserconsideritrather"normal"thatexcludedfilesarefilteredoutbecausetheyexcludethemfortheverypurposeofnotseeingthemanymore,sotheymayprefernottoberemindedofthatbyaglaringbluecolor.Thefilterforstillimagesfromvideoshasaspecialoptionthatallowstoalsolistthecorrespondingvideo,directlyprecedingitsstills.Thatwayitiseasytoseewhichstillimagesbelongtowhichvideo,andyoucancommentonthevideooraddthevideotoareporttablewithoutnavigatingbackandforthandwithoutusingtheslightlylessintuitivewaytoapplyreporttableassociationstoanitemthatyoucannotsee(withthe"forparentfile"option).Thetilesthatrepresentthevideosmayactasvisualdelimitersinthegalleryifyoudisableauxiliarythumbnailsinthegalleryoptions,sothatyoucaneasilyseewherestillimagesofthenextvideobegin.Aspecialfiltersettingisavailablethatallowsyoutofocusonfileswhosecreationdateislaterthanthemodificationdate,i.e.whichapparentlywerecopiedandthatwaygotanewcreationdate.TheNotationoptionsallowtomarkallsuchfileswiththeword"copied".Thepresenceofthatwordcanbeusedforconditionalcellcoloring,sothatyouquicklyseewhichfilesarelikelyoriginalfilesandwhichfileswerecopied.Notethatasearchfortheword"copied"islanguage-specific(incaseyoushareyourconditionalcellcoloringsettingswithusersinothercountries).Ext.:Filenameextension.Thepartofthefilenamethatfollowsthelastdot,ifany,exceptifthelastdotistheveryfirstcharacter(notuncommoninthe

Unix/Linuxworld).Type[INV,FOR]:Filetype.Iftheheadersignatureofafilewasnotspecificallychecked(seeRefineVolumeSnaphot),thisismerelyarepetitionofthefilenameextensionanddisplayedingray.Otherwise,ifthefilesignatureverificationrevealedthetruenatureofthefile,atypicalextensionofthattypewillbeoutput.Thatextensionwillbedisplayedinblackifitisstillthesameastheactualextensionofthefile,orinblueiftheactualextensiondoesnotmatchthetypeofthefile.Aconvenientfiltercanbeactivatedbasedonthiscolumn.Inthefilterdialogyoucanselectindividualfiletypesorentirecategories.Youcanloadandsaveyourselection.Therearebuttonsthatallowtoexpandorcollapseallcategoriesatonce.Expandingallcategoriescanbeusefulifyouwouldliketoquicklyfindacertainfiletypebytypingitsletterswhilethetreeviewwindowhastheinputfocus.Pleasenotethatcollisionsamongfiletypedesignationsbecomeapparentwhenselectionsforthefiletypefilterareloadedfrom.settingsfilesorcases.Forexampleifyouhadoriginallyselected"mmf"="MailMessageFile"(categorye-mail),thenyouwillfindthat"mmf"isalsoselectedas"YamahaSMAF"(categorySound/Music).ThisisnormalanddoesnotchangewhattheTypefilterdoes.Whenindoubt,theTypefilteralsoincludesothertypeswiththesamedesignation,toavoidthatanythingisoverlooked.TypeStatus[INV,FOR]:ThestatusoftheTypecolumn.Initiallynotverified.Afterverifyingfiletypesbasedonsignatures(aspartofrefiningthevolumesnapshotorviewingfilesinprevieworgallerymode):Ifafileisverysmall(lessthan8bytes),thestatusisirrelevant.Ifneithertheextensionnorthesignatureofagivenfileisknowntothefiletypesignaturedatabase,thestatusisnotinlist.Ifthesignaturematchestheextensionaccordingtothedatabase,thestatusisconfirmed.Iftheextensionisreferencedinthedatabase,yetthesignatureactuallyfoundinthefileisunknown,thestatusisnotconfirmed.Ifthesignatureisknownandthefilenamehasnoextension,thenthestatusisnewlyidentified.Ifthesignaturematchesacertainfiletypeinthedatabase,howevertheextensionmatchesadifferentfiletype,thestatusismismatchdetected.Filteravailable.Additionally,thiscolumnmaycontainahintabouttheconsistencyoftheformatoffilesofvarioussupportedtypesaseither"OK"or"irregular",forcarvedfilesperhapsimmediately,forotherfilesperhapsafterfiletypeverificationormetadataextractionhavetakenplace."Irregular"canmeancorrupt,incomplete,

inconsistent,unexpected,notviewable,...anythingoutoftheordinary.ForexampleinthecaseofJPEGirregularcouldmeanthatnofootersignaturewasfoundattheendofthefile.ForanexplanationoffiletyperanksandgroupspleaseseethedescriptionofFileTypeCategories.txt.Typedescription[INV,FOR]:Displaysthenameoftheapplicationthatafiletypebelongsto,whatthefilenameextensionstandsfor,etc.asspecifiedinFileTypeCategories.txt.Ifthesameextensionoccursmultipletimesinthedefinitionfile,allitsmeaningsarelisted.Forexample,.pmcouldbeaPerlmodule,aPageMakerdocument,orPegasusfile,oranX11Pixmapfile.Category[INV,FOR]:Filetypecategorycorrespondingtothefiletype,accordingtothedefinitionin"FileTypeCategories.txt"(seebelow).Filteravailable.Ifthesamefiletype/extensionisdefinedmultipletimes,belongingtodifferentcategories,onlyonecategoryforthisfiletypewillbedisplayed.Thecategoryfilterworksnonetheless.Thecategoryfiltercanbeactivatedusingapopupmenu.Inthatpopupmenuyoucanalsoseestatisticsaboutthehowmanyfilesofeachcategoryarecurrentlylistedinthedirectorybrowser(orwouldbelistedifthecategoryfilterwasturnedoff).Evidenceobject[INV,FOR]:Thenameoftheevidenceobjectthatthefileordirectoryispartof.Usefulinarecursivecaserootlisting,i.e.whenthedirectorybrowsershowsallfilesofallevidenceobjects.Path:Pathofthefileordirectory,startingwithabackwardslash,basedonavolume'sroot.Filteravailable.Thefilterexpressionsareinterpretedassubstringsthatcanmatchanypartofthepath,sonowildcardsareneededorsupported.Fullpath[SPE,LAB,FOR]:Thepathincludingthenameofthefileordirectoryitself.Sortingbyfullpathcanyieldaconvenientorderbecausechildobjectsdirectlyfollowtheirrespectiveparents.Filteravailable.Parentname,Childobjects[INV,FOR]:Bothcolumnscomewithfilters.Thefilterforchildobjectallowsyouforexampletoquicklyfindalle-mailsthathaveanattachmentwithacertainname.Thefilterforparentnameforexampleallowsyoutoquicklyfindallattachmentsthatwereattachedtoe-mailwithasubject

thatcontainscertainwords.NotethatfiltersforthecolumnsName,Parentname,andChildobjectssharethesamesettingsandaremutuallyexclusive(cannotbeactiveatthesametime,onewilldeactivatetheother).Size:Logicalsizeofthefile(i.e.sizewithoutslack)orphysicalsizeofadirectory.Physicalfilesizeandvaliddatalength(forfilesstoredinanNTFSfilesystem)canbeseenintheInfoPaneinFilemodeinstead.Ifrecursiveselectionstatisticsareenabled,withaforensiclicensethesizeofadirectoryisthetotalsizeofallthefilesdirectlyorindirectlycontainedinthatdirectory,otherwisethesizeofthedatastructuresofthedirectory.Filteravailable.Tofocusspecificallyonfileswithanunknownsize,usethefiltercondition<=-1.Created:Thedateandtimethefileordirectorywascreatedonthevolumeitresideson.NotavailableonLinuxfilesystems.Filteravailable.Modified:Thedateandtimethefileordirectorywaslastmodified.OnFAT,timeprecisionis2-secondintervalsonly.OnCDFS,theonlyavailabledateandtimestampislistedinthiscolumnalthoughitdoesnotnecessarilyindicatelastmodification.Filteravailable.Accessed:Thedateandtimethefileordirectorywaslastreadorotherwiseaccessed.NTFSlastaccesstimestampsaredisplayedingrayifidenticaltothecreationtimestamp,asthatonmostsystemslikelymeansthatthesetimestampsaresimplynotmaintained,forperformancereasons,andthusnotverysignificant.OnFAT,onlythedateisrecorded.Filteravailable.Recordchanged:Thedateandtimethefile'sordirectory'sFILErecord(onNTFS)orinode(Linuxfilesystems)waslastmodified.Thesearefilesystemdatastructuresthatcontainthefile'smetadata.Filteravailable.Deleted:Thedateandtimethefileordirectorywasdeleted.AvailablegenerallyonLinuxfilesystemsandpossiblyonNTFS(afteraparticularthoroughfilesystemdatastructuresearchandviewing/previewingthe$UsnJrnl:$Jfileonthevolume,ifthereisany).Nottobeconfusedwithso-calleddeletiontimestampsthatotherforensictoolsmayshowyouonNTFSvolumes,forfilesthathavenotevenbeendeletedfromthefilesystem.Filteravailable.Contentcreated[INV,FOR]:Creationtimestampthatcanbeextractedfromtheinternallystoredmetadatainvariousfiletypes(seecorrespondingcontextmenu

command),asputtherebytheprogramthatcreatedthefile.Internaltimestampsareusuallylessvolatileandcanbemoredifficulttomanipulatethanfilesystemleveltimestamps.Theyareusefulforexampleforcorroboration.Filteravailable.Timestampcolumnsdesignatedwithasuperscript2containalternativetimestamps[SPE,LAB,INV,FOR].InthecaseofNTFSthesevaluesaretakenfrom0x30attributesandrepresentpreviouslyvalidtimestampsfromwhenafilewaslastrenamedormoved,orpossiblybeforesomebackdatingoperationoccurred.BackdatingoperationsareoftenappliedbysetupprogramsandalsoWindowsitself(theinfamouscreationtimestamptunnellingeffect,cf.http://support.microsoft.com/kb/172190),andofcoursepotentiallybyordinaryapplicationprogramsaswellasbyusersforvariouslegitimateorlessnoblepurposes.Notethatthesecolumnsarepopulatedonlyifthesepreviouslyvalidtimestampsareactuallydifferentfromtheircurrentcounterparts,andadditionallyModified²andRecordchanged²onlyifdifferentfromCreated²,toavoidclutteringthescreenunnecessarilywithredundantinformation.Thatmeansany²timestampsthatyouseethereactuallycontainadditionalinformationandarenotredundant.Created²isalsopopulatedforHFS+filesystems,withtherelativelynew"Addeddate"timestampfromMacOSXLionandlateraswellasiOS,whereavailableandifdifferentfromtheregularCreateddate.Thattimestampspecifieswhenafilewasaddedtotheparticulardirectoryinwhichitiscontained,eveniforiginallycreatedearlier.Thecombinedfilterforallthetimestampcolumnsallowstofilterforcertaindateranges(typicalapplication)orformeretimes,matchinganypossibledate.Forexampleifyouareinterestedinunusualactivityoccurringinthemiddleofthenightwhentherightfulofficecomputeruserisnotworking,youcouldfilterfortimessuchasbetween22:00:00and05:59:59(ona24-hourclock).Obviously,selectingtherightlocaltimezoneforthetimestampfilteriscrucialforthis.PleasenotethatforFATvolumes,alltimestampsaredisplayedastheyarestored,inlocaltime(theyarenotadjusted).Forallotherfilesystemsthetimezoneconceptapplies.Timestampsinthenormaldirectorybrowserthatmeetthetimestampfilter

conditionarehighlighted.Timestampsinaneventlistthatareidenticaltotheeventtimestamparealsohighlighted.Underflowsandoverflowsinthetimestampcolumns(timestampsoutsideofthesupportedrange)aremarkedwiththetext"outofbounds",andtheycanbedistinguishedfromeachandproperlysortedandfiltered.ThesupportedrangeisMay5,1829throughMay14,2514.Attributes:DOS/WindowsattributesonFAT/NTFSfilesystems,Unix/LinuxpermissionsandfilemodeonUnix/Linux/Macfilesystems,plussomeproprietarysymbolsthatareexplainedinthelegend(forensiclicenseonly)andhere."Partialinitialization"meansthataccordingtothefilesystem(NTFSorexFAT)theso-calledvaliddatalengthissmallerthanthelogicalfilesize,i.e.thedataattheendofthefileisundefined,similartofileslackhasnothingtodowiththefile,andwasstoredonthediskatthatlocationbefore.YoucanseethevaliddatalengthofthefileinFilemodeintheInfoPane,andtheundefinedareaishighlightedinadifferentcolor.WhensortingbytheAttr.column,fileswith"moreinteresting"attributesarelistedfirst,e.g.attributesthatindicateencryption,andfileswithoutanyattributessetorwhoseattributesareunknownarelistedlast.Afilterisavailable.Forexample,youcanfilterforanyofthe9+3bitsofUnix-stylefilepermissionsspecificallyandcombinethemwithOR,AND,orEQUAL.EQUALrequiresastatusofall12bitsexactlyasselected(whethersetornotset).ANDmeansyourequireALLofthecheckedbitstobeset,butdon'tcareabouttheothers.ORmeansyouaresatisfiedalreadyifANYofthecheckedbitsisset.SUIDandSGIDbitscanbecombinedwithalogicalORorAND.Pleaserememberthatifyouareinterestedindirectorieswiththestickybit,youwillneedtoincludedirectorieswhenexploringrecursivelyandapplyfilterstodirectories,too(notthedefaultsetting).PleasenotethatthelogicaloperatorforpermissionsshouldnotbeusuallysettoEQUALbecausethatwillresultinactivefilteringforpermissionsevenifnopermissionbitsareselectedinthedialogboxatall,unliketheORorANDoperators.EQUALwithnopermissionbitsselectedmeanstofilterforfilesthathavenopermissionbitssetorfileswhosepermissionsareunknown.1stsector[notinINV]:Thenumberofthesectorthatcontainsthebeginningfilethefile'sordirectory'sdata.Sortingby1stsectorsmeanstosortbyphysicallocationonthediskandwillshowfilesnexttoeachother,thatarephysically

storedneartoeachother.Afilterisavailable,whichallowstofocusonfileswhosecontentsstartincertainsectorranges,forexampletoidentifyfilesthataredefinitelyaffectedbyknownbadsectorsortoidentifyfileswhosecontentsarestoredpasttheendofaknownincompleteimage.Rememberthatoptionallyyoucanseephysicalsectornumbershere(disk-based)insteadoflogicalsectornumbers(partition-based)ifsodesired,seeDirectoryBrowserOptions.Thefilteralsoallowstofocusoncarvedfilesthatareeitheralignedatsectorboundariesornot,forexampleafterhavingrunafileheadersignaturesearchatthebytelevel,toremovegarbagefiles,whicharemorefrequentamongfilesthatarenotaligned.FSoffset[SPE,LAB,FOR]:Showstheoffsetofthedefiningdatastructureofafileordirectoryinthefilesystem,i.e.thestructurethatisthebasisfortheinclusionofafileinthevolumesnapshot.ThatoffsetiswhereyoucancheckdetailsmanuallyincasethereareanydoubtsaboutwhereX-WaysForensicsgotthefilesystemlevelmetadatafrom.Thisisalsowhereyoumayapplyasuitabletemplatetogetanalternativeinterpretationandwhereyoucanpointdisadvantagedusersofothertoolstoastheymaynotbeabletofindsuchacruciallocationotherwiseordon'tevengetcertaindeletedfileslisted.Carvedfilesandfilesthatareembeddedinotherfilesforobviousreasonsdonothavesuchanoffsetinthefilesystem(orinthecaseofcarvedfilesatleastitisnotknowntoX-WaysForensics).Thefilesystemoffsetisalsowhereyounavigatetowhenyouusethededicatedcontextmenucommandtolocateafile'sFILErecord/inode/fileentry/catalogkeyetc.,asknownfromallversions.ID:TheidentifierassignedtothefileordirectorybythefilesystemorbyWinHex.Notnecessarilyunique.Afilterisavailable,whichmakesitmoreconvenienttofindotherhardlinksofagivenfile.Int.ID:Theuniqueinternalidentifierofafileordirectoryinthevolumesnapshot.Itemsaddedtoavolumesnapshotlasthavethehighestidentifiers.Filteravailable.Usefulforexampleandveryeasytouseifyouwouldliketofocusonthexfilesthatwereaddedtothevolumesnapshotlast(afterhavingrefinedit)orifyouwouldliketoresumealogicalsearchwithinternalIDy(filteringoutfilesthatmayhavealreadybeensearchedbefore).Forevidenceobjectsthatcontainahugenumberoffiles,themodulooptionallowsyoutofocusonasubsetoffilesthatismoreorlessrepresentativeofallfiles(thoughlessrandomthanfileslistedfirstwhensortingbyhashvalue).

ApplyingthemodulooperationtotheinternalIDwillpickfilesfromanydirectory,withanyname,creationdateetc.Toseeonly1,000outof100,000files,i.e.every100thfile,usetheoperation"internalIDmodulo100=0".Alsousefulfortestingpurposes:Ifyouwishtocomparetheperformanceofdifferentharddisks,RAIDsystems,processors,configurationsforvolumesnapshotrefinements,youdon'thavetoprocessallfilesinanevidenceobject.Youcangetquicker,yetlikelyrepresentativeresultsforexamplein1/10ofthetimeifyouonlyprocessevery10thfile,pseudo-randomlyselectedbyinternalID.Evenfornormalwork,examinersmaynotberequiredbytheirbosses/theirprosecutortoconducta100%completeexamination,forexampleifafterreviewofareasonablysizedandrepresentativesubsetyoucanextrapolatethatabout10%ofseveral10,000photosisillegalmaterial.Int.parent[notINV]:Theuniqueinternalidentifieroftheparentdirectoryofafileordirectoryinthevolumesnapshot.Usefule.g.whenexportingfilesanddirectoriesandtherearemultipledirectorieswiththesamenameinthesamepath(e.g.oneexisting,onedeleted),sothatviatheinternalparentIDyoucantellwhichfileresidedinwhichdirectoryevenifthepathisambigous.UniqueID[INV,FOR]:Aninternalidentifierofafileordirectorythatisuniquewithintheentirecase,notjustwithinthevolumesnapshotofoneevidenceobject,anduniqueforthewholelifetimeofthecase.TheuniqueIDiseasilyreadable.Itcontainsadelimiter,separatingevidenceobjectIDandint.ID.Owner[FOR]:TheIDoftheownerofthefileordirectory,onfilesystemsthatrecordthatinformation.OnNTFSit'stheSID,or,ifX-WaysForensicscanresolveittoausernamewiththehelpoftheSAMregistryfilesalreadyencounteredwhileworkingwiththecase,theusername.Filteravailable.Group[FOR]:ShowstheIDoftheassignedgroupofafileinLinuxfilesystems.Author[INV,FOR]:Showsthenamesoftheauthorsofdocumentsofvarioustypes(MSOffice,OpenOffice/LibreOffice,RTF,PDF,...),aftermetadataextraction.Filteravailable.Sender,Recipient[INV,FOR]:Thesecolumnsarepopulatedfore-mailmessagesandattachmentsextractedbyX-WaysForensicsfrome-mailarchives,

plusfororiginal.emlfilesifmetadatahasbeenextractedfromthem.Theycomewithfilters.thatallowyoutoenteranypartofane-mailaddressornametosearchforcertaine-mailmessages.Thefilterexpressionisinterpretedasasubstring,sonowildcardsareneededorsupported.Youmaychosewhichrecipienttypesyouwishtotargetwiththefilter:To:,Cc:,orBcc:orcombinationsthereof.Linkcount[FOR]:Thehardlinkcountofthefileordirectory,i.e.howoftenitisreferencedbyadirectory.Ahardlinkthatjustprovidesashortfilename(SFN)tosatisfythelegacy8.3requirementsofoldMicrosoftDOS/Windowsversionsisnotcountedasahardlink.Instead,suchfilesgettheirhardlinkcountmarkedwitha°intheLinkscolumnofthedirectorybrowser.Thatway,thehardlinkcountmoreaccuratelyreflectsthehardlinksactuallypresentinthevolumesnapshotofX-WaysForensics,andnormalfilesalwayshaveacountof1,whereas2ormoremeanssomethingmorespecial.Ifahardlinkcountof1ismarkedwithanasterisk(*),thatmeansthatthefileordirectoryisstoredashard-linkedinthedirectorystructureinHFS+althoughitwouldnotbenecessarybasedonthehardlinkcount.Ifthehardlinkcountisgrayedout,thatdesignatesfilesthatwillbeoptionallyomittedduringalogicalsearchtoavoidunnecessaryduplicatesearcheffortsandduplicatesearchhits.Filecount[INV,FOR]:Thetotalnumberoffilescontainedinadirectoryorinafilewithchildobjects,inthevolumesnapshot,recursively,i.e.inclusiveoffurthersubdirectories.Thisnumbercanalsobefoundinthenamecolumninparenthesis(dependingonthesettings).Termcount(searchtermcount)[INV,FOR]:Thenumberofsearchterms(notsearchhits)thathavebeenfoundinafile.Thistakesintoaccountallsearchtermseverusedinsimultaneoussearchesinacase,notforonlythesearchtermsthatmayhavebeenselectedinthesearchtermlist,unlessyouhavedeletedsearchhits.Youcansortbythiscolumntogetfileslistedfirstthatarelikelymorerelevant(becausetheycontainmoreofthesearchtermsthatyouwerelookingfor).Thiscolumnispopulatedonlyforevidenceobjectsofacase.Searchterms[INV,FOR]:Listsupto25ofthesearchtermsfoundinafile,thosethatarecountedintheprecedingcolumn.Usefultogetanideaofthesearchhitsinafileeveninthenormaldirectorybrowser,withouttheneedtoswitchtoasearchhitlist.Filteravailable,whichisnotlimitedtothe25search

termsdisplayedinthiscolumn.Pagecount[INV,FOR]:ThepagecountisextractedfromPDFandsomeOfficefiletypesaspartofmetadataextractionandshowninthiscolumn.Pixels[INV,FOR]:Theroughlyroundeddimensionsofapictureinthousandpixels(KP)ormillionpixels(MP,megapixels),astheresultofwidthtimesheight,forefficiencyreasonsstoredasaverylowprecisionvalue.Thedimensionsarecomputedsimultaneouslywithskincolorpercentages,pluswhenviewingpictures(full-screenmode,previewmode,orinthegallery).Allowstoeasilydistinguishbetweene.g.smallbrowsercachegarbagegraphicsandhigh-qualitydigitalphotos,withtheassociatedfilter,whichallowsyoutofocusonpictureswithlessorequaltothenumberofpixelsthatyouspecifyormoreorequalorbothatthesametime.(Worksonlyapproximatelybecauseofthelowprecisionstorageofpixelnumbers.)Onceatleast1videostillhasbeenexportedfromavideofile,theapproximateresolutionofthevideocanalsobeseeninthiscolumn.Analysis[INV,FOR]:CombinedcolumnthatshowsFuzZyDocmatchesfortextualdocumentsaswellasPhotoDNAmatchesandthecomputedamountofskintonesinrasterimages(orthefactthatapictureisablack&whiteorgray-scalepictureortoosmalltocontainanyrelevantgraphicalcontent).Availableafterrefiningthevolumesnapshotiftheunderlyingtechnologyisavailable.Sortingorfilteringbythiscolumnisthemostefficientwaytodiscovertracesofe.g.childpornographyorsearchforscanneddocuments(grayscaleorblack&whitepictures).SortingbytheAnalysiscolumnindescendingorderlistsfileswithFuzZyDocmatchesfirst(thosefileswiththemostconfidentmatchesforanyhashsetnearthetop,withlowerpercentagesfollowing),followedbyPhotoDNAmatches(showingthecategorynamesinaninternalPhotoDNAhashdatabase),followedbypictureswithnoPhotoDNAmatchesindescendingorderoftheirskintonepercentage.Afterthat,irrelevantpicturesarelisted(picturewithverysmalldimensions),andthenfilesthatarenotpictures,andnearthebottomblack&whiteandgrayscalepictures.Textcolorcodinginthatcolumnnowmakesiteasiertodistinguishbetweendifferentkindsofcategorizations.FuzZyDocmatches,PhotoDNAmatchesandcoloranalysisresultsaremutuallyexclusive.ThatmeansthatifapicturegetsitcolorsanalyzedandalsoasimilaritywithaPhotoDNAhashvalueisfound,onlythePhotoDNAcategorymatchisrememberedintheAnalysiscolumn,nottheskintonepercentage,becausethePhotoDNAmatchisconsideredmorehelpful.AstylizedPis

displayedintheAnalysiscolumnforpicturesforwhichatleastonePhotoDNAhashvalueisstoredinthevolumesnapshot.Ifthatisthecase,thehashvaluecanbeseeninDetailsmode.Hash[SPE,LAB,FOR]:Uptotwohashvaluescanbecomputedforafile(e.g.MD5andSHA-1)andthenbepresentedinthetwoHashcolumns.Filtersavailable.Thefiltersallowtofocusonfilesthathaveahashvalue,donothaveahashvalue,whosehashvaluesstartwithcertainhexvalues(ifyouspecifyonlythebeginningofahashvalue)orhaveacertainvalue(ifyouspecifyacompletehashvalue).Thisfiltercancomparethehashvaluesoffilestoupto4hashvaluesthattheusersuppliesashexASCII.Quickeralternativetocreatingasmallhashsetinthehashdatabaseifyoujustwishtoquicklyfindafewfiles,e.g.duplicatesoffileswithaknownhashvaluethatyoucanjustcopyfromthehashcolumninthedirectorybrowser.Theeasiestwaytousethisfilterwhenlookingforduplicatesofafile,whichdoesnotevenrequirecopy&pasteofhashvalues,istoright-clickahashvalueofagivenfileinthedirectorybrowserinhexASCIInotation(notBase32)andinvokethe"Filterby"commandinthecontextmenu.ThefirstHashcolumndisplayspseudo-hashvaluesinlightgraycoloruntilrealhashvalueshavebeencomputed[FOR].Pseudo-hashvaluesarebasedonthefilemetadata,notonthefilecontents.That'swhytheyareavailableinstantlyevenforverylargefiles.Theyallowyoutolistfilesinarandomorderjustlikewhenyousortbyrealhashvalues,butwithouthavingtoinvesttimetocomputerealhashvaluesfirst.Usefulforexamplefortriage,ifyouhavelimitedtimeandjustwishtoquicklylookatsomerandomlyselectedfilesinalargeevidenceobjectfirst(e.g.picturesinagallery)todeterminehowrelevantanevidenceobjectmightbe.Lookingatfilesinarandomordermightgiveyouamorecompleteandaccurateimpressionofwhatisstoredinanevidenceobject,becausethefirstx%ofthefileslistedaremorevariedandmorerepresentativeoftheevidenceobjectasawholeiftheyareinatrulyrandomorder.Ifyousortbynameorpathorsizeortimestampsontheotherhand,manyofthefilesyouseewilllikelybesomewhatsimilar(createdbythesameapplicationorbytheoperatingsystem,bythesameuser,forasimilarpurpose,createdorcopiedorreceivedaroundthesametime,samefileformat,...),sowithsomebadluckyouwillonlyseeirrelevantfilesevenifthereisanequallylargegroupofrelevantfiles.Rememberthatifyoudon'tsortinthedirectorybrowseratall,theviewisskewedaswell,becauseyou

willseethefilesintheorderinwhichtheyarereferencedbythevolumesnapshot,whichismoreorlesstheorderinwhichtheyarereferencedbythefilesystemandthusnotrandom.Sortingbyhashvaluescanbecombinedwithanyfilter,forexampletoseeonlypictureslargerthan1MBinarandomorderoronlyfilesofacertainuser.Pseudo-hashesarenotguaranteedtobeuniqueorevenremainthesamewhenyoucloseandre-opentheevidenceobject.WhichhashvalueoutofpotentiallytwohashvaluesstoredinthevolumesnapshotisdisplayedintheHashcolumncanbechangedintheDirectoryBrowserOptionsdialog.Eithertheprimaryhashvalueorthesecondaryhashvalueorbothatthesametime(iftheboxishalfchecked).TheHashcolumnfilterisappliedtothehashtype(s)thatis/arecurrentlydisplayed.Whichhashtype(s)is/aredisplayedintheHashcolumncanbeseeninthecolumnheader.Hashset[INV,FOR]:Thenamesofthehashsetsintheinternalhashdatabaseinwhichthefile'shashvaluewasfound.Upto64matchesarereturned.Filteravailable.TheHashSetcolumnshowsknownmatchesforbothinternalhashdatabasessimultaneously.Thefiltercanbeusedtofilterforselectedhashsetsofoneofthedatabasesatatime.Thedatabasetochoosehashsetsfromcanbeselectedinthefilterdialog.Hashcategory[INV,FOR]:Thecategoryofthehashsetthatthefile'shashvalue,ifavailable,belongsto.Either"irrelevant","notable",orblank.Filteravailable.Notetouserswithtwointernalhashdatabases:TheHashCategorycolumnshowsonlyonecategory.Ifyouassignthehashvalueofacertainfileinonehashdatabasetoonecategoryandthehashvalueofthesamefileintheotherhashdatabasetotheothercategory,youwillbewarnedonceduringmatchingandgivenexactinformationaboutwhichhashvalueinwhichhashsetsinwhichhashdatabasesareconflicting.Thecategorizationas"notable"willprevailwhenindoubt.Reporttable[INV,FOR]:Thename(s)ofthereporttable(s)thatthefileordirectoryhasbeenassignedto.Filteravailable.Iftheparentfileofafilehasbeenassignedtooneormorereporttablesbytheuser,thenthisispointedoutinthe"Reporttable"columnforthechildobjectaswell,inlightgraycolorandwithanarrow,exceptifthechildobjecthasreporttableassociationsitself.Remindstheuserthattheparentwasreviewedandmarkedasrelevantalready,

whichcansparehimorhertheextrastepofnavigatingtotheparentagain.Comment[INV,FOR]:Thefreetextcommentthatmayhavebeenassignedtothefileordirectorybytheexaminer.Filteravailable.Metadata[INV,FOR]:Internalfilemetadatacanbeextractedfromfilesofvarioustypesbyrefiningthevolumesnapshot,andshowninthiscolumn.ThatisasubsetofthemoreextensivemetadatapresentedinDetailsmode,usefulforfiltering,export,andreportpurposes.Itcanbeeditedwithacommandinthedirectorybrowsercontextmenu.Pleasenotethatthefrequentlyoccurringword"Generatorsignature"thatcanbeseenintheMetadatacolumnisnotstoredliterallyinternallyandthuscannotbefoundbyalogicalsearchindirectorybrowsercellsorwiththefilter.Metadata,Comments,andEventDescriptionfilterssupporttheuseofupto4expressions,whichcanbeflexiblycombinedwithANDandOR.Thelastcombinationalwayshaspriority.Forexample"AandBorC"isinterpretedas"Aand(BorC)"."AorBandC"isinterpretedas"Aor(BandC)".TheexpressionsmaystartwithacolontoindicateNOTattheexpressionlevel.Additionalcolumnsforsearchhitlists[INV,FOR]:Physical/absoluteoffset,logical/relativeoffset,descriptiononthenatureofthesearchhit(codepage/Unicode,whetherindecodedtext,whetherinfileslack),searchhitwithcontextpreview.Ifthelogicalrelativeoffsetisprintedingray,thatmeansthesearchhitwasfoundinthedecodedtextandtheoffsetisnotanoffsetinthefile,butinthedecodedtext.Additionalcolumnsforeventlists[INV,FOR]:Timestamp,eventtype,eventtypecategory,description.FlexFiltersSomemoretips:Right-clickingacolumnheaderinthedirectorybrowserquicklyactivatesordeactivatesthatcolumn'sfilterwithoutshowingthesettingsdialogwindow.Youcangetatextualsummaryofallcurrentlyactivefilterswiththeirsettings,byright-clickingthebluefunnelsymbolontheleftorrightendofthecaptionlineofthedirectorybrowser.

FlexFiltersTwoso-calledFlexFiltersareavailableinWinHexLabEdition,X-WaysInvestigatorandX-WaysForensics.Theycantargetanycolumnintheordinarydirectorybrowser(i.e.notsearchhitlistoreventlistspecificcolumns)thattheuserwishestofocuson,withanarbitrarynumberofsubstrings,andtheycanbecombinedwithalogicalORoralogicalAND.SothismakesthemtheonlyfiltersthatcanbecombinedwithoneanotherwithalogicalOR.Forexample,thesefiltersareusefulifyouwishtotargetfilesthatwerecreatedormodifiednotinaparticularcontiguousperiodoftime,butgenerallyoncertainweekdaysoronweekends,i.e.whereeitherofthesecolumnscontaintheword"Saturday"or"Sunday"inthelongdatenotationformat.Alsousefulwheneverthecolumn-specificcolumnfilterdoesnotgiveyouasmanyoptionsasyouneed(e.g.forAuthor,Sender,Recipientscurrentlyyoucanonlyenteronenameoraddressorsubstring,andwiththeDescriptionfilteryoucannotcurrentlyspecificallytargetadditionalhardlinksthatareoptionallyomittedfromcertainoperations).ThecolorthatindicatesthataFlexFilterisactiveisvioletinsteadofblue,sothatitcanbebetterdistinguishedfromaregularcolumnfilter.BothFlexFilterscomewithaNOToption,andtheymayalsotargetthesamecolumn,sothatyoucanachieveresultslike"showalle-mailmessagessentwiththenameJohnDoeinthesenderfieldwherethesenderfielddoesNOTcontainthedomainnamecompany.com".

ModeButtonsWhenexaminingalogicaldrive,partition,orimagefilewithafilesystemsupportedbyWinHex,thereareseveralbuttonsthatdeterminethedisplayinthelowerhalfofthewindow,belowthedirectorybrowser.Forensiclicensesonly.Disk/Partition/Volume/ContainerPreviouslylabeled"Sectors",thisdefaultviewshowsthebinarydatainallsectorsofthedisk/partition/volume/containerrepresentedbytheactivedatawindowashexadecimalcode,astext,orboth.Offsetsandsectornumbersarerelativetothestartoftherespectivedisk/partition/volume/container.FileLookssimilartoDisk/Partition/Volume/Containermode,butshowsonlytheclustersallocatedtothefileordirectorythatiscurrentlyselectedinthedirectorybrowser,intheorderasusedbythefile,defragmentediffragmented,decompressedifcompressed,withoffsetsrelativetothebeginningofthefile.WhenswitchingfromFilemodetoPartition/Volumemode,X-WaysForensicswillautomaticallypointyoutotheoffsetfromthepointofviewofthepartition/volumethatisequivalenttotheoffsetwithinthefilewherethecursorwaspositionedlast,evenifthefileisfragmented,ifthereisanequivalentposition(notifthefileisacompressedorvirtualattachedfileoranextractede-mailmessageoranexportedvideostilletc.).PreviewChecksthetypeofthefilecurrentlyselectedinthedirectorybrowseranddisplaysthefilewiththehelpoftheseparateviewercomponent,exceptiftheviewercomponentisnotactiveorifit'sapicture(supportedfiletypesseeGallerybelow)andtheviewercomponentshouldnotbeusedforpictures.Evenincompletepictures(e.g.filesincompletelyrecoveredbecauseoffragmention)canusuallybedisplayedpartially.Iftheviewercomponentisnotactiveandthefileisnotapictureinoneofthesupportedformats,arudimentaryASCIItextextractfromthebeginningofthefileisdisplayed.Details

Containsalltheinformationonasingleselectedfilefromallthedirectorybrowsercolumns,includingthosethatarenotcurrentlyvisible.Veryusefulforexampleifthepathisverylonganddoesnotfitonthescreeninthepathcolumn,maybenoteveninthepathtooltipdisplay.Alsoallowstoeasilycopythefilenameorfilepathorselectedotherdatatotheclipboard.TheDetailsmodealsoshowsNTFSfilepermissions(storedinaccesscontrollists,ACLs).Eachelementhastypicallytheproperty"Grant"or"Deny"andanSIDtowhichthepermissionapplies.TheSIDistranslatedintoafriendlynameifpossible.ThepermissionitselfiseitherR=ReadPermission,C=ChangePermission,FullControlorSpecialAccess.ForaSpecialAccessright,allindividualrightsarelisted.Foreachpermissiontherecanbetwoinheritanceflags:containerinherit(CI),objectinherit(OI)ortwopropagationflags:inheritonly(IO),no-propagateinherit(NP).Usuallythefinallistelementisthegroupmembershipproperty.TheDetailsmodealsoextractssomeessentialinternalmetadatafromOLE2compoundfiles(e.g.pre-2007MSOfficedocuments),MSOffice2007XML,OpenOfficeXML,StarOfficeXML,HTML,MSAccess,MDI,PDF,RTF,WRI,AOLPFC,ASF,WMV,WMA,MOV,AVI,WAV,MP4,3GP,M4V,M4A,JPEG,BMP,EXE/DLL,JIDX(Javaappletcache),THM,TIFF,GIF,PNG,GZ,ZIP,PF,IEcookies,DMPmemorydumps,hiberfil.sys,PNF,SHD&SPLprinterspool,RecentFilecache.bcf,WIMVistaimagefiles,PhotoShopPSD,INDD(AdobeInDesign),DocumentSummaryalternatedatastreams,tracking.log,.mdbMSAccessdatabase,manifest.mbdx/mbdbiPhonebackup,IconCache.db,andmanymore.ForMSOfficedocumentse.g.youwilloftenseemanymoretimestamps(e.g.LastPrinted),subject,author,organization,keywords,totaledittime,andmuchmore.ForJPEGfilesthismodeshowsanadditionaltableatthebottom.Thistablecontainsthegeneratorsignatureaswellasthe"condition"ofthefile,whichmaybe"incomplete"(ifthefilewastruncated)or"trailingdata"(ifsurplusdatawasappendedtotheJPEGdata)orinsomecases"original"(ifthefileisbelievedwithgreatcertaintytobeinapristine,unalteredstate)."Original"isbasedonthepresenceofthumbnails,theabsenceofcolorcorrectioncertificates,theabsenceofunoriginalmetadatasuchasXMP,basedontimestamps,basedonartifactsleftbehindbyknowneditingsoftware,andonwhetheraresizeoperationisdetected.

GalleryChecksthefilesignatureofallthefilesinthecurrentlyvisibleportionofthedirectorybrowser.Iffoundtobeapicture,athumbnailisdisplayed,otherwiseabriefsummary(filename,size,signature).Byscrollinginthedirectorybrowser,thegalleryviewscrollsaswell.Youmayswitchthedirectoryevenwhilethethumbnailsarestillloading.Bydouble-clickingathumbnail,yougetafull-sizeviewofapicture,whereyoumayzoominandoutusingthekeys+and-.Evenincompletepictures(e.g.fileincompletelyrecoveredbecauseoffragmention)canusuallybedisplayedpartially.Supportedpicturefiletypes:JPEG,PNG,GIF,TIFF,BMP,PSD,HDR,PSP,SGI,PCX,CUT,PNM/PBM/PGM/PPM,ICO.Optionally,thegallerycanalsoshowfilesofothertypesasthumbnails,usingtheviewercomponent.Thegallerydoesnotgotogetherverywellwithsearchhitlists.WhenaViewwindowdisplaysapicture,iflimitedtoonesuchwindow,thatwindowwillbeupdatedwiththenextpicturewhenyouhitthecursorkeysinthegallery.UsefulespeciallyiftheViewwindowiscenteredonthesecondmonitorifthegalleryisonthefirstmonitor,onaspanneddesktop.AvoidshavingtopresstheEnterkeytoviewthepictureandanotherkeytoclosetheViewwindowtogettheinputfocusbacktothegallery.CalendarGivesaconvenientvisualoverviewofthetimestampsofalllistedfiles/directories,fromall6timestampcolumnsofthedirectorybrowser,intheformofacalendar,orwhenineventlistmodeasimilaroverviewofalllistedeventtimestamps.Eachdaywithatleastonetimestampismarkedinthecalendarwithagraycolor.Themoreactivityonaday,thedarkerthecolor.Weekends(SaturdaysandSundays)arespeciallymarkedwithx.Hoverthemouseoveradaytofindouthowmanytimestampsexactlyfallintothatday.Left-clickadaytoselectthatdayastheleftboundaryofthetimestampfilter,orright-clickittodefineitasarightboundary.Middle-clickadaytofilterfortimestampsonthatparticulardayonly.Ifthesamefileislistedmorethanonce(whichcanhappeninasearchhitlistifitcontainsmorethan1searchhit),thenitstimestampsarealsorepresentedmorethanonceinthecalendar.Whennotshowingevents,youcannowdecidewhichcolumn'stimestampshouldbeincludedinthecalendar.Columnsthatarehidden(haveawidthof0

pixels)areexcluded,allothercolumnsareincluded.Thestatusbarremindsyouwhichcolumnsareincludedevenifnotcurrentlyvisiblebecauseofhorizontalscrolling.Yearsinthecalendarwithnotimestampsaregrayedout.Thenumberofayearisdisplayedinadarkershadeofgraythemoretimestampsarelistedforthat.Allshadesofgraytrytogivetheexaminerabetterandquickerimpressionofpeaksorabsenceofactivity.AsthenumberofyearsrepresentedinCalendarmodeislimited,garbagetimestampsinthefarpastcankeepyoufromseeingthelateryearsthatyouareinterestedinifyoudon'tsetafilterordon'tdeleteeventswithgarbagetimetamps.Youcanspecifytheminimumyearthatwillberepresentedbythecalendar.Anytimestampsinearlieryearswillbedisregardedbythecalendarevenifnofilterisactive.Bydefault,theminimumyearistheyear2000.Tochangeit,clickthenumberofthefirstyearontheleftinCalendarmode.Example:DuringwhichperiodoftimeweremostJPEGfilesprocessedonavolume?Right-clicktherootdirectoryinthedirectorytree(casedatawindow)torecursivelylistallfilesfromallsubdirectories,thenusethefiletypefiltertolimittheviewtoJPEGfiles,enablethecalendarview.RawInPreviewmode,inconjunctionwiththeviewercomponent,whenviewingnon-picturefiles,Rawmoderendersthefileasplaintext.ThiscanbeusefulforexampleforHTMLfilestoseetheHTMLsourcecode,for.emlfilestotheseecompletee-mailheader,andgenerallywheninsearchhitlistmodetheviewercomponentcannothighlightasearchhitinPreviewmode(becausethenitmightcontainedinmetadataorcontrolcodethatwouldberepresentedinrawPreviewmode,butnotnormalPreviewmode).YoucanmakeRawpreviewmodepersistentbyholdingtheShiftkeywhenactivatingRawmode.Filemodenowoffersa"raw"submodeforNTFS-compressedfiles.InRawmodeyoucanactuallyseethecompresseddataaswellasthesparseclusters,notthedecompressedstateofthefile.Thisisusefulforresearchoreducationalpurposesandbecausetheoreticallysmallamountsofdatacouldhavebeenmanuallyhiddeninthenotclearlydefined,butimplicitlyexistingslackareaofeachcompressionunit,whichfollowsthecompressedpayloaddata.

VCTheVCbuttonisvisibleonlyinPreviewmodewhenviewingpicturesoftypessupportedbytheinternalgraphicsviewinglibrary.Bydefaulttheinternalgraphicsviewinglibraryisusedtoprevieworviewpictures.However,ifthe"VC"buttonispushed,theviewercomponentisusedinstead,whichisalsoresponsiblefordisplayingthethumbnailsinthegallery.SyncSynchronizesthedirectorybrowserandthedirectorytreeinthatwheninarecursiveviewyouselectafileinthedirectorybrowser,itsparentdirectorywillbehighlighted.Syncmodeinnon-recursiveexplorationmodehasasimilareffectastheoption"Automaticallyexpandtocurrentfolder"intheWindowsExplorer.ThatmeansthatwhennavigatingfromonedirectorytoanotherusingthedirectorybrowserwhileSyncmodeisoff,thedirectorytreeontheleftwillnotreflectthecurrentdirectoryanymore,willneitherexpanditsparentifnecessarynorselectthecurrentdirectory.WhetherSyncmodeisactiveornotisnowrememberedseparatelyforrecursiveandnon-recursiveexploration.ExplorationModeButtonwithacurlyturquoisearrow.Togglesbetweennormalandrecursiveexplorationofadirectory.Whenexploringrecursively,youdonotonlyseethecontentsofthecurrentdirectory,butalsothecontentsofallitssubdirectoriesandtheirsubdirectories,andsoforth.Toexploreadirectoryrecursively,youmayalsoright-clickitinthedirectorytree.Multi-monitorsupportItispossibletodetachthelowerhalfofadatawindow(withDisk/Partition/Volumemode,Filemode,Preview,Galleryetc.)fromthedatawindow,byclickingthethreedotsthatarelocatedlefttothemodebuttons.Afterthat,youcanfreelymoveandresizeitonthescreen.Onmulti-monitorthisallowsyoutohavethatpartoftheuserinterfaceonaseparatescreenandevenmaximizeitthere.ReintegratingitintothemainwindowisdonebyclickingthesamethreedotsagainorbyclickingtheMinimizebutton.

StatusBarThestatusbardisplaysthefollowinginformationaboutafile:1.Numberofcurrentpageandtotalnumberofpages(diskeditor:sectors)2.Currentposition(offset)3.Decimaltranslationofthehexvaluesatthecurrentposition4.Beginningandendofthecurrentblock(ifcurrentlydefined)5.Sizeofcurrentblockinbytes(ditto)Clickthestatusbarcellsinorderto...1.Movetoanotherpage/sector,2.Movetoanotheroffset,3.Definetheintegertypefordecimaltranslationand4.Definetheblock.Right-clickthestatusbarinordertocopypiecesofinformationfromthestatusbarintotheclipboard.Right-clickingthe2ndstatusbarfieldpermitsswitchingbetweenabsolute(default)andrelativeoffsetpresentation.Right-clickingthe3rdstatusbarfieldalsopermitscopyingthefourhexvaluesatthecurrentpositioninreverseorderintotheclipboard.Thisisusefulforfollowingpointers.

DataInterpreterTheDataInterpreterisasmallwindowthatofferspossibletranslationsforthedataatthecurrentcursorposition.WhetheritisshownornotcanbecontrolledviatheViewmenu,notwiththeoptionsofthedatainterpreter.Contrarytopopularbeliefamongsomeusers,ittotallydisregardsanyblockifselectedandalwaysinterpretsfromthebytewherethecursoris.TheDataInterpreterOptionsdialogletsyouspecifythedatatypestointerpret.Thesearevariousintegerdatatypes(bydefaultindecimalnotation,optionallyhexadecimaloroctal),thebinaryformat(8,16or32bitsofabyte),fourfloating-pointdatatypes,assembleropcodes(Intel),anddatetypes.TheDataInterpretercaninterpretUNIX/C,Java/BlackBerry/AndroidandMacAbsolutetimestampsstoredasdecimalASCIItextinsteadofinbinary.Youwillfindacontextmenuitemforthataswellasacheckboxintheoptionsdialog.TheDataInterpreteroptionallytranslatestimestampsofallformatsexceptMS-DOSdate&timetolocaltime(thetimezonedefinedintheGeneralOptions).Youwillfindacontextmenuitemforthataswellasacheckboxintheoptiondialog.TheDataInterpreterisalsocapableoftranslatingmostdatatypesbackintohexvalues.Makesureafileisopeninaneditmodeotherthanread-onlymode,enteranewvalueintheDataInterpreter,andpressENTER.TheDataInterpreterwillthenenterthecorrespondinghexvaluesintotheeditwindowatthecurrentcursorposition.Right-clickthedatainterpretertobringupacontextmenu.Thiswillletyouswitchbetweenbig-endianandlittle-endiantranslationofintegerandfloating-pointdata.Youmayalsochoosebetweendecimal,octal,orhexadecimalintegerrepresentation.SeetheDataInterpreterOptionsformoresettings.ThedecompositionofV1GUIDsintotimestamp,sequencenumberandMACaddressintheDataInterpreteraswellasintemplatesisoptional.IntheDataInterpreteroptionsyoucannowchoosetoforcethedecomposition(fullychecked)orpreventit(toalwaysgetthestandardGUIDnotationwithbraces)ortoseethedecompositiononlyifthetimestampisnottooimplausible(halfchecked).ThelattersettingishelpfulforexampleforAppleGPTvaluesthatclaimtobeV1GUIDs,butcontaintwistedASCIItextinsteadofvalid

timestamps.Hints:Somehexvaluescannotbetranslatedintofloating-pointnumbers.ForthesehexvaluestheDataInterpreterdisplaysNAN(notanumber).Somehexvaluescannotbetranslatedintovaliddates.Thevaluerangesofdifferentdatetypesaremoreorlessnarrow.ThereareredundanciesintheIntelinstructionset,whichshowupintheDataInterpreterasduplicationofbothhexopcodesandmnemonics.Floating-pointinstructionsaregenerallydisplayedasF***.MoredetailedreferencecanbefoundintheIntelArchitectureSoftwareDevelopersManualVolume2:InstructionSetReference,availableinPDFformatontheInternet.

PositionManagerThePositionManagermaintainsalistoffileordiskoffsetsandcorrespondingdescriptions,calledpositions,whichcanserveasannotations/bookmarks.Itisalsousedforsearchhitswhennotworkingwithacase,butmuchlesspowerfulthanasearchhitlist.NavigatingfromoneentrytothenextiseasyifyoupressCtrl+LeftandCtrl+Right.Youmayenternewpositionsandeditordeleteexistingentries.Ifaspecialoffsetinafileisimportanttoyou,youmayaddittothePositionManager.Thismakesitaloteasiertofinditagainlater,andyoudonothavetorememberit.Descriptionsmaybeupto8192charactersinsize.Anappropriatedescriptionforinstancecouldbe"Datachunkbeginshere!".OptionallyallpositionsmaintainedbythePositionManagercanbehighlightedintheeditorwindowinauniquecoloryouspecify,andtheirdescriptionsdisplayedinyellowtooltipwindowswhenthemousecursorismovedoverthem.Youmayalsoaddoreditpositionswiththecontextmenuofaneditwindoworbyclickingthemiddlemousebuttoninaneditwindow.ClicktherightmousebuttoninordertoseeacontextmenuinthePositionManager.Thecontextmenuprovidesadditionalcommands.Youmaydelete,loadorsavepositions,evenexportthelistasHTML.IfthepositionlistinthegeneralPositionManagerwaschanged,itissavedinthefileWinHex.poswhenexitingWinHex,sothattheyarestillavailableinthenextsession.Onlysearchhitsarenotpermanentlysaved,unlesstheyhavebeeneditedviathecontextmenu.ThereisthegeneralPositionManager,whichstorespositionsthatareappliedtoalldatawindows,andthereistheaPositionManagerforeachevidenceobjectinacase,whichstorespositionsthatweredefinedforthatparticularevidenceobjectandthatareappliedonlytothatevidenceobject'sdatawindow.Theformerisinvokedthroughthemainmenu(Navigation|PositionManager),thelatterbyclickingtheright-mostbuttoninthemiddleofthescreenwhenanevidenceobjectisopen,withcrosshairsonit.Thatmayexplainitifyoucannotfindthepositionsthatyouhavedefinedpreviously.NearthetopofthedatawindowitsayswhichPositionManageryouarecurrentlylookingatifthePositionManagerisactive.SearchhitsinthegeneralPositionManagerarebydefaultdeletedassoonasthegeneralPositionManagerisclosed,toavoidconfusionaspositionsinthe

generalPositionManagerhavenoreferencetoaparticularfileordiskandareintentionallyappliedtowhateverdatasourceisactivewheninvoked.Ifyouwishtokeepsearchhits,pleasechangethecorrespondingoptioninthegeneralPositionManager'scontextmenu.AcompletedocumentationofthePOSfileformatisavailablefromtheWinHexHomepagehttp://www.x-ways.net/winhex/.

UsefulHintsMenucommandsthataffectindividual,selecteditemsinthedirectorybrowserorinasearchhitorbookmarklistcanbefoundinthecontextmenuthatopenswhenyouright-clicksuchitems.Youwon'tfindsuchcommandsinthemainmenu.Usethemousebuttonsasfollowstodefinetheblock(ifthecontextmenuisswitchedoff):Double-clickingleftsetstheblockbeginning.Single-clickingrightsetstheblockend.Double-clickingtherightbuttonclearstheblock.Youmaywanttodefinetheblockusingthekeyboard(Shift+arrowkeysorAlt+1andAlt+2).UsetheTABkeytoswitchbetweenhexadecimalandtextmode.UsetheInskeytoswitchbetweeninsertandoverwritemode.EnterdisplaystheStartCenter.ESCabortsthecurrentoperationifany,otherwiseclearstheblock,dismissesanactivedialogortemplatewindow.PAUSEstopsorcontinuesthecurrentoperation.F11repeatsthelastGoToOffsetcommand.Ctrl+F11worksintheoppositedirection(fromthecurrentposition).Alt++isavariantoftheGoToOffsetcommandspecificallytojumpacertainnumberofsectorsdown.Alt+-isanothervariantspecificallytojumpacertainnumberofsectorsup.Shift+F7switchesbetweenthreecharactersets.(Shift+)Alt+F11repeatsthelastMoveBlockcommand.Ctrl+Shift+Minvokesanopenevidenceobject'sannotationsAlt+F2recalculatestheauto-hash(checksumordigest)afterafilewasmodified.Alt+LeftandAlt+Rightallowforswitchingbetweenrecordswithinatemplate(justasthe"<"and">"buttons).Alt+HomeandAlt+Endaccessthefirstandthelastrecord,respectively.Alt+Gmovesthecursorintheeditwindowtothecurrenttemplatepositionandclosesthetemplatewindow.Ctrl+F9openstheAccessbuttonmenu(diskeditwindowsonly)PressingCtrl+Cinthedirectorybrowsercopiesthetextualdataoftheselecteditemsintotheclipboard,withthesamenotationasinthedirectorybrowseritself,otherwiseusingthefunctionalityoftheExportListcommand.

WinHexacceptsfilenamesspecifiedinthecommandline,andisdrag-and-dropcapable.UsescriptstomakeyourworkwithWinHexmoreefficient.WinHexisdrag-&-dropcapable.However,Windowspreventsdrag&dropifthereceivingapplicationwasrunasadministratorandthesendingapplicationwasnot."Invalidinput":WhenclickingOKinadialogboxandgettingthe"Invalidinput"error,payattentiontowhatcontroliteminthedialogboxisblinking,asthevalueinthatitemistheonethatisnotaccepted.Switchfromhexadecimaltodecimaloffsetpresentationbyclickingtheoffsetnumbers.Tryclickingthestatusbarcells(leftandrightmousebutton).Alleditboxesthroughouttheprogram(exceptforpasswordeditboxesandcolumnwidthboxes)rememberahistoryofupto10lastentries.Thehistorycanbeseenwhenclickingthetinybuttonthatappearsinaneditboxforwhichahistoryisavailable.Alternatively,youcanpresstheF4keyjustlikeinanormaldrop-downbox(combobox).Ifyouselectapreviousentryfromthepop-upmenu,itwillbeinsertedintotheeditboxautomatically.Userswhowishtodeletethesehistoriesorpassthemontoothers,pleasebeadvisedthattheyarestoredinthefileHistory.datwhentheprogramisended.Ifyoudonotwishtokeephistoriesbetweensessions,youcancreateanemptyfilenamedHistory.datyourselfandrenderitread-only.Todeleteaspecifichistoryentryforaparticulareditbox,selectingthatentryfromthepop-upmenuwiththeShiftkeypressed.SincethedaysofWindows95(orperhapsevenWindows3.1?)userscanpressCtrl+Ctoproduceaplain-textrepresentationofstandardWindowsmessageboxesintheclipboard.WithmessageboxesinWinHexandX-WaysForensicsitworksthesame.AlthoughthisisanelementaryfeatureinWindowsformorethan20yearsalreadyandshouldbeknowntoanyexperiencedWindowsuserandalthoughWinHexandX-WaysForensicsmakeusersawareofthat("Didyouknow?..."),thegreatmajorityofusersforsomereasonstilltakegraphicalscreenshotsofmessageboxesandpastethemintoHTMLe-mails,forexample

whentheyreporterrormessages,althoughthatismoreworkthansimplypressingCtrl+CandCtrl+Vandalthoughitinflatesthesizeofthee-mailunnecessarily,asafewASCIIcharactersneedmuchlessspacethemthousandsofpixelvalues.Thatalsomeansthescreenshotwillgetlostifthee-mailisconvertedtoplaintextwhenbeingrepliedon,andofcoursetheerrormessagetextwillnotbesearchableinagraphicalscreenshotandcannotbeconvenientlyselectedandcopiedtotheclipboardastextbytherecipient,andtherecipientcannotbesureoftheexactUnicodevalueofcertaincharactersforwhichmultiplevariantsexist.InWinHexandX-WaysForensicsitisevenpossibletocopyarudimentaryASCIIrepresentationofdialogboxesandalmostalltheircontrolitems(statictext,pushbuttons,checkboxes,radiobuttons,listboxes,comboboxes,andtreeviewcontrols)includingtheirstates(unchecked,checked,halfchecked)bypressingCtrl+Cwithanactivedialogboxonthescreen(notifaneditboxwithaselectionhastheinputfocus).Thereisalsoadedicatedcommandinthewindowmenuofandialogbox.Thatmenuisa.k.a.thesystemmenuorcontrolmenu,anditpopsupwhenright-clickingthetitleofadialogbox.Thiscopycommandisaveryefficientwaytoshowyoursettingsinacertaindialogboxtootherusersandletthemcopystringsforuseintheirowneditboxes,sothattheydon'thavetotypethem,avoidingtypos.Thetextrepresentationisevenmorepowerfulthanascreenshotbecauseitshowsthecontentsofeditboxesandlistboxescompletely,evenifthesecontrolshavescrollbarsandthecontentsexceedthephysicalboundariesofthecontrolsonthescreen.Unicodecharactersaresupported.Wesuggestthatuserstakescreenshotsofmessageboxesanddialogboxesonlyifabsolutelynecessary,forexampleiftheywishtographicallyhighlightcertaincontrolitemsinaPhotoshoporsimilarprogramstogetthemessageacross.Settingsinpracticallyalldialogboxescanalsobeconvenientlysavedtoandloadedfromfilesasneeded,forexampletosharethemwithotherusersorforfutureuse,viathesystemmenu.Thisfunctioncanremembertheselectionstatesofthemostimportantcontroltypes:checkboxes,radiobuttons,listboxes,comboboxes,andtreeviewcontrols.Thisworksevenifthecontrolsarecurrentlyinvisible.Thesettingsarestoredinfileswiththe.dlgextension(for"dialog"),inthesamedirectoryastemplatesandscripts.Thecontentsofeditboxesarealsoremembered.However,thisfunctiondoesnotrememberthecontents/textlabelsofcheckboxes,listboxes,comboboxes,andtreeviewcontrols,e.g.whichcodepageacheckboxrepresentsintheSimultaneous

Searchdialog,whichreporttablesexistintheReportTablefilterlistbox,whichexternalprogramsarelistedintheViewerProgramsdialogwindow,whichfiletypesarelistedinatreeviewcontroletc.Italsodoesnotremembertheorderofcontrolsorlistitems.Italsodoesnotremembersettingsinadependentdialogwindow(whichopense.g.whenclickinga"..."button).ThefunctionalityisnotavailablefortheDirectoryBrowserOptionsdialogwindow.Forthedirectorybrowseroptionspleasesaveandload.settingsfilesbyclickingtheiconsinthedirectorybrowsercaptionline.ThefunctionalitytostoredialogwindowselectionsinfilesisveryusefulforexamplefortheExportListcommand,wheresomeusersrepeatedlyneeddifferentsettingsfordifferentpurposes,andwheretheitemsinthelistboxarealwaysthesame(justtheavailablecolumns),exceptafterchangingthelanguageoftheuserinterface.

CommandLineParameters1)Youcansimplyspecifythenamesoffilesthatyouwishtoopenautomaticallyascommandlineparameters,includingpathifnecessary.Physicaldiskscanalsobeopened,e.g.specify:0forharddisk0.2)Thecommandlinecanbeusedtorunfileeditingscripts.Justspecifythe.whsscriptfilenameasaparameter.Itwillbeexecutedinsteadofopened.3)Thecommandlinecanbeusedtoopenanexistingcase.Justspecifythe.xfccasefilenameasthefirstparameter.YoucanaddimagestosuchacasewiththeAddImage:command(seebelow).4)ThecommandlinecanbeusedinX-WaysForensics(notX-WaysInvestigator)toautomaticallya)createacase,b)addimages,andc)refinethevolumesnapshotofalladdedevidenceobjects.Example:xwforensics64.exe"NewCase:D:\Cases\Mycase""AddImage:Z:\Images\*.e01""AddImage:Z:\Images\Myimage.dd"RVS:~autoIfnopathisspecifiedforthecase,itwillbecreatedinthedefaultdirectoryforcases.Thequotationmarksarerequiredonlyforparametersthatcontainspaces.Asyoucansee,theAddImagecommandsupportsasterisks.Italsosupportsoptionalsub-parameterstoforceinterpretationofanimageaseitheraphysical,partitionedmedium(P)orvolume(V)andtoforceinterpretationwithacertainsectorsize,wherethesectorsizeisoptional,e.g.AddImage:#P#Z:\Images\*.ddAddImage:#P,4096#Z:\Images\*.ddIfyoudontspecifythesesub-parameters,adialogwindowmightpopuptoasktheuserforthisinput,butonlyinsomeveryrarecases,onlyitnotobvioustoX-WaysForensicsfromthedatainthefirstfewsectorswhatkindofimageitisandiftheimagewasnotcreatedbyX-WaysForensicsorX-WaysImagerandiftheimageisnotin.e01evidencefileformat(e.g.rawimage).Onlyifallthreeconditionsaremetatthesametimeplusyoudonotspecifythesub-parameters,thedialogwindowwillpopup.Torefinethevolumesnapshot("RVS:~"command),X-WaysForensicswillby

defaultrunthesameoperationsaswereappliedtoa"virgin"(i.e.completelyunrefined)volumesnapshotlasttimeaccordingtotheWinHex.cfgfile.TextinmessageboxesthatusuallyneedtobeclickedawaybytheuserisredirectedtotheMessageswindowwhileprocessingthecommandlineparametersAddImageandRVS.Dialogboxes,ifany,wouldstillpopupnormally.5)Ifyouwishtoapplydifferentsettingstodifferentkindsofcases,youneedtostorethesesettingsinseparateWinHex.cfgfiles(indifferentdirectoriesorwithdifferentnames)andrestorethedesiredonebeforeexecutingX-WaysForensics.Oryoucanusethecommandlineparameter"Cfg:",whichdeterminesthenameoftheconfigurationfilefromwhichX-WaysForensicswillreadduringstart-upandtowhichitwillwritewhenterminating,insituationswhenyouneedtouseanalternativeconfiguration(nottheonestoredinthemainWinHex.cfgfile).Forexampleusefulifforautomatedprocessingyouneeddifferentsettingsthanformanualexecution,withspecificvolumesnapshotrefinementoperationsselectedortoavoidthepromptwhetherasecondinstanceshouldbestarted.Suchaparameterlookslike"Cfg:Myothersettings.cfg".Asalways,thequotationmarksarerequiredonlyifthenamecontainsspaces.Themaximumlengthofthenameis31characters.OnlyANSI/ASCIIcharactersarecurrentlysupported.CommandlineparametersareusuallyprocessedintheorderinwhichyouspecifythemexcepttheCfg:parameterisprocessedbeforealltheothers,soitdoesnotmatterwhereitgoes.Also,pleasenotethatafewsettingsarestoredinotherfiles,e.g."X-Tensions.txt"and"UnwantedMetadata.txt".6)Itisalsopossibletoimageaphysicaldevice(e.g.localharddiskorremoteharddiskorRAMopenedthroughF-Response)automaticallyviathecommandline.ThefirstparametershouldstartwithacolonandthenspecifythenumberofthedeviceinWindows(e.g.":1"forharddiskNo.1,i.e.thesecondharddisk).Thiswillcausethatdevicetobeopenedautomaticallyuponstart-up.Thesecondparametershouldstartwithapipe,followedbyeither"e01"or"raw"toindicatethepreferredimagefileformat,followedbyanotherpipeandthepathandfilenameoftheimage,thenoptionallyfollowedbyadescriptionandtheexaminername(e.g."|e01|G:\Outputfilename.e01|Mydescription|Myname").7)Thelastparametercanbe"auto"ifyouwishtoautomaticallyexitX-WaysForensicswhenfinished.

User-DefinedKeyboardShortcutsThereisabuttoninthedialogwindowwiththedirectorybrowseroptionsthatyoucanclicktodefineupto20customkeyboardshortcutsforcommandsinthedirectorybrowsercontextmenuandelsewhere.CurrentlyavailableonlyinX-WaysForensics.Shortcutsaremeanttoincreaseyourproductivitywhenperformingyourmostfrequentlyusedactivities.OnlykeycombinationsthatinvolvethekeysCtrl,AltGr,ShiftandSpacearesupported.PleasenotethatifyouusetheSpacekeyforanykeyboardshortcut,youcannotuseitanymoretotagoruntagitems.Thesecondkeycanberelativelyfreelychosenbyjustpressingitwhenthegrayedouteditboxhastheinputfocus.Incasenohuman-readabledescriptionoftheselectedkeyisprovidedandyoulaterforgetwhatkeyyouhaddefined,youcancheckoutthislistofhexadecimalkeycodes:https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspxThefollowing~80directorybrowsermenucommandcodescantheoreticallybeused(notalltested)andhavetobeenteredasanumber:9800:Viewwithexternalviewerprogram#19801:Viewwithexternalviewerprogram#29802:Viewwithexternalviewerprogram#3...9831:Viewwithexternalviewerprogram#329919:Definefiletype9920:Gotorelatedfile9921:Refinevolumesnapshotforselectedfiles9927:RunX-Tensiononselectedfiles9928:Attachexternalfile9931:Editmetadata9932:Seethisfileinitsdirectory9933:Seethisfilefromvolumeroot9934:Findparentobject9935:Logicalsearchwithinselectedfiles9937:Attachexternaldirectory9938:Erasesecurely9939:Leavesearchhitlistforspecificdirectory

9940:Deleteduplicatesearchhitsinlist9941:Selectexcludeditems9942:Editcomment9944:Include9945:Selecttaggeditems9946:Excludeallexcepttaggeditems9947:Excludetaggeditems9948:AddtoevidencefilecontainerORskeletonimageifactiveinthebackground9949:Resizesearchhit9950:Convertsearchhittocarvedfile9951:Resizecarvedandvirtualfiles9952:Assignsearchhittoothersearchterm9953:Extractconsecutivevideoframes9954:Includesearchhitinreport9955:Mountasdriveletter(makessenseonlyifadirectoryisselected,andonlyone)9956:Watchwithpreferredvideoplayer9957:ViewwithpreferredHTMLviewer9958:Viewwithpreferredtexteditor9959:Execute/openinassociatedexternalprogram9960:Selectvieweditems9961:Viewwithto-be-selectedexternalprogram9962:Removeduplicatesbasedonhash9963:Seekitembasedonint.ID9964:Sortbyrelevance9965:Print9966:Seekitembasedonlistitemnumber9967:Sortbynothing9968:Selectall9969:Filterbytheselectedfile'shashvalue(tofindduplicates)9971:Explore9972:Marksearchhitasnotable9973:Open9974:Navigatetodefiningdatastructure9975:Exportlist9976:Listclusters9977:Recover/copy9978:Explore/view

9979:Invertselection9980:IncludeinhashdatabaseYouwillnoticeafewsuspiciousgapsinbetweentheincrementingnumbers.Themissingnumbersareeitherunassignedordiscouragedtoinvokeorsimplydon'tmakemuchsensetodefineforakeyboardshortcut.Asanexampleforthelatter,9929willdeleteselectedsearchhitsorevent,somethingthatcanofcoursebeaccomplishedalreadybypressingtheDelkey.Thisinformationshallreduceyoururgetorandomlytrynumbersnotlistedhere,althoughwhoknowswhetheroneundocumentednumbermaytriggerasecret"Findallevidence"command.Pleasenotethatevenwithoutdefininganysuchkeyboardshortcutyoucanreachalldirectorybrowsercontextmenucommandspurelywiththekeyboardbypressingthecontextmenukey.(Usuallytobefoundbetweentheright-handWindowskeyandtheright-handCtrlkey.)Somemenucommandsalreadyhaveapredefinedkeyboardshortcut.ForexampletheEnterkeyisthesameasadoubleclick(eitherVieworExplore,dependingonyoursettings).ThemultiplicationkeyofnumerickeypadtriggerstheExplorecommand.DelmeansExclude.Ctrl+Delresetsfilestothe"stilltobeprocessedbyvolumesnapshotrefinement"stateandundoessomerefinementoperations.Ctrl+Shift+Delremoveshashsetmatches,hashcategory,andPhotoDNAcategorization.Ctrl+CapsLock+Delremovesthe"filecontentsunknown"flagfromafile.(UsefulforexampleifbecauseoftemporaryI/OproblemsX-WaysForensicsmarkedfilesthatwayalthoughgenerallythefilescanbereadjustfine.)Ctrl+CcopiestheselecteditemsintotheclipboardusingspecialsettingsoftheExportListdialogwindow.MainmenuTheuser-definedkeyboardshortcutsshouldbeabletoinvokepracticallyallcommandsfromthemainmenuaswell,andevenifpartsoftheuserinterfaceotherthanthedirectorybrowserhavetheinputfocus.Ifthecommandcodeofamenucommandchangesinafutureversion,X-WaysForensicswillensurethatanykeyboardshortcuttargetingthatcodewillautomaticallybecomeinactive,topreventaccidentalmisuse.Tofindoutthecommandcodesofcommandsinthemainmenu(alsocalledIDsofmenuitems),youcanopenthemainexecutablefileinaso-calledresourceeditorandhavealookatthemenuresourceinyourpreferredlanguage.Ahighlyrecommendablelight-weightexampleofsuchatoolis"PellesCforWindows",whichalsohappenstobeafineCcompilerand

completedevelopmentkitsuitableforcreatingX-Tensions.Keyboardshortcutsformainmenucommandsshouldbelessimportantthanfordirectorybrowsercontextmenucommandsbecausethemainmenualreadyhasmanydedicatedkeyboardshortcutpredefined,orevenifnotcanbereachedwithouttakingone'shandsoffthekeyboardstartingwiththeAltkey.Togiveyousomeideasaboutusefulapplications,FYIthecommandcodetotogglebetweenrecursiveandnon-recursiveexplorationis122,andthecommandcodetotakeanewvolumesnapshotis109.Commandcodesdefinedforfilters(Theorderisthehistoricalorderinwhichfilterswereintroduced.)9700:Name9701:Type9702:Typestatus9703:Category9704:Size9705:Path9706:Sender9707:Recipients9708:Timestamp9709:Attr9710:Hash19711:Hashset9712:Hashcategory9713:Reporttable9714:Comment9715:Metadata9716:Analysis9717:Pixels9718:Int.ID9719:UniqueID9720:Searchterms9721:Owner9722:Parentname9723:Childobjects9724:ID9725:Author9726:Searchhitdescription

9727:Eventtimestamp9728:Eventtype9729:Eventdescription9730:Searchhit9731:Firstsector9732:Description9733:Hash29734:Fullpath9735:Flexfilter19736:Flexfilter2CommandcodesfortheModebuttonsandrelatedbuttons122:Togglerecursiveexploration138:Accessbuttonpopupmenu172:ToggleDirectoryBrowser186:TogglePositionManager223:ToggleSearchHitList224:ToggleEventHitList225:Disk/Partition/Volume/Containermode226:Filemode227:Previewmode228:Detailsmode229:Gallerymode230:Calendarmode231:Legendmode232:Syncmode249:Rawpreviewmode250:ViewerX-Tensionpreviewmode

DirectoryBrowserContextMenuNote:Commandsinthemainmenu(File,Edit,Search,...)alwaysapplytotheactivedatawindowasawhole(whiche.g.representsanopenfileoranopendisk),ortofiles/disksthatarestilltobespecifiedbytheuser.Theyneverapplytothefile(s)currentlyselectedinthedirectorybrowser.That'swhatthedirectorybrowsercontextmenuistherefor.Thedirectorybrowsercontextmenuallowstheusertodirectlyinteractwiththecurrentlyselectedfiles/directories,notablynotthetaggeditems.Thereareanumberofmenucommandswhichareavailabledependingontheselecteditems.Double-clickingfilesanddirectorieswill,dependingonthecircumstances,eitherinvoke"View","Explore"ortheassociatedexternalprogram.ViewThiscommandallowsviewingtheselectedfilewithWinHex'internalviewersforWindowsRegistryfilesandvariousgraphicalfileformats.IftheseparateviewercomponentthatcomeswithX-WaysForensicsisactive,allotherfilesaresenttothatviewer.Ifitisnot,thefirstinstalledexternalprogramwillbecalledinstead.NTFSsystemfilesarealwaysopenedasdatawindows.Whenviewingafileinaseparatewindow,youmaypress(Ctrl+)PageDn/Uptoclosethewindowandviewthenextfileinthedirectorybrowserinanewwindow.IfaViewwindowdisplaysapictureandviewingpicturesiflimitedtoonepictureatatime,thatwindowwillbeupdatedwhenyoupressthecursorkeysinthegallery.Usefulespeciallyonaspanneddesktop,iftheViewwindowiscenteredonthesecondmonitorandifthegalleryisonthefirstmonitor.AvoidshavingtopresstheEnterkeytoviewthepictureandanotherkeytoclosetheViewwindowtogettheinputfocusbacktothegallery.ExploreOnlyavailablefordirectoriesandarchives(ZIP,RAR,TAR,...),thiscommandallowsnavigatingintothemwithinthedirectorybrowser.Double-clickingarchivesordirectoriesdoesthesame.Acommandthatallowslistingthecontentsofdirectoriesaswellastheirsubdirectoriesatthesametimecanbefoundinthedirectorytree'scontextmenuinstead(intheCaseDatawindow,

"Explorerecursively").ViewerProgramsAllowstosendtheselectedfile(s)tooneoftheexternalprogramscurrentlyconfiguredorthefile'sassociatedprograminthecurrentWindowsinstallation.ThisassociationisdeterminedbasedonfileextensionasisusualwithinWindows.Youalsohavetheoptiontoopenfilesinanexternalprogramthatyouselectadhoc.Theprogramthatyouselectwillbesavedasstandardcustomviewerprogramifyouhavenotusedallslotsforexternalviewerprogramsyet,andthenalsorememberedfornexttimewhenyouinvokethesamemenucommand.OpenOpenscurrentlyselectedfilesordirectoriesinseparatedatawindows.UnlikeFile|Open,wherefilescanbeopenedjustlikeinanyotherapplicationwiththehelpoftheoperatingsystem,thisisaforensicallysoundoperationinthatitdoesnotupdateanytimestampsetc.becausetheoperatingsystemiscircumventedandthelogictoreadthefile'scontentsfromthecorrectdisksectorsisimplementedinWinHexitselfforvariousfilesystems.Nochangescanbemadetofilesthatwereopenedinthisfashion,however.Inthecaseofadirectory,thedirectory'sdatastructureswillbeopened.PrintIftheseparateviewercomponentisactive,youmayselectfilesforprinting.Allowstoprintmultipleselecteddocumentswithoutinterruption/theneedtoclicksomewhereaftereachdocument,optionallyalongwithchildobjects(e.g.e-mailattachmentstogetherwiththeirrespectivee-mailmessage).Theoptionalcoverpagecontainsthedateandtimewhentheprintjobwasstartedandselectedmeta-information,e.g.filename,path,evidenceobjecttitle,filesize,description,timestamps,comments,...ThecoverpageisprintedbyX-WaysForensicsitself,thefollowingpageswiththeactualdocumentareprintedbytheviewercomponent.AnotheroptionistohaveX-WaysForensicsprintthefilenameandpathonthefirstpage.Thisoptionisnotboundbythesamepathlengthlimitationsastheheaderoptionallyprintedbytheviewercomponent.Toavoidthatthepathisprintedtwiceonthefirstpage,haveeitherX-WaysForensicsortheviewercomponentprintit,notboth.Youcanprintjustthecoverpageby

choosingtoprintonlythepages0through0ofthedocumentorpictureitself.Theheaderlineofthecoverpage,whichspecifieswhichuserandwhichprogramandversioncreatedtheprintjob,isoptional.Usefulifyouwishtoshowtheprintouttowitnessesorthesuspectwhoshouldnotknowtheusernameoftheexaminer.Recover/CopyMountasDriveLetterExportListRequiresaspecialistlicenseorhigher.Exportsdataabouttheselecteditemsinthedirectorybrowsertoatab-delimitedtextfileortoanHTMLfile,whichcanbeeasilyviewedinanywebbrowser,alsoimportedandfurtherprocessede.g.inMSExcelandMSWord.Athirdoption(exceptforsearchhitlists)isanXMLfile.Thelistcanalternativelybecopiedintotheclipboardintheformataschosen,forexampletopasteitdirectlyintoanexternallyeditedreport.Thecolumnstoexportarefreelyselectable.Eventhesearchhitcolumncanbeexported,withthetextualcontextaroundeachandeveryactualhit,wherethesearchtermitselfcanbevisuallyhighlightedwithayellowbackgroundcolor(notrecommendedforoutputtoMSExcel).YoumaychoosetosplituptheresultintomultiplefilesforexampletoavoidahugeHTMLfilethatInternetbrowserswillchokeon.Thereisanoptiontocopyfilesoffthedisk/imageandlinkthemfromtheHTMLoutput.ThelinkscanbefoundintheNamecolumn.Thebehaviorisaffectedbytwocasereportoptions:"NameoutputfilesafteruniqueID"and"Embedattachmentsinparent.emlfile".ThisoptionpresentsaninterestinglayoutalternativetotheregularoutputofreporttablesandalsoanalternativetotheRecover/Copycommand.TheExportListcommandremembersitsownnotationsettings,differentfromthenotationsettingsintheGeneralOptions.Thatisusefulbecausethedatabaseorspreadsheetprogramofyourchoiceinwhichyouwishtoimportthedatamaynotliketheformattingthatyouprefertoseeinthedirectorybrowser(e.g.fractionsofsecondsintimestamps,timezonebias,weekdaysindates,delimiterbetweendateandtime,integerdigitgrouping,...).WhiletheExportlistdialogwindowisonthescreen,thedirectorybrowserinthebackgroundreflectsthe

notationsettingsoftheExportListcommand,asakindofpreview.ExtractconsecutiveframesExtractsallframesspecificallyfromadefinedsectionofaselectedvideo.Usefulifacertainpartofavideoisofhighinterestandyouneedtocarefullycheckvisualdetailsincertainframesorincludetheminthereport.Youcanspecifyhowmanyconsecutiveframestoextractandstartingfromwhichsecond.ThenumberofframesthatyouneedtocoveracertainperiodoftimecanbedeductedfromtheframerateasshownintheMetadatacell(fps=framespersecond).Pleasenotethatthestartsecondmaybeinterpretedveryroughlyonly,dependingonthefrequencyofkeyframes(a.k.a.I-framesinMPEG)inthevideo.MPlayercanseekintoavideofileonlybasedonkeyframes.Ifforexampleacertainvideofilecontainskeyframesonlyevery4secondsforexample,thenthestartsecondoftheextractionmaybeoffbyupto4seconds.Keepthisinmindwhenyouenterthenumberofframesthatyouneedorthestartsecond.Thatis,tobeonthesafeside,extractmoreframesthanyoumayactuallyneedandperhapsfromanearlierstartsecond.TheframesaresavedasJPEGfilesinadirectoryofyourchoiceonyourowndrive,whereyoucanreviewthemoutsideofX-WaysForensics.Ifyoulike,youcanofcourseattachthemostrelevantframestotheoriginalvideofileinthevolumesnapshotaschildobjects.Theframesarenotstoredwithinthevolumesnapshotbydefaultsothatthesizeofthevolumesnapshotdoesnotunreasonablyinflatewithpotentiallymostlyirrelevantandredundantpictures.Iftheoutputdirectoryalreadycontainsextractedframes,fileswithidenticalrelativeframenumberswillbeoverwritten.Relativeframenumbersalwaysstartwith00000001foreachextractionandincrementwitheachframe.YoumayadjusttheJPEGcompressionifnecessaryforstrongercompressionorbetterquality.(Ofcourseyouusuallycannotexpectaverygoodqualitybecausevideosaretypicallyhighlycompressedalready.)ReportTableAssociationEditCommentRequiresaforensiclicense.Usethiscommandtoaddacommenttoaniteminthedirectorybrowserortoeditorremoveanexistingcomment.Afterenteringcomments,youcanconvenientlysetthefiltersuchthatonlycommenteditems

areshownoronlyitemswithspecificcomments,e.g.thosewithacertainrelevance.EditMetadataRequiresaforensiclicense.Allowstoeditthemetadatafieldofafileoncemetadatawasextracted.Usefulifyouwishtoincludeselectedmetadata(notallextractedmetadata)inareport.RefineVolumeSnapshotandSimultaneousSearchinitemsthatareselectedinthedirectorybrowserTag/UntagItemRequiresaforensiclicense.Taggingfilesmeanshighlightingthemvisually(placingabluesquareatthebeginningofadirectorybrowseritem),forvariousreasons,e.g.tomarkthemasrelevant,ormemorizeapositioninasortedlist,ortolimitvolumesnapshotrefinementstotaggedfiles.Taggingisnottobeconfusedwithselecting.Exclude/IncludeYoumayexcludeselecteditems(pressDel)oralltaggedoralluntaggeditems.Ifactuallyfilteredout,excludedfilesareomittedfromthedirectorybrowser,thegalleryview,andallcommandsthatcanberunfromthedirectorybrowsercontextmenu.Ifyouareonlyallowedtoexaminethecontentsofcertaindirectories,youcouldinitiallyexcludeallfilesinallotherdirectoriestoensurethat.Refiningthevolumesnapshotcanbelimitedtofilesthatarenotexcluded.Excludeditemsareactuallyfilteredoutonlyifthecorrespondingfilterisenabledinthedirectorybrowseroptions.Ifnotfilteredout,theyarelistedingrayandcanbeincludedagainwiththedirectorybrowsercontextmenuorbypressingShift+Del.FindduplicatesinlistFilterforduplicatesAbilitytofilterforduplicatesofasingleselectedfilethatarealsocurrentlylistedinthedirectorybrowser,onlyifahashvalueisavailablefortheselected

fileandtheotherfiles.Actuallyfiltersforthathashvalueatthattime,andthusdoesnotdependonpreviousmassidentificationofduplicatefilesusingtheabove-mentionedcommand"Findduplicatesinlist".InX-WaysInvestigatortheactualhashvaluesarenotdisplayedandcannotbecomputed,buttheyareimportedfromevidencefilecontainersthatcomewithhashvaluesforfilesandcanbeusedtoidentifyduplicatefiles.Insearchhitlistsyoumay1)permanentlydeleteselectedsearchhits,2)permanentlydeleteduplicatesearchhits.Searchhitsareconsideredduplicatesiftheyeitherhaveidenticalphysicaloffsetsor,iftheydon'thavephysicaloffsets,iftheirlogicaloffsetsandthecorrespondinginternalfileIDsarethesame.Whenindoubt,X-WaysForensicswillkeepthelongersearchhit(as"Smithsonian"forexampleismorespecificthan"Smith")andfavorssearchhitsinexistingfiles.3)Resize:Allowstoresizeorrepositiontheselectedsearchhits.Ifforexampleyouaresearchingforasignaturethatidentifiesrecordsinsomekindofdatabase,andyougetmanysearchhitsforthesesignatures,butwhatyouarereallyinterestedinistherecorddatathatfollowsthesignature,andyouwishtoexportthatdata,thenyoucouldadjusttheoffsetsandthelengthsofthesearchhitsinasuitableway.Also,insteadofexportingmorecontextaroundthesearchhitswiththeExportListcommandyoucouldenlargethesearchhitsthemselvespriortoexportingthem.Theeffectisvisibleimmediatelyinthesearchhitpreviewinthesearchhitlist(butnotnecessarilyimmediatelyinthehighlightinginthelowerhalfofthedatawindow).4)Anothercontextmenucommandinsearchhitlistsallowstoconvertsearchhitstocarvedfiles.Usefulifyouwishtoincludeyoursearchhitsasfilesinareport,addthemtoareporttable,commentonthem,printthecontents,Recover/Copythemetc.Notethatsearchhitsthathavebothaphysicalandalogicaloffsetswillbecarvedatthesectorlevelandwillappearinthevirtualdirectoryforcarvedfiles.Searchhitsthatonlyhavealogicaloffsetwillbecarvedwithinthefileinwhichtheywerefoundandwillappearasachildobject.Searchhitsinthedecodedtextofafileaswellassearchhitsindirectorybrowsercolumnscannotbecarvedandwillbeomitted.5)Assigntoothersearchterm:Abilitytocategorizeselectedsearchhitsbymovingthemovertoothersearchterms,existingornewones.Ifforexampleyougetseveralrelevanthitswhenrunningasearchforthesearchterm"invoice",andsomehitsarerelevantinadifferentwaythanothers,thenyoucouldassignthemtoothersearchtermslike"InvoiceABCLtd.","InvoiceXYZ

Corp."etc.Thosenewlycreatedsearchtermswillappearinthesearchtermlist,buttheyfunctionmorelikecategoriesbecausetheywerenotsearchedforliterallythemselves.NavigationOnecommandinthissubmenuallowstosortfilesbytheirestimatedrelevance(cf.metadataextraction)."SeekInt.ID"allowstoconvenientlyseektheitemwithagiveninternalID,nomatterwhetherfileordirectory.Ifafilterpreventslistingthatitem,allfilterswillbedeactivatedautomatically."SeekItem#"willjumptotheitemthathasthespecifiedpositioninthecurrentlisting.Thepositionofanyiteminthelistisshownwhenyouhoverthemousecursorovertheiconofafileordirectory.TheNavigationgroupofcommandsalsoallowsinteractionwiththecurrentlyselectedfileatagenerallymoretechnicallevel.Itallowstodirectlylocatethedatastructureinthefilesystemthatdefinesafile(e.g.FILErecordinNTFS,inodeinExt2/Ext3/Ext4,directoryentryinFAT).TheNavigationmenualsoallowstoproducealistofalltheclustersallocatedtotheselectedfileordirectory.Fromthecontextmenuofthatlistwindow,theclusterlistcanbeexportedtoatextfile.Optionallythelistcanbeshortenedanditscreationgreatlyacceleratedbyomittingclustersinthemiddleofafragment.Omissionsareindicatedbyellipses.Thisoptiontakeseffectonlywhenyouproduceaclusterlistthenexttime.Findparentobject:Navigatestoandselectstheparentobjectoftheselectedobject.EquivalenttopressingtheBackspacekey.Thechildobjectcanbeanordinaryfileinadirectory,orane-mailmessageinane-mailarchiveorafileattachmentinane-mailmessageorapictureinadocumentorafileinacompressedarchiveetc.Findrelateditem:Thiscommandallowsyoutoconvenientlynavigatetotherelateditemifoneexistsfortheselectedfileordirectory.Alternatively,youcanpressShift+Backspace.Seeselectediteminitsdirectory:Willshowyoutheselectedfileordirectoryamongitssiblings.Usefultoquicklycheckoutwhethertherearemorenotablefilesinthesamedirectoryortobetterunderstandthefunctionofthefilewhen

youseeitincontext.Seeselecteditemfromvolumeroot:Willshowyoutheselectedfileamongallotherfilesinthesamevolume,recursivelyexploredfromtherootofthefilesystem.Usefulforexampletoseewhetherthereareanyfileswiththesamename,thesameID(e.g.previousversionfromavolumeshadowcopy),sameowner,samesender,orsimilartimestampsetc.inthesamefilesystem(justsortaccordingly).Bothcommandscanbealsobeusedfromwithinthecaserootwindowandfromwithinsearchhitlists(sotheprevious"Gotofileindirectorybrowser"commandbecomesobsolete).RememberyoucanclicktheBackbuttoninthetoolbartoconvenientlyreturntothepreviousview.RefineVolumeSnapshot,SimultaneousSearch,RunX-TensionsThesecommandsareknownfromthemainmenu.Fromthedirectorybrowsercontextmenutheycanbeappliedtotheselectedfiles.IncludeinHashDatabaseCreatesahashsetofthecurrentlyselectedfilesanddirectoriesandtheirsubdirectoriesdirectlywithintheinternalhashdatabase,eitherwithordinaryfilehashvaluesorwithblockhashvaluesorPhotoDNAhashvalues.Forordinaryhashvaluesthereisanoptiontocreatemultiplehashsetsinasinglestep,wherethehashvaluesoftheselectedfilesareputintohashsetsthatarenamedaftereachfile'sreporttableassociation(s).Thisisusefulifyoucategorizenotablefilesinonecaseusingreporttables(e.g.basedondifferenttypesofCP),andwishtoquicklyidentifythesamefilesagaininothercaseslater,andautomaticallyseethecategorythatyouhadoriginallyassigned,asthehashsetname.Thecheckboxforthatislabelled"Nameafterreporttableassociations,ifany".Ifaselectedfiledoesnothaveanyreporttableassociation,itshashvaluewillbeassignedtothehashsetnamedasyouspecify,justlikeifyoudonotcheckthatcheckbox.ThiscommandcanalsobeusedtocreateaseparatefilewithPhotoDNAhashvaluesoftheselectedfilesortojustupdatefiledescriptionsoffilesinthePhotoDNAhashdatabasewiththecommentsstoredinthevolumesnapshot.

AttachExternalFile/Dir.Requiresaforensiclicense.AbilitytoattachoneormoreexternalfilesoradirectoryincludingsubdirectoriestothevolumesnapshotandhavethemprocessedbyX-WaysForensicslikeregularfilesinthevolumesnapshot.Usefulifyouneedtotranslate,convert,ordecryptoriginalfilesandwouldliketoreintegratetheresultbackintheoriginalvolumesnapshot,intheoriginalpath,forfurtherexamination,reporting,filtering,searchesetc.SuchexternalfileswillbecompletelymanagedbyX-WaysForensicsonceattached,copiedtotheinternalevidenceobjectsubdirectoryofthecase,andmarkedasvirtualfiles.Youwillbeaskedtoclassifythefilesthatyouareattachingaswhattheyactuallyare,e.g.videostillsproducedoutsideofX-WaysForensics,e-mailsextractedfrome-mailarchivesoutsideofX-WaysForensics,OLE2objects,attachmentsofvariouskinds(inparticularofPDFdocuments),etc.etc.Ifproperlyclassifiedasvideostills,theattachedpictureswillbeusedaspreviewsfortherespectiveparentvideofileforexample.TheclassificationcanbeseenintheDescriptioncolumn.WhenattachingasingleexternalfileandholdingtheShiftkey,X-WaysForensicsproposesanewnameforthatfilethatisbasedonthenameofthefilethatisselected,andtheattachedfilewillbeaddedtothesamedirectory.Otherwisetheexternalfilenamesofthefileswillbeusedandtheywillbecomechildobjectsoftheselectedobject.Itisstillpossibletorenamevirtualfilesinthevolumesnapshotlateratanytime.Whenattachinganexternaldirectorytothevolumesnapshot,youarepromptedwhethertheselecteddirectoryitselfshouldalsobeattachedorjustitscontents.UsuallyX-WaysForensicscreatesvirtualfilesinsubdirectoriesinnewvirtualdirectoriesinthevolumesnapshot.Thereis,however,anoptiontoaccommodatethefilesinexistingdirectoriesinthevolumesnapshotofthesamenameatthesamepositioninthedirectorytree.Usefulifyoucopyanentiredirectorystructureofftheimagetoconvert/decrypt/translate/...filesoutsideofX-WaysForensics,andthenwanttobringtheresultsbackintothevolumesnapshotandseetheeditedfilesnexttotheiroriginalcounterpartsinthecorrespondingsubdirectories.ThiscanhelpforexampleifyouwishtoOCRandconvertPDFdocumentsthatX-WaysForensicshasdeemednon-searchable,usingAdobeAcrobat.

X-WaysForensicscanoptionallyadoptthetimestampsofattachedfilesinthevolumesnapshot(creation,modificationand/oraccess).Youcanmakeuseofthisifyouaresurethatthetimestampsareoriginalandnottheresultofanyofyourownfilecopy/decoding/decryptionactivityetc.RenameAllowsyoutorenamevirtualdirectoriesandvirtualattachedfilesinavolumesnapshot,oriftheShiftkeyispressedevenordinaryfiles.Althoughthelatterisnotexactlyforensicallysoundwhendealingwithoriginalevidence,thiscanprovehelpfulinspecialsituations,forexampleifafilenameordirectorynameistoolongtocopyafileoutofanimageetc.Theoriginalfilenamewillbekeptasthealternativefilename.Notethatthisdoesnotrenamethefileinthefilesystem(nothingisalteredonthediskorintheimage!),onlyinthevolumesnapshot,i.e.theinternaldatabaseinX-WaysForensicsaboutthefilesystem.YoualsohavetheabilitytosetthealternativenameofafilebyholdingtheShiftkeywhenrenamingthefile(holditatthemomentwhenclickingtheOKbutton).SpecifytypeAbilitytospecifythetypeofselectedfilesyourself.UsefulifyouwishtoidentifytypesorsubtypesinanindividualwayunknowntoX-WaysForensics,forexampletobeabletofilterbythesetypeslater.Forinstance,howaboutcategorizingTIFFpicturesthataredigitallystoredfaxesastype"fax"?RememberyoucandefineyourownfiletypesinFileTypeCategories.txt.ResizeFilesfoundthroughafileheadersignaturesearchandfilesthatwerecarvedwithinotherfilescanbemanuallyresizedbytheuser.WipesecurelyFilesanddirectoriesthatareselectedinthedirectorybrowsercanbesecurelywipedinWinHex(notX-WaysForensics).Thedatainthelogicalportionofafile(i.e.excludingthefileslack)andinclustersofadirectory(e.g.containingINDXbuffersinNTFSanddirectoryentriesinFAT)willbeerased/overwrittenwithahexvaluepatternofyourchoice.Theexistencestatusofthefileinitsfilesystemwillnotbechanged,i.e.itwillnotbemarkedasdeleted,theclusterswill

notbereleasedetc.Nofilesystemlevelmetadatasuchastimestampsorattributeswillupdatedbecausenooperatingsystemfilelevelwritecommandsareused.Nofilesystemdatastructuresarechanged,andnofilenameswillbeerased,onlythecontentsoffileswillbeoverwritten.Filesthatarecompressedinarchivesorgenerallyfileswithinotherfiles(e.g.e-mailsandattachmentsine-mailarchives)cannotbeerased.Previouslyexistingfileswhoseclustersareknowntohavebeenreusedwillnotbeerased.Notethatbyerasingdeletedfilesyoumighterasedatainclustersthatbelongtootherfiles,soonlyselectexistingfilesifyouwanttoavoidthat(assumingconsistentfilesystems).Alsonotethatbyerasingcarvedfilesyoumayerasetoomuchornotenoughdata,dependingonthedetectedfilesizeanddependingonwhetherthefilewasoriginallyfragmented.Andpleasenotethatwipingdirectories,i.e.erasingthedataintheclustersallocatedtoadirectory,willcauseexistingfilesinthatdirectorytobecomeorphaned.Moretypicallyusersonlywipethecontentsoffileswiththisfunction,notthecontents(data)ofdirectories,iftheystillwishtousethefilesystem.Usefulforexampleifcopiesofimagesareforwardedtoinvestigators/examiners/otherpartiesinvolvedinacasewhoarenotallowedtoseethecontentsofcertainfiles.Usefulalsoifyouhavetoreturncomputermediaonwhichchildpornographyhasbeenfoundtotheownerafterclearingthesefiles.Alsousefulifyouarepreparingimagesfortrainingpurposesthatyouwouldliketopublishandifyouwouldliketoretroactivelyerasethecontentsofcopyrightedfiles(e.g.operatingsystemorapplicationprogramfiles).Bothsuccessfullyerasedfilesandfilesthatcouldnotbesuccessfullyerasedwillbeaddedtoseparatereporttables(whenworkingwithacase,withaforensiclicenseonly)bywhichyoucanfiltertoverifytheresult.MarkhitasnotableInasearchhitlist,marksselectedhitswithayellowflagandincludesintheminthelistofnotablesearchhits.Youmayalsopressthespacebartomarkahitasnotableorremovethatmark.HoldingtheShiftkeywheninvokingthemenucommandremovesthe"notable"flagfromallselectedsearchhits.IncludeinreportInasearchhitlist,marksselectedsearchhitsforinclusioninthecasereport,

withthegreengridicon.

CaseTreeContextMenuSomeofthecommands:Exportsubtree:ThiscontextmenucommandintheCaseDatawindowallowsyoutoexportapseudo-graphicalrepresentationoftheselectedsubtreeinaUnicodetextfile,whichisbestviewedwithafixed-widthfont.Theexportedtreereflectsthecurrentstateofsubdirectories(expandedorcollapsed).ThemenucommandisavailableforevidenceobjectsandalsofordirectoriesifyouholdtheCtrlkeywhenright-clickingadirectoryinthecasetree.Remembertofullyrecursivelyexpandaportionofthetreethatyouwanttoexport,youcanclicktherootofthatportionandpresstheasterisk(multiplication)keyonthenumerickeypad.Attachexternalfiles:Thiscommandallowstoattachexternalfilesaschildobjectstotheiroriginalcounterparts(afterdecrypting,translation,convertion,OCRing,...)inmultipleevidenceobjectsatthesametimeautomaticallyiftheyarenamedaftertheuniqueIDoftheoriginalfiles.(Thefilenameextensionisignored.)YoucannamethefilesaftertheuniqueIDwhenyoucopythemofftheimagewiththeRecover/Copycommand,andyoudonotneedtopreservethepath,astheuniqueIDalreadyfullyidentifiesthefile.Usefulifyouwishtoapplyexternaltoolstothecopiedfileswhichhaveproblemswithoverlongpaths,ifyouwishtobringbacktheresultintothevolumesnapshot.Whenattachingexternalfiles(e.g.afterdecrypting,converting,translating,...),youaregivenfouroptions:1)theattachedfilecanbecomeachildobjectoftheoriginalfileor2)theattachedfilecanbecomeasiblingoftheoriginalfile(shownnexttoit,inthesamedirectory)or3)theattachedfilecanreplacetheoriginalfile(originalfilenolongerpresent)or4)theattachedfilecanreplacetheoriginalfile,andtheoriginalfilecanbecomeachildobjectofthenewfileifstillneeded.Youcanselecttheattachmentmethodseparatelyforordinaryfilesande-mailattachments.Thethreelattermethodsareparticularlyusefulfore-mailattachmentsbecauseonlydirectchildobjectsof.emlfilesareembeddeddinthe

parent.emlfilewhenrecovering/copyingthose.emlfiles.Soifyouwouldliketohavethedecrypted/converted/translatedversionofanattachmentembeddedinthe.emlfile,thatversionshouldnotbecomegrandchildobjectasinpreviousversions.Ifyouwantoriginalandnewversionbothtobeembedded,makethemsiblings.Ifyoudonotneedtheoriginalversionembedded,replaceitcompletelyorpreserveitonlyasachildobjectofthenewversion(i.e.grandchildofthe.emlfile).Theattachedfilesadopttheclassificationoftheoriginalfiles,e.g.asextractede-mailmessagesorOLE2objects.Iftheoriginalfileshavenospecialclassification,theattachedfileswillbesimplymarkedasattachedfiles.ExportFilesforAnalysis:ThismenucommandintheCaseDatawindowcanbeappliedtotheentirecaseandfromtheretoselectedevidenceobjects,ortotheactiveevidenceobjectonly.ItusestheinterfaceforexternalanalysisoffilestoinvokeexternalautomatedanalysistoolssuchasDoublePics.Thereisacontextmenufordirectories,too.Itisdisplayedwhenright-clickingadirectorydependingontheGeneralOptionsanddependingonwhetheryouholdtheShiftkeyatthesametime.Otherwiseright-clickingadirectorymeanstoexploreitrecursively.

DataWindowContextMenuWhenyouright-clickthehexeditordisplay(consistingofoffsetcolumn,hexcolumn,textcolumn)ofafileoradisk,youwillgetacontextmenuthatallowsyoutodefinetheboundariesoftheblock(startandend)andinvokeafewmorecommandsthatapplytothatblock:AddtoUserSearchHits:Forensiclicenseonly.Allowsyoutodefinesearchhitsmanually.Wheneveryoucomeacrosssomerelevanttext,forexamplefloatingaroundinfreespaceinDisk/Partition/VolumemodeorwithinacertainfileinFilemode,youcanselectitasablockandright-clicktheblocktoadditasaso-calledusersearchhit(i.e.somekindofsearchhitnotfoundbytheprogram).Youcanassignthesearchhittoanarbitrarilynamedsearchterm/category.Forexample,ifwhatyouhavefoundisrelatedtosuspectA,assignitasasearchhittoasearchtermnamedaftersuspectA.IfalsorelatedtosuspectB,youcanalsoassignittoanothersearchterm.Youcouldalsoassignittoarealsearchtermthatyouhaveusedforanautomaticsearch.Usersearchhitscanbeconvenientlylistedinandnicelyexportedfromsearchhitlistsjustlikeordinary(automaticallygenerated)searchhits.Todistinguishthenfromordinarysearchhits,inthesearchhitdescriptioncolumnusersearchhitsaremarkedwithanasterisk(*).Youcanspecifythecorrectcodepageforusersearchhitsyourselfwhenyoudefinethem,whichmaybeessentialtogetthetextdisplayedcorrectly.UsersearchhitsarestoredrelatedtoanobjectinthevolumesnapshotifyoudefinetheminFilemode.Usersearchhitsareforwardcompatible,i.e.olderversions(v16.2andlater)canalsoseeusersearchhitscreatedbyv16.6.AddBlockasVirtualFile:Forensiclicenseonly.SeeEditmenu.AddPosition:Allowsyoutorememberthepositionindicatedbythecurrentlydefinedblock,eitherintheGeneralPositionManagerorinthePositionManageroftheevidenceobject(whenworkingwithacase,ifyouright-clickablockthatisdefinedinanevidenceobject,forensiclicenseonly).Makesiteasiertofindthesamepositionagainlater,andcanbeusedtonicelyhighlightandexplain(withtooltips)thestructureoffilesorrecordsofacertainformatthatyouareanalyzing/tryingtoreverse-engineeretc.IfsearchhitsarehighlightedinFilemode(seeGeneralOptions),youcanalso

deletethemviathecontextmenu.YoucanalsogetthecompleteEditmenufromhere.

FileMenuNew:Thiscommandisusedtocreateafile.Thefileisprincipallyopenedindefaulteditmode.Youhavetospecifythedesiredfilesize.InX-WaysForensicsyoucanalsousethiscommandtocreatedummysegmentsfor.e01-Images.Open:Letsyouopenoneormorefiles.YoumaychooseaneditmodeincaseitisnotpredeterminedintheOptionsmenu.Alsoallowstoopenphysicaldisks,partitionsandvolumesasafile,byclickingabuttonlabeled"Device..."inthefileselectiondialog.Youcanenteradevicepathsuchas\\.\PhysicalDrive1(forharddisk1)\\?\Volume{12345678-9abc-11a1-abcd-0123456789ab}(foravolumewiththatGUID)\\.\C:(foravolumemountedasdriveletterC:)Thisfunctionalityallowstoopenvolumesthatarenotmountedasdriveletters.TogetanoverviewofvolumesknowntoWindows,type"mountvol"inacommandpromptwindow.YoucanalsotrytoopenexoticdevicessupportedbyWindowssuchastapesandchangers(nottested).Alsothisishowyoucanopenalternatedatastreamswhosepathandnameyouknow,whichcannotbeopenedthroughtheordinaryFile|Opendialog,withoutopeningthevolumeonwhichtheyreside.Openingaharddiskasafilecanbeusefulforexampleifyouwishtoclonethatdiskandifsourceanddestinationdiskhavedifferentsectorsizes(whetheritmakessenseinthefirstplacetocloneaharddiskdespitethesectormismatchdependsonthedata).Whentreatedasafile,thereisnodefinedsectorsizeandhencenopossibilityforasectorsizemismatch.Devicefilescanalsobeinterpretedasdiskslikeimagescan.Save:Savesthecurrentlydisplayedfilewithallmodificationstothedisk.Inin-placeeditmode,usingthiscommandisnotnecessary.Whenusingthediskeditor,thiscommandisnamed"SaveSectors".SaveAs:Savesthecurrentlydisplayedfileunderadifferentname.CreateDiskImage/MakeBackupCopy

Create/VerifySkeletonImageRestoreImage:Selectanimagethatyouwouldliketorestore,i.e.whosesectorsyouwouldliketocopybacktotheoriginalmediumorsomeothermedium,orselectaorWinHexbackup(.whx)filewhosecontentsyouwouldliketorestore(couldbeafileordisksectors).Inthecaseofanimage,theimagewillbepresetasthesourceintheCloneDiskwindow(withaspecialistlicenseorhigher,interpreted).WithoutaspeciaIistlicenseorhigher,onlyWinHexbackupscanberestorediftheyaresplit.BackupManagerExecute:Executesthecurrentfileifexecutable,orotherwisetheassociatedprogram.PrintProperties:Allowsyoueditthesize,thetimestampandattributesofafileoradirectoryinyourownWindowssystem.Changeableattributesare:A(tobearchived),S(system),H(hidden),R(read-only),X(nottobeindexed),T(temporary),~(sparse).Afterenteringnewvaluesinanyarea(size,timestampsorattributes),simplypresstheEnterbuttontoapplythem.Clickthebuttonwiththeellipsistoselectanewfile,orenterpathandnamedirectlyintotheeditboxnexttothatbuttonandpresstheEnterkey.Thelatterwillalsoworktotargetadirectory.Pleasenotethatsettingorremovingthesparseattributedoesnotnecessarilychangetheallocationstatusofalreadyassignedclusters,butwilldefinitelyhaveaneffectonnewlyassignedclusterswhenyouexpandthefilebysettingalargerfilesizeinthesamedialogwindow.OpenDirectory:Opensawindowthatrepresentsadirectoryonyourowncomputerandallowsyoutoseeallitsfilesandsubdirectories.OpenFiles:Thiscommandisusedopenseveralfilesthatmeetspecialrequirementsatatime.Selectafolderinwhichtoopenfiles.Subfoldersarebrowsedoptionally.Youmayspecifyaseriesoffilemasks(e.g."w*.exe;x*.dll").Thereisalsoaswitchthatpermitsopeningonlythosefilesthatcontainacertaintextorcertainhexvalues.Thestandardsearchdialogsare

displayeduponrequestforthispurpose.IfWinHexisnotsetuptoworkasaviewerorin-placeeditor(thiscanbedoneintheToolsmenu),youmaychooseaneditmode.SaveModifiedFiles:Allfileswhichhavebeenchangedarewrittentothedisk.SaveAllFiles:Allfilesthathavenotbeenopenedinviewmodearewrittentothedisk.Exit:UsethiscommandtoendWinHex.Youwillbepromptedtosaveanymodificationstofilesanddisks.

EditMenuUndo:Reversesthelastmodification,incasethecorrespondingundooptionwasactivated.Cut:Removesthecurrentblockfromthefileandputsitintotheclipboard.Thedatafollowingtheblockispulledtotheformerblockbeginning.CopyBlock/All/Sector:-Normally:Copiesthecurrentblock/theentirefile/thecurrentsectorintotheclipboard.Thecontentsoftheclipboardcanbepastedorwrittenlater.-AsUnicode/ANSI:SpecificallycopiestextfromthetextcolumnasUTF-16UnicodeevenwhenthetextcolumnisnotdisplayedinUnicode,orspecificallyasANSI-encodedtextevenwhenthetextcolumnisnotdisplayedasANSIASCII.-IntoNewFile:Copiesthedatadirectlyintoanewfile(notviatheclipboard).Forinstance,thiscommandcanbeusedtorecoveralostfilefromdisksectors.-HexValues:Copiesthedataasconcatenatedhexvalues.-GREPHex:CopiesthedataashexvaluesinGREPsyntax.-EditorDisplay:Copiesthedataastext,formattedasifitwasdisplayedinthehexeditor,i.e.withanoffset,ahexandatextcolumn.-C/PascalSource:CopiesthedataasC/Pascal-formattedsourcecodeintotheclipboard.PasteClipboard:Insertstheclipboardcontentsatthecurrentpositionofafile.Thefiledatafollowingthispositionismovedforward.WriteClipboard:Copiestheclipboardcontentstothecurrentfileatthecurrentposition.Thedataatthispositionisoverwritten.Iftheendofthefileisencountered,thefilesizeisincreasedsothattheclipboardcontentsfindsplace.PasteClipboardIntoNewFile:Createsanewfileoftheclipboardcontents.EmptyClipboard:Thiscommandisusedtofreethememoryusedbytheclipboard.Remove:Deletesthecurrentblockfromthefile.Thedatafollowingtheblockispulledtotheformerblockbeginning.Theclipboardisnotaffectedbythis

command.Iftheblockisequallydefinedinallopenfiles(i.e.itbeginsandendsatthesameoffsets),thiscommandcanevenbeappliedtoallopenfilesatthesametime.PasteZeroBytes:Usethiscommandtoinsertzerobytesatthecurrentpositionofafile.AddBlockasVirtualFile:(forensiclicenseonly)IfyoumanuallydefineablockinVolume/Partition/Disk/Filemode,thiscommandallowsyoutoaddittothevolumesnapshotasacarvedfile,or(incaseofFilemode)asachildobjectoftheoriginalfile.Usefulifyouwishtotreatdatainacertainarea(e.g.HTMLcodeore-mailmessagesfoundfloatingaroundinfreespace)asafile,e.g.toviewit,searchitspecifically,commentonit,addittoareport,etc.IfyoumanuallycarveafilewithinanotherfileinFilemode,theresultingfilewillbemarkedintheAttr.columnasanexcerptandcanbefilteredassuch.AlreadycarvedareasinhostfilesarehighlightedinFilemode.Usefultoremindtheuserwhetherheorshealreadyhascreatedexcerptsfromafileandwhere(e.g.fromalargefreespacevirtualfile)whencontinuingtolookatthathostfile.DefineBlock:Thisfunctionisaccessiblefromthemenuandthestatusbar.Adialogboxletsyouspecifythedesiredblockboundariesorsize.Thiscommandcanalsobeappliedtoallopenfiles.SelectAll:Definesthebeginningandtheendofthecurrentfileasitsblocklimits.SuperimposeSectorsConvertModifyDataFillBlock/File/DiskSectors

SearchMenuSimultaneousSearchExportWordList:Availableonceanindexhasbeencreated.Allowstosavealistofallthewordintheindextoatextfile.Inthatlist,eachwordthatoccursinthefilesthatwereindexedwillbepresent,andonlycontainedonce.Usefulforacustomizeddictionaryattack.FindText:Thiscommandisusedtosearchforaspecifiedstringofupto100ASCIIcharactersinthecurrentfile,diskorRAMsection(cf.SearchOptions).OnlysupportsthoseUnicodecharactersthatareinthe0x00...0xFFrange.ForamorepowerfulsearchvarianttrySimultaneousSearch.FindHexValues:Thiscommandisusedtosearchforasequenceofupto100two-characterhexvalues(cf.SearchOptions).ReplaceText:Usethiscommandtoreplaceoccurrencesofaspecifiedstringwithanotherstring(eachofupto100ASCIIcharacters),cf.ReplaceOptions.OnlysupportsthoseUnicodecharactersthatareinthe0x00...0xFFrange.ReplaceHexValues:FunctionsexactlyastheReplaceTextcommand,butisappliedtoasequenceofhexvalues(100atmost),cf.ReplaceOptions.CombinedSearch:Providesacomplexsearchmechanism.Inthecurrentandinasecondfileacommonoffsetissearched,whereeitherfilecontainsthespecifiedrespectivehexvalues.IntegerValue:Enteraninteger(withinthelimitsofthesigned64-bitintegerdatatype).Thisfunctionsearchesdatainthecurrentfile,whichcanbeinterpretedasthisinteger.Floating-PointValue:Enterafloating-pointnumber(e.g.12.34=0.1234*10^2=0.1234E2)andselectafloating-pointdatatype.Thisfunctionsearchesdatainthecurrentfile,whichcanbeinterpretedasthisfloating-pointvalue.TextPassages:Usethiscommandtolookforasequenceofletters(a-z,A-Z),digits(0-9)and/orpunctuationmarks.Itisusefulforinstanceifyouintendto

translatetextpassageshiddensomewhereinafilewithexecutablecode.Setthesensitivityofthesearchbyspecifyinghowlongacharactersequencemustbetoberecognized.Click"TolerateUnicodecharacters"inordertoforcethealgorithmtoacceptzerobytesbetweentwocharacters.ContinueGlobalSearch:Thiscommandisusedtocontinueaglobalsearchoperation(i.e.asearchoperationappliedtoallopenedfiles)inthenextfile.ContinueSearch:Letsyoucontinueasearchoperationinthecurrentfileatthecurrentposition.

NavigationMenuGoToOffset:Movesthecurrentpositiontothespecifiedoffset.Normallythisisdonerelativetothebeginningofthefile(offset0).Youcanalsomovethecursorrelativetothecurrentposition(forwardorbackward)orfromtheendofthefile(backward).Anoffsetcanbespecifiedinbytes(default),words(2bytes),doublewords(4bytes),records(ifdefined),orsectors.PressF11torepeatthelastpositionmovement.GoToPage/Sector:Browsestothespecifiedpage,sector,orcluster.NotethatthedataareaonFATdrivesstartswithcluster#2.TheGoToSectordialog,whenappliedtoaphysicaldisk,optionallyallowstojumptothedesignatedsectorwithintherespectivepartitionwindow,sothatyoucanimmediatelyseetheallocationstatusofthecorrespondingcluster.Onlyforordinarypartitions,notWindowsdynamicvolumesorLVM2volumes.GoToFATEntry/FILERecord:JumptoacertainentryinthefileallocationtableonaFATdriveortoacertainFILErecordinthemasterfiletableonanNTFSdrive,respectively.MoveBlock:Movesthecurrentblockselection(notthedatawithintheblock)forwardorbackward.Specifythedistanceinbytes.PressAlt+F11torepeatthelastblockmovement,pressShift+Alt+F11toreversethemovement.Thiscommandmayfacilitateeditingafilethatconsistsofhomogeneousrecordsofafixedlength.WinHexandX-WaysForensicskeepahistoryofyouroffsetjumpswithinafileordiskandallowtogobackandforwardinthechainlater.Forensiclicenseonly:WithBackandForwardyoucanalsoconvenientlygobacktoacertaindirectorybrowsersetting.Thistakesintoaccount:exploredpath,recursiveornon-recursive,sortcriteria,on/offstateofallfilters,settingsofsomeofthefilters,somedirectorybrowseroptions.TheBackandForwardcommandsalsoallowtoactivatethepreviouslyactivedatawindowagainwhenswitchingbetweenwindows.GoTo...BeginningOfFile:Displaythefirstpageofthecurrentfileandmovesthecurrentpositiontooffset0.

EndOfFile:Displaysthelastpageofthecurrentfileandmovesthecurrentpositiontothelastbyte(offset=filesize-1).BeginningOfBlock:Movesthecurrentpositiontothebeginningofthecurrentblock.EndOfBlock:Movesthecurrentpositiontotheendofthecurrentblock.MarkPosition:Marksthecurrentpositionandthusenablesyoutofinditagainlater.DeleteMarker:Removesthemarkerfromthescreen.GoToMarker:MovesthecurrentpositiontothemarkersetbyMarkPosition.PositionManager

ViewMenuTextDisplayOnly:Hidesthehexcolumnandusesthefullwidthoftheeditorwindowforthetextdisplay.HexDisplayOnly:Hidesthetextcolumnandusesthefullwidthoftheeditorwindowforthehexadecimaldatadisplay.CharacterSet:Selectacharactersetorcodepageforthetextdisplay.YoumayalsouseShift+F7totoggletheactivecharacterset/codepage.ThedefaultsettingisANSIASCII.Itusesthemostefficientanduncomplicateddisplaymethod,invokingonlythemostsimpleWindowsAPIfunctions,anditseemstoalwaysshowcharacterinterpretationsaccordingtocodepage1252,evenifregionalsettingsinWindowsaredifferent,ifinthefontselectiondialog(accessibleviaGeneralOptions)the"Western"scriptisselected.TobetterutilizewidescreenmonitorsandtoassistexaminersinparticularinAsia,whomayencountertextencodedinmanydifferentcharactersetsandcodepagesinthesamecase,itispossibletoseemultipletextinterpretationsofbinarydatainthehexeditor'stextdiplayatthesametimedependingonthelicensetype.ThisisalsousefultowalkthroughtherawdataofOutlookPSTfilesthatuseciphercoding,tobeabletoreadencodedANSItext,encodedUnicodetext,andtotallyunencodedtextatthesametime.PersonallicenseforWinHex:nomorethan1charactersetatatimeProfessionallicenseforWinHex:upto2charactersetsatatimeSpecialistlicenseforWinHex,X-WaysInvestigator:upto3charactersetsatatimeWinHexLabEdition,X-WaysForensics:upto4charactersetsatatimePleasenotethatanytextinputfromthekeyboardisinterpretedasbeingbasedontheANSIcodepagethatisactiveinWindows,exceptiftheprimarytextcolumnissettotheIBM/OEM/DOScodepage850(LatinI),inwhichcaseinputisbasedonthatcodepage.RecordPresentation:Wheneditingsubsequentdatarecordsofthesamesize(forinstance,tableentriesofadatabase)youmaynowhaveWinHexdisplayeveryotherrecordwithadifferentbackgroundcolor,asakindofvisualaid.The

colorcanbeselectedintheGeneralOptionsdialog.Also,WinHexofferstodisplaythecurrentrecordnumberandtheoffsetwithinthatrecord(relativeoffset)inthestatusbar,basedtherecordsizeandtheoffsetofthefirstrecordasspecified.Ifanyofthetworecordfeaturesisenabled,theGoToOffsetcommandallowsmovingthecurrentpositioninunitsofthecurrentrecordsize.Ifrelativeoffsetsareenabled,thePageDn/Upkeysmovethecursorinunitsoftherecordsize,exceptifyouholdtheCtrlkey.Show:TheCaseDatawindowispartoftheforensicuserinterfaceofWinHex/X-WaysForensicsandrequiredforworkingwithacase(whenhidingthewindow,thecaseisclosed).Thedirectorybrowserisavailableforlogicaldrives/partitionsopenedwiththediskeditor.TheDataInterpreterisasmallwindowthatprovides"translationservices"forthedataatthecurrentcursorposition.Thetoolbarisdisplayedoptionally,too.Atabcontrolmakeseacheditwindowaccessiblewithasinglemouseclickonly.Theinfopaneprovidesin-depthinformationonanyopenobject(file,disk,RAM).TemplateManagerTables:Providesfourconversiontables(cf.ANSIASCII/IBMASCII).Lines&ColumnsSynchronizeScrolling:Synchronizesuptofourtiledwindowsonidenticalabsoluteoffsets.HoldtheShiftkeywhenenablingthisfeaturetotilethewindowshorizontallyinsteadofvertically.Synchronize&Compare:Synchronizesuptofourwindowsandvisuallydisplaysbytevaluedifferences.Ifnomorethantwowindowsareinvolved,WinHexmaintainstheinitialdistancebetweentheoffsetsofthefirstshownbyteinthesewindowswhenscrolling.Notsynchronizingonabsoluteoffsetsisusefulforexamplewhencomparingtwocopiesofthefileallocationtable,whichareobviouslyatdifferentoffsets.Youmayjumptothenextortothepreviousbytevaluedifferencebyclickingtheextraarrowbuttonsthatareprovidedinoneofthetwoeditwindows.RefreshView:Redrawsthecontentsofthecurrenteditwindow.Incasethecurrentfilewasupdatedbyanexternalprogram,WinHexofferstodismissany

changesmadeinWinHexandreloadthefilefromscratch.Alsorefillsthedirectorybrowserifthedirectorybrowserhastheinputfocus.Usefulforexamplewhenafilterfortaggeditemsisactiveandyouremovethetagmarksofsomeofthelistedfiles,ifyouwishtoupdatethelistinginthedirectorybrowserandgetridofthosefilesthatarenolongertagged.

ToolsMenuOpenDiskCloneDiskExplorerecursively:Changesintoarecursiveviewforthedirectorythatiscurrentlylistedinthedirectorybrowserorbacktothenormalview.Arecursiveviewmeansthatnotonlyfileswillbelistedthatarecontaineddirectlyinthecurrentdirectory,butalsoallfilesinallsubdirectoriesofthatdirectoryandtheirsubdirectoriesetc.Forexample,thisallowstocopy/recoverselectedfilesfromdifferentpathsinasinglestep.FileRecoverybyTypeTakeNewVolumeSnapshot:Availableforpartitionswithoneofthesupportedfilesystems.WinHextraversesallclusterchainsandtherebygeneratesadrivemap.ThisenablesWinHextofillthedirectorybrowserandtodisplayforeachsectorwhichfileordirectoryitisallocatedto.ItisrecommendedtoinvokethiscommandagainafterfileoperationsonadrivetokeeptheinformationdisplayedbyWinHexuptodate.Cf.Securityoptions.InitializeFreeSpace:Confidentialinformationispossiblystoredincurrentlyunusedpartsofadriveasaresultofnormaldelete,copyandsaveactions.Freespaceonadrivecanbeinitializedforsecurityreasons.Thiseffectivelyoverwritesalldatainunusedpartsofthediskandmakesitimpossibletorecoverthisdata.Availableforpartitionsopenedasdriveletters.AvailableinWinHexonly,notinX-WaysForensics.InitializeSlackSpace:Overwritesslackspace(theunusedbytesintherespectivelastclustersofallclusterchains,beyondtheactualendofafile)withzerobytes.Thismaybeusedinadditionto"InitializeFreeSpace"tosecurelywipeconfidentialdataonadriveortominimizethespaceacompresseddiskbackup(likeaWinHexbackup)requires.Closeanyrunningorresidentprogramthatmaywritetothediskpriortousingthiscommand.AvailableinWinHexonly,notinX-WaysForensics.InitializeMFTRecords:OnNTFSvolumes,WinHexcanclearallcurrently

unused$MFT(MasterFileTable)FILErecords,whichmaycontainmetadata(e.g.names)andevencontentsofpreviouslyexistingfiles.AvailableinWinHexonly,notinX-WaysForensics.InitializeDirectoryEntries:OnFATvolumes,WinHexcanclearallcurrentlyunuseddirectoryentries,tothoroughlyremovetracesofpreviouslyexistingfilesorearliernames/locationsofexistingfilesfromthefilesystem.Usefulespeciallyinconjunctionwiththefunctiontoinitializeallfreespace.AvailableinWinHexonly,notinX-WaysForensics.ScanForLostPartitions:Formerlyexistingharddiskpartitionsthatwerenotautomaticallyfoundwhenopeningaphysicalharddisk(oranimageofaphysicalharddisk)maybefoundandproperlyidentifiedwiththiscommand.Thiscommandsearchesforthesignatureofmasterbootrecords,partitiontablesectors,FATandNTFSbootsectorsviathe0x550xAAsignatureplusforExt2/Ext3/Ext4superblocks,optionallyonlyfromthefirstsectorthatfollowsthelast(location-wise)partitionthatwasalreadyfound,andlistsnewlyfoundpartitionsinthedirectorybrowser.Workswithsectorsize512bytesonly.InterpretasPartitionStart:Whenyoufindthestartsectorofavolume(e.g.lostpartition)onaphysicaldisk,thismenucommandallowsyoutomakesuchapartitioneasilyaccessibleviatheAccessbuttonmenu.Ifnoknownfilesystemisdetectedstartingatthecurrentlydisplayedsector,youwillbeaskedforthenumberofsectorsthatyouwishtoincludeinthenewlydefinedpartition.SetDiskParameters:Usingthiscommandonaphysicaldisk,youmayoverridethetotalnumberofsectorsoroptionally(canbeleftblank)thenumberofcylinders,heads,andsectorspertrack(allpracticallymeaninglessnowadays).Thismightbeusefultoaccesssurplussectorsattheendofthedisk(incasethetotalnumberofaccessiblesectorswasnotdetectedcorrectly),ortoadjusttheCHScoordinatesystemtoyourneeds.Alternatively,youhavetheoptiontochangethedetectedsectorsizeofaphysicalharddiskorimage,asusedinternallyintheprogramforvariousnavigationandcomputationwork.Ifyoushouldadjustthesectorsize,thesectorcountisadjustedaccordingly.Forexample,ifyouchangethedetectedsectorsizefrom512bytesto4KB(i.e.youmultiplyitby8),thenthetotalnumberofsectorsisautomaticallydividedby8tokeepthesametotaldetecteddiskcapacity(assumingthecapacitywasdetectedcorrectly).

FileToolsOpenMemoryView:Availableonlywithaforensiclicense.Invokestheinternalviewer.ExternalPrograms:InvokesexternalfileviewingprogramssuchasQuickViewPlusetc.,asselectedintheOptionsmenu,andopensthecurrentfile.InvokeX-WaysTrace:AvailableonlyifX-WaysTraceisinstalled.Thissoftwarecananalyzethehistory/cachefilesofvariousInternetbrowsers.Calculator:RunstheWindowscalculator"calc.exe".Switchingtoscientificmodeishighlyrecommended.HexConverter:Enablesyoutoconverthexadecimalnumbersintodecimalnumbersandviceversa.SimplytypeinthenumberandpressENTER.Compare:Thiscommandisusedtocomparetwodatawindows(filesordisks)bytebybyte.Decidewhetherdifferentoridenticalbytesshallbereported.Youmayspecifyhowmanybytestocompare.Ifdesired,theoperationcanabortautomaticallyafterhavingfoundacertainnumberofdifferencesoridenticalbytes.Thereportcanbestoredasatextfile,whosesizemightotherwisegrowdramatically.Thecomparisonstartsattherespectiveoffsetsspecifiedforeacheditwindow.Theseoffsetsmaydiffer,suchthate.g.thebyteatoffset0infileAiscomparedtothebyteatoffset32infileB,thebyteatoffset1withtheoneatoffset33,etc.Whenyouselectaneditwindowforcomparison,thecurrentpositionwillautomaticallybeenteredinthe"Fromoffset"box.InX-WaysForensicsthereisalsoanoptiontooutputidentifieddifferentoridenticaldataareasassearchhits(1entrypermatchingarea)insteadofatextfile(1linepermatchingbyte),forconvenientreviewandnavigationrightwithintheprograminthesearchhitlist,similartoblockhashmatches.Thisoptionisonlyavailableifatleastthe2nddatasourceisanevidenceobject.Theresultcanbeseeninthesearchhitlistofthatevidenceobject.Usefulforexampleforuserswhowishtocomparecloneddiskswithminorchanges,iftheyhavedifferenthashesoroneofthemhasbeenusedalittlemore,toactuallylocatethedifferencesandbetterunderstandwhathascausedthem.UsefulalsotocomparecomponentdisksofahardwareRAIDlevel0systemoramirroredvolumes,to

checkwhethertheyarereallyabsolutelyidentical,andifnottoeasilyfindtheareasthatdiffer,seehowlargetheyare,whatkindofdatatheseareascontain,andassesswhetherthesecondcopyrequiresfulltreatmentitselfincludingcarving,keywordsearchesetc.Thereisanothercomparefunction:Youmaycompareeditwindowsvisuallyandsynchronizescrollinginthesewindows,withtheSynchronizeandComparecommand(Viewmenu).AnalyzeBlock/File/Disk:Scansthedatawithinthecurrentblock/theentirefile/theentirediskandcountstheoccurrencesofeachbytevalue(0...255).Theresultisgraphicallydisplayedbyproportionalverticallines.Thenumberofoccurrencesandthepercentagearedisplayedforeachbytevaluewhenmovingthemouseoverthecorrespondingverticalline.Usethiscommandforinstancetoidentifydataofunknowntype.Audiodata,compresseddata,executablecodeetc.producecharacteristicgraphics.Usethecontextmenuofthewindowtoswitchzerobyteconsiderationonoroff,toprinttheanalysiswindow,ortoexporttheanalysistoatextfile.Whenanalyzingsmallamountsofdata(<50,000bytes),thecompressionratiothatzlibachievesforthatdataisdisplayedintheanalysiswindowcaption,whichalsoallowstodrawconclusionsaboutthenatureofthedata.ComputeHash:Calculatesoneofthefollowingchecksums/digestoftheentirecurrentfile,disks,orthecurrentlyselectedblock:8-bit,16-bit,32-bit,64-bitchecksum,CRC16,CRC32,MD5,SHA-1,SHA-256,orPSCHF.HashDatabase

SpecialistMenuSpecialistlicenseonly.RefineVolumeSnapshotTechnicalDetailsReport:Showsinformationaboutthecurrentlyactivediskorfileandletsyoucopyite.g.intoareportyouarewriting.Mostextensiveonphysicalharddisks,wheredetailsforeachpartitionandevenunallocatedgapsbetweenexistingpartitionsarepointedout.UnderWindowsXP,WinHexalsoreportsthepasswordprotectionstatusofATAdisks.Forensiclicenseonly:WinHexisabletodetecthiddenhost-protectedareas(HPAs,a.k.a.ATA-protectedareas)anddeviceconfigurationoverlays(DCOareas)onIDEharddisksunderWindowsXP.Amessageboxwithawarningwillbedisplayedincasethedisksizehasbeenartificiallyreduced.Atanyrate,therealtotalnumberofsectorsaccordingtoATA,ifitcanbedetermined,islistedinthedetailsreport.SomeimportantSMARTstatusinformationisalsodisplayed,forharddisksconnectedvia[S]ATAthatsupportSMART.Usefultocheckforone'sownharddiskaswellasthatofsuspects.Forexample,youcanlearnhowoftenandhowlongtheharddiskwasusedandwhetherithashadanybadsectors(inthesensethatunreliablesectorswerereplacedinternallywithsparesectors).Ifaharddiskisreturnedtoasuspectandheorsheconsequentlycomplainsaboutbadsectorsandaccusesyouofhavingdamagedthedisk,adetailsreportcreatedwhentheharddiskwasinitiallycapturedcannowshowwhetheritwasalreadyinabadshapeatthattime.Also,seeingthatsparesectorsareinusemeansknowingthatthereisadditionaldatatogainfromtheharddisk(withtheappropriatetechnicalmeans).ThefollowingmetadataaboutBitLockerandBitLockerToGovolumesisoutput:Volumecreationtimestamp,textualvolumedescription,encryptionmethod,protectiontype,andvolumemasterkeylastmodificationtimestamps.BitLocker-relatedtimestampsarealsooutputtotheeventist.TheTechnicalDetailsReportalsochecksforcertainreadinconsistenciesthatcanoccurwithflashmedia(forexampleUSBstickofcertainbrands/models,butnotothers)indataareasthathaveneverbeenwritten/used,wherethedataisundefined.Thedatathatisreadinsuchareas,forexamplewhenimagingthemedia,maydependontheamountofdatathatisreadatatimewithasingle

internalreadcommand.Theresultismentionedinthereport.Ifinconsistenciesaredetected("Inconsistentreadresults!"inthereport),youwillseeamessagebox,whichofferstoreadsectorsinsmallerchunksfromthatdeviceaslongasitisopen,whichlikelyyieldstheexpectedzerovaluebytesinsteadofsomerandomlookingnon-zeropatterndatawhenreadingsuchareas.Useofthisoptiondoesnotgiveyoudatathatissomehowmoreaccurateororiginal(undefinedisundefinedanddoesnotmeanzeroedout)orcontainsmoreorlessevidence,itcanjusthaveabigimpactoncompressionratioachievedandreproducibilityofhashvalueswithothertools,whichmayusedifferentchunksizesforreadingandthusproducedifferentdataandhashvalues.NotethatitispossiblethatreadinconsistenciesoccurthatarenotdetectedbyX-WaysForensics,becauseacompletecheckwouldbeveryslow.Again,theseinconsistenciesarenotfatalandnotthefaultofthesoftware,andtheycanbeexplained.NotethattheTechnicalDetailsReportisroutinelycreatedalreadywhenyoustartdiskimagingwiththeFile|CreateDiskImagecommand,soyoudonotneedtoinvokethereportyourselfpriortoimaging.Thereisanoptiontoshowabyte-swappedversionofaharddiskserialnumberinadditiontotheserialnumberreportedthroughtheoperatingsystem,whenindoubt.Someusersofcertaininterferinghardwarewriteblockersmayfindthatuseful.InterpretImageFileAsDiskMountasDriveLetterReconstructRAIDSystemGatherFreeSpace:Traversesthecurrentlyopenlogicaldriveandgathersallunusedclustersinadestinationfileyouspecify.Usefultoexaminedatafragmentsfrompreviouslyexistingfilesthathavenotbeendeletedsecurely.Doesnotalterthesourcedriveinanyway.Thedestinationfilemustresideonanotherdrive.GatherSlackSpace:Collectsslackspace(theunusedbytesintherespectivelastclustersofallclusterchains,beyondtheactualendofafile)inadestinationfile.Eachoccurrenceofslackspaceisprecededbylinebreakcharactersandtheclusternumberwhereitwasfound(asASCIItext).OtherwisesimilartoGatherFreeSpace.WinHexcannotaccessslackspaceoffilesthatarecompressedor

encryptedatthefilesystemlevel.GatherInter-PartitionSpace:Capturesallspaceonaphysicalharddiskthatdoesnotbelongtoanypartitioninadestinationfile,forquickinspectiontofindoutifsomethingishiddenthereorleftfromapriorpartitioning.GatherText:Recognizestextaccordingtotheparametersyouspecifyandcapturesalloccurrencesfromafile,adisk,oramemoryrangeinafile.Thiskindoffilterisusefultoconsiderablyreducetheamountofdatatohandlee.g.ifacomputerforensicsspecialistislookingforleadsintheformoftext,suchase-mailmessages,documents,etc.Thetargetfilecaneasilybesplitatauser-definedsize.Thisfunctioncanalsobeappliedtoafilewithcollectedslackspaceorfreespace,ortodamagedfilesinaproprietaryformatthancannolongerbeopenedbytheirnativeapplications,likeMSWord,torecoveratleastunformattedtext.EvidenceFileContainersExternalVirusCheck:(Forensiclicenseonly.)Sendsallfilesoralltaggedfilesinanevidenceobject'svolumesnapshottoanexternalvirusscanner,optionallyonlyfileswithasizebelowacertainthreshold.Filesthatarelocked,deleted,orrenamedbythevirusscannerintheoutputdirectorywillbeaddedtoareporttablenamed"Virussuspected".Itistheresponsibilityoftheusertoverifythatavirusscannerisactive,thatitwatchesthefolderfortemporaryfiles,andthatitwillindeedlock,deleteorrenameinfectedfiles.Afterverifyingwhetherthefilehasbeenlocked,deleted,orrenamedexternally,X-WaysForensicsdeletesititselfifitstillexists.Bates-numberFiles:Bates-numbersallthefileswithinagivenfolderanditssubfoldersfordiscoveryorevidentiaryuse.Aconstantprefix(upto13characterslong)andauniqueserialnumberareinsertedbetweenthefilenameandtheextensioninawayattorneyslabelpaperdocumentsforlateraccurateidentificationandreference.TrustedDownload:Solvesasecurityproblem.Whentransferringunclassifiedmaterialfromaclassifiedharddiskdrivetounclassifiedmedia,youneedtobecertainthatitwillhavenoextraneousinformationinanyclusterorsector"overhang"spuriouslycopiedalongwiththeactualfile,sincethisslackspacemaystillcontainclassifiedmaterialfromatimewhenitwasallocatedtoa

differentfile.Thiscommandcopiesfilesintheircurrentsize,andnobytemore.Itdoesnotcopyentiresectorsorclusters,asconventionalcopycommandsdo.Multiplefilesinthesamefoldercanbecopiedatthesametime.

OptionsMenuGeneralOptionsDirectoryBrowserOptionsVolumeSnapshotOptionsViewerProgramsDataInterpreterOptionsUndoOptionsSecurityOptionsEditMode:AllowsyoutoselecttheeditmodeusedinWinHexglobally.(Theinfopane'scontextmenuallowstoselecttheeditmodespecificallyforanactiveeditwindow.)Editmodesexplained.

WindowMenuWindowManager:Displaysalldatawindowsandprovides"instantwindowswitching"functionality.Youmayalsoclosedatawindowsandsavechanges.SaveArrangementAsProject:Writesthecurrentwindowconstellation(opencase,opendatawindows,positionofthedatawindowsonthescreen,cursorpositionindatawindows,blockselection,...)intoaprojectfile.FromtheStartCenteryouwillthenbeabletoloadtheprojectandrestoreeditingpositionsineachdocumentatanytime,toconvenientlycontinueyourworkrightwhereyouleftitortobeginyourworkincaseofarecurringtask.CloseAll:Closesalldatawindowsandthusallopenfiles,disksandRAMsections.Ifyouhaveeditedanydata,youwillbepromptedforeachandeverydatawindowifthereareunsavedchangestothedatainit,soyoucandecidewhethertosaveortodiscardthose.CloseAllWithoutPrompting:Closesalldatawindowsandthusallopenedfilesanddiskswithoutgivingyoutheopportunitytosaveanychangestothedatainallthosewindows,withoutpromptingyouforeachandeverydatawindowthathaschanges.Asthisisapotentiallydangerouscommand(youmaylosealotofworkifyouhaveediteddatainmanydatawindows),therewillbewarningandyoucanstillabort.Youknowthatawindowwillbeshownfirstthatexpectsadditionalconfirmationbecauseoftheellipsisattheendofthecommandname,asistheconvention.Cascade/Tile:Arrangesthedatawindowsintheaforementionedway.MinimizeAll:Minimizesalldatawindows.ArrangeIcons:Thiscommandneatlyarrangesallminimizeddatawindowswithinthemainwindow.

HelpMenuContents:Displaysthecontentsoftheprogramhelp.Setup:Allowsyouswitchthelanguageoftheuserinterface.WithInitializeyoucanrestorethedefaultsettingsoftheprogram.Uninstall:UsethiscommandtoremoveWinHexfromyoursystem.ThisworksproperlyevenifyoudidnotinstallWinHexusingthesetupprogram.Online:Opensinyourbrowser,ifyouhaveanInternetconnection,theX-Wayswebsite,thesupportforum,thenewslettersubscriptionpage,andapagewhereyoucancheckyourlicensestatus,retrievethelatestdownloadlinksandgetupgradeoffers.Thereisalsoanoptiontocheckforupdatesonlineoccasionallyuponstart-upofthesoftwareoratanytimewhenyoulike.Thiscanreporttheavailabilityoflaterversionsornewservicereleasesofthecurrentlyusedversion(notpre-releaseversions)andallowtostartthedownload.DoesnotsendanydatafromwithintheprogramtotheInternet,forexamplenosystemoruserinformationordongleID,neitherdirectlynorencryptednoranonymized,ofcoursenocasedata,noteventhecurrentlyusedversionnumber,nothing.Thisoptionisactivebydefaultonlyiftheprogramdeterminesthatitisrunningontheuser'sownsystem(ifitisexecutedfromtheC:driveorifitwasinstalledusingthesetupprogram).Thecheckdoesnotoccurwhenrunningtheprogramforthefirsttime,sothatyoudefinitelyhaveachancetoturnoffthisoptionbeforeanythinghappens.GiventhefactthatmostsystemsonwhichX-WaysInvestigatorandX-WaysForensicsarerundonothaveanInternetconnection,thisoptionhasalimitedeffect.Clickontheversionnumberonthefarrightofthemenubar:Displaysinformationaboutthesoftwaresuchastheprogramversion,unlockstatus,howmuchfreespaceisavailabletoitonthedrivefortemporaryfilesandimagefiles,whethertheprogramisrunningwithadministratorrights,whethertheMSVisualC++2013RedistributablePackage(forthelatestversionoftheviewercomponentandDokan)isinstalledandifnotwhetheratleasttheMSVisualC++2005Packageisinstalled(forv8.5.2oftheviewercomponentandolder).SomeofthisinformationcanbeimportantwhenrunningX-WaysForensicsonalivesystem,i.e.asystemthatisnotyourownandthatyouwishtoexamine.

WindowsContextMenuTheWindowsshelldisplaysthecontextmenuwhentheuserclicksanobjectwiththerightmousebutton.WinHexispresentinthecontextmenuonlyifyouenabletocorrespondingoption.EditwithWinHex:OpenstheselectedfileinWinHex.OpenFolderinWinHex:LetsyouopenallfilesoftheselectedfolderinWinHex,justliketheOpenFoldercommandoftheFilemenu.EditDisk:OpenstheselecteddiskinthediskeditorofWinHex.IfyouholdtheShiftkey,insteadoftheselectedlogicaldrivethecorrespondingphysicaldiskisopened,ifany.WinHexprovidesitsowncontextmenusonthestatusbar,theDataInterpreter,andinthepositionmanager.

GeneralOptions1stcolumn:UnderWindowsVistaandlateritmayberecommendabletoalwaysrunWinHex/X-WaysForensicsasadministratorifyouneedsector-levelaccesstomedia.ThiscanberememberedbyWindowsintheregistryhiveHKEY_CURRENT_USERunder\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers,buthasnoeffectoninstallationsonremovablemedia.TheoptionAllowmultipleprograminstancesallowsyouexecutetoWinHexmorethanonceonasinglecomputeratatime.Ifnotchecked,WinHexmakesthemainwindowofthepreviousinstancetheforegroundwindowinsteadofcreatinganewprograminstance.Bydefault,thisoptionishalfselected.Thatmeansyouwillbegivenachoicewhenexecutingthe.exefileagain,whethertostartanewinstanceornot.Atthattimeyoumayalsotrytorecoverapreviousinstanceifcaughtinaninfiniteloop.Forexample,shouldX-WaysForensicsgetintoaninfiniteloopwhenprocessingacertainfileduringvolumesnapshotrefinement,thiscanpotentiallyhelpthealreadyrunninginstancebreakoutofthatloopandproceedwiththenextfile.Thesecondinstancealsoshowssometechnicalinformationaboutwhatthealreadyrunninginstanceisdoingatthemoment,andcandosoevenwithoutrecoveringasupposedlyhangingpreviousinstance.Terminatingapreviousinstanceisanotheroption,butofcourseshouldbeavoided,asdatalossmayoccur.Atstartup,WinHexcanoptionallyshowtheStartCenterorrestorethelastwindowarrangement(allwindowswiththeirsizesandthepositionsasyouleftthemintheprecedentWinHexsession).Bydefault,editwindowsarenotopenedinamaximizedstate.SpecifythenumberofrecentlyopeneddocumentstorememberandtolistintheStartCenter(255atmax.).Upto9ofthemarealsolistedattheendoftheFilemenu.DonotupdatefiletimemeansthatWinHexwillpreservethelastmodification

timewhenamodifiedfileissavedwithFile|SaveorSaveAs.Morecontextmenus:IffullycheckedoriftheShiftkeyispressedwhileright-clickingadirectoryintheCaseDatawindow,acontextmenuappearsthatallowstorecursivelyexploretheright-clickeddirectory(justlikewhennocontextmenuisshown),allowstotagthedirectoryrecursively(justlikewhenpressingtheSpacebar),toexpandthedirectoryrecursively(justlikewhenpressingthemultiplykeyofthenumerickeypad),tocollapseall,exportasubtreeintoanASCIItextfile,orcopytheentirepathofthatdirectoryintotheclipboard.IfatleasthalfcheckedoriftheShiftkeyispressedwhileright-clickingthehexeditordisplay,asuitablecontextmenuwillappearthereaswell.YoumayhaveWinHexappearintheWindowscontextmenu.Theshelldisplaysthecontextmenuwhentheuserclicksanobjectwiththerightmousebutton.WinHexprovidesmenuitemsforfiles,foldersanddisks.Ifthisoptionisnotfullyselected,thereisnomenuitemforfiles.A3-statecheckboxcanoptionallypreventWindowsscreensaversfromstartingandpotentiallyrequiringtore-enterthecurrentuser'spassword,eitheronlyduringoperationsthatshowaprogressindicatorwindow(ifhalfchecked)orgenerallywhiletheprogramisrunning(iffullychecked).Thisoptionhasaneffectnomatterwhetherthemainwindowisvisibleorwhethertheprogramisrunninginthebackground.Usefulforexamplewhenacquiringalivesystemofwhichyoudon'twanttolosecontrolduringimaging,orifyouwishtokeepaneyeontheprogressindicatoronyourownmachinefromanothercornerinyouroffice.Saveprogramsettingsin.cfgfile:Ifhalfchecked,thesettingsaresavedwhenevertheprogramterminates(cleanly).Iffullychecked,theneverytimewhenyouclickOKinanydialogwindow(couldbeusefuliftheprogramdoesnotterminatecleanly,toavoidthatyouloseyourlatestsettings).Iftotallyunchecked,theprogramsettingswillnotbesavedatall,exceptifyouholdtheShiftkeywhenexitingtheprogram,whichisnecessaryonceifyouwouldliketosaveinthe.cfgfilethesettingthatfromthenonthesettingsshouldnotbesavedagain.BydefaultWinHexnumbersdiskpartitionsintheorderoftheirphysicallocation.

IfAuto-detectdeletedpartitionsisenabled,WinHextriestoidentifyobviousdeletedpartitionsautomaticallyingapsbetweenexistingpartitionsandinunpartitionedspacedirectlyfollowingthelastpartition,whenopeningphysicalharddisks.SuchadditionallydetectedpartitionswillbelistedintheAccessbuttonmenuandmarkedasdeleted.Pleasenotethatdeletedpartitionsdetectedingapsbetweenexistingpartitionscausethepartitionnumberingtobechanged.E.g.anexistingpartition#3mightbecomepartition#4ifadeletedpartitionisdetectedonthediskbeforeit.TheSectorreadingcacheacceleratessequentialdiskaccessbythediskeditor.ThisoptionisrecommendedparticularlywhenscrollingthroughCD-ROMandfloppydisksectors,sincethenumberofnecessaryphysicalaccessesissignificantlyreduced.IfCheckforsurplussectorsisdisabled,WinHexwillnottrytosearchforsurplussectorswhenaphysicalharddiskisopened.Whenadditionalsectorsaredetected,WinHexwillrememberthemthenexttimeyouopenthedisk.YoumayenforceanewcheckbyholdingtheShiftkeywhileopeningthedisk.Checkingforsurplussectorsmaycauseverylongdelays,strangebehaviororevendamagetotheWindowsinstallationonsomeveryfewsystems.Thealternativeaccessmethod1forphysicalharddisksmayallowtoaccessharddisksformattedwithanunconventionalsectorsizeorothermediathatcannotbeaccessedotherwise.Notethatitmaybeslowerthantheregularaccessmethod.Ifconsiderablyslower,WinHexwillnotifyyouofthisandrecommendtoreverttothestandardaccessmethod.Accessmethod2affectsphysicalharddisksonlyaswell.Bothmethodsallowyoutospecifyatimeoutinmillisecondsafterwhichreadattemptswillbeaborted.Thiscanbeusefulondiskswithbadsectors,whereanattemptedreadaccesstoasinglesectorcouldotherwisecauseadelayofmanysecondsorminutes.Anotheroptionistoalwaysrequestuserinputforrawimagestoconfirmthekindoftheimage(volumeordisk),thesectorsizetoassumeandthepathforpotentiallyexistingadditionalimagefilesegments.ExactlywhathappensifyouholdtheShiftkeywhiletheimageinvokingimageinterpretationorwhileaddingtheimagetoacase.UsuallynotnecessaryiftheimagewascreatedbyX-WaysForensicsitself,butstillsomeremovablemedia(USBsticksandmemorycards)mayhavebeenusedandformattedasbothvolumeandpartitionedmediumatdifferenttimes.Insuchasituation,interpretationasavolumeandasa

partitionedmediummayrevealdifferentfilesystemsthatoverlapeachother.Thesurrogatepatternforunreadablesectorsisdescribedhere.2ndcolumn:Specifythefolderinwhichtocreatetemporaryfiles.BydefaultthatisthedirectoryindicatedbytheTEMPvariableinyourWindowssystem.Insteadofanabsolutepathyoumayalsospecifyadot(.)asaplaceholderforthedirectoryfromwhereWinHex/X-WaysForensicsisexecuted.Or..fortheparentdirectoryofthatdirectory.Orpartialpathrelativetoeitherthe.or..directory(e.g..\tempor..\temp).Thisconceptappliesalsotothenextfolders.Specifythefolderinwhichtocreateandexpectimagesandbackupfiles(.whx).Specifythefolderinwhichcasesandprojectsarecreatedandexpected.Specifythefolderinwhichtemplatesandscriptsarestored.SpecifythefoldersinwhichtomaintaintheinternalhashdatabasesandthePhotoDNAhashdatabase.Thehashdatabaseofblockhashvalues,ifusedatall,isstoredinadirectoryatthesamelevelasthefirstinternalhashdatabase,withthesamebasenameplus"[blockhashvalues]"appended.Inallofthesestandardpathsyoumayusesystemanduserenvironmentvariables,wherethevariablenamehastobeenclosedinpercentagesigns,e.g.%TEMP%X-WaysInvestigator[CTR]/X-WaysImagerGUI:Availablewhenoperatedwithaforensiclicense.AllowstoactivatetheconsiderablyreduceduserinterfaceofX-WaysInvestigator[CTR],whichismeantforinvestigators-whoarespecializedinacertainareae.g.ofwhite-collarcrime-whodonotneedprofoundknowledgeofcomputerforensics-whodonotneedtechnicalinsightsthatWinHexandXWFarewell-knowntooffer-whoreceivee.g.convenient-to-handleX-Waysevidencefilecontainersfrom

well-versedcomputerforensicsexaminerswithonlyselectedfilesfromvarioussources(e.g."alldocumentsthatcontainthekeywordsxandy"),withobviouslyirrelevantstuffalreadyfilteredout-whoneedtoreviewhundredsofelectronicdocuments,identifyrelevantones,addcommentstothem,identifylogicalstructuresandconnectionsbetweenthemwiththehelpoftheircomments,andprintdocuments,allwithinthesameenvironmentwithafewmouseclicks,whichsavesthetimetoextractandloadeachdocumentinitsassociatedapplication-whomayormaynotneedtoworkinanenvironmentseverelyrestrictedbythesystemadministratoranywayTheX-WaysInvestigatorinterfacelacksmanyadvancedtechnicaloptions,toallowforeasieraccesstonon-technicalpersonnel.X-WaysInvestigatorlicensesthatonlyallowtousethisGUIareavailableat50%theregularrateonrequest.Anoptionalfile"investigator.ini"controlsadditionalsimplificationsandadministrativesecurityprecautions,e.g.toallowuserstoopenevidencefilecontainersonly,andonlysuchcontainersthathavebeenclassifiedassecure.Youmayalsoselectoneofseveraldifferentdialogwindowandbuttonstyles.Inthe"Sleep(0)Frequency"childdialogwindowyoumayspecifyhowcooperativeX-WaysForensicsbehavesduringlongoperations(e.g.hashing,searching)whencompetingwithotherprocessesforCPUtime,bypressingShift+Ctrl+F5.0isthedefaultsetting(notspeciallycooperative).Youcouldtryvalueslike10,25,50,or100(maximumwillingnesstoshareCPUtime)e.g.ifX-WaysForensicsisexecutedsimultaneouslybydifferentusersonthesameserver,forafairerdistributionofCPUtime.IfyouselectShowfileicons,theiconsstoredinafileareshownintheinfopane.Ifafilecontainsnoicons,theiconofthefiletypeisshownifthisoptionis"fully"selected.OnlyforfilesopenedwiththeFile|Openmenucommand.Withaforensiclicense,youmaymonitorlengthyoperationsfromothercomputersinthesamenetwork,i.e.seewhethertheyarestillongoingorcompleted.Youcanenableprogressnotificationsviatextfiles(thatcanbecreatedinadirectoryonanetworkdrive)andviae-mail,inuser-definedintervals.Multiplerecipiente-mailaddressescanbespecifiedaswellifdelimitedbycommas.ThecorrectSMTPportisoften25,sometimes587.ThecorrectsettingsareprovidedbyyouradministratororInternetprovider.

3rdcolumn:TheENTERkeycanbeusedtoenteruptofourtwo-digithexvalues.Ausefulexampleis0x0D0A,whichisinterpretedasanend-of-linemarkerintheWindowsworld(Unix:0x0D).TheStartCentercouldthenstillbeopenedusingSHIFT+ENTER.DecidewhetheryouwanttousetheTABkeytoswitchfromtexttohexadecimalmodeandviceversaortoentertheTABcharacter(0x09).Inanycase,TAB+SHIFTcanbepressedtoswitchthecurrentmode.Non-printablecharacterswithacharactersetvaluesmallerthan0x20canberepresentedbyauser-definedothercharacter.Thebytesinthedisplaycanberepresentedascharactersinthetextcolumnonebyone,orWinHexcantrytocombinethem,whichiftheactivecodepageinWindowsisadouble-bytecharactersetmaybedesirabletogetthecharactersright(if2bytes=1character),orundesirablebecauseofthevariablerowlength.ThishasaneffectonlyifView|CharacterSet|*ASCIIisselected,asonlythenthecodepageactiveinWindowscanmakeadifferenceforthedisplay.Offsetscanbepresentedandpromptedforinadecimalorhexadecimalnotation.Thissettingisvalidfortheentireprogram.Whenusingthememoryeditor,itmaybeusefultohaveWinHexdisplaylogicalmemoryaddressesforprocessesinsteadofzero-based,linear,contiguouslycountedoffsets.Thisisalwaysdoneinhexadecimalnotation.ThedialogwindowoftheGotoOffsetcommandwillalsopromptforlogicaladdresses.Pageandsectorseparatorsmaybedisplayed.Ifthisoptionisenabledpartially,onlysectorseparatorsaredisplayed.Specifythenumberofbytesperlineinaneditwindow.Commonvaluesare16or32(dependingonthescreenresolution).Decidehowmanybytesshallbedisplayedinagroup.Powersof2servebestformostpurposes.

Thereisanoptiontodefinethesizeoftheextragapbetweenrowsinthehexeditordisplayinpixels,whichtogetherwiththeofficialheightoftheselectedfontdefinedthedistancebetweentherows.Thedefaultvaluehasalwaysbeen3beforev17.2,butnowitcanbedecreased,todisplaymorerowsatthesametimeandseemoredata.ForexamplewiththeCourierfontthedisplaystilllooksfinewithanextragapof1,butyousee15%moredata(basedonfontsize10).Evennegativevaluesarepossible.With-1youmaysee35%moredatathanbefore.SearchhithighlightinginFilemode:OptiontogetallsearchhitsinafilehighlightedinFilemodeatthesametime,eitheronlywhenasearchhitlistisdisplayed(ifhalfchecked)orpermanentlyoncesearchhitshavebeenloadedforanevidenceobject,i.e.evenwhenworkingwiththenormaldirectorybrowser(iffullychecked).Searchhitsareloadedafteranevidenceobjecthasbeenopenedassoonassearchhitsarelisted.Thisfeaturealsoappliestousersearchhits.Requiresforensiclicense.NTFS:MFTautocoloring:HighlightsthevariouselementsinFILErecordsoftheNTFSfilesystem,whenthecursorislocatedwithinsucharecord,tofacilitatenavigationandunderstanding.Requiresaspecialistorforensiclicense.AlsoautomatichighlightingofalignedFILETIMEvaluesinDisk/Partition/VolumeandFilemodeisavailable.UsefulwhenmanuallyinspectingfilesofvariousMicrosoftformatswhichmaycontainmoretimestampsthancanbeautomaticallyextracted(trye.g.withindex.dat,registryhives,.lnkshortcutfilesetc.).IfthelowerhalfofadatawindowhasthefocusandFILETIMEvaluesarehighlighted,youmayalsohoverthemousecursoroversuchavaluetogetahumanreadableinterpretationofthetimestamp.Alternatively,ofcourse,youcouldgetitfromthedatainterpreterifyouclickthefirstbyteofthevalue.Ifauto-coloringforFILErecordsetc.isfullychecked,FILETIMEstructuresarenowhighlightedevenifnotalignedata4-byteboundaries.Highlightfreespace/slackspace:Displaysoffsetsanddatainsoftercolors(lightblueandgray,respectively).Helpstoeasilyidentifythesespecialdriveareas.WorksonFAT,NTFS,andExt2/Ext3partitions.Requiresaspecialistlicenseatleast.Selectacolorusedasthebackgroundofthecurrentblock.Youcanonlychangethecoloriftheoption"UseWindowsdefaultcolors"isswitchedoff.

Selectacolorusedasthebackgroundofeveryotherfixed-lengthrecord,ifrecordpresentationisenabled.Selectthedefaultcolorfornewlycreatedannotations/positions/bookmarks.YoumaywantWinHextohighlightmodifiedbytes,i.e.displayalteredpartsofafile,disk,ormemoryinadifferentcolor,soyoucandistinguishbetweenoriginaldataandchangesyouhavemadesofar.Youmayselectthehilitecolor.Selectthecolorforslackspaceanduninitializedspace.Youmaychooseafontforthehexeditordisplay,anddecidewhetherthestandardWindowsGUIfontshouldbeusedfortheotherpartsoftheWinHex/X-WaysForensicsGUI(viaanadditionalcheckbox).--NotationOptionsChooseyourpreferreddate,time,andnumbernotationsettings.ThisisimportantespeciallytobeindependentoftheWindowsregionalsettingsoflivesystemthatyouwanttopreviewifyouareusingX-WaysForensicsonacomputerthatisnotyourownone.Youmayalsochoosetodisplayyearsindateswith2digitsonly.Thereisanoptiontooutputdatesinthedirectorybrowserandinsomeotherpartsoftheuserinterfaceinanicer,longerandmorelocale-specificnotation,whichcanincludetheweekdayandthenameofthemonthbasedinyourlanguageorinEnglish.Also,thatformatisUnicode-capable,whichallowsforexamplefororiginalChinesenotationofdates.Pleaseseehttp://msdn.microsoft.com/en-us/library/dd317787%28v=vs.85%29.aspxforacompleteexplanationofwhatkindofnotationispossible.Examplesofhowtorepresentthemonth(inEnglish):MMMM=April,MMM=Apr,MM=04,M=4.Exampleofacompleteformat:d/MMM/yyyy(ddd)=2/Apr/2014(Wed)Thereisanoptiontodisplaytimestampswithaprecisionofmilliseconds.Youmayspecifythenumberofdigitsafterthedecimalpoint(upto3).Usefulfor

thefilesystemsNTFS,Reiser4andFAT,whichprovideforahigherprecisionthansecondsinallorsometimestamps.Optionally,theactuallyusedtimezoneconversionbias,includingdaylightsavingwhereappropriate,canbedisplayedrightinthetimestampcolumnsinthedirectorybrowser.Filesizescanoptionallyalwaysbedisplayedinbytesinsteadofrounded.Ifthecheckboxishalfchecked,thatappliestoitemsinvolumesonly,otherwisealsoitemsonphysical,partitionedmedia.SHA-1andTTH192hashescanoptionallybedisplayedinBase32notationinthedirectorybrowser,ascommoninP2Pprograms.FactorysettingsofalloptionscanberestoredusingtheInitializecommandoftheHelpmenu.

DirectoryBrowserOptionsColumnsKeyboardshortcutsGroupingfilesanddirectoriesinthedirectorybrowserisoptional.X-WaysForensicsremembersthesortcriteriaandthisoptionseparately1)forthenormaldirectorybrowserofavolume,2)forthenormaldirectorybrowserofapartitioneddisk,3)forsearchhitlistsand4)foreventlists.Groupingexistinganddeleteditemsinthedirectorybrowserisoptional.Therearetwopossibilitieshowtousethisfeature.Eitherpreviouslyexistingfilesthatpotentiallyrecoverable(questionmarkicon)andknownunrecoverable(redXicon)areinternallygroupedaswell(sothatintotaltherewillbethreegroups)ornot(only2groups).Asmallsymbolwitheitheroneortwohorizontaldividersindicateswhetherthelistissplitupintotwoorthreegroups,alsointheheaderofthecolumnthatistheprimarysortcriterion,asasmallreminderthatwhenscrollinginthedirectorybrowserandwatchingoutforacertainfileforexamplebasedonitsname,youneedtocheckineverygroup,becausethesortingtakesplacewithineachgroupanddoesnotspanthegroups.Double-clickingadirectorywillexploreit.Double-clickinganordinaryfilewillviewit.Thisoptioncontrolswhetherfileswithchildobjectswillbetypicallyviewedorexploredonadouble-click.Ifthecheckboxishalf-checked,youwillbeprompted.Filescanoptionallybeopenedandsearchedincludingtheirslack.Themiddlestateofthischeckboxmakesadifferenceonlyforlogicalsearches(cf.thattopic).A".."itemcanbeoptionallylistedatthetopofthedirectorybrowserwhennavigatingwithinavolumefromonedirectorytoanother.Ifdisplayed,itisfrozenatthetopanddoesnotscrollalongwithalltheotheritems.Itshowsalltheinformationonthedirectorythatitrepresents(theonethatyouwouldnavigatetoifyoudouble-clickit),justlikewithalltheotheritemsinthedirectorybrowser.A"."itemisalsodisplayedoptionally,representingthe

currentlyexploreddirectory.Usefulifforexampleyouwishtoseecertainmetadata(e.g.timestamps)oftheparentobjectatthesametimeasmetadataofitschildobjects.Andifthe.or..itemisafileandyouselectit,thenyoucanseethatparticularfileinFile,PrevieworDetailsmode.AnditisrepresentedinGallerymode.Listingtherootdirectoryofavolumeinthedirectorybrowser,intherootdirectoryitself,actually,iskindofillogical,butcanbeveryhelpfultoseethatdirectory'stimestamp(ifany,dependsonthefilesystem)ortoquicklynavigatetoitsclusters(ifany,alsodependsonthefilesystem)orasanotherplacewheretoquicklytagoruntagallitemsinavolume.Listingtheinternalfilesofthefilesystemisoptionalinthenormaldirectorybrowser.Thisaffectsforexamplethevarious$*filesinNTFS.SpecificallyinX-WaysInvestigatorthosefilesarenolongerlistedastheyareirrelevanttonon-technicalexaminers(thetargetgroupofX-WaysInvestigator)andmightconfusethembecausetheyarenotfamiliarwiththemfromusingordinaryhigh-levelcomputersoftware.Listingsubdirectorieswhenexploringrecursivelyisoptional.Theymaybeneededifyouareinterestedintheirnamesortimestamps,buttheymaydistractyouwhenyouaremerelyinterestedinviewingfiles.Thatfiltersareappliedtodirectories,too,isoptional.Mostoftenusersemployfilterstofocusoncertainfiles,notdirectories,andtheymaystillneedthedirectorieslistedinordertobeabletonavigatetothefilesofinterest.Theselectionstatisticsaredisplayedbelowthedirectorybrowser(withaforensiclicenseonly).Ifcomputedinarecursiveway,theyrevealhowmanysubdirectories,filesandhowmuchdataarecontainedinadirectory(orfilewithchildobjects)whenyouselectitinthedirectorybrowser,exceptifyouhaveexploredrecursivelyalready,takinganyactivefiltersintoaccount.Ifthisoptionisnotenabled,thestatisticstellyouaboutthedirectselectioninthedirectorybrowseronly,notaboutthechildobjectsthatmayindirectlybeselected.Ifthisoptionishalfselected,thestatisticstakechildobjectsofdirectoriesintoaccount,butnotchildobjectsoffiles.Taggingorexcludingitemsinthedirectorybrowsercanoccurrecursivelyornon-recursively.Non-recursivelymeansthat

tagging/untagging/excluding/includingafileordirectoryinthedirectorybrowserhasnoeffectonparentorchildobjectsorparentdirectoriesorsubdirectories.Usefulforexampleifallchildobjectsofafileshouldbeprocessedinvolumesnapshotrefinementorsearched,butnottheparentobject.Ifitworksrecursively,thenitisnotpossibletohaveanuntaggedparentobjectwhosechildobjectsarealltagged.Iftherecursivetaggingoptionisinitsmiddlestate,thatmeansthatchildobjectsstillinheritthetaggedstatefromtheirparentatthemomentwhentheyarenewlyaddedtothevolumesnapshot,e.g.whenyouextracte-mailandattachmentfromataggede-mailarchive.WhethertaggingandexcludingworkrecursivelyornotcanalsobecontrolledbyholdingtheShiftkey.Taggingoruntaggingrecursivelycanbeveryslowinlargevolumesnapshots.Advancedsorting:Takes4to6timesmoretimethanthehighlyoptimizedstandardUnicodesorting(noticeablewhensortingmillionsoffiles),buthasseveralusefulsettingsandcharacteristics:-Language-specificcharacterequivalencerules(treatßlikess,treatésimilartoe,üsimilartouetc.)-Linguisticallyimprovedcaseinsensitivity-Specialtreatmentofhyphensandapostrophes(theyaretreateddifferentlyfromothernon-alphanumericcharacterstoensurethatwordssuchas"coop"and"co-op"staytogetherinasortedlist).-Treatdecimaldigitsasnumbers,e.g.sort"2"before"10"(notusefulforhexadecimalnotation,availableunderWindows7andlateronly)-Treathalf-widthandfull-widthcharactersthesame(full-widthcharactersaresometimesusedbyEastAsianswhenwritingEnglishlanguageletters)-Ignorekanatype(treatcorrespondingJapanesehiraganaandkatakanacharactersthesame)Advancedsortingdependsontheregionalsettingsofthecurrentlyloggedonuser.Forexample,ifregionalsettingsofaNordiccountryareactive,ÅcomesafterZ,asdefinedinthealphabetsofthatregion,otherwisenearA,asperhapsexpectedbynon-locals.AdvancedsortingrulesarealsoappliedwhensortingthesearchhitsbytheSearchHitcolumn.Thereisanoptiontosortsearchhitsbytheirdataandcontextinsteadofjustbythesearchtermstowhichtheybelong.Helpfulforkeywordsearches(nottechnical,e.g.hexvalue,searches).Indeedslowersincethedataandcontextofallsearchhitstosorthavetobereadandconvertedtoacomparablecodepage.SortingbythedatainsearchhitshelpsforGREPsearches.Itmakesadifference

onlyforGREPexpressionsthatmatchvariabledatabecauseforconstantsearchtermsthesearchtermsandthedataintheircorrespondingsearchhitsareidentical.Forexample,aftersearchingfore-mailaddresseswiththeexpression[a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7},sortingbythedataallowsyoutoquicklyidentifyandvisuallyskipgroupsofidenticale-mailaddressesorseesimilare-mailaddresses(startingwiththesamecharacters)nexttoeachother.Continuingsortingbythetextthatfollowstheactualsearchhitifthesearchhitdataisthesamewillshowidenticalorsimilartextpassagesnexttoeachotherandallowyoutomorequicklyreviewthesearchhitlist.Youcanspecifyhowmanycharactersofdataandcontexttotakeintoaccountforsorting.Themorecharacters,themorememoryisneededforsorting,whichcanmakeadifferencewhenlistingahugenumberofsearchhits.Optionally,afterstart-up,thedirectorybrowsercanbenotsortedatall,forperformancereasons.Thatmeanstheprogramwillforgetthelastsortcriteriainuselasttime.Ifselected,therewillnowalsobenosortingwhenturningoffallfilterswithasinglemouseclick,toavoidlongerdelayswhensuddenlyallfilesarelistedagainrecursively.Directorybrowsersettings(inparticularcolumnwidth,filtersettingsandsortorders)canbeoptionallystoredincasesandreactivatedwhenloadingcases(ifstoredbyacompatibleversion).Dynamice-mailandtimestampcolumnsletsX-WaysForensicsdecidewhethertoincludethecolumnsSenderandRecipientinthedirectorybrowser.Theywillbeincludedifatleastoneextractede-mailmessageisinthevisibleportionofthedirectorybrowser,otherwisenot.Helpfulbecausethatleavesmoreroomforothercolumnswhenthecolumnsexclusivelyfilledforextractede-mailmessagesarenotneeded.Thecolumnswithalternativetimestampcanalsobeshowndynamically,i.e.onlywhenitemsthathavesuchtimestampsinthevolumesnapshotaredisplayedinthevisibleportionofthedirectorybrowser.Optionally,thePathcolumncanshowthe"full"path,whichmeansincludingthenameoftheobjectitself.ThisisusefulforexampleifyouwishtocopysuchacompletepathdirectlyfromthePathcolumn,andcanalsobeusedtoachieveasortorderwherechildobjectsfollowtheirrespectiveparents(e.g.e-mailattachmentstheircontainingparente-mailmessages).The1stsectorcolumncanoptionallyshowphysicalstartsectornumbersfor

filesinpartitions(countedfromthestartofthephysicaldiskordiskimage)insteadoflogicalstartsectornumbers,ifthepartitionwasopenedfromwithinthephysicaldisk/diskimage.InthatcasethecolumnlabelcontainsaPinacircle(Pforphysical).Onlyforordinarypartitions,notWindowsdynamicvolumesorLVM2volumes.AnoptionexiststoshowthefiletyperanksintheTypestatuscolumn,whichalsocausessortingbythatcolumntosortbythoseranks.RanksaredefinedintheFileTypeCategories.txtfile.Aspecialfileiconforpicturesisavailable,veryusefulwhenyourmainfocusisonsuchfiles.Dependingonwhetherthecheckboxisfullycheckedorhalfchecked,symbolslikequestionmarks,arrows,scissors,hammers,etc.thatfurtherrevealthestatusofthefilegetssuperimposedadditionalornot.Ifnot,thatiseasierontheeye.YoucanstilltelltheexactdeletionstatusfromtheDescriptioncolumn,andtheroughdeletion/existencestatusisstillobviousfromthecontrastoftheicon.Conditionalcellbackgroundcoloringhelpstodrawyourattentiontoitemsofinterestwithouthavingtofilteroutallnon-matchingitems.Matchingitemsarefoundthroughasubstringsearchinthecellcontentsofaselectedcolumn.Substringexpressionsmaybeupto15characterslong.Youmayuseanasterisktomatchanythingexceptblankcells.Ifamatchisdetectedinacell,eitheronlythebackgroundofthatparticularcellcanbecolored(called"cell-targetedcoloring")ortheentireline.Tocoloranentirecolumn,regardlessofthecellcontents,activatecell-targetedcoloringforthatcolumnandspecifyanemptyconditionstring,i.e.noconditionatall.Ifacellmeetsmultiplecell-targetedconditionsormultipleline-targetedconditions,onlythefirstconditionofeachgroupwillbeapplied.Ifdifferentconditionsapplytothesamecell(onecell-targetedandoneline-targetcolor),thatcellwillbeshowninamixofbothcolors.Forline-targetedcoloring,onlythefirst255charactersintherespectivecellareguaranteedtobesearched.Conditionscannotbedefinedforsearchhitspecificcolumns,butforeventspecificcolumns.Thatcanproveusefulwhentryingtoidentifypatternsinevents.Forexample,youcouldcoloralleventsoftype"Programstarted"inredandlog-ineventsinyellowandseemoreeasilyhowfarapartfromeachothertheyare.Conditionalcellbackgroundcoloringiscase-specificif"Storedirectorybrowsersettingsincases"isselected.Thecolorsettingsarealsostoredinafile

named"ConditionalColoring.cfg",andtheyarestoredinandloadedfrom.settingsfilesalongwithotherdirectorybrowsersettings.Upto255conditionsmaybedefined.

Variouscolumnsareavailableinthedirectorybrowser.Theyarealloptional.Theyaredisplayediftheyhaveanon-zerocolumnwidthinpixels,orhiddeniftheirwidthiszero.Youcantogglecolumnvisibilitypurelywiththemouseifyoulike,byclickingthecolumnlabelinthedialogwindow.Itispossibletoredefinetheorderofthecolumnsinthedirectorybrowser.Thiswillalsochangetheorderofthefieldsinthecasereport(i.e.inreporttables),onprintcoverpages,inexportedfilelistings,andtheExport/Copylog.Youcanselectacolumnforrelocationbyclickingitsradiobutton.Thenusetheverticalscrollbarthatappearsatthetop.Youcanresetthecolumnordertothedefaultonebyright-clickingthatscrollbar.Inthelowerleftcornerofthedirectorybrowseroptionsyouwillfindabuttoninthisdialogboxthatallowstoundotheexclusionallfilesanddirectoriesinthevolumesnapshotoftheevidenceobjectintheactivedatawindow.Toselectivelyincludefiles,makesuretheyarenotfilteredout.Thenyoucanincludethemwithacontextmenucommandafterselectingthem.Thereisanotherbuttonthatallowstototallyremoveexcludeditemsfromthevolumesnapshotifirrelevant/notneeded,inparticularmeaninglessgarbagefilesfoundviaafileheadersignaturesearch.Thiswillrenderthevolumesnapshotsmaller,i.e.moreefficienttohandle,andsavemainmemory.UsefulalsoifyouwouldlikeX-WaysForensicstofindcertainfilesonceagainviaafileheadersignaturesearch,butforexamplelistthemwithadifferentdefaultfilesizeiftheoriginallyspecifieddefaultfilesizeprovedinadequate.Theremovaloperationisfasterifyoudeleteseachhitspriortoexecutingit.Aspartoftheremoval,internalIDsareshuffled,sotheydonotindicateanymoretheorderinwhichitemswereaddedtothevolumesnapshot.Excludeditemsthathavenon-excludedchildobjectsarenotremoved.Itishighlyrecommendedtoworkwithacopyofyourcasewhenusingthisfunctionality,e.g.producedwiththeSaveAscommand.

ViewerPrograms&GalleryOptionsHereyoumayactivatetheseparateviewercomponentandspecifythepathwhereitislocated(bydefault:subdirectory"viewer").ThepathmayberelativetothedirectorywhereX-WaysForensicsisexecuted(.),e.g.".\viewer"orrelativetotheparentdirectoryofthatdirectory,e.g."..\viewer".Iftheinternalgraphicsviewinglibraryisusedtoviewpictures,nottheviewercomponent,thenoptionallythepictureviewerwindowcanbeclosedautomaticallywhenanewpictureisviewed(if"Viewmultiplepicturessimultaneously"isnotselected).Inthatcaseanautoupdateoptionisavailablethatallowstoautomaticallyloadthenextpictureintothesinglepictureviewerwindowassoonasanewpictureisselected,onewayortheother,forexamplewithasinglemouseclickorwhendefiningareporttableassociationforthepreviewpictureorwhenpressingoneofthearrowkeys.Thisshouldbeusefulmainlywhenworkingwithmultiplemonitors,wherethepictureviewerwindowremainsonthe2ndmonitor.YoumayselectyourpreferredtexteditorandHTMLviewingprogram.TheHTMLviewerprogramcanbee.g.MSWordorNVU,i.e.aprogramthatcanbeusedtofurtheredittheHTMLcasereportstheX-WaysForensicscancreateautomatically.FormerelyviewingandprintingwerecommendInternetExplorer.Youcanalsospecifythepathofthe.exefileofMPlayer,aprogramthatallowsX-WaysForensicstoextractpicturesfromvideos.Ifmplayer.exeisfoundinasubdirectory\MPlayeroftheinstallationdirectoryofX-WaysForensics,itwilldefinedasthevideoextractionprogramandasanexternalviewerprogramautomatically.Relativepathsstartedwith.\or..\aresupported,where.standsforthedirectoryfromwhichX-WaysForensicsisexecutedand..itsparentdirectory.Pleasenotethatwecannotprovidesupportforexternalprograms.Youmayalsospecifyupto32customviewerprogramsthatcanbeconvenientlyinvokedfrominsideX-WaysForensicsviathedirectorybrowsercontextmenu.Alsoyoumayspecifywhichfiletypesyouprefertoviewintheprogramthatisassociatedwiththeirextensioninyoursystem,typicallyfiletypesthattheseparateviewercomponentdoesnotsupport.Thereisacheckboxlabelled"Appendtypeasextensionifnewlyidentified"checkbox.Allowstomoreeasily

getWindowstoruntherightprogramformisnamedfiles,fileswithoutextensionetc.Thepathsoftheseexternalviewerprogramsaredefinedinaseparatefile,namedPrograms.txt,sothatitiseasytoshareacollectionofexternalprogramsseparately,orkeepthemwhentakingoverallotherprogramsettingsfromsomeoneelse.Inthattextfileyoumayalsochangeabsolutepathstorelativepaths(with.and..),forprogramsthatareasportableasX-WaysForensicsitselfandthatyouwishtakealongonaUSBstickforanalysesoflivesystems.Analternativee-mailrepresentationisavailableinPreviewmode(alsointhecasereport).Attachmentsarenotlinkeddirectlyfromthiskindofe-mailrepresentationyetinPreviewmode.Thee-mailheaderscanoptionallybeexcluded(notRawmode).Usefulwiththestandarde-mailrepresentationifyouwouldliketoseemoreofthebodyofthee-mailwithoutscrolling.Youcanseesubject,sender,recipientanddatesalreadyinthedirectorybrowser,andattachmentsarelistedwhenexploringtheparent.emlfile.Crash-safetextdecoding:Ifenabled,textextractionfromcertainfiletypesforlogicalsearchesandindexingwillbedonebytheviewercomponentinaseparateprocess,suchthatiftheviewercomponentcrashesorbecomesunstable,itdoesnotrenderthemainprocess(X-WaysForensics)unstableorcauseittocrash.Ifthisoptionisonlyhalfselected,.emlfileswillnotbedecodedinthecrash-safemanner.Bufferdecodedtextforcontextpreview:Ifenabled,theresultofthetextextractionfromcertainfiletypesforlogicalsearchesandindexingwillbestoredbyX-WaysForensicsinthevolumesnapshotforreusewhensearching/indexingagain,tosavetime.GalleryOptionsGalleryscreenspaceisutilizedveryefficientlybecausethumbnailsarenotforcedtobesquares.Youcanspecifyyourpreferredthumbnailwidthandheightseparately,inpixels.Thespecifieddimensionswillbedynamicallyadjusted(increased)tobestfilltheavailablescreenspacewithoutpartialthumbnailsbeingvisible.Sincemostphotosandpracticallyallvideosareshotinlandscapeformat,youmaywanttoselectwidthandheightaccordingly(widthlargerthanheight)whenviewingpictures.Documentthumbnailscanoftenbefreelyadjustedtoanyrectangleshape,forexamplethoserepresentingwordprocessingdocumentsorspreadsheets,butnotpresentations.Formostdocumentsotherthan

presentations,portraitformatfeelslikeamorenaturalwayofrepresentation.Theaspectratioofthewidthandheightthatyouspecifyisdisplayedintheoptionsdialogtoquicklygiveyouaroughideahowcompatiblethemeasureswillbewithordinaryphotos,videosordocuments.Ifthecreationofthumbnailsforpictureswithinlarge(e.g.solidRAR)archivesforgalleryviewistooslow,youmaywanttodisableit.Thiswillalsodisablesearchhitcontextpreviewforsearchhitsinfilesinarchives.IflargeJPEGscontainembeddedthumbnailsandthosehavebeenincludedalreadyinthevolumesnapshotorifinternalthumbnailshavebeencomputedforlargepictures,thentheycanbeoptionallyusedasauxiliarythumbnailsinthegallerytorepresentthemainpicture.Thebenefitisthattheyareofcoursemuchquickertoloadthanthemainlargepicture.Alsovideostillsexportedfromvideoscanbeusedasauxiliarythumbnailstorepresentthevideo,evenallofthemdynamicallyrotatingiffullychecked.Thegalleryhasitsown"Dbl-click=ViewinsteadofExplore"3-stateoption,analogouslytothedirectorybrowser.Bydefault,double-clickingmeansViewinthegallery.Thereisanoptiontoviewfileswithasingleclickinthegalleryinsteadofwithadoubleclick.Usefulforexampleifyouwishtoviewcertainpicturesonaseparatemonitor,whereyoudonothavetoclosetheviewwindowtoseethegalleryagain,whennotviewingallpicturesoneaftertheother(forwhichthePageUporDnkeyismoreefficient).Anotheroptionallowstotagafilebyclickinganywhereinthethumbnail,notjustinthetagsquare.Thatmakesitmoreconvenienttotagalargenumberoffiles,andismorecomfortablethatselectingmultiplefileswhileholdingtheCtrlkey.Thegallerycanoptionallyshowthumbnailsforanyfiletypesupportedbytheviewercomponent,includingOfficedocuments,PDF,HTML,e-mails,andpicturesthattheinternalgraphicsviewinglibrarycannotdisplay(e.g..emf,.wmf,...).Youcanchoosebetweennormalandslightlyshrunkandstronglyshrunkthumbnailsofdocuments.Shrunkthumbnailsshowmuchmoredetailfromanoriginaldocumentandtheoriginallayout,butatthecostofreadability.Largerfonts(inparticularcaptions)inanoriginaldocument,ifnotshrunk,are

typicallyreadableinthethumbnailandcanalreadygiveyouanideawhatkindofdocumentitisevenifdon'tviewit,soyoucanmorequicklyfindthedocumentsthatyouarelookingfor.Plus,youwillbeabletoseewhichfilescanbenicelyviewedwiththeviewercomponentatall.ItisstronglyrecommendedrunX-WaysForensicswithAeroenabledinWindowswhenusingthegallerywiththenon-pictureoption.Filesthatarelargerthan16MBarenotrepresentedwithathumbnail,forperformancereasons.X-WaysForensicstriestoabortthegenerationofathumbnailifittakeslongerthanafewseconds.Ifthegenerationofatruethumbnailisunsuccessful,youmayseeaviewercomponenterrormessagelike"Operationcancelled"intinyredlettersinthethumbnailinstead.IfthumbnailgenerationisnotevenattemptedbyX-WaysForensics,youwilljustseethefilenameandanicon.Thumbnailsoftrue-colorpicturescanbeoptionallyconvertedtograyscaleimagesinthegallery.Thisoptionismeantforlawenforcementuserswhosejobistoreviewchildpornographyphotos,toreducethementalimpactandstresslevel.Thetimeoutinmillisecondswhenloadingpictureswiththeinternalgraphicsviewinglibraryisaborted(e.g.corruptorunsupportedorextremelylargepicturefiles),isuser-definable.Keepingtrackofviewedfiles

VolumeSnapshotOptionsTheseoptionscanbereachedviatheDirectoryBrowserOptions.Mostofthemtakeeffectwhentakinganewvolumesnapshot.ExtendedattributesinNTFSareoptionallyincludedinthevolumesnapshotaschildobjectsofthedirectoryorfiletowhichtheybelong,withthename"$EA"andmarkedintheAttr.columnwith"($EA)".Eitherallsuchattributes(iftheboxisfullychecked)oronlynon-residentones(ifhalf-checked,default).Ifnoneatall,theclustersthatbelongtonon-residentextendedattributesofexistingobjectswillbecoveredbythevirtualfile"miscnon-residentattributes"asbefore.Backgroundinformation:Microsoftusesextendedattributesonsystembinariesaspartofthesecurebootcomponents.Attackershavebeenusinglargeextendedattributestohidemalwareinsomehighprofilecases.Largeextendedattributesareflaggedautomaticallybyreporttableassociations.Includingloggedutilitystreams(LUS)inNTFSinnewlytakenvolumesnapshotsisoptional.EitherallLUScanbeincluded(iffullychecked)oronlynon-$EFSLUS(ifhalfchecked)ornoLUSatall.UsefulforNTFSvolumeswrittenbyWindowsVista,ifyouarenotinterestedin$TXF_DATALUS.DownloadedfilesinNTFScanbeconvenientlyrecognizediftheiralternativedatastream"Zone.Identifier"isrepresentedasareporttableassociationinsteadofasachildobjectinthevolumesnapshot.Thatmeansyoudonotneedtonavigatetothechildobjecttofindoutwhatthechildobjectmightbe."ZoneId=3"asthenameofthereporttableidentifiesfilesdownloadedfromtheInternet.Bydefault,allocatedclustersinFAT12,FAT16,FAT32,andexFATfilesystemsareskippedwhenreadingthedataofdeletedfiles.Thatmeansthatdataofdeletedfilesisnotnecessarilyassumedtobecontiguous,butassumedtooccupyasmanyfreeclustersfromthestartclusternumberasarenecessarytoaccommodatetheknownfilesize,whileskippingclustersthataremarkedasinusebyexistingfiles.Iftheendofthevolumeisreachedthatway,thenextfreeclustersaretakenfromthestartofthevolume,replicatingthebuilt-inlogicoftypicalFAT32filesystemdriverstorotatethroughthevolumeonthesearchforallocatableclusters.Thisoptionretroactivelychangestheassumptionaboutthestoragelocationoffilesthatarealreadycontainedinthevolumesnapshot,thus

changingthisoptionwillalsocausehashvaluestochangeiftheyarere-computed.IfyougetreaderrorsonaCD/DVD(e.g.becauseofscratchesonthesurface)whenthevolumesnapshotistaken,youknowthatnotallsectorswiththedatastructuresofthefilesystemarereadable.ListingtheISO9660filesystem'sdirectorytreeonCDsinadditiontoapossiblyalsoexistingJolietfilesystemcanbeusefulbecausethatmeansasecondchancetogetalldirectoriesandfileslisted,ifthecorrespondingdatastructuresofthesamedirectoriesarelocatedinreadablesectorsintheISO9660area.ParsingthejournalinExt3/Ext4filesystemswhentakingavolumesnapshotisoptional.ExtendedattributesinHFS+arenowoptionallyincludedinthevolumesnapshotaschildobjectsofthefilesordirectoriestowhichtheybelong(inX-WaysForensicsonly)dependingona3-statecheckbox.Iffullychecked,extendedattributesarepresentedaschildobjectsevenwhentheyhavebeenspeciallyinterpretedalreadybyX-WaysForensicsinternally.Ifhalfchecked(defaultsettinginX-WaysForensics),theyarepresentedaschildobjectsonlyiftheyarenotspeciallyinterpretedbyX-WaysForensicsassumingthattheusermightwanttocheckthemoutmanually.Forbetterresultswhenmatchinghashvaluesagainstspecialhashsets,onlytheinvariableheaderofloadedmodulescanbelistedinmainmemoryanalysis.ThereisanoptionforincrementalsnapshotcompletionwhendealingwithOSdirectorylistingsasevidenceobjects(whenyouaddadirectorytoyourcase).Ifselected,thevolumesnapshotinitiallyjustcontainsthecontentsofthetop-leveldirectory,anditisfurthercompletedonlyondemand,step-by-stepwhenyoumanuallyexploresubdirectories.ThisisexactlyhowtheWindowsExplorer/FileExplorerinWindowsworks,andusefulwhendealingwithslowandhugenetworkdrivesthatwouldtakealongtimeupfronttoscancompletely.Butit'sverydifferentfromtheusualapproachinX-WaysForensics,andwillobviouslypreventyoufromgettingacompletelistingofallfileswhenexploringrecursively,simplybecausethereisnoguaranteethatallfileshavebeenincludedinthevolumesnapshotyetuntilyouhaveexploredallsubdirectories.Ifatanytimeyoudecidethatyouwishtoincludethecontentsofacertaindirectoryinthevolumesnapshotrecursively,youcanusethe"Expandall"commandinthe

contextmenuoftheCaseDatawindow(right-clickingthatdirectory)orunselecttheoptiontocompletethevolumesnapshotondemandandthenexplorethatdirectory.Pleaserememberthatthemostconvenientwaytoexpandanentiresubtreeisbyclickingitsrootandpressingthemultiplicationkeyonthenumerickeypad(standardfeatureinWindows).Evidencefilecontainersofv18.8andlaterspecificallyrememberthevolumesnapshotrefinement(RVS)statusofthefilesthattheycontain,e.g.whetherstillimageshavebeencapturedalreadyfromavideoorwhetherembeddeddataalreadyhasbeenuncoveredfromafile.Ifyouchoosetoacceptandtrustthisstatus,thesefileswillnotbeprocessedagainifyoudecidetorefinethevolumesnapshotofthecontainer.YoumayoccasionallynotwanttoaccepttheRVSstatusoffilesincontainers,toavoidmissingsomething,ifyoususpectthattheoriginalexaminerdidnotapplyasthoroughsettingsasyouwouldorthattheymayhaveusedanolder,lesscapableversionofX-WaysForensicstoprocessthefiles.AdoptingtheRVSstatusisalsoamusttogetvideoswithinacontainerrepresentedinthegallerywithrotatingcapturedstillimages.-------------Inheritdeletedstate:Causesdeletedpartitionstopassontheirdeletedstatetoeverythingthattheycontain(filesanddirectories),anddeletede-mailarchivestopassontheirdeletedstatetoallthee-mails,directoriesandattachmentsthattheycontain.Thismayseemlogical,butresultsinalossofinformation,asdependingonthereferenceeverythingmaybelistedasdeleted,evenfiles/e-mailsthatfromthepointofthefilesystem/thee-mailarchivestillexistedwhenthepartition/filewasdeleted.Bydefault,thisoptionisnotselected,sothatX-WaysForensicsdistinguishesbetweenexistinganddeletedfilesande-mailsetc.evenindeletedpartitions/deletede-mailarchives,sothatmoreinformationisretained.Netfreespacecomputation:Allowsyoutoworkwithanadjustedvirtualfreespacefilethatisnetofclustersthatwereidentifiedasbelongingtopreviouslyexistingfiles,tominimizetheamountofspaceinfilesystemsthatisreadtwiceforlogicalsearchesandindexing.Afterchangingthisoptionorafterdiscoveryofmorepreviouslyexistingfiles,thevirtualfreespacefileisupdatedwhenitisopenednexttime,forexampleselectedinFilemodeorwhenitisthatfile'sturnduringalogicalsearch.Relativeoffsetsofsearchhitsinthisvirtualfilemaybecomewrongwhenitchanges(forexamplewhensomemoreclustersareallocatedtomoreidentifiedpreviouslyexistingfiles,sothatthenetfreespace

filebecomessmaller),sotheycannotbeusedtonavigatetothesearchhitsinFilemode.Onlyphysicaloffsetsofsearchhits,usableinPartition/Volumemode,areguaranteedtoremainvalid.Thevirtualfreespacewillbefrozenandnotchangeanymoreonceithasbeenindexed,oronceitgetschildobjects,i.e.usuallyfilesthathavebeencarvedwithinitmanuallyinFilemode,becausethosedependonunchangedrelativeoffsetswithinthevirtualfreespacefile.Optionally,filesonthelogicaldrivelettersA:throughZ:canbeopenedfromwithinthedirectorybrowserwiththehelpoftheoperatingsysteminsteadofwiththebuilt-inlogicatthesectorlevel.Pleasenotethatthisisforensicallysoundonlyforwrite-protectedmedia.Onwriteablemedia,MicrosoftWindowsmayupdate(i.e.alter,falsify)thelastaccesstimestampoffilesyouopen.Thebenefit,however,isthataccesstosuchfileswillbenoticeablyfasterinmanysituations,especiallyonslowmediasuchasCDsandDVDs,e.g.whenyoucomputehashesorskincolorpercentagesforfilesinavolumesnapshot,becauseMicrosoftWindowsemploysread-aheadmechanismsandentertainsafilecachingsystem.AnotherbenefitisthatfilesopenedwiththehelpoftheoperatingsystemareeditableinWinHex.Limitation:Filesonmulti-sessionsCDsandDVDscannotbereadthatway.Knownuninitializedportionsattheendofafileincertainfilesystemsthatremembersuchconditions(validdatalength<logicalfilesize)canoptionallybereadasbinaryzeroesinsteadofaswhateverdataisstoredintheallocatedclusters.ThismimicsthebehaviorofWindowswhenordinaryapplicationsopenfilesthroughtheoperatingsysteminsteadofreadingthecontentsofthefiledirectlyfromthesectorsinthevolume.Usefulforexampletoachievehashcompatibilitywithsuchapplications.Thisoptionnotablydoesnotapplytoreadoperationsforlogicalsearches,sothatlogicalsearchesremainforensicallythoroughandclustersallocatedtouninitializedportionsoffilesarestillsearched.Thisoptionhasanimmediateeffectevenonalreadyopenedfiles,forthenextinternalreadoperation.Youcanindicatewhetheryouareinterestedingettingfilesincludedinthevolumesnapshotwhoseclusters(andthereforedata)aretotallyunknown,withonlymetadata(e.g.justfilenameandpathand/ortimestamps),inExt*,XFS,Reiser*andNTFS.Iffullychecked,allpreviouslyexistingfilesofwhichmetadataonlyisknownwillbeincludedinavolumesnapshot.Ifnotcheckedatall,thosefileswillbeignored.Ifhalfchecked,onlyfilesforwhichmorethanjustthenameortimestampsareknownwillbeincluded,butnotdirectoryentry

remnantsinExt*orReiserfilesystems.Quicksnapshotswithoutclusterallocationspeedsuptakingavolumesnapshot(inparticularforthefilesystemsExt2,Ext3andReiserFS,andinparticularalsowhenthevolumesnapshotfilesarecreatedacrossaslowUSB1.1interfaceornetwork),however,causesWinHextoloseitsabilitytotelleachsectorsandclustersallocation(forwhichfileitisused).Youmayusethecommand"TakeNewVolumeSnapshot"oftheToolsmenutoupdatetheviewofavolume,e.g.afteruncheckingthisoption.WiththeoptionKeepvolumesnapshotsbetweensessionsenabled,allinformationonfilesystemsinopenedvolumescollectedbyWinHex(DiskToolsmenuand/orSpecialistmenu)remainsinthefolderfortemporaryfilesevenwhenWinHexterminates.WinHexcanthenreusethesnapshotsinlatersessions.Volumesnapshotsofevidenceobjectsinacasearealwayskept,regardlessofthissetting,inthatevidenceobject'smetadatasubdirectory.Keepmoredataofthevolumesnapshotinmemory,e.g.formuchquickersortingbytimestamps.

UndoOptionsTheavailabilityofthe"Undo"commanddependsonthefollowingoptions:SpecifyhowmanysequentialactionsaretobereversedbytheUndocommand.Thisoptiondoesnotaffectthenumberofreversiblekeyboardinputs,whichisonlylimitedbytheavailableRAM.Inordertosavetimeandspaceonyourharddisk,youcanspecifyafilesizelimit.Ifafileislargerthanthislimit,backupswillnotbecreatedandtheUndocommandisnotavailableexceptforkeyboardinput.AutomaticallycreatedbackupsfortheinternalusewiththeUndocommandaredeletedbyWinHexwhenclosingthefile,ifthecorrespondingoptionisfullyselectedIfitispartiallyselected,theyaredeletedwhenWinHexterminates.Chooseforallkindsofeditingactionswhethertheyshouldbereversibleornot.Incasetheyshould,aninternalbackupiscreatedbeforetheactiontakesplace.

SecurityOptionsBeforemodificationstoanexistingfilearesaved(i.e.beforethefileisupdated),youarebydefaultpromptedforconfirmation,butthisbehaviorcanbechanged.IfanyoftheoperationsRefineVolumeSnapshotandLogicalSearchcrasheswhenprocessingafile,X-WaysForensicswhenstartednexttimewilltell,whichfilewaslikelyresponsibleforthecrash,ifyouhaditcollectinformationforacrashreport.Iffullychecked,shouldvolumesnapshotrefinementcrashtheprogram,restartingtheprogramwillalsopointoutwhichsuboperationexactlywasappliedtotheproblematicfile(s)whentheprogramcrashed.Ithasnotbeentestedwhetherthisenhancedgranularityofloggingmightcauseanynoticeableslowdown.Theremaybemultiplecandidatesfortheproblematicfilethattriggeredtheinstabilityifmultipleworkerthreadswereactiveatthetimeofacrash.AllnoticesandwarningsoutputtotheMessageswindowcanoptionallybeautomaticallysavedinatextfile"msglog.txt"intheinstallationdirectory.Ifatthattimeacaseisactive,thenotice/warningwillbewrittentothemsglog.txtfileinthelogsubdirectoryofthatcaseinstead.Outputmessagesaboutexceptions:Determinestheverbosityoftheprogramincaseofexceptionerrors.Iftotallyunchecked,onlyexceptionerrorswithapotentiallyseriousimpact(likeconsiderablyincompleteanalysisresults)willbebroughttoyourattentionintheMessageswindow.Iffullychecked,allofthemwillbeoutput,eventhosethatoccurtypicallywithcorruptfilesonlyandhavenonegativeimpactonotheranalysisresults.Themiddlestateisareasonablecompromise.Regardlessofthisoption,exceptionerrorswillbenotedintheerror.logfile.UsetheoptionCheckforvirtualmemoryalterationtomakesuretheRAMeditorinspectsthestructureofvirtualmemoryeverytimebeforereadingfromorwritingtoit.Ifthestructurehaschanged,apossiblereaderrorisprevented.EspeciallyunderWindowsNTthecheckingmayresultinalossofspeed.Wheneditingthe"entirememory"ofaprocess,WinHexgenerallyneverchecksforalterations,evenifthisoptionisenabled.

Strictdriveletterprotection:Onlyavailablewithaforensiclicense.ActivebydefaultinX-WaysForensics.Ensuresthatsavingandeditingfilesisonlypossibleoncertaindriveletters,namelythosethatX-WaysForensicsevenwhenexaminingalivesystemcanassumearelocatedontheexaminer'sownmedia.Theyare:1)thedriveletterthathoststheactivecaseifoneisactive,2)thedriveletterwiththedirectoryfortemporaryfiles,3)thedriveletterfromwhichX-WaysForensicswasrunand4)thedriveletterthatcontainsthedirectoryforimagefiles.Thekeythatisrequiredforencryptionanddecryptioncanbeenteredinanormaleditbox.Optionally,youenteritblindly(asterisksaredisplayedinsteadoftheactualcharacters).Inthiscaseyouhavetoconfirmthekeyinasecondeditboxtodetecttypos.Bydefault,theencryptionkeyiskeptinmainmemory(inanencryptedstate)aslongasWinHexisrunningsothatyoudonothavetotypeitagainandagainifyouuseitseveraltimes.PossiblyyoupreferWinHextoerasethekeyafteruse.DecidewhetherornotWinHexshallpromptbeforeexecutingascript,oronlybeforeexecutingascriptviathecommandline.Optionally,checksumswithmulti-byteaccumulators(16-bit,32-bit,and64-bitchecksums)arecomputedbyte-wiseinsteadofaddingunitsthatareequivalentinsizetotheaccumulatoritself,e.g.4bytesfor32-bitchecksums.Bothvariantsexistinreallifeapplications.

InterpretImageFileAsDiskThiscommandintheSpecialistmenutreatsacurrentlyopenandactivediskimagefileaseitheralogicalvolume(potentiallywithasupportedfilesystem)orphysical(potentiallypartitioned)disk.Thisisusefulifyouwishtocloselyexaminethefilesystemstructureofadiskimage,extractfiles,etc.withoutassistancefromanyoperatingsystem.Ifinterpretedasaphysicaldisk,WinHexcanaccessandopenthepartitionscontainedintheimageindividuallyasknownfrom"real"physicalharddisks.ThesamefunctionalityisalsousedinternallywhenaddingimagestoacaseinX-WaysForensicsandre-openingthemlater.Itisalsopossibletointerpretspannedrawimagefiles,thatis,imagefilesthatconsistofseparatesegmentsofanysize.ForWinHextodetectaspannedimagefile,theareafewpossibilitiessupportedfornaming:1)Thefirstsegmentmayhaveanarbitrarynon-numericfilenameextension(e.g..ddor.img),andthenthesecondsegmentsmustbenamed.002,thethirdsegment.003,andsoon.2)Thefirstsegmentmayhaveoneofthesenumericfilenameextensions:.001or.0001or.000or.0000.Thefollowingsegmentsmustdirectlycontinuewithincrementingnumbersandtheexactsamenumberofdigits,eitherthreeorfour.Obviouslyallsegmentsmusthavethesamebasefilename(thepartofthenamebeforetheextension).TheCreateDiskImagecommandcanimagedisksandproducecanonicallynamedfilesegments.ImagesegmentationisusefulbecausethemaximumfilesizesupportedinFAT32filesystemsoronmediasuchasDVDisconsiderablylimited.Itmightalsohelpinriskreduction(thesmallerthesegments,thelesscatastrophictheamountoflostdataifafileislostduetofilesystemerrors)andmighthaveaperformancebenefit(iftheoperatingsystemmoreeffectivelybuffersfrequentlyrequiredimagedataifstoredinsmallersegments).InsomerarecasesWinHexmaybeunabletocorrectlydeterminethenatureoftheimage,i.e.whetheritisanimageofaphysicaldiskorofavolume,consequentlyinterpretsthedataintheimageinawrongway.Ifso,holdtheShiftkeywheninvokingthiscommand.ThatwayWinHexwillaskyouandnotdecideonitsown.ThatwillalsomakeWinHexpromptyouforthecorrectsectorsizeandinthecaseofrawimagesforanadditionalstoragelocationoffurtherimagefilesegments(incaseyouhadtospreadthemacrosstwodifferentdrives).Shouldtherebeanyproblemswithdetectingthefilesysteminavolume,you

mayholdtheShiftkeywhenopeningthevolumetoindicatethefilesystemtypeyousupposeinthevolume.Mode1andMode2Form1ISOCDimageswith2,352bytespersectorarealsosupported,iftheyarenotspanned,and(withaforensiclicense)alsomainmemorydumps.AlsoVMware'sVirtualMachineDiskimages(VMDK)canbeinterpretedanddynamicVirtualPCVHDimagesandVirtualBoxdiskimages(VDI)ofthedefaultsubtype"sparse"andthesubtypes"fixedsize"and"diff"(snapshots).Snapshotimagescanonlybeinterpretediftheparentisavailableandopenandinterpreteditselfbeforehand.VMDKimageswithESXiHostSparseExtents(alsoreferredtoas"Copy-on-WriteDisks"orCOWD),asusedbyESXiserverse.g.forvirtualmachinesnapshots,arenotsupported.Onlyallocatedareasinvirtualmachineimagescanbeedited.Withaforensiclicense,WinHexcanalsointerpret.e01evidencefiles,whichcanbecreatedwiththeCreateDiskImagecommand.Itisalsopossibletointerpretimagesofvariouskinds(rawimagesandmostVHD/VMDK/VDI)andnature(disk/volume)eveniftheyarestoredwithinotherimages(forensicdiskimagescreatedbyyourself),withoutcopyingthemofftheouterimagefirst,aslongastheydonotconsistofmultiplesegments.Thatcansaveaconsiderableamountoftime,especiallyifafterinterpretingthecontainedimageyoucanquicklyseethatitisnotreallyrelevant,andofcoursealsodrivespace.Firstright-clicktheimageinthedirectorybrowserandopenitwiththecontextmenu'sOpencommandinaseparatedatawindow.Afterthat,interprettheimageusingthecommandinthemainmenu.Andthen,oncethevolumesnapshothasbeentaken,ifyouthinkthattheimageisrelevant,youcanaddittotheactivecaseasusuallywiththe"Addtoactivecase"commandincontextmenuofthedatawindow'staborwiththeAddcommandintheCaseDatawindow'sFilemenu.ImagefileswithinTARarchiveshouldalsowork,whichishandyforVMDKvirtualmachinediskswithinOVAfiles(openvirtualizationarchivesinTARformat).ThenewerMicrosoftvirtualdiskimageformatVHDXisnotsupported.ToconvertVHDXimagestoVHD,youcanrunthefollowingcommandinthepowershellofanyHyperVsupportingoperatingsystem(Windows10,WindowsServer2012):Convert-VHD-PathX:\ExistingImage.vhdx-DestinationPathV:\ConvertedImage.vhd

Loose$MFTfilescanbedirectlyandconvenientlyinterpretedasiftheywereimagesofNTFSvolumes,togetatleastafulllistingofallfilesanddirectories,withtheirpaths,timestampsandattributes.It'spossibletoopenresidentfiles(fileswhosecontentsissmallenoughtofitintotheFILErecords),butnootherfiles,ofcourse.Usefulifinspecialsituationsallyouhaveisthe$MFT,nottheentirevolume.

CaseManagementTheintegratedcomputerforensicsenvironmentinWinHexcanbeusedwithaforensiclicenseofWinHexonly.Itofferscompletecasemanagementformultipleexaminerspercase,automatedlogandreportfilegeneration,andvariousadditionalfeaturessuchasgalleryview,filesignaturecheck,HPAdetection,andskincolordetectioninpictures.WhenstartingupWinHexforthefirsttime,youareaskedwhethertorunitwiththeforensicinterface.Thismeansthe"CaseData"windowisdisplayed,WinHexisruninViewmode,andyouareaskedtomakesurethefoldersfortemporaryfilesandforcasedataaresetcorrectly,inordertopreventWinHexfromwritingfilestothewrongdrive.Inordertoworkwithacase,makesurethe"CaseData"windowisvisibleontheleftofthemainwindow.Ifnot,enableView|Show|CaseData.FromtheFilemenu,youmaycreateanewcase(startfromscratch),openanexistingcase,closetheactivecase,savetheactivecase,backupthecasefileandtheentirecasefolderinaZIParchive(onlypossibleforfiles<4GB),orautomaticallygenerateacasereport.Youmayaddmediaasevidenceobjectstothecase,orimages(filesthatwillbeinterpretedlikemedia),ormemorydumps,ordirectoriesonyourowncomputer.Addingadirectoryinsteadofawholepartitionordiskcanbeusefulifadirectoryorafileofinterestresidesonadrivewithmanyirrelevantfiles,ifyoumerelywishtoview,hash,orsearchafewofthosefiles,checktheirmetadataorcopythemtoanevidencefilecontaineretc.Acaseisstoredina.xfcfile(xfcstandsforX-WaysForensicsCase)andinasubfolderofthesamename,justwithoutthe.xfcextension.Thissubfoldersanditschildfoldersarecreatedautomaticallywhenthecaseiscreated.YoumayselectthebasefolderforyourcasesinGeneralOptions.Itisnotnecessarytoexplicitlysaveacase,unlessyouneedtobesureitissavedatagiventime.Acaseissavedautomaticallyatlatestwhenyoucloseitorexittheprogram.Theonlyexceptioniswhenclosingthecasewiththe"CloseCase(don'tsave)"command.Forexampleifyouhaveaccidentallylostyourcarefullysettagmarks(byuntaggingall,withamisdirectedclickinthecolumnheader)orifyouaccidentallylostreporttableassociations(bypressingCtrl+0forallselectedfiles),itisimportanttoinvokethatspecialmenucommandassoonaspossible,

beforetheauto-saveintervalelapsesnexttime,toavoidthatthevolumesnapshot(s)willbesaved.Afterwardsyoucanopenthecaseagain,andfindeverythingasitwaslasttimewhenthecasewassaved,whichmeansthatonaverageyouwillonlylosehalftheamountofworkthatyougetdonewithintheauto-saveinterval,noteverything.Inthecasepropertieswindow,youmaynameacaseaccordingtoyourownconventions(e.g.titleornumber).Thedateandtimeyoucreateacaseisrecordedanddisplayed.Theinternalcasefilenameisdisplayedaswell.Youmayenteradescriptionofthecase(ofarbitrarylength)andtheexaminer'sname,theexaminer'sorganization'snameandaddress.Youmayenableordisabletheautomatedlogfeatureforthewholecase.Optionally,theevidenceobjectsubfoldersinthecasefolderarealwayssuggestedasdefaultoutputfoldersforfilesrecovered/copiedoffafilesystem.Youmaywishtodisablethatfeatureifyourpreferenceistocopyfilesfromvariousevidenceobjectsintothesameoutputfolder.Youmayselectuptotwocodepagesrelatedtothecase(moreprecisely:relatedtothelocalewheretheoriginalmediarelatedtothecasewereused).Thesecodepagesareusedwhennaming.emlfilesbasedonsubjectlines(.emlfilesextractedfrome-mailarchives).Ifbothcodepagesareidentical,thatdoesnoharm.IfidenticaltothecurrentlyactivecodepageinWindows,theydonothaveanyeffect.ThesecodepagesarealsousedtoconvertthefilenamesinziparchivestoUnicode.Theremaybefurtherusesinfutureversions.Casefilescanbepassword-protected.Thisdoesnotinvolveencryptionandisjustakindoflock.Ifthepasswordislostbyauser,casefilessavedbyX-WaysInvestigatorcanbeunlockedwithasuper-userpasswordifsuchapasswordhadalreadybeenenteredintheinstallationusedatthetimewhenthecasefilewassaved(undocumentedonrequest).Whencreatinganewcase,youhavetheoptiontomakeX-WaysForensicsrecognizeevidenceobjectsthatarephysicalmedia(notimages)bytheirownintrinsicproperties,notbytheWindowsdisknumber.UsingthisoptionwillpreventearlierversionsofX-WaysForensicsfromopeningthecase.TheadvantageisthatyoumayaddmultipleharddisksorexternalUSBdisksorstickstothecasethatareattachedtothecomputeratdifferenttimesandgetthesamedisknumberassignedbyWindows.AnotheradvantageisthatifthenumberofthesamediskasassignedbyWindowschanges,X-WaysForensics

willstillrecognizethedisk.Usefulespeciallyfortriage,whennotworkingwithimages.PleasenotethatX-WaysForensicsmaybeunabletorecognizeexternalmediaalreadyknowntothecaseifnexttimetheyareattachedthroughadifferenthardwarewriteblocker.Inthatsituationyoucanstillusethe"Replacewithnewdisk"commandintheevidenceobjectcontextmenutopointX-WaysForensicstothecorrectdisk.NotethatcomponentdisksofaninternallyreconstructedRAID(readdisks,notimages)arestillrememberedbytheWindowsdisknumberwhenre-openingaRAIDthatyouhaveaddedtoacase.WhenclickingthePasswords...button,thecase'spasswordlistsforencryptedgeneralpurposefilearchiveswillopeninyourpreferredtexteditorforediting.WhenclickingtheSIDs...buttonyoucanseeacollectionofallSID/usernamecombinationsencounteredinthatcase(gatheredfromSAMregistryhivesinallWindowsinstallationsonimages/mediaeveraddedtothecase).TheyareusedbyX-WaysForensicstoresolveSIDstousernameswhenworkingwiththatcase.EvidenceObjectsThemostpowerfulconceptinX-WaysForensics,thatallowstosystematicallyandcompletelyreviewfilesoncomputermedia,istheso-calledrefinedvolumesnapshot.Itispossibletorefinethestandardvolumesnapshotforallevidenceobjectsofacaseinonestep,andtosearchallevidenceobjectswithvolumesnapshotslogicallywiththehelpofthevirtualglobalcaserootwindow.Notethatitispossibletogenerateaflatoverviewofallexistinganddeletedfilesfromallsubdirectoriesonanpartitionorimagefileofapartitionbyrecursivelyexploringtherootdirectory.Inordertoexploreadirectoryrecursively(i.e.listitscontentsplusthecontentsofallitssubdirectoriesplustheirsubdirectories),right-clickthedirectoryinthedirectorytreeintheCaseDatawindow.Inordertotagadirectory,youcanclickitwiththemiddlemousebuttoninthedirectorytree.BackupsThecommand"Backup/Restore"intheCaseDatacontextmenuallowsyoutoconvenientlymakeabackupoftheselectedevidenceobject'svolumesnapshot.Backupscanberestoredatanylatertimewiththesamecommand,andtheycanalsobedeletedwiththesamecommand(right-clickaniteminthelistofbackupstogettheDeletecommand).Suchabackupislikeasnapshotofthevolume

snapshot.Usefulifyouthinkyoumightwanttoreverttoacertainprocessingstagelater(i.e.undochangestothevolumesnapshot),forexampleafterhavingcarefullytaggedthousandsfilesthatyoudon'twanttolose,beforerunningafileheadersignaturesearchwithexperimentalsettingsthatmightproducealotofgarbagefiles,beforeattachingexternalfileswithoptionsthatyouhadnevertriedbefore,beforerunninganX-Tensionmadebya3rdparty,beforetotallyremovingexcludeditemsfromthevolumesnapshotetc.Reporttableassociations,events,andsearchhitsarealsoincludedinthebackup.Searchhitscanberestoredfromabackuponlyifthesearchtermlistofthecasedidnotchangeinthemeantime.Indexesarenotincludedinthebackup,butcanbemanuallybackedup,ofcourse.Thesamecommandappliedatthecaselevel(right-clickthecasetitleinboldforthat)allowstomakeabackupoftheentirecase,coveringallevidenceobjects'volumesnapshots,allreporttables,events,searchterms,searchhits,indexes,imagefilepaths,etc.etc.Suchbackupscanberestoredfromthesamedialogwindow.SuchbackupscanalsobeopeneddirectlywiththeOpenCasecommandifnecessary,astheyarecompletecopiesofacase.(Backup.xfcfilearecreatedwiththe"hidden"attribute,though,astheyaremeanttobedealtwithwithinX-WaysForensicsonly.)Inordertocompletelydeleteacaseorthebackupofacasemanually,youneedtodeleteits.xfcfileandthecorrespondingdirectorywiththesamenameandallitssubdirectories.

Multi-UserCoordinationforLargeCasesAll cases created or opened with v17.5 and later offer enhanced multi-usersupport, where X-Ways Forensics distinguishes between different examinersworkingwiththesamecaseatdifferenttimesoratthesametimeandkeepstheirresults separate.Multi-user support is especially helpful for large cases.Casesopenedwithv17.5andlatercannotbeopenedwithearlierversions.Amaximumof 255 users (examiners) is supported per case. Examiners are recognizedinternallybytheirWindowsuseraccounts.Multiple users may open the same evidence objects in the same casesimultaneouslyforexamination.Bysamecasewemeanthesamecasefile,notacopy, stored in a shared network location or on a terminal server. X-WaysForensics is responsible for synchronizing report table associations, commentsand additions of files to the volume snapshot, and formaking users aware ofaccessconflictsbeforetheyoccurandpreventingtheminmostsituations.All related options can be found by clicking the button labelled "Multi-usersupport options" in the case properties dialog window. In particular, whencreatingthecase(andonlythen),youcanchoosetomakeX-WaysForensicsnotdistinguishbetweendifferentusers.Thatwouldbeusefulifyouknowthatonlyyouwillprocess thatcaseand ifyouwish toprocess itondifferentcomputerswhereyouhaveWindowsaccountswithdifferentSIDs,sothatyouwillalwaysbetreatedasthesameuser.Alsousefulifmultipleusersaregoingtoprocessthesamecaseatdifferenttimesandwishtosharealltheirresultsdirectly,asitwasthecaseinX-WaysForensicsbeforev17.5.Another multi-user support option coordinates certain kinds of accesses tovolume snapshots (related to adding items to the snapshot as well as editingcommentsandmetadata)morecarefully.Itmayhavesomeperformancebenefitsifdisabled.Disablingthissynchronizationisrecommendableonlyforcasesthataredefinitelyonlyprocessedby1useratatime.Reporttableassociationsandcommentsofdifferentexaminerscanoptionallybevisuallydistinguished, by showing the creating examiner's initials (default), or

alternatively other abbreviations of their names or (if no abbreviation isspecified)theircompleteusernames.Examinerscanchoosewhetherornottheygettoseereporttableassociationsofotherusersoronlytheirownassociations(or, ifhalfchecked,only theirownassociationsplus thoseofunknownusers).The same file can be associated with the same report table only by 1examiner. X-Ways Forensics imports and shows newly created report tableassociations of simultaneous other users in shared analysis mode when re-opening an evidence object or when case auto-save interval elapses or whenmanually invoking the Save Case command. The option to show initials forreporttableassociationsisrepresentedasa3-statecheckbox.Ifhalf-checked,ithas an effect on the directory browser only, not for the Export List orRecover/Copycommandforexampleandnotinthecasereport.X-Ways Forensics remembers the "tagged", "already viewed" and "excluded"statusoffilesseparatelyforeachexaminer.Youcanchoosetoadoptthe"alreadyviewed" status of files in volume snapshots from all other examiners whenopeningevidenceobjects.Thatisusefulifthegoalistoavoidduplicatework,ifyoudonotwish to review files thatwere reviewedbyanyofyour colleaguesalready.Pleasenotethatindividualfilestatuses("tagged","alreadyviewed"and"excluded") as well as search hits of other users are lost if one examinersremovesitemsfromthevolumesnapshot.Search hits and search terms are stored on a per-user basis as well. The firstexamineropeninganolder casewithv17.5or laterwill absorb the searchhitsandsearchtermsthatwerestoredinthecasebyv17.4orearlier.The"Multi-usersupportoptions"dialogwindowcontainsabuttonthatallowsyoutoimportthesearchhitsandsearchtermsofanotheruser.Anoptionisavailabletolimittheimportofanotheruser'ssearchhitstosearchhitsthataremarkedasnotableortothat user's manually defined search hits (so-called user search hits). Anotheroptionallows to takeaway thesearchhits fromtheotheruserwhen importingthem.Usefuliftheotheruserisgoingtoresumehisworklaterandwillwanttoimport your search hits back when he or she is taking over again, to avoidduplications of search hits, because your search hits include his or her hitsalreadyafteryouhaveimportedthem.Toviewall theresultsofacolleague(reporttableassociations,searchhits,tagmarked,alreadyviewedstatusof files,exclusionstatusof files),youcanopenthecaseinread-onlymodeashimorher.Forthat,trythe"Options..."checkboxwhenopeningacase.Youmaypreventyourcolleaguesfromopeningthecasein

read-onlymodeasyou.The "Options..." checkbox allows you to open a case in any of the followingthreemodes:

1) entirecaseread-only(casefileandvolumesnapshots),2) cooperativeanalysismode(abilitytoproducereporttableassociations,

comments,searchhithits,andvirtualfiles;tagfiles;rememberalreadyviewedfiles,excludefiles)

3) fullaccessIfthesameuserwishes toopen thesamecase(thesamecopy) inmore than1instanceoftheprogramsimultaneously,thatuserhastwooptions.Either

1) inthesecondinstancetheentirecase(includingevidenceobjects)isopenedasread-only,or

2) theuseropensthecaseasaseparate,fictitioususer(calledhisorher"alterego")withseparatefilestatuses,searchhits,reporttableassociationsetc.(shareduseofthecaseandtheevidenceobjectsiscoordinatedbyX-WaysForensicsexactlyasifthealteregowasareal,differentexaminer,eventhoughtheusernameisthesame).

The aforementioned "Options..." checkbox allowsyou at any time toopen thecaseasyouralterego,notonlywhenopeningthesamecaseinasecondinstanceoftheprogram.Italsoallowsyoutoopenacaseinsharedanalysismodeifitisnotopenanywhereelseatthemoment.Multiple users running searches, creating report table associations, entering orediting comments, editing extracted metadata, tagging files, excluding files,markingfilesasalreadyviewedisallsupportedforthesameevidenceobjectatthe same time. Removing items from a volume snapshot while the evidenceobjectisopensomewhereelse,however,isforbiddenandwillberefusedbytheprogram.Thegoalofthemulti-usercoordinationinv17.5andlateristosupportconcurrentanalysis/reviewworkbymultipleexaminers.Removing files fromavolume snapshot is not considered ordinary review/analysis work. Volumesnapshotrefinementsshouldbedonesystematicallyinadvance.The initials of the examinerwho has attached files to the volume snapshot ormanuallycarvedfiles inv17.5andlatercanbeseeninsquarebracketsnext tothefilename,sothatitiseasytotellwhohasintroducedsuchfilestothecase.

Technicalchangestothewayhowmultiplesimultaneouslyusersarecoordinatedarereserved.Tobeonthesafeside,pleasemakesurethatsimultaneoususersarerunningthesameversionofthesoftware.Lastnotleastv17.5allowsyoutoreviewtheprocessinghistoryofacaseinitsproperties.Thisrevealswhichversionswereusedonit(recordedonlybyv17.3SR-10andlater,v17.4SR-4andlaterandv17.5andlater)andbywhichusers(recordedonlybyv17.5andlater).Youmayturnoff"Coordinateprocessingbysimultaneoususersmorecarefully"forsomeperformancebenefitsthereisonlyuserofacaseatatime.Thereisanoptiontoalwayssuggestsharedanalysismodewhenopeningacase.Thatmodecanbeusefulevenforthefirstofmanysimultaneoususersthatopenthesamecasebecauseonlyinthatmodenewlycreatedreporttableassociationsare sharedout toother simultaneoususersat regularly intervals (dependingonthecaseauto-saveoption).AlternativeWaysofSharingAnalysisWorkOption#1:Multiplecomputerforensicexaminerscanworksimultaneouslywiththeirowncopyofthesamecasesimultaneously(alwayscopyboththe.xfcfileand the corresponding subdirectory) and exchange results with each other orreconcile all results in themain copy of the case, by exporting and importingreporttableassociations(i.e.theircategorizationofalltherelevantfiles,e-mails,etc.).Option #2: Potentially relevant files are copied from the original evidenceobjects to multiple evidence file containers. The containers are examined bydifferent investigators simultaneously in newly created cases (in X-WaysForensics or X-Ways Investigator). They also can export their report tableassociations,whichcanthenbeimportedbackintotheoriginalcase.Bothcommands,theexportandimportofreporttableassociations,canbefoundinthecontextmenuofthecasetree.Exportissupportedatthecaseandevidenceobjectlevel,importatthecaselevel.Thenamesoftheexaminers/investigatorscould be included in the names of the report tables if in the original case itshouldbeobviouswhocreatedwhichassociations.Pleasenotethatyoucannot

importreporttableassociationsintheoriginalcaseanymoreifyouhavetakenanewvolumesnapshotorifyouhaveremovedobjectsfromthevolumesnapshotin themeantime,because in that situation it isnotguaranteed that the internalIDsof the file remain the sameand thata reliableassociation ispossible.Theimportworksonlyifyouimport into thesameevidenceobject thatyouexportfrom.ThesameevidenceobjectinacaseinX-WaysForensics,oracopyofthesamecase.Itdoesnothelpifit'sthesameimageordiskinadifferentcase.Evenifitisthesamecaseandthediskorimagewasremovedfromthecaseandlateradded again, it will not be considered the same evidence object any more.However, you (e.g. as a user of X-Ways Investigator) can export from anevidence file container in a new case and have a user of X-Ways Forensicsimport the report table associations into the original evidence object in theoriginal case, fromwhich the files in the container originate. That is possiblebecause the evidence file container has information that allow to identify theoriginalevidenceobject.DistributedVolumeSnapshotRefinementX-WaysForensics allows to refine the volume snapshots ofdifferent evidenceobjects of the same case using multiple machines on the same network,simultaneously,tosavetimethroughparallelization.Eachuser/computeropens the same .xfccase file (the samecopyon the samecomputer). All participating users/computers or all except for one (themastersession)havetoopenthecaseaspartiallyread-only,i.e.onlyallowingforsharedanalysis work/distributed volume snapshot refinement. This can be done bychecking the Options box in the Open Case dialog window, or you will beprompted automatically when opening the case if the case if already open inanothersessionasnotread-only(i.e.inthemastersession).Othersessionswillseetherefinementresultsatlatestwhenrefinementhascompletedandwhentherespectiveevidenceobjectisre-opened.Thecasedoesnothavetobeclosedandre-opened.You have the option to specifically open individual evidence objects (not theentire case) with the volume snapshot treated as read-only, using a dedicatedcommandintheevidenceobjectcontextmenuintheCaseDatawindow.Pleasenotethatthishasnothingtodowithhowtheevidenceobjectitself(thediskortheimage) is treated.X-WaysForensicsneveraltersdata insectorsofdisksorinterpretedimagesfileswhenopeningthemasevidenceobject.Onlythevolume

snapshot, i.e. the databasewith information about all the files and directoriesfound,iseitherread-onlyor,andthatisthenormalstate,changeable.

EvidenceObjectsYoumayaddanycurrentlyattachedcomputermedium(suchasharddisk,memorycard,USBstick,CD-ROM,DVD,...),anyimagefile,directoryorordinarysinglefiletotheactivecase.Itwillthenbepermanentlyassociatedwiththiscase(unlessyouremoveitfromthecaselater),displayedinthetree-likecasestructure,anddesignatedasanevidenceobjectorsourceofevidence.Asubfolderiscreatedinthecasefolderforeachevidenceobject,wherebydefaultfileswillbesavedthatyoucopy/recoverfromthatevidenceobject,soitwillalwaysbeobviousfromwhichobjectexactly(andfromwhichcase)recoveredfilesoriginate.Ifyouwishtoaddmorethan1filefromthesamedirectorytothecase,pleaseaddthewholedirectory,justexcludeorremovethosefilesthatareirrelevant.Intheevidenceobjectpropertieswindow,youmayenteratitleornumberforthatevidenceobjectaccordingtoyourownconventions.Youmaychangetheorderofevidenceobjectsinthecasetreeusingthesmallarrowbuttonsintheupperleftcorner,exceptfor"dependent"evidenceobjects(partitionsthatbelongtoaphysicaldisk).Thedateandtimeitwasassociatedwiththeactivecaseisrecordedanddisplayed.Theinternaldesignationoftheevidenceobjectisdisplayedaswellasitsoriginalsizeinbytes.Youmayentercommentsofarbitrarylengththatapplytotheevidenceobjects,andatechnicaldescriptionofitisaddedbyX-WaysForensicsautomatically(asknownfromtheTechnicalDetailsReportcommandintheSpecialistmenu,plussomeessentialinformationaboutWindowsinstallations,iffoundinapartition).Youmayhavetheprogramcalculateoneortwohashes(checksumordigest)ontheevidenceobjectandverifythemlater,sothatyoucanbesurethatdataauthenticityhasnotbeencompromisedinbetween.Hashesstoredinevidencefilesareimportedautomaticallywhenaddedtoacase.Youmaydisabletheautomatedlogfeatureforaspecificevidenceobjectifthelogfeatureisenabledforthecaseasawhole.Toaddimagesormediatoacase.youcanusethe"Add"commandsinthecasedatawindow'sFilemenu.Whenaddingimages,youcanalsoselectthatthevolumesnapshotofnewlyaddedevidenceobjectsshouldberefinedimmediately.Anotherwayhowtoaddopenedimagesordiskstothecaseisthe"Add"commandinthecontextmenuofthedatawindow'stab.Thecommand"ReplacewithNewImage"inthecontextmenuofanevidence

objectallowsyoutoreplaceadiskthatisusedasanevidenceobjectinyourcasewithanimage(usefulifyoufirstpreviewthediskbeforeyouacquireit,i.e.createdanimageofit),withoutlosingyourvolumesnapshot,searchhits,comments,etc.CanalsobeusedtosimplytellX-WaysForensicsthenewpathofanimageincasetheimagewasmovedorthedriveletterhaschanged,oriftheimagefilenamewaschanged,orifthetypeoftheimagewaschanged(e.g.rawimagetobereplacedwithacompressedandencrypted.e01evidencefile).Inthecaseofaphysical,partitionedevidenceobjectitisrecommendedtoapplythiscommandtothatparentobject(i.e.thephysicaldisk).Thechangewillthenautomaticallyalsobeappliedtothechildevidenceobjects(i.e.partitions).Ifthenewimageisanimageofadifferentdiskoradifferentevidencefilecontaineroranevidencefilecontainerthathasbeenfilledfurther,i.e.ifthevolumesnapshotscannotmatch,youwilllikelygetawarningbecausethesizeofthenewimageisdifferentfromthesizeofthepreviousimage.Timeandagain,usersofX-WaysForensicstrytousethiscommandtoreplaceanevidenceobjectinacasewithadifferentevidenceobject,althoughthatdoesn'tmakeanysensebecausethatwaythetechnicaldescription,thevolumesnapshot,anysearchhits,commentsandreporttableassociationsdon'tfittheotherevidenceobject.Theseusersthentypicallycomplainthattheyreceiveanerrormessage.ThemessageisdisplayedbecauseX-WaysForensicsusuallynoticesbasedonthesizethatthenewimageisatotallydifferentimage.Ifyoudon'tneedevidenceobjectAanymoreinyourcaseandyouneedaddanevidenceobjectB,thenyoucansimplyremoveAandaddB.Thereisnoalternativetothat,andanalternativeisneitherreasonablenorrequired.Itispossibletoopenanevidenceobjectevenifthediskorimageisnotcurrentlyavailable,viaaspecialcommandintheevidenceobject'scontextmenu,toseeatleastthevolumesnapshot.Thatmeansyoucanseeallthefilemetadatastoredinthevolumesnapshot(filename,path,filesize,timestamps,attributes,etc.),canusemostfiltersetc.,butcannotseeanydatainsectorsandcannotopen/viewanyfiles.IntheCaseRootwindow,evidenceobjectscanbemarkedasimportantwithayellowflag,viathecontextmenuorbyhittingtheSpacebar.YouwillseethatyellowflagintheCaseDatawindowandwhenselectingevidenceobjects,forexampleforrecursiveexplorationfromtheCaseRootorwhengeneratingareport.InthepropertiesofevidenceobjectswithaFATfilesystemyoucanoptionally

definewhichtimezonethelocaltimestampsinthatfilesystemsarebasedon,ifyouhaveanidea/opinionaboutthat.Thattimezonedependsonthesettingsofthecomputerordevicethatwrotetothefilesystem.(Keepinmindthatthosesettingsmayhavechangedovertimeandthusasingletimezonemaynotbeadequatetogetalltimestampsright.)Ifyoudefinethetimezonereference,filesystemleveltimestampsarepresentedaccordingtotheselecteddisplaytimezoneandnotintheiroriginallocaltimeanymore.TheyareinternallyconvertedfromlocaltimetoUTC(basedonyourtimezonereference)andthenfromUTCtothedisplaytimezone,atthemomentwhenthetimestampsaredisplayed.Theeffectisnotpermanent,thereferencetimezonesettingscanbechangedatanytime.Thedefinitionofatimezonereferenceislostifyouopenacaseinversionsolderthanv19.3.WhencopyingfilesfromFATfilesystemstoanevidencefilecontainer,filesystemleveltimestampsofthesefilesareusuallymarkedinthecontainerasbasedonanunknownlocaltimezonesothattheywillnotbetimezoneadjustedwhenreviewingthecontainerinthefuture.Ifhoweveryouarecertainabouttheoriginaltimezoneanddefinethetimezonereferenceforthesourceevidenceobject,thetimestampsareconvertedtoUTCwithinthecontainerbasedonthereferencetimezoneandmarkedinthecontainerastimestampsinUTC,permanently.Inthatstatethetimestampslaterwillbeadjustedaccordingtotheselecteddisplaytimezone,evenifyouchangeyourmindandchangethereferencetimezoneinthesourceevidenceobject.Theevidencefilecontainerisself-containedandseparatefromthesourceevidenceobjectoncefileshavebeencopied.

CaseLogWhenenabledinthecaseandtheevidencepropertieswindow,WinHexobstinatelylogsallactivitiesperformedwhenthecaseisopen.Thatallowsyoutoeasilytrack,reproduce,anddocumentthestepsyouhavefollowedtoreachacertainresult,foryourowninformationandforthecourtroom.Thefollowingisrecorded:whenyouaselectamenuitem,thecommandtitle(oratleastanID),andthenameoftheactiveeditwindow,ifnotanevidenceobject,precededbythekeyword"Menu",whenamessageboxisdisplayed,themessagetextandwhatbuttonyoupressed(OK,Yes,No,orCancel),precededbythekeyword"MsgBox",whenasmallprogressindicatorwindowisdisplayed,itstitle(like"Recoveringfiles...")andwhethertheoperationwascompletedoraborted,precededbythekeyword"Operation",ascreenshotofeachdisplayeddialogwindowwithallselectedoptions,e.g.foracomplexoperationthatfollows,precededbythewindow'stitle,*theextensivelogproducedbyCloneDiskandFileRecoverybyType,yourownentries(freetext)thatyouaddwiththeAddLogEntrycommand,eithertothecaseasawholeortoacertainevidenceobject.Thedestinationpathofeachfilecopied/recoveredwiththedirectorybrowsercontextmenu,alongwithselectedmetadataofthatfile(e.g.originalname,originalpath,size,timestamps,...),isloggedinaseparatefilecopylog.htmlor"copylog.txt"inthe_logsubdirectory.Allactitivitiesareloggedwiththeirexactdateandtime,internallyinFILETIMEformatwith100-nanosecondintervalprecision.Logsarebydefaultassociatedwiththecaseasawhole.However,logsofactivitiesthatapplytoacertainevidenceobjectaredirectlyassociatedwiththatevidenceobject.Thisdetermineswheretheyappearinareport.ScreenshotsaresavedasPNGfilesinthe_logsubfolderofacasefolder.*If"Includescreenshotsinlog"inthecasepropertiesishalf-checked,thatmeansthatnoactualscreenshotsofdialogwindowswillbetaken,justasimpleASCIIrepresentationwillbestoredinthelog(thesamethatyougetwhenviaCtrl+C).ThesedetailsareincludedinaspecialwayintheHTMLoutput,sothattheydo

notdetracttoomuchfromthemainlogentries.Eithertheyareoutputinasmallerfontandgraycolor(if"Includescreenshotsinlog"isfullychecked)orsimplyasapop-upwhenhoveringwiththemousecursoroveraspace-savingplaceholderrectangle,asknownfromWindowsregistryreportsinX-WaysForensics(ifhalfchecked)ornotatall(ifnotchecked).Theplaceholderrectangleandpop-upworkbestwhenviewedinGoogleChrome,asthatbrowserdoesnottruncatethetextiflengthyandevenshowsapreviewofthefirstlineintheplaceholderrectangle.IfyouhaveX-WaysForensicstakeconventional(real)screenshotsofdialogboxesinthelog,pixelswiththegraybackgroundcolorcanbechangedtopurewhite,tosavetoner/inkincaseyouaregoingtoprintyourlogatsometime(anyway,pleasethinktwiceandsavepaper).

CaseReportYoumaycreateareportfromtheFilemenuoftheCaseDatawindow.ThereportissavedasanHTMLfileandcanthusbedisplayedandopenedinavarietyofapplications.Forexample,youmayviewitinyourfavoriteInternetbrowserandopenandfurtherprocessitinMSWord.TheapplicationtoopenthereportincanbespecifiedinOptions|ViewerPrograms.Ifnosuchprogramisdefined,thereportfilewillbeopenedintheapplicationthatisassociatedwiththefileextensiononyourcomputer.WiththeOpenReportcommandyoucanselectanyexistingfileandopenitinthedefinedorassociatedapplication.Thereportcanconsistofthefollowingelements:Basicreport:Startswithanoptionalheaderline,anoptionallogo,anoptionalpreface(inwhichyoumayuseHTMLcode),thecasetitleanddetails,followedbyalistofhyperlinkstotheindividualevidenceobjectsections.Foreachevidenceobject,thereportspecifiesitstitle,details,andtechnicaldescription,yourcomments,yourannotations.Ifonlyhalfchecked,technicaldetailsabouttheevidenceobjectsarenotincludedinthecasereport,theevidenceobjectsaremerelylisted.Reporttables:Allfilesinselectedreporttablescanbeoutputtothereport,withselectedmetadatasuchasfilename,path,timestamps,comments.Filescanbeoptionallycopiedofftheevidenceobjectsintoasubdirectoryofwherethereportissaved.Thentheywillalsobelinkedfromthereport.Eitherallfilescanbecopiedormerelypictures.Ifonlypictures,forvideosatleastthefirststillimage(ifavailable)willbecopiedandusedtorepresentthevideointhereport.Bydefault,pictureswillbedisplayeddirectlyintheHTMLreportfileandnotmerelylinked.Theyareresizedtothemaximumdimensionsyouspecifywhileretainingtheiraspectratio.Ifyouspecifymaximumdimensionsof0×0,thenthepictureswillonlybelinked,justasotherfiles.Ifyouchoosetooutputmultiplefilesinthesameline(torenderthereportmorecompactwhenprinting),youwillappreciatethatlongfilenamesandpathscanbeartificiallybrokenintomultiplelinesafterauser-definednumberofpixels,tomakesurethewidthdoesnotexceedthepapersize.Thereisanoptiontoonlymakeacopyoftaggedfilesforinclusioninacasereportinsteadofallornone.Usefulifyouwishtoreferenceallnotablefileswith

theirmetadatainyourreport,butshowonlyasubsetofthose.FilescanbeoutputeithergroupedbyevidenceobjectandsortedbyinternalIDorintheorderastheyarecurrentlylistedinthecaserootwindow,whereyoucanfreelychangetheorderthankstoupto3sortcriteria.Ifnofilesarecurrentlylistedinthecaseroot(becauseithasnotbeenexploredrecursively),thenthesecondoptionisgrayedout.Explorethecaserootrecursivelyfirsttomakeitavailable(right-clickit).Notethatifyouchoosethesecondoption,filesthatarenotlistedinthecaserootwindowwillnotbeoutput,eveniftheyarepartofareporttable.Thatmeansthatcurrentfiltersettingshaveaneffectonthegenerationofthereport,too.Iffilesareomittedbecausetheyarenotlistedinthecaserootwindowatthetimeofreportgeneration,youwillbenotifiedofthatinthereportandinamessagebox.Iftheboxtooutputreporttablesisonlyhalfchecked,thenonlythenumberofitemsineachreporttablewillbereported.Manydifferentsettingsallowtotweakthereporttoyourliking.Forexample,"NameoutputfilesafteruniqueID"willensurefilenamesthataresuccinct,unique,trackableandreproducible,andwillalsoensurethatifthesamefilesisassociatedwithmultiplereporttables,itwillbecopiedtothereportsubdirectoryonlyonce.Thatsavestimeanddrivespace."Listeachfileonlyonce"isa3-statecheckbox.Iffullychecked,nofilewillbereferencedinthereportbymorethanonereporttable.Notethatyoucanstillseeallreporttableassociationsofafilewhenitislistedinitsfirstreporttableinthereport,ifyououtputthefield"Reporttable".Ifthecheckboxishalf-checked,thatmeansthatafilewillstillbereferenced(listed)byadditionalreporttablesinthereportifithasmultipleassociations,butcopiedonlyonceandlinkedonlyfromthefirstreporttable.AspecialoptionallowstooutputthecompleteinternalmetadatafromafileinthecasereportasknownfromDetailsmode,inHTMLformat,insteadoftheextractedsubsetintheMetadatacolumninplaintext.Smallerversionsofpicturescanoptionallybegeneratedspecificallyforthereport,togreatlyreducethememoryrequirementsoftheInternetbrowserorwordprocessingapplicationwhenloadingtheHTMLreport,andtoaccelerateloading.Thiscanmakeabigdifferenceforreportswithmanyhigh-resolutionphotos.TheJPEGcompressionfactorisuser-definable.Theresolutiondependsonthespecified"maximumdimensionsofpictures".Thecheckboxthatrepresentsthisoptionisa3-statecheckbox.Ifhalfchecked,thesmallerversions

ofthepicturesareusedonlyforthepreviewdirectlyintheHTMLreport.Iffullychecked,evenwhenclickingthepictureinthereportyouwillonlyseethesmallerversion,andtheoriginallargerfileisnotincludedinthereportatall.Thiscanbebeneficialifyourmainconcernisthedrivespacerequirementofyourreportwithlinkedfiles,nottheoutputqualityofpictures.Thereportcanoptionallyalsoshowpreviews/thumbnailsofnon-picturefiles,e.g.Officedocuments,e-mails,webpages,programmingsourcecode,etc.etc.,similartothegallery.Youcanshrinkthepreviewrepresentationslightlyoralotornotatall,toeitherbeabletoreadsomeofthetextrightinthereportwithoutopeningthedocumentortogetabetterimpressionoftheoverallformattingofthetextandjustseelogosetc.Searchhitsthataremarkedforinclusioninthereportcanbeoutputoptionally,withtheircontexttotheleftandtotheright.File-relatedsearchhitsareoutputinthereporttablesectionabouttherespectivefile,alongwithalltheselectedfilemetadata,ifthefileispartofareporttableandthatreporttableisactuallyoutputinthereport.Ifnot,suchsearchhitscanbefoundinthesectionabouttheevidenceobjecttowhichtheybelong.Purelyphysicalusersearchhits(definedinDisk/Partitionmode,notFilemode)arealwaysoutputininthesectionabouttheevidenceobject.CaselogBydefault,thereportiscreatedfortheentirecase.Optionallyitiscreatedforselectedevidenceobjectsonly.ItisrelativelyeasytouseCSS(cascadingstylesheets)forcasereportformatdefinitions.InadditiontodefiningtheparametersforstandardHTMLelements,keyelementsofthereportareassigned"class"parameterstosimplifytargetingthoseforformattingpurposes.Examplestylesheetsareavailabletouseasabasisforfurthermodification.ThereportoptionsallowpickingoreditingaCSSfileaspartofthereportingprocess.Thedefaultis"CaseReport.txt".Thedefaultlookfromv18.0andearlierisstillavailableas"CaseReportClassic.txt".

ReportTablesInthedirectorybrowserofanevidenceobject,youcanassociatenotablefileswithreporttables.Areporttableisauser-defined(virtual)listoffiles,especiallynotablefiles.Filesassociatedwithreporttablescanthenbeeasilyincludedinthecasereportwithalltheirmetadataandevenlinks(picturescanbeincludeddirectly),andyoucanfilterbytheirreporttableassociationinarecursiveviewinordertoeasilylocatethesefileslater(likebookmarkingfiles).Thefiltercanreferencemultiplereporttablesatthesametime(withOR,ANDandNOToperators)andevenhasanoptionthatallowstoadditionallyincludesiblingsofthefilesofacertainreporttable,i.e.filesinthesamedirectory.Thatisuseful,especiallywhenexploringrecursivelyandsortingbypath,tocheckwhetherthereareanyfurthernotablefilesintheneighborhood.E.g.youcouldcreatereporttableslike"relatedtocompanyX","evidenceagainstsuspectA","incriminatingpictures","unjustifiedexpenses","forwardtoinvestigatorB","printlater","gettranslated","showtowitnessC"etc.,andlaterwhenyouaredoneviewingfiles,youcangetthebigpictureofallrelevantfilesbyusingthereporttablefilter(e.g."ShowmeallfilesrelatedtocompanyXthatarealsoconsideredevidenceagainstsuspectB").Youarepracticallyassigningfilestocertaincustomcategoriesdefinedbyyourself.Alsoallowsyoutorevisitfileslaterthatarestillbecloselyexamined.Havingfilesinadedicatedreporttablealsoallowstoconvenientlycopy/recovertheminasinglestepatalaterpointoftimeorgetagalleryoverviewofthesefilesspecifically.Thesamefilecanbeassociatedwithmultiplereporttables.ThiscanbedoneinthedialogwindowthatappearswheninvokingtheReportTableAssociationcommandinthedirectorybrowsercontextmenu,foronefileorseveralselectedfilesatatime.Thisdialogwindowdoesnotshowtheexistingassociationsoftheselectedfileorfiles(thatwouldbequitecomplicatedtoachieveanywayformultipleselectedfiles,insteadsimplylookatthe"Reporttable"column),butcreatesnewreporttableassociationsinaconvenientanduser-configurablewayand/orremovesexistingassociations.Theprogramremembersthereporttablesselectedlastforcreatingassociations.Inthesamedialogwindowyoucanalsocreatenewreporttables,renameordeleteexistingones,andremove/overridepreviousassociations.Foreachreporttableyoucanspecifywhetheryouwouldtypicallyliketoassociateonlytheselectedfileordirectorytothatreporttableand/oratthesametimetheselectedfile'sparentfile

(ifany)and/orthefile'sordirectory'schildobjectsand/oranyknownduplicatesoftheselectedfileinanycurrentlyopenevidenceobject(duplicatesthathavebeenidentifiedbasedonhashvaluesandmarkedaccordinglyintheAttr.column,seecontextmenu,aswellashardlinksexceptinHFS+).Anotheroptionallowstoautomaticallyassociatesiblingsofselectedfileswithreporttables.Usefulforexamplewhenreviewingsearchhits,ifyoufindarelevantsearchhitintheattachmentofane-mailmessageandwanttobesuretoincludeotherattachmentsofthesamee-mailmessageinfurtherprocessing,eveniftheydonotcontainsearchhits.Ifyouneedtocategorizealotoffileswiththehelpofreporttables,youcanalsousekeyboardshortcuts.X-WaysForensicsautomaticallyassignstheshortcutsCtrl+1,Ctrl+2,...,Ctrl+9toyourreporttables.Inthedialogwindowforreporttableassociationsyoucanalsoassigntheseshortcutstoreporttablesyourself,bysimplypressingthekeyswhileareporttableisselected.AlternativelyyoumaysimplypressthekeysinthenumericpadonyourkeyboardifNumLockisactive,withoutCtrl.ThiswillnotbeconsiderednormalinputinthedirectorybrowseralthoughtheCtrlkeyisnotpressed.Thenumpadkeysmaynotworkonallcomputers.Ctrl+0removesallreporttableassociationsfromtheselectedfiles.Alt+1,Alt+2,...,Alt+9removestheassociationswiththerelatedreporttablefromtheselectedfiles.Optionallythenextiteminthedirectorybrowsercanbeautomaticallyselectedafterassociatingoneitemwithareporttable.A3-statecheckboxallowsyoutodothateitherneveroronlyforassociationscreatedwithkeyboardshortcutsorforallassociationmethods.Youmayenterafreetextdescriptionforanyreporttable,byclickingthebuttonwiththe"properties"iconinthereporttableassociationdialog.Thedescriptionwillbeincludedinthecasereportifthereporttableisoutput.Usefulforsomeexplanationofwhatthereporttableisabout.Helpstokeepthereporttablenameitself,whichappearsatmanyplacesintheuserinterface,moreconcise.Thereisanoptiontocreatereporttableassociationsforfilesbasedonsearchtermsthattheycontainaccordingtothe"Searchterms"column.Usefulifyouwishtokeeptheinformationaboutwhichfilecontainswhichsearchtermsevenafterdeletingsearchhits,ortopreserveitinevidencefilecontainers.Reporttablesrepresentingcontainedsearchtermsarethe3rdkindofreporttables,the

firsttwobeingreporttablescreatedbyX-WaysForensicstomaketheuserawareofcertainfilespecialitiesanduser-createdgeneralpurposereporttables.Anotheroptionallowstoconvertmatchinghashsetstoreporttableassociations.Thiscanbeusefulforexampleifyouwishtorecreateyourhashdatabasefromscratchordeleteyourhashdatabase,anddonotonlywishtopreservethehashcategoryofknownfilesinthevolumesnapshot,butalsotheexactmatchinghashsetnames.Alsousefulifyouwishtoaddfilestoanevidencefilecontainerandwishtolettherecipientknowtheoriginalhashsetmatches,notonlythehashcategory.Theseauxiliaryreporttablesarehighlightedinadifferentcolortodistinguishthemfromotherkindsofreporttables.Associationswithhashsetbasedreporttablescanalsobecreatedontheflywhencopyingfilestoanevidencefilecontainer.Intotalthereare5differentkindsofreporttables:1)user-createdreporttables,whichmayormaynotbemeantforreportpurposes,2)reporttablescreatedbyX-WaysForensicstomaketheuserawareofspecialpropertiesoffiles,3)reporttablesrepresentingsearchtermsthatarecontainedinafile,4)reporttablesrepresentinghashsetsinwhichafilewasfound,5)reporttablesrepresentinggroupsofduplicatefiles.Toavoidabloatedlistofreporttablesavailableforselectionduringreportcreation,reporttablesarenowofferedinthatdialogwindowonlyiftheyareactuallyintendedforreportpurposes.Thatisassumedbydefaultforalluser-createdreporttables.Youcantogglethereportpurposeofeachreporttableinthereporttableassociationdialogwindow,byassigningorremovingthe"star"symbol.Itispossibletosaveandloadlistsofreporttablenamesinthereporttableassociationdialogwindow.Thisisusefultostartrightawaywithasetofpredefinedreporttablesastypicallyneededforacertainkindofcase.Themaximumnumberofreporttablesinacaseis1000.Reporttableassociationscanbeexportedandimported.SeeAlternativeWaysofSharingAnalysisWork.Inordertooutputreporttablestoareport(theoriginalpurposeofreporttables,hencetheirname),usetheCreateReportcommandintheCaseDatawindow.ReporttableassociationsarealsousedinternallyandcreatedautomaticallybyX-WaysForensics,tomaketheuserawareofvariouspotentialspecialtiesof

certainfiles.Itisuptoyouwhetheryouwishtofollowupandtakeacloserlookatthosefilesornot.Thenamesofinternallycreatedreporttablesaredisplayedasindentedandinadifferentcolor,toavoidmix-upwithyourownreporttables.Automaticallygeneratedreporttablesinclude:NodetectabletextualcontentsUnabletodecodetextForerrormessagesseeMetadataUnabletoexploreEmptyarchive?SpannedarchiveNoe-mailsfoundPathtoolong.Largenon-resident$EAAnimatedGIFAnimatedPNGMulti-pageTIFFMulti-pageJPEGmarkerPhonescreenshot?Zipbomb?NotfullyprocessedUnexpectedtail(SFX?)/Containsunknownsegment(SFX?)FSGPacker/PECompact/UPX/Unknownsegment/Binder?Containsembeddeddocument(s)Containsembeddedobject(s)ContainsembeddedfileContainshiddenfileHybridMSOfficedocument!RARhybridContainsembeddednon-JPEG/non-PNGpictureContainsinvisibleoldrevisionsConcatenated-PDFContainsprivatechunkNopicturesextractedReasonforcrash?UnsupportedfiletypevariantOmittedNotcopiedVirussuspectedUnabletoread

Notdecompressed

InternalViewerAvailablewithaforensiclicenseofWinHexonly.Theinternalviewercanbeinvokedwiththe"View"commandintheToolsmenuandinthedirectorybrowser'scontextmenu,plusinPreviewmode.Itshowspicturefilesofvariousfileformats(JPEG,PNG,GIF,TIFF,BMP,PSD,HDR,PSP,SGI,PCX,CUT,PNM/PBM/PGM/PPM,ICO,usinganinternalgraphicsviewinglibrary)plusthestructureofWindowsregistryfiles,WindowsEventLogs(.evtand.evtx),Windowsshortcutfiles(.lnk),WindowsPrefetchfiles,$LogFiles,$UsnJrnl:$J,Ext3/Ext4.journal,.ds_store,WindowsTaskScheduler(.job),$EFSLUS,INFO2,RestorePointchange.log.1,wtmpandutmplog-inrecords,MacOSXkcpassword,MacOSXfinderbookmarks(flnk),AOLPFC,OutlookNK2auto-completefiles,OutlookWABaddressbooks,InternetExplorertravellogfiles(a.k.a.RecoveryStore),SkypeChatSync,MSOutlookExpressDBXandmanymorefilesinternally.Ifyoutrytoviewafilethatisnotsupportedbytheinternalviewer,theseparateviewercomponentisinvokedinstead.Thereisanadditionalseparateviewercomponentthatintegratesseamlesslyandallowstoconvenientlyviewmorethan270(!)fileformats(suchasMSWord/Excel/PowerPoint/Access/Works/Outlook,HTML,PDF,CorelDraw,StarOffice,OpenOffice,...)directlyinWinHexandX-WaysForensics.ThiscomponentisincludedinX-WaysForensicsandX-WaysInvestigator.ItcanbeenabledinOptions|ViewerPrograms,optionallyalsoforpicturesthatcouldbedisplayedbytheinternalgraphicsviewerlibrary.Moreinformationonline.ThefolderfortemporaryfilesusedbytheseparateviewercomponentiscontrolledbyWinHex/X-WaysForensics,i.e.settotheonetheuserspecifiesinGeneralOptions.However,unlikeX-WaysForensics,theviewercomponentdoesnotsilentlyacceptunsuitablepathsonread-onlymedia.Pleasenotethattheviewercomponentsinceitsversion8.2createsfilesintheWindowsprofileofthecurrentlyloggedonuser,inwhichitstoresitsconfigurationandsettings.Inearlierversions,ifactuallyused,notwhenmerelyloaded,itleftbehindentriesinthesystemregistry.RegistryViewerMSWindowsmaintainsaninternaldatabasecalledregistrywhichcontainsallimportantsettingsforthelocalsystemandinstalledsoftwareinatree-likestructure.Thedataispersistentlystoredinfilescalledregistryhives.Youcan

openandviewhivesbydouble-clickingtheminthedirectorybrowserorusingthecontextmenu.Thiswillopenthemintheintegratedregistryviewer.SupportedformatsareNT/2K/XP/Va/7hives.Win9xandWinMehivescanonlybeloadedbytheregistryviewerofX-WaysForensics15.9andearlier.NT/2K/XP/Va/7hivesarelocatedinthefile"ntuser.dat"inauserprofileandinthedirectory\system32\config.Upto32hivescanbeopenedintheregistryvieweratthesametime.Theregistryviewerhastheabilitytofinddeletedkeysandvaluesinhivesthatcontainunusedspaceandlostkeys/valuesindamaged/incompletehives.Ifnocompletepathisknownforkeys,theywillbelistedaschildrenofavirtualkeycalled"Pathunknown".Witharight-clickapop-upmenucanbeopenedanywhereinthewindow,whichletsyouinvokethecommands"Search"and"ContinueSearch".Clicking"Search"invokesupadialogthatletsyouspecifyasearchexpressionandwhereyouwanttosearch.Youcanbrowseeitherkeysornamesorvaluesorallofthem.Thesearchalwaysstartsatthetopmostrootofthefirstloadedhiveandspansallopenedhives."ContinueSearch"findsthenextmatchafteratleastonematchhasbeenfound.Thecurrentlyselectedelementisnotrelevantforwherethesearchcontinues.The"searchwholewordonly"optionisnotguaranteedtoworkforvalues.Intheright-handwindowthepop-upmenualsocontainsthecommand"Copy"whichletsyoucopythevalueoftheselectedelementtotheclipboard.WhenclickingavalueofaloadedhiveintheRegistryViewer,ifthedatawindowwiththedrive/imagefromwhichthehivewasloadedisinFilemode,thecursorwillautomaticallyjumptotheselectedvalueintheregistryfile,andthevaluewillautomaticallybeselectedasablockinthatfile.Usefulasthatallowstoseethevalueinhexadecimalandtextandasthatallowstoeasilycopybinaryvaluesineitherbinaryorastext,notonlyashexASCII.TheExportListcommandintheregistryviewercontextmenuallowstoexportallvaluesintheselectedhivetoatab-delimitedtextfile.Whenselectingavalue,aneditwindowinthelowerrightcornertellsyouthelogicalsizeofthatvalueandthesizeofitsslack.Italsointerpretsregistryvaluesofthefollowingtypes,asknownfromtheregistryreport:MRUListEx,

BagMRU,ItemPos,ItemOrder,Order(menu),ViewView2,SlowInfoCache,IconStreams(Traynotifications),UserAssist,Timestamps(FILETIME,EPOCHE,Epoche8),MountedDevices,OpenSavePidlMRU,andLastVisitedPidlMRU.Theeditwindowalsodisplaystheaccessrights/permissionsoftheregistrykeysif(Default)isselected.Creatingregistryreportsautomatically$LogFileViewerBasicConcepts:Eachstatementfallsintooneofthethreecategories:1)Log-OperationTheon-diskdataat(LCN,Byteoffset)istobereplacedincaseofaRedo/Undo-Operationwiththeonespecifiedwithinthelogoperation.2)ThePAGEstatementindicatesthestartofanewlogpage(multipleof4KB).TheLSNspecifiesthelastendLSNforthispage.A*marksastalepage.3)TheCheckPointstatementspecifiesaLSNtorestartwith.Eachstatementispreceededbyanbyteoffsetpointingintothe$LogFile.Abbreviations:LSN=LogicalSequenceNumberLCN=LogicalClusterNumberVCN=VirtualClusterNumberFID=FileIDLimitations:Onlylogoperationsareshownwhichaffecton-diskstructures.FILErecordsandINDXbuffersarenotcompletelydumped.Forcompletedata,followthebyteoffsetdisplayedfortheoperationofinterest.AnNTFSjournalisonlyprocessedifthepathofsuchafilecontainthestring$LogFile.

RegistryReportFromwithintheregistryviewer,WinHexcancreateanHTMLreport,listingvaluesofpossiblyrelevantregistrykeys,whenyouinvokethecommand"CreateRegistryReport"intheright-clickpop-upmenu.Theregistrykeysthataretobereportedinallopenhivesaredefinedintextfileslikethepre-supplied"RegReport*.txt",whichcanbetailoredtoyourneeds.Theregistryfilesyouviewmusthavetheiroriginalnames,orelsethereportmayfail.Youmayeditthelistofregistrykeysinthisfilestotailorthereporttoyourownneeds.Standardtableshave4columns:description,extractedvalue,registrypath(providedasatooltip),andlastmodificationdateofthecorrespondingkey.Thedatesaredisplayedingrayforvaluesthatarenottheonlyvaluesintheirrespectivekey,asavisualaidtoremindthereaderthattheyarenotthemodificationdatesofthevaluesthemselves.Freespaceinregistryhivescanbeanalyzedwiththereportdefinitionfile"RegReportFreeSpace.txt".ThefreespacecanbeaslargeasseveralMB,especiallyasaconsequenceoftheuseofvirusscannersandregistrycleaningprograms.Deletedregistryvaluesarenowhighlightedinthereportinredcolor.AlsoregistryvalueslackhasarelevantsizeinNTUSER.DAThives.Thisfactisexploitedwith2measures:1)Iftheslackcontainstextstrings,itwillbeoutputintheregistryreport(ingreen).Thisnewfeaturecanoptionallybeturnedofftheregistryviewercontextmenu.2)Forvaluesthatcontainitemlists(i.e.arebinary)youcanusethe"RegReportFreeSpace.txt"definitionstooutputregistryreportwilloutputlistsoffilenameswithtimestampsingreen.Thefirsttimestampsisanaccessdate,thesecondoneisacreationdate.Ifnotimestampscanbeoutput,theseareartifactsfrom"RecentDocs".Formatofentriesin"RegReport*.txt"(type)(tab)(registrypath)(tab)(description)(linefeed=Chr(13)Chr(10))type:

??definitionforanyWindowsversionNTforWindowsNTthroughXPVTforWindowsVistaand7**newfunction(withoutabsolutepaths)FRqueryinfreespaceofthehiveregistrypath:FullpathofregistrykeysHKLM:HKEY_LOCAL_MACHINEHKCU:HKEY_CURRENT_USERIfanasterisk("*")isprovidedasthelastkey,allkeysonthesamelevelanddeeperandtheirvalueswillbeincludedinthereport.example:NTHKLM\Software\Microsoft\Windows\CurrentVersion\*reportwholeWindowsbranchIfyouwishtoreportaparticularvaluethatexistsinallsubkeysofacertainkey,youcanaswellwritean"*"forallsubkeysandincludethevalueafterthat.Thegeneratedreportcontainstheregistrypathwithitstimestamp,thefilenameoftheregistryhivethatthekeywasfoundin,thedescriptionthatwasprovidedinthe"RegReport*.txt"file,andthevalue.Thedescriptionfieldmaycontainanadditionalstatementattheendthatstartswitha%character.Ifthe%isfollowedbyanumericcharactern,then-thelementoftheregistrypathwillbeappendedtothedescriptioninthereport.Thiscanbeveryusefulifthepathandnotthevalue(ornotonlythevalue)containstherelevantinformation.Ifthe%isfollowedbyaletter,thevaluewillbepreferablyinterpretedasthedatatypethattheletterstandsfor.Thefollowinglettersanddatatypesaredefinedatthemoment:%fWindowsFILETIMEtimestamp%eEpoch(Unix)timestamp%EEpoch8(Unix)timestampasQWORD.%TWindowssystemtimetimestamp%sANSI-ASCIInull-terminated%SUTF16stringnull-terminated

%bbinarydatanottobeinterpretedascharacters(REG_BINARY)%PWindowsPIDLdatastructure%IItemPosdatastructure(coversShellBag,desktopshortcuts,andmore)%Bconditional:ifvalueTRUE%Fconditional:ifvalueFALSE%-noemptymode%+recursionofthesubtree%ivaluecase-insensitive%ddeletedvaluesonlyItisalsopossibletocombinenumericcharactersandletters(e.g.%10f).Inthatcasethenumericcharactermustprecedetheletter.//atthestartofalinecommentsoutthatline(willcauseittobeignored).##atthestartofalinewilloutputexplanatorytextintothereport.AdditionaloutputInasecondphaseofthecreationoftheregistryreport,additionaldatawillbeanalyzedandoutputastablesattheendoftheHTMLfile.Thespecificationsinthedefinitionfilewhichbelongtothissecondphasearemarkedwith"Dummy".Thiscausesthefirstphasetopreventanynormaloutput.Ifyouwouldliketogettheoutputofthefirstphase,youmerelyneedtochangethedescriptioninthedefinitiontoanythingotherthan"Dummy".Thetable"Attacheddevicesbyserialnumber"iscreatedaccordingtothealgorithmthatHarlanCarveydescribesinchapter4ofhisbook.Furthermoreyoucanfindthetables"Partitionsbydisksignature","Windowsportabledevices","Driversinstalled","Filesystemsinstalled","Servicesinstalled","Networks",and"Networkcards".Anothertableiscalled"BrowserHelperObjects",compiledwithdatafromthehivesNTUSER.DATandSOFTWARE,aboutbrowserusage."ExternalMemoryDevices"isatablewhichcanberetrievedfromSoftwarehivesofWindowsVistaandlaterthatlistsexternalmediawithaccesstimestamps,hardwareserialnumber,volumelabel,volumeserialnumberandvolumesize(sizeoftenonlyunderVista).Selectthedefinitionfile"RegReportDevices.txt"togetthetable.

SimultaneousSearchThissearchcommandintheSearchmenuisavailableforownersofspecialistandforensiclicenses,andoffersalloptionsonlyforownersofforensiclicenses.Thissearchissimultaneousinthatitallowstheusertospecifyavirtuallyunlimitedlistofsearchterms,oneperline.Theoccurrencesofthesesearchtermscanbesavedandlistedinanevidenceobject'ssearchhitlist(forensiclicenses,whenworkingwithacase),orinthegeneralPositionManager.Youmayusethesimultaneoussearchtosystematicallysearchmultipleharddisksordiskimagesinasinglepassforwordslike"drug","cocaine",(streetsynonym#1forcocaine),(streetsynonym#2forcocaine),(streetsynonym#3forcocaine),(streetsynonym#3forcocaine,alternativespelling),(nameofdealer#1),(nameofdealer#2),(nameofdealer#3)etc.atthesametime.Thesearchresultscannarrowdowntheexaminationtoalistoffilesuponwhichtofocus.Thesimultaneoussearchcanbeusedtosearchphysicallyinsectorsorlogicallyinfileorinapreviouslycreatedindex.Physically,itsearchesthesectorsonamediuminLBAorder(exceptifyousearchupwards,theninreverseorder).IfyoudonothaveWinHexlistthehitsofaphysicalsearch,youmayusetheF3keytosearchforthenexthit.Logically,thesearchproceedsfilebyfile,whichispreferableandmuchmorepowerfulandthorough.Moreaboutthelogicalsearch.Youcansearchthesamesearchtermssimultaneouslyinupto6codepages.Thedefaultcodepage,thatisactiveinyourWindowssystem,ismarkedwithanasteriskandinitiallypreselected.E.g.oncomputersintheUSandinWesternEurope,theusualdefaultcodepageis1252ANSILatinI.Thecodepagesnamed"ANSI"areusedinMicrosoftWindows."MAC"indicatesanAppleMacintoshcodepage."OEM"indicatesacodepageusedinMS-DOSandWindowscommandprompts.Ifasearchtermcannotbeconvertedtothespecifiedcodepagebecauseofcharactersunknowninthatcodepage,awarningisissued.CodepageindependentGREPsearchesforexactbytevaluesarepossiblewhensearchingina"non"codepagecalled"Directbyte-wisetranslationforGREP",whichtranslatesbytevalueswithoutanymappingforcertaincodepagesorcasematching.X-WaysForensicsalsoallowstosearchinbothlittle-endianandbig-endianUTF-16,andinanyregionalWindowscode

pageplusUTF16withtheMSOutlookcipher(compressibleencryption)applied.Youcandefinewhichcharactersshouldbeconsideredtobepartsofwords.ThisisusefultoavoidfalsehitsforshortreallanguagewordsinbinarygarbagedataorBase64codeandgenerallyforusersthatconsidernumberstobepartsofwords(suchasin"GIF89").Example:Anundesirablehitfor"band"in"7HZsIF9BAND4TpkSbSBS"canbepreventedifyousearchforitasawholewordonlyifyouredefinethealphabettoincludedigits0-9,i.e.considerthemwordcharacters.Itispossibletoreviewthe(incomplete)searchhitlistinthemiddleofanongoingsimultaneoussearch.Youcanclickthesearchhitlistbuttonatanytimetoviewthepreliminarysearchhitlist.Additionalsearchhitsthathavebeencollectedasthesearchcontinueswillbelistedwhenyourefreshthesearchhitlist,byclickingtheEnterbuttoninthesearchtermlistasusually.Thisapproachtoviewpreliminarysearchhitsisusefule.g.whenpreviewingalivesystemonsitetodeterminewhetheramediummightcontainrelevantfilesandshouldbecaptured.Ifaftersearching5%ofthedataandreviewingthesearchhitsgatheredsofartheanswerisYes,thesearchcanbestoppedalreadyandalotoftimeissaved.GeneralsearchoptionsOptionsandadvantagesofthelogicalsearch

LogicalSearchPowerfulsubvariantofthesimultaneoussearch.Allowstosearcheitherallfiles,alltagged,or(ifinvokedfromthedirectorybrowsercontextmenu)allselectedfiles.Thelogicalsearchhasseveraladvantagesoveraphysicalsearch:+Fileslackcanbespecificallytargeted(forallfilesor,ifonlyhalfchecked,forfilesthatarenotomitted)orignored.+Thesearchscopecanbelimitedtocertainfilesandfolders,throughtaggingorselectingfiles.Pleasenotethattheamountofdatatosearchthatmaybedisplayedinthedialogwindowisanestimateonly.Theactualscopeofthesearchmayvarybecauseofslackspace.+Searchinginfiles(usually=intheclusterchainsallocatedtofiles)willfindsearchhitsevenifthesearchtermhappenstobephysicallysplitinafragmentedfile(occursattheendandthebeginningofdiscontiguousclusters).+AlogicalsearchcanbesuccessfuleveninfilesthatarecompressedattheNTFSfilesystemlevel,astheyaredecompressedforsearching.Thisholdstrueevenforfilesthatwerefoundviaafileheadersignaturesearch,ifthatwasspeciallyadaptedforNTFScompression.+Ifthecontentsofarchives(filesinZIP,RAR,GZ,TAR,BZ2,7Z,andARJ,ifnotencrypted,forensiclicenseonly)andindividuale-mailmessagesandattachmentshavebeenincludedinthevolumesnapshot,theycanbesearchedaswell.+Thetextthatiscontainedinfileswhoseformatissupportedbytheviewercomponet,e.g.PDF(Adobe),WPD(CorelWordPerfect),VSD(Visio),SWF(ShockwaveFlash),canautomaticallybeextracted/decoded/decompressedpriortosearch,resultinginunformattedASCIIorUTF-16plaintext,whichcanbereliablysearchedinadditiontotheoriginaldataitself.Searchhitsmightotherwisebemissedbecausevariousfiletypestypicallyoratleastsometimesstoretextinanencoded,encrypted,compressed,fragmentedorotherwisegarbledway.Important:InparticularforHTML,XMLandRTFdocumentsaswellase-mailmessages,whichmayemployvariousmethodsofencoding(e.g.UTF-8)non-7-bit-ASCIIcharacters(e.g.GermanumlautsorChinese

characters),decodingmaybeuseful,dependingonthelanguageofyoursearchterms/thecharacterscontainedinyoursearchterms.Whenyouspecifyafilemaskfordecoding,thatmaskwillnotonlybeappliedtothenamesofsearchedfiles,butalsototheirtruetypeifverifiedbysignature(seeRefinedVolumeSnapshots).Thisfeaturerequirestheseparateviewercomponenttobeactiveforthedecodingandtextextractionpart.ThedecodedtextisoutputinLatin1orUnicode,andcanoptionallybebuffered(cf.Options|ViewerPrograms)toallowforaconvenientcontextpreviewforsearchhitsinthedecodedtextandtoacceleratefuturesearches.Thedefaultfilemaskforthisoptionis*.pdf;*.docx;*.pptx;*.xlsx;*.odt;*.odp;*.ods;*.pages;*.key;*.numbers;*.eml;*.wpd;*.vsd.Itisrecommendedtoadd;*.html;*.xml;*.rtfdependingonthecharacterssearchedfor,andmoredependingonyourrequirements.Forexample*.docmightbeagoodideaifyouwanttobeverythoroughbecausetextcanbefragmentedorchangefromonecharactersettoanotherabruptlyinthemiddleofaMSWorddocument.Justkeepinmindthattheadditionaldecodingandsearchresultrequiremoretimeandlikelyresultinduplicatedsearchhits(searchhitsfoundinboththeoriginalformatandtheresultofthetextextraction).E-mailswillgenerallynotbedecodedbyX-WaysForensicswhenonly7-bitASCIIcharactersaresearch.Thefilemaskisappliedtoboththefilenameandthedetectedtruefiletype.Toseewhattextisextractedfromadocumentbythisfunction,youcanselectthedocumentinthedirectorybrowserinPreviewmodeandholdtheShiftkeywhenswitchingtoRawmode.+Ifyouarenotinterestedineachandeverysearchhit,butmerelyinwhichfilescontainatleastonethespecifiedsearmterms,alogicalsearchcanbegreatlyacceleratedbytellingX-WaysForensicsthatonlyonehitperfileisneeded,sothatitcanskiptheremainderofafileonceahithasbeenrecordedandcontinuewiththenextfile.Theresultingsearchhitlistwillbeinherentlyandsystematicallyincomplete,andnoassumptionmustbemadethatsomehow"themostuseful"searchhitineachfilewillbecollected,or,ifmultiplesearchtermsareused,asearchhitforasearchtermthatyouconsidermoreimportantwillbecollected.However,itisguaranteedthatitcontainsallthefilesforwhichtherewasatleastonehit(foroneofthesearchtermsused),andeachsuchfileonceonly.Suchalistissufficient(andefficient!)tomanuallyreviewtheaffectedfiles,commentonthem,copythefilesoffanimageorpassthemontootherinvestigatorsinanevidencefilecontaineretc.NotethatofcourseitisnotpossibletocombinesearchtermswithalogicalANDifonly1hitperfilewasrecorded.Thatconsequenceistypicallyforgottenbyunsuspectingusers.

+Filesthathavebeenmarkedasirrelevantbyhashcomputationandhashdatabasematchingorfilesthathavebeenexcludedbytheuserorthatarefilteredoutbyanactivefiltercanbeomittedfromalogicalsearchtosavetimeandreducethenumberofirrelevantsearchhits.Theslackofsuchfilesisstillcoverediftheoption"Openandsearchfilesincl.slack"isfullychecked,sothatthisoptionhasahigherpriority.Ifonlyhalfchecked,theslackofsuchfilesisomitted,too.+Therecommendabledatareductionspecificallyomitscertainfilesfromthesearchtoavoidthattimeiswastedorduplicatehitsareproducedunnecessarily.E-mailarchivesofthetypesMBOXandDBXaswellasfilearchivesofthesupportedtypes(ZIP,RARetc.)willnotbesearchedifthee-mailsandfilesthattheycontainhavealreadybeenincludedinthevolumesnapshot,inordertosavetime.Inthatcaseonlythoseextractede-mailsandfileswillbesearched,intheirnatural(unencodedanduncompressed)state.Thismaybereasonableforkeywordsearchesandinparticularforindexing(whichhasahardtimeprocessinge.g.Base64code),butnotnecessarilyfortechnicalsearchesforsignaturesetc.Usingthisoptionconstitutesacompromise.Theslackofarchivefilesisstillincludedifthefileslackoptionisenabled,asthatoptionhasahigherpriority.Afilethatthatismarkedasrenamed/movedwillnotbesearchedeitherifdatareductionisenabledandifprincipallyallfilesinthevolumearetobesearched(asopposedtotaggedorselectedfilesonly)becausethesamefilewillalreadybesearchedunderitscurrentname/initscurrentlocation.If*.docx;*.pptx;*.xlsx;*.odt;*.odp;*.ods;*.pages;*.key;*.numbersaredecodedforthesearch,thecontained.xmlfileswiththemaincontents(document.xml,content.xml,index.xml,...)andincaseof.pagesanyexistingPreview.pdfarealsoomitted,toavoidredundantsearchhits.FileswitharedXiconwillnotbesearched,exceptiftheyarespecificallytargetedviaaselectionortagmark.+InNTFS,all"real"hardlinks(i.e.hardlinksotherthanSFN)exceptforonecanbeoptionallyomittedfromlogicalsearchesandindexing.NowadaysonWindowsinstallationsoftenbetween10,000and100,000hardlinksofsystemfilesexist,forexample27linkstoafilelike"Ph3xIB64MV.dll"indirectoriessuchas\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035\Windows\System32\DriverStore\FileRepository\ph3xibc2.inf_amd64_neutral_7621f5d62d77f42e

\Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382453de2dbb\Windows\winsxs\amd64_ph3xibc9.inf_31bf3856ad364e35_6.1.7600.16385_none_a0a14b454657e48e\Windows\winsxs\amd64_ph3xibc5.inf_31bf3856ad364e35_6.1.7600.16385_none_9e7d0270e1def2ea\Windows\winsxs\amd64_ph3xibc12.inf_31bf3856ad364e35_6.1.7600.16385_none_64d7af985f2a04e4etc.Bysearchingonlyinonehardlinkofafile,youcantypicallyexcludeseveralGBofduplicatedataandyetdon'tmissanythingifyousearchallotherfiles.Thoseadditionalhardlinksthatareomittedarethosewhosehardlinkcountisgrayedout.Searchhitsintheonlyhardlinkthatdoesgetsearchedaremarkedwiththehint"->Links!"intheDescr.columntoremindyouoftheotherhardlinksofthesamefileincasethosesearchhitsarerelevant.*Optiontoapplylogicalsimultaneoussearchestovariousmetadataoffilesinadditiontothefilecontents.Moreprecisely,theycanbeappliedtothecellsofanyselecteddirectorybrowsercolumnsuchasName,Author,Sender,RecipientsorMetadata.Thatcanspareyoufrompastingyourkeywordsinthefilterdialogsofvariousdirectorybrowsercolumns.ThatmethodologyisalsomorethoroughbecauseallthetextaddressedbythisfeatureissearchableinUTF-16,whereaselsewherethesamedatamaybefragmented(e.g.filenamesinparticularinFAT),speciallyencoded(e.g.senderandrecipientsasquotedprintableine-mails),compressed,orstoredinunexpectedcodepages.Itisalsoconvenientbecauseanyhitswillbepresentedandlistedinthesamefashionasordinarysearchhitsinfilecontents,justspeciallymarkedinthesearchhitdescriptioncolumnwiththenameofthecolumnthatthetextthatcontainsthesearchhitsactuallybelongstoandhighlightedinadifferentcolor.Youcanalsofilterforsearchhitsinmetadata.Whenselectingasearchhitinmetadata,itisautomaticallysearchedforandhighlightedinDetailsmode,justasordinarysearchhitsinfilecontentsareautomaticallysearchedforandhighlightedinPreviewmode.Notethatthesimultaneoussearchinmetadatadoesnotsearchinadditionalcelltextthatisdisplayedinadifferentcolor,suchasalternativefilenamesandfilecountsintheNamecolumn.+Someblindspotsthatlogicalsearcheshaveinold-fashionedcomputerforensicssoftwareproductsintheseveralthousanddollarpricerangedonotexistinX-WaysForensics,assuchareasonapartitioncanbeaddressedspecifically,namelyanytransitionfromfileslacktodirectlyfollowingfree

space,andinNTFSandexFATalsofromknownuninitialized(butphysicallyallocated)tailsoffilestodirectlyfollowingfreespace.SearchOptionsShouldthisoperationfreezeonacertainfile,remembertheinternalIDandthenameofthecurrentlyprocessedfilearedisplayedinthesmallprogressindicatorwindow.Ifthisoperationisappliedtoanevidenceobjectanditcrashes,X-WaysForensicswilltellyouwhichfilewhenyourestarttheprogramandassociateitwithareporttable(dependsontheSecurityOptions).Allthathappenssothatyoucanexcludeandomitthefilewhentryingagain.Aparallelizationoption(currentlystillconsideredexperimental)allowsyoutobetterutilizemultipleprocessorcoresbyemployingmultiplethreads.Ithasaneffectonlywhensearchinginevidenceobjectsthatareimagesordirectories,notdisks.Thefasteryourmassstoragesolutionperforms(intermsofseektimesanddatatransferspeed),themoretimeyousavepercentage-wise.Inperfectconditions,thiscanmorethandoublethespeedoflogicalsearches.Ifyouselectjustnoextrathreadsforthelogicalsearch,itwillworkasinX-WaysForensicsversionsbefore18.9.Ifyouselect1ormoreextrathreads,searchingisdoneinadditionalworkerthreads,andthemainthreadoftheprocesswillbeidle,whichmeanstheGUIwillremainhighlyresponsive.InX-WaysInvestigatorupto2workerthreadsmaybeused,inX-WaysForensicsupto8,dependingonthenumberofprocessorcoresdetected.

SearchHitListAvailableonlywithaforensiclicense,whenworkingwithacase,forevidenceobjectswithavolumesnapshot.(OtherwisethePositionManagerwilllistsearchhits.)Thedirectorybrowsercanshowsearchhits.Togetintothisdisplaymode(searchhitlistinsteadofordinarydirectorybrowser),clickthebuttonwiththebinocularsandthefourhorizontallines.Itisonlyavailableforevidenceobjects.Inthatmodeofoperationtherearefouradditionalcolumns:physical/absoluteoffsetsofthesearchhits,logical/relativeoffsets,descriptionsthatincludethecodepagesinwhichsearchhitswerefoundandhintsiffoundinfileslack,andthesearchhitsthemselves(usuallywithacontextpreview,sortablebysearchterm,contextpreviewnotaccurateforArabicandHebrewtextorhitsinUTF-8).Thedirectorybrowser'sgroupingoptionshavenoeffectwhensearchhitsaresortedbyoneofthesethreecolumns.Thesearchhitdescriptioncolumncomeswithafilterthatallowstofocusonnotablehits,hitstoincludeinthecasereport,usersearchhits,hitsinacertaincodepage,hitsinthetextextractionofdocuments,andhitsinslackspaceoruninitializedtailareasoffiles.SearchhitsinallvariantsofUTF-16thatarenotalignedatevenoffsetsaremarkedintheDescr.columnas"unaligned",asasmallhintandexplanationwhyyoucanreadthetextonlyinthealignment-awarecontextpreviewoftheSearchhitscolumn,andnotinthetextcolumn.Almostallcommandsinthedirectorybrowsercontextmenuareavailableforsearchhitlistsaswell,notablytheabilitytocopy,view,tagandcommentfiles.Thedynamicfilterbasedontheusualdirectorybrowsercolumnscanbeusedinconjunctionwithsearchhitlistse.g.toviewhitsinall.docand.xlsfileswithcertainlastmodificationdatesonly.Thesearchhitlistisbasedonthepositionandlevelinthedirectorytreewhereyouclick,sothatyoucane.g.seeallsearchhitsinfilesin\DocumentsandSettingsandsubdirectoriesofthesame,andevensearchhitsfromallevidenceobjectsoftheentirecaseatthesametime,usingthecaserootwindow.Alsoit'spossibletoconvenientlyselectoneorseveralsearchtermsforsearchhitviewing,inthesearchtermlistintheCaseDatawindow.Likethatit'salsoaneasytasktofindouthowmanysearchhitsthereareforanygivensearchtermforanylevelinthecasetree,asthatnumberisdisplayedinthedirectory

browser'scaptionbasedonthecurrentsearchhitlist.Searchhitlistsare"dynamic"inthattheyarecomposed"onthefly"dependingonselectedsearchterms,exploredpath,currentfiltersettingsandbasedonthesettingsofthesearchtermlist(logicalANDcombinationsandthe"1hitperitem"option).Searchhitscanbemarkedasnotable(suchthatayellowlightbulbisdisplayedontheleft)withthedirectorybrowsercontextmenuorbypressingtheSpacekey.WiththeSpacekeyyoumayalsoremovethatmark.YoumayunmarkmultipleselectedsearchhitsasnotablebyholdingtheShiftkeywheninvokingthe"Markasnotable"contextmenucommand.YoucanfilterfornotablesearchhitsviatheSearchhitscolumnfilter.Ifyounolongerneedcertainsearchhits,youcanselectanddeletethem.Forexamplebecausetheremightbeduplicatesorbecauseyouwouldliketorunasearchforthesamesearchtermsinthesamefilesagainwithslightlydifferentsettings.Ifyounolongerneedanysearchhitsofcertainsearchterms,youcanselectthesesearchtermsinthesearchtermlistanddeletethosealongwithalltheirsearchhits.

SearchTermListDisplayedintheCaseDatawindowwheninsearchhitviewingmode(afterclickingthebuttonwiththebinocularsandthefourhorizontallines).Thesearchtermlistcontainsallthesearchtermseversearchforinthecaseunlessdeletedbytheuser.Thesearchtermscanoptionallybesortedalphabeticallyinascendingorderorbythelistedsearchhitcountindescendingorder,viathecontextmenuofthesearchtermlist,tomakeiteasiertolocateacertainsearchterminlengthylists.SelectingsearchtermsinthesearchtermlistandthenclickingtheEnterbuttonallowsyoutolistallthesearchhitsforthesesearchtermsinthecurrentlyselectedpath,subjecttofilters,inthesearchhitlist.YoucanselectmultiplesearchtermsbyholdingtheShiftorCtrlkeywhileclickingthem.YoumaypresstheDelkeytodeleteselectedsearchtermsandalltheirsearchhitspermanently.Toreduceasearchhitlisttoalistofuniquefilesthatcontainatleastonesearchhit,check"List1hitperitemonly"andthenclickEnter.Thiscanbeveryusefulifyouaregoingtoreviewallsuchfilesmanually,ensuringthateachsuchfileislistedonlyonce.Noassumptionmustbemadethatsomehow"themostuseful"searchhitineachfileistheonethatmakesittothelist,orifmultiplesearchtermsareselectedtheonelistedsearchhitisforasearchtermthatyouconsidermoreimportant.Thereductionisnon-destructive.Bringingbacktheoriginal,completesearchhitlistmerelyrequiresthatyouuncheckthisspecialboxandclicktheEnterbuttonagain.Theoptiontolist1searchhitperitemonlydoesnotfilteroutsearchhitsinslackspaceorinun-initializedpartsoffiles(inthepartexceedingtheso-calledvaliddatalength).Thisisusefulbe-causetheslackofafileistypicallynotrelatedtothecontentsofthatfile,soanysearchhitsinthesespecialareaswouldlikelyhaveatotallydifferentcontextthansearchhitsinthelogicalpor-tionofthefile(andespeciallysearchhitsintheuninitializedpartofafilemayresideindatafromvariousdifferentsources)andthustheyneedtobereviewedadditionally.Pleasenotethatitisstillnecessarytounselectthe"1hitperitem"optiontoseparatelycheckoutsearchhitsincon-glomeratessuchaspagefile.sysandthevirtual"Freespace"file,whichcontaindatafromtotallydifferentsources.The"1hitperitem"optionismostusefulfordocuments,forwhichyoucanoftentellafteronequicklookinPreviewmodewhetherthatparticularfileisrelevantor

not.Itispossibletosee(andviatheExportlistcommandinthecontextmenucopy)thehitcountsforselectedsearchtermsinthesearchtermlist.Thesehitcountsarebasedonthecurrentsettingsforthesearchhitlistthatisonthescreen,takeallfiltersintoaccount,theexploredpath,anyactiveANDcombinationetc.Itisthenumbersofhitsthatareactuallylisted,notthenumbersofhitsthathavebeenrecorded/saved.Toseethetotalnumbersofhits,deactivateanyfilterandselectallsearchterms.Notethatthe"List1hitperitemonly"optionalsofunctionslikeafilterforsearchhits.Youcanrenamesearchtermswithacommandinthecontextmenuofthesearchtermlist,forexamplesothatlengthyGREPexpressionsarereplacedwithamoreconciseandeasier-to-understandnamesuchas"IPaddresses","Creditcardnumbers","E-mailaddresses"etc.HitcountinsearchtermlistsTherearetwowayshowtologicallycombinemultiplesearchtermswithBooleanoperators:1)Bydefault,multipleselectedsearchtermsarecombinedwithalogicalOR.Toforceasearchterm,selectitandpressthe"+"key.Toexcludeasearchterm,selectitandpressthe"-"key.ToreturnasearchtermtonormalORcombination,presstheEsckey.Youmayalsousethecontextmenuofthesearchtermlistforallthat.ThebelowexamplesdescribetheeffectofselectingthesearchtermsAandBdependingontheir"+"or"-"status.AB=searchhitsforAandsearchhitsforBthatoccurinanyfiles(normalORcombination)+AB=searchhitsforAandsearchhitsforBthatoccurinfilesthatcontainA+A+B

=searchhitsforAandsearchhitsforBthatoccurinfilesthatcontainbothAandB(ANDcombination)A-B=searchhitsforAthatoccurinfilesthatdonotcontainB2)ForalogicalANDcombination,ifthesearchtermsarenotmarkedwith"+"or"-",youmayalsousethesmallscrollbarthatappearswhenyouselectmultiplesearchterms.Allowsyoutoseeonlysearchhitsinfilesthatcontainalltheselectedsearchtermsatthesametime.Youcancombineupto7searchtermsthatway.Ifyouselectmorethan2searchterms,youalsohavetheoptiontobelessstrictandonlyspecifyaminimumnumberofdifferentsearchtermsinthesamefile,e.g.requirethatofsearchtermsA,B,CandDanycombinationoftwooftheminthesamefileissufficient,e.g.AandB,orAandC,orBandD,etc.(fuzzy/flexibleANDcombination).Inadditiontothe"Min.x"option,thesearchtermlistalsooffersoffersa"Max.1"optionwhenmultiplesearchtermsareselectedthatarenotforcedwitha+orexcludedwitha-."Max.1"willlistsearchhitsonlyiftheyarecontainedinfilesthatdonotcontainanyoftheotherselectedsearchterms.Forexamplefor3searchterms,togetthesameresultsotherwise,youwouldhavehadtolistsearchhitsforsearchtermAwhileexcludingBandC,thenlistsearchhitsforBwhileexcludingAandC,andthenlistsearchhitsforCwhileexcludingAandB,whichofcourseisnotaselegantanddoesnotshowyouallsuchsingularsearchhitsatthesametime.When2searchtermsareselectedinthesearchtermlistandcombinedwithalogicalAND(usingeitherofthetwoavailablemethods),additionallyyoucannowrequirethatsearchhitsmustbe"NEAR"toeachothertobelisted,tofindmorelikelyrelevantcombinationsofbothsearchtermsinthesamefile,exactlylikewithaproximitysearch.Themaximumdistancebetweenthesearchhitsthatconstitutes"NEAR"canbedefinedbytheuserinbytes.ANEARcombinationmayalsobeappliedformorethan2selectedsearchterms.Theeffectisthatasearchhitislistedonlyif*any*oftheotherselectedsearchtermsoccursnearby.Thisparagraphquotedfromwikipedia.org:Thebasic,linguistic,assumptionisthattheproximityofthewordsinadocumentimpliesarelationshipbetweenthewords.Giventhatauthorsofdocumentstrytoformulatesentenceswhichcontain

asingleidea,orclusterrelatedideaswithinneighboringsentencesororganizedintoparagraphs,thereisaninherent,relativelyhigh,probabilitywithinthedocumentstructurethatwordsusedtogetherarerelated.Whereas,whentwowordsareontheoppositeendsofabook,theprobabilitythereisarelationshipbetweenthewordsisrelativelyweak.Bylimitingsearchresultstoonlyincludematcheswherethewordsarewithinthespecifiedmaximumproximity,ordistance,thesearchresultsareassumedtobeofhigherrelevancethanthematcheswherethewordsarescattered.What'smore,thesearchtermlistoffersa"NOTNEAR"option(abbreviatedNTNR)inadditionto"NEAR".With2selectedsearchterms,NTNRwillensurethatonlysearchhitsarelistedthatarenotlocatedinvicinityofanysearchhitsoftherespectiveothersearchterm.Withmorethan2selectedsearchterms,theresultsarecurrentlyundefined.

EventListsAvailableonlywithaforensiclicense,whenworkingwithacase,forevidenceobjectswithavolumesnapshot.Whenextractingmetadata(partofvolumesnapshotrefinements),X-WaysForensicscancompilealistofeventsfromtimestampsthatcanbefoundatthefilesystemlevelaswellasinternallyinfilesandinmainmemory.Conceivablesourcesarebrowserhistories,Windowseventlogs,Windowsregistryhives,e-mails,etc.Aneventlistworksexactlylikeasearchhitlistandcanbedisplayedbyclickingabuttonwhichislocatednexttothesearchhitlistbutton,withaclockicononit.Justlikeasearchhitlist,aneventlistcomeswithadditionalcolumns:theeventtimestamp,eventtype,eventcategory,andsomeeventshaveanindividualdescription/additionaltext,forexampleeventsrecordedintheWindowsregistryandinInternetExplorerindex.datfiles.Ifaneventlistissortedchronologically,bytimestamps,itworkslikeatimeline,whichmayallowyoutofigureoutasequenceofeventsofdifferentkindsstoredindifferentplaces(e.g.e-mailreceived,attachmentsaved,applicationstarted,documentprinted,filedeleted)thatotherwisecouldnotbeseentogetherincontext.Youmayseeeventsfromdifferentevidenceobjectsatthesametimeasusuallyfromthecaserootwindow,explorerecursivelyorbypath,sortbyeventtypeoreventcategory,seealltheusualfileproperties,viewfiles,navigatetothedefinitionofaneventwithinafile(ifarelativeoffsetisavailable)andfilterforcertaindateranges.YoumaymarkeventsasnotablejustlikesearchhitsandfilterfornotableeventsviatheTimestampcolumn.Event-basedanalysisinsteadoffile-basedanalysisisaprogressivenewapproachwithatotallydifferentperspectivethatmayleadtoknowledgeaboutactivitiesrecordedoncomputersthatotherwisecouldhardlybegained.Youmayseeconnections(relatedactivity)thatotherwisecouldbeoverlooked,andmaybeabletobetterexplainthelogicbehindwhathashappened.Thesourcesofeventsthatareexploitedbythemetadataextractioninthisversionincludeallthesupportedfilesystems(i.e.allthetimestampslistedinthetimestampcolumnsofthedirectorybrowser;modification,recordupdateand

lastaccessareomittedifidenticaltothecorrespondingcreationtimestamp),processesinsupportedmemorydumps,extractedorprocessede-mail,aswellasfilesofthesetypes:index.datInternetbrowserSQLitedatabases.firefox(~55)fragments_CACHE_001_and_CACHE_002_.lnkshortcuts.automaticDestination-ms.chromeChromiumcachedata_1,data_2.usnjrnlfragmentsRegistryhives*Windows.evteventlogsWindows.evtxeventlogs(Mostextractedeventscomewithadescriptionthatincludestheeventsource,theeventIDandtherecordnumber.TherecordnumberallowsyoutoquicklysearchfortherecordintheHTMLpreviewifyouneedfurtherdetailsaboutthatparticularevent.)DataStore.edb(MSWindowsoperatingsystemupdateevents).hbinRegistryhivefragments.doc(lastprinted).msgrp.logXPrestorepointINFO2XPrecyclebin.recyclerVistarecylebin.snappropVistavolumeshadowcopyproperties.cookie.gthr;.gthr2GathererandGathererfragments.pfprefetchattachtimestampsfromEDBsigningdatefromEXE/DLL/SYS/...boottimefromETL(eventtracelog)filesOLE2lastmodificationlastsavedinOfficedocumentsandRTFSkypemain.db(chats,calls,filetransfers,accountcreation,...-youcanreadentirechatsifsortedchronologically)SkypeChatSyncinternalcreationfrommiscellaneousfiletypes,includingExiftimestampsfromphotosJPEGGPS

Unix/Linux/Macintoshsystemlogs(TheseeventsarepracticallyofsignificanceespeciallyforUSBdevicehistoryexaminations.)*Morespecializedeventsthanjuststandardregistrytimestampsareoutputoptionallywhenyoucreatearegistryreport,dependingonthereportdefinitionsused!Theeventtypeisdisplayedingrayifthetimestampisapreviouslyvalidtimestamp,forexamplesuchasthosefoundinNTFSin0x30attributesorindexrecordsofINDXbufferslackorin$LogFile.Timestampsfrom0x30attributesinNTFSfilesystemsareoutputaseventsonlyifactuallydifferentfromtheir0x10counterpartsandnotidenticaltothe0x30creationtimestamp.Theyaremarkedas"0x30"intheEventTypecolumn.Malwaremightgiveitselfharmlesslookingtimestampsafterdeployment,sothatitdoesnotseemtoberelatedtothetimeofintrusion/infection.The0x30attributetimestamps,however,remainunaltered(exceptifthefileisrenamedormovedlater),andthatisthereasonwhysomeexaminersareinterestedinthem.Ifthetimeframeofintrusion/infectionisknown,relatedfileswouldbefoundintheeventlistthankstotheoriginal0x30attributetimestamps.0x30timestampsaremarkedintheeventlistwitha"greaterthan"symboliftheyarelaterthanthecorresponding0x10timestamps,whichseemsunnaturalandinsomerarecasesmightbetheresultofbackdatingbytherightfulusersofthecomputersthemselves.Undercertaincircumstances,backdatingdocumentsisseenasfraudulentandillegal.However,muchmorecommonly0x10timestampspredating0x30timestampsisjusttheworkofinstallationprogramsortheresultofcopyingafileormovingafilefromonevolumetoanotherorextractingafilefromaziparchive,whereWindowsorotherprogramsartificiallyapplytheoriginalcreationtimeofthesourcefiletothedestinationoncecopyingturnsouttobesuccessful(internalprogrammaticbackdating).Theselectionsintheeventtypefilterarenotrememberedbytheprogramfromonesessiontothenext.Pleaseseethedescriptionofthetimestampcolumnsformoreinformation.

MountAsDriveLetterAvailableinX-WaysForensicsandWinHexLabEdition.(Forevidencefilecontainerswithnomorethan1,000objectswithanylicensetypeforWinHex,evenintheevaluationversion,freeofcharge.)AllowstomountthevolumethatisrepresentedbytheactivedatawindowasaWindowsdriveletter,eitherentirely(ifthecommandisinvokedintheSpecialistmenuorinthecasetreecontextmenuforawholevolume)orpartially(ifappliedtoadirectoryorfilewithchildobjectusingthedirectorybrowsercontextmenuorthecasetreecontextmenu).Thisallowsforconvenientandquickaccesstoallfileswithexternalprogramswherenecessary(withouttheneedtocopythefilestoyourownlocaldriveletterfirst).Veryefficientinparticularifyouwishtocheckawholevolumeordirectoryorcertainfileswithavirusscanner.Mountingworksforallthefilesystemsthataresupported,forallpartitioningmethodssupportedandallimagetypessupported(inX-WaysForensics:rawimages,.e01,VDI,VMDK,VHD,andofcourseevidencefilecontainers),evenforimageswithinimages,alsoforpartitionsofphysicallyattacheddisksformattedwithafilesystemunknowntoWindows.Accesstoallthefilesiscompleteread-only,mountingofvolumesinimagesordiskpartitionswillnotchangeanythingintheimage/onthedisk.Tounmountadriveletter,simplyinvokethemountcommandinanyofthemenusagainandclicktheCancelbutton.Youcanchoosetoseeallexistingandoptionallyallknowndeletedfilesfromthevolumeinthedriveletter,exactlythesamefilesasknownfromtheverythoroughvolumesnapshotofX-WaysForensicsitself,whichdependsonwhetheryouhaverefineditalreadyornot.Optionallyfilteredoutfilescanbeomittedfromdirectorylistings.Childobjectsoffiles(filesinfiles)areoptionallyexposedaswell,presentedasfilesinanartificialdirectorythathasthesamenameastheparentfile,withjustasinglecharacterappendedtorenderthenameunique,asyoumayknowitfromtheRecover/Copycommand.Bydefault,thatsuffixcharacterisinvisible,i.e.aUnicodecharacterwithnowidth,tomakethepathofthechildobjectslookasoriginalaspossible.Youmaywishtoreplacethatcharacterwithsomethingelse,e.g.anunderscore,forexamplebecauseyouareworkingwithanexternalprogramthatisnotUnicode-capable.Forthatyouneedtoremovetheinvisiblecharacterfromtheeditboxfirst,forexamplebypressingtheBackspacekey,whichworksevenifitdoesnothave

anyvisibleeffect.Afterthatyoucaninsertanyothercharacter.Previouslyexistingitemsarelistedoptionally,andiflisted,theyarepresentedwiththe"hidden"attribute,sothattheycanbevisuallydistinguishedfromexistingitemsevenintheWindowsExplorera.k.a.FileExplorer.Virtualdirectoriesarepresentedinthesameway.(Ofcourse,hiddenfilesaredisplayedinWindowsonlyifyouchoosetoseethem,seeTools|Folderoptions|View.)Existingfilesarelistedoptionallyaswell(butexistingdirectoriesmandatorily,astheyarepotentiallyneededtonavigatetocertainpreviouslyexistingfiles).Virtualfilesinavolumesnapshotaswellasinternalfilesofthefilesystem(e.g.$MFTinNTFSandCataloginHFS+)areincludedoptionally,andsoareoriginalnamesandlocationsoffilesthatthathavebeenrenamed/moved.Specialobjectslikealternatedatastreams,extractede-mails,videostills,embeddedthumbnails,manualfileexcerpts,etc.etc.arepresentedinthemounteddriveasordinaryfiles.Fileslackisnotexposed.Fileswithidenticalnamesinthesamedirectory(e.g.1existing,1previouslyexistingfile,upto16)arenotproblematicwithmounting.Suchfilescanbeopenedfromwithinmountedvolumesthroughthedriveletterasiftheyhaduniquenames.ThisfunctionrequiresWindows7andlaterandtheinstallationofadriver(whichwillbestartedwhenyouuseanyofthemountcommandsforthefirsttime)andtheMicrosoftVisualC++2013RedistributablePackage(whichisnotincludedinWindowsbydefaultandmayneedtobedownloaded).ThatmeansthatthisparticularpartofX-WaysForensicsisnotportable,butit'snotatypicalfunctionforpreviewsoflivesystemsanyway.Interactivity:DeletingafileinavolumemountedbyX-WaysForensicsinWindowsofcoursedoesnotdeletethefileintheimageoronthedisk,butunderWindows7canoptionallytriggeroneofthefollowingactionsinthevolumesnapshot:1)excludethefileinthevolumesnapshot2)markthefileasalreadyviewed,or3)associatethefilewithareporttableofyourchoice.Thelatterisveryusefulifyoumountthevolumeinordertocheckthefilesformalwarewithanexternalvirusscanner.Shouldthevirusscannerdeleteorquarantineanyofthefiles,X-WaysForensicswillnoticethatandaddthefiletothespecifiedreporttable.Notethatifyoumanuallymoveafileoffthevolumetosomeotherdriveletterthiswilltriggerthesameaction,becausethatkindofmovingisidenticaltocopyingfollowedbydeletion.Movingafilewithinthe

samevolumeisnotallowed.RenamingafileinamountedvolumeinWindowsalsorenamesthefileinthevolumesnapshot.(Theoriginalnameispreservedanddisplayedinthedirectorybrowseradditionally.)

FileTypeCategories.txtThiscustomizablefiledefinesofwhichfiletypescategoriesarecomprised.Thenameofacategoryisprecededbythreeasterisksandaspace(***).Followingisalistoffiletypesthatbelongtothatcategory,oneperline.Suchlinesmuststartwitheithera"+"ora"-",where"+"simplymeansthattypeischeckedinthefiletypefilter.Afterthat,typicalextensionforthatfiletypefollows,plusaspacecharacter,followedbyadescriptionofthefiletype.Onlylower-caselettersaretobeusedinextensions.Thesamefileextension/typemayoccurinmultiplecategories(seeCategorycolumndescriptionforlimitations).Alternativelytoextensions,entirefilenamesaresupportedaswell.Thisisusefulforcertainfileswithawell-definednamewhoseextensionaloneisnotspecificenoughorwhichdonothaveanyextension.Completefilenameshavetobeenclosedinsemicolons.Examples:-;index.dat;InternetExplorerhistory/cache-;history.dat;Mozilla/Firefoxbrowserhistory-;passwd;ExistingusersThereisavirtual"Other/Unknowntype"category,whichisnotspecificallydefinedinthefileandsimplycoversallfilesthatdonotbelongtoanyother,definedcategory.Youmaystoreadditionalcustomdefinitionsoffiletypesandcategoriesinaseparatefilenamed"FileTypeCategoriesUser.txt".Thisfilewillbereadandmaintainedinadditiontothestandarddefinitionsin"FileTypeCategories.txt"andhasthesamestructure,butisnotoverwrittenbyupdatesofthesoftwareifcontainedintheinstallationdirectory,sothatyoucaneasilycontinuetouseitevenwhenoverwritingyourinstallationwithanewversion.Filetypesarerankedbyimportance/relevanceandyoumayfilterbythisrank.Forexample,filteringoutthosefiletypesranked#0willexcludefontfiles,cursors,icons,themes,skins,cliparts,etc.Fileswithalowrankareofimportancejustinveryspecificinvestigations,forexamplesourcecode,inwhichyouwouldnotbeinterestedwhenlookingforofficedocumentsorpicturesforexample,butdefinitelywhenhuntingavirusprogrammer.Higherrankedfiletypesarerelevantinmorecases.Generallytherankisusefulinsimplecaseswhereyoucanexpecttofindwhatyouarelookingforinfiletypes

thatarefairlywellknown.Asanotheridea,youcouldmakeitahabittoonlyindexfileswithhigherranks.Youalsohavetheoptiontoassignfiletypestoaso-calledgroup,aconceptthatisnotidenticaltoafiletypecategory.UsefulforexampleifyourstandardprocedureistoletexaminerAcheckoutpicturesandvideos,examinerBdocuments,e-mail,andotherInternetactivity,andexaminerCoperatingsystemfilesofvariouskinds,becauseoftheirspecializations.Youcangivethesegroupsmeaningfulnamesandfilterforthem,alsousingtheTypeStatusdialogwindow.ThegroupsaredisplayedintheTypefilter.Allthedefinitionsaboutfiletyperanksandfiletypegroupsaremadeinthe"FileTypeCategories.txt"file.Suggestionsforranksandanexampleofagroupoffilesthatmaydeservespecialattentionarealreadypredefined.Bothranks(from0to9,wheremissingmeans0)andgroups(lettersfromAtoZ)canbeoptionallyspecifiedfollowingatabattheendofaline,inanyorder,forexampleas"2P"or"DI3".Soupto10ranklevelsarepossible,butitisnotnecessarytofullyutilizethisrange.Upto26groupsarepossible.Youdonothavetostartalphabetically.Thecaseofthelettersisignored.Youmayalsodefineranksandgroupsforanentirecategory,followingatabinacategoryline.Filetypesthathavenorankandcategoryinheritbothfromthecategorytowhichtheybelong.Togiveagroupamoredescriptivenamethanjustasingleletter,insertgroupdefinitionlinesattheendofthetextfilethatstartwithaequalsign,e.g.=P=Photosandvideosforimagegroup=D=Docs,e-mailsandInternet=I=FiletypestoindexYoumaystoreadditionalcustomdefinitionsoffiletypesandcategoriesinaseparatefilenamed"FileTypeCategoriesUser.txt",whichwillbereadandmaintainedinadditiontothestandarddefinitionsin"FileTypeCategories.txt"andhasthesamestructureandisnotoverwrittenbyupdatesofthesoftwareifcontainedintheinstallationdirectory,sothatyoucaneasilycontinuetouseitevenwhenoverwritingyourinstallationwithanewversion.

HashDatabaseFunctionalityonlyavailablewithaforensiclicense.Aninternalhashdatabase,oncecreated,consistsof257binaryfileswiththeextension.xhd(X-WaysHashDatabase).ThestoragefolderisselectedintheGeneralOptionsdialog.Suchaninternalhashdatabaseisorganizedinaveryefficientway,whichmaximizesperformancewhenmatchinghashvalues.Itisuptotheusertodecideonwhathashtypethedatabasewillbebased(MD5,SHA-1,SHA-256,...),anditisuptotheusertofillthehashdatabasewithhashsetsandhashvalues,eitherbycreatinghashsetsinX-WaysForensicsyourselforbyimportinghashsetsfromothersources.Thesamehashdatabasecanbesharedandusedsimultaneouslybymultipleusersorinstancesifthesamestoragefolderisselected.However,itcannotbeupdatedwhileotherusers/instancesareusingit.Itispossibletomaintaintwoseparatehashdatabasesatthesametime,databasesbasedonthesamehashtypeordifferenthashtypes.Usefulforexampleifyoureceivehashsetsfromdifferentsourceswithdifferenthashtypes(e.g.somewithMD5andsomewithSHA-1values)andwishtousethemsimultaneously.Thesecondhashdatabasemaybestoredonadifferentdrive.Usefulifforexampletheprimaryhashdatabaseforgeneraluseissharedwithcolleaguesonanetworkdriveandtheuserwishestocreateorimportnewhashsets,eitherfortemporaryuseonlyorwhiletheprimaryhashdatabaseislockedbyotherusers,intoalocallystoredseconddatabase.Eachhashvalueinthehashdatabasebelongstooneormorehashsets.Eachhashsetbelongstoeitherthecategoryirrelevant/knowngood/harmlessor"notable"/knownbad/malicious/relevantorcanremainuncategorized(meaning"notdecidedyet"or"uncertain").Hashvaluesoffilescanbecomputedandmatchedagainstthehashdatabasewhenrefiningthevolumesnapshot.Thedirectorybrowser'soptionalcolumnsHashSetand"Categorywillthenrevealforeachfiletowhichhashsetsandcategoryitbelongs,ifany(whichallowsyoutosort/filterbytheseaspectsandignoreirrelevantfileseasilyorfocusonfilesyouarelookingfor).Ifthehashvalueofafileiscontainedinmultipleselectedhashsets,theprogramwillreportallmatchinghashsetsandindicatethecategoryofoneofthehashsets.Italsocheckswhetherthematchinghashsetsallbelongtothesamecategory,andifnot,willshowawarning.

Anoptionalsecond,separatehashdatabaseofblockhashvalues(insteadofnormalfilehashvalues),storedinaseparatedirectory,allowsyoutosearchforincompleteremnantsofknownhighlyrelevantfilesblock-wiseonothermedia.ViatheToolsmenuyougetinvokethedialogwindowtomanagetheactivehashdatabase(s),whichallowsyouto-startafresh,blankhashdatabase(anddiscardtheexistingcurrentdatabase,usingthe"Initialize"command,whereyouhavetheopportunitytoselectanewhashtype),-viewalistofthehashsetsthatarecontainedinthedatabase,-renamehashsets,-mergehashsets(notethatduplicatehashvaluesintheresultinghashsetarenotremovedimmediately,butnexttimewhenyouaddahashset,andnotethatyouarenotwarnedifyouaremerginghashsetsofdifferentcategories),-togglethecategoryofhashsets,-verifytheintegrityofthehashdatabase,-importselectedhashsettextfiles,-importallthehashsettextfilesinacertainfolderandallitssubfolders(ditto),optionallyintoasingleinternalhashsetwhosenameyouhavetospecify,-exportselectedhashsets(forexampleifyouwishtoexchangeindividualhashsetswithotherexaminers,notthewholedatabase),-andswitchbetweenthenormalfilehashdatabaseandtheblockhashdatabase.*NSRLRDS2.x,HashKeeper,andILooktextfilesaresupported,plushashsetsintheJSON/ODATAformatlayoutasusedbyProjectVic(versions1.0,1.1und1.2)asfoundintheHubstreamInbox.Anotherimportandtheonlyexportformatisaverysimpleanduniversalhashsettextfile,wherethefirstlineissimplythehashtype(e.g."MD5")andallthefollowinglinesaresimplythehashvaluesasASCIIhexor(forSHA-1)inBase32notation,oneperline.Linebreakis0x0D0x0A.WhenimportinghashvaluesfromNSRLRDS,ifyoucategorizethehashsetasirrelevant,hashvaluesmarkedasspecialormaliciouswillbeignored(notimported).Ifyoucategorizethehashsetasnotable,onlyhashvaluesthataremarkedasmaliciouswillbeimported.Ifyousetthehashsettotheuncategorizedstate,onlyhashvaluesthataremarkedasspecialorhaveanunknownflagwillbeimported.Ifyouwishtoimportallhashvalues,youcanimportthesameNSRLhashsetfilethreetimes,withdifferentcategorizations,

andallhashvalueswillendupinsuitablycategorizedinternalhashsets.TheIncludeinHashDatabasecommandinthedirectorybrowser'scontextmenuallowsyoutocreateyourownhashsetsinanyoftheinternalhashdatabases.Wheneverimporting/creatinghashsets,duplicatehashvalueswithinthesamehashsetwillbeeliminated.WhenimportingtheNSRLRDShashdatabase,X-WaysForensicschecksforrecordswiththeflags"s"(special)and"m"(malicious)sothatthesehashvaluesarenoterroneouslyincludedinthesameinternalhashsetthatshouldbecategorizedasirrelevant.Thehashdatabasesupportsupto65,535hashsets.Duplicatehashvaluesthatarealreadycontainedinthehashdatabasecanoptionallybeeitherremovedfromanewlycreatedornewlyimportedhashsetorfromallexistinghashsets,tokeepthehashdatabasemorecompact/lessredundantifsodesired.Thereisawaytoefficientlydeleteindividualhashvaluesfromanexistinghashset,byimportingahashsetfile(simple1-columnformat,1hashvalueperline),wherethehashvaluestodeletemustbelistedfirstandmustbeprependedwithaminussign("-").Thefilemusthavethesamenameastheexistinghashsetinthedatabasethatyouwishtoupdate(additionalfilenameextensionallowed).Thereisanoptiontounloadthehashdatabaseifloadedatthemomentwhenalldatawindowsareclosed(themomentwhenthelastopendatawindowisclosed),tosavemainmemoryortospecificallyallowotherconcurrentusersorinstancestochangethehashdatabase.PhotoDNAFuzZyDoc

PhotoDNAX-WaysForensicsappliesthePhotoDNAhashingalgorithmtophotos,untilfurthernotice.Thankstotherobustnessofthehashalgorithmanditsspecializationinphotos,itusuallyallowstoautomaticallyrecognizeknownphotoseveniftheyhaveexperiencedlossycompressionrepeatedly(e.g.JPEG),iftheyhavebeenstoredinadifferentfileformat,resized,partiallyblurred/pixelated,color-adjustedorcontrast-adjustedetc.Unlikehashvaluescomputedbyconventionalgeneralpurposealgorithms,PhotoDNAhashesareresistanttovarioussuchimagealterationsorchangeonlyslightly.Optionally,knownphotoscanberecognizedeveniftheyweremirrored(flippedhorizontally).Toavoidlossoftimewithsmallirrelevantpictures,PhotoDNAisnotappliedtopicturesthatarelessthan50pixelswideortall.ForlicensingreasonsthePhotoDNAfunctionalityismadeavailableasaseparatedownload,andprovidedbyX-Waysitselfonlytolawenforcementagencies,whichmayuseittopreventthespreadofchildsexualabusecontentandforinvestigationstargetedtostopitsdistributionandpossession.FordetailsaboutPhotoDNApleaseseethishighleveltechnicalexplanationandthispressinformation.IfthePhotoDNAfunctionalityispresent,adatabasewithPhotoDNAhashvaluesofphotoscanbecreatedandmaintainedwithinX-WaysForensics,andphotosmaybematchedagainstthathashdatabaseinX-WaysForensicsandX-WaysInvestigatortoautomaticallyidentifyknownincriminatingcontent.Lawenforcementagenciesmaywanttocreateandsharetheirowncollectionsofsuchhashvalues,basedonpicturesfrompreviouscases,orimportanextensiveexistingcollectionfromProjectVic(JSON/ODATAformatlayoutversion1.0,fromv18.1ofX-WaysForensicsalsoversion1.1,fromv18.2ofX-WaysForensicsalsoversion1.2).YoucanalsoimportPhotoDNAhashdatabasesofotherX-Waysusers(selectthe"RHDB"file!),youmaydeletehashcategoriesthatyoudon'tneedanymore,andyoumaymergeorrenamecategoriesinyourdatabase.Whenimportingsomeoneelse'shashdatabase,theircategoriesofthesamenamewillbemergedwithyours.PhotoDNAhashvaluesmayalsobeimportediftheyarestoredintextfiles,with"PhotoDNA"inthefirstline,followedby1hashvalueperlineinhexASCIIorBase64.

HashvaluesofpicturesinthevolumesnapshotofanevidenceobjectcanbeaddedtothePhotoDNAhashdatabaseinthesamewayasconventionalhashsetsareaddedtoaconventionalhashdatabase,usingtheIncludeinHashDatabasecommandinthedirectorybrowsercontextmenu.ThedatabaseisoneoftheseveraldatabasesthatcanbemanagedwiththeTools|HashDatabasecommand.ThePhotoDNAhashdatabaseisstoredinadirectorynexttohashdatabase#1.WhenimportingPhotoDNAhashcollectionsorwhenincludingthePhotoDNAhashvaluesofselectedfilesintothedatabasedirectlyinX-WaysForensics,theadditionalentriesarecheckedforredundanciesandconflictingcategorizationsamongeachotherandwithexistingentriesinthedatabase,tokeepthedatabaseassmall,fastandusefulaspossible.Thisisrecommended,butoptional,andifyouskipthisstepandifthedatasetisverylarge,youpotentiallysavehoursoftime,atthecostthatmatchingpicturesagainstthedatabaseduringvolumesnapshotrefinementwilltakemoretime,andthatforvariationsofthesamepictureyoumaygetdifferentclassificationsreturned.Youmaydefinetheimportstrictnessseparatelytodefinehowsimilarhashvalueshavetobetowarrantare-classificationofexistingvalues(tokeepthedatabaseconsistent)andtodefinehowsimilarhashvalueshavetobetooverwrite(replace)anexistingvaluewithanewvalue(tokeepthedatabasecompactandlessredundant).Thelatterstrictnessmustnotbelessthantheformer.Ahashvaluecanbeeitheranexisting,oldvalueinthedatabase,anewhashvalueinthedatabaseaddedbythecurrentimportoperation,orapendinghashvaluethatisyettobeaddedtothedatabase.1)IfapendinghashYisabsolutelyidenticaltoanoldornewhashX,Ywillbeignoredandnotaddedtothedatabase.IfYandXarejustsimilar,Ywillbeadded.IfYandXarealmostidentical,Xisdirectlyreplaced(overwritten)withY.2)IfYandXareidenticalorsimilarand,butbelongtodifferentcategories,andXisnew,thatmeansthatthequalityoftheimportfileislow.Youwillseeawarning.IftheimportisfromaProjectVichashcollection,andthetwocategoriesaretherelativelysimilarcategories"childabuse"and"childexploitation",nospecialactionistaken.Ifthetwocategoriesinvolvedarenotthosetwo:IfeitherXorYbelongstothecategory"non-pertinent"andthepictureisalargelymonochromaticpicture,Xwillbeassignedtothecategory"non-pertinent".OtherwisethecategorizationconflictwillberesolvedbyassigningXtothecategory"uncategorized".3)IfYandXareidenticalorsimilar,butbelongtodifferentcategories,andXisold,XwillbeassignedtothesamecategoryasY,assumingthattheprevious

categorizationiswrongoroutdatedandtheimportfilecontainscorrect/newinformation.Thisisbeneficialforexampleforentrieswhoseoriginalcategorizationisfromaforeignsource(e.g.ProjectVic)andwhichneedstobeadjustedbecauseofdifferentlegislationorjurisdictioninyourcountryorsimplybecauseofcategorizationerrorsordifferentinterpretations.Whatisconsideredchildpornographyinonecountryisnotnecessarilyclassifiedassuchinanothercountry(example:computergenerationimages,animation).Recategorizationrequiresthatyouhavecopiesofthesamepictures(notnecessarilytheexactsamefiles)inyourcollectionorknowwhichhashvaluesbelongstowhichpictureexactly.WhenaddingPhotoDNAhashvaluestotheinternalPhotoDNAhashdatabasewiththeIncludeinHashDatabasecommand,youhavetheoptiontostoreyourcommentsabouttheselectedfilesinthathashdatabaseasdescriptions.Thesedescriptionscanbeautomaticallyadoptedascommentsagainnexttimewhenthesamepicturesarefoundinanothercase.Theycaneitherreplaceexistingcommentsintheothercaseor(ifthecorrespondingcheckboxishalfchecked)beappendedtoexistingcomments.Thisisveryusefulforexampleforpoliceinvestigatorswhoarerequiredbythecourttoprovideatextualdescriptionofeachandeverychildpornographypicture,toatleastsparethemtheworkofenteringdescriptionsofthesameknownpicturesmorethanonce.Alsousefultostoreinformationsuchasknownidentitiesofthepersonsinthephoto,previouscasenumbersetc.,forfuturereferenceifthesamephotosarefoundelsewhere.ThedescriptionsinthehashdatabasecanbeupdatedwithyourcommentsbysimplyaddingthePhotoDNAhashvaluesofthesamefilestotheinternaldatabaseagainthroughtheIncludeinHashDatabasecommand.Whenyouimportacolleague'sinternalhashdatabase(byselectingtheirRHDBfile),besuretohavenotonlythecorrespondingRHCNfile(withthecategorynames)presentinthesamedirectory,butalsothenewsubdirectoriesthatcontainthedescriptions,ifany,ifyouwishtoimportthesedescriptions.Todeleteallinternaldescriptions,youcansimplydeletetheD*subdirectoriesofthePhotoDNAhashdatabasedirectory.Orifyouwishtoshareyourdatabasewithotheruserswithoutthedescriptions,simplydonotincludetheD*subdirectories.YoumayalsomanuallydeleteorupdateanyindividualdescriptionsinthetextfilesintheD*subdirectoriesatanytime.Descriptionsthatyoualreadyhaveinyourdatabasewillnotgetlostifyouimporthashvaluesofthesamepicturesagainfromothersources,excepttheywillbeoverwrittenifthatothersourceisaPhotoDNAhashdatabaseofX-WaysForensicsthathas

descriptionsofthesamepictures.WhencreatingaPhotoDNAhashsetofselectedpictures,youmaychoosetonotaddthehashsetintotheinternaldatabase,butcreateaseparateplaintextfilewithPhotoDNAhashvaluesinstead.Forthat,pleasecheckthe"Saveas..."box.Suchfilescanbepassedontootherusersiftheywishtoaddthespecifiedhashvaluestotheirdatabasesorremovethem(seeabove).ItispossibletocleanseaPhotoDNAhashdatabasefromunwantedhashvalues.Thehashvaluestoremoveareprovidedasaplaintextfile,with1hashvalueinhexASCIInotationperlineand"PhotoDNA"inthefirstline.Thespecifiedhashvaluesmatchexactequivalentscontainedinthehashdatabaseandalsosmallvariations(samedeviationpermittedassetformatching).ItmaybecomenecessarytocleanseaPhotoDNAhashdatabaseifyouhaveimportedhashsetsfromaforeignsourcewhosecontentspartiallydonotmeetyourrequirements,whichbecomesapparentwhenyougetfalsehits,ifyoudonotwishtoremovetheentirehashset,orifyouhaveaccidentallyincludedawrongpictureinyourhashdatabaseyourself.Thereisabuttonthatallowstoexportselectedhashcollectionsintotextfilestosharethemwithotherusersortocheckwhichhashvaluesarecontained/whichoneswerededuplicatedetc.Anotherfunction(thebuttonwiththemagnifyingglass)willhelpyoutocheckthedatabaseforthepresenceofaspecifichashvalue,specifiedinHexASCIIorBase64notation.Ifthereisahit,youwillbeshownthenameofthehashcollectionthatcontainsthehashvalue.Ifthematchingentryinthedatabasehasatextualdescription,thatdescriptionwillbeshownaswell.Upto19matchesarereturned,andforeachyouwillseehowprecisethematchis(thehigher,themoreprecise;samebasicscaleastheuser-specifiedstrictnessformatching,i.e.level1meansveryroughmatch).Youhavetheoptiontonarrowdowntheresultlisttomoreprecisematchesbyenforcingahigherminimumstrictnesslevel,whichisusefuliftherearemorematchesthancanbelisted.ThereisafunctiontomarkselectedPhotoDNAcategoriesas"preferred",withablackstar.Thatwaytheywillgetpriorityifforapictureinthevolumesnapshotmatchesarefoundwithhashvaluesindifferentcategories.Suchpreferredcategorieswillbereportedasamatchevenifalternativematcheswithnon-preferredcategoriesaremuchclosermatches.Thatisusefulforexampleifyouhavecategoriesinyourdatabasethatyoutrusttobeaccurateandsuitableand

othersthatyoutrustless,forexamplebecausetheyareknowntocontainerrors(e.g.thesamepictureclassifiedasCPandnon-pertinentatthesametime)and/orbecausetheyarefromaforeignsourceandbasedondifferentlawsandjurisdiction.Matchingispartofthe"pictureanalysisandprocessing"operationinSpecialist|RefineVolumeSnapshot.IftherematchesforthesamepictureindifferentcategoriesofthePhotoDNAhashdatabase,youcanseethatinthedirectorybrowser:Thenameofthecategorywiththeclosestmatchisshown,followedbyacommaandanellipsis.Inrarecaseswherethishappensitcanbeimportanttoreviewthepicturemanuallyandmakethefinaldecisionaboutitsrelevanceforthecase.Youcanalsofilterforpicturesthatwerefoundinmorethanonecategory.Suchpicturesmaydeserveasmuchattentionasduplicatesinconventionalhashdatabasesthatbelongtothe"irrelevant"categoryand"notable"categoryatthesametimeandareusuallytheresultofaninconsistentlypopulateddatabase,e.g.accidentalmiscategorizationsorcorrectcategorizationsmadebyusersindifferentjurisdictionsetc.Ifthereturnedbestmatchingcategoryforapictureiswronginyouropinion,youcanfixthisbyaddingthePhotoDNAhashvalueofthatpicturetothePhotoDNAdatabaseagain,specifyingthecorrectcategory.

IdentifyKnownDocumentsUsingFuzZyDocPartofvolumesnapshotrefinement.Theso-calledFuzZyDoctechnologycanhelpyoutoidentifyknowndocuments(wordprocessingdocuments,presentations,spreadsheets,e-mails,plaintextfiles,...)withamuchmorerobustapproachthanconventionalhashvalues.Evenifadocumentwasstoredinadifferentfileformat(e.g.firstPPT,thenPPTX,thenPDF),itcanstillberecognized.Internalmetadatachanges,e.g.aftera"Saveas"ororafterprinting(whichmayupdatea"lastprinted"timestamp),donotpreventidentificationeither.Veryofteneveniftextwasinserted/removed/reordered/revised,adocumentcanstillberecognized.Thisisachievedbyusingfuzzyhashes.FuzZyDochashvaluesarestoredinyetanotherhashdatabaseinX-WaysForensics.HashsetsbasedonselecteddocumentscanbeaddedtotheFuzZyDocdatabaseexactlylikehashsetscanbecreatedinordinaryhashdatabases,andtheFuzZyDochashdatabasecanalsobemanagedinthesamedialogwindowastheotherhashdatabases.Foreachselecteddocumentyoucancreate1separatehashset,oryoucancreate1hashsetforallselecteddocuments.Upto65,535hashsetsaresupportedinaFuzZyDochashdatabase.FuzZyDocisavailabletoallusersofX-WaysForensicsandX-WaysInvestigator(i.e.notonlylawenforcementlikePhotoDNA).FuzZyDocshouldworkwellwithdocumentsinpracticallyallWesternandEasternEuropeanlanguages,manyAsianlanguages(e.g.Chinese,Japanese,Korean,Indonesian,Malay,Tamil,Tagalog,...,butnotThai,Divehi,Tibetan,Punjabi,...),andMiddleEasternlanguages(e.g.Arabic,Hebrew,...,butnotPashto,...).Notethatnumbersinspreadsheetcellsarenotexploitedbythealgorithm,onlytext.NotethatonlyfileswithaconfirmedornewlyidentifiedtypewillbematchedagainsttheFuzZyDochashdatabase.Forthatreason,filetypeverificationisappliedautomaticallywhenFuzZyDocmatchingisrequested.Documentswhosecontentsarelargelyidentical(e.g.invoicescreatedbythesamecompanywiththesameletterhead)areconsideredsimilarbythealgorithm

evenifimportantdetailschange(billingaddress,price,productdescription),dependingontheamountofidenticaltext.Thatmeansthatifyouhave1copyofaninvoiceofacompany,matchingagainstunknowndocumentswilleasilyidentifyotherinvoicesofthesamecompany.Foreverydocumentthatismatchedagainstthedatabase,upto4matchinghashsetsarereturned,andthe4bestmatchinghashsetsarepickedforthatifmorethan4match.Foreverymatchinghashset,X-WaysForensicsalsopresentsapercentagethatroughlyindicatestowhatdegreethecontentsofthedocumentmatchthehashset.Twodifferentpercentagetypesareavailable.Apercentagebasedonthetotaltextintheprocesseddocumentgivesyouanideaofhowmuchofthetextinthedocumentisknown/wasrecognized,whereasapercentagebasedonthetextrepresentedbythehashsetgivesyouanideaofhowcloselyadocumentresemblestheoriginaldocumentthatthehashsetisbasedon(makessenseonlyifyougenerate1hashsetperdocument,i.e.donotcombinemultipledocumentsin1hashset).Thematchingpercentagedoesnotcountcharactersonebyone,anditworksonlyondocumentsthatactuallymakesense,notonsmalltestfilesthatonlycontainafewwords.BeforematchingfilesagainsttheFuzZyDochashdatabase(anewoperationofSpecialist|RefineVolumeSnapshot),youcanspecifywhichtypesoffilesyouwouldliketoanalyze,andyoucanunselecthashsetsinthedatabasethatyouaretemporarilynotinterestedin.Notethatprocessinglessfiles(e.g.byspecifyinglessfiletypesinthemask)ofcoursewillrequirelesstime,proportionally,butselectinglesshashsetsformatchingassuchdoesnotsavetime.Youmayspecifyacertainminimumpercentagethatyourequireformatches(15%bydefault)toignoreinsignificantminorsimilarities.Thatoptionisnotmeanttosavetimeeither.Inordertore-matchalldocumentsinthevolumesnapshotagainsttheFuzZyDochashdatabase,pleaseremovethecheckmarkinthe"Alreadydone"boxfirst.Otherwisethesamefileswillnotbematchedagain,forperformancereasons.Re-matchingthesamefilesmaybecomenecessarynotonlyifyouaddadditionalhashsetstoyourFuzZyDocdatabase,butalsoifyoudeletehashsets,asthatinvalidatessomeinternallinks(ifthathappens,itwillbeshowninthecellsoftheresultcolumn).MatcheswiththeFuzZyDocdatabasearepresentedinthesamecolumnasPhotoDNAmatchesandskincolorpercentages,called"Analysis".AfilterforFuzZyDocmatchesisavailable.FuzZyDocshouldproveveryusefulformany

kindsofwhitecollarcrimecases,mostobviously(butnotlimitedto)thoseinvolvingstolenintellectualproperty(e.g.softwaresourcecode)orleakageofclassifieddocuments.

ExternalAnalysisInterfaceViathemenucommand"ExportFilesforAnalysis"intheCaseDatawindow,youcansendfiles(forexampleallfilesinthecasethatbelongtoacertaincategory)toanexternalprogramforfurtheranalysis.Thisexternalprogrammustcomplywiththeinterfacedescribedbelow.RequiresX-WaysForensicsorX-WaysInvestigatororWinHexwithaforensiclicense.TheanalysisresultcanbeimportedbackintoX-WaysForensicswiththeReportTableImportmenucommandintheCaseDatawindow.(Forexample,right-clickthecasetitlewhereitisprintedinbold.)Thatwillassociatefilesclassifiedbytheexternalsoftwarewithcertainreporttables(andmaycreatenewreporttables),whichallowsyoutofilterforsuchfilesorcreateareportaboutthem.Forexample,thesoftwareDoublePicscanrecognizeknownpictures(evenifstoredinadifferentformatoraltered)andreturnaclassificationsuchasCP,relevant,orirrelevant.TechnicaldescriptionoftheinterfaceAllfilesorfilesinacertaincategoryoralltaggedfilesorallnon-excludedfilesarecopiedintoasubfolderoftheoutputfolderspecifiedbyyou.ThesubfolderisnamedwithaCRCinhexadecimalcharactersthatisuniquefortheactivecase.ThefilesarenamedwithuniqueIDs(64-bitintegernumbers).Oneadditionalfilenamed"Checksum"iscreatedthatcontains4byteswiththesameCRC,4byteswiththehandleofthemainwindowofX-WaysForensics(orX-WaysInvestigator,forthatmatter),8reservedbytes,and128byteswiththecasetitleinUTF-16.Whenthefileshavebeencopied,X-WaysForensicsexecutestheexternalanalysisprogramandspecifiesthecompletepathofthesubfolderinquotationmarksasaparameter.Theexternalprogramcannowperformtheanalysis.Itcanclassifyfilesbycreatingone.rtdfileforeachclassification.Whenfinished,theprogramcanoptionallycheckwhethertheX-WaysForensicsmainwindowstillexistsand,ifso,makeX-WaysForensicsawareoftheavailabilityoftheresults,bysendingaWM_SETTEXTmessagestothemainwindow,wherethetextstartswith"Import:",followedbythepathofthe

directorywheretofindthe.rtdfiles,withoutquotationmarks.Thiswilltriggertheimportautomatically.Alternatively,theusercanimporttheresultasdescribedabove.Thenamesofthe.rtdfiles(reporttabledefinitionfiles)willbeusedasthereporttablename.An.rtdfilestartwitha4-bytesignature(0x52,0x54,0xDE,0xF0),the4bytechecksum(seeabove),followedbythe64-bitfileIDs(integernumbers)thatindicatethefilesthatshouldbeassociatedwiththatreporttable.

VolumeSnapshotsandtheirRefinementAvolumesnapshotisadatabaseofthecontentsofavolumeorphysicalmedium(files,directories,...)atagivenpointoftime.Thedirectorytreeandthedirectorybrowserpresentviewsintothisdatabase.Basedontheunderlyingfilesystem'sdatastructures,itconsistsofonerecordperfileordirectory,andrememberspracticallyallmetadata(name,path,size,timestamps,attributes,...),butnotthecontentsoffilesordataofdirectories.Avolumesnapshotusuallyreferencesbothexistingandpreviouslyexisting(e.g.deleted)files,alsovirtual(artificallydefined)filesiftheyareusefulforacomputerforensicexamination(e.g.sothatevenunusedpartsofadiskorvolumearecovered).Operationssuchaslogicalsearches,indexing,andallcommandsinthedirectorybrowsercontextmenuareappliedtothefilesanddirectoriesastheyarereferencedinthevolumesnapshot.Becauseofcompressedfilesandbecausedeletedfilesandthevirtual"Freespace"filemaybeassociatedwiththesameclustersofavolumemultipletimes,thesumofallfilesanddirectoriesinavolumesnapshotcaneasilyexceedthetotalphysicalsizeofavolume.AvolumesnapshotisstoredonthediskeitherasasetoffilesnamedVolume*.dirinthefolderfortemporaryfilesor(ifassociatedwithacase)asfilesnamedMain1,Main2,Main3,Names,,intheevidenceobject'smetadatadirectory.VolumeSnapshotOptionsTheSpecialistmenuallowstoexpand/refinethestandardvolumesnapshotinvariousways.Requiresaspecialistorforensiclicense.Fullfunctionalityonlywithaforensiclicense.RunX-Tensions:X-TensionsareDLLs,whichyoucanprogramyourself,toextendthefunctionalityofX-WaysForensicsoruseitautomaticallyforyourownpurposes.Moreinformation.ParticularlythoroughfilesystemdatastructuresearchFileheadersignaturesearchBlock-wisehashingandmatching

Thebelowoperationsareappliedaftertheaforementionedoperations,tofilesthatarealreadycontainedinthevolumesnapshot,andtheyareallappliedtogetherandfile-wise(i.e.firstalloperationstoonefile,thenalloperationstothenextfile,andsoon),toprocessfilesintheorderofascendinginternalIDs.Someoftheseoperationsmayproduceadditionalfiles,whichwillgetthenexthigheravailableinternalID.Previouslyexistingfileswhosefirstclusterisknowntohavebeenoverwrittenorwhosefirstclusterisunknownarenotprocessedexceptifyouspecificallytargetthemviatagging.Filesthatareconsideredirrelevantbasedonhashmatchingcanbeautomaticallyomittedfromallfurtheroperationstosavetimeandavoidpotentiallyevenmoreirrelevantfilesthatmightotherwisebeextractingfromthem.Itisalsopossibletoomitnotonlyknownirrelevantfiles,butalsoknownrelevantfilesfromfurtherprocessing.Usefulforexampleifinlargecasesyouhaveorexpectreallymanysuchfilesandhavingproofoftheirpresenceissufficientforyouandyoudon'tneedtoextracttheirinternalmetadata,don'tneedtocomputetheirskintonepercentagesorPhotoDNAhashes,anddon'tneedtocheckthemforembeddeddataetc.Thereisalsoanoptiontoomitfilesthatarefilteredout.Alloftheseoptionsareparticularpowerfulinthattheycantargetevenfilesinadvancethatarenotyetpartofthevolumesnapshotwhentherefinementstarts.Forexamplewhenadditionalfilesareaddedtothesnapshotbythefileheadersignaturesearch,dependingonthefiletypethesefilescanbefurtherprocessed(e.g.hashed)ornot,iftheTypefilterisactiveduringthelaterstagesofthevolumesnapshotrefinement.ThereisanoptiontoomitadditionalhardlinksforthesamefileinNTFS/HFS+fromvolumesnapshotrefinementjustasfromlogicalsearches,tosavetimeandreducethenumberofredundantidenticalchildobjectsetc.ThiscanmakeabigdifferenceonpartitionswithWindowsinstallationsthathavealotofhardlinksandHFS+partitionswithMacOSXTimeMachine.Whichhardlinksareconsideredthe"additional"hardlinksinternallycanbeseeninthe"Linkcount"column(graynumbermeanstobeomitted)andalsointheDescriptioncolumn,whichidentifiesallhardlinks(i.e.fileswithahardlinkcountlargerthan2)andtheadditionalonesinparticulartextually.Thehardlinkthatisnotmarkedas"optionallyomitted"intheDescriptioncolumnisconsideredthe"main"hardlinkinternally.

ComputehashVerifyfiletypeswithsignaturesalgorithmsExtractinternalmetadata,browserhistory,andeventsIncludecontentsofZipandRARarchivesetc.Extracte-mailmessagesandattachmentsUncoverembeddeddatainvariousfiletypesExportJPEGpicturesfromvideosPictureanalysisandprocessingFileformatspecificandstatisticalencryptiontestsIndexing

Shouldprocessingfreezeonacertainfile,notethattheinternalIDandthenameofthecurrentlyprocessedfilearedisplayedinthesmallprogressindicatorwindow.Ifthevolumesnapshotrefinementisappliedtoanevidenceobjectandtherefinementcrasheswhenprocessingasinglefileatatime,X-WaysForensicswilltellyouwhichfilewhenyourestarttheprogramandassociateitwithareporttablenamed"Reasonforcrash?"(dependsontheSecurityOptions).Allthathappenssothatyoucanexcludeandomitthefilewhentryingagain.Itdoesnoharm(doesnotcreateduplicationsanddoesnotcostmuchtime)ifyourestartsnapshotrefinementforthatvolumefromscratch,asalreadyprocessedfileswillquicklybeskipped,uptothepointwheretherefinementprogresswaslastsaved,whichdependsontheauto-saveintervalofthecase.Thevolumesnapshotremembersforeachfileseparatelywhichoperationsofthevolumesnapshotrefinementhavebeenappliedtoitalready,sothesameoperationswillusuallynotbeappliedagaintothesamefile.Ifthehashvalueforaproblematic(crashing)filewascomputed,thatfileand

identicalfilesareskippedautomaticallyifyou(continueto)refinethevolumesnapshotandcomputehashvalues(atleastiftheprotectionagainstidenticalcrasherfilesisactiveinthepropertiesofthecase).Tomakethecaseforgetpreviouscrasherfiles,clicktheDeletebuttoninthecaseproperties.Skippedfilesarealsoautomaticallyaddedtotheaforementionedreporttable.Thefileprocessingpartofvolumesnapshotrefinementssupportsmultiplethreads(onlyifnotappliedtoaselection).Dependingontheselectedsuboperationsandthetypesofthefilesinthevolume,anddependingonI/Ospeed,thiscandouble,triplicateorevenquadruplicatetheperformance.Thefasteryourmassstoragesolution(HDD,SSD,RAID)intermsofseektimesanddatatransferspeed,themoretimeyousavepercentage-wise.Thisparallelizationfeatureisstillconsideredexperimentalandnotcompleteyet,butthepotentialtimesavinginoneofthemostimportantandmosttime-consumingfunctionsoftheprogramisenormous.Selectingmultipleextrathreadshasaneffectonlywhensearchinginevidenceobjectsthatareimagesordirectories,notdisks.Ifyouselect0extrathreads,itwillworkasinX-WaysForensicsversionsbefore19.0.Ifyouselect1ormoreextrathreads,processingisdoneinadditionalworkerthreads(asmanyasyouselect),andthemainthreadoftheprocesswillbeidle,whichmeanstheGUIwillremainhighlyresponsive.InX-WaysInvestigatorupto2workerthreadsmaybeused,inX-WaysForensicsupto8,ifyourCPUsupportsthat.Ifmulti-threadedprocessingcrashes,nexttimewhenyourestarttheprogramitprobablycannottellyouwhichfileexactlypresumablycausedthecrash.File-wiseprocessingconductedbyX-Tensions(throughcallsofXT_ProcessItemorXT_ProcessItemEx)arealsoparallelizediftheX-Tensionsidentifiesitselfasthread-safe.Processingoffilesinfilearchivesiscurrentlyexcludedfromparallelisationinternally.Parallelizationiscurrentlynotofferedasanoptionifindexingisselected.Youmayscheduleasimultaneoussearchinadvanceforthetimeafterthevolumesnapshotrefinement.InterdependenciesTherearevariousinterdependenciesbetweenalltheseoperations.Forexample,ifthecontentsofarchivesareincludedinthevolumesnapshot,amongthesefilestherecouldbepicturesthataretobecheckedforskincolors,ordocumentsthataretobecheckedforencryption.Youcanworkunderthepremisethatifanadditionalfileisaddedtothevolumesnapshotorifthetruetypeofafileis

detectedaspartofRefineVolumeSnapshot,alltheappropriateotheroperationsareappliedtothatfile,iftheyareallselected.Theoutputofoneoperationautomaticallybecomestheinputofallotheroperations(oreventhesameoperationagain),wheresuitable.ImaginesomeonetriestoconcealanincriminatingJPEGpicturebyembeddingitinaMSWorddocument,misnamingthat.docfileto.dll,compressingthatfileinaZiparchive,misnamingthe.zipfileto.dll,compressingthat.dllinanotherZiparchive,misnamingthat.zipfileagainto.dll,andthensendsthis.dllfilebye-mailasanattachmentusingMSOutlook.Ifalltherespectiveoptionsareselected,RefineVolumeSnapshotdoesthefollowing:Itextractsthee-mailattachmentfromthePSTe-mailarchive.Itdetectsthatthe.dllattachmentisactuallyaZiparchive.Thenitincludesthecontentsofitinthevolumesnapshot,namelyafilewiththe.dllextension.ThatfileisfoundtobeactuallyanotherZiparchive.Consequentlythatarchivewillbeexplored,andthe.dllfileinsidewillbedetectedasa.docfile.Searchingforembeddedpictures,X-WaysForensicsfindstheJPEGfileinthe.docfileandcanimmediatelycheckitforskincolorsifdesired.Allofthishappensinasinglestep.Wow.NotesX-WaysForensicsconvenientlyremembersforeachandeveryfileinthevolumesnapshotwhichrefinementoperationshavealreadybeenappliedtoit,sothatthefilewillnotunnecessarilybeprocessedagain,whichwouldleadtoundesirableduplicationofchildobjects,wasteoftimeetc.X-WaysForensicsdoesnotremembertheindividualsuboptionsofeachoperation(e.g.whether"Createpreviewsofbrowserdatabases"wasselectedforthemetadataextraction)andcannotcatchuponthesesuboptionsindividually.Theonlyoperationsthatwillbeappliedrepeatedlyareindexingandmatchingofhashvaluesagainstthehashdatabase.Ifforanyreasonyouwishtoapplycertainotheroperationsagaintothesamefile(e.g.thenwithdifferentsuboptionsorafterhavingupdatedthesignaturedatabaseforfiletypeverification),youmayresetafiletothestateof"stilltobeprocessed"byvolumesnapshotrefinement,byselectingitandpressingCtrl+Del.Thiswillalsoclearanycomputedskincolorpercentages,extractedmetadata,hashvalues,hashmatches,etc.However,thisfunctiondoesnotremoveanychildobjectsfromthevolumesnapshot.Thatwouldhavetobedonebytheuserseparately,ifdesired,byhidingandremovingthem.Neitherdoesthisfunctiondeleteanyeventsthatwerecreatedduringpriorrefinementoperations.Anotherkeyboardshortcut,Ctrl+Shift+Del,allowstoremove

matcheswithordinaryhashsets,FuzZyDochashsets,andPhotoDNAcategoriesfromselectedfilesinthevolumesnapshot,whichevenifthehashsetsaredeletedfromthehashdatabasearenotdiscardedotherwise.Whetherafileshouldbeprocessedbyvolumesnapshotrefinementornotisdecidedonlyatthetimewhenitisthatfile'sturn,notwhenyoustarttheoperation.Thatmeansifyoucontinuetoworkintheprogramwhileavolumesnapshotrefinementisongoing,andalteroractivateordeactivatefiltersortagoruntagfilesorexcludeorincludefiles,thatmaystillaffectthescopeoftheoperation,dependingonthechosenoptionsanddependingonwhetherthefilesthatyoutag/untag/exclude/include/...stillhavetobeprocessedornot.Soifforexampleyoufindoutthattheoperationtakestoomuchtime,youcanstillmakethefiltermorestrictoruntagcertainverylargefilesetc.,withoutinterruptingtheprocess.Whenvolumesnapshotrefinementisinthestageofprocessingindividualfiles,thentheprogresspercentageissimplytheinternalIDofthecurrentlyprocessedfiledividedbythetotalnumberofitemsinthevolumesnapshot.X-WaysForensicsdoesn'tknowbeforehandwhichfilesneedalotoftimetoprocess,onlywhenactuallyreadingfromthefileitwillbedecidedwhatshouldbedonewiththefileanddiscoveredhowmuchdataisembeddedetc.Filetypeverificationandpotentiallyhashdatabasematchingmaychangethedecisionaboutwhattodowiththefile,ifanythingatall.Ifanentireevidenceobjectconsistsofjust1file,e.g.ifyouaddedasinglefilestothecase,thentheprogresspercentagewillnotadvance.Theprogressis0%initiallyand100%forafractionofasecondwhendone.Thedisplayedpercentagedoesnotreflectthesub-progresswithinagivenlargefile.Anunlabelled(buttooltipped)checkboxinthevolumesnapshotrefinementdialogwindowcannowmakeX-WaysForensicsrevealwhichsuboperationiscurrentlyappliedtothecurrentlyprocessedfile.A3-digitabbreviationwillbedisplayedwiththefollowingmeaning:Sig:filetypeverificationHsh:hashingVid:capturesporadicstillimagesfromvideosIdx:preprocessingoriginalfilecontentsforindexingDec:textdecodingforindexingIdX:preprocessingdecodedtextforindexingEmb:searchforembeddeddata

PDN:PhotoDNAdatabasematchingPic:otherpictureanalysisstepsEml:e-mailextractionFuz:FuzZyDocdatabasematchingMet:metadataextractionEnc:fileformatspecificencryptiontestEnt:entropycheckArc:inclusionoffilesinarchivesintothevolumesnapshotThismaybehelpfulforeducationalreasons,togiveusersabetterideaofhowcomputationallyexpensivecertainsuboperationsareandhowmuchtimecouldbesavedbynotselectingthemifnotabsolutelynecessary.Itmayalsoproveusefulfordebuggingpurposes.Whetherthisoptionmayslowdownprocessingoncertaincomputershasnotbeentested.CertainpreviouslyvalidtimestampsoffilesareoutputaseventsduringvarioussuboperationsoftheparticularlythoroughfilesystemdatastructuresearchonNTFS,dependingontherefinementoption"Provideby-catchtimestampsfromvarioussourcesasevents",whichmayalsoeffectotheroperationswhoseprimarypurposeisnottheretrievaloftimestamps/events.

ParticularlyThoroughFileSystemDataStructureSearchPartofvolumesnapshotrefinement.Runningaparticularlythoroughfilesystemdatastructuresearchispossiblyalengthyoperation,dependingonthesizeofthevolume,andforthatreasonnotdoneautomaticallywhentakingthevolumesnapshot.FAT12/FAT16/FAT32:Searchesfororphanedsubdirectories(subdirectoriesthatarenolongerreferencedbyanyotherdirectory).Ext3/Ext4:SimilartotheprocedureforFAT.Checkstheentirevolumeforpreviouslyexistingdirectorystructureswhosecontentsarenolongerknownfromcorrespondinginodes(thesewouldhavebeenlookedataspartoftheregularvolumesnapshotalready).Suchdirectoriesarelistedwithagenericname,usuallyin"Pathunknown",butpotentiallyintherootdirectory,ifthatiswheretheyexistedpreviously.(Therootdirectoryisspecialinthissituation,asithasanunchangeableID.)ReiserFS,Reiser4:Searchesfordeletedfiles(whicharenotincludedinthestandardvolumesnapshotatall).UDF:Whilethefirstandthelastsessionofmulti-sessionUDFCDs/DVDswillbelistedautomatically,additionalsessionsinthemiddlecanbefoundonlywiththisoption.CDFS:Usuallyallsessionsonamulti-sessionCD/DVDsaredetectedautomatically.Incaseswheretheyarenot(e.g.whenCDFSco-existswithUDForifthegapsbetweenthesessionsareunusuallylarge),thiswilldetectsessionsbeyondthefirstone.RAM(mainmemory):Mayfindterminatedprocessesandrootkits.NTFS:Volumeshadowcopiescanbeparsedoptionally,withaforensiclicense.Existingandpreviouslyexistingvolumeshadowcopyhostfilesarecheckedforvaluableinformationthatwouldnotbeavailableotherwise,suchasfilesthat

cannotbefoundinthecurrent$MFTanymoreorpreviousversionsoffileswhosecontentshavechanged.Thosefileswillbereconstructedupto1GBinlengthaccordingtotheshadowcopy.Processingofvolumeshadowcopies,ifany,occursbeforealltheotheroperationsthatarepartoftheparticularlythoroughfilesystemdatastructuresearch(parsing$LogFile,optionallysearchingforFILErecordoutsideof$MFTandoutsideofVSC,searchingforindexrecordsintheslackofINDXbuffers).Iftherearevolumeshadowcopies,thecaptionofthesmallprogressindicatorwindowwilltellyouwhentheyarebeingparsed.Volumeshadowcopyhostfilesthatyouexcludebeforeprocessingwillbeomitted.Filesfoundinvolumeshadowcopiesarespeciallymarkedwith"SC#"intheAttr.column,or"SC#,prev.version"iftheyarepreviousversionsoffilesthatwereknowntothevolumesnapshotalreadybeforethethoroughfilesystemdatastructuresearch,sothatitiseasytofiltertheminorout.#standsforthesequentialnumberofthesnapshotinwhichthesefileswerefound.RememberyoucansortbyIDtoseethefilestheyareapreviousversionofnexttothem.YoucanalsoeasilynavigatetotheVSChostbyusingthecommandNavigation|Findrelatedfileinthedirectorybrowsercontextmenu,forexamplesothatinDetailsmodelearnmoreaboutthatparticularsnapshot.Youcouldtheninvokethesamecommandoncemoretonavigatetothecorrespondingsnapshotpropertiesfile,whereinDetailsmodeyoulearnevenmore,e.g.descriptionandofficialcreationdate.Youmayoptionallyavoidthatpreviousversionsoffilesinvolumeshadowcopiesareaddedtothevolumesnapshotiftheyareexactduplicates(identicalfilecontents)sothatitismucheasiertofocusonfilesforwhichactuallypreviousdataisstillavailable.Timeforthatmaybewellinvestedbecauseevenifmodificationdatesaredifferent,thefilecontentsareoftenthesameforfilesinstalledbytheoperationsystem.Iffullyselected,X-WaysForensicswillcomparefilesupto128MB,ifhalfselected,onlyupto16MB,astonotwastetoomuchtimeonthisfeature.NTFS:FILErecordscanbeoptionallysearchedeverywhere,insectorsthatneitherbelongtothecurrentMFTnortoavolumeshadowcopy(VSC)processedbytheabove-mentionedoption.SuchFILErecordscanbefounde.g.infreespaceafterapartitionhasbeenrecreated,reformatted,moved,resized,ordefragmented.Timeconsumingonverylargepartitions.

NTFS:Withaforensiclicense,thecurrent$LogFileaswellasoldversionsof$LogFilefoundinprocessedvolumeshadowcopiescanbeexploited.Thecontentsofdeletedfilescanoftenbereconstructedthanksto$LogFile.Indexrecordsremnantsin$LogFileaswellasintheslackofINDXbufferscanbeexploitedthateitherrevealpreviousnamesorpathsofrenamed/movedfiles/directoriesthatwereknowntothevolumesnapshotbeforeordeletedfilesthatthevolumesnapshotwasnotawareofbefore(withoutfilecontents,though).Youcanindicatewhetheryouareinterestedinearliernamesandpathsofrenamed/movedfilesanddirectoriesornot.Ifthecheckboxforearliernames/pathsishalfchecked,youmayfindearliernames/pathsofrenamed/movedfilesintheMetadatacolumnanddon'tgetadditionalfilesinthevolumesnapshotforeachearliername/path.Youcanalsoindicatewhetheryouareinterestedincludingtracesoffilesinthevolumesnapshotwhoseclustersareunknownandforwhichonlyname,size,timestampsandattributesareavailable.DuringallthesuboperationsforNTFS,theinclusionofredundant(identical)filesinthevolumesnapshotisavoidedasmuchaspossible.IftheonlynewinformationgainedfromoldversionsofFILErecordsorindexrecordsispreviouslyvalidtimestamps,noearliernames/paths/contentsoffiles,orifyouhaveindicatedthatyouarenotinterestedinearliernames/paths,thenthesetimestampsareonlyoutputasevents,dependingonthevolumesnapshotrefinementoption"Provideby-catchtimestampsfromvarioussourcesasevents".NTFS:Youcanindicatewhetheryouareinterestedingettingfilesincludedinthevolumesnapshotwhoseclusters(andthereforedata)aretotallyunknown,withonlymetadata(e.g.filename,path,size,attributes,andtimestamps),asmaybefoundinindexrecordsinINDXbuffersorin$LogFile.Ifchecked,allpreviouslyexistingfilesofwhichmetadataonlyisknownwillbeincludedinavolumesnapshot.Ifnotchecked,thosefileswillbeignored.otherfilesystems:noactiontaken

FileHeaderSignatureSearchPartofvolumesnapshotrefinement.The"Fileheadersignaturesearch"operationhelpstoincludefilesinthevolumesnapshotthatcanstillbefoundinfreeoruseddrivespacebasedontheirfileheadersignatureandarenolongerreferencedbyfilesystemdatastructures.Youareaskedtoselectcertainfiletypesfordetection,specifyadefaultfilesize,anoptionalfilenameprefixetc.PleaseseeFileRecoverybyTypeandthefiletypedefinitionfordetails.Filesfoundwiththismethodwillbeincludedinthevolumesnapshotonlyifthereisnootherfileinthevolumesnapshotwiththesamestartsectornumberyet(overwrittenfilesdon'tcount),toavoidduplicates.However,filesthatarenotalignedatsectorboundarieswillalwaysbeincludedforperformancereasons.FilesfoundwiththismethodarelistedwithagenericfilenameandsizeasdetectedbytheFileRecoverybyTypemechanism.Ifappliedtoaphysical,partitionedevidenceobject,onlyunpartitionedspaceandpartitiongapswillbesearchedforfileheaders,becausethepartitionsaretreatedasseparate,additionalevidenceobjects.Usuallyresultsofthefileheadersignaturesearchareoutputinaspecialvirtualdirectoryforcarvedfiles,whichisasubdirectoryof"Pathunknown".However,thereisanoptiontoshowresultingfilesaschildobjectsofexistingfiles,ifthecarvedfileswerefoundwithintheseotherfiles.

Block-wiseHashingandMatchingPartofvolumesnapshotrefinement.Availablewithaforensiclicense.Block-wisehashingmayallowtoidentifycompleteorincompleteremnantsofknownnotablefilesthatarestillfloatingaroundinfreedrivespaceeveniftheywerefragmentedandthelocationofthefragmentsisunknown,toshowwithsomeorveryhighcertaintythatthesefilesonceexistedonthatmedium.Thehashvaluesarecomputedwhenreadingfromtheevidenceobjectsector-wise,andthathappensatthesametimewhenrunningafileheadersignaturesearchifselected,toavoidunnecessaryduplicatedI/O,withthesamesectorscope.Matchesarereturnedasaspecialkindofsearchhits.Thatmeansyouneedtoinvokethesearchhitlisttoseethem.Multiplematchesforcontiguousblocksaremoremeaningfulthanisolatedindividualmatches,astheyareevenlesslikelytheresultofsomecoincidence,andtheyareusuallycombinedinasinglehit.Thesizeofallsuchhitsisshownwhenlistingsearchhits.Thelargerthesize,thehighertheevidentiaryvalueofthematch.PleasenotethatX-WaysForensicsdoesnotverifyitselfthatcontiguousmatchingblocksareinthesameorderasintheoriginalfile(s),butthatcanbeverifiedmanuallyandfordatathatisasuniqueascompresseddatathatismostlikelythecase.Mostsuitableforselectednotablefileslargerthanafewsectors,filesthatareideallycompressedoratleastnotonlysparselypopulatedwithnon-zerodataanddonotcontainotherwisetrivialcombinationsofbytesvaluesthatoccurfrequently.Goodexamplesarezip-styledOfficedocuments,picturesandvideofiles.Verytrivialblockswithinafilethatconsistofmostlyjust1bytevalueareignoredandnothashed(thesamealreadywhencreatingthehashset).Forquickermatching,ideallyworkwithasmallhashdatabaseanddonotselectahashtypestrongerthanMD5.ThelengthofblockhashmatchesisshownintheSizecolumn.Thisisusefulsothatyoucansortthembythelengthsandreviewmoreimportant(larger)matchesfirst.Hashsetsofblockhashescanbecreatedorimportedinthesamewayasordinaryhashsets,i.e.forselectedfilesusingthedirectorybrowsercontextmenu,buttheyarehandledbyaseparatehashdatabaseforblockhashes(asopposedtofilehashes).Thatseparatedatabaseisinternallystoredinasubdirectoryofthemainhashdatabasedirectory.Youcancreatehashsetsconsistingoftheblockhashesof1fileatatime,orcombinedhashsetsof

multipleselectedfiles.Theblocksizeiscurrentlyalways512bytesandmightbeuser-definableinafutureversion.

ComputeHashPartofvolumesnapshotrefinement.Hashvaluescanbecomputedforfilesinthevolumesnapshot.Theyarenotrecomputedifyouapplythisoperationagaintothesamefiles.Inadditiontothemerehashcomputation,aforensiclicenseallowstomatchthehashvaluesagainstindividuallyselected(orsimplyall)hashsetsinaninternalhashdatabase.Thefiltercanthenlaterbeusedtohideknownirrelevantfiles.Filesrecognizedasirrelevantwiththehelpofthehashdatabasecanbeoptionallyexcludedfromfurthervolumesnapshotrefinementoperations,whichamongotherbenefitssavestime.Thehashvalueswillnotbeupdatedinthevolumesnapshotoncecomputed.However,thematchingprocess(lookingupthehashvaluesoffilesinthevolumesnapshot)canberepeatedforthesamefilesatanytime.Thiswillremoveprevioushashsetmatchesfromthesefiles.Thehashcategoryfieldwillbeupdatedonly,butnotemptied.Itispossibletocomputehashvaluesoftwodifferenthashtypesatthesametimewhenrefiningthevolumesnapshot,forgeneralpurposesortomatchthemagainsttwohashdatabaseswithdifferenthashtypes.Ifmatchingisselected,allhashvalueswillbematchedagainstanyofthetwohashdatabaseswhosehashtypefits.ThatmeanseveniftheprimaryhashtypeinthevolumesnapshotisMD5andthesecondaryisSHA-1,andhashdatabase#1isbasedonSHA-1and#2basedonMD5,X-WaysForensicswillmatchthehashvaluesaccordingly.Thehashtypesinthevolumesnapshotandinthehashdatabasesdonothavetobeinthesameorder.Aforensiclicenseallowstoverifyhashvaluesthatwerecomputedatanearlierpointoftime,orimportedfromanevidencefilecontainer.TheresultwillbeoutputtotheMessageswindow.Anyfilewhosecurrenthashvaluedoesnotmatchtheoriginallyrecordedonewillbeassociatedwithaspecialreporttableforconvenientreview.Runningthehashingvolumesnapshotrefinementstepasecondtimeneverupdatesthehashvaluesthatwerealreadycomputedforfilesinthevolumesnapshot.Childobjectsoffilesinheritthehashcategory"irrelevant"fromtheirparents.Thatispossiblebecauseifanentirefileisirrelevant,everythingthatcanbeextractedfromthatfilemustalsobeirrelevant.However,whatisextractedfrom

a"notable"fileisnotnecessarilyalsonotable,becauseperhapsonlysomepartsoraspectsoftheparentfilearenotable.Ofcourse,childobjectsofirrelevantparentswillonlybeoutputiftheuserchoosestonotomitirrelevantfilesfromfurtherprocessinginthefirstplace.

VerifyFileTypesPartofvolumesnapshotrefinement.Aforensiclicenseallowsyoutoverifyfiletypesbasedonsignaturesandvariousalgorithms,i.e.detectfilename/filetypemismatchesinallfilesinthevolumesnapshotexceptthosewhoseoriginalfirstclusterisknowntobenolongeravailable.Forexample,ifsomeonehasconcealedanincriminatingJPEGpicturebynamingit"invoice.xls"(wrongfilenameextension),therecognizedfiletype"jpg"isstatedintheTypecolumnofthedirectorybrowser.FormoreinformationseethedescriptionofthecolumnsTypeandStatus.Thefilesignaturesandextensionsusedformismatchdetectionaredefinedintheaccompanyingfiletypedefinitionfiles,whichyoumayfullycustomize.Ititthesamedatabasealsousedforfileheadersignaturesearches.Pleasenotethatthelinkbetweenthecurrentdatainafreeclusterandadeletedfile,thatpreviouslywasstoredinthatcluster,anditsfilenameisweak,sothatadiscrepancybetweenfilenameextensionanddetectedtypecansimplybethenaturalresultofareallocationofthisclustertoatotallydifferentfileinthemeantime.Ifyouwishtorepeatthefiletypeverification,e.g.aftereditingthefiletypesignaturedatabase,besuretochecktheAgainoption.ForthestatusoftheTypecolumnofthedirectorybrowser,seethe"Typestatus"column.Mostself-extracting.exearchivesareinternallydetectedbythefilesignaturecheck,too.Theyareclassifiedasthefiletype"sfx"andassignedtothecategory"Archives"sothattheycanbespecificallytargeted.Thispreventsthatcompressedfilesinsucharchivesgototallyunnoticedinaninvestigation..exearchiveswithZipcompressioncanbeviewedinPreviewmode,otherself-extractingarchivesneedtobecopiedofftheimageandopenedwithanappropriatetoollikeWinRARor7-Zip.ThefilesignaturecheckalsorevealshybridMSOfficefiles,i.e.mergedMSWordandMSExceldocumentsthatcanbeopenedinbothapplications,showingdifferentcontents.Anoticeinthemessageswindowwillbedisplayed,andanydetectedfileswillbeassociatedwithaspecialreporttable.HybridMSOfficefilesareacleverattempttoconcealthecontentsofoneofthemergeddocuments.

ExtractInternalMetadataandEventsPartofvolumesnapshotrefinement.Requiresaforensiclicense.a)CancheckthefileformatconsistencyofEXE,ZIP,RAR,JPEG,GIF,PNG,RIFF,BMP,andPDFfiles.TheTypeStatuscolumnwillshowtheresult,either"OK"or"corrupt".b)AllowstoextractinternallystoredcreationtimesfromOLE2compoundfiles(e.g.pre-2007MSOfficedocuments),EDB,PDF,MSOfficeHTML,EML,MDI,ASF,WMV,WMA,MOV,JPEG,THM,TIFF,PNG,GZ,GHO,PGPpubring.pkrkeyring,ETL,SQM,IECookies,CAT,CER,CTL,SHDprinterspool,PFprefetch,LNKshortcut,andDocumentSummaryalternatedatastreams.ThistimestampswillbeshownintheInt.Creationcolumnofthedirectorybrowser.Insomecasestheearliesttimestampwillbeextracted,whichapproximatesthereal,originalcreationdatebest.c)AllowstocopycertainfilemetadatatotheMetadatacolumn,whichwillallowyoutofilterbythismetadata,toexportthemetadatawiththeExportListcommand,andtooutputitwithareporttableinacasereport.MetadatacanbeextractedfromallthefiletypesspecificallysupportedinDetailsmodeplusWindowsshortcutfiles(.lnk)andprefetchfiles(.pf).OnlyasubsetofthemetadatathatyouseeinDetailsmodeisextracted.YouhavetheoptiontostripcertainlinesofftheextractedmetadatainordertonotseethemintheMetadatacolumn,forexampletokeepthecasereportortheoutputoftheExportListcommandmorecompactforprintingorviewingonthescreen,orjustbecausecertainmetadatafieldsarenotrelevanttoyou.Youcanidentifyunwantedmetadatafieldsbyasubstring.Thatsubstringcaneithermatchthefieldname(e.g."FocalLength")orthevalueofthefield(forexampleifyouknowinadvancethatyouarenotinterestedintheAuthorfieldifthenameoftheauthorofadocumentis"JoeHuber").1substringisenteredperline.Substringsmaycontainspaces.Youcanshareyourdefinitionsbysharingthefile"UnwantedMetadata.txt".d)Allowstorestoreoriginalfilesystemmetadata(suchasfilename,timestamps)whenfoundincertainfiletypessuchas$I*recyclebinfilesandiPhonemobilesyncbackupindexes(Manifest.mbdx).Originalfilenamesaretypicallymuchmoremeaningfulthanrandomnamesthatareassignedjusttoguarantee

uniquenessinasingledirectoryforbackuppurposes.Examplesofsuchrandomnamesare3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae(forafileinaniPhonebackup)or$RAE2PBF.jpg(Windowsrecyclebin).ThecurrentfilenameaccordingtothefilesystemcanstillbeseeninsquarebracketsintheNamecolumn,aswellasinDetailsmode,andtheNamefilterwillfindboththeoriginalandthecurrentname,sothatcurrentfilenameisnotcompletelylost.AlternativenamesandtimestampsarealsoextractedfromLinuxPNGthumbnailsasknownfromUbuntuandKubuntudistributions,desktopmanagerMATEandGNOMEThumbnailFactory.ThenameoftheoriginalfileisshowninsquarebracketsintheNamecolumnandtherecordedtimestampoftheoriginalfileisshownasa"Contentcreated"timestamp.ThecompletepathoftheoriginalfilecanbeseenintheMetadatacolumn.e)PopulatestheSenderandRecipientscolumnsfororiginalsinglee-mailfiles(.eml,.emlx,.olk14msgsource).Extractthesubjectofsuche-mailmessagesandshowsitintheNamecolumnifdifferentfromthenameofthefile,andunlessthefileisacarvedfile(i.e.afilewithanartificiallygeneratedfilename),theoriginalfilenamewillbepreservedandshownasanalternativenameinthesamecolumn.f)CreatespreviewsofInternetbrowserSQLitedatabases,whichmayrequirethatthefileshavebeencheckedfortheirtruefiletype.SupportsFirefoxhistory,Firefoxdownloads,Firefoxformhistory,Firefoxsign-ons,Chromecookies,Chromearchivedhistory,Chromehistory,Chromelog-indata,Chromewebdata,Chromesync,Safaricache,Safarifeeds,andSkype'smain.dbdatabaseaboutcontactsandfiletransfers.CreatespreviewsalsoofInternetExplorerindex.datfiles(includingartificialindex.datfilescompiledfromindividualrecordsfromvariouslocationsduringthefileheadersignaturesearch),InternetExplorer10'sWebCacheV*.datfiles,theEdgebrowser'sspartan.edbfile(allfavoritesandReadingListentrieswillbeaddedtotheeventlist),$UsnJrnl:$J,WindowsEventLogs(.evtand.evtx),AppleFSEventlogs.FromiOS'ssms.dballrecordedconversationsviaSMSareextractedtoindividualchatfiles,andallmessagesareaddedtotheeventlist,wheretheycanbefilteredbasedonphonenumberoremailaddress.AlsoextractsbrowsinghistoryinformationfromSafari'sicondatabase.ThisalternativesourceisveryinterestingbecauseitrecordsbrowsinghistoryevenwhenSafariisinprivatebrowsingmode.HTMLpreviewsandviewsofindex.datInternetExplorerbrowsercache/historyfilescontainacolumnwiththeoffsetoftherecordwithinthefilewherethedataof

eachrowhasbeenfound.Thisoffsetispresentedasalink.Ifyouclickit,youwillautomaticallynavigatetothatoffsetinthecorrespondingindex.datfileinFilemodesothatitisconvenienttoverifytheinformationthatX-WaysForensicshasextractedfromtherecordatthatlocation.(Notethatthisworkscorrectlyonlyifthelinkisnotbrokeninto2lines,whichmayhappeninv8.4oftheviewercomponent,butnotinv8.3.7.Anywayyoucanstillnavigatetothatoffsetmanually.)TheHTMLchildobjectsthatwillbegeneratedcannotonlybeusedinternallybyX-WaysForensicsforpreviewsoftheparentfile.YoucanalsoviewallofthesetablesinanexternalprogramsuchasyourpreferredbrowserorinMSExcel,bysendingthesechildobjecttotheprogramofyourchoice(directorybrowsercontextmenu).YoumayhaveX-WaysForenscissplitHTMLtablesafteranarbitrarynumberofrows.YoucansetthisnumbermuchhigherifyoudoviewtheHTMLpreviewsexternallywithyourpreferredInternetbrowserandnotwiththeviewercomponent,whichcannotdealwithverylargetables.TheexistenceofHTMLchildobjectwithsearchabletextforbrowserdata,eventlogsandmoredatasourcesalsoimproveseffectivenessofsearchesandindexing.g)ExtractstablesfromvariousotherSQLitedatabasesinTSVformatandusesthefirstoneasapreviewoftheSQLitedatabasefileitself.h)ExtractstheoriginalrevisionofPDFdocumentsthatwereedited,ifavailable,asachildobject.i)Providestimestampsfromthefilesystemaseventstoanalyzeinaneventlist.j)Providesinternaltimestampsinfilesasevents.k)Agenericrelevanceoffilescanbeestimated.Thisrelevanceisbasedonavarietyoffactors,suchasthetypeofthefile,itsgeneratorifknown(forJPEGandPDFfiles),itscurrentness(lastmodificationdate),whetheritisknownfromanyhashdatabase,thewealthofinternalmetadatathatitcontains,itssize,thevisualcontentofpictures,whetheraPNGfileisasmartphonescreenshot,whetheranHTMLfilehasbeenlocallysavedbytheusermanually,whetherthereissomethingunusualaboutthefile,etc.etc.Theweightwithwhichthecurrentnessandthesizeofafileaffectitscomputedgenericrelevanceisuser-definable.100%meansdefaultweight.50%meanshalfofthat.0%meansthefactorhasnoeffectatall.Themaximumis255%.Therelevanceisnotmerelycontent-based,buttheresultofafundamentalcharacterization.Inparticularthe

generatorsignatureisaprovenance-basedcriterion.Themainideaisthatifyourtimeforexaminationislimited,youcanstartwiththefilesthathavethehighestgenericrelevance,tomaximizeyourchancetofindwhatyouarelookingfor,ifitexists,andfinditratherearly.Tosortlistedfilesbyrelevanceindescendingorder,i.e.prioritizethemforreview,selectNavigation|SortbyRelevancefromthedirectorybrowsercontextmenu.

IncludeContentsofZipandRARArchivesetc.Partofvolumesnapshotrefinement.AforensiclicenseallowstoincludethecontentsofZIP,RAR,ARJ,GZ,TAR,7Zip,andBZIParchivesinthevolumesnapshot,sothatfilesinsucharchivescanbeseparatelylisted,examined,searched,etc.,intheirdecompressedstate,aslongasthearchivesarenotencrypted.Theoretically,thereisnolimittothenumberofnestedlevelsthatcanbeprocessed(i.e.archiveswithinarchiveswithinarchives).Ifthefilesareencryptedinthearchive,theyaremarkedwith"e"intheattributecolumnandthearchiveitselfwith"e!".Thisallowstoeasilyfocusonsuchfilesusingtheattributefilter.DocumentfilesofMSOffice2007/2010/2013,LibreOffice,OpenOffice,andiWorkaretypicallyZiparchives,too,technically,andifsoareprocessedinthesamewaybydefault.Youcanchoosetonotprocessthosefilesifyouortherecipientsofevidencefilecontainersthatyouprepareonlywishtoseethedocumentsasawhole,noembeddedpicturesorXMLfilesseparately,anddon'tneedtoextractmetadatafromtheseXMLfilesandcanrecognizenesteddocuments(documentsembeddedinotherdocuments)themselvesifnecessary.Therearemany,manyotherfiletypesthataretechnicallysubtypesofZipthatareprocessedoptionally.Zipsubtypeswhosecontentsareusuallyirrelevantareforexample.jar,.apkand.ipa,thoughspecialinterestgroupslikemalwareinvestigatorsmightthinkotherwise,sothechoiceisyours.X-WaysForensicstriestodetectandprotectitselfagainstofzipbombsaswellasrecursivezipandgzarchivesandpossiblyotherrecursivearchivetypes.Protectionmeansthatprocessingwillstopatacertainleveloncethemaliciousnatureofthearchiveisdetected.Archivesidentifiedinthisfashionwillbemarkedasalreadyprocessedandaddedtoaspecialinternalreporttable.Pleasenotethatifafterwardsyouwishtomanuallydigdeeperthanthelevelatwhichtherecursiveautomaticexplorationstops,youcandosobymarkingtheinner-mostarchivereachedasstilltobeprocessed(bypressingCtrl+Del)andthenapplyingtheExplorecommandinthecontextmenutoitmanually.

NotethatforZiparchiveswithnon-ASCIIcharactersinfilenamestobeprocessedcorrectly,youneedtopickthecorrectcodepageinthecasepropertiesfirst.E.g.forZiparchivescreatedunderLinux,that'slikelyUTF-8.ForZiparchivescreatedunderWindowswithWinZip,that'slikelyaregionalcodepage.Notealsothatsplit/spanned/segmentedarchivesarenotsupported.EncryptedZip,RAR,and7zfilearchivescanalsobeprocessed,providedthatthepasswordisknownorcanbeguessed.X-WaysForensicswilltryanypasswordlistedineitherthepasswordcollectionofthecurrentcaseorageneralpasswordcollection.Youcaneditthelistrightfromwithinthedialogwindowwiththeoptionsforarchiveprocessing.Thecase-specificpasswordcollectioncanalsobeeditedfromwithinthecaseproperties,anditisstoredinaUTF-16encodedtextinthecasedirectory,named"Passwords.txt".ThegeneralpasswordcollectionisstoredinafileofthesamenameintheinstallationdirectoryorinyourWindowsuserprofiledirectory.AlmostallUnicodecharactersaresupported,includingspacecharactersandChinesecharactersetc.Passwordsareusuallycase-sensitive.Ifthecollectioncontainstherightpasswordforaparticularfilearchive,thatpasswordwillberememberedinthatfile'sextractedmetadataandtakendirectlyfromthereinsteadofthepasswordcollectionifneededagainlatertoreadfilesinthearchive.Alternatively,youcanprovideaspecificpasswordforaparticularfilearchivemanuallyanddirectlybyeditingthatfile'smetadata,youjustneedtoknowthatthepasswordmustbeprependedwith"Password:".(NotetoFrenchusers:Nospacebeforethecolon.)Fileswithinencryptedfilearchivesarenottreatedandshownasencrypted("e"attribute)iftherightpasswordwasavailableatthemomentwhenthefileswereaddedtothevolumesnapshot.Thearchivesthemselvesarestillshownwiththe"e!"attribute.RARarchivesand7ziparchivesinwhichnotonlythefilecontents,butalsothenamesareencryptedarenotcurrentlysupported.

ExtractE-mailMessagesandAttachmentsPartofvolumesnapshotrefinement.Aforensiclicenseallowstoseparatelylistandexaminee-mailmessagesande-mailattachmentsstoredinthefollowinge-mailarchivefileformats:OutlookPersonalStorage(.pst),OfflineStorage(.ost),Exchange(.edb,Exchange2010andearliersupported,2010stillinatestingstage),OutlookMessage(.msg),OutlookTemplate(.oft),OutlookExpress,OutlookforMac,KerioConnect(store.fdbfilesthatcanbeprocessedlikeordinaryPST/OSTfiles),AOLPFCfiles,Mozillamailbox(includingNetscapeandThunderbird),genericmailbox(mbox,Unixmailformat),MHTWebArchive(.mht).Bydefault,X-WaysForensicstriestoextractfromthesefiletypes:pst,ost,edb,dbx,pfc,mbox,eml,emlx,mht,msg,olk14msgsource,olk14message,oft,mbsE-mailmessagesareusuallyoutputas.emlfiles.Toconvenientlyfocusonallextractede-mailmessagesfromalle-mailarchives(andevenprocessedoriginal.emlfiles)itisrecommendedtoexplorerecursivelyandusetheAttributefilter(nottheTypeorCategoryfilter).Thetimestampinthe"Date:"lineinane-mailmessage'sheader(ifaccompaniedbyatimezoneindicatorlike-0700or+0200)islistedasthecreationdate&time.Thetimestampinthe"Delivery-Date:"line(oralternatively,ifnotavailable,thefirst"Received:"line)islistedasthelastmodificationdate&time.Forextractede-mailsandtheirattachments,senderandrecipientwillbedisplayedinthecorrespondingcolumnsinthedirectorybrowser.Youmayfilterbydatesaswellassenderandrecipient.Ife-mailmessageshaveaSender:lineinadditiontoaFrom:line,thenthesenderaccordingtotheSender:lineisnowshownintheSendercolumnofthedirectorybrowseradditionally,aftertheFrom:sender,ifactuallydifferent.Theyaredelimitedbyspacesandapipe(|).Forexample,anEnglishlanguageMSOutlookshowssuche-mailsashavingbeensent"onbehalfof"someoneelse(bytheSender:senderonbehalfoftheFrom:sender).Youcanfilterforsuche-mailsbyenteringapipeasasubstringfortheSendercolumn.Analogously,different

kindsofrecipients(To:,Cc:,andBcc:)aredelimitedbypipesintheRecipientcolumn.Attachmentsandembeddedfilesareextracted,too,iffoundinthee-mailarchive(exceptione.g.AOLPFC)andusuallybecomechildobjectsoftheirrespectivecontaininge-mailmessagesinthevolumesnapshot.Allextractede-mailsandattachmentsactuallyresideintheevidenceobject'smetadatasubdirectoryandmayutilizealotofdrivespace.E-mailextractionfromPSTcanprocesspassword-protectedPSTarchiveswithoutthepassword!ItsupportsthefollowingcodepagesforencodedPSTfiles:ISO8859-1,ISO8859-2,ISO8859-3,ISO8859-4,ISO8859-5,ISO8859-6,ISO8859-7,ISO8859-8,ISO8859-9,ISO8859-10,ISO8859-11,ISO8859-13,ISO8859-14,ISO8859-15,ISO8859-16,koi8-r,koi8-u,1250,1251,1252,1253,1254,1255,1256,1257,1258,874,UTF16,UTF32,UTF8IncertainoldAOLPFCfiles,picturesmaybeembeddedine-mailmessagesinaspecialway.Inthatcase,suchane-mailmessagewillbemarkedwithapaperclipicon,butthepicturewillnotbeseparatelyextracted.Thepicture,ifJPEGorPNG,canbefound,however,whenextractingJPEGandPNGfilesfrom*.pfc.Someadvantagesofthe.emlformatforoutput:E-mailmessagesoutputas.emlfilesarerepresentedassimpleandasauthenticanduniversalasitgets.Theyareeasytounderstand,clearlystructuredintoheaderandbody,andextremelyeasytocompletelyviewinavarietyofsimpleprograms(e.g.texteditor,wordprocessing,Internetbrowser,freee-mailclientslikeThunderbirdandWindowsMail).NocommercialsoftwarelikeMSOutlookneededisneededtoview.emlfiles..emlisthe"natural"formatofe-mail,justlikearawimageisthenaturalformatofadiskimage,ifyouevenwanttocallita"format"(actuallyithasnoadditionalformatspecifications,it'sjustaplainrepresentationofthedatathatitshouldrepresent).An.emlfilecontainsthecompleteoriginalmetadataofthee-mailmessage,fullyintact,exactlyasitwassentanddelivered.Youhavecompletecontroloverthefileifyoucopyitoutforsomeoneelse,canseealldata,canverifythatnounintendeddatamadeitintothefile.Youcaneasilyredactanytextinthebodymanuallywithasimpletexteditor,redactanymetadataintheheader,easilyretroactivelyremoveanyattachmentusingasimpletexteditorifneeded,allofwhichisimpossibletodowithacomplexproprietarybinaryfileformatsuchasMSG.Thegeneralformatof.emlfilescan

beunderstoodbyanyone,anditissimplyatextfile.TheformatofMSGfilescanbeunderstoodonlywithacomputerscienceorprogrammingbackground,andlearningittakesalotoftime.Redactinge-maildatahiddeninMSGfilesisdifficult.Asidetaskofe-mailprocessingistoextractedfilesfrome-mailrelatedMIMarchivesandmakethemaccessibleaschildobjectsinthevolumesnapshotinplainbinaryform.

UncoverEmbeddedDataPartofvolumesnapshotrefinement.Forensiclicenseonly.Allowstocarvefilesofvarioustypesthatareembeddedinfilesofothervarioustypes,throughabyte-levelfileheadersignaturesearchwithincertainfiles.Thisissuccessfuliftheouterfile(hostfile)isintactandtheembeddedfileisnotstoredinthehostfileinafragmentedmanner.Otherwisetheembeddedfilesmayappearascorrupt.NotablythisfunctionsearchesforJPEGandPNGpictures,evenJPEGpicturesinotherJPEGfiles(thosethatcontainthumbnailsofthemselves).Thefilesfoundthiswaywillbegenericallynamedas"Embedded1....jpg","Embedded2....png",etc.Thisfunctionalsoextracts.emffilesembeddedinmulti-pageprintouts(.splspoolerfiles)..splfilesthatcontainasingle.emffileonlycanbevieweddirectlywiththeviewercomponent.Alsoextractedthiswayare.lnkshortcutfilesfrom.customdestinations-msjumplists.Specialinternalalgorithmsexistthatproperlyextract,byfollowingthedatastructuresintherespectivefileformat,eveniffragmented,.lnkshortcutfilesfrom.automaticdestinations-msjumplists,filesofvarioustypesfromOLE2compoundfiles(e.g.MSWord.doc,MSPowerPoint.ppt),Firefoxbrowsercaches(basedon"_CACHE_MAP_"files),Safaribrowsercaches,NortonBackupfiles(N360backup,.nb20)andWindowsVista/7Windows.edbdatabases(fromthelatterevene-mailmessages),andpicturesthatareembeddedasBase64inVCFfiles(electronicbusinesscards).Chromebrowsercachesareprocessedbasedon"index"files,withsupportformultiplestreamsofthesamecacheentry:TheHTTPresponse(named.chrome1)isoutputaswellas,ifpresent,asarecompiledJavaScriptentries(.js1).Ifano-cachedirectivewassentbythewebserver,atleasttheHTTPresponseisstillcached.InPreviewmodeyoucanseeaspecialrepresentationofHTTPresponses.Chromecachescannowalsobeprocessediftheirindexisnotavailable,forexampleifcachefragmentshavebeencarvedorifthecachewaspartiallydeletedorcorrupted.Itmaybepossibleinsomecasesthatabetterextractionresultcanbeachievedwithouttheindex,evenifitispresent.Totrythat,iftheindexhasnotbeenprocessedbefore,youcanhavetheuncoverfunctionprocess"data_4"filesandomittheindex.data_4ispartoftheoptional

"specialinterest"group.Alsoextractedarethumbnailsfromthumb*.dbfiles,fromGoogle'sPicasa3imageorganizerandviewersoftware(thumbindex.dbandrelatedfiles),Photoshopthumbnailcaches(AdobeBridgeCache.bc),CanonZoomBrowserthumbnailcollections(.info),andPaintShopProcaches(.jbf).Thumbnailsincertainveryold"thumbs.db"filescannotbedisplayedcorrectly.Suchthumbs.dbfileswillbeassignedtothereporttable"Unsupportedthumbs.db"andcanbeviewede.g.withthefreelyavailableprogram"DMThumbs"byGreenSpotTechnologiesLtd.Thumbcache*.dbfilesofWindowsVistaandlateraretargetedindirectlyifthumbcache_idx.dbisinthemaskandifthatfileisavailableinthesamedirectory.Thatspeedsuptheextractionandavoidstheoutputofnumerousduplicatethumbnails(onlythehighestavailableresolutionisoutput).Ifthumbcache_idx.dbisinthemask,thatalsomeansthatthumbcache*.dbfilesthatarespecificallyselectedortaggedforprocessingarenotprocessedunlessthethumbcache_idx.dbfileisalsoselected/tagged.Also,fromPDFdocumentsitextractsanykindsoffilesthataremarkedasembeddedplusJPEGandJPEG2000plusAcrobatformfilesinXMLformatplusJavaScriptobjects(thelattermaymakeiteasiertodeterminewhetheraPDFfileshouldbeconsideredmalware).ExtractsindividualcookiefilesfromFirefoxandChromeSQLitedatabases,alsodatablocksembeddedasBase64inXML-formattedPLists(.plist)andrawdatablocksembeddedinbinaryPLists(.bplist).ItisrecommendedtoverifyfiletypesatthesametimesoX-WaysForensicscandistinguishbetweentraditional(XML-formatted)PListsandbinaryPLists(BPLists).ManyPListsdonothavea.plistextensionandneedtobeidentifiedasPListsfirst.SincethetypeoftheembeddeddataisnotidentifiedbythePListassuch,theoutputalsobenefitsfromasimultaneousfiletypeverification.NestedPLists(PListsembeddedinPLists)willalsobeidentifiedandprocessedrecursively.AnotherchildobjectcreatedforPListsrepresentsparsedtextinahuman-readablewayandservesasapreviewofthePListitself.Alsoreconstructse-mailmessagesandextractscontactandaccountinformationfromtheLivecomm.edbdatabase,whichisusedbytheWindowsMailclient(Windows7andnewer),andcontactsfromWindowsLiveMailcontacts.edbdatabase,alsocontactsfromWindowsLiveMessenger'scontacts.edbdatabase.Youcanalsouncovervariouspotentiallyrelevantresourcesin32-bitand64-bitWindowsPEexecutables(programmsandlibraries)aschildobjects,in

particularRCDATA,namedobjects,bitmaps,iconsandmanifests.Usefulforexampleformalwareanalysis.Thisdoesnothappenautomatically,onlyifyouspecificallytargetexecutablefilesviaasuitableseriesoffilemasks.FullyBase64-encodedfilesinthevolumesnapshot,providedthattheyhave"b64"intheTypecolumncanbeautomaticallydecoded,andtheresultisoutputinbinaryas(surprise)achildobject.Lastnotleastthisfunctioncandecompresshiberfil.sysfilesfromWindowsXP,Vistaand7(32and64bit)andautomaticallyaddtheresulttothecaseasrawmemorydumps.hiberfil.sysslack(compresseddatafromprevioususageofahiberfil.sysfile,asfoundneartheend,ifthelastusageachievedstrongercompressionthanprevioususages)isprovidedasachildobjectinitsdecompressedform.Generallyallfilesproducedbythisfunctionareaddedtothevolumesnapshotaschildobjectsoftheirrespectivehostfilesinwhichtheywerefound.Filessmallerthan65bytesarenottouched,forperformancereasons.Twoseparatefilemasksaremaintainedforuncoveringembeddeddatainvariousfiletypes.Thesecondmaskisoptionalandlabelledas"specialinterest".Forexamplemalwareinvestigatorsmaychoosetoalsoprocessexecutablefilesthatwaywhenneeded.Youmayprependanyelementofamaskwithacolontotemporarilyexcludeit,butkeepitinthelistforfuturereference.E.g.:*.jpgmeansnotfileswithjpgastheextensionortype.Infilesofatypeforwhichnointernalextractionalgorithmisbuiltin,X-WaysForensicstriestocarveembeddeddatausingthosefileheadersignaturesthataremarkedinFileHeaderSignaturesSearch.txtwiththeeflag.ThatmeansyoucanhaveX-WaysForensicsuncoverembeddeddatainmanymorefiletypesthanitdoesbydefaultifyoulike!FileheadersignaturesearchinallfilesnotprocessedaboveAseparatesub-operationoptionalallowsyoutofreelycarveanykindoffilewithinanyfilethatisnotprocessedbythefirstsub-operation.Bydefault,filetypeswiththe"e"flagareselectedforthat.Usegreatcautiontoavoiddelaysandcopiousamountsofgarbagefiles(falsepositives)andduplicates.Pleaseapplythisnewfunctionverycarefullyandonlywithagoodreasonto

specificallytargetedfilesonly,suchasswapfilesorstoragefilesinwhichbackupapplicationconcatenateotherfileswithoutcompression,notblindlytoallfilesorrandomfiles.Rememberwithgreatpowercomesgreatresponsibility.Signaturesmarkedwiththe"E"flag(uppercase)arenevercarvedwithinotherfiles,topreventtheworsteffects,forexampleMPEGframescarvedwithinMPEGvideos,ziprecordscarvedwithinziparchives,.eml,.htmland.mboxfilescarvedwithine-mailarchives,.hbinregistryfragmentscarvedwithinregistryhives.Ifyouknowwhatyouaredoing,ofcourseyoucouldremovetheEflag.Thereisanoptiontoapplythecarvingprocedurerecursively,thatistoalsocarveinfilesthatwerealreadycarvedwithinotherfilesthemselves.Thiscanleadtomanyduplicatesiftheouterfileatlevel1iscarvedtoobigsothatfilescanbecarvedinitthatwerealsocarvedatlevel0(theoriginalfile).Forsituationswereyouwanttocarveembeddedfilesthatarenotalignedat512-byteboundariesintheoriginalfile,youmaymakeuseoftheextensivebyte-leveloption.Filesarenevercarvedin$MFT.ThedefaultsettingswillmakeX-WaysForensicsconductafileheadersignaturesearchesatthebytelevelwithinpagefile.sysfiles,tofinde-mailfragments,.lnkshortcutfiles,pictures,etc.

CaptureStillImagesfromVideosPartofvolumesnapshotrefinement.AforensiclicenseallowstosporadicallycapturestillimagesfromvideofilesinJPEGformat.Thishappenseitherinauser-definedinterval(e.g.every20seconds)thatcanbedynamicallybasedontheplaylengthofthevideo,oryoucanoptforafixednumberofvideostillspervideo(1-255),nomattertheplaylength.Whilefixed-lengthintervalsresultinnumberofstillsthatgrowsproportionallywiththeplaylength,thefixedabsolutenumberlimitsyourworkloadifyouaregoingtolookatallstillsinthegallery,andalsodecreasesthetimetoprocesslongvideos,butofcourseatthecostofbeinglessthoroughandanincreasedriskofmissingsomethingshouldanysuspecthiderelevantcontentsomewherewithinaninnocuousvideo.X-WaysForensicstriestoextractafixednumberofstillsevenlyfromalloverthevideotogivearepresentativeimpressionofit.Thisfunctionalityisappliedtofileswhosetypematchesthespecifiedfilemaskseries.Requiresanexternalprogram(MPlayer),andrequiresthatthevolumeisassociatedwiththeactivecase.PicturescanbeextractedfromallthevideoformatsandcodecssupportedbyMPlayer.Usefulifyouhavetosystematicallycheckmanyvideosforinappropriate,illegal,orotherwiserelevantcontent(e.g.childpornographyorterroristtrainingcampinstructions).Theuseofintervalsensuresthatyouwon'tmissnotablepartsthatarehiddeninthemiddleofaharmlessvacationorbirthdaypartyvideo.Extractingpicturesconsiderablyreducestheamountofdata,andlookingatstillsinthegalleryismuchfaster,efficientandmorecomfortablethanhavingtowatchallvideosoneaftertheother.Thepotentiallytime-consumingextractionprocesscanberununattendede.g.overnightbeforehand.Alsousefulifyouneedtoincludeextractedpicturesinaprintedreport.ThefirstextractedpictureatthesametimeoptionallycanserveasapreviewpictureforthevideofileinPreviewandGallerymode.ASF/WMVvideosprotectedwithDRMcannotbeprocessedandareconsequentiallymarkedwithe!intheAttr.column.Notethatyoumayhearoccasionalsoundfromthevideos.Pleaseturnoffsoundonyourcomputerifyouwishtoavoidthis.Notealsothatifyouselectasmallinterval(likesmallerthan5seconds),youmaynotnecessarilyget

additionalpictures.Thisdependsonhowthevideowasencoded/compressed.DuplicatestillsareomittedwhenextractingpictureswithMPlayer.OnceJPEGpictureshavebeenexportedfromvideos,thevideoscanoptionallybedynamicallyrepresentedinthegallery,withallextractedstills,showingthemstillsinaloop,togiveamuchmorecompleteimpressionofthecontentsofvideoswithoutfurtheruserinteraction(withouthavingtoexplorethem).Thusanalternativeefficientwaytoreviewalargenumberofvideosisthis:Explorerecursively,filterforvideos,sortindescendingorderbynumberofchildobjects(sothatvideoswithasimilarnumberofstillsareshowntogether),andactivateGallerymode.Watchthevariousvideostillsforeachvideo.Proceedtothenextgallerypagewhenyouareconfidentthatnoincriminatingvideosarerepresentedonthecurrentpage,forexamplewhenallstillshavebeenshown,whichyouwillknowisthecasewhenthegalleryhasrotatedbacktothefirststillforeachvideo.Asmallamountofmetadataisextractedfromvideoswhenexportingstills,usuallycoding/compressionformat,resolution,bitsperpixel,framespersecond,dataratepersecondforvideodata.Thatisinadditiontothemetadatathatisprovidedbytheregularmetadataextraction.

PictureAnalysisandProcessingPartofvolumesnapshotrefinement.Aforensiclicenseadditionallyallowstocomputethepercentageofskincolorsinpicturesandtodetectblack&whitepictures.ThiscanbedoneforthefiletypesJPEG,PNG,GIF,TIFF,BMP,PSD,HDR,PSP,SGI,PCX,CUT,PNM/PBM/PGM/PPM,ICO.Thedetectionofblack&whiteorgray-scalepicturesisusefulwhenlookingfordocumentsthatwerescannedandfaxesthatwerestoredelectronically.Aforensicexaminerwhohastolookfortracesofchildpornographycansortpicturesbyskincolorpercentageindescendingordertoimmenselyacceleratethejob.Checkingthemassof0%..9%skincolorpercentagepictures(e.g.thousandsofbrowsercachegarbagefiles)maynotbenecessaryanymoreasthemostlikelyincriminatingfileswillbesortednearthetopofthelist.Pleasenotethattheremaybefalsepositives,i.e.skin-likecolorsofanon-skinsurface.Picturesthatcannotbecorrectlyscannedfortheircolorcontents,e.g.becausetheyaretoolargeorcorrupt,willbelistedwithaquestionmarkinsteadoftheskincolorpercentage.Pictureswithverysmalldimensions(widthorheightnomorethan8pixels,orwidthtimesheightnomorethanyouindicate)willbemarkedasirrelevantwiththeassumptionthattheycannotcontainincriminatingpornographyordocuments.ForlargeJPEG,PNG,GIFandTIFFfiles,atthesametimewhenanalyzingthecolorsinthepicturesduringvolumesnapshotrefinement,X-WaysForensicscanoptionallyalsocreatethumbnailsinadvanceformuchquickerdisplayupdatesinGallerymodelater.Internalthumbnailsareonlycreatedifnooriginalthumbnailsareembeddedinthefilesandextractedatthesametime,andtheyareactuallyutilizedforthegalleryonlyifauxiliarythumbnailsareenabled(seeOptions|General).Itispossibletospecifyyourpreferredresolution(maximumwidthorheightinpixels)andquality(JPEGcompressionfactor)ofthethumbnails.However,themaximumamountofdatathatcanbestoredinthevolumesnapshotforathumbnailislimited,to64KB,soifageneratedthumbnailgetslargerthanthat,X-WaysForensicswillautomaticallyreducetheuser-definedresolutionaccordingly.Todiscardallinternalthumbnails,butkeepthecomputedskincolorpercentages,youmaydeletethefile"Secondary1"inthe"_"subdirectoryofanevidenceobjectbehindX-WaysForensics'back,i.e.whentheevidenceobjectisnotcurrentlyopen.

IfyouhaveaninternalPhotoDNAhashdatabase,knownphotoscanberecognizedautomaticallyevenifvisuallyaltered.Ifyouselectmorestrictmatching(allowlessvariationinapicture),theprocesscanbenoticeablyfasterinhugedatabases.AnyresultingmatchescanbeseenandfilteredinthecombinedAnalysiscolumn.PleasenotethatphotosthatarerecognizedviaPhotoDNAalreadyarenotadditionallycheckedfortheamountofskintone.PhotoDNAhashvaluesarecomputedandmatchedonlyifthepicturecontainsatotalnumberofpixelsthatislargerthanauser-definedminimum(widthtimesheight).Thisavoidsdatabaselook-upsthatcanbetime-consuminginverylargePhotoDNAhashdatabasesandtypicallyhavenobenefitforsmallgarbagepictures.Theminimumdimensionsallowedasaconditionare50x50pixels.ThePhotoDNAalgorithmintrinsicallyrequiresacertainminimumnumberofpixelstoprovidemeaningfulresults.Ifyouselectthelowestpossiblestrictnesslevelformatching(level1),youwillbeaskedwhetheryouarereallycertain,asthatlevelisknowntooccasionallydeliverfalsematches.ThatlevelisofferedinX-WaysForensicsonlybecauseitisprovisionallysuggestedbytheoriginaldevelopersofPhotoDNA.TherecommendedanddefaultlevelinX-WaysForensicsislevel3.ItispossibletomoreconvenientlymatchpicturesagainstthePhotoDNAhashdatabaseagain,forexampleafterhavingaddedsomehashvaluestothedatabaseorafterhavingassignedhashvaluestodifferentcategories,thankstoanewcheckboxsimplylabelled"Again".Youcanstilluncheckthe"Alreadydone?"checkboxforthewholepictureanalysisandprocessingoperationtoalsodiscardtheresultsoftheskincolorcomputationandprecomputedthumbnailsandregeneratebothplusthePhotoDNAmatchesfromscratch.Pleasenotethatwiththe"Again"optionwhenre-usingpreviouslycomputedPhotoDNAhashes,changestothestateofthecheckbox"Recognizepicturesevenifmirrored"havenoeffect.Thatmeansifpreviouslyuncheckedwhenhashvalueswerecomputedforthefirstandstoredinthevolumesnapshot,checkingitlaterwhenre-usingthestoredhashvalueswon'tdoanygood.MatchingpicturesagainstthePhotoDNAhashdatabaseanothertimeismuchfasterifduringapreviousrunyouhaveX-WaysForensicsstorethecomputedPhotoDNAhashesinthevolumesnapshot.Savesthetimetoreadthefilesfromthedisk/imageagainandtodecode/decompresstheJPEGdataorotherformatsagain(time-consumingforhigh-resolutionphotos)andtorecomputethehashvalues.PleasenotethatPhotoDNAhashesrequireconsiderablymoredrivespacethanordinaryhashes.Also,morethanonePhotoDNAhashmayberequiredfor

justonepicture.Itisrecommendedtostorethehashvaluesinthevolumesnapshotforfuturefastre-matchingonlyifyouexpectyourPhotoDNAhashdatabasetochangeduringprocessingofacase,forexampleifitislikelythatyouoryourcolleaguesdiscoverfurtherrelevantpicturesinthatcase,forcingyoutosearchforothercopiesofthesepictures.Todiscardstoredhashvaluesyoucaneithertakeanewvolumesnapshot,oralternativelyyoumaydeletethefile"PDNA"inthe"_"subdirectoryoftheevidenceobject,wherethevolumesnapshotisinternallystored.IfmatchesarereturnedfromregularhashdatabasesaswellasthePhotoDNAhashdatabaseatthesametimewithconflictingcategorizations,the"moresevere"categoryprevails:unknown<knowngood<known,butuncategorized<knownbad.TheoptiontomarkafileasalreadyviewedwhenitgetscategorizedasirrelevantisnowappliedtothecombinedresultofordinaryhashdatabaseandPhotoDNAhashdatabasematching.

FileFormatSpecificandStatisticalEncryptionTestsPartofvolumesnapshotrefinement.Aforensiclicenseallowstooptionallyperformfileformatspecificandstatisticalencryptiontests.Withanentropytest,eachexistingfilelargerthan255bytesischeckedwhetheritisfullyencrypted.Ifthetestispositive(theentropyexceedsacertainthreshold),thefileisflaggedwith"e?"intheattributecolumn,toindicatethatitmightdeservespecialattention.Typicalexample:Encryptedcontainerfiles,whichcanbemountedbyencryptionprogramslikeTrueCrypt,PGPDesktop,BestCrypt,orDriveCryptasdriveletters.TheentropytestisnotappliedtoZIP,RAR,TAR,GZ,BZ,7Z,ARJ,CAB,JPG,PNG,GIF,TIF,MPG,andSWFfiles,whicharewell-knowntobecompressedinternallyandthereforealmostindistinguishablefromrandomorencrypteddata.ThistestisnotneededtodetectthatfilesareencryptedattheNTFSfilesystemlevelorinsidearchives.Secondly,documentswiththeextensions/types.doc(MSWord4...2003),.xls(MSExcel2...2003),.ppt,.pps(MSPowerPoint97-2003),.mpp(MSProject98-2003),.pst(MSOutlook),.docx(MSWord2007...2010),.xlsx(MSExcel2007...2010),.pptx,.ppsx(MSPowerPointer2007-2010),.odt(OpenOffice2Writer),.ods(OpenOffice2Calc)and.pdf(AdobeAcrobat)arecheckedforfileformatspecificencryption,MSOfficedocumentsalsofordigitalrightsmanagement(DRM)protection.Ifpositive,thesefilesareflaggedwith"e!"intheattributecolumn.Thischeckrequiresthattheseparateviewercomponentisactive.Additionally,theencryptiontestcandetecteCryptfs-encryptedfiles(filesstoredbytheEnterpriseCryptographicFileSystemforLinux),withatestthatisbasedoneCryptfsimplementationsforUbuntu8.10,9.04,9.10and10.04.Suchfileswillbymarkedwith"E"intheAttributescolumn,justlikeEFS-encryptedfilesinNTFS.

IndexingPartofvolumesnapshotrefinement.Availableonlywithaforensiclicense.Readsthedatawiththesamelogicasalogicalsearch,withthesameadvantages(seethattopic).Createsindexesofallwordsinallorcertainfilesinthevolumesnapshot,basedoncharactersyouprovide,basedontheUnicodecharactersetand/oruptotwocodepagesthatyouselect.Itispossibletohaveuptothreesuchindexesperevidenceobject(e.g.CyrilliccharactersindexedinUnicodeandtwoCyrilliccodepages).X-WaysForensicsallowsyoutoconvenientlyselectcharactersfrommorethan22languagesforindexing.Currently,mostEuropeanandmanyAsianlanguagesarepredefined,e.g.German,Spanish,French,Portuguese,Italian,Scandinavianlanguages,Russian,SouthSlaviclanguages,EasternEuropeanlanguages,Greek,Turkish,Hebrew,Arabic,Thai,Vietnamese.Youmayspecifyeachandeverycharacterexplicitly,orspecifyrangesofcharactersthatcanoptionallybefollowedbyadditionalsinglecharacters(e.g.a-zA-Zäöü)iftheeditboxforthecharacterpoolstartswith"range:".Toindexthedashitself(notrecommended),specifyitasthelastcharacterintheeditbox.Indexingisapotentiallytime-consumingprocessandmayrequirealargeamountofdrivespace(ruleofthumbfordefaultsettingsandaveragedata:5-25%oftheoriginalamountofdata).However,theindexwillallowyoutoconductfurthersearchesveryquicklyandspontaneously.Theindexfilesaresavedinthesubdirectoriesofthemetadatafolderofthecorrespondingevidenceobject.Thescopeoftheindex,i.e.whichfilesaretobeindexed,canbefine-tuned.Notethattheindexofpartitionedmediasuchasphysicalharddiskssolelycoversunpartitionedareas.That'sbecauseeachpartitioncanhaveitsownindex.Wordsshorterthanalowerlimityouspecifyareignored.Thelongertheminimumlengthincharacters,thesmallertheindexandthefastertheindexingprocedure.Thedefaultlowerlimitis4characters.Frequentirrelevantwordscanbeexcludedfromtheindexintheexceptionlistwithaminusprefix(e.g.-and,if3-letterwordsarealreadyaccepted),whichreducesthesizeoftheindexandthetimeneededtocreateit.Thelargertherangeofacceptedwordlengths,thelargertheindexbecomesandthemoretimeindexingtakes.Important3-letterwordscanbeaddedtotheexclusionlistwithaplusprefix(e.g.+xtc),whichoverridesthedefaultlowerlimitof4characters.Theexceptionlistdoesnothavetobe

sortedalphabetically.Wordsintheexceptionlistlongerthantheupperlimityouspecifyaretruncatedintheindex.Wordsintheexceptionlistareboundbythecharacterpoolandcannotcontaindifferentcharacters.X-WaysForensicscanoptionallydistinguishbetweenuppercaseandlowercaseletters,i.e.createacase-sensitiveindex.Thiscanbeusefule.g.ifyoucreatetheindexforthepurposeoflaterexportingawordlistforacustomizeddictionaryattack.IfyouhaveX-WaysForensicsincludesubstringsintheindex,thiswillfurtherslowdownindexcreation(byafactorof3to5)andinflatetheindex,however,youwilllaterbeabletofinde.g."wife"in"housewife"and"solve"in"resolve".Ifyoudonotincludesubstringsintheindex,itwillstillbepossibletosearchtheindexforsubstringslater,buttheresultwillbeincomplete,andthesearchspeedmuchslower.Pleasenotethatitistheresponsibilityoftheusertoenablesubstringindexingifthewordsinthelanguagetoindexarenotdelimitedwithspaces(Chinese,Japanese,Thai,...).Indexingwillbeunnecessarilyslowifthedatatobeindexedresidesonthesamediskwiththecasefileanddirectory,wheretheindexiscreated.TrytoavoidindexingwithanactiveInternetconnectionifyourWindowssystemisconfiguredtodownloadupdatesandrebootautomaticallyuponinstallation.Optionally,textincertainfiletypescanbedecodedforindexing(cf.LogicalSearch),anditispossibletocreateindexesformultipleselectedcomputermedia/imagesassociatedwithacaseinasinglestep.Youcanindexinuptosixdifferentcodepagessimultaneously.ItispossibletodefineacharactersubstitutionlistinUnicodethatcausescertainletterstobeindexedasotherletters(e.g."é"asjust"e").Thiswillallowyoutofindcertainspellingvariationswithasingleindexsearch,e.g.boththename"René"withanaccentedeattheendand"Rene"without,witheitherspelling.Thislistmusthavethestructureé>eè>eà>a...(i.e.1substitionperline)andneedstobepresentasaUnicodetextfilenamed"indexsub.txt"thatstartswiththeLEUnicodeindicator0xFF0xFE.

"indexsub.txt"isanoptionalfileandexpectedintheX-WaysForensicsinstallationdirectory.Youwillbewarnedifyoudefineaspacecharacteraspartofwords.Thatisbecausespacecharactersaremeanttodelimitwords,theyarenotpartofthewordsthemselves.Ifaspacecharacterisdefinedtobepartofwords,thatmeansawholesentencelike"MikeSmithlosthiscreditcardtoday."isconsideredjustasingleword.Youcandeleteallindexesforanevidenceobjectbyremovingthe"Alreadydone"checkmarkintheRefineVolumeSnapshotdialog.Thiswillalsoclearthe"i"flagfromallindexedfilesinthevolumesnapshot.SearchinIndex:Afterindexingfiles,youmaysearchtheindexforkeywordsveryquickly,usingtheSimultaneousSearchfunction.Select"SearchinIndex"fromthedrop-downboxatthebottom.Anythinginexcessofthemaximumwordlengthusedforindexingisignored(sothat"ridiculous"isfoundintheindexevenifintheindexthatwordwastruncatedto"ridicul"basedonamaximumwordlengthof7letters).X-WaysForensicsdoesnotdistinguishbetweenuppercaseandlowercaselettersexceptifacase-sensitiveindexwascreated.Inasearchhitlistpopulatedbyanindexsearch,physicaloffsetsarenotavailable.Youmayconvenientlyrunnon-GREPindexsearchesforsearchtermsthatcontainspacecharacters,justlikeinconventionalsearches.Thisisveryimportantfornames(e.g."JohnDoe"or"XYZTechnologyLtd")andspacedcompoundwords(e.g."bankaccount"or"creditcardlimit").Thisworkseveniftheindividualcomponentsofthecompoundalreadyexceedthemaximumwordlengththatwasindexed(bydefault7characters),sothatyouwillhavenotroublefinding"basketballpositions"(10+9letters)or"skyscraperarchitecture"(10+12letters).Justasalwaysthecomponentsareonlymatcheduptothelengththatwasindexed,whichisnotabigproblembecausetherearenotmanywordsotherthan"basketball"and"skyscraper"thatstartwith"basketb"or"skyscra",respectively.Infactthespacesinthesearchtermsmatchunindexedworddelimitersotherthanspacesaswell,suchashyphens,soyouwillalsofind"Spider-Man"and"freeze-dried"whensearchingfor"spiderman"and"freezedried",orunderscoresasin"bank_account"(thinkofafilenamelike"bank_account.html"),orplussignsasin"credit+card"(e.g.commoninGooglesearchURLswhensearchingformorethan1word),orperiodsasin

"interview.pdf".Sointhatrespectindexsearchesareevenmorepowerfulthanconventionalsearches.Definingspacesasbeingpartofwordsisabigno-no.

EditModesTheinfopanedisplaysforeachfile/disk,inwhichmodeitwasopenedintheprogram.Theinfopane'scontextmenuallowstoselectivelychangetheeditmodeoftheactivewindow.Read-only/Viewmode:Recommendedforcomputerforensicexaminations.Inordertoenforcestrictforensicprocedures,theonlymodeavailableinX-WaysForensics,exceptforfilesinthecurrentcase'sdirectoryandinthegeneralfolderfortemporaryfiles,toallowtodecode,decrypt,andconvertthem,etc.Filesordisksthatareopenedinviewmodecannotbe(intentionallyoraccidentally)edited/alteredinWinHex,onlyviewed.Inotherwords,theyareopenedwrite-protected=read-onlybyWinHex.Defaulteditmode:Modificationstofilesordisksopenedindefaulteditmodearestoredintemporaryfiles.Thosetemporaryfilesarecreatedandmaintaineddynamicallywhenneeded.OnlywhenyouclosetheeditwindoworusetheSavemenucommandtheFileMenu,themodificationsareflushedandtheoriginalfileordiskisupdated,afterpromptingtheuser.In-placeeditmode:Pleaseusecautionwhenopeningfilesordisksinin-placeeditmode.Allkindsofmodifications(keyboardinput,filling/removingtheblock,writingclipboarddata,replacements,...)arewrittentotheoriginalfileordisk("in-place")withoutprompting!Itisnotnecessarytosavethefilemanuallyafterhavingmodifiedit.Instead,themodificationsaresavedlazilyandautomatically,atlatestwhenclosingtheeditwindow.However,youmayusetheSavecommandtoensurethebufferisflushedatagiventime.Thein-placeeditmodeispreferableifthedatatransferfromtheoriginaltothetemporaryfileandvice-versa,whichisobligatoryindefaulteditmodeforcertainoperations,consumedtoomuchtimeordiskspace.Thismaybethecasewhenopeningverylargefilesorwhenmodifyinghugeamountsofdata.Sinceusuallynotemporaryfilesareneededinin-placeeditmode,thiseditmodeisgenerallyfasterthanthedefaulteditmode.Thein-placeeditmodeistheonlymodeavailablewhenusingtheRAMeditor.Hint:Eveninin-placeeditmodethecreationofatemporaryfileisunavoidablewhenalteringthefilesize.Ifyouopenfilesusingtheoperatingsystem(e.g.viaFile|Open,fromanydrive

lettercurrentlyavailableinWindows),thenoperatingsystemfilewritecommandswillbeusedtochangeafileonthedisk.However,inWinHexitisevenpossibletoeditfileswithoutusingoperatingsystemfilewritecommands,directlyonadisk/inarawdiskimageinanyfilesystemsupported,evenifthatfilesystemisnotknowntoWindows,evenfilesnotseenbyWindows(e.g.deletedfiles),eveninpartitionsnotseenbyWindows(e.g.bydamagedordeleted),withoutchanginganytimestampsorattributes,inin-placemodeonly.Forthiseditingcapability,thefilemustbeenopenedfromwithinthealreadyopenedvolumethatcontainsit,eitherviatheOpencommandinthedirectorybrowsercontextmenuorinFilemode(forensiclicenseonly).Compressedfilesorgenerallyfileswithinotherfiles(e.g.e-mailsandattachmentsine-mailarchives)cannotbeedited,exceptinanevidencefilecontaineriftheyhavebeencopiedtherefromtheoriginaldisk/image.Notethatfilescannotbeshortenedorexpandedthatway,onlythedatainalreadyallocatedareascanbemodified.Editingfilesopeneddirectlyfromwithindisks/rawimagesasdescribedaboveispossibleinWinHexonly,notinX-WaysForensicsorX-WaysInvestigator,wheresectorlevelwriteaccess(towhichfileeditingisinternallytranslated)isdisabledandwheretheonlymodeavailablefordisksandinterpretedimagesandfilesopenedfromwithinvolumesisread-onlymode.X-WaysForensicscanbeeasilyranasWinHexifpreferred(simplyrenamethe.exefile,details).Inforensiccomputing,electronicdiscoveryandITsecurity,thiseditingcapabilitycanbehelpfultomanuallyredact(e.g.overtype)specificdatathatshouldnotbeexamined/disclosed/seenortosecurelyerasespecificareaswithinfiles(e.g.defineasablockandfilltheblock).Notethatevidencefilecontainersarerawimagesiftheyhavenotbeenconvertedtothe.e01evidencefileformatandthusallowforretroactivefileediting,which,howeverwillinvalidateanyaccompanyinghashvalues.Itisevenpossibletoeditdirectories,i.e.theclusterswithdirectorydata,e.g.INDXbuffersinNTFS,forexampleifyouneedtoredactthenamesofcertainfiles.

ScriptsSomeofthefunctionalityofWinHexcanbeusedinanautomatedway,e.g.tospeeduprecurringroutinetasksortoperformcertaintasksonunattendedremotecomputers.Theabilitytoexecutescriptsotherthanthesuppliedsamplescriptsislimitedtoownersofaprofessionalorhigherlicense.ScriptscanberunfromtheStartCenterorthecommandline.Whileascriptisexecuted,youmaypressEsctoabort.Becauseoftheirsuperiorpossibilities,scriptssupersederoutines,whichweretheonlymethodofautomationinpreviousversionsofWinHex.WinHexscriptsaretextfileswiththefilenameextension".whs".Theycanbeeditedusinganytexteditorandsimplyconsistofasequenceofcommands.Itisrecommendedtoenteronecommandperlineonly,forreasonsofvisualclarity.Dependingonthecommand,youmayneedtospecifyparametersnexttoacommand.Mostcommandsaffectthefileordiskpresentedinthecurrentlyactivewindow.Scriptcommandsarecase-insensitive.Commentsmayoccuranywhereinascriptfileandmustbeprecededbytwoslashes.Parametersmaybe255characterslongatmost.Whereindoubtbecausehexvalues,textstrings(orevenintegernumbers)areacceptedasparameters,youmayusequotationmarkstoenforcetheinterpretationofaparameterastext.Quotationmarksarerequiredifatextstringorvariablenamecontainsoneormorespacecharacters,sothatallcharactersinbetweenarerecognizedasconstitutingoneparameter.Ifthetextwithinquotationmarksisthenameofadefinedvariable,thevariablewillbeusedastheparameter.Wherevernumericalparametersareexpected(integernumbers),theintegratedformulaparserallowsyoutousemathematicalexpressions.Suchexpressionsneedtobeenclosedinbrackets.Theymustnotcontainspacecharacters.Theymaymakeuseofvariablesthatcanbeinterpretedasintegernumbers.Supportedoperationsareaddition(+),subtraction(-),multiplication(*),integerdivision(/),modulardivision(%),bitwiseAND(&),bitwiseOR(|),andbitwiseXOR(^).Validmathematicalexpressionsareforexample(5*2+1),(MyVar1/(MyVar2+4)),or(-MyVar).Thefollowingisadescriptionofcurrentlysupportedscriptcommands,includingexampleparameters.

Create"D:\MyFile.txt"1000Createsthespecifiedfilewithaninitialfilesizeof1000bytes.Ifthefilealreadyexists,itisoverwritten.Open"D:\MyFile.txt"Open"D:\*.txt"Opensthespecifiedfile(s).Specify"?"astheparametertolettheuserselectthefiletoopen.OpenC:OpenD:Opensthespecifiedlogicaldrive.Specify":?"astheparametertolettheuserselectalogicaldriveorphysicaldisktoopen.Open80hOpen81hOpen9EhOpensthespecifiedphysicalmedia.Floppydisknumberingstartswith00h,fixedandremovabledrivenumberingwith80h,opticalmedianumberingwith9Eh.Optionally,youmaypassasecondparameterwiththeOpencommandthatdefinestheeditmodeinwhichtoopenthefileormedia("in-place"or"read-only").CreateBackupCreatesaWHXbackupoftheactivefileinitscurrentstate.CreateBackupEx0100000650true"F:\Mybackup.whx"CreatesaWHXbackupoftheactivedisk,fromsector0throughsector1,000,000.Thebackupfilewillbesplitautomaticallyatasizeof650MB.Compressionisenabled("true").Theoutputfileisspecifiedasthelastparameter.Ifthebackupfileshouldnotbesplit,specify0asthethirdparameter.Todisablecompression,specify"false".TohavetheBackupManagerautomaticallyassignafilenameandplacethefileinthefolderforbackupfiles,specify""asthelastparameter.

Goto0x128GotoMyVariableMovesthecurrentcursorpositiontothehexadecimaloffset0x128.Alternatively,anexistingvariable(upto8byteslarge)canbeinterpretedasanumericvalue,too.Move-100Movesthecurrentcursorposition100bytesback(decimal).Write"Test"Write0x0D0AWriteMyVariableWritesthefourASCIIcharacters"Test"orthetwohexadecimalvalues"0D0A"atthecurrentposition(inoverwritemode).Canalsowritethecontentsofavariablespecifiedastheparameter.Movesthecurrentpositionforwardbythenumberofbyteswritten.Whentheendofthefileisreached,toaccomplishthat,anullbyteisappended.UsefulsothatfurtherWritecommandsdon'toverwritethelastbytewrittenbythepreviousWritecommand.Write2IdenticaltoWrite,butdoesnotappendanullbyteiftheendofthefilehasbeenreached.SoitisnotsafetoassumethatWrite2alwaysmovesthecurrentpositionforwardbythenumberofbyteswritten.Insert"Test"Functionsjustasthe"Write"command,butininsertmode.Mustonlybeusedwithfiles.ReadMyVariable10Readsthe10bytesfromthecurrentpositionintoavariablenamed"MyVariable".Ifthisvariabledoesnotyetexist,itwillbecreated.Upto48differentvariablesallowed.Otherwaystocreatevariables:Assign,GetUserInput.ReadLnMyVariableReadsfromthecurrentpositionintoavariablenamed"MyVariable"untilthenextlinebreakisencountered.Ifthevariablealreadyexists,itssizewillbeadjustedaccordingly.

CloseClosestheactivewindowwithoutsaving.CloseAllClosesallwindowswithoutsaving.SaveSaveschangestothefileordiskintheactivewindow.SaveAs"C:\NewName.txt"Savesthefileintheactivewindowunderthespecifiedpathandfilename.Specify"?"astheparametertolettheuserselectthedestination.SaveAllSaveschangesinallwindows.TerminateAbortsscriptexecution.ExitTerminatesscriptexecutionandendsWinHex.ExitIfNoFilesOpenAbortsscriptexecutionifnofilesarealreadyopenedinWinHex.Block100200Block"MyVariable1""MyVariable2"Definestheblockintheactivewindowtorunfromoffset100tooffset200(decimal).Alternatively,existingvariables(eachupto8byteslarge)canbeinterpretedasnumericvalues.Block10x100Definestheblockbeginningtobeatthehexadecimaloffset0x100.Avariableisallowedastheparameteraswell.Block20x200Definestheblockendtobeatthehexadecimaloffset0x200.Avariableisallowedastheparameteraswell.

CopyCopiesthecurrentlydefinedblockintotheclipboard.Ifnoblockisdefined,itworksasknownfromtheCopycommandintheEditmenu.CutCutsthecurrentlydefinedblockfromthefileandputsitintotheclipboard.RemoveRemovesthecurrentlydefinedblockfromthefile.CopyIntoNewFile"D:\NewFile.dat"CopyIntoNewFile"D:\File+MyVariable+.dat"Copiesthecurrentlydefinedblockintothespecifiednewfile,withoutusingtheclipboard.Ifnoblockisdefined,itworksasknownfromtheCopycommandintheEditmenu.Cancopydisksectorsaswellasfiles.Allowsanunlimitednumberof"+"concatenationsintheparameter.Avariablenamewillbeinterpretedasanintegerifnotbelargerthan2^24(~16Mio.).Usefulforloopsandfilerecovery.PastePastesthecurrentclipboardcontentsatthecurrentpositioninafile,withoutchangingthecurrentposition.WriteClipboardWritesthecurrentclipboardcontentsatthecurrentpositioninafileorwithindisksectors,withoutchangingthecurrentposition,byoverwritingthedataatthecurrentposition.ConvertParam1Param2Convertsthedataintheactivefilefromoneformatintoanotherone.ValidparametersareANSI,IBM,Binary,HexASCII,IntelHex,MotorolaS,Base64,UUCode,LowerCase,UpperCase,hiberfil,incombinationsasknownfromtheConvertmenucommand.AESEncrypt"MyPassword"Encryptstheactivefileordisk,orselectedblockthereof,withthespecifiedkey(upto32characterslong)withAES.AESDecrypt"MyPassword"

Decryptstheactivefileordisk.Find"John"[MatchCaseMatchWordDownUpBlockOnlySaveAllPosUnicodeWildcards]Find0x0D0A[DownUpBlockOnlySaveAllPosWildcards]SearchesintheactivewindowforthenameJohnorthehexadecimalvalues0x0D0A,respectively,andstopsatthefirstoccurrence.Otherparametersareoptional.Bydefault,WinHexsearchestheentirefile/disk.TheoptionalparametersworkasknownfromusualWinHexsearchoptions.ReplaceAll"John""Joan"[MatchCaseMatchWordDownUpBlockOnlyUnicodeWildcards]ReplaceAll0x0A0x0D0A[DownUpBlockOnlyWildcards]Replacesalloccurrencesofeitherastringorhexadecimalvaluesintheactivefilewithsomethingelse.Canonlybeappliedtoadiskifinin-placemode.IfFoundAbooleanvaluethatdependsonwhetherornotthelastFindorReplaceAllcommandwassuccessful.PlacecommandsthatshallbeexecutedifsomethingwasfoundaftertheIfFoundcommand.IfEqualMyVariable"HelloWorld"IfEqual0x12345678MyVariableIfEqualMyVariable1000IfEqualMyVariableMyOtherVariableIfEqualMyVariable(10*MyOtherVariable)Compareseithertwonumericalintegervalues(eachofthembeingaconstantvalue,anintegervariableoramathematicalexpression)ortwovariables,ASCIIstrings,orhexadecimalvaluesatthebinarylevel.ComparingtwoobjectsatthebinarywithadifferentlengthalwaysreturnsFalseastheresult.Ifequal,thefollowingcommandswillbeexecuted.Ifconditionsmustnotbenested.IfGreaterMyVariable"HelloWorld"IfGreater0x12345678MyVariableIfGreaterMyVariable1000IfGreaterMyVariableMyOtherVariableIfGreaterMyVariable(10*MyOtherVariable)AcceptsthesameparametersasIfEqual.Ifthefirstoneisgreaterthanthesecondone,thefollowingcommandswillbeexecuted.Ifconditionsmustnotbe

nested.ElseMayoccurafterIfFoundorIfEqual.PlacecommandsthatshallbeexecutedifnothingwasfoundorifthecomparedobjectsarenotequalaftertheElsecommand.EndIfEndsconditionalcommandexecution(afterIfFound,IfEqual,IfGreater).{..ExitLoop...}Exitsaloop.Aloopisdefinedbybraces.Closingbracesmaybefollowedbyanintegernumberinsquarebrackets,whichdeterminesthenumberofloopstoexecute.Thisismayalsobeavariableorthekeyword"unlimited"(sotheloopcanonlybeterminatedwithanExitLoopcommand).Loopsmustnotbenested.Exampleofaloop:{Loop"}[10]willwritetheword"Loop"tentimes.LabelContinueHereCreatesalabelnamed"ContinueHere"JumpToContinueHereContinuesscriptexecutionwiththecommandfollowingthatlabel.NextObjSwitchescyclicallytothenextopenwindowandmakesitthe"active"window.E.g.if3windowsareeopen,andwindow#3isactive,NextObjwillmake#1theactivewindow.ForAllObjDoThefollowingblockofscriptcommands(untilEndDooccurs)willbeappliedtoallopenfilesanddisks.CopyFileC:\A.datD:\B.datCopiesthecontentsofC:\A.datintothefileD:\B.dat.

MoveFileC:\A.datD:\B.datMovesthefileC:\A.dattoD:\B.dat.DeleteFileC:\A.datSurprisingly,deletesC:\A.dat.InitFreeSpaceInitSlackSpaceClearsfreespaceorslackonthecurrentlogicaldrive,respectively,usingthecurrentlysetinitializationsettings.InitSlackSpaceswitchesthedrivetemporarilytoin-placemode,thussavingallpendingchanges.InitMFTRecordsClearsunusedMFTFILErecordsonthecurrentlogicaldriveifitisformattedwithNTFS,usingthecurrentlysetinitializationsettings.Simplydoesnothingonotherfilesystems.Thechangesarewrittenimmediatelytothedisk.AssignMyVariable12345AssignMyVariable0x0D0AAssignMyVariable"IlikeWinHex"AssignMyVariableMyOtherVariableStoresthespecifiedintegernumber,binarydata,ASCIItext,orothervariable'scontentsinavariablenamed"MyVariable".Ifthisvariabledoesnotyetexist,itwillbecreated.Otherwaystocreatevariables:e.g.Read,GetUserInput,InttoStr.Upto48differentvariablesallowedtoexistsimultaneously.ReleaseMyVariableSpecificallydisposesanexistingvariable.Mandatorytoinvokeonlywhenmorethan48variableswithdifferentnamesaretobeusedduringtheexecutionofascript,sothatearliervariablesthatarenotneededanymorecanbedestroyed.SetVarSizeMyVariable1SetVarSizeMyVariable4Explicitlysetstheallocatedmemorysizeofavariableatagiventime,inbytes.Thiscanbeusefule.g.forvariablesthatholdintegervaluesandthataretheresultofacalculation,ifthisvalueistobewrittentoabinaryfilewithafixed-lengthstructure.WithoutSetVarSize,noassumptionmustbemadeaboutthesizeofthevariable.Forinstance,thenumber300couldbestoredinanynumberofbyteslargerthan1.IfthenewsizesetbySetVarSizeissmallerthantheoldsize,

theallocatedmemoryistruncated.Ifthenewsizeislarger,theallocatedmemoryisexpanded.Atanyrate,thevalueofthepersistingbytesisretained.GetUserInputMyVariable"Pleaseenteryourname:"StorestheASCIItextorbinarydata(0x...)specifiedbytheuseratscriptexecutiontime(128bytesatmax.)inavariablenamed"MyVariable".Theuserispromptedbythemessageyouprovideasthesecondparameter.Ifthevariabledoesnotyetexist,itwillbecreated.Otherwaystocreatevariables:Assign,Read.GetUserInputIMyIntegerVariable"Pleaseenteryourage:"WorkslikeGetUserInput,butacceptsandstoresonlyintegernumbers.IncMyVariableInterpretsthevariableasaninteger(ifnotlargerthan8bytes)andincrementsitbyone.Usefulforloops.DecMyVariableInterpretsthevariableasaninteger(ifnotlargerthan8bytes)anddecrementsitbyone.IntToStrMyStrMyIntIntToStrMyStr12345StoresthedecimalASCIItextrepresentationoftheintegernumberspecifiedasthesecondparameterinavariablespecifiedasthefirstparameter.StrToIntMyIntMyStrStoresthebinaryrepresentationoftheintegernumberspecifiedasadecimalASCIIstringinthesecondparameterinavariablespecifiedasthefirstparameter.StrCatMyStringMyString2StrCatMyString".txt"Appendsonestringtoanother.Thesecondparametermaybeavariableoraconstantstring.Thefirstparametermustbeavariable.Theresultwillbesavedinthevariablespecifiedbythefirstparameterandmustnotbelongerthan255characters.GetClusterAllocMyStr

Maybeappliedtoalogicalvolume.Retrievesatextualdescriptionofthecurrentposition'sallocation,e.g.whichfileisstoredinthecurrentcluster,andsavesthatdescriptioninthespecifiedvariable.GetClusterAllocExIntVarMaybeappliedtoalogicalvolume.Retrievesanintegervaluethatindicatedwhethertheclusteratthecurrentpositionisallocated(1)ornot(0),andsavesthatdescriptioninthespecifiedvariable.GetClusterSizeIntVarMaybeappliedtoalogicalvolume.Retrievestheclustersizeandsavesthatvalueinthespecifiedintegervariable.InterpretImageAsDiskTreatsarawimage,Encaseimageorevidencefileliketheoriginalphysicaldiskorpartition.Requiresaspecialistorforensiclicense.CalcHashHashTypeMyVariableCalcHashExHashTypeMyVariableCalculatesahashasknownfromthecommandintheToolsmenuandstoresitinthespecifiedvariable(whichwillbecreatedifitdoesnotyetexist).TheHashTypeparametermustbeoneofthefollowing:CS8,CS16,CS32,CS64,CRC16,CRC32,MD5,SHA-1,SHA-256,PSCHF.CalcHashExinadditiondisplaysthehashinadialogwindow.MessageBox"Caution"Displaysamessageboxwiththetext"Caution"andofferstheuseranOKandaCancelbutton.PressingtheCancelbuttonwillabortscriptexecution.ExecuteScript"ScriptName"Executesanotherscriptfromwithinarunningscript,atthecurrentexecutionpoint,e.g.dependingonaconditionalstatement.Callstootherscriptsmaybenested.Whenthecalledscriptisfinished,executionoftheoriginalscriptwillberesumedwiththenextcommand.Thisfeaturecanhelpyoustructureyourscriptsmoreclearly.TurboOnTurboOffInturbomode,mostscreenelementsarenotupdatedduringscriptexecutionand

youarenotabletoabort(e.g.bypressingEsc)orpause.ThismayacceleratesscriptexecutionifalotofsimplecommandssuchasMoveandNextObjareexecutedinaloop.DebugAllthefollowingcommandsmustbeconfirmedindividuallybytheuser.UseLogFileErrormessagesarewrittenintothelogfile"Scripting.log"inthefolderfortemporaryfiles.Thesemessagesarenotshowninamessageboxthatrequiresuserinteraction.Usefulespeciallywhenrunningscriptsonunattendedremotecomputers.CurrentPosGetSizeunlimitedarekeywordsthatactasplaceholdersandmaybeusedwherenumericparametersarerequired.Onscriptexecution,CurrentPosstandsforthecurrentoffsetintheactivefileordiskwindowandGetSizeforitssizeinbytes.unlimitedactuallystandsforthenumber2,147,483,647.

X-TensionsAPIAutomateinvestigativetasksandextendthefunctionalityofX-WaysForensicswithX-Tensions:TheX-WaysForensicsX-TensionAPI(applicationprogramminginterface)allowsyoutousemanyoftheadvancedcapabilitiesoftheX-WaysForensicscomputersoftwareprogrammaticallyandextendthemwithyourownfunctionality.Forexample,youcouldimplementsomespecializedfilecarvingforcertainfiletypes,automatedtriagefunctionality,alternativereportgeneration,orautomaticallyfilteroutunwantedsearchhitsdependingonyourrequirementsetc.Amongotherthings,X-Tensionsallowyouto:-readfromadisk/partition/volume/image-retrieveabundantinformationabouteachfileanddirectoryinthevolumesnapshot-readfromanyfile-createnewobjectsinthevolumesnapshot-assignfilestoreporttables-addcommentstofiles-process,validateanddeletesearchhits-anddopracticallyeverythingelsethatispossiblewithaWindowsprogram!(thankstotheWindowsAPI)Youcanuseyourprogramminglanguageofchoice,e.g.C++,Delphi,orVisualBasic,anddonothavetolearnanynewprogramminglanguage.Youcanuseyourcompilerofchoice,forexampleVisualStudioExpress(freeware).Sinceanextensionisnotaninterpretedscript,butregularcompiledexecutablecodethatisrunningintheaddressspaceoftheapplicationitself,youcanexpecthighestperformance,thesameaswithinternallyimplementedfunctionality.X-TensionsgiveyoueasyanddirectaccesstocrucialandpowerfulfunctionsdeepinsideX-WaysForensics.WhenX-Tensionsfunctionscangetcalled:-whenrefiningthevolumesnapshot-whenrunningasimultaneoussearch-viathedirectorybrowsercontextmenu-viathesearchhitlistcontextmenu

TheX-TensionAPIalsoallowsthedevelopmentanduseofso-calledDiskI/OX-Tensions.Thesearesnap-insthatsitbetweenallanalysisfunctionalityandtheuserinterfaceofX-WaysForensicsontheonehandandadisk/image/RAID/partition/volumefromwhichsectorsarereadontheotherhand.TheycanforexampledealwithfulldiskencryptionanddecryptthedatainallsectorsreadbyX-WaysForensicsontheflywhenneeded,sothatallrelevantfunctionsonlygettoseethedecrypteddataandcandealwithitasifitwasanormaldisk/volume.TheusermayopenaselectedevidenceobjectthroughsuchaDiskI/OX-TensionusinganewcommandinthecontextmenuoftheCaseDatawindow.AfterselectingtheintendedX-TensionDLL,iftheDLLsignalsthatitcansuccessfullydealwiththedatainthatevidenceobject,thecasewillrememberwhichDLLthatwaschosenandautomaticallyapplyitnexttimewhenopeningthesameevidenceobject.Notethatasalwayspartitionscountasevidenceobjectsthemselves.Thatwayfulldiskencryptioncanbetackledaswellasvolumelevelencryption.YoumaydistributeyourX-TensionDLLsthatyoucompileand/oryoursourcecodefreeofchargeorevenforafee,underwhateverlicensetermsyouseefit.Formoreinformationpleaseseehttp://www.x-ways.net/forensics/x-tensions/api.html.

DiskEditorTheDiskEditor,thatispartoftheToolsmenu,allowsyoutoaccessfloppyandharddisksbelowfilesystemlevel.Disksconsistofsectors(commonlyunitsof512bytes).Youmayaccessadiskeitherlogically(i.e.controlledbytheoperatingsystem)orphysically(controlledbytheBIOS).OnmostcomputersystemsyoucanevenaccessCD-ROMandDVDmedia.ThereisanoptionalrawmodeforopticaldrivesthatallowstoreadfromaudioCDsandalsothecomplete2352-bytesectorsondataCDs(CD-ROMandVideoCDs)thatcontainerrorcorrectioncodes.Openingalogicaldrivemeansopeningacontiguousformattedpartofadisk(apartition)thatisaccessibleunderWindowsasadriveletter.It'salsocalleda"volume".WinHexreliesonWindowsbeingabletoaccessthedrive.Openingaphysicaldiskmeansopeningtheentiremedium,asitisattachedtothecomputer,e.g.aharddiskincludingallpartitions.Itcouldalsocalledthe"rawdevice".Thedisknormallydoesnotneedtobeproperlyformattedinordertoopenitthatway.Usuallyitispreferabletoopenalogicaldriveinsteadofaphysicaldisk,becausemorefeaturesareprovidedinthiscase.Forexample,"clusters"aredefinedbythefilesystem,theallocationofclusterstofiles(andviceversa)isknowntoWinHex,"freespace"and"slackspace"haveameaning.Ifyouneedtoeditsectorsoutsidealogicaldrive(e.g.themasterbootrecord),ifyouwishtosearchsomethingonseveralpartitionsofaharddiskatthesametime,orifapartitionisdamagedorformattedwithafilesystemunknowntoWindows,soWindowsisunabletomakeitaccessibleasadriveletter,youwouldopenthephysicaldiskinstead.Fromthewindowthatrepresentsaphysicalmediumyoucanusuallyalsoopenindividualpartitions,bydouble-clickingtheminthedirectorybrowserofthatwindow.WinHexunderstandsconventionalMBRpartitioning,GPT(GUIDpartitiontype),Applepartitioning,superfloppyformat,WindowsdynamicdisksasorganizedbytheLDM(LogicalDiskManager,MBRandGPTstyle),LVM2(MBRandGPTstyle)andPC-compatibleBSDdisklabel.Alldynamicvolumetypesaresupported:simple,spanned,striped,andRAID5.HoldingtheCtrlkeywhenopeningharddisksdisablesdetectionandspecialhandlingofdynamicvolumesandensurestheharddiskistreatedlikeithasbeenpartitionedintheconventionalway.Someoftheaforementionedpartitioningtypesaresupportedwithspecialistandforensiclicensesonly.

DirectoryBrowserPleasenotethefollowinglimitations:Administratorrightsareneededtoaccesssectorsonanykindofmedia.UnderWindowsVista/7/8youneedtoruntheprogramasadministratorspecifically,justbeingloggedonasadministratorisnotsufficient.Remote(network)drivescannotbeaccessedsector-wise.X-WaysForensicscannoteditdisksectorsorsectorsininterpretedimagesatall,onlyWinHexcan.WinHexcannotwritetoCD-ROMorDVD.UnderWindowsVista/7/8,WinHexcannotwritesectorsonthepartitionwiththeactiveWindowsinstallationandonthepartitionwhereWinHexisrunningfrom.SaveSectors:TobeusedanalogouslytotheSavecommandforfiles.PartoftheFilemenu.Writesallmodificationstothedisk.Pleasenotethat,dependingonyourchanges,thismayseverelydamagetheintegrityofthediskdata.Ifthecorrespondingundooptionisenabled,abackupoftheconcernedsectorsiscreated,beforetheyareoverwritten.Thiscommandisonlyavailableinthefullversion.HerearesomepiecesofinformationconcerningtheMasterBootRecordofaharddisk,thatiseditableusingthediskeditor.

MemoryEditor/AnalysisTheMemoryEditorispartoftheToolsmenu.ItallowstoexaminethephysicalRAM/mainmemoryandthelogicalmemoryofaprocess(i.e.aprogramthatisbeingexecuted)inalivesystem.Allmemorypagescommittedbyaprocessarepresentedinacontinuousblock.Unused(freeorreserved)pagesareignoredbydefault,butoptionallyincludedanddisplayedwith"?"characters.Withnosuchgaps,youmaycomparememorydumpstofilesexactlywithoneanother(absoluteandvirtualaddressesareidentical),e.g.toexaminestackandheapstatesorobservevirusses.Ifyouexpandoneofthelistedprocessesinthelist,youmayopeneithertheso-calledprimarymemoryortheentirememoryofthisprocessoroneoftheloadedmodules(DLLs).Theprimarymemoryisthelowerpartoftheaddressrange,belowtheareawheresystemDLLsareloaded.Usuallyitalsocontainsthemainmoduleofaprocess(theEXEfile),thestack,andtheheap.The"entirememory"containsalltheallocatedpagesintheentirelogicalmemoryaddressspaceofaprocess.Withthe64-biteditionofWinHex/X-WaysForensicsyoucangetloadedmodulesabovethe4GBbarrierin64-bitprocesseslisted,andreadandeditmemoryinsuchaddressranges.Unicodeissupportedforprocessandmodulenamesandpathsinthememoryeditor.Pageboundariesarerepresentedbyhorizontallines.Boundariesthatrepresentgapsbetweencontiguousallocatedregionsarerepresentedbydarkerhorizontallines.TheInfoPaneshowsinformationsuchasthemaximumaddressrepresentedandthenumberofallocationgaps(=numberofcontiguousallocatedpageranges-1)aswellasprotectionstatusandtypeofthecurrentlydisplayedpage.Pleasenotethefollowinglimitations:AccesstophysicalRAMunderWindowsXP(32-bit)only,nomorethan4GB,andwithadministratorrightsonlyCaution:Onlykeyboardinputcanbeundone!Editingispossibleinin-placemodeonly.Theevaluationversiononlysupportsviewmode.Theoptionsrelevantforthememoryeditorare"Checkforvirtualmemory

alteration"(securityoptions)and"Virtualaddresses"(generaloptions).MainmemoryanalysisRequiresaforensiclicense.WhenyouopenthelocalphysicalRAM(viaTools|OpenRAM,onlyunderWindowsXP)oramainmemorydumpasafile(andinterpretthatfileexactlylikeyouwouldadiskimage)oraddamemorydumptoacase,processeswillbelistedinthedirectorybrowser,evenhiddenprocesses,withtheirtimestampsandprocessIDs,andtheirownrespectivememoryaddressspacescanbeindividuallyviewedin"Process"mode,withpagesconcatenatedincorrectlogicalorderasseenbyeachprocess.The"particularlythoroughdatastructuresearch"issignature-based,willtakealittlelongerthantakingastandardvolumesnapshot,andmayturnuptracesofadditionalprocesses.MemorycanbeacquiredremotelywiththehelpofF-Response(Tools|OpenDisk).Theanalysisissupportedformost(butnotall)variants(servicepacks)ofWindows2000,WindowsXP,Windows2003Server,WindowsVista,Windows2008Server,andWindows7,32bitand(lesscomplete)64bit.Onlycompletememorydumpsaresupported,thosewhichincluderegionsinRAMthatareutilizedbytheBIOSandbyPCIdevices.Windowskerneldatastructuresandnamedobjectsareconvenientlylistedinatreeinthevolumesnapshotunder"Objects".Loadedmodulesarelistedunder"Modules".ThatenablesX-WaysForensicstoallocatethememorypagesinRAMmodethattheyoccupytothem,andtocomputehashesforthemsothattheycanbeidentifiedviaspecialhashsets.Forhashingpurposesitisrecommendedtolisttheinvariantheadersofloadedmodulesonly(seeVolumeSnapshotOptions).Thetechnicaldetailsreportinformsyouofimportantsystem-wideparametersaswellasofthecurrentaddressesofimportantkerneldatastructuresandofloadedkernelmodules.InDetailsmodeyoucanfindtheaddressesofprocess-relateddatastructuresforeachprocessandtheIDofitsparentprocess.InRAMmode,theInfoPaneshowsforeachmemorypageaprocesstowhichitisallocated(ifany)anditsmemorymanagementstatus.Withtheappropriatebackgroundknowledge,thisfunctionalitycanbeusedlearnmoreaboutthecurrentstateofthemachineanditsprocesses,sockets,openfiles,loadeddrivers,andattachedmedia,toidentifymalware,tofindthedecryptedversionofencrypteddata,toanalyzenetworktracesinincidentresponse,andto

dofurtherresearchinthefieldofmemoryforensics.

ConversionsWinHexprovidesthe"Convert"commandoftheEditmenuforeasyconversionsofdifferentdataformatsandforencryptionanddecryption.Theconversioncanoptionallybeappliedtoallopenedfilesinsteadofonlythecurrentlydisplayedone.Theformatsmarkedwithanasterisk(*)canonlybeconvertedasawholefile,notasablock.Thefollowingformatsaresupported:ANSIASCII,IBMASCII(twodifferentASCIIcharactersets)EBCDIC(anIBMmainframecharacterset)Lowercase/uppercasecharacters(ANSIASCII)Binary*(rawdata)HexASCII*(hexadecimalrepresentationofrawdataasASCIItext)IntelHex*(=ExtendedIntellec;hexASCIIdatainaspecialformat,incl.checksumsetc.)MotorolaS*(=ExtendedExorcisor;ditto)Base64*UUCode*PercentageURLEncodeQuotedPrintablePleasenote:WhenconvertingIntelHexorMotorolaSdata,theinternalchecksumsoftheseformatsarenotchecked.Dependingonthefilesize,thesmallestpossibleoutputsubformatischosenautomatically.IntelHex:20-bitor32-bit.MotorolaS:S1,S2,orS3.WhenconvertingfrombinarytoIntelHexorMotorolaS,onlymemoryregionsnotfilledwithhexadecimalFFsaretranslated,tokeeptheresultingfilecompact.TheConvertcommandcanalsodecompressanynumberofcomplete16-clustercompressionunitscompressedbytheNTFSfilesystem*and(withaforensiclicense)entirehiberfil.sysfilesthatwerecopiedoffanimageaswellasindividualxpresschunksfromsuchfiles.Also,itallowstoconvertso-calledNandroidbackupfilesoftheNANDflashmemoryofAndroiddevicestoregularrawimages.Furthermoreitcanstretchpacked7-bitASCIItoreadable8-bitASCII*,usefule.g.forSMSfrommobilephones.

Encryption/DecryptionItisrecommendedtospecifyacombinationofatleast8charactersastheencryptionkey.Donotusewordsofanylanguage,itisbettertochoosearandomcombinationofletters,punctuationmarks,anddigits.Notethatencryptionkeysarecasesensitive.Rememberthatyouwillbeunabletoretrievetheencrypteddatawithouttheappropriatekey.Thedecryptionkeyyouenterisnotverifiedbeforedecrypting.Encryptionalgorithm:256-bitAES/Rijndael,incounter(CTR)mode.Thisencryptionalgorithmusesa256-bitkeythatisdigestedwithSHA-256fromthe512-bitconcatenationoftheSHA-256ofthekeyyouspecifyand256bitsofcryptographicallysoundrandominput(salt).Thefileisexpandedby48bytestoaccommodatethe256bitsofsalt,andarandomized128-bitinitialcounter.WinHexallowsyoutoencryptnotonlyanentirefile,butalsoablockofdataonly.Inthatcaseyouarewarned,however,thatnosaltisusedandnorandominitialcounterisused,soyoumustnotreuseyourkeytoencryptotherdatawiththesameencryptionmethod.Thesizeoftheblockisleftunchanged.

ModifyDataUsethiscommandtomodifythedatawithintheblockorwithinthewholefile,incasenoblockisdefined.Eitherafixedintegernumberisaddedtoeachelementofthedata,thebitsareinverted,aconstantisXORedwiththedata(asimplekindofencryption),ORed,orANDed,bitsareshiftedlogically,bitsrotatedleftinacircularpattern(firstbyterotatedby1bit,secondbyteby2bits,andsoon),orbytesareswapped.Byshiftingbits,youcansimulateinsertingorremovingsinglebitsatthebeginningoftheblock.Youmayalsoshiftentirebytes(currentlytotheleftonly,byenteringanegativenumberofbytes).Thisisusefulifyouwishtocutbytesfromaveryhugefileinin-placemode,whichwouldotherwiserequirethecreationofahugetemporaryfile.SwapBytesThiscommandassumesalldatatoconsistof16-bitelements(32-bitelementsresp.)andswapshigh-orderandlow-orderbytes(andhigh-orderandlow-orderwordsresp.).Useitinordertoconvertbig-endianintolittle-endiandataandviceversa.AdditionSpecifyapositiveornegative,decimalorhexadecimalnumber,whichistobeaddedtoeachelementofthecurrentblock.Anintegerformatdefinessize(1,2or4bytes)andtype(signedorunsigned)ofanelement.Therearetwowayshowtoproceediftheresultoftheadditionisoutoftherangeoftheselectedintegerformat.Eithertherangelimitisassumedtobethenewvalue(I)orthecarryisignored(II).Example:unsigned8-bitformatI.FF+1->FF(255+1->255)II.FF+1->00(255+1->0)Example:signed8-bitformatI.80-1->80(-128-1->-128)II.80-1->7F(-128-1->+127)

Ifyoudecidetousethefirstmethod,WinHexwilltellyouhowoftentherangelimithasbeenexceeded.Thesecondmethodmakessuretheoperationisreversible.Simplyadd-xinsteadofxbasedonthesameintegerformattorecreatetheoriginaldata.Whenusingthesecondmethoditdoesnotmakeadifferencewhetheryouchooseasignedoranunsignedformat.

SectorSuperimpositionWiththisfeatureyoucansuperimposeotherdataontopofdisksorinterpretedimagesthatareopenedasread-only.Usefulwhenyouneedtomakeminortemporaryvirtualadjustmentstodatainsectorswithinthescopeoftheprogramtogetitinterpretedcorrectlyinternally,butdonotwishtoorarenotallowedtoalterthesectorsonthediskorintheimageitself(orcannotbecauseitisnotarawimage,butan.e01evidencefile)andalsodonotwanttomakeanothercompleteworkingcopyofanimagethatise.g.2TBinsizeifjust1byteneedstobechanged.Suchadjustmentscanbenecessaryforexampleincasesofpartitioningorfilesystemmetadatacorruption,wherejustamissingmagicnumberkeepsWinHexfromdetectingthefilesystemorjustoneflippedbitkeepsWinHexfromfinding$MFTinNTFSorjustonewrongnibbleinthepartitiontablekeepsWinHexfromrecognizingapartitionasanLVM2containerpartitionetc.etc.Inthesesituationsyoucanmanuallyprovideandsuperimposethecorrecteddataandthenhopefullyworkwiththediskorimagewithnofurtherproblems,gettingallpartitionsandfileslistedimmediatelyasifnothingwaswrong.Thisfunctionalityisintendedforadvancedusersthatdonotgiveupeasilywhenatfirsttheysee"nothing"andhavesomeunderstandingoflowleveldatastructuresandknowhowtofixthem.YoucanenableanddisablesuperimpositionforthediskorpartitionintheactivedatawindowusingtheEdit|SuperimposeSectorsmenucommand.Thiscommandallowsyoutoselectanyfilewiththerawcontentsofdisksectors.Forexample,youcancreatesuchafilebyselectingoneormoresectorsasablock,copyingtheblockintoanewfile,makingthenecessaryadjustments(possibleeveninX-WaysForensicsbecauseordinaryfilesunlikedisksorinterpretedimagescanbeedited)andsavingthatfile.Whenapplied,thecontentsofthisfilearesuperimposedtothesectorsstartingwiththesectorinwhichthecursorislocated,orifthefileisnamed"*n.sector",wherenisanumber,itwillbeappliedtothesectorsstartingwithsectorn,andallotherfilesinthesamedirectorymatchingthesamemaskwillalsobeappliedtosectornumbersasindicatedwithinthefilename.Youwillimmediatelyseethesuperimposeddatawhennavigatingtotheaffectedsectors,andcancontinuemakingadjustmentstotheimposedrawdatafileifyoukeepitopeninaseparatewindow.Assoonasyouhavesavedchangesinthatwindow,theywilltakeeffectinthedatawindowthatrepresentsthediskorpartitionwhosedatayouaretryingtofixwhenyourefreshtheview,takeanewvolumesnapshot,definethestartofapartition,tryagainto

openafilewithacorruptFILErecordetc.etc.Pleasenotethatonlycompletesectors,notpartialsectors,canbesuperimposed.Superimpositioncanbeactiveonlyforonediskordiskpartitionorimageatatime.Ifactiveforaphysicalpartitioneddiskorimageofaphysicalpartitioneddisk,apartitionopenedfromwithinthephysicaldiskwillalsoshowthesuperimposeddata.Ifdesired,youcanmakeacopy(imageorcloneddisk)ofthevirtuallyrepaireddiskorimagewiththeusualcommandswhilethesuperimpositionisineffect,sothatthecopywillhavethesuperimposedsectorsdirectlyembedded.

WipingandInitializingTosecurelyerase(shred)dataindisksectors,unuseddiskareas(DiskToolsmenu),orfilesselectedwiththeWipeSecurelycommand,andalsosimplytofillfileswithcertainbytevalues,WinHexoffersthefollowingoptions:Withconstantbytevaluesspecifiedinhexadecimalnotation:Specifyeither1,2,3,4,5,6,12,15,or16two-characterhexvalues,whichwillbecopiedrepeatedlyintothecurrentblock,theentirefileoralldisksectors,respectively.Veryfast.Withsimplepseudo-randombytevalues:Specifyadecimalinterval(0to255atmax.)forrandomnumbers,whichwillbecopiedrepeatedlyintothecurrentblock,theentirefileoralldisksectors,respectively.TherandombytesareLaplace-distributed.Fast.Withpseudo-randomdatathatsimulatesencryption:Randomdatathatissupposedtobeindistinguishablefromencrypteddata.Quitefast.Withcryptographicallysoundpseudo-randomdata:Cryptographicallysecurepseudo-randomnumbergenerator(CSPRNG)calledISAAC,veryslow.Incaseinallopenfileseitherablockornoblockisdefined,thiscommandcanoptionallybeappliedtoallthesefilesatthesametime.Tomaximizesecurity,ifyouwishtototallywipe(sanitize)slackspace,freespace,unusedNTFSrecords,oranentiremedia,youmaywanttoapplymorethanonepassforoverwritingdiskspace(uptothree).AccordingtotheClearingandSanitizationMatrix,thestandardoutlinedintheU.S.DepartmentofDefense(DoD)5220.22-Moperatingmanual,method"c",aharddiskorfloppydiskcanbeclearedbyoverwriting(once)alladdressablelocationswithasinglecharacter.Thisisusuallythehexadecimalvalue0x00,butcanbeanyothervalue.Tosanitizeharddisksaccordingtomethod"d",overwritealladdressablelocationswithacharacter,itscomplement,thenarandomcharacter,andverify.(ThismethodisnotapprovedbytheDoDforsanitizingmediathatcontaintopsecretinformation.)

The"DoD"buttonconfiguresWinHexforsanitization,suchthatitwillfirstoverwritewith0x55(binary01010101),thenwithitscomplement(0xAA=10101010),andfinallywithrandombytevalues.The"0x00"buttonconfiguresWinHexforsimpleinitialization,wipingoncewithzerobytes.

DiskCloningThisfunctioncopiesadefinednumberofsectorsfromasourcetoadestination.Boththesourceandthedestinationcanbeeitheradisk(clickthebuttonwiththediskicon)orafile(clickthebuttonwiththefileicon).Incaseboththesourceandthedestinationaredisks,bothdisksmusthavethesamesectorsize.Inordertoeffectivelyduplicateamedium(i.e.copyallsectors),simplycopyallsectors.Selecttheappropriateoption,sothecorrectnumberofsectorsisenteredautomatically.Thedestinationdiskmustnotbesmallerthanthesourcedisk.Asadiskyoucanalsoselectaninterpretedimageorapartitionopenedfromwithinaphysicaldiskinthebackground.Asatargetyoucannotselectaninterpreted.e01evidencefileassuchimagescannotberewritten,onlyrawimages.Asafileyoucanonlyspecifyunsegmentedrawimages,e.g..dd,.001,.imgetc.,nootherimagetypessuchas.e01,.vhd.,.vmdketc.Diskcloningoffersoptionsthatcontrolthebehaviorwhenbadsectorsareencounteredonthesourcedisk:Bydefault,youarenotifiedoftheerrorandpromptedforeithercontinuingorabortingtheoperation."Logproceduresilently"createsacompletelogfileoftheentireoperationinthefolderfortemporaryfiles(filename"CloningLog.txt"),includingareportonunreadablesectors(whichcannotbecopied),andpreventsWinHexfromreportingeachunreadablesectorseparately.WinHexcaneitherleavethedestinationsectorthatcorrespondstoadamagedsourcesectorunchangedorfillitwithanASCIIpatternyouspecify(e.g.yourinitials,orsomethinglike"BAD").Leavethepatterneditboxblanktofillsuchsectorswithzerobytes.BTW,thispatternisalsousedtodisplayabadsector'scontentsinthediskeditor.Badsectorsoftenoccurincontiguousgroups,andeachattempttoreadabadsectorusuallytakesalongtime.YoumayhaveWinHexavoidsuchdamageddiskareas.Whenabadsectorisencountered,WinHexcantrytoskipanumberofsubsequentsectorsyouspecify.Thisisusefulifyouwishtoacceleratethecloningprocessandifyoudonotcareaboutsomeactuallyreadablesectorsnotmakingittotheclone.Regulardiskcloningisnotanoptionifyouwanttoduplicateadiskinaremovabledrive(e.g.afloppydisk)withonlyoneremovabledrivepresent.The

correctconceptforthisapplicationisdiskimaging,wherethedataisfirststoredinanimagefile.Theimagecanthenbecopiedtoadifferentdisk.Theresultisthesameasdiskcloning.Whenyouspecifyafilenamed"dev-null"asthedestination,thedatawillonlybereadandnotcopiedanywhere(andyouwillbewarnedofthis).Thisisusefulifyouareinterestedinthereportaboutbadsectors,butdonotwishtoactuallycloneorimageadisk.Youmaytry"simultaneousI/O"ifthedestinationisnotthesamephysicalmediumasthesource.Offersachancetoacceleratethecloningprocessbyupto30%byreadingandwritingsimultaneously.Specialistlicenseorhigher:InconjunctionwithsimultaneousI/OyoumayalsohaveWinHexcopythesectorsofadiskinreversedirection,backwardsfromtheendofthesourcedisk.Usefulifthesourcediskhasseverephysicaldefectsthatforexamplecauseadiskimagingprogramoryourentirecomputertofreezeorcrashwhenreachingacertainsector.Insuchacaseyoucanadditionallycreateanimageinreverseorder,byreadingsectorsfromthediskbackwardsonebyone,orbetter,youcanevenautomaticallycompleteanexistingincompleteunsegmentedconventional("forward")rawimagefromtherearendtogetanimagethatisascompleteaspossible,filledfrombothends,withideallyonlyasmallzeroedgapinthemiddlethatrepresentstheunreadabledamagedspotonthesourceharddisk.Forthatyousimplyselectanincompleterawimagefilethatyoualreadyhaveasadestinationfile,andyouwillbeaskedwhetheryouwishtocompleteitinsteadofoverwrite.WinHexwilldotherest,e.g.allocatethemissingsectorsintheimagefile(zeroedout)sothatithasthecompletesizeofthesourcediskandthenfillthefilebackwardsasmuchaspossible.BesuretocreatereverseimagesonNTFSvolumes,notFAT32.Thesourcestartsectortospecifyforreverseimagingisthesameasforconventionalforwardimages,i.e.usually0whenimagingacompleteharddisk.FordiskimagingingeneralitisrecommendedtousetheFile|CreateDiskImagefunctionalityforvariousreasons(withaforensiclicense:supportfor.e01evidencefiles,compression,splitting,hashing,encryption,metadata,technicaldetailsreport,moreconvenient).Onlyinspecificcases,forexamplewhendealingwithseveralphysicaldiskdefectsorwhenthegoalistocopyonlycertainrangesofsectors,advanceduserscanuseTools|DiskTools|CloneDisktohavemoredetailedcontroloverwhichsectorsarecopiedfromwheretowhere

inwhichorder.Morehintsondiskcloninganddiskimaging.

CreateDiskImage/MakeBackupCopyThiscommandintheFilemenuallowstocreateabackuporimageofthecurrentlyopenlogicaldrive,physicaldisk,orindividualfile.Therearethreepossibleoutputfileformats,eachwithuniqueadvantages.Fileformat:WinHexBackupEvidenceFileRawImageFilenameextension:.whx.e01e.g..ddInterpretableasdisk:noyesyesSplittable:yesyesyesCompressible:yesyes(NTFS)Encryptable:noyesnoOptionalhash:integratedintegratedseparatetextfileOptionaldescription:integratedintegratedseparatetextfileRangeofsectorsonly:yes(yes)(yes)Applicabletofiles:yesnonoAutomatedmaintenance:BackupManagernonoCompatibility:no(yes)yesRequiredlicense:noneforensicpersonalThemajoradvantageofevidencefilesandrawimagesisthattheycanbeinterpretedbyWinHexliketheoriginaldisks(withthecommandintheSpecialistmenu).Thisalsomakesthemsuitableforusageasevidenceobjectsinyourcases.Thisholdstrueforevidencefilesinparticularbecausetheycanstoreanoptionaldescriptionandanintegratedhashforlaterautomatedverification.Rawimageshavethebenefitthattheycanbeeasilyexchangedbetweenevenmoreforensictools.Alloutputfileformatssupportsplittingintosegmentsofauser-definedsize.Asegmentsizeof650oder700MBe.g.issuitableforarchivingonCD-R.Evidencefilesmustbesplitat2047MBatmosttomakethemcompatiblewithX-WaysForensicsversionsbeforev14.9andEnCaseversionsbeforev6andcertainothertools.Withaforensiclicense,rawimagefilesandevidencefilescanautomaticallybeverifiedimmediatelyaftercreation,byrecomputingthehashvaluethatwasoriginallycomputedfromthemedium,withtheimageinstead.EvidencefileandWinHexbackupcompressionisbasedonthe"Deflate"compressionalgorithmthatispartofthepopulargeneral-purposelibraryzlib.ThisalgorithmconsistsofLZ77compressionandHuffmancoding.Withthe

"normal"compressionlevelyoucanreachacompressionratioof40-50%onaveragedata.However,thiscomesatthecostofaconsiderablyreducedimagingspeed."Fast/adaptive"compressionisaverygoodandintelligentcompromisebetweenspeedandgoodcompression,notliketheordinaryfastcompressionoptioninotherprograms.With"high"compressionyougainonlyafewpercentagepointsmorecompression,butatdisproportionalhighcost.ForWinHexbackups,"adaptive"isthesameas"normal".RawimagefilescanbecompressedattheNTFSfilesystemlevel,iftheyarecreatedonNTFSvolumes.EithernormalNTFScompressionisused,ortheimagefilecanbemade"sparse",suchthatlargeamountsofzero-valuebyteswon'tneeddrivespace.Cleansedimages:Withaforensiclicense,thereisanacquisitionoptionforthoseuserswhoneedtoorwanttoexcludecertainfilesfromforensicimages,called"Omitexcludedfiles".Thedatastoredinclustersthatareassociatedwithfilesthatyouexcludebeforestartingtheimagingprocesswillautomaticallybezeroedoutintheimage.Won'thaveanyeffectonfileswhosecontentsarenotstoredintheirownclusters.Beforeyoustarttheimagingprocessforapartitioneddisk,openthepartitionsinwhichthefilesarelocatedthatyouwouldliketoexclude.Waittillthevolumesnapshothasbeentakenifitwasnottakenbefore.Thenexcludethefiles.Youdonotneedtoopenandtakevolumesnapshotsofpartitionswhosedatayouwouldliketoincludecompletely.Allotherdataiscopiedtotheimagenormally.Thereisanoptionto"watermark"wipedsectorsintheimagewithanASCIIorUnicodetextstring,sothatwhenworkingwiththeimageyouareremindedoftheomissionwhenyoulookattheaffectedareas.Cleansedimagesareusefulforanyonewhoneedstoredactcertainfilesinthefilesystem,butotherwisewantstocreateanordinaryforensicallysoundsector-wiseimage,compatiblewithothertools.Amustincountrieswhoselegislationspeciallyprotectsthemostprivatepersonaldataofindividualsandcertaindataacquiredfromcustodiansofprofessionalsecrets(e.g.lawyersandphysicians,whoseprofessionswearsthemtosecrecy/confidentiality).Limitation:NotavailablefordiskspartitionedasWindowsdynamicdisksorwithLinuxLVM*.Onlyfilesinsupportedfilesystemscanbeomitted.Notethatyoucanalsoretroactivelycleanse(redact)alreadycreatedconventionalrawimages,inWinHex,bysecurelywipingfilesselectedfilesviathedirectorybrowsercontextmenu.Thegranularityofthisoperationisnotlimitedtoentireclusters.Forexample,thatmeansitcanalsowipefilesinNTFSfilesystemswithso-calledresident/inlinestorageanditdoesnoterasefileslackalong.Foracomparisonof

evidencefilecontainers,skeletonimagesandcleansedimagespleaseseeourwebsite.Allofthoseareimagesthatonlytransportasubsetoftheoriginaldata.Anotherkindofcleansedimageisanimageinwhichalltheclustersmarkedbythefilesystemasfreearezeroedout(specialistorforensiclicenseonly).Thatisveryusefulifyoucreatetheimageforbackuppurposesandnotforforensicpurposes,orifforforensicpurposesyoudonotrequiredatainfreespaceorarenotsupposedtoacquireit(toonlyexamineexistingfiles).Inconjunctionwithcompression,thisoptionhasthepotentialtosavealotofdrivespace,dependingonhowmuchfreespacethereis,andimagingspeedcanbegreatlyacceleratediftherearelargecontiguousfreedrivespaceareasinvolumes/partitions.Notethatincaseoffilesysteminconsistenciesclusterscouldbeerroneouslyregardedasfree.Ifyouwishtoomitbothcertain(excluded)filesandfreeclusters,alsoexcludethevirtualfile"Freespace"andturnof"netfreespacecomputation"inthevolumesnapshotoptions.Youhavetospecificallyconfirmthecreationofcleansedimagesasinthetraditionalsensetheyarenotforensicallysound(thoughinamoremodernsenseofthewordtheycanbe,dependingonthejurisdictionthatyouworkinincountrieswithstricterpersonalprivacyrightsanddependingontheoverallsituation).X-WaysForensicschecksforandwarnsofoverlappingpartitionswhencreatingacleansedimageofapartitionedphysicaldisk.Clustersinaffecteddiskareasarenotomitted.Insuchasituation,itisrecommendedtoimagetherelevantpartitionsseparately.Forensiclicense:Whencreatinganimage,thetechnicaldetailsreportiscreatedandwrittentoatextfilethataccompaniestheimagefile.Foran.e01evidencefileitisalsoincorporateddirectlyintothe.e01fileasadescription.TheSMARTinformationisqueriedandwrittentothetextfileagainuponcompletionoftheimage,sothatyoucanseewhetherthestatusofaharddiskinbadshapehasfurtherdeterioratedduringimaging.Secondly,youcanseehowthe"powerontime"haschanged,whichisusefultodeduceitsunitofmeasurement(usuallyhours,butcanbedifferentoncertainharddiskmodels).Thetextfilealsoindicatestheamountoftimespentcreatingtheimage,thecompressionratioachieved,theresultofanimmediateverificationoftheimagebasedonthehashvalue(ifselected),andanysectorreaderrors.

Forensiclicense:Abilitytocreateasecondcopyofanimageimmediatelywhenimagingadisk,whichismuchquickerthancopyingtheimagefilelaterandmakessenseifthe2ndcopyiscreatedonadifferentdrive.Filespanning(i.e.whentostartanotherimagefilesegment)iskeptinsyncbetweenbothcopiesevenwhenrunningoutofspaceononeofthetwotargetdrivesonly.Forensiclicense:Youmayspecifyanoverflowlocationinadvancewherefurtherimagefilesegmentswillbestoredshouldspaceontheprimaryoutputdrivebeexhausted.Ifyouleavethatfieldblankorifeventheoverflowlocationhasnomorespaceleft,youwillbepromptedforanewpathasbeforewhenneeded.Ifanoverflowlocationisspecifiedinadvanceandatthesametimeyouchosetocreatetwocopiesoftheimage,thenpleasenotethattheoverflowlocationisusedonlyforthefirstimagecopythatrunsoutofspace,ifany.Fortheotherimagecopyyouwouldbepromptedifspaceisscarce.Forensiclicense:Abilitytocomputetwohashvaluessimultaneously.Ifyoumakeuseofthisoption,thenbothhashvalueswillbestoredinthedescriptivetextfile.Thefirsthashvalueistheonethatcanbeautomaticallyverifiedwhenimagingcompletes.YoucouldintentionallychoosethefasteralgorithmforthatasthemainpurposeatthatpointistodetectI/Oerrorsandfileerrors.Thesecondhashvalueisimportedintotheevidenceobjectpropertieswhenaddingtheimagetoacase.AnoptionallowstoexhaustsystemmemorypriortothehashverificationtoinvalidateandthwartanyfilebuffersemployedbyWindowssothatthedataoftheimageisreaddirectlyfromthediskfortheverificationandnottakenfromthememorybuffer.Thisoptionexistsforsmallimagesandforsomewhatparanoidoruber-diligentusers.ItisnotrequiredforimagesthataremuchlargerthanthephysicalamountofRAMthatisinstalledinyourmachinebecausebythetimewhenthefinalpartsoftheimagehavebeenwritten,theinitialpartsarenolongerinthebuffer,andoncethefinalpartsareabouttobeverifiedtheyarenolongerinthebufferbecauseatthattimetheinitialpartsareinthebufferastheyhavebeenverifiedjustbefore.Yoursystemmaybehavealittlebitsluggishforawhilewhenusingthisoption,andverificationmaybeslightlyslowerthannormally.Forensiclicense:Abilitytoscheduleinadvancesubsequentdiskimagingoperationsinadditionalinstancesthatwillwaituntilalreadyongoingimagingoperationsinpreviousinstanceshavecompleted,toavoidinefficient

simultaneouscreationofmultipleimagesonthesameoutputdisk(whichisunnecessarilyslowandproduceshighlyfragmentedimagefiles).Additionalinstancesonlywaitforpreviousinstancesinwhichthecheckboxforwaitingwascheckedaswell,butnotforothers.Forensiclicense:Ifyoucanceldiskimaginginthemiddleoftheprocess,X-WaysForensicsquicklyfinalizesthe.e01evidencefileformat(moreprecisely,thecurrentsegment)toguaranteeaconsistentimageeventhoughitisnotacompleteimage.Usefulforexampleinanemergencysituationwhenimagingmediaonsite,becauseaincompleteimagethatcanbeusedwithouterrorsisbetterthananunusablecorruptimage.Ifhashingwasenabled,incomplete.e01imagesevenhaveahashvaluethatcanlaterbeverifiedlater.Forensiclicense:Forthe.e01evidencefileformat,youmaychoosetheinternalchunksize.Mightberegardedasusefulbysometoachieveamarginallybettercompressionratioforordinarydata,attheexpenseofmoretimeneededwhencreatingtheimageandwhenlaterrandomlyaccessingdataintheimage,butimprovescompressionnoticeablyforextremelycompressibledata(e.g.awipedorunusedareasofaharddisk).A512KBchunksizereducestheimagesizewithidealdata(e.g.only0x00bytes)ceterisparibusbyanadditional40%comparedtoa32KBchunksize.Forensiclicense:Thedescriptivetextfilethatisgeneratedforimagespointsouttheexactsizesinbytesofallsegmentsofrawimagesfilesandtheexactchunkcountsinallsegmentsof.e01evidencefiles.Ifforwhateverreasononeormoresegmentsgetlostorcorrupted,thisallowstocreateartificialplaceholdersegmentsoftherightcapacitytofillinanygaps,suchthatallthedatainsubsequentsegmentswillhavethecorrectlogicaldistancefromthedatainprecedingsegments,topreservevalidityofpointerswithinthedata(partitionstartsectorsinthepartitiontable,clusternumbersinfilesystemdatastructures)aslongastheoriginalimagefilesegmentsthatcontainsourceanddestinationareavailable.Forensiclicense:Youmayadjustthecompressionoptionwhile.e01evidencefilesarebeingcreated.Usefulifyourpriorities(highercompressionrateorhigherspeed)change,forexamplewhenyouseethatdrivespacesuddenlyseemsscarceoryouhavetofinishtheprocessquickerthanpreviouslythought.Alsousefultoexperiment,whennotsurewhichcompressionoptionmightbebestforaparticularsystemconfiguration(e.g.whenimagingalivesystemon

siteandhavingtowritetheimagetoanexternalharddiskviaUSB,whereI/Oisslowandtheoverallprocessmaybefasterwithcompressionthanwithout).Forensiclicense:Whenimagingwithactivecompressionin.e01format,X-WaysForensicsprovidesimmediatevisualfeedbackabouttheactualamountofdatafoundonthedisk.Thatispossiblebecausediskareasthatwereneverwrittenaswellasdiskareasthatwerewipedachieveextremelyhighcompressionratios.Therollingcompressionratioisrepresentedduringimagingbyverticalbarsinaseparatewindow.Thehigherthebar,thelowerthe"datadensity"inthatarea.Thecompressionstatisticsarealsostoredinthe.e01evidencefile,sothatthesamechartisalsoavailableatanylatertimefromtheevidenceobjectpropertiesdialogwhenyouclickthe"Compression"button.Forensiclicense:Abilitytospecifyhowmanyextrathreadstouseforcompressionwhencreating.e01evidencefiles.BydefaultX-WaysForensicswillusenomorethan4or8,anditdependsonhowmanyprocessorcoresyoursystemhas,butyoucouldtrytoincreasethenumberonverypowerfulsystemswithevenmorecoresusuallywithoutproblems,forachancetofurtherincreasethespeed,oryoucanreduceityourunintostabilityproblems.Forensiclicense:Youhavetheoptiontochangethenatureofanimage(diskorvolume)anditssectorsizewhencreatingtheimage.Thisispossiblenotonlyfor.e01evidencefiles,wherebothisexplicitlydefinedintheinternalmetadata(compatiblewithothertools),butalsoforrawimages(viaexternalmetadata,compatibleonlywithX-WaysForensics/Imagev18.4andlater,lostiftheimageleavestherealmofNTFSfilesystems).Usefulwheneverthesourceofthedataisnotanidealinterpretation.ForexampleifareconstructedRAIDactuallyrepresentsavolume,notaphysicaldisk,thenyoucanalreadyadjustthenatureoftheimageaccordinglywhenyoucreateit.OrifthesectorsizeofthereconstructedRAIDoradiskinanenclosuredoesnotmatchthesectorsizeofthefilesysteminapartition,youcanadjustthesectorsizeoftheimageaccordingly.Allofthiswillallowforsmootherandmoresuccessfulusageoftheimagelater,inparticularbyuserswhodonotpaymuchattentiontodetailssuchasimagetypeandsectorsize.Withtheadditionalmetadatapresentforarawimage,X-WaysForensicsdoesnotneedtopromptusersforthenatureoftheimageanditssectorsizeevenifundernormalcircumstancesitwould(forexamplebecausetheimagedoesnotstartwithaneasilyidentifiablepartitioningmethodorvolumebootsector).

Attheendoftheimagingprocess,thecomputercanbeoptionallyeithershutdownor(ifsupportedbyyoursystem)hibernated,tosavepower.IfyouselecthibernationandWindowssignalsthathibernationfails,X-WaysForensicswillinsteadtrytoshutdownthesystem.Thereisanoptiontoaddnewlycreatedimagestothecaseandstartrefiningtheirvolumesnapshot(s)automaticallywithoutfurtheruserinteractionifthesourcediskhadnotbeenaddedtothecaseyetandifacaseisopenatthattimewhenyoustartimaging.Usingthiscommandistherecommendedwaytocreateadiskimage.Inordertoimageanarbitraryrangeofsectors,youcouldselectasectorrangeasablockandcopyittoafileviaEdit|CopyBlock|IntoNewFile,oruseTools|DiskTools|CloneDisk.Thelatterisparticularlyusefultopartiallyimageharddiskswithseverephysicaldefects(notjustordinarybadsectors)andcanevencopysectorsinreverseorder.Forimagingautomationpleaseseecommandlineparameters.MorehintsondiskcloninganddiskimagingSkeletonimagesTheencryptionalgorithmoptionallyusedin.e01evidencefilesiseither128-bitor256-bitAES/Rijndael,incounter(CTR)mode.Thisallowsforrandomreadaccesswithinevidencefiles.The128-bitimplementationisnewerandfasterandsupportedonlybyX-WaysForensicsv16.4andlater.Encryptionwillrenderan.e01evidencefileincompatiblewithothertools.Theencryptionalgorithmusesa256-bitkeythatisdigestedwithSHA-256fromthe512-bitconcatenationoftheSHA-256ofthepasswordyouspecifyand256bitsofcryptographicallysoundrandominput(salt),whichisstoredintheheaderoftheevidencefile.For128-bitAESthe256-bitkeyisreducedto128bitbyxor-ingthefirstandsecondhalf.The128-bitcounterisrandomizedandincrementedperencryptionblock,asalittle-endianintegerin256-bitAES,asabig-endianintegerin128-bitAES.TheencryptionblocksizeofAESis128bits.AnadditionalSHA-256isstoredintheheaderaswell(optionallyfor256-bitAES,seeSecurityOptions)andusedlatertodeterminewhetherapassword,specifiedbytheuserfordecryption,iscorrectornot.TheSHA-256algorithmisappliedtoaconcatenationofthesalt,hashx,andhashytocomputethispasswordverificationhash,wherehashxistheSHA-

256oftheuser-suppliedpasswordandhashyistheSHA-256oftheconcatenationoftheuser-suppliedpasswordandhashx.For128-bitAES,ybecomesxandisconcatenatedandhashedoverandoveragain,100,000times,topracticallyrenderrainbowtableattackcomputationallyinfeasible.Pleasenotethatwhenyouusecompressionandencryptionatthesametime,eachchunkinan.e01evidencefileisfirstcompressed,thenencrypted.Soaneducatedguessaboutthenatureofthedatainagivenchunkmightbepossible,merelyjudgingfromthecompressedsizeofthechunk(i.e.itscompressionratio),evenifthecompresseddataisencrypted.IfyouhaveWinHexassignafilenameforaWinHexbackupautomatically,thefilewillbecreatedinthefolderforbackups(cf.GeneralOptions),namedwiththenextfree"slot"accordingtotheBackupManager'snamingconventions("xxx.whx"),andwillbeavailableintheBackupManager.Ifyouexplicitlyspecifyapathandafilename,youcanrestorethebackuporimagelaterusingtheRestoreBackupcommand,andincaseofsplitbackupsWinHexwillautomaticallyappendthesegmentnumbertothefilenames.

DummyImageSegmentsWiththeFile|Newcommandyouhavetheoptiontoconvenientlycreatedummy/makeshiftsegmentsfor.e01evidencefilesthatcansubstitutemissing/lost/corruptoriginalsegments.Theuserspecifiestherequiredchunksizeandthenumberofchunksaswellasafilenameforthedesiredsegment(mustbewiththecorrectextension,identifyingthesegmentnumber,notnumber1).Thedatawrittenintothechunksisarecurringtextualpattern("MISSINGIMAGEFILESEGMENT!"whenrunningX-WaysForensicsinEnglish),sothatyouknowthatyouarelookingatagapinbetweenavailabledatawhenbrowsingtheinterpretedcombinedimagelater.Theideaofsuchanartificialdummysegmentisthatifcorrectlycreateditcanserveasaplaceholderthatensuresthatdatainsubsequentsegmentshasthecorrectlogicaldistancefromthedatainprecedingsegmented.Ofcourse,thehashoftheentireimagecannotbesuccessfullyverifiedanymoreiftheoriginaldataisnotpresent,andofcourse,thisfunctionalityshouldbeusedonlyasalastresortifthereisnobackupofthemissingsegmentfileandifdatarecoveryfailsetc.,andcreationandusageofsuchadummyimagefilesegmentshouldbeproperlydocumented.(forensiclicenseonly)Wheninterpretingan.e01evidencefilethatcontainsdummysegments,youwillbenotified,andthetotalnumberofplaceholderchunksarenotedintheevidenceobjectpropertieswhentheimageisaddedtothecase.Ifyourequireaplaceholderforasinglemissingsegmentofwhichyoudon'tknowthechunksizeandchunkcountbecausetheimagewascreatedwithoutthenewinformationinthedescriptivetextfile,thisishowtofindout:Changethefilenameextensionofthepenultimatesegmenttothatofthemissingsegmentsothatthereisnogap.Thenrenamethelastsegmenttothenowmissingpenultimatesegment.(Ifthemissingsegmentactuallyisthepenultimateone,thelaststepissufficient;ifthemissingoneisthelast,norenamingisrequiredatall.)Thenaddtheimage(firstsegment)toacaseinX-WaysForensicsasusually.X-WaysForensicswillbringthemisnamedsegmenttoyourattentionintheMessageswindow,whichcanbeignored.Checktheevidenceobjectpropertiesforthechunksizeaswellastheexpectedchunkcountandtheactuallyreferencedchunkcount.Subtracttheactuallyreferencedchunkcountfromtheexpectedchunkcount.Nowyouknowhowmanychunksaremissing.Changethefilenameextensionbacktowhatitwasbefore,andthencreatethe

missingdummysegmentwiththecorrectchunksize,correctchunkcount,andcorrectextension.Withavariation,thisapproachalsoworksifmultipleconsecutivesegmentsaremissing,justyourenamemoreavailablesegmentstofillthegapinthefirststep,andyoucreateasmanydummysegmentsasnecessarytofillthegap.Whichdummysegmentexactlycontainshowmanysurrogatechunksisnotimportantaslongasthetotalnumberofsurrogatechunksmustaccountexactlyforthetotalnumberofmissingchunks.Ifmultiplediscontiguoussegmentsaremissing,suitabledummysegmentscanonlybecreatedwiththenewinformationfromthedescriptivetextfile.

SkeletonImagesForensiclicenseonly.AtypicalX-WaysfeaturethatcementsX-WaysForensics'position as the tool that gives its users the greatest amount of control whenselecting/targeting/filtering data at any conceivable level: The ability to createforensic physical skeleton disk images that contain only those sectors that areneeded for certain purposes,whilemaintaining compatibilitywith other tools.These can be sectors with partition tables, file system data structures, theirneighboring sectors as well as sectors with file contents or any sectors inunpartitioned noman's land. A skeleton image is typically sparsely populatedwithdata,withvastareasinbetweenremainingundefined,sothatitmakessenseto utilize NTFS sparse file technology for it. Unwritten areas in the skeletonimagewillactasifzeroedoutwhenreadlater.Youstartskeleton imagingby invoking theFile |CreateSkeletonImagemenucommand.Whichsectorsfromthennowwillbecopiedintotheimageisdefinedindirectly,bymakingX-WaysForensicsreadthosesectorsfromthesourcediskthat are needed for a certain purpose. When the target image is open in thebackground,nextyoutypicallyopenthediskorpartitionoropenandinterpretthe image thatyouwish toacquirepartially.Thatway itwillbeautomaticallydefined as the source, and thatwayeven readoperationsduring the importantopening or interpretation step are triggered already, when partition tables andbootsectorshavetobeparsed,sothattheseessentialdatastructuresthatdefinepartitionsandidentifyfilesystemsareincludedintheskeletonimage.Soafteropeningapartitionedphysicaldisk,youhavea"basicskeleton"inyourtargetimage:Partitiontablespointingtopartitionbootsectorsornestedpartitiontables,whose function is to support all the other data in between (file systemdataanduserdata).Ifyoualsowishtoensurethatfromtheskeletonimageitispossibletotakeavolumesnapshotofacertainpartition,i.e.getalistingofallfilesanddirectoriesreferencedbythefilesysteminthatpartition,thenyouopenthat partition from the source hard disk so that a volume snapshot is actuallytaken.Again, all the sectors read from the sourceharddisk in theprocess aresimultaneouslycopied to the image, and that is the file systemdata structures,e.g.$MFTinNTFS,alldirectoryclustersinFAT,andthecatalogfileinHFS+.That adds considerably more administrative data and also metadata to yourskeletonimage,butstillnooralmostnousercontents.Unrelatedsectorsthatarenot used by the file system are not read and therefore not copied. That also

meansthattheabilitytofindpreviouslyexistingfilesintheskeletonimagewillbelimited.Ifyouwishtoincludeanarbitraryrangeofsectorsintheimage,youonlyneedto find a way tomakeX-Ways Forensics read those sectors. For example, toincludesectorsfromnumber1,000,000to1,000,999,definethose1,000sectorsasablockandhashthatblock(inDiskmode)usingtheTools|ComputeHashcommand,orrunaphysicalsearchinthatblockonly.Or,toacquireanunusuallylarge partition gap between partition 1 and 2, you could hash the virtual filerepresenting that gap.You can alsomanually navigate to any single sector ofinterestthatyouwanttobeincluded(e.g.Navigation|GoToSector)oruseanyofthefilesystemnavigationmenucommands.Allofthatworksbecausereadingsectorstriggerstheiracquisition.However, ifyouwishtospecificallyacquireselected files, that iseasier,and itmightbeagoodidea to turnoff the indirectacquisitionofanysectors thatareread for whatever purpose along the way, so that for a example file that youpreviewandthatturnsouttobeirrelevantisnotacquiredbythepreviewactionalready.Forthat,youcanchangethestateoftheskeletonimagethatisopeninthebackground to "idle",using theStatecommand in theFilemenu. In "idle"mode,onlythe"Addto[nameoftheskeletonimage]"commandinthedirectorybrowsercontextmenuallowstoacquireselectedfiles(bytemporarilyactivatingtheimageandtriggeringreadoperations),.If you wish to include some operating system files, for example, such asWindowsregistryhives,explorethepartitionrecursivelyfromtherootdirectory,filterforthosefilesandinvokethe"Addto"commandinthedirectorybrowsercontext menu. (Only available if no evidence file container is open in thebackground for filling at that time.) The examinerwho only has the resultingskeletonimagewillconsequentlybeabletoviewthehivesandcreatearegistryreport about them, assuming you had already copied the file system datastructureswhich are required to findoutwhich sectors contain the data of thefile.Thedialogwindow to change the state of the target image also allowsyou tocloseit,i.e.stoptheacquisitionforthemomentorfinalizetheimage.Thesameskeleton imagecanbefurthercompletedatany later timebyselecting itagainwith the "Create Skeleton Image" command, but then you choose to notoverwrite,buttoupdateit.

Asyousee,youhavefullcontroloverwhatdatawillmakeitintotheimage.Themethology just assumes that you have some understanding of what data youwant/need and, should that data not be stored in ordinary easy-to-select files,wheretofindit/howtogetitphysically.Thesectorscanbetargetedinanyorder.Multiplereadsofthesamesectorsdon'tchangeanythingintheskeletonimageandhavenonegativeeffect,excepttheymaycauseunnecessaryduplicatelinesin the optional log file thatX-Ways Forensics can produce. Such a log file iscreatedinthesamedirectoryastheskeletonimageandwilllistallsectorrangesthat were copied, optionally along with the hash value of each sector range,whichallows tomanuallyverify thedata in certain areas should there everbedoubt about it. If you use the "Add to" command to copy files to a skeletonimage,thenameofeachsuchfilewillalsobeoutputinthelog,followedbythesectorrangesthatcorrespondtotoit(morethanoneifthefileisfragmentedorifX-WaysForensicssimplychoosestocopysectorsinmultiplechunks).Youmaywant to convert the resulting raw skeleton image into a compressedand/orencrypted.e01evidencefileandhashitorcompressitwithWinRARor7Zip etc. before passing it on to other users. The compression rate will beunusuallyhighiftheskeletonimageisonlysparselypopulated,andthespeedofreadingextremelyhighbecauseundefined/unallocated areasdonothave tobereadfromthedisk.Foryourownuse,youcanjustkeepitasissinceitdoesnotuseasmuchdrivespaceasthenominalfilesizesuggeststhankstoNTFSsparsestorage. If you wish to copy the raw skeleton image, be sure to copy it as asparsefile(canbedoneinX-WaysForensicsusingtheTools|FileTools|CopySparsecommand) so that thecopywill alsobea sparse file andonly takesasmuchdrivespaceastheoriginalfile.Aconventionalcopycommandwouldcopyeven the vast unused and unallocated areas within the sparse file as binaryzeroes.Toverifythatthedatatransferredtoaskeletonimagehasnotchanged,suchanimage can be hashed entirely, just like an ordinary image. Alternatively, andmuchquicker,youcanusethecommand"VerifySkeletonImage"tohashonlythosesectorrangesagainthatwereactuallytransferred,accordingtothe.logfile(readingfromtheskeletonimage),andcomparethehashvaluestothoseinthe.logfile.Then,toverifythatthe.logfilehasnotchanged,itwillbehasheditself,and the resulting highly valuable all encompassing master hash value iscompared to thehashvalue stored in theoptional .log.log file, if that filewascreated. It might be desirable to additionally verify that all unused areas in a

skeletonimagearestillunallocatedoratleastfilledwithbinaryzeroes.Thisisnotdonebythisfunction.Options:

AskeletonimageshouldbecreatedasanNTFSsparsefileunlessyouintendtocopymorethanhalfofthesectorsperhaps(justaveryroughruleofthumb).Ifyoudon'thaveX-WaysForensicssetthenominal(logical)imagefilesizetothefullsizeofthesourcedisk,thenwheninterpretingtheskeletonimageandreadingfromit,asmaller"capacity"willbereportedandyoumaygetsectorreaderrors.Stillworththinkingaboutitforexampleifyouwishtocapturemerelythefirst1MBofa1TBharddisk.Savesalotoftimeifyouwishtoconverttheskeletonimagetoan.e01evidencefileorwanttohashitinitsentirety.Skippingalreadyzeroedoutsourcesectors(sectorsofthesourcediskthatonlycontainbinaryzeroes)willtreatsuchsectorsexactlylikesectorsthatwerenotacquired.Thismakestheresultingskeletonimagesmaller("moresparse"),butitpreventyoufromshowingwithjusttheskeletonimagethatthesesectorsonlycontainedzeroesonthesourcedisk.Theyareindistinguishablefromsectorsthatwerenotacquired."Includedirectorydatastructuresofthefilesystem"hasaneffectwhenyouapplythe"Addto"commandofthedirectorybrowsercontextmenutoselecteddirectories.Ifthisoptionisselected,youwillalsocopythedatastructuresofthefilesystemforthesedirectories,ifthereareany,e.g.INDXbuffersinNTFS,subdirectoryclustersinFAT,etc.(nothinginHFS+),otherwiseonlythecontentsofthefilesinthesedirectories."Reporttableassociations"willcreateareporttableassociationforeveryfilethatyouspecificallyaddtotheskeletonimageinthesourcevolumesnapshot,sothatitiseasytoseewhichfileswerecopiedalreadyincaseofanydoubt.If"Createlogfile"isatleasthalfchecked,a.logfilewillbecreatedthatreferencesallcopiedsectorranges.X-WaysForensicsmakesanefforttopreventacquiringduplicatesectors,e.g.whencopyingtheexactsamesectorrangeasecondtimeorwhencopyingoverlappingsectorranges,sothatcanexplainwhyyoumaynotgetmorelinesinthe.logfilewhencopyingthesamesectorsagain.Ifthecheckboxisfullychecked,a

.log.logfileaboutthe.logfilewillbecreatedwithahashofthe.logfile.Allcopiedsectorrangescanbeoptionallyhashed,andthehashvaluescanbewrittentothe.logfileandcanbeverifiedafterclosingtheskeletonimage.

Benefitsofskeletonimages:

Partialimage,savesdrivespace.Quicktocreate,especiallywhenacquiringremoteharddisksthroughaslownetworkconnectionusingF-Response.Transports/revealsonlyspecificallytargeteddata,excludesunrelateddata,asmayberequiredbylaw,commonsense,timepressureorthecustomer.Ideallysuitablefortechnicaldatastructures(partitiontables,filesystems)andfilesinafilesystemaswell.Abilitytoacquireallessentialfilesystemdatawithoutknowinganythingaboutthefilesystemandinwhichsectorsitsdatastructuresarestored.Resultworksexactlylikeaconventionalrawimageofthediskforalltheintendedpurposesifadequatelyprepared,withoriginaloffsetsandrelativedistancesbetweendatastructurespreserved(unlikeinanevidencefilecontainer).Thefileformatisuniversal,andallforensictoolsthatsupportrawimageshaveachancetounderstandthedata,unlesstheyneedmoredatathanwasincludedoralreadydon'tunderstandthepartitioningmethodorfilesystemetc.oftheoriginalcompletedisk/image.

Caveats:

Notethatasearchhitlistonthescreenwithcontextpreviewsaroundthesearchhitsforexamplewillcausealotofreadactivity,soyoumaywanttochangethestateoftheskeletonimagetoidlemodewhenitisopeninthebackgroundincertainsituations.ToavoidthatthestartsectorsoffilesordirectoriesthatyoumerelyclickinthedirectorybrowserinPartition/Volumemodearecopiedtotheskeletonimage(becausesuchaclickautomaticallyjumpstotherespective1stsector),youcannavigatethedirectorybrowserinLegendmodeinstead,orhavetochangethestatusoftheimageto"idle".Readingdatafrommostextractedfilessuchase-mailmessages,

attachments,videostills,picturesembeddedinMSExcelspreadsheetsetc.donottriggercorrespondingreadoperationsatthedisklevel,sotheycannotbecopied.Skeletonimagesaresuitableonlyforfilesatthefilesystemlevel,notatanyotherlevelseeninvolumesnapshots.Useevidencefilecontainersinsteadforsuchpurposes.Notethattoanunsuspectingexamineraskeletonimagemaylookverymuchlikeanordinarycompleteimage.Suchanexaminermustbemadeawareoftheincomplete,sparselypopulatednatureoftheimage.Unlikeinalogicalevidencefilecontainer,fileswhosecontentsarenotcontainedintheimagearenotspeciallymarkedassuchinavolumesnapshottakenofanincompletephysicalimage.X-WaysForensicsv17.1andlaterinformstheexaminerofthenatureofanimagewhenit'saddedtoacase,ifitdetectsaskeletonimage.

Acomparisonofevidencefilecontainersandskeletonimagescanbefoundonthewebsite.SnippetimagingAvariantofskeletonimagingiscalled"snippetimaging".Clickthebuttonlabelled"Snippetimaging"inthefileselectiondialogoftheFile|CreateSkeletonImagemenucommandtostartsnippetimaging.AnysectorsthatarebeingreadbyX-WaysForensicsfromanydiskorimagewhilesnippetimagingisactivearewrittenintoseparatefilesnamedafterthesectornumber,witha.sectorextension,inasubdirectoryofthedefaultdirectoryforimagesnamedafterthediskorvolume.Contiguoussectorreadsarecopiedtoasinglefile.SnippetimagingmodecanbedeactivatedbyinvokingtheFile|SnippetImagingmenucommand.Snippetimagingishelpfulinspecificsituationsonly,forexamplefordebuggingpurposes,wheninneedforveryspecificsectorsonlythatarebestlocatedbythesoftwareautomatically(e.g.datastructuresneededwhenopeningaparticularfile).Comparedtoskeletonimaging,snippetimagingcanbebeneficialbecausenoimagefileofthesamesizeasthesourcediskiscreated.(Evenifit'sanominalsizeonlyandtheimageissparse,sparsedoesnothelpifthefileneedstobesentviaInternetorcopiedtoafilesystemthatdoesnotpreservethesparsenatureofthefile.)

Becauseoftheircompatiblenames,snippetimagefilescanbedirectlyusedforsectorsuperimposition.Theycanalsoconvenientlyandbecauseoftheirtypicallysmallsizevery,veryquicklyberestoredtoaotherdisks,allsuchfilesinthesamedirectoryatthesametime,ofcoursetakingthesectornumbersinthefilenamesintoaccount,byclickingnewbutton"Snippetimaging"intheFile|RestoreImagedialogwindow.

EvidenceFileContainersOnlyavailablewithaforensiclicense.TheSpecialistmenuallowstocreateanewfilecontainer,openanexistingone,andclosetheactivefilecontainer.Thedirectorybrowsercontextmenuallowstofillitwithselectedfiles.Whenyouneedtopassonacollectionofselectedfiles(evenfromdifferentevidenceobjects)thatareofparticularrelevancetoacase,tootherpersonsinvolvedinthatcase,e.g.specializedinvestigators,whodonotneedtoormustnotseeirrelevantfiles,evidencefilecontainersmaycomeinhandy.Mostfile-systemlevelmetadata(name,path,size,attributes/filemode,timestamps,deletionstatus,classificationasalternatedatastreamorvirtualfileore-mailmessageorattachment,...)andespeciallythecontentsofthefilearefullyretainedinanevidencefilecontainer.Alsowhenaconventional(physical,sector-wise)imageisoverkillbecauseyouneedtoacquireonlyselectedfilesandnotentiremedia,containersarerecommended.Evidencefilecontainersuseaspecialfilesystem(XWFS)thatcanaccomodatemostmetadatafromconventionalfilesystemsoftheWindows,Linux,andAppleworld.Evidencefilecontainerscanbeinterpreted,addedtoacaseandconvenientlyexaminedlikeotherimagefiles,andinparticularalsoinX-WaysInvestigator[CTR],thesimplifiedversionofX-WaysForensicsforinvestigatorsthatarenotcomputerforensicexaminers,butspecializedinotherareassuchascorruption,accounting,childpornography,buildinglaws,...Therecipientofthecontainercanaddthecontainertohisorherowncase,viewthefilesthatitcontainsjustlikeinadiskpartitionoraconventionalimage,canrunkeywordsearches,commentonfiles,addfilestoreporttables,createareport,etc.Reporttableassociationscanevenbeexportedandimportedbackintotheoriginalcase,viacasetreecontextmenucommands.Thisallowstosplituptheworkloadinlargecasesacrossmultipleinvestigatorswhoworksimultaneouslyandtoreconciletheirresults.EvidencefilecontainersofthecurrentformatcanbeunderstoodbycertaincomputerforensictoolsotherthanfromX-Ways.OlderversionsofWinHex(withaspecialistlicenseorhigher),X-WaysForensicsandX-WaysInvestigatorcanalsounderstandthem.Theycanallreadthecontentsofallfilesandshowthemostessentialmetadata(e.g.filename,path,manyattributes,mosttimestamps,existingordeleted).Toseethemaximumamountofmetadata,however,please

useWinHex/XWF/XWI16.3andlater.Moreinformation.Subjecttochange:Ifanevidencefilecontainercontainsnomorethan1,000objects,itcanopenedinWinHexwithanylicensetypeandevenintheevaluationversion(freeofcharge,notonlyforevaluationpurposes),anditcanbeinterpretedandmountedasadriveletter.Containerscantheoreticallyholdaround1billionfiles.X-WaysForensicsautomaticallypreventsthatthesamefileiscopiedtothecontainertwice.Ifyouwishtocheckthecontentsofanevidencefilecontainerwhileyouarefillingit,thatisnoproblem.Youcantentativelyaddittothesamecaseasanevidenceobjectwhileitisopenforfilling.Youdonotneedtoremoveitfromthecaseorclosetheevidenceobjectinordertofillthecontainerfurther.Aftereveryfillingstep,youcantakeanewvolumesnapshotofthecontainertoseethecompleteup-to-datecontents.Andwhendonefillingthecontainer,youcanremoveitfromthatcaseasitisprobablynolongerneededinthere.Inordertoidentify/preservethesourceoffilesthatoriginatefromdifferentevidenceobjects,thenamesoftheseevidenceobejctscanbeincludedinthecontainerasthetopdirectorylevel.Iftheoptiontoinsertanartificialtopdirectorylevelisonlyhalfselected,thatmeansthatonlythethenamesofpartitionevidenceobjectsareincludedthathaveaphysicalevidenceobjectasaparent.Usefuliftheparentevidenceobjectnameisverylongandredundanttoincludebecauseyouwillfillyourentirecontaineronlywithfilesfromthatphysicalevidenceobjectandwillreferencethatobject'snameinthecontainernamealready.Artificialdirectoriescanbeoptionallycreatedincontainerstoaccommodatechildobjectsoffiles,forcompatibilitywithtoolsthatdonotacceptfilesaschildobjectsofotherfiles(nonX-WaystoolsandWinHex/XWF/XWI15.9andearlier).WinHex/XWF/XWI16.0andlater(latestrelease,respectively)donotneedsuchartificialdirectories.Whencreatingacontainer,youchosebetweenadirectmethodandanindirectmethodtofillit.Indirectmeansviayourownharddisk,i.ethecontentsoffilesarenotcopieddirectlyintothecontainer,buttoyourfolderfortemporaryfilesfirst(cf.GeneralOptions),andonlythenfromthereintothecontainer.Thiscanbebeneficialbecauseitallowsaresidentantivirussoftwaretointerceptthesefiles(checkthemforviruses,disinfect/disarmthem,renamethem,move/delete/lockthem,etc.),sothatitpreventsvirusesfrommakingitintoa

container.Theresultingcontainerisfreeofknownviruses(dependingontheantivirussoftwareinuse)andcanreasonablybepassedontoandusedinanenvironmentwithhighersensitivity,highersecurityrequirements,and/orlesssophisticatedvirusprotection.Pleasecheckwhetheryourantivirussoftwareworksinthissituationbeforeyourelyonit.Anoptionalinternaldesignationcanbespecified(upto31characters),whichwillbecomethevolumelabeloftheXWFSfilesystem.Anoptionaldescriptioncanalsobespecified(upto60,000characters),whichwillbeimportedastheevidenceobjectcommentsoncethecontainerisaddedtoacaseinX-WaysForensics.Thedescriptionstoredinthecontainercanstillbeaddedoreditedlater.Filesselectedinthedirectorybrowsercanbeaddedtothecontainerthatisopeninthebackgroundwiththedirectorybrowser'scontextmenu.Eitheryoucopythelogicalcontentsofafile,thelogicalcontentsandthefileslackseparately,justtheslack,onlytheblockselectedinFilemode,ormerelythefilesystemlevelmetadataofthefile.Youmayalsospecifywhetherchildobjectsofselectedfilesshouldbecopiedtothecontaineraswell,eveniftheyarenotselectedthemselves,eitherchildobjectsofanykindofchildobjects(iffullychecked)oronlye-mailattachments(ifhalfchecked).Optionallycontainerscanincludethedata/contentsofdirectoriesthemselves,i.e.dependingonthefilesystem,directoryentries,INDXbuffers,etc.Usefuliftherecipientofthecontaineristechnicallyversedandmightbeinterestedintimestampsorothermetadatainthesedatastructures.Ifyouchoosetoincludedirectorydatainacontainerwhencreatingit,thishasadirecteffectonlyondirectoriesthatareselectedthemselves.Ithasaneffectontherespectiveparentdirectoryofselecteditemsonlyifyouenableanadditionaloption("Includedatastructures/contentsofdirectparentitems").Thisadditionaldecisionisneededbecauseotherwisethedirectorydatamightunintentionallyrevealthenamesandothermetadataoffilesthatwereintentionallyomittedfromthecontainer,e.g.forreasonsofconfidentiality.IfinthecontaineryouhaveX-WaysForensicsrecreatetheoriginalpathoffilesthatarechildobjectsofotherfiles,thenthoseparentfileswillbeincludedinthecontaineratleastasnominally,withoutdata,sothatthechildobjectappearswiththecorrectpathanditisclearwhereitcomesfrom,justbylookingatthecontainer.Examplesforsuchparentfilesarethee-mailmessagethataselected

attachmentbelongsto,theziparchivethatcontainsaselectedfile,andthedocumentthataselectedpictureisembeddedin.WiththeoptionIncludedatastructures/contentsofdirectparentitems,thedataofsuchfilesisalsoincludedinthecontainer,evenifthesefileswerenotselectedforcopyingthemselves.Anyfilethatispartofavolumesnapshot(e.g.evenindividuale-mailmessagesifextracted)canbeaddedtoacontainer.Onceadded,afilecannotbephysicallyremovedanymore,however,itsexclusioncanbemadepermanentinthecontainer.Youhavetheoptiontoautomaticallycreatereporttableassociationsforfilesthathavebeenaddedtoanevidencefilecontainer.Optionally,hashvaluescanbestoredforthefilesthatarecopiedintoacontainer.Thisallowstoverifytheintegrityofthefileslater,afterhavingaddedthecontainertoacase,byrefiningthevolumesnapshot.Thehashvaluesarecomputeddirectlyforthedataasreadfromtheoriginalsourcemedium(unlessyoucopymetadatatothecontaineronly)ortakenfromthevolumesnapshot,ifavailable.Optionally,thepreparerofanevidencefilecontainercanpassonreporttableassociations(eitherallornotthosecreatedbyX-WaysForensicsinternally)orcommentsaboutincludedfileswiththecontainer.Usefultonotonlyforwardacollectionoffilestootherinvestigators,butalsocase-specificinformationandpreliminaryfindings.Forexample,thecommentcouldexplainthereasonwhyafilewasselectedforinclusioninthecontainerinthefirstplace.Pleasenotethattransferringextractedmetadatatothecontainerisnotrecommendediftherecipientwouldliketoworkwithaneventlistbecauseeventsarenottransferredtothecontainerandeventsderivedfromwithinfilecontentswillnotbeaddedtotheeventlistifafileismarkedasalreadymetadata-processed.Abortoperationuponreaderror:Thisoptionallowstoabortcopyingfilesintoanevidencefilecontaineruponareaderrorandtonotincludeaffectedfilespartially.Usefulwhenacquiringfilesfromanetworklocationandtheconnectionmightbeinterrupted,ifyouassumethatifthathappensyouwillgettheconnectionbackandwillbemoresuccessfulwhenyoutryagain,toavoidhavingincompletefilesinthecontainer,whichcannotbereplacedwithacompletecopyretroactively.Availableonlywhennotfillingcontainersindirectly.Whenclosingacontainerthatisopeninthebackground,theuserisofferedto

compress,encrypt,and/orsplitit.Thisisusefulifthecontaineriscompleteandrelativelyhuge,ande.g.shouldbesenttosomeoneelseonCDsorDVDs.Youmayalsofinditusefultohaveaverifiableoverallhashvalueforallthedatainthecontainer,whichcanbecomputedatthatoccasionandembeddedinthetargetcontainer.Youcanalsofreezethefilesysteminthetargetcontainerthatyoucreatein.e01evidencefileformat,sothatitcannotbefilledfurtherevenifitisconvertedbacklatertoitsplainstateagain(toarawimage).

RelatedItemsOnlyavailablewithaforensiclicense.Files/directoriesthathaveacorresponding"related"fileordirectoryinthevolumesnapshotaremarkedinthedirectorybrowserwithasmallbluearrowpointingdownwardsontheleft-handsideoftheiricon.Asecondarytooltipappearsforfileswitha"related"filewhenhoveringthemousecursorovertheicon,whichconvenientlytellsyouthepathandnameofthatrelatedfile,forexamplethetargetofasymboliclink.Therearefourdifferentkindsofrelatedobjects:1)WhentakingavolumesnapshotofUnix-basedfilesystems,symboliclinksareconnectedtotheirtargetsinthevolumesnapshotasso-calledrelatedfiles,sothatyoucanconvenientlynavigatetothetargetbypressingShift+Backspace.Alsooneofpotentiallyseveralsymlinkspointingtoacertaintargetwillbecometherelatedfileofthetarget,sothatyoucanconvenientlynavigatetothesymlinkorquicklyseeinthefirstplacethatoneormoresymlinksexistthatpointtoacertaintarget,sinceanyfilethathasa"related"fileinthevolumesnapshotismarkedwithatinybluearrownexttoitsicon.Alsothesamearrowwilltellyouwhetherthetargetofasymlinkcanactuallybefoundinthefilesystem.Ifasymlinklinkstoothersymlinks,thosearenotrecursivelylinked.Ifresolvingsymlinktakestolongbecausetherearemanysymlinksinavolume,youmaysafelyabortthatstepatanytime.2)WhentakingasnapshotofvolumeswithWindowsinstallations,certainreparsepoints(a.k.a.junctionpoints)areconnectedtotheirtargetsinthevolumesnapshotjustlikeassymlinksinUnix-basedfilesystems,sothatyoucanconvenientlynavigatetothetargetbypressingShift+Backspace.Alsotherewillbeaback-referencetoonereparsepoint,sothatyoucanconvenientlynavigatetothatreparsepointorquicklyseeinthefirstplacethatoneormorereparsepointsexistthatlinktoacertaindirectory,sinceanydirectorythathasa"related"directoyinthevolumesnapshotismarkedwithatinybluearrownexttoitsicon.Forensiclicenseonly.ReparsepointsthatdonotgetconnectedwiththeirtargetdirectorieswillstillshowacommentthatadvisesyouofthetargetpathasinearlierversionsofX-WaysForensics.3)HardlinksinHFS+pointtotheircorrespondingiNode*(indirectnode)file.

iNode*filespointbacktooneoftheirhardlinkedcounterparts,sothatitisveryconvenienttolocateatleastoneofthosehardlinksandseetheactualuseandlocationofthefile.TofindotherhardlinksforthesameiNode*file,youcanforexamplesortbythecolumn"1stsector".4)FilesfoundinvolumeshadowcopiesinNTFSpointtotheirshadowcopyhostfile.VSChostfilespointtotheircorrespondingsnapshotpropertiesfile.

GeneratorSignaturesThegeneratorsignatureisaconceptthatidentifiessubtypesofcommonfiletypeslikeJPEGandPDF.Thosesubtypescanbeassociatedwithdevices(scanners,cameras)orapplications(e.g.Photoshop).ForJPEG,thesignatureisbasedonthequantizationtableandsomeotherinvariantfeaturesthataresharedbyallJPEGfiles.Thegeneratorsignatureisprovidedwiththemetadataasa32bitrawhexnumberaccompaniedbyatextualdescriptionderivedfromthefileGeneratorSignatures.txt.607AE169(IJGLibrary94/Paint)ThisexampleshowsthesignaturethatresultsfromaJPEGfilegeneratedbyMicrosoftPaint.Thenumberistheimagequalityintherange1...100.94isthefixedimagequalitysettingspecificforMicrosoftPaint.JPEGsignaturescanbesubdividedintothreegroups.ThefirstgroupisnamedStandard(identicaltoIJGLibrary).FilesinthisgroupmakeuseofthequantizationtablesasdefinedbytheJPEGstandard.Thereareexactly99qualitygrades.ThesecondgroupisnamedExtended.Hereaparticulargradeissubdividedintoroughly100additionalgradesbyinterpolatingthestandardquantizationtables.Thosesignaturesusuallybelongtoentrylevelcameramodelsthatactaccordingtosize-prioritycompressionmethods.D3D8AD02(Extended95.10/10MPcamera)TheimagequalityispresentedwithtwofractionaldigitswithinthemetadatacolumnaswellaswiththeDQT-markerinthedetailspane.Whetheracameraoperateswiththesize-priorityschemecanbejudgedbytheExiffieldCompressedBitsPerPixel.ThethirdgroupiscalledCustom.Filesinthisgroupmakeuseofproprietaryquantizationtablesthatarespecifictocertaindevicesorapplications.Heretootheimagequalityisshownintherange0100withtwofractionaldigits.ExceptionsarePhotoshopwith13gradesintherange0...12,AppleQuicktimewithgradesintherange11024,andLEADTechnologieswiththerange2255.

53631B67(LEADTechnologies2/Scan)Thesecondpartofthedescription,Scan,canalsohavethevaluesFacebook,WhatsApporMsPhoto.MsPhotomeansthatthisfilehasbeeneditedbyMicosoftPhotoGallery.Generatorsignaturesformthebasisofthecalculationofthegenericrelevance.Inaddition,GeneratorsignaturesareusedinX-WaysForensicsduringthefileheadersignaturesearchtonamecarvedJPEGfilesifnobettermetadataisavailable(e.g.cameramodelandtimestampfromtheExifdata).Ifthemetadataextractioncannotfindanybettermetadata,thegeneratorsignaturecanstillbeoutput,andthatsignatureatleastallowsyoutoidentifygroupsoffilesthatlikelyhavethesameorigin.VerifyingwhetherthegeneratorsignatureandavailableExifmetadataareconsistentwitheachothermaytellyouwhetherapicturewaseditedandsavedagain.Inparticularthegeneratorsignatureallowstoidentifyfilesthatwereproducedbyscanners,asthereareonlyahandfulofgeneratorscommonlyusedinscanners.Thatallowstoreliablyidentifyscannedimageseveniftheyarenotblackandwhiteornot100%usinggrayscalecolorsonly.PDFfilesproducedbyscannerscanalsobeidentifiedbygeneratorsignatures.SuchfilesareassociatedwiththereporttableScan.PDFgeneratorsignaturesareavailableeveniftherearenometadataornometadatacouldbeextracted.With4,700signatures(asofv19.0),morethan99%ofallPDFfilesarecovered.OneparticularlynotablePDFgeneratorsignaturecategoryinthefileGeneratorSignatures.txtisReporting/Records,whichidentifiesdocumentslikebankaccountstatementsandinvoices.Thisidentificationalsoimprovestheautomaticrelevancejudgment.Thefile"GeneratorSignatures.txt"issimilartotheothertextfilesthatshipwithX-WaysForensicsandlikethosecanbeeditedittoadjusttherelevanceestimationthatispartofmetadataextraction.IfforexampleknowingthataJPEGfilewasgeneratedbyascannerisimportantforyou(becauseyouareataxfraudorotherwhitecollarcrimeinvestigatorinterestedinscanneddocuments),youwouldmakesurethattheJPEG/Scangrouphasahighweight(e.g.9).That'sthenumberafterthetabinthelinewiththe***groupdefinition.Ifsuchafileisoflessimportancetoyou(e.g.becausethepicturesthatyouhavetolookforareCPphotos),thenyoureducetheweightofthatgroup(settingite.g.to1).You

canalsoedittheindividualrelevanceofeachgeneratorinagroup.Aweightofaparticularsignaturehastobeintherange09,defaultbeing5.Thereisnosuchrangerestrictionfortheweightofagroup.Themodeldesignationsofknownscanningdevicescanbemanuallyextendedinthesection"KnownScanner"of"GeneratorSignatures.txt".IdentificationbymodelnamecanhelptoidentifyscannedimagesiftheycontainExifdataorwereedited.Generallythedetectionasscannedimagesisbasedon1)generatorsignature,2)genericpropertiesoftheExifmetadata(FileSource,Density,...)and3)theKnownScannerlist.Theprefix"Reporting::"ingeneratorsignaturedefinitionsallowsforeasierfilteringforthecategoryreporting/records.

TimeZoneConceptThefollowingappliestoWinHexandX-WaysForensicswhenoperatedwithaspecialistorforensiclicense.X-WaysForensicsemploysitsown,notWindows'logictoconvertUTCtimestampstoafreelychosentimezonefordisplayinthedirectorybrowser,inreporttablesandexportedlists.Itdisplaystimestampsindependentlyofthetimezoneselectedintheexaminer'ssystem'sControlPanel.ThedisplayoftimestampsinX-WaysForensicsmaydifferfromWindowsbecauseinWindowsatimestampindaylightsavingtimeisnotdisplayedbasedondaylightsavingtimeifdaylightsavingtimeisnotactivewhenlookingatthattimestamp.Whenworkingwithacase,thetimezoneselectedforthatcaseappliesgloballytotheentireprogram(selectableintheCaseProperties),otherwisetheoneselectedintheGeneralOptionsdialog.Whenworkingwithacase,optionallyitispossibletospecifydifferenttimezonesperevidenceobject,sothatyoucanalwaysseelocalfiletimesevenformediathatwereusedindifferenttimezones,ifpreferable.Notethatthetimestampsareconvertedfordisplayonly.Thatmeans,inarecursiveviewinthecaserootthatcoversmultiplemedia,sortingisbasedonabsoluteUTCtimestamps.Optionally,theactuallyusedconversionbiascanbedisplayedaswell(seedirectorybrowseroptions).TimestampsonFATvolumesareneverconvertedastheyarenotavailableinUTC,butbasedononeorseveralunknownlocaltimezones.TimestampsinfilesystemsthatstorethetimezoneexplicitlyareconvertedtoUTCinternallyandthenfordiplaypurposesfromUTCtoalocaltimezone.Thetimezonedefinitionscanbeadjusted,ifnecessary.Pleasenotethatchangingthesedefinitionsinanydialogwindowaffectsthedefinitionoftimezonesthroughouttheprogram.ThestandardWindowsconversiontechnique,whichdependsonthetimezoneselectedintheuser'ssystem'sControlPanel,isstillemployed...-inFile|Properties,wherethetimestampsoffilesontheuser'sownsystemcanbeaccessed/changed,-forthecaseloggingfeature,-generallywhenoperatedwithoutaspecialistorforensiclicense,and

-whenoperatedwithoutthefile"timezone.dat".Youcantellthateitherofthelattertwoistrueifthe"Displaytimezone"buttonintheGeneralOptionsdialogisgrayedoutornotvisible.

TemplateEditingAtemplateisadialogboxthatprovidesmeansforeditingcustomdatastructuresinamorecomfortableanderror-preventingwaythanrawhexeditingdoes.Editingisdoneisseparateeditboxes.ChangestakeeffectwhenpressingtheEnterkeyorwhenquittingthetemplateafterbeingprompted.Thedatamayoriginatefromafile,fromdisksectors,orfromvirtualmemory.Especiallywheneditingdatabases,youmayprefertodefineacustomtemplateforeaseofaccesstotherecords.Youwillfindthecommandtoprintatemplateinthesystemmenu.Atemplatedefinitionisstoredinatextfilewiththeextension.tpl.Thetemplateeditorenablesyoutowritetemplatedefinitionsandofferssyntaxchecking.Atemplatedefinitionmainlycontainsvariabledeclarations,thataresimilartothoseinsourcecodeofprogramminglanguages.Thesupporteddatatypesincludeallthecommoninteger,floating-pointandbooleanvariants,datetypes,hexvalues,binary,characters,andstringstype.Arraysofbothsinglevariablesandgroupsofvariablescanbeused.Theabilitytomovefreelyforwardsandbackwardswithinthedatamakesusingtemplatesparticularlyflexible:Thesamevariablemaybeinterpretedandmanipulatedinseveralways.Irrelevantdatasectionscanbeskipped.ThetemplatemanagerlistsalltextfilesintheWinHexdirectorythatcontaintemplatedefinitions.Thetitleofthetemplatealongwithadescription,thefilename,andthedateandtimeofthelastmodificationisshown.ClicktheApplybuttontodisplayatemplateusingtheselectedtemplatedefinitionforthedatainthecurrenteditorwindowatthecurrentposition.Youmayalsocreateanewtemplatedefinition,deleteoreditanexistingone.WinHexcomeswithseveraldemonstrationtemplates.

DataRecoveryTherearethreewayshowtorecoverdatausingWinHex.Allrequirethatyouopenthedisktorecoverfromwiththediskeditor.1)Filerecoverywiththedirectorybrowser:Younavigatetoadirectory(orexploretherootdirectoryrecursively),selectthefilestorecover,andusetheRecover/Copycommandinthecontextmenu.2)Automaticrecoveryoffilesofacertaintype(doesnotrequireahealthyfilesystem)3)ManualdatarecoveryImportant:Atanyrate,donotusethedrivethatyouwishtorecoverfromforwritingdataanymore!Youmayinadvertantlyoverwritelostfiles,makingthemunrecoverable.ThisincludesnotbootingWindowsfromsuchadriveanymore,asthisinvolvesnumerouswriteoperations.

Recover/CopyCommandinthecontextmenuofthedirectorybrowser.AllowstocopytheselectedfilesfromtheircurrentlocationtoalocationavailableforastandardWindowsfiledialog,e.g.outofaninterpretedimagefileorfromalocaldisk.Thiscanbeappliedtobothexistinganddeletedfilesanddirectories.Illegalfilenamecharactersarefilteredout.Ifnecessary,youcanmanuallyentertheoutputpathbyclickingthe"..."buttoninthesamelinewherethepathisdisplayed.UsefulifyouwishtospecifyanetworklocationthatWindowsdoesnotlistbydefaultinthedialogwindowforthepathselection.Ifyouenteranon-existingoutputpath,youwillbenotifiedandmayproceedanyway,inwhichcasethatpathwillbecreatedautomaticallyifpossible.Theunlabeledcheckboxnexttothe"..."buttoncanbeusedtoindicatethatyouwouldliketogetaWindowsExplorerwindowopenedfortheoutputpathoncecopyinghascompletedtocheckouttheresult.Numerousextrafeaturesareavailablewithaforensiclicense:Thecompleteoriginalpathcanoptionallyberecreatedintheoutputdirectory,oroptionally(ifhalfchecked)onlyapartialpath.Theevidenceobjectnamebecomespartoftherecreatedpath,too,ifyoueithercopyfromwithinthecaserootorifyoudonothaveX-WaysForensicsdefaulttotheevidenceobjectfolderastheoutputdirectory(seecaseproperties).Apartialpathisthepathstartingfromthecurrentlyexploreddirectory,orwhencopyingfromtherecursivelyexploredcaserootwindowonlytheevidenceobjectname,notthepathwithintheevidenceobject.Overlongpathsaresupported(morethan260,upto510characters,foroutputpath+optionaloriginalpath+originalfilename).Youcanstilllimitpathstotheordinarylengthof260charactersorlessifyouwouldnotbeabletoaccess(e.g.view,copyordelete)suchfilesotherwise(becauseordinarytoolsliketheWindowsExplorerdonotallowthat).Iftheoutputpathofaselectedfileexceedsthelimit,thenameoftheisshorteneduntilitfits.Ifshorteningthenamedoesnothelptostayunderthespecifiedpathlengthlimit,thefilenotcopied,butaddedtoareporttable,sothatyoucanconvenientlyselectalltheomittedfileslaterandcopythemseparatelywithoutoriginalpathifyoulike.

Itispossibletocreatea2ndcopyofallselectedfilesinaseparatedirectory.Usefulifyouneedtoprovidetwopartieswithcopiesofrelevantfilesandwishtosavetime.Theloggingoptionisforthe1stcopyonly,though.AnoptionexiststonameoutputfilesaftertheiruniqueID,whilepreservingthefilenameextension.Ifonlyhalfchecked,thefileswillnotbenamedpurelyaftertheuniqueID(+extension),instead,theuniqueIDwillbeinserted,betweenbasefilenameandfilenameextension,orprepended.Filesthatcouldnotbecopied(e.g.ifpathtoolong)areaddedtoareporttable.Theoriginaltimestamps(creation,modification,lastaccess,ifavailable)arere-appliedtotherecovered/copiedfiles.Unlessyouchoosetooverwriteorskipfileswithidenticalnamesthatexistintheoutputdirectory,duplicatefilenameswillbechangedtouniquefilenamesbyinsertingincrementingnumbersbeforetheextension.Soifyoucopyallfilestothesamedirectory,eventhosefromdifferentevidenceobject,alloutputfilenameswillbeunique(andthecopylogfileallowsyoutolaterfindoutwhichfilewasoriginallynamedhowandoriginatedfromwhereandwhichmetadataithad).Thepresumedcorrectfiletypeofnewlyidentifiedfiles,ifdifferentfromtheextensionintheoriginalfilenameorifthefilenamedoesnothaveanyextension,canoptionallybeappendedtotheoutputfilename.Thisoptionalsohasaneffectwhencopyingfilestoviewthemwiththeassociatedprogram.Whenworkingwithanactivecaseandifspecialloggingforthiscommandisenabled,thecopy/recoveryprocessisdocumentedinthefilecopylog.htmlor"copylog.txt".Allavailablemetadataandtheoutputfilename(optionallyincludingtargetpath)canberecorded.Thefilecanbecreatedeitherinthe_logsubdirectoryofthecaseorintheRecover/Copytargetfolder.Cf.alsoCaseProperties.Slackspacecanoptionallybeincludedintheoutput,eitheraspartofthefileorseparately,orsolelyslackcanbecopied.Youcanchoosewhethertoalsocopychildobjectsofselectedfilesornot.

Youcanalsochoosewhethertocopyfilesthatarefilteredout.IfyouhaveX-WaysForensicsrecreatetheoriginalpathforcopiedfiles,thehierarchicallocationoffilesthatarechildobjectsofotherfilesmustbereflectedappropriately,too.Andthatmusthappenwiththehelpofadirectory,becauseordinaryfilesystemsdonotsupporttheconceptthatafilecancontainfurtherfiles,asisnormalwithvolumesnapshotsinX-WaysForensics.However,therewouldbeanameconflictifanartificialdirectorywascreatedwiththesamenameastheparentfile,asthatparentfilemightbeselectedforcopyingaswell,andwouldofcoursebecreatedinthesamedirectoryastheaforementionedartificialdirectorythatisneededtoreflectthepathofthechildobject.Hencetheartificialdirectorymustbenamedslightlydifferently.Itcanbetruncatedafterauser-definednumberofcharacters,andthisisusefulinparticularfore-mailmessagesthatarenamedafterthesubjectlineandofcoursecancontainattachmentsaschildobjects,toavoidoverlongpaths.Alsoeitherasinglesuffixcharacterofyourchoicecanbeappended(andbydefaultthatisaspecialUnicodecharacterthatisinvisibleincompleteUnicodefonts,suchthatthedirectoryseemstohaveexactlythesamenameasthecorrespondingparentfile),orotherwisesomedescriptivewordslike"childobjects"areappendedtothename(butthatunfortunatelyincreasesthetotalpathlength,whichalltoooftenexceedscommonlimits).Iftheeditboxforthesuffixcharacterseemstobeblank,thatismostlikelybecausetheaforementionedinvisibleUnicodecharacterisinthere.Ithasawidthof0.Toreplaceitwithanyothercharacter,removetheinvisiblecharacterfirst,byclickingintheeditboxandhittingthebackspacekeyonyourkeyboard.ExistinganddeletedobjectscanbegroupedtogetherinseparateoutputdirectoriesnamedExandDel.Furthergrouping/classificationofcopiedfilesinseparatedirectoriesbasedonuptotwoselecteddirectorybrowsercolumnsissupported:description,filetype,filetypedescription,filetypecategory,sender,owner,hashset,hashcategory,reporttableassociations,searchterms.Ifbothanattachmentandthecorrespondinge-mailmessage(itsparent)areselectedforcopyingandnotexcludedbyfilters,theattachmentcanoptionallybeembeddedintheresultingoutput.emlfileasBase64codeinsteadofcopiedseparately.Thatfacilitatesviewingthecompletee-mailincludingattachments.

Toview.emlfilesyoucanuseOutlookExpress,WindowsMail,WindowsLiveMailorThunderbird(allfreeofcharge).Ifcertainattachmentscannotbeembedded,youwillbeinformedviatheMessageswindow,andinsuchacasetheywillbecopiedseparately,asiftheembeddingoptionwasnotselected.NTFSalternativedatastreams(ADS)canoptionallybeoutputasADS.Bydefault,theyarerecreatedasordinaryfiles,tomakethemmoreeasilyaccessible.X-WaysForensicscantrytoencodezeroedoutareasinafileassparsewhenwritingthedata.Thiswillhaveaneffectonlyifthezeroedareasaresomewhatalignedandsufficientlylarge,andofcourseonlywhenwritingtoanNTFSorReFSvolume,notFAT.Worksnomatterwhetherthesourcefileisdefinedassparseornot.Thisoptionwillreducethedatatransferrateandisonlyrecommendableifyouknowthatthedatathatyouarecopyingisprobablysuitable.Youmayusethealternativenamesoffiles,ifavailable,fortheoutput.Thealternativename,ifoneexists,canbeseeninthedirectorybrowserinsquarebrackets.Forexample,whenparsingiPhonebackups,X-WaysForensicsautomaticallychangesartificialgenericfilenamesbacktowhattheywereoriginally.Or,whenparsing$IfilesfromtheWindowsrecyclebin,thecorresponding$Rfilesaregiventheiroriginalnames.Ifforsomereasonyouprefertheuntranslatedfilenameswhencopyingsuchfilesofftheimagetoyourownharddisk,forexamplebecauseyouwishtoprocessthesefileswithsomeexternaltoolthatexpectstheartificialfilenames,thenyoucannowusethisoption.WhenusingtheRecover/Copycommandinsearchhitlists,directoriesthatcontainhitsarerecreatedintheoutputfolderasfiles,astheuserlikelywishestoretaintheoriginaldatathatcontaintheactualsearchhit.Childobjectsarenevercopiedalongwiththeirparentobjectsfromwithinasearchhitlist.

DuplicateFileDetectionIfyouwishtoreviewfileswithabsolutelyidenticaldataonlyonceandiffilenames,timestamps,deletionstatusandotherfilesystemlevelmetadataareofsecondaryimportance,thenyoucanusethecommand"Findduplicatesinlist"inthedirectorybrowsercontextmenutoidentifyduplicatefiles,basedonhashvalues(ifcomputed)orothercriteria.Allthecurrentlylistedfilesarechecked(listed,notselected!).Ifsodesired,theduplicatescanbeautomaticallyexcludedinthevolumesnapshot.Onlyonefileineachgroupofidenticalfileswillnotbeexcluded.Eachgroupofidenticalfilescanoptionallybeassignedtoauniquereporttable,whichmakesiteasytouseafiltertoseeallthemembersofagivengroup,eveniftheyarecontainedindifferentevidenceobjects.Whenindoubtwhichduplicatetoexclude,thisfunctionchoosestokeepexisting(notdeleted)files,andamongdeletedfilesratherdiscardscarvedfilesandkeepsfilesfoundviafilesystemdatastructures.Andwhenindoubt,itpreferstokeepthecopyofafilewhoseownerisknown.Optionalspecialrules:Identicale-mailmessageswithdifferentattachments(childobjects)willbemarkedasduplicates,butnotexcluded.Identicalattachments(childobjects)willbemarkedasduplicates,buttheywillbeexcludedonlyindirectlyiftheyarepartofidenticale-mailmessagesandthoseareexcluded,too.Thisfacilitatestheexaminationandalsoavoidsasituationwheretheparent(e-mailmessage)ofonee-mail+attachmentfamilyandthechildobject(attachment)ofanotherfamilyisexcluded.Iflateryoufindrelevantfilesforwhichtherewereduplicatesandyouareinterestedintheduplicates,too(wishtoseetheirtheirfilenames,paths,ortimestampsetc.),youcouldforexamplecreateahashsetofthatfilestoconvenientlyandautomaticallyidentifyalltheduplicates,bymatchingthehashvaluesofallfilesagainstthatparticularhashsetandusingthehashsetfilter,oryoucouldusetheHashcolumnfilterdirectly.Pairsofduplicatesinthesamevolumesnapshotcanbeoptionallylinkedasso-calledrelateditems,sothatit'seasytonavigatefromonesuchfiletoatleastoneduplicate.However,thatdoesnotworkacrossevidenceobjectboundaries.MarkingthefilesasduplicatesintheDescriptioncolumnisoptional.Alternatively,youmayexcludefilessimplybasedonidenticalnamesinsteadof

identicalhashvalues.Thisisacase-insensitivecomparisonandofcourseshouldbeusedonlyifyouknowwhatyouaredoing,asitdoesnotcomparethefilecontentsatall.Couldbeusefulforexampleifyouwishtogetridofmultiplecopiesofthesamefilesfoundinbackupsifyoudonotneedtokeepdifferentversionsofthesefiles.Ifpriortothecomparisonforexampleyousortbylastmodificationdateindescendingorder,thiswillensurethatthenewestversionofthefilewillbekeptandallolderversionswillbeexcluded.FileswithidenticalnamesarenotmarkedasduplicatesintheAttr.column.IfyouhaveaccesstoPhotoDNAinX-WaysForensics,youmayalsoidentifyandexcludeduplicatepicturesusingPhotoDNA.Allduplicateswillbemarkedas"duplicatesfound"intheAttr.column,andallexceptonewillbeexcluded.Whenindoubt,deletedfilesorpictureswithapoorresolutionwillbeexcludedandexistingfilesandpictureswithahigherresolutionwillbekept.Pleasenotethatthehashvaluecomparisonisapotentiallytime-consumingoperationifmanypicturesarelistedinthedirectorybrowser,muchmoresothanforconventionalhashvalues.However,youcanabortthecomparisonatanytime.ThisoperationrequiresthatPhotoDNAhashvalueshavebeencomputedbeforehand,usingSpecialist|RefineVolumeSnapshot|Pictureprocessing|ComputePhotoDNAhashvalues.ItisusefulforexampleforlawenforcementagenciesthatwishcreatePhotoDNAhashsetsofuniquepicturesonlyandforthatpurposemaintainalawfulcollectionofincriminatingpictureswithoutduplicates.ThestrictnessofthepicturecomparisonisthesameassetintheSpecialist|RefineVolumeSnapshot|PictureprocessingdialogwindowformatchingagainstthePhotoDNAhashdatabase.

SurrogatePatternsIftheprogramhastroublereadingdataforDisk/Partition/VolumeorFile/Previewmodeorforsearches,hashing,imaging,etc.etc.,thequestionisdataitshouldpresenttotherequester.Forreaderrorsatdifferentlevelsitusesdifferentsurrogate/substitutestrings(presettexts),manyofwhichbythewayarelanguagedependent.Thesestringsarerepeatedlycopiedintothereadbufferuntilitisfull,formingarecurringpatternthatiseasytospotvisuallyifshownonthescreenandthatshouldhopefulyeasilycatchtheuser'sattentionandmakehimorherimmediatelyawareoftheproblem.1)"UNABLETOREADFILE"forexamplemeansthatatleastcertainportions/segments/extentsofafilecannotreadbecausethefilesystemdoesnotdefinewheretofindthemorbecauseitdoesbutthatdefinitionisinvalidorbecauseitdoesbutX-WaysForensicsdoesnotunderstandit.Example:Thefilesystemdefinesthatafileconsistsof6clustersstartingatcluster1000inthevolumeand4clustersstartingatcluster55,555inthevolume.Onepossiblereasonfor"UNABLETOREADFILE"inthisexamplewouldbethatthevolumeconsistsof40,000clustersonly.Thefirst6clustersofthefilecanberead,butthelast4clustersofthefilecannotberead,simplybecausethereisnocluster55,555thatcouldberead.Ifthisconcernsanexistingfile,itissomekindoffilesystemcorruptionorvolumeinconsistency.Couldhappenifsomethingwentwrongwhenavolumewasshrunk,orifit'saspannedvolumecoveringmultipledisksofwhichonlythefirstsegmentisavailabletreatedasifitwastheentirevolume.Anotherpossiblereasonfor"UNABLETOREADFILE"wouldbethatX-WaysForensicswasabletoreconstructapreviouslyexistingfilepartiallyonly.Thesizemaybeknownfrom$LogFileoravolumeshadowcopy,andthefirstfewclustersofthefilemaybeknownfromthesource,butthewhereaboutsoftheremainingclustersmaybeunknown.Anotherpossiblereasonfor"UNABLETOREADFILE"ifit'sacompressedfileinafilearchivewouldbethatthefilearchiveiscorruptsothatthecontainedcompressedfilecannotbereadcompletelyanymoreIfit'safilesystemproblem,thenyoucanfindmoremorepreciselywhatisgoingonbylookingatthefilesystemdatastructuresthatdefinethevolume.Userscan

usuallyeasilylocatethemin2secondsviaarightclickonthefile,Navigation|Seek[nameofthedatastructure].2)"BADEVIDENCEFILE!"referstoaprobleminanimagein.e01evidencefileformat.Apossiblereasontoseethatpatternwouldbethattherequestedsectoriscontainedinthe2ndhalfofacompressedchunk(alsocalledblock)inwhichafewbitsflippedsothatonlyroughlythefirsthalfcouldbesuccessfullydecompressed.3)"UNREADABLESECTOR"isapatternthatisdefinedinOptions|General,whichisalwaysusedinsteadoftheoriginaldatastoredindisksectorsifthesesectorscannotberead,forallpurposes(displayonthescreen,imaging,cloning,hashing,searching,...).Ifyouaregoingtohashdiskswithbadsectorsandwanttocompare/reproducetheresultswithothertools,thenyoucanspecifythesamepatternasusedbytheothertoolhere.Justnotethatsuchhashvaluesaredifficulttoreproducebecausebadsectorscouldmultiplyinthecourseofseveralattempts.Ifwhentryingtoreadbadsectorsyouprefertogetzero-valuebytesdeliveredback,totallyremovethepattern(ensurethattheeditboxiscompletelyblank).Ifyoukeepthepattern,itwillmakeitmucheasiertotellwhichsectorscouldbereadandwhichsectorscouldnotbe,ontheoriginalharddiskdirectly,andthatisalsothecasewhenyoulookatthesamesectorsinanimageofthatharddisk,providedthatthepatternwasactiveatthemomentwhentheimagewascreatedwithX-WaysForensics.AbadsectoronaharddiskisforexampleonewhoseinternalCRCdoesnotmatchthepayloaddatainthatsectoranymore.4)Othersurrogatepatternsare"MISSINGIMAGEFILESEGMENT!","PASTENDOFIMG",and"UNREADABLEPAGE",allofwhichshouldbebasicallyself-explanatory.("Page"referstoamemorypage.)

ReconstructRAIDSystemMenucommandintheSpecialistmenu.WinHexandX-WaysForensicscaninternallydestripeRAIDlevel0,5,5EEand6systemsaswellasJBODconsistingofupto16components.ThecomponentsmaybephysicalharddisksorimagesofphysicaldisksforhardwareRAIDs,orpartitionsforLinuxsoftwareRAIDs.Componentsthatareavailableasimagesneedtobeopenedandinterpretedbeforeyouusethisfunction.ComponentsthatarepartitionsneedtobeopenedfirstbeforetheRAIDreconstructioncantakeplace.Youneedtoselectthecomponentsinthecorrectorder.WinHexletsyouspecifythestripsizeinsectors(often128oratleastapowerof2like32,64,256)anddifferentRAIDheadersizespercomponent(oftensimply0).ThestripsizemultipliedbythenumberofRAIDcomponentdisksgivestheso-calledstripesize,i.e.awholerow.TheheaderisareservedareaatthestartofacomponentdiskthatsomeRAIDcontrollerssetasidefortheirprivatedataandthusmustbeexcludedfromthereconstruction.Ifthereareafewreservedsectorsattheendofacomponentdisk,asisnotuncommonforJBOD,priortothereconstructionyouwouldspecifythenumberofactuallyusedsectorsplusheadersizeforeachcomponentviaTools|DiskTools|SetDiskParametersasthe"Sectorcount".Youcanusuallytellthateitherthecomponentorder,thestripsize,thestripepattern,ortheRAIDheadersizewasselectedincorrectlywhennopartitionsaredetectedorpartitionswithunknownfilesystemsorwithfilesystemsthatcannotbeinterpretedproperly.WhenyouaddareconstructedRAIDsystemtoacase(andoptionallypartitionsopenedfromsuchaRAIDsystem),theselectedRAIDconfigurationparametersaresavedwiththeevidenceobject,whichallowstoaccesstheRAIDsysteminstantlyinlatersessions(forensiclicensesonly).InRAIDlevel5and6,dataisnotonlystripedacrossallcomponentdisksinarotatingpattern,butalsointerspersedwithparityblocksforredundancy.RAIDlevel5and6areimplementedindifferentwaysbydifferentRAIDcontroller

manufacturersinthattheyemploydifferentstripe/paritypatterns.Thesupportedpatternsarethefollowing:Level5:BackwardParityakaLeftAsynchronous(Adaptec)Component1:13PComponent2:2P5Component3:P46Level5:BackwardDynamicParityakaLeftSynchronous(AMIandLinuxstandard)Component1:159PComponent2:26P10Component3:3P711Component4:P4812Level5:BackwardDelayedParity(HP/Compaq)Component1:13579111315Component2:2468PPPPComponent3:PPPP10121416Level5:ForwardParity(akaRightAsynchronous)Component1:P35Component2:1P6Component3:24PLevel5:ForwardDynamicParity(akaRightSynchronous)Component1:P6810Component2:1P911Component3:24P12Component4:357PLevel5:ForwardDelayedParityLevel5:ForwardDynamicDelayedParity(CRU/Dataport)Level5EE:BackwardParity(Adaptec)Component1:13SPComponent2:2SP7Component3:SP58Component4:P46S(S=spare)

Level5EE:ForwardParityComponent1:1PS7Component2:23PSComponent3:S45PComponent4:PS68Level6:BackwardParity(Adaptec/JetStor)Component1:13PQComponent2:2PQ7Component3:PQ58Component4:Q46PLevel6:BackwardDynamicParityComponent1:14PQComponent2:2PQ7Component3:PQ58Component4:Q36PLevel6:ForwardDelayedParityLevel6:ForwardParityTheparitystartcomponentcanbedefineddifferentlyifnecessary,formanyRAIDvariants.Tostickwiththeselectstandardpattern,leavethatvalueat0.Inordertodefineanon-standardparitystartcomponent,specifythenumberofthecomponentwheretheparityislocatedfirst(1-based).ThedelaywiththattheparitymovesonHP/Compaqcontrollersismostoften4or16,butfreelyconfigurable.IfoneoftheRAIDcomponentdisksisnotavailable,youcanreconstructaRAID5systemnonethelessbecauseonecomponentisredundant.Simplyselectadummysubstitute(oneoftheother,availablecomponentsofthesameRAIDsystem)asthemissingcomponentanddeclarethatcomponent"missing"!RAID5EEandRAID6canalsobeinternallyreconstructedifonecomponentismissing.SupportforsoftwareRAIDs

LinuxMDRAIDcontainerpartitionsareautomaticallyrecognizedassuch.Theyarerepresentedastwodistinctitems:AstaticheaderareathatcontainsmetadataabouttheRAIDingeneralandthefollowingcomponentinparticular,usuallyatrelativeoffset4096,andanexplorablepartitionthatservesastheRAIDcomponent.IncaseofRAIDlevel1thatexplorablepartitioncontainsafullyself-containedvolumewhosefilesystemcanbeparsednormally(withoutanyreconstructioneffort)ifsupported.IncaseofotherRAIDlevels,thereconstructioncanbeaccomplishedwiththeSpecialist|ReconstructRAIDcommand,andsomehintsonthecorrectreconstructionparametersareshownascommentsattachedtotheheaderareaitem.NotethatyouneedtoopenalltherelevantpartitionsfirstsothattheyareofferedforselectionasthecomponentsoftheRAID.Theresultofthereconstructionwillbeasinglevolume,whichisrepresentedasencompassedinavirtualphysicaldisk.TheRAIDcomponentshavetoremaininthecaseasevidenceobjectsforinternalreasons,toallowtore-openthereconstructedRAIDwithasinglemouse-clicklater.Windowsstoragepoolcontainerpartitionsarealsoautomaticallyrecognizedassuch,anditispossibletoproperlyopenpartitionswhosesectorssizeisamultipleofthesectorsizeoftheunderlyingphysicaldisk.ThisisimportantforexampleforWindowsstoragespacepartitionsinWindowsstoragespacepooldisks.Thesepartitionsanddiskshaveasimulatedsectorsizeof4KBeveniftheyresideonphysicaldiskswithasectorsizeof512bytes.ThesearchforlostpartitionscanfindNTFSstoragespacepartitionswithinstoragespacecontainerpartitionsdespitesectorsizediscrepancies,whichisausefulwork-aroundforsimplesingle-diskstoragespaces.

Endian-nessMicroprocessorsdifferinthepositionoftheleastsignificantbyte:Intel®,MIPS®,NationalSemiconductor,andVAXprocessorshavetheleastsignificantbytefirst.Amulti-bytevalueisstoredinmemoryfromthelowestbyte(the"littleend")tothehighestbyte.Forexample,thehexadecimalvalue12345678isstoredas78563412.Thisiscalledthelittle-endianformat.MotorolaandSparcprocessorshavetheleastsignificantbytelast.Amulti-bytevalueisstoredinmemoryfromthehighestbyte(the"bigend")tothelowestbyte.Forexample,thehexadecimalvalue12345678isstoredas12345678.Thisiscalledthebig-endianformat.

MasterBootRecordTheMasterBootRecordislocatedatthephysicalbeginningofaharddisk,editableusingtheDiskEditor.Itconsistsofamasterbootstraploadercode(446bytes)andfoursubsequent,identicallystructuredpartitionrecords.Finally,thehexadecimalsignature55AAcompletesavalidMasterBootRecord.Theformatofapartitionrecordisasfollows:Offset Size Description0 8bit Avalueof80designatesanactivepartition.1 8bit Partitionstarthead2 8bit Partitionstartsector(bits0-5)3 8bit Partitionstarttrack(bits8,9instartsectoras

bits6,7)4 8bit Operatingsystemindicator,seebelow5 8bit Partitionendhead6 8bit Partitionendsector(bits0-5)7 8bit Partitionendtrack(bits8,9in endsectoras

bits6,7)8 32

bitSectorsprecedingpartition

C 32bit

Lengthofpartitioninsectors

Operatingsystemindicators:(hexadecimal,incompletelist)00 Emptypartition-tableentry01 DOS12-bitFAT04 DOS16-bitFAT(upto32M)05 DOS3.3+extendedpartition06 DOS3.31+LargeFileSystem(16-bitFAT,over32M)07 WindowsNTNTFS,OS/2HPFS,AdvancedUnix

08 OS/2v1.0-1.3,AIXbootablepartition,SplitDrive09 AIXdatapartition0A OS/2BootManager0B Windows95with32-bitFAT0C Windows 95 with 32-bit FAT (using LBA-mode INT 13

extensions)0E Logical-block-addressable VFAT (same as 06, but using

LBA-modeINT13)0F Logical-block-addressable VFAT (same as 05, but using

LBA-modeINT13)17 HiddenNTFSpartition1B HiddenWindows95FAT32partition1C HiddenWindows95FAT32partition(usingLBA-modeINT

13extensions)1E HiddenLBAVFATpartition42 Dynamicdiskvolume50 OnTrackDiskManager,read-onlypartition51 OnTrackDiskManager,read/writepartition81 Linux82 LinuxSwappartition,Solaris(Unix)83 Linuxnativefilesystem(ext2fs/xiafs)84 Hibernationpartition85 LinuxEXT86 FAT16volume/stripeset(WindowsNT)87 HPFS fault-tolerant mirrored partition, NTFS volume/stripe

setA0 LaptophibernationpartitionBE SolarisbootpartitionC0 DR-DOS/NovellDOSsecuredpartitionC6 CorruptedFAT16volume/stripeset(WindowsNT)C7 CorruptedNTFSvolume/stripesetDE DELLOEMpartitionF2 DOS3.3+secondarypartition

FE IBMOEMpartition

SearchOptionsCasesensitive:Ifasearchiscase-sensitive,thatmeansthatupperandlowercasecharactersaredistinguishedande.g.OptionwithacapitalOisnotfoundinthewordoptionally.Byuncheckingthecheckbox,yousearchforallupper-case/lower-casevariantsofthesearchterms.SearchesarefullycaseinsensitiveonlywiththeSimultaneousSearch,withtheFindTextcommandonlyforlettersfromtheLatin/EnglishalphabetandGermanumlauts.IntheSimultaneousSearchyoumayusecase-sensitiveandnon-case-sensitivesearchtermsatthesametimeiftheMatchcaseoptionishalfselected.Inthatcaseyoumayprependsearchtermswithcase:tomarkthemascase-sensitive.Unicode:ThespecifiedtextissearchedinUTF-16LittleEndian.ThesimultaneoussearchallowstosearchforthesametextatthesametimeinUnicodeandinothercodepages.Youmayspecifyawildcard(onecharacteroratwo-digithexvalue),whichrepresentsonebyte.Forexamplethisoptioncanbeusedtofind"Speck"aswellas"Spock"whensearchingfor"Sp?ck"withthequestionmarkasthewildcard.Onlywholewords:Thesearchtermisfoundonlyifitoccursasawholeword,i.e.ifdelimitedfromotherwordsbyanycharacterotherthana...z,A..ZandGermanandFrenchletters(e.g.bypunctuationmarks,blanks,binarycontrolcodes,digits).Ifthisoptionisenabled,forexample"tomato"isnotfoundin"automaton".ReliabletoreducethenumberofhitsforEnglish,German,andFrenchtextonly.InaSimultaneousSearcheitherallsearchtermsaresearchedaswholewordsoronlythosethatareindented(prependedwithatabcharacter)ornone,dependingonthestateofthecorrespondingcheckbox.Ifyouwishtocombinetheindentionforasearchasawholewordwiththe"case:"prefixforcasesensitivity,enterthe"case:"prefixfirstandtheninsertthetabcharacterfortheindention.ForaSimultaneousSearchyoumaycustomizethewordboundarydetectionforlanguagesthatutilizetheLatin1codepage,i.e.makeitmorestrict(forlesssearchhits)ormorerelaxed(formoresearchhits),bydefiningthealphabetofcharactersthatareconsideredletters(i.e.charactersbelongingtowords)asopposedtonon-wordcharacters.Awordcharacterfollowedbyanon-wordcharacterortheotherwayaroundisconsideredawordboundary.Therearethree

easy-to-usepre-definedsettings.Thesettingforthemostthoroughsearchresultsisthedefault.Usersthatareoverwhelmedbygarbagehitsforshortkeywordsinnon-textdatasuchasBase64orbinarygarbagemaywanttotrytheothertwooptions.Theseothertwooptionscouldleadtovalidsearchhitsbeingmissedinsomeconstellations(dependsonthefileformat),butcanstillbejustifiableasagreattimesaverforsearchesintextdocuments,e.g.ratherinelectronicdiscovery,rathernotincomputerforensics.Formoreexplanationandanexampleofhowthewholewordsoptionworks,pleasereadon:Awordboundaryisaboundarybetweentwoconsecutivecharactersofwhichonecharacterisawordcharacterandtheothercharacterisnotawordcharacter.Iftwoconsecutivecharactersarebothwordcharacters(e.g."ns"),thenobviouslythe"s"doesnotstartanewwholeword,andthe"n"cannotbetheendofawholeword.Itcanbesomewhereinthemiddleofawholeword(e.g."mansion"),butinbetweenthesetwocharacters"ns"thereisdefinitelynowordboundary.Ifbothcharactersarenon-wordcharacters(e.g."!",exclamationmarkfollowedbyaspace),thenobviouslythepositionbetweenthetwoisnotawordboundaryeither.Theexclamationmarkcannotbetheendofaword(cannotoccuranywherewithinaword),andthespacecannotbethestartofaword(cannotoccuranywherewithinawordeither,excludingcompoundwords).Ifyouaresearchingfor"man"asawholewordwithin"ourmansion",thenXWFwillprovisionally/internallyfind"man",andthenfirstcheckwhetherthecharacterbeforethe"m"isawordcharacter.Thatcharacterisaspace.Aspacecharacterisnotawordcharacter.Thenitalsocheckswhether"m"isawordcharacteraccordingtothealphabet.Itis.Thatmeansthereisawordboundarybeforethe"m".NextXWFneedstocheckwhether"n"and"s"arewordcharacters.Bothare.Thatmeansthatafterthe"n"thereisnowordboundary.Hencethethreeletters"man"within"mansion"arenotconsideredawholewordoccurrenceof"man".ThewholewordsonlyrestrictionoftheSimultaneousSearchisnotappliedtosearchhitsthatarenotwordsaccordingtotheuser'sselectedalphabetdefinition(checkingonlythefirstandthelastcharacterinthesearchhit).Forexampleifyouaresearchingfor"LOL!!",thenthiscannotpossiblybeawholewordbecausetheexclamationmarkisnotaletterandthusnotcontainedinthedefinedalphabet(well,unlessyouhaveaddedtheexclamationmarktoitmanually).However,theGREPwordboundaryindicator\bisstillappliedinsuchacase,forexampletobeabletosearchforcertaindatainbetweenwords,datathatisnotconsideredaworditself.

InadditiontothealphabetofcharactersfortheLatin1codepage(forallWesternEuropeanlanguages),anoptionaladditionalalphabetcanbedefinedforlettersofanotherlanguage.Ifactivated,itisusedforsearchesinUTF-16andsearchesinregionalANSI/OEM/IBM/ISO/Maccodepageswithonly1bytecharactersuchasforCyrillic,Greek,Turkish,Arabic,Hebrew,Vietnamese,andvariousCentral/Eastern/SouthEasternEuropeanlanguages.TheCyrillicalphabetispredefined.Searchdirection:DecidewhetherWinHexshallsearchfromthebeginningtotheend,ordownwardsorupwardsfromthecurrentposition.Condition:Offsetmodulox=y:Thesearchalgorithmacceptssearchstringoccurrencesonlyatoffsetsthatmeetthegivenrequirements.E.g.ifyousearchfordatathattypicallyoccursatthe10thbyteofaharddisksector,youmayspecifyx=512,y=10.IfyouarelookingforDWORD-aligneddata,youmayusex=4,y=0tonarrowdownthenumberofhits.Searchinblockonly:Thesearchoperationislimitedtothecurrentblock.Searchinallopenwindows:Thesearchoperationisappliedtoallopeneditwindows.PressF4tocontinuethesearchinthenextwindow.If"Searchinblockonly"isenabledatthesametime,thesearchoperationislimitedtothecurrentblockineachwindow.Countoccurrences/Listsearchhits:CausesWinHexnottojumptoeachsingleoccurrence,buttocountorlistthem.Searchfor"non-matches":In"FindHexValues"youmayspecifyasinglehexvaluewithanexclamationmarkasaprefix(e.g.!00)tomakeWinHexstopwhenitencountersthefirstbytevaluethatdiffers.OptionsandadvantagesofthelogicalsearchGREPsyntax:SearchoptionavailablewiththeSimultaneousSearchonly.Regularexpressionsareapowerfulsearchtool.Asingleregularexpressionmaymatchmanydifferentwords.EitherallsearchtermsareconsideredGREPexpressionsoronlythoseprependedwith"grep:"ornone,dependingonthestateofthecorrespondingcheckbox.Youmayprependasearchtermwithboth

"case:"(seeabove)and"grep:"inthatorder.Thefollowingcharactershaveaspecialmeaninginregularexpressions,asexplainedbelow:()[]{}|\.#+?.Wherethesespecialcharactersaretobetakenliterally,youneedtoprefixthemwithabackslashcharacter(\).The|operatorisusedtodenotealternativematches.Youcanusetheregularexpressioncar(wheel|tire)tosearchforthewords"carwheel"and"cartire".Anymatchmustequalthepartsbefore,after,orbetweenany|operatorspresent.Theeffectof|isonlylimitedbyparentheses..and#arewildcards:.matchesanycharacter,#matchesanynumericcharacter.Youcandefinesetsofcharacterswiththehelpofsquarebrackets:[xyz]willmatchanyofthecharactersx,y,z.[^xyz]willmatchanycharacterexceptx,y,orz.Youcandefinerangesofcharactersusingadash:[a-z]matchesanylower-caseletter.[^a-z]matchesallcharactersexceptlower-caseletters.Thelistingmaycompriseindividuallylistedcharactersandrangesatthesametime:[aceg-loq]matchesa,c,e,g,h,i,j,k,l,o,andq.Allcharactersexcept[,],-,and\aretakenliterallybetweensquarebrackets,eventhewildcardcharacters.and#.\bstandsforthestartorendofaword,i.e.theboundarybetweenawordcharacterandanon-wordcharacter.Whichcharacters/lettersareconsideredwordcharactersbytheSimultaneousSearchisuser-defined.Thestartandendofafilealsocountaswordboundaries.\bisonlysupportedatthestartand/orattheendofthesearchterm,andnotinconjunctionwith|.\b,^,and$anchorsonlyworkonlywhensearchinginevidenceobjectsofacase,andnotforindexsearches.BytevaluesthatcorrespondtoASCIIcharactersthatcannotbeeasilyproducedwithakeyboardcanbespecifiedindecimalorhexadecimalnotation:Forexample,\032and\x20arebothequivalenttothespacecharacterintheASCIIcharacterset.Thiskindofnotationissupportedeveninbetweensquarebrackets.E.g.[\000-\x1f]matchesnon-printableASCIIcharacters.Multipliercharacters(*,+,and?)indicatethattheprecedingcharacter(s)mayormustoccurmorethanonce(seebelow).Complexexample:a(b|cd|e[f-h]i)*jmatchesaj,abj,acdj,aefij,aegij,aehij,abcdj,andabefij.Within[]brackets,thecharacters.*+?{}()|arenottreatedasspecialcharacters,butliterally.

Briefoverviewofsupportedsyntaxfeatures(everythingelseisinterpretedliterally).Aperiodmatchesanysinglecharacter.#Apoundsignmatchesanynumericcharacter[0-9].\nnnAbytevaluespecifiedwiththreedecimaldigits(\000...\255).\xnnAbytevaluespecifiedwithtwohexadecimaldigits(\x00...\xFF).Forexample,\x0D\x0AisaWindowslinebreak.\unnnnAUnicodevaluespecifiedwithfourhexadecimaldigits.Dependingontheselectedcodepage(s),correspondstodifferentbytevalues.?Matchesoneorzerooccurrencesoftheprecedingcharacterorset.*Matchesanynumberofoccurrencesoftheprecedingcharacter,includingzerotime.+Aplussignafteracharactermatchesanynumberofoccurrencesofthatcharacterexceptzero.[XYZ]Charactersinbracketsmatchanyonecharacterthatappearsinthebrackets.[^XYZ]AcircumflexatthestartofthestringinbracketsmeansNOT.[A-Z]Adashwithinthebracketssignifiesarangeofcharacters.\IndicatesthatthefollowingspecialGREPcharacteristobetreatedliterally.{X,Y}RepeatstheprecedingcharacterorgroupofcharactersX-Ytimes.(ab)Functionslikeaparenthesisinamathematicalexpression.Groupsabtogetherfor+,?,*,|and{}.a|bThepipeactsasalogicalOR.Soitwouldread"aorb".\bMatchesawordboundary.^Matchesthestartofafile.$Matchesthelogicalorphysicalendofafile,dependingonthesearchoptions.GREPExamplesE-mailaddresses[a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}(the+beforethe@issupportedinGmailaddresses)Internetaddressesstartingwithhttp://,https://,ftp://

[a-zA-Z]+://[a-zA-Z0-9/_\?$&=\-\.]+VisaandMastercardcreditcardnumbers[^#a-z][45]###############[^#a-z][45]###-####-####-####[45]###############(ideallycheckresultsviaanX-TensionwiththeLuhnalgorithmtoreducethenumberoffalsehitsandsearchwithout[^#a-z])SearchMenuReplaceOptionsTechnicalHintsAllowoverlappinghits:IfyouuseGREPsyntaxtosearchforsearchhitsofvariablelength,multiplevalidhitsatthesamelocationmaybetheresult.Ifyousearchforexamplefore-mailaddresses,andthesearchalgorithmisfedwiththecharactersequence"mail@x-ways.com",thenitwilldeterminethatthecharactersfromthe"m"in"mail"matchtheGREPexpressionanditwillrecordahit.Afterthat,itproceedswiththe"a"in"mail"andrealizes,thatail@x-ways.comfitsthebillaswell,andsodoil@x-ways.comandl@x-ways.com.Allofthesemightbevalide-mailaddresses.Sothesearchalgorithmisentirelyright,buttypicallyusersdonotwishtoseethoseadditionalhits.Soifyoudonotallowforoverlappinghits,newhitsarerecordedonlyafterthe"m"in".com".Notallowingoverlappinghitsmeanstoexclusivelyassignthecharacterscoveredbyahittothathitandnottopotentialotherhitsanymore.Searchwindow,proximitysearchesTheGREPsearchwindowwidthis128bytesbydefault.Thatmeansitisnotguaranteedthatwithavariable-lengthGREPsearchterm(i.e.using{+syntax)youcanfinddatathatislongerthan128bytes.Youmayincreasethesearchwindowwidthifyouneedtocovermorethanthat.Thisisneededforexampleforproximitysearches.Ifyourequirethatadocumentcontainstwosearchtermsatthesametime,andthatthesearchtermsshouldoccurclosetooneanother,youcouldsearchforthesesearchtermswithtwoGREPexpressionsandspecifythemaximumdistanceallowedbetweenthemasthesecondparameterinthebraces:

keyword1.{0,maxdistance}keyword2keyword2.{0,maxdistance}keyword1Thesearchwindowwidthinbytesrequiredwhensearchingwithan8-bitcharactersetisthesumofmaxdistance,length(keyword1)andlength(keyword2).PleasenotethatthepreferredmethodtofindtwosearchtermsneartoeachotheristheNEARcombinationinthesearchtermlist,whentwosearchtermsarealreadycombinedwithalogicalAND,aftertheyhavebeensearchedforseparately.

BackupManagerDisplaysalistofpreviouslycreatedWinHexbackups.Theitemscanbelistedinachronologicaloralphabeticalorder.Choosethebackupyouwouldliketorestore.Whenthatfunctioncompletes,theoriginalfileorsectorcontentsisshown.Youcanrestorethebackupintoatemporaryfilefirstsuchthatyouwillstillneedtosaveit,directlyandimmediatelytothedisk,ortoanewfile.Inthecaseofdisksectorsyoumayalsowishtospecifyadifferentdestinationdiskoradifferentdestinationsectornumber.Itisalsopossibletoonlyextractasubsetofthesectorsfromthebackup.(However,sectorsatthebeginningofacompressedbackupcannotbeleftoutduringrestoration.)Ifthebackupwassavedwithachecksumand/oradigest,dataauthenticityisverifiedbeforethesectorswillbedirectlywrittentothedisk.Thebackupmanageralsoallowstodeletebackupswhichyoudonotneedanylonger.BackupsthatwerecreatedforinternalusebytheUndocommandcanbedeletedbyWinHexautomatically(cf.UndoOptions).BackupfilesthataremaintainedbytheBackupManagerarelocatedinthefolderspecifiedintheGeneralOptionsdialog.Theirfilenamesare"xxx.whx"wherexxxisauniquethree-digitidentificationnumber.Thisnumberisdisplayedinthelastcolumnofthebackupmanagerlist.AcompletedocumentationoftheWHXfileformatisavailablefromtheWinHexHomepagehttp://www.winhex.com.

PrintingUsethe"print"commandoftheFilemenutoprintafile,disksectorsorRAMcontents.Definetheprintingrangeviaoffsets.Youmayselectandsetupaprinter.Pleasechoosethecharactersetforprintingandacceptorchangethesuggestedfontsize.Therecommendedfontsizeiscalculatedasfollows:printresolution(e.g.720dpi)/6(e.g.=120).Ifdesiredyoumayenteracommentwhichwillbeprintedattheend.Ifyouneedmoreflexibilitywithprinting,youcandefineablockandcopyitusing"Edit->Copy->EditorDisplay"asahex-editor-formattedtextintotheclipboard.Youmaypasteitinyourfavoritewordprocessor.Itshouldlookperfectin"CourierNew",10pt.

ReplaceOptionsPromptwhenfound:WinHexawaitsyourdeecisionwhenanoccurrencehasbeenfound.Youmayeitherreplaceit,continueorabortthesearch.Replacealloccurrences:Alloccurrencesarereplacedautomatically.Casesensitive:Thecharactersthataretobereplacedaresearchedusingthisoption(cf.SearchOptions).Unicodecharacterset:ThespecifiedcharactersaresearchedandreplacedinUnicodeformat(cf.SearchOptions).Youmayspecifyonecharacter/atwo-digithexvalueasawildcard(cf.SearchOptions).Thisisusuallydoneinthesearchstring.Ifthesubstitutecontainsawildcard,thecharacterattherelativepositioninanoccurrencewillnotbechanged.Thus,"black"and"block"canbereplacedsimultaneouslywith"crack"and"crock"(enter"bl?ck"and"cr?ck").Onlywholewords:Thesearchedstringisrecognizedonlyifitisseparatedfromotherwordse.g.bypunctuationmarksorblanks.Ifthisoptionisenabled,"tomato"isnotreplacedin"automaton".Searchdirection:DecidewhetherWinHexshallreplacefromthebeginningtotheend,ordownwardsorupwardsfromthecurrentposition.Replaceinblockonly:Thereplaceoperationislimitedtothecurrentblock.Replaceinallopenedfiles:Thereplaceoperationisappliedtoallfilesnotopenedinviewmode.If"Replaceinblockonly"isenabledatthesametime,thereplaceoperationislimitedtothecurrentblockofeachfile.WinHexisabletoreplaceonestringorhexvaluesequencewithanotheronethathasadifferentlength.Youwillbeprompted,whichofthefollowingmethodsshallbeapplied:1stmethod:Thedatabehindtheoccurrenceismovedduetolengthdifference.Sothefilesizeischanged.Thismethodmustnotbeappliedtocertainfiletypes,

suchasexecutablefiles.Itisevenpossibletospecifynothingasthesubstitute,whichmeansalloccurrenceswillberemovedfromthefile!2ndmethod:Thesubstituteiswrittenintothefileatthepositionoftheoccurrence.Ifthesubstituteisshorterthanthesearchedcharactersequence,theexceedingcharacterswillremaininthefile.Otherwiseeventhebytesbehindtheoccurrencewillbeoverwritten(asfarastheendofthefileisnotreached).Thefilesizeisnotaffected.SearchMenuSearchOptionsTechnicalHints

FileRecoverybyType/FileHeaderSignatureSearchDatarecoveryfunctionintheDiskToolsmenu,andalsoastrategytofindpreviouslyexistingfilesaspartoftheRefineVolumeSnapshotcommand.Thisrecoverymethodisalsoreferredtoas"filecarving".Itsearchesforfilesthatcanberecognizedbyacharacteristicfileheadersignature(acertainsequenceofbytevalues).Becauseofthisapproach,filecarvingdoesnotdependontheexistenceoffunctionalfilesystemstructures.FileRecoverybyType:Filesfoundbasedonafileheadersignaturearecarvedandstoredintheoutputfolderthatyouspecifyononeofyourowndrives.Optionally,recoveredfilesofeachtypeareputintotheirownsubfolder(...\JPEG,...\HTML,etc.).Thepresumedcontentsofthefilesareactuallycopied.Fileheadersignaturesearch:Filesfoundbasedonafileheadersignaturearenotstoredanywhere,butmerelylistedinadedicatedvirtualdirectoryofthevolumesnapshot.Onlyareferencetothefileisstored(artificiallygeneratedname,presumedsize,startoffset,...).Thefilecontentsarereadfromtheoriginaldisk/imageontheflywhenneededtoview/copythefile.Optionally,youcanoutputfilesfromseparatefileheadersignaturesearchoperationsintoseparatesubdirectories,sothatit'seasiertodistinguishbetweenthemifneeded.Notethatfilecarvinggenerallyassumescontiguousfileclusters,soitproducescorruptfilesincasethefileswereoriginallystoredinafragmentedway.Thefollowingexceptionexists:IfthefileheadersignaturesearchinvolumeswithasupportedfilesystemotherthanExt2/Ext3findsthestartofafileinfreespace,ataclusterboundary,thedataisbydefaultassumedtoflowaroundpotentiallyfollowingclustersthataremarkedbythefilesystemasinuse.Thiswillcorrectlyreconstructfilesthatwerecreatedafterandstoredaroundotherfilesandthendeleted,aslongasthereleasedclusterswerenotre-usedandoverwrittenafterwards.Topreventfilecarvingpurelyinfreespacethisway,i.e.assumecontiguousclusters,youcanunselecttheoption"Carvefilesinfreeclustersaroundusedclusters".Theoption"Ext2/Ext3blocklogic"causesthisrecoverymethodtodeviatefrom

thestandardassumptionofnofragmentionaswell,inthatitwillfollowthetypicalExtblockpattern,wheree.g.the13thblockfromtheheaderofthefileisconsideredanindirectblockthatreferencesthefollowingdatablocks.ThisoptionhasnoeffectwhenappliedtopartitionsthatWinHexknowshaveafilesystemotherthanExt2andExt3orwhenaheaderisfoundthatisnotblock-aligned.Alogfile"FileRecoverybyType.log"abouttheselectedparametersandtherecoveryresultsiswrittentotheoutputfolderforverificationpurposes.Youcanexpandorcollapsetheentirefiletypetreeinthisdialogwindowwithasinglemouseclickontheappropriatebutton.Thatisusefulbecausewhenexpandedyouonlyneedtotypethefirstfewcharactersofthefiletypedescriptiontoautomaticallyjumptothefirstmatchingiteminthetree.Sincenouseismadeofapossiblepresenceofa(consistentordamaged)filesystem,theoriginalfilesizesareprincipallyunknowntothisrecoverymethod,andsoaretheoriginalfilenames.Thatiswhytheresultingfilesaremostlynamedgenericallyaccordingtothefollowingpattern:Prefix#####.ext."Prefix"isanoptionalprefixyouprovide.#####"isanincrementingnumberperevidenceobject."ext"isthefilenameextensionthatcorrespondstothefileheadersignatureaccordingtothefiletypedefinition.Theoutputfilenameprefixmayoptionallycontainaplaceholder"%d",whichwillbereplacedbythedrivename.ThisisusefulifyouapplyFileRecoverybyTypetomultipledrivesatatimeandwishtobeabletoeasilydistinguishfilesfromdifferentdrives.Withaspecialistlicenseorhigher,the"intelligentnaming"optionwillcauseExifJPEGfilestobeautomaticallynamedafterthedigitalcameramodelthatcreatedthemandtheirinternaltimestamp,ifavailable.ManyWindowsRegistryhivefilesaregiventheiroriginalnames,alsosomeJPEGfilesinwhosemetadataPhotoshophasembeddedaname.JPEGfileswithoutknownnameandnoExifmetadatathathoweverhavebeencreatedbyaknownlibraryreceivesomeadditionalinformationintheirartificialnamesinparentheses(seegeneratorsignature).Thumbs.dbfilesarealwaysnamedthumbs.db,index.datalwaysindex.dat.Theaforementionedprefixisnotusedinconjunctionwithoriginalfilenames.Variousalgorithmsareatworkinternallythattrytodeterminetheoriginalsizesoffilesofmanydifferenttypes(amongothers,JPEG,GIF,PNG,BMP,TIFF,

NikonNEF,CanonCR2raw,PSD,CDR,AVI,WAV,MOV,MPEG,MP3,MP4,3GP,M4V,M4A,ASF,WMV,WMA,ZIP,GZIP,RAR,7Z,TAR,MSWord,MSExcel,MSPowerPoint,RTF,PDF,HTML,XML,XSD,DTD,PST,DBX,AOLPFC,WindowsRegistry,index.dat,Prefetch,SPL,EVTX,EML)byexaminingtheirdatastructure.Thisappliestoentriesinthefiletypedefinitiondatabasethathavea"~"intheFootercolumn.Theseentriesshouldnotbealteredinorderforthesizeandtypedetectiontoworkforthesefiletypes.Alternatively,afootersignaturecanalsohelptofindtheendofafile.Filesforwhichneitheraninternalalgorithmnorafootersignaturedefinitionexistsorfileaboutwhoseoriginalsizetheavailableinternalalgorithmhasnoideaandforwhichnofootersignatureisactuallyfound,arerecoveredatthedefaultsizespecifiedinthefiletypedefinitiondatabaseinbytes.Begenerouswhenspecifyingsuchasizebecausewhereasfilesrecovered"toolarge"canstillbeopenedbytheirassociatedapplications,prematurelytruncatedfilesoftencan'tbeastheyareincomplete.Theattempttodetecttheoriginalsizeoffilesofcertaintypesbysearchingforafooterislimitedbyasizedetectionlimit,whichisoptionallyspecifiedinthedatabaseaswell,afterthedefaultsizeandaforwardslash.Suchalimitisnecessarytoavoidthatafooterforagivenfileissearchedwithinthewholevolume,whichwouldbeverytime-consumingifthevolumeislarge.Also,itbecomesincreasinglyunlikelytofindtherightfooterifnotintheimmediatevicinityoftheheader,andeveniffoundveryfarapart,suchafileislikelyfragmentedorpartiallyoverwrittenetc.Thestandarddefaultsize(ifnotspecified)is1MB.Thestandardmaximumsize(ifnotspecified)is64timesthedefaultfilesize.Fileheadersareusuallyfoundatclusterboundariesbecausethatiswherefilesystemsmostlyputthestartofafile.However,itismorethorough(andnotslower)tosearchforsector-alignedfileheadersbecausethatallowstoalsofindfilesfrompreviouslyexistingpartitionswithadifferentclusterlayout,sosearchingatsectorboundariesisthedefaultbehavior.Ifperformedonaphysicalmediumorrawfilewithnoclusterlayoutdefined,WinHexhastosearchatsectorboundariesanyway.Thereisyetanotherpossibility,athoroughbyte-levelsearch.Thisisrequiredwhenyouaretryingtofindfilesthatarenotreliablyalignedatanysectorboundaries(e.g.filesinbackupfilesortapeimagesorembeddedinotherfiles)orwhentryingtofindentries/records/micro-formats/memoryartifactsetc.,i.e.notcompleteordinaryfiles.Thiscomesatthecostofapossiblyincreasednumberoffalsepositives,though,misidentifiedfilesignaturesoccurringrandomlyonamedia,notindicatingthebeginningofafile.Individualflagsinthefiletypedefinitiondatabasecanhelponaperfiletype

basistodecidewhichfilestosearchforacluster,sectororbyteboundaries.Thatthestartsectorsoffilesthatarealreadyknowntothevolumesnapshotarealwaysexcludedfromfilecarvingisoptional.Ofcourse,X-WaysForensicsgenerallystilltriestopreventduplicates,butifthefileheadersignaturedefinitionortheinternalfilesizedetectionisstrongenoughtosuggestthataknowndeletedfilewasoverwrittenwithanewfile,thenthatnewfilewillbecarvedalthoughitsharesthesamestartsectorwiththeknownfile.IfyouintentionallyabortthefileheadersignaturesearchorifthefileheadersignaturesearchcausesX-WaysForensicstocrash,nexttimewhenyoustartafileheadersignaturesearchinthesameevidenceobject,youwillfindanoptiontoresumeitrightwhereitwasinterrupted,orwhereitwaswhenthevolumesnapshotwaslastsavedbeforethecrashoccurred(dependsontheauto-saveintervalofthecase).Youmaylimitthescopeoftherecoverytoacurrentlyselectedblockifnecessaryand/ortoallocatedorunallocatedspace(optionavailableonalogicaldriveorvolume).E.g.inordertorecoverfilesthatweredeleted,youselecttorecoverfromunallocatedspaceonly.Filesthatarenotaccessibleanymorebecauseoffilesystemerrorsmaystillbestoredinclustersthatareconsideredasinuse.TheeffectsofNTFScompressiononfiledatacanoptionallybecompensatedforinafileheadersignaturesearch(forensiclicenseonly),inmanycasessuccessfully.IfthesignatureofanNTFS-compressedfileisfound,thefilewillbemarkedascompressed,andanattemptwillbemadetodecompressthefileontheflywhenneededwithasophisticatedalgorithmthatcanevendecompressfilesthatconsistofmultiplecompressionunits.

SurplusSectorsThistermisusedinWinHexinthefollowingway:SurplussectorsonalogicaldrivearethosefewsectorsattheendthatdonotaddtoafullclusterandthuscannotbeusedbytheOS(andthusbynoconventionalapplicationprogrameither).Synonym:volumeslack.Surplussectorsonaphysicaldiskarethosesectorsattheendthatarelocatedoutsidetheregulardiskgeometryscheme(becausetheydonotaddtoafullcylinder/header/trackentity),whichiswhytheyareusuallynotusedbyanypartitionortheoperatingsystem(oranyconventionalapplicationprogram).Synonym:unpartitionablespace.Surplussectorshavenothingtodowith"bad"ordamagedsectorsorsectorsaharddiskinternallyusesasareplacementforsectorsfoundtobefaulty.

FileToolsConcatenate:Selectseveralsourcefilesthataretobecopiedintoonedestinationfile.Thesourcefilesarenotaffected.Split:Thiscommandcreatesseveraldestinationfilesusingthecontentsofasinglesourcefile.Specifyasplitoffsetforeachdestinationfile.Thesourcefileisnotaffectedbythisfunction.Unify:Selecttwosourcefilesandonedestinationfile.Thebytes/wordsfromthesourcefileswillbewrittenalternatelyintothedestinationfile.Thefirstbyte/wordoriginatesfromthesourcefilethatwasspecifiedfirst.Usethisfunctiontocreateafilewithoddandevenbytes/wordsoriginatingfromseparatefiles(e.g.inEPROMprogramming).Dissect:Selectasourcefileandtwodestinationfiles.Thebytes/wordsfromthesourcefileswillbewrittenalternatelyintothedestinationfiles.Thefirstbyte/wordwillbetransferedtothedestinationfilethatwasspecifiedfirst.Usethisfunctiontocreatetwoseparatefileseachcontainingeithertheoddortheevenbytes/wordsoftheoriginalfile(e.g.inEPROMprogramming).CreateHardLink:CoolfunctiontocreatehardlinksoffilesinNTFSvolumes.UsefulforexampletoplayaroundwithhardlinkswhenattendingNTFSfilesystemstraining,orifyouwouldliketoaddthesameimagetothesamecaseagain,whichisonlypossibleunderadifferentname,orifyouwouldliketocreateahardlinktoxwforensics.exenamedWinHex.exe,inordertorunX-WaysForensicsasWinHex(details).Firstyouselecttheexistingfile,thenapathandnamefortheadditionalhardlink.CopySparse:CancopyaselectedfileandpreservesthesparsenatureifitisanNTFSsparsefile,inthedestinationfile.Thatmeansforexamplewhencopyinga1TBskeletondiskimagethatonlyhas100MBofdataallocated,thecopyprocesswillfinishalmostinstantlybecauseonly100MBoutof1TBofdatahavetobecopied.Conventionalcopyfunctionsdonotpreservethesparsenatureofafileandcopytheamountofdataasindicatedbythenominalfilesize,evenifmostofthedataisinternallyunallocatedandreadvirtuallyasbinaryzeroes.ReplicateDirectory:Copiesadirectorywithallitsfilesandsubdirectories,

recursively,andrecreatesindividuallyNTFS-compressedsourcefilesasNTFS-compressedintherespectiveoutputfolderifsupportedbythedestinationfilesystemandanylayerinbetween.Thecommanddoesnotretroactivelycompresssuchfilesaftertheircreation,butwritesthemimmediatelyascompressed,whichismoreefficient.However,itstillhastocopy/sendthedecompressedamountofdataofthesourcefile.Supportsoverlongpaths.Selectthesourcedirectoryfirst,thenspecify/createthedestinationdirectory.Thisfunctionisusefulforexampleifyouwishtocopyormoveacasedirectory,whichcontainsafewNTFS-compressedfilesthatwouldbeinefficienttostoreasuncompressed.NotethatalternativelyyoucanopenacaseandusetheSaveAscommandintheCaseDatawindowforthesameeffect.WipeSecurely:Thiscommandisusedtoerasethecontentsofoneormorefilesirrevocablyonmagneticdisks,suchthattheycannotberestoredbyWinHexitselforotherspecialdatarecoverysoftware.Eachselectedfileisoverwrittenwithdataasselectedbytheuser,shortenedtoalengthofzeroandthendeleted.Thenameentryofthefileisoverwrittenaswell.Evenprofessionalattemptstorestorethefilewillbefutile.Thereforethiscommandshouldbeappliedtofileswithconfidentialcontentsthataretobedestroyed.Optionsforthat.AvailableinWinHexonly,notinX-WaysForensics.DeleteRecursively:ThiscommandcanbeusedtorecursivelydeleteadirectorywithallitssubdirectoriesiftheycannotbedeletedwithWindowsExplorerorotherWindowstoolsandcommandsbecauseofillegalcharactersinthedirectorynamesorbecauseofmissingrights(forexampleif"TrustedInstaller"istheowner)ifyoucangetthoserights(ifyouarerunningWinHexwithadministratorrights).Notethatyoucannotapplythiscommandtosuchaproblematicdirectoryitself,onlytoaparentdirectory.

KeepingTrackofViewedFilesWithaforensiclicense,theprogramcanoptionallykeeptrackofwhichfileswerealreadyviewedandflagthemvisuallywithagreenbackgroundcoloraroundthetag.Thisisespeciallyusefulwhenreviewinghundredsorthousandsofdocumentsorpicturesoveralongerperiod,toavoidaccidentiallyviewingthesamedocumentsmultipletimes.AfilecanautomaticallybeflaggedasalreadyviewedwhenviewingitinfullwindoworPreviewmode,whenviewingpicturesinthegallery,orwhenidentifyingafileasknowngoodbasedonthehashdatabase.Whenidentifyingduplicatefilesbasedonhashvalues,andoneofthefileshasbeenmarkedasalreadyviewed,thentheduplicatescanoptionallybemarkedasalreadyviewed,too.Similarly(onlyifthecorrespondingcheckboxisfullychecked),iffileshavebeenmarkedalreadyashavingduplicatesandtheirhashvaluesareavailable,whentheyareviewed,duplicateswithinanyopenvolumewillbemarkedasalreadyviewedatthesametime,butthisispotentiallyslowwhenusedinconjunctionwiththegallery.Whenviewingafilewithfurtherhardlinks(whicharealsoduplicates),thosewillbeautomaticallymarkedasalreadyviewedaswell,exceptinHFS+.Tomanuallymarkfilesasalreadyviewed,youcanpressAltincombinationwiththecursorkeys.Alt+Leftremovesthemark.Youcanalsoright-clickthetagareaofafileinthedirectorybrowsertomarkitasalreadyviewedortoremovethatmark.Adirectoryisconsideredviewedifallthefilesandsubdirectoriesthatitcontainsareflaggedassuch.

KeySpecifyacharacterstringastheencryption/decryptionkey.Thekeyiscase-sensitive.Themorecharactersyouenterasanencryptionkey,themoresecureitis.Thekeyitselfisnotusedforencryptionanddecryption,insteaditisdigestedtotheactualkey.Thekeyisnotsavedonyourharddisk.Ifthecorrespondingsecurityoptionisenabled,thekeyisstoredinanencryptedstateintheRAMaslongasWinHexisrunning.

HitCountintheSearchTermListQuestion:Whywhenallthesearchtermsareselectedwith"List1hitperitemonly"arethecountsreturneddifferentfromwhenIclickoneachsearchtermindividuallywiththesamesetting?Answer:Becausetheoptionis"List1hitperitemonly",andnot"List1hitpersearchtermperitemonly".Manyusersdonotunderstandthat.Imagineifinthesamefilethereis1hitforsearchtermAand1hitforsearchtermB,andyouselectbothAandBwiththatoptionenabled,thenonly1hitislisted,eithertheoneforAortheoneforB(uptoX-WaysForensicstodecide).Sothedisplayedhitcountis1foronesearchtermand0fortheotherone.Ifthenyouselecttheothersearchtermonlyandclick"Enter",thecountforthatsearchtermwillchangefrom0to1becausethatisnowtheonlypossiblesearchtermfromwhichhitscanbelisted,andupto1searchhitislistedperfile,sothat1hitislisted.

FileTypeDefinitions"FileTypeSignatures*.txt"aretab-delimitedtextfilesthatservesasafiletypedefinitiondatabaseforrefiningvolumesnapshotsandfortheFileRecoverybyTypecommand.WinHexcomeswithvariouspresetfiletypesignatures.Youmayfullycustomizethefiletypedefinitionsandaddyourownones,eitherin"FileTypeSignaturesSearch.txt"orinanyadditionalsuchfilesofthesameformatnamed"FileTypeSignatures*.txt",whichwillbeloadedaswellandmayhavethebenefitthattheywillnotbeoverwrittenwhenyouinstallthenextupdateiftheydon'thavethesamenameasoneofthedefaultfiles.Onlyifthefilenamecontainstheword"search",thefiletypeswillbeavailableforfileheadersignaturesearches.Otherwisetheyareusedforfiletypeverificationonlyoffilesthatarealreadypartofthevolumesnapshot(forensiclicenseonly).Upto4096entriesaresupportedaltogether(1024forsearching).WhenyouclicktheCustomizebuttontoeditthefile"FileTypeSignaturesSearch.txt",bydefaultWinHexopensthefileinMSExcel.Thisisconvenientbecausethefileconsistsofcolumnsseparatedbytabs.Ifyoueditthefilewithatexteditor,besuretoretainthesetabs,asWinHexreliesontheirpresencetoproperlyinterpretthefiletypedefinitions.MSExcelretainsthemautomatically.Aftereditingthefiletypedefinitions,youneedtoexitthedialogwindowandinvoketheFileRecoverybyTypeorRefineVolumeSnapshotmenucommandagaintoseethechangesinthefiletypelist.1stcolumn:FileTypeAhuman-readabledesignationofthefiletype,e.g."JPEG".Everythingbeyondthefirst19charactersisignored.2ndcolumn:ExtensionsOneormorefiletypeextensionstypicallyusedforthisfiletype.E.g."jpg;jpeg;jpe".Specifythemostcommonextensionfirstbecausethatonewillbeusedbydefaultfornamingrecoveredfiles.Ifthatfirstextensionisspecifiedinupper-casecharacters,itwillbeusedbythefiletypeverificationtofilltheTypecolumnforafileevenifthefilehasoneofthealternativeplausiblefilename

extensions.Morethan255characterssupported.3rdcolumn:HeaderAuniqueheadersignaturebywhichfilesofthisfiletypecanberecognized.ItisspecifiedinGREPsyntax(seeSearchOptionsforanexplanation),sothatit'spossibletomatchvariablebytevalues(e.g.[\xE1\xE2]mean"thebytevaluecouldbe0xE1or0xE2")orundefinedareas(.).Themaximumlengthoftherepresentedsignatureis48bytes.Tofindoutcharacteristicfileheadersignaturesinthefirstplace,openseveralexistingfilesofacertaintypeinWinHexandlookforcommonbytevaluesnearthebeginningofthefileatidenticaloffsets.4thcolumn:OffsetTherelativeoffsetwithinafileatwhichthesignatureoccurs.Oftensimply0.Thesignaturemustbecontainedinthefirst512bytes.5thcolumn:FooterOptional.Asignature(bytesequence)thatreliablyindicatestheendofafile,specifiedinGREPsyntax.GREPexpressionsthatrepresentvariably-sizeddatamaynotworkasexpected.Afootersignaturemayhelptoachievearecoverywiththecorrectfilesize.Therecoveryalgorithmdoesnotsearchforthefooterfurtherthanthenumberofbytesspecifiedasthemaximumfilesize,startingfromtheheader.EvenbetterthanafooteristhepotentialavailabilityofaninternallyimplementedalgorithminX-WaysForensicsthatknowsthefileformatwellandcanusuallyfindoutthecorrectfilesizeifafileisnotfragmented,incompleteorcorrupt.SuchanalgorithmisindicatedintheFootercolumnwithatilde(~)andanalgorithmIDnumber.6thcolumn:DefaultsizeOptional.1or2values.If2values,thesecondoneisafiletypespecificsizedetectionlimitanddelimitedfromthedefaultsizebyaforwardslash.Foranexplanationseehere.7thcolumn:Flags

Optional.CanfurthertailorfilecarvingforcertainfiletypesandareyetanotherindicatorofhowsophisticatedandpowerfulfilecarvingisinX-WaysForensics.b(lowercase):Thesignatureissearchedatthebytelevelwhengiventhechoice.Usefulespeciallyforentries/record/micro-formats/memoryartifacts(i.e.notcompleteordinaryfiles)thatarenottypicallyalignedatanysectororclusterboundaries.B(uppercase):Preventsabyte-levelsearchforthatparticularsignature,forperformancereasons.c(lowercase):Iftakenintoaccount(dependsonuserinterfacesettings),ignoresheadersignaturesthatarenotalignedatclusterboundaries.Canbeusefulforsomefiletypestoavoidtomanyfalsepositives.C(uppercase):DenotesfiletypesignaturesthatshouldnotbeusedtosearchforNTFS-compressedfilesifcompensationforNTFScompressionisactive,becausetheyaretooweakandwouldyieldtoomanyfalsepositivesorwouldnotbeactuallystoredascompressedanyway.d(lowercase,for"direct"):Thesignaturewillbeinterpretedliterally,notasasaGREPexpression,characterbycharacter,withbytevaluesaccordingtotheactivecodepageinyourWindowssystem.UsefulforexampleifyouarenotveryfamiliarwithGREPnotationordon'tneedGREPandjustwanttogetallcharactersinterpretedliterallyaccordingtothecodepagethatisactiveinyourWindowssystem,withoutthinkingmuchaboutwhetherthecharactersareconsideredspecialcharactersinGREP.Forexample,<?xmlversion="1isavalidsignatureforcertainXMLfiles,butitworksonlywiththedirectflagbecausethequestionmarkhasaspecialmeaninginGREP,whichresultsinadifferentbytevaluesequenceforthesignatureinternallyiftheentireexpressionisinterpretedasGREP,andwouldnotyieldanymatchesifGREPinterpretationisactive.e:Standsfor"embedded".Ifafiletypehasatilde(~)algorithmintheFootercolumnandismarkedwiththisflag,itwillbepreselectedforasearchofembeddeddataincertainotherfilesduringvolumesnapshotrefinements,inthe"Fileheadersignaturesearchinallfilesnotprocessedabove"section.The"e"flagmerelyhelpstoinitializethetickmarksforthisoption.Ultimatelytheuser

canchangetheselectedfiletypesforthatoperationintheuserinterface.Also,thetypesmarkedwiththe"e"flagwillbesearchedembeddedinfilesoftypesforwhichnointernalextractionalgorithmexists.E:Nevercarvedasanembeddedfilewithinotherfiles.f(lowercase):Indicatesthatthespecifiedfootersignatureisusedtofinddatathatisnotpartofthefileanymoreandshouldexcluded.Ordinaryfootersareincludedinthecarvedfile.Usefulforfileformatsthatdonothaveawelldefinedfooter,wheretheendofthefilecanbedetectedbytheoccurrenceofdatathatdoesnotbelongtothefileanymore.Thatcouldbethesamesignatureastheheader(iffilesofthattypeoccurtypicallyingroups,backtoback)orjust\x00(forfileformatssuchastextfilesthatdonotcontainzero-valuebytes,wherehowever\x00canbeexpectedwithahighlikelihoodintheRAMslack).Suchfootersignaturesshouldbemarkedasexclusivebecausethedatamatchedbyitisnotpartofthefileitself.F(uppercase):MakesX-WaysForensicsdiscardhitsofthefileheadersignaturesearchifnocorrespondingfootercanbefound,providedthatafootersignatureisspecifiedinthedefinition.Canbeusefultoreducethenumberofortotallyavoidfalsepositives.G:Standsfor"greedy".Greedilyallocatesallthesectorsexclusively.Thefiletypesignaturesearchcontinuesitssearchforfurtherfileheadersonlyafterthepresumedendofsuchfiles.Canbeusefulifaninternallyimplementedalgorithmisavailablethatiscertainthatthecarvedfilecontainsallvaliddata,sothatitisnotnecessarytosearchforotherfileswithinthepreviouslycarvedfile'sboundaries.Theflaghasaneffectonlyifthefileheadersignatureisfoundatasectorboundary.Ifafileinfreespaceiscarvedaroundallocatedclusters,onlythefirstfragmentofthefileisskippedwhensearchingforfurtherfileheadersignatures.g(lowercase):Weakerversionofthesameflag.Onlyifaninternalfilesizedetectionalgorithmexistsforafiletypeandifafilewiththesamestartsectornumberexistsalreadywiththesamefilesizeasdetected,the"g"flagwillcauseX-WaysForensicstoskiptheaffectedsectors.Thiscanhelptopreventoverlappingzipfilesandtherebyavoidpotentiallymanycontainedduplicatefiles.Hasnoeffectwhencombinedwithb.h:Indicatesthatthespecifiedheadersignatureisusedtofinddatathatisnotpart

ofthefileitself.Thatmeansthattheheaderwillbeexcludedfromthecarvedfile.Thecarvedfilewillstartaftertheheader.Additionally,thisflagpreventsfilecarvinginfreespacearoundallocatedclustersforfilesofthistype.L:Identifieslinksthatmerelylinktootherdefinitions.UsefulforexampletohaveanentryforOpenOfficefiles,whichwasmissedbysomeusersandwhoseabsencecouldleadtothemisconceptionthatitisnotpossibletocarveOpenOfficefiles.IftheentryforOpenOfficeisselectedforcarving,thisinternallyautomaticallyselectsziparchivesforcarving,whichmakessensebecauseOpenOfficefilestechnicallyarezipfilesandcanbecarvedassuch.ThedisadvantageisjustthatotherziparchivesthatarenotOpenOfficefilesarealsocarved.However,thosefileswillbedistinguishablethanksontheinternalfiletypedetection,forexamplebasedontheautomaticallyassignedfilenameextension.S:Markssignaturesthataregoodenoughforthefileheadersignaturesearch(probablyinconjunctionwithacarvingalgorithm),butnotforfiletypeverificationbecauseofoccasionalmisidentifications.Thisflagshouldbeveryrarelyneeded.t:PreventsX-WaysForensicsfrompresentingthetypeofcarvedfilesimmediatelyasconfirmed.UsefulforexampleforfileformatfamiliessuchasXML,todeterminetheexactsubtypelaterduringfiletypeverification.u(lowercase):Standsfor"unused".Allowstocarvefilesonlyinclustersthatarefreeaccordingtothefilesystem.U(uppercase):Allowstocarvefilesonlyinclustersthatarefreeaccordingtothefilesystemandalsonotusedbypreviouslyexistingfilesascontainedinthevolumesnapshot.W(uppercase):Identifiesheadersignaturesthataretooweaktonewlydetectthetypeofafileandaremerelyusedtoconfirmthetypesuggestedbythenameextensionofthefile.x:Identifiesfiletypesforwhichitisrelativelynormalthattheactualfilenameextensionisnotthestandardextensionforthatfiletype,sothatfilesofthesetypeswillnotbehighlightedas"mismatchdetected"afterfiletypeverification,butjustpresentedas"newlyidentified",astonotdrawmoreattentiontothese

filesthantheydeserve.y:Identifiesfiletypesthatareknowntouseencryptioninternally,whichallowstomarkcarvedfilesofthesetypesintheAttr.columnimmediatelywith"e!".

Hintsondiskcloning,diskimaging,andimagerestorationCloningorimagingwithWinHex/X-WaysForensicsmakesexactsector-wise,forensicallysoundcopies,includingallunusedspaceandslackspace.Animageisusuallypreferabletoaclone,asalldata(andmetadatasuchastimestamps)inanimagefileisprotectedfromtheoperatingsystem.Ifyouclone/imageadiskforbackuppurposes,trytoavoidthatthediskisbeingwrittentobytheoperatingsystemorotherprogramsduringtheprocess,e.g.byunmountingpartitionsthataremountedasdrivelettersbeforestarting.Suchwriteoperationsareunavoidable,ofcourse,ifyouclone/imagethediskthatcontainstheactiveWindowsinstallationfromwhereyouexecuteWinHex/X-WaysForensics.Ifthesourcediskisbeingwrittentoduringtheprocess,theclone/imagemayhaveaninconsistentstatefromthepointofviewoftheoperatingsystem(e.g.itmaynotbeabletobootaWindowsinstallationanymore).Fromaforensicstandpoint,however,whencloning/imagingalivesystem,althoughitishighlydesirablethatnowritingoccursanymore,thatshouldnotbeamajorproblem,asyoustillgetanaccuratesnapshotofeachandeverysector.Ifthedestinationofcloningorimagerestorationisapartitionthatismountedasadriveletter,WinHexwilltrytoclearallofWindows'internalbuffersofthatdestinationpartition.Ifnonethelessyoudon'tseethenewcontentsinWindowsExploreronthedestinationaftertheoperationhascomplete,youmaysimplyneedtorebootyoursystem.NotethatWinHexdoesnotdynamicallychangepartitionsizesandadaptpartitionstodestinationdiskslargerorsmallerthanthesource.

Optionally,filescanbeindirectlyaddedtoevidencefilecontainers,viayourownharddisk.Thatmeanstheyarenotcopieddirectlyintothecontainer,buttoyourfolderfortemporaryfilesfirst(cf.GeneralOptions),andonlythenfromthereintothecontainer.Thiscanbebeneficialbecauseitallowsaresidentantivirussoftwaretointerceptthesefiles(checkthemforviruses,disinfect/disarmthem,renamethem,move/delete/lockthem,etc.),sothatitpreventsvirusesfrommakingitintoacontainer.Theresultingcontainerisfreeofknownviruses(dependingontheantivirussoftwareinuse)andcanreasonablybepassedontoandusedinanenvironmentwithhighersensitivity,highersecurityrequirements,and/orlesssophisticatedvirusprotection.Important:Pleaseverifyfirst,bytestingwithknownmalware,thatyourantivirussoftwareworksasintendedinthissituation.

TemplateDefinitionAtemplatedefinitionconsistsofaheaderandabody.HeadersyntaxVariabledeclarationsinthebodyAdvancedcommandsthebody

VariableDeclarationsThebodyofatemplatedefinitionmainlyconsistsofvariabledeclarations,similartothoseinprogramminglanguages.Adeclarationhasthebasicformtype"title"wheretypecanbeoneofthefollowing:int8,uint8=byte,int16,uint16,int24,uint24,int32,uint32,uint48,int64,uint_flex,binary,float=single,real,double,longdouble=extended,char,char16,string,string16,zstring,zstring16,boole8=boolean,boole16,boole32,hex,DOSDateTime,FileTime,OLEDateTime,SQLDateTime,UNIXDateTime=time_t,JavaDateTime,GUID"title"mustonlybeenclosedininvertedcommasifitcontainsspacecharacters."title"mustnotconsistonlyofdigits.WinHexdoesnotdistinguishbetweenupperandlowercasecharactersintitles.41charactersareusedtoidentifyavariableatmost.typecanbeprecededbyatmostonememberofeachofthefollowingmodifiergroups:big-endianlittle-endian(seeEndian-ness)hexadecimaldecimaloctalread-onlyread-writelocalThesemodifiersonlyaffecttheimmediatelyfollowingvariable.Theyareredundantiftheyappearintheheaderalready."local"translatestimestampsexceptDOSDateTimefromUTCtothetimezonespecifiedintheGeneralOptions.

Thenumberattheendofatypenamedenotesthesizeofeachvariable(strings:ofeachcharacter)inbits.Withchar16andstring16,WinHexsupportsUnicodecharactersandstrings.However,Unicodecharactersotherthanthefirst256ANSI-equivalentcharactersarenotsupported.Themaximumstringsizethatcanbeeditedusingatemplateis8192bytes.Thetypesstring,string16,andhexrequireanadditionalparameterthatspecifiesthenumberofelements.Thisparametermaybeaconstantorapreviouslydeclaredvariableoramathematicalexpression(seebelow).Ifitisaconstant,itmaybespecifiedinhexadecimalformat,whichisrecognizedifthenumberisprecededby0x.Youmaydeclarearraysofvariablesbyplacingthearraysizeinsquarebracketsnexttothetypeorthetitle.ThefollowingtwolinesdeclareadynamicallysizedASCIIstring,whoselengthdependsontheprecedingvariable:uint8"len"char[len]"Astring"Thesamecouldbeachievedbythefollowingtwodeclarations:byte"len"stringlen"Astring"Thecharacter"~"canbeusedasaplaceholderforlaterreplacementwiththeactualarrayelementnumber(seeAdvancedCommands).Thisdoesnotapplytoarraysofcharvariables,sincetheyareautomaticallytranslatedintoastring.Numericalparametersofstring,string16,andhexvariablesaswellasarraysizeexpressionsmaybespecifiedinmathematicalnotation.Theywillbeprocessedbytheintegratedformulaparser.Suchexpressionsneedtobeenclosedinparentheses.Theymustnotcontainspacecharacters.Theymaymakeuseofpreviouslydeclaredintegervariableswhosenamesdonotcontainspacecharacterseither.Supportedoperationsareaddition(+),subtraction(-),multiplication(*),integerdivision(/),modulardivision(%),bitwiseAND(&),bitwiseOR(|),andbitwiseXOR(^).Validmathematicalexpressionsareforexample(5*2+1)or(len1/(len2+4)).Theresultisalwaysanintegerandmustbeapositivenumber.

zstringandzstring16arenull-terminatedstringswhosesizeisdetermineddynamicallyatrun-time.

ManualDataRecoveryAsidefromofferingvariousautomaticdatarecoverymechanisms,WinHexisapowerfultooltomanuallyrecoverydata.Itispossibletorestorelostordeletedfiles(ormoregeneral:data)thathavenotbeenphysicallyerased(oroverwritten),butmerelymarkedasdeletedinthefilesystem(logicaldeletion).Openthelogicaldrivewherethedeletedfileresidedonusingthediskeditor.Principallyyoucanrecreatesuchafilebyselectingthedisksectors,thatwereallocatedtothefile,asthecurrentblockandsavingthemusingthemenucommandEdit|CopyBlock|IntoNewFile.Butitmayprovedifficulttofindthesectorswherethefileisstillstoredinthefirstplace.Thereareprincipallytwowaystoaccomplishthis:1. Incaseyouknowasnippetofthefileyouarelookingfor(e.g.the

characteristicsignatureintheheaderofaJPEGfileorthewords"DearMr.Smith"inaMSWorddocument),searchitonthediskusingthecommonsearchcommands("FindText"or"FindHexValues").Thisisaverysimpleandsafeway,andcanberecommendedtoanyone.

2. Incaseyouonlyknowthefilename,youwillneedsomeknowledge

aboutthefilesystemonthedisk(FAT16,FAT32,NTFS,...)tofindtracesofformerdirectoryentriesofthefileandtherebydeterminethenumberofthefirstclusterthatwasallocatedtothefile.InformationonfilesystemsisavailableintheKnowledgeBaseontheWinHexwebsite.ThefollowingappliestoallFATvariants:

Ifthedirectorythatcontainedthefile(let'scallthatdirectory"D")stillexists,youcanfindDonthediskusingTools|DiskTools|ListDirectoryClusters.ThefactorytemplateforFATdirectoryentriesthatcomeswithWinHexwillthenbehelpfultofindoutthenumberofthefirstclusterthatwasallocatedtothedeletedfileinthatdirectory.Otherwise,ifDhasbeendeletedaswell,youneedtofindthecontentsofD(usingthedirectoryentrytemplate)startingwiththedirectorythatcontainedD(possiblytherootdirectory).

Deletedfilesanddirectoriesaremarkedwiththecharacter"å"

(hexadecimal:E5)asthefirstletterintheirname.Youmayencountertheproblemthatthefiletorecoverisfragmented,thatis,notstoredinsubsequentcontiguousclusters.OnFATdrives,thenextclusterofafilecanbelookedupinthefileallocationtableatthebeginningofthedrive,butthisinformationiserasedwhenafileisdeleted.

TemplateDefinitionHeaderTheheaderofatemplatedefinitionhasthefollowingformat:template"title"[description"description"][applies_to(file/disk/RAM)][fixed_startoffset][sector-aligned][requiresoffset"hexvalues"][big-endian][hexadecimal/octal][read-only][multiple[fixedoverallsize]]//Putanygeneralcommentstothetemplatehere.beginvariabledeclarationsendTagsinbracketsareoptional.Theorderofthetagsisirrelevant.Expressionsneedonlybeenclosedininvertedcommasiftheycontainspacecharacters.Commentsmayappearanywhereinatemplatedefinition.Charactersfollowingadoubleslashareignoredbytheparser.Thekeyword"applies_to"mustbefollowedbyoneandonlyoneofthewordsfile,disk,orRAM.WinHexissuesawarningifyouaregoingtouseatemplateondatafromadifferentsource.Whilebydefaulttemplatesstartinterpretingthedataatthecurrentcursorpositionwhenapplied,anoptionalfixed_startstatementensuresinterpretationalwaysstartsatthespecifiedabsoluteoffsetwithinthefileordisk.Ifthetemplateappliestoadisk,thekeyword"sector-aligned"ensuresthetemplateinterpretationstartsatthebeginningofthecurrentsector,regardlessoftheexactcursorposition.Similartothe"applies_to"statement,the"requires"statementenablesWinHex

topreventanerroneousapplicationofatemplatedefinitiontodatathatdoesnotmatch.Specifyanoffsetandahex-valuechainofanarbitrarylengththatidentifiesthedataforwhichthetemplatedefinitionwasintended.Forexample,avalidmasterbootrecordcanberecognizedbythehexvalues55AAatoffset0x1FE,anexecutablefilebythehexvalues4D5A("MZ")atoffset0x0.Theremaybemultiple"appliesto"statementsinatemplatedefinitionheader,whichareallconsidered.Thekeyword"big-endian"causesallmulti-byteintegerandbooleanvariablesinthetemplatedefinitiontobereadandwritteninbig-endianorder(high-orderbytefirst).Thekeyword"hexadecimal"causesallintegervariablesinthetemplatedefinitiontobedisplayedinhexadecimalnotation.Thekeyword"read-only"ensuresthatthetemplatecanonlybeusedtoexamine,butnottomanipulatedatastructures.Theeditcontrolswithinthetemplatewillbegrayedout.Ifthekeyword"multiple"isspecifiedintheheader,WinHexallowsbrowsingtoneighboringdatarecordswhiledisplayingthetemplate.ThisrequiresthatWinHexhasknowledgeoftherecord'ssize.Ifitisnotspecifiedasaparametertothe"multiple"statement,WinHexassumestheoverallsizeofatemplatestructure(=record)tobethecurrentpositionattheendofthetemplateinterpretationlessthebaseeditingposition.Ifthisisavariablesize,i.e.arraysizesormoveparametersaredetermineddynamicallybythevalueofvariables,WinHexcannotbrowsetoprecedentdatarecords.

AdvancedCommandsWhenenclosedinbraces,severalvariabledeclarationscompriseablockthatcanbeusedrepeatedlyasawhole.Note,however,thatblocksmustnotbenestedinthecurrentimplementation.The"~"charactercanbeusedinavariable'snameasaplaceholderforlaterreplacementwiththeactualrepetitioncount.Theoptional"numbering"statementdefineswheretobegincounting(0bydefault).numbering1{abbyte"len"stringlen"StringNo.~"}[10]Inthisexampletheactualvariablenamesinthetemplatewillbe"StringNo.1","StringNo.2",...,"StringNo.10".Insteadofaconstantnumberofrepetitions(10inthisexample),youmayalsospecify"unlimited".InthatcaseWinHexwillrepeattheblockuntiltheendoffileisencountered."ExitLoop"canbeusedtobreakoutofaloopatanytime."Exit"terminatesexecutionofthetemplatecompletely."IfEqual"isusefulforthecomparisonoftwoexpressions.Operandscanbeeitherbothnumericalvalues,beitconstantvaluesindecimalnotation,integervariablesoraformulas,orbytesequencesgivenastextorhexvalueswhicharecomparedbytebybyte.ASCIIstringexpressionsmustbeenclosedinquotationmarks,hexsequencesmustbeprrecededbya"0x"idennnnnntifier.Formulasneedtobeenclosedinbrackets.{byteValueIfEqualValue1ExitLoopEndIf}[10]An"IfEqual"commandblockisterminatedwithan"EndIf"statement.Ifthecomparedexpressionsareequal,templateinterpretationcontinuesafter"IfEqual".Optionally,"IfEqual"canbefollowedbyan"Else"statement.Thetemplateprocessorbranchesintothe"Else"blockiftheexpressionsarenotequal."IfEqual"commandsmustnotbenested."IfGreater"issimilarto

"IfEqual".Theconditionistrueifthefirstexpressionisgreaterthanthesecond.Stringsandhexvaluesarecomparedlexicographically.Inordertofacilitatereadingandnavigatingthetemplate,youmaydefinegroupsofvariablesthatareseparatedbyemptyspaceeinthedialogbox:section"...SectionTitle..."...variabledeclaractions...endsectionThe"section","endsection",and"numbering"statementsdonotadvancethecurrentpositioninthedatatobeinterpreted.Therearethreecommandsthatdonotdeclarevariableseither,butareexplicitlyusedtochangethecurrentposition.Thiscanbedonetoskipirrelevantdata(forwardmovement)ortobeableaccesscertainvariablesmorethanonceasdifferenttypes(backwardmovement).Usethe"moven"statementtoskipnbytesfromthecurrentposition,wherenmaybenegative."goton"navigatestothespecifiedabsolutepositionfromthebeginningofthetemplateinterpretation(mustbepositive)."gotoexn"jumpstothespecifiedabsolutepositionbasedonthestartofthedatawindow(e.g.fileordisk).Thefollowingexampledemonstrateshowtoaccessavariablebothasa32-bitintegerandasafour-partchainofhexvalues:int32"Diskserialnumber(decimal)"move-4hex4"Diskserialnumber(hex)"

FlexibleIntegerVariablesAspecialvariabletypesupportedbytemplatesisuint_flex.Thistypeallowstocomposeanunsignedintegervaluefromvariousindividualbitswithina32-bit(4-byte)rangeinanarbitraryorderandisevenmoreflexiblethanaso-calledbitfieldintheCprogramminglanguage.uint_flexrequiresanadditionalparameterstringininvertedcommasthatspecifiesexactlywhichbitsareusedinwhichorder,separatedbycommas.Thebitlistedfirstbecomesthemostsignificantbit(highvaluebit)intheresultinginteger,anditisnotinterpretedasa+or-indicator.Thebitlistedlastbecomestheleastsignificantbitintheresultinginteger.Thebitsarecountedstartingwith0.Bit0isthebitthatistheleastsignificantbitofthe1stbyte.Bit31isthemostsignificantbitofthefourthbyte.Thus,thedefinitionisbasedonlittle-endianphilosophy.Forexample,uint_flex"15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0""Standard16-bitinteger"isexactlythesameasuint16,thecommonunsigned16-bitintegervariable.uint_flex"31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0""Standard32-bitinteger"isexactlythesameasuint32,thecommonunsigned32-bitintegervariable.Thebenefitofuint_flex,though,isthatthenumber,theposition,andtheusageorderofallbitscanbechosenarbitrarily.Forexample,uint_flex"7,15,23,31""Anunusual4-bitinteger"composesa4-bitintegeroutoftherespectivemostsignificantbitsofeachofthefourbytesinvolved.IfthesefourbyteshappentobeF0A00F0A=11110000101000000000111100001010,bit7is1,bit15is1,bit23is0,andbit31is0.Sotheresultinguint_flexis1100=1*8+1*4+0*2+0*1=12.