X-Ways Forensics 16.3


Downloadable only for customers (instructions provided on purchase and here)
Evaluation version available to law enforcement, government, and companies on request. Please provide us with your full official address.
X-Ways Forensics comprises all the general and specialist features known from WinHex,
such as...
- Disk cloning and imaging
- Ability to read partitioning and file system structures inside raw
(.dd) image files, ISO and VHD images
- Complete access to disks, RAIDs, and images more than
2 TB in size (more than 2^32 sectors) with sector
sizes up to 8 KB
- Built-in interpretation of JBOD, RAID 0 and RAID 5 systems and
dynamic disks
- Native support for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4,
Next3®, CDFS/ISO9660/Joliet, UDF
- Viewing and dumping physical RAM* and the
virtual memory of running processes
- Various data recovery techniques, lightning
fast and powerful file carving
- Well maintained file header signature database based on
GREP notation
- Data interpreter, knowing 20 variable types
- Viewing and editing binary data structures
using templates
- Hard disk cleansing to produce forensically sterile media
- Gathering slack space, free space, inter-partition space, and generic
text from drives and images
- File and directory catalog creation for all computer media
- Easy detection of and access to NTFS alternate data streams (ADS)
- Mass hash calculation for files (CRC32, MD4,
ed2k, MD5, SHA-1, SHA-256, RipeMD, ...)
- Lightning fast powerful physical and logical search capabilities for many search terms at the
same time
- Recursive view of all existing and deleted files
in all subdirectories
- Automatic coloring for the structure of FILE
records in NTFS
- Bookmarks/annotations
- Runs in WinFE, the forensically sound bootable Windows
environment, e.g. for triage/preview, with limitations
- ...
...and then some:
- Superior, fast disk imaging with intelligent
compression options
- Ability to read and write .e01 evidence files
(a.k.a. EnCase images), optionally with real encryption (256-bit
AES, i.e. not mere “password protection”)
- Complete case management
- Automated activity logging (audit logs)
- Write protection to ensure data authenticity
- Remote analysis capability for drives in network can be added optionally
- Additional support for the filesystems
HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, many variants of UFS1 and UFS2
- Supported partitioning types: Windows dynamic disks (both MBR and GPT style)
and Apple, in addition to MBR, GPT (GUID partitioning), and unpartitioned (Superfloppy)
- Ability to copy relevant files to
evidence file
containers, where they retain almost all their original file
system metadata, as a means to selectively acquire data in the
first place or to exchange selected files with investigators,
prosecution, lawyers, etc.
- Very powerful main memory analysis for local RAM or memory dumps of
Windows 2000, XP, Vista, 2003 Server, 2008 Server, Windows 7
- Shows owners of files, NTFS file permissions,
object IDs/GUIDs, special attributes
- Convenient back & forward navigation from one
directory to another, multiple steps, restoring sort criteria,
filter (de)activation, selection
- Gallery view for pictures
- Calendar view
- File preview, seamlessly integrated viewer component
for 270+ file types
- Keeps track of which files were already viewed during the investigation
- Ability to examine e-mail extracted from Outlook (PST, OST), Exchange EDB, Outlook Express
(DBX), Mozilla (including Thunderbird), AOL PFC, generic
mailbox (mbox, Berkeley, BSD, Unix), Eudora, PocoMail, Barca,
Opera, Forte Agent, The Bat!, Pegasus, PMMail, FoxMail, maildir folders (local copies)
- Automatic extensive file type verification
based on signatures and specialized algorithms
- Ability to tag files and add notable files to report tables
- Automated reports that can be imported and further
processed by any other
application that understands HTML, such as MS Word
- Ability to associate comments about files for
inclusion in the report or for filtering
- Directory tree on the left, ability to explore
and tag directories including all their subdirectories
- Synchronizing the sectors view with the file
list and directory tree
- Powerful dynamic filters based on true file type,
hash set category, timestamps, file size, comments, report tables,
contained search terms, ...
- Ability to copy files off an image or a drive
including their full path, including or excluding
file slack, or file slack separately or only slack
- Compensation for NTFS compression effects and
Ext2/Ext3 block allocation logic in
file carving
- Automatic identification of encrypted MS
Office and PDF documents
- Finds pictures embedded in
documents (e.g. MS Office, PDF) automatically
- Skin color detection (e.g. a gallery view sorted by skin color percentage
greatly accelerates a search for traces of child pornography)
- Ability to extract still pictures from video files
in user-defined intervals, using MPlayer or Forensic Framer,
to drastically reduce the amount of data when having to check for
inappropriate or illegal content
- Internal viewer for Windows Registry files (all
Windows versions); automated and configurable powerful Registry report
- Viewer for Windows event log files (.evt,
.evtx), Windows
shortcut (.lnk) files, Windows Prefetch files, $LogFile,
$UsnJrnl, restore point change.log, ...
- Extracts metadata and internal creation
timestamps from various file types and allows filtering by them,
e.g. MS Office, OpenOffice, StarOffice, HTML, MDI, PDF, RTF,
WRI, AOL PFC, ASF, WMV, WMA, MOV, AVI, WAV, MP4, 3GP, M4V, M4A,
JPEG, BMP, THM, TIFF, GIF, PNG, GZ, ZIP, PF, IE cookies, DMP
memory dumps, hiberfil.sys, PNF, SHD & SPL printer spool,
tracking.log, ...
- Lists the contents of archives directly in
the directory browser, even in a recursive view
- Logical search, in all or selected
files/directories only, following fragmented cluster chains, in
compressed files, optionally decoding text in PDF, XML, ...
- Powerful search hit listings with context preview,
e.g. like “all search hits for the search terms A, B, and D in
.doc and .ppt files below \Documents and Settings with last
access date in 2004 that do not contain search term C”
- Search and index in both Unicode and various code pages
- Highly flexible indexing algorithm,
supporting solid compound words
- Logically combine search hits with an AND,
fuzzy AND, + and - operators
- Ability to export search hits as HTML,
highlighted within their context, with file metadata
- Detection of host-protected areas (HPA), a.k.a. ATA-protected areas
- Match files against the lightning-fast internal hash database
- Ability to import NSRL RDS 2.x, HashKeeper, and ILook
hash sets
- Create your own hash sets
- Ability to decompress entire hiberfil.sys
files and individual xpress chunks
- X-Tensions API
(programming interface) to add your own functionality or
automate existing functionality
- Interface for external analysis programs such
as DoublePics that for example can recognize known pictures
(even if stored in a different format or altered!) and can
return the classification (“CP”, “relevant”, “irrelevant”) to
X-Ways Forensics
- [...]
X-Ways Forensics is available at a
very affordable price. It is always updated whenever WinHex is updated as
well.
X-Ways Forensics is protected with a dongle.
Special rates available for
licenses for disk imaging only. Reduced and simplified user interface
available for investigators that are not forensic computing
specialists, at half the price: X-Ways Investigator