Computer Forensics, Investigations and Security
X-Ways Forensics - advanced computer forensics and data recovery software for computer investigative specialists in private enterprise and law enforcement.
Marketed by X-Ways Software Technology AG.
In A Nutshell
X-Ways Forensics, the forensic edition of WinHex, is a powerful and affordable integrated computer forensics environment with numerous forensic features, rendering it a powerful disk analysis tool: capturing free space, slack space, inter-partition space, and text, creating a fully detailed drive contents table with all existing and deleted files and directories and even alternate data streams (NTFS), Bates-numbering files, and more. Picture gallery, file preview, calendar/timeline display. Also serves as a low-level disk imaging and cloning tool that creates true mirrors (including all slack space) and reads most drive formats and media types, and supports drives and files of virtually unlimited size (even terabytes on NTFS volumes!).
X-Ways Forensics and WinHex can natively interpret and show the directory structure on FAT, NTFS, Ext2/3, Reiser, CDFS, and UDF media and image files. They perform safe recoveries on hard disks, memory cards, flash disks, floppy disks, ZIP, JAZ, CDs, DVDs, and more. Several automated file recovery mechanisms are incorporated, and data can also be recovered conveniently by hand. WinHex provides sophisticated, flexible and lightning-fast simultaneous search functions that you may use to scan entire media (or image files), including slack, for deleted files, hidden data and more. Via physical access, this can be accomplished even if a volume is undetectable by the operating system, e.g. due to an unknown or a corrupt file system.
Some Of The Features In More Detail
- Disk Editor, File Editor, RAM Editor
WinHex is an advanced binary editor that provides access to all files, clusters, sectors, bytes, nibbles, and bits inside your computer. It supports virtually unlimited file and disk sizes up to the terabyte region (thousands of gigabytes)! Memory usage is minimal. Speed of access is top-notch.
- Directory Browser for FAT, NTFS, Ext2/Ext3, ReiserFS,
Similar to and as easy to use as the Windows Explorer's right-hand list. This browser lists existing as well as deleted files and directories, with all details. It lets you list cluster chains, navigate to files and directories in the disk editor, and copy files off the drive. Works on image files and partitions even if they are not mounted in Windows, thanks to native file system support!
- Disk Cloning/Disk Imaging under DOS and Windows
WinHex produces sector-wise copies of most media types, either to other disks (clones, mirrors) or to image files, using physical or logical disk access. The copies are forensically sound: they include all slack space and all free space. This is very important for forensic examiners because it allows them to work on the copy. Image files can optionally be compressed or split into independent archives. WinHex can silently generate log files that will note any damaged sector it encounters during cloning. All readable data will make it into the mirror. WinHex lets you check the integrity and authenticity of image files before restoring them.
Besides, a DOS-based hard disk cloning and imaging tool, X-Ways Replica, is included. Most Windows environments tend to access a newly attached drive without asking, thereby e.g. altering the last access dates of some files. This is avoided under DOS. Requires a specialist or forensic license.
- Data Recovery
With its sophisticated disk editor, WinHex not only provides for manual file recovery. WinHex is also able to automatically recover files and even entire nested directory structures. There are several data recovery mechanisms integrated:
1. File Recovery by Name: Simply specify one or more file masks (like *.gif, Smith*.doc, etc.) and have WinHex do the rest. Works on FAT12, FAT16, FAT32, and NTFS.
2. File Recovery by Type: WinHex can recover all files that can be recognized by a certain file header signature (e.g. JPEG files, MS Office documents). This works on practically all file systems.
3. With the above-mentioned directory browser you can conveniently and selectively recover listed files and directories.
4. There is a special automatic recovery mode for FAT and NTFS drives, accessible via the Access button menu.
- Partition Recovery/Boot Record Recovery
WinHex lets you edit FAT12, FAT16, FAT32, and NTFS boot sectors as well as partition tables using tailored templates.
- Hard Drive Cleansing/Disk Wiping
WinHex can quickly fill every sector of a disk with zero bytes (or in fact any byte pattern you like, even random bytes), as often as you like (to maximize security). This effectively removes any traces of files, directories, viruses, proprietary and diagnostic partitions, etc., and renders a disk forensically clean. Works in accordance with the standard outlined in DoD 5220.22-M (for details, please see this white paper).
WinHex can also securely erase specific files or unused space on a drive only. Besides, you can fill sectors with a byte pattern that stands for an ASCII string such as Bad Sector on the destination disk before cloning: This will make those parts of the destination disk easily recognizable that have not been overwritten during cloning because of unreadable (physically damaged) source sectors or because of a smaller source drive. (Alternatively, unreadable source sectors can be written as zero-filled sectors on the destination disk.)
- File Slack Capturing
Slack space occurs whenever a file's size is not evenly divisible by the cluster size (which is practically always the case). The unused end of the last cluster allocated to a file still contains traces of other, previously existing files, and often reveals leads and evidence. WinHex gathers slack space into a file, so you can examine it conveniently and coherently. Works on FAT12, FAT16, FAT32, and NTFS. Tools | Specialist Tools | Gather Slack Space. Requires a specialist or forensic license.
Unused clusters, currently not allocated to any file or directory, may also still contain traces of other, previously existing files. WinHex can gather free space into a file, too, for later examination. Works on FAT12, FAT16, FAT32, and NTFS. Tools | Specialist Tools | Gather Free Space. Requires a specialist or forensic license.
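To make the slack-space and free-space arithmetic above concrete, here is an added example that is not WinHex code or part of this page. It assumes a constructed volume with a 512-byte cluster size (chosen small so the numbers are readable; real FAT/NTFS volumes usually use 4 KiB or larger) and a flat byte array standing in for the data area. A deleted file's bytes are left in place, a smaller file is allocated over the same first cluster, and the slack of the new file and the unallocated clusters are then gathered exactly as the two paragraphs describe.

```python
import math

CLUSTER_SIZE = 512  # constructed value for the demo; real volumes differ


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the end of the file's data and the end of its last cluster."""
    if file_size == 0:
        return 0  # no cluster allocated, so no slack to gather
    allocated = math.ceil(file_size / cluster_size) * cluster_size
    return allocated - file_size


def build_volume(num_clusters, cluster_size=CLUSTER_SIZE):
    """Flat data area of num_clusters clusters, all zero (a freshly wiped disk)."""
    return bytearray(num_clusters * cluster_size)


def write_file(volume, first_cluster, data, cluster_size=CLUSTER_SIZE):
    """Store file data starting at first_cluster. Like a real file system, only
    the bytes the file actually occupies are written; the slack is untouched."""
    start = first_cluster * cluster_size
    volume[start:start + len(data)] = data


def gather_slack(volume, files, cluster_size=CLUSTER_SIZE):
    """files: list of (name, first_cluster, size) for contiguously stored files.
    Returns a list of (name, slack_offset, slack_bytes) tuples."""
    gathered = []
    for name, first_cluster, size in files:
        n = slack_bytes(size, cluster_size)
        if n == 0:
            continue
        end_of_data = first_cluster * cluster_size + size
        gathered.append((name, end_of_data, bytes(volume[end_of_data:end_of_data + n])))
    return gathered


def gather_free_space(volume, files, num_clusters, cluster_size=CLUSTER_SIZE):
    """Concatenate every cluster not allocated to any listed file."""
    allocated = set()
    for _, first_cluster, size in files:
        allocated.update(range(first_cluster, first_cluster + math.ceil(size / cluster_size)))
    return b"".join(
        bytes(volume[c * cluster_size:(c + 1) * cluster_size])
        for c in range(num_clusters)
        if c not in allocated
    )


def demo():
    num_clusters = 8
    vol = build_volume(num_clusters)
    # Step 1: an older file once occupied clusters 2 and 3 and was deleted.
    # Deletion only frees the allocation; the bytes stay on disk.
    old = b"old report draft: project Orion figures\r\n" * 30  # constructed content
    write_file(vol, 2, old[:2 * CLUSTER_SIZE])
    # Step 2: a new 95-byte file is allocated cluster 2. Its data covers the
    # first 95 bytes; bytes 95..511 of that cluster are now its slack.
    new = b"notes.txt contents " * 5
    files = [("notes.txt", 2, len(new))]
    write_file(vol, 2, new)
    return gather_slack(vol, files), gather_free_space(vol, files, num_clusters)
```

Running `demo()` yields one slack record for notes.txt starting at offset 1119 (cluster 2 times 512 plus 95 bytes) with 417 bytes of the deleted report, and 7 free clusters (3584 bytes) whose cluster 3 still holds the rest of it. The slack gathered this way is meaningful evidence precisely because the file system never zeroes it; gathering it into one file is what makes it searchable.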
- Inter-Partition Space Capturing
Gathers all space on a hard disk that does not belong to any partition in a file, for quick inspection to find out if something is hidden there or left from a prior partitioning. Tools | Specialist Tools | Gather Inter-Partition Space. Requires a specialist or forensic license.
- Text Capturing
Recognizes and gathers text from a file, a disk, or a memory range into a file. This kind of filter is useful to considerably reduce the amount of data to handle, e.g. if a forensic examiner is looking for leads in the form of text, such as e-mail messages, documents, etc. The target file can easily be split at a user-defined size. Requires a specialist or forensic license.
- Disk Catalog Creation
Create a table of existing and deleted files and directories, with user-configurable information such as attributes, all available date & time stamps, size, number of first cluster, hash codes, NTFS alternate data streams (which may contain hidden data), etc. Extremely useful for systematically examining the contents of a disk. Lets you limit the search to files of a certain type using a filename mask (e.g. *.jpg). The resulting table can be imported and further processed by databases or MS Excel. Sorting by date & time stamps gives a good overview of what a disk has been used for at a certain time. E.g. the NTFS attribute "encrypted" might quickly reveal which files may turn out to be the most important ones in a forensic analysis. Requires a specialist or forensic license.
- Media Details Report
Shows information about the currently active disk or file and lets you copy it, e.g. into a report you are writing. Most extensive on physical hard disks, where details for each partition and even unallocated gaps between existing partitions are pointed out.
- Interpret Image File As Disk
Treats a currently open and active disk image file as either a logical drive or physical disk. This is useful if you wish to closely examine the file system structure of a disk image, extract files, etc. without copying it back to a disk. If interpreted as a physical disk, WinHex can access and open the partitions contained in the image individually as known from "real" physical hard disks.
WinHex is even able to interpret spanned image files, that is, image files that consist of separate segments of any size. For WinHex to detect a spanned image file, the first segment may have an arbitrary name and a non-numeric extension or the extension ".000". The second segment must have the same base name, but the extension ".001", the third segment ".002", and so on. The DOS cloning tool X-Ways Replica is able to image disks and produce such file segments. This is useful because the maximum file size supported by FAT16 and FAT32 is 2 GB or 4 GB, respectively.
- Data Interpreter
Knows all integer types, floating-point types, date formats, assembler opcodes, and more, and converts in both directions.
- Data Analysis
Find out what kind of binary data you are dealing with.
- Binary Search/Text Search
Search for any data you can imagine, specified in hexadecimal, ASCII, or EBCDIC, in both directions, even generic text passages hidden within binary data. WinHex can either stop at each occurrence, or simply log the results, aborting only when prompted or if the end of disk is encountered. This is particularly useful for locating certain keywords for investigative purposes. WinHex can also ignore read errors during searches, which proves useful on physically damaged media. On a disk, WinHex searches in allocated space, slack space, and erased space.
Tools | Specialist Tools | Simultaneous Search. A parallel search facility that lets you specify a virtually unlimited list of search terms, one per line. The search terms are searched for simultaneously, and their occurrences can be archived either in the Position Manager or in a tab-delimited text file, similar to the disk catalog, which can be further processed in MS Excel or any database. WinHex will save
- the offset of each occurrence,
- the search term,
- the name of the file or disk searched, and
- in the case of a logical drive the cluster allocation as well! (i.e. the name and path of the file that is stored at that particular offset, if any)
That means you are now able to systematically search through an entire hard drive in a single pass for words like
- (street synonym #1 for cocaine)
- (street synonym #2 for cocaine)
- (street synonym #3 for cocaine)
- (street synonym #3 for cocaine, alternative spelling)
- (name of dealer #1)
- (name of dealer #2)
- (name of dealer #3)
at the same time! This will narrow down the examination to a list of files upon which to focus. If you don't want WinHex to archive the occurrences, you may use the F3 key to continue the search. Requires a specialist or forensic license.
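The single-pass, multi-term search with cluster-to-file attribution described above, as an added example that is not WinHex code or part of this page. It assumes a constructed 512-byte cluster size, a constructed four-cluster volume, and a constructed allocation map (cluster number to file path) standing in for the file system's allocation information; the output columns mirror the four items WinHex is said to record (offset, term, source, owning file).

```python
import re

CLUSTER_SIZE = 512  # constructed value; real volumes commonly use 4 KiB clusters


def build_search_pattern(terms):
    """One compiled alternation that finds every term in a single pass over the
    data. Longer terms are tried first so an alternative spelling that is a
    prefix of another term does not shadow it. Case-insensitive like a typical
    keyword search."""
    alternatives = sorted(set(terms), key=len, reverse=True)
    return re.compile(b"|".join(re.escape(t) for t in alternatives), re.IGNORECASE)


def cluster_owner(offset, allocation, cluster_size=CLUSTER_SIZE):
    """Map a byte offset to the file that owns its cluster (None if unallocated,
    i.e. the hit lies in free space)."""
    return allocation.get(offset // cluster_size)


def simultaneous_search(data, terms, allocation, source_name):
    """Scan data once for all terms; record offset, matched term, the name of
    the searched source and the owning file for each occurrence."""
    pattern = build_search_pattern(terms)
    hits = []
    for m in pattern.finditer(data):
        hits.append({
            "offset": m.start(),
            "term": m.group(0).decode("latin-1"),
            "source": source_name,
            "file": cluster_owner(m.start(), allocation),
        })
    return hits


def to_tab_delimited(hits):
    """Tab-delimited table in the style of the disk catalog, for a spreadsheet
    or database import."""
    lines = ["offset\tterm\tsource\tfile"]
    for h in hits:
        lines.append(f"{h['offset']}\t{h['term']}\t{h['source']}\t{h['file'] or '(unallocated)'}")
    return "\n".join(lines)


def demo():
    # Constructed volume: four 512-byte clusters with three planted keyword hits.
    vol = bytearray(4 * CLUSTER_SIZE)
    vol[10:21] = b"Keyword One"        # cluster 0, allocated to memo.txt
    vol[1064:1075] = b"keyword two"    # cluster 2, not allocated to any file
    vol[1539:1550] = b"KEYWORD ONE"    # cluster 3, allocated to ledger.xls
    allocation = {
        0: "\\Docs\\memo.txt",
        1: "\\Docs\\memo.txt",
        3: "\\Docs\\ledger.xls",
    }
    terms = [b"keyword one", b"keyword two"]
    hits = simultaneous_search(bytes(vol), terms, allocation, "drive D: (constructed)")
    return hits, to_tab_delimited(hits)
```

The point of attributing each hit to a cluster owner is the "narrow down" step in the text: the third column of the table is the list of files to focus on, while a hit whose cluster is unallocated tells the examiner the keyword survives only in free space (a deleted file). A regular-expression alternation is a simple stand-in for the multi-pattern matcher a tool like WinHex would use; for thousands of terms an Aho-Corasick automaton does the same job in one pass with better scaling.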
- Bates-Numbering Files
Bates-numbers all the files within a given folder and its subfolders for discovery or evidentiary use. A prefix (up to 13 characters long) and a unique serial number are inserted between the filename and the extension in a way attorneys traditionally label paper documents for later accurate identification and reference. Requires a specialist or forensic license.
- Scripting
Using tailored scripts you are able to automate routine steps in your investigation. For example, you may want to concatenate searches for various keywords, or repeatedly save certain clusters into files on other drives, or execute any long-running or toilsome operations while you are absent.
- Position Manager
Save logged occurrences of search strings or otherwise important addresses within files or disks as bookmarks for later use. Archive bookmark collections as dedicated position files or export them as HTML tables (for use in MS Excel etc.).
- Checksums, CRC16, CRC32, MD5, SHA-1, SHA-256, PSCHF
WinHex can calculate several kinds of hash values of any file, disk, partition, or any part of a disk, even 256-bit digests, for the most suspicious ones. In particular, the MD5 message digest algorithm (128-bit) is incorporated, which produces commonly used unique numeric identifiers (hash values). The hash value of a known file can be compared against the hash value of an unknown file on a seized computer system. Matching values indicate with statistical certainty that the unknown file on the seized system has been authenticated and therefore does not need to be further examined.
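The hashing workflow in this paragraph (digest of a whole file or of any byte range of a disk, then comparison against a reference hash set), as an added example that is not WinHex code or part of this page. It assumes Python's standard hashlib, a constructed sample file, and a constructed reference set; the classification labels "known-good", "known-bad" and "unknown" are my naming, not a WinHex feature.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_range(path, offset=0, length=None, algorithms=ALGORITHMS, chunk=1 << 20):
    """Hash bytes [offset, offset+length) of a file (or a raw device node opened
    read-only) in one pass, computing all requested digests at once so the media
    is read only a single time. length=None hashes through to the end."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        f.seek(offset)
        remaining = length
        while remaining is None or remaining > 0:
            want = chunk if remaining is None else min(chunk, remaining)
            block = f.read(want)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            if remaining is not None:
                remaining -= len(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(digests, known_good, known_bad, algorithm="md5"):
    """Look the digest up in reference hash sets: a match in the known-good set
    means the file is authenticated and need not be examined further; a match
    in the known-bad set flags it; anything else is unknown and stays in scope."""
    value = digests[algorithm]
    if value in known_bad:
        return "known-bad"
    if value in known_good:
        return "known-good"
    return "unknown"


def demo():
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")  # constructed file
        with open(sample, "wb") as f:
            f.write(b"xxabcyy")
        whole = hash_range(sample)                     # the entire file
        part = hash_range(sample, offset=2, length=3)  # just the bytes "abc"
        known_good = {part["md5"]}                     # constructed reference set
        return whole, part, classify(part, known_good, set()), classify(whole, known_good, set())
```

In `demo()`, hashing only the three-byte range reproduces the well-known digests of "abc", so that slice classifies as known-good while the whole file remains unknown. Reading the input in 1 MiB chunks is what makes the same function usable on a multi-gigabyte image or a partition rather than only on small files.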
The operation of creating exact duplicates of one media on another media of the same type is called disk cloning. The duplicate is also referred to as a mirror or a physical sector copy. Disk imaging is the term given to creating an exact copy of a disk in form of an image file. This image file can be stored on different media types for archiving and later restoration. Both forensically sound cloning and imaging are essential for data recovery and computer investigative purposes.
- Risk-Free Work
In a data recovery scenario, it is mandatory to know that working on damaged media directly can, and often does, result in the compounding of physical damage and/or corruption of the logic. Using WinHex to clone or image a disk enables you to work aggressively on a mirror without the possibility of making matters worse.
- Investigative Analysis/Discovery
In the realm of computer forensics, there is no alternative to disk cloning/imaging. An investigator must clone a disk before starting the analysis. Cloning/imaging ensures that the original media is unchanged, both by checksum and digest (MD5) confirmation, and the evidentiary procedure is uncorrupt.
- Disk Spanning
When imaging to a file, if the target media is smaller than the image file, you may prefer to pre-set a volume size. E.g. when using CD-Rs to store an image you can indicate a 650 MB volume size. This allows you to burn the individual volumes created by WinHex using your regular burning software.
You can recreate an entire image or any portion of that image. For instance, if you ever wish to restore only the boot sector of a drive, you can extract only this sector without having to wait for the entire image to restore.
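The three related mechanisms above (the .000/.001/.002 segment naming rule for spanned images, imaging to a pre-set volume size, and restoring a single sector instead of the whole image) as one added example that is not WinHex or X-Ways Replica code and not part of this page. It assumes a constructed 4 KiB "disk image" written to a temporary directory, a constructed 1500-byte volume size so that a sector straddles a segment boundary, and 512-byte sectors; `SpannedImage` is my name, not a WinHex API.

```python
import os
import tempfile


def split_image(image_path, volume_size, out_dir, base_name):
    """Write image_path as base_name.000, base_name.001, ... with at most
    volume_size bytes per segment (the 'pre-set volume size' when the target
    media is smaller than the image). Returns the segment paths in order."""
    segments = []
    with open(image_path, "rb") as src:
        index = 0
        while True:
            chunk = src.read(volume_size)
            if not chunk:
                break
            path = os.path.join(out_dir, f"{base_name}.{index:03d}")
            with open(path, "wb") as seg:
                seg.write(chunk)
            segments.append(path)
            index += 1
    return segments


def find_segments(first_segment):
    """Apply the naming rule: the first segment may carry any extension (or
    .000); every further segment shares the base name with .001, .002, ... and
    the sequence ends at the first missing number."""
    base, _ = os.path.splitext(first_segment)
    segments = [first_segment]
    index = 1
    while os.path.exists(f"{base}.{index:03d}"):
        segments.append(f"{base}.{index:03d}")
        index += 1
    return segments


class SpannedImage:
    """Present the segments as one contiguous byte stream (hypothetical helper)."""

    def __init__(self, first_segment):
        self.segments = find_segments(first_segment)
        self.sizes = [os.path.getsize(p) for p in self.segments]
        self.total = sum(self.sizes)

    def read(self, offset, length):
        """Read a byte range, assembling it across segment boundaries."""
        if offset < 0 or offset + length > self.total:
            raise ValueError("range outside the spanned image")
        out = bytearray()
        seg_start = 0
        for path, size in zip(self.segments, self.sizes):
            seg_end = seg_start + size
            if offset < seg_end and offset + length > seg_start:
                lo = max(offset, seg_start) - seg_start
                hi = min(offset + length, seg_end) - seg_start
                with open(path, "rb") as f:
                    f.seek(lo)
                    out += f.read(hi - lo)
            seg_start = seg_end
            if seg_start >= offset + length:
                break
        return bytes(out)

    def sector(self, number, sector_size=512):
        """Extract a single sector (e.g. sector 0, the boot sector) without
        restoring the whole image."""
        return self.read(number * sector_size, sector_size)


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed image: eight 512-byte sectors, sector n filled with byte n.
        data = b"".join(bytes([n]) * 512 for n in range(8))
        image = os.path.join(d, "evidence.img")
        with open(image, "wb") as f:
            f.write(data)
        segments = split_image(image, 1500, d, "evidence")
        img = SpannedImage(segments[0])
        return (len(segments), img.total, img.sector(0)[:4],
                img.read(1496, 8), img.read(0, len(data)) == data)
```

With a 1500-byte volume size the 4096-byte image becomes three segments (1500, 1500 and 1096 bytes); the read at offset 1496 spans the first boundary and still returns eight bytes of sector 2, and reassembling the full range reproduces the original image byte for byte. Checking that round trip (ideally with a digest of the original, as the page recommends before restoring) is the practical integrity test for a spanned image.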
Version 11.1 is great. You continue to improve upon an already exemplary product and maintain excellent user support. I wish other software producers were in your league. I operate a computer forensic/electronic evidence business and use your product in all my cases almost without exception as a standard first line examination tool. The integration with Windows Explorer enables me to open many files quickly and conveniently under Winhex to quickly assess what I have. A great, reliable and bug free product.
Jeffrey R. Gross - President
Computer Forensic Associates, Inc.
Electronic Evidence Specialists
Investigations, Recovery, Analysis & Consulting
As a professional forensics examiner, I have used Winhex as a forensics instrument in recovering and analyzing digital information. I have tested and validated the professional version and it has proved to be accurate and trustworthy in its reporting. I have the highest level of confidence in WinHex's efficacy in digital forensics cases. I am confident that the tool and my use of this instrument would stand legal review and opposing challenge.
I have given past expert reports and testimony based on my personal use of Winhex Professional in litigation which involves several significant civil matters. These include investigations dealing with Enron Corporation, Andersen Consulting, NewPark Drilling and ATMOS energy. I have also used Winhex in several criminal forensics matters here in the US in Texas, Oklahoma, District of Columbia and Federal cases.
Larry Leibrock, Ph. D.
Founder and CTO of eForensics® LLC
Digital Forensics Examinations
Experienced Court Appointed Special Master
Enterprise Server/Network Investigations
Information Technologies Risk Assessments and Penetration Studies