   
Chris Randle (Narny)
Posted on Saturday, Sep 24, 2005 - 6:07:

I was using Position Manager together with Find Hex Values. Not sure if my observations are bugs, user error or intended functionality.

WinHex 12.55 SR-4 specialist licence.

I opened 48 files using Open Folder and a file mask. Searched using Find Hex Values as follows:

Values: A0CC
No Wildcard, Search All, No offset, No block
All open windows
List search hits up to 1000
No ignore read errors

The search stopped at 1000 hits and I opened the position manager.

1) The majority of the hits were not 0xA0CC. I'm looking at highlights on 0xD430, 0x3030, 0x20A0, etc. Think this may be linked to 2) and 3), so the highlighted hits were within other files, not the one being viewed. So it's not a fault with Find, I think.

2) The position manager did not record the filename and extension in the hit results.

3) If I manually add a bookmark by highlighting a block of text within an open file, the filename and extension are not stored in the position manager. Hence, if I switch to another file, the same offset remains highlighted. This is also true if I highlight an offset within a drive or device, the same offset remains highlighted within any open files. Shouldn't the pos. manager distinguish between bookmarks made in devices and those made in files and, if in a file, then remember the filename?

4) If I give a bookmark a description, I don't see this as a tooltip when I hover over the highlight.
   
Stefan Fleischmann (Admin)
Posted on Saturday, Sep 24, 2005 - 11:32:

1) If you search in multiple windows at the same time, the general Position Manager lists all search hits in all windows.

3)
> Hence

The aforementioned fact is not the reason for the observation that follows.

> if I switch to another file, the same offset remains highlighted

The general Position Manager keeps a list of search hits and bookmarks globally.

> Shouldn't the pos. manager distinguish between
> bookmarks made in devices and those made in files and,
> if in a file, then remember the filename?

From your point of view it probably should, from my point of view it could. But then you would lose the reference to all hits and bookmarks when you merely rename a file or move it to another path, so that would not be an ideal solution either.

Possible solutions:

a) Do not open files via File | Open Folder, but open the disk instead and select the files in the directory browser. Then search these files logically, right-clicking them in the directory browser. The search hits will be collected relative to the disk (so there will be no "false" display of hits in the general Position Manager, as only one window is involved).

b) If you wish to maintain one Position Manager per object (where that object can be a file or disk, where the file can change its name or location; where the disk can change its number or drive letter; where the disk can later be replaced with an image file), do not add search hits and bookmarks to the general Position Manager, but to each object's individual Position Manager, you could create an ad-hoc case in the Case Data window (you could do that even if you do not refer to your current work as a "case", and that is feasible even without a forensic licence, you just could not re-open a previously saved case) and add each file as an evidence object to that case.

4) Is "Tooltips" ticked in the Position Manager's context menu? If so, please try unticking and reticking that menu item. If that does not help either, you could try initializing all settings (Help | Setup, and manually preserve a copy of your current winhex.cfg file if you like).
   
Chris Randle (Narny)
Posted on Tuesday, Oct 11, 2005 - 22:21:

Stefan,

Thank you for taking the trouble to provide such a detailed response to my questions. To take the easiest bits first:

4) The tooltips wasn't ticked in the Pos Mgr's context menu, so that now works great.

a) I like the logical searching through the disk, with the Pos Mgr remembering the file name. I can right-mouse-click on a result and open the search result as a file. Neat.

b) I had never thought to try using any forensic features, since I have only a specialist licence. The searching is very slick when you use a case. I must try not to get too fond of the features, or I'll have to buy a forensic licence!

Finally, just one observation about searching that I still find illogical. Others may not, or I may have missed something:

It seems odd that I can have a few unrelated files open, and search through all open windows for a few possible hex strings, asking to list search results, and yet when the results are presented, the search is only half found because I need to manually try each file against each result hit to see if there's a match.

In the above case, it's a lot more difficult to approach the problem from the "searching the disk solution", because the files have been opened in an ad-hoc manner, with no common folder or file type, etc.
   
Jens Kirschner
Posted on Thursday, Oct 13, 2005 - 20:20:

The oddity you describe likely results from using the general search hits: Every position marked in the general hit list will be highlighted in every window. This is where using a case and thus individual search hits really comes in handy.
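
The behaviour discussed in this thread, modelled as an added example that is not part of any post and is not WinHex code: a general hit list holds bare offsets, so replaying them in every open window highlights unrelated bytes, while a per-object list keeps each hit with its file. The file names and contents are constructed sample data, and the shared list is a simplified model.

```python
"""Added illustration (not WinHex code): general vs per-object search hit lists."""

PATTERN = bytes.fromhex("A0CC")  # the value searched for in the thread

# Constructed sample "open windows": name -> content (assumed data, not evidence)
OPEN_FILES = {
    "a.bin": bytes.fromhex("0000A0CC3030D430"),
    "b.bin": bytes.fromhex("D43030302020A0CC"),
    "c.bin": bytes.fromhex("A0CC20A0FFFFFFFF"),
}


def find_all(data: bytes, pattern: bytes) -> list[int]:
    """Return every offset at which pattern occurs in data (overlaps included)."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def per_object_hits(files, pattern):
    """One hit list per file: a hit is only ever shown in the file it came from."""
    return {name: find_all(data, pattern) for name, data in files.items()}


def global_hits(files, pattern):
    """One shared list of bare offsets, with no record of the source file."""
    return sorted({off for data in files.values() for off in find_all(data, pattern)})


def false_highlights(files, pattern):
    """Replay the shared offsets in every file; report highlighted non-matches."""
    wrong = []
    for name, data in files.items():
        for off in global_hits(files, pattern):
            shown = data[off:off + len(pattern)]
            if shown != pattern:
                wrong.append((name, off, shown.hex().upper()))
    return wrong


if __name__ == "__main__":
    print("per object:", per_object_hits(OPEN_FILES, PATTERN))
    print("general   :", global_hits(OPEN_FILES, PATTERN))
    for name, off, shown in false_highlights(OPEN_FILES, PATTERN):
        print(f"{name} @ {off}: highlighted {shown}, not A0CC")
```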