| Author | Message | ||
     Frederic COHEN SOLAL (Fredso) |
Hello, How can i do for search text when there is octets 00 beetwen each letter: exemple:I search SOURCE but in hexa i have 53 00 4F 00 55 00 52 00 43 00 45 is there any character ansi for 00? Fredric | ||
| Stefan Fleischmann (Admin) |
No, there isn't, in fact 0x00 usually terminates a text string. You could either make use of wildcards or search for the corresponding hex values instead. | ||
| Wayne Plumtree (Wayne384) |
Fredrik / Stefan I believe the text that Fredrik refers to is Unicode. Wayne | ||
| Stefan Fleischmann (Admin) |
Wayne, you are right. Frederic, if you are searching for Unicode strings (in this case obviously "SOURCE"), the best way is to just enter "SOURCE" and enable the option [x] Unicode character set. | ||
| Frederic COHEN SOLAL (Fredso) |
Stefan and Wayne ! OK!That runs very well! Thanks to you two Frederic In french "BON WEEK END" (!!!!) | ||
| Ross Johnson Username: ross_winpro_net Registered: N/A |
WinHex 13.7 SR-7 Search Menu Regarding both "Find Text" and "Find hex values". "Count occurrences" and "Search in Block only" become unavailable (i.e. grayed out) for an object when the object is added to a case. To use either "Count occurrences" or "Search in Block only" with an object added to a case, I can open separate internal objects (e.g. a file or free space) and then perform a count or search in a block. I cannot find a simple way to use "Count occurrences" or "Search in Block only" with the complete original object (once it has been added to a case). Is there a way to use either with the version of the object that is added to the case (as opposed to opening another version of the object external to the case)? BTW, when there happens to be a selected block at the time of the search, the grayed out "Search in block only" has a grayed out check mark added. Does this have any meaning? Such as the selected block will only be searched? Or perhaps skipped? (The search appears to be the same with or without the grayed out check mark.) Thank you, Ross@WinPro.net | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
No, there is no such way, but "Search in block only" will work for such evidence objects in the next version again. Please note that adding individual files to a case as evidence objects is not recommendable from our point view any more. | ||
| Ross Johnson Username: ross_winpro_net Registered: N/A |
> "Search in block only" will work for such evidence objects in the next version again. Thank you very much. > Please note that adding individual files to a case as evidence objects is not recommendable from our point view any more. Yes, the objects I was adding were volumes on physical drives, volumes within images and images of volumes (such as CD images). Those are the types expected (recommended), correct? > No, there is no such way, Darn, then I will skip citing examples of the need for "Count occurrences" and ask for an assessment of these work arounds: 1. I suppose a very good substitute for "Count occurrences" could be: Simultaneous Search using "List Hits", note the total, then delete the hits when done? This does not appear to be any slower than using "Count occurrences" on the same object (outside the case)? Plus multiple counts can be done "simultaneously". Plus it is logged in the case for the object. The only drawback I can think of is if the search term has already been used (e.g. for a selected block) and those results need to be retained, it could be much harder to distinguish and delete the new efforts. 2. In that case a second work around could involve a Refined Volume Snapshot using search terms as signatures, choosing byte level and a unique name prefix. Then in the DB the prefix can be sorted, selected, count noted, then deleted. 3. Script. But no automatic case log? 4. Use "Count occurrences" on the same object outside the case then somehow manually log it in the case? Any flaws in the above? Any other ideas anyone? Or should those work arounds cover all bases? Thank you, Ross@WinPro.net | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
> Those are the types expected (recommended), correct? Yes, plus physical media and images of the same and file containers. I recommend you simply do not add individual files to a case in the first place or un-associate them if already done. Then you can use these options again. | ||
| Brandon Warhurst Username: roboknight Registered: N/A |
Here is a question related to searching: I know I can search for something and save the bookmarks. However, what I'd like to know is if there is a way to separate the bookmarks across different files. I edit multiple files regularly and would like to be able to have a separate bookmark list for each opened file. I especially use this kind of thing when I'm searching for pieces of one file in another, larger file and of course all of the bookmarks for one file do not apply to the other file. It would be especially useful since I usually sweep out bytes to search for with the hex search and the items get automatically labeled with the hex value. So is there a way to separate these bookmarks into different lists? | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
This is all taken care of automatically if you work with a case and assign separate evidence objects to the case. Each evidence object has its own search hits and its own Position Manager. If the evidence object is a disk, partition or image of a disk or or partition, it will also be remembered which search hit is located in which individual file within the evidence object. If you do not work with a case, you can load and save entries in the Position Manager with the Position Manager's context menu. | ||
| Brandon Warhurst Username: roboknight Registered: 1-1997 |
Almost what I was looking for, but not quite. I guess I need to open a "case" to associate the Position Manager file name to the file tab I currently have open. I don't usually need to work in the "case" mode. I was hoping that each tab you had open could have a different "positions file", but it appears that all tabs use the same file. I guess if I remember to switch files then I get what I wanted. | ||
| Brandon Warhurst Username: roboknight Registered: 1-1997 |
Well, then here is a different question: What is the "filename" section for in the position manager? Does WinHex try to detect the filename that a "hit" belongs to if it understands the underlying file system? I can see how that would be a useful thing if I was analyzing regular file system dumps. However, I don't usually do that on a regular basis. I deal with more arcane file system dumps and it would be more useful to be able to use those things for something else, like tagging which tabs I've found something in. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
> Does WinHex try to detect the filename that a "hit" > belongs to if it understands the underlying file system? Yes, exactly, but that has been superseded by much more powerful search hit lists in the forensic edition. Only when working with a case, each evidence object and therefore each tab has its own Position Manager. |