WinHex/X-Ways Forensics: Installation Details
The following information shall help you tailor your
installation of WinHex/X-Ways Forensics or automate the installation
on multiple machines (e.g. in a network). Please consider the
license agreement and
the number of licenses purchased.
WinHex and X-Ways Forensics can be run
under Windows XP/Vista/Server 2003/7/Server 2008/8/Server 2012, 32-bit and 64-bit. No testing has been done under
Windows 2000 for 10 years or so, and compatibility with Windows 98/Me version has been lost
gradually since around v12/v13. The last version to run on Windows 3.1x was v7.54. Old versions are
available to registered users on request.
Forensics/X-Ways Investigator are not resource hungry at all! You can
execute these programs on old computers running Windows XP, with just 256 MB
RAM and 1 GB free hard disk space. With just 512 MB RAM you can already open
and analyze volumes with around 5 million files! (It will not be fast, but
it works.) Good to know if you ever
have to run it on live systems that you encounter on site, to preview them.
The following are tips for higher
performance and processing huge amounts of files, in no particular order:
The higher the processor frequency,
2 processor cores are better than 1, 4
better than 2, in many situations. More than 4 will be used in special
situations such as during disk imaging.
On a terminal server with multiple
users or generally when running multiple instances on the same machine, even more cores and more RAM make sense, also for the 32-bit
Use a 64-bit Windows version. If a
32-bit version, run Windows with the /3GB switch.
Use > 4 GB of RAM. 4 GB can be
addressed directly by the 32-bit edition of X-Ways Forensics under 64-bit Windows, 3 GB under 32-bit Windows.
More RAM still helps indirectly thanks to caching in Windows. The 64-bit edition can use more memory directly, of course.
The more RAM can be used directly, the larger volume snapshots are
supported (i.e. evidence objects with millions of files), the more
evidence objects with large volume snapshots can be open at the same
time, the more data of a volume snapshot can be held in memory and the
more search hits can be maintained.
With the 32-bit edition of X-Ways
Forensics 16.4, analyzing a partition with for example 25 million objects (files and
directories) is no problem as long as you are using a 64-bit Windows.
For even bigger volume snapshots or if you would like to keep several
evidence objects with such big volume snapshots open at the same time,
please rather use the 64-bit edition of X-Ways Forensics.
Under low memory conditions with large volume snapshots, have
XWF keep less data in memory (see Volume Snapshot Options) and
don't open many evidence objects that contain many files at the same
time if you don't have to (volume snapshot refinements and simultaneous
searches can open the evidence objects themselves on demand when needed,
except for Windows dynamic disks or Linux LVM2 disks with spanned
volumes, and automatically close them again).
Do not permanently and unnecessarily
collect millions of search hits. If you get too many search hits with
too unspecific search terms, delete search hits that you don't need any
more, to free up memory.
If possible, don't store cases and images on the
If possible, don't store temporary
files and images on the
Use faster disks, with a higher data
transfer rate and quicker access.
Store images on a RAID instead of on a
disk, for a higher transfer rate.
Avoid using media that are connected
Format your own volumes with NTFS, not
Don't use NTFS encryption (EFS) or
Use a large cluster size such as 16 KB
or more for the volume that will hold your images.
Don't use compressed .e01 evidence
files created with tools other than X-Ways Forensics (avoid normal or
Avoid an active virus scanner in the
background if you can.
v15.9 and earlier only: Don't select all file types for file
carving (file header signature search) if you don't have to.
For simultaneous searches with 4 or
more keywords, use v15.9 or later.
For indexing, don't include more
characters and shorter or longer word lengths than absolutely necessary.
Don't index substrings unless absolutely necessary.
|Differences between WinHex and
X-Ways Forensics, co-existence between both programs
X-Ways Forensics share the same code base. X-Ways Forensics offers numerous additional features over
WinHex with a license. With a license for X-Ways Forensics, you can
alternatively also use WinHex with the same license (and the same dongle).
Both programs then offer the same full forensic feature set and are identical except for the following:
- WinHex (winhex.exe) always identifies itself as WinHex
in the user interface, X-Ways Forensics (xwforensics.exe) as X-Ways
Forensics. The program help and the manual, however, statically refer to
"WinHex" in most cases.
- winhex.exe is available as a separate download for
users of X-Ways Forensics as an add-on. When adding winhex.exe to an
X-Ways Forensics installation, the versions must match, which is safe to
assume if both were downloaded at the same time.
- In X-Ways Forensics, disks, interpreted image files,
virtual memory, and physical RAM are strictly opened in view mode
(read-only) only, to enforce forensic procedures, where no evidence must
be altered in the slightest. This strict write protection of X-Ways
Forensics ensures that no original evidence can possibly be altered
accidentally, which can be a crucial aspect in court proceedings. Only
when not bound by strict forensic procedures and/or when in need to work
more aggressively on disks or images (e.g. you have to repair a boot
sector) then you could run WinHex instead. With WinHex you can edit disk
sectors and wipe entire hard disks, free space, or slack space.
- The WinHex API can
only be used in conjunction with WinHex.
It is not necessary to
install WinHex/X-Ways Forensics/X-Ways Investigator using the supplied setup.exe program. This
installation program only copies the shipped files to the destination folder (plus all
.whx files it finds), sets the desired language (English, German, French, Spanish,
Italian, or Portuguese), and creates a program shortcut in the start menu. All other
settings are initialized by winhex.exe/xwforensics.exe itself.
WinHex/X-Ways Forensics/X-Ways Investigator is a fully portable application
that can be executed from a USB stick on any computer without any
When updating an existing
installation of a non-dongled based products, the setup program will warn you in case the new version would no longer
accept the existing license codes, before actually overwriting the existing
(v17.0 and later)
file contains the settings (options, filters, paths, ...). It is created by
WinHex/X-Ways Forensics/X-Ways Investigator automatically when run for the
first time, and maintained either in the installation directory, or in a
user-specific subdirectory like \AppData\Local\X-Ways in the user profile if
1) WinHex.cfg already exists in that directory, 2) the installation
directory is located on the C: drive and is write-protected for the user or 3) a file named winhex.user
is present in the installation directory. If only a generic file WinHex.cfg exists
(in the installation directory), not a user-specific one, yet usage of
individual configurations is suggested by 2) or 3), the generic file will be used
to initialize all users' settings who do not have an individual WinHex.cfg file. If no configuration
file is found at all, the configuration is initialized with default values
that may be language-specific. The default language is English. To
force WinHex/X-Ways Forensics to initialize itself with a different language, create an
empty file named winhex.ger, winhex.fr, winhex.esp, winhex.ita, or
winhex.por in the installation directory. By default, WinHex/X-Ways
Forensics/X-Ways Investigator store all data in the directory where the .exe
file is located so that the program is fully portable and prevent
unnecessary alteration of the system that is examined. You can create an
empty file named winhex.user to enforce user-specific configurations.
(v16.9 and older)
file is located either in the installation directory or in a subdirectory of
the virtual store (32-bit edition only, under Windows Vista and newer). The
optional insertion of the username (supported as of v13.2 SR-5) guarantees that
different users can share the same installation but have individual
settings. Note that there must be a space character before the username. If a generic file WinHex.cfg
exists (i.e. without a username), that file will be used instead for all
users who do not have an individual .cfg file. If no configuration file is
found at all, the configuration is initialized with default values. To force WinHex/X-Ways
Forensics to use user-specific configuration files, create an empty file
named winhex.user in the installation directory (as of v16.9 SR-1).
(v9.5 and later)
Alternatively, each user can have an individual configuration
(own case folder, own folder for image files, and all other settings) in
his/her system registry. That way the usage of the WinHex*.cfg files
is avoided altogether.
To that end, simply create an empty file named winhex.rgt in
the installation folder. If this file is found during startup, WinHex reads the configuration
from the local registry instead of a .cfg file. Only if the local registry key does not yet exist, WinHex
tries to read an existing winhex [username].cfg file in the
installation folder. If this file does
not exist either, WinHex starts with initialized settings. At any rate, if a file winhex.rgt
is found when exiting, WinHex writes the configuration to the local registry.
The registry configuration feature is available as of
different versions and configurations
versions may be installed in different directories at the same time and have
their own configurations. Also multiple installations of the same version in
different directories are possible, to run different configurations. Note
that in both cases to ensure different configuration, if the configuration
is user-specific, multiple installations must be contained in directories of
versions may be copied/installed over older versions, but never the other way around.
WinHex wird a forensic license and X-Ways Forensics (if exactly the same
release) may and shall share the same installation directory and use many
identical files. The 32-bit and the 64-bit edition (if exactly the same
release) may and shall also share the same installation directory.
|Case Data Storage
Knowing about what is
stored in which file using which storage technology enables you to optimize your backup strategy and may
allow you to partially or fully recover your case if you suffer
from data loss (e.g. your case file or volume snapshot becomes corrupt). For example, if you spent a long time already refining the
volume snapshot, tagging and adding comments to files, and then the main
.xfc case file is lost, you can create a new case, add the same images
again, and then behind XWF's back (when it's not running or that
case is not open or at least the evidence object is not open) replace the
files the "_" subdirectory of the evidence object(s) with those from the original case to restore the volume
snapshots, comments and tagmarks.
|Name in v16
||Name in v17
||main volume snapshot data (e.g. file size, file
ID, type status, attributes, tagged status, already viewed status,
...) always in memory
|Volume Files 2.dir
||main volume snapshot data (e.g. start sector
number, hard link count, skin color percentage, ...), optionally
held in memory
|Volume Files 3.dir
||main volume snapshot data (timestamps),
optionally held in memory
||NTFS compression, *
||allocation of the clusters of the file system to
||file types encountered
||references into SenRec.dir, data runs for certain
recovered files, and more
||names of files and directories
|Volume Hash Values.dir
||hash set matches
||metadata extracted from the file contents
|Volume Search Hits.dir
||event main data (timestamps, type of event,
corresponding file in the volume snapshot)
||event variable length text
||decoded text from various files for logical
searches and indexing
||NTFS compression, *
||bitmap of clusters by which free space is
||Temporary preallocation to prevent fragmentation,
||extracted files (e-mail messages, attachments,
video stills, attached files)
||NTFS sparse, *
||NTFS sparse, *
||sender and recipients of e-mail encountered in
|.xfc case file
||.xfc case file
||everything else, e.g. report table names, report
table associations, evidence objects properties, search terms that
the search hits relate to, ...
*NTFS not indexed
The following files are
required for proper functioning:
- winhex.exe/xwforensics.exe (main executable file)
- external.dll (required for some types of direct hard disk and
floppy disk access)*
- psapi.dll (required only for using the RAM editor under Windows
- hi.dll (required only for picture viewing, shipped with X-Ways
Forensics only, until v13.7)*
- DevIL.dll (required only for picture viewing, shipped with X-Ways
Forensics only, since v13.7)
- Chinese.dat, Chinese2.dat (required for the
Chinese user interface only, since v13.7)*
- index*.txt (used for indexing in X-Ways
- zlib1.dll (since v13.7)
- zip.dll (required only for archive handling, shipped with X-Ways
Forensics only, as of v11.7)*
- rar.dll (required only for RAR archive handling, shipped with
X-Ways Forensics only, as of v11.7)*
- zip.exe (required only for case backups, shipped with X-Ways
Forensics only, as of v12.8)*
- hash.dll (required only for
faster hash computation, shipped with X-Ways
Forensics, downloadable separately for WinHex here,
requires a professional license or higher, as of v12.9)*
- m.dat (X-Ways Forensics only)
- nfi.exe (v9.7 through v10.7 only)
- dialogs.dat (dialog resources, all languages)
- language.dat (string resources, all languages)
- EBCDIC.dat (EBCDIC character set support, as of v9.26)*
- timezone.dat (flexible time zone
interpretation feature, as of v12.8)*
- winhex.hlp, winhex.cnt (English program help)*
- winhex-d.hlp, winhex-d.cnt (German program help)*
- winhex-f.hlp, winhex-f.cnt (French program help)*
- File Type Signatures.txt (file type definition file for file
recovery by type, as of v11.2)*
- File Type Categories.txt (file category definition file for
category view, shipped with X-Ways Forensics only, as of v11.5)*
- Reg Report [Keys].txt (definitions for the registry report
function, shipped with X-Ways Forensics only, as of v11.5)*
- *.tpl (various sample template definition files)*
- *.whs (various sample scripts, as of v10.0)*
*The files marked with an asterisk are not required if the specified
functionality is not needed.
viewer component has be downloaded
and decompressed separately. It is expected by default in the subfolder
\viewer of the installation folder (as of v12.1).
A hash database does
not ship with X-Ways Forensics. By default, an internal hash database found in the
subfolder \HashDB of the installation folder will be automatically activated in
MPlayer can be used
in X-Ways Forensics and X-Ways Investigator to watch and extract JPEG
pictures from video files since v14.8. It is expected in the subfolder
\mplayer of the installation folder. The separate codec package should be
extracted to the subfolder \codecs of the MPlayer installation.
Alternatively, the program
Forensic Framer can be used to
extract JPEG pictures from video files. It contains MPlayer.
|Required Non-Shipped Files
For use of the WinHex API
(WinHex 10.1 and later) in a programming language such as C/C++, Pascal, or Visual Basic,
some other files are needed. Details
For direct access to CD-ROM sectors under Windows 9x/Me,
the ASPI interface must be installed (wnaspi32.dll). This file is available from
the Windows setup CD-ROM. However, it should already exist on most Windows installations.
WinHex does not require a specific version of comctl32.dll.
WinHex does not rely on the presence any runtime library (e.g. msv*.dll).
Editing/writing hard disk sectors
under Windows NT/2000/XP/Vista/7 requires administrator privileges. Under Windows Vista/7 it is not sufficient to be
simplified logged in as administrator. Instead, you need to explicitly run
WinHex as administrator.
|Bart's PE Builder
This package contains all necessary configuration files and instructions for BartPE.