WinHex/X-Ways Forensics: Installation Details

WinHex and X-Ways Forensics can be run under Windows XP/Vista/Server 2003/7/Server 2008/8/Server 2012, 32-bit and 64-bit. No testing has been done under Windows 2000 for 10 years or so, and compatibility with Windows 98/Me version has been lost gradually since around v12/v13. The last version to run on Windows 3.1x was v7.54. Old versions are available to registered users on request.

WinHex/X-Ways Forensics/X-Ways Investigator are not resource hungry at all! You can execute these programs on old computers running Windows XP, with just 256 MB RAM and 1 GB free hard disk space. With just 512 MB RAM you can already open and analyze volumes with around 5 million files! (It will not be fast, but it works.) Good to know if you ever have to run it on live systems that you encounter on site, to preview them.

The following are tips for higher performance and processing huge amounts of files, in no particular order:

• The higher the processor frequency, the better.

• 2 processor cores are better than 1, 4 better than 2, in many situations. More than 4 will be used in special situations such as during disk imaging.

• On a terminal server with multiple users or generally when running multiple instances on the same machine, even more cores and more RAM make sense, also for the 32-bit edition.

• Use a 64-bit Windows version. If a 32-bit version, run Windows with the /3GB switch.

• Use > 4 GB of RAM. 4 GB can be addressed directly by the 32-bit edition of X-Ways Forensics under 64-bit Windows, 3 GB under 32-bit Windows. More RAM still helps indirectly thanks to caching in Windows. The 64-bit edition can use more memory directly, of course. The more RAM can be used directly, the larger volume snapshots are supported (i.e. evidence objects with millions of files), the more evidence objects with large volume snapshots can be open at the same time, the more data of a volume snapshot can be held in memory and the more search hits can be maintained.

• With the 32-bit edition of X-Ways Forensics 16.4, analyzing a partition with for example 25 million objects (files and directories) is no problem as long as you are using a 64-bit Windows. For even bigger volume snapshots or if you would like to keep several evidence objects with such big volume snapshots open at the same time, please rather use the 64-bit edition of X-Ways Forensics.

• Under low memory conditions with large volume snapshots, have XWF keep less data in memory (see Volume Snapshot Options) and don't open many evidence objects that contain many files at the same time if you don't have to (volume snapshot refinements and simultaneous searches can open the evidence objects themselves on demand when needed, except for Windows dynamic disks or Linux LVM2 disks with spanned volumes, and automatically close them again).

• Do not permanently and unnecessarily collect millions of search hits. If you get too many search hits with too unspecific search terms, delete search hits that you don't need any more, to free up memory.

• If possible, don't store cases and images on the same disk.

• If possible, don't store temporary files and images on the same disk.

• Use faster disks, with a higher data transfer rate and quicker access.

• Store images on a RAID instead of on a disk, for a higher transfer rate.

• Avoid using media that are connected via USB.

• Format your own volumes with NTFS, not FAT.

• Don't use NTFS encryption (EFS) or NTFS compression.

• Use a large cluster size such as 16 KB or more for the volume that will hold your images. 

• Don't use compressed .e01 evidence files created with tools other than X-Ways Forensics (avoid normal or strong compression).

• Avoid an active virus scanner in the background if you can.

• v15.9 and earlier only: Don't select all file types for file carving  (file header signature search) if you don't have to.

• For simultaneous searches with 4 or more keywords, use v15.9 or later.

• For indexing, don't include more characters and shorter or longer word lengths than absolutely necessary. Don't index substrings unless absolutely necessary.

WinHex and X-Ways Forensics share the same code base. X-Ways Forensics offers numerous additional features over WinHex with a license. With a license for X-Ways Forensics, you can alternatively also use WinHex with the same license (and the same dongle). Both programs then offer the same full forensic feature set and are identical except for the following:

• WinHex (winhex.exe) always identifies itself as WinHex in the user interface, X-Ways Forensics (xwforensics.exe) as X-Ways Forensics. The program help and the manual, however, statically refer to "WinHex" in most cases. 

• winhex.exe is available as a separate download for users of X-Ways Forensics as an add-on. When adding winhex.exe to an X-Ways Forensics installation, the versions must match, which is safe to assume if both were downloaded at the same time.

• In X-Ways Forensics, disks, interpreted image files, virtual memory, and physical RAM are strictly opened in view mode (read-only) only, to enforce forensic procedures, where no evidence must be altered in the slightest. This strict write protection of X-Ways Forensics ensures that no original evidence can possibly be altered accidentally, which can be a crucial aspect in court proceedings. Only when not bound by strict forensic procedures and/or when in need to work more aggressively on disks or images (e.g. you have to repair a boot sector) then you could run WinHex instead. With WinHex you can edit disk sectors and wipe entire hard disks, free space, or slack space.

• The WinHex API can only be used in conjunction with WinHex. 

It is not necessary to install WinHex/X-Ways Forensics/X-Ways Investigator using the supplied setup.exe program. This installation program only copies the shipped files to the destination folder (plus all .whx files it finds), sets the desired language (English, German, French, Spanish, Italian, or Portuguese), and creates a program shortcut in the start menu. All other settings are initialized by winhex.exe/xwforensics.exe itself. WinHex/X-Ways Forensics/X-Ways Investigator is a fully portable application that can be executed from a USB stick on any computer without any installation.

When updating an existing installation of a non-dongled based products, the setup program will warn you in case the new version would no longer accept the existing license codes, before actually overwriting the existing installation.

The WinHex.cfg file contains the settings (options, filters, paths, ...). It is created by WinHex/X-Ways Forensics/X-Ways Investigator automatically when run for the first time, and maintained either in the installation directory, or in a user-specific subdirectory like \AppData\Local\X-Ways in the user profile if 1) WinHex.cfg already exists in that directory, 2) the installation directory is located on the C: drive and is write-protected for the user or 3) a file named winhex.user is present in the installation directory. If only a generic file WinHex.cfg exists (in the installation directory), not a user-specific one, yet usage of individual configurations is suggested by 2) or 3), the generic file will be used to initialize all users' settings who do not have an individual WinHex.cfg file. If no configuration file is found at all, the configuration is initialized with default values that may be language-specific. The default language is English. To force WinHex/X-Ways Forensics to initialize itself with a different language, create an empty file named winhex.ger, winhex.fr, winhex.esp, winhex.ita, or winhex.por in the installation directory. By default, WinHex/X-Ways Forensics/X-Ways Investigator store all data in the directory where the .exe file is located so that the program is fully portable and prevent unnecessary alteration of the system that is examined. You can create an empty file named winhex.user to enforce user-specific configurations. 

The WinHex [username].cfg file is located either in the installation directory or in a subdirectory of the virtual store (32-bit edition only, under Windows Vista and newer). The optional insertion of the username (supported as of v13.2 SR-5) guarantees that different users can share the same installation but have individual settings. Note that there must be a space character before the username. If a generic file WinHex.cfg exists (i.e. without a username), that file will be used instead for all users who do not have an individual .cfg file. If no configuration file is found at all, the configuration is initialized with default values. To force WinHex/X-Ways Forensics to use user-specific configuration files, create an empty file named winhex.user in the installation directory (as of v16.9 SR-1).

Alternatively, each user can have an individual configuration (own case folder, own folder for image files, and all other settings) in his/her system registry. That way the usage of the WinHex*.cfg files is avoided altogether.

To that end, simply create an empty file named winhex.rgt in the installation folder. If this file is found during startup, WinHex reads the configuration from the local registry instead of a .cfg file. Only if the local registry key does not yet exist, WinHex tries to read an existing winhex [username].cfg file in the installation folder. If this file does not exist either, WinHex starts with initialized settings. At any rate, if a file winhex.rgt is found when exiting, WinHex writes the configuration to the local registry. 

The registry configuration feature is available as of WinHex v9.5.

Different versions may be installed in different directories at the same time and have their own configurations. Also multiple installations of the same version in different directories are possible, to run different configurations. Note that in both cases to ensure different configuration, if the configuration is user-specific, multiple installations must be contained in directories of different names.

New versions may be copied/installed over older versions, but never the other way around.  WinHex wird a forensic license and X-Ways Forensics (if exactly the same release) may and shall share the same installation directory and use many identical files. The 32-bit and the 64-bit edition (if exactly the same release) may and shall also share the same installation directory.

Knowing about what is stored in which file using which storage technology enables you to optimize your backup strategy and may allow you to partially or fully recover your case if you suffer from data loss (e.g. your case file or volume snapshot becomes corrupt). For example, if you spent a long time already refining the volume snapshot, tagging and adding comments to files, and then the main .xfc case file is lost, you can create a new case, add the same images again, and then behind XWF's back (when it's not running or that case is not open or at least the evidence object is not open) replace the files the "_" subdirectory of the evidence object(s) with those from the original case to restore the volume snapshots, comments and tagmarks.

*NTFS not indexed

The following files are required for proper functioning:

• winhex.exe/xwforensics.exe (main executable file)
• external.dll (required for some types of direct hard disk and floppy disk access)*
• psapi.dll (required only for using the RAM editor under Windows NT/2000/XP)*
• hi.dll (required only for picture viewing, shipped with X-Ways Forensics only, until v13.7)*
• DevIL.dll (required only for picture viewing, shipped with X-Ways Forensics only, since v13.7)
• Chinese.dat, Chinese2.dat (required for the Chinese user interface only, since v13.7)*
• index*.txt (used for indexing in X-Ways Forensics)
• zlib1.dll (since v13.7)
• zip.dll (required only for archive handling, shipped with X-Ways Forensics only, as of v11.7)*
• rar.dll (required only for RAR archive handling, shipped with X-Ways Forensics only, as of v11.7)*
• zip.exe (required only for case backups, shipped with X-Ways Forensics only, as of v12.8)*
• hash.dll (required only for faster hash computation, shipped with X-Ways Forensics, downloadable separately for WinHex here, requires a professional license or higher, as of v12.9)*
• m.dat (X-Ways Forensics only)
• nfi.exe (v9.7 through v10.7 only)
• dialogs.dat (dialog resources, all languages)
• language.dat (string resources, all languages)
• EBCDIC.dat (EBCDIC character set support, as of v9.26)*
• timezone.dat (flexible time zone interpretation feature, as of v12.8)*
• winhex.hlp, winhex.cnt (English program help)*
• winhex-d.hlp, winhex-d.cnt (German program help)*
• winhex-f.hlp, winhex-f.cnt (French program help)*
• File Type Signatures.txt (file type definition file for file recovery by type, as of v11.2)*
• File Type Categories.txt (file category definition file for category view, shipped with X-Ways Forensics only, as of v11.5)*
• Reg Report [Keys].txt (definitions for the registry report function, shipped with X-Ways Forensics only, as of v11.5)*
• *.tpl (various sample template definition files)*
• *.whs (various sample scripts, as of v10.0)*

*The files marked with an asterisk are not required if the specified functionality is not needed.

A hash database does not ship with X-Ways Forensics. By default, an internal hash database found in the subfolder \HashDB of the installation folder will be automatically activated in X-Ways Forensics.

Alternatively, the program Forensic Framer can be used to extract JPEG pictures from video files. It contains MPlayer.

For use of the WinHex API (WinHex 10.1 and later) in a programming language such as C/C++, Pascal, or Visual Basic, some other files are needed. Details

For direct access to CD-ROM sectors under Windows 9x/Me, the ASPI interface must be installed (wnaspi32.dll). This file is available from the Windows setup CD-ROM. However, it should already exist on most Windows installations.

WinHex does not require a specific version of comctl32.dll. WinHex does not rely on the presence any runtime library (e.g. msv*.dll).

Editing/writing hard disk sectors under Windows NT/2000/XP/Vista/7 requires administrator privileges. Under Windows Vista/7 it is not sufficient to be simplified logged in as administrator. Instead, you need to explicitly run WinHex as administrator.

This package contains all necessary configuration files and instructions for BartPE.