|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||
WinHex: Specialist Tools Menu
Gather Free Space: Traverses the currently open logical drive and gathers all unused clusters in a destination file you specify. Useful to examine data fragments from previously existing files that have not been deleted securely. Does not alter the source drive in any way. The destination file must reside on another drive. Note: very slow on NTFS drives. Gather Slack Space: Collects slack space (the unused bytes in the respective last clusters of all cluster chains, beyond the actual end of a file) in a destination file. Otherwise similar to Gather Free Space. Works with FAT12, FAT16, FAT32, and NTFS drives. WinHex cannot access slack space of files that are compressed or encrypted at the file system level. Gather Inter-Partition Space: Captures all space on a hard disk that does not belong to any partition in a destination file, for quick inspection to find out if something is hidden there or left from a prior partitioning. Gather Text: Recognizes text according to the parameters you specify and captures all occurrences from a file, a disk, or a memory range in a file. This kind of filter is useful to considerably reduce the amount of data to handle e.g. if a computer forensics specialist is looking for leads in the form of text, such as e-mail messages, documents, etc. The target file can easily be split at a user-defined size. This function can also be applied to a file with collected slack space or free space, or to damaged files in a proprietary format than can no longer be opened by their native applications, like MS Word, to recover at least unformatted text. Simultaneous Search: A parallel search facility, that lets you specify a virtually unlimited list of search terms, one per line. The search terms are searched simultaneously, and their occurrences can be archived either in the Position Manager, or in a tab-delimited text file, similar to the disk catalog, which can be further processed in MS Excel or any database. WinHex will save the offset of each occurrence, the search term, the name of the file or disk searched, and in the case of a logical drive the cluster allocation as well! (i.e. the name and path of the file that is stored at that particular offset, if any) That means e.g. a forensic examiner is now able to
systematically search through an entire hard drive in a single pass for words like Create Drive Contents Table: Creates a disk "catalog" of existing and deleted files and directories on a logical drive or partition, with user-configurable information such as attributes, all available date & time stamps, size, allocated clusters, hash (checksum or digest), alternate data streams (which contain hidden data, on NTFS drives only), etc. Extremely useful to systematically examine the contents of a disk. Allows to limit the search for files of a certain type using a filename mask (e.g. *.jpg;*.gif). Hash values can only be calculated for existing files. Internal system files and extensive cluster allocation information can only by listed for NTFS volumes if you include deleted files in the table. In the column with cluster allocation information you may also find only a sector in the master file table listed (in which small files are stored directly). Clusters allocated to alternate data streams are listed in this column following the ADS name and a colon. The resulting table can be imported and further processed by databases or MS Excel. Sorting by date & time stamps will result in a good overview of what a disk has been used for at a certain time. E.g. the NTFS attribute "encrypted" might quickly reveal what files may turn out to be the most important ones in a forensic analysis. Create Directory Contents Table: Works like Create Drive Contents Table, but for a user-selected directory and its subdirectories only. Media Details Report: Shows information about the currently active disk or file and lets you copy it e.g. into a report you are writing. Most extensive on physical hard disks, where details for each partition and even unallocated gaps between existing partitions are pointed out. Interpret Image File As Disk: Treats a
currently open and active disk image file as either a logical drive or physical disk. This
is useful if you wish to closely examine the file system structure of a disk image,
extract files, etc. without copying it back to a disk. If interpreted as a physical disk,
WinHex can access and open the partitions contained in the image individually as known
from "real" physical hard disks. Bates-Number Files: Bates-numbers all the files within a given folder and its subfolders for discovery or evidentiary use. A constant prefix (up to 13 characters long) and a unique serial number are inserted between the filename and the extension in a way attorneys traditionally label paper documents for later accurate identification and reference. Trusted Download: Solves a security problem. When transferring unclassified material from a classified hard disk drive to unclassified media, you need to be certain that it will have no extraneous information in any cluster or sector "overhang" spuriously copied along with the actual file, since this slack space may still contain classified material from a time when it was allocated to a different file. This command copies file in their current size, and no byte more. It does not copy entire sectors or clusters, as conventional copy commands do. Multiple files in the same folder can be copied at the same time. Highlight Free Space/Slack Space: Displays offsets and data in softer colors (light blue and gray, respectively). Helps to easily identify these special drive areas. Works on FAT and NTFS logical drive and FAT partitions. |
|||||||||
