Orders, Prices:
  Credit card
 
  Wire transfer or check
 
Products
 
Find out more about X-Ways Forensics X-Ways Forensics
Integrated computer forensics software
 
Find out more about X-Ways Investigator X-Ways Investigator
Investigator version of X-Ways Forensics
 
Find out more about WinHex! WinHex
  More information
  License types
  Upgrade
  Forensic features
  All features
 
Find out more about X-Ways Capture X-Ways Capture
Seize evidence
 
Find out more about X-Ways Trace X-Ways Trace
User activity
 
Find out more about Davory Davory
Data recovery
 
Find out more about X-Ways Security X-Ways Security
Permanent erasure
 
Find out more about Evidor Evidor
Evidence collector
 
Services
 
Training
 

 
Contact X-Ways Contact X-Ways
Support forum
 
Corporate info Corporate info
  X-Ways Software Technology AG  
 
 

Additional Templates for WinHex & X-Ways Forensics

 

Data Structure
(and submitted by whom)		 Description
& Download
Dalet radio automation system
Steven Scholte

I've been using WinHex to analyse some soundfiles created by the Dalet radio automation system (version 5.1). I have made a couple of templates for this purpose and I thought I'd share them. There are three templates.

Dalet SND file header.txt
Dalet VOL file header.txt

One for reading the header of files with the SND extension. These are the old style soundfiles used to store MPEG-layer II audio. All SND files are accompanied by a VOL file which is used to store the volume information. This enables the Dalet system to quickly draw the waveform.

Dalet BWF file header.txt

The third template describes the Broadcast Wave Format as developed by the EBU. This format can be used to store MPEG as well as linear (uncompressed) audio. The BWF format is not only used by Dalet, but also by other programs used in radio and television production. (Steven Scholte)
JFS Superblock
Jens Kirschner		 JFS Superblock.tpl

This template should work for Linux implementations of JFS. (Jens Kirschner)
Reiser4 File System Data Structures
Jens Kirschner		 Reiser4 is a fairly complex file system. Not every possible data structure variation is covered by these templates, but they work fairly well for me.

Start with the Reiser4 Superblock.tpl on Sector 64.

From the root, follow Reiser4's internal tree using the Reiser4 Node Header.tpl on the nodes and either of the following on their node entries:  Reiser4 Item Header Large.tpl or Reiser4 Item Header Small.tpl . "Large" and "Small" refer to the key size, large is usually what you want being default on Reiser4. The best way to use these templates: Put your cursor on the first byte of the node for the node header template; but put it on the first byte of the following (!) block for the item header templates and (within the template view) move backwards - one to start and then repeatedly to see the other keys.

Reiser4 Stat Data.tpl Reads the Reiser4 variant of inode-like file management.
Reiser4 Directory Entries.tpl Reads all entries in a Reiser4 directory structure.

Finding the structures for Stat Data and Directories is more of a problem and a bit beyond this little description... (Jens Kirschner)
CDFS File System Data Structures
Chris Taylor		 CDFS Volume Descriptor.tpl
CDFS Path Tables Ascii.tpl
CDFS Path Tables Unicode.tpl
CDFS Directory Entry Ascii.tpl
CDFS Directory Entry Unicode.tpl

Some WinHex templates for viewing the Volume Descriptor, Path Tables, and Directory Entries on ISO9660 CDs. (Chris Taylor)
NTFS FILE Records and Data Runs
Jens Kirschner		 NTFS FILE Record.tpl
NTFS Data Runs.tpl

The NTFS FILE records are of a pretty variable structure. However, the first template extracts the main parts of the $STANDARD_INFORMATION (0x10) and $FILENAME (0x30) attributes. It also parses the FILE records header and at least lists all the other attributes present.

If you do find the beginning of a data run within one of the attributes, apply the second template to the beginning of that data run and all the data runs within the set will be extracted.

Keep in mind, though, neither of these templates knows anything about the fixup bytes which basically replace two bytes of potentially crucial information with more or less random values at the end of each sector making up a FILE record, so there may be the occasional odd value. (Jens Kirschner)
Windows .lnk Files
Steve Guty		 Non-Unicode LNK FILE Record.tpl
LNK FILE Record.tpl

1. The volume serial number doesn't match the physical case SN for hard
drives; it does match the Windows-assigned volume serial number returned by
the VOL command.
2. There's some additional info at the end of the .lnk files which is
described as "an unknown structure" in Jesse Hager's article
(http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf); I can
see that the computer name forms a part of this, but am currently at a loss
to discern how to reliably retrieve this data.
3. On some link files created under Windows 98 and earlier versions, you may
not see a length value preceding the strings for description, relative path,
working directory, etc. at the end of the template, so you may want to
modify those sections to simple zstrings rather than char[n] strings. (Steve Guty)
UFS File System Data Structures
Michele Larese		 UFS1 Superblock BE.tpl (big-endian)
UFS1 Superblock LE.tpl (little-endian)
UFS1 superblock, located 8192 bytes from the start of an UFS partition

UFS1 Cylinder Group Descriptor BE.tpl (big-endian)
UFS1 Cylinder Group Descriptor LE.tpl (little-endian)
UFS1 cylinder group descriptor

UFS1 Inode BE.tpl (big-endian)
UFS1 Inode LE.tpl (little-endian)
UFS1 inode structure

UFS2 Superblock BE.tpl (big-endian)
UFS2 Superblock LE.tpl (little-endian)
UFS2 superblock, located 65536, 131072 or 262144 bytes from the start of an UFS partition

UFS2 Cylinder Group Descriptor BE.tpl (big-endian)
UFS2 Cylinder Group Descriptor LE.tpl (little-endian)
UFS2 cylinder group descriptor

UFS2 Inode BE.tpl (big-endian)
UFS2 Inode LE.tpl (little-endian)
UFS2 inode structure

UFS directory entry BE.tpl (big-endian)
UFS directory entry LE.tpl (little-endian)
UFS directory entry, identical for UFS1 and UFS2.
These templates display only regular entries in a directory block, not deleted ones.
Microsoft Windows Event Log
Andreas Schuster		 EVT_Cursor.tpl
Cursor record.

EVT_Event.tpl
Event record.

EVT_Header.tpl
Header record.

More information: http://www.dfn-cert.de/events/ws/2005/dfncert-ws2005-f4.pdf
HFS+ File System Data Structures
Stefan Fleischmann		 HFSPlus_Volume_Header.tpl
Located 1024 bytes from the start of an Apple HFS+ volume.

HFSPlus_Catalog_Key.tpl
Defines a file or directory. Includes the file or folder record that follows.

POS File Format
Stefan Fleischmann		 WinHex/X-Ways Forensics position file format (.pos). Fully documented here.

POS_File_Format_1.1.tpl
POS_File_Format_2.0.tpl
WAV PCM File Format
Khomenko Volodymyr		 Structure of a simple WAV-PCM (unpacked) audio file

WAVPCM.tpl
BMP File Format
Khomenko Volodymyr		 Structure of a BMP bitmap image file with palette

BMP.tpl
AFP Datastream Records
Bob Carlyle		 AFP (Advanced Function Presentation) is a widely used print datastream for high-end production printing throughout the world. It is also a viewable datastream, similar to PDF files (although PDF is much more powerful), using the AFP Viewer Plug-In, and other documentation is available at http://ibm.com/printers. The datastream itself is EBCDIC-based, but there is a lot of software that uses this datastream on ASCII-based systems.

AFP Structured Fields.tpl
Structured Fax File Format
Ulf Zibis		 SFF_File_Format.tpl
Cf. http://delphi.pjh2.de/articles/graphic/sff_format.php .
TIFF Image File Format v6.0
Ulf Zibis		 TIFF File Format.tpl
TIFF File IFD.tpl
Cf. http://partners.adobe.com/asn/developer/PDFS/TN/TIFF6.pdf .
Palm Database Files
Ulf Zibis		 Palm PDB.tpl
Palm PDB 6 records.tpl
ZIP File
Alex Sidorov		 ZIP.tpl
ZIP File Data Structures
Trenton D. Adams		 All ZIPs start with the "ZIP Local File Header Structure" template. These are repeated until all files in the ZIP have been looked at. After each one of those comes the "ZIP Data Descriptor Structure" (which I've never actually seen myself).  In order for a "ZIP Data Descriptor Structure" to occur after each ZIP entry, bit 3 of the General Purpose bit flag of the "ZIP Local File Header Structure" must be set.  For me, I've never actually seen that bit set, and hence have never actually seen a "ZIP Data Descriptor Structure".

Now, last but not least is the final listing of all ZIP entries in the archive for spanning purposes.  You use the "ZIP Central Directory Structure" repeatedly until a "ZIP End of Central Directory Structure" is encountered.   And, each signature of the structures tells you which one you're encountering.   Remember though, the signatures are little endian because this is the ZIP specification.

ZIP_Local_File_Header_Structure.tpl
ZIP_Data_Descriptor_Structure.tpl
ZIP_Central_Directory_Structure.tpl
ZIP_End_of_Central_Dir_Structure.tpl
FAT32 FSINFO Sector
Stefan Fleischmann		 To be applied to sector 1 of a FAT32-formatted logical drive. Contains additional information about the volume. FSINFO Sector.tpl
DBF Format (Tutorial)
Paul Mullen		 Three templates for data in the "dbf" or "xbase" format which originated with Ashton-Tate’s dBase program and has since been adopted by many applications. Presented as a tutorial on how to create such templates. tutorial.zip
FAT16 Entry
Paul Mullen		 Must start at start of FAT to get numbers right. "F8 FF" = first bytes of valid 16-bit FAT. FAT16 Entry.tpl
FAT32 Entry
Stefan Fleischmann		 Must start at start of FAT to get numbers right. "F8 FF" = first bytes of valid 32-bit FAT. Based on the FAT16 template version. FAT32 Entry.tpl
... ...

About user templates

 

Thanks to all past and future contributors!