Transcription of X-Ways Forensics & WinHex Manual
1 X-Ways Software Technology AG X-Ways Forensics / WinHex Integrated Computer Forensics Environment. Data Recovery & IT Security Tool. Hexadecimal Editor for Files, Disks & RAM. Manual Copyright 1995-2018 Stefan Fleischmann, X-Ways Software Technology AG. All rights reserved. Contents 1 About WinHex and X-Ways License More differences between WinHex & X-Ways Getting Started with X-Ways 2 Technical Using a Hex Integer Data Floating-Point Data Date ANSI ASCII/IBM Checksums, Hashes, Attribute Technical 3 User Start Directory General Virtual Columns and More about the Timestamp Columns ..34 Mode Status Data Position Useful Command Line User-Defined Keyboard 4 Menu Directory Browser Context Case Data Window Context Data Window Context File Edit Search Navigation View Tools File Specialist Options Window Help II Windows Context 5 Forensic Interpret Image File As Case Management.
2 79 Multi-User Coordination For Large Evidence Case Case Report Viewer Registry Simultaneous Logical Search Hit Search Term Hit Count in Search Term Event Mount As Drive File Type Hash Time Zone Evidence File Related Items ..121 Generator External Analysis 6 Volume Snapshots and their Refinement at the Volume/Sector Run Particularly thorough file system data structure File Header Signature Block-wise Hashing and Refinement at the File Hash Value Computation and File Type Extraction of Internal Archive E-mail Uncovering Embedded Capture Still Images from Pictures Analysis and Detection of More Information about Volume Snapshot Refinement ..145 7 Some Basic Edit X-Tensions III Disk Memory Template 8 Data File Recovery with the Directory File Recovery by Type/File Header Signature File Type Manual Data 9 General Volume Snapshot Viewer Programs & Gallery Undo Security Search Replace 10 Modify Sector Wiping and Disk Images and Dummy Image Hints on Disk Cloning, Imaging, Image Skeleton Backup Recover/Copy Duplicate File Surrogate Reconstructing RAID Systems.
3 206 Appendix A: Template 1 2 Body: Variable 3 Body: Advanced 4 Body: Flexible Integer Appendix B: Script Appendix C: Master Boot IV 1 Preface About WinHex and X-Ways Forensics Copyright 1995-2018 Stefan Fleischmann, X-Ways Software Technology AG. All rights reserved. X-Ways Software Technology AG Web: Carl-Diem-Str. 32 Order at: B nde User forum: Germany Fax: +49 3212-123 2029 E-mail address: Registered in Bad Oeynhausen (HRB 7475). CEO: Stefan Fleischmann. Board of directors (chairwoman): Dr. M. Horstmeyer. X-Ways Software Technology AG is a stock corporation incorporated under the laws of the Federal Republic of Germany. WinHex was first released in 1995. This Manual was compiled from the online help of WinHex / X-Ways Forensics SR-2, released in September 2018. Supported platforms: Windows XP, Windows 2003 Server, Windows Vista/Server 2008, Windows 7, Windows 8 2012, Windows 10/ Server 2016.
4 32-bit and 64-bit. Standard, PE and FE. Some functionality is also available when run under Linux+Wine. However, some copy protection methods (among them dongles) unfortunately do not work under Linux+Wine at all. User interface translation: Chinese by Sprite Guo. Japanese by Takao Horiuchi and Ichiro Sugiyama (not generally available). French by J r me Broutin, revised by Bernard Lepr tre. Spanish by Jos Mar a Tagarro Mart . Italian by Andrea Ghirardini. Brazilian Portuguese by Heyder Lino Ferreira. Polish by ProCertiv Sp. z (LLC). We would like to thank the state law enforcement agency of Rhineland-Palatinate for extraordinarily numerous and essential suggestions on the development of X-Ways Forensics and X-Ways Investigator. Thanks to Dr. A. Kuiper for his method to process videos with MPlayer.
5 Professional users around the world (this list is from ~14 years ago) and German federal law enforcement agencies, ministries such as the Australian Department of Defence, national institutes ( the Oak Ridge National Laboratory in Tennessee), the Technical University of Vienna, the Technical University of Munich (Institute of Computer Science), the German Aerospace Center, the German federal bureau of aviation accident investigation, Microsoft Corp., Hewlett Packard, Toshiba Europe, Siemens AG, Siemens Business Services, Siemens VDO AG, Infineon Technologies Flash GmbH & Co. KG, Ontrack Data International Inc., Deloitte & Touche, KPMG Forensic, Ernst & Young, Ericsson, National Semiconductor, Lockheed Martin, BAE Systems, TDK Corporation, Seoul Mobile Telecom, Visa International, DePfa Deutsche Pfandbriefbank AG, 1 Analytik Jena AG, and many other companies and scientific institutes.
6 Legalities Copyright 1995-2018 Stefan Fleischmann, X-Ways Software Technology AG. No part of this publication may be reproduced, or stored in a database or retrieval system without the prior permission of the author. Any brand names and trademarks mentioned in the program or in this Manual are properties of their respective holders and are generally protected by laws. FuzZyDoc is a trademark of X-Ways Software Technology AG. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. However, the author neither offers any warranties or representations nor does he accept any liability with respect to the program or the Manual . License Agreement Acknowledgements The MD5 message digest is copyright by RSA Data Security Inc. The zlib compression library is copyright by Jean-loup Gailly and Mark Adler.
7 Homepage: X-Ways Forensics contains software by Igor Pavlov, , and an Adler32 implementation by Arnaud Bouchez. Outside In Technology Copyright 1991, 2014, Oracle Corp. and/or its affiliates. All rights reserved. NEXT3 is a registered trademark of CTERA Networks. X-Ways Forensics uses ResIL, a fork of DevIL. ResIL is governed by the LGPL ( ), version The source code can be downloaded from X-Ways Forensics contains an unofficial build of libPFF. libPFF is governed by the LGPL ( ), version The original source code can be downloaded from X-Ways Forensics uses Dokan. Dokan is governed by the LGPL ( ), version The source code can be found at Windows event log (.evtx) viewing capability based on works by Andreas Schuster.
8 2 License Types You may evaluate WinHex free of charge, for at most 45 days. For regular use and for use as a full version, you need at least one license. For multiple users at the same time or use on multiple machines by one user at the same time, you will also need additional licenses. License agreement. Unlike the evaluation version, the full version of WinHex will save files larger than 200 KB, write disk sectors, edit virtual memory and show no evaluation version reminders. It will reveal its licensing status on start-up and in the About box (the window that appears when you click the version number in the upper right corner). Personal licenses are available at a reduced price for non-commercial purposes only, in a non-business, non-institutional, and non-government environment. Professional licenses allow usage of the software in any environment (at home, in a company, in an organization, or in public administration).
9 Professional licenses provide the ability to execute scripts. Specialist licenses in addition to that allow to use Specialist menu commands, read the file systems exFAT, Ext2, Ext3, Ext4, Next3 , CDFS/ISO9660, UDF, can highlight free drive space and slack space, enable support for RAID reconstruction, Windows dynamic disks, Linux LVM2, some more columns in the directory browser, and reverse disk cloning/imaging. Particularly useful for IT security specialists. WinHex Lab Edition in addition to that understand the file systems HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, XFS, and many variants of UFS and UFS2 and many data structures of APFS, allow to create evidence file containers, and allow to run regular X-Tensions. Licenses for X-Ways Forensics ( forensic licenses ) in addition to the above allow to use the powerful case managing and report generating capabilities, the internal viewer and the separate viewer component, the gallery view, many more volume snapshot refinement operations, many more columns and filters in the directory browser (and the order of the columns can be changed), comments and report tables.
10 Furthermore, they allow to read and write evidence files (.e01) and can do much, much more! Particularly useful for computer forensic examiners. X-Ways Investigator is a simplified version of X-Ways Forensics . It does not have all the functionality of X-Ways Forensics , not even all the functionality of WinHex . Users of X-Ways Forensics can temporarily reduce the user interface of X-Ways Forensics to that of X-Ways Investigator to see if additional licenses for X-Ways Investigator would benefit their organization to split up the investigative workload across multiple users, some of them non-technical. X-Ways Investigator is not really meant as a stand-alone product. The maximum number of simultaneous character sets in the text display also depends on the license type (cf. View menu).
