X-Ways Software Technology AG

X-Ways Forensics/WinHex

Integrated Computer Forensics Environment. Data Recovery & IT Security Tool. Hexadecimal Editor for Files, Disks & RAM.

Manual

Copyright © 1998-2021 Stefan Fleischmann, X-Ways Software Technology AG. All rights reserved.

Contents

1 Preface
1.1 About WinHex and X-Ways Forensics
1.2 Legalities
1.3 License Types
1.4 More differences between WinHex & X-Ways Forensics
1.5 Getting Started with X-Ways Forensics

2 Technical Background
2.1 Using a Hex Editor
2.2 Endian-ness
2.3 Integer Data Types
2.4 Floating-Point Data Types
2.5 Date Types
2.6 ANSI ASCII/IBM ASCII
2.7 Checksums, Hashes, Digests
2.8 Attribute Legend
2.9 Technical Hints

3 User Interface
3.1 Overview
3.2 Start Center
3.3 Directory Browser
3.3.1 General Description
3.3.2 Virtual Objects
3.3.3 Filtering
3.3.4 Columns and Filters
3.3.5 More about the Timestamp Columns
3.3.6 FlexFilters
3.4 Mode Buttons
3.5 Status Bar
3.6 Data Interpreter
3.7 Position Manager
3.8 Useful Hints
3.9 Command Line Parameters
3.10 User-Defined Keyboard Shortcuts

4 Menu Reference
4.1 Directory Browser Context Menu
4.2 Case Data Window Context Menu
4.3 Data Window Context Menu
4.4 File Menu
4.5 Edit Menu
4.6 Search Menu
4.7 Navigation Menu
4.8 View Menu
4.9 Tools Menu
4.10 File Tools
4.11 Specialist Menu
4.12 Options Menu
4.13 Window Menu
4.14 Help Menu
4.15 Windows Context Menu

5 Forensic Features
5.1 Interpret Image File As Disk
5.2 Case Management
5.3 Multi-User Coordination For Large Cases
5.4 Evidence Objects
5.5 Log (Activity Log)
5.6 Case Report
5.7 Report Tables
5.8 Viewer Functionality
5.9 Registry Report
5.10 Simultaneous Search
5.11 Logical Search
5.12 Search Hit List
5.13 Search Term List
5.14 Hit Count in Search Term Lists
5.15 Event Lists
5.16 Mount As Drive Letter
5.17 File Type Categories
5.18 Hash Database
5.19 PhotoDNA
5.20 Time Zone Concept
5.21 Evidence File Containers
5.22 Related Items
5.23 Generator Signatures
5.24 External Analysis Interface

6 Volume Snapshots and their Refinement
6.1 Introduction
6.2 Refinement at the Volume/Sector Level
6.2.1 Run X-Tensions
6.2.2 Particularly thorough file system data structure search
6.2.3 File Header Signature Search
6.2.4 Block-wise Hashing and Matching
6.3 Refinement at the File Level
6.3.1 Hash Value Computation and Matching
6.3.2 File Type Verification
6.3.3 Extraction of Internal Metadata
6.3.4 Archive Exploration
6.3.5 E-mail Extraction
6.3.6 Uncovering Embedded Data
6.3.7 Capture Still Images from Videos
6.3.8 Pictures Analysis and Processing
6.3.9 FuzZyDoc
6.3.10 Detection of Encryption
6.3.11 Indexing
6.4 More Information about Volume Snapshot Refinement
6.4.1 Interdependencies
6.4.2 Notes

7 Some Basic Concepts
7.1 Edit Modes
7.2 Scripts
7.3 X-Tensions API
7.4 Disk Editor
7.5 Memory Editor/Analysis
7.6 Template Editing

8 Data Recovery
8.1 File Recovery with the Directory Browser
8.2 File Recovery by Type/File Header Signature Search
8.3 File Type Definitions
8.4 Manual Data Recovery

9 Options
9.1 General Options
9.2 Directory Browser
9.3 Volume Snapshot Options
9.4 Viewer Programs & Gallery Options
9.5 Undo Options
9.6 Security Options
9.7 Search Options
9.8 Replace Options

10 Miscellaneous
10.1 Block
10.2 Modify Data
10.3 Conversions
10.4 Sector Superimposition
10.5 Wiping and Initializing
10.6 Disk Cloning
10.7 Images and Backups
10.8 Dummy Image Segments
10.9 Hints on Disk Cloning, Imaging, Image Restoration
10.10 Skeleton Images
10.11 Backup Manager
10.12 Recover/Copy Command
10.13 Duplicate File Detection
10.14 Surrogate Pattern
10.15 Reconstructing RAID Systems

Appendix A: Template Definition
1 Header
2 Body: Variable Declarations
3 Body: Advanced Commands
4 Body: Flexible Integer Variables

Appendix B:

Appendix C:
