
WinHex

Date post: 26-Oct-2014
Upload: watteaucar
Page 1: WinHex

WinHex

A powerful data recovery and forensic tool

Page 2: WinHex

What is a Hex Editor?

A hex editor is a program which allows you to edit compiled programs and binary data-files.

A hex editor is capable of completely displaying the contents of each file type. Unlike a text editor, a hex editor even displays control codes (e.g. linefeed and carriage-return characters) and executable code, using a two-digit number based on the hexadecimal system.

Page 3: WinHex

What is WinHex?

WinHex is a powerful application that you can use as an advanced hex editor and file-viewer, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering and IT security.

Page 4: WinHex

Forensic Features

Case Management- It offers complete case management, automated log and report file generation.

Evidence Objects- You may add any currently attached computer medium (such as hard disk, memory card, USB stick, CD-ROM, DVD, ...), any image file, or ordinary file to the active case.

Log & Report Feature- WinHex obstinately logs all activities performed when the case is open. That allows you to easily track, reproduce, and document the steps you have followed to reach a certain result.

Report Tables- A report table is a user-defined (virtual) list of files. Files associated with report tables can then be easily included in the case report with all their metadata and even links.

Page 5: WinHex

Forensic Features cont.

Volume Snapshots- A volume snapshot is a database of the contents of a volume at a given point of time. A volume snapshot usually references both existing and previously existing (e.g. deleted) files, also virtual (artificially defined) files.

Directory Browser- Resembles the Windows Explorer's right-hand list; its main task is to display (and interact with) the volume snapshot. The directory browser also lists deleted files and directories.

Internal Viewer- It shows picture files of various file formats, the structure of Windows registry files, Windows Event Logs, Windows shortcut files (.lnk), Windows Prefetch files, $LogFiles, and AOL PFC files internally.

Simultaneous Search- This search is simultaneous in that it allows the user to specify a virtually unlimited list of search terms, one per line.

Page 6: WinHex

Forensic Features cont.

Logical Search- Powerful subvariant of the simultaneous search. Allows you to search either all files, all existing and fictitious files (which includes all free space), or all tagged files or slack space.

Search Hit Lists- The directory browser can show search hits.

Search Term List- The search term list contains all the search terms ever used for conventional (non-index) searches in the case, plus those index search terms for which index search hits have been permanently saved.

Indexing, Index Search- Creates indexes of all words in all or certain files in the volume snapshot, based on characters you provide, based on the Unicode character set and/or up to two code pages that you select.

Page 7: WinHex

Forensic Features cont.

Hash Database- The internal hash database, once created, consists of 257 binary files with the extension .xhd (X-Ways Hash Database). It is up to you to decide around what hash type the database is built (MD5, SHA-1, SHA-256, ...).

Time Zone Concept- X-Ways Forensics employs its own logic, not Windows' logic, for converting UTC to local filetimes. It displays timestamps independently of the time zone selected in the examiner's system's Control Panel.

Evidence File Containers- An evidence file container is a raw image file formatted with the XWFS file system.

Page 8: WinHex

Other Features

Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF

Built-in interpretation of RAID systems and dynamic disks

Various data recovery techniques

RAM editor, providing access to physical RAM and other processes' virtual memory

Page 9: WinHex

Other Features cont.

Data interpreter, knowing 20 data types

Editing data structures using templates (e.g. to repair partition table/boot sector)

Concatenating and splitting files, unifying and dividing odd and even bytes/words

Analyzing and comparing files

Particularly flexible search and replace functions

Page 10: WinHex

Other Features cont.

Disk cloning (under DOS with X-Ways Replica)

Drive images & backups (optionally compressed or split into 650 MB archives)

Programming interface (API) and scripting

256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)

Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy

Page 11: WinHex

Other Features cont.

Import all clipboard formats, incl. ASCII hex values

Convert between binary, hex ASCII, Intel Hex, and Motorola S

Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)

Supports files >4 GB. Very fast. Easy to use.

Extensive online help.

Page 12: WinHex

Data Recovery

File Recovery with the Directory Browser- Deleted files and directories that are listed in the directory browser can be recovered easily and selectively with the directory browser’s context menu.

File Recovery by Type- This recovery method is also referred to as "file carving". It searches for files that can be recognized by a characteristic file header signature. WinHex can often detect if recovered JPEG and GIF files, and files of some other types, are corrupt or incomplete. The algorithm tries to determine the original size of different data type files by examining their data structure, roughly limited by the user-supplied maximum size.

- Technically it is possible to select as many file types for simultaneous recovery as you like.

- File headers can be searched only at cluster boundaries, as the beginning of a cluster is the only place where a file can start in a cluster-based file system.
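
The carving procedure described above (signature search at cluster boundaries only, size bounded by a user-supplied maximum), as an added Python example that is not WinHex code. The 4096-byte cluster size, the use of the JPEG end-of-image marker to size a file, and the sample image are assumptions constructed for illustration.

```python
# Added illustration of header-signature carving; not WinHex's actual algorithm.
CLUSTER_SIZE = 4096            # assumed cluster size of the imaged volume
JPEG_HEADER = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_FOOTER = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(image: bytes, cluster_size: int = CLUSTER_SIZE,
                max_size: int = 64 * 1024):
    """Return a list of (offset, length, complete) for JPEG candidates.

    Headers are tested only at cluster boundaries. The length runs to the
    first end-of-image marker, capped by max_size; if no marker is found
    inside the cap, the candidate is reported as incomplete.
    """
    hits = []
    for offset in range(0, len(image), cluster_size):
        if not image.startswith(JPEG_HEADER, offset):
            continue  # no signature at the start of this cluster
        window = image[offset:offset + max_size]
        end = window.find(JPEG_FOOTER, len(JPEG_HEADER))
        if end == -1:
            hits.append((offset, len(window), False))
        else:
            hits.append((offset, end + len(JPEG_FOOTER), True))
    return hits


def build_sample_image() -> bytes:
    """Constructed 4-cluster image: two fake JPEGs plus a misaligned decoy."""
    def cluster(data: bytes) -> bytes:
        return data.ljust(CLUSTER_SIZE, b"\x00")
    complete = JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER
    # Signature 10 bytes into a cluster: never examined by the carver.
    decoy = b"\x00" * 10 + JPEG_HEADER + b"\xe0decoy" + JPEG_FOOTER
    # Header present but the end marker is missing (overwritten or cut off).
    truncated = JPEG_HEADER + b"\xe0" + b"B" * (CLUSTER_SIZE - 4)
    return cluster(b"") + cluster(complete) + cluster(decoy) + cluster(truncated)


if __name__ == "__main__":
    for off, length, ok in carve_jpegs(build_sample_image()):
        print(f"offset={off:#x} length={length} complete={ok}")
```

Taking the first end marker is a simplification: a real JPEG with an embedded thumbnail contains an earlier end marker, which is one reason a carver has to examine the file's data structure rather than rely on a footer alone.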

Page 13: WinHex

Data Recovery cont.

File Type Definitions- "File Type Signatures.txt" is a tab-delimited text file that serves as a file type definition database for contents tables and for the File Recovery by Type command.

- WinHex comes with various preset file type signatures. You may fully customize the file type definitions and add your own ones, either in "File Type Signatures.txt" itself or by creating additional files of the same format named "File Type Signatures *.txt".

- After editing the file type definitions, you need to invoke the File Recovery by Type command.

Page 14: WinHex

Data Recovery cont.

Manual Data Recovery

- It is possible to restore lost or logically deleted files (or, more generally, data) that are merely marked as deleted in the file system, but have not been physically erased (or overwritten).

- The logical drive where the deleted file resided can be opened in the disk editor to retrieve the deleted file using different techniques.

Page 15: WinHex

Acquire

Volume snapshot of Lexar Flash Drive

Page 16: WinHex

Search

Simultaneous Search of Flash Drive.

Page 17: WinHex

Analyze

Analyzing disc

Page 18: WinHex

Summary

WinHex is an advanced universal hexadecimal editor, particularly utilized in the realm of computer forensics, data recovery, low-level data processing, and IT security. It can inspect and edit all kinds of files and recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

Features include:

- Disk Drive Imaging
- Create hashes and checksums
- Search and Replace
- Wipe drives
- Edit partition tables, boot sectors, and other data structures using templates
- Join and split files
- Analyze and compare files
- Read and directly edit RAM
- Runs in read-only mode (write blocker software)
- Gather free and slack space

