WinHex - PowerPoint PPT Presentation

About This Presentation
Title:

WinHex

Description:

Directory Browser ... File Recovery with the Directory Browser. Deleted files and directories that are listed in the directory browser can be ... – PowerPoint PPT presentation

Number of Views:607
Avg rating:3.0/5.0
Slides: 19
Provided by: higherh
Category:
Tags: winhex


Transcript and Presenter's Notes



1
WinHex
  • A powerful data recovery and forensic tool

2
What is a Hex Editor?
  • A hex editor is a program that allows you to
    edit compiled programs and binary data files.
  • A hex editor can display the complete contents
    of any file type. Unlike a text editor, a hex
    editor also shows control codes (e.g. linefeed
    and carriage-return characters) and executable
    code, representing each byte as a two-digit
    hexadecimal number.

3
What is WinHex?
  • WinHex is a powerful application that you can use
    as an advanced hex editor and file-viewer, a tool
    for data analysis, editing, and recovery, a data
    wiping tool, and a forensics tool used for
    evidence gathering and IT security.

4
Forensic Features
  • Case Management
  • It offers complete case management, automated log
    and report file generation.
  • Evidence Objects
  • You may add any currently attached computer
    medium (such as hard disk, memory card, USB
    stick, CD-ROM, DVD, ...), any image file, or
    ordinary file to the active case.
  • Log Report Feature
  • WinHex persistently logs all activities performed
    while the case is open. That allows you to easily
    track, reproduce, and document the steps you have
    followed to reach a certain result.
  • Report Tables
  • A report table is a user-defined (virtual) list
    of files. Files associated with report tables can
    then be easily included in the case report with
    all their metadata and even links.

5
Forensic Features cont.
  • Volume Snapshots
  • A volume snapshot is a database of the contents
    of a volume at a given point of time. A volume
    snapshot usually references both existing and
    previously existing (e.g. deleted) files, also
    virtual (artificially defined) files.
  • Directory Browser
  • Resembles the right-hand list of Windows Explorer;
    its main task is to display (and interact with)
    the volume snapshot. The directory browser also
    lists deleted files and directories.
  • Internal Viewer
  • It shows picture files of various file formats,
    the structure of Windows registry files, Windows
    Event Logs, Windows shortcut files (.lnk),
    Windows Prefetch files, LogFiles, and AOL PFC
    files internally.
  • Simultaneous Search
  • This search is simultaneous in that it allows the
    user to specify a virtually unlimited list of
    search terms, one per line.

6
Forensic Features cont.
  • Logical Search
  • A powerful subvariant of the simultaneous search.
    It allows you to search either all files, all
    existing and fictitious files (which includes all
    free space), or all tagged files or slack space.
  • Search Hit Lists
  • The directory browser can show search hits.
  • Search Term List
  • The search term list contains all the search
    terms ever used for conventional (non-index)
    searches in the case, plus those index search
    terms for which index search hits have been
    permanently saved.
  • Indexing, Index Search
  • Creates indexes of all words in all or certain
    files in the volume snapshot, based on characters
    you provide, based on the Unicode character set
    and/or up to two code pages that you select.

7
Forensic Features cont.
  • Hash Database
  • The internal hash database, once created,
    consists of 257 binary files with the extension
    .xhd (X-Ways Hash Database). It is up to you to
    decide which hash type the database is built
    around (MD5, SHA-1, SHA-256, ...).
  • Time Zone Concept
  • X-Ways Forensics employs its own, not Windows'
    logic for converting UTC to local filetimes. It
    displays timestamps independently of the time
    zone selected in the examiner's system's Control
    Panel.
  • Evidence File Containers
  • An evidence file container is a raw image file
    formatted with the XWFS file system.

8
Other Features
  • Native support for FAT, NTFS, Ext2/3, ReiserFS,
    Reiser4, UFS, CDFS, UDF
  • Built-in interpretation of RAID systems and
    dynamic disks
  • Various data recovery techniques
  • RAM editor, providing access to physical RAM and
    other processes' virtual memory

9
Other Features cont.
  • Data interpreter, knowing 20 data types
  • Editing data structures using templates (e.g. to
    repair partition table/boot sector)
  • Concatenating and splitting files, unifying and
    dividing odd and even bytes/words
  • Analyzing and comparing files
  • Particularly flexible search and replace
    functions

10
Other Features cont.
  • Disk cloning (under DOS with X-Ways Replica)
  • Drive image backups (optionally compressed or
    split into 650 MB archives)
  • Programming interface (API) and scripting
  • 256-bit AES encryption, checksums, CRC32, hashes
    (MD5, SHA-1, ...)
  • Erase (wipe) confidential files securely, hard
    drive cleansing to protect your privacy

11
Other Features cont.
  • Import all clipboard formats, incl. ASCII hex
    values
  • Convert between binary, hex ASCII, Intel Hex, and
    Motorola S
  • Character sets ANSI ASCII, IBM ASCII, EBCDIC,
    (Unicode)
  • Supports files > 4 GB. Very fast. Easy to use.
    Extensive online help.

12
Data Recovery
  • File Recovery with the Directory Browser
  • Deleted files and directories that are listed in
    the directory browser can be recovered easily and
    selectively with the directory browser's context
    menu.
  • File Recovery by Type
  • This recovery method is also referred to as "file
    carving". It searches for files that can be
    recognized by a characteristic file header
    signature. WinHex can often detect whether
    recovered JPEG, GIF, and files of some other
    types are corrupt or incomplete. The algorithm
    tries to determine the original size of files of
    different data types by examining their data
    structure, roughly limited by the user-supplied
    maximum size.
  • Technically it is possible to select as many file
    types for simultaneous recovery as you like.
  • File headers can be searched only at cluster
    boundaries, as the beginning of a cluster is the
    only place where a file can start in a
    cluster-based file system.

13
Data Recovery cont.
  • File Type Definitions
  • "File Type Signatures.txt" is a tab-delimited
    text file that serves as a file type definition
    database for contents tables and for the File
    Recovery by Type command.
  • WinHex comes with various preset file type
    signatures. You may fully customize the file type
    definitions and add your own ones, either in
    "File Type Signatures.txt" itself or you create
    additional such files of the same format named
    "File Type Signatures .txt"
  • After editing the file type definitions, you need
    to invoke the File Recovery by Type command.
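As an added illustration of the File Recovery by Type and File Type Definitions slides above (example code written for this transcript, not WinHex's own code, and not the real layout of "File Type Signatures.txt"), the Python below parses a constructed tab-delimited signature table, scans a constructed image only at cluster boundaries, sizes each hit by its footer within the maximum size, and flags a hit whose footer is missing as incomplete. The column order of the table and the 512-byte cluster size are assumptions.

```python
# Constructed stand-in for a tab-delimited signature database.
# Assumed columns: description, extension, header hex, footer hex, max size.
SIGNATURE_TABLE = """\
JPEG\tjpg\tFFD8FF\tFFD9\t4096
PNG\tpng\t89504E470D0A1A0A\t49454E44AE426082\t4096
"""

CLUSTER = 512  # assumed cluster size of the constructed image


def parse_signatures(text):
    """Turn the tab-delimited table into (desc, ext, header, footer, max) tuples."""
    sigs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        desc, ext, header, footer, maxsize = line.split("\t")
        sigs.append((desc, ext, bytes.fromhex(header),
                     bytes.fromhex(footer) if footer else b"", int(maxsize)))
    return sigs


def carve(image, sigs, cluster=CLUSTER):
    """Look for headers at cluster boundaries only; size each hit by its
    footer, capped at max size. Returns (offset, desc, length, complete)."""
    hits = []
    for off in range(0, len(image), cluster):
        for desc, ext, header, footer, maxsize in sigs:
            if not image.startswith(header, off):
                continue
            window = image[off:off + maxsize]
            end = window.find(footer, len(header)) if footer else -1
            if end == -1:
                # No footer within max size: truncated or corrupt file
                hits.append((off, desc, len(window), False))
            else:
                hits.append((off, desc, end + len(footer), True))
    return hits


def build_image():
    """Constructed 4-cluster image: a complete JPEG in cluster 0, a JPEG
    header inside cluster 1 (not at a boundary), a PNG lacking its IEND."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 10 + b"\xff\xd9"
    c0 = jpeg.ljust(CLUSTER, b"\x00")
    c1 = (b"x" * 100 + b"\xff\xd8\xff\xe0" + b"mid-cluster").ljust(CLUSTER, b"x")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
    c2 = png.ljust(CLUSTER, b"\x00")
    return c0 + c1 + c2 + b"\x00" * CLUSTER
```

Running `carve(build_image(), parse_signatures(SIGNATURE_TABLE))` reports the complete 126-byte JPEG at offset 0 and the incomplete PNG at offset 1024, and skips the mid-cluster header; lowering the cluster argument shows how a byte-granular scan picks that stray header up as well.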

14
Data Recovery cont.
  • Manual Data Recovery
  • It is possible to restore lost or logically
    deleted files (or, more generally, data) that are
    merely marked as deleted in the file system but
    have not been physically erased (or overwritten).
  • Using the disk editor, the logical drive where the
    deleted file resided can be opened and the deleted
    file retrieved using various techniques.

15
Acquire
  • Volume snapshot of Lexar Flash Drive

16
Search
  • Simultaneous Search of Flash Drive.

17
Analyze
  • Analyzing disc

18
Summary
  • WinHex is an advanced universal hexadecimal
    editor, used particularly in computer forensics,
    data recovery, low-level data processing, and IT
    security. It can inspect and edit all kinds of
    files and recover deleted files or lost data from
    hard drives with corrupt file systems or from
    digital camera cards.
  • Features include
  • Disk Drive Imaging
  • Create hashes and checksums
  • Search and Replace
  • Wipe drives
  • Edit partition tables, boot sectors, and other
    data structures using templates
  • Join and split files
  • Analyze and compare files
  • Read and directly edit RAM
  • Runs in read-only mode (write blocker software)
  • Gather free and slack space