1. WinHex A powerful data recovery and forensic tool
2. What is a Hex Editor? A hex editor is a program which allows you to edit compiled programs and binary data-files.
A hex editor is capable of completely displaying the contents of each file type. Unlike a text editor, a hex editor even displays control codes (e.g. linefeed and carriage-return characters) and executable code, using a two-digit number based on the hexadecimal system.
3. What is WinHex? WinHex is a powerful application that you can use as an advanced hex editor and file-viewer, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering and IT security.
4. Forensic Features Case Management
It offers complete case management, automated log and report file generation.
You may add any currently attached computer medium (such as hard disk, memory card, USB stick, CD-ROM, DVD, ...), any image file, or ordinary file to the active case.
Log & Report Feature
WinHex obstinately logs all activities performed when the case is open. That allows you to easily track, reproduce, and document the steps you have followed to reach a certain result.
A report table is a user-defined (virtual) list of files. Files associated with report tables can then be easily included in the case report with all their metadata and even links.
5. Forensic Features cont. Volume Snapshots
A volume snapshot is a database of the contents of a volume at a given point of time. A volume snapshot usually references both existing and previously existing (e.g. deleted) files, as well as virtual (artificially defined) files.
The directory browser resembles Windows Explorer's right-hand list; its main task is to display (and interact with) the volume snapshot. The directory browser also lists deleted files and directories.
It shows picture files of various file formats, the structure of Windows registry files, Windows Event Logs, Windows shortcut files (.lnk), Windows Prefetch files, $LogFiles, and AOL PFC files internally.
This search is simultaneous in that it allows the user to specify a virtually unlimited list of search terms, one per line.
6. Forensic Features cont. Logical Search
A powerful subvariant of the simultaneous search. It allows you to search either all files, all existing and fictitious files (which includes all free space), or all tagged files or slack space.
Search Hit Lists
The directory browser can show search hits.
Search Term List
The search term list contains all the search terms ever used for conventional (non-index) searches in the case, plus those index search terms for which index search hits have been permanently saved.
Indexing, Index Search
Creates indexes of all words in all or certain files in the volume snapshot, based on characters you provide, based on the Unicode character set and/or up to two code pages that you select.
7. Forensic Features cont. Hash Database
The internal hash database, once created, consists of 257 binary files with the extension .xhd (X-Ways Hash Database). It is up to you to decide around which hash type the database is built (MD5, SHA-1, SHA-256, ...).
Time Zone Concept
X-Ways Forensics employs its own, not Windows' logic for converting UTC to local filetimes. It displays timestamps independently of the time zone selected in the examiner's system's Control Panel.
Evidence File Containers
An evidence file container is a raw image file formatted with the XWFS file system.
8. Other Features Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
Built-in interpretation of RAID systems and dynamic disks
Various data recovery techniques
RAM editor, providing access to physical RAM and other processes' virtual memory
9. Other Features cont. Data interpreter, knowing 20 data types
Editing data structures using templates (e.g. to repair partition table/boot sector)
Concatenating and splitting files, unifying and dividing odd and even bytes/words
Analyzing and comparing files
Particularly flexible search and replace functions
10. Other Features cont. Disk cloning (under DOS with X-Ways Replica)
Drive images & backups (optionally compressed or split into 650 MB archives)
Programming interface (API) and scripting
256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
11. Other Features cont. Import all clipboard formats, incl. ASCII hex values
Convert between binary, hex ASCII, Intel Hex, and Motorola S
Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
Supports files >4 GB. Very fast. Easy to use. Extensive online help.
12. Data Recovery File Recovery with the Directory Browser
Deleted files and directories that are listed in the directory browser can be recovered easily and selectively with the directory browser’s context menu.
File Recovery by Type
This recovery method is also referred to as "file carving". It searches for files that can be recognized by a characteristic file header signature. WinHex can often detect if recovered JPEG, GIF, and files of some other types, are corrupt or incomplete. The algorithm tries to determine the original size of different data type files by examining their data structure, roughly limited by the user-supplied maximum size.
Technically it is possible to select as many file types for simultaneous recovery as you like.
File headers can be searched only at cluster boundaries, as the beginning of a cluster is the only place where a file can start in a cluster-based file system.
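File carving as described in this slide, as an added example (not WinHex's code or algorithm): headers are tested only at cluster boundaries, and the file size is estimated up to a user-supplied maximum. The 4096-byte cluster size, the two-entry signature table, and the simple footer scan used to estimate size are assumptions for illustration; the sample image is constructed.

```python
CLUSTER = 4096  # assumed cluster size of the volume being carved

# (header, footer) per type: a constructed two-entry table for illustration,
# not the contents of WinHex's "File Type Signatures.txt".
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF89a", b"\x00\x3b"),
}

def carve(image, cluster=CLUSTER, max_size=1024):
    """Return (offset, type, size, complete) for each header found at a
    cluster boundary. Size is taken from the first footer seen within
    max_size bytes; without a footer the hit is capped at max_size and
    flagged incomplete."""
    hits = []
    for off in range(0, len(image), cluster):  # cluster boundaries only
        for ftype, (header, footer) in SIGNATURES.items():
            if not image.startswith(header, off):
                continue
            window = image[off:off + max_size]
            end = window.find(footer, len(header))
            if end != -1:
                hits.append((off, ftype, end + len(footer), True))
            else:
                hits.append((off, ftype, len(window), False))
            break
    return hits

def build_sample():
    """Constructed 4-cluster image: an aligned JPEG, a JPEG header that is
    not cluster-aligned (e.g. embedded in another file), and a truncated GIF."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    gif = b"GIF89a" + b"G" * 50  # trailer missing: overwritten or truncated
    img = bytearray(CLUSTER * 4)
    img[CLUSTER:CLUSTER + len(jpeg)] = jpeg
    img[2 * CLUSTER + 10:2 * CLUSTER + 10 + len(jpeg)] = jpeg
    img[3 * CLUSTER:3 * CLUSTER + len(gif)] = gif
    return bytes(img)

if __name__ == "__main__":
    for off, ftype, size, complete in carve(build_sample()):
        state = "complete" if complete else "incomplete, capped at max size"
        print(f"offset {off:#07x}  {ftype}  {size} bytes  ({state})")
```

The unaligned JPEG header in the third cluster is not reported, which is the trade-off of searching at cluster boundaries only: it avoids false hits on data embedded inside other files, but cannot find a file that does not start on a boundary.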
13. Data Recovery cont. File Type Definitions
"File Type Signatures.txt" is a tab-delimited text file that serves as a file type definition database for contents tables and for the File Recovery by Type command.
WinHex comes with various preset file type signatures. You may fully customize the file type definitions and add your own, either in "File Type Signatures.txt" itself or in additional files of the same format named "File Type Signatures *.txt".
After editing the file type definitions, you need to invoke the File Recovery by Type command.
14. Data Recovery cont. Manual Data Recovery
It is possible to restore lost or logically deleted files (or, more generally, data) that are merely marked as deleted in the file system but have not been physically erased (or overwritten).
Using the disk editor, the logical drive where the deleted file resided can be opened to retrieve the deleted file using various techniques.
15. Acquire Volume snapshot of Lexar Flash Drive
16. Search Simultaneous Search of Flash Drive.
17. Analyze Analyzing disc
18. Summary WinHex is an advanced universal hexadecimal editor, particularly utilized in the realm of computer forensics, data recovery, low-level data processing, and IT security. It can inspect and edit all kinds of files and recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.
Disk Drive Imaging
Create hashes and checksums
Search and Replace
Edit partition tables, boot sectors, and other data structures using templates
Join and split files
Analyze and compare files
Read and directly edit RAM
Runs in read-only mode (write blocker software)
Gather free and slack space