X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 

Computer Forensics, Investigations and Security

X-Ways Forensics - an advanced computer examination
and data recovery software.

Software for computer investigative specialists in private enterprise and law enforcement.
Marketed by X-Ways Software Technology AG.

 

In A Nutshell

X-Ways Forensics, the forensic edition of WinHex, is a powerful and affordable integrated computer forensics environment with numerous forensic features, rendering it a powerful disk analysis tool: capturing free space, slack space, inter-partition space, and text, creating a fully detailed drive contents table with all existing and deleted files and directories and even alternate data streams (NTFS), Bates-numbering files, and more. Picture gallery, file preview, calendar/timeline display. Also serves as a low-level disk imaging and cloning tool that creates true mirrors (including all slack space) and reads most drive formats and media types, and supports drives and files of virtually unlimited size (even terabytes on NTFS volumes!).

X-Ways Forensics and WinHex can natively interpret and show the directory structure on FAT, NTFS, Ext2/3, Reiser, CDFS, and UDF media and image files. It performs safe recoveries on hard disks, memory card, flash disks, floppy disks, ZIP, JAZ, CDs, DVDs, and more. It incorporates several automated file recovery mechanisms and allows to conveniently recover data manually. WinHex provides sophisticated, flexible and lightning-fast simultaneous search functions that you may use to scan entire media (or image files), including slack, for deleted files, hidden data and more. Via physical access, this can be accomplished even if a volume is undetectable by the operating system e.g. due to an unknown or a corrupt file system. 

 

Evaluation versionWhite Paper
Evidor Evidence AcquisitionTrace User ActivityDavory Data Recovery

 

Some Of The Features In More Detail

  • Disk Editor, File Editor, RAM Editor

    WinHex is an advanced binary editor that provides access to all files, clusters, sectors, bytes, nibbles, and bits inside your computer. It supports virtually unlimited file and disk sizes up to the terabyte region (thousands of gigabyte)! Memory usage is minimal. Speed of access is top-notch.

  • Directory Browser for FAT, NTFS, Ext2/Ext3, ReiserFS, CDFS/ISO9660, UDF

    Similar to and as easy to use as the Windows Explorer's right-hand list. This browser lists existing as well as deleted files and directories, with all details. Allows to list cluster chains, to navigate to files and directories in the disk editor, and to copy files off the drive. Works on image files and partitions even if not mounted in Windows because of native file system support!

  • Disk Cloning/Disk Imaging under DOS and Windows

    WinHex produces sector-wise copies of most media types, either to other disks (clones, mirrors) or to image files, using physical or logical disk access. The copies are forensically sound, they include all slack space and all free space. Very important for forensic examiners because it allows to work on the copy. Image files can optionally be compressed or split into independant archives. WinHex can silently generate log files that will note any damaged sector it encounters during cloning. All readable data will make it into the mirror. WinHex lets you check the integrity and authenticity of image files before restoring them.

    Besides, a DOS-based hard disk cloning and imaging tool is included. Most Windows environments tend to access a newly attached drive without asking, thereby e.g. altering the last access dates of some files. This is avoided under DOS. Requires a specialist or forensic license. X-Ways Replica

  • Data Recovery

    With its sophisticated disk editor, WinHex not only provides for manual file recovery. WinHex is also able to automatically recover files and even entire nested directory structures. There are several data recovery mechanisms integrated:

    1. “File Recovery by Name”: Simply specify one or more file masks (like *.gif, Smith*.doc, etc.) and have WinHex do the rest. Works on FAT12, FAT16, FAT32, and NTFS.

    2. “File Recovery by Type”: WinHex can recover all files that can be recognized by a certain file header signature (e.g. JPEG files, MS Office documents). This works on practically all file systems. Details

    3. With the above-mentioned directory browser you can conveniently and selectively recover listed files and directories.

    4. There is a special automatic recovery mode for FAT and NTFS drives, accessible via the Access button menu. Details

  • Partition Recovery/Boot Record Recovery

    WinHex lets you edit FAT12, FAT16, FAT32, and NTFS boot sectors as well as partition tables using tailored templates.

  • Hard Drive Cleansing/Disk Wiping

    WinHex can quickly fill every sector of a disk with zero bytes (or in fact any byte pattern you like, even random bytes), as often as you like (to maximize security). This effectively removes any traces of files, directories, viruses, proprietary and diagnostic partitions, etc and renders a disk “forensically clean”. Works in accordance with the standard outlined in DoD 5220.22-M (for details, please see this white paper).

    WinHex can also securely erase specific files or unused space on a drive only. Besides, you can fill sectors with a byte pattern that stands for an ASCII string such as “Bad Sector” on the destination disk before cloning: This will make those parts of the destination disk easily recognizable that have not been overwritten during cloning because of unreadable (physically damaged) source sectors or because of a smaller source drive. (Alternatively, unreadable source sectors can be written as zero-filled sectors on the destination disk.) 

  • Bates-Numbering Files

    Bates-numbers all the files within a given folder and its subfolders for discovery or evidentiary use. A prefix (up to 13 characters long) and a unique serial number are inserted between the filename and the extension in a way attorneys traditionally label paper documents for later accurate identification and reference. Requires a specialist or forensic license.

  • Scripting

    Using tailored scripts you are able to automate routine steps in your investigation. For example, you may want to concatenate searches for various keywords, or repeatedly save certain clusters into files on other drives, or execute any long-running or toilsome operations while you are absent.

  • Position Manager

    Save logged occurrences of search strings or otherwise important addresses within files or disks as bookmarks for later use. Archive bookmark collections as dedicated position files or export them as HTML tables (for use in MS Excel etc.).

  • Checksums, CRC16, CRC32, MD5, SHA-1, SHA-256, PSCHF

    WinHex can calculate several kinds of hash values of any file, disk, partition, or any part of a disk, even 256-bit digests, for the most suspicious ones. In particular, the MD5 message digest algorithm (128-bit) is incorporated, which produces commonly used unique numeric identifiers (hash values). The hash value of a known file can be compared against the hash value of an unknown file on a seized computer system. Matching values indicate with statistical certainty that the unknown file on the seized system has been authenticated and therefore does not need to be further examined.

Download evaluation versionWhite Paper
Evidor Evidence AcquisitionTrace User ActivityDavory Data Recovery

 

Disk Cloning And Imaging

The operation of creating exact duplicates of one media on another media of the same type is called disk cloning. The duplicate is also referred to as a mirror or a physical sector copy. Disk imaging is the term given to creating an exact copy of a disk in form of an image file. This image file can be stored on different media types for archiving and later restoration. Both forensically sound cloning and imaging are essential for data recovery and computer investigative purposes. 

 

“Version 11.1 is great. You continue to improve upon an already exemplary product and maintain excellent user support. I wish other software producers were in your league. I operate a computer forensic/electronic evidence business and use your product in all my cases almost without exception as a standard first line examination tool. The integration with Windows Explorer enables me to open many files quickly and conveniently under Winhex to quickly assess what I have. A great, reliable and bug free product.”

Jeffrey R. Gross - President
Computer Forensic Associates, Inc.
Electronic Evidence Specialists
Investigations, Recovery, Analysis & Consulting
www.4nsic.org

 

“As a professional forensics examiner, I have used Winhex as a forensics instrument in recovering and analyzing digital information. I have tested and validated the professional version and it has proved to be accurate and trustworthy in its reporting. I have the highest level of confidence in WinHex's efficacy in digital forensics cases. I am confident that the tool and my use of this instrument would stand legal review and opposing challenge.

I have given past expert reports and testimony based on my personal use of Winhex Professional in litigation which involves several significant civil matters. These include investigations dealing with Enron Corporation, Andersen Consulting, NewPark Drilling and ATMOS energy. I have also used Winhex in several criminal forensics matters here in the US in Texas, Oklahoma, District of Columbia and Federal cases.”

Larry Leibrock, Ph. D.
Founder and CTO of eForensics® LLC
Digital Forensics Examinations
Experienced Court Appointed Special Master
Enterprise Server/Network Investigations
Information Technologies Risk Assessments and Penetration Studies