Getting started with X-Ways Forensics


 

For the latest download instructions, if your update maintenance is current, you can check your license status here. For more information about the installation of WinHex and X-Ways Forensics please see this web page.

 

Extract the files in the X-Ways Forensics download to a directory of your choice. An installation with the setup program is not necessary. The program is portable and can also be started directly from a USB stick on other computers, e.g. live systems that you would like to examine. Also download the viewer component (which is not included in the standard download because it is updated much less frequently). Use the 64-bit edition of the viewer component for the 64-bit edition of X-Ways Forensics. By default, the viewer component is expected in the subdirectory \viewer (32 bit) or \x64\viewer (64 bit). Please be advised that the viewer component, unlike X-Ways Forensics, creates files in the profile of the user who is currently logged on, so if you wish to avoid creating files on a live system that you examine, don't let X-Ways Forensics use the viewer component. You may also wish to download MPlayer if you intend to have X-Ways Forensics produce stills from videos to see them in the gallery. Newer releases can always be extracted into the existing directory of an earlier release. You may continue to use WinHex.cfg configuration files from earlier releases in later releases (but never the other way around).

 

Here are some instructions to help you get started and find some important features: Create a case and add an evidence object (such as your own C: drive or hard disk 0, or an image file). In the directory tree, you may use a right click to list the contents of a directory in the directory browser including all its subdirectories. For example, if you right-click the root directory of a volume, you will get a listing of all files in the entire volume. At the same time you can use a dynamic filter to focus on files with certain filenames, of a certain file type or size, with certain timestamps, etc. via Options | Directory Browser.

 

The powerful logical search functionality can be found in Search | Simultaneous Search. More interesting functions in X-Ways Forensics can be found in the context menu of the directory browser (e.g. the ability to copy files off an image) and in the Specialist menu, in particular "Refine Volume Snapshot". The latter allows you to further process files automatically, e.g. explore zip archives, extract e-mail messages and attachments, check pictures for the amount of skin tones, check documents for encryption, etc.

 

There are a thousand different purposes for which X-Ways Forensics can be used, so in our opinion step-by-step instructions (click here first, then there, then look here) are not the right way to explain the software. This program help/user manual is rather meant to accurately describe all the available functionality and let you creatively combine different features to achieve a certain goal. It is still the user who has to do the thinking, know what he/she is doing and how to interpret findings.

 

The 64-bit edition is recommended especially in situations where the 32-bit memory address space may be insufficient, when dealing with disks or images that contain many millions of files, or when dealing with many millions of search hits, provided that you have plenty of physical RAM installed. Certain operations that are computationally intensive (e.g. hashing or encrypting) may also be faster in the 64-bit edition.