Recover/Copy

WinHex & X-Ways

 

Command in the context menu of the directory browser.

 

Allows you to copy the selected files from their current location, e.g. from within an interpreted image file or from a local disk, to a location that can be selected in a standard Windows file dialog. This can be applied to both existing and deleted files and directories. Illegal filename characters are filtered out.

 

If necessary, you can manually enter the output path by clicking the "..." button in the same line where the path is displayed. Useful if you wish to specify a network location that Windows does not list by default in the dialog window for the path selection. If you enter a non-existing output path, you will be notified and may proceed anyway, in which case that path will be created automatically if possible. The unlabeled check box next to the "..." button can be used to indicate that you would like to get a Windows Explorer window opened for the output path once copying has completed to check out the result.

 

Numerous extra features are available with a forensic license:

 

• The complete original path can optionally be recreated in the output directory, or optionally (if half checked) only a partial path. The evidence object name becomes part of the recreated path, too, if you either copy from within the case root or if you do not have X-Ways Forensics default to the evidence object folder as the output directory (see case properties). A partial path is the path starting from the currently explored directory, or when copying from the recursively explored case root window only the evidence object name, not the path within the evidence object.

 

• Overlong paths are supported (more than 260, up to 510 characters, for output path + optional original path + original filename). You can still limit paths to the ordinary length of 260 characters or less if you would not be able to access (e.g. view, copy or delete) such files otherwise (because ordinary tools like the Windows Explorer do not allow that). If the output path of a selected file exceeds the limit, the name of the file is shortened until it fits. If shortening the name does not help to stay under the specified path length limit, the file is not copied, but added to a report table, so that you can conveniently select all the omitted files later and copy them separately without original path if you like.

 

• It is possible to create a 2nd copy of all selected files in a separate directory. Useful if you need to provide two parties with copies of relevant files and wish to save time. The logging option is for the 1st copy only, though.

 

• An option exists to name output files after their unique ID, while preserving the filename extension. If only half checked, the files will not be named purely after the unique ID (+extension); instead, the unique ID will be inserted between base filename and filename extension, or prepended.

 

• Files that could not be copied (e.g. if the path is too long) are added to a report table.

 

• The original timestamps (creation, modification, last access, if available) are re-applied to the recovered/copied files.

 

• Unless you choose to overwrite or skip files with identical names that exist in the output directory, duplicate filenames will be changed to unique filenames by inserting incrementing numbers before the extension. So if you copy all files to the same directory, even those from different evidence objects, all output filenames will be unique (and the copylog file allows you to later find out what each file was originally named, where it originated from and which metadata it had).

 

• The presumed correct file type of newly identified files, if different from the extension in the original filename or if the filename does not have any extension, can optionally be appended to the output filename. This option also has an effect when copying files to view them with the associated program.

 

• When working with an active case and if special logging for this command is enabled, the copy/recovery process is documented in the file "copylog.html" or "copylog.txt". All available metadata and the output filename (optionally including target path) can be recorded. The file can be created either in the _log subdirectory of the case or in the Recover/Copy target folder. Cf. also Case Properties.

 

• Slack space can optionally be included in the output, either as part of the file or separately, or solely slack can be copied.

 

• You can choose whether to also copy child objects of selected files or not.

 

• You can also choose whether to copy files that are filtered out.

 

• If you have X-Ways Forensics recreate the original path for copied files, the hierarchical location of files that are child objects of other files must be reflected appropriately, too. And that must happen with the help of a directory, because ordinary file systems do not support the concept that a file can contain further files, as is normal with volume snapshots in X-Ways Forensics. However, there would be a name conflict if an artificial directory was created with the same name as the parent file, as that parent file might be selected for copying as well, and would of course be created in the same directory as the aforementioned artificial directory that is needed to reflect the path of the child object. Hence the artificial directory must be named slightly differently. It can be truncated after a user-defined number of characters, and this is useful in particular for e-mail messages that are named after the subject line and of course can contain attachments as child objects, to avoid overlong paths. Also either a single suffix character of your choice can be appended (and by default that is a special Unicode character that is invisible in complete Unicode fonts, such that the directory seems to have exactly the same name as the corresponding parent file), or otherwise some descriptive words like " child objects" are appended to the name (but that unfortunately increases the total path length, which all too often exceeds common limits). If the edit box for the suffix character seems to be blank, that is most likely because the aforementioned invisible Unicode character is in there. It has a width of 0. To replace it with any other character, remove the invisible character first, by clicking in the edit box and hitting the backspace key on your keyboard.

 

• Existing and deleted objects can be grouped together in separate output directories named “Ex” and “Del”.

 

• Further grouping/classification of copied files in separate directories based on up to two selected directory browser columns is supported: description, file type, file type description, file type category, sender, owner, hash set, hash category, report table associations, search terms.

 

• If both an attachment and the corresponding e-mail message (its parent) are selected for copying and not excluded by filters, the attachment can optionally be embedded in the resulting output .eml file as Base64 code instead of copied separately. That facilitates viewing the complete e-mail including attachments. To view .eml files you can use Outlook Express, Windows Mail, Windows Live Mail or Thunderbird (all free of charge). If certain attachments cannot be embedded, you will be informed via the Messages window, and in such a case they will be copied separately, as if the embedding option was not selected.

 

• NTFS alternative data streams (ADS) can optionally be output as ADS. By default, they are recreated as ordinary files, to make them more easily accessible.

 

• X-Ways Forensics can try to encode zeroed out areas in a file as sparse when writing the data. This will have an effect only if the zeroed areas are somewhat aligned and sufficiently large, and of course only when writing to an NTFS or ReFS volume, not FAT. Works no matter whether the source file is defined as sparse or not. This option will reduce the data transfer rate and is recommended only if you know that the data that you are copying is probably suitable.

 

• You may use the alternative names of files, if available, for the output. The alternative name, if one exists, can be seen in the directory browser in square brackets. For example, when parsing iPhone backups, X-Ways Forensics automatically changes artificial generic filenames back to what they were originally. Or, when parsing $I files from the Windows recycle bin, the corresponding $R files are given their original names. If for some reason you prefer the untranslated filenames when copying such files off the image to your own hard disk, for example because you wish to process these files with some external tool that expects the artificial filenames, then you can now use this option.

 

When using the Recover/Copy command in search hit lists, directories that contain hits are recreated in the output folder as files, as the user likely wishes to retain the original data that contain the actual search hit. Child objects are never copied along with their parent objects from within a search hit list.
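
A post-export check for the artificial child-object directories described above, as an added example that is not X-Ways code: it lists output directories whose names end in invisible characters and reports whether the matching parent file sits beside them. The page does not name the suffix character, so the script assumes that any trailing Unicode format-category (Cf) code point counts; the sample tree and its use of U+200B are constructed for the demonstration.

```python
import os
import tempfile
import unicodedata

def invisible_suffix(name):
    """Return the trailing run of Unicode format (Cf) characters in name."""
    i = len(name)
    while i > 0 and unicodedata.category(name[i - 1]) == "Cf":
        i -= 1
    return name[i:]

def find_child_object_dirs(root):
    """Walk an export folder and return (path, code points, parent_present)
    for each directory whose name ends in invisible characters."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            suffix = invisible_suffix(d)
            if not suffix:
                continue
            visible = d[: len(d) - len(suffix)]
            codepoints = [f"U+{ord(c):04X}" for c in suffix]
            # The directory name may have been truncated, so the parent file
            # is matched by prefix rather than by exact name.
            parent_present = bool(visible) and any(
                f.startswith(visible) for f in filenames)
            findings.append((os.path.join(dirpath, d), codepoints, parent_present))
    return findings

def build_sample_export(root):
    """Constructed sample: an e-mail, its child-object directory, a normal directory."""
    os.makedirs(os.path.join(root, "Invoice.eml\u200b"))  # assumed suffix character
    os.makedirs(os.path.join(root, "Documents"))
    open(os.path.join(root, "Invoice.eml"), "w").close()
    open(os.path.join(root, "Invoice.eml\u200b", "scan.pdf"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_export(tmp)
        for path, cps, parent in find_child_object_dirs(tmp):
            status = "parent file present" if parent else "no parent file"
            # repr() makes the otherwise invisible suffix show up as an escape
            print(repr(path), cps, status)
```

Running this over an export before handing it to external tools or scripts shows which paths carry a suffix that will not be visible in a file listing but still has to match byte for byte.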