Edit Modes

The info pane shows, for each file or disk, the mode in which it was opened in the program. The info pane's context menu lets you change the edit mode of the active window selectively.

Read-only/View mode: Recommended for computer forensic examinations. To enforce strict forensic procedures, this is the only mode available in X-Ways Forensics, except for files in the current case's directory and in the general folder for temporary files, which may be decoded, decrypted, converted, etc. Files or disks opened in view mode cannot be edited or altered in WinHex, whether intentionally or accidentally; they can only be viewed. In other words, WinHex opens them write-protected, i.e. read-only.

Default edit mode: Modifications to files or disks opened in default edit mode are stored in temporary files. Those temporary files are created and maintained dynamically as needed. Only when you close the edit window or use the Save command in the File menu are the modifications flushed and the original file or disk updated, after prompting the user.

In-place edit mode: Please use caution when opening files or disks in in-place edit mode. All kinds of modifications (keyboard input, filling or removing the block, writing clipboard data, replacements, ...) are written to the original file or disk ("in place") without prompting! It is not necessary to save the file manually after modifying it. Instead, the modifications are saved lazily and automatically, at the latest when the edit window is closed. However, you may use the Save command to ensure the buffer is flushed at a given time.

In-place edit mode is preferable if the data transfer from the original to the temporary file and vice versa, which is obligatory in default edit mode for certain operations, would consume too much time or disk space. This may be the case when opening very large files or when modifying huge amounts of data. Since usually no temporary files are needed in in-place edit mode, this mode is generally faster than default edit mode. In-place edit mode is the only mode available when using the RAM editor. Hint: Even in in-place edit mode, the creation of a temporary file is unavoidable when altering the file size.

If you open files using the operating system (e.g. via File | Open, from any drive letter currently available in Windows), operating system file write commands will be used to change a file on the disk. However, in WinHex it is even possible to edit files without using operating system file write commands, directly on a disk or in a raw disk image, in any supported file system, even if that file system is not known to Windows, even files not seen by Windows (e.g. deleted files), even in partitions not seen by Windows (e.g. damaged or deleted partitions), without changing any timestamps or attributes, in in-place mode only. For this editing capability, the file must be opened from within the already opened volume that contains it, either via the Open command in the directory browser context menu or in File mode (forensic license only). Compressed files, or generally files within other files (e.g. e-mails and attachments in e-mail archives), cannot be edited, except in an evidence file container if they have been copied there from the original disk/image. Note that files cannot be shortened or expanded that way; only the data in already allocated areas can be modified. Editing files opened directly from within disks/raw images as described above is possible in WinHex only, not in X-Ways Forensics or X-Ways Investigator, where sector-level write access (to which file editing is internally translated) is disabled and where the only mode available for disks, interpreted images and files opened from within volumes is read-only mode. X-Ways Forensics can easily be run as WinHex if preferred (simply rename the .exe file).

In forensic computing, electronic discovery and IT security, this editing capability can be helpful to manually redact (e.g. overtype) specific data that should not be examined, disclosed or seen, or to securely erase specific areas within files (e.g. define them as a block and fill the block). Note that evidence file containers are raw images if they have not been converted to the .e01 evidence file format and thus allow for retroactive file editing, which, however, will invalidate any accompanying hash values. It is even possible to edit directories, i.e. the clusters holding directory data, e.g. INDX buffers in NTFS, for example if you need to redact the names of certain files.
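Added example, not part of the WinHex documentation: a small Python script that models the in-place "fill the block" redaction described above on a constructed raw image. It shows the two caveats the text raises, namely that the file size cannot change (only already allocated data is overwritten) and that the hash recorded at acquisition no longer verifies afterwards and has to be recomputed and documented. File name, offsets and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def fill_block_in_place(path, offset, length, fill=b"\x00"):
    """Overwrite [offset, offset+length) with a repeated fill byte directly in
    the file, with no temporary copy, as in-place edit mode does.  The file
    size never changes: a block reaching past the end is rejected."""
    size = os.path.getsize(path)
    if offset < 0 or length < 0 or offset + length > size:
        raise ValueError("block must lie within the already allocated area")
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(fill * length)      # only this range is touched
        f.flush()
        os.fsync(f.fileno())        # make sure the write reaches the disk
    return size

def demo():
    """Constructed 1024-byte stand-in for a raw image: hash it, redact a
    16-byte block, then check size, untouched data and hash validity."""
    data = bytes(range(256)) * 4
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    acquired = sha256_of_file(path)          # value recorded at acquisition
    fill_block_in_place(path, 256, 16)       # redact one block in place
    try:
        fill_block_in_place(path, 1020, 8)   # would extend the file
        expanded = True
    except ValueError:
        expanded = False
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return {
        "size_unchanged": len(after) == len(data),
        "only_block_changed": after[:256] == data[:256]
            and after[256:272] == b"\x00" * 16 and after[272:] == data[272:],
        "cannot_expand": not expanded,
        "hash_still_valid": acquired == hashlib.sha256(after).hexdigest(),
    }
```

Because the acquisition hash stops matching, a redacted container needs a fresh hash and a note explaining the edit before it is handed on.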