Related Items
Only available with a forensic license.
Files/directories that have a corresponding "related" file or directory in the volume snapshot are marked in the directory browser with a small blue arrow pointing downwards on the left-hand side of their icon. A secondary tooltip appears for files with a "related" file when hovering the mouse cursor over the icon, which conveniently tells you the path and name of that related file, for example the target of a symbolic link. There are four different kinds of related objects:
1) When taking a volume snapshot of Unix-based file systems, symbolic links are connected to their targets in the volume snapshot as so-called related files, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also one of potentially several symlinks pointing to a certain target will become the related file of the target, so that you can conveniently navigate to the symlink or quickly see in the first place that one or more symlinks exist that point to a certain target, since any file that has a "related" file in the volume snapshot is marked with a tiny blue arrow next to its icon. Also the same arrow will tell you whether the target of a symlink can actually be found in the file system. If a symlink links to other symlinks, those are not recursively linked. If resolving symlink takes to long because there are many symlinks in a volume, you may safely abort that step at any time.
2) When taking a snapshot of volumes with Windows installations, certain reparse points (a.k.a. junction points) are connected to their targets in the volume snapshot just like as symlinks in Unix-based file systems, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also there will be a back-reference to one reparse point, so that you can conveniently navigate to that reparse point or quickly see in the first place that one or more reparse points exist that link to a certain directory, since any directory that has a "related" directoy in the volume snapshot is marked with a tiny blue arrow next to its icon. Forensic license only. Reparse points that do not get connected with their target directories will still show a comment that advises you of the target path as in earlier versions of X-Ways Forensics.
3) Hard links in HFS+ point to their corresponding iNode* (indirect node) file. iNode* files point back to one of their hardlinked counterparts, so that it is very convenient to locate at least one of those hardlinks and see the actual use and location of the file. To find other hardlinks for the same iNode* file, you can for example sort by the column "1st sector".
4) Files found in volume shadow copies in NTFS point to their shadow copy host file. VSC host files point to their corresponding snapshot properties file.