Image Interpretation

WinHex & X-Ways

Interpret Image File As Disk


This command in the Specialist menu treats a currently open and active disk image file as either a logical volume (potentially with a supported file system) or physical (potentially partitioned) disk. This is useful if you wish to closely examine the file system structure of a disk image, extract files, etc. without assistance from any operating system. If interpreted as a physical disk, WinHex can access and open the partitions contained in the image individually as known from "real" physical hard disks. The same functionality is also used internally when adding images to a case in X-Ways Forensics and re-opening them later.


It is also possible to interpret spanned raw image files, that is, image files that consist of separate segments of any size. For WinHex to detect a spanned image file, there are a few supported naming possibilities:

1) The first segment may have an arbitrary non-numeric filename extension (e.g. .dd or .img), and then the second segment must be named .002, the third segment .003, and so on.

2) The first segment may have one of these numeric filename extensions: .001 or .0001 or .000 or .0000. The following segments must directly continue with incrementing numbers and the exact same number of digits, either three or four.

Obviously all segments must have the same base filename (the part of the name before the extension). The Create Disk Image command can image disks and produce canonically named file segments. Image segmentation is useful because the maximum file size supported in FAT32 file systems or on media such as DVD is considerably limited. It might also help in risk reduction (the smaller the segments, the less catastrophic the amount of lost data if a file is lost due to file system errors) and might have a performance benefit (if the operating system more effectively buffers frequently required image data if stored in smaller segments).
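An added example, not WinHex or X-Ways code, that applies the two naming rules above to a directory listing so an examiner can verify that every segment of a spanned raw image is present (and none is stranded after a gap) before interpreting it; the file names used are constructed.

```python
import re

# First-segment extensions that mark naming scheme 2 (numeric, 3 or 4 digits).
NUMERIC_FIRST = {"001", "0001", "000", "0000"}


def segment_sequence(first_name, available):
    """Ordered segment names WinHex would treat as one spanned image.

    first_name: file name of the first segment (e.g. "evidence.dd").
    available:  file names present in the same directory (constructed here).
    The sequence stops at the first missing segment, as a reader would.
    """
    available = set(available)
    if first_name not in available:
        raise FileNotFoundError(first_name)
    base, dot, ext = first_name.rpartition(".")
    if not dot:
        raise ValueError("first segment needs a filename extension")
    if ext in NUMERIC_FIRST:
        # Scheme 2: keep the digit count and count up from the first number.
        digits, n = len(ext), int(ext)
    elif ext.isdigit():
        raise ValueError(f"numeric first extension .{ext} is not one of .000/.001/.0000/.0001")
    else:
        # Scheme 1: arbitrary non-numeric extension, next segment is .002.
        digits, n = 3, 1
    segments = [first_name]
    while True:
        n += 1
        candidate = f"{base}.{n:0{digits}d}"
        if candidate not in available:
            break
        segments.append(candidate)
    return segments


def orphaned_segments(first_name, available):
    """Same-base files with a numeric extension that WinHex would NOT pick up
    because an earlier segment is missing; a non-empty result means the image
    set is incomplete and should not be interpreted as-is."""
    segments = segment_sequence(first_name, available)
    base = first_name.rpartition(".")[0]
    pattern = re.compile(re.escape(base) + r"\.\d{3,4}$")
    return sorted(n for n in available if pattern.match(n) and n not in segments)
```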


In some rare cases WinHex may be unable to correctly determine the nature of the image, i.e. whether it is an image of a physical disk or of a volume, and consequently interprets the data in the image in a wrong way. If so, hold the Shift key when invoking this command. That way WinHex will ask you instead of deciding on its own. That will also make WinHex prompt you for the correct sector size and, in the case of raw images, for an additional storage location of further image file segments (in case you had to spread them across two different drives). Should there be any problems with detecting the file system in a volume, you may hold the Shift key when opening the volume to indicate the file system type you suppose is in the volume.


Mode 1 and Mode 2 Form 1 ISO CD images with 2,352 bytes per sector are also supported, if they are not spanned, and (with a forensic license) so are main memory dumps. VMware's Virtual Machine Disk images (VMDK), dynamic Virtual PC VHD images, and VirtualBox disk images (VDI) of the default subtype "sparse" and of the subtypes "fixed size" and "diff" (snapshots) can also be interpreted. Snapshot images can only be interpreted if the parent is available, open and itself interpreted beforehand. VMDK images with ESXi Host Sparse Extents (also referred to as "Copy-on-Write Disks" or COWD), as used by ESXi servers e.g. for virtual machine snapshots, are not supported. Only allocated areas in virtual machine images can be edited. With a forensic license, WinHex can also interpret .e01 evidence files, which can be created with the Create Disk Image command.


It is also possible to interpret images of various kinds (raw images and most VHD/VMDK/VDI) and nature (disk/volume) even if they are stored within other images (forensic disk images created by yourself), without copying them off the outer image first, as long as they do not consist of multiple segments. That can save a considerable amount of time, especially if after interpreting the contained image you can quickly see that it is not really relevant, and of course also drive space. First right-click the image in the directory browser and open it with the context menu's Open command in a separate data window. After that, interpret the image using the command in the main menu. Then, once the volume snapshot has been taken, if you think that the image is relevant, you can add it to the active case as usual with the "Add to active case" command in the context menu of the data window's tab or with the Add command in the Case Data window's File menu. Image files within TAR archives should also work, which is handy for VMDK virtual machine disks within OVA files (open virtualization archives in TAR format).


The newer Microsoft virtual disk image format VHDX is not supported. To convert VHDX images to VHD, you can run the following command in PowerShell on any operating system that supports Hyper-V (Windows 10, Windows Server 2012):

Convert-VHD -Path X:\ExistingImage.vhdx -DestinationPath V:\ConvertedImage.vhd


Loose $MFT files can be directly and conveniently interpreted as if they were images of NTFS volumes, to get at least a full listing of all files and directories, with their paths, timestamps and attributes. It's possible to open resident files (files whose contents are small enough to fit into the FILE records), but no other files, of course. This is useful in special situations where all you have is the $MFT, not the entire volume.