Command line parameters

WinHex & X-Ways


1) You can simply specify the names of files that you wish to open automatically as command line parameters, including path if necessary. Physical disks can also be opened, e.g. specify :0 for hard disk 0.

 

2) The command line can be used to run file editing scripts. Just specify the .whs script filename as a parameter. It will be executed instead of opened.

 

3) The command line can be used to open an existing case. Just specify the .xfc case filename as the first parameter. You can add images to such a case with the AddImage: command (see below).

 

4) The command line can be used in X-Ways Forensics (not X-Ways Investigator) to automatically a) create a case, b) add images, and c) refine the volume snapshot of all added evidence objects. Example:

xwforensics64.exe "NewCase:D:\Cases\My case" "AddImage:Z:\Images\*.e01" "AddImage:Z:\Images\My image.dd" RVS:~ auto

 

If no path is specified for the case, it will be created in the default directory for cases. The quotation marks are required only for parameters that contain spaces. As you can see, the AddImage command supports asterisks. It also supports optional sub-parameters to force interpretation of an image as either a physical, partitioned medium (P) or volume (V) and to force interpretation with a certain sector size, where the sector size is optional, e.g.

 

AddImage:#P#Z:\Images\*.dd

AddImage:#P,4096#Z:\Images\*.dd

 

If you don’t specify these sub-parameters, a dialog window might pop up to ask the user for this input, but only in some very rare cases: only if it is not obvious to X-Ways Forensics from the data in the first few sectors what kind of image it is, and if the image was not created by X-Ways Forensics or X-Ways Imager, and if the image is not in .e01 evidence file format (e.g. a raw image). The dialog window will pop up only if all three conditions are met at the same time and you do not specify the sub-parameters.

 

To refine the volume snapshot ("RVS:~" command), X-Ways Forensics will by default run the same operations as were applied to a "virgin" (i.e. completely unrefined) volume snapshot last time according to the WinHex.cfg file. Text in message boxes that usually need to be clicked away by the user is redirected to the Messages window while processing the command line parameters AddImage and RVS. Dialog boxes, if any, would still pop up normally.

 

5) If you wish to apply different settings to different kinds of cases, you need to store these settings in separate WinHex.cfg files (in different directories or with different names) and restore the desired one before executing X-Ways Forensics. Alternatively, you can use the command line parameter "Cfg:", which determines the name of the configuration file from which X-Ways Forensics will read during start-up and to which it will write when terminating, in situations when you need to use an alternative configuration (not the one stored in the main WinHex.cfg file). This is useful, for example, if for automated processing you need different settings than for manual execution, with specific volume snapshot refinement operations selected, or if you want to avoid the prompt whether a second instance should be started. Such a parameter looks like "Cfg:My other settings.cfg". As always, the quotation marks are required only if the name contains spaces. The maximum length of the name is 31 characters. Only ANSI/ASCII characters are currently supported. Command line parameters are usually processed in the order in which you specify them, except that the Cfg: parameter is processed before all the others, so it does not matter where it goes. Also, please note that a few settings are stored in other files, e.g. "X-Tensions.txt" and "Unwanted Metadata.txt".

 

6) It is also possible to image a physical device (e.g. local hard disk or remote hard disk or RAM opened through F-Response) automatically via the command line. The first parameter should start with a colon and then specify the number of the device in Windows (e.g. ":1" for hard disk No. 1, i.e. the second hard disk). This will cause that device to be opened automatically upon start-up. The second parameter should start with a pipe, followed by either "e01" or "raw" to indicate the preferred image file format, followed by another pipe and the path and filename of the image, then optionally followed by a description and the examiner name (e.g. "|e01|G:\Output filename.e01|My description|My name").

 

7) The last parameter can be "auto" if you wish to automatically exit X-Ways Forensics when finished.
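
For unattended batch processing, items 4), 5) and 7) can be combined in a small wrapper that builds the command line and rejects a Cfg: name the program would not accept. The following Python helper is an added example, not part of the original help text or of X-Ways software; the function names are illustrative, and it assumes the sector size follows V in the same way as in the #P,4096# form shown above.

```python
# Added example, not X-Ways code. Parameter syntax is taken from this page;
# function names and defaults are illustrative assumptions.
CFG_MAX_LEN = 31  # maximum Cfg: name length stated on this page


def quote(param):
    """Quote a parameter only if it contains a space, as the page describes."""
    if '"' in param:
        raise ValueError(f"embedded quotation mark in {param!r}")
    return f'"{param}"' if " " in param else param


def add_image(pattern, kind=None, sector_size=None):
    """AddImage:, optionally forcing interpretation as P/V and a sector size."""
    if kind is None:
        if sector_size is not None:
            raise ValueError("a sector size requires P or V")
        return f"AddImage:{pattern}"
    if kind not in ("P", "V"):
        raise ValueError("kind must be 'P' (physical medium) or 'V' (volume)")
    sub = kind if sector_size is None else f"{kind},{sector_size}"
    return f"AddImage:#{sub}#{pattern}"


def cfg_param(name):
    """Cfg: with the page's limits; plain ASCII is the stricter, safe subset."""
    if len(name) > CFG_MAX_LEN or not name.isascii():
        raise ValueError(f"Cfg name must be ASCII, at most {CFG_MAX_LEN} characters")
    return f"Cfg:{name}"


def build_command(exe, case, images, cfg_name=None, refine=True, auto_exit=True):
    """Assemble NewCase, AddImage..., RVS:~, Cfg: and a trailing auto."""
    params = [f"NewCase:{case}", *images]
    if refine:
        params.append("RVS:~")
    if cfg_name is not None:
        params.append(cfg_param(cfg_name))  # position is irrelevant: processed first
    if auto_exit:
        params.append("auto")  # must be the last parameter
    return " ".join(quote(p) for p in [exe, *params])


if __name__ == "__main__":
    print(build_command("xwforensics64.exe", r"D:\Cases\My case",
                        [add_image(r"Z:\Images\*.dd", "P", 4096)],
                        cfg_name="Batch settings.cfg"))
```

Logging the returned string alongside the case notes records exactly which parameters each automated run used.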