Surrogate patterns

WinHex & X-Ways


 

If the program has trouble reading data for Disk/Partition/Volume or File/Preview mode or for searches, hashing, imaging, etc., the question is what data it should present to the requester. For read errors at different levels it uses different surrogate/substitute strings (preset texts), many of which, by the way, are language dependent. These strings are repeatedly copied into the read buffer until it is full, forming a recurring pattern that is easy to spot visually if shown on the screen and that should hopefully catch the user's attention and make him or her immediately aware of the problem.

 

1) "UNABLE TO READ FILE" for example means that at least certain portions/segments/extents of a file cannot be read because the file system does not define where to find them, or because it does but that definition is invalid, or because it does but X-Ways Forensics does not understand it.

 

Example: The file system defines that a file consists of 6 clusters starting at cluster 1000 in the volume and 4 clusters starting at cluster 55,555 in the volume.

 

One possible reason for "UNABLE TO READ FILE" in this example would be that the volume consists of only 40,000 clusters. The first 6 clusters of the file can be read, but the last 4 clusters of the file cannot be read, simply because there is no cluster 55,555 that could be read. If this concerns an existing file, it is some kind of file system corruption or volume inconsistency. This could happen if something went wrong when a volume was shrunk, or if it's a spanned volume covering multiple disks of which only the first segment is available and is treated as if it were the entire volume. Another possible reason for "UNABLE TO READ FILE" would be that X-Ways Forensics was able to reconstruct a previously existing file only partially. The size may be known from $LogFile or a volume shadow copy, and the first few clusters of the file may be known from the source, but the whereabouts of the remaining clusters may be unknown. Another possible reason for "UNABLE TO READ FILE", if it's a compressed file in a file archive, would be that the file archive is corrupt so that the contained compressed file cannot be read completely any more.

 

If it's a file system problem, then you can find out more precisely what is going on by looking at the file system data structures that define the volume. Users can usually locate them in 2 seconds via a right click on the file, Navigation | Seek [name of the data structure].

 

2) "BADEVIDENCEFILE!" refers to a problem in an image in .e01 evidence file format. A possible reason to see that pattern would be that the requested sector is contained in the 2nd half of a compressed chunk (also called block) in which a few bits flipped so that only roughly the first half could be successfully decompressed.

 

3) "UNREADABLESECTOR" is a pattern that is defined in Options | General, which is always used instead of the original data stored in disk sectors if these sectors cannot be read, for all purposes (display on the screen, imaging, cloning, hashing, searching, ...). If you are going to hash disks with bad sectors and want to compare/reproduce the results with other tools, then you can specify the same pattern as used by the other tool here. Just note that such hash values are difficult to reproduce because bad sectors could multiply in the course of several attempts. If when trying to read bad sectors you prefer to get zero-value bytes delivered back, totally remove the pattern (ensure that the edit box is completely blank). If you keep the pattern, it will make it much easier to tell which sectors could be read and which sectors could not be, on the original hard disk directly, and that is also the case when you look at the same sectors in an image of that hard disk, provided that the pattern was active at the moment when the image was created with X-Ways Forensics. A bad sector on a hard disk is for example one whose internal CRC does not match the payload data in that sector any more.

 

4) Other surrogate patterns are "MISSING IMAGE FILE SEGMENT!", "PAST END OF IMG", and "UNREADABLE PAGE", all of which should be basically self-explanatory. ("Page" refers to a memory page.)
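
The following is an added example, not part of X-Ways Forensics or its documentation: a Python sketch that finds sectors of a raw image that are completely filled with one of the surrogate strings named above, and recomputes the hash with the "UNREADABLESECTOR" runs zeroed for comparison against a tool that zero-fills bad sectors. The 512-byte sector size, the ASCII encoding of the strings, and all function names are assumptions; the sample image is constructed.

```python
import hashlib

SECTOR = 512  # assumed sector size
# Strings quoted on this page (English UI); ASCII encoding is an assumption.
PATTERNS = [b"UNREADABLESECTOR", b"BADEVIDENCEFILE!", b"UNABLE TO READ FILE",
            b"MISSING IMAGE FILE SEGMENT!", b"PAST END OF IMG", b"UNREADABLE PAGE"]


def match_surrogate(sector, patterns=PATTERNS):
    """Return the pattern that tiles the whole sector, or None.

    The tiling may begin at any phase, because the fill starts at the
    beginning of the read buffer, not necessarily at this sector."""
    for pat in patterns:
        tiled = pat * (len(sector) // len(pat) + 2)
        if any(tiled[p:p + len(sector)] == sector for p in range(len(pat))):
            return pat
    return None


def surrogate_runs(image, sector_size=SECTOR):
    """List (first_sector, sector_count, pattern) for each run of filled sectors."""
    runs = []
    for n in range(len(image) // sector_size):
        pat = match_surrogate(image[n * sector_size:(n + 1) * sector_size])
        if pat is None:
            continue
        if runs and runs[-1][2] == pat and runs[-1][0] + runs[-1][1] == n:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1, pat)  # extend current run
        else:
            runs.append((n, 1, pat))
    return runs


def hash_with_zero_fill(image, runs, only=b"UNREADABLESECTOR", sector_size=SECTOR):
    """SHA-256 of the image with the sectors flagged as `only` replaced by zeros."""
    buf = bytearray(image)
    for first, count, pat in runs:
        if pat == only:
            buf[first * sector_size:(first + count) * sector_size] = bytes(count * sector_size)
    return hashlib.sha256(buf).hexdigest()


def make_sample():
    """Constructed 6-sector image: sectors 2-3 unreadable, sector 5 from a bad .e01 chunk."""
    good = bytes(range(256)) * 2
    return good * 2 + b"UNREADABLESECTOR" * 64 + good + b"BADEVIDENCEFILE!" * 32


if __name__ == "__main__":
    for first, count, pat in surrogate_runs(make_sample()):
        print(f"sectors {first}-{first + count - 1}: {pat.decode()}")
```

The zero-filled hash only matches another tool's result if both tools failed on exactly the same sectors, which, as noted under 3), is not guaranteed across repeated read attempts.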