Tools Menu

WinHex & X-Ways


 

Open Disk

 

Clone Disk

 

Explore recursively: Switches the directory browser to a recursive view of the currently listed directory, or back to the normal view. A recursive view lists not only the files contained directly in the current directory, but also all files in all of its subdirectories, their subdirectories, etc. For example, this allows you to copy/recover selected files from different paths in a single step.

 

File Recovery by Type

 

Take New Volume Snapshot: Available for partitions with one of the supported file systems. WinHex traverses all cluster chains and thereby generates a drive map. This enables WinHex to fill the directory browser and to display for each sector which file or directory it is allocated to. It is recommended to invoke this command again after file operations on a drive to keep the information displayed by WinHex up to date. Cf. Security options.

 

Initialize Free Space: Confidential information is possibly stored in currently unused parts of a drive as a result of normal delete, copy and save actions. Free space on a drive can be initialized for security reasons. This effectively overwrites all data in unused parts of the disk and makes it impossible to recover this data. Available for partitions opened as drive letters. Available in WinHex only, not in X-Ways Forensics.

 

Initialize Slack Space: Overwrites slack space (the unused bytes in the respective last clusters of all cluster chains, beyond the actual end of a file) with zero bytes. This may be used in addition to "Initialize Free Space" to securely wipe confidential data on a drive or to minimize the space a compressed disk backup (like a WinHex backup) requires. Close any running or resident program that may write to the disk prior to using this command. Available in WinHex only, not in X-Ways Forensics.

 

Initialize MFT Records: On NTFS volumes, WinHex can clear all currently unused $MFT (Master File Table) FILE records, which may contain metadata (e.g. names) and even contents of previously existing files. Available in WinHex only, not in X-Ways Forensics.

 

Initialize Directory Entries: On FAT volumes, WinHex can clear all currently unused directory entries, to thoroughly remove traces of previously existing files or earlier names/locations of existing files from the file system. Useful especially in conjunction with the function to initialize all free space. Available in WinHex only, not in X-Ways Forensics.

 

Scan For Lost Partitions: Formerly existing hard disk partitions that were not automatically found when opening a physical hard disk (or an image of a physical hard disk) may be found and properly identified with this command. It searches for master boot records, partition table sectors, and FAT and NTFS boot sectors via the 0x55 0xAA signature, as well as for Ext2/Ext3/Ext4 superblocks, optionally only from the first sector that follows the last (location-wise) partition that was already found, and lists newly found partitions in the directory browser. Works with sector size 512 bytes only.
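The kind of signature scan described above, as an added Python illustration (not WinHex code). The checks beyond the 0x55 0xAA and superblock signatures, the function names and the sample image are assumptions constructed for this example; start_sector models the option to scan only behind the last known partition.

```python
import struct

SECTOR = 512  # the scan described above assumes 512-byte sectors

def classify_sector(sec):
    """Label a sector that looks like a partition structure, else None."""
    # Ext2/3/4 superblock: magic 0xEF53 at offset 56; s_log_block_size
    # (offset 24) is checked as well to cut two-byte false positives.
    if sec[56:58] == b"\x53\xef" and struct.unpack_from("<I", sec, 24)[0] <= 6:
        return "ext superblock"
    if sec[510:512] != b"\x55\xaa":
        return None
    if sec[3:11] == b"NTFS    ":
        return "NTFS boot sector"
    if sec[54:59] in (b"FAT12", b"FAT16") or sec[82:87] == b"FAT32":
        return "FAT boot sector"
    # MBR or extended partition table: four 16-byte entries at offset 446,
    # each with boot flag 0x00/0x80, at least one with a non-zero type.
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    if all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries):
        return "MBR/partition table"
    return None

def scan_image(image, start_sector=0):
    """Return (first_sector_of_structure, label) for every hit."""
    hits = []
    for n in range(start_sector, len(image) // SECTOR):
        label = classify_sector(image[n * SECTOR:(n + 1) * SECTOR])
        if label == "ext superblock" and n >= 2:
            hits.append((n - 2, "ext volume"))  # superblock sits 1024 bytes in
        elif label and label != "ext superblock":
            hits.append((n, label))
    return hits

def build_sample_image():
    """Constructed 32-sector image: MBR, NTFS boot sector, ext superblock."""
    img = bytearray(32 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"", 0x07, b"", 8, 8)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "
    img[8 * SECTOR + 510:8 * SECTOR + 512] = b"\x55\xaa"
    img[22 * SECTOR + 56:22 * SECTOR + 58] = b"\x53\xef"  # volume starts at 20
    return bytes(img)

if __name__ == "__main__":
    for sector, label in scan_image(build_sample_image()):
        print(f"sector {sector}: {label}")
```

A 0x55 0xAA hit on its own only marks a candidate; the result still has to be confirmed by parsing the file system that starts at that sector.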

 

Interpret as Partition Start: When you find the start sector of a volume (e.g. lost partition) on a physical disk, this menu command allows you to make such a partition easily accessible via the Access button menu. If no known file system is detected starting at the currently displayed sector, you will be asked for the number of sectors that you wish to include in the newly defined partition.

 

Set Disk Parameters: Using this command on a physical disk, you may override the total number of sectors or optionally (can be left blank) the number of cylinders, heads, and sectors per track (all practically meaningless nowadays). This might be useful to access surplus sectors at the end of the disk (in case the total number of accessible sectors was not detected correctly), or to adjust the CHS coordinate system to your needs. Alternatively, you have the option to change the detected sector size of a physical hard disk or image, as used internally in the program for various navigation and computation work. If you should adjust the sector size, the sector count is adjusted accordingly. For example, if you change the detected sector size from 512 bytes to 4 KB (i.e. you multiply it by 8), then the total number of sectors is automatically divided by 8 to keep the same total detected disk capacity (assuming the capacity was detected correctly).

 

File Tools

 

Open Memory

 

View: Available only with a forensic license. Invokes the internal viewer.

 

External Programs: Invokes external file viewing programs such as Quick View Plus etc., as selected in the Options menu, and opens the current file.

 

Invoke X-Ways Trace: Available only if X-Ways Trace is installed. This software can analyze the history/cache files of various Internet browsers.

 

Calculator: Runs the Windows calculator "calc.exe". Switching to scientific mode is highly recommended.

 

Hex Converter: Enables you to convert hexadecimal numbers into decimal numbers and vice versa. Simply type in the number and press ENTER.

 

Compare: This command is used to compare two data windows (files or disks) byte by byte. Decide whether different or identical bytes shall be reported. You may specify how many bytes to compare. If desired, the operation can abort automatically after a certain number of differences or identical bytes has been found. The report can be stored as a text file; without such a limit its size might grow dramatically. The comparison starts at the respective offsets specified for each edit window. These offsets may differ, such that e.g. the byte at offset 0 in file A is compared to the byte at offset 32 in file B, the byte at offset 1 with the one at offset 33, etc. When you select an edit window for comparison, the current position will automatically be entered in the "From offset" box.

 

In X-Ways Forensics there is also an option to output identified different or identical data areas as search hits (1 entry per matching area) instead of a text file (1 line per matching byte), for convenient review and navigation right within the program in the search hit list, similar to block hash matches. This option is only available if at least the 2nd data source is an evidence object. The result can be seen in the search hit list of that evidence object. This is useful, for example, for users who wish to compare cloned disks with minor changes, if they have different hashes or one of them has been used a little more, to actually locate the differences and better understand what has caused them. It is also useful for comparing the component disks of a hardware RAID level 0 system or of mirrored volumes, to check whether they are really absolutely identical and, if not, to easily find the areas that differ, see how large they are and what kind of data they contain, and assess whether the second copy requires full treatment itself, including carving, keyword searches etc.
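How a byte-by-byte comparison with independent start offsets, an abort limit and one entry per contiguous area can work, as an added Python example (not X-Ways code). The function name, its parameters and the two sample "clones" are assumptions constructed for illustration.

```python
def compare_areas(a, b, off_a=0, off_b=0, count=None,
                  report="different", max_bytes=None):
    """Compare a[off_a:] with b[off_b:] byte by byte.

    Returns (areas, aborted). Each area is (offset_a, offset_b, length),
    one entry per contiguous run of different (or identical) bytes.
    """
    limit = min(len(a) - off_a, len(b) - off_b)
    if count is not None:
        limit = min(limit, count)
    want_diff = report == "different"
    areas, run_start, found = [], None, 0
    for i in range(limit):
        hit = (a[off_a + i] != b[off_b + i]) == want_diff
        if hit:
            if run_start is None:
                run_start = i
            found += 1
            if max_bytes is not None and found >= max_bytes:
                # Abort limit reached: close the current run and stop.
                areas.append((off_a + run_start, off_b + run_start,
                              i - run_start + 1))
                return areas, True
        elif run_start is not None:
            areas.append((off_a + run_start, off_b + run_start, i - run_start))
            run_start = None
    if run_start is not None:
        areas.append((off_a + run_start, off_b + run_start, limit - run_start))
    return areas, False

# Constructed sample: a 4096-byte "disk" and a clone with two small changes.
DISK_A = bytes(range(256)) * 16
_clone = bytearray(DISK_A)
_clone[512:520] = bytes(x ^ 0xFF for x in DISK_A[512:520])  # 8 changed bytes
_clone[3000] ^= 0x01                                        # 1 changed byte
DISK_B = bytes(_clone)
# Constructed sample: the same content behind a 32-byte header.
FILE_WITH_HEADER = b"H" * 32 + DISK_A

if __name__ == "__main__":
    print(compare_areas(DISK_A, DISK_B))
    print(compare_areas(DISK_A, FILE_WITH_HEADER, off_a=0, off_b=32))
    print(compare_areas(DISK_A, DISK_B, max_bytes=3))
```

The nine differing bytes come back as two areas rather than nine report lines, which is the difference between the per-area and per-byte output described above.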

 

There is another compare function: You may compare edit windows visually and synchronize scrolling in these windows, with the Synchronize and Compare command (View menu).

 

Analyze Block/File/Disk: Scans the data within the current block/the entire file/the entire disk and counts the occurrences of each byte value (0...255). The result is graphically displayed by proportional vertical lines. The number of occurrences and the percentage are displayed for each byte value when moving the mouse over the corresponding vertical line.

Use this command for instance to identify data of unknown type. Audio data, compressed data, executable code etc. produce characteristic graphics. Use the context menu of the window to switch zero byte consideration on or off, to print the analysis window, or to export the analysis to a text file.

When analyzing small amounts of data (<50,000 bytes), the compression ratio that zlib achieves for that data is displayed in the analysis window caption, which also allows you to draw conclusions about the nature of the data.
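The byte-value count and zlib ratio described above, as an added Python example (not WinHex code). Expressing the ratio as compressed size divided by original size, the function name and the sample buffers are assumptions constructed for illustration.

```python
import hashlib
import zlib

def analyze(data, count_zero=True):
    """Count occurrences of each byte value (0...255) in data.

    count_zero=False mirrors switching zero byte consideration off.
    The zlib ratio is only computed for small inputs (< 50,000 bytes).
    """
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    if not count_zero:
        counts[0] = 0
    total = sum(counts)
    percent = [100.0 * c / total if total else 0.0 for c in counts]
    ratio = None
    if 0 < len(data) < 50000:
        # Assumption: ratio = compressed size / original size.
        ratio = len(zlib.compress(data)) / len(data)
    return {
        "counts": counts,
        "percent": percent,
        "distinct": sum(1 for c in counts if c),
        "zlib_ratio": ratio,
    }

def pseudo_random(n):
    """Deterministic high-entropy bytes (stand-in for encrypted data)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

# Constructed samples: repetitive text, high-entropy data, sparse sector data.
TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 200
RANDOM = pseudo_random(8192)
SPARSE = bytes(1000) + b"AB" * 10

if __name__ == "__main__":
    for name, buf in (("text", TEXT), ("random", RANDOM), ("sparse", SPARSE)):
        r = analyze(buf)
        print(f"{name}: {r['distinct']} distinct values, "
              f"zlib ratio {r['zlib_ratio']:.3f}")
```

Text uses few byte values and compresses to a small fraction of its size, while encrypted or already compressed data spreads across nearly all 256 values and does not shrink.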

 

Compute Hash: Calculates one of the following checksums/digests of the entire current file or disk, or of the currently selected block: 8-bit, 16-bit, 32-bit, 64-bit checksum, CRC16, CRC32, MD5, SHA-1, SHA-256, or PSCHF.

 

Hash Database