Security Options

WinHex & X-Ways

 

• Before modifications to an existing file are saved (i.e. before the file is updated), you are by default prompted for confirmation, but this behavior can be changed.

 

• If any of the operations Refine Volume Snapshot and Logical Search crashes when processing a file, X-Ways Forensics will tell you the next time it is started which file was likely responsible for the crash, provided you had it collect information for a crash report. If the option is fully checked and volume snapshot refinement crashes the program, restarting the program will also point out exactly which suboperation was being applied to the problematic file(s) when the program crashed. It has not been tested whether this enhanced granularity of logging might cause any noticeable slowdown. There may be multiple candidates for the problematic file that triggered the instability if multiple worker threads were active at the time of a crash.

 

• All notices and warnings output to the Messages window can optionally be automatically saved in a text file "msglog.txt" in the installation directory. If at that time a case is active, the notice/warning will be written to the msglog.txt file in the log subdirectory of that case instead.

 

• Output messages about exceptions: Determines the verbosity of the program in case of exception errors. If totally unchecked, only exception errors with a potentially serious impact (like considerably incomplete analysis results) will be brought to your attention in the Messages window. If fully checked, all of them will be output, even those that occur typically with corrupt files only and have no negative impact on other analysis results. The middle state is a reasonable compromise. Regardless of this option, exception errors will be noted in the error.log file.

 

• Use the option Check for virtual memory alteration to make sure the RAM editor inspects the structure of virtual memory every time before reading from or writing to it. If the structure has changed, a possible read error is prevented. Especially under Windows NT the checking may result in a loss of speed. When editing the "entire memory" of a process, WinHex generally never checks for alterations, even if this option is enabled.

 

• Strict drive letter protection: Only available with a forensic license. Active by default in X-Ways Forensics. Ensures that saving and editing files is only possible on certain drive letters, namely those that X-Ways Forensics, even when examining a live system, can assume are located on the examiner's own media. They are: 1) the drive letter that hosts the active case if one is active, 2) the drive letter with the directory for temporary files, 3) the drive letter from which X-Ways Forensics was run and 4) the drive letter that contains the directory for image files.

 

• The key that is required for encryption and decryption can be entered in a normal edit box. Optionally, you enter it blindly (asterisks are displayed instead of the actual characters). In this case you have to confirm the key in a second edit box to detect typos.

 

• By default, the encryption key is kept in main memory (in an encrypted state) as long as WinHex is running so that you do not have to type it again and again if you use it several times. You may prefer to have WinHex erase the key after use.

 

• Decide whether or not WinHex shall prompt before executing a script, or only before executing a script via the command line.

 

• Optionally, checksums with multi-byte accumulators (16-bit, 32-bit, and 64-bit checksums) are computed byte-wise instead of adding units that are equivalent in size to the accumulator itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real-life applications.
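
The two checksum variants from the last option, as an added example (not WinHex code), with a helper that tells which variant produced a recorded value. The byte order of the units and the zero-padding of a short final unit are assumptions, since this page does not state how WinHex handles either; all function names are hypothetical.

```python
# Added example: simple additive checksums with a multi-byte accumulator,
# computed byte-wise and unit-wise. Not taken from WinHex.

def checksum_bytewise(data: bytes, bits: int) -> int:
    """Add each byte individually into a `bits`-wide accumulator."""
    mask = (1 << bits) - 1
    total = 0
    for b in data:
        total = (total + b) & mask  # wrap around on overflow
    return total

def checksum_unitwise(data: bytes, bits: int, byteorder: str = "little") -> int:
    """Add units as wide as the accumulator (e.g. 4 bytes for 32 bits)."""
    if bits not in (16, 32, 64):
        raise ValueError("accumulator width must be 16, 32 or 64 bits")
    size = bits // 8
    mask = (1 << bits) - 1
    total = 0
    for off in range(0, len(data), size):
        # Assumption: a short final unit is padded with trailing zero bytes.
        unit = data[off:off + size].ljust(size, b"\x00")
        total = (total + int.from_bytes(unit, byteorder)) & mask
    return total

def matching_variants(data: bytes, bits: int, expected: int) -> list:
    """Return the names of the variants that reproduce a recorded checksum."""
    candidates = {
        "byte-wise": checksum_bytewise(data, bits),
        "unit-wise little-endian": checksum_unitwise(data, bits, "little"),
        "unit-wise big-endian": checksum_unitwise(data, bits, "big"),
    }
    return [name for name, value in candidates.items() if value == expected]

# Constructed sample input, not data from a real case.
SAMPLE = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08])

if __name__ == "__main__":
    for bits in (16, 32, 64):
        print(bits, hex(checksum_bytewise(SAMPLE, bits)),
              hex(checksum_unitwise(SAMPLE, bits)))
    print(matching_variants(SAMPLE, 32, 0x0C0A0806))
```

When a checksum recorded by another tool does not match, running `matching_variants` over the same bytes shows whether the difference is only the accumulation variant rather than altered data.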