Hints on disk cloning, disk imaging, and image restoration
Cloning or imaging with WinHex/X-Ways Forensics makes exact sector-
wise, forensically sound copies, including all unused space and slack space.
An image is usually preferable to a clone, as all data (and metadata such
as timestamps) in an image file is protected from the operating system.
If you clone/image a disk for backup purposes, try to avoid that the disk is
being written to by the operating system or other programs during the process,
e.g. by unmounting partitions that are mounted as drive letters before starting.
Such write operations are unavoidable, of course, if you clone/image the disk
that contains the active Windows installation from where you execute WinHex/
X-Ways Forensics. If the source disk is being written to during the process,
the clone/image may have an inconsistent state from the point of view of the
operating system (e.g. it may not be able to boot a Windows installation any
more). From a forensic standpoint, however, when cloning/imaging a live
system, although it is highly desirable that no writing occurs any more, that
should not be a major problem, as you still get an accurate snapshot of each
and every sector.
If the destination of cloning or image restoration is a partition that is mounted
as a drive letter, WinHex will try to clear all of Windows' internal buffers of that
destination partition. If nonetheless you don't see the new contents in Windows
Explorer on the destination after the operation has complete, you may simply
need to reboot your system.
Note that WinHex does not dynamically change partition sizes and adapt
partitions to destination disks larger or smaller than the source.