Directory Browser


WinHex and X-Ways Forensics offer a directory browser, perhaps the most essential user interface element of the software, which resembles the right-hand list of Windows Explorer. Its main task is to display (and interact with) the volume snapshot. Complete functionality is only available with a forensic license. By default, the directory browser lists directories first, then files. Compressed files are displayed in blue, encrypted files in green (NTFS only). Right-clicking any item in the directory browser brings up a context menu with commands for opening a file or directory, exploring a directory, locating the beginning of a file or directory on the disk, locating the corresponding directory entry (FAT) or file record (NTFS), listing the allocated clusters in a separate window, etc.

 

When navigating from one directory to another, exploring files with child objects (e.g. e-mail messages that have attachments), navigating to the parent of a child object, activating or deactivating filters, trying different sort criteria etc., please note that you can easily return to a previous view using the Back command in the Navigation menu or the Back button in the toolbar.

 


The icons are explained in the legend directly in the program (forensic license only). Previously existing files and directories are represented in the directory browser with lighter icons. Icons with a blue question mark indicate that the original file or directory contents may still be available. Deleted objects that WinHex knows are no longer accessible (either because their first cluster has been reallocated, because it is unknown, or because they have a size of 0 bytes) have icons crossed out in red. Icons with an arrow on FAT volumes (only with a specialist or forensic license) and, after refining the volume snapshot, on NTFS volumes show renamed and moved files under their original name or in their former directory. On Reiser4 these are moved files with their current name in their former directory. A blue arrow indicates that contents for the file are available (though not specifically the contents from before the file was renamed or moved). A red arrow indicates that no contents are available.

 


In the caption line of the directory browser you see on the left the explored path (in italics and turquoise color in case of recursive exploration). Clicking any component of the current path navigates directly to the directory (or file with child objects) whose name you clicked. On the right you see the number of listed files and directories (typically separate figures for existing objects + previously existing objects + virtual objects). The number of listed tagged files is also indicated, if any are tagged. The number of active filters is displayed as well, next to the blue filter symbol on the left. Column-based and column-independent active filters are counted separately. This is useful because column-based filters may be active for columns that are not currently visible in the directory browser, and active column-independent filters may otherwise be apparent only when checking the directory browser options dialog.

 

The directory browser can sort files and directories in ascending or descending order, and indicates the two previous sort criteria, which remain active as secondary and tertiary criteria, with lighter arrows. For example, if you first click the filename column and then the filename extension column, files with the same extension will internally still be sorted by name.

 

In order to undefine the secondary and tertiary sort criteria, hold the Shift key when clicking on the column header that determines the primary sort criterion. The internal ID is then used as the secondary sort criterion. This ensures that the order of items with identical data for the primary sort criterion remains well defined and reproducible even after you have sorted by other criteria in the meantime.

 

The column that functions as the primary sort criterion is also the target of “jump as you type”. That is, you can type the first character or first few characters of the entry that you are looking for when the directory browser has the focus to automatically navigate and select the first or next matching item in the list, starting from the current position. For example, if the directory browser is sorted by the Type column, type “z” if you wish to find the first zip file in the list. If however there is another file listed with a type starting with “z”, one that precedes “zip” alphabetically, for example “zac”, then type the next character (before the feature times out and forgets the “z” that you have already entered), in this case “i”, until you find what you are looking for or nothing happens any more (if there is no matching item). Matching occurs in a cycle. That means even if the current position shows a zip file, you can type any preceding letter to jump to the first matching item from the top again, for example “d” for .docx. If you are looking for .docx files, but find a large group of .doc files, then you need to type all four characters of docx, because only the “x” distinguishes docx from doc.
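The sort behaviour of the two preceding paragraphs (the last clicked column becomes primary, the two earlier ones stay as tie-breakers, Shift-click replaces the tie-breakers with the internal ID) and the jump-as-you-type behaviour on the primary column can be modelled in a few lines. The following is an added illustration, not code from WinHex or X-Ways Forensics: the Entry fields, the one-second type-ahead timeout, and the rule that a fresh prefix starts searching at the item after the current one are assumptions chosen to match the description above.

```python
"""Added model of directory browser sorting and jump-as-you-type (not X-Ways code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    internal_id: int   # stable ID of the item in the volume snapshot
    name: str
    type: str          # value of the Type column, e.g. "zip" or "docx"


class SortState:
    """Last clicked column is primary; the two previously clicked columns
    remain as secondary and tertiary tie-breakers."""

    def __init__(self) -> None:
        self.criteria: List[Tuple[str, bool]] = []   # (column, descending)

    def click(self, column: str, descending: bool = False, shift: bool = False) -> None:
        if shift:
            # Shift-click: discard old tie-breakers and fall back to the internal
            # ID, so equal primary values always come out in the same order.
            self.criteria = [(column, descending), ("internal_id", False)]
            return
        rest = [c for c in self.criteria if c[0] != column]
        self.criteria = [(column, descending)] + rest[:2]

    def sort(self, entries: List[Entry]) -> List[Entry]:
        # Python's sort is stable: applying criteria from least to most
        # significant produces the combined multi-key order.
        out = list(entries)
        for column, desc in reversed(self.criteria):
            out.sort(key=lambda e: getattr(e, column), reverse=desc)
        return out


class TypeAhead:
    """Jump-as-you-type on the primary sort column with timeout and wrap-around."""

    def __init__(self, timeout: float = 1.0) -> None:   # timeout is an assumption
        self.timeout = timeout
        self.prefix = ""
        self.last_key: Optional[float] = None

    def key(self, ch: str, rows: List[Entry], column: str, current: int, now: float) -> int:
        fresh = self.last_key is None or now - self.last_key > self.timeout
        self.prefix = ch.lower() if fresh else self.prefix + ch.lower()
        self.last_key = now
        # Assumption: a fresh prefix searches from the item after the current one
        # (repeated keystrokes cycle through matches); a continued prefix re-tests
        # the current item first, so refining "z" to "zi" stays put if it still fits.
        start = current + (1 if fresh else 0)
        n = len(rows)
        for step in range(n):
            i = (start + step) % n          # cyclic: wraps to the top of the list
            if getattr(rows[i], column).lower().startswith(self.prefix):
                return i
        return current                      # no match anywhere: selection stays


# Constructed sample snapshot (not real case data); IDs reflect arrival order.
SAMPLE = [
    Entry(1, "report.docx", "docx"),
    Entry(2, "notes.doc", "doc"),
    Entry(3, "archive.zip", "zip"),
    Entry(4, "misc.zac", "zac"),      # hypothetical type sorting before "zip"
    Entry(5, "b.doc", "doc"),
    Entry(6, "data.zip", "zip"),
]


def sorted_ids(shift: bool = False) -> List[int]:
    """Click Name, then Type (optionally Shift+click): IDs in resulting view order."""
    st = SortState()
    st.click("name")
    st.click("type", shift=shift)
    return [e.internal_id for e in st.sort(SAMPLE)]


def jump_demo() -> List[int]:
    """Replay the keystrokes from the text ("z", "i", pause, "d", "o", "c", "x")
    on the Type-sorted list and return the selected row after each key."""
    st = SortState()
    st.click("name")
    st.click("type")
    rows = st.sort(SAMPLE)
    ta = TypeAhead()
    pos, selected = 0, []
    for t, ch in [(0.0, "z"), (0.3, "i"), (5.0, "d"), (5.2, "o"), (5.4, "c"), (5.6, "x")]:
        pos = ta.key(ch, rows, "type", pos, t)
        selected.append(pos)
    return selected


if __name__ == "__main__":
    print(sorted_ids(), sorted_ids(shift=True), jump_demo())
```

In `jump_demo` the "z" lands on the hypothetical "zac" row, "i" moves on to the first "zip", the pause resets the prefix so "d" wraps around to the first "doc", and only the fourth character "x" distinguishes "docx" from the preceding "doc" rows, exactly the sequence the text describes.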

 

Filtering

 

You may activate filters based on criteria (columns) such as filename, description, file type category, attributes, or hash set. Whenever an active filter actually filters out files or directories in the directory browser, this is flagged with a blue filter icon in the directory browser's header line, and you are told exactly how many items have been omitted from the list. You also have the option, by clicking the icons for "open file"/"save file" on the right-hand side of the caption line of the directory browser, to store filter and sort settings in a separate file and load them again at any time. Such files are given the extension ".settings". Note that it is not guaranteed that different versions of the software can load each other's settings.

 

Whenever one or more filters are active that actually filter out items in the currently displayed directory browser, there are two blue filter symbols in the directory browser's caption line. They point out that your current view is incomplete because of active filters, and they also allow you to deactivate all filters with a single mouse click, to ensure you are not missing any file when you no longer want the filter. You can activate or deactivate column-based filters individually with a single mouse click on the column header's filter symbol while holding the Shift key. The options of the respective filter remain unchanged in this case.

 

The filters have been given some "intelligence" when navigating from a parent file to a child file or vice-versa, so that the filters "know" when it's a good time to be turned off.

For example:

- If you are using a filter to focus on all extracted e-mail messages recursively, and then you double-click an individual e-mail message to have a look at its attachments in the directory browser, the filter is automatically deactivated, so that you can actually see these attachments. A simple click on the Back button returns to the previous point of exploration and restores the previous filter settings and the last selection, so that you can easily continue reviewing the next e-mail message!

- If you are using a filter to focus on videos or documents, and then you double-click a video or a document to see the video stills exported for that video or the embedded pictures in that document, respectively, the filter is automatically deactivated, too.

- When you are viewing video stills only, in a gallery, and you use the Backspace key or "Find parent object" menu command to navigate to the video that this still belongs to (e.g. in order to play that video), then any active filters will be turned off so that the video can actually be listed. A simple click on the Back button returns to the previous overview of stills, enables the previous filters again, and restores the last selected item, so that you can easily continue with the next still!

- This works analogously when systematically looking at e-mail attachments, if occasionally for relevant attachments you would like to view the containing e-mail message (and e.g. print it or include it in a report) and then return to the list of attachments.

 

 

When orphaned objects are found, e.g. files that have been deleted and whose original path is unknown, they are listed in a special virtual directory “Path unknown”. With a specialist or forensic license, there are virtual files in the root directory that allow you to conveniently address special areas in a volume:

 

File system areas: Reserved sectors and/or clusters that are claimed by the file system itself for internal purposes.

 

Free space: Clusters marked by the file system as not in use. Which clusters are included depends on the volume snapshot options.

 

Idle space: Areas in a volume of which WinHex does not know what they are used for, including clusters marked by the file system as in use whose exact allocation could not be determined. This can be the case if the file system lost track of them, i.e. forgot that these clusters are actually available for re-allocation. Usually there is no idle space. The size of the idle space and the number of the first idle cluster are only determined when needed (e.g. when you click the "Idle space" file for the first time), as depending on the number of clusters this is a potentially time-consuming operation.

 

Volume slack: Sectors at the end of the partition that are unused by the file system because they do not add up to another whole cluster.

 

Indirect blocks (Ext2, Ext3, UFS): Special blocks that contain block numbers. Not part of "File system areas".

 

Unnoted attribute clusters (NTFS): Clusters that contain non-resident attributes that have not been individually processed by X-Ways Forensics. Not part of "File system areas".

 

.journal (ReiserFS): Blocks that form the fixed journalling area. On Ext3 and HFS+, this is not considered a virtual file because it is defined by the file system itself in dedicated records.
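To make the areas above concrete, the following added example maps "File system areas", "Free space", "Idle space" and "Volume slack" onto a FAT32 volume from its BIOS Parameter Block values. This is not WinHex or X-Ways code: the sector arithmetic follows the standard FAT32 layout (reserved area, FAT copies, data area of whole clusters), the geometry and FAT contents are constructed, and the idle-space rule (allocated in the FAT but not reachable from any known cluster chain) is an interpretation of the text's definition, not the software's actual algorithm.

```python
"""Added FAT32 walk-through of the virtual files described above (not X-Ways code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FAT32_MASK = 0x0FFFFFFF   # only the low 28 bits of a FAT32 entry are meaningful
BAD_CLUSTER = 0x0FFFFFF7
EOC_MIN = 0x0FFFFFF8      # entries >= this value terminate a cluster chain


@dataclass(frozen=True)
class Fat32Geometry:
    total_sectors: int        # BPB_TotSec32: sectors in the volume
    reserved_sectors: int     # BPB_RsvdSecCnt: boot sector, FSInfo, backup boot sector
    num_fats: int             # BPB_NumFATs
    sectors_per_fat: int      # BPB_FATSz32
    sectors_per_cluster: int  # BPB_SecPerClus

    @property
    def data_start(self) -> int:
        """First sector of the data area, i.e. of cluster 2."""
        return self.reserved_sectors + self.num_fats * self.sectors_per_fat

    @property
    def cluster_count(self) -> int:
        """Number of whole clusters that fit into the data area."""
        return (self.total_sectors - self.data_start) // self.sectors_per_cluster


def special_areas(g: Fat32Geometry) -> Dict[str, Tuple[int, int]]:
    """Sector ranges [start, end) of two of the virtual files from the text."""
    data_end = g.data_start + g.cluster_count * g.sectors_per_cluster
    return {
        # reserved sectors plus all FAT copies: claimed by the file system itself
        "File system areas": (0, g.data_start),
        # trailing sectors that do not add up to another whole cluster
        "Volume slack": (data_end, g.total_sectors),
    }


def cluster_first_sector(g: Fat32Geometry, cluster: int) -> int:
    """Where a cluster begins on disk (FAT clusters are numbered from 2)."""
    return g.data_start + (cluster - 2) * g.sectors_per_cluster


def parse_fat(fat: bytes, cluster_count: int) -> List[int]:
    """Decode little-endian 32-bit entries 0 .. cluster_count+1 of one FAT copy."""
    n = cluster_count + 2   # entries 0 and 1 do not correspond to clusters
    return [v & FAT32_MASK for (v,) in struct.iter_unpack("<I", fat[: 4 * n])]


def follow_chain(entries: List[int], start: int) -> List[int]:
    """Walk a cluster chain from its first cluster until EOC, an invalid entry or a loop."""
    chain: List[int] = []
    c = start
    while 2 <= c < len(entries) and c not in chain:
        chain.append(c)
        nxt = entries[c]
        if nxt >= EOC_MIN:
            break
        c = nxt
    return chain


def classify_clusters(entries: List[int], chain_starts: List[int]) -> Tuple[Set[int], Set[int], Set[int]]:
    """Free: entry 0. Bad: bad-cluster mark. Idle (assumption): marked in use
    but not reachable from any chain start, i.e. clusters the file system lost."""
    clusters = range(2, len(entries))
    free = {c for c in clusters if entries[c] == 0}
    bad = {c for c in clusters if entries[c] == BAD_CLUSTER}
    referenced: Set[int] = set()
    for s in chain_starts:
        referenced.update(follow_chain(entries, s))
    idle = set(clusters) - free - bad - referenced
    return free, idle, bad


# Constructed sample: ~10 MiB volume whose data area leaves 3 trailing sectors.
SAMPLE_GEOMETRY = Fat32Geometry(total_sectors=20483, reserved_sectors=32,
                                num_fats=2, sectors_per_fat=20, sectors_per_cluster=8)


def build_sample_fat(cluster_count: int) -> bytes:
    """Constructed FAT: root directory, a two-cluster file, one lost cluster, one bad cluster."""
    fat = bytearray(4 * (cluster_count + 2))

    def put(index: int, value: int) -> None:
        struct.pack_into("<I", fat, 4 * index, value)

    put(0, 0x0FFFFFF8)   # media descriptor entry
    put(1, 0x0FFFFFFF)   # reserved entry
    put(2, 0x0FFFFFFF)   # root directory occupies cluster 2 only
    put(3, 4)            # a file: cluster 3 -> 4
    put(4, 0x0FFFFFFF)   # ... -> end of chain
    put(7, 0x0FFFFFFF)   # allocated but referenced by no directory entry: idle
    put(9, BAD_CLUSTER)
    return bytes(fat)


if __name__ == "__main__":
    g = SAMPLE_GEOMETRY
    entries = parse_fat(build_sample_fat(g.cluster_count), g.cluster_count)
    free, idle, bad = classify_clusters(entries, chain_starts=[2, 3])  # root dir and the file
    print(special_areas(g), len(free), sorted(idle), sorted(bad))
```

The `chain_starts` list stands in for the first-cluster fields of the directory entries a volume snapshot would have collected; anything allocated in the FAT that no such chain reaches is what the text calls idle space, and the three sectors after the last whole cluster are the volume slack that a file system driver never touches.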