Case Management

WinHex & X-Ways

The integrated computer forensics environment in WinHex can be used with a forensic license of WinHex only. It offers complete case management for multiple examiners per case, automated log and report file generation, and various additional features such as gallery view, file signature check, HPA detection, and skin color detection in pictures.

When starting up WinHex for the first time, you are asked whether to run it with the forensic interface. This means the "Case Data" window is displayed, WinHex is run in View mode, and you are asked to make sure the folders for temporary files and for case data are set correctly, in order to prevent WinHex from writing files to the wrong drive.

In order to work with a case, make sure the "Case Data" window is visible on the left of the main window. If not, enable View | Show | Case Data.

From the File menu you can create a new case (start from scratch), open an existing case, close or save the active case, back up the case file and the entire case folder in a ZIP archive (only possible for files < 4 GB), or automatically generate a case report. You can add evidence objects to the case: media, images (files that are interpreted like media), memory dumps, or directories on your own computer. Adding a directory instead of a whole partition or disk is useful when the directory or file of interest resides on a drive with many irrelevant files and you merely wish to view, hash, or search a few of those files, check their metadata, or copy them to an evidence file container.

A case is stored in a .xfc file (xfc stands for X-Ways Forensics Case) and in a subfolder of the same name, just without the .xfc extension. This subfolder and its child folders are created automatically when the case is created. You may select the base folder for your cases in General Options. It is not necessary to explicitly save a case unless you need to be sure it is saved at a given time. A case is saved automatically at the latest when you close it or exit the program. The only exception is closing the case with the "Close Case (don't save)" command. For example, if you have accidentally lost your carefully set tag marks (by untagging all with a misdirected click in the column header) or accidentally lost report table associations (by pressing Ctrl+0 for all selected files), it is important to invoke that special menu command as soon as possible, before the auto-save interval elapses again, so that the volume snapshot(s) are not saved in that state. Afterwards you can open the case again and find everything as it was when the case was last saved, which means that on average you only lose half of the work done within one auto-save interval, not everything.

In the case properties window, you may name a case according to your own conventions (e.g. title or number). The date and time you create a case is recorded and displayed. The internal case filename is displayed as well. You may enter a description of the case (of arbitrary length) and the examiner's name, the examiner's organization's name and address. You may enable or disable the automated log feature for the whole case. Optionally, the evidence object subfolders in the case folder are always suggested as default output folders for files recovered/copied off a file system. You may wish to disable that feature if your preference is to copy files from various evidence objects into the same output folder.

You may select up to two code pages related to the case (more precisely: related to the locale where the original media related to the case were used). These code pages are used when naming .eml files based on subject lines (.eml files extracted from e-mail archives). If both code pages are identical, that does no harm. If identical to the currently active code page in Windows, they do not have any effect. These code pages are also used to convert the filenames in zip archives to Unicode. There may be further uses in future versions.

Case files can be password-protected. This does not involve encryption and is just a kind of lock enforced by the program; the case data itself is not encrypted on disk. If a user loses the password, case files saved by X-Ways Investigator can be unlocked with a super-user password, provided such a password had already been entered in the installation used at the time the case file was saved (undocumented, available on request).

When creating a new case, you have the option to make X-Ways Forensics recognize evidence objects that are physical media (not images) by their own intrinsic properties rather than by the Windows disk number. Using this option prevents earlier versions of X-Ways Forensics from opening the case. The advantage is that you can add multiple hard disks, external USB disks or sticks to the case that are attached to the computer at different times and get the same disk number assigned by Windows. Another advantage is that if Windows assigns a different number to the same disk, X-Ways Forensics still recognizes the disk. This is useful especially for triage, when not working with images. Please note that X-Ways Forensics may be unable to recognize external media already known to the case if they are attached next time through a different hardware write blocker. In that situation you can still use the "Replace with new disk" command in the evidence object context menu to point X-Ways Forensics to the correct disk. Note that component disks of an internally reconstructed RAID (real disks, not images) are still remembered by the Windows disk number when re-opening a RAID that you have added to a case.

When clicking the “Passwords...” button, the case's password lists for encrypted general purpose file archives will open in your preferred text editor for editing.

When clicking the “SIDs...” button you can see a collection of all SID/username combinations encountered in that case (gathered from SAM registry hives in all Windows installations on images/media ever added to the case). They are used by X-Ways Forensics to resolve SIDs to usernames when working with that case.

Evidence Objects

The most powerful concept in X-Ways Forensics, which allows you to systematically and completely review files on computer media, is the so-called refined volume snapshot. It is possible to refine the standard volume snapshot for all evidence objects of a case in one step, and to search all evidence objects with volume snapshots logically with the help of the virtual global case root window. Note that you can generate a flat overview of all existing and deleted files from all subdirectories on a partition or image file of a partition by recursively exploring the root directory. To explore a directory recursively (i.e. list its contents plus the contents of all its subdirectories and their subdirectories), right-click the directory in the directory tree in the Case Data window. To tag a directory, click it with the middle mouse button in the directory tree.

Backups

The command "Back up/Restore" in the Case Data context menu allows you to conveniently make a backup of the selected evidence object's volume snapshot. Backups can be restored at any later time with the same command, and they can also be deleted with the same command (right-click an item in the list of backups to get the Delete command). Such a backup is like a snapshot of the volume snapshot. It is useful if you think you might want to revert to a certain processing stage later (i.e. undo changes to the volume snapshot): for example after having carefully tagged thousands of files that you don't want to lose, before running a file header signature search with experimental settings that might produce a lot of garbage files, before attaching external files with options that you have never tried before, before running an X-Tension made by a 3rd party, before totally removing excluded items from the volume snapshot, etc. Report table associations, events, and search hits are also included in the backup. Search hits can be restored from a backup only if the search term list of the case has not changed in the meantime. Indexes are not included in the backup, but can of course be backed up manually.

The same command applied at the case level (right-click the case title shown in bold) allows you to make a backup of the entire case, covering all evidence objects' volume snapshots, all report tables, events, search terms, search hits, indexes, image file paths, etc. Such backups can be restored from the same dialog window. They can also be opened directly with the Open Case command if necessary, as they are complete copies of a case. (Backup .xfc files are created with the "hidden" attribute, though, as they are meant to be dealt with within X-Ways Forensics only.)

In order to completely delete a case or the backup of a case manually, you need to delete its .xfc file and the corresponding directory with the same name and all its subdirectories.
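Because a case lives in two places on disk (the .xfc file and the folder of the same name), because backup .xfc files carry the hidden attribute, and because the ZIP backup only handles files smaller than 4 GB, it is easy to end up with a half-deleted case or a backup that cannot include a large file. The following Python script is an added example and not part of the X-Ways manual or software. It inventories a case base folder using only the naming convention described above: it pairs each .xfc file with its folder, reports folders with no .xfc and .xfc files with no folder, flags hidden (backup) .xfc files, and lists any file at or above the 4 GB limit. The case names, folder contents and sizes it creates in a temporary directory are constructed for the demonstration, and the `limit` parameter is an assumption of this script, added only so the oversized check can be exercised with small files.

```python
"""Inventory an X-Ways case base folder: pair each .xfc file with the case folder
of the same name, spot orphans, flag hidden (backup) .xfc files and list files
that would exceed the ZIP backup's per-file limit.  Added example, not X-Ways code."""
import stat
import tempfile
from pathlib import Path

ZIP_FILE_LIMIT = 4 * 1024 ** 3  # the "< 4 GB" per-file limit stated for ZIP backups


def is_hidden(path: Path) -> bool:
    """True if the Windows 'hidden' attribute is set (backup .xfc files carry it).
    On non-Windows platforms the attribute does not exist, so nothing is hidden."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def inventory_cases(base: Path, limit: int = ZIP_FILE_LIMIT) -> dict:
    """Return {'cases': [...], 'orphan_folders': [...]} for one base folder.
    `limit` defaults to the 4 GB ZIP limit; it is a parameter only so the check
    can be demonstrated with small files (assumption of this example)."""
    cases = []
    for xfc in sorted(base.glob("*.xfc")):
        folder = xfc.with_suffix("")  # case folder = same name without .xfc
        entry = {
            "name": xfc.stem,
            "is_backup": is_hidden(xfc),
            "folder_exists": folder.is_dir(),
            "total_bytes": 0,
            "oversized": [],  # files a ZIP backup could not store
        }
        if folder.is_dir():
            for f in folder.rglob("*"):
                if f.is_file():
                    size = f.stat().st_size
                    entry["total_bytes"] += size
                    if size >= limit:
                        entry["oversized"].append(f.relative_to(folder).as_posix())
        cases.append(entry)
    known = {c["name"] for c in cases}
    # a folder with no .xfc is what a half-finished manual deletion leaves behind
    orphans = sorted(d.name for d in base.iterdir() if d.is_dir() and d.name not in known)
    return {"cases": cases, "orphan_folders": orphans}


def build_demo_base(root: Path) -> Path:
    """Construct a sample base folder (made-up case names and contents)."""
    base = root / "cases"
    (base / "Case 2024-001" / "Evidence 1").mkdir(parents=True)
    (base / "Case 2024-001.xfc").write_bytes(b"constructed placeholder, not a real .xfc")
    (base / "Case 2024-001" / "Evidence 1" / "notes.txt").write_bytes(b"x" * 1024)
    (base / "Case 2024-002.xfc").write_bytes(b"constructed placeholder")  # folder missing
    (base / "Case 2023-099").mkdir()  # folder whose .xfc was deleted: orphan
    return base


def run_demo(limit: int = ZIP_FILE_LIMIT) -> dict:
    """Build the constructed layout in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_cases(build_demo_base(Path(tmp)), limit)


if __name__ == "__main__":
    report = run_demo()
    for case in report["cases"]:
        status = "ok" if case["folder_exists"] else "FOLDER MISSING"
        print(f"{case['name']}: {status}, {case['total_bytes']} bytes, backup={case['is_backup']}")
    print("orphan folders:", report["orphan_folders"])
```

Run it against a real base folder by calling `inventory_cases(Path(r"D:\Cases"))` instead of `run_demo()`; anything listed under `oversized` needs a backup method other than the built-in ZIP, and any orphan folder or folderless .xfc is a case that was only partially deleted or copied.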