Case Log


 

When enabled in the case and the evidence properties window, WinHex persistently logs all activities performed while the case is open. That allows you to easily track, reproduce, and document the steps you have followed to reach a certain result, for your own information and for the courtroom.

 

The following is recorded:

• when you select a menu item, the command title (or at least an ID), and the name of the active edit window, if not an evidence object, preceded by the keyword "Menu",

• when a message box is displayed, the message text and what button you pressed (OK, Yes, No, or Cancel), preceded by the keyword "MsgBox",

• when a small progress indicator window is displayed, its title (like "Recovering files...") and whether the operation was completed or aborted, preceded by the keyword "Operation",

• a screenshot of each displayed dialog window with all selected options, e.g. for a complex operation that follows, preceded by the window's title,*

• the extensive log produced by Clone Disk and File Recovery by Type,

• your own entries (free text) that you add with the Add Log Entry command, either to the case as a whole or to a certain evidence object.

 

The destination path of each file copied/recovered with the directory browser context menu, along with selected metadata of that file (e.g. original name, original path, size, timestamps, ...), is logged in a separate file "copylog.html" or "copylog.txt" in the "_log" subdirectory.

 

All activities are logged with their exact date and time, internally in FILETIME format with 100-nanosecond interval precision. Logs are by default associated with the case as a whole. However, logs of activities that apply to a certain evidence object are directly associated with that evidence object. This determines where they appear in a report. Screenshots are saved as PNG files in the "_log" subfolder of a case folder.
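An added example, not part of the X-Ways documentation, of decoding FILETIME values of the kind the paragraph above says the log uses internally. It converts with integer arithmetic so that the 100-nanosecond digit survives, which a microsecond-resolution datetime would drop. The sample values are constructed, and how a value is read out of a case log is outside this sketch.

```python
import struct
from datetime import datetime, timedelta

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)  # naive, treated as UTC throughout
TICKS_PER_SECOND = 10_000_000


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the stored form: one unsigned 64-bit little-endian integer."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_iso(ticks: int) -> str:
    """Render ticks as UTC ISO 8601 with all seven fractional digits."""
    if ticks < 0:
        raise ValueError("FILETIME cannot be negative")
    seconds, fraction = divmod(ticks, TICKS_PER_SECOND)
    try:
        moment = FILETIME_EPOCH + timedelta(seconds=seconds)
    except OverflowError:
        raise ValueError("FILETIME is beyond year 9999") from None
    # The sub-second part is formatted separately because datetime
    # cannot represent the seventh decimal place.
    return f"{moment.isoformat(timespec='seconds')}.{fraction:07d}Z"


def iso_to_filetime(text: str) -> int:
    """Inverse of filetime_to_iso, used to confirm a lossless round trip."""
    whole, fraction = text.rstrip("Z").split(".")
    delta = datetime.fromisoformat(whole) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + int(fraction)


if __name__ == "__main__":
    # Constructed samples: two events that are one tick (100 ns) apart.
    first = filetime_from_bytes(bytes.fromhex("00803ed5deb19d01"))
    for ticks in (first, first + 1, 133485408001234567):
        iso = filetime_to_iso(ticks)
        assert iso_to_filetime(iso) == ticks
        print(ticks, iso)
```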

 

*If "Include screenshots in log" in the case properties is half-checked, that means that no actual screenshots of dialog windows will be taken, just a simple ASCII representation will be stored in the log (the same that you get via Ctrl+C). These details are included in a special way in the HTML output, so that they do not detract too much from the main log entries. Either they are output in a smaller font and gray color (if "Include screenshots in log" is fully checked) or simply as a pop-up when hovering with the mouse cursor over a space-saving placeholder rectangle, as known from Windows registry reports in X-Ways Forensics (if half-checked), or not at all (if not checked). The placeholder rectangle and pop-up work best when viewed in Google Chrome, as that browser does not truncate the text if lengthy and even shows a preview of the first line in the placeholder rectangle. If you have X-Ways Forensics take conventional (real) screenshots of dialog boxes in the log, pixels with the gray background color can be changed to pure white, to save toner/ink in case you are going to print your log at some time (anyway, please think twice and save paper).