Internal Viewer

Available with a forensic license of WinHex only. The internal viewer can be invoked with the "View" command in the Tools menu and in the directory browser's context menu, plus in Preview mode. It shows picture files of various file formats (JPEG, PNG, GIF, TIFF, BMP, PSD, HDR, PSP, SGI, PCX, CUT, PNM/PBM/PGM/PPM, ICO, using an internal graphics viewing library) plus the structure of Windows registry files, Windows Event Logs (.evt and .evtx), Windows shortcut files (.lnk), Windows Prefetch files, $LogFiles, $UsnJrnl:$J, Ext3/Ext4 .journal, .ds_store, Windows Task Scheduler (.job), $EFS LUS, INFO2, Restore Point change.log.1, wtmp and utmp log-in records, MacOS X kcpassword, MacOS X finder bookmarks (flnk), AOL PFC, Outlook NK2 auto-complete files, Outlook WAB address books, Internet Explorer travellog files (a.k.a. RecoveryStore), Skype Chat Sync, MS Outlook Express DBX and many more file types internally. If you try to view a file that is not supported by the internal viewer, the separate viewer component is invoked instead.

There is an additional separate viewer component that integrates seamlessly and allows you to conveniently view more than 270 (!) file formats (such as MS Word/Excel/PowerPoint/Access/Works/Outlook, HTML, PDF, CorelDraw, StarOffice, OpenOffice, ...) directly in WinHex and X-Ways Forensics. This component is included in X-Ways Forensics and X-Ways Investigator. It can be enabled in Options | Viewer Programs, optionally also for pictures that could be displayed by the internal graphics viewer library. More information online. The folder for temporary files used by the separate viewer component is controlled by WinHex/X-Ways Forensics, i.e. set to the one the user specifies in General Options. However, unlike X-Ways Forensics, the viewer component does not silently accept unsuitable paths on read-only media. Please note that the viewer component, since its version 8.2, creates files in the Windows profile of the currently logged-on user, in which it stores its configuration and settings. Earlier versions, if actually used (not when merely loaded), left behind entries in the system registry.

Registry Viewer

MS Windows maintains an internal database called the registry, which contains all important settings for the local system and installed software in a tree-like structure. The data is persistently stored in files called registry hives. You can open and view hives by double-clicking them in the directory browser or using the context menu. This will open them in the integrated registry viewer. Supported formats are NT/2K/XP/Va/7 hives. Win9x and WinMe hives can only be loaded by the registry viewer of X-Ways Forensics 15.9 and earlier. NT/2K/XP/Va/7 hives are located in the file "ntuser.dat" in a user profile and in the directory \system32\config.

Up to 32 hives can be opened in the registry viewer at the same time. The registry viewer has the ability to find deleted keys and values in hives that contain unused space and lost keys/values in damaged/incomplete hives. If no complete path is known for keys, they will be listed as children of a virtual key called "Path unknown".

With a right-click, a pop-up menu can be opened anywhere in the window, which lets you invoke the commands "Search" and "Continue Search". Clicking "Search" opens a dialog that lets you specify a search expression and where you want to search. You can search either keys, names, values, or all of them. The search always starts at the topmost root of the first loaded hive and spans all opened hives. "Continue Search" finds the next match after at least one match has been found. The currently selected element is not relevant for where the search continues. The "search whole word only" option is not guaranteed to work for values.

In the right-hand window the pop-up menu also contains the command "Copy" which lets you copy the value of the selected element to the clipboard.

When clicking a value of a loaded hive in the Registry Viewer, if the data window with the drive/image from which the hive was loaded is in File mode, the cursor will automatically jump to the selected value in the registry file, and the value will automatically be selected as a block in that file. This is useful because it lets you see the value in hexadecimal and text, and lets you easily copy binary values either as binary or as text, not only as hex ASCII.

The Export List command in the registry viewer context menu allows you to export all values in the selected hive to a tab-delimited text file.

When selecting a value, an edit window in the lower right corner tells you the logical size of that value and the size of its slack. It also interprets registry values of the following types, as known from the registry report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order (menu), ViewView2, SlowInfoCache, IconStreams (Tray notifications), UserAssist, Timestamps (FILETIME, EPOCHE, Epoche8), MountedDevices, OpenSavePidlMRU, and LastVisitedPidlMRU. The edit window also displays the access rights/permissions of the registry keys if (Default) is selected.
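To show what the "interpreted" view of such values amounts to, here is an added example (not code from the page or from X-Ways) that decodes the two timestamp encodings named above (FILETIME and a 4- or 8-byte Unix epoch) and walks a MRUListEx value; all sample bytes are constructed, and the MRUListEx layout (little-endian DWORD indices ending in 0xFFFFFFFF) is the well-known Explorer format rather than something the page spells out.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values (not taken from a real hive). Both timestamps encode
# the same instant, 2020-09-13 12:26:40 UTC, in two of the formats the edit window shows.
FILETIME_RAW = struct.pack("<Q", 132444736000000000)   # 100-ns ticks since 1601-01-01
EPOCH32_RAW = struct.pack("<I", 1600000000)            # seconds since 1970-01-01
# MRUListEx: little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF.
# Two extra bytes after the terminator stand in for unused bytes at the end of the value.
MRULISTEX_RAW = struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF) + b"\xAB\xCD"


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian Windows FILETIME (100-ns intervals since 1601-01-01 UTC)."""
    ticks, = struct.unpack("<Q", raw[:8])
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def epoch_to_datetime(raw: bytes) -> datetime:
    """Decode a 4-byte (Epoche) or 8-byte (Epoche8) little-endian Unix timestamp."""
    if len(raw) == 4:
        secs, = struct.unpack("<I", raw)
    elif len(raw) == 8:
        secs, = struct.unpack("<Q", raw)
    else:
        raise ValueError("unexpected epoch value length %d" % len(raw))
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs)


def parse_mrulistex(raw: bytes) -> tuple:
    """Return (order, trailing) for a MRUListEx value: 'order' lists the indices before
    the 0xFFFFFFFF terminator (most recently used first); 'trailing' is whatever follows
    the terminator, which is not part of the list and deserves a look of its own."""
    order = []
    for off in range(0, len(raw) - 3, 4):
        idx, = struct.unpack_from("<I", raw, off)
        if idx == 0xFFFFFFFF:
            return order, raw[off + 4:]
        order.append(idx)
    # No terminator found: the value is truncated or damaged; return what was readable.
    return order, b""
```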

Creating registry reports automatically

$LogFile Viewer

Basic Concepts:

Each statement falls into one of three categories:

1) Log-Operation

The on-disk data at (LCN, byte offset) is to be replaced, in the case of a Redo/Undo operation, with the data specified within the log operation.

2) PAGE

The PAGE statement indicates the start of a new log page (a multiple of 4 KB). The LSN specifies the last end LSN for this page. A * marks a stale page.

3) CheckPoint

The CheckPoint statement specifies an LSN to restart with.

Each statement is preceded by a byte offset pointing into the $LogFile.

Abbreviations:

LSN=Logical Sequence Number

LCN=Logical Cluster Number

VCN=Virtual Cluster Number

FID=File ID

Limitations:

Only log operations that affect on-disk structures are shown. FILE records and INDX buffers are not completely dumped. For complete data, follow the byte offset displayed for the operation of interest. An NTFS journal is only processed if the path of the file contains the string $LogFile.
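The PAGE statements described under Basic Concepts come from the RCRD page headers of the $LogFile. As an added example (not the viewer's code, and not code from this page), the following walks constructed 4 KB pages, reads each page's last end LSN from the standard NTFS record page header, and flags stale pages; the header layout is NTFS's documented on-disk structure, while the stale rule used here (pages that follow the page with the highest LSN in file order belong to an earlier lap of the circular log) is an assumption, not necessarily the rule the viewer applies.

```python
import struct

PAGE_SIZE = 4096  # record pages are multiples of 4 KB; a 4 KB page is assumed here
RCRD_HEADER = "<4sHHQIHHH6sQ"  # magic, usa_ofs, usa_count, last_lsn, flags, page_count,
                               # page_position, next_record_offset, reserved, last_end_lsn


def build_rcrd_page(last_lsn: int, last_end_lsn: int) -> bytes:
    """Construct a synthetic RCRD page (demonstration data, not copied from a real volume).
    usa_ofs 0x28 and usa_count 9 match a 4 KB page with eight 512-byte fixup sectors."""
    hdr = struct.pack(RCRD_HEADER, b"RCRD", 0x28, 9, last_lsn, 1, 1, 1, 0x40, b"\0" * 6, last_end_lsn)
    return hdr.ljust(PAGE_SIZE, b"\0")


def parse_rcrd_pages(logfile: bytes) -> list:
    """Return (file_offset, last_end_lsn, stale) for every RCRD page, in file order.
    The fields read here lie in the first 40 bytes of the page, before the first
    update-sequence fixup slot, so no fixup needs to be applied. Stale heuristic (an
    assumption): the log is circular, so pages that follow the page holding the
    highest last_end_lsn are leftovers from an earlier lap."""
    pages = []
    for off in range(0, len(logfile) - PAGE_SIZE + 1, PAGE_SIZE):
        if logfile[off:off + 4] != b"RCRD":
            continue  # restart pages (RSTR) and empty space are not record pages
        last_end_lsn, = struct.unpack_from("<Q", logfile, off + 32)
        pages.append([off, last_end_lsn, False])
    if pages:
        newest = max(range(len(pages)), key=lambda i: pages[i][1])
        for page in pages[newest + 1:]:
            page[2] = True
    return [tuple(p) for p in pages]


# Constructed sample: one non-RCRD page standing in for the restart area, three pages of
# the current lap, then one page left over from the previous lap (lower LSN, stale).
SAMPLE_LOGFILE = (
    bytes(PAGE_SIZE)
    + build_rcrd_page(1000, 1050)
    + build_rcrd_page(1100, 1150)
    + build_rcrd_page(1200, 1250)
    + build_rcrd_page(800, 850)
)

if __name__ == "__main__":
    # Print one line per page in the spirit of the viewer's PAGE statement: offset, LSN, * if stale.
    for off, lsn, stale in parse_rcrd_pages(SAMPLE_LOGFILE):
        print("0x%08X PAGE LSN %d%s" % (off, lsn, " *" if stale else ""))
```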