Mode Buttons


 

When examining a logical drive, partition, or image file with a file system supported by WinHex, several buttons determine what is displayed in the lower half of the data window, below the directory browser. Available with forensic licenses only.

 

Disk/Partition/Volume/Container

 

Previously labeled "Sectors", this default view shows the binary data of all sectors of the disk, partition, volume, or container represented by the active data window, as hexadecimal code, as text, or both. Offsets and sector numbers are relative to the start of that disk/partition/volume/container.

 

File

 

Looks similar to Disk/Partition/Volume/Container mode, but shows only the clusters allocated to the file or directory currently selected in the directory browser, in the order in which the file uses them: defragmented if the file is fragmented, decompressed if it is compressed, with offsets relative to the beginning of the file. When you switch from File mode to Partition/Volume mode, X-Ways Forensics automatically positions the cursor at the partition/volume offset that is equivalent to the file offset where the cursor was last, even if the file is fragmented, provided such an equivalent position exists. It does not exist for compressed files, virtually attached files, extracted e-mail messages, exported video stills, etc.

 

Preview

 

Checks the type of the file currently selected in the directory browser and displays it with the help of the separate viewer component, unless the viewer component is not active, or the file is a picture (for supported file types see Gallery below) and the viewer component is not to be used for pictures. Even incomplete pictures (e.g. files incompletely recovered because of fragmentation) can usually be displayed partially. If the viewer component is not active and the file is not a picture in one of the supported formats, a rudimentary ASCII text extract from the beginning of the file is displayed.

 

Details

 

Shows all the information on a single selected file from all directory browser columns, including those that are not currently visible. Very useful, for example, when a path is so long that it does not fit in the Path column, perhaps not even in the path tooltip. It also lets you copy the filename, the file path, or other selected data to the clipboard.

 

Details mode also shows NTFS file permissions, which are stored in access control lists (ACLs). Each list element (access control entry) typically has the property "Grant" or "Deny" and a SID to which the permission applies; the SID is translated into a friendly name if possible. The permission itself is either R = Read, C = Change, Full Control, or Special Access. For a Special Access right, all individual rights are listed. Each permission can carry two inheritance flags, container inherit (CI) and object inherit (OI), and two propagation flags, inherit only (IO) and no-propagate inherit (NP). Usually the final list element is the group membership property.
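The list described above can be reproduced from the raw security descriptor, which is the binary structure NTFS keeps in the $Secure file (or in a $SECURITY_DESCRIPTOR attribute on old volumes). The following Python script is an added example written for this page, not X-Ways code. It parses a self-relative Windows security descriptor, walks the DACL, and renders each entry as Grant/Deny, principal, permission label and CI/OI/IO/NP flags. Two things are assumptions: which exact access masks the tool labels R, C and Full Control is not stated on the page, so the cacls convention is used; and the well-known SID table is a tiny stand-in for real SID resolution. The sample descriptor is constructed in the script.

```python
import struct

# ACE flag bits (winnt.h), listed in the order the Details pane names them:
# container inherit, object inherit, inherit only, no-propagate inherit.
CI, OI, IO, NP = 0x02, 0x01, 0x08, 0x04
ACE_FLAGS = [(CI, "CI"), (OI, "OI"), (IO, "IO"), (NP, "NP")]

# Access masks. Which exact masks the tool labels R / C / Full Control is not
# stated on the page; this mapping follows the cacls convention (assumption).
FULL_CONTROL = 0x001F01FF
CHANGE = 0x001301BF   # "Modify": read, write, execute, delete
READ = 0x001200A9     # "Read & execute"

# Individual file rights listed for a "Special Access" entry.
RIGHTS = [
    (0x00000001, "FILE_READ_DATA"), (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"), (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"), (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
]

# Tiny well-known SID table (assumption); unresolved SIDs are shown raw.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-18": "SYSTEM",
              "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; return (string form, end offset)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return text, off + 8 + 4 * count

def friendly(sid):
    return WELL_KNOWN.get(sid, sid)

def describe_mask(mask):
    if mask == FULL_CONTROL:
        return "Full Control"
    if mask == CHANGE:
        return "C"
    if mask == READ:
        return "R"
    return "Special Access (%s)" % ", ".join(n for bit, n in RIGHTS if mask & bit)

def parse_descriptor(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR; render owner, group and DACL."""
    (_rev, _sbz, control, off_owner, off_group,
     _off_sacl, off_dacl) = struct.unpack_from("<BBHIIII", buf, 0)
    result = {"owner": None, "group": None, "aces": []}
    if off_owner:
        result["owner"] = friendly(parse_sid(buf, off_owner)[0])
    if off_group:
        result["group"] = friendly(parse_sid(buf, off_group)[0])
    if control & 0x0004 and off_dacl:                 # SE_DACL_PRESENT
        _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", buf, off_dacl)
        pos = off_dacl + 8
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
            if ace_type in (0, 1):                    # ACCESS_ALLOWED / ACCESS_DENIED
                (mask,) = struct.unpack_from("<I", buf, pos + 4)
                sid, _ = parse_sid(buf, pos + 8)
                result["aces"].append({
                    "type": "Grant" if ace_type == 0 else "Deny",
                    "who": friendly(sid),
                    "rights": describe_mask(mask),
                    "flags": [name for bit, name in ACE_FLAGS if ace_flags & bit],
                })
            pos += ace_size                           # other ACE types are skipped
    return result

def sid_bytes(sid):
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def ace_bytes(ace_type, flags, mask, sid):
    body = struct.pack("<I", mask) + sid_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_sample_descriptor():
    """Constructed descriptor for demonstration; not taken from a real volume."""
    owner, group = sid_bytes("S-1-5-32-544"), sid_bytes("S-1-5-21-1-2-3-513")
    aces = [ace_bytes(1, 0, 0x00000006, "S-1-5-21-1-2-3-1001"),  # Deny write/append
            ace_bytes(0, CI | OI, FULL_CONTROL, "S-1-5-18"),
            ace_bytes(0, CI | OI | IO, READ, "S-1-5-32-545")]
    body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(group)
    control = 0x8000 | 0x0004                         # SE_SELF_RELATIVE | SE_DACL_PRESENT
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl
```

Calling `parse_descriptor(build_sample_descriptor())` yields a Deny entry for the unresolved user SID shown as Special Access with its two individual rights, a Grant of Full Control to SYSTEM with CI and OI, and a Grant of R to Users with CI, OI and IO; the group SID S-1-5-21-1-2-3-513 stays raw because it is not in the lookup table. Note that a Deny entry placed after Grant entries in the DACL would be ordered incorrectly by Windows' own rules, which is itself a finding worth checking when an ACL looks hand-edited.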

 

Details mode also extracts essential internal metadata from OLE2 compound files (e.g. pre-2007 MS Office documents), MS Office 2007 XML, OpenOffice XML, StarOffice XML, HTML, MS Access, MDI, PDF, RTF, WRI, AOL PFC, ASF, WMV, WMA, MOV, AVI, WAV, MP4, 3GP, M4V, M4A, JPEG, BMP, EXE/DLL, JIDX (Java applet cache), THM, TIFF, GIF, PNG, GZ, ZIP, PF, IE cookies, DMP memory dumps, hiberfil.sys, PNF, SHD & SPL printer spool files, RecentFilecache.bcf, WIM Vista image files, Photoshop PSD, INDD (Adobe InDesign), DocumentSummary alternate data streams, tracking.log, .mdb MS Access databases, manifest.mbdx/mbdb iPhone backups, IconCache.db, and many more. For MS Office documents, for example, you will often see additional timestamps (such as Last Printed), subject, author, organization, keywords, total edit time, and much more.

 

For JPEG files this mode shows an additional table at the bottom. It contains the generator signature as well as the "condition" of the file, which may be "incomplete" (the file was truncated), "trailing data" (surplus data was appended after the end of the JPEG data), or in some cases "original" (the file is believed with great certainty to be in a pristine, unaltered state). "Original" is judged from the presence of thumbnails, the absence of color correction certificates, the absence of non-original metadata such as XMP, from timestamps, from artifacts left behind by known editing software, and from whether a resize operation is detected.
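The "incomplete" and "trailing data" conditions follow directly from the marker structure of a JPEG, so they are easy to check independently of the tool. The script below is an added example written for this page; it is not X-Ways code and does not reproduce its generator signature database. It walks the marker segments, skips the entropy-coded scan data correctly (stuffed 0xFF00 bytes and restart markers are not segment boundaries), and reports whether the EOI marker was reached and whether bytes follow it. It also notes XMP, Exif and ICC segments, which are among the inputs the page lists for the "original" verdict. A hash of the quantization tables is used as a stand-in for a generator signature, since those tables are what typically distinguishes one encoder from another; that choice is an assumption. The sample file is a constructed marker skeleton, not a decodable image.

```python
import hashlib
import struct

SEGMENT_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS", 0xDB: "DQT",
                 0xDD: "DRI", 0xE0: "APP0", 0xE1: "APP1", 0xE2: "APP2", 0xFE: "COM"}
NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0..RST7

def walk_jpeg(data):
    """Walk the marker structure of a JPEG and classify its condition."""
    r = {"segments": [], "condition": "incomplete", "trailing_bytes": 0,
         "notes": [], "dqt_fingerprint": None}
    if data[:2] != b"\xff\xd8":
        r["condition"] = "not a JPEG"
        return r
    r["segments"].append("SOI")
    dqt, pos = b"", 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            r["condition"] = "corrupt"                # expected a marker here
            return r
        marker = data[pos + 1]
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                            # EOI: decide final condition
            r["segments"].append("EOI")
            r["trailing_bytes"] = len(data) - pos
            r["condition"] = "trailing data" if r["trailing_bytes"] else "complete"
            r["dqt_fingerprint"] = hashlib.sha256(dqt).hexdigest()[:16]
            return r
        r["segments"].append(SEGMENT_NAMES.get(marker, "M%02X" % marker))
        if marker in NO_LENGTH:
            continue
        if pos + 2 > len(data):
            return r                                  # cut off inside a marker
        (seglen,) = struct.unpack_from(">H", data, pos)
        payload = data[pos + 2:pos + seglen]
        if seglen < 2 or len(payload) != seglen - 2:
            return r                                  # length runs past end of file
        if marker == 0xDB:
            dqt += payload
        elif marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            r["notes"].append("Exif metadata")
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            r["notes"].append("XMP metadata")         # the "unoriginal metadata" case
        elif marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"):
            r["notes"].append("ICC profile")
        pos += seglen
        if marker == 0xDA:                            # skip entropy-coded data
            while True:
                i = data.find(b"\xff", pos)
                if i < 0 or i + 1 >= len(data):
                    return r                          # no marker follows: truncated
                nxt = data[i + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:    # stuffed byte or RSTn
                    pos = i + 2
                elif nxt == 0xFF:
                    pos = i + 1
                else:
                    pos = i
                    break
    return r

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample_jpeg(xmp=False):
    """Constructed marker skeleton (not a decodable image) to exercise the walker."""
    parts = [b"\xff\xd8", _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")]
    if xmp:
        parts.append(_seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>"))
    parts += [
        _seg(0xDB, b"\x00" + bytes(range(1, 65))),          # one 8-bit quantization table
        _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"),  # SOF0: 8x8, one component
        _seg(0xC4, b"\x00" + bytes(16)),                    # empty DC Huffman table 0
        _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00"),            # SOS for component 1
        b"\x12\x34\xff\x00\x56\xff\xd0\x78",                # scan data with stuffing + RST0
        b"\xff\xd9",
    ]
    return b"".join(parts)
```

Truncating the sample before its EOI yields "incomplete", appending bytes after the EOI yields "trailing data" with the byte count, and adding an XMP APP1 segment leaves the DQT fingerprint unchanged while recording the metadata note, which mirrors the distinction the page draws between the file's condition and its originality indicators.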

 

Gallery

 

Checks the file signature of all files in the currently visible portion of the directory browser. If a file is found to be a picture, a thumbnail is displayed; otherwise a brief summary (filename, size, signature). When you scroll in the directory browser, the gallery view scrolls as well. You may switch directories even while thumbnails are still loading. Double-clicking a thumbnail opens a full-size view of the picture, where you can zoom in and out with the + and - keys. Even incomplete pictures (e.g. files incompletely recovered because of fragmentation) can usually be displayed partially. Supported picture file types: JPEG, PNG, GIF, TIFF, BMP, PSD, HDR, PSP, SGI, PCX, CUT, PNM/PBM/PGM/PPM, ICO. Optionally, the gallery can also show files of other types as thumbnails, using the viewer component. The gallery does not work well with search hit lists.

 

When a View window displays a picture and such windows are limited to one, that window is updated with the next picture when you press the cursor keys in the gallery. This is especially useful when the View window is placed on a second monitor while the gallery is on the first, on a spanned desktop: it avoids having to press Enter to view the picture and another key to close the View window to return the input focus to the gallery.

 

Calendar

 

Gives a convenient visual overview of the timestamps of all listed files/directories, from all 6 timestamp columns of the directory browser, in the form of a calendar; in event list mode it gives a similar overview of all listed event timestamps. Each day with at least one timestamp is marked gray in the calendar; the more activity on a day, the darker the color. Weekends (Saturdays and Sundays) are specially marked with an x. Hover the mouse over a day to see exactly how many timestamps fall on that day. Left-click a day to select it as the left boundary of the timestamp filter, or right-click it to define it as the right boundary. Middle-click a day to filter for timestamps on that particular day only. If the same file is listed more than once (which can happen in a search hit list that contains more than one search hit for that file), its timestamps are also represented more than once in the calendar.

 

When not showing events, you can decide which columns' timestamps are included in the calendar: columns that are hidden (width of 0 pixels) are excluded, all other columns are included. The status bar reminds you which columns are included even if they are not currently visible because of horizontal scrolling.

 

Years in the calendar with no timestamps are grayed out. The number of a year is displayed in a darker shade of gray the more timestamps are listed for that year. All the shades of gray are meant to give the examiner a better and quicker impression of peaks or absence of activity.

 

As the number of years represented in Calendar mode is limited, garbage timestamps in the far past can keep you from seeing the later years that you are interested in if you do not set a filter or delete the events with garbage timestamps. You can therefore specify the minimum year represented by the calendar: timestamps in earlier years are disregarded by the calendar even if no filter is active. By default the minimum year is 2000. To change it, click the number of the first year on the left in Calendar mode.

 

Example: During which period of time were most JPEG files processed on a volume? Right-click the root directory in the directory tree (case data window) to recursively list all files from all subdirectories, then use the file type filter to limit the view to JPEG files, and enable the calendar view.
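The counting behind the calendar is simple enough to reproduce for a listing exported from the directory browser, which is useful when you want to script the JPEG question above across many evidence objects. The Python below is an added example for this page, not X-Ways code. It counts timestamps per day across the visible timestamp columns only (hidden columns are excluded, as described above), applies the minimum-year cutoff so that garbage timestamps do not swamp the view, counts a file listed twice twice, marks weekends, and implements the left/right/single-day boundary filter. The column names and the sample entries are constructed for the example; the page only says that there are six timestamp columns.

```python
from collections import Counter
from datetime import date, datetime

# Column names are assumed for this example; the page only says there are six.
TIMESTAMP_COLUMNS = ["created", "modified", "record_changed", "accessed",
                     "deleted", "internal_created"]

def calendar_counts(entries, visible_columns, min_year=2000):
    """Count timestamps per ISO day, as the calendar does.

    entries: list of dicts, column name -> datetime or None.
    visible_columns: columns with width > 0; hidden columns are excluded.
    min_year: earlier timestamps are ignored even when no filter is active.
    A file listed twice (two search hits) is counted twice, as in the tool.
    """
    counts = Counter()
    for entry in entries:
        for col in visible_columns:
            ts = entry.get(col)
            if ts is not None and ts.year >= min_year:
                counts[ts.date().isoformat()] += 1
    return counts

def shade(count, max_count, levels=4):
    """Gray level 1..levels for a day with activity, 0 for none."""
    if count == 0 or max_count == 0:
        return 0
    return max(1, round(count * levels / max_count))

def is_weekend(day):
    """day is an ISO date string; Saturday=5, Sunday=6."""
    return date.fromisoformat(day).weekday() >= 5

def filter_entries(entries, visible_columns, left=None, right=None):
    """Keep entries with a visible timestamp in [left, right] (ISO dates, inclusive).
    left == right reproduces the middle-click single-day filter."""
    def in_range(ts):
        d = ts.date().isoformat()                 # ISO strings sort chronologically
        return (left is None or d >= left) and (right is None or d <= right)
    return [e for e in entries
            if any(e.get(c) is not None and in_range(e[c]) for c in visible_columns)]

def render(counts):
    """One text line per active day: date, weekend mark, shade bar, count."""
    max_count = max(counts.values(), default=0)
    return ["%s %s %-4s %d" % (day, "x" if is_weekend(day) else " ",
                               "#" * shade(n, max_count), n)
            for day, n in sorted(counts.items())]

def sample_entries():
    """Constructed listing: two camera JPEGs (one listed twice, as a duplicate
    search hit) and one file with a garbage 1980 creation timestamp."""
    cam1 = {"created": datetime(2023, 3, 4, 9, 0), "modified": datetime(2023, 3, 4, 9, 0),
            "accessed": datetime(2023, 3, 6, 12, 0)}
    cam2 = {"created": datetime(2023, 3, 4, 10, 0), "modified": datetime(2023, 3, 4, 10, 0),
            "accessed": datetime(2023, 3, 4, 10, 0)}
    junk = {"created": datetime(1980, 1, 1, 0, 0), "modified": datetime(2023, 3, 5, 8, 0),
            "accessed": None}
    return [cam1, cam2, cam2, junk]
```

With the three columns visible, the sample produces 8 timestamps on Saturday 2023-03-04 (the duplicate listing contributes six of them), one on 03-05 and one on 03-06, while the 1980 timestamp is dropped by the default minimum year; lowering `min_year` to 1970 brings it back, which is exactly the effect the page warns about.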

 

Raw

 

In Preview mode, in conjunction with the viewer component, when viewing non-picture files, Raw mode renders the file as plain text. This is useful, for example, for HTML files to see the HTML source code, for .eml files to see the complete e-mail header, and generally in search hit list mode when the viewer component cannot highlight a search hit in normal Preview mode, because the hit may be contained in metadata or control code that is represented in Raw preview mode but not in normal Preview mode. You can make Raw preview mode persistent by holding the Shift key when activating Raw mode.

 

File mode offers a "raw" submode for NTFS-compressed files. In Raw mode you see the compressed data as stored on disk, including the sparse clusters, rather than the decompressed contents of the file. This is useful for research or educational purposes, and because small amounts of data could theoretically be hidden manually in the not clearly defined but implicitly existing slack area of each compression unit, which follows the compressed payload data.

 

VC

 

The VC button is visible only in Preview mode when viewing pictures of types supported by the internal graphics viewing library. By default the internal graphics viewing library is used to preview or view pictures. If the VC button is pressed, however, the viewer component is used instead; it is also responsible for displaying the thumbnails in the gallery.

 

Sync

 

Synchronizes the directory browser and the directory tree: when you select a file in the directory browser in a recursive view, its parent directory is highlighted in the tree. In non-recursive exploration, Sync mode has a similar effect as the option "Automatically expand to current folder" in Windows Explorer. That means that when Sync mode is off and you navigate from one directory to another using the directory browser, the directory tree on the left no longer reflects the current directory: it neither expands the parent if necessary nor selects the current directory. Whether Sync mode is active is remembered separately for recursive and non-recursive exploration.

 

Exploration Mode

 

Button with a curly turquoise arrow. Toggles between normal and recursive exploration of a directory. When exploring recursively, you do not only see the contents of the current directory, but also the contents of all its subdirectories and their subdirectories, and so forth. To explore a directory recursively, you may also right-click it in the directory tree.

 

Multi-monitor support

 

It is possible to detach the lower half of a data window (Disk/Partition/Volume mode, File mode, Preview, Gallery, etc.) from the data window by clicking the three dots located to the left of the mode buttons. After that, you can freely move and resize it on the screen. On multi-monitor systems this lets you keep that part of the user interface on a separate screen and even maximize it there. To reintegrate it into the main window, click the same three dots again or click its Minimize button.