Directory Browser

WinHex & X-Ways

Directory Browser Options


• Grouping files and directories in the directory browser is optional. X-Ways Forensics remembers the sort criteria and this option separately

1) for the normal directory browser of a volume,

2) for the normal directory browser of a partitioned disk,

3) for search hit lists and

4) for event lists.

 

• Grouping existing and deleted items in the directory browser is optional. There are two ways to use this feature: previously existing files that are potentially recoverable (question mark icon) and those known to be unrecoverable (red X icon) are either grouped separately as well (three groups in total) or not (two groups only). A small symbol with either one or two horizontal dividers indicates whether the list is split into two or three groups; it also appears in the header of the column that is the primary sort criterion. This serves as a reminder that when you scroll through the directory browser looking for a certain file, for example by its name, you need to check every group, because sorting takes place within each group and does not span the groups.

• Double-clicking a directory explores it. Double-clicking an ordinary file views it. This option controls whether files with child objects are viewed or explored on a double-click. If the checkbox is half-checked, you will be prompted.

• Files can optionally be opened and searched including their slack. The middle state of this checkbox makes a difference only for logical searches (cf. that topic).

• A ".." item can be optionally listed at the top of the directory browser when navigating within a volume from one directory to another. If displayed, it is frozen at the top and does not scroll along with all the other items. It shows all the information on the directory that it represents (the one that you would navigate to if you double-click it), just like with all the other items in the directory browser. A "." item is also displayed optionally, representing the currently explored directory. Useful if for example you wish to see certain metadata (e.g. timestamps) of the parent object at the same time as metadata of its child objects. And if the . or .. item is a file and you select it, then you can see that particular file in File, Preview or Details mode. And it is represented in Gallery mode.

 

• Listing the root directory of a volume in the directory browser (in the root directory itself, actually) is somewhat illogical, but can be very helpful to see that directory's timestamp (if any, depending on the file system), to quickly navigate to its clusters (if any, also depending on the file system), or as another place from which to quickly tag or untag all items in a volume.

• Listing the internal files of the file system is optional in the normal directory browser. This affects, for example, the various $* files in NTFS. In X-Ways Investigator specifically, those files are no longer listed, as they are irrelevant to non-technical examiners (the target group of X-Ways Investigator) and might confuse them, because they are not familiar with such files from using ordinary high-level computer software.

• Listing subdirectories when exploring recursively is optional. They may be needed if you are interested in their names or timestamps, but they may distract you when you are merely interested in viewing files.

• Applying filters to directories, too, is optional. Most often users employ filters to focus on certain files, not directories, and they may still need the directories listed in order to navigate to the files of interest.

• The selection statistics are displayed below the directory browser (with a forensic license only). If computed recursively, they reveal how many subdirectories and files, and how much data, are contained in a directory (or in a file with child objects) when you select it in the directory browser, taking any active filters into account; this does not apply if you have already explored recursively. If this option is not enabled, the statistics describe only the direct selection in the directory browser, not the child objects that may be indirectly selected. If this option is half selected, the statistics take child objects of directories into account, but not child objects of files.

• Tagging or excluding items in the directory browser can work recursively or non-recursively. Non-recursively means that tagging/untagging/excluding/including a file or directory in the directory browser has no effect on its parent or child objects or on parent directories or subdirectories. This is useful, for example, if all child objects of a file should be processed in volume snapshot refinement or searched, but not the parent object. If it works recursively, it is not possible to have an untagged parent object whose child objects are all tagged. If the recursive tagging option is in its middle state, child objects still inherit the tagged state from their parent at the moment they are newly added to the volume snapshot, e.g. when you extract e-mails and attachments from a tagged e-mail archive. Whether tagging and excluding work recursively or not can also be controlled by holding the Shift key. Tagging or untagging recursively can be very slow in large volume snapshots.

• Advanced sorting: Takes 4 to 6 times more time than the highly optimized standard Unicode sorting (noticeable when sorting millions of files), but has several useful settings and characteristics:

- Language-specific character equivalence rules (treat ß like ss, treat é similar to e, ü similar to u etc.)

- Linguistically improved case insensitivity

- Special treatment of hyphens and apostrophes (they are treated differently from other non-alphanumeric characters to ensure that words such as "coop" and "co-op" stay together in a sorted list).

- Treat decimal digits as numbers, e.g. sort "2" before "10" (not useful for hexadecimal notation, available under Windows 7 and later only)

- Treat half-width and full-width characters the same (full-width characters are sometimes used by East Asians when writing English language letters)

- Ignore kana type (treat corresponding Japanese hiragana and katakana characters the same)

Advanced sorting depends on the regional settings of the currently logged-on user. For example, if the regional settings of a Nordic country are active, Å comes after Z, as defined in the alphabets of that region; otherwise it comes near A, as non-locals might expect. Advanced sorting rules are also applied when sorting search hits by the Search Hit column.

• There is an option to sort search hits by their data and context instead of just by the search terms to which they belong. This is helpful for keyword searches (not for technical searches, e.g. for hex values). It is slower, since the data and context of all search hits to be sorted have to be read and converted to a comparable code page. Sorting by the data in search hits helps with GREP searches. It makes a difference only for GREP expressions that match variable data, because for constant search terms the search term and the data in its corresponding search hits are identical. For example, after searching for e-mail addresses with the expression [a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}, sorting by the data allows you to quickly identify and visually skip groups of identical e-mail addresses, or to see similar e-mail addresses (starting with the same characters) next to each other. Continuing to sort by the text that follows the actual search hit, where the search hit data is the same, shows identical or similar text passages next to each other and lets you review the search hit list more quickly. You can specify how many characters of data and context to take into account for sorting. The more characters, the more memory is needed for sorting, which can make a difference when listing a huge number of search hits.
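
As an added illustration (not part of the X-Ways documentation), the following Python models why sorting GREP hits by data and context groups identical addresses: it applies the expression above to constructed sample text, records each hit together with the characters that follow it, and sorts by (data, context). The sample text and the 20-character context length are assumptions.

```python
import re

# GREP expression quoted in the text above, used unchanged.
EMAIL_GREP = r"[a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}"

# Constructed sample data standing in for the searched evidence (not from the page).
SAMPLE_DATA = (
    "From: alice@example.com Subject: invoice 42\n"
    "Cc: bob.smith@mail.example.org Subject: re: meeting\n"
    "From: alice@example.com Subject: invoice 43\n"
    "To: alice.b@example.com Subject: photos\n"
    "From: alice@example.com Subject: invoice 42\n"
)

def find_hits(data, expression, context_chars=20):
    """Return (offset, hit_data, following_context) per match, in file order.
    context_chars models the 'number of characters of context' setting."""
    hits = []
    for m in re.finditer(expression, data):
        context = data[m.end():m.end() + context_chars]
        hits.append((m.start(), m.group(0), context))
    return hits

def sort_by_data_and_context(hits):
    """Primary key: the matched data; secondary key: the text following it.
    Sorting by search term alone would leave all GREP hits in file order,
    because every hit belongs to the same (variable) expression."""
    return sorted(hits, key=lambda h: (h[1], h[2]))

def grouped_addresses(sorted_hits):
    """Collapse runs of identical hit data into (address, count) pairs, i.e.
    the groups an analyst can skip at a glance once the list is sorted."""
    groups = []
    for _, data, _ in sorted_hits:
        if groups and groups[-1][0] == data:
            groups[-1] = (data, groups[-1][1] + 1)
        else:
            groups.append((data, 1))
    return groups

if __name__ == "__main__":
    for offset, data, ctx in sort_by_data_and_context(find_hits(SAMPLE_DATA, EMAIL_GREP)):
        print(f"{offset:4d}  {data:28s} {ctx!r}")
```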

• Optionally, after start-up, the directory browser can be left unsorted for performance reasons. That means the program forgets the sort criteria that were last in use. If selected, there is also no sorting when all filters are turned off with a single mouse click, to avoid longer delays when suddenly all files are listed recursively again.

• Directory browser settings (in particular column width, filter settings and sort orders) can be optionally stored in cases and reactivated when loading cases (if stored by a compatible version).

• Dynamic e-mail and timestamp columns let X-Ways Forensics decide whether to include the Sender and Recipient columns in the directory browser. They are included if at least one extracted e-mail message is in the visible portion of the directory browser, otherwise not. This is helpful because it leaves more room for other columns when the columns that are filled exclusively for extracted e-mail messages are not needed. The columns with alternative timestamps can also be shown dynamically, i.e. only when items that have such timestamps in the volume snapshot are displayed in the visible portion of the directory browser.

• Optionally, the Path column can show the "full" path, which means including the name of the object itself. This is useful for example if you wish to copy such a complete path directly from the Path column, and can also be used to achieve a sort order where child objects follow their respective parents (e.g. e-mail attachments their containing parent e-mail messages).

• The 1st sector column can optionally show physical start sector numbers for files in partitions (counted from the start of the physical disk or disk image) instead of logical start sector numbers, if the partition was opened from within the physical disk/disk image. In that case the column label contains a P in a circle (P for physical). Only for ordinary partitions, not Windows dynamic volumes or LVM2 volumes.

• An option exists to show the file type ranks in the Type status column, which also causes sorting by that column to sort by those ranks. Ranks are defined in the File Type Categories.txt file.

• A special file icon for pictures is available, which is very useful when your main focus is on such files. Depending on whether the checkbox is fully checked or half checked, symbols like question marks, arrows, scissors, hammers, etc. that further reveal the status of the file are additionally superimposed or not. If not, that is easier on the eye. You can still tell the exact deletion status from the Description column, and the rough deletion/existence status is still obvious from the contrast of the icon.

• Conditional cell background coloring helps to draw your attention to items of interest without having to filter out all non-matching items. Matching items are found through a substring search in the cell contents of a selected column. Substring expressions may be up to 15 characters long. You may use an asterisk to match anything except blank cells. If a match is detected in a cell, either only the background of that particular cell is colored (called "cell-targeted coloring") or the entire line. To color an entire column regardless of the cell contents, activate cell-targeted coloring for that column and specify an empty condition string, i.e. no condition at all. If a cell meets multiple cell-targeted conditions or multiple line-targeted conditions, only the first condition of each group is applied. If different conditions apply to the same cell (one cell-targeted and one line-targeted color), that cell is shown in a mix of both colors. For line-targeted coloring, only the first 255 characters in the respective cell are guaranteed to be searched.

Conditions cannot be defined for search-hit-specific columns, but they can be defined for event-specific columns. That can prove useful when trying to identify patterns in events. For example, you could color all events of type "Program started" red and log-in events yellow, and more easily see how far apart from each other they are. Conditional cell background coloring is case-specific if "Store directory browser settings in cases" is selected. The color settings are also stored in a file named "Conditional Coloring.cfg", and they are stored in and loaded from .settings files along with other directory browser settings. Up to 255 conditions may be defined.
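
The precedence rules above (first condition per group wins, cell-targeted and line-targeted colors are mixed, asterisk and empty conditions, 255-character limit for line-targeted searches) can be modeled to predict how a row will be colored. The following Python is an added example, not X-Ways code; the channel-wise averaging used for "mix", the RGB representation and the event rows are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    column: str          # column whose cell contents are searched
    substring: str       # up to 15 chars; "" = no condition (whole column), "*" = any non-blank cell
    color: tuple         # RGB triple
    cell_targeted: bool  # True: color only the matching cell; False: color the entire line

def condition_matches(cond, cell_text):
    if len(cond.substring) > 15:
        raise ValueError("substring expressions may be up to 15 characters long")
    if cond.substring == "":
        return True                   # empty condition matches regardless of contents
    if cond.substring == "*":
        return cell_text != ""        # asterisk matches anything except blank cells
    haystack = cell_text if cond.cell_targeted else cell_text[:255]  # 255-char guarantee for line-targeted
    return cond.substring in haystack

def mix(a, b):
    # Assumption: "a mix of both colors" modeled as the channel-wise average.
    return tuple((x + y) // 2 for x, y in zip(a, b))

def resolve_row_colors(row, conditions):
    """Return {column: RGB} for one row (dict column -> cell text). Only the first matching
    line-targeted condition per row and the first matching cell-targeted condition per cell apply."""
    line_color = None
    for c in conditions:
        if not c.cell_targeted and condition_matches(c, row.get(c.column, "")):
            line_color = c.color
            break
    colors = {}
    for col, text in row.items():
        cell_color = None
        for c in conditions:
            if c.cell_targeted and c.column == col and condition_matches(c, text):
                cell_color = c.color
                break
        if cell_color and line_color:
            colors[col] = mix(cell_color, line_color)   # both groups hit the same cell
        elif cell_color or line_color:
            colors[col] = cell_color or line_color
    return colors

RED, YELLOW, GREEN = (255, 0, 0), (255, 255, 0), (0, 255, 0)  # constructed palette
EVENT_CONDITIONS = [  # constructed conditions mirroring the event-list use case in the text
    Condition("Type", "Program started", RED, cell_targeted=False),
    Condition("Type", "log-in", YELLOW, cell_targeted=False),
    Condition("Name", "*", GREEN, cell_targeted=True),
]
```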

Columns

Various columns are available in the directory browser. They are all optional. They are displayed if they have a non-zero column width in pixels, or hidden if their width is zero. You can toggle column visibility purely with the mouse if you like, by clicking the column label in the dialog window.

It is possible to redefine the order of the columns in the directory browser. This will also change the order of the fields in the case report (i.e. in report tables), on print cover pages, in exported file listings, and the Export/Copy log. You can select a column for relocation by clicking its radio button. Then use the vertical scrollbar that appears at the top. You can reset the column order to the default one by right-clicking that scrollbar.

In the lower left corner of the directory browser options dialog box, you will find a button that undoes the exclusion of all files and directories in the volume snapshot of the evidence object in the active data window. To selectively include files, make sure they are not filtered out. Then you can include them with a context menu command after selecting them.

There is another button that totally removes excluded items from the volume snapshot if they are irrelevant or not needed, in particular meaningless garbage files found via a file header signature search. This makes the volume snapshot smaller, i.e. more efficient to handle, and saves main memory. It is also useful if you would like X-Ways Forensics to find certain files once again via a file header signature search, but, for example, list them with a different default file size if the originally specified default file size proved inadequate. The removal operation is faster if you delete search hits prior to executing it. As part of the removal, internal IDs are shuffled, so they no longer indicate the order in which items were added to the volume snapshot. Excluded items that have non-excluded child objects are not removed. It is highly recommended to work with a copy of your case when using this functionality, e.g. one produced with the Save As command.