WinHex & X-Ways

Directory Browser Context Menu

 

Note: Commands in the main menu (File, Edit, Search, ...) always apply to the active data window as a whole (which e.g. represents an open file or an open disk), or to files/disks that are still to be specified by the user. They never apply to the file(s) currently selected in the directory browser. That's what the directory browser context menu is there for.

 

The directory browser context menu allows the user to directly interact with the currently selected files/directories, notably not the tagged items. There are a number of menu commands which are available depending on the selected items. Double-clicking files and directories will, depending on the circumstances, either invoke "View", "Explore" or the associated external program.

 

View

 

This command allows viewing the selected file with WinHex' internal viewers for Windows Registry files and various graphical file formats. If the separate viewer component that comes with X-Ways Forensics is active, all other files are sent to that viewer. If it is not, the first installed external program will be called instead. NTFS system files are always opened as data windows.

 

When viewing a file in a separate window, you may press (Ctrl+) Page Dn/Up to close the window and view the next file in the directory browser in a new window. If a View window displays a picture and viewing pictures is limited to one picture at a time, that window will be updated when you press the cursor keys in the gallery. This is especially useful on a spanned desktop, with the View window centered on the second monitor and the gallery on the first: it avoids having to press the Enter key to view the picture and another key to close the View window to get the input focus back to the gallery.

 

Explore

 

Only available for directories and archives (ZIP, RAR, TAR, ...), this command allows navigating into them within the directory browser. Double-clicking archives or directories does the same. A command that allows listing the contents of directories as well as their subdirectories at the same time can be found in the directory tree's context menu instead (in the Case Data window, "Explore recursively").

 

Viewer Programs

 

Sends the selected file(s) to one of the currently configured external programs or to the program associated with the file in the current Windows installation. The association is determined by file extension, as is usual within Windows.

You also have the option to open files in an external program that you select ad hoc. The program that you select will be saved as standard custom viewer program if you have not used all slots for external viewer programs yet, and then also remembered for next time when you invoke the same menu command.

 

Open

 

Opens currently selected files or directories in separate data windows. Unlike File | Open, where files can be opened just like in any other application with the help of the operating system, this is a forensically sound operation in that it does not update any timestamps etc. because the operating system is circumvented and the logic to read the file's contents from the correct disk sectors is implemented in WinHex itself for various file systems. No changes can be made to files that were opened in this fashion, however. In the case of a directory, the directory's data structures will be opened.

 

Print

 

If the separate viewer component is active, you may select files for printing. This allows printing multiple selected documents without interruption, i.e. without the need to click somewhere after each document, optionally along with child objects (e.g. e-mail attachments together with their respective e-mail message). The optional cover page contains the date and time when the print job was started and selected meta-information, e.g. filename, path, evidence object title, file size, description, timestamps, comments, ... The cover page is printed by X-Ways Forensics itself; the following pages with the actual document are printed by the viewer component. Another option is to have X-Ways Forensics print the filename and path on the first page. This option is not bound by the same path length limitations as the header optionally printed by the viewer component. To avoid having the path printed twice on the first page, have either X-Ways Forensics or the viewer component print it, not both. You can print just the cover page by choosing to print only pages 0 through 0 of the document or picture itself. The header line of the cover page, which specifies which user and which program and version created the print job, is optional. Omitting it is useful if you wish to show the printout to witnesses or the suspect, who should not know the username of the examiner.

 

Recover/Copy

 

Mount as Drive Letter

 

Export List

 

Requires a specialist license or higher. Exports data about the selected items in the directory browser to a tab-delimited text file or to an HTML file, which can be easily viewed in any web browser or imported and further processed e.g. in MS Excel and MS Word. A third option (except for search hit lists) is an XML file. The list can alternatively be copied to the clipboard in the chosen format, for example to paste it directly into an externally edited report. The columns to export are freely selectable. Even the search hit column can be exported, with the textual context around each and every actual hit, where the search term itself can be visually highlighted with a yellow background color (not recommended for output to MS Excel). You may choose to split the result into multiple files, for example to avoid a huge HTML file that Internet browsers will choke on.

 

There is an option to copy files off the disk/image and link them from the HTML output. The links can be found in the Name column. The behavior is affected by two case report options: "Name output files after unique ID" and "Embed attachments in parent .eml file". This option presents an interesting layout alternative to the regular output of report tables and also an alternative to the Recover/Copy command.

 

The Export List command remembers its own notation settings, different from the notation settings in the General Options. That is useful because the database or spreadsheet program of your choice in which you wish to import the data may not like the formatting that you prefer to see in the directory browser (e.g. fractions of seconds in timestamps, time zone bias, weekdays in dates, delimiter between date and time, integer digit grouping, ...). While the Export list dialog window is on the screen, the directory browser in the background reflects the notation settings of the Export List command, as a kind of preview.
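The following is an added, illustrative example and not X-Ways' own export code: it renders the same constructed directory browser rows under two notation settings (one comfortable for on-screen display, one plain ISO 8601 for spreadsheet import) and writes them either as tab-delimited text or as an HTML table with the search term highlighted in yellow. The column names, the `Notation` fields and the sample row are assumptions made for the example; they mirror the notation options named above (fractions of seconds, time zone bias, weekday, date/time delimiter, digit grouping) but not any actual setting names.

```python
import html
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Notation:
    """Subset of notation settings that matter when a list is imported elsewhere (assumed names)."""
    fraction_digits: int        # fractions of a second in timestamps (0 = none)
    weekday: bool               # prefix dates with the weekday
    tz_bias: bool               # append the time zone bias, e.g. +0200
    date_time_separator: str    # delimiter between date and time
    digit_grouping: bool        # 1,234,567 instead of 1234567


DISPLAY_NOTATION = Notation(3, True, True, " ", True)     # comfortable in the directory browser
EXPORT_NOTATION = Notation(0, False, False, "T", False)   # plain ISO 8601, safe for spreadsheet import

# Constructed rows standing in for selected directory browser items (not real case data).
SAMPLE_ROWS: List[Dict] = [
    {"Name": "report.docx", "Path": r"\Users\jdoe\Documents", "Size": 1234567,
     "Modified": datetime(2023, 5, 4, 13, 7, 9, 123456, tzinfo=timezone(timedelta(hours=2))),
     "Comment": "tab\there\nand a line break", "Context": "...the invoice for ABC Ltd. is..."},
]


def format_timestamp(ts: datetime, n: Notation) -> str:
    """Render a timestamp according to the given notation settings."""
    s = ts.strftime("%Y-%m-%d") + n.date_time_separator + ts.strftime("%H:%M:%S")
    if n.fraction_digits:
        s += "." + f"{ts.microsecond:06d}"[: n.fraction_digits]
    if n.weekday:
        s = ts.strftime("%a ") + s
    if n.tz_bias:
        s += ts.strftime(" %z")
    return s


def format_cell(value, n: Notation) -> str:
    """Timestamps and integers follow the notation; everything else is used verbatim."""
    if isinstance(value, datetime):
        return format_timestamp(value, n)
    if isinstance(value, int):
        return f"{value:,}" if n.digit_grouping else str(value)
    return str(value)


def export_tsv(rows: List[Dict], columns: List[str], n: Notation) -> str:
    """Tab-delimited text. Tabs and line breaks inside a cell (typically comments)
    would split the row on import, so they are flattened to spaces."""
    def cell(v) -> str:
        return format_cell(v, n).replace("\t", " ").replace("\r", " ").replace("\n", " ")
    lines = ["\t".join(columns)]
    lines += ["\t".join(cell(r.get(c, "")) for c in columns) for r in rows]
    return "\n".join(lines) + "\n"


def export_html(rows: List[Dict], columns: List[str], n: Notation,
                highlight: Optional[str] = None) -> str:
    """HTML table. An optional search term is highlighted with a yellow background
    in the Context column (case-sensitive match, kept simple for the example)."""
    def cell(col: str, v) -> str:
        text = html.escape(format_cell(v, n))
        if highlight and col == "Context":
            safe = html.escape(highlight)
            text = text.replace(safe, f'<span style="background-color:yellow">{safe}</span>')
        return f"<td>{text}</td>"
    head = "<tr>" + "".join(f"<th>{html.escape(c)}</th>" for c in columns) + "</tr>"
    body = "".join("<tr>" + "".join(cell(c, r.get(c, "")) for c in columns) + "</tr>"
                   for r in rows)
    return f"<table>{head}{body}</table>"


if __name__ == "__main__":
    cols = ["Name", "Path", "Size", "Modified", "Comment"]
    print(export_tsv(SAMPLE_ROWS, cols, DISPLAY_NOTATION))
    print(export_tsv(SAMPLE_ROWS, cols, EXPORT_NOTATION))
    print(export_html(SAMPLE_ROWS, ["Name", "Context"], EXPORT_NOTATION, highlight="invoice"))
```

Running the script shows why separate notation settings matter: the display variant yields "Thu 2023-05-04 13:07:09.123 +0200" and "1,234,567", which many import filters read as text, whereas the export variant yields "2023-05-04T13:07:09" and "1234567", which they parse as a date and a number.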

 

Extract consecutive frames

 

Extracts all frames from a defined section of a selected video. Useful if a certain part of a video is of high interest and you need to carefully check visual details in certain frames or include them in the report. You can specify how many consecutive frames to extract and starting from which second. The number of frames needed to cover a certain period of time can be derived from the frame rate shown in the Metadata cell (fps = frames per second). Please note that the start second may be interpreted only very roughly, depending on the frequency of keyframes (a.k.a. I-frames in MPEG) in the video, because MPlayer can seek into a video file only to keyframes. If, for example, a video file contains a keyframe only every 4 seconds, the start second of the extraction may be off by up to 4 seconds. Keep this in mind when you enter the number of frames that you need or the start second. That is, to be on the safe side, extract more frames than you may actually need and perhaps from an earlier start second.

 

The frames are saved as JPEG files in a directory of your choice on your own drive, where you can review them outside of X-Ways Forensics. If you like, you can of course attach the most relevant frames to the original video file in the volume snapshot as child objects. The frames are not stored within the volume snapshot by default so that the size of the volume snapshot does not unreasonably inflate with potentially mostly irrelevant and redundant pictures. If the output directory already contains extracted frames, files with identical relative frame numbers will be overwritten. Relative frame numbers always start with 00000001 for each extraction and increment with each frame. You may adjust the JPEG compression if necessary for stronger compression or better quality. (Of course you usually cannot expect a very good quality because videos are typically highly compressed already.)

 

Report Table Association

 

Edit Comment

 

Requires a forensic license. Use this command to add a comment to an item in the directory browser or to edit or remove an existing comment. After entering comments, you can conveniently set the filter such that only commented items are shown or only items with specific comments, e.g. those with a certain relevance.

 

Edit Metadata

 

Requires a forensic license. Allows editing the metadata field of a file once metadata has been extracted. Useful if you wish to include only selected metadata (not all extracted metadata) in a report.

 

Refine Volume Snapshot and Simultaneous Search in items that are selected in the directory browser

 

Tag/Untag Item

 

Requires a forensic license. Tagging files means highlighting them visually (placing a blue square at the beginning of a directory browser item), for various reasons, e.g. to mark them as relevant, or memorize a position in a sorted list, or to limit volume snapshot refinements to tagged files. Tagging is not to be confused with selecting.

 

Exclude/Include

 

You may exclude selected items (press Del) or all tagged or all untagged items. If actually filtered out, excluded files are omitted from the directory browser, the gallery view, and all commands that can be run from the directory browser context menu. If you are only allowed to examine the contents of certain directories, you could initially exclude all files in all other directories to ensure that. Refining the volume snapshot can be limited to files that are not excluded. Excluded items are actually filtered out only if the corresponding filter is enabled in the directory browser options. If not filtered out, they are listed in gray and can be included again with the directory browser context menu or by pressing Shift+Del.

 

Find duplicates in list

 

Filter for duplicates

 

Ability to filter for duplicates of a single selected file that are also currently listed in the directory browser, only if a hash value is available for the selected file and the other files. Actually filters for that hash value at that time, and thus does not depend on previous mass identification of duplicate files using the above-mentioned command "Find duplicates in list". In X-Ways Investigator the actual hash values are not displayed and cannot be computed, but they are imported from evidence file containers that come with hash values for files and can be used to identify duplicate files.

 

In search hit lists you may

1) permanently delete selected search hits,

2) permanently delete duplicate search hits. Search hits are considered duplicates if they either have identical physical offsets or, if they don't have physical offsets, if their logical offsets and the corresponding internal file IDs are the same. When in doubt, X-Ways Forensics will keep the longer search hit (as "Smithsonian" for example is more specific than "Smith") and favors search hits in existing files.

3) Resize: Allows to resize or reposition the selected search hits. If for example you are searching for a signature that identifies records in some kind of database, and you get many search hits for these signatures, but what you are really interested in is the record data that follows the signature, and you wish to export that data, then you could adjust the offsets and the lengths of the search hits in a suitable way. Also, instead of exporting more context around the search hits with the Export List command you could enlarge the search hits themselves prior to exporting them. The effect is visible immediately in the search hit preview in the search hit list (but not necessarily immediately in the highlighting in the lower half of the data window).

4) Another context menu command in search hit lists allows converting search hits to carved files. Useful if you wish to include your search hits as files in a report, add them to a report table, comment on them, print the contents, Recover/Copy them etc. Note that search hits that have both a physical and a logical offset will be carved at the sector level and will appear in the virtual directory for carved files. Search hits that only have a logical offset will be carved within the file in which they were found and will appear as a child object. Search hits in the decoded text of a file as well as search hits in directory browser columns cannot be carved and will be omitted.

5) Assign to other search term: Ability to categorize selected search hits by moving them over to other search terms, existing or new ones. If for example you get several relevant hits when running a search for the search term "invoice", and some hits are relevant in a different way than others, then you could assign them to other search terms like "Invoice ABC Ltd.", "Invoice XYZ Corp." etc. Those newly created search terms will appear in the search term list, but they function more like categories because they were not searched for literally themselves.
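The duplicate rule for search hits in item 2 and the carving rule in item 4 can be made precise in a few lines. The following is an added example, not X-Ways' own code or data model: it applies the stated rule (same physical offset, or, for hits without a physical offset, same logical offset in the same internal file ID), keeps the longer hit, and favors hits in existing files, then reports where "convert to carved file" would place each surviving hit. The `SearchHit` record and the sample hits are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SearchHit:
    """Constructed model of a search hit record (illustrative, not X-Ways' internal format)."""
    term: str                        # matched text
    physical_offset: Optional[int]   # offset on the disk/image, None if the hit has none
    logical_offset: int              # offset within the file the hit belongs to
    file_id: int                     # internal ID of that file
    file_exists: bool                # True for an existing file, False for a deleted one

    @property
    def length(self) -> int:
        return len(self.term)


def duplicate_key(hit: SearchHit) -> Tuple:
    """Hits with identical physical offsets are duplicates; hits without a physical
    offset are duplicates when logical offset and internal file ID both match."""
    if hit.physical_offset is not None:
        return ("physical", hit.physical_offset)
    return ("logical", hit.file_id, hit.logical_offset)


def prefer(a: SearchHit, b: SearchHit) -> SearchHit:
    """Keep the longer hit ("Smithsonian" over "Smith"); on equal length favor the
    hit in an existing file; otherwise keep the one seen first."""
    if a.length != b.length:
        return a if a.length > b.length else b
    if a.file_exists != b.file_exists:
        return a if a.file_exists else b
    return a


def delete_duplicate_hits(hits: List[SearchHit]) -> List[SearchHit]:
    """Return the hits with duplicates removed, preserving first-seen order."""
    kept: Dict[Tuple, SearchHit] = {}
    for h in hits:
        k = duplicate_key(h)
        kept[k] = prefer(kept[k], h) if k in kept else h
    return list(kept.values())


def carve_target(hit: SearchHit) -> str:
    """Where converting the hit to a carved file would place the result."""
    if hit.physical_offset is not None:
        return "sector-level carve in the virtual directory for carved files"
    return f"child object of file #{hit.file_id}"


# Constructed sample: offsets, IDs and existence flags are made up for the example.
SAMPLE_HITS = [
    SearchHit("Smith",       0x12340, 0x40,   7, True),
    SearchHit("Smithsonian", 0x12340, 0x40,   7, True),   # same sectors, longer match
    SearchHit("Smithsonian", 0x12340, 0x1040, 8, False),  # same sectors, seen through a deleted file
    SearchHit("invoice",     None,    0x200,  9, True),
    SearchHit("invoice",     None,    0x200,  9, True),   # found again by a repeated search
    SearchHit("invoice",     None,    0x200, 10, True),   # different file, so not a duplicate
]

if __name__ == "__main__":
    for h in delete_duplicate_hits(SAMPLE_HITS):
        print(f"{h.term!r:15} file #{h.file_id:<3} -> {carve_target(h)}")
```

Of the six constructed hits, three survive: "Smithsonian" in existing file 7 (it beats "Smith" on length and the deleted-file copy on existence), and one "invoice" hit each in files 9 and 10.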

 

Navigation

 

One command in this submenu allows to sort files by their estimated relevance (cf. metadata extraction). "Seek Int. ID" allows to conveniently seek the item with a given internal ID, no matter whether file or directory. If a filter prevents listing that item, all filters will be deactivated automatically. "Seek Item #" will jump to the item that has the specified position in the current listing. The position of any item in the list is shown when you hover the mouse cursor over the icon of a file or directory.

 

The Navigation group of commands also allows interaction with the currently selected file at a generally more technical level. It allows to directly locate the data structure in the file system that defines a file (e.g. FILE record in NTFS, inode in Ext2/Ext3/Ext4, directory entry in FAT).

 

The Navigation menu also allows to produce a list of all the clusters allocated to the selected file or directory. From the context menu of that list window, the cluster list can be exported to a text file. Optionally the list can be shortened and its creation greatly accelerated by omitting clusters in the middle of a fragment. Omissions are indicated by ellipses. This option takes effect only when you produce a cluster list the next time.
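To make the cluster list behaviour concrete, here is an added example (not X-Ways' own code) that groups a file's cluster numbers into fragments, renders the list one cluster per line, optionally omits the middle of each fragment with an ellipsis, and writes the result to a text file. The cluster numbers are constructed for the example, and the `keep` parameter (how many clusters to show at each end of a fragment) is an assumption of this example, not a documented setting.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Constructed cluster allocation of a fragmented file (not read from a real volume):
# three fragments, the first one twelve clusters long.
SAMPLE_CLUSTERS = list(range(100, 112)) + [400, 401] + list(range(900, 905))


def fragments(clusters: List[int]) -> List[Tuple[int, int]]:
    """Group consecutive cluster numbers into (first, last) runs, i.e. fragments."""
    runs: List[Tuple[int, int]] = []
    for c in clusters:
        if runs and c == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], c)
        else:
            runs.append((c, c))
    return runs


def cluster_list(clusters: List[int], keep: Optional[int] = 3) -> List[str]:
    """One line per cluster. With keep=N only the first and last N clusters of a
    fragment are listed and the clusters in between are replaced by an ellipsis
    (assumed rendering); keep=None lists every cluster."""
    lines: List[str] = []
    for first, last in fragments(clusters):
        n = last - first + 1
        if keep is None or n <= 2 * keep + 1:
            lines.extend(str(c) for c in range(first, last + 1))
        else:
            lines.extend(str(c) for c in range(first, first + keep))
            lines.append("...")
            lines.extend(str(c) for c in range(last - keep + 1, last + 1))
    return lines


def export_cluster_list(path: str, clusters: List[int], keep: Optional[int] = 3) -> int:
    """Write the (possibly shortened) list with a one-line summary; returns the line count."""
    body = cluster_list(clusters, keep)
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"# {len(clusters)} clusters in {len(fragments(clusters))} fragment(s)\n")
        f.write("\n".join(body) + "\n")
    return len(body) + 1


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "clusters.txt")
        n = export_cluster_list(out, SAMPLE_CLUSTERS, keep=3)
        print(f"{n} lines written:")
        print(open(out, encoding="utf-8").read())
```

With `keep=3` the twelve-cluster fragment shrinks to "100, 101, 102, ..., 109, 110, 111" while the two short fragments are listed in full, so the file still shows every fragment boundary, which is what you need to judge fragmentation or to locate a particular part of the file on disk.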

 

Find parent object: Navigates to and selects the parent object of the selected object. Equivalent to pressing the Backspace key. The child object can be an ordinary file in a directory, or an e-mail message in an e-mail archive or a file attachment in an e-mail message or a picture in a document or a file in a compressed archive etc.

 

Find related item: This command allows you to conveniently navigate to the related item if one exists for the selected file or directory. Alternatively, you can press Shift+Backspace.

 

See selected item in its directory: Will show you the selected file or directory among its siblings. Useful to quickly check out whether there are more notable files in the same directory or to better understand the function of the file when you see it in context.

See selected item from volume root: Will show you the selected file among all other files in the same volume, recursively explored from the root of the file system. Useful for example to see whether there are any files with the same name, the same ID (e.g. previous version from a volume shadow copy), same owner, same sender, or similar timestamps etc. in the same file system (just sort accordingly).

Both commands can also be used from within the case root window and from within search hit lists (so the previous "Go to file in directory browser" command becomes obsolete). Remember that you can click the Back button in the toolbar to conveniently return to the previous view.

 

Refine Volume Snapshot, Simultaneous Search, Run X-Tensions

 

These commands are known from the main menu. From the directory browser context menu they can be applied to the selected files.

 

Include in Hash Database

 

Creates a hash set of the currently selected files and directories and their subdirectories directly within the internal hash database, either with ordinary file hash values or with block hash values or PhotoDNA hash values. For ordinary hash values there is an option to create multiple hash sets in a single step, where the hash values of the selected files are put into hash sets that are named after each file's report table association(s). This is useful if you categorize notable files in one case using report tables (e.g. based on different types of CP), and wish to quickly identify the same files again in other cases later, and automatically see the category that you had originally assigned, as the hash set name.

 

The checkbox for that is labelled "Name after report table associations, if any". If a selected file does not have any report table association, its hash value will be assigned to the hash set named as you specify, just like if you do not check that checkbox.

 

This command can also be used to create a separate file with PhotoDNA hash values of the selected files or to just update file descriptions of files in the PhotoDNA hash database with the comments stored in the volume snapshot.
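The "Name after report table associations, if any" behaviour is easy to misread for files with several associations or none, so here is an added example (not X-Ways' own code or hash database format) that builds hash sets from a constructed selection and then looks a file up again, as one would in a later case. The file contents, names and report table names are constructed; SHA-256 stands in for whichever ordinary hash type is configured, and the dictionary of sets is an assumed stand-in for the internal hash database.

```python
import hashlib
from typing import Dict, List, Set

HashDatabase = Dict[str, Set[str]]   # hash set name -> hash values (assumed stand-in)


def file_hash(data: bytes) -> str:
    """Ordinary file hash value of a file's content (SHA-256 for this example)."""
    return hashlib.sha256(data).hexdigest()


# Constructed selection: "data" stands in for content read from the image,
# "tables" are the file's report table associations (zero, one or several).
SELECTED_FILES = [
    {"name": "invoice_abc.pdf", "data": b"invoice ABC Ltd.", "tables": ["Financial"]},
    {"name": "photo1.jpg",      "data": b"photo one",        "tables": ["Notable", "Photos"]},
    {"name": "readme.txt",      "data": b"readme",           "tables": []},
]


def include_in_hash_database(db: HashDatabase, files: List[Dict], set_name: str,
                             name_after_report_tables: bool) -> HashDatabase:
    """Add the selected files' hash values to the hash database.

    With name_after_report_tables=True a file's hash goes into one hash set per
    report table association, named after that table. A file without any
    association falls back to set_name, exactly as if the option were off."""
    for f in files:
        h = file_hash(f["data"])
        targets = f["tables"] if (name_after_report_tables and f["tables"]) else [set_name]
        for t in targets:
            db.setdefault(t, set()).add(h)
    return db


def matching_hash_sets(db: HashDatabase, data: bytes) -> List[str]:
    """In a later case: which hash sets, i.e. which original categories, contain this file?"""
    h = file_hash(data)
    return sorted(name for name, hashes in db.items() if h in hashes)


if __name__ == "__main__":
    db = include_in_hash_database({}, SELECTED_FILES, "Case 1 notable", True)
    for name, hashes in db.items():
        print(f"{name}: {len(hashes)} hash value(s)")
    print("photo1.jpg seen again ->", matching_hash_sets(db, b"photo one"))
    print("readme.txt seen again ->", matching_hash_sets(db, b"readme"))
```

With the option enabled, photo1.jpg lands in both "Notable" and "Photos" and is reported under both names when matched later, while readme.txt, which has no association, lands in the fallback set "Case 1 notable"; with the option disabled, all three hash values go into that one set.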

 

Attach External File/Dir.

 

Requires a forensic license. Ability to attach one or more external files or a directory including subdirectories to the volume snapshot and have them processed by X-Ways Forensics like regular files in the volume snapshot. Useful if you need to translate, convert, or decrypt original files and would like to reintegrate the result back in the original volume snapshot, in the original path, for further examination, reporting, filtering, searches etc. Such external files will be completely managed by X-Ways Forensics once attached, copied to the internal evidence object subdirectory of the case, and marked as virtual files.

 

You will be asked to classify the files that you are attaching as what they actually are, e.g. video stills produced outside of X-Ways Forensics, e-mails extracted from e-mail archives outside of X-Ways Forensics, OLE2 objects, attachments of various kinds (in particular of PDF documents), etc. etc. If properly classified as video stills, the attached pictures will be used as previews for the respective parent video file for example. The classification can be seen in the Description column.

 

When attaching a single external file and holding the Shift key, X-Ways Forensics proposes a new name for that file that is based on the name of the file that is selected, and the attached file will be added to the same directory. Otherwise the external filenames of the files will be used and they will become child objects of the selected object. It is still possible to rename virtual files in the volume snapshot later at any time.

 

When attaching an external directory to the volume snapshot, you are prompted whether the selected directory itself should also be attached or just its contents. Usually X-Ways Forensics creates virtual files in subdirectories in new virtual directories in the volume snapshot. There is, however, an option to accommodate the files in existing directories in the volume snapshot of the same name at the same position in the directory tree. Useful if you copy an entire directory structure off the image to convert/decrypt/translate/... files outside of X-Ways Forensics, and then want to bring the results back into the volume snapshot and see the edited files next to their original counterparts in the corresponding subdirectories. This can help for example if you wish to OCR and convert PDF documents that X-Ways Forensics has deemed non-searchable, using Adobe Acrobat.

 

X-Ways Forensics can optionally adopt the timestamps of attached files in the volume snapshot (creation, modification and/or access). You can make use of this if you are sure that the timestamps are original and not the result of any of your own file copy/decoding/decryption activity etc.

 

Rename

 

Allows you to rename virtual directories and virtual attached files in a volume snapshot, or if the Shift key is pressed even ordinary files. Although the latter is not exactly forensically sound when dealing with original evidence, this can prove helpful in special situations, for example if a filename or directory name is too long to copy a file out of an image etc. The original filename will be kept as the alternative filename. Note that this does not rename the file in the file system (nothing is altered on the disk or in the image!), only in the volume snapshot, i.e. the internal database in X-Ways Forensics about the file system. You also have the ability to set the alternative name of a file by holding the Shift key when renaming the file (hold it at the moment when clicking the OK button).

 

Specify type

 

Ability to specify the type of selected files yourself. Useful if you wish to identify types or subtypes in an individual way unknown to X-Ways Forensics, for example to be able to filter by these types later. For instance, how about categorizing TIFF pictures that are digitally stored faxes as type "fax"? Remember you can define your own file types in File Type Categories.txt.

 

Resize

 

Files found through a file header signature search and files that were carved within other files can be manually resized by the user.

 

Wipe securely

 

Files and directories that are selected in the directory browser can be securely wiped in WinHex (not X-Ways Forensics). The data in the logical portion of a file (i.e. excluding the file slack) and in clusters of a directory (e.g. containing INDX buffers in NTFS and directory entries in FAT) will be erased/overwritten with a hex value pattern of your choice. The existence status of the file in its file system will not be changed, i.e. it will not be marked as deleted, the clusters will not be released etc. No file system level metadata such as timestamps or attributes will be updated because no operating system file level write commands are used. No file system data structures are changed, and no filenames will be erased; only the contents of files will be overwritten. Files that are compressed in archives or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be erased. Previously existing files whose clusters are known to have been reused will not be erased. Note that by erasing deleted files you might erase data in clusters that belong to other files, so only select existing files if you want to avoid that (assuming consistent file systems). Also note that by erasing carved files you may erase too much or not enough data, depending on the detected file size and on whether the file was originally fragmented. And please note that wiping directories, i.e. erasing the data in the clusters allocated to a directory, will cause existing files in that directory to become orphaned. More typically users only wipe the contents of files with this function, not the contents (data) of directories, if they still wish to use the file system.

 

Useful for example if copies of images are forwarded to investigators/examiners/other parties involved in a case who are not allowed to see the contents of certain files. Useful also if you have to return computer media on which child pornography has been found to the owner after clearing these files. Also useful if you are preparing images for training purposes that you would like to publish and if you would like to retroactively erase the contents of copyrighted files (e.g. operating system or application program files).

 

Both successfully erased files and files that could not be successfully erased will be added to separate report tables (when working with a case, with a forensic license only) by which you can filter to verify the result.

 

Mark hit as notable

 

In a search hit list, marks selected hits with a yellow flag and includes them in the list of notable search hits. You may also press the space bar to mark a hit as notable or remove that mark. Holding the Shift key when invoking the menu command removes the "notable" flag from all selected search hits.

 

Include in report

 

In a search hit list, marks selected search hits for inclusion in the case report, with the green grid icon.