General Options

WinHex & X-Ways

1st column:

 

• Under Windows Vista and later it is advisable to always run WinHex/X-Ways Forensics as administrator if you need sector-level access to media, since opening physical disks and volumes directly requires elevated privileges. Windows can remember this per executable in the registry hive HKEY_CURRENT_USER under \Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, but such an entry has no effect on installations on removable media, as it is keyed by the full path of the executable and therefore does not follow a program that moves between machines or drive letters.

• The option Allow multiple program instances allows you to run WinHex more than once on a single computer at the same time. If not checked, WinHex brings the main window of the already running instance to the foreground instead of creating a new program instance. By default, this option is half selected, which means that when you execute the .exe file again you are asked whether to start a new instance or not. At that point you may also try to recover a previous instance that is caught in an infinite loop. For example, should X-Ways Forensics get stuck while processing a certain file during volume snapshot refinement, this can potentially help the already running instance break out of that loop and proceed with the next file. The second instance also shows some technical information about what the already running instance is doing at the moment, and can do so without recovering the supposedly hanging instance. Terminating the previous instance is another option, but should be avoided, as unsaved data may be lost.

• At startup, WinHex can optionally show the Start Center or restore the last window arrangement (all windows with the sizes and positions they had at the end of the previous WinHex session).

• By default, edit windows are not opened in a maximized state.

         

• Specify the number of recently opened documents to remember and to list in the Start Center (255 at max.). Up to 9 of them are also listed at the end of the File menu.

         

• Do not update file time means that WinHex preserves the last modification time of a file when it is saved with File | Save or Save As. The file's contents then change while its timestamp does not; that is convenient when patching a file in place, but it also hides the edit from anyone who relies on modification times, so use it deliberately.

• More context menus: If fully checked, or if the Shift key is held while right-clicking a directory in the Case Data window, a context menu appears that allows you to

- explore the right-clicked directory recursively (just like when no context menu is shown),

- tag the directory recursively (just like pressing the Space bar),

- expand the directory recursively (just like pressing the multiply key on the numeric keypad),

- collapse all,

- export a subtree into an ASCII text file, or

- copy the full path of that directory to the clipboard.

If at least half checked, or if the Shift key is held while right-clicking the hex editor display, a suitable context menu appears there as well.

• You may have WinHex appear in the context menu of the Windows shell, which is displayed when the user right-clicks an object. WinHex provides menu items for files, folders and disks. If this option is only half selected, there is no menu item for files.

• A 3-state check box can optionally prevent Windows screensavers from starting (and thereby possibly requiring the current user's password to be re-entered), either only during operations that show a progress indicator window (if half checked) or generally while the program is running (if fully checked). This has an effect no matter whether the main window is visible or the program is running in the background. Useful, for example, when acquiring a live system of which you don't want to lose control during imaging, or if you wish to keep an eye on the progress indicator on your own machine from another corner of your office. Keep in mind that a machine whose screen lock is suppressed stays accessible to anyone who walks up to it for as long as the operation runs.

• Save program settings in .cfg file: If half checked, the settings are saved whenever the program terminates cleanly. If fully checked, they are saved every time you click OK in any dialog window (useful if the program does not always terminate cleanly, so that you do not lose your latest settings). If unchecked, the program settings are not saved at all, except when you hold the Shift key while exiting the program; this is necessary once if you want the .cfg file to record that, from then on, settings are not to be saved.

• By default WinHex numbers disk partitions in the order of their physical location.

 

• If Auto-detect deleted partitions is enabled, WinHex tries to identify obvious deleted partitions automatically when opening physical hard disks, in gaps between existing partitions and in unpartitioned space directly following the last partition. Such additionally detected partitions are listed in the Access button menu and marked as deleted. Please note that deleted partitions detected in gaps between existing partitions change the partition numbering: an existing partition #3 might become partition #4 if a deleted partition is detected on the disk before it, so it is safer to refer to partitions by their start sector than by their number in your notes.

• The Sector reading cache accelerates sequential disk access by the disk editor. This option is recommended particularly when scrolling through CD-ROM and floppy disk sectors, since the number of necessary physical accesses is significantly reduced.

 

• If Check for surplus sectors is disabled, WinHex will not search for surplus sectors (sectors at the end of the disk beyond the capacity that Windows reports) when a physical hard disk is opened. When additional sectors are detected, WinHex remembers them for the next time you open the disk. You may force a new check by holding the Shift key while opening the disk. Checking for surplus sectors may cause very long delays, strange behavior or even damage to the Windows installation on a very few systems.

• The alternative access method 1 for physical hard disks may allow access to hard disks formatted with an unconventional sector size or to other media that cannot be accessed otherwise. Note that it may be slower than the regular access method. If it is considerably slower, WinHex notifies you of this and recommends reverting to the standard access method. Access method 2 affects physical hard disks only as well. Both methods allow you to specify a timeout in milliseconds after which read attempts are aborted. This can be useful on disks with bad sectors, where an attempted read access to a single sector could otherwise cause a delay of many seconds or minutes.

• Another option is to always request user input for raw images to confirm the kind of image (volume or disk), the sector size to assume and the path of any additional image file segments. This is exactly what happens if you hold the Shift key while invoking image interpretation or while adding the image to a case. It is usually not necessary if the image was created by X-Ways Forensics itself, but some removable media (USB sticks and memory cards) may have been used and formatted both as a volume and as a partitioned medium at different times. In such a situation, interpretation as a volume and as a partitioned medium may reveal different file systems that overlap each other.
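
The two behaviours described above, the volume-versus-disk decision for a raw image and the search for deleted partitions in the gaps of a partition table, are easy to reason about with a small model. The following Python is an added example written for this page, not code from X-Ways: it implements a simplified MBR/VBR recognizer over a disk image constructed in memory (the function names, the signature checks and the sample layout are this example's own assumptions, and the real detection is far more thorough) and then numbers partitions by physical position the way the text describes.

```python
"""Added example, not X-Ways code: classify a raw image as partitioned medium or
bare volume (the choice the option above lets you confirm by hand) and scan the
gaps of its MBR partition table for orphaned boot sectors, the idea behind
'Auto-detect deleted partitions'. All data is constructed in memory."""
import struct

SECTOR = 512

def looks_like_vbr(sector: bytes):
    """'NTFS'/'FAT32'/'FAT16'/'FAT12' if the sector resembles a volume boot record
    (0x55AA signature plus the type string those file systems write), else None."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[82:90] == b"FAT32   ":
        return "FAT32"
    if sector[54:62] in (b"FAT16   ", b"FAT12   "):
        return sector[54:59].decode("ascii")
    return None

def parse_mbr(sector: bytes, total_sectors: int):
    """(type, start_lba, count) for MBR entries that are in use and fit on the medium."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] and count and 1 <= start and start + count <= total_sectors:
            parts.append((entry[4], start, count))
    return parts

def interpret_raw_image(img: bytes, sector_size: int = SECTOR):
    """'disk' (partition table in sector 0), 'volume' (boot record in sector 0),
    'ambiguous' (evidence of both, e.g. a stick formatted both ways over time), 'unknown'."""
    total = len(img) // sector_size
    fs, parts = looks_like_vbr(img[:sector_size]), parse_mbr(img[:sector_size], total)
    kind = "ambiguous" if fs and parts else "volume" if fs else "disk" if parts else "unknown"
    return {"kind": kind, "fs": fs, "partitions": parts}

def find_deleted_partitions(img: bytes, parts, sector_size: int = SECTOR):
    """[(lba, fs)] for boot records found in the gaps between the listed partitions
    and in the unpartitioned space after the last one. Sector 0 (the MBR) is skipped."""
    total, gaps, cursor = len(img) // sector_size, [], 1
    for _, start, count in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total:
        gaps.append((cursor, total))
    hits = []
    for lo, hi in gaps:
        for lba in range(lo, hi):
            fs = looks_like_vbr(img[lba * sector_size:(lba + 1) * sector_size])
            if fs:
                hits.append((lba, fs))
    return hits

def number_partitions(parts, deleted):
    """Number live and detected partitions by physical position, as the text
    describes: a deleted partition found before a live one shifts its number."""
    rows = [(start, "live", hex(ptype)) for ptype, start, _ in parts]
    rows += [(lba, "deleted", fs) for lba, fs in deleted]
    return [(n, *row) for n, row in enumerate(sorted(rows), start=1)]

# --- constructed sample data, not from any real medium --------------------------
def make_vbr(fs: str) -> bytes:
    """Minimal boot sector carrying just the strings looks_like_vbr checks."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    if fs == "NTFS":
        s[3:11] = b"NTFS    "
    elif fs == "FAT32":
        s[3:11], s[82:90] = b"MSWIN4.1", b"FAT32   "
    else:
        s[3:11], s[54:62] = b"MSDOS5.0", fs.encode("ascii").ljust(8)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def make_mbr(entries) -> bytes:
    """MBR with the given (type, start_lba, count) entries; CHS fields left zero."""
    s = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", s, 446 + 16 * i, 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def build_disk_image() -> bytes:
    """8192-sector disk: live NTFS partition at LBA 2048 (2048 sectors), plus a
    FAT32 boot sector left at LBA 100 and an NTFS one at LBA 6000."""
    img = bytearray(8192 * SECTOR)
    img[0:SECTOR] = make_mbr([(0x07, 2048, 2048)])
    for lba, fs in ((2048, "NTFS"), (100, "FAT32"), (6000, "NTFS")):
        img[lba * SECTOR:(lba + 1) * SECTOR] = make_vbr(fs)
    return bytes(img)
```

Running `number_partitions` over `build_disk_image()` shows the FAT32 boot sector at LBA 100 becoming partition #1 and pushing the live NTFS partition to #2, which is exactly the renumbering the text warns about. `interpret_raw_image` reports "ambiguous" when sector 0 carries both a plausible partition table and a volume boot record, the situation in which confirming the image kind by hand is worthwhile.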

 

• The surrogate pattern for unreadable sectors (the data written to an image in place of sectors that could not be read) is described in its own help topic.

2nd column:

 

• Specify the folder in which to create temporary files. By default that is the directory indicated by the TEMP variable of your Windows system. Instead of an absolute path you may also specify a dot (.) as a placeholder for the directory from which WinHex/X-Ways Forensics is executed, or .. for the parent of that directory, or a partial path relative to either of them (e.g. .\temp or ..\temp). This concept applies to the following folders as well.

• Specify the folder in which to create and expect images and backup files (.whx).

 

• Specify the folder in which cases and projects are created and expected.

 

• Specify the folder in which templates and scripts are stored.

 

• Specify the folders in which to maintain the internal hash databases and the PhotoDNA hash database. The hash database of block hash values, if used at all, is stored in a directory at the same level as the first internal hash database, with the same base name plus " [block hash values]" appended.

 

In all of these standard paths you may use system and user environment variables; the variable name has to be enclosed in percent signs, e.g. %TEMP%.

• X-Ways Investigator [CTR]/X-Ways Imager GUI: Available when operated with a forensic license. Allows you to activate the considerably reduced user interface of X-Ways Investigator [CTR], which is meant for investigators

- who are specialized in a certain area, e.g. white-collar crime,

- who do not need profound knowledge of computer forensics,

- who do not need the technical insights that WinHex and XWF are well known to offer,

- who receive e.g. convenient-to-handle X-Ways evidence file containers from well-versed computer forensics examiners, with only selected files from various sources (e.g. "all documents that contain the keywords x and y") and with obviously irrelevant material already filtered out,

- who need to review hundreds of electronic documents, identify relevant ones, add comments to them, identify logical structures and connections between them with the help of their comments, and print documents, all within the same environment with a few mouse clicks, which saves the time to extract and load each document in its associated application,

- who may or may not need to work in an environment severely restricted by the system administrator anyway.

The X-Ways Investigator interface lacks many advanced technical options, to make it easier for non-technical personnel to use. X-Ways Investigator licenses that only allow this GUI are available at 50% of the regular rate on request. An optional file "investigator.ini" controls additional simplifications and administrative security precautions, e.g. to allow users to open evidence file containers only, and only such containers that have been classified as secure.

 

• You may also select one of several different dialog window and button styles.

 

• In the "Sleep(0) Frequency" child dialog window, opened by pressing Shift+Ctrl+F5, you may specify how cooperative X-Ways Forensics behaves during long operations (e.g. hashing, searching) when competing with other processes for CPU time. 0 is the default setting (not especially cooperative). You could try values like 10, 25, 50, or 100 (maximum willingness to share CPU time), e.g. if X-Ways Forensics is executed simultaneously by different users on the same server, for a fairer distribution of CPU time.

• If you select Show file icons, the icons stored in a file are shown in the info pane. If a file contains no icons, the icon of the file type is shown if this option is "fully" selected. Only for files opened with the File | Open menu command.

 

• With a forensic license, you may monitor lengthy operations from other computers in the same network, i.e. see whether they are still ongoing or completed. You can enable progress notifications via text files (which can be created in a directory on a network drive) and via e-mail, in user-defined intervals. Multiple recipient e-mail addresses can be specified as well if delimited by commas. The correct SMTP port is often 25, sometimes 587 (the mail submission port, which usually expects STARTTLS and authentication). The correct settings are provided by your administrator or Internet provider. Keep in mind that these notifications reveal what the program is working on and when, so direct them only to mailboxes and shares that are appropriate for case-related information.

3rd column:

 

• The ENTER key can be used to enter up to four two-digit hex values. A useful example is 0x0D0A, which is interpreted as an end-of-line marker in the Windows world (Unix: 0x0A). The Start Center can then still be opened using SHIFT+ENTER.

• Decide whether you want to use the TAB key to switch from text to hexadecimal mode and vice versa or to enter the TAB character (0x09). In either case, Shift+Tab can be pressed to switch the current mode.

• Non-printable characters with a character set value smaller than 0x20 can be represented by a user-defined other character.

 

• The bytes in the display can be represented as characters in the text column one by one, or WinHex can try to combine them. If the active code page in Windows is a double-byte character set, combining may be desirable to get the characters right (2 bytes = 1 character) or undesirable because the row length then varies. This has an effect only if View | Character Set | * ASCII is selected, as only then does the code page active in Windows make a difference for the display.

• Offsets can be presented and prompted for in a decimal or hexadecimal notation. This setting is valid for the entire program.

 

• When using the memory editor, it may be useful to have WinHex display logical memory addresses for processes instead of zero-based, linear, contiguously counted offsets. This is always done in hexadecimal notation. The dialog window of the Goto Offset command will also prompt for logical addresses.

 

• Page and sector separators may be displayed. If this option is enabled partially, only sector separators are displayed.

 

• Specify the number of bytes per line in an edit window. Common values are 16 or 32 (depending on the screen resolution).

 

• Decide how many bytes shall be displayed in a group. Powers of 2 serve best for most purposes.

 

• There is an option to define the size of the extra gap between rows in the hex editor display in pixels, which together with the official height of the selected font defines the distance between the rows. The default value was always 3 before v17.2; since then it can be decreased, to display more rows at the same time and see more data. For example, with the Courier font the display still looks fine with an extra gap of 1, but you see 15% more data (based on font size 10). Even negative values are possible; with -1 you may see 35% more data than before.

• Search hit highlighting in File mode: Option to have all search hits in a file highlighted in File mode at the same time, either only while a search hit list is displayed (if half checked) or permanently once search hits have been loaded for an evidence object, i.e. even when working with the normal directory browser (if fully checked). Search hits are loaded after an evidence object has been opened, as soon as search hits are listed. This feature also applies to user search hits. Requires a forensic license.

• NTFS: MFT auto coloring: Highlights the various elements of FILE records of the NTFS file system when the cursor is located within such a record, to facilitate navigation and understanding. Requires a specialist or forensic license. Automatic highlighting of aligned FILETIME values in Disk/Partition/Volume and File mode is available as well. That is useful when manually inspecting files of various Microsoft formats which may contain more timestamps than are extracted automatically (try e.g. index.dat, registry hives, .lnk shortcut files etc.). If the lower half of a data window has the focus and FILETIME values are highlighted, you may also hover the mouse cursor over such a value to get a human-readable interpretation of the timestamp. Alternatively, of course, you can get it from the data interpreter by clicking the first byte of the value. If auto-coloring for FILE records etc. is fully checked, FILETIME structures are highlighted even if they are not aligned at 4-byte boundaries. Keep in mind that this highlighting is heuristic: any 8 bytes whose value falls into a plausible date range look like a FILETIME, so treat a highlighted value as a candidate until the surrounding structure confirms it.
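
To make the highlighting rule concrete, here is an added Python example written for this page (not X-Ways code) that scans a constructed buffer for little-endian 64-bit values inside a plausibility window and renders the hits with a selectable number of fractional digits. The window of 1980 to 2040, the function names and the sample record are this example's own assumptions; the aligned mode inspects 4-byte boundaries only, the non-aligned mode every offset.

```python
"""Added example, not X-Ways code: find plausible FILETIME values in a byte
buffer (the idea behind the FILETIME auto-highlighting described above) and
render them with a chosen number of fractional digits. The record scanned
here is constructed; only its layout loosely resembles a .lnk header."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
TICKS_PER_SECOND = 10_000_000                        # one tick = 100 ns


def to_filetime(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Whole seconds since 1601-01-01 UTC times 10^7, plus extra 100-ns ticks."""
    seconds = (dt.astimezone(timezone.utc) - EPOCH) // timedelta(seconds=1)
    return seconds * TICKS_PER_SECOND + sub_second_ticks


def format_filetime(ft: int, digits: int = 3) -> str:
    """UTC 'YYYY-MM-DD HH:MM:SS' plus 0..7 fractional digits (3 = milliseconds)."""
    seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    text = (EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")
    if digits:
        text += "." + f"{ticks:07d}"[:digits]
    return text


# Plausibility window (this example's choice): values outside it are ordinary data.
LOW = to_filetime(datetime(1980, 1, 1, tzinfo=timezone.utc))
HIGH = to_filetime(datetime(2040, 1, 1, tzinfo=timezone.utc))


def scan_filetimes(buf: bytes, aligned: bool = True):
    """Return [(offset, value)] for little-endian 64-bit integers inside the
    window. aligned=True inspects 4-byte boundaries only; aligned=False tries
    every offset, like the fully checked option mentioned in the text."""
    step = 4 if aligned else 1
    hits = []
    for off in range(0, len(buf) - 7, step):
        value = struct.unpack_from("<Q", buf, off)[0]
        if LOW <= value < HIGH:
            hits.append((off, value))
    return hits


# --- constructed sample record ---------------------------------------------------
FT_A = to_filetime(datetime(2014, 4, 2, 9, 30, 15, tzinfo=timezone.utc), 1234567)
FT_B = to_filetime(datetime(2000, 1, 1, tzinfo=timezone.utc))
SAMPLE = (b"\x4c\x00\x00\x00"          # 4-byte header, as in a .lnk HeaderSize
          + struct.pack("<Q", FT_A)    # FILETIME at offset 4 (4-byte aligned)
          + b"\xff" * 9                # filler that pushes the next value off alignment
          + struct.pack("<Q", FT_B)    # FILETIME at offset 21 (not aligned)
          + b"\xff" * 7)


if __name__ == "__main__":
    for aligned in (True, False):
        for off, ft in scan_filetimes(SAMPLE, aligned):
            print(f"aligned={aligned} offset=0x{off:02X} {format_filetime(ft, 7)}")
```

Offsets 0x04 and 0x15 hold the two planted timestamps; the aligned scan reports only the first, the non-aligned scan both. The window is deliberately narrow: widening it raises the number of ordinary 8-byte values that happen to look like dates, which is the false-positive side of the heuristic.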

 

• Highlight free space/slack space: Displays offsets and data in softer colors (light blue and gray, respectively). Helps to easily identify these special drive areas. Works on FAT, NTFS, and Ext2/Ext3 partitions. Requires a specialist license at least.

 

• Select a color used as the background of the current block. You can only change the color if the option "Use Windows default colors" is switched off.

 

• Select a color used as the background of every other fixed-length record, if record presentation is enabled.

 

• Select the default color for newly created annotations/positions/bookmarks.

 

• You may want WinHex to highlight modified bytes, i.e. display altered parts of a file, disk, or memory in a different color, so you can distinguish between original data and changes you have made so far. You may select the highlight color.

• Select the color for slack space and uninitialized space.

 

• You may choose a font for the hex editor display, and decide whether the standard Windows GUI font should be used for the other parts of the WinHex/X-Ways Forensics GUI (via an additional checkbox).

 

--

 

Notation Options

 

• Choose your preferred date, time, and number notation settings. This is important especially to be independent of the Windows regional settings of a live system that you preview when running X-Ways Forensics on a computer that is not your own. You may also choose to display years in dates with 2 digits only.

• There is an option to output dates in the directory browser and in some other parts of the user interface in a nicer, longer and more locale-specific notation, which can include the weekday and the name of the month in your language or in English. That format is also Unicode-capable, which allows for example for original Chinese notation of dates. Please see http://msdn.microsoft.com/en-us/library/dd317787%28v=vs.85%29.aspx for a complete explanation of the notation that is possible.

Examples of how to represent the month (in English): MMMM = April, MMM = Apr, MM = 04, M = 4.

Example of a complete format: d/MMM/yyyy (ddd) = 2/Apr/2014 (Wed)
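
As an added example (not part of the original page), the following Python renders the day, month, year and weekday fields of a Windows-style date picture together with quoted literals, so the notation above can be tried on arbitrary dates. It is a reimplementation for illustration, not a call into the Windows API: only the d/M/y fields and single-quoted literals are handled, names come from Python's calendar module (English unless the locale is changed), and the era field of the full notation is left out.

```python
"""Added example, not X-Ways code: render a date with a Windows-style format
picture (the notation the linked page documents for GetDateFormatEx). Only the
d/M/y fields and quoted literals are implemented; names come from Python's
calendar module, i.e. English under the default locale."""
import calendar
from datetime import date


def render_field(d: date, letter: str, count: int) -> str:
    """One picture field: d dd ddd dddd, M MM MMM MMMM, y yy yyyy."""
    if letter == "d":
        if count == 1:
            return str(d.day)
        if count == 2:
            return f"{d.day:02d}"
        if count == 3:
            return calendar.day_abbr[d.weekday()]
        return calendar.day_name[d.weekday()]
    if letter == "M":
        if count == 1:
            return str(d.month)
        if count == 2:
            return f"{d.month:02d}"
        if count == 3:
            return calendar.month_abbr[d.month]
        return calendar.month_name[d.month]
    if count == 1:                       # y: last digit only
        return str(d.year % 10)
    if count == 2:                       # yy: last two digits, zero padded
        return f"{d.year % 100:02d}"
    return str(d.year)                   # yyyy (and longer): full year


def format_picture(d: date, picture: str) -> str:
    """Expand a picture such as "d/MMM/yyyy (ddd)". Text in single quotes is
    copied literally, and two single quotes stand for one apostrophe."""
    out, i, n = [], 0, len(picture)
    while i < n:
        ch = picture[i]
        if ch == "'":
            i += 1
            if i < n and picture[i] == "'":          # '' outside a literal
                out.append("'")
                i += 1
                continue
            while i < n:                              # inside a literal
                if picture[i] == "'":
                    i += 1
                    if i < n and picture[i] == "'":   # '' inside a literal
                        out.append("'")
                        i += 1
                        continue
                    break                             # closing quote consumed
                out.append(picture[i])
                i += 1
        elif ch in "dMy":
            j = i
            while j < n and picture[j] == ch:         # run length selects the variant
                j += 1
            out.append(render_field(d, ch, j - i))
            i = j
        else:                                         # any other character is a separator
            out.append(ch)
            i += 1
    return "".join(out)
```

`format_picture(date(2014, 4, 2), "d/MMM/yyyy (ddd)")` reproduces the page's example; swapping the picture for "dddd, MMMM dd, yyyy" gives the long form with the full weekday and month names.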

 

• There is an option to display timestamps with a precision of milliseconds. You may specify the number of digits after the decimal point (up to 3). Useful for the file systems NTFS, Reiser4 and FAT, which provide for a higher precision than seconds in all or some timestamps.

 

• Optionally, the actually used time zone conversion bias, including daylight saving where appropriate, can be displayed right in the timestamp columns in the directory browser.

 

• File sizes can optionally always be displayed in bytes instead of rounded. If the checkbox is half checked, that applies to items in volumes only, otherwise also items on physical, partitioned media.

 

• SHA-1 and TTH192 hashes can optionally be displayed in Base32 notation in the directory browser, as is common in P2P programs (for example in magnet links).
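
Added example, not X-Ways code: converting a SHA-1 between the hexadecimal form a forensic tool normally shows and the Base32 form P2P software uses, so a hash quoted in a magnet link can be matched against the directory browser. The function names are this example's own. The padding handling is the detail worth knowing for TTH192: 24 bytes do not fill a whole Base32 block, and P2P software drops the trailing "=".

```python
"""Added example, not X-Ways code: convert a SHA-1 between the hexadecimal form a
forensic tool normally shows and the Base32 form P2P software uses (e.g. in
'urn:sha1:' magnet links), so hashes from the two worlds can be matched."""
import base64
import hashlib


def sha1_base32(data: bytes) -> str:
    """SHA-1 of the data in Base32. 20 bytes fill exactly 32 characters, so no
    '=' padding appears."""
    return base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def hex_to_base32(hex_digest: str) -> str:
    """Hex digest (any length) to the unpadded Base32 that P2P programs display."""
    return base64.b32encode(bytes.fromhex(hex_digest)).decode("ascii").rstrip("=")


def base32_to_hex(b32: str) -> str:
    """Unpadded Base32 back to lowercase hex. Padding is restored before decoding,
    which matters for 192-bit TTH values (39 characters, one '=' dropped)."""
    b32 = b32.strip().upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32).hex()


def magnet_sha1(data: bytes) -> str:
    """A minimal magnet link carrying the SHA-1 of the data."""
    return "magnet:?xt=urn:sha1:" + sha1_base32(data)
```

For an empty file, `sha1_base32(b"")` yields the well-known 3I42H3S6NNFQ2MSVX7XZKYAYSCX5QBYJ, the Base32 form of da39a3ee5e6b4b0d3255bfef95601890afd80709.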

 

Factory settings of all options can be restored using the Initialize command of the Help menu.