Columns & Filters

WinHex & X-Ways

Directory Browser Columns & Filters

 

Most filters and many columns are available with higher license types only, marked with e.g. [FOR].

 

Name: Name of the listed file or directory and (only with a forensic license, only for directories and files with child objects) optionally, in parentheses and in a different color, the total number of contained files in the volume snapshot. Allows filtering based on one or multiple filename masks, one per line. This filter is useful if you have a list of relevant filenames or keywords and want to find out quickly whether files with such names are present.

 

There are two different ways to use the Name filter. The first is to match certain expressions against the full name. The expressions may contain asterisks (wildcards), like "*.jpg". Up to two asterisks are allowed per mask, and only at the beginning and/or the end of it. You may exclude files using file masks that start with a colon (:). Example: all files with names that start with the letter "A" but do not contain the word "garden": "A*" in one line and ":*garden*" in another. When multiple positive file mask expressions are used, they are combined with a logical OR; negative expressions (:) are combined with a logical AND.

 

If the "Substring search in filename" option is active, none of the rules above apply. Instead, a search is run within the filenames for the specified characters or, optionally, GREP expressions. For example, just type "invoice" to find files whose filename contains the word invoice, not "*invoice*". For an explanation of GREP notation please see Search Options. The anchor $ does not work in this context.

 

The amount of text that can be pasted into the Name filter has been extended to 2 million characters. That does not mean that X-Ways Forensics can efficiently use a filter with many tens of thousands of characters or more. When in doubt, use the "Match against full name" option, not the substring search, for better performance.

 

If an original name is found for a file in the Windows recycle bin or in an iPhone backup or certain other files during metadata extraction, that name is displayed in the Name column, followed by the current unique name in square brackets. The current unique name is also shown in square brackets in the case report. Both names are targeted by the Name filter.
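The two Name filter modes described above (full-name masks with OR-ed positives and AND-ed colon exclusions, versus substring/GREP search) and the "original name [current unique name]" display convention, as an added example that is not X-Ways code. It assumes case-insensitive matching (as for Windows filenames) and that a filter consisting only of exclusions passes every non-excluded name; the sample names are constructed.

```python
import re
from typing import Callable, List

Predicate = Callable[[str], bool]


def _mask_to_predicate(mask: str) -> Predicate:
    """Compile one "match against full name" mask such as "*.jpg", "A*",
    "*garden*" or "readme.txt". Asterisks are accepted only at the beginning
    and/or the end of the mask. Matching is case-insensitive (assumption)."""
    lead = mask.startswith("*")
    trail = mask.endswith("*") and len(mask) > 1
    start = 1 if lead else 0
    stop = len(mask) - 1 if trail else len(mask)
    core = mask[start:stop].lower()
    if "*" in core:
        raise ValueError(f"asterisk only allowed at the beginning/end of a mask: {mask!r}")
    if lead and trail:
        return lambda name: core in name.lower()
    if lead:
        return lambda name: name.lower().endswith(core)
    if trail:
        return lambda name: name.lower().startswith(core)
    return lambda name: name.lower() == core


def compile_name_filter(filter_text: str, substring_search: bool = False,
                        grep: bool = False) -> Predicate:
    """Build a predicate for the Name filter from one expression per line.

    Default mode ("Match against full name"): positive masks are OR-ed, masks
    starting with ':' are exclusions and are AND-ed (all must be absent).
    Substring mode: every line is a literal substring or, with grep=True, a
    GREP (regular) expression searched anywhere in the name; a name matches if
    any line matches, and the mask/colon rules do not apply.
    """
    lines = [ln.strip() for ln in filter_text.splitlines() if ln.strip()]
    if substring_search:
        if grep:
            patterns = [re.compile(ln, re.IGNORECASE) for ln in lines]
            return lambda name: any(p.search(name) for p in patterns)
        needles = [ln.lower() for ln in lines]
        return lambda name: any(n in name.lower() for n in needles)

    positives = [_mask_to_predicate(ln) for ln in lines if not ln.startswith(":")]
    negatives = [_mask_to_predicate(ln[1:]) for ln in lines if ln.startswith(":")]

    def matches(name: str) -> bool:
        # Only exclusions given: every non-excluded name passes (assumption).
        if positives and not any(p(name) for p in positives):
            return False
        return not any(n(name) for n in negatives)

    return matches


_ORIGINAL_AND_CURRENT = re.compile(r"^(.*) \[(.*)\]$")


def display_names(column_text: str) -> List[str]:
    """Split "original name [current unique name]" (recycle bin, iPhone backup)
    into both names; a plain name comes back as a single-element list."""
    m = _ORIGINAL_AND_CURRENT.match(column_text)
    return [m.group(1), m.group(2)] if m else [column_text]


def display_name_matches(pred: Predicate, column_text: str) -> bool:
    """Both names shown in the column are targeted by the Name filter."""
    return any(pred(n) for n in display_names(column_text))


def apply_name_filter(pred: Predicate, column_texts: List[str]) -> List[str]:
    return [t for t in column_texts if display_name_matches(pred, t)]


# Constructed sample of Name column contents (not from a real case).
SAMPLE_NAMES = [
    "Annual report.docx",
    "Apple garden.jpg",
    "photo.JPG",
    "Invoice_2023.pdf",
    "notes.txt",
    "Avocado.docx [$R3XK2Q.docx]",   # recycle bin: original name [current name]
]

if __name__ == "__main__":
    print(apply_name_filter(compile_name_filter("A*\n:*garden*"), SAMPLE_NAMES))
    print(apply_name_filter(compile_name_filter("invoice", substring_search=True), SAMPLE_NAMES))
```

The recycle-bin entry is matched either through its original name ("A*") or through its current unique name ("$R*"), which is the behaviour the page describes for the Name filter.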

 

The header of the Name column allows to quickly tag or untag all listed items with a single mouse click. It also indicates whether among the listed items are any tagged or untagged items.

 

Existent: Shows whether a file is an existing file (or a child object of an existing file) or not, "existing" being judged relative to its point of reference, e.g. the file system. Shown either with a check mark, a mathematical symbol or in natural language, depending on the Notation options. A third state is "virtual". To filter for the existence status, please use the Description filter. Remember that you can group files by existence status using the directory browser options, or you can sort by this column.

 

Description: Textual description of the item. Reveals similar properties as the icon in the Name column, such as whether the item is a file, directory, extracted e-mail, video still etc., the existence/deletion/virtual/carved status, and the status in the volume snapshot (e.g. tagged, already viewed). What text is included in the column can be customized in the Notation options (via General Options). Because the settings of the Description column are part of the Notation options, you can have two different settings: one generally for the directory browser and another specifically for the Export List command. This is useful because in the exported list no icon helps you to tell certain object types and their deletion status apart, unlike in the directory browser.

 

This column also allows filtering or sorting by the properties covered, which makes the Description filter one of the most important filters. For example, you can filter out:

• existing files (useful if you are merely interested in previously existing files [which could reside in existing directories])

• previously existing files and directories.

• tagged files and directories.

• half tagged files and directories (that contain at least 1 tagged and at least 1 untagged file).

• untagged files and directories.

• files that are marked as already viewed.

• files that are not marked as already viewed.

• excluded files and directories (marked as excluded in the volume snapshot).

• files and directories that are not excluded.

There is a shortcut to get to the filter dialog very quickly: right-click the caption line of the directory browser. This works even if the Description column is not visible. (You may not need the Description column in the directory browser if you rely on the icon to tell apart different kinds of items.) The funnel symbol that represents the filter of the Description column has four possible colors:

• Gray when inactive, as usual.

• Gray with a very slight tendency to blue, almost indistinguishable from gray, when the filter is theoretically on but would only filter out excluded files, and no excluded files are actually being filtered out currently.

• Blue-gray when only excluded files are filtered out by the filter, and such files have actually been filtered out.

• Ordinary blue, to attract attention, if the Description filter is active and does not only focus on excluded files, but filters out files based on other properties.

This subdued color scheme was introduced because many users consider it rather "normal" that excluded files are filtered out (they exclude them for the very purpose of not seeing them any more), so they may prefer not to be reminded of that by a glaring blue color.

 

The filter for still images from videos has a special option that also lists the corresponding video, directly preceding its stills. That way it is easy to see which still images belong to which video, and you can comment on the video or add the video to a report table without navigating back and forth and without using the slightly less intuitive way of applying report table associations to an item that you cannot see (the "for parent file" option). The tiles that represent the videos may act as visual delimiters in the gallery if you disable auxiliary thumbnails in the gallery options, so that you can easily see where the still images of the next video begin.

 

A special filter setting is available that allows you to focus on files whose creation date is later than the modification date, i.e. which apparently were copied and that way got a new creation date. The Notation options allow to mark all such files with the word "copied". The presence of that word can be used for conditional cell coloring, so that you quickly see which files are likely original files and which files were copied. Note that a search for the word "copied" is language-specific (in case you share your conditional cell coloring settings with users in other countries).

 

Ext.: Filename extension. The part of the filename that follows the last dot, if any, except if the last dot is the very first character (not uncommon in the Unix/Linux world).

 

Type [INV, FOR]: File type. If the header signature of a file was not specifically checked (see Refine Volume Snapshot), this is merely a repetition of the filename extension and displayed in gray. Otherwise, if the file signature verification revealed the true nature of the file, a typical extension of that type will be output. That extension will be displayed in black if it is still the same as the actual extension of the file, or in blue if the actual extension does not match the type of the file. A convenient filter can be activated based on this column. In the filter dialog you can select individual file types or entire categories. You can load and save your selection. There are buttons that allow you to expand or collapse all categories at once. Expanding all categories can be useful if you would like to quickly find a certain file type by typing its letters while the tree view window has the input focus.

 

Please note that collisions among file type designations become apparent when selections for the file type filter are loaded from .settings files or cases. For example, if you had originally selected "mmf" = "MailMessage File" (category e-mail), you will find that "mmf" is also selected as "Yamaha SMAF" (category Sound/Music). This is normal and does not change what the Type filter does. When in doubt, the Type filter also includes other types with the same designation, so that nothing is overlooked.

 

Type Status [INV, FOR]: The status of the Type column. Initially “not verified”. After verifying file types based on signatures (as part of refining the volume snapshot or viewing files in preview or gallery mode): If a file is very small (less than 8 bytes), the status is “irrelevant”. If neither the extension nor the signature of a given file is known to the file type signature database, the status is “not in list”. If the signature matches the extension according to the database, the status is “confirmed”. If the extension is referenced in the database, yet the signature actually found in the file is unknown, the status is “not confirmed”. If the signature is known and the filename has no extension, then the status is “newly identified”. If the signature matches a certain file type in the database, however the extension matches a different file type, the status is “mismatch detected”. Filter available.

 

Additionally, this column may contain a hint about the consistency of the format of files of various supported types as either "OK" or "irregular", for carved files perhaps immediately, for other files perhaps after file type verification or metadata extraction have taken place. "Irregular" can mean corrupt, incomplete, inconsistent, unexpected, not viewable, ... anything out of the ordinary. For example in the case of JPEG irregular could mean that no footer signature was found at the end of the file.
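The decision table for the Type, Type status and consistency hint described above, as an added example that is not X-Ways code. The signature and extension database is a constructed toy stand-in for File Type Categories.txt and the real signature database; the JPEG footer (FF D9) check is the only consistency rule implemented. One combination the page does not spell out (an extension that is present but unknown to the database while the signature is known) is treated like a missing extension, which is an assumption.

```python
from typing import Dict, Optional

# Constructed toy database: header signatures and extension -> type designation.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]
EXTENSION_TYPES = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "pdf": "pdf",
                   "zip": "zip", "exe": "exe", "txt": "txt"}


def extension_of(name: str) -> str:
    """Ext. column rule: the text after the last dot, unless that dot is the
    very first character (Unix dotfiles such as ".bashrc" have no extension)."""
    dot = name.rfind(".")
    return "" if dot <= 0 else name[dot + 1:].lower()


def detect_signature(data: bytes) -> Optional[str]:
    for magic, designation in SIGNATURES:
        if data.startswith(magic):
            return designation
    return None


def format_consistency(designation: Optional[str], data: bytes) -> Optional[str]:
    """"OK"/"irregular" hint. Only the JPEG footer check from the page is
    implemented; other types yield no hint (None)."""
    if designation == "jpg":
        return "OK" if data.endswith(b"\xff\xd9") else "irregular"
    return None


def type_status(name: str, data: bytes, verified: bool = True) -> Dict[str, Optional[str]]:
    """What the Type column, Type status column and text color would show."""
    ext = extension_of(name)
    if not verified:
        return {"type": ext, "status": "not verified", "color": "gray", "consistency": None}
    if len(data) < 8:
        return {"type": ext, "status": "irrelevant", "color": "gray", "consistency": None}

    sig = detect_signature(data)
    ext_type = EXTENSION_TYPES.get(ext) if ext else None

    if sig is None:
        # Unknown signature: nothing better than the extension can be shown.
        status = "not in list" if ext_type is None else "not confirmed"
        shown, color = ext, "gray"
    elif ext == "" or ext_type is None:
        # No extension, or (assumption) an extension unknown to the database.
        status, shown, color = "newly identified", sig, "blue"
    elif sig == ext_type:
        status, shown, color = "confirmed", sig, "black"
    else:
        status, shown, color = "mismatch detected", sig, "blue"

    return {"type": shown, "status": status, "color": color,
            "consistency": format_consistency(sig, data)}


# Constructed sample contents (not real files).
JPEG_OK = b"\xff\xd8\xff\xe0" + bytes(20) + b"\xff\xd9"
JPEG_TRUNCATED = b"\xff\xd8\xff\xe0" + bytes(20)   # no footer: "irregular"
PDF_BYTES = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for fname, content in [("photo.jpg", JPEG_OK), ("report.pdf", JPEG_OK),
                           ("blob", PDF_BYTES), ("cut.jpg", JPEG_TRUNCATED)]:
        print(fname, type_status(fname, content))
```

"report.pdf" with JPEG contents is the case that turns the Type column blue ("mismatch detected"), while "cut.jpg" is confirmed by signature but flagged "irregular" because the footer is missing.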

 

For an explanation of file type ranks and groups please see the description of File Type Categories.txt.

 

Type description [INV, FOR]: Displays the name of the application that a file type belongs to, what the filename extension stands for, etc., as specified in File Type Categories.txt. If the same extension occurs multiple times in the definition file, all its meanings are listed. For example, .pm could be a Perl module, a PageMaker document, a Pegasus file, or an X11 Pixmap file.

 

Category [INV, FOR]: File type category corresponding to the file type, according to the definition in "File Type Categories.txt" (see below). Filter available. If the same file type/extension is defined multiple times, belonging to different categories, only one category for this file type will be displayed. The category filter works nonetheless. The category filter can be activated using a popup menu. In that popup menu you can also see statistics about how many files of each category are currently listed in the directory browser (or would be listed if the category filter was turned off).

 

Evidence object [INV, FOR]: The name of the evidence object that the file or directory is part of. Useful in a recursive case root listing, i.e. when the directory browser shows all files of all evidence objects.

 

Path: Path of the file or directory, starting with a backslash, based on a volume's root. Filter available. The filter expressions are interpreted as substrings that can match any part of the path, so no wildcards are needed or supported.

 

Full path [SPE, LAB, FOR]: The path including the name of the file or directory itself. Sorting by full path can yield a convenient order because child objects directly follow their respective parents. Filter available.

 

Parent name, Child objects [INV, FOR]: Both columns come with filters. The filter for child objects allows you, for example, to quickly find all e-mails that have an attachment with a certain name. The filter for parent name allows you, for example, to quickly find all attachments that were attached to e-mails with a subject that contains certain words. Note that the filters for the columns Name, Parent name, and Child objects share the same settings and are mutually exclusive: they cannot be active at the same time, and activating one deactivates the others.

 

Size: Logical size of the file (i.e. size without slack) or physical size of a directory. Physical file size and valid data length (for files stored in an NTFS file system) can be seen in the Info Pane in File mode instead. If recursive selection statistics are enabled, with a forensic license the size of a directory is the total size of all the files directly or indirectly contained in that directory, otherwise the size of the data structures of the directory. Filter available. To focus specifically on files with an unknown size, use the filter condition <= -1.

 

Created: The date and time the file or directory was created on the volume it resides on. Not available on Linux filesystems. Filter available.

 

Modified: The date and time the file or directory was last modified. On FAT, time precision is 2-second intervals only. On CDFS, the only available date and time stamp is listed in this column although it does not necessarily indicate last modification. Filter available.

 

Accessed: The date and time the file or directory was last read or otherwise accessed. NTFS last access timestamps are displayed in gray if identical to the creation timestamp, as that on most systems likely means that these timestamps are simply not maintained, for performance reasons, and thus not very significant. On FAT, only the date is recorded. Filter available.

 

Record changed: The date and time the file's or directory's FILE record (on NTFS) or inode (Linux filesystems) was last modified. These are filesystem data structures that contain the file's meta data. Filter available.

 

Deleted: The date and time the file or directory was deleted. Available generally on Linux filesystems and possibly on NTFS (after a particularly thorough file system data structure search and viewing/previewing the $UsnJrnl:$J file on the volume, if there is any). Not to be confused with so-called deletion timestamps that other forensic tools may show you on NTFS volumes, for files that have not even been deleted from the file system. Filter available.

 

Content created [INV, FOR]: Creation timestamp that can be extracted from the internally stored metadata in various file types (see corresponding context menu command), as put there by the program that created the file. Internal timestamps are usually less volatile and can be more difficult to manipulate than file system level timestamps. They are useful for example for corroboration. Filter available.

 

 

Timestamp columns designated with a superscript 2 contain alternative timestamps [SPE, LAB, INV, FOR]. In the case of NTFS these values are taken from the 0x30 ($FILE_NAME) attributes and represent previously valid timestamps from when a file was last renamed or moved, or possibly from before some backdating operation occurred. Backdating operations are often applied by setup programs and also by Windows itself (the infamous creation timestamp tunnelling effect, cf. http://support.microsoft.com/kb/172190), and of course potentially by ordinary application programs as well as by users, for various legitimate or less noble purposes. Note that these columns are populated only if these previously valid timestamps actually differ from their current counterparts, and Modified² and Record changed² additionally only if they differ from Created², to avoid cluttering the screen unnecessarily with redundant information. That means any ² timestamps that you do see contain additional information and are not redundant.

 

Created² is also populated for HFS+ file systems, with the relatively new "Added date" timestamp from Mac OS X Lion and later as well as iOS, where available and if different from the regular Created date. That timestamp specifies when a file was added to the particular directory in which it is contained, even if originally created earlier.

 

The combined filter for all the timestamp columns allows to filter for certain date ranges (typical application) or for mere times, matching any possible date. For example if you are interested in unusual activity occurring in the middle of the night when the rightful office computer user is not working, you could filter for times such as between 22:00:00 and 05:59:59 (on a 24-hour clock). Obviously, selecting the right local time zone for the timestamp filter is crucial for this.

 

Please note that for FAT volumes, all timestamps are displayed as they are stored, in local time (they are not adjusted). For all other file systems the time zone concept applies.
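A time-of-day filter with a window that wraps midnight (22:00:00 to 05:59:59), applied after converting each timestamp to the selected display time zone, as an added example that is not X-Ways code. It also models the FAT rule stated above: FAT timestamps are stored as local time and are not adjusted, so they are represented as naive datetimes and used as-is. Fixed-offset zones (CET, CEST) are used so that the example runs without a time zone database; the sample entries are constructed.

```python
from datetime import datetime, time, timedelta, timezone
from typing import List, Tuple

UTC = timezone.utc
CET = timezone(timedelta(hours=1), "CET")
CEST = timezone(timedelta(hours=2), "CEST")


def in_time_window(t: time, start: time, end: time) -> bool:
    """True if t lies within [start, end], both inclusive. A window whose
    start is later than its end (22:00:00 to 05:59:59) wraps midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def local_time_of(ts: datetime, display_tz: timezone) -> time:
    """FAT timestamps (naive) are already local and are used unadjusted;
    everything else (aware, e.g. NTFS in UTC) is converted to display_tz."""
    if ts.tzinfo is None:
        return ts.time()
    return ts.astimezone(display_tz).time()


def filter_by_time_of_day(entries: List[Tuple[str, datetime]], display_tz: timezone,
                          start: time = time(22, 0, 0), end: time = time(5, 59, 59)) -> List[str]:
    """Names of entries whose (local) time of day falls into the window,
    regardless of the date."""
    return [name for name, ts in entries
            if in_time_window(local_time_of(ts, display_tz), start, end)]


# Constructed sample: NTFS-style UTC timestamps plus one naive FAT timestamp.
SAMPLE = [
    ("setup.log", datetime(2023, 3, 14, 21, 30, tzinfo=UTC)),    # 22:30 CET, 21:30 UTC
    ("report.docx", datetime(2023, 3, 14, 13, 0, tzinfo=UTC)),   # daytime everywhere
    ("cache.db", datetime(2023, 3, 15, 4, 10, tzinfo=UTC)),      # 05:10 CET, 06:10 CEST
    ("FATFILE.TXT", datetime(2023, 3, 14, 23, 15)),             # FAT: stored local time
]

if __name__ == "__main__":
    for tz in (UTC, CET, CEST):
        print(tz.tzname(None), filter_by_time_of_day(SAMPLE, tz))
```

The same three UTC timestamps produce three different result sets depending on the display time zone, which is the practical reason the page insists on selecting the right local time zone before using a time-only filter.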

 

Timestamps in the normal directory browser that meet the timestamp filter condition are highlighted. Timestamps in an event list that are identical to the event timestamp are also highlighted.

 

Underflows and overflows in the timestamp columns (timestamps outside of the supported range) are marked with the text "out of bounds"; they can be distinguished from each other and properly sorted and filtered. The supported range is May 5, 1829 through May 14, 2514.

 

 

Attributes: DOS/Windows attributes on FAT/NTFS filesystems, Unix/Linux permissions and filemode on Unix/Linux/Mac filesystems, plus some proprietary symbols that are explained in the legend (forensic license only) and here.

"Partial initialization" means that according to the file system (NTFS or exFAT) the so-called valid data length is smaller than the logical file size, i.e. the data at the end of the file is undefined: like file slack, it has nothing to do with the file and was stored on the disk at that location before. You can see the valid data length of the file in File mode in the Info Pane, and the undefined area is highlighted in a different color.

When sorting by the Attr. column, files with "more interesting" attributes are listed first, e.g. attributes that indicate encryption, and files without any attributes set or whose attributes are unknown are listed last.

A filter is available. For example, you can filter for any of the 9+3 bits of Unix-style file permissions specifically and combine them with OR, AND, or EQUAL. EQUAL requires the status of all 12 bits to be exactly as selected (whether set or not set). AND means you require ALL of the checked bits to be set, but don't care about the others. OR means you are satisfied already if ANY of the checked bits is set. SUID and SGID bits can be combined with a logical OR or AND. Please remember that if you are interested in directories with the sticky bit, you will need to include directories when exploring recursively and apply filters to directories, too (not the default setting). Please note that the logical operator for permissions should usually not be set to EQUAL, because that results in active filtering for permissions even if no permission bits are selected in the dialog box at all, unlike the OR or AND operators. EQUAL with no permission bits selected means to filter for files that have no permission bits set or files whose permissions are unknown.
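The OR/AND/EQUAL permission logic described above, including the EQUAL-with-nothing-selected behaviour and the "apply filters to directories" option, as an added example that is not X-Ways code. It parses ls-style permission strings into the 12 bits, treats None as unknown permissions (e.g. an NTFS file), and uses a single operator for all bits, which simplifies the separate OR/AND choice the page mentions for SUID/SGID. The entries are constructed.

```python
import stat
from typing import List, Optional, Tuple

PERM_MASK = 0o7777  # the "9+3 bits": rwxrwxrwx plus SUID, SGID, sticky


def parse_symbolic(perm: str) -> int:
    """'rwsr-xr-x' -> 0o4755. s/S in the owner or group execute position set
    SUID/SGID, t/T in the other execute position sets the sticky bit; lower
    case additionally sets the underlying x bit, as in ls output."""
    if len(perm) != 9:
        raise ValueError(f"expected 9 characters, got {perm!r}")
    special = {2: ("sS", stat.S_ISUID), 5: ("sS", stat.S_ISGID), 8: ("tT", stat.S_ISVTX)}
    mode = 0
    for i, ch in enumerate(perm):
        bit = 1 << (8 - i)
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            mode |= bit
        elif i in special and ch in special[i][0]:
            mode |= special[i][1]
            if ch.islower():
                mode |= bit
        else:
            raise ValueError(f"unexpected {ch!r} at position {i} in {perm!r}")
    return mode


def permission_matches(mode: Optional[int], selected: int, operator: str) -> bool:
    """mode: the item's permission bits, None if unknown. selected: the bits
    checked in the filter dialog. operator: 'OR', 'AND' or 'EQUAL'."""
    selected &= PERM_MASK
    if operator == "EQUAL":
        # Always active: with nothing selected it matches items with no
        # permission bits set or unknown permissions.
        return selected == 0 if mode is None else (mode & PERM_MASK) == selected
    if selected == 0:
        return True                  # OR/AND with nothing selected: filter inactive
    if mode is None:
        return False
    if operator == "AND":
        return mode & selected == selected
    if operator == "OR":
        return mode & selected != 0
    raise ValueError(f"unknown operator {operator!r}")


def filter_entries(entries: List[Tuple[str, bool, Optional[str]]], selected: int,
                   operator: str, apply_to_directories: bool = False) -> List[str]:
    """entries: (name, is_directory, symbolic permissions or None). Directories
    are listed unfiltered unless apply_to_directories is set, mirroring the
    option that is off by default."""
    listed = []
    for name, is_dir, perm in entries:
        if is_dir and not apply_to_directories:
            listed.append(name)
            continue
        mode = None if perm is None else parse_symbolic(perm)
        if permission_matches(mode, selected, operator):
            listed.append(name)
    return listed


# Constructed sample (name, is_directory, permissions as shown by ls).
SAMPLE = [
    ("passwd", False, "rwsr-xr-x"),     # SUID
    ("wall", False, "rwxr-sr-x"),       # SGID
    ("tmp", True, "rwxrwxrwt"),         # sticky directory
    ("home", True, "rwxr-xr-x"),
    ("notes.txt", False, "rw-r--r--"),
    ("unknown.bin", False, None),       # permissions unknown (e.g. NTFS)
]

if __name__ == "__main__":
    print(filter_entries(SAMPLE, stat.S_ISUID | stat.S_ISGID, "OR", apply_to_directories=True))
    print(filter_entries(SAMPLE, stat.S_ISVTX, "OR"))        # both directories remain listed
    print(filter_entries(SAMPLE, stat.S_ISVTX, "OR", apply_to_directories=True))
    print(filter_entries(SAMPLE, 0, "EQUAL", apply_to_directories=True))
```

The sticky-bit query shows the point the page makes: without applying the filter to directories, "home" stays in the list next to "tmp", and only with that option on does the filter actually single out the sticky directory.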

 

1st sector [not in INV]: The number of the sector that contains the beginning of the file's or directory's data. Sorting by 1st sector means sorting by physical location on the disk and lists files next to each other that are physically stored near each other. A filter is available, which allows you to focus on files whose contents start in certain sector ranges, for example to identify files that are definitely affected by known bad sectors or to identify files whose contents are stored past the end of a known incomplete image. Remember that optionally you can see physical sector numbers here (disk-based) instead of logical sector numbers (partition-based) if so desired, see Directory Browser Options. The filter also allows you to focus on carved files that are either aligned at sector boundaries or not, for example after having run a file header signature search at the byte level, to remove garbage files, which are more frequent among files that are not aligned.

 

FS offset [SPE, LAB, FOR]: Shows the offset of the defining data structure of a file or directory in the file system, i.e. the structure that is the basis for the inclusion of a file in the volume snapshot. That offset is where you can check details manually in case there are any doubts about where X-Ways Forensics got the file system level metadata from. This is also where you may apply a suitable template to get an alternative interpretation and where you can point disadvantaged users of other tools to as they may not be able to find such a crucial location otherwise or don't even get certain deleted files listed. Carved files and files that are embedded in other files for obvious reasons do not have such an offset in the file system (or in the case of carved files at least it is not known to X-Ways Forensics). The file system offset is also where you navigate to when you use the dedicated context menu command to locate a file's FILE record/inode/file entry/catalog key etc., as known from all versions.

 

ID: The identifier assigned to the file or directory by the file system or by WinHex. Not necessarily unique. A filter is available, which makes it more convenient to find other hard links of a given file.

 

Int. ID: The unique internal identifier of a file or directory in the volume snapshot. Items added to a volume snapshot last have the highest identifiers. Filter available. Useful for example and very easy to use if you would like to focus on the x files that were added to the volume snapshot last (after having refined it) or if you would like to resume a logical search with internal ID y (filtering out files that may have already been searched before).

 

For evidence objects that contain a huge number of files, the modulo option allows you to focus on a subset of files that is more or less representative of all files (though less random than files listed first when sorting by hash value). Applying the modulo operation to the internal ID will pick files from any directory, with any name, creation date etc. To see only 1,000 out of 100,000 files, i.e. every 100th file, use the operation "internal ID modulo 100 = 0". Also useful for testing purposes: If you wish to compare the performance of different hard disks, RAID systems, processors, configurations for volume snapshot refinements, you don't have to process all files in an evidence object. You can get quicker, yet likely representative results for example in 1/10 of the time if you only process every 10th file, pseudo-randomly selected by internal ID.

 

Even for normal work, examiners may not be required by their bosses/their prosecutor to conduct a 100% complete examination, for example if after review of a reasonably sized and representative subset you can extrapolate that about 10% of several 10,000 photos is illegal material.

 

Int. parent [not INV]: The unique internal identifier of the parent directory of a file or directory in the volume snapshot. Useful e.g. when exporting files and directories and there are multiple directories with the same name in the same path (e.g. one existing, one deleted), so that via the internal parent ID you can tell which file resided in which directory even if the path is ambiguous.

 

Unique ID [INV, FOR]: An internal identifier of a file or directory that is unique within the entire case, not just within the volume snapshot of one evidence object, and unique for the whole life time of the case. The unique ID is easily readable. It contains a delimiter, separating evidence object ID and int. ID.

 

Owner [FOR]: The ID of the owner of the file or directory, on file systems that record that information. On NTFS it's the SID, or, if X-Ways Forensics can resolve it to a username with the help of the SAM registry files already encountered while working with the case, the username. Filter available.

 

Group [FOR]: Shows the ID of the assigned group of a file in Linux file systems.

 

Author [INV, FOR]: Shows the names of the authors of documents of various types (MS Office, OpenOffice/LibreOffice, RTF, PDF, ...), after metadata extraction. Filter available.

 

Sender, Recipient [INV, FOR]: These columns are populated for e-mail messages and attachments extracted by X-Ways Forensics from e-mail archives, plus for original .eml files if metadata has been extracted from them. They come with filters that allow you to enter any part of an e-mail address or name to search for certain e-mail messages. The filter expression is interpreted as a substring, so no wildcards are needed or supported. You may choose which recipient types you wish to target with the filter: To:, Cc:, or Bcc:, or combinations thereof.

 

Link count [FOR]: The hard link count of the file or directory, i.e. how often it is referenced by a directory.

A hard link that just provides a short filename (SFN) to satisfy the legacy 8.3 requirements of old Microsoft DOS/Windows versions is not counted as a hard link. Instead, such files get their hard link count marked with a ° in the Links column of the directory browser. That way, the hard link count more accurately reflects the hard links actually present in the volume snapshot of X-Ways Forensics, and normal files always have a count of 1, whereas 2 or more means something more special. If a hard link count of 1 is marked with an asterisk (*), that means that the file or directory is stored as hard-linked in the directory structure in HFS+ although it would not be necessary based on the hard link count. If the hard link count is grayed out, that designates files that will be optionally omitted during a logical search to avoid unnecessary duplicate search efforts and duplicate search hits.

 

File count [INV, FOR]: The total number of files contained in a directory or in a file with child objects, in the volume snapshot, recursively, i.e. inclusive of further subdirectories. This number can also be found in the name column in parenthesis (depending on the settings).

 

Term count (search term count) [INV, FOR]: The number of search terms (not search hits) that have been found in a file. This takes into account all search terms ever used in simultaneous searches in a case, not only the search terms that may currently be selected in the search term list, unless you have deleted search hits. You can sort by this column to get files listed first that are likely more relevant (because they contain more of the search terms that you were looking for). This column is populated only for evidence objects of a case.

 

Search terms [INV, FOR]: Lists up to 25 of the search terms found in a file, those that are counted in the preceding column. Useful to get an idea of the search hits in a file even in the normal directory browser, without the need to switch to a search hit list. Filter available, which is not limited to the 25 search terms displayed in this column.

 

Page count [INV, FOR]: The page count is extracted from PDF and some Office file types as part of metadata extraction and shown in this column.

 

Pixels [INV, FOR]: The roughly rounded dimensions of a picture in thousand pixels (KP) or million pixels (MP, megapixels), as the result of width times height, for efficiency reasons stored as a very low precision value. The dimensions are computed simultaneously with skin color percentages, plus when viewing pictures (full-screen mode, preview mode, or in the gallery). Allows you to easily distinguish between e.g. small browser cache garbage graphics and high-quality digital photos, with the associated filter, which lets you focus on pictures with at most or at least the number of pixels that you specify, or both at the same time (a range). (Works only approximately because of the low precision storage of pixel numbers.) Once at least 1 video still has been exported from a video file, the approximate resolution of the video can also be seen in this column.

 

Analysis [INV, FOR]: Combined column that shows FuzZyDoc matches for textual documents as well as PhotoDNA matches and the computed amount of skin tones in raster images (or the fact that a picture is a black & white or gray-scale picture or too small to contain any relevant graphical content). Available after refining the volume snapshot if the underlying technology is available. Sorting or filtering by this column is the most efficient way to discover traces of e.g. child pornography or to search for scanned documents (gray scale or black & white pictures). Sorting by the Analysis column in descending order lists files with FuzZyDoc matches first (those files with the most confident matches for any hash set near the top, with lower percentages following), followed by PhotoDNA matches (showing the category names in an internal PhotoDNA hash database), followed by pictures with no PhotoDNA matches in descending order of their skin tone percentage. After that, irrelevant pictures are listed (pictures with very small dimensions), then files that are not pictures, and near the bottom black & white and gray scale pictures. Text color coding in that column makes it easier to distinguish between different kinds of categorizations. FuzZyDoc matches, PhotoDNA matches and color analysis results are mutually exclusive. That means that if a picture gets its colors analyzed and also a similarity with a PhotoDNA hash value is found, only the PhotoDNA category match is remembered in the Analysis column, not the skin tone percentage, because the PhotoDNA match is considered more helpful. A stylized P is displayed in the Analysis column for pictures for which at least one PhotoDNA hash value is stored in the volume snapshot. If that is the case, the hash value can be seen in Details mode.

 

Hash [SPE, LAB, FOR]: Up to two hash values can be computed for a file (e.g. MD5 and SHA-1) and then be presented in the two Hash columns. Filters available. The filters allow to focus on files that have a hash value, do not have a hash value, whose hash values start with certain hex values (if you specify only the beginning of a hash value) or have a certain value (if you specify a complete hash value). This filter can compare the hash values of files to up to 4 hash values that the user supplies as hex ASCII. Quicker alternative to creating a small hash set in the hash database if you just wish to quickly find a few files, e.g. duplicates of files with a known hash value that you can just copy from the hash column in the directory browser. The easiest way to use this filter when looking for duplicates of a file, which does not even require copy & paste of hash values, is to right-click a hash value of a given file in the directory browser in hex ASCII notation (not Base32) and invoke the "Filter by" command in the context menu.

 

The first Hash column displays pseudo-hash values in light gray color until real hash values have been computed [FOR]. Pseudo-hash values are based on the file metadata, not on the file contents. That's why they are available instantly even for very large files. They allow you to list files in a random order just like when you sort by real hash values, but without having to invest time to compute real hash values first. Useful for example for triage, if you have limited time and just wish to quickly look at some randomly selected files in a large evidence object first (e.g. pictures in a gallery) to determine how relevant an evidence object might be.

 

Looking at files in a random order might give you a more complete and accurate impression of what is stored in an evidence object, because the first x% of the files listed are more varied and more representative of the evidence object as a whole if they are in a truly random order. If you sort by name or path or size or timestamps on the other hand, many of the files you see will likely be somewhat similar (created by the same application or by the operating system, by the same user, for a similar purpose, created or copied or received around the same time, same file format, ...), so with some bad luck you will only see irrelevant files even if there is an equally large group of relevant files. Remember that if you don't sort in the directory browser at all, the view is skewed as well, because you will see the files in the order in which they are referenced by the volume snapshot, which is more or less the order in which they are referenced by the file system and thus not random.


Sorting by hash values can be combined with any filter, for example to see only pictures larger than 1 MB in a random order or only files of a certain user. Pseudo-hashes are not guaranteed to be unique or even remain the same when you close and re-open the evidence object.


Which of the up to two hash values stored in the volume snapshot is displayed in the Hash column can be changed in the Directory Browser Options dialog: either the primary hash value, the secondary hash value, or both at the same time (if the box is half checked). The Hash column filter is applied to the hash type(s) that is/are currently displayed. Which hash type(s) is/are displayed in the Hash column can be seen in the column header.


Hash set [INV, FOR]: The names of the hash sets in the internal hash database in which the file's hash value was found. Up to 64 matches are returned. Filter available. The Hash Set column shows known matches for both internal hash databases simultaneously. The filter can be used to filter for selected hash sets of one of the databases at a time. The database to choose hash sets from can be selected in the filter dialog.


Hash category [INV, FOR]: The category of the hash set that the file's hash value, if available, belongs to. Either "irrelevant", "notable", or blank. Filter available. Note to users with two internal hash databases: The Hash Category column shows only one category. If you assign the hash value of a certain file in one hash database to one category and the hash value of the same file in the other hash database to the other category, you will be warned once during matching and given exact information about which hash value in which hash sets in which hash databases are conflicting. The categorization as "notable" will prevail when in doubt.


Report table [INV, FOR]: The name(s) of the report table(s) that the file or directory has been assigned to. Filter available. If the parent file of a file has been assigned to one or more report tables by the user, then this is pointed out in the "Report table" column for the child object as well, in light gray color and with an arrow, except if the child object has report table associations itself. This reminds the user that the parent was reviewed and marked as relevant already, which can spare him or her the extra step of navigating to the parent again.


Comment [INV, FOR]: The free text comment that may have been assigned to the file or directory by the examiner. Filter available.


Metadata [INV, FOR]: Internal file metadata can be extracted from files of various types by refining the volume snapshot, and shown in this column. That is a subset of the more extensive metadata presented in Details mode, useful for filtering, export, and report purposes. It can be edited with a command in the directory browser context menu. Please note that the frequently occurring word "Generator signature" that can be seen in the Metadata column is not stored literally internally and thus cannot be found by a logical search in directory browser cells or with the filter.


Metadata, Comments, and Event Description filters support the use of up to 4 expressions, which can be flexibly combined with AND and OR. The last combination always has priority. For example "A and B or C" is interpreted as "A and (B or C)". "A or B and C" is interpreted as "A or (B and C)". The expressions may start with a colon to indicate NOT at the expression level.
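The combination rule above, worked through as an added example (not X-Ways code): the right-most combination has priority, so the operator list is folded from the right, and a leading colon negates a single expression. Matching each expression as a case-insensitive substring of the cell text, and the sample Metadata cell, are assumptions made for the illustration.

```python
"""Model of how the Metadata, Comment and Event Description filters combine
up to 4 expressions. Added illustration, not X-Ways code. The rule shown:
the last (right-most) combination has priority, so "A and B or C" means
A and (B or C) and "A or B and C" means A or (B and C). A leading ':'
negates that one expression. Substring matching is an assumption here."""

from typing import Sequence

MAX_EXPRESSIONS = 4  # documented limit


def match_one(expr: str, cell_text: str) -> bool:
    """Evaluate a single expression against a column cell; ':' prefix means NOT."""
    negate = expr.startswith(":")
    needle = expr[1:] if negate else expr
    hit = needle.lower() in cell_text.lower()
    return not hit if negate else hit


def filter_matches(expressions: Sequence[str], operators: Sequence[str],
                   cell_text: str) -> bool:
    """Combine 1..4 expressions with 'and'/'or' operators, one operator between
    each pair. The right-most operator binds tightest, so the list is folded
    from the right: the running result is always the parenthesised group."""
    if not 1 <= len(expressions) <= MAX_EXPRESSIONS:
        raise ValueError("1 to 4 expressions are supported")
    if len(operators) != len(expressions) - 1:
        raise ValueError("exactly one operator is needed between each pair")
    result = match_one(expressions[-1], cell_text)
    for expr, op in zip(reversed(expressions[:-1]), reversed(operators)):
        left = match_one(expr, cell_text)
        if op.lower() == "and":
            result = left and result
        elif op.lower() == "or":
            result = left or result
        else:
            raise ValueError(f"unknown operator: {op!r}")
    return result


# constructed sample Metadata cell for a document
SAMPLE_CELL = "Generator: Microsoft Word; Author: jdoe; Title: Invoice Q3"

if __name__ == "__main__":
    # "Excel and Photoshop or Invoice" -> False and (False or True) -> False
    print(filter_matches(["Excel", "Photoshop", "Invoice"], ["and", "or"], SAMPLE_CELL))
    # "Word or Excel and Photoshop" -> True or (False and False) -> True
    print(filter_matches(["Word", "Excel", "Photoshop"], ["or", "and"], SAMPLE_CELL))
```

Note that a left-to-right reading would give the opposite result in both printed cases, which is exactly the difference the documented priority rule makes.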


Additional columns for search hit lists [INV, FOR]: Physical/absolute offset, logical/relative offset, description of the nature of the search hit (code page/Unicode, whether in decoded text, whether in file slack), search hit with context preview. If the logical/relative offset is printed in gray, that means the search hit was found in the decoded text and the offset is not an offset in the file, but in the decoded text.


Additional columns for event lists [INV, FOR]: Timestamp, event type, event type category, description.


FlexFilters


Some more tips: Right-clicking a column header in the directory browser quickly activates or deactivates that column's filter without showing the settings dialog window. You can get a textual summary of all currently active filters with their settings by right-clicking the blue funnel symbol on the left or right end of the caption line of the directory browser.