Simultaneous Search

WinHex & X-Ways

This search command in the Search menu is available for owners of specialist and forensic licenses, and offers all options only for owners of forensic licenses. This search is simultaneous in that it allows the user to specify a virtually unlimited list of search terms, one per line. The occurrences of these search terms can be saved and listed in an evidence object's search hit list (forensic licenses, when working with a case), or in the general Position Manager.

You can use the simultaneous search to search multiple hard disks or disk images systematically, in a single pass, for a whole list of words such as "drug", "cocaine", (street synonym #1 for cocaine), (street synonym #2 for cocaine), (street synonym #3 for cocaine), (street synonym #3 for cocaine, alternative spelling), (name of dealer #1), (name of dealer #2), (name of dealer #3) etc., all at the same time. The search results can narrow the examination down to a list of files on which to focus.

The simultaneous search can be run physically in sectors, logically in files, or in a previously created index. A physical search reads the sectors of a medium in LBA order (or in reverse order if you search upwards). If you do not have WinHex list the hits of a physical search, you can press F3 to jump to the next hit. A logical search proceeds file by file, which is preferable and much more powerful and thorough, because it sees file contents as they are actually stored (e.g. across fragmented clusters). More about the logical search.

You can search for the same search terms simultaneously in up to 6 code pages. The default code page of your Windows system, i.e. the one that is currently active, is marked with an asterisk and initially preselected. E.g. on computers in the US and in Western Europe, the usual default code page is 1252 ANSI Latin I. Code pages named "ANSI" are the ones used in Microsoft Windows. "MAC" indicates an Apple Macintosh code page. "OEM" indicates a code page used in MS-DOS and in Windows command prompts. If a search term cannot be converted to a selected code page because it contains characters unknown in that code page, a warning is issued, and no hits can be found for that term in that code page. Code-page-independent GREP searches for exact byte values are possible by searching in a "non" code page called "Direct byte-wise translation for GREP", which takes byte values as they are, without any code page mapping or case matching. X-Ways Forensics also allows searching in both little-endian and big-endian UTF-16, and in any regional Windows code page plus UTF-16 with the MS Outlook cipher (compressible encryption) applied.

You can define which characters are considered parts of words (the "alphabet"). This is useful to avoid false whole-word hits for short real-language words in binary garbage or Base64 data, and, more generally, for users who regard digits as word characters (as in "GIF89"). Example: An undesirable hit for "band" in "7HZsIF9BAND4TpkSbSBS" can be prevented, if you search for it as a whole word only, by redefining the alphabet to include the digits 0-9, i.e. by treating them as word characters. The flip side is that a whole-word search for "band" then no longer matches where the term is directly followed by a digit, e.g. in a name like "band2", so choose the alphabet with the expected data in mind.
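To make the two paragraphs above concrete (one list of terms searched in several code pages at once, warnings for unconvertible terms, and the user-defined alphabet for whole-word hits), here is an added Python model of such a search. It is illustration code written for this page, not code from WinHex or X-Ways; the code page labels, the default alphabet and the sample "image" are assumptions, and the image is constructed inline.

```python
"""Toy model of a simultaneous search across several code pages (added example)."""
import re
import string

# Code pages to search at once: dialog-style labels (assumed) -> Python codecs.
CODEPAGES = {
    "1252 ANSI Latin I": "cp1252",
    "UTF-16 LE": "utf-16-le",
    "UTF-16 BE": "utf-16-be",
}
UNIT = {"cp1252": 1, "utf-16-le": 2, "utf-16-be": 2}   # bytes per character

# The "alphabet": which characters count as parts of words for whole-word hits.
LETTERS = frozenset(string.ascii_letters) | frozenset(
    chr(c) for c in range(0xC0, 0x100) if chr(c).isalpha())
LETTERS_AND_DIGITS = LETTERS | frozenset(string.digits)

# Constructed sample "image" (not from any real case): ANSI text, UTF-16LE
# text, UTF-16BE text, a Base64-looking run, and a trailing ANSI word.
SAMPLE = (
    b"\x00" * 4
    + "Meeting the cocaine dealer on Tuesday.".encode("cp1252")  # offset 4
    + b"\x00\x01\xff"
    + "drug money".encode("utf-16-le")                           # offset 45
    + b"\x00\x00"
    + "Caf\u00e9 invoice".encode("utf-16-be")                    # offset 67
    + b"\x00"
    + b"7HZsIF9BAND4TpkSbSBS"                                    # offset 92
    + b"\x00"
    + "Caf\u00e9".encode("cp1252")                               # offset 113
)
# One search term per line, as in the dialog. The Cyrillic word has no
# cp1252 representation, so that code page must produce a warning for it.
TERMS = ["cocaine", "drug", "band", "Caf\u00e9", "\u0434\u0438\u043b\u0435\u0440"]


def term_pattern(term, codec, match_case):
    """Compile a byte regex for one term in one code page.

    Every character is encoded separately, so case variants work in any code
    page, not only for ASCII. Raises UnicodeEncodeError when the code page
    cannot represent a character (the point at which the dialog warns).
    """
    parts = []
    for ch in term:
        variants = {ch} if match_case else {ch, ch.lower(), ch.upper()}
        encoded = sorted({v.encode(codec) for v in variants})
        parts.append(b"(?:" + b"|".join(re.escape(e) for e in encoded) + b")")
    return re.compile(b"".join(parts), re.DOTALL)


def char_at(data, pos, codec, unit):
    """Decode the one character unit at byte offset pos ('' past either end).
    Simplification: UTF-16 surrogate pairs are treated as two units."""
    if pos < 0 or pos + unit > len(data):
        return ""
    return data[pos:pos + unit].decode(codec, errors="replace")


def simultaneous_search(data, terms, codepages=CODEPAGES, alphabet=LETTERS,
                        whole_words=False, match_case=False):
    """One pass over data for every term in every selected code page.

    Returns (hits, warnings); a hit is (offset, term, code page label, bytes).
    """
    hits, warnings = [], []
    for term in terms:
        for label, codec in codepages.items():
            try:
                pattern = term_pattern(term, codec, match_case)
            except UnicodeEncodeError:
                warnings.append(f"{term!r} cannot be converted to {label}")
                continue
            unit = UNIT[codec]
            for m in pattern.finditer(data):
                before = char_at(data, m.start() - unit, codec, unit)
                after = char_at(data, m.end(), codec, unit)
                if whole_words and (before in alphabet or after in alphabet):
                    continue   # flanked by a word character: not a whole word
                hits.append((m.start(), term, label, m.group(0)))
    return sorted(hits), warnings


def demo():
    for alphabet, name in ((LETTERS, "letters only"), (LETTERS_AND_DIGITS, "letters+digits")):
        hits, warnings = simultaneous_search(SAMPLE, TERMS, alphabet=alphabet, whole_words=True)
        print(f"alphabet = {name}: {len(hits)} whole-word hits, {len(warnings)} warning(s)")
        for offset, term, label, raw in hits:
            print(f"  {offset:6d}  {term:8s}  {label:18s}  {raw.hex(' ')}")
        for w in warnings:
            print("  warning:", w)


if __name__ == "__main__":
    demo()
```

With the letters-only alphabet the "BAND" inside the Base64-looking run is reported as a whole-word hit for "band" (it is flanked by the digits 9 and 4, which are not word characters), while with digits added to the alphabet it disappears. Note also that the UTF-16BE string "Café" is reported a second time as a UTF-16LE hit one byte later: the big-endian byte sequence 00 43 00 61 ... contains the little-endian sequence 43 00 61 00 ..., so searching both byte orders inherently yields such paired hits on text in the ASCII range; the offset and the surrounding bytes tell the two apart.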

It is possible to review the (still incomplete) search hit list in the middle of an ongoing simultaneous search. You can click the search hit list button at any time to view the preliminary search hit list. Additional search hits collected as the search continues are listed when you refresh the search hit list by pressing Enter in the search term list, as usual. Viewing preliminary search hits this way is useful e.g. when previewing a live system on site to determine whether a medium might contain relevant files and should be captured. If, after searching 5% of the data and reviewing the hits gathered so far, the answer is yes, the search can be stopped right there, and a lot of time is saved.

General search options

Options and advantages of the logical search