Today editors are more flexible compared to those in earlier days. Among them, WinHex has a unique place because of its versatile built-in features. The list of the features available will vary depending on the version you licensed.
WinHex comes with a bundle of tools which can save your time and work. On the one hand, WinHex is not a regular editor - it can edit executable files in hex mode showing you even those non-printable characters, such as carriage returns, tabs, and some other special characters. On the other hand, you can perform data analysis from pieces of data recovered via Scandisk or Chkdisk. You can easily perform file recovery and undelete tasks by using its File Recovery utility.
Memory editing is a great bonus for gamers, who can cheat by changing some of the values in order to level up, or by boosting up the energy to be used during the game. Besides, you can check your system’s physical memory searching for malicious activity. This is truly helpful when you are performing forensic works on the system.
If you get tired of making identical disks for a standard installation, try with the Disk Cloning feature inside WinHex. With this tool, you can clone any physical media connected to your system. Furthermore, it allows you to choose which sectors you wish to clone, and compare files or full disks. Its permanent deletion utility will give you extra privacy when sharing your system. WinHex supports deconstructing RAID 0-5 with a maximum of 16 components.
Take some time to read the manuals and the tips provided by experts before using this tool - inexperienced persons may easily make a mess of their computers when using this powerful tool.
v17.1 [May 14, 2013]
Another typical X-Ways feature that cements X-Ways Forensics' position as the tool that gives its users the greatest amount of control when selecting/targeting/filtering data at any conceivable level: The ability to create forensic physical skeleton disk images, which contain only those sectors that are needed for certain purposes, while maintaining compatibility with other tools. These can be sectors with partition tables, file system data structures, their neighboring sectors as well as sectors with file contents or any sectors in unpartitioned no man's land. A skeleton image is typically sparsely populated with data, with vast areas in between remaining undefined, so that it makes sense to utilize NTFS sparse file technology for it. Unwritten areas in the skeleton image will act as if zeroed out when read later.
You start skeleton imaging by invoking the File | Create Skeleton Image menu command. Which sectors from then now will be copied into the image is defined indirectly, by making X-Ways Forensics read those sectors from the source disk that are needed for a certain purpose. When the target image is open in the background, next you typically open the disk or partition or open and interpret the image that you wish to acquire partially. That way it will be automatically defined as the source, and that way even read operations during the important opening or interpretation step are triggered, when partition tables and boot sectors are parsed, so that these essential data structures that define partitions and identify file systems are included in the skeleton image without having to select the relevant sectors manually.
After opening a partitioned physical disk, you have a "basic skeleton" in your target image: Partition tables pointing to partition boot sectors or nested partition tables, whose function is to support all the other data in between (file system data and user data). If you also wish to ensure that from the skeleton image it is possible to take a volume snapshot of a certain partition, i.e. get a listing of all files and directories referenced by the file system in that partition, then you open that partition from the source hard disk so that a volume snapshot is taken. Again, all the sectors read from the source hard disk in the process are simultaneously copied to the image, and those contain the file system data structures, e.g. $MFT in NTFS, all directory clusters in FAT, the catalog file in HFS+ etc. etc. That adds considerably more administrative data and also metadata to your skeleton image, but still no or almost no user content. Unrelated sectors that are not used by the file system are not read and therefore not copied. That also means that the ability to find previously existing files in the skeleton image will be limited.
The dialog window to change the state of the target image also allows you to close it, i.e. stop the acquisition for the moment or finalize the image. The same skeleton image can be further completed at any later time by selecting it again with the "Create Skeleton Image" command, but then you choose to not overwrite, but to update it.
Share images, video and music between your Android and Windows devices
