WINHEX

WinHex, shown in Figure 25-3, is a Windows-based hexadecimal editor for files, disks, and RAM, surrounded by several forensic features (such as disk cloning and imaging). WinHex can be downloaded at http://www.winhex.com.


Figure 25-3: WinHex reading drive C:

Implementation

You can use WinHex to open any kind of file by choosing File | Open. Files can be as large as 1000GB and are opened instantly, as they are always loaded only partially into memory. You can also use WinHex to open multiple files simultaneously by choosing File | Open Folder. This will open all files in a folder (plus, optionally, in its subfolders) that meet the user's specifications; for example, files that contain certain text, that contain certain hexadecimal values, and/or that match a certain file mask (such as *.doc).

WinHex can also read logical drives (such as C:, D:, E:) as well as physical disks (hard disk 0, hard disk 1, floppy disk 0, CD-ROM drive 0, and so on) directly at the sector level and thus display not only used space, but also unused drive space, slack space, and unallocated interpartition space. Choose Tools | Disk Editor to access this function. Unused drive space and slack are optionally highlighted so that such disk areas, where data from deleted files can be found, are easier to recognize. Unused drive space, slack space, interpartition space, and readable text within binary data can also be captured from entire drives into dedicated files for further examination (via the Specialist menu).

Data Interpretation

The left column is the Offset column, which gives the relative byte address of the respective line in either hexadecimal or decimal notation. The middle column is the hexadecimal representation of the actual data. The right column is the ASCII representation. Optionally, the user can switch to hex-only or ASCII-only display from the View menu. The typical editor display (hex plus ASCII) can also be dumped by choosing Edit | Copy Editor Display and pasting the output into a text file. Another option is to interpret text as IBM ASCII (used in DOS, as opposed to the ASCII variant in MS Windows) or EBCDIC (an IBM mainframe character set).

The Data Interpreter is a useful tool to interpret binary data, such as integer numbers, floating-point numbers, and dates in multiple formats. Such binary data can be found in any kind of binary file and in file system data structures such as boot sectors, FAT directory entries, NTFS FILE records, and so on. When examining data originating from a computer with a Motorola or SPARC processor, the Data Interpreter can be configured for the big-endian format. WinHex also supports interpreting data elements of a known file format using templates.

WinHex can fully interpret the file system data structures of FAT12, FAT16, FAT32, and NTFS and show the directory tree of either a logical drive, an image file representing a logical drive, or a single partition of a physical hard disk. When one of these is opened, information such as the file creation date, date of last modification, and date of last access is accessible. In the case of an image file, choose Tools | Disk Tools | Interpret File As Disk to open the file. When browsing directories, WinHex will automatically show the corresponding raw data on the drive in the hexadecimal/ASCII part of the edit window.

For example, when double-clicking a directory, the user not only sees the contents of that directory in an Explorer-like interface, but also the binary data on the drive where information has been stored by the operating system. When you double-click a file, WinHex will show the beginning of the file on the drive and a list of all associated clusters. The directory view includes deleted files and folders that the user can recover with a right-click.
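What the directory view does when it lists deleted files, timestamps, and "all associated clusters" is decode the on-disk structures directly. The script below is an added example for this page (not WinHex code and not its template format): it parses the 32-byte FAT short-name directory entry, keeps entries whose first byte is 0xE5 (the deleted marker) the way the directory view does, unpacks the packed FAT date/time fields, follows a FAT32 cluster chain, and converts a cluster number to a byte offset on the drive. The directory and FAT bytes are constructed; names such as `parse_directory` and `cluster_chain` are this example's own.

```python
import struct
from datetime import datetime

DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # 32-byte FAT short-name directory entry
ATTR_DIRECTORY, ATTR_LONG_NAME = 0x10, 0x0F
FAT32_EOC = 0x0FFFFFF8                          # entry values >= this end a cluster chain

def fat_datetime(date: int, time: int) -> str:
    """FAT date: 7 bits years-since-1980, 4 bits month, 5 bits day.
    FAT time: 5 bits hour, 6 bits minute, 5 bits seconds/2 (2-second resolution)."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second).strftime("%Y-%m-%d %H:%M:%S")
    except ValueError:                          # garbage in the slot, e.g. month 0
        return f"invalid (date={date:#06x}, time={time:#06x})"

def parse_directory(data: bytes) -> list:
    """Walk 32-byte entries; deleted entries (first byte 0xE5) are kept, as a hex editor's directory view does."""
    entries = []
    for offset in range(0, len(data) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        raw = data[offset:offset + DIR_ENTRY.size]
        if raw[0] == 0x00:
            break                               # 0x00 = no further entries in this directory
        (name, attr, _nt, _tenth, _ctime, _cdate, _adate,
         cluster_hi, wtime, wdate, cluster_lo, size) = DIR_ENTRY.unpack(raw)
        if attr == ATTR_LONG_NAME:
            continue                            # VFAT long-name piece, not a file of its own
        deleted = name[0] == 0xE5               # slot marked free; everything else survives
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]               # the first character is overwritten by 0xE5
        entries.append({
            "offset": offset,
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (cluster_hi << 16) | cluster_lo,
            "size": size,
            "modified": fat_datetime(wdate, wtime),
        })
    return entries

def cluster_chain(fat: bytes, first_cluster: int) -> list:
    """Follow a FAT32 chain (28 significant bits per entry). A freed entry (0) ends the
    chain early, which is all that is left of a deleted file's cluster list."""
    table = struct.unpack(f"<{len(fat) // 4}I", fat)
    chain, cluster = [], first_cluster
    while 2 <= cluster < len(table) and cluster not in chain:
        chain.append(cluster)
        cluster = table[cluster] & 0x0FFFFFFF
        if cluster == 0 or cluster >= FAT32_EOC:
            break
    return chain

def cluster_offset(cluster: int, bytes_per_sector: int, sectors_per_cluster: int, first_data_sector: int) -> int:
    """Byte offset of a data cluster on the volume (cluster numbering starts at 2)."""
    return (first_data_sector + (cluster - 2) * sectors_per_cluster) * bytes_per_sector

def make_entry(name: bytes, attr: int, cluster: int, size: int, wdate: int, wtime: int) -> bytes:
    """Build a constructed directory entry; creation and access stamps reuse the write stamp."""
    return DIR_ENTRY.pack(name, attr, 0, 0, wtime, wdate, wdate,
                          cluster >> 16, wtime, wdate, cluster & 0xFFFF, size)

# Constructed sample (not a real volume): a live file, a deleted file, and the end marker.
DATE_2006_03_15 = (26 << 9) | (3 << 5) | 15
TIME_14_30 = (14 << 11) | (30 << 5)
DIR_SAMPLE = (
    make_entry(b"README  TXT", 0x20, 5, 1234, DATE_2006_03_15, TIME_14_30)
    + make_entry(b"\xe5ECRET  DOC", 0x20, 9, 4096, DATE_2006_03_15, TIME_14_30)
    + b"\x00" * 32
)
# Constructed FAT32 table: clusters 5->6->7->EOC belong to README.TXT; cluster 9 was freed on deletion.
FAT_SAMPLE = struct.pack("<10I", 0x0FFFFFF8, 0xFFFFFFFF, 0x0FFFFFFF, 0, 0, 6, 7, 0x0FFFFFFF, 0, 0)

if __name__ == "__main__":
    for entry in parse_directory(DIR_SAMPLE):
        print(entry, "clusters:", cluster_chain(FAT_SAMPLE, entry["first_cluster"]))
```

For the deleted entry the chain walker returns only the first cluster, because the FAT entries were zeroed when the file was deleted; a recovery tool then has to assume the remaining clusters followed contiguously, which is exactly the assumption that makes recovery from the directory view unreliable on fragmented volumes.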

Searching

WinHex allows an analyst to search for ASCII strings, for any combination of hexadecimal values, for binary integer numbers, and more under the Search menu. This is more powerful than just using hexdump and grep, because the output from hexdump and grep may be broken up between new lines. The scope of the search (Up, Down, All, Selected Block Only) can be freely selected.

When multiple files are open in WinHex, they can be searched simultaneously. When searching an entire drive and a match is found, WinHex will show on screen which file is stored in the cluster that contained the match. You can have WinHex find the next match by pressing F3. Optionally, WinHex will stop only at search term occurrences that meet a special condition. These could include occurrences at a particular offset relative to a disk sector boundary (offset 10, for example), occurrences that are "entire words," or occurrences that match the case of the search term.

Tip

When operating on a drive with many faulty sectors, it is possible to have WinHex ignore read errors that occur during the search and silently continue with the next sector. Simply select Ignore Read Errors in the Find dialog box.

A "not" operator is available; for example, to find the first nonzero byte in an almost "blank" file. Additionally, wildcards can be used for text and hex searches. WinHex can generically search for text in a massive binary file or on an entire drive (choose Search | Text Passages), based on the user's preferences of what text characteristics should be recognized (such as the number of subsequent printable characters, the kind of characters, or the character set).

WinHex also supports a simultaneous search mode, where you can search for multiple text strings or hex values at the same time (choose Specialist | Simultaneous Search). In the example shown, several words from a drug list supplied by http://www.rxlist.com/ are searched for at once.

For example, the user can search for various people's names, postal addresses, telephone numbers, e-mail addresses, street synonyms of weapon names, drugs, alternative spellings, common misspellings, and other variables to find whether they are stored anywhere on a drive, and if so, where exactly. WinHex is able to search text simultaneously in the ASCII and the Unicode character set. The results (matching offsets with a description) can optionally be saved in the WinHex Position Manager or in a tab-delimited text file, which can be further processed by importing it into another application such as MS Excel. If used on a logical drive or image file, WinHex will also describe the location of the match as either free drive space, slack space, or space allocated to a specific file.
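The search features from the last several paragraphs (hex search with wildcards, the "not" operator, text-passage extraction, and a simultaneous search that tries every term in both ASCII and Windows Unicode, written out as a tab-delimited hit list) share one property that hexdump piped into grep lacks: they operate on the raw byte stream, so a hit is never split across the line breaks a dump introduces. The script below is an added example written for this page, not WinHex code; the sample "drive" is a constructed byte string, and the function names are this example's own. Windows "Unicode" is taken to mean UTF-16LE, which is how Windows applications usually store text.

```python
import re

PRINTABLE = rb"[\x20-\x7e]"        # printable 7-bit ASCII, the usual definition of "text"

def find_first_not(data: bytes, value: int = 0) -> int:
    """The "not" operator: offset of the first byte that is NOT `value`, or -1. Handy for near-blank files."""
    for offset, byte in enumerate(data):
        if byte != value:
            return offset
    return -1

def find_hex_pattern(data: bytes, pattern: str) -> list:
    """Hex search with ?? wildcards, e.g. "7F 45 4C 46 ?? 01". Returns every match offset, overlapping ones included."""
    parts = [b"." if token == "??" else re.escape(bytes([int(token, 16)])) for token in pattern.split()]
    regex = re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)   # lookahead = zero-width, so overlaps count
    return [m.start() for m in regex.finditer(data)]

def find_text_passages(data: bytes, min_len: int = 8) -> list:
    """Runs of at least `min_len` printable characters inside binary data (the "text passages" idea)."""
    regex = re.compile(PRINTABLE + b"{" + str(min_len).encode() + b",}")
    return [(m.start(), m.group().decode("ascii")) for m in regex.finditer(data)]

def simultaneous_search(data: bytes, terms: list, ignore_case: bool = True) -> list:
    """Search several terms at once, each as ASCII and as UTF-16LE. Returns sorted (offset, term, encoding) hits."""
    flags = re.IGNORECASE if ignore_case else 0     # bytes patterns fold ASCII letters only
    hits = []
    for term in terms:
        for encoding in ("ascii", "utf-16-le"):
            regex = re.compile(re.escape(term.encode(encoding)), flags)
            hits.extend((m.start(), term, encoding) for m in regex.finditer(data))
    return sorted(hits)

def hits_as_tsv(hits: list) -> str:
    """Tab-delimited hit list, ready for import into a spreadsheet or database."""
    lines = ["offset\tterm\tencoding"]
    lines += [f"{offset}\t{term}\t{encoding}" for offset, term, encoding in hits]
    return "\n".join(lines)

# Constructed sample "drive" (not real data): a run of zeros, an ELF header, a line of ASCII text,
# and the same drug name stored as UTF-16LE, as a Windows application would write it.
SAMPLE = (
    b"\x00" * 40
    + b"\x7fELF\x02\x01" + b"\x00" * 20
    + b"Patient list: OXYCODONE 40mg, vicodin\n" + b"\x00" * 5
    + "Vicodin order".encode("utf-16-le")
    + b"\x00\xff" * 8
)

if __name__ == "__main__":
    print("first non-zero byte at", find_first_not(SAMPLE))
    print("ELF header at", find_hex_pattern(SAMPLE, "7F 45 4C 46 ?? 01"))
    print("text passages:", find_text_passages(SAMPLE))
    print(hits_as_tsv(simultaneous_search(SAMPLE, ["oxycodone", "vicodin"])))
```

The UTF-16LE hit at offset 109 is the one a plain ASCII search would miss entirely; the case-insensitive flag is what finds "OXYCODONE" for the lower-case term, and turning it off makes that hit disappear.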

Another available option creates a "catalog" of existing and deleted files and directories on a drive, which you can access by choosing Specialist | Create Drive Contents Table. The catalog lists user-configurable information such as attributes, all available date and timestamps, size, allocated clusters, hashes, and alternative data streams (which may contain hidden data on NTFS drives). These catalogs are useful to examine the contents of a disk systematically, to search for certain filenames, or to match existing files' hashes against a database of known "good" or "bad" files. The catalog can be limited to files of a certain type using a filename mask (such as *.jpg and *.gif). The resulting table can be imported and further processed by databases or MS Excel. Sorting by date and timestamps gives a good overview of what a disk was used for at a certain time. The NTFS encryption attribute might quickly reveal which files will turn out to be crucial in a forensic examination.
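The drive contents table is, at bottom, a walk over the file system that records size, timestamps and hashes per file, filters by a filename mask, compares each hash against known-good and known-bad sets, and writes the result out as a tab-delimited table sorted by time. The script below is an added example for this page and is not WinHex code: it does that over a live directory tree rather than a raw volume, so it sees no deleted files and no alternate data streams, which is precisely what the sector-level tool adds. The sample tree, its contents, timestamps and the "known bad" hash set are all constructed; the function names are this example's own.

```python
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def file_hashes(path: Path) -> tuple:
    """MD5 and SHA-256 of a file, read in 1 MiB chunks so large files never need to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def build_catalog(root, mask: str = "*", known_good=frozenset(), known_bad=frozenset()) -> list:
    """Catalog every file under root (subfolders included) whose name matches mask.
    Each row carries size, UTC modification time, hashes and a status from the hash sets;
    rows are sorted by modification time, which gives the timeline view the text describes."""
    rows = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not fnmatch.fnmatch(path.name.lower(), mask.lower()):
            continue
        st = path.stat()
        md5, sha256 = file_hashes(path)
        if sha256 in known_bad:
            status = "known bad"            # examine first
        elif sha256 in known_good:
            status = "known good"           # e.g. an unmodified OS file; can be skipped
        else:
            status = "unknown"
        rows.append({
            "path": str(path.relative_to(root)),
            "size": st.st_size,
            "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "md5": md5,
            "sha256": sha256,
            "status": status,
        })
    rows.sort(key=lambda row: row["modified"])
    return rows

def catalog_as_tsv(rows: list) -> str:
    """Tab-delimited table for import into a spreadsheet or database."""
    columns = ("path", "size", "modified", "md5", "sha256", "status")
    lines = ["\t".join(columns)]
    lines += ["\t".join(str(row[column]) for column in columns) for row in rows]
    return "\n".join(lines)

# Constructed sample tree (not a real evidence drive): three files with distinct modification times.
SAMPLE_FILES = {
    "notes.txt": (b"meeting at noon\n", "2006-01-01 10:00:00"),
    "tool.exe": (b"MZ constructed sample binary", "2006-02-01 12:00:00"),
    "pics/photo.jpg": (b"\xff\xd8\xff\xe0 not a real photo", "2006-03-01 08:00:00"),
}
# Constructed "known bad" set: the hash of the sample binary above, standing in for a real hash database.
KNOWN_BAD = frozenset({hashlib.sha256(SAMPLE_FILES["tool.exe"][0]).hexdigest()})

def build_sample_tree() -> str:
    """Write the constructed files into a fresh temporary folder and return its path."""
    root = tempfile.mkdtemp()
    for relative, (content, stamp) in SAMPLE_FILES.items():
        path = Path(root, relative)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        seconds = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (seconds, seconds))
    return root

if __name__ == "__main__":
    print(catalog_as_tsv(build_catalog(build_sample_tree(), known_bad=KNOWN_BAD)))
```

Hashing with two algorithms costs one extra pass over each chunk, not a second read of the file, and keeps the table usable against hash sets published in either form.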

Data Recovery

Deleted files can be recovered directly in the directory view (see Figure 25-3 shown previously) if traces of these files can still be found in the file system data structures. Deleted or otherwise lost files can also be recovered using another method that searches for characteristic file type signatures on a drive (choose Tools Disk Tools File Recovery By Type). When the file is found, the file header and the following data are extracted from the drive and put into a user-specified output folder. This method works even if the file system is severely damaged, because it does not make use of any file system data structures. By default, WinHex looks for file type signatures only at the beginning of clusters. However, when recovering files from backup files or tapes, where they are not aligned at cluster boundaries, or if the user is not sure of the cluster structure, the "thorough search" works well. Notice that several file types can be recovered simultaneously.
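File Recovery By Type, as described above, ignores the file system entirely: it scans the raw drive for known header signatures, extracts the header plus the data that follows (up to a footer or a size limit), and by default only looks at cluster boundaries, with a slower "thorough" mode that tests every byte. The carver below is an added example written for this page and is not WinHex code; the signature table holds four common types, the disk image is a constructed byte string with one file deliberately placed off a cluster boundary, and the function names are this example's own.

```python
from pathlib import Path

# header signature, footer signature (None would mean "no footer, rely on max_size")
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x3b"),
    "pdf": (b"%PDF", b"%%EOF"),
}

def carve(image: bytes, cluster_size: int = 512, thorough: bool = False, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan image for file headers and cut out header + following data.

    Default mode tests only cluster boundaries (fast, assumes a normal volume);
    thorough=True tests every byte, which is what tapes, backup files or an unknown
    cluster layout require. Scanning resumes after each carved file, so files embedded
    inside other files (thumbnails, attachments) are not carved separately.
    """
    step = 1 if thorough else cluster_size
    results, pos = [], 0
    while pos < len(image):
        hit = next(((ftype, hdr, ftr) for ftype, (hdr, ftr) in SIGNATURES.items()
                    if image.startswith(hdr, pos)), None)
        if hit is None:
            pos += step
            continue
        ftype, header, footer = hit
        limit = min(len(image), pos + max_size)
        end = image.find(footer, pos + len(header), limit)
        end = limit if end == -1 else end + len(footer)     # no footer in range: take max_size bytes
        results.append({"offset": pos, "type": ftype, "data": image[pos:end]})
        pos = end if thorough else -(-end // cluster_size) * cluster_size   # next byte or next cluster boundary
    return results

def save_carved(results: list, out_dir) -> list:
    """Write every carved file into out_dir, named by its offset on the drive."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for result in results:
        path = out / f"{result['offset']:08X}.{result['type']}"
        path.write_bytes(result["data"])
        paths.append(path)
    return paths

# Constructed 3 KiB "disk image" (not a real volume): 6 clusters of zeros holding three fake files
# built from real headers and footers only. The PNG is deliberately not cluster-aligned.
CLUSTER = 512
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 100 + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"IEND\xaeB`\x82"
GIF_SAMPLE = b"GIF89a" + b"\x00" * 30 + b"\x3b"
_buf = bytearray(6 * CLUSTER)
_buf[1 * CLUSTER:1 * CLUSTER + len(JPEG_SAMPLE)] = JPEG_SAMPLE     # starts exactly at cluster 1
_buf[1100:1100 + len(PNG_SAMPLE)] = PNG_SAMPLE                     # mid-cluster, as on a tape
_buf[4 * CLUSTER:4 * CLUSTER + len(GIF_SAMPLE)] = GIF_SAMPLE       # starts exactly at cluster 4
IMAGE = bytes(_buf)

if __name__ == "__main__":
    for mode in (False, True):
        found = carve(IMAGE, cluster_size=CLUSTER, thorough=mode)
        print("thorough" if mode else "aligned ", [(r["offset"], r["type"], len(r["data"])) for r in found])
```

The aligned pass finds the JPEG and the GIF; only the thorough pass also finds the PNG at offset 1100, at the cost of testing every byte against every signature. Note that the footer search is what keeps the carved file short; without one (or for a type with no footer) the carver takes `max_size` bytes and the output needs trimming by hand.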

The file retrieval can read from a specific file you specify, from complete folders and subfolders, or even from entire hard disks, covering all files, free space, and slack space. The example just shown searches for traces of deleted web pages and similar files.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175