X-Ways: Computer forensics software made in Germany

WinHex/X-Ways Forensics: Administration Tips

The following information is intended to help you tailor your installation of WinHex/X-Ways Forensics or automate the installation on multiple machines (e.g. in a network). Please observe the license agreement and the number of licenses purchased.

System optimization

WinHex/X-Ways Forensics/X-Ways Investigator are not resource hungry at all. You can execute these programs on old computers running Windows XP, with just 256 MB RAM and 1 GB free hard disk space. With just 512 MB RAM you can already open and analyze volumes with around 5 million files! (It will not be fast, but it works.) Good to know if you ever have to run it on old live systems that you encounter on site, to preview/triage them.

The following are tips for higher performance and better scalability (processing huge amounts of files), in no particular order:

  • The higher the CPU frequency, the better.

  • The presence of multiple processor cores is utilized by the application in many situations: Disk imaging, disk cloning, indexing, logical searches (currently in v19.x up to 8 threads) and volume snapshot refinement (also up to 8 threads).

  • Refining volume snapshots of different evidence objects in parallel to better utilize multiple processor cores is possible if you open the same case (the same copy of the .xfc file) in multiple instances of the program (in “Allow distributed analysis work and volume snapshot refinement” mode). That makes most sense if these evidence objects are not stored on the same hard disk.

  • On a terminal server with multiple users or generally when running multiple instances on the same machine, even more cores and more RAM make sense, also for the 32-bit edition.

  • Use a 64-bit Windows version. If you must use a 32-bit version, run Windows with the /3GB switch.

  • Use > 4 GB of RAM. 4 GB can be addressed directly by the 32-bit edition of X-Ways Forensics under 64-bit Windows, 3 GB under 32-bit Windows. More RAM in 32 bit still helps indirectly thanks to caching in Windows. The 64-bit edition can use more memory directly, of course. The more RAM can be used directly, the larger volume snapshots are supported (i.e. evidence objects with millions of files), the more evidence objects with large volume snapshots can be open at the same time, the more data of a volume snapshot can be held in memory and the more search hits can be maintained.

  • With the 32-bit edition of X-Ways Forensics, analyzing a partition with for example 25 million objects (files and directories) is no problem as long as you are using a 64-bit Windows. For even bigger volume snapshots or if you would like to keep several evidence objects with such big volume snapshots open at the same time, please rather use the 64-bit edition of X-Ways Forensics.

  • Under low memory conditions with large volume snapshots, have XWF keep less data in memory (see Volume Snapshot Options) and don't open many evidence objects that contain many files at the same time if you don't have to (volume snapshot refinements and simultaneous searches can open the evidence objects themselves on demand when needed, except for Windows dynamic disks or Linux LVM2 disks with spanned volumes, and automatically close them again).

  • Do not permanently and unnecessarily collect millions of search hits. If you get too many search hits with too unspecific search terms, delete search hits that you don't need any more, to free up memory.

  • If possible, don't store cases and images on the same disk.

  • If possible, don't store temporary files and images on the same disk.

  • Use faster disks, with a higher data transfer rate and quicker access.

  • High quality SSDs are better, of course.

  • Store images on a RAID instead of on a disk, for a higher transfer rate.

  • Avoid using media that are connected via USB.

  • Format your own volumes with NTFS, not FAT.

  • Don't use NTFS encryption (EFS) or NTFS compression.

  • Use a large cluster size such as 16 KB or more for the volume that will hold your images. 

  • Don't use compressed .e01 evidence files created with tools other than X-Ways Forensics (avoid normal or strong compression).

  • Avoid an active virus scanner in the background if you can.

  • For indexing, don't include more characters and shorter or longer word lengths than absolutely necessary. Don't index substrings unless absolutely necessary.

Differences between WinHex and X-Ways Forensics, co-existence between both programs

WinHex and X-Ways Forensics share the same code base. X-Ways Forensics offers numerous additional features over WinHex with a license. With a license for X-Ways Forensics, you can alternatively also use WinHex with the same license (and the same dongle). Simply copy xwforensics[64].exe within the same directory and name the copy winhex[64].exe. Both programs then offer the same full forensic feature set and are identical except for the following:

  • WinHex (winhex.exe) always identifies itself as WinHex in the user interface, X-Ways Forensics (xwforensics.exe) as X-Ways Forensics. The program help and the manual, however, statically refer to "WinHex" in most cases.

  • In X-Ways Forensics, disks, interpreted image files, virtual memory, and physical RAM are strictly opened in view mode (read-only) only, to enforce forensic procedures, where no evidence must be altered in the slightest. This strict write protection of X-Ways Forensics ensures that no original evidence can possibly be altered accidentally, which can be a crucial aspect in court proceedings. Only when you are not bound by strict forensic procedures and/or need to work more aggressively on disks or images (e.g. to repair a boot sector) would you run WinHex instead. With WinHex you can edit disk sectors and wipe entire hard disks, free space, or slack space.

Setup Program

It is not necessary to install WinHex/X-Ways Forensics/X-Ways Investigator using the supplied setup.exe program. In fact, this installation program itself recommends ignoring it. It only copies the shipped files to the destination folder (plus all .whs files it finds), sets the desired language (English, German, French, Spanish, Italian, or Portuguese), and creates a program shortcut in the start menu. All other settings are initialized by winhex.exe/xwforensics.exe itself. WinHex/X-Ways Forensics/X-Ways Investigator are fully portable applications that can be executed from a USB stick on any computer without any installation.

When updating an existing installation of a non-dongle-based product, the setup program will warn you in case the new version would no longer accept the existing license codes, before actually overwriting the existing installation.

Configuration File
(v17.0 and later)

The WinHex.cfg file contains the settings (options, filters, paths, ...). It is created by WinHex/X-Ways Forensics/X-Ways Investigator automatically when run for the first time, and maintained either a) in the installation directory or b) in a subdirectory of \AppData\Local\X-Ways in the user profile. b) is used as the storage location if 1) WinHex.cfg already exists in that directory, 2) the installation directory is located on the C: drive and is write-protected for the user, or 3) a file named winhex.user or (from v18.7 SR-7) named winhex.user.[username] is present in the installation directory. If only a generic WinHex.cfg file exists (in the installation directory), not a user-specific one (in the subdirectory of the user profile), yet the use of user-specific/individual configurations is indicated by 2) or 3), the generic file will be used to initialize the settings of all those users who do not (yet) have an individual WinHex.cfg file. If no configuration file is found at all, the configuration is initialized with default values.

These default values may be language-specific. The default language is English. To force WinHex/X-Ways Forensics to initialize itself with a different language, create an empty file named winhex.ger, winhex.fr, winhex.esp, winhex.ita, or winhex.por in the installation directory. By default, WinHex/X-Ways Forensics/X-Ways Investigator store all data in the directory where the .exe file is located, so that the program is fully portable and to prevent unnecessary alteration of the system that is examined. As mentioned above, you can create an empty file named winhex.user to force user-specific configurations. From v17.3 you can create an empty file named winhex.nouser to force a generic configuration (for example for portable use on a USB disk).

Configuration File
(v16.9 and older)

The WinHex [username].cfg file is located either in the installation directory or in a subdirectory of the virtual store (32-bit edition only, under Windows Vista and newer). The optional insertion of the username (supported as of v13.2 SR-5) guarantees that different users can share the same installation but have individual settings. Note that there must be a space character before the username. If a generic file WinHex.cfg exists (i.e. without a username), that file will be used instead for all users who do not have an individual .cfg file. If no configuration file is found at all, the configuration is initialized with default values. To force WinHex/X-Ways Forensics to use user-specific configuration files, create an empty file named winhex.user in the installation directory (as of v16.9 SR-1).

Registry Configuration
(v9.5 and later)

Alternatively, each user can have an individual configuration (own case folder, own folder for image files, and all other settings) in his/her system registry. That way the usage of the WinHex*.cfg files is avoided altogether.

To that end, simply create an empty file named winhex.rgt in the installation folder. If this file is found during startup, WinHex reads the configuration from the local registry instead of a .cfg file. Only if the local registry key does not yet exist, WinHex tries to read an existing winhex [username].cfg file in the installation folder. If this file does not exist either, WinHex starts with initialized settings. At any rate, if a file winhex.rgt is found when exiting, WinHex writes the configuration to the local registry. 

The registry configuration feature is available as of WinHex v9.5.
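
As an added example (not X-Ways code), the following Python script audits an installation directory against the configuration rules above for v17.0 and later together with the winhex.rgt registry marker: it reports which configuration storage will be used, whether a generic WinHex.cfg will seed users who have none yet, which language marker is set, and flags directories where more than one forcing marker is present, since the page states no precedence among them. The write-protection check uses os.access as an approximation of rule 2, and build_demo_install creates a constructed scratch folder for trying it out.

```python
import os
import tempfile
from pathlib import Path

# Empty marker files named on this page that select the user-interface language.
LANGUAGE_MARKERS = {"winhex.ger": "German", "winhex.fr": "French", "winhex.esp": "Spanish",
                    "winhex.ita": "Italian", "winhex.por": "Portuguese"}


def audit_install(install_dir, username, profile_cfg_exists=False):
    """Report which configuration storage the files in install_dir select.
    profile_cfg_exists (rule 1) is supplied by the caller because the user's
    \\AppData\\Local\\X-Ways folder lies outside the installation directory."""
    d = Path(install_dir)
    names = {p.name.lower() for p in d.iterdir() if p.is_file()}
    on_c_drive = os.path.splitdrive(str(d.resolve()))[0].upper() == "C:"
    write_protected = not os.access(d, os.W_OK)  # approximation of rule 2
    user_marker = ("winhex.user" in names
                   or f"winhex.user.{username}".lower() in names)  # rule 3
    registry = "winhex.rgt" in names          # settings in the local registry
    force_generic = "winhex.nouser" in names  # forces a generic WinHex.cfg
    reasons = []  # conditions under which a user-specific WinHex.cfg is used
    if profile_cfg_exists:
        reasons.append("WinHex.cfg already exists in the user profile")
    if on_c_drive and write_protected:
        reasons.append("installation directory on C: is write-protected")
    if user_marker:
        reasons.append("winhex.user marker present")
    # The page states no precedence among these three markers, so a deployment
    # that sets more than one is reported as a conflict rather than guessed.
    markers = [m for m, on in (("winhex.rgt", registry), ("winhex.nouser", force_generic),
                               ("winhex.user", user_marker)) if on]
    if len(markers) > 1:
        mode = "conflict"
    elif registry:
        mode = "registry"
    elif force_generic:
        mode = "generic"
    else:
        mode = "user-specific" if reasons else "generic"
    return {"mode": mode, "reasons": reasons,
            "conflicts": markers if mode == "conflict" else [],
            # a generic WinHex.cfg in the install dir seeds users who have none yet
            "seeds_new_users": mode == "user-specific" and "winhex.cfg" in names,
            "language": next((lang for f, lang in LANGUAGE_MARKERS.items()
                              if f in names), "English (default)")}


def build_demo_install(files):
    """Create a scratch directory holding the given empty files (constructed input)."""
    d = Path(tempfile.mkdtemp(prefix="xwf_demo_"))
    for f in files:
        (d / f).touch()
    return d
```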

Compatibility of different versions and configurations

Different versions may be installed in different directories at the same time and have their own configurations. Multiple installations of the same version in different directories are also possible, to run different configurations. Note that in both cases, if the configuration is user-specific, the installations must reside in directories with different names to keep their configurations separate.

New versions may be copied/installed over older versions, but never the other way around. WinHex with a forensic license and X-Ways Forensics (if exactly the same release) may and shall share the same installation directory and use many identical files. The 32-bit and the 64-bit edition (if exactly the same release) may and shall also share the same installation directory. You must not mix and run .exe files of different versions in the same directory.

Case Data Storage

Knowing what is stored in which file using which storage technology enables you to optimize your backup strategy and may allow you to partially or fully recover your case if you suffer data loss (e.g. your case file or volume snapshot becomes corrupt). For example, if you have already spent a long time refining the volume snapshot, tagging and adding comments to files, and then the main .xfc case file is lost, you can create a new case, add the same images again, and then behind XWF's back (when it's not running, or that case is not open, or at least the evidence object is not open) replace the files in the "_" subdirectory of the evidence object(s) with those from the original case to restore the volume snapshots, comments and tagmarks.

Name in v16              Name in v17         Storage specialty                                    Purpose
-----------------------  ------------------  ---------------------------------------------------  ------------------------------------------------------------
Volume Files.dir         Main 1              *                                                    main volume snapshot data (e.g. file size, file ID, type status, attributes, tagged status, already viewed status, ...), always in memory
Volume Files 2.dir       Main 2              *                                                    main volume snapshot data (e.g. start sector number, hard link count, skin color percentage, ...), optionally held in memory
Volume Files 3.dir       Main 3              *                                                    main volume snapshot data (timestamps), optionally held in memory
Volume Clusters.dir      Clusters            NTFS compression, *                                  allocation of the clusters of the file system to the files
Volume Comments.dir      Comments            *                                                    examiner's comments
Volume Extensions.dir    Types               *                                                    file types encountered
Volume Extra.dir         Xtra                *                                                    references into SenRec.dir, data runs for certain recovered files, and more
Volume Filenames.dir     Names               *                                                    names of files and directories
Volume Hash Values.dir   Hash Values         *                                                    hash values
Volume Matches.dir       Matches             *                                                    hash set matches
Volume Metadata.dir      Metadata            *                                                    metadata extracted from the file contents
Volume Search Hits.dir   Search Hits         *                                                    search hits
Events.dir               Events 1            *                                                    event main data (timestamps, type of event, corresponding file in the volume snapshot)
EvDescr.dir              Events 2            *                                                    event variable length text
Decoded Text.dir         Decoded             *                                                    decoded text from various files for logical searches and indexing
Bitmap.dir               Bitmap              NTFS compression, *                                  bitmap of clusters by which free space is optionally reduced
External subdirectory    External            Temporary preallocation to prevent fragmentation, *  extracted files (e-mail messages, attachments, video stills, attached files)
n/a                      Control             NTFS sparse, *                                       internal use
n/a                      Relations           NTFS sparse, *                                       internal use
Index subdirectory       Index subdirectory  variable, *                                          index
SenRec.dir               SenRec.dir                                                               sender and recipients of e-mail encountered in the case
.xfc case file           .xfc case file                                                           everything else, e.g. report table names, report table associations, evidence object properties, search terms that the search hits relate to, ...

* NTFS "not indexed" attribute set (the file is excluded from Windows content indexing)
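
As an added example that is not part of X-Ways Forensics, the Python script below implements the backup side of the recovery described above: backup_case copies the .xfc case file(s) and every evidence object's "_" subdirectory to a backup folder and writes a SHA-256 manifest, and verify_backup re-checks that manifest later so a silently corrupted backup is noticed before it is needed. It assumes each evidence object folder sits directly below the case folder with its snapshot files in a subdirectory named "_"; build_demo_case constructs a small sample tree using the v17 names from the table, and the manifest file name manifest.sha256 is this example's own choice.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def backup_case(case_dir, backup_dir):
    """Copy the .xfc case file(s) and every evidence object's "_" subdirectory
    (volume snapshot, comments, tagmarks, ...) into backup_dir and return a
    {relative path: sha256} manifest of what was copied."""
    case_dir, backup_dir = Path(case_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    wanted = list(case_dir.glob("*.xfc"))
    # Assumption: each evidence object folder lives directly under the case
    # folder and keeps its volume snapshot files in a subdirectory named "_".
    for obj in case_dir.iterdir():
        if obj.is_dir() and (obj / "_").is_dir():
            wanted += [p for p in (obj / "_").rglob("*") if p.is_file()]
    manifest = {}
    for src in wanted:
        rel = src.relative_to(case_dir)
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves timestamps
        manifest[rel.as_posix()] = hashlib.sha256(dst.read_bytes()).hexdigest()
    # sha256sum-style manifest: "<digest>  <relative path>" per line
    (backup_dir / "manifest.sha256").write_text(
        "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items())))
    return manifest


def verify_backup(backup_dir):
    """Re-hash the backed-up files against manifest.sha256; return the paths
    that are missing or whose content no longer matches."""
    backup_dir = Path(backup_dir)
    bad = []
    for line in (backup_dir / "manifest.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        f = backup_dir / rel
        if not f.is_file() or hashlib.sha256(f.read_bytes()).hexdigest() != digest:
            bad.append(rel)
    return bad


def build_demo_case():
    """Construct a small sample case tree with v17 file names (constructed input)."""
    root = Path(tempfile.mkdtemp(prefix="xwf_case_"))
    (root / "Case.xfc").write_bytes(b"constructed case file")
    snap = root / "Image1" / "_"
    snap.mkdir(parents=True)
    for name in ("Main 1", "Comments", "Names"):
        (snap / name).write_bytes(f"constructed {name}".encode())
    # a stray file outside "_" that the backup must leave alone
    (root / "Image1" / "scratch.tmp").write_bytes(b"not part of the snapshot")
    return root
```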

 
Program Files

Some notes about files that come with WinHex and/or X-Ways Forensics:

  • winhex.exe/xwforensics.exe (main executable file, 32-bit edition)
  • winhex64.exe/xwforensics64.exe (main executable file, 64-bit edition)
  • DevIL.dll, ILU.dll, ILUT.dll (required only for picture viewing)
  • Chinese.* (required for the Chinese user interface only)
  • index*.txt (used for indexing in X-Ways Forensics)
  • indexer*.exe (used for indexing and index searches in X-Ways Forensics)
  • zlib1.dll
  • zip.dll (required only for archive handling)
  • rar.dll (required only for RAR archive handling)
  • zip.exe (required only for case backups)
  • hash.dll (for faster hash computation)
  • dialogs.dat (dialog resources)
  • language.dat (string resources)
  • timezone.dat (time zone definitions)
  • decode.dat (used for crash-safe text decoding, two separate files, for the 32-bit and 64-bit edition)
  • winhex*.chm (program help)
  • File Type Signatures *.txt (file type signature definitions)
  • File Type Categories.txt (file category definition file)
  • Reg Report *.txt (definitions for the registry report function)
  • *.tpl (various sample template definition files)
  • *.whs (various sample scripts, as of v10.0)
  • ...

You can delete files for functionality that is not required. For example, if you get false generic virus alerts about the small 32-bit decode.dat file and you are using the 64-bit edition of X-Ways Forensics, you can simply delete the 32-bit decode.dat file. Also, you are hereby given permission to submit the decode.dat file to the manufacturer of your anti-virus tool if you get a warning, so that future signature updates no longer flag the file as suspicious.

Viewer Component

The viewer component has to be downloaded and decompressed separately. It is expected by default in the subfolder \viewer of the installation folder (as of v12.1).

Hash Database

A hash database does not ship with X-Ways Forensics. By default, an internal hash database found in the subfolder \HashDB of the installation folder will be automatically activated in X-Ways Forensics.

MPlayer

The program MPlayer can be used in X-Ways Forensics and X-Ways Investigator to watch video files and extract JPEG stills from them (since v14.8). It is expected in the subfolder \mplayer of the installation folder. The separate codec package should be extracted to the subfolder \codecs of the MPlayer installation.

Required Non-Shipped Files

For use of the WinHex API (WinHex 10.1 and later) in a programming language such as C/C++, Pascal, or Visual Basic, some other files are needed.

For direct access to CD-ROM sectors under Windows 9x/Me, the ASPI interface must be installed (wnaspi32.dll). This file is available from the Windows setup CD-ROM. However, it should already exist on most Windows installations.

WinHex does not require a specific version of comctl32.dll. WinHex does not rely on the presence of any runtime library (e.g. msv*.dll).

Disk Editing

Editing/writing hard disk sectors under Windows NT/2000/XP/Vista/7 requires administrator privileges. Under Windows Vista/7 it is not sufficient to simply be logged in as an administrator. Instead, you need to explicitly run WinHex as administrator.

Bart's PE Builder

This package contains all necessary configuration files and instructions for BartPE.