WinHex PowerPoint Presentation


Presentation Transcript

  1. WinHex A powerful data recovery and forensic tool

  2. What is a Hex Editor?
  • A hex editor is a program that allows you to edit compiled programs and binary data files.
  • A hex editor is capable of completely displaying the contents of every file type. Unlike a text editor, a hex editor even displays control codes (e.g. linefeed and carriage-return characters) and executable code, representing each byte as a two-digit hexadecimal number.

  3. What is WinHex?
  • WinHex is a powerful application that you can use as an advanced hex editor and file viewer, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering and IT security.

  4. Forensic Features
  • Case Management
    • It offers complete case management, automated log and report file generation.
  • Evidence Objects
    • You may add any currently attached computer medium (such as hard disk, memory card, USB stick, CD-ROM, DVD, ...), any image file, or any ordinary file to the active case.
  • Log & Report Feature
    • WinHex obstinately logs all activities performed while the case is open. That allows you to easily track, reproduce, and document the steps you have followed to reach a certain result.
  • Report Tables
    • A report table is a user-defined (virtual) list of files. Files associated with report tables can then be easily included in the case report with all their metadata and even links.

  5. Forensic Features cont.
  • Volume Snapshots
    • A volume snapshot is a database of the contents of a volume at a given point in time. A volume snapshot usually references both existing and previously existing (e.g. deleted) files, as well as virtual (artificially defined) files.
  • Directory Browser
    • Resembles the Windows Explorer's right-hand list; its main task is to display (and interact with) the volume snapshot. The directory browser also lists deleted files and directories.
  • Internal Viewer
    • It shows picture files of various file formats, the structure of Windows registry files, Windows Event Logs, Windows shortcut files (.lnk), Windows Prefetch files, $LogFiles, and AOL PFC files internally.
  • Simultaneous Search
    • This search is simultaneous in that it allows the user to specify a virtually unlimited list of search terms, one per line.

  6. Forensic Features cont.
  • Logical Search
    • Powerful subvariant of the simultaneous search. Allows searching either all files, all existing and fictitious files (which includes all free space), or all tagged files or slack space.
  • Search Hit Lists
    • The directory browser can show search hits.
  • Search Term List
    • The search term list contains all the search terms ever used for conventional (non-index) searches in the case, plus those index search terms for which index search hits have been permanently saved.
  • Indexing, Index Search
    • Creates indexes of all words in all or certain files in the volume snapshot, based on characters you provide, using the Unicode character set and/or up to two code pages that you select.

  7. Forensic Features cont.
  • Hash Database
    • The internal hash database, once created, consists of 257 binary files with the extension .xhd (X-Ways Hash Database). It is up to you to decide which hash type the database is built around (MD5, SHA-1, SHA-256, ...).
  • Time Zone Concept
    • X-Ways Forensics employs its own logic, not Windows', for converting UTC to local filetimes. It displays timestamps independently of the time zone selected in the examiner's system's Control Panel.
  • Evidence File Containers
    • An evidence file container is a raw image file formatted with the XWFS file system.

  8. Other Features
  • Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
  • Built-in interpretation of RAID systems and dynamic disks
  • Various data recovery techniques
  • RAM editor, providing access to physical RAM and other processes' virtual memory

  9. Other Features cont.
  • Data interpreter, knowing 20 data types
  • Editing data structures using templates (e.g. to repair partition table/boot sector)
  • Concatenating and splitting files, unifying and dividing odd and even bytes/words
  • Analyzing and comparing files
  • Particularly flexible search and replace functions

  10. Other Features cont.
  • Disk cloning (under DOS with X-Ways Replica)
  • Drive images & backups (optionally compressed or split into 650 MB archives)
  • Programming interface (API) and scripting
  • 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
  • Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy

  11. Other Features cont.
  • Import all clipboard formats, incl. ASCII hex values
  • Convert between binary, hex ASCII, Intel Hex, and Motorola S
  • Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
  • Supports files >4 GB. Very fast. Easy to use. Extensive online help.

  12. Data Recovery
  • File Recovery with the Directory Browser
    • Deleted files and directories that are listed in the directory browser can be recovered easily and selectively with the directory browser's context menu.
  • File Recovery by Type
    • This recovery method is also referred to as "file carving". It searches for files that can be recognized by a characteristic file header signature. WinHex can often detect whether recovered JPEG, GIF, and files of some other types are corrupt or incomplete. The algorithm tries to determine the original size of files of different types by examining their data structure, roughly limited by the user-supplied maximum size.
    • Technically it is possible to select as many file types for simultaneous recovery as you like.
    • File headers need to be searched only at cluster boundaries, as the beginning of a cluster is the only place where a file can start in a cluster-based file system.

  13. Data Recovery cont.
  • File Type Definitions
    • "File Type Signatures.txt" is a tab-delimited text file that serves as a file type definition database for contents tables and for the File Recovery by Type command.
    • WinHex comes with various preset file type signatures. You may fully customize the file type definitions and add your own, either in "File Type Signatures.txt" itself or in additional files of the same format named "File Type Signatures *.txt".
    • After editing the file type definitions, you need to invoke the File Recovery by Type command again.
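The carving procedure of slides 12 and 13 (header signatures from a tab-delimited definition table, header search only at cluster boundaries, a user-supplied maximum size, and flagging a file as incomplete when its trailer is missing) as an added example; this is illustrative code written for this page, not WinHex's own carver. The column layout of the signature table, the sample image, and the cluster size are assumptions constructed for the example.

```python
import hashlib

# Constructed stand-in for a tab-delimited signature table in the spirit of
# "File Type Signatures.txt". The column layout (name, extension, header hex,
# footer hex, max size) is an assumption for this example, not WinHex's format.
SIGNATURES_TXT = (
    "JPEG\tjpg\tFFD8FF\tFFD9\t65536\n"
    "GIF\tgif\t474946383961\t003B\t65536\n"
    "PNG\tpng\t89504E470D0A1A0A\t49454E44AE426082\t65536\n"
)

def parse_signatures(text):
    """Parse tab-delimited rows into signature dicts; skip blanks and '#' comments."""
    sigs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, ext, header, footer, max_size = line.split("\t")
        sigs.append({"name": name, "ext": ext, "header": bytes.fromhex(header),
                     "footer": bytes.fromhex(footer), "max_size": int(max_size)})
    return sigs

def carve(image, sigs, cluster_size=512):
    """Look for headers only at cluster boundaries and carve up to the footer
    or the maximum size; a missing footer marks the carved file as incomplete."""
    hits = []
    for offset in range(0, len(image), cluster_size):
        for sig in sigs:
            if not image.startswith(sig["header"], offset):
                continue
            window = image[offset:offset + sig["max_size"]]
            end = window.find(sig["footer"], len(sig["header"]))
            complete = end != -1
            data = window[:end + len(sig["footer"])] if complete else window
            hits.append({"type": sig["name"], "offset": offset, "size": len(data),
                         "complete": complete, "md5": hashlib.md5(data).hexdigest()})
    return hits

def build_sample_image(cluster_size=512):
    """Constructed 4-cluster image: a complete JPEG in cluster 0, a truncated GIF
    (no trailer) in cluster 2, and a JPEG header mid-cluster 3 that must be ignored."""
    img = bytearray(cluster_size * 4)
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    img[0:len(jpeg)] = jpeg
    gif = b"GIF89a" + b"G" * 40
    img[2 * cluster_size:2 * cluster_size + len(gif)] = gif
    img[3 * cluster_size + 7:3 * cluster_size + 10] = b"\xff\xd8\xff"
    return bytes(img)

if __name__ == "__main__":
    for hit in carve(build_sample_image(), parse_signatures(SIGNATURES_TXT)):
        print(hit)
```

The MD5 of each carved file is recorded so the result can be compared against a hash database, as slide 7 describes.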

  14. Data Recovery cont.
  • Manual Data Recovery
    • It is possible to restore lost or logically deleted files (or, more generally, data) that are merely marked as deleted in the file system but have not been physically erased (or overwritten).
    • Using the disk editor, the logical drive where the deleted file resided can be opened to retrieve the deleted file using various techniques.

  15. Acquire • Volume snapshot of Lexar Flash Drive

  16. Search • Simultaneous Search of Flash Drive.

  17. Analyze • Analyzing disc

  18. Summary
  • WinHex is an advanced universal hexadecimal editor, particularly utilized in the realm of computer forensics, data recovery, low-level data processing, and IT security; inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.
  • Features include:
    • Disk drive imaging
    • Create hashes and checksums
    • Search and replace
    • Wipe drives
    • Edit partition tables, boot sectors, and other data structures using templates
    • Join and split files
    • Analyze and compare files
    • Read and directly edit RAM
    • Runs in read-only mode (write blocker software)
    • Gather free and slack space