WinHex/X-Ways Forensics: Administration Tips
The following information shall help you tailor your installation of WinHex/X-Ways Forensics or automate the installation on multiple machines (e.g. in a network). Please consider the license agreement and the number of licenses purchased.
WinHex/X-Ways Forensics/X-Ways Investigator are not resource hungry at all. You can execute these programs on old computers running Windows XP, with just 256 MB RAM and 1 GB free hard disk space. With just 512 MB RAM you can already open and analyze volumes with around 5 million files! (It will not be fast, but it works.) Good to know if you ever have to run it on old live systems that you encounter on site, to preview/triage them.
The following are tips for higher performance and better scalability (processing huge amounts of files), in no particular order:
|Differences between WinHex and X-Ways Forensics, co-existence between both programs||
WinHex and X-Ways Forensics share the same code base. X-Ways Forensics offers numerous additional features over WinHex with a license. With a license for X-Ways Forensics, you can alternatively also use WinHex with the same license (and the same dongle). Simply copy xwforensics.exe within the same directory and name the copy winhex.exe. Both programs then offer the same full forensic feature set and are identical except for the following:
It is not necessary to install WinHex/X-Ways Forensics/X-Ways Investigator using the supplied setup.exe program. In fact this installation program itself recommends to ignore it. It only copies the shipped files to the destination folder (plus all .whs files it finds), sets the desired language (English, German, French, Spanish, Italian, or Portuguese), and creates a program shortcut in the start menu. All other settings are initialized by winhex.exe/xwforensics.exe itself. WinHex/X-Ways Forensics/X-Ways Investigator are fully portable applications that can be executed from a USB stick on any computer without any installation.
When updating an existing installation of a non-dongled based products, the setup program will warn you in case the new version would no longer accept the existing license codes, before actually overwriting the existing installation.
(v17.0 and later)
The WinHex.cfg file contains the settings (options, filters, paths, ...). It is created by WinHex/X-Ways Forensics/X-Ways Investigator automatically when run for the first time, and maintained either a) in the installation directory or b) in a subdirectory of \AppData\Local\X-Ways in the user profile. b) is used as the storage location if 1) WinHex.cfg already exists in that directory, 2) the installation directory is located on the C: drive and is write-protected for the user, or 3) a file named winhex.user or (from v18.7 SR-7) named winhex.user.[username] is present in the installation directory. If only a generic file WinHex.cfg exists (in the installation directory), not a user-specific one (in the subdirectory of the user profile), yet usage of a user-specific/individual configurations is indicated by 2) or 3), the generic file will be used to initialize the settings of all those users who do not (yet) have an individual WinHex.cfg file. If no configuration file is found at all, the configuration is initialized with default values.
These default values may be language-specific. The default language is English. To force WinHex/X-Ways Forensics to initialize itself with a different language, create an empty file named winhex.ger, winhex.fr, winhex.esp, winhex.ita, or winhex.por in the installation directory when no WinHex.cfg file exists yet. By default, WinHex, X-Ways Forensics, and X-Ways Investigator store all data in the directory where the .exe file is located so that the program is fully portable and prevents unnecessary alteration of the system that is examined when run on such a live system. As mentioned above, you can create an empty file named winhex.user to force user-specific configurations. From v17.3 you can create an empty file named winhex.nouser to force a generic configuration (for example for portable use on a USB disk). A user-specific configuration means that various user-specific files are stored and expected in a special subdirectory of the user's profile directory. A user-specific configuration is unavoidable if the program cannot create any files in the installation directory because of missing write permissions.
(v16.9 and older)
The WinHex [username].cfg file is located either in the installation directory or in a subdirectory of the virtual store (32-bit edition only, under Windows Vista and newer). The optional insertion of the username (supported as of v13.2 SR-5) guarantees that different users can share the same installation but have individual settings. Note that there must be a space character before the username. If a generic file WinHex.cfg exists (i.e. without a username), that file will be used instead for all users who do not have an individual .cfg file. If no configuration file is found at all, the configuration is initialized with default values. To force WinHex/X-Ways Forensics to use user-specific configuration files, create an empty file named winhex.user in the installation directory (as of v16.9 SR-1).
(v9.5 and later)
Alternatively, each user can have an individual configuration (own case folder, own folder for image files, and all other settings) in his/her system registry. That way the usage of the WinHex*.cfg files is avoided altogether.
To that end, simply create an empty file named winhex.rgt in the installation folder. If this file is found during startup, WinHex reads the configuration from the local registry instead of a .cfg file. Only if the local registry key does not yet exist, WinHex tries to read an existing winhex [username].cfg file in the installation folder. If this file does not exist either, WinHex starts with initialized settings. At any rate, if a file winhex.rgt is found when exiting, WinHex writes the configuration to the local registry.
The registry configuration feature is available as of WinHex v9.5.
|Compatibility of different versions and configurations||
Different versions may be installed in different directories at the same time and have their own configurations. Also multiple installations of the same version in different directories are possible, to run different configurations. Note that in both cases to ensure different configuration, if the configuration is user-specific, multiple installations must be contained in directories of different names.
New versions may be copied/installed over older versions, but never the other way around. WinHex with a forensic license and X-Ways Forensics (if exactly the same release) may and shall share the same installation directory and use many identical files. The 32-bit and the 64-bit edition (if exactly the same release) may and shall also share the same installation directory. You must not mix and run .exe files of different versions in the same directory.
|Case Data Storage||
Knowing about what is stored in which file using which storage technology enables you to optimize your backup strategy and may allow you to partially or fully recover your case if you suffer from data loss (e.g. your case file or volume snapshot becomes corrupt). For example, if you spent a long time already refining the volume snapshot, tagging and adding comments to files, and then the main .xfc case file is lost, you can create a new case, add the same images again, and then behind XWF's back (when it's not running or that case is not open or at least the evidence object is not open) replace the files the "_" subdirectory of the evidence object(s) with those from the original case to restore the volume snapshots, comments and tagmarks.
*NTFS not indexed
Some notes about files that come with WinHex and/or X-Ways Forensics:
You can delete files for functionality that is not required. For example, if you get false generic virus alerts about the small 32-bit decode.dat file and you are using the 64-bit edition of X-Ways Forensics, you can simply delete the 32-bit decode.dat file. Also, you are hereby given permission to submit the decode.dat file to the manufacturer of your anti-virus tool if you get a warning, so that future signature updates no flag the file as suspicious.
viewer component has be downloaded
and decompressed separately. It is expected by default in the subfolder
\viewer of the installation folder (as of v12.1).
A hash database does not ship with X-Ways Forensics. By default, an internal hash database found in the subfolder \HashDB of the installation folder will be automatically activated in X-Ways Forensics.
|MPlayer||The program MPlayer can be used in X-Ways Forensics and X-Ways Investigator to watch and extract JPEG pictures from video files since v14.8. It is expected in the subfolder \mplayer of the installation folder.|
Editing/writing hard disk sectors in NT-based Windows versions requires administrator privileges. Under Windows Vista and later it is not sufficient to be simplified logged in as administrator. Instead, you need to explicitly run WinHex as administrator.
|Required Non-Shipped Files||
For use of the WinHex API (WinHex 10.1 and later) in a programming language such as C/C++, Pascal, or Visual Basic, some other files are needed. Details
For direct access to CD-ROM sectors under Windows 9x/Me, the ASPI interface must be installed (wnaspi32.dll). This file is available from the Windows setup CD-ROM. However, it should already exist on most Windows installations.
WinHex does not require a specific version of comctl32.dll. WinHex does not rely on the presence any runtime library (e.g. msv*.dll).
|Bart's PE Builder||
This package contains all necessary configuration files and instructions for BartPE.