WinHex/X-Ways Forensics: Installation Details
The following information is intended to help you tailor your
installation of WinHex/X-Ways Forensics or automate the installation
on multiple machines (e.g. in a network). Please consider the
license agreement and
the number of licenses purchased.
|
|
| Platforms |
WinHex and X-Ways Forensics can be run
under Windows 2000/XP/2003 Server/Vista/2008 Server. Full functionality is supported only
on Windows 2000/XP/2003. No testing has been done under Windows 98/Me
for years, and compatibility with these Windows versions has gradually been lost
since around v12/v13. The last version to run on Windows 3.1x was v7.54. Old versions are
available to registered users on request. |
|
|
| Differences between WinHex and
X-Ways Forensics, co-existence between both programs |
WinHex and
X-Ways Forensics share the same code base. X-Ways Forensics offers numerous additional features over
WinHex with a license. With a license for X-Ways Forensics, you can
alternatively also use WinHex with the same license (and the same dongle).
Both programs then offer the same full forensic feature set and are identical except for the following:
- WinHex (winhex.exe) always identifies itself as WinHex
in the user interface, X-Ways Forensics (xwforensics.exe) as X-Ways
Forensics. The program help and the manual, however, statically refer to
"WinHex" in most cases.
- winhex.exe is available as a separate download for
users of X-Ways Forensics as an add-on. When adding winhex.exe to an
X-Ways Forensics installation, the versions must match, which is safe to
assume if both were downloaded at the same time.
- In X-Ways Forensics, disks, interpreted image files,
virtual memory, and physical RAM are always opened in view mode
(read-only), to enforce forensic procedures under which no evidence may
be altered in the slightest. This strict write protection of X-Ways
Forensics ensures that no original evidence can be altered
accidentally, which can be a crucial aspect in court proceedings. Only
when you are not bound by strict forensic procedures and/or need to work
more aggressively on disks or images (e.g. you have to repair a boot
sector) would you run WinHex instead. With WinHex you can edit disk
sectors and wipe entire hard disks, free space, or slack space.
- The WinHex API can
only be used in conjunction with WinHex.
|
|
|
| Setup Program |
Actually it is not necessary to
install WinHex/X-Ways Forensics using the supplied setup.exe program. This
installation program only copies the shipped files to the destination folder (plus all
.whx files it finds), sets the desired language (English, German, French, Spanish,
Italian, or Portuguese), and creates a program shortcut in the start menu. All other
settings are initialized by winhex.exe/xwforensics.exe itself.
However, it is recommended to use the setup program to update
an existing installation because it will warn you in case the new version would no longer
accept the existing license codes, before actually overwriting the fully working existing
installation. |
|
|
| Configuration File |
The winhex [username].cfg file is created by WinHex/X-Ways Forensics
automatically if no configuration file exists on program
execution. The insertion of the username (as of v13.2 SR-5) guarantees that
different users can share the same installation but have individual
settings. If a file winhex.cfg exists (i.e. without a username), as
typical for all versions up to v13.2 SR-4, that file will be used instead
for all users who do not have an individual .cfg file. If no configuration
file is found at all, the configuration is initialized with default values
that may be language-specific. The default language is English. To
force WinHex/X-Ways Forensics to initialize itself with a different language, create an
empty file winhex.ger, winhex.fr, winhex.esp, winhex.ita, or
winhex.por in the installation directory. |
|
|
| Registry Configuration |
Alternatively, each user can have an individual configuration
(own case folder, own folder for image files, and all other settings) in
his/her system registry. That way the usage of the winhex*.cfg files
is avoided altogether.
To that end, simply create an empty file named winhex.rgt in
the installation folder. If this file is found during startup, WinHex reads the configuration
from the local registry instead of a .cfg file. Only if the local registry key does not yet exist does WinHex
try to read an existing winhex [username].cfg file in the
installation folder. If this file does
not exist either, WinHex starts with initialized settings. At any rate, if a file winhex.rgt
is found when exiting, WinHex writes the configuration to the local registry.
The registry configuration feature is available as of
WinHex v9.5. |
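The lookup order described under Configuration File and Registry Configuration, written out as an added example (not code from X-Ways). It assumes that "[username]" is a placeholder for the Windows user name, takes the existence of the user's registry key as a parameter because the key path is not given here, and assumes the language marker files also apply when defaults are used in registry mode.

```python
# Added example: which configuration source WinHex/X-Ways Forensics would use
# for a given user, following the lookup order described above.

# Marker files named on the page and the language each one selects.
LANGUAGE_MARKERS = {
    "winhex.ger": "German",
    "winhex.fr": "French",
    "winhex.esp": "Spanish",
    "winhex.ita": "Italian",
    "winhex.por": "Portuguese",
}


def default_language(names):
    """Language used when the settings are initialized from defaults."""
    for marker, language in LANGUAGE_MARKERS.items():
        if marker in names:
            return language
    return "English"  # the page states English is the default


def resolve_config(files, username, registry_key_exists=False):
    """Return (source, detail) for a listing of the installation folder.

    files: file names present in the installation folder.
    registry_key_exists: whether this user's registry configuration already
    exists (a parameter, because the key path is not given on the page).
    """
    names = {f.lower() for f in files}  # Windows file names are case-insensitive
    # Assumption: "[username]" is a placeholder, i.e. "winhex <user>.cfg".
    user_cfg = f"winhex {username}.cfg".lower()

    if "winhex.rgt" in names:  # registry mode
        if registry_key_exists:
            return ("registry", username)
        if user_cfg in names:  # read at startup, written to the registry on exit
            return ("user_cfg", user_cfg)
        # Assumption: language markers also apply to defaults in registry mode.
        return ("defaults", default_language(names))

    if user_cfg in names:
        return ("user_cfg", user_cfg)
    if "winhex.cfg" in names:  # shared file, typical up to v13.2 SR-4
        return ("shared_cfg", "winhex.cfg")
    return ("defaults", default_language(names))
```

On a shared forensic workstation this shows that a leftover winhex.cfg silently supplies settings, including the case folder, to every user without an individual file, and that it is ignored once winhex.rgt is present.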
|
|
| Program Files |
The following files are
required for proper functioning:
- winhex.exe/xwforensics.exe (main executable file)
- external.dll (required for some types of direct hard disk and
floppy disk access)*
- psapi.dll (required only for using the RAM editor under Windows
NT/2000/XP)*
- hi.dll (required only for picture viewing, shipped with X-Ways
Forensics only, until v13.7)*
- DevIL.dll (required only for picture viewing, shipped with X-Ways
Forensics only, since v13.7)
- Chinese.dat, Chinese2.dat (required for the
Chinese user interface only, since v13.7)*
- index*.txt (used for indexing in X-Ways
Forensics)
- zlib1.dll (since v13.7)
- zip.dll (required only for archive handling, shipped with X-Ways
Forensics only, as of v11.7)*
- rar.dll (required only for RAR archive handling, shipped with
X-Ways Forensics only, as of v11.7)*
- zip.exe (required only for case backups, shipped with X-Ways
Forensics only, as of v12.8)*
- hash.dll (required only for
faster hash computation, shipped with X-Ways
Forensics, downloadable separately for WinHex here,
requires a professional license or higher, as of v12.9)*
- m.dat (X-Ways Forensics only)
- nfi.exe (v9.7 through v10.7 only)
- dialogs.dat (dialog resources, all languages)
- language.dat (string resources, all languages)
- EBCDIC.dat (EBCDIC character set support, as of v9.26)*
- timezone.dat (flexible time zone
interpretation feature, as of v12.8)*
- winhex.hlp, winhex.cnt (English program help)*
- winhex-d.hlp, winhex-d.cnt (German program help)*
- winhex-f.hlp, winhex-f.cnt (French program help)*
- File Type Signatures.txt (file type definition file for file
recovery by type, as of v11.2)*
- File Type Categories.txt (file category definition file for
category view, shipped with X-Ways Forensics only, as of v11.5)*
- Reg Report [Keys].txt (definitions for the registry report
function, shipped with X-Ways Forensics only, as of v11.5)*
- *.tpl (various sample template definition files)*
- *.whs (various sample scripts, as of v10.0)*
*The files marked with an asterisk are not required if the specified
functionality is not needed. |
|
|
| Viewer Component / Hash Database |
The viewer component has to be downloaded
and decompressed separately. It is expected by default in the subfolder
\viewer of the installation folder (as of v12.1).
A hash database does
not ship with X-Ways Forensics. By default, an internal hash database found in the
subfolder \HashDB of the installation folder will be automatically activated in
X-Ways Forensics. |
|
|
| MPlayer / Forensics Framer |
The program
MPlayer can be used
in X-Ways Forensics and X-Ways Investigator to watch and extract JPEG
pictures from video files since v14.8. It is expected in the subfolder
\mplayer of the installation folder. The separate codec package should be
extracted to the subfolder \codecs of the MPlayer installation.
Alternatively, the program
Forensic Framer can be used to
extract JPEG pictures from video files. It contains MPlayer. |
|
|
| Required Non-Shipped Files |
For use of the WinHex API
(WinHex 10.1 and later) in a programming language such as C/C++, Pascal, or Visual Basic,
some other files are needed. Details
For direct access to CD-ROM sectors under Windows 9x/Me,
the ASPI interface must be installed (wnaspi32.dll). This file is available from
the Windows setup CD-ROM. However, it should already exist on most Windows installations.
WinHex does not require a specific version of comctl32.dll.
WinHex does not rely on the presence of any runtime library (e.g. msv*.dll).
|
|
|
| Bart's PE Builder |
This package contains all necessary configuration files and instructions for BartPE.
|
|
|
| Disk Editing |
Editing hard disk sectors
under Windows NT/2000/XP requires administrator privileges. Under Windows 9x/Me, there is
no such restriction. |
|
|