WinHex/X-Ways Forensics: Installation Details

The following information shall help you tailor your installation of WinHex/X-Ways Forensics or automate the installation on multiple machines (e.g. in a network). Please consider the license agreement and the number of licenses purchased.

Platforms

WinHex and X-Ways Forensics can be run under Windows 2000/XP/2003 Server/Vista/2008 Server/7, 32-bit and 64-bit. No testing has been done under Windows 2000 or Windows 98/Me for years, and compatibility with Windows 98/Me has been lost gradually since around v12/v13. The last version to run on Windows 3.1x was v7.54. Old versions are available to registered users on request.

System optimization

WinHex/X-Ways Forensics/X-Ways Investigator are not resource hungry at all! You can execute these programs on old computers running Windows 2000, with 256 MB RAM and 1 GB free hard disk space. With just 512 MB RAM you can already open and analyze volumes with around 5 million files!

The following are tips for highest performance, in no particular order:

  • The higher the processor frequency, the better.

  • 2 processor cores are better than 1, 4 better than 2, in many situations.

  • Use a 64-bit Windows version. If you use a 32-bit version, run Windows with the /3GB switch.

  • Use > 4 GB of RAM. 4 GB can be addressed directly under 64-bit Windows, 3 GB under 32-bit Windows. More can be addressed indirectly.

  • Within the above limits, the more RAM, the larger volume snapshots are supported (i.e. volumes with many files). Under low memory conditions with large volume snapshots, have XWF keep less data in memory (see Volume Snapshot Options).

  • On a terminal server with multiple users, even more cores and more RAM make sense.

  • Don't store cases and images on the same disk. 

  • Use faster disks, with a higher data transfer rate and quicker access.

  • Store images on a RAID instead of on a disk, for a higher transfer rate.

  • Format your own volumes with NTFS, not FAT.

  • Don't use NTFS encryption (EFS) or NTFS compression.

  • Use a large cluster size such as 16 KB or more for the volume that will hold your images. 

  • Don't use compressed .e01 evidence files created with tools other than X-Ways Forensics (avoid normal or strong compression).

  • Avoid an active virus scanner in the background if you can.

  • Don't select all file types for file carving (file header signature search) if you don't have to.

  • For simultaneous searches, use GREP syntax instead of the simple wildcard option.

  • For indexing, don't include more characters and shorter or longer word lengths than absolutely necessary. Don't index substrings unless absolutely necessary.

  • Defragment the hard disks to analyze before imaging them. OK, this one was a joke. Rumour has it that a well-known company in the US actually did this a few years ago.

Differences between WinHex and X-Ways Forensics, co-existence between both programs

WinHex and X-Ways Forensics share the same code base. X-Ways Forensics offers numerous additional features over WinHex with a license. With a license for X-Ways Forensics, you can alternatively also use WinHex with the same license (and the same dongle). Both programs then offer the same full forensic feature set and are identical except for the following:

  • WinHex (winhex.exe) always identifies itself as WinHex in the user interface, X-Ways Forensics (xwforensics.exe) as X-Ways Forensics. The program help and the manual, however, statically refer to "WinHex" in most cases. 
  • winhex.exe is available as a separate download for users of X-Ways Forensics as an add-on. When adding winhex.exe to an X-Ways Forensics installation, the versions must match, which is safe to assume if both were downloaded at the same time.
  • In X-Ways Forensics, disks, interpreted image files, virtual memory, and physical RAM are strictly opened in view mode (read-only) only, to enforce forensic procedures, where no evidence must be altered in the slightest. This strict write protection of X-Ways Forensics ensures that no original evidence can possibly be altered accidentally, which can be a crucial aspect in court proceedings. Only when you are not bound by strict forensic procedures and/or need to work more aggressively on disks or images (e.g. you have to repair a boot sector) could you run WinHex instead. With WinHex you can edit disk sectors and wipe entire hard disks, free space, or slack space.
  • The WinHex API can only be used in conjunction with WinHex.

Setup Program

Actually it is not necessary to install WinHex/X-Ways Forensics using the supplied setup.exe program. This installation program only copies the shipped files to the destination folder (plus all .whx files it finds), sets the desired language (English, German, French, Spanish, Italian, or Portuguese), and creates a program shortcut in the start menu. All other settings are initialized by winhex.exe/xwforensics.exe itself.

However, it is recommended to use the setup program to update an existing installation because it will warn you in case the new version would no longer accept the existing license codes, before actually overwriting the fully working existing installation.

Configuration File

The winhex [username].cfg file is created by WinHex/X-Ways Forensics automatically if no configuration file exists on program execution. The insertion of the username (as of v13.2 SR-5) guarantees that different users can share the same installation but have individual settings. If a file winhex.cfg exists (i.e. without a username), as typical for all versions up to v13.2 SR-4, that file will be used instead for all users who do not have an individual .cfg file. If no configuration file is found at all, the configuration is initialized with default values that may be language-specific. The default language is English. To force WinHex/X-Ways Forensics to initialize itself with a different language, create an empty file winhex.ger, winhex.fr, winhex.esp, winhex.ita, or winhex.por in the installation directory.

Registry Configuration

Alternatively, each user can have an individual configuration (own case folder, own folder for image files, and all other settings) in his/her system registry. That way the usage of the winhex*.cfg files is avoided altogether.

To that end, simply create an empty file named winhex.rgt in the installation folder. If this file is found during startup, WinHex reads the configuration from the local registry instead of a .cfg file. Only if the local registry key does not yet exist does WinHex try to read an existing winhex [username].cfg file in the installation folder. If this file does not exist either, WinHex starts with initialized settings. At any rate, if a file winhex.rgt is found when exiting, WinHex writes the configuration to the local registry.

The registry configuration feature is available as of WinHex v9.5.
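
The lookup order described under Configuration File and Registry Configuration, written out as a Python function for checking an installation folder before rolling it out to several machines. This is an added example, not X-Ways code: the function names, the literal file name form `winhex <username>.cfg` (user name after a space, no brackets) and the order in which the language marker files are checked are assumptions, and whether the registry key exists is passed in as a flag because the page does not name the key.

```python
import os

# Marker files named on the page; the order they are checked in is an assumption.
LANGUAGE_MARKERS = {"winhex.ger": "German", "winhex.fr": "French",
                    "winhex.esp": "Spanish", "winhex.ita": "Italian",
                    "winhex.por": "Portuguese"}


def resolve_configuration(file_names, username, registry_key_exists=False):
    """Predict the startup configuration source from an installation folder listing."""
    # Windows file names are case-insensitive, so compare in lower case.
    names = {name.lower() for name in file_names}
    # Assumption: the user name follows "winhex " literally, without brackets.
    user_cfg = f"winhex {username}.cfg".lower()
    registry_mode = "winhex.rgt" in names

    if registry_mode and registry_key_exists:
        source = "registry"
    elif user_cfg in names:
        source = user_cfg
    elif not registry_mode and "winhex.cfg" in names:
        # Shared file; the page mentions no such fallback in registry mode.
        source = "winhex.cfg"
    else:
        source = "defaults"

    # Language markers only matter when settings are initialized from defaults.
    language = None
    if source == "defaults":
        language = next((lang for marker, lang in LANGUAGE_MARKERS.items()
                         if marker in names), "English")
    return {"reads_from": source,
            "writes_registry_on_exit": registry_mode,
            "initial_language": language}


def resolve_for_folder(install_dir, username, registry_key_exists=False):
    """Same check against a real installation folder on disk."""
    return resolve_configuration(os.listdir(install_dir), username, registry_key_exists)


if __name__ == "__main__":
    # Constructed folder listings, not taken from a real installation.
    shared = ["xwforensics.exe", "WinHex.cfg", "winhex.ger"]
    per_user = shared + ["winhex.rgt", "winhex alice.cfg"]
    print(resolve_configuration(shared, "alice"))
    print(resolve_configuration(per_user, "alice", registry_key_exists=True))
    print(resolve_configuration(["winhex.exe", "winhex.fr"], "bob"))
```

On a shared installation, a result of `winhex.cfg` means the user is reading the settings file common to everyone without an individual .cfg file, which matters when case and image folders must stay separate per examiner.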

Program Files

The following files are required for proper functioning:

  • winhex.exe/xwforensics.exe (main executable file)
  • external.dll (required for some types of direct hard disk and floppy disk access)*
  • psapi.dll (required only for using the RAM editor under Windows NT/2000/XP)*
  • hi.dll (required only for picture viewing, shipped with X-Ways Forensics only, until v13.7)*
  • DevIL.dll (required only for picture viewing, shipped with X-Ways Forensics only, since v13.7)
  • Chinese.dat, Chinese2.dat (required for the Chinese user interface only, since v13.7)*
  • index*.txt (used for indexing in X-Ways Forensics)
  • zlib1.dll (since v13.7)
  • zip.dll (required only for archive handling, shipped with X-Ways Forensics only, as of v11.7)*
  • rar.dll (required only for RAR archive handling, shipped with X-Ways Forensics only, as of v11.7)*
  • zip.exe (required only for case backups, shipped with X-Ways Forensics only, as of v12.8)*
  • hash.dll (required only for faster hash computation, shipped with X-Ways Forensics, downloadable separately for WinHex, requires a professional license or higher, as of v12.9)*
  • m.dat (X-Ways Forensics only)
  • nfi.exe (v9.7 through v10.7 only)
  • dialogs.dat (dialog resources, all languages)
  • language.dat (string resources, all languages)
  • EBCDIC.dat (EBCDIC character set support, as of v9.26)*
  • timezone.dat (flexible time zone interpretation feature, as of v12.8)*
  • winhex.hlp, winhex.cnt (English program help)*
  • winhex-d.hlp, winhex-d.cnt (German program help)*
  • winhex-f.hlp, winhex-f.cnt (French program help)*
  • File Type Signatures.txt (file type definition file for file recovery by type, as of v11.2)*
  • File Type Categories.txt (file category definition file for category view, shipped with X-Ways Forensics only, as of v11.5)*
  • Reg Report [Keys].txt (definitions for the registry report function, shipped with X-Ways Forensics only, as of v11.5)*
  • *.tpl (various sample template definition files)*
  • *.whs (various sample scripts, as of v10.0)*

*The files marked with an asterisk are not required if the specified functionality is not needed.

Viewer Component

The viewer component has to be downloaded and decompressed separately. It is expected by default in the subfolder \viewer of the installation folder (as of v12.1).

Hash Database

A hash database does not ship with X-Ways Forensics. By default, an internal hash database found in the subfolder \HashDB of the installation folder will be automatically activated in X-Ways Forensics.

MPlayer

The program MPlayer can be used in X-Ways Forensics and X-Ways Investigator to watch and extract JPEG pictures from video files since v14.8. It is expected in the subfolder \mplayer of the installation folder. The separate codec package should be extracted to the subfolder \codecs of the MPlayer installation.

Forensics Framer

Alternatively, the program Forensic Framer can be used to extract JPEG pictures from video files. It contains MPlayer.

Required Non-Shipped Files

For use of the WinHex API (WinHex 10.1 and later) in a programming language such as C/C++, Pascal, or Visual Basic, some other files are needed.

For direct access to CD-ROM sectors under Windows 9x/Me, the ASPI interface must be installed (wnaspi32.dll). This file is available from the Windows setup CD-ROM. However, it should already exist on most Windows installations.

WinHex does not require a specific version of comctl32.dll. WinHex does not rely on the presence of any runtime library (e.g. msv*.dll).

Disk Editing

Editing/writing hard disk sectors under Windows NT/2000/XP/Vista/7 requires administrator privileges. Under Windows 9x/Me, there is no such restriction. Under Windows Vista/7 it is not sufficient to be simply logged in as administrator. Instead, you need to explicitly run WinHex as administrator.

Bart's PE Builder

This package contains all necessary configuration files and instructions for BartPE.