WinHex

Developer(s) X-Ways
Stable release 21.0 / December 13, 2023
Operating system Windows
Type Hex editor
License Proprietary commercial software
Website www.x-ways.net/winhex/index-m.html

WinHex is a commercial disk editor and universal hexadecimal editor (hex editor) used for data recovery and digital forensics. [1] WinHex's users include academic and forensic practitioners, [2] the Oak Ridge National Laboratory, Hewlett-Packard, National Semiconductor, law enforcement agencies, and other companies with data recovery and protection needs. [3]

WinHex is compatible with Microsoft Windows operating systems. [4]

Features

WinHex's features are as follows: [5]

  1. Read and directly edit hard drives (FAT and NTFS), floppy disks, CD-ROMs, DVDs, CompactFlash cards and other media
  2. Read and directly edit random-access memory (RAM)
  3. Interpret 20 data types
  4. Edit partition tables, boot sectors, and other data structures using templates
  5. Join and split files
  6. Analyze and compare files
  7. Search and replace
  8. Clone and image drives
  9. Recover data
  10. Encrypt files (AES-128)
  11. Create hashes and checksums
  12. Wipe drives

Forensics features with a Specialist license include: [5] [6]

  1. Gather free and slack space
  2. Search for text based on keywords
  3. Create tab-delimited tables of drive contents

Related Research Articles

New Technology File System (NTFS) is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. It superseded File Allocation Table (FAT) as the preferred filesystem on Windows and is supported in Linux and BSD as well. NTFS reading and writing support is provided using a free and open-source kernel implementation known as NTFS3 in Linux and the NTFS-3G driver in BSD. By using the convert command, Windows can convert FAT32/16/12 into NTFS without the need to rewrite all files. NTFS uses several files typically hidden from the user to store metadata about other files stored on the drive which can help improve speed and performance when reading data. Unlike FAT and High Performance File System (HPFS), NTFS supports access control lists (ACLs), filesystem encryption, transparent compression, sparse files and file system journaling. NTFS also supports shadow copy to allow backups of a system while it is running, but the functionality of the shadow copies varies between different versions of Windows.

RAID is a data storage virtualization technology that combines multiple physical disk drive components into one or more logical units for the purposes of data redundancy, performance improvement, or both. This is in contrast to the previous concept of highly reliable mainframe disk drives referred to as "single large expensive disk" (SLED).

A disk image is a snapshot of a storage device's structure and data typically stored in one or more computer files on another storage device. Traditionally, disk images were bit-by-bit copies of every sector on a hard disk often created for digital forensic purposes, but it is now common to only copy allocated data to reduce storage space. Compression and deduplication are commonly used to reduce the size of the image file set. Disk imaging is done for a variety of purposes including digital forensics, cloud computing, system administration, as part of a backup strategy, and legacy emulation as part of a digital preservation strategy. Disk images can be made in a variety of formats depending on the purpose. Virtual disk images are intended to be used for cloud computing, ISO images are intended to emulate optical media and raw disk images are used for forensic purposes. Proprietary formats are typically used by disk imaging software. Despite the benefits of disk imaging the storage costs can be high, management can be difficult and they can be time consuming to create.

dd is a command-line utility for Unix, Plan 9, Inferno, and Unix-like operating systems and beyond, the primary purpose of which is to convert and copy files. On Unix, device drivers for hardware and special device files appear in the file system just like normal files; dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining a fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings.

Computer forensics: Branch of digital forensic science

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Disk cloning is the process of duplicating all data on a digital storage drive, such as a hard disk or solid state drive, using hardware or software techniques. Unlike file copying, disk cloning also duplicates the filesystems, partitions, drive metadata and slack space on the drive. Common reasons for cloning a drive include data backup and recovery, duplicating a computer's configuration for mass deployment, and preserving data for digital forensics purposes. Drive cloning can be used in conjunction with drive imaging, where the cloned data is saved to one or more files on another drive rather than copied directly to another drive.

Disk editor: Computer software

A disk editor is a computer program that allows its user to read, edit, and write raw data on disk drives; as such, they are sometimes called sector editors, since the read/write routines built into the electronics of most disk drives require data to be read and written in chunks of sectors. Many disk editors can also be used to edit the contents of a running computer's memory or a disk image.

In computing, data recovery is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

The following is a comparison of notable hex editors.

TestDisk

TestDisk is a free and open-source data recovery utility that helps users recover lost partitions or repair corrupted filesystems. TestDisk can collect detailed information about a corrupted drive, which can then be sent to a technician for further analysis. TestDisk supports DOS, Microsoft Windows, Linux, FreeBSD, NetBSD, OpenBSD, SunOS, and MacOS. TestDisk handles non-partitioned and partitioned media. In particular, it recognizes the GUID Partition Table (GPT), Apple partition map, PC/Intel BIOS partition tables, Sun Solaris slice and Xbox fixed partitioning scheme. TestDisk uses a command line user interface. TestDisk can recover deleted files with 97% accuracy.

PhotoRec: Open source data recovery software

PhotoRec is a free and open-source data recovery utility with a text-based user interface. It uses data carving techniques and is designed to recover lost files from various digital camera memory, hard disks and CD-ROMs. It can recover files with more than 480 file extensions. It is also possible to add custom file signatures to detect lesser-known file types.

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

Anti–computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

HxD: Free hex and disk editor

HxD is a freeware hex editor, disk editor, and memory editor developed by Maël Hörz for Windows. It can open files larger than 4 GiB and open and edit the raw contents of disk drives, as well as display and edit the memory used by running processes. Among other features, it can calculate various checksums, compare files, or shred files.

IDEDOS is a ROM-based disk operating system written in 6502/65816 assembly language for the Commodore 64, 128 and SuperCPU. Its main purpose is to control ATA(PI) devices connected to an IDE64 cartridge and present them like normal Commodore drives. Additionally it supports networked drives (PCLink) and has a built-in machine code monitor and file manager.

Mobile device forensics: Recovery of evidence from mobile devices

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

Digital forensic process

The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

FlexHex

FlexHex is a freeware hex editor for Microsoft Windows that can edit files, NTFS alternate streams and sparse data, OLE compound files, logical disks, and physical drives.

CAINE Linux

CAINE Linux is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti. The project began in 2008 as an environment to foster digital forensics and incident response (DFIR), with several related tools pre-installed.

010 Editor is a commercial hex editor and text editor for Microsoft Windows, Linux and macOS. Typically 010 Editor is used to edit text files, binary files, hard drives, processes, tagged data, source code, shell scripts, log files, etc. A large variety of binary data formats can be edited through the use of Binary Templates.

References

  1. WinHex 15.9, CNET. January 23, 2011.
  2. Tu, Manghui; et al. (2012). "On the Development of a Digital Forensics Curriculum". Journal of Digital Forensics, Security and Law. 7 (3): 20. Via Embry-Riddle Aeronautical University.
  3. "WinHex: More Information". www.x-ways.net. Retrieved 2019-04-20.
  4. "WinHex: Hex Editor & Disk Editor, Computer Forensics & Data Recovery Software". www.x-ways.net. Retrieved 2019-04-20.
  5. Jackman, Michael (May 6, 2003). "News, Tips, and Advice for Technology Professionals". TechRepublic. Retrieved 2019-04-20.
  6. "WinHex: Specialist Tools Menu". www.x-ways.net. Retrieved 2019-04-20.