X-Ways Forensics

X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. Runs under Windows XP/2003/Vista/2008/7/8/8.1*, 32 Bit/64 Bit, standard/PE/FE. Compared to its competitors, X-Ways Forensics is more efficient to use after a while, often runs faster, is not as resource-hungry, finds deleted files and search hits that the competitors will miss, offers many features that the others lack, ..., is made by a German company, and it comes at a fraction of the cost! X-Ways Forensics is fully portable, runs off a USB stick on any given Windows system without installation. Unlike competing software, does not require you to set up an Oracle database that makes you wonder whether you can still load your case tomorrow. Downloads and installs within seconds (just a few MB in size, not GB). Unlike with competing software, you are free to use your licenses for teaching and may sell your licenses to someone else. X-Ways Forensics is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator.

Training • Certification • User manual • Book • Quick Guide • Videos • User interface • Administration tips • Newsletter archive • Service release announcements

Evaluation version not publicly available, only on request to law enforcement, government agencies and certain corporations. Please provide us with your full official address and contact details. Eval. version of WinHex.

X-Ways Forensics comprises all the general and specialist features known from WinHex, such as...

• Disk cloning and imaging
• Ability to read partitioning and file system structures inside raw (.dd) image files, ISO, VHD and VMDK images
• Complete access to disks, RAIDs, and images more than 2 TB in size (more than 2³² sectors) with sector sizes up to 8 KB
• Built-in interpretation of JBOD, RAID 0, RAID 5, RAID 5EE, and RAID 6 systems, Linux software RAIDs, Windows dynamic disks, and LVM2
• Automatic identification of lost/deleted partitions
• Native support for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3Ž, CDFS/ISO9660/Joliet, UDF
• Superimposition of sectors, e.g. with corrected partition tables or file system data structures to parse file systems completely despite data corruption, without altering the original disk or image
• Viewing and dumping physical RAM* and the virtual memory of running processes
• Various data recovery techniques, lightning fast and powerful file carving
• Well maintained file header signature database based on GREP notation
• Data interpreter, knowing 20 variable types
• Viewing and editing binary data structures using templates
• Hard disk cleansing to produce forensically sterile media
• Gathering slack space, free space, inter-partition space, and generic text from drives and images
• File and directory catalog creation for all computer media
• Easy detection of and access to NTFS alternate data streams (ADS)
• Mass hash calculation for files (CRC32, MD4, ed2k, MD5, SHA-1, SHA-256, RipeMD, ...)
• Lightning fast powerful physical and logical search capabilities for many search terms at the same time
• Recursive view of all existing and deleted files in all subdirectories
• Automatic coloring for the structure of FILE records in NTFS
• Bookmarks/annotations
• Runs under Windows FE, the forensically sound bootable Windows environment, e.g. for triage/preview, with limitations
• Ability to analyze remote computers in conjunction with F-Response
• ...

...and then some:

• Superior, fast disk imaging with intelligent compression options
• Ability to read and write .e01 evidence files (a.k.a. EnCase images), optionally with real encryption (256-bit AES, i.e. not mere “password protection”)
• Ability to create skeleton images and cleansed images (details)
• Ability to copy relevant files to evidence file containers, where they retain almost all their original file system metadata, as a means to selectively acquire data in the first place or to exchange selected files with investigators, prosecution, lawyers, etc.
• Complete case management
• Automated activity logging (audit logs)
• Write protection to ensure data authenticity
• Remote analysis capability for drives in network can be added optionally (details)
• Additional support for the filesystems HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, XFS, many variants of UFS1 and UFS2
• Ability to include files from all volume shadow copies in the analysis (but exclude duplicates), filter for such files, find the snapshot properties, etc.
• The basis for a listed file is practically just a mouse click away. Easily navigate to the file system data structure where it is defined, e.g. FILE record, index record, $LogFile, volume shadow copy, FAT directory entry, Ext* inode, containing file if embedded etc.
• Supported partitioning types: Apple supported in addition to MBR, GPT (GUID partitioning), Windows dynamic disks (both MBR and GPT style), LVM2 (both MBR and GPT style), and unpartitioned (Superfloppy)
• Very powerful main memory analysis for local RAM or memory dumps of Windows 2000, XP, Vista, 2003 Server, 2008 Server, Windows 7
• Shows owners of files, NTFS file permissions, object IDs/GUIDs, special attributes
• Compensation for NTFS compression effects and Ext2/Ext3 block allocation logic in file carving
• Convenient back & forward navigation from one directory to another, multiple steps, restoring sort criteria, filter (de)activation, selection
• Gallery view for pictures
• Calendar view
• File preview, seamlessly integrated viewer component for 270+ file types
• Ability to print the same file types directly from within the program with all metadata on a cover page
• Internal viewer for Windows Registry files (all Windows versions); automated and configurable powerful Registry report
• Viewer for Windows event log files (.evt, .evtx), Windows shortcut (.lnk) files, Windows Prefetch files, $LogFile, $UsnJrnl, restore point change.log, Windows Task Scheduler (.job), $EFS LUS, INFO2, wtmp/utmp/btmp log-in records, MacOS X kcpassword, AOL-PFC, Outlook NK2 auto-complete, Outlook WAB address book, Internet Explorer travellog (a.k.a. RecoveryStore), Internet Explorer index.dat history and browser cache databases, SQLite databases such as Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, Safari feeds, Skype's main.db database with contacts and file transfers, ...
• Ability to collect Internet Explorer history and browser cache index.dat records that are floating around in free space or slack space in a virtual single file
• Extracts metadata and internal creation timestamps from various file types and allows to filter by that, e.g. MS Office, OpenOffice, StarOffice, HTML, MDI, PDF, RTF, WRI, AOL PFC, ASF, WMV, WMA, MOV, AVI, WAV, MP4, 3GP, M4V, M4A, JPEG, BMP, THM, TIFF, GIF, PNG, GZ, ZIP, PF, IE cookies, DMP memory dumps, hiberfil.sys, PNF, SHD & SPL printer spool, tracking.log, .mdb MS Access database, manifest.mbdx/.mbdb iPhone backup, ...
• Keeps track of which files were already viewed during the investigation
• Include external files, e.g. translations or decrypted or converted versions of original files, and connect them to the files they belong with
• Ability to examine e-mail extracted from Outlook (PST, OST), Exchange EDB, Outlook Express (DBX), AOL PFC, Mozilla (including Thunderbird), generic mailbox (mbox, Unix), MSG, EML
• Can produce a powerful event list based on timestamps found in all supported file systems, in operating systems (including event logs, registry, recycle bin, ...), and file contents (e.g. e-mail headers, Exif timestamps, GPS timestamps, last printed timestamps; browser databases, Skype chats, calls, file transfers, account creation...).
• Event timestamps can be sorted chronologically to get a timeline of events. They are represented graphically in a calendar to easily see hotspots of activity or periods of inactivity or to quickly filter for certain time periods with 2 mouse clicks.
• Automatic extensive file type verification based on signatures and specialized algorithms
• Ability to tag files and add notable files to report tables
• Automated reports that can be imported and further processed by any other application that understands HTML, such as MS Word
• Ability to associate comments about files for inclusion in the report or for filtering
• Directory tree on the left, ability to explore and tag directories including all their subdirectories
• Synchronizing the sectors view with the file list and directory tree
• Powerful dynamic filters based on true file type, hash set category, timestamps, file size, comments, report tables, contained search terms, ...
• Ability to copy files off an image or a drive including their full path, including or excluding file slack, or file slack separately or only slack
• Automatic identification of encrypted MS Office and PDF documents
• Can extract almost any kind of embedded files (including pictures) from any other kind of files, thumbnails from JPEGs and thumbcaches, .lnk shortcuts from jump lists, various data from Windows.edb, browser caches, PLists, tables from SQLite databases, miscellaneous elements from OLE2 and PDF documents, ...
• Skin color detection (e.g. a gallery view sorted by skin color percentage greatly accelerates a search for traces of child pornography)
• Detection of black & white or gray-scale pictures, which could be scanned-in documents or digitally stored faxes
• Detection of PDF documents that should be OCR'ed
• Ability to extract still pictures from video files in user-defined intervals, using MPlayer or Forensic Framer, to drastically reduce the amount of data when having to check for inappropriate or illegal content
• Lists the contents of archives directly in the directory browser, even in a recursive view
• Logical search, in all or selected files/directories only, following fragmented cluster chains, in compressed files, optionally decoding text in PDF, HTML, EML, ..., optionally using GREP, user-defined "whole words" option
• Powerful search hit listings with context preview, e.g. like “all search hits for the search terms A, B, and D in .doc and .ppt files below Documents and Settings with last access date in 2004 that do not contain search term C”
• Search and index in both Unicode and various code pages
• Highly flexible indexing algorithm, supporting solid compound words
• Logically combine search hits with an AND, fuzzy AND, NEAR, + and - operators
• Ability to export search hits as HTML, highlighted within their context, with file metadata
• Detection and removal of host-protected areas (HPA, ATA-protected areas), and DCO
• Match files against the lightning-fast internal hash database
• Ability to import NSRL RDS 2.x, HashKeeper, and ILook hash sets
• Create your own hash sets
• Ability to decompress entire hiberfil.sys files and individual xpress chunks
• X-Tensions API (programming interface) to add your own functionality or automate existing functionality with very high performance (for example the popular C4All as an X-Tension runs about 6 times faster than as an EnScripts), does not require you to learn a proprietary programming language
• No complicated database to set up and connect to, with the risk of never being able to open your case again like in competing software
• Interface for external analysis programs such as DoublePics that for example can recognize known pictures (even if stored in a different format or altered!) and can return the classification (“CP”, “relevant”, “irrelevant”) to X-Ways Forensics