Latest versions: X-Ways Forensics / X-Ways Investigator / WinHex v21.2, updated 2024/7/9
WinHex is a hexadecimal editor that is particularly useful in computer forensics, data recovery, low-level data processing and IT security. It serves everyday work as well as emergencies: inspecting and editing files of all kinds, recovering deleted files, and retrieving lost data and damaged files from drives or memory cards. Once you understand the basics of file systems you will not want to use any other data-recovery software. Under Windows, WinHex is the data-recovery tool of first choice: the first step after gaining access to the system is to use WinHex to detect and diagnose the fault, and it can then recover directly from most common failure types, such as deleted files, unreadable directories, encrypted or hidden directories, RAID failures and damaged sectors.
WinHex is a compact tool built for everyday emergencies: checking and repairing files, recovering deleted files, and recovering data lost through hard-disk damage. It also shows you files and data that other programs keep hidden. WinHex has long been praised as an essential tool for software cracking and BIOS modification, and its handling of hexadecimal data goes well beyond what a general-purpose editor such as UltraEdit offers.
特點
- Disk editor for floppy and hard disks, CD-ROM, DVD, ZIP, SmartMedia, CompactFlash and other media
- Supports FAT12/16/32, exFAT, NTFS, Ext2/3/4, Next3, CDFS, UDF
- Reconstruction, analysis and data recovery for RAID systems and dynamic disks
- Various data recovery techniques
- Interprets the complete directory structure inside raw-format image files, including segmented images
- Data interpreter that recognizes 20 data types
- Editing of data structures using templates (e.g. to repair partition tables and boot sectors)
- Concatenating and splitting files; unifying and dividing odd and even bytes/words
- Analyzing and comparing files
- Flexible search and replace functions
- Disk cloning (under DOS with X-Ways Replica)
- Drive images and backups (optionally compressed or split into 650 MB archives)
- Simple programming interface (API) and scripting
- 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
- Wiping function to securely erase residual data from storage media
- Imports all clipboard formats, including ASCII hex values
- Converts between binary, hex ASCII, Intel Hex and Motorola S formats
- Character sets: ANSI ASCII, IBM ASCII, EBCDIC (Unicode)
- Instant window switching, printing, random number generator
- Opens files larger than 4 GB; very fast and easy to use
- Online help
Disk cloning, disk imaging
to produce exact duplicates of disks/drives, e.g. to save the time for a full installation of the operating system and other software for several computers/disks of the same type, or to be able to restore a running installation in case of data loss/screwed up Windows (restoration of a backup). Also for computer forensics specialists, since they need to work on a copy when searching for evidence on the object disk. You can clone directly, or from an image file. Menu: Tools | Disk Tools | Clone Disk
RAM editor
e.g. for debugging purposes (programming), for examining/manipulating any running program and in particular computer games (cheating). Tools | RAM Editor
Analyzing files
e.g. to determine the type of data recovered as lost cluster chains by ScanDisk or chkdsk. Tools | Analyze File
Wiping confidential files or disks
...so that no one, not even a computer forensics specialist, can retrieve them. To securely erase a file, use File Manager | Delete Irreversibly. For disk wiping, open the disk in the disk editor and use Edit | Fill Disk Sectors, e.g. filling with zero bytes (hexadecimal value 00) or random bytes. WinHex works in accordance with the standard outlined in DoD 5220.22-M (for details, please see this white paper). Note that overwrite-based wiping is only reliable on media that rewrite the addressed sectors in place: on SSDs and flash cards, wear levelling and over-provisioning can leave copies of the old data in blocks the host cannot address, so for such media rely on the drive's own secure-erase command or on full-disk encryption instead. Also see X-Ways Security.
Wiping unused space and slack space
...either to close security leaks, to securely destroy previously existing classified files that have been deleted in the traditional way only, or to minimize the size of your disk backups (like WinHex backups or Norton Ghost backups), since initialized space can be compressed 99%. On NTFS drives, WinHex will even offer to wipe all currently unused $Mft (Master File Table) file records, as they may still contain names and fragments of files previously stored in them. File slack can be found in the unused end of the last cluster allocated to a file, which usually contains traces of previously existing files. Slack space - like everything else - is processed by WinHex very fast. Also see X-Ways Security.
ASCII - EBCDIC conversion
Lets you exchange text between mainframe computers and the PC in both directions. You may even tailor the character translation table in WinHex (ebcdic.dat) to your own needs. Edit | Convert
Binary, Hex ASCII, Intel Hex, and Motorola S conversion
e.g. for (E)PROM programmers. Edit | Convert
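As an added worked example of the Intel HEX format that Edit | Convert reads and writes (this is illustrative Python, not WinHex's own code): each record is `:LLAAAATT<data>CC`, where LL is the data length, AAAA the 16-bit load address, TT the record type and CC a checksum chosen so that all record bytes sum to zero modulo 256. The code handles only type 00 (data) and type 01 (EOF) records; extended-address records for images above 64 KiB are deliberately out of scope, and the sample bytes are constructed.

```python
"""Intel HEX record encoder/decoder (added example; not WinHex code)."""


def intel_hex_encode(data: bytes, base_addr: int = 0, chunk: int = 16) -> str:
    """Emit type-00 data records followed by the type-01 EOF record.
    CC = two's complement of the byte sum of LL, AAAA, TT and the data."""
    if not 0 < chunk <= 255:
        raise ValueError("chunk must be 1..255 bytes")
    if base_addr + len(data) > 0x10000:
        raise ValueError("only 16-bit addresses here; larger images need extended address records")
    lines = []
    for off in range(0, len(data), chunk):
        payload = data[off:off + chunk]
        addr = base_addr + off
        rec = bytes([len(payload), addr >> 8, addr & 0xFF, 0x00]) + payload
        csum = (-sum(rec)) & 0xFF
        lines.append(":" + (rec + bytes([csum])).hex().upper())
    lines.append(":00000001FF")
    return "\n".join(lines) + "\n"


def intel_hex_decode(text: str) -> tuple:
    """Parse data/EOF records back into (start_address, bytes).
    Rejects a bad checksum, a length field that disagrees with the record, and address gaps."""
    start, expected = None, None
    out = bytearray()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5:
            raise ValueError(f"line {lineno}: record too short")
        if sum(rec) & 0xFF:
            raise ValueError(f"line {lineno}: checksum mismatch")
        length, addr, rtype, payload = rec[0], (rec[1] << 8) | rec[2], rec[3], rec[4:-1]
        if len(payload) != length:
            raise ValueError(f"line {lineno}: length field {length} != {len(payload)} data bytes")
        if rtype == 0x01:          # EOF record
            break
        if rtype != 0x00:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
        if start is None:
            start = expected = addr
        if addr != expected:
            raise ValueError(f"line {lineno}: data not contiguous at {addr:#06x}")
        out += payload
        expected += length
    return (start or 0, bytes(out))


# Constructed sample: 20 bytes of firmware-like data loaded at 0x0100
SAMPLE = bytes(range(0x20, 0x34))


def roundtrip_ok() -> bool:
    return intel_hex_decode(intel_hex_encode(SAMPLE, base_addr=0x0100)) == (0x0100, SAMPLE)


def tampered_is_rejected() -> bool:
    """Alter one data nibble of the first record; the checksum must catch it."""
    first, rest = intel_hex_encode(SAMPLE, base_addr=0x0100).split("\n", 1)
    bad = first[:12] + ("0" if first[12] != "0" else "1") + first[13:]
    try:
        intel_hex_decode(bad + "\n" + rest)
    except ValueError as err:
        return "checksum" in str(err)
    return False
```

A single flipped nibble is always caught because it changes the byte sum by less than 256; a checksum does not, however, protect against deliberate modification, since anyone editing the record can recompute CC.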
Unifying and dividing odd and even bytes/words
for (E)PROM programmers. File Manager | Unify/Dissect
Conveniently editing data structure
using custom templates. Download a tutorial. View | Template Manager
Splitting files that do not fit on a disk
File Manager | Split/Concatenate
WinHex as a reconnaissance and learning tool
Are you sure Microsoft Word really discards previous states of your document? You may be surprised to find text deleted long ago in your .doc files. Maybe text that you really do not wish to be seen by the person you are going to pass the .doc file to? Discover what various software programs save in their files. Study unknown file formats and learn how they work. Investigate e.g. how executable files are structured and how they are loaded in RAM. The possibilities are practically unlimited. Here is another important one:
Finding interesting values (e.g. the number of lives, ammunition, etc.) in saved game files
using the Combined Search or using the File Comparison utility, for later manipulation
Manipulating saved game files
for any computer game, following existing instructions from cheat sites on the Internet or for developing your own cheats.
Upgrading MP3 jukeboxes and Microsoft Xbox with larger hard drive
To upgrade, the new hard disk must be prepared first. This is where you need WinHex. Instructions for Creative's Nomad MP3 jukebox, DAP jukebox and Microsoft Xbox. You can also change the name of your Xbox.
Manipulating text
...that one is not supposed to edit, e.g. in binary files. It is not convenient, but it is possible to translate practically any software into another language by editing the text inside its executable files, e.g. if the source code is not available (lost). Or you may want to edit text in files of a binary type that the native application does not let you modify. For instance, a programmer may find that the compiler automatically creates a configuration file for the project whose filename (application name + .cfg) conflicts with a file the programmer's own software uses. If your local laws and the license permit it, edit the compiler's executable so that it uses a different name (e.g. the filename extension “.cnf”).
Viewing and manipulating files that usually cannot be edited
because they are protected by Windows (e.g. the swap file, temporary files of the Internet Explorer), using the disk editor. Tools | Disk Editor
Viewing, editing, and repairing system areas
such as the Master Boot Record with its partition table and boot sectors. Tools | Disk Editor | Access button
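Added example, not WinHex's own template: a Python parser for the classic MBR layout that WinHex's partition-table template edits (disk signature at offset 440, four 16-byte entries at 446, boot signature 0x55AA at 510), plus the consistency checks an examiner runs before trusting or repairing a table. CHS fields are ignored in favour of the LBA fields, the partition-type names are a small, non-exhaustive map, and the sample disk (1 GiB, two partitions) is constructed.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# A few well-known partition type IDs (not exhaustive)
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector: bytes) -> dict:
    """Decode the disk signature and the four partition entries of an MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing at offset 510")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0x00:
            continue  # unused slot
        partitions.append({"slot": slot, "status": status, "type": ptype,
                           "type_name": PART_TYPES.get(ptype, "unknown"),
                           "lba_start": lba_start, "lba_count": lba_count})
    return {"disk_signature": struct.unpack_from("<I", sector, 440)[0], "partitions": partitions}


def check_partition_table(mbr: dict, disk_sectors: int) -> list:
    """Plausibility checks: status byte, zero extents, overrun past the disk, overlaps, bootable count."""
    problems = []
    parts = sorted(mbr["partitions"], key=lambda p: p["lba_start"])
    for p in parts:
        tag = f"slot {p['slot']}"
        if p["status"] not in (0x00, 0x80):
            problems.append(f"{tag}: invalid status byte {p['status']:#04x}")
        if p["lba_start"] == 0 or p["lba_count"] == 0:
            problems.append(f"{tag}: zero start or length")
        elif p["lba_start"] + p["lba_count"] > disk_sectors:
            overrun = p["lba_start"] + p["lba_count"] - disk_sectors
            problems.append(f"{tag}: extends {overrun} sectors past end of disk")
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["lba_count"] > b["lba_start"]:
            problems.append(f"slot {a['slot']} overlaps slot {b['slot']}")
    if sum(p["status"] == 0x80 for p in parts) > 1:
        problems.append("more than one partition flagged bootable")
    return problems


def build_mbr(entries, disk_signature: int = 0xDEADBEEF) -> bytes:
    """Assemble a constructed MBR sector from (status, type, lba_start, lba_count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, 440, disk_signature)
    for slot, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


DISK_SECTORS = 2_097_152  # constructed 1 GiB disk
GOOD_MBR = build_mbr([(0x80, 0x07, 2048, 1_048_576), (0x00, 0x83, 1_050_624, 1_046_528)])
# Same table with the second partition's length corrupted so it runs past the disk
BAD_MBR = build_mbr([(0x80, 0x07, 2048, 1_048_576), (0x00, 0x83, 1_050_624, 2_000_000)])
```

When a check fails, the numbers tell you which field to correct in the template; a partition whose extent runs past the disk usually means a damaged count field rather than a wrong start, because the start is confirmed by a valid boot sector at that LBA.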
Hiding data or discovering hidden data
...e.g. appended after the supposed end of a .jpg file (a crude form of data hiding often called steganography: image viewers stop at the end-of-image marker and ignore whatever follows), or in unused parts of logical drives or physical disks. WinHex specifically supports access to surplus sectors that are not in use by the operating system because they do not add up to a whole cluster or cylinder.
Copy & Paste
Use copy & paste or copy & write (=overwrite) with files, disks, and RAM. You may freely copy from a disk and write the clipboard contents to a disk, without regard to sector boundaries!
Unlimited Undo
When editing, reverse any of your steps. Only restricted by available disk space. Edit | Undo
Jump back and forward
WinHex keeps a history of your offset jumps, and lets you go back and forward in the chain, like an Internet browser does. Position | Back/Forward
Scripting
Automated file editing using scripts, to accelerate recurring routine tasks or to carry out certain tasks on unattended remote computers. The ability to execute scripts other than the supplied sample scripts is limited to owners of a professional license. Scripts can be run from the Start Center or the command line. While a script is executed, you may press Esc to abort. With its wider range of application, scripting supersedes the Routine feature known from previous WinHex versions. Find out more about scripts in the program help.
API (Application Programming Interface)
Professional users may also make good use of WinHex' advanced capabilities in their own programs written in Delphi, C/C++, or Visual Basic. The WinHex API provides a convenient interface for random access to files and disks (at the sector level). The provided functions are similar to the scripting commands. Details
Data recovery
for erroneously deleted files or generally after a loss of data. Can be done manually (see undeleting files) or automatically. There is an automatic recovery mode for FAT12, FAT16, FAT32, and NTFS drives called “File Recovery by Name” that simply requires you to specify one or more file masks (like *.gif, John*.doc, etc.). WinHex will do the rest. Via the Access button menu, a recovery mechanism is available for FAT drives which re-creates entire nested directory structures (details here). Another mechanism (“File Recovery by Type”, formerly “file retrieval”) can be used on any file system and recovers all files of a certain type at a time. Supported file types: jpg, png, gif, tif, bmp, dwg, psd, rtf, xml, html, eml, dbx, xls/doc, mdb, wpd, eps/ps, pdf, qdf, pwl, zip, rar, wav, avi, ram, rm, mpg, mov, asf, mid. Owners of digital cameras in particular quite often encounter problems with their media. WinHex is likely to help with this automated function, which relies on file headers (characteristic signatures at the beginning of a file). Tools | Disk Tools | File Retrieval
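Added example for the two passages above on hidden data after the end of a .jpg and on “File Recovery by Type” (illustrative Python, not WinHex's implementation): a signature carver that scans a raw image for JPEG and PNG headers and determines each file's end from the format itself, plus a check for bytes appended after a JPEG's end-of-image marker. The JPEG walker reads marker segments by length up to the start-of-scan marker, so an EXIF thumbnail's own FF D9 inside an APP1 segment does not truncate the carve; after SOS, FF D9 can only be the real EOI because entropy-coded data byte-stuffs every 0xFF as FF 00. The disk image and both picture files are constructed minimal stand-ins with the correct marker/chunk structure but no real pixel data.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"   # SOI followed by the 0xFF of the first marker
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end(buf: bytes, start: int):
    """Offset one past the EOI of the JPEG at `start`, or None if it cannot be parsed."""
    pos = start + 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:                                       # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:     # standalone markers
            pos += 2
            continue
        if marker == 0xD9:                                       # EOI before any scan
            return pos + 2
        seg_len = struct.unpack_from(">H", buf, pos + 2)[0]      # length includes itself
        if marker == 0xDA:                                       # SOS: entropy data follows
            eoi = buf.find(JPEG_EOI, pos + 2 + seg_len)
            return None if eoi < 0 else eoi + 2
        pos += 2 + seg_len                                       # skip APPn/DQT/DHT/SOF/...
    return None


def png_end(buf: bytes, start: int):
    """Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC) until IEND."""
    pos = start + 8
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        pos += 8 + length + 4
        if pos > len(buf):
            return None
        if ctype == b"IEND":
            return pos
    return None


def carve(image: bytes) -> list:
    """Header-signature carving over a raw image; needs no file system metadata."""
    hits = []
    for kind, sig, end_fn in (("jpg", JPEG_SOI, jpeg_end), ("png", PNG_SIG, png_end)):
        pos = 0
        while (start := image.find(sig, pos)) >= 0:
            end = end_fn(image, start)
            if end is None:           # header with no parseable body: keep scanning
                pos = start + 1
                continue
            hits.append({"type": kind, "offset": start, "size": end - start, "data": image[start:end]})
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


def trailing_data(jpeg_file: bytes) -> bytes:
    """Bytes after EOI in a .jpg: viewers ignore them, which is what makes them a hiding place."""
    end = jpeg_end(jpeg_file, 0) if jpeg_file.startswith(JPEG_SOI) else None
    if end is None:
        raise ValueError("not a parseable JPEG")
    return jpeg_file[end:]


# Constructed minimal JPEG: SOI, APP0, APP1 containing a thumbnail-like SOI/EOI, SOS, 5 bytes of
# entropy data (with a stuffed FF 00), EOI. 51 bytes in total.
JPEG = (b"\xff\xd8"
        + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + bytes(9)
        + b"\xff\xe1" + (12).to_bytes(2, "big") + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
        + b"\xff\xda" + (8).to_bytes(2, "big") + bytes(6)
        + b"\x12\x34\xff\x00\x56"
        + b"\xff\xd9")
HIDDEN = b"appended secret text"          # constructed payload hidden after EOI
# Constructed minimal PNG: signature, IHDR (13 data bytes, CRC not validated here), IEND. 45 bytes.
PNG = (PNG_SIG
       + (13).to_bytes(4, "big") + b"IHDR" + bytes(13) + bytes(4)
       + (0).to_bytes(4, "big") + b"IEND" + b"\xae\x42\x60\x82")
# Constructed raw image: unallocated zeros, the JPEG with its hidden tail, more zeros, the PNG, filler
DISK_IMAGE = bytes(512) + JPEG + HIDDEN + bytes(100) + PNG + b"\xff" * 64
```

Note that the carved JPEG stops at its EOI, so data hidden after the marker is not part of the carved file; on a standalone .jpg, `trailing_data` is the check that surfaces it. A real carver would also bound each carve by a maximum size, since a truncated JPEG makes the EOI search run on into the next file.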
Computer examination/forensics
WinHex is an invaluable tool in the hands of computer investigative specialists in private enterprise and law enforcement. Details
Trusted download (a security issue)
When transferring unclassified material from a classified hard disk drive to unclassified media, you need to be certain that a copied file will have no extraneous information in any cluster or sector “overhang” spuriously copied along with the actual file, since this slack space may still contain classified data from a time when it was allocated to a different file. The command Tools | Specialist Tools | Copy exactly copies the file in its current size, no entire sectors or clusters. Not one byte beyond the end of the file will be copied to the destination disk. Minimize your IT risks. Requires a specialist license.
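Added example for the slack-space and “Copy exactly” passages above (illustrative Python, not WinHex code): a toy cluster-allocated volume in which a classified file is deleted the traditional way and a small file then reuses its cluster. Copying whole clusters or sectors drags the previous file's remnants along in the slack; copying exactly the logical file size does not; wiping the slack removes them. The 4 KiB cluster size, the file contents and the “metadata-only delete” are constructed assumptions that mirror FAT/NTFS behaviour without modelling either file system.

```python
CLUSTER = 4096  # constructed geometry: 4 KiB clusters on an 8-cluster volume


class ToyVolume:
    """Cluster-allocated storage in a bytearray with just enough metadata to show file slack.
    Deleting a file drops only its directory entry, as on FAT/NTFS; data survives until reused."""

    def __init__(self, clusters: int = 8):
        self.disk = bytearray(CLUSTER * clusters)
        self.files = {}                       # name -> (first cluster, size in bytes)

    def _extent(self, name: str):
        """(allocation start, logical end of file, allocation end) as byte offsets."""
        first, size = self.files[name]
        n_clusters = -(-size // CLUSTER)      # ceiling division
        return first * CLUSTER, first * CLUSTER + size, (first + n_clusters) * CLUSTER

    def write(self, name: str, data: bytes, first_cluster: int) -> None:
        # Only len(data) bytes reach the disk; the tail of the last cluster is left untouched.
        start = first_cluster * CLUSTER
        self.disk[start:start + len(data)] = data
        self.files[name] = (first_cluster, len(data))

    def delete(self, name: str) -> None:
        del self.files[name]

    def cluster_copy(self, name: str) -> bytes:
        """What a sector-/cluster-granular copy carries: file bytes plus slack."""
        start, _, alloc_end = self._extent(name)
        return bytes(self.disk[start:alloc_end])

    def copy_exactly(self, name: str) -> bytes:
        """Only the logical file size, not one byte past EOF."""
        start, eof, _ = self._extent(name)
        return bytes(self.disk[start:eof])

    def slack(self, name: str) -> bytes:
        _, eof, alloc_end = self._extent(name)
        return bytes(self.disk[eof:alloc_end])

    def wipe_slack(self, name: str, fill: int = 0x00) -> int:
        """Overwrite the unused tail of the last cluster; returns the number of bytes wiped."""
        _, eof, alloc_end = self._extent(name)
        self.disk[eof:alloc_end] = bytes([fill]) * (alloc_end - eof)
        return alloc_end - eof


def demo() -> dict:
    vol = ToyVolume()
    classified = b"SECRET: project Aurora budget 1,200,000\n" * 90   # constructed, 3600 bytes
    vol.write("budget.txt", classified, first_cluster=2)
    vol.delete("budget.txt")                                        # traditional delete
    vol.write("memo.txt", b"Lunch moved to 13:00.\n", first_cluster=2)  # cluster reused
    result = {
        "slack_bytes": len(vol.slack("memo.txt")),
        "secret_in_cluster_copy": b"SECRET" in vol.cluster_copy("memo.txt"),
        "secret_in_exact_copy": b"SECRET" in vol.copy_exactly("memo.txt"),
    }
    vol.wipe_slack("memo.txt")
    result["secret_after_wipe"] = b"SECRET" in vol.cluster_copy("memo.txt")
    result["memo_intact"] = vol.copy_exactly("memo.txt") == b"Lunch moved to 13:00.\n"
    return result
```

The 4074 slack bytes of the 22-byte memo are the whole attack surface here: any tool that copies at sector or cluster granularity, including many backup and imaging utilities, transfers them together with the file.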
256-bit AES encryption
to make files unreadable by others. Edit | Convert
Checksum/digest calculation
to make sure a file is not corrupt and was not manipulated, or to identify common known files. Tools | Calculate Hash.
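Added example for the hashing passage above and for the note further down that X-Ways does not rely on MD5 alone (illustrative Python with the standard hashlib module, not WinHex code): one read pass computes several digests at once, an acquisition record is re-verified, a one-byte change is detected, and a lookup against a hash set reports a match as strong only when every recorded algorithm agrees, flagging an MD5-only match as weak. The 'image' bytes and the hash set are constructed.

```python
import hashlib
import io

CHUNK = 1 << 20   # 1 MiB reads: a multi-gigabyte image is digested in one pass


def multi_hash(source, algorithms=("md5", "sha1", "sha256")) -> dict:
    """All requested digests of `source` (bytes or a binary file object) in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    for chunk in iter(lambda: source.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(source, expected: dict) -> bool:
    """True only if every digest recorded at acquisition (e.g. on the evidence form) matches."""
    actual = multi_hash(source, tuple(expected))
    return all(actual[alg] == digest.lower() for alg, digest in expected.items())


def match_known(digests: dict, known_db: list) -> list:
    """Look a file up in a hash set. An entry matches only if every algorithm it records agrees;
    an entry carrying nothing but an MD5 is reported as weak, because MD5 collisions are practical
    and a file with the same MD5 need not be the same file."""
    hits = []
    for entry in known_db:
        algs = [a for a in entry if a != "name" and a in digests]
        if algs and all(entry[a] == digests[a] for a in algs):
            strength = "weak (md5 only)" if algs == ["md5"] else "strong"
            hits.append(f"{entry['name']}: {strength}")
    return hits


# Constructed 'acquired image' and a constructed hash set keyed on it
IMAGE = b"MZ\x90\x00" + bytes(range(256)) * 40
_d = multi_hash(IMAGE)
KNOWN_DB = [
    {"name": "known-good installer (constructed)", "md5": _d["md5"], "sha256": _d["sha256"]},
    {"name": "legacy md5-only entry (constructed)", "md5": _d["md5"]},
    {"name": "unrelated file (constructed)", "sha256": "0" * 64},
]


def demo() -> dict:
    """Re-verify the image against its acquisition hashes, detect a one-byte change, look it up."""
    acquisition = multi_hash(IMAGE)
    tampered = IMAGE[:-1] + bytes([IMAGE[-1] ^ 0x01])
    return {
        "stream_matches_bytes": multi_hash(io.BytesIO(IMAGE)) == acquisition,
        "verified": verify(IMAGE, {"sha256": acquisition["sha256"], "md5": acquisition["md5"]}),
        "tamper_detected": not verify(tampered, {"sha256": acquisition["sha256"]}),
        "hits": match_known(acquisition, KNOWN_DB),
    }
```

Recording at least one SHA-2 digest next to the MD5 at acquisition time costs nothing extra in I/O, since all digests are computed from the same read pass, and it is what makes a later "known file" match defensible.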
Generating pseudo-random data
for various (e.g. scientific simulation) purposes. Edit | Fill File
and many more specific tasks
WinHex | WinHex | WinHex | WinHex | WinHex | X-Ways | X-Ways | X-Ways | X-Ways | |
Eval. | Personal | Prof. | Specialist | Lab Ed. | Imager | Inv. CTR | Investigator | Forensics | |
Usage in business & organizations permitted | ^ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Write disk sectors, edit RAM, save large files | ✓ | ✓ | ✓ | ✓ | ✓* | ||||
Hexadecimal editor | ✓ | ✓ | ✓ | ✓ | ✓ | ✓* | |||
Simultaneously displayable character sets | 1 | 1 | 2 | 3 | 4 | 3 | 3 | 5 | |
WinHex Scripts | ✓ | ✓ | ✓ | ✓* | |||||
Specialist menu | (✓) | (✓) | (✓) | (✓) | ✓ | ||||
Highlighting of slack space and free space | ✓ | ✓ | (✓) | (✓) | ✓ | ||||
Internal definition of time zones | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
Fast hashing algorithms | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Multiple threads for logical searches and RVS | 3 | 3 | 24 | ||||||
Availability of a 64-bit edition | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Internal RAID 0/5/5EE/6 reconstruction | ✓ | ✓ | ✓ | ✓ | |||||
Windows dynamic disks, LVM2, Apple partitioning | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
Understands FAT12, FAT16, FAT32, TFAT, NTFS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Understands exFAT, Ext2/3/4, CDFS, UDF | ✓ | ✓ | ✓ | ✓ | |||||
APFS, Btrfs, QNX, XFS, HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, UFS | ✓ | ✓ | ✓ | ||||||
Improved recovery of deleted files in FAT32 | ✓ | ✓ | ✓ | ✓ | |||||
XPRESS WofCompressed files, incompressible files with active deduplication in Windows Server | ✓ | ✓ | ✓ | ||||||
Manual ZLIB, LZFSE, and ZSTD compression and decompression; manual NTFS, XPRESS, and LZVN decompression | ✓ | ✓ | |||||||
Ability to parse memory dumps of various older Windows versions | ✓ | ||||||||
Disk imaging (raw/dd) and disk cloning | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Ability to create skeleton and cleansed images | ✓ | ||||||||
Creation of evidence file containers | ✓ | ✓ | ✓ | ✓ | |||||
Ability to open and interpret evidence file containers | (✓)° | (✓)° | (✓)° | ✓ | ✓ | ✓ | ✓ | ✓ | |
Disk image interpretation (raw/DD, VMDK, VHD, VDI) | ✓ | ✓ | (✓)² | ✓ | ✓ | ||||
Creation of .e01 images/evidence files | ✓ | ✓ | |||||||
Interpretation for .e01/.ex01 images/evidence files | (✓)² | (✓) | ✓ | ✓ | |||||
Mount file systems as drive letters | ° | ° | ° | ° | ✓ | ✓ |||
Detection and deactivation of HPAs and DCOs | ✓ | ✓ | ✓ | ||||||
Regular X-Tensions | ✓¹ | ✓ | |||||||
Disk I/O X-Tensions | (✓)† | ✓ | ✓ | ✓ | |||||
Viewer X-Tensions | ✓ | ✓ | ✓ | ||||||
Image I/O API | ✓ | ✓ | ✓ | ||||||
Separate modes for disk/partition/volume and a file selected therein | ✓ | ✓ | ✓ | ✓ | |||||
Viewer component, gallery, preview mode | ✓ | ✓ | ✓ | ||||||
Internal picture viewing library | ✓ | ✓ | ✓ | ||||||
Support for file archives (zip, 7z, rar, gz, ...) and SquashFS file systems | (✓) | ✓ | ✓ | ||||||
Registry hive viewer and registry report output | ✓ | ||||||||
Cases, case reports, multi-user collaboration | ✓ | ✓ | ✓ | ||||||
Advanced keyword search and search hit lists | ✓ | ✓ | ✓ | ||||||
Populating an event list / chronological time line | ✓ | ||||||||
Tagging, categorizing and commenting on files | ✓ | ✓ | ✓ | ||||||
More columns and options in the directory browser | (✓) | (✓) | ✓ | ✓ | ✓ | ||||
Using hash databases | ✓ | ✓ | |||||||
Creating hash databases | ✓ | ||||||||
H U N D R E D S of additional features | (✓) | (✓) | ✓ | ||||||
other functions (examples, old page) | (✓) | ✓ | ✓ | ✓ | ✓ | ✓ |
^ only for evaluation purposes or to review evidence file containers containing no more than 1000 objects
° only evidence file containers
* if you run X-Ways Forensics as WinHex
† you need to create a case first and add the disk/image, but you cannot save and re-open that case
¹ XWF_GetRasterImage, PDF conversion, and OCR functionality not usable, and maybe more, refer to API documentation
² useful just to see partitions and to copy sectors of an image back to a storage device
Personal licenses for WinHex are available at a reduced price for non-commercial purposes only, in a non-business, non-institutional, and non-government environment. Professional licenses for WinHex allow usage of the software in any environment (at home, in a company, in an organization, or in public administration).
Supported platforms:
Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016/2019/11, 32 Bit/64 Bit*
*Limitations under Windows Vista/2008 Server/7: Physical RAM cannot be opened. Unable to write sectors on the partitions that contain Windows and WinHex.
X-Ways Forensics
X-Ways Forensics gives computer examiners a powerful, integrated analysis environment that runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016/2019/11*, 32-bit/64-bit, and is tightly integrated with WinHex.
- Disk cloning and imaging (under DOS with X-Ways Replica) for complete data acquisition
- Interprets the complete directory structure inside raw/dd image files, including segmented images
- Supports the FAT, NTFS, Ext2/3/4, CDFS and UDF file systems
- Reconstruction, analysis and data recovery for RAID 0, RAID 5 and dynamic disks
- Reads disks, RAIDs and image files larger than 2 TB
- Views and fully acquires the running processes in RAM and virtual memory
- Various data recovery functions, including recovery by file type
- File signature database and easy-to-use GREP search
- Wiping function to securely erase residual data from storage media
- Gathers slack space, free space and inter-partition gaps from disks or image files
- Creates file and directory listings from evidence files
- Finds and analyzes NTFS alternate data streams (ADS) with ease, including some that EnCase 5.05 and ILook fail to detect
- Supports several hash algorithms (CRC32, MD5, SHA-1, SHA-256, ...)
- Unlike competing products, does not rely solely on MD5 (MD5 collisions)
- Powerful physical and logical search, with several keywords searched simultaneously
- Automatic colour display of NTFS file structures
- Bookmarks and annotations
X-Ways Investigator
X-Ways Investigator gives law-enforcement agencies and private investigation firms a powerful platform for case investigation, analysis and reporting. It is aimed primarily at investigators who are not computer specialists, for financial, anti-money-laundering, anti-corruption, criminal and pornography cases. X-Ways Investigator is derived from X-Ways Forensics with a simplified user interface.
The basic way of working with X-Ways Investigator is that a specialist first carries out the technical processing of the evidence in X-Ways Forensics, then breaks the review and analysis of the evidence into smaller pieces and hands them to other investigators for collaborative analysis. Those investigators can review and analyze the material without specialist knowledge. This reduces the specialist's workload, gets evidence into the hands of other investigators faster, and makes the analysis more efficient.
X-Ways Investigator CTR
X-Ways Investigator CTR is the low-end edition of X-Ways Investigator. It can open evidence file containers produced by X-Ways Forensics and X-Ways Investigator (raw format or .e01 evidence files), but cannot open disk images or disks/media. X-Ways Investigator CTR is suited as an add-on to X-Ways Forensics that lets several investigators or analysts browse the evidence files, much like a very powerful viewer. Results can be exported directly from X-Ways Investigator CTR or imported back into X-Ways Forensics.
X-Ways Imager
X-Ways Imager is a reduced edition of X-Ways Forensics that can only create disk images and lacks the comprehensive analysis functions of X-Ways Forensics. Since it costs only about a tenth of X-Ways Forensics, it is worth considering if you need only that capability on a smaller budget.
F-Response
If you need to examine media attached to a remote computer, F-Response lets you do so. F-Response gives full access to the remote computer's physical storage devices and their contents regardless of location. Access is read-only, so F-Response acts like a software write blocker. Linux and Mac OS X target systems are also supported.
Exponent
Exponent™ is an exclusive library of powerful 64-bit X-Tensions that extend your forensic data analysis, visualization and reporting capabilities, for everyday digital forensic and cyber security investigations.
X-Ways Capture
Specialized computer forensics tool for the evidence collection phase of a forensic investigation which captures Windows and Linux live systems. X-Ways Capture gathers all data from the running computer e.g. on an external USB hard disk, such that during the analysis even encrypted or otherwise protected data can be examined that was unlocked at the point of time when the system was acquired. X-Ways Capture saves you from returning empty-handed after pulling the plug and imaging hard disks the conventional way when you discover that the relevant files are encrypted! Plus you may be able to find passwords in main memory that X-Ways Capture dumps for you.
X-Ways Trace
A computer forensics tool that lets you track and examine web browsing activity and file deletions through the Windows Recycle Bin on a given computer. Last updated in June 2008; not tested with newer browser versions.