Using advanced forensic tools in WinHex

WinHex is a good sector editor, but you can also use it to do detailed forensics analysis of any hard drive. After you've prepared and secured the drive, here's how to use WinHex to analyze the drive.

WinHex is an advanced disk editor and powerful data recovery and analysis tool made by Germany's X-Ways Software Technology AG. It's useful for forensic examination of disks and files. My previous article on this program, "Begin a forensics investigation with WinHex," covered how to prepare and secure digital evidence. Here's how to use WinHex to conduct data analysis on that evidence.

Author's note
If you aren't acquainted with WinHex, before reading this article you may want to review the previous one mentioned above, as well as "WinHex: A powerful data recovery and forensics tool." The latest version of WinHex is 11.0, released Aug. 12, 2003. It contains added features and improvements you can read about here. Most of the WinHex utilities covered in this article require a $139 Specialist License for activation. The relatively low price of this application makes it attractive when compared to that of dedicated forensics software such as EnCase.

Logical vs. physical access: Which is better for forensic examination?
WinHex allows you to view a disk logically and physically. These choices are available in the Edit Disk dialog that appears when you launch Tools | Disk Editor, as shown in Figure A.

Figure A
The Edit Disk dialog box lists which disks or partitions can be accessed logically and physically.

Logical access views the disk through the operating system, allowing you to analyze the drive at the level of files, folders, and clusters (these collections of data are defined by the operating system). The greatest number of tools is available through this type of access.

However, logical access isn't feasible when key parts of the disk or portions of the drive are damaged or have been erased. In those cases, you may be able to access a disk physically, which means it is read on a lower level, through the BIOS.

Logical access is required to run the following Tools and Specialist utilities:
  • Gather Free Space
  • Gather Slack Space
  • Create Drive Contents Table
  • Create Directory Contents Table
  • File Recovery By Name
  • List Clusters

On the other hand, you need physical access to run the Specialist tool Gather Inter-Partition Space. In addition, make sure you have plenty of room on a separate hard drive or partition to hold your files, which can grow quite large.

Never save data to the target disk
Warning: These forensics tools extract data from the target drive to files. Never write files back to the disk under investigation, as doing so will overwrite data. Always save your files to another drive or partition. In most cases, WinHex will warn you when you're about to save to the same disk from which you are reading. In some cases, it will prevent you from making this mistake.

Using Gather Text
The Gather Text utility extracts only the ASCII characters (you can also allow Unicode characters) from the hard drive under investigation. A file stripped of control and other programming codes makes it easier to examine the disk (if text information is what you're after). All text will be harvested: e-mails, documents, lists of Web pages and newsgroups viewed and downloaded, and even text remaining in slack space and free space that was once part of files.

Note: As executable files, DLL files, scripts, and other code and configuration files contain text portions, expect also to find a lot of redundant information when using Gather Text.

To launch the tool, select Specialist | Gather Text. You'll see the Find Text Passages screen shown in Figure B. By default, the utility recognizes text as consisting of 10 successive letters, numbers, punctuation marks, and spaces. You can change these defaults. You may also opt to include Unicode characters and to restrict your search to a defined block. Click OK when ready.

Figure B
Set your options for extracting text from the target hard drive.

WinHex will request a file name and location for the file(s) of extracted text. Accept the default file name, Text drive X (where X is the drive letter of your drive), or type in a new file name. Click OK. Specify the maximum size of each file; the default value is 10 KB. WinHex will create sequentially numbered output files with the name and size you specify. Click OK. WinHex will then scan the disk and extract text from it. Depending upon the speed of your processor and the size of your disk, the operation may take quite a while.
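As an added illustration, not code from WinHex or from this article, the following Python reproduces the core of Gather Text on a constructed in-memory buffer: it finds runs of at least 10 printable characters (the dialog's default), optionally also UTF-16LE runs for the Unicode option, and splits the result into size-limited numbered chunks in the way WinHex splits its output files. The buffer contents, the function names and the chunking rule are assumptions made for the demo.

```python
import re
import string

# Constructed sample "disk" buffer (not a real image): ASCII passages, one
# UTF-16LE passage, and binary noise separated by control bytes and zeros.
SAMPLE_DISK = (
    b"\x00\x01MZ\x90\x00" + b"Dear John, meet me at 5pm." + b"\x00" * 8
    + "secret note".encode("utf-16-le") + b"\xff\xfe\x02"
    + b"http://example.test/page" + b"\x00\x00" + b"ab\x07cd"
)

# Characters a text passage may consist of: letters, digits, punctuation
# marks and the space character, as in the Find Text Passages defaults.
PRINTABLE = (string.ascii_letters + string.digits + string.punctuation + " ").encode()

def gather_text(data, min_len=10, unicode_too=False):
    """Return (offset, text) for every run of at least min_len printable
    characters. With unicode_too, runs of UTF-16LE characters (each printable
    byte followed by 0x00) are returned as well, decoded to str."""
    cls = b"[" + re.escape(PRINTABLE) + b"]"
    hits = []
    for m in re.finditer(cls + b"{%d,}" % min_len, data):
        hits.append((m.start(), m.group().decode("ascii")))
    if unicode_too:
        for m in re.finditer(b"(?:" + cls + b"\\x00){%d,}" % min_len, data):
            hits.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(hits)

def split_output(hits, max_bytes=10 * 1024):
    """Emulate the numbered output files: one passage per line, split into
    chunks no larger than max_bytes. Returns one bytes object per chunk."""
    chunks, current = [], b""
    for _, text in hits:
        line = text.encode("utf-8") + b"\n"
        if current and len(current) + len(line) > max_bytes:
            chunks.append(current)
            current = b""
        current += line
    if current:
        chunks.append(current)
    return chunks

if __name__ == "__main__":
    for offset, text in gather_text(SAMPLE_DISK, unicode_too=True):
        print(f"offset 0x{offset:08X}: {text}")
```

Note how the UTF-16LE passage is invisible to the plain ASCII pass (every letter is separated by a zero byte), which is exactly why the Unicode option exists.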

Using Gather Free Space
Gather Free Space places all the data in currently designated free space into a file on another disk or partition. It works similarly to Gather Text, except it is not restricted to ASCII characters. WinHex will create sequentially numbered output files of the name and size you indicate.

To launch the tool, select Specialist | Gather Free Space. Set the file size, then click OK. Create a file name for the recovered data or accept the default file name, Free Space X, where X is the drive letter of your disk.

Using Gather Slack Space
Gather Slack Space is virtually identical to Gather Free Space, except that it searches the unused file space in clusters (the smallest unit of file allocation) between the end-of-file mark and the beginning of the next cluster. This space is typically filled with data left over from previous files that have been deleted.

Launch the utility by selecting Specialist | Gather Slack Space. Choose a file name for the recovered data or accept the default name of Slack Space X, where X is the drive letter of your disk.

The next dialog will ask, Strip Initial Zero Bytes From All Occurrences Of Slack Space? Unless you're interested in areas of no data, click Yes. This will reduce the file size. Next, you'll be asked whether or not to mask non-printable characters. Depending on your needs, select Yes or No. WinHex then performs the recovery.
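The following Python, added here as an example and not code from WinHex or the article, shows where slack lives and what the two dialog choices do: on a constructed four-cluster disk it computes each file's slack from its size and cluster chain, drops initial zero bytes, and masks non-printable bytes with a dot. The 512-byte cluster size, the two files and the planted remnant are assumptions made for the demo.

```python
import string

CLUSTER_SIZE = 512  # constructed: a small cluster size keeps the demo readable

# Constructed four-cluster "disk" with two files. a.txt is 700 bytes long and
# ends part-way through cluster 1, so the rest of that cluster is slack and
# still holds a remnant of an earlier, deleted file. b.bin fills clusters 2-3
# exactly and therefore has no slack.
DISK = bytearray(4 * CLUSTER_SIZE)
DISK[0:700] = b"A" * 700
REMNANT = b"\x00\x00\x00" + b"deleted memo: ship on Friday\x00\x07\xfe"
DISK[700:700 + len(REMNANT)] = REMNANT
DISK[1024:2048] = b"B" * 1024
# (name, size in bytes, cluster chain) as a directory listing would give it
FILES = [("a.txt", 700, [0, 1]), ("b.bin", 1024, [2, 3])]

PRINTABLE = set((string.ascii_letters + string.digits + string.punctuation + " ").encode())

def slack_of(disk, size, chain, cluster_size):
    """Raw bytes between a file's EOF and the end of its last cluster."""
    used = size % cluster_size
    if used == 0:                      # EOF on a cluster boundary: no slack
        return b""
    last = chain[-1]
    return bytes(disk[last * cluster_size + used:(last + 1) * cluster_size])

def gather_slack(disk, files, cluster_size, strip_zeros=True, mask=True):
    """Collect every slack occurrence, applying the two dialog choices:
    drop initial zero bytes, and replace non-printable bytes with '.'.
    Returns [(file name, slack bytes)] for files that actually have slack."""
    out = []
    for name, size, chain in files:
        data = slack_of(disk, size, chain, cluster_size)
        if strip_zeros:
            data = data.lstrip(b"\x00")
        if mask:
            data = bytes(b if b in PRINTABLE else ord(".") for b in data)
        if data:
            out.append((name, data))
    return out

if __name__ == "__main__":
    for name, data in gather_slack(DISK, FILES, CLUSTER_SIZE):
        print(name, data[:60])
```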

Using Gather Inter-Partition Space
This useful tool extracts data from the space between partitions (a small area may also be unused by a disk formatted with only one partition). You must access a disk physically to use this tool. Select Specialist | Gather Inter-Partition Space. A dialog lists the amount of space to be recovered. Click OK, then select a file name for the space. WinHex will extract the data to the file and then open it for analysis.
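Added as an illustration of what "the space between partitions" means at the sector level (not WinHex's own code, and not from the article): this Python builds a constructed MBR with two primary partitions, parses the partition table back, lists the sector ranges no partition covers, and gathers their bytes from a raw image. It also treats the sectors between the MBR and the first partition, and any tail after the last partition, as unallocated, which is an assumption about scope (the article speaks only of space between partitions), and it ignores extended-partition internals.

```python
import struct

SECTOR = 512

def build_mbr(partitions):
    """Constructed MBR: 4 entries at offset 446 of (status, CHS start, type,
    CHS end, LBA start, sector count); CHS fields are set to 0xFF (unused)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack(
            "<B3sB3sII", 0x00, b"\xff" * 3, ptype, b"\xff" * 3, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_partitions(mbr):
    """[(type, lba_start, count)] for non-empty entries, sorted by start."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        _, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append((ptype, start, count))
    return sorted(parts, key=lambda p: p[1])

def inter_partition_gaps(parts, total_sectors):
    """Sector ranges (start, end_exclusive) no partition covers: the area after
    the MBR (sector 0 is the MBR itself), the space between partitions, and
    any tail after the last one. Overlapping entries are tolerated."""
    gaps, cursor = [], 1
    for _, start, count in parts:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors))
    return gaps

def gather_inter_partition_space(disk):
    """Concatenate the bytes of every gap on a raw disk image."""
    gaps = inter_partition_gaps(parse_partitions(disk[:SECTOR]), len(disk) // SECTOR)
    return b"".join(disk[s * SECTOR:e * SECTOR] for s, e in gaps)

# Constructed 1 MiB image: two partitions (0x0C = FAT32 LBA, 0x07 = NTFS) with
# unallocated sectors before, between and after them; a text remnant is
# planted in the middle gap so the gathered output has something to show.
DISK = bytearray(2048 * SECTOR)
DISK[:SECTOR] = build_mbr([(0x0C, 63, 900), (0x07, 1024, 1000)])
DISK[963 * SECTOR:963 * SECTOR + 19] = b"stale config block!"

if __name__ == "__main__":
    print(inter_partition_gaps(parse_partitions(DISK[:SECTOR]), 2048))
    print(len(gather_inter_partition_space(DISK)), "bytes gathered")
```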

Using Create Drive Contents Table and Create Directory Contents Table
The Create Drive Contents Table utility lists, in a tab-delimited text file, all the files and directories WinHex finds on the target drive, including those that have been deleted. Create Directory Contents Table performs the same operations on a directory and subdirectories you specify. Optionally, you can set WinHex to list only deleted files, and to calculate hash values for each one. You can also specify which file attributes to list in the table.

When Create Drive Contents Table completes, WinHex opens the file in Microsoft Excel, where it can be sorted by column. For example, you could sort files by extension to more easily skim through image files, executables, and documents. If you prefer, you can then save the delimited text file as an Excel workbook.

Captured file and directory information includes an impressive list of attributes:
  • Filename
  • Extension
  • Path
  • Deleted
  • Dir
  • Hidden
  • System
  • Read-only
  • Archive
  • Size
  • Creation Date
  • Creation Time
  • Last Write Date
  • Last Write Time
  • Last Access Date
  • Last Access Time

To launch Create Drive Contents Table, select Specialist | Create Drive Contents Table. Create Directory Contents Table is also launched through the Specialist menu. Modify options or accept default values, and click OK. Choose a file name and location for the information and click Save.

Figure C presents a sampling of the Disk Contents Table as it displays in Excel. I investigated a laptop hard drive purchased from eBay and attached to my computer with a USB drive enclosure. On this 3.8-GB disk, WinHex located 14,350 deleted and non-deleted files. Note the deleted files, indicated with a "?" as the first letter of the filename.

Figure C
Viewing the Disk Contents Table in Excel allows you to sort file and directory names and attributes.

Simultaneous Search
Simultaneous Search is one of WinHex's most useful and powerful analysis tools. It permits you to search for an entire list of terms at once. In other words, you create a list of target keywords, one per line, in the text entry box, and during one pass of the drive WinHex builds a table of all hits. In addition to text entries, you can search for hex values, indicated with the prefix 0x.

Depending on your investigation, your list may include porn terms and Web site names, the names of files suspected of being tampered with or stolen, names of individuals, phone numbers, addresses, or other terms you're interested in.

To use this utility, select Specialist | Simultaneous Search. You'll see the Simultaneous Search screen shown in Figure D. Create your list of terms in the Simultaneous Search dialog. For the purposes of this article, I've used an inoffensive list.

Figure D
Create your list of search terms.

If necessary, modify the options. Of these, you'll want to select Archive Occurrence Positions, which logs each hit to a file along with its offset and cluster allocation (listed as a file name, free space, or slack space). If you would rather browse the disk than save a file at this time, uncheck the Archive box; WinHex will then stop at every hit, and you press [F3] to continue the search.

If you've ever performed complex keyword searches, you know that these investigations often produce unexpected results, so your list of search terms may require some thoughtful tweaking to eliminate unnecessary information. For example, the keyword sex is part of any filename that ends in *s.exe. If your keywords are producing too many hits, try selecting the option Whole Words Only.
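The one-pass, multi-term search described above, written as an added Python example (not WinHex's code or the article's): text terms and 0x-prefixed hex terms are compiled into a single alternation so the constructed disk is scanned once, each hit is reported with its offset and the cluster allocation it falls in (file name, free space or slack space), and the Whole Words Only option is modelled as a check that no letter or digit touches the match. The four-cluster buffer, the allocation map and the substring false positive ("sex" inside "Sussex") are constructed for the demo.

```python
import re

CLUSTER_SIZE = 64  # constructed: tiny clusters so offsets stay readable

# Constructed "disk": four clusters padded with zeros, plus a map of what each
# cluster belongs to (the information the Details Panel would show).
DISK = b"".join(c.ljust(CLUSTER_SIZE, b"\x00") for c in [
    b"Memo: lunch with Alice Smith on Monday, bring the files.",
    b"C:\\Data\\Sussex_office.xls\x00MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    b"old pamphlet: sex education course outline, 2002 edition",
    b"\x00\x00\x00 receipt #4417 sent to Alice by fax \x00\x00",
])
ALLOC = {0: "memo.txt", 1: "index.dat", 2: "free space", 3: "slack space"}

def simultaneous_search(disk, terms, whole_words=False,
                        cluster_size=CLUSTER_SIZE, alloc=ALLOC):
    """One pass over disk for all terms at once. A term written as 0x.. is a
    hex byte sequence; any other term is matched as text (case-sensitive).
    Returns (offset, term, where) with 'where' taken from the allocation map."""
    pieces = []
    for term in terms:
        if term.startswith("0x"):
            pat = re.escape(bytes.fromhex(term[2:]))
        else:
            pat = re.escape(term.encode("latin-1"))
            if whole_words:   # no letter or digit directly before or after
                pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
        pieces.append(b"(" + pat + b")")
    combined = re.compile(b"|".join(pieces))
    hits = []
    for m in combined.finditer(disk):
        where = alloc.get(m.start() // cluster_size, "unknown")
        hits.append((m.start(), terms[m.lastindex - 1], where))  # group = term
    return hits

if __name__ == "__main__":
    terms = ["Alice", "sex", "0x4D5A"]   # 0x4D5A is the bytes "MZ"
    for whole in (False, True):
        print("Whole Words Only:", whole)
        for off, term, where in simultaneous_search(DISK, terms, whole_words=whole):
            print(f"  0x{off:06X}  {term:8}  {where}")
```

Run it and the "sex" hit inside "Sussex_office.xls" appears only in the first listing; the whole-word pass keeps the genuine hit in free space and the two "Alice" hits in a file and in slack.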

While conducting a search that browses the disk, don't overlook the value of WinHex's Details Panel, shown in Figure E. This panel provides a wealth of information about the data you are viewing. For example, it reveals the filename of each hit or, if there is no filename, specifies whether the hit is located in free space or slack space.

Figure E
The details panel (circled, right) reveals the file name of the Simultaneous Search hit (circled, left).

Look for yourself and see
Incidentally, if you're on the other, data-hiding end of the spectrum, the Details Panel used in conjunction with Simultaneous Search is a good education in why you need to initialize your free space and slack space every so often. You'll be surprised at how much sensitive data ends up in these areas during normal use of your computer. WinHex provides these data-erasing utilities in the Tools | Disk Tools menu.