
#0828 Fully checked means the data has to be allocated in memory by all means,
because the creation of a temporary file is unacceptable, for performance, storage
quota or security reasons.
#6C23 Defines what will happen in Disk/Partition/Volume mode when
clicking/selecting an item in the directory browser: Navigate to the first sector
or to the defining file system offset or nowhere.
#6C32 If half selected, files and directories will be grouped only when not
exploring recursively, i.e. when directories are actually needed for navigation and
thus expected at the top of the list.
#7343 If you need sector-level access to media as a rule, it may be preferable to
always run WHX/XWF as administrator. This can be remembered by Windows in the
registry hive HKEY_CURRENT_USER under \Software\Microsoft\Windows NT\
CurrentVersion\AppCompatFlags\Layers, but has no effect on installations on
removable media.
#7355 Not checked: the main window of the previous instance comes forward instead
of creating a new program instance. Full check: new program instance starts w/o
asking. Half selected (default): you will be given a choice when executing the .exe
file again, whether to start a new instance or not. At that time you may also try
to recover a previous instance, i.e. attempt to break it out of an infinite loop.
#7356 At startup, WHX/XWF can optionally show the Start Center or restore the last
window arrangement (all windows with their sizes and positions as you left them
in the previous WHX/XWF session).
#7348 By default, edit windows are not opened in a maximized state.
#735E Do not update file time means that WinHex will preserve the last modification
time when a modified file is saved with File | Save or Save As.
#7347 Fully checked: context menu for directory tree in Case Data window shows; at
least half checked: context menu for the hex editor display appears.
#7360 You may have WHX/XWF appear in the Windows context menu. The shell displays
the context menu when the user clicks an object with the right mouse button.
WHX/XWF provides menu items for files, folders and disks. If this option is not
fully selected, there is no menu item for files.
#7345 Prevent Windows screensavers from starting and potentially requiring to re-
enter the current user's password, either only during operations that show a
progress indicator window (if half checked) or generally while the program is
running (if fully checked). Works if the main window is visible or the program is
running in the background. Useful when acquiring a live system without being locked
out, or to keep an eye on the progress indicator on your own machine while not
actively using it.
#733A Half checked, the settings are saved whenever the program terminates
(cleanly). Fully checked, every time when you click OK in any dialog window (to
avoid that you lose your latest settings should the program not terminate cleanly).
Unchecked, the program settings will not be saved at all, except if you hold the
Shift key when exiting the program, which is necessary once if you would like to
save in the .cfg file the setting that from then on the settings should not be
saved again.
#7346 By default WHX/XWF numbers disk partitions in the order of their physical
location.
#7341 If Auto-detect deleted partitions is enabled, WHX/XWF tries to identify
obvious deleted partitions automatically in gaps between existing partitions and in
unpartitioned space directly following the last partition, when opening physical
hard disks. Please note that deleted partitions detected in gaps between existing
partitions cause the partition numbering to be changed. E.g. an existing partition
#3 might become partition #4 if a deleted partition is detected on the disk before
it.
#735A If Check for surplus sectors is disabled, WHX/XWF will not try to access
surplus sectors when a physical hard disk is opened. When additional sectors are
detected, WHX/XWF will remember them the next time you open the disk. You may
enforce a new check by holding the Shift key while opening the disk. Checking for
surplus sectors may cause very long delays, strange behavior or even damage to the
Windows installation on some very few systems.
#7342 Alternative disk access method 1 may allow access to hard disks with an
unconventional sector size or other media that cannot be accessed otherwise. May be
slower than the regular access method. If considerably slower, WHX/XWF will notify
you and recommend the standard method. Method 2 affects physical hard disks only as
well. Both allow you to specify a timeout in millisecs after which read attempts will
be aborted, instead of a potential delay of many secs or mins for reading a single
sector.
#7340 For raw images, request user input on the kind of image (volume or disk),
sector size and path for potential additional image file segments. Holding the Shift
key while adding the image to a case has the same effect. Usually not necessary,
but some removable media (USB sticks and memory cards) may have been used and
formatted as both volume and partitioned medium at different times. In such a
situation, interpretation as a volume and as a partitioned medium may reveal
different file systems overlapping.
#7358 If you select Show file icons, the icons stored in a file are shown in the
info pane. If a file contains no icons, the icon of the file type is shown if this
option is “fully” selected. Only for files opened with the File | Open menu
command.
#7365 The ENTER key can be used to enter up to four two-digit hex values. A useful
example is 0x0D0A, which is interpreted as an end-of-line marker in the Windows
world (Unix: 0x0D). The Start Center could then still be opened using SHIFT+ENTER.
#7362 Decide whether you want to use the TAB key to switch from text to hexadecimal
mode and vice versa or to enter the TAB character (0x09). In any case, TAB+SHIFT
can be pressed to switch the current mode.
#7350 Non-printable characters with a character set value smaller than 0x20 can be
represented by a user-defined other character. That substitute character can also
be used for high Unicode values, the limit for which you specify in the first of
the two boxes; the second is the replacement character (e.g. a space).
#7338 The bytes in the display can be represented as characters in the text column
one by one, or WHX/XWF can try to combine them, which if the active code page in
Windows is a double-byte character set may be desirable to get the characters right
(if 2 bytes = 1 character), or undesirable because of the variable row length. This
has an effect only if View | Character Set | * ASCII is selected, as only then the
code page active in Windows can make a difference for the display.
#7361 Offsets can be presented and prompted for in a decimal or hexadecimal
notation. This setting is valid for the entire program and can be changed by a
simple click on the offset column in any window showing raw hex data.
#7353 When using the memory editor, it may be useful to have WHX/XWF display
logical memory addresses for processes instead of zero-based, linear, contiguously
counted offsets. This is always done in hexadecimal notation. The dialog window of
the Goto Offset command will also prompt for logical addresses.
#734F Page and sector separators may be displayed. If this option is enabled
partially, only sector separators are displayed.
#73F0 Option to get all search hits in a file highlighted in File mode at the same
time, either only when a search hit list is displayed (if half checked) or
permanently once search hits have been loaded for an evidence object, i.e. even
when working with the normal directory browser (if fully checked). Search hits are
loaded after an evidence object has been opened as soon as search hits are listed.
This feature also applies to user search hits. Requires forensic license.
#7337 Highlights the various elements in FILE records of the NTFS file system, when
the cursor is located within such a record, to facilitate navigation and
understanding. Requires a specialist or forensic license. If half checked,
highlighting is attempted only on NTFS-formatted volumes, not in other file systems
and not on physical, partitioned disks.
#7336 Highlights FILETIME values in Disk/Partition/Volume and File mode. Useful
when manually inspecting files of various Microsoft formats which may contain more
timestamps than can be automatically extracted (try e.g. with index.dat, registry
hives, .lnk shortcut files etc.). Tooltips of the highlight will reveal human-
readable interpretation, though Data Interpreter will do that too (click on first
byte of timestamp). Half checked, only FILETIME values that are aligned at 4-byte
offsets are highlighted.
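The half-checked behaviour of #7336 (only FILETIME values at 4-byte aligned offsets are considered) can be shown with a small scanner. This is an added example, not code from WinHex/X-Ways; the plausibility window (1990 to 2040) and the sample buffer are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed plausibility window: values outside it are treated as noise.
WINDOW_LOW = datetime(1990, 1, 1, tzinfo=timezone.utc)
WINDOW_HIGH = datetime(2040, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Convert an aware datetime to a FILETIME integer (exact, no floats)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ft):
    """Convert a FILETIME integer back to an aware datetime (100 ns truncated to us)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def scan_filetimes(buf, aligned_only=True):
    """Return (offset, datetime) for every plausible little-endian FILETIME.

    aligned_only=True mirrors the half-checked option: only offsets that are a
    multiple of 4 are examined. False examines every byte offset (fully checked).
    """
    lo, hi = to_filetime(WINDOW_LOW), to_filetime(WINDOW_HIGH)
    step = 4 if aligned_only else 1
    hits = []
    for off in range(0, len(buf) - 7, step):
        ft = struct.unpack_from("<Q", buf, off)[0]
        if lo <= ft <= hi:
            hits.append((off, from_filetime(ft)))
    return hits


# Constructed sample: one FILETIME at aligned offset 4, one at unaligned offset 15.
TS_ALIGNED = datetime(2014, 4, 2, 0, 0, 0, tzinfo=timezone.utc)
TS_UNALIGNED = TS_ALIGNED + timedelta(hours=12)
SAMPLE = (
    b"\x00" * 4
    + struct.pack("<Q", to_filetime(TS_ALIGNED))
    + b"AAA"
    + struct.pack("<Q", to_filetime(TS_UNALIGNED))
    + b"\x00" * 9
)

if __name__ == "__main__":
    for off, ts in scan_filetimes(SAMPLE, aligned_only=False):
        print(f"offset {off:4d}: {ts.isoformat()}")
```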
#7335 Highlights file signatures right in the hex display (Disk/Partition/Volume
and File mode). Done by matching the signatures in "File Header Signatures Search
*.txt" to every single offset in the currently visible page. Will help you spot
start positions of well known data/file types, even if embedded within one another,
immediately, for example thumbnails in JPEG files, individual records in zip
archives, TIFF signatures in Exif metadata, certificates in Windows Registry hives,
etc.
#7351 Displays offsets and data in free space areas in a light gray color to make
those easy to recognize as such. Works with any file system supported for VS
creation in XWF.
#7352 Displays offsets and data in slack space areas of files in the color
specified for slack space below.
#7315 You may choose a font for the hex editor display, and decide whether the
standard Windows GUI font should be used for the other parts of the WHX/XWF (via an
additional checkbox).
#2F1F SHA-1 and TTH192 hashes can optionally be displayed in Base32 notation in the
directory browser, as common in P2P programs.
#2F38 File sizes can optionally always be displayed in bytes instead of rounded. If
the checkbox is half checked, that applies to items in volumes only, otherwise also
items on physical, partitioned media.
#2F3B Optionally, the actually used time zone conversion bias, including daylight
saving where appropriate, can be displayed right in the timestamp columns in the
directory browser.
#2F2F There is an option to display timestamps with a precision of milliseconds.
You may specify the number of digits after the decimal point (up to 3). Useful for
the file systems NTFS, Reiser4 and FAT, which provide for a higher precision than
seconds in all or some timestamps.
#2F61 There is an option to output dates in the directory browser and in some other
parts of the user interface in a nicer, longer and more locale-specific notation,
which can include the weekday and the name of the month based in your language or
in English. Also, that format is Unicode capable, which allows for example for
original Chinese notation of dates. Examples of how to represent the month (in
English): MMMM = April, MMM = Apr, MM = 04, M = 4. Example of a complete format:
d/MMM/yyyy (ddd) = 2/Apr/2014
#6D40 Extended attributes in NTFS are optionally included in the volume snapshot as
child objects of the directory or file to which they belong, with the name "$EA"
and marked in the Attr. column with "($EA)". Fully checked: all such attributes;
half-checked (default): only non-resident ones. Not checked, the clusters that
belong to non-resident extended attributes of existing objects will be covered by
the virtual file "misc non-resident attributes".
#6D5F Including logged utility streams (LUS) in NTFS in newly taken volume
snapshots is optional. Either all LUS can be included (if fully checked) or only
non-$EFS LUS (if half checked) or no LUS at all. Useful for NTFS volumes written by
Windows Vista, if you are not interested in $TXF_DATA LUS.
#6D60 Downloaded files in NTFS can be conveniently recognized if their alternative
data stream "Zone.Identifier" is represented as a label instead of as a child
object in the volume snapshot. That means you do not need to navigate to the child
object to find out what the child object might be. "ZoneId=3" as the label name
identifies files downloaded from the Internet.
#6D5D If enabled, allocated clusters in (ex)FAT file systems are skipped when
reading the data of deleted files, i.e. they are not necessarily assumed to be
contiguous, but assumed to occupy as many free clusters from the start cluster
number as are necessary for their size, while skipping clusters that are marked as
in use. Changing this option may affect files that are already contained in the VS,
thus changing this option will also cause hash values to change if they are re-
computed.
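The two reading strategies for a deleted (ex)FAT file described in #6D5D, as an added example that is not part of the original tooltips. The FAT is modelled as a plain list (index = cluster number, 0 = free); the sample volume is constructed.

```python
def deleted_file_clusters(start, size, cluster_size, fat, skip_allocated=True):
    """Reconstruct the cluster list of a deleted FAT file.

    A deleted file keeps only its start cluster and size; its FAT chain is gone.
    skip_allocated=False assumes the file was contiguous (start, start+1, ...).
    skip_allocated=True mirrors the enabled option: clusters whose FAT entry is
    non-zero are in use by something else and are stepped over.
    """
    if cluster_size <= 0 or size < 0:
        raise ValueError("invalid size or cluster size")
    needed = -(-size // cluster_size)  # ceiling division
    clusters = []
    c = start
    while len(clusters) < needed:
        if c >= len(fat):
            raise ValueError("ran past the end of the FAT before the file was complete")
        if skip_allocated and fat[c] != 0:
            c += 1
            continue
        clusters.append(c)
        c += 1
    return clusters


def read_deleted_file(volume, start, size, cluster_size, fat, skip_allocated=True):
    """Concatenate the reconstructed clusters and trim to the recorded file size."""
    data = b"".join(
        volume[c * cluster_size:(c + 1) * cluster_size]
        for c in deleted_file_clusters(start, size, cluster_size, fat, skip_allocated)
    )
    return data[:size]


# Constructed sample volume: 20 clusters of 4 bytes; clusters 11 and 12 are allocated
# to a live file ("LIVE"), the deleted file's data "ABCDEFGHIJKLMNOP" sits in 10,13,14,15.
CLUSTER = 4
FAT = [0] * 20
FAT[11], FAT[12] = 12, 0x0FFFFFFF  # live file chain 11 -> 12 -> EOC
VOLUME = bytearray(20 * CLUSTER)
for cl, chunk in ((10, b"ABCD"), (11, b"LIVE"), (12, b"LIVE"),
                  (13, b"EFGH"), (14, b"IJKL"), (15, b"MNOP")):
    VOLUME[cl * CLUSTER:(cl + 1) * CLUSTER] = chunk

if __name__ == "__main__":
    print(read_deleted_file(VOLUME, 10, 16, CLUSTER, FAT, skip_allocated=True))
    print(read_deleted_file(VOLUME, 10, 16, CLUSTER, FAT, skip_allocated=False))
```

Because the two strategies return different bytes, the hash of the deleted file changes when the option is toggled, exactly as the tooltip warns.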
#6D5C The extra effort that X-Ways Forensics makes to include deleted objects in
FAT32 file systems correctly in the volume snapshot is optional. If only half
checked, the extra effort is made only for subdirectories, not files.
#6D3D If you get read errors on a CD/DVD (e.g. because of scratches on the surface)
when the volume snapshot is taken, you know that not all sectors with the data
structures of the file system are readable. Listing the ISO9660 file system's
directory tree on CDs in addition to a possibly also existing Joliet file system
gives you a second chance to get all directories and files listed, if the
corresponding data structures of the same directories are located in readable
sectors in the ISO9660 area.
#6D61 Output of simple extended attributes in Apple file systems as special lines
in the Metadata column instead of child objects is optional. If included in the
Metadata column, the Metadata field will also be shown in Details mode.
#6D5E Not checked (default): All extended attributes deemed relevant by XWF are
processed and output either in the Metadata column if they are textual in nature or
as file contents of resident or compressed files or as links to related
directories, or as child objects that are marked in the Attr. column with (EA).
Half checked, "firstlink" and "quarantine" attributes are also output in the
Metadata column. Fully checked, even empty binary PLists and ordinary "Security"
attributes are output as child objects.
#6D37 For better results when matching hash values against special hash sets, only
the invariable header of loaded modules can be listed in main memory analysis.
#6D62 Selected, the initial VS just contains the contents of the top-level
directory, and is further completed step-by-step when exploring subdirectories.
This is how Windows Explorer works, and useful when dealing with slow and huge
network drives that would take a long time up front to scan completely. But very
different from the usual approach in XWF: will prevent you from getting a complete
listing of all files when exploring recursively, until you have manually explored
all subdirectories.
#6D63 Evidence file containers since v18.8 specifically remember the RVS status of
the files that they contain. If you accept this status, these files will not be
processed again even if you then run RVS on the container. You may not want to accept
the RVS status of files in containers, if you wish to apply more thorough settings
than may have been used before, or if an older, less capable version of XWF was
used to process the files.
#6D3E Causes deleted partitions to pass on their deleted state to everything that
they contain (files and directories), and deleted e-mail archives to pass on their
deleted state to all the e-mails, directories and attachments that they contain.
Not checked by default, because results in a loss of information, as depending on
the reference everything may be listed as deleted, even files/e-mails that from the
point of the file system/the e-mail archive still existed when the partition/file
was deleted.
#6D3C Adjusts the virtual free space file: net of clusters that were identified as
belonging to prev. existing files, to minimize the amount of space in file systems
that is read twice for logical searches. After changing this option or after
discovery of more previously existing files, the virtual free space file is updated
when it is opened next time. Relative offsets of search hits in this virtual file
may become wrong when it changes, so they cannot be used to navigate to the search
hits in File mode after that.
#6D6E Optionally, files on the logical drive letters A: through Z: can be opened
from within the directory browser with the help of the operating system instead of
with the built-in logic at the sector level. Please note that this is forensically
sound only for write-protected media. On writeable media, Microsoft Windows may
update (i.e. alter, falsify) the last access timestamp of files you open. Much
faster access to drives, though, especially on very slow drives.
#6D6F If fully checked, it has an effect on all read operations except logical
searches, indexing, and search hit context preview. If half checked, it has an
effect on all read operations except those three and on how files contents are
presented in File mode and in separate data windows. If checked (fully or half),
that is a useful setting to achieve file hash compatibility with ordinary (user
level) Windows applications. Not checked at all achieves hash compatibility with
ordinary forensic tools.
#6D3F Applies to Ext*, XFS, Reiser* and NTFS. Fully checked, all previously
existing files of which metadata only is known will be included in a volume
snapshot. If not checked at all, those files will be ignored. Half checked, only
files for which more than just the name or timestamps are known will be included,
but not directory entry remnants in Ext* or Reiser file systems.
#6D65 Quick snapshots without cluster allocation speeds up taking a volume snapshot
(in particular for the file systems Ext2, Ext3 and ReiserFS, and in particular also
when the volume snapshot files are created across a slow USB 1.1 interface or
network), however, causes WHX/XWF to lose its ability to tell each sector’s and
cluster’s allocation (for which file it is used). You may use the command "Take New
Volume Snapshot" of the Tools menu to update the view of a volume, e.g. after
unchecking this option.
#6D64 If enabled, all information on file systems in opened volumes collected by
WHX/XWF (Disk Tools menu and/or Specialist menu) remains in the folder for
temporary files even when WHX/XWF terminates. WHX/XWF can then reuse the snapshots
in later sessions. Volume snapshots of evidence objects in a case are always kept,
regardless of this setting, in that evidence object's metadata subdirectory.
#6D3A Keep more data of the volume snapshot in memory, e.g. for much quicker
sorting by timestamps.
#7462 Here you may activate the separate viewer component and specify the path
where it is located. Please note: the path is expected to point to the *parent*
directory of the "viewer" and "x64\viewer" directories.
#74CB If the internal graphics viewing library is used to view pictures, not the
viewer component, then optionally the picture viewer window can be closed
automatically when a new picture is viewed (if "View multiple pictures
simultaneously" is not selected).
#74D0 In that case an auto update option is available that allows to automatically
load the next picture into the single picture viewer window as soon as a new
picture is selected, one way or the other, for example with a single mouse click or
when defining a label for the preview picture or when pressing one of the arrow
keys. This should be useful mainly when working with multiple monitors, where the
picture viewer window remains on the 2nd monitor.
#7438 Also, you may specify which file types you prefer to view in the program that
is associated with their extension in your system, typically file types that the
separate viewer component does not support. There is a checkbox labelled "Append
type as extension if newly identified". It allows you to more easily get Windows
to run the right program for misnamed files, files without extension etc.
#74CC An alternative e-mail representation is available in Preview mode (also in
the case report). Attachments are not linked directly from this kind of e-mail
representation yet in Preview mode.
#74CE The e-mail headers can optionally be excluded (not Raw mode). Useful with the
standard e-mail representation if you would like to see more of the body of the e-
mail without scrolling. You can see subject, sender, recipient and dates already in
the directory browser, and attachments are listed when exploring the parent .eml
file.
#74C9 If enabled, text extraction from certain file types for logical searches and
indexing will be done by the viewer component in a separate process, such that if
the viewer component crashes or becomes unstable, it does not render the main
process (X-Ways Forensics) unstable or cause it to crash.
#74CA If enabled, the result of the text extraction from certain file types for
logical searches and indexing will be stored by X-Ways Forensics in the volume
snapshot for reuse when searching/indexing again, to save time. Will also keep the
results of an OCR operation, if applicable.
#7440 If the creation of thumbnails for pictures within large (e.g. solid RAR)
archives for gallery view is too slow, you may want to disable it. This will also
disable search hit context preview for search hits in files in archives.
#7437 If large JPEGs already contain embedded thumbnails and those have been
included already in the volume snapshot or if internal thumbnails have been
computed for large pictures, then they can be optionally used as auxiliary
thumbnails in the gallery to represent the main picture for significantly faster
gallery loading. Video stills, once exported, can be used to represent the video;
dynamically rotating if fully checked.
#7429 The gallery has its own "Dbl-click=View instead of Explore" 3-state option,
analogously to the directory browser. By default, double-clicking means View in the
gallery.
#745D There is an option to view files with a single click in the gallery instead
of with a double click. Useful for example if you wish to view certain pictures on
a separate monitor, where you do not have to close the view window to see the
gallery again, when not viewing all pictures one after the other (for which the
Page Up or Dn key is more efficient).
#745E Another option allows you to tag a file by clicking anywhere in the thumbnail,
not just in the tag square. That makes it more convenient to tag a large number of
files, and is more comfortable than selecting multiple files while holding the Ctrl
key.
#7435 The gallery can optionally show thumbnails for any file type supported by the
viewer component, including Office documents, PDF, HTML, e-mails, and pictures that
the internal graphics viewing library cannot display (e.g. .emf, .wmf, ...).
#7434 You can choose between normal, slightly shrunk and strongly shrunk
thumbnails of documents. Shrunk thumbnails show much more detail from an original
document and the original layout, but at the cost of readability. Larger fonts (in
particular captions) in an original document, if not shrunk, are typically readable
in the thumbnail and can already give you an idea what kind of document it is even
if you don't view it, so you can more quickly find the documents that you are looking
for.
#74C8 Thumbnails of true-color pictures can optionally be color-adjusted in the
gallery. This option is meant for law enforcement users whose job is to review
child pornography photos, to reduce the mental impact and stress level. If the
checkbox for this option is fully checked, the thumbnails will appear in grayscale.
If half checked, color swapping will take place in such a way that human skin will
appear very unnatural.
#743E Keep track of which files were already viewed and flag them visually with a
green background color around the tag. This is especially useful when reviewing
hundreds or thousands of documents or pictures over a longer period, to avoid
accidentally viewing the same documents multiple times. Rules are set via the button
to the right.
#6F68 To manually mark files as already viewed, you can press Alt in combination
with the cursor keys. Alt+Left removes the mark. You can also right-click the tag
area of a file in the directory browser to mark it as already viewed or to remove
that mark.
#6F6B When identifying duplicate files based on hash values, if one of the files
has been marked as already viewed, then this option marks the duplicates already
viewed, too. Fully checked, if duplicates have been identified already when files
are viewed, known duplicates within any open volume will also be marked as already
viewed (potentially slow in conjunction with gallery). This option also applies to
hard linked files in NTFS.
#6F66 Viewing a file is available via the context menu - or usually just by double-
clicking it.
#7B66 For all kinds of editing operations you choose whether they should be
reversible or not. If so, an internal backup is created before the operation takes
place.
#7B64 Automatically created backups for the internal use with the Undo command are
deleted by WHX/XWF when closing the file, if the corresponding option is fully
selected. If it is partially selected, they are deleted when WHX/XWF terminates.
#7C68 Before modifications to an existing file are saved (i. e. before the file is
updated), you are by default prompted for confirmation, but this behavior can be
changed.
#7C69 If any of the operations for RVS or Search crash when processing a file, this
option enables XWF, when started next time, to identify the file likely responsible
for the crash. Fully checked, should RVS crash the program, restarting the program
will also point out which suboperation exactly was applied to the problematic
file(s) when the program crashed. There may be multiple candidates for the
problematic file that triggered the instability if multiple worker threads were
active at the time of a crash.
#7C6F Unchecked, only exception errors with a potentially serious impact (like
considerably incomplete analysis results) will be brought to your attention in the
Messages window. Fully checked, all of them will be output, even those that occur
typically with corrupt files only and have no negative impact on other analysis
results. The middle state is a reasonable compromise. Regardless of this option,
exception errors will be noted in the error.log file.
#7C6B All notices and warnings output to the Messages window can optionally be
automatically saved in a text file “msglog.txt” in the installation directory. If
at that time a case is active, the notice/warning will be written to the msglog.txt
file in the log subdirectory of that case instead. Fully checked, even messages in
the Progress indicator window (descriptions of operations as well as names of
processed files) are output.
#7C67 Use the option Check for virtual memory changes to make sure the RAM editor
inspects the structure of virtual memory every time before reading from or writing
to it. If the structure has changed, a possible read error is prevented. Especially
under Windows NT the checking may result in a loss of speed. When editing the
"entire memory" of a process, WinHex generally never checks for alterations, even
if this option is enabled.
#7C6A Active by default in XWF. Ensures that saving and editing files is only
possible on certain drive letters, namely those that X-Ways Forensics even when
examining a live system can assume are located on the examiner's own media. They
are: 1) the drive letter that hosts the active case if one is active, 2) the drive
letter with the directory for temporary files, 3) the drive letter from which X-
Ways Forensics was run and 4) the drive letter that contains the directory for
image files.
#7C6C The key that is required for encryption and decryption can be entered in a
normal edit box. Optionally, you enter it blindly (asterisks are displayed instead
of the actual characters). In this case you have to confirm the key in a second
edit box to detect typos.
#7C6D By default, the key is kept in main memory (in an encrypted state) as long as
WHX/XWF is running, so that you do not have to type it again and again if you use
it several times. Possibly you prefer WHX/XWF to erase the key after use.
#7C0A Decide whether or not WHX/XWF shall prompt before executing a script, or only
before executing a script via the command line.
#7C71 Optionally, checksums with multi-byte accumulators (16-bit, 32-bit, and 64-
bit checksums) are computed byte-wise instead of adding units that are equivalent
in size to the accumulator itself, e.g. 4 bytes for 32-bit checksums. Both variants
exist in real life applications.
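Both checksum variants named in #7C71, side by side, as an added example (not WinHex code). Units are read little-endian and a trailing partial unit is zero-padded; both are assumptions, since the tooltip does not specify them.

```python
def checksum(data, width, byte_wise=False, byteorder="little"):
    """Simple additive checksum with an accumulator of `width` bytes (2, 4 or 8).

    byte_wise=True  : every single byte is added to the accumulator (the
                      "computed byte-wise" option in the tooltip).
    byte_wise=False : the data is split into units as wide as the accumulator
                      (e.g. 4 bytes for a 32-bit checksum) and each unit is added
                      as one integer. A trailing partial unit is zero-padded
                      (assumption; real implementations differ on this point).
    The sum wraps around at the accumulator width in both variants.
    """
    if width not in (2, 4, 8):
        raise ValueError("width must be 2, 4 or 8 bytes")
    mask = (1 << (8 * width)) - 1
    total = 0
    if byte_wise:
        for b in data:
            total = (total + b) & mask
    else:
        for i in range(0, len(data), width):
            unit = data[i:i + width]
            if len(unit) < width:  # zero-pad the last, incomplete unit
                unit = unit + b"\x00" * (width - len(unit))
            total = (total + int.from_bytes(unit, byteorder)) & mask
    return total


# Constructed sample input: eight bytes 0x01..0x08.
SAMPLE = bytes(range(1, 9))

if __name__ == "__main__":
    for width in (2, 4, 8):
        print(f"{8 * width:2d}-bit  byte-wise: 0x{checksum(SAMPLE, width, True):0{2 * width}X}"
              f"  unit-wise: 0x{checksum(SAMPLE, width, False):0{2 * width}X}")
```

For the same input the byte-wise sum is 0x24 regardless of width, while the unit-wise sum depends on the accumulator size, which is why a checksum reported by another tool only matches when both tools agree on the variant.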
#1A21 If checked, search hits for identical search terms are merged and made
accessible through the same item in the search term list. Useful when running
multiple searches for the same search terms. Unchecked, always produces a new item
in the search term list, even if the search term is identical to a previously used
one. Useful, if you run searches with different settings, in order to be able to
distinguish the resulting search hits later.
#1A35 File slack can be specifically targeted (for all files or, if only half
checked, for files that are not omitted) or ignored.
#1A2B Precondition: You are NOT interested in every search hit, but merely which
files contain any hits at all. Speeds up the search by skipping the remainder of a
file once the first hit has been recorded. Will obviously lead to incomplete search
results, so not safe to assume that "the most useful" or the "most important"
search hit in each file will be collected, nor will logical combinations of search
results be possible. However, each file with at least one hit will be found.
#1ABD Files that have been identified as irrelevant by hash database matching (fully
checked: any known files, i.e. including the notable) can be omitted from a logical
search to save time and reduce the number of irrelevant search hits. The slack of
such files is still covered if the option "Open and search files incl. slack" is
fully checked, so that this option has a higher priority. If only half checked, the
slack of such files is omitted, too.
#1ABE Files that have been excluded by the user can be omitted from a logical
search to save time and reduce the number of irrelevant search hits. The slack of
such files is still covered if the option "Open and search files incl. slack" is
fully checked, so that this option has a higher priority. If only half checked, the
slack of such files is omitted, too.
#1ABF Files that are filtered out by an active filter can be omitted from a logical
search to save time and reduce the number of irrelevant search hits. The slack of
such files is still covered if the option "Open and search files incl. slack" is
fully checked, so that this option has a higher priority. If only half checked, the
slack of such files is omitted, too.
#1AC0 E-mail archives (MBOX and DBX) and file archives (ZIP, RAR etc.) will not be
searched if their respective child objects have been included in the VS. In that
case only those extracted e-mails and files will be searched, in their natural
(unencoded and uncompressed) state. This may be reasonable for keyword searches and
in particular for indexing, but not necessarily for technical searches for
signatures etc.
#6C33 Fully checked: existing and previously existing items are grouped, i.e.
sorted separately. Half checked: previously existing items with question mark icons
and those with red X icons are grouped separately as well, i.e. a total of 3 groups.
A small symbol with either one or two horizontal dividers indicates whether the list
is split up into two or three groups, also in the header of the column that is the
primary sort criterion.
#6C29 Double-clicking a directory will explore it. Double-clicking an ordinary file
will view it. This option controls whether files with child objects will be
typically viewed or explored on a double-click. If the checkbox is half-checked,
you will be prompted.
#6D31 Files can optionally be opened and searched including their slack. The middle
state of this checkbox makes a difference only for logical searches.
#6C3E Half or fully checked: The ".." item is listed at the top of the directory
browser representing the parent directory. Fully checked: the "." item is also
displayed, representing the currently explored directory, i.e. the one you are in.
Useful if for example you wish to see certain metadata (e.g. timestamps) of the
parent object at the same time as metadata of its child objects, or to be able to
select it for e.g. Details mode.
#6C34 Listing the root directory of a volume in the directory browser, in the root
directory itself, actually, is kind of illogical, but can be very helpful to see
that directory's timestamp (if any, depends on the file system) or to quickly
navigate to its clusters (if any, also depends on the file system) or as another
place where to quickly tag or untag all items in a volume.
#6C5F Listing the internal files of the file system is optional in the normal
directory browser. This affects for example the various $* files in NTFS.
Specifically in X-Ways Investigator those files are no longer listed as they are
irrelevant to non-technical examiners (the target group of X-Ways Investigator) and
might confuse them because they are not familiar with them from using ordinary
high-level computer software.
#6C37 Listing subdirectories when exploring recursively is optional. They are not
needed for navigation if all files from all subdirectories are already listed and
may distract you when you are merely interested in viewing files. By default this
option is half-checked. In this state, directories are listed when exploring
recursively only if a filter is active that is applicable to directories and
filters are actually applied to directories, too.
#6C3C Applying filters to directories, too, is optional. Most often users
employ filters to focus on certain files, not directories, and they may still need
the directories listed in order to be able to navigate to the files of interest.
#6C3A The selection statistics are displayed below the directory browser. Computed
recursively, they reveal how many files and how much data are contained in the
selected directories (or files with child objects), taking any active filters into
account. Disabled, only the direct selection is shown, without child objects. In
the middle state, both the direct selection and the total of direct and indirect
selection are shown.
#6C2D Non-recursively means (un)tagging a file or directory in the directory
browser has no effect on parent or child objects or parent directories or
subdirectories. Recursively, it is not possible to have an untagged parent object
whose child objects are all tagged. Half-checked means that child objects still
inherit the tagged state from their parent at the moment when they are newly added
to the volume snapshot, e.g. when you extract e-mail and attachment from a tagged
e-mail archive.
#6C27 Non-recursively means including/excluding a file or directory in the
directory browser has no effect on parent or child objects or parent directories or
subdirectories. Useful for example if all child objects of a file should be
processed in volume snapshot refinement or searched, but not the parent object.
#6C31 Takes 4 to 6 times more time than the highly optimized standard Unicode
sorting (noticeable when sorting millions of files), but has several useful
settings and characteristics:
#6B66 Special treatment of hyphens and apostrophes (they are treated differently
from other non-alphanumeric characters to ensure that words such as "coop" and
"co-op" stay together in a sorted list).
#6B67 Treat decimal digits as numbers, e.g. sort "2" before "10" (not useful for
hexadecimal notation, available under Windows 7 and later only)
#6B68 Treat half-width and full-width characters the same (full-width characters
are sometimes used by East Asians when writing English language letters)
#6B65 Ignore kana type (treat corresponding Japanese hiragana and katakana
characters the same)
#6B2D Sort search hits by their data and context instead of just by the search
term. Makes a difference only for regular expressions that match variable data, so
the sorting is by the actual data, as opposed to the more generic search
expression. Continuing sorting by the text that follows the search hit if the hit
data is the same will show identical or similar text passages next to each other.
More characters means more memory is needed for sorting.
#6C3B Optionally, after start-up, the directory browser can be left unsorted,
for performance reasons. That means the program will forget the sort criteria
in use last time. If selected, there will also be no sorting when turning off
all filters with a single mouse click, to avoid longer delays when suddenly all
files are listed again recursively.
#6C38 Directory browser settings (in particular column width, filter settings and
sort orders) can be optionally stored in cases and reactivated when loading cases
(if stored by a compatible version).
#6C3F Sender and Recipient columns will be included if at least one extracted
e-mail message is in the visible portion of the directory browser, otherwise not.
The columns with alternative timestamps can also be shown dynamically, i.e. only
when items that have such timestamps in the volume snapshot are displayed in the
visible portion of the directory browser.
#6C2E The 1st sector column can optionally show physical start sector numbers for
files in partitions (counted from the start of the physical disk or disk image)
instead of logical start sector numbers, if the partition was opened from within
the physical disk/disk image. In that case the column label contains a P in a
circle (P for physical). Only for ordinary partitions, not Windows dynamic volumes
or LVM2 volumes.
#6C39 An option exists to show the file type ranks in the Type status column, which
also causes sorting by that column to sort by those ranks. Ranks are defined in the
File Type Categories.txt file.
#6C26 A special file icon for pictures is available, very useful when your main
focus is on such files. Depending on whether the check box is fully checked or half
checked, symbols like question marks, arrows, scissors, hammers, etc. that further
reveal the status of the file get superimposed additionally or not. If not, that is
easier on the eye. You can still tell the exact deletion status from the
Description column, and the rough deletion/existence status is still obvious from
the contrast of the icon.
#6C20 Allows specifying rules according to which individual directory browser
cells, or the entire row affected, or an entire column (regardless of individual
entry values) are colored to make certain details stand out and be more easily
noticed.
#D4DA Recognize evidence objects that are physical media (not images) by their own
intrinsic properties, not by the Windows disk number. The advantage is that you may
add multiple hard disks or external USB disks or sticks to the case that are
attached to the computer at different times and get the same disk number assigned
by Windows. Another advantage is that if the number of the same disk as assigned by
Windows changes, X-Ways Forensics will still recognize the disk.
#D4D1 Case files can be password-protected. This does not involve encryption and is
just a kind of lock. If the password is lost by a user, case files saved by X-Ways
Investigator can be unlocked with a super-user password if such a password had
already been entered in the installation used at the time when the case file was
saved (undocumented, details on request).
#D4CD Optionally, the evidence object subfolders in the case folder are always
suggested as default output folders for files recovered/copied off a file system.
You may wish to disable that feature if your preference is to copy files from
various evidence objects into the same output folder.
#D4C9 You may enable or disable the automated log feature for the whole case.
#D563 Enabling this means that XWF tracks search results, RTAs etc. on a
user-specific basis, thus allowing the options below. Not distinguishing between
different users is useful if only you will process that case; even if you process
it on different computers where you have Windows accounts with different SIDs, you
will always be treated as the same user. Also useful if multiple examiners are
going to process the same case at different times and wish to share all their
results directly.
#D564 Another multi-user support option coordinates certain kinds of accesses to
volume snapshots (related to adding items to the snapshot as well as editing
comments and metadata) more carefully. It may have some performance benefits if
disabled. Disabling this synchronization is recommendable only for cases that are
definitely only processed by 1 user at a time.
#D565 XWF remembers the "tagged", "already viewed" and "excluded" status of files
separately for each examiner. Adopt the "already viewed" status of files in volume
snapshots from all other examiners when opening evidence objects to avoid duplicate
work, if you do not wish to review files that were reviewed by any of your
colleagues already. Individual file statuses (tagged, etc) and search hits of other
users are lost if one examiner removes items from the VS.
#D56F Shared analysis mode can be useful even for the first of many simultaneous
users that open the same case, because only in that mode are newly created labels
shared out to other simultaneous users at regular intervals (depending on the
case auto-save option).

This can alternatively be achieved by checking the [x] Options checkbox when
opening a case.
#D568 Choose whether or not users get to see labels of other users or only their
own associations (or, if half checked, only their own associations plus those of
unknown users). The same file can be assigned the same label only by 1 examiner.
#D569 Half checked: initials are shown in the user interface only; fully checked:
also externally, i.e. in a case report, exported list, Recover/Copy log, print
cover page and evidence file container.
#907E Fully checked: force decomposition of V1 GUIDs into timestamp, sequence
number and MAC address; half checked: only do so if the timestamp is not too
implausible; unchecked: never decompose, always show in a format like
{E0FFD8FF-1000-464A-4946-000102000001}
#6E33 Existing and previously existing volume shadow copy host files are checked
for valuable information that would not be available otherwise, such as files that
cannot be found in the current $MFT any more or previous versions of files whose
contents have changed. Those files will be reconstructed up to 1 GB in length
according to the shadow copy. Processing of volume shadow copies, if any, occurs
before all the other operations that are part of the particularly thorough file
system data structure search.
#6E3B Avoid adding previous versions of files if they are exact duplicates
(identical file contents), so that it is much easier to focus on files for which
previous data is actually still available. Even if modification dates are
different, the file contents are often the same for files installed by the
operating system. Fully selected, XWF will compare files up to 128 MB; if half
selected, only up to 16 MB, so as not to waste too much time on this feature.
#6E39 FILE records can optionally be searched everywhere, in sectors that neither
belong to the current MFT nor to a volume shadow copy (VSC) processed by the
above-mentioned option. Such FILE records can be found e.g. in free space after a
partition has been recreated, reformatted, moved, resized, or defragmented. Time
consuming on very large partitions.
#6E34 Current $LogFile and old versions of $LogFile found in VSC can be exploited.
The contents of deleted files can often be reconstructed thanks to $LogFile. Index
record remnants in $LogFile can be exploited that either reveal previous names or
paths of renamed/moved files/directories that were known to the volume snapshot
before or deleted files that the volume snapshot was not aware of before.
#6E40 You can indicate whether you are interested in earlier names and paths of
renamed/moved files and directories or not. If the checkbox for earlier names/paths
is half checked, you may find earlier names/paths of renamed/moved files in the
Metadata column and don't get additional files in the volume snapshot for each
earlier name/path.
#6E3F You can also indicate whether you are interested in including traces of files
in the volume snapshot whose clusters are unknown and for which only name, size,
timestamps and attributes are available.
#6C28 File counts can optionally be displayed in the directory browser at the end
of the names of directories and files with child objects. If fully checked, that
will happen also in the directory tree in the Case Data window.
#6C2A By default, the Path column displays a partial path from the current
exploration base when exploring recursively. If fully checked, a partial path
starts with the subdirectory name. If half checked, it starts with ...\ to point
out the omission.
#57BD Fully ticked, even known notable files will be omitted - as they are known to
be notable, further processing may well not be required.
#57BF Please ensure, if using this option, that only the files you truly wish to
not see processed are currently filtered out!
#577D Instead of processing only the current volume snapshot, extend the processing
across multiple, or indeed all, volumes in the case.
#5763 If enabled, certain previously valid timestamps of files are output as events
during various suboperations of the particularly thorough file system data
structure search on NTFS, which may also affect other operations whose primary
purpose is not the retrieval of timestamps/events. (See "Extract internal metadata,
browser history and events" for the regular event provision functions.)
#57C0 See Description column "Hard link" and "Hard link, optionally omitted" for
files affected.
#7327 The Sector reading cache accelerates sequential disk access by the disk
editor. This option is recommended particularly when scrolling through CD-ROM and
floppy disk sectors, since the number of necessary physical accesses is
significantly reduced.
#7357 For the most complete dark screen experience you would change your entire
Windows system to a dark theme. The easiest way to achieve that not only for
"apps", but also real desktop applications, is to activate the black high contrast
theme. In Windows 10 you would go to PC Settings | Personalization | Settings for
high contrast | Activate high contrast | Contrast black.
#2F2D Fully/half checked: different symbols in Existent column represent
existing/prev. exist./virtual. Not checked: uses words yes/no/virtual instead.
#2F3C If the Created date is greater (read: later) than the Modified date, then the
file was likely copied in Windows, which creates this precise situation. This
option adds the word "copied" to the Description to illustrate this fact.
#6C25 Use checkmarks instead of squares for tagging. Alternatively, use buttons on
the right to define color gradient for the squares.
#6C78 Flex Filters can target any column in the ordinary directory browser that the
user wishes to focus on, with an arbitrary number of substrings, and they can be
combined with a logical OR or a logical AND. So this makes them the only filters
that can be combined with one another with a logical OR.
#6D5B A user-designated copy of the FAT table can be used, or otherwise the one
that is defined as active in the boot sector (in case of FAT32). If neither the
user selects a copy nor the boot sector defines a single copy as active, the first
copy will be used, labelled as "FAT 1".
#6D35 Allows running a more in-depth parsing of deleted directory entries during
the initial creation of the volume snapshot, even if they are misaligned in
relation to the current directory entries. This might find additional previously
existing files in Ext, at a likely manageable risk of finding some garbage entries
as well.
#6D41 Newly discovered names (e.g. e-mail subject lines of original .eml files or
names of files in iPhone backups) can become the main filenames in a volume
snapshot (and thus also potentially part of paths if they have child objects), so
that the original names as per the file system become alternative names, or they
can become the alternative names themselves, displayed in a lighter color after the
main names in square brackets as additional information. If half selected, only
subject lines found in original .eml files become main names.
#6D43 Assigns all fragmented files in a newly created volume snapshot a special
label.
#6D3B Convert certain RTF-formatted e-mail bodies from Outlook e-mail archives to
plain UTF-8 (when extracting e-mails) to be able to better view generated .eml
files in external e-mail clients and to allow for the alternative .eml preview.
#6D42 Alternative interpretation of extended timestamps has an effect when
including the contents of file archives in the volume snapshot.
#6E35 Similar to the procedure for FAT. Checks the entire volume for previously
existing directory structures whose contents are no longer known from corresponding
inodes (these would have been looked at as part of the regular volume snapshot
already). Such directories are listed with a generic name, usually in "Path
unknown", but potentially in the root directory, if that is where they existed
previously.
#6E32 Certain previously existing files that otherwise would be presented only with
file system metadata and no contents can be associated with data using the
Ext3/Ext4 journal.
#5772 FAT: Searches for orphaned subdirectories that are no longer referenced by
any other directory.

Btrfs: Searches for orphaned nodes of the FS tree.

NTFS/Ext*: see suboptions


#D4D0 Automatically verify the hash value when adding an image to a case, if such a
hash value is present, or (if the checkbox is fully checked) to compute the hash
value from scratch if the image doesn't have one.
#D566 To view all the results of a colleague (labels, search hits, tagged status,
already viewed status of files, exclusion status of files), you can open the case
in read-only mode as him or her. For that, try the "Options..." checkbox when
opening a case. Disabling this option prevents your colleagues from opening the
case in read-only mode as you.
#747D To use OCR, the path to the Tesseract package (available from X-Ways
downloads) needs to be set here.
#74D2 Determines whether selecting a directory in Preview should attempt displaying
a full subdirectory tree from there, and if so, which details to include.
#74D5 Listing the individual files within a directory tree preview might take a
very long time - and just getting a list of the files in a directory could be much
more easily achieved by just looking at the file listing in the directory browser
instead.
#74D6 Exif orientation instructions (for picture rotation and/or flipping) can be
either applied strictly (fully checked) or only when X-Ways Forensics determines
that they still need to be applied.
#6F65 Viewing files with Preview counts as "already viewed" only after an optional
delay.
#6F69 Once a file is known to be irrelevant, it is no longer worth viewing, so
might as well be treated as "already viewed" - or rather, already judged without
viewing.
#6F6A Literal viewing of a zero byte file is a rather meaningless operation. Treat
them as already viewed for this reason.
#9087 Parses 16 bytes and either displays them in a form like
{E0FFD8FF-1000-464A-4946-000102000001} or parses them further to decompose them
into MAC address and timestamp, if possible, depending on the option to the right.
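The GUID decomposition described in #907E and #9087, as an added example that is not X-Ways code: it reads 16 bytes in Windows (mixed-endian) GUID layout, renders the braced string, and decomposes the RFC 4122 version-1 fields (60-bit timestamp in 100 ns ticks since 1582-10-15, clock sequence, node/MAC) under the three checkbox states. The sample bytes are a constructed JFIF/JPEG header, which is exactly the case where a random-looking byte run yields the tool tip's example string and an implausible timestamp; the plausibility window (1980 to 2100) and the function names are this example's own assumptions.

```python
"""Decompose 16 raw bytes as a version-1 GUID (added example, not X-Ways code)."""
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_TO_UNIX_100NS = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumed plausibility window for a v1 timestamp (not a documented X-Ways value).
PLAUSIBLE_FROM = datetime(1980, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_UNTIL = datetime(2100, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the first 16 bytes of a JFIF/JPEG file. Read as a GUID they
# give the {E0FFD8FF-1000-464A-4946-000102000001} string shown in the tool tip.
JFIF_HEADER_BYTES = bytes.fromhex("FFD8FFE000104A464946000102000001")


def split_fields(raw: bytes):
    """Split 16 bytes in Windows GUID layout: first three fields little-endian,
    clock sequence big-endian, node as-is."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    time_low = int.from_bytes(raw[0:4], "little")
    time_mid = int.from_bytes(raw[4:6], "little")
    time_hi_and_version = int.from_bytes(raw[6:8], "little")
    clock_seq_field = int.from_bytes(raw[8:10], "big")
    return time_low, time_mid, time_hi_and_version, clock_seq_field, raw[10:16]


def format_guid(raw: bytes) -> str:
    """Render the bytes in the usual {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} form."""
    tl, tm, thv, cs, node = split_fields(raw)
    return f"{{{tl:08X}-{tm:04X}-{thv:04X}-{cs:04X}-{node.hex().upper()}}}"


def build_v1_guid(unix_seconds: int, clock_seq: int, node: bytes) -> bytes:
    """Encode a version-1 GUID in Windows byte order (used here to build test data)."""
    ts = unix_seconds * 10_000_000 + UUID_TO_UNIX_100NS
    time_low = ts & 0xFFFFFFFF
    time_mid = (ts >> 32) & 0xFFFF
    time_hi_and_version = ((ts >> 48) & 0x0FFF) | 0x1000   # version nibble = 1
    clock_seq_hi = ((clock_seq >> 8) & 0x3F) | 0x80         # RFC 4122 variant bits
    clock_seq_low = clock_seq & 0xFF
    return (time_low.to_bytes(4, "little") + time_mid.to_bytes(2, "little")
            + time_hi_and_version.to_bytes(2, "little")
            + bytes([clock_seq_hi, clock_seq_low]) + node)


def decompose_v1_guid(raw: bytes, mode: str = "plausible"):
    """Decompose according to the checkbox state: "never" (unchecked), "plausible"
    (half checked: only if the timestamp is plausible) or "force" (fully checked).
    Returns None when the bytes are not decomposed."""
    if mode == "never":
        return None
    if mode not in ("plausible", "force"):
        raise ValueError("mode must be never, plausible or force")
    tl, tm, thv, cs, node = split_fields(raw)
    version = thv >> 12
    ts = ((thv & 0x0FFF) << 48) | (tm << 32) | tl           # 60-bit timestamp
    # 60 bits of 100-ns ticks reach only year ~5236, so this never overflows.
    dt = UNIX_EPOCH + timedelta(microseconds=(ts - UUID_TO_UNIX_100NS) // 10)
    plausible = PLAUSIBLE_FROM <= dt < PLAUSIBLE_UNTIL
    if mode == "plausible" and not plausible:
        return None
    return {
        "guid": format_guid(raw),
        "version": version,            # reported, not required to be 1
        "timestamp_100ns": ts,
        "datetime": dt.isoformat(),
        "clock_seq": cs & 0x3FFF,
        "node": ":".join(f"{b:02X}" for b in node),
        # RFC 4122: a set multicast bit means a random node, not a real MAC.
        "node_is_random": bool(node[0] & 0x01),
        "plausible": plausible,
    }


if __name__ == "__main__":
    real = build_v1_guid(1577836800, 0x1234, bytes.fromhex("001122334455"))
    for sample in (real, JFIF_HEADER_BYTES):
        for mode in ("never", "plausible", "force"):
            print(format_guid(sample), mode, decompose_v1_guid(sample, mode))
```

The JFIF bytes carry version nibble 4 and a timestamp far beyond 2100, so they are rejected in "plausible" mode and decomposed only when forced.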
#7C72 Certain metadata about large .e01 evidence files is kept in separate .xmet
files to speed up reopening in XWF next time. Fully checked, .xmet file is stored
in the same directory as the image, benefits other cases/users as well. Half
checked, .xmet file is stored in the evidence object's metadata directory of the
current case; use the latter if the image is stored on a write-protected drive.
#7C64 If an .e01 evidence file is found to have a very inefficient layout (less
than 32 chunks per table section or compressed chunks with a compression ratio of
less than 0.1%), that is brought to the user's attention so that they can avoid
whatever software or hardware created that image.
#7C65 Whether a password verification hash for .e01 evidence files created with
256-bit AES encryption is included in the .e01 evidence file or not is up to you to
decide. The hash allows X-Ways Forensics to check whether the password that you
enter when opening such an image is correct.
#7C66 The CRCs in .e01 chunks can be automatically checked on the fly when chunks
are read, and any discrepancies will be reported in the Messages window. This costs
a little computing power.
#1A2A For full regular expression rules, see "Search Options" in the program help.
#1A22 Case sensitive search; with additional option on the right, only for those
search terms that start with case: at the beginning of the line.
#1A76 Allows e.g. treating accented characters like é as their non-accented
equivalent, by creating adjustment rules like é>e. Character adjustments are
*always* case-sensitive, even if the rest of the search is not. To have upper case
adjustments as well, additional lines for the upper-case equivalent are needed.
#1AC7 In current Windows installations often between 10,000 and 100,000 hard links
of system files exist. Searching only one hard link per file typically omits
several GB of duplicate data and yet nothing is missed. Optionally omitted hard
links are identified as such in the Description. Search hits in hard links are
marked "-> Links!" in the Descr. column to remind you of the other hard links of
the same file in case those search hits are relevant.
#1A89 Apply search to various metadata of files in addition to the file contents;
specifically, to any selected directory browser column such as Name, Author,
Sender, Recipients or Metadata (see button on the right), otherwise individually
searchable by filters, of course.
#6C08 Align path at left or right hand edge of column
#7044 In order to overrule the regular sort order (by ev. obj. and int. ID = by
Unique ID), first list all (!) items in the case root window, sort them as desired
and then select this option
#7043 Sorting by evidence object and int. ID = sorting by Unique ID
#704F [x] thumbnails REPLACE pictures outright
[/] original pictures are copied and linked from thumbnails (if appropriate option
chosen above)
#7048 e.g. full EXIF parsing instead of metadata digest
#74CF For Preview purposes, this can be changed on the fly by clicking "VC" button
while in Preview
#7474 Unlike regular text included in spreadsheets (which can be searched by simply
using the "Decode text" option in the search, like for other document types),
numbers and dates are stored as binary data in spreadsheets. If a search uses dates
or numbers as search terms and hits in spreadsheets are potentially of interest,
this option makes numbers in spreadsheets text for search purposes.
#B4C8 A strict AND combination (fully checked) requires that all targeted
timestamps are actually present/available. A soft AND combination (half checked)
requires only all available timestamps to meet the condition (and at least one must
be available). Not checked means OR combination (just one of the selected
timestamps has to match).
#BD2C E: encrypted at filesystem level
e: encrypted in archive (whose password was not found)
e!: file type specific encryption (pw protection/DRM)
#BD2D high entropy, possibly fully encrypted
#BD2E NTFS reparse points (also used for WofCompression)
#BD2F NTFS alternate data streams, resource forks in HFS+/HFS
#BD30 NTFS attributes Logged Utility Stream, Index or Bitmap
#BD36 Extended Attribute
#BD31 compressed in an archive
#BD32 C: Compressed by the file system
~: sparse storage
#BD33 Offline attribute
#BD34 Temporary
#BD35 Have Object ID
#BD37 Hidden
#BD38 Contents only partially initialized
#BD39 Open or write-locked files in OS dir list
#BD3A Found in shadow copy
#BD3B Prev. version found in shadow copy
#BD6F Linux/Unix "Set User ID"
#BD6E Linux/Unix "Set Group ID"
#BD6D Sticky bit set
#BD61 Any of the above set Unix permissions will suffice
#BD62 All of the above set Unix permissions required
#BD63 Exactly the above set permissions and no others
#BD3C Symbolic links refer to other files/directories by name and (optionally) path
#BD3D Special files can be:
b - block device file (storage devices, partitions, etc.)
c - character device file (e.g. audio devices, keyboard, mouse, etc.)
p - officially called FIFO, commonly known as a "named pipe"; used for process
communication
s - Socket, alternatively used for process communication
#BD3E Found via Journal
#6C24 Multiple filters are usually AND combined (to show only items that match all
currently active filters); enabling OR filtering changes that to show any items
that match at least one of the currently active filters.
#2FC9 Half selected: adds more specific description, particularly for child
objects, which can be identified as still images, attachments, alternate data
streams, etc, as appropriate. Full check would add "file" and "directory" a lot.
#2FCF Shows internal refinement state for each file:
[Emb]: checked for embedded data to uncover
[Arc]: file archive checked for content
[Enc]: encryption test already performed
[Ext]: e-mail or e-mail archive checked for extractable content
[Met]: checked for internal metadata
[Xtn]: created by an X-Tension
#2FCD Refers to details like "extracted text", "with attachment" or "file contents
unknown"
#6F0A Choose a different first color for the "already viewed" color gradient
#6F0B Choose a different second color for the "already viewed" color gradient
#D4D9 Each case gets its own subdirectory !temp - this option controls whether that
one or the generic temp (set in General Options) is to be used for this case.
#D4DE Each case gets its own subdirectory !images - this option controls whether
that one or the generic Images (set in General Options) is to be used for this
case; when activated, a different case specific directory can be specified in the
box below.
#D4CC Activity logging using screenshots (full check) vs a text representation
(half check): the text representations are more space efficient and also
searchable, copy/paste capable and never limited by visual space, i.e. nothing is
cut off by scrollbars etc.
#5787 Either only after step 2 or (if fully checked) also after step 1. NB:
Snapshot backups can be restored through the context menu of the respective
evidence object in the Case Data window.
#7405 To add more languages to this list, you can download further trained data
packages from https://github.com/tesseract-ocr/tessdata/ and add them to your
tessdata directory
#576C Output results as labels in addition to the output in the "Hash set" column,
either for all matches or only those with hash sets of the notable type.
#7061 [x] Output properties of both the case and the evidence objects, as well as
optional extras below
[/] Output properties of just the case, as well as optional extras below
#7067 Outputs a list of only those search hits that have been marked as "notable"
in the search hits list
#707A Report is produced in HTML form and then
[ ] remains like that
[x] is converted to PDF, with the HTML then discarded
[/] is converted to PDF, with both versions remaining in the end
#7063 [x] List all the files associated with the selected labels as report tables
[/] Only list the selected labels themselves, none of the files
[ ] Don't mention the labels
#7046 If a file is associated with multiple labels selected for output as a report
table
[ ] the file is listed/copied/linked for each report table that refers to it
[x] the file is listed/copied/linked only for the first report table that refers to
it
[/] the file is listed for each, but copied/linked only for the first report table
that refers to it
#703D [ ] eml files are copied out normally
[x] HTML presentations are created instead, making e-mails more convenient to view
[/] eml files are copied out normally, but named .txt instead
#7049 For HTML presentations of e-mails, the full e-mail headers are shown in a
separate box at the bottom of the output, unless this option contradicts
#70D9 For each report table entry, the output can either show the thumbnail above
the metadata fields output, or the other way around
#70DB In case files are not yet hashed in the volume snapshot anyway