WinHex – Feature Overview

This paper was originally written 10 Sept 2021, for Professor Leinecker's Digital Forensics I class.


This paper will provide a rough overview of several features that WinHex, a digital forensics tool, offers. To begin, WinHex can be used to view the hex and ASCII contents of a file or file system, recover a file, look at recently deleted files on a file system, alter a file at the hex or ASCII level, and much more. It contains a plethora of tools, all designed to be used in digital forensics investigations. 

One such tool is the Compute Hash tool, which is accessed through the Tools menu. It takes a file and computes a hash of any supported type over the contents of that file. The most commonly used hashes are MD5 and SHA-1, but there are many others, such as SHA-256 and RIPEMD-128. In a digital forensics investigation, and elsewhere, hashes are used as a form of integrity check. A hash value is, in theory, a unique value assigned to a file based on its contents. The data in the file is run through an algorithm, such as those listed earlier, and the resulting value will change if any of the data in the file is modified. This allows a reader to be confident that the data in a file has not been altered, so long as the hash value is the same as it was earlier.
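The integrity check described above, as an added example in Python rather than anything from the paper or from WinHex itself: hash a constructed sample file with the algorithms named in the text, record the digest the way an examiner would at seizure, then flip a single bit in the file and show that the recorded digest no longer verifies. File hashing is done in chunks so the same code works on images larger than memory. The sample file content and its name are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms named in the paper; all three are available in Python's hashlib.
ALGORITHMS = ("md5", "sha1", "sha256")


def compute_hashes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Return {algorithm name: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(path: str, expected_digest: str, algorithm: str = "sha256") -> bool:
    """Integrity check: does the file still hash to the value recorded earlier?"""
    # compare_digest is constant-time; not strictly needed here, but a good habit for digest comparison.
    return hmac.compare_digest(hash_file(path, algorithm), expected_digest.lower())


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Return a copy of data with one bit toggled, to show how sensitive the hash is to any change."""
    buf = bytearray(data)
    buf[byte_index] ^= 0x01
    return bytes(buf)


def demo_tamper_detection() -> tuple:
    """Write a constructed file, record its SHA-256, tamper with one bit, re-check.

    Returns (verified_before_tamper, verified_after_tamper)."""
    original = b"Constructed sample evidence file: notes.txt contents.\n"  # constructed, not real evidence
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")
        with open(path, "wb") as f:
            f.write(original)
        recorded = hash_file(path, "sha256")  # the value an examiner would write down at acquisition
        before = verify_integrity(path, recorded)
        with open(path, "wb") as f:
            f.write(flip_one_bit(original))   # a single bit changes, the file length does not
        after = verify_integrity(path, recorded)
    return before, after


if __name__ == "__main__":
    sample = b"abc"
    for name, digest in compute_hashes(sample).items():
        print(f"{name:7s} {digest}")
    print("one bit flipped:", compute_hashes(flip_one_bit(sample))["sha256"])
    print("verified before / after tamper:", demo_tamper_detection())
```

Running the script prints the three digests of `abc`, a completely different SHA-256 for the one-bit variant, and `(True, False)` for the verification before and after tampering. Note that verification only proves the file matches the recorded digest; the recorded digest itself has to be protected (for example in a signed or witnessed acquisition report), or an attacker who can change the file can change the note as well.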

Another tool in WinHex is the HexConverter. This, too, is accessed through the Tools menu. It takes either a hexadecimal or a decimal number and converts it to the other form. For example, if one enters A203 in the hexadecimal field, 41475 is returned, which is the decimal equivalent. This is very useful for making measurements more understandable. If you were to present hexadecimal values to a jury, they may become confused or frustrated, as very few lay people understand hex well enough to relate it to their own experience. Using this tool to convert hex to decimal allows a jury to better understand the evidence being shown and come to a more rational, well-thought-out conclusion, without changing the underlying truth behind the evidence or data.

One last tool to discuss is the Clone Disk tool. This can be accessed through Tools -> Disk Tools -> Clone Disk. This tool allows you to make an exact copy of a disk to another device. This is very useful to investigators, as you never want to do analysis on an original piece of evidence, or risk accidentally or intentionally modifying that evidence. Misuse of original evidence could mean the evidence being thrown out, or the entire case being declared a mistrial.

This tool has several options you can adjust. You can choose to copy the entire medium, meaning the whole disk is copied over, or you can copy a specific range of sectors from the source. You can label any sector that can't be read, which makes identifying damaged or corrupted sectors a lot easier. You can also skip damaged areas altogether, the benefit being that the copy takes up less space on the target.
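To make the sector-copy options concrete, here is an added example in Python that is not part of the paper and does not reproduce WinHex's implementation. It models a source drive as a list of sectors, some of which fail to read, and clones either the whole medium or a sector range in order. An unreadable sector is either labelled (written to the image as a fill pattern) or skipped, mirroring the two options described above. The example then hashes the image against a perfect read of the medium, which ties the clone back to the integrity check from the Compute Hash section: the image hash only matches the source when every sector was copied verbatim. The sector contents, the sector size and the `UNREADABLE` fill text are all constructed assumptions; the paper does not say what pattern WinHex writes.

```python
import hashlib
from dataclasses import dataclass, field

SECTOR_SIZE = 512  # assumed sector size for the toy disk


class UnreadableSector(IOError):
    """Raised by the toy disk when a sector cannot be read (models a damaged area)."""


@dataclass
class SourceDisk:
    """Stand-in for a physical drive: a list of sectors plus the set that fail to read."""
    sectors: list
    unreadable: set = field(default_factory=set)

    def read_sector(self, n: int) -> bytes:
        if n in self.unreadable:
            raise UnreadableSector(f"sector {n} unreadable")
        return self.sectors[n]

    def sector_count(self) -> int:
        return len(self.sectors)


# Assumed marker pattern for a labelled bad sector; chosen for this example only.
BAD_SECTOR_FILL = (b"UNREADABLE" * (SECTOR_SIZE // 10 + 1))[:SECTOR_SIZE]


def clone_disk(src: SourceDisk, first: int = 0, last=None, on_bad: str = "label"):
    """Copy sectors first..last (inclusive) in ascending order.

    on_bad="label": write BAD_SECTOR_FILL in place of an unreadable sector (image keeps its size).
    on_bad="skip":  omit the unreadable sector entirely (image shrinks by one sector).
    Returns (image_bytes, list_of_bad_sector_numbers)."""
    if on_bad not in ("label", "skip"):
        raise ValueError(f"unknown on_bad policy {on_bad!r}")
    if last is None:
        last = src.sector_count() - 1  # "entire medium"
    image = bytearray()
    bad = []
    for n in range(first, last + 1):
        try:
            image += src.read_sector(n)
        except UnreadableSector:
            bad.append(n)  # record the sector number for the examiner's notes
            if on_bad == "label":
                image += BAD_SECTOR_FILL
    return bytes(image), bad


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_disk(n_sectors: int, unreadable=()) -> SourceDisk:
    # Constructed content: sector i is filled with byte value i, so every sector is distinct.
    sectors = [bytes([i % 256]) * SECTOR_SIZE for i in range(n_sectors)]
    return SourceDisk(sectors, set(unreadable))


def clone_matches_source(n_sectors: int = 8, unreadable=(), on_bad: str = "label"):
    """Clone a constructed disk and report (hashes_match, bad_sectors, image_length)."""
    disk = make_disk(n_sectors, unreadable)
    original = b"".join(disk.sectors)  # what a flawless read of the medium would yield
    image, bad = clone_disk(disk, on_bad=on_bad)
    return sha256(image) == sha256(original), bad, len(image)


if __name__ == "__main__":
    print("clean disk, whole medium:  ", clone_matches_source())
    print("bad sector 2, labelled:    ", clone_matches_source(unreadable=(2,)))
    print("bad sector 2, skipped:     ", clone_matches_source(unreadable=(2,), on_bad="skip"))
    part, _ = clone_disk(make_disk(4), first=1, last=2)  # "specific sectors" option
    print("sectors 1..2 only:", len(part), "bytes")
```

The three printed cases show the practical consequence: a clean whole-medium clone hashes identically to the source, a labelled bad sector keeps the image the same size but changes its hash, and a skipped bad sector shortens the image as well. Whichever option is chosen, the list of bad sector numbers is what lets the examiner explain in a report why the image hash differs from the source hash.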

One option is to copy sectors in reverse order. I did some digging and can’t seem to find out why this would be done, and I suspect it may change the hash value from the original, but I haven’t tested it. My one hypothesis is that copying the sectors backwards might reveal some sort of steganography technique. When selecting the option, it gives you a prompt asking if you are confident you want to copy backwards, which tells me that it probably isn’t used very often unless under specific circumstances.