Edit and inspect files, recover lost or deleted data and perform various computer forensics operations with the help of this universal hexadecimal editor
Unlike text editors, hex editors can display and manipulate the binary data of any file type. The application is not usually aimed at average computer users, due to the knowledge required to recover damaged or deleted files by using only control codes and executable code.
All data is displayed as two-digit numbers in the hexadecimal system, which uses 16 digits: 0 to 9 and A to F. WinHex enables users to change the value of any byte just by changing these values in hexadecimal mode.
The application supports a wide array of partition types including: FAT12, FAT16, FAT32, exFAT, NTFS, Ext2/3/4, Next3, CDFS and UDF. As a disk editor, WinHex allows you to inspect and recover lost, deleted or corrupt data from almost any kind of media including: hard disks, floppy disks, CD-ROM & DVD drives, ZIP, Smart Media, Compact Flash etc.
The usability of WinHex doesn’t stop here; the application will provide users with a RAM editor that gives instant access to physical RAM and the virtual memory used by your opened processes.
Calculating checksums and hashes is easy using WinHex. The application supports Checksums from 8 bits to 64 bits, CRC16, CRC32, MD5, SHA-1, SHA-256, RipeMD-128, RipeMD-160, MD4 and ed2k hash types.
The interface is well structured and gives users quick access to the most important features with one or two mouse clicks. The Hex panel will display all the info associated with each hexadecimal digit in a simple and accessible manner.
WinHex can display various character sets including: ANSI ASCII, IBM ASCII, EBCDIC and Unicode. Converting between binary, hex ASCII, Intel Hex and Motorola S is also possible.
The built-in Data interpreter can read various data types including RAID systems and dynamic disks. The application can also automate various file editing procedures using scripts, thus accelerating routine tasks.
In the hands of professionals and computer forensics specialists, WinHex can become a valuable instrument that can help them uncover important evidence and solve difficult cases.
LIMITATIONS IN THE UNREGISTERED VERSION
- Doesn’t save files larger than 200 KB
- Doesn’t write disk sectors, edit virtual memory
- Evaluation version reminders
- Disk cloning, disk imaging:
- to produce exact duplicates of disks/drives, e.g. to save the time for a full installation of the operating system and other software for several computers/disks of the same type, or to be able to restore a running installation in case of data loss/screwed up Windows (restoration of a backup). Also for computer forensics specialists, since they need to work on a copy when searching for evidence on the object disk. You can clone directly, or from an image file. Menu: Tools | Disk Tools | Clone Disk
- RAM editor:
- e.g. for debugging purposes (programming), for examining/manipulating any running program and in particular computer games (cheating). Tools | RAM Editor
- Analyzing files:
- e.g. to determine the type of data recovered as lost cluster chains by ScanDisk or chkdsk. Examples. Tools | Analyze File
- Wiping confidential files or disks:
- …so no one (not even computer forensics specialists) will be able to retrieve them. To securely erase a file, use File Manager | Delete Irreversibly. For disk wiping, open the disk with the disk editor and use Edit | Fill Disk Sectors. E.g. fill with zero bytes (hexadecimal value 00) or random bytes. WinHex works in accordance with the standard outlined in DoD 5220.22-M (for details, please see this white paper). Also see X-Ways Security.
- Wiping unused space and slack space:
- …either to close security leaks, to securely destroy previously existing classified files that have been deleted in the traditional way only, or to minimize the size of your disk backups (like WinHex backups or Norton Ghost backups), since initialized space can be compressed 99%. On NTFS drives, WinHex will even offer to wipe all currently unused $Mft (Master File Table) file records, as they may still contain names and fragments of files previously stored in them. File slack can be found in the unused end of the last cluster allocated to a file, which usually contains traces of previously existing files. Slack space – like everything else – is processed by WinHex very fast. Also see X-Ways Security.
- ASCII – EBCDIC conversion:
- Allows you to exchange text between mainframe computers and the PC in both directions. You may even tailor the character translation table in WinHex (ebcdic.dat) for your own needs. Edit | Convert
- Binary, Hex ASCII, Intel Hex, and Motorola S conversion
- e.g. for (E)PROM programmers. Edit | Convert
- Unifying and dividing odd and even bytes/words
- for (E)PROM programmers. File Manager | Unify/Dissect
- Conveniently editing data structure:
- using custom templates. Download a tutorial. View | Template Manager
- Splitting files that do not fit on a disk:
- File Manager | Split/Concatenate
- WinHex as a reconnaissance and learning tool
- Are you sure Microsoft Word really discards previous states of your document? You may be surprised to find text deleted long ago in your .doc files. Maybe text that you really do not wish to be seen by the person you are going to pass the .doc file to? Discover what various software programs save in their files. Study unknown file formats and learn how they work. Investigate e.g. how executable files are structured and how they are loaded in RAM. The possibilities are practically unlimited. Here is another important one:
- Finding interesting values (e.g. the number of lives, ammunition, etc.) in saved game files
- using the Combined Search or using the File Comparison utility, for later manipulation
- Manipulating saved game files:
- for any computer game, following existing instructions from cheat sites on the Internet or for developing your own cheats.
- Upgrading MP3 jukeboxes and Microsoft Xbox with larger hard drive:
- To upgrade, the new hard disk must be prepared first. This is where you need WinHex. Instructions for Creative’s Nomad MP3 jukebox, DAP jukebox and Microsoft Xbox. You can also change the name of your Xbox.
- Manipulating text:
- …that one is not supposed to edit, e.g. in binary files. It is not convenient, but possible to translate practically any software into another language by editing text in the executable files, e.g. if the source code is not available (e.g. lost). Or you would like to edit text in files of a certain binary type that the native application does not let you modify. For instance, programmers may find their compiler automatically creates a configuration file for their project whose filename (application name + .cfg) conflicts with a file their own software uses. If your local laws and the license permit that, edit the compiler’s executable file such that it works without problems (e.g. with the filename extension “.cnf”).
- Viewing and manipulating files that usually cannot be edited
- because they are protected by Windows (e.g. the swap file, temporary files of the Internet Explorer), using the disk editor. Tools | Disk Editor
- Viewing, editing, and repairing system areas:
- such as the Master Boot Record with its partition table and boot sectors. Tools | Disk Editor | Access button
- Hiding data or discovering hidden data:
- …e.g. behind the supposed end of .jpg files (steganography), or in unused parts of logical drives or physical disks. WinHex specifically supports access to surplus sectors that are not in use by the operating system because they do not add to an entire cluster or cylinder.
- Copy & Paste:
- Use copy & paste or copy & write (=overwrite) with files, disks, and RAM. You may freely copy from a disk and write the clipboard contents to a disk, without regard to sector boundaries!
- Unlimited Undo:
- When editing, reverse any of your steps. Only restricted by available disk space. Edit | Undo
- Jump back and forward:
- WinHex keeps a history of your offset jumps, and lets you go back and forward in the chain, like an Internet browser does. Position | Back/Forward
- Automated file editing using scripts, to accelerate recurring routine tasks or to carry out certain tasks on unattended remote computers. The ability to execute scripts other than the supplied sample scripts is limited to owners of a professional license. Scripts can be run from the Start Center or the command line. While a script is executed, you may press Esc to abort. With its wider range of application, scripting supersedes the Routine feature known from previous WinHex versions. Find out more about scripts in the program help.
- API (Application Programming Interface):
- Professional users may also make good use of WinHex’ advanced capabilities in their own programs written in Delphi, C/C++, or Visual Basic. The WinHex API provides a convenient interface for random access to files and disks (at the sector level). The provided functions are similar to the scripting commands.
- Data recovery:
- for erroneously deleted files or generally after an experienced loss of data. Can be done manually (see undeleting files) or automatically. There is an automatic recovery mode for FAT12, FAT16, FAT32, and NTFS drives called “File Recovery by Name” that simply requires you to specify one or more file masks (like *.gif, John*.doc, etc.). WinHex will do the rest. Via the Access button menu, a recovery mechanism is available for FAT drives which re-creates entire nested directory structures (details here). Another mechanism (“File Recovery by Type”, formerly “file retrieval”) can be used on any file system and recovers all files of a certain type at a time. Supported file types: jpg, png, gif, tif, bmp, dwg, psd, rtf, xml, html, eml, dbx, xls/doc, mdb, wpd, eps/ps, pdf, qdf, pwl, zip, rar, wav, avi, ram, rm, mpg, mpg, mov, asf, mid. In particular owners of digital cameras quite often encounter problems with their media. WinHex is likely to help with this automated function that makes good use of the existence of file headers (characteristic signatures at the beginning of a file). Tools | Disk Tools | File Retrieval
- Computer examination/forensics:
- WinHex is an invaluable tool in the hands of computer investigative specialists in private enterprise and law enforcement.
- Trusted download (a security issue):
- When transferring unclassified material from a classified hard disk drive to unclassified media, you need to be certain that a copied file will have no extraneous information in any cluster or sector “overhang” spuriously copied along with the actual file, since this slack space may still contain classified data from a time when it was allocated to a different file. The command Tools | Specialist Tools | Copy exactly copies the file in its current size, no entire sectors or clusters. Not one byte beyond the end of the file will be copied to the destination disk. Minimize your IT risks. Requires a specialist license.
- 128-bit encryption:
- to make files unreadable by others. Edit | Convert
- Checksum/digest calculation:
- to make sure a file is not corrupt and was not manipulated, or to identify common known files. Tools | Calculate Hash.
- Generating pseudo-random data:
- for various (e.g. scientific simulation) purposes. Edit | Fill File
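
The "File Recovery by Type" entry above relies on file headers, the characteristic signatures at the beginning of a file. The sketch below shows that idea on a raw byte image; it is an added example, not WinHex code, and the function names, the 512-byte sector size and the sample image are constructed for illustration.

```python
# Added example (not WinHex code): recover files from a raw image by signature.
SECTOR = 512  # assumed sector size of the constructed image

# (extension, header, footer): the well-known magic bytes of each format.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

def carve(image, sector=SECTOR, max_size=1 << 20):
    """Return (recovered, unterminated) found by header/footer matching."""
    recovered, unterminated = [], []
    for ext, header, footer in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            resume = pos + 1
            if pos % sector == 0:  # file data starts on a sector boundary
                end = image.find(footer, pos + len(header), pos + max_size)
                if end == -1:
                    # Header with no footer: the tail was overwritten or lost.
                    unterminated.append((pos, ext))
                else:
                    end += len(footer)
                    recovered.append((pos, ext, image[pos:end]))
                    resume = end
            pos = image.find(header, resume)
    return sorted(recovered), sorted(unterminated)

def pad(data):
    """Zero-fill to the next sector boundary, as on a freshly wiped disk."""
    return data + b"\x00" * (-len(data) % SECTOR)

# Constructed sample image: one JPEG, one PNG, one JPEG cut off before its end.
JPG = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-png-chunks" + b"IEND\xaeB`\x82"
CUT = b"\xff\xd8\xff\xe0" + b"overwritten before the end marker"
IMAGE = (pad(b"\x00" * 100 + b"\xff\xd8\xff")  # stray header, not sector-aligned
         + pad(JPG) + pad(PNG) + pad(CUT))

if __name__ == "__main__":
    found, broken = carve(IMAGE)
    for offset, ext, data in found:
        print(f"recovered .{ext} at offset {offset}, {len(data)} bytes")
    for offset, ext in broken:
        print(f"header only .{ext} at offset {offset}")
```

Matching the first footer after a header recovers only contiguous files; fragmented files and bodies that contain the footer bytes need format-aware parsing.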
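
For the "discovering hidden data" entry above, data stored behind the supposed end of a .jpg can be found by walking the JPEG segment structure to the real end-of-image marker and reporting whatever follows. This is an added example, not WinHex code; the function names and the sample bytes are constructed for illustration.

```python
# Added example (not WinHex code): find bytes stored after a JPEG's real end.
import struct

NO_LENGTH = {0x01} | set(range(0xD0, 0xD8))  # TEM and RST0-RST7 have no length field

def jpeg_end(data):
    """Return the offset just past EOI, walking segments from SOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:            # fill byte in front of a marker
            i += 1
        elif marker == 0xD9:          # EOI: the real end of the image
            return i + 2
        elif marker in NO_LENGTH:
            i += 2
        else:
            if i + 4 > len(data):
                break
            (seglen,) = struct.unpack(">H", data[i + 2:i + 4])
            i += 2 + seglen           # skips embedded thumbnails in APPn segments
            if marker == 0xDA:        # SOS: entropy-coded scan data follows
                while i + 1 < len(data):
                    nxt = data[i + 1]
                    if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break         # a real marker ends the scan data
                    i += 1
    raise ValueError("truncated JPEG: no EOI marker")

def trailing_data(data):
    """Bytes stored behind the end of the image (empty if none)."""
    return data[jpeg_end(data):]

# Constructed sample: the APP1 segment holds a thumbnail with its own FF D9,
# which a plain search for the end marker would mistake for the end of the file.
_APP1_BODY = b"Exif\x00\x00" + b"\xff\xd8thumb\xff\xd9"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe1" + struct.pack(">H", len(_APP1_BODY) + 2) + _APP1_BODY
               + b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
               + b"\x12\xff\x00\x34"      # scan data with a stuffed FF 00
               + b"\xff\xd9")
SAMPLE_TRAILER = b"constructed bytes appended after the image"

if __name__ == "__main__":
    extra = trailing_data(SAMPLE_JPEG + SAMPLE_TRAILER)
    print(f"{len(extra)} bytes after EOI: {extra!r}")
```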