I have used X-Ways and WinHex ever since I started my digital forensics career in 2012, thanks to IACIS, whose BCFE training course uses WinHex to train students to navigate through file systems and file data.
These tips are for those who are either new to forensics or haven't used X-Ways and have some interest in using it. Also, here are some handy resources to help when researching X-Ways:
When you are about to start analysis on a new piece of evidence, you should almost always create a case within X-Ways. You have several options to set when creating a case:
Here is a list of the options I pay attention to the most when I create a new case:
Case Title/number -
Case-specific directory for temporary files -
Case-specific default path for images -
Once these settings are set, click "OK" to create the case and start your analysis.
One of my favorite features of X-Ways is its ability to load an extracted MFT file like a forensic image. There are tons of tools out there to handle MFT analysis, but X-Ways produces a view of the MFT as if you were navigating a full file system.
There are two ways to load an MFT into X-Ways, with a case and without a case:
Load an MFT with an X-Ways case:
This is a feature I use all the time during analysis. When you have evidence loaded into X-Ways and are browsing the file system, there is a squiggly blue arrow button in the bottom toolbar. This is the Explore Recursive option.
When you click this button, X-Ways completely flattens the file system into one level and lets you see every single file and folder in one view.
In the Directory Browser options you can select whether Directories are shown and whether they should be grouped together or mixed with files.
This is a very handy function to have when tracing activity on a system, especially ransomware or general malware analysis. From the recursive view you can quickly sort by any of the primary timestamps and layer two additional sorts. This can quickly reveal additional files and directories related to the incident you are investigating.
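To make the idea behind the recursive view concrete, here is an added Python example (not X-Ways code and not from the original post) that rebuilds paths from MFT-style parent references, flattens the tree into one list, and applies a primary timestamp sort with two additional sort levels. The record tuples, file names, and the `explore_recursive` and `full_path` helpers are constructed for illustration; only the use of record 5 as the NTFS root reflects the real file system.

```python
from datetime import datetime

# Constructed sample: (record_no, parent_no, name, is_dir, created, modified)
# Record 5 is the NTFS root directory; all other values are invented.
ROOT = 5
SAMPLE = [
    (5, 5, ".", True, "2023-01-01 08:00:00", "2023-03-02 10:15:00"),
    (40, 5, "Users", True, "2023-01-01 08:05:00", "2023-01-01 08:05:00"),
    (41, 40, "alice", True, "2023-01-02 09:00:00", "2023-03-02 10:14:00"),
    (42, 41, "report.docx.locked", False, "2023-02-10 12:00:00", "2023-03-02 10:14:07"),
    (43, 41, "README_RESTORE.txt", False, "2023-03-02 10:14:07", "2023-03-02 10:14:07"),
    (44, 5, "ProgramData", True, "2023-01-01 08:06:00", "2023-03-02 10:13:50"),
    (45, 44, "svc.exe", False, "2023-03-02 10:13:50", "2023-03-02 10:13:50"),
]

def full_path(rec_no, by_no):
    """Walk parent references up to the root to rebuild a path."""
    parts, seen = [], set()
    while rec_no != ROOT and rec_no in by_no and rec_no not in seen:
        seen.add(rec_no)  # guard against parent loops in damaged data
        _, parent, name, *_ = by_no[rec_no]
        parts.append(name)
        rec_no = parent
    return "\\" + "\\".join(reversed(parts))

def explore_recursive(records, show_dirs=True, group_dirs=False,
                      sort_keys=("modified", "created", "path")):
    """Flatten the tree into one list and apply up to three sort levels."""
    by_no = {r[0]: r for r in records}
    rows = []
    for no, parent, name, is_dir, created, modified in records:
        if no == ROOT or (is_dir and not show_dirs):
            continue
        rows.append({"path": full_path(no, by_no), "is_dir": is_dir,
                     "created": datetime.fromisoformat(created),
                     "modified": datetime.fromisoformat(modified)})
    # Primary sort first in the key tuple, then the two additional sorts.
    rows.sort(key=lambda r: tuple(r[k] for k in sort_keys))
    if group_dirs:  # stable sort keeps the timestamp order within each group
        rows.sort(key=lambda r: not r["is_dir"])
    return rows

if __name__ == "__main__":
    for r in explore_recursive(SAMPLE, show_dirs=False):
        print(r["modified"], r["created"], r["path"])
```

In the constructed data, sorting the flattened list by modified time places the dropped executable, the renamed document, and the note next to each other even though they live in different directories.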