Winhex Forensics  


Hi All,

I am aware that a few out there use Winhex Forensic edition and was wondering about its real-world functionality acquiring and examining systems that don’t need to be shut down.

I have copied the program files to CD and run off a live system in order to acquire an image as well as conduct cursory searches (all in a testing environment). Before running, you have to point the application's default “save” location (for temp files, recovered files and image file) to removable media. It seems to work well… Is anyone actually using Winhex in this manner?



Posted : 17/11/2005 6:16 pm
WinHex has come in handy for me more than a few times. The most used features on a live system for me have been

* Open RAM
* Clipboard Data
* Gather Free Space
* Gather Slack Space
* Gather Text

Since it opens in Read Only mode, I am comfortable with running it on a live system.

I do struggle with its file recovery feature. Lots of duplicates/false positives. Maybe I am not using it right and blaming the tool. I haven't played with file recovery much.

Posted : 17/11/2005 7:13 pm