I am aware that a few out there use WinHex Forensic edition and was wondering about its real world functionality acquiring and examining systems that don't need to be shut down.
I have copied the program files to CD and run off a live system in order to acquire an image as well as conduct cursory searches (all in a testing environment). Before running you have to point the application's default "save" location (for temp files, recovered files and image file) to removable media. It seems to work well... is anyone actually using WinHex in this manner?
WinHex has come in handy for me more than a few times. The most used features on a live system for me have been:
* Open RAM
* Clipboard Data
* Gather Free Space
* Gather Slack Space
* Gather Text
Since it opens in Read Only mode I am comfortable with running it on a live system.
I do struggle with its file recovery feature. Lot of duplicates/false positives. Maybe I am not using it right and blaming the tool. I haven't played with file recovery much.