How To Use Winhex To Recover Data




WinHex also supports interpreting data elements of a known file format using templates. WinHex can fully interpret the file system data structures of FAT12, FAT16, FAT32, and NTFS and show the directory tree of a logical drive, an image file representing a logical drive, or a single partition of a physical hard disk. It is useful for inspecting and editing all kinds of files and for recovering deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. The hex editor opens files larger than 4 GB in a second and is very fast in general. WinHex includes a feature for shifting bits and altering byte patterns of entire files or specified data (Nelson, Phillips, & Steuart, 2016). Because WinHex can view a file at the bit level, it also allows the user to unscramble data by shifting the bits back to their original positions.

WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. It is an advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

Current supported features with this tool are:

  • Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, …
  • Native support for FAT12/16/32, exFAT, NTFS, Ext2/3/4, Next3®, CDFS, UDF
  • Built-in interpretation of RAID systems and dynamic disks
  • Various data recovery techniques
  • RAM editor, providing access to physical RAM and other processes’ virtual memory
  • Data interpreter, knowing 20 data types
  • Editing data structures using templates (e.g. to repair partition table/boot sector)
  • Concatenating and splitting files, unifying and dividing odd and even bytes/words
  • Analyzing and comparing files
  • Particularly flexible search and replace functions
  • Disk cloning (under DOS with X-Ways Replica)
  • Drive images & backups (optionally compressed or split into 650 MB archives)
  • Programming interface (API) and scripting
  • 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, …)
  • Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
  • Import all clipboard formats, incl. ASCII hex values
  • Convert between binary, hex ASCII, Intel Hex, and Motorola S
  • Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
  • Instant window switching. Printing. Random-number generator.
  • Supports files of any size. Very fast. Easy to use. Extensive program help.

You can read more and download this tool over here: http://www.x-ways.net/winhex/

Recover deleted files (FAT32)

Common ways to delete a file

Deleting files is one of the most common operations we perform when using a computer. Under the Windows operating system, there are four basic ways to delete a file:

1. Delete the file directly, that is, the deleted file does not go through the recycle bin;

2. Put the file in the recycle bin and then empty or delete the file from the recycle bin again.

3. Cut the file and paste it into the target folder.

4. Overwrite the file by copying a file with the same name into the target folder and choosing to replace it.

After a file has been deleted, whether it can be fully recovered depends on the extent to which the deleted file has been destroyed. Since different file systems manage files differently, we will only discuss the recovery of deleted files in FAT32 and NTFS file systems.

Common cases of file deletion (FAT32)

In the FAT32 file system, there may be the following six situations after the file is deleted:

Case 1: The directory entry of the deleted file remains, and the file contents are continuously stored and not overwritten;

Case 2: The directory entry of the deleted file is still retained, and the file contents are continuously stored, but some or all of the file contents are overwritten;

Case 3: The directory entries of deleted files are still retained, the file contents are stored discontinuously, and the file contents are not overwritten;

Case 4: The directory entry of the deleted file is overwritten, but the file contents are stored continuously and are not overwritten;

Case 5: The directory entry of the deleted file is still retained, but the high 16 bits of the starting cluster number in the directory entry are set to 0000, and the file contents are continuously stored without being overwritten;

Case 6: The directory entry of the deleted file, part or all of the file contents, has been overwritten.

For case 1, the success rate of file recovery is 100%, and the recovered file can be used normally;

For case 2, the success rate of file recovery is also 100%, but whether the recovered file can be used depends on the extent to which the deleted file content is overwritten;

For case 3, we can get the start cluster number and file size from the directory entry of the deleted file, search downward from the start cluster for free clusters, check whether each free cluster holds content of the file to be restored, and finally join the recovered pieces together. Note: in the FAT32 file system, when a file is stored discontinuously, the cluster numbers of later segments are generally greater than those of earlier segments. A later segment rarely has a smaller cluster number than the segment before it.

For case 4, you can find and recover files by file type;

For case 5, if the capacity of the logical disk is relatively small, trial and error can be used to estimate the high 16 bits of the file's starting cluster number. You can also estimate the high 16-bit value by looking at the entries adjacent to the deleted file's directory entry;

For case 6, if the entire contents of the file have been overwritten, it cannot be recovered; If only part of the file content is overwritten, and the overwritten part of the file content does not affect the normal use of the file, the possibility of restoring the file exists.

Recover deleted files (FAT32)

This section only discusses the basic ideas, methods, and steps of using WinHex to recover deleted files (FAT32) on the Windows platform. The corresponding ideas, methods, and steps for other data recovery software are left for you to study on your own.

The following introduces two basic ideas, methods, and steps of recovering deleted files in the form of examples.

[Method (1)] Copy the deleted file to the specified directory.

Go to the folder where the directory of the deleted file is located, find the directory entry of the deleted file, select the deleted file directory entry, and copy the deleted file into the specified directory.

[Basic steps]

Step 1: Move the cursor to the directory where the deleted file is located, and then find the directory entry of the deleted file in the directory;

Step 2: Move the cursor to the directory entry of the deleted file, right-click, and select “Recover/Copy…” from the pop-up shortcut menu. In the “Select Target Folder” window, select the folder in which to store the recovered file, and click the “OK” button.

In this case, the a03.doc file in the root directory of drive J was deleted, and we need to recover the deleted a03.doc file.

[Detailed steps]

Step 1: Start WinHex and open drive J;

Step 2: Move the cursor to the root directory of drive J, and find the directory entry of the deleted file “a03.doc”, as shown in the figure. Note: after the a03.doc file is deleted, WinHex shows it under the name “?03.doc”;

Step 3: Move the cursor to “?03.doc”, right-click and select “Recover/Copy…” from the pop-up shortcut menu, as shown in the figure;

Step 4: The “Select Target Folder” window appears. In the “Select Target Folder” window, select the location of files to be stored. In this case, the files to be recovered will be stored in the root directory of Disk D. Click the “OK” button as shown;

You can find the recovered file named “_03.doc” in the root directory of disk D.

[Method (2)] Restore the deleted file to the state before deletion.

Restore the directory entries of deleted files to the state before deletion, and restore the FAT linked list of deleted file contents to the state before deletion.

[Basic steps]

Step 1: Move the cursor to the directory where the deleted file is located, find the directory entry of the deleted file in the directory, and change the first byte of the deleted file's directory entry from “E5” to the ASCII code of a displayable character, such as “41”;

Step 2: Get the starting cluster number and the size in bytes of the deleted file from its directory entry, calculate the number of clusters the file occupies, and restore the file's allocation chain (linked list) in the FAT1 and FAT2 tables.

[Detailed steps]

Step 1: Start WinHex and open drive J;

Step 2: Move the cursor to the root directory of drive J, and find the directory entry of the deleted file “a03.doc”. Change the value of the first byte of the file's directory entry from “E5” to “41”, which is the ASCII code of “A”, as shown in the figure.

Step 3: It can be seen from the figure that the starting cluster number of the deleted file a03.doc is 54424 (i.e. 0X0000D498), and the occupied space is 31232 (i.e. 0X00007A00) bytes. From the DBR of drive J, it can be seen that the number of sectors per cluster is 2. It can be calculated that:

Number of clusters of the a03.doc file = ROUNDUP(number of bytes in the file / (number of sectors per cluster × 512), 0)

= ROUNDUP(31232 / (2 × 512), 0)

= 31

Since the a03.doc file starts at cluster number 54424 and its contents are stored contiguously on drive J, the ending cluster number is 54454. That is, the content of the a03.doc file occupies clusters 54424~54454 (i.e. 0XD498 ~ 0XD4B6). From this, the linked list of the a03.doc file can be calculated, as shown in the figure.

The storage form of its allocated linked list in the FAT1 table and FAT2 table is shown in the figure:

Step 4: Restore the linked list of the a03.doc file in the FAT1 table. Move the cursor to 0XD498 (that is, the location of cluster 54424).

Steps: “location” -> “Go to FAT Entry”; type 54424 in the “Go to FAT Entry” window that pops up. With the cursor at entry 54424 of the FAT1 table, enter “99 D4 00” at cluster 54424, “9A D4 00” at 54425, “9B D4 00” at 54426, and so on; enter “B6 D4 00 00” at the entry for cluster 54453 and “FF FF FF 0F” at the entry for cluster 54454, as shown in the figure, and then save. At this point, the linked list of the a03.doc file in the FAT1 table has been restored.

Step 5: Restore the linked list of the a03.doc file in the FAT2 table. It can be seen from the DBR of drive J that each FAT table occupies 1585 sectors. The linked list of the a03.doc file in the FAT1 table on drive J is in sector 5447. Therefore, the linked list of the a03.doc file in the FAT2 table on drive J is in sector 7032. Move the cursor to sector 7032.

Steps: “location” -> “Go to Sector”; select “Logical” in the “Go to Sector” window that pops up. Type 7032 in the text box to the right of “Sector:” to move the cursor to sector 7032. Enter “99 D4 00” at 54424, “9A D4 00” at 54425, “9B D4 00” at 54426, and so on; enter “B6 D4 00 00” at cluster 54453 and “FF FF FF 0F” at cluster 54454, as shown in the figure. Save and exit WinHex. At this point, the linked list of the a03.doc file in the FAT2 table has been restored.

Step 6: The recovered “a03.doc” file can be seen in the root directory of drive J.
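The calculation behind Method (2), as an added Python example (not part of the original article or of WinHex): it decodes a constructed 32-byte directory entry built from the a03.doc figures above, derives the contiguous FAT chain, and locates the entries in FAT1 and FAT2. Each FAT32 entry is four bytes in little-endian order, so the full entry for cluster 54424 is 99 D4 00 00. The FAT1 start sector (5022) is an assumption inferred from the sector 5447 quoted above, and the function names are illustrative.

```python
import struct

SECTOR = 512        # bytes per sector, as in the page's formula
EOC = 0x0FFFFFFF    # FAT32 end-of-chain value, "FF FF FF 0F" on disk

def parse_dir_entry(entry: bytes) -> dict:
    """Pull the recovery-relevant fields out of a 32-byte short directory entry."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    hi, = struct.unpack_from("<H", entry, 0x14)    # start cluster, high 16 bits
    lo, = struct.unpack_from("<H", entry, 0x1A)    # start cluster, low 16 bits
    size, = struct.unpack_from("<I", entry, 0x1C)  # file size in bytes
    return {"deleted": entry[0] == 0xE5, "start": (hi << 16) | lo, "size": size}

def undelete_entry(entry: bytes, first_char: bytes = b"A") -> bytes:
    """Replace the E5 deletion marker with a displayable first character."""
    if entry[0] != 0xE5:
        raise ValueError("entry is not marked deleted")
    return first_char + entry[1:]

def contiguous_chain(start: int, size: int, sectors_per_cluster: int) -> dict:
    """Map each cluster to its FAT value, assuming contiguous storage."""
    count = -(-size // (sectors_per_cluster * SECTOR))  # ROUNDUP(size / cluster size)
    last = start + count - 1
    return {c: (c + 1 if c < last else EOC) for c in range(start, last + 1)}

def entry_bytes(value: int) -> bytes:
    """A FAT32 entry as stored on disk: 4 bytes, little-endian."""
    return struct.pack("<I", value)

def fat_location(cluster: int, fat1_start: int, sectors_per_fat: int) -> tuple:
    """(FAT1 sector, FAT2 sector, byte offset in that sector) of a cluster's entry."""
    sector, offset = divmod(cluster * 4, SECTOR)
    return fat1_start + sector, fat1_start + sector + sectors_per_fat, offset

# Constructed directory entry matching the page's a03.doc figures.
SAMPLE_ENTRY = struct.pack("<11sB8xH4xHI", b"\xE503     DOC", 0x20,
                           0x0000, 0xD498, 0x7A00)
# Assumption: FAT1 starts at sector 5022, inferred from sector 5447 on the page.
FAT1_START = 5447 - (54424 * 4) // SECTOR

if __name__ == "__main__":
    info = parse_dir_entry(SAMPLE_ENTRY)
    chain = contiguous_chain(info["start"], info["size"], 2)
    print(len(chain), "clusters:", min(chain), "to", max(chain))
    for c in (54424, 54453, 54454):
        print(c, entry_bytes(chain[c]).hex(" ").upper())
    print(fat_location(54424, FAT1_START, 1585))
```

The chain is only valid under the contiguous-storage assumption of cases 1 and 2; for a fragmented file (case 3) the cluster list has to be established by inspection before any FAT entries are written.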

Common cases of file deletion (NTFS)

For NTFS file systems, there are five possible scenarios when a file is deleted:

Case 1: The record of the deleted file in the metafile $MFT remains, and the 80H attribute of the file record is the resident attribute;

Case 2: The record of the deleted file in the metafile $MFT is still retained, the 80H attribute of the file record is non-resident, and the file content is not overwritten;

Case 3: The record of the deleted file in the metafile $MFT is still retained. The 80H attribute of the file record is a non-resident attribute, but part or all of the file content has been overwritten.

Case 4: The record of the deleted file in the metafile $MFT has been overwritten. The 80H attribute of the file record is non-resident, but the file content is not overwritten.

Case 5: The record of the deleted file in the metafile $MFT has been overwritten, the 80H attribute of the file record is non-resident, and some or all of the file contents have been overwritten.

For case 1 and case 2, the success rate of file recovery is 100%, and the recovered file can be used normally;

For case 3, the success rate of file recovery is also 100%, but whether the recovered file can be used normally depends on the extent to which the file content has been overwritten and on the importance of the overwritten content;

For case 4, you can restore the file by file type, and the recovered file can be used normally;

For case 5, you can restore by file type, but the restored file may not be usable.

For NTFS file systems, after a file has been deleted, other data recovery software can be used for recovery. This section discusses only the basic steps for recovering deleted files using WinHex software.

Recover the deleted files (NTFS)

[Basic steps]

Step 1: Move the cursor to the folder in the recycle bin that begins with “S-1-5-21”;

Step 2: Find the file with the file name of “$I+6 random characters + extension”. Note: the file size is 0.5KB;

Step 3: The drive letter, path and file name of the deleted file can be viewed in the 80H attribute of the file record. Carefully confirm whether this is the file to be recovered. If “yes”, go to Step 4; if not, go back to Step 2 and look for the next file with the name “$I+6 random characters + extension”.

Step 4: Find the file with the name “$R+6 random characters + extension” (note: the 6 random characters are the same as in “$I+6 random characters”);

Step 5: Move the cursor to the file “$R+6 random characters + extension”, right-click and select “Recover/Copy…” from the pop-up shortcut menu. In the “Select Target Folder” window, select the location of the file and click the “OK” button.

In this case, we recover the deleted 13.jpg file in the abcd3 folder of drive H with WinHex software.

[Detailed steps]

Step 1: Start WinHex and open drive H;

Step 2: Move the cursor to drive H, then open the folder $Recycle.bin\S-1-5-21-894613213-3022215824-3749548889-100. In the folder, find the file “$IS30pkh.jpg” and move the cursor to the 80H attribute of its file record, as shown in the figure. According to the 80H attribute, the drive letter, path, and file name of the deleted file are “H:\abcd3\13.jpg”, which is the drive letter, path and file name of the file to be recovered.

Step 3: As can be seen from the record of the $IS30pkh.jpg file, the deleted file is in the folder $Recycle.bin\S-1-5-21-894613213-3022215824-3749548889-100 on drive H, and its file name is $RS30pkh.jpg.

Move the cursor to $RS30pkh.jpg, right-click, and select “Recover/Copy…” from the pop-up shortcut menu. In the “Select Target Folder” window, select the target folder (here, the abc folder on disk F), and then click the “OK” button;

Step 4: Go to the abc folder on disk F, where you can view the restored “$RS30pkh.jpg”, whose contents are the contents of the deleted file 13.jpg.
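The $I/$R pairing used in the steps above can also be checked programmatically. The following Python sketch is an added example, not part of the original article or of WinHex: it decodes a constructed $I record and derives the matching $R name. The record layout is general knowledge of the Windows Recycle Bin format (version 1 records are a fixed 544 bytes, which matches the 0.5KB size noted above; version 2 stores a length-prefixed path); the sample size and deletion time are made up, and the function names are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_i_file(data: bytes) -> dict:
    """Decode a Recycle Bin $I record: original size, deletion time, original path."""
    if len(data) < 28:
        raise ValueError("too short to be a $I record")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # fixed 520-byte UTF-16 path field
        raw = data[24:24 + 520]
    elif version == 2:                    # 4-byte character count, then the path
        nchars, = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    raw = raw[:len(raw) & ~1]             # tolerate a truncated trailing byte
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "path": path,
            "deleted": FILETIME_EPOCH + timedelta(microseconds=filetime // 10)}

def paired_r_name(i_name: str) -> str:
    """$I<6 chars>.<ext> and $R<6 chars>.<ext> share everything after the prefix."""
    if not i_name.upper().startswith("$I"):
        raise ValueError("not a $I metadata file name")
    return "$R" + i_name[2:]

def is_target(record: dict, wanted_path: str) -> bool:
    """Step 3 of the procedure: confirm the record describes the file we want."""
    return record["path"].lower() == wanted_path.lower()

# Constructed version 1 record for the page's example file; the size and the
# deletion time (2020-01-01 00:00 UTC as a FILETIME) are made-up sample values.
SAMPLE_I = (struct.pack("<QQQ", 1, 204800, 132223104000000000)
            + "H:\\abcd3\\13.jpg".encode("utf-16-le").ljust(520, b"\x00"))

if __name__ == "__main__":
    rec = parse_i_file(SAMPLE_I)
    print(rec["path"], rec["size"], rec["deleted"].isoformat())
    if is_target(rec, "H:\\abcd3\\13.jpg"):
        print("recover:", paired_r_name("$IS30pkh.jpg"))
```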