File Comparisons Using WinHex
Copyright (c) 2019. All rights reserved.
Donald L. Buresh, Ph.D., J.D., LL.M.
Utica College: Trends in Cybercrime
Table of Contents
Abstract ........................................ 4
Introduction .................................... 5
WinHex and Its Author ........................... 6
Value of WinHex to the Forensic Community ....... 7
Comparison Features Tested ..................... 10
Research Questions ............................. 12
NIST Methodology ............................... 13
Test Cases to Be Employed ...................... 16
Description of Test Process .................... 21
Test Results ................................... 24
File Comparison in General ..................... 25
What Was Discovered ............................ 29
Weaknesses or Limitations ...................... 31
Conclusions and Future Recommendations ......... 32
References ..................................... 34
Abstract
This presentation examines the file comparison feature of WinHex, a software
application from X-Ways Software Technology AG.
The examiner compared text files, Microsoft Word documents and JPEG files
using the utility.
The results of the analysis indicate that WinHex is an excellent forensic tool that
can be used on a variety of file types.
Introduction
The introduction to this paper is divided into two subsections.
The first subsection discusses WinHex and its author, while the second
subsection describes the value of WinHex to the forensic community.
WinHex and Its Author
The purpose of this paper is to analyze the file comparison feature of WinHex, a disk
and hexadecimal editor that is employed in recovering digital forensic data (X-Ways Staff, n.d.).
The application is a Microsoft Windows application developed by X-Ways Software Technology
AG, a stock company incorporated under the laws of the Federal Republic of Germany in April
2002 (X-Ways Staff, n.d.).
Stefan Fleischmann is the Chief Executive Officer of the company (X-Ways Staff, n.d.).
Fleischmann has concentrated on computer forensics, having trained law-enforcement officers,
federal government personnel, tax fraud investigators, and private sector forensic examiners in the
United States, Germany, China, Hong Kong, Australia, and the United Kingdom (X-Ways Staff,
n.d.).
With more than 32,000 users across the planet, X-Ways Software Technology is a leading supplier
of computer forensics software in Europe (X-Ways Staff, n.d.).
Finally, in 2007, Stefan Fleischmann was appointed a professor at the Fangwei Institute of
Technology in China (X-Ways Staff, n.d.).
Value of WinHex to the Forensic Community
WinHex is a powerful hexadecimal editor (Jackman, 2003).
It is a data analysis tool that can be successfully employed for editing and
recovering data (Jackman, 2003).
WinHex is also a wiping tool and a forensic tool that can be used for gathering
evidence (Jackman, 2003).
The application runs only on Microsoft Windows; Jackman (2003) listed Windows 95
and Windows XP, and current releases run on Windows Vista and Windows 10.
According to Jackman (2003), WinHex can:
Read and edit hard drives (FAT and NTFS), floppy disks, CD-ROMs, DVDs, flash drives, and other media;
Read and directly edit RAM;
Interpret 20 different data types;
Edit partition tables, boot sectors, etc.;
Join and split files;
Analyze and compare files;
Search and replace data;
Clone and image drives;
Recover lost data;
Encrypt files with 128-bit encryption;
Create hashes and checksums; and
Wipe drives (Jackman, 2003).
WinHex also possesses the following additional forensic features that require an
enhanced license to access:
Gather free and slack space;
Search for text based on keywords; and
Create tab-delimited tables of drive contents that can be imported into a spreadsheet
(Jackman, 2003).
Based on the functionality listed above, it is evident that WinHex is quite valuable
to forensic examiners and the forensic community. In the opinion of this author, it
is a forensic tool that ought to be in every cybersecurity forensic
examiner’s toolbox.
Comparison Features Tested
Depending on the type of file, there are several different proven file comparison
methodologies (Crider, 2018).
Word processors compare at the word level, whereas many programming tools compare
at the line level (Crider, 2018).
Because WinHex is a hexadecimal editor built for computer forensics, the application
compares byte by byte (X-Ways Staff, 2019).
The Compare command is used to compare two data windows, files, or disks (X-Ways
Staff, 2019).
The user determines whether different or identical bytes are reported and how many
bytes to compare (X-Ways Staff, 2019).
If selected, the command stops automatically after having found a pre-specified
number of different or identical bytes (X-Ways Staff, 2019).
The report is stored as a text file (X-Ways Staff, 2019).
The comparison begins at a specified offset in each file, and the offset can differ
between the two files (X-Ways Staff, 2019).
WinHex offers an option to produce one entry per matching data area instead of
one line per matching byte, provided that the second data source is an evidence
object (X-Ways Staff, 2019).
This facility is useful when users wish to compare cloned disks to locate
and better understand the causes of any differences (X-Ways Staff, 2019).
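The Compare command described on these two slides is, at bottom, a byte-by-byte walk over two buffers with a separate start offset for each. The following Python is an added example written for this page; it is not part of the original deck and not WinHex code. It reimplements the option set the manual describes (per-file start offsets, a byte count, a choice of reporting differing or identical bytes, stopping after a given number of hits, and one entry per run of bytes rather than one line per byte) and renders a plain-text report. The sample inputs are constructed here: a shortened form of the Dickens sentence with one letter changed, and a filler buffer standing in for the JPEG, in which the byte at offset 5573h is changed from 4Ah to 00h as the test plan prescribes.

```python
"""Byte-by-byte comparison with the options of the WinHex Compare command.

Added example for this page (not WinHex code). All sample inputs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Run:
    """A maximal run of consecutive reported bytes (all different or all identical)."""
    offset_a: int   # absolute offset where the run starts in input A
    offset_b: int   # absolute offset where the run starts in input B
    length: int


def compare_bytes(a: bytes, b: bytes, start_a: int = 0, start_b: int = 0,
                  count: Optional[int] = None, report_identical: bool = False,
                  stop_after: Optional[int] = None) -> List[Run]:
    """Compare a[start_a:] against b[start_b:] byte by byte.

    count            number of byte positions to examine (default: to the end of the
                     longer remainder, so a length difference is itself reported)
    report_identical report identical bytes instead of differing ones
    stop_after       stop once this many bytes have been reported
    Consecutive reported bytes are merged into one Run, the manual's "one entry
    per data area" behaviour. A byte present in only one input counts as different.
    """
    if count is None:
        count = max(len(a) - start_a, len(b) - start_b)
    runs: List[Run] = []
    run_start: Optional[int] = None
    run_len = 0
    reported = 0

    def close_run() -> None:
        nonlocal run_start, run_len
        if run_start is not None:
            runs.append(Run(start_a + run_start, start_b + run_start, run_len))
        run_start, run_len = None, 0

    for i in range(count):
        ia, ib = start_a + i, start_b + i
        in_a, in_b = ia < len(a), ib < len(b)
        if not in_a and not in_b:
            break                        # both inputs exhausted
        same = in_a and in_b and a[ia] == b[ib]
        if same == report_identical:     # this byte is one the user asked to see
            if run_start is None:
                run_start = i
            run_len += 1
            reported += 1
            if stop_after is not None and reported >= stop_after:
                break
        else:
            close_run()
    close_run()
    return runs


def format_report(name_a: str, name_b: str, runs: List[Run],
                  report_identical: bool = False) -> str:
    """Render the runs as the kind of text report WinHex saves to a file."""
    kind = "identical" if report_identical else "different"
    lines = [f"Comparison of {name_a} and {name_b}: {len(runs)} run(s) of {kind} bytes"]
    for r in runs:
        lines.append(f"  {name_a} offset {r.offset_a:X}h, {name_b} offset {r.offset_b:X}h: "
                     f"{r.length} byte(s) {kind}")
    return "\n".join(lines)


# Constructed sample data (not the files used in the deck).
SENTENCE = (b"It was the best of times, it was the worst of times, it was the age of "
            b"wisdom, it was the age of foolishness, it was the season of Light, "
            b"it was the season of Darkness, it was the spring of hope.")
SENTENCE_ALTERED = SENTENCE.replace(b"Darkness", b"darkness")

# Filler standing in for the JPEG: 24576 bytes, with the page's 4Ah byte at 5573h.
JPEG_OFFSET, JPEG_ORIGINAL_BYTE, JPEG_PATCHED_BYTE = 0x5573, 0x4A, 0x00
_filler = bytearray(bytes(range(256)) * 96)
_filler[JPEG_OFFSET] = JPEG_ORIGINAL_BYTE
JPEG_ORIG = bytes(_filler)
_filler[JPEG_OFFSET] = JPEG_PATCHED_BYTE
JPEG_ALTERED = bytes(_filler)


if __name__ == "__main__":
    print(format_report("original.txt", "altered.txt",
                        compare_bytes(SENTENCE, SENTENCE_ALTERED)))
    print(format_report("original.jpg", "altered.jpg",
                        compare_bytes(JPEG_ORIG, JPEG_ALTERED)))
    # Per-file start offsets: a copy with two bytes prepended matches when B starts at 2.
    print(compare_bytes(JPEG_ORIG, b"\xff\xd8" + JPEG_ORIG, start_b=2))
    # Identical-byte mode, stopping after the first 16 matching bytes.
    print(compare_bytes(SENTENCE, SENTENCE_ALTERED, report_identical=True, stop_after=16))
```

The default `count` deliberately covers the longer remainder, so two files that differ only in length are reported as a trailing run of differences rather than silently compared over their common prefix; a real examiner should confirm the tool in hand does the same before trusting "no differences found".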
Research Questions
The two research questions that are answered by this analysis are:
What is the result of testing two files that are the same when compared using WinHex?
What is the result of testing two files that are intentionally constructed to be different
when compared using WinHex?
The ability of WinHex to compare two files depends on the type of the file being
examined.
For example, WinHex could compare text files, Microsoft Word documents,
Microsoft Excel worksheets, Microsoft PowerPoint presentations, JPEG image
files, etc.
The list of different files that could be tested is seemingly endless. Thus, the file
type becomes the independent variable, where the dependent variable has two
values: (1) yes, the files are the same, and (2) no, the files are different.
NIST Methodology
The National Institute of Standards and Technology (“NIST”) Computer Forensics Tool
Testing (CFTT) methodology was employed in the evaluation of WinHex (NIST Staff, 2017).
The method is functionally driven (NIST Staff, 2017). It first separates
forensic investigation activities into categories or functions (NIST Staff, 2017).
For example, hard disk write-protection, disk imaging, and string searching are
distinct categories in the NIST testing methodology (NIST Staff, 2017).
Once the category is identified, a testing methodology is created for each group
(NIST Staff, 2017).
After a category and at least one tool are selected, a test case document is generated that
specifies the requirements for the given category (NIST Staff, 2017).
The NIST testing methodology calls this document the tool category specification (NIST
Staff, 2017). A test environment is then developed for each tool category (NIST Staff, 2017).
Finally, the NIST testing process is specified and consists of the following steps:
Acquire the tool to be tested;
Review the tool documentation;
Select the relevant test cases, depending on the tool’s supported features;
Develop a test strategy and tactics;
Execute the test cases developed;
Record the results of each test case; and
Generate a test report (NIST Staff, 2017).
Once a test report has been created, the results are reviewed by the appropriate
individuals, known in NIST parlance as the Steering Committee (NIST Staff,
2017).
In some instances, the test tool vendor can also review the report (NIST Staff,
2017).
Finally, the document is published for review by the relevant organization (NIST
Staff, 2017).
Test Cases to Be Employed
Because of the wide variety of file types, the research is limited to
text files, Microsoft Word documents, and JPEG image files.
For the text and Microsoft Word files, a single character will be modified within the
file.
The physical position of that character within the text or Microsoft Word file is not
considered.
This is a decision on the part of this author to limit the scope of the testing effort.
The JPEG image files are particularly interesting because where the difference
between two JPEG files occurs within the file may have some bearing
on whether WinHex can identify the difference.
For the purposes of this testing process, only one byte of a JPEG image file will
be modified, on the presumption that if WinHex can identify a one-byte
difference, the application can also identify multiple differing bytes.
The position of the one-byte difference is not expected to affect the identification
of the difference.
This means that there will be only one altered JPEG file, in which the one-byte
variation will occur somewhere in the middle of the image data.
There will be two test cases each for text files and Microsoft Word documents: in
one instance the files will be the same, and in the other the files will be
different, for a total of four test cases.
For the JPEG image file type, there will likewise be two test cases: in one situation
the files will be the same, whereas in the second situation the files will be
different, with the physical location of the one-byte difference treated as
immaterial.
To validate the results from WinHex, the Microsoft DOS (“MS-DOS”) file
comparison command, fc, will be employed (Microsoft Staff, 2017).
The fc command dates from the early days of MS-DOS, an operating system whose
history begins with the IBM PC introduced on August 12, 1981 (Computer Hope Staff, 2019).
Because fc has been in use for decades and is maintained independently of X-Ways, it
is a viable second opinion against which to check the results from WinHex.
By default fc compares files as ASCII text, line by line; its /b switch selects a
binary comparison that reports each differing byte with its offset, which is the
mode that corresponds to what WinHex does (Microsoft Staff, 2017).
WinHex and the fc command will have the same number of test cases.
Overall, twelve test cases will be executed in the course of testing the WinHex file
comparison feature.
Analysis: Description of Test Process
The first step in the testing process will be to create the text, Microsoft Word, and
JPEG files to be tested.
The text and the Microsoft Word files will contain the following single sentence
from Charles Dickens’ novel A Tale of Two Cities:
It was the best of times, it was the worst of times, it was the age of wisdom, it was the
age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the
season of Light, it was the season of Darkness, it was the spring of hope, it was the
winter of despair, we had everything before us, we had nothing before us, we were all
going direct to Heaven, we were all going direct the other way – in short, the period
was so far like the present period, that some of its noisiest authorities insisted on its
being received, for good or for evil, in the superlative degree of comparison only
(Dickens, 1999[1859]).
The sentence was chosen for Hegelian dialectical reasons.
It is a study of opposites, where the novel is the evolution to synthesis. The other
purpose is that by changing one character, the change may be hard to spot
while the meaning of the sentence remains the same.
For each test case, three files will be created, two of which are identical, so that
a comparison of two copies of the same data can be made.
Once the original text file (via Notepad) and Microsoft Word file have been
created, the word “Darkness” will be changed to “darkness,” that is, the capital
letter “D” will be changed to the lowercase letter “d.”
The two original files and the altered file will be stored in their own sub-directory so
that the test cases remain distinct.
As for the JPEG file, the file to be employed is shown in Figure 1 and is a picture
of myself as a much younger man.
Figure 1. Donald L. Buresh as a younger man.
The byte at offset 5573h, originally 4Ah, will be set to 00h.
It is anticipated that the visual effect of the change will be invisible to the naked eye.
After creating the test cases, WinHex will be used to conduct file comparisons.
The first test case will be between the two copies of the same file. The results
should indicate that the files are exact copies of each other.
The second test employing WinHex will be between one of the two copies and the
altered file.
The results should show the single-byte difference. The next step is to perform the
same series of tests using fc, the Microsoft DOS file comparison command.
It is anticipated that the results of employing fc will be precisely the same as when
using WinHex.
Test Results
When the text files were compared, both WinHex and fc reported that the test files
were the same when they were the same and different when they were different.
When the Microsoft Word documents were compared, WinHex showed that the two
copies were identical, but the altered document and the original were of unequal
length in bytes, so the one-character edit did not appear as a single differing byte.
(A .docx file is a ZIP container, so a one-character edit changes the compressed
stream, its checksum and possibly its length rather than one byte.)
As for fc, the MS-DOS command displayed the differing bytes in
text format.
When the JPEG files were compared, WinHex indicated that the test files were the
same when they were supposed to be the same.
For the altered JPEG, fc, run in its default text mode, reported only partial
alignment between the two files rather than a single differing byte.
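The unequal lengths seen with the Word documents follow from the .docx container format: the document text lives inside a ZIP archive as word/document.xml, so a one-character edit alters the compressed stream and its CRC, and possibly the archive length, and a byte-by-byte comparison of the two files reports several scattered differences rather than one. The following Python is an added example for this page, not code from the deck or from WinHex; it constructs a minimal stand-in for a .docx (a ZIP holding only a document.xml, which is enough to show the effect), compares the two containers byte by byte, then unzips them and compares the XML, where the single D/d change reappears as exactly one differing byte. The sentence and the XML skeleton are constructed inputs.

```python
"""Why a one-character edit to a .docx is not a one-byte difference on disk.

Added example for this page (not WinHex code). Inputs are constructed.
"""
import io
import zipfile
from typing import Dict

SENTENCE = ("It was the best of times, it was the worst of times, it was the season of "
            "Light, it was the season of Darkness, it was the spring of hope.")


def build_docx_like(text: str) -> bytes:
    """Build a minimal ZIP container holding word/document.xml, the part of a
    .docx that carries the visible text. A real document has more parts, but
    the container and its DEFLATE compression behave the same way."""
    xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fixed timestamp so two builds of the same text are byte-identical.
        info = zipfile.ZipInfo("word/document.xml", date_time=(2019, 1, 1, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, xml)
    return buf.getvalue()


def differing_bytes(a: bytes, b: bytes) -> int:
    """Count positions where the inputs differ; bytes past the shorter input
    count as differences, as they would in a byte-by-byte compare."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def document_xml(container: bytes) -> bytes:
    """Extract the text-bearing part from the container."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return zf.read("word/document.xml")


def compare_docx_like(a: bytes, b: bytes) -> Dict[str, object]:
    """Compare two containers at the container level and at the content level."""
    return {
        "sizes": (len(a), len(b)),
        "container_diff": differing_bytes(a, b),
        "content_diff": differing_bytes(document_xml(a), document_xml(b)),
    }


if __name__ == "__main__":
    original = build_docx_like(SENTENCE)
    altered = build_docx_like(SENTENCE.replace("Darkness", "darkness"))
    print(compare_docx_like(original, original))
    print(compare_docx_like(original, altered))
```

The practical consequence for an examiner is that a byte-level compare of two Word documents tells you that they differ, not what changed; to localize the edit, extract the container's parts and compare those, and treat the remaining non-text parts (styles, relationships, metadata) as places where content can be hidden.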
File Comparison in General
The literature review showed that file comparison techniques are patentable and
that there are a variety of different techniques.
For example, in Patent No. 6,236,993, Fanberg (2001) patented a file comparison
methodology whereby “[c]omparisons are handled between files which differ by
any predetermined function such as additive or multiplicative without using file
wide delimiters, field boundary or field format information” (p. 1).
Cane et al. (2000) received a United States patent for file comparison for data
backup and file synchronization, where the “file comparison employs a single
function F to calculate a digital signature from data in a sliding window” and
where the “digital signature is both incrementally computable and position
[s]ensitive” (p. 1).
Fink et al. (2003) obtained Patent No. 6,574,729, which involved a “system for
remotely identifying and providing information of unknown software on remote
network node by comparing the unknown software with software audit file
maintained on server” (p. 1).
Kelley and Palveda (1997) devised an interrogation index file comparison
methodology, where a “method of comparing files takes three passes through data
tables in memory to generate tables containing pointers to matches and
mismatches by employing a method of key word-index translation in which a
keyword is taken from a first data table in a first pass and used as the index in
loading an index table containing a pointer to the record containing that keyword”
(p. 1).
Casey (2004) investigated the strengths and shortcomings of WinHex Specialist
Edition (version 11.25 SR-7).
The context was the overall digital forensics process (Casey, 2004). The emphasis
was on how well WinHex preserved and examined data on storage media (Casey,
2004).
Casey (2004) was unable to discover any serious problems when analyzing the
tool’s ability to generate a forensic image or verify the integrity of an image.
Generally accepted data sets were employed in the course of the analysis (Casey,
2004).
The research was not focused on WinHex’s file comparison facilities (Casey,
2004).
In contrast, when looking up WinHex on Google Scholar, the examiner
counted more than three dozen other articles on WinHex (Google Scholar, n.d.).
Unfortunately, all of the articles were written in Chinese, making it impossible for
the examiner to review the content of these articles.
What is apparent from this information is that the Chinese are very interested in
WinHex.
This comes as no surprise to the examiner because Stefan Fleischmann, the chief
executive officer of X-Ways Software Technology AG, was appointed a professor
at the Fangwei Institute of Technology in China (X-Ways Staff, n.d.).
What Was Discovered
This analysis found that WinHex is an outstanding tool for comparing text
and JPEG files.
The reason is probably that it is a byte-by-byte comparison utility. WinHex also
has significant value when comparing the content of Microsoft Word
documents, and it had no apparent difficulty isolating differences in the
non-content portions of a Word document, such as its header and formatting structures.
A cybercriminal can hide information in the header and formatting areas of a
document, and WinHex seems to isolate this data effectively.
As for fc, the MS-DOS file comparison utility, its usefulness as a
forensic tool seems limited.
The utility appears to be a brute-force comparison program whose functions
are oriented towards line-by-line text file comparisons rather than
application-specific file comparisons such as Microsoft Word documents.
One caveat applies to this assessment: the line-oriented behavior observed is fc’s
default ASCII mode, and the /b switch makes fc compare byte by byte and print the
offset and both values of every differing byte, which would have reported the
single-byte JPEG change directly (Microsoft Staff, 2017).
Even so, fc is an application better relegated to history than
touted as a modern-day forensic tool.
Weaknesses or Limitations
In the opinion of the examiner, the major strength of WinHex is that it is an
effective Microsoft Windows utility.
The application is tied to the Microsoft Windows operating system.
If there is a weakness to WinHex, it is that it is exclusively a Microsoft Windows
application.
WinHex does not run natively on Linux or on Apple’s operating systems.
Conclusion and Future Research Recommendations
The purpose of this study was to investigate the file comparison facilities of
WinHex.
The conclusion is that the application is probably well suited for comparing text
files and Microsoft Word documents.
The examination presumes that the results in testing Microsoft Excel and
Microsoft PowerPoint would be similar to the results in testing Microsoft Word.
The application seems to be a robust product that can be employed successfully
during a forensic analysis.
One area where future research may bear sweet-tasting fruit is translating the
legion of articles about WinHex from Chinese to English.
In this way, American forensic experts will reap the benefits of the plethora of
Chinese articles written about WinHex.
It seems that when it comes to WinHex, the Chinese possess a competitive
advantage over the Americans.
References
Cane, D., Hirschman, D., Speare, P., Vaitzblit, L., & Marson, H. (2000, August 08). U.S.
Patent No. 6,101,507. Washington, D.C.: U.S. Patent and Trademark Office. Retrieved
from https://patentimages.storage.googleapis.com/55/8a/35/b99f23d2278745/US6101507.pdf
Carrier, B. (2005). File system forensic analysis. Boston: Addison-Wesley Publishing.
Casey, E. (2004, June). Tool review – WinHex. Digital Investigation, 1(2), 114-128.
Retrieved from https://www.sciencedirect.com/science/article/pii/S1742287604000295
Computer Hope Staff. (2019, April 02). Microsoft DOS history. Computer Hope.
Retrieved from https://www.computerhope.com/history/dos.htm
Crider, M. (2018, January 16). How to use Microsoft Word’s compare feature. How-To
Geek. Retrieved from https://www.howtogeek.com/339166/how-to-use-microsoft-words-compare-feature/
Dickens, C. (1999[1859]). A tale of two cities. New York: Dover Publications, Inc.
Fanberg, V. V. (2001, May 22). U.S. Patent No. 6,236,993. Washington, D.C.: U.S. Patent and
Trademark Office. Retrieved from
https://patentimages.storage.googleapis.com/cc/29/58/463198bc8090ed/US6236993.pdf
Fink, P. E., Henness, M. A., & Szablowski, W. (2003, June 03). U.S. Patent No. 6,574,729.
Washington, D.C.: U.S. Patent and Trademark Office. Retrieved from
https://patentimages.storage.googleapis.com/98/94/75/771ed2011de69a/US6574729.pdf
Google Scholar. (n.d.). WinHex. Google Scholar. Retrieved from https://scholar.google.com/winhex
HotHotSoftware. (2012, May 12). How to file compare to compare files software for two different
binary or text files [Video file]. Retrieved from https://www.youtube.com/watch?v=iASfCXuuhIQ
Jackman, M. (2003, May 06). WinHex: A powerful data recovery and forensics tool. TechRepublic.
Retrieved from https://www.techrepublic.com/article/winhex-a-powerful-data-recovery-and-forensics-tool/
Kelley, E. E., & Palveda, J. F. (1997, February 18). U.S. Patent No. 5,604,901. Washington,
D.C.: U.S. Patent and Trademark Office. Retrieved from
https://patentimages.storage.googleapis.com/d5/cd/29/57e2df751f7819/US5604901.pdf
Microsoft Staff. (2017, October 15). fc. Microsoft Corp. Retrieved from
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fc
NIST Staff. (2017, May 08). Methodology overview. National Institute of Standards and
Technology. Retrieved from https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-general-0
Pfleeger, C. P., & Pfleeger, S. L. (2014). Analyzing computer security. Upper Saddle River,
NJ: Pearson Publishing.
X-Ways Staff. (n.d.). WinHex: Computer Forensics & Data Recovery Software,
Hex Editor & Disk Editor. X-Ways Software Technology AG. Retrieved from
https://www.x-ways.net/winhex/
X-Ways Staff. (2019). X-Ways forensics/WinHex manual. Carl Diem Str. 32,
32257 Bünde, Germany: X-Ways Software Technology AG. Retrieved from
https://www.x-ways.net/winhex/manual.pdf