Download WinHex 15.2
X-Ways Software Technology released version 15.2 of WinHex earlier this month. WinHex is not only a universal hex editor, but is also capable of low-level data processing through a simple interface. The program includes a RAM editor, a data interpreter and a disk editor and can be used, for example, to retrieve deleted information and to inspect files. WinHex works on all Windows versions from 98 with the exception of NT, but the full set of features is only available on Windows 2000 and above. Below you will find everything that has changed in the program since version 15.1:
What’s new?
- If more than 1 GB of main memory is available, the optimization of an index now better utilizes that memory, which may result in a tremendous acceleration of this step for large indexes.
- There are now two different checkboxes in the Index Search window. Checking the first one helps find words within words (e.g. “wife” in “housewife”; incomplete and slow if the index was not prepared for substring searches). The second one makes it optional to find word extensions (e.g. “houses” when searching for “house” and “skyscraper” when searching for “sky”). Finding word extensions was the default behavior in previous versions. Unchecking both options works like a “whole words only” option.
- It is now possible to replace an evidence object with a new medium (drive letter or physical disk). Useful if you are working with original disks, not images, and the drive letter or disk number has changed.
- The graphics library has been updated. Some issues with the display of pictures were fixed.
- It is now possible to group existing and deleted files in different output directories when using the Recover/Copy command. Requires that you have X-Ways Forensics recreate the original path.
- Ability to recreate files whose original paths contain directory names with trailing spaces, although not allowed by Windows, by removing such spaces.
- It is now possible to mark files as hidden even in a search hit list. Such files will actually be filtered out if you do not list hidden items when you click the Enter button in the search term list window to recompile the search hit list.
- When adding a file to a report table, it is now also possible to recursively add all its child objects to the same report table, not only direct children.
- Ability to view Unix/Linux wtmp and utmp log-in records.
- Recognizes the TFAT file system as such.
- When enabling the recommended data reduction for logical searches, files marked as moved/renamed will not be searched any more, as the same data is searched when the same file is searched in its new location/under its new name.
- Can import SHA-1 hashes from .e01 evidence files as now optionally provided by EnCase 6.12. (Note that in X-Ways Forensics you were never forced to use MD5).
- Naming problem solved for e-mail messages that were extracted from .msg files that were attached to the volume snapshot as virtual files.
- It is now possible to view/search/dump physical RAM on remote computers through F-Response 2.x (works in conjunction with X-Ways Forensics since v15.1 SR-5).
- Several minor improvements.
- Main memory analysis. Processes will be listed in the directory browser, with their timestamps and process IDs, and their own respective memory address spaces can be individually viewed in “Process” mode, with pages concatenated in correct logical order as seen by each process. The “particularly thorough data structure search” will take a little longer and may turn up traces of additional processes including rootkits. Works for memory dumps from many, but not all Windows versions and service packs. Currently requires that the name of the file with the memory dump contains the word “RAM” or “dump”, for it to be detected as a memory dump.
- For internally reconstructed RAIDs, the number of the component disk from which the current sector (where the cursor is) was read is now displayed in the Details Panel, along with the relative number that that sector has on that component disk.
- For reasons of convenience, WinHex and X-Ways Forensics now remember and restore the last selected item and other settings of the directory browser when reopening data windows and evidence objects.
- Hash sets can now be classified as to how important they are. This is useful because when matching hash values against the hash database, only one match is returned even if the same hash value is contained in multiple hash sets. Now you can make sure that in such a case you get the most important hash set returned, for example a hash set that identifies CP pictures without any doubt as opposed to hash sets that may contain the hash values of doubtful pictures. Also new: If there is more than one match, a “+” sign will be displayed in the hash set column in the directory browser after the name of one of the matching hash sets.
- Hash set names may now contain Unicode characters.
- Some special information for memory dumps (if they are recognized as such, see above) is now available in Technical Details Reports.
- Now shows attachments as child objects of e-mail messages instead of in a virtual “Attach” folder in some cases where this previously did not happen.
- Evidence file containers created by v15.2 Beta 3 and later can now also transport the hash category of a file and the skin color percentage.
- Icons of hidden files are now displayed in gray instead of blue. Icons of notable files are now displayed in red instead of blue.
- RAM analysis now also works for local physical RAM opened via Tools | Open RAM, not only for memory dumps.
- An error with the new hash database algorithm in Beta 2 was fixed.
- An error in the “Totally remove hidden items” function was fixed that existed since v14.8.
- Support for mode 1 ISO CD images with 2,352 bytes per sector, if not spanned (segmented).
- Minor improvements and fixes for the new memory analysis feature.
- It is now possible to attach all the files of an entire directory to the volume snapshot, not just individual files, if you hold the Ctrl key while invoking the directory browser menu command. Useful for example after having extracted thousands of .msg files from a .pst or .ost e-mail archive using the viewer component, to integrate them back into X-Ways Forensics for further processing.
- When identifying and hiding duplicate files, previously it was possible that duplicate e-mails with attachments (e-mail/attachment pairs) were separated if the parent (e-mail message) of one pair and the child (attachment) of another pair was hidden. The algorithm was improved and this undesirable situation is now avoided.
- Evidence file containers created by v15.2 Beta 3 should only be used in the same version or in earlier versions. Future versions might misinterpret them. The layout of the new fields is now finalized.
- The “Save As” command is now also available for disks (yet another way to create a raw image).
- Avoids exception errors with certain corrupt .gif files.
- Memory analysis further improved.
- Identical e-mail messages with different attachments (child objects) will be marked as duplicates, but not hidden. Identical attachments (child objects) will be marked as duplicates, but they will be hidden only indirectly if they are part of identical e-mail messages and those are hidden, too. This facilitates the examination and also avoids a situation where the parent (e-mail message) of one e-mail+attachment family and the child object (attachment) of another family is hidden.
- The downloadable PDF user manual has been updated.
- Fixed an exception error of type 216 at offset 00550348 that could occur when taking volume snapshots.
- Fixed an exception error that could occur in rare cases when optimizing an index.
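
The hash set importance item above describes a lookup that returns a single hash set per file, preferring the most important one and flagging further matches with a “+”. The following sketch is an added example, not X-Ways code: the class, the numeric importance scale (higher wins, ties broken by name), the set names and the sample data are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict


class HashDatabase:
    """Toy hash database; every hash set carries a name and an importance rank."""

    def __init__(self):
        self._importance = {}                   # set name -> rank (assumed: higher wins)
        self._sets_by_hash = defaultdict(set)   # hex digest -> names of sets holding it

    def add_set(self, name, importance, digests):
        self._importance[name] = importance
        for digest in digests:
            # Normalise case so imported lists in upper-case hex still match.
            self._sets_by_hash[digest.strip().lower()].add(name)

    def matches(self, digest):
        """All matching set names, most important first (ties broken by name)."""
        names = self._sets_by_hash.get(digest.strip().lower(), ())
        return sorted(names, key=lambda n: (-self._importance[n], n))

    def column_value(self, digest):
        """One set name for the hash set column, with '+' if more sets matched."""
        ranked = self.matches(digest)
        if not ranked:
            return ""
        return ranked[0] + ("+" if len(ranked) > 1 else "")


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def build_demo():
    # Constructed sample "files"; contents and set names are made up.
    files = {
        "a.jpg": b"constructed sample A",
        "b.jpg": b"constructed sample B",
        "c.txt": b"constructed sample C",
    }
    digests = {name: sha1_hex(content) for name, content in files.items()}
    db = HashDatabase()
    db.add_set("unverified-pictures", 1, [digests["a.jpg"], digests["b.jpg"]])
    db.add_set("confirmed-notable", 9, [digests["a.jpg"].upper()])
    return db, digests


if __name__ == "__main__":
    db, digests = build_demo()
    for name, digest in digests.items():
        print(f"{name:8} {db.column_value(digest) or '(no match)'}")
```

Without the ranking step, which of the two sets is reported for `a.jpg` would depend on lookup order, which is the ambiguity the importance classification removes.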
Version number | 15.2 |
Release status | Final |
Operating systems | Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 |
Website | X-Ways Software Technology |
File size | 1.39MB |
License type | Shareware |