Software Update: WinHex 15.3

X-Ways Software Technology released version 15.3 of WinHex on Monday. WinHex is not only a universal hex editor, but is also capable of low-level data processing through a simple interface. The program includes a ram editor, a data interpreter and a disk editor, and can be used, for example, to retrieve deleted information and to inspect files. WinHex works on all Windows versions from Windows 2000 onwards and is available in four different versions. Below is what has changed in the program since version 15.2:

What’s new?

• The index optimization step was reworked. It can now utilize an unlimited and user-defined number of processor cores simultaneously and a user-defined amount of main memory, for faster and more thorough optimization.
• Improved memory handling for search hits. No additional memory requirement for search hits any more when loading or saving the case. Memory for search hits is now needed only when the evidence object is open (same as before already with memory for volume snapshots). The limitation of the number of search hits in one evidence object by main memory was slightly increased (now several ten million search hits possible). Search hits saved by v15.3 cannot be loaded by older versions any more.
• Decoding the text in PDF, HTML, and various other documents for the logical search and for indexing can no longer cause the program to freeze or crash if the viewer component has problems processing the file eg because the file is corrupt.
• When attempting to view or preview a file with the viewer component that is a known to be a reason for crashes, you are asked whether you are really sure you would like to view the file.
• Detects if hash database is in use to avoid conflicts when updating it.
• When you add an excerpt from a file to the volume snapshot as a virtual file (select a block in File mode and use the Edit menu for that), the resulting file is now marked as “excerpt” in the Attr. column and is filterable like this.
• zip.exe was updated with a version that supports larger .zip files. That program is used for archiving cases.
• In main memory (local live main memory or memory dumps), Windows kernel data structures and named objects are now conveniently listed in a tree in the volume snapshot. Other objects will be listed per process in the handle table.
• Three additional data types have been added to the Data Interpreter: SID (security identifiers), IP addresses, and packed 7-bit ASCII strings. IP addresses are also available in templates, and the variable type is called “IP”.
• Three additional hash types have been added: RipeMD-128, RipeMD-160, and MD4. Support for MD4 has been added because that hash type is in use eg in aMule.
• The integrity test of the hash database can now be aborted.
• The case report can now optionally be split into multiple HTML files if too many pictures are to be included (like hundreds or thousands) that give Internet browsers or other programs headache when loading the HTML file.
• New index optimization further improved.
• Improved compatibility with .e01 evidence files as produced by EnCase 6.13.
• Avoided “… is not a valid character” error message in inappropriate situations.
• Supports overlong paths (up to about 510 characters) when taking a volume snapshot of a network drive.
• Clickable links to attachments in emails in Preview mode now work in some very rare cases where they previously didn’t.
• When opening main memory, loaded modules are now listed, in a virtual directory named “Modules”. That enables X-Ways Forensics to allocate the memory pages in RAM mode that they occupy to them, and to compute hashes for them so that they can be identified via special hash sets.
• Memory analysis more robust.
• It is now possible to output the report for selected evidence objects only, not simply for all evidence objects, via an additional checkbox in the report options dialog. (forensic license only)
• A new filter has been introduced that allows to focus on files that have been already or have not been viewed yet by the examiner. See Directory Browser Options. (forensic license only)
• Some options from the Security Options and the Directory Browser Options that affect the creation of volume snapshots have been moved to a separate dialog box that you can access via a button in the Directory Browser Options.
• A new volume snapshot option is now available that causes deleted partitions to pass on their deleted state to everything that they contain (files, directories, …), and deleted e-mail archives to pass on their deleted state to all the e- mails, directories and attachments that they contain. This may seem logical, but results in a loss of information (*everything* is listed as deleted). By default, X-Ways Forensics still distinguishes between existing and deleted files and e-mails etc. even in deleted partitions/deleted e-mail archives, as in earlier versions, so that more information is retained.
• Via two other new volume snapshot options you can indicate whether you are interested in earlier names and locations of renamed/moved files in NTFS and whether you are interested in getting files listed for which only filename, size, timestamps and attributes (but no data) are known. By default, such files are listed, as in earlier versions. (specialist or forensic license only)
• ed2k hash values ​​can now be computed for files in the volume snapshot. This hash type is used in file sharing programs. (specialist or forensic license only)
• The menu items for simultaneous search and the index searches have been moved to the top of the menu (for license types in which they are available), since they are the most important ones in the Search menu.
• Fixed an error that in some situation occurred when processing certain thumbs.db files.