Software Update: WinHex 16.0


X-Ways Software Technology has released version 16.0 of WinHex. WinHex is not only a universal hex editor, but is also capable of low-level data processing through an easy interface. The program includes a RAM editor, a data interpreter and a disk editor, and can be used, for example, to retrieve deleted information or to inspect files. WinHex works on all Windows versions from Windows 2000 onwards and is available in four different versions, with prices from 40 euros. Since version 15.9, the following changes and improvements have been made:

What’s new?

  • There is no performance penalty any more for selecting many or all file types for the file header signature search. File header signature searches are now considerably faster and basically limited in speed only by the medium from which the data is read.
  • Ability to interpret data in the text column as text encoded in an arbitrary code page. That is very useful for East Asian code pages, Eastern European code pages and UTF-8 if the text is found outside of files that can be nicely viewed by the viewer component, e.g. floating around in free drive space. The character set/code page for the text column can now be selected via View | Character Set. Please note that you may need to select a font in General Options that contains all characters that you intend to read, and for East Asian characters you need to have support for these kinds of languages installed in Windows.
  • Ability to view Windows Vista and Windows 7 event log files (.evtx), based on work by Andreas Schuster.
  • Completely revised and more robust registry hive handling. Ability to find deleted keys and values in hives that contain unused space and lost keys/values in damaged/incomplete hives. If no complete path is known for keys, they will be listed as children of a new virtual key called “Path unknown”. The search function in the registry viewer is now more thorough and robust.
  • Analysis of free space in registry hives with the report definition file “Reg Report Free Space.txt”. The free space can be as large as several MB, especially as a consequence of the use of virus scanners and registry cleaning programs.
  • Windows registry report: New data type %I (ITEM list) covers not only Shell Bag (as in previous versions), but also for example desktop shortcuts. Format adjusted for Windows Vista and 7.
  • When switching from File mode to Partition/Volume mode, X-Ways Forensics will now automatically point you to the offset from the point of view of the partition/volume that is equivalent to the offset within the file where the cursor was positioned last, even if the file is fragmented, if there is an equivalent position (not if the file is a compressed or virtual attached file or an extracted e-mail message or an exported video still etc.).
  • New investigator.ini option +38 allows you to prevent imports of report table associations.
  • Ability to specify the directory in which to create a case when creating a new case, for that particular case only.
  • File header signature searches are now even faster.
  • Registry report function further improved and revised. Deleted values are now highlighted in red in the report.
  • Directories with search hits that are copied from a search hit list now receive a special name when they are created as files in the output folder.
  • Ability to open an evidence object even if the disk or image is not currently available, via a special command in the evidence object’s context menu, to see the volume snapshot. That means you can see all the file metadata stored in the volume snapshot (filename, path, file size, timestamps, attributes, etc.), can use all filters etc., but cannot see any data in sectors and cannot open/view any files.
  • Improved thumbnails extraction from Windows Vista’s and Windows 7’s thumbcache_*.db files. Ability to assign original filenames, file paths, and modification timestamps to certain thumbnails that were previously just named with a 16-digit hex number.
  • Ability to customize the notation of dates, times, and numbers (see new button in Options | General). Useful to be independent of the settings of the live system that you want to preview. Ability to display years with 2 digits only.
  • The registry viewer now allows you to recursively explore all the keys and values in a hive and sort them in chronological order.
  • Better Unicode support in the registry report for Asian registry hives.
  • Tray notifications artifacts from Windows 7 registry hives are now supported and decoded. The timestamps render these artifacts useful for computer forensics.
  • Further improved support for shell bags.
  • Support for two new zip subtypes: APK Android smartphone packages and KEY Apple iWork keynote presentation files.
  • Sorting by search term count column has been accelerated.
  • An exception error was fixed that could occur when viewing EVTX event log files.
  • Fixed an exception error that could occur when extracting metadata from carved MP4 and ASF files.
  • Hash database functions internally reworked. When importing the NSRL RDS hash database, X-Ways Forensics now checks for records with the flags “s” (special) and “m” (malicious) so that these hash values are not erroneously included in the same internal hash set that should be categorized as irrelevant.
  • Technical information about segmented .e01 evidence files could occur repeatedly in the evidence object properties. This was fixed.
  • It is now possible to abort lengthy sort operations. The directory browser is now unsorted after start-up by default. This new behavior can be turned off in the directory browser options.
  • The grouping options now have an effect even if the directory browser is not sorted.
  • The option to display fractions of seconds in high resolution timestamps has been moved from the directory browser options to the new notation options. The option to display the time zone bias has also been moved to the notation options.
  • The report table filter has a new option that allows you to additionally include siblings of the associated files, i.e. files in the same directory as the files that are part of the selected report table(s). Useful, especially when exploring recursively and sorting by path, to check whether there are any further notable files in the neighborhood.
  • Ability to optionally also add any known duplicates of the selected file(s) in the same evidence object to a report table (files which have been identified as duplicates based on hash values and marked as such in the Attr. column).
  • Ability to identify animated GIFs. Animated GIFs will be added to a special report table during the file type verification.
  • Ability to select the character set/code page for Disk/Partition/File mode in X-Ways Investigator (tentatively included).
  • Licensed users of X-Ways Forensics with active update maintenance can now conveniently find older versions for download if needed.
  • Registry value slack has a relevant size in NTUSER.DAT hives. This fact is now exploited with 2 measures:
    • If the slack contains text strings, it will be output in the registry report (in green). This new feature can optionally be turned off in the registry viewer context menu.
    • For values that contain item lists (i.e. are binary) you can use the “Reg Report Free Space.txt” definitions so that the registry report outputs lists of filenames with timestamps in green. The first timestamp is an access date, the second one is a creation date. If no timestamps can be output, these are artifacts from “RecentDocs”.
  • Deleted registry values are now highlighted in the report in red color.
  • Tools | Disk Tools | Clone Disk now allows for reverse disk cloning and reverse disk imaging (requires a specialist or forensic license). Useful if the disk to acquire has severe physical defects that for example cause a disk imaging program or the entire Windows system to freeze or crash when reaching a certain sector. In such a case you can create an image in reverse order, by reading sectors from the end of the disk backwards, and it is even possible to automatically fill an existing incomplete ordinary (“forward”) image additionally backwards to get an image that is as complete as possible, with only a small zeroed gap somewhere in the middle that represents the unreadable damaged spot on the source hard disk. Yes, X-Ways Forensics is quite a sophisticated disk imaging tool not only because of its speed, and we would like to remind everyone that additional dongles just for disk imaging are available for much less than the cost of a full license (see here).
  • With additional dongles for X-Ways Forensics just for disk imaging you can now additionally use the Tools | Disk Tools | CloneDisk functionality.
  • Some further improvements in registry report generation.
  • In the original release it was not possible to change the codepage for the text column. That was fixed.
  • Fixed a number notation issue that was present on the first execution of the program with a fresh installation only.
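
The reverse imaging approach described in the Clone Disk item above, as an added Python sketch that is not X-Ways code: a forward pass stops at the first unreadable sector, then a backward pass fills the same image from the end, leaving a zeroed gap. The `DamagedDisk` class, its sector pattern and the use of an exception to stand in for a freeze or crash are assumptions made for the illustration.

```python
SECTOR = 512

class DamagedDisk:
    """Constructed stand-in for a source disk with an unreadable sector range."""
    def __init__(self, total_sectors, bad):
        self.total_sectors = total_sectors
        self.bad = bad                      # range of unreadable sector numbers

    def read_sector(self, n):
        if n in self.bad:
            raise IOError(f"unreadable sector {n}")   # real disks may hang instead
        return bytes([n % 251 + 1]) * SECTOR          # non-zero, per-sector pattern

def forward_image(disk, image):
    """Ordinary imaging; returns the number of sectors copied before the first error."""
    for n in range(disk.total_sectors):
        try:
            data = disk.read_sector(n)
        except IOError:
            return n
        image[n * SECTOR:(n + 1) * SECTOR] = data
    return disk.total_sectors

def reverse_fill(disk, image, forward_done):
    """Read from the last sector backwards into the same offsets of the image.
    Stops at the first unreadable sector or at the region the forward pass covered.
    Returns the lowest sector number that was filled."""
    n = disk.total_sectors - 1
    while n >= forward_done:
        try:
            data = disk.read_sector(n)
        except IOError:
            break
        image[n * SECTOR:(n + 1) * SECTOR] = data
        n -= 1
    return n + 1

def acquire(disk):
    """Returns (image, gap) where gap = (first, end) of sectors left zeroed."""
    image = bytearray(disk.total_sectors * SECTOR)    # zero-filled target image
    fwd_end = forward_image(disk, image)
    rev_start = reverse_fill(disk, image, fwd_end)
    return image, (fwd_end, rev_start)

if __name__ == "__main__":
    img, gap = acquire(DamagedDisk(100, range(40, 43)))
    print("zeroed gap covers sectors", gap[0], "to", gap[1] - 1)
```

Recording the gap boundaries alongside the image documents exactly which sectors were never read.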

Version number: 16.0
Release status: Final
Operating systems: Windows 7, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008
Website: X-Ways Software Technology
File size: 1.74MB
License type: Shareware