Software Update: WinHex 17.6

X-Ways Software Technology has released version 17.6 of WinHex. WinHex is not only a universal hex editor, but is also capable of low-level data processing through an easy interface. The program includes a ram editor, a data interpreter and a disk editor, and can be used, for example, to retrieve deleted information or to inspect files. WinHex works on all Windows versions from Windows XP and is available in different versions, with Prices from about forty euros to over a thousand euros for the most extensive version. The following changes and improvements have been made in this release:

What’s new?

  • X Ways Imager:
    • Ability to immediately verify newly created images.
    • Ability to convert raw images to .e01 evidence files or vice versa (after opening and interpreting the existing images).
    • Ability to open ordinary binary files in X-Ways Imager.
    • Ability to copy selected sectors or byte ranges from ordinary files, images or disks into the clipboard or into new files.
    • Ability to navigate to specific sector numbers.
  • Metadata extraction from IconCache.db files. Important Windows artifact that can help to prove executions of programs for example in malware investigations.
  • Ability to reconstruct e-mail messages from the Livecomm.edb database, which is used by the Windows Mail client (Windows 7 and newer) as part of the “uncover embedded data” operation. Also extracts contact and account information.
  • File type detection and categorization updated.
  • X-Tensions API: A new function named XWF_AddEvent was introduced, which allows to add events to the event hit list of an evidence object. XT_Prepare and XT_Finalize now receive a handle to the evidence object that the X-Tension is applied to.
  • The old indexing engine was removed.
  • User interface of the search term list slightly updated. Better readable font and more economical use of space. To focus on notable search hits please remember you can use the Descr. column filter.
  • X-Tension API: Ability to expand the file viewing capabilities of X-Ways Forensics, X-Ways Investigator, and X-Ways Investigator CTR by integrating so-called Viewer X-Tensions. Such X-Tensions provide special views of any supported file type by responding to calls of an XT_View function that they have to export. For details please see Users can load Viewer X-Tensions in the Options | ViewerPrograms dialog.
  • X-Tension API: New functions available: XWF_GetEvObjProp, XWF_OpenEvObj, XWF_CloseEvObj, XWF_GetFirstEvObj, XWF_GetNextEvObj, XWF_UpdateDirBrowser. 4 new flags for XWF_GetItemInformation and XWF_SetItemInformation introduced: XWF_ITEM_INFO_FLAG_FILEARCHIVEEXPLORED, XWF_ITEM_INFO_FLAG_EMAILARCHIVEORVIDEOPROCESSED, XWF_ITEM_INFO_FLAG_EMBEDDEDDATAUNCOVERED_METAWFATA_ITEM_FLAGMTED_ For details please see
  • The Delphi API definitions and a demo X-Tension have been updated with some of the new functionality.
  • A new investigator.ini option +52 prevents the use of Viewer X-Tensions, for example for security reasons. Remember that X-Tensions are Windows DLLs, which can potentially do harmful things to your system.
  • Ability to uncover embedded pictures from the caches of Google’s Picasa 3 image organizer and viewer software (thumbindex.db and related files).
  • Ability to manually enter the Recover/Copy output path by clicking a new “…” button in the dialog window, in the same line where the path is displayed. Useful if you wish to specify a network location that Windows does not list automatically.
  • New metadata extraction feature, which allows to restore original file system metadata (such as filename, timestamps) when found in certain file types such as $I* recycle bin files and iPhone mobile sync backup indexes (Manifest.mbdx). Original filenames are typically much more meaningful than random names that are assigned just to guarantee uniqueness in a single directory for backup purposes. Examples of such random names are 3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae (for a file in an iPhone backup) or $RAE2PBF.jpg (Windows recycle bin). Support for more file types will follow. The current filename according to the file system can still be seen in square brackets in the Name column, as well as in Details mode, and the Name filter will find both the original and the current name, so that current filename is not completely lost.
  • Event Extraction from Picasa 3.
  • File type verification updated.
  • New menu command Tools | File Tools | Replicate Directory. This command copies a directory with all its files and subdirectories, recursively, and recreates individually NTFS-compressed source files as NTFS-compressed in the respective output folder if supported by the destination file system and any layer in between. The command does not retroactively compress such files after their creation, but writes them immediately as compressed, which is more efficient. However, it still has to copy/send the decompressed amount of data of the source file. Select the source directory first, then specify/create the destination directory. This function is useful for example if you wish to copy or move a case directory, which contains a few NTFS-compressed files that would be inefficient to store as uncompressed. Note that alternatively you can open a case and use the Save As command in the Case Data window for the same effect.
  • Ability to extract embedded files from Photoshop thumbnail caches (Adobe Bridge Cache.bc), Canon ZoomBrowser thumbnail collections (.info), and Paint Shop Pro caches (.jbf).
  • File type verification updated.
  • The search term list can now be sorted by search terms alphabetically in ascending order or by the listed search hit count in descending order, via the context menu of the search term list, to make it easier to locate a certain search term in lengthy lists.
  • Certain kinds of files with child objects such as e-mail archives are now included in the directory tree in the Case Data window, along with their subdirectories.
  • You can make Raw preview mode persistent by holding the Shift key when activating Raw mode.
  • The hash database of block hash values ​​is now no longer expected in a subdirectory of the directory with the regular hash database, but in a directory at the same level, with the same base name plus ” [block hash values]” appended.
  • Support for Mac Absolute Time in the Data Interpreter.
  • The Data Interpreter is now able to interpret UNIX/C, Java/BlackBerry/Android and Mac Absolute timestamps stored as decimal ASCII text instead of in binary. You will find a context menu item for that as well as a checkbox in the options dialog.
  • The Data Interpreter now optionally translates timestamps of all formats except MS-DOS date & time to local time (the time zone defined in the General Options). You will find a context menu item for that as well as a checkbox in the option dialog.
  • Ability to convert so-called Nandroid backup files of the NAND flash memory of Android devices to regular raw images via Edit | convert.
  • Increased capacity for large cases.
  • More complete output of serial numbers or USB devices.
  • New date type “MacAbsTime” supported in templates.
  • New modifier “local” supported for timestamps in templates. Causes X-Ways Forensics to convert timestamps (except DOSDateTime) to the timezone specified in the General Options.
  • Extraction of forensically valuable metadata from PhotoShop PSD and INDD (Adobe InDesign) files.
  • Internal file carving algorithms for INDD, Bridge Cache and Picasa3 index files implemented.
  • Improved support for Magix Photo Manager Cache .mxc2 and .mxc3 and other files.
  • Ability to see model and serial numbers of physical media without administrator rights.
  • Ability to mark events as notable and filter for notable events via the Timestamp column.
  • Ability unmark multiple selected search hits and events as notable, by holding the Shift key when invoking the “Mark as notable” context menu command.
  • That the directory for images that specified in the General Options is preselected for newly created images is now optional.
  • Option to always suggest to open a case with extended multi-user coordination in shared analysis mode. That mode can be useful even for the first of many simultaneous users of the case because only in that mode newly created report table associations are shared out to other simultaneous users at regularly intervals (depending on the case auto-save option).
  • Imports and shows newly created report table associations of simultaneous other users in shared analysis mode when re-opening an evidence object or when case auto-save interval elapses or when manually invoking the Save Case command. (In v17.5 this happened only when opening the case in normal, unlimited mode.)
  • Unicode support for email excerpt reconstruction from Thunderbird indexing databases.
  • Ability to uncover various potentially relevant resources in 32-bit and 64-bit Windows PE executables (programms and libraries) as child objects, in particular RCDATA, named objects, bitmaps, icons and manifests. Useful for example for malware analysis. This does not happen automatically, only if you specifically target executable files via a suitable series of file masks.
  • More metadata is now extracted from AVI video files, for example the codec and the IDIT creation timestamp or original filename, where available.
  • Metadata and internal file carving support for AMR voice recording files.
  • Hash database dialog window revised.
  • Ability to store additional custom definitions of file types and categories in a separate file named “File Type Categories User.txt”, which will be read and maintained in addition to the standard definitions in “File Type Categories.txt” and has the same structure and is not overwritten by updates of the software if contained in the installation directory, so that you can easily continue to use it even when overwriting your installation with a new version.
  • The Replicate Directory command can now operate on overlong paths.
  • Support for even more deeply nested (recursively forwarded) email messages in OST/PST email archives.
  • Remains more responsive during file header signature searches and other volume snapshot refinement operations, and allows to use several commands in the Case Data window’s context menu during various ongoing operations.
  • Displays the amount of free space on the output drive in the Create Disk Image dialog window.
  • Performance of uncovering thumbnails in large JPEG files improved.
  • New option to view files with a single click in the gallery instead of with a double click. Useful for example if you wish to view certain pictures on a separate monitor, where you do not have to close the view window to see the gallery again, when not viewing all pictures one after the other (for which the Page Up or Dn key is more efficient).
  • Improved ability to uncover thumbnails from Windows thumbcaches. The process is now faster and produces much less redundant thumbnails especially for Windows 8 and 8.1 installations (only the highest resolution available for a set of thumbnails for the same picture). The new method is used when targeting thumbcache_idx.db files (which will in turn target the corresponding thumbcache*.db files) via the provided mask and not the thumbcache*.db files directly as in previous versions of X-Ways Forensics.
  • Structure of the technical details report for physical media slightly improved.
  • Supports certain .bmp graphics with larger headers.
  • Some other improvements in the internal graphics viewer.
  • Fixed an exception error that could occur when processing SQLite databases.
  • Some minor fixes for EDB processing.
  • Program help and user manual updated.

Version number 17.6
Release status Final
Operating systems Windows 7, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8
Website X-Ways Software Technology
File size


License type Shareware