Software Update: WinHex 17.8


X-Ways Software Technology has released version 17.8 of WinHex. WinHex is not only a universal hex editor but is also capable of low-level data processing through a straightforward interface. The program includes a RAM editor, a data interpreter and a disk editor, and can be used, for example, to recover deleted data or to inspect files. WinHex runs on all Windows versions from Windows XP onward and is available in several editions, priced from about forty euros to over a thousand euros for the most extensive one. The following changes and improvements have been made in this release:

What’s new?

  • Option to apply logical simultaneous searches to various metadata of files in addition to the file contents. More precisely, they can be applied to the cells of any selected directory browser column such as Name, Author, Sender, Recipients or Metadata. That can spare you from pasting your keywords into the filter dialogs of the various directory browser columns. The method is also more thorough, because all the text addressed by this new feature is searched as UTF-16, whereas elsewhere the same data may be fragmented (e.g. filenames, in particular in FAT), specially encoded (e.g. sender and recipients as quoted-printable in e-mails), compressed, or stored in unexpected code pages. It is also convenient because any hits are presented in the same fashion and listed like ordinary search hits in file contents, just specially marked in the search hit description column with the name of the column that the text containing the hit belongs to, and highlighted in a different color. You can also filter for search hits in metadata.
    When selecting search hits in metadata, they are automatically searched for and highlighted in Details mode, just as ordinary search hits in file contents are automatically searched for and highlighted in Preview mode.
    Note that the simultaneous search in metadata does not search in additional cell text that is displayed in a different color, such as alternative filenames and file counts in the Name column.
  • Option to sort search hits by their data and context instead of just by the search terms to which they belong. Helpful for keyword searches (not for technical searches such as hex values). Can be enabled in the dialog window Options | Directory Browser | [x] Advanced sorting (slower) | … and is indeed slower, since the data and context of all search hits to be sorted have to be read and converted to a comparable code page.
    Sorting by the data in search hits helps for GREP searches. It makes a difference only for GREP expressions that match variable data, because for constant search terms the search term and the data in its search hits are identical. For example, after searching for e-mail addresses with the expression [a-zA-Z0-9_\-+.]{1,20}@[a-zA-Z0-9\-.]{2,20}\.[a-zA-Z]{2,7}, sorting by the data allows you to quickly identify and visually skip groups of identical e-mail addresses, or to see similar e-mail addresses (starting with the same characters) next to each other.
    Sorting further by the text that follows the actual search hit, where the search hit data is the same, shows identical or similar text passages next to each other and allows you to review the search hit list more quickly.
    You can specify how many characters of data and context to take into account for sorting. The more characters, the more memory is needed for sorting, which can make a difference when listing a huge number of search hits.
  • Ability to filter search hits by the textual context around them (up to ~1000 bytes each left and right) using a user-specified keyword.
  • The maximum amount of context around search hits when exporting them in HTML or TSV format is now 2x ~1000 bytes as well (previously 500).
  • User search hits are now marked with an icon representing users. Notable search hits and user search hits can now be filtered using the Search hits column filter.
  • Ability to expand or collapse the entire file type tree in the dialog window for the file header signature search and file recovery by type. Useful because when expanded you can just type the first few characters of the file type description to automatically jump to the first matching item in the tree.
  • Ability to conveniently load keywords from a text file into the Name filter and save them directly from the dialog window.
  • Sparse files are now represented with a tilde (~) instead of the word “sparse” in the Attr. column. It is now possible to set the sparse attribute to any existing file on your own drive or remove that attribute via the File | Properties dialog window, as always by pressing the Enter key while the edit box in which you made changes has the input focus. Please note that setting or removing the attribute does not necessarily change the allocation status of already assigned clusters, but will definitely have an effect on newly assigned clusters when you expand the file by setting a larger file size in the same dialog window.
  • New directory browser columns named Created² and Modified² introduced, showing alternative creation and last modification timestamps. For NTFS, they are populated in newly taken volume snapshots with timestamps from the 0x30 attribute and represent previously valid timestamps from when a file was last renamed or moved, or possibly before some backdating operation occurred. Backdating operations are often applied by setup programs and also Windows itself (the infamous Creation timestamp tunneling effect, http://support.microsoft.com/kb/172190), and of course potentially by ordinary application programs as well as by users for various legitimate or less noble purposes. Note that these columns are populated only if these previously valid timestamps are actually different from their current counterparts, and additionally Modified² only if different from Created², to avoid cluttering the screen unnecessarily. That means any timestamps that you see there actually contain additional information and are not redundant.
  • Created² is also populated for HFS+ file systems, with the relatively new “Added date” timestamp from Mac OS X Lion and later as well as iOS, where available and if different from the regular Created date. That timestamp specifies when a file was added to the particular directory in which it is contained, even if originally created earlier. “Added date” timestamps in HFS+ are also output as events.
  • All Created² and Modified² timestamps shown in the directory browser are now also preserved in evidence file containers.
  • A new multi-user support option synchronizes certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. Disabling it can have some performance benefits, but is recommendable only for cases that are definitely processed by only one user at a time. This is a substitute for one of the effects of the now removed option “Extended multi-user coordination” from previous versions.
  • Support for a relatively new Windows registry format specialty found for example in Windows 7 AppCompatCache keys.
  • Support for the Windows 8 successor of AppCompatCache, i.e. the Amcache.hve hive, using a dedicated registry report definition file named “Reg Report Amcache.txt”, which allows you to produce a report and extract related special events.
  • File type verification slightly revised.
  • Since v17.5, X-Ways Forensics recognizes users by their SIDs and distinguishes between them (and their findings). This is now optional in newly created cases and can be disabled in the multi-user support options dialog when creating a new case. Useful if you know that only you will process that case and you wish to process it on different computers where you have Windows accounts with different SIDs, so that you will always be treated as the same user. Also useful if multiple users are going to process the same case at different times and wish to share all their results, as in X-Ways Forensics before v17.5.
  • Processing of volume shadow copies revised.
  • File type verification updated.
  • New directory browser column named Record changed², showing timestamps from NTFS 0x30 attributes.
  • Option to limit the import of another user’s search hits to search hits that are marked as notable or to that user’s manually defined search hits (so-called user search hits).
  • Option to take the search hits away from the other user when importing them. Useful if the other user is going to resume his or her work later and will then want to import *your* search hits back: because your search hits include his or her hits once you have imported them, this avoids duplicate search hits.
  • Support for nested emails when embedding attachments in parent .eml file.
  • Support for another thumbs.db format variant.
  • Ability to export the category statistics of listed files via the Category column’s filter popup menu if the Category filter is not active, as tab-delimited text.
  • NTFS last access timestamps are now displayed in gray if identical to the creation timestamp, as that on most systems likely means that these timestamps are simply not maintained and thus not very significant.
  • The folder for templates, X-Tensions and scripts may now be a relative path. Previously only “.” was supported.
  • In previously taken volume snapshots of HFS+ file systems, the contents of files with a hard-link count of 1 were not accessible if such files had an associated iNode file. That was fixed. Such files that unexpectedly have an associated iNode file are now marked with a ° in the Link count column.
  • More complete artificial headers for sent e-mails from Exchange databases, which allow attachments to be properly referenced in the .eml representation.
  • Fixed: the columns “Term count” and “Search terms” were populated only after the search hit list for an evidence object had been displayed once.

Version number 17.8
Release status Final
Operating systems Windows 7, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8
Website X-Ways Software Technology
Download http://www.winhex.com/winhex.zip
File size 2.10MB

License type Shareware