Software Update: WinHex 18.2

Spread the love

X-Ways Software Technology has released version 18.2 of WinHex. WinHex is not only a universal hex editor, but is also capable of low-level data processing through an easy interface. The program includes a ram editor, a data interpreter and a disk editor, and can be used, for example, to retrieve deleted information or to inspect files. WinHex works on all Windows versions from Windows XP and is available in different versionsof Prices from about forty euros to over a thousand euros for the most extensive version. The following changes and improvements have been made in this release:

what’s new?

  • Viewing support for Ext3/Ext4 journals. Our File Systems Revealed training course now also explains the Ext journal.
  • Ability to specify in great detail which types of file archives and which zip subtypes should be explored to include their contents into the volume snapshot.
  • Support for up 32 external viewer programs instead of 9. Their paths are now defined in a separate file, named Programs.txt, so that it is easier to share a collection of external programs separately, or keep them when taking over all other settings from someone else.
  • Reliably preserves the PhotoDNA category of pictures, if identified, in evidence file containers, and can show it in installations whose PhotoDNA database has a category of the same name, after a volume snapshot of the container has been taken.
  • Ability to split huge HTML and TSV exports from the directory browser into separate files.
  • Ability to tweak CPU and memory utilization of indexing, and more conservative default values ​​are used.
  • Exchange EDB extraction slightly revised.
  • Fixed an infinite loop that could occur in the original Preview release.
  • Both default and maximum file sizes for carving are now individually specified in the “File Header Signatures Search.txt” file on a per file type basis, no longer generically in the user interface. That allows for better output quality because different file types have different variances in typical file sizes (larger or smaller deviations from their respective average file size).
  • The virtual “Free space” file is now frozen also once it is indexed, to avoid later invalidation of index offsets.
  • Faster processing of huge numbers of original .eml and .msg files in very large volume snapshots. Volume snapshots saved by earlier releases have to be converted to a new format by v18.2 Preview 3 and later.
  • Avoided garbled look of toolbar icons on systems with only 16-bit color depth (High Color).
  • Exchange EDB support slightly revised.
  • Support for Project VIC JSON files format 1.2.
  • Tentative support for Exchange 2010 EDB databases. Feedback appreciated!
  • More efficient processing of solid 7zip archives.
  • Substring filter for the Author column.
  • Extended support for relative paths to external programs.
  • Volume shadow copy processing revised, delivering better results.
  • Extraction of browsing history information from Safari’s icon database. This alternative source is very interesting because it records browsing history even when Safari is in private browsing mode.
  • Ability to copy the path of the selected key in the Registry Viewer using a new context menu command.
  • Maintains a history of the last 8 search terms used in the Registry Viewer.
  • Ability to view .DS_Store in more detail in Preview mode.
  • A new button labeled “XT” is now shown when viewer X-Tensions are available (loaded), next to the “Raw” button. Allows you to conveniently change the preview to the representation provided by the first viewer X-Tension that feels responsible for the type of the selected file. Or back to the regular preview if not helpful, in both directions with a single mouse click. You may also combine Raw and XT submodes of Preview mode, for example for debugging purposes if you are programming a viewer X-Tension of your own and have it return HTML code that you wish to check in X-Ways Forensics.
  • Improved dealing with incomplete Ext* partitions, in particular those that are part of Linux software RAIDs if not reconstructed by the user, but processed directly by themselves.
  • For the file systems Ext2/Ext3/Ext4, there is now a “Particularly thorough file system data structure search” functionality, which checks the entire volume for previously existing directory structures whose contents are no longer known from corresponding inodes (these would have been looked at as part of the regular volume snapshot already). Such directories are listed with a generic name, usually in “Path unknown”, but potentially in the root directory, if that is where they existed previously (the root directory is special in this situation, as it has an unchangeable ID).
  • New directory browser context menu command to exclude files based on identical names instead of identical hash values. This is a case-insensitive comparison and of course should be used only if you know what you are doing, as it does not compare the file contents at all. Could be useful for example if you wish to get rid of multiple copies of the same files found in backups if you do not need to keep different versions of these files. If prior to the comparison for example you sort by last modification date in descending order, this will ensure that the newest version of the file will be kept and all older versions will be excluded. Files with identical names are not marked as duplicates in the Attr. column. That happens only if you identify identical files based on hash values, in previous versions.
  • Context menu for directories in the Case Data window. Available if “More context menus” in Options | General is fully checked or if the Shift key is pressed while right-clicking a directory. Allows to recursively explore the right-clicked directory (just like when no context menu is shown), allows to tag the directory recursively (just like when pressing the Space bar), to expand the directory recursively (just like when pressing the multiply key of the numeric keypad), to collapse all, export a subtree into an ASCII text file, or copy the entire path of that directory into the clipboard.
  • “Create main report” is now a 3-state checkbox in the case report options dialog. If only half checked, details about the evidence objects are not included in the case report, the evidence objects are merely listed. Evidence objects details, if included, now precede report tables in the report. Links to report tables now work even if the report is optionally split into multiple HTML files, and there is a link back from each report table to the report table overview. The report is now split based on the number of items that are referenced, not based on the number of pictures that are displayed in the report. If the report is split, the next segment is now linked from the bottom of the previous segment.
  • Improved support for logical memory addresses in the Position Manager (previously called “virtual” memory addresses).
  • The case log, if output along with the case report, is now a separate HTML file. If the report is saved in a directory other than the case directory and screenshots of the case log are to be included, they are now copied to the appropriate subdirectory.
  • The Chinese translation of the user interface was updated.
  • Slightly revised file type verification.
  • Matches with deleted hash sets (which are not discarded from volume snapshots when the hash sets are marked as deleted in the hash database) are now marked in the “Hash set” column with the word “deleted” to avoid confusion and mix-ups with existing hash sets of the same name. Some users who delete hash sets from a hash database, add new hash sets, but do not match hash values ​​of files against the hash database again, might have confused that they cannot target files with matches using the “Hash set” column filter, which only offers existing hash sets.
  • More likely enough space now in evidence file containers for e-mail messages with extremely long subjects, extracted sender and recipients text, comments, and report table associations.
  • The newly introduced optional commas in the column “Default size” in “File Type Signatures Search.txt” have been replaced with colons for better compatibility with MS Excel.
  • Keeps track of viewed files when viewed in the gallery only for pictures, even if non-picture files are represented in the gallery by thumbnails as well (as introduced with v18.0).
  • Prevented erroneous “Please stop ongoing operation first.” message that could occur when trying to hash files in large volume snapshots, and subsequent exception errors.
  • Fixed an error with message “Unable to release memory” that could occur during file header signature searches.

Version number 18.2
Release status Final
Operating systems Windows 7, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8, Windows 10
Website X-Ways Software Technology
Download
File size

2.26MB

License type Shareware
You might also like