Software Update: WinHex 18.0




X-Ways Software Technology has released version 18.0 of WinHex. WinHex is not only a universal hex-editor, but is also able to apply low-level data-processing via an easy interface. The program includes a ram editor, a data interpreter and a disk editor, and can be used for example to retrieve deleted information or to inspect files. WinHex works on all Windows versions from Windows XP and is available in different versions , with prices from about forty dollars to over a thousand euros for the most comprehensive version. In this release, the following changes and improvements have been made:

What’s new?

Improved stability and quality of e-mail extraction from Exchange databases.
Preview or Skype chat sync files (named “chat sync” in the Type column). Shows the entire chat and the IP addresses of the Participants. Events are usefull extracted.
Internal memory allocation tracking can now be enabled in Options | Security for debugging purposes.
The “..” item at the top of the directory browser That Appears When navigating Within a volume from one directory to another is now optional. If displayed, it is now frozen at the top of the directory browser and doesnâ scroll alongwith all the other items. And it now shows all the information on the directory That It Represents (The One That you would navigate to claustrophobia double-click it), just like with all the other items in the directory browser. And a “.” ook item is now displayed optionally, representing the hört Explored directory. Useful for example if you wish to see certainement metadata (eg timestamps) of the parent object at the sametime as metadata, whether it’s child objects. And if the. .. or item is a file and you select it, then you can now see That Particular file in File, Preview or Details mode. And it is Represented in Gallery mode.
When Clicking any component of the current path in the caption line or directory browser, this will now navigate directly To that directory (or file with child object) Whose name you clicked.
The “Keep track or viewed ‘files” option HAS BEEN moved to Options | Viewer Programs.
Support for e-mail extraction from MBOX email archives larger than 4GB.
File header signature searches, block-wise hash matching, FILE record searches, searches for fixes partitions, and simultaneous physical searches are now sparse-aware operations When dealing with compressed and sparse evidence .e01 files. That Means That That areas on the original hard disk were neverwritten and zeroed out or areas That had been wiped on the original hard disk or consciously omitted in areas cleansed images are skipped and require almost no time, Because Their data neither HAS to be read nor decompressed jail Further processed (searched / hashed matched against the block hash database).
Sparse awareness is active guaranteed for .e01 Evidence That Were files created by X-Ways Forensics and X-Ways Imager 16.1 and later (also may possibly for images created by 3rd party software, depending on the settings and the internal layout). Operations are not sparse-aware on images or Windows dynamic disks, images or LVM2 disks, and on reconstructed RAIDs based on evidence .e01 files.
Logical searches in files stored in an NTFS file system are usefull sparse-aware at the .e01 evidence file level, and gene rally logical searches in virtual “Free space” files.
Logical searches in NTFS, ext *, XFS and UFS file systems are now sparse-aware at the filesystem level. That means no time is wasted on large sparse areas Within sparse files, They Are not processed, regard less of Whether the evidence is an object .e01 evidence file, Raw image, RAID, or actual disc.
Support for newer Photoshop thumbnail cache format.
A new “Special interest” entry payback from upkeep to carve Google search URLs with “egg” parameters as files or (better) output events with the contained timestamps (if “Provide by-catch timestamps from various sources as events” is checked).
Better Avoids false positives When carving files with support NTFS compression enabled.
Improved Windows Account Administration section in the registry report.
Supports a new PST / OST data storage method as used in Outlook 2013.
Some improvements for file type verification.
Ability to extract alternative names and timestamps from Linux PNG thumbnails axis known from Ubuntu and Kubuntu distributions, desktop manager MATE and Gnome Thumbnail Factory constantly metadata extraction. The name of the original file is shown in square brackets in the Name column and the recorded timestamp of the original file is shown as a “Content created” timestamp. The complete path of the original file can be seen in the Metadata column.
Fixed Inability to Evaluate equations in templates depending on notation settings.
Containers of the old format (from more than 3 years ago) can no longer be created or Further filled, but can still be used in cases as evidence objects.
More Thorough extraction of embedded files in PE executables (not done by default, only if Addressed through the file mask).
Separate “Append type shaft extension if newly identified” checkbox for “Use associated program for viewing.” Allows to more easily get Windows to run the right program for misnamed files, files without extension, etc.
Ability to import hash sets in the current JSON / OData format layout as used by Project Vic and found in this Hubstream Inbox.
Option to show results of the file header signature search axis shield objects or existing files, not in the directory for carved files, if theywere found Within These otherfiles.
Ability to toggle visibility Purely column with the mouse, by Clicking the column labels in Options | Directory Browser.
Option to create automatic report table associations for files thathave leg added to an evidence file container.
When creating two copies of an image at the sametime, ability to automatically verify whether bone healing them.
Option to maintain two separate hash databases at the same time, based on the same type or different hash hash types. Useful for example if you receive hash sets from different sources based on different hash types (eg, some with and some with MD5, SHA-1 values) and wish to use them simultaneously, or if you have one large hash database for general use That You Share with colleagues and wish to quickly create temporary case-specific hash sets yourself without alte ring the main hash database.
When creating a hash set yourself, you can choose to hash database-which it Should be added. That can be file hash database # 1 or # 2 file hash database or the block hash database.
When managing the hash databases, you can switch from file hash database # 1 to # 2 and back, and from # 1 ook to the block hash database as in previous versions.
The ability to import an entire folder or hash sets HAS BEEN dropped. You can still import multiple selected hash sets in the same directory at once.
Ability to compute hash values ​​of two different types of hash at the sametime When refining the volume snapshot, for General Purposes or to match them against two hash databases with different hash types. If matching is selected, all hash values ​​will be matched against any of the two hash databases Whose hash type fits. That Means even if the primary hash type in the volume snapshot is MD5 and the secondary is SHA-1 hash database and # 1 is based on SHA-1 and # 2 based on MD5, X-Ways Forensics will match the hash values ​​accordingly . The hash types in the volume snapshot and hash in the database do not have to be in the same order.
Which hash value is displayed in the hash column can be changed in the Directory Browser Options dialog. Either the primary or the secondary hash value hash value or bone healing at the same time (if the box is half checked). The Hash column filter is applied to the hash type (s) thats / hört are displayed. Which hash type (s) is / are displayed in the hash column can be seen in the column header.
The Hash Set column shows known Played for bone healing hash databases simultaneously. The filter can be used to filter for selected hash sets or one of the databases at a time. The database hash sets to choose from can be selected in the filter dialog.
The Hash Category column shows only one category. If you assign the hash value of a file in one certainement hash database to one category and the hash value of the same file in the other hash database to the other category, you will be warned once and consistently matching’ve given exact information about-which hash value in-which-which sets hash hash databases are conflicting. The categorization as “notable” will prevail when in doubt.
Ability to Decide Where the second hash database Should be stored. Useful for example if the primary hash database is shared with other users on a network drive and the user wishes to create or import new hash sets, upkeep for temporary use only or while the primary hash database is locked by other users, to a locally stored second database.
Additional functionality can now be invoked from within X-Ways Forensics, the PhotoDNA algorithm, until further notice. Reasons for licensing it is made available separately, and provided by X-Ways itself only to law enforcement agencies. (If your e-mail address hasnt leg automatically registered yet, You May Go here .) It May Be used to preventDefault the spread of child sexual abuse content and targeted for investigations to stop notes distribution and possesion.
For details about PhotoDNA please see this and this .
If the PhotoDNA functionality is present, a 4th (!) Database with PhotoDNA hash values ​​or photos can be created and maintained Within X-Ways Forensics, and photos May be matched against That hash database in X-Ways Forensics and X-Ways Investigator to identify known incriminating content. Because of the robustness of the hash algorithm and notes specialization in photos, it is Usually possible to Recognize photos as if theyhave bone stored in a different file format, experienced lossy compression Repeatedly (eg JPEG), resized, Partially blurred / pixelated, color -adjusted or contrast-adjusted etc. Unlike hash values ​​computed by conventional general purpose algorithms, PhotoDNA hashes are resistant to various image Such Alterations.
Law enforcement agencies May want to create and share their Own Such collections or hash values, or import an extensiveness Existing collection from Project Vic . You can import the ook PhotoDNA hash databases or other X-Ways users, You May delete hash categories That You do not need any more, and You May merge or rename categories in your database. When Importing someone else’s hash database Their categories of the same name will be merged with yours. X-Ways Forensics will attempt to deduplicate hash values ​​or similar photos When adding hash values ​​to the database.
Hash values ​​can be added to the database for pictures in the volume snapshot or an evidence object in the same way as conventional hash sets are added to a conventional hash database. The database is now one of the four databases That can be managed with the Tools | Hash Database command. The PhotoDNA hash database is stored in a directory next to hash database # 1.
Matching is part of “picture analysis and processing” in Specialist | Refine Volume Snapshot. If you select more strict matching (allow less variation in an image), the process can be noticeably faster in huge databases. Any resul ting matches can be seen in the combined and filtered% SC / pDNA column. Photos that are already recognized by PhotoDNA are not Additionally checked for the amount of skin tones.
When printing long paths on the cover page or at the top of the first page, Such paths are now broken into multiple lines as if They do not containerization any spaces.
Skintone computation slightly accelerated for high resolution photos.
Option to Recognize known photos via PhotoDNA as if They Are mirrored (flipped horizontally).
Ability to view loaded modules above the 4GB barrier in 64-bit processes with Tools | Open Memory and read and edit memory in Such address ranges. Unicode support for process and module names and paths in the memory editor. Page boundaries are Represented by horizontal lines. Boundaries That represents gaps between contiguous regions are Allocated Represented by darker horizontal lines. The Info pane now shows more information zoals the maximum Represented address and the number of allocation gaps (= number of contiguous ranges Allocated page-1) as well as protection status and type of the Currently displayed page. Several other minor improvements for the memory editor. Please note That you need the 64-bit edition to Properly deal with 64-bit processes.
New X-Tension functioned XWF_GetRasterImage. Provides a standardized true-color raster image representation for any picture file type that’s supported internally in X-Ways Forensics (eg JPEG, POISON, PNG, …), with 24 bits per pixel, with some powerful options.
Filetype verification revised. File carving for Outlook for Mac 2011 improved.
Option to Specify a user-defined timeout in milliseconds for loading pictures with the internal graphics viewing library in Options | Viewer Programs.
Support for a variant or FAT12 and FAT16 file systems with unusual directory entries.
Modified unexpected behavior of the option “Full path for sorting parent objects”.
When filling evidence file containers or the old format with v17.8 and v17.9 (Usually a hidden option), parent directories were included more than once. That was fixed.
An exception error was fixed That Could Occur When using X-Ways Forensics without a second file hash database.


In: Technology & Gadgets Asked By: [15484 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »