X-Ways Software Technology has released version 17.6 of WinHex. WinHex is not only a universal hex editor, but is also capable of low-level data processing through an easy interface. The program includes a RAM editor, a data interpreter and a disk editor, and may be used to retrieve deleted information or to inspect files. WinHex works on all Windows versions from Windows XP onward and is available in different versions, with prices from about forty dollars to over a thousand euros for the most comprehensive version. This release contains the following changes and improvements:
Ability to immediately verify newly created images.
Ability to convert raw images to .E01 evidence files or vice versa (after opening and interpreting the existing images).
Ability to open ordinary binary files in X-Ways Imager.
Ability to copy selected sectors or byte ranges from ordinary files, images or disks into the clipboard or into new files.
Ability to navigate to specific sector numbers.
Metadata extraction from IconCache.db files, an important Windows artifact that can help to prove the execution of programs, for example in malware investigations.
Ability to reconstruct e-mail messages from the Livecomm.edb database, which is used by the Windows Mail client (Windows 7 and newer), as part of the “uncover embedded data” operation. Also extracts contact and account information.
Filetype detection and categorization updated.
X-Tensions API: A new function named XWF_AddEvent was introduced, which allows adding events to the event hit list of an evidence object. XT_Prepare and XT_Finalize now receive a handle to the evidence object that the X-Tension is applied to.
The old indexing engine was removed.
User interface of the search term list slightly updated. Better readable font and more economical use of space. To focus on notable search hits please remember you can use the Descr. column filter.
X-Tension API: Ability to expand the file viewing capabilities of X-Ways Forensics, X-Ways Investigator, and X-Ways Investigator CTR by integrating so-called Viewer X-Tensions. Such X-Tensions provide special views of any supported file type by responding to calls of an XT_View function that they have to export. For details please see http://www.x-ways.net/forensics/x-tensions/api.html. Users can load Viewer X-Tensions in the Options | Viewer Programs dialog.
X-Tension API: New functions available: XWF_GetEvObjProp, XWF_OpenEvObj, XWF_CloseEvObj, XWF_GetFirstEvObj, XWF_GetNextEvObj, XWF_UpdateDirBrowser. 4 new flags for XWF_GetItemInformation and XWF_SetItemInformation introduced: XWF_ITEM_INFO_FLAG_FILEARCHIVEEXPLORED, XWF_ITEM_INFO_FLAG_EMAILARCHIVEORVIDEOPROCESSED, XWF_ITEM_INFO_FLAG_EMBEDDEDDATAUNCOVERED, and XWF_ITEM_INFO_FLAG_METADATAEXTRACTED. For details please see http://www.x-ways.net/forensics/x-tensions/api.html.
The Delphi API definitions and a demo X-Tension have been updated with some of the new functionality.
A new investigator.ini option +52 prevents the use of Viewer X-Tensions, for example for security reasons. Remember that X-Tensions are Windows DLLs, which can do potentially harmful things to your system.
Ability to uncover embedded pictures from the caches of Google’s Picasa 3 image organizer and viewer software (thumbindex.db and related files).
Ability to manually enter the Recover / Copy output path by clicking a new “…” button in the dialog window, in the same line where the path is displayed. Useful if you wish to specify a network location that Windows does not automatically list.
New metadata extraction feature, which allows restoring original file system metadata (such as filename, timestamp) when found in certain types of files, such as $I* recycle bin files and iPhone mobile sync backup indexes (Manifest.mbdx). Original filenames are much more meaningful than random names that are typically assigned just to guarantee uniqueness in a single directory for backup purposes. Examples of such random names are 3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae (for a file in an iPhone backup) or $RAE2PBF.jpg (Windows recycle bin). Support for more file types will follow. The current filename according to the file system can still be seen in square brackets in the Name column, as well as in Details mode, and the Name filter will find both the original and the current name, so that the current filename is not completely lost.
Event extraction from Picasa 3.
Filetype verification updated.
New menu command Tools | File Tools | Replicate Directory. This command copies a directory with all its files and subdirectories, recursively, and recreates individually NTFS-compressed source files as NTFS-compressed in the respective output folder if supported by the destination file system and any layer in between. The command does not retroactively compress such files after their creation, but writes them immediately as compressed, which is more efficient. However, it still has to copy / send the decompressed amount of data of the source file. Select the source directory first, then specify / create the destination directory. This function is useful, for example, if you wish to copy or move a case directory which contains a few NTFS-compressed files that would be inefficient to store as uncompressed. Note that alternatively you can open a case and use the Save As command in the Case Data window for the same effect.
Ability to extract embedded files from Photoshop thumbnail caches (Adobe Bridge Cache.bc), Canon ZoomBrowser thumbnail collections (.info), and Paint Shop Pro caches (.jbf).
Filetype verification updated.
The search term list can now be sorted alphabetically by search terms in ascending order or listed by the search hit count in descending order, using the context menu of the search term list, to make it easier to locate a certain search term in lengthy lists.
Certain kinds of files with child objects, such as e-mail archives, are now included in the directory tree in the Case Data window, along with their subdirectories.
You can make Raw preview mode persistent by holding the Shift key when activating Raw mode.
The hash database of block hash values is now no longer expected in a subdirectory of the directory with the regular hash database, but in a directory at the same level, with the same base name plus “[block hash values]” appended.
Support for Mac Absolute Time in the Data Interpreter.
The Data Interpreter is now able to interpret UNIX / C, Java / BlackBerry / Android and Mac Absolute timestamps stored as decimal ASCII text instead of binary. You will find a context menu item for that as well as a checkbox in the options dialog.
The Data Interpreter now optionally translates timestamps of all formats except MS-DOS date and time to local time (the time zone defined in the General Options). You will find a context menu item for that as well as a checkbox in the options dialog.
Ability to convert so-called Nandroid backup files of the NAND flash memory of Android devices to regular raw images via Edit | Convert.
Increased capacity for large cases.
More complete output of serial numbers of USB devices.
New date type “MacAbsTime” supported in templates.
New modifier “local” supported for timestamps in templates. Causes X-Ways Forensics to convert timestamps (except DOSDateTime) to the time zone specified in the General Options.
Extraction of forensically valuable metadata from PhotoShop PSD and INDD (Adobe InDesign) files.
Internal file carving algorithms for INDD, Bridge cache and Picasa3 index files implemented.
Improved support for Magix Photo Manager cache .mxc2 and .mxc3 and other files.
Ability to see model and serial numbers of physical media without administrator rights.
Ability to mark events as notable and filter for notable events through the Timestamp column.
Ability to unmark multiple selected search hits and events as notable, by holding the Shift key when invoking the “Mark as notable” context menu command.
It is now optional that the directory for images specified in the General Options is preselected for newly created images.
Option to always suggest opening a case with extended multi-user coordination in shared analysis mode. That mode can be useful even for the first of many simultaneous users of the case because only in that fashion are newly created report table associations shared with other simultaneous users regularly at intervals (depending on the case auto-save option).
Imports and shows newly created report table associations of other simultaneous users in shared analysis mode when re-opening an evidence object or case, when the auto-save interval elapses or when manually invoking the Save Case command. (In v17.5 this happened only when opening the case in normal, unlimited fashion.)
Unicode support for e-mail excerpt reconstruction from Thunderbird indexing databases.
Ability to uncover various potentially relevant resources in 32-bit and 64-bit Windows PE executables (programs and libraries) as child objects, in particular RCDATA, named objects, bitmaps, icons and manifests. Useful for example for malware analysis. This does not happen automatically, only if you specifically target executable files via a suitable series of file masks.
More metadata is now extracted from AVI video files, for example the codec and the IDIT creation timestamp or original filename, where available.
Metadata file carving and internal support for AMR voice recording files.
Hash database dialog window revised.
Ability to store additional custom definitions of file types and categories in a separate file named “File Type Categories User.txt”, which will be read and maintained in addition to the standard definitions in “File Type Categories.txt”, has the same structure, and is not overwritten by updates of the software if contained in the installation directory, so that you can easily continue to use it even when overwriting your installation with a new version.
The Replicate Directory command can now operate on overlong paths.
Support for even more deeply nested (recursively forwarded) email messages in OST / PST email archives.
Remains more responsive during file header signature searches and other volume snapshot refinement operations, and allows the use of several commands in the Case Data window’s context menu during various ongoing operations.
Displays the amount of free space on the output drive in the Create Disk Image dialog window.
Performance of uncovering thumbnails in large JPEG files improved.
New option to view files with a single click in the gallery instead of with a double click. Useful for example if you wish to view certain pictures on a separate monitor, where you do not have to close the view window to see the gallery again, when not viewing all pictures one after the other (for which the Page Up or Dn key is more efficient).
Improved ability to uncover thumbnails from Windows thumbcaches. The process is now faster and produces much less redundant thumbnails, especially for Windows 8 and 8.1 installations (only the highest resolution available for a set of thumbnails for the same picture). The new method is used when targeting thumbcache_idx.db files (which will in turn target the corresponding thumbcache*.db files) provided through the mask and not the thumbcache*.db files directly as in previous versions of X-Ways Forensics.
Structure of the technical details report for physical media slightly improved.
Supports certain .bmp graphics with larger headers.
Some other improvements in the internal graphics viewer.
Fixed an exception error that could occur when processing SQLite databases.
Some minor fixes for EDB processing.
Program help and user manual updated.