X-Ways Software Technology heeft versie 15.6 van WinHex uitgebracht. WinHex is niet alleen een universele hexeditor, maar is ook in staat om low-level dataprocessing toe te passen via een makkelijke interface. Het programma beschikt onder meer over een ram-editor, een data-interpreter en een disk-editor, en kan bijvoorbeeld worden gebruikt om verwijderde informatie terug te halen of om bestanden te inspecteren. WinHex werkt op alle Windows-versies vanaf Windows 2000 en is verkrijgbaar in vier verschillende versies, met prijzen vanaf veertig euro. In deze release zijn de volgende veranderingen en verbeteringen doorgevoerd:
- X-Ways Forensics can now identify the true sector count according to ATA on ATA/SATA hard disks where that failed (returned a question mark only) in previous versions. Useful to detect an attempt to limit the addressable capacity of a hard disk using an HPA (host-protected area) or DCO (device configuration overlay). (forensic license only)
- Whenever X-Ways Forensics checks for an HPA/DCO (that is when imaging a hard disk, when adding it to a case, or when creating a Technical Details Report for it) and actually detects one, it now offers to either temporarily or permanently deactivate the HPA/DCO and make the full official disk capacity accesssible, so that you can e.g. image the hard disk in its full size before it returns to its original state next time when it powers down. (forensic license only)
- The Technical Details Report can now retrieve the internal error count recorded by hard disks if available through the SMART interface.
- Better plausibility checks for deleted files in Ext* file systems.
- Representation of file system areas in certain Ext4 volumes corrected.
- The link reference (inode number) of a hard-link file in HFS+ is now shown in the Comments column. You can use the Comments filter to filter for a given inode number.
- Representation of the system files Attributes and Startup in the root directory of HFS+ volumes, if defined.
- Convenient display and deconstruction of the objects ID(s) of files stored in NTFS volumes in Details mode.
- Matches for multiple hash sets are now supported in the hash set column.
- Encryption/decprytion with AES accelerated on computers with multiple processor cores thanks to parallelization.
- Indexing and index optimization revised. They are now slightly faster, and are more efficient in memory utilization.
- Improved sorting performance for the columns for which sorting became slower with v15.4 (date columns, SC%, pixels, owner, hard-link count, ...).
- That .eml files are renamed to .txt when copying files off the image for inclusion in the report so that Internet Explorer can open them, is now optional, so that Firefox can send such files to Outlook Express.
- Pictures can now be optionally embedded directly in the HTML report as inline code, so that there is no need any more for separate files in the report subdirectory. Of course, this greatly increases the size of the HTML file.
- The folder for scripts is now also used as the folder for templates.
- That the general folder for images is preselected when adding images to the case is now optional.
- When importing a hash set, X-Ways Forensics automatically filters out duplicate hash values within that hash set. This has a big effect on the US NIST NSRL RDS database for example and reduces its size tremendously. If your hash database already contains hash sets with duplicates, those will be eliminated by v15.6 as well next time when you import any other hash set. Hash databases used by v15.6 and later cannot be opened any more by v15.1 or earlier.
- The Sender and Recipients columns are now populated for e-mail attachments, too, so that even when you focus on attachments you can immediately tell who sent that file to whom, and don't have to navigate to the parent e-mail message to find out (e.g. by pressing the Backspace key). You can also filter for attachments via Sender/Recipient.
- The Sender and Recipients fields are now copied into evidence file containers for e-mail messages extracted from PST/OST files without the MAPI method.
- Sorting many e-mail messages by Sender or Recipients was potentially very slow in earlier versions, except in v15.5 for e-mails extracted from PST/OST archives not via MAPI. Sorting by Sender or Recipients is now generally fast for e-mail extracted with v15.6.
- Sender and Recipients as well as an internal creation date are now extracted from original .eml files (i.e. .eml files not created by X-Ways Forensics when extracting e-mails from e-mail archives) when extracting internal metadata from such files.
- Fixed an error that could cause instability when using the Sender/Recipient filter.
- The Attribute filter for "e?" did not work for files that were marked as e-mail attachments. This was fixed.
- Ability to finalize/convert/encrypt evidence file container in X-Ways Investigator after filling them, just like in X-Ways Forensics. Useful for example when investigators need to forward identified incriminating files (e.g. CP) to other departments/agencies in an encrypted state. In order to not unnecessarily confuse users of X-Ways Investigator who don't need this ability, it can be disabled with the new switch +32 in investigator.ini.
- Option to always specifically run WinHex/X-Ways Forensics as administrator under Windows Vista/7 (see General Options).
- Option to automatically restart the program when a restart is necessary after changing certain settings.
- Ability to optionally store the key for already added AES-encrypted .e01 evidence files in the case file, so that you don't have to enter it over and over again when opening the evidence object. This is convenient, but 100% secure only if you protect your case files.
- Metadata extraction from HTML documents.
- Simple and quick plausibility check for internally reconstructed RAID 5 that warns you immediately after reconstruction if the parity does not match.
- A new directory browser option now controls whether files with child objects will be typically viewed or explored on a double-click. If the checkbox is half-checked, you will be prompted whenever double-clicking such a file. In earlier versions such a file was always explored, altough it might have been more intuitive to view it (think of a MS Office 2007 or OpenOffice document with XML files as child objects).
- Avoids a memory allocation error message when trying to open certain files with a size of 0 bytes on NTFS volumes.
|12:01||SlimBrowser 4.12 build 025|
|11:58||KDE Software Compilation 4.4.1|