X-Ways Software Technology heeft versie 16.8 van WinHex uitgebracht. WinHex is niet alleen een universele hex-editor, maar is ook in staat om low-level-dataprocessing toe te passen via een gemakkelijke interface. Het programma beschikt onder meer over een ram-editor, een data-interpreter en een disk-editor, en kan bijvoorbeeld worden gebruikt om verwijderde informatie terug te halen of om bestanden te inspecteren. WinHex werkt op alle Windows-versies vanaf Windows 2000 en is verkrijgbaar in verschillende versies, met prijzen vanaf ongeveer veertig euro. In deze release zijn de volgende veranderingen en verbeteringen doorgevoerd:
- Ability to extract e-mails and indexed files from Windows.edb files. Requires Windows Vista or 7.
- XML is now supported as a new output format for the Export List command. The way how the Metadata column is processed, which may contain many more separate fields, will still be improved.
- File type identification and file size detection supported for Chrome session files, which are identified in the Type column as "snss". These files store information about opened tabs, their histories and visited web sites.
- Revised internal algorithm and automatic length detection for carving JPEG files. This new algorithm also improves intelligent naming of carved JPEG files in that certain JPEG files can be given an original name as found in Photoshop metadata. Also the quality of uncovering JPEG pictures that are embedded in other files is greatly improved.
- The generator signatures of JPEG files are now output in Details mode. These signatures reveal the creating software and are available even if other metadata is removed. For JPEG files with ordinary metadata they can be used for corroboration.
- Ability to view certain misformed JPEG pictures with a lagging header signature in Gallery and Preview mode.
- HTML previews and views of index.dat Internet Explorer browser cache/history files now contain an extra column with the offset of the record where the data of each row has been found. This offset is presented as a link. If you click it, you will automatically navigate to that offset in the corresponding index.dat file in File mode so that it is convenient to verify the information that X-Ways Forensics has extracted from the record at that location. (Note that this works correctly only if the link is not broken into 2 lines, which may happen in v8.4 of the viewer component, but not in v8.3.7. Anyway you can still navigate to that offset manually.)
- By default now uses the viewer component to view and preview .mdb MS Access database files.
- Accelerated .e01 evidence file creation.
- Ability to compute two hash values simultaneously when creating disk images.
- Revised chunk CRC definition in encrypted .e01 evidence files.
- Containers of the new format no longer need to be optimized for a certain number of files and now have a fixed limit of around 1 billion objects that they can hold.
- Improved XML export of selected individual metadata fields in the Metadata column.
- When aborting the disk imaging process, X-Ways Forensics now at least finalizes the .e01 evidence file format to guarantee a valid file even though it is not a complete image. Useful for example in an emergency situation when imaging media on site, because a usable incomplete image is better than an unusable corrupt image. If hashing was enabled, incomplete images even have a hash value that can later be verified manually, to show that the available data in the image has not changed.
- Slightly improved compression ratio for the slow strong compression option (but still does not usually justify the additional time needed).
- Ability to adjust the compression option while .e01 evidence files are being created. Useful if your priorities (higher compression rate or higher speed) change, for example when you see that drive space suddenly seems scarce or you have to finish the process quicker than previously thought. Also useful to experiment, when not sure which compression option might be best for a particular system configuration (e.g. when on site and having to write the image to an external hard disk via USB, where I/O is slow and the overall process may be faster with compression than without).
- Support for Virtual PC snapshots/differencing VHD image files.
- Internal type detection of Apple iWork Pages and Numbers files, and special treatment of iWork documents during volume snapshot refinement and logical searches (recommended data reduction option).
- Ability to detect file format specific encryption of various MS Office 2007 and 2010 file types as part of volume snapshot refinement.
- Ability to view and preview MacOS X finder bookmarks (flnk).
- New clipboard output option of the Export List command.
- New file header signature definitions added.
- Fixed two rare exception errors in Registry Viewer.
- Ability to enter timestamps in the timestamp column filter dialog based on an arbitrary time zone. In previous versions the timestamps had to be specified in UTC.
- Blank lines entered as simultaneous search keywords or substrings for the filters Name, Path, Parent name or Child objects are now silently ignored and filtered out for the next use of the same function.
- In the Report table column, if a file is associated with multiple report tables, their names are now listed exactly in the order as the report tables are defined. (In earlier versions the order was not deterministic.) You can change that order in any dialog window that deals with report tables, and for example sort report tables alphabetically or by importance or topic.
- When changing the order of report tables, an entire selected group of report tables can now be moved up or down at the same time, which for example makes it easy to move all internally created report tables to the bottom of the list below your own report tables in a single step.
- When 2 search terms are selected in the search term list and combined with a logical AND (using either of the two available methods), additionally you can now require that search hits must be "near" to each other to be listed, to find more likely relevant combinations of both search terms in the same file, exactly like with a proximity search. The maximum distance between the search hits that constitutes "near" can be defined by the user in bytes.
- The new disk imaging engine of v16.8 caused errors on systems with more than 8 reported processor cores. That was fixed.
- Ability to collect Internet Explorer history and browser cache records that are floating around in free drive space or file slack in a virtual single file named "index.dat" as part of the file header signature search. The URL records collected cluster-wise. An HTML preview of the resulting "artificial" raw index.dat file can be created automatically as part of metadata extraction just as for natural index.dat files. The offsets in that preview refer to the index.dat file. To locate the corresponding offset in the volume and see the actual basis for the interpretation in the HTML file, simply switch from the index.dat in File mode to Partition/Volume mode.
- Ability to populate the columns Sender, Recipient and Int. Creation for .olk14MsgSource e-mail messages when extracting metadata just as for original .eml files. (Attachments are extracted from .olk14MsgSource already since v16.3.)
- Ability to view search hits in UTF-16 Big Endian. UTF-16 Big Endian is common for example in the Apple Mac world, for filenames in the file systems Joliet and UDF, and in Java.
- The number of notable search hits is now displayed in parentheses in the search term window.
- Ability to open files in an external program that you select ad hoc, via the directory browser context menu, Viewer Programs submenu. The program that you select will be saved as standard custom viewer program if you have not used all slots for external viewer programs yet, and then also remembered for next time when you invoke the same menu command.
- Ability to unselect all file types in the Type filter with a single mouse click.
- Ability to automatically decompress hiberfil.sys files as part of volume snapshot refinements and add them to the case as evidence objects because they can be treated like memory dumps. You can find this new feature in the newly named multi-purpose Swiss army knife refinement option "Uncover embedded data in miscellaneous file types".
- Optional alternative e-mail representation in Preview mode (see directory browser options) and in the case report. The latter allows you nicely view e-mails in the report, without invoking external programs.
- To see the decoded text that the viewer component can extract from a document for the logical search/indexing or that it has extracted already, you may hold the Shift key while clicking the Raw button in Preview mode.
- Ability to view carved TCP and UDP packets in Preview mode instead of Details mode.
- Support for shared analysis work and distributed volume snapshot refinement in the same case. Use this feature
Each user/computer opens the same .xfc case file (the same copy on the same computer). All participating users/computers or all except for one (the master session) have to open the case as partially read-only, i.e. only allowing for distributed analysis work/volume snapshot refinement. This can be done by selecting View mode in the Open Case dialog window, or you will be prompted automatically when opening the case if the case if already open in another session as not read-only (i.e. in the master session). When completed, the results (the refined volume snapshot, comments, report table associations, search hits, tag marks, etc.) will be visible when opening the evidence object in the master session next time, and a notice about successful synchronization appears in the Messages window. If two users try to open the same evidence object as not read-only at the same time, the second one will be warned and advised to open it as read-only to avoid conflicts. Only one user may change the volume snapshot of an evidence object at a time.
- when several examiners are available to deal with a large case, to review different evidence objects with multiple machines on the same network or with separate accounts on a terminal server, simultaneously
- to refine the volume snapshots of different evidence objects with multiple machines on the same network, simultaneously.
- Ability to specifically open individual evidence objects (not the entire case) with the volume snapshot treated as read-only, using a dedicated command in the evidence object context menu in the Case Data window. Just as with the option to open a case as read-only, this is useful for cooperative work, if you know your colleagues may want to open the same case (the same copy) and the same evidence object and if you wish to let them makes changes in that evidence object's volume snapshot, but keep control of the case as such (i.e. run the master session). Again, that has nothing to do with how the evidence object itself (the disk or the image) is treated. X-Ways Forensics never alters data in sectors of disks or interpreted images files when opening them as evidence object. Only the volume snapshot, i.e. the database with information about all the files and directories found, is either read-only or (and that is the normal situation) changeable.
- X-Tension API function XWF_GetHashValue implemented and XWF_GetSize officially available now.
- Improved support for Windows Task Scheduler (file header signature database and registry report).
- Interpretation of file allocation table entries in exFAT file systems in the Info Pane. Brackets indicate that the displayed information is not actually retrieved from the file allocation table (but from other sources) and that the entry where the cursor is located is actually unused.
- File header signature search: Rough file size detection for .olk14MsgSource e-mail message files.
|09:27||Apple iTunes 11.0|