WinHex is niet alleen een universele hex-editor, maar is ook in staat om low-level dataprocessing toe te passen via een makkelijke interface. Het programma beschikt onder andere over een RAM-editor, een Data Interpreter en een Disk-editor, en kan dus worden gebruikt om verwijderde informatie terug te halen en om bestanden te inspecteren. Versie 12.7 is sinds kort beschikbaar met de volgende veranderingen:
- Recursively explored directories are now specially flagged in the directory tree. A simple right click in the directory tree is now sufficient to explore a directory recursively (formerly: right click and context menu item).
- Directories whose contents are either fully or partially tagged are now specially flagged in the directory tree as well. The middle mouse button can now be used in the directory tree to tag or untag directories.
- Support for the file systems UFS and UFS2, both in big-endian and little-endian variants.
- The Refine Volume Snapshot command now features the statistical entropy test for the detection of fully encrypted files as known from the now obsolete Create Drive Contents Table command, plus a new file format specific encryption/ password protection test for PDF documents and MS Office documents such as MS Word 4...2003, MS Excel 2...2003, MS PowerPoint 97-2003, and MS Project 98-2003.
- The Details Panel is now integrated into a data window, more exactly into the data (or sectors) area in a data window. The benefit is that more screen space is available horizontally for the directory browser, gallery mode, preview mode, calendar mode, and the status bar.
- Certain search operations (without GREP, in particular with several keywords, case insensitive) are now considerably faster.
- Evidence file containers can now optionally include disk/image names as the first directory level, so that for multiple sources it is still obvious where files originate from when reviewing the containers.
- It is now possible to mix files with UNIX-styled permissions and files with DOS/Windows-styled attributes in the same evidence file container. Both will be displayed correctly in X-Ways Forensics.
- In volume snapshots taken by v12.7 and later, there will be a fictitiuous directory "Path unknown" instead of "Deleted Items". That's because a dedicated overview of deleted items is already available in recursive views with the dynamic filter. The only need for such a special directory is now to accomodate lost/ deleted files whose path is unknown, i.e. which are orphaned or were only discovered based on their header signatures.
- Ability to preview disks without temporary files being written anywhere on the system. For that purpose you can set the folder for temporary files and the folder for cases to a directory on the CD from which you are running X-Ways Forensics (e.g. simply "."). X-Ways Forensics will still allow you to create the case and work with it, just won't be able to save it. Remember, you do not need to "install" X-Ways Forensics before running it.
- The drive letter that contains the folder for image files is now officially considered a legitimate output folder in X-Ways Forensics.
- Ability to add file slack to evidence file containers specifically. Hold the Shift key when invoking the menu command to add a file. (since 12.6 SR-1)
- Optional faster slim volume snapshot without cluster allocation scan now available for all file systems (Safety & Security Options). Useful e.g. when previewing a live system and having temporary and snapshot files written to one's own USB stick where only USB 1.1 speed is available. (since v12.6 SR-4)
- Ability to select an internally assembled RAID 0 as a source disk in the Disk Cloning dialog window. (since v12.6 SR-7)
- In additional to the "reduced" user interface, there is now an optional "forensic lite" user interface, meant for investigators in law enforcement
The "forensic lite" interface lacks _many_ advanced technical features on the outside, to allow for easier access to non-technical personnel. Forensic licenses that _only_ allow to use the "forensic lite" interface are available at 50% the regular rate, on request.
- who are specialized in areas e.g. such as white-collar crime, corruption, tax fraud, etc.
- who do not need profound knowledge of computer forensics
- who do not need technical insights that WinHex and XWF are well-known to provide as a by-product
- who receive e.g. convenient-to-handle X-Ways evidence file containers from well-versed computer forensics examiners with only selected files from various sources (e.g. "all documents that contain the keywords x and y"), with obviously irrelevant stuff already filtered out
- who need to review hundreds of electronic documents, identify relevant ones, add comments to them, identify logical structures and connections between them with the help of their comments, and print documents, all with a few mouse clicks within the same environment, which saves the time to extract and load each document in its associated application
- Several other minor improvements and error corrections.