WinHex is not only a universal hex editor; it can also perform low-level data processing through an easy-to-use interface. The program includes, among other things, a RAM editor, a Data Interpreter and a disk editor, so it can be used to recover deleted information and to inspect files. Version 12.8 was recently released with the following changes:
Version 12.8 beta 7:
- Fixed the calendar view and made it comply with the new time zone concept.
Version 12.8 beta 6:
- Backspace exception error fixed.
- Error in timezone conversion fixed.
Version 12.8 beta 5:
- Fixed an error that prevented the use of "Synchronize & Compare" with interpreted evidence files.
- Time zone concept.
Version 12.8 beta 4:
- The selection statistics now distinguish between files and directories, and they respect filters. More horizontal space for the selection statistics if the Details Panel is displayed on the right-hand side.
Version 12.8 beta 3:
- Unless already in a recursive view and directories are output, the selection statistics now work recursively. That means, when you select a directory in the directory browser, all items in that directory and all its subdirectories are counted, plus the total size of all these items is displayed.
- Knowing the total recursive size of the selection, X-Ways Forensics now displays the overall progress in the progress indicator window when searching logically.
Version 12.8 beta 2:
- Improvements and fixes in HFS support.
- Exception during File Recovery by Type at byte level fixed.
- MFT auto coloring feature available (see General Options). Automatically highlights the elements of NTFS FILE records. (specialist and forensic licenses only)
- When refining the volume snapshot, there is now the ability to search for files by header signature in used drive space in addition to free space.
- Files found with the aforementioned method are included in the volume snapshot only if no other file in the snapshot already starts at the same cluster or if they are not aligned at cluster boundaries. That means that volume snapshots newly created by v12.8 Beta 3 and later will list fewer duplicates.
- Ability to carve out files with the Ext2/Ext3 block logic that exceed the size of available main memory.
- Ability to export file lists from the directory browser to a tab-delimited text file even for volumes that are not associated as evidence objects or when not working with a case, as a substitute for the Create Drive/Directory Contents Table command.
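
The inclusion rule for files found by header signature (see the two items above on searching used drive space) can be sketched as follows. This is an added example, not X-Ways code; the cluster size, the signature table and the sample image are constructed for illustration.

```python
CLUSTER = 4096  # assumed cluster size in bytes

# Small constructed signature table (file type -> header bytes)
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

def find_headers(image):
    """Return sorted (offset, type) for every signature hit, scanning at byte level."""
    hits = []
    for ftype, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, ftype))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def refine_snapshot(image, known_start_clusters):
    """Keep a carved hit if it is not cluster-aligned, or if no file
    already in the snapshot starts at the same cluster."""
    added, skipped = [], []
    for offset, ftype in find_headers(image):
        aligned = offset % CLUSTER == 0
        if aligned and offset // CLUSTER in known_start_clusters:
            skipped.append((offset, ftype))   # duplicate of a listed file
        else:
            added.append((offset, ftype))
    return added, skipped

def build_sample_image():
    """Constructed 4-cluster image with three headers."""
    img = bytearray(CLUSTER * 4)
    img[0:3] = SIGNATURES["jpg"]                    # cluster 0: file already in snapshot
    img[CLUSTER:CLUSTER + 8] = SIGNATURES["png"]    # cluster 1: aligned, not in snapshot
    off = 2 * CLUSTER + 512
    img[off:off + 5] = SIGNATURES["pdf"]            # unaligned, embedded in another file
    return bytes(img)

if __name__ == "__main__":
    added, skipped = refine_snapshot(build_sample_image(), {0, 2})
    print("added:", added)
    print("skipped as duplicates:", skipped)
```
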
Version 12.8 beta 1:
- Improvements in HFS support.
- When hiding duplicate files based on identical hash values, a comment is now left with both duplicate items so you can later easily locate the respective other item if necessary, e.g. when you later find out that these items are relevant and need to know the name, path or timestamps of the hidden duplicate.
- When searching logically in a recursive view in the case root window, it is now possible to output search hit lists.
- Fewer deleted garbage files in "Path unknown" on Ext3 volumes.
- In the directory browser you can now press the Backspace key to move to the parent directory.
- When searching logically and outputting the results as a table of files with hits, the progress indicator window now keeps you updated on the total number of files added to that table.
- Fixes and improvements added with v12.7 SR-6.
Version 12.8 debug:
- Failure of original preview version to correctly read Windows NT 4.0 and Windows 2000 NTFS volumes fixed.
- Some more errors from original preview version fixed.
- Handling of incomplete .e01 evidence files improved.
- Fixes and improvements added with v12.7 SR-4.
- Support for the HFS file system.
- WinHex can now often display the context of search hits for which no physical offset is known (e.g. because the hit is in an NTFS-compressed file).
- The internal ID that files and directories have in the internal volume snapshot can now be seen in an optional column in the directory browser. Sorting by that internal ID can help you easily identify those files that have been added last to a volume snapshot when you use Specialist | Refine Volume Snapshot.
- While it is not possible to remove files or directories from an evidence file container, you can now belatedly suppress items (e.g. if they were added accidentally). This is how: Open the container and interpret it like a regular image file, hide the items, and then deactivate them with the Specialist | Evidence File Container menu. Unlike hiding, this is a permanent change in the container. Again, this operation does not physically remove items from a container.
- The volume slack (an area on a partition that was formerly called logical surplus sectors in WinHex) is now easily viewable and searchable in newly created volume snapshots as another fictitious file in the root directory.
- On NTFS volumes, the MFT's bitmap is now easily viewable in newly created volume snapshots as another system file stream in the root directory. In that bitmap you can see which FILE records are marked as in use and which ones are unused.
- Improvements in UFS file system support.
- Support for NTFS volumes with extreme $MFT fragmentation improved.
- The mouse wheel now generally scrolls in the window that the mouse cursor currently hovers over, not the window that is active (i.e. has the input focus). The mouse wheel now also works in templates.
- Statistics on total number of items and number of tagged and hidden items in a volume snapshot, available in the Refine Volume Snapshot dialog window. Ability to hide all tagged files on a volume with a single command in the directory browser context menu, in addition to "Hide all untagged items".
- Fictitious items are now counted as files or directories in the directory browser header line.
- Free space and slack space are now highlighted in two different colors.
- Several other minor improvements.
- The Create Drive Contents Table command has been removed from the menu, but before it will be fully removed, it is still available via the Shift+F10 keyboard shortcut. The Create Drive Contents Table command has been superseded by the volume snapshot concept in conjunction with dynamic filters.
- It is now possible to recursively explore the evidence object overview at the case root level, that is, list all files in all subdirectories in all evidence objects in a convenient flat view, based on the dynamic filter settings.
- X-Ways Forensics can now internally re-assemble hardware RAID level 5 systems in addition to level 0. One of the RAID component disks is redundant and can be declared missing if not available. The supported striping/parity patterns are:
  - backward parity (Adaptec)
  - backward parity dynamic (AMI)
  - backward parity delayed (Compaq/HP)
  - forward parity
- If a RAID system has been added to a case as an evidence object, it is now easier to replace an image file that is part of that RAID system if its name or location has changed.
- Some processes previously hidden from the RAM editor are now listed.
- It is now possible to fill evidence file containers indirectly. That means, files are copied to the folder for temporary files first, and only then from there to the container. This enables resident antivirus software to check these files and prevent X-Ways Forensics from adding them to the container in case they are infected. An evidence file container filled that way can be reasonably moved to and examined in an environment with a higher sensitivity. (see Security Options)
- Ability to selectively include certain columns of a report table in the case report. (see Case Properties)
- Compatibility with overlong file paths further improved.
- The original version 12.7 incorrectly auto-detected raw images of physical disks as images of individual partitions.
- For reasons of convenience, the Data Interpreter is now hidden in Preview mode, Gallery mode, Calendar mode, and Legend mode (i.e. when not associated with any visible binary data anyway).
- The edit mode specified with the second parameter of the WinHex API function WHX_OpenEx was ignored by WinHex. This was fixed.
- Search hits in deleted files are now listed with a gray filename and path to make it more obvious that the link between the data in the cluster and the deleted file is weak.
- Files within deleted archives are now always listed as deleted as well.
- An error was fixed that could occur under certain conditions when searching files or disks larger than 2 GB. Among the symptoms were negative search hit offsets and instability.
- When creating bookmarks based on a block selection, the suggested description is now a more complete text excerpt from the block, filtered in the same way as the rudimentary ASCII preview, ignoring null characters and various non-printable characters. That way you can easily create bookmarks around relevant search hits including the context.
- The file mode/permissions in Linux/UNIX file systems are now displayed more completely and include SGID, sticky bit, character device and block device.
- Files identified as notable by the hash database are now highlighted in red.
- Auto-detected existing and deleted partitions can now optionally be sorted and numbered based on their location on the disk, see General Options.
- When reviewing search hit lists with Preview mode enabled, the separate viewer component's preview now highlights the first occurrence of the search term in that document automatically. This is not necessarily the search hit selected in the list. The search can be continued with F3 in that document.
- Several other minor improvements and error corrections.
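
The RAID 5 item above states that one component disk is redundant and can be declared missing. The following added example (not X-Ways code) shows why: the missing disk is the XOR of the remaining ones, after which the stripes can be reassembled. The stripe size and the parity rotation used here are assumptions chosen for the example and are not claimed to match any of the vendor patterns listed.

```python
from functools import reduce

STRIPE = 4  # constructed stripe size in bytes (real arrays use far larger stripes)

def xor_blocks(blocks):
    """XOR equal-length byte strings together."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def parity_disk(row, n):
    """Assumed rotation: parity starts on the last disk and moves toward disk 0."""
    return (n - 1 - row) % n

def build_array(data, n):
    """Stripe data over n disks with rotating parity (constructed test array)."""
    disks = [bytearray() for _ in range(n)]
    chunks = [data[i:i + STRIPE].ljust(STRIPE, b"\0")
              for i in range(0, len(data), STRIPE)]
    for row in range(-(-len(chunks) // (n - 1))):
        row_chunks = chunks[row * (n - 1):(row + 1) * (n - 1)]
        row_chunks += [bytes(STRIPE)] * (n - 1 - len(row_chunks))
        p = parity_disk(row, n)
        for d, c in zip([d for d in range(n) if d != p], row_chunks):
            disks[d] += c
        disks[p] += xor_blocks(row_chunks)
    return [bytes(d) for d in disks]

def reassemble(disks, length):
    """Rebuild the logical data; a disk passed as None is declared missing
    and is recomputed as the XOR of all other disks."""
    n = len(disks)
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 tolerates only one missing disk")
    disks = list(disks)
    if missing:
        disks[missing[0]] = xor_blocks([d for d in disks if d is not None])
    out = bytearray()
    for row in range(len(disks[0]) // STRIPE):
        p = parity_disk(row, n)
        for d in range(n):
            if d != p:                      # skip the parity stripe of this row
                out += disks[d][row * STRIPE:(row + 1) * STRIPE]
    return bytes(out[:length])

if __name__ == "__main__":
    data = b"EVIDENCE-IMAGE-SECTOR-DATA"    # constructed sample payload
    d0, d1, d2 = build_array(data, 3)
    print(reassemble([d0, None, d2], len(data)))
```
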