X-Ways Software Technology heeft zojuist versie 12.9 van WinHex uitgebracht. WinHex is niet alleen een universele hex-editor, maar is ook in staat om low-level dataprocessing toe te passen via een makkelijke interface. Het programma beschikt onder andere over een RAM-editor, een Data Interpreter en een Disk-editor, en kan dus worden gebruikt om verwijderde informatie terug te halen en om bijvoorbeeld bestanden te inspecteren. Het changelog van deze release laat de volgende veranderingen zien:
- The directory browser is now directly based on volume snapshots. That means, items in report tables that are loaded are mandatorily matched against the volume snapshot, and any items that are not part of the volume snapshot cannot be listed in the directory browser. Since one abstraction layer of data has become obsolete that way, memory utilization per item has been reduced by more than 50%, which is measurable e.g. for a recursive listing of 100,000s items. Filling the directory browser with that many items is also even quicker now. (Loading large report tables with many thousand items is slow, though.)
- Fictitious file "Idle space", in newly created volume snapshots. Covers clusters that are marked as allocated, whose exact allocation, however, X-Ways Forensics could not determine, e.g. because these clusters were only previously allocated and then not properly freed in the file system.
- Additional fictitious files for Ext2/Ext3, ReiserFS, NTFS, FAT, and HFS+ in newly created volume snapshots. There is a brief description of most fictitious files in the program help chapter about the directory browser. The root directory itself is now listed as a special searchable directory for several file systems.
- The contents of archives that are explored in the directory browser (e.g. double-clicked) are now incorporated into the volume snapshot right away, as known from Refine Volume Snapshot.
- New optional directory browser columns reveal the owner and the hard link count of files and directories on NTFS/Ext2/Ext3/ReiserFS/Reiser4/HFS+/UFS volumes. Hard links are now listed on NTFS volumes.
- Support for advanced UDF features such as resident files and directories and variably positioned file set descriptors.
- Improvements in UFS support.
- File size filter.
- Filter for some special values in the Attribute column.
- Optionally, files on the logical drive letters A: through Z: can be opened with the help of the operating system instead of with the built-in logic at the sector level. Please note that this is forensically sound only for write-protected media. On writeable media, Microsoft Windows will at least update (i.e. alter, falsify) the last access timestamp of files you open. The benefit, however, is that access to such files may be noticeably faster in many situations, especially on slow media such as CDs and DVDs, e.g. when you compute hashes or skin color percentages for files in a volume snapshot, because Microsoft Windows employs read-ahead mechanisms and entertains a file caching system. See Options | Security.
- Logging user activity separately for each evidence object becomes optional and is even disabled by default in a fresh installation. If disabled, X-Ways Forensics will generate one large chronological log for the entire case, spanning all evidence objects. Note that a log recorded in either way cannot later be converted to the other style.
- The folder for temporary files used by the separate viewer component is now controlled by WinHex/X-Ways Forensics, i.e. set to the one the user specifies in General Options. However, unlike X-Ways Forensics, the viewer component does not silently accept unsuitable paths on read-only media. Please note that the viewer component, if actually used, also leaves entries in the system registry.
- "File Type Categories.txt" now supports full filenames in addition to filename extensions. Useful for certain files with a well-defined name whose extension is not specific enough:
- -;index.dat; Internet Explorer history/cache
- -;history.dat; Mozilla/Firefox browser history
- Support for unified contents/report tables and for the category view of tables was dropped.
- The "File Type Signature.txt" database was updated.
- The disk selection dialog window already reveals on which physical disks the volumes mounted as drive letters A: through Z: reside.
- Calendar mode: color markers were swapped in v12.85. This was fixed.
- Several other minor improvements and same fix level as v12.85 SR-8.