WinHex is not only a universal hex editor, as the name suggests, but is also capable of low-level data processing through an easy-to-use interface. The program includes, among other things, a RAM editor, a Data Interpreter and a disk editor, and can therefore be used to recover deleted information or, for example, to inspect files. The developers at X-Ways Software Technology have released a beta version of WinHex 13.2 with the following announcement:
A beta version of WinHex/X-Ways Forensics 13.2 is now available. The download link for X-Ways Forensics can be retrieved by querying one's license status. The download link for WinHex is on the main WinHex web page.
- There are new (optional) quick filter buttons in the directory browser column headers that allow you to activate and modify dynamic filter settings more instantly.
- Report tables have evolved from tab-delimited text files that are associated with just one evidence object to virtual, case-wide categories, by which you can dynamically filter or sort, even in the case root, not unlike comments. However, while comments are best for free text, report tables can now serve as convenient user-defined categories such as "related to company x", "incriminating pictures", "unjustified expenses". Using report tables that way for filtering instead of keywords in comments can prevent errors due to typos. One file can be part of multiple report tables.
The report tables columns you can select for output to the case report are now the same as for the directory browser. Report tables created and filled by v12.9 and later can be imported by v13.2. Report table titles now use Unicode instead of ASCII. Filenames in report tables are now output to the case report in Unicode.
- Comments now use the Unicode instead of the ASCII character set throughout the user interface and the case report.
- Case titles, case filenames, case descriptions, examiner names, image filenames, evidence object titles, comments, command line parameters, and the case log now all work with Unicode.
- It is now possible to select evidence objects for recursive viewing in the case root.
- Cases last saved by v13.2 cannot be opened any more by earlier versions of X-Ways Forensics. v13.2 won't import certain items from cases saved by earlier versions: search hit lists from v12.9 and earlier; free space, slack space, and text that was captured in a separate file and associated with a case.
- The name of the evidence object that a directory browser item belongs to is now displayed in a separate column. This field is useful in a recursively explored case root and for reports that include the new case-level report tables.
- When associating a hard disk and its partitions with a case as evidence objects, the case tree now lists the partitions as child nodes of the disk. Volumes/partitions are now represented by a different icon in the case tree to better tell them apart from physical media. They no longer employ a separate icon for access to the root directory, but provide access directly. All of this allows you to more conveniently handle larger cases that involve many hard disks with many partitions and to utilize screen space more economically.
- The particularly thorough file system data structure search on NTFS volumes with its new second step now usually turns up many more previously existing files than before, files that have been deleted, renamed, or moved. Known earlier names/locations of renamed/moved files will be displayed with new arrow icons. For many of the additionally discovered deleted files, however, only the metadata is available (filename, timestamps, ID, ...), not the file contents.
- Newly created volume snapshots for FAT volumes now identify directory entries that indicate that files have been renamed or moved. They are displayed with an arrow icon as well.
- Support for multiple sessions on optical media formatted with UDF. The first and the last session will be listed automatically. Additional sessions in the middle can be found through a particularly thorough file system structure search.
- Strict drive letter based write protection is now optional (yet still enabled by default) in X-Ways Forensics. See Options | Security.
- All text output in the messages window can now be optionally logged in a file messages.txt. See Options | Security. This file is created in the log subfolder of the case, if a case is active, or else in the installation directory.
- Newly created evidence file containers can now be optimized for better performance if a huge number of files is to be added. All three options related to containers are now presented whenever creating a new container, no longer in Options | Security.
- The Copy/Recover command now offers a convenient option to copy files including their slack or the slack separately. (forensic licenses only)
- X-Ways Forensics now allows viewing Windows Event Log files (.evt).
- File Type Signatures.txt: More legitimate extensions per file type supported.
- During the creation of image files, X-Ways Forensics now displays the average data transfer rate in MB per minute and the average compression ratio for compressed evidence files.
- The case report is now more flexible. All components (basic report, report tables, log) are optional. Also you can now optionally omit times from the case log, e.g. if you do wish to pass on the log to someone else, but feel uncomfortable disclosing the pace you worked at.
- The program to view HTML reports (case reports, registry reports, event log conversions) can now be selected in Options | Viewer Programs. MS Word can be more useful than an Internet browser because e.g. it allows further processing of the report and can display directly embedded TIF pictures. If no program is specified in that dialog window (like by default), HTML files will be viewed with the default program for that file type in your system.
- When the hash of an evidence object is verified or computed for the first time, the result is added to the technical description of the evidence object.
- The standard extension of template text files has been changed from .txt to .tpl. Like that, templates can be more easily told apart from other text files.