X-Ways Software Technology heeft zojuist versie 13.3 van WinHex uitgebracht. WinHex is niet alleen een universele hex-editor, maar is ook in staat om low-level dataprocessing toe te passen via een makkelijke interface. Het programma beschikt onder andere over een RAM-editor, een Data Interpreter en een Disk-editor, en kan dus worden gebruikt om verwijderde informatie terug te halen en om bijvoorbeeld bestanden te inspecteren. Het changelog van deze release laat de volgende veranderingen zien:
What's new in 13.3?
- Please be reminded that you can check out the reduced user interface for investigators that are specialized in areas other than computers (such as accounting, money laundering, corruption, child pornography, ...) if you click that corresponding checkbox in Options | General Options twice. Licenses for only this simplified version of X-Ways Forensics are available at half the price. With that user interface, investigators can browse e.g. evidence file containers prepared by computer forensic examiners, view documents, comment on them, print them, search them, and create reports on them. They are spared most technical details of the full version of X-Ways Forensics.
- Support for GUID partition tables (GPT) as created by Intel Macs and (if specially selected) by Windows Vista. Requires a specialist or forensic license. Ability to automatically and manually find deleted partitions same as for conventional partition tables (MBR/EMBR concept).
- Partitioned media such as hard disks now have a directory browser that lists the partitions. (Internally, a kind of volume snapshot is used for that.) Supersedes the Access button menu (the popup menu that appears when clicking the button with the big black arrow pointing down), which will soon be removed for physical media in future releases. Allows to easily access partition start sectors, optionally with templates, and all unpartitioned areas. Also allows to include all unpartitioned areas in a global Logical Search run from the case root. Reveals the partitioning type (MBR, GPT, dynamic, Apple, floppy/superfloppy) and the partitions' file systems. Allows to sort the partition listing by physical location, file system, and partition size.
- Ability to index all evidence objects with volume snapshots in a case in a single step.
- Ability to search the indexes of all evidence objects in a case at the same time if they are open and have been indexed, from within the case root.
- Support for distributed indexing, to accelerate index creation in time-critical cases. If n computers participate in indexing the same evidence object, each computer can index approx. 1/n of the total data (may vary depending on the size of very large files within the volume snapshot). If all resulting index files (.xfi files) are created or eventually collected in the same metadata folder, they are treated exactly like an index created by just one computer. To ensure that no part of the volume snapshot is indexed twice or accidentally left out, all participants need to agree on the same index settings and get unique numbers assigned. E.g. if 9 computers are involved, each of the numbers 1...9 needs to be specified for indexing exactly once.
- Specialist | Gather Text is now considerably faster. Unicode text is converted to ASCII text.
- With identical settings, indexing is now somewhat faster than before.
- File masks for decoding text in logical searches are now applied to the true file types in addition to the filenames, if signatures have been verified by refining the volume snapshot. It is recommended to apply this text decoding option to RTF and HTML documents depending on the characters used in your search terms, as in these kinds of documents non- 7-bit ASCII characters like e.g. German umlauts are typically encoded. (since v13.2 SR-3)
- Analogously to the Logical Search command, *indexing* can now cover the encoded, compressed or otherwise garbled text in PDF, WordPerfect, RTF, HTML and other documents as well.
- An error in indexing was fixed that caused the "Exception" option not to work reliably in earlier releases of v13.2. (since v13.2 SR-3)
- Search hit preview improved for very long matches for GREP expressions.
- When archiving a case, index files can be optionally excluded.
- Enhanced compatibility of .e01 evidence files created by X-Ways Forensics. (since v13.2 SR-7)
- Ability to extract information about hardware devices from Windows 2000/XP registry files ("SYSTEM" file) when creating the registry report.
- The registry report definition file Reg Report Keys.txt now supports multiple wildcards in registry paths.
- Reg Report Keys.txt now supports the specification of registry branches that are Windows version independent. E.g. application program settings no longer need to be specified twice, but only once, with ?? as the OS identifier instead of NT and/or 9x.
- Overlapping GREP search hits for the same GREP expression now prevented for physical searches, too.
- Configuration file now user-specific by default, i.e. multiple users sharing the same installation folder (e.g. on a server) will have individual winhex*.cfg files. For details please go to http://www.x-ways.net/winhex/setup.html. (since v13.2 SR-5)
- Incomplete directory tree error after hash computation fixed. (since v13.2 SR-5)
- When reviewing index search hits in Preview mode, you can now use F3 to search for additional hits in the same file in the Preview area. (since v13.2 SR-5)
- Notable search hits are now marked with a flag instead of a paperclip icon, to avoid confusion, as that icon is already used on the button that brings up the Position Manager and bookmarks. (since v13.2 SR-5)
- Graphical anomalies under Windows 2000 fixed. (since v13.2 SR-8)
- FAT timestamps no longer translated to local time in calendar view. (since v13.2 SR-9)
- Several other minor improvements and fixes.