WinHex is niet alleen een universele hex-editor, zoals de naam laat vermoeden, maar is ook in staat om low-level dataprocessing toe te passen via een makkelijke interface. Het programma beschikt onder andere over een RAM-editor, een Data Interpreter en een Disk-editor, en kan dus worden gebruikt om verwijderde informatie terug te halen of om bijvoorbeeld bestanden te inspecteren. De ontwikkelaars van X-Ways Software Technology hebben WinHex 13.4 uitgebracht met de volgende aanpassingen:
- Ability to assign one or several files to multiple report tables in a single step. Ability to create new report tables, rename and delete existing ones directly in the same dialog window.
- The filename of the case report is now freely selectable. When files in report tables are to be included in the report, they are now extracted from the evidence object (copied to a subdirectory) only when the report is created. That way it is easier to distinguish between multiple reports that consist of different report tables and to distinguish between their corresponding subdirectories and files, e.g. if different reports are created for different recipients, where each recipient should only be provided with the files he/she needs to see.
- Report tables in case reports can now be considerably condensed in that multiple items can now be output in the same line. E.g. you could select a small thumbnail size for pictures and save a lot paper or screen space by grouping 4 pictures per line in the report.
- Ability to filter out items that already belong to a report table ("NOT" operator) in order to concentrate on those that may still need to be associated with such a table.
- Ability to export items in the directory browser in exactly the same format and columns as displayed in the program. Unlike before, the names of matching hash sets and associated report tables are exported as are free text comments. Columns are selectable. The output text file can be either Unicode or ASCII. As the descriptive icons cannot be seen in the exported list, an additional optional column has been introduced that provides a textual description of exported items (indicating whether they are existing files or deleted directories etc.).
- Ability to wipe hard disk space with pseudo-random data that looks like highly encrypted data (quite fast). Ability to wipe with cryptographically secure pseudo-random numbers (very slow). The data transfer rate is now displayed in the progress indicator window.
- Because of its minor significance, the command to add individual files to the case by default is not available in the directory browser's context menu any more, only if you hold the Shift key when right-clicking.
- Supported number of RAID component disks increased from 5 to 10.
- Ability to execute WinHex/X-Ways Forensics in a path with true Unicode characters. Various directories such as the folder for image files and for temporary files may now contain true Unicode characters in the path (still testing). However, the viewer component does not accept such paths for temporary files.
- StrToInt script commands now supports integer values larger than 4 billion (32-bit unsigned).
- File signature and type definitions for MS Office 2007 and OpenOffice.org 2 added.
- New association with report tables can now either replace the previous association or be cumulative.
- Ability to cope with date formats set in the Windows Control Panel that do not end with either month, day or year, but with a closing special character such as another period. That character is omitted from the display in X-Ways Forensics, but the order of month, day, and year is adapted correctly.
- File type filter accelerated.
- When multiple examiners share the same image file, yet each work with their own case files because they examine different aspects of the same case simultaneously, or when providing non-IT examiners with evidence file containers and pre-compiled search indexes, or when using the distributed indexing feature to accelerate index creation, there is now the option to have a common metadata subdirectory with the search index, which saves drive space, accelerates access because of improved Windows file buffering, and facilitates handling of the search index files.
Such a shared metadata directory for search index file (.xfi files) is used for both index creation and index search, however only if it is specifically created by the user, i.e. if it exists when needed. It is expected as a subdirectory of the directory where the image file is located, with the same base name as the image file, without extension, and the suffix " Metadata". If you prefer to store the index files on a different drive for performance reason, simply create the metadata directory as an NTFS reparse point that redirects to a different drive, but this and whether this feature is used at all is at the user's discretion.
- The same generic metadata subdirectory is now used when creating an evidence file container, if individual comments about files are to be passed on with that container, which is a new option for newly created containers. The recipient of the container will see those comments if he/she is not only provided with the container, but also with the metadata subdirectory of that container. Useful to not only forward a collection of files to other investigators as before, but also customized information and preliminary findings. E.g. computer specialists could add the name of the owner of a file for non-IT examiners to see, or the reason why a file was selected for inclusion in the container.