X-Ways Software Technology today released version 14.0 of WinHex. WinHex is not only a universal hex editor but can also perform low-level data processing through an easy-to-use interface. The program includes, among other things, a RAM editor, a Data Interpreter and a disk editor, and can therefore be used to recover deleted information and, for example, to inspect files. WinHex runs on all Windows versions from 98 onward with the exception of NT, but the complete range of features can only be fully used on Windows 2000, XP and 2003 Server. The changelog for this release shows the following changes:
- X-Ways Forensics can now optionally keep track of which files were already viewed, and flag them visually with a green background color around the tag. This is especially useful when reviewing hundreds or thousands of documents/pictures over a longer period, to avoid accidentally viewing the same documents multiple times and to assure the user of his or her progress. A file can automatically be flagged as already viewed when viewing it in Preview or full window mode, when viewing pictures in the gallery, or when identifying a file as known good based on the hash database. This is customizable in the directory browser options dialog. To manually flag files as already viewed, you can press Alt in combination with the cursor keys. Alt+Left removes the mark. A directory will be marked as fully viewed once all files in it are marked as already viewed. The total number of viewed items in the volume snapshot can be seen under Specialist | Refine Volume Snapshot.
- Ability to delete duplicate search hits with a context menu command. Search hits are considered duplicates if they either have identical physical offsets or, if they don't have physical offsets, if their logical offsets and the corresponding internal file IDs are the same. (Comments by e-mail on the definition of duplicate search hits are welcome. Perhaps the lengths of two search hits should be identical, too, before declaring them duplicates.) No assumption must be made that the duplicate that is selected for deletion is the "less valuable" search hit (but this is subject to improvement in future releases). E.g. a search hit in a deleted file "delivery28924.pdf" might be more helpful than in the virtual file "Free space", even if it's the same search hit. Or a hit for "Smithsonian" may be more helpful than a hit for "Smith".
- Due to popular demand, it is now possible to redefine the order of the columns in the directory browser, in the directory browser options dialog. This will also change the order of the fields in the case report (i.e. in report tables), on print cover pages and in exported file listings. You can select a column for relocation by clicking its radio button. Then use the vertical scrollbar that appears at the top. You can reset the column order to the default one if you right-click that scrollbar.
- There is now a filter for the skin color percentage column, allowing to specifically address e.g. pictures with a high amount of skin tones or gray scale and black and white pictures.
- The attribute filter now allows to specifically list files that are flagged as possibly encrypted based on the entropy test ("e?").
- Improved file signature search at sector boundaries for MPEG files, in that no overlapping MPEG fragments and no MPEG fragments in the middle of known MPEG files will be output/listed any more.
- Now supports up to 75 locally accessible physical media instead of 30.
- Displaying pictures with the separate viewer component instead of with the internal graphics library is now noticeably faster (but still noticeably slower than with the internal graphics library).
- Write access possible to disk sectors under Windows Vista for physical media and partitions opened from within physical media (not opened as drive letters in WinHex) in most of the situations where this failed with previous versions of WinHex.
- The case root is now a complete overview of all evidence objects. It is now possible to remove evidence objects from the case in the case root window, and in particular to remove multiple selected evidence objects at a time (useful e.g. if you have added multiple ordinary files to the case directly instead of to a file container, which is preferable).
- E-mail messages and attachments can now be extracted from Outlook .msg files.
- Two more columns, Sender and Recipient, have been introduced, that are filled for e-mail messages. These columns come with convenient substring filters. They can optionally be displayed dynamically, i.e. included in the directory browser only when e-mail messages are actually listed in the visible portion. This avoids wasting space on the screen for these columns when no e-mail messages are currently listed.
- It is now possible to review the (incomplete) search hit list in the middle of an ongoing simultaneous search. Clicking the search hit list button will pause the search and allow to view the preliminary search hit list, until resuming the search if necessary.
- The attribute filter now allows to specifically list files with the Hidden attribute, e-mail messages, and e-mail attachments only.
- Ability to view the messages.txt file directly from within the case properties dialog window.
- When using the Recover/Copy command in search hit lists, directories are now recreated in the output folder as files, as the user likely wants to retain the original data with the search hit. The Recover/Copy command in such situations did not branch into selected subdirectories anyway in earlier versions.
- Dynamic e-mail columns option fixed.
- The Recover/Copy command is no longer covered by general logging, but has its own HTML log file, "copylog.html", which can include not only the output filename and path, but also any of the available metadata about the copied files, e.g. original name, original path, size, timestamps, true type, etc. The HTML file is created in the _log subdirectory of a case. (forensic license only)
- The Export command now creates HTML files instead of text files. The result is much more convenient to view (e.g. in a web browser, in MS Word or MS Excel), especially in the case of exported search hits with context, where the actual search term can be highlighted within the context (yellow background color). Search hit highlighting, however, is optional, as it does not have the desired effect when viewing with MS Excel. With the HTML output for search results, the main functionality of Evidor is now available in X-Ways Forensics, too. If needed, programs like MS Excel can still be used to convert the HTML to tab-delimited ASCII or Unicode text as created by earlier versions of X-Ways Forensics.
- The number of backups that X-Ways Forensics keeps for a case file is now user-definable (5 by default) instead of just 1.
- Some minor improvements.
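
The duplicate rule from the search-hit item in the changelog above, as an added Python example (not X-Ways code): hits are keyed by physical offset, or by internal file ID plus logical offset when no physical offset exists, with the changelog's suggested length check as an option. The `SearchHit` fields, function names and sample hits are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SearchHit:
    term: str                        # matched text; its length stands in for hit length
    file_name: str
    file_id: int                     # internal file ID (hypothetical field name)
    logical_offset: int
    physical_offset: Optional[int]   # None when the hit has no physical offset


def duplicate_key(hit, include_length=False):
    """Key under which two hits count as duplicates per the changelog's rule."""
    if hit.physical_offset is not None:
        key = ("phys", hit.physical_offset)
    else:
        key = ("log", hit.file_id, hit.logical_offset)
    # Optional stricter rule floated in the changelog: lengths must match too.
    return key + (len(hit.term),) if include_length else key


def dedupe(hits, include_length=False):
    """Keep the first hit per key; return (kept, dropped) so that the
    dropped hits can be reviewed instead of silently discarded."""
    seen, kept, dropped = set(), [], []
    for hit in hits:
        key = duplicate_key(hit, include_length)
        if key in seen:
            dropped.append(hit)
        else:
            seen.add(key)
            kept.append(hit)
    return kept, dropped


# Constructed sample hits, not taken from any real case.
SAMPLE_HITS = [
    SearchHit("Smith", "Free space", 1, 0, 40960),
    SearchHit("Smithsonian", "delivery28924.pdf", 7, 512, 40960),
    SearchHit("Smith", "archive.zip/a.txt", 9, 100, None),
    SearchHit("Smith", "archive.zip/a.txt", 9, 100, None),
    SearchHit("Smith", "archive.zip/b.txt", 10, 100, None),
]

if __name__ == "__main__":
    kept, dropped = dedupe(SAMPLE_HITS)
    for hit in dropped:
        print("dropped:", hit.term, "in", hit.file_name)
```

Returning the dropped hits lets a reviewer see when the removed copy is the more informative one, as with the `delivery28924.pdf` hit here, which survives only when `include_length=True`.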