X-Ways Software Technology has updated WinHex to version 14.3. WinHex is not only a universal hex editor, but can also perform low-level data processing through an easy interface. The program includes, among other things, a RAM editor, a Data Interpreter and a disk editor, and can be used, for example, to recover deleted information and to inspect files. WinHex runs on all Windows versions from 98 onward with the exception of NT, but the full range of features can only be used on Windows 2000, XP and 2003 Server. The most important change in this release is the improved indexing, which can now also handle Unicode. The full changelog for version 14.3 is as follows:
Changes in WinHex version 14.3:
- The indexing feature has been significantly extended. It is now possible to index text both in single-byte character code pages and in Unicode (UTF-16LE)! Also it is possible to have up to three such indexes per evidence object (e.g. Cyrillic characters indexed in Unicode and two Cyrillic code pages). Multiple indexes, if selected, are created consecutively in this version, but with only a single user interaction at the beginning. The index search will search in all created indexes for an evidence object at the same time.
Since Unicode is now supported for indexing, the characters to index are entered as Unicode characters, and X-Ways Forensics allows you to conveniently select characters from more than 22 languages for indexing. Currently, most European and many Asian languages are predefined, e.g. German, Spanish, French, Portuguese, Italian, Scandinavian languages, Russian, South Slavic languages, Eastern European languages, Greek, Turkish, Hebrew, Arabic, Thai, Vietnamese. We appreciate corrections to these character presets (email@example.com). Please note that it is the responsibility of the user to select the appropriate code page(s) and to enable substring indexing if the words in the language to index are not delimited with spaces (e.g. in Thai).
Also, it is now possible to optionally create an index that is case-sensitive. This is useful e.g. if you create the index for the purpose of creating a word list for a customized dictionary attack.
To do: The Export Word List command is not implemented yet for the new index algorithm. The program help has not been updated yet.
- When selecting Chinese as the user interface language, more parts of the user interface can now be actually seen with Chinese characters even if the Chinese code page is not active in Windows (as long as support for East Asian characters has been installed).
- The Details mode has been significantly extended for OLE2 compound files (e.g. pre-2007 MS Office documents) and .shd printer spool files, in that it shows their metadata. For MS Office documents, you will often see many more timestamps (e.g. Last Printed), subject, author, organization, keywords, total edit time, and much more.
- You will now see accurate listings of the contents of Windows shortcut files (.lnk) when viewing them in Preview or full-window view. The listing includes path, name, size, attributes and timestamps of the file being linked, volume label and serial number, drive type, icon file, link description, and much more.
- When refining the volume snapshot and verifying the true file type based on signatures, X-Ways Forensics now warns when it finds hybrid MS Office files, i.e. merged MS Word and MS Excel documents that can be opened in both applications, showing different contents. A notice in the messages window will be displayed, and any detected files will be associated with a special report table. Hybrid MS Office files are a clever attempt to conceal the contents of one of the merged documents.
- Ability to open CDs/DVDs in external optical drives as physical media.
- Additional hash category filters have been introduced: Output irrelevant files only, output unknown files only.
- In newly taken volume snapshots, files and directories on NTFS volumes that have an object ID are now flagged with a capital I in the Attribute column.
- When replacing a partitioned evidence object with a (new) image file, the child evidence objects (partitions) will now be replaced with the same image automatically.
- Several minor improvements, some of them in relation to the extraction of e-mail messages.
- An exception error was fixed that could occur at the end of a file header signature search in certain situations. Also to be fixed with v14.2 SR-5.