X-Ways Software Technology released version 14.6 of WinHex yesterday. WinHex is not only a universal hex editor, but can also perform low-level data processing through an easy interface. The program includes, among other things, a RAM editor, a data interpreter and a disk editor, and can be used, for example, to recover deleted information and to inspect files. WinHex runs on all Windows versions from 98 onwards with the exception of NT, but the complete arsenal of features can only be fully used on Windows 2000 or higher. The changelog for this release shows the following changes and improvements:
- Ability to completely access and examine media and interpreted image files with more than 4.3 billion (2^32) sectors. (still testing) Allows reading data from beyond the 2 TB barrier on media with a sector size of 512 bytes. Also support for NTFS volumes that consist of more than 2^32 sectors. Other file systems on partitions that large: Not specifically supported.
- Ability to attach external files to the volume snapshot and have them processed by X-Ways Forensics like regular files in the volume snapshot. Useful if you need to translate or decrypt original files and would like to reintegrate the result back in the original volume snapshot, in the original path, for further examination, reporting, filtering, searches etc. Such external files will be completely managed by X-Ways Forensics once attached, copied to the metadata directory, and marked as virtual files. In order to attach a file, you right-click the original file that the external file is based on and invoke "Attach external file". The new file should be named based on the original file.
- When filling an evidence file container, two new options are now available: One option allows you to copy files partially to the container only. This is possible if the file has been opened in File mode and a block is selected. Useful e.g. if there is a relevant search hit in the middle of a 2 GB swap file or of a 100 GB virtual free space file, and you would like to forward the context of that search hit to someone via a container, thereby omitting GBs of data that are not related.
- The other option allows you to copy *only* the file system metadata of selected files to a container, totally omitting all file contents. When examining such a container, you can see the entire original directory structure, all filenames, timestamps, file sizes, attributes, etc. and can use various filters.
- Ability to specifically deal with NTFS compression when searching for files via file header signatures (forensic license only). Allows automatic listing of NTFS-compressed files of certain types whose FILE records are no longer available. These files are also automatically decompressed for File mode, Preview mode, and the Recover/Copy command.
- Now extracts metadata from JPEG, PNG, TIF, GIF, THM, thumbs.db, ASF, WMV, WMA, MOV, GZ in Details mode in addition to many other file types. Additional metadata now extracted from PPT files. General further improvements for OLE2 compound files.
- When running a file header signature search, WinHex now automatically names Exif JPEG pictures after the model designation and time stamp as stored by the digital camera card. (specialist license or higher)
- The internal creation timestamp that can be found in various file types can now be displayed in a separate directory browser column, once extracted with a new context menu command ("Extract Internal Metadata") or once seen in Details mode. Thanks to this new column and the timestamp filter, it is now very easy to focus on files/documents that were actually created in a certain time period. Internally stored timestamps are usually less volatile than file system level timestamps and more difficult to manipulate retroactively. The supported file types are: OLE2 compound files (e.g. pre-2007 MS Office documents), MDI, ASF, WMV, WMA, MOV, various JPEG variants, THM, TIFF, PNG, GZ, SHD printer spool, PF prefetch, LNK shortcut, and DocumentSummary alternate data streams.
- The option to copy/append metadata to comments has been moved to the same new context menu command.
- The hash set column now comes with a filter that allows you to more conveniently focus on files whose hash values are contained in selected hash sets or are not contained in selected hash sets.
- When using the Recover/Copy command, overlong paths are now truncated and rendered legal if shortening the last path component can achieve that. Any file with a path longer than 259 characters after this attempt will still not be copied and rather associated to a report table because it wouldn't be possible to deal with this file in Windows anyway.
- UTC-based timestamps displayed in the registry viewer and in the registry report now respect the "Show time zone bias" option so that it's obvious if and how they have been converted to local time. The same time zone settings as for the active case are used.
- When analyzing small amounts of data (<50000 bytes) with Tools | Analyze Data, the compression ratio that zlib achieves for that data is now displayed in the analysis window caption.
- Attachments in original .eml e-mail message files (not virtually produced by X-Ways Forensics itself) can now be extracted if you add *.eml to the series of file masks for e-mail extraction.
- Item numbers in the directory browser are now 1-based instead of 0-based.
- Sectors mode is now labeled either Disk, Partition, Volume, or Container, depending on the nature of the data represented in the data window.
- Several minor improvements.
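
The internal-timestamp item above describes reading a creation time stored inside the file itself and filtering on it. The following added example (not WinHex code, and not from the changelog) sketches that idea for two of the listed types, GZ and LNK. It assumes the relevant fields are the gzip header MTIME (RFC 1952) and the ShellLinkHeader CreationTime of the link target (MS-SHLLINK); all function names and sample files are hypothetical and constructed.

```python
import gzip
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def gz_internal_time(data):
    """MTIME from a gzip member header (RFC 1952); None if absent."""
    if len(data) < 10 or data[:3] != b"\x1f\x8b\x08":
        return None
    (mtime,) = struct.unpack_from("<I", data, 4)
    return datetime.fromtimestamp(mtime, timezone.utc) if mtime else None

def lnk_internal_time(data):
    """Target CreationTime (FILETIME at 0x1C) from a ShellLinkHeader."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    (ft,) = struct.unpack_from("<Q", data, 0x1C)  # 100 ns ticks since 1601
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def internal_time(data):
    """Try each supported parser; None when no internal timestamp is found."""
    return gz_internal_time(data) or lnk_internal_time(data)

def filter_by_internal_time(files, start, end):
    """Names of files whose internal timestamp lies in [start, end]."""
    hits = []
    for name, data in files.items():
        ts = internal_time(data)
        if ts is not None and start <= ts <= end:
            hits.append(name)
    return sorted(hits)

# Constructed sample inputs (not taken from any real case).
_FT_2008 = (1199145600 + 11644473600) * 10**7   # 2008-01-01 00:00:00 UTC
SAMPLES = {
    "notes.txt.gz": gzip.compress(b"constructed sample", mtime=1199145600),
    "old.gz": gzip.compress(b"constructed sample", mtime=946684800),  # 2000-01-01
    "report.lnk": struct.pack("<I", 0x4C) + LNK_CLSID + bytes(8)
                  + struct.pack("<QQQ", _FT_2008, _FT_2008, _FT_2008) + bytes(24),
    "plain.bin": b"no recognised header here",
}

if __name__ == "__main__":
    start = datetime(2007, 6, 1, tzinfo=timezone.utc)
    end = datetime(2008, 6, 1, tzinfo=timezone.utc)
    print(filter_by_internal_time(SAMPLES, start, end))
```

Comparing the value returned by `internal_time` with the file system creation time of the same file is a quick consistency check: a large gap is a lead for the examiner to follow up, not proof of manipulation.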