Winhex is not only a universal hex editor, as the name suggests, but is also capable of low-level data processing. The program includes, among other things, a RAM editor, a data interpreter and a disk editor, and can therefore be used to recover deleted information or to inspect files. After seven development versions of Winhex, the developers at X-Ways Software Technology have released version 14.8. Unfortunately, the accompanying list of changes also contains the improvements that were added to X-Ways Forensics and that therefore will not be found in Winhex.
- Ability to extract JPEG pictures from video files, in a user-defined interval (e.g. every 20 seconds). Immensely useful if you have to systematically check many videos for inappropriate or illegal content (e.g. child pornography). Looking at extracted pictures in the gallery is much faster and more comfortable than having to watch each video entirely one after the other, as the amount of data is vastly reduced, and the extraction process can be run unattended e.g. overnight.
Also useful if you need to include still pictures in a printed report. The extracted pictures of each video are collected in a virtual directory named after the original video file, as virtual files, in the same path as the original file, so that it's easy to link suspicious still pictures back to a video. The first extracted picture of a video at the same time serves as a preview picture for the video file in Preview and Gallery mode. ASF/WMV videos protected with digital rights management (DRM) cannot be processed and are consequently marked with e! in the Attr. column.
Requires an external program, either the non-GUI version of MPlayer and its separately downloadable codec package (extract to "codecs" subdirectory of MPlayer), or Forensic Framer (available February 2008). The program has to be selected in Options | Viewer Programs. Pictures can be extracted from these video formats and codecs.
- Ability to rename virtual directories, with a new command in the directory browser context menu.
- Ability to preview/view $EFS logged utility streams (LUS).
- The option to filter out $EFS logged utility streams was removed from the directory browser option dialog. An option was added that keeps NTFS LUS from being included in newly taken volume snapshots in the first place, or only non-$EFS LUS. Useful for NTFS volumes written by Windows Vista if you are not interested in NTFS LUS.
- Attribute filters for NTFS $EFS, other logged utility streams, NTFS offline files, files with object ID, Unix/Linux symlinks, and other Unix/Linux special files.
- Attribute filters for pictures that were extracted from videos and for virtual files that were manually attached to a volume snapshot.
- Option to retain alternate data streams as ADS when using the Recover/Copy command if the output volume is formatted with NTFS. (forensic license only) If disabled or if copied to a different file system, ADS are recreated as conventional files, as before.
- When using the Recover/Copy command to copy files including their path, the name of the evidence object is now recreated as a directory also if "Default to evidence object folders for output" is unchecked in the case properties, not only when copying from a recursively explored case root window.
- Metadata extraction from MP3 files. ID3-embedded files other than JPEG and PNG (which can be automatically extracted) are indicated by a special report table once discovered.
- File Type Signatures.txt, File Type Categories.txt, and file carving further expanded and improved.
- Support for anchors in the GREP syntax: \b for a word boundary, ^ for the start of a file, $ for the end of a file.
- Further improved partial support for CD-ROM XA.
- Should X-Ways Forensics crash during Refine Volume Snapshot, Logical Search or Indexing whenever it is dealing with one of the files in the volume snapshot, you will automatically be pointed to the offending file when you restart the program, so that you can easily omit it when trying again. Depends on a new option in Security Options. The VS.log file known from v14.7 is no longer created.
- The Options | Viewer Programs dialog window now allows you to define an additional external program specifically for video files (forensic license only). If defined, double-clicking files that belong to the Video category will send them directly to that external program. If MPlayer is detected by X-Ways Forensics (or Forensic Framer, which includes MPlayer), MPlayer will be predefined.
- The option to group tagged and untagged items was removed. However, it is now easily possible to filter by tags (see below).
- The options to filter out existing/previously existing/hidden items have been superseded by options that are defined in a "positive" sense and more in line with other filters: Show existing files, show previously existing items, show tagged items, show untagged items, show hidden items, show non-hidden items. This change also renders it very easy to focus on files that were tagged or hidden.
- A path filter has been introduced. Allows you to focus on files in whose path a certain substring occurs, e.g. "pic" or "Temporary Int".
- X-Ways Forensics can now distinguish between .wma/.wmv audio/video files when verifying the file type based on signatures. Much more metadata is now extracted from .asf, .wmv, and .wma files. For a MS Excel document, the name of the person that opened it last is now extracted.
- File Type Signatures.txt further expanded.
- Available hashes in the volume snapshot are now reused instead of re-computed when creating hash sets.
- Additional option in investigator.ini that prevents users from deleting report tables.
- Same fix level as v14.7 SR-5.
- Several minor improvements.
- Intelligent file size detection for .rar archives for File Header Signature Search and File Recovery by Type, which allows you to extract and not only list files in such archives.
- Files identified as duplicates based on hash values are no longer optionally marked with comments, but with a "duplicates found" mark in the Attribute column, which is more efficient, is retained in evidence file containers (for the recipient to see that he/she can be supplied with the duplicates if needed), and is now filterable.
- Can now identify the exact type of optical media in the technical details report (whether CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RW, etc.). Somewhat faster read access to DVDs.
- Predefined character pool for indexing Japanese text.
- Ability to copy selected text from viewer component windows to the clipboard in Unicode and RTF.
- File Type Categories.txt and File Type Signatures.txt further expanded.
- Other minor improvements.
- Details mode now more visually appealing and easier to understand. Will be further improved in future releases/versions.
- File header signature search and file type verification improved for HTML, XML, XSD, and DTD.
- There is now an Attr. filter that allows you to focus on files for which file system metadata is available only and whose contents are totally unknown (where not even the original location of the data on the volume is known). Such files are usually part of the volume snapshot after a particularly thorough file system data structure search on NTFS volumes.
- The setup program now shows a progress window when the viewer component is copied (if found in the subdirectory \viewer). It also automatically copies MPlayer (if found in the subdirectory \MPlayer). Remember that if these external components are found in the expected subdirectories, they are activated in Options | Viewer Programs automatically.
- Other minor improvements.
- When pictures are extracted from video files or when e-mail messages and attachments are extracted from e-mail archives, X-Ways Forensics no longer creates a virtual directory whose name resembles the original filename. Instead, the extracted files are accessible directly by double-clicking the original file. They also can still be seen when exploring recursively. The parent file's icon will be marked with an ellipsis, to indicate that the file's contents were extracted and there is more to find "behind" the file. The main benefit is that it is now much faster to identify the parent file. For example, when tagging an extracted file, the parent file will be half tagged automatically, which makes it easier to e.g. add such files to a report table later. Or when navigating back upwards from the extracted contents to the parent file by clicking the ".." item, the parent file itself instead of a virtual directory will be automatically selected. Also the path of the extracted contents is more authentic because no suffix " Mail" or " Pics" is artificially inserted in the path any more.
- Option to filter out previously existing files available in X-Ways Investigator, unless prevented by new option "+28" in investigator.ini.
- If in the case report options you specify maximum dimensions for pictures as 0×0, then the pictures will only be linked, just as other files, not displayed directly in the report.
- The Attr. filter was broken in Beta 3. This was fixed.
- The thorough search for lost partitions now recognizes Ext2/Ext3/Ext4 superblocks.
- Once found, embedded pictures in documents and thumbs.db files are now accessible directly via their host files rather than via virtual subdirectories, analogously to files extracted from e-mail archives and video files since v14.8 Beta 4.
- The binary contents of recycle bin info2 files, .lnk shortcut files, and $EFS LUS are no longer output directly as part of a case report. Instead, a textual representation of their contents is output, as known from Preview mode.
- Other minor improvements.
- Options to explicitly include or exclude child objects of directories or files when using the Recover/Copy command or when filling evidence file containers. As before, when copying from an already recursive view, however, child objects cannot be included.
- It is now possible to include directory data (i.e. depending on the file system, directory entries, INDX buffers, ...) in evidence file containers. Useful if the user of the container might be interested in timestamps or other metadata in these data structures. If you choose to include directory data in a container when creating it, this has a direct effect only on directories that are selected themselves. It has an effect on parent directories of selected items only if you check an additional option. This is needed because otherwise the directory data might unintentionally reveal the names and other metadata of files that were intentionally omitted from the container, e.g. for reasons of confidentiality. Earlier versions of X-Ways Forensics