X-Ways Software Technology released version 14.9 of WinHex yesterday. WinHex is not only a universal hex editor but can also perform low-level data processing through an easy-to-use interface. Among other things, the program includes a RAM editor, a data interpreter and a disk editor, and can for example be used to recover deleted information and to inspect files. WinHex runs on all Windows versions from 98 onwards, with the exception of NT, but the complete set of features can only be used in full on Windows 2000 or higher. Below is a list of everything that has changed since version 14.8:
- Better structured and more visually appealing representation of internal file metadata in Details mode for various file types.
- Support for true Unicode filenames for the examination of Zip, RAR, and 7zip archives. Note that for Zip archives with true Unicode filenames to be processed correctly, you need to pick the correct code page in the case properties first. E.g. for Zip archives created under Linux, that's likely UTF-8. For Zip archives created under Windows in Asia, that's likely a regional code page.
- Better support for very large archives in excess of 2 GB. Some other minor improvements in relation to archive handling.
- Some minor improvements/fixes for e-mail processing, concerning filename conflicts, e-mails with unusual line-break formats, Pegasus Mail and PocoMail files.
- The option to not include free drive space in otherwise complete sector-wise images of partitions/volumes is now available in X-Ways Forensics, too, not only in WinHex when run with a specialist or forensic license. It's now included in X-Ways Forensics because more selective instead of complete acquisitions may be preferable or even required in certain jurisdictions and because certain prosecutors wish to limit examinations to existing files anyway. Special precautions help to avoid unintentional use of this option.
- Ability to filter out only those previously existing items whose first cluster is known to be unavailable (most notably the so-called "X files"), by using a new third state of the checkbox entitled "List previously existing items".
- Ability to focus on files that have child objects with the Attribute filter.
- Whenever one or more filters are active that actually filter out items in the currently displayed directory browser, the two blue filter symbols in the directory browser's caption line are now clickable and allow you to deactivate all filters with a single mouse click, to ensure you are not missing any file. This was a frequently requested feature. Comments on the actual implementation are welcome, by e-mail or in the computer forensics section of the forum.
- The new button that allows you to deactivate all filters now also causes the search hit list to be displayed in full: if multiple search terms are selected and "Min. x" or "All x" settings are used, they are reduced to "Min. 1". It also unchecks the "List 1 hit per file only" checkbox, if checked.
- No longer adds XML files to the report table "No detectable textual contents" when no text is extracted from them by the viewer component for the logical search/for indexing.
- An error was fixed that would prevent files beyond the 2 TB barrier from being read correctly, on NTFS volumes larger than 2 TB.
- X-Ways Forensics and X-Ways Investigator now notify you when you get nearer to the end of your update maintenance period.
- The viewer component is now loaded only when actually needed, not when starting the program.
- The e-mail extraction functionality now checks *.pst files for their signature and original *.eml files for the presence of embedded files before trying to do the extraction. Files embedded in original .eml files are now extracted directly as child objects, and the e-mail message is not duplicated any more.
- The "Text" button that turns the preview provided by the viewer component into a raw text preview (which for example is very helpful when interested in all header lines of an e-mail message), is now labelled "Raw", to increase awareness of the fact that usually it is _not_ desirable to view files in that mode.
- Some other minor improvements.
- The new e-mail extraction method that associates e-mail attachments with their respective parent e-mail messages as child objects was very slow for large e-mail archives. That problem was solved.
- The old e-mail extraction logic from v14.8 and before, where attachments were collected in a separate directory "Attach", can now be used again by choosing to not allow files with child objects. See Options | Directory Browser. Note that this option will eventually be removed in future versions. It is included for backwards compatibility only.
- Password-protected Outlook PST e-mail archives will now be marked with "e!" if either the encryption test is applied to such files or if you try to extract e-mail from such files.
- For certain file types the file type verification now determines the correct file type without highlighting the type status as "newly identified" even if the type is different from the extension. It does that for Windows Registry files (because it's normal for them not to have any extension) and HTML/XML files (because there are a variety of extensions that are all normal and plausible). That helps to keep the number of files with the type status "newly identified" low and allows you to better concentrate on files that were actually misnamed.
- Finds deleted partitions automatically if located 64 sectors apart from a previously found partition (not only 63 or 2048 sectors as before).
- Since the introduction of 256-bit AES in WinHex/X-Ways Forensics, the PC1 encryption algorithm was still supported only for compatibility with earlier versions. Support has now been discontinued.
- Some other minor improvements.
- X-Ways Forensics now points out if a file in an NTFS volume has been only partially filled with data. Such files are marked with "partial init." (partial initialization) in the Attribute column and can be filtered like that. The size of the actually initialized/defined portion of the file is now displayed in the Details Panel when opening such a file or when looking at it in File mode, labelled as "Valid data length", and the affected data range will be displayed in a different color. Search hits in the uninitialized portion of a file will be marked as search hits in "slack etc.".
  All of that is meant to help a skillful forensic examiner to avoid drawing inaccurate conclusions. This risk exists because data that is stored in the allocated clusters of a file may be old data that was present on the disk before the clusters were allocated to that file, if the clusters have never been actually overwritten with new data. Typically, file types that may not always be fully initialized include
  - Windows Registry
  - Windows Event Log (.evt and .evtx)
  - Outlook PST
  - Outlook Express DBX
  - Windows MediaPlayer databases
  - Windows Reliability Monitor
  - SystemIndex Indexer CiFiles
  - Microsoft Network Downloader
  - Windows Font Cache
  - Windows Vista thumbcache
  - Windows rescache
  - Microsoft IME User Dictionary
  - Java .jsa
  and database files, temporary files, and generally files created by applications that like to preallocate storage space for performance reasons or to prevent later file fragmentation.
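The "partial init." state described above comes from the NTFS non-resident $DATA attribute, which records an initialized size ("valid data length") separately from the file's real size; bytes between the two read back as zeros through the file system, while the underlying clusters may still hold older data. The following is an added example, not X-Ways code: it parses those three size fields from a non-resident attribute header using the public NTFS on-disk layout (offsets 0x28, 0x30 and 0x38), reports the uninitialized byte range, and classifies a search-hit offset as "file contents" or "slack etc.". The sample attribute header is constructed inline for the demonstration.

```python
import struct

# Offsets inside an NTFS attribute header (common part + non-resident part).
DATA_ATTR_TYPE = 0x80      # attribute type code of $DATA
NONRES_FLAG_OFF = 0x08     # 1 = non-resident (data lives in clusters, not in the MFT record)
ALLOC_SIZE_OFF = 0x28      # allocated size, real size and initialized size are three
                           # consecutive little-endian uint64 fields starting here


def parse_nonresident_sizes(attr: bytes) -> dict:
    """Return allocated, real and initialized sizes of a non-resident $DATA attribute."""
    atype, _length = struct.unpack_from("<II", attr, 0)
    if atype != DATA_ATTR_TYPE:
        raise ValueError("not a $DATA attribute")
    if attr[NONRES_FLAG_OFF] != 1:
        raise ValueError("resident attribute: nothing is preallocated on disk")
    allocated, real, initialized = struct.unpack_from("<QQQ", attr, ALLOC_SIZE_OFF)
    return {"allocated": allocated, "real": real, "initialized": initialized}


def uninitialized_range(sizes: dict):
    """[start, end) of the logical file that NTFS reads as zeros but whose clusters
    were never written for this file; None when the file is fully initialized."""
    if sizes["initialized"] >= sizes["real"]:
        return None
    return (sizes["initialized"], sizes["real"])


def classify_hit(sizes: dict, offset: int) -> str:
    """Classify a search hit at a logical file offset the way an examiner should read it."""
    if offset < sizes["initialized"]:
        return "file contents"
    if offset < sizes["real"]:
        return "slack etc. (uninitialized, possibly old data)"
    return "beyond end of file"


def build_sample_data_attr(allocated: int, real: int, initialized: int) -> bytes:
    """Constructed sample: a minimal non-resident $DATA header with an empty data run list."""
    hdr = bytearray(0x48)
    struct.pack_into("<II", hdr, 0, DATA_ATTR_TYPE, len(hdr))
    hdr[NONRES_FLAG_OFF] = 1
    struct.pack_into("<QQ", hdr, 0x10, 0, max(allocated // 4096 - 1, 0))  # start/last VCN
    struct.pack_into("<H", hdr, 0x20, 0x40)  # data runs offset; 0x00 there = end marker
    struct.pack_into("<QQQ", hdr, ALLOC_SIZE_OFF, allocated, real, initialized)
    return bytes(hdr)


if __name__ == "__main__":
    sizes = parse_nonresident_sizes(build_sample_data_attr(1048576, 1000000, 65536))
    print(sizes, uninitialized_range(sizes), classify_hit(sizes, 70000))
```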
- Ability to decompress Windows XP 32-bit hiberfil.sys files, whether active or inactive, to get a dump of physical memory with all in-use pages from a previous point of time when the computer entered into hibernation, as well as individually carved xpress chunks from hiberfil.sys files, including xpress chunks located in the "slack" of hiberfil.sys that are even older. This feature is available in Edit | Convert. (forensic license only)
- Creation and last access timestamps are now extracted from zip archives when including their contents in the volume snapshot, if these timestamps are available.
- More complete Unicode support in various portions of the user interface, such that the Chinese and Japanese translation can now be used correctly even if the code page that is active in the Windows system is not 936 or 932, respectively. More complete Unicode support also for case HTML reports output in Chinese or Japanese.
- Encrypted files in archives currently cannot be opened in v14.9 Beta.
- When extracting e-mail messages and attachments, attachments now become child objects of their respective parent e-mail messages. That makes it very easy to find the attachments for a given e-mail message, or to find the e-mail message that contains a given attachment. Because of this parent-child relationship, you can now conveniently include the containing e-mail message when copying attachments to an evidence file container. Tagging an e-mail message will also tag its attachments. Tagging an attachment will at least partially tag the containing e-mail message. (forensic license only)
- The names of attached and embedded files that belong to e-mail messages in the same e-mail folder are usually no longer made unique by artificially inserting an incrementing number in square brackets before the extension.
- The body of e-mail messages extracted from PST archives with Outlook 2003 or later present is now more faithful for Asian languages.
- The directory browser context menu command that in previous versions found the containing e-mail message for a given attachment has been renamed "Find parent object", moved to the Position submenu and can now be applied to any file. Its function is now identical to the Backspace key, and it's now available with any license type. It also no longer switches back from a recursive to a non-recursive view if the parent object is already listed in the directory browser in that recursive view.
- Pictures embedded in other files can now be included in the volume snapshot even if their respective parent files are compressed.
- Representation of .lnk shortcut files for Preview mode and the View command is now more visually appealing. (forensic license only)
- It is now possible to focus on or filter out half tagged items (see Directory Browser Options).
- Ability to export lists as text files in Unicode.
- Stills extracted from videos are now named after the video file, not only after the time index.
- Naming carved JPEG files after camera model and date and time (specialist or forensic license), where possible, is now optional.
- Fixed errors of earlier preview versions.
- Fixed an error that under certain circumstances caused a file header signature search to find and list files that were already part of the volume snapshot before, although this feature is supposed to avoid creating duplicates.
- Several minor improvements.
- Metadata extraction from hiberfil.sys files, .wim Vista image files, and GZ archives in Details mode.
- Indexing: Unnecessary interruption by user prompts in certain situations prevented.
- Even after exploring a directory by clicking it in the directory tree you will now find a ".." item at the top of the directory browser, which you can double-click to go upwards to the respective parent directory, same as with the backspace key.
- Report field selection list error from Preview 3 fixed.
- Some minor improvements.
- The quick-guides that are downloadable from the X-Ways Forensics product web page have been updated for v14.8/v14.9 where necessary.
- Ability to read and write .e01 evidence files with a segment size larger than 2 GB. In fact it is not necessary any more to split them at all (except of course if the target file system is FAT32 or if you need to burn the image on CDs or DVDs). For full compatibility with earlier versions of X-Ways Forensics, with EnCase versions before v6, and with other products, split them at 2,047 MB or less, as before.
- Report tables created by X-Ways Forensics itself (by v14.9 Preview 3 and later) can now be distinguished from user-created report tables in dialog windows.
- The size limit that defines when a picture is considered irrelevant for skin tone analysis is now slightly more strict (width or height no more than 8 pixels, or width and height no more than 16 pixels each).
- Ability to rename virtual attached files in the volume snapshot with the directory browser context menu.
- Metadata extraction from MS Office 2007 XML, OpenOffice XML, StarOffice XML, .dmp memory dumps, and PNF (precompiled setup information) files.
- Same fix level as v14.8 SR-2.