X-Ways Software Technology has released version 15.0 of WinHex. WinHex is not only a universal hex editor but can also perform low-level data processing through an easy-to-use interface. The program includes, among other things, a RAM editor, a data interpreter and a disk editor, and can be used, for example, to recover deleted information and to inspect files. WinHex runs on all Windows versions from 98 onward with the exception of NT, but the complete set of capabilities can only be fully used on Windows 2000 or higher. New in this release is that optimal use is now made of multiple processor cores, which makes the program considerably faster. The full changelog for this release is as follows:
Changes in version 15.0:
- X-Ways Forensics 15.0 features a totally revised indexing algorithm that specifically utilizes multiple processor cores and, on systems that have multiple processor cores, runs faster than its predecessor, in particular when taking the (optional) optimization step into account.
- The file type signatures database now distinguishes between signatures that are useful for file type verification only (to verify the type of files that are already contained in the volume snapshot, forensic license only) and signatures that are strong and important enough to also use them in a file header signature search, i.e. to find additional files. For that purpose, two separate definition text files now ship with X-Ways Forensics. The purpose is to keep users from blindly selecting all file types for the search, from getting too many false positives for weak signatures as a consequence, from getting too many garbage files (e.g. MPEG fragments that cannot be played), from getting too many irrelevant files (e.g. font files, cursor files), and from unnecessarily suffering from a slow search speed, and from complaining about all of this. Of course it's still possible to add new file type definitions for file header signature searches or to move file type definitions from one definition file to the other consciously.
- File type signature and category definitions have been further expanded.
- Previously existing files whose first clusters are known to be overwritten are no longer checked for their true file type.
- Zip and Rar archives that X-Ways Forensics knows contain encrypted files are now marked as encrypted themselves, with "e!" (file format specifically encrypted) in the Attribute column. Allows you to focus on such files more conveniently than before. (And some users didn't realize how it was possible before.)
- It is now possible to manually define a block in Volume/Partition/Disk mode and add it to the volume snapshot as a carved file. Useful if you wish to treat data in a certain area (e.g. HTML code or e-mail messages found floating around in free space) as a file, e.g. to view it, search it specifically, comment on it, add it to a report, etc. The command for that can be found in the Edit menu.
- The German name of the virtual directory for carved files has been changed from "Per Signatur gefunden" to "Aus Sektoren herausgemeißelt" (translation/paraphrase of "carved"). If you would like to suggest a different name, please get in touch.
- A new directory browser option called "Full path sorting" for objects that have child objects has been introduced. The effect is that, if sorted by path, child objects will be listed directly after their respective parents (e.g. files after their parent directories, e-mails after the e-mail archives from which they have been extracted, e-mail attachments after their containing parent e-mail messages, compressed files after their parent archives, etc.).
- Support for more than 255 file type signature definitions.
- Two more external programs can be defined.
- The first portion of the Details mode ("Data from the Volume Snapshot") is now displayed as a table, which is visually more appealing.
- Metadata extraction from BMP files and (on logical drive letters) EXE/DLL files.
- .cfg files from previous versions cannot be imported any more.
- When verifying file types, for files that are not recognized by any entry in the file header signature database, X-Ways Forensics now makes additional attempts at detecting the file type. Useful to recognize file types that do not have a fixed signature, e.g. .eml e-mail messages, programming language source code, batch files, and many more.
- The names of extracted .eml files are now usually more authentic especially if the subject line is encoded in an Asian code page.
- When outputting report tables to the case report, to make the report more compact (e.g. for printing), it is now possible to break the filename and path lines after a user-defined number of pixels. Helps to keep the report from becoming wider than a printable page, especially when referencing more than one file per row.
- When viewing search hits in the decoded version of e.g. PDF documents in raw preview mode, you now see the exact raw decoded text as used for searching. Useful if the viewer component cannot highlight a search hit in the regular view of the PDF document.
- Some minor improvements in e-mail processing.
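
The changelog's distinction between verification-only signatures and signatures strong enough for a file header signature search, shown as an added Python illustration (not X-Ways code). The signature table, the `carve` flag and the sample image are constructed for this example and do not reflect the format of the X-Ways definition files.

```python
from dataclasses import dataclass

SECTOR = 512

@dataclass(frozen=True)
class Signature:
    file_type: str
    magic: bytes
    carve: bool  # True: usable in a header search; False: verification only

# Constructed table for illustration; not the X-Ways definition files.
SIGNATURES = [
    Signature("png", b"\x89PNG\r\n\x1a\n", True),
    Signature("pdf", b"%PDF-", True),
    Signature("zip", b"PK\x03\x04", True),
    Signature("bmp", b"BM", False),  # two ASCII bytes, common in arbitrary data
    Signature("exe", b"MZ", False),
]

def verify_type(header: bytes):
    """Verification: the file is already known, so every signature may be used."""
    for sig in SIGNATURES:
        if header.startswith(sig.magic):
            return sig.file_type
    return None

def header_search(image: bytes, include_weak: bool = False):
    """Sector-aligned header search over raw data; returns (offset, type) hits."""
    hits = []
    for off in range(0, len(image), SECTOR):
        for sig in SIGNATURES:
            if (sig.carve or include_weak) and image.startswith(sig.magic, off):
                hits.append((off, sig.file_type))
    return hits

def build_sample_image() -> bytes:
    """Constructed image: two real headers plus text sectors starting with BM/MZ."""
    sectors = [
        b"\x89PNG\r\n\x1a\n",
        b"BMW service invoice, page 2",
        b"%PDF-1.4\n",
        b"MZ-80K user manual, chapter 3",
        b"",
    ]
    return b"".join(s.ljust(SECTOR, b"\x00") for s in sectors)

if __name__ == "__main__":
    image = build_sample_image()
    print("strong only:", header_search(image))
    print("with weak:  ", header_search(image, include_weak=True))
```

With the weak signatures included, the two text sectors are reported as BMP and EXE files, which is the false-positive effect the changelog describes; the same two-byte signatures remain useful for `verify_type`, where the data is already known to be the start of a file.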