Cookies op Tweakers

Tweakers maakt gebruik van cookies, onder andere om de website te analyseren, het gebruiksgemak te vergroten en advertenties te tonen. Door gebruik te maken van deze website, of door op 'Ga verder' te klikken, geef je toestemming voor het gebruik van cookies. Wil je meer informatie over cookies en hoe ze worden gebruikt, bekijk dan ons cookiebeleid.

Meer informatie

Software-update: WinHex 16.1

WinHex logo (60 pix)X-Ways Software Technology heeft versie 16.1 van WinHex uitgebracht. WinHex is niet alleen een universele hexeditor, maar is ook in staat om low-level-dataprocessing toe te passen via een gemakkelijke interface. Het programma beschikt onder meer over een ram-editor, een data-interpreter en een disk-editor, en kan bijvoorbeeld worden gebruikt om verwijderde informatie terug te halen of om bestanden te inspecteren. WinHex werkt op alle Windows-versies vanaf Windows 2000 en is verkrijgbaar in vier verschillende versies, met prijzen vanaf 40 euro. Sinds versie 16.0 zijn de volgende veranderingen en verbeteringen doorgevoerd:

What's new?
  • X-Ways Forensics can now process Exchange EDB databases and extract user mailboxes with their e-mail, attachments, contacts, appointments and tasks. Requires X-Ways Forensics to run under Windows Vista or later. Tested with and designed for MS Exchange 2007. Feedback much appreciated, also for Exchange versions 2003 and 2010.
  • Additional information included in imaging log.
  • New version of the internally used graphics viewing library.
  • More powerful and convenient batch processing thanks to an option to automatically trigger logical searches (previously only indexing) after volume snapshot refinement and thanks to an option to trigger the volume snapshot refinement (and therefore indirectly also logical searches) immediately after adding images to the case. That means you click through all the dialog windows initially and then run the selected operations without further user interaction. The operations will be run in this order: First all images are added to the case. Then the volume snapshots will be taken and refined if selected. After that, for selected evidence objects (previous or newly added ones) a logical search will be run if selected. Finally for each selected evidence object an index can be created.
  • Ability to invoke the menu commands to refine volume snapshots and run logical searches in selected evidence objects even when no data window is open at that time. As always, these operations will open data windows themselves when needed and close them automatically when no longer needed, to avoid unnecessary main memory utilization by loaded volume snapshots.
  • A new case tree context menu command that allows to export any portion of the tree to a Unicode text file. The tree will be represented exactly in its current state of expansion and can span all evidence objects. To export a subtree, right-click a directory while holding the control key. Use a fixed font to view the text file. Remember to fully recursively expand a portion of the tree that you want to export, you can click the root of that portion and press the asterisk (multiplication) key on the numeric keypad.
  • Some errors fixed in Exchange EDB processing, support for some more Exchange EDB variants, and more output about conditions when Exchange EDB processing does not succeed.
  • New version of the internally used library for archive decompression.
  • During lengthy Exchange EDB processing, the main window of X-Ways Forensics now remains responsive, and the progress indicator window provides updates. Also EDB extraction can now be aborted liked any other length operation.
  • More efficient memory management for EDB processing.
  • Filename conflict fixed that could occur in case report creation in v16.0 SR-3 through v16.0 SR-6.
  • Case Report: File naming conflict fixed that existed in v16.0 SR-3 through v16.0 SR-6. And filenames are now truncated at latest at 127 characters.
  • Ability to change the order of evidence objects in the case tree, via the properties dialog window, except for "dependent" evidence objects (partitions that belong to a physical disk).
  • Many additional file signature definitions, mostly for file type verification only.
  • The thorough file system data structure search will now check for INDX buffers for index records referencing existing files that are not referenced in the $MFT any more because the $MFT is in a corrupt or incomplete state, for example because the image is incomplete.
  • Further improved Exchange EDB support. We ask for more testing. Thank you very much!
  • Ability to interpret VMware's Virtual Machine Disk images (VMDK) in addition to .e01 evidence files, raw/dd images, ISO images and VHD images.
  • New Export List command in the registry viewer context menu allows to export all values in the selected hive to a tab-delimited text file.
  • Additional edit window in the registry viewer that tells you the logical size of the selected value and the size of its slack. It also interprets registry values of the following types, as known from the registry report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order (menu), ViewView2, SlowInfoCache, IconStreams (Tray notifications), UserAssist, Timestamps (FILETIME, EPOCHE, Epoche8). More to come.
  • New special table "External Memory Device" included in registry report that can be retrieved from Software hives of Windows Vista and later that lists external media with access timestamps, hardware serial number, volume label, volume serial number and volume size (size often only under Vista). Select the definition file "Reg Report Devices.txt" to get the table.
  • Extracting e-mail from Exchange EDB databases: Memory requirements reduced and further improvements.
  • You can now conveniently close viewer windows (whose contents are provided by the viewer component) by hitting the Esc key on your keyboard.
  • Notification when opening a case if it can only be opened as read-only because of the read-only file attribute or because of insufficient file permissions.
  • It is now possible to close filter dialogs by clicking the "x" in the upper right corner or by pressing Alt+F4 without deactivating the filter if its active and without losing selection and scroll position in the directory browser.
  • When using the Recover/Copy command and the output filename has to be shortened to fit in the maximum path length specified by the user, the filename is now shortened in a nicer way, by preserving the extension whenever possible. (forensic license only)
  • Ability to automatically hibernate the system after disk imaging, image restoration and disk cloning. (Previously the only option was to shut down the system.) If Windows signals that hibernation fails, X-Ways Forensics will instead try to shut down the system.
  • Better response during lengthy Exchange EDB extractions.
  • Registry Viewer: Special interpretation of MountedDevices, OpenSavePidlMRU, and LastVisitedPidlMRU
  • Indexing slightly accelerated.
  • Imaging with compressed .e01 evidence files as the output format accelerated for disks that contain large areas of binary zeroes, for example because they were wiped by the user some time or zeroed out by the manufacturer and never completely filled.
  • New "sparse" compression option for .e01 evidence files that only compresses large areas of zero value bytes in a very efficient way.
  • Ability to edit files without using operating system file write commands, directly on a disk/in a raw disk image in any file system supported, even if not supported by Windows, even files not seen by Windows (e.g. deleted files), even in partitions not seen by Windows (e.g. by damaged or deleted), without changing any timestamps or attributes, in in-place mode. For this new editing capability, the file must been opened from within the already opened volume that contains it, via the Open command in the directory browser context menu or in File mode (forensic license only). Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be edited, except in an evidence file container if they have been copied there from the original disk/image.
    Previously it was only possible to edit files when opened via File | Open, using operating system file write commands or indirectly by editing disk sectors. In File mode (forensic license only) and when opening files from within already opened volumes, the only available mode so far was read-only mode. All of this has changed. Note that files cannot be shortened or expanded that way, only the data in already allocated areas can be modified. Editing files opened directly from within disks/raw images as described above is possible in WinHex only, not in X-Ways Forensics or X-Ways Investigator, where sector level write access (to which file editing is internally translated) is disabled and where the only mode available for disks and interpreted images and files opened from within volumes continues to be read-only mode. For owners of a license for X-Ways Forensics, this change only affects the special WinHex version that they receive additionally, not X-Ways Forensics itself.
    In forensic computing, electronic discovery and IT security, the new edit capability can be helpful to manually redact (e.g. overtype) specific data that should not be examined/disclosed/seen or to securely erase specific areas within files (e.g. define as a block and fill the block). Note that evidence file containers are raw images if they have not been converted to the .e01 evidence file format and thus allow for retroactive file editing, which, however will invalidate any accompanying hash values.
    It is even possible to edit directories, i.e. the clusters with directory data, e.g. INDX buffers in NTFS, for example if you need to redact the names of certain files.
  • New file wiping functionality for files that are selected in the directory browser, via a command in the context menu. The data in the logical portion of the file (i.e. excluding the file slack) will be erased/overwritten with a hex value pattern of your choice. The existence status of the file in its file system will not be changed. No file system level metadata such as timestamps or attributes will updated because no operating system file level write commands are used. No file system data data structures are changed, and no filenames will be erased, only the contents of files will be overwritten. Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be erased. Previously existing files whose clusters are known to have been reused will not be erased. Note that by erasing deleted files you might erase data in clusters that belong to other files, so only select existing files if you want to avoid that (assuming consistent file systems). Also note that by erasing carved files you may erase too much or not enough data, depending on the detected file size and depending on whether the file was originally fragmented. This functionality is only available in WinHex, not in X-Ways Forensics.
    Useful for example if copies of images are forwarded to investigators/examiners who are not allowed to see the contents of certain files. Useful also if you have to return computer media on which child pornography has been found to the owner after clearing these files. Also useful if you are preparing images for training purposes that you would like to publish and would like to retroactively erase the contents of copyrighted files (e.g. operating system or application program files).
    Both successfully erased files and files that could not be successfully erased will be added to separate report tables by which you can filter to verify the result.
  • The metadata extraction functionality has been removed from the directory browser context menu. It is now part of the Refine Volume Snapshot command and thus cannot be applied to selected files any more, but to either all files, tagged files or not hidden files.
  • The new wiping functionality in the directory browser context menu now also erases data of selected directories, not only file contents.
  • Cool new function to create hard links of files on NTFS volumes. Useful for example to play around with hard links during our File Systems Revealed training, or if you would like to add the same image to the same case again, which is only possible under a different name. The hard links will be created in the same directory and of course can be renamed and moved by you after they have been created. Tools | Disk Tools | Create Hard Link.
  • Shorter and language-independent case subdirectory names in all cases created by v16.1 and later.
  • More convenient procedure when the path or drive letter of an image in a case has changed, especially if the image was added to the case in v16.1 and later and you have updated the standard directory for images in the General Options already.
  • New special table in the registry report called "Browser Helper Objects", compiled with data from the hives NTUSER.DAT and SOFTWARE, about browser usage.
  • The number of data types that are interpreted by the new edit window further increased. The new edit window now also displays the access rights/permissions of the registry keys if (Default) is selected. Several small improvements in the registry viewer/report.

Versienummer 16.1
Releasestatus Final
Besturingssystemen Windows 7, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008
Website X-Ways Software Technology
Bestandsgrootte 1,75MB
Licentietype Shareware

Door Bart van Klaveren

Downloads en Best Buy Guide


Meer historie


Er zijn nog geen reacties geplaatst

Op dit item kan niet meer gereageerd worden.

Call of Duty: Black Ops 4 HTC U12+ dual sim LG W7 Google Pixel 3 XL OnePlus 6 Battlefield V Samsung Galaxy S9 Dual Sim Google Pixel 3

Tweakers vormt samen met Tweakers Elect, Hardware.Info, Autotrack, Nationale Vacaturebank en Intermediair de Persgroep Online Services B.V.
Alle rechten voorbehouden © 1998 - 2018 Hosting door True