X-Ways Software Technology has released version 16.7 of WinHex. WinHex is not only a universal hex editor but can also apply low-level data processing through an easy-to-use interface. Among other things, the program offers a RAM editor, a data interpreter and a disk editor, and can be used for example to recover deleted information or to inspect files. WinHex runs on all Windows versions from Windows 2000 onward and is available in several editions, with prices starting at around forty euros. This release contains the following changes and improvements:
What's new?
File System Support
- Ability to execute dongle-based product variants (X-Ways Forensics, X-Ways Imager and the special version of WinHex that users of X-Ways Forensics get) under Windows 8. Dongle-free product variants were executable under Windows 8 already before.
- Ability to extract browser history and browser cache management information from Internet Explorer 10 databases (from Windows 8) as part of metadata extraction in conjunction with file type verification. Requires Windows Vista or later.
- Relative paths supported for MPlayer/Forensic Framer and the external video player program.
- Ability to use the Back and Forward extra mouse buttons if available to navigate backward and forward. (not tested yet)
- Supports an additional variant of geodata in JPEG exif data.
- Improved representation of extensible metadata (Adobe-XMP) in JPEG and PDF files.
- Gigatribe (P2P) signature definitions added.
- Fixed inability of v16.6 to display search hits in the Outlook code page correctly.
- Fixed an input focus problem of v16.5 and v16.6 in the directory browser that could occur after changing filter settings.
- Fixed an error that could occur when adding more items after loading an already very large volume snapshot (> 6 million).
- Program help now in .chm HTML help format.
- Support for Ext2, Ext3, ReiserFS and Reiser4 volumes larger than 2 TB.
- Option to get all search hits in a file highlighted in File mode at the same time, either only when a search hit list is displayed (if half checked) or permanently once search hits have been loaded for an evidence object (if fully checked), i.e. even when working with the normal directory browser. Search hits are loaded after an evidence object has been opened as soon as search hits are listed. This new feature also applies to user search hits.
- Ability to delete highlighted search hits when right-clicking them in File mode.
- Much more efficient storage of files that are manually carved within other files (i.e. in File mode, using the Add Block as Virtual File command). Older versions of X-Ways Forensics see these excerpt files as complete copies of the original host files.
- Already carved areas in host files are now highlighted in File mode. Useful to remind the user whether he or she already has created excerpts from a file and where (e.g. from a large free space virtual file) when continuing to look at that host file.
- New X-Tensions API function XWF_CreateFile (named XWF_CreateFileEx in Beta 2) that allows an external file to be attached to the volume snapshot and files to be carved efficiently within other files (i.e. to create files that are marked as "excerpts" in the volume snapshot).
- Ability to omit files that are filtered out from volume snapshot refinement operations. That is a powerful new scope-defining option that can target in advance files that are not yet part of the volume snapshot when the refinement starts. For example, when additional files are added to the snapshot by the file header signature search, depending on the file type these files can be further processed (e.g. hashed) or not, if the Type filter is active during the later stages of the volume snapshot refinement.
- The hash filter dialog and the "Filter by..." context menu command now both understand Base32 SHA-1 hash values, too.
- Print command in the directory browser context menu: Ability to print just the cover page by choosing to print only the pages 0 through 0 of the document or picture itself.
- Ability to run a new simultaneous search while reviewing existing search hits. Additional search hits will be listed when you refresh the search hit list, by clicking the Enter button in the search term list as usual.
- When clicking the search hit list button to review preliminary search hits during an ongoing search, that search will not be paused, but continue.
- Ability to create user search hits when in search hit list mode.
- New filter in the search hit description column that allows you to focus on notable hits, user search hits, hits in a certain code page, hits in the text extraction of documents, and hits in slack space or uninitialized tail areas of files. This is a very powerful filter and the first search hit specific filter in the search hit list!
- User search hits are now marked with an asterisk (*) in the search hit description column.
- Provides human-readable previews of binary PLists from Mac computers.
- The refine volume snapshot operations last applied by the user to a fresh volume snapshot are now preselected when refining another fresh (i.e. totally unrefined) volume snapshot next time, for reasons of convenience.
- Binary PLists (.bplist) have been added to the list of file masks in which to search embedded JPEG and PNG pictures (Specialist | Refine Volume Snapshot). It is recommended to verify file types at the same time so X-Ways Forensics can distinguish between traditional (XML-formatted) PLists and binary PLists (BPLists). Many PLists do not have a .plist extension and need to be identified as PLists first.
- Data blocks embedded as Base64 in XML-formatted PLists (.plist) can also be extracted as separate child objects by the same operation. Since the type of the embedded data is not identified by the PList as such, the output also benefits from a simultaneous file type verification. Nested PLists (PLists embedded in PLists) will also be identified and processed recursively.
- File header signature search: The flag for greedy sector allocation is now "G" instead of "g". "g" (lower case) is now a weaker version of the same flag. Only if an internal file size detection algorithm exists for a file type and if a file with the same start sector number exists already with the same file size as detected, the "g" flag will cause X-Ways Forensics to skip the affected sectors. This can help to prevent overlapping zip files and thereby avoid potentially many contained duplicate files.
- The Export List command did not work correctly in v16.7 Beta 4 if the output format was TSV. That was also fixed.
- Ability to quickly merge hash sets in the internal hash database. Note that duplicate hash values in the resulting hash set are not removed immediately, but next time when you import a hash set, and that you are not warned if you are merging hash sets of different categories.
- More efficient internal storage of some identified embedded pictures.
- Extraction of metadata from original .eml files is now a separate option of the metadata extraction operation.
- Ability to associate a manually carved file ("Add Block as Virtual File" command) to report tables immediately upon its creation.
- Ability to activate or deactivate column-based filters individually, with a single mouse click on the column header's filter symbol when holding the Shift key. The options of the respective filter remain unchanged.
- New case report option that makes the Internet browser start a new page after x rows with files when printing the HTML report.
- More reliable at finding lost Ext* partitions and at identifying Ext* file systems, in cases where an Ext* partition was previously formatted with a Microsoft file system.
- In the context menu of data windows, in the English and German user interface, bookmarks have been renamed to positions. This is more consistent with the term "Position Manager" and reinforces the notion that entries in the Position Manager are no longer the preferred way to bookmark locations in the forensic user interface when working with cases; there you ideally create so-called user search hits for these purposes, which are much more powerful (they can be listed, selected, viewed and exported with their context just like ordinary search hits).
- The file messages.txt is now named msglog.txt and encoded in UTF-8 instead of UTF-16.
- Data blocks embedded in binary PLists (.bplist) are now also extracted as separate child objects by the same operation as in XML PLists.
File Format Support
- Faster and more diligent reconstruction of files in volume shadow copies (up to 1 GB).
- Support for Ext4 volumes larger than 2 TB.
- When switching from Volume/Partition to File mode and File mode represents the file that is known to occupy the cluster last seen in Volume/Partition mode, the relative offset in the file that corresponds to the last cursor position in Volume/Partition mode is calculated, and the cursor is automatically moved there. Useful for example if you wish to see how the data continues in the file if the file is fragmented, or (in WinHex) to edit the data in the next fragment. Does not work if the file is compressed.
Remember you can press the Sync button to automatically highlight the file that is known to occupy the cluster on the screen in Volume/Partition mode. Which file is known to occupy the currently displayed cluster can be seen in the Info Pane.
- WinHex only: Ability to securely wipe files in NTFS file systems that are compressed or use sparse storage, using the directory browser context menu command.
- Support for Mode 2 Form 1 ISO images with 2,352 bytes per sector. Previously only Mode 1 was supported.
Hashing
- File size detection for ELF executable and shared object files as part of file header signature search.
Usability
- Filter for the hash column. Allows you to filter for files that have a hash value, do not have a hash value, whose hash values start with certain hex values (if you specify only the beginning of a hash value) or have a certain value (if you specify a complete hash value). This filter can compare the hash values of files to up to 4 hash values that the user supplies as hex ASCII. Quicker alternative to creating a small hash set in the hash database if you just wish to quickly find a few files, e.g. duplicates of files with a known hash value that you can just copy from the hash column in the directory browser. Available with a specialist and forensic license.
- The easiest way to use this filter when looking for duplicates, which does not require copy & paste of hash values, is to right-click a hash value of a given file in the directory browser in hex ASCII notation (not Base32) and invoke the new "Filter by" command in the context menu.
- Ability to import SHA-1 hash sets in Base32 notation for hash set matching in P2P investigations. Such a hash set text file must have "SHA-1" in the first line, followed by the hash values in Base32 notation, one per line.
- Option to display SHA-1 hash values in Base32 notation in the directory browser.
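The Base32 SHA-1 hash set layout and the hash column filter described in the items above, as an added example that is not X-Ways code: it parses a hash set file ("SHA-1" header, one Base32 digest per line), converts Base32 digests to hex, and applies a filter of up to 4 patterns that may be full digests (hex or Base32) or hex prefixes. The sample file listing and hash set are constructed here; the function names are the example's own.

```python
import base64
import hashlib

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
HEX_ALPHABET = set("0123456789abcdef")


def base32_to_hex(b32):
    """Convert a 32-char Base32 SHA-1 (as used in P2P/Gnutella URNs) to 40 hex chars."""
    raw = base64.b32decode(b32.strip().upper())
    if len(raw) != 20:
        raise ValueError("not a SHA-1 digest: %d bytes" % len(raw))
    return raw.hex()


def parse_hash_set(text):
    """Read a hash set in the documented layout and return the digests as lower-case hex."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "SHA-1":
        raise ValueError('hash set must start with a "SHA-1" line')
    return {base32_to_hex(ln) for ln in lines[1:]}


def normalize_pattern(value):
    """Accept a hex value or prefix, or a full Base32 digest, and return hex.
    A 32-char value made only of hex characters is treated as a hex prefix,
    since it cannot be told apart from Base32 (assumption of this example)."""
    v = value.strip()
    if len(v) == 32 and set(v.upper()) <= B32_ALPHABET and not set(v.lower()) <= HEX_ALPHABET:
        return base32_to_hex(v)
    return v.lower()


def hash_filter(files, patterns):
    """Mimic the hash column filter: match files whose hex digest starts with any pattern."""
    if len(patterns) > 4:
        raise ValueError("filter accepts at most 4 hash values")
    pats = [normalize_pattern(p) for p in patterns]
    return sorted(name for name, h in files.items() if any(h.startswith(p) for p in pats))


def match_hash_set(files, hash_set_text):
    """Hash set matching: files whose digest appears in the imported set."""
    known = parse_hash_set(hash_set_text)
    return sorted(name for name, h in files.items() if h in known)


# Constructed sample data (not from the page). EMPTY_FILE_B32 is the Base32 form of the
# SHA-1 of an empty file; the second hash set entry is computed for a constructed payload.
EMPTY_FILE_B32 = "3I42H3S6NNFQ2MSVX7XZKYAYSCX5QBYJ"
PAYLOAD = b"constructed sample payload"
SAMPLE_HASH_SET = "SHA-1\n%s\n%s\n" % (
    EMPTY_FILE_B32, base64.b32encode(hashlib.sha1(PAYLOAD).digest()).decode("ascii"))
SAMPLE_FILES = {
    "empty.dat": hashlib.sha1(b"").hexdigest(),
    "sample.bin": hashlib.sha1(PAYLOAD).hexdigest(),
    "other.txt": hashlib.sha1(b"something else entirely").hexdigest(),
}
```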
- Option to save the program settings in the .cfg file either when the program terminates (cleanly), i.e. like before, or every time you click OK in any dialog window (could be useful if the program does not terminate cleanly, so that you do not lose your later settings). Can be found in Options | General. If totally unchecked, the program settings will not be saved at all, except if you hold the Shift key when exiting the program, which is necessary once if you would like to save in the .cfg file the setting that from then on the settings should not be saved again.
- Whenever the program detects that you are using the .cfg file of a later version in an earlier version, which is not permitted, v16.7 will change the aforementioned option such that the program settings will not be saved, so as not to corrupt the .cfg file.
- New investigator.ini option that prevents users from changing the option to save the program settings. This is desired by some agencies for their users of X-Ways Investigator, so that they always start the program with the same canonical settings as predefined by their more experienced colleagues.
- The optional preface for a case report now supports HTML code.
WinHex screenshot.