X-Ways Software Technology has released version 16.9 of WinHex. WinHex is not only a universal hex editor, but can also apply low-level data processing through an easy-to-use interface. Among other things, the program offers a RAM editor, a data interpreter and a disk editor, and can be used, for example, to recover deleted information or to inspect files. WinHex runs on all Windows versions from Windows 2000 onward and is available in several editions, with prices starting at around forty euros. This release contains the following changes and improvements:
- Ability to use GREP syntax specifically for some search terms only, while others are keywords in a natural language. For this setting make sure that the GREP syntax box is half checked, and prepend GREP expressions with "grep:".
- Similarly, when not using GREP syntax, you can now search for only some search terms as whole words, also by checking the corresponding box half only, and by indenting search terms that you want to find as whole words only, i.e. prepend them with a tab character.
- Easy-to-use settings for the alphabet that defines word boundaries when searching for whole words only in Latin-based languages. The setting that gives the most thorough search results remains the default. Users who are overwhelmed by garbage hits for short keywords in non-text data such as Base64 or binary garbage may want to try the other two options. These other two options could lead to valid search hits being missed in some situations (depending on the file format), but can still be justifiable as a great time saver for searches in text documents.
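The three search-list rules above (a half-checked GREP box turns only terms prefixed with "grep:" into expressions, a half-checked whole-words box applies only to tab-indented terms, and a configurable alphabet defines what counts as a word boundary) can be modelled as a small term compiler. The following is an added example written for this note, not code from X-Ways; the checkbox states, the default word alphabet and the sample text are assumptions chosen to illustrate the behaviour.

```python
import re

# Assumed tri-state checkbox values (constructed for this example).
UNCHECKED, HALF, CHECKED = 0, 1, 2

# Assumed "thorough" Latin word alphabet as a regex character-class body;
# the page does not specify the three built-in alphabets.
LATIN_WORD_ALPHABET = "A-Za-z0-9_"


def compile_search_terms(lines, grep_box, whole_words_box,
                         word_alphabet=LATIN_WORD_ALPHABET):
    """Turn a search term list (one term per line) into (label, regex) pairs.

    grep_box        CHECKED: every term is a GREP expression
                    HALF:    only terms starting with "grep:" are expressions
                    UNCHECKED: every term is literal text
    whole_words_box CHECKED: every literal term must match as a whole word
                    HALF:    only tab-indented literal terms are whole words
                    UNCHECKED: plain substring matching
    """
    compiled = []
    for raw in lines:
        if not raw.strip():
            continue  # skip empty lines in the term list
        term = raw.lstrip("\t")
        indented = raw.startswith("\t")

        is_grep = grep_box == CHECKED or (grep_box == HALF and term.startswith("grep:"))
        if is_grep and term.startswith("grep:"):
            term = term[len("grep:"):]

        body = term if is_grep else re.escape(term)

        # Whole-word matching is described for non-GREP terms only.
        whole_word = (not is_grep) and (
            whole_words_box == CHECKED or (whole_words_box == HALF and indented))
        if whole_word:
            # A word boundary is "no alphabet character on either side".
            body = f"(?<![{word_alphabet}])(?:{body})(?![{word_alphabet}])"

        compiled.append((raw.strip(), re.compile(body)))
    return compiled


def search(text, compiled):
    """Return (offset, label) hits for every compiled term, sorted by offset."""
    hits = []
    for label, rx in compiled:
        for m in rx.finditer(text):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample data and term list.
SAMPLE_TEXT = "Re: invoice\nreinvoice attached. Card 4111-1111-1111-1111 from john.doe@example.com"
SAMPLE_TERMS = [
    "grep:[0-9]{4}(-[0-9]{4}){3}",  # GREP expression (grep: prefix, box half-checked)
    "\tinvoice",                     # tab-indented: whole word only
    "john",                          # plain literal, substring match
]


def demo(whole_words_box=HALF):
    terms = compile_search_terms(SAMPLE_TERMS, grep_box=HALF, whole_words_box=whole_words_box)
    return search(SAMPLE_TEXT, terms)


if __name__ == "__main__":
    for offset, label in demo():
        print(f"{offset:4d}  {label}")
```

With the whole-words box half-checked, "invoice" hits only the standalone word at offset 4 and not the one inside "reinvoice"; set `whole_words_box=UNCHECKED` and the second, substring hit at offset 14 appears as well, which is the "garbage hit" trade-off the alphabet options are about.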
- Option to work with an adjusted virtual free space file that is net of clusters that were identified as belonging to previously existing files, to minimize the amount of space in file systems that is read twice for logical searches and indexing. After changing the option (in Options | Volume Snapshot) the virtual file is updated when it is opened next time, for example selected in File mode or when it is that file's turn during a logical search. Relative offsets of search hits in this virtual file become wrong when the file changes, so they cannot be used to navigate to the search hits in File mode.
- Sorting by path accelerated.
- It is also now possible to "unsort" the directory browser by clicking the header of the column that represents the primary sort criterion while holding the Shift key.
- Ability to image a physical device (e.g. local hard disk or remote hard disk or RAM opened through F-Response) automatically via the command line. The first parameter should start with a colon and then specify the number of the device in Windows (e.g. ":1" for hard disk No. 1). This will cause that device to be opened automatically upon start-up. The second parameter should start with a pipe, followed by either e01 or raw to indicate the preferred image file format, followed by another pipe and the path and filename of the image (e.g. "|e01|G:\Output filename.e01"). The third parameter can be "auto" to automatically exit X-Ways Forensics after imaging. (That command has always been available in WinHex and X-Ways Forensics, just like you were always able to open files through the command line or execute .whs WinHex scripts.)
- When attaching an external directory to the volume snapshot, usually X-Ways Forensics creates virtual files in a new virtual directory. Now there is an option to accommodate the files in existing directories in the volume snapshot of the same name at the same position in the directory tree. Useful if you copy an entire directory structure off the image to convert/decrypt/translate/... files outside of X-Ways Forensics, and then want to bring the results back into the volume snapshot and see the files next to their original counterparts in the same original subdirectories. This can help for example if you wish to OCR and convert PDF documents that X-Ways Forensics has deemed non-searchable using Adobe Acrobat.
- When attaching an external directory to the volume snapshot, you are now prompted whether the selected directory itself should also be attached (that was the standard behavior in earlier versions) or just its contents.
- Preview of .pf prefetch files improved.
- Revised processing of PLists.
- Ability to display certain non-standard GIF pictures in the gallery and in Preview mode using the internal graphics viewing library. These pictures caused exception errors in v16.7 and earlier, and v16.8 did not attempt to display them at all.
- In Gallery mode scrolling using the mouse wheel now always scrolls by exactly one page of thumbnails for reasons of convenience. Everywhere else the mouse wheel scrolls by as many lines as specified in the Windows Control Panel since v16.7. In v16.6 and earlier that was an option in the General Options.
- Menu option to display text in the text column in big-endian UCS-2/UTF-16 Unicode. Useful especially to correctly see East Asian characters for example in HFS* file systems and in binary PLists.
- The Print command in the directory browser context menu now has a convenient option to print any child objects after the selected file(s), e.g. e-mail attachments together with their respective e-mail message.
- X-Tensions API: New flags XWF_SEARCH_WHOLEWORDS2 and XWF_SEARCH_GREP2 to reflect the new search options. New XT_PrepareSearch function supported that allows X-Tensions that monitor search hits to also monitor some search settings and adjust search terms.
- Ability to generate a list of events from timestamps that can be found at the file system level as well as internally in files and in main memory, when extracting metadata. Conceivable sources include browser histories, Windows event logs, Windows registry hives, e-mails, etc. An event list works exactly like a search hit list and can be displayed by clicking a new button which is located next to the search hit list button, with a clock icon on it. Just like a search hit list, an event list comes with additional columns: the event timestamp, event type, event category, and optionally a file offset.
When an event list is sorted chronologically, by timestamps, it works like a timeline, which may allow you to figure out a sequence of events of different kinds stored in different places (e.g. e-mail received, attachment saved, application started, document printed, file deleted) that otherwise could not be seen together in context. You may see events from different evidence objects at the same time as usual from the case root window, explore recursively or by path, sort by event type or event category, see all the usual file properties, view files, navigate to the definition of an event within a file (if a relative offset is available) and filter for certain date ranges.
Event-based analysis instead of file-based analysis is a progressive new approach with a totally different perspective that may lead to knowledge about activities recorded on computers that otherwise could not be gained. You may see connections (related activity) that otherwise could be overlooked, and may be able to better explain the logic behind what has happened. The sources of events that are exploited by the metadata extraction in this preview release are still limited (file system, index.dat, e-mails, processes in memory dumps). More will be covered in future releases.
- It is now easier to enter dates in the timestamp filter dialogs. You can click buttons to get a calendar control in which to pick a date using mouse clicks.
- File type verification and file header signature search revised.
- New flag U for file header signatures that will cause files (or records) of this type to be carved only in net free space. Useful especially for internal records of Zip files, RAR archives, Internet Explorer index.dat files, and Firefox URL records, to avoid numerous duplications.
- The metadata extraction for index.dat files (HTML preview generation and event extraction) is now also applied to carved fragments of index.dat files (Internet Explorer URL records).
- Maximum number of contained search terms listed in the Search Term column of the directory browser is now 25 instead of 10.
- New verbosity option: If totally unchecked in Options | Security, only exception errors with a potentially serious impact (like considerably incomplete analysis results) will be brought to your attention in the Messages window. If fully checked, all of them will be output, like before, even those that typically occur with corrupt files only and have no negative impact on other analysis results. The new default option is a reasonable compromise.
- Carved files are now defined to have slack space if they happen to start at a cluster boundary.
- Superimposition of sectors on top of disks or interpreted images that are opened as read-only. Useful when you need to make minor temporary adjustments to data in sectors within the program to get it interpreted correctly internally, but do not want to or are not allowed to alter the sectors on the disk or in the image itself (or cannot because it is not a raw image, but an .e01 evidence file), and also do not want to make another complete working copy of an image that is e.g. 2 TB in size if just 1 byte needs to be changed. Such adjustments can be necessary for example in cases of partitioning or file system metadata corruption, where just a missing magic number keeps WinHex from detecting the file system or just one flipped bit keeps WinHex from finding $MFT in NTFS or just one wrong nibble in the partition table keeps WinHex from recognizing a partition as an LVM2 container partition etc. etc. In these situations you can manually provide and superimpose the corrected data and then hopefully work with the disk or image with no further problems, getting all partitions and files listed immediately as if nothing was wrong. This functionality is intended for advanced users that do not give up easily when at first they see "nothing" and have some understanding of low level data structures and know how to fix them.
You can enable and disable superimposition for the disk or partition in the active data window using the Edit | Superimpose Sectors menu command. This command allows you to select any file with the raw contents of disk sectors. For example, you can create such a file by selecting one or more sectors as a block, copying the block into a new file, making the necessary adjustments (possible even in X-Ways Forensics because ordinary files, unlike disks or interpreted images, can be edited) and saving that file. When applied, the contents of this file are superimposed onto the sectors starting with the sector in which the cursor is located, or if the file is named "*.n.superimposition", where n is a number, it will be applied to the sectors starting with sector n, and all other files in the same directory matching the same mask with the same base name will also be applied to the sector numbers indicated within their filenames. You will immediately see the superimposed data when navigating to the affected sectors, and can continue making adjustments to the superimposed raw data file if you keep it open in a separate window. As soon as you have saved changes in that window, they will take effect in the data window that represents the disk or partition whose data you are trying to fix when you refresh the view, take a new volume snapshot, define the start of a partition, try again to open a file with a corrupt FILE record etc. etc.
Please note that only complete sectors, not partial sectors, can be superimposed. Superimposition can be active only for one disk or disk partition or image at a time. If desired, you can make a copy (image or cloned disk) of the virtually repaired disk or image with the usual commands while the superimposition is in effect, so that the copy will have the superimposed sectors directly embedded.
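The sector superimposition described above is, in effect, a read-only overlay: the original image is never written, whole sectors from a side file replace what is read at a given sector number, and a copy made while the overlay is active embeds the repaired sectors. The following added example models that behaviour, including the "base.n.superimposition" naming convention and the whole-sectors-only restriction; it is illustration code written for this note, not X-Ways code, and the overlay class, the 4-sector sample image and the missing 0x55AA boot-sector signature it repairs are all constructed here.

```python
import os
import re
import tempfile

SECTOR_SIZE = 512
# Files named "<base>.<n>.superimposition" apply at sector n (per the release notes).
NAME_RE = re.compile(r"^(?P<base>.+)\.(?P<n>\d+)\.superimposition$")


class SuperimposedDevice:
    """Read-only byte source with whole-sector overlays (assumed model)."""

    def __init__(self, image: bytes, sector_size: int = SECTOR_SIZE):
        if not image or len(image) % sector_size:
            raise ValueError("image must consist of complete sectors")
        self._image = image            # never modified
        self.sector_size = sector_size
        self._overlay = {}             # sector number -> replacement bytes

    @property
    def sector_count(self) -> int:
        return len(self._image) // self.sector_size

    def superimpose(self, path: str, cursor_sector: int = 0):
        """Apply a raw sector file. Returns the list of start sectors applied.

        If the file name does not follow the base.n.superimposition mask, the
        data lands at the cursor sector; otherwise every file in the same
        directory with the same base name is applied at the sector in its name.
        """
        m = NAME_RE.match(os.path.basename(path))
        if m is None:
            self._apply(path, cursor_sector)
            return [cursor_sector]
        directory = os.path.dirname(path) or "."
        applied = []
        for name in sorted(os.listdir(directory)):
            mm = NAME_RE.match(name)
            if mm and mm.group("base") == m.group("base"):
                start = int(mm.group("n"))
                self._apply(os.path.join(directory, name), start)
                applied.append(start)
        return applied

    def _apply(self, path: str, start: int):
        with open(path, "rb") as fh:
            data = fh.read()
        # Only complete sectors, not partial sectors, can be superimposed.
        if not data or len(data) % self.sector_size:
            raise ValueError(f"{path}: size is not a multiple of the sector size")
        ss = self.sector_size
        for k in range(len(data) // ss):
            if start + k >= self.sector_count:
                raise ValueError("overlay extends past the end of the device")
            self._overlay[start + k] = data[k * ss:(k + 1) * ss]

    def clear(self):
        """Disable superimposition for this device."""
        self._overlay.clear()

    def read_sector(self, n: int) -> bytes:
        if n in self._overlay:
            return self._overlay[n]
        return self._image[n * self.sector_size:(n + 1) * self.sector_size]

    def export(self) -> bytes:
        """Image the virtually repaired device: the copy embeds the overlays."""
        return b"".join(self.read_sector(i) for i in range(self.sector_count))


def build_sample_image() -> bytes:
    """Constructed 4-sector image whose boot sector lost its 0x55AA signature."""
    sector0 = bytearray(b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * (SECTOR_SIZE - 11))
    sector0[510:512] = b"\x00\x00"     # the corrupted magic number
    return bytes(sector0) + b"\x11" * SECTOR_SIZE + b"\x22" * SECTOR_SIZE + b"\x33" * SECTOR_SIZE


def demo():
    """Repair sector 0 and replace sector 2 through two masked overlay files."""
    image = build_sample_image()
    dev = SuperimposedDevice(image)
    with tempfile.TemporaryDirectory() as d:
        fixed = bytearray(dev.read_sector(0))
        fixed[510:512] = b"\x55\xAA"   # supply the missing signature
        with open(os.path.join(d, "repair.0.superimposition"), "wb") as fh:
            fh.write(fixed)
        with open(os.path.join(d, "repair.2.superimposition"), "wb") as fh:
            fh.write(b"\xAA" * SECTOR_SIZE)
        applied = dev.superimpose(os.path.join(d, "repair.0.superimposition"))
    return {
        "applied": applied,
        "sector0_sig": dev.read_sector(0)[510:512],
        "sector1": dev.read_sector(1)[:1],
        "sector2": dev.read_sector(2)[:1],
        "original_sig": image[510:512],
        "export": dev.export(),
    }


if __name__ == "__main__":
    r = demo()
    print("applied at sectors", r["applied"], "signature now", r["sector0_sig"].hex())
```

Sector 1 and sector 3 are still served from the untouched image, the original bytes keep their corrupted signature, and `export()` produces the copy with the repaired sectors embedded, which corresponds to imaging or cloning while the superimposition is in effect.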
- Reports the total number of CRC errors in the evidence object properties for each hash computation if chunk CRCs are being verified when reading from .e01 evidence files (see Options | Security).
- File type verification signatures and algorithms updated.
- New hash type available: Adler32.
- The values of the bits in the volume attributes of HFS+ file systems are now output in the Technical Details Report.
- Extraction of all tables (with all columns except binary data) from all other SQLite databases besides the already supported various Internet browser databases as part of metadata extraction. The first extracted table will also serve as a preview of the SQLite database file itself.
- Ability to copy up to ~4 GB of data into the internal clipboard in the 64-bit edition (~2 GB before and still in the 32-bit edition).
- Buttons to expand or collapse all categories in the file type filter dialog. Expanding all categories can be useful if you would like to quickly find a certain file type by typing its letters while the tree view window has the input focus.
- Option to only make a copy of tagged files for inclusion in a case report instead of all or none. Useful if you wish to reference all notable files with their metadata in your report, but show only a subset of those.
- Whether new report table associations for selected files are created for the selected files only or also for their child objects or duplicates etc. is now a setting that is individual to each report table.
- New icon for renamed/moved directories in FAT and exFAT volumes.
- Support for PC-compatible BSD disklabel partitioning.
- The View | Refresh View menu command now also refills the directory browser if the directory browser has the input focus. Useful for example when a filter for tagged items is active and you remove the tag marks of some of the listed files, if you wish to update the listing in the directory browser and get rid of those files that are no longer tagged.
- Ability to check for updates online occasionally (Options | Security). This can report the availability of later versions or new service releases of the currently used version and allow you to start the download. It does not send any data from within the program to the Internet, for example no system or user information or dongle ID, neither directly nor encrypted nor anonymized, of course no case data, not even the currently used version number, nothing. This option is active by default only if the program determines that it is running on the examiner's own system (if it is executed from the C: drive or if it was installed using the setup program). The check does not occur when running the program for the first time, so that you definitely have a chance to turn off this option before anything happens. Given the fact that most systems on which X-Ways Investigator and X-Ways Forensics are run do not have an Internet connection, this feature has a limited effect only.
- The file carving flags b (for byte granularity) and g (for greedy allocation) can now be combined. Useful when carving records from files like $UsnJrnl:$J. For $UsnJrnl:$J in particular an internal algorithm is available that can combine multiple contiguous records in a single carved file. The g flag makes sure that those records that have been included already will not be found and carved again separately. Such a carved file that is composed of multiple records can be nicely viewed in Preview mode, and viewing that file is much more efficient than viewing individually carved records.
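The interaction of byte granularity (b) and greedy allocation (g) is easiest to see on a record stream: at byte granularity the carver tests every offset instead of only sector boundaries, and the greedy flag makes the carver skip past records it has already folded into a combined file instead of carving them a second time. The example below is written for this note and is not X-Ways code; the four-byte "USN!" record format is a constructed stand-in for real $UsnJrnl:$J records, and the "contiguous record combiner" is a simplified model of the internal algorithm the notes mention.

```python
MAGIC = b"USN!"           # constructed record signature, not the real USN format


def parse_record(buf: bytes, off: int):
    """Return the total length of the constructed record at off, else None.

    Record layout (constructed): 4-byte magic, 1-byte payload length, payload.
    """
    if buf[off:off + 4] != MAGIC or off + 5 > len(buf):
        return None
    n = buf[off + 4]
    if n == 0 or off + 5 + n > len(buf):
        return None
    return 5 + n


def carve(buf: bytes, byte_granularity: bool = True, greedy: bool = True,
          sector_size: int = 512):
    """Carve records, combining contiguous ones into a single carved file.

    Returns a list of (start, length, records_combined) tuples.
    byte_granularity  flag b: test every byte offset, not just sector starts
    greedy            flag g: resume after the combined file so that records
                      already included are not carved again separately
    """
    step = 1 if byte_granularity else sector_size
    carved = []
    off = 0
    while off < len(buf):
        if parse_record(buf, off) is None:
            off += step
            continue
        # Found a record: fold in every record that directly follows it.
        start, end, count = off, off, 0
        while (length := parse_record(buf, end)) is not None:
            end += length
            count += 1
        carved.append((start, end - start, count))
        off = end if greedy else start + step
    return carved


def rec(payload: bytes) -> bytes:
    return MAGIC + bytes([len(payload)]) + payload


# Constructed sample: one record at offset 0, two contiguous records at 10,
# three bytes of junk, one more record at 26, then zero padding.
SAMPLE = (rec(b"hdr") + b"\x00" * 2 + rec(b"a") + rec(b"bb")
          + b"\xff" * 3 + rec(b"ccc") + b"\x00" * 6)


if __name__ == "__main__":
    print("b+g :", carve(SAMPLE))
    print("b   :", carve(SAMPLE, greedy=False))
    print("g   :", carve(SAMPLE, byte_granularity=False))
```

With both flags the two adjacent records at offsets 10 and 16 come out as one 13-byte carved file and nothing is carved twice; without g the carver restarts one byte after each hit and re-carves the second record on its own; without b only the record that happens to sit on a sector boundary (offset 0) is found.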
- Ability to print multiple selected files optionally in separate print jobs like in v16.3 and earlier.
- Simultaneous creation of 2 copies of .e01 evidence files was unsuccessful if they were given different names. That was fixed.
- Several user interface elements improved.
- Some more statistics in the evidence object properties.