Cookies op Tweakers

Tweakers maakt gebruik van cookies, onder andere om de website te analyseren, het gebruiksgemak te vergroten en advertenties te tonen. Door gebruik te maken van deze website, of door op 'Ga verder' te klikken, geef je toestemming voor het gebruik van cookies. Wil je meer informatie over cookies en hoe ze worden gebruikt, bekijk dan ons cookiebeleid.

Meer informatie

Software-update: WinHex 17.2

WinHex logo (60 pix)X-Ways Software Technology heeft versie 17.2 van WinHex uitgebracht. WinHex is niet alleen een universele hex-editor, maar is ook in staat om low-level-dataprocessing toe te passen via een gemakkelijke interface. Het programma beschikt onder meer over een ram-editor, een data-interpreter en een disk-editor, en kan bijvoorbeeld worden gebruikt om verwijderde informatie terug te halen of om bestanden te inspecteren. WinHex werkt op alle Windows-versies vanaf Windows XP en is verkrijgbaar in verschillende versies, met prijzen vanaf ongeveer veertig euro tot over de duizend euro voor de meest uitgebreide versie. In deze release zijn de volgende veranderingen en verbeteringen doorgevoerd:

What's new?
  • Yet another acquisition option for users who need to or want to exclude certain data from forensic images. You can now create ordinary images, in raw format or as an .e01 evidence file - with all the known options such as hashing, compression, encryption, splitting - and exclude the data in clusters associated with files that you hide before starting the acquisition process. The resulting image is called a cleansed image. The affected sectors are zeroed out in the image and optionally marked with an easily recognizable "watermark" of your choice. All other data is copied to the image normally.
    Useful for anyone who needs to redact certain files in the file system, but otherwise wants to create an ordinary forensically sound sector-wise image, compatible with other tools. A must in countries whose legislation specially protects the most private personal data of individuals and certain data acquired from custodians of professional secrets (e.g. lawyers and physicians, whose profession swears them to secrecy/confidentiality). For a comparison of evidence file containers, skeleton images and cleansed images, which all serve similar purposes, please see here.
    Before you start the imaging process for a partitioned disk, open the partitions in which the files are located that you would like to exclude from the image. Wait till the volume snapshot has been taken if it was not taken before. Then hide the files. You do not need to open and take volume snapshots of partitions whose data you would like to include completely.
    Note that alternatively you can retroactively cleanse (redact) already created complete raw images, in WinHex, by securely wiping files selected files via the directory browser context menu. The granularity of this operation is not limited to entire clusters. For example, that means it can also wipe files in NTFS file systems with so-called resident/inline storage and it does not erase file slack along.
  • Totally revised indexing engine with many advantages: Created optionally at the same time when then volume snapshot is refined (synergy saves time), faster to create than before, no separate optimization step, just 1 index for multiple code pages/character sets, just 1 word list for multiple code pages/character sets (i.e. less duplicates), GREP searches in the index possible, multiple indexes with different names for different purposes may coexist for the same evidence object, indexing with regular expressions possible (details to be revealed later), more convenient search hit review (exactly like for ordinary search hits, search hits are stored permanently immediately, allowing for immediate logical AND and NEAR combinations), and more.
    At the moment the old and the new indexing engines coexist within the program. To use the old indexing engine use the menu commands Search | Indexing (to create an index) and Search | Search in Index (to search in the index). To use the new indexing engine use the menu commands Specialist | Refine Volume Snapshot (to create an index) and Search | Simultaneous Search (to search in the index, select "Search in Index" in the drop-down box).
  • Events recorded by Skype are now output to the event list (chats, calls, file transfers, account creation, ...). When sorting these events by their timestamps, you can read all chats messages in chronological order.
  • Metadata extraction from PE .exe files with version resources.
  • New directory browser column: Unique ID. Similar to the internal ID, but unique within the entire case, not just within the evidence object. A filter for this column will probably be added at a later time.
  • The options "Group files and directory", "List dir.s when exploring recursively" and "Apply filters to directories, too" are now remembered separately by the normal directory browser, search hit lists and event lists.
  • X-Tensions API: Ability to retrieve the result of the skin tone/gray scale analysis of pictures programmatically, via XWF_GetItemInformation.
  • Resolving hard links in HFS+ file systems has been accelerated. You can always abort that step if it takes too long.
  • Ability to choose completely numeric unique IDs for a case instead of unique IDs with a delimiter, when creating a case.
  • The crash-safe text decoding option for logical searches and indexing is now much faster, almost as fast as the regular decoding option.
  • Ability to retrieve the hardware serial numbers of USB media.
  • Fixed an error that occurred when writing to symlinks in Ext* and XFS file systems.
  • The Hash column now displays pseudo-hash values in light gray color until real hash values have been computed. Pseudo-hash values are based on the file metadata, not on the file contents. They are available instantly even for very large files. They allow you to list files in a random order just like when you sort by real hash values, but without having to invest time to compute real hash values first. Useful for example for triage, if you have limited time and just wish to quickly look at some randomly selected files in a large evidence object first (e.g. pictures in a gallery) to determine how relevant an evidence object might be.
    Looking at files in a random order might give you a more complete and accurate impression of what is stored in an evidence object, because the first x% of the files listed are more varied and more representative of the evidence object as a whole if they are in a truely random order. If you sort by name or path or size or timestamps on the other hand, many of the files you see will likely be somewhat similar (created by the same application or by the operating system, by the same user, for a similar purpose, created or copied or received around the same time, same file format, ...), so with some bad luck you will only see irrelevant files even if there is an equally large group of relevant files. Remember that if you don't sort in the directory browser at all, the view is skewed as well, because you will see the files in the order in which they are referenced by the volume snapshot, which is more or less the order in which they are referenced by the file system and thus not random.
    Sorting by hash values can be combined with any filter, for example to see only pictures larger than 1 MB in a random order or only files of a certain user. Pseudo-hashes are not guaranteed to be unique or even remain the same when you close and re-open the evidence object.
  • For a similar purpose, there is now a modulo option for the internal ID filter. For evidence objects that contain a huge number of files, it allows you to focus on a subset of files that is more or less representative of all files (though less random than files selected by hash value). Applying the modulo operation to the internal ID will pick files from any directory, with any name, creation date etc. To see only 1,000 out of 100,000 files, i.e. every 100th file, use the operation "internal ID modulo 100 = 0". Also useful for testing purposes: If you wish to compare the performance of different hard disks, RAID systems, processors, configurations for volume snapshot refinements, you don't have to process all files in an evidence object. You can get quicker, yet likely representative results for example in 1/10 of the time if you only process every 10th file, pseudo-randomly selected by internal ID.
    Even for normal work, examiners may not be required by their bosses/their prosecutor to conduct a 100% complete examination, for example because after review of a reasonably sized and representative subset you can extrapolate that about 10% of several 10,000 photos is illegal material.
  • Some optimizations for volume snapshot refinements.
  • Random access to large .e01 evidence file segments accelerated.
  • Ability to attempt a recovery of an unresponsive previous instance by starting another instance (executing the same .exe file again) if the option "Allow multiple program instances" is half checked. For example, should X-Ways Forensics get into an infinite loop when processing a certain file during volume snapshot refinement, this can potentially help the already running instance break out of that loop and proceed with the next file. The second instance also shows some technical information about what the already running instance is doing at the moment, and can do so even without recovering a supposedly hanging previous instance.
  • Meanwhile, a C# port of the X-Tension API is available from (also to make it easier to develop X-Tensions in .Net, thanks to Chad Gough.
  • Revised e-mail extraction from MS Exchange databases and Outlook PST e-mail archives.
  • Hiding files is now called excluding files.
  • Program help updated.
  • Metadata from the XML files in zip-styled Office documents can now be extracted even if the XML files are not included in the volume snapshot.
  • Better readable font in dialog boxes for the Chinese, Japanese and Russian user interface.
  • Option to use the standard Windows GUI font for the WinHex/X-Ways Forensics GUI (see additional font checkbox in General Options).
  • Better support for NNTP-encoded e-mails.
  • Traditional Chinese predefined for indexing.
  • Option to define the size of the extra gap between rows in the hex editor display in pixels, which together with the official height of the selected font defined the distance between the rows. The default value has always been 3, but now it can be decreased, to display more rows at the same time and see more data. For example with the Courier font the display still looks fine with an extra gap of 1, but you see 15% more data (based on font size 10). Even negative values are possible. With -1 you may see 35% more data than before. See Options | General.
  • Better support for large system fonts for high screen resoutions.
  • Ability to copy up to 64 KB of data in a selected block into the clipboard in X-Ways Investigator (subject to change).
  • More stable when decompressing corrupt zip archives.
  • Separate file type category "Chats, Messaging" defined. If anyone has more ideas which file types to add to that category, please send e-mail. Thanks.

Versienummer 17.2
Releasestatus Final
Besturingssystemen Windows 7, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8
Website X-Ways Software Technology
Bestandsgrootte 1,99MB
Licentietype Shareware

Door Bart van Klaveren

Downloads en Best Buy Guide


Meer historie


Er zijn nog geen reacties geplaatst

Op dit item kan niet meer gereageerd worden.

Apple iPhone 11 Nintendo Switch Lite LG OLED C9 Google Pixel 4 FIFA 20 Samsung Galaxy S10 Sony PlayStation 5 Elektrische voertuigen

'14 '15 '16 '17 2018

Tweakers vormt samen met Hardware Info, AutoTrack,, Nationale Vacaturebank, Intermediair en Independer DPG Online Services B.V.
Alle rechten voorbehouden © 1998 - 2019 Hosting door True