Cookies op Tweakers

Tweakers maakt gebruik van cookies, onder andere om de website te analyseren, het gebruiksgemak te vergroten en advertenties te tonen. Door gebruik te maken van deze website, of door op 'Ga verder' te klikken, geef je toestemming voor het gebruik van cookies. Wil je meer informatie over cookies en hoe ze worden gebruikt, bekijk dan ons cookiebeleid.

Meer informatie

Door , , 0 reacties
Bron: X-Ways Software Technology

WinHex logo (60 pix)X-Ways Software Technology heeft versie 17.5 van WinHex uitgebracht. WinHex is niet alleen een universele hex-editor, maar is ook in staat om low-level-dataprocessing toe te passen via een gemakkelijke interface. Het programma beschikt onder meer over een ram-editor, een data-interpreter en een disk-editor, en kan bijvoorbeeld worden gebruikt om verwijderde informatie terug te halen of om bestanden te inspecteren. WinHex werkt op alle Windows-versies vanaf Windows XP en is verkrijgbaar in verschillende versies, met prijzen vanaf ongeveer veertig euro tot over de duizend euro voor de meest uitgebreide versie. In deze release zijn de volgende veranderingen en verbeteringen doorgevoerd:

What's new?
  • Extended multi-user support for large cases. Useful when multiple examiners process the same case at different times or different evidence objects of the same case at the same time, and wish to tell apart their own results from their colleagues' results. Report table associations, comments and search terms/hits of different examiners can optionally be distinguished, by showing the creating examiner's initials (default) or other abbreviations of their names or (if no abbreviation is specified) their complete usernames. The same file can be associated with the same report table only by 1 examiner.
    Examiners can choose whether or not they get to see report table associations of other users. All related options can be found by clicking the "..." button for the extended multi-user support. Extended multi-user support can only be enabled for new cases, in the case properties dialog window. Older versions cannot open cases with support enabled. Examiners are recognized internally by their Windows user accounts. A maximum of 255 examiners is supported per case.
  • Ability to review the processing history of a case in its properties, which reveals which versions were used on it (recorded only by v17.3 SR-10 and later, v17.4 SR-4 and later and v17.5 and later) and by which users (recorded only by v17.5 and later, even without extended multi-user support).
  • The existence of extended attributes for files in NTFS ($EA attributes) is now revealed in the Attr. column in newly taken volume snapshots, and you can filter for the presence of such attributes. Useful to detect certain malware as seen in recent high-profile cases.
  • Considerably improved treatment of hard-linked files in HFS+. Resolving hard links is now much faster and thorough in current HFS+ volumes that heavily use hard links because of Time Machine. Hard links to directories and resource-only files are now also resolved. The hard link count is accurately represented. All hard links except for 1 are optionally omitted from logical searches, just as in NTFS, to avoid excessive duplication of data to be searched and duplication of search hits. Hard links that are ignored are identified by a grayed out hard-link count (no longer by an asterisk as in previous versions). Additionally, iNode files (indirect node files) that got connected with the hard links that reference them as so-called "related items" in the volume snapshot are omitted. Should the hard-link count of an iNode file be not grayed out, that indicates an orphaned iNode file (one that is not referenced by any hard-linked file, at least not in the volume snapshot). Comments are no longer used for hard-linked files in HFS+.
  • The names of the authors of documents of various types (DOC, XLS, PPT, RTF, PDF, more in future releases) are now output in a new column named "Author" after metadata extraction.
  • The page count is now extracted from PDF and some Office file types (more in future releases) as part of metadata extraction and shown in a new column.
  • Extraction of pictures that are embedded as Base64 in VCF files (electronic business cards).
  • Option to create report table associations for files that were successfully added to a skeleton image using the directory browser context menu command.
  • Extraction of events from Unix/Linux/Macintosh system logs. These events are practically of significance especially for USB device history examinations.
  • File type identification of MMAP, IDML, INCX, EDX, ENML, NBI.
  • Sorting and filtering by comments and extracted metadata greatly accelerated for huge volume snapshots in which a huge number of files have comments or extracted metadata.
  • Sorting by certain directory browser columns such as owner, author, sender, recipients, report tables, comments, extracted metadata, search terms, hash set is now more user-friendly, in that items with blanks (i.e. unknown owner, unknown author, no report table associations, no comments, ...) are listed last, not first. Also, the default sort order of the hash category column is now descending.
  • Improved detection of non-standard LVM2 container partitions.
  • Fixed an error with comments and extracted metadata in v17.5 Preview.
  • File type definitions updated.
  • All cases opened with v17.5 Preview 3 and later now have extended multi-user support, where X-Ways Forensics distinguishes between different examiners working with the same case at different times or at the same time. Cases opened with v17.5 Preview 3 and later cannot be open any more with earlier releases/versions.
  • It is now possible for multiple users to open the same evidence objects in the same case simultaneously for examination. By same case we mean the same case file, not a copy. X-Ways Forensics is responsible for synchronizing report table associations, comments and additions of files to the volume snapshot, and for preventing and making users aware of access conflicts before they occur.
  • X-Ways Forensics now remembers the "tagged", "already viewed" and "excluded" status of files separately for each examiner. You can choose to adopt the "already viewed" status of files in volume snapshots from all other examiners when opening evidence objects, if the goal is to avoid duplicate work and if you are not interested in reviewing files that were reviewed by any of your colleagues already. Individual statuses and search hits of other users are lost if one examiners removes items from the volume snapshot.
  • Search hits and keywords are now stored on a per-user basis as well. The first examiner opening an older case with v17.5 or later will absorb the search hits and keywords stored in the case by v17.4 or earlier. In some future release it should be possible to import other examiners' search hits.
  • If the same user wishes to open the same case (the same copy) in more than one session simultaneously, that user has 3 options. Either the entire case is opened as read-only, OR the user is responsible for opening evidence objects that are open in one session already as read-only in the other session to avoid conflicts OR the user opens the case as a separate, fictitious user (called "alter ego") with separate file statuses, search hits, report table associations etc. If the latter option is selected, shared use of the case is coordinated by X-Ways Forensics exactly as if the alter ago was a real, different examiner, even though the username is the same. The maximum number of users for a case, including any alter egos, is 255.
  • The new "Options..." checkbox when opening a case allows to open a case in any of the three modes known from earlier versions: Entire case read-only (case file and volume snapshots), cooperative analysis mode (ability to produce report table associations, comments, search hit hits, and virtual files; tag files; remember already viewed files, exclude files), or full access. Plus, the dialog box allows you at any time to open the case as your alter ego, not only when opening the same case in a second instance of the program. Plus, if permitted by other examiners, you may open the case as one of them in read-only mode, to see their results (report table associations, search hit hits, tagged files, already viewed files, excluded files).
  • Running searches, creating report table associations, entering comments, editing extracted metadata, tagging files, excluding files, marking files as already viewed is all supported for the same evidence object at the same time. Removing items from a volume snapshot while the evidence object is open somewhere else is forbidden. The goal is support for concurrent analysis/review work by multiple examiners. Volume snapshot refinements on the other hand should be done systematically beforehand. Removing files from a volume snapshot is not considered ordinary review/analysis work.
  • The initials of the examiner who has attached files to the volume snapshot or manually carved files in v17.5 and later can now be seen in square brackets after the name, so that it is easy to tell who has introduced them to the case.
  • Revised look of the user interface (toolbar, menus, directory browser, gallery). Unavailable commands are no longer represented by an icon in the toolbar to make it look less cluttered.
  • VMDK virtual disk images which have been compressed for transport purposes (the VMDK format variant referred to as "stream-optimized"), as used by the OVF appliance export format, are now supported.
  • More file type signatures defined.
  • Files embedded in Norton Backup files (N360 backup, *.nb20) can now be automatically uncovered.
  • Improved extraction of files from Firefox caches based on "_CACHE_MAP_" files and Chrome caches based on "index" files. Retrieves metadata such as original filenames and timestamps. Metadata extraction from "index" files.
  • Gridlines in the directory browser are now optional, and if displayed can be either light gray or light blue. Without gridlines and without the grayed out icons in the toolbar, the screen looks a little less cluttered.
  • The entire row over which the mouse cursor hovers is now highlighted. That makes it easier to identify other far away cells in the same row.
  • File type verification updated. New file type category GPS/Navigation.
  • Ability to import search hits of another user.
  • Support for more deeply nested directory trees in Ext*.
  • Some clusters of significantly fragmented files in Ext4 were incorrectly contained in idle space as well. This has been fixed.
  • Support for VMDK snapshots where the VMDK images are stored in segments, each usually representing 2 GB of the virtual disk. Previously only monolithic VMKDs were supported, i.e. where the entire VMDK image is stored in one file (whether sparse or not).
  • Fixed errors in VMDK support in previous preview and beta versions of v17.5.
  • Fixed potential exception error in Firefox cache extraction in v17.5 Beta 1.
  • Colored icons for excluded and notable files now displayed with no noticeable delay even when Aero is enabled.
  • The file type filter dialog now remembers which categories were expanded.
  • Stability of EVTX processing improved.
  • Program help and user manual updated for v17.5.
  • Creating the descriptive text file when imaging disks is now optional.
  • The option to define the number of extra compression threads when creating .e01 evidence files is no longer hidden.
  • Some improvements for very large scaled system fonts.
  • Reconstruction of indexed e-mails messages from the indexing database of the Thunderbird email client and output as child objects in the volume snapshot, as part of extraction of embedded data in SQLite databases.
  • Exclusion of known SQLite databases from the embedded data extraction if it's know that there is no valuable binary data to be found.
  • Improved support for high dpi display settings in Windows (150% and larger), in message boxes, file selection dialogs, info pane, mode buttons, toolbar, progress indicator window, directory browser, and search hit context preview.
  • Improved support for MS Internet Explorer recovery travellog files.
  • Windows Registry report and event extraction revised.
  • Ability to interpret evidence file containers larger than 4 TB.
  • Support for NTFS file systems larger than 2^32 clusters (which are not supported in Windows 8 and earlier, but perhaps in later versions).
  • File type verification updated.
  • Ability to specify separate virtual output directories for separate file carving runs, for example to distinguish operations of different scopes or for different purposes (e.g. first ordinary sector-level file carving in an entire partition, then byte-level file carving of e-mails in free space).

WinHex screenshot (620 pix)

Versienummer:17.5
Releasestatus:Final
Besturingssystemen:Windows 7, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8
Website:X-Ways Software Technology
Download:http://www.winhex.com/winhex.zip
Bestandsgrootte:1,69MB
Licentietype:Shareware
Moderatie-faq Wijzig weergave

Reacties


Er zijn nog geen reacties geplaatst

Op dit item kan niet meer gereageerd worden.



Apple iOS 10 Google Pixel Apple iPhone 7 Sony PlayStation VR AMD Radeon RX 480 4GB Battlefield 1 Google Android Nougat Watch Dogs 2

© 1998 - 2016 de Persgroep Online Services B.V. Tweakers vormt samen met o.a. Autotrack en Carsom.nl de Persgroep Online Services B.V. Hosting door True