X-Ways Software Technology heeft versie 18.0 van WinHex uitgebracht. WinHex is niet alleen een universele hex-editor, maar is ook in staat om low-level-dataprocessing toe te passen via een gemakkelijke interface. Het programma beschikt onder meer over een ram-editor, een data-interpreter en een disk-editor, en kan bijvoorbeeld worden gebruikt om verwijderde informatie terug te halen of om bestanden te inspecteren. WinHex werkt op alle Windows-versies vanaf Windows XP en is verkrijgbaar in verschillende versies, met prijzen vanaf ongeveer veertig euro tot over de duizend euro voor de meest uitgebreide versie. In deze release zijn de volgende veranderingen en verbeteringen doorgevoerd:
- Improved stability and quality of e-mail extraction from Exchange databases.
- Preview of Skype chat sync files (named "chatsync" in the Type column). Shows the complete chat and the IP addresses of the participants. Events are also extracted.
- Internal memory allocation tracking can now be enabled in Options | Security for debugging purposes.
- The ".." item at the top of the directory browser that appears when navigating within a volume from one directory to another is now optional. If displayed, it is now frozen at the top of the directory browser and does not scroll along with all the other items. And it now shows all the information on the directory that it represents (the one that you would navigate to if you double-click it), just like with all the other items in the directory browser. And a "." item is now also displayed optionally, representing the currently explored directory. Useful if for example you wish to see certain metadata (e.g. timestamps) of the parent object at the same time as metadata of its child objects. And if the . or .. item is a file and you select it, then you can now see that particular file in File, Preview or Details mode. And it is represented in Gallery mode.
- When clicking any component of the current path in the caption line of the directory browser, this will now navigate directly to that directory (or file with child object) whose name you clicked.
- The "Keep track of viewed files" option has been moved to Options | Viewer Programs.
- Support for e-mail extraction from MBOX e-mail archives larger than 4 GB.
- File header signature searches, block-wise hash matching, FILE record searches, searches for lost partitions, and physical simultaneous searches are now sparse-aware operations when dealing with compressed and sparse .e01 evidence files. That means that areas that on the original hard disk were never written and zeroed out or areas that had been wiped on the original hard disk or consciously omitted areas in cleansed images are skipped and almost require no time, because their data neither has to be read nor decompressed nor further processed (searched/hashed matched against the block hash database).
Sparse-awareness is active guaranteed for .e01 evidence files that were created by X-Ways Forensics and X-Ways Imager 16.1 and later (also possibly for images created by 3rd party software, depending on the settings and the internal layout). Operations are not sparse-aware on images of Windows dynamic disks, images of LVM2 disks, and on reconstructed RAIDs based on .e01 evidence files.
- Logical searches in files stored in an NTFS file system are also sparse-aware at the .e01 evidence file level, and generally logical searches in virtual "Free space" files.
- Logical searches in NTFS, Ext*, XFS and UFS file systems are now sparse-aware at the file system level. That means no time is wasted on large sparse areas within sparse files, they are not processed, regardless of whether the evidence object is an .e01 evidence file, raw image, RAID, or actual disk.
- Support for newer Photoshop thumbnail cache format.
- A new "Special interest" entry allows to either carve Google search URLs with "ei" parameters as files or (better) output events with the contained timestamps (if "Provide by-catch timestamps from various sources as events" is checked).
- Better avoids false positives when carving files with support NTFS compression enabled.
- Improved Windows account administration section in the registry report.
- Supports a new PST/OST data storage method as used in Outlook 2013.
- Some improvements for file type verification.
- Ability to extract alternative names and timestamps from Linux PNG thumbnails as known from Ubuntu and Kubuntu distributions, desktop manager MATE and GNOME ThumbnailFactory during metadata extraction. The name of the original file is shown in square brackets in the Name column and the recorded timestamp of the original file is shown as a "Content created" timestamp. The complete path of the original file can be seen in the Metadata column.
- Fixed inability to evaluate equations in templates depending on notation settings.
- Containers of the old format (from more than 3 years ago) can no longer be created or further filled, but can still be used in cases as evidence objects.
- More thorough extraction of embedded files in PE executables (not done by default, only if addressed via the file mask).
- Separate "Append type as extension if newly identified" checkbox for "Use associated program for viewing". Allows to more easily get Windows to run the right program for misnamed files, files without extension etc.
- Ability to import hash sets in the current JSON/ODATA format layout as used by Project Vic and found in the Hubstream Inbox.
- Option to show results of the file header signature search as child objects of existing files, not in the directory for carved files, if they were found within these other files.
- Ability to toggle column visibility purely with the mouse, by clicking the column labels in Options | Directory Browser.
- Option to create automatic report table associations for files that have been added to an evidence file container.
- When creating two copies of an image at the same time, ability to automatically verify both of them.
- Option to maintain two separate hash databases at the same time, based on the same hash type or different hash types. Useful for example if you receive hash sets from different sources based on different hash types (e.g. some with MD5 and some with SHA-1 values) and wish to use them simultaneously, or if you have one large hash database for general use that you share with colleagues and wish to quickly create temporary case-specific hash sets yourself without altering the main hash database.
When creating a hash set yourself, you can choose to which hash database it should be added. That can be file hash database #1 or file hash database #2 or the block hash database.
When managing the hash databases, you can switch from file hash database #1 to #2 and back, and from #1 also to the block hash database as in previous versions.
The ability to import an entire folder of hash sets has been dropped. You can still import multiple selected hash sets in the same directory at once.
- Ability to compute hash values of two different hash types at the same time when refining the volume snapshot, for general purposes or to match them against two hash databases with different hash types. If matching is selected, all hash values will be matched against any of the two hash databases whose hash type fits. That means even if the primary hash type in the volume snapshot is MD5 and the secondary is SHA-1, and hash database #1 is based on SHA-1 and #2 based on MD5, X-Ways Forensics will match the hash values accordingly. The hash types in the volume snapshot and in the hash databases do not have to be in the same order.
- Which hash value is displayed in the Hash column can be changed in the Directory Browser Options dialog. Either the primary hash value or the secondary hash value or both at the same time (if the box is half checked). The Hash column filter is applied to the hash type(s) that is/are currently displayed. Which hash type(s) is/are displayed in the Hash column can be seen in the column header.
- The Hash Set column shows known matches for both hash databases simultaneously. The filter can be used to filter for selected hash sets of one of the databases at a time. The database to choose hash sets from can be selected in the filter dialog.
- The Hash Category column shows only one category. If you assign the hash value of a certain file in one hash database to one category and the hash value of the same file in the other hash database to the other category, you will be warned once during matching and given exact information about which hash value in which hash sets in which hash databases are conflicting. The categorization as "notable" will prevail when in doubt.
- Ability to decide where the second hash database should be stored. Useful if for example the primary hash database is shared with other users on a network drive and the user wishes to create or import new hash sets, either for temporary use only or while the primary hash database is locked by other users, to a locally stored second database.
- Additional functionality can now be invoked from within X-Ways Forensics, the PhotoDNA algorithm, until further notice. For licensing reasons it is made available separately, and provided by X-Ways itself only to law enforcement agencies. (If your e-mail address has not been automatically registered yet, you may go here.) It may be used to prevent the spread of child sexual abuse content and for investigations targeted to stop its distribution and possession.
For details about PhotoDNA please see this and this.
If the PhotoDNA functionality is present, a 4th (!) database, with PhotoDNA hash values of photos can be created and maintained within X-Ways Forensics, and photos may be matched against that hash database in X-Ways Forensics and X-Ways Investigator to identify known incriminating content. Because of the robustness of the hash algorithm and its specialization in photos, it is usually possible to recognize photos even if they have been stored in a different file format, experienced lossy compression repeatedly (e.g. JPEG), resized, partially blurred/pixelated, color-adjusted or contrast-adjusted etc. Unlike hash values computed by conventional general purpose algorithms, PhotoDNA hashes are resistant to various such image alterations.
Law enforcement agencies may want to create and share their own collections of such hash values, or import an extensive existing collection from Project Vic. You can also import the PhotoDNA hash databases of other X-Ways users, you may delete hash categories that you don't need any more, and you may merge or rename categories in your database. When importing someone else's hash database, their categories of the same name will be merged with yours. X-Ways Forensics will attempt to deduplicate hash values of similar photos when adding hash values to the database.
Hash values can be added to the database for pictures in the volume snapshot of an evidence object in the same way as conventional hash sets are added to a conventional hash database. The database is one of the now 4 databases that can be managed with the Tools | Hash Database command. The PhotoDNA hash database is stored in a directory next to hash database #1.
Matching is part of "picture analysis and processing" in Specialist | Refine Volume Snapshot. If you select more strict matching (allow less variation in an image), the process can be noticeably faster in huge databases. Any resulting matches can be seen and filtered in the combined SC%/PDNA column. Photos that are recognized via PhotoDNA already are not additionally checked for the amount of skin tones.
- When printing long paths on the cover page or at the top of the first page, such paths are now broken into multiple lines even if they do not contain any spaces.
- Skin tone computation slightly accelerated for high resolution photos.
- Option to recognize known photos via PhotoDNA even if they are mirrored (flipped horizontally).
- Ability to view loaded modules above the 4 GB barrier in 64-bit processes with Tools | Open Memory and read and edit memory in such address ranges. Unicode support for process and module names and paths in the memory editor. Page boundaries are represented by horizontal lines. Boundaries that represent gaps between contiguous allocated regions are represented by darker horizontal lines. The Info Pane now shows more information such as the maximum address represented and the number of allocation gaps (=number of contiguous allocated page ranges-1) as well as protection status and type of the currently displayed page. Several other minor improvements for the memory editor. Please note that you need the 64-bit edition to properly deal with 64-bit processes.
- New X-Tension function XWF_GetRasterImage. Provides a standardized true-color raster image representation for any picture file type that is supported internally in X-Ways Forensics (e.g. JPEG, GIF, PNG, ...), with 24 bits per pixel, with some powerful options.
- File type verification revised. File carving for Outlook for Mac 2011 improved.
- Option to specify a user-defined timeout in milliseconds for loading pictures with the internal graphics viewing library, in Options | Viewer Programs.
- Support for a variant of FAT12 and FAT16 file systems with unusual directory entries.
- Modified unexpected behavior of the option "Full path sorting for parent objects".
- When filling evidence file containers of the old format with v17.8 and v17.9 (a usually hidden option), parent directories were included more than once. That was fixed.
- An exception error was fixed that could occur when using X-Ways Forensics without a second file hash database.