Source: X-Ways Software Technology

X-Ways Software Technology has released version 18.1 of WinHex. WinHex is not only a universal hex editor, but can also perform low-level data processing through an easy-to-use interface. The program includes, among other things, a RAM editor, a data interpreter and a disk editor, and can be used, for example, to recover deleted information or to inspect files. WinHex runs on all Windows versions from Windows XP onward and is available in several editions, with prices ranging from about forty euros to over a thousand euros for the most extensive edition. The following changes and improvements have been made in this release:

What's new?
  • Better support for larger font sizes in the hex editor display and in character tables. Improved scaling of various elements of the user interface with high DPI settings in Windows, especially directory browser and case tree icons, small center screen buttons, the status bar, tag squares, sort arrows. Important especially for high resolution displays (4K or 5K displays, such as the Retina displays of recent Mac computers) and users with below average eyesight. File and directory icons generally revised and now more consistent between directory tree and the directory browser.
  • When imaging media with active compression, X-Ways Forensics now provides immediate visual feedback about the actual amount of data found on the disk. That is possible because disk areas that were never written as well as disk areas that were wiped achieve extremely high compression ratios. The rolling compression ratio is represented during imaging by vertical bars in a separate window. The higher the bar, the lower the "data density" in that area. The compression statistics are also stored in the .e01 evidence file, so that the same chart is also available at any later time from the evidence object properties dialog when you click the "Compression" button.
  • Option to fill the block hash database with 1 hash set per file for multiple selected files, unlike previous versions, which created 1 hash set spanning all selected files.
  • Ability to maintain 2 hash values per evidence object. Ability to import 2 hash values from .e01 evidence files produced by X-Ways Forensics or X-Ways Imager.
  • The option "Name output files after unique ID" in Recover/Copy is now available also when recreating complete or partial original paths in the output directory.
  • The search term list now offers a "Max. 1" option when multiple search terms are selected that are not forced with a + or excluded with a -. "Max. 1" will list search hits only if they are contained in files that do not contain any of the other selected search terms. For example for 3 search terms, to get the same results in previous versions, you would have had to list search hits for search term A while excluding B and C, then list search hits for B while excluding A and C, and then list search hits for C while excluding A and B, which of course is not as elegant and does not show you all such singular search hits at the same time.
  • The search term list now offers a "NOT NEAR" option (abbreviated NTNR) in addition to "NEAR". With 2 selected search terms, NTNR will ensure that only search hits are listed that are not located in the vicinity of any search hits of the respective other search term. With more than 2 selected search terms, the result is currently undefined.
  • Two new case report options have been added. "Name output files after unique ID" will ensure filenames that are succinct, unique, trackable and reproducible, and will also ensure that if the same file is associated with multiple report tables, it will be copied to the report subdirectory only once. That saves time and drive space. "List each file only once" is a 3-state checkbox. If fully checked, no file will be referenced in the report by more than one report table any more. Note that you can still see all report table associations of a file when it is listed in its first report table in the report, if you output the field "Report table". If the checkbox is half-checked, that means that a file will still be referenced (listed) by multiple report tables in the report if it has multiple associations, but copied only once and linked only from the first report table.
  • Ability to include all items in all open evidence objects in the directory browser options dialog of a recursively explored case root window.
  • New X-Tension function XWF_GetEvent, which retrieves information about an event in the internal event list of an evidence object.
  • X-Tension functions XWF_GetReportTableInfo and XWF_GetVSProp revised.
  • Specialist | Refine Volume Snapshot now shows the size of extracted metadata and comments in memory and allows you to discard extracted metadata if necessary, to reduce main memory requirements. Now supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB before).
  • A new gallery option lets you tag a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable than selecting multiple files while holding the Ctrl key.
  • Support for Project VIC JSON files format 1.1.
  • Additional information provided to X-Tensions via the XT_Init call.
  • File type verification revised. Category order revised (based on typical frequency).
  • Now up to 2 alter egos of the same user may open the same case at the same time. Some users might find this useful for parallelized simultaneous volume snapshot refinement of different evidence objects in the same case on the same computer.
  • Support for the updated database format of the Chrome history. Support for Opera browsing history since version 15.0 (the switch to the Chromium engine).
  • .evtx event log processing slightly revised.
  • Support for the hash types Tiger128, Tiger160, and Tiger192.
  • "Name output files after unique ID" is now a 3-state checkbox. If half checked, the files will not be named purely after the unique ID (+extension) any more. Instead, the unique ID will be inserted between base filename and filename extension.
  • Nicer names for files that are extracted from Google Chrome caches.
  • Support for Tiger Tree Hashes (TTH). Useful for investigations that involve Direct Connect P2P file sharing programs. Base32 notation for TTH can be enabled in the directory browser options.
  • Type verification revised.
  • New file carving method for Quickbooks .qbw files.
  • Support for Windows 10 (Technical Preview) as a platform.
  • Several toolbar and menu icons have been revised. In particular, almost all icons are now available in high resolution for high DPI settings (for owners of 4K or 5K displays). New icons are now shown to represent pictures, e-mails, and miscellaneous Outlook data.
  • It is now easier to use CSS (cascading style sheets) for case report format definitions. In addition to defining the parameters for standard HTML elements (which would have been possible previously already), key elements of the report are now assigned "class" parameters to simplify targeting those for formatting purposes. Example style sheets are available to use as a basis for further modification. The report options allow picking or editing a CSS file as part of the reporting process. The new default is "Case Report.txt". The previous default is still available as "Case Report Classic.txt".
  • Minor fix in the HTML code of search hit exports.
  • Special carving support for EDB (ESE) log files (.edblog). These log files are forensically relevant in that Microsoft stores more and more internal data about EDB databases in these files. The log files record and keep the complete data that is added to a database at a certain point, until it is eventually deleted in the log file. Typically multiple such log files can be recovered from Windows systems, and search hits in such a log file are more meaningful than in ordinary free space. Metadata is also extracted from these log files.
  • Better support for the CAB file format family, which includes Windows Installer files (less interesting), Windows Cabinet (more interesting, may contain e-mails) and Microsoft OneNote packages (also more interesting).
  • In newly taken Volume Snapshots of Ext3 and Ext4 file systems, X-Ways Forensics now considers the contents of these file systems' journals as alternative sources for information. This may lead to the listing of additional previously existing files, or the listing of previously existing files that were found without contents in previous versions now also found with contents, or the identification of previous names for currently existing files (in the latter case, a note to that effect would be added to the existing file's Metadata column). Important caveat: Since Ext3/4 journaling involves copies of entire file system blocks, journal rollover will occur quite quickly on very active partitions, with the most recent entries in the journal being identical to the current state of affairs, of course.
  • Retrieves some essential information about Windows installations, if found, from partitions or images that are added to a case, and displays them in the evidence object properties.
  • Support for Deflate64 compression in zip archives.
  • Fixed an exception error that could occur when extracting e-mails from certain MBOX e-mail archives.
  • Minor fix for and improvement of event extraction from .evtx event logs in case events had been deleted in the event log by the user.
  • Option to show pictures above the text in report tables in the case report, not below.
  • Italian translation of the user interface updated.
  • Reconciles information from Ext3/4 directory entry remnants and the journal, for a more complete and faithful representation of previously existing files, with contents and timestamps that were not available previously.
  • Files whose representations are based on an inode in the Ext3/Ext4 journal are marked with (Jrnl) in the Attr. column. A filter for such files is available.
  • Fixed potential spill-over of sender and recipients to other e-mail fragments extracted from Windows.edb.
  • Some file type verification improvements.
  • Fixed an error that could occur when processing file archives larger than 2 GB.
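
The imaging item above notes that never-written and wiped disk areas compress extremely well, so a rolling compression ratio reveals where data actually sits on a medium. The sketch below is an added example, not X-Ways code: it applies the same idea with zlib over fixed-size chunks of a constructed in-memory image. The chunk size, the 0.01 threshold and all function names are assumptions.

```python
import os
import random
import zlib

CHUNK = 64 * 1024  # assumed window size, not X-Ways' actual value
BARS = " ▁▂▃▄▅▆▇█"


def density_profile(image, chunk=CHUNK):
    """Compressed/original size per chunk; near 0 = never written or wiped."""
    return [len(zlib.compress(image[o:o + chunk], 6)) / len(image[o:o + chunk])
            for o in range(0, len(image), chunk)]


def render_bars(profile):
    """One bar per chunk; a higher bar means lower data density."""
    return "".join(BARS[round((1 - min(r, 1.0)) * 8)] for r in profile)


def sparse_runs(profile, threshold=0.01):
    """Inclusive (first, last) chunk-index runs whose ratio is below threshold."""
    runs, start = [], None
    for i, ratio in enumerate(profile):
        if ratio < threshold:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, len(profile) - 1))
    return runs


def build_sample_image():
    """Constructed 8-chunk image: data, unwritten zeros, text-like data, 0xFF wipe."""
    rng = random.Random(1)
    hexish = bytes(rng.choice(b"0123456789abcdef") for _ in range(CHUNK))
    return (os.urandom(2 * CHUNK) + bytes(3 * CHUNK) + hexish
            + b"\xff" * (2 * CHUNK))


if __name__ == "__main__":
    profile = density_profile(build_sample_image())
    print(render_bars(profile))
    for first, last in sparse_runs(profile):
        print(f"chunks {first}-{last}: offset {first * CHUNK:#x}, "
              f"{(last - first + 1) * CHUNK} bytes look unwritten or wiped")
```

A run of 0xFF or any other single repeated byte is indistinguishable from zeros by ratio alone, so a flagged run says "no data here" but not whether the area was wiped or simply never used.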


Version number: 18.1
Release status: Final
Operating systems: Windows 7, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8, Windows 10
Website: X-Ways Software Technology
Download: http://www.winhex.com/winhex.zip
File size: 2.28 MB
License type: Shareware

Comments (1)

Handy for taking a quick look inside a file. I recently used it to search a savestate of a MAME game for my high score and change it from 28000 to 999000 in one go. Loaded the game again afterwards and hey presto, after two minutes I had reached 1 million.
