Download WinHex 17.7
X-Ways Software Technology has released version 17.7 of WinHex. WinHex is not only a universal hex editor, but is also capable of low-level data processing through an easy interface. The program includes a RAM editor, a data interpreter and a disk editor, and can be used, for example, to retrieve deleted information or to inspect files. WinHex works on all Windows versions from Windows XP onward and is available in different versions, with prices ranging from about forty euros to over a thousand euros for the most extensive version. The following changes and improvements have been made in this release:
What’s new?
- New Directory Browser option for advanced sorting of the Name column. Takes 4 to 6 times more time than the highly optimized standard Unicode sorting from previous versions (noticeable when sorting millions of files), but has several useful settings and characteristics:
  - Language-specific character equivalence rules (treat ß like ss, treat é similar to e, ü similar to u etc.)
  - Linguistically improved case insensitivity
  - Special treatment of hyphens and apostrophes (they are treated differently from other non-alphanumeric characters to ensure that words such as “coop” and “co-op” stay together in a sorted list).
  - Treat decimal digits as numbers, e.g. sort “2” before “10” (not useful for hexadecimal notation, available under Windows 7 and later only)
  - Treat half-width and full-width characters the same (full-width characters are sometimes used by East Asians when writing English language letters)
  - Ignore kana type (treat corresponding Japanese hiragana and katakana characters the same)
Advanced sorting depends on the regional settings of the currently logged on user. For example, if regional settings of a Nordic country are active, Å comes after Z, as defined in the alphabets of that region, otherwise near A, as perhaps expected by non-locals. Advanced sorting rules are also applied when sorting the search hits by the Search Hit column.
- Files that are included in an evidence file container without contents just to complete the full original path of child objects that they contain with their names are now shown in the directory tree.
- Option to abort copying files into an evidence file container upon a read error and to not include affected files partially. Useful when acquiring files from a network location where the connection might be interrupted: if you assume that you will get the connection back and be more successful when you try again, this avoids having incomplete files in the container, which cannot be replaced with a complete copy retroactively. Available only when not filling containers indirectly.
- The active display time zone of the active case or of any evidence object is now shown directly on the button in the properties dialog window.
- Ability to specifically filter for 0x30 timestamps in the event list, using the event type filter.
- If an original name is found for a file in the Windows recycle bin or in an iPhone backup during metadata extraction, that name is displayed in the Name column with the current unique name in square brackets. The current unique name is now also shown in square brackets in the case report. Both names are targeted by the Name filter.
- Two new X-Tension API functions: XWF_GetBlock and XWF_SetBlock.
- Accelerated multi-threaded block hash matching.
- New X-Tensions API functions XWF_GetExtractedMetadata and XWF_AddExtractedMetadata.
- Improved presentation of e-mail extracted from Outlook PST/OST archives that contains forwarded other e-mail messages as attachments.
- Revised Exchange database extraction (up to version 2007) with improved support of internal e-mail communication and a wider set of metadata.
- As not all users know, when they recreate original paths of files in evidence file containers, the parent objects of files in files are included (and need to be included) in the container even if not selected themselves, just to guarantee that the child objects are shown with their complete correct path. But then these parent files are included without file contents, of course, just with file system metadata, as obvious for example from the Attr. column. Such parent files with metadata only are now no longer listed in containers when exploring recursively, just like directories, because in fact they function like mere directories in the container, even though they were real files in the source file system. They were not deemed relevant by the creator of the container (as they were not selected for inclusion themselves), so it is perhaps more logical that only if users explicitly wish to list directories even when exploring recursively (one of the directory browser options), such files will be listed as well.
- If the parent file of a file in a file has been assigned to one or more report tables by the user, then this will now be pointed out in the “Report table” column for the child object as well, in gray color and with an arrow. Reminds the user that the parent was reviewed and marked as relevant already, which can spare him or her the extra step of navigating to the parent again.
- New X-Tension function XWF_GetMetadata.
- Fixed an error in the display of report table associations in the directory browser in v17.7 Preview 3.
- Tentatively extended the amount of text that can be pasted into the Name filter to 2 million characters (30,000 before). That doesn’t guarantee that X-Ways Forensics can efficiently use a filter with many tens of thousands of characters or more. When in doubt, use the “Match against full name” option, not the substring search.
- Minor improvements of the revised Exchange database extraction.
- The header of the Name column now allows you to tag or untag all listed items with a single mouse click. It also indicates whether there are any tagged or untagged items among the listed items.
- The number of listed tagged files is now displayed in the caption line of the directory browser if any tagged files are listed.
- Tagging and excluding recursively are now two separate options.
- Recover/Copy: Ability to group output files in directories by the search terms that they can contain according to the Search terms column.
- New investigator.ini option +53 that prevents malfunctioning filter and sort settings in cases.
- Ability to output dates in the directory browser and in some other parts of the user interface in a nicer, longer and more locale-specific notation, which can include the weekday and the name of the month based on your language or in English. Also, that format is Unicode-capable, which allows for example for original Chinese notation of dates. See Options | General | Notation. Please see http://msdn.microsoft.com/en-us/library/dd317787%28v=vs.85%29.aspx for a complete explanation of what kind of notation is possible.
Examples of how to represent the month (in English): MMMM = April, MMM = Apr, MM = 04, M = 4.
Example of a complete format: d/MMM/yyyy (ddd) = 2/Apr/2014 (Wed)
- Creating report table associations at the same time for known duplicates of directly targeted files now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.
- When files are viewed that have duplicates, marking the duplicates as already viewed as well now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.
- Support for the MacOS artifact .DS_Store, which helps to analyze recycle bin activity.
- New file type category “Address Book”.
- Better support of Samsung and Nokia .tec graphics files.
- X-Tensions API: Function XWF_GetFileCount available.
- X-Tensions API: Parameters for XWF_OpenItem defined.
- When creating a new case, you now have the option to make X-Ways Forensics recognize evidence objects that are physical media (not images) by their own properties, not by the Windows disk number. Using this option will prevent earlier versions of X-Ways Forensics from opening the case. The advantage is that you may add multiple hard disks or external USB disks or sticks to the case that are attached to the computer at different times and get the same disk number assigned by Windows. Another advantage is that if the number of the same disk as assigned by Windows changes, X-Ways Forensics will still recognize the disk. Useful especially for triage, when not working with images. Please note that X-Ways Forensics may be unable to recognize external media already known to the case if next time they are attached through a different hardware write blocker. In that situation you can still use the “Replace with new disk” command in the evidence object context menu to point X-Ways Forensics to the correct disk. Just as a reminder: You can open an evidence object even if the disk is not currently attached to the system, just to see and work with the volume snapshot, using a command in the evidence object context menu.
- Greatly accelerated recursive tagging, untagging, excluding and including of a large number of selected files, which previously was potentially very slow in large refined volume snapshots.
- Recover/Copy: Option to name output files after their unique ID. Available only when copying without original path, selectable when clicking the “…” button.
- Log-on events in Windows event logs are now presented in the event list with domain name, log-on ID and IP address when available.
- New X-Tension functions XWF_GetReportTableInfo and XWF_GetEvObjReportTableAssocs.
- X-Tensions API: 0x00100000 flag of XWF_ITEM_INFO_FLAGS now deprecated.
- Metadata extraction from RecentFilecache.bcf, an important Windows 8 artifact.
- X-Tension API: New XWF_GetItemInformation capability added: XWF_ITEM_INFO_EMBEDDEDOFFSET. New function XWF_GetSearchTerm.
- Report table associations for e-mail messages with recipients on Bcc:.
- Ability to import multiple selected hash set files at a time.
- Ability to efficiently delete individual hash values from an existing hash set, by importing a hash set file (simple 1-column format, 1 hash value per line), where the hash values to delete must be listed first and must be prepended with a minus sign (“-”). The file must have the same name as the existing hash set that you wish to update (additional filename extension allowed).
- Avoided a rare exception error that could occur when parsing corrupt LVM2 partitioning data structures.
- X-Tension API: 2 more flags for XWF_ITEM_INFO_FLAGS.
- Ability to schedule in advance subsequent disk imaging operations in additional instances that wait until ongoing imaging operations in previous instances complete, to avoid inefficient simultaneous creation of multiple images on the same output disk (which is unnecessarily slow and produces highly fragmented image files).
- Larger tooltip for cells with a lot of text, e.g. in the Metadata column.
- Special paragraph in Details mode about previous names and paths of files, if known.
- Detection of some full disk/partition encryption schemes.
- Data Interpreter option for a binary representation of 16 or 32 bits instead of just 8 bits.
- Directory browser column widths are now stored in cases along with filter and sort settings, as well as in .settings files.
- Excluding files in search hit lists and event lists now has an immediate effect (if excluded files are actually filtered out) and usually auto-selects the next remaining search hit or event in the list.
- In certain situations the associations of search hits with their corresponding search terms were potentially lost in some evidence objects after deleting search terms. That was fixed.
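
An added example, not part of the release notes and not X-Ways code: a Python helper that builds the import file for the hash-value deletion feature listed above, with the values to delete first and each prefixed with a minus sign. Accepting unprefixed values after the deletions, the `.txt` extension and the sample digests are assumptions made for illustration.

```python
import re

# Accepted hex digest lengths (assumption: one hash type per hash set).
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def normalize(value):
    """Return the digest as lowercase hex, or raise ValueError if malformed."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v) or len(v) not in HEX_LENGTHS:
        raise ValueError(f"not a recognized hex digest: {value!r}")
    return v


def build_update_lines(to_delete, to_add=()):
    """Lines of a 1-column file: deletions first, each prefixed with '-'.

    Values in to_add follow without a prefix (assumption, see lead-in).
    """
    deletes = list(dict.fromkeys(normalize(h) for h in to_delete))  # dedupe, keep order
    adds = list(dict.fromkeys(normalize(h) for h in to_add))
    if len({len(h) for h in deletes + adds}) > 1:
        raise ValueError("mixed hash types in one hash set update")
    conflict = set(deletes) & set(adds)
    if conflict:
        raise ValueError(f"listed for both deletion and addition: {sorted(conflict)}")
    return ["-" + h for h in deletes] + adds


def update_filename(hash_set_name, extension=".txt"):
    """The import file must carry the hash set's name; an extra extension is allowed."""
    return hash_set_name + extension


def write_update_file(hash_set_name, to_delete, to_add=()):
    """Write the update file into the current directory and return its name."""
    name = update_filename(hash_set_name)
    with open(name, "w", encoding="ascii") as f:
        f.write("\n".join(build_update_lines(to_delete, to_add)) + "\n")
    return name


if __name__ == "__main__":
    # Constructed sample digests, not real indicators.
    stale = ["D41D8CD98F00B204E9800998ECF8427E", "b" * 32]
    for line in build_update_lines(stale, to_add=["a" * 32]):
        print(line)
```
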
Version number | 17.7 |
Release status | Final |
Operating systems | Windows 7, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8 |
Website | X-Ways Software Technology |
Download | http://www.winhex.com/winhex.zip |
File size | 2.09MB |
License type | Shareware |