Download WinHex 14.6

X-Ways Software Technology released version 14.6 of WinHex yesterday. WinHex is not only a universal hex editor, but is also capable of low-level data processing through a simple interface. The program includes a ram editor, a data interpreter and a disk editor, and can be used, for example, to retrieve deleted information and to inspect files. WinHex works on all Windows versions from 98 with the exception of NT, but the full arsenal of features can only be fully exploited on Windows 2000, or higher. The changelog of this release shows the following changes and improvements:

What’s new?

• Ability to completely access and examine media and interpreted image files with more than 4.3 billion (2^32) sectors. (still testing) Allows to read data from beyond the 2 TB barrier on media with a sector size of 512 bytes. Also support for NTFS volumes that consist of more than 2^32 sectors. Other file systems on partitions that large: Not specifically supported.
• Ability to attach external files to the volume snapshot and have them processed by X-Ways Forensics like regular files in the volume snapshot. Useful if you need to translate or decrypt original files and would like to reintegrate the result back in the original volume snapshot, in the original path, for further examination, reporting, filtering, searches etc. Such external files will be completely managed by X- Ways Forensics once attached, copied to the metadata directory, and marked as virtual files. In order to attach a file, you right-click the original file that the external file is based on and invoke “Attach external file”. The new file should be named based on the original file.
• When filling an evidence file container, two new options are now available: One option allows you to copy files partially to the container only. This is possible if the file has been opened in File mode and a block is selected. Useful eg if there is a relevant search hit in the middle of a 2 GB swap file or of a 100 GB virtual free space file, and you would like to forward the context of that search hit to someone via a container, thereby omitting GBs of data that are not related.
• The other option allows you to copy *only* the file system metadata of selected files to a container, totally omitting all file contents. When examing such a container, you can see the entire original directory structure, all filenames, timestamps, file sizes, attributes, etc. and can use various filters.
• Ability to specifically deal with NTFS compression when searching for files via file header signatures (forensic license only). Allows to automatically list NTFS-compressed files of certain types whose FILE records are no longer available. These files are also automatically decompressed for File mode, Preview mode, and the Recover/Copy command.
• Now extracts metadata from JPEG, PNG, TIF, GIF, THM, thumbs.db, ASF, WMV, WMA, MOV, GZ in Details mode in addition to many other file types. Additional metadata now extracted from PPT files. General further improvements for OLE2 compound files.
• When running a file header signature search, WinHex now automatically names Exif JPEG pictures after the model designation and time stamp as stored by the digital camera card. (specialist license or higher)
• The internal creation timestamp that can be found in various file types can now be displayed in a separate directory browser column, once extracted with a new context menu command (“Extract Internal Metadata”) or once seen in Details mode. Thanks to this new column and the timestamp filter, it is now very easy to focus on files/documents that were actually created in a certain time period. Internally stored timestamps are usually less volatile than file system level timestamps and more difficult to manipulate retroactively. The supported file types are: OLE2 compound files (eg pre-2007 MS Office documents), MDI, ASF, WMV, WMA, MOV, various JPEG variants, THM, TIFF, PNG, GZ, SHD printer spool, PF prefetch, LNK shortcut , and DocumentSummary alternate data streams.
• The option to copy/append metadata to comments has been moved to the same new context menu command.
• The hash set column now comes with a filter that allows to more conveniently focus on files whose hash values ​​are contained in selected hash set or are not contained in selected hash sets.
• When using the Recover/Copy command, overlong paths are now truncated and rendered legal if shortening the last path component can achieve that. Any file with a path longer than 259 characters after this attempt will still not be copied and rather associated to a report table because it wouldn’t be possible to deal with this file in Windows anyway.
• UTC-based timestamps displayed in the registry viewer and in the registry report now respect the “Show time zone bias” option so that it’s obvious if and how they have been converted to local time. The same time zone settings as for the active case are used.
• When analyzing small amounts of data (Attachments in original .eml e-mail message files (not virtually produced by X-Ways Forensics itself) can now be extracted if you add *.eml to the series of file masks for e-mail extraction.
• Item numbers in the directory browser are now 1-based instead of 0-based.
• Sectors mode is now labeled either Disk, Partition, Volume, or Container, depending on the nature of the data represented in the data window.
• Several minor improvements.

[break]