Download WinHex 15.9
X-Ways Software Technology has released version 15.9 of WinHex. WinHex is not only a universal hex editor, but is also capable of low-level data processing through an easy interface. The program includes a RAM editor, a data interpreter and a disk editor, and can be used, for example, to retrieve deleted information or to inspect files. WinHex works on all Windows versions from Windows 2000 onwards and is available in four different versions, with prices from forty euros. The following changes and improvements have been made in this release:
What’s new?
- Improved and more informative Windows Registry report that can output selected portions of the key path in addition to the values. This is helpful for the interpretation of many registry values and renders it unnecessary for users to search for relevant information in the key path themselves.
- Generally accelerated registry report generation.
- Additional information is extracted for the registry report from Windows 7 registries about volume shadow copies, legacy programs, and Default Gateway MAC.
- Ability to save and load lists of report table names from the report table association dialog window. Useful to start right away with a set of predefined report tables as typically needed for a certain kind of case.
- Ability to import the valid data length of files that originate from NTFS volumes from evidence file containers as created by v15.4 SR-4 and later.
- Kerio Connect store.fdb files added as a supported e-mail archive type. They can be processed like PST/OST files.
- When creating a case report and copying files for inclusion in the report, the same easily readable representation of $LogFile, $UsnJrnl:$J, restore point change logs, $I recycle bin and Windows XP prefetch files as known from Preview mode will be output instead of the original file.
- Tools | File Tools | Wipe Securely has been accelerated.
- New investigator.ini option +35 prevents users of X-Ways Investigator from deactivating the strict drive letter protection. Previously it was generally not possible to deactivate it in X-Ways Investigator; now it is generally possible.
- New investigator.ini option +36 prevents users of X-Ways Investigator from creating case reports.
- New investigator.ini option +37 prevents users of X-Ways Investigator from creating cases.
- Recipients on Bcc in received e-mail (rare and illogical, but apparently possible and seen in real life) are now included in the Recipient field of the directory browser.
- A sophisticated new search algorithm tremendously accelerates conventional (non-index) searches with many search terms and search variants (i.e. character sets/code pages, case insensitivity). Forensic license only. For example, for a case-insensitive search for 6 search terms in code page 1252 and Unicode, the new search algorithm can be twice as fast. With 18 search terms, it can be 8 times as fast. With 40 search terms, it can be 20 times as fast. (Please note that this comparison is for the mere search algorithm only and excludes the time needed for disk I/O.) In this beta version you can explicitly choose between the new and the old search algorithm.
- With the new search algorithms, the word boundary anchor \b now works in Unicode, too (for English, German, and French letters, just like in code page 1252).
- Two new directory browser columns have been introduced (forensic license only). After you have run keyword searches, the “#ST” column tells you for each file the number of search terms that have been found in it. The “Search terms” column lists up to 10 of these search terms (in a random order). Note that this happens for all search hits that have not been deleted and for all search terms ever used in a case, not for only the search terms that may have been selected in the search term list. The benefits of these two additional columns are that you can see contained search terms even in the normal directory browser (not only in the search hit list) and that you can sort by the #ST column to get files listed first that are likely more relevant (because they contain more of the search terms that you were looking for). These columns are populated only for evidence objects of a case.
- The number of actually contained chunks in .e01 evidence files is now output in the evidence object properties. Useful to know for incomplete images.
- Fixed erroneous output that could occur when searching in an index for characters that were not indexed, when actually no output should have been produced.
- Fixed error message that was output in Beta 1 when invoking the General Options dialog.
- Ability to display the name of the evidence object where SID/username combinations were found, if recorded.
- Ability to convert Motorola S files to binary that define data in a range of more than 2 GB.
- Ability to export report table associations created in an evidence file container, such that they can be imported back into the original case. That means when you split up the workload in large cases across multiple investigators who work simultaneously, you can now automatically and more easily reconcile their results!
- It is also now possible to export report table associations from original evidence objects (not containers), so even when not working with containers, multiple examiners can work with their own copy of the same case and exchange results with each other or reconcile all results in the main copy of the case, all that by exporting and importing report table associations.
Both commands, the export and import of report table associations, can be found in the context menu of the case tree. Export is supported at the case and evidence object level, import at the case level.
Please note that you cannot import report table associations in the original case any more if you have taken a new volume snapshot after the creation of the evidence file container(s) or if you have removed objects from the volume snapshot.
- Attachments can now be embedded in their respective .eml parent files also when creating a case report, not only when using the Recover/Copy command.
- Using the option to embed attachments in .eml files as Base64 code when extracting e-mail from e-mail archives has been discouraged for some years, for good reasons. The option has now finally been removed completely. The alternatives have been pointed out over and over again because some users ignored them until today.
- When matching hash values against the hash database, if X-Ways Forensics finds a hash value in different hash sets that belong to different categories, a warning is output (since v15.6). Now it is guaranteed that the category that is returned in such a case is always “notable”.
- The standard registry report definition file was split into 8 parts, so that any time you create the report you can choose which parts you need. As before, you can change the definition files as you see fit, or create your own ones for specific purposes/for different kinds of cases.
- Better prepared for certain PST files.
- Ability to carve, confirm, and view Outlook 2011 for Mac emails and extract attachments from them.
- Some minor improvements.
- Memory leak in file header signature search fixed that was specific to v15.9 Beta.
- Memory leak of v15.9 Beta in search engine fixed.
- Registry report errors fixed.
- Filter for the new search term column introduced.
- Displays the number of search hits that would be listed based on current settings for search terms if they were selected.
- Byte-level signature searches did not work before in v15.9 Beta. This was fixed.
- The external virus check did not work correctly (and informed the user about that) in v15.6 through v15.8. This was fixed.
- Fixed a memory leak in email extraction.
Version number | 15.9 |
Release status | Final |
Operating systems | Windows 7, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 |
Website | X-Ways Software Technology |
File size | 1.59MB |
License type | Shareware |