Ru-Board.club

» X-Ways WinHex

Author: arthorius
Date posted: 07.01.2013 22:33
It is much easier to fix the hotkeys for any Russian-localized 16.x version like this: find the value 0D006A00DC and replace it with 8D006A00DC, rather than waiting for someone to make the fix for you.
Author: addhaloka
Date posted: 08.01.2013 01:49
arthorius 00:33 08-01-2013
Quote:
find the value 0D006A00 and replace it with 8D006A00

Good idea. Simpler than replacing resources. Only the search value needs to be extended a little: 0D006A00DC. Otherwise 0D006A00 occurs several times.

Added:
I made a patch for this, together with the fixer (it is all in one package there, take your pick). If anyone needs it: http://sendfile.su/737982
Author: arthorius
Date posted: 08.01.2013 03:17
addhaloka, agreed. I was checking the uniqueness of the sequence by 8D006A00, which occurs once.
I have corrected the message above.
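The uniqueness point raised in the exchange above, as an added example that is not part of any post: a patcher that refuses to write unless the search value occurs exactly once, and keeps an untouched backup. The byte values are the ones quoted in the thread; `SAMPLE` is constructed data, not bytes from any real executable.

```python
from pathlib import Path

OLD = bytes.fromhex("0D006A00DC")  # search value quoted in the thread
NEW = bytes.fromhex("8D006A00DC")  # replacement value quoted in the thread


def find_all(data: bytes, pattern: bytes) -> list:
    """Return every offset at which pattern occurs, overlapping hits included."""
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def patch_unique(data: bytes, old: bytes = OLD, new: bytes = NEW) -> bytes:
    """Replace old with new only when old occurs exactly once in data."""
    if len(old) != len(new):
        raise ValueError("an in-place patch must not change the length")
    hits = find_all(data, old)
    if len(hits) != 1:
        raise ValueError(f"pattern occurs {len(hits)} times, refusing to patch")
    off = hits[0]
    return data[:off] + new + data[off + len(old):]


def patch_file(path, old: bytes = OLD, new: bytes = NEW) -> int:
    """Patch a file in place, saving the original as <name>.bak first.

    Returns the offset that was changed.
    """
    target = Path(path)
    original = target.read_bytes()
    patched = patch_unique(original, old, new)  # raises before anything is written
    backup = target.with_name(target.name + ".bak")
    if not backup.exists():
        backup.write_bytes(original)
    target.write_bytes(patched)
    return find_all(original, old)[0]


# Constructed sample: the short 4-byte value appears three times,
# the 5-byte value ending in DC appears once.
SAMPLE = (
    bytes(4)
    + bytes.fromhex("0D006A0011")
    + b"\xff" * 3
    + bytes.fromhex("0D006A00DC")
    + bytes.fromhex("0D006A0022")
)

if __name__ == "__main__":
    print("short pattern hits:", find_all(SAMPLE, bytes.fromhex("0D006A00")))
    print("long pattern hits: ", find_all(SAMPLE, OLD))
    print("patched byte:      ", hex(patch_unique(SAMPLE)[12]))
```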
Author: MOHCTP
Date posted: 29.01.2013 11:33
arthorius
addhaloka

Quote:
Simpler than replacing resources.

Undoubtedly simpler and more convenient! Could you describe, for general knowledge, what exactly this changes?
Author: SAT31
Date posted: 02.02.2013 20:19
WinHex 16.8 SR-9
[more=Changes:]SR-1:
* Search hits in the decoded version of files were erroneously highlighted in File mode, with their artificial offsets. That was avoided.
* Fixed an error in the way that the 64-bit edition read exFAT file systems.
* Fixed an error that could occur when copying e-mails with extremely long subject lines and attachments to an evidence file container.
* Avoided warning about evidence objects in use in some situations where it is not necessary.
* Fixed incorrect checkmark states in the Type filter dialog after double-clicking that could occur in Windows versions newer than XP.
* Some minor improvements.
* X-Ways Imager download updated with v16.8. Now includes a 64-bit edition, which is very useful as a powerful disk imaging and disk cloning program for the 64-bit edition of the lightweight Windows PE or FE.

SR-2:
* A 64-bit edition of the ordinary (not dongle-based) version of WinHex is now available to users with a professional or specialist license. Memory requirements of WinHex are very low, so that the extended logical memory address space of the 64-bit edition does not count as an advantage, however, unlike the 32-bit edition, the 64-bit edition can be executed from a 64-bit Windows PE such as the one that you can boot from your 64-bit Windows 7 or Windows 8 installation CD. This is useful for example if you wish to edit/repair or wipe sectors in the partition that contains your installation of Windows Vista or later, which are write-protected by Windows otherwise. More information about Windows PE

Licensed users can retrieve the download link of the additional 64-bit files from the usual web page.

The setup program remains a 32-bit program. As a portable application, WinHex does not need to be and should not be installed using the setup program.
* Avoided an infinite loop that could occur in v16.8 when running a file header signature search for index.dat records in free space.
* Fixed an exception error that could occur when loading old variants of the old evidence file container format.
* Prevented a rare exception error that could occur when taking snapshots of Ext file systems.
* Some minor improvements.

SR-3:
* Fixed an exception error in the 32-bit edition of X-Ways Forensics 16.8 that could occur after taking a snapshot of FAT volumes.
* Creating many thousands of report table associations at a time or importing them from an evidence file container could be very slow in v16.8. That was fixed.
* Intelligent naming for prefetch files in file header signature search.
* Some other minor improvements.

SR-4:
* Some issues in X-Ways Imager were fixed.
* The owner ID of files originating from NTFS volumes was not passed on from 1st generation evidence file containers to 2nd generation containers. That was fixed.
* Sorting by evidence object no longer sorts alphabetically, but by the position of the evidence object in the case tree. This is much faster and perhaps even expected or desired by most users.
* The "Do not sort list" command now automatically refills the directory browser with the same items in the order in which they are referenced by the volume snapshot(s). Useful especially for users of X-Ways Investigator who are used to working with an unsorted list, accidentally click a column header and do not know how to refill the directory browser.
* Detects certain non-standard GIF pictures that can cause exception errors and does not try to process them any more to avoid problems.
* Ability to supply your own bitmap (16x16 pixels) that marks files as already viewed in the directory browser if you do not like the standard light green color. Provide it as a file named 9.bmp in the same directory where the .exe file is located.
* Some other minor improvements.

SR-5:
* Improved ability to extract sender and recipient fields from artificial PST e-mail archives created by SysTools NSF to PST conversion.
* Minor improvements in Exchange EDB extraction.
* Registry report for Windows 8 registry hives as complete as for earlier Windows versions.
* X-Tensions that are invoked via Tools | Run X-Tensions are now applied by default to the active data window if a data window is open, just like via Specialist | Refine Volume Snapshot.
* Avoided certain situations where tagging a large number of files in large volume snapshots was extremely slow. (Please report back if you continue to have such a problem.)
* Some other minor improvements.

SR-6:
* Fixed an error that could occur when extracting e-mail from Exchange EDB databases.
* Since v16.4, the Type and Category filters did not reliably address all numeric file types such as .123, .000, .001. That was fixed.
* Fixed an exception error that could occur under certain circumstances when creating previews for index.dat files.
* Fixed a rare exception error that could occur when extracting e-mail from MBox e-mail archives.
* Fixed freeze that could occur when processing certain files named cache.db.
* Improved compatibility of evidence file containers of the new format mounted with Mount Image Pro when copying directories using Windows Explorer.

SR-7:
* File type verification signatures slightly updated.
* Fixed an error that could occur when processing SQLite databases.
* Fixed some errors that could occur when processing certain corrupt files.
* Prevented a situation where the 64-bit edition could hang when using the option "Skip and exclude data in free clusters" in disk imaging.
* Fixed an error in v16.8 that in certain situations (more often on computers with many processor cores) created a small amount of invisible surplus data at the end of compressed .e01 evidence files which could lead to a wrong verification hash and a read or CRC error message in other tools although all the data that was presented and user-accessible in the same tools was 100% correct.
* Fixed errors that could occur when reaching the limit of ~176 million search hits.

SR-8:
* Fixed a data error that occurred when imaging media with more than 4,294,967,295 sectors.
* Avoided an exception error with certain non-standard volume labels in FAT file systems.
* Fixed an exception error that could occur in the 64-bit edition when processing .evtx event log files.
* Fixed an exception error that could occur when processing certain MSG files.
* Some minor improvements and fixes.

SR-9:
* E-mail extraction from MSG files improved.
* Prevented distorted text proportions that could occur on cover pages when printing multiple files with the viewer component at the same time.
* Fixed an error in the search function of the registry viewer.
* Fixed crash of the Recover/Copy function with overlong file paths in the not dongle-based version of WinHex.
* Available as X-Ways Forensics, X-Ways Investigator and WinHex without a forensic license.[/more]
Author: addhaloka
Date posted: 03.02.2013 00:38
MOHCTP 13:33 29-01-2013
Quote:
Could you describe, for general knowledge, what exactly this changes?

It seems an error is simply being corrected (in the resources). I.e. the correct value is restored, as in the English version.
Author: MOHCTP
Date posted: 03.02.2013 10:15
addhaloka
Thanks.
Author: SAT31
Date posted: 06.02.2013 14:38
WinHex 16.9
[more=Changes:]What's new?
* Ability to use GREP syntax specifically for some search terms only, while others are keywords in a natural language. For this setting make sure that the GREP syntax box is half checked, and prepend GREP expressions with "grep:".
* Similarly, when not using GREP syntax, you can now search for only some search terms as whole words, also by checking the corresponding box half only, and by indenting search terms that you want to find as whole words only, i.e. prepend them with a tab character.
* Easy to use settings for the alphabet that defines word boundaries when searching for whole words only in Latin-based languages. The setting for the most thorough search results remains the default. Users that are overwhelmed by garbage hits for short keywords in non-text data such as Base64 or binary garbage may want to try the other two options. These other two options could lead to valid search hits being missed in some constellations (depends on the file format), but can still be justifiable as a great time saver for searches in text documents.
* Option to work with an adjusted virtual free space file that is net of clusters that were identified as belonging to previously existing files, to minimize the amount of space in file systems that is read twice for logical searches and indexing. After changing the option (in Options | Volume Snapshot) the virtual file is updated when it is opened next time, for example selected in File mode or when it is that file's turn during a logical search. Relative offsets of search hits in this virtual file become wrong when the file changes, so they cannot be used to navigate to the search hits in File mode.
* Sorting by path accelerated.
* Also it is now possible to "unsort" the directory browser by clicking the header of the column that represents the primary sort criterion while holding the Shift key.
* Ability to image a physical device (e.g. local hard disk or remote hard disk or RAM opened through F-Response) automatically via the command line. The first parameter should start with a colon and then specify the number of the device in Windows (e.g. ":1" for hard disk No. 1). This will cause that device to be opened automatically upon start-up. The second parameter should start with a pipe, followed by either e01 or raw to indicate the preferred image file format, followed by another pipe and the path and filename of the image (e.g. "|e01|G:\Output filename.e01"). The third parameter can be "auto" to automatically exit X-Ways Forensics after imaging. (That command has always been available in WinHex and X-Ways Forensics, just like you were always able to open files through the command line or execute .whs WinHex scripts.)
* When attaching an external directory to the volume snapshot, usually X-Ways Forensics creates virtual files in a new virtual directory. Now there is an option to accommodate the files in existing directories in the volume snapshot of the same name at the same position in the directory tree. Useful if you copy entire directory structures off the image to convert/decrypt/translate/... files outside of X-Ways Forensics, and then want to bring the results back into the volume snapshot and see the files next to their original counterparts in the same original subdirectories. This can help for example if you wish to OCR and convert PDF documents that X-Ways Forensics has deemed non-searchable using Adobe Acrobat.
* When attaching an external directory to the volume snapshot, you are now prompted whether the selected directory itself should also be attached (that was the standard behavior in earlier versions) or just its contents.
* Preview of .pf prefetch files improved.
* Revised processing of PLists.
* Ability to display certain non-standard GIF pictures in the gallery and in Preview mode using the internal graphics viewing library that caused exception errors in v16.7 and before and were not attempted to display by v16.8.
* In Gallery mode scrolling using the mouse wheel now always scrolls by exactly one page of thumbnails for reasons of convenience. Everywhere else the mouse wheel scrolls by as many lines as specified in the Windows Control Panel since v16.7. In v16.6 and earlier that was an option in the General Options.
* Menu option to display text in the text column in big-endian UCS-2/UTF-16 Unicode. Useful especially to correctly see East Asian characters for example in HFS* file systems and in binary PLists.
* The Print command in the directory browser context menu now has a convenient option to print any child objects after the selected file(s), e.g. e-mail attachments together with their respective e-mail message.
* X-Tensions API: New flags XWF_SEARCH_WHOLEWORDS2 and XWF_SEARCH_GREP2 to reflect the new search options. New XT_PrepareSearch function supported that allows X-Tensions that monitor search hits to also monitor some search settings and adjust search terms.
* Same fix level as v16.8 SR-5.

Preview 2:
* Ability to generate a list of events from timestamps that can be found at the file system level as well as internally in files and in main memory, when extracting metadata. Conceivable sources include browser histories, Windows event logs, Windows registry hives, e-mails, etc. An event list works exactly like a search hit list and can be displayed by clicking a new button which is located next to the search hit list button, with a clock icon on it. Just like a search hit list, an event list comes with additional columns: the event timestamp, event type, event category, and optionally a file offset.

When an event list is sorted chronologically, by timestamps, it works like a timeline, that may allow you to figure out a sequence of events of different kinds stored in different places (e.g. e-mail received, attachment saved, application started, document printed, file deleted) that otherwise could not be seen together in context. You may see events from different evidence objects at the same time as usually from the case root window, explore recursively or by path, sort by event type or event category, see all the usual file properties, view files, navigate to the definition of an event within a file (if a relative offset is available) and filter for certain date ranges.

Event-based analysis instead of file-based analysis is a progressive new approach with a totally different perspective that may lead to knowledge about activities recorded on computers that otherwise could not be gained. You may see connections (related activity) that otherwise could be overlooked, and may be able to better explain the logic behind what has happened. The sources of events that are exploited by the metadata extraction in this preview release are still limited (file system, index.dat, e-mails, processes in memory dumps). More will be covered in future releases.
* It is now easier to enter dates in the timestamp filter dialogs. You can click buttons to get a calendar control in which to pick a date using mouse clicks.
* File type verification and file header signature search revised.
* New flag U for file header signatures that will cause files (or records) of this type to be carved only in net free space. Useful especially for internal records of Zip files, RAR archives, Internet Explorer index.dat files, and Firefox URL records, to avoid numerous duplications.
* The metadata extraction for index.dat files (HTML preview generation and event extraction) is now also applied to carved fragments of index.dat files (Internet Explorer URL records).
* Maximum number of contained search terms listed in the Search Term column of the directory browser is now 25 instead of 10.
* New verbosity option: If totally unchecked in Options | Security, only exception errors with a potentially serious impact (like considerably incomplete analysis results) will be brought to your attention in the Messages window. If fully checked, all of them will be output, like before, even those that occur typically with corrupt files only and have no negative impact on other analysis results. The new default option is a reasonable compromise.

Preview 3:
* Error in file header signature search of v16.8 Preview 2 fixed.
* Carved files are now defined to have slack space if they happen to start at a cluster boundary.
* Some minor improvements.

Preview 4:
* Superimposition of sectors on top of disks or interpreted images that are opened as read-only. Useful when you need to make minor temporary adjustments to data in sectors within the program to get it interpreted correctly internally, but do not want to or are not allowed to alter the sectors on the disk or in the image itself (or cannot because it is not a raw image, but an .e01 evidence file), and also do not want to make another complete working copy of an image that is e.g. 2 TB in size if just 1 byte needs to be changed. Such adjustments can be necessary for example in cases of partitioning or file system metadata corruption, where just a missing magic number keeps WinHex from detecting the file system or just one flipped bit keeps WinHex from finding $MFT in NTFS or just one wrong nibble in the partition table keeps WinHex from recognizing a partition as an LVM2 container partition etc. etc. In these situations you can manually provide and superimpose the corrected data and then hopefully work with the disk or image with no further problems, getting all partitions and files listed immediately as if nothing was wrong. This functionality is intended for advanced users that do not give up easily when at first they see "nothing" and have some understanding of low level data structures and know how to fix them.

You can enable and disable superimposition for the disk or partition in the active data window using the Edit | Superimpose Sectors menu command. This command allows you to select any file with the raw contents of disk sectors. For example, you can create such a file by selecting one or more sectors as a block, copying the block into a new file, making the necessary adjustments (possible even in X-Ways Forensics because ordinary files unlike disks or interpreted images can be edited) and saving that file. When applied, the contents of this file are superimposed to the sectors starting with the sector in which the cursor is located, or if the file is named "*.n.superimposition", where n is a number, it will be applied to the sectors starting with sector n, and all other files in the same directory matching the same mask with the same base name will also be applied to sector numbers as indicated within the filename. You will immediately see the superimposed data when navigating to the affected sectors, and can continue making adjustments to the imposed raw data file if you keep it open in a separate window. As soon as you have saved changes in that window, they will take effect in the data window that represents the disk or partition whose data you are trying to fix when you refresh the view, take a new volume snapshot, define the start of a partition, try again to open a file with a corrupt FILE record etc. etc.

Please note that only complete sectors, not partial sectors, can be superimposed. Superimposition can be active only for one disk or disk partition or image at a time. If desired, you can make a copy (image or cloned disk) of the virtually repaired disk or image with the usual commands while the superimposition is in effect, so that the copy will have the superimposed sectors directly embedded.
* Reports the total number of CRC errors in the evidence object properties for each hash computation if chunk CRCs are being verified when reading from .e01 evidence files (see Options | Security).
* File type verification signatures and algorithms updated.
* New hash type available: Adler32
* The values of the bits in the volume attributes of HFS+ file systems are now output in the Technical Details Report.
* Ability to copy up to ~4 GB of data into the internal clipboard (~2 GB before).
* Same fix level as v16.8 SR-7.

Beta 1:
* Extraction of all tables (with all columns except binary data) from all other SQLite databases besides the already supported various Internet browser databases as part of metadata extraction. The first extracted table will also serve as a preview of the SQLite database file itself.
* Ability to copy up to ~4 GB of data into the internal clipboard in the 64-bit edition (~2 GB before and still in the 32-bit edition).
* Buttons that allow to expand or collapse all categories in the file type filter dialog. Expanding all categories can be useful if you would like to quickly find a certain file type by typing its letters while the tree view window has the input focus.
* Option to only make a copy of tagged files for inclusion in a case report instead of all or none. Useful if you wish to reference all notable files with their metadata in your report, but show only a subset of those.
* Whether new report table associations for selected files are created for the selected files only or also for their child objects or duplicates etc. is now a setting that is individual to each report table.
* New icon for renamed/moved directories in FAT and exFAT volumes.
* Support for PC-compatible BSD disklabel partitioning.
* The View | Refresh View menu command now also refills the directory browser if the directory browser has the input focus. Useful for example when a filter for tagged items is active and you remove the tag marks of some of the listed files, if you wish to update the listing in the directory browser and get rid of those files that are no longer tagged.
* Several minor improvements.
* Same fix level as v16.8 SR-8.

Beta 2:
* Some debug code removed.

Beta 3:
* Program help updated for v16.9.
* Ability to check for updates online occasionally (Options | Security). This can report the availability of later versions or new service releases of the currently used version and allow to start the download. Does not send any data from within the program to the Internet, for example no system or user information or dongle ID, neither directly nor encrypted nor anonymized, of course no case data, not even the currently used version number, nothing. This option is active by default only if the program determines that it is running on the examiner's own system (if it is executed from the C: drive or if it was installed using the setup program). The check does not occur when running the program for the first time, so that you definitely have a chance to turn off this option before anything happens. Given the fact that most systems on which X-Ways Investigator and X-Ways Forensics are run do not have an Internet connection, this feature has a limited effect only.
* Prevented erroneous additional physical search after logical search in Beta 2.

Beta 4:
* Prevented an exception error in Beta 3.

Beta 5:
* The file carving flags b (for byte granularity) and g (for greedy allocation) can now be combined. Useful when carving records from files like $UsnJrnl:$J. For $UsnJrnl:$J in particular an internal algorithm is available that can combine multiple contiguous records in a single carved file. The g flag makes sure that those records that have been included already will not be found and carved again separately. Such a carved file that is composed of multiple records can be nicely viewed in Preview mode, and viewing that file is much more efficient than viewing individually carved records.
* Ability to print multiple selected files optionally in separate print jobs like in v16.3 and earlier.
* Changes of v16.8 SR-9 included.

Beta 6:
* Simultaneous creation of 2 copies of .e01 evidence files was unsuccessful if they were given different names. That was fixed.
* Several user interface elements improved.
* Some more statistics in the evidence object properties.

v16.9 was just released.[/more]
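The sector superimposition described in the Preview 4 notes above, modelled as an added example (not X-Ways code and not part of the post): a read-only view that serves sectors from `*.n.superimposition` files and everything else from the untouched image. The 512-byte sector size, the file names and the demo image are assumptions constructed for the example; letting later files win when overlays overlap is also an assumption.

```python
import hashlib
import re
from pathlib import Path

SECTOR = 512  # assumed sector size
NAME_RE = re.compile(r"^(?P<base>.+)\.(?P<n>\d+)\.superimposition$")


def load_overlays(first_file):
    """Collect overlays from first_file and its siblings with the same base name.

    Returns {sector_number: sector_bytes}. Partial sectors are rejected,
    matching the note that only complete sectors can be superimposed.
    """
    first = Path(first_file)
    m = NAME_RE.match(first.name)
    if not m:
        raise ValueError("file name does not match *.n.superimposition")
    overlays = {}
    for f in sorted(first.parent.iterdir()):
        fm = NAME_RE.match(f.name)
        if not fm or fm.group("base") != m.group("base"):
            continue
        data = f.read_bytes()
        if not data or len(data) % SECTOR:
            raise ValueError(f"{f.name}: only complete sectors can be superimposed")
        start = int(fm.group("n"))
        for i in range(len(data) // SECTOR):
            overlays[start + i] = data[i * SECTOR:(i + 1) * SECTOR]
    return overlays


class SuperimposedImage:
    """Read-only sector view: overlay sectors win, the image is never written."""

    def __init__(self, image_path, overlays):
        self._fh = open(image_path, "rb")  # opened read-only on purpose
        self._overlays = overlays

    def read_sector(self, n):
        if n in self._overlays:
            return self._overlays[n]
        self._fh.seek(n * SECTOR)
        data = self._fh.read(SECTOR)
        if len(data) != SECTOR:
            raise EOFError(f"sector {n} is beyond the end of the image")
        return data

    def close(self):
        self._fh.close()


def demo(workdir):
    """Build a constructed 8-sector image whose sector 0 lacks the 55 AA
    boot signature, superimpose a corrected sector 0 plus two more sectors,
    and show that the image file itself stays byte-identical."""
    work = Path(workdir)
    image = work / "disk.img"
    image.write_bytes(bytes(SECTOR) + b"\x11" * SECTOR * 7)
    before = hashlib.sha256(image.read_bytes()).hexdigest()

    fixed = bytearray(SECTOR)
    fixed[510:512] = b"\x55\xaa"
    first = work / "fix.0.superimposition"
    first.write_bytes(bytes(fixed))
    (work / "fix.3.superimposition").write_bytes(b"\x22" * SECTOR * 2)

    view = SuperimposedImage(image, load_overlays(first))
    try:
        return {
            "view_signature": view.read_sector(0)[510:512],
            "raw_signature": image.read_bytes()[510:512],
            "overlaid": sorted(view._overlays),
            "sector4": view.read_sector(4)[:1],
            "sector5": view.read_sector(5)[:1],
            "image_unchanged":
                hashlib.sha256(image.read_bytes()).hexdigest() == before,
        }
    finally:
        view.close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```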
Author: GCRaistlin
Date posted: 11.02.2013 23:39
They say WinHex can be used to check whether a SATA controller works correctly with GPT disks larger than 2.5 terabytes: supposedly you write each sector's number into it, and if a wrap-around to the start of the disk occurs at the 2.5 TB boundary, it will be visible. Could you tell me how to do this, step by step?
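The idea in the question above, shown as an added example that is not part of the post and does not use WinHex: stamp every sector with its own number, read everything back, and derive the wrap distance from the mismatches. `AliasingDisk` is a constructed in-memory stand-in for a controller that wraps addresses; the marker string, sector size and tiny sector counts are assumptions chosen so the example runs offline.

```python
import math
import struct

SECTOR = 512           # assumed sector size
MAGIC = b"LBASTAMP"    # constructed 8-byte marker placed before the sector number


class AliasingDisk:
    """In-memory model of a disk behind a controller.

    With wrap=None every LBA has its own storage. With wrap=W the controller
    silently maps LBA n to n % W, which is the fault being tested for.
    """

    def __init__(self, sectors, wrap=None):
        self.sectors = sectors
        self.wrap = wrap
        self._store = bytearray((wrap or sectors) * SECTOR)

    def _offset(self, lba):
        if not 0 <= lba < self.sectors:
            raise ValueError("LBA out of range")
        return (lba % self.wrap if self.wrap else lba) * SECTOR

    def write_sector(self, lba, data):
        if len(data) != SECTOR:
            raise ValueError("only whole sectors can be written")
        off = self._offset(lba)
        self._store[off:off + SECTOR] = data

    def read_sector(self, lba):
        off = self._offset(lba)
        return bytes(self._store[off:off + SECTOR])


def make_stamp(lba):
    """Sector content: marker, then the LBA as a 64-bit little-endian integer."""
    head = MAGIC + struct.pack("<Q", lba)
    return head + bytes(SECTOR - len(head))


def read_stamp(data):
    """Return the LBA stored in a stamped sector, or None if it is not stamped."""
    if data[:len(MAGIC)] != MAGIC:
        return None
    return struct.unpack_from("<Q", data, len(MAGIC))[0]


def stamp_all(disk, step=1):
    """Write a stamp to every step-th sector, in ascending order.

    This overwrites the sectors it touches, so it is only for a scratch disk.
    """
    for lba in range(0, disk.sectors, step):
        disk.write_sector(lba, make_stamp(lba))


def check(disk, step=1):
    """Read the stamps back.

    Returns (mismatches, period): mismatches is a list of (lba, stamp_found),
    period is the gcd of all |stamp_found - lba|, i.e. the distance at which
    addresses alias, or None when every stamp matches its own LBA.
    """
    mismatches = []
    period = 0
    for lba in range(0, disk.sectors, step):
        found = read_stamp(disk.read_sector(lba))
        if found != lba:
            mismatches.append((lba, found))
            if found is not None:
                period = math.gcd(period, abs(found - lba))
    return mismatches, (period or None)


if __name__ == "__main__":
    faulty = AliasingDisk(20, wrap=8)
    stamp_all(faulty)
    bad, period = check(faulty)
    print(f"{len(bad)} mismatching sectors, first {bad[0]}, wrap every {period} sectors")
```

On real hardware, sampling with a large `step` keeps the run short, but a wrap is only visible if at least two sampled sectors alias to the same physical sector.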
Author: Hellteh
Date posted: 20.02.2013 17:02
Please suggest alternative software with forensic functionality similar to WinHex's; different tools for different purposes are fine.
Author: Engaged Clown
Date posted: 20.02.2013 17:31
Hellteh
Which functionality specifically do you mean?
Author: MOHCTP
Date posted: 01.03.2013 04:00
Has anyone come across a Russian localization for 16.9 yet?
Author: SAT31
Date posted: 01.03.2013 07:50
No. For all the recent versions it was made by Localiz; you can ask him whether there will be a Russian localization. His contact details are on msilab.
Author: Nexusesus
Date posted: 02.03.2013 00:04
It took me 5 minutes to knock together a Russian localization of the new version for myself.
Author: MOHCTP
Date posted: 02.03.2013 05:07
Nexusesus
Based on the one from Localiz? And could you post it for everyone?
Author: addhaloka
Date posted: 27.03.2013 11:02
WinHex 17.0
[more=Changes:]What's new?
* Ability to unlock X-Ways Forensics 17.0 and later with network dongles. Network dongles are available as a substitute for regular dongles probably from March 2013. A single network dongle can represent x licenses and substitute x regular dongles and allow the users to run X-Ways Forensics on x machines on the same network at the same time. The network dongle is attached to any of the computers on the network and made available to the clients by a dongle server program or service. If multiple network dongles are found by a client, the user may choose one of them when starting up X-Ways Forensics. If one of these dongles is already fully in use, according to the number of licenses that it represents, the user will see that and can choose another dongle. Conveniently, a network dongle can also be used locally just like a regular dongle or multi-user dongle when needed!

When purchasing new licenses, you will have the option to order them with a network dongle instead of regular dongles, depending on the number of licenses either for free or at a surcharge. If you own many licenses already, we can probably offer you to test the network dongle and to swap many or all of your existing regular dongles for a single network dongle, on a case-by-case basis. For more information on the dongles in general and network dongles in particular please see http://www.x-ways.net/forensics/dongle.html#types.

* Ability to rank file types by importance/relevance and filter by the rank using the Type Status filter. For example, filtering out those file types ranked #0 will exclude font files, cursors, icons, themes, skins, clip arts, etc. Files with a low rank are of importance just in very specific investigations, for example source code, in which you would not be interested when looking for office documents or pictures for example, but definitely when hunting a virus programmer. Higher ranked file types are relevant in more cases. Generally the rank is useful in simple cases where you can expect to find what you are looking for in file types that are fairly well known. As another idea, you could make it a habit to only index files with higher ranks.

* Ability to assign file types to a so-called group, a new concept, which is not identical to a file type category. Useful for example if your standard procedure is to let examiner A check out pictures and videos, examiner B documents, e-mail, and other Internet activity, and examiner C operating system files of various kinds, because of their specializations. You can give these groups meaningful names and filter for them, also using the Type Status dialog window. The groups are displayed in the Type filter.

* The new definitions are all made in the "File Type Categories.txt" file. Existing files of that kind will continue to work as before. Suggestions for ranks are already predefined in the new standard file. Both ranks (from 0 to 9, where missing means 0) and groups (letters from A to Z) can be optionally specified following a tab at the end of a line, in any order, for example as "2P" or "DI3". So up to 10 rank levels are possible (but it is not necessary to fully utilize this range), and up to 26 groups (and you do not have to start alphabetically, the case of the letters is ignored). You can also define ranks and groups for an entire category, following a tab in a category line. To give a group a more descriptive name than just a single letter, insert group definition lines at the end of the text file that start with an equal sign, e.g.
=P=Photos and videos for image group
=D=Docs, e-mails and Internet
=I=File types to index

* Logical searches now also specifically cover the transition area from uninitialized (but physically allocated) areas of files to immediately following free space, if the option to cover the transition from slack space to free space is in use.

* Ability to run a logical search in selected files via the directory browser context menu from the case root window.

* Memory requirements for search hits reduced by 17%. Old versions cannot load search hit lists saved by v17.0 and later.

* Ability to refine the volume snapshot for selected files only, via the directory browser context menu.

* Ability to store most filter and all sort settings in the active case and load them again automatically when a case is opened. See Options | Directory Browser.

* If the option to Recover/Copy child objects of selected files is half selected, that now means that the only child objects that will be copied are e-mail attachments.

* Many more events are now output based on timestamps in internal metadata of many different file types.

* Several events now have an individual description, for example events in the Windows registry and in Internet Explorer index.dat files.

* The option to list items in registry hives recursively has been removed.

* Ability to extract video stills reliably using recent MPlayer releases. MPlayer 1.1 for use with v17 is now provided as a download.

* The resolution of videos is now displayed roughly in the Pixels column after at least one video still has been exported.

* Special support to carve thumbcache fragments (CMMM records) at the byte level.

* Since v16.3 it is possible to reconstruct RAID level 5EE. Now it is also possible to reconstruct RAID 5EE systems if one component disk is missing. RAID 5EE with forward and backward parity are supported.

* Directory browser option to display tag marks as check marks.

* Support for binary PLists has been improved to include the undocumented CF$UID data type.

* The Technical Details Report now checks for certain read inconsistencies that can occur with flash media (for example certain USB stick brands/models, but not others) in data areas that have never been written/used, where the data is undefined. The data that is read in such areas, for example when imaging the media, may depend on the amount of data that is read at a time with a single internal read command. The result is mentioned in the report. If inconsistencies are detected ("Inconsistent read results!" in the report), you will see a message box, which offers to read sectors in smaller chunks from that device as long as it is open, which likely yields the expected zero value bytes instead of some random looking non-zero pattern data when reading such areas. Use of this option does not give you data that is somehow more accurate or original (undefined is undefined and does not mean zeroed out) or contains more or less evidence, it can just have a big impact on compression ratio achieved and reproducibility of hash values with other tools, which may use different chunk sizes for reading and thus produce different data and hash values. Note that it is possible that read inconsistencies occur that are not detected by X-Ways Forensics, because a complete check would be very slow. Again, these inconsistencies are not fatal and not the fault of the software, and they can be explained. Does it mean that you should invoke the Specialist | Technical Details Report command prior to imaging? No, the report is routinely created already when imaging starts.

* Ability to specify how many extra threads to use when creating .e01 evidence files, when clicking the tiny little button in the lower right corner of the Create Disk Image dialog window. By default X-Ways Forensics will use no more than 4, and it depends on how many processor cores your system has, but you could try to increase it to up to 8 or even 16 on very powerful systems with even more cores usually without problems, for a chance to further increase the speed.

* The option "Display file sizes always in bytes" can now be found in Options | General | Notation. The alternative .eml preview option can now be found in Options | Viewer Programs.

* Size of the 64-bit executable files noticeably reduced.

* Several minor improvements.
[/more]
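The flash-media item in the release notes above says that never-written areas can return different bytes depending on how much is read per request, which changes image hashes between tools. The following is an added sketch of such a consistency check, not X-Ways code: `SimulatedFlash` is a constructed model of the described behaviour, and all function names are hypothetical.

```python
import hashlib

SECTOR = 512

def read_in_chunks(read_at, total, chunk):
    """Yield (offset, data), issuing one read request per chunk."""
    for off in range(0, total, chunk):
        yield off, read_at(off, min(chunk, total - off))

def image_hash(read_at, total, chunk):
    """SHA-256 of the whole device as seen with the given request size."""
    h = hashlib.sha256()
    for _off, data in read_in_chunks(read_at, total, chunk):
        h.update(data)
    return h.hexdigest()

def inconsistent_ranges(read_at, total, big, small):
    """Return [(offset, length)] for big-chunk reads whose bytes change
    when the same range is re-read in small chunks."""
    bad = []
    for off, data in read_in_chunks(read_at, total, big):
        end = off + len(data)
        reread = b"".join(read_at(o, min(small, end - o))
                          for o in range(off, end, small))
        if reread != data:
            bad.append((off, len(data)))
    return bad

class SimulatedFlash:
    """Constructed model, not a real device: never-written sectors return
    zeros for single-sector requests and a filler pattern for larger ones."""
    def __init__(self, written, total_sectors):
        self.written = written
        self.total = total_sectors * SECTOR

    def read_at(self, offset, length):
        data = self.written[offset:offset + length]
        filler = b"\x00" if length <= SECTOR else b"\xa5"
        return data + filler * (length - len(data))

def demo():
    # 2 written sectors followed by 6 never-written ones (constructed sample)
    dev = SimulatedFlash(b"\x11" * 1024, total_sectors=8)
    return (inconsistent_ranges(dev.read_at, dev.total, 2048, SECTOR),
            image_hash(dev.read_at, dev.total, 2048),
            image_hash(dev.read_at, dev.total, SECTOR))

if __name__ == "__main__":
    print(demo())
```

Against real media, `read_at` would wrap a seek and read on a device opened read-only behind a write blocker; recording the request size next to the hash makes the value reproducible.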
Author: SAT31
Post date: 07.04.2013 16:53
WinHex 17.0 SR-1
[more=Changes:]* Extraction of pictures from .xls documents supported.
* Improved e-mail extraction from Exchange EDB.
* Fixed a rare exception error that could occur when opening FAT volumes with a certain layout.
* v17.0 did not apply information from Windows.edb to thumbnails extracted from thumbcache*. That was fixed.
* An exception error was fixed that could occur when extracting large amounts of e-mail or embedded files from other files.
* An exception error was fixed that could occur when extracting events from Windows registry hive fragments.
* The options to exclude JAR, APK, IPA etc. from archive exploration did not work reliably in v17.0. That was fixed.[/more]
Author: Befrodo
Post date: 22.04.2013 22:07
Hello. Could you tell me what needs to be written to a USB flash drive so that, after reading the memory dumps with a programmer, it is possible to reconstruct or understand how the controller works, i.e. how the scrambling was done? (Recovery must be done manually through WinHex.) The flash drive also holds data to be recovered.
Thanks in advance.
Author: deem73
Post date: 25.04.2013 20:23
Guys, help me out. I needed to fix the MBR on a one-gigabyte Transcend flash drive. Before that I saved a copy of the MBR to a file.

After the changes, Windows does not recognize the flash drive and says it needs to be formatted.
I restored the MBR from the file, 1 to 1. Nevertheless, Windows still does not recognize the flash drive.
I did not change anything else on that flash drive.

The flash drive is 100% working.
Please help.

P.S.
What did I do with the MBR?
The thing is, my bootable flash drive stopped booting. So I decided to copy the MBR boot loader from another bootable flash drive. I copied only sector zero, the MBR.



Author: embrace909
Post date: 13.05.2013 14:10
deem73
You should have copied 2048 sectors of the MBR (0 - 2047), then written them to the disk with the HDDRawCopy utility, then formatted with Windows, and optionally extended the partition with EaseUS Partition Master Free Edition. Note: if the MBR (2048 sectors) was taken from a disk larger than the one it will be written to, the MBR will not work. So before taking the MBR image, shrink the partition, and on the newly written media extend it back to the end after the first format of the partition and format the new partition a second time. That way everything will work properly.
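Sector 0 holds the boot code and the partition table together, so a whole-sector copy from another drive also brings that drive's partition table along. The following added example (not from the thread; function names and sample sectors are constructed) parses a saved sector 0, checks whether its partitions fit on the destination, and transplants only the 440 bytes of boot code while keeping the target's own disk signature and partition table.

```python
import struct

SECTOR = 512
CODE_END = 440            # bytes 0..439: boot code
TABLE_START = 446         # bytes 440..445: disk signature + reserved
SIGNATURE = b"\x55\xaa"   # bytes 510..511

def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    if len(mbr) != SECTOR or mbr[510:] != SIGNATURE:
        raise ValueError("not a 512-byte MBR sector ending in 55 AA")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_START + 16 * i: TABLE_START + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                      # type 0 marks an unused slot
            parts.append({"slot": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": sectors})
    return parts

def fits_on_disk(parts, disk_sectors):
    """True if every partition ends inside a disk of disk_sectors sectors."""
    return all(p["lba_start"] + p["sectors"] <= disk_sectors for p in parts)

def transplant_boot_code(donor, target):
    """Boot code from donor; disk signature, table and 55 AA from target."""
    parse_partitions(donor)    # validates both sectors before merging
    parse_partitions(target)
    return donor[:CODE_END] + target[CODE_END:]

def make_sample_mbr(code_byte, lba_start, sectors, ptype=0x0C):
    """Constructed test sector: one active partition, CHS fields zeroed."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, ptype, b"\0" * 3,
                        lba_start, sectors)
    return (bytes([code_byte]) * CODE_END + b"\0" * 6 + entry
            + b"\0" * 48 + SIGNATURE)

if __name__ == "__main__":
    donor = make_sample_mbr(0xEB, 2048, 7_800_000)    # from a larger drive
    target = make_sample_mbr(0x00, 63, 1_999_000)     # the 1 GB drive
    print(fits_on_disk(parse_partitions(donor), 2_000_000))   # False
    merged = transplant_boot_code(donor, target)
    print(parse_partitions(merged) == parse_partitions(target))  # True
```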
Author: SAT31
Post date: 16.05.2013 11:58
WinHex 17.1
Changes:
- Extracts much more nicely formatted data from Skype main.db database files than before, such as phone calls, sent text messages (SMS) and chats.
- Improved file type verification of encrypted MS Office 2007/2010 documents.
- Better support for unusually deep subdirectory nestings in Ext file systems.
- Previously, it was possible to open VMDKs only if their name was recorded correctly in the VMDK descriptor. For self-contained VMDKs, this requirement led to the effect that VMDKs would no longer be opened if renamed without updating their internal descriptor. While this requirement continues to stand for VMDKs consisting of multiple parts (the names of the remaining parts must be recorded correctly), this is no longer required for VMDKs consisting of only one part or in the case of multi-part VMDKs, it is no longer required for the first part.
- Now supports non-standard (non-Adaptec/JetStor typical) parity start components for RAID level 6 with backward parity when internally reconstructing RAIDs, as seen in Synology hardware.
- Now supports backward parity dynamic for RAID level 6, with standard or non-standard parity start components.
- Ability to turn on or off usage of the copy log file and configure the copy log right in the Recover/Copy dialog window. That the copy log is written to the _log subdirectory of the case is now optional. It can now also be written to the selected output folder along with the copied files. This is more convenient if you wish to pass the copy log on to others.
- For reasons of convenience, after exploring an object from a recursive list, the .. item is now marked with a "Back" arrow and allows to return to the previous recursive list, just like the Back button in the toolbar, and does not navigate to the parent directory of the explored object. If in some rare situations you do want to navigate to the parent directory of the explored object, just use the Navigation submenu of the directory browser context menu or press the Backspace key on your keyboard.
- When restoring the last window arrangement upon start-up, X-Ways Forensics now also restores search hit list and event list mode if applicable and reselects the last search hit or event that was selected, so that you can resume even review work in search hits and event lists right where you left it, even in the case root window.
- Ability to highlight search hits for GREP expressions in documents in Preview mode just like ordinary search hits, as long as the viewer component can find it (not if the search hit is located for example in the document metadata which the viewer component does not represent in Preview mode).
- Russian translation of the user interface.
- Several minor improvements.
Author: caxap
Post date: 18.05.2013 07:09

Quote:
Russian translation of the user interface

Finally!

Added:

Quote:
Russian translation of the user interface.


Quote:
Finally!

Only, when you try to select Russian, you see:

Author: diman777771
Post date: 18.05.2013 07:48
WinHex 17.1 complains that the file Russian2.dat is missing.
Without this file the menus are in English and the dialogs are in Russian.
Author: caxap
Post date: 18.05.2013 07:53

Quote:
Without this file the menus are in English and the dialogs are in Russian.

More precisely, the menus are partly in Russian:

In short, the "Russian localization" is either botched or far from complete... I lean toward the former. Sad...

Added:

Quote:
the "Russian localization" is either botched or far from complete... I lean toward the former.



Added:


Added:
Is the author of the official "Russian localization" with us? I mean, does he hang out on Ru-Board? Does anyone know?
Author: mila22
Post date: 30.05.2013 10:35
Folks, who can help me figure out the program? There is a problem with the table on a disk. The file system on the disk is exFAT. The situation is as follows. While copying data to the hard drive there was a BSOD, and now the folder on which the BSOD happened cannot be deleted. chkdsk cannot fix it. How do I fix the table?
Author: Engaged Clown
Post date: 30.05.2013 13:03
mila22
It is unlikely that anyone knows the structure of the exFAT file system at that level, so either wait for an answer (you can remind people about yourself once more) in these threads:
http://forum.ru-board.com/topic.cgi?forum=84&topic=4160&glp
http://forum.ru-board.com/topic.cgi?forum=62&topic=20390&glp

Or ask the author of DMDE for paid support, if he provides it, of course.
Author: mila22
Post date: 30.05.2013 14:40
DMDE cannot handle exFAT. By and large exFAT is FAT with some pluses, but the main ailments remain.
I found this feature, but how much it will help, no idea. I will test it on Monday.

Initialize Directory Entries: On FAT volumes, WinHex can clear all currently unused directory
entries, to thoroughly remove traces of previously existing files or earlier names/locations of
existing files from the file system. Useful especially in conjunction with the function to initialize
all free space. Available in WinHex only, not in X-Ways Forensics
Author: zaqiklop
Post date: 10.06.2013 11:50
Is there some way to make the program go through a folder together with its subfolders, searching each file for a hex sequence and replacing it with another one? There is a huge number of files, and the program should not open them in its window. It should just run through the folder and do its job.
Author: addhaloka
Post date: 10.06.2013 13:12
I don't know how to do it in the program itself, but if the search/replace is the same in all files, I would do it this way: [more]Total Commander › Find Files › Feed to listbox › Select All › selected files -› into the WinHex editor ›
[/more]
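The batch search-and-replace asked about above can also be scripted outside WinHex. The following is an added example, not from the thread and not a WinHex feature: `replace_in_tree` is a hypothetical helper that walks a folder with its subfolders, patches a fixed hex sequence in place, keeps a `.bak` copy of each changed file, and by default skips files where the sequence occurs more than once.

```python
import os

def replace_in_tree(root, find_hex, replace_hex, require_unique=True):
    """Replace a byte sequence in every file under root.

    Returns {path: ("patched" | "skipped", occurrences)} for files that
    contain the sequence; files without it are not listed.
    """
    find, repl = bytes.fromhex(find_hex), bytes.fromhex(replace_hex)
    if not find or len(find) != len(repl):
        raise ValueError("patterns must be non-empty and of equal length, "
                         "so that offsets in the file do not shift")
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".bak"):          # backups from an earlier run
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:       # whole file is held in memory
                data = fh.read()
            hits = data.count(find)
            if hits == 0:
                continue
            if require_unique and hits > 1:
                # ambiguous match: report it instead of patching blindly
                report[path] = ("skipped", hits)
                continue
            with open(path + ".bak", "wb") as fh:
                fh.write(data)                 # keep the original bytes
            tmp = path + ".tmp"
            with open(tmp, "wb") as fh:
                fh.write(data.replace(find, repl))
            os.replace(tmp, path)              # swap in the patched file
            report[path] = ("patched", hits)
    return report

if __name__ == "__main__":
    import sys
    for path, (action, hits) in replace_in_tree(*sys.argv[1:4]).items():
        print(action, hits, path)
```

Run it on a copy of the folder first and review the skipped entries, since a sequence that is not unique in a file may match unrelated data.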
Author: Shoorick
Post date: 15.06.2013 15:02
WinHex 17.0. When recovering (Recover/Copy) it does not copy the date/time of the recovered file; it sets it to the current one. Yet the help explicitly states the opposite:
"The original timestamps (creation, modification, last access) are re-applied to the recovered/copied files."
What could be the problem? I am recovering from an image.



Ru-Board.club forum: brought up on 15-09-2016. The goal is to preserve the legacy of the old Ru-Board and the history of how the Russian internet took shape. Made for people.