Есть хоть один редактор где можно искать HeX по маске, например:
90 ?? 33 C0 ?? 11 33
??????
90 ?? 33 C0 ?? 11 33
??????
» X-Ways WinHex
WinHex 18.1
[more=Изменения]
* Better support for larger font sizes in the hex editor display and in character tables. Improved scaling of various elements of the user interface with high DPI settings in Windows, especially directory browser and case tree icons, small center screen buttons, the status bar, tag squares, sort arrows. Important especially for high resolution displays (4K or 5K displays, such as the Retina displays of recent Mac computers) and users with below average eyesight. File and directory icons generally revised and now more consistent between directory tree and the directory browser.
* When imaging media with active compression, X-Ways Forensics now provides immediate visual feedback about the actual amount of data found on the disk. That is possible because disk areas that were never written as well as disk areas that were wiped achieve extremely high compression ratios. The rolling compression ratio is represented during imaging by vertical bars in a separate window. The higher the bar, the lower the "data density" in that area. The compression statistics are also stored in the .e01 evidence file, so that the same chart is also available at any later time from the evidence object properties dialog when you click the "Compression" button.
* Option to fill the block hash database with 1 hash set per file for multiple selected files, unlike previous versions, which created 1 hash set spanning all selected files.
* Ability to maintain 2 hash values per evidence object. Ability to import 2 hash values from .e01 evidence files produced by X-Ways Forensics or X-Ways Imager.
* The option "Name output files after unique ID" in Recover/Copy is now available also when recreating complete or partial original paths in the output directory.
* The search term list now offers a "Max. 1" option when multiple search terms are selected that are not forced with a + or excluded with a -. "Max. 1" will list search hits only if they are contained in files that do not contain any of the other selected search terms. For example for 3 search terms, to get the same results in previous versions, you would have had to list search hits for search term A while excluding B and C, then list search hits for B while excluding A and C, and then list search hits for C while excluding A and B, which of course is not as elegant and does not show you all such singular search hits at the same time.
* The search term list now offers a "NOT NEAR" option (abbreviated NTNR) in addition to "NEAR". With 2 selected search terms, NTNR will ensure that only search hits are listed that are not located in vicinity of any search hits of the respective other search term. With more than 2 selected search terms, the result is currently undefined.
* Two new case report options have been added. "Name output files after unique ID" will ensure filenames that are succinct, unique, trackable and reproducible, and will also ensure that if the same files is associated with multiple report tables, it will be copied to the report subdirectory only once. That saves time and drive space. "List each file only once" is a 3-state checkbox. If fully checked, no file will be referenced in the report by more than one report table any more. Note that you can still see all report table associations of a file when it is listed in its first report table in the report, if you output the field "Report table". If the checkbox is half-checked, that means that a file will still be referenced (listed) by multiple report tables in the report if it has multiple associations, but copied only once and linked only from the
first report table.
* Ability to include all items in all open evidence objects in the directory browser options dialog of a recursively explore case root window.
* New X-Tension function XWF_GetEvent, which retrieves information about an event in the internal event list of an evidence object.
* X-Tension functions XWF_GetReportTableInfo and XWF_GetVSProp revised.
* Specialist | Refine Volume Snapshot now shows the size of extracted metadata and comments in memory and allows to discard extracted metadata if necessary, to reduce main memory requirements. Now supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB before).
* A new gallery option allows to tag a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable that selecting multiple files while holding the Ctrl key.
* Several minor improvements.
* Same fix level as v18.0 SR-5.[/more]
[more=Изменения]
* Better support for larger font sizes in the hex editor display and in character tables. Improved scaling of various elements of the user interface with high DPI settings in Windows, especially directory browser and case tree icons, small center screen buttons, the status bar, tag squares, sort arrows. Important especially for high resolution displays (4K or 5K displays, such as the Retina displays of recent Mac computers) and users with below average eyesight. File and directory icons generally revised and now more consistent between directory tree and the directory browser.
* When imaging media with active compression, X-Ways Forensics now provides immediate visual feedback about the actual amount of data found on the disk. That is possible because disk areas that were never written as well as disk areas that were wiped achieve extremely high compression ratios. The rolling compression ratio is represented during imaging by vertical bars in a separate window. The higher the bar, the lower the "data density" in that area. The compression statistics are also stored in the .e01 evidence file, so that the same chart is also available at any later time from the evidence object properties dialog when you click the "Compression" button.
* Option to fill the block hash database with 1 hash set per file for multiple selected files, unlike previous versions, which created 1 hash set spanning all selected files.
* Ability to maintain 2 hash values per evidence object. Ability to import 2 hash values from .e01 evidence files produced by X-Ways Forensics or X-Ways Imager.
* The option "Name output files after unique ID" in Recover/Copy is now available also when recreating complete or partial original paths in the output directory.
* The search term list now offers a "Max. 1" option when multiple search terms are selected that are not forced with a + or excluded with a -. "Max. 1" will list search hits only if they are contained in files that do not contain any of the other selected search terms. For example for 3 search terms, to get the same results in previous versions, you would have had to list search hits for search term A while excluding B and C, then list search hits for B while excluding A and C, and then list search hits for C while excluding A and B, which of course is not as elegant and does not show you all such singular search hits at the same time.
* The search term list now offers a "NOT NEAR" option (abbreviated NTNR) in addition to "NEAR". With 2 selected search terms, NTNR will ensure that only search hits are listed that are not located in vicinity of any search hits of the respective other search term. With more than 2 selected search terms, the result is currently undefined.
* Two new case report options have been added. "Name output files after unique ID" will ensure filenames that are succinct, unique, trackable and reproducible, and will also ensure that if the same files is associated with multiple report tables, it will be copied to the report subdirectory only once. That saves time and drive space. "List each file only once" is a 3-state checkbox. If fully checked, no file will be referenced in the report by more than one report table any more. Note that you can still see all report table associations of a file when it is listed in its first report table in the report, if you output the field "Report table". If the checkbox is half-checked, that means that a file will still be referenced (listed) by multiple report tables in the report if it has multiple associations, but copied only once and linked only from the
first report table.
* Ability to include all items in all open evidence objects in the directory browser options dialog of a recursively explore case root window.
* New X-Tension function XWF_GetEvent, which retrieves information about an event in the internal event list of an evidence object.
* X-Tension functions XWF_GetReportTableInfo and XWF_GetVSProp revised.
* Specialist | Refine Volume Snapshot now shows the size of extracted metadata and comments in memory and allows to discard extracted metadata if necessary, to reduce main memory requirements. Now supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB before).
* A new gallery option allows to tag a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable that selecting multiple files while holding the Ctrl key.
* Several minor improvements.
* Same fix level as v18.0 SR-5.[/more]
Limonica
Как минимум в WinHEX вполне можно - галка Use as wildcard в Hex-поиске, но придется пожертвовать одним (любым из 256) байтом для маски, этот байт нельзя будет искать. Его и вписать в качестве маски в опцию и использовать в искомом Hex-наборе.
Как минимум в WinHEX вполне можно - галка Use as wildcard в Hex-поиске, но придется пожертвовать одним (любым из 256) байтом для маски, этот байт нельзя будет искать. Его и вписать в качестве маски в опцию и использовать в искомом Hex-наборе.
WinHex 18.1 SR-1
Изменения:
* Processing of more zip subtypes.
* Fixed a rare exception error that could occur when processing MBOX files.
* Fixed incomplete representation of WebCacheV01.dat files in v18.1.
* v18.1 did not take correct volume snapshots of certain Ext3/4 partitions. That was fixed.
* No longer blindly adopts certain machine-specific settings from a re-used .cfg file upon start-up that made sense with different hardware only.
Изменения:
* Processing of more zip subtypes.
* Fixed a rare exception error that could occur when processing MBOX files.
* Fixed incomplete representation of WebCacheV01.dat files in v18.1.
* v18.1 did not take correct volume snapshots of certain Ext3/4 partitions. That was fixed.
* No longer blindly adopts certain machine-specific settings from a re-used .cfg file upon start-up that made sense with different hardware only.
Как настроить масштаб окна винхекса??? Открыл файл\появились цифры на полэкрана слева... маленькие масштабом... потом почти пол экрана белое полотно в рабочей области и потом информационная полоска файла... Как растянуть рабочее поле чтоб занять место белого фона??? Или как увеличить масштаб - чтоб увеличивать его до такой степени - чтобы белый фон занять полезной областью...
Заранее благодарен...
Заранее благодарен...
rococo795
Размер шрифта?
Размер шрифта?
Victor_VG
Нет... Шрифт то больше, но рамка не сдвигается и просто кадировка анчи становиться не видна.... раньше, когда становился курсором на грань прокрутки и белого фона - появлялась стрелка и можно было растянуть или ужать эту рабочую область... Щас такого нет... Как побороть???
Нет... Шрифт то больше, но рамка не сдвигается и просто кадировка анчи становиться не видна.... раньше, когда становился курсором на грань прокрутки и белого фона - появлялась стрелка и можно было растянуть или ужать эту рабочую область... Щас такого нет... Как побороть???
Ну, так подстройте число символов на строку. Чего сложного?
Victor_VG
Спасибо....
Спасибо....
Специальная русская раскладка клавиатуры для WinHex - DE.получаются крякозябры
[^] 18.2
WinHex 18.2
Изменения:
* Viewing support for Ext3/Ext4 journals. Our File Systems Revealed training course now also explains the Ext journal.
* Ability to specify in great detail which types of file archives and which zip subtypes should be explored to include their contents into the volume snapshot.
* Support for up 32 external viewer programs instead of 9. Their paths are now defined in a separate file, named Programs.txt, so that it is easier to share a collection of external programs separately, or keep them when taking over all other settings from someone else.
* Reliably preserves the PhotoDNA category of pictures, if identified, in evidence file containers, and can show it in installations whose PhotoDNA database has a category of the same name, after a volume snapshot of the container has been taken.
* Ability to split huge HTML and TSV exports from the directory browser into separate files.
* Ability to tweak CPU and memory utilization of indexing, and more conservative default values are used.
* Exchange EDB extraction slightly revised.
Изменения:
* Viewing support for Ext3/Ext4 journals. Our File Systems Revealed training course now also explains the Ext journal.
* Ability to specify in great detail which types of file archives and which zip subtypes should be explored to include their contents into the volume snapshot.
* Support for up 32 external viewer programs instead of 9. Their paths are now defined in a separate file, named Programs.txt, so that it is easier to share a collection of external programs separately, or keep them when taking over all other settings from someone else.
* Reliably preserves the PhotoDNA category of pictures, if identified, in evidence file containers, and can show it in installations whose PhotoDNA database has a category of the same name, after a volume snapshot of the container has been taken.
* Ability to split huge HTML and TSV exports from the directory browser into separate files.
* Ability to tweak CPU and memory utilization of indexing, and more conservative default values are used.
* Exchange EDB extraction slightly revised.
Я чет ни черта не понимаю! Как в этой программе искать? Вбиваю в Поиск Нех данных 08 8а 76 67 а оно мне какую то херню пишет! За то когда вбиваю 8а спокойно находит.
И если в коде у меня 8 раз повторяется 08 8а 76 67 то мне что - каждый раз нужно открывать окно поиска? Кнопку - ДАЛЬШЕ тоже не придумали?
Я чёт ничего не понял, такая крутая прога а а поиск для неё непозволительная роскошь?
------------------------------
Все разобрался нужно писать БЕЗ пробелов и ВРУЧНУЮ! Если скопипастить и убрать пробелы - ни фига не ищет! Не знаю - баг или фича.
И если в коде у меня 8 раз повторяется 08 8а 76 67 то мне что - каждый раз нужно открывать окно поиска? Кнопку - ДАЛЬШЕ тоже не придумали?
Я чёт ничего не понял, такая крутая прога а а поиск для неё непозволительная роскошь?
------------------------------
Все разобрался нужно писать БЕЗ пробелов и ВРУЧНУЮ! Если скопипастить и убрать пробелы - ни фига не ищет! Не знаю - баг или фича.
Pasametr
088а7667 - здесь "а" русская
088a7667 - здесь "a" английская
разницу видишь? нет, а она есть.
088а7667 - здесь "а" русская
088a7667 - здесь "a" английская
разницу видишь? нет, а она есть.
Если добавить нулевые байты(увеличить размер файла),он выдает ошибку "Отмена невозможна после этой операции из-за заданного ограничения отмены 20МБ"
Если в настройках убрать ограничение он не сохраняет файл!
В чем причина?
Если в настройках убрать ограничение он не сохраняет файл!
В чем причина?
Если открыт файл и известно смещение от начала файла, можно ли узнать смещение соответствующего байта от начала физического диска?
GCRaistlin
Да, если точно известен LBA блок в котором данный фрагмент находится.
Добавлено:
Pasametr
В хекс ввода поиска не должно быть пробелов. Редакторы считают их частью шаблона и ... не находят искомое. Мне когда-то этот фокус напарник на OS/360 PCP нечаянно показал когда мы с ним её ядро дизассемблировали. Он случайно ввёл маску поиска с пробелами и .. дизассемблер ничего не нашёл и мы после вручную полночи нужный паттерн искали в листинге - машинное время кончилось.
Да, если точно известен LBA блок в котором данный фрагмент находится.
Добавлено:
Pasametr
В хекс ввода поиска не должно быть пробелов. Редакторы считают их частью шаблона и ... не находят искомое. Мне когда-то этот фокус напарник на OS/360 PCP нечаянно показал когда мы с ним её ядро дизассемблировали. Он случайно ввёл маску поиска с пробелами и .. дизассемблер ничего не нашёл и мы после вручную полночи нужный паттерн искали в листинге - машинное время кончилось.
Victor_VG
А как его узнать?
Смысл, в общем, в том, чтобы изменить 1 байт в очень большом файле без перезаписи его целиком.
А как его узнать?
Смысл, в общем, в том, чтобы изменить 1 байт в очень большом файле без перезаписи его целиком.
GCRaistlin
Ну, если смещение известно, то поправить конкретный байт. Обычно все хекс редакторы в таком случае сохраняют минимальный объём данных - сектор или блок. Танцуют от структуры файловой системы.
Ну, если смещение известно, то поправить конкретный байт. Обычно все хекс редакторы в таком случае сохраняют минимальный объём данных - сектор или блок. Танцуют от структуры файловой системы.
Victor_VG
Так известно только смещение от начала файла. Я и интересуюсь, как по нему узнать смещение от начала физического диска.
Так известно только смещение от начала файла. Я и интересуюсь, как по нему узнать смещение от начала физического диска.
GCRaistlin
Только восстановив всю цепочку его секторов по служебным записям файловой системы (ФС). Всё одно этими делами ОС заведует, а если это флешка, то установить реальный адрес байта в массиве вообще не возможно - у ней своя внутренняя ФС коей управляет зашитая в её контроллер ОС, а при форматировании создаётся только виртуальная ФС транслируемая контроллером к реальным адресам в массиве памяти устройства.
Возня не на один день без гарантии неизменности адресов во времени (к примеру если произойдёт дефрагментация - повторяем всё с начала), а оно жизненно важно?
Только восстановив всю цепочку его секторов по служебным записям файловой системы (ФС). Всё одно этими делами ОС заведует, а если это флешка, то установить реальный адрес байта в массиве вообще не возможно - у ней своя внутренняя ФС коей управляет зашитая в её контроллер ОС, а при форматировании создаётся только виртуальная ФС транслируемая контроллером к реальным адресам в массиве памяти устройства.
Возня не на один день без гарантии неизменности адресов во времени (к примеру если произойдёт дефрагментация - повторяем всё с начала), а оно жизненно важно?
Victor_VG
Да нет. Просто обратная задача - узнать, на какой файл приходится нечитаемый сектор, - на HDD решаема без проблем, вот и подумал...
Да нет. Просто обратная задача - узнать, на какой файл приходится нечитаемый сектор, - на HDD решаема без проблем, вот и подумал...
GCRaistlin
А, тогда это проще если сектор известен, то пробежаться поиском по таблицам ФС - за кем он числится? Может он вообще числится в пуле не распределённых? Пусть с ним chkdsk разбирается ибо это его прямая обязанность.
А, тогда это проще если сектор известен, то пробежаться поиском по таблицам ФС - за кем он числится? Может он вообще числится в пуле не распределённых? Пусть с ним chkdsk разбирается ибо это его прямая обязанность.
WinHex 18.3
[more=Изменения]* Conditional cell background coloring is now available as an option in Options | Directoy Browser. Helps to draw your attention to items of interest without having to filter out all non-matching items. Matching items are found through a substring search in the cell contents of a selected column. Substring expressions may be up to 15 characters long. If a match is detected in a cell, either that only the background of that particular cell can be colored (called "cell-targeted coloring") or the entire line. To color an entire column, regardless of the cell contents, activate cell-targeted coloring for that column and specify an empty condition string, i.e. no condition at all.
If a cell meets multiple cell-targeted conditions or multiple line-targeted conditions, only the first condition of each group will be applied. If different conditions apply to the same cell (one cell-targeted and one line-target color), that cell will be shown in a mix of both colors. For line-targeted coloring, only the first 255 characters in the respective cell are guaranteed to be searched.
Conditions cannot be defined for search hit specific columns, but for event specific columns. That can prove useful when trying to identify patterns in events. For example, you could color all events of type "Program started" in red and log-in events in yellow and see more easily how far apart from each other they are.
Conditional cell background coloring is case-specific if "Store directory browser settings in cases" is selected. It is also stored in and loaded from .settings files. .settings files continue to be compatible with previous versions. Up to 8 conditions may be defined.
* Hash set filter considerably accelerated for volume snapshots with a huge number of hash set matches. Previous versions will not be able to load hash set matches saved by v18.3 and later any more.
* Child objects of files now inherit the hash category "irrelevant" from their parents. That is possible because if an entire file is irrelevant, everything that can be extracted from that file must also be irrelevant. However, what is extracted from a "notable" file is not necessarily also notable, because perhaps only some parts or aspects of the parent file are notable. Of course, child objects of irrelevant parents will only be output if the user chooses to not omit irrelevant files from further processing in the first place.
* Ability to specifically copy text from the text column as Unicode even when the text column is not displayed in Unicode, or specifically as ANSI-encoded text even when the text column is not displayed as ANSI ASCII, using an additional command in the Edit | Copy menu. This command is potentially important because some users are unfamiliar with fundamental computing concepts like character sets or null-terminated strings, and they think that English language text in UTF-16 (where every other byte is 0x00) is not copied correctly by WinHex/X-Ways Forensics just because a text editor or word processing program that pastes the text naturally truncates it at the first null byte. These users may now notice in the GUI that another option exists, and may decide to give it a try. Previously it was necessary to change the text column to Unicode to copy text as Unicode (which is intuitive, because of "what you see is what you get").
* Automatic progress notifications via e-mail revised. If this feature didn't work for you in previous versions, in particular in the 64-bit edition, you may want to try again. You can now freely specify the SMTP port (by default 25, with 587 also being common) and conduct a test right from the dialog window with the settings (Options | General | Progress notification...). Remember to check your spam folder when looking for incoming automatically generated e-mail messages.
* New registry report output for remote desktop connections defined.
* IPA file type recognition improved.
* Some new file types with ranks as high as 4 and 5 were added.
* Larger preferred thumbnail sizes supported in the gallery. Could be useful for users who prefer really large thumbnails and have a very high resolution display.[/more]
[more=Изменения]* Conditional cell background coloring is now available as an option in Options | Directoy Browser. Helps to draw your attention to items of interest without having to filter out all non-matching items. Matching items are found through a substring search in the cell contents of a selected column. Substring expressions may be up to 15 characters long. If a match is detected in a cell, either that only the background of that particular cell can be colored (called "cell-targeted coloring") or the entire line. To color an entire column, regardless of the cell contents, activate cell-targeted coloring for that column and specify an empty condition string, i.e. no condition at all.
If a cell meets multiple cell-targeted conditions or multiple line-targeted conditions, only the first condition of each group will be applied. If different conditions apply to the same cell (one cell-targeted and one line-target color), that cell will be shown in a mix of both colors. For line-targeted coloring, only the first 255 characters in the respective cell are guaranteed to be searched.
Conditions cannot be defined for search hit specific columns, but for event specific columns. That can prove useful when trying to identify patterns in events. For example, you could color all events of type "Program started" in red and log-in events in yellow and see more easily how far apart from each other they are.
Conditional cell background coloring is case-specific if "Store directory browser settings in cases" is selected. It is also stored in and loaded from .settings files. .settings files continue to be compatible with previous versions. Up to 8 conditions may be defined.
* Hash set filter considerably accelerated for volume snapshots with a huge number of hash set matches. Previous versions will not be able to load hash set matches saved by v18.3 and later any more.
* Child objects of files now inherit the hash category "irrelevant" from their parents. That is possible because if an entire file is irrelevant, everything that can be extracted from that file must also be irrelevant. However, what is extracted from a "notable" file is not necessarily also notable, because perhaps only some parts or aspects of the parent file are notable. Of course, child objects of irrelevant parents will only be output if the user chooses to not omit irrelevant files from further processing in the first place.
* Ability to specifically copy text from the text column as Unicode even when the text column is not displayed in Unicode, or specifically as ANSI-encoded text even when the text column is not displayed as ANSI ASCII, using an additional command in the Edit | Copy menu. This command is potentially important because some users are unfamiliar with fundamental computing concepts like character sets or null-terminated strings, and they think that English language text in UTF-16 (where every other byte is 0x00) is not copied correctly by WinHex/X-Ways Forensics just because a text editor or word processing program that pastes the text naturally truncates it at the first null byte. These users may now notice in the GUI that another option exists, and may decide to give it a try. Previously it was necessary to change the text column to Unicode to copy text as Unicode (which is intuitive, because of "what you see is what you get").
* Automatic progress notifications via e-mail revised. If this feature didn't work for you in previous versions, in particular in the 64-bit edition, you may want to try again. You can now freely specify the SMTP port (by default 25, with 587 also being common) and conduct a test right from the dialog window with the settings (Options | General | Progress notification...). Remember to check your spam folder when looking for incoming automatically generated e-mail messages.
* New registry report output for remote desktop connections defined.
* IPA file type recognition improved.
* Some new file types with ranks as high as 4 and 5 were added.
* Larger preferred thumbnail sizes supported in the gallery. Could be useful for users who prefer really large thumbnails and have a very high resolution display.[/more]
Подскажите, как написать скрипт для WinHex, чтобы открыть определенный процесс в оперативной памяти, найти определенное hex значение и заменить на свое. Длина у заменяемого и замещающего одинаковые. По конкретному адресу не получается(они всегда разные), нужно именно find and replace.
Искал в интернетах и справке самого WinHex, но там синтаксис как открыть файл, а про Ram найти не удалось. Ну или какие альтернативы сей программы может есть, для поиска и редактирования памяти процесса.
Заранее спасибо
Искал в интернетах и справке самого WinHex, но там синтаксис как открыть файл, а про Ram найти не удалось. Ну или какие альтернативы сей программы может есть, для поиска и редактирования памяти процесса.
Заранее спасибо
WinHex 18.4
[more=Изменения]* A new technology was implemented that can help you to identify known documents (word processing documents, presentations, spreadsheets, e-mails, plain text files, ...) with a much more robust approach than conventional hash values. Even if a document was stored in a different file format (e.g. first PPT, then PPTX, then PDF), it can still be recognized. Internal metadata changes, e.g. after a "Save as" or or after printing (which may update a "last printed" timestamp), do not prevent identification either. Very often even if text was inserted/removed/reordered/revised, a document can still be recognized. This is achieved by using fuzzy hashes. The technology is called FuzZyDoc™.
FuzZyDoc hash values are stored in yet another hash database in X-Ways Forensics. So there are now 5 hash databases available in total, and counting. Hash sets based on selected documents can be added to the FuzZyDoc database exactly like hash sets can be created in ordinary hash databases, and the FuzZyDoc hash database can also be managed in the same dialog window as the other hash databases, so existing users will have no trouble locating and using the new functionality. For each selected document you can create 1 separate hash set, or you can create 1 hash set for all selected documents. Up to 65,535 hash sets are supported in a FuzZyDoc hash database.
FuzZyDoc is available to all users of X-Ways Forensics and X-Ways Investigator (i.e. not only law enforcement). FuzZyDoc should work well with documents in practically all Western and Eastern European languages, many Asian languages (e.g. Chinese, Japanese, Korean, Indonesian, Malay, Tamil, Tagalog, ..., but not Thai, Divehi, Tibetan, Punjabi, ...), and Middle Eastern languages (e.g. Arabic, Hebrew, ..., but not Pashto, ...). Note that numbers in spreadsheet cells are not exploited by the algorithm, only text. Note that only files with a confirmed or newly identified type will be matched against the FuzZyDoc hash database. For that reason, file type verification is applied automatically when FuzZyDoc matching is requested.
Documents whose contents are largely identical (e.g. invoices created by the same company with the same letterhead) are considered similar by the algorithm even if important details change (billing address, price), depending on the amount of identical text. That means that if you have 1 copy of an invoice of a company, matching against unknown documents will easily identify other invoices of the same company. For every document that is matched against the database, up to 4 matching hash sets are returned, and the 4 best matching hash sets are picked for that if more than 4 match. For every matching hash set, X-Ways Forensics also presents a percentage that roughly indicates to what degree the contents of the document match the hash set. For example, 100% means that all the textual contents that X-Ways Forensics deemed relevant in the given document can also be found in the hash set, 50% means half of the contents. 100% does not rule out the possibility that the document(s) that the hash set is based on contain(s) much more (other) text. The matching percentage does not count characters one by one, and it works only on documents that actually make sense, not on small test files that only contain a few words.
Before matching files against the FuzZyDoc hash database (a new operation of Specialist | Refine Volume Snapshot), you can specify which types of files you would like to analyze, and you can unselect hash sets in the database that you are temporarily not interested in. Note that processing less files (e.g. by specifying less file types in the mask) of course will require less time, proportionally, but selecting less hash sets for matching as such does not save time. You may specify a certain minimum percentage that you require for matches (15% by default) to ignore insignificant minor similarities. That option is not meant to save time either.
In order to re-match all documents in the volume snapshot against the FuzZyDoc hash database, please remove the checkmark in the "Already done" box first. Otherwise the same files will not be matched again, for performance reasons. Re-matching the same files may become necessary not only if you add additional hash sets to your FuzZyDoc database, but also if you delete hash sets, as that invalidates some internal links (if that happens, it will be shown in the cells of the result column).
FuzZyDoc should prove very useful for many kinds of white collar crime cases, most obviously (but not limited to) those involving stolen intellectual property (e.g. software source code) or leakage of classified documents. The technology is still in a testing stage.
* Matches with the FuzZyDoc database are presented in the same column as PhotoDNA matches and skin color percentages. That combined column is now more generically named "Analysis". A filter for FuzZyDoc matches is available. Sorting by the Analysis column in descending order now lists files with FuzZyDoc matches first (those files with the most confident matches for any hash set near the top, with lower percentages following), followed by PhotoDNA matches, if any, followed by pictures with no PhotoDNA matches (in descending order of their skin tone percentage). After that, irrelevant pictures are listed (picture with very small dimensions), and then files that are not pictures, and near the bottom black & white and gray scale pictures. Text color coding in that column now makes it easier to distinguish between different kinds of categorizations.
* The web history extracted from Internet Explorer (Webcache* files) is now added to the event list.
* Fixed possible errors when parsing UDF file systems.
* Several minor improvements.[/more]
[more=Изменения]* A new technology was implemented that can help you to identify known documents (word processing documents, presentations, spreadsheets, e-mails, plain text files, ...) with a much more robust approach than conventional hash values. Even if a document was stored in a different file format (e.g. first PPT, then PPTX, then PDF), it can still be recognized. Internal metadata changes, e.g. after a "Save as" or or after printing (which may update a "last printed" timestamp), do not prevent identification either. Very often even if text was inserted/removed/reordered/revised, a document can still be recognized. This is achieved by using fuzzy hashes. The technology is called FuzZyDoc™.
FuzZyDoc hash values are stored in yet another hash database in X-Ways Forensics. So there are now 5 hash databases available in total, and counting. Hash sets based on selected documents can be added to the FuzZyDoc database exactly like hash sets can be created in ordinary hash databases, and the FuzZyDoc hash database can also be managed in the same dialog window as the other hash databases, so existing users will have no trouble locating and using the new functionality. For each selected document you can create 1 separate hash set, or you can create 1 hash set for all selected documents. Up to 65,535 hash sets are supported in a FuzZyDoc hash database.
FuzZyDoc is available to all users of X-Ways Forensics and X-Ways Investigator (i.e. not only law enforcement). FuzZyDoc should work well with documents in practically all Western and Eastern European languages, many Asian languages (e.g. Chinese, Japanese, Korean, Indonesian, Malay, Tamil, Tagalog, ..., but not Thai, Divehi, Tibetan, Punjabi, ...), and Middle Eastern languages (e.g. Arabic, Hebrew, ..., but not Pashto, ...). Note that numbers in spreadsheet cells are not exploited by the algorithm, only text. Note that only files with a confirmed or newly identified type will be matched against the FuzZyDoc hash database. For that reason, file type verification is applied automatically when FuzZyDoc matching is requested.
Documents whose contents are largely identical (e.g. invoices created by the same company with the same letterhead) are considered similar by the algorithm even if important details change (billing address, price), depending on the amount of identical text. That means that if you have 1 copy of an invoice of a company, matching against unknown documents will easily identify other invoices of the same company. For every document that is matched against the database, up to 4 matching hash sets are returned, and the 4 best matching hash sets are picked for that if more than 4 match. For every matching hash set, X-Ways Forensics also presents a percentage that roughly indicates to what degree the contents of the document match the hash set. For example, 100% means that all the textual contents that X-Ways Forensics deemed relevant in the given document can also be found in the hash set, 50% means half of the contents. 100% does not rule out the possibility that the document(s) that the hash set is based on contain(s) much more (other) text. The matching percentage does not count characters one by one, and it works only on documents that actually make sense, not on small test files that only contain a few words.
Before matching files against the FuzZyDoc hash database (a new operation of Specialist | Refine Volume Snapshot), you can specify which types of files you would like to analyze, and you can unselect hash sets in the database that you are temporarily not interested in. Note that processing less files (e.g. by specifying less file types in the mask) of course will require less time, proportionally, but selecting less hash sets for matching as such does not save time. You may specify a certain minimum percentage that you require for matches (15% by default) to ignore insignificant minor similarities. That option is not meant to save time either.
In order to re-match all documents in the volume snapshot against the FuzZyDoc hash database, please remove the checkmark in the "Already done" box first. Otherwise the same files will not be matched again, for performance reasons. Re-matching the same files may become necessary not only if you add additional hash sets to your FuzZyDoc database, but also if you delete hash sets, as that invalidates some internal links (if that happens, it will be shown in the cells of the result column).
FuzZyDoc should prove very useful for many kinds of white collar crime cases, most obviously (but not limited to) those involving stolen intellectual property (e.g. software source code) or leakage of classified documents. The technology is still in a testing stage.
* Matches with the FuzZyDoc database are presented in the same column as PhotoDNA matches and skin color percentages. That combined column is now more generically named "Analysis". A filter for FuzZyDoc matches is available. Sorting by the Analysis column in descending order now lists files with FuzZyDoc matches first (those files with the most confident matches for any hash set near the top, with lower percentages following), followed by PhotoDNA matches, if any, followed by pictures with no PhotoDNA matches (in descending order of their skin tone percentage). After that, irrelevant pictures are listed (picture with very small dimensions), and then files that are not pictures, and near the bottom black & white and gray scale pictures. Text color coding in that column now makes it easier to distinguish between different kinds of categorizations.
* The web history extracted from Internet Explorer (Webcache* files) is now added to the event list.
* Fixed possible errors when parsing UDF file systems.
* Several minor improvements.[/more]
Всем привет. Подскажите пожалуйста как добавляются собственные сигнатуры в WinHex для восстановления удаленных файлов.
Заранее спасибо!
Заранее спасибо!
Вышла 18.5
WinHex 18.5
[more=Изменения]* Option to attach external files as child objects to their original counterparts (after decrypting, translation, convertion, OCRing, ...) in multiple evidence objects at the same time automatically if they are named after the unique ID of the original files. You can name the files after the unique ID when you copy them off the image with the Recover/Copy command, and you do not need to preserve the path, as the unique ID already fully identifies the file. Useful if you wish to apply external tools to the copied files which have problems with overlong paths, if you wish to bring back the result into the volume snapshot. The command to attach external files based on unique ID can be found in the context menu of the case.
* For your 9 most important report tables, keyboard shortcuts are now defined also to remove associations from the selected files. Ctrl+n adds the selected files to the related report table, Alt+n removes the associations. Useful if you accidentally press the wrong key combination or if you change your mind about the classification of a file, and wish to preserve associations with several other report tables (otherwise you could of course simply press Ctrl+0).
* Menu command to close the active case without saving it. Usually the case and volume snapshots of all open evidence objects are always saved, at latest when the evidence objects and the case are closed. This may be undesirable for example if you accidentally lost your carefully set tag marks (by untagging all, with a misdirected click in the column header) or if you accidentally lost report table associations (by pressing Ctrl+0 for all selected files). In such a situation it is just important to invoke the new menu command as soon as possible, before the auto-save interval elapses next time. Afterwards you can open the case again, and find everything as it was last time when the case was saved, which means that on average you will only lose half the amount of work that you get done within the auto-save interval, not everything.
* File carving approach revised, which may result in faster processing depending on the data.
* If auto-coloring for FILE records etc. is fully checked, FILETIME structures are now highlighted even if not aligned at a 4-byte boundaries.
* Support for HFS+/HFSJ/HFSX when searching for lost partitions. An extra effort is made to reject false positives automatically. Supports sector sizes 512, 4096, and 8192 bytes.
* Some minor improvements.[/more]
[more=Изменения]* Option to attach external files as child objects to their original counterparts (after decrypting, translation, convertion, OCRing, ...) in multiple evidence objects at the same time automatically if they are named after the unique ID of the original files. You can name the files after the unique ID when you copy them off the image with the Recover/Copy command, and you do not need to preserve the path, as the unique ID already fully identifies the file. Useful if you wish to apply external tools to the copied files which have problems with overlong paths, if you wish to bring back the result into the volume snapshot. The command to attach external files based on unique ID can be found in the context menu of the case.
* For your 9 most important report tables, keyboard shortcuts are now defined also to remove associations from the selected files. Ctrl+n adds the selected files to the related report table, Alt+n removes the associations. Useful if you accidentally press the wrong key combination or if you change your mind about the classification of a file, and wish to preserve associations with several other report tables (otherwise you could of course simply press Ctrl+0).
* Menu command to close the active case without saving it. Usually the case and volume snapshots of all open evidence objects are always saved, at latest when the evidence objects and the case are closed. This may be undesirable for example if you accidentally lost your carefully set tag marks (by untagging all, with a misdirected click in the column header) or if you accidentally lost report table associations (by pressing Ctrl+0 for all selected files). In such a situation it is just important to invoke the new menu command as soon as possible, before the auto-save interval elapses next time. Afterwards you can open the case again, and find everything as it was last time when the case was saved, which means that on average you will only lose half the amount of work that you get done within the auto-save interval, not everything.
* File carving approach revised, which may result in faster processing depending on the data.
* If auto-coloring for FILE records etc. is fully checked, FILETIME structures are now highlighted even if not aligned at a 4-byte boundaries.
* Support for HFS+/HFSJ/HFSX when searching for lost partitions. An extra effort is made to reject false positives automatically. Supports sector sizes 512, 4096, and 8192 bytes.
* Some minor improvements.[/more]
Страницы: 123456789101112131415161718192021222324252627
Предыдущая тема: Как грузануть RedHat при NTLoader в MBR?
Форум Ru-Board.club — поднят 15-09-2016 числа. Цель - сохранить наследие старого Ru-Board, истории становления российского интернета. Сделано для людей.