WinHex 16.2 [more=Changes]A preview version of X-Ways Forensics 16.2 is now available. The download link can be retrieved as always by querying one's license status.
What's new?
* Ability to search and index in up to 5 code pages simultaneously (including UTF-16 Unicode), 2 more than before. Useful for languages for which several code pages are commonly in use, e.g. Chinese and Japanese.
* Code pages are now always listed for selection in ascending order of their numeric identifiers.
* Ability to visually compare different single-byte code pages thanks to simultaneous code page tables (View | Tables | Hexadecimal / Code Page).
* Code page independent GREP searches for exact byte values enabled by selecting a "non" code page called "Direct byte-wise translation for GREP", which translates byte values without any mapping for certain code pages or case matching.
* Ability to search in big-endian UTF-16 Unicode. (However, the search hits are readable only in Western European languages.)
* Some other improvements to the GREP search engine.
* Each search hit now remembers in which code page it was found. You can see the code page in the search hit description column.
* X-Ways Forensics now preserves and displays paths/directories when exploring file archives.
* Ability to only include the number of items in a report table in the report, not a list of those items.
* The volume snapshot options are now available directly via the Options menu.
* A new option among the directory browser options allows you to tag or hide files in the directory browser non-recursively, such that tagging/untagging/hiding/unhiding a file has no effect on parent or child objects or parent or subdirectories. Useful for example if all child objects of a file should be processed in volume snapshot refinement or searched, but not the parent object. Previously it was not possible to have an untagged parent object whose child objects are all tagged. If the recursive tagging option is in its middle state, that means that child objects still inherit the tagged state from their parent at the moment when they are newly added to the volume snapshot, e.g. when you extract e-mail and attachment from an e-mail archive.
* Whether tagging and hiding works recursively or not can now also be controlled by holding the Shift key.
* If main memory is represented as a physical disk, for example because it is the RAM of a remote computer accessible via F-Response or because it is a raw memory dump or .e01 evidence file with a memory dump interpreted as a physical disk, it is now possible to open a "Volume" from within the "physical disk" in which X-Ways Forensics offers its main memory analysis.
* Newly created .e01 evidence files of memory will be internally marked as images of volumes rather than physical disks such that even older versions will be able to recognize them as memory dumps.
* If a memory dump is misinterpreted as a physical disk image with a sector size of 512 bytes, the "volume" that can be opened from within will be successfully re-interpreted as having the appropriate sector size (or actually page size in this case) of 4 KB.
* Exceptions in metadata extraction fixed.
* .lnk shortcut file interpretation revised.
* Several minor improvements.
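The simultaneous multi-code-page search from the list above, where each hit remembers the code page it was found in, can be sketched as follows. This is an added Python example, not X-Ways code; the codec names stand in for the selected code pages and the sample buffer is constructed.

```python
from collections import defaultdict

# Python codec names standing in for the code pages an examiner selects
# (assumption); five at once, as in the release note.
CODE_PAGES = ["cp932", "euc_jp", "utf-8", "utf-16-le", "utf-16-be"]


def encode_variants(term, code_pages):
    """Map each distinct byte pattern of `term` to the code pages producing it."""
    variants = defaultdict(list)
    for cp in code_pages:
        try:
            variants[term.encode(cp)].append(cp)
        except UnicodeEncodeError:
            continue  # term cannot be written in this code page
    return variants


def search(data, term, code_pages=CODE_PAGES):
    """Return sorted (offset, code_pages) hits; each hit records where it matched."""
    hits = []
    for pattern, cps in encode_variants(term, code_pages).items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, tuple(cps)))
            pos = data.find(pattern, pos + 1)  # step by 1 to keep overlapping hits
    return sorted(hits)


# Constructed sample buffer: the same Japanese keyword stored three ways.
KEYWORD = "東京"
SAMPLE = (b"HDR:" + KEYWORD.encode("cp932") + b"|"
          + KEYWORD.encode("utf-16-be") + b"|" + KEYWORD.encode("utf-8"))

if __name__ == "__main__":
    for offset, cps in search(SAMPLE, KEYWORD):
        print(f"offset {offset:3d}  code page(s): {', '.join(cps)}")
    # An ASCII-only keyword encodes identically in several code pages, so the
    # single hit is attributed to all of them instead of being reported twice.
    print(search(b"xxinvoice", "invoice", ["cp1252", "utf-8", "utf-16-le"]))
```

A keyword that a code page cannot represent is skipped for that code page, so it never produces a pattern there.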
Preview 2:
* Support for Outlook compressible encryption as a code page for the text column and simultaneous searches.
* Ability to display certain TIFF pictures with old-style JPEG compression.
* Ability to check the consistency of the format of files of known types and output "OK" or "corrupt" in the Type Status column and filter for these properties. In later releases the consistency will be checked, depending on the file type, during file header signature search, file type verification and/or metadata extraction. In this release only the consistency of JPEG files is checked, and only when running a file header signature search.
* Recover/Copy: Ability to copy only direct children and not all descendants recursively, by checking the box only half. That can be useful for example when you want to copy e-mails off the image and embed their attachments, but don't care for further children of the attachments that X-Ways Forensics has extracted from them.
* E-mail extraction from Exchange EDB databases improved (same revision level as v16.1 SR-7).
* Dynamic adaption of the video still export interval based on the video play length when using MPlayer. The longer the video, the longer the interval.
* Until now, report tables were not a good means to categorize more than 10,000 or 100,000 files in volume snapshots with millions of files. Filtering and sorting by report tables was slow with such huge numbers. That has changed. It is now quick to filter and sort by report tables with several 100,000 associations in huge volume snapshots.
* Report table items are now output in the case report in the order of the internal ID within each evidence object, no longer in the order in which the files were added to the report tables.
* Recover/Copy: The length of the names of artificial subdirectories created in the output folder to accommodate child objects of files is now limited to a user-defined number of characters, 32 by default. This is useful in particular for e-mail messages that are named after the subject line and of course can contain attachments as child objects, to avoid overlong paths.
* Recover/Copy: The suffix used to name artificial subdirectories created in the output folder to accommodate child objects of files is now fully user-definable.
* Proximity searches did not work in the first preview version. That was fixed.
* Several minor improvements.
* Older versions of X-Ways Forensics cannot read the volume snapshot format used by v16.2 and later.
Preview 3:
* Ability to sort in the directory browser by up to 3 criteria (instead of 2 as before).
* Sorting by Name and Path is now case-insensitive.
A note about sorting: A few times I got the impression that some users have a wrong idea about how multi-criteria sorting works. They believe that somehow when sorting for example by modification date and access date that both files with either very late modification dates and very late access dates will be listed near the bottom. However, that is a misconception. There is a clear hierarchy. The secondary sort criterion is used to sort items only if these items have exactly the same value for the primary sort criterion (and that is *very* rarely the case for timestamps with such a high precision as provided by the NTFS file system). The separate criteria are not somehow magically "merged" to a unified single criterion that based on some model linearly orders all items. Similarly now with 3 sort criteria, the tertiary criterion is used only if items have exactly the same values for the primary and the secondary sort criterion.
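The hierarchy described in this note, shown on constructed file entries with up to three criteria and case-insensitive names. This is an added Python example, not X-Ways code; the `Entry` type, field names and timestamps are assumptions made for illustration.

```python
from datetime import datetime
from typing import NamedTuple


class Entry(NamedTuple):
    name: str
    modified: datetime
    accessed: datetime


def sort_entries(entries, criteria):
    """Sort by up to three (field, descending) criteria, primary first.

    Stable sorts are applied from the least to the most significant
    criterion, so a later criterion only orders items that are exactly
    equal on every earlier one.
    """
    if not 1 <= len(criteria) <= 3:
        raise ValueError("between 1 and 3 sort criteria are supported")
    result = list(entries)
    for field, descending in reversed(criteria):
        def key(entry, field=field):
            value = getattr(entry, field)
            # Names are compared case-insensitively, timestamps as they are.
            return value.casefold() if isinstance(value, str) else value
        result.sort(key=key, reverse=descending)
    return result


# Constructed sample data (not from a real volume snapshot).
T = datetime
ENTRIES = [
    Entry("newest.doc",      T(2012, 5, 1, 0, 0),  T(2012, 5, 1, 0, 0)),
    Entry("C.doc",           T(2012, 3, 1, 9, 0),  T(2012, 3, 1, 9, 30)),
    Entry("late_access.doc", T(2012, 1, 1, 10, 0), T(2012, 6, 30, 12, 0)),
    Entry("B.doc",           T(2012, 3, 1, 9, 0),  T(2012, 3, 2, 8, 0)),
    Entry("alpha.doc",       T(2012, 3, 1, 9, 0),  T(2012, 3, 1, 9, 30)),
]

if __name__ == "__main__":
    order = [("modified", False), ("accessed", False), ("name", False)]
    for e in sort_entries(ENTRIES, order):
        print(f"{e.modified}  {e.accessed}  {e.name}")
```

`late_access.doc` has the latest access date of all entries but is listed first, because its modification date is the earliest and the access date is consulted only among entries with identical modification dates.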
* Option to output files in the report either grouped by evidence object (as before) and sorted by internal ID or (and this is new) in the order in which they are currently listed in the case root window, where you can freely change the order thanks to now up to 3 sort criteria. Note that if you choose the second option, files that are not listed in the case root window will not be output, even if they are part of a report table. That means that current filter settings now can have an effect on the generation of the report, too. If files are omitted because they are not listed in the case root window at the time of report generation, you will be notified of that in the report and in a message box.
* Ability to deal with NTFS volumes with more than 2^31 (and up to 2^32) clusters.
* Speed quadrupled (!) for unused areas when imaging volumes with the option to exclude data in free clusters. Depends on compression level.
* Some minor improvements.
Preview 4:
* Supports skipping free clusters now even for partitions when imaging MBR- and GPT-partitioned physical disks, not only when imaging pure volumes.
Beta:
* Improved support for volumes with more than 2^31 clusters.
* The search engine now assigns search hits to more than one GREP expression if multiple expressions are equivalent.
* Ability to watermark optionally omitted free space in an image at the start of each sector with a Unicode text string, so that when working with the image you are reminded of the omission when you look at data in drive free space.
* Recover/Copy: Ability to copy files with a partial path from the case root window. In that case only the evidence object name is used as the path, not the path within the evidence object.
* Several minor improvements.
Also to be expected in v16.1 SR-8:
* Avoided an exception error that could occur after failed memory allocations.
* Improved compatibility with new viewer component version 8.3.7.
Beta 2:
* Includes the computer name and user name in the imaging log.
* The file header signature search classifies found RAR archives as corrupt if they cannot be carved completely.
* Accelerated filling of containers in certain situations.
* Some minor improvements.
v16.2 has just been released.
Additional changes since the last beta version:
* Correct encoding of angled brackets that occur in Windows registry values for the output in registry HTML reports based on advice by TronicGuard / Martin Wundram.
* Improved ability to deal with certain corrupt registry hives.[/more]
================
http://www.x-ways.net/winhex.zip
================
Russian localization of WinHex 16.2 by Localiz2 http://msilab.net/rus.6641