WinHex 16.4 [more=Changes:]
Performance
* A 64-bit version is now available, first as a 64-bit WinHex add-on for licensed users of X-Ways Forensics. This add-on is added to an installation of the 32-bit version of X-Ways Forensics (where the 32-bit WinHex add-on may also be present), and the 64-bit .exe file must be located in the same directory as the 32-bit .exe file, with some 64-bit versions of other files located in a subdirectory named \x64. Otherwise all files are shared by both versions. That means that all your settings, search terms, file type signature definitions, file type category definitions etc. are conveniently remembered and commonly used by both versions. Both versions use exactly the same format for case files and volume snapshots. While this 64-bit version is not yet fully tested (hash computation not optimized yet, progress notification via e-mail and SMART data not yet available), it can already be very helpful in situations where the 32-bit memory address space is insufficient, when dealing with disks or images that contain many millions of files, or when dealing with many millions of search hits, provided that you have plenty of physical RAM installed. A 64-bit version of the viewer component is now also provided. Comments welcome!
* Copying large files (Recover/Copy and adding to containers) accelerated.
* New buffer system at work when reading from .e01 evidence file, which can speed up processing in certain situations.
* Supports more complex GREP search expressions now than before. Such complex expressions required too much main memory in previous versions to run.
File system support
* When running a particularly thorough file system data structure search on NTFS volumes, X-Ways Forensics now specially deals with any existing or previously existing volume shadow copies and includes valuable information in the volume snapshot that would not be available otherwise, such as files that cannot be found in the current $MFT any more or old versions of files whose contents have changed (unlike in previous versions for files of any size), and now does that relatively quickly even if you choose not to use the potentially very time consuming "Search FILE records everywhere" option. Processing of volume shadow copies, if any, occurs before all the other operations that are part of the particularly thorough file system data structure search (parsing $LogFile, optionally searching for FILE records outside of $MFT and outside of VSC, searching for index records in the slack of INDX buffers). If there are volume shadow copies, the caption of the small progress indicator window will tell you when they are being parsed.
* The software now distinguishes between deleted files whose contents may have changed and deleted files whose original contents are known to be still available. See Legend for icons. Virtual files now have a different icon, with a "v" for "virtual".
* Reparse points are no longer highlighted by a virtual file whose name reveals the target, but by a comment that is attached to the reparse point host directory.
File format support
* E-mail extraction revised for certain e-mail archive file types such as Exchange EDB, DBX, MBOX, and MSG, in particular better support for e-mails in e-mails (e-mails as attachments).
* Metadata extracted from XML files in Office documents are now attached to the outer Office document, no longer to the inner XML files in which they were actually found, but where some users do not expect them.
* OLE2 timestamps can now be translated by the Data Interpreter and in templates optionally in big endian, as they appear in ICQ 7 chat messages.
Usability
* Ability to open a directory (File | Open Directory). This new function can list the files and subdirectories of any accessible directory in the directory browser.
* Ability to add any accessible directory to the case. Useful if a directory or a file of interest resides on a drive with many irrelevant files, if you merely wish to view, hash, or search a few of those files, check their metadata or copy them to an evidence file container etc.
* When pressing a Ctrl+number key combination that is not currently assigned to any report table (e.g. accidentally), X-Ways Forensics now produces an error sound.
* More information in progress indicator window when copying files.
* Several minor improvements.
Preview 2:
Usability
Automate investigative tasks and extend the functionality of X-Ways Forensics with X-Tensions.
The X-Ways Forensics X-Tension API (application programming interface) allows you to use many of the advanced capabilities of the X-Ways Forensics computer software programmatically and extend them with your own functionality. For example, you could implement some specialized file carving for certain file types, automated triage functionality, alternative report generation, or automatically filter out unwanted search hits depending on your requirements etc.
Among other things, X-Tensions allow you to:
- read from a disk/partition/volume/image
- retrieve abundant information about each file and directory in the volume snapshot
- read from any file
- create new objects in the volume snapshot
- assign files to report tables
- add comments to files
- process, validate and delete search hits
- and do practically everything else that is possible with a Windows program! (thanks to the Windows API)
You can use your programming language of choice, e.g. C++, Delphi, or Visual Basic, and do not have to learn any new programming language. You can use your compiler of choice, for example Visual Studio Express (freeware).
Since an extension is not an interpreted script, but regular compiled executable code that is running in the address space of the application itself, you can expect highest performance, the same as with internally implemented functionality. X-Tensions give you easy and direct access to crucial and powerful functions deep inside X-Ways Forensics.
When X-Tensions functions can get called:
- when refining the volume snapshot
- when running a simultaneous search
- in future versions of X-Ways Forensics via the directory browser context menu
- in future versions of X-Ways Forensics via the search hit context menu
You may distribute your XWF extension DLLs that you compile and/or your source code free of charge or even for a fee, under whatever license terms you see fit.
For more information please see
http://www.x-ways.net/forensics/x-tensions/api.html.
* More convenient ability to specify nature, sector size and additional storage location of raw images when holding the Shift key when interpreting images.
* When reading files in the volume snapshot fails while refining the snapshot or running a logical search, for example because the storage location of some of the clusters is unknown or because they are contained in corrupt file archives, only one read error message is output per session, and the user is informed of a newly introduced attribute by which you can also filter: "file contents unknown, partially".
Performance
* Some corrections in 64-bit version.
* Previously existing files whose first cluster is known to have been overwritten or whose first cluster is unknown (i.e. red X files) are now generally excluded from volume snapshot refinement except if you specifically target them via tagging. They are also excluded from logical searches and from indexing if the recommendable data reduction is active unless targeted specifically via tagging or selection.
File system support
* Processing of volume shadow copies further improved.
File format support
* Ability to carve MP3 files without ID3 tags with automatic file size detection.
* New flag "c" supported in the file type signature definitions which, if taken into account (depends on user interface settings), ignores header signatures that are found not aligned at cluster boundaries.
* Files carved with the new flag "g" greedily allocate all their sectors exclusively. The file type signature search continues its search for further file headers only after the presumed end of such files.
* Several minor improvements.
* 64-bit X-Ways Forensics add-on now available in addition to the 64-bit WinHex add-on.
* Chinese user interface now available under 64-bit.
Preview 2b:
* Fixed inability of 64-bit version to take volume snapshots of FAT volumes.
Preview 3:
* Prevented exception errors that could occur during byte level file header signature search in Preview 1 and 2.
* Cases now remember non-standard sector sizes of raw images so that you do not have to specify them again when re-opening a raw image evidence object.
* Specially intercepts and reports exceptions that might occur in X-Tensions.
* Some minor improvements and fixes.
Preview 4:
* Improved ability to take a snapshot of volumes with many millions of files, especially in the 64-bit version, but also in the 32-bit version (if used with the /3GB switch or better in a 64-bit Windows).
* File header signature search further accelerated. Automatic file size detection for MPEG, MP3 in general, and index.dat.
* Option to copy child objects of selected files from search hit lists.
* Fixed some errors in earlier 16.4 Preview versions.
* Several minor improvements.
Preview 5:
* File header signature search: For each file type that the internally implemented algorithms in X-Ways Forensics know well and support with automatic size detection, the ID of the corresponding algorithm is now specified in the "File Type Signatures Search.txt" definition instead of a footer signature, following a tilde symbol (~). For example that can be useful if you create alternative definitions for a certain file type (e.g. to match a certain subtype only), to ensure that the sophisticated file size detection at work in X-Ways Forensics is still applied.
* Improved slow loading and saving of search hits in the 64-bit edition.
* Warns when trying to load the 64-bit viewer component from the 32-bit edition of X-Ways Forensics. (Some users now think the 64-bit viewer component is for 64-bit Windows, but it is for 64-bit X-Ways Forensics.)
* Fix for EDB processing in the 64-bit edition.
* Some minor fixes, several minor improvements, some internal restructuring.
Preview 6:
* Ability to run X-Tensions from the directory browser context menu and apply them to selected files.
* Fixes for several issues in Preview 4 and Preview 5.
Preview 7:
* Improved responsiveness when decompressing large file archives.
* Some minor improvements.
* Fixes for some more issues in v16.4 Preview.
* Ability to identify Btrfs file systems.
Preview 8:
* Speed for sorting by filename more than tripled.
* Accelerated file carving for large volume snapshots when finding many more files.
* Improvements for Exchange EDB extraction.
* Ability to add a selected block to the volume snapshot as a virtual file even from the case root window (in File mode).
* Ability to use the Name filter for keyword searches in filenames not only with GREP syntax.
* New flag "u" for the file header signature search that allows carving files in unused clusters only.
* Several fixes and minor improvements.
Beta 1:
* Hashing with the MD5 algorithm (the mere computation, excluding disk I/O for reading data) further accelerated in the 32-bit edition by ~30%, with SHA-1 by ~20% (depends on the processor), and in the 64-bit edition it is now optimized, too, and even slightly faster than in the 32-bit edition!
* Further accelerated sorting by various columns.
* Several fixes and minor improvements.
Beta 2:
* MD4 and ed2k hash computation now optimized in the 64-bit edition, too.
* New file carving flag "F" (upper case) that makes X-Ways Forensics discard hits of the file header signature search if no corresponding footer can be found, provided that a footer signature is specified in the definition. Can be useful to reduce the number of or totally avoid false positives.
* In newly taken volume snapshots of physical disks, all virtual files covering unpartitioned areas will not be subject any more to volume snapshot refinement (e.g. hash computation) unless specifically targeted via tagging, to save time and because it does not make much sense. The same applies to partitioned areas on GPT+LDM disks that are not treated like partitions because they never contain a file system (only the dynamic volumes do).
Beta 3:
* Virtual files are now counted separately in the caption line of the directory browser and no longer included in the count of existing or previously existing files. The icons of virtual files and directories have been changed.
* If not using the crash-safe decoding option and if the viewer component crashes X-Ways Forensics when decoding a certain file, on the next start-up X-Ways Forensics points out more precisely that the crash occurred during the decoding step and recommends activating crash-safe decoding (which is an option in Options | Viewer Programs).
* New flag "t" for the file header signature search that prevents X-Ways Forensics from listing carved files immediately with a confirmed file type. Useful for example for file format families such as XML, to determine the exact subtype later during file type verification.
* Several fixes and minor improvements.
Beta 4:
* When printing multiple selected files (using the viewer component), only a single print job will be submitted, for all files and (if selected) cover pages, such that no other print jobs sent to a shared printer can get in between and such that if you are printing to PDF you will be prompted for a filename only once and all pages are printed to the same output file.
* Some fixes.
Beta 5:
* Files found in volume shadow copies are now specially marked if they are previous versions of files that were known to the volume snapshot already before the thorough file system data structure search. Remember you can sort by ID to see the files they are a previous version of next to them.
* Several minor improvements, some fixes.
Beta 6:
* Filter for the Owner column.
* More detailed filter for previously existing files.
* When activating or deactivating a filter, X-Ways Forensics now automatically selects the item in the directory browser again that you had clicked last, if it is still listed in the directory browser.
* Option to avoid that previous versions of files in volume shadow copies are added to the volume snapshot if they are exact duplicates (identical file contents) so that it is much easier to focus on files for which actually previous data is still available. See Options | Volume Snapshot. If fully selected, X-Ways Forensics will compare files up to 128 MB, if half selected, only up to 16 MB, so as not to waste too much time on this feature.
* Fixed an error in the direct byte-wise translation for GREP that could cause some additional false hits.
Beta 7:
* AES encryption and decryption accelerated by 70% in the 64-bit edition and by 30% in the 32-bit edition.
* Ability to mark important evidence objects in the case root window with a yellow flag.
* More informative evidence object selection dialog windows that show the number of files in each evidence object and the yellow flag, if it has one.
* Ability to tag or untag all items in the volume snapshots of all open evidence objects by clicking the case root icon with the middle mouse button.
* Ability to represent large offsets in decimal.
* Several fixes and minor improvements.
Beta 8:
* New encryption algorithm for .e01 evidence files: 128-bit AES in BE CTR mode, which is ~67% faster than the already accelerated implementation of 256-bit AES in LE CTR mode, for both encryption and decryption. Previous versions of X-Ways Forensics cannot open .e01 evidence files created with the new algorithm.
* Storing an iterative SHA-256 hash of both the password and the salt in encrypted .e01 evidence files for password verification purposes is now optional when using the 256-bit AES option (see Security Options). Previous versions of X-Ways Forensics cannot open .e01 evidence files created without such a hash.
* Several fixes.
Beta 9:
* Ability to select file types for the file header signature search more conveniently grouped by categories instead of in a flat list.
* If a certain file for which a hash value was computed before or for which a hash value is computed at the same time (volume snapshot refinement) crashes X-Ways Forensics (of which you are usually informed in great detail when restarting X-Ways Forensics), identical files are now skipped automatically if you (continue to) refine the volume snapshot and compute hash values (at least if the protection against identical crasher files is active in the properties of the case). To make the case forget previous crasher files, click the Delete button in the case properties. Skipped files are automatically added to the report table "Reason for crash?".
* Several minor improvements.
* Some fixes.
Beta 10:
* Both Position submenus have been renamed Navigation.
* Two neat commands for navigation in the directory browser have been added to the context menu (Navigation submenu):
1) "See selected item in its directory" will show you the selected file or directory among its siblings. Useful to quickly check out whether there are more notable files in the same directory or to better understand the function of the file when you see it in context.
2) "See selected item from volume root" will show you the selected file among all other files in the same volume. Useful for example to see whether there are any files with the same name, the same ID (e.g. previous version from a volume shadow copy), same owner, same sender, or similar timestamps etc. in the same file system (just sort accordingly).
Both commands can also be used from within the case root window and from within search hit lists (so the previous "Go to file in directory browser" command becomes obsolete). Remember you can click the Back button in the toolbar to conveniently return to the previous view.
* When toggling between normal and recursive exploration of the same directory, e.g. by clicking the button with the turquoise curly arrow, X-Ways Forensics now automatically selects the last selected item again if it is still contained in the directory browser after the change.
* Ability to copy the text in the cell of the directory browser that you right-click to the clipboard. Previously users had to copy from Details mode.
* File format consistency check now supported for EXE, ZIP, RAR, JPEG, GIF, PNG, RIFF, BMP, PDF.
* A few minor improvements.
Beta 11:
* The user manual and program help have been updated for v16.4.
* File carving further improved for video files (MP4, f4v, pnot, FLV), iPhone files (sms.db, AddressBook.sqlitedb, notes.db) and binary plists.
* Some small fixes.
v16.4 will be officially released on March 22, 2012.[/more]
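
The file carving flags "c", "g", "u" and "F" described in the Preview 2, Preview 8 and Beta 2 notes above can be illustrated with a toy header signature search. This is an added example, not X-Ways code and not its definition file format; the cluster size, signatures, sample image and the names carve, sample_image, used_clusters and max_size are all constructed assumptions, and "u" is simplified to checking only the cluster that holds the header.

```python
# Added illustration, not X-Ways code: a toy header-signature carver that
# models the changelog's descriptions of flags "c", "g", "u" and "F".
CLUSTER = 8                         # constructed, tiny cluster size
HEADER, FOOTER = b"HDR!", b"END!"   # constructed signatures

def sample_image():
    """Constructed 48-byte 'volume' (6 clusters) with three header hits."""
    img = bytearray(b"." * 48)
    img[0:4] = HEADER      # file A starts cluster-aligned at offset 0
    img[10:14] = HEADER    # stray header inside file A, not cluster-aligned
    img[20:24] = FOOTER    # footer of file A, so A spans bytes 0..24
    img[32:36] = HEADER    # aligned header in cluster 4, no footer follows
    return bytes(img)

def carve(data, header, footer=None, flags="", used_clusters=frozenset(), max_size=64):
    """Return [(start, end), ...] for every accepted header hit."""
    hits, pos = [], 0
    while (start := data.find(header, pos)) >= 0:
        pos = start + 1
        if "c" in flags and start % CLUSTER:
            continue                      # c: header not at a cluster boundary
        if "u" in flags and start // CLUSTER in used_clusters:
            continue                      # u: header lies in an allocated cluster
        end = min(start + max_size, len(data))   # default size if no footer is found
        if footer is not None:
            f = data.find(footer, start + len(header), end)
            if f >= 0:
                end = f + len(footer)
            elif "F" in flags:
                continue                  # F: a footer is defined but missing
        hits.append((start, end))
        if "g" in flags:
            pos = end                     # g: resume only after the presumed end
    return hits

if __name__ == "__main__":
    img = sample_image()
    for flags in ("", "c", "g", "F", "cF"):
        print(repr(flags), carve(img, HEADER, FOOTER, flags))
    print("u", carve(img, HEADER, FOOTER, "u", used_clusters={0, 1, 2}))
```

Without flags the stray header at offset 10 and the footer-less header at offset 32 both produce hits; "c" or "g" drops the first, "F" drops the second.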