WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.
- Ability to completely access and examine media and interpreted image files
with more than 4.3 billion (2^32) sectors. (still testing) Allows you to read
data from beyond the 2 TB barrier on media with a sector size of 512 bytes.
Also support for NTFS volumes that consist of more than 2^32 sectors. Other
file systems on partitions that large: Not specifically supported.
- Ability to attach external files to the volume snapshot and have them
processed by X-Ways Forensics like regular files in the volume snapshot.
Useful if you need to translate or decrypt original files and would like to
reintegrate the result back in the original volume snapshot, in the original
path, for further examination, reporting, filtering, searches etc. Such
external files will be completely managed by X-Ways Forensics once attached,
copied to the metadata directory, and marked as virtual files. In order to
attach a file, you right-click the original file that the external file is
based on and invoke "Attach external file". The new file should be
named based on the original file.
- When filling an evidence file container, two new options are now
available: One option allows you to copy files partially to the container
only. This is possible if the file has been opened in File mode and a block
is selected. Useful e.g. if there is a relevant search hit in the middle of
a 2 GB swap file or of a 100 GB virtual free space file, and you would like
to forward the context of that search hit to someone via a container,
thereby omitting GBs of data that are not related.
- The other option allows you to copy *only* the file system metadata of
selected files to a container, totally omitting all file contents. When
examining such a container, you can see the entire original directory
structure, all filenames, timestamps, file sizes, attributes, etc. and can
use various filters.
- Ability to specifically deal with NTFS compression when searching for
files via file header signatures (forensic license only). Allows you to
automatically list NTFS-compressed files of certain types whose FILE records
are no longer available. These files are also automatically decompressed for
File mode, Preview mode, and the Recover/Copy command.
- Now extracts metadata from JPEG, PNG, TIF, GIF, THM, thumbs.db, ASF, WMV,
WMA, MOV, GZ in Details mode in addition to many other file types.
Additional metadata now extracted from PPT files. General further
improvements for OLE2 compound files.
- When running a file header signature search, WinHex now automatically
names Exif JPEG pictures after the model designation and time stamp as
stored by the digital camera card. (specialist license or higher)
- The internal creation timestamp that can be found in various file types
can now be displayed in a separate directory browser column, once extracted
with a new context menu command ("Extract Internal Metadata") or
once seen in Details mode. Thanks to this new column and the timestamp
filter, it is now very easy to focus on files/documents that were actually
created in a certain time period. Internally stored timestamps are usually
less volatile than file system level timestamps and more difficult to
manipulate retroactively. The supported file types are: OLE2 compound files
(e.g. pre-2007 MS Office documents), MDI, ASF, WMV, WMA, MOV, various JPEG
variants, THM, TIFF, PNG, GZ, SHD printer spool, PF prefetch, LNK shortcut,
and DocumentSummary alternate data streams.
- The option to copy/append metadata to comments has been moved to the same
new context menu command.
- The hash set column now comes with a filter that allows you to focus more
conveniently on files whose hash values are contained in selected hash
sets or are not contained in selected hash sets.
- When using the Recover/Copy command, overlong paths are now truncated and
rendered legal if shortening the last path component can achieve that. Any
file with a path longer than 259 characters after this attempt will still
not be copied and is instead associated with a report table because it wouldn't be
possible to deal with this file in Windows anyway.
- UTC-based timestamps displayed in the registry viewer and in the registry
report now respect the "Show time zone bias" option so that it's
obvious if and how they have been converted to local time. The same time
zone settings as for the active case are used.
- When analyzing small amounts of data (<50000 bytes) with Tools |
Analyze Data, the compression ratio that zlib achieves for that data is now
displayed in the analysis window caption.
- Attachments in original .eml e-mail message files (not virtually produced
by X-Ways Forensics itself) can now be extracted if you add *.eml to the
series of file masks for e-mail extraction.
- Item numbers in the directory browser are now 1-based instead of 0-based.
- Sectors mode is now labeled either Disk, Partition, Volume, or Container,
depending on the nature of the data represented in the data window.
- Several minor improvements.
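
To make the "internal creation timestamp" item above concrete, the following added example (not WinHex or X-Ways code) reads two such fields by hand: the MTIME field of a GZ header (RFC 1952) and the CreationTime field of an LNK shell link header (MS-SHLLINK, where it records the creation time of the link target). The function names are hypothetical and both sample inputs are constructed in the script.

```python
import gzip
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def gz_internal_time(data: bytes):
    """Return the MTIME field of a gzip header (RFC 1952) as UTC, or None."""
    if len(data) < 10 or data[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip/deflate member")
    (mtime,) = struct.unpack_from("<I", data, 4)
    # MTIME == 0 means "no timestamp available", not 1970-01-01.
    return datetime.fromtimestamp(mtime, timezone.utc) if mtime else None


def lnk_creation_time(data: bytes):
    """Return the CreationTime FILETIME of a shell link header as UTC, or None."""
    if len(data) < 0x4C:
        raise ValueError("truncated shell link header")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    (filetime,) = struct.unpack_from("<Q", data, 0x1C)
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means "not set".
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def build_sample_lnk_header(created: datetime) -> bytes:
    """Constructed sample: a 76-byte header with only CreationTime filled in."""
    ticks = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return struct.pack("<I16sII3QIIIHHII", 0x4C, LNK_CLSID, 0, 0,
                       ticks, 0, 0, 0, 0, 1, 0, 0, 0, 0)


if __name__ == "__main__":
    stamp = datetime(2008, 1, 10, 21, 20, tzinfo=timezone.utc)  # constructed value
    gz_sample = gzip.compress(b"constructed sample", mtime=int(stamp.timestamp()))
    print("GZ  MTIME       :", gz_internal_time(gz_sample))
    print("LNK CreationTime:", lnk_creation_time(build_sample_lnk_header(stamp)))
```

Both values come from bytes inside the file, so they survive a copy to another volume that resets the file system timestamps.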