WinHex Changelog

What's new in WinHex 19.7

Feb 21, 2019
  • File System Support:
  • Ability to parse the data structures of many APFS volumes to provide a file overview.
  • Cloned files in APFS, of which only the differences from their originals are stored in their own clusters, are marked with a capital Greek delta in the Attr. column.
  • Support for APFS timestamps in Data Interpreter and Templates ("APFSDateTime").
  • There is now a thorough file system data structure lookup for exFAT volumes as well.
  • Protection against a rare form of data corruption in NTFS where FILE records in the $MFT are misplaced.
  • The option of processing only one hard link now has an effect even if only selected or marked files are processed.
  • File format support:
  • Encrypted documents with a known password can now also be synchronized with the FuzZyDoc hash database.
  • The "Scan" report table is no longer used to identify PDF documents with scanned content. Instead, for PDF documents identified as being generated by a scanner, "scanner" is now displayed in the device type column.
  • Extract the mdtacom.apple.quicktime.location.ISO6709 field from iPhone MOV files to the Metadata column.
  • Identification and file header signature search for MP4s files, a proprietary surveillance video format.
  • History for Google Chrome now shows the page transition for each webpage visited, making it easier to assess whether the visit was initiated by the user or by some other action, such as a page redirect. The duration of each visit is also listed. Internet searches launched from the Chrome address bar are displayed in a separate table and also added to the event list.
  • Ability to evaluate Google Chrome SNSS session files (current / last session and current / last tabs) in metadata extraction. The resulting session overview shows all open tabs with their respective history.
  • The output previously shown in detail mode for .automaticdestinations-ms files is now displayed in preview mode, and is also used by the display command and when copying such Jump List files for inclusion in the report.
  • The generation of preview images for the report is now also supported for files of these types: lnk, flnk, TCP/UDP packets, NK2, DBX, Skype chat, WAB, change.log.1, info2, job, IconCache.db, Prefetch, shd, usnjrnl, eiurl, $I*, travellog, chrome1, automaticdestinations-ms.
  • A rare checksum error in the output of the conversion to Intel Hex has been fixed.
  • Ability to convert UTF-16 (for example, for search terms) to various Indian code pages: ISCII Devanagari, Bengali, Tamil, Telugu, Assamese, Oriya, Kannada, Malayalam, Gujarati, Punjabi (Gurmukhi).
  • JPEG metadata support:
  • Irregular EXIF metadata encodings that violate the EXIF specification are now marked with an asterisk (sometimes bold).
  • "EXIF compliance" is another new aggregated single value: a score that makes it easier to judge whether a poor-quality image editor has been used for editing. A good value, which JPEG images produced by Nikon or Canon cameras usually have, is retained only by high-end image editing programs. A bad value for such images indicates processing with substandard software. Irregularly encoded fields in the EXIF data are marked with an asterisk. Irregular could mean that the wrong data type was used, or the allowed value limits were exceeded, or tags are duplicated, or a string is not null-terminated or contains slack. Some tags must not occur together, others must be stored in a specified directory.
  • In general, the EXIF representation is not simply an unstructured dump of all EXIF values, but attempts to provide background information and highlight certain parameters in their context to alert investigators to inconsistencies. Even in their original files, digital cameras produce characteristic EXIF metadata errors. Editing may cause more errors or fix others.
  • Revised XMP metadata extraction. New and relevant information is added to the metadata column, but redundant information is not. XMP often contains information about the time zone that is not included in the EXIF metadata.
  • The amount of slack (zero bytes) at the end of the EXIF segment is displayed in detail mode if there is such slack. Such a variable-size area is typically generated by iPhone 4 and iPhone 5, but not by iPhone 7. If the slack is retained even after image rotation, the rotation was minimally invasive, without recompressing the data (i.e., without loss of quality). On the other hand, if an image editor rewrites the JPEG data, that slack area disappears.
  • The summary of internal metadata in JPEG file detail mode now has a new field called "Light value". This value is derived from the formula known in photography, Ev = log2(N^2 / t) + log2(100 / ISO). The value range ends at approximately 16, which corresponds to full sunlight. This aggregate value may be of interest to some investigators, as it allows for the distinction between indoor and outdoor shots and because this value can be used to check the plausibility of the local time of a photo.
  • A new value "Rotated" is now possible for the JPEG metadata field Condition.
  • A new "Printer" device type is now displayed for JPEG files created for printing.
  • Firmware data is now also being output for iPhones and other Apple devices.
  • The IMEI of some (high-end) Samsung Galaxy smartphones is stored in the SEFT "trailing data" of JPEG files, depending on the settings of the device, and is now displayed, if present, in detail mode of the SEFT file. The SEFT file is generated by "Search embedded data in various file types".
  • Generator signatures and device aliases table have been redesigned.
  • E-mail:
  • Extracts more internal timestamps from emails in PST/OST email archives.
  • In the (very rare) case that the names of email recipients include the vertical pipe, such recipients were previously not classified correctly as To:, Cc:, or Bcc: when expanding the file snapshot. This has been fixed.
  • New option for the file overview (when extracting emails) to convert certain RTF-formatted email bodies from Outlook email archives to normal UTF-8, so that the generated .eml files are better understood by external e-mail programs, and to enable the alternative .eml preview.
  • User interface:
  • When sorting by one of the many timestamp columns, UTC-based timestamps may have to be compared with timestamps that are stored in an undefined local time zone, or that are stored in local time and interpreted in a time zone specified by the (X-Ways) user, to decide which is earlier and which is later. For example, this can happen with file system timestamps in the evidence repository overview if one evidence object contains an NTFS file system and another contains a FAT file system. It can also occur within the same evidence object, for example when sorting by internal creation timestamps extracted from file contents, such as ordinary EXIF timestamps in JPEGs (which are local) and GPS timestamps in JPEGs (stored in UTC). The sorting of such timestamps now takes into account how these timestamps are displayed (in original local time or in a user-defined display time zone), so that the order matches the values shown, rather than how the timestamps are stored internally. This means, for example, that the local EXIF timestamp 2017-01-01 14:01 local time is sorted *behind* a UTC GPS timestamp 2017-01-01 14:00 +2, which is correct provided the undefined local time zone is identical to the display time zone (UTC +2 in this example). Of course, this order may also be wrong, since the unknown time zone of the locally stored creation date of the content could be somewhere east of UTC +2. The order may also be incorrect if the user-specified reference time zone for FAT file systems is incorrect.
  • The timestamp column of the event list now respects the user-defined timestamp reference time zone in file systems that store their timestamps in local time, and translates those timestamps to the current display time zone accordingly.
  • Ability to toggle between single and double column display in IM detail mode. With sufficient screen resolution and window width, you can view the entire internal metadata without scrolling, because the summary is displayed to the right.
  • Option to display the data interpreter with a degree of transparency. The practical benefits of this option are yet to be discovered. It just looks cooler.
  • When extending a hitherto untreated file overview, the option to perform a parallel search immediately afterwards is also saved. This is especially useful in connection with command line execution.
  • A new command line command allows you to load a list of search terms: "LST" (= load search terms). If preceded by a colon and the name or full path of a text file with one search term per line, and if this precedes an IDE run with implicit parallel search, those terms will be used for this search.
  • When viewing images with the internal image viewing library, the display window is no longer maximized when the image needs to be resized to be displayed on the screen. You can now choose to center those images on the screen, as in previous versions, or instead to have the top-left position of the window or the position of its center saved after moving it on the screen. To set this, open the system menu of the display window (i.e., click on the window icon in the top left corner). You can also specify whether such display windows should always be in the foreground, i.e. also in front of the windows of other applications. And last but not least, you can also save the approximate window size. This is especially useful in conjunction with the options of having the top-left position of the display window saved, allowing only one display window at a time, and automatically updating the display window with just one click on a file. Together these effectively give you a preview window for images at a position on your screen that you define, while the bottom half of the data window may show a mode other than preview mode, e.g. detail mode.
  • Templates can now display and edit UTF-16 Unicode strings with non-Latin characters.
  • Ability to copy the content of templates as tab-delimited text to the clipboard using the template window's system menu.
  • Ability to display the variables of a template as entries in the Position Manager (either the general or, if the data window represents an evidence object, the item manager of the evidence object). This also means that the corresponding values are visually highlighted directly in the hex display and provided with explanatory tool tips. The command for this can also be found in the system menu of the template window.
  • The normal template window can optionally be skipped completely and the entries in the Position Manager can be generated directly if you hold down the Shift key while using the template.
  • Ability to copy text to the clipboard as UTF-16 Unicode, even if the text column does not display UTF-16 Unicode, via the main menu. Ability to copy data to the clipboard as an ANSI character even if the text column displays UTF-16 Unicode.
  • Ctrl + Shift + Delete now removes the "Duplicates Found" tag from the selected files, in addition to removing all types of hash set hits.
  • The search hit context preview in search hit lists can now be activated or deactivated via the context menu.
  • Support for volumes (backups):
  • Can now address up to 128 physical disks in Windows instead of 64 (those with numbers 0 through 127).
  • If the first read operation during the generation of a minimum backup occurs in a data window representing a partition that was opened via the parent physical disk, the minimum backup becomes a partition/volume image rather than a full disk image, unlike in previous versions. Read operations in other data windows (which represent the surrounding physical disk or its other partitions) have no effect on the minimum backup.
  • Support for a new generation date format in certain .e01 evidence files generated by third-party programs.
  • X-Tensions API:
  • The XWF_GetCaseProp function can now be used to query the generation timestamp and internal ID of the current case. XWF_GetVSProp can now be used to set the hash types of a file overview.
  • The X-Tension function XWF_GetHashValue now has the ability to simultaneously query the primary and secondary hash values, and it now has the ability to calculate the desired hash values if they are not already stored in the file snapshot.
  • The user is now asked whether stubborn C# X-Tension DLLs, which cannot be unloaded, should be forced to close after execution. Programmers who want to debug their own X-Tensions may prefer this, but apparently this can prevent reuse of the same DLL in the same session of X-Ways Forensics, so ordinary users should probably choose no.
  • Miscellaneous:
  • The password collection for newly created cases is now initialized with the general password collection. The general password collection can now be opened for editing via Options | Security. The password collection of a case is used for encrypted archives and encrypted documents whenever the case is loaded.
  • When importing hash values from Project Vic, the user is now asked if the US or Canadian default categories should be pre-set.
  • An import issue with certain blanks in unexpected locations in Project Vic JSON files has been resolved.
  • When filling blocks / files / volumes with constant hex values, up to 16 double-digit hex values are now accepted.
  • Some stability improvements.
  • Countless minor improvements.
  • User manual and program help for v19.7 updated.
  • Oracle has made some corrections to the viewer component, especially for viewing PDF files and to address some security issues (no details available).
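
The two user-interface items above on timestamp sorting and on the reference time zone for local-time file systems can be illustrated with a short timeline sketch. This is an added example, not code from WinHex or X-Ways Forensics; the record labels, the storage kinds ("utc", "local_ref", "local_undefined") and the UTC+1 reference zone are assumptions, and the sample records are constructed. It shows how ordering by the stored value and ordering by the displayed value can differ for the same evidence.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this illustration (not taken from X-Ways itself):
DISPLAY_TZ = timezone(timedelta(hours=2))        # display time zone, UTC+2 as in the changelog example
FAT_REFERENCE_TZ = timezone(timedelta(hours=1))  # user-specified reference zone for local-time file systems

# Constructed sample records: (label, stored value, how the value is stored)
RECORDS = [
    ("NTFS created", datetime(2017, 1, 1, 11, 45), "utc"),
    ("GPS time",     datetime(2017, 1, 1, 12, 0),  "utc"),
    ("FAT created",  datetime(2017, 1, 1, 13, 10), "local_ref"),
    ("EXIF photo A", datetime(2017, 1, 1, 13, 30), "local_undefined"),
    ("EXIF photo B", datetime(2017, 1, 1, 14, 1),  "local_undefined"),
]

def displayed(stored, kind):
    """Return the wall-clock value an examiner would see for one timestamp."""
    if kind == "utc":
        source_tz = timezone.utc
    elif kind == "local_ref":
        source_tz = FAT_REFERENCE_TZ
    elif kind == "local_undefined":
        return stored  # zone unknown: shown exactly as stored
    else:
        raise ValueError(f"unknown storage kind: {kind}")
    return stored.replace(tzinfo=source_tz).astimezone(DISPLAY_TZ).replace(tzinfo=None)

def display_values(records):
    """Map each label to its displayed timestamp string."""
    return {label: displayed(ts, kind).strftime("%Y-%m-%d %H:%M")
            for label, ts, kind in records}

def sort_by_stored(records):
    """Order by the raw stored values, ignoring what they mean."""
    return [r[0] for r in sorted(records, key=lambda r: r[1])]

def sort_by_display(records):
    """Order by the values as shown, so the list matches what is on screen."""
    return [r[0] for r in sorted(records, key=lambda r: displayed(r[1], r[2]))]

if __name__ == "__main__":
    shown = display_values(RECORDS)
    for label in sort_by_display(RECORDS):
        print(shown[label], label)
```

Changing FAT_REFERENCE_TZ moves the FAT record within the displayed order, which is why a wrong reference time zone yields a wrong timeline.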