We present the release of another update with important improvements, v20.5, and a third-party module for X-Ways Forensics and X-Ways Investigator.
WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards
Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data, details about their licenses and potentially upgrade/renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible.
Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.
Upcoming online live training
Please sign up for our training notifications here if you would like to be kept up to date on future classes.
File Systems Revealed
Excire: Photo Analysis with Artificial Intelligence
Excire for X-Ways Forensics is a separately available product based on technology developed by Pattern Recognition Company GmbH, a German AI company.
- It automatically analyzes photos and identifies image content (objects like buildings, animals, plants, beaches, mountains, people, adults, babies, faces, eyes, beards, naked bodies, text, …) as well as color themes and photo properties, which are all described as keywords. You can focus on photos with particular relevant keywords (combined with AND or OR) or filter out photos with irrelevant keywords.
- It allows you to find photos that are “similar” from the perspective of an artificial intelligence to a collection of typical relevant photos from earlier cases or other photos that you provide.
- It allows you to find faces of particular people in photos of new cases.
Of great benefit for forensic investigators is that Excire works completely offline. Everything happens on your own machine. You don’t need to trust any cloud service to which you would have to upload photos. No Internet connection is required*. That is just as you know it from X-Ways Forensics.
*An Internet connection is required once when you acquire your licenses, and for that you could use a different computer. An Internet connection is also required when using trial licenses.
Owners of licenses for X-Ways Forensics with active access to updates (not licenses for educational use) can order Excire for X-Ways Forensics for those licenses with a 25% discount. A coupon code is provided in license status messages (from https://www.x-ways.net/winhex/license.html). This offer is valid only for orders placed by April 24, 2022.
What’s new in v20.5?
- An interface for Excire (see above) is now built into X-Ways Forensics and X-Ways Investigator. The overall integration in X-Ways Forensics is seamless. You use the same operations as always (volume snapshot refinement) and the same filters that you already know (for report table associations or comments or metadata), and the results are stored in the volume snapshot or in evidence file containers. You can assign special cell colors in the directory browser to photos with keywords that are of particular interest to you. Keywords that describe photos are currently available in these languages: English, German, French, Spanish and Italian.
- When computing PhotoDNA hash values and storing the hashes for deduplication and fast re-matching, X-Ways Forensics now also automatically compares embedded thumbnails to their parent files. If the difference is noticeable, that will be brought to the user’s attention with two report tables, “Thumbnail discrepancy” and “Thumbnail notable (data corrupt/incomplete)”, where the latter means that there is a difference most likely just because the parent file is corrupt or incomplete. (The thumbnail, which requires little storage space and is located near the start of the file, could be unaffected and therefore helpful.) The former could indicate that someone has retroactively altered/redacted the full resolution picture and left the embedded thumbnail as it was.
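As an added example of the forensic idea behind this check (written for this page, not X-Ways code): the thumbnail lives in Exif IFD1 near the start of the file, so it can survive a truncated parent. The sample JPEG is constructed with a placeholder thumbnail payload, and the pixel comparison that decides an actual discrepancy needs an image decoder and is left out; the `triage` labels mirror the two report table names above.

```python
import struct

THUMB_OFFSET, THUMB_LENGTH = 0x0201, 0x0202  # Exif IFD1 tags JPEGInterchangeFormat(+Length)

def find_exif_tiff(data):
    # Walk JPEG marker segments up to SOS; return the TIFF block inside the APP1 Exif segment.
    pos = 2 if data[:2] == b"\xff\xd8" else len(data)          # no SOI: not a JPEG stream
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + seglen]
        if data[pos + 1] == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + seglen
    return None

def extract_exif_thumbnail(data):
    # IFD0 -> next-IFD pointer -> IFD1, whose 0x0201/0x0202 entries locate the thumbnail.
    tiff = find_exif_tiff(data)
    if tiff is None:
        return None
    e = ">" if tiff[:2] == b"MM" else "<"                      # byte order from TIFF header
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    n0 = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    ifd1 = struct.unpack(e + "I", tiff[ifd0 + 2 + 12 * n0:][:4])[0]
    if ifd1 == 0:
        return None
    n1 = struct.unpack(e + "H", tiff[ifd1:ifd1 + 2])[0]
    # each 12-byte IFD1 entry is (tag, type, count, value); keep tag -> value
    tags = dict(struct.unpack(e + "HHII", tiff[ifd1 + 2 + 12 * i:][:12])[::3] for i in range(n1))
    if THUMB_OFFSET not in tags or THUMB_LENGTH not in tags:
        return None
    thumb = tiff[tags[THUMB_OFFSET]:][:tags[THUMB_LENGTH]]
    return thumb if len(thumb) == tags[THUMB_LENGTH] else None  # None if thumbnail itself cut

def triage(data):
    # Same split as the two report tables: a thumbnail surviving in a truncated parent is
    # "notable"; a complete parent still needs a pixel comparison (decoder omitted here).
    if extract_exif_thumbnail(data) is None:
        return "no embedded thumbnail"
    if not data.endswith(b"\xff\xd9"):                         # no EOI marker: parent incomplete
        return "Thumbnail notable (data corrupt/incomplete)"
    return "compare thumbnail pixels to parent (Thumbnail discrepancy candidate)"

def build_sample():
    # Constructed input: big-endian Exif, IFD0 (one tag) at 8 -> IFD1 at 26 -> thumbnail at 56.
    thumb = b"\xff\xd8THUMB\xff\xd9"                           # stands in for a baseline JPEG
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHIHH", 0x0112, 3, 1, 1, 0) + struct.pack(">I", 26)
    ifd1 = (struct.pack(">H", 2) + struct.pack(">HHII", THUMB_OFFSET, 4, 1, 56)
            + struct.pack(">HHII", THUMB_LENGTH, 4, 1, len(thumb)) + struct.pack(">I", 0))
    app1 = b"Exif\x00\x00MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + ifd1 + thumb
    scan = b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00" + b"SCAN" * 8
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + scan + b"\xff\xd9"
```

Running `triage(build_sample()[:-20])` shows the point of the second report table: the tail of the parent is gone, yet the thumbnail is still fully recoverable.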
File Format Support
- X-Ways Forensics from now on distinguishes between 4 instead of 3 possible file format consistency states: unknown, OK, irregular and corrupt. Important for the Type status filter settings.
- Improved PNG screenshot identification. In particular, a new Exif format is supported that is used mainly for Android screenshots. This makes it possible to verify whether such Android screenshots are original.
- Additional generator signatures defined.
- Support for new Exif tags concerning composite images and time zones.
- Revised recognition of camera original pictures, now with a lower false negative rate, especially for Xiaomi smartphones.
- Further revised generating device identification (esp. smartphones, esp. all Samsung smartphones) with around 34,000 definitions and two new iOS release identifications.
- Evaluates camera debug information in the Application Marker 4 for Samsung smartphones such as camera serial number, timestamp of the last firmware update, and a 2-letter country code. This may enable the examiner to associate a photo with the exact device that took it.
- Provides the last printing date and the internal last modification date of OpenOffice documents as events.
- Revised and improved alternative .eml preview, which is important also for the case report option “Alternative .eml presentation directly in browser”.
- Ability to process carved compressed PF prefetch files.
File System Support
- Supports new style of reparse point text of Windows 11.
- A renamed/moved file in a volume snapshot for a FAT file system that still exists under a different name or in a different directory was handled inconsistently before. Now it is read exactly like its existing counterpart, i.e. following cluster chains as defined in the file allocation table, regardless of the state of the “Deleted files skip used clusters” setting, resulting in identical hash values, duplicate search hits, etc.
- Recognizes Windows 11 as a platform and was confirmed to run on Windows 11 practically as well as on Windows 10.
- Now executable again under Windows XP (with limitations).
- New command “Capture Processes” in the Tools menu in X-Ways Forensics that allows you to acquire all data in the memory of running processes on a live system contiguously (i.e. pages in the order in which they were allocated by the process). The creation times of processes can be seen as the creation timestamps of the memory dumps. Pages marked as containing executable code (PAGE_EXECUTE* styles) are optional; omitting them suitably reduces the amount of data if you are merely interested in keyword searches or carving and not malware analysis. Carving in the memory dumps (files shown as type “mem”) can be performed by uncovering embedded data, one of the functions of volume snapshot refinement.
- This command can also produce a tab-delimited list of all top-level windows with their titles and corresponding processes plus (comma-delimited) the titles of their child windows. Screenshots of some of the top-level windows are taken and output automatically. If this functionality is used without administrator rights, only processes of the current user are covered, otherwise all processes.
- The output folder of “Capture Processes” is by default either a subdirectory of the case or – if no case is active – a subdirectory of the directory for images. It can be automatically explored in Windows File Explorer once the output is complete and/or added to the active case as a directory.
- The memory dumped by “Capture Processes” can also be useful on your own system if an application in which you type text (e.g. an e-mail client) suddenly freezes and you want to recover what you wrote.
- A filter is available for process dumping. You can use it like other file mask filters in X-Ways Forensics. For example, “explorer.exe” will only dump memory and windows of the Windows File Explorer process. “:C*” will dump all processes except those whose names start with the letter “C”, e.g. not “Chrome.exe”. The file mask is not case sensitive. Multiple file masks can be concatenated with semicolons. (However, the total length is limited.)
- Ability to interpret unencrypted evidence files in Ex01 format as partitioned physical media or volumes.
- Improved handling of hard disks that were partitioned and formatted as if they had a different sector size.
- An up-to-date English language Tooltips.txt file is now included in the download. If you wish to see those tooltips for the controls (mostly checkboxes) in your dialog windows, please make sure that “Tooltips.txt” is activated in Options | General. A German-language Tooltips.txt is available from the resource download area for users of X-Ways Investigator and X-Ways Forensics. If you wish to share your translation to another language with other users, please send us your copy of the file so that we can put it there as well. Thank you.
- Report tables can now be alphabetically sorted in the dialog windows for filtering and for report table management. By default, they will be listed in the order in which they were created, as before.
- Report tables that were created by the application as hints for the user are now listed optionally, and they are now the only ones that are indented.
- New colors were defined for the various kinds of report tables (ordinary user-created, hints for the user, hash sets, search terms, duplication groups, …), and the triangles in the Name cells that indicate the existence of report table associations for the file are now shown in the same colors. The display of those triangles is now optional, see Options | Notation.
- Registry Viewer: Ability to copy the value data as shown in the list view on the right-hand side. (In order to copy the value data in binary, select the value in the list view, move the registry viewer aside and copy the selected data from File mode.)
- Printing templates did not show formatted GUIDs correctly. That was fixed.
- The rules of advanced sorting are now also applied to the Hash Set column.
- After matching hash values against the hash database, multiple matching hash sets for a given file are now listed within the cell in the same order as they are contained in the hash database, and not in a random order.
- Comments of evidence objects are now also shown in the Comments column in the Case Root window and can be edited from there. The description of evidence objects is now also shown in the Metadata column in the Case Root window.
- If a filter is active with a NOT setting, you are now reminded of that by a red funnel symbol.
- To remind the user that an OR combination of filters is active, the word “OR” is now displayed in larger letters and with pointing fingers in the caption line of the directory browser.
- Colored cells now have an optional color gradient. This can be enabled separately for each cell coloring condition. The exact rules to determine the background color of rows in the directory browser based on focus, selection, mouse hover status, dark mode and cell coloring have been generally revised.
- In conditional cell coloring, you now have the option to color the Name cell in addition to the original cell that the condition is based on. Useful if you wish to be visually alerted of the matching condition even if the triggering column is currently not visible, and if highlighting the entire line would be too much.
- The Notation settings now allow you to see some “internal” flags in the Description column if you wish. Those flags identify the status of a file in volume snapshot refinement.
[Emb]: checked for embedded data to uncover
[Arc]: file archive checked for content
[Enc]: encryption test already performed
[Ext]: e-mail or e-mail archive checked for extractable content
[Met]: checked for internal metadata
[Xtn]: created by an X-Tension.
- Applying X-Tensions to files in selected directories is now optional. (In case a particular X-Tension is useful when applied to directories only.)
- The “Mount as Drive Letter” functionality now comes with a new option named “Apply recursively” to present files from all subdirectories of the currently active evidence object or the selected directory in a flat list. This is useful if you wish to use an external program to view many of the files and don’t wish to bother with directory navigation. When using this option, the internal IDs of the files are inserted into the filenames to make the files better identifiable to X-Ways Forensics.
- Ability to define the maximum size of files for which thumbnails should be created in the gallery. It may be necessary to increase that limit for high resolution Photoshop PSD pictures, for example.
- Automatic verification of newly created images via hash is now applied to an optional 2nd image copy also when adding the 1st copy to the active case.
- Option to hide case backup files with the H attribute.
- Many minor improvements.
Changes of service releases of 20.4
- SR-1: The hash types for disk imaging and volume snapshot refinement can now be selected in the same dialog window, which requires two mouse clicks less and means that .dlg files of these dialog windows will cover the settings more completely.
- SR-1: Avoided a read error that could occur when OCRing files.
- SR-1: Prevents repeated output of hint on use of multiple .settings files.
- SR-2: If you get file creation error messages when running OCR with multiple threads, you can now try an unlabeled, but tooltipped checkbox next to the Tesseract OCR option to make X-Ways Forensics wait longer for Tesseract to finish.
- SR-2: Fixed a potential infinite loop that could occur with certain PDF documents when uncovering embedded data.
- SR-2: Now uses an embedded JPEG picture as the thumbnail of certain camera raw files in the case report.
- SR-2: When the case report is generated, the user now has the option to explore the directory where the report is stored instead of viewing the report directly.
- SR-2: The hint given in fresh installations that the RVS processing state of files in evidence file containers is taken over is now given repeatedly, until the user disables it. Previously it was probably often overlooked or ignored and/or not understood.
- SR-2: Chinese translation of the user interface updated.
- SR-3: Fixed an exception error that could occur in v20.4 with WofCompressed or possibly other kinds of pseudo-sparse files.
- SR-3: Prevented inability to load previously decoded text that was written incompletely because of a crash. Earlier versions of X-Ways Forensics cannot load decoded text stored by v20.4 SR-3 and later.
- SR-4: Faster viewing and previewing of large PSD pictures, using the internal graphics viewing library instead of the viewer component.
- SR-4: Fixed an error in the Tools | Compute Hash command that occurred when applied in File mode.
- SR-4: Attaching files in the case root window previously switched to a file listing that was shown as being not recursive. That was fixed.
- SR-5: Waits longer for closed evidence objects to open if targeted by RVS, to avoid the error message “Sorry, the following evidence object was skipped”.
- SR-5: Fixed a cluster allocation display error of v20.4 SR-4.
- SR-5: Fixed an exception error that could occur in v20.4 under certain circumstances when generating the case report.
- SR-6: The mouse wheel now also works for scrolling in Windows 10 when the cursor hovers over a directory browser tooltip.
- SR-6: Fixed inability to remove certain context menu commands from the Windows shell via Options | General.
- SR-6: Support for a newer variant of Windows 10 thumbcache index files in file type verification and Details mode.
- SR-6: Fixed inability to extract certain tables from some SQLite databases as TSV child objects.
- SR-6: Fixed a crash that could occur if the user inserted a trailing blank line at the end of “Event Log Events.txt”.
- SR-6: Fixed inability of v20.4 to properly open ordinary sparse files in NTFS.
- SR-6: In OSDirList volume snapshots, directories were previously skipped if their names started with two dots. That was fixed.
- SR-6: Tooltips now also work in the dialog windows for simple text and hex searches.
- SR-6: Restoring old backups of cases did not always discard all newer components of the volume snapshot that did not exist in the backup (e.g. events). That was fixed.
- SR-6: Replacing text or hex values in a file with data of different size did not always work in files larger than 2 GB. That was fixed.