
WinHex 17.3

Free. Protects your privacy by deleting confidential files securely.
Latest version: 21.0

Today's editors are more flexible than those of earlier days. Among them, WinHex has a unique place because of its versatile built-in features. The list of available features varies depending on the version you licensed.

WinHex comes with a bundle of tools that can save you time and work. On the one hand, WinHex is not a regular editor: it can edit executable files in hex mode, showing even non-printable characters such as carriage returns, tabs, and some other special characters. On the other hand, you can perform data analysis on pieces of data recovered via Scandisk or Chkdisk. You can easily perform file recovery and undelete tasks by using its File Recovery utility.

Memory editing is a great bonus for gamers, who can cheat by changing some of the values in order to level up, or by boosting the energy to be used during the game. Besides, you can check your system's physical memory for malicious activity. This is truly helpful when you are performing forensic work on the system.

If you get tired of making identical disks for a standard installation, try the Disk Cloning feature inside WinHex. With this tool, you can clone any physical media connected to your system. Furthermore, it allows you to choose which sectors you wish to clone, and to compare files or full disks. Its permanent deletion utility will give you extra privacy when sharing your system. WinHex supports deconstructing RAID 0-5 with a maximum of 16 components.

Take some time to read the manuals and the tips provided by experts before using this tool. Inexperienced users may easily make a mess of their computers with a tool this powerful.


v17.3 [Sep 12, 2013]
Events & Timestamps
- Calendar mode now represents all timestamps from all 6 timestamp columns of the regular directory browser (instead of just 3) for all listed files (instead of only selected files). The darker the gray color in the calendar for a day, the more timestamps on that day. Hovering the mouse cursor over a day in the calendar tells you the number of timestamps that fall on that day. Left-clicking on a day sets that day as the left boundary for the combined timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day homes in on that particular day only. If the same file is listed more than once (which can happen in a search hit list if it contains more than 1 search hit), then its timestamps are also represented more than once in the calendar.
- For event lists, Calendar mode now shows the number of events on each day (all events that are currently listed) using different shades of gray (the darker, the more events on that day). That allows you to quickly figure out when there was most activity and when there was no activity. Hovering the mouse cursor over a day in the calendar tells you the number of events on that day. Left-clicking on a day sets that day as the left boundary for the event timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day filters for that particular day only.
- Years in the calendar with no timestamps are now grayed out. The number of a year is now displayed in a darker shade of gray the more timestamps are listed for that year. All shades of gray try to give the examiner a better and quicker impression of peaks or absence of activity.
- If the corresponding timestamp filter is active, years are printed in blue in Calendar mode to remind you of the filter. To turn off the filter, as always, click the blue filter symbol in the caption line of the directory browser.
- Event timestamps from FAT file systems are now output adequately. They are not translated to local time and do not show more precision than they actually have.
- Timestamps in the normal directory browser that meet the timestamp filter condition are now highlighted. Timestamps in an event list that are identical to the event timestamp are now also highlighted.
- Timestamps from 0x30 attributes in NTFS file systems are now output as events if actually different from their 0x10 counterparts and not identical to the 0x30 creation timestamp. They are marked as "0x30" in the Event Type column. Malware might give itself harmless looking timestamps after deployment, so that it does not seem to be related to the time of intrusion/infection. The 0x30 attribute timestamps, however, remain unaltered (except if the file is renamed or moved later), and that is the reason why some examiners are interested in them. If the time frame of intrusion/infection is known, related files might be found in the event list with v17.3 and later thanks to original 0x30 attribute timestamps.
- 0x30 timestamps are marked in the event list with an asterisk if they are later than the corresponding 0x10 timestamps, which seems unnatural and in some rare cases might be the result of backdating by the rightful users of the computers themselves. Under certain circumstances, backdating documents is seen as fraudulent and illegal. However, much more commonly 0x10 timestamps predating 0x30 timestamps is just the effort of installation programs or the result of copying a file or moving a file from one volume to another or extracting a file from a zip archive, where Windows or other programs artificially apply the original creation time of the source file to the destination once copying turns out to be successful (internal programmatic backdating).
- If the checkbox "Provide file system level timestamps as events" is only half checked, timestamps in 0x30 attributes are ignored for event generation, which is faster.
- Ability to filter for mere times, matching any possible date. For example, if you are interested in unusual activity occurring in the middle of the night when the rightful office computer user is not working, you could filter for times such as between 22:00:00 and 05:59:59 (on a 24-hour clock). Obviously, selecting the right local time zone for the timestamp filter is crucial for this.
- Omits modification and record update timestamps as events if identical to the corresponding creation timestamp, just as access timestamps already in previous versions.
- More events are now generated from internal file contents: Internal creation in various file formats, last saved in Office documents and RTF, boot time from ETL (event trace log) files, attach timestamps from EDB, signing date from EXE/DLL/SYS/..., Exif timestamps in photos.
- Support for more event types in .evtx event logs.
- Clickable offsets in the HTML representation of Windows .evtx event logs.
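
The 0x30/0x10 comparison described in the notes above, as an added Python example (not WinHex or X-Ways code): it reads the four timestamps from the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) attributes of one MFT record and applies one reading of the event and asterisk rules. The sample record is constructed and simplified (no fixup array, no file name bytes), and all function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
NAMES = ("created", "modified", "record_changed", "accessed")

def attr_times(record):
    """Return {0x10: {...}, 0x30: {...}} for the resident attributes of one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]          # offset of first attribute
    out = {}
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen < 24:                 # end marker or corrupt length
            break
        if atype in (0x10, 0x30) and record[off + 8] == 0 and atype not in out:
            coff = struct.unpack_from("<H", record, off + 0x14)[0]
            skip = 8 if atype == 0x30 else 0                 # 0x30 starts with parent reference
            ticks = struct.unpack_from("<4Q", record, off + coff + skip)
            out[atype] = {n: EPOCH + timedelta(microseconds=t // 10)
                          for n, t in zip(NAMES, ticks)}
        off += alen
    return out

def x30_events(record):
    """(name, 0x30 time, asterisk) tuples; asterisk means 0x30 is later than 0x10."""
    t = attr_times(record)
    si, fn = t[0x10], t[0x30]
    return [(n, fn[n], fn[n] > si[n]) for n in NAMES
            if fn[n] != si[n] and (n == "created" or fn[n] != fn["created"])]

# --- constructed sample record, not taken from a real volume ---
def _ticks(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def _attr(atype, content):                                   # 24-byte resident header
    return struct.pack("<IIBBHHHIHH", atype, 24 + len(content), 0, 0, 0, 0, 0,
                       len(content), 24, 0) + content

def sample_record(si_time, fn_time):
    head = bytearray(0x38)
    head[:4] = b"FILE"
    struct.pack_into("<H", head, 0x14, 0x38)
    si = struct.pack("<4Q", *[_ticks(si_time)] * 4) + bytes(16)
    fn = bytes(8) + struct.pack("<4Q", *[_ticks(fn_time)] * 4) + bytes(32)
    return bytes(head) + _attr(0x10, si) + _attr(0x30, fn) + struct.pack("<I", 0xFFFFFFFF)

BACKDATED = sample_record(datetime(2009, 7, 14, 1, 0, tzinfo=timezone.utc),
                          datetime(2013, 9, 3, 23, 41, 7, tzinfo=timezone.utc))
```

Calling `x30_events(BACKDATED)` yields a single "created" event carrying the 2013 time from the 0x30 attribute, with the asterisk flag set because it is later than the 0x10 value.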
