Today editors are more flexible compared to those in earlier days. Among them, WinHex has a unique place because of its versatile built-in features. The list of the features available will vary depending on the version you licensed.
WinHex comes with a bundle of tools which can save your time and work. On the one hand, WinHex is not a regular editor - it can edit executable files in hex mode showing you even those non-printable characters, such as carriage returns, tabs, and some other special characters. On the other hand, you can perform data analysis from pieces of data recovered via Scandisk or Chkdisk. You can easily perform file recovery and undelete tasks by using its File Recovery utility.
Memory editing is a great bonus for gamers, who can cheat by changing some of the values in order to level up, or by boosting up the energy to be used during the game. Besides, you can check your system’s physical memory searching for malicious activity. This is truly helpful when you are performing forensic works on the system.
If you get tired of making identical disks for a standard installation, try with the Disk Cloning feature inside WinHex. With this tool, you can clone any physical media connected to your system. Furthermore, it allows you to choose which sectors you wish to clone, and compare files or full disks. Its permanent deletion utility will give you extra privacy when sharing your system. WinHex supports deconstructing RAID 0-5 with a maximum of 16 components.
Take some time to read the manuals and the tips provided by experts before using this tool - inexperienced persons may easily make a mess of their computers when using this powerful tool.
v17.9 [Oct 2, 2014]
What's new in v17.9?
(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)
File Type Support
The gallery can now show thumbnails for any file type that is supported by the viewer component, including Office documents, PDF, HTML, e-mails, and pictures that the internal graphics viewing library cannot display (e.g. .emf, .wmf, ...)!
You can choose between normal and shrunk thumbnails of documents. Shrunk thumbnails show much more detail from an original document and the original layout, but at the cost of readability. Larger fonts (in particular captions) in an original document, if not shrunk, are typically readable in the thumbnail and can already give you an idea what kind of document it is even if don't view it, so you can more quickly find the documents that you are looking for. Plus, you will be able to see which documents can be nicely viewed with the viewer component at all. It is recommended run X-Ways Forensics with Aero enabled in Windows when using the gallery.
Files that are larger than 16 MB are not represented with a thumbnail, for performance reasons. X-Ways Forensics tries to abort the generation of a thumbnail if it takes longer than a few seconds. If the generation of a true thumbnail is unsuccessful, you may see a viewer component error message like "Operation cancelled" in tiny red letters in the thumbnail instead. If thumbnail generation is not even attempted by X-Ways Forensics, you will just see the filename and an icon.
Extraction of Internet Explorer browsing history from the Windows.edb database. Visited URLs are added to the event list as part of Windows.edb processing in "Uncover embedded data in various file types". The URLs remain in Windows.edb even after erasing the browser history in Internet Explorer.
Extraction of contacts from Windows Live Messenger's contacts.edb database, using the operation "Uncover embedded data in various file types".
Certain previously valid timestamps of files are now output as events during various suboperations of the particularly thorough file system data structure search on NTFS, depending on a new refinement option "Provide by-catch timestamps from various sources as events", which may also effect other operations whose primary purpose is not the retrieval of timestamps/events.
Support for big data records in registry hives in the registry viewer and registry report.
Support for the Windows 8 version and some other new variants of AppCompatCache in the Windows Registry.
The alternative e-mail preview now supports Base64-encoded e-mail bodies.
Ability to decode fully Base64-encoded files in the volume snapshot and provide the result binary as a child object as part of "Uncover embedded data in various files types", provided that the encoded file has "b64" in the Type column.
An updated version of MPlayer (named 2014) is now downloadable from our web site.
Longer filter expression for video file processing supported.
Fix for geo informationen in BlackBerry JPEGs.
Fixed an exception error that could occur when extracting metadata from PE EXE (RLL).
A stability issue in the parsing for binary PLists (BPLists) has been fixed which could occur with corrupted BPLists where the corruption took very specific forms.
Under certain circumstances, when exporting lists in XML format including the Metadata column, import as a spreadsheet in MS Excel led to an unhelpful structure. XML export has been improved to prevent this from happening.
Fixed a rare exception error that could occur when extracting metadata from .evtx Event Log files.
File System Support
The various optional suboperations of the particularly thorough file system data structure search in NTFS are now selectable more precisely, and in a child dialog window of the Refine Volume Snapshot dialog, and they now work much more efficiently on large volume snapshots.
Avoided inclusion of certain redundant files in the volume snapshot during FILE record searches.
Ability to filter for those 0x30 timestamps that do not predate their corresponding 0x10 counterparts. (Remember that this situation frequently occurs for various "natural" reasons, and only sometimes indicates malicious backdating.) Click the checkbox that is labelled with the "greater than" symbol to use this filter.
Share images, video and music between your Android and Windows devices
Mall Creeps
