
Today's editors are more flexible than those of earlier days. Among them, WinHex has a unique place because of its versatile built-in features. The list of available features varies depending on the version you licensed.
WinHex comes with a bundle of tools that can save you time and work. On the one hand, WinHex is not a regular editor - it can edit executable files in hex mode, showing you even non-printable characters such as carriage returns, tabs, and some other special characters. On the other hand, you can perform data analysis on pieces of data recovered via Scandisk or Chkdisk. You can easily perform file recovery and undelete tasks by using its File Recovery utility.
Memory editing is a great bonus for gamers, who can cheat by changing some of the values in order to level up, or by boosting the energy to be used during the game. Besides, you can search your system’s physical memory for malicious activity. This is truly helpful when you are performing forensic work on the system.
If you get tired of making identical disks for a standard installation, try the Disk Cloning feature inside WinHex. With this tool, you can clone any physical media connected to your system. Furthermore, it allows you to choose which sectors you wish to clone, and to compare files or full disks. Its permanent deletion utility will give you extra privacy when sharing your system. WinHex supports deconstructing RAID 0-5 with a maximum of 16 components.
Take some time to read the manuals and the tips provided by experts before using this tool - inexperienced persons may easily make a mess of their computers when using this powerful tool.
v19.5 [Nov 28, 2017]
Case Management
- A new command in the case context menu allows you to import evidence objects from another case into the current case, for example when you wish to merge different cases (that may have been worked on by different users to split up the workload) into a single case. Only tagged evidence objects are imported, i.e. those displayed with a light bulb in their original case. This will also import (actually: copy) an evidence object's volume snapshot with report table associations, comments, bookmarks, search hits, indexes, events, RAID reconstruction parameters, time zone selection, and much more, but not volume snapshot backups and not the users (examiners) of the other case and the distinction between their own report table associations and search hits. The timestamp recorded when the evidence object was added to the original case will be taken over into the new case. The current user who conducts the import will absorb those results. The unique IDs of files will be different in the new case. However, report table associations for that evidence object can be exchanged (exported and imported) between the source and the destination case because the volume snapshot IDs and internal IDs are retained.
- The command to import an evidence object from another case can also be used to simply duplicate an evidence object in the same case. Simply select the .xfc file of the currently active case to do that for the tagged evidence objects. This can be useful to maintain and see and compare two volume snapshots at the same time, experiment with file header signature searches with untested signature definitions etc.
- Support for Cellebrite's raw image segment naming conventions (abc.bin, abc_1.bin, abc_2.bin, ...) when images are internally interpreted as disks.
- Support for large table sections in .e01 evidence files.
- When trying to open an evidence object of a case that is backed by an image file and the image file cannot be found, X-Ways Forensics now automatically offers to open the evidence object without image, just like with the corresponding context menu command in the Case Data window. Useful if the image is not accessible right now (or has been deleted/lost completely) and you wish to just peek at the file listings, report table associations, your own comments, hash set matches, extracted metadata etc.
File Format Support
- Safari Cache.db: Preview includes information as to where the data of each record is stored (filesystem or Cache.db). Prevents dummy data from being exported when data is not stored within the database. Support for a previous schema of the Safari cache database.
- Metadata and event extraction from SRUDB.dat, i.e. the activity captured by the system resource usage monitor (SRUM). You can see the processes started over time, listed with their owners, and a lot of statistics. Network usage activity by each process is extracted as well. The extracted information can be useful to pinpoint the moment of a possible intrusion or the process that caused an intrusion. The information is presented in detailed HTML child object files and as events in the event list. Individual event types for SRUDB make it easier to filter for particular resource usage types.
- Generator signature database significantly further updated.
- New prefix "Mobile::" for many photos taken by mobile devices.
- File type signature definition and file carving algorithm association for High Efficiency Image files (.heic).
- Improved stability with EDB processing.
- Thorough addition of events from EVT event logs (Windows XP or older) to the event list. Optimized HTML preview for EVT event logs to significantly reduce its size.
- Ability to display some rare black & white PNG pictures with the internal graphics viewing library that were not supported previously.
- The type of a user account (administrative user, user only, or guest account) is now mentioned in the Windows registry report.