Today editors are more flexible compared to those in earlier days. Among them, WinHex has a unique place because of its versatile built-in features. The list of the features available will vary depending on the version you licensed.
WinHex comes with a bundle of tools which can save your time and work. On the one hand, WinHex is not a regular editor - it can edit executable files in hex mode showing you even those non-printable characters, such as carriage returns, tabs, and some other special characters. On the other hand, you can perform data analysis from pieces of data recovered via Scandisk or Chkdisk. You can easily perform file recovery and undelete tasks by using its File Recovery utility.
Memory editing is a great bonus for gamers, who can cheat by changing some of the values in order to level up, or by boosting up the energy to be used during the game. Besides, you can check your system’s physical memory searching for malicious activity. This is truly helpful when you are performing forensic works on the system.
If you get tired of making identical disks for a standard installation, try with the Disk Cloning feature inside WinHex. With this tool, you can clone any physical media connected to your system. Furthermore, it allows you to choose which sectors you wish to clone, and compare files or full disks. Its permanent deletion utility will give you extra privacy when sharing your system. WinHex supports deconstructing RAID 0-5 with a maximum of 16 components.
Take some time to read the manuals and the tips provided by experts before using this tool - inexperienced persons may easily make a mess of their computers when using this powerful tool.
v19.7 [Sep 1, 2018]
File System Support
- Ability to parse data structures of many APFS volumes in order to provide a volume snapshot.
- Cloned files in APFS, of which only differences from their original counterparts are stored in separate clusters, are marked with an uppercase Greek delta in the Attr. column.
- Support for APFS timestamps in the Data Interpreter as well as in templates ("APFSDateTime").
- A particularly thorough file system data structure search is now available for exFAT volumes, too.
- Protection against a rare kind of NTFS corruption, FILE record displacements within $MFT.
- The option to omit additional hard links now has an effect even when processing selected or tagged files specifically.
File Format Support
- Encrypted documents with a known password can now be matched against the FuzZyDoc hash database.
- The report table "Scan" is no longer used to identify PDF documents that have scanned content. Instead, "scanner" is now shown in the device type column for PDF documents that are as having been generated by a scanner.
- Extraction of the mdtacom.apple.quicktime.location.ISO6709 field from iPhone MOV files into the metadata column.
- Identification of and file header signature search for MP4s files, a proprietary surveillance video format.
- Google Chrome history will now display the transition for each visited web site, making it easier to ascertain whether the visit was triggered by the user or by some other action like redirect. The duration of each visit is listed as well. Internet searches run from the address bar of Chrome are listed in a separate table and also added to the event list.
- Ability to parse Google Chrome SNSS session files (Current/Last Session and Current/Last Tabs) during metadata extraction. The resulting session overview lists all open tabs and their browsing history.
- The previous output for .automaticdestinations-ms files in Details mode is now presented in Preview mode, and also for the View command and when copying such jumplist files for inclusion in the report.
- Report thumbnail generation now supported for files of these types: lnk, flnk, TCP/UDP packets, NK2, DBX, Skype chat, WAB, change.log.1, info2, job, IconCache.db, Prefetch, shd, usnjrnl, eiurl, $I*, travellog, chrome1, automaticdestinations-ms, and more.
- Fixed a rare checksum error in Intel Hex conversion output.
- Ability to convert (e.g. search terms) from UTF-16 to various Indian code pages: ISCII Devanagari, Bengali, Tamil, Telugu, Assamese, Oriya, Kannada, Malayalam, Gujarati, Punjabi (Gurmukhi).
JPEG Metadata Support
- Irregular EXIF metadata encodings that violate EXIF specifications are now marked with an asterisk at the end (sometimes additionally with a bold font).
- "EXIF compliance" is another new aggregated single value, a score that allows to see whether a low quality photo editor was used to edit a photo. A good rating that JPEG pictures produced by Nikon or Canon cameras usually have is retained only by high quality photo editing programs. A bad rating for such pictures indicates editing by a low quality program. Irregularly coded fields in the EXIF data are marked with a star. Irregular might mean that a wrong data type was used or the permitted value range was violated or there are duplicate tags or a character string is not null-terminated or contains slack. Some tags must not appear at the same time, some tags must be stored in a designated directory.
- Generally the EXIF presentation is not a simple unstructured output of all EXIF values, but it aims to provide background information and highlights certain parameters within their context to make examiners aware of irregularities. Already in their original files digital cameras produce characteric EXIF metadata errors. By editing a photo additional errors may be produced, or others may be fixed.
- XMP metadata extraction revised. New and relevant information is added to the metadata column while redundant information is not. XMP often contains information about the time zone that is not available from the EXIF metadata.
- The amount of slack (zero-value bytes) at the end of an EXIF segment is presented in Details mode if such slack is present. For example, iPhone 4 and iPhone 5 usually produce such an area of a variable length, but iPhone 7 does not. If the slack remains present after a rotation, that means the rotation was minimally invasive, without recompression (no loss of quality). If however a photo editing program rewrites the JPEG file, the slack will disappear.
- The Summary part of the internal metadata in Details mode for JPEG files now has a new field named "Light value". That value is derived from the well-known photography formula Ev=log2(N**2/t) log2(100/ISO). The value range ends at around 16, which means full sunshine. This aggregated value can be interesting to some examiners because it allows to distinguish indoor and outdoor photos and because it allows to check whether the local time of a photo is plausible.
Share images, video and music between your Android and Windows devices
Mall Creeps
