Today editors are more flexible compared to those in earlier days. Among them, WinHex has a unique place because of its versatile built-in features. The list of the features available will vary depending on the version you licensed.
WinHex comes with a bundle of tools which can save your time and work. On the one hand, WinHex is not a regular editor - it can edit executable files in hex mode showing you even those non-printable characters, such as carriage returns, tabs, and some other special characters. On the other hand, you can perform data analysis from pieces of data recovered via Scandisk or Chkdisk. You can easily perform file recovery and undelete tasks by using its File Recovery utility.
Memory editing is a great bonus for gamers, who can cheat by changing some of the values in order to level up, or by boosting up the energy to be used during the game. Besides, you can check your system’s physical memory searching for malicious activity. This is truly helpful when you are performing forensic works on the system.
If you get tired of making identical disks for a standard installation, try with the Disk Cloning feature inside WinHex. With this tool, you can clone any physical media connected to your system. Furthermore, it allows you to choose which sectors you wish to clone, and compare files or full disks. Its permanent deletion utility will give you extra privacy when sharing your system. WinHex supports deconstructing RAID 0-5 with a maximum of 16 components.
Take some time to read the manuals and the tips provided by experts before using this tool - inexperienced persons may easily make a mess of their computers when using this powerful tool.
v20.0 [Aug 23, 2020]
File System/Disk Support:
- UFS support has been revised. Significantly more UFS variants are now understood.
- APFS: Supports new Catalog ID structure as created by Mac OS Catalina.
- Technical Details Report/evidence object properties now show details of MacOS X Installations on HFS or APFS volumes: Exact OS X version, timezone, the system's network and display names.
- Support for much more deeply nested subdirectories in XFS volumes.
- Supports Ext4 volumes with version 2 of sparse superblocks.
- Slightly more complete output of Ext* file system timestamps.
- Ability to choose which copy of a FAT12/FAT16/FAT32 file allocation table to work with, in Options | Volume Snapshot. This can be either a user-designated copy or the one that is defined as active in the boot sector (in case of FAT32). If neither the user selects a copy nor the boot sector defines a single copy as active, the first copy will be used, labelled as "FAT 1", like in earlier versions. The copy that was selected at the time when the volume snapshot was taken will be used for the whole lifetime of that volume snapshot, even if the settings are changed. It is displayed in the Info Pane. The Technical Details Report now informs which copy or copies are considered active in the file system.
- Identifies unpartitioned physical disks or disk images as such in some rare cases where it previously didn't.
- General option to open volumes including the slack that doesn't add to another cluster just like when opening an entire partition. The data in that area, aside from a potential NTFS backup boot sector, does not belong to that volume logically and was stored there before the volume was created. It is not needed to parse the file system or to mount the volume (though some tools may output an error message if it's not included). Including such data in a volume image can be an IT security leak if only the regularly accessible part of the volume had been sanitized before usage.
- Identifies some new bus types of currently attached storage devices.
- Active sector superimposition is now remembered in an evidence object and automatically re-activated when the evidence object is opened next time, and you will be reminded of that.
- Generally improved handling of incomplete/corrupted .e01 evidence files, similar to storage media with unreadable areas (bad sectors). NTFS: A limited listing of system files is now presented based on $MFTMirr if in an such an incomplete image $MFT is not included, but $MFTMirr is.
- Ability to abort the potentially time-consuming preparation of a cluster allocation map for huge volumes and still proceed with taking the actual volume snapshot if desired (without reverse cluster allocation information).
Picture Support:
- New version of the internal picture viewing library.
- WEBP pictures are now supported in Preview, Gallery, and for the View command.
- Ability to view pictures in some variants of the DICOM format.
- Metadata extraction from WEBP pictures revised. Output of processing states, similar to PNG files. File type identification/verification for DICOM and WEBP revised.
- All JPEG files are now presented with a processing state in Details mode. Two additional state values were introduced.
- The processing state now depends on the detected generator, where each generator is now assigned to one of three generator classes D (device), E (editor), or C (content management system). JPEG files produced by generator class D are absolute originals. The processing state is always "original". JPEG files produced by the generator class E are relative originals. Their processing state is always "Edited normally". Examples are photos published by news agencies like Reuters.
- The detected processing state of the third generator class (CMS like WordPress, Drupal, TYPO3, Joomla etc.) can assume different values. They are usually irregularly edited, i.e. their edited status is not officially indicated. The state can be deducted indirectly based on filename, generator signature, pixel dimension. The state "irregularly edited" can also result from picture manipulations.
- The new processing state "scaled" means that a picture was created with a content management system such as WordPress, TYPO3, Drupal. It can be said with a high probability that such pictures have been released to the public, which entails a reduced intelligence value. Practically such pictures cannot be regarded as documents. They were automatically and individually adapted to the respective output display in order to optimize the loading time of the web page.
- The state "EXIF stripped" refers to JPEG pictures, whose device origin was detected although no EXIF metadata is present. The device can potentially be detected based on generator signature, filename or a characteristic pixel dimension.
Share images, video and music between your Android and Windows devices
