WinHex v8.8 serial key or number

Nov 11, 2015

This  mailing is to announce the release of another notable update with many useful improvements, v18.6.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.

Upcoming Training

Northern California, Nov 30-Dec 4, 2015
London, England, Feb 29-Mar 3, 2016
London, England, Mar 15-23, 2016
Washington DC area, Apr 5-8, 2016
Southern California, Apr 11-19, 2016
Halifax, Canada, May 30-Jun 3, 2016

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, or Asia/Pacific.

Flexible Update Maintenance Terms

It is now possible to order perpetual licenses for X-Ways Forensics with an individual update maintenance period. You may want to choose for example the same update maintenance expiration date as that of your existing licenses, so that co-termed old and new licenses of the same type can be merged in our database in a single entry, for combined volume discounts next time when you upgrade them and so that they can be managed together as a single group by yourself as well. Also useful to match the update maintenance period with your internal financial year or to better utilize the budget that you have available at this very moment.

Similarly, upgrades of existing licenses with new update maintenance may now be offered to you with an expiration date of your choice as well. Please enter your preferred new update maintenance expiration date on the More options page.

What's new in v18.6?
(please note that most changes affect X-Ways Forensics only)

Mounting As Drive Letter

• X-Ways Forensics now has a function to mount the volume that is represented by the active data window as a Windows drive letter. Either entirely (if the command is invoked in the Specialist menu or in the case tree context menu for a whole volume) or partially (if applied to a directory or file with child object using the directory browser context menu or the case tree context menu). This allows for convenient and quick access to all files with external programs where necessary, without the need to copy the files to your own local drive letter first. Very efficient in particular if you wish to check a whole volume or directory or certain files with a virus scanner.
  
  Mounting works for all the file systems that are supported, for all partitioning methods supported and all image types supported (in X-Ways Forensics: raw images, .e01, VDI, VMDK, VHD, and of course evidence file containers), even for images within images, also for partitions of physically attached disks formatted with a file system unknown to Windows. Access to all the files is complete read-only, mounting of images or disk partitions will not changing anything in the image/on the disk. To unmount a drive letter, simply invoke the mount command in any of the menus again and click the Cancel button.
  
  You can choose to see all existing and optionally all known deleted files from the volume in the drive letter, exactly the same files as known from the very thorough volume snapshot of X-Ways Forensics itself, which depends on whether you have refined it already or not. Optionally filtered out files can be omitted from directory listings. Child objects of files (files in files) are optionally exposed as well, presented as files in an artificial directory that has the same name as the parent file, with just a single character appended to render the name unique, as you may know it from the Recover/Copy command. By default, that suffix character is invisible, i.e. a Unicode character with no width, to make the path of the child objects look as original as possible. You may wish to replace that character with something else, e.g. an underscore, for example because you are working with an old external program that is not Unicode-capable. For that you need to remove the invisible character from the edit box first, for example by pressing the Backspace key, which works even if it does not have any visible effect. After that you can insert any other character.
  
  Previously existing files are listed optionally, and if listed, they are presented with the "hidden" attribute, so that they can be visually distinguished from existing files even in the Windows Explorer a.k.a. File Explorer. Virtual directories are presented in the same way. (Of course, hidden files are displayed in Windows only if you choose to see them, see Tools | Folder options | View.) Virtual files in a volume snapshot as well as internal files of the file system (e.g. $MFT in NTFS and Catalog in HFS+) are included optionally, and so are original names and locations of files that that have been renamed/moved. Special objects like alternate data streams, extracted e-mails, video stills, embedded thumbnails, manual file excerpts, etc. etc. are presented in the mounted drive as ordinary files. File slack is not exposed.
  
  Files with identical names in the same directory (e.g. 1 existing, 1 previously existing file, up to 16) are not problematic with mounting. Such files can be opened from within mounted volumes through the drive letter as if they had unique names.
  
  This function requires Windows 7 and later and the installation of a driver (which will be initiated when you use any of the mount commands for the first time) and the Microsoft Visual C++ 2013 Redistributable Package (which is not included in Windows by default and may need to be downloaded). That means that this particular part of X-Ways Forensics is not portable, but it's not a typical function for previews of live systems anyway.

• Interactivity: Deleting a file in a volume mounted by X-Ways Forensics in Windows (e.g. in the Windows Explorer a.k.a. File Explorer) of course does not delete the file in the source image or on the source disk, but can optionally trigger one of the following actions in the volume snapshot:
  1) exclude the file in the volume snapshot
  2) mark the file as already viewed, or
  3) associate the file with a report table of your choice.
  The latter is very useful if you mount the volume in order to check the files for malware with an external virus scanner. Should the virus scanner delete or quarantine any of the files, X-Ways Forensics will sense the deletion in the directory and add the file to the specified report table. Note that if you manually move a file off the volume to some other drive letter this will trigger the same action, because that kind of moving is identical to copying followed by deletion. Moving a file within the same volume is not allowed.
  
  Renaming a file in a mounted volume in Windows also renames the file in the volume snapshot. (The original name is preserved and displayed in the directory browser additionally.)

• Since v18.5 SR-3 WinHex allows to interpret evidence file containers with no more than 1,000 objects with any license type and even in the evaluation version, free of charge, not only for evaluation purposes. And now in WinHex 18.6 without any license type and even in the evaluation version those containers can also be mounted as a drive letter. (Subject to change.) If you acquire files logically in an evidence file container and pass the container on to other parties that do not have a license for X-Ways Investigator or Forensics, the recipients could now save money by mounting the container either for free or in WinHex Lab Edition (see below).

New Product Variant: WinHex Lab Edition

• The new mount functionality is also available in a new product variant of WinHex called WinHex Lab Edition. In WinHex Lab Edition, all the functionality of a specialist license for WinHex will be available, plus the ability to run X-Tensions (except viewer X-Tensions), support for the same file systems as in X-Ways Forensics (i.e. HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, UFS, and XFS additionally), creation of evidence file containers and mounting. So WinHex Lab Edition bridges the gap between WinHex with a specialist license on the one hand and X-Ways Forensics on the other hand to some extent. Still, functionality wise and price wise it will be much closer to WinHex with a specialist license.
  
  For a product and license type comparison, please see this web page (updated, of course incomplete considering that there are hundreds or thousands of functions and options in X-Ways Forensics). Licenses for WinHex Lab Edition can be ordered online.

Description Column

• The Description column now deserves much more attention. It has taken over many of the display responsibilities of the Attr. column that are not file system related, and also half of the Attr. column's filters. Additionally, it has taken over the previously column-independent filters from the Directory Browser Options dialog. This solution should be a little more intuitive and logical for new users (now all filters are column-based), and it clears up some space in the notoriously crowded Directory Browser Options dialog. The filter for carved files (previously in the column "1st sector") was also absorbed by the Description column.

• A new filter settings in the Description filter allows to filter out virtual items just like existing and previously existing items.

• So the Description column's filter is now one of the most important filters. The quickest way to access the filter settings is to right-click the caption line of the directory browser. That shortcut is available even if the Description column is not visible on the screen or not displayed at all. A left click in the same line still quickly opens the directory browser options dialog.

• The funnel symbol that represents the filter of the Description column has four possible colors: 1) Gray when inactive, as usually. 2) Gray with a very, very light tendency to blue, almost indistinguishable from gray, when the filter is on theoretically, but only excluded files would be filtered out, but no excluded files are actually getting filtered out currently because there are none. 3) Blue-gray when only excluded files are filtered out by the filter, and such files have actually been filtered out. 4) Ordinary blue if the Description filter is active and does not only focus on excluded files. This subdued color scheme was introduced because many users consider it rather "normal" that excluded files are filtered out, and thus an active filter that merely targets excluded files should not attract as much attention as other active filters.

• The Description column is now more precise in revealing the object type (e.g. carved file, child objects of file, alternate data stream, video still, etc.) and the deletion status and other properties. Also, this column has become configurable. You can specify in the Notation Options dialog what information to convey in this column. That the settings of the Description column are part of the Notation Options means that you can have two different settings, one generally for the directory browser and the other one specifically for the the Export List command. This is useful because in the exported list there are no icons that can help you to tell certain object types and their deletion status apart, unlike in the directory browser.

• v18.6 (only this version) will not load the width of the (now more important) Description column from cases. That way nobody who starts using v18.6 and loads cases that were last saved by v18.5 or earlier with directory browser settings embedded will lose that column because they didn't use it before.

File Format Support

• Revised detection of and protection against of zip bombs. Newly introduced detection of and protection against recursive zip and gz archives and possibly other archive types. Protection means that processing will stop at a certain level once the malicious nature of the archive is detected. Archives identified in this fashion will be marked as already processed and added to a special internal report table. Please note that if afterwards you wish to manually dig deeper than the level at which the recursive automatic exploration stops, you can do so by marking the inner-most archive reached as still to be processed (by pressing Ctrl+Del) and then applying the Explore command in the context menu to it manually.

• More format variants of MP4, MOV, etc. supported for file carving and file consistency checks.

• Support for Windows 10 registry hives and its new data types. (In previous versions of X-Ways Forensics, the registry report would be incomplete for a Windows 10 registry.) Some new registry report definitions for Windows 10.

• Support for the new prefetch file format of Windows 10 in Preview mode, on Windows 8.1 and Windows 10 platforms. New file carving algorithm for those prefetch files.

• Support for the new $I recycle bin files of Windows 10.

• Extraction of the AppVersion field from new Office document types. Extraction of the absolute path of Office 2013 .xlsx files.

• Unix and DOS attributes of files in zip archives are now output in Details mode in a decoded form.

• Lists groups and group members in the registry viewer and registry report.

• Photoshop metadata in JPEG pictures is now displayed nicely formatted in HTML tables. The relatively new printer metadata field has been added. Better support for UTF-8 encoded metadata. The most frequent IPTC fields now have a readable field name.

• AppCompatCache entries of Windows 8.1 and Windows 10 registries are now supported. Those entry are relevant when analyzing program executions.

• Output of the flag "Executed" of the Shim Cache (AppCompatCache) in the registry viewer. Potentially relevant for malware investigations.

• Output of three timestamps of Google Analytics cookies in Details mode (first visit, previous visit, last visit). Analytics cookies have the filename extension .eiurl. They are encoded as as URL that references a GIF picture with a size of 1x1 pixel and can be optionally carved (cf. "Special interest" category).

• Google Analytics last visit timestamps (URLs with "ie" timestamps) are now also provided as events when extracting embedded files from Google Chrome cache files. Useful in particular for users who do not regularly carve for URLs with "ei" timestamps at the byte level on the whole disk or partition, which is a categorized as a "special interest" carving definition only.

• Time zone changes of Windows systems and the timestamps when applications are installed, uninstalled or updated by the Windows MSI installer are now output as events to the event list.

• Support for an old file format variant of SKP (Google SketchUp).

• More precise in reporting the first sector of certain embedded files.

• The subject of e-mails in original single e-mail files (.eml, .emlx, .olk14msgsource) is now extracted as part of Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and events | [x] "Extract sender, recipients, and subject from original .eml files" and shown in the Name column if different from the name of the file, and unless the file is a carved file (i.e. a file with an artificially generated filename), the original filename will be preserved and shown as an alternative name in the same column.

Volume Snapshot

• There is now an option to limit the total number of produced video stills per video as defined by the user (1-255), regardless of the video play length. Useful to significantly decrease the output compared to fixed-length still intervals for longer videos. (Fixed-length intervals result in number of stills that grows proportionally with the play length.) This may decrease your workload a lot if you are going to look at all stills in the gallery, and also decreases the time to process long videos, but of course at the cost of being less thorough and an increased risk of missing something should any suspect hide relevant content somewhere within an innocuous video. X-Ways Forensics tries to extract the fixed number of stills at even intervals from all over the video to give a representative impression of it.

• Ability to strip certain lines off the extracted metadata in order to not see them in the Metadata column, for example to keep the case report or the output of the Export List command more compact for printing or viewing on the screen, or just because certain metadata fields are not relevant to you. You can identify unwanted metadata fields by a substring. That substring can either match the field name (e.g. "Focal Length") or a certain expected value of the field (e.g. the author name "Joe Huber" in a document). 1 substring is entered per line. You can share your definitions by sharing the file "Unwanted Metadata.txt".

• Support for files with child objects in the volume snapshot of a physical medium, which was not possible in any previous version. And physical media now also get a virtual directory specifically for carved files when running the file header signature search. Consequently, physical media with child objects or virtual directories now have a button for recursive exploration, but please note that a recursive exploration does not include any partitions, as they have their own volume snapshots. Also, please note that directories and files with child objects are still shown in the tree of the Case Data window only for volumes, not for physical media.

• The initials of the user who has carved a file manually in Disk/Partition/Volume mode are now optionally displayed after the filename in square brackets just like for other self-defined files (attached files or manual excerpts).

• When attaching external files (e.g. after decrypting, converting, translating, ...) to their respective original counterparts as identified by the unique ID, through the context menu of the case, you are now given four options:
  1) the attached file can become a child object of the original file (as before)
  or
  2) the attached file can become a sibling of the original file (shown next to it, in the same directory)
  or
  3) the attached file can replace the original file (original file no longer present)
  or
  4) the attached file can replace the original file, and the original file can become a child object of the new file if still needed.
  You can select the attachment method separately for ordinary files and e-mail attachments. The three new methods are particularly useful for e-mail attachments because only direct child objects of .eml files are embeddedd in the parent .eml file when recovering/copying those .eml files. So if you would like to have the decrypted/converted/translated version of an attachment embedded in the .eml file, that version should not become grandchild object as in previous versions. If you want original and new version both to be embedded, make them siblings. If you do not need the original version embedded, replace it completely or preserve it only as a child object of the new version (i.e. grandchild of the .eml file).

• There is now a volume snapshot option for incremental snapshot completion when dealing with OS directory listings as evidence objects (when you add a directory to your case). If selected, the volume snapshot initially just contains the contents of the top-level directory, and it is further completed only on demand, step-by-step when you manually explore subdirectories. This is exactly how the Windows Explorer/File Explorer in Windows works, and useful when dealing with slow and huge network drives that would take a long time up front to scan completely. But it's very different from the usual approach in X-Ways Forensics, and will obviously prevent you from getting a complete listing of all files when exploring recursively, simply because there is no guarantee that all files have been included in the volume snapshot yet until you have explored all subdirectories. If at any time you decide that you wish to include the contents of a certain directory in the volume snapshot recursively, you can use the "Expand all" command in the context menu of the Case Data window (right-clicking that directory) or unselect the option to complete the volume snapshot on demand and then explore that directory. Please remember that the most convenient way to expand an entire subtree is by clicking its root and pressing the multiplication key on the numeric keypad (standard feature in Windows).

• New file carving flag "y", which identifies file types that are known to use encryption internally, which allows to mark carved files of these types in the Attr. column with "e!".

PhotoDNA

•  When importing PhotoDNA hash sets or when creating PhotoDNA hash sets yourself, the new entries are now matched with existing entries exactly as lax as matching works during the analysis phase. This can be important for potential recategorization of existing entries. The benefit of this fuzzy matching is that you can adjust the category of certain entries whose original categorization was from a foreign source (e.g. Project Vic), which may be necessary because of different legislation or jurisdiction in your country or simply because of categorization errors or different interpretation, provided that you have variants of the same pictures (not necessarily the exact same files) in your collection. However, whether the new entries are added to the database as well, in addition to the similar existing entries, still depends on the same relatively strict threshold as before (more strict than the condition for recategorization of existing entries).

• You can now see in the directory browser whether there were matches for more than one PhotoDNA category for a given picture. This has become less likely thanks to the aforementioned improvement, but in those rare cases where it happens this hint can be very important to check manually. If there were matches with different categories, the name of the category with the closest match is shown (as before), now followed by a comma and an ellipsis. Also, you can now filter for such pictures that were found in more than one category. Such pictures may deserve as much attention as duplicates in conventional hash databases that belong to the "irrelevant" category and "notable" category at the same time and are usually the result of an inconsistently populated database, e.g. accidental miscategorizations or correct categorizations made by users in different jurisdictions etc. If the returned best matching category for a picture is wrong in your opinion, you can fix this by adding a hash set of that picture to the PhotoDNA database again, specifying the correct category.

• A stylized P is now displayed in the Analysis column for pictures for which at least one PhotoDNA hash value is stored in the volume snapshot.

• The PhotoDNA hash value of a picture, if stored in the volume snapshot, can now be seen in Details mode.

Search Functions

• Ability to mark search hits for inclusion in the case report, using a new command in the context menu of the search hit list, with the green grid icon. If a file is part of a report table and the report table is output in the report, and if the file contains search hits that have been marked for inclusion in the report, then the context of these search hits is shown below the listing of that file. Inclusion in the report and being notable are two separate properties of search hits. You can filter for both properties with the filter of the Search hits column.
  
  Of course, user search hits can also be included in the report. That means you can select any part of a file in File mode, add it as a user search hit and then get that part quoted automatically in the case report.

• Maximum length for the simple search and replace functions extended from 50 to 100 bytes.

Usability & User Interface

• Scrolling in Calendar mode now updates the view on the fly. Ability to use the mouse wheel in Calendar mode for scrolling. The calendar now no longer shows years that are more than 1 year in the future, even if distant garbage timestamps are listed in the directory browser or event list, to keep the display range more compact.

• Listing the root directory of a volume in the directory browser, in the root directory itself, actually, is kind of illogical, but can be very helpful to see that directory's timestamp (if any, depends on the file system) or to quickly navigate to its clusters (if any, also depends on the file system) or as another place where to quickly tag or untag all items in a volume. Whether the root directory is listed now no longer depends on the file system, but is controlled in the directory browser options.

• Another new directory browser setting renders listing the internal files of the file system optional in the normal directory browser. This affects for example the various $* files in NTFS. Specifically in X-Ways Investigator those files are no longer listed as they are irrelevant to non-technical examiners (the target group of X-Ways Investigator) and might confuse them because they are not familiar with them from using ordinary high-level computer software.

• There is now a second grouping option for the Recover/Copy command. That means you can group by any two of the previously known aspects at the same time, e.g. first by deletion status and then by type, or first by report table and then by file type category.

• The filename extension of an original image (image of the suspect found within evidence objects and added to the case, e.g. VMDK, VHD, VDI, ISO) is no longer removed in the evidence object title, so that you can see it everywhere in the user interface and better understand the context if you find relevant files in such an image.

• Excerpts are now marked with scissors on the icon.

• Files with metadata only (no known file contents) now have an icon with white interior.

• Ability to check or uncheck all file types for the file header signature search with a single mouse click.

Miscellaneous

• Setup program revised.

• Many minor improvements.

• Some minor fixes.

• Program help and user manual updated for v18.6.

Changes of service releases of v18.5

• SR-1: Opening the entire memory of a running process failed in the 32-bit edition since v18.4. That was fixed.

• SR-1: Prevented "Invalid file" error message, which some users experienced repeatedly during volume snapshot refinement. (For those who thought that the only way to stop it was the terminate X-Ways Forensics with the Windows Task Manager, please be reminded that you can abort operations such as volume snapshot refinements by clicking the "x" in the upper right corner of the progress indicator window.)

• SR-1: Fixed potentially incomplete output of the Export List command with the clipboard option depending on the (invisible) "Max. lines per file" setting.

• SR-2: Fixed an exception error that could occur when matching files against the FuzZyDoc hash database.

• SR-2: Fixed an infinite loop that could occur when carving certain rare corrupt zip archives.

• SR-2: Prevents redundant line breaks in the Metadata columns.

• SR-2: Prevents some garbled characters in the registry report for Windows 10 System hives when created with the 64-bit edition.

• SR-3: When searching in files that were opened through the operating system (through your own drive letter), when also searching in their directory browser cells, in GREP syntax, without allowing overlapping hits, if there was a hit in a directory browser cell, additional hits in the file contents were ignored. That was fixed.

• SR-3: The raw Base64 to binary conversion now ignores space and tab characters in addition to line breaks.

• SR-3: Fixed a rare exception error that could occur when viewing an Ext* .journal file.

• SR-3: Russian and Chinese translation of the user interface updated.

• SR-3: Fixed a formatting error in metadata extraction in the previous release.

• SR-4: Proper type display and file type treatment for files carved in unpartitioned space on physical media.

• SR-4: Sector sizes other than 512 bytes supported for Ext file systems.

• SR-4: Fixed omission of file system level timestamps of certain files without file contents in the event list.

• SR-5: v18.5 parsed certain directories in exFAT volumes incompletely. That was fixed.

• SR-6: Fixed an error that could occur when interpreting images that are stored in other images or disks without copying them off the image or disk first.

• SR-6: Fixed a rare error that could occur during e-mail extraction from Outlook Express DBX files.

• SR-6: Fixed inability to display the cell texts of events that are not related to any file.

• SR-6: Fixed certain occurrences of the error message "The viewer component does not accept your path for temporary files" in v18.5.

• SR-7: Now supports path lengths of 255 characters for the temp directory of the viewer component in case the path consists of pure ANSI code page characters only. If at least 1 true Unicode character is present in the path, the limit is 127 characters. In v18.4 and earlier the limit was 255 ANSI code page characters, and true Unicode characters were not allowed. In v18.5 prior to SR-7 the limit was 127 characters, and Unicode characters were allowed.

• SR-7: MSG file processing slightly revised.

• SR-7: No skin color percentages or PhotoDNA hash values are computed any more for JPEG pictures that are considered too corrupt, e.g. truncated in such a way that more than 50% missing.

• SR-7: PhotoDNA hash values are now stored in the volume snapshot for re-matching and deduplication even for trivial single-color pictures.

• SR-8: PDF file carving problems in v18.5 fixed.

• SR-8: Fixed a rare exception error that could occur in recent versions when opening the virtual memory of other processes.

• SR-8: v18.5 did not actually add a manually carved file to the selected report table(s) on request. That was fixed.

• SR-8: Renaming search terms did not always work correctly, depending on the presented search term order. That was fixed.

• SR-9: Greatly reduced free drive space requirements for nested image interpretation.

• SR-9: Fixed occasional corruption of "Partitions by disk signature" table in the registry report in the 64-bit edition.

• SR-9: Fixed an exception error that could occur when sorting block hash matches by the Search hit column.

• SR-9: The "Xtra Atom" format variant was previously supported for carving F4V videos already, now also for MP4.

• SR-9: Potential instability with corrupt SketchUp files fixed.

Viewer Component

Oracle has provided a "critical patch update" for v8.5.2, v8.5.1, and v8.5.0 of the viewer component. The updated versions are downloadable from our web server since  Oct 25, 2015. They are probably recommendable for security reasons. This time it is quite hard to make educated guesses about what was actually fixed because several general utility DLLs are affected. Other DLLs that were patched provide support for PDF, TGA, PDX and WK4 files.

Oracle's description of the patch update for v8.5.2 as always starts with a very promising first line, but is not super enlightening otherwise:

What this Update Fixes:
October 2015 Critical Patch Update for Outside In
This patch is the initial Outside In 8.5.2 Critical Patch Update

There are still a few users who ask about a replacement for their lost dongle although they did not insure the dongle against loss or theft and although we say everywhere that we do not replace lost or stolen dongles if not insured.

Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

July 29, 2010