·.·. Computer forensics software made in Germany .·.·

WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#158: X-Ways Forensics, X-Ways Investigator, WinHex 19.6 released

Mar 9, 2018

This mailing is to announce the release of another notable update with many notable improvements, v19.6.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.

Upcoming Training

Mar 13-16 London, England X-Ways Forensics
Mar 19-22 Gatineau, QC X-Ways Forensics
Apr 30-May 3 Chicago, IL X-Ways Forensics
May 3-4 Liverpool, England X-Ways Forensics II
Jul 9-12 Vancouver, BC X-Ways Forensics

Please sign up for our training newsletter here if you would like to be kept up to date on future classes.

What's new in v19.6?
(please note that most changes affect X-Ways Forensics only)

File Type Support

  • A new directory browser column is now available in X-Ways Forensics and X-Ways Investigator and populated during metadata extraction: Device type. This column shows the class of device that produced a given JPEG file, such as a smartphone's main camera, a smartphone's front/secondary camera, a point and shoot/compact camera, camcorder, DSLR, webcam etc. That information is derived from the generator signature. This column also comes with a filter. Filtering for the device type could be useful for example if you are looking for rather private photos (selfies taken with a smartphone's front camera) or rather professional photos (e.g. DSLR or digital camera back).

  • Scanned pictures used to be identified as such through report table associations. That is no longer the case. That they were generated by a scanner can now be seen in the new aforementioned column.

  • Pictures that were identified as screenshots are now shown with "screen" as the device type. The device type "screen" identifies screenshots and sometimes pictures that seem to be specially sized to match a certain screen resolution (e.g. wallpapers).

  • The GPS processing mode, if available, is listed in Details mode. This mode allows to estimate the reliability/precision of the coordinates. It is used by various manufacturers, and it can be one of the following values: Unknown, GPS, Network, Hybrid, Fused, or CELLID.

  • New entry named "Geolocation" in the extracted metadata and in Details mode, with the GPS coordinates in a notation as accepted by Google Maps, OpenStreetMap or Bing Maps. It also replaces the previous fields Latitude and Longitude in the extracted metadata as it is more suitable for automatic processing.

  • Three additional fields for Exif GPS data are output in Details mode where available: Altitude, Image direction, and GPS Error. Altitude might be helpful to judge the reliability of the geo coordinates. Image direction is a feature of high-end smartphones.

  • If there is something unusual about the presence of GPS coordinates in JPEG pictures, those GPS coordinates are now highlighted in blue color. For example if the GPS coordinates are present and a GPS timestamp is absent, for a mobile device type that is known to always include both at the same time (sometimes depending on whether the front or back camera is used), or for a camera type that is known to not have GPS, it could mean that the coordinates have been retroactively embedded. GPS timestamps that are different from the time when the photo was taken are also highlighted in blue color.

  • A new file named PhoneAliasTable.txt contains a translation from internal device designations to human-readable marketing names. In particular device designations used by Samsung, Motorola, LG and Huawei are rather cryptic and better understood if translated. This table can also contain the device's release date and region. That table is currently relatively sparsely populated, but its format is explained in the header so that users can help to complete it.

  • Details mode now shows firmware date and region for JPEG files created by many Samsung mobile phones, which can help to validate other metadata.

  • The table for the generator signature based Exif data validation now supports more than 11,000 devices (where the front cameras of smartphones count as separate devices).

  • Time zone extracted from files that were produced by some new Sony devices.

  • Twitter timestamps in JPEG files are recognized and output in the "Content created" column.

  • Extraction of Content created timestamp from JPEG files improved.

  • Automatic removal of interspersed padding data between two thumbnails in JPEG files created by various digital camera models, which was previously included in (prepended to) the second thumbnail's data.

  • PNG files now also receive a generator signature as part of metadata extraction, to identify PNG files that likely originate from the same source and PNG files that are screenshots.

  • Detection of the generating device type for some PNG files, also shown in the new Device type column.

  • Improved detection of PNG screenshots of old mobile phones.

  • Support for iOS netusage.sqlite files, which record the data usage of apps. Besides the amount of data flowing in and out, they also provides approximate timestamps when apps were used for the first and last times. Appropriate events are extracted and an HTML preview is created containing all relevant information.

  • Improved stability when processing EVTX files.

  • Supports a new format variant of certain registry values in Windows 10.

Picture Display

  • If pictures in Preview mode are shown by the internal graphics viewing library, not the separate viewer component, they can now be rotated in 90° steps by clicking the left mouse button (to rotate to the left) and the right mouse button (to rotate to the right).

  • Photos taken by mobile phones and digital cameras of certain major manufacturers in portrait mode are stored in landscape orientation and marked as to be rotated left or right in the Exif metadata. Both Preview mode and the View command now adjust those photos to the correct orientation automatically, only with the internal graphics viewing library, not the viewer component. The gallery also automatically adjusts the orientation (not for auxiliary thumbnails).

  • Clicking the middle mouse button in Preview mode when a picture is shown by the internal graphics viewing library will mirror the picture (flip horizontally) or if the Shift key is pressed flip the picture vertically. Please note that this operation is applied in addition to any active rotation.

  • The currently active rotation and flip mode are described by some symbols in the upper right corner. Additionally, if no flipping has taken place, but a rotation, the letters "BR" indicate what in the original graphical data was the bottom right corner.

  • Ability to display certain rare PNG files with invalid zlib compression.

User Interface

  • Video files, audio files, Office documents and plain text files can now optionally be represented by special icons, just as previously only picture files. You can enable special icons separately for each such category in the directory browser options dialog window.

  • Many additional icons in the user interface, in particular for the mode buttons and external programs.

  • Closed envelope icons now reflect the known unread status of e-mails.

  • Right-clicking anywhere in the Mode button bar outside of all the buttons will now show or hide the divider line between the directory browser and the lower half of a data window. If the divider line is visible, it is thicker now with high DPI settings to make it easier to grab that line and adjust the height of the directory browser. If the divider line is invisible, you can adjust the window height by left-clicking in the Mode button bar and moving the mouse cursor up and down while holding the mouse button. Without the divider it is also more intuitive that the right-hand side of the Mode button bar acts as a status bar of the directory browser and that the buttons in the right half affect the upper half of a data window.

  • Improved support for high DPI settings in general.

  • The height of the directory browser options dialog window is now automatically increased as the vertical resolution of the main screen allows in order to accommodate as many column labels as possible and ideally do away with the scrollbar if no longer required.

  • Russian translation of the user interface updated.

  • Option to get prompted for each file when printing with direct child objects.

  • Option to output only non-blank fields on the print cover page.


  • Ability to populate the gallery with thumbnails using multiple threads. This makes the biggest difference for high-resolution JPEG pictures whose embedded thumbnails have not been uncovered yet (e.g. during preview of a live machine) or are not used as auxiliary thumbnails, for which the decompression procedure is computationally intensive.

  • Accelerated volume snapshot finalization for large snapshots with many directories in "Path unknown".

  • Ability to refine volume snapshots on storage devices with sector wise access using multiple threads just like on images and in directories.

  • Ability to open large .e01 evidence files faster after the first time, by keeping some internal image metadata for navigation in a separate file. This can make a big difference if the image is stored on media with slow access, in particular remote network drives. Can be turned off in Options | Security, as that is where all the .e01 options are located. If fully checked, the separate file is stored in the same directory as the image itself, so that even other cases / other users that open the same copy of the same image benefit from the increased performance if the separate file has been created before. If half checked, the separate file is stored in the evidence object's internal metadata directory of the current case.

    In an attempt to protect their image files from accidental alteration, deletion, or corruption and to maximize the revenue of hardware write blocker manufacturers, a few of our users do not only write block suspect storage devices, but also their own storage devices if those devices contain image files. Those users are well advised to half-check this option for obvious reasons, and here is a friendly reminder that write blocking interferes with proper functioning of the operating system and application programs because it untruthfully signals write success when actually no data is written, preventing the OS and application programs from realizing that the data that they wanted to write could not be written. Write blocking is meant for special situations only. The recommended method to protect one's own data (e.g. images in the case of a computer forensic examiner) would be official write protection that the OS is aware of or enforces itself, not sneaky write blocking. (And backups are good, too, of course.)

Storage Device Management

  • The list of logical volumes in Tools | Open Disk can now optionally include volumes that are active in Windows, but not currently associated with any drive letter. Please understand that whenever you open volumes, whether with drive letter or without drive letter, no volume slack is presented. Volume slack is included only if you open the physical storage device first and then the partition that contains the volume.

  • Active volumes that are not ordinary volumes are displayed with a special icon and a special description, e.g. "TrueCryptVolumeX". Useful so that on a live system that you wish to preview, examine or acquire you can quickly see which volumes may need to be addressed separately (in additional to physical storage devices) because it would be difficult to reconstruct or unlock them later based on the data on the physical storage device.

  • If volumes without connected drive letter are listed, that also includes volumes that have been mounted within Windows as a junction point in another volume. Such volumes are listed with a special link icon, and the junction point is displayed between volume label and volume size.

  • The list of volumes that do not have drive letters may also include volumes that were previously active in Windows. Those are marked with a crossed out red circle icon. For example a previously mounted TrueCrypt volume that was dismounted might be shown in this fashion. Such volumes cannot be opened any more, they are just listed for informational purposes, which is useful when running X-Ways Forensics on a live system that needs to be examined.

  • A new command in the Specialist menu allows to write-protect locally attached physical storage devices (including removable media, except optical media) with all their volumes everywhere in the operating system, in all applications, even at the sector level in WinHex itself, no matter which edit mode is active. This can be useful to protect original disks that need to be acquired or analyzed (but only after Windows has detected and accessed them) and your own disks that contain images, from accidental alteration, deletion, or data corruption. The effect will last until you remove the write protection again or unplug the devices or reboot your computer. To keep Windows from touching newly attached physical storage devices before you can write-protect them (i.e. to keep them in "offline" mode first), you would need to disable automatic mounting in Windows (and verify that this works). Turning on write-protection for an offline disk will automatically bring the disk online, at the same time while rendering it read-only. Careful, do not write-protect disks that your Windows system needs to write to for proper functioning.

  • This new command also allows to selectively write-protect only specific volumes (if mounted as drive letters), not the entire physical storage device. Please note that the read-only status of a volume cannot be lifted selectively if the entire underlying physical storage device is read only.

  • If a physical storage device is treated as offline or read-only in Windows Disk Management, that information is now displayed in all disk selection dialog windows. Offline disks can be opened for reading/imaging/analysis.

  • Better support for Linux MD RAIDs with container partitions on GPT-partitioned disks.

File System Support

  • Referrer URLs in Zone.Identifier alternate data streams are now presented in the Metadata column if such ADS are not included in the volume snapshot.

  • Support for 1 KB FILE records in NTFS volumes with a sector size of 4 KB.

  • Rejects more invalid/corrupt FAT directory entries than before.

  • Fixed occasional absence of exFAT allocation information for file allocation table entries in the Info pane.

  • Unix style symlinks now have a file icon with a little arrow for easier identification.

  • Reparse points/junction points in NTFS file systems now have a directory icon with a little arrow to identify them as special directories in the directory browser. Such directories are no longer initially marked as "already viewed" in a newly taken volume snapshot.


  • Support for 5-digit filename extensions in segmented raw images.

  • More stable when dealing with corrupt .e01 evidence files.

  • Passing on internal file metadata in evidence file containers is now a 3-state check box. If half checked, only extracted senders and recipients of e-mails will be passed on and not general metadata as known from the Metadata column.

  • The command line parameter “RVS” now includes a screenshot of the volume snapshot refinement dialog in the case activity log showing the active refinement settings. That screenshot is either textual or graphical in nature depending on your case activity log settings.

  • If "Page break after x table rows for printing" is selected for the case report, that will now also insert a page break after each report table.

  • The size of an evidence object that is a directory is now the total recursive size of all its files, not the total capacity of the volume on which it resides. That size is now also shown in the Info Pane as "used space", though the "free space" and "total capacity" are still those of the host volume.

  • The weight of the device type for the generic relevance judgement can now be defined in the file Generator Signatures.txt. The weight factor can be found at the end of the *** line. It may be between 0 and 50.

  • The number of categories per device type in Generator Signatures.txt has increased, and there is a new category "Unknown".

  • Ability to schedule a shutdown or (if supported) hibernation of the machine after a certain number of minutes, in Options | Security. Guaranteed to work only if nothing keeps the machine from powering down, e.g. other application programs with unsaved work etc. If you half-check to proceed "brutally", that should power down the machine even if an application is hung. If fully checked, that will not even wait for other applications that prompt the user what to do with any unsaved work longer than a few seconds. If you exit the instance of WinHex/X-Ways Forensics in which you have scheduled the shutdown, the shutdown won't happen. It is possible to cancel a previously scheduled shutdown without restarting the program.

  • Some stability improvements.

  • Many minor improvements.

  • User manual and program help updated for v19.6.

Changes of service releases of v19.5

  • SR-1: The internal creation date of XML/Zip-based Office documents was incorrectly assumed to be UTC-based during extraction. That was fixed.

  • SR-1: A few filters could not be activated any more in v19.5 by clicking the respective funnel symbols in the column headers, only from within the dialog window with the directory browser options. That was fixed.

  • SR-1: Parses a GUID partition table if present even if the MBR has a valid partition table itself and does not point to the presence of GPT partitioning.

  • SR-2: Ability to use the RAID reconstruction feature to rebuild a JBOD that consists of just a single component. That could be useful to get a single partition of an MD RAID with RAID level 1 interpreted as a physical disk within X-Ways Forensics.

  • SR-2: Processing of SQLite databases with the identification as sqlite3 in the Type column.

  • SR-2: Fixed "Extents cannot be accessed" error that could occur on some highly fragmented HFS+ volumes.

  • SR-2: Fixed an error or crash that could occur when viewing nested files purely with the viewer component in v19.5.

  • SR-2: More stable when trying to decompress corrupt data that is presumed to be XPRESS-compressed.

  • SR-2: Fixed a possible read error in conjunction with image files in v19.5.

  • SR-3: Certain existing files in evidence file containers that originated from exFAT file systems were erroneously not included in the volume snapshot if "Include deleted files in snapshot at all" was not checked. That was fixed.

  • SR-3: Fixed a crash that could occur when adding e-mails with an extremely long list of recipients to an evidence file container.

  • SR-3: Prevented a possible exception error with certain Chome cache files.

  • SR-3: The work-around to view Windows 10 Prefetch files under Windows 7 did not work any more in v19.5. That was fixed.

  • SR-4: Improved stability when decompressing data that is expected to be WofCompressed, but is not really WofCompressed, and for certain unsupported WofCompressed data.

  • SR-4: Fixed an exception error that occurred when creating a case report if an evidence object had positions/bookmarks without description in the Position Manager.

  • SR-4: Fixed a possible exception error when uncovering embedded data from PE executable files.

  • SR-4: The alternative .eml preview now now correctly deals with bodies that contain concatenated HTML documents such as found in Skype conversation that were auto-saved in MS Exchange.

  • SR-4: Fixed an exception error that could occur at the beginning of the file-wise processing of volume snapshot refinement if started from the command line.

  • SR-4: Fixed inability to change the user interface language in X-Ways Investigator right in the user interface.

  • SR-5: Prevented exception errors that could occur with carved corrupt Canon Zoom Browser files (.info).

  • SR-5: Some previously existing directories of which traces were found in $LogFile were erroneously included in the volume snapshot as files. That could lead to consequential parent-child problems for files that were contained in those directories, if traces of these files were also found in $LogFile.

  • SR-5: Fixed an error that under certain circumstances prevented the removal of unwanted hash values from a specifically targeted hash set in the hash database.

  • SR-5: Fixed an exception error that could occur when generating the alternative preview of .eml files.

  • SR-5: Fixed incomplete GPS latitude output.

  • SR-5: Fixed an exception error that occurred in v19.5 when recovering files by type from within uninterpreted raw image files.

  • SR-5: Prevented reproduction of trailing backslashes in evidence object names as top level directory names in evidence file containers.

  • SR-5: Fixed an exception error that could occur in the 64-bit edition when activating the Type filter with a user-defined type list.

  • SR-6: More strict checking of $USNJrnl:$J data before extraction to prevent instabilities with potential data corruption.

  • SR-6: Automatic removal of interspersed padding data between a thumbnail and a low-resolution alternative of a photo in JPEG files created by various digital camera models, which was previously included in (prepended to) the low-resolution alternative and prevented immediate viewing.

  • SR-6: Fixed an exception error that could occur when parsing incomplete sets of thumbcaches of Windows 7.

  • SR-6: Prevented a possible crash that could occur with certain corrupt or irregular ID3 metadata in MP3 files.

  • SR-6: Implemented a more precise handling of Google Chrome's SyncData which results in a more detailed extraction of artifacts.

  • SR-6: Extraction of embedded JPEG attachments from certain original .eml files with an unusual encoding style.

  • SR-6: Better protection against corrupt .evt files.

  • SR-6: Stored search hits were not automatically loaded when an evidence object was opened by the "Last session" project.

  • SR-6: Fixed an error that in v19.3 and later could lead to sector read problems.

  • SR-6: Prevented unnecessary output of "Cannot write..." error messages for certain SQLite databases in certain situations when actually no error had occurred.

  • SR-7: Under certain circumstances, a logical simultaneous searches in v19.5 were aborted prematurely if the "1 hit per file" option was selected, and the user was informed of that. That was fixed.

  • SR-7: Reading uninitialized areas of files is now forced for shadow copy host files when volume shadow copies are parsed, no matter which settings for reading unintialized areas is active.

  • SR-7: If the surrogate pattern for unreadable sectors is completely removed, that will now result in an all zeroes again as documented and as known from v19.1 and earlier, without line breaks.

  • SR-7: When viewing password-protected documents with the viewer component for which the password list did not contain the correct password, after manually entering the correct password, a wrong password was remembered in the metadata column. That was fixed.

  • SR-7: Duplicate identification based on timestamp columns did not work correctly before. That was fixed.

  • SR-7: Fixed an exception error that could occur when uncovering embedded bitmap ressources from corrupt PE executable files.

  • SR-8: Fixed inability of SR-6 and SR-7 to extract attachments from lose .eml files and e-mails in MBOX archives.

  • SR-8: Fixed potentially incomplete processing of some rare SQLite database files.

  • SR-8: Fixed a potential instability when extracting e-mails from MBOX e-mail archives.

  • SR-8: Fixed display error with extremely high DPI settings.

Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde


> Archive of the year 2017 <

> Archive of the year 2016 <

> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <