|#158: X-Ways Forensics,
X-Ways Investigator, WinHex 19.6 released
Mar 9, 2018
This mailing is to announce the release of
another notable update with many notable improvements, v19.6.
WinHex evaluation version:
(also the correct download link for anyone with a personal, professional, or
Customers may go to
for download links, the latest log-in data, details about their access to updates, etc. Those customers whose
access to updates or license has
expired can receive upgrade/renewal offers from there.
Please be reminded that if you are interested in receiving information about
service releases when they become available, you can find those in
Announcement section of the
and (with active access to updates) can subscribe to them, too, by creating
a forum profile. Please note that if you wish or need to stick with an older
version for a while, you should at least use the last service release of that version.
Please sign up for our training newsletter
if you would like to be kept up to date on future classes.
What's new in v19.6?
(please note that most changes
affect X-Ways Forensics only)
File Type Support
A new directory browser column is now available in
X-Ways Forensics and X-Ways Investigator and populated during metadata
extraction: Device type. This column shows the class of device that
produced a given JPEG file, such as a smartphone's main camera, a
smartphone's front/secondary camera, a point and shoot/compact camera,
camcorder, DSLR, webcam etc. That information is derived from the
generator signature. This column also comes with a filter. Filtering for
the device type could be useful for example if you are looking for
rather private photos (selfies taken with a smartphone's front camera)
or rather professional photos (e.g. DSLR or digital camera back).
Scanned pictures used to be identified as such
through report table associations. That is no longer the case. That they
were generated by a scanner can now be seen in the new aforementioned
Pictures that were identified as screenshots are now
shown with "screen" as the device type. The device type "screen"
identifies screenshots and sometimes pictures that seem to be specially
sized to match a certain screen resolution (e.g. wallpapers).
The GPS processing mode, if available, is listed in
Details mode. This mode allows to estimate the reliability/precision of
the coordinates. It is used by various manufacturers, and it can be one
of the following values: Unknown, GPS, Network, Hybrid, Fused, or
New entry named "Geolocation" in the extracted
metadata and in Details mode, with the GPS coordinates in a notation as
accepted by Google Maps, OpenStreetMap or Bing Maps. It also replaces
the previous fields Latitude and Longitude in the extracted metadata as
it is more suitable for automatic processing.
Three additional fields for Exif GPS data are output
in Details mode where available: Altitude, Image direction, and GPS
Error. Altitude might be helpful to judge the reliability of the geo
coordinates. Image direction is a feature of high-end smartphones.
If there is something unusual about the presence of
GPS coordinates in JPEG pictures, those GPS coordinates are now
highlighted in blue color. For example if the GPS coordinates are
present and a GPS timestamp is absent, for a mobile device type that is
known to always include both at the same time (sometimes depending on
whether the front or back camera is used), or for a camera type that is
known to not have GPS, it could mean that the coordinates have been
retroactively embedded. GPS timestamps that are different from the time
when the photo was taken are also highlighted in blue color.
A new file named PhoneAliasTable.txt contains a
translation from internal device designations to human-readable
marketing names. In particular device designations used by Samsung,
Motorola, LG and Huawei are rather cryptic and better understood if
translated. This table can also contain the device's release date and
region. That table is currently relatively sparsely populated, but its
format is explained in the header so that users can help to complete it.
Details mode now shows firmware date and region for
JPEG files created by many Samsung mobile phones, which can help to
validate other metadata.
The table for the generator signature based Exif data
validation now supports more than 11,000 devices (where the front
cameras of smartphones count as separate devices).
Time zone extracted from files that were produced by
some new Sony devices.
Twitter timestamps in JPEG files are recognized and
output in the "Content created" column.
Extraction of Content created timestamp from JPEG
Automatic removal of interspersed padding data
between two thumbnails in JPEG files created by various digital camera
models, which was previously included in (prepended to) the second
PNG files now also receive a generator signature as
part of metadata extraction, to identify PNG files that likely originate
from the same source and PNG files that are screenshots.
Detection of the generating device type for some PNG
files, also shown in the new Device type column.
Improved detection of PNG screenshots of old mobile
Support for iOS netusage.sqlite files, which record
the data usage of apps. Besides the amount of data flowing in and out,
they also provides approximate timestamps when apps were used for the
first and last times. Appropriate events are extracted and an HTML
preview is created containing all relevant information.
Improved stability when processing EVTX files.
Supports a new format variant of certain registry
values in Windows 10.
If pictures in Preview mode are shown by the internal
graphics viewing library, not the separate viewer component, they can
now be rotated in 90° steps by clicking the left mouse button (to rotate
to the left) and the right mouse button (to rotate to the right).
Photos taken by mobile phones and digital cameras of
certain major manufacturers in portrait mode are stored in landscape
orientation and marked as to be rotated left or right in the Exif
metadata. Both Preview mode and the View command now adjust those photos
to the correct orientation automatically, only with the internal
graphics viewing library, not the viewer component. The gallery also
automatically adjusts the orientation (not for auxiliary thumbnails).
Clicking the middle mouse button in Preview mode when
a picture is shown by the internal graphics viewing library will mirror
the picture (flip horizontally) or if the Shift key is pressed flip the
picture vertically. Please note that this operation is applied in
addition to any active rotation.
The currently active rotation and flip mode are
described by some symbols in the upper right corner. Additionally, if no
flipping has taken place, but a rotation, the letters "BR" indicate what
in the original graphical data was the bottom right corner.
Ability to display certain rare PNG files with
invalid zlib compression.
Video files, audio files, Office documents and plain
text files can now optionally be represented by special icons, just as
previously only picture files. You can enable special icons separately
for each such category in the directory browser options dialog window.
Many additional icons in the user interface, in
particular for the mode buttons and external programs.
Closed envelope icons now reflect the known unread
status of e-mails.
Right-clicking anywhere in the Mode button bar
outside of all the buttons will now show or hide the divider line
between the directory browser and the lower half of a data window. If
the divider line is visible, it is thicker now with high DPI settings to
make it easier to grab that line and adjust the height of the directory
browser. If the divider line is invisible, you can adjust the window
height by left-clicking in the Mode button bar and moving the mouse
cursor up and down while holding the mouse button. Without the divider
it is also more intuitive that the right-hand side of the Mode button
bar acts as a status bar of the directory browser and that the buttons
in the right half affect the upper half of a data window.
Improved support for high DPI settings in general.
The height of the directory browser options dialog
window is now automatically increased as the vertical resolution of the
main screen allows in order to accommodate as many column labels as
possible and ideally do away with the scrollbar if no longer required.
Russian translation of the user interface updated.
Option to get prompted for each file when printing
with direct child objects.
Option to output only non-blank fields on the print
Ability to populate the gallery with thumbnails using
multiple threads. This makes the biggest difference for high-resolution
JPEG pictures whose embedded thumbnails have not been uncovered yet
(e.g. during preview of a live machine) or are not used as auxiliary
thumbnails, for which the decompression procedure is computationally
Accelerated volume snapshot finalization for large
snapshots with many directories in "Path unknown".
Ability to refine volume snapshots on storage devices
with sector wise access using multiple threads just like on images and
Ability to open large .e01 evidence files faster
after the first time, by keeping some internal image metadata for
navigation in a separate file. This can make a big difference if the
image is stored on media with slow access, in particular remote network
drives. Can be turned off in Options | Security, as that is where all
the .e01 options are located. If fully checked, the separate file is
stored in the same directory as the image itself, so that even other
cases / other users that open the same copy of the same image benefit
from the increased performance if the separate file has been created
before. If half checked, the separate file is stored in the evidence
object's internal metadata directory of the current case.
In an attempt to protect their image files from accidental alteration,
deletion, or corruption and to maximize the revenue of hardware write
blocker manufacturers, a few of our users do not only write block
suspect storage devices, but also their own storage devices if those
devices contain image files. Those users are well advised to half-check
this option for obvious reasons, and here is a friendly reminder that
write blocking interferes with proper functioning of the operating
system and application programs because it untruthfully signals write
success when actually no data is written, preventing the OS and
application programs from realizing that the data that they wanted to
write could not be written. Write blocking is meant for special
situations only. The recommended method to protect one's own data (e.g.
images in the case of a computer forensic examiner) would be official
write protection that the OS is aware of or enforces itself, not sneaky
write blocking. (And backups are good, too, of course.)
Storage Device Management
The list of logical volumes in Tools | Open Disk can
now optionally include volumes that are active in Windows, but not
currently associated with any drive letter. Please understand that
whenever you open volumes, whether with drive letter or without drive
letter, no volume slack is presented. Volume slack is included only if
you open the physical storage device first and then the partition that
contains the volume.
Active volumes that are not ordinary volumes are
displayed with a special icon and a special description, e.g.
"TrueCryptVolumeX". Useful so that on a live system that you wish to
preview, examine or acquire you can quickly see which volumes may need
to be addressed separately (in additional to physical storage devices)
because it would be difficult to reconstruct or unlock them later based
on the data on the physical storage device.
If volumes without connected drive letter are listed,
that also includes volumes that have been mounted within Windows as a
junction point in another volume. Such volumes are listed with a special
link icon, and the junction point is displayed between volume label and
The list of volumes that do not have drive letters
may also include volumes that were previously active in Windows. Those
are marked with a crossed out red circle icon. For example a previously
mounted TrueCrypt volume that was dismounted might be shown in this
fashion. Such volumes cannot be opened any more, they are just listed
for informational purposes, which is useful when running X-Ways
Forensics on a live system that needs to be examined.
A new command in the Specialist menu allows to
write-protect locally attached physical storage devices (including
removable media, except optical media) with all their volumes everywhere
in the operating system, in all applications, even at the sector level
in WinHex itself, no matter which edit mode is active. This can be
useful to protect original disks that need to be acquired or analyzed
(but only after Windows has detected and accessed them) and your own
disks that contain images, from accidental alteration, deletion, or data
corruption. The effect will last until you remove the write protection
again or unplug the devices or reboot your computer. To keep Windows
from touching newly attached physical storage devices before you can
write-protect them (i.e. to keep them in "offline" mode first), you
would need to disable automatic mounting in Windows (and verify that
this works). Turning on write-protection for an offline disk will
automatically bring the disk online, at the same time while rendering it
read-only. Careful, do not write-protect disks that your Windows system
needs to write to for proper functioning.
This new command also allows to selectively
write-protect only specific volumes (if mounted as drive letters), not
the entire physical storage device. Please note that the read-only
status of a volume cannot be lifted selectively if the entire underlying
physical storage device is read only.
If a physical storage device is treated as offline or
read-only in Windows Disk Management, that information is now displayed
in all disk selection dialog windows. Offline disks can be opened for
Better support for Linux MD RAIDs with container
partitions on GPT-partitioned disks.
File System Support
Referrer URLs in Zone.Identifier alternate data
streams are now presented in the Metadata column if such ADS are not
included in the volume snapshot.
Support for 1 KB FILE records in NTFS volumes with a
sector size of 4 KB.
Rejects more invalid/corrupt FAT directory entries
Fixed occasional absence of exFAT allocation
information for file allocation table entries in the Info pane.
Unix style symlinks now have a file icon with a
little arrow for easier identification.
Reparse points/junction points in NTFS file systems
now have a directory icon with a little arrow to identify them as
special directories in the directory browser. Such directories are no
longer initially marked as "already viewed" in a newly taken volume
Support for 5-digit filename extensions in segmented
More stable when dealing with corrupt .e01 evidence
Passing on internal file metadata in evidence file
containers is now a 3-state check box. If half checked, only extracted
senders and recipients of e-mails will be passed on and not general
metadata as known from the Metadata column.
The command line parameter “RVS” now includes a
screenshot of the volume snapshot refinement dialog in the case activity
log showing the active refinement settings. That screenshot is either
textual or graphical in nature depending on your case activity log
If "Page break after x table rows for
printing" is selected for the case report, that will now also insert a
page break after each report table.
The size of an evidence object that is a directory is
now the total recursive size of all its files, not the total capacity of
the volume on which it resides. That size is now also shown in the Info
Pane as "used space", though the "free space" and "total capacity" are
still those of the host volume.
The weight of the device type for the generic
relevance judgement can now be defined in the file Generator
Signatures.txt. The weight factor can be found at the end of the ***
line. It may be between 0 and 50.
The number of categories per device type in Generator
Signatures.txt has increased, and there is a new category "Unknown".
Ability to schedule a shutdown or (if supported)
hibernation of the machine after a certain number of minutes, in Options
| Security. Guaranteed to work only if nothing keeps the machine from
powering down, e.g. other application programs with unsaved work etc. If
you half-check to proceed "brutally", that should power down the machine
even if an application is hung. If fully checked, that will not even
wait for other applications that prompt the user what to do with any
unsaved work longer than a few seconds. If you exit the instance of
WinHex/X-Ways Forensics in which you have scheduled the shutdown, the
shutdown won't happen. It is possible to cancel a previously scheduled
shutdown without restarting the program.
Some stability improvements.
Many minor improvements.
User manual and program help updated for v19.6.
Changes of service releases of v19.5
SR-1: The internal creation date of XML/Zip-based
Office documents was incorrectly assumed to be UTC-based during
extraction. That was fixed.
SR-1: A few filters could not be activated any more
in v19.5 by clicking the respective funnel symbols in the column
headers, only from within the dialog window with the directory browser
options. That was fixed.
SR-1: Parses a GUID partition table if present even
if the MBR has a valid partition table itself and does not point to the
presence of GPT partitioning.
SR-2: Ability to use the RAID reconstruction feature
to rebuild a JBOD that consists of just a single component. That could
be useful to get a single partition of an MD RAID with RAID level 1
interpreted as a physical disk within X-Ways Forensics.
SR-2: Processing of SQLite databases with the
identification as sqlite3 in the Type column.
SR-2: Fixed "Extents cannot be accessed" error that
could occur on some highly fragmented HFS+ volumes.
SR-2: Fixed an error or crash that could occur when
viewing nested files purely with the viewer component in v19.5.
SR-2: More stable when trying to decompress corrupt
data that is presumed to be XPRESS-compressed.
SR-2: Fixed a possible read error in conjunction with
image files in v19.5.
SR-3: Certain existing files in evidence file
containers that originated from exFAT file systems were erroneously not
included in the volume snapshot if "Include deleted files in snapshot at
all" was not checked. That was fixed.
SR-3: Fixed a crash that could occur when adding
e-mails with an extremely long list of recipients to an evidence file
SR-3: Prevented a possible exception error with
certain Chome cache files.
SR-3: The work-around to view Windows 10 Prefetch
files under Windows 7 did not work any more in v19.5. That was fixed.
SR-4: Improved stability when decompressing data that
is expected to be WofCompressed, but is not really WofCompressed, and
for certain unsupported WofCompressed data.
SR-4: Fixed an exception error that occurred when
creating a case report if an evidence object had positions/bookmarks
without description in the Position Manager.
SR-4: Fixed a possible exception error when
uncovering embedded data from PE executable files.
SR-4: The alternative .eml preview now now correctly
deals with bodies that contain concatenated HTML documents such as found
in Skype conversation that were auto-saved in MS Exchange.
SR-4: Fixed an exception error that could occur at
the beginning of the file-wise processing of volume snapshot refinement
if started from the command line.
SR-4: Fixed inability to change the user interface
language in X-Ways Investigator right in the user interface.
SR-5: Prevented exception errors that could occur
with carved corrupt Canon Zoom Browser files (.info).
SR-5: Some previously existing directories of which
traces were found in $LogFile were erroneously included in the volume
snapshot as files. That could lead to consequential parent-child
problems for files that were contained in those directories, if traces
of these files were also found in $LogFile.
SR-5: Fixed an error that under certain circumstances
prevented the removal of unwanted hash values from a specifically
targeted hash set in the hash database.
SR-5: Fixed an exception error that could occur when
generating the alternative preview of .eml files.
SR-5: Fixed incomplete GPS latitude output.
SR-5: Fixed an exception error that occurred in v19.5
when recovering files by type from within uninterpreted raw image files.
SR-5: Prevented reproduction of trailing backslashes
in evidence object names as top level directory names in evidence file
SR-5: Fixed an exception error that could occur in
the 64-bit edition when activating the Type filter with a user-defined
SR-6: More strict checking of $USNJrnl:$J data before
extraction to prevent instabilities with potential data corruption.
SR-6: Automatic removal of interspersed padding data
between a thumbnail and a low-resolution alternative of a photo in JPEG
files created by various digital camera models, which was previously
included in (prepended to) the low-resolution alternative and prevented
SR-6: Fixed an exception error that could occur when
parsing incomplete sets of thumbcaches of Windows 7.
SR-6: Prevented a possible crash that could occur
with certain corrupt or irregular ID3 metadata in MP3 files.
SR-6: Implemented a more precise handling of Google
Chrome's SyncData which results in a more detailed extraction of
SR-6: Extraction of embedded JPEG attachments from
certain original .eml files with an unusual encoding style.
SR-6: Better protection against corrupt .evt files.
SR-6: Stored search hits were not automatically
loaded when an evidence object was opened by the "Last session" project.
SR-6: Fixed an error that in v19.3 and later could
lead to sector read problems.
SR-6: Prevented unnecessary output of "Cannot
write..." error messages for certain SQLite databases in certain
situations when actually no error had occurred.
SR-7: Under certain circumstances, a logical
simultaneous searches in v19.5 were aborted prematurely if the "1 hit
per file" option was selected, and the user was informed of that. That
SR-7: Reading uninitialized areas of files is now
forced for shadow copy host files when volume shadow copies are parsed,
no matter which settings for reading unintialized areas is active.
SR-7: If the surrogate pattern for unreadable sectors
is completely removed, that will now result in an all zeroes again as
documented and as known from v19.1 and earlier, without line breaks.
SR-7: When viewing password-protected documents with
the viewer component for which the password list did not contain the
correct password, after manually entering the correct password, a wrong
password was remembered in the metadata column. That was fixed.
SR-7: Duplicate identification based on timestamp
columns did not work correctly before. That was fixed.
SR-7: Fixed an exception error that could occur when
uncovering embedded bitmap ressources from corrupt PE executable files.
SR-8: Fixed inability of SR-6 and SR-7 to extract
attachments from lose .eml files and e-mails in MBOX archives.
SR-8: Fixed potentially incomplete processing of some
rare SQLite database files.
SR-8: Fixed a potential instability when extracting
e-mails from MBOX e-mail archives.
SR-8: Fixed display error with extremely high DPI
Thank you for your attention! We hope to see you soon somewhere on
http://www.x-ways.net or on our
You may also follow us on
Twitter! Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
X-Ways Software Technology AG