X-Ways Forensics Newsletter Archive 2002
(You may sign up for the newsletter here.)
#51: WinHex 10.6 released
Dec 8, 2002
This mailing is to announce a major update, WinHex 10.6.
* Gather Free Space is now much faster on NTFS drives.
* Filling disk sectors (e.g. for proper sanitizing/clearing) and cloning large disks has become considerably faster, too.
* A command for listing the unused clusters on a logical drive can now be found in the Access button menu.
* NTFS: alternate data streams, which contain hidden data, are now listed in a Drive Contents Table.
* Under Windows XP, WinHex will now detect surplus sectors on physical disks automatically.
* On NTFS drives, Initialize Free Space now also offers to wipe currently unused $Mft file records for security reasons, as they may still contain names and fragments from files previously stored in them.
* An external viewer program (like Quick View Plus etc.) can now be invoked from within WinHex, to view the currently edited file or selected block. An external text editor can now be used for editing the block, if one is selected.
* An easy-to-use DOS disk cloning tool is now included in the specialist license. X-Ways Replica is a simple, separate tool that creates clones of entire hard disks and partitions. It allows you to perform your forensic examination on an exact bit-by-bit copy of the original drive. X-Ways Replica runs in plain DOS mode, e.g. on an MS-DOS floppy boot disk. This works around the problem that many Windows environments tend to access a newly attached drive without asking, thereby e.g. altering the last access dates of some files on the original drive. See http://www.winhex.com/replica.html .
* TIFF has been added to the list of preset file types for the File Recovery by Type function.
* A new API function WHX_SetLastError has been added.
WinHex 10.6 is a free update for all users who purchased WinHex 9.82 or newer (e.g. online after May 1, 2001). If you do not qualify any more, please find out about online upgrading at http://www.winhex.com/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released within the next 15 months at no cost.
#50: WinHex 10.55 released
Oct 20, 2002
This mailing is to announce a minor update, WinHex 10.55.
Some minor improvements and error corrections, like the following:
* When creating compressed and split backups, the compression rate is now only shown once after finishing the last part.
* A new API function GetCurObjName has been introduced that retrieves the name or description of the currently active file or disk, respectively.
* Under Windows XP, a problem with the default press status of dialog buttons was fixed.
* An error in Windows 9x/Me is now avoided that occurred when opening binary files with a header similar to that of .ico files if the general option "Show file icons" was enabled.
#49: Davory released and WinHex 10.54
Sep 6, 2002
This mailing is to announce the release of both a brand-new data recovery software based on WinHex - Davory - and a noteworthy update to WinHex
Davory incorporates two automated data recovery mechanisms known from WinHex and concentrates on ease of use. Works on FAT12, FAT16, FAT32, and NTFS drives and specifically recovers JPEG, PNG, GIF, BMP, MS Office (DOC, XLS), PostScript (EPS), Acrobat (PDF), Quicken (QDF), ZIP, RAR, RIFF (WAV, AVI), MPEG (MPG), and other file types.
Davory will guide you through its recovery process step by step. Data recovery finally made easy!
Davory homepage: http://www.winhex.com/davory/
Evaluation version: http://www.winhex.com/davory.zip
To be kept informed about updates to Davory, please subscribe to the Davory newsletter at http://www.winhex.com/davory/ .
What's new in WinHex 10.54?
* "List Directory Clusters" is now called "Directory Browser". It no longer displays a mere list of cluster numbers, but also lets you navigate the disk editor interactively and easily to subdirectories and back, using the mouse or the keyboard. Available for logical drives (FAT and NTFS), and accessible also from the Access button menu.
* Any of the supported hash types (8-bit to 64-bit checksums, CRC16, CRC32, MD5, SHA-1, SHA-256, and PSCHF) can now be included in a WinHex backup.
* The system menu items of table windows ("Always on top") and data analysis windows ("W/o zero bytes", "Print") have been moved to the context menu. From the context menu, the results of a data analysis (the distribution of byte values) can now also be archived in a tab-delimited text file.
* While counting search term occurrences, intermediate results are shown in the small progress window.
* File Recovery by Type, too, will show intermediate results in the progress window (number of files already recovered).
* File Recovery by Type has a new option that limits recovery to file headers that occur in unallocated drive space. That way WinHex will concentrate on recovering files that presumably have been deleted or otherwise lost.
* The new menu command Create Directory Contents Table (Specialist license only) works the same as Create Drive Contents Table, but for a selected directory and its subdirectories only. Available for FAT12, FAT16, and FAT32.
* Digit grouping and decimal separator characters now depend on the regional settings in Windows, no longer on the language selected in WinHex.
* Specially priced API licenses of WinHex are now available. Purchasing API licenses enables you to distribute WinHex with your own software that makes use of the WinHex API, without the end user having to take care of anything related to WinHex. For details please see http://www.winhex.com/winhex/api/ .
* Some minor improvements and error corrections.
WinHex 10.54 is a free update for all users who purchased v9.74 or newer (e.g. online after March 14, 2001). If you do not qualify any more, you may query your license status and find out about online upgrading at http://www.winhex.com/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released within the next 15 months at no cost.
#48: WinHex 10.52 released
Aug 29, 2002
This mailing is to announce a noteworthy update, WinHex
* The "Calculate Digest" command in the Tools menu has been extended. It is now called "Calculate Hash" and lets you select from simple 8-bit to 64-bit checksums, CRC16, CRC32, MD5, SHA-1, SHA-256, and PSCHF.
* The disk contents table now supports all of the above hash types to be calculated for listed files (previously MD5 and PSCHF only).
* One of the above hash types may also be calculated and shown automatically in the Details Panel whenever a file is opened (previously CS32 and CRC32 only). Long hashes can be fully seen and also copied by right-clicking the Details Panel.
* MD5 calculation is now 10% faster. An MD5 can now also be included in a *compressed* backup.
* On Windows NT/2000/XP, WinHex can now access up to 30 physical hard disks with the disk editor.
* The record display options can now be applied either to the current window only or *globally* in WinHex.
* The chosen font size for printing is preserved if the print resolution cannot be determined correctly by WinHex.
* The keyword "unlimited" can now be used in scripts where a numeric value is required. It *must* be used now instead of empty brackets or the number zero to indicate an unlimited number of repetitions in a loop. The number in square brackets can now also be a variable. "unlimited" actually stands for the number 2,147,483,647.
* Templates can now reference integer variables defined as *hexadecimal* as parameters (bug fix).
* Several minor improvements.
WinHex 10.52 is still a free update for all users who purchased WinHex 9.72 or newer (e.g. online after Feb 4, 2001). If you do not qualify any more, please find out about online upgrading at http://www.winhex.com/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released within the next 15 months at no cost.
FAQ: How should I update my WinHex installation with the new version?
Answer: Terminate WinHex if running. Don't uninstall. Use the setup program of the new version to install it to the same folder as before. In some rare cases it may be necessary to restart Windows for WinHex to run properly.
This applies both to users of the full version and users that still evaluate WinHex.
#47: WinHex 10.5 released
Jul 30, 2002
This mailing is to announce a major update, WinHex 10.5.
* In addition to the feature formerly known as "File Retrieval" (meanwhile "File Recovery by Type"), there is a new command named "File Recovery by Name" in the Disk Tools menu. This encapsulates the data recovery mechanism for FAT-formatted drives previously known from the Access button menu in an easier to use, yet extended way. You may now limit the recovery to files that match filename patterns you specify, e.g. "*.gif", "John*.jpg", and "Contract v*.doc", and optionally to files that are specifically marked as deleted in the file system.
Most important, however, this data recovery feature now also works on NTFS!
* WinHex is now able to list *deleted* files on an NTFS volume in the disk contents table, not only existing files (Specialist Tools). Besides, WinHex can now list existing and deleted files on an NTFS partition that was opened via the corresponding physical disk using the Access button menu (e.g. if the volume is not mounted as a drive letter).
* Allows file masks (filename patterns) to be specified as command line parameters.
* Introduces a new script command "Insert", which functions just as the "Write" command, but in *insert* mode.
* The record display options now apply to the current window instead of globally to all open windows. Different settings can be applied to different windows and will even be retained when saved as a project.
* Allows multiple files to be selected in Tools | Specialist Tools | Trusted Download.
* A display problem - invisible message box buttons - was fixed that could occur with large system fonts. Another display problem - white background of the edit window not being cleared - should occur at least less often than before.
* Several minor improvements and bug fixes.
Upgrading to WinHex 10.5 is free for all users who purchased WinHex 9.72 or newer (e.g. online after Feb 4, 2001). If you do not qualify any more, please find details on online upgrading at http://www.winhex.com/winhex/upgrade.html . Purchasing the current version (or upgrading to it) entitles you to switch to future versions at no cost for at least 15 months.
#46: Evidor released and WinHex 10.47
Jun 3, 2002
This mailing is to announce the release of a brand-new specialized computer forensics software based on WinHex.
As you know, WinHex allows you to do about everything and anything on a hard disk. The complexity inevitably associated with this makes quite high demands on the user's computer skills.
Evidor, on the contrary, is a particularly easy-to-use, convenient, automated and fast evidence acquisition tool for lawyers, law firms, corporate law and IT security departments, licensed investigators, and law enforcement agencies. Evidor saves costs and hard, time-consuming manual work of computer forensic experts. Evidor can be used and understood even by "computer illiterates". It produces reliable, replicable, neutral, and simple results, just as needed before court.
For details please visit http://www.winhex.com/evidor/ . If this is something for you, take advantage of the introductory price (20% off!) valid until June 11, 2002, 11:59 pm (CET, +0200). For purchase orders sent by conventional mail, the postmark counts.
To be kept informed about updates to Evidor, please subscribe to the Evidor newsletter at http://www.winhex.com/evidor/ .
#45: WinHex 10.46 released
May 24, 2002
This mailing is to announce a minor update, WinHex 10.46.
* Scripting now supports the commands 'ReadLn' (reading until the next line break is encountered) and 'SaveAs "?"' (letting the user specify the destination).
* Two new functions have been added to the WinHex API. They control whether or not WinHex displays error messages itself and can retrieve the error messages as a string. For details please see http://www.winhex.com/winhex/api/ .
* Some errors have been corrected that affected scrolling, search with wildcards enabled, search for several keywords in all open files, and disk contents table creation. A few more rarely occurring problems have been fixed.
#44: WinHex 10.45 released
Apr 15, 2002
This mailing is to announce a minor update, WinHex 10.45.
* WinHex is now marketed by X-Ways Software Technology AG.
* RAM editing now optionally includes free memory regions. With no gaps any more, you may now compare memory dumps to files exactly with one another, e.g. to examine stack and heap states.
* Expanded error messages when template interpretation fails.
* Minor corrections and improvements.
Upgrading to WinHex 10.45 is free for all users who purchased WinHex 9.64 or newer (e.g. online after Jan 4, 2001). If you do not qualify any more, please find details on online upgrading here: http://www.winhex.com/winhex/upgrade.html . Purchasing the current version (or upgrading to it) entitles you to update to future versions at no cost for at least 15 months.
#43: WinHex 10.44 released
Mar 29, 2002
This mailing is to announce a noteworthy update, WinHex
* Tools | Disk Tools | File Retrieval: WinHex now offers several file types in a drop-down list, to conveniently select the correct header for recovering files of that type.
* Edit | Modify Data: WinHex can now perform bit-wise AND and OR operations with a fixed byte value.
* A new specialist tool lets you search for several keywords simultaneously. The occurrences can be archived either in the Position Manager, or in a tab-delimited text file, which can be further processed in MS Excel or any database. WinHex will save the offset of each occurrence, the search term, the name of the file or disk searched, and in the case of a logical drive the cluster allocation as well (i.e. the name and path of the file that is stored at that particular offset, if any)!
That means e.g. a forensic examiner is now able to systematically search through an entire hard drive in a single pass for words like "drug", "cocaine", and its street synonyms, dealer names, etc. at the same time! This will narrow down the examination to a list of files upon which to focus. If you do not have WinHex archive the occurrences, you may use the F3 key to continue the search.
* An error was fixed that occurred in some situations when writing sectors to a physical hard disk under Windows 95/98/Me.
* The Routine feature was finally dropped.
* Some minor improvements.
#42a: WinHex 10.4 SR-2
Mar 3, 2002
Unfortunately, the initial WinHex 10.4 version had an error in the Undo command. If you got WinHex 10.4 without the notice "SR-2" in the About box, please download again.
#42: WinHex 10.4 released
Mar 3, 2002
This mailing is to announce a major update, WinHex 10.4.
* The Access button menu has been extended for physical disks. WinHex now allows you to open every partition of a physical disk individually, even if it is not mapped as a logical drive by Windows e.g. because the file system is unknown to Windows (such as Ext2) or the drive is not properly formatted. The file system of each partition is now displayed in the Access button menu.
* The RAM editor now allows editing to be limited to a variable, user-defined range of memory. Also, opening a process with a huge amount of allocated memory is much more efficient now under Windows NT/2000/XP.
* A new license type ("specialist") has been introduced, targeted mainly at computer forensic and IT security specialists, giving access to an exclusive set of features found in the Tools menu.
* WinHex can now create a disk "catalog" of existing and deleted files and directories (specialist license only), with user-configurable information such as attributes, date&time stamps, size, number of first cluster, MD5, etc. Extremely useful to examine the contents of a disk. The resulting table can be imported by databases or MS Excel.
* Ability to gather all text from any file, disk, or memory range in a destination file (specialist license only). This kind of filter is useful to considerably reduce the amount of data to handle if you are looking for leads in the form of text, such as e-mail messages, documents, etc. The target file can be easily split. This function e.g. can also be applied to a file with collected slack space or free space, or to damaged files in a proprietary format that can no longer be opened by their native applications, like MS Word, to recover at least unformatted text.
* When opening a folder, you may now specify more than one file mask at a time, and concatenate them like *.exe;*.dll;*.drv.
* The Backup Manager will now list all .whx files found in the folder for backup files, regardless of whether they match its own naming convention (which has changed as well, BTW) or not.
* The Split File function has been improved.
* If the cursor is within a file allocation table of a drive, you will now find the name of the file represented by the current entry in the details panel.
* The small cluster list windows now have a context menu that allows you to copy the listed clusters off the drive into a new file.
* Motorola S5 records are supported.
* Many minor improvements.
Upgrading to WinHex 10.4 is free for all users who purchased WinHex 9.6 or newer (e.g. online after Nov 14, 2000). If you do not qualify any more, please find details on online upgrading here: http://www.winhex.com/winhex/upgrade.html. Note that it is also possible to upgrade from a private to a professional and to a specialist licence. Take advantage of the current introductory price of specialist licenses, valid until March 5, 2002, 11:59 pm (CET, +0100).
Purchasing the current version (or upgrading to it) entitles you to update to future versions at no cost for at least 15 months. Please place your order at http://www.winhex.com/winhex/order.html.
#41: WinHex 10.3 released
Feb 8, 2002
This mailing is to announce a major update, WinHex 10.3.
* WinHex now allows you to switch from the default Overwrite to the Insert mode by pressing the Ins key on the keyboard, as known from text editors. That way you will be able to conveniently insert and remove bytes in a file.
* The Data Interpreter and templates can now show and accept integer numbers in octal notation, in addition to hexadecimal and decimal (default).
* The new script command ForAllObjDo allows you to apply a block of script commands (until EndDo occurs) to all open files and disks. With this addition, the Routine feature to automate tasks becomes obsolete and may not be supported by future WinHex versions any more.
* The new script command ExecuteScript may be used to execute another script from within a running script, at the current execution point, e.g. depending on a conditional statement. Calls to other scripts may even be nested (recursion possible). This feature can help you structure your scripts more clearly.
* A new script and API command GetSize has been added, which returns the file's or disk's total size in bytes.
* Instead of a constant number of block repetitions and a constant array size, you may now use the keyword "unlimited" in templates, so WinHex will continue to create the specified variables till the end of file is encountered.
* WinHex can now copy hex values as Pascal/Delphi source code (in addition to C/C++ source code).
* Some minor improvements and bug fixes.
Upgrading to WinHex 10.3 continues to be free for all users who purchased WinHex 9.54 or newer (e.g. online after Sep 22, 2000). If you do not qualify any more, please find details on online upgrading here: http://www.winhex.com/winhex/upgrade.html . Note that it is also possible to upgrade from a private to a professional licence.
Purchasing the current version (or upgrading to it) entitles you to update to future versions at no cost for at least 15 months.
#40: WinHex 10.25 released
Jan 22, 2002
This mailing is to announce a minor update, WinHex 10.25.
* When creating a new file, WinHex now allows you to specify the desired size in either bytes, KB, MB, or GB, and allows floating-point numbers to be entered.
* When Synchronize & Compare is enabled (View menu), WinHex lets you skip to the next and the previous different byte value. Try clicking the two additional buttons, marked with "<" and ">", that appear in the edit window when using this function.
* The program help and manual now contain more examples of typical file headers that can be used by the File Retrieval command for file recovery (JPEG, GIF, MS Office, PDF, PS, ZIP, RAR, Wave, and more).
* Use Alt+Home and Alt+End in a template with the "multiple" statement to access the first and the last record, respectively.
* Previously, some FAT12 media were erroneously recognized as FAT16. This has been fixed.
#39: WinHex 10.2 released
Jan 1, 2002
This mailing is to announce a noteworthy update, WinHex
* WinHex now integrates another powerful automated data recovery mechanism. It is available for logical FAT12, FAT16, and FAT32 drives and accessible via the Access button menu, whenever a cluster with directory entries is visible on the screen. It replicates entire directories, existing or deleted, based on the assumption that files are not fragmented and have not been overwritten. For more information, please see http://www.winhex.com/winhex/forum/messages/174/175.html.
Besides, the Disk Tools menu has been extended:
* Gather Free Space traverses the currently open logical drive and gathers all unused clusters into a destination file you specify. Useful to examine data fragments of previously existing files that have not been deleted securely.
* Gather Slack Space does the same with slack space (=unused bytes at the tail of a cluster chain), for the same purpose.
* Initialize Slack Space overwrites slack space with zero bytes. This may be used in addition to "Initialize Free Space" to securely wipe confidential data on a drive or to minimize the size of compressed disk backups.
All three new commands work with FAT12, FAT16, FAT32, and NTFS.
* Some minor improvements.
If you wish to continue using the original WinHex 10.1 version (without a service release number in the About box), please patch your winhex.exe file at offset 0x3E411 with the hex value FF.
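What the Gather Free Space, Gather Slack Space and Initialize Slack Space commands announced in #39 operate on can be shown on a toy volume. The following Python code is an added example, not WinHex code: the 8-byte cluster size, the volume contents and the file table are constructed, and all function names are hypothetical.

```python
"""Toy model of slack space and free space (added illustration, not WinHex code)."""

CLUSTER_SIZE = 8  # bytes per cluster; unrealistically small, constructed for the demo


def write_file(volume, chain, data):
    """Store data along a cluster chain, overwriting only the bytes the file needs."""
    for i, cluster in enumerate(chain):
        chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        start = cluster * CLUSTER_SIZE
        volume[start:start + len(chunk)] = chunk


def read_file(volume, size, chain):
    """Return the logical file content: the chain's clusters truncated to size."""
    raw = b"".join(bytes(volume[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]) for c in chain)
    return raw[:size]


def slack_range(size, chain):
    """Absolute (start, end) offsets of the unused tail of the chain's last cluster."""
    used_in_last = size - (len(chain) - 1) * CLUSTER_SIZE
    if not chain or not 0 < used_in_last <= CLUSTER_SIZE:
        raise ValueError("file size does not match the length of its cluster chain")
    last = chain[-1] * CLUSTER_SIZE
    return last + used_in_last, last + CLUSTER_SIZE


def gather_slack(volume, files):
    """Concatenate the slack of every listed file (remnants of earlier data)."""
    out = bytearray()
    for name in sorted(files):
        start, end = slack_range(*files[name])
        out += volume[start:end]
    return bytes(out)


def gather_free_space(volume, files):
    """Concatenate all clusters that belong to no file's chain."""
    used = {c for _, chain in files.values() for c in chain}
    total = len(volume) // CLUSTER_SIZE
    return b"".join(bytes(volume[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                    for c in range(total) if c not in used)


def initialize_slack(volume, files):
    """Overwrite every file's slack with zero bytes; return the number of bytes wiped."""
    wiped = 0
    for size, chain in files.values():
        start, end = slack_range(size, chain)
        volume[start:end] = bytes(end - start)
        wiped += end - start
    return wiped


def build_volume():
    """Constructed 4-cluster volume that still holds old data in every cluster."""
    volume = bytearray(b"OLDDATA1OLDDATA2OLDDATA3OLDDATA4")
    # Hypothetical file table: name -> (logical size in bytes, cluster chain).
    files = {"a.txt": (11, [0, 2]), "b.txt": (8, [1])}
    write_file(volume, files["a.txt"][1], b"hello world")  # 3 bytes used in cluster 2
    write_file(volume, files["b.txt"][1], b"12345678")     # fills cluster 1 exactly
    return volume, files


if __name__ == "__main__":
    vol, table = build_volume()
    print("slack before:", gather_slack(vol, table))
    print("free space  :", gather_free_space(vol, table))
    print("bytes wiped :", initialize_slack(vol, table))
    print("slack after :", gather_slack(vol, table))
```

The file contents read back unchanged after the wipe, because only bytes beyond each file's logical size are overwritten.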