X-Ways WinHex v13.5 SR-3 serial key or number
WinHex & X-Ways Forensics Newsletter Archive
Dec 13, 2014
This mailing is to announce the release of a notable update with important improvements, v18.0.
WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)
Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request.
Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.
Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.
Upcoming Training
Washington DC, Feb 24-Mar 4, 2015
Hong Kong, Mar 2-5, 2015
London, England, Mar 24-Apr 1, 2015
Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-31, 2015
Ottawa, ON, Jun 1-5, 2015
Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.
What's new in v18.0?
(please note that most changes affect X-Ways Forensics only)
Conventional Hash Databases
It is now possible to maintain two separate hash databases at the same time, databases based on the same hash type or different hash types. Useful for example if you receive hash sets from different sources with different hash types (e.g. some with MD5 and some with SHA-1 values) and wish to use them simultaneously.
The second hash database may be stored on a different drive. Useful if for example the primary hash database for general use is shared with colleagues on a network drive and the user wishes to create or import new hash sets, either for temporary use only or while the primary hash database is locked by other users, into a locally stored second database.
When creating a hash set yourself, you can choose to which hash database it should be added. That can be file hash database #1 or file hash database #2 or the block hash database.
The ability to import an entire folder of hash sets has been dropped. You can still import multiple selected hash sets in the same directory at once.
Ability to compute hash values of two different hash types at the same time when refining the volume snapshot, for general purposes or to match them against two hash databases with different hash types. If matching is selected, all hash values will be matched against any of the two hash databases whose hash type fits. That means even if the primary hash type in the volume snapshot is MD5 and the secondary is SHA-1, and hash database #1 is based on SHA-1 and #2 based on MD5, X-Ways Forensics will match the hash values accordingly. The hash types in the volume snapshot and in the hash databases do not have to be in the same order.
Which hash value is displayed in the Hash column can be changed in the Directory Browser Options dialog. Either the primary hash value or the secondary hash value or both at the same time (if the box is half checked). The Hash column filter is applied to the hash type(s) that is/are currently displayed. Which hash type(s) is/are displayed in the Hash column can be seen in the column header.
The Hash Set column shows known matches for both hash databases simultaneously. The filter can be used to filter for selected hash sets of one of the databases at a time. The database to choose hash sets from can be selected in the filter dialog.
The Hash Category column shows only one category. If you assign the hash value of a certain file in one hash database to one category and the hash value of the same file in the other hash database to the other category, you will be warned once during matching and given exact information about which hash value in which hash sets in which hash databases are conflicting. The categorization as "notable" will prevail when in doubt.
Ability to import hash sets in the current JSON/ODATA format layout as used by Project Vic and found in the Hubstream Inbox.
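The matching rules described above (two hash types computed in one pass, each matched against whichever database has the fitting hash type, and "notable" prevailing on a category conflict) can be sketched as follows. This is an added illustration, not X-Ways code; the class and function names, the "irrelevant" category name and the sample data are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

NOTABLE = "notable"        # category name used in the newsletter
IRRELEVANT = "irrelevant"  # assumed name for the other category


@dataclass
class HashDatabase:
    """One hash database: a single hash type, many named hash sets."""
    name: str
    hash_type: str  # hashlib algorithm name, e.g. "md5" or "sha1"
    sets: dict = field(default_factory=dict)  # set name -> (category, digests)

    def add_set(self, set_name, category, digests):
        self.sets[set_name] = (category, {d.lower() for d in digests})

    def lookup(self, digest):
        """Return (set name, category) for every hash set containing digest."""
        return [(n, cat) for n, (cat, ds) in self.sets.items() if digest in ds]


def dual_hash(chunks, primary, secondary):
    """Compute two digests of different types in a single pass over the data."""
    hashers = {t: hashlib.new(t) for t in (primary, secondary)}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {t: h.hexdigest() for t, h in hashers.items()}


def match(digests, databases):
    """Match each digest against every database whose hash type fits.

    The order of hash types in `digests` and of the databases is irrelevant.
    On conflicting categories, "notable" prevails and the conflict is reported.
    """
    hits = []
    for db in databases:
        digest = digests.get(db.hash_type)
        if digest is None:
            continue  # this database's hash type was not computed
        hits += [(db.name, n, cat) for n, cat in db.lookup(digest)]
    categories = {cat for _, _, cat in hits}
    if NOTABLE in categories:
        category = NOTABLE
    else:
        category = next(iter(categories), None)
    return {"hash_sets": [(d, n) for d, n, _ in hits],
            "category": category,
            "conflict": len(categories) > 1}


def demo():
    # Constructed sample data; file contents and hash set names are made up.
    known = b"constructed sample file content"
    db1 = HashDatabase("hash database #1", "sha1")
    db1.add_set("vendor files", IRRELEVANT, [hashlib.sha1(known).hexdigest()])
    db2 = HashDatabase("hash database #2", "md5")
    db2.add_set("case 17 documents", NOTABLE, [hashlib.md5(known).hexdigest()])
    # Snapshot order (MD5 primary, SHA-1 secondary) is opposite to the databases.
    hit = match(dual_hash([known[:10], known[10:]], "md5", "sha1"), [db1, db2])
    miss = match(dual_hash([b"unrelated"], "md5", "sha1"), [db1, db2])
    return hit, miss


if __name__ == "__main__":
    for result in demo():
        print(result)
```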
PhotoDNA
X-Ways Forensics can now employ the PhotoDNA hashing algorithm for photos, until further notice. Because of the robustness of the hash algorithm and its specialization in photos, it can usually recognize known photos automatically even if they have been subjected to lossy compression repeatedly (e.g. JPEG), stored in a different file format, resized, partially blurred/pixelated, color-adjusted or contrast-adjusted etc. Unlike hash values computed by conventional general purpose algorithms, PhotoDNA hashes are resistant to various such image alterations. Optionally, known photos can be recognized even if they were mirrored (flipped horizontally).
For licensing reasons the PhotoDNA functionality is made available as a separate download, and provided by X-Ways itself only to law enforcement agencies, which may use it to prevent the spread of child sexual abuse content and for investigations targeted to stop its distribution and possession.
For details about PhotoDNA please see this high level technical explanation and this press information.
If the PhotoDNA functionality is present, a 4th (!) database, with PhotoDNA hash values of photos can be created and maintained within X-Ways Forensics, and photos may be matched against that hash database in X-Ways Forensics and X-Ways Investigator to identify known incriminating content.
Law enforcement agencies may want to create and share their own collections of such hash values, or import an extensive existing collection from Project Vic. You can also import PhotoDNA hash databases of other X-Ways users, you may delete hash categories that you don't need any more, and you may merge or rename categories in your database. When importing someone else's hash database, their categories of the same name will be merged with yours. X-Ways Forensics will attempt to deduplicate hash values of similar photos when adding hash values to the database.
Hash values can be added to the PhotoDNA hash database for pictures in the volume snapshot of an evidence object in the same way as conventional hash sets are added to a conventional hash database, using the Create Hash Set command in the directory browser context menu. The database is one of now four databases that can be managed with the Tools | Hash Database command. The PhotoDNA hash database is stored in a directory next to hash database #1.
Matching is part of the "picture analysis and processing" operation in Specialist | Refine Volume Snapshot. If you select more strict matching (allow less variation in a picture), the process can be noticeably faster in huge databases. Any resulting matches can be seen and filtered in the now combined SC%/PDNA column. Please note that photos that are recognized via PhotoDNA already are not additionally checked for the amount of skin tones.
Performance Enhancements
File header signature searches, block-wise hash matching, FILE record searches, searches for lost partitions, and physical simultaneous searches are now sparse-aware operations when dealing with compressed and sparse .e01 evidence files. That means that areas that were never written and zeroed out on the original hard disk, areas that had been wiped on the original hard disk, or consciously omitted areas in cleansed images are skipped and require almost no time, because their data neither has to be read nor decompressed nor further processed (searched/hashed/matched against the block hash database).
Sparse-awareness is guaranteed to be active for .e01 evidence files that were created by X-Ways Forensics and X-Ways Imager 16.1 and later (also possibly for images created by 3rd party software, depending on the settings and the internal layout). Operations are not sparse-aware on images of Windows dynamic disks, images of LVM2 disks, and on reconstructed RAIDs based on .e01 evidence files.
Logical searches in files stored in an NTFS file system are also sparse-aware at the .e01 evidence file level, and generally logical searches in virtual "Free space" files.
Logical searches in NTFS, Ext*, XFS and UFS file systems are sparse-aware at the file system level. That means no time is wasted on large sparse areas within sparse files. Those areas are ignored, regardless of whether the evidence object is an .e01 evidence file, raw image, RAID, or actual disk.
Skin tone computation slightly accelerated for high resolution photos.
File Type Support
Improved stability and quality of e-mail extraction from Exchange databases.
Supports a new PST/OST data storage method as used in Outlook 2013.
Support for e-mail extraction from MBOX e-mail archives larger than 4 GB.
Preview of Skype chat sync files (named "chatsync" in the Type column). Shows the complete chat and the IP addresses of the participants. Events are also extracted.
Support for newer Photoshop thumbnail cache format.
Improved Windows account administration section in the registry report.
Ability to extract alternative names and timestamps from Linux PNG thumbnails as known from Ubuntu and Kubuntu distributions, desktop manager MATE and GNOME ThumbnailFactory during metadata extraction. The name of the original file is shown in square brackets in the Name column and the recorded timestamp of the original file is shown as a "Content created" timestamp. The complete path of the original file can be seen in the Metadata column.
More thorough extraction of embedded files in PE executables (not done by default, only if addressed via the file mask).
Exif metadata extraction revised.
Some improvements for file type verification.
File Carving
Option to show results of the file header signature search as child objects of existing files, not in the directory for carved files, if they were found within these other files.
A new "Special interest" entry allows you to either carve Google search URLs with "ei" parameters as files or (better) output events with the contained timestamps (if "Provide by-catch timestamps from various sources as events" is checked).
Better avoids false positives when carving files with support for NTFS compression enabled.
File carving for Outlook for Mac 2011 improved.
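How a timestamp can be recovered from carved Google search URLs with "ei" parameters, shown as an added example that is not X-Ways code. It assumes, beyond what the newsletter states, that the "ei" value is unpadded URL-safe base64 whose first four bytes are a little-endian Unix timestamp; the function names, the plausibility window and the sample buffer are constructed for the illustration.

```python
import base64
import binascii
import re
import struct
from datetime import datetime, timezone

# Assumption (not stated in the newsletter): "ei" is URL-safe base64 without
# padding, and its first four bytes are a little-endian Unix timestamp.
EI_URL = re.compile(
    rb"https?://[A-Za-z0-9.-]*google\.[a-z.]+/"
    rb"[^\x00-\x20\"'<>\x7f-\xff]*?[?&#]ei=([A-Za-z0-9_-]{6,})")

# Plausibility window used to discard random data that merely looks like a URL.
EARLIEST = datetime(2005, 1, 1, tzinfo=timezone.utc)
LATEST = datetime(2035, 1, 1, tzinfo=timezone.utc)


def decode_ei(ei):
    """Return the UTC timestamp embedded in an ei value, or None."""
    try:
        raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    except (binascii.Error, ValueError):
        return None  # not valid base64
    if len(raw) < 4:
        return None
    seconds = struct.unpack("<I", raw[:4])[0]
    ts = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return ts if EARLIEST <= ts <= LATEST else None


def carve_ei_events(buffer):
    """Scan raw bytes (e.g. unallocated space) for Google URLs with ei values.

    Returns a list of (offset, timestamp, url up to the ei value) events.
    """
    events = []
    for m in EI_URL.finditer(buffer):
        ts = decode_ei(m.group(1).decode("ascii"))
        if ts is not None:
            events.append((m.start(), ts, m.group(0).decode("ascii")))
    return events


def build_sample():
    """Constructed input: binary noise around one URL with a known timestamp."""
    payload = struct.pack("<I", 1418428800) + b"\x9a\x05\x88\x27"
    ei = base64.urlsafe_b64encode(payload).rstrip(b"=")
    url = b"https://www.google.com/search?q=hex+editor&ei=" + ei + b"&ved=0"
    # Second URL decodes to 1970 and is rejected by the plausibility window.
    bogus = b"http://www.google.de/url?sa=t&ei=AAAAAAAA"
    return b"\x00\x13\xff" + url + b"\x00\x00junk " + bogus + b"\x00"


if __name__ == "__main__":
    for offset, ts, url in carve_ei_events(build_sample()):
        print(offset, ts.isoformat(), url)
```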
Memory Editor
Ability to list loaded modules above the 4 GB barrier in 64-bit processes with Tools | Open Memory. Ability to read and edit memory in such address ranges. Unicode support for process and module names and paths in the memory editor. Page boundaries are represented by horizontal lines. Boundaries that represent gaps between contiguous allocated regions are represented by darker horizontal lines. The Info Pane now shows more information such as the maximum address represented and the number of allocation gaps (=number of contiguous allocated page ranges -1) as well as protection status and type of the currently displayed page. Several other minor improvements. Please note that you need to run the 64-bit edition to properly deal with 64-bit processes.
Usability
The ".." item at the top of the directory browser that appears when navigating within a volume from one directory to another is now optional. If displayed, it is now frozen at the top of the directory browser and does not scroll along with all the other items. And it now shows all the information on the directory that it represents (the one that you would navigate to if you double-click it), just like with all the other items in the directory browser.
And a "." item is now also displayed optionally, representing the currently explored directory. Useful if for example you wish to see certain metadata (e.g. timestamps) of the parent object at the same time as metadata of its child objects. And if the . or .. item is a file and you select it, then you can now see that particular file in File, Preview or Details mode. And it is represented in Gallery mode.
When clicking any component of the current path in the caption line of the directory browser, this will now navigate directly to that directory (or file with child object) whose name you clicked.
Ability to toggle column visibility purely with the mouse, by clicking the column labels in Options | Directory Browser.
Modified unexpected behavior of the option "Full path sorting for parent objects".
The "Keep track of viewed files" option has been moved to Options | Viewer Programs.
Separate "Append type as extension if newly identified" checkbox for "Use associated program for viewing". Makes it easier to get Windows to run the right program for misnamed files, files without extension etc.
Option to specify a user-defined timeout in milliseconds for loading pictures with the internal graphics viewing library, in Options | Viewer Programs.
Option to automatically create report table associations for files that have been added to an evidence file container.
When creating two copies of an image at the same time, ability to automatically verify both of them.
Chinese translation of the user interface updated.
Miscellaneous
When printing long paths on the cover page or at the top of the first page, such paths are now broken into multiple lines even if they do not contain any spaces.
Internal memory allocation tracking can now be enabled in Options | Security for debugging purposes.
Fixed inability to evaluate equations in templates depending on notation settings.
Containers of the old format (from more than 3 years ago) can no longer be created or further filled, but can still be used in cases as evidence objects.
New X-Tension function XWF_GetRasterImage. Provides a standardized true-color raster image representation for any picture file type that is supported internally in X-Ways Forensics (e.g. JPEG, GIF, PNG, ...), with 24 bits per pixel, with some powerful options.
Support for a variant of FAT12 and FAT16 file systems with unusual directory entries.
Many minor improvements.
Program help and user manual updated for v18.0.
Viewer Component
v8.5 of the viewer component was made available on July 27, 2014 to licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance.
Support has been added for AutoCAD 2013.
The LibreOffice 4.0 suite (Impress, Draw, Calc, and Writer) is now supported.
64-bit zip compression is now supported in the zip input filter.
Input filter support for HTML5 and CSS2.1 tags and attributes related to email messages has been added.
Microsoft Visio 2010 is now supported.
From Microsoft Office 2013, Access, OneNote, and Visio are now supported.
From the Apple iWork suite, Pages (iPad) PDF Preview & Text, Numbers (iPad) PDF Preview & Text, and Keynote (iPad) PDF Preview & Text are supported.
From the WordPerfect X6 suite, Word Processor, Quattro Pro, and Presentations are supported.
Windows 8.1 is now an officially supported platform.
HTML tables, which were usually too narrow in previous versions, are now sometimes rather wide, and they always seem to trigger the display of a horizontal scrollbar, even when no scrolling capability is needed because the window is wide enough. Also, some inconsistent spacing and line breaks inside HTML table cells can be seen.
As always, please remember that different versions of the viewer component must reside in different directories. You must not copy the files of a new version to an existing directory with a previous version because that does not necessarily overwrite all files and may cause error messages.
The compressed size of the viewer component has grown by 34%, owing largely to a new file named oit_font_metrics.db, an SQLite font database whose exact purpose is yet to be determined and that at first sight seems to be optional.
As a user in Switzerland found out, v8.5 of the viewer component was unable to decode the text in PDF files created by Abbyy Fine Reader 11. Ordinary PDF files were processed normally. That was apparently fixed with v8.5.1, available since Nov 26, 2014. Other known improvements of v8.5.1 are that MHT files are no longer displayed with an e-mail header and allegedly support for Ichicatro 2014, though it is unknown what "Ichicatro 2014" is.
Licensing
Temporary licenses are now available on a daily basis as well. Those come in handy if you need to run the software on more computers at the same time than usual, such as for training purposes or if you wish to parallelize processing (keyword searches, volume snapshot refinements) with X-Ways Forensics using multiple instances on multiple computers of an unusually large or urgent case. Useful and cost-effective also when conducting triage on a large number of computers on site, i.e. where you have to quickly verify using special methods (keyword search, filename filter, skin tone computation on 10% of all pictures, ...) whether or not there is potential evidence on a computer, and depending on the result decide to acquire all its data on site or take the hardware away or just leave the computer alone. 1 day usage refers to a whole day (24 hours) in your time zone. Very cost-effective if you need many additional licenses for just a short time or very rarely.
Changes of service releases of v17.9:
SR-1: Fixed inability to filter by hash sets when the hash database was in use for matching in another instance.
SR-1: Fixed an exception error that could occur in the original 17.9 version when opening dependent viewer windows from within the viewer component or closing them.
SR-1: Fixed metadata representation of processes in Details mode in the 64-bit edition.
SR-1: Fixed inability to open dynamic volumes in certain situations.
SR-1: Fixed some minor memory leaks.
SR-2: Fixed HTML export highlighting for search hits in certain code pages.
SR-2: Files referenced in volume shadow copies are now typically shown again in their original directories, like in earlier versions.
SR-2: Fix and improvement for TAR carving.
SR-2: Some minor improvements and fixes.
SR-3: Fixed an exception error that could occur in SR-2 when opening certain volumes.
SR-4: Fixed an exception error that could occur when opening partitions of physical disks that were added to the case without parent disk.
SR-4: Prevented an error message that in certain situations incorrectly stated that the volume snapshot was changed from outside of the current session.
SR-4: No longer treats previously existing hash sets in the hash database as existing in certain situations.
SR-5: Fixed incorrect representation of metadata of processes in memory dumps in the 64-bit edition.
SR-5: Fixed incomplete NEAR combination of search hits in certain situations.
SR-6: Fixed an error in certain volume snapshots taken by the 64-bit edition of SR-5.
SR-7: Fixed misrepresentation of partition table entries in the 64-bit edition of SR-6 when deleted partitions were found.
SR-8: Fixed corruption of hash set names in certain situations in the 64-bit edition of recent service releases of v17.9 and v18.0 Preview. Garbled hash set names can be manually rectified with the Rename function.
SR-9: Fixed an instability problem that could occur when processing certain MBOX e-mail archives.
SR-9: Fixed swapped timestamps of files found in VSC.
SR-9: Prevents a possible exception error that might occur when parsing certain corrupt LVM2 configurations.
SR-9: Prevents a rare exception error that could occur when parsing corrupt .evtx event log files.
SR-9: Fixed a technical problem for a few dongle users.
SR-9: Registry keys in the registry viewer should now always be sorted alphabetically.
SR-9: Fixed an error in evidence file container creation in v17.9. (since Dec 4, 2014)
SR-10: When filling evidence file containers of the old format with v17.8 and v17.9 (a usually hidden option), parent directories were included more than once. That was fixed.
Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques)
Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.
There are still occasionally a few users who ask about a replacement for their lost dongle although they did not insure the dongle and although we say everywhere that we do not replace lost or stolen dongles if not insured against loss or theft.
Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.
Happy holidays / Merry Christmas to all readers and users!
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany
X-Ways Forensics: Integrated Computer Forensics Software
X-Ways Forensics 20.0
Downloadable only for customers (latest download instructions here)
X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. Runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016*, 32 Bit/64 Bit, standard/PE/FE. (Windows FE is described here, here and here.) Compared to its competitors, X-Ways Forensics is more efficient to use after a while, by far not as resource-hungry, often runs much faster, finds deleted files and search hits that the competitors will miss, offers many features that the others lack, as a German product is potentially more trustworthy, comes at a fraction of the cost, does not have any ridiculous hardware requirements, does not depend on setting up a complex database, etc.! X-Ways Forensics is fully portable and runs off a USB stick on any given Windows system without installation if you want. Downloads and installs within seconds (just a few MB in size, not GB). X-Ways Forensics is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator.
Training • Certification • User manual • Quick Start Guide Videos • Videos about settings and setup • Ted Smith's Videos • Service release announcements • Book • Older PDF Quick Start Guide • User interface • Administration tips
Evaluation version not publicly available, only on request to law enforcement, government agencies and certain corporations. Please provide us with your full official address and contact details. Eval. version of WinHex.
WinHex: Computer Forensics & Data Recovery Software,
Hex Editor & Disk Editor
Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016, 32 Bit/64 Bit*
Aug 18, 2020
WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. Features depend on the license type (license type comparison), among them:
Having all the bits and bytes in a computer at your fingertips has become a reality. Try before you buy. Computer forensics edition of WinHex with even more features: X-Ways Forensics.
Registered professional users include:
Microsoft Corp., Hewlett Packard, Deloitte & Touche, KPMG Forensic, Ernst & Young,
Toshiba Europe, Ericsson, National Semiconductor, Siemens AG, Lockheed Martin, BAE Systems,
U.S. federal law enforcement agencies, ... (more)
What's new? Please check out the newsletter archive or support forum.
User interface and program help fully available in English and German.
User interface also partially available in Chinese, Japanese, French, Spanish, Italian, Portuguese.
*Limitations under Windows Vista/2008 Server/7: Physical RAM cannot be opened. Unable to write sectors on the partitions that contain Windows and WinHex.
Earlier versions may be made available to licensed users on request.