WinHex 17.8 SR-6

• Option to apply logical simultaneous searches to various metadata of files in addition to the file contents. More precisely, they can be applied to the cells of any selected directory browser column such as Name, Author, Sender, Recipients or Metadata. That can spare you from pasting your keywords in the filter dialogs of various directory browser columns. That methodology is also more thorough because all the text addressed by this new feature is searchable in UTF-16, whereas elsewhere the same data may be fragmented (e.g. filenames in particular in FAT), specially encoded (e.g. sender and recipients as quoted printable in e-mails), compressed, or stored in unexpected code pages. It is also convenient because any hits will be presented in the same fashion and listed like ordinary search hits in file contents, just specially marked in the search hit description column with the name of the column that the text that contains the search hits actually belongs to and highlighted in a different color. You can also filter for search hits in metadata.
• When selecting search hits in metadata, they are automatically searched for and highlighted in Details mode, just as ordinary search hits in file contents are automatically searched for and highlighted in Preview mode.
• Note that the simultaneous search in metadata does not search in additional cell text that is displayed in a different color, such as alternative filenames and file counts in the Name column.
• Option to sort search hits by their data and context instead of just by the search terms to which they belong. Helpful for keyword searches (not technical, e.g. hex value, searches). Can be enabled in the dialog window Options | Directory Browser | [x] Advanced sorting (slower) | ... and is indeed slower since the data and context of all search hits to sort have to be read and converted to a comparable code page.
• Sorting by the data in search hits helps for GREP searches. It makes a difference only for GREP expressions that match variable data as for constant search terms the search terms and the data in their corresponding search hits are identical. For example, after searching for e-mail addresses with the expression [a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}, sorting by the data allows you to quickly identify and visually skip groups of identical e-mail addresses or see similar e-mail addresses (starting with the same characters) next to each other.
• Continuing sorting by the text that follows the actual search hit if the search hit data is the same will show identical or similar text passages next to each other and allow you to more quickly review the search hit list.
• You can specify how many characters of data and context to take into account for sorting. The more characters, the more memory is needed for sorting, which can make a difference when listing a huge number of search hits.
• Ability to filter search hits by the textual context around them (up to ~1000 bytes each left and right) using a user-specified keyword.
• The maximum amount of context around search hits when exporting them in HTML or TSV format is now 2x ~1000 bytes as well (500 before).
• User search hits are now marked with an icon representing users. Notable search hits and user search hits can now be filtered using the Search hits column filter.

Usability

• A new multi-user support option synchronizes certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. Can have some performance benefits if disabled. Disabling this synchronization is recommendable only for cases that are definitely only processed by 1 user at a time. This is a substitute for one of the effects of the now removed option "Extended multi-user coordination" from previous versions.
• Since v17.5, X-Ways Forensics recognizes users by their SIDs and distinguishes between them (and their findings). This is now optional in newly created cases, can be disabled in the multi-user support options dialog when creating a new case. Useful if you know that only you will process that case and if you wish to process it on different computers where you have Windows accounts with different SIDs, so that you will always be treated as the same user. Also useful if multiple users are going to process the same case at different times and wish to share all their results, as in X-Ways Forensics before v17.5.
• Option to limit the import of another user's search hits to search hits that are marked as notable or to that user's manually defined search hits (so-called user search hits).
• Option to take away the search hits from the other user when importing them. Useful if the other user is going to resume his work later and will want to import *your* search hits back when he or she is taking over again, to avoid duplications of search hits, because your search hits include his or her hits after you have imported them.
• Ability to expand or collapse the entire file type tree in the dialog window for the file header signature search and file recovery by type. Useful because when expanded you can just type the first few characters of the file type description to automatically jump to the first matching item in the tree.
• Ability to conveniently load keywords from a text file into the Name filter and save them directly from the dialog window.
• Ability to omit child objects and/or excluded files when running an X-Tension on selected files.

File System Support

• New directory browser columns named CreatedІ, ModifiedІ, and Record changedІ introduced, showing alternative creation, last modification and last FILE record/Inode change timestamps. Specialist license or higher. For NTFS, they are populated in newly taken volume snapshots with timestamps from the 0x30 attribute and represent previously valid timestamps from when a file was last renamed or moved, or possibly before some backdating operation occurred. Backdating operations are often applied by setup programs and also Windows itself (the infamous Creation timestamp tunneling effect, http://support.microsoft.com/kb/172190), and of course potentially by ordinary application programs as well as by users for various legitimate or less noble purposes. Note that these columns are populated only if these previously valid timestamps are actually different from their current counterparts, and additionally ModifiedІ and Record changedІ only if different from CreatedІ, to avoid cluttering the screen unnecessarily. That means any timestamp that you see there actually contains additional information and is not redundant.
• CreatedІ is also populated for HFS+ file systems, with the relatively new "Added date" timestamp from Mac OS X Lion and later as well as iOS, where available and if different from the regular Created date. That timestamp specifies when a file was added to the particular directory in which it is contained, even if originally created earlier. "Added date" timestamps in HFS+ are also output as events.
• All І timestamps shown in the directory browser are now also preserved in evidence file containers.
• NTFS last access timestamps are now displayed in gray if identical to the creation timestamp, as that on most systems likely means that these timestamps are simply not maintained and thus not very significant.
• Volume shadow copy exploitation revised.
• Sparse files are now represented with a tilde (~) instead of the word "sparse" in the Attr. column. It is now possible to set the sparse attribute to any existing file on your own drive or remove that attribute via the File | Properties dialog window, as always by pressing the Enter key while the edit box in which you made changes has the input focus. Please note that setting or removing the attribute does not necessarily change the allocation status of already assigned clusters, but will definitely have an effect on newly assigned clusters when you expand the file, by setting a larger file size in the same dialog window.

File Type Support

• Support for a relatively new Windows registry format specialty found for example in Windows 7 AppCompatCache keys.
• Support for the Windows 8 successor of AppCompatCache, i.e. the Amcache.hve hive, using a dedicated registry report definition file named "Reg Report Amcache.txt", which allows to produce a report and extract related special events.
• File type verification updated.
• Support for nested e-mails when embedding attachments in parent .eml file.
• More complete artificial headers for sent e-mails from Exchange databases, which allow to properly reference attachments in the .eml representation.
• Support for another thumbs.db format variant.

C4All
The popular C4All program, used by law enforcement and others worldwide to categorize pictures and videos, is now available as an X-Tension, from the C4All forum and here, for free. For v17.7 SR-5 and later. About 6 times faster in X-Ways Forensics than in competing software! Thanks to Steve Frawley, D. F., and Trevor F. for their great work. The downloadable guides describe how to best use the X-Tension with the strategy hash sets, but your own hash sets can be used as well.

Benefits of the X-Tension, showcasing the advantages of X-Tensions in comparison to scripts in other forensic software:

• Fewer steps to follow than original C4All process.
• Speed, speed, speed.
• Even faster if run locally and saved locally, up to 30 GB/min speeds on SSD drives observed.
• Crash protection, using X-Ways Forensics' ability to resume if there is a crash during preparation of data.
• If the X-Tension is interrupted, there is the option to resume, start new or if needed just make new XML file.
• Ability to filter out irrelevant files and false positive carved files before C4All extraction.
• Hash sets are connected to X-Ways and not SQL server (this allows for known irrelevant files to be excluded from extraction).
• Hash sets are transferable by simply copying the folder and pointing X-Ways Forensics to storage location, no need to wait all day for the database to be created.
• Ability to use your own hash sets, up to ~65,000.
• Better resulting folder structure, especially when run against many evidence objects in one case.
• Results can be extracted from C4All in HashKeeper format, to be easily brought back in to X-Ways Forensics case, no need to run any bookmarking script.
• Thumbnails are extracted from files that include thumbnails or are created by X-Ways Forensics itself, and if thumbnails exist in a file it is not used twice, reducing duplicate files.
• When processing, all functions of X-Ways Forensics are available during X-Tension run phase.
• Able to use X-Ways Forensics' reporting features for court and presentation.
• Video stills extracted from within X-Ways Forensics.

VirusTotal X-Tension
This new X-Tension allows an examiner to check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the messages window. Note that this does not submit the file to VirusTotal, it only checks to see if an existing report exists for a given file's hash value and retrieves the results. All checks are performed via SSL. Developed and tested with X-Ways Forensics 17.7, but should work with any version past v16.9. Thanks a lot to Chad Gough for this effort, based on his own C# adaption of the X-Tension API.

Miscellaneous

• Ability to export the category statistics of listed files via the Category column's filter popup menu if the Category filter is not active, as tab-delimited text.
• The folder for templates, X-Tensions and scripts may now be a relative path. Previously only "." was supported.
• In previously taken volume snapshots of HFS+ file systems, the contents of files with a hard-link count of 1 was not accessible if such files had an associated iNode file. That was fixed. Such files that unexpectedly have an associated iNode file are now marked with a ° in the Link count column.
• That the columns "Term count" and "Search terms" were populated only after the search hit list for an evidence object has been displayed once was fixed.
• Many minor improvements.
• Program help and user manual updated for v17.8.