X-Ways Forensics Newsletter Archive 2000
(You may sign up for the newsletter here.)
|#21: WinHex Online Survey
Dec 15, 2000
|I would like to ask you to participate in a new (anonymous)
online survey on WinHex. By doing so, you can significantly influence future development
of the software. Please feel free to skip as many questions as you like. You will be able
to see the results yourself.
Thanks in advance for your consideration!
|#20: WinHex 9.62 released
Dec 11, 2000
|This mailing is to announce a minor update, WinHex 9.62.
* The "Modify data" command has been extended. It is now able to perform logical left and right shift operations on an entire file or on the selected block. Bits are not lost when shifted over any boundaries (byte, word, dword). This functionality is needed for bitstream editing. By shifting bits, you can simulate inserting or removing single bits into or from a file.
* In addition to separating and unifying odd and even bytes, WinHex can now deal with words (16-bit elements) in the same way. See the File Manager menu.
* Under Windows NT/2000, searching and creating backups is much faster now for logical drives that the operating system resides on.
* Previously, incorrect checksums have been written to Intel Hex files of a certain size. (The data itself was correct.) This error has been fixed.
* Some minor improvements.
|#19: Finally - WinHex 9.6 released
Nov 13, 2000
|This mailing is to announce THE major update of this year,
What's new? (German: http://www.winhex.com/winhex/winhex96-d.html)
The GUI (graphical user interface) has been completely revised:
* The GUI is now available in Italian! Translation by Luca Cantarini.
* Edit windows now support a normal, non-maximized state. In this state, they can be freely resized, cascaded, and tiled!
* The gray details panel can now be switched on or off regardless of whether the main window is maximized or not. It is now a separate window in case the main window is not maximized.
* The details panel is also resizable now. It can reside right or left to an edit window. Its display is finally completely flicker-free.
* There is an optional horizontal line of "tabs" at the top of the edit windows space, as known from dialog boxes in common Windows programs. A "tab" allows you to bring an edit window into the foreground with a single click only.
* The status bar is no longer part of an edit window, but of the main window.
* The number of bytes per line can now be specified directly in the General Options dialog.
* Edit windows optionally provide their own context menu (right-click menu).
* There is an About box, accessible from the help menu.
Apart from the GUI, the following have been updated:
* WinHex is now confirmed to be compatible with Windows Me.
Under Windows NT/2000, the functions disk cloning and sector restoring are much faster
|#18: WinHex 9.54 released
Sep 22, 2000
|I'm very sorry to announce that a bug fix, WinHex 9.54,
Previous versions of WinHex contained an error that under certain circumstances corrupted backups created with compression turned on. This has been fixed.
|#17: WinHex 9.6 scheduled for
Aug 25, 2000
|This mailing is to keep you informed of the upcoming
version WinHex 9.6. Some of you may have been wondering about the lack of news. Indeed,
WinHex 9.6 takes a bit longer than other updates. It is scheduled for September.
A list of the new features you may look forward to can be found here: http://www.winhex.com/winhex/winhex96.html
|#16: WinHex 9.53 released
Aug 1, 2000
|This mailing is to announce a minor update, WinHex 9.53.
* WinHex now accepts UNIX end-of-line characters in Motorola S
and Intel Hex files.
* An error was fixed that could prevent you from applying templates
to physical disks.
|#15: Announcement of a new tutorial on
July 18, 2000
|This mailing is to announce an addition to the WinHex
Paul Mullen (http://www.the-answer.com/pcguru/index.htm), known for his column in the UK's Computer Shopper, Britain's leading computer magazine, has contibuted a tutorial on how to create templates.
Read on for an excerpt:
WinHex has a powerful but often overlooked way of viewing many different data file formats, the template. A template describes the structure of each record in a binary data file, so enabling you to see and edit the actual values within each record. You can use a pre-defined template or very simply create your own each time you need to examine a data file.
To illustrate the use of templates, I will look at data in the popular "dbf", or "xbase", format, which originated with Ashton-Tate's dBase program and has since been adopted by many applications. I have provided a sample file called states.dbf containing information about the 50 states of the USA.
Description of the template feature: http://www.winhex.com/winhex/templates.html
The tutorial can be found here: http://www.winhex.com/winhex/templates/
|#14: WinHex 9.52 released
July 17, 2000
|This mailing is to announce a minor update, WinHex 9.52.
* Some errors were fixed. E.g. the cluster chain inspection previously failed on some FAT16 drives.
* WinHex is now shipped with another template, created by Paul Mullen (http://www.the-answer.com). This template allows to edit the boot sector of an NTFS partition. Remember, your own template creations are greatly appreciated. For details, please visit http://www.winhex.com/winhex/templates.html#User_Templates .
* In a template definition file, the keyword "multiple" may now be followed by an optional parameter that specifies the desired fixed overall size of the data structure. This enables browsing to neighboring records.
* When applied to a disk, the keyword "sector-aligned" ensures the template interpretation starts at the beginning of the current sector, regardless of the exact cursor position.
|#13: WinHex 9.5 released
July 7, 2000
|This mailing is to announce a major update, WinHex 9.5.
* The Disk Cloning functionality has been noticeably enhanced:
WinHex now optionally writes an extensive log file. This suppresses separate error messages when a defective sector on the source disk is encountered. Especially introduced for forensic application.
The sectors can now even be copied to a raw, headerless image file (and vice-versa). Combined with the silent "log file" mode, this is preferable to creating a backup in case of defective sectors that are to be dealt with gracefully.
Disk Cloning also provides a "complete disk" checkbox for your convenience.
Writing zero bytes when encountering defective source sectors is now optional. If disabled, corresponding destination sectors are left unchanged.
* WinHex can now list all clusters allocated to a file or directory on a FAT16/FAT32 drive. This useful new command is part of the Tools -> Disk Accessories menu.
* WinHex now supports conversion from and to 32-bit Intel Hex (instead of only 20-bit Intel Hex).
* The contents of the Position Manager can now be exported as HTML. This means you may further process the list using MS Excel 97 or later.
* Use Ctrl+Left/Right Arrow Key to switch between positions while the Position Manager window is minimized.
* You may now use Ctrl+Shift+S and Ctrl+Shift+E to define the beginning and the end of the block.
* As of v9.5, WinHex can optionally store its configuration in the Windows registry instead of in the winhex.cfg file. For details on how to achieve this, please visit http://www.winhex.com/winhex/setup.html .
* The offset column now provides room for decimal offsets up to 9.9 GB instead of 0.9 GB. For offsets above, WinHex still switches to hexadecimal offset presentation.
Program help and manual have been updated accordingly. In particular, a separate "Disk Cloning" topic has been added.
Thank you for your attention! See you on http://www.winhex.com. BTW, when visiting http://www.winhex.com or http://www.winhex.com/winhex/, your language is now detected automatically.
|#12: WinHex 9.45 released
June 10, 2000
|Hello and hola,
This mailing is to announce a language update, WinHex 9.45.
* WinHex now offers a complete Spanish user interface, program help, and user manual. Spanish has been selected because it is the third most spoken language in the world. Approximately 265 million people in the world speak Spanish as their first language.
(Note, however, that I personally have not been updated, so please keep e-mailing me in one of the other languages...)
* The data area of FAT-formatted drives now starts with cluster #2 instead of #1. Yes, this is the "official" numbering.
|#11: WinHex 9.41 released
May 27, 2000
|This mailing is to announce a minor update, WinHex 9.41.
* There are several enhancements in details.
* Cluster inspection previously aborted with an exception on a few FAT-formatted drives. This has been corrected.
* A Spanish version of the user interface is scheduled for June/July 2000.
|#10: RAM Cheat released
May 7, 2000
|This mailing is to announce the release of a brand-new
program called RAM Cheat.
Download URL: http://www.winhex.com/ramcheat.zip (v0.6 Beta)
RAM Cheat is an "offspring" of WinHex and focusses on a specific kind of RAM manipulation that is particularly useful for, but not limited to, cheating in Windows-based games.
RAM Cheat finds memory addresses where a program maintains certain variables, in the context of games such as the number of lives, ammunition, funds, energy, etc. This is achieved by multiple examination of the program's virtual memory space. You only have to specify the current value of the variable and/or you let RAM Cheat know what happens to the variable
as time passes, e. g. whether its value is increasing or decreasing.
RAM Cheat then allows you to inject a new value of your choice directly into the running process. It can even update this value repeatedly, e.g. in 1/100 second intervals.
RAM Cheat is based on state-of-the-art WinHex technology where reliable access to virtual memory as well as fast search and comparison algorithms are concerned. It is currently available as a beta version only. Shortly, WinHex and RAM Cheat will be even interoperable when it comes to sharing found memory addresses using the POS file format.
For details visit http://www.winhex.com/ramcheat.html. Do you wish to be kept informed of updates to RAM Cheat? Further announcements on RAM Cheat will be distributed via a separate mailing list. To join, please visit http://ramcheat.listbot.com or send blank e-mail to firstname.lastname@example.org.
|#9: WinHex 9.4 released
May 1, 2000
|This mailing is to announce a minor update, WinHex 9.4.
* There is now a menu command for copying hex values as C/C++-formatted source code. Edit | Copy | C Source
* How to follow 32-bit pointers: The four hex values at the current position are to be copied into the clipboard in reverse order and pasted into the Go To Offset dialog. To copy the hex values, you may now right-click the third status bar field and choose the appropriate context menu command.
* Some other minor enhancements
|#8: WinHex 9.38 released
Apr 15, 2000
|This mailing is to announce a noteworthy update, WinHex
* The search and replace maximum string lengths have been extended to 50 characters. The old limit of 30 characters still applies to routines.
* The search dialog has another option that allows to limit the search to certain offsets. For instance, if you search for an occurrence of a string at the beginning of a hard disk sector, you may specify the condition "offset mod 512 = 0" to narrow down the number of hits. Also, when only looking for DWORD-aligned data, this option is for you (offset mod 4 = 0).
* The command "Copy Into New File" no longer needs the clipboard as a buffer. That means it supports data of virtually unlimited size. This is especially useful when copying a large number of disk sectors into a file.
* In previous versions, an error prevented the Clone Disk command from copying sectors from one physical disk to another under certain conditions. This has been corrected.
|#7: WinHex 9.31 released
Apr 4, 2000
|This mailing is to announce a minor update, WinHex 9.31.
* For physical disks, the CHS (cylinder, head, sector) information in the right-hand column now starts sector numbering with 1 instead of 0, for more compliance with other software. The absolute sector numbering in the status bar is still based on zero, in accordance with LBA block adressing.
* When converting Intel-Hex or Motorola-S files to binary, WinHex will ask you for the correct destination file size and fills the remainder of the file with 0xFF values.
|#6: WinHex 9.3 released
Mar 24, 2000
|This mailing is to announce the release of WinHex 9.3.
WinHex 9.3 offers a brand-new template editing feature. That means you can edit any data for that a template exists in a more comfortable and error-preventing way, regardless of whether the data originates from a file, from disk sectors, or from virtual memory.
A template definition is stored in a text file. It contains variable declarations, similar to source code of programming languages. Each declaration consists of a data type and a variable name. The syntax is explained in the program help and the manual. You may start creating your own custom templates within minutes.
WinHex 9.3 comes with the following sample templates:
(To be completed in future versions.)
|#5: WinHex 9.26 released
Mar 12, 2000
|This mailing is to announce a minor update: WinHex 9.26.
* The main window finally has a sizing border.
* Limited support for EBCDIC
The right-hand text display is now capable of using three character sets: ANSI ASCII, IBM/OEM ASCII, and EBCDIC. Try the menu Options->Character Set. You may also press Shift+F7 to switch between the character sets. If EBCDIC is selected, characters entered via the keyboard are interpreted as their respective EBCDIC value. A facility for converting between ANSI ASCII and EBCDIC is provided as well as a character set table. However, EBCDIC is currently not supported by any other function, such as searching, printing, or by the clipboard commands.
As a side effect, a custom translation table e.g. of a proprietary ASCII character set can be realized by editing the supplied EBCDIC.dat file.
|#4: WinHex 9.25 released
Mar 7, 2000
|This mailing is to announce the release of WinHex 9.25.
WinHex 9.25 offers enhanced support for FAT16 and FAT32 drives. When opening a drive, WinHex traverses the cluster chains and thereby generates a drive map. This enables WinHex to determine each sector's current allocation. The gray information column reveals whether a sector/cluster is unused, assigned to a file or directory, or if it holds a file allocation table or the boot sector.
Besides, you may now specify a cluster number when using the Go To Sector command.
The program help and the PDF manual have been updated accordingly.
Because of changes to the initialization mechanism, WinHex cannot reuse your existing configuration this time. Registration codes are to be entered again. Backups, routines, and position tables can be reused, of course.
Upgrading to WinHex 9.25 continues to be free for all users who registered and paid for WinHex 8.51 or later. Online registrations as of July 20th 1999 qualify. For details on upgrading from earlier versions see http://www.winhex.com/winhex/upgrade.html.
|#3: WinHex 9.2 released
Mar 1, 2000
|This mailing is to announce the release of WinHex 9.2.
* Optionally compressed file backups and drive images. Built-in zlib compression algorithms. Same compression ratio as ZIP. Also works in combination with checksums, digests, and encryption.
* Splitting drive images, e.g. into 650 MB volumes for CD-R archiving
* Bad-sector-tolerant drive cloning
* Search algorithm's speed increased by another 7.5% (at maximum, depends on cache situation, search string, etc.)
* Lengthy operations may be paused and resumed by pressing the PAUSE key
* Offset display relative to records of a user-defined length. Try right-clicking the offset display of the status bar. Particularly useful for relative sector offsets (record=sector).
* Minor improvements
The program help and the PDF manual have been updated accordingly.
|#2: New Features in WinHex 9.0 - 9.2
Feb 28, 2000
|This second mailing is to give you a quick overview of the
features added to WinHex since v8.9. The latest WinHex version is WinHex 9.12.
v9.2 is scheduled for March.
|#1: Overview of the WinHex section
Feb 23, 2000
|Thanks for joining the brand-new WINHEX.COM Announcement
List! This first mailing is to give you a quick overview of what kind of information about
WinHex exists on WINHEX.COM.
Main features and latest additions: http://www.winhex.com/winhex/
Miscellaneous additional information: http://www.winhex.com/winhex/moreinfo.html
Hints on distributing WinHex on a network: http://www.winhex.com/winhex/setup.html
Data formats recognized by the Data Interpreter: http://www.winhex.com/winhex/interpreter.html
File formats used by WinHex: http://www.winhex.com/winhex/WHX_Format.html &
The Knowledge Base (http://www.winhex.com/winhex/kb/) covers miscellaneous topics associated with WinHex, e.g. character sets, checksums, hard disks, virtual memory, machine code, cryptography, common file formats, ...
Registration (pricing, ways of payment): http://www.winhex.com/winhex/registration.html
Upgrading (pricing, info on for whom it is free): http://www.winhex.com/winhex/upgrade.html
The WinHex manual is available for free from the following URLs:
PDF files can be viewed and printed using either Adobe Acrobat Reader (http://www.adobe.com/products/acrobat/readstep.html) or GSView (http://www.cs.wisc.edu/~ghost/).