WinHex

21.8

Computer forensics and data recovery software, hex editor and disk editor.

Overview

What's New

Certified

Similars 3

WinHex is a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security.

An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

Features

Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, ...
Powerful directory browser for FAT, NTFS, Ext2/3, ReiserFS, CDFS, UDF
RAM editor, providing access to other processes' virtual memory
Data interpreter, knowing 20 data types
Editing data structures using templates (e.g. to repair partition table/boot sector)
Concatenating and splitting files, unifying and dividing odd and even bytes/words
Analyzing and comparing files
Particularly flexible search and replace functions
Disk cloning, with a specialist license also under DOS
Drive images & backups (optionally compressed or split into 650 MB archives)
Programming interface (API) and scripting (professional & specialist licenses only)
128-bit encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
Import all clipboard formats, incl. ASCII hex values
Convert between binary, hex ASCII, Intel Hex, and Motorola S
Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
Instant window switching. Printing. Random-number generator.
Supports files >4 GB. Very fast. Easy to use. Extensive online help.

What's New

File Format Support

Carving algorithm significantly improved for certain MPEG video variants.
File carving support for AVIF files.
No longer includes extra Exif Makernote data in the thumbnail child object of JPEG files whose embedded data is uncovered, to achieve more universally usable hash values for such child objects.
Alternative extraction method for attachments encoded in .eml files.
Completely revised parsing of .evtx Windows event log files and more complete output of event data to the event list. More stable with corrupt .evtx files.
Recognizes DocuRay-processed document files as encrypted/DRM-protected.
Identifies hardlinks and symlinks in TAR archives as such. Hardlinks are presented with the original file contents and the hardlink count within the archive.
That certain binary files are included in the case report in a readable format if possible is now optional. This affects for example .job files, .lnk, prefetch files, $I*, $LogFile, $UsnJrnl:$J, wtmp, utmp, btmp, TCP and UDP packets, and many more. If binary copies are preferred that cannot be viewed in the browser along with the report, the new box for this can be unchecked.
Tentatively identifies RTF files that contain embedded pictures, using a label ("No pictures extracted").

Picture Support

Ability of the internal graphics display library and the picture content analyis to load pictures from AVIF files.
HEIC display support completely revised.
PNG and JPEG support updated in the internal graphics display library.
Improved detection of AI-generated pictures through various micropatterns. You can check the software class row in the summary table in Details mode for an assessment. If it does not say "AI-generated", the device class/type "No device" could also raise suspicion, as should Annotation No. 201 if it is output.
Updated picture generating device detection.
Improved picture size+ information in the Summary table in Details mode (called sensor size or paper size in previous versions), with textual descriptions of the resolution, output of the aspect ratio if worth pointing out, and potentially a known previous resolution if a picture was resized. An arrow up indicates an unexpectedly high propensity score. An arrow down indicates an unexpectedly low propensity score, which is correlated with reduced-resolution copies for dissemination and a lower generic relevance. "Picture size" is now marked there with a tiny + symbol to set it apart from the directory browser column of the same name.
A new entry called "Media design" in the Summary table for several picture file types, already introduced in v21.7, is meant to aid the assessment of a picture's aspect ratio. There are about 128 aspect ratios that represent a statistically significant variant. All other aspect ratios are labeled "Random". Particularly common aspect ratios, like e.g. 4:3, which are used by camera sensors, are labeled "Native". The group of "Framed" media designs are further distinguished as "Framed", "Square", "Scaled", "Social media" or "Featured". The latter refers to the "Open Graph" standard introduced by Google, which identifies pictures that are meant to represent a website as a whole. Media design information can be used to assess the overall consistency: A picture with a processing state labeled "Original" should always have a media design labeled "Native". A modified picture would expect a "Framed" variety, while "Featured" or "Social media" correlates with the processing state of "Disseminated". If no other tangible context exists, the media design could still be used for a general assessment.
Improved interpretation of picture aspect ratios in v21.8.

Evidence Object Support

For a while already, UFDR reports can be added as evidence objects just like normal Zip archives, and the file report.xml in .ufdr archives is presented as a virtual file because it contains metadata for the examination and is not an original file. It can optionally be parsed to present all the other files in the archive with their original timestamps and in their original paths whenever possible. In v21.8, the timestamps that the other files have according to the Zip archive records can now optionally be discarded altogether if you find them too unreliable/misleading.
If report.xml interpretation is fully selected instead of just half, X-Ways Forensics can now also extract messages and present them as events. Messages of the following types are usually supported:
Instant Messages: Android CallLog database
Instant Messages: Android
Chats: Kik Messenger
Instant Messages: Phone
Chats: Native Messages
Chats: Kik Messenger
Chats: Snapchat
More detailed feedback on report.xml parsing in case of problems.
Ability to store decoded document text and OCR-derived text in evidence file containers. This allows recipients of such containers to run fast logical searches in the included files without spending time on text decoding and OCR, if they are using v21.7 SR-3 or later.
Ability to continue filling encrypted container archives. (The user needs to enter the same password again.)

File System Support

Ability to detect an exFAT file system in a partition and immediately work with it even if the boot sector was overwritten, as long as the backup boot sector is available.
A template for exFAT boot sectors is now included.
The directory tree depth at which an error in the file system will be presumed and at which recursion will be aborted when taking a volume snapshot of FAT* or Ext* file systems can now be defined in the Volume Snapshot Options, and helps to avoid stack overflow errors, which would otherwise occur in some very rare cases. If this situation occurs, a message will be output: "Probably circular link detected. Recursion depth ...".
Improved ability to cope with a certain type of NTFS file system manipulation.
Broader recognition of BitLocker recovery key files, which are identified as "blkey" in the Type column.
Recovery keys that were encountered in any evidence object in the case already are automatically used to decrypt BitLocker partitions that you open if they fit.
A new security option controls whether BitLockers passwords and keys that you enter manually or that are found automatically (BEK and recovery key files) or that match when trying out passwords from a list are centrally stored in the case (on disk). That is convenient and the default setting, but perhaps not desirable for internal investigations if the case directory itself is not protected/encrypted.

User Interface

More granular setting for what action should be triggered when double-clicking files with child objects (explore or view).
The first 4-state check box in X-Ways Forensics (or maybe in the universe) has been introduced. Grid lines in the directory browser are now available in 3 different shades (and can optionally be completely hidden).
Ctrl+A now works in windows of the viewer component to select all, in text documents and spreadsheets (but not in PDF documents, presentations, ...).
The Description filter can now filter for directories.
Extended UTF-8 support in some functions/parts of the user interface.
The Ukrainian and Russian translations of the user interface were updated.

Notation and Output

A new notation setting allows to see the complete internal path of an evidence object in the evidence object column instead of the user-definable, up to 79 characters long title or number of the evidence object.
Another new notation setting allows to not show filename extensions in the columns "Name" and "Parent name", which could be useful for users of X-Ways Investigator in particular who do not care much about what type a file is or pretends to be.
You can tell X-Ways Forensics what you like to see in the Int. Parent column: The internal ID of the parent as in previous versions, its name, or its description, or a combination of these three. The filename can optionally be truncated before the extension in this column as well.
Another new notation setting allows to display file sizes in units of sectors. If not found on storage devices or images with sector-level access, but e.g. in evidence objects that are zip archives or directories, a standard sector size of 512 bytes is assumed. The display sector count is either rounded up (because a file occupying 1 full sector plus 2 bytes actually utilizes 2 sectors where files are stored as sector-aligned) or it is displayed with one decimal digit. The display style with one decimal digit can give you an idea how precisely or roughly carved files were sized because if a file size is an exact multiple of the sector size, it will be displayed with no decimal, whereas .0 indicates a few extra bytes that just do not amount to one tenth of a sector. This can also give you an idea which file types are naturally rounded in size, e.g. Windows registry hives and OLE compound files. On the other hand, if a JPEG or HEIC or any other usually unrounded file is shown with no decimal digit, that is a candidate for a file that was truncated, e.g. by carving or file system corruption. (Though if file sizes are equally distributed, one in 512 files would happen to be a multiple of the sector size naturally.)
The notation settings dialog window was tidied up and renamed Notation/Output. The main notation/output settings of the graphical user interface itself can now be reached from the main menu. The "Notation..." button in the General Options dialog window will probably be removed at some point.
The option to output either the main filename, an alternative name or both in exported lists and in copylog files, if an alternative filename is known at all, has become a setting in the Notation/Output dialog window.
The two options for the "1st sector" column, previously part of the directory browser options, have become notation settings and thus can now be different for the GUI and exported lists.
The setting to display a triangle in Name cells to indicate the presence of labels has been moved from the notation settings to the directory browser options dialog.

X-Tension API

The XWF_Label() function can now be used to remove a label from a file.
The XWF_OpenItem() function now supports a flag to embed attachments in an .eml file, usually for export purposes.
The functions XWF_GetReportTableAssocs() and XWF_AddToReportTable() got new names: XWF_Label() and XWF_GetLabels(). These functions can still be called by their old names for compatibility purposes, but the old names are now deprecated since the arrival of v21.7 SR-4.

Miscellaneous

When importing hash values, either from an external text file with ASCII hex values or from files selected in the directory browser, you now have the option to merely find out which hash values are already contained in your database and which hash values are new, without actually adding the hash values to the database. This can be used for example to find out how an import would affect your database / if there is any new material included at all etc., or if you get your hands on a list of hash values of files of interest and do not have access to the files themselves (e.g. files that once were in someone's possession) and need to find out whether they are known in your hash database.
The Recover/Copy function's log function, if fully checked, now also logs directories that are being recreated in the output path, with their original names, internal IDs, timestamps, attributes or whatever you select.
X-Ways Forensics now monitors additional threads during volume snapshot refinement and attemps to terminate and resume hanging threads if they are found to be unresponsive for e.g. 15 minutes. This is a new settings under Options | Security and assumes that the user interface itself is still responsive. Even if a particular file takes longer to process (e.g. large Outlook PST e-mail archive with many e-mails and attachments), the corresponding thread makes it known that it is still alive, so that alone will not trigger any recovery measures.
Ability to simulate hanging on a file, using one of the unlabeled, but tooltipped check boxes in Options | Security, only in Preview and Beta releases. (v21.8 Beta is still downloadable for a while.)
Registering at least one e-mail address specifically for the insurance of each dongle is now much more optional (and will also be treated as more optional in future releases of older versions). If no e-mail address is defined for that purpose, the final transaction code to complete the cancelation of the insurance will be e-mailed to all e-mail addresses connected with the entire license group that the dongle belongs to. If you think that is too annoying for too many colleagues, you can still register more specific e-mail addresses just for this purpose like before.
The viewer component was last updated with patches on our server for download on Feb 26, 2026.
An MPlayer release from 2025 is now downloadable.
The NSRL RDS hash sets, in a format for import into X-Ways Forensics, have been updated to release 2026.03.1, and are available for download in both MD5 and SHA-1 versions, now from the alternative download server.
The program help and the user manual were updated.
Many minor improvements.

Fast servers and clean downloads.
Serving tech enthusiasts for over 25 years.
Tested on TechSpot Labs.

Certified clean file download tested by TechSpot

Last updated:

May 26, 2026

Developer:

X-Ways

License:

Free to Try

OS:

Windows

File size:

4.1 MB

Downloads:

31,908

User rating:

54 votes

Software similar to WinHex 3

35 votes
Recover My Files 6.4.2.2597

Recovers deleted files emptied from the Windows Recycle Bin, or lost.
- Free to Try
- Windows
4.2/5

5 votes
R-Undelete File Recovery Software 7.0.180037

File Undelete and file recovery software for FAT & NTFS file systems.
- Freeware
- Windows
5/5

1 votes
Recovery Mechanic 3.0

Improved tool for restoring files deleted from NTFS and FAT disks
- Demo
- Windows

Overview

What's New

Certified

Similars 3

Features

What's New

Software similar to WinHex 3

Search Downloads