Stefan Fleischmann (Admin)
|Posted on Wednesday, Mar 30, 2005 - 20:24: |
A beta version of X-Ways Forensics 12.1 is now available for owners of a forensic license. v12.1 will still be a free update for owners of a license issued for v11.15 and later. The download link can be retrieved by querying one's license status.
* A new internal hash database (forensic license only) allows for very quick matching. You may import existing NSRL RDS 2.x, HashKeeper, or ILook hash sets or create your own ones as before. When creating a contents table, you may now select hash sets in the database for matching individually. Known good files can still be filtered out automatically. However, corresponding hash sets and hash categories can now be seen directly in the directory browser, in new optional columns, which are sortable and thus allow you to manually filter out irrelevant files or address notable files specifically. The hash value itself can now be displayed in an optional column, too.
* We offer an external component that allows to view more than 200 (!) file formats (such as MS Word / Excel / PowerPoint / Access / Works / Outlook, HTML, PDF, CorelDraw, StarOffice, OpenOffice, ...) directly in WinHex and X-Ways Forensics. For details please see http://www.x-ways.net/forensics/viewer.html. This component is now included in newly purchased forensic licenses and also made available at no additional cost to all owners of forensic licenses issued for v12.05. All other registered users can upgrade to a forensic license for v12.1 if they are interested in this new component. ( http://www.x-ways.net/winhex/upgrade.html )
* Windows 2000/XP dynamic disks (with simple, spanned, and striped volumes) are now supported. (specialist and forensic licenses only)
* Evidence files created by WinHex are now compatible with other computer forensics computer programs.
* When creating compressed evidence file images, the default compression is now a quick algorithm that allows to save on time.
* The Create Disk Image dialog now offers the option to tolerate bad source sectors without interrupting the copy process and to select a substitute ASCII pattern for such sectors.
* The maximum number of contents tables that can be associated with an evidence object has been increased from 16 to 32. (since 12.05 SR-4)
* The size of directories is now displayed even for FAT and NTFS file systems (NTFS: contents tables only).
* It is now possible to associate up to 32 externally stored search hits lists (.pos files) with an evidence object. The only search hit list internally stored in an evidence object (which was the default output for newly archived search hits in previous releases) is now considered the "main" one for search hits found to be relevant, moved there specifically from newly created external search hit lists. Only search hits in this main list will be included in a case report. (since 12.05 SR-4)
* There is now a command in the context menu of an evidence objects that allows to replace the object with a new image file, so that e.g. after previewing and imaging a physically connected disk you can continue to work with the same evidence object even when the disk is no longer available. (since 12.05 SR-8)
* The alternative disk access method is now faster on certain computers. (since 12.05 SR-9)
* New script commands: StrCat, GetUserInput, GetUserInputI (since 12.05 SR-11), and Terminate.
* Fixed: File signatures beyond the first 127 were previously ignored for filename/file type mismatch checks. The maximum number of file types supported in the File Type Signatures.txt file is still 255.
* Many other improvements.