X-Ways Forum » Public Announcements » X-Ways Forensics 12.5

Stefan Fleischmann (Admin)
Posted on Thursday, Jun 30, 2005 - 18:57:   

If you have access to a partition formatted with Reiser4 (or an image of such a partition) from a Windows environment and you are interested in trying the upcoming Reiser4 support in a beta version of WinHex or X-Ways Forensics, and you would be willing to share some data from this partition if necessary, please drop us a message. As a small reward we offer a free license or license upgrade after having you run some tests. Thank you!

Stefan Fleischmann (Admin)
Posted on Sunday, Jul 10, 2005 - 20:06:   

A beta version of X-Ways Forensics 12.5 is now available for owners of a forensic license. The download link can be retrieved by querying one's license status.

What's new?

* The Apple Macintosh file system HFS Plus (hereafter called HFS+, a.k.a. Mac OS Extended) and the brand-new Linux file system Reiser4 are now natively supported.

* Exploring large directories (including a large fictitious directory "Deleted Objects" in NTFS) now works instantly. Even recursively exploring an entire volume (right-clicking the root directory in the directory tree and using the context menu) now works almost instantly as well! Available for NTFS, Ext2/Ext3, ReiserFS, Reiser4, and HFS+ volumes.

* The initial file system scan performed for newly opened volumes is now considerably faster for Ext2/Ext3.

* NTFS alternate data streams (ADS), non-directory INDX streams and $EFS streams are now listed in the normal directory view, too, not only in contents tables.

* The size of directories is now always displayed on NTFS volumes.

* The number of the first cluster of files and directories can now be listed in the directory browser in an optional column. This allows you to sort files by their physical location on the disk and identify existing and deleted files that reference the same first cluster. Available for FAT, NTFS, Ext2/Ext3, ReiserFS, Reiser4, and HFS+ volumes.

* The five aforementioned improvements are entirely ("1st cluster" column: partly) based on a new kind of file system analysis that takes place immediately when opening volumes. This analysis is more extensive than the former so-called cluster scan and supersedes it. (NTFS, Ext2/Ext3, ReiserFS, Reiser4, HFS+)

* Also the IDs of files and directories as assigned by either the file system or WinHex itself can now be listed in an optional column.

* The former alternative access method is now the default one for optical media. The benefit is that the full sector count of CDs and DVDs will always be detected. That also means, selecting one of the alternative access methods now solely affects physical hard disks.

* In some rare configurations under Windows 2000/XP WinHex previously associated the detected hard disk model number and size with the wrong physical hard disk. This should no longer happen. Plus under Windows 2000/XP WinHex can now detect the bus with which a hard disk is connected (ATA, SATA/SCSI, USB, ...).

* ROT13 is now an additional option in Edit | Modify Data.

* Better support for filenames with non-Western-European characters. (since v12.35)

* All the other improvements and fixes of v12.35 are included.

- To Do (for HFS+ and Reiser4): fictitious filesystem area file still incomplete, no free space or slack space extraction yet, no deleted files found via file system data structures listed yet, HFS+: heavy file fragmentation not yet supported

v12.5 will be a free update for all owners of licenses issued for v11.6 or later.

Stefan Fleischmann (Admin)
Posted on Tuesday, Jul 12, 2005 - 19:11:   

Beta 2:

* Error accessing compressed files within archives on HFS+ volumes fixed.

Stefan Fleischmann (Admin)
Posted on Thursday, Jul 14, 2005 - 18:26:   

Beta 3:

* Error opening "Free Space" file on HFS+ fixed.

* Error interpreting spanned volumes on dynamic disks under certain circumstances fixed.

* Display update improved when holding Cursor Up/Down key in a directory browser with 300,000+ items.

Stefan Fleischmann (Admin)
Posted on Thursday, Jul 14, 2005 - 21:15:   

(Ability to sort was temporarily unavailable in directory browser of Beta 3, fixed.)

Stefan Fleischmann (Admin)
Posted on Thursday, Jul 14, 2005 - 23:44:   

Beta 4:

* Preview mode and gallery mode in HFS+ were erroneously left simply when selecting a file. This was fixed.

* Ability to format large volumes with FAT32, which is not feasible with Windows XP beyond a limit of 32 GB, but often desirable for compatibility with other operating systems (e.g. DOS, to save image files with X-Ways Replica). Open a hard disk partition that is not currently mounted as a logical drive letter and then press Shift+Ctrl+F. You will then be prompted for a cluster size (128 sectors per cluster at most, 8, 16, or 32 recommended). Use this tool at your own risk only.

Stefan Fleischmann (Admin)
Posted on Friday, Jul 15, 2005 - 22:52:   

Beta 5:

* Protection against certain corrupt picture files introduced that caused X-Ways Forensics to hang upon loading, with the help of a timeout of 10 seconds.

* HFS+ file permissions are now listed in the Attribute column. (Remember to refresh volume snapshots taken by previous 12.5 beta versions.)

* The original Find Text dialog box is available again for owners of specialist and forensic licenses, without the need to hold the Shift key.

Chris Randle (Narny)
Posted on Saturday, Jul 16, 2005 - 11:20:   

I suggested ROT13 support back in April 2003. You've announced it for Forensics 12.5 beta. I only have the Specialist licence. Will ROT13 appear in the lesser versions, too?

Stefan Fleischmann (Admin)
Posted on Saturday, Jul 16, 2005 - 11:25:   

Yes, it will.

Chris Randle (Narny)
Posted on Saturday, Jul 16, 2005 - 22:30:   

Thank you. That's good.

Stefan Fleischmann (Admin)
Posted on Sunday, Jul 17, 2005 - 18:50:   

Beta 6:

* NTFS: Fictitious "Deleted Objects" directory now shows the original paths if known instead of just "?".

* NTFS: Paths of deleted files in directory browser are checked for parent record reuse count mismatches (as in v12.35 and earlier).

Stefan Fleischmann (Admin)
Posted on Tuesday, Jul 19, 2005 - 22:50:   

Beta 9:

* Hash set renaming bug fixed.

* Some minor improvements.

Stefan Fleischmann (Admin)
Posted on Friday, Jul 22, 2005 - 2:40:   

Beta 10:

* Heavily fragmented files in HFS+ should be read correctly now (still unconfirmed).

* Alternative disk access method #1 now works with a timeout as well.

* 7 instead of 5 external programs supported.

* Some other minor improvements.

Stefan Fleischmann (Admin)
Posted on Friday, Jul 22, 2005 - 22:26:   

Beta 11:

* Based on user input, the gallery view has been decoupled from the directory browser. That means, if there is sufficient space on the screen, many more thumbnails can be displayed per page than there are visible items in the directory browser. That also means, the smaller the vertical space allocated to the directory browser, the more thumbnails are now displayed. The major benefit of the previous coupling still exists: When you select thumbnails with the mouse or the keyboard, the corresponding directory browser item is highlighted (+now scrolls into the current view) so that details such as filename and timestamps can be easily checked. Comments welcome.

* Identical timestamp bug in directory browser fixed.

Stefan Fleischmann (Admin)
Posted on Friday, Jul 22, 2005 - 23:41:   

Beta 12:

* When the mouse cursor hovers over a directory browser item's icon, the number of that item in the directory browser is now displayed in addition to the item's path. This number can be used e.g. to resume examining files exactly where one left the directory browser. The directory browser's context menu (Position submenu) allows you to jump to any item based on the item's number. The number is 0-based. Always remember that the number depends on what exactly has been loaded into the directory browser and on the current and possibly previous sort parameters.

Stefan Fleischmann (Admin)
Posted on Saturday, Jul 23, 2005 - 2:18:   

HFS+ file system data structure templates are now available for download.

Stefan Fleischmann (Admin)
Posted on Saturday, Jul 23, 2005 - 23:57:   

Beta 13:

* New volume snapshot now considerably faster on volumes with very many files and directories.

* Gallery control improved since Beta 12 (scrollbar, keyboard & mouse wheel, synchronization with directory browser). Reduced memory utilization, too.

* Memory utilization of directory browser reduced.

* Contents table output to file no longer a must with a forensic license.

* Restoring an uninterpreted image to a disk now noticeably faster.

* Some minor improvements and bug fixes.

Stefan Fleischmann (Admin)
Posted on Sunday, Jul 24, 2005 - 16:14:   

Beta 14:

* Bug in volume snapshot fixed.

Stefan Fleischmann (Admin)
Posted on Tuesday, Jul 26, 2005 - 22:10:   

Beta 15:

* Ability to abort on-the-fly extraction of files from large archives, e.g. when in preview mode, in particular from solid RAR archives, which is potentially time-consuming and previously rendered X-Ways Forensics unresponsive until the extraction was complete.

* Ability to type multiple characters in the directory browser in order to jump to the first matching item. This is particularly useful for very long lists of files. E.g. in a list with "Summer", "Tarzan", "Tomato" and "Tornado", typing "tor" with no pause longer than 1 second will first jump to "Tarzan" because of the matching "t", then to "Tomato" when you hit the "o", and finally to "Tornado" when you type "r". NB: The characters typed are matched against the column that is currently selected as the primary sort criterion.

Stefan Fleischmann (Admin)
Posted on Thursday, Jul 28, 2005 - 21:48:   

Beta 16:

* When the segments of a raw image are spread across two different drives, it is now possible to specify the other storage location if you hold the Control key when the first segment is about to be interpreted.

Stefan Fleischmann (Admin)
Posted on Monday, Aug 1, 2005 - 16:39:   

Beta 17:

* Errors in ReiserFS and Reiser4 support fixed.

* Files in a table that is included in the case report can now be included themselves in the report (by way of a picture or link) if the table is output as a flat, vertical list and if the corresponding option in the case properties has been enabled at the time when these files were added to the table and the table was marked as to be included in the report. (Yes, sounds complicated.)

Stefan Fleischmann (Admin)
Posted on Monday, Aug 1, 2005 - 19:18:   

Beta 18:

* Error in Go To Page and record presentation fixed.

Ross@WinPro.net
Posted on Monday, Aug 1, 2005 - 20:17:   

beta-17

> (by way of a picture or link)
This is a great feature. Thank you very much!

--------------------------------------------------

Wish List suggestions for reports:

1. Since a report will often be read by others not familiar with Hard Drive terminology, perhaps (optionally?) include pertinent 'Legend' information in the report. (e.g. 'Ofs' is obvious to us but not always to a client). BTW I do not know what 'Ja' is in the report's 'Deleted' (I do not see 'Ja' in the DB in the 'Deletion' column (or any other column)).

2. With this new beta-17 ability to add pictures or links based on whether or not 'Make a copy of files for inclusion ... ' is toggled on or off, I have already created tables that have many included and not-included objects.

Is there already a way to quickly see which objects in an 'Included table' will also have their "picture or link" in the report?

If not can there be added for each included object, a DB column or icon like the green "Contents Table, included in case report" icon?

And/Or an option in the Position menu for:
'Include picture/link in report' if not already ... or
'Exclude picture/link in report' if it is already included?

--------------------------------------------------

BTW in beta-17
On a healthy source test drive, FAT 32:
in DB with 'Sector view' (also Preview & Gallery), while scrolling or opening or viewing some files,
I am often getting the message box with the yellow triangle and exclamation mark that says "\Program Files \ ..." (or other filename and path). I just dismiss the box and the files are then accessed AOK. Any immediate second attempt is AOK, but later attempts (after doing other things with WinHex) on the same files will result in the issue repeating.

This does not happen when specifically tested for on the same system with WH 12.35 SR-2. I have not yet tested this issue with earlier 12.5 betas.

Thank you again,

Ross@WinPro.net

Stefan Fleischmann (Admin)
Posted on Monday, Aug 1, 2005 - 20:52:   

> I do not know what 'Ja' is

Sorry, an error. Will be fixed.

> Is there already a way to quickly see

No, there isn't, except creating the report...

> And/Or an option in the Position menu for:

Maybe some time later.

> message box with the yellow triangle and exclamation mark

I cannot reproduce this yet. If you can narrow down the circumstances some more, please let me know. Thank you.

Stefan Fleischmann (Admin)
Posted on Tuesday, Aug 2, 2005 - 21:09:   

Beta 19:

* The new type of file system analysis has also been implemented for FAT12/FAT16/FAT32, CDFS, and UDF. For example, this means that exploring recursively now works practically instantly. As a side effect, XWF can now more often tell the former cluster allocation of free clusters to deleted files on FAT volumes.

* Timestamp error fixed in directory browser.

Stefan Fleischmann (Admin)
Posted on Wednesday, Aug 3, 2005 - 10:05:   

Beta 20:

* Some fixes for the new FAT file system support.

Stefan Fleischmann (Admin)
Posted on Thursday, Aug 4, 2005 - 15:46:   

Beta 22:

* When printing documents displayed by the viewer component, using the File | Print command or the printer icon in the toolbar, it is now possible to optionally print the complete path of the file as a header on the first page or on a separate cover page. Very long file paths and filenames are not truncated.

Ross@WinPro.net
Posted on Friday, Aug 5, 2005 - 6:52:   

beta-22 (maybe others?)

Source = NTFS

Creating a DCT and including a search for JPGs in thumbs.db generates some damaged images (as seen in the preview and gallery view) from the Thumbs.db files, yet a recovery by type (byte level) directly from these same thumbs.db files generates intact images.

The Thumbs.db appear to be OK, not deleted, or damaged. This is even happening with the Windows sample Thumbs.db in C:\ ... \My Pictures\Sample Pictures that comes with four images.

It does not always happen to all images in a Thumbs.db and I do not see a pattern to the damage. Some Thumbs.db might have partial images because the images no longer belong (e.g. deleted from the folder) but even the Sample Picture folder with only four files still existing has this issue with the Thumbs.db?

Ross@WinPro.net

Stefan Fleischmann (Admin)
Posted on Friday, Aug 5, 2005 - 10:15:   

I cannot confirm such an anomaly. Since you do not seem to compare the actual data, just how you see pictures being displayed, maybe you are comparing apples and oranges? With non-standard or damaged JPEG files as in thumbs.db, the rendering engine at work in WinHex (preview and gallery view) of course could produce different results or could be less successful than a rendering engine in a dedicated picture viewing program. If WinHex itself displays these thumbnails in different ways depending on whether extracted by File Recovery by Type or by Create Drive Contents Table, please post again.

Stefan Fleischmann (Admin)
Posted on Friday, Aug 5, 2005 - 16:25:   

Beta 23:

* There is now an option to display pictures with the separate viewer component instead of with the internal engine in X-Ways Forensics (preview mode and view command), which will allow you to print them. See Options | External Programs.

* Ability to find deleted files based on file system data structures on HFS+ volumes.

Stefan Fleischmann (Admin)
Posted on Friday, Aug 5, 2005 - 16:57:   

Any confirmation that the new printing functionality (see Beta 22 announcement above) works correctly would be appreciated.

Albano
Posted on Friday, Aug 5, 2005 - 17:45:   

Beta 23
Printing on a Canon 4000i over the network:

If I'm viewing a JPG, BMP, GIF and try to print, I can see
an almost blank page, with comment in the top left, followed by a hex display, like normal WinHex. The rest
of page is blank. If I put a short comment or none, I can
see numeric values "below" the comment or all numeric values like...

6694371824 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF yyyyyyyyyyyyyy

or

Just testing824 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF yyyyyyyyyyyyyy


Nothing more prints on the page, but I can see the picture OK in the viewer. If I choose a big bitmap, the viewer opens full screen and does not let me minimize; with smaller pictures I can do it.
If a PDF is tried, it prints a blank first page, and then it prints the PDF OK....

Albano
Posted on Friday, Aug 5, 2005 - 18:07:   

If I try to print on my local printer, old 4039:

It prints in the first page...


X-Ways Forensics 12.5 Beta 23

\NewEsquemas\TVC-14.pdf


Just testing


and then the rest of the PDF. But if I decide to print only
one page of the PDF, I receive a message from the viewer
"Whoops
Unable to view this file [EX]"
Retrying and print all pages, no problem!

Ross@WinPro.net
Posted on Friday, Aug 5, 2005 - 19:53:   

> compare the actual data

Yes, the resulting recovered JPG files can have differing data content.

Here are more test results focusing on:
C:\Documents and Setting\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db
from an image set of an NTFS partition.

Recovery by Type at the byte level generates healthy little thumbnail JPGs that are viewable in other external software and also AOK in Preview and Gallery View with WinHex (navigate to destination folder).

Create a Drive Contents Table with the option to include a search for JPGs in thumbs.db, the resulting gallery view displays all four samples as damaged/partial JPGs. Select any of these 'Embedded xx.jpg' files, right click, Recover/Copy, the resulting recovered JPG does not have the same data content as the version recovered by type.

Create a Directory Contents Table focusing on just the 'Sample Pictures' folder, generates the same results as the Drive Contents Table test.

Here is some new info: if I recover the 'Thumbs.db' from the 'Sample Pictures' folder and then use beta-22 to navigate to the recovery destination folder and perform a DCT on the recovered folder, all four 'Embedded 0x.jpg' are displayed in Gallery view AOK. When I use beta-22 to compare the two ' ...\Sample Pictures\Thumbs.db' files (the recovered one on the destination drive and the original on the source image), they are the same. I had considered sending a copy of the recovered 'Thumbs.db' but I do not think that will help now? Would sending a copy of one of the damaged 'Embedded 0x.jpg' help?

I believe, under unknown conditions, beta-22 will sometimes render different results from a thumbs.db depending on method of access (i.e. DCT vs. RBT).

Thank you,

Ross@WinPro.net

Stefan Fleischmann (Admin)
Posted on Saturday, Aug 6, 2005 - 12:13:   

Albano,

Thanks for trying.

> if I'm viewing a JPG, BMP, GIF and try to print
> [...]
> followed by a hex display, like normal WinHex

(I was referring to printing the display of the separate viewer component. Pictures are displayed and printed by the viewer component only if this option is enabled in Options | External Programs.)

> PDF
> [...]
> Retrying and print all pages, no problem!

OK.

Albano
Posted on Sunday, Aug 7, 2005 - 17:24:   

Yes, you are right... I missed the setup!

I've done it again, and it still not print nothing in the separator page, always blank, on the network
printer, images OK now.

Local printer OK!

Now I can print one page at a time with PDFs. The
error message only appears if trying to do a select
printing but no selection attempted first.

Stefan Fleischmann (Admin)
Posted on Sunday, Aug 7, 2005 - 17:31:   

Thank you!

> still not print nothing in the separator page, always blank

I assume the cover page is only blank because you did not additionally select [x] Print path and/or [x] Comment?

Albano
Posted on Sunday, Aug 7, 2005 - 21:59:   

No Stefan, this time I'm doing it right. Selecting all
3, and add the data to the comment field, results always
in a blank page. Local attached printer OK, as expected!

Stefan Fleischmann (Admin)
Posted on Tuesday, Aug 9, 2005 - 12:56:   

Beta 24:

* In an attempt to prevent some issues related to printing with the viewer component, the optional cover page is now printed in a separate print job.

* Some minor improvements and fixes.

Stefan Fleischmann (Admin)
Posted on Tuesday, Aug 9, 2005 - 20:26:   

Beta 25:

* Several errors in Reiser4 interpretation fixed.

Stefan Fleischmann (Admin)
Posted on Thursday, Aug 11, 2005 - 0:52:   

Beta 26:

* Ability to gather free space and slack space from Reiser4 volumes.

* Focus retained when changing sort criterion in directory browser. -> Visible range will stick to last highlighted item.

Stefan Fleischmann (Admin)
Posted on Friday, Aug 12, 2005 - 12:16:   

v12.5 has just been released. The beta version is no longer available.

Stefan Fleischmann (Admin)
Posted on Thursday, Aug 18, 2005 - 19:30:   

v12.5 SR-1:

* Ability to find deleted or otherwise lost files on Reiser4 volumes when creating a drive contents table. Ability to rebuild the internal Reiser4 tree if its root was lost. All of these features should be exclusives that you won't find anywhere else. (since v12.5 SR-1)

* While running a logical or physical search and having WinHex list search hits, it is now possible to view the search hits while the list is being populated and to open files that contain hits via the search hit list's context menu. After opening files like this, you can view them with the separate viewer component (Tools | View) or export them (File | Save As). Also it is now possible to switch between search hit list and the directory browser during an ongoing search operation, by clicking the respective buttons. (since v12.5 SR-1)

* Several other minor improvements.

Stefan Fleischmann (Admin)
Posted on Monday, Aug 22, 2005 - 19:51:   

v12.5 SR-2:

* In WinHex and X-Ways Forensics v12.1 through v12.5 SR-1, disk images created in the WinHex backup legacy format (.whx) were not encrypted correctly when encryption was enabled. The data in these backups is not securely protected. This error was fixed. If you need to decrypt .whx files created by any of the aforementioned versions, please contact me.
Forum operated by X-Ways Software Technology AG.