X-Ways Forensics 12.65

Stefan Fleischmann (Admin)
Posted on Monday, Oct 24, 2005 - 2:20:   

A preview version of X-Ways Forensics 12.65 is now available for owners of a forensic license. The download link can be retrieved by querying one's license status.

What's new?

* Ability to add a comment to an item in the directory browser. After entering comments, you can conveniently set the filter such that only commented items are shown or only items with specific comments, e.g. those with a certain relevance. For items in a report table, comments are also included in the report, if the table is output in the flat format. (forensic licenses only)

* Ability to export selected hash sets from the internal hash database, to share them with other users without exchanging the entire hash database.

* Hiding a directory now works recursively, so all its files and subdirectories are automatically hidden as well. If you are only allowed to examine the contents of certain directories, you could initially hide all files in all other directories such that they will be automatically excluded from the directory browser, the gallery view, logical searches, copying actions, additions to an evidence file container, etc.

* It is now possible to add selected files from within archives to evidence file containers. Prerequisite: The volume snapshot has been refined and includes the contents of archives.

* Several other minor improvements. For example, during the creation of hash sets the name of the currently hashed file is displayed in the caption of the small progress indicator window, and the core file in the internal hash database is locked while in use to prevent the user from inadvertently moving or replacing the hash database's directory while X-Ways Forensics is running.

X-Ways Forensics 12.65 will be a free update for all owners of licenses issued for v11.8 or later.
Stefan Fleischmann (Admin)
Posted on Monday, Oct 24, 2005 - 17:41:   

Preview 3:

* Ability to tag directories recursively, i.e. including their files and subdirectories. Ability to hide all untagged items. (Remember that you can make use of the dynamic filter to conveniently tag or hide certain files.) The directory browser context menu was restructured.

* Ability to limit the operations in Refine Volume Snapshot to all tagged files or to all unhidden files.
Stefan Fleischmann (Admin)
Posted on Monday, Oct 24, 2005 - 20:41:   

Preview 4:

* Directory browser context menu and Refine Volume Snapshot dialog window further reorganized.
Stefan Fleischmann (Admin)
Posted on Monday, Oct 24, 2005 - 22:02:   

Preview 5:

Two new script commands:

GetClusterAllocEx IntVar
May be applied to a logical volume. Retrieves an integer value that indicates whether the cluster at the current position is allocated (1) or not (0), and saves that description in the specified variable.

GetClusterSize IntVar
May be applied to a logical volume. Retrieves the cluster size and saves that value in the specified integer variable.
Stefan Fleischmann (Admin)
Posted on Wednesday, Oct 26, 2005 - 1:15:   

Preview 6:

* New visual concept for "tagging" items. Ability to select all tagged items. (forensic license only)
Stefan Fleischmann (Admin)
Posted on Thursday, Oct 27, 2005 - 12:51:   

X-Ways Forensics 12.65 has just been released.
Stefan Fleischmann (Admin)
Posted on Sunday, Oct 30, 2005 - 13:45:   

SR-2:

* Some problems that may occur when processing certain files for a refined volume snapshot (e.g. .zip archive corrupt and not explorable) are now not only indicated in the message window but also added as a comment to the file itself, so that it is possible to systematically and more conveniently address these files individually and manually later if needed.

* Ability to hide duplicate files in the volume snapshot that are currently listed in the directory browser, based on identical hash values.

* Ability to hide known irrelevant files (based on the hash database) right away when refining the volume snapshot, and to exclude them from further processing in the same and future runs of Refine Volume Snapshot.

* When refining a volume snapshot, the name of the currently processed file is displayed in the progress indicator window. Same when adding files to an evidence file container.

* Items marked as to be hidden, if still visible because hidden items are not actually filtered out, are now displayed in light gray.

* Ability to unhide selected hidden items specifically.

* Items with comments are now marked with a red triangle, visible even if the optional comments column is hidden.

* Display of comment tooltips improved. If exceeding the right-hand screen boundary, the tooltip is moved further to the left automatically.

* Some other minor improvements and bug fixes.
Ross@WinPro.net
Posted on Sunday, Oct 30, 2005 - 16:54:   

12.65 SR-2

Cannot access: Options->General
(tested & confirmed on two machines)

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Sunday, Oct 30, 2005 - 18:41:   

Indeed, sorry. Fixed now with v12.65 SR-3.
Panczel Levente
Posted on Thursday, Nov 3, 2005 - 17:54:   

12.65 SR-3

RVS contains and shows SHA-256 values, contents table exported to a file always contains 00000... hash code (processing does not take the time needed to scan the files to calculate hash). I'd need SHA-256 exported to DCT for import into SQL database ASAP.

Thanks in advance
Panczel Levente
Panczel Levente
Posted on Friday, Nov 4, 2005 - 12:19:   

Could anyone confirm my statement above? I need to know that it's not me doing anything wrong. (But I cannot afford trying workarounds if winhex is mistaken and not me.)
Stefan Fleischmann (Admin)
Posted on Friday, Nov 4, 2005 - 13:45:   

I have to confirm that hash values were not computed for contents tables in v12.65 SR-3. Will be fixed with v12.65 SR-4 shortly.
Ross@WinPro.net
Posted on Saturday, Nov 5, 2005 - 1:08:   

Looks like that includes MD5.

Will SR-2 work OK (until SR-4 is available)?

If so, what are the risks (if any) of opening an SR-3 case in SR-3?

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Saturday, Nov 5, 2005 - 2:30:   

SR-4:

* A memory leak related to .zip archives was mitigated. The effect was noticeable especially when .zip archives with many files were opened many times.

* Mass processing files in archives in recursive views is considerably faster now (copying, hashing, searching).

* Error handling for filling evidence file containers improved.

* Several minor improvements.
Ross@WinPro.net
Posted on Saturday, Nov 5, 2005 - 7:39:   

SR-4

FYI:
Source: a Folder Contents Table created with SR-4, 3311 files, MD5

1. Even on a fresh system restart, clicking on a Contents Table seems to re-populate the Directory Browser much slower than before (recursive speed is still fast).


2. "Remove Duplicates" causes various errors.

The source folder had 3311 items (2 were 0KB in size but not selected). I eventually end up with 178 files remaining that I can "Add To" another CT.

When I re-click on the CT it slowly re-populates (no hour glass or other indicator of activity) with 3311, despite warning that they will be removed. I have not yet confirmed the validity of the 178 being accurate as the remaining non duplicates.


Email of error log will follow later.

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Saturday, Nov 5, 2005 - 14:03:   

SR-4:

* GREP parser error for \x notation fixed.

SR-5:

* Re-associating contents table items with the volume snapshot to allow for tagging and comments is now optional, to allow for speedy contents table loading (see Directory Browser options). This is because identifying several thousand contents table items within a volume snapshot with potentially hundreds of thousands of items is rather slow, and that association is required for full functionality because tagging and comments are stored in volume snapshots.

* Remove Duplicates should work again in contents tables.

Generally, drive contents tables and directory contents tables have been superseded by the refined volume snapshot in conjunction with the dynamic filter and the ability to hide irrelevant directories. They are not part of the simplified/reduced user interface of X-Ways Forensics any more.
Ross@WinPro.net
Posted on Saturday, Nov 5, 2005 - 15:45:   

> Generally, drive contents tables and directory contents tables have been superseded

I really hope that the (D)CT will be retained for awhile?

I use both RVS and CT.
(abbreviated) reason:
RVS for "dynamic filtering" and (D)CT for a "static" collection.

Thank you,

Ross@WinPro.net
Ross@WinPro.net
Posted on Saturday, Nov 5, 2005 - 16:15:   

SR-5

Upon first use and then upon "Options" -> "General"

A dialogue box pops up and only displays "9428" and "OK".


Just an FYI (in case it is risky to continue using SR-5 with such?)

Thank you

Ross@WinPro.net
Ross@WinPro.net
Posted on Saturday, Nov 5, 2005 - 17:55:   

> * Re-associating contents table items with the volume snapshot to allow for tagging and comments is now optional

Thank you, this works well.

----------------

I can appreciate this requirement ...
> that association is required for full functionality

Thank you for that info, I see how that works now.

--------------------

I have a need for static and dynamic lists.

I have some comments/questions/wishes:

Static CT pros:
1. While in WinHex, small CT's easy to open externally in Excel.

2. Large CT's can be sent to a text file (found externally in the case folder) and easily edited/sent to a client for review and opened with a WordProcessor.

3. Toggling "Quick contents table loading" allows for a quick switch to compare filtered vs. non-filtered (without losing current filtered by 'Removing all such markings'). [Unless you add an 'Invert Filter' button to the DB?]

4. Creating a CT of a single folder.

5. Creating a "New reports contents table" of a custom defined collection across differing paths.

If comments or tags are known to have been added to items in the source DB then it is pretty easy to tell visually if "Quick contents table loading" is on or off while viewing a CT in the DB. When there are no known tags or comments yet (or unsure) then it is a little slower to check (i.e. either review DB settings box or click on CT to see if it is slow or fast to repopulate).

How about a color code CT icon? Light red for "Quick contents table loading" is off and light green for "Quick contents table loading" is on. (or reversed?)

How about adding the ability to toggle "Quick contents table loading" directly to the CT properties box?

How about an hour glass to show that an update with the RVS is occurring?

Of course, with WinHex changes coming so fast, this may already be doable with only RVS? Then this post is moot.

Thank you very very much for your time,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Saturday, Nov 5, 2005 - 18:58:   

> I really hope that the (D)CT will be retained for awhile?

Yes. However, I would like to drop contents table creation some time, perhaps in exchange for the ability to export a volume-snapshot-based directory browser view (recursive or not) as a static, flat contents table.

> in case it is risky to continue using SR-5 with such

It's not. Window now removed.

> If comments or tags are known to have been added to
> items in the source DB then it is pretty easy to tell visually

Even without: Items in the directory browser that have not been associated with the volume snapshot don't have the square where you can tag them. If in a contents table no item has that square, it was either loaded with the "quick" option or the volume snapshot is incomplete (e.g. aborted).

3x
> How about [...]

Sorry, I don't think I'm going to implement that.
Ross@WinPro.net
Posted on Sunday, Nov 6, 2005 - 19:32:   

>in exchange for the ability to export

Yes, this could retain the current level of output of information to clients but would it still work for a content collection manually created from across various paths of a logical volume?

----

When Content Tables are no longer supported will there be a new mechanism to directly access static collections via the Case Data Window (please)?

For example: I create Content Tables to store collections of evidence (such as email) from across various paths (not just a single folder and its sub-folders). The CT then gives me quick, direct access to that evidence type. I might have a CT that contains all the DBX and PST files found on the logical HD. Then I just click on the "Email CT" in the Case Data Window and the DB repopulates with just those items.


-----------------------------------------------------


How about have the ability to save/load filter settings?


----------------------------

Thank you,

Ross@WinPro.net
Ross@WinPro.net
Posted on Tuesday, Nov 8, 2005 - 19:21:   

SR-5, W2K host, floppy image source

Lost "Comments" column content.

Small Case (just a floppy).

Never toggled "Quick contents table loading" at all (i.e. left unchecked).

I had about 60 items in the DB, about 40 had comments (only 4 different comments total).

The work, so far, included creating Hash values, tagging, selecting, hiding, commenting, unhiding, untagging, sort by comment, sort by hash value (all in various combinations).

I had selected two items with a common comment (others also had the same comment), I clicked "Edit comment" from the items' context menu, the comment box opened but the cursor would not display, keyboard entries were not accurate, WinHex Screen graphics started acting up, the "Comment" box entries started showing up at odd places on the screen. I shut down WinHex and the computer, restarted, repeated, same thing happened. Shut down, restarted, similar results but all the comments were gone. I shut down, restarted, I switched to the case.xfc.bak but the comments were still gone.

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Friday, Nov 11, 2005 - 1:08:   

> but would it still work for a content collection
> manually created from across various paths of a logical
> volume

Yes, any view in the directory browser, based on recursion and filters, could then be saved as a contents table.

> When Content Tables are no longer supported

I meant the commands Create Drive/Directory Contents Table may not be available in all future versions any more.

> How about have the ability to save/load filter settings?

Not planned at this time because filters are not that complex to activate.

> I switched to the case.xfc.bak but the comments were still gone

Sorry to hear of this data loss. Comments are part of the volume snapshot files, not the case file.
Ross@WinPro.net
Posted on Friday, Nov 11, 2005 - 2:33:   

12.65 SR-5

View -> Tables -> (any of the "Hexadecimal/..." tables)

You'll see! (or not)

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Friday, Nov 11, 2005 - 16:09:   

Fixed with v12.65 SR-6.
Ross@WinPro.net
Posted on Friday, Nov 11, 2005 - 17:55:   

Thank you.

-----------------

FYI-JIC?

Since I have not yet seen it documented as a feature, I will mention that in SR-6, a right click on an object in the Case Data Window will no longer pop-up the (only) option of 'Recursive' but will just do the recursive automatically.

Is this supposed to be a new feature? If so, any others?

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Friday, Nov 11, 2005 - 18:01:   

Yes, a new feature, improving convenience. Some other minor improvements and fixes in detail.
Stefan Fleischmann (Admin)
Posted on Sunday, Nov 20, 2005 - 22:44:   

SR-7:

* Tagging, hiding, comments etc. no longer lost when refining an existing volume snapshot with the "thorough search" option.

* Some minor fixes.
Stefan Fleischmann (Admin)
Posted on Thursday, Nov 24, 2005 - 21:19:   

SR-9:

* Bug in identification of free clusters fixed for HFS+.
Stefan Fleischmann (Admin)
Posted on Sunday, Jan 29, 2006 - 1:17:   

SR-10:

* Some fixes and improvements. Download URL available on request, to licensed users whose update maintenance expired after v12.65.
Ross@WinPro.net
Posted on Tuesday, Feb 21, 2006 - 4:57:   

Starting with 12.65 (through 12.8 SR-4) I noticed that "File -> New" does not always create a file with all bytes as zero. (i.e. the newly opened window may have non-zero content, plus this will be reflected in any saved output.)


"File -> New" appears to display free space data from the drive where the WinHex temp folder resides. If the free space allocated to the temp file contains non-zero data then it may also appear in the newly opened window. (test by filling free space with pattern then perform File -> New).


This may only happen with W98 or a FAT32 WinHex host (I have not tested all combinations yet, e.g. combinations of OS, file system, Edit Mode, etc.).


Other OS's do look OK but are unconfirmed.

On a W2k system the latent temp file does not match the AOK opened and saved 'New' file. (probably how the program is supposed to work in this case? but an FYI if not).

Thank you,

Ross@WinPro.net
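
The test described in the post above (fill free space with a pattern, create a new file, inspect the result) can be checked mechanically. This is an added example, not part of the original thread and not X-Ways code: a Python scan that reports every run of non-zero bytes in a saved file. The function names and the sample data are constructed for illustration.

```python
import os
import tempfile

CHUNK = 64 * 1024  # read size; runs are merged across chunk boundaries


def nonzero_runs(path, chunk_size=CHUNK, max_runs=1000):
    """Return [(offset, length), ...] for each run of non-zero bytes in path."""
    runs = []
    run_start = None  # absolute offset where the current non-zero run began
    pos = 0           # absolute offset of the chunk being scanned
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            # Fast path: no open run and the whole chunk is zero.
            if run_start is None and buf.count(0) == len(buf):
                pos += len(buf)
                continue
            for i, b in enumerate(buf):
                if b and run_start is None:
                    run_start = pos + i
                elif not b and run_start is not None:
                    runs.append((run_start, pos + i - run_start))
                    run_start = None
                    if len(runs) >= max_runs:
                        return runs  # cap output on heavily polluted files
            pos += len(buf)
    if run_start is not None:  # run extends to end of file
        runs.append((run_start, pos - run_start))
    return runs


def make_sample(data):
    """Write constructed sample bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    clean = make_sample(bytes(4096))
    # Constructed leftover pattern that straddles a 1024-byte chunk boundary.
    dirty = make_sample(bytes(1020) + b"\xAA" * 8 + bytes(3068))
    try:
        return nonzero_runs(clean, 1024), nonzero_runs(dirty, 1024)
    finally:
        os.remove(clean)
        os.remove(dirty)


if __name__ == "__main__":
    clean_runs, dirty_runs = demo()
    print("clean:", clean_runs)
    print("dirty:", dirty_runs)
```

An empty list means the file is entirely zero; any reported run gives the offset and length of residual data to examine before the file is shared or used as a blank template.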
Stefan Fleischmann (Admin)
Posted on Wednesday, Feb 22, 2006 - 18:53:   

The behavior was changed to speed up the process of creating larger files. The error is that the documentation was not updated, sorry. Will be updated with v12.85.
Forum operated by X-Ways Software Technology AG.