X-Ways Forensics 12.7

Stefan Fleischmann (Admin)
Posted on Thursday, Nov 24, 2005 - 2:48:   

A preview version of X-Ways Forensics 12.7 is now available for owners of a forensic license. The download link can be retrieved by querying one's license status.

What's new?

* Supports the file systems UFS and UFS2, both in big-endian and little-endian variants.

* In addition to the already available slightly reduced (simplified) user interface, owners of forensic licenses can now switch to the "forensic lite GUI" in General Options (tentatively named). The forensic lite GUI is meant for investigators in law enforcement
- who are specialized in areas such as white-collar crime, tax fraud, etc.
- who do not need profound knowledge of computer forensics
- who do not need technical insights that WinHex and XWF are well-known to offer
- who receive e.g. convenient-to-handle X-Ways evidence file containers from well-versed computer forensics examiners with only selected files from various sources (e.g. "all documents that contain the keywords x and y"), with obviously irrelevant stuff already filtered out
- who need to review hundreds of electronic documents, identify relevant ones, add comments to them, identify logical structures and connections between them with the help of their comments, and print documents, all within the same environment with a few mouse clicks, which saves the time to extract and load each document in its associated application
- who may or may not need to work in an environment severely restricted by the system administrator anyway

The "forensic lite" GUI lacks many advanced technical options, to allow for easier access to non-technical personnel. Forensic licenses that only allow use of the "forensic lite" GUI will be available at 50% of the regular rate when X-Ways Forensics 12.7 is released.

Stefan Fleischmann (Admin)
Posted on Friday, Nov 25, 2005 - 14:34:   

Preview 2:

* Certain search operations (without GREP, in particular with several keywords, case insensitive) are now considerably faster.

* It is now possible to mix files with UNIX-styled permission and files with DOS/Windows-styled attributes in the same evidence file container.

* In volume snapshots taken by v12.7 Preview 2 and later, there will be a fictitious directory "Orphaned Items" instead of "Deleted Items". That's because a dedicated overview of deleted items is already available in recursive views with the dynamic filter. The only need for such a special directory is now to accommodate lost/deleted files whose path is unknown (=orphaned).

Stefan Fleischmann (Admin)
Posted on Saturday, Nov 26, 2005 - 22:09:   

Preview 3:

* Ability to preview a disk on a live system without having to save the volume snapshot files anywhere, e.g. when X-Ways Forensics is run from a CD. For that purpose you can set the folder for temporary files and the folder for cases to the directory where X-Ways Forensics is executed (= "."). X-Ways Forensics will still allow you to create the case and work with it, just won't be able to save it.

* Recursively explored directories are now specially flagged in the directory tree.

* Directories whose contents are either fully or partially tagged are now specially flagged in the directory tree as well.

* The Details Panel is now integrated into a data window, more exactly into the data (or sectors) area in a data window. The benefit is that more screen space is available horizontally for the directory browser, gallery mode, preview mode, calendar mode, and the status bar. To make up for the loss of vertical screen space for the Details Panel (in data windows with a directory browser, with insufficient space) the Details Panel now features a fancy scroll facility. Simply single-click an incompletely visible Details Panel to scroll it.

Stefan Fleischmann (Admin)
Posted on Sunday, Nov 27, 2005 - 17:53:   

Preview 4:

* Evidence file containers can now optionally include disk/image names as the first directory level, so that for multiple sources it is still obvious where files originate from when reviewing the containers.

* The middle mouse button can now be used in the directory tree to tag or untag directories.

* The drive letter that contains the folder for image files is now officially considered a legitimate output folder in X-Ways Forensics.

* An exception error that occurred under certain circumstances when reading sectors from optical media is prevented (waiting for confirmation).

Ross@WinPro.net
Posted on Sunday, Nov 27, 2005 - 18:07:   

Preview-3

>* The Details Panel is now integrated into a data window

Thank you for adding this feature, it makes a big difference!

----------

> Simply single-click an incompletely visible Details Panel to scroll it.

It works pretty well, except when the Details Panel is about less than 50% visible the scrolling may not reveal all.

Also, if the Details Panel width is changed and then WinHex is minimized and restored, the Details Panel is reset to the default width.

-------------------------

(I still 'wish' for the scroll wheel to be applied to the area the mouse is hovering over, i.e. Hex View, Directory Browser, Case Data and now Details Panel. Example reasoning: clicking in the desired area to activate scrolling can sometimes lose selections or cause other undesired changes.)

-------------------------

Thank you,

Ross@WinPro.net

Stefan Fleischmann (Admin)
Posted on Sunday, Nov 27, 2005 - 18:14:   

> It works pretty well, except when [...]

(Should not be a problem because the information at the bottom is not that vital and because one can still increase the height of the lower half of the data window if necessary.)

> Also, if the Details Panel width is changed [...]

Thanks, will be fixed.

Stefan Fleischmann (Admin)
Posted on Tuesday, Nov 29, 2005 - 1:08:   

Preview 5:

* The Refine Volume Snapshot command now features the statistical entropy test for the detection of fully encrypted files as known from the obsolete Create Drive Contents Table command, plus a new file format specific encryption/password protection test for documents with the extensions .doc (MS Word 4...2003), .xls (MS Excel 2...2003), .ppt, .pps (MS PowerPoint 97-2003), .pst (MS Outlook 97-2003), .mpp (MS Project 98-2003), and .pdf (Adobe Acrobat). If the latter test is positive, these files are flagged with "e!" in the attribute column.
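
An added example (not part of the original post and not X-Ways' own code) of the two kinds of test this post names: a whole-file Shannon entropy check and a format-specific check, shown here for PDF only. The 7.9 bits/byte threshold, the 4096-byte minimum, the `e?` label and all function names are assumptions of this example.

```python
import math
import os
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.9  # bits per byte; assumed cut-off, not X-Ways' value
MIN_SAMPLE = 4096        # assumed minimum size for a meaningful estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_fully_encrypted(data: bytes) -> bool:
    """Statistical test: byte values are almost uniformly distributed.
    Compressed data scores high as well, so a hit is a lead, not proof."""
    return len(data) >= MIN_SAMPLE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def pdf_is_encrypted(data: bytes) -> bool:
    """Format-specific test: an encrypted PDF references an /Encrypt
    dictionary from its trailer or cross-reference stream dictionary."""
    if not data.startswith(b"%PDF-"):
        return False
    return re.search(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)", data) is not None


def attribute_flag(name: str, data: bytes) -> str:
    """'e!' for a positive format-specific test (the flag named in the post),
    'e?' (this example's own label) for an entropy hit, '' otherwise."""
    if name.lower().endswith(".pdf") and pdf_is_encrypted(data):
        return "e!"
    return "e?" if looks_fully_encrypted(data) else ""


# Constructed sample inputs, not evidence data.
SAMPLE_ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                        b"trailer\n<< /Size 5 /Root 1 0 R /Encrypt 4 0 R >>\n%%EOF\n")
SAMPLE_PLAIN_PDF = SAMPLE_ENCRYPTED_PDF.replace(b" /Encrypt 4 0 R", b"")
SAMPLE_TEXT = b"Minutes of the meeting held on 24 November 2005.\n" * 200
SAMPLE_RANDOM = os.urandom(64 * 1024)  # stands in for a fully encrypted file
```

The format-specific check runs first because a password-protected document keeps a plaintext structure and may never reach the entropy threshold as a whole file.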

Stefan Fleischmann (Admin)
Posted on Tuesday, Nov 29, 2005 - 16:09:   

12.7 Beta:

* Some bugs of the preview version fixed.

Jimmy Weg (Jw)
Posted on Tuesday, Nov 29, 2005 - 18:59:   

Just downloaded and installed 12.7 Beta, and find that it does not seem to recognize a dd image (image.001) as a disk. The Access button is missing, and Interpret Image... is also grayed out. Tried a few images with the same result. WinHex loads them with no problem. Thanks.

Stefan Fleischmann (Admin)
Posted on Tuesday, Nov 29, 2005 - 19:14:   

I don't see a problem X-Ways Forensics 12.7 Beta interpreting image files. If "Interpret Image..." is grayed out, that usually means that the image was interpreted already as a disk. Does the Details Panel confirm this?


Details Panel for a regular file:
Filename
Path
File size:
...



Details Panel for an image file, interpreted as a logical drive/partition:
[Filename]
[Read-only mode]
Total capacity: [x] GB
...



Details Panel for an image file, interpreted as a physical medium:
[Filename] x% free
File system: file system
...



What type of raw image is this, please, and what does the Details Panel reveal?

Jimmy Weg (Jw)
Posted on Tuesday, Nov 29, 2005 - 20:12:   

Thanks, Stefan. The Details panel indicates:
[RM.001]
File System: ?
[Read-only mode]
Total capacity: 37.3 GB
40,020,664,320 bytes

The image consists of one dd file of a 40GB disk that contains one 37.3GB NTFS partition. I'd be happy to send you screen shots of the view in WinHex and XWF, or any data you desire.

Stefan Fleischmann (Admin)
Posted on Tuesday, Nov 29, 2005 - 20:24:   

Could you please e-mail me the first sector? Thanks.

Apparently X-Ways Forensics is unable to identify the true nature of this image file (i.e. image of a physical disk). Please hold the Shift key when interpreting the image as a disk to help X-Ways Forensics out. (Note: When you select "image file" as the file type in the file selection dialog box, the image is interpreted automatically right away, so hold the Shift key at that time already.)

Jimmy Weg (Jw)
Posted on Tuesday, Nov 29, 2005 - 21:03:   

Thanks, Stefan, I held the Shift key as suggested, and received the message asking whether this is an image with an MBR etc. Clicking "yes" opened the image as expected. It will also work that way if I hold down Shift when opening an image file directly from Explorer with the associated program, XWF. I imagine that something must have changed, as I did not have to do this before, and do not have to do it with WinHex. If possible, I'd prefer to avoid using the Shift key.

Stefan Fleischmann (Admin)
Posted on Wednesday, Nov 30, 2005 - 21:01:   

I was unable to reproduce this behavior with my installation of X-Ways Forensics 12.7 Beta here with an image starting with the sector you sent. I don't know why. All I found out was that XWF 12.7 Beta was unable to automatically identify a logical FAT32 raw image as such. That was fixed now with Beta 2.

Beta 2:

* Some more fixes.

Clarification: The fictitious directory "Orphaned Items" was renamed to "Path unknown" in the meantime. It is only present if files without known path have been found already (either orphaned, or found by header signature).

Jimmy Weg (Jw)
Posted on Thursday, Dec 1, 2005 - 4:37:   

Thanks, Stefan. I found that the behavior I described presented on some images and not others. Such was the case when running the latest beta on two machines: the same, particular image files would not be interpreted as disks automatically. I tried a variety of image files, containing one NTFS partition and both FAT and NTFS partitions. The "problem" images were on drives that were in eMachines. I could send you the first sector of the other two, if you wish. As you probably noted, the system whose MBR I sent contained four partitions (FAT, NTFS, Linux/Reiser, Linux swap, if I recall. I'm at home and don't have the data handy).

Perhaps this issue will pass with my present case. The Shift key overcomes the issue, and I can live with that for now.

Stefan Fleischmann (Admin)
Posted on Friday, Dec 2, 2005 - 0:04:   

v12.7 is out now.

Jimmy Weg (Jw)
Posted on Friday, Dec 2, 2005 - 21:13:   

Thanks, Stefan. The behavior still persists. As you did, I added 512K 0x00s to the end of the first sector, and the image opened as a disk. I'll see what happens with the next image I acquire.

Stefan Fleischmann (Admin)
Posted on Saturday, Dec 3, 2005 - 14:39:   

SR-2:

I've finally located and fixed the error. Raw images of physical disks (with a partition structure, starting with a MBR) were incorrectly auto-detected as images of individual partitions.
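
An added example (not part of the original thread and not X-Ways' detection logic) of telling a raw image of a physical disk from a raw image of a single partition by its first sector, the distinction behind the error fixed in SR-2. The function names, the plausibility rules and the sample sectors are assumptions of this example; the samples are constructed.

```python
import struct

SECTOR = 512


def parse_partition_table(sector: bytes):
    """Non-empty entries of the table at 0x1BE as (status, type, start_lba, count)."""
    raw = [sector[o:o + 16] for o in range(0x1BE, 0x1FE, 16)]
    return [struct.unpack("<B3xB3xII", e) for e in raw if e != bytes(16)]


def volume_boot_record_type(sector: bytes):
    """Name the file system if sector 0 is a FAT/NTFS boot sector, else None."""
    if sector[0] not in (0xEB, 0xE9):  # boot sectors start with an x86 jump
        return None
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if sector[0x36:0x39] == b"FAT":
        return "FAT12/16"
    return None  # a jump alone proves nothing: some MBR boot code starts with one


def classify_raw_image(sector: bytes, image_sectors: int) -> str:
    """Return 'physical disk', 'partition (<fs>)' or 'unknown' for sector 0."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return "unknown"
    fs = volume_boot_record_type(sector)
    if fs:
        return f"partition ({fs})"
    entries = parse_partition_table(sector)
    plausible = bool(entries) and all(
        status in (0x00, 0x80) and ptype != 0 and count > 0
        and start > 0 and start + count <= image_sectors
        for status, ptype, start, count in entries)
    return "physical disk" if plausible else "unknown"


def sample_sector(head: bytes, entry: bytes = bytes(16)) -> bytes:
    """Constructed sector 0 (not case data): head, one table entry, signature."""
    s = bytearray(SECTOR)
    s[:len(head)] = head
    s[0x1BE:0x1CE] = entry
    s[510:512] = b"\x55\xAA"
    return bytes(s)


SAMPLE_MBR = sample_sector(  # one active NTFS (0x07) partition starting at LBA 63
    b"\xEB\x63\x90", struct.pack("<B3xB3xII", 0x80, 0x07, 63, 78140097))
SAMPLE_NTFS_VBR = sample_sector(b"\xEB\x52\x90NTFS    ")
```

Both sector types end in the same 0x55AA signature, so the signature alone cannot decide; the file system ID and the bounds check of each table entry against the image size do the work.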

Jimmy Weg (Jw)
Posted on Sunday, Dec 4, 2005 - 3:42:   

Thanks very much, Stefan!

Stefan Fleischmann (Admin)
Posted on Tuesday, Dec 6, 2005 - 1:47:   

SR-3:

* For reasons of convenience, the Data Interpreter is now hidden in preview mode, gallery mode, calendar mode, and legend mode (i.e. when not associated with any visible binary data anyway).

* In a recursive view in Sync mode, when selecting files within archives in the directory browser, the selection in the directory tree is now updated and indicates the parent directory of the archive.

* Under certain circumstances, clicking a directory in the directory erroneously brought up the case root window and did not just fill the contents of that directory into the directory browser. This was fixed.

* When cloning with simultaneous I/O, the reported number of successfully copied sectors was incorrect in earlier versions if there were bad sectors on the source disk. However, the reported number of bad sectors and the list of bad sectors were correct.

* The edit mode specified with the second parameter of the WinHex API function WHX_OpenEx was ignored by WinHex. This was fixed.

Stefan Fleischmann (Admin)
Posted on Tuesday, Dec 6, 2005 - 17:02:   

SR-4:

* Search hits in deleted files are now listed with a gray filename and path to make it more obvious that the link between the data in the cluster and the deleted file is weak. (Such a cluster may have been reused in the meantime 0...100,000 times and its contents may originate from other deleted files, even deleted files that are not listed anywhere in X-Ways Forensics if their traces in the file system have been lost or overwritten.)

* In a recursive view in Sync mode, when selecting picture files that are embedded in documents in the directory browser, the selection in the directory tree is now updated and indicates the parent directory of the host document.

* Files within deleted archives are now always listed as deleted as well.

* Some other improvements.

Stefan Fleischmann (Admin)
Posted on Thursday, Dec 8, 2005 - 15:47:   

SR-5:

* An error was fixed that could occur under certain conditions when searching files or disks larger than 2 GB. Among the symptoms were negative search hit offsets and instability.

* Compatibility with overlong file paths further improved.

* When creating bookmarks based on a block selection, the suggested description is now a more complete text excerpt from the block, filtered in the same way as the rudimentary ASCII preview, ignoring null characters and various non-printable characters. That way you can easily create bookmarks around relevant search hits including the context.

* Various templates for UFS are now available online. (more to come)

It is now possible to upgrade one's license(s) as early as 5 months before the actual update maintenance expiration, to start a fresh 1-year or even 2-year update maintenance period.

Ross@WinPro.net
Posted on Thursday, Dec 8, 2005 - 19:33:   

> * An error was fixed that could occur under certain conditions when searching files or disks larger than 2 GB. Among the symptoms were negative search hit offsets and instability.

Since it will take time to re-test, I thought I would ask first, to see if you believe the above fix applies to the issue presented here?

If so, thank you very much!!!

Ross@WinPro.net

Stefan Fleischmann (Admin)
Posted on Thursday, Dec 8, 2005 - 19:46:   

I would think so, yes.

Ross@WinPro.net
Posted on Thursday, Dec 8, 2005 - 22:13:   

> I would think so, yes.

OK, I will re-test.

------------------
...
------------------

I can now confirm re-test with fix as AOK! The crashes are gone.

Again, thank you.

Ross@WinPro.net

Stefan Fleischmann (Admin)
Posted on Monday, Dec 12, 2005 - 20:12:   

SR-6:

* Some minor improvements. Window focus and redraw problems solved.

* The file mode/permissions in Linux/UNIX file systems are now displayed more completely and include SGID, sticky bit, character device and block device.

Stefan Fleischmann (Admin)
Posted on Thursday, Dec 15, 2005 - 23:13:   

SR-7:

* When reviewing search hits: Missing file preview update fixed.

* Files identified as notable by the hash database are now highlighted in red.

* Some other minor improvements.

Stefan Fleischmann (Admin)
Posted on Saturday, Dec 17, 2005 - 23:12:   

SR-8:

* Auto-detected existing and deleted partitions can now optionally be sorted and numbered based on their location on the disk.

* When reviewing search hit lists with Preview mode enabled, the separate viewer component's preview now highlights the first occurrence of the search term in that document automatically. This is not necessarily the search hit selected in the list. The search can be continued with F3 in that document.

Stefan Fleischmann (Admin)
Posted on Friday, Dec 30, 2005 - 16:34:   

SR-9, SR-10: Some minor improvements and fixes.

Stefan Fleischmann (Admin)
Posted on Sunday, Jan 29, 2006 - 1:18:   

SR-11:

* Some fixes and improvements. Download URL available on request, to licensed users whose update maintenance expired after v12.7.

Stefan Fleischmann (Admin)
Posted on Sunday, Mar 5, 2006 - 13:58:   

SR-12:

* Some small fixes. Download URL available on request, to licensed users whose update maintenance expired after v12.7.
Forum operated by X-Ways Software Technology AG.