X-Ways Forensics 12.85

Stefan Fleischmann (Admin)
Posted on Wednesday, Feb 22, 2006 - 2:31:   

An early debug preview version of X-Ways Forensics 12.85 is now available for owners of a forensic license. The download link can be retrieved by querying one's license status.

What's new?

* Support for Unicode character set in filenames and directory names in most parts of the user interface, notably in the directory browser and the directory tree, implemented so far for NTFS, Ext2/Ext3, ReiserFS/Reiser4 and HFS+. That means Chinese, Russian, Japanese, etc. characters should now be displayed correctly.

* Newly created evidence file containers can now optionally incorporate filenames in Unicode instead of ASCII. For compatibility with older versions of X-Ways Forensics, stick with ASCII.

* New concept: When verifying file types based on signatures, no fictitious items with the presumed correct extensions are listed any more. Instead, the detected type can be seen in the new optional Type column. By default, the Type column shows the same text as the Extension column. The Category column is now based on the Type column, no longer on the Extension column. When a mismatch between filename and type is detected, either when refining the volume snapshot, when previewing files, or when viewing files in the Gallery, both the Type and the Category column turn blue.

* There is also a new filter that conveniently lets you address files of multiple types, in addition to the Category filter. Such filter settings can even be loaded and saved. Works with a slightly adjusted type of File Type Categories.txt file. (forensic licenses only)

* Another new optional column indicates the status of the file type column. Initially "not verified". After checking for filename/file type mismatches: If a file is very small the status is "don't care". If neither the extension nor the signature is known to the file type signature database, the status is "not in list". If the signature matches the extension according to the database, the status is "confirmed". If the extension is referenced in the database, yet the signature is unknown, the status is "not confirmed". If the signature matches a certain file type in the database and the extension matches a different file type or none at all, the status is "newly identified". A filter can be used on this column, too. (forensic licenses only)

* Since for a file with a name/type mismatch there will be no duplicate with the (presumed) right extension any more, a new option was introduced that allows you to automatically append the extension shown in the Type column when copying such a file.

* Ability to display timestamps with tenths of seconds in the directory browser. Useful for the file systems NTFS and FAT that provide for this precision in all or some timestamps.

* Support for drive contents table creation finally discontinued.

* The volume snapshot data format has changed. Previously created volume snapshots can be converted automatically for use with v12.85 and later, except for ReiserFS/Reiser4 volumes. Should you encounter problems importing old volume snapshots, you can either recreate the volume snapshot from scratch (thereby losing comments, tags, discovered orphaned files, etc.) or continue using v12.8 for that case/image.

* The way sorting by the Attribute column works was adjusted. (Help file not yet updated.)

* You may now specify maximum dimensions for the inclusion of pictures in the case report (see Report Table Options in the Case Properties, but also applies to pictures associated with the case as an evidence object). Useful if the report is to be printed and large pictures would be only partially visible on the printout.

* Several other minor improvements.
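
The status rules described in the announcement above, written out as a decision function. This is an added example, not X-Ways code: the signature table, the `MIN_SIZE` threshold for "very small" files and the names `verify` and `Verdict` are assumptions made for illustration.

```python
from typing import NamedTuple

# Constructed mini signature database: type -> (header magic, known extensions).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "png": (b"\x89PNG\r\n\x1a\n", {"png"}),
    "pdf": (b"%PDF-", {"pdf"}),
    "zip": (b"PK\x03\x04", {"zip"}),
}
MIN_SIZE = 8  # assumption: the post does not say what counts as "very small"


class Verdict(NamedTuple):
    type: str       # text for the Type column
    status: str     # text for the status column
    mismatch: bool  # True when filename and detected type disagree


def verify(name: str, data: bytes) -> Verdict:
    """Classify one file the way the announcement describes the status column."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if len(data) < MIN_SIZE:
        return Verdict(ext, "don't care", False)
    # Type implied by the content (signature) and by the name (extension).
    sig_type = next((t for t, (magic, _) in SIGNATURES.items()
                     if data.startswith(magic)), None)
    ext_type = next((t for t, (_, exts) in SIGNATURES.items()
                     if ext in exts), None)
    if sig_type is None and ext_type is None:
        return Verdict(ext, "not in list", False)
    if sig_type is None:
        # Extension is in the database, but the content matches no signature.
        return Verdict(ext, "not confirmed", False)
    if sig_type == ext_type:
        return Verdict(ext, "confirmed", False)
    # Signature belongs to a type the extension does not: show the detected type.
    return Verdict(sig_type, "newly identified", True)


if __name__ == "__main__":
    pad = b"\x00" * 16
    for fname, blob in [("holiday.txt", b"\xff\xd8\xff\xe0" + pad),
                        ("scan.jpeg", b"\xff\xd8\xff\xe1" + pad),
                        ("report.pdf", b"not a pdf header" + pad),
                        ("notes.xyz", b"plain text" + pad),
                        ("tiny.jpg", b"\xff\xd8")]:
        print(fname, verify(fname, blob))
```

With a table this small, a ZIP-based document such as a `.docx` file comes back as "newly identified" with type `zip`, so the usefulness of the status depends on how complete the signature database is.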
Ross@WinPro.net
Posted on Wednesday, Feb 22, 2006 - 3:49:   

"Error" in a small square dialogue box is all I see when I start the new 12.85 preview. I cannot do any more than that.

Should I download again or is there a different method for usage or is this an issue?

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Wednesday, Feb 22, 2006 - 17:00:   

It turns out that probably because of the Unicode functionality, X-Ways Forensics 12.85 Preview won't run any more on Windows 95/98/Me. If that is still true for the final release of 12.85, I will announce this when sending the newsletter.
Stefan Fleischmann (Admin)
Posted on Thursday, Feb 23, 2006 - 2:34:   

Preview 2:

* Support for Windows 98/Me finally discontinued.

* The structure of deleted nested subdirectories on Ext2 volumes is now often better represented.

* Some small fixes. Better exception error handling.
Stefan Fleischmann (Admin)
Posted on Friday, Feb 24, 2006 - 0:56:   

Preview 3:

* Several bug fixes. In particular fixed an error in the new signature check.

* ReiserFS volume snapshots are now taken faster.
Stefan Fleischmann (Admin)
Posted on Friday, Feb 24, 2006 - 19:26:   

Preview 4:

* Improvements introduced with v12.8 SR-6.

* Ability to include the contents of archives in a logical search when in a recursive view.

* Some fixes and other improvements.
Ross@WinPro.net
Posted on Friday, Feb 24, 2006 - 23:58:   

12.85 Preview 4

Two issues:

1. New case, added a 55GB "image.001" single file, then added partition #2 to the case, did a recursive on the root, selected all files then used CTRL to click off Volume Slack, Free Space and $BadClus, then used context menu to create a contents table, then added all selected objects to the new contents table, then finally clicked on the new contents table.

The new contents table did not include any data in the columns for Created, Modified or Accessed.

Repeated above in 12.80 SR-6 AOK.


2. In the same 12.85 case, clicking on the "Volume Slack" object always generates error#2 - "Cannot read from the image file etc."

Again, 12.80 SR-6 is AOK doing same thing.

Thank you,

Ross@WinPro.net
Ross@WinPro.net
Posted on Saturday, Feb 25, 2006 - 0:07:   

SORRY, #2 above is NOT an issue, it did also happen with 12.8.

The image was one sector too small, again sorry, forget #2.

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Sunday, Feb 26, 2006 - 16:19:   

1. That's because report tables cannot accommodate timestamps with an accuracy of tenths of seconds. Will make them ignore decimal fractions if the user had enabled them.
Stefan Fleischmann (Admin)
Posted on Thursday, Mar 2, 2006 - 20:56:   

12.85 Beta:

* Several fixes.

* Slack data added to evidence file containers is now marked and sortable as slack in the Attribute column. You can hold the Shift key as before to add a file plus its slack, and now alternatively the Ctrl key to add only the slack.

* Ability to tag or untag an unlimited number of items at a time in a recursive view.

* Several other minor improvements.
Stefan Fleischmann (Admin)
Posted on Saturday, Mar 4, 2006 - 0:10:   

Beta 2:

* Unicode filename support for FAT12/FAT16/FAT32 and CDFS/ISO9660+Joliet.

* Same fix level as v12.8 SR-8.

* Separate viewer component updated on March 3, 2006. Details here. Analogously to WinHex and X-Ways Forensics v12.85, support for the platforms Windows 9x/Me has been discontinued. If the new version of the viewer component is loaded in X-Ways Forensics when the old version had already loaded before in the same session, a restart of X-Ways Forensics is required.
Stefan Fleischmann (Admin)
Posted on Saturday, Mar 4, 2006 - 23:23:   

Beta 3:

* Ability to print case reports optionally with a user-defined header line and logo.

* Ability to convert packed 7-bit ASCII to readable 8-bit ASCII with a script command ("Convert 7BitASCII 8BitASCII").

* Ability to maintain custom sections of the file type signature database separate from the main file in an arbitrary number of files named "File Type Signatures *.txt". These files are loaded in addition to the main file. Their internal format must be the same. Usage of such user-defined files prevents your own definitions from being overwritten when you install an update.

e.g.
File Type Signatures John.txt
File Type Signatures Backup.txt
File Type Signatures NEW ! ! !.txt
File Type Signatures CAD applications.txt
...
all accepted
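
What unpacking "packed 7-bit ASCII" into 8-bit characters involves, as an added example that is not X-Ways code and not part of the original post. The post does not state the bit order the script command uses; this sketch assumes septets packed LSB-first as in GSM SMS user data, and the function names are hypothetical.

```python
from typing import Optional


def pack_7bit(text: bytes) -> bytes:
    """Pack 7-bit characters LSB-first, 8 characters into 7 bytes."""
    acc = nbits = 0
    out = bytearray()
    for ch in text:
        if ch > 0x7F:
            raise ValueError("not a 7-bit character: %#x" % ch)
        acc |= ch << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)  # final partial byte, zero-padded
    return bytes(out)


def unpack_7bit(packed: bytes, count: Optional[int] = None) -> bytes:
    """Expand packed septets to one character per byte.

    count is the number of characters when a length field is available.
    Without it, 7 and 8 characters both occupy 7 bytes, so a trailing
    all-zero septet on a 7-byte boundary is treated as padding.
    """
    acc = nbits = 0
    out = bytearray()
    for byte in packed:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    if count is not None:
        if count > len(out):
            raise ValueError("buffer holds fewer than %d septets" % count)
        return bytes(out[:count])
    if packed and len(packed) % 7 == 0 and out[-1] == 0:
        out.pop()
    return bytes(out)


if __name__ == "__main__":
    sample = bytes.fromhex("E8329BFD4697D9EC37")  # constructed sample
    print(unpack_7bit(sample))
```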
Stefan Fleischmann (Admin)
Posted on Monday, Mar 6, 2006 - 20:24:   

Beta 4:

* Optional preface for case report.

* List of recent filenames now Unicode-based.

* Same fix level as v12.8 SR-9.
Stefan Fleischmann (Admin)
Posted on Tuesday, Mar 7, 2006 - 13:19:   

Beta 5:

* Ability to treat and display archives exactly like directories once their contents have been included in the volume snapshot. This is reversible and can also be applied retroactively. One benefit is that archives are not subject to dynamic filters any more as are ordinary files, so it's easier to navigate to the contents of the archives when a filter is active that would normally filter out the archives. Another benefit is that archives turned into directories behave like directories when it comes to tagging.

* Support for NetBSD's UFS file system variant.
Stefan Fleischmann (Admin)
Posted on Wednesday, Mar 8, 2006 - 23:11:   

Beta 6:

* Unicode filename support for UDF.

* Some changes among the directory browser options and some other minor improvements.
Jimmy Weg (Jw)
Posted on Thursday, Mar 9, 2006 - 4:56:   

>Ability to maintain custom sections of the file type
>signature database separate from the main file in an
>arbitrary number of files named "File Type Signatures
>*.txt". These files are loaded in addition to the main
>file.

Thanks, Stefan! I had a brief play with this today, and it works perfectly. At first, I thought that I would prefer the ability to select a distinct sig file. Then, I realized that such an approach may actually be too limiting. With your solution, I have everything presented in one window. It's a better idea. I believe that I can also use some designator in the first field to distinguish my custom headers, should I feel the need.
Stefan Fleischmann (Admin)
Posted on Monday, Mar 13, 2006 - 13:41:   

WinHex and X-Ways Forensics 12.85 were just released.
Stefan Fleischmann (Admin)
Posted on Wednesday, Mar 15, 2006 - 14:38:   

SR-3:

* Fix: Menu command "Select listed tagged items" now functional for recursive case root view.

SR-4:

* Ability to edit comments in a recursive case root view.
Stefan Fleischmann (Admin)
Posted on Saturday, Mar 18, 2006 - 15:03:   

SR-5:

* Recursive listings in case root window considerably faster now in certain situations.

* Taking a standard snapshot of large Ext2/Ext3 volumes now faster, too.
Stefan Fleischmann (Admin)
Posted on Tuesday, Mar 21, 2006 - 17:46:   

SR-6:

* Error fixed that prevented opening encrypted evidence files.
Stefan Fleischmann (Admin)
Posted on Wednesday, Mar 22, 2006 - 17:30:   

SR-7:

* Error fixed that prevented files in "Path unknown" from being copied to evidence file containers.

* Error fixed that caused physical RAM beyond 256 MB to be read from wrong memory addresses.
Stefan Fleischmann (Admin)
Posted on Wednesday, Mar 29, 2006 - 18:44:   

SR-9:

- Calendar mode: The color markers were swapped. This error was specific to v12.85 and now fixed.

- The hash set creation menu command was occasionally unavailable. This was corrected.
Stefan Fleischmann (Admin)
Posted on Tuesday, Apr 4, 2006 - 0:31:   

SR-10:

- Error fixed that occurred with some directory browser context menu commands and overlong path names. The error was specific to v12.85 and its Unicode support.
Ross@WinPro.net
Posted on Tuesday, May 9, 2006 - 4:06:   

regarding:
-------------------------------------------------------
* Ability to maintain custom sections of the file type signature database separate from the main file in an arbitrary number of files named "File Type Signatures *.txt". These files are loaded in addition to the main file. Their internal format must be the same. Usage of such user-defined files prevents your own definitions from being overwritten when you install an update.

e.g.
File Type Signatures John.txt
File Type Signatures Backup.txt
File Type Signatures NEW ! ! !.txt
File Type Signatures CAD applications.txt
-----------

It appears that if a carriage return is not added after the last entry of a custom sig file, the last entry may not be included in the File Header search dialogue box -> Select file type(s): section (i.e. a blank line may be required at the bottom of each custom sig file; but remembering to add that blank line is easily overlooked, thus accidentally omitting one entry per custom sig file [that does not have the blank line]). (ver12.90sr10)

Thank you,
Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Tuesday, May 9, 2006 - 12:29:   

Yes, thanks for your note, another reason to customize these files with MS Excel instead of with a text editor.

Forum operated by X-Ways Software Technology AG.