X-Ways Forensics 12.95 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 12.95 « Previous Next »

Author Message
Stefan Fleischmann (Admin)
Posted on Monday, Apr 17, 2006 - 20:30:   

An early preview version of X-Ways Forensics 12.95 is now available for owners of a forensic license. More new features to come. The download link can be retrieved by querying one's license status.

What's new?

* Indexing: With a forensic license, it is now possible to create an index of all words in all or certain files in a volume snapshot, for partitions that have been associated with a case as an evidence object. This is a time-consuming process and will require large amount of drive space. However, once completed, the index will allow you to conduct searches very quickly and spontaneously. See Search menu. As a unique feature, our indexing technology optionally supports substrings, which is particularly useful for languages like German, Dutch and Swedish that make heavy use of solid compound words, enabling you to find "paper" in "newspaper" and "card" in "bankcard".

* WinHex and X-Ways Forensics 12.95 will again run under Windows 98/Me. However, these platforms won't be "officially" supported. That means, full functionality under Windows 98/Me is not guaranteed, and we can't assist with problems that are specific to these OS versions.
Stefan Fleischmann (Admin)
Posted on Wednesday, Apr 19, 2006 - 23:07:   

Preview 2:

* There is a new display mode "File", a mixture of the Sectors mode and the Open command in the directory browser context menu. It utilizes the lower half of the screen just like all other modes do and looks similar to Sectors mode, but only covers the clusters/contents of the currently selected file, not all sectors of a volume. Just like the Open command in the directory browser context menu, File mode has an offset column relative to the beginning of the file, it follows file fragmentation, and it shows the decompressed version of NTFS-compressed files. It's generally more convenient than the Open command, e.g. to navigate to file slack, because it takes fewer clicks to get there and leave again.

* Clicking search hits that are associated with relative offsets only (i.e. results of a logical search, with no corresponding physical offset, which can be seen for NTFS-compressed files, and generally results of an index search) will automatically activate File mode as in Sectors mode such search hits cannot be shown at all. Also for those rare hits in a file that are fragmented across non-contiguous clusters only File mode will highlight the hits and show their context correctly, Sectors mode can't.
Stefan Fleischmann (Admin)
Posted on Thursday, Apr 20, 2006 - 23:33:   

Preview 3:

* Fragmented files on UDF volumes now supported.

* Some improvements for the new File mode.

* User-defined comments on a file can now be viewed even if the Comments column is not visible, when the mouse cursor hovers over the file's icon.
Stefan Fleischmann (Admin)
Posted on Friday, Apr 21, 2006 - 12:52:   

Preview 4:

* Some fixes for index search.
Stefan Fleischmann (Admin)
Posted on Friday, Apr 21, 2006 - 22:51:   

Preview 6:

* Index search improved and included in reduced user interface for non-IT investigators
* Some fixes
Stefan Fleischmann (Admin)
Posted on Sunday, Apr 23, 2006 - 0:17:   

Preview 7:

* Ability to enter Unicode-based search terms (e.g. in Chinese, Russian, ...) directly for physical and logical simultaneous search and view them in Unicode in search hit lists (see context menu).

* Improved display for error messages in message boxes and the messages window improved that involve Unicode filenames.

* Some other improvements.
Ross@WinPro.net
Posted on Sunday, Apr 23, 2006 - 5:23:   

Sorry, I missed any reference on the forum to the removal of "No actual recovery, Just list found files." from Search by File Type.

Neither 12.90 or 12.95preview seem to have it (unless there is new way to invoke or enable it?)

the help file for 12.9 & 12.95preview still mentions it:

"Specialist and forensic licenses only: If you enable the option "No actual recovery, just list found files"

Has this been removed?

Sorry, to have not mentioned the above sooner but I have limited my use of 12.9 & 12.95 because my test images (at least three) are generating more errors with 12.9x than for any prior version - too numerous to log so I thought I would wait awhile for the dust settle - but I can quickly mention:
1. F7 toggle key while using FILE view sometimes causes unexpected column resizing.
2. RVS file header error regarding "This disk does not contain offset 4542D400" (after using the new Indexing on a 4GB FAT volume)
3. Error #0 Cannot open \$MFT $MFTMir (earlier versions AOK)
4. Another Image set that 12.9x does not show all the DB content for that earlier versions will show (even with RVS).
5. The "Messages" box popped up with just the letter "A" in it?
6. With one image set, the "Owner" Column enabled would cause errors like "Cannot open $Secure $SDS.3221234688" (but not when disabled).

Sorry, that is the short list ... (the screen shots and error log gathering was becoming robust).

Thank you
Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Sunday, Apr 23, 2006 - 13:11:   

> Has this been removed?

Yes, please see here.

All or some of these test images have a corrupt file system, haven't they?

1. Tried to reproduce here, but cannot.
2. v12.85 and before silently ignored attempts to read too high sectors numbers as already explained some time ago, that's probably the only difference.
3. Could you send me the first 1024 bytes of $MFT and $MFTMirr, please? (Also see my e-mail messages from Apr 6 and Apr 7 where I asked for such information.) Thank you. For these Error #0 messages on NTFS volumes, v12.95 Preview 8 will output one more error code in the message box that I would be interested in.
4. If there is any chance you can share that image with me, please advise via private e-mail.
5. A Windows 2000 issue. Fixed with Preview 8.
6. Perhaps something is wrong with that particular $Secure file, then, but again I would be interested in the extended error message output by v12.95 Preview 8.
Stefan Fleischmann (Admin)
Posted on Sunday, Apr 23, 2006 - 13:12:   

Preview 8:

* True Unicode search ability now also for Windows 2000.

* New Unicode-based messages window now functional also under Windows 98 and 2000.
Ross@WinPro.net
Posted on Wednesday, Apr 26, 2006 - 7:28:   

> All or some of these test images have a corrupt file system, haven't they?

Two are corrupt (as is typical for a data recovery job); one is not (the FAT in #2 above is not). I have many image sets that are used for in house evaluation of each new WinHex version for result comparisons.


> 1. Tried to reproduce here, but cannot.

On a W2K host (two different systems) it has occurred intermittently but not in an observed, predictable way (though, there must be a preceding sequence of activity as a trigger? but it is not a big issue anyway).


>2. v12.85 and before silently ignored attempts to read too high sectors numbers as already explained some time ago ...

In this case the offset error occurred on the 4GB, healthy image set above during the first attempt of an RVS (just after a "Search -> Indexing" effort). However, the RVS with Header search worked AOK (without the offset error) after Closing/reopening Winhex? I do not know if it is related to any earlier discussed offset error. (48hrs later...) Just ran the Index test again, I was able to repeat this scenario with the same results.


> 3. Could you send me ...
> 4. If there is any chance you can share ...
> 6. ... I would be interested in the extended error message

Yes, time permitting. I was hoping that other users with similar issues with 12.9x would also confirm/respond to help justify the need to address. I currently can barely spare the time to report this (in fact I started this message 48 hours ago!, sorry).

BTW, with one image set (#4 above), 12.65 immediately sees many files and folders that 12.9x does not, also 12.65 Template will properly advance to the next record where 12.9x does not (just an FYI in case there is a connection).

Sorry I cannot devote more time at the moment to respond. I hope others can offer confirmation and details. If not, then these may not be issues worth pursuing. At least, for now, I know which version achieve the desired results, so I am OK with a wait.

PS perhaps a little thing to help speed up note taking; could the WinHex version and release info be included in the title bar? When trying to take accurate notes for you, it would avoid a few extra steps for each error, especially for screen shots of errors that have no log entry, and/or also in the title bar of the little error message windows that display the Error#x.

----

24hrs since this message started, sorry ... there will be an email with error logs and screen shots of 4 and 6 above.

48hrs since - finally finished filling some holes above, I think... sending anyway, I am sure you will let me know what is lacking ...

Thank you very much for your patience and thank you for the great product, sorry if not enough details yet.

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Friday, Apr 28, 2006 - 15:00:   

Preview 9:

* Ability to copy selected text in the warnings window to the clipboard. The text will be available in both Unicode and ASCII.

* Ability to recognize BitLocker volumes of Windows Vista Beta as such.

* Several other minor improvements.
Stefan Fleischmann (Admin)
Posted on Sunday, May 7, 2006 - 15:03:   

Preview 11:

* Fixed listing and optimized memory utilization for many million files on a volume.

* Flaw in Sync mode fixed.

* Fixed local search (Ctrl+F) in document preview when reviewing search hit listings.

* Correct setup.exe (unlike in Preview 10).

* Several other minor improvements and fixes.
Stefan Fleischmann (Admin)
Posted on Tuesday, May 9, 2006 - 0:49:   

Preview 12:

* Lock-up fixed that could occur when using the Gallery view.

* On an NTFS volume, part of the volume snapshot (e.g. in the metadata subdirectory of an evidence object) is now automatically compressed at the file system level, which usually saves a lot of drive space and can even improve performance.
Ross@WinPro.net
Posted on Tuesday, May 9, 2006 - 18:06:   

I want to apply the indexing feature of the preview version 12.95preview to a case created in 12.90, can I just open the 12.90 case from 12.95? Or will there be risks involved?

Would it be best to recreate the case anew in 12.95? (Which is what I would like to avoid because of the time.)

If it is safe to use a preview version on a current version case, is it safe to then revert back to the current version and continue work (minus the results, of course)?

If the above are OK, then would alternating between versions to open the same case be OK? (Expecting the preview version to see the changes made with the current version but the current version ignoring the new features of the preview.)

Or perhaps making a complete copy of the case folder created in the current version to use with the preview version would be a better compromise?

(This may have been asked before for earlier versions, sorry)

-------------

> * Indexing: ... will require large amount of drive space.

Do you have any recommendation yet (or rule of thumb) of how much space we should add to our "working drive" size-formula? Perhaps an additional amount equal to the drive size?


---------------------

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Tuesday, May 9, 2006 - 18:14:   

The only risk is that when you open case saved last by a later version again in an earlier version that the earlier version will lose some information next time it saves the case again. There would be a warning, though. No need to recreate the case. Yes, usually it's safe to use a preview version on a current version's case. Yes, alternating usually OK.

The size of the index will likely be between 25% and 75% of the original volume.

There could be extreme cases where it will be much larger:
- 100 copies of an encyclopedia saved on the volume
- many deleted files with GBs in size, all occupying the same drive space
Stefan Fleischmann (Admin)
Posted on Tuesday, May 9, 2006 - 22:25:   

Preview 13:

* Problem with index creation file cache fixed.

* Problem with heavily fragmented $MFTs on NTFS volumes with certain characteristics addressed.
Ross@WinPro.net
Posted on Wednesday, May 10, 2006 - 20:03:   

> * Problem with heavily fragmented $MFTs on NTFS volumes with certain characteristics addressed.

Regarding the above: I can confirm that Preview 13 is now working very well on all our test images on which the last few WH versions were having major issues.

Thank you very much Stefan.


When 12.95 is released it may be wise to issue a notification regarding the recent range of WH versions that were having issues (with the certain $MFT characteristics).

Recoveries performed, with only those WH versions, upon HDs with those certain $MFT characteristics could be incomplete (e.g. with preview 13, one of the test image sets now has 40,000+ files with original paths that the recent WH range was not finding [*note; earlier versions were OK}).

Thank you again Stefan for patiently listening and for the positive and timely fix. I know of no other software company that responds that quickly and correctly, none are even close!

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Thursday, May 11, 2006 - 15:03:   

Preview 14:

* Occasionally incomplete tooltips in Calendar mode fixed.

* Fixed an error in index search that could occur when searching a non-substring index explicitly for substrings.

* Fixed an error that occurred in certain situations with File Recovery by Type and its byte-level option.

* Changed illogical behavior of the checkbox in Refine Volume Snapshot that allows to undo file type verification.
Stefan Fleischmann (Admin)
Posted on Friday, May 19, 2006 - 22:06:   

Preview 15:

* Multiple sessions on a CD formatted with CDFS/ISO9660/Joliet are now listed simultaneously instead of only one at a time. Optionally (see Directory Browser Options), X-Ways Forensics can now list the ISO9660 directory tree even if a Joliet directory tree is present, too, which is useful e.g. if the Joliet part is damaged because of bad sectors.

* The search index file format has changed, so search indexes created by earlier preview versions cannot be reused by this version.

* The minimum and maximum number of consecutive characters that are considered a word by the indexing procedure are now variable.

* A user-defined list keeps frequent irrelevant words such as "and" from being added to the index and thus helps to reduce the size of the index and accelerate its creation. The same list also allows to specify short relevant words such as "XTC" that should be indexed even if they are shorter than the general minimum number of characters.

* Ability to restrict indexing to existing files and free space. Avoids that certain parts of free space are indexed multiple times if they are referenced by several deleted files at the same time. Also the amount of data to be indexed is now displayed.

* Ability to export a list of all words that are contained in the index, e.g. to create a custom dictionary for an individual dictionary password attack. Search | Export Word List.

* Directory Browser Options | [x] "Append correct ext. when copying" now also affects External Programs | Associated Program in the directory browser context menu, so that a misnamed file is executed with the right program for that file type after signatures have been verified.

* Evidence files that are images of large disks can now be opened much faster.

* Context preview now also available for hits in free space.

* Ability to group tagged and untagged items. Allows to conveniently review tagged items as a whole.

* Some minor other improvements.


Preview 16:

* Ability to search for substrings in an index that is not prepared for that temporarily not available.
Ross@WinPro.net
Posted on Saturday, May 20, 2006 - 2:35:   

12.95 preview 16

> * Ability to restrict indexing to existing files ... amount of data to be indexed is now displayed.

This was very helpful, thank you.


While re-indexing a test case (originally indexed with preview-14):
1. Indexing progress and statistics - "Est. total time" is not updating, it stays at 0:00 (the amount being indexed is only 27GB).

2. The new title bar version info no longer toggles to bolder, it stays light.

Thank you,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Saturday, May 20, 2006 - 10:54:   

1. That is not the case here, cannot explain at the moment.

2. You may now use the middle mouse button to increase the contrast.
Stefan Fleischmann (Admin)
Posted on Monday, May 22, 2006 - 21:59:   

Preview 17:

* X-Ways Forensics now shows the directory browser even for volumes with unsupported, unknown or unrecognizable file systems. In such a case, there will be just a fictitious "Idle space" file that covers all drive space. The Refine Volume Snapshot command, however, can then be used to find files based on header signatures, to be listed with generic names in the "Path unknown" directory. Also Preview mode and Gallery mode will be available. (forensic license only)

* Ability to conveniently list thumbnails that are directly incorporated in JPEG pictures, using Refine Volume Snapshot's search for embedded pictures. Those will be listed as fictitious JPEG files with the original filename and "Thumbnail" appended.

* Entropy test for encryption fine-tuned (less false positives).
Ross@winpro.net
Posted on Tuesday, May 23, 2006 - 21:07:   

(12.95 Preview 17)

Does Indexing currently work with Unicode? (or is there a toggle/switch/option?)

When comparing results of an Index search with a Simultaneous Search, it appears that Index results do not include the Unicode text hits.

Thank you,

Ross@winpro.net
Stefan Fleischmann (Admin)
Posted on Tuesday, May 23, 2006 - 21:13:   

Only ASCII characters are indexed (see program help).
Stefan Fleischmann (Admin)
Posted on Tuesday, May 23, 2006 - 22:03:   

Preview 18:

* Fixed an error in the search scope option "Up".

* When copying files from the Case Root including the path, the names of the disks/images involved are recreated in the output location as directories, so that there can be no doubt about which files originate from what evidence object.

* X-Ways Forensics now issues warnings when it takes a snapshot of a FAT volume and when in existing directories it encounters active FAT directory entries that appear to be corrupt for certain reasons. If you find these warnings excessive, please report back, then they will be rendered optional.

* On bootable CDs that are compliant with the El Torito specifications, X-Ways Forensics can now usually find and list the boot image. If you have a CD or CD image where that doesn't work, please report back.
Stefan Fleischmann (Admin)
Posted on Wednesday, May 24, 2006 - 23:52:   

Preview 19:

* Several minor fixes.
Ross@winpro.net
Posted on Thursday, May 25, 2006 - 2:20:   

I have not fully tested/confirmed this yet:

12.95 preview 18
Refined Volume Snapshot selecting "File header signature search" then choosing a single (fully tested custom) sig with an offset of 41 (decimal). I tried at both sector and cluster boundaries (both searching everywhere).

these two RVS produced many fewer hits than a Recovery by type with the same settings. So far it appears that the Recovery by type was including files with the offset 41 bytes from the cluster boundaires in both cases but the RVS was not. Can anyone confirm similar? I will test some more soon.

Thank you,

Ross@winpro.net
Stefan Fleischmann (Admin)
Posted on Thursday, May 25, 2006 - 2:30:   

That's completely normal if files with these clusters are already included in the volume snapshot, regardless of their name/extension/type, as the file header signature search tries to avoid duplication. If this is the reason, a signature check would reveal the true type of these files.
Ross@WinPro.net
Posted on Thursday, May 25, 2006 - 2:47:   

> a signature check would reveal

thank you, I will check that out,

Ross@WinPro.net
Stefan Fleischmann (Admin)
Posted on Saturday, May 27, 2006 - 12:31:   

Preview 20:

* Fixes.

* If the gallery window has the input focus, the Enter key can now be used to show a picture in full size and close it again.
Stefan Fleischmann (Admin)
Posted on Friday, Jun 2, 2006 - 0:33:   

The development of the v12.95 Preview line is continued with v13.0 Beta.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.