X-Ways Forensics 13.6

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 27, 2006 - 23:41:   

A preview version of X-Ways Forensics 13.6 is now available. The download link can be retrieved by querying one's license status.

What's new?

* A forensic license now allows to separately list and examine e-mail messages and e-mail attachments in the directory browser, as part of the volume snapshot. The following file formats are supported: Outlook Personal Storage (.pst), Outlook Express (versions 4, 5, and 6, .dbx), Mozilla mailbox (including Netscape and Thunderbird), generic mailbox (mbox, Berkeley mail format, BSD mail format, Unix mail format), Eudora mailbox (.toc and .mbx), PocoMail and Barca mailbox (.idx and .mbx), Opera mailbox (.mbs), Forte Agent mailbox (.idx), The Bat! mailbox (.msb and .tbb), Pegasus mailbox (.pmi, .pmm, and .cnm), Calypso and Courier archive, PMMail message files (.msg), FoxMail mailbox (.box), maildir folders (local copies), MHT Web Archive (.mht), and more. Support for .pst files requires a fully functioning Extended MAPI system (available if a recent version of MS Outlook is installed). Still testing.

* In Preview mode, there is now a button that allows to change from file format specific to generic text preview mode, which is useful e.g. for e-mail messages if you would like to see the entire e-mail source code.

* Filling very large containers (with many hundreds of thousands of files) is now faster.

* Option to invert the selection in the directory browser with a command in the context menu.

* Various minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 30, 2006 - 1:08:   

Preview 2:

* E-mail attachments are now both incorporated into the .eml messages and extracted to subdirectories. That way it is easily possible to systematically review/list/search messages and attached files separately (e.g. recursively all PDF documents or JPEG pictures, using dynamic filters) as before, and also click attachment links directly in the .eml files to view the attachments for the currently displayed e-mail message.

* If deleted e-mail messages in e-mail archives are found, they are now listed with the question mark icon.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 8, 2006 - 2:08:   

Beta:

* Extracted e-mail messages, e-mail messages with attachments, and e-mail attachments without attachments are now marked as such in the columns Attributes and Description.

* E-mail attachments that are documents like .doc, .xls, .ppt may contain embedded pictures themselves, and such pictures can now be output when refining the volume snapshot.

* That e-mail attachments and embedded files are not only extracted to separate subdirectories, but additionally also embedded directly in the .eml e-mail message files is now optional. The latter takes more time and requires more drive space. It is needed only to be able to directly view pictures embedded in HTML e-mails and to click attachment links in e-mail messages that have been copied to a container.

* By default, OpenOffice documents are now covered by the text decoding option in Logical Search.

* A case can now be deliberately opened as read-only even if it is not password-protected. Useful when opening it twice concurrently, e.g. to avoid losing search results in an ongoing search in one instance of X-Ways Forensics when reviewing files in the same case in another instance. For read-only mode, click the Edit Mode button in the Open Case dialog window.

* Password-protected case files that were saved with the investigator version of X-Ways Forensics can be unlocked with a super-user password if such a password had been specially entered by the administrator. Useful when non-IT investigators forget their passwords.

* A rare error was fixed where containers would associate files with a wrong evidence object.

* Various other improvements and some fixes.

Possible additions in future versions: Special envelope icons for e-mail messages, envelope icons with a small paperclip for e-mail messages with attachments. Additional columns and filters for sender, recipient, date+time sent etc. Ability to filter e-mails based on the Attributes or Description column. More precise error messages if extracting e-mail archives fails.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 8, 2006 - 16:56:   

Beta 2:

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 11, 2006 - 0:06:   

v13.6 has just been released. The e-mail functionality continues to be in a testing stage.

Changes since Beta 2:

* Recursively explored directories are now displayed in turquoise in the directory tree.

* New icons for e-mail messages, for e-mail messages with attachments, and for archives treated like directories.

* Timestamps in e-mail messages are displayed.

* Some fixes and minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 11, 2006 - 15:03:   

SR-1:

* When processing large e-mail archives, X-Ways Forensics now remains responsive, and the operation can be aborted if needed.

* E-mail extracted from e-mail archives in containers will no longer trigger taking a new volume snapshot when re-opening the case.

* .mbox was added as a signature such that generic mailbox files will show "mbox" in the Type column even if they do not have any extension once file type signatures are verified.

* An error was fixed that could prevent e-mail extraction depending on the case path length.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 12, 2006 - 22:34:   

SR-2:

* An error was fixed that prevented generic mailbox files from being processed.

* The ID column did not work in SR-1. This was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 13, 2006 - 20:17:   

SR-3:

* Generic mailbox files without extension can now be processed.

* Temporary path duplication error in evidence file containers fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 14, 2006 - 23:32:   

SR-4:

* Circular bit rotation added as an option in Edit | Modify Data. Allows to decrypt disk images as saved on tapes by legacy computer forensics software.

* More and more hints/warnings when processing files are now attached to these files as report table associations instead of comments.

* Files copied off an image as part of a report will now be created as read-only, such that they cannot be inadvertently modified when opening them in applications such as MS Word.
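
The circular bit rotation mentioned in SR-4, shown as an added example that is not part of the original post and is not X-Ways code. It assumes the rotation is applied to each byte independently and that the image begins with a volume boot sector; the function names, marker list and sample sector are constructed for illustration.

```python
"""Per-byte circular bit rotation and recovery of an unknown rotation count."""

BOOT_SIG = b"\x55\xaa"                       # boot-sector signature, offset 510
# Known-plaintext markers (offset, bytes) found in common volume boot sectors.
MARKERS = [(3, b"NTFS    "), (3, b"MSDOS5.0"), (82, b"FAT32   ")]


def rotl8(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits; bits shifted out re-enter on the right."""
    n %= 8
    table = bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in range(256))
    return data.translate(table)


def rotr8(data: bytes, n: int) -> bytes:
    """Inverse of rotl8 (a right rotation by n is a left rotation by 8 - n)."""
    return rotl8(data, 8 - n % 8)


def signature_only(sector: bytes) -> list:
    """Right-rotation counts under which bytes 510-511 read 55 AA.
    0x55 and 0xAA are rotations of each other, so this fixes parity only."""
    return [n for n in range(8) if rotr8(sector[510:512], n) == BOOT_SIG]


def find_rotation(sector: bytes) -> list:
    """Right-rotation counts that yield both 55 AA and a known marker."""
    hits = []
    for n in signature_only(sector):
        plain = rotr8(sector, n)
        if any(plain[off:off + len(m)] == m for off, m in MARKERS):
            hits.append(n)
    return hits


def make_sample(n: int = 3) -> bytes:
    """Constructed input: a minimal NTFS-style boot sector rotated left by n."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"            # jump instruction
    sector[3:11] = b"NTFS    "               # OEM ID
    sector[510:512] = BOOT_SIG
    return rotl8(bytes(sector), n)


if __name__ == "__main__":
    s = make_sample()
    print("signature only:", signature_only(s), "with marker:", find_rotation(s))
```

The 55 AA signature by itself leaves four candidate counts, which is why the check also requires an asymmetric marker such as the OEM ID.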
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 21, 2006 - 19:37:   

SR-5:

* Ability to specify how cooperative X-Ways Forensics behaves during operations that involve a progress indicator window (e.g. hashing, searching) when competing with other processes for CPU time, by pressing Shift+Ctrl+F5. 0 is the default setting (not specially cooperative). You could try values like 10, 25, 50, or 100 (maximum willingness to share CPU time) e.g. if X-Ways Forensics is executed simultaneously by different users on the same server, for a fairer distribution of CPU time.

* Often there are now more descriptive error messages when e-mail archives cannot be processed (because they are corrupt, unsupported format etc.).

* Fixed an error that prevented correct relative paths of linked files when saving the HTML report in a directory other than the preselected one.

* Fixed an error in the script command GetUserInput.

* Fixed an exception error that could occur when extracting e-mail messages.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 29, 2006 - 0:54:   

SR-6:

* Ability to click attachment links in extracted e-mail messages in containers even if attachments were not embedded in the .eml files. As the main reason to directly embed attachments therefore no longer exists, it is recommended not to use that option any more, considering its downsides (more time needed for extraction and indexing, more drive space needed).

* Now 64 instead of 32 report tables supported in a case.

* An error was fixed that occurred when hiding duplicates based on hash values in the case root.

* The name of the evidence object is now part of the path when printing files with the viewer component and printing the path as the header.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 10, 2007 - 2:22:   

SR-7:

* In newly created volume snapshots, fictitious e-mail subdirectories now get a name different from the e-mail archive file to avoid name conflicts when copying files off an image.

* Dedicated icon for deleted e-mail messages with attachments.

* Windows installation dates as recorded in the registry of Windows 95/98/Me are no longer incorrectly converted when creating the registry report.

* An error was fixed that in case of many report table associations may have caused an exception when saving the case.

* In certain scenarios with repartitioned or reformatted NTFS volumes, previously existing files could cause an infinite loop during indexing. This was fixed.

* Some minor improvements and error corrections.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 1, 2007 - 14:55:   

SR-8:

* Some of the fixes introduced in later versions. Final release.

Forum operated by X-Ways Software Technology AG.