X-Ways Forensics 13.8



Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 23, 2007 - 23:49:   

A preview version of X-Ways Forensics 13.8 is now available. The download link can be retrieved by querying one's license status.

What's new?

* The logical simultaneous search has been removed from the directory browser context menu and integrated in Search | Simultaneous Search. It no longer searches the _selected_ files, but either all files or tagged files. Search | Simultaneous Search can now execute both physical and logical searches. Logical searches have been reworked internally and now always process the files in the order in which they appear in the volume snapshot (i.e. sorted by internal ID).

* The physical simultaneous search is finally obsolete in the forensic edition when searching entire media, as the logical simultaneous search now has a solution for the file slack/free space paradox, by searching all file slack/free space transitions separately. (The paradox is that although all file slack and free space is searched, not all occurrences of the search terms in these areas are found by certain standard computer forensics software products.)

* For irrelevant, hidden, or filtered out files, the logical search now allows limiting the search to the file slack. This saves time and reduces the number of irrelevant hits.

* Indexing can now be limited to the slack of irrelevant, hidden, or filtered out files, too.

* It is now possible to start indexing after volume snapshot refinement automatically.

* It is now possible to a certain degree to continue reviewing files while searching logically, as the directory browser is no longer blocked.

* When decoding PDF/OpenOffice/WPD/HTML files for the logical search, the text output is now in 16-bit Unicode instead of ASCII. That means Unicode should be enabled for searching when using this option (will be ensured by the final 13.8 version automatically).

* The volume snapshot can now be refined and an index can be created for _selected_ evidence objects at the same time. If both actions (volume snapshot refinement and indexing) are scheduled at the same time, at first the volume snapshots of the selected evidence objects will be refined, then the index will be created for these evidence objects, and finally the indexes will be optimized (which is optional and can be aborted at any time, as before).

* The volume snapshot can now be refined for physical, partitioned media. This is useful to conveniently list files in unpartitioned space that can be found via a header signature search. Files in _partitioned_ space can be found with a signature search within the corresponding partition only, as before. This prevents duplications.

* Physical media now offer a File mode, a Preview mode, and a Gallery mode. Useful for files found via a header signature search.

* Self-extracting .exe archives as created by WinZip (tested with v9.0 and v11.0), WinRAR (GUI and console .exe files, Zip and RAR compression, tested with v3.0, v3.3, v3.62, and v3.7 beta), 7-Zip (tested with v4.42), and WinACE (tested with SFX-Factory 2.64) are now internally detected by the file signature check. They are classified as the file type "sfx" and assigned to the category "Archives" so that they can be specifically targeted. This prevents compressed files in such archives from going totally unnoticed in an investigation. .exe archives with Zip compression can be viewed in Preview mode; other self-extracting archives need to be copied off the image and opened with an appropriate tool like WinRAR or 7-Zip.

* Reading from compressed evidence files is now considerably faster.

* CRC32 computation is now somewhat faster.

* When assembling a hardware RAID, the header size of a component may now exceed 65,535 sectors.

* Now 48 instead of 32 script variables are supported simultaneously.

* Tools | Disk Tools | Set Disk Parameters for a physical disk now accepts blanks for the C/H/S values. If left blank, suitable values will be computed by X-Ways Forensics itself.

* The data analysis feature now works with more than 4 billion occurrences of the same byte value. So although it is meant to be applied to much smaller amounts of data, this functionality can now safely be applied to many GB of data. The increased computation time was compensated by omitting the checksums. Test results welcome.

The program help has not been updated yet.
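
The file slack/free space paradox mentioned in the announcement above, as an added example that is not part of the original post and not X-Ways code. It assumes the missed occurrences are those that straddle the boundary between one file's slack and the free cluster that follows it; the toy volume layout, the sample terms and all function names are constructed for illustration.

```python
CLUSTER = 16
FILES = {"A": (0, 10), "B": (2, 16)}  # name -> (cluster, logical size); one cluster each
FREE = [1, 3]                         # unallocated clusters

def build_volume():
    """Constructed 4-cluster volume with residue of deleted data."""
    vol = bytearray(b"." * (4 * CLUSTER))
    vol[0:10] = b"A" * 10       # file A: 10 bytes of data, 6 bytes of slack
    vol[12:20] = b"PASSWORD"    # straddles slack of A (12-15) and free cluster 1 (16-19)
    vol[32:48] = b"B" * 16      # file B fills its cluster, no slack
    vol[52:58] = b"SECRET"      # lies entirely inside free cluster 3
    return bytes(vol)

def find_all(data, term, base):
    """Return absolute offsets of every occurrence of term in data."""
    hits, i = [], data.find(term)
    while i != -1:
        hits.append(base + i)
        i = data.find(term, i + 1)
    return hits

def search_regions_separately(vol, term):
    """Search each slack area and each free cluster as its own object."""
    regions = [(c * CLUSTER + size, (c + 1) * CLUSTER) for c, size in FILES.values()]
    regions += [(c * CLUSTER, (c + 1) * CLUSTER) for c in FREE]
    hits = []
    for start, end in regions:
        hits += find_all(vol[start:end], term, start)
    return sorted(hits)

def search_transitions(vol, term):
    """Search a window around each slack-to-free boundary.

    The window holds at most len(term)-1 bytes on either side, so any
    hit inside it necessarily crosses the boundary.
    """
    k, hits = len(term) - 1, []
    for c, size in FILES.values():
        boundary = (c + 1) * CLUSTER
        if c + 1 not in FREE:
            continue  # next cluster is allocated: not a slack/free transition
        lo = max(c * CLUSTER + size, boundary - k)  # never reach into file data
        hi = min(boundary + k, len(vol))
        hits += find_all(vol[lo:hi], term, lo)
    return sorted(hits)

def full_search(vol, term):
    """Union of per-region hits and boundary-crossing hits."""
    return sorted(set(search_regions_separately(vol, term) + search_transitions(vol, term)))
```

Every slack and free byte is read by `search_regions_separately`, yet only the transition pass recovers the term that begins in slack and ends in free space.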

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 29, 2007 - 22:22:   

Beta 1:

* There are now additional optional administrative security precautions and additional optional usage simplifications in the investigator version of X-Ways Forensics, which can be individually enabled or disabled with an optional file "investigator.ini".

* In Options | Viewer Programs, a list of filename extensions is now maintained that indicates which files should better be viewed with external programs, e.g. because the viewer component and the internal picture display and gallery do not support them. When double-clicking/viewing such files, the program that is associated with the extension on the examiner's system is automatically invoked. Based on the default settings, this applies to *.mdi;*.mdb;*.mpeg;*.mov;*.asf;*.avi;*.mp3. The list is user-editable (see Options | Viewer Programs). In particular MDI (Microsoft Document Imaging), a file type similar to TIFF, usually should not be overlooked, as this format can be used in MS Office to store scanned documents.

* Several minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 2, 2007 - 3:02:   

Beta 2:

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 2, 2007 - 23:02:   

Beta 3:

* Ability to print multiple selected documents without interruption/the need to click somewhere after each document, with the revised context menu command "Print with cover page". The cover page contains the date and time when the print job was started and all the meta-information selected in the report options, e.g. filename, path, evidence object title, file size, description, time stamps, comments, ... The cover page is printed by X-Ways Forensics itself, the following pages with the actual document are printed by the viewer component. In order to print documents with the viewer component without a cover page, as before, use the Print command in the main menu or the Print icon in the tool bar, while in Preview mode or when viewing a document in a separate window.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 7, 2007 - 19:41:   

Beta 4:

* Ability to select the fields to print on a cover page directly in the print dialog window. The selection is now retained separately from the fields selected for the case report.
Known error: The viewer component does not always display the correct printer name while printing although the print job is indeed sent to the selected printer.

* The ability to interpret .e01 evidence files was added to the investigator version of X-Ways Forensics. That means investigators can now be provided with file containers that were turned into (optionally compressed or encrypted) .e01 evidence files.

* The ability to create file containers was added to the investigator version. That means investigators can now create containers themselves and that way copy highly relevant files to separate containers for their own use or to pass them on to colleagues.

* The ability to create search indexes was removed from the investigator version. The meaning of option 6 in investigator.ini has been redefined.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 7, 2007 - 19:46:   

Forgot:

* In the meantime, the program help and the user manual were updated for v13.8 and e.g. cover the latest layout of the simultaneous search facility.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 14, 2007 - 13:17:   

v13.8 was just released.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 18, 2007 - 21:17:   

SR-2:

* Decoded text was not indexed correctly in v13.8 before. This was fixed.

* The logical search in v13.8 had a memory leak before. This was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 22, 2007 - 22:36:   

SR-3:

* Increased the internal buffer for full filenames listed in File Type Categories.txt. If the buffer was previously fully utilized, X-Ways Forensics did not report that the file type filter may not have worked correctly for full filenames. This was fixed.

* Most simultaneous search types cannot be run any more from within a data window that represents a physical disk or image, as they should be run from the case root window instead. A message box notifies the user in such a case.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 4, 2007 - 12:23:   

SR-4:

* The daylight saving bias was not correctly applied to timestamps in southern hemisphere time zones that have daylight saving.

* Fixed labels in comments filter dialog.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 9, 2007 - 13:52:   

SR-5:

* Indexing memory leak fixed.

* Changed sorting in search hit description column such that hits in slack space are not merely grouped, but moved to the end of the list so that they can be easily found (and the slack copied specifically if needed).

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 15, 2007 - 5:15:   

SR-6:

* Some minor fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 1, 2007 - 14:55:   

SR-7:

* Some of the fixes introduced in later versions. Final release.

Forum operated by X-Ways Software Technology AG.