X-Ways Forensics 14.0


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 30, 2007 - 2:52:   

A beta version of X-Ways Forensics 14.0 is now available. The download link can be retrieved by querying one's license status.

What's new?

* X-Ways Forensics can now optionally keep track of which files were already viewed, and flag them visually with a green background color around the tag. This is especially useful when reviewing hundreds or thousands of documents/pictures over a longer period, to avoid accidentally viewing the same documents multiple times and to assure the user of his or her progress. A file can automatically be flagged as already viewed when viewing it in Preview or full window mode, when viewing pictures in the gallery, or when identifying a file as known good based on the hash database. This is customizable in the directory browser options dialog. To manually flag files as already viewed, you can press Alt in combination with the cursor keys. Alt+Left removes the mark. A directory will be marked as fully viewed once all files in it are marked as already viewed. The total number of viewed items in the volume snapshot can be seen under Specialist | Refine Volume Snapshot.

* Ability to delete duplicate search hits with a context menu command. Search hits are considered duplicates if they either have identical physical offsets or, if they don't have physical offsets, if their logical offsets and the corresponding internal file IDs are the same. (Comments by e-mail on the definition of duplicate search hits are welcome. Perhaps the lengths of two search hits should be identical, too, before declaring them duplicates.) No assumption must be made that the duplicate that is selected for deletion is the "less valuable" search hit (but this is subject to improvement in future releases). E.g. a search hit in a deleted file "delivery28924.pdf" might be more helpful than in the virtual file "Free space", even if it's the same search hit. Or a hit for "Smithsonian" may be more helpful than a hit for "Smith".

* Due to popular demand, it is now possible to redefine the order of the columns in the directory browser, in the directory browser options dialog. This will also change the order of the fields in the case report (i.e. in report tables), on print cover pages and in exported file listings. You can select a column for relocation by clicking its radio button. Then use the vertical scrollbar that appears at the top. You can reset the column order to the default one if you right-click that scrollbar.

* There is now a filter for the skin color percentage column, allowing you to specifically address e.g. pictures with a high amount of skin tones or gray scale and black and white pictures.

* The attribute filter now allows you to specifically list files that are flagged as possibly encrypted based on the entropy test ("e?").

* Improved file signature search at sector boundaries for MPEG files, in that no overlapping MPEG fragments and no MPEG fragments in the middle of known MPEG files will be output/listed any more.

* Now supports up to 75 locally accessible physical media instead of 30.

* Displaying pictures with the separate viewer component instead of with the internal graphics library is now noticeably faster (but still noticeably slower than with the internal graphics library).

* Write access possible to disk sectors under Windows Vista for physical media and partitions opened from within physical media (not opened as drive letters in WinHex) in most of the situations where this failed with previous versions of WinHex.

* The case root is now a complete overview of all evidence objects. It is now possible to remove evidence objects from the case in the case root window, and in particular to remove multiple selected evidence objects at a time (useful e.g. if you have added multiple ordinary files to the case directly instead of to a file container, which is preferable).

* E-mail messages and attachments can now be extracted from Outlook .msg files.

* Some minor improvements.
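
The duplicate-search-hit rule described in the post above, as an added Python example (not X-Ways code, and not part of the original post). The `SearchHit` field names, the sample hits, the use of the search term's length as the hit length, and the choice to keep the first hit seen are all assumptions; the post does not say which duplicate is deleted.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SearchHit:
    term: str
    file_name: str
    file_id: int                    # internal file ID (hypothetical field name)
    logical_offset: int
    physical_offset: Optional[int]  # None when the hit has no physical offset


def dup_key(hit, require_same_length=False):
    """Key under which two hits count as duplicates, per the rule in the post."""
    if hit.physical_offset is not None:
        key = ("phys", hit.physical_offset)
    else:
        key = ("log", hit.file_id, hit.logical_offset)
    if require_same_length:
        # Stricter variant the post floats: lengths must match as well.
        # Assumption: hit length equals the length of the search term.
        key += (len(hit.term),)
    return key


def dedupe(hits, require_same_length=False):
    """Return (kept, dropped); the first hit seen for each key is kept."""
    kept, dropped, seen = [], [], set()
    for hit in hits:
        key = dup_key(hit, require_same_length)
        if key in seen:
            dropped.append(hit)
        else:
            seen.add(key)
            kept.append(hit)
    return kept, dropped


# Constructed sample hits (offsets and file IDs are made up for illustration).
SAMPLE_HITS = [
    SearchHit("Smith", "Free space", 0, 4096, 1_052_672),
    SearchHit("Smithsonian", "delivery28924.pdf", 17, 512, 1_052_672),
    SearchHit("Smith", "notes.txt", 42, 300, None),
    SearchHit("Smith", "notes.txt", 42, 300, None),
    SearchHit("Smith", "other.txt", 43, 300, None),
]

if __name__ == "__main__":
    for strict in (False, True):
        kept, dropped = dedupe(SAMPLE_HITS, require_same_length=strict)
        print(strict, [(h.term, h.file_name) for h in dropped])
```

With the rule as stated, the "Smithsonian" hit in delivery28924.pdf is dropped in favour of the "Smith" hit in free space because both share a physical offset; with the length check enabled, both survive.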

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 5, 2007 - 0:53:   

Beta 2:

* Two more columns, Sender and Recipient, have been introduced, that are filled for e-mail messages. These columns come with convenient substring filters. They can optionally be displayed dynamically, i.e. included in the directory browser only when e-mail messages are actually listed in the visible portion. This avoids wasting space on the screen for these columns when no e-mail messages are currently listed.

* It is now possible to review the (incomplete) search hit list in the middle of an ongoing simultaneous search. Clicking the search hit list button will pause the search and allow to view the preliminary search hit list, until resuming the search if necessary.

* The attribute filter now allows you to specifically list files with the Hidden attribute, e-mail messages, and e-mail attachments only.

* Ability to view the messages.txt file directly from within the case properties dialog window.

* When using the Recover/Copy command in search hit lists, directories are now recreated in the output folder as files, as the user likely wants to retain the original data with the search hit. The Recover/Copy command in such situations did not branch into selected subdirectories anyway in earlier versions.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 5, 2007 - 17:22:   

Beta 3:

* Dynamic e-mail columns option fixed.

* Improvements of v13.9 SR-2.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 15, 2007 - 14:21:   

Beta 4:

* The Recover/Copy command is no longer covered by general logging, but has its own HTML log file, "copylog.html", which can include not only the output filename and path, but also any of the available metadata about the copied files, e.g. original name, original path, size, timestamps, true type, etc. The HTML file is created in the _log subdirectory of a case. (forensic license only)

* The Export command now creates HTML files instead of text files. The result is much more convenient to view (e.g. in a web browser, in MS Word or MS Excel), especially in the case of exported search hits with context, where the actual search term can be highlighted within the context (yellow background color). Search hit highlighting, however, is optional, as it does not have the desired effect when viewing with MS Excel. With the HTML output for search results, the main functionality of Evidor is now available in X-Ways Forensics, too. If needed, programs like MS Excel can still be used to convert the HTML to tab-delimited ASCII or Unicode text as created by earlier versions of X-Ways Forensics.

* The number of backups that X-Ways Forensics keeps for a case file is now user-definable (5 by default) instead of just 1.

* Fixes some problems of earlier beta versions.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 19, 2007 - 14:04:   

v14.0 has just been released. The download password for X-Ways Forensics and X-Ways Investigator has changed this time.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Apr 28, 2007 - 20:57:   

SR-1:

* Pressing certain keys in the gallery caused X-Ways Forensics 14.0 to switch to Sectors mode. This was fixed.

* Unique output filenames for "Recover/Copy" now guaranteed also for files where X-Ways Forensics appends the presumed right extension (based on the option in Directory Browser Options).

* Disabling the exception list for indexing caused errors. This was fixed.

* Many more filename extensions were added to the file type category definition file, thanks to Günter Fabian of the state police of Upper Austria.

* Fixed search hit column output of export command. The option to export search hits without search hit context was broken.

* That partitioned areas on physical disks are omitted in file header signature searches (to avoid duplicates as the same searches can also be run on the partitions) is now optional.

* X-Ways Forensics now allows you to run byte-level signature searches within evidence file containers. Can be useful to find embedded files other than JPEG and PNG in selected host files. Such files have to be collected in a container first.

Ross Johnson
Username: ross_winpro_net

Registered: N/A
Posted on Friday, May 4, 2007 - 5:06:   

> * It is now possible to review the (incomplete) search hit list in the middle of an ongoing simultaneous search. Clicking the search hit list button will pause the search and allow to view the preliminary search hit list, until resuming the search if necessary.

I have been able to click the search hit list button to pause the searching OK; but how do I resume the search from where it left off?

Is there a simple resume search option? I have tried to find such.

The only method I have figured out so far is to sort the hit list by offset, click on the last offset, then search down from there. I am trying this in a Simultaneous search, Physical (sector-wise), and down. The major disadvantage to this is if the last found hit was much earlier in the search; because that space will be re-searched with this method.

BTW, for this physical search, WinHex keeps toggling Unicode on every time I toggle it off and click "OK" - the first time I do this the 'Decode in text in files:' text also appears and is checked. I can uncheck both but Unicode rechecks itself every time I click OK and Decode in text stays off?

BTW, when I click the search hit list button, during the search, the search hit list opens briefly, then closes, then a dialog box pops up stating 'Search complete' and listing xx hits found. I then have to dismiss this and click the search hits button a second time to open the list again.

It works better when I do a logical search (on a single, large, tagged object). When I click the search hit list button the hit list opens and stays open and a 'Resume' button appears. But when I click 'Resume', the search stops. Perhaps because only one object is being searched?


Thank you,

Ross@WinPro.net

Ross Johnson
Username: ross_winpro_net

Registered: N/A
Posted on Friday, May 4, 2007 - 5:40:   

After letting the physical search continue for a while (beyond 25% of a 475gb object), I tried clicking the search hit list button again and this time it worked great! I am able to repeat without issue. I did not make intentional changes. Perhaps the only change was the search hits list was open (unsure though) when I restarted the last search vs. not open when I first started it?

Thank you,

Ross@WinPro.net

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 4, 2007 - 10:57:   

Will be fixed for physical searches in v14.0 SR-2.

> But when I click 'Resume', the search stops.

That I cannot reproduce.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 6, 2007 - 22:00:   

SR-2:

* Fixed inability to review search hits during a physical simultaneous search via pause and resume.

* Some minor error corrections, several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 8, 2007 - 22:20:   

SR-3:

* Due to popular demand, "Windows Registry" is back as a separate file type category, and just as in earlier versions it again matches the most important files by name even when no file type verification (signature check) has been executed yet. Still, the file type verification step and the artificial type designation ("registry", formerly "regis") are required to match other registry files, e.g. backups of registry files in restore points.

* An error was fixed that activated Sectors mode when clicking a thumbnail in Gallery mode if Sync mode was enabled in conjunction with recursive exploration.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 21, 2007 - 2:14:   

SR-4:

* Some small fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 1, 2007 - 14:55:   

SR-5:

* Some of the fixes introduced in later versions.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2008 - 12:40:   

SR-6:

* Some of the fixes introduced in later versions. Available to customers on request. Final release.

Forum operated by X-Ways Software Technology AG.