X-Ways Forensics 14.1

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 6, 2007 - 22:19:   

A preview version of X-Ways Forensics 14.1 is now available. The download link can be retrieved by querying one's license status.

What's new?

* X-Ways Forensics now offers a dedicated option to logically combine search hits with a boolean AND operator, i.e. require that a file contains all selected search terms at the same time. If this requirement is not met, the file's search hits are omitted from the list altogether. That way you can reduce the view to those files that contain both search term A and search term B. If you know that the document you are looking for contains both of the search terms you specify, this narrows down the number of listed search hits to the most likely relevant ones. And that is not all: You can select more than two search terms (e.g. 4) and require that the files to be listed contain an arbitrary minimum number of different search terms at the same time (e.g. any 2 or 3 of the search terms, or all 4)!

* If search hits are omitted from the search hits list either because of the reduction to 1 hit per file or because of the logical AND combination, the number of omitted search hits is now displayed with a filter symbol in the directory browser header line, as a visual reminder that the search hit list is not the complete one.

* Reducing a huge search hit list in such a way that only one hit per file is left can be a great time-saver if you intend to look at each such file anyway, but prefer to not have to look at the same file more than once (if there are many hits in the same file). It is now more convenient to limit the output to 1 search hit per file in the first place, with a new checkbox below the search term list. The former context menu command was removed.

* For files and directories on NTFS volumes, X-Ways Forensics can now often display the username instead of the user's SID in the Owner column. X-Ways Forensics collects SIDs and usernames from Windows installations on evidence objects that are added to the case. An overview of all the SID and username combinations that were found can be displayed from within the case properties window.

* Searching for deleted files by header signatures and verifying the true file type based on signatures have become more flexible. The signatures are now defined in GREP syntax. That means it is now possible to allow for alternatives (e.g. "the 4th byte could be either 0xE0 or 0xE1") and undefined gaps ("." wildcard character) within the signatures. The new signature database that comes with WinHex and X-Ways Forensics already utilizes this to further reduce the number of false positives and to reduce the number of definitions needed for the same file type (e.g. HTML). File Type Signatures.txt files from old versions can still be read, but cannot use the GREP syntax.

* It is now possible to integrate a free-text description of up to 60,000 Unicode characters in evidence file containers, for the recipient to see in the evidence object properties when he or she adds the container to the case.

* MS Office 2007 and OpenOffice documents are now treated like archives (which makes it easier to extract embedded pictures), but at the same time they retain their special extension in the type column so that they can easily be distinguished from ordinary zip files and still belong to the document category rather than archives. This best of both worlds combination was not possible in earlier versions. Consequently, in the default settings, OpenOffice documents are not subject to text decoding during searches any more, as the contained XML files will already be searched in their decompressed state. The XML files themselves, however, should still be subject to text decoding during searches if your search terms contain non-English characters, because of XML's UTF-8 coding (unless you specifically search in the UTF-8 codepage). Consequently, *.xml was added to the default file masks for text decoding.

* Regular archives as well as MS Office 2007/OpenOffice documents can now also be viewed in a separate window from the directory browser context menu, not just explored or viewed in Preview mode.

* When recovering NTFS-compressed files manually (e.g. because they were found manually or via an adjusted file header signature search tailored for NTFS-compressed files), it is necessary to decompress such files separately. Previously it was possible to successfully decompress a single 16-cluster unit of compressed data with Edit | Convert. Multiple 16-cluster units could be decompressed in a single step if and only if these units were physically 16 clusters apart from one another (as under Windows XP it's usually the case if an already existing file is compressed on an NTFS volume at a later point of time). Now the decompression algorithm also works if there are no physical gaps between the units (as under Windows XP it's usually the case if a file is saved with compression in the first place). It dynamically picks the decompression strategy that yields the highest amount of decompressed data, on a file-by-file basis.

* "Offline" files are now marked with a capital O in the Attributes column. Files with the attribute "temporary" are now marked with a "T".

* Several minor improvements.

* Fixes and improvements of v14.0 SR-2 all included.
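
The search hit reduction described in the announcement above (minimum number of different search terms per file, optional 1 hit per file, count of omitted hits), as an added Python example that is not part of the original post and not X-Ways code. The function name, the hit tuples and the sample data are constructed for illustration.

```python
from collections import defaultdict

def combine_hits(hits, min_terms, one_per_file=False):
    """Filter (file, term, offset) search hits the way the post describes.

    A file stays listed only if it contains at least min_terms *different*
    search terms; optionally only its first hit is kept. Returns the listed
    hits and the number of omitted hits (the figure shown beside the filter
    symbol). Applying the AND filter before the 1-hit-per-file reduction is
    an assumption of this example.
    """
    terms_by_file = defaultdict(set)
    for path, term, _ in hits:
        terms_by_file[path].add(term)   # repeated hits of one term count once
    listed, seen = [], set()
    for hit in hits:
        path = hit[0]
        if len(terms_by_file[path]) < min_terms:
            continue                    # file lacks enough different terms
        if one_per_file and path in seen:
            continue                    # file already represented by one hit
        seen.add(path)
        listed.append(hit)
    return listed, len(hits) - len(listed)

# Constructed hit list: (file, search term, offset of the hit).
HITS = [
    ("a.doc", "invoice", 10), ("a.doc", "invoice", 90), ("a.doc", "transfer", 200),
    ("b.txt", "invoice", 5),
    ("c.eml", "transfer", 40), ("c.eml", "offshore", 77), ("c.eml", "invoice", 300),
    ("d.xls", "offshore", 12), ("d.xls", "offshore", 60),  # two hits, one term
]

if __name__ == "__main__":
    for k in (2, 3):
        listed, omitted = combine_hits(HITS, k)
        print(f"min {k} terms: {len(listed)} hits listed, {omitted} omitted")
    print(combine_hits(HITS, 2, one_per_file=True))
```
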
Jimmy Weg
Username: jw

Registered: 7-2006
Posted on Monday, May 7, 2007 - 19:19:   

>Searching for deleted files by header signatures . . .

I'm away from work and my dongle for a couple days, and this promises to be yet another very useful enhancement. Is there a way to create a custom database in the new format, so as to allow updates to the standard database without overwriting any added signatures? Thanks!
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 7, 2007 - 20:35:   

Yes, just as before you can customize the tab-delimited text file and have X-Ways Forensics load an additional file if named File Header Signatures *.txt.
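
The signature matching discussed in this exchange (alternatives such as "4th byte 0xE0 or 0xE1" and "." gaps), as an added Python example that is not part of the original posts. Python's `re` module stands in for the GREP syntax; the signature table, function names and sample bytes are constructed and do not reproduce the X-Ways signature file.

```python
import re

# Constructed header signatures written as Python byte regexes. Python's re
# module stands in for the GREP syntax named in the post; this is not the
# layout of the X-Ways signature file.
SIGNATURES = {
    # Alternative: 4th byte may be 0xE0 or 0xE1 (one definition, two variants).
    "jpg": re.compile(rb"\xFF\xD8\xFF[\xE0\xE1]"),
    # Undefined gap: "...." skips the 4-byte RIFF size field. DOTALL is needed
    # so that "." also matches a 0x0A byte inside that field.
    "avi": re.compile(rb"RIFF....AVI LIST", re.DOTALL),
    "wav": re.compile(rb"RIFF....WAVEfmt ", re.DOTALL),
    # Alternatives plus case-insensitivity: one definition, several HTML starts.
    "html": re.compile(rb"<(!DOCTYPE html|html|head)[ >]", re.IGNORECASE),
}

def true_type(data: bytes, pos: int = 0):
    """Return the type whose signature matches exactly at offset pos, else None."""
    for name, sig in SIGNATURES.items():
        if sig.match(data, pos):
            return name
    return None

def mismatches(files):
    """List (filename, extension, detected type) where the two disagree."""
    out = []
    for name, data in files:
        ext = name.rsplit(".", 1)[-1].lower()
        detected = true_type(data)
        if detected is not None and detected != ext:
            out.append((name, ext, detected))
    return out

def carve(image: bytes, sector: int = 512):
    """Return (offset, type) for every sector that starts with a known header."""
    hits = [(off, true_type(image, off)) for off in range(0, len(image), sector)]
    return [(off, t) for off, t in hits if t]

# Constructed sample data (not from the page).
FILES = [
    ("photo.jpg", b"\xFF\xD8\xFF\xE1\x00\x10Exif\x00\x00"),
    ("notes.txt", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),   # renamed picture
    ("clip.avi", b"RIFF\x0A\x00\x00\x00WAVEfmt "),         # really a WAV
    ("page.html", b"<HTML><head>"),
]
def pad(b): return b.ljust(512, b"\x00")
# Sector 2 starts with FF D8 FF 41: a 3-byte signature would carve it, this one does not.
IMAGE = pad(b"") + pad(FILES[0][1]) + pad(b"\xFF\xD8\xFF\x41") + pad(FILES[2][1])
```
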
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 10, 2007 - 21:17:   

14.1 Beta:

* Can now much more precisely recognize and distinguish between various OLE2 compound file types (e.g. pre-2007 MS Office documents).

* HTML format for exporting file lists or search hits is now optional. If disabled, tab-delimited text files will be created as in earlier versions. That may be desirable for huge amounts of data.

* The program help was updated with the changes introduced with v14.1.

* Some errors of the preview version were fixed.

* Changes of v14.0 SR-3.

* An error in the registry viewer was fixed that prevented the user from continuing a search in a hive other than the one in which the first search hit was found.

* It is now possible to pick a registry report definition file before creating the registry report. Useful if you maintain multiple such files, e.g. one that extracts information about hardware, another for information about users, etc.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 11, 2007 - 22:47:   

14.1 Beta accidentally did not contain the new File Type Signatures.txt file. Fixed now.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 14, 2007 - 1:57:   

Beta 2:

* On multi-core processor systems, the performance penalty when working with compressed .e01 evidence files has been considerably reduced, by about 50% on a dual-core processor. On single-core processor systems, there is a slight improvement, too.

* There is a new compression ratio option available for creating .e01 evidence files: "fast". This option comes highly recommended, for it is a very good compromise between "no" compression (with maximum speed) and "normal" compression. For average data, you can expect half the compression ratio that you would get with "normal", and a speed right between "no" compression and "normal" compression. For highly uniform data, you get the same very high compression ratio as with "normal", and possibly even more speed than with "no" compression because the amount of data to write is so drastically reduced. For incompressible data, you almost get the same speed as with "no" compression (much faster than with "normal").

* Files found via header signature are now listed in a dedicated virtual directory "Carved files" under "Path unknown". This makes it more convenient to address such files separately.

* In newly taken volume snapshots, empty orphaned subdirectories are now listed in a dedicated virtual directory "Empty directories" under "Path unknown". This makes it more convenient to explore and navigate in "Path unknown".

* Auto-coloring on NTFS now also works for FILE records that are not part of the active MFT, if found somewhere on the partition (e.g. in $LogFile or in free space) and visible on the screen.

* Fixed some errors of Beta 1.

* Fixed sparse file support on Ext2/Ext3 file systems.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 15, 2007 - 23:35:   

Beta 3:

* Fixed an error that in Beta 2 could occur when reading from .e01 evidence files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 21, 2007 - 2:14:   

v14.1 has just been released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 22, 2007 - 22:08:   

SR-1:

* Prevented an exception that could occur under certain circumstances some time after having closed a case.

* When in gallery mode, the path and the name of the selected picture are now displayed in the status bar. The path includes the evidence object name.

* The option "+19" in investigator.ini now also prevents the user from changing the case and the temp path in General Options.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 24, 2007 - 14:36:   

SR-2:

Fixed two errors that were introduced with v14.1.

* Under certain circumstances (apparently systems with Internet Explorer 7.0), Internet Explorer windows were opened when copying directories off an image/disk.

* Under certain circumstances, further options in Refine Volume Snapshot were not applied simultaneously to files whose true file type was newly detected.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 31, 2007 - 23:36:   

SR-3:

* Ability to create evidence file containers with X-Ways Investigator now tested and functional.

* Fixed an error in the WinHex API WHX_Open functionality.

* Fixed an issue that could occur under certain circumstances when exporting index search hits with context preview to HTML.

* Fixed an error that could occur when copying data formatted as a hex editor display to the clipboard with non-standard settings.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 7, 2007 - 22:35:   

SR-4:

* When including the evidence object names as the top directory level in an evidence file container and when including full paths in the container, items from the virtual "Path unknown" directory previously could end up in a wrong evidence object's "Path unknown" directory when copied to a container. This will no longer occur in newly taken volume snapshots.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 10, 2007 - 22:24:   

SR-5:

* Fixed an exception error that could occur when setting up a recursive view of several physical evidence objects in the case root window.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 17, 2007 - 11:51:   

SR-6:

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 19, 2007 - 10:20:   

SR-7:

* An error was fixed that could occur when decoding the text in certain documents for the logical search.

* Prevents a very slow context preview for search hits in certain compressed files.

* Fixed a type filter error introduced with SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 1, 2007 - 14:55:   

SR-8:

* Some of the fixes introduced in later versions.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2008 - 12:41:   

SR-9:

* Some of the fixes introduced in later versions. Available to customers on request. Final release.

Forum operated by X-Ways Software Technology AG.