X-Ways Forensics 14.2 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways Forum » Public Announcements » X-Ways Forensics 14.2 « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 21, 2007 - 2:14:   

A preview version of X-Ways Forensics 14.2 is now available. The download link can be retrieved by querying one's license status.

What's new?

* A new mode named "Details" has been introduced that contains all the information on a single selected file from all the directory browser columns, including those that are not currently visible. (forensic license only) Very useful for example if the path is very long and does not fit on the screen in the path column, maybe not even in the path tooltip display. Also allows to easily copy the filename or file path or selected other data to the clipboard. In future, the Details mode may also become the place where to look up additional information on a file, like detailed permissions in NTFS and extracted internal document metadata.

* An additional directory browser column "Type description" was introduced that usually displays the name of the application that a file type belongs to or what the filename extension stands for, whatever is specified as a hint in File Type Categories.txt. (forensic license only) If the same extension occurs multiple times in the definition file, all its meanings are listed. For example, .pm could be a Perl module, a PageMaker document, or Pegasus file, or an X11 Pixmap file.
The file format of File Type Categories.txt has been slightly changed in that category names are now defined in lines that start with *** instead of :incrementing number:, so the user does not have to ensure unique category IDs any more.

* Yet another column was added, labeled "Dimensions". (forensic license only) It denotes the size of a picture in pixels, as the result of width times height, rounded. Computed simultaneously with skin color percentages, plus when viewing pictures (full-screen mode, preview mode, or in the gallery). Useful to easily distinguish between e.g. small browser cache garbage graphics and high-quality digital photos, with the associated filter, which allows you to concentrate on very small or very large pictures, or mid-sized pictures within a user-define range.

* Thumbnail pictures can now be successfully extracted from most thumbs.db files even if internally fragmented. Original filenames and timestamps are now extracted for these thumbnails, too. (forensic license only)

* Ability to totally remove irrelevant items from the volume snapshot if not needed, e.g. meaningless garbage files found via a file header signature search. This can render the volume snapshot more efficient to handle and save main memory. At first, you hide such files, and then you remove all hidden items, clicking a new button in the directory browser options dialog. Available only for volume snapshots created by v14.2 and later. Useful also if you would like X-Ways Forensics to find certain files once again via a file header signature search, but list them with a different default file size if the originally specified default file size proved inadequate.

* Ability to select hidden items listed in the directory browser (only if not filtered out, of course). Useful e.g.
- if you would like to see hidden items specifically (first select them, then tag them, then group tagged and untagged items)
- if relevant files have been assigned to a report table already and you then have X-Ways Forensics hide duplicates among those files based on hash values, and then would like to remove duplicates from the report.

* Volume snapshots created or processed by v14.2 cannot be correctly understood by earlier versions any more. There will be warnings to that effect.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 22, 2007 - 1:57:   

Preview 2:

* Fixed two errors in the original preview version, which occurred when dealing with physical media and the case root window.

* When in gallery mode, the path and the name of the selected picture are now displayed in the status bar. The path includes the evidence object name.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 25, 2007 - 2:30:   

14.2 Beta:

* Now allows to optionally run simultaneous searches in a second code page at the same time. Useful when searching for keywords that contain non-ASCII characters. For example, specifically searching in the UTF-8 code page in addition to your language's typical Windows code page will render decoding the text in XML files (think of MS Office 2007 documents) obsolete.

* When displaying code page search hits with their context, X-Ways Forensics now tries to convert all text to Unicode so that such search hit previews can be properly viewed even if the respective code page that a search hit is based on is not the active code page in the examiner's Windows system.

* Ability to convert text from various code pages to Unicode and vice-versa, with the Edit | Convert command.

* Ability to specify an alternative sector size when interpreting raw images. For that, please hold the Shift key. You will then have to indicate the nature of the image (partitioned physical medium or volume) as in earlier versions, and if you continue to hold the shift key you will be prompted for the sector size. Note that even in earlier versions WinHex already used the sector size specified in a FAT or NTFS boot sector if a raw image contained a volume and started directly with such a boot sector. For an .e01 evidence file, WinHex uses the sector size specified within that file format.

* Fixes and improvements of v14.1 SR-2.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 30, 2007 - 1:51:   

14.2 Beta 2:

* Better support for multi-monitor systems. Some display problems were fixed, and dialog boxes and message boxes will now always be centered within the WinHex main window except if that means they are split between two screens (if the main window spans two monitors). In that case they will be centered on the main screen.

* It is now possible to detach the lower half of a data window (with Sectors mode, File mode, Preview, Gallery etc.) from the data window, by clicking the three dots that are located left to the Sectors button. After that, you can freely move and resize it on the screen. This is useful e.g. for multi-monitor systems, so that you can have that part of the user interface on a separate screen and even maximize it there!

Because of this significant change in the user interface, it's likely that minor graphical annoyances (screen artefacts, visible traces of user interface elements that are not completely removed from the screen) that occurred in earlier version will no longer occur, while others may have been inadvertently added. If you encounter such screen artefacts in this beta version, please report back and ideally send a screenshot. Thanks.

* In this beta version (may be removed in future releases), it's possible to have X-Ways Forensics create a log file "RVS.log" in an evidence object's metadata directory when refining the volume snapshot. Useful if that operation freezes/crashes on a certain file, to find out the offending file's internal ID, so that it can be omitted. The new "Log" option can be found in the Refine Volume Snapshot dialog window.

* Clarified effect of using GREP syntax in dialog box (code page translation options disappear).

* Fixed issue in new search functionality.

* Fixed an issue that could occur under certain circumstances when exporting index search hits with context preview to HTML.

* v14.2 Preview 1+2 and v14.2 Beta 1 did not correctly initialize the "Pixels" value for certain embedded files when importing certain volume snapshots from pre-14.2 versions. This was fixed.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 31, 2007 - 23:36:   

14.2 Beta 3:

* X-Ways Forensics now informs about the SMART status of [S]ATA hard disks (connected via [S]ATA), as part of the technical details report. Useful to check for one's own hard disk as well as that of suspects. For example, you can learn how often and how long the hard disk was used and whether it has had any bad sectors (in the sense that unreliable sectors were replaced internally with spare sectors). If a hard disk is returned to a suspect and he or she consequently complains about bad sectors and accuses you of having damaged the disk, a details report created when the hard disk was initially captured can now show whether it was already in a bad shape at that time. Also, seeing that spare sectors are in use means knowing that there is additional data to gain from the hard disk (with the appropriate technical means).

* "Wash me, but don't make me wet" is a German saying that frequently applies when users of X-Ways Forensics select to treat archives like directories and then wonder why (or complain) they cannot copy such archives off the image like files or wonder why the archives are not listed in a recursive view (when they run X-Ways Forensics with directories excluded from recursive views). For the latter "problem" there is now a change: Archives treated like directories are no longer excluded from recursive views depending on this option. Also they are not grouped along with directories any more.

Possible "solutions" for copying: You could reverse treatment as directories in Specialist | Refine Volume Snapshot, or you could open such archives (with the Open command in the directory browser context menu) and then save them with File | Save As.

Note that it was never a "must" to treat archives like directories in the first place. Once the files contained in archives are included in the volume snapshot, they will be included in any recursive listing (unless somehow filtered out, of course), no matter whether the archives are treated like directories or not.

* Certain corrupt OpenOffice2 Writer documents (.odt) previously could cause the file format specific encryption test to freeze forever. Such attempts will now be aborted after a time-out period has elapsed.

* It is now possible to log the internal IDs of processed files both when refining the volume snapshot and when indexing. The log files are named RVS.log and Indexing.log, respectively, and are written to the metadata subdirectory of the evidence object. Should a corrupt file cause X-Ways Forensics to freeze and to clear the display of the currently processed file or should a corrupt file cause X-Ways Forensics to terminate completely, the logs can reveal the offending file so that it can be omitted when trying again.

* Errors of Beta 2 fixed.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 7, 2007 - 22:35:   

Beta 4:

* When creating an image, the SMART information is now queried again upon completion, so that you can see whether the status of a hard disk in bad shape has further deteriorated during imaging. Secondly, you can see how the "power on time" has changed, which is useful to deduce its unit of measurement (usually hours, but can be different on certain hard disk models).

* It is now possible to compute hash values for all files that are copied to an evidence file container. The hash is computed directly for the data as read from the source medium. These hash values are now also automatically imported into the volume snapshot when interpreting the container.

* It is now possible to verify already available hash values for the files in a volume snapshot, with the Refine Volume Snapshot functionality. Most importantly this helps to confirm that the files in an evidence file container have not changed since they were copied from the original source medium. Should there be any files whose hash values have changed, they will be added to a special report table for convenient review.

* It is now possible to apply the data analyis feature to the selected file when in File mode.

* Fixed errors of previous beta version.

* When including the evidence object names as the top directory level in an evidence file container and when including full paths in the container, items from the virtual "Path unknown" directory previously could end up in a wrong evidence object's "Path unknown" directory when copied to a container. This will no longer occur in newly taken volume snapshots or in volume snapshots imported from v14.1 or earlier.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jun 9, 2007 - 16:22:   

Beta 5:

* Filters are now applied to archives even when archives are treated like directories.

* When reviewing search hits, and when in Preview mode a search hit cannot be highlighted, e.g. because the hit is in the file's metadata, which is not displayed by the viewer component, X-Ways Forensics now offers to switch to File mode instead.

* Fixed an error of earlier beta versions.

* Program help further updated.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 17, 2007 - 11:51:   

Beta 6:

* Several minor errors of the previous beta versions found and fixed. For example, the "Other/unknown type" category did not work, and search hits within files that were removed from the volume snapshot were not deleted automatically.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 20, 2007 - 1:53:   

v14.2 is now available.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 25, 2007 - 1:25:   

SR-2:

* When clicking thumbnails in the gallery, the status bar was not updated correctly with the filename. This was fixed. When using the keyboard to navigate, there was no problem.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 26, 2007 - 0:40:   

SR-3:

* Fixed an error that under certain circumstances opened Internet Explorer windows when copying files and directories.

* Fixed a scrollbar display problem that occured when files were opened in WinHex while the main window was minimized.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 6, 2007 - 18:59:   

SR-4:

* An error was fixed that caused duplication of file listings in the Chinese version of X-Ways Forensics after a thorough file system data structure search on NTFS volumes.

* There was a codepage/Unicode mismatch error in the Export command. This was fixed.

* Some minor improvements/fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 19, 2007 - 1:37:   

SR-5:

* Fixed an error that caused certain directory browser operations (copying and creating a hash set) to abort prematurely if applied to a recursive view that contained archives treated like directories.

* Fixed an error that could occur when replacing an evidence object with a new image under certain circumstances after creating a technical details report.

* Prevented certain exceptions that could occur when processing garbage data in NTFS FILE records.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2008 - 12:41:   

SR-6:

* Some of the fixes introduced in later versions. Available to customers on request. Final release.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.