X-Ways Forensics 14.3

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jul 7, 2007 - 17:48:   

A preview version of X-Ways Forensics 14.3 is now available. The download link can be retrieved by querying one's license status.

What's new?

* The indexing feature has been significantly extended. It is now possible to index text both in single-byte character code pages and in Unicode (UTF-16LE)! Also it is possible to have up to three such indexes per evidence object (e.g. Cyrillic characters indexed in Unicode and two Cyrillic code pages). Multiple indexes, if selected, are created consecutively in this version, but with only a single user interaction at the beginning. The index search will search in all created indexes for an evidence object at the same time.

Since Unicode is now supported for indexing, the characters to index are entered as Unicode characters, and X-Ways Forensics allows you to conveniently select characters from more than 22 languages for indexing. Currently, most European and many Asian languages are predefined, e.g. German, Spanish, French, Portuguese, Italian, Scandinavian languages, Russian, South Slavic languages, Eastern European languages, Greek, Turkish, Hebrew, Arabic, Thai, Vietnamese. We appreciate corrections to these character presets (mail@x-ways.com). Please note that it is the responsibility of the user to select the appropriate code page(s) and to enable substring indexing if the words in the language to index are not delimited with spaces (e.g. in Thai).

Also, it is now possible to optionally create an index that is case-sensitive. This is useful e.g. if you create the index for the purpose of creating a word list for a customized dictionary attack.

To do: The Export Word List command is not implemented yet for the new index algorithm. The program help has not been updated yet.

* When selecting Chinese as the user interface language, more parts of the user interface can now be actually seen with Chinese characters even if the Chinese code page is not active in Windows (as long as support for East Asian characters has been installed).

* The Details mode has been significantly extended for OLE2 compound files (e.g. pre-2007 MS Office documents) and .shd printer spool files, in that it shows their metadata. For MS Office documents, you will often see many more timestamps (e.g. Last Printed), subject, author, organization, keywords, total edit time, and much more.

* You will now see accurate listings of the contents of Windows shortcut files (.lnk) when viewing them in Preview or full-window view. The listing includes path, name, size, attributes and timestamps of the file being linked, volume label and serial number, drive type, icon file, link description, and much more.

* When refining the volume snapshot and verifying the true file type based on signatures, X-Ways Forensics now warns when it finds hybrid MS Office files, i.e. merged MS Word and MS Excel documents that can be opened in both applications, showing different contents. A notice in the messages window will be displayed, and any detected files will be associated with a special report table. Hybrid MS Office files are a clever attempt to conceal the contents of one of the merged documents.

* Ability to open CDs/DVDs in external optical drives as physical media.

* Additional hash category filters have been introduced: Output irrelevant files only, output unknown files only.

* In newly taken volume snapshots, files and directories on NTFS volumes that have an object ID are now flagged with a capital I in the Attribute column.

* When replacing a partitioned evidence object with a (new) image file, the child evidence objects (partitions) will now be replaced with the same image automatically.

* Several minor improvements, some of them in relation to the extraction of e-mail messages.

* An exception error was fixed that could occur at the end of a file header signature search in certain situations. Also to be fixed with v14.2 SR-5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 11, 2007 - 0:59:   

Preview 2:

* It is now possible to define a character substitution list in Unicode that causes certain letters to be indexed as other letters (e.g. "e" with an accent as just an "e"). This will allow you to find certain spelling variations with a single index search, e.g. both the name "Rene" with an accented e at the end and "Rene" without, with either spelling. This list must have the form

>a
ü>u
...

(i.e. 1 substitution per line) and must be saved as a Unicode text file named "indexsub.txt" that starts with the LE Unicode indicator 0xFF 0xFE. "indexsub.txt" is an optional file and expected in the X-Ways Forensics installation directory.

* If a file cannot be copied to an evidence file container, e.g. when filling a container indirectly because an anti-virus tool has intercepted the file and prevented its inclusion in the container, that file is now added to a special report table so that it's easy to specially filter these files and address them separately.

* Ability to extract binary attachments from AOL PFC e-mail archives (still testing).

* Ability to load certain registry files of Windows Vista that could not be loaded before.

* Ability to highlight Unicode search hits in documents in Preview mode even if they contain non-ASCII characters.

* Some other minor improvements.

* The program help was updated to reflect most of the changes and improvements of v14.3.
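The "indexsub.txt" format described in the Preview 2 post above, as an added example that is not part of the original post and not X-Ways code. It writes and validates such a file (UTF-16LE with the 0xFF 0xFE indicator, one `x>y` substitution per line); the function names, the CRLF line endings and the one-character-per-side rule are assumptions, and `fold` only models the effect of the list on a search term.

```python
import codecs

BOM_LE = codecs.BOM_UTF16_LE  # the two bytes 0xFF 0xFE

# Constructed sample list: e-acute -> e, u-umlaut -> u
SAMPLE_PAIRS = [("\u00e9", "e"), ("\u00fc", "u")]


def build_indexsub(pairs):
    """Serialize (source, target) letters as 'x>y' lines, UTF-16LE with BOM."""
    for src, dst in pairs:
        if len(src) != 1 or len(dst) != 1:
            raise ValueError("each side must be exactly one character")
    text = "".join(f"{src}>{dst}\r\n" for src, dst in pairs)  # CRLF assumed
    return BOM_LE + text.encode("utf-16-le")


def parse_indexsub(data):
    """Validate the file contents and return the substitution table."""
    if not data.startswith(BOM_LE):
        # Catches UTF-8, ANSI and UTF-16BE (0xFE 0xFF) saves alike.
        raise ValueError("file does not start with 0xFF 0xFE")
    table = {}
    lines = data[len(BOM_LE):].decode("utf-16-le").splitlines()
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        src, sep, dst = line.partition(">")
        if sep != ">" or len(src) != 1 or len(dst) != 1:
            raise ValueError(f"line {number}: expected one 'x>y' substitution")
        table[src] = dst
    return table


def fold(term, table):
    """Apply the substitutions to a term (illustration of the effect only)."""
    return term.translate(str.maketrans(table))


if __name__ == "__main__":
    blob = build_indexsub(SAMPLE_PAIRS)
    print(blob[:2].hex(), parse_indexsub(blob), fold("Ren\u00e9", dict(SAMPLE_PAIRS)))
```
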

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 20, 2007 - 0:26:   

Beta:

* Same fix level as v14.2 SR-5.

* When optimizing an index, X-Ways Forensics now creates much more compact output files. Generally, optimization should be much faster now compared with v14.2 and earlier.

* Optimization will not merge .xfi files past the 2 GB barrier any more. This allows these files to be archived in old-fashioned zip archives (e.g. if you archive a case and choose to include index files).

* Experimental ability to extract binary attachments from AOL PFC e-mail archives removed.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 23, 2007 - 12:32:   

Beta 2:

* Now finds additional sessions on multi-session CDs with larger gaps between the sessions.

* There will be no message boxes with warnings about unreadable sectors any more (Ignore? Yes/No/Abort). Those warnings will be solely output to the messages window that does not require user interaction (+ during imaging/cloning to the respective log file). The substitute pattern for unreadable sectors can now be defined in the General Options dialog.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 25, 2007 - 22:35:   

Beta 3:

* No longer closes the search hit list when invoking Search | Find Text without the option to list search hits.

* If the subject lines of extracted e-mail messages are not based on the code page that is currently active in Windows, they may be displayed incorrectly. X-Ways Forensics can now make an attempt to fix the subjects after extracting e-mail messages if you specify the code pages related to the case in the case properties.

* Index character substitution feature fixed.

* The search term list now has a context menu from which search terms can be deleted. Useful for users of MacBooks that don't have a Del key.

* The user manual on the web site was updated to reflect the changes of v14.3.

* The messages window can now be minimized, maximized, and restored.

* The General Options dialog window was restructured. This is now the place to define the substitute pattern displayed for unreadable sectors. It was removed from the Create Disk Image dialog window because it affects how bad sectors are treated in any situation.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 30, 2007 - 0:29:   

v14.3 has just been released.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 1, 2007 - 0:28:   

SR-1:

* The option to include substrings in indexes did not work for Unicode in the original v14.3 release. This was fixed.

* In substring-enabled indexes created with v14.3 SR-1 and later, XWF can now optionally search for whole words only (more precisely, beginnings of words). This prevents finding e.g. "card" in "bankcard". Useful if there are too many hits in such solid compound words and you are more interested in the word as a whole word.

* XWF now deals more gracefully with truncated FAT partitions in incomplete image files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 1, 2007 - 11:42:   

SR-2:

* Fixed an error in the General Options dialog window in SR-1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 3, 2007 - 12:41:   

SR-3:

* New directory icons. Dedicated icon for deleted partitions in the case tree and in the case root window.

* Ability to delete the case log from within X-Ways Forensics.

* SR-2 initially did not work correctly with the dongles. This was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 21, 2007 - 20:34:   

SR-4:

* A Japanese translation of the user interface of X-Ways Forensics is now available from our Japanese reseller, Data Recovery Center.

* The Java date+time format now respects the Data Interpreter's Big Endian option. That date+time format can be found in Little Endian in BlackBerry memory dumps. Before, it simply worked always based on Big Endian philosophy.

* Fixed an error that could prevent certain extremely fragmented alternate data streams on NTFS from being opened correctly.

* Fixed display refresh problem in case root window.

* Manually mixing different index .xfi files in the same index subdirectory (undocumented feature) now works reliably. E.g. that way you can have multiple indexes based on the same character set, like an index of words (a-zA-Z) and an index of numbers (0-9), and search all of them simultaneously.

* Various minor improvements.
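The byte-order point in the SR-4 post above, as an added example that is not part of the original post and not X-Ways code. It assumes the Java date+time value is a signed 64-bit count of milliseconds since 1970-01-01 UTC, decodes the same 8 bytes in both byte orders and keeps only the readings that fall inside an examiner-chosen plausibility window; the function names and the sample value are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: 2007-08-21 20:34:00 UTC stored in Little Endian,
# the layout the post reports for BlackBerry memory dumps.
SAMPLE_MS = 1187728440000
SAMPLE_LE = struct.pack("<q", SAMPLE_MS)


def decode_java_time(raw, big_endian=True):
    """Decode 8 bytes as a Java timestamp; None if outside datetime's range."""
    if len(raw) != 8:
        raise ValueError("a Java date+time value is exactly 8 bytes")
    (millis,) = struct.unpack(">q" if big_endian else "<q", raw)
    try:
        return EPOCH + timedelta(milliseconds=millis)
    except OverflowError:
        # The wrong byte order usually lands far outside any calendar date.
        return None


def plausible_orders(raw, earliest, latest):
    """Return {byte order: timestamp} for readings inside the window."""
    hits = {}
    for name, big in (("big", True), ("little", False)):
        stamp = decode_java_time(raw, big)
        if stamp is not None and earliest <= stamp <= latest:
            hits[name] = stamp
    return hits


if __name__ == "__main__":
    window = (datetime(1995, 1, 1, tzinfo=timezone.utc),
              datetime(2030, 1, 1, tzinfo=timezone.utc))
    print(SAMPLE_LE.hex(" "), plausible_orders(SAMPLE_LE, *window))
```
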

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 24, 2007 - 15:32:   

Still SR-4:

* The definitions in File Type Signatures.txt and File Type Categories.txt have slightly changed in that Unix/Linux executable files now have the type "elf" instead of "elfexe", and Windows Vista Event Log Files now have the type "evtx" instead of "elf".

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 31, 2007 - 23:45:   

SR-5:

* Fixed an error that could occur when running an index search from the case root window.

* Search hits based on code page 1251 (Cyrillic) are now displayed correctly in the search hit list.

* Full support for NTFS volumes with exotic FILE record sizes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 9, 2007 - 13:03:   

SR-6:

* Fixed an error that under very special circumstances caused WinHex/X-Ways Forensics to show existing partitions as lost partitions.

* Fixed an error that could occur when opening non-partitioned physical media with v14.3 SR-4 and SR-5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2008 - 12:41:   

SR-7:

* Some of the fixes introduced in later versions. Available to customers on request. Final release.

Forum operated by X-Ways Software Technology AG.