X-Ways User Forum » Public Announcements » X-Ways Forensics 14.6

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Nov 10, 2007 - 2:14:   

A preview version of X-Ways Forensics 14.6 with many noteworthy new features is now available. The download link can be retrieved by querying one's license status.

What's new?

* Ability to completely access and examine media and interpreted image files with more than 4.3 billion (2^32) sectors. (still testing) Allows reading data from beyond the 2 TB barrier on media with a sector size of 512 bytes. Also support for NTFS volumes that consist of more than 2^32 sectors. Other file systems on partitions that large: not specifically supported.

* Ability to attach external files to the volume snapshot and have them processed by X-Ways Forensics like regular files in the volume snapshot. Useful if you need to translate or decrypt original files and would like to reintegrate the result back in the original volume snapshot, in the original path, for further examination, reporting, filtering, searches etc. Such external files will be completely managed by X-Ways Forensics once attached, copied to the metadata directory, and marked as virtual files. In order to attach a file, you right-click the original file that the external file is based on and invoke "Attach external file". The new file should be named based on the original file.

* When filling an evidence file container, two new options are now available: One option allows you to copy files partially to the container only. This is possible if the file has been opened in File mode and a block is selected. Useful e.g. if there is a relevant search hit in the middle of a 2 GB swap file or of a 100 GB virtual free space file, and you would like to forward the context of that search hit to someone via a container, thereby omitting GBs of data that are not related.

* The other option allows you to copy *only* the file system metadata of selected files to a container, totally omitting all file contents. When examining such a container, you can see the entire original directory structure, all filenames, timestamps, file sizes, attributes, etc. and can use various filters.

* Ability to specifically deal with NTFS compression when searching for files via file header signatures (forensic license only). Allows automatically listing NTFS-compressed files of certain types whose FILE records are no longer available. These files are also automatically decompressed for File mode, Preview mode, and the Recover/Copy command.

* Now extracts metadata from JPEG, PNG, TIF, GIF, THM, thumbs.db, ASF, WMV, WMA, MOV, GZ in Details mode in addition to many other file types. Additional metadata now extracted from PPT files. General further improvements for OLE2 compound files.

* When running a file header signature search, WinHex now automatically names Exif JPEG pictures after the model designation and time stamp as stored by the digital camera card. (specialist license or higher)

* The internal creation timestamp that can be found in various file types can now be displayed in a separate directory browser column, once extracted with a new context menu command ("Extract Internal Metadata") or once seen in Details mode. Thanks to this new column and the timestamp filter, it is now very easy to focus on files/documents that were actually created in a certain time period. Internally stored timestamps are usually less volatile than file system level timestamps and more difficult to manipulate retroactively. The supported file types are: OLE2 compound files (e.g. pre-2007 MS Office documents), MDI, ASF, WMV, WMA, MOV, various JPEG variants, THM, TIFF, PNG, GZ, SHD printer spool, PF prefetch, LNK shortcut, and DocumentSummary alternate data streams.

* The option to copy/append metadata to comments has been moved to the same new context menu command.

* The hash set column now comes with a filter that allows you to more conveniently focus on files whose hash values are contained in selected hash sets or are not contained in selected hash sets.

* When using the Recover/Copy command, overlong paths are now truncated and rendered legal if shortening the last path component can achieve that. Any file with a path longer than 259 characters after this attempt will still not be copied and rather associated to a report table because it wouldn't be possible to deal with this file in Windows anyway.

* UTC-based timestamps displayed in the registry viewer and in the registry report now respect the "Show time zone bias" option so that it's obvious if and how they have been converted to local time. The same time zone settings as for the active case are used.

* When analyzing small amounts of data (<50000 bytes) with Tools | Analyze Data, the compression ratio that zlib achieves for that data is now displayed in the analysis window caption.

* Attachments in original .eml e-mail message files (not virtually produced by X-Ways Forensics itself) can now be extracted if you add *.eml to the series of file masks for e-mail extraction.

* Item numbers in the directory browser are now 1-based instead of 0-based.

* Sectors mode is now labeled either Disk, Partition, Volume, or Container, depending on the nature of the data represented in the data window.

* Several minor improvements.
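Added example (not code from X-Ways or from the post above): how the automatic naming of carved Exif JPEGs after the camera model and capture timestamp can be implemented. It walks the JPEG marker segments to the APP1/Exif block, parses the TIFF header in either byte order, reads Model (0x0110) from IFD0 and DateTimeOriginal (0x9003) from the Exif IFD, and builds a file name. The sample JPEG is constructed in the block (APP1 segment only, no scan data), the naming scheme "<Model> <YYYY-MM-DD HH.MM.SS>.jpg" is an assumption since the post does not state the exact format, and the tag numbers come from the Exif 2.2 specification. The point a practitioner should take from it: the Model string is carved, untrusted data, so it must be sanitized before it is used as a path component.

```python
import re
import struct

# Exif/TIFF tag numbers used below (Exif 2.2 specification)
TAG_MODEL = 0x0110              # IFD0: camera model designation
TAG_EXIF_IFD = 0x8769           # IFD0: pointer to the Exif-private IFD
TAG_DATETIME_ORIGINAL = 0x9003  # Exif IFD: "YYYY:MM:DD HH:MM:SS"
TYPE_ASCII, TYPE_LONG = 2, 4


def build_exif_jpeg(model, dt_original, little_endian=True):
    """Constructed sample input: a JPEG with one APP1/Exif segment and no scan data."""
    o = "<" if little_endian else ">"
    model_b = model.encode("ascii") + b"\0"
    dt_b = dt_original.encode("ascii") + b"\0"
    assert len(model_b) > 4 and len(dt_b) > 4  # this builder only emits out-of-line values
    # Offsets relative to the TIFF header: header(8) | IFD0(2+2*12+4) | model | Exif IFD(2+12+4) | datetime
    model_off = 8 + 2 + 2 * 12 + 4
    exif_ifd_off = model_off + len(model_b)
    dt_off = exif_ifd_off + 2 + 12 + 4
    entry = lambda tag, typ, count, val: struct.pack(o + "HHII", tag, typ, count, val)
    tiff = struct.pack(o + "2sHI", b"II" if little_endian else b"MM", 42, 8)
    tiff += struct.pack(o + "H", 2)
    tiff += entry(TAG_MODEL, TYPE_ASCII, len(model_b), model_off)
    tiff += entry(TAG_EXIF_IFD, TYPE_LONG, 1, exif_ifd_off)
    tiff += struct.pack(o + "I", 0) + model_b          # next-IFD pointer 0, then model string
    tiff += struct.pack(o + "H", 1)
    tiff += entry(TAG_DATETIME_ORIGINAL, TYPE_ASCII, len(dt_b), dt_off)
    tiff += struct.pack(o + "I", 0) + dt_b
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _ascii_value(tiff, o, entry_pos, count):
    """ASCII values of 4 bytes or less are stored inline in the entry, longer ones via offset."""
    if count <= 4:
        raw = tiff[entry_pos + 8:entry_pos + 8 + count]
    else:
        off = struct.unpack_from(o + "I", tiff, entry_pos + 8)[0]
        raw = tiff[off:off + count]
    return raw.split(b"\0", 1)[0].decode("ascii", "replace").strip()


def _ifd_entries(tiff, o, ifd_off, wanted):
    """Map wanted tag -> (type, count, entry position) for the entries of one IFD."""
    found = {}
    n = struct.unpack_from(o + "H", tiff, ifd_off)[0]
    for i in range(n):
        pos = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(o + "HHI", tiff, pos)
        if tag in wanted:
            found[tag] = (typ, count, pos)
    return found


def exif_model_and_datetime(jpeg):
    """Return (Model, DateTimeOriginal) or None if the JPEG carries no usable Exif block."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    tiff, pos = None, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9 or 0xD0 <= marker <= 0xD8:   # standalone markers carry no length field
            pos += 2
            continue
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            break
        if marker == 0xDA:   # start of scan: metadata segments never follow it
            return None
        pos += 2 + seglen
    if tiff is None:
        return None
    try:
        o = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if o is None or struct.unpack_from(o + "H", tiff, 2)[0] != 42:
            return None
        ifd0 = struct.unpack_from(o + "I", tiff, 4)[0]
        top = _ifd_entries(tiff, o, ifd0, {TAG_MODEL, TAG_EXIF_IFD})
        model = dt = None
        if TAG_MODEL in top:
            model = _ascii_value(tiff, o, top[TAG_MODEL][2], top[TAG_MODEL][1])
        if TAG_EXIF_IFD in top:
            exif_off = struct.unpack_from(o + "I", tiff, top[TAG_EXIF_IFD][2] + 8)[0]
            sub = _ifd_entries(tiff, o, exif_off, {TAG_DATETIME_ORIGINAL})
            if TAG_DATETIME_ORIGINAL in sub:
                e = sub[TAG_DATETIME_ORIGINAL]
                dt = _ascii_value(tiff, o, e[2], e[1])
        return model, dt
    except struct.error:   # truncated or corrupt TIFF structure, common in carved data
        return None


_ILLEGAL = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def carved_name(jpeg, fallback):
    """Hypothetical naming scheme: '<Model> <YYYY-MM-DD HH.MM.SS>.jpg'. The Model string is
    attacker-controllable carved data, so path separators and reserved characters are replaced
    and leading dots stripped before it becomes a file name."""
    meta = exif_model_and_datetime(jpeg)
    if meta is None:
        return fallback
    model, dt = meta
    parts = []
    if model:
        parts.append(_ILLEGAL.sub("_", model).strip(". "))
    if dt and re.fullmatch(r"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}", dt):
        d, t = dt.split(" ")
        parts.append(d.replace(":", "-") + " " + t.replace(":", "."))
    parts = [p for p in parts if p]
    return (" ".join(parts) + ".jpg") if parts else fallback
```

The fallback name is what a carving tool would otherwise assign (e.g. a sequence number); it is also used when the Exif block is missing, malformed, or contains neither tag, so a corrupt carved file never ends up with an empty or attacker-chosen path.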
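Added example (not X-Ways code) for the Recover/Copy path handling described above: shorten only the last path component so the full output path fits the 259-character limit, keep the extension, and, if the directory part alone already exceeds the limit, report the item instead of copying it. Because shortening can make two different names collide, the planner also inserts a numeric suffix in that case. The destination root, the sample paths and the suffix style are constructed for the example.

```python
MAX_PATH_CHARS = 259   # the limit quoted in the post; the full output path must fit in it
SEP = "\\"


def _split_name(last):
    """Split 'name.ext' into (stem, dot, ext); names without an extension or with a leading
    dot only ('.hidden') are treated as pure stems."""
    stem, dot, ext = last.rpartition(".")
    if not dot or not stem:
        return last, "", ""
    return stem, dot, ext


def plan_output_path(dest_root, rel_path):
    """Return (output_path, copied). Only the last component is shortened and its extension
    is kept. If even that cannot bring the path under the limit, copied is False so the
    caller can list the item in a report table instead of silently skipping it."""
    full = dest_root.rstrip(SEP) + SEP + rel_path
    if len(full) <= MAX_PATH_CHARS:
        return full, True
    head, _, last = full.rpartition(SEP)
    stem, dot, ext = _split_name(last)
    budget = MAX_PATH_CHARS - len(head) - len(SEP) - len(dot) - len(ext)
    if budget < 1:   # the directory part alone already exceeds the limit
        return full, False
    return head + SEP + stem[:budget] + dot + ext, True


def plan_recover_copy(dest_root, rel_paths):
    """Plan a Recover/Copy run: returns (copies, report_table). copies is a list of
    (original relative path, output path); report_table holds the items that could not be
    given a legal path. Truncated names that collide (case-insensitively, as on Windows)
    get a '~N' suffix carved out of the stem so the result stays within the limit."""
    copies, report_table, seen = [], [], set()
    for rel in rel_paths:
        out, ok = plan_output_path(dest_root, rel)
        if not ok:
            report_table.append(rel)
            continue
        candidate, n = out, 1
        while candidate.lower() in seen:
            n += 1
            head, _, last = out.rpartition(SEP)
            stem, dot, ext = _split_name(last)
            suffix = "~%d" % n
            candidate = head + SEP + stem[:max(0, len(stem) - len(suffix))] + suffix + dot + ext
        seen.add(candidate.lower())
        copies.append((rel, candidate))
    return copies, report_table
```

The collision handling matters in practice: a directory full of documents that differ only in the tail of a very long name would otherwise be silently overwritten in the output folder, and the examiner would never see that evidence went missing.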
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 11, 2007 - 21:29:   

Preview 2:

* Support for multiple variants in the daylight saving definition for the same time zone in different years. Predefined for USA, Canada, (Western) Australia, and New Zealand with recent daylight saving changes in mind.

* The File Header Signature Search and File Recovery by Type features now distinguish between default file sizes that are used if the internal algorithm does not support a certain file type and a maximum file size that limits the attempt of the internal algorithm to find the end of files of specially supported file types.

* Ability to create partial raw images and .e01 evidence files by specifying a sector number that is not the last sector on the disk as the last sector to copy.

* Support for .e01 evidence files that consist of more than 512 segments.

* Greatly reduced memory requirement for .e01 evidence files that consist of a lot of segments.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 16, 2007 - 2:52:   

Preview 3:

* Some metadata is now extracted from unprotected PDF documents. Details available for zip archives.

* Ability to detect MS Office files (Word, Excel and PowerPoint) with Microsoft DRM (Digital Rights Management) or Oracle IRM applied. Such files are marked with e! in the Attribute column, just as file format specifically encrypted files are. Requires the latest version of the viewer component.

* Some fixes of errors in earlier preview versions.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 19, 2007 - 15:18:   

Preview 4:

* Ability to securely wipe inactive directory entries on FAT volumes, to thoroughly remove traces of previously existing files or earlier names/locations of existing files from the file system. Tools | Disk Tools | Initialize Directory Entries. (still testing) Useful especially in conjunction with the command to initialize all free space.

* Parsing the NTFS system file $LogFile for Preview/View is now considerably faster.

* When adding a container to a case that contains an internal description, that description is now shown in a message box in addition to the evidence object properties. That is useful because this field allows the preparer of a container to send messages/instructions/hints/comments to the recipient.

* MFT auto coloring now optionally even works on corrupt partitions that are not recognized as NTFS volumes any more and on physical media.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 21, 2007 - 21:41:   

Beta:

* Some fixes of errors in earlier preview versions.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 26, 2007 - 2:32:   

Beta 2:

* A logical search can now be optionally applied to all *selected* items, just as in X-Ways Forensics versions up to 13.7, via the directory browser context menu.

* Search terms can now be more variably combined. In particular, using a NOT operator is now much more convenient:

A
B
= search hits for A and search hits for B that occur in any files (normal OR combination)

+A
B
= search hits for A and search hits for B that occur in files that contain A

+A
+B
= search hits for A and search hits for B that occur in files that contain both A and B

+A
-B
= search hits for A that occur in files that do not contain B

To force a search term, select it and press the "+" key. To exclude a search term, select it and press the "-" key. You may also use the context menu of the search term list for that.

* Seconds in timestamps can now optionally be displayed with up to 3 decimal places after the decimal point in the directory browser, wherever that precision is available (e.g. NTFS and Reiser4 file systems and partially in FAT).

* File sizes can now optionally be always displayed in bytes in the directory browser rather than in KB, MB, or TB.
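Added example (not X-Ways code) of the search term combination rules described in the Beta 2 post: a "+" term must occur in a file for any of that file's hits to be listed, a "-" term must not occur, and unprefixed terms are a plain OR. The representation of search hits as a per-file map of term to byte offsets, and the sample hit list, are constructed for the example; only the combination semantics come from the post.

```python
def parse_search_terms(text):
    """Parse a search term list, one term per line: a leading '+' forces the term,
    a leading '-' excludes it, anything else is an ordinary (OR) term."""
    terms = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] in "+-":
            terms.append((line[0], line[1:].strip()))
        else:
            terms.append(("", line))
    return terms


def combine_hits(hits, terms):
    """hits: {file: {term: [byte offsets]}} as a logical search would produce (constructed).
    Returns the hits that survive the combination rules:
      a file is kept only if it contains every '+' term and none of the '-' terms;
      hits of '-' terms are never listed, hits of all other terms are."""
    required = {t for s, t in terms if s == "+"}
    excluded = {t for s, t in terms if s == "-"}
    listed = [t for s, t in terms if s != "-"]
    result = {}
    for name, per_term in hits.items():
        present = {t for t, offs in per_term.items() if offs}
        if not required <= present or present & excluded:
            continue
        kept = {t: per_term[t] for t in listed if per_term.get(t)}
        if kept:
            result[name] = kept
    return result


# Constructed sample: byte offsets at which each term was found in each file
HITS = {
    "pagefile.sys": {"A": [1024, 9000], "B": [4096]},
    "notes.txt": {"A": [12]},
    "mail.eml": {"B": [300]},
    "other.doc": {"C": [7]},
}

if __name__ == "__main__":
    for spec in ("A\nB", "+A\nB", "+A\n+B", "+A\n-B"):
        print(spec.replace("\n", " "), "->", combine_hits(HITS, parse_search_terms(spec)))
```

Note that exclusion works at file level: with "+A" and "-B", a file that contains both A and B contributes no hits at all, not just its A hits with the B hits removed.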
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 29, 2007 - 14:57:   

Beta 3:

* Cases now remember for each evidence object an optional alternative path where additional image file segments are stored. That means you do not have to pick the additional path each time you open the evidence object. Useful if your images are too large to fit on the same drive (letter).

* It is now possible to more conveniently categorize files (i.e. associate them with report tables) using keyboard shortcuts. Try Ctrl+1, Ctrl+2, ..., Ctrl+9 to create report table associations for selected files. You can assign these keyboard shortcuts to your most important report tables yourself by pressing the keys in the dialog window for report table associations. The assigned shortcuts will be remembered by the case.

* You can now easily tell from the Technical Details Report and from the description of the evidence object whether an evidence file container is considered secure (filled with the indirect method) or not.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 1, 2007 - 18:38:   

Beta 4:

* Ability to find files via file header signatures and recover or merely list them with default file sizes larger than 2 GB.

* The internal creation and modification date available in evidence file containers created by X-Ways Forensics 14.5 and later can now be seen in the evidence object properties when a container is added to a case.

* If NumLock is activated, the numpad keys can also be used to conveniently associate files with report tables.

* It is now possible to recursively tag selected directories in an already recursive list.

* An additional column displays the internal ID of the parent directory of a file or directory. Useful e.g. when exporting a list of files and directories to uniquely identify directories if there are name collisions.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 6, 2007 - 11:02:   

v14.6 has just been released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 6, 2007 - 23:07:   

SR-1:

* Fixed an error that caused certain GREP search hits to be incorrectly regarded as Unicode hits.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 28, 2007 - 17:31:   

SR-2:

* Two new investigator.ini options: Prevent removal of evidence objects and prevent use of Recover/Copy command (mandatory in X-Ways Investigator, meant as an option in X-Ways Forensics when run with the reduced user interface for non-IT investigators).

* Directories within PST e-mail archives, whose names contain true Unicode characters, can now be recreated when extracting e-mail messages. Previously this failed because of illegal names. The Unicode characters are lost and replaced with underscores, though.

* Fixed an exception error that could occur when viewing certain search hits in Preview mode.

* Fixed an error that could lead to incorrect data being shown in sectors above the 2 TB barrier.
Ross Johnson
Username: ross_winpro_net

Registered: N/A
Posted on Monday, Jan 14, 2008 - 20:41:   

14.6 SR-2

Adding to Report Table via Numeric pad

I would like the Numeric Pad (adding to a report table) to also work when navigating Gallery View (currently must re-click (activate) the object in the Directory Browser to use the Num-Pad option of adding to a Report Table).

Also would like an option for the Num-Pad to NOT replace Report Tables already associated to the object.

I have checked for options to do such, but have not found ... ??

Thank you,

Ross@WinPro.net
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 14, 2008 - 20:55:   

1) Will try to implement that some time.
2) No such option yet.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 15, 2008 - 19:08:   

SR-3:

* The directory entries in clusters other than the first one in directories on FAT12/FAT16 volumes that are child directories of the root directory and whose names consist of only 1 or 2 characters were ignored. Files defined by ignored directory entries could only be found through a file header signature search. This was fixed.

* Some instability issues in support for certain file types fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 4, 2008 - 20:25:   

SR-4:

* Some of the fixes introduced in later versions.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2008 - 12:41:   

SR-5:

* Some of the fixes introduced in later versions. Available to customers on request.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 27, 2008 - 19:43:   

SR-6:

* Some of the fixes introduced in later versions. Available to customers on request. Final release.

Forum operated by X-Ways Software Technology AG.