X-Ways Forensics 14.7

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 29, 2007 - 1:06:   

A preview version of X-Ways Forensics 14.7 is now available. The download link can be retrieved by querying one's license status.

What's new?

* The virtual "Path unknown" directory on NTFS volumes is now often much better organized. It identifies files and subdirectories whose original parent directories are unknown but known to be the same. Such files and subdirectories are now collected in the same generically named virtual directory, which makes it easier to get an idea what that directory might have been and more quickly identify relevant and irrelevant files. Applies to newly taken volume snapshots only.

* The thorough file system data structure search on NTFS volumes now often turns up even more traces of previously existing files than before, including even more earlier names and earlier paths of renamed/moved files. (forensic license only)

* Support for dynamic volumes defined on GUID partitioned (GPT) disks. Such dynamic volumes can be used under Windows Vista and the 64-bit versions of Windows XP and Windows 2003 Server.

* Now automatically finds all partitions on hard disks that have both valid GPT and MBR partition definitions.

* Ability to conveniently find the e-mail message that contains the selected attachment, via the directory browser context menu, not for AOL PFC. (forensic license only)

* Extracted metadata were previously added to the Comments column. Now there are a separate column and a separate filter for metadata, and the Comments column is now reserved for the examiner's own comments.

* Metadata extraction from RTF, MP4, 3GP, M4V, M4A, RIFF files (.wav, .avi, ...) and IE cookies. (forensic license only)

* Intelligent file size detection for MP4, 3GP, M4V, M4A, MOV, DBX during file header signature search.

* File Header Signatures.txt further expanded.

* PDF documents with old, invisible versions of the same document are now associated automatically with a special report table once viewed in Details mode or once internal metadata has been extracted from them. (forensic license only) Once aware that old versions exist, well-versed users can make them visible if needed.

* Extracts the internal creation timestamp from Internet Explorer cookies, Norton Ghost .gho and PGP pubring.pkr keyring files. (forensic license only)

* Ability to preview/view INFO2 files as well as most SPL printer spool files. Ability to automatically extract EMF files from multi-page SPL printer spool files (see Refine Volume Snapshot). (forensic license only)

* Ability to control NTFS compression for raw image files in File | Create Disk Image: none, sparse, or normal.

* Correct conversion from/to the Windows code pages between 50220 and 50230.

* When viewing a file externally that was already copied to the directory for temporary files before for viewing and still exists there, it is not copied again any more.

* New investigator.ini option: Prevent taking new volume snapshots.

* Fixed an exception error that could occur with very long image file paths and names.

* Same fix level as v14.6 SR-2.

* Several minor improvements.
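
The GPT/MBR item in the list above concerns disks that carry both a valid GPT and real MBR partition entries. The following is an added example, not part of the original post and not X-Ways code, showing how such a disk can be recognized from its first two sectors. It assumes 512-byte sectors and checks only the primary GPT header's signature and header CRC32; `classify` and `sample_disk` are hypothetical names, and the sample disks are constructed.

```python
import struct
import zlib

SECTOR = 512  # assumption: 512-byte logical sectors

def mbr_partitions(sector0: bytes) -> list:
    """Return (type, start_lba, sector_count) for each used MBR table entry."""
    if sector0[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = sector0[off + 4]
        start, count = struct.unpack_from("<II", sector0, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts

def gpt_header_valid(sector1: bytes) -> bool:
    """Check signature and header CRC32 of the primary GPT header (LBA 1)."""
    if sector1[:8] != b"EFI PART":
        return False
    size, stored = struct.unpack_from("<II", sector1, 12)
    if not 92 <= size <= len(sector1):
        return False
    # The CRC is computed with its own field (bytes 16..19) zeroed.
    zeroed = sector1[:16] + b"\x00" * 4 + sector1[20:size]
    return zlib.crc32(zeroed) == stored

def classify(disk: bytes) -> str:
    """Label the first two sectors as 'hybrid', 'gpt', 'mbr' or 'none'."""
    real = [p for p in mbr_partitions(disk[:SECTOR]) if p[0] != 0xEE]
    gpt = gpt_header_valid(disk[SECTOR:2 * SECTOR])
    if gpt and real:
        return "hybrid"  # GPT plus non-protective MBR entries: both need parsing
    if gpt:
        return "gpt"     # only the 0xEE protective entry (or no MBR entries)
    return "mbr" if real else "none"

def sample_disk(mbr_types, with_gpt: bool) -> bytes:
    """Build a constructed two-sector disk image for demonstration."""
    s0, s1 = bytearray(SECTOR), bytearray(SECTOR)
    for i, t in enumerate(mbr_types):
        struct.pack_into("<B3xB3xII", s0, 446 + 16 * i, 0, t, 1 if t == 0xEE else 2048, 4096)
    s0[510:512] = b"\x55\xaa"
    if with_gpt:
        struct.pack_into("<8sIII", s1, 0, b"EFI PART", 0x00010000, 92, 0)
        struct.pack_into("<I", s1, 16, zlib.crc32(bytes(s1[:92])))
    return bytes(s0 + s1)
```

A disk classified as `hybrid` is the case where a tool that reads only one of the two tables can miss partitions.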

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 2, 2008 - 12:52:   

Preview 2:

* When creating raw image files or .e01 evidence files of volumes/partitions with WinHex, there is now an option to store free clusters as zero-value bytes. (specialist or forensic license only) That is useful if you create the image for data backup and not for forensic purposes, in conjunction with compression, to save drive space. This option is not available in X-Ways Forensics, to prevent the unintentional creation of images that are not forensically sound.

* Ability to immediately and automatically verify newly created raw images and .e01 evidence files by recomputing the hash values. (forensic license only)

* Option to immediately replace an evidence object in the active case with a newly created image, if a disk is imaged that is associated with the active case as an evidence object.

* Progress indicator window and ability to abort for metadata extraction.

* More informative progress indicator window for thorough NTFS file system data structure search and file header signature search.

* thumbs.db and many Windows Registry files found via file header signature search are now listed/recovered with their original names. Intelligent file size detection for Windows Registry files.

* Now complete Unicode support in technical details report, technical description of evidence objects, and technical description in .e01 evidence files.

* Several minor improvements.

Ross Johnson
Username: ross_winpro_net

Registered: N/A
Posted on Monday, Jan 7, 2008 - 7:52:   

New Wish List item for new 14.7 feature:

When choosing to immediately and automatically verify newly created raw images; to have the Disk Image report to also include the time duration for the Hash phase and also the cumulative total duration.

Also, perhaps, an option to exclude opening and interpreting the resulting file?? Please?

Thank you,

Ross@WinPro.net

Ross Johnson
Username: ross_winpro_net

Registered: N/A
Posted on Monday, Jan 7, 2008 - 7:55:   

P.S.

also the MB/min for the hash phase and the combined phases.

Again, thank you,

Ross@Winpro.net

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 7, 2008 - 10:22:   

> Also, perhaps, an option to exclude opening and
> interpreting the resulting file??

That's necessary for hashing. Not sure why this is a problem.

Don Camillo
Username: willybilly

Registered: N/A
Posted on Monday, Jan 7, 2008 - 16:40:   

Is there a way to verify an existing image? May be useful if you get an image from another person / company. I found none.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 7, 2008 - 16:56:   

Considering how important it is to verify images, your question is a little surprising. You can recompute and compare the hash value of interpreted images in WinHex/X-Ways Forensics since 2002 (uninterpreted: 199x), yes, and in X-Ways Forensics there has always been a button especially for this in the evidence object properties dialog.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 8, 2008 - 13:49:   

Beta:

* When clicking a value in a loaded hive in the Registry Viewer, if the data window with the drive/image from which the hive was loaded is in File mode, the cursor will automatically jump to the selected value in the registry file in File mode, and the value will automatically be selected as a block in that file. Useful as that allows to see values, in particular binary ones, in both hexadecimal and text and as that allows to easily copy binary values in either binary or as text, not only as hex ASCII.

* New option: The bytes in the display can be represented as characters in the text column one by one, or WinHex can try to combine them, which if the active code page in Windows is a double-byte character set may be desirable to get the characters right (if 2 bytes = 1 character), or undesirable because of the variable row length.

* When using distributed indexing, X-Ways Forensics now tries to detect differences in the index settings used by the various participants (options such as code pages, substring support, character pool etc.). If detected, at least one of the participants will be warned before indexing starts on that machine. Obviously, in a shared indexing effort the settings should be the same everywhere.

* Interpreted raw images now show up in the Select Target Disk dialog window of Tools | Disk Tools | Clone Disk in WinHex with a specialist or forensic license (not in X-Ways Forensics). Useful if you wish to selectively copy certain sector ranges from one image or disk to another image.

* The logs for Refine Volume Snapshot, Logical Search, and Indexing, which contain the internal IDs of processed files to identify the offending file in case of a crash, are no longer stored in separate log files and no longer in the evidence object metadata directories. Instead, a single file "VS.log" is now created in the directory from where X-Ways Forensics is run, and it is overwritten each time a new operation is started. This means you no longer have to search for the correct log file for the last operation, and it also saves drive space. As before, the last line in such a file specifies the internal ID of the last file that was processed. New: The operation type and the name of the disk/image can be seen in the first line.

* Fixed an error in the new auto-verify/auto-replace feature for images.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 10, 2008 - 14:46:   

Beta 2:

* Option to create the copylog file as a tab-delimited ASCII or Unicode text file instead of HTML. Option to only output the target filename/path and no original metadata in additional columns. Option to only output original metadata columns and no target filename/path.

* Microsoft's XPS documents are now treated like archives, such that in particular the XML files within are now properly covered in logical searches (as long as the contents of archives have been included in the volume snapshot, of course).

* Partitions formatted with exFAT are now recognized as such. (Does not mean that the exFAT file system is now natively supported.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 15, 2008 - 19:29:   

Beta 3:

* Improved Unicode support for textual values in the registry viewer and in the registry report.

* In the registry report, binary data such as "RecentDocs" can now optionally be interpreted as Unicode text, which e.g. allows to view non-Latin 1 filenames.

* The automatically suggested registry report output filename now depends on the definition file used. Useful to avoid accidentally overwriting reports created on different registry keys for different purposes, and to immediately get an idea of the purpose of the report if the definition file was already adequately named.

* Attachments and embedded files in e-mail messages that are attachments to other e-mail messages (e.g. forwarded) can now be extracted from the outer e-mail message if you add *.eml to the series of file masks for e-mail extraction.

* Some minor improvements.

* Same fix level as v14.6 SR-3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 17, 2008 - 14:19:   

v14.7 was just released.

New since Beta 3:

* Improved JPEG file size detection/estimation for File Header Signature Search and File Recovery by Type.

* Improved results of thorough file system data structure search on NTFS volumes that still can be recognized as NTFS volumes, whose MFT however is corrupted and cannot be read any more.

* Two new investigator.ini options: prevent arbitrary files from being opened externally with associated programs, and prevent redefinition of external viewer programs.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 21, 2008 - 23:14:   

SR-1:

* Preview/View support for $I* Vista recycle bin files.

* Better handling of CD-ROM XA, but still most sectors cannot be read. Unlike as so often with the competitors, X-Ways Forensics will alert you that there is a problem. At least many times now it is possible to open the files on such CDs (e.g. Video CDs) through the operating system (see Security Options).

* The Attach External File command in the directory browser context menu is now available in X-Ways Investigator, too.

* Case context menu fixed in X-Ways Investigator.

* Other minor improvements.
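
The `$I*` files mentioned in the SR-1 list above are the small index records Windows Vista writes next to each recycled file. The following is an added example, not part of the original post and not X-Ways code, that decodes the Vista-era layout (version 1, fixed 544 bytes); `parse_vista_i` and `build_sample` are hypothetical names and the sample record is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VISTA_I_SIZE = 544  # 8 header + 8 size + 8 FILETIME + 520 path bytes

def parse_vista_i(data: bytes) -> dict:
    """Decode a version 1 $I record: original size, deletion time, original path."""
    if len(data) < VISTA_I_SIZE:
        raise ValueError(f"truncated $I record: {len(data)} bytes")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        # Later Windows versions use a different layout; reject rather than guess.
        raise ValueError(f"unexpected $I version {version}")
    # The path is a fixed 260-character UTF-16LE field, NUL-padded.
    raw_path = data[24:VISTA_I_SIZE].decode("utf-16-le", errors="replace")
    path = raw_path.split("\x00", 1)[0]
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"size": size, "deleted_utc": deleted, "path": path}

def build_sample(path: str, size: int, deleted: datetime) -> bytes:
    """Build a constructed $I record for demonstration (not real evidence)."""
    ticks = int((deleted - FILETIME_EPOCH).total_seconds()) * 10_000_000
    name = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, size, ticks) + name
```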

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 22, 2008 - 14:57:   

SR-2:

* v14.7-specific error fixed in Attach External File command.

* The Attach External File command can now even be used to attach multiple files at the same time. Useful e.g. after having extracted pictures from a video. When you attach the externally stored pictures to the video, a virtual directory will be created named after the video file, and the files will be shown collectively in that directory. If a single file is attached only (e.g. the converted/decrypted/translated version of a document), no artificial directory is needed, so it works as before.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 27, 2008 - 22:56:   

SR-3:

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 29, 2008 - 0:59:   

SR-4:

* Fixed an exception error that under certain circumstances occurred when entering into search hit list mode.

* Fixed a file creation error that could occur when extracting pictures from documents in SR-3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 4, 2008 - 20:08:   

SR-5:

* Since v14.6, if any hash sets were selected for the hash set filter, they were used for hash set matching, too, even if unselected for matching by the user. This was fixed.

* Since v14.6, the option "Not only extract, also embed attachments" only embedded e-mail attachments in .eml files and did not extract them. This was fixed.

* More variants of info2 files now supported in Preview mode and by the View command.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 12, 2008 - 1:42:   

SR-6:

* The registry viewer now allows to search for true Unicode characters in values (data). An error was fixed that prevented finding text in the values (data) in earlier releases of v14.7. The number of hives that can be loaded simultaneously has been increased from 16 to 32.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 13, 2008 - 1:50:   

SR-7:

* The exception list for the indexing algorithm, if enabled by the user, was not correctly utilized any more since v14.3. This was fixed.

* Fixed an exception error that could occur when opening very large FAT16 volumes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 15, 2008 - 12:06:   

SR-8:

* Screen update problem in gallery fixed, for files without known contents (for which file system metadata is available only).

* Minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2008 - 12:41:   

SR-9:

* Some of the fixes introduced in later versions. Available to customers on request.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 27, 2008 - 19:43:   

SR-10:

* Some of the fixes introduced in later versions. Available to customers on request. Final release.

Forum operated by X-Ways Software Technology AG.