X-Ways Forensics 14.8

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 29, 2008 - 23:07:   

A preview version of X-Ways Forensics 14.8 is now available. The download link can be retrieved by querying one's license status.

What's new?

* Ability to extract JPEG pictures from video files, in a user-defined interval (e.g. every 20 seconds). Immensely useful if you have to systematically check many videos for inappropriate or illegal content (e.g. child pornography). Looking at extracted pictures in the gallery is much faster and more comfortable than having to watch each video entirely one after the other, as the amount of data is vastly reduced, and the extraction process can be run unattended e.g. overnight.

Also useful if you need to include still pictures in a printed report. The extracted pictures of each video are collected in a virtual directory named after the original video file, as virtual files, in the same path as the original file, so that it's easy to link suspicious still pictures back to a video. The first extracted picture of a video at the same time serves as a preview picture for the video file in Preview and Gallery mode. ASF/WMV videos protected with digital rights management (DRM) cannot be processed and are consequently marked with e! in the Attr. column.

Requires an external program, either the non-GUI version of MPlayer and its separately downloadable codec package (extract to "codecs" subdirectory of MPlayer), or Forensic Framer (available February 2008). The program has to be selected in Options | Viewer Programs. Pictures can be extracted from these video formats and codecs.

* Ability to rename virtual directories, with a new command in the directory browser context menu.

* Ability to preview/view $EFS logged utility streams (LUS).

* The option to filter out $EFS logged utility streams was removed from the directory browser option dialog. An option was added that keeps NTFS LUS from being included in newly taken volume snapshots in the first place, or only non-$EFS LUS. Useful for NTFS volumes written by Windows Vista if you are not interested in NTFS LUS.

* Attribute filters for NTFS $EFS, other logged utility streams, NTFS offline files, files with object ID, Unix/Linux symlinks, and other Unix/Linux special files.

* Attribute filters for pictures that were extracted from videos and for virtual files that were manually attached to a volume snapshot.

* Option to retain alternate data streams as ADS when using the Recover/Copy command if the output volume is formatted with NTFS. (forensic license only) If disabled or if copied to a different file system, ADS are recreated as conventional files, as before.

* When using the Recover/Copy command to copy files including their path, the name of the evidence object is now recreated as a directory also if "Default to evidence object folders for output" is unchecked in the case properties, not only when copying from a recursively explored case root window.

* Metadata extraction from MP3 files. ID3-embedded files other than JPEG and PNG (which can be automatically extracted) are indicated by a special report table once discovered.

* File Type Signatures.txt, File Type Categories.txt, and file carving further expanded and improved.

* Support for anchors in the GREP syntax: \b for a word boundary, ^ for the start of a file, $ for the end of a file.

* Further improved partial support for CD-ROM XA.

* Should X-Ways Forensics crash during Refine Volume Snapshot, Logical Search or Indexing whenever it is dealing with one of the files in the volume snapshot, you will automatically be pointed to the offending file when you restart the program, so that you can easily omit it when trying again. Depends on a new option in Security Options. The VS.log file known from v14.7 is no longer created.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 4, 2008 - 20:37:   

Beta:

* The Options | Viewer Programs dialog window now allows you to define an additional external program specifically for video files (forensic license only). If defined, double-clicking files that belong to the Video category will send them directly to that external program. If MPlayer is detected by X-Ways Forensics (or Forensic Framer, which includes MPlayer), MPlayer will be predefined.

* The option to group tagged and untagged items was removed. However, it is now easily possible to filter by tags (see below).

* The options to filter out existing/previously existing/hidden items have been superseded by options that are defined in a "positive" sense and more in line with other filters: Show existing files, show previously existing items, show tagged items, show untagged items, show hidden items, show non-hidden items. This change also renders it very easy to focus on files that were tagged or hidden.

* A path filter has been introduced. Allows you to focus on files in whose path a certain substring occurs, e.g. "pic" or "Temporary Int".

* X-Ways Forensics can now distinguish between .wma/.wmv audio/video files when verifying the file type based on signatures. Much more metadata is now extracted from .asf, .wmv, and .wma files. For a MS Excel document, the name of the person that opened it last is now extracted.

* File Type Signatures.txt further expanded.

* Available hashes in the volume snapshot are now reused instead of re-computed when creating hash sets.

* Additional option in investigator.ini that prevents users from deleting report tables.

* Same fix level as v14.7 SR-5.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 12, 2008 - 1:43:   

Beta 2:

* Intelligent file size detection for .rar archives for File Header Signature Search and File Recovery by Type, which allows you to extract and not only list files in such archives.

* Files identified as duplicates based on hash values are no longer optionally marked with comments, but with a "duplicates found" mark in the Attribute column, which is more efficient, is retained in evidence file containers (for the recipient to see that he/she can be supplied with the duplicates if needed), and is now filterable.

* Can now identify the exact type of optical media in the technical details report (whether CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RW, etc.). Somewhat faster read access to DVDs.

* Predefined character pool for indexing Japanese text.

* Ability to copy selected text from viewer component windows to the clipboard in Unicode and RTF.

* File Type Categories.txt and File Type Signatures.txt further expanded.

* Other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 15, 2008 - 14:45:   

Beta 3:

* Details mode now more visually appealing and easier to understand. Will be further improved in future releases/versions.

* File header signature search and file type verification improved for HTML, XML, XSD, and DTD.

* There is now an Attr. filter that allows you to focus on files for which file system metadata is available only and whose contents are totally unknown (where not even the original location of the data on the volume is known). Such files are usually part of the volume snapshot after a particularly thorough file system data structure search on NTFS volumes.

* The setup program now shows a progress window when the viewer component is copied (if found in the subdirectory \viewer). It also automatically copies MPlayer (if found in the subdirectory \MPlayer). Remember that if these external components are found in the expected subdirectories, they are activated in Options | Viewer Programs automatically.

* Other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 19, 2008 - 0:25:   

Beta 4:

* When pictures are extracted from video files or when e-mail messages and attachments are extracted from e-mail archives, X-Ways Forensics no longer creates a virtual directory whose name resembles the original filename. Instead, the extracted files are accessible directly by double-clicking the original file. They also can still be seen when exploring recursively. The parent file's icon will be marked with an ellipsis, to indicate that the file's contents were extracted and there is more to find "behind" the file. The main benefit is that it is now much faster to identify the parent file. For example, when tagging an extracted file, the parent file will be half tagged automatically, which makes it easier to e.g. add such files to a report table later. Or when navigating back upwards from the extracted contents to the parent file by clicking the ".." item, the parent file itself instead of a virtual directory will be automatically selected. Also the path of the extracted contents is more authentic because no suffix " Mail" or " Pics" is artificially inserted in the path any more.

* Option to filter out previously existing files available in X-Ways Investigator, unless prevented by new option "+28" in investigator.ini.

* If in the case report options you specify maximum dimensions for pictures as 00, then the pictures will only be linked, just as other files, not displayed directly in the report.

* The Attr. filter was broken in Beta 3. This was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 20, 2008 - 1:13:   

Beta 5:

* The thorough search for lost partitions now recognizes Ext2/Ext3/Ext4 superblocks.

* Once found, embedded pictures in documents and thumbs.db files are now accessible directly via their host files rather than via virtual subdirectories, analogously to files extracted from e-mail archives and video files since v14.8 Beta 4.

* The binary contents of recycle bin info2 files, .lnk shortcut files, and $EFS LUS are no longer output directly as part of a case report. Instead, a textual representation of their contents is output, as known from Preview mode.

* Other minor improvements.
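
The Ext2/Ext3/Ext4 superblock recognition mentioned in the Beta 5 notes, illustrated as an added example: this is not X-Ways code and makes no claim about how X-Ways implements its search. It checks the superblock magic plus related fields and maps primary and backup copies back to the same partition start; the function names and the sample image are constructed for this illustration.

```python
import struct

EXT_MAGIC = 0xEF53   # s_magic: little-endian u16 at offset 0x38 of the superblock
SECTOR = 512

def parse_superblock(sb):
    """Return (fs, block_size, blocks_per_group, first_data_block, group_nr) or None."""
    if len(sb) < 0x68 or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return None
    inodes, blocks = struct.unpack_from("<II", sb, 0x00)
    first_data, log_bs = struct.unpack_from("<II", sb, 0x14)
    bpg, ipg = struct.unpack_from("<I4xI", sb, 0x20)   # blocks/inodes per group
    group_nr, compat, incompat = struct.unpack_from("<HII", sb, 0x5A)
    # A 2-byte magic matches random data often, so cross-check related fields.
    if (log_bs > 6 or first_data > 1
            or not (inodes and blocks and bpg and ipg) or inodes % ipg):
        return None
    # incompat 0x40 extents, 0x80 64bit, 0x200 flex_bg; compat 0x4 has_journal
    fs = "ext4" if incompat & 0x2C0 else "ext3" if compat & 0x4 else "ext2"
    return fs, 1024 << log_bs, bpg, first_data, group_nr

def scan(image):
    """Scan sector by sector; map each superblock copy to its partition start sector."""
    hits = []
    for off in range(0, len(image) - 1024 + 1, SECTOR):
        f = parse_superblock(image[off:off + 1024])
        if f is not None:
            fs, bs, bpg, first_data, grp = f
            # Primary copy sits 1024 bytes into the partition; a backup copy
            # sits at the first block of its block group.
            start = off - (1024 if grp == 0 else (grp * bpg + first_data) * bs)
            if start >= 0 and start % SECTOR == 0:
                hits.append((start // SECTOR, fs, grp))
    return hits

def build_sample():
    """Constructed 300 KiB image: ext3-like partition at sector 63 plus a decoy."""
    def sb(group_nr):
        b = bytearray(1024)
        struct.pack_into("<II", b, 0x00, 128, 512)       # inodes, blocks
        struct.pack_into("<II", b, 0x14, 1, 0)           # first data block 1, 1 KiB blocks
        struct.pack_into("<I4xI", b, 0x20, 256, 64)      # blocks/inodes per group
        struct.pack_into("<H", b, 0x38, EXT_MAGIC)
        struct.pack_into("<HII", b, 0x5A, group_nr, 0x4, 0x2)  # has_journal, filetype
        return b
    img = bytearray(300 * 1024)
    part = 63 * SECTOR
    img[part + 1024:part + 2048] = sb(0)                 # primary superblock
    img[part + 257 * 1024:part + 258 * 1024] = sb(1)     # backup copy in group 1
    struct.pack_into("<H", img, 8 * SECTOR + 0x38, EXT_MAGIC)  # decoy: magic only
    return bytes(img)

if __name__ == "__main__":
    print(scan(build_sample()))
```

Two hits that resolve to the same start sector corroborate each other, which is what makes backup superblocks useful when the primary copy or the partition table has been overwritten.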

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 21, 2008 - 17:26:   

Beta 6:

* In previous versions, when totally removing hidden items from a volume snapshot for which hash values had been computed, this operation left inconsistent hash values for some of the remaining items in the volume snapshot. This was fixed.

* Option to automatically compress, encrypt, and/or split a container after creation, offered when closing a container that was opened in the background. (forensic license only, not in X-Ways Investigator) Useful e.g. to be able to ship huge containers on CDs or DVDs.

* When refining the volume snapshot and verifying file types based on signatures, in earlier versions this operation was applied to files even if it had been applied before. Now if you wish to repeat it, e.g. because you have edited the file header signatures database, you need to check [x] Again, or else the same files will not be touched again, to save time. From now on, only files whose types were not verified before will be processed by default.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 24, 2008 - 23:20:   

Beta 7:

* Options to explicitly include or exclude child objects of directories or files when using the Recover/Copy command or when filling evidence file containers. As before, when copying from an already recursive view, however, child objects cannot be included.

* It is now possible to include directory data (i.e. depending on the file system, directory entries, INDX buffers, ...) in evidence file containers. Useful if the user of the container might be interested in timestamps or other metadata in these data structures. If you choose to include directory data in a container when creating it, this has a direct effect only on directories that are selected themselves. It has an effect on parent directories of selected items only if you check an additional option. This is needed because otherwise the directory data might unintentionally reveal the names and other metadata of files that were intentionally omitted from the container, e.g. for reasons of confidentiality. Earlier versions of X-Ways Forensics and X-Ways Investigator do understand it if data is available for directories.

* A recent improvement in v14.8 beta versions was that files from which e.g. pictures or e-mail messages were extracted were represented as files with direct child objects. Note that when you copy files whose parents are other files (not directories) to evidence file containers, older versions of X-Ways Forensics and X-Ways Investigator will not understand the parent-child relationship and show the child objects in "Path unknown" instead. However, it is now possible to optionally have X-Ways Forensics create virtual directories instead of files with child objects (Options | Directory Browser), as before, for compatibility reasons.

* For reasons of consistency and simplicity, the optional special treatment of archives as directories has been removed. Instead, archives are now treated exactly like other files with child objects (see above).

* Removing items from huge volume snapshots is now usually much faster. However, after this operation, you can no longer draw conclusions from the internal IDs about the order in which items have been added to the volume snapshots, because the remaining internal IDs may be shuffled when removing items.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 27, 2008 - 1:50:   

v14.8 was just released.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Mar 1, 2008 - 17:59:   

SR-1:

* Error fixed that prevented reconstructing RAIDs over 2 TB.

* Possible source of instability in Details mode fixed.

* New option in investigator.ini that allows you to prevent attaching external files to a volume snapshot in X-Ways Investigator.

* Under certain circumstances, the progress indicator could be wrong for logical searches conducted in selected evidence objects. This was fixed.

* Quicker display of metadata cells in the directory browser if a lot of metadata has been extracted.

* Some smaller improvements.

A few users have reported problems (exception errors) when continuing to work with volume snapshots in v14.8 that were taken by earlier versions. Before doing so I recommend making a backup of the entire case file and directory, so that you can roll back and finish that case with the earlier version if needed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 6, 2008 - 0:56:   

SR-2:

* Fixed an error that could occur in v14.8 SR-1 when automatically interpreting images with multiple segments directly after creation, for hash verification or evidence object replacement. The images were all OK, however.

* Fixed an error that occurred when copying alternate data streams as alternate data streams.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 9, 2008 - 12:31:   

SR-3:

* An error was fixed that occurred when trying to copy directory data to evidence file containers with the indirect method.

* Using keyboard shortcuts to create report table association now either replaces already existing associations or not, depending on the settings in the dialog window for report table associations.

* X-Ways Forensics now warns, once per session, when using .e01 evidence files created by EnCase 6.x before version 6.9, because an unknown range of 6.x versions under certain circumstances created corrupt image files, and users of the aforementioned product may not be aware of the existence of that bug, since the bug and its eventual fix were not publicized.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 28, 2008 - 0:48:   

SR-4:

* When exporting search hits to a tab-delimited text file (not HTML) including context, the actual search term was previously represented by "x" characters. This was fixed.

* When exporting metadata to a tab-delimited text file, line breaks and tabs are now replaced with space characters.

* When viewing video files externally, X-Ways Forensics now ensures temporary filenames with Latin 1 characters only, for compatibility with programs such as MPlayer that are not Unicode-aware.

* The warning about possibly corrupt evidence files mentioned above is now limited to 6.x creator versions prior to 6.8 instead of 6.9.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 9, 2008 - 5:01:   

SR-5:

* The first step of the particularly thorough file system data structure search now works on NTFS volumes larger than 2 TB.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 27, 2008 - 19:43:   

SR-6:

* Some of the fixes introduced in later versions. Available to customers on request.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 8, 2009 - 0:24:   

SR-7:

* Some of the fixes introduced in later versions. Available to customers on request.

Forum operated by X-Ways Software Technology AG.