X-Ways Forensics 14.9

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Mar 1, 2008 - 18:00:   

A preview version of X-Ways Forensics 14.9 is now available. The download link can be retrieved by querying one's license status.

What's new?

* Better structured and more visually appealing representation of internal file metadata in Details mode for various file types.

* Support for true Unicode filenames for the examination of Zip, RAR, and 7zip archives. Note that for Zip archives with true Unicode filenames to be processed correctly, you need to pick the correct code page in the case properties first. E.g. for Zip archives created under Linux, that's likely UTF-8. For Zip archives created under Windows in Asia, that's likely a regional code page.

* Better support for very large archives in excess of 2 GB. Some other minor improvements in relation to archive handling.

* Some minor improvements/fixes for e-mail processing, concerning filename conflicts, e-mails with unusual line-break formats, Pegasus Mail and PocoMail files.

* The option to not include free drive space in otherwise complete sector-wise images of partitions/volumes is now available in X-Ways Forensics, too, not only in WinHex when run with a specialist or forensic license. It's now included in X-Ways Forensics because more selective instead of complete acquisitions may be preferable or even required in certain jurisdictions and because certain prosecutors wish to limit examinations to existing files anyway. Special precautions help to avoid unintentional use of this option.

* Ability to filter out those previously existing items only whose first cluster is known to be unavailable (most notably the so-called "X files"), by using a new third state of the checkbox entitled "List previously existing items".

* Ability to focus on files that have child objects with the Attribute filter.

* Whenever one or more filters are active that actually filter out items in the currently displayed directory browser, the two blue filter symbols in the directory browser's caption line are now clickable and allow you to deactivate all filters with a single mouse click, to ensure you are not missing any file. This was a frequently requested feature. Comments on the actual implementation are welcome, by e-mail or in the computer forensics section of the forum.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 6, 2008 - 0:56:   

Preview 2:

* Metadata extraction from MS Office 2007 XML, OpenOffice XML, StarOffice XML, .dmp memory dumps, and PNF (precompiled setup information) files.

* Same fix level as v14.8 SR-2.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 9, 2008 - 12:46:   

Preview 3:

* Ability to read and write .e01 evidence files with a segment size larger than 2 GB. In fact it is not necessary any more to split them at all (except of course if the target file system is FAT32 or if you need to burn the image on CDs or DVDs). For full compatibility with earlier versions of X-Ways Forensics, with EnCase versions before v6, and with other products, split them at 2,047 MB or less, as before.

* Report tables created by X-Ways Forensics itself (by v14.9 Preview 3 and later) can now be distinguished from user-created report tables in dialog windows.

* The size limit that defines when a picture is considered irrelevant for skin tone analysis is now slightly more strict (width or height no more than 8 pixels, or width and height no more than 16 pixels each).

* Ability to rename virtual attached files in the volume snapshot with the directory browser context menu.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 14, 2008 - 0:47:   

Preview 4:

* Even after exploring a directory by clicking it in the directory tree you will now find a ".." item at the top of the directory browser, which you can double-click to go upwards to the respective parent directory, same as with the backspace key.

* Report field selection list error from Preview 3 fixed.

* Some minor improvements.

* The quick-guides that are downloadable from the X-Ways Forensics product web page have been updated for v14.8/v14.9 where necessary.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 14, 2008 - 16:47:   

Preview 5:

* Metadata extraction from hiberfil.sys files, .wim Vista image files, and GZ archives in Details mode.

* Indexing: Unnecessary interruption by user prompts in certain situations prevented.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 24, 2008 - 1:24:   

Beta:

* When extracting e-mail messages and attachments, attachments now become child objects of their respective parent e-mail messages. That makes it very easy to find the attachments for a given e-mail message, or to find the e-mail message that contains a given attachment. Because of this parent-child relationship, you can now conveniently include the containing e-mail message when copying attachments to an evidence file container. Tagging an e-mail message will also tag its attachments. Tagging an attachment will at least partially tag the containing e-mail message. (forensic license only)

* The names of attached and embedded files that belong to e-mail messages in the same e-mail folder are usually no longer made unique by artificially inserting an incrementing number in square brackets before the extension.

* The body of e-mail messages extracted from PST archives with Outlook 2003 or later present is now more faithful for Asian languages.

* The directory browser context menu command that in previous versions found the containing e-mail message for a given attachment has been renamed "Find parent object", moved to the Position submenu and can now be applied to any file. Its function is now identical to the Backspace key, and it's now available with any license type. It also no longer switches back from a recursive to a non-recursive view if the parent object is already listed in the directory browser in that recursive view.

* Pictures embedded in other files can now be included in the volume snapshot even if their respective parent files are compressed.

* Representation of .lnk shortcut files for Preview mode and View command now more visually appealing. (forensic license only)

* It is now possible to focus on or filter out half tagged items (see Directory Browser Options).

* Ability to export lists as text files in Unicode.

* Stills extracted from videos are now named after the video file, not only after the time index.

* Naming carved JPEG files after camera model and date and time (specialist or forensic license), where possible, is now optional.

* Fixed errors of earlier preview versions.

* Fixed an error that under certain circumstances caused a file header signature search to find and list files that were already part of the volume snapshot before, although this feature is supposed to avoid creating duplicates.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 28, 2008 - 1:05:   

Beta 2:

* X-Ways Forensics now points out if a file in an NTFS volume has been only partially filled with data. Such files are marked with "partial init." (partial initialization) in the Attribute column and can be filtered like that. The size of the actually initialized/defined portion of the file is now displayed in the Details Panel when opening such a file or when looking at it in File mode, labelled as "Valid data length", and the affected data range will be displayed in a different color. Search hits in the uninitialized portion of a file will be marked as search hits in "slack etc.".

All of that is meant to help a skillful forensic examiner to avoid drawing inaccurate conclusions. This risk exists because data that is stored in the allocated clusters of a file may be old data that was present on the disk before the clusters were allocated to that file, if the clusters have never been actually overwritten with new data. Typically, file types that may not always be fully initialized include
- Windows Registry
- Windows Event Log (.evt and .evtx)
- CRMLOG
- Outlook PST
- Outlook Express DBX
- Windows MediaPlayer databases
- Windows Reliability Monitor
- SystemIndex Indexer CiFiles
- Microsoft Network Downloader
- Windows Font Cache
- Windows Vista thumbcache
- Windows rescache
- Microsoft IME User Dictionary
- Java .jsa
and database files, temporary files, and generally files created by applications that like to preallocate storage space for performance reasons or to prevent later file fragmentation.

* Ability to decompress Windows XP 32-bit hiberfil.sys files, whether active or inactive, to get a dump of physical memory with all in-use pages from a previous point of time when the computer entered into hibernation, as well as individually carved xpress chunks from hiberfil.sys files, including xpress chunks located in the "slack" of hiberfil.sys that are even older. This feature is available in Edit | Convert. (forensic license only)

* Creation and last access timestamps are now extracted from zip archives when including their contents in the volume snapshot, if these timestamps are available.

* More complete Unicode support in various portions of the user interface, such that the Chinese and Japanese translation can now be used correctly even if the code page that is active in the Windows system is not 936 or 932, respectively. More complete Unicode support also for case HTML reports output in Chinese or Japanese.

* Encrypted files in archives currently cannot be opened in v14.9 Beta.
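
The "partial init." condition described in the post above can be read straight from the non-resident $DATA attribute header in an MFT record. The sketch below is an added example, not part of the original post and not X-Ways code. It assumes the commonly documented NTFS header layout (allocated size at offset 0x28, real size at 0x30, initialized size, i.e. valid data length, at 0x38); the function names are hypothetical and the sample header is constructed.

```python
import struct

ATTR_DATA = 0x80  # NTFS attribute type code for $DATA

def parse_sizes(attr: bytes) -> dict:
    """Read the size fields from a non-resident NTFS attribute header."""
    if len(attr) < 0x40:
        raise ValueError("non-resident header is at least 0x40 bytes")
    (attr_type,) = struct.unpack_from("<I", attr, 0x00)
    if attr_type != ATTR_DATA:
        raise ValueError(f"not a $DATA attribute: type {attr_type:#x}")
    if attr[0x08] != 1:
        raise ValueError("resident attribute: no separate valid data length")
    allocated, real, valid = struct.unpack_from("<QQQ", attr, 0x28)
    return {
        "allocated": allocated,
        "real": real,
        "valid_data_length": valid,
        "partial_init": valid < real,
    }

def classify_offset(sizes: dict, offset: int) -> str:
    """Say which part of the file's allocated clusters a byte offset falls in."""
    if offset < 0 or offset >= sizes["allocated"]:
        raise ValueError("offset outside the allocated clusters")
    if offset < sizes["valid_data_length"]:
        return "initialized"
    if offset < sizes["real"]:
        return "uninitialized"  # on disk: whatever the clusters held before
    return "slack"

def build_sample_header(allocated: int, real: int, valid: int) -> bytes:
    """Constructed sample: unnamed non-resident $DATA header, empty run list."""
    hdr = bytearray(0x48)
    # type, length, non-resident flag, name length, name offset, flags, attr id
    struct.pack_into("<IIBBHHH", hdr, 0x00, ATTR_DATA, 0x48, 1, 0, 0x40, 0, 1)
    last_vcn = allocated // 4096 - 1  # assumes 4 KiB clusters
    # starting VCN, last VCN, data run offset, compression unit size
    struct.pack_into("<QQHH", hdr, 0x10, 0, last_vcn, 0x40, 0)
    struct.pack_into("<QQQ", hdr, 0x28, allocated, real, valid)
    return bytes(hdr)

if __name__ == "__main__":
    sizes = parse_sizes(build_sample_header(1048576, 1000000, 69632))
    print(sizes)
    for hit in (4096, 500000, 1040000):
        print(hit, classify_offset(sizes, hit))
```

A search hit classified here as "uninitialized" lies in the range the post says is reported under "slack etc.": the bytes are within the file's logical size but were never written by the file's owner.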

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 7, 2008 - 3:27:   

Beta 3:

* The new e-mail extraction method that associates e-mail attachments with their respective parent e-mail messages as child objects was very slow for large e-mail archives. That problem was solved.

* The old e-mail extraction logic from v14.8 and before, where attachments were collected in a separate directory "Attach", can now be used again by choosing to not allow files with child objects. See Options | Directory Browser. Note that this option will eventually be removed in future versions. It is included for backwards compatibility only.

* Password-protected Outlook PST e-mail archives will now be marked with "e!" if either the encryption test is applied to such files or if you try to extract e-mail from such files.

* For certain file types the file type verification now determines the correct file type without highlighting the type status as "newly identified" even if the type is different from the extension. It does that for Windows Registry files (because it's normal for them not to have any extension) and HTML/XML files (because there are a variety of extensions that are all normal and plausible). That helps to keep the number of files with the type status "newly identified" low and allows you to better concentrate on files that were actually misnamed.

* Finds deleted partitions automatically if located 64 sectors apart from a previously found partition (not only 63 or 2048 sectors as before).

* Since the introduction of 256-bit AES in WinHex/X-Ways Forensics, the PC1 encryption algorithm was still supported only for compatibility with earlier versions. Support has now been discontinued.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 14, 2008 - 23:06:   

Beta 4:

* The new button that allows you to deactivate all filters now also causes the search hit list to be displayed in full, in that if multiple search terms are selected and "Min. x" or "All x" settings are used, they are reduced to "Min. 1". Also it unchecks the "List 1 hit per file only" checkbox, if checked.

* No longer adds XML files to the report table "No detectable textual contents" when no text is extracted from them by the viewer component for the logical search/for indexing.

* An error was fixed that would prevent files beyond the 2 TB barrier from being read correctly, on NTFS volumes larger than 2 TB.

* X-Ways Forensics and X-Ways Investigator now notify you when you get nearer to the end of your update maintenance period.

* The viewer component is now loaded only when actually needed, not when starting the program.

* The e-mail extraction functionality now checks *.pst for their signature and original *.eml for the presence of embedded files before trying to do the extraction. Files embedded in original .eml files are now extracted directly as child objects, and the e-mail message is not duplicated any more.

* The "Text" button that turns the preview provided by the viewer component into a raw text preview (which for example is very helpful when interested in all header lines of an e-mail message), is now labelled "Raw", to increase awareness of the fact that usually it is _not_ desirable to view files in that mode.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 17, 2008 - 3:31:   

v14.9 was just released.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Apr 18, 2008 - 13:02:   

SR-1:

* X-Ways Forensics 14.9 did not automatically load the viewer component for the encryption test, so unless the viewer component was utilized in the same session before, an error message appeared. This was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 28, 2008 - 0:36:   

SR-2:

* Fixed some checkboxes in the Attribute filter dialog.

* When copying files with child objects from a recursive view without recreating the original paths, X-Ways Forensics no longer creates empty subdirectories named after these files.

* Fixed an error that could occur when attaching a file to a file in the root directory of a volume.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 2, 2008 - 11:42:   

SR-3:

* Fixed an infinite loop that could occur in some very rare situations when finding OLE2 compound files via signatures.

* When applying a logical search to selected files in a recursively explored directory, pausing the search to preview search hits previously caused the search to be aborted. This was fixed.

* An instability issue in the indexing algorithm was fixed.

* Fixed a rare error where filenames were incorrectly read from certain Ext* directory entries.

* An error was fixed that under certain circumstances could lead to attachments copied to containers incorrectly showing up in "Path unknown".

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 12, 2008 - 14:24:   

SR-4:

* \b GREP anchor now works when 16-bit option is enabled.

* hiberfil.sys decompression now more like the original Microsoft code.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 20, 2008 - 20:47:   

SR-5:

* Prevented possible accidental duplication of files with child objects in evidence file containers.

* Prevented a certain exception error when extracting e-mail messages from e-mail archives.

* Since v14.8, the owner column in the directory browser was not filled any more on certain NTFS volumes. This was fixed.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 27, 2008 - 19:43:   

SR-6:

* Some of the fixes introduced in later versions. Available to customers on request.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 8, 2009 - 0:24:   

SR-7:

* Some of the fixes introduced in later versions. Available to customers on request.

Forum operated by X-Ways Software Technology AG.