X-Ways User Forum » Public Announcements » X-Ways Forensics 15.2
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 25, 2008 - 17:46:   

A preview version of X-Ways Forensics 15.2 is now available. The download link can be retrieved by querying one's license status.

What's new?

* If more than 1 GB of main memory is available, the optimization of an index now better utilizes that memory, which may result in a tremendous acceleration of this step for large indexes.

* There are now two different checkboxes in the Index Search window. Checking the first one helps find words within words (e.g. "wife" in "housewife", incomplete and slow if the index was not prepared for substring searches). The second one makes it optional to find word extensions (e.g. "houses" when searching for "house" and "skyscraper" when searching for "sky"). Finding word extensions was default behavior in previous versions. Unchecking both options works like a "whole words only" option.

* It is now possible to replace an evidence object with a new medium (drive letter or physical disk). Useful if you are working with original disks, not images, and the drive letter or disk number has changed.

* The graphics library was updated. Some issues with the display of pictures were fixed.

* It is now possible to group existing and deleted files in different output directories when using the Recover/Copy command. Requires that you have X-Ways Forensics recreate the original path.

* Ability to recreate files whose original paths contain directory names with trailing spaces, although not allowed by Windows, by removing such spaces.

* It is now possible to mark files as hidden even in a search hit list. Such files will actually be filtered out if you do not list hidden items when you click the Enter button in the search term list window to recompile the search hit list.

* When adding a file to a report table, it is now also possible to recursively add all its child objects to the same report table, not only direct children.

* Ability to view Unix/Linux wtmp and utmp log-in records.

* Recognizes the TFAT file system as such.

* When enabling the recommendable data reduction for logical searches, files marked as moved/renamed will not be searched any more, as the same data is searched when the same file is searched in its new location/under its new name.

* Can import SHA-1 hashes from .e01 evidence files as now optionally provided by EnCase 6.12. (Note that in X-Ways Forensics you were never forced to use MD5).

* Naming problem solved for e-mail messages that were extracted from .msg files that were attached to the volume snapshot as virtual files.

* It is now possible to view/search/dump physical RAM on remote computers through F-Response 2.x (works in conjunction with X-Ways Forensics since v15.1 SR-5).

* Several minor improvements.
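The wtmp/utmp viewer announced above is X-Ways' own feature; the following parser is an added example (not X-Ways code) of what such a viewer has to do with the raw records. It assumes the 384-byte glibc struct utmp layout of x86_64 Linux, decodes each record (type, PID, tty line, user, remote host and the binary address in ut_addr_v6), and then pairs USER_PROCESS logins with the following DEAD_PROCESS on the same line to reconstruct sessions the way last(1) does. The wtmp bytes it runs on are constructed inline, including a torn trailing record as seen in carved data, which the parser ignores rather than misreading.

```python
"""Parse Linux utmp/wtmp records and pair logins with logouts (like last(1))."""
import socket
import struct
from datetime import datetime, timezone

# Assumption: 384-byte glibc struct utmp as used on x86_64 Linux
# (/var/run/utmp, /var/log/wtmp, /var/log/btmp). Other libcs and
# 32-bit layouts differ and would need a different format string.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
    8: "DEAD_PROCESS", 9: "ACCOUNTING",
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(words) -> str:
    """ut_addr_v6: IPv4 address in words[0], or a full IPv6 address."""
    if not any(words):
        return ""
    if words[1] == words[2] == words[3] == 0:
        return socket.inet_ntoa(struct.pack("<i", words[0]))
    return socket.inet_ntop(socket.AF_INET6, struct.pack("<4i", *words))


def parse_utmp(data: bytes) -> list:
    """One dict per complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, e_term, e_exit,
         session, sec, usec, *addr) = struct.unpack_from(UTMP_FMT, data, off)
        when = datetime.fromtimestamp(sec, tz=timezone.utc)
        records.append({
            "type": UT_TYPES.get(ut_type, "UNKNOWN(%d)" % ut_type),
            "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
            "user": _cstr(user), "host": _cstr(host), "addr": _addr(addr),
            "exit": (e_term, e_exit), "session": session,
            "time": when.replace(microsecond=min(max(usec, 0), 999999)),
        })
    return records


def _session(login: dict, end) -> dict:
    return {"user": login["user"], "line": login["line"],
            "host": login["host"] or login["addr"], "start": login["time"],
            "end": end,
            "seconds": None if end is None else int((end - login["time"]).total_seconds())}


def sessions(records: list) -> list:
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line.
    Sessions still open at the end of the file get end=None."""
    open_by_line, out = {}, []
    for rec in records:
        if rec["type"] == "USER_PROCESS":
            open_by_line[rec["line"]] = rec
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_by_line:
            out.append(_session(open_by_line.pop(rec["line"]), rec["time"]))
    out.extend(_session(login, None) for login in open_by_line.values())
    return out


def make_record(ut_type, pid, line, ut_id, user, host, sec, exit_status=(0, 0)) -> bytes:
    """Build one record for the constructed sample below (not real wtmp data)."""
    words = [0, 0, 0, 0]
    try:
        words[0] = struct.unpack("<i", socket.inet_aton(host))[0]
    except OSError:
        pass  # host is a name or empty; leave ut_addr_v6 zero
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), exit_status[0], exit_status[1],
                       0, sec, 0, *words)


# Constructed sample: reboot, alice logs in from 203.0.113.7 and out an hour
# later, bob's session is still open, then 100 bytes of a torn record.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "", 1231999000),
    make_record(7, 4242, "pts/0", "ts/0", "alice", "203.0.113.7", 1232000000),
    make_record(8, 4242, "pts/0", "ts/0", "", "", 1232003600),
    make_record(7, 4300, "pts/1", "ts/1", "bob", "198.51.100.9", 1232004000),
]) + b"\x00" * 100

if __name__ == "__main__":
    for s in sessions(parse_utmp(SAMPLE_WTMP)):
        print(s["user"], s["line"], s["host"], s["start"].isoformat(),
              s["end"] and s["end"].isoformat(), s["seconds"])
```

The checks worth keeping when adapting this: DEAD_PROCESS records carry an empty user and only match by ut_line, so a logout can be attributed to the wrong login if the file was truncated between them; and the timestamp is UTC epoch seconds, so the examiner applies the system's time zone, not the workstation's.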
Greg Freemyer
Username: freemyer

Registered: N/A
Posted on Tuesday, Nov 25, 2008 - 23:38:   

Lots of goodies there.

I really like:

- that you are still trying to accelerate indexing.

- that you continue to enhance the recover / copy option. With this new functionality, can we recover copy from multiple partitions or even images all at once, but have them automatically extracted into their own directory trees?

i.e. With 15.1, we have to extract from each partition one at a time and change our destination drive between each recover/copy. If working a large case with lots of images/partitions, it gets tedious having to work one partition at a time.

- that you continue to enhance the email child - grandchild issues. We had problems with that in a case just last week. We had hits in attachments of emails with multiple layers of child - parent - grandparent. We could not get the tagging to work such that we could even get a count of emails with the keyword in them, so we had to move to another tool to do our work.

- Support Linux wtmp / utmp. We had a case that could have used that a month ago.

- One disappointment is not seeing increased functionality around PST/OSTs. Again just last week I had 2 PST files that XWF totally failed to parse. Other tools did much better.

FYI: I exported the PSTs and ran ScanPST against them. They were in need of repair, but Outlook was able to open at least one of them prior to it being repaired.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 26, 2008 - 0:21:   

> With this new functionality, can we [...]

That was possible before, into their own output subdirectories.

> With 15.1, we have to extract from each partition one at
> a time and change our destination drive between each
> recover/copy

If you wish to change the destination drive (drive letter), then yes.

> We could not get the tagging to work such that we could
> even get a count of emails with the keyword in them

Count of e-mail messages that contain a certain keyword or that contain attachments that contain a certain keyword? Untag everything, tag the attachments with the hit, and then output tagged and partially tagged extracted e-mail messages only.

> Other tools did much better.

Yes, for example the separate viewer component does it very well for PSTs and OSTs and allows extracting individual MSGs from them, e.g. in Preview mode.

> Outlook was able to open at least one of them prior to it
> being repaired

Nice, feel free to send us such files for inspection if you can.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 1, 2008 - 16:51:   

Preview 2:

* Some minor improvements.

* Same fix level as v15.1 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 29, 2008 - 18:52:   

Beta 1:

* Main memory analysis. Processes will be listed in the directory browser, with their timestamps and process IDs, and their own respective memory address spaces can be individually viewed in "Process" mode, with pages concatenated in correct logical order as seen by each process. The "particularly thorough data structure search" will take a little longer and may turn up traces of additional processes including rootkits. Works for memory dumps from many, but not all Windows versions and service packs. Currently requires that the name of the file with the memory dump contains the word "RAM" or "dump", for it to be detected as a memory dump.

* For internally reconstructed RAIDs, the number of the component disk from which the current sector (where the cursor is) was read is now displayed in the Details Panel, along with the relative number that that sector has on that component disk.

* For reasons of convenience, WinHex and X-Ways Forensics now remember and restore the last selected item and other settings of the directory browser when reopening data windows and evidence objects.

* Several minor improvements.

* Same fix level as v15.1 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 4, 2009 - 22:24:   

Beta 2:

* Hash sets can now be classified as to how important they are. This is useful because when matching hash values against the hash database, only one match is returned even if the same hash value is contained in multiple hash sets. Now you can make sure that in such a case you get the most important hash set returned, for example a hash set that identifies CP pictures without any doubt as opposed to hash sets that may contain the hash values of doubtful pictures. Also new: If there is more than one match, a "+" sign will be displayed in the hash set column in the directory browser after the name of one of the matching hash sets.

* Hash set names may now contain Unicode characters.

* Some special information for memory dumps (if they are recognized as such, see above) is now available in Technical Details Reports.

* Now shows attachments as child objects of e-mail messages instead of in a virtual "Attach" folder in some cases where this previously did not happen.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 6, 2009 - 3:08:   

Beta 3:

* Evidence file containers created by v15.2 Beta 3 and later can now also transport the hash category of a file and the skin color percentage.

* Icons of hidden files are now displayed in gray instead of blue. Icons of notable files are now displayed in red instead of blue.

* RAM analysis now also works for local physical RAM opened via Tools | Open RAM, not only for memory dumps.

* An error with the new hash database algorithm in Beta 2 was fixed.

* An error in the "Totally remove hidden items" function was fixed that existed since v14.8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 8, 2009 - 2:09:   

Beta 4:

* Support for mode 1 ISO CD images with 2,352 bytes per sector, if not spanned (segmented).

* Minor improvements and fixes for the new memory analysis feature.

* It is now possible to attach all the files of an entire directory to the volume snapshot, not just individual files, if you hold the Ctrl key while invoking the directory browser menu command. Useful for example after having extracted thousands of .msg files from a .pst or .ost e-mail archive using the viewer component, to integrate them back into X-Ways Forensics for further processing.

* When identifying and hiding duplicate files, previously it was possible that duplicate e-mails with attachments (e-mail/attachment pairs) were separated if the parent (e-mail message) of one pair and the child (attachment) of another pair was hidden. The algorithm was improved and this undesirable situation is now avoided.

* Evidence file containers created by v15.2 Beta 3 should only be used in the same version or in earlier versions. Future versions might misinterpret them. The layout of the new fields is now finalized.

* The "Save As" command is now also available for disks (yet another way to create a raw image).

* Avoids exception errors with certain corrupt .gif files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 14, 2009 - 2:17:   

Beta 5:

* Memory analysis further improved

* Identical e-mail messages with different attachments (child objects) will be marked as duplicates, but not hidden. Identical attachments (child objects) will be marked as duplicates, but they will be hidden only indirectly if they are part of identical e-mail messages and those are hidden, too. This facilitates the examination and also avoids a situation where the parent (e-mail message) of one e-mail+attachment family and the child object (attachment) of another family is hidden.

* The downloadable PDF user manual has been updated.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 15, 2009 - 0:01:   

v15.2 was just released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 15, 2009 - 17:56:   

SR-1:

* Fixed an exception error of type 216 at offset 00550348 that could occur when taking volume snapshots.

* Fixed an exception error that could occur in rare cases when optimizing an index.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 26, 2009 - 0:00:   

SR-2:

* Memory analysis for some 64-bit Windows systems (still testing). Further minor improvements for memory analysis.

* Metadata is extracted from carved TCP, UDP, ICMP packet "files".

* The Windows CD key is now decoded and output in plaintext when including the Windows DigitalProductId in the registry report.

* A crash was prevented that occurred when X-Ways Forensics was processing zip archives with a very specific kind of corruption.

* Prevented an infinite loop that occurred in a very special situation when extracting e-mail.

* An error was fixed that caused corruption in hash databases that were newly created by v15.2 until SR-1.

---

* For owners of X-Ways Forensics it is now possible to get quotes from the usual web page for extending one's update maintenance by 1 or 2 years as early as 1 year in advance.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 28, 2009 - 2:21:   

SR-3:

* Another error was fixed that caused corruption in hash databases in v15.2 up to SR-2.

* Minor improvements in memory analysis, for example in the Technical Details Report and for 64-bit Windows versions (still not fully supported).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 30, 2009 - 0:54:   

SR-4:

* New template command "gotoex n" that allows jumping to an absolute offset on a disk, in a file or in memory, unlike the ordinary "goto" command, which is based on the start of the structure where template interpretation starts.

* New template command "exit" that terminates interpretation of the template.

* An exception error was fixed that could occur in v15.2 when returning from a search hit list to the normal directory browser depending on the sort criteria in the search hit list.

* An error was fixed that caused an incorrect decoding of the DigitalProductId from the Windows registry for the registry report.

* Printing multiple selected files via the directory browser context menu always printed the first selected file in v15.2 SR-2 and SR-3. That was fixed.

* In some situations when importing a folder with hash sets the hash sets were unintentionally merged. This was fixed.

* Some minor improvements.
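SR-2 above added decoding of the product key from the DigitalProductId registry value and SR-4 fixed an incorrect decoding; the X-Ways implementation is not public, so the following is an added example of the classic algorithm, not X-Ways code. It assumes the layout used by Windows 2000 through Windows 7: a 164-byte blob (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId in the SOFTWARE hive) with the ASCII Product ID at offset 8 and the 25-character key stored in bytes 52..66 as a little-endian base-24 number over the alphabet BCDFGHJKMPQRTVWXY2346789. Windows 8 and later use a different scheme (DigitalProductId4) that this code does not handle. The blob it decodes is constructed inline from a made-up key so the round trip can be checked; the decoder also refuses bytes that cannot be a 25-digit key, which is the check that catches a wrong offset.

```python
"""Decode the product key from a Windows DigitalProductId registry value."""
import struct

# Assumption: the classic layout used by Windows 2000/XP/2003/Vista/7: a
# 164-byte blob with the ASCII Product ID at offset 8 and the 25-character
# key stored as a 120-bit base-24 number, little-endian, in bytes 52..66.
# Windows 8 and later use the DigitalProductId4 scheme, not handled here.
KEY_CHARS = "BCDFGHJKMPQRTVWXY2346789"   # 24 symbols; 0/1/A/E/I/L/N/O/S/U/Z never appear
KEY_OFFSET, KEY_LEN, BLOB_LEN = 52, 15, 164


def decode_product_key(dpid: bytes) -> str:
    """Return the key as XXXXX-XXXXX-XXXXX-XXXXX-XXXXX or raise ValueError."""
    if len(dpid) < KEY_OFFSET + KEY_LEN:
        raise ValueError("DigitalProductId too short: %d bytes" % len(dpid))
    n = int.from_bytes(dpid[KEY_OFFSET:KEY_OFFSET + KEY_LEN], "little")
    digits = []
    for _ in range(25):               # repeated division by 24, least significant digit first
        n, d = divmod(n, 24)
        digits.append(KEY_CHARS[d])
    if n:                             # 24**25 < 2**120: a real key leaves no remainder
        raise ValueError("bytes 52..66 do not encode a 25-character key")
    key = "".join(reversed(digits))
    return "-".join(key[i:i + 5] for i in range(0, 25, 5))


def product_id(dpid: bytes) -> str:
    """ASCII Product ID (e.g. 55274-640-0000356-23123) stored at offset 8."""
    return dpid[8:32].split(b"\0", 1)[0].decode("ascii", "replace")


def encode_product_key(key: str, pid: str) -> bytes:
    """Build a constructed DigitalProductId blob for testing (not a real one)."""
    chars = key.replace("-", "").upper()
    if len(chars) != 25 or any(c not in KEY_CHARS for c in chars):
        raise ValueError("key must be 25 characters from " + KEY_CHARS)
    n = 0
    for c in chars:                   # most significant digit first
        n = n * 24 + KEY_CHARS.index(c)
    blob = bytearray(BLOB_LEN)
    struct.pack_into("<I", blob, 0, BLOB_LEN)            # length field
    blob[8:8 + len(pid)] = pid.encode("ascii")
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = n.to_bytes(KEY_LEN, "little")
    return bytes(blob)


# Constructed sample: not a real key, just 25 symbols from the key alphabet.
SAMPLE_KEY = "BCDFG-HJKMP-QRTVW-XY234-6789B"
SAMPLE_DPID = encode_product_key(SAMPLE_KEY, "55274-640-0000356-23123")

if __name__ == "__main__":
    print(product_id(SAMPLE_DPID), decode_product_key(SAMPLE_DPID))
```

The byte-wise long division found in older scripts is the same computation as the single big-integer division here; the difference is only that this version notices when the 120-bit value is too large to be a key instead of silently emitting 25 characters of noise.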
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 16, 2009 - 10:13:   

SR-5:

* Format error in registry report fixed.

* Further improvements of memory analysis.

* New unsigned 48-bit integer type available in the Data Interpreter and in templates (needed for manual 64-bit main memory analysis).

* When errors occur when filling an evidence file container, the filling is no longer aborted in certain situations, and a more specific error code is reported in some other situations.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 20, 2009 - 16:29:   

SR-6:

* Various further improvements for memory analysis.

* A new exception error that could occur when viewing externally opened files was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 24, 2009 - 1:34:   

SR-7:

* The path of the loaded registry hive is now (at least partially) displayed in the registry viewer's status bar. Useful for example if you load multiple ntuser.dat files from different images and user profiles at the same time.

* Newly created evidence file containers now remember the owner of files from NTFS file systems as the last part of the SID, no longer as the security identifier index.

* The directory browser and Details mode now show both the translated username (if available) and the SID as the owner of files in NTFS file systems, not only one of them.

* Fixed an error that could occur when copying files into a container from a non-recursive list.

* An exception error was fixed that could occur when clicking directories in the directory tree.

* Minor improvements.
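The SR-7 items above concern how file ownership on NTFS is recorded and displayed: the NTFS security ID is only an index into the volume's $Secure file and means nothing outside that volume, whereas the account SID in the security descriptor is what an examiner can actually resolve. The following is an added example (not X-Ways code) of decoding a binary SID into its S-1-... string form, taking the RID from its last sub-authority, and rendering "name (SID)" when the SID resolves and the bare SID when it does not, as the post describes for the directory browser. The resolver mapping from SID string to account name is assumed to come from a SAM/SECURITY hive parse and is stubbed here with a constructed dictionary; the sample SIDs are constructed too.

```python
"""Decode binary Windows SIDs as stored in NTFS security descriptors."""
import struct

# Well-known SIDs and domain RIDs that resolve even without a SAM hive.
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE", "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def sid_to_string(raw: bytes) -> str:
    """Binary SID: revision(1) count(1) authority(6, big-endian) sub-auths(count*4, LE)."""
    if len(raw) < 8:
        raise ValueError("SID shorter than 8 bytes")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) < 8 + 4 * count:
        raise ValueError("not a valid SID header")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    # Windows prints authorities that do not fit 32 bits in hex.
    auth_str = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "-".join(["S", str(revision), auth_str] + [str(s) for s in subs])


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2], 0)
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid(sid: str) -> int:
    """Relative identifier: the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def describe_owner(raw: bytes, accounts: dict) -> str:
    """'name (SID)' when the SID resolves, otherwise the SID alone.
    accounts maps SID strings to names (assumed to come from a SAM parse)."""
    sid = sid_to_string(raw)
    name = accounts.get(sid) or WELL_KNOWN.get(sid)
    if name is None and sid.startswith("S-1-5-21-"):
        name = WELL_KNOWN_RIDS.get(rid(sid))
    return "%s (%s)" % (name, sid) if name else sid


# Constructed sample SIDs (made-up machine SID, not from a real system).
MACHINE = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_OWNERS = {
    "alice": string_to_sid(MACHINE + "-1000"),
    "builtin_admin": string_to_sid(MACHINE + "-500"),
    "system": string_to_sid("S-1-5-18"),
    "administrators": string_to_sid("S-1-5-32-544"),
}
ACCOUNTS = {MACHINE + "-1000": "alice"}   # what a SAM hive parse would supply

if __name__ == "__main__":
    for label, raw in SAMPLE_OWNERS.items():
        print(label, "->", describe_owner(raw, ACCOUNTS))
```

Keeping the SID next to the translated name matters in practice: two images from different machines can both show an owner called "alice" while the machine portions of the SIDs differ, and a RID-500 account may have been renamed.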
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 24, 2009 - 18:06:   

SR-8:

* Loading error in registry viewer fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 13, 2009 - 1:04:   

SR-9:

* Fixed inability to read raw sectors from audio CDs.

* An asterisk at the end of a registry path in the registry report definition did not match all subkeys and values. This was fixed.

* Several minor improvements.

* The file "File Type Signatures Memory Search.txt" is now downloadable. That file contains signature definitions for TCP, ADR, UDP, ICMP, and IGMP packets, and is applicable only to memory dumps, and the signatures are to be searched byte-aligned.
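The SR-2 entry on metadata from carved TCP/UDP/ICMP packet "files" and the SR-9 note that such signatures are searched byte-aligned in memory dumps describe a carving step whose signature file is X-Ways' own; the code below is an added example, not X-Ways code, of the same idea in plain Python. It scans every byte offset of a buffer for a candidate IPv4 header (version 4, IHL 5), keeps only candidates whose header checksum verifies and whose protocol, TTL and length fields are plausible, and then pulls addresses, ports, TCP flags or ICMP type/code out of the header. The "memory" it scans is constructed inline: filler that contains a decoy 0x45 byte, a TCP SYN and a DNS query. The checksum check is what makes byte-aligned carving usable; without it a 0x45 byte appears roughly once every 256 bytes of random data.

```python
"""Carve IPv4/TCP/UDP/ICMP headers out of a memory buffer, byte-aligned."""
import socket
import struct

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
MIN_L4 = {1: 8, 6: 20, 17: 8}        # smallest valid transport header per protocol


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 for a header whose checksum field is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(buf: bytes, off: int):
    """Metadata dict if buf[off:] starts with a plausible IPv4 packet, else None."""
    if off + 20 > len(buf) or buf[off] != 0x45:          # version 4, IHL 5 only
        return None
    (_, _, total_len, ident, _, ttl, proto, _, src,
     dst) = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if proto not in PROTO or ttl == 0 or total_len < 20 + MIN_L4[proto]:
        return None
    if ipv4_checksum(buf[off:off + 20]) != 0:            # rejects random 0x45 bytes
        return None
    l4 = off + 20
    if l4 + MIN_L4[proto] > len(buf):
        return None
    meta = {"offset": off, "proto": PROTO[proto], "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "ttl": ttl, "ip_id": ident, "length": total_len}
    if proto == 6:
        sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", buf, l4)
        if doff >> 4 < 5:                                # TCP data offset below minimum
            return None
        meta.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags)
    elif proto == 17:
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", buf, l4)
        if ulen < 8:
            return None
        meta.update(sport=sport, dport=dport, udp_len=ulen)
    else:
        itype, icode = struct.unpack_from("!BB", buf, l4)
        meta.update(icmp_type=itype, icmp_code=icode)
    return meta


def carve_packets(buf: bytes) -> list:
    """Scan every byte offset: packets in RAM are not sector- or word-aligned."""
    hits, off = [], 0
    while off <= len(buf) - 20:
        meta = parse_packet(buf, off)
        if meta:
            hits.append(meta)
            off += 20          # skip the accepted header, keep scanning its payload
        else:
            off += 1
    return hits


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Build a packet with a correct header checksum (for the constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


# Constructed sample "memory": filler with a 0x45 decoy at index 50, a TCP SYN to
# 203.0.113.7:443, more filler, a DNS query to 192.0.2.53, more filler.
TCP_SYN = struct.pack("!HHIIBBHHH", 50123, 443, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
UDP_DNS = struct.pack("!HHHH", 52000, 53, 8 + 12, 0) + b"\x00" * 12
_filler = bytes((i * 37 + 11) & 0xFF for i in range(200))
SAMPLE_MEMORY = (_filler + build_ipv4(6, "10.0.0.5", "203.0.113.7", TCP_SYN)
                 + _filler[:100] + build_ipv4(17, "10.0.0.5", "192.0.2.53", UDP_DNS)
                 + _filler)

if __name__ == "__main__":
    for hit in carve_packets(SAMPLE_MEMORY):
        print(hit)
```

Headers with IP options (IHL greater than 5) and IPv6 are deliberately out of scope here; a production carver would also record which process's address space the hit fell in, which is exactly what the per-process "Process" mode described earlier in this thread makes possible.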
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 27, 2009 - 0:52:   

SR-10:

* Avoids error that occurred when starting a Simultaneous Search with certain settings.

* Fixed a display refresh error that could occur under certain circumstances when navigating from one search hit to another in File mode.

* Avoidance of conflicts when invoking multiple instances of MPlayer simultaneously.

* The size of the buffer for the file mask for the extraction of embedded JPEG/PNG pictures was increased.

* Some other minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 7, 2009 - 2:39:   

SR-11:

* Fixed misinterpretation of special GREP characters $ and ^ in keyword searches run without GREP syntax.

* Files that were virtually attached by the user to the root directory of a volume were ignored in some operations even when selected. This was fixed.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 8, 2009 - 0:34:   

SR-12:

* Deals more gracefully with overlong paths and extremely high numbers of files when taking a volume snapshot of drives with no sector-level access (e.g. remote network drives).

* No longer freezes when taking a volume snapshot of certain very large DVDs.

* Improved compatibility with certain .e01 evidence files as produced by EnCase 6.13.

* Avoided "... is not a valid character" error message in inappropriate situations.

* Fixed an error that in some situations occurred when processing certain thumbs.db files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 2, 2009 - 21:11:   

SR-13:

* Some of the fixes introduced in later versions. Available to customers on request.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 18, 2010 - 17:43:   

SR-14:

* Some of the fixes introduced in later versions. Available to customers on request.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:01:   

SR-15:

* Some of the fixes introduced in later versions. Available on request to customers whose update maintenance covered v15.2. This is the last service release for v15.2.

Forum operated by X-Ways Software Technology AG.