X-Ways Forensics 15.3


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 27, 2009 - 1:19:   

A preview version of X-Ways Forensics 15.3 is now available. The download link can be retrieved by querying one's license status.

What's new?

* The index optimization step was reworked. It can now utilize an unlimited and user-defined number of processor cores simultaneously and a user-defined amount of main memory, for faster and more thorough optimization.

* Improved memory handling for search hits. No additional memory requirement for search hits any more when loading or saving the case. Memory for search hits is now needed only when the evidence object is open (same as before already with memory for volume snapshots). The limitation of the number of search hits in one evidence object by main memory was slightly increased (now several ten million search hits possible). Search hits saved by v15.3 cannot be loaded by older versions any more.

* Decoding the text in PDF, HTML, and various other documents for the logical search and for indexing can no longer cause the program to freeze or crash if the viewer component has problems processing the file e.g. because the file is corrupt.

* When attempting to view or preview a file with the viewer component that is known to be a reason for crashes, you are asked whether you are really sure you would like to view the file.

* Detects if hash database is in use to avoid conflicts when updating it.

* When you add an excerpt from a file to the volume snapshot as a virtual file (select a block in File mode and use the Edit menu for that), the resulting file is now marked as "excerpt" in the Attr. column and is filterable like this.

* zip.exe was updated with a version that supports larger .zip files. That program is used for archiving cases.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 8, 2009 - 2:15:   

Preview 2:

* In main memory (local live main memory or memory dumps), Windows kernel data structures and named objects are now conveniently listed in a tree in the volume snapshot. Other objects will be listed per process in the handle table.

* Three additional data types have been added to the Data Interpreter: SID (security identifiers), IP addresses, and packed 7-bit ASCII strings. IP addresses are also available in templates, and the variable type is called "IP".

* Three additional hash types have been added: RipeMD-128, RipeMD-160, and MD4. Support for MD4 has been added because that hash type is in use e.g. in aMule.

* The integrity test of the hash database can now be aborted.

* The case report can now optionally be split into multiple HTML files if too many pictures are to be included (like hundreds or thousands) that give Internet browsers or other programs a headache when loading the HTML file.

* New index optimization further improved.

* Improved compatibility with .e01 evidence files as produced by EnCase 6.13.

* An error was fixed that could cause a loss of search hits under certain circumstances when the case was saved in v15.3 Preview 1.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 9, 2009 - 0:54:   

Preview 3:

* Avoided "... is not a valid character" error message in inappropriate situations.

* Supports overlong paths (up to about 510 characters) when taking a volume snapshot of a network drive.

* Clickable links to attachments in e-mails in Preview mode now work in some very rare cases where they previously didn't.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 7, 2009 - 2:13:   

Beta 1:

* When opening main memory, loaded modules are now listed, in a virtual directory named "Modules". That enables X-Ways Forensics to allocate the memory pages in RAM mode that they occupy to them, and to compute hashes for them so that they can be identified via special hash sets.

* Memory analysis more robust.

* It is now possible to output the report for selected evidence objects only, not simply for all evidence objects, via an additional checkbox in the report options dialog. (forensic license only)

* A new filter has been introduced that allows you to focus on files that have already been viewed or have not yet been viewed by the examiner. See Directory Browser Options. (forensic license only)

* Some options from the Security Options and the Directory Browser Options that affect the creation of volume snapshots have been moved to a separate dialog box that you can access via a button in the Directory Browser Options.

* A new volume snapshot option is now available that causes deleted partitions to pass on their deleted state to everything that they contain (files, directories, ...), and deleted e-mail archives to pass on their deleted state to all the e-mails, directories and attachments that they contain. This may seem logical, but results in a loss of information (*everything* is listed as deleted). By default, X-Ways Forensics still distinguishes between existing and deleted files and e-mails etc. even in deleted partitions/deleted e-mail archives, as in earlier versions, so that more information is retained.

* Via two other new volume snapshot options you can indicate whether you are interested in earlier names and locations of renamed/moved files in NTFS and whether you are interested in getting files listed for which only filename, size, timestamps and attributes (but no data) are known. By default, such files are listed, as in earlier versions. (specialist or forensic license only)

* ed2k hash values can now be computed for files in the volume snapshot. This hash type is used in file sharing programs. (specialist or forensic license only)

* The menu items for simultaneous search and the index searches have been moved to the top of the menu (for license types in which they are available), since they are the most important ones in the Search menu.

* Fixed an error that in some situations occurred when processing certain thumbs.db files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 11, 2009 - 0:00:   

v15.3 was just released.

Danny O'Grady
Username: azurlake

Registered: N/A
Posted on Monday, May 11, 2009 - 13:09:   

Will LVM support be added in the next release?

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 11, 2009 - 13:23:   

No, it won't.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 25, 2009 - 22:14:   

SR-1:

* If multiple search terms were used in the original 15.3 version in Simultaneous Search with the GREP option enabled, only the first one was actually searched for. This was fixed.

* When the same file is added to the same evidence file container again, and if the version of the file in the container includes metadata only, because it was copied indirectly and only to replicate the path of one of its child objects, and when the same file is to be added again specifically along with its contents, then the new version of the file (with contents) will now replace the old version of the file (without contents). Previously, the file would not have been copied again.

* More user account information is extracted from the SAM registry hive as part of the Windows registry report.

* The Convert script command now supports the parameters "hiberfil Binary" for automated hiberfil.sys decompression.

* More thorough check for file systems in partitions defined by conventional Apple partition maps.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 5, 2009 - 10:51:   

SR-2:

* More information in the Messages window when refining the volume snapshots of several evidence objects about which evidence object is currently being processed.

* A common situation when refining the volume snapshot is that files in carved zip archives cannot be opened because the zip archive is incomplete or corrupted. In that case the number of error messages that is output in the messages window is greatly reduced, the affected files are marked as "File contents unknown" in the Attribute column, and no more attempts are made to open such files, which should accelerate the volume snapshot refinement and result in better stability.

* The NTFS flag for "not indexed" is now output in the Attr. column.

* More information in preview of $UsnJrnl:$J.

* The registry report now extracts disk signatures and partition start sectors from MountedDevices values.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 21, 2009 - 15:10:   

SR-3:

* A virtual loss of search hits could occur in certain special situations. This was related to the new storage method of search hits in v15.3, and it is now prevented. Search hits "lost" because of this error are recovered by v15.3 SR-3 if no new search has been run in the same evidence object.

* Search hits in the decoded version of PDF/HTML/... files could be displayed incorrectly in v15.3 before, depending on the sort criterion, with incorrect contents. This was fixed.

* Opening large NTFS volumes is now much faster.

* The tab labels of windows that represent interpreted images and partitions on images are now shorter, so that more tabs fit on the screen. The partition numbers remain visible in the tabs even if the image name is long.

* Fixed the details panel's display of the RAID component and relative sector number of internally reconstructed RAIDs of level 0. It worked for RAID 5 before only.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 13, 2009 - 0:44:   

SR-4:

* The case is now saved again immediately after a search is completed or aborted, so that search results are not lost if the program crashes or freezes before the case is saved next time after that.

* Ability to recover/copy files in directories whose names consist only of a single dot with their path. Useful for files associated with traces of old NTFS root directories. Just the dot is considered an illegal name by Windows, hence "." is now renamed to "_".

* Avoids that our company name will be used in e-mail extracted from Outlook "Sent Items" as a substitute for a missing original X-Mailer line.

* Inability fixed to open case report after its creation when the filename specified by the user lacked the .html extension.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 29, 2009 - 2:19:   

SR-5:

* Fixes already introduced with v15.4 Beta.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 2, 2009 - 21:11:   

SR-6:

* Some of the fixes introduced in later versions. Available to customers on request.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 18, 2010 - 17:52:   

SR-7:

* Some of the fixes introduced in later versions. Available to customers on request.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:01:   

SR-8:

* Some of the fixes introduced in later versions. Available on request to customers whose update maintenance covered v15.3. This is the last service release for v15.3.

Forum operated by X-Ways Software Technology AG.