X-Ways Forensics 15.4

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 13, 2009 - 0:46:   

A preview version of X-Ways Forensics 15.4 is now available. The download link can be retrieved by querying one's license status.

What's new?

* Considerably reduced main memory requirements for large volume snapshots (i.e. volume snapshots with a lot of files), allowing you to open and analyze volumes with many more million files than in earlier versions (roughly 100% more) with the same amount of available main memory. Please note that the volume snapshot format has changed, so that earlier versions cannot open volume snapshots saved by v15.4 and later.

* Even more deleted files can now typically be found on NTFS volumes and included in the refined volume snapshot when running the particularly thorough file system data structure search. These deleted files can be listed with filenames, path, timestamps etc. Forensic license only.

* Often X-Ways Forensics can now also retrieve a true deletion timestamp for previously existing files during the particularly thorough file system data structure search. Even more deletion timestamps can be found when viewing/previewing $UsnJrnl:$J. These are very unique features, available for NTFS volumes. Forensic license only. Please don't confuse it with so-called deletion timestamps that other forensic tools may show you on NTFS volumes, for files that have not even been deleted from the file system.

* Option to exclude deleted files from volume snapshots when they are taken. Useful if you are interested or not supposed to look at deleted files.

* Option to exclude the time-consuming search for FILE records outside of the $MFT from the particularly thorough data structure search in NTFS.

* It's now possible to see and copy the hit counts for selected search terms in the search term list. These hit counts are based on the current settings for the search hit list that is on the screen, take all filters into account, the explored path, any active AND combination etc. Forensic license only.

* It is now possible to search for more than 1 search term at a time in an index search. (In this preview version, the edit box for the search terms does not yet work exactly as it is meant to work.) It is now also possible to control the substring and word extension options for index searches run from within the case root window. Forensic license only.

* Improved detection of the sector size and different Apple partition table layouts in CD/DVD raw images.

* Support for HFS+ volumes on optical discs or in images with a sector size of 2048 bytes. Forensic license only.

* Ability to change the attributes "temporary" and "not indexed" of a file in File | Properties, using the letters T and X, respectively.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 21, 2009 - 17:52:   

v15.4 Beta:

* The Back and Forward commands in the Position menu and the Back and Forward buttons in the toolbar now allow you to conveniently go back to a certain directory browser setting. This takes into account: explored path, recursive or non-recursive, sort criteria, on/off state of all filters, settings of some of the filters, some directory browser options. The Back and Forward commands also allow you to activate the previously active data window again when switching between windows (does not work for viewer windows yet). Forensic license only.

* The filters have been given some "intelligence" when navigating from a parent file to a child file or vice-versa, so that the filters "know" when it's a good time to be turned off. Forensic license only.
For example:
- If you are using a filter to focus on all extracted e-mail messages recursively, and then you double-click an individual e-mail message to have a look at its attachments in the directory browser, the filter is automatically deactivated, so that you can actually see these attachments. A simple click on the Back button returns to the previous point of exploration and restores the previous filter settings and the last selection, so that you can easily continue reviewing the next e-mail message!
- If you are using a filter to focus on videos or documents, and then you double-click a video or a document to see the video stills exported for that video or the embedded pictures in that document, respectively, the filter is automatically deactivated, too.
- When you are viewing video stills only, in a gallery, and you use the Backspace key or "Find parent object" menu command to navigate to the video that this still belongs to (e.g. in order to play that video), then any active filters will be turned off so that the video can actually be listed. A simple click on the Back button returns to the previous overview of stills, enables the previous filters again, and restores the last selected item, so that you can easily continue with the next still!
- This works analogously when systematically looking at e-mail attachments, if occasionally for relevant attachments you would like to view the containing e-mail message (and e.g. print it or include it in a report) and then return to the list of attachments.

These two new features combined, intelligent filters on the one hand and back/forward navigation in the directory browser on the other hand, are expected to further improve the usability of the software tremendously.

* It is now possible to explore directories and files with child objects listed in the case root window, e.g. by double-clicking them. For that, the data window will automatically be activated that represents the evidence object that contains the directory or file. With the Back command you can conveniently return to the case root window.

* Improved StreamMRU decoding for the registry report to reveal folders on removable media.

* Error in index search in v15.4 Preview fixed.

* Toggling decimal and hexadecimal offsets by clicking the offset column stopped working in certain situations in v15.2 and v15.3. This was fixed.

* Various minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 31, 2009 - 3:05:   

v15.4 was just released.

Greg Freemyer
Username: freemyer

Registered: N/A
Posted on Friday, Jul 31, 2009 - 17:16:   

It also seems to have fixed an issue with Recovery/Copy of long filenames.

We are working a case where we are extracting lots of files out of about 50 images. With the previous release we were seeing a handful of files that were failing to export due to filename (or path) too long. (Nice error messages and report associations, but nonetheless, no files even though the paths were less than 540 chars).

We've tested several of the problematic files with 15.4 this morning and no issues. Thanks for fixing it before we had time to complain. (And I'm glad we renewed our maintenance just in time to get the new functionality.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Aug 1, 2009 - 22:22:   

SR-1:

* The skin color percentage was initialized with 0%. This was fixed.

* The column widths could not easily be changed in the Directory Browser Options dialog. This was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 5, 2009 - 8:59:   

SR-2:

* Improved ability to recognize dummy partitions defined in MBRs on Apple style GPT-partitioned disks as such.

* It is now optionally possible to apply *any* kind of filter to directories, too. Previously that was possible for the Name filter only. Useful for example for timestamp filters or Attribute filters. See Directory Browser Options.

* The filename filter now optionally supports GREP syntax. The conventional notation to find files whose names contain the word "invoice" for example was *invoice*. With the GREP option enabled you just search for "invoice".

* New option +29 in investigator.ini that prevents the menu command "Replace with new image" from appearing in X-Ways Investigator.

* Back and Forward buttons added to toolbar in X-Ways Investigator.

* Ability to show the history of 10 last authors and file paths in MS Word documents in some rare cases where previously it couldn't.

* Support for sector numbers larger than 2^32 in Tools | Disk Tools | Clone Disk.

* The skin color percentage filter did not work in v15.4 before. This was fixed.

* The edit box for search terms in Simultaneous Search now by default allows you to enter 100,000 characters instead of about 30,000. When search terms are loaded from a text file, there is no fixed limit.

* Fixed occasional unavailability of menu command "Save hit permanently" (for index search hits).

* Avoided exception error that could occur in v15.4 when attaching external files to a volume snapshot.

* Fixed new search hit count for search hits listed in the case root window.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 12, 2009 - 11:57:   

SR-3:

* Fixed an error that could render an index incomplete if substrings were indexed, words in the exception list were longer than the maximum word length being indexed, and the index was optimized. It did not occur with default settings.

* Fixed an exception error that could occur under certain circumstances when running an index search.

* Improved certain aspects of directory browser navigation and gallery handling.

* Lifted limitation to a search term length of 50 bytes in Simultaneous Search for some more settings.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 20, 2009 - 16:17:   

SR-4:

* The Recover/Copy command did not apply the original timestamps for files from within archives in v15.4. This was fixed.

* When in the process of filling an evidence file container with selected files in multiple steps, if you open and interpret the container or add it to the case to take a look at what files you had already included in the container, you may now keep that window opened and simply take a new volume snapshot at any time to see the current contents of the container after adding more files.

* When exporting the contents of the metadata column as a tab-delimited ASCII or Unicode text file, line breaks are now replaced with semicolons instead of spaces, so that the data can be better parsed automatically.

* Fixed an error in metadata extraction from QuickTime files.

* Fixed an avoidable sector read error that could occur when real sector read errors occurred in the Clone Disk functionality.

* Now supports both deletion and internal creation timestamps for files in evidence file containers at the same time.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Aug 30, 2009 - 18:04:   

SR-5:

* A new command was added to the case menu that allows you to conveniently open previously saved reports and display them in the associated or specified application.

* When identifying duplicate files based on hash value, and one of the files has been marked as already viewed, then the duplicates can optionally be marked as already viewed, too. Similarly, if files have already been marked as having duplicates and their hash values are available, when they are viewed, duplicates within the same volume will be marked as already viewed at the same time.

* The crash-safe text decoding mechanism that was introduced with v15.3 is now optional (see Options | Viewer Programs) as it is slower than the earlier method. Once the results are buffered in the volume snapshot, there is no speed difference any more.

* .eml files are no longer decoded for logical searches and indexing when searching for/indexing 7-bit ASCII characters only anyway. In this case searching in/indexing .eml files in their natural state should be good enough. This saves time (especially with the crash-safe decoding mechanism) and reduces the number of duplicate search hits.

* When storing a hash value along with files that are copied into an evidence file container, that hash value is not re-computed any more if it's already contained in the volume snapshot.

* When in a dialog window for any column-based filter you don't activate a deactivated filter, the directory browser is not unnecessarily filled from scratch any more when closing the dialog, so that you don't have to wait if sorting is slow and so that you don't lose selection and scroll position.

* Search hits found when not working with a case are stored in the Position Manager. They are now no longer kept automatically when closing WinHex, but deleted, except those that have been edited using the context menu.

* The legacy option to use the picture viewing library from v13.6 has been removed.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 7, 2009 - 2:46:   

SR-6:

* If a Simultaneous Search is run with search terms A and B, where B is a substring of A, then if a search hit can be counted as a hit for both A and B, it will now be counted as a hit for both. In earlier versions it was counted as 1 hit only, for the search term that was specified first.

Example: In "Peter Peterson" you will now get 2 hits for "Peter" and 1 hit for "Peterson". In earlier versions you would have received either 1 hit for "Peter" and 1 for "Peterson" or 2 hits for "Peter", depending on your preference.

If you don't like to get hits for both "Peter" and "Peterson" in the text "Peterson", you can still use the search hit list's context menu command "Delete duplicate hits in list". This command will give priority to longer hits, i.e. keep "Peterson" and discard the hit for "Peter".

* Functionality that saves index search hits permanently fixed.

* Searching in indexes of multiple evidence objects at a time from the case root window did not work correctly for some recent service releases. This was fixed.

* When hiding duplicates in the directory browser based on hash values, priority is now given to non-carved files, i.e. when in doubt, carved files are hidden and their equivalents with file system metadata are retained.

* It is now possible to start the volume snapshot refinement for selected evidence objects from the case root window.

* Several other minor improvements.
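
The SR-6 hit counting and the "Delete duplicate hits in list" priority rule described in the post above, modelled as an added example; it is not part of the original post and not X-Ways code. The function names, case-sensitive matching, and the rule that a hit is a duplicate when its range lies wholly inside a longer kept hit are assumptions made for illustration.

```python
from collections import Counter
from typing import NamedTuple


class Hit(NamedTuple):
    term: str
    offset: int
    length: int


def find_hits(text, terms):
    """Record every occurrence of every term, so a position that matches
    both a term and one of its substrings yields one hit per term."""
    hits = []
    for term in terms:
        if not term:
            continue
        start = text.find(term)
        while start != -1:
            hits.append(Hit(term, start, len(term)))
            # Advance by one character so overlapping matches are not skipped.
            start = text.find(term, start + 1)
    return sorted(hits, key=lambda h: (h.offset, -h.length))


def hit_counts(hits):
    """Per-term hit counts, as shown in a search term list."""
    return Counter(h.term for h in hits)


def delete_duplicate_hits(hits):
    """Give priority to longer hits: drop any hit whose range is wholly
    covered by a hit that has already been kept (assumed definition of
    'duplicate'; the post only gives the Peter/Peterson case)."""
    kept = []
    for h in sorted(hits, key=lambda h: (-h.length, h.offset)):
        covered = any(
            k.offset <= h.offset and h.offset + h.length <= k.offset + k.length
            for k in kept
        )
        if not covered:
            kept.append(h)
    return sorted(kept, key=lambda h: (h.offset, -h.length))


# Sample input taken from the post's own example.
SAMPLE_TEXT = "Peter Peterson"
SAMPLE_TERMS = ["Peter", "Peterson"]

if __name__ == "__main__":
    all_hits = find_hits(SAMPLE_TEXT, SAMPLE_TERMS)
    print("SR-6 counts:", dict(hit_counts(all_hits)))
    deduped = delete_duplicate_hits(all_hits)
    print("after deleting duplicates:", dict(hit_counts(deduped)))
    for h in deduped:
        print(f"  offset {h.offset:2d}  {h.term}")
```

When reporting hit counts in an examination, note which of the two views a figure comes from, since the same evidence yields different per-term counts before and after duplicate removal.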

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 20, 2009 - 16:36:   

SR-7:

* Based on a request from a major customer, X-Ways Forensics can now be used with a special license type as a pure disk imaging tool (i.e. with disk imaging capability only). The request was based on performance tests in which X-Ways Forensics compared very favorably with other imaging tools. These imaging licenses are available at a special rate. For details please ask.

* Better support for carving Nikon NEF and Canon CR2 raw files as part of the TIFF file type signature definition. Ability to automatically distinguish between these subtypes and detect the file size.

* TIFF metadata extraction revised.

* MS Office 2007, MS Office 2010, OpenOffice 3 metadata extraction revised. The typical fields such as Company, Author and Title now have the same names as in earlier Office versions, which makes it easier to filter by them.

* The search hits produced by physical searches run on physical media or images of physical media that are associated with a case as evidence objects are now also shown in search hit lists and not in the global Position Manager.

* An error that occurred under certain circumstances during a search, related to the message "Unable to record a search hit" or in earlier versions "Internal search term list inconsistent", was fixed.

* The German letter "ß" will not be considered equivalent to "ss" any more for searches that populate the search term list and the search hit list.

* Fixed an error that could occur in v15.4 SR-6 when hiding duplicates in the directory browser based on hash values in the case root window.

* Several other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 20, 2009 - 19:58:   

More information about the X-Ways Forensics licenses for disk imaging only can now be found here in English and German.

Don Camillo
Username: willybilly

Registered: N/A
Posted on Sunday, Sep 20, 2009 - 21:08:   

Would it be possible to offer this dongle in another color or with a special marking so that it is not so problematic to know which one is for the full version and which one is for imaging purposes only?

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 20, 2009 - 21:23:   

You or we could put a small sticker on it, yes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 30, 2009 - 0:58:   

SR-8:

* An error was fixed that in v15.4 SR-7 prevented the inclusion of hash values of some files in the volume snapshot.

* It is now possible to open volumes mounted as drive letters even if they are not formatted with a valid file system.

* The backspace key on the keyboard as a shortcut to navigate to a file's parent object now works in the gallery, too. That is useful for example if you look at video stills in the gallery and want to play the video that a certain still belongs to. Remember that when finished you can click the Back button in the toolbar to return to the previous list of stills.

* Ability to find multiple sessions on images of CDs in some cases where previously only the first session was found.

* Fixed an exception error that occurred in v15.4 SR-7 when extracting metadata without extracting internal creation timestamps at the same time.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 1, 2009 - 11:01:   

In cases where SR-7 did not save the hash values of some files in the volume snapshot, the hash values need to be recomputed, by removing the [ ] "Already done?" checkmark from "Compute hash" and checking [x] "Compute hash", or else these hash values will show as all zeroes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 13, 2009 - 11:30:   

SR-9:

* Now accepts lower case hex digits in record length indicator in Intel Hex files when converting them to binary.

* Ability to extract JPEG and PNG files from Firefox _CACHE_* container files.

* Fixed path errors that occurred when opening a case file using a command line parameter without path.

* Fixed an error that caused X-Ways Forensics to not extract e-mail messages from valid e-mail archives in certain situations. This was accompanied by the "No e-mail found" message.

* More stable when processing corrupt (e.g. carved) AOL PFC e-mail archives.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 28, 2009 - 18:48:   

SR-10:

* Avoids an error message when using the case root window in more than one session simultaneously.

* Shows permissions for files stored in an NTFS file system even in the case root window.

* Exception error from SR-9 fixed that could occur when processing certain AOL PFC e-mail archives.

* Fixed "...is not a valid integer value" error that could occur when extracting e-mail from e-mail archives in SR-9.

* Fixed an error in the GREP search engine.

* Fixed an exception error that could occur when including the contents of encrypted archives in the volume snapshot.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 2, 2009 - 22:08:   

SR-11:

* Individual "File Type Categories.txt" file for each user of a shared installation of X-Ways Forensics/X-Ways Investigator, so that individual file type filter settings are remembered. Depends on whether a user-specific .cfg file is used also, or only one generic WinHex.cfg file.

* When focussing on e-mail messages using e.g. an Attribute filter and selecting e-mail messages that have attachments as child objects for the Recover/Copy command, the attachments were not copied even when [x] "Copy child objects of selected files" was checked, because the filter for e-mail messages did not let any other kinds of files through. This is probably undesirable in most situations, so the behavior was changed in such a way that filters now do not have any effect on the Recover/Copy command any more, and also no effect any more on the command that adds files to an evidence file container.

* Fixed freeze problem that could occur with the new 8.3.2 version of the viewer component in Preview mode in search hit lists.

* Avoids error message about being unable to apply original timestamps to recovered/copied files that were carved within FAT partitions.

* Fixed an error that caused Unicode search hits in the Position Manager to be recorded with a description that was off by 1 character.

* Fixed an error that could cause a path recreation error in the Recover/Copy command of the non-forensic edition of WinHex under certain circumstances.

* Fixed an error that in certain situations within large files could make a search hit be listed once for every search term instead of just for one.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 13, 2009 - 21:26:   

SR-12:

* Fixed read error when scanning e-mail attachments for embedded pictures.

* Fixed an exception error that could occur when processing certain MP3 files.

* Fixed an error that prevented usage of a new output drive when running out of space during indexing.

* Better handling of circular links in deleted directory entries in Ext file systems.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 18, 2010 - 18:15:   

SR-13:

* Some of the fixes introduced in later versions. Available to customers on request.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:01:   

SR-14:

* Some of the fixes introduced in later versions. Available on request to customers whose update maintenance covered v15.4. This is the last service release for v15.4.

Forum operated by X-Ways Software Technology AG.