X-Ways Forensics 15.7

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 18, 2010 - 19:11:   

A beta version of X-Ways Forensics 15.7 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Support for the exFAT file system. (requires a specialist license or higher)

* Ability to interpret dynamic Virtual PC VHD images. (requires a specialist license or higher) Such images can also be edited (in WinHex, not X-Ways Forensics), but not expanded.

* Ability to interpret .e01 evidence files with an internal chunk size of up to 256 KB (previously up to 128 KB). Useful for example for memory dumps created by other software.

* Old versions of files that are found as part of the thorough file system data structure search in volume shadow copies are now marked as (SC) in the Attribute column and can be filtered. The old contents of old versions of large files will be correctly represented in a future release. The file system level metadata of old versions and the contents of small files are already usually correctly represented.

* Old names/paths of renamed/moved files in NTFS as discovered by the thorough file system data structure search are now by default no longer listed as additional items in the volume snapshot and in the directory browser. Instead, they are mentioned as comments that are attached to the renamed/moved files. This keeps directory browser listings smaller and makes searches quicker than before.

* The Simultaneous Search now supports case-insensitive searches generally, not just for English and German letters.

* GREP expressions may now contain true Unicode characters, and it is now possible to search in specific code pages when using GREP syntax.

* The most important MS Office 2007/2010 and OpenOffice 2/3 document types are now by default decoded for the logical search, and (in conjunction with the recommended data reduction) their main XML files are omitted from the search. That ensures that you get search hits in the documents and not in the XML files, which is more convenient, and that you don't get them twice unnecessarily. The other XML files, which may contain important metadata, are still searched (provided that you have included the contents of archives in the volume snapshot).

* Metadata extraction improved for Windows 7 .lnk files.

* Catalogs of JumpList files are now output in Details mode.

* Ability to recursively delete directory with subdirectories that cannot be deleted with Windows Explorer or other Windows tools and commands because of illegal characters, via Tools | File Tools | Delete recursively.

* Improved behavior when encountering already running instances. A new middle state allows you to decide on a case-by-case basis whether to start another instance.

* There is now an option to filter by internal ID. Useful for example and very easy to use if you would like to focus on the x files that were added to the volume snapshot last or if you would like to resume a logical search with internal ID y (and filter out files that have already been searched).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 26, 2010 - 0:06:   

Beta 2:

* Introduced an interface that allows you to copy files of a certain category from selected evidence objects to a user-defined output directory for analysis by a certain external program. The external program can then identify relevant files or classify files. The result can be imported back into the case and will be shown as report table associations, by which you can filter or create reports. The interface works at the case level and requires a forensic license or X-Ways Investigator.

* Through this interface, using the upcoming professional version of the software DoublePics (www.dotnetfabrik.de) and a database of pictures from previous cases as often maintained by law enforcement agencies that have to deal with child pornography cases, it is possible to conveniently and automatically categorize pictures in new cases that are known already, as relevant or irrelevant or "gray area" or whatever. Known pictures can be recognized even if they are stored in a different file format, resized, if the colors or the quality are different or they have been edited, thanks to fuzzy logic and adjustable sensitivity and tolerance.

* When using the non-MAPI method to extract e-mails from PST/OST archives, HTML e-mails are now also usually represented in .eml format (except for outgoing/sent messages). Additionally, a clickable link to the attachments is now included in Preview mode (except for outgoing/sent messages, and not guaranteed to work if attachments have non-English names).

* Fixed an exception error that could occur when taking a volume snapshot.

* Previous limitations for writing sectors in partitioned areas under Windows Vista/7 have been practically removed. In 99% of all cases it is now possible to write sectors in these Windows versions.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 29, 2010 - 0:01:   

v15.7 was just released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 29, 2010 - 11:47:   

SR-1:

* The Sender/Recipient columns were swapped. This was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 29, 2010 - 23:49:   

SR-2:

* Fixed two errors that could interrupt taking a volume snapshot.
Ted Smith
Username: ted_smith

Registered: N/A
Posted on Friday, Jul 30, 2010 - 10:44:   

Stefan

Regarding the support for Virtual Machines. The post above and the manual say "Also dynamic Virtual PC VHD images can be interpreted."

Are you saying it supports just the Microsoft Virtual PC VHD images, or will XWF parse most virtual file formats, such as VirtualBox, VMWare etc? I realise you replied to me by e-mail but it didn't specifically say which virtual formats are now supported. I'm assuming that by "Virtual PC" you are referring to the Microsoft virtualisation software, or are you using it as a generic phrase to describe all virtual formats?

Ta

Ted
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 30, 2010 - 12:14:   

Really just VHD images, and just the dynamic ones. Upper case "V" in "Virtual PC" because I mean the product with that name.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 13, 2010 - 7:34:   

SR-3:

* Non-MAPI PST/OST processing further improved.

* Ability to restore the last filter settings (via the Back button in the toolbar) also when deactivating all filters with a single mouse click.

* Fixed an exception error that could occur when creating a Technical Details Report for certain not 100% efficiently formatted large FAT32 volumes.

* Fixed inefficient handling of negated GREP expressions for searches in Unicode.

* Fixed HTML export for GREP search hits.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 6, 2010 - 7:15:   

SR-4:

* The Italian translation of the user interface was updated.

* Ability to turn off the strict drive letter protection when saving files.

* If the preferred e-mail extraction method for PST files is MAPI, the non-MAPI method is still used to find traces of e-mail messages in unallocated space within the PST files.

* Ability to distinguish ZIPX and XAP files from ordinary Zip archives.

* Additional registry report definitions.

* Ability to automatically extract SID/username combinations from non-standard SAM hives where previously that failed.

* Otherwise improved Windows Registry support for Windows versions from XP to 7.

* Two exception errors were fixed that could occur when processing registry hives.

* Fixed a problem when exporting search hits without context that were the result of GREP expressions.

* Fixed a crash that could occur when importing a folder with hash sets or hash sets with duplicate hash values.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 12, 2010 - 22:28:   

SR-5:

* "NOT" option for the file type filter.

* Better processing of some unusual FAT volume layouts.

* Fixed an exception error that could occur when opening certain FAT volumes.

* Improved PDF metadata extraction for certain PDF generators.

* Slight improvements for registry report.

* Polish translation of user interface (still being tested).

* Fixed an exception error that could occur when generating the registry report.

* Fixed e-mail extraction path problem of v15.7 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 15, 2010 - 15:55:   

SR-6:

* Better prepared to work with new viewer component version.

* The filename filter is now optionally case-sensitive.

* GREP expressions used for the filename filter may now contain true Unicode characters (e.g. Chinese) and may now use the ^ anchor.

* An error was fixed in the filename filter that affected v15.7 when GREP syntax was used.

* Fixed line breaks in .eml files produced from OST/PST with the non-MAPI method in SR-3 and later.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 23, 2010 - 3:26:   

SR-7:

* Fixed an exception error that could occur when converting from hex ASCII to binary with the Edit | Convert menu command.

* Certain received e-mails with attachments in OST/PST archives were not represented correctly if extracted with the non-MAPI method. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 4, 2010 - 9:13:   

SR-8:

* Certain malformed start directory entries of subdirectories in FAT file systems are now tolerated.

* Multipliers in GREP notation may not have worked correctly in Unicode in v15.7. That was fixed.

* Hex values in square brackets were not evaluated correctly in GREP notation in v15.7. That was fixed.

* Fixed an exception error that could occur when completing a physical search with no search hits.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:01:   

SR-9:

* Some of the fixes introduced in later versions. Available on request to customers whose update maintenance covered v15.7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2011 - 21:28:   

SR-10:

* Many of the fixes introduced in later versions and some improvements. Highly recommended and available on request to users whose update maintenance covered no more than v15.7. This is the last service release for v15.7.

Forum operated by X-Ways Software Technology AG.