X-Ways Forensics 15.8 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways Forum » Public Announcements » X-Ways Forensics 15.8 « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 20, 2010 - 1:53:   

A preview version of X-Ways Forensics 15.8 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Ability to internally reconstruct JBOD, i.e. virtually concatenate spanned physical disks (or images of physical disks), via the menu command Specialist | Reconstruct RAID System. Requires a specialist license or higher.

* Recover/Copy: Ability to group existing and deleted files even when not recreating the original path. Forensic license only.

* Recover/Copy: Ability to group files by other parameters such as file type, category, description, sender, owner, hash set, hash category, report table association. Forensic license only.

* Recover/Copy: The single-character suffix that is used to name output folders for child objects of files (distinguish them from the name of the parent files, avoid name conflicts) is now user-definable. It can also be disabled to return to the behavior of v15.5 and earlier, where the words " child objects" were appended. Forensic license only.

* Recover/Copy no longer recreates the original Windows attributes when copying files because hidden and system attributes often make it unnecessarily complicated to see the output files.

* For e-mail extracted by v15.8, you can now see in the Attribute column if an e-mail message is marked as unread. Forensic license only.

* Revised ability to filter for e-mail messages via the Attr. column. Note that the additional e-mail properties by which you can filter are combined with a logical AND, not OR, as otherwise common within the Attr. filter. Forensic license only.

* The number of files that are contained in a directory or in evidence objects (recursively) is now optionally displayed in the directory tree and in the directory browser directly following the directory name, in parentheses. This allows you to easily find directories or evidence objects/partitions that contain most files. A file count is also provided for files that have child objects. File counts are also presented in a new directory browser column, which is sortable. Forensic license only.

Comments about this new feature and its visual presentation are welcome (e.g. color, preference to display 0 file counts or not, ...)

* Numeric columns in the directory browser such as 1st sector, skin color percentage, internal ID etc. are now right-aligned.

* If recursive selection statistics are enabled, in the directory browser X-Ways Forensics now shows as the size of a directory the total size of all the files directly or indirectly contained in that directory, not the size of the data structures of the directory any more. Comments about this new feature are welcome. The recursive selection statistics now exclude the size of the data structures of the directories themselves.

* The recursive selection statistics are now considerably faster to compute for directories on large volume snapshots.

* It is now possible to monitor lengthy operations in X-Ways Forensics from other computers in the same network, i.e. see whether they are still ongoing or completed. In General Options you can enable progress notifications via text files (that can be created in a directory on a network drive) and via e-mail in user-defined intervals. Forensic license only.

* Detection of eCryptfs-encrypted files (files stored by the Enterprise Cryptographic FileSystem for Linux). Based on material provided by Ted Smith and implementations for Ubuntu 8.10, 9.04, 9.10 and 10.04. Such files will by marked with E in the Attributes column, just like EFS-encrypted files in NTFS, but only after the encryption test has been run. Forensic license only.

* New default directory for cases under Windows Vista and 7 if X-Ways Forensics has been installed with the setup program.

* Several minor improvements.

Please note that volume snapshots created or imported by v15.8 cannot be used by earlier versions any more.
Top of pagePrevious messageNext messageBottom of page Link to this message

Jimmy Weg
Username: jw

Registered: 7-2006
Posted on Monday, Sep 20, 2010 - 17:28:   

I like the directory content numbering, and I think that including the number of children in a file is particularly useful, e.g., with respect to thumbnail stores. I'm not sure yet whether I like the numbers in the case tree, though you were thoughtful enough to provide a three-way check box to turn off that aspect. I would like to see zero count folders, just for the sake of completeness. The color is fine with me, but may be a little light for some. Number-wise, I take it that we're counting files and subfolders are not included in the statistics, regardless of whether the option to list folders in a recursive view is enabled. The Selected number bears that out whan I gave it a test (it does say "files").

I think that the new presentation of the selection statistics for directories is more meaningful. It's also configuarable for those with different preferences.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 23, 2010 - 3:27:   

Preview 2:

* Sent e-mails in PST/OST archives are now extracted as .eml files by the non-MAPI extraction method, too, and their timestamps are now shown in the timestamp columns.

* Outlook calendar entries, contacts, notes, and tasks will now also be shown with timestamps.

* GPS module timestamps and coordinates are now extracted from JPEG files that contain them.

* Certain deleted files that are found during the particularly thorough file system data structure search in NTFS volumes can now be represented with correct contents even if they are fragmented and their FILE records are not available any more.

* The category filter popup menu has a tentatively introduced gimmick that allows to see statistics about the categories of the files currently listed.

* Some minor improvements, e.g. in file type detection.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 23, 2010 - 17:14:   

Preview 3:

* Outlook journal entries are now better represented.

* Comments in zip archives will be extracted by the metadata extraction.

* Zip archives that contain hidden files will now be flagged with a report table association.
Top of pagePrevious messageNext messageBottom of page Link to this message

Tom Yarrish
Username: cdtdelta

Registered: N/A
Posted on Monday, Sep 27, 2010 - 5:36:   

Did something happen with the 15.8 update? When I queried my account to get the links, the email states the current version is 15.7 SR7.

Thanks,
Tom
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 27, 2010 - 10:46:   

No, nothing happened with it, and yes, v15.8 has not been released yet so the current version is 15.7 SR-7. In addition to the link to v15.7 SR-7 there is also a link to 15.8 Preview in the same message, just 1 line below, should be easy to find.
Top of pagePrevious messageNext messageBottom of page Link to this message

Tom Yarrish
Username: cdtdelta

Registered: N/A
Posted on Monday, Sep 27, 2010 - 13:57:   

My mistake, I missed the word "preview" in your original announcement. I did see the link for the preview version in the email as well.

Sorry about that....
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 28, 2010 - 1:22:   

Beta:

* Recover/Copy: Ability to embed attachments that are part (but not the only contents) of e-mail messages in their respective parent .eml files, if both the attachment(s) and the e-mail message are selected for copying and not excluded by any filter. Not yet 100% flawless, but usable. The ability to embed attachments in .eml files already when extracting e-mail from e-mail archives will be removed only in the next version after 15.8.

* Support for non-English attachment names in artificially generated .eml representation of e-mails that were extracted from OST/PST with the non-MAPI method.

* New checkbox for logical searching and indexing that allows to specifically omit directories (i.e. not search NTFS INDX buffer, FAT directory entries etc. etc.).

* Maximum number of search terms that can be logically combined for a fuzzy AND combination slightly increased from 7 to 8.

* Contiguous bad clusters in FAT volumes are now represented as separate virtual files.

* Correct representation of FAT and root directory in the volume snapshot for FAT volumes with only 1 file allocation table.

* Ability to specify non-zero header sizes in component disks of JBODs. Note that if not all the sectors on the component disks are actually used (some reserved at the end) then prior to reconstructing the RAID you can specify the used sector count for each component via Tools | Disk Tools | Set Disk Parameters.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 3, 2010 - 22:34:   

Beta 2:

* Recover/Copy: Encoded size of embedded attachments now always correct. Warning if attachments are to be added and filters are affecting the scope of the operation as that may inadvertently exclude the attachments.

* Fixes of v15.7 SR-8.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 4, 2010 - 21:34:   

Beta 3:

* Polish translation of the menu.

* PNG metadata extraction revised.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 10, 2010 - 21:39:   

v15.8 was just released.

Improvements since Beta 3:

* Support for the Linux file system next3. The exclude bitmap inode will be evaluated, and snapshot files are marked with (SF) in the Attribute column. Specialist license or higher required.

* Table "Partitions by disk signature" in registry report now supported for Windows 7 registries, too. New table "Windows portable devices".
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Oct 23, 2010 - 15:55:   

SR-1:

* Slight improvements in non-MAPI e-mail extraction from OST/PST archives.

* New option to exclude the e-mail header area from .eml files in Preview mode (not Raw mode). See Directory Browser Options. Useful if you would like to see more of the body of the e-mail without scrolling. You can see subject, sender, recipient and dates already in the directory browser. Attachments are listed when exploring the parent .eml file.

* Recover/Copy: Ability to embed attachments in .eml files in certain situations where that was not supported before.

* The option that allows to append the presumed correct extension to misnamed files or files without extension when copying them has been moved to the Recover/Copy dialog window. That this option had no effect under certain cirumstances in the original 15.8 version has been fixed.

* More file signature and file type definitions for Mac OS X.

* Preview mode: Ability to decrypt the Mac OS X 10.5 and 10.6 auto-login password that is stored in /private/etc/kcpassword.

* Ability open reconstruct JBODs that consist of just 2 components. Ability to load previously reconstructed JBODs that were saved in cases as evidence objects.

* Displays the number of items in a report table in the report table filter dialog window and in the report options dialog window.

* Ability to change the order of report tables in the dialog windows for report table filter, report table associations and report options when selecting 1 report table.

* An exception error was fixed that occurred when listing search hits that resulted from a physical search.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 8, 2010 - 22:46:   

SR-2:

* Recover/Copy: When embedding e-mail attachments in their respective parents, the resulting .eml files are now compatible with Thunderbird in most cases (allow to open the attachments).

* Fixed an error that occurred when exporting spanned .whx disk backup files to a single raw image.

* Minor revisions of PDF metadata extraction. Missing separators in .lnk metadata fixed.

* Fixed an exception error that could occur when opening certain FAT volumes.

* Visual representation of restore point change log files improved. They are now parsed for viewing and in Preview mode, not in Details mode any more.

* Fixed an error that could cancel the effect of daylight saving activation or deactivation for certain time zone variants.

* Fixed an exception error that could occur when carving GIF files.

* Some other minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 28, 2010 - 15:44:   

SR-3:

* E-mail extraction from PST/OST: Ability to reference original attachments in .eml files for e-mails with TNEF/winmail.dat attachment style.

* Better representation of meeting requests extracted from Outlook PST/OST files.

* Generally slightly improved representation of e-mail in OST files.

* Some few generated .eml files were displayed without body in the viewer component and in Thunderbird (but OK for example in Outlook Express). This was improved.

* Files with miscellaneous Outlook data such as contacts appointments etc. now have the icons of virtual files.

* Ability to import automatic analysis results (e.g. from DoublePics) back into a case even if evidence objects have been removed or added after the export.

* Memory utilization was inefficient when taking a volume snapshot of Reiser file systems in v15.6 through v15.8 SR-2. This was fixed.

* The progress notification option could not be activated. This was fixed.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 16, 2010 - 9:30:   

SR-4:

* Fixed an error that could occur when using the disk reading cache with very large media.

* Fixed "child objects of files" filter.

* More detailed report when memory allocations fail.

* Ability to deactivate the strict drive letter protection in X-Ways Investigator. New investigator.ini option -36 prevents disabling the strict drive letter protection.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 21, 2010 - 23:20:   

SR-5:

* Recover/Copy: Now the same options that are known from the normal directory browser are also available when copying files from a search hit list. For example, you can automatically copy child objects of selected files and embed attachments in .eml parent files.

* Error messages in message boxes are now additionally logged in messages.txt.

* Some other minor fixes and improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 16, 2011 - 9:46:   

SR-6:

* Fixed inability of v15.8 to correctly convert volume snapshots of v15.3 and before.

* Improved processing of .mht files.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 24, 2011 - 18:26:   

SR-7:

* Fixes that were already announced for v15.9 Beta 10.

* Fixed inability of v15.8 to correctly convert volume snapshots of certain earlier versions.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:00:   

SR-8:

* Some of the fixes introduced in later versions. Available on request to customers whose update maintenance covered v15.8.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 30, 2011 - 21:05:   

SR-9:

* Some of the fixes and improvements introduced in later versions. Available on request to customers whose update maintenance covered v15.8.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2011 - 21:29:   

SR-10:

* Many of the fixes introduced in later versions and some improvements. Highly recommended and available on request to users whose update maintenance covered no more than v15.8.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 24, 2012 - 21:42:   

SR-11:

* Some of the fixes and improvements introduced in later versions. Highly recommended and available on request to users whose update maintenance covered no more than v15.8. This is the last service release for v15.8.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.