X-Ways Forum » Public Announcements » X-Ways Forensics 16.1


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 8, 2011 - 21:51:   

A preview version of X-Ways Forensics 16.1 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* X-Ways Forensics can now process Exchange EDB databases and extract user mailboxes with their e-mail, attachments, contacts, appointments and tasks. Requires X-Ways Forensics to run under Windows Vista or later. Tested with and designed for MS Exchange 2007. Feedback much appreciated, also for Exchange versions 2003 and 2010.

* Additional information included in imaging log.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 9, 2011 - 5:29:   

Also in v16.1 Preview:

* New version of the internally used graphics viewing library.

Ted Smith
Username: ted_smith

Registered: N/A
Posted on Monday, May 9, 2011 - 16:20:   

It always amazes me how such major steps are introduced into XWF so quickly! Thanks for introducing this feature Stefan

Ted

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 22, 2011 - 17:10:   

Preview 2:

* More powerful and convenient batch processing thanks to an option to automatically trigger logical searches (previously only indexing) after volume snapshot refinement and thanks to an option to trigger the volume snapshot refinement (and therefore indirectly also logical searches) immediately after adding images to the case. That means you click through all the dialog windows initially and then run the selected operations without further user interaction. The operations will be run in this order: First all images are added to the case. Then the volume snapshots will be taken and refined if selected. After that, for selected evidence objects (previous or newly added ones) a logical search will be run if selected. Finally for each selected evidence object an index can be created.

* Ability to invoke the menu commands to refine volume snapshots and run logical searches in selected evidence objects even when no data window is open at that time. As always, these operations will open data windows themselves when needed and close them automatically when no longer needed, to avoid unnecessary main memory utilization by loaded volume snapshots.

* A new case tree context menu command that allows you to export any portion of the tree to a Unicode text file. The tree will be represented exactly in its current state of expansion and can span all evidence objects. To export a subtree, right-click a directory while holding the control key. Use a fixed font to view the text file. Remember to fully and recursively expand the portion of the tree that you want to export; to do that, you can click the root of that portion and press the asterisk (multiplication) key on the numeric keypad.

* Some errors fixed in Exchange EDB processing, support for some more Exchange EDB variants, and more output about conditions when Exchange EDB processing does not succeed.

* New version of the internally used library for archive decompression.

* Same fixed level as v16.0 SR-6.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 25, 2011 - 17:43:   

Preview 3:

* During lengthy Exchange EDB processing, the main window of X-Ways Forensics now remains responsive, and the progress indicator window provides updates. Also EDB extraction can now be aborted like any other lengthy operation.

* More efficient memory management for EDB processing.

* Filename conflict fixed that could occur in case report creation in v16.0 SR-3 through v16.0 SR-6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 2, 2011 - 22:12:   

Preview 4:

* Case Report: File naming conflict fixed that existed in v16.0 SR-3 through v16.0 SR-6. And filenames are now truncated at latest at 127 characters.

* Ability to change the order of evidence objects in the case tree, via the properties dialog window, except for "dependent" evidence objects (partitions that belong to a physical disk).

* Many additional file signature definitions, mostly for file type verification only.

* The thorough file system data structure search will now check INDX buffers for index records referencing existing files that are not referenced in the $MFT any more because the $MFT is in a corrupt or incomplete state, for example because the image is incomplete.

* Further improved Exchange EDB support. We ask for more testing. Thank you very much!

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 8, 2011 - 16:30:   

Preview 5:

* Ability to interpret VMware's Virtual Machine Disk images (VMDK) in addition to .e01 evidence files, raw/dd images, ISO images and VHD images.

* New Export List command in the registry viewer context menu allows to export all values in the selected hive to a tab-delimited text file.

* Additional edit window in the registry viewer that tells you the logical size of the selected value and the size of its slack. It also interprets registry values of the following types, as known from the registry report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order (menu), ViewView2, SlowInfoCache, IconStreams (Tray notifications), UserAssist, Timestamps (FILETIME, EPOCHE, Epoche8). More to come.

* New special table "External Memory Device" included in registry report that can be retrieved from Software hives of Windows Vista and later that lists external media with access timestamps, hardware serial number, volume label, volume serial number and volume size (size often only under Vista). Select the definition file "Reg Report Devices.txt" to get the table.

* Extracting e-mail from Exchange EDB databases: Memory requirements reduced and further improvements.

* You can now conveniently close viewer windows (whose contents are provided by the viewer component) by hitting the Esc key on your keyboard.

* Notification when opening a case if it can only be opened as read-only because of the read-only file attribute or because of insufficient file permissions.

* Several minor improvements.
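The registry value types listed in the post above follow fixed binary layouts that can be decoded without the registry viewer. The following is an added example, not X-Ways code and not taken from the post: it decodes FILETIME and 32-bit epoch timestamps, an MRUListEx ordering, and ROT13-obfuscated UserAssist value names. The layouts it assumes (FILETIME as 100-ns intervals since 1601-01-01 UTC, MRUListEx as DWORD slot indices terminated by 0xFFFFFFFF, UserAssist names as ROT13) are stated in the docstring; the sample bytes and slot names are constructed.

```python
"""Decoding a few of the registry value formats named above.

Added example, not X-Ways code. Layouts assumed here: FILETIME is an unsigned little-endian
64-bit count of 100-nanosecond intervals since 1601-01-01 UTC; a 32-bit epoch value is
unsigned little-endian seconds since 1970-01-01 UTC; MRUListEx is a list of little-endian
DWORD slot indices terminated by 0xFFFFFFFF; UserAssist value names are ROT13-encoded.
All sample bytes are constructed inline.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw: bytes) -> datetime:
    if len(raw) != 8:
        raise ValueError("FILETIME is 8 bytes")
    ticks, = struct.unpack("<Q", raw)
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)   # 100 ns -> 1 us, truncates


def decode_epoch32(raw: bytes) -> datetime:
    if len(raw) != 4:
        raise ValueError("32-bit epoch is 4 bytes")
    secs, = struct.unpack("<I", raw)
    return _EPOCH_1970 + timedelta(seconds=secs)


def decode_mrulistex(raw: bytes) -> list[int]:
    """Slot numbers in most-recently-used-first order; truncated data is an error, not a guess."""
    order = []
    for off in range(0, len(raw) - 3, 4):
        idx, = struct.unpack_from("<I", raw, off)
        if idx == 0xFFFFFFFF:
            return order
        order.append(idx)
    raise ValueError("MRUListEx has no 0xFFFFFFFF terminator")


def resolve_mru(order: list[int], slots: dict[int, str]) -> list[str]:
    """Map slot numbers to stored values; a missing slot points at a deleted or corrupt entry."""
    return [slots.get(i, "<missing slot %d>" % i) for i in order]


def decode_userassist_name(name: str) -> str:
    return codecs.decode(name, "rot_13")


# Constructed samples: slot 2 was used most recently, then 0, then 1.
MRU_RAW = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)
MRU_SLOTS = {0: "budget.xlsx", 1: "memo.docx", 2: "exfil.zip"}

if __name__ == "__main__":
    print(decode_filetime(struct.pack("<Q", 116444736000000000)))   # 1970-01-01 00:00:00+00:00
    print(decode_epoch32(struct.pack("<I", 1310927460)))             # 2011-07-17 18:31:00+00:00
    print(resolve_mru(decode_mrulistex(MRU_RAW), MRU_SLOTS))
    print(decode_userassist_name("HRZR_PGYFRFFVBA"))                 # UEME_CTLSESSION
```

The MRUListEx decoder deliberately refuses a list without terminator instead of returning a partial order, because a truncated or slack-contaminated value is exactly the case where a silently "reasonable" order would mislead an examiner.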

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 14, 2011 - 20:31:   

Preview 6:

* It is now possible to close filter dialogs by clicking the "x" in the upper right corner or by pressing Alt+F4 without deactivating the filter if it's active and without losing selection and scroll position in the directory browser.

* When using the Recover/Copy command and the output filename has to be shortened to fit in the maximum path length specified by the user, the filename is now shortened in a nicer way, by preserving the extension whenever possible. (forensic license only)

* Ability to automatically hibernate the system after disk imaging, image restoration and disk cloning. (Previously the only option was to shut down the system.) If Windows signals that hibernation fails, X-Ways Forensics will instead try to shut down the system.

* Better response during lengthy Exchange EDB extractions.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 17, 2011 - 12:13:   

Preview 7:

* Registry Viewer: Special interpretation of MountedDevices, OpenSavePidlMRU, and LastVisitedPidlMRU

* Indexing slightly accelerated.

* Imaging with compressed .e01 evidence files as the output format accelerated for disks that contain large areas of binary zeroes, for example because they were wiped by the user some time or zeroed out by the manufacturer and never completely filled.

* New "sparse" compression option for .e01 evidence files that only compresses large areas of zero value bytes in a very efficient way.
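The two imaging points above (faster .e01 output on zero-heavy disks, and a "sparse" option that only special-cases zero areas) come down to one idea: detect all-zero chunks before running the compressor. The block below is an added illustration, not X-Ways code and not the EWF/.e01 container format. It assumes fixed 32 KiB chunks (64 sectors of 512 bytes), stores an all-zero chunk as a single tag byte, and otherwise stores zlib output or the raw chunk, whichever is smaller. The sample image is constructed; the point is that the container round-trips to an identical image (same hash) while the zero regions cost almost nothing.

```python
"""Why imaging a mostly zeroed disk gets cheap once large zero areas are special-cased.

Added example, not the .e01/EWF on-disk format and not X-Ways code. Assumptions: the image is
cut into fixed 32 KiB chunks (64 sectors of 512 bytes); a chunk that is entirely zero bytes is
stored as a single tag byte; every other chunk is stored zlib-compressed unless that would
grow it, in which case it is stored raw. The sample image is constructed inline.
"""
import hashlib
import os
import struct
import zlib

CHUNK = 64 * 512
TAG_ZERO, TAG_DEFLATE, TAG_RAW = 0, 1, 2   # container tags for this example only


def pack_image(data: bytes) -> bytes:
    out = bytearray(struct.pack("<Q", len(data)))        # total length; the last chunk may be short
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        if chunk.count(0) == len(chunk):                  # all zero: no compressor work at all
            out.append(TAG_ZERO)
            continue
        comp = zlib.compress(chunk, 1)
        if len(comp) < len(chunk):
            out.append(TAG_DEFLATE)
            out += struct.pack("<I", len(comp)) + comp
        else:                                             # random/encrypted data: store as is
            out.append(TAG_RAW)
            out += struct.pack("<I", len(chunk)) + chunk
    return bytes(out)


def unpack_image(blob: bytes) -> bytes:
    total, = struct.unpack_from("<Q", blob, 0)
    pos, out = 8, bytearray()
    while len(out) < total:
        tag, pos = blob[pos], pos + 1
        if tag == TAG_ZERO:
            out += bytes(min(CHUNK, total - len(out)))
            continue
        n, = struct.unpack_from("<I", blob, pos)
        pos += 4
        payload = blob[pos:pos + n]
        pos += n
        out += zlib.decompress(payload) if tag == TAG_DEFLATE else payload
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed disk: 64 KiB of incompressible data, zeroes, 31000 bytes of text, more zeroes."""
    incompressible = os.urandom(2 * CHUNK)
    text = b"user data that compresses well " * 1000
    return incompressible + bytes(10 * CHUNK) + text + bytes(10 * CHUNK + 100)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    img = build_sample_image()
    blob = pack_image(img)
    print(f"image {len(img)} bytes -> container {len(blob)} bytes")
    print("hash preserved:", sha256(unpack_image(blob)) == sha256(img))
```

The hash comparison is the part worth keeping in any such scheme: a chunk-level optimisation must never change what the decompressed image hashes to, or the acquisition hash in the log stops meaning anything.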

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 3, 2011 - 21:00:   

Beta 1:

* Ability to edit files without using operating system file write commands, directly on a disk/in a raw disk image in any file system supported, even if not supported by Windows, even files not seen by Windows (e.g. deleted files), even in partitions not seen by Windows (e.g. because they are damaged or deleted), without changing any timestamps or attributes, in in-place mode. For this new editing capability, the file must have been opened from within the already opened volume that contains it, via the Open command in the directory browser context menu or in File mode (forensic license only). Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be edited, except in an evidence file container if they have been copied there from the original disk/image.

Previously it was only possible to edit files when opened via File | Open, using operating system file write commands or indirectly by editing disk sectors. In File mode (forensic license only) and when opening files from within already opened volumes, the only available mode so far was read-only mode. All of this has changed. Note that files cannot be shortened or expanded that way, only the data in already allocated areas can be modified. Editing files opened directly from within disks/raw images as described above is possible in WinHex only, not in X-Ways Forensics or X-Ways Investigator, where sector level write access (to which file editing is internally translated) is disabled and where the only mode available for disks and interpreted images and files opened from within volumes continues to be read-only mode. For owners of a license for X-Ways Forensics, this change only affects the special WinHex version that they receive additionally, not X-Ways Forensics itself.

In forensic computing, electronic discovery and IT security, the new edit capability can be helpful to manually redact (e.g. overtype) specific data that should not be examined/disclosed/seen or to securely erase specific areas within files (e.g. define as a block and fill the block). Note that evidence file containers are raw images if they have not been converted to the .e01 evidence file format and thus allow for retroactive file editing, which, however, will invalidate any accompanying hash values.

It is even possible to edit directories, i.e. the clusters with directory data, e.g. INDX buffers in NTFS, for example if you need to redact the names of certain files.

* New file wiping functionality for files that are selected in the directory browser, via a command in the context menu. The data in the logical portion of the file (i.e. excluding the file slack) will be erased/overwritten with a hex value pattern of your choice. The existence status of the file in its file system will not be changed. No file system level metadata such as timestamps or attributes will be updated because no operating system file level write commands are used. No file system data structures are changed, and no filenames will be erased; only the contents of files will be overwritten. Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be erased. Previously existing files whose clusters are known to have been reused will not be erased. Note that by erasing deleted files you might erase data in clusters that belong to other files, so only select existing files if you want to avoid that (assuming consistent file systems). Also note that by erasing carved files you may erase too much or not enough data, depending on the detected file size and depending on whether the file was originally fragmented. This functionality is only available in WinHex, not in X-Ways Forensics.

Useful for example if copies of images are forwarded to investigators/examiners who are not allowed to see the contents of certain files. Useful also if you have to return computer media on which child pornography has been found to the owner after clearing these files. Also useful if you are preparing images for training purposes that you would like to publish and would like to retroactively erase the contents of copyrighted files (e.g. operating system or application program files).

Both successfully erased files and files that could not be successfully erased will be added to separate report tables by which you can filter to verify the result.

* The metadata extraction functionality has been removed from the directory browser context menu. It is now part of the Refine Volume Snapshot command and thus cannot be applied to selected files any more, but to either all files, tagged files or not hidden files.
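The in-place editing and file wiping described in the post above share one property worth checking in practice: writes go to the file's clusters only, so directory records, timestamps and (for wiping) the file slack are left exactly as they were, while any hash over the image or container no longer matches. The block below is an added example, not X-Ways/WinHex code. It constructs a tiny raw image with a fake directory record and one 1000-byte file whose location is given as a run list of (first cluster, cluster count), the information a file system parser would supply; the wipe pattern, the 1 KiB cluster size and the stale bytes placed in the slack are all assumptions of the example.

```python
"""Overwriting a file's logical contents inside a raw image without touching file system metadata.

Added example, not X-Ways/WinHex code. The image and its 'directory' are constructed here; the
file's location is given as a run list of (first_cluster, cluster_count), which is what a file
system parser would supply. Only `logical_size` bytes are overwritten, so file slack and every
byte outside the runs stay as they were; the only side effect is that any hash of the image changes.
"""
import hashlib

CLUSTER = 1024   # assumed cluster size for the constructed image


def wipe_logical(img: bytearray, runs: list[tuple[int, int]], logical_size: int,
                 pattern: bytes = b"\x00", cluster_size: int = CLUSTER) -> int:
    """Fill the first `logical_size` bytes of the runs with `pattern` (tiled). Returns bytes written."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    remaining = logical_size
    for first, count in runs:
        if remaining == 0:
            break
        length = min(count * cluster_size, remaining)      # stop at the logical size: slack is kept
        start = first * cluster_size
        fill = (pattern * (length // len(pattern) + 1))[:length]
        img[start:start + length] = fill                    # sector-level write, no OS file API
        remaining -= length
    if remaining:
        raise ValueError("run list covers fewer bytes than the logical size")
    return logical_size


def untouched_outside_runs(before: bytes, after: bytes, runs: list[tuple[int, int]],
                           cluster_size: int = CLUSTER) -> bool:
    """True if every byte outside the listed runs is identical in both images."""
    if len(before) != len(after):
        return False
    covered = bytearray(len(before))
    for first, count in runs:
        s = first * cluster_size
        covered[s:s + count * cluster_size] = b"\x01" * (count * cluster_size)
    return all(b == a for b, a, c in zip(before, after, covered) if not c)


def build_sample_image() -> tuple[bytearray, list[tuple[int, int]], int]:
    """Constructed 16-cluster image: a fake directory record in cluster 0 and one 1000-byte file."""
    img = bytearray(16 * CLUSTER)
    img[0:64] = b"SECRET.TXT first=5 size=1000".ljust(64, b"\x00")   # not a real FS structure
    runs, size = [(5, 2)], 1000
    content = (b"confidential line\n" * 60)[:size]
    off = 5 * CLUSTER
    img[off:off + size] = content
    img[off + size:off + 2 * CLUSTER] = b"S" * (2 * CLUSTER - size)   # stale data left in the slack
    return img, runs, size


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    img, runs, size = build_sample_image()
    before = bytes(img)
    wipe_logical(img, runs, size, pattern=b"\xde\xad")
    print("hash before", md5(before))
    print("hash after ", md5(bytes(img)))
    print("metadata untouched:", untouched_outside_runs(before, bytes(img), runs))
```

Two consequences follow directly and match the caveats in the post: the stale bytes in the slack survive the wipe (if they matter, they need a separate sector-level overwrite), and the image hash recorded before the edit is no longer valid, so the edit must be documented and the redacted copy re-hashed.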

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 11, 2011 - 12:56:   

Beta 2:

* The new wiping functionality in the directory browser context menu now also erases data of selected directories, not only file contents.

* Cool new function to create hard links of files on NTFS volumes. Useful for example to play around with hard links during our File Systems Revealed training, or if you would like to add the same image to the same case again, which is only possible under a different name. The hard links will be created in the same directory and of course can be renamed and moved by you after they have been created. Tools | Disk Tools | Create Hard Link.

* Shorter and language-independent case subdirectory names in all cases created by v16.1 and later.

* More convenient procedure when the path or drive letter of an image in a case has changed, especially if the image was added to the case in v16.1 and later and you have updated the standard directory for images in the General Options already.

* New special table in the registry report called "Browser Helper Objects", compiled with data from the hives NTUSER.DAT and SOFTWARE, about browser usage.

* The number of data types that are interpreted by the new edit window further increased. The new edit window now also displays the access rights/permissions of the registry keys if (Default) is selected. Several small improvements in the registry viewer/report.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 17, 2011 - 18:31:   

v16.1 has just been released.

Lawrence Lewis
Username: hminus

Registered: N/A
Posted on Wednesday, Jul 20, 2011 - 15:58:   

The release notes claim that this version requires Windows Vista or later to process EDB databases. Will XP users still have functionality with this version or do we need to upgrade to a newer Windows OS?

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 20, 2011 - 16:47:   

On computers running Windows XP you cannot use this particular functionality. You need to execute X-Ways Forensics on a computer running Windows Vista or later for that. You may not have to upgrade your Windows on computer X, maybe you can just use a different computer Y that already has Vista or later.

Ted Smith
Username: ted_smith

Registered: N/A
Posted on Monday, Jul 25, 2011 - 16:12:   

I've just upgraded from ver 15.9 to 16.1

Really pleased to see so many requested features added, Stefan. e.g. the option to conduct indexing immediately after RVS, the inclusion of the ability to extract internal metadata, the MS Exchange support and the support for virtualised files such as VMWare.

Very impressive.

Ted

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 25, 2011 - 22:17:   

Thank you!

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jul 30, 2011 - 22:46:   

SR-1:

* Dongle insurance. It has always been the policy of X-Ways that lost, misplaced or stolen dongles are not replaced. If you are afraid that your dongle eventually might get lost or stolen, in particular when travelling or working on site (not only in your own office) or when leaving it to contractors, consultants, auditors, lawyers, externally working or temporary employees, or students, you will be happy to hear that it is now possible to insure your dongle against loss! Only if your dongle is insured, you can buy a replacement dongle. Read more.

* Use of intelligent and interactive file write operations that allow you to retry when running out of drive space, after you have freed up more space, without data loss, for volume snapshots and search hits.

* Exchange EDB processing accelerated.

* Support for ShellBags and related data structures in registry viewer and report further improved.

* Some minor improvements.

* Already in original v16.1: Fixed an instability error that could occur in v15.6 through v16.0 when reading from ISO images.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 5, 2011 - 16:46:   

SR-2:

* The keyboard shortcuts for report table associations were not correctly saved in recent releases. This was fixed.

* .eml files will now be decoded for logical searches even when searching for 7-bit ASCII characters only, if one of those characters might be specially encoded in quoted printable.

* The behavior of the "Attach external directory" command in the directory browser context menu has changed slightly.

* Improved compatibility with new viewer component version 8.3.7.

* Fixed an internal directory naming error that occurred when adding dynamic volumes to a newly created case.

* Some minor improvements.
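The quoted-printable point in the SR-2 notes above is easy to underestimate: a keyword made of plain ASCII can still be invisible to a byte-level search, because "=" is encoded as "=3D" and a soft line break ("=" at end of line) can split the word. The following is an added example, not X-Ways code, using only the standard library e-mail parser on a constructed message; it compares a raw byte search with a search over the decoded body parts.

```python
"""Keyword search over a quoted-printable .eml: raw bytes versus decoded body.

Added example, not X-Ways code. The message is constructed inline and parsed with the standard
library. It shows two ways a plain 7-bit ASCII keyword fails to match in the raw file: '=' is
encoded as '=3D', and a soft line break ('=' at end of line) splits a word across lines.
"""
from email import message_from_bytes, policy

SAMPLE_EML = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: access\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Log in with admin=3Dsecret. The pass=\r\n"
    b"word rotates weekly.\r\n"
)


def decoded_bodies(eml: bytes):
    """Yield each non-multipart body with its transfer encoding removed."""
    msg = message_from_bytes(eml, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undoes quoted-printable / base64
        if payload:
            yield payload


def search_raw(eml: bytes, needle: bytes) -> bool:
    """What a byte-level search over the file sees."""
    return needle in eml


def search_decoded(eml: bytes, needle: bytes) -> bool:
    """Search after decoding each body part, which is what a logical search needs to do."""
    return any(needle in body for body in decoded_bodies(eml))


if __name__ == "__main__":
    for needle in (b"admin=secret", b"password"):
        print(needle, "raw:", search_raw(SAMPLE_EML, needle),
              "decoded:", search_decoded(SAMPLE_EML, needle))
```

The same decoder path covers base64 bodies, where no ASCII keyword survives at all; the quoted-printable case is the one that fools people because most of the text is still readable in the raw file.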

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 11, 2011 - 13:46:   

SR-3:

* v16.1 SR-2 was unable to explore archives and reported this properly. Also when it tried, sometimes Windows showed an error message "Bad image". Fixed now.

* Ability to extract attachments from certain .eml files that were not processed by earlier releases.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 24, 2011 - 16:57:   

SR-4:

* Fixed errors in Exchange EDB extraction.

* Exception prevented that could occur when naming certain carved JPEG files.

* Accelerated loading of registry hives.

* Decoding of V values of the SAM hive directly in the registry viewer.

* Error fixed that could prevent the output of registry reports.

* Registry report: Modification dates are now displayed in gray for values that are not the only values in their respective key, as a visual aid to remind the reader that they are not the modification dates of the values.

* Additional information output in registry report.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 3, 2011 - 13:10:   

SR-5:

* Fixed an exception that could occur when decoding e-mail messages for logical searches in SR-2 to SR-4.

* Fixed an error that could prevent getting search hits at the physical end of a file in v16.0 and v16.1.

* Fixed inactivity of multipliers that occur at the end of GREP expressions.

* Improved extraction of certain e-mail header fields if non-standard formatted.

* Jump list metadata presentation in Details mode was incomplete since v16.0. This was fixed.

* Sorting of keys in Registry Viewer fixed.

* Registry report: Output of dummy entries fixed.

* SECURITY hive processing slightly further improved.

* Interpretation of V account structure in SAM hives now almost perfect.

* Fixed an exception error that could occur when searching in an index for characters that were not indexed.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Sep 16, 2011 - 15:13:   

SR-6:

* Improved ability to show text encoded in multi-byte code pages in the text column in Windows 7.

* Avoided message boxes during volume snapshot refinement.

* Avoided message about invalid or unsupported owner ID when including the evidence object level of Windows 7 NTFS volumes in file containers.

* Fixed memory leak that could occur in v16.1 when exploring Gzip archives.

* Automatic file size detection for Gzip archives in the file header signature search.

* v16.1 did not associate LFN entries in FAT file systems with SFN entries if the latter contained code page dependent characters. That was fixed.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 27, 2011 - 23:52:   

SR-7:

* Considerably improved processing of Exchange EDB databases.

* Avoids freeze when encountering a circular loop in a FAT.

* Some minor improvements.
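The FAT loop fix in the SR-7 notes above is a classic parser hazard: a corrupt or deliberately crafted FAT in which a cluster entry points back into its own chain makes a naive chain walker run forever. The block below is an added example, not X-Ways code: a FAT16 chain walker over a constructed table that records every cluster it visits and stops with a status instead of hanging. The FAT16 conventions it assumes (clusters 0 and 1 reserved, 0x0000 free, 0xFFF7 bad, 0xFFF8..0xFFFF end of chain) are stated in the docstring.

```python
"""Walking a FAT cluster chain without hanging on a circular loop.

Added example, not X-Ways code: a small FAT16 chain walker over a FAT table constructed inline.
Assumed FAT16 conventions: entries are little-endian 16-bit, clusters 0 and 1 are reserved,
0x0000 means free, 0xFFF7 means bad, and 0xFFF8..0xFFFF marks end of chain.
"""
import struct

FREE, BAD, EOC_MIN = 0x0000, 0xFFF7, 0xFFF8


def parse_fat16(raw: bytes) -> list[int]:
    """Turn the raw bytes of a FAT16 table into a list of entries (index = cluster number)."""
    if len(raw) % 2:
        raise ValueError("FAT16 table length must be even")
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def walk_chain(fat: list[int], first: int) -> tuple[list[int], str]:
    """Follow the chain starting at `first`.

    Returns (clusters, status). status is "ok" for a properly terminated chain, or "loop",
    "free", "bad" or "range" when the chain is broken; `clusters` then holds everything visited
    up to the problem, so a caller can still recover that much of the file.
    """
    clusters: list[int] = []
    seen: set[int] = set()
    cur = first
    while True:
        if cur < 2 or cur >= len(fat):
            return clusters, "range"
        if cur in seen:                       # entry points back into the chain: circular loop
            return clusters, "loop"
        seen.add(cur)
        clusters.append(cur)
        nxt = fat[cur]
        if nxt >= EOC_MIN:
            return clusters, "ok"
        if nxt == FREE:                       # chain runs into an unallocated cluster
            return clusters, "free"
        if nxt == BAD:
            return clusters, "bad"
        cur = nxt


# Constructed FAT16 table: clusters 2->3->4->2 form a loop, 5->6->7 is a proper chain.
SAMPLE_FAT = parse_fat16(struct.pack("<10H", 0xFFF8, 0xFFFF, 3, 4, 2, 6, 7, 0xFFFF, 0, 0))

if __name__ == "__main__":
    for start in (2, 5, 8, 12):
        print(start, walk_chain(SAMPLE_FAT, start))
```

Keeping the visited set per chain rather than per volume is deliberate: two different files legitimately never share clusters on a consistent volume, but on a damaged one you still want each chain reported on its own, with cross-links showing up as a second pass over the same clusters rather than as a false "loop".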

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 4, 2011 - 9:07:   

SR-8:

* Avoided an exception error that could occur after failed memory allocations.

* Improved compatibility with new viewer component version 8.3.7.

* Ability to create readable .eml files even with certain malformed e-mail headers as sent/stored by MS Outlook in certain situations when extracting e-mail from PST archives. In earlier versions of X-Ways Forensics such e-mail messages were shown as blank by the viewer component (except in Raw mode) and other programs that can view .eml files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 13, 2011 - 19:49:   

SR-9:

* Correct encoding of angled brackets that occur in Windows registry values for the output in registry HTML reports based on advice by TronicGuard / Martin Wundram.

* Improved ability to deal with certain corrupt registry hives.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 24, 2012 - 21:41:   

SR-10:

* Some of the fixes and improvements introduced in later versions. Highly recommended and available on request to users whose update maintenance covered no more than v16.1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 22, 2012 - 14:59:   

SR-11:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.1. This is the last service release for v16.1.

Forum operated by X-Ways Software Technology AG.