X-Ways Forensics 16.3
X-Ways User Forum » Public Announcements

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 25, 2011 - 23:00:   

A preview version of X-Ways Forensics 16.3 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

Evidence file containers

* A new evidence file container format was introduced. The new format can be understood by computer forensic tools other than those from X-Ways. Older versions of WinHex (with a specialist license or higher), X-Ways Forensics and X-Ways Investigator can also understand it. They can all read the contents of all files and show the most essential metadata (e.g. filename, path, many attributes, most timestamps, existing or deleted). To see the maximum amount of metadata as known from the old format, however, please use WinHex/XWF/XWI 16.3 and later. For compatibility purposes you can still create containers in the old format.

* The new format prevents the same files from being erroneously copied twice to the same container.

* Writing and reading very large containers could be faster with the new format (still to be verified).

* Artificial directories can be optionally created in containers of the new format to accommodate child objects of files, for compatibility with tools that do not accept files as child objects of other files in the new container format (non X-Ways tools and WinHex/XWF/XWI 15.9 and earlier). WinHex/XWF/XWI 16.0 and later (latest release, respectively) do not need such artificial directories.

* Containers (both the old and the new format) now remember the valid data length of a file that originates from file systems that support this field even if it is not smaller than the logical file size.

* Files that are encrypted in NTFS or in Zip/RAR archives are no longer completely skipped when selected for inclusion in evidence file containers. They are now included with their metadata, so that the recipient of the container can easily see that there were encrypted files originally. The encrypted data is still not copied for such files. The outer Zip/RAR archives that use encryption for some or all files that they contain are fully copied, of course, and have always been copied.

* Initial zero-value bytes are now skipped when copying the slack of a file to an evidence file container separately, and that object is marked in the container as an excerpt.

File header signature search

* The individual default file sizes of the file header signature search are now specified in bytes instead of KB for more precise carving. That is useful especially when not carving complete files, but just records, entries, micro-formats, main memory network traffic artifacts etc.

* Ability to search for certain file types at the sector level and other file types at the byte level simultaneously. For that purpose, the flag "b" can be set in a new last column of the file header signature definition. This allows searching for whole files and entries at the same time.

* File header signature searches at the byte level can now also be applied to evidence objects that are physical disks (where partitioned areas are skipped because partitions are treated as additional evidence objects separately).

* Another flag "f" can be set in the new last column to indicate that the specified footer signature is used to find data that is not part of the file any more and should be excluded. Ordinary footers are included in the carved file.

The "f" flag is useful for file formats that do not have a well defined footer, where the end of the file can be detected by the occurrence of data that does not belong to the file any more. That could be the same signature as the header (if files of that type occur typically in groups, back to back) or just \x00 (for file formats such as text files that do not contain zero-value bytes, where however \x00 can be expected with a high likelihood in the RAM slack). Such footer signatures should be marked as exclusive because the data matched by it is not part of the file itself.

* The option to search for file header signatures just at cluster boundaries has been discontinued.

* Some minor improvements.

Stefan Fleischmann
Posted on Monday, Oct 31, 2011 - 16:01:   

Preview 2:

* Support for Windows 8 registry hives

* Separate menu command to add memory dumps to the case.

* Fixed disk imaging bug in original v16.3 Preview version.

* Some minor improvements.

Stefan Fleischmann
Posted on Wednesday, Nov 9, 2011 - 20:44:   

Beta:

Evidence file containers

* Evidence file containers of the new format now store examiner comments and report table associations internally, no longer in separate files in a metadata subdirectory. Both comments and report table associations can also be seen in 3rd party tools that understand the new container format.

Usability

* It is now possible to press the Esc key in the search hit list to leave the search hit list (i.e. return to the normal directory browser) and navigate to the file that the selected search hit is contained in, if any.

* It is now possible to press the multiplication key on the numeric keypad of the keyboard or the asterisk key to explore a directory or file with child objects. Useful if you have selected to use double-clicks and the Enter key already for the View command.

* It is now possible to use the asterisk key just like the multiplication key (Windows standard) to fully recursively expand the directory tree from the selected directory downwards.

* It is now possible to navigate back and forward by pressing Ctrl and the cursor keys left and right, just like with the Back and Forward menu and toolbar commands.

* The Back and Forward commands now also remember switches from the normal directory browser to the search hit list and back and are able to undo them.

* It is now possible to explore a directory or file with child objects that contain search hits from within the search hit list. Just note that you would see any of the child objects only if they also contain search hits. If they don't contain any search hits, you will see a reminder that you can use the Back functionality or press Esc to return to the normal directory browser.

* The number of filtered-out search hits in the search hit list when a filter is active is now a more intuitively understandable count.

File format support

* Support for file archives revised. Proven ability to find and read files in corrupt zip archives that WinZip, WinRAR and 7-Zip cannot find.

* Support for pictures with extremely high resolutions (larger than ~ 25 MP).

* Ability to filter for pictures with a skin color percentage of x % or *less*. For example a very low percentage or 0% only can be useful to find scanned documents that have been scanned with full color depth instead of just with a gray scale.

* Additional overview of log-in and log-off operations at the end of the interpretation of .evtx event logs.

* No internal metadata extraction is attempted any more for files marked with a red X.

* A report table association is now created for multi-page TIFF files when extracting metadata.

* Ability to extract internal creation dates from certificates (*.cat, *.cer, *.ctl).

* Performance of JPEG consistency check improved.

* Several minor improvements.

* Same fix level as v16.2 SR-6.

Stefan Fleischmann
Posted on Thursday, Nov 10, 2011 - 15:58:   

Beta 2:

* Avoided exception error that could occur in the original beta version when switching between windows.

* Ability to distinguish between user-created and application-created report tables in evidence file containers.

* v16.3 Beta version also available for X-Ways Investigator.

Stefan Fleischmann
Posted on Wednesday, Nov 16, 2011 - 20:44:   

Beta 3:

* Exchange EDB extraction accelerated by a factor of 2-3.

* File Header Signature Search.txt: Another flag "h" can now be set in the new last column to indicate that the specified header signature is used to find data that is not part of the file any more and should be excluded. Ordinary headers are included in the carved file.

* Better support for pictures with an extremely high resolution.

* Revised standard e-mail extraction mask now includes MS Office 2011 for Mac .olk14MsgSource files to allow for extraction of attachments.

* Original individual e-mail message files present on a disk (like .eml, .emlx or .olk14MsgSource) are now marked in the Attr. column as processed original .eml once they have been processed (e-mail extraction in Refine Volume Snapshot) and thus can be filtered as such. Useful to cover all original individual e-mail files and artificially produced .eml files (representing extracted e-mail) with a single filter (the Attr. filter).

* Avoided an exception error that could occur in v16.3 Preview/Beta when starting a file header signature search.

* Fixed a rare "Internal error 2010" that could occur in earlier versions when running logical searches.

* Several minor improvements.
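The three signature flags described in the first post ("b" for byte-level search, "f" for an exclusive footer) and in Beta 3 ("h" for an exclusive header) are easy to get wrong when writing signature definitions, so here is a small carver that models exactly those semantics. This is an added illustration, not X-Ways code: the `Signature` record is a simplified stand-in for the columns of File Header Signature Search.txt (the real column layout is not reproduced), the 512-byte sector size is assumed, and the three-sector image built by `build_sample` is constructed test data, not a real case.

```python
"""Signature carving with the three flags described in the posts:
"b" = byte-level search (otherwise only sector-aligned hits count),
"f" = exclusive footer (the footer match is not part of the carved file),
"h" = exclusive header (the header match is not part of the carved file).
Added illustration, not X-Ways code; the Signature record is a simplified
stand-in for the columns of File Header Signature Search.txt."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 512  # assumed sector size for sector-level searches


@dataclass
class Signature:
    name: str
    header: bytes            # regex (bytes) matching the header
    footer: Optional[bytes]  # regex (bytes) matching the footer, or None
    max_size: int            # default size in bytes, used when no footer is found
    flags: str = ""          # any of "b", "f", "h"


def carve(data: bytes, sigs: List[Signature]) -> List[Tuple[str, int, int]]:
    """Return (name, start, end) per carved object; end is exclusive."""
    found = []
    for sig in sigs:
        hdr = re.compile(sig.header, re.DOTALL)
        ftr = re.compile(sig.footer, re.DOTALL) if sig.footer else None
        for m in hdr.finditer(data):
            if "b" not in sig.flags and m.start() % SECTOR:
                continue  # sector level: a mid-sector header is not a hit
            # An exclusive header is a delimiter; the file starts after it.
            start = m.end() if "h" in sig.flags else m.start()
            limit = min(m.start() + sig.max_size, len(data))
            end = limit  # no footer within the default size: carve max_size
            if ftr:
                # Search from after the header, so a footer that equals the
                # header finds the *next* record's header, not this one.
                fm = ftr.search(data, m.end(), limit)
                if fm:
                    end = fm.start() if "f" in sig.flags else fm.end()
            if end > start:
                found.append((sig.name, start, end))
    return sorted(found, key=lambda hit: hit[1])


def build_sample() -> bytes:
    """Constructed three-sector test image (not data from any real case)."""
    buf = bytearray(SECTOR * 3)
    # Sector 0: one whole "IMG" file with an ordinary, inclusive footer, and a
    # stray copy of its header mid-sector that a sector-level search must skip.
    img = b"IMGHDR" + b"pixel-data" * 10 + b"IMGEND"
    buf[0:len(img)] = img
    buf[300:306] = b"IMGHDR"
    # Sector 1: three back-to-back 23-byte records with no footer of their
    # own; the next record's header marks the end of the previous record.
    recs = b"".join(b"REC%d" % i + b"x" * 19 for i in range(3))
    buf[SECTOR:SECTOR + len(recs)] = recs
    # Sector 2, unaligned: a text entry followed by RAM-slack zeros, and a
    # log whose "\r\n--\r\n" separators belong to no entry.
    txt = b"TXT:hello world"
    buf[SECTOR * 2 + 37:SECTOR * 2 + 37 + len(txt)] = txt
    log = b"\r\n--\r\nentry one\r\n--\r\nentry two\r\n--\r\n"
    buf[SECTOR * 2 + 200:SECTOR * 2 + 200 + len(log)] = log
    return bytes(buf)


SIGNATURES = [
    Signature("IMG", rb"IMGHDR", rb"IMGEND", 1024),               # sector level, inclusive footer
    Signature("REC", rb"REC[0-9]", rb"REC[0-9]", 64, "bf"),        # next header ends the record
    Signature("TXT", rb"TXT:", rb"\x00", 256, "bf"),               # first zero byte ends the text
    Signature("LOG", rb"\r\n--\r\n", rb"\r\n--\r\n", 64, "bfh"),   # separators excluded at both ends
]

if __name__ == "__main__":
    data = build_sample()
    for name, start, end in carve(data, SIGNATURES):
        print(f"{name} {start:5d}-{end:5d} {data[start:end][:24]!r}")
```

Two details are worth noticing in the output: the record and log signatures use the same pattern as header and footer, which only works because the footer search begins after the header match; and the last log separator has no following footer, so that hit falls back to the default size, which is the case the bytes-instead-of-KB default sizes in the first post are meant to keep small.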

Stefan Fleischmann
Posted on Thursday, Nov 17, 2011 - 10:39:   

Beta 4:

* Ability to reconstruct RAID level 6 systems, more precisely these variants: backward parity (Adaptec), forward parity, and forward delayed parity with non-zero start component (as used by WiebeTech/CRU-Dataport). Information on which manufacturers use which variant and which other variants need to be supported would be very welcome.

* Ability to reconstruct RAID level 5 forward delayed parity (in case it's used anywhere).
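The variants listed in this post (forward vs. backward parity rotation, delayed parity, non-zero start component) are layout parameters that an examiner has to supply correctly before a reconstructed volume makes sense. The following added example, which is not X-Ways code, models them for RAID 5 so the effect of a wrong guess is visible: "forward" is taken to mean that the parity member index increases from one stripe row to the next, "backward" that it decreases, "delayed" that parity stays on the same member for `delay` consecutive rows, and `start` is the member holding parity in row 0. How these map onto X-Ways' or any controller vendor's naming is an assumption, as is the choice to fill data units onto the non-parity members in ascending order. RAID 6's second (Q) parity is not modelled; only the XOR parity and rotation logic are shown. The sample volume is constructed.

```python
"""RAID 5 layout parameters (member count, unit size, parity direction, parity
delay, start member) and what a wrong assumption does to the reassembled
volume. Added illustration, not X-Ways code; the naming and the ascending data
fill order are assumptions."""
from typing import List, Optional


def parity_member(row: int, n: int, forward: bool, delay: int, start: int = 0) -> int:
    """Index of the member holding parity for stripe row `row`."""
    step = row // delay                 # delayed parity: rotate every `delay` rows
    return (start + step) % n if forward else (start - step) % n


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks (RAID 5 parity)."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def build_raid5(data: bytes, n: int, unit: int, forward: bool, delay: int,
                start: int = 0) -> List[bytes]:
    """Stripe `data` across n member images; returns the member images."""
    per_row = (n - 1) * unit
    rows = -(-len(data) // per_row)                  # ceiling division
    data = data.ljust(rows * per_row, b"\0")
    members = [bytearray() for _ in range(n)]
    for r in range(rows):
        row_data = data[r * per_row:(r + 1) * per_row]
        chunks = [row_data[k * unit:(k + 1) * unit] for k in range(n - 1)]
        p = parity_member(r, n, forward, delay, start)
        chunk_iter = iter(chunks)
        for d in range(n):
            members[d] += xor_blocks(chunks) if d == p else next(chunk_iter)
    return [bytes(m) for m in members]


def rebuild_member(members: List[Optional[bytes]]) -> List[bytes]:
    """Recompute the single missing member (given as None) by XORing the rest."""
    present = [m for m in members if m is not None]
    assert len(present) == len(members) - 1, "RAID 5 tolerates exactly one missing member"
    return [m if m is not None else xor_blocks(present) for m in members]


def assemble(members: List[bytes], unit: int, forward: bool, delay: int,
             start: int = 0) -> bytes:
    """Reassemble the logical volume under an assumed parity layout."""
    n = len(members)
    out = bytearray()
    for r in range(len(members[0]) // unit):
        p = parity_member(r, n, forward, delay, start)
        for d in range(n):
            if d != p:
                out += members[d][r * unit:(r + 1) * unit]
    return bytes(out)


if __name__ == "__main__":
    volume = bytes(range(256)) * 3                      # constructed sample data
    disks = build_raid5(volume, n=4, unit=64, forward=True, delay=2)
    damaged = disks[:2] + [None] + disks[3:]            # member 2 lost
    recovered = rebuild_member(damaged)
    print("rebuilt member 2 matches:", recovered[2] == disks[2])
    print("right layout   :", assemble(recovered, 64, True, 2) == volume)
    print("wrong direction:", assemble(disks, 64, False, 2) == volume)
    print("wrong delay    :", assemble(disks, 64, True, 1) == volume)
```

Note that the rebuild of a missing member does not depend on the layout at all (XOR of all members is zero in every row), while the reassembly does: with the wrong direction or delay the first rows still come out right, and the damage only appears where the assumed parity position diverges from the real one, which is why a reconstruction should be checked well past the first stripe rows (e.g. by whether a file system on the volume parses cleanly throughout).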

Stefan Fleischmann
Posted on Thursday, Nov 17, 2011 - 17:04:   

Beta 5:

* The parameters of reconstructed RAID level 6 systems can now be remembered by cases.

* The new container format is now compatible with Mount Image Pro v4 (first add image, then mount file system).

* More Exif metadata extracted from JPEG files: focal length, lens model, F number, serial number, firmware, image unique ID

* Signing date extracted from executable files (.exe, .dll, ...) where present.

* Internal creation timestamp extracted from certificate files (.cat, .cer).

* Path representation of the registry report's verbose mode for printing revised.

* The crash-safe decoding option, if fully selected, now also applies to .eml files, which in previous versions for performance reasons it did not.

Stefan Fleischmann
Posted on Friday, Nov 18, 2011 - 21:13:   

Beta 6:

* Ability to reconstruct RAID level 5 forward dynamic delayed parity.

* Mode Disk/Partition/Container in X-Ways Investigator now hides the hex/text column and instead shows some useful information about the container and the volume snapshot.

* Template for GPT partition tables included and invocable via the directory browser context menu (when right-clicking the virtual file that represents the beginning of a GPT-partitioned disk) and via the drop-down menu of the white arrow button.

* When unlocked with a dongle just for disk imaging purposes, X-Ways Forensics now identifies itself as X-Ways Imager, and a smaller download of just the files that are needed to run X-Ways Forensics as X-Ways Imager is now available separately.

Stefan Fleischmann
Posted on Thursday, Nov 24, 2011 - 11:50:   

Beta 7:

* Memory requirements for Exchange EDB e-mail extraction limited and reduced.

* Prepared to carve .itc2 iTunes artwork cache files and PNG files within them.

* Files in evidence file containers that had child objects in the original volume are no longer shown as having child objects if none of the child objects have been included in the container.

* Some minor improvements. Same fix level as v16.2 SR-8.

Stefan Fleischmann
Posted on Monday, Nov 28, 2011 - 10:55:   

Beta 8:

* Ability to use File | Create Disk Image for physical RAM when opened under Windows XP or 2000.

* Search hits and their context can now also be correctly displayed if in UTF-8.

* Interpretation of timestamps in Ext* file systems is now independent of data interpreter settings for UNIX/C timestamps, as it should be.

* New investigator.ini options:
+40 prevent GREP searches
+41 prevent skin tone detection
+42 prevent inclusion of log in report
+43 prevent inclusion of basic report in report
+44 prevent export of report table associations
+45 prevent file export for analysis
+46 prevent export tree command

* Minor improvements and fixes.

Stefan Fleischmann
Posted on Monday, Nov 28, 2011 - 21:03:   

X-Ways Forensics proved to be around twice as fast as competing products (the usual suspects) in a network disk acquisition test run by the highly competent F-Response development team! (For details please see their blog post at http://www.f-response.com/index.php?option=com_content&view=article&id=324)

New product variant number 1:

* What was formerly called "additional X-Ways Forensics dongles just for disk imaging" is now officially a separate product called X-Ways Imager, which can be purchased by anyone, not just by existing users of X-Ways Forensics. One more function has been added on top of disk imaging and disk cloning: the reconstruction of RAID systems (JBOD, RAID 0, RAID 5, RAID 6). For details please see http://www.x-ways.net/forensics/imager.html.

New product variant number 2:

* X-Ways Investigator CTR is a new, even further reduced version of X-Ways Investigator, which can only open the evidence file containers of X-Ways Forensics and X-Ways Investigator, no other images and no disks/media. X-Ways Investigator CTR is suitable exclusively as an add-on to X-Ways Forensics when splitting up the analysis work across multiple investigators/specialists or when providing files in containers to lawyers or other people involved in the case, like an extremely powerful viewer program for containers. For details please see http://www.x-ways.net/investigator/index-m.html#CTR.

Stefan Fleischmann
Posted on Saturday, Dec 3, 2011 - 10:37:   

Beta 9:

* Exchange EDB extraction improved

* New investigator.ini options:
+47 prevent export list command
+48 prevent metadata extraction

* Security option to verify the chunk CRCs when reading from .e01 evidence files.

* Some minor improvements.

Stefan Fleischmann
Posted on Wednesday, Dec 7, 2011 - 8:36:   

Beta 10:

* Some fixes.

Stefan Fleischmann
Posted on Friday, Dec 9, 2011 - 12:31:   

Beta 11:

* Some exception errors fixed that could occur during metadata extraction.

* Output of dummy entries in registry report fixed.

* Ability to sort by search term column.

* Fixes for Exchange EDB extraction.

* Relative path to viewer component (like .\viewer) now fully supported.

* Some minor improvements.

Stefan Fleischmann
Posted on Thursday, Dec 15, 2011 - 2:14:   

v16.3 has just been released.

Stefan Fleischmann
Posted on Friday, Dec 30, 2011 - 16:18:   

SR-1:

* Improved UTF-8 encoding of GREP expressions.

* Fixed code page display problem with very long search terms.

* Fixed non-acceptance of containers of the new format with certain investigator.ini settings.

* Avoided one more situation where writing sectors could fail under Windows Vista and later.

* Fixed inability of v16.3 to explore nested archives.

Stefan Fleischmann
Posted on Wednesday, Jan 25, 2012 - 20:59:   

SR-2:

* Fixed an exception error that could occur when opening files with certain filenames when Asian code pages were active in Windows.

* Fixes and improvements for Exchange EDB extraction.

* Some minor fixes.

Stefan Fleischmann
Posted on Thursday, Feb 16, 2012 - 9:20:   

SR-3:

* Some of the improvements and fixes introduced already in the v16.4 Preview releases, among them:

* Fixes for Exchange EDB extraction.

* When extracting e-mail from certain e-mail archive types like DBX or MBOX, identical attachments that were attached to different e-mail messages (same name, same contents) were only provided as child objects to 1 e-mail message. That was fixed.

Stefan Fleischmann
Posted on Friday, Feb 17, 2012 - 15:19:   

SR-4:

* \b anchors did not work correctly in v16.3. That was fixed.

Stefan Fleischmann
Posted on Friday, Feb 24, 2012 - 21:41:   

SR-5:

* Fixed errors that could occur in certain cases when extracting embedded pictures from carved files (I/O errors and inability to display the pictures in the gallery).

* Fixed inability to read alternate data streams from evidence file containers of the new format.

* Improved representation of file slack that is deliberately included in evidence file containers of the new format.

* Included buffer overrun fix of libpng 1.5.9 (http://www.libpng.org/pub/png/libpng.html) in the internal graphics viewing library. This fix will also be included in v16.4 Beta 5, v16.2 SR-12, v16.1 SR-10, v16.0 SR-13, v15.9 SR-10, v15.8 SR-11.

Stefan Fleischmann
Posted on Wednesday, Aug 22, 2012 - 14:13:   

SR-6:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.3. This is the last service release for v16.3.

Forum operated by X-Ways Software Technology AG.