X-Ways Forensics 16.5

X-Ways Forum » Public Announcements » X-Ways Forensics 16.5

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 22, 2012 - 19:16:   

A preview version of X-Ways Forensics 16.5 is now available (32-bit edition). The download link can be retrieved as always by querying one's license status.

What's new?

File Format Support

* Ability to view browser SQLite databases after generating previews for them using a new option in Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and more, which also requires that the files have been checked for their true file type. Supports Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, and Safari feeds. Still testing.

* Ability to view Internet Explorer index.dat files after generating previews for them with the same function.

* Ability to generate previews as child objects for Windows Event Logs (.evt and .evtx).

(Future releases are supposed to generate such previews for even more file formats.)

* The new HTML child objects can not only be used internally by X-Ways Forensics for previews of the parent file. You can also view all of these tables in an external program such as your preferred browser or in MS Excel by sending these child objects to the program of your choice (directory browser context menu). The existence of HTML child objects with searchable text for browser data, event logs and more data sources in future releases also improves effectiveness of searches and indexing.

* Ability to view Outlook NK2 auto-complete files, Outlook WAB address books, and Internet Explorer travellog files (a.k.a. RecoveryStore).

* Ability to extract metadata from MS Access database files.

File System Support

* Support for MBR LVM2 and GPT LVM2 partitioned disks as commonly used by Fedora/Red Hat and also available in Debian. Single-disk approaches (like the default behaviour when installing Fedora on an ordinary hard drive) and spanned volumes (i.e. logical volumes spanning several physical disks) are supported; the latter require all constituent disks/images to be open in X-Ways Forensics in order to find all data required.

* NTFS FILE record 0x30 attribute timestamps are now displayed in Details mode next to their 0x10 counterparts.

* Ability to recognize the new ReFS file system as such.

File Carving

* File header signature search: That the start sectors of files that are already known to the volume snapshot are always excluded from file carving is now optional. Of course, X-Ways Forensics still tries to prevent duplicates, but if the file header signature definition or the internal file size detection is strong enough to suggest that a known deleted file was overwritten with a new file, then that new file will be carved although it shares the same start sector with the known file.

* If you intentionally abort the file header signature search or if the file header signature search causes X-Ways Forensics to crash, the next time you start a file header signature search in the same evidence object, you will find an option to resume it right where you had interrupted it, or where it was when the volume snapshot was last saved before the crash occurred (depends on the auto-save interval of the case).

Image Support

* Support for VMDK snapshot images. The base image and any preceding snapshot images have to be open and interpreted already when interpreting a later snapshot.

* Ability to create evidence file containers from File | Create Disk Image where some new users may expect that kind of functionality. (X-Ways Forensics only, not WinHex)

* The field to include notes in an .e01 evidence file when creating an image is now larger and allows line breaks. Useful if you wish to use it for more information and structure the notes more clearly.

Usability

* When starting volume snapshot refinements, simultaneous searches or indexing, most other functionality now remains accessible and usable. The directory browser, the case tree and all other user interface elements including all menus remain reasonably responsive most of the time. That means for example you can continue to view files, enter comments about them, add them to report tables, explore directories, activate or deactivate filters, sort files, print files, open and close other evidence objects. BTW, there is an option to minimize the small progress indicator window if you right-click its caption.

* Multiple dongles attached to the same computer (e.g. terminal server) are now supported, to allow for multiple simultaneous users at the same computer not only with multi-user dongles (cf. http://www.x-ways.net/forensics/dongle.html). Each user can select which dongle to use when starting up the software. The ID of the dongle that he or she had used last will be preselected. The textual notes that are stored in the dongles, if any, will also be displayed to make it easier to choose the right dongle.

* If the only filter that is active is the "naturally active" filter that causes hidden items not to be listed, and when items that are hidden are actually filtered out in the directory browser, then the additional filter icons that indicate an active filter are now displayed in gray, no longer in glaring blue, to reinforce the notion that it is *normal* that hidden items are not listed and nothing else is filtered out.

* Options in Name filter dialog clarified.

* The option to power down or hibernate the computer after completion of imaging or disk cloning is now available in the progress indicator window, so that you can still see during the process whether you had selected it and so that you can still change your mind.

* Virtually attached files now have a paperclip icon.

* Pressing the backspace key and spacebar now works in the case tree.

* Several minor improvements. Same fix level as v16.4 SR-5.
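The two carving points above (file size detection from the header, and the now optional exclusion of start sectors already known to the volume snapshot) can be illustrated with SQLite databases, whose 100-byte header states page size and page count. The following is an added example written for this page, not X-Ways code; the 512-byte sector size, the plausibility rules, the sample image and the set of "known" start sectors are constructed assumptions:

```python
"""Header-based carving of SQLite 3 databases (added example; not X-Ways code).

The internal file size is derived from the 100-byte SQLite header, and the carver
can optionally still carve a hit whose start sector already belongs to a file known
to the volume snapshot, provided the header-derived size is strong enough.
"""
import struct
from typing import Dict, List, Optional, Set

SQLITE_MAGIC = b"SQLite format 3\x00"
SECTOR = 512  # assumption for the sample image


def sqlite_size_from_header(hdr: bytes) -> Optional[int]:
    """Size in bytes implied by a SQLite header, or None if it cannot be trusted.

    Offsets per the SQLite file format: page size at 16 (big-endian, 1 means
    65536), change counter at 24, page count at 28, 'version-valid-for' at 92.
    The page count is only reliable when the change counter equals the
    version-valid-for value; older writers may also leave it at zero.
    """
    if len(hdr) < 100 or not hdr.startswith(SQLITE_MAGIC):
        return None
    page_size = struct.unpack_from(">H", hdr, 16)[0]
    if page_size == 1:
        page_size = 65536
    if page_size < 512 or page_size & (page_size - 1):
        return None  # must be a power of two between 512 and 65536
    change_counter = struct.unpack_from(">I", hdr, 24)[0]
    page_count = struct.unpack_from(">I", hdr, 28)[0]
    valid_for = struct.unpack_from(">I", hdr, 92)[0]
    if page_count == 0 or change_counter != valid_for:
        return None
    return page_size * page_count


def carve_sqlite(image: bytes, known_starts: Set[int], skip_known: bool = True) -> List[Dict]:
    """Scan sector boundaries for SQLite headers and return carve hits.

    known_starts: byte offsets that are start sectors of files already in the
    volume snapshot. skip_known=True is the old always-exclude behaviour;
    skip_known=False carves a known start sector anyway when the header yields
    a strong size, i.e. a known deleted file was probably overwritten.
    """
    hits = []
    for off in range(0, len(image) - 100, SECTOR):
        if image[off:off + 16] != SQLITE_MAGIC:
            continue
        size = sqlite_size_from_header(image[off:off + 100])
        if off in known_starts and (skip_known or size is None):
            continue  # excluded outright, or header too weak to justify a duplicate
        hits.append({
            "offset": off,
            "size": size if size is not None else len(image) - off,  # weak fallback: carve to end
            "strong": size is not None,
        })
    return hits


def make_header(page_size: int, page_count: int, change_counter: int = 7, valid_for: int = 7) -> bytes:
    """Build a constructed 100-byte SQLite header for the sample image."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    struct.pack_into(">I", hdr, 24, change_counter)
    struct.pack_into(">I", hdr, 28, page_count)
    struct.pack_into(">I", hdr, 92, valid_for)
    return bytes(hdr)


def build_sample_image() -> bytes:
    """Constructed 16 KiB image: three databases, two at sectors the snapshot already knows."""
    img = bytearray(32 * SECTOR)
    img[0:100] = make_header(1024, 4)          # known live file, 4096 bytes
    img[8192:8292] = make_header(512, 6)       # new db written over a known deleted file, 3072 bytes
    img[12288:12388] = make_header(1024, 0)    # page count 0: size unknown, weak hit
    return bytes(img)


KNOWN_STARTS = {0, 8192}  # constructed: start sectors recorded in the volume snapshot

if __name__ == "__main__":
    img = build_sample_image()
    for mode in (True, False):
        print("skip_known=%s:" % mode, carve_sqlite(img, KNOWN_STARTS, skip_known=mode))
```

With skip_known=True only the unknown-size hit at 12288 is reported; with skip_known=False the overwritten sector at 8192 is carved as well because its header gives a strong size, while a weak header at a known start sector would still be suppressed.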

Janko Savnik
Username: janko

Registered: N/A
Posted on Sunday, Apr 22, 2012 - 20:34:   

Incredible! Congratulations:-)

Nearly all of my to-be wish list issues are fulfilled.

Just keep up excellent work!!!

Jimmy Weg
Username: jw

Registered: 7-2006
Posted on Sunday, Apr 22, 2012 - 23:38:   

Absolutely! Stefan, is there supposed to be a setup.exe included?

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 23, 2012 - 7:24:   

No, I have left it out this time.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 25, 2012 - 21:54:   

Preview 2:

* Revised extraction of e-mail messages and attachments from MSG files that does not require MAPI. Still testing.

* Ability to use the General Position Manager in File mode.

* Automatic highlighting of aligned FILETIME values in Disk/Partition/Volume and File mode. Useful when manually inspecting files of various Microsoft formats which may contain more timestamps than can be automatically extracted (try e.g. with index.dat, registry hives, .lnk shortcut files etc. etc.). If the lower half of a data window has the focus and FILETIME values are highlighted, you may also hover the mouse cursor over such a value to get a human readable interpretation of the timestamp. Alternatively, of course, you could get it from the data interpreter if you click the first byte of the value.

* The volume snapshot option "Include files whose clusters are unknown" has turned into one of the infamous 3-state options. If fully checked, all previously existing files of which metadata only is known will be included in a volume snapshot. If not checked at all, those files will be ignored. If half checked, only files for which more than just the name is known (e.g. size, attributes, and timestamps) will be included, e.g. found in index records in INDX buffers or in $LogFile in NTFS, but not directory entry remnants in Ext* or Reiser file systems.

* Some fixes and improvements, among them for Internet browser previews.
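For the FILETIME highlighting described in Preview 2, the following added example (not X-Ways code) scans a buffer at a chosen alignment for little-endian QWORDs that decode to a plausible FILETIME and reports them in human-readable form. The 1990..2030 plausibility window and the sample buffer are assumptions made for the illustration:

```python
"""Heuristic scan for aligned FILETIME values in a binary (added example; not X-Ways code).

Every aligned little-endian QWORD is read as a FILETIME (100 ns ticks since
1601-01-01 UTC) and reported if it falls in a plausible window. Window bounds
and the sample buffer are assumptions.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME (integer 100 ns ticks)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME -> UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Plausibility window (assumption): anything outside is treated as data, not a timestamp.
FT_LOW = datetime_to_filetime(datetime(1990, 1, 1, tzinfo=timezone.utc))
FT_HIGH = datetime_to_filetime(datetime(2030, 1, 1, tzinfo=timezone.utc))


def find_aligned_filetimes(buf: bytes, alignment: int = 8) -> List[Tuple[int, datetime]]:
    """Return (offset, datetime) for each aligned QWORD that decodes to a plausible FILETIME."""
    hits = []
    for off in range(0, len(buf) - 7, alignment):
        ft = struct.unpack_from("<Q", buf, off)[0]
        if FT_LOW <= ft <= FT_HIGH:
            hits.append((off, filetime_to_datetime(ft)))
    return hits


def build_sample() -> bytes:
    """Constructed buffer resembling a shortcut/registry-style record:
    three 8-aligned timestamps at 8/16/24, one misaligned at 36, and non-timestamp data."""
    utc = timezone.utc
    buf = bytearray(8)  # leading header bytes, all zero
    for dt in (datetime(2012, 4, 22, 19, 16, tzinfo=utc),
               datetime(2012, 6, 22, 19, 16, tzinfo=utc),
               datetime(2012, 7, 4, 23, 7, tzinfo=utc)):
        buf += struct.pack("<Q", datetime_to_filetime(dt))
    buf += b"\xff\xff\xff\xff"                                    # 32..35: flags, not a timestamp
    buf += struct.pack("<Q", datetime_to_filetime(datetime(2012, 5, 27, 20, 23, tzinfo=utc)))  # 36..43
    buf += b"\xff\xff\xff\xff"                                    # 44..47: filler
    buf += struct.pack("<Q", 0x0102030405060708)                  # 48..55: ordinary data (year 1831)
    return bytes(buf)


if __name__ == "__main__":
    for off, dt in find_aligned_filetimes(build_sample()):
        print("0x%04X  %s" % (off, dt.strftime("%Y-%m-%d %H:%M:%S UTC")))
```

An 8-byte alignment finds the three timestamps at 8, 16 and 24 and misses the one at 36; rerunning with alignment=4 also finds the misaligned value, which is the trade-off between false negatives and extra noise when highlighting.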

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 26, 2012 - 20:04:   

Preview 3:

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 4, 2012 - 15:46:   

Preview 4:

* Support for various UDF file system versions and specialties revised and considerably extended: Improved support for UDF when used on media other than optical discs, as well as added support for UDF virtual partitions and UDF metadata partitions.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 8, 2012 - 18:27:   

Beta 1:

* New X-Tension API functions: XWF_CreateContainer, XWF_CopyToContainer, XWF_CloseContainer, XWF_CreateEvObj. New functionality was added to the XWF_SetItemInformation function. Cf. http://www.x-ways.net/forensics/x-tensions/api.html.

* A plug-in to run Python scripts as X-Tensions can now be downloaded from the X-Tension API web page, along with 2 sample scripts. Still in a testing stage!

* Automatic extraction of .lnk shortcut files from automaticdestinations-ms jump lists during volume snapshot refinement.

* Revised extraction of attachments from original .eml files.

* Preview available for Outlook Express DBX e-mail archives.

* Registry report definition files revised. New definition file Reg Report Autorun.txt included.

* View command now works for SQLite database and index.dat files that have an HTML child object in the same way as Preview mode. Improved processing of SQLite databases.

* Support for named streams in UDF (the UDF implementation of alternate data streams as known from NTFS).

* Fixed inability to read from flat VMDK images.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 11, 2012 - 14:28:   

Beta 2:

* Ability to reconstruct Linux software RAIDs from partitions. The partitions need to be opened before they can be selected.

* Revised support for SQLite databases.

* Ability to split HTML tables for browser databases and event logs after an arbitrary number of rows. You can set this number much higher if you do view the HTML previews externally with your preferred Internet browser and not with the viewer component.

* Ability to interpret certain VMDK images that previous v16.5 releases could not deal with.

* Improved ability to deal with corrupt .evtx event log files.

* Minor improvements.
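To show what the HTML child objects for browser databases contain, and why a "maximum rows per table" setting of 0 is a problem, here is an added example that is not X-Ways code. It queries a Chrome History database (real table and column names), converts Chrome/WebKit and Firefox PRTime timestamps, HTML-escapes every cell so that a hostile page title from the suspect's history cannot run as script when the examiner opens the preview in a browser, and splits the output after max_rows rows. The database content is constructed:

```python
"""Browser SQLite history -> HTML preview tables (added example; not X-Ways code).

One query per database type, browser-specific timestamp conversion,
HTML-escaping of attacker-controlled strings, and splitting into tables of
at most max_rows rows. Table/column names are the real Chrome and Firefox
schemas; the sample database content is constructed.
"""
import html
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Sequence

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def chrome_time(us) -> str:
    """Chrome/WebKit: microseconds since 1601-01-01 UTC; 0/NULL means unknown."""
    if not us:
        return ""
    return (WEBKIT_EPOCH + timedelta(microseconds=int(us))).strftime("%Y-%m-%d %H:%M:%S")


def firefox_time(us) -> str:
    """Firefox PRTime: microseconds since 1970-01-01 UTC."""
    if not us:
        return ""
    return (UNIX_EPOCH + timedelta(microseconds=int(us))).strftime("%Y-%m-%d %H:%M:%S")


# database type -> (SQL, column headers, converter applied to the last column)
QUERIES = {
    "chrome_history": (
        "SELECT u.url, u.title, v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
        "ORDER BY v.visit_time",
        ("URL", "Title", "Visit time (UTC)"), chrome_time),
    "firefox_history": (
        "SELECT p.url, p.title, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date",
        ("URL", "Title", "Visit time (UTC)"), firefox_time),
}


def rows_to_html_tables(headers: Sequence[str], rows: Sequence[Sequence],
                        max_rows: int, time_fn: Callable) -> List[str]:
    """Render rows as one or more HTML tables of at most max_rows rows each.

    Every cell is HTML-escaped: a title such as <script>alert(1)</script> in a
    suspect's history must render as text in the examiner's browser.
    """
    if max_rows <= 0:
        raise ValueError("max_rows must be positive; 0 would produce no table at all")
    tables = []
    for start in range(0, len(rows), max_rows):
        out = ['<table border="1">',
               "<tr>" + "".join("<th>%s</th>" % html.escape(h) for h in headers) + "</tr>"]
        for row in rows[start:start + max_rows]:
            cells = list(row[:-1]) + [time_fn(row[-1])]
            out.append("<tr>" + "".join("<td>%s</td>" % html.escape("" if c is None else str(c))
                                        for c in cells) + "</tr>")
        out.append("</table>")
        tables.append("\n".join(out))
    return tables


def export_tables(conn: sqlite3.Connection, db_type: str, max_rows: int = 100) -> List[str]:
    """Run the query for db_type and return the HTML table chunks."""
    sql, headers, time_fn = QUERIES[db_type]
    return rows_to_html_tables(headers, conn.execute(sql).fetchall(), max_rows, time_fn)


def build_sample_chrome_history() -> sqlite3.Connection:
    """Constructed in-memory Chrome 'History' database with five visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "http://www.x-ways.net/forensics/", "X-Ways Forensics"),
        (2, "http://example.test/<script>alert(1)</script>", "<script>alert(1)</script>"),
        (3, "http://example.test/login", None),
    ])
    base = 12979595760000000  # 2012-04-22 19:16:00 UTC in WebKit microseconds (constructed)
    conn.executemany("INSERT INTO visits VALUES (?,?,?)", [
        (i + 1, url_id, base + i * 60_000_000) for i, url_id in enumerate((1, 2, 3, 1, 2))
    ])
    return conn


if __name__ == "__main__":
    for i, table in enumerate(export_tables(build_sample_chrome_history(), "chrome_history", max_rows=2)):
        print("--- table %d ---\n%s" % (i + 1, table))
```

With max_rows=2 the five visits become three tables; a large value is fine when the HTML is opened externally, and the function refuses 0 instead of silently emitting nothing, which is the situation the PS below warns about for early v16.5 previews.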

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 11, 2012 - 14:37:   

PS: Users who had run previous v16.5 preview or beta versions please make sure that the maximum number of rows per table in the options dialog for "Extract internal metadata" is not 0. A recommended value is 100. Thank you.

"VHD" in previous posting corrected to "VMDK".

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 18, 2012 - 11:56:   

Beta 3:

* The X-Tension API was noticeably extended:
Ability to load X-Tension DLLs from any directory. By default, X-Ways Forensics expects X-Tension DLLs in the directory for scripts and templates.
Only selected X-Tensions will be executed, not all X-Tensions that were added to the list.
A new version of the Python plug-in and a minimal Python installation are now downloadable.
3 important new functions XWF_Search, XWF_OpenItem and XWF_Close were added.
XT_ProcessSearchHit now receives a handle of the item or volume in which a search hit was found, for optional further reading.
More return values for XT_Prepare supported.
New flag for XWF_OutputMessage function.

* A permanent preview can now be generated for $UsnJrnl:$J as part of metadata extraction, so that it does not have to be generated on demand when viewing or previewing this journal, which can be potentially time-consuming for large specimens (0.5 - 1.5 GB).

* Ability to only include associations with user-created report tables in evidence file containers, not those created by X-Ways Forensics itself. To make use of this feature, make sure that the option to export report table associations is only half checked when you create a container. This is now also the new default setting.

* Several minor improvements, some bug fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 22, 2012 - 8:50:   

Beta 4:

* Metadata extraction from Manifest.mbdx and Manifest.mbdb iPhone backup files.

* Revised extraction of e-mail messages and attachments from DBX e-mail archives. Still testing.

* HTML preview generation for certain file types updated.

* Fixed a byte level file header signature search error that occurred in Beta 3.

* Fixed error that occurred when sorting by the ST# column.

* Last parameter in XWF_GetItemInformation API function fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 23, 2012 - 10:44:   

Beta 5:

* Ability to select new e-mail extraction methods individually for PST, MSG, DBX, MBOX, and EML. The old extraction method for PST and MSG is a method previously described as "MAPI". The new method for PST was introduced long ago already and is the recommended standard setting. The new methods for all other file types are really new in v16.5. The old extraction methods will probably not be offered any more in future versions of X-Ways Forensics.

* One more option for the Internal ID filter.

* The simultaneous search could not be started from the context menu in some earlier beta versions. That was fixed.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 27, 2012 - 20:23:   

v16.5 was just released.

Changes since the last beta version:

* Ability to generate previews of Skype's main.db database with contacts and file transfers.

* Extraction of e-mail messages and miscellaneous Outlook data from PST archives slightly updated and completed.

* Path filter extended. Multiple substrings (one per line) are now permitted, and there is a NOT option.

* Fix for NTFS support for media with a sector size of 4096 bytes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 28, 2012 - 22:06:   

User manual updated for v16.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 29, 2012 - 8:13:   

SR-1:

* Certain types of VMDK snapshots failed to be recognized as such. This has been fixed.

* The new extraction method for e-mail attachments had flaws. Those were fixed.

* The attempt to view files externally or explore archives during ongoing other operations closed the progress indicator window for those other operations. That was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 29, 2012 - 18:09:   

SR-2:

* The preview of $UsnJrnl:$J is now a true tab-delimited text file, according to user wishes. That means columns are not aligned any more when displayed internally by the viewer component.

* Avoided possible exception error that could occur when identifying SQLite databases.

* Fixed inability to sort in the case root window in certain situations.

* The Replace Hex Values command sometimes failed to find a sequence of hex values. That was fixed.
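The $UsnJrnl:$J preview mentioned in Beta 3 and SR-2 is a tab-delimited rendering of USN_RECORD_V2 structures. The following added example (not X-Ways code) parses such records into TSV and stays usable on the sparse or corrupt journals the thread keeps coming back to: zeroed regions are stepped over and records with impossible lengths, versions or name offsets are skipped with resynchronisation on the next 8-byte boundary. The sample journal, including its deliberately corrupt header, is constructed:

```python
"""Parse $UsnJrnl:$J (USN_RECORD_V2) into tab-delimited text (added example; not X-Ways code).

Zero-filled regions (the sparse head of $J) are stepped over; records whose
length, version or name offset is impossible are counted and skipped with
resync on the next 8-byte boundary. Sample records are constructed.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# RecordLength, Major, Minor, FileRef, ParentRef, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset  (60 bytes)
USN_HDR = struct.Struct("<IHHQQQQIIIIHH")
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class UsnRecord:
    usn: int
    timestamp: str
    mft: int
    seq: int
    parent_mft: int
    reasons: str
    attributes: int
    name: str


def filetime_str(ft: int) -> str:
    """FILETIME (100 ns ticks since 1601) -> 'YYYY-MM-DD HH:MM:SS' UTC."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def reason_names(reason: int) -> str:
    """Decode the Reason bitmask; unknown bits are kept as hex so nothing is lost."""
    names = [n for bit, n in REASONS.items() if reason & bit]
    rest = reason & ~sum(REASONS)
    if rest:
        names.append("0x%08X" % rest)
    return "|".join(names) or "-"


def parse_usn_journal(data: bytes) -> Tuple[List[UsnRecord], int]:
    """Return (records, skipped_count). Only version 2.x records are decoded."""
    records, skipped, off, n = [], 0, 0, len(data)
    while off + USN_HDR.size <= n:
        if data[off:off + 8] == b"\x00" * 8:
            off += 8  # sparse/zeroed area, e.g. the unallocated head of $J
            continue
        (length, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, attrs, nlen, noff) = USN_HDR.unpack_from(data, off)
        if (major != 2 or length < USN_HDR.size or length % 8 or off + length > n
                or noff < USN_HDR.size or noff + nlen > length):
            skipped += 1
            off += 8  # corrupt header: resync on the next 8-byte boundary
            continue
        name = data[off + noff:off + noff + nlen].decode("utf-16-le", errors="replace")
        records.append(UsnRecord(usn, filetime_str(ts), fref & ((1 << 48) - 1), fref >> 48,
                                 pref & ((1 << 48) - 1), reason_names(reason), attrs, name))
        off += length
    return records, skipped


def to_tsv(records: List[UsnRecord]) -> str:
    """Tab-delimited text, one header line plus one line per record."""
    lines = ["USN\tTimestamp (UTC)\tMFT#\tSeq\tParent MFT#\tReason\tAttributes\tName"]
    for r in records:
        lines.append("\t".join(map(str, (r.usn, r.timestamp, r.mft, r.seq, r.parent_mft,
                                         r.reasons, "0x%08X" % r.attributes, r.name))))
    return "\n".join(lines)


def make_record(usn, ft, mft, seq, parent, reason, name, attrs=0x20) -> bytes:
    """Constructed USN_RECORD_V2 with the name at offset 60 and 8-byte padding."""
    enc = name.encode("utf-16-le")
    length = (USN_HDR.size + len(enc) + 7) & ~7
    body = USN_HDR.pack(length, 2, 0, (seq << 48) | mft, parent, usn, ft,
                        reason, 0, 0, attrs, len(enc), USN_HDR.size)
    return (body + enc).ljust(length, b"\x00")


def build_sample_journal() -> bytes:
    """Constructed $J: zeroed head, three records, one corrupt header in between."""
    ft = 129826237800000000  # 2012-05-27 20:23:00 UTC
    j = bytearray(256)       # sparse lead-in
    j += make_record(1000, ft, 1234, 5, 5, 0x100, "evil.exe")
    j += make_record(1080, ft + 10_000_000, 1234, 5, 5, 0x100 | 0x2 | 0x80000000, "evil.exe")
    j += struct.pack("<IHH", 0xFFFFFFF0, 2, 0) + b"\x00" * 8   # corrupt: impossible length
    j += make_record(1176, ft + 20_000_000, 1234, 5, 5, 0x1000 | 0x80000000, "evil.exe")
    j += bytes(64)
    return bytes(j)


if __name__ == "__main__":
    recs, bad = parse_usn_journal(build_sample_journal())
    print(to_tsv(recs))
    print("skipped %d corrupt record(s)" % bad)
```

Because the output is genuinely tab-delimited, the columns will not line up in a fixed-width viewer, exactly as the SR-2 note says; paste it into a spreadsheet or sort it with a TSV-aware tool instead.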

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 31, 2012 - 12:36:   

SR-3:

* Ability to carve in evidence file containers of the new format at the byte level. Useful as a work-around to find unaligned small files in selected other larger files (which have to be copied to the container first, though), without having to run the file header signature search at the byte level on an entire image or disk, which would output too many garbage files and require too much time.

* Hitting the Esc key now closes all filter dialog windows without activating or deactivating the filter. Before, the same behavior could already be achieved by clicking the "x" button in the upper right corner of a dialog window.

* Important for those users who have customized the "File Type Categories.txt" file: file types had to be written in lower-case characters, just like in the original file as provided by us, or else the file type filter and the category filter no longer worked correctly. This requirement has been removed.

* Adding the block as a virtual file to the volume snapshot did not work in search hit lists. This was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 1, 2012 - 20:33:   

A new version of the Python plug-in can now be downloaded from the X-Tensions API web page.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 4, 2012 - 22:25:   

SR-4:

* Message "Please stop ongoing operation first" avoided in situations during logical searches where it should not occur.

* Extracting files from small other files using File Recovery by Type failed with a read error. That was fixed.

* Fixed an exception error that could occur under certain circumstances when using the Search | Continue Search command.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 8, 2012 - 13:56:   

SR-5:

* Improved stability when parsing corrupted $UsnJrnl:$J.

* Virtual directory "Modules" in Windows memory dumps preserved when running a thorough file system data structure search.

* Some fields in sent e-mails in Outlook PST/PST e-mail archives were not parsed correctly in v16.5. That was fixed.

* Several minor improvements/fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 12, 2012 - 20:08:   

SR-6:

* Faster, less memory intensive, and slightly more error-tolerant processing of Exchange EDB databases.

* Improved ability to list processes and DLL names in a 64-bit Windows via Tools | Open RAM.

* Filter for viewed items fixed.

* Fixed an error that could occur when searching for embedded pictures in files with a very long path.

* Error in Chinese user interface in v16.5 fixed.

* Avoided the message "Invalid, corrupt or simply unexpected directory entry found at offset ..." and the omission of invalid directory entries in FAT that can sometimes be found for files or directories with East Asian names.

* Some minor fixes and improvements.

This service release is first available for X-Ways Forensics, from tomorrow also for X-Ways Investigator and WinHex (specialist license and lower).

Wojciech Jasiniecki
Username: wojcio

Registered: N/A
Posted on Thursday, Jun 14, 2012 - 15:18:   

File Type Signatures Search.txt - ERROR !!!

Open file in notepad, find SQLite 2.x.... and press Tab on "t" :-)
that's all

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 14, 2012 - 18:36:   

(Sorry, you are right. Was fixed yesterday.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 19, 2012 - 17:19:   

A new version of the Python plug-in is now available for download from the X-Tensions API web page.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 22, 2012 - 19:16:   

SR-7:

* Slight further improvements of Exchange EDB processing.

* More stable when extracting metadata from corrupt iPhone Backup files.

* More stable when processing .evtx event log files.

* More stable when detecting the size of SQLite databases when carving.

* More stable when extracting metadata from flash video files.

* More stable when extracting attachments from DBX e-mail archives (new method).

* Avoided endless loop when processing .msg files.

* Now based on libpng 1.5.11. Includes vulnerability fix of libpng 1.5.10.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 22, 2012 - 22:27:   

X-Ways Investigator now also available as SR-7.
X-Ways Forensics add-on just updated.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 27, 2012 - 10:16:   

SR-7 x86 needs the Microsoft Visual C++ 2010 Redistributable Package as linked in the download instructions meanwhile. This dependency was unintentional and will be removed with SR-8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 27, 2012 - 14:49:   

SR-8:

* Accepts invalid FAT short filename directory entries as seen on Android smartphones. Previous versions reported such entries as invalid.

* Ability to display certain JPEG variants in the gallery that previously were not displayed.

* Avoided DLL dependencies that existed in v16.5 SR-7 x86.

* Fixed inability to display a list of physical search hits.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 27, 2012 - 15:43:   

* Understands Linux extended partitions.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 4, 2012 - 23:07:   

SR-9:

* Fixed one more error that could occur when extracting metadata from iPhone backup files.

* Prevented a crash that occurred when extracting metadata from corrupt .evtx event logs.

* Fixed extraction error with certain kinds of damaged thumbs.db files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 23, 2012 - 15:25:   

SR-10:

* More stable when processing $UsnJrnl:$J.

* Prevents endless loop when exporting stills from certain corrupt video files.

* Prevents exception errors that could occur when processing corrupt .evtx event logs and further stability improvements in conjunction with .evtx event logs. (not included in v16.6 Beta 2)

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 29, 2012 - 19:34:   

SR-11:

* Fixed index search error that appeared in v16.5.

* Prevented exception errors that occurred in v16.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 22, 2012 - 11:54:   

SR-12:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.5. This is perhaps the last service release for v16.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 2, 2013 - 11:38:   

SR-13:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.5. This is probably the last service release for v16.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 22, 2013 - 13:15:   

SR-14:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and recommended to users whose update maintenance covered no more than v16.5. This is the last service release for v16.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 19, 2013 - 20:04:   

SR-15:

Final service release for v16.5.

Forum operated by X-Ways Software Technology AG.