X-Ways Forensics 16.6

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jun 23, 2012 - 12:28:   

A preview version of X-Ways Forensics 16.6 is now available (32-bit edition). The download link can be retrieved as always by querying one's license status.

What's new?

* Support for the XFS file system. Requires a forensic license.

* Ability to add a single file in a directory to the case using the File | Add File command in the Case Data window or via drag & drop to the Case Data window. If you wish to add more than 1 file from the same directory, continue to add the whole directory, just hide or remove those files that are irrelevant. This new kind of evidence object is backward compatible with v16.4 and v16.5. That means if you add a single file to the case, you can also work with it in those older versions as well!

* .e01 evidence files with larger chunk sizes supported.

* Ability to use the registry viewer during ongoing other operations such as simultaneous searches and volume snapshot refinement.

* The progress indicator window now displays filenames in the same color in which they are displayed in the directory browser, as described in the legend.

* When indexing multiple evidence objects in a single step, those that are opened automatically by X-Ways Forensics for indexing will now be automatically closed again when indexing has completed for them (and the same again for optimization), so that the screen is not cluttered with data windows and not all volume snapshots need to be loaded at the same time, which can consume a lot of memory if they contain many millions of files.

* Many other minor improvements.

* Same fix level as v16.5 SR-7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jun 23, 2012 - 12:30:   

By way of exception, the 64-bit edition of v16.5 SR-7 may be added on top of the 32-bit v16.6 Preview. (Usually only exactly identical versions may be mixed in the same directory.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 28, 2012 - 6:25:   

Preview 2:

* The contents of JAR archives are now included in volume snapshots only optionally. These archives usually contain many, many irrelevant files and are often deeply nested.

* Further improved stability when parsing corrupted $UsnJrnl:$J.

* Same fix level as v16.5 SR-8.

By way of exception, the 64-bit edition of v16.5 SR-8 may be added on top of the 32-bit v16.6 Preview 2. (Usually only exactly identical versions may be mixed in the same directory.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 29, 2012 - 14:57:   

Preview 3:

* Exchange EDB extraction further improved.

* For the Export List command all control codes <0x20 are now filtered out from the Metadata column, except for line breaks and tabs that are still replaced with semicolons.

* Unlimited path substring lengths in the Path filter.

* Deals more gracefully with temporary dongle connection problems. Automatically resumes normal operation once the connection is re-established without user interaction. Useful for example if the dongle is attached to a dongle server when the network connection temporarily does not work.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 29, 2012 - 18:29:   

(Preview 3 is the last preview that may be mixed with the 64-bit edition of v16.5 SR-8 in the same directory.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 5, 2012 - 21:26:   

Preview 4:

* XFS file system support further completed. Now traces of deleted files can be found. (In future releases only when running the particularly thorough file system data structure search.)

* Avoids duplicate search hits when searching unnecessarily in multiple code pages that are essentially equivalent for all or some of the search terms used. For example, many users seem to select both Latin-1 and UTF-8 even when searching for English language words only.

* Certain HTML e-mails extracted from PST/EDB are now more clearly marked as HTML format which in some cases helps to view them properly.

* Reliability of Exchange EDB processing further improved.

* Options | Volume Snapshot | [x] "NTFS: Search FILE records everywhere" is now one of the infamous three-state checkboxes. If fully checked, FILE records are searched as part of the particularly thorough file system data structure search everywhere in an NTFS partition, if half checked (default setting) only in volume shadow copy host files.

* Some minor improvements. Same fix level as v16.5 SR-9.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 10, 2012 - 23:42:   

Preview 5:

* If the particularly thorough file system data structure search in an NTFS volume is aborted, X-Ways Forensics now remembers which volume shadow copies (if any) have been processed already and will skip those when you run this operation again.

* When extracting received e-mails from e-mail archives with no Delivery-Date: line in the header, X-Ways Forensics now takes the modification date from the end of the first Received: line.

* The paths for cases, images, temporary files, and the hash database may now be relative to the directory from where X-Ways Forensics is executed, e.g. like .\Cases and .\Temp. Useful as a configuration that you take on site to preview live systems so that all files will be created on your own external drive, yet in separate directories.

* That the slack of files that are omitted from logical searches is still searched is now optional. If the box for "Open and search files incl. slack" is fully checked, this option still has priority over all the options that can cause files to be omitted from the search, but not any more if only half checked.

* XFS file system support slightly revised.

* Some minor improvements.
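The Delivery-Date fallback described in the Preview 5 notes above can be re-derived independently when validating extracted e-mail timestamps. This is an added example, not X-Ways code or part of the original post; it assumes the "first Received: line" is the topmost one in the header and that its date follows the last semicolon, and the sample message is constructed.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: no Delivery-Date header, two Received headers.
SAMPLE_NO_DELIVERY_DATE = (
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id ABC123\n"
    "\tfor <user@example.net>; Tue, 10 Jul 2012 23:42:05 +0200\n"
    "Received: from client.example.org by mx.example.org;"
    " Tue, 10 Jul 2012 23:41:58 +0200\n"
    "From: sender@example.org\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)


def delivery_timestamp(raw_message):
    """Return (datetime, source_header) for a raw RFC 5322 message.

    Uses Delivery-Date when present; otherwise the date at the end of
    the first (topmost) Received header. Returns (None, None) when
    neither header yields a candidate, and (None, source) when the
    candidate text does not parse as a date.
    """
    msg = message_from_string(raw_message)
    source = "Delivery-Date"
    value = msg.get(source)
    if value is None:
        received = msg.get_all("Received") or []
        if not received or ";" not in received[0]:
            return None, None
        source = "Received"
        # The timestamp is whatever follows the last ';' of the header.
        value = received[0].rsplit(";", 1)[1]
    # Collapse folded header whitespace (CRLF + tab/space continuations).
    value = " ".join(value.split())
    try:
        return parsedate_to_datetime(value), source
    except (TypeError, ValueError):
        # Malformed date text: report which header was tried.
        return None, source


if __name__ == "__main__":
    ts, src = delivery_timestamp(SAMPLE_NO_DELIVERY_DATE)
    print(src, ts.isoformat())
```
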

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 10, 2012 - 23:53:   

* A few fixes for Exchange EDB support.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 13, 2012 - 23:44:   

Beta 1:

* Revised representation of wtmp/utmp/btmp log-in records.

* Supports high-precision timestamps and creation timestamps in Ext4 file systems, where available.

* XFS support further revised.

* Now supports relative paths in Options | General starting with .. (the parent directory of the directory from where X-Ways Forensics is executed), not only . (the directory from where X-Ways Forensics is executed).

* Ability to extract all kinds of files from Safari cache.db browser cache files when refining the volume snapshot.

* Fixed a rare heap corruption error that was caused by a certain kind of GIF files.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 22, 2012 - 23:33:   

Beta 2:

* Ability to verify multiple selected images in a case in a single operation, i.e. compute their hash values and automatically compare them to already known hash values, if any. You can find the menu command in the context menu of the case (i.e. the context menu that appears when right-clicking the case title where it is printed in bold letters).

* External viewer programs can now be specified with a relative path, too (one that starts with .\ or ..\).

* The Tools | Analyze ... command did not work in the 64-bit edition before. That was fixed.

* Some minor improvements.

* Fixes of v16.5 SR-10.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 23, 2012 - 12:13:   

Error in 64-bit edition of Beta 2 fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 25, 2012 - 11:11:   

Beta 3:

* Ability to define search hits manually. Whenever you come across some relevant text, for example floating around in free space in Disk/Partition/Volume mode or within a certain file in File mode, you can select it as a block and right-click the block to add it as a so-called user search hit (i.e. some kind of search hit not found by the program). You can assign the search hit to an arbitrarily named search term/category. For example, if what you have found is related to suspect A, assign it as a search hit to a search term named after suspect A. If also related to suspect B, you can also assign it to another search term. You could also assign it to a real search term that you have used for an automatic search.

User search hits can be conveniently listed in and nicely exported from search hit lists just like ordinary (automatically generated) search hits. You can specify the correct code page for user search hits yourself when you define them, which may be essential to get the text displayed correctly. User search hits are stored related to an object in the volume snapshot if you define them in File mode. User search hits are forward compatible, i.e. older versions (v16.2 and later) can also see user search hits created by v16.6.

* Search hits may now have a theoretical maximum length of 65,535 bytes and are no longer truncated after 255 bytes.

* The maximum amount of context that can be included when exporting search hits was increased from 340 bytes to 1000 bytes, and can now be specified separately for context that precedes and context that follows the search hit, even 0 for one or the other. The latter is useful especially for technical searches (not keyword searches), where you have searched for example for a signature that indicates the start of a certain data record, where the data before the hit is irrelevant.

* Ability to execute X-Tensions in X-Ways Forensics directly from the main menu (Extra | Run X-Tensions). Useful for X-Tensions that don't interact with the volume snapshot or search hits of any particular volume, but for example create or otherwise manage evidence objects themselves. The nOpType parameter in the XT_Prepare function is XT_ACTION_RUN when executed that way. (http://www.x-ways.net/forensics/x-tensions/api.html)

* Ability to create a second copy of an image immediately when imaging a disk, which is much quicker than copying the image file later and makes sense if the 2nd copy is created on a different drive. Only the first copy will be automatically verified if desired. File spanning (i.e. when to start another image file segment) is kept in sync between both copies even when running out of space on one of the two target drives only.

* Deals more gracefully with the situation when the connection to the dongle is lost because the computer has been put in hibernation or on standby.

* Ability to center full window picture views (not using the viewer component) on a 2nd monitor if you are operating Windows with a desktop that spans two monitors.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 25, 2012 - 22:57:   

Beta 4:

* Imaging write error of Beta 3 fixed.

Greg Freemyer
Username: freemyer

Registered: N/A
Posted on Wednesday, Jul 25, 2012 - 23:52:   

Stefan,

Thank you, thank you for the search improvements.

I haven't tried them out yet, but they sound like great improvements to our workflow in certain circumstances.

I can't decide if I like the user hits or the extra context more, but both are great.

Greg

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 26, 2012 - 23:12:   

Beta 5:

* Fixed index search error that appeared in v16.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 29, 2012 - 13:35:   

Beta 6:

* Two new columns in the directory browser are now available with a forensic license: "Parent name" and "Child objects". Both columns come with filters. The filter for child objects allows you for example to quickly find all e-mails that have an attachment with a certain name. The filter for parent name for example allows you to quickly find all attachments that were attached to e-mails with a subject that contains certain words. Note that filters for the columns Name, Parent name, and Child objects share the same settings and are mutually exclusive (cannot be active at the same time, one will deactivate the other).

* Revised support for word boundary anchors (\b) and whole word searches in the Simultaneous Search. (forensic license only) You can now define which characters should be considered parts of words. This is useful to avoid false hits for short words in binary garbage data or Base64 code and generally for users that consider numbers to be parts of words (such as in "GIF89"). Example: An undesirable hit for "band" in "7HZsIF9BaND4TpkSbSBS" can be prevented if you search for it as a whole word and if you additionally redefine the alphabet of word characters to include digits 0-9, so that the positions between "9" and "B" as well as between "D" and "4" are not considered word boundaries.
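The effect of redefining the word alphabet, using the "band" example from the Beta 6 notes above. This is an added illustration, not X-Ways code or part of the original post; the letters-only default alphabet and the function name are assumptions, and the prose sample is constructed.

```python
import re
import string

# Assumption: a default alphabet of ASCII letters only. The post does not
# state the actual default word characters of X-Ways Forensics.
LETTERS = string.ascii_letters
LETTERS_AND_DIGITS = string.ascii_letters + string.digits

BASE64_NOISE = "7HZsIF9BaND4TpkSbSBS"   # string quoted in the post
PROSE = "The band played on."           # constructed sample


def whole_word_hits(data, term, word_chars=LETTERS):
    """Return offsets where `term` occurs as a whole word in `data`.

    A hit counts only if the character directly before it and the one
    directly after it are not in `word_chars` (start and end of the data
    always count as boundaries). Matching is case-insensitive, as in the
    "band" / "BaND" example.
    """
    word_class = "[" + re.escape(word_chars) + "]"
    pattern = re.compile(
        "(?<!" + word_class + ")" + re.escape(term) + "(?!" + word_class + ")",
        re.IGNORECASE,
    )
    return [m.start() for m in pattern.finditer(data)]


def compare_alphabets(data, term):
    """Show how the hit list changes when digits become word characters."""
    return {
        "letters": whole_word_hits(data, term, LETTERS),
        "letters+digits": whole_word_hits(data, term, LETTERS_AND_DIGITS),
    }


if __name__ == "__main__":
    # "9" and "4" are boundaries only while digits are not word characters.
    print(compare_alphabets(BASE64_NOISE, "band"))
    # A genuine whole word is found under either alphabet.
    print(compare_alphabets(PROSE, "band"))
    # The "GIF89" case: "GIF" stops being a whole word once digits count.
    print(compare_alphabets("GIF89a", "GIF"))
```
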

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 1, 2012 - 17:07:   

v16.6 was just released.

Changes since the last beta version:

* New option in Options | Viewer Programs that allows you to automatically close the preview picture viewer window when a new picture is viewed (only when the internal graphics viewing library is used for pictures, not the viewer component).

* Refresh error fixed in templates with the "multiple" option.

* Notices in the Messages window when files are not included in a container of the new format again because of duplication.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 2, 2012 - 7:21:   

(The 32-bit edition in the X-Ways Investigator download was corrupt. This was just fixed.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 3, 2012 - 11:42:   

SR-1:

* No longer prevents duplication in evidence file containers of the new format for the same object in the same file system if the origin is a different evidence object or if a new volume snapshot has been taken (e.g. because of changes in the evidence object). The messages about avoided duplications are no longer output.

* Improved attachment name decoding for extraction from DBX and MBOX.

* Fixed Export List command for user search hits.

* Fixed an exception error that could occur when running a file header signature search.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 6, 2012 - 12:13:   

v16.6 SR-1 is now available for download as X-Ways Imager, too.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 9, 2012 - 22:23:   

SR-2:

* Fixed an exception error that could occur when processing certain MSG files with the new extraction method.

* Fixed an exception error that could occur when viewing certain DBX e-mail archives.

* For e-mail messages extracted from PST/OST/EDB, ability to slightly adjust the e-mail header in such a way that the HTML message body is shown directly in other programs such as Outlook Express and Windows Live Mail 2011, not like an attachment.

* Fixed inability of the x64 edition to process .evtx event log files.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 14, 2012 - 8:57:   

SR-3:

* E-mail extraction better protected from certain kinds of malformed e-mail headers.

* Hash set import better protected from malformed hash set text files.

* In the registry report for user accounts defined in a SAM hive, the timestamps for last log-off, last PW change, and last failed log-in were not converted to local time. That was fixed.

* "..." button with more options in Recover/Copy dialog window now always available when these options might make a difference.

* The user ID (last segment) in the SID of files originating from NTFS file systems is now displayed for evidence file containers of the new format.

* Other minor improvements and fixes.

* User manual and program help updated for v16.6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 17, 2012 - 9:30:   

A new version of the Python plug-in is now available from http://www.x-ways.net/forensics/x-tensions/api.html.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 22, 2012 - 11:14:   

SR-4:

* Ability to render a message box modeless in an emergency situation by double-clicking its caption. For example if an error message appears repeatedly in a loop when you click OK, this will give you a chance to save your work (e.g. save the case via the menu) before you have to terminate the program. Otherwise when an ordinary (i.e. modal) message box is on the screen, the main window, the Case Data window and their menus are inaccessible.

* Fixed file carving errors that could occur in Ext4 volumes.

* List of devices in registry report no longer limited to 100 items.

* Fixed an Undo command error that could occur when hex editing a file since v16.4.

* Fixed an exception error that could occur when extracting metadata from OLE2 compound files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 28, 2012 - 13:11:   

SR-5:

* Detection of multi-page JPEG pictures as created by Sony and Panasonic devices. A report table association will be created just as for multi-page TIFF pictures. Additional pages can be found by the search for JPEG pictures in JPEG files.

* Fixed inability of v16.6 to display search hits in the Outlook code page correctly.

* Fixed an input focus problem of v16.5 and v16.6 in the directory browser that could occur after changing filter settings.

* Fixed an error that could occur when adding more items after loading an already very large volume snapshot (> 6 million).

* Incorrect warning of inefficient .e01 table layout in certain situations avoided.

* Fixed truncated error messages in EDB processing (64-bit edition only).

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 10, 2012 - 22:23:   

SR-6:

* More diligent reconstruction of files in volume shadow copies.

* Fixed an exception error that could occur in v16.5 and later when parsing FAT file systems.

* The new e-mail extraction methods for EML and MBOX in some cases produced invalid and random attachment filenames. That was fixed.

* Exception error fixed that could occur when using the filter of the Child Objects column.

* Some minor fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 12, 2012 - 22:35:   

SR-7:

* Fixed an error that could cause incomplete 2nd copies of .e01 evidence files.

* Prevents some exception errors that could occur during volume snapshot refinements, in particular metadata extractions.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 23, 2012 - 21:39:   

SR-8:

* Avoids that a window with the title "Please wait" may become permanent when extracting data from large archives to generate context previews in search hit lists.

* Fixed a crash that could occur when trying to extract e-mails from certain carved corrupt MSG files with the new method.

* Correct extraction of e-mail header fields from original .eml files with UNIX line breaks.

* Free space representation error in XFS fixed.

* User search hits are now marked with a in both the search term list and the search hit list (Descr. column).

* Disk imaging compression slightly tweaked.

* Some minor improvements for XFS support and other functions.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 25, 2012 - 7:21:   

X-Ways Imager download updated with v16.6 SR-8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 12, 2012 - 12:14:   

SR-9:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 2, 2013 - 11:38:   

SR-10:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.6. This is perhaps the last service release for v16.6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 22, 2013 - 13:15:   

SR-11:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and recommended to users whose update maintenance covered no more than v16.6. This is the last service release for v16.6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 19, 2013 - 20:04:   

SR-12:

Final service release for v16.6.

Forum operated by X-Ways Software Technology AG.