X-Ways Forensics 16.7

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 17, 2012 - 11:22:   

A preview version of X-Ways Forensics 16.7 is now available (32-bit and 64-bit edition). The download link can be retrieved as always by querying one's license status.

What's new?

* Ability to execute dongle-based product variants (X-Ways Forensics, X-Ways Imager and the special version of WinHex that users of X-Ways Forensics get) under Windows 8. Dongle-free product variants were executable under Windows 8 already before.

* Ability to extract browser history and browser cache management information from Internet Explorer 10 databases (from Windows 8) as part of metadata extraction in conjunction with file type verification. Requires Windows Vista or later.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 23, 2012 - 22:02:   

Preview 2:

* Relative paths supported for MPlayer/Forensic Framer and the external video player program.

* Ability to use the Back and Forward extra mouse buttons if available to navigate backward and forward. (not tested yet)

* Supports an additional variant of geodata in JPEG exif data.

* Improved representation of extensible metadata (Adobe-XMP) in JPEG and PDF files.

* Gigatribe (P2P) signature definitions added.

* Fixed inability of v16.6 to display search hits in the Outlook code page correctly.

* Fixed an input focus problem of v16.5 and v16.6 in the directory browser that could occur after changing filter settings.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Aug 26, 2012 - 22:35:   

Preview 3:

* Fixed an error that could occur when adding more items after loading an already very large volume snapshot (> 6 million).

* Program help now in .chm HTML help format.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 2, 2012 - 22:09:   

Beta 1:

File System Support

* Faster and more diligent reconstruction of files in volume shadow copies (up to 1 GB).

* Support for Ext4 volumes larger than 2 TB.

* When switching from Volume/Partition to File mode and File mode represents the file that is known to occupy the cluster last seen in Volume/Partition mode, the relative offset in the file that corresponds to the last cursor position in Volume/Partition mode is calculated, and the cursor is automatically moved there. Useful for example if you wish to see how the data continues in the file if the file is fragmented, or (in WinHex) to edit the data in the next fragment. Does not work if the file is compressed.
Remember you can press the Sync button to automatically highlight the file that is known to occupy the cluster on the screen in Volume/Partition mode. Which file is known to occupy the currently displayed cluster can be seen in the Info Pane.

* WinHex only: Ability to securely wipe files in NTFS file systems that are compressed or use sparse storage, using the directory browser context menu command.

* Support for Mode 2 Form 1 ISO images with 2,352 bytes per sector. Previously only Mode 1 was supported.

File Format Support

* File size detection for ELF executable and shared object files as part of file header signature search.

Hashing

* Filter for the hash column. Allows to filter for files that have a hash value, do not have a hash value, whose hash values start with certain hex values (if you specify only the beginning of a hash value) or have a certain value (if you specify a complete hash value). This filter can compare the hash values of files to up to 4 hash values that the user supplies as hex ASCII. Quicker alternative to creating a small hash set in the hash database if you just wish to quickly find a few files, e.g. duplicates of files with a known hash value that you can just copy from the hash column in the directory browser. Available with a specialist and forensic license.

* The easiest way to use this filter when looking for duplicates, which does not require copy & paste of hash values, is to right-click a hash value of a given file in the directory browser in hex ASCII notation (not Base32) and invoke the new "Filter by" command in the context menu.

* Ability to import SHA-1 hash sets in Base32 notation for hash set matching in P2P investigations. Such a hash set text file must have "SHA-1" in the first line, followed by the hash values in Base32 notation, one per line.

* Option to display SHA-1 hash values in Base32 notation in the directory browser.

Usability

* Option to save the program settings in the .cfg file either when the program terminates (cleanly), i.e. like before, or every time when you click OK in any dialog window (could be useful if the program does not terminate cleanly, to avoid that you lose your later settings). Can be found in Options | General. If totally unchecked, the program settings will not be saved at all, except if you hold the Shift key when exiting the program, which is necessary once if you would like to save in the .cfg file the setting that from then on the settings should not be saved again.

* Whenever the program detects that you are using the .cfg file of a later version in an earlier version, which is not permitted, v16.7 will change the aforementioned option such that the program settings will not be saved, as to not corrupt the .cfg file.

* New investigator.ini option that allows to prevent users from changing the option to save the program settings as desired by some agencies for their users of X-Ways Investigator so that they always start the program with the same canonical settings as predefined by their more experienced colleagues.

* The optional preface for a case report now supports HTML code.

* Several minor improvements.
Eric Peterson
Username: ericpeterson87

Registered: N/A
Posted on Tuesday, Sep 4, 2012 - 1:15:   

Love the beta 1 changes! A few questions:

Are the base32 hashes stored as base32 in the hash set or converted to base16?

Depending on the answer to the question above, in point 2 under Hashing you mention right clicking and using the new "Filter by" command as not being base32, so I have to assume this is hex encoded then. This leads back to my first question. If I import a list of SHA1 base32 encoded values, wouldn't I be filtering on those hashes?

My preference would be to store and denote the hashes as base32 and display them that way as well (which you have covered with the last option under hashing) so as to be consistent with the hash set we are starting with.

Thank you for the changes!
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 4, 2012 - 7:57:   

> are the base32 hashes stored as base32 in the hash set or
> converted to base16?

In the internal hash database all hashes are always stored in some sophisticated highly optimized binary form that allows for very efficient matching, regardless of the format of the hash set files (the notation of the hash values in those text files) that were originally imported. It would be inefficient to store hash values in hex ASCII or Base32 internally.

> so I have to assume this is hex encoded then

No, just the hash filter dialog does not understand Base32 notation.

> if I import a list of SHA1 base32 encoded values, wouldn't
> I be filtering on those hashes?

You would, of course. Base32 for hash values is just a notation or display option, nothing fundamentally different.
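The point made in the exchange above, that Base32 and hex ASCII are two notations for the same 160-bit SHA-1 value, shown as an added example that is not part of the original posts and not X-Ways code. It parses the hash set text layout described under Hashing ("SHA-1" in the first line, then one Base32 value per line); the function names, file names and file contents are constructed for illustration.

```python
import base64
import hashlib


def decode_sha1(value: str) -> bytes:
    """Return the raw 20-byte digest for a SHA-1 value in hex ASCII or Base32."""
    value = value.strip()
    if len(value) == 40:        # hex ASCII: 2 characters per byte
        raw = bytes.fromhex(value)
    elif len(value) == 32:      # Base32: 160 bits at 5 bits per character, no padding
        raw = base64.b32decode(value, casefold=True)
    else:
        raise ValueError(f"not a SHA-1 value in hex ASCII or Base32: {value!r}")
    if len(raw) != 20:
        raise ValueError(f"not a 160-bit value: {value!r}")
    return raw


def parse_base32_hash_set(text: str) -> set:
    """Parse the text layout from the post: "SHA-1" on line 1, then Base32 values."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "SHA-1":
        raise ValueError('first line must be "SHA-1"')
    digests = set()
    for value in lines[1:]:
        if len(value) != 32:
            raise ValueError(f"expected a 32-character Base32 SHA-1: {value!r}")
        digests.add(decode_sha1(value))
    return digests


def as_hex(digest: bytes) -> str:
    return digest.hex()


def as_base32(digest: bytes) -> str:
    return base64.b32encode(digest).decode("ascii")


def match_files(files: dict, digests: set) -> list:
    """Names of files whose SHA-1 digest is in the set, whatever notation it came from."""
    return sorted(n for n, data in files.items()
                  if hashlib.sha1(data).digest() in digests)


# Constructed sample data: three in-memory "files" and a hash set listing two of them.
SAMPLE_FILES = {
    "empty.bin": b"",
    "shared.avi": b"constructed sample content A",
    "notes.txt": b"constructed sample content B",
}
SAMPLE_HASH_SET = "SHA-1\n" + "".join(
    as_base32(hashlib.sha1(SAMPLE_FILES[name]).digest()) + "\n"
    for name in ("empty.bin", "shared.avi")
)

if __name__ == "__main__":
    known = parse_base32_hash_set(SAMPLE_HASH_SET)
    print(match_files(SAMPLE_FILES, known))
    digest = hashlib.sha1(b"").digest()
    print(as_hex(digest), as_base32(digest))
```

Because matching happens on the decoded 20 bytes, a value copied in either notation selects the same files.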
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 6, 2012 - 9:19:   

Beta 2:

* Support for Ext2, Ext3, ReiserFS and Reiser4 volumes larger than 2 TB.

* Option to get all search hits in a file highlighted in File mode at the same time, either only when a search hit list is displayed (if half checked) or permanently once search hits have been loaded for an evidence object (if fully checked), i.e. even when working with the normal directory browser. Search hits are loaded after an evidence object has been opened as soon as search hits are listed. This new feature also applies to user search hits.

* Ability to delete highlighted search hits when right-clicking them in File mode.

* Much more efficient storage of files that are manually carved within other files (i.e. in File mode, using the Add Block as Virtual File command). Older versions of X-Ways Forensics see these excerpt files as complete copies of the original host files.

* Already carved areas in host files are now highlighted in File mode. Useful to remind the user whether he or she already has created excerpts from a file and where (e.g. from a large free space virtual file) when continuing to look at that host file.

* New X-Tensions API function XWF_CreateFile (named XWF_CreateFileEx in Beta 2) that allows to attach an external file to the volume snapshot and efficiently carve files within other files (i.e. create files that are marked as "excerpts" in the volume snapshot).

* Ability to omit files from volume snapshot refinement operations that are filtered out. That is a new powerful scope-defining option that can target files in advance that are not yet part of the volume snapshot when the refinement starts. For example when additional files are added to the snapshot by the file header signature search, depending on the file type these files can be further processed (e.g. hashed) or not, if the Type filter is active during the later stages of the volume snapshot refinement.

* The hash filter dialog and the "Filter by..." context menu command now both understand Base32 SHA-1 hash values, too.

* Print command in the directory browser context menu: Ability to print just the cover page by choosing to print only the pages 0 through 0 of the document or picture itself.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 9, 2012 - 22:44:   

Beta 3:

* Ability to run a new simultaneous search while reviewing existing search hits. Additional search hits will be listed when you refresh the search hit list, by clicking the Enter button in the search term list as usual.

* When clicking the search hit list button to review preliminary search hits during an ongoing search, that search will not be paused, but continue.

* Ability to create user search hits when in search hit list mode.

* New filter in the search hit description column that allows to focus on notable hits, user search hits, hits in a certain code page, hits in the text extraction of documents, and hits in slack space or uninitialized tail areas of files. This is a very powerful filter and the first search hit specific filter in the search hit list!

* User search hits are now marked with an asterisk (*) in the search hit description column.

* Provides human-readable previews of binary PLists from Mac computers.

* The refine volume snapshot operations last applied by the user to a fresh volume snapshot are now preselected when refining another fresh (i.e. totally unrefined) volume snapshot next time, for reasons of convenience.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 13, 2012 - 21:42:   

Beta 4:

* Binary PLists (.bplist) have been added to the list of file masks in which to search embedded JPEG and PNG pictures (Specialist | Refine Volume Snapshot). It is recommended to verify file types at the same time so X-Ways Forensics can distinguish between traditional (XML-formatted) PLists and binary PLists (BPLists). Many PLists do not have a .plist extension and need to be identified as PLists first.

* Data blocks embedded as Base64 in XML-formatted PLists (.plist) can also be extracted as separate child objects by the same operation. Since the type of the embedded data is not identified by the PList as such, the output also benefits from a simultaneous file type verification. Nested PLists (PLists embedded in PLists) will also be identified and processed recursively.

* File header signature search: The flag for greedy sector allocation is now "G" instead of "g". "g" (lower case) is now a weaker version of the same flag. Only if an internal file size detection algorithm exists for a file type and if a file with the same start sector number exists already with the same file size as detected, the "g" flag will cause X-Ways Forensics to skip the affected sectors. This can help to prevent overlapping zip files and thereby avoid potentially many contained duplicate files.

* Some minor improvements.

* Same fix level as v16.6 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 20, 2012 - 20:59:   

Beta 5:

* Most of the fixes of v16.6 SR-8, which will be available from Sep 24.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 20, 2012 - 21:03:   

* The Export List command did work correctly in v16.7 Beta 4 if the output format was TSV. That was also fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 24, 2012 - 8:58:   

Beta 6:

* Ability to quickly merge hash sets in the internal hash database. Note that duplicate hash values in the resulting hash set are not removed immediately, but next time when you import a hash set, and that you are not warned if you are merging hash sets of different categories.

* More efficient internal storage of some identified embedded pictures.

* Extraction of metadata from original .eml files is now a separate option of the metadata extraction operation.

* Ability to associate a manually carved file ("Add Block as Virtual File" command) to report tables immediately upon its creation.

* Ability to activate or deactivate column-based filters individually, with a single mouse click on the column header's filter symbol when holding the Shift key. The options of the respective filter remain unchanged.

* New case report option that makes the Internet browser start a new page after x rows with files when printing the HTML report.

* More reliable to find lost Ext* partitions and more reliable to identify Ext* file systems, in cases where an Ext* partition was previously formatted with a Microsoft file system.

* In the context menu of data windows, in the English and German user interface, bookmarks have been renamed positions. This is more consistent with the term "Position Manager" and enforces the notion that entries in the Position Manager are no longer the preferred way to bookmark locations in the forensic user interface, when working with cases, where you ideally create so-called user search hits for these purposes, which are much more powerful (they can be listed, selected, viewed and exported with their context just like ordinary search hits).

* The file messages.txt is now named msglog.txt and encoded in UTF-8 instead of UTF-16.

* Several other minor improvements.

* Same fix level as v16.6 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 25, 2012 - 21:54:   

Beta 7:

* Data blocks embedded as in binary PLists (.bplist) are now also extracted as separate child objects by the same operation as in XML PLists.

* Many minor improvements.
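The extraction described in the Beta 4 and Beta 7 posts (data blocks embedded in XML and binary PLists pulled out as child objects, typed by signature, with nested PLists processed recursively), sketched as an added example that is not part of the original posts and not X-Ways code. It uses Python's standard `plistlib`; the signature table, path notation, depth limit and sample PList are constructed for illustration.

```python
import plistlib

# Minimal signature table used to type embedded blocks, since a PList
# does not record what kind of data a block holds.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"bplist00", "bplist"),
    (b"<?xml", "plist-xml"),
]


def identify(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_data_blocks(plist_bytes: bytes, path: str = "", depth: int = 0,
                        max_depth: int = 8) -> list:
    """Return (path, type, size) for each embedded data block, recursing into
    nested PLists. max_depth bounds the recursion on hostile or corrupt input."""
    results = []
    try:
        root = plistlib.loads(plist_bytes)   # detects XML vs. binary itself
    except Exception:                        # corrupt evidence must not abort the run
        return results

    def walk(node, here):
        if isinstance(node, bytes):
            kind = identify(node)
            results.append((here, kind, len(node)))
            if kind in ("bplist", "plist-xml") and depth < max_depth:
                results.extend(
                    extract_data_blocks(node, here + "!", depth + 1, max_depth))
        elif isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{here}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{here}[{index}]")

    walk(root, path)
    return results


# Constructed sample: an XML PList holding a PNG stub and a nested binary
# PList, which in turn holds a JPEG stub.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16
INNER = plistlib.dumps({"thumb": JPEG_STUB}, fmt=plistlib.FMT_BINARY)
SAMPLE_PLIST = plistlib.dumps(
    {"icon": PNG_STUB, "state": INNER, "title": "constructed sample"},
    fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    for child in extract_data_blocks(SAMPLE_PLIST):
        print(child)
```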
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 30, 2012 - 22:32:   

v16.7 was just released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 2, 2012 - 13:45:   

v16.7 SR-1 of the WinHex version for owners of personal, professional and specialist licenses was released yesterday, which fixes a license file / exception error.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 3, 2012 - 15:32:   

SR-1:

* Fixed inability to recognize the partitioning style on partitioned media in some random situations, which caused errors when opening partitions that were detected before.

* Fixed a problem which could lead to duplicate listings of logon/logoff activity in extracted security eventlog files.

* Avoided false hits when searching for lost Ext* partitions.

* Minor fixes for Exchange EDB and SQLite database processing.

* A few minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 3, 2012 - 17:56:   

* Ability to extract browser history and browser cache management information from Internet Explorer 10 databases in Windows 2012 Server as part of metadata extraction. Requires Windows Vista or 7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 4, 2012 - 9:52:   

Users who cannot view the program help in Windows Vista and later because they got the .chm file with a Zone.Identifier alternate data stream for some reason, please remove that alternate data stream. To do this double-click the .chm file in the Windows Explorer, in the window that appears uncheck the box for "Always ask before opening the file", and then click Open. Future releases of WinHex and X-Ways Forensics will invalidate the alternate data stream automatically when the program help is invoked from within the program.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 5, 2012 - 22:52:   

SR-2:

* Fixed exception error in v16.7 that occurred when opening excerpts carved from the slack area of other files.

* Automatic removal of alternate data streams from .chm files when invoking the program help from within the application.

* Some other minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 16, 2012 - 9:02:   

SR-3:

* Fixed an erroneous item in index search hit lists in v16.7.

* Fixed a memory leak that occurred when carving binary PList files.

* Fixed inability to write sectors in some situations under Windows Vista/7.

* Fixed an error that could prevent opening files on remote network drives.

* Fixed an error that could prevent the output of devices as part of the registry report.

* Fixed an error that under certain circumstances could lead to a random hash value when creating encrypted .e01 evidence files.

* Fixed an error that could cause different versions and editions of X-Ways Forensics not to understand each other's partitioning information for evidence objects once a search for lost partitions has been run.

* Some minor improvements.
Alessandro Borra
Username: albo

Registered: N/A
Posted on Tuesday, Oct 16, 2012 - 10:28:   

What did happen to "X-Ways Forensics 16.7 SR-3 Add-Ons (= 64-bit edition and WinHex)"?

Can we use 16.7 SR-2 Add-Ons on 16.7 SR-3?

Thanks,
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 16, 2012 - 14:17:   

Now contained in the main download.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 17, 2012 - 11:00:   

* Incompatible entry "~74" in "File Header Signatures.txt" of SR-3 now removed. Please remove it in your download if you have SR-3 already.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 21, 2012 - 22:08:   

SR-4:

* The search hit description filter did not work when used together with other filters. That was fixed.

* Ability to use system and user environment variables in standard paths (for cases, images etc.), where the variable name has to be enclosed in percentage signs, e.g. %TEMP%.

* Memory leak in processing of corrupt PList files fixed.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 30, 2012 - 20:40:   

SR-5:

* Fixed an error that could occur when interpreting VHD Virtual PC images.

* Rare "The virtual System Area file will be incomplete" error fixed for Ext4 volumes.

* Misidentification of free space as idle space fixed on certain versions of Ext4.

* Fixed an exception error that could occur when clicking physical search hits.

* Fixed a memory leak that could occur during skin tone detection.

* Some minor fixes for Exchange EDB processing and other functions.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 9, 2012 - 13:49:   

SR-6:

* Fixed an error that occurred in the 64-bit edition when saving volume snapshots with more than 77 million objects.

* Prevented a rare exception error that could occur in Details mode for files extracted from other files in NTFS volumes under certain circumstances.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 12, 2012 - 21:34:   

SR-7:

* Prevented errors during EDB database processing from potentially crashing X-Ways Forensics.

* Fixed a memory leak that could occur when reading fragmented files in HFS+ volumes.

* Avoided an endless recursion that could occur when trying to parse XML-formatted PLists whose capitalization does not follow the established norms.

* Fixed an exception error that could occur in the 64-bit edition when extracting metadata from e-mail messages.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 21, 2012 - 22:23:   

SR-8:

* Fixed an exception error that could occur when extracting e-mails from Outlook Express DBX e-mail archives with the new extraction method.

* In previous versions, a new snapshot was taken of the physical disk when lost partitions were found at any later point of time, unfortunately without warning, causing a loss of search hits found on the physical disk (not search hits in the partitions) and anything else that was newly defined in the volume snapshot (e.g. files carved in unpartitioned space). That no longer happens.

* Files that are excerpts of other files in the volume snapshot were opened incorrectly in v16.7, with a wrong logical file size. This could prevent hashing such artificially defined files and may have caused repeated recursive detection of embedded JPEG files. Fixed now.

* Fixed an exception error that could occur under certain circumstances when running a byte level file header signature search.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 26, 2012 - 16:28:   

SR-9:

* PDF file carving results had deteriorated with v16.4. That was fixed.

* Avoided an unnecessary error message when creating report table associations in v16.7 SR-8.

* Fixed a possible crash that could occur when creating a technical details report of disks with an extreme number of partitions in v16.7 SR-8.

* Available as X-Ways Forensics, X-Ways Investigator and WinHex without a forensic license.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 2, 2013 - 11:39:   

SR-10:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 22, 2013 - 13:16:   

SR-11:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.7. This is perhaps the last service release for v16.7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 19, 2013 - 20:05:   

SR-12:

Final service release for v16.7.

Forum operated by X-Ways Software Technology AG.