X-Ways Forensics 16.8


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 5, 2012 - 23:23:   

A preview version of X-Ways Forensics 16.8 is now available (32-bit and 64-bit edition). The download link can be retrieved as always by querying one's license status.

What's new?

* Ability to extract e-mails and indexed files from Windows.edb files. Requires Windows Vista or 7.

* XML is now supported as a new output format for the Export List command. The way the Metadata column is processed, which may contain many more separate fields, will still be improved.

* File type identification and file size detection supported for Chrome session files, which are identified in the Type column as "snss". These files store information about opened tabs, their histories and visited web sites.

* Revised internal algorithm and automatic length detection for carving JPEG files. This new algorithm also improves intelligent naming of carved JPEG files in that certain JPEG files can be given an original name as found in Photoshop metadata. Also the quality of uncovering JPEG pictures that are embedded in other files is greatly improved.

* The generator signatures of JPEG files are now output in Details mode. These signatures reveal the creating software and are available even if other metadata is removed. For JPEG files with ordinary metadata they can be used for corroboration.

* Ability to view certain malformed JPEG pictures with a lagging header signature in Gallery and Preview mode.

* HTML previews and views of index.dat Internet Explorer browser cache/history files now contain an extra column with the offset of the record where the data of each row has been found. This offset is presented as a link. If you click it, you will automatically navigate to that offset in the corresponding index.dat file in File mode so that it is convenient to verify the information that X-Ways Forensics has extracted from the record at that location. (Note that this works correctly only if the link is not broken into 2 lines, which may happen in v8.4 of the viewer component, but not in v8.3.7. Anyway you can still navigate to that offset manually.)

* By default now uses the viewer component to view and preview .mdb MS Access database files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 18, 2012 - 17:26:   

Preview 2:

* Accelerated .e01 evidence file creation.

* Ability to compute two hash values simultaneously when creating disk images.

* Revised chunk CRC definition in encrypted .e01 evidence files.

* Containers of the new format no longer need to be optimized for a certain number of files and now have a fixed limit of around 1 billion objects that they can hold.

* Improved XML export of selected individual metadata fields in the Metadata column.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 21, 2012 - 22:55:   

Preview 3:

* When aborting the disk imaging process, X-Ways Forensics now at least finalizes the .e01 evidence file format to guarantee a valid file even though it is not a complete image. Useful for example in an emergency situation when imaging media on site, because a usable incomplete image is better than an unusable corrupt image. If hashing was enabled, incomplete images even have a hash value that can later be verified manually, to show that the available data in the image has not changed.

* Same fix level as v16.7 SR-4.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 31, 2012 - 19:03:   

Preview 4:

* Slightly improved compression ratio for the slow strong compression option (but still does not usually justify the additional time needed).

* Ability to adjust the compression option while .e01 evidence files are being created. Useful if your priorities (higher compression rate or higher speed) change, for example when you see that drive space suddenly seems scarce or you have to finish the process quicker than previously thought. Also useful to experiment, when not sure which compression option might be best for a particular system configuration (e.g. when on site and having to write the image to an external hard disk via USB, where I/O is slow and the overall process may be faster with compression than without).

* Support for Virtual PC snapshots/differencing VHD image files.

* Internal type detection of Apple iWork Pages and Numbers files, and special treatment of iWork documents during volume snapshot refinement and logical searches (recommended data reduction option).

* Ability to detect file format specific encryption of various MS Office 2007 and 2010 file types as part of volume snapshot refinement.

* Ability to view and preview MacOS X finder bookmarks (flnk).

* New clipboard output option of the Export List command.

* New file header signature definitions added.

* Fixed two rare exception errors in Registry Viewer.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 2, 2012 - 10:38:   

Preview 5:

* Ability to enter timestamps in the timestamp column filter dialog based on an arbitrary time zone. In previous versions the timestamps had to be specified in UTC.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 6, 2012 - 12:19:   

Preview 6:

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 7, 2012 - 20:30:   

Preview 7:

* Blank lines entered as simultaneous search keywords or substrings for the filters Name, Path, Parent name or Child objects are now silently ignored and filtered out for the next use of the same function.

* In the Report table column, if a file is associated with multiple report tables, their names are now listed exactly in the order as the report tables are defined. (In earlier versions the order was not deterministic.) You can change that order in any dialog window that deals with report tables, and for example sort report tables alphabetically or by importance or topic.

* When changing the order of report tables, an entire selected group of report tables can now be moved up or down at the same time, which for example makes it easy to move all internally created report tables to the bottom of the list below your own report tables in a single step.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 9, 2012 - 12:44:   

Preview 8:

* When 2 search terms are selected in the search term list and combined with a logical AND (using either of the two available methods), additionally you can now require that search hits must be "near" to each other to be listed, to find more likely relevant combinations of both search terms in the same file, exactly like with a proximity search. The maximum distance between the search hits that constitutes "near" can be defined by the user in bytes.

* The new disk imaging engine of v16.8 caused errors on systems with more than 8 reported processor cores. That was fixed.

* Same fix level as v16.7 SR-6.

* Some minor improvements.
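
The "near" condition on two AND-combined search terms described in the Preview 8 post above, as an added example that is not part of the original post and not X-Ways code. It assumes that distance is measured between the start offsets of the two hits and that matching is case-sensitive on raw bytes; the file names and contents are constructed samples.

```python
from bisect import bisect_left, bisect_right

# Constructed sample "files" (name -> raw content), not real evidence.
SAMPLE_FILES = {
    "memo.txt": b"wire transfer approved by Miller" + b"." * 500 + b"Miller",
    "notes.txt": b"transfer" + b" " * 2000 + b"Miller",
    "other.txt": b"nothing relevant",
}


def find_offsets(data, needle):
    """Return the sorted byte offsets of every occurrence of needle in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)  # step by 1 so overlapping hits count
    return offsets


def near_hits(data, term_a, term_b, max_distance):
    """Pairs (offset_a, offset_b) whose start offsets differ by at most
    max_distance bytes (assumed definition of "near")."""
    a_hits = find_offsets(data, term_a)
    b_hits = find_offsets(data, term_b)  # already sorted, usable with bisect
    pairs = []
    for a in a_hits:
        lo = bisect_left(b_hits, a - max_distance)
        hi = bisect_right(b_hits, a + max_distance)
        pairs.extend((a, b) for b in b_hits[lo:hi])
    return pairs


def and_search(files, term_a, term_b):
    """Plain logical AND: names of files that contain both terms anywhere."""
    return sorted(name for name, data in files.items()
                  if term_a in data and term_b in data)


def proximity_search(files, term_a, term_b, max_distance):
    """Logical AND plus the proximity requirement, evaluated per file."""
    results = []
    for name in sorted(files):
        for a, b in near_hits(files[name], term_a, term_b, max_distance):
            results.append((name, a, b))
    return results


if __name__ == "__main__":
    print("AND only:", and_search(SAMPLE_FILES, b"transfer", b"Miller"))
    for max_distance in (64, 2008):
        print("within", max_distance, "bytes:",
              proximity_search(SAMPLE_FILES, b"transfer", b"Miller",
                               max_distance))
```

With a 64-byte limit only the hit pair in memo.txt survives, while the plain AND also lists notes.txt, where the two terms are about 2 KB apart.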

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 11, 2012 - 20:35:   

Beta 1:

* Ability to collect Internet Explorer history and browser cache records that are floating around in free drive space or file slack in a virtual single file named "index.dat" as part of the file header signature search. The URL records are collected cluster-wise. An HTML preview of the resulting "artificial" raw index.dat file can be created automatically as part of metadata extraction just as for natural index.dat files. The offsets in that preview refer to the index.dat file. To locate the corresponding offset in the volume and see the actual basis for the interpretation in the HTML file, simply switch from the index.dat in File mode to Partition/Volume mode.

* Ability to populate the columns Sender, Recipient and Int. Creation for .olk14MsgSource e-mail messages when extracting metadata just as for original .eml files. (Attachments are extracted from .olk14MsgSource already since v16.3.)

* Ability to view search hits in UTF-16 Big Endian. UTF-16 Big Endian is common for example in the Apple Mac world, for filenames in the file systems Joliet and UDF, and in Java.

* The number of notable search hits is now displayed in parentheses in the search term window.

* Ability to open files in an external program that you select ad hoc, via the directory browser context menu, Viewer Programs submenu. The program that you select will be saved as standard custom viewer program if you have not used all slots for external viewer programs yet, and then also remembered for next time when you invoke the same menu command.

* Ability to unselect all file types in the Type filter with a single mouse click.

* Several other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 14, 2012 - 23:12:   

Beta 2:

* Ability to automatically decompress hiberfil.sys files as part of volume snapshot refinements and add them to the case as evidence objects because they can be treated like memory dumps. You can find this new feature in the newly named multi-purpose Swiss army knife refinement option "Uncover embedded data in miscellaneous file types".

* Same fix level as v16.7 SR-7.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 19, 2012 - 14:07:   

Beta 3:

* Optional alternative e-mail representation in Preview mode (see directory browser options) and in the case report. The latter allows you to nicely view e-mails in the report, without invoking external programs.

* To see the decoded text that the viewer component can extract from a document for the logical search/indexing or that it has extracted already, you may hold the Shift key while clicking the Raw button in Preview mode.

* Ability to view carved TCP and UDP packets in Preview mode instead of Details mode.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 21, 2012 - 6:56:   

Beta 4:

* Support for shared analysis work and distributed volume snapshot refinement in the same case. Use this feature
1) when several examiners are available to deal with a large case, to review different evidence objects with multiple machines on the same network or with separate accounts on a terminal server, simultaneously
or
2) to refine the volume snapshots of different evidence objects with multiple machines on the same network, simultaneously.

Each user/computer opens the same .xfc case file (the same copy on the same computer). All participating users/computers or all except for one (the master session) have to open the case as partially read-only, i.e. only allowing for distributed analysis work/volume snapshot refinement. This can be done by selecting View mode in the Open Case dialog window, or you will be prompted automatically when opening the case if the case is already open in another session as not read-only (i.e. in the master session). When completed, the results (the refined volume snapshot, comments, report table associations, search hits, tag marks, etc.) will be visible when opening the evidence object in the master session next time, and a notice about successful synchronization appears in the Messages window. If two users try to open the same evidence object as not read-only at the same time, the second one will be warned and advised to open it as read-only to avoid conflicts. Only one user may change the volume snapshot of an evidence object at a time.

* Ability to specifically open individual evidence objects (not the entire case) with the volume snapshot treated as read-only, using a dedicated command in the evidence object context menu in the Case Data window. Just as with the option to open a case as read-only, this is useful for cooperative work, if you know your colleagues may want to open the same case (the same copy) and the same evidence object and if you wish to let them make changes in that evidence object's volume snapshot, but keep control of the case as such (i.e. run the master session). Again, that has nothing to do with how the evidence object itself (the disk or the image) is treated. X-Ways Forensics never alters data in sectors of disks or interpreted image files when opening them as evidence object. Only the volume snapshot, i.e. the database with information about all the files and directories found, is either read-only or (and that is the normal situation) changeable.

* X-Tension API function XWF_GetHashValue implemented and XWF_GetSize officially available now.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 23, 2012 - 12:09:   

Beta 5:

* All the fixes of v16.7 SR-8.

* Improved support for Windows Task Scheduler (file header signature database and registry report).

* Several other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 29, 2012 - 7:45:   

v16.8 was just released.

Additional changes since Beta 5:

* Interpretation of file allocation table entries in exFAT file systems in the Info Pane. Brackets indicate that the displayed information is not actually retrieved from the file allocation table (but from other sources) and that the entry where the cursor is located is actually unused.

* File header signature search: Rough file size detection for .olk14MsgSource e-mail message files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 2, 2012 - 19:52:   

SR-1:

* Search hits in the decoded version of files were erroneously highlighted in File mode, with their artificial offsets. That was avoided.

* Fixed an error in the way that the 64-bit edition read exFAT file systems.

* Fixed an error that could occur when copying e-mails with extremely long subject lines and attachments to an evidence file container.

* Avoided warning about evidence objects in use in some situations where it is not necessary.

* Fixed incorrect checkmark states in the Type filter dialog after double-clicking that could occur in Windows versions newer than XP.

* Some minor improvements.

* X-Ways Imager download updated with v16.8. Now includes a 64-bit edition, which is very useful as a powerful disk imaging and disk cloning program for the 64-bit edition of the lightweight Windows PE or FE.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 4, 2012 - 21:09:   

SR-2:

* A 64-bit edition of the ordinary (not dongle-based) version of WinHex is now available to users with a professional or specialist license. Memory requirements of WinHex are very low, so that the extended logical memory address space of the 64-bit edition does not count as an advantage, however, unlike the 32-bit edition, the 64-bit edition can be executed from a 64-bit Windows PE such as the one that you can boot from your 64-bit Windows 7 or Windows 8 installation CD. This is useful for example if you wish to edit/repair or wipe sectors in the partition that contains your installation of Windows Vista or later, which are write-protected by Windows otherwise. More information about Windows PE

Licensed users can retrieve the download link of the additional 64-bit files from the usual web page.

The setup program remains a 32-bit program. As a portable application, WinHex does not need to be and should not be installed using the setup program.

* Avoided an infinite loop that could occur in v16.8 when running a file header signature search for index.dat records in free space.

* Fixed an exception error that could occur when loading old variants of the old evidence file container format.

* Prevented a rare exception error that could occur when taking snapshots of Ext file systems.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 7, 2012 - 7:53:   

SR-3:

* Fixed an exception error in the 32-bit edition of X-Ways Forensics 16.8 that could occur after taking a snapshot of FAT volumes.

* Creating many thousands of report table associations at a time or importing them from an evidence file container could be very slow in v16.8. That was fixed.

* Intelligent naming for prefetch files in file header signature search.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 14, 2012 - 15:59:   

SR-4:

* Some issues in X-Ways Imager were fixed.

* The owner ID of files originating from NTFS volumes was not passed on from 1st generation evidence file containers to 2nd generation containers. That was fixed.

* Sorting by evidence object no longer sorts alphabetically, but by the position of the evidence object in the case tree. This is much faster and perhaps even expected or desired by most users.

* The "Do not sort list" command now automatically refills the directory browser with the same items in the order in which they are referenced by the volume snapshot(s). Useful especially for users of X-Ways Investigator who are used to working with an unsorted list, accidentally click a column header and do not know how to refill the directory browser.

* Detects certain non-standard GIF pictures that can cause exception errors and does not try to process them any more to avoid problems.

* Ability to supply your own bitmap (16x16 pixels) that marks files as already viewed in the directory browser if you do not like the standard light green color. Provide it as a file named 9.bmp in the same directory where the .exe file is located.

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 3, 2013 - 20:05:   

SR-5:

* Improved ability to extract sender and recipient fields from artificial PST e-mail archives created by SysTools NSF to PST conversion.

* Minor improvements in Exchange EDB extraction.

* Registry report for Windows 8 registry hives as complete as for earlier Windows versions.

* X-Tensions that are invoked via Tools | Run X-Tensions are now applied by default to the active data window if a data window is open, just like via Specialist | Refine Volume Snapshot.

* Avoided certain situations where tagging a large number of files in large volume snapshots was extremely slow. (Please report back if you continue to have such a problem.)

* Some other minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 14, 2013 - 18:10:   

SR-6:

* Fixed an error that could occur when extracting e-mail from Exchange EDB databases.

* Since v16.4, the Type and Category filters did not reliably address all numeric file types such as .123, .000, .001. That was fixed.

* Fixed an exception error that could occur under certain circumstances when creating previews for index.dat files.

* Fixed a rare exception error that could occur when extracting e-mail from MBox e-mail archives.

* Fixed a freeze that could occur when processing certain files named cache.db.

* Improved compatibility of evidence file containers of the new format mounted with Mount Image Pro when copying directories using Windows Explorer.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 20, 2013 - 6:48:   

SR-7:

* File type verification signatures slightly updated.

* Fixed an error that could occur when processing SQLite databases.

* Fixed some errors that could occur when processing certain corrupt files.

* Prevented a situation where the 64-bit edition could hang when using the option "Skip and exclude data in free clusters" in disk imaging.

* Fixed an error in v16.8 that in certain situations (more often on computers with many processor cores) created a small amount of invisible surplus data at the end of compressed .e01 evidence files which could lead to a wrong verification hash and a read or CRC error message in other tools although all the data that was presented and user-accessible in the same tools was 100% correct.

* Fixed errors that could occur when reaching the limit of ~176 million search hits.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 25, 2013 - 15:52:   

SR-8:

* Fixed a data error that occurred when imaging media with more than 4,294,967,295 sectors.

* Avoided an exception error with certain non-standard volume labels in FAT file systems.

* Fixed an exception error that could occur in the 64-bit edition when processing .evtx event log files.

* Fixed an exception error that could occur when processing certain MSG files.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 2, 2013 - 11:39:   

SR-9:

* E-mail extraction from MSG files improved.

* Prevented distorted text proportions that could occur on cover pages when printing multiple files with the viewer component at the same time.

* Fixed an error in the search function of the registry viewer.

* Fixed crash of the Recover/Copy function with overlong file paths in the not dongle-based version of WinHex.

* Available as X-Ways Forensics, X-Ways Investigator and WinHex without a forensic license.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Mar 23, 2013 - 9:36:   

SR-10:

* Ability to use the new network dongles just like in v17.0 and v16.9 SR-5.

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 22, 2013 - 13:16:   

SR-11:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and recommended to users whose update maintenance covered no more than v16.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 19, 2013 - 20:06:   

SR-12:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.8. This is perhaps the last service release for v16.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 17, 2013 - 21:18:   

SR-13:

Final service release for v16.8.

Forum operated by X-Ways Software Technology AG.