X-Ways Forensics 17.0 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 17.0 « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 21, 2013 - 21:05:   

A preview version of X-Ways Forensics 17.0 is now available (32-bit and 64-bit edition). The download link can be retrieved as always by querying one's license status.

What's new?

* Ability to unlock X-Ways Forensics 17.0 and later with network dongles. Network dongles are available as a substitute for regular dongles probably from March 2013. A single network dongle can represent x licenses and substitute x regular dongles and allow the users to run X-Ways Forensics on x machines on the same network at the same time. The network dongle is attached any of the computers on the network and made available to the clients by a dongle server program or service. If multiple network dongles are found by a client, the user may choose one of them when starting up X-Ways Forensics. If one of these dongles is already fully in use, according to the number of licenses that it represents, the user will see that and can choose another dongle. Conveniently, a network dongle can also be used locally just like a regular dongle or multi-user dongle when needed!

When purchasing new licenses, you will have the option to order them with a network dongle instead of regular dongles, depending on the number of licenses either for free or at a surcharge. If you own many licenses already, we can probably offer you to test the network dongle and to swap many or all of your existing regular dongles for a single network dongle, on a case-by-case basis. For more information on the dongles in general and network dongles in particular please see http://www.x-ways.net/forensics/dongle.html#types.

* Ability to rank file types by importance/relevance and filter by the rank using the Type Status filter. For example, filtering out those file types ranked #0 will exclude font files, cursors, icons, themes, skins, clip arts, etc. Files with a low rank are of importance just in very specific investigations, for example source code, in which you would not be interested when looking for office documents or pictures for example, but definitely when hunting a virus programmer. Higher ranked file types are relevant in more cases. Generally the rank is useful in simple cases where you can expect to find what you are looking for in file types that are fairly well known. As another idea, you could make it a habit to only index files with higher ranks.

* Ability to assign file types to a so-called group, a new concept, which is not identical to a file type category. Useful for example if your standard procedure is to let examiner A check out pictures and videos, examiner B documents, e-mail, and other Internet activity, and examiner C operating system files of various kinds, because of their specializations. You can give these groups meaningful names and filter for them, also using the Type Status dialog window. The groups are displayed in the Type filter.

* The new definitions are all made in the "File Type Categories.txt" file. Existing files of that kind will continue to work as before. Suggestions for ranks are already predefined in the new standard file. Both ranks (from 0 to 9, where missing means 0) and groups (letters from A to Z) can be optionally specified following a tab at the end of a line, in any order, for example as "2P" or "DI3". So up to 10 rank levels are possible (but it is not necessary to fully utilize this range), and up to 26 groups (and you do not have to start alphabetically, the case of the letters is ignored). You can also define ranks and groups for an entire category, following a tab in a category line. To give a group a more descriptive name than just a single letter, insert group definition lines at the end of the text file that start with a equal sign, e.g.
=P=Photos and videos for image group
=D=Docs, e-mails and Internet
=I=File types to index

* Logical searches now also specifically cover the transition area from uninitialized (but physically allocated) areas of files to immediately following free space, if the option to cover the transition from slack space to free space is in use.

* Ability to run a logical search in selected files via the directory browser context menu from the case root window.

* Memory requirements for search hits reduced by 17%. Old versions cannot load search hit lists saved by v17.0 and later.

* Ability to refine the volume snapshot for selected files only, via the directory browser context menu.

* Ability to store most filter and all sort settings in the active case and load them again automatically when a case is opened. See Options | Directory Browser.

* If the option to Recover/Copy child objects of selected files is half selected, that now means that the only child objects that will be copied are e-mail attachments.

* Many more events are now output based on timestamps in internal metadata of many different file types.

* Several events now have an individual description, for example events in the Windows registry and in Internet Explorer index.dat files.

* The option to list items in registry hives recursively has been removed.

* Ability to extract video stills reliably using recent MPlayer releases. MPlayer 1.1 for use with v17 is now provided as a download.

* The resolution of videos is now displayed roughly in the Pixels column after at least one video still has been exported.

* Special support to carve thumbcache fragments (CMMM records) at the byte level.

* Since v16.3 it is possible to reconstruct RAID level 5EE. Now it is also possible to reconstruct RAID 5EE systems if one component disk is missing. RAID 5EE with forward and backward parity are supported.

* Directory browser option to display tag marks as check marks.

* Support for binary PLists has been improved to include the undocumented CF$UID data type.

* The Technical Details Report now checks for certain read inconsistencies that can occur with flash media (for example certain USB stick brands/models, but not others) in data areas that have never been written/used, where the data is undefined. The data that is read in such areas, for example when imaging the media, may depend on the amount of data that is read at a time with a single internal read command. The result is mentioned in the report. If inconsistencies are detected ("Inconsistent read results!" in the report), you will see a message box, which offers to read sectors in smaller chunks from that device as long as it is open, which likely yields the expected zero value bytes instead of some random looking non-zero pattern data when reading such areas. Use of this option does not give you data that is somehow more accurate or original (undefined is undefined and does not mean zeroed out) or contains more or less evidence, it can just have a big impact on compression ratio achieved and reproducibility of hash values with other tools, which may use different chunk sizes for reading and thus produce different data and hash values. Note that it is possible that read inconsistencies occur that are not detected by X-Ways Forensics, because a complete check would be very slow. Again, these inconsistencies are not fatal and not the fault of the software, and they can be explained. Does it mean that you should invoke the Specialist | Technical Details Report command prior to imaging? No, the report is routinely created already when imaging starts.

* Ability to specify how many extra threads to use when creating .e01 evidence files, when clicking the tiny little button in the lower right corner of the Create Disk Image dialog window. By default X-Ways Forensics will use no more than 4, and it depends on how many processor cores your system has, but you could try to increase it to up to 8 or even 16 on very powerful systems with even more cores usually without problems, for a chance to further increase the speed.

* The option "Display file sizes always in bytes" can now be found in Options | General | Notation. The alternative .eml preview option can now be found in Options | Viewer Programs.

* Size of the 64-bit executable files noticeably reduced.

* Several minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 1, 2013 - 11:47:   

Preview 2:

* User-specific configurations are now stored in the Windows user profile, in a subdirectory of \AppData\Local\X-Ways. The configuration now becomes user-specific automatically when running X-Ways Forensics not as administrator from a directory on the C: drive where a user does not have write access, such as C:\Program Files. Otherwise by default X-Ways Forensics still runs with a non user-specific configuration so that it remains a portable program and does not unnecessarily alter live systems that you wish to preview/triage. For details please see http://www.x-ways.net/winhex/setup.html. Whether a user-specific configuration is active or not (and if active, for what reason and where it is stored) can be seen in the Help | About box. The reason can be "necessarily" if no write access to the installation directory or "forced" a file named winhex.user is found in the installation directory or "for this user" if the user has an individual configuration already from previous executions for either of the other reasons. The inconsistent use of Virtual Store subdirectories is now avoided.

* In newly taken volume snapshots of NTFS volumes, hard-linked files now get a special treatment. An additional hard link just to provide a short filename that satisfies the 8.3 requirements of old Microsoft DOS/Windows versions is not counted any more as a hard link. Instead, such files get their hard link count marked with a in the Links column of the directory browser. That way, the hard link count more accurately reflects the hard links actually present in the volume snapshot of X-Ways Forensics, and normal files always have a count of 1, whereas 2 or more means something more special.

* In newly taken volume snapshots of NTFS volumes, all "real" hard links (i.e. hard links other than SFN) except for one can be conveniently excluded from logical searches and indexing by enabling the so-called recommended data reduction. Nowadays on Windows installations often between 10,000 and 100,000 hard links of system files exist, for example 27 links to a file like "Ph3xIB64MV.dll" in directories such as
\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035
\Windows\System32\DriverStore\FileRepository\ph3xibc2.inf_amd64_neutral_7621f5d62d77f42e
\Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382453de2dbb
\Windows\winsxs\amd64_ph3xibc9.inf_31bf3856ad364e35_6.1.7600.16385_none_a0a14b454657e48e
\Windows\winsxs\amd64_ph3xibc5.inf_31bf3856ad364e35_6.1.7600.16385_none_9e7d0270e1def2ea
\Windows\winsxs\amd64_ph3xibc12.inf_31bf3856ad364e35_6.1.7600.16385_none_64d7af985f2a04e4
etc.
By searching only in one hard link of a file, you can typically exclude several GB of duplicate data and yet don't miss anything if you search all other files. Those additional hard links that are excluded by the recommended data reduction get their hard link count marked with an asterisk (*). Search hits in the only hard link that does get searched are marked with the hint "-> Links!" in the Descr. column to remind you of the other hard links of the same file in case those search hits are relevant.

* A filter is now available for the ID column, which makes it more convenient to find other hard links of a given file.

* When viewing a hard-linked file, the other hard links of the same file are now optionally marked as already viewed as well at the same time, just as known in previous versions for duplicates based on hash values.

* When creating report table associations optionally for duplicates of the selected files at the same time, this now includes other hard links of the same file.

* Support for another artifically defined code page, which allows to search for and read UTF-16 text encoded by the MS Outlook cipher called compressible encryption.

* It is now possible to search and index in up to 6 code pages at the same time.

* The already previously supported non-Unicode artificial code page for MS Outlook compressible encryption now works based on a user-defined code page (by default equal to the code page active in your Windows system for non-Unicode programs), not just Latin 1. Potentially important for languages other than Western European languages. Outlook uses the Windows system code page in its old non-Unicode capable variant of PST.

* PST and OST files are now no longer omitted by logical searches and indexing if the recommended data reduction is active and e-mail and other Outlook data has been extracted from them.

* Search hits in all variants of UTF-16 that are not aligned at even offsets are now marked in the Descr. column as "unaligned", as a small hint and explanation why you can read the text only in the alignment-aware context preview of the Search hits column, and not in the text column.

* Tools | File Tools | Delete Recursively can now automatically delete files for which you do not currently have the right to delete (for example because "Trusted Installer" is the owner), but for which you can get all rights (if you are running WinHex with administrator rights).

* Minimum memory requirements for loaded volume snapshots reduced. More data of volume snapshots can now be kept in memory optionally for higher performance.

* More compact internal organization of certain files in volume snapshots (extracted e-mails, video stills, virtual attached files).

* Volume snapshots from v16.3 (released in October 2011) and later can be imported, from v15.8 (October 2010) to v16.2 as well if no e-mail was extracted by those versions. Incompatible volume snapshot will be identified and not converted.

* Several minor improvements.

* Same fix level as v16.9 SR-3.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 3, 2013 - 21:27:   

Preview 3:

* Ctrl+A now works in all edit boxes and all multi-selection list windows in all dialog windows.

* Exploring the contents of 5 more usually irrelevant Zip subtypes is now optional when refining the volume snapshot, compared to just JAR in previous versions.

* The check for updates can now be found in the Help | Online menu.

* Program help updated.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 4, 2013 - 21:12:   

Network dongles are now available ("as long as stock lasts"). The information at http://www.x-ways.net/forensics/dongle.html#types has been updated.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 7, 2013 - 18:40:   

Preview 4:

* Carving support for "Gatherer Transaction Log". Event extraction from carved fragments of this log (.gthr2) and existing .NTfy.gthr files.

* Preliminary event extraction from Firefox cache fragment files (.firefox).

* Avoids more irrelevant identical traces of files found in volume shadow copies.

* A few other minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 17, 2013 - 12:52:   

Preview 5:

* The "Uncover embedded data" function uses some special algorithms for certain file types (Windows.edb, thumbs.db, PLists) and byte-level carving for all other host file types. This carving was limited to embedded JPEG and PNG files in previous versions (+EMF in multi-page printer spool .spl files). Now embedded files of any type whose definition in the File Type Signatures Search.txt file comes with a tilde (~) algorithm and is marked with a new flag "e" (for "embedded") will be carved. As a very good example of this new flexibility, .lnk shortcut files are now carved within customdestinations-ms jumplists.

* If you choose to not sort the directory browser initially after start-up, there will now also be no sorting when turning off all filters with a single mouse click, to avoid longer delays when suddenly all files are listed again recursively.

* When copying files or alternate data streams or other objects that do not have any or all timestamps with the Recover/Copy command, X-Ways Forensics now approximates the fact that a timestamp is not available by setting the corresponding timestamps of the output files to ~0 (Jan 1, 1601 in NTFS). This behavior was already active in versions before April 2012. It can be avoided by holding the Shift key when clicking OK in the dialog box, for example if you wish to use some other programs with these files that do not want to open files with such timestamps (it has been reported for VLC).

* Some errors from earlier preview releases fixed.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 18, 2013 - 20:29:   

Beta 1:

* Ability to save filter and sort settings to a separate file and load them again at any time, by clicking on the Open/Save icons on the right-hand side of the caption line of the directory browser. Such files are given the extension ".settings".

* The selected file types of the Type filter are now also optionally stored in cases, like other filter settings. Note that collisions among file type designations become apparent when selections for the file type filter are loaded. For example if you had originally selected "mmf" = "MailMessage File" (category e-mail), then you will find that "mmf" is also selected as "Yamaha SMAF" (category Sound/Music). This is normal and does not change what the Type filter does. When in doubt, the Type filter also includes other types with the same designation, to avoid that anything is overlooked.

* Includes the contents of the Pixels column in evidence file containers of the new type.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 18, 2013 - 20:37:   

Below is an overview of file formats from which events are currently extracted:

.firefox (~55) fragments
_CACHE_001_ and _CACHE_002_
.lnk shortcuts
.automaticDestination-ms
.chrome Chromium cache data_1, data_2
.usnjrnl fragments
Registry hives
.hbin Registry hive fragments
.doc (last printed)
.msg
rp.log XP restore point
INFO2 XP recycle bin
.recycler Vista recyle bin
.snapprop Vista volume shadow copy properties
.cookie
.gthr;.gthr2 Gatherer and Gatherer fragments
.pf prefetch
JPEG GPS
OLE2 last modification
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 20, 2013 - 21:25:   

Beta 2:

* Exploring zip-based Office document files such as those of MS Office 2007/2010, LibreOffice, OpenOffice, iWork is now optional when refining the volume snapshot. Useful if you or the recipients of evidence file containers that you create only wish to see the documents as a whole, no embedded pictures or XML files separately, and don't need to extract metadata from these XML files and can recognize nested documents (documents embedded in other documents) themselves if necessary.

* A filter for the event type column is now available.

* Ability to filter for "unequal to" in the ID and internal ID filters. Useful should the volume snapshot refinement crash with a file that was not part of the volume snapshot when it was last saved during the refinement. In that case you can filter out and omit the offending file with the future assigned internal ID in advance when you try again.

* Some minor improvements and fixes.

* Program help updated.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 21, 2013 - 19:50:   

Beta 3:

* Activating Sync mode now automatically deactivates all filters if filters keep the directory browser from listing the file that the current cursor position in Partition/Volume mode is contained in. As always you can click the Back button to return to the previous listing in the directory browser, but remember that this works only if the directory browser has the input focus, not the lower half of the data window where you navigated in Partition/Volume mode, where jumps from one offset to the other can be undone or redone with the Back & Forward functionality.

* In newly taken snapshots of HFS+ volumes with hard links, you can now view hard-linked files directory and do not have to look up the corresponding so-called indirect node file manually (the one whose name contains the inode number, which is specified in the Comments column).

* Newly taken volume snapshots now support a concept of "related" files, related in ways other than a parent-child or sibling relationship. For example, the related file for hard links in HFS+ is the corresponding indirect node file. The related file for files that were found volume shadow copies in NTFS is the volume shadow copy host file. The related file for a volume shadow copy host file is the corresponding snapshot properties file (called "snapprop" in the Type column). More kinds of n:1 relationships are conceivable in future versions. Files that have related files get their icon marked with a small blue downward pointing arrow on the left-hand side of their icon.

* A new command in the directory browser context menu (Navigation submenu) allows to conveniently find the related file if one exists for the selected file. You may also press Shift+Backspace to navigate to the related file. This is similar to just hitting the Backspace key, which navigates to the parent file or directory.

* For files found by v17.0 and later in volume shadow copies, the Attr. column now points out the sequential number of the snapshot in which they were found, as indicated by the snapshot properties file.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Mar 23, 2013 - 20:36:   

Beta 4:

* Special extraction of objects (pictures and others) embedded in MS Word .doc and MS PowerPoint .ppt OLE2 compound files, in which previously only JPEG and PNG were found and only through ordinary carving. Embedded pictures are now often output with their original name or designation in the document and are extracted correctly even if fragmented within the OLE2 compound file.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 27, 2013 - 5:49:   

v17.0 has just been released.

Some of the not yet announced improvements include detection of Windows dynamic volumes > 2 TB, extended processing of OLE2 compound files other than .doc and .ppt, and a separate checkbox for the optional exclusion of hard links from logical searches and indexing.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 3, 2013 - 18:44:   

SR-1:

* Extraction of pictures from .xls documents supported.

* Improved e-mail extraction from Exchange EDB.

* Fixed a rare exception error that could occur when opening FAT volumes with a certain layout.

* v17.0 did not apply information from Windows.edb to thumbnails extracted from thumbcache*. That was fixed.

* An exception error was fixed that could occur when extracting large amounts of e-mail or embedded files from other files.

* An exception error was fixed that could occur when extracting events from Windows registry hive fragments.

* The options to exclude JAR, APK, IPA etc. from archive exploration did not work reliably in v17.0. That was fixed.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 4, 2013 - 4:46:   

* Now when about to convert the old volume snapshot format of v16.9 and before to the new one, the software highly recommends to make a backup of the case and all its subdirectories first, as apparently some conversions are not successful.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 7, 2013 - 11:37:   

* SR-1 of the regular (non-forensic) edition of WinHex now available. Fixed an exception error in the Position Manager.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 10, 2013 - 19:13:   

SR-2:

* All operations with EDB database files now also work under Windows 8.

* Fixed exception errors that could occur when first uncovering embedded data in miscellaneous files and then running a simultaneous search in the same session.

* Selection error for more than 5 type groups in the Type Status filter dialog fixed.

* Ability to convert a network dongle to a "pure" network dongle that even if connected locally can only be used through the network interface, which can be enforced as described in the network dongle package.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 17, 2013 - 20:04:   

SR-3:

* More thorough exploitation of volume shadow copies.

* Fixed error "Cannot open '...\External". Please check the path and your access rights." when processing PLists.

* v17.0 did not always automatically include the contens of archives if they were misnamed. That was fixed.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 22, 2013 - 13:18:   

SR-4:

* Forces MPlayer to use the directory for temporary files for the export of video stills.

* Can share the same local dongle simultaneously on the same machine with instances of v16.5 SR-14, v16.6 SR-11, v16.7 SR-11, v16.8 SR-11, v16.9 SR-6 (not older releases), and v17.1 if executed by the same user.

* More consistent treatment of garbage timestamp values.

* Some other minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Apr 26, 2013 - 19:24:   

SR-5:

* When creating report table associations for the parent file of the selected file, if the direct parent is no file, but the grandparent or great grandparent etc., then the grandparent will get the association. E.g. XML file in a directory in a ZIP-style Office document.

* Fixed an error message that occurs when not keeping .xfc backup files.

* Prevents a rare error message that could occur when processing empty e-mail messages in unusually named directories within in Outlook PST e-mail archives.

* Fixed a rare error that could occur with corrupt FAT32 boot areas.

* XFS support improved to better recognize and ignore corrupted file system data that might otherwise cause issues.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 9, 2013 - 20:41:   

SR-6:

* Non-deterministic "The specified resource name is not found in an image file" error fixed in Chinese and Japanese user interface.

* Some of the radio buttons in the case report options did not behave as they should. That was fixed.

* The export of report table associations for multiple selected evidence objects was potentially incomplete if one of the selected evidence objects did not have any report table associations. That was fixed.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 19, 2013 - 20:08:   

SR-7:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.0.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 17, 2013 - 21:19:   

SR-8:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.0. This is perhaps the last service release for v17.0.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 30, 2013 - 17:43:   

SR-9:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.0. This is the last service release for v17.0.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.