X-Ways Forensics 17.2

X-Ways User Forum » Public Announcements » X-Ways Forensics 17.2

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, May 18, 2013 - 12:45:   

A preview version of X-Ways Forensics 17.2 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Yet another acquisition option for users who need to or want to exclude certain data from forensic images. You can now create ordinary images, in raw format or as an .e01 evidence file - with all the known options such as hashing, compression, encryption, splitting - and exclude the data in clusters associated with files that you hide before starting the acquisition process. The resulting image is called a cleansed image. The affected sectors are zeroed out in the image and optionally marked with an easily recognizable "watermark" of your choice. All other data is copied to the image normally.

Useful for anyone who needs to redact certain files in the file system, but otherwise wants to create an ordinary forensically sound sector-wise image, compatible with other tools. A must in countries whose legislation specially protects the most private personal data of individuals and certain data acquired from custodians of professional secrets (e.g. lawyers and physicians, whose profession swears them to secrecy/confidentiality). For a comparison of evidence file containers, skeleton images and cleansed images, which all serve similar purposes, please see http://www.x-ways.net/investigator/containers_vs_skeleton_images.html.

Before you start the imaging process for a partitioned disk, open the partitions in which the files are located that you would like to exclude from the image. Wait till the volume snapshot has been taken if it was not taken before. Then hide the files. You do not need to open and take volume snapshots of partitions whose data you would like to include completely.

Note that alternatively you can retroactively cleanse (redact) already created complete raw images, in WinHex, by securely wiping selected files via the directory browser context menu. The granularity of this operation is not limited to entire clusters. For example, that means it can also wipe files in NTFS file systems with so-called resident/inline storage, and it does not erase file slack along with them.

* Totally revised indexing engine with many advantages: Created optionally at the same time when the volume snapshot is refined (synergy saves time), faster to create than before, no separate optimization step, just 1 index for multiple code pages/character sets, just 1 word list for multiple code pages/character sets (i.e. fewer duplicates), GREP searches in the index possible, multiple indexes with different names for different purposes may coexist for the same evidence object, indexing with regular expressions possible (details to be revealed later), more convenient search hit review (exactly like for ordinary search hits, search hits are stored permanently immediately, allowing for immediate logical AND and NEAR combinations), and more.

At the moment the old and the new indexing engines coexist within the program. To use the old indexing engine use the menu commands Search | Indexing (to create an index) and Search | Search in Index (to search in the index). To use the new indexing engine use the menu commands Specialist | Refine Volume Snapshot (to create an index) and Search | Simultaneous Search (to search in the index, select "Search in Index" in the drop-down box).

* Events recorded by Skype are now output to the event list (chats, calls, file transfers, account creation, ...). When sorting these events by their timestamps, you can read all chat messages in chronological order.

* Metadata extraction from PE .exe files with version resources.

* New directory browser column: Unique ID. Similar to the internal ID, but unique within the entire case, not just within the evidence object. A filter for this column will probably be added at a later time.

* The options "Group files and directory", "List dir.s when exploring recursively" and "Apply filters to directories, too" are now remembered separately by the normal directory browser, search hit lists and event lists.

* X-Tensions API: Ability to retrieve the result of the skin tone/gray scale analysis of pictures programmatically, via XWF_GetItemInformation.

* Several minor improvements.
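The cluster-level redaction described in the post, shown on a constructed raw image as an added example. This is not X-Ways code and says nothing about how X-Ways Forensics implements cleansed images internally; it assumes the cluster numbers of the excluded files are already known (in the product they come from the volume snapshot), and the cluster size, watermark text and sample contents are invented for the demonstration.

```python
import hashlib

SECTOR_SIZE = 512


def cleanse_image(image: bytes, cluster_size: int, redacted_clusters, watermark: bytes = b"") -> bytes:
    """Copy `image` sector for sector, except that every cluster listed in
    `redacted_clusters` is zeroed and optionally prefixed with `watermark`.

    Which clusters belong to the excluded files must come from the file system
    parser (FAT chain, NTFS data runs, ...); this function only uses the numbers
    it is given.  Consequences the post mentions: the whole cluster is zeroed, so
    the slack of a file's last cluster goes with it, and a small NTFS file with
    resident data lives in its MFT record rather than in a data cluster, so
    cluster-level redaction does not reach it.
    """
    if cluster_size <= 0 or cluster_size % SECTOR_SIZE:
        raise ValueError("cluster size must be a positive multiple of the sector size")
    if len(watermark) > cluster_size:
        raise ValueError("watermark must fit into one cluster")
    n_clusters = len(image) // cluster_size
    out = bytearray(image)
    for c in set(redacted_clusters):
        if not 0 <= c < n_clusters:
            raise ValueError(f"cluster {c} lies outside the image")
        start = c * cluster_size
        out[start:start + cluster_size] = bytes(cluster_size)   # zero the whole cluster
        out[start:start + len(watermark)] = watermark           # mark it as redacted
    return bytes(out)


def verify_cleansed(original: bytes, cleansed: bytes, cluster_size: int,
                    redacted_clusters, watermark: bytes = b"") -> bool:
    """Independent check of a cleansed image: every redacted cluster holds only
    the watermark followed by zeros, and every other byte is unchanged."""
    if len(original) != len(cleansed):
        return False
    redacted = set(redacted_clusters)
    n_clusters = len(original) // cluster_size
    for c in range(n_clusters):
        start = c * cluster_size
        before = original[start:start + cluster_size]
        after = cleansed[start:start + cluster_size]
        expected = watermark + bytes(cluster_size - len(watermark)) if c in redacted else before
        if after != expected:
            return False
    tail = n_clusters * cluster_size          # partial trailing cluster, if any
    return original[tail:] == cleansed[tail:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a 16-cluster "disk" with 4 KiB clusters.  Clusters 5 and 6
# stand for the data of a privileged document that must not leave the premises.
CLUSTER_SIZE = 4096
N_CLUSTERS = 16
PRIVILEGED_CLUSTERS = [5, 6]
WATERMARK = b"*** REDACTED BY EXAMINER ***"

SAMPLE_IMAGE = b"".join(
    (b"ATTORNEY-CLIENT PRIVILEGED " * 200)[:CLUSTER_SIZE] if c in PRIVILEGED_CLUSTERS
    else (b"cluster %02d ordinary data " % c * 200)[:CLUSTER_SIZE]
    for c in range(N_CLUSTERS)
)


if __name__ == "__main__":
    cleansed = cleanse_image(SAMPLE_IMAGE, CLUSTER_SIZE, PRIVILEGED_CLUSTERS, WATERMARK)
    print("original hash:", sha256_hex(SAMPLE_IMAGE))
    print("cleansed hash:", sha256_hex(cleansed))
    print("verified     :", verify_cleansed(SAMPLE_IMAGE, cleansed, CLUSTER_SIZE,
                                            PRIVILEGED_CLUSTERS, WATERMARK))
```

Document the hash of the cleansed image as produced; by design it cannot match a hash of the source device. Zeroing a file's clusters also leaves any second copy of the same data untouched, whether in unallocated space or, on NTFS, resident in the MFT record, which is why the post points to file-level wiping in WinHex for those cases.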

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 28, 2013 - 22:16:   

Preview 2:

* Option to extract the oldest revision of PDF documents with changes and provide convenient access to it as a child object (see metadata extraction). The child objects are marked as excerpts. Old revisions can also easily be carved manually in File mode.

* User IDs (including last SID components) larger than 65,535 supported in Owner filter.

* Ability to filter for files whose internal IDs or unique IDs are contained in (mathematically "element of") an entire list of IDs, or exclude them (mathematically "not element of"). Useful if you first export a list of files including IDs for someone, and then receive back a list of IDs of files that you should copy. Remember internal IDs are specific to an evidence object and volume snapshot (and each partition of a partitioned disk has its own volume snapshot and counts as a separate evidence object), unique IDs are unique for the entire case.

* New Edit | Convert functions: Percentage URL Encode, Percentage URL Decode, Quoted Printable Decode.

* New X-Tensions API function XWF_GetCaseProp available, which retrieves properties of the current case.

* Same fix level as v17.1 SR-4.

* Several minor improvements.
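The manual carving of old PDF revisions mentioned in the post, as an added example that is not part of the original post and not X-Ways code. It relies on the PDF incremental-update mechanism (an update appends new objects plus a new xref and trailer after the previous %%EOF, so the bytes up to the first %%EOF are the oldest revision); the sample PDF is constructed for the demonstration and its xref offsets are not accurate.

```python
import re

# Each revision of a PDF ends with a %%EOF comment; incremental updates append after it.
EOF_MARKER = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")


def is_linearized(data: bytes) -> bool:
    """A linearized ("fast web view") file legitimately carries an extra
    first-page trailer and %%EOF near its start; that one is not an old revision."""
    return b"/Linearized" in data[:1024]


def split_pdf_revisions(data: bytes) -> list:
    """Return the cumulative revisions of a PDF, oldest first.

    revisions[0] is the file as it was before the first incremental update
    (everything up to and including the first %%EOF); revisions[-1] is the
    complete file.  Because an update only appends, each prefix is a complete,
    independently parseable PDF that can be saved and opened on its own.
    """
    if not data.startswith(b"%PDF-"):
        raise ValueError("missing %PDF header")
    ends = [m.end() for m in EOF_MARKER.finditer(data)]
    if not ends:
        raise ValueError("no %%EOF marker: truncated or not a PDF")
    if is_linearized(data):
        ends = ends[1:] or ends      # skip the first-page section's %%EOF
    if ends[-1] != len(data):
        ends.append(len(data))       # bytes after the last %%EOF belong to the final state
    return [data[:e] for e in ends]


def update_trailers(revisions: list) -> list:
    """The trailer dictionary each revision appended.  An incremental update's
    trailer carries /Prev (offset of the previous xref), which confirms that the
    earlier prefix really was a complete revision and not stray bytes."""
    trailers, prev_end = [], 0
    for rev in revisions:
        tail = rev[prev_end:]
        m = re.search(rb"trailer\s*<<(.*?)>>", tail, re.S)
        trailers.append(m.group(1).strip() if m else b"")
        prev_end = len(rev)
    return trailers


# Constructed sample: a one-page document whose content stream was later
# replaced by an incremental update.  Offsets and lengths are dummies.
ORIGINAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 52 >>\nstream\n"
    b"BT /F1 12 Tf 72 700 Td (Settlement: 250000 EUR) Tj ET\n"
    b"endstream\nendobj\n"
    b"xref\n0 5\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
    b"0000000115 00000 n \n0000000174 00000 n \n"
    b"trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n290\n%%EOF\n"
)
INCREMENTAL_UPDATE = (
    b"4 0 obj\n<< /Length 51 >>\nstream\n"
    b"BT /F1 12 Tf 72 700 Td (Settlement: [withheld]) Tj ET\n"
    b"endstream\nendobj\n"
    b"xref\n0 1\n0000000000 65535 f \n4 1\n0000000420 00000 n \n"
    b"trailer\n<< /Size 5 /Root 1 0 R /Prev 290 >>\nstartxref\n520\n%%EOF\n"
)


if __name__ == "__main__":
    revisions = split_pdf_revisions(ORIGINAL_PDF + INCREMENTAL_UPDATE)
    for n, (rev, trailer) in enumerate(zip(revisions, update_trailers(revisions))):
        print(f"revision {n}: {len(rev)} bytes, trailer: {trailer.decode()}")
```

In File mode the same carve is a matter of selecting from the file start to the first %%EOF and saving the block. More than one %%EOF on its own proves nothing in a linearized file, so check for /Linearized before treating an early %%EOF as an older revision.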

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 2, 2013 - 22:55:   

Preview 3:

* Resolving hard links in HFS+ file systems has been accelerated. You can always abort that step if it takes too long.

* Ability to choose completely numeric unique IDs for a case instead of unique IDs with a delimiter, when creating a case.

* Several minor improvements.

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 4, 2013 - 9:31:   

Preview 4:

* Fixed indexing error in Preview 3.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 4, 2013 - 20:56:   

Preview 5:

* Fixed search error in Preview 4.

* Same fix level as v17.1 SR-5.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 6, 2013 - 20:02:   

Preview 6:

* The crash-safe text decoding option for logical searches and indexing is now much faster, almost as fast as the regular decoding option.

* Ability to retrieve the hardware serial numbers of USB media.

* Fixed an error that occurred when writing to symlinks in Ext* and XFS file systems.

* Fixed hash database import error of earlier v17.2 Preview releases.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 9, 2013 - 18:47:   

Preview 7:

* The Hash column now displays pseudo-hash values in light gray color until real hash values have been computed. Pseudo-hash values are based on the file metadata, not on the file contents. They are available instantly even for very large files. They allow you to list files in a random order just like when you sort by real hash values, but without having to invest time to compute real hash values first. Useful for example for triage, if you have limited time and just wish to quickly look at some randomly selected files in a large evidence object first (e.g. pictures in a gallery) to determine how relevant an evidence object might be.

Looking at files in a random order might give you a more complete and accurate impression of what is stored in an evidence object, because the first x% of the files listed are more varied and more representative of the evidence object as a whole if they are in a truly random order. If you sort by name or path or size or timestamps on the other hand, many of the files you see will likely be somewhat similar (created by the same application or by the operating system, by the same user, for a similar purpose, created or copied or received around the same time, same file format, ...), so with some bad luck you will only see irrelevant files even if there is an equally large group of relevant files. Remember that if you don't sort in the directory browser at all, the view is skewed as well, because you will see the files in the order in which they are referenced by the volume snapshot, which is more or less the order in which they are referenced by the file system and thus not random.

Sorting by hash values can be combined with any filter, for example to see only pictures larger than 1 MB in a random order or only files of a certain user. Pseudo-hashes are not guaranteed to be unique or even remain the same when you close and re-open the evidence object.

* For a similar purpose, there is now a modulo option for the internal ID filter. For evidence objects that contain a huge number of files, it allows you to focus on a subset of files that is more or less representative of all files (though less random than files selected by hash value). Applying the modulo operation to the internal ID will pick files from any directory, with any name, creation date etc. To see only 1,000 out of 100,000 files, i.e. every 100th file, use the operation "internal ID modulo 100 = 0". Also useful for testing purposes: If you wish to compare the performance of different hard disks, RAID systems, processors, configurations for volume snapshot refinements, you don't have to process all files in an evidence object. You can get quicker, yet likely representative results for example in 1/10 of the time if you only process every 10th file, pseudo-randomly selected by internal ID.

Even for normal work, examiners may not be required by their bosses/their prosecutor to conduct a 100% complete examination, for example because after review of a reasonably sized and representative subset you can extrapolate that about 10% of several tens of thousands of photos is illegal material.

* Some optimizations for volume snapshot refinements.

* Random access to large .e01 evidence file segments accelerated.

* Ability to attempt a recovery of an unresponsive previous instance by starting another instance (executing the same .exe file again) if the option "Allow multiple program instances" is half checked. For example, should X-Ways Forensics get into an infinite loop when processing a certain file during volume snapshot refinement, this can potentially help the already running instance break out of that loop and proceed with the next file. The second instance also shows some technical information about what the already running instance is doing at the moment, and can do so even without recovering a supposedly hanging previous instance.

* Meanwhile, a C# port of the X-Tension API is available from https://github.com/chadgough/x-tensions (also http://www.4discovery.com/our-tools/#8) to make it easier to develop X-Tensions in .Net, thanks to Chad Gough.
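The two triage ideas from the post above (ordering by a metadata-only pseudo-hash, and thinning by "internal ID modulo m") side by side, as an added example in Python that is not part of the original post and not X-Ways code. Which metadata fields feed the pseudo-hash and the per-session token are this example's own assumptions; the evidence object is constructed so that one kind of file is clustered at the top of any conventional sort.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    """The few directory-browser fields this example bases a pseudo-hash on."""
    internal_id: int      # per volume snapshot, assigned in file-system order
    path: str
    name: str
    size: int
    created: int          # Unix timestamp


def pseudo_hash(item: Item, session_token: bytes) -> str:
    """Metadata-only stand-in for a content hash.

    Instant even for huge files because no content is read; deliberately NOT
    unique (two entries with identical metadata collide) and keyed by a
    per-session token, so the order is not expected to survive closing and
    re-opening the evidence object.  The field choice is this example's own,
    not a description of the real pseudo-hash.
    """
    fields = f"{item.path}\0{item.name}\0{item.size}\0{item.created}".encode()
    return hashlib.blake2b(fields, digest_size=8, key=session_token).hexdigest()


def pseudo_random_order(items, session_token: bytes):
    """Sort by pseudo-hash: a shuffle that is reproducible within one session."""
    return sorted(items, key=lambda it: pseudo_hash(it, session_token))


def modulo_subset(items, modulus: int, remainder: int = 0):
    """The 'internal ID modulo m = r' filter: every m-th file, from every directory."""
    return [it for it in items if it.internal_id % modulus == remainder]


def share_of(items, predicate) -> float:
    return sum(1 for it in items if predicate(it)) / len(items)


# Constructed evidence object: 500 OS files created in one sweep and 500 user
# pictures copied later.  Internal IDs follow file-system order, so the two
# groups are contiguous: exactly the situation in which a sort by name, path
# or time shows only one kind of file at the top.
SAMPLE_ITEMS = (
    [Item(i, "C:/Windows/System32", f"sys_{i:04d}.dll", 40_000 + i, 1_356_000_000)
     for i in range(500)]
    + [Item(500 + i, "C:/Users/j/Pictures", f"IMG_{i:04d}.jpg", 2_000_000 + 9 * i, 1_370_000_000 + 60 * i)
       for i in range(500)]
)
IS_PICTURE = lambda it: it.name.endswith(".jpg")


def triage_comparison(items=SAMPLE_ITEMS, head_fraction=0.1, token=b"session-1"):
    """Share of pictures among the first 10% under three orderings, plus in the
    modulo-10 subset; returned as a dict so the result can be checked, not just read."""
    head = int(len(items) * head_fraction)
    return {
        "by_name": share_of(sorted(items, key=lambda it: it.name)[:head], IS_PICTURE),
        "by_internal_id": share_of(sorted(items, key=lambda it: it.internal_id)[:head], IS_PICTURE),
        "by_pseudo_hash": share_of(pseudo_random_order(items, token)[:head], IS_PICTURE),
        "modulo_10": share_of(modulo_subset(items, 10), IS_PICTURE),
    }


if __name__ == "__main__":
    for label, share in triage_comparison().items():
        print(f"{label:16s} pictures in sample: {share:.0%}")
```

The name and internal-ID orderings put 100% or 0% pictures in the first tenth, the pseudo-hash ordering lands near the true 50%, and the modulo filter hits 50% exactly because it steps through the ID space evenly. The modulo subset is the one to use for timing comparisons, since it is the same subset on every run; the pseudo-hash order is the one to use when you want a fresh random sample per session.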

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 11, 2013 - 22:09:   

Preview 8:

Same fix level as v17.1 SR-6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 17, 2013 - 13:18:   

Beta 1:

* Revised e-mail extraction from MS Exchange databases and Outlook PST e-mail archives.

* Same fix level as v17.1 SR-7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 17, 2013 - 22:19:   

Beta 2:

* A few fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 18, 2013 - 21:06:   

Beta 3:

* Various minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 20, 2013 - 20:14:   

Beta 4:

* Hiding files is now called excluding files.

* Program help updated.

* Fixed an exception error that could occur when parsing volume shadow copies.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 21, 2013 - 21:22:   

Beta 5:

* Some more fixes and minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jun 22, 2013 - 11:17:   

Beta 6:

* Metadata from the XML files in zip-styled Office documents can now be extracted even if the XML files are not included in the volume snapshot.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 26, 2013 - 19:28:   

Beta 8:

* Better readable font in dialog boxes for the Chinese, Japanese and Russian user interface.

* Option to use the standard Windows GUI font for the WinHex/X-Ways Forensics GUI (see additional font checkbox in General Options).

* Better support for NNTP-encoded e-mails.

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 28, 2013 - 18:58:   

Beta 9:

* Traditional Chinese predefined for indexing.

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 1, 2013 - 8:22:   

Beta 10:

* Option to define the size of the extra gap between rows in the hex editor display in pixels, which together with the official height of the selected font defines the distance between the rows. The default value has always been 3, but now it can be decreased, to display more rows at the same time and see more data. For example with the Courier font the display still looks fine with an extra gap of 1, but you see 15% more data (based on font size 10). Even negative values are possible. With -1 you may see 35% more data than before. See Options | General.

* Better support for large system fonts for high screen resolutions.

* Ability to copy up to 64 KB of data in a selected block into the clipboard in X-Ways Investigator (subject to change).

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 1, 2013 - 17:02:   

Beta 11:

* Fixed a PTFSDSS error that was specific to v17.2 Beta.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 2, 2013 - 13:49:   

Beta 12:

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 4, 2013 - 18:17:   

Beta 13:

* More stable when decompressing corrupt zip archives.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 4, 2013 - 21:14:   

* Separate file type category "Chats, Messaging" defined. If anyone has more ideas which file types to add to that category, please send e-mail. Thanks.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 5, 2013 - 13:04:   

v17.2 was just released. The log-in data for users of X-Ways Forensics was changed (for the first time in two years).

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 8, 2013 - 12:09:   

SR-1:

* Fixed an exception error that occurred with thumbcache_256.db files.

* Fixed an exception error that could occur when extracting e-mail from Outlook Express DBX archives.

* Resolving same-target references on FAT volumes is now faster.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 11, 2013 - 20:49:   

SR-2:

* PST/OST e-mail extraction in v17.2 depended on the presence of MSVCR100.dll, which may not be present in all Windows systems. This was avoided.

* Fixed an error that could lead to freezing when extracting data from Skype databases.

* Fixed an exception error that could occur during metadata extraction.

* Prevented a rare infinite loop that could occur when processing certain hive fragment files.

* Special handling of # in filenames when generating the case report.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 16, 2013 - 8:34:   

SR-3:

* Several minor improvements and fixes for handling of certain file types, including Windows Registry files.

* Pipes now allowed in Name filter expressions (can be useful for GREP expressions).

* Fixed an error that could cause a wrong file size display in the directory browser for certain files found in volume shadow copies that had alternate data streams.

* Fixed inability to explore certain TAR archives automatically.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 17, 2013 - 19:30:   

SR-4:

* In v17.2, exploring recursively from the case root could result in empty volume snapshots of partitions if no volume snapshots of those partitions had been taken previously. That was fixed.

* Some fixes for handling of certain file types.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 24, 2013 - 9:09:   

SR-5:

* Miscellaneous fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jul 27, 2013 - 21:45:   

A simplified graphical comparison of skeleton images, cleansed image and evidence file containers can now be found here: http://www.x-ways.net/investigator/containers_vs_skeleton_images.html

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Aug 3, 2013 - 17:13:   

SR-6:

* Better handling of corrupt archives.

* Fixed memory leak in new indexing.

* Improvements for Exchange EDB extraction.

* Miscellaneous fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 20, 2013 - 22:24:   

SR-7:

* Fixed inability of X-Ways Investigator 17.2 to read from the very end of .e01 evidence files.

* Fixed an error in metadata extraction from certain executable files.

* Some minor fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 28, 2013 - 11:18:   

SR-8:

* Event generation from .evtx Windows event log files was introduced in v17.2, but was not announced before.

* Fixed infinite recursion that could occur when extracting old versions from certain PDF documents.

* Prevented some problems with video processing using the new MPlayer version.

* Fixed an exception error that could occur when interpreting differencing VMDK disk images.

* Fixed an exception error that could occur in v17.2 when extracting information about meetings or contacts from Outlook PST e-mail archives.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 9, 2013 - 22:31:   

SR-9:

* Fixed an error in the "Skip already zeroed out source sectors" option of skeleton images.

* Fixed an exception error that could occur when exporting stills from videos.

* Fixed an error that could occur when parsing PLists.

* Export of user search hits improved.

* Internet Explorer 10 web history extraction failed with an error message in some releases of v17.2. That was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 30, 2013 - 17:44:   

SR-10:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.2.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jan 25, 2014 - 15:10:   

SR-11:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.2. This is probably the last service release for v17.2.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 21:47:   

decode.dat files in SR-11 replaced to mitigate text decoding problems.

Forum operated by X-Ways Software Technology AG.