X-Ways Forensics 17.3

X-Ways User Forum » Public Announcements » X-Ways Forensics 17.3


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 6, 2013 - 0:09:   

A preview version of X-Ways Forensics 17.3 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Calendar mode now represents all timestamps from all 6 timestamp columns of the regular directory browser (instead of just 3) for all listed files (instead of only selected files). The darker the gray color in the calendar for a day, the more timestamps on that day. Hovering the mouse cursor over a day in the calendar tells you the number of timestamps that fall on that day. Left-clicking on a day sets that day as the left boundary for the combined timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day hones in on that particular day only. If the same file is listed more than once (which can happen in a search hit list if it contains more than 1 search hit), then its timestamps are also represented more than once in the calendar.

* For event lists, Calendar mode now shows the number of events on each day (all events that are currently listed) using different shades of gray (the darker, the more events on that day). That allows you to quickly figure out when there was most activity and when there was no activity. Hovering the mouse cursor over a day in the calendar tells you the number of events on that day. Left-clicking on a day sets that day as the left boundary for the event timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day filters for that particular day only.

* If the corresponding timestamp filter is active, years are printed in blue in Calendar mode to remind you of the filter. To turn off the filter as always click the blue filter symbol in the caption line of the directory browser.

* Event timestamps from FAT file systems are now output adequately. They are not translated to local time and do not show more precision than they actually have.

* Timestamps in the normal directory browser that meet the timestamp filter condition are now highlighted. Timestamps in an event list that are identical to the event timestamp are now also highlighted.

* Better support for high DPI settings in Windows (larger than 125, non-XP style scaling), display no longer blurred. Still settings in the 100-125 range are recommended.

* Ability to create report table associations for files based on search terms that they contain. Useful if you wish to keep the information about which file contains which search terms even after deleting search hits, or to preserve it in evidence file containers. Report tables representing contained search terms are the 3rd kind of report tables, the first two being report tables created by X-Ways Forensics to make the user aware of certain file specialities and user-created general purpose report tables. Report tables representing search terms are recognized in evidence file containers by v17.3 and later.

* Ability to automatically associate siblings of selected files with report tables. Useful for example when reviewing search hits, if you find a relevant search hit in the attachment of an e-mail message and want to be sure to include other attachments of the same e-mail message in further processing, even if they do not contain search hits.

* Gallery display accelerated and flickering avoided in certain situations.

* Gallery thumbnails remain visible when proceeding to the next page until replaced by the new thumbnails of the next page, and can usually still be double-clicked. Useful if you still spot a potentially relevant picture after having pressed Page Dn or rolled the mouse wheel too early.

* Progress shown in taskbar in Windows 7 and later.

* Relative progress displayed when indexing large files and in some other situations.

* Includes hardlinks of the same file in containers of the new file format even if they have the same name.

* When copying selected files to an evidence file container, reports how many files were selected in addition to the number of files that were actually copied, for reasons of convenience. If all selected files were copied, that will be pointed out by the word "all". Previously the number of selected files could only be seen in the selection statistics below the directory browser.

* New flag "W" (upper case) supported in "File Type Header Signatures Check Only.txt", which identifies header signatures that are too weak to newly detect the type of a file and are merely used to confirm the type suggested by the name extension of the file.

* X-Ways Forensics now remembers the sort criteria and the "Group files and directories" option separately
1) for the normal directory browser of a volume,
2) for the normal directory browser of a partitioned disk,
3) for search hit lists and
4) for event lists.

* Whole word searches now work for words in Western European languages in UTF-16 BE.

* The virtual "Free space" file is now shown in gray if the "net free space computation" option is active, as a reminder of the fact that it does not represent the entire free space when opened.

* Clickable offsets in the HTML representation of Windows .evtx event logs.

* The presence of a file named winhex.nouser in the installation directory forces a generic (not user-specific) configuration. Useful for example for portable use on an external USB hard disk, to avoid inadvertently using an existing user-specific configuration on the same system when executing X-Ways Forensics. For more information about storing configurations please see http://www.x-ways.net/winhex/setup.html.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Aug 9, 2013 - 18:46:   

Preview 2:

* Ability to open physical disks, partitions and volumes like a file, via File | Open or when selecting a source file for disk cloning, by clicking a new button labeled "Device..." in the file selection dialog. You can enter a device path such as
\\.\PhysicalDrive1 (for hard disk 1)
\\?\Volume{12345678-9abc-11a1-abcd-0123456789ab} (for a volume with that GUID)
\\.\C: (for a volume mounted as drive letter C: )

This new functionality allows you to open volumes that are not mounted as drive letters. To get an overview of volumes known to Windows, type "mountvol" in a command prompt window.

You can also try to open exotic devices supported by Windows such as tapes and changers (not tested).

Also this is how you can open alternate data streams whose path and name you know, which cannot be opened through the ordinary File | Open dialog, without opening the volume on which they reside.

Opening a hard disk as a file can be useful for example if you wish to clone that disk and if source and destination disk have different sector sizes (whether it makes sense in the first place to clone a hard disk despite the sector mismatch depends on the data). When treated as a file, there is no defined sector size and hence no possibility for a sector size mismatch.

Device files can also be interpreted as disks like images can.

* Excluded volume shadow copy host files are now ignored by the particularly thorough file system data structure search.

* Fixed instability when processing certain GIF pictures.

* Internal graphics viewing library for JPG, PNG, TIFF revised.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 15, 2013 - 22:11:   

Preview 3:

* Ability to change the user interface of X-Ways Forensics to that of X-Ways Imager, for evaluation purposes or when no other functionality is needed on an imaging workstation.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 21, 2013 - 21:35:   

Preview 4:

* The drive letters that correspond to the partitions on real physical disks (not images interpreted as disks) are now displayed by the partition number in the directory browser. Also you will see the partition size for a drive letter in the Open Disk dialog.

* Ability to specify the type of selected files yourself, via a new command in the directory browser context menu. Useful if you wish to identify types or subtypes in an individual way unknown to X-Ways Forensics, for example to be able to filter by these types later. How about categorizing TIFF pictures that are digitally stored faxes as type "fax"? Remember you can define your own file types in File Type Categories.txt.

* The title of the currently open case is now displayed in the main window caption.

* Some other minor improvements.

* Same fix level as v17.2 SR-7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 22, 2013 - 22:49:   

Preview 5:

* Support for Windows 8 .pf Prefetch files.

* Ability to add newly created images to the case and start refining their volume snapshot(s) automatically without further user interaction if the source disk had not been added to the case yet and if a case is open at that time.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Aug 24, 2013 - 18:05:   

Beta 1:

* Timestamps from 0x30 attributes in NTFS file systems are now output as events if actually different from their 0x10 counterparts and not identical to the 0x30 creation timestamp. They are marked as "0x30" in the Event Type column. Malware might give itself harmless looking timestamps after deployment, so that it does not seem to be related to the time of intrusion/infection. The 0x30 attribute timestamps, however, remain unaltered (except if the file is renamed or moved later), and that is the reason why some examiners are interested in them. If the time frame of intrusion/infection is known, related files would be found in the event list with v17.3 and later thanks to the original 0x30 attribute timestamps.

0x30 timestamps are marked in the event list with an asterisk if they are later than the corresponding 0x10 timestamps, which seems unnatural and in some rare cases might be the result of backdating by the rightful users of the computers themselves. Under certain circumstances, backdating documents is seen as fraudulent and illegal. However, much more commonly 0x10 timestamps predating 0x30 timestamps is just the work of installation programs or the result of copying a file or moving a file from one volume to another or extracting a file from a zip archive, where Windows or other programs artificially apply the original creation time of the source file to the destination once copying turns out to be successful (internal programmatic backdating).

If the checkbox "Provide file system level timestamps as events" is only half checked, timestamps in 0x30 attributes are ignored for event generation, which is faster.

* Years in the calendar with no timestamps are now grayed out. The number of a year is now displayed in a darker shade of gray the more timestamps are listed for that year. All shades of gray try to give the examiner a better and quicker impression of peaks or absence of activity.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 26, 2013 - 21:24:   

Beta 2:

* Ability to filter for mere times, matching any possible date. For example if you are interested in unusual activity occurring in the middle of the night when the rightful office computer user is not working, you could filter for times such as between 22:00:00 and 05:59:59 (on a 24-hour clock). Obviously, selecting the right local time zone for the timestamp filter is crucial for this.

* Shows the first extracted video still as a thumbnail in the case report to represent the video itself.

* Video still extraction is now completely silent.

* Estimates the total size of the resulting compressed .e01 image while creating it and updates the estimate continuously.
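The mere-time filter from the first item of this post, as an added Python example (not X-Ways code): the window 22:00:00 to 05:59:59 wraps past midnight, and the same UTC timestamps fall inside or outside it depending on the time zone chosen for the filter. The event list and the UTC+2 office zone are constructed.

```python
from datetime import datetime, time, timedelta, timezone


def in_time_window(ts_utc, tz, start, end):
    """True if the local wall-clock time of ts_utc lies within [start, end].
    A window whose end precedes its start (22:00:00 .. 05:59:59) wraps past midnight."""
    local_t = ts_utc.astimezone(tz).time()
    if start <= end:
        return start <= local_t <= end
    return local_t >= start or local_t <= end


def filter_by_time_of_day(events, tz, start, end):
    """Keep only the (timestamp, name) events whose local time is inside the window."""
    return [e for e in events if in_time_window(e[0], tz, start, end)]


# Constructed sample event list; timestamps are kept in UTC, as NTFS stores them.
SAMPLE_EVENTS = [
    (datetime(2013, 8, 5, 20, 30, 0, tzinfo=timezone.utc), "logon"),         # 22:30:00 at UTC+2
    (datetime(2013, 8, 5, 23, 15, 0, tzinfo=timezone.utc), "file copied"),   # 01:15:00 at UTC+2
    (datetime(2013, 8, 6, 4, 30, 0, tzinfo=timezone.utc), "file deleted"),   # 06:30:00 at UTC+2
    (datetime(2013, 8, 6, 7, 0, 0, tzinfo=timezone.utc), "logoff"),          # 09:00:00 at UTC+2
    (datetime(2013, 8, 6, 21, 59, 59, tzinfo=timezone.utc), "usb attached"), # 23:59:59 at UTC+2
]
NIGHT = (time(22, 0, 0), time(5, 59, 59))
OFFICE_TZ = timezone(timedelta(hours=2))  # assumed local zone of the examined machine (CEST)


def night_activity(tz=OFFICE_TZ):
    """Names of the sample events that fall into the night window in the given zone."""
    return [name for _, name in filter_by_time_of_day(SAMPLE_EVENTS, tz, *NIGHT)]


if __name__ == "__main__":
    print("UTC+2:", night_activity())             # logon, file copied, usb attached
    print("UTC:  ", night_activity(timezone.utc)) # file copied, file deleted
```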

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 28, 2013 - 11:07:   

Beta 3:

* Several fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 4, 2013 - 14:41:   

Beta 4:

* Omits modification and record update timestamps as events if identical to the corresponding creation timestamp, just as access timestamps already in previous versions.

* File type identification of and metadata extraction from JIDX (Java applet cache).

* File type verification generally updated.
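The event-generation rules stated in the Beta 1 post (0x30 timestamps emitted only where they differ from their 0x10 counterparts, the asterisk for a 0x30 timestamp later than the 0x10 one) together with the Beta 4 rule (0x10 modification and record update timestamps omitted when identical to creation), as an added Python example that is not X-Ways code. The attribute bodies are constructed; the timestamp layout is the standard NTFS one for $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30), and reading "not identical to the 0x30 creation timestamp" as applying to the three non-creation 0x30 timestamps is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMES = ("creation", "modification", "record update", "access")


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    td = dt - EPOCH_1601  # integer arithmetic so large tick counts stay exact
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_0x10(body):
    """$STANDARD_INFORMATION body: four FILETIMEs at offset 0 (C, M, MFT-M, A)."""
    return dict(zip(NAMES, map(filetime_to_dt, struct.unpack_from("<4Q", body, 0))))


def parse_0x30(body):
    """$FILE_NAME body: parent directory reference (8 bytes), then the same four FILETIMEs."""
    return dict(zip(NAMES, map(filetime_to_dt, struct.unpack_from("<4Q", body, 8))))


def timestamp_events(si, fn):
    """Return sorted (timestamp, event type) pairs for one file."""
    events = []
    # 0x10: creation always; the other three only if they differ from creation (Beta 4 rule).
    for name in NAMES:
        if name == "creation" or si[name] != si["creation"]:
            events.append((si[name], name))
    # 0x30: only if different from the 0x10 counterpart and, for M / MFT-M / A, not equal to the
    # 0x30 creation time (assumed reading). An asterisk marks a 0x30 timestamp that is later than
    # its 0x10 counterpart, the unnatural case the post says deserves a closer look.
    for name in NAMES:
        ts = fn[name]
        if ts == si[name] or (name != "creation" and ts == fn["creation"]):
            continue
        events.append((ts, "0x30 " + name + ("*" if ts > si[name] else "")))
    return sorted(events)


def _ft(*ymdhms):
    return dt_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))


# Constructed sample: a file whose 0x10 timestamps were all set back to 2010 after deployment,
# while its 0x30 timestamps still carry the real time it appeared on the volume.
SAMPLE_SI_BODY = struct.pack("<4Q", _ft(2010, 1, 1), _ft(2010, 1, 1), _ft(2010, 1, 1), _ft(2010, 1, 1))
SAMPLE_FN_BODY = struct.pack("<Q", 5) + struct.pack(  # parent reference, then C, M, MFT-M, A
    "<4Q", _ft(2013, 8, 1, 10, 0, 0), _ft(2013, 8, 1, 10, 0, 0),
    _ft(2013, 8, 1, 10, 0, 5), _ft(2013, 8, 1, 10, 0, 0))


def sample_events():
    return timestamp_events(parse_0x10(SAMPLE_SI_BODY), parse_0x30(SAMPLE_FN_BODY))


if __name__ == "__main__":
    for ts, kind in sample_events():
        print(ts.isoformat(), kind)
```

Only three events survive for the sample file: the backdated 0x10 creation, and the two 0x30 timestamps that differ from it, both flagged with an asterisk because they postdate their 0x10 counterparts.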

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 10, 2013 - 12:56:   

Beta 5:

* More events are now generated from internal file contents: Internal creation in various file formats, last saved in Office documents and RTF, boot time from ETL (event trace log) files, attach timestamps from EDB, signing date from EXE/DLL/SYS/..., Exif timestamps in photos.

* Warns users who try to interpret the .001 segment of a split raw image when a segment named .000 exists. Users need to know that they have to specify the first segment when interpreting split images or adding them to a case.

* Same fix level as v17.2 SR-9.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 12, 2013 - 8:33:   

v17.3 was just released. Additional improvements since Beta 5:

* .evt event logs supported as a source of events.

* Improved recognition of original names of files embedded in .mht files.

* Extraction from .mht files did not work in recent releases of v17.2. That was fixed.

* User manual and program help updated.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 12, 2013 - 13:50:   

SR-1:

* Support for more event types in .evtx event logs.

* Fixed an exception error that could occur when embedding attachments in .eml files as Base64 code.

* Fixed an error in the Edit | Convert | Base64 -> Binary function.

* Avoided unnecessary error messages that could occur when generating events based on 0x30 timestamps.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 17, 2013 - 12:58:   

SR-2:

* Some collisions of report table shortcuts resolved.

* Improved identification of .emlx files.

* Avoided a rare exception error when getting out of Calendar mode.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Sep 20, 2013 - 12:53:   

SR-3:

* Fixed an exception error that could occur when extracting 0x30 timestamps of certain previously existing files as events.

* Fixed an exception error that could occur when processing certain file archives.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 26, 2013 - 22:07:   

SR-4:

* Tools | Disk Tools | Initialize MFT Records did not work when using WinHex in languages other than Western European ones. That was fixed.

* Prefetch file viewing and metadata extraction support was not active in SR-3. That was fixed.

* Some special code pages were not offered for selection in all functions related to code pages in SR-3. That was fixed.

* Some pictures were not checked for their amount of skin colors in v17.3, resulting in "?" in the SC% column. That was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 2, 2013 - 22:37:   

SR-5:

* Fixed an exception error that occurred in v17.3 under Windows PE/FE when starting operations with a progress bar.

* Fixed some rare exception errors.

* Improved processing of volume shadow copies.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 14, 2013 - 22:17:   

SR-6:

* The alternative e-mail presentation in the report now works even if not selected also for Preview mode, as it should.

* Fixed text decoding option in the new indexing engine.

* Fixed inability of v17.2 and v17.3 to open objects internally marked as alternate data streams in evidence file containers.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 30, 2013 - 17:46:   

SR-7:

* v17.2 and v17.3 did not save comments in a volume snapshot when the evidence object was closed if nothing else was changed in the volume snapshot. That was fixed.

* Fixed a stability error that could occur when processing certain .evtx files.

* Fixed two errors that could occur when processing EDB database files.

* Fixed an error in the "Embed pictures in HTML as inline code" option in the 64-bit edition of X-Ways Forensics.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 5, 2013 - 2:00:   

SR-8:

* Fixed an error that could occur when opening files in certain GZ archives.

* Fixed a timestamp filter problem that for time zones with daylight saving sometimes erroneously rejected a certain end date and time as invalid.

* No potentially misleading hit count is displayed any more for unselected search terms when using the "List 1 hit per file only" option.

* Verification after imaging was reported to take 0:00 minutes in v17.3. That was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 7, 2013 - 19:19:   

SR-9:

* Fixed an infinite loop that could occur in SR-8 when reading from certain file archives.

* Enhanced stability when processing SQLite databases.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 2, 2013 - 10:46:   

SR-10:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jan 25, 2014 - 15:10:   

SR-11:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.3. This is perhaps the last service release for v17.3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 22, 2014 - 11:42:   

SR-12:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.3. This is the last service release for v17.3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 21:47:   

decode.dat files in SR-12 replaced to mitigate text decoding problems.

Forum operated by X-Ways Software Technology AG.