X-Ways Forensics 17.4

X-Ways User Forum » Public Announcements » X-Ways Forensics 17.4


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 6, 2013 - 22:01:   

A preview version of X-Ways Forensics 17.4 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Ability to freely carve any kind of file within any kind of file, not just those marked with the "e" flag, with a second sub-operation of "Uncover embedded data in certain file types". Use great caution to avoid delays and copious amounts of garbage files (false positives) and duplicates.

Signatures marked with the "E" flag (upper case) are never carved within other files, to prevent the worst effects, for example MPEG frames carved within MPEG videos, zip records carved within zip archives, .eml, .html and .mbox files carved within e-mail archives, .hbin registry fragments carved within registry hives. If you know what you are doing, of course you could remove the E flag.

Please apply this new function very carefully and only with a good reason to specifically targeted files only, such as swap files or storage files in which backup applications concatenate other files without compression, not blindly to all files or random files. Remember, with great power comes great responsibility.

There is an option to apply the carving procedure recursively, that is, to files again that were already carved within other files. This can lead to many duplicates if the outer file at level 1 is carved too big, so that files can be carved in it that were also carved at level 0 (the original file).

For situations where you want to carve embedded files that are not aligned at 512-byte boundaries in the original file, you may make use of the extensive byte-level option. In such a case one of the biggest mistakes to make would be to carve at the byte level in $MFT, which typically contains many small files with resident storage, but which of course is fully processed already when taking the volume snapshot. Hence the option to always exclude $MFT at least.

* Uncovering embedded data in various files based on byte-level file carving with the "e" flag is no longer limited to file types with a tilde ("~") method.

* NEAR combination of search hits is now available for more than 2 selected search terms. The effect is that a search hit is listed only if *any* of the other selected search terms occurs nearby.

* .evtx event log preview shows the username, old time and new time for system time changes.

* New investigator.ini option +51 prevents listing of excluded items (opposite of +31). Useful to intentionally keep users of X-Ways Investigator from seeing certain files.

* Greatly accelerated loading of large registry hives into the registry viewer.

* Support for .e01 evidence file with an exotic internal chunk size of more than 0.5 MB as apparently used by default by Wiebetech Ditto devices. (Note that the standard size is 32 KB).

* Improved support for volume shadow snapshot properties files of Windows 8.1.

* No longer loses the block definition when switching from Partition to File mode and back.

* The directory browser column "Internal creation" is now called "Content creation".

* Italian translation updated.

* Several minor improvements.
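The carving knobs described in the post above (sector vs. byte alignment, the "e"/"E" flags, recursion into carved files, the duplicates an oversized outer file produces, and the $MFT exclusion) can be modelled in a few dozen lines. The following is an added example, not X-Ways code: the signature table, the reading of the "E" flag as "carved from the evidence file itself but never from inside another carved file", the fixed 2 KiB carve size and the sample "swap file" are all constructed assumptions.

```python
# Added example (not X-Ways code): a toy embedded-file carver that models
# sector vs. byte alignment, "e"/"E" flags, recursion and duplicate hits.
# Signature table, flag semantics, carve size and sample data are assumed.

SECTOR = 512
MAX_CARVE = 2048                    # crude size heuristic: carve up to this many bytes
EXCLUDE_AT_BYTE_LEVEL = {"$MFT"}    # resident data there is already in the snapshot

# (type, magic, flag). "e": may be carved anywhere, including inside carved files.
# "E": carved from the evidence file (level 0) but never from inside another
# carved file, to avoid zip-in-zip style garbage (assumed reading of the post).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff\xe0", "e"),
    ("png", b"\x89PNG\r\n\x1a\n", "e"),
    ("zip", b"PK\x03\x04", "E"),
]


def find_headers(data, level, byte_level):
    """Yield (offset, type) for every signature hit, stepping by sector or byte.
    Inside a carved file (level > 0) offset 0 is its own header, so skip it."""
    step = 1 if byte_level else SECTOR
    start = 0 if level == 0 else step
    for off in range(start, len(data), step):
        for name, magic, flag in SIGNATURES:
            if flag == "E" and level > 0:
                continue
            if data.startswith(magic, off):
                yield off, name
                break


def carve(data, base=0, level=0, byte_level=False, recursive=False, max_level=1):
    """Return [(level, type, absolute_offset, size)] for data starting at
    absolute offset `base`. With recursive=True, carved files are carved again."""
    found = []
    for off, name in find_headers(data, level, byte_level):
        blob = data[off:off + MAX_CARVE]
        found.append((level, name, base + off, len(blob)))
        if recursive and level < max_level:
            found.extend(carve(blob, base + off, level + 1, byte_level, recursive, max_level))
    return found


def dedupe(hits):
    """Split hits into unique and duplicate by (type, absolute offset), keeping the
    lowest carving level; recursion on an oversized outer file produces the dupes."""
    seen, unique, dupes = set(), [], []
    for hit in sorted(hits, key=lambda h: h[0]):
        key = (hit[1], hit[2])
        (dupes if key in seen else unique).append(hit)
        seen.add(key)
    return unique, dupes


def carve_evidence(files, **kw):
    """Carve every file of a {name: bytes} snapshot, honouring the $MFT exclusion
    when carving at byte level."""
    out = {}
    for name, data in files.items():
        if kw.get("byte_level") and name in EXCLUDE_AT_BYTE_LEVEL:
            continue
        out[name] = carve(data, **kw)
    return out


def sample_image():
    """Constructed 4 KiB 'swap file': three sector-aligned headers plus one JPEG
    header at the unaligned offset 0x7A0 that only byte-level carving sees."""
    img = bytearray(b"A" * 4096)
    img[0x200:0x204] = b"\xff\xd8\xff\xe0"
    img[0x400:0x408] = b"\x89PNG\r\n\x1a\n"
    img[0x600:0x604] = b"PK\x03\x04"
    img[0x7A0:0x7A4] = b"\xff\xd8\xff\xe0"
    return bytes(img)


if __name__ == "__main__":
    img = sample_image()
    print("sector-aligned:", carve(img))
    print("byte-level:    ", carve(img, byte_level=True))
    uniq, dup = dedupe(carve(img, recursive=True))
    print("recursive, unique:", uniq)
    print("recursive, dupes: ", dup)
    print("byte-level over snapshot:", list(carve_evidence({"pagefile.sys": img, "$MFT": img}, byte_level=True)))
```

Running it shows the three effects the post warns about: the byte-level pass finds a fourth header the sector-aligned pass misses, the recursive pass re-finds the PNG inside the oversized JPEG (and the zip is never carved at level 1 because of its "E" flag), and $MFT is skipped entirely at byte level.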

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 8, 2013 - 18:04:   

Preview 2:

* Ability to conveniently run non-GREP index searches for search terms that contain space characters, just like conventional searches. This is very important for names (e.g. "John Doe" or "XYZ Technology Ltd") and spaced compound words (e.g. "bank account" or "credit card limit"). New index only.

This works even if the individual components of the compound already exceed the maximum word length that was indexed (by default 7 characters), so that you will have no trouble finding "basketball positions" (10+9 letters) or "skyscraper architecture" (10+12 letters). Just as always the components are only matched up to the length that was indexed, which is not a big problem because there are not many words other than "basketball" and "skyscraper" that start with "basketb" or "skyscra", respectively.

In fact the spaces in the search terms match unindexed word delimiters other than spaces as well, such as hyphens, so you will also find "Spider-Man" and "freeze-dried" when searching for "spider man" and "freeze dried", or underscores as in "bank_account" (think of a filename like "bank_account.html") or plus signs as in "credit+card" (e.g. common in Google search URLs when searching for more than 1 word). So in that respect index searches are now even more powerful than conventional searches.

At least now defining spaces as being part of words is a big no-no.

* Support for Windows.edb of Windows 8.1.

* Greatly improved ability to repair inconsistent EDB databases. Several changes and fixes which improve reliability when processing EDB databases in general.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 10, 2013 - 21:08:   

Preview 3:

* When taking a volume snapshot, symbolic links are now connected to their targets in the volume snapshot as so-called related files, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also one of potentially several symlinks pointing to a certain target will become the related file of the target, so that you can conveniently navigate to the symlink or quickly see in the first place that one or more symlinks exist that point to a certain target, since any file that has a "related" file in the volume snapshot is marked with a tiny blue arrow next to its icon. Also the same arrow will tell you whether the target of a symlink can actually be found in the file system. If a symlink links to other symlinks, those are not recursively linked. If resolving symlinks takes too long because there are many symlinks in a volume, you may safely abort that step at any time.

* A secondary tooltip now appears for files with a "related" file when hovering the mouse cursor over the icon, which tells you the path and name of that related file, for example the target of a symbolic link.

* A filter for event descriptions is now available.

* Improved tooltips in Calendar mode.

* Improved ability to write certain sectors on drive letters.

* New X-Tensions API function XWF_GetVSProp introduced.

* Support for Unicode characters in template filenames.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 14, 2013 - 22:17:   

Preview 4:

* When in Calendar mode and not showing events, you can now select which column's timestamp should be included in the calendar. Columns that are hidden (have a width of 0 pixels) are excluded, all other columns are included. The status bar reminds you which columns are included even if not currently visible because of horizontal scrolling.

* It is now possible to store the hash values of files in evidence file containers even when including only metadata of the files, as long as the hash values of the files have been computed already and stored in the volume snapshot.

* Ability to filter for duplicates of files in X-Ways Investigator, by right-clicking a given file in the directory browser with an available hash value. Actually filters for that hash value. As in previous versions, the actual hash values are not displayed in X-Ways Investigator. The same command is also used in X-Ways Forensics and supersedes the "Filter by [hash value]" command that required right-clicking the cell with the hash value.

* When taking a snapshot of volumes with Windows installations, certain reparse points (a.k.a. junction points) are now connected to their targets in the volume snapshot just like symlinks in Unix-based file systems, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also there will be a back-reference to one reparse point, so that you can conveniently navigate to that reparse point or quickly see in the first place that one or more reparse points exist that link to a certain directory, since any directory that has a "related" directory in the volume snapshot is marked with a tiny blue arrow next to its icon. Forensic license only. Reparse points that do not get connected with their target directories will still show a comment that advises you of the target path as in earlier versions of X-Ways Forensics.

* For reparse points in NTFS, File mode now shows the reparse point target information instead of the directory's empty index root.

* Improved support for thumbcaches in Windows 8 and Windows 8.1.

* New Venezuela time zone defined.

* Acoustic signals before shutdowns (e.g. after imaging or volume snapshot refinement) to give users a better chance to abort it if they have changed their mind.

* Separate file type category for spreadsheets.

* More timestamps extracted from Prefetch files.

* Same fix level as v17.3 SR-6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 17, 2013 - 21:27:   

Beta 1:

* For large JPEG, PNG, GIF and TIFF files, at the same time when analyzing the colors in the pictures during volume snapshot refinement, X-Ways Forensics can now optionally also create thumbnails in advance for much quicker display updates in Gallery mode later. Internal thumbnails are only created if no original thumbnails are embedded in the files and extracted at the same time, and they are actually utilized for the gallery only if auxiliary thumbnails are enabled (see Options | General).

(To discard all internal thumbnails, but keep the computed skin color percentages, you may delete the file "Secondary 1" in the "_" subdirectory of an evidence object behind X-Ways Forensics' back, when the evidence object is not currently open.)

* X-Ways Forensics now outputs all entries in .evtx event log files as events. Most of these events now come with a description that includes the event source, the event ID and the record number. The record number allows you to quickly search for the record in the HTML preview if you need further details about that particular event.

* Some minor improvements.

* Some fixes of errors in the Preview releases.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 20, 2013 - 22:06:   

Beta 2:

* Improved representation of videos with extracted stills in the gallery, showing all stills in a loop, to give a much more complete impression of the contents of videos without further user interaction (without having to explore them).

An alternative efficient way to review a large number of videos now seems to be this: Explore recursively, filter for videos, sort in descending order by number of child objects (so that videos with a similar number of stills are shown together), and activate Gallery mode. Watch the various video stills for each video. Proceed to the next gallery page when you are confident that no incriminating videos are represented on the current page, for example when all stills have been shown, which you will know is the case when the gallery has rotated back to the first still for each video.

"Allow auxiliary thumbnails" is now a 3-state checkbox. To disable the new representation of videos described above, you can half-check that box.

* X-Ways Forensics now by default extracts embedded JPEG thumbnails from .cr2 raw files. The first extracted thumbnail becomes the preview and gallery representation of a .cr2 raw file.

* Extraction of MS Windows operating system update events from DataStore.edb.

* Minor fixes and improvements for EDB and SQLite database extraction.

* Reduced memory consumption of the registry viewer.

* New file type category "Page Layout".

* New file types in the ZIP and XML families defined.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 1, 2013 - 16:09:   

Beta 3:

* Block-wise hashing may allow you to identify complete or incomplete remnants of known notable files that are still floating around in free drive space even if they were fragmented and the location of the fragments is unknown, to show with some or very high certainty that these files once existed on that medium.

Most suitable for selected notable files larger than a few sectors, files that are ideally compressed or at least not only sparsely populated with non-zero data and do not contain otherwise trivial combinations of byte values that occur frequently. Good examples are zip-styled Office documents, pictures and video files. Very trivial blocks within a file that consist of mostly just 1 byte value are ignored and not hashed (the same already when creating the hash set). For quicker matching, ideally work with a small hash database and do not select a hash type stronger than MD5.

Hash sets of block hashes can be created or imported in the same way as ordinary hash sets, but are handled by a separate hash database, which internally is stored in a subdirectory of the main hash database directory. You can create hash sets consisting of the block hashes of 1 file at a time, or combined hash sets of multiple selected files. The block size is currently always 512 bytes and might be user-definable in a future version.

Block hash matches may be found as part of volume snapshot refinements. The hash values are computed when reading from the evidence object sector-wise, and that happens at the same time when running a file header signature search if selected, to avoid unnecessary duplicated I/O, with the same sector scope. Matches are returned as a special kind of search hits. Multiple matches for contiguous blocks are more meaningful than isolated individual matches, as they are even less likely the result of some coincidence, and they are usually combined in a single hit. The size of all such hits is shown when listing search hits. The larger the size, the higher the evidentiary value of the match. Please note that X-Ways Forensics does not verify itself that contiguous matching blocks are in the same order as in the original file(s), but that can be verified manually, and for data that is as unique as compressed data that is most likely the case.

* The View window that displays a picture, if it already exists and is limited to one such window, will be updated when you press the cursor keys in the gallery. Useful especially if the View window is centered on the second monitor while the gallery is on the first monitor, on a spanned desktop. Avoids having to press the Enter key to view the picture and another key to close the View window to get the input focus back to the gallery.

* Same fix level as v17.3 SR-7.
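The block hashing scheme described in Beta 3 (512-byte blocks hashed with MD5, trivial blocks skipped both when building the set and when scanning, sector-wise matching, adjacent matches merged into one hit whose size reflects its evidentiary weight) is shown below in an added example that is not X-Ways code. It also performs the one check the post says the tool leaves to the examiner: whether the blocks of a merged hit appear in the same order as in the original file. The 90 % single-byte threshold for "trivial", the function names and the constructed notable file and disk image are assumptions of this example.

```python
# Added example (not X-Ways code): 512-byte block hashing of known files,
# sector-wise matching in an image, merging of adjacent matches and an
# order check on each merged hit. Threshold and sample data are assumed.
import hashlib
import random
from collections import Counter

SECTOR = 512


def is_trivial(block, threshold=0.9):
    """True for blocks dominated by one byte value (zero fill, 0xFF padding).
    Such blocks occur everywhere, so they are neither hashed into the set nor
    counted as matches. The 90 % threshold is an assumption of this example."""
    return Counter(block).most_common(1)[0][1] >= threshold * len(block)


def block_hash_set(known_files):
    """{md5_digest: (file_name, block_index)} over every full 512-byte block of
    each known notable file, skipping trivial blocks and a trailing partial block."""
    hs = {}
    for name, data in known_files.items():
        for idx in range(len(data) // SECTOR):
            blk = data[idx * SECTOR:(idx + 1) * SECTOR]
            if not is_trivial(blk):
                hs.setdefault(hashlib.md5(blk).digest(), (name, idx))
    return hs


def scan(evidence, hs):
    """Hash the evidence sector by sector; return [(sector, file_name, block_index)]."""
    matches = []
    for sec in range(len(evidence) // SECTOR):
        blk = evidence[sec * SECTOR:(sec + 1) * SECTOR]
        if is_trivial(blk):
            continue
        hit = hs.get(hashlib.md5(blk).digest())
        if hit:
            matches.append((sec, hit[0], hit[1]))
    return matches


def combine(matches):
    """Merge adjacent matching sectors of the same file into one hit:
    (first_sector, file_name, [block indices], size_bytes, in_order).
    in_order is the manual check from the post: blocks in original order?"""
    runs = []
    for sec, name, idx in matches:
        if runs and runs[-1][1] == name and runs[-1][0] + len(runs[-1][2]) == sec:
            runs[-1][2].append(idx)
        else:
            runs.append([sec, name, [idx]])
    return [(sec, name, b, len(b) * SECTOR, all(b[i + 1] == b[i] + 1 for i in range(len(b) - 1)))
            for sec, name, b in runs]


def coverage(matches, hs):
    """Fraction of each known file's hashed blocks seen at least once in the image."""
    total = Counter(name for name, _ in hs.values())
    seen = Counter(name for name, _ in {(m[1], m[2]) for m in matches})
    return {name: seen[name] / total[name] for name in total}


def sample():
    """Constructed data: an 8-block 'notable' file of random bytes with one all-zero
    block, scattered as fragments (one of them out of order) over a zeroed 32 KiB image."""
    rng = random.Random(1)
    rand = lambda n: bytes(rng.randrange(256) for _ in range(n))
    blocks = [rand(SECTOR) for _ in range(8)]
    blocks[6] = bytes(SECTOR)                   # trivial block inside the known file
    img = bytearray(64 * SECTOR)
    for sec, idx in [(10, 0), (11, 1), (12, 2), (30, 4), (31, 5), (32, 6), (33, 7), (40, 3), (41, 2)]:
        img[sec * SECTOR:(sec + 1) * SECTOR] = blocks[idx]
    img[50 * SECTOR:51 * SECTOR] = rand(SECTOR)  # unrelated non-trivial sector
    return {"notable.docx": b"".join(blocks)}, bytes(img)


if __name__ == "__main__":
    known, img = sample()
    hs = block_hash_set(known)
    m = scan(img, hs)
    for hit in combine(m):
        print(hit)
    print("coverage:", coverage(m, hs))
```

The zero block inside the known file splits the second fragment into two hits (sectors 30-31 and 33), since trivial blocks are neither hashed nor matched; the fragment at sectors 40-41 merges into one 1024-byte hit but fails the order check because block 3 precedes block 2 there. Coverage reports that all seven hashed blocks were seen somewhere, i.e. a complete remnant.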

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 3, 2013 - 20:05:   

Beta 4:

* Improved detection and omission of certain trivial sequences of byte values in files that unsuspecting users may try to create a block hash set of.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 4, 2013 - 15:42:   

(The download and forum password has changed. The latest password can be retrieved as always from http://www.x-ways.net/winhex/license.html.)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 7, 2013 - 19:19:   

Beta 5:

* Chinese translation of the user interface updated.

* The non-forensic version of WinHex did not write the hash value of created raw images into the text file. That will be fixed with v17.4.

* Some new file type signature definitions.

* Prevents a crash that could occur in the 64-bit edition under Windows 8 when running the encryption test.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 8, 2013 - 7:18:   

Beta 6:

* Some fixes for block hash matching.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 11, 2013 - 6:24:   

Beta 7:

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 13, 2013 - 17:01:   

v17.4 was just released. User manual and program help were updated.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 14, 2013 - 21:07:   

SR-1:

* Works again with the old version of MPlayer.

* Fixed an error that could occur in the Attr. filter for special files in Unix/Linux file systems.

* Fixed hanging after volume snapshot refinements if the error "Parent of ... undefined" occurred.

* Quicker EDB file subtype identification.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 18, 2013 - 18:38:   

SR-2:

* When the gallery dynamically shows the stills of a video in a loop, you may now press Esc to stop the animation, + to accelerate and resume the animation, and - to slow down and resume it.

* Fixed an error that could stop the gallery from working.

* Fixed an error that occurred when exporting hash sets from the block hash database.

* Fixed some truncated descriptions for events collected from SQLite database in the 64-bit edition.

* Proper timezone adjustment of event timestamps from SQLite databases.

* Potentially fixed an error that could occur on some computers when closing data windows after cloning with the "copy entire medium" setting.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 25, 2013 - 13:42:   

SR-3:

* Fixed an error that could occur when using the gallery.

* Prevented output of some unnecessary messages when taking snapshots of Ext4 volumes.

* If the Help | Dongle dialog informs you that a new activation code is required for v17.5, please request it from X-Ways.

* Fixed a skeleton image verification error that could occur in certain situations.

* Fixed an exception error that could occur during index searches in v17.4.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 2, 2013 - 10:47:   

SR-4:

* Fixed an error that could cause the gallery to not be fully populated in certain situations.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 11, 2013 - 6:29:   

SR-5:

* v17.4 SR-2 and later did not close the case root window when closing a case, which triggered errors. That was fixed.

* The gallery was not updated in v17.4 when sorting the directory browser. That was fixed.

* Fixed instability of the 64-bit edition with certain EDB database files.

* Child objects that have been viewed no longer propagate this status to a parent file.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 8, 2014 - 16:53:   

SR-6:

* Fixed an exception error that could occur when filling evidence file containers in v17.3 and v17.4.

* Fixed an exception error that could occur when resolving symlinks in the 64-bit edition of v17.4.

* Fixed a recurring delay that could occur on volumes with a lot of clusters when reviewing search hits in free space for which only a logical/relative offset is known (index search hits).

* Fixed inability of v17.4 to process Windows.edb databases of Windows 7 under Windows 8 and Windows 8.1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jan 25, 2014 - 15:10:   

SR-7:

* Ability to create evidence file containers of the new type larger than 4 TB correctly. Fix also contained in v17.3 SR-11, v17.2 SR-11, and v17.1 SR-11.

* Fixed an error in the Copy Sparse function.

* The gallery was not updated in v17.4 when excluding files. That was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 22, 2014 - 11:42:   

SR-8:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.4.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 15, 2014 - 22:08:   

SR-9:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.4. This is probably the last service release for v17.4.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 21:51:   

decode.dat files in SR-9 replaced to mitigate text decoding problems.

Forum operated by X-Ways Software Technology AG.