X-Ways User Forum, Public Announcements: X-Ways Forensics 17.5

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 4, 2013 - 14:33:   

A preview version of X-Ways Forensics 17.5 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Extended multi-user support for large cases. Useful when multiple examiners process the same case at different times or different evidence objects of the same case at the same time, and wish to tell apart their own results from their colleagues' results. Report table associations, comments and search terms/hits of different examiners can optionally be distinguished, by showing the creating examiner's initials (default) or other abbreviations of their names or (if no abbreviation is specified) their complete usernames. The same file can be associated with the same report table only by 1 examiner.

Examiners can choose whether or not they get to see report table associations of other users. All related options can be found by clicking the "..." button for the extended multi-user support. Extended multi-user support can only be enabled for new cases, in the case properties dialog window. Older versions cannot open cases with support enabled. Examiners are recognized internally by their Windows user accounts. A maximum of 255 examiners is supported per case.

* Ability to review the processing history of a case in its properties, which reveals which versions were used on it (recorded only by v17.3 SR-10 and later, v17.4 SR-4 and later and v17.5 and later) and by which users (recorded only by v17.5 and later, even without extended multi-user support).

* The existence of extended attributes for files in NTFS ($EA attributes) is now revealed in the Attr. column in newly taken volume snapshots, and you can filter for the presence of such attributes. Useful to detect certain malware as seen in recent high-profile cases.

* Considerably improved treatment of hard-linked files in HFS+. Resolving hard links is now much faster and more thorough in current HFS+ volumes that heavily use hard links because of Time Machine. Hard links to directories and resource-only files are now also resolved. The hard link count is accurately represented. All hard links except for 1 are optionally omitted from logical searches, just as in NTFS, to avoid excessive duplication of data to be searched and duplication of search hits. Hard links that are ignored are identified by a grayed out hard-link count (no longer by an asterisk as in previous versions). Additionally, iNode files (indirect node files) that got connected with the hard links that reference them as so-called "related items" in the volume snapshot are omitted. Should the hard-link count of an iNode file not be grayed out, that indicates an orphaned iNode file (one that is not referenced by any hard-linked file, at least not in the volume snapshot). Comments are no longer used for hard-linked files in HFS+.

* The names of the authors of documents of various types (DOC, XLS, PPT, RTF, PDF, more in future releases) are now output in a new column named "Author" after metadata extraction.

* The page count is now extracted from PDF and some Office file types (more in future releases) as part of metadata extraction and shown in a new column.

* Extraction of pictures that are embedded as Base64 in VCF files (electronic business cards).

* Option to create report table associations for files that were successfully added to a skeleton image using the directory browser context menu command.

* Extraction of events from Unix/Linux/Macintosh system logs. These events are of practical significance especially for USB device history examinations.

* File type identification of MMAP, IDML, INCX, EDX, ENML, NBI.

* Sorting and filtering by comments and extracted metadata greatly accelerated for huge volume snapshots in which a huge number of files have comments or extracted metadata.

* Sorting by certain directory browser columns such as owner, author, sender, recipients, report tables, comments, extracted metadata, search terms, hash set is now more user-friendly, in that items with blanks (i.e. unknown owner, unknown author, no report table associations, no comments, ...) are listed last, not first. Also, the default sort order of the hash category column is now descending.

* Improved detection of non-standard LVM2 container partitions.

* Several minor improvements.

* Same fix level as v17.4 SR-4.
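The $EA presence check from the NTFS item above, as an added example that is not part of the original post or of X-Ways Forensics: it walks the attribute headers of a constructed NTFS MFT record (fixups assumed already applied) and reports whether an $EA_INFORMATION (0xD0) or $EA (0xE0) attribute is present, the same condition the new Attr. column surfaces. The record builder and sample contents are constructed for the demo.

```python
"""Detect NTFS extended attributes ($EA) by walking the attributes of an MFT record.

Added example, not X-Ways code. An $EA_INFORMATION (0xD0) or $EA (0xE0) attribute in
the file's MFT FILE record is what the Attr. column surfaces. Offsets follow the public
NTFS record layout; the record is assumed to have its update-sequence fixups applied.
"""
import struct

ATTR_NAMES = {
    0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
    0xD0: "$EA_INFORMATION", 0xE0: "$EA",
}
EA_TYPES = {0xD0, 0xE0}
END_MARKER = 0xFFFFFFFF


def parse_attribute_types(record: bytes) -> list[int]:
    """Return the attribute type codes present in one MFT FILE record, in order."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    first_attr = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    used_size = struct.unpack_from("<I", record, 0x18)[0]   # bytes in use in the record
    types, off = [], first_attr
    while off + 8 <= min(used_size, len(record)):
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == END_MARKER:
            break
        if attr_len < 0x18 or attr_len % 8:  # corrupt header: stop, don't loop forever
            break
        types.append(attr_type)
        off += attr_len
    return types


def has_extended_attributes(record: bytes) -> bool:
    """True if the record carries $EA_INFORMATION or $EA, i.e. the file has EAs."""
    return bool(EA_TYPES & set(parse_attribute_types(record)))


def _resident_attr(attr_type: int, content: bytes, attr_id: int) -> bytes:
    """Build one resident, unnamed attribute: 24-byte header + content, 8-byte aligned."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0x18, 0, attr_id,
                      len(content), 0x18, 0, 0)
    return (hdr + content).ljust(length, b"\0")


def _build_record(attrs: list[bytes], hard_links: int = 1) -> bytes:
    """Constructed 1024-byte MFT record for the demo (fixup array left empty)."""
    first_attr = 0x38
    body = b"".join(attrs) + struct.pack("<I", END_MARKER) + b"\0" * 4
    header = bytearray(first_attr)
    header[0:4] = b"FILE"
    # usa offset/count, LSN, sequence no., hard links, first attr, flags, used, allocated
    struct.pack_into("<HHQHHHHII", header, 4, 0x30, 3, 0, 1, hard_links,
                     first_attr, 1, first_attr + len(body), 1024)
    return (bytes(header) + body).ljust(1024, b"\0")


def demo() -> dict[str, tuple[list[str], bool]]:
    """Two constructed records: a plain file and one carrying extended attributes."""
    std_info = _resident_attr(0x10, b"\0" * 0x48, 0)
    file_name = _resident_attr(0x30, b"\0" * 0x40 + bytes([5, 1]) + "a.txt".encode("utf-16-le"), 1)
    data = _resident_attr(0x80, b"hello", 2)
    ea_info = _resident_attr(0xD0, struct.pack("<HHI", 0x14, 1, 0x1C), 3)  # packed/need/unpacked
    ea = _resident_attr(0xE0, b"\0" * 0x1C, 4)
    records = {"plain": _build_record([std_info, file_name, data]),
               "with_ea": _build_record([std_info, file_name, ea_info, ea, data])}
    return {k: ([ATTR_NAMES.get(t, hex(t)) for t in parse_attribute_types(r)],
                has_extended_attributes(r)) for k, r in records.items()}
```

On a real image the same walk is applied to each fixup-corrected record of $MFT; the attribute-type list is also what lets a reviewer filter for EA-bearing files as the post describes.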

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 6, 2013 - 21:10:   

v17.5 Preview 2:

* Fixed an error with comments and extracted metadata in v17.5 Preview.

* File type definitions updated.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 12, 2013 - 6:18:   

v17.5 Preview no longer downloadable until the next preview release is ready.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 15, 2013 - 22:32:   

Preview 3:

* All cases opened with v17.5 Preview 3 and later now have extended multi-user support, where X-Ways Forensics distinguishes between different examiners working with the same case at different times or at the same time. Cases opened with v17.5 Preview 3 and later cannot be opened any more with earlier releases/versions.

* It is now possible for multiple users to open the same evidence objects in the same case simultaneously for examination. By same case we mean the same case file, not a copy. X-Ways Forensics is responsible for synchronizing report table associations, comments and additions of files to the volume snapshot, and for preventing and making users aware of access conflicts before they occur.

* X-Ways Forensics now remembers the "tagged", "already viewed" and "excluded" status of files separately for each examiner. You can choose to adopt the "already viewed" status of files in volume snapshots from all other examiners when opening evidence objects, if the goal is to avoid duplicate work and if you are not interested in reviewing files that were reviewed by any of your colleagues already. Individual statuses and search hits of other users are lost if one examiner removes items from the volume snapshot.

* Search hits and keywords are now stored on a per-user basis as well. The first examiner opening an older case with v17.5 or later will absorb the search hits and keywords stored in the case by v17.4 or earlier. In some future release it should be possible to import other examiners' search hits.

* If the same user wishes to open the same case (the same copy) in more than one session simultaneously, that user has 3 options. Either the entire case is opened as read-only, OR the user is responsible for opening evidence objects that are open in one session already as read-only in the other session to avoid conflicts, OR the user opens the case as a separate, fictitious user (called "alter ego") with separate file statuses, search hits, report table associations etc. If the latter option is selected, shared use of the case is coordinated by X-Ways Forensics exactly as if the alter ego was a real, different examiner, even though the username is the same. The maximum number of users for a case, including any alter egos, is 255.

* The new "Options..." checkbox when opening a case allows you to open a case in any of the three modes known from earlier versions: Entire case read-only (case file and volume snapshots), cooperative analysis mode (ability to produce report table associations, comments, search hits, and virtual files; tag files; remember already viewed files, exclude files), or full access. Plus, the dialog box allows you at any time to open the case as your alter ego, not only when opening the same case in a second instance of the program. Plus, if permitted by other examiners, you may open the case as one of them in read-only mode, to see their results (report table associations, search hits, tagged files, already viewed files, excluded files).

* Running searches, creating report table associations, entering comments, editing extracted metadata, tagging files, excluding files, marking files as already viewed is all supported for the same evidence object at the same time. Removing items from a volume snapshot while the evidence object is open somewhere else is forbidden. The goal is support for concurrent analysis/review work by multiple examiners. Volume snapshot refinements on the other hand should be done systematically beforehand. Removing files from a volume snapshot is not considered ordinary review/analysis work.

* The initials of the examiner who has attached files to the volume snapshot or manually carved files in v17.5 and later can now be seen in square brackets after the name, so that it is easy to tell who has introduced them to the case.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 18, 2013 - 7:53:   

Preview 4:

* Some fixes of errors in earlier preview releases.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 30, 2013 - 21:38:   

Preview 5:

* Revised look of the user interface (toolbar, menus, directory browser, gallery). Unavailable commands are no longer represented by an icon in the toolbar to make it look less cluttered.

* VMDK virtual disk images which have been compressed for transport purposes (the VMDK format variant referred to as "stream-optimized"), as used by the OVF appliance export format, are now supported.

* More file type signatures defined.

* Files embedded in Norton Backup files (N360 backup, *.nb20) can now be automatically uncovered.

* Several minor improvements, some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 8, 2014 - 17:03:   

Beta 1:

* Improved extraction of files from Firefox caches based on "_CACHE_MAP_" files and Chrome caches based on "index" files. Retrieves metadata such as original filenames and timestamps. Metadata extraction from "index" files.

* Gridlines in the directory browser are now optional, and if displayed can be either light gray or light blue. Without gridlines and without the grayed out icons in the toolbar, the screen looks a little less cluttered.

* The entire row over which the mouse cursor hovers is now highlighted. That makes it easier to identify other far away cells in the same row.

* File type verification updated. New file type category GPS/Navigation.

* Ability to import search hits of another user.

* Same fix level as v17.4 SR-6.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jan 11, 2014 - 19:22:   

Beta 2:

* Support for more deeply nested directory trees in Ext*.

* Some clusters of significantly fragmented files in Ext4 were incorrectly contained in idle space as well. This has been fixed.

* Support for VMDK snapshots where the VMDK images are stored in segments, each usually representing 2 GB of the virtual disk. Previously only monolithic VMDKs were supported, i.e. where the entire VMDK image is stored in one file (whether sparse or not).

* Fixed errors in VMDK support in previous preview and beta versions of v17.5.

* Fixed potential exception error in Firefox cache extraction in v17.5 Beta 1.

* Colored icons for excluded and notable files now displayed with no noticeable delay even when Aero is enabled.

* The file type filter dialog now remembers which categories were expanded.

* Stability of EVTX processing improved.

* Program help and user manual updated for v17.5.

* Some other improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 12, 2014 - 21:58:   

Beta 3:

* Creating the descriptive text file when imaging disks is now optional.

* The option to define the number of extra compression threads when creating .e01 evidence files is no longer hidden.

* Some minor fixes.

* Some improvements for very large scaled system fonts.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 15, 2014 - 21:27:   

Beta 4:

* Reconstruction of indexed e-mail messages from the indexing database of the Thunderbird email client and output as child objects in the volume snapshot, as part of extraction of embedded data in SQLite databases.

* Exclusion of known SQLite databases from the embedded data extraction if it's known that there is no valuable binary data to be found.

* Some minor fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 21, 2014 - 11:27:   

Beta 5:

* Improved support for high dpi display settings in Windows (150% and larger), in message boxes, file selection dialogs, info pane, mode buttons, toolbar, progress indicator window, directory browser, and search hit context preview.

* Improved support for MS Internet Explorer recovery travellog files.

* Windows Registry report and event extraction revised.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 21, 2014 - 18:49:   

A user may want to turn off "Extended multi-user coordination" in future releases of v17.5 if he or she is sure to be the only concurrent user of a case and doesn't need some of the advanced options, for performance benefits in some very few situations.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 23, 2014 - 17:43:   

Indexes of the new type previously became unusable if the drive letter or path of the case changed. This will no longer be the case for existing and newly created indexes in the final version of v17.5.

As an immediate fix, open the file(s)
[name of the case]\_[name of the evidence object]\Index\Index.cfg
with File | Open and replace all occurrences of the old path with the new path using Search | Replace Text in Unicode. The new path may be shorter or longer than the old path. Sorry for the inconvenience.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jan 25, 2014 - 15:11:   

Beta 6:

* Ability to interpret evidence file containers larger than 4 TB.

* Support for NTFS file systems larger than 2^32 clusters (which are not supported in Windows 8 and earlier, but perhaps in later versions).

* File type verification updated.

* Same fix level as v17.4 SR-7.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 28, 2014 - 11:13:   

v17.5 was just released.

* Ability to specify separate virtual output directories for separate file carving runs, for example to distinguish operations of different scopes or for different purposes (e.g. first ordinary sector-level file carving in an entire partition, then byte-level file carving of e-mails in free space).

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 29, 2014 - 13:35:   

The full-text search in the program help did not work in v17.5. That was fixed just now.

Please note that when searching in indexes created by v17.3 or v17.4 in a newer version, search hits contained in the decoded text of a file will not be displayed correctly. Sorry for the inconvenience.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 30, 2014 - 11:36:   

SR-1:

* Fixed output of erroneous timestamps extracted from Firefox SQLite databases.

* Fixed timezone adjustment of timestamps in the metadata of some file types (PDF, MDB, RTF, PNG, Flash and GZip).

* Fixed erroneous selection of the radio button for evidence file containers when selecting the target image path in X-Ways Imager.

* Word frequencies in exported index word lists were not entirely accurate. That was fixed.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 5, 2014 - 16:43:   

SR-2:

* More thorough sorting by "Type status", which takes the detected file format consistency into account.

* Fixed faulty utilization of the header size in RAID reconstruction in some recent versions.

* Fixed an exception error that could occur when processing certain incomplete Chrome caches.

* Avoided a misleading and unnecessary error message when finalizing the index and searching in the index.

* Avoided misleading and unnecessary error messages when importing search hits from another user.

* Avoided instability when processing IE travellog files.

* X-Tensions API: XT_Prepare now receives a handle to the evidence object.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 15, 2014 - 13:05:   

SR-3:

* Prevented a possible crash that could occur when extracting e-mails from PST/OST e-mail archives.

* The command for deleting hash sets corrupted hash databases in v17.5 and v17.6 Preview. That was fixed.

* The Include command in the directory browser context menu did not work in v17.5 and v17.6 Preview. That was fixed.

* Fixed potentially incomplete previews of Google Chrome WebData databases.

* Fixed an exception error that could occur with irregular PDF files.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 19, 2014 - 21:50:   

SR-4:

* Fixed a read error that could occur with XML files extracted from PDF documents.

* Better support for extremely fragmented files in NTFS volumes.

* Fixed a file creation error in the "Export report table associations" command at the case level.

* Prevented exception errors that could occur when selecting more than the currently supported 57 simultaneously open images of physical disks and 99 simultaneously open partitions of physical disks or images of partitions for recursive exploration from the case root window and then trying to run commands in the directory browser context menu on them.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 22, 2014 - 11:42:   

SR-5:

* Improved/fixed coordination of simultaneous usage of the hash database by multiple users.

* Fixed a link error that could occur when generating case reports for files with overlong paths.

* Prevented an exception error that could occur when parsing corrupt 0x30 attributes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 27, 2014 - 14:59:   

SR-6:

* Improved representation of Base64-encoded e-mails extracted from MBOX e-mail archives.

* v17.3 and later did not always include all NTFS file system level timestamps in the event list when they were different from the creation timestamp. That was fixed.

* Progress indicator for the time when X-Ways Forensics finalizes indexes of the new kind.

* Fixed an error that could cause the loss of newly created report table associations in shared analysis mode.

* Some minor fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 6, 2014 - 21:25:   

SR-7:

* Fixed an instability error that could occur when recursively exploring from the case root and listing many millions of files.

* Some minor fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2014 - 22:20:   

SR-8:

* Fixed an exception error that could occur when extracting files from Google Chrome caches.

* Fixed inability of X-Ways Investigator to convert container raw images to .e01 evidence file format.

* Fixed an exception error that could occur when extracting certain recovered corrupt e-mail messages from Outlook PST/OST e-mail archives.

* Removes certain superfluous parts in certain multi-part e-mail messages to keep the viewer component from showing e-mails as blank.

* Fixed an error that could cause a loss of user comments in the volume snapshot.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 17, 2014 - 8:48:   

SR-9:

* Some minor improvements.

* Fixed an exception error that occurred in the original and regular WinHex 17.5 when displaying the Data Interpreter context menu.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 15, 2014 - 22:09:   

SR-10:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 25, 2014 - 22:53:   

SR-11:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.5. This is probably the last service release for v17.5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 21:52:   

decode.dat files in SR-11 replaced to mitigate text decoding problems.

Forum operated by X-Ways Software Technology AG.