X-Ways Forensics 17.6

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 31, 2014 - 10:39:   

A preview version of X-Ways Forensics 17.6 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* X-Ways Imager:
1) Ability to immediately verify newly created images.
2) Ability to convert raw images to .e01 evidence files or vice versa (after opening and interpreting the existing images).
3) Ability to open ordinary binary files in X-Ways Imager.
4) Ability to copy selected sectors or byte ranges from ordinary files, images or disks into the clipboard or into new files.
5) Ability to navigate to specific sector numbers.

* Metadata extraction from IconCache.db files. Important Windows artifact that can help to prove executions of programs for example in malware investigations.

* Ability to reconstruct e-mail messages from the Livecomm.edb database, which is used by the Windows Mail client (Windows 7 and newer) as part of the "uncover embedded data" operation. Also extracts contact and account information.

* File type detection and categorization updated.

* X-Tensions API: A new function named XWF_AddEvent was introduced, which allows adding events to the event hit list of an evidence object. XT_Prepare and XT_Finalize now receive a handle to the evidence object that the X-Tension is applied to.

* The old indexing engine was removed.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 4, 2014 - 21:33:   

Preview 2:

* User interface of the search term list slightly updated. More readable font and more economical use of space. To focus on notable search hits please remember you can use the Descr. column filter.

* X-Tension API: Ability to expand the file viewing capabilities of X-Ways Forensics, X-Ways Investigator, and X-Ways Investigator CTR by integrating so-called Viewer X-Tensions. Such X-Tensions provide special views of any supported file type by responding to calls of an XT_View function that they have to export. For details please see http://www.x-ways.net/forensics/x-tensions/api.html. Users can load Viewer X-Tensions in the Options | Viewer Programs dialog.

* X-Tension API: New functions available: XWF_GetEvObjProp, XWF_OpenEvObj, XWF_CloseEvObj, XWF_GetFirstEvObj, XWF_GetNextEvObj, XWF_UpdateDirBrowser. 4 new flags for XWF_GetItemInformation and XWF_SetItemInformation introduced: XWF_ITEM_INFO_FLAG_FILEARCHIVEEXPLORED, XWF_ITEM_INFO_FLAG_EMAILARCHIVEORVIDEOPROCESSED, XWF_ITEM_INFO_FLAG_EMBEDDEDDATAUNCOVERED, and XWF_ITEM_INFO_FLAG_METADATAEXTRACTED. For details please see http://www.x-ways.net/forensics/x-tensions/api.html.

* The Delphi API definitions and a demo X-Tension have been updated with some of the new functionality.

* A new investigator.ini option +52 prevents the use of Viewer X-Tensions, for example for security reasons. Remember that X-Tensions are Windows DLLs, which can potentially do harmful things to your system.

* Ability to uncover embedded pictures from the caches of Google's Picasa 3 image organizer and viewer software (thumbindex.db and related files).

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 6, 2014 - 13:22:   

Preview 3:

* Ability to manually enter the Recover/Copy output path by clicking a new "..." button in the dialog window, in the same line where the path is displayed. Useful if you wish to specify a network location that Windows does not list automatically.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 9, 2014 - 17:12:   

Preview 4:

* New metadata extraction feature, which allows restoring original file system metadata (such as filename, timestamps) when found in certain file types such as $I* recycle bin files and iPhone mobile sync backup indexes (Manifest.mbdx). Original filenames are typically much more meaningful than random names that are assigned just to guarantee uniqueness in a single directory for backup purposes. Examples of such random names are 3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae (for a file in an iPhone backup) or $RAE2PBF.jpg (Windows recycle bin). Support for more file types will follow. The current filename according to the file system can still be seen in square brackets in the Name column, as well as in Details mode, and the Name filter will find both the original and the current name, so that the current filename is not completely lost.

* Event extraction from Picasa 3.

* File type verification updated.

* New menu command Tools | File Tools | Replicate Directory. This command copies a directory with all its files and subdirectories, recursively, and recreates individually NTFS-compressed source files as NTFS-compressed in the respective output folder if supported by the destination file system and any layer in between. The command does not retroactively compress such files after their creation, but writes them immediately as compressed, which is more efficient. However, it still has to copy/send the decompressed amount of data of the source file. Select the source directory first, then specify/create the destination directory. This function is useful for example if you wish to copy or move a case directory, which contains a few NTFS-compressed files that would be inefficient to store as uncompressed. Note that alternatively you can open a case and use the Save As command in the Case Data window for the same effect.
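
The kind of metadata a $I* recycle bin file carries, as an added Python example that is not part of the original post and not X-Ways code. It assumes the publicly documented $I layout (version 1 with a fixed 520-byte path field, plus the later version 2 with a length-prefixed path, which goes beyond the post); the sample record and its path are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # fixed UTF-16LE path field (260 characters) in version 1


def filetime_to_utc(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, or None."""
    try:
        return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:
        return None  # garbage value that lies beyond year 9999


def utc_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed sample."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_i_file(data):
    """Return original path, original size and deletion time from $I content."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, deleted = struct.unpack_from("<qqQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) < V1_PATH_BYTES:
            raise ValueError("truncated version 1 record")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version 2 record")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) < 2 * nchars:
            raise ValueError("path shorter than its declared length")
    else:
        raise ValueError(f"unknown $I version {version}")
    # The path is NUL-terminated; anything after the terminator is padding.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_path": path,
        "original_size": size,
        "deleted_utc": filetime_to_utc(deleted),
    }


def paired_r_name(i_name):
    """$IAE2PBF.jpg describes the content stored as $RAE2PBF.jpg."""
    if len(i_name) < 3 or not i_name.upper().startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample(version, path, size, deleted):
    """Build a constructed $I record so the parser can be run offline."""
    head = struct.pack("<qqQ", version, size, utc_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return head + struct.pack("<I", len(encoded) // 2) + encoded


if __name__ == "__main__":
    when = datetime(2014, 2, 9, 17, 12, tzinfo=timezone.utc)
    sample = build_sample(1, r"C:\Users\demo\Pictures\holiday.jpg", 204800, when)
    record = parse_i_file(sample)
    print(paired_r_name("$IAE2PBF.jpg"), "was", record["original_path"])
    print("deleted", record["deleted_utc"], "size", record["original_size"])
```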

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 16, 2014 - 6:47:   

Preview 5:

* Ability to extract embedded files from Photoshop thumbnail caches (Adobe Bridge Cache.bc), Canon ZoomBrowser thumbnail collections (.info), and Paint Shop Pro caches (.jbf).

* File type verification updated.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 17, 2014 - 21:03:   

Preview 6:

* The search term list can now be sorted by search terms alphabetically in ascending order or by the listed search hit count in descending order, via the context menu of the search term list, to make it easier to locate a certain search term in lengthy lists.

* Certain kinds of files with child objects such as e-mail archives are now included in the directory tree in the Case Data window, along with their subdirectories.

* You can make Raw preview mode persistent by holding the Shift key when activating Raw mode.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 18, 2014 - 13:00:   

Preview 7:

* Some minor improvements and fixes.

* The hash database of block hash values is now no longer expected in a subdirectory of the directory with the regular hash database, but in a directory at the same level, with the same base name plus " [block hash values]" appended.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 19, 2014 - 21:57:   

Preview 8:

* Support for Mac Absolute Time in the Data Interpreter.

* The Data Interpreter is now able to interpret UNIX/C, Java/BlackBerry/Android and Mac Absolute timestamps stored as decimal ASCII text instead of in binary. You will find a context menu item for that as well as a checkbox in the options dialog.

* The Data Interpreter now optionally translates timestamps of all formats except MS-DOS date & time to local time (the time zone defined in the General Options). You will find a context menu item for that as well as a checkbox in the options dialog.

* Ability to convert so-called Nandroid backup files of the NAND flash memory of Android devices to regular raw images via Edit | Convert.

* Same fix level as v17.5 SR-4.
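
How the same decimal ASCII digits read under the three epochs named above, with optional translation to a local time zone, as an added Python example that is not part of the original post and not X-Ways code. The function names, the fixed UTC+1 zone and the sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def _from_epoch(epoch, delta_kwargs, local_tz):
    """Add an offset to an epoch; None when the result is not a valid date."""
    try:
        return (epoch + timedelta(**delta_kwargs)).astimezone(local_tz)
    except OverflowError:
        return None


def interpret_ascii_timestamp(raw, local_tz=timezone.utc):
    """Interpret decimal ASCII text as UNIX/C, Java and Mac Absolute time.

    Returns a dict mapping each format name to an aware datetime in local_tz,
    or to None when the number cannot be a date in that format.
    """
    text = raw.decode("ascii") if isinstance(raw, (bytes, bytearray)) else raw
    text = text.strip()
    # Integers stay exact; Mac Absolute Time may also carry a fraction.
    value = int(text) if text.lstrip("+-").isdigit() else float(text)
    return {
        # seconds since 1970-01-01 UTC
        "UNIX/C": _from_epoch(UNIX_EPOCH, {"seconds": value}, local_tz),
        # milliseconds since 1970-01-01 UTC
        "Java/BlackBerry/Android": _from_epoch(
            UNIX_EPOCH, {"milliseconds": value}, local_tz),
        # seconds since 2001-01-01 UTC
        "Mac Absolute": _from_epoch(
            MAC_ABSOLUTE_EPOCH, {"seconds": value}, local_tz),
    }


def candidates_in_window(raw, start, end):
    """Names of the formats whose reading falls inside the case time frame."""
    readings = interpret_ascii_timestamp(raw)
    return [name for name, moment in readings.items()
            if moment is not None and start <= moment <= end]


if __name__ == "__main__":
    utc_plus_1 = timezone(timedelta(hours=1))  # constructed local zone
    for sample in (b"413658720", b"1391965920", b"1391965920000"):
        print(sample.decode())
        for name, moment in interpret_ascii_timestamp(sample, utc_plus_1).items():
            print(f"  {name:24} {moment}")
```

Only one of the three readings of each sample lands in 2014, which is why the format has to be chosen from context rather than from the digits alone.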

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 20, 2014 - 22:23:   

Preview 9:

* Increased capacity for large cases:

Maximum number of simultaneously open images of physical media and reconstructed RAIDs combined:
v15-v17.1: 46
v17.2-v17.5: 57
from v17.6: 100

Maximum number of simultaneously open partitions on physical media (not counting drive letters) and partitions in images of physical media and images of volumes:
v15-v15.5: 64
v15.6-v17.5: 99
from v17.6: 256

Some background information: Note that it is not a must to always have all evidence objects in a case open at the same time. In fact it can be desirable to not open them all at the same time if the volume snapshots are very big (i.e. reference many millions of files) and not much RAM is available. Simultaneous searches and volume snapshot refinements across multiple selected evidence objects can be started even when no evidence object is open at all. In this setting, X-Ways Forensics will open the evidence objects one by one automatically when it is their turn, and close them again when fully processed, to minimize memory requirements. Only when you recursively explore from the case root, all evidence objects whose files you wish to include need to be open at the same time.

Maximum number of addressable local physical media:
from v17.2: 64

* More complete output of serial numbers of USB devices.

* New date type "MacAbsTime" supported in templates.

* New modifier "local" supported for timestamps in templates. Causes X-Ways Forensics to convert timestamps (except DOSDateTime) to the timezone specified in the General Options.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 23, 2014 - 11:30:   

Beta 1:

* Extraction of forensically valuable metadata from PhotoShop PSD and INDD (Adobe InDesign) files.

* Internal file carving algorithms for INDD, Bridge Cache and Picasa3 index files implemented.

* Improved support for Magix Photo Manager Cache .mxc2 and .mxc3 and other files.

* Ability to see model and serial numbers of physical media without administrator rights.

* Some minor improvements.

* Same fix level as v17.5 SR-5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 27, 2014 - 20:18:   

Beta 2:

* Ability to mark events as notable and filter for notable events via the Timestamp column.

* Ability to unmark multiple selected search hits and events as notable, by holding the Shift key when invoking the "Mark as notable" context menu command.

* That the directory for images that is specified in the General Options is preselected for newly created images is now optional.

* Option to always suggest to open a case with extended multi-user coordination in shared analysis mode. That mode can be useful even for the first of many simultaneous users of the case because only in that mode newly created report table associations are shared out to other simultaneous users at regular intervals (depending on the case auto-save option).

* Imports and shows newly created report table associations of simultaneous other users in shared analysis mode when re-opening an evidence object or when case auto-save interval elapses or when manually invoking the Save Case command. (In v17.5 this happened only when opening the case in normal, unlimited mode.)

* Unicode support for e-mail excerpt reconstruction from Thunderbird indexing databases.

* Ability to uncover various potentially relevant resources in 32-bit and 64-bit Windows PE executables (programs and libraries) as child objects, in particular RCDATA, named objects, bitmaps, icons and manifests. Useful for example for malware analysis. This does not happen automatically, only if you specifically target executable files via a suitable series of file masks.

* More metadata is now extracted from AVI video files, for example the codec and the IDIT creation timestamp or original filename, where available.

* Metadata and internal file carving support for AMR voice recording files.

* File type verification updated.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 3, 2014 - 8:29:   

Beta 3:

* Hash database dialog window revised.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 6, 2014 - 21:28:   

Beta 4:

* Ability to store additional custom definitions of file types and categories in a separate file named "File Type Categories User.txt", which will be read and maintained in addition to the standard definitions in "File Type Categories.txt" and has the same structure and is not overwritten by updates of the software if contained in the installation directory, so that you can easily continue to use it even when overwriting your installation with a new version.

* The Replicate Directory command can now operate on overlong paths.

* Support for even more deeply nested (recursively forwarded) e-mail messages in OST/PST e-mail archives.

* Remains more responsive during file header signature searches and other volume snapshot refinement operations, and allows you to use several commands in the Case Data window's context menu during various ongoing operations.

* Displays the amount of free space on the output drive in the Create Disk Image dialog window.

* Performance of uncovering thumbnails in large JPEG files improved.

* Several minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 9, 2014 - 16:47:   

Beta 5:

* New option to view files with a single click in the gallery instead of with a double click. Useful for example if you wish to view certain pictures on a separate monitor, where you do not have to close the view window to see the gallery again, when not viewing all pictures one after the other (for which the Page Up or Dn key is more efficient).

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 13, 2014 - 22:21:   

Beta 6:

* Some internal improvements.

* Same fix level as v17.5 SR-8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 17, 2014 - 8:09:   

Beta 7:

* Improved ability to uncover thumbnails from Windows thumbcaches. The process is now faster and produces far fewer redundant thumbnails, especially for Windows 8 and 8.1 installations (only the highest resolution available for a set of thumbnails for the same picture). The new method is used when targeting thumbcache_idx.db files (which will in turn target the corresponding thumbcache*.db files) via the provided mask and not the thumbcache*.db files directly as in previous versions of X-Ways Forensics.

* Structure of the technical details report for physical media slightly improved.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Mar 18, 2014 - 15:18:   

Beta 8:

Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 24, 2014 - 11:35:   

Beta 9:

* Supports certain .bmp graphics with larger headers.

* Some other improvements in the internal graphics viewer.

* Fixed an exception error that could occur when processing SQLite databases.

* Some minor fixes for EDB processing.

* Program help and user manual updated.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 26, 2014 - 3:32:   

v17.6 was just released.

Additional news:

* Available for download to users of X-Ways Forensics (click the "All versions" link) is now a text file that, if named language.txt and put into the installation directory of v17.6, can override most texts in the user interface (except for example the main menu) and is easily user-editable. Useful if for example you wish to produce case reports in your own language.

* Support for a variant of thumbs.db files found in Windows 7 in certain constellations.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 26, 2014 - 18:26:   

SR-1:

* Fixed an obscure heap overflow exception error that could occur when using the hash database in v17.6.

* Fixed disarranged Search menu in the regular version of WinHex.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 30, 2014 - 15:44:   

SR-2:

* Fixed faulty utilization of the header size in RAID reconstruction in some recent versions.

* Floating point error in Apple bookmark processing fixed.

* Some type detection problems fixed (e.g. .thumbsw7).

* Fixed an error that could occur when importing search hits from another user in a case with extended multi-user coordination.

* In newly created cases, the status of the option "Auto-detect deleted partitions" now remains frozen forever to prevent the situation of being unable to open partitions that were once auto-detected, but are no more.

* If you prefer to have a single-column search term list as in v17.5 and earlier, you can change the byte at offset 15414 in your WinHex.cfg from 0x00 to 0x01. One way to ensure that this change is not overwritten by X-Ways Forensics is to do it when Options | General | [ ] "Save program settings in .cfg file" is unchecked.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 2, 2014 - 20:15:   

SR-3:

* Fixed an instability error that could occur when applying Recover/Copy to embedded attachments in .eml files.

* More immediate ability to import another user's search hits, when his or her search has just completed.

* File type verification slightly revised.

* Fixed a read or exception error that could occur when running a file header signature search with compensation for NTFS compression.

* Fixed an exception error that could occur when uncovering embedded data in Windows.edb files.

* Fixed an error that could occur when uncovering embedded thumbnails from certain malformed JPEG files.

* Fixed an error in the hash database.

* Recover/Copy no longer optionally reflects missing original timestamps by setting the corresponding timestamps of output files to Jan 1, 1601 in NTFS. Unsuspecting users were using faulty video playing software, did not read the program help or user manual topic about the Recover/Copy function and messaged us instead of the developers of the other software that refused to open files with such timestamps.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Apr 5, 2014 - 13:28:   

SR-4:

* Fixed an instability problem that could occur in v17.6 when extracting metadata from files larger than 2 GB.

* Some fixes in uncovering embedded data in PE EXE and other files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 7, 2014 - 17:39:   

SR-4 x64:
(now included in SR-4 download)

* Fixed an exception error that could prevent uncovering embedded data in some Windows.edb files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 8, 2014 - 22:31:   

SR-5:

* Fixed faulty utilization of the header size in RAID 5 reconstruction with 1 missing component in some recent versions.

* Fixed "Unable to read (1)" error in the gallery for photos from which original embedded thumbnails have been uncovered and additional thumbnails have been created by X-Ways Forensics itself to accelerate the gallery.

* Fixed an error in the gallery of the Case Root window that could lead to the representation of a picture with a wrong thumbnail.

* Fixed an exception error that could occur when changing the sort order in the directory browser while the gallery was being populated.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 13, 2014 - 19:29:   

SR-6:

* Provides modification dates for more extracted e-mail messages.

* Slightly improved internal graphics viewing library.

* Fixed an infinite loop that could occur when generating the registry report.

* Fixed stability errors that could occur when processing certain MSG/MBOX/DBX e-mail archives.

* Fixed reported Windows installation language in the registry report.

* Fixed missing value output in registry viewer after extracting metadata from registry hives.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 8, 2014 - 21:47:   

SR-7:

* Prevented a message box from popping up repeatedly when applying simple text and hex searches to all open windows.

* "Export subtree" command now supports larger subtrees.

* Fixed a possible infinite loop when processing certain registry hives.

* Fixed an exception error that could occur when extracting metadata from OLE2 Office documents.

* More accurate representation of different recipient types in sent (not received) e-mails extracted from Outlook e-mail archives.

* Fixed incorrect representation of alternate filenames in the Name column after metadata extraction.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 13, 2014 - 19:12:   

SR-8:

* In certain situations the associations of search hits with their corresponding search terms were potentially lost in some evidence objects after deleting search terms. That was fixed.

* Fixed a crash in v17.6 that could occur when viewing pictures while the gallery was being populated.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 25, 2014 - 22:53:   

SR-9:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 21, 2014 - 19:23:   

SR-10:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.6. This is probably the last service release for v17.6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 21:52:   

SR-11:

* A few of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.6.

SR-12:

* Fixed an instability in the Recover/Copy dialog window in SR-11.

Forum operated by X-Ways Software Technology AG.