X-Ways Forensics 17.7



Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 30, 2014 - 15:40:   

A preview version of the dongle-based edition of X-Ways Forensics 17.7 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* New Directory Browser option for advanced sorting of the Name column. Takes 4 to 6 times more time than the highly optimized standard Unicode sorting from previous versions (noticeable when sorting millions of files), but has several useful settings and characteristics:
- Language-specific character equivalence rules (treat like ss, treat similar to e, ü similar to u etc.)
- Linguistically improved case insensitivity
- Special treatment of hyphens and apostrophes (they are treated differently from other non-alphanumeric characters to ensure that words such as "coop" and "co-op" stay together in a sorted list).
- Treat decimal digits as numbers, e.g. sort "2" before "10" (not useful for hexadecimal notation, available under Windows 7 and later only)
- Treat half-width and full-width characters the same (full-width characters are sometimes used by East Asians when writing English language letters)
- Ignore kana type (treat corresponding Japanese hiragana and katakana characters the same)

Advanced sorting depends on the regional settings of the currently logged on user. For example, if regional settings of a Nordic country are active, comes after Z, as defined in the alphabets of that region, otherwise near A, as perhaps expected by non-locals. Advanced sorting rules are also applied when sorting the search hits by the Search Hit column.

* Files that are included in an evidence file container without contents just to complete the full original path of child objects that they contain with their names are now shown in the directory tree.

* Option to abort copying files into an evidence file container upon a read error and to not include affected files partially. Useful when acquiring files from a network location and the connection might be interrupted, if you assume that if that happens you will get the connection back and will be more successful when you try again, to avoid having incomplete files in the container, which cannot be replaced with a complete copy retroactively. Available only when not filling containers indirectly.

* The active display time zone of the active case or of any evidence object is now shown directly on the button in the properties dialog window.

* Ability to specifically filter for 0x30 timestamps in the event list, using the event type filter.

* If an original name is found for a file in the Windows recycle bin or in an iPhone backup during metadata extraction, that name is displayed in the Name column with the current unique name in square brackets. The current unique name is now also shown in square brackets in the case report. Both names are targeted by the Name filter.

* Two new X-Tension API functions: XWF_GetBlock and XWF_SetBlock.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 2, 2014 - 20:15:   

Preview 2:

* Accelerated multi-threaded block hash matching.

* New X-Tensions API functions XWF_GetExtractedMetadata and XWF_AddExtractedMetadata.

* Improved presentation of e-mail extracted from Outlook PST/OST archives that contains forwarded other e-mail messages as attachments.

* Some internal improvements.

* Same fix level as v17.6 SR-3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Apr 5, 2014 - 13:38:   

Preview 3:

* Revised Exchange database extraction (up to version 2007) with improved support of internal e-mail communication and a wider set of metadata.

* As not all users know, when they recreate original paths of files in evidence file containers, the parent objects of files in files are included (and need to be included) in the container even if not selected themselves, just to guarantee that the child objects are shown with their complete correct path. But then these parent files are included without file contents, of course, just with file system metadata, as obvious for example from the Attr. column. Such parent files with metadata only are now no longer listed in containers when exploring recursively, just like directories, because in fact they function like mere directories in the container, even though they were real files in the source file system. They were not deemed relevant by the creator of the container (as they were not selected for inclusion themselves), so it is perhaps more logical that only if users explicitly wish to list directories even when exploring recursively (one of the directory browser options), such files will be listed as well.

* If the parent file of a file in a file has been assigned to one or more report tables by the user, then this will now be pointed out in the "Report table" column for the child object as well, in gray color and with an arrow. Reminds the user that the parent was reviewed and marked as relevant already, which can spare him or her the extra step of navigating to the parent again.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 6, 2014 - 21:16:   

Preview 4:

* New X-Tension function XWF_GetMetadata.

* Fixed an error in the display of report table associations in the directory browser in v17.7 Preview 3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 8, 2014 - 22:32:   

Preview 5:

* Tentatively extended the amount of text that can be pasted into the Name filter to 2 million characters (30,000 before). That doesn't guarantee that X-Ways Forensics can efficiently use a filter with many ten thousands of characters or more. When in doubt, use the "Match against full name" option, not the substring search.

* Minor improvements of the revised Exchange database extraction.

* Fixed a persisting error in the display of the Report table column in v17.7 Preview 4.

* Same fix level as v17.6 SR-5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 15, 2014 - 21:22:   

Preview 6:

* The header of the Name column now allows you to tag or untag all listed items with a single mouse click. It also indicates whether there are any tagged or untagged items among the listed items.

* The number of listed tagged files is now displayed in the caption line of the directory browser if any tagged files are listed.

* Tagging and excluding recursively are now two separate options.

* Recover/Copy: Ability to group output files in directories by the search terms that they can contain according to the Search terms column.

* New investigator.ini option +53 that prevents storing filter and sort settings in cases.

* Some other minor improvements.

* Same fix level as v17.6 SR-6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 21, 2014 - 21:40:   

Preview 7:

* Ability to output dates in the directory browser and in some other parts of the user interface in a nicer, longer and more locale-specific notation, which can include the weekday and the name of the month based in your language or in English. Also, that format is Unicode-capable, which allows for example for original Chinese notation of dates. See Options | General | Notation. Please see http://msdn.microsoft.com/en-us/library/dd317787%28v=vs.85%29.aspx for a complete explanation of what kind of notation is possible.
Examples of how to represent the month (in English): MMMM = April, MMM = Apr, MM = 04, M = 4.
Example of a complete format: d/MMM/yyyy (ddd) = 2/Apr/2014 (Wed)

* Creating report table associations at the same time for known duplicates of directly targeted files now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.

* When files are viewed that have duplicates, marking the duplicates as already viewed as well now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.

* Support for the MacOS artifact .DS_Store, which helps to analyze recycle bin activity.

* New file type category "Address Book".

* Better support of Samsung and Nokia .tec graphics files.

* X-Tensions API: Function XWF_GetFileCount available.

* X-Tensions API: Parameters for XWF_OpenItem defined.

* Some minor improvements.
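
The date notation described in this post, worked through as an added example that is not part of the original post or of X-Ways Forensics: a small Python interpreter for the `d`/`M`/`y` picture tokens, plus a check for notations that become ambiguous in a report. English month and weekday names and the helper names `format_picture` and `ambiguity_notes` are assumptions of this sketch.

```python
import re
from datetime import date

# English names are an assumption; Windows takes them from the user's locale.
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
        "Saturday", "Sunday"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]

# A picture mixes 'quoted literals', runs of d/M/y, and pass-through text.
# Era tokens (g) and escaped apostrophes are not handled in this sketch.
TOKEN = re.compile(r"'([^']*)'|(d+|M+|y+)")


def _number_or_name(n, number, name):
    """1 letter: number, 2: zero-padded, 3: abbreviated name, 4+: full name."""
    if n == 1:
        return str(number)
    if n == 2:
        return f"{number:02d}"
    return name[:3] if n == 3 else name


def format_picture(picture, d):
    """Render a date with a picture string such as 'd/MMM/yyyy (ddd)'."""
    def render(m):
        if m.group(1) is not None:          # quoted text is copied verbatim
            return m.group(1)
        tok = m.group(2)
        kind, n = tok[0], len(tok)
        if kind == "d":
            return _number_or_name(n, d.day, DAYS[d.weekday()])
        if kind == "M":
            return _number_or_name(n, d.month, MONTHS[d.month - 1])
        two_digit = d.year % 100            # y and yy keep only two digits
        if n == 1:
            return str(two_digit)
        if n == 2:
            return f"{two_digit:02d}"
        return str(d.year)
    return TOKEN.sub(render, picture)


def ambiguity_notes(picture):
    """List reasons why output in this notation could be misread later."""
    tokens = [m.group(2) for m in TOKEN.finditer(picture) if m.group(2)]
    numeric_day = [t for t in tokens if t[0] == "d" and len(t) <= 2]
    months = [t for t in tokens if t[0] == "M"]
    years = [t for t in tokens if t[0] == "y"]
    notes = []
    if not years:
        notes.append("no year")
    elif all(len(t) <= 2 for t in years):
        notes.append("two-digit year")
    if numeric_day and months and all(len(t) <= 2 for t in months):
        notes.append("numeric day and month: order not evident from output")
    return notes


if __name__ == "__main__":
    sample = date(2014, 4, 2)               # the date used in the post
    for pic in ("MMMM", "MMM", "MM", "M", "d/MMM/yyyy (ddd)", "M/d/yy"):
        print(pic, "=", format_picture(pic, sample), ambiguity_notes(pic))
```
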

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 28, 2014 - 22:18:   

Beta 1:

* When creating a new case, you now have the option to make X-Ways Forensics recognize evidence objects that are physical media (not images) by their own properties, not by the Windows disk number. Using this option will prevent earlier versions of X-Ways Forensics from opening the case. The advantage is that you may add multiple hard disks or external USB disks or sticks to the case that are attached to the computer at different times and get the same disk number assigned by Windows. Another advantage is that if the number of the same disk as assigned by Windows changes, X-Ways Forensics will still recognize the disk. Useful especially for triage, when not working with images. Please note that X-Ways Forensics may be unable to recognize external media already known to the case if next time they are attached through a different hardware write blocker. In that situation you can still use the "Replace with new disk" command in the evidence object context menu to point X-Ways Forensics to the correct disk. Just as a reminder: You can open an evidence object even if the disk is not currently attached to the system, just to see and work with the volume snapshot, using a command in the evidence object context menu.

* Greatly accelerated recursive tagging, untagging, excluding and including of a large number of selected files, which previously was potentially very slow in large refined volume snapshots.

* Recover/Copy: Option to name output files after their unique ID. Available only when copying without original path, selectable when clicking the "..." button.

* Log-on events in Windows event logs are now presented in the event list with domain name, log-on ID and IP address when available.

* New X-Tension functions XWF_GetReportTableInfo and XWF_GetEvObjReportTableAssocs.

* X-Tensions API: 0x00100000 flag of XWF_ITEM_INFO_FLAGS now deprecated.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 29, 2014 - 9:37:   

Beta 2:

* Fixed some errors in Beta 1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 6, 2014 - 21:11:   

Beta 3:

* Metadata extraction from RecentFilecache.bcf, an important Windows 8 artifact.

* X-Tension API: New XWF_GetItemInformation capability added: XWF_ITEM_INFO_EMBEDDEDOFFSET. New function XWF_GetSearchTerm.

* Report table associations for e-mail messages with recipients on Bcc:.

* Ability to import multiple selected hash set files at a time.

* Ability to efficiently delete individual hash values from an existing hash set, by importing a hash set file (simple 1-column format, 1 hash value per line), where the hash values to delete must be listed first and must be prepended with a minus sign ("-"). The file must have the same name as the existing hash set that you wish to update (additional filename extension allowed).

* Avoided a rare exception error that could occur when parsing corrupt LVM2 partitioning data structures.

* Some minor improvements.

* Some fixes of errors in Beta 2.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 8, 2014 - 21:47:   

Beta 4:

* Same fix level as v17.6 SR-7.

* X-Tension API: 2 more flags for XWF_ITEM_INFO_FLAGS.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 11, 2014 - 18:08:   

Beta 5:

* Ability to schedule in advance subsequent disk imaging operations in additional instances that wait until ongoing imaging operations in previous instances complete, to avoid inefficient simultaneous creation of multiple images on the same output disk (which is unnecessarily slow and produces highly fragmented image files).

* Larger tooltip for cells with a lot of text, e.g. in the Metadata column.

* Special paragraph in Details mode about previous names and paths of files, if known.

* Detection of some full disk/partition encryption schemes.

* Data Interpreter option for a binary representation of 16 or 32 bits instead of just 8 bits.

* Directory browser column widths are now stored in cases along with filter and sort settings, as well as in .settings files.

* Excluding files in search hit lists and event lists now has an immediate effect (if excluded files are actually filtered out) and usually auto-selects the next remaining search hit or event in the list.

* In certain situations the associations of search hits with their corresponding search terms were potentially lost in some evidence objects after deleting search terms. That was fixed.

* Several minor improvements.

* Program help and user manual updated for v17.7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 12, 2014 - 14:32:   

Beta 7:

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 13, 2014 - 20:08:   

v17.7 was just released.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 21, 2014 - 22:38:   

SR-1:

* After using the [x] "Replace evidence object with image" option of disk imaging with active [x] "Improved recognition of physical media", partitions could not be opened any more until the image was removed from and added back to the case. That was fixed.

* Fixed inability of the Exchange EDB extraction to use a folder for temporary files on a network drive.

* Fixed inability to select hash sets for filtering when the hash database was in use already.

* Fixed an exception error that could occur when extracting metadata from certain SQLite databases in some rare constellations.

* Slightly more thorough processing of volume shadow copies.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 25, 2014 - 22:54:   

SR-2:

* Fixed an exception error that could occur in some random situations when creating registry reports.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 28, 2014 - 10:47:   

SR-3:

* Fixed inability of v17.6 and later to read sectors of all disks when just 1 disk was inaccessible.

* Fixed inability of v17.6 and later to automatically add multiple decompressed hiberfil.sys files to the same case as evidence objects.

* Fixed misrepresentation of alternative filenames for volume shadow copy host files that reference recycle bin files in v17.6 and later.

* Fixed unnecessary "device not ready" error message for optical drives.

* New flag 0x10 supported for the XWF_OpenItem X-Tension function: open alternative file data if available, and fail if not.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 3, 2014 - 21:03:   

SR-4:

* Fixed uninherited deletion statuses of e-mail attachments in original .eml files, DBX and MBOX.

* Fixed a rare infinite loop when taking a volume snapshot of Ext4 file systems.

* Fixed inability to determine original filenames for thumbnails from thumbcache*.db in certain cases.

* Fixed missing case association of automatically re-opened partitions when restarting the program or using the File menu history.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 17, 2014 - 15:39:   

SR-5:

* Fixed inability of the Registry Viewer in v16.9 and later to show extended key information and value sizes and to highlight values in File mode for additionally loaded hives beyond the first one.

* X-Tensions API: New flags "Flagged" and "Selected for operations" supported in XWF_GetEvObjProp.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 1, 2014 - 21:48:   

SR-6:

* Fixed an error of missing search hits representing block hash matches.

* Fixed an exception error that could occur when deleting duplicate block hash matches.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 4, 2014 - 12:38:   

SR-7:

* Fixed an error that could occur under certain circumstances in video processing when working with a relative MPlayer path.

* Tries to avoid a potential time-out error that may have occurred when searching in extremely large indexes.

* Fixed an exception error that could occur when automatically adding known duplicates of selected files to report tables.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 21, 2014 - 19:23:   

SR-8:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 21:52:   

SR-9:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.7.

SR-10:

* Fixed an instability in the Recover/Copy dialog window in SR-9.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 24, 2014 - 19:35:   

SR-11:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 17, 2014 - 20:43:   

SR-12:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.7. This is probably the last service release for v17.7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 28, 2015 - 19:42:   

SR-13:

* Last service release, only for dongle users.

Forum operated by X-Ways Software Technology AG.