X-Ways Forensics 17.8


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 20, 2014 - 22:48:   

A preview version of the dongle-based edition of X-Ways Forensics 17.8 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Option to apply logical simultaneous searches to various metadata of files in addition to the file contents. More precisely, they can be applied to the cells of any selected directory browser column such as Name, Author, Sender, Recipients or Metadata. That can spare you from pasting your keywords in the filter dialogs of various directory browser columns. That methodology is also more thorough because all the text addressed by this new feature is searchable in UTF-16, whereas elsewhere the same data may be fragmented (e.g. filenames in particular in FAT), specially encoded (e.g. sender and recipients as quoted printable in e-mails), compressed, or stored in unexpected code pages. It is also convenient because any hits will be presented in the same fashion and listed like ordinary search hits in file contents, just specially marked in the search hit description column with the name of the column that the text that contains the search hits actually belongs to and highlighted in a different color. You can also filter for search hits in metadata.

When selecting search hits in metadata, they are automatically searched for and highlighted in Details mode, just as ordinary search hits in file contents are automatically searched for and highlighted in Preview mode.

Note that the simultaneous search in metadata does not search in additional cell text that is displayed in a different color, such as alternative filenames and file counts in the Name column.

* Option to sort search hits by their data and context instead of just by the search terms to which they belong. Helpful for keyword searches (not technical, e.g. hex value, searches). Can be enabled in the dialog window Options | Directory Browser | [x] Advanced sorting (slower) | ... and is indeed slower since the data and context of all search hits to sort have to be read and converted to a comparable code page.

Sorting by the data in search hits helps for GREP searches. It makes a difference only for GREP expressions that match variable data, as for constant search terms the search terms and the data in their corresponding search hits are identical. For example, after searching for e-mail addresses with the expression [a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}, sorting by the data allows you to quickly identify and visually skip groups of identical e-mail addresses or see similar e-mail addresses (starting with the same characters) next to each other.

Continuing sorting by the text that follows the actual search hit if the search hit data is the same will show identical or similar text passages next to each other and allow you to more quickly review the search hit list.

You can specify how many characters of data and context to take into account for sorting. The more characters, the more memory is needed for sorting, which can make a difference when listing a huge number of search hits.

* Several minor improvements.

* Some of the fixes of v17.7 SR-1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 25, 2014 - 22:54:   

Preview 2:

* Ability to filter search hits by the textual context around them (up to ~1000 bytes each left and right) using a user-specified keyword.

* The maximum amount of context around search hits when exporting them in HTML or TSV format is now 2x ~1000 bytes as well (500 before).

* User search hits are now marked with an icon representing users. Notable search hits and user search hits can now be filtered using the Search hits column filter.

* Ability to expand or collapse the entire file type tree in the dialog window for the file header signature search and file recovery by type. Useful because when expanded you can just type the first few characters of the file type description to automatically jump to the first matching item in the tree.

* Ability to conveniently load keywords from a text file into the Name filter and save them directly from the dialog window.

* Some minor improvements.

* Same fix level as v17.7 SR-2.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 28, 2014 - 21:51:   

Preview 3:

* Fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 3, 2014 - 21:11:   

Preview 4:

* Sparse files are now represented with a tilde (~) instead of the word "sparse" in the Attr. column. It is now possible to set the sparse attribute to any existing file on your own drive or remove that attribute via the File | Properties dialog window, as always by pressing the Enter key while the edit box in which you made changes has the input focus. Please note that setting or removing the attribute does not necessarily change the allocation status of already assigned clusters, but will definitely have an effect on newly assigned clusters when you expand the file by setting a larger file size in the same dialog window.

* Same fix level as v17.7 SR-4.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 6, 2014 - 21:39:   

Preview 5:

* New directory browser columns named Created² and Modified² introduced, showing alternative creation and last modification timestamps. For NTFS, they are populated in newly taken volume snapshots with timestamps from the 0x30 attribute and represent previously valid timestamps from when a file was last renamed or moved, or possibly before some backdating operation occurred. Backdating operations are often applied by setup programs and also Windows itself (the infamous Creation timestamp tunneling effect, http://support.microsoft.com/kb/172190), and of course potentially by ordinary application programs as well as by users for various legitimate or less noble purposes. Note that these columns are populated only if these previously valid timestamps are actually different from their current counterparts, and additionally Modified² only if different from Created², to avoid cluttering the screen unnecessarily. That means any timestamps that you see there actually contain additional information and are not redundant.

* Created² is also populated for HFS+ file systems, with the relatively new "Added date" timestamp from Mac OS X Lion and later as well as iOS, where available and if different from the regular Created date. That timestamp specifies when a file was added to the particular directory in which it is contained, even if originally created earlier. "Added date" timestamps in HFS+ are also output as events.

* All Created² and Modified² timestamps shown in the directory browser are now also preserved in evidence file containers.

* A new multi-user support option synchronizes certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. Can have some performance benefits if disabled. Disabling this synchronization is recommendable only for cases that are definitely only processed by 1 user at a time. This is a substitute for one of the effects of the now removed option "Extended multi-user coordination" from previous versions.

* Support for a relatively new Windows registry format specialty found for example in Windows 7 AppCompatCache keys.

* Support for the Windows 8 successor of AppCompatCache, i.e. the Amcache.hve hive, using a dedicated registry report definition file named "Reg Report Amcache.txt", which allows you to produce a report and extract related special events.

* Sparse files are now represented with a tilde (~) instead of the word "sparse" in the Attr. column. It is now possible to set the sparse attribute to any existing file on your own drive or remove that attribute via the File | Properties dialog window, as always by pressing the Enter key while the edit box in which you made changes has the input focus. Please note that setting or removing the attribute does not necessarily change the allocation status of already assigned clusters, but will definitely have an effect on newly assigned clusters when you expand the file, by setting a larger file size in the same dialog window.

* File type verification slightly revised.

* Some minor improvements.
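
The display rule described in the Preview 5 post above for the alternative creation and modification columns on NTFS, as an added example that is not part of the original post and not X-Ways code: it reads the 0x10 and 0x30 attributes of one MFT FILE record and reports the 0x30 values only where they differ. The sample records are constructed, fixup handling is omitted, and all function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF  # $STANDARD_INFORMATION, $FILE_NAME, end marker

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10
def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def resident_attributes(record):
    """Yield (type, content) for each resident attribute of one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END:
            return
        if alen < 24 or off + alen > len(record):
            raise ValueError("inconsistent attribute length at offset %d" % off)
        if record[off + 8] == 0:  # non-resident flag clear
            clen, coff = struct.unpack_from("<IH", record, off + 16)
            yield atype, record[off + coff:off + coff + clen]
        off += alen

def alternative_timestamps(record):
    """Return (alt_created, alt_modified) following the rule in the post."""
    si = fn = None
    for atype, body in resident_attributes(record):
        if atype == SI and si is None:
            si = struct.unpack_from("<2Q", body, 0)  # created, modified
        elif atype == FN and fn is None:             # first $FILE_NAME only
            fn = struct.unpack_from("<2Q", body, 8)  # skip 8-byte parent reference
    if si is None or fn is None:
        return None, None
    alt_created = from_filetime(fn[0]) if fn[0] != si[0] else None
    # Assumption: the alternative modification time is compared to the raw 0x30 creation value.
    alt_modified = from_filetime(fn[1]) if fn[1] not in (si[1], fn[0]) else None
    return alt_created, alt_modified

def build_record(si_created, si_modified, fn_created, fn_modified, name="report.doc"):
    """Constructed sample record, not taken from a real volume; no fixup array."""
    def attr(atype, body):
        padded = body + b"\0" * (-len(body) % 8)
        head = struct.pack("<IIBBHHHIHBB", atype, 24 + len(padded), 0, 0, 24, 0, 0, len(body), 24, 0, 0)
        return head + padded
    s, m, c, f = map(to_filetime, (si_created, si_modified, fn_created, fn_modified))
    si_body = struct.pack("<4Q", s, m, m, m) + b"\0" * 16
    fn_body = (struct.pack("<5Q", 5, c, f, f, f) + b"\0" * 24
               + bytes([len(name), 1]) + name.encode("utf-16-le"))
    header = b"FILE" + b"\0" * 16 + struct.pack("<H", 0x38) + b"\0" * 34  # 0x38 bytes
    rec = header + attr(SI, si_body) + attr(FN, fn_body) + struct.pack("<I", END)
    return rec.ljust(1024, b"\0")

def utc(*a):
    return datetime(*a, tzinfo=timezone.utc)

# Constructed case: the 0x10 creation time was backdated to 2009, while the
# 0x30 attribute still holds the values written when the file was last renamed.
BACKDATED = build_record(utc(2009, 1, 1), utc(2014, 5, 30, 12, 5),
                         utc(2014, 5, 30, 12, 0), utc(2014, 5, 30, 12, 0))
UNCHANGED = build_record(*[utc(2014, 5, 30, 12, 0)] * 4)

if __name__ == "__main__":
    for label, rec in (("backdated", BACKDATED), ("unchanged", UNCHANGED)):
        print(label, alternative_timestamps(rec))
```
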

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 8, 2014 - 18:55:   

Preview 6:

* Since v17.5, X-Ways Forensics recognizes users by their SIDs and distinguishes between them (and their findings). This is now optional in newly created cases and can be disabled in the multi-user support options dialog when creating a new case. Useful if you know that only you will process that case and if you wish to process it on different computers where you have Windows accounts with different SIDs, so that you will always be treated as the same user. Also useful if multiple users are going to process the same case at different times and wish to share all their results, as in X-Ways Forensics before v17.5.

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 9, 2014 - 18:36:   

Preview 7:

* Some search hit list fixes and minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 17, 2014 - 15:40:   

Beta 1:

* Volume shadow copy exploitation revised.

* File type verification updated.

* New directory browser column named Record changed², showing timestamps from NTFS 0x30 attributes.

* Option to limit the import of another user's search hits to search hits that are marked as notable or to that user's manually defined search hits (so-called user search hits).

* Option to take away the search hits from the other user when importing them. Useful if the other user is going to resume his work later and will want to import *your* search hits back when he or she is taking over again, to avoid duplications of search hits, because your search hits include his or her hits after you have imported them.

* Several minor improvements.

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 17, 2014 - 22:32:   

Beta 2:

* Fixed an error of the internal graphics viewing library in Beta 1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 23, 2014 - 19:29:   

Beta 3:

* Support for nested e-mails when embedding attachments in parent .eml file.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 1, 2014 - 21:57:   

Beta 4:

* Support for another thumbs.db format variant.

* Ability to export the category statistics of listed files via the Category column's filter popup menu if the Category filter is not active, as tab-delimited text.

* Several minor improvements.

* Some fixes of errors in Beta 3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 3, 2014 - 21:36:   

Beta 5:

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 4, 2014 - 12:26:   

Beta 6:

* NTFS last access timestamps are now displayed in gray if identical to the creation timestamp, as that on most systems likely means that these timestamps are simply not maintained and thus not very significant.

* The folder for templates, X-Tensions and scripts may now be a relative path. Previously only "." was supported.

* In previously taken volume snapshots of HFS+ file systems, the contents of files with a hard-link count of 1 were not accessible if such files had an associated iNode file. That was fixed. Such files that unexpectedly have an associated iNode file are now marked with a ° in the Link count column.

* More complete artificial headers for sent e-mails from Exchange databases, which allow attachments to be properly referenced in the .eml representation.

* Same fix level as v17.7 SR-7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 6, 2014 - 21:32:   

Beta 7:

* Some fixes and minor improvements.

* Program help and user manual updated for v17.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 7, 2014 - 18:30:   

v17.8 was just released.

* That the columns "Term count" and "Search terms" were populated only after the search hit list for an evidence object has been displayed once was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 10, 2014 - 21:10:   

SR-1:

* Accelerated hash set matching if hash values were computed before.

* Under certain circumstances, Exchange EDB databases were not processed by X-Ways Forensics, but ignored. That was fixed.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 17, 2014 - 21:49:   

SR-2:

* Fixed incorrect encoding of spaces in filenames in case reports in v17.8.

* Supports :n parameters in the command line again as v17.5 and earlier did, to automatically open hard disk n (and optionally image it automatically).

* Fixed missing FAT32 volume label in Technical Details Report in some recent versions.

* Fixed inability to remove hash values from hash databases using certain import hash set files.

* Fixed display of certain double byte code pages in the text column.

* Fixed output of certain fields in case reports in v17.8, e.g. timestamps and matching hash sets.

* Prevented inclusion of invalid "Content created" timestamps in the volume snapshot.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 21, 2014 - 17:49:   

SR-3:

* The specified maximum resulting file size for file carving is now ignored for file types with an internally implemented "~" algorithm. It now has an effect only on file types with a defined footer signature.

* Fixed inability of recent versions to carve zip archives with certain statistical properties.

* Fixed an interpretation error for Java Date+Time in v17.6 and later.

* Hash set matching in v17.7 and later did not work for selected files. That was fixed.

* Simultaneous hash set matching in multiple instances supported again.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 27, 2014 - 22:21:   

SR-4:

* Fixed an exception error that could occur in the "jump-as-you-type" function.

* Fixed an exception error in XML export.

* Fixed inability to open dynamic volumes in certain situations.

* Fixed an error in the ability to delete hash values from hash sets.

* Fixed some inconsistencies in the handling of ANSI SQL and Java Date in the Data Interpreter.

* Some minor improvements.

An updated version of MPlayer is now downloadable.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 31, 2014 - 21:23:   

SR-5:

* Fixed non-inclusion of file associations with freshly created report tables in evidence file containers.

* Fixed inability to import report table associations and comments from encrypted evidence file containers in certain situations.

* Minor fix and improvement for XML PList processing.

* The author, if extracted from an XML file in a zip-styled Office document, is now shown for the Office document file, not the XML file itself.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 7, 2014 - 14:29:   

SR-6:

* Accelerated metadata extraction.

* Fixed an exception error that could occur when dealing with certain rare inconsistent FILE records in NTFS.

* Fixed output of some rare malformed .eml files during e-mail extraction.

* Certain e-mail messages created by Lotus Notes and received by Outlook that were not stored by Outlook in a consistent way were not presented correctly. That was fixed.

* Fixed inability to locate all LVM2 volumes in some situations.

* Fixed missing additional case open dialog for multiple simultaneous users in v17.8.

* Fixed an error in v17.8 that occurred importing an entire directory of hash sets or renaming a hash set.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 12, 2014 - 21:32:   

SR-7:

* Revised date definitions for e-mails extracted from MSG.

* Fixed an error in the hash database handling in v17.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 25, 2014 - 20:51:   

SR-8:

* Fixed an exception error that could occur when adding media whose model designation X-Ways Forensics could not determine to cases with active "Improved recognition of physical media".

* Accelerated byte-level JPEG carving in partitions with certain data.

* Various minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 28, 2014 - 23:29:   

SR-9:

* Fixed computed total capacity for certain internally reconstructed RAIDs.

* Fixed an error in the crash-safe text decoding option which could lead to incomplete decoding results in certain situations.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 21:57:   

SR-10:

* The option "Omit directories" for logical searches did not have an effect for some file systems. That was fixed.

* Avoided unnecessary error messages when copying from a directory on a remote network drive to an evidence file container with certain settings.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 8, 2014 - 14:18:   

SR-11:

* Fixed an instability in the Recover/Copy dialog window in SR-10.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 15, 2014 - 22:47:   

SR-12:

* Fixed logical AND combination of associations with automatically generated report table.

* Fixed occasional inability to remove report table associations.

* More thorough support for certain Exif GPS data.

* Fixed an exception error that could occur when processing livecomm.edb files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 24, 2014 - 19:41:   

SR-13:

* Certain extremely fragmented files in NTFS volumes were not opened correctly in v17.7 SR-9 and SR-10 as well as v17.8 SR-6 through SR-12. That was fixed.

* Avoided garbage characters in the table "Partitions by disk signature" of the registry report in the 64-bit edition.

* Fixed an exception error that could occur when importing report table definition files whose names are enclosed in square brackets in v17.5 and later.

* Support for Apple partitioning on disks with a sector size of 4 KB.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 2, 2014 - 8:43:   

SR-14:

* Fixed an error in the option to update existing hash sets in the hash database by importing a hash set of the same name.

* v17.8 SR-13 was marked as expiring, so it needs to be replaced now with v17.8 SR-14 or v17.9, please.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 17, 2014 - 20:43:   

SR-15:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 2, 2014 - 19:44:   

SR-16:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 28, 2015 - 19:42:   

SR-17:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.8. This is probably the last service release for v17.8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 22, 2015 - 19:43:   

SR-18:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.8. This is the last service release for v17.8.

Forum operated by X-Ways Software Technology AG.