X-Ways Forensics 17.9

X-Ways User Forum » Public Announcements » X-Ways Forensics 17.9


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 31, 2014 - 21:28:   

A preview version of the dongle-based edition of X-Ways Forensics 17.9 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Ability to extract contacts from Windows Live Messenger's contacts.edb database, using the operation "Uncover embedded data in various file types".

* The various optional suboperations of the particularly thorough file system data structure search in NTFS are now selectable more precisely, and in a child dialog window of the Refine Volume Snapshot dialog, and they now work much more efficiently on large volume snapshots.

* Avoided inclusion of certain redundant files in the volume snapshot during FILE record searches.

* Certain previously valid timestamps of files are now output as events during various suboperations of the particularly thorough file system data structure search on NTFS, depending on a new refinement option "Provide by-catch timestamps from various sources as events", which may also affect other operations whose primary purpose is not the retrieval of timestamps/events.

* Ability to filter for those 0x30 timestamps that do not predate their corresponding 0x10 counterparts. (Remember that this situation frequently occurs for various "natural" reasons, and only sometimes indicates malicious backdating.) Click the checkbox that is labelled with the "greater than" symbol to use this filter.

* "Show user initials for report table associations" is now a 3-state option. If half-checked, it has an effect on the directory browser only, not for the Export List or Recover/Copy command for example and not in the case report.

* Pseudo-hash values are now shown in the directory browser only, not in the output of the Export List command or in the case report any more.

* Ability to byte-wise reverse units of more than 2 or 4 bytes via Edit | Modify.

* Various minor improvements.
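The 0x30 versus 0x10 timestamp comparison behind the new "greater than" filter, as an added illustration that is not X-Ways code: it parses the four FILETIMEs from constructed $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) attribute bodies and reports, per timestamp, whether the 0x30 value postdates its 0x10 counterpart. The sample attribute bodies and the 2009/2014 dates are constructed, and the strict "greater than" reading of the filter is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_NAMES = ("created", "modified", "mft_modified", "accessed")


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_standard_information(body: bytes) -> dict:
    """$STANDARD_INFORMATION (type 0x10): the four FILETIMEs start at offset 0."""
    return dict(zip(TIMESTAMP_NAMES, map(filetime_to_dt, struct.unpack_from("<4Q", body, 0))))


def parse_file_name(body: bytes) -> dict:
    """$FILE_NAME (type 0x30): 8-byte parent directory reference, then the four FILETIMEs."""
    return dict(zip(TIMESTAMP_NAMES, map(filetime_to_dt, struct.unpack_from("<4Q", body, 8))))


def fn_newer_than_si(si: dict, fn: dict) -> dict:
    """Per timestamp: does the 0x30 value postdate its 0x10 counterpart (the '>' filter)?
    Equality is the ordinary case for an untouched file; a strictly newer $FN value
    is the by-product of an $SI backdating and is what this filter surfaces."""
    return {name: fn[name] > si[name] for name in TIMESTAMP_NAMES}


def build_si(times) -> bytes:
    # Constructed $SI body: four FILETIMEs, remaining flag/version fields zeroed (48 bytes).
    return struct.pack("<4Q", *map(dt_to_filetime, times)) + bytes(16)


def build_fn(parent_ref: int, times) -> bytes:
    # Constructed $FN body: parent reference, four FILETIMEs, zeroed size/flags/name fields.
    return struct.pack("<Q4Q", parent_ref, *map(dt_to_filetime, times)) + bytes(26)


T_CREATE = datetime(2014, 7, 31, 21, 28, tzinfo=timezone.utc)
T_OLD = datetime(2009, 1, 1, tzinfo=timezone.utc)

# Constructed sample 1: untouched file, $SI and $FN timestamps agree.
SI_NORMAL = build_si([T_CREATE] * 4)
FN_NORMAL = build_fn(5, [T_CREATE] * 4)

# Constructed sample 2: $SI timestamps were set back to 2009 while $FN kept the real 2014
# values, so every 0x30 value is now greater than its 0x10 counterpart.
SI_BACKDATED = build_si([T_OLD] * 4)
FN_BACKDATED = FN_NORMAL


def flags_for(si_body: bytes, fn_body: bytes) -> dict:
    """Parse both attribute bodies and apply the comparison."""
    return fn_newer_than_si(parse_standard_information(si_body), parse_file_name(fn_body))
```

As the post notes, a newer $FN timestamp also arises naturally (for example after a move or rename), so a match is a lead to corroborate, not proof of tampering.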

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 4, 2014 - 20:45:   

Preview 2:

* Extended attributes in NTFS are now optionally included in the volume snapshot as child objects of the directory or file to which they belong, with the name "$EA" and marked in the Attr. column with "($EA)". Either all such attributes (if the box in Options | Volume Snapshot is fully checked) or only non-resident ones (if half-checked, default). If none at all, the clusters that belong to non-resident extended attributes of existing objects will be covered by the virtual file "misc non-resident attributes" as before. (Background information: Microsoft uses extended attributes on system binaries as part of the secure boot components. Attackers have been using large extended attributes to hide malware in some high profile cases. Large extended attributes are still flagged automatically by report table associations as introduced with v17.5.)


* New file carving flag "C" (upper case) introduced, which denotes file type signatures that should not be used to search for NTFS-compressed files if compensation for NTFS compression is active, because they are too weak and would yield too many false positives or would not be actually stored as compressed anyway.

* Newly taken snapshots of Ext* volumes now include directories and files that are merely orphaned because of file system errors (no longer referenced by a directory higher in the hierarchy, not deleted).

* Copy command in context menu of status bar in Details, Preview and Gallery mode.

* A stability issue in the parsing for binary PLists (BPLists) has been fixed which could occur with corrupted BPLists where the corruption took very specific forms.

* Under certain circumstances, when exporting lists in XML format including the Metadata column, import as a spreadsheet in MS Excel led to an unhelpful structure. XML export has been improved to prevent this from happening.

* Some of the fixes and minor improvements of v17.8 SR-6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 7, 2014 - 14:33:   

Preview 3:

* The alternative e-mail preview now supports Base64-encoded e-mail bodies.

* The 1st sector column now optionally shows physical start sector numbers for files in partitions (counted from the start of the physical disk or disk image) instead of logical start sector numbers, if the partition was opened from within the physical disk/disk image. In that case the column label contains a P in a circle (P for physical). Can be changed in the directory browser options dialog. Only for ordinary partitions, not Windows dynamic volumes or LVM2 volumes.

* The Go To Sector dialog, when applied to a physical disk, now optionally allows to jump to the designated sector within the respective partition window, so that you can immediately see the allocation status of the corresponding cluster. Only for ordinary partitions, not Windows dynamic volumes or LVM2 volumes.

* Same fix level as v17.8 SR-6.

* Several minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 12, 2014 - 21:48:   

Preview 4:

* Same fix level as v17.8 SR-7.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 25, 2014 - 20:51:   

Preview 5:

* New file carving flag "B" (upper case) introduced, which prevents a byte-level search for that particular signature, for performance reasons.

* Fixed a rare exception error that could occur when extracting metadata from .evtx Event Log files.

* Various minor improvements.

* Same fix level as v17.8 SR-8.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 28, 2014 - 23:30:   

Preview 6:

* The new columns with alternative timestamp can now be shown dynamically, i.e. only when items that have such timestamps are displayed in the visible portion of the directory browser.

* Support for new variants of AppCompatCache and big data records in registry hives in the registry viewer and registry report.

* Fix for geo information in BlackBerry JPEGs.

* Improved file carving algorithm for zip.

* Fixed an exception error that could occur when extracting metadata from PE EXE (RLL).

* Same fix level as v17.8 SR-9.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 3, 2014 - 14:00:   

Preview 7:

* Checks for and warns of overlapping partitions when creating a cleansed image of a partitioned physical disk. Does not omit clusters in affected disk areas and recommends to image relevant partitions separately.

* Some fixes of errors in Preview 6.

* Some of the fixes of v17.8 SR-10.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 7, 2014 - 22:01:   

Preview 8:

* Checks for and warns of overlapping partitions when creating a cleansed image of a physical partitioned disk. Does not omit clusters in affected disk areas as intended and recommends to image relevant partitions separately.

* Same fix level as v17.8 SR-10.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 8, 2014 - 14:07:   

Preview 9:

* Ability to use different versions of the viewer component for viewing on the one hand and decoding text on the other hand at the same time. You can now specify separate directories in the Options | Viewer Programs dialog window. This is useful to benefit from the extended file format support of the latest version 8.5 and at the same time employ the more reliable text decoding capabilities of the previous version 8.4.1 for PDF files produced by the OCR software Abbyy Fine Reader 11 and possibly others.

* Same fix level as v17.8 SR-11.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 15, 2014 - 22:49:   

Beta 1:

* The gallery can now show thumbnails for any file type supported by the viewer component, including Office documents, PDF, HTML, e-mails, and pictures that the internal graphics viewing library cannot display (e.g. .emf, .wmf, ...). You can choose between normal and shrunk thumbnails of documents. Shrunk thumbnails show much more detail from an original document and the original layout, but at the cost of readability. Larger fonts (in particular captions) in an original document, if not shrunk, are typically readable in the thumbnail and can already give you an idea what kind of document it is even if you don't view it, so you can more quickly find the documents that you are looking for. Plus, you will be able to see which documents can be nicely viewed with the viewer component at all. It is recommended to run X-Ways Forensics with Aero enabled in Windows when using the gallery.

Files that are larger than 16 MB are not represented with a thumbnail, for performance reasons. X-Ways Forensics tries to abort the generation of a thumbnail if it takes longer than a few seconds. If the generation of a true thumbnail is unsuccessful, you may see a viewer component error message like "Operation cancelled" in tiny red letters instead. If thumbnail generation is not even attempted by X-Ways Forensics, you will just see the filename and an icon.

* All options related to Gallery mode have been moved from Options | General to Options | Viewer Programs.

* When removing existing report table associations from selected files, they are now also removed from relatives of the selected files depending on the connection options of the report table (selected file, direct children, parent objects, known duplicates etc.).

* Ability to override the sector size in .e01 evidence files when interpreting the image/adding it to a case, as usual by holding the Shift key. Useful for incorrectly marked .e01 evidence files, to get the partition and file system interpretation right. Such erroneous .e01 evidence files can be the result of a conversion from an incorrectly interpreted raw image to .e01 or of an incorrect sector size emulation by a USB adapter or of previous cloning of a hard disk to another hard disk with a different sector size. If you override the sector size when adding an image to a case, that sector size will be remembered in the evidence object.

* Tools | Disk Tools | Scan For Lost Partitions now supports disks with 4 KB sector size.

* Downloaded files in NTFS can now be more conveniently recognized because in newly taken volume snapshots their alternative data stream "Zone.Identifier" is represented as a report table association (see Options | Volume Snapshot). That means you do not need to navigate to the child object to find out what the child object might be. "ZoneId=3" as the name of the report table identifies files downloaded from the Internet.

* Filter for the 1st sector column. Allows to focus on files whose contents start in certain sector ranges, for example to identify files that are definitely affected by known bad sectors or to identify files whose contents are stored past the end of a known incomplete image. Also allows to focus on carved files that are either aligned at sector boundaries or not, for example after having run a file header signature search at the byte level, to remove garbage files, which are more frequently those that are not aligned.

* The number of active filters is now displayed in the caption line of the directory browser, next to the blue filter symbol on the left. Column-based and column-independent active filters are counted separately. Useful because there might be column-based filters active for columns that are not currently visible in the directory browser, and that column-independent filters are active may be otherwise apparent only when checking in the directory browser options dialog.

* Ability to decode fully Base64-encoded files in the volume snapshot and provide the result binary as a child object as part of "Uncover embedded data in various file types", provided that the encoded file has "b64" in the Type column.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 18, 2014 - 13:08:   

Beta 2:

* Improved support for non-picture thumbnails in the gallery, and a stronger shrink option (now a 3-state checkbox).

* More thorough listing of DLLs of other processes in Tools | Open RAM in the 64-bit edition.

* Extraction of Internet Explorer browsing history from the Windows.edb database. Visited URLs are added to the event list as part of Windows.edb processing in "Uncover embedded data in various file types". The URLs remain in Windows.edb even after erasing the browser history in Internet Explorer.

* Some of the fixes of v17.8 SR-13.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 24, 2014 - 19:51:   

Beta 3:

* New filename conventions for sector superimposition. The expected filenames are now like "n.sector", where n is the name of the start sector and the new extension is ".sector".

* New variant of skeleton imaging called "snippet imaging". After invoking the File | Create Skeleton Image menu command, click the "Snippet imaging" button in the file selection dialog window. Any sectors that are being read by X-Ways Forensics from any disk or image while snippet imaging is active are written into separate files named after the sector number, with a .sector extension, in a subdirectory of the default directory for images named after the disk or volume. Contiguous sector reads are copied to a single file.

Snippet imaging mode can be deactivated by invoking the File | Snippet Imaging menu command. Helpful in very specific situations only, for example for debugging purposes, when in need for very specific sectors only that are best located by the software automatically (e.g. data structures needed when opening a particular file). Compared to skeleton imaging, snippet imaging can be beneficial because no image file of the same size as the source disk is created. (Even if it's a nominal size only and the image is sparse, sparse does not help if the file needs to be sent via Internet or copied to a file system that does not preserve the sparse nature of the file.)

Because of their compatible names, snippet image files can be directly used for sector superimposition. They can also be conveniently and very, very restored to other disks (all such files in the same directory at the same time) by clicking the new button "Snippet imaging" in the File | Restore Image dialog window.

* The digit grouping option has moved from the Data Interpreter options to the general notation options and now has a global effect in the program.

* Option to rename ordinary files in the volume snapshot, not just virtual and carved files, if the Shift key is pressed when a file is right-clicked. Although not exactly forensically sound when dealing with original evidence, this can prove helpful in special situations, for example if a filename or directory name is too long to copy a file out of an image etc. The original filename will be kept as the alternative filename. Note that this does not rename the file in the file system, only in the volume snapshot, i.e. the internal database in X-Ways Forensics about the file system.

* Some minor improvements.

* Same fix level as v17.8 SR-13.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 30, 2014 - 10:02:   

Beta 4:

* Support for Windows 8 AppCompatCache in the Windows Registry.

* The decomposition of V1 GUIDs into timestamp, sequence number and MAC address in the Data Interpreter as well as in templates is now optional. In the Data Interpreter options you can now choose to force the decomposition as before (fully checked) or prevent it (to always get the standard GUID notation in braces) or to see the decomposition only if the timestamp is not too implausible (half checked). The latter setting is helpful for example for Apple GPT values that claim to be V1 GUIDs, but contain twisted ASCII text instead of valid timestamps.

* The gallery now has its own "Dbl-click=View instead of Explore" 3-state option, analogously to the directory browser. By default, double-clicking will still mean View in the gallery.

* Longer filter expression for video processing supported.

* Program help and user manual updated for v17.9.

* Some minor improvements.
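The V1 GUID decomposition and the three-state plausibility behaviour described above, as an added illustration that is not X-Ways code: it reads the on-disk mixed-endian GUID, checks the version nibble, splits out the 60-bit timestamp (100 ns ticks since 1582-10-15), clock sequence and node, and renders the value according to the chosen mode. The 1980-to-present plausibility window is an assumption, not the product's actual threshold; the sample V1 GUID is constructed, and the Apple HFS+ partition type GUID is included because its leading bytes are the ASCII "HFS" the post alludes to.

```python
import struct
from datetime import datetime, timedelta, timezone

# V1 GUID timestamps count 100 ns ticks since the Gregorian reform, 1582-10-15 UTC.
GUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
# Assumed plausibility window (not X-Ways' threshold): from 1980 up to the present.
PLAUSIBLE_FROM = datetime(1980, 1, 1, tzinfo=timezone.utc)


def parse_guid(text: str) -> bytes:
    """'{8-4-4-4-12}' or bare text to the 16 raw bytes as stored on disk (first three
    groups little-endian, the last two big-endian)."""
    hexstr = text.strip("{}").replace("-", "")
    d1, d2, d3 = int(hexstr[:8], 16), int(hexstr[8:12], 16), int(hexstr[12:16], 16)
    return struct.pack("<IHH", d1, d2, d3) + bytes.fromhex(hexstr[16:])


def guid_to_text(raw: bytes) -> str:
    """Standard braced notation, the fallback when decomposition is off or implausible."""
    d1, d2, d3 = struct.unpack_from("<IHH", raw, 0)
    tail = raw[8:].hex().upper()
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2, d3, tail[:4], tail[4:])


def decompose_v1(raw: bytes):
    """Timestamp, clock sequence and node of a value whose version nibble claims V1,
    or None for any other version."""
    d1, d2, d3 = struct.unpack_from("<IHH", raw, 0)
    if d3 >> 12 != 1:
        return None
    ticks = ((d3 & 0x0FFF) << 48) | (d2 << 32) | d1
    ts = GUID_EPOCH + timedelta(microseconds=ticks // 10)
    clock_seq = struct.unpack_from(">H", raw, 8)[0] & 0x3FFF
    node = ":".join("%02X" % b for b in raw[10:16])
    return {"timestamp": ts, "clock_seq": clock_seq, "node": node,
            "plausible": PLAUSIBLE_FROM <= ts <= datetime.now(timezone.utc)}


def render(raw: bytes, mode: str) -> str:
    """mode mirrors the 3-state option: 'always' (fully checked), 'never' (unchecked),
    'if_plausible' (half checked)."""
    parts = decompose_v1(raw)
    if mode == "never" or parts is None or (mode == "if_plausible" and not parts["plausible"]):
        return guid_to_text(raw)
    return "%s seq=%d node=%s" % (parts["timestamp"].isoformat(), parts["clock_seq"], parts["node"])


def make_v1_guid(ts: datetime, clock_seq: int, node: bytes) -> bytes:
    """Construct a genuine V1 GUID from its components (for the sample below)."""
    ticks = ((ts - GUID_EPOCH) // timedelta(microseconds=1)) * 10
    d1, d2 = ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF
    d3 = 0x1000 | ((ticks >> 48) & 0x0FFF)          # version 1 in the top nibble
    cs = 0x8000 | (clock_seq & 0x3FFF)               # RFC 4122 variant bits
    return struct.pack("<IHH", d1, d2, d3) + struct.pack(">H", cs) + node


# Constructed sample: a real-looking V1 GUID with a 2014 timestamp and a made-up node.
SAMPLE_TS = datetime(2014, 10, 2, 6, 15, tzinfo=timezone.utc)
SAMPLE_GUID = make_v1_guid(SAMPLE_TS, 0x1234, bytes.fromhex("005056123456"))
# Apple HFS+ partition type GUID: version nibble says V1, but the time fields hold "HFS".
APPLE_HFS = parse_guid("48465300-0000-11AA-AA11-00306543ECAC")
```

With the half-checked mode the Apple value falls back to braced notation because its decoded timestamp lands in 1962, while the constructed 2014 GUID is decomposed.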

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 2, 2014 - 6:15:   

v17.9 has just been released.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 20, 2014 - 7:38:   

SR-1:

* Fixed inability to filter by hash sets when the hash database was in use for matching in another instance.

* Fixed an exception error that could occur in the original 17.9 version when opening dependent viewer windows from within the viewer component or closing them.

* Fixed metadata representation of processes in Details mode in the 64-bit edition.

* Fixed inability to open dynamic volumes in certain situations.

* Fixed some minor memory leaks.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 4, 2014 - 7:34:   

SR-2:

* Fixed HTML export highlighting for search hits in certain code pages.

* Files referenced in volume shadow copies are now typically shown again in their original directories, like in earlier versions.

* Fix and improvement for TAR carving.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 4, 2014 - 20:36:   

SR-3:

* Chinese translation of the user interface updated.

* Fixed an exception error that could occur in SR-2 when opening certain volumes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 11, 2014 - 17:52:   

SR-4:

* Fixed an exception error that could occur when opening partitions of physical disks that were added to the case without parent disk.

* Prevented an error message that in certain situations incorrectly stated that the volume snapshot was changed from outside of the current session.

* No longer treats previously existing hash sets in the hash database as existing in certain situations.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 17, 2014 - 20:43:   

SR-5:

* Fixed incorrect representation of metadata of processes in memory dumps in the 64-bit edition.

* Fixed incomplete NEAR combination of search hits in certain situations.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 19, 2014 - 10:52:   

SR-6:

* Fixed an error in certain volume snapshots taken by the 64-bit edition of SR-5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 20, 2014 - 20:02:   

SR-7:

* Fixed misrepresentation of partition table entries in the 64-bit edition of SR-6 when deleted partitions were found.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 24, 2014 - 11:02:   

SR-8:

* Fixed corruption of hash set names in certain situations in the 64-bit edition of recent service releases of v17.9 and v18.0 Preview. Garbled hash set names can be manually rectified with the Rename function.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 2, 2014 - 19:44:   

SR-9:

* Fixed an instability problem that could occur when processing certain MBOX e-mail archives.

* Fixed swapped timestamps of files found in VSC.

* Prevents a possible exception error that might occur when parsing certain corrupt LVM2 configurations.

* Prevents a rare exception error that could occur when parsing corrupt .evtx event log files.

* Fixed a technical problem for a few dongle users.

* Registry keys in the registry viewer should now always be sorted alphabetically.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 4, 2014 - 15:56:   

Dec 4, 2014:

* Fixed an error in evidence file container creation in v17.9.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 28, 2015 - 19:43:   

SR-10:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.9.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 22, 2015 - 19:43:   

SR-11:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.9.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 28, 2015 - 19:11:   

SR-12:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v17.9. This is probably the last service release for v17.9.

Forum operated by X-Ways Software Technology AG.