X-Ways Forensics 18.1

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 4, 2015 - 22:15:   

A preview version of the dongle-based edition of X-Ways Forensics 18.1 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Better support for larger font sizes in the hex editor display and in character tables. Improved scaling of various elements of the user interface with high DPI settings in Windows, especially directory browser and case tree icons, small center screen buttons, the status bar, tag squares, sort arrows. Important especially for high resolution displays (4K or 5K displays, such as the Retina displays of recent Mac computers) and users with below average eyesight. File and directory icons generally revised and now more consistent between directory tree and the directory browser.

* When imaging media with active compression, X-Ways Forensics now provides immediate visual feedback about the actual amount of data found on the disk. That is possible because disk areas that were never written as well as disk areas that were wiped achieve extremely high compression ratios. The rolling compression ratio is represented during imaging by vertical bars in a separate window. The higher the bar, the lower the "data density" in that area. The compression statistics are also stored in the .e01 evidence file, so that the same chart is also available at any later time from the evidence object properties dialog when you click the "Compression" button.

* Option to fill the block hash database with 1 hash set per file for multiple selected files, unlike previous versions, which created 1 hash set spanning all selected files.

* Ability to maintain 2 hash values per evidence object. Ability to import 2 hash values from .e01 evidence files produced by X-Ways Forensics or X-Ways Imager.

* The option "Name output files after unique ID" in Recover/Copy is now available also when recreating complete or partial original paths in the output directory.

* The search term list now offers a "Max. 1" option when multiple search terms are selected that are not forced with a + or excluded with a -. "Max. 1" will list search hits only if they are contained in files that do not contain any of the other selected search terms. For example for 3 search terms, to get the same results in previous versions, you would have had to list search hits for search term A while excluding B and C, then list search hits for B while excluding A and C, and then list search hits for C while excluding A and B, which of course is not as elegant and does not show you all such singular search hits at the same time.

* The search term list now offers a "NOT NEAR" option (abbreviated NTNR) in addition to "NEAR". With 2 selected search terms, NTNR will ensure that only search hits are listed that are not located in vicinity of any search hits of the respective other search term. With more than 2 selected search terms, the result is currently undefined.

* Two new case report options have been added. "Name output files after unique ID" will ensure filenames that are succinct, unique, trackable and reproducible, and will also ensure that if the same file is associated with multiple report tables, it will be copied to the report subdirectory only once. That saves time and drive space. "List each file only once" is a 3-state checkbox. If fully checked, no file will be referenced in the report by more than one report table any more. Note that you can still see all report table associations of a file when it is listed in its first report table in the report, if you output the field "Report table". If the checkbox is half-checked, that means that a file will still be referenced (listed) by multiple report tables in the report if it has multiple associations, but copied only once and linked only from the first report table.

* Ability to include all items in all open evidence objects in the directory browser options dialog of a recursively explored case root window.

* New X-Tension function XWF_GetEvent, which retrieves information about an event in the internal event list of an evidence object.

* X-Tension functions XWF_GetReportTableInfo and XWF_GetVSProp revised.

* Specialist | Refine Volume Snapshot now shows the size of extracted metadata and comments in memory and allows discarding extracted metadata if necessary, to reduce main memory requirements. Now supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB before).

* A new gallery option allows tagging a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable than selecting multiple files while holding the Ctrl key.

* Several minor improvements.

* Same fix level as v18.0 SR-5.
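
An added illustration, not X-Ways code and not part of the original post, of the imaging item above on compression ratio as a "data density" indicator: each chunk of a constructed image is compressed with zlib, and chunks that shrink to almost nothing are reported as never-written or pattern-wiped ranges. The chunk size, the 1% threshold and all function names are assumptions made for this example.

```python
import hashlib
import zlib

CHUNK = 64 * 1024     # assumed window size; the page does not state the one X-Ways uses
SPARSE_BELOW = 0.01   # assumed cut-off: compressed size under 1% of the input

def density_profile(image, chunk=CHUNK):
    """Return (offset, length, compressed/original) for each chunk of the image."""
    profile = []
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        profile.append((off, len(block), len(zlib.compress(block, 6)) / len(block)))
    return profile

def sparse_runs(profile, threshold=SPARSE_BELOW):
    """Merge adjacent low-density chunks into (start, end) byte ranges."""
    runs = []
    for off, length, density in profile:
        if density >= threshold:
            continue
        if runs and runs[-1][1] == off:
            runs[-1] = (runs[-1][0], off + length)   # extend the previous run
        else:
            runs.append((off, off + length))
    return runs

def bar_chart(profile, width=40):
    """Text version of the chart: the longer the bar, the lower the data density."""
    rows = []
    for off, _, density in profile:
        bar = "#" * round((1 - min(density, 1.0)) * width)
        rows.append(f"{off:>8}  {density:6.4f}  {bar}")
    return "\n".join(rows)

def build_sample_image():
    """Constructed image: never-written, text, pattern-wiped, incompressible, never-written."""
    text = "".join(
        f"2015-01-04 22:15:{i % 60:02d} user{i} opened file_{i * 7919}.doc\n"
        for i in range(4000)
    ).encode()[:2 * CHUNK]
    # SHA-256 counter stream stands in for encrypted or already-compressed data.
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(2 * CHUNK // 32))
    return (b"\x00" * (3 * CHUNK) + text + b"\xff" * (2 * CHUNK)
            + noise + b"\x00" * CHUNK)

if __name__ == "__main__":
    profile = density_profile(build_sample_image())
    print(bar_chart(profile))
    for start, end in sparse_runs(profile):
        print(f"sparse: {start:#x}-{end:#x}")
```

An area overwritten with random data compresses as poorly as encrypted content, so only constant-pattern wipes show up as sparse ranges in this sketch.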

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 16, 2015 - 11:23:   

Preview 2:

* Support for Project VIC JSON files format 1.1.

* Additional information provided to X-Tensions via the XT_Init call.

* File type verification revised. Category order revised (based on typical frequency).

* Now up to 2 alter egos of the same user may open the same case at the same time. Some users might find this useful for parallelized simultaneous volume snapshot refinement of different evidence objects in the same case on the same computer.

* Support for the updated database format of the Chrome history. Support for Opera browsing history since version 15.0 (the switch to the Chromium engine).

* .evtx event log processing slightly revised.

* Several minor improvements.

* Same fix level as v18.0 SR-6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 18, 2015 - 16:31:   

Preview 3:

* Support for the hash types Tiger128, Tiger160, and Tiger192.

* "Name output files after unique ID" is now a 3-state checkbox. If half checked, the files will not be named purely after the unique ID (+extension) any more. Instead, the unique ID will be inserted between base filename and filename extension.

* Nicer names for files that are extracted from Google Chrome caches.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 22, 2015 - 19:33:   

Preview 4:

* Support for Tiger Tree Hashes (TTH). Useful for investigations that involve Direct Connect P2P file sharing programs. Base32 notation for TTH can be enabled in the directory browser options.

* Type verification revised.

* New file carving method for Quickbooks .qbw files.

* Some fixes and minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 27, 2015 - 20:33:   

Beta 1:

* Support for Windows 10 (Technical Preview) as a platform.

* Several toolbar and menu icons have been revised. In particular, almost all icons are now available in high resolution for high DPI settings (for owners of 4K or 5K displays). New icons are now shown to represent pictures, e-mails, and miscellaneous Outlook data.

* It is now easier to use CSS (cascading style sheets) for case report format definitions. In addition to defining the parameters for standard HTML elements (which would have been possible previously already), key elements of the report are now assigned "class" parameters to simplify targeting those for formatting purposes. Example style sheets are available to use as a basis for further modification. The report options allow picking or editing a CSS file as part of the reporting process. The new default is "Case Report.txt". The previous default is still available as "Case Report Classic.txt".

* Minor fix in the HTML code of search hit exports.

* Special carving support for EDB (ESE) log files (.edblog). These log files are forensically relevant in that Microsoft stores more and more internal data about EDB databases in these files. The log files record and keep the complete data that is added to a database at a certain point, until it is eventually deleted in the log file. Typically multiple such log files can be recovered from Windows systems, and search hits in such a log file are more meaningful than in ordinary free space. Metadata is also extracted from these log files.

* Better support for the CAB file format family, which includes Windows Installer files (less interesting), Windows Cabinet (more interesting, may contain e-mails) and Microsoft OneNote packages (also more interesting).

* Same fix level as v18.0 SR-8.

Beta 1 is also available to BYOD users.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 1, 2015 - 21:31:   

Beta 2:

* A few minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 9, 2015 - 6:33:   

Beta 3:

* In newly taken Volume Snapshots of Ext3 and Ext4 file systems, X-Ways Forensics now considers the contents of these file systems' journals as alternative sources for information. This may lead to the listing of additional previously existing files, or the listing of previously existing files that were found without contents in previous versions now also found with contents, or the identification of previous names for currently existing files (in the latter case, a note to that effect would be added to the existing file's Metadata column). Important caveat: Since Ext3/4 journaling involves copies of entire file system blocks, journal rollover will occur quite quickly on very active partitions, with the most recent entries in the journal being identical to the current state of affairs, of course.

* Retrieves some essential information about Windows installations, if found, from partitions or images that are added to a case, and displays them in the evidence object properties.

* Support for Deflate64 compression in zip archives.

* Fixed an exception error that could occur when extracting e-mails from certain MBOX e-mail archives.

* Minor fix for and improvement of event extraction from .evtx event logs in case events had been deleted in the event log by the user.

* Option to show pictures above the text in report tables in the case report, not below.

* Italian translation of the user interface updated.

* Some other minor improvements and fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 12, 2015 - 13:00:   

Beta 4:

* Reconciles information from Ext3/4 directory entry remnants and the journal, for a more complete and faithful representation of previously existing files, with contents and timestamps that were not available previously.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 12, 2015 - 19:07:   

Beta 5:

* Files whose representations are based on an inode in the Ext3/Ext4 journal are marked with (Jrnl) in the Attr. column. A filter for such files is available.

* Fixed potential spill-over of sender and recipients to other e-mail fragments extracted from Windows.edb.

* Some file type verification improvements.

* Some minor improvements.

* Program help and user manual updated for v18.1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 16, 2015 - 6:17:   

v18.1 was just released.

Additional change: Fixed an error that could occur when processing file archives larger than 2 GB.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 17, 2015 - 20:45:   

SR-1:

* Processing of more zip subtypes.

* Fixed a rare exception error that could occur when processing MBOX files.

* Fixed incomplete representation of WebCacheV01.dat files in v18.1.

* v18.1 did not take correct volume snapshots of certain Ext3/4 partitions. That was fixed.

* No longer blindly adopts certain machine-specific settings from a re-used .cfg file upon start-up that made sense with different hardware only.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 22, 2015 - 19:44:   

SR-2:

* Fixed extremely slow progress that could occur in v17.9 and later when carving MPEG files.

* Fixed an error that could occur under certain circumstances when processing file archives larger than 4 GB in the 64-bit edition.

* Fixed a crash that could occur in the 64-bit edition when extracting metadata from certain HTML files.

* Some minor file type verification fixes.

* Fixed some unnecessary error messages that were potentially output in v18.1 when searching for embedded data in OLE2 compound files.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 8, 2015 - 21:24:   

SR-3:

* Sender and recipients now shown for e-mails that are extracted from livecomm.edb.

* Fixed an exception error that occurred in v18.1 when running searches in the Registry Viewer.

* An exception error was fixed that could occur in v18.0 and later when carving certain PDF files.

* Fixed an error that could lead to data corruption in remaining extracted files when removing other excluded extracted files from the volume snapshot.

* Fixed a memory corruption error that could occur during net free space computation.

* Fixed an exception error that could occur in v18.1 when taking a snapshot of certain Ext3 or Ext4 volumes.

* Fixed various exception errors in very specific situations and some minor errors.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 18, 2015 - 19:04:   

SR-4:

* Fixed considerable inefficiency in dealing with very large nested file archives.

* Fixed an exception error that could occur when extracting metadata from Windows Registry hive fragments.

* Fixed an exception error that could occur when uncovering embedded data in PDF files.

* Fixed code page error in Italian translation of the user interface in v18.1.

* Updated language.txt files for custom translation (e.g. just report generation) now available for download for v17.9, v18.0, and v18.1.

* X-Ways Forensics did not always remember X-Tensions listed in the dialog window from previous sessions. That was fixed.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 26, 2015 - 8:34:   

SR-5:

* Prevented excessive memory consumption that could occur in very specific constellations when decoding text during logical searches or indexing.

* Fixed missing scrollbars in preview of PDF documents after non-picture files were represented in the gallery.

* Fixed an exception error that could occur when processing corrupt RIFF files.

* Prevented a possible infinite loop when processing corrupt EVT files.

*** The log-in data for password-protected downloads and web pages has changed for users of the dongle-based edition of X-Ways Forensics. ***
(for the first time in ~ 1 1/2 years)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 28, 2015 - 19:12:   

SR-6:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 16, 2015 - 17:36:   

SR-7:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.1.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 13, 2015 - 19:00:   

SR-8:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.1. This is probably the last service release for v18.1.

Forum operated by X-Ways Software Technology AG.