X-Ways Forensics 18.2 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 18.2 « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 22, 2015 - 19:48:   

A preview version of the dongle-based edition of X-Ways Forensics 18.2 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Viewing support for Ext3/Ext4 journals. Our File Systems Revealed training course now also explains the Ext journal.

* Ability to specify in great detail which types of file archives and which zip subtypes should be explored to include their contents into the volume snapshot.

* Support for up 32 external viewer programs instead of 9. Their paths are now defined in a separate file, named Programs.txt, so that it is easier to share a collection of external programs separately, or keep them when taking over all other settings from someone else.

* Reliably preserves the PhotoDNA category of pictures, if identified, in evidence file containers, and can show it in installations whose PhotoDNA database has a category of the same name, after a volume snapshot of the container has been taken.

* Ability to split huge HTML and TSV exports from the directory browser into separate files.

* Ability to tweak CPU and memory utilization of indexing, and more conservative default values are used.

* Exchange EDB extraction slightly revised.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 24, 2015 - 8:51:   

Preview 1+:

* Fixed an infinite loop that could occur in the original Preview release.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 24, 2015 - 19:03:   

Preview 2:

* Both default and maximum file sizes for carving are now individually specified in the "File Header Signatures Search.txt" file on a per file type basis, no longer generically in the user interface. That allows for better output quality because different file types have different variances in typical file sizes (larger or smaller deviations from their respective average file size).
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 26, 2015 - 10:33:   

Preview 2+:

* Several minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 9, 2015 - 13:37:   

Preview 3:

* The virtual "Free space" file is now frozen also once it is indexed, to avoid later invalidation of index offsets.

* Faster processing of huge numbers of original .eml and .msg files in very large volume snapshots. Volume snapshots saved by earlier releases have to be converted to a new format by v18.2 Preview 3 and later.

* Various minor improvements.

* Same fix level as v18.1 SR-3.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 12, 2015 - 9:52:   

Preview 4:

* Avoided garbled look of toolbar icons on systems with only 16-bit color depth (High Color).

* Exchange EDB support slightly revised.

* Support for Project VIC JSON files format 1.2.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 13, 2015 - 20:10:   

Preview 5:

* Tentative support for Exchange 2010 EDB databases. Feedback appreciated!
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 16, 2015 - 8:56:   

Preview 6:

* More efficient processing of solid 7zip archives.

* Substring filter for the Author column.

* Extended support for relative paths to external programs.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Mar 17, 2015 - 21:09:   

Beta 1:

* Volume shadow copy processing revised, delivering better results.

* Extraction of browsing history information from Safari's icon database. This alternative source is very interesting because it records browsing history even when Safari is in private browsing mode.

* Ability to copy the path of the selected key in the Registry Viewer using a new context menu command.

* Maintains a history of the last 8 search terms used in the Registry Viewer.

* Ability to view .DS_Store in more detail in Preview mode.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 18, 2015 - 19:08:   

Beta 2:

* A new button labelled "XT" is now shown when viewer X-Tensions are available (loaded), next to the "Raw" button. Allows you to conveniently change the preview to the representation provided by the first viewer X-Tension that feels responsible for the type of the selected file. Or back to the regular preview if not helpful, in both directions with a single mouse click. You may also combine Raw and XT submodes of Preview mode, for example for debugging purposes if you are programming a viewer X-Tension of your own and have it return HTML code that you wish to check in X-Ways Forensics.

* Improved dealing with incomplete Ext* partitions, in particular those that are part of Linux software RAIDs if not reconstructed by the user, but processed directly by themselves.

* Same fix level as v18.1 SR-4.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 22, 2015 - 19:41:   

Beta 3:

* For the file systems Ext2/Ext3/Ext4, there is now a "Particularly thorough file system data structure search" functionality, which checks the entire volume for previously existing directory structures whose contents are no longer known from corresponding inodes (these would have been looked at as part of the regular volume snapshot already). Such directories are listed with a generic name, usually in "Path unknown", but potentially in the root directory, if that is where they existed previously (the root directory is special in this situation, as it has an unchangeable ID).

* New directory browser context menu command to exclude files based on identical names instead of identical hash values. This is a case-insensitive comparison and of course should be used only if you know what you are doing, as it does not compare the file contents at all. Could be useful for example if you wish to get rid of multiple copies of the same files found in backups if you do not need to keep different versions of these files. If prior to the comparison for example you sort by last modification date in descending order, this will ensure that the newest version of the file will be kept and all older versions will be excluded. Files with identical names are not marked as duplicates in the Attr. column. That happens only if you identify identical files based on hash values, in previous versions.

* Context menu for directories in the Case Data window. Available if "More context menus" in Options | General is fully checked or if the Shift key is pressed while right-clicking a directory. Allows to recursively explore the right-clicked directory (just like when no context menu is shown), allows to tag the directory recursively (just like when pressing the Space bar), to expand the directory recursively (just like when pressing the multiply key of the numeric keypad), to collapse all, export a subtree into an ASCII text file, or copy the entire path of that directory into the clipboard.

* "Create main report" is now a 3-state checkbox in the case report options dialog. If only half checked, details about the evidence objects are not included in the case report, the evidence objects are merely listed. Evidence objects details, if included, now precede report tables in the report. Links to report tables now work even if the report is optionally split into multiple HTML files, and there is a link back from each report table to the report table overview. The report is now split based on the number of items that are referenced, not based on the number of pictures that are displayed in the report. If the report is split, the next segment is now linked from the bottom of the previous segment.

* Improved support for logical memory addresses in the Position Manager (previously called "virtual" memory addresses).

* Various minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 26, 2015 - 11:03:   

v18.2 was just released.

Additional changes:

* The case log, if output along with the case report, is now a separate HTML file. If the report is saved in a directory other than the case directory and screenshots of the case log are to be included, they are now copied to the appropriate subdirectory.

* The Chinese translation of the user interface was updated.

* Slightly revised file type verification.

* The downloadable user manual has been updated for v18.2.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 27, 2015 - 18:38:   

SR-1:

* Matches with deleted hash sets (which are not discarded from volume snapshots when the hash sets are marked as deleted in the hash database) are now marked in the "Hash set" column with the word "deleted" to avoid confusion and mix-ups with existing hash sets of the same name. Some users who delete hash sets from a hash database, add new hash sets, but do not match hash values of files against the hash database again, might have confused that they cannot target files with matches using the "Hash set" column filter, which only offers existing hash sets.

* More likely enough space now in evidence file containers for e-mail messages with extremely long subjects, extracted sender and recipients text, comments, and report table assocations.

* The newly introduced optional commas in the column "Default size" in "File Type Signatures Search.txt" have been replaced with colons for better compatibility with MS Excel.

* Keeps track of viewed files when viewed in the gallery only for pictures, even if non-picture files are represented in the gallery by thumbnails as well (as introduced with v18.0).

* Prevented erroneous "Please stop ongoing operation first." message that could occur when trying to hash files in large volume snapshots, and subsequent exception errors.

* Fixed an error with message "Unable to release memory" that could occur during file header signature searches.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 1, 2015 - 8:14:   

As of today, downloading X-Ways Forensics requires a Facebook account, requires you to be logged in to Facebook, and requires you to "like" our Facebook page. And you must have invited all of your Facebook friends to "like" our page, and at least 10 of them must actually "like" it. You also have to share all your contacts in your e-mail client and in your smartphone with us, and your location every time when you want to download. Thank you.
Top of pagePrevious messageNext messageBottom of page Link to this message

W. Spiegl
Username: ws

Registered: N/A
Posted on Wednesday, Apr 1, 2015 - 8:59:   

no problem on April 1st!
Top of pagePrevious messageNext messageBottom of page Link to this message

Jimmy Weg
Username: jw

Registered: 7-2006
Posted on Wednesday, Apr 1, 2015 - 16:26:   

(And you must proclaim that you have traded your XWF dongle for a copy of the the "World's Leading Forensic Tool.")
Top of pagePrevious messageNext messageBottom of page Link to this message

JAMES BISHOP
Username: medexguy

Registered: N/A
Posted on Wednesday, Apr 1, 2015 - 20:15:   

I've done all of that and even have already named my next child "Stefan".
Top of pagePrevious messageNext messageBottom of page Link to this message

Ted Smith
Username: ted_smith

Registered: N/A
Posted on Friday, Apr 3, 2015 - 14:45:   

I'll take your suggestion and raise it - I've named my next child "Stephanie" :-)
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Apr 4, 2015 - 11:19:   

SR-2:

* Fixed errors that occurred when dealing with medium to large hash databases. Symptoms were reports of a corrupt hash database by the integrity test (although as stored on the disk the database was not necessarily corrupt), as well as potentially some other non-specific errors. If you have altered an existing hash database in v18.2, the integrity test in v18.2 SR-2 may still report errors in the database, and in that case the errors are permanent and you would have to set up your database again. Sorry.

* Fixed an exception error that occur in v18.2 when resetting items in the volume snapshot with Ctrl+Del.

* Fixed an instability problem that could occur when parsing certain PList files.

* Softened filtering for events from Windows event logs. Improved stability and responsiveness for event log processing, and sub-progress indication added.

* Exception error fixed that could occur when extracting metadata from .eml files.

* Fixed very rare type misidentification for some very small files.

* Fixed an exception error that could occur in v18.2 after imaging a disk before automatic verification if in Gallery mode.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 28, 2015 - 19:12:   

SR-3:

* Fixed potential stack overflow error when dealing with certain constellations of deeply nested archives.

* Fixed a potential crash that could occur after running a search for several lengthy search terms with hits for many of those search terms in the same file.

* HTML previews of SQLite databases sometimes appeared incomplete in the 64-bit edition. That was fixed.

* Fixed a few rare exception errors.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 10, 2015 - 20:06:   

SR-4:

* An error has been fixed that could lead to duplicated and very slow inclusion of previously existing files in volume snapshots of Ext2/Ext3/Ext4 file systems.

* Prevented possible infinite loop when processing newsgroup archives in DBX format.

* Some minor fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 16, 2015 - 17:36:   

SR-5:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.2.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 13, 2015 - 19:00:   

SR-6:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.2.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 16, 2015 - 11:04:   

SR-7:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.2. This is probably the last service release for v18.2.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 25, 2015 - 18:09:   

SR-8:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.2. This is the last service release for v18.2.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.