X-Ways Forensics 18.6 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 18.6 « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 15, 2015 - 21:18:   

A preview version of the dongle-based edition of X-Ways Forensics 18.6 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Option to limit the number of produced video stills per video as defined by the user (1-255), no matter the play length. Useful to significantly decrease the output compared to fixed-length still intervals for longer videos. (Fixed-length intervals result in number of stills that grows proportionally with the play length.) This may decreases your workload a lot if you are going to look at all stills in the gallery, and also decreases the time to process long videos, but of course at the cost of being less thorough and an increased risk of missing something should any suspect hide relevant content somewhere within an innocuous video. X-Ways Forensics tries to extract the fixed number of stills evenly from all over the video to give a representative impression of it.

* Revised detection of and protection against of zip bombs. Newly introduced detection of and protection against recursive zip and gz archives and possibly other archive types. Protection means that processing will stop at a certain level once the malicious nature of the archive is detected. Archives identified in this fashion will be marked as already processed and added to a special internal report table. Please note that if afterwards you wish to manually dig deeper than the level at which the recursive automatic exploration stops, you can do so by marking the inner-most archive reached as still to be processed (by pressing Ctrl+Del) and then applying the Explore command in the context menu to it manually.

* Maximum length for the simple search and replace functions extended from 50 to 100 bytes.

* Lists groups and group members in the registry viewer and register report.

* Unix and DOS attributes of files in zip archives are now output in Details mode in a decoded form.

* Some minor improvements.

* Same fix level as v18.5 SR-2.



On a different note: It is now possible to order perpetual licenses for X-Ways Forensics with a user-defined update maintenance period, i.e. an expiration date of your choice, for example the same expiration date as that of your existing licenses, so that old and new licenses can be merged in our database in a single entry (for combined volume discounts next time when you upgrade them) and managed together as a single group by yourself as well. Also useful to match the update maintenance period with your internal financial year or to better utilize the budget that you have available at this very moment.

Similarly, upgrades of existing licenses with new update maintenance may now be offered to you with an expiration date of your choice as well, on the More options page.

And the web site is mobile-friendly now.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 21, 2015 - 8:38:   

Preview 2:

* X-Ways Forensics now has a function to mount the volume that is represented by the active data window as a Windows drive letter. This allows for convenient and quick access to all files with external programs where necessary (without the need to copy the files to your own local drive letter first). Very efficient in particular if you wish to check a whole volume or directory or certain files with a virus scanner. Mounting works for all the file systems that are supported, for all partitioning methods supported and all image types supported (in X-Ways Forensics: raw images, .e01, VDI, VMDK, VHD, and of course evidence file containers), even for images within images, also for partitions of physically attached disks formatted with a file system unknown to Windows. Access to all the files is complete read-only, mounting of images or disk partitions will not changing anything in the image/on the disk.

The command to mount an entire volume as a drive letter has been added to the Specialist menu. A similar command can be found in the directory browser context menu as well as the Case Data window context menu, where it allows to mount only the selected directory and its contents if so desired, or even only a selected file that has child objects. To unmount a drive letter, simply invoke the mount command in any of the menus again and click the Cancel button.

You can choose to see all existing and optionally all known deleted files from the volume in the drive letter, exactly the same files as known from the very thorough volume snapshot of X-Ways Forensics itself, which depends on whether you have refined it already or not. Optionally filtered out files can be omitted from directory listings. Child objects of files (files in files) are optionally exposed as well, presented as files in an artificial directory that has the same name as the parent file, with just a single character appended to render the name unique, as you may know it from the Recover/Copy command. By default, that suffix character is invisible, i.e. a Unicode character with no width, to make the path of the child objects look as original as possible. You may wish to replace that character with something else, e.g. an underscore, for example because you are working with an external program that is not Unicode-capable. For that you need to remove the invisible character from the edit box first, for example by pressing the Backspace key, which works even if it does not have any visible effect. After that you can insert any other character.

Previously existing files are listed optionally, and if listed, they are presented with the "hidden" attribute, so that they can be visually distinguished from existing files even in the Windows Explorer a.k.a. File Explorer. Virtual directories are presented in the same way. (Of course, hidden files are displayed in Windows only if you choose to see them, see Tools | Folder options | View.) Virtual files in a volume snapshot as well as internal files of the file system (e.g. $MFT in NTFS and Catalog in HFS+) are included on request only.

Special objects like alternate data streams, extracted e-mails, video stills, embedded thumbnails, manual file excerpts, etc. etc. are presented in the mounted drive as ordinary files. File slack is not exposed.

This function requires Windows 7 and later and the installation of a driver (which will be started when you use any of the mount commands for the first time) and the Microsoft Visual C++ 2013 Redistributable Package (which is not included in Windows by default and may need to be downloaded). That means that this particular part of X-Ways Forensics is not portable, but it's not a typical function for previews of live systems anyway.

* Support for Windows 10 registry hives and its new data types. (In previous versions of X-Ways Forensics, the registry report would be incomplete for a Windows 10 registry.) Some new registry report definitions for Windows 10.

* Support for the new prefetch file format of Windows 10, including a new file carving algorithm for those prefetch files.

* Support for the new $I recycle bin files of Windows 10.

* Extraction of the AppVersion field from new Office document types. Extraction of the absolute path of Office 2013 .xlsx files.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 21, 2015 - 20:26:   

Once v18.6 is released, the new mount functionality will also be available in a new product variant of WinHex called WinHex Lab Edition. In WinHex Lab Edition, all the functionality of a specialist license for WinHex will be available, plus the ability to run X-Tensions (except viewer X-Tensions), support for the same file systems as in X-Ways Forensics (i.e. HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, UFS, and XFS additionally), and creation of evidence file containers. So WinHex Lab Edition will bridge the gap between WinHex with a specialist license on the one hand and X-Ways Forensics on the other hand to some extent. Still, functionality wise and price wise it will be much closer to WinHex with a specialist license.

In WinHex 18.5 SR-3, once released, with any license type and even in the evaluation version, it is possible to to interpret evidence file containers with no more than 1,000 objects, free of charge, not only for evaluation purposes. Subject to change: In WinHex 18.6 without any license type and even in the evaluation version those containers can also be mounted as a drive letter.

If you acquire files logically in an evidence file container and pass the container on to other parties who do not have a license for X-Ways Investigator or Forensics, the above changes should make the recipients happy. They could use either the free version or save money by purchasing only WinHex Lab Edition instead of X-Ways Investigator or Forensics.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 24, 2015 - 15:00:   

Preview 3:

* Same fix level as v18.5 SR-3 and a little more.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 28, 2015 - 12:48:   

Preview 4:

* The Description column now deserves more attention. It has taken over many of the display responsibilities of the Attr. column that are not file system related, also half of the Attr. column's filters. Additionally, it has taken over the previously column-independent filters from the Directory Browser Options dialog. This solution should be a little more intuitive and logical for new users, and it clears up some space in the notoriously crowded Directory Browser Options dialog. A new filter settings in the Description filter allows to filter out virtual items just like existing and previously existing items. The filter for carved files (previously in the column "1st sector") was also absorbed by the Description column.

* The Description column is now more precise in revealing the object type (e.g. carved file, child objects of file, alternate data stream, video still, etc.) and the deletion status and other properties. Also, this column has become configurable. You can decide in the Notation Options dialog what information to include in this column. That the settings of the Description column are part of the Notation Options means that you can have two different settings, one generally for the directory browser and the other one specifically for the the Export List command. This might be useful because in the exported list no icon can help you to tell certain object types and their deletion status apart, unlike in the directory browser.

* Ability to have files with child objects in the volume snapshot of a physical medium, which was not possible before. And physical media now get a virtual directory specifically for carved files when running the file header signature search. Consequently, physical media with child objects or virtual directories now have a button for recursive exploration, but please note that a recursive exploration does not include any partitions, which have their own volume snapshots. Also please note that directories and files with child objects are still shown in the tree of the Case Data window only for volumes, not physical media.

* The initials of the user who has carved a file manually in Disk/Partition/Volume mode are now optionally displayed after the filename in square brackets just like for other self-defined files (attached files or manual excerpts).

* Excerpts are now marked with a scissor icon.

* Listing the root directory of a volume in the directory browser, in the root directory itself, actually, is kind of illogical, but can be very helpful to see that directory's timestamp (if any, depends on the file system) or to quickly navigate to its clusters (if any, also depends on the file system) or as another place where to quickly tag or untag all items in a volume. Whether the root directory is listed now no longer depends on the file system, but is controlled in the directory browser options.

* Another new directory browser setting renders listing the internal files of the file system optional in the normal directory browser. This affects for example the various $* files in NTFS. Specifically in X-Ways Investigator those files are no longer listed as they are irrelevant to non-technical examiners (the target group of X-Ways Investigator) and might confuse them because they are not familiar with them from using ordinary high-level computer software.

* Photoshop metadata in JPEG pictures is now displayed nicely formatted in HTML tables. The relatively new printer metadata field has been added. Better support for UTF-8 encoded metadata. The most frequent IPTC fields now have a readable field name.

* AppCompatCache entries of Windows 8.1 and Windows 10 registries are now supported. Those entry are relevant when analyzing program executions.

* Analysis of Windows 10 Prefetch files now support in Preview mode on Windows 8.1 and Windows 10 platforms.

This preview version is also available to BYOD users.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 29, 2015 - 21:34:   

Preview 5:

* You can now right-click the caption line of the directory browser to quickly invoke the Description filter dialog window, even if the Description column is not visible on the screen or not displayed at all. A left click still quickly invokes the directory browser options.

* Several other minor improvements.

* Some fixes of the new functions in Preview 4.

* Same fix level as v18.5 SR-5.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 2, 2015 - 8:08:   

Preview 6:

* There is now a volume snapshot option for incremental snapshot completion when dealing with OS directory listings as evidence objects (when you add a directory to your case). If selected, the volume snapshot initially just contains the contents of the top-level directory, and it is further completed only on demand, step-by-step when you manually explore subdirectories. This is exactly how the Windows Explorer/File Explorer in Windows works, and useful when dealing with slow and huge network drives that would take a long time up front to scan completely. But it's very different from the usual approach in X-Ways Forensics, and will obviously prevent you from getting a complete listing of all files when exploring recursively, simply because there is no guarantee that all files have been included in the volume snapshot yet until you have explored all subdirectories. If at any time you decide that you wish to include the contents of a certain directory in the volume snapshot recursively, you can use the "Expand all" command in the context menu of the Case Data window (right-clicking that directory) or unselect the option to complete the volume snapshot on demand and then explore that directory. Please remember that the most convenient way to expand an entire subtree is by clicking its root and pressing the multiplication key on the numeric keypad (standard feature in Windows).

* Various minor improvements and a few fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 6, 2015 - 20:12:   

Preview 7:

* Output of the flag "Executed" of the Shim Cache (AppCompatCache) in the registry viewer. Potentially relevant for malware investigations.

* More information is now output for Windows 10 Prefetch files.

* Output of three timestamps of Google Analytics cookies in Details mode (first visit, previous visit, last visit). Analytics cookies have the filename extension .eiurl. They are encoded as as URL that references a GIF picture with a size of 1x1 pixel and can be optionally carved (cf. "Special interest" category).

* Same fix level as v18.5 SR-6.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 11, 2015 - 21:52:   

Beta 1:

* Interactive investigative mounting: Deleting a file in a volume mounted by X-Ways Forensics in Windows of course does not delete the file in the image or on the disk, but can now optionally trigger one of the following actions in the volume snapshot: 1) exclude the file, 2) mark the file as already viewed, or 3) associate the file with a report table of your choice. The latter is very useful if you mount the volume in order to check the files for malware with an external virus scanner. Should the virus scanner delete or quarantine any of the files, X-Ways Forensics will notice that and add the file to the specified report table. Note that if you manually move a file off the volume to some other drive letter this will trigger the same action, because that kind of moving is identical to copying followed by deletion. Moving a file within the same volume is not allowed.

* Renaming a file in a mounted volume in Windows also renames the file in the volume snapshot. (The original name is preserved and displayed in the directory browser additionally.)

* Listing files that in the volume snapshot are known as renamed/moved is now optional when mounting a volume or directory as a drive letter.

* Files with identical names in the same directory (e.g. 1 existing, 1 previously existing file, up to 16) are not problematic with mounting. Such files can be opened from within mounted volumes through the drive letter as if they had unique names.

* Google Analytics last visit timestamps (URLs with "ie" timestamps) are now also provided as events when extracting embedded files from Google Chrome cache files. Useful in particular for users who do not regularly carve for URLs with "ei" timestamps at the byte level on the whole disk or partition, which is a categorized as a "special interest" carving definition only.

* Ability to strip certain lines off the extracted metadata in order to not see them in the Metadata column, for example to keep the case report or the output of the Export List command more compact for printing or viewing on the screen, or just because certain metadata fields are not relevant to you. You identify unwanted metadata fields by a substring. That substring can either match the field name (e.g. "Focal Length") or the value of the field. 1 substring is entered per line. You can share your definitions by sharing the file "Unwanted Metadata.txt".

* There is now a second grouping option for the Recover/Copy command. That means you can group by any two of the previously known aspects at the same time, e.g. first by deletion status and then by type, or first by report table and then by file type category.

* The funnel symbol that represents the filter of the Description column now has four possible colors: 1) Gray when inactive, as usually. 2) Gray with a very, very light tendency to blue, almost indistinguishable from gray, when the filter is on theoretically, but only excluded files would be filtered out, but no excluded files are actually getting filtered out currently. 3) Blue-gray when only excluded files are filtered out by the filter, and such files have actually been filtered out. 4) Ordinary blue if the Description filter is active and does not only focus on excluded files. This color scheme was introduced because it is considered rather "normal" that excluded files are filtered and should not attract as much attention as other active filters.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 18, 2015 - 11:59:   

Beta 2:

* When attaching external files (e.g. after decrypting, converting, translating, ...) to their respective original counterparts as identified by the unique ID, through the context menu of the case, you are now given four options:
1) the attached file can become a child object of the original file (as before)
or
2) the attached file can become a sibling of the original file (shown next to it, in the same directory)
or
3) the attached file can replace the original file (original file no longer present)
or
4) the attached file can replace the original file, and the original file can become a child object of the new file if still needed.
You can select the attachment method separately for ordinary files and e-mail attachments. The three new methods are particularly useful for e-mail attachments because only direct child objects of .eml files are embeddedd in the parent .eml file when recovering/copying those .eml files. So if you would like to have the decrypted/converted/translated version of an attachment embedded in the .eml file, that version should not become grandchild object as in previous versions. If you want original and new version both to be embedded, make them siblings. If you do not need the original version embedded, replace it completely or preserve it only as a child object of the new version (i.e. grandchild of the .eml file).

* A stylized P is now displayed in the Analysis column for pictures for which at least one PhotoDNA hash value is stored in the volume snapshot.

* The PhotoDNA hash value of a picture, if stored in the volume snapshot, can now be seen in Details mode.

* Setup program revised.

* Time zone changes of Windows systems and the timestamps when applications are installed, uninstalled or updated by the Windows MSI installer are now output as events to the event list.

* New file carving flag "y", which identifies file types that are known to use encryption internally, which allows to mark carved files of these types in the Attr. column with "e!".

* Several minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 25, 2015 - 18:15:   

Beta 3:

* When importing PhotoDNA hash sets or when creating PhotoDNA hash sets yourself, the new entries are matched with existing entries exactly as lax as matching works during the analysis phase. This can be important for potential recategorization of existing entries. The benefit of this fuzzy matching is that you can adjust the category of certain entries whose original categorization was from a foreign source (e.g. Project Vic), which may be necessary because of different legislation or jurisdiction in your country or because of simple categorization errors or different interpretation, provided that you have variants of the same pictures (not necessarily the exact same files) in your collection. However, whether the new entries are added to the database as well, in addition to the similar existing entries, still depends on the same relatively strict threshold as before (more strict than the condition for recategorization of existing entries).

* You can now see in the directory browser whether there were matches for more than one PhotoDNA category for the same picture. This has become less likely given the aforementioned improvement, but in rare cases where it happens can be very important to check manually. If there were matches with different categories, the name of the category with the closest match is shown (as before), now followed by a comma and an ellipsis. Also, you can now filter for such pictures that were found in more than one category. Such pictures may deserve as much attention as duplicates in conventional hash databases that belong to the "irrelevant" category and "notable" category at the same time and are usually the result of an inconsistently populated database, e.g. accidental miscategorizations or correct categorizations made by users in different jurisdictions etc. If the returned best matching category for a picture is wrong in your opinion, you can fix this by adding a hash set of that picture to the PhotoDNA database again, specifying the correct category.

* The filename extension of an original image (image of the suspect found within evidence objects and added to the case, e.g. VMDK, VHD, VDI, ISO) is no longer removed in the evidence object title, so that you can see it everywhere in the user interface and better understand the context if you find relevant files in such an image.

* The subject of e-mails in original single e-mail files (.eml, .emlx, .olk14msgsource) is now extracted as part of Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and events | [x] "Extract sender, recipients, and subject from original .eml files" and shown in the Name column if different from the name of the file, and unless the file is a carved file (i.e. a file with an artificially generated filename), the original filename will be preserved and shown as an alternative name in the same column.

* Several minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 26, 2015 - 16:21:   

Beta 3+:

* Fixed an error in Beta 3.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 30, 2015 - 14:10:   

Beta 4:

* v18.6 (only that version) will not load the width of the (now more important) Description column from cases. That way nobody who starts using v18.6 and loads cases that were last saved by v18.5 or earlier with directory browser settings embedded will lose that column because they didn't use it before.

* Some fixes and minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 8, 2015 - 21:21:   

Beta 5:

* Ability mark search hits for inclusion in the case report, using a new command in the context menu of the search hit list, with the green grid icon. If a file is part of a report table and the report table is output in the report, and if the file contains search hits that have been marked for inclusion in the report, then the context of these search hits is shown below the listing of that file. Inclusion in the report and being notable are two separate properties of search hits. You can filter for both properties with the filter of the Search hits column.

Of course user search hits can also be included in the report. That means you can select any part of a file in File mode, add it as a user search hit and then get that part quoted automatically in the case report.

* Support for an old file format variant of SKP (Google SketchUp).

* Ability to check or uncheck all file types for the file header signature search with a single mouse click.

* Scrolling in Calendar mode now updates the view on the fly. Ability to use the mouse wheel in Calendar mode for scrolling. The calendar now no longer shows years that are more than 1 year in the future, even if distant garbage timestamps are listed in the directory browser or event list, to keep the display range more compact.

* Some other minor improvements.

* Some internal improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 11, 2015 - 11:37:   

v18.6 was just released. Additional changes since the last beta version:

* Program help and user manual updated for v18.6.

* More format variants of MP4, MOV, etc. supported for file carving and file consistency checks.

* More precise in reporting the first sector of certain embedded files.
Top of pagePrevious messageNext messageBottom of page Link to this message

Martin Besser
Username: de_martin

Registered: N/A
Posted on Wednesday, Nov 11, 2015 - 14:11:   

Is there a summary or newsletter about all changes/innovations in v18.6 since v18.5 in german language?
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 11, 2015 - 14:35:   

It will be available here as always once translated.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 18, 2015 - 18:06:   

SR-1:

* Improved FuzZyDoc matching results for PDF documents.

* Time zone awareness of timestamps now defined on a per-file basis in exFAT.

* Ability to find the virtual allocation table of virtual UDF partitions on certain non-standard (incomplete) disk images as produced by other software.

* Fixed an exception error that occurred in v18.6 when carving files in a data window that represents a single file with no volume snapshot and no directory browser.

* Fixed effect of unselected "List internal file system files" option for files in archives.

* Fixed unsuccessful conversion of certain Base64 code.

* Prevented an extremely rare exception error that could occur when matching hash values against the hash database.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 22, 2015 - 19:36:   

SR-2:

* Fixed inability of X-Ways Imager 18.6 to image disks.

* Some minor fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Bridgey the Geek
Username: bridgey

Registered: N/A
Posted on Monday, Nov 23, 2015 - 11:24:   

Stefan,

Please can you confirm that given the "[e]rror in disk imaging in X-Ways Imager 18.6", any images that were made with this version are still entirely valid?

That is, as a resut of these errors, any images made with this version do not have incorrect data compared to the original media, or incorrect metadata compared to that entered by the user?

Thank you,
Bridgey
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 23, 2015 - 11:46:   

Adam,

Images made with X-Ways Imager 18.6 before SR-2 do not exist. X-Ways Imager 18.6 before SR-2 did not create images. Non-existent images are neither valid nor invalid. X-Ways Forensics was not affected. I will replace the word "error" in the announcement.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 30, 2015 - 19:35:   

SR-3:

* Fixed occasional incomplete extraction of embedded JPEGs in PDF documents.

* Fixed potential time zone information error in the properties of evidence objects with a Windows installation.

* Fixed an exception error that could occur with certain corrupt Zoom Browser files (Canon).

* Some other minor fixes.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 9, 2015 - 20:34:   

SR-4:

* Fixed time zone conversion in the second column of previews of certain index.dat files.

* Fixed occasional incomplete exclusion of duplicates based on hash values.

* Deduplication of multiple very similar PhotoDNA hash values now even when importing them into an empty (newly created) PhotoDNA hash database.

* Since v18.6, if a new PhotoDNA hash value is close enough to be considered a match for an existing one, but different enough to warrant a separate entry in the PhotoDNA hash database, the existing entry is updated and the new one added. This double entry previously did not happen if both similar hash values were added during the same import operation, but now does.

* Some other minor fixes and improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 12, 2015 - 17:31:   

SR-5:

* Fixed size detection of Ext* partitions larger than 2^32 blocks in situations where they are not referenced by any partition table.

* Fixed memory leak in HFS file system support.

* Fixed inability to deactivate all filters with a single mouse click in SR-4.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 23, 2015 - 21:04:   

SR-6:

* Fixed an exception and instability error that could occur when extracting metadata from certain documents in OLE2 format.

* In Ext4 file systems, some very rare files with uninitialized parts were previously read with partially incorrect data. That was fixed.

* Fixed parsing of FAT32 file systems with cluster sizes of 128 KB or more in X-Ways Forensics.

* Ability to show rough pixel counts for pictures that have PhotoDNA database matches.

* investigator.ini options related to the new Description filter did not work in v18.6. That was fixed.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 11, 2016 - 12:12:   

SR-7:

* Fixed a rare exception error that could occur when generating HTML previews of files of certain types.

* Fixed potential inability to select thumbnails in the gallery while viewing pictures with the viewer component.

* Improved stability for processing of SQLite databases.

* Improved imaging behavior after media disconnect error.

* Prevented way around investigator.ini option +51 in v18.6.

* Some minor fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 14, 2016 - 19:15:   

The command to exclude duplicate pictures based on PhotoDNA hash values currently does not work correctly when applied to files in different evidence objects at the same time (in the Case Root window). This will be fixed in all future releases.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 19, 2016 - 19:38:   

SR-8:

* Fixed potential incomplete listing of partitions in the directory browser when more than one partition was semi-automatically detected starting from the sector pointed at by the user.

* Fixed an error that could occur when reading from partitions with a file system based on a sector size different from the sector size of the physical disk.

* Fixed incorrectly displayed file size for huge files in UDF file systems.

* Fixed a rare error in symlink resolving.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 29, 2016 - 20:12:   

SR-9:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.6.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 20, 2016 - 10:14:   

SR-10:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.6. This will probably be the last service release for v18.6.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 23, 2016 - 7:50:   

SR-11:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.6. This is the last service release for v18.6.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.