X-Ways Forensics 18.8 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 18.8 « Previous Next »

Author Message
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 12, 2016 - 20:24:   

A preview version of the dongle-based edition of X-Ways Forensics 18.8 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* The type status "newly identified" was split up into "newly identified" (in a weaker sense, for example meaning that X-Ways Forensics had no idea about the file type before verification because the file didn't have any filename extension) and "mismatch detected" (which indicates a misleading filename extension, more suspicious). The type status "newly identified" from volume snapshots that were refined in previous versions is automatically adopted as "mismatch detected".

* File type signature definitions may now exploit the first 1024 bytes of a file (previously only the first 512 bytes).

* Ability to uncover embedded files from .p7m S/MIME files.

* NOT option for the Name filter.

* Clicking the caption of the text column (where the name of the currently active code page is displayed in light gray) now allows to quickly change the active code page).

* New CSS definitions supported for thumbnails in the case report (RTpicthumb and RTdocthumb, for thumbnails representing pictures and non-pictures, respectively).

* The Data Interpreter now respects the Big Endian setting also for FILETIME structures. That is useful because FILETIME timestamps can be found in big endian in Windows Storage Spaces.

* Information about the audio sound quality in videos (sampling frequency and number of channels) is now extracted when capturing still images from videos. "No audio" is output if the video does not have audio. This allows to filter for videos that have or have no audio.

* The X-Tension API function XWF_GetHashValue can now be used to retrieve PhotoDNA hash values if those were computed by X-Ways Forensics and stored permanently in the volume snapshot.

* Same fix level as v18.7 SR-3.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 20, 2016 - 18:57:   

Preview 2:

* Ability to display incomplete JPEG pictures with progressive compression with the internal graphics viewing library.

* Fixed an exception error that could occur with certain corrupt or very large GIF pictures.

* Option to filter for recipients specifically on Cc: and Bcc: or just Bcc: or just To:, in e-mail messages and attachments where the recipients were extracted by v18.8. Useful for example if in your jurisdiction e-mails sent to a lawyer on Cc: or Bcc: are less protected by attorney-client privilege than e-mails addressed specifically to a lawyer.

* Metadata extraction from e-mail messages slightly more precise.

* Revised support for TAR archives. Ability to extract from certain TAR archives that could not be processed before. More exact representation of files in TAR archives. Faster processing, and caching of TAR archives in GZ archives.

* Ability to confirm and extract GZ archives with the "extra" flag.

* Archives of additional types are now represented in the directory tree on the left once their contents have been included in the volume snapshot.

* Underflows and overflows in timestamp columns in the directory browser (timestamps outside of the supported range) are now marked with the text "out of bounds" and can be distinguished and properly sorted and filtered. (The supported range is May 5, 1829 through May 14, 2514.)

* Support for the new file type "service_worker", which is part of the new Chrome Offline Cache. Such files can now be type-checked, carved and metadata and embedded files can be extracted.

* Several minor improvements.

* Same fix level as v18.7 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 24, 2016 - 18:20:   

Preview 3:

* Revised internal file archive handling and fixed some rare errors.

* Specific support for jump lists of Windows 10.

* Greatly improved carving of XML files (almost all subtypes). Simplified XML definition in FTSS.txt and FTSCO.txt.

* Rudimentary CSV file carving.

* Can now employ the fast search algorithm even when you get close to the maximum number of search terms per simultaneous search, i.e. around 8190. (Please note that the total number of accumulated search terms in a case is also limited to ~8190.)

* The advanced full path sort option is now a display option of the directory browser. It can still be used to achieve a sort order where child objects follow their respective parents, but now also has a visual effect in that the path now optionally includes the name of the object itself, for example if needed to copy it directly from the Path column.

* Option in the case properties to show the search term list in a single column next time when it is created. This enables you to scroll the list vertically instead of horizontally. Might be beneficial for example if your search terms are rather long.

* Some fixes.

* Also available for BYOD users.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 29, 2016 - 20:32:   

Preview 4:

* Identification of the zip subtype appx, which in newly initialized installations is now defined as part of the special interest group of archives (along with jar, apk, and ipa) and thus processed optionally.

* File carving support for Microsoft ONE files.

* Improved context sensitivity for better XML, CSV and Base64 file carving results.

* Extraction of ranks from jump list entries as well as from jump lists as a whole. These are floating-point numbers that are roughly proportional to the access frequency and therefore potentially relevant information. The ranks are computed by Windows.

* Some fixes.

* Same fix level as v18.7 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 7, 2016 - 20:20:   

Preview 5:

* The Description filter for still images from videos now has an additional option that allows to also list the corresponding video, directly preceding its stills. That way it is easy to see which still images belong to which video, and you can comment on the video or add the video to a report table without navigating back and forth and without using the slightly less intuitive way to apply report table associations to an item that you cannot see (with the "for parent file" option). The tiles that represent the videos may act as visual delimiters if you disable auxiliary thumbnails in the gallery options, so that you can easily see where still images of the next video begin.

* Showing the file size in white tiles in the gallery is now optional, to reduce unnecessary screen cluttering for users who do not usually need this information.

* File carving definitions for OECustomProperty objects, which may contain e-mail metadata from MS Outlook, often stored as alternate data streams.

* Ability to carve fragments of Windows.edb from Windows 10, containing Internet browsing events (cf. "special interest" group).

* Some minor improvements.

* Same fix level as v18.7 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 17, 2016 - 19:46:   

Preview 6:

* Firefox cache extraction revised.

* Extracts e-mail messages and attachments from .olk14message files of MS Outlook 2011 for Apple Mac OS X.

* File type category entry for .dash video streaming files in browser caches. It's an MP4 subtype, but needs to be converted to be playable with regular video players.

* Algorithmic identification of URL-encoded ESC files from browser caches, and human readable representation, currently in Details mode, in future in Preview mode. Contains metadata of video streaming services.

* Option to detach or attach the lower halves of all data windows at the same time.

* Some minor improvements.

* Same fix level as v18.7 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 28, 2016 - 19:12:   

Preview 7:

* When identifying duplicate files, pairs of duplicates in the same volume snapshot can now be optionally linked as so-called "related" items, so that it's easy to navigate from one such file to at least one duplicate. Excluding all duplicates but one in a group is now optional, too, and marking the files as duplicates in the Description column is also optional.

* Identifying duplicate pictures based on stored PhotoDNA hash values is now m-u-c-h faster than before, depending on main memory availability and number of processor cores.

* When attaching external files to a volume snapshot, X-Ways Forensics can now optionally adopt the timestamps of these files as well (creation, modification and/or access), if you are sure that they are original and not the result of any file copy activity.

* Description filter for files that were indexed in X-Ways Forensics.

* Manual log entries now support Unicode. Option to output only manual entries in the log.

* Option to limit metadata output in the case report to Name and Comment specifically for video still images.

* Now re-detects the file system of volumes without re-opening them when taking a new volume snapshot if sector superimposition is active.

* Several minor improvements.

* Same fix level as v18.7 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 6, 2016 - 20:50:   

Beta 1:

* Chrome cache extraction revised and improved especially for large caches. Support for a recent extension of the file format. Support for multiple streams of the same cache entry: The HTTP response (named .chrome1) is output as well as, if present, as are compiled JavaScript entries (.js1). If a no-cache directive was sent by the web server, at least the HTTP response is still cached. In Preview mode you can see a special representation of HTTP responses.

* Chrome caches can now also be processed if their index is not available, for example if cache fragments have been carved or if the cache was partially deleted or corrupted. It may be possible in some cases that a better extraction result can be achieved without the index, even if it is present. To try that, if the index has not been processed before, you can have the uncover function process "data_4" files and omit the index. data_4 is now part of the optional "special interest" group.

* File type verification further improved.

* File type "locky" is now defined, nowadays relatively widespread thanks to the ransom ware "Locky". Such files are automatically marked as encrypted for easier recognition.

* Support for a very recent new version of Windows 10 jumplists.

* Support for the new thumbcache_idx.db format of Windows 10.

* Prevented an infinite recursion in certain rare damaged registry hives.

* The X-Tension API function XWF_GetItemType now allows to alternatively retrieve the category that the type of a file belongs to.

* If the text column shows text in a code page that is not the active code page in your Windows system and if you copy some data from the hex editor display into the clipboard, WinHex now asks you whether you would like the text to be converted from the code page active in the text column to UTF-16, for pasting in external programs.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 12, 2016 - 21:13:   

Beta 2:

* Disk imaging: You may now specify an overflow location in advance where further image file segments will be stored should space on the primary output drive be exhausted. If you leave that field blank or if even the overflow location has no more space left, you will be prompted for a new path as before when needed. If an overflow location is specified in advance and at the same time you chose to create two copies of the image, then please note that the overflow location is used only for the first image copy that runs out of space, if any. For the other image copy you would be prompted if space is scarce.

* Hash values of raw images that were created by X-Ways Forensics are now taken automatically from the accompanying descriptive text file if available and shown in the evidence object properties.

* New option of the Recover/Copy command to create a 2nd copy of all selected files in a separate directory. Useful if you need to provide two parties with copies of relevant files and wish to save time. The logging option is for the 1st copy only, though.

* The Recover/Copy dialog window has been more clearly structured. The option to embed e-mail attachments in .eml files no longer depends on the option to also copy child objects or on the explicit selection of the attachments, which makes it more intuitive and easier to use.

* When multiple users share an installation of X-Ways Forensics or X-Ways Investigator, with individual configurations in the user profiles, error.log files are now no longer created in the installation directory if it's writable, but in the user profile as well, in case other users are not supposed to see some of the metadata from evidence objects that may end up in the error.log file. Similarly, the msglog.txt file is now also created in the user profile if messages are output while no case is active (but still in the case's log subdirectory if a case is active).

* Support for $I files of Windows 10.

* Processing of iPhone backups of newer iOS versions as part of metadata extraction.

* Modulo setting for the internal ID filter now more flexible.

* Same fix level as v18.7 SR-9.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 20, 2016 - 9:28:   

Beta 3:

* JPEG generator signatures are now more helpful. A plain text description is now provided in addition to the hex notation for almost all signatures.

* "Make copy of pictures for inclusion in report" will now also copy one still image per video if available and show it directly in the report to represent the video. The video itself is not copied with this setting, to save drive space, only if "Make copy of files for inclusion in report" is fully checked.

* Evidence file containers now specifically remember the RVS status of the files that they contain, e.g. whether still images have been captured already from a video or whether embedded data already has been uncovered from a file. If you choose to accept and trust this status, which is a new volume snapshot option, these files will not be processed again if you decide to refine the volume snapshot of the container. You may occasionally not want to accept the RVS status of files in containers, to avoid missing something, if you suspect that the original examiner did not apply as thorough settings as you would or that they may have used an older, less capable version of X-Ways Forensics to process the files. Adopting the RVS status is also a must to get videos within a container represented in the gallery with rotating captured still images.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Apr 23, 2016 - 11:41:   

v18.8 was just released.

Additional changes:

* Ext journal parsing has been optimized. The result now looks better if the option is half checked, and that is the new default. Rare problems with a full selection of this option should not longer occur.

* Quoted printable is now decoded in the alternative .eml preview/presentation.

* Fixed an exception error that could occur when extracting metadata from certain .eml files with malformed quoted printable encoding.

* Improved processing of certain corrupt file archives.

* Italian translation of the user interface updated.

* Program help and user manual updated for v18.8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 3, 2016 - 22:03:   

SR-1:

* The option "Default to evidence object folders for output" did not have any effect on the Recover/Copy functionality in the original v18.8 release. That was fixed.

* The case report option "Copy and link each file only once" counted even previous report outputs if the order of files in the case root window was used. That was fixed.

* v18.8 miscounted directories recreated by the Recover/Copy command. That was fixed.

* The option to exclude all but one duplicate in each group did not have an effect in all situations in v18.8. That was fixed.

* PhotoDNA matching did not have any effect when not computing skin tone percentages at the same time. That was fixed.

* Avoids a time-out when loading certain corrupt picture files with the internal graphics viewing library.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 10, 2016 - 6:56:   

SR-2:

* The entropy check for fully encrypted files was not applied to all files in v18.8. That was fixed.

* In Ext* partitions with very few blocks, the file system was not recognized by an internal plausibility check. That was fixed.

* Virtual files generated by X-Ways Forensics v18.8 for examination purposes were potentially output with timestamps of when they were generated. That is now prevented.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 16, 2016 - 16:44:   

SR-3:

* Ability to display certain PNG pictures with certain illegal compression with the internal graphics viewing library in the 64-bit edition. Those pictures were previously shown as all black.

* Fixed an exception error that could occur when trying to list more than 134 million search hits at the same time.

* Ability to import plain text files with 1 PhotoDNA hash value per line in hex ASCII or Base64 no matter whether the last line is followed by another line break or not.

* Fixed potential miscounting of child objects that were targeted for inclusion in an evidence file container, leading to an incorrect confirmation message ("x of y files were added to ___.ctr").

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 23, 2016 - 8:09:   

SR-4:

* Fixed an exception error that could occur in v18.8 when uncovering embedded data in P7M and VCF files.

* The file header signature search option "Output as child objects of existing files if suitable" did not work correctly. It did not check the surroundings of carved files thoroughly enough and occasionally made wrong decisions about whether to present newly added files as child objects. That was fixed.

* Fixed an error in Quoted Printed decoding.

* X-Tension API: In all releases from today, ProcessItem[Ex] is also called for virtual files such as "Free space" as part of volume snapshot refinement although these files are otherwise largely ignored by that operation.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 25, 2016 - 8:23:   

SR-5:

* Fixed missing conversion of search hits in certain code pages to Unicode in the search hit list display.

* The "Full path display" option had no effect on items in the root directory. That was fixed.

* Previously, when working with multiple open data windows, the category statistics in the Category filter's pop-up menu may have been shown for another data window after changing the filter settings, not the active data window. That was fixed.

* The case report may have been output incompletely under certain circumstances if the option "Position pictures above the text" was not selected. That was fixed. The error occurred if the "successfully saved" confirmation message at the end was absent.

* Fixed an exception error that could occur under certain circumstances when analyzing documents with FuzZyDoc.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 3, 2016 - 12:11:   

SR-6:

* Fixed incomplete import of large plain-text files with PhotoDNA hash values.

* The descriptive imaging text file may have reported a certain number of unreadable sectors when creating a cleansed image although no sectors were unreadable. That was fixed.

* Fixed a possible exception error when extracting events from .evt event log files.

* Fixed a stability problem that occurred later in the same session after X-Ways Forensics recommended to decode text in HTML and RTF files for indexing due to the presence of non 7-bit ASCII characters, if that message had not been yet suppressed yet with the "Do not show again" option.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 7, 2016 - 9:10:   

* EDBex.dat replaced. This new version does not make X-Ways Forensics wait for a user reaction in case of exception errors during EDB processing.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 9, 2016 - 8:27:   

SR-7:

* Timestamps of files in evidence file containers that were based on an unknown local time zone (e.g. from a FAT file system), not on UTC, were treated as if they were based on UTC. That was fixed.

* Prevented an exception error with corrupt (typically carved) jumplists.

* Under certain circumstances, files that were classified as irrelevant in a previous volume snapshot refinement run already were touched again by subsequent runs when they should have been omitted. That was fixed.

* Fixed exception errors that could occur when starting a logical search in v18.8 under certain circumstances.

* The case report option "Position pictures above the text" prevented the output links to non-pictures files from the report. That was fixed.

* v8.5.3 of the viewer component hangs with various versions of the NTFS $UpCase file. That file is now no longer sent to the viewer component to generate a non-picture thumbnail for the gallery.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 14, 2016 - 17:19:   

SR-8:

* The XML list export did not include the contents of the "Report table" column. That was fixed.

* Prevented an exception error that could occur when the case was saved.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 22, 2016 - 16:18:   

SR-9:

* GREP syntax: # now has its special meaning even inside square brackets.

* Fixed an exception error that could occur with physical search hits on physical media without case association.

* Prevented a possible infinite recursion and an exception error when searching for embedded data in carved DLLs.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 27, 2016 - 19:02:   

SR-10:

* Fixed the report table independent listing of Unicode search hits in the case report.

* Ability to identify more PDF and HTML documents with no extractable text.

* Fixed an exception error that could occur in v18.8 when trying to decode text in files of certain types that do not contain extractable text, if the crash-safe decoding option was not selected.

* Fixed duplicated output of the case log if output at the same time as the case report.

* Prevented an exception error that could occur when searching embedded data in corrupt service_worker files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 6, 2016 - 18:33:   

* File EDBex.dat in the X-Ways Forensics download replaced. In some previous versions, if something went wrong during EDB database processing, the user had to click away an error message to proceed. This is now avoided.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 25, 2016 - 11:21:   

SR-11:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 22, 2016 - 13:15:   

* Incomplete representation of WebCacheV01.dat fixed (file EDBex.dat replaced).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 23, 2016 - 9:25:   

* EDBex.dat replaced again to fix a problem with Windows.edb processing.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 11, 2016 - 12:50:   

SR-12:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 14, 2016 - 8:36:   

SR-13:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.8. This is probably the last service release for v18.8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 1, 2017 - 18:02:   

SR-14:

* Many of the fixes introduced in later versions. Highly recommended to users whose update maintenance covered no more than v18.8. Available to these users on request for a limited time. This is the last service release for v18.8.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.