X-Ways Forensics 18.9 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 18.9 « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 28, 2016 - 20:59:   

A preview version of the dongle-based edition of X-Ways Forensics 18.9 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Events that are adopted into the event list from Windows .evtx event log files now always carry the event ID and record number in the Description column for filtering purposes.

* Events in .evtx event logs can now optionally be adopted completely. Previously, only a subset was processed, the presumably "more important" event types.

* It is now possible to cleanse a PhotoDNA hash database from unwanted hash values. The hash values to remove are provided as a plain text file, with 1 hash value in hex ASCII notation per line and "PhotoDNA" in the first line. The specified hash values match exact equivalents contained in the hash database and also small variations (same deviation permitted as set for matching). It may become necessary to cleanse a PhotoDNA hash database if you have imported hash sets from a foreign source whose contents partially do not meet your requirements, which becomes apparent when you get false hits, if you do not wish to remove the entire hash set, or if you have accidentally included a wrong picture in your hash database yourself.

* When creating a PhotoDNA hash set of selected pictures, you may now choose to not add the hash set into the internal database, but create a separate plain text file with PhotoDNA hash values instead. For that, please check the "Save as..." box. Such files can be passed on to other users if they wish to add the specified hash values to their databases or remove them (see above).

* If the option to insert an artificial top directory level in evidence file containers is half selected, that now means that only the the names of partition evidence objects are included that have a physical evidence object as a parent. Useful if the parent evidence object name is very long and redundant to include because you will fill your entire container only with files from that physical evidence object and will reference that object's name in the container name already.

* The Size filter works slightly differently now in that files with an unknown size do not always pass through the filter any more. And you now have the option to focus specifically on files with an unknown size with the condition <= -1.

* New option in the Recover/Copy dialog window to overwrite files with identical names instead of generating a new unique name as it always happened in previous versions.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, May 7, 2016 - 10:17:   

Preview 2:

* PhotoDNA hash entries can now optionally be classified as notable or irrelevant, or they can remain uncategorized. Uncategorized can be interpreted to mean "not decided yet" or "uncertain".

* Matches with PhotoDNA now show the related categories in the Hash category column and can be filtered accordingly through this column.

* Conventional hash sets may now also remain uncategorized. Which could be useful for example for hash sets that are temporarily needed only within a certain case to find certain duplicate files.

* User-definable text descriptions for JPEG generator signatures in the new file "Generator Signatures.txt".

* Tentative support for v3 inodes in XFS support added. Unlike already supported v1 and v2 inodes, v3 inodes contain a creation date (now also shown in XWF, if available) for the file/directory in question. They also contain a changed directory structure for directories stored within the inode ("local directories" in XFS parlance would be called "resident" or "inline" in NTFS), which is now also supported in XWF.

* Some minor internal improvements in XFS support.

* It is now possible to delete individual history entries of edit boxes, by selecting them from the pop-up menu when the Shift key is held.

* Alternate filenames are now output in HTML format by the Export List function and in the Recover/Copy log just like in the directory browser.

* Fixed an exception error that could occur when parsing Ext4 file systems.

* X-Tension API: Ability to find out via XWF_GetItemInformation whether or not alternative file data is available through XWF_OpenItem if desired, e.g. a thumbnail generated by X-Ways Forensics. Query the flag 0x400000000 (XWF_ITEM_INFO_FLAG_ALTERNATIVE_DATA_AVAILABLE).

* Several minor improvements.

* Same fix level as v18.8 SR-1, plus some of the fixes of SR-2.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 16, 2016 - 17:09:   

Preview 3:

* A generic relevance of files can now be estimated as part of metadata extraction. This relevance is based on a variety of factors, such as the type of the file, its generator if known (for JPEG and PDF files), its currentness (last modification date), whether it is known from any hash database, the wealth of internal metadata that it contains, its size, the image data of pictures, etc. More factors will be taken into account in future releases, the algorithm will be further tweaked, and more of the parameters may become user-definable in future. The relevance is not merely content-based, but the result of a fundamental characterization. In particular the generator signature is a provenance-based criterion.

The main idea is that if your time for examination is limited, you can start with the files that have the highest generic relevance, to maximize your chance to find what you are looking for, if it exists, and find it rather early. To sort listed files by relevance in descending order, i.e. prioritize them for review, select Navigation | Sort by Relevance from the directory browser context menu. A check mark in that column indicates that the relevance of a file was actually judged and taken into account for sorting.

* The format of the "Generator Signatures.txt" file was revised. It is now similar to the other user-editable text files in X-Ways Forensics. You can edit it to customize the above-mentioned relevance estimation. If for example knowing that a JPEG file was generated by a scanner is important for you (because you are a tax fraud or other white collar crime investigator interested in scanned documents), you would make sure that the "JPEG/Scan" group has a high weight (e.g. 9). That's the number after the tab in the line with the *** group definition. If such a file is of less importance to you (e.g. because the pictures that you have to look for are CP photos), then you reduce the weight of that group (setting it e.g. to 1). You can also edit the individual relevance of each generator in a group on a scale from 0 to 9, where 9 signifies highest relevance.

* Generator signatures are now output also for PDF documents. Analogously to JPEG files, this helps to learn something about the origin of PDF files and identify PDF files that likely have the same source as a given PDF file. For example, the generator signature reveals whether a PDF file was generated by a scanner.

* When importing PhotoDNA hash values from ProjectVic that have conflicting categorizations in the hash collection file (for example "Child Exploitation" and "non-pertinent" for the same picture), X-Ways Forensics will now assign such hash values to "ProjVic Cat5 - Uncategorized", except if they are hash values of uninteresting, monochromatic pictures (e.g. all black), then "ProjVic Cat0 - non-pertinent". X-Ways Forensics will also report this in great detail for the first 10 conflicts to give you or the publisher a chance to improve the quality of their hash collection. After 10 conflicts it will become less talkative. In recent ProjectVic data sets you can apparently expect much more than one thousand of conflicting categorizations, so it is important that X-Ways Forensics prevents numerous duplicate entries in the database and in particular misleading categorizations.

* Slightly improved handling of huge search hit counts.

* Support for certain 3-byte escape sequences in certain East Asian ISO-2022 code pages in the text column.

* "Created > Modified -> copied" is now a display and filter setting of the Description column. So the word "copied" has become part of the description.

* Several other improvements.

* Same fix level as v18.8 SR-3.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 23, 2016 - 8:20:   

Preview 4:

* Support for certain new and so far rare XFS variants, with new a Inode version and new directory data structure variants.

* Now includes filenames and timestamps from certain partially wiped index record in the volume snapshot that were rejected in previous versions due to corruption, as part of the particularly thorough file system data structure search.

* Better protection against corrupt PDF files, which can destabilize or totally crash the viewer component in certain situations (logical search or indexing with text decoding, file format specific encryption test, FuzZyDoc). The protection requires metadata extraction. Crash-safe text decoding also prevents crashes of the main X-Ways Forensics process in such cases.

* More PDF generator signatures defined to cover more files.

* Relevance estimation improved.

* Increased stability when processing EDB databases. Events from EDB databases are added to the event list again like in v18.6 and earlier. Some minor improvements for EDB database processing.

* Experimental parallelization option for the logical simultaneous search that allows to better utilize multiple processor cores by employing multiple threads. Has an effect only when searching in evidence objects that are images or directories, not disks. The faster your mass storage solution performs (in terms of seek times and data transfer speed), the more time you save percentage-wise. In perfect conditions, this can more than double the speed of logical searches. If you select just 1 thread for the logical search, it will work as before. If you select 2 or more threads, searching is done in additional worker threads, and the main thread of the process will be idle, which means the GUI will remain highly responsive. In X-Ways Investigator up to 2 worker threads may be used, in X-Ways Forensics up to 6 (less if an insufficient number of processor cores was found).

* Slightly revised status representation in the progress indicator window.

* Some minor fixes.

* Also available as a BYOD version.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 25, 2016 - 8:29:   

Preview 5:

* Ability to find search terms that consist of at least 2 Asian language characters in East Asian ISO-2022 code pages (JIS), even if not directly adjacent to the leading escape sequence.

* If you enter a non-existing output path for the Recover/Copy dialog, you will be notified and may now proceed anyway, and that path will be created automatically.

* Resolving reparse points in NTFS when finished taking a volume snapshot is faster now in certain Windows installations.

* A new directory browser context menu command in the Navigation submenu now allows to conveniently seek the item with a given internal ID, no matter whether file or directory. If a filter prevents listing that item, all filters will be deactivated automatically.

* Some minor improvements.

* Same fix level as v18.8 SR-5.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 30, 2016 - 6:52:   

Beta 1:

* When adding PhotoDNA hash values to the internal PhotoDNA hash database with the Create Hash Set command, you now have the option to store your comments about the selected files in that hash database as descriptions. These descriptions can be automatically adopted as comments again next time when the same pictures are found in another case. They can either replace existing comments in the other case or (if the corresponding check box is half checked) be appended to existing comments. This is very useful for example for police investigators who are required by the court to provide a textual description of each and every child pornography picture, to at least spare them the work of entering descriptions of the same known pictures more than once. Also useful to store information such as known identities of the persons in the photo, previous case numbers etc., for future reference if the same photos are found elsewhere.

The descriptions in the hash database can be updated with your comments by simply adding the PhotoDNA hash values of the same files to the internal database again through the Create Hash Set command. When you import a colleague's internal hash database (by selecting their RHDB file), be sure to have not only the corresponding RHCN file (with the category names) present in the same directory, but also the new subdirectories that contain the descriptions, if any, if you wish to import these descriptions.

To delete all internal descriptions, you can simply delete the D* subdirectories of the PhotoDNA hash database directory. Or if you wish to share your database with other users without the descriptions, simply do not include the D* subdirectories. You may also manually delete or update any individual descriptions in the text files in the D* subdirectories at any time. Descriptions that you already have in your database will not get lost if you import hash values of the same pictures again from other sources, except they will be overwritten if that other source is a PhotoDNA hash database of X-Ways Forensics that has descriptions of the same pictures.

* More information in the About box, such as how much free space is available on the drive for temporary files and image files, whether the program is running with administrator rights, whether the MS Visual C++ 2013 Redistributable Package (for the latest version of the viewer component and Dokan) is installed and if not whether at least the MS Visual C++ 2005 Package is installed (for v8.5.2 of the viewer component and older).

* Option to change the text colors for slack space and uninitialized space in Options | General.

* Recover/Copy: The unique ID can now be inserted not only in the middle of the filename if desired, but also be prepended to it.

* Now up to 4 filter expressions are supported for the Metadata, Comments, and Event Description filters. (Previously just 2.) These filter expressions are now stored along with all other filter settings in cases and in .settings files.

* Relevance estimation for PNG files based on generator signatures. This will result in a higher relevance for potential screenshots for example.

* Relevance estimation extraction for PDF files revised. Metadata extraction from PDF files slightly improved.

* Several minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 30, 2016 - 12:49:   

Beta 1+:

* Metadata, Comments, and Event Description filter expressions can now be more flexibly combined with AND and OR. The last combination always has priority. For example "A and B or C" is interpreted as "A and (B or C)". "A or B and C" is interpreted as "A or (B and C)".

* Metadata, Comments, and Event Description filter expressions may now start with a colon to indicate NOT at the expression level.

* Some fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 3, 2016 - 13:13:   

Beta 2:

* Improved recognition and representation of BitLocker and BitLocker To Go volumes. Metadata is output in the Technical Details Report: Volume creation timestamp, textual volume description, encryption method, protection type, and volume master key last modification timestamps. BitLocker-related timestamps are also output as events. Improved representation of the encrypted and unencrypted files in the wrapper file system of BitLocker To Go volumes.

* File carving support for English language BitLocker recovery key text files.

* X-Ways Investigator now has the ability to manage and fill a PhotoDNA hash database. On the other hand, the functionality to run raw file header signatures within files to find embedded data has been removed.

* The "Create Hash Set" command has been renamed to "Include in Hash Database" because it does not necessarily create a hash set and because one of its purposes is now to just update descriptions of PhotoDNA database entries with comments from the volume snapshot.

* Additional PDF generator signatures defined, meanwhile 1,300 in total.

* Improved PNG picture relevance judgement, in particular for Smartphone screenshots.

* Several minor improvements and some small fixes.

* Same fix level as v18.8 SR-6.

* Also available as X-Ways Investigator.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 9, 2016 - 8:58:   

Beta 3:

* PhotoDNA hash value import from ProjectVic slightly revised again to deal with the numerous categorization conflicts among redundant hash values. The documentation was updated accordingly with details about the employed strategy.

* Indexing is now a sparse-aware operation as well, so that it will skip unallocated areas of sparse files in NTFS and other file systems as well as zeroed out disk areas identified as such at the .e01 evidence file level.

* Some minor improvements.

* Same fix level as v18.8 SR-7.

* Also available as X-Ways Investigator.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 12, 2016 - 18:32:   

Beta 4:

* Command line syntax supported in X-Ways Forensics (not X-Ways Investigator) to 1) create a case, 2) add images, and 3) refine the volume snapshot of all added evidence objects. Example:
xwforensics64.exe "NewCase:D:\Cases\My case" "AddImage:Z:\Images\My image.e01" "AddImage:Z:\Images\My other image.dd" RVS:~ auto

The quotation marks are required only for parameters that contain spaces. If no path is specified for the case, it will be created in the default directory for cases. "auto" will make X-Ways Forensics terminate itself at the end. To refine the volume snapshot ("RVS:~" command), X-Ways Forensics will run the same operations as were applied to a "virgin" (i.e. completely unrefined) volume snapshot last time according to the WinHex.cfg file. If you wish to apply different settings to different kinds of cases, you need to store these settings in separate WinHex.cfg files (in different directories or with different names) and restore the desired one before executing X-Ways Forensics. Also, please note that a few settings are stored in other files, e.g. "X-Tensions.txt" and "Unwanted Metadata.txt".

* HTML metadata extraction and HTML file type identification improved. Relevance computation for HTML files, which assigns a higher relevance to HTML files that were manually saved by the user locally.

* X-Tensions API: New function XWF_GetMetadataEx. XWF_GetMetadata is now deprecated.

* X-Tensions API: XWF_GetItemInformation now supports another info type, XWF_ITEM_INFO_PIXELINDEX.

* X-Tensions API: XT_Init should now return 2 instead of 1 if the X-Tension considers itself thread-safe. If your X-Tension does not identifies itself as thread-safe, that may result in suboptimal performance of future versions of X-Ways Forensics during operations which invoke your X-Tension.

* The key combination Shift+Del can now be used to include listed excluded items.

* Some fixes and other minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 14, 2016 - 20:38:   

Beta 4b:

* Same fix level as v18.8 SR-8.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 15, 2016 - 10:16:   

Beta 4c:

* The X-Tension API function XWF_GetItemType was revised to support the output of the type description of a file.

* The X-Tension API demo DLLs were recompiled, and a demo X-Tension about XWF_GetItemType was added to the Delphi download.

* Documentation of return value of XWF_GetCaseProp corrected.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jun 18, 2016 - 8:07:   

Beta 5:

* PDF generator signatures are now output in the Metadata column, and they are available even for PDF files from which no metadata is extracted (if protected with certain encryption or if double-compressed). Now 2,749 PDF generator signatures are defined, covering approximately 95% of all PDF files.

* A new PDF generator signature category "Reporting/Records" identifies documents like bank account statements and invoices. This also improves the automatic relevance judgement.

* Some fixes and minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 22, 2016 - 17:26:   

Beta 6:

* Disk imaging through the command line interface now involves image hash verification (if selected in the user interface before), and the optional descriptive text file contains the so-called Technical Details Report.

* Ability to hash files, interpreted images and disks in X-Ways Imager.

* Same fix level as v18.8 SR-9.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 27, 2016 - 19:02:   

Beta 6b:

* Same fix level as v18.8 SR-10.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 8, 2016 - 18:57:   

Beta 6c:

* Fixed inability to read the data of embedded files within large compressed files correctly.

* Fixed a rare crash with certain TIFF files.

* User manual and program help updated.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 10, 2016 - 7:15:   

v18.9 was just released.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 13, 2016 - 19:05:   

* The time zone information shown in the evidence object properties of partitions with a Windows installation is now taken from the "current" control set instead of control set 1.

SR-1:

* Fixed inability to convert certain old volume snapshots to the current format.

* Fixed synchronization of report table associations for multiple examiners in the same case.

* Fixed exception errors that could occur when viewing the SAM registry hive.

* Inline files embedded in original .eml/.emlx files are now extracted and provided as child objects.

* Avoided "Hash database not suitable for matching" error message in certain situations.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 18, 2016 - 19:48:   

SR-2:

* No longer ignores certain FILE records deleted by certain non-Windows NTFS file system drivers.

* Fixed an instability issue that could occur when parsing certain olk14Message files.

* Fixed problems with EDB database processing.

* The Description filter option "list respective parent video as well" had a problematic effect when checked if the check box was invisible. That was fixed.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 19, 2016 - 17:43:   

FYI, the new external program file EDBex.dat is detected as a generically suspicious file (e.g. "Gen:Variant.Barys.6920") by currently 9 out 53 virus scanners on virustotal.com, perhaps because of how it interacts with the main X-Ways Forensics process and does not have a user interface of its own, or for other reasons that we cannot guess. Please be advised that the file is no threat. Its only task is to extract data from EDB databases such as Windows.edb, Livecomm.edb, MS Exchange database, etc. outside of X-Ways Forensics, without causing instability in the main X-Ways Forensics process in case of EDB database corruption.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 25, 2016 - 4:19:   

SR-3:

* Fixed crashes that could occur when loading certain TIFF and olk14message files.

* The creation of report tables for group IDs of files whose group permissions are different from the permissions of others (only v18.9) is now optional (see volume snapshot options), and should best be inactive when parsing Android Ext4* file systems because of the sheer number of defined user groups.

* Quoted printable decoding in the alternative .eml preview now also for multi-part messages.

* Creation timestamps in orphaned inodes of Ext4 file systems, where available, are now included in the volume snapshot.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 28, 2016 - 7:14:   

SR-4:

* Automatic hash verification of multi-segment images immediately after creation failed in v18.9 even though the images were fine. That was fixed.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 31, 2016 - 10:14:   

SR-5:

* In v18.6 SR-4 and later (but not v18.8), when trying to resolve conflicting categorizations in newly imported PhotoDNA hash values, the category of some existing hash values in the database may have been inadvertently changed. That was fixed.

* Accelerated duplicate and consistency checks when importing huge PhotoDNA hash set collections.

* PhotoDNA import logic generally slightly revised.

* If during the import of a ProjectVic database it is discovered that the same picture is categorized as child abuse and child exploitation at the same time, this is still counted as an inconsistency, but such instances are no longer specifically brought to the user's attention. The first 10 encountered other conflicting classifications, if any, are still output in great detail, and the affected PhotoDNA hash values are now listed in Base64 notation instead of Hex ASCII, i.e. in the same encoding as used in ODATA JSON files for easier reference.

* Classification inconsistencies are now reported also when importing X-Ways Forensics PhotoDNA hash databases.

* Ability to import extracted metadata from evidence file containers as stored in containers by v19.0 and later.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Aug 21, 2016 - 17:48:   

SR-6:

* The recommended data reduction no longer causes directory browser cells of red X files to be omitted from logical searches.

* An exception error was avoided that could occur during assembler opcode interpretation by the Data Interpreter in v18.9.

* Fixed a rare exception error that could occur when parsing .evt event log files.

* The values of some integer fields in .evtx event log files were not output in the HTML previews. That was fixed.

* With certain case report settings certain copied files were not linked. That was fixed.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 22, 2016 - 13:02:   

* Incomplete representation of WebCacheV01.dat fixed now (file EDBex.dat replaced).
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 23, 2016 - 9:26:   

* EDBex.dat replaced again to fix a problem with Windows.edb processing.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 25, 2016 - 5:52:   

SR-7:

* A change of internal Windows behavior introduced with Windows 10 Anniversary Update caused instability when using Details mode. That effect is now prevented.

* Fixed missing update of the gallery in certain situations when the listing of files in the directory browser was changed.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 11, 2016 - 12:50:   

SR-8:

* X-Tension API: A new flag (XT_PREPARE_TARGETZEROBYTEFILES) now allows an X-Tension to tell X-Ways Forensics that it wishes to be called also for files with a size of 0 bytes.

* The "Other" option of the Owner filter did not always work correctly for files from file systems other than NTFS. That was fixed.

* The option to jump to a specified absolute disk sector number within its respective partition did not work quite right if partitions overlapped. That was fixed.

* Fixed problem of missing date in the 2nd timestamp column of weekly index.dat files.

* Fixed an exception error that could occur when taking a snapshot of Ext3/Ext4 volumes with WinHex Lab Edition or WinHex with a specialist license.

* Some other exception errors fixed.

* Several minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 3, 2016 - 8:27:   

SR-9:

* In the registry viewer in v18.9 some rare values or keys were not displayed or triggered an exception error. That was fixed.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 9, 2016 - 17:54:   

SR-10:

* Fixed an exception error in the Export List command that occurred when not working with a case.

* Fixed instability resulting from SQLite databases with 100,000 embedded binary objects or more.

* Selecting values in the registry viewer that are stored beyond the first 64 MB of a registry hive did not update the block in the underlying data window and or the information in the lower right corner of the registry viewer. That was fixed.

* Timestamps extracted from registry hives were not presented correctly to local time for the event list. That was fixed.

* Fixed an exception error that could occur when running a file header signature search on a partitioned disk with overlapping partitions.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 14, 2016 - 8:36:   

SR-11:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.9.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 1, 2017 - 18:04:   

SR-12:

* Many of the fixes introduced in later versions. Highly recommended to users whose update maintenance covered no more than v18.9. Available to these users on request for a limited time.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 16, 2017 - 20:08:   

SR-13:

* Many of the fixes introduced in later versions. Highly recommended to users whose update maintenance covered no more than v18.9. Available to these users on request for a limited time. This is probably the last service release for v18.9.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.