X-Ways Forensics 19.0

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 15, 2016 - 5:49:   

A preview version of the dongle-based edition of X-Ways Forensics 19.0 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* The cascading style sheet (CSS) definitions for the case report in the text file "Case Report.txt" now come with plenty of built-in explanations that should make it easier to adjust the formatting to your liking.

* Option to classify files that you specifically attach to a certain directory or file as what they actually are, e.g. video stills produced outside of X-Ways Forensics, e-mails extracted from e-mail archives outside of X-Ways Forensics, OLE2 objects, attachments of various kinds (in particular of PDF documents), etc. etc. If properly classified as video stills, the attached pictures will be used as previews for the respective parent video file for example. The classification can be seen in the Description column.

* Files that are attached to their respective original counterparts in the volume snapshot automatically via Unique ID now adopt the classification of the original files. Except if the original files have no special classification, in which case the attached files will be marked as attached files.

* Ability to specify the internal description of an image and the examiner name when imaging media automatically through the command line interface. For example,
:1 "|e01|G:\Test.e01|My description|Inspector Columbo
will acquire the disk with the internal number 1 in Windows in .e01 evidence file format with the name "Test.e01" in the directory G:, with the "My description" as the description and "Inspector Columbo" as the examiner. The parameters are delimited with pipes and may contain spaces. The order of these parameters is fixed. Description and examiner name are optional.

* Recover/Copy: Option to skip files if files with identical names already exist in the output directory.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 18, 2016 - 19:56:   

Preview 2:

* Now 2^31 hash values supported per hash set and per hash database instead of 2^30.

* Ability to export selected hash collections from the internal PhotoDNA hash database into text files to share them with other users or to check which hash values are contained/which ones were deduplicated etc.

* Option to check the internal PhotoDNA hash database for the presence of a specific hash value, with the same degree of precision/fuzziness as used for ordinary matching. If there is a hit, you will be shown the name of the hash collection that contains the hash value (if there are multiple matches, then the collection with the best match). If the matching entry in the database has a textual description, that description will be shown as well.

* Same fix level as v18.9 SR-2.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 25, 2016 - 9:08:   

Preview 3:

* New directory browser column "Group". For newly taken volume snapshots that column shows the ID of the assigned group of a file in Linux file systems.

* New directory browser column for the optional 2nd hash value, with a separate filter. Previously, a single column optionally showed both hash values.

* New directory browser column "Existent" that shows whether a file is an existing file or a child object of an existing file or not (existing based on its point of reference, e.g. file system), either with a check mark or a mathematical symbol or in natural language, depending on the Notation options. A third state is "virtual". To filter for the existence status, please continue to use the Description filter. Remember you can group files by existence status using the directory browser options, or you can now sort by this new column.

* New separate directory browser column for the full path, i.e. the path including the name of the file or directory itself. Previously, it depended on a directory browser option whether the path was fully displayed or not. Remember that sorting by full path can yield a convenient order because child objects follow their respective parents.

* Some minor improvements.

* Same fix level as v18.9 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 31, 2016 - 10:15:   

Preview 4:

* Option to totally skip duplicate and consistency checks during PhotoDNA imports, to potentially save hours of time, with the disadvantage that matching during volume snapshot refinement will take more time and that for variations of the same picture you may get different classifications returned.

* PhotoDNA hash values that you wish to find in the database may now be alternatively specified in Base64 notation instead of Hex ASCII.

* When importing hash values from NSRL RDS, if you categorize the hash set as irrelevant, hash values marked as special or malicious will be ignored (not imported). If you categorize the hash set as notable, only hash values that are marked as malicious will be imported. If you set the hash set to the uncategorized state, only hash values that are marked as special or have an unknown flag will be imported. If you wish to import all hash values, you can import the same NSRL hash set file three times, with different categorizations, and all hash values will end up in suitably categorized internal hash sets.

* Option to store already extracted metadata of files in evidence file containers, for the recipient to see immediately without having to extract metadata again.

* X-Tension API: Redefined flag to include comments about files in evidence file containers.

* Some minor improvements.

* Same fix level as v18.9 SR-5.
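
Added example (not part of the original post and not X-Ways code): a model of the NSRL RDS import rules from Preview 4, applied to constructed records in the NSRLFile.txt column layout. It assumes the RDS `SpecialCode` column carries the flag ("M" malicious, "S" special, empty for ordinary entries) and treats any other value as the "unknown flag" case; the function names are hypothetical.

```python
import csv
import io

# Constructed sample in the NSRLFile.txt column layout. Every value is made up.
HEADER = ('"SHA-1","MD5","CRC32","FileName","FileSize",'
          '"ProductCode","OpSystemCode","SpecialCode"')


def _row(n, name, special):
    """Build one constructed RDS line with placeholder hash values."""
    return (f'"{n:040X}","{n:032X}","{n:08X}","{name}",{n * 1024},{100 + n},'
            f'"358","{special}"')


SAMPLE_RDS = "\n".join([
    HEADER,
    _row(1, "notepad.exe", ""),      # ordinary known file
    _row(2, "dropper.exe", "M"),     # flagged malicious
    _row(3, "wipe_tool.exe", "S"),   # flagged special
    _row(4, "odd_entry.bin", "X"),   # flag value outside M/S (assumed "unknown")
    _row(5, "calc.exe", ""),
]) + "\n"


def flag_class(special_code):
    """Map the SpecialCode field to the classes the post talks about."""
    code = special_code.strip().upper()
    if code == "":
        return "normal"
    if code == "M":
        return "malicious"
    if code == "S":
        return "special"
    return "unknown"


# The three rules as stated in the post, read literally. The post names only
# special and malicious as ignored for "irrelevant", so unknown flags pass there.
IMPORT_RULES = {
    "irrelevant": lambda cls: cls not in ("special", "malicious"),
    "notable": lambda cls: cls == "malicious",
    "uncategorized": lambda cls: cls in ("special", "unknown"),
}


def plan_import(rds_text, category):
    """Return the RDS records that one import run with `category` would keep."""
    if category not in IMPORT_RULES:
        raise ValueError(f"unknown hash set category: {category!r}")
    keep = IMPORT_RULES[category]
    reader = csv.DictReader(io.StringIO(rds_text))
    return [rec for rec in reader if keep(flag_class(rec["SpecialCode"]))]


def coverage(rds_text):
    """Map each file name to the categories whose import run would include it."""
    result = {}
    for rec in csv.DictReader(io.StringIO(rds_text)):
        cls = flag_class(rec["SpecialCode"])
        result[rec["FileName"]] = [c for c, keep in IMPORT_RULES.items() if keep(cls)]
    return result


if __name__ == "__main__":
    for cat in IMPORT_RULES:
        names = [r["FileName"] for r in plan_import(SAMPLE_RDS, cat)]
        print(f"{cat:14s} -> {names}")
    # Importing the same file three times leaves no record without a hash set.
    print(all(coverage(SAMPLE_RDS).values()))
```

Running the same check over a real RDS file before import shows how many entries each categorization would drop, which is worth recording in case notes when a known-good filter is later questioned.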
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 8, 2016 - 11:08:   

Preview 5:

* Accelerated PhotoDNA matching by roughly 20%.

* Checking the PhotoDNA database for a given hash value manually now returns up to 19 matches and points out how precise each match is (the higher, the more precise; same basic scale as the user-specified strictness for matching, i.e. level 1 means very rough match). You have the option to narrow down the result list to more precise matches by enforcing a higher minimum strictness level.

* Double-checks with the user if the lowest possible strictness level is selected for PhotoDNA matching (level 1), as that level is known to occasionally deliver false matches. That level is offered in X-Ways Forensics only because it is provisionally suggested by the original developers of PhotoDNA. The recommended and default level in X-Ways Forensics is level 3.

* The option to avoid damaged hard disk areas when cloning disks, by skipping sectors once a bad sector was detected, can now perform much larger jumps and always jumps exactly by the desired sector count as specified by the user.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 9, 2016 - 10:27:   

Preview 6:

* Option to conveniently and freely select the path of the PhotoDNA database in the General Options dialog. Users may change from one database to the other at any time.

* Recategorization of existing PhotoDNA database entries that match new entries during import is now more exhaustive and no longer only affects the best matching entry. This comes at the cost of slower import procedures.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 9, 2016 - 16:33:   

Preview 7:

* Option to mark selected PhotoDNA categories as "preferred", with a black star. That way they will get priority if for a picture in the volume snapshot matches are found with hash values in different categories. Such preferred categories will be reported as a match even if alternative matches with non-preferred categories are much closer matches. That is useful for example if you have categories in your database that you trust to be accurate and suitable and others that you trust less, for example because they are known to contain errors (e.g. the same picture classified as CP and non-pertinent at the same time) and/or because they are from a foreign source and based on different laws and jurisdiction.

* When importing new hash values into the internal PhotoDNA database and one of the new hash values is similar to an existing or another new hash value, X-Ways Forensics may choose to overwrite the previous hash value with the new hash value and not keep the previous hash value, to keep the database compact and less redundant. This happens if the deviation between the two hash values is below a certain threshold. That threshold was now increased, which means more hash values are discarded if similar.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 11, 2016 - 13:55:   

Preview 8:

* The matching strictness settings for PhotoDNA database imports that allow to reduce redundancy and enhance consistency are now user-definable.

* The import statistics at the end now also reveal how many previously existing entries in the database adopted a new classification.

* Processing of EDB databases was revised, for higher speed and reliability while using less system resources. Fixed a very rare occurrence of an infinite loop while processing WebCache databases.

* Timestamps in the HTML previews of EDB databases are now output based on the user-defined timezone instead of UTC.
Ross Johnson
Username: ross_winpro_net

Registered: 1-1997
Posted on Friday, Aug 12, 2016 - 1:57:   

Preview 8:
Clone Disk (Copy Sectors)

1. the value entered into "Start Sector Destination" is no longer retained between uses (i.e. needs to be re-entered).

2. selecting "Avoid damaged areas" now FORCES use of "write pattern" when proceeding!


Thank you,
Ross@WinPro.net
Coast Two Data Recovery
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 17, 2016 - 21:11:   

Preview 9:

* Ability to view and preview files with the viewer component that are larger than 2 GB.

* Maximum number of search terms listed in the Search terms column increased from 25 to 50.

* X-Ways Forensics now supports multiple images with the same name in the same case, for any case created by v16.1 or later. Useful for example for users who for some reason acquire media with an imaging device that assigns the same filename to all images. Also useful if you encounter multiple images with the same name within images (not uncommon for virtual machine disks used by a suspect) so that you do not have to individually name those files. Please note that you should not work with evidence objects affected by conflicting image filenames in v18.9 or earlier as these versions may load the wrong volume snapshot.

* Extraction of Windows PowerShell events and their most important values from Windows event logs and output to the event list. These events include starting and stopping the console and execution of or failure to execute scripts (including their paths). Potentially useful for malware investigations.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 25, 2016 - 8:04:   

Preview 10:

* 16-bit, 32-bit, and 64-bit checksums are now no longer computed byte-wise on an accumulator of the specified length, but are the sums of 16-bit, 32-bit, and 64-bit integer units, respectively.

* Some minor improvements.

* Same fix level as v18.9 SR-7.
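
Added example (not part of the original post and not X-Ways code): the two checksum definitions from Preview 10 side by side, to show why a checksum recorded with an earlier version will generally not match one computed by v19.0 over the same data. The post does not state byte order, overflow handling, or treatment of a trailing partial unit; little-endian units, wrap-around at the accumulator width, and zero padding are assumptions here.

```python
def checksum_bytewise(data: bytes, bits: int) -> int:
    """Old scheme: add every single byte into an accumulator of `bits` width."""
    mask = (1 << bits) - 1
    total = 0
    for b in data:
        total = (total + b) & mask
    return total


def checksum_units(data: bytes, bits: int, byteorder: str = "little") -> int:
    """New scheme: add integer units of `bits` width (16, 32 or 64).

    Assumptions (not stated in the post): units are little-endian, the sum
    wraps at `bits`, and a trailing partial unit is padded with zero bytes.
    """
    if bits not in (16, 32, 64):
        raise ValueError("unit width must be 16, 32 or 64 bits")
    size = bits // 8
    mask = (1 << bits) - 1
    padded = data + b"\x00" * (-len(data) % size)
    total = 0
    for off in range(0, len(padded), size):
        unit = int.from_bytes(padded[off:off + size], byteorder)
        total = (total + unit) & mask
    return total


def compare(data: bytes) -> dict:
    """Return {bits: (bytewise, unit_based)} for all three supported widths."""
    return {bits: (checksum_bytewise(data, bits), checksum_units(data, bits))
            for bits in (16, 32, 64)}


# Constructed inputs: the second swaps the first two bytes of the first.
ORIGINAL = bytes([0x01, 0x02, 0x03, 0x04])
SWAPPED = bytes([0x02, 0x01, 0x03, 0x04])

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("swapped", SWAPPED)):
        for bits, (old, new) in compare(blob).items():
            print(f"{label:8s} {bits:2d}-bit  bytewise={old:#x}  units={new:#x}")
    # The byte-wise sum cannot see the swap; the unit-based sum can.
    print(checksum_bytewise(ORIGINAL, 16) == checksum_bytewise(SWAPPED, 16))
    print(checksum_units(ORIGINAL, 16) != checksum_units(SWAPPED, 16))
```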
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 6, 2016 - 13:42:   

Beta 1:

* To better utilize widescreen monitors and to assist examiners in particular in Asia, who may encounter text encoded in many different character sets and code pages in the same case, it is now possible to see multiple text interpretations of binary data in the hex editor's text display at the same time depending on the license type. You can choose the character sets/code pages in the View menu separately for each column. This is also useful to walk through the raw data of Outlook PST files that use cipher coding, to be able to read encoded ANSI text, encoded Unicode text, and totally unencoded text at the same time.

Personal license for WinHex: no more than 1 character set at a time
Professional license for WinHex: up to 2 character sets at a time
Specialist license for WinHex, X-Ways Investigator: up to 3 character sets at a time
WinHex Lab Edition, X-Ways Forensics: up to 4 character sets at a time

Please note that any text input from the keyboard is interpreted as being based on the ANSI code page that is active in Windows, except if the primary text column is set to the IBM/OEM/DOS code page 850 (Latin I), in which case input is based on that code page, just as in previous versions of WinHex/X-Ways Forensics.

* If the user forces the interpretation of a volume as NTFS because the boot sector does not identify the file system as NTFS any more and the backup boot sector is not present either, WinHex will now prompt you for the presumed cluster size so that you do not have to superimpose a dummy boot sector to get the location of file data right (assuming FILE records are found by the particularly thorough file system data structure search).

* A new column named "FS offset" (specialist license or higher) shows the offset of the defining data structure of a file or directory in the file system, i.e. the structure that is the basis for the inclusion of a file in the volume snapshot. That offset is where you can check details manually in case there are any doubts about where X-Ways Forensics got the file system level metadata from. This is also where you may apply a suitable template to get an alternative interpretation and where you can point disadvantaged users of other tools to as they may not be able to find such a crucial location otherwise or don't even get certain deleted files listed. Carved files and files that are embedded in other files for obvious reasons do not have such an offset in the file system (or in the case of carved files at least it is not known to X-Ways Forensics). The file system offset is also where you navigate to when you use the dedicated context menu command to locate a file's FILE record/inode/file entry/catalog key etc., as known from all versions. The context menu command to sort by defining data structures' offsets has become obsolete now that users can sort by the new column.

* A new option for image verification immediately after creation allows to exhaust system memory prior to the verification to invalidate and thwart any file buffers employed by Windows so that the data of the image is read directly from the disk for the verification and not taken from the memory buffer. This option exists for small images and for somewhat paranoid or uber-diligent users. It is not required for images that are much larger than the physical amount of RAM that is installed in your machine because by the time when the final parts of the image have been written, the initial parts are no longer in the buffer, and once the final parts are about to be verified they are no longer in the buffer because at that time the initial parts are in the buffer as they have been verified just before. Your system may behave a little bit sluggish for a while when using this option, and verification may be slightly slower than normally.

* The Chinese translation of the user interface is now available with any license type.

* Generator signatures updated.

* Parsing of ODATA/JSON files revised.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 11, 2016 - 12:51:   

Beta 2:

* Block hash matches can now be larger than ~ 64 KB. Thus longer matches no longer need to be split up into fragments of ~ 64 KB each.

* Physical user search hits (i.e. those defined in Disk/Partition/Volume mode) may now be larger than ~ 64 KB as well.

* The comparison function of the File Tools menu has been moved to the Tools menu and was revised for users of X-Ways Forensics. It now has an option to output identified different or identical data areas as search hits (1 entry per matching area) instead of a text file (1 line per matching byte), for convenient review and navigation right within the program in the search hit list, similar to block hash matches. This option is only available if at least the 2nd data source is an evidence object. The result can be seen in the search hit list of that evidence object. Useful for example for users who wish to compare cloned disks with minor changes, if they have different hashes or one of them has been used a little more, to actually locate the differences and better understand what has caused them. Useful also to compare component disks of a hardware RAID level 0 system or mirrored volumes, to check whether they are really absolutely identical, and if not to easily find the areas that differ, see how large they are, what kind of data these areas contain, and assess whether the second copy requires full treatment itself including carving, keyword searches etc. Please remember that to visually check the data in multiple data windows for differences at corresponding offsets, you can use the Synchronize and Compare command.

* The length of block hash matches, physical user search hits and comparison results in the search hit list is now shown in the Size column. This is useful for example to be able to sort block hash matches by the lengths and review more important (larger) matches first.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 15, 2016 - 12:21:   

Beta 3:

* When starting up another instance, you are now shown which instances are already running with which cases loaded, and you can pick which exact instance you would like to analyze or recover, and you now have the option to kill a specific instance, just like with the Windows Task Manager (however, you can be more sure which instance you want to kill because you see the name of the loaded cases).

* PhotoDNA hash values are now computed and matched only if the picture contains a total number of pixels that is larger than a user-defined minimum (width times height). This avoids database look-ups that can be time-consuming in very large PhotoDNA hash databases and typically have no benefit for small garbage pictures. The minimum dimensions allowed as a condition are 50x50 pixels, and that was also the implicit condition in previous versions. The PhotoDNA algorithm intrinsically requires a certain minimum number of pixels to provide meaningful results.

* Generator signature definitions significantly extended.

* Internal file archive handling revised.

* The options to highlight free space and slack space for specialist licenses and higher have been moved to the General Options dialog window.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 26, 2016 - 6:52:   

Beta 4:

* Analogously to the logical search, the file processing part of volume snapshot refinements now supports multiple threads (only if not applied to a selection). Depending on the selected operations and the types of the files in the volume, and depending on I/O speed, this can double, triplicate or even quadruplicate the performance. The faster your mass storage solution (HDD, SSD, RAID) in terms of seek times and data transfer speed, the more time you save percentage-wise. This parallelization feature is still considered experimental and not complete yet, but the potential time saving in one of the most important and most time-consuming functions of the program is already enormous.

Selecting multiple threads has an effect only when searching in evidence objects that are images or directories, not disks. If you select just 1 thread, it will work as in X-Ways Forensics versions before 19.0. If you select 2 or more threads, processing is done in additional worker threads (as many as you select), and the main thread of the process will be idle, which means the GUI will remain highly responsive. In X-Ways Investigator up to 2 worker threads may be used, in X-Ways Forensics up to 8, if your CPU supports that. If multi-threaded processing crashes, next time when you restart the program it cannot tell you which file presumably caused the crash.

File-wise processing conducted by X-Tensions (through calls of XT_ProcessItem or XT_ProcessItemEx) is also parallelized if the X-Tension identifies itself as thread-safe. Processing of files in file archives is currently excluded from parallelization internally. Parallelization is currently not offered as an option if indexing is selected.

* The option to exhaust system memory before image verification has been improved, and its performance penalty has been minimized.

* Progress notifications are now optionally sent only if the workstation is locked, i.e. if the user has left his or her workplace.

* Ability to parse Ext* file systems with a block size that is smaller than the sector size of the surrounding physical image, as possible in Android devices.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 9, 2016 - 17:59:   

Beta 5:

* File header signatures may now be optionally defined in the "File Type Signatures *.txt" files in direct (not GREP) notation, with the new flag "d". Useful for example if you are not very familiar with GREP notation or don't need GREP and just want to get all characters interpreted literally according to the code page that is active in your Windows system, without thinking much about whether the characters are considered special characters in GREP. For example, <?xml version="1 is a valid signature for certain XML files, but it works only with the new direct flag because the question mark has a special meaning in GREP, which results in a different byte value sequence for the signature internally if the entire expression is interpreted as GREP, and would not yield any matches if GREP interpretation is active.

* A new flag "L" in "File Type Signatures Search.txt" identifies links that merely link to other definitions. Useful for example to have an entry for OpenOffice files, which was missed by some users and whose absence could lead to the misconception that it is not possible to carve OpenOffice files with WinHex or X-Ways Forensics. If the entry for OpenOffice is selected for carving, this internally automatically selects zip archives for carving, which makes sense because OpenOffice files technically are zip files and can be carved as such. The disadvantage is just that other zip archives that are not OpenOffice files are also carved. However, those files will be distinguishable thanks to the internal file type detection, for example based on the automatically assigned filename extension.

* Ability to see the description of report tables directly in the dialog windows for the report table filter and the creation and management of report tables and report table associations.

* Ability to load larger parts of large hash databases into main memory when matching hash values against them, for higher performance, and the user may now customize how much of the available memory should be allocated.

* The minimum total number of pixels in a picture required to compute the skin tone percentage and check for black & white is now user-definable. If a picture has fewer pixels, it will show as "irrelevant" in the Analysis column, and a little bit of time will be saved by not checking the pixel colors. The minimum width and height used to be 16 pixels in all previous versions. The new default now is 32x32=1024 pixels in total.

* The weight with which the currentness and the size of a file affect its computed generic relevance is now user-definable. 100% means default weight. 50% means half of that. 0% means the factor has no effect at all. The maximum is 255%.

* The computed generic relevance of files is now presented as a value.

* LVM2 container partitions are now recognized as such even if the designated partition type in the MBR or GPT is wrong.

* Extraction of Exif metadata from Nikon cameras improved.

* The amount of time that volume snapshot refinement took is now shown in the Messages window if applied to selected evidence objects. Useful to run your own performance tests with single or multiple threads.

* Generator signature coverage brought further to perfection.

* Several minor improvements.

* Some fixes.

* Same fix level as v18.9 SR-10.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 11, 2016 - 12:46:   

Beta 6:

* Reduced the number of false file carving hits with presumed NTFS compression.

* If the file header signature search crashes when parsing the data starting from a certain sector, assuming a certain file format, previously only one such sector was remembered and automatically skipped when running the file header signature again. Now up to 8 such sector numbers are remembered, and they are stored in the evidence object properties instead of the volume snapshot, which means they do not get lost any more when taking a new volume snapshot. They can be seen and edited when clicking the new "..." button in the evidence object properties dialog window.

* New X-Tensions API function: XWF_SetHashValue

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 14, 2016 - 11:38:   

Beta 7:

* Metadata extraction support for the spartan.edb database of the Edge browser. An HTML-formatted preview is generated and events will be added to the event list for all favorites and ReadingList entries.

* Presenting .eml files without headers and alternative .eml preview are now two separate options and can be combined with one another.

* New case report option: If .eml files are represented in HTML directly in the browser, attachments can now be optionally copied along with the .eml files and linked from the HTML representation.

* New general option: Always request user input for raw images to confirm the kind of the image (volume or disk), the sector size to assume and the path for potentially existing additional image file segments. Exactly what happens if you hold the Shift key while invoking image interpretation or while adding the image to a case. Usually not necessary if the image was created by X-Ways Forensics itself, but still some removable media (USB sticks and memory cards) may have been used and formatted as both volume and partitioned medium at different times. In such a situation interpretation as volume and as partitioned medium may reveal different file systems that overlap each other.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2016 - 6:02:   

v19.0 was just released. Additional improvements since Beta 7:

* For performance reasons, a new option allows to not hash very large files. This can save a lot of time and disk I/O. Often no hash values are required for very large files (such as backups, virtual machine disk files, databases, pagefiles, $UsnJrnl:$J, ...) because many of them are quite unique and not what users are looking for based on hash values, nor are they usually included in known-files hash databases. A reason not to use this option for example perhaps would be if you are looking for high quality pirated copies of movies.

* For performance comparison tests you may find it desirable to discard all the file buffers that Windows maintains when it has more than enough memory, so that you can run the same operations on the same image again, without skewed results for the second attempt because less disk I/O is required thanks to buffering. A function to recycle/exhaust excess main memory can now be found in the Options | Security dialog. Click the button with the recycling symbol.

* An unlabelled (but tooltipped) check box in the volume snapshot refinement dialog window can now make X-Ways Forensics reveal which suboperation is currently applied to the currently processed file. A 3-digit abbreviation will be displayed with the following meaning:
Sig: file type verification
Hsh: hashing
Vid: capture sporadic still images from videos
Idx: preprocessing original file contents for indexing
Dec: text decoding for indexing
IdX: preprocessing decoded text for indexing
Emb: search for embedded data
PDN: PhotoDNA database matching
Pic: other picture analysis steps
Eml: e-mail extraction
Fuz: FuzZyDoc database matching
Met: metadata extraction
Enc: file format specific encryption test
Ent: entropy check
Arc: inclusion of files in archives into the volume snapshot
This may be helpful for "educational" reasons, to give users a better idea of how computationally expensive certain suboperations are and how much time could be saved by not selecting them if not absolutely necessary. It may also prove useful for debugging purposes. Whether this option might slow down processing on certain computers has not been tested.

* MP3 metadata extraction revised. A reasonable subset will be output in the Metadata column to better distinguish between MP3 files of different natures/origins.

* User manual and program help updated for v19.0.
Ross Johnson
Username: ross_winpro_net

Registered: 1-1997
Posted on Monday, Oct 17, 2016 - 9:12:   

OK, I'll bite ...

#152: X-Ways Forensics, X-Ways Investigator, WinHex 19.0 released
includes the following line under "File Type Support":

" Thank you for reading every single bullet point!"

I assume this is not a new file type? haha?

Thank you,
Ross@WinPro.net
Coast Two Data Recovery
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2016 - 10:51:   

If anyone working for a UK government agency reads this, please be advised that you may have missed today's newsletter because of your recurring technical problem with Symantec:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of
its recipients. This is a permanent error. The following address(es)
failed:

***@***.pnn.police.uk:
SMTP error from remote server for TEXT command, host: ***.eu.messagelabs.com (193.1**.***.***) reason: 553-Message filtered. Refer to the Troubleshooting page at
553-http://www.symanteccloud.com/troubleshooting for more
553 information. (#5.7.1)


If you didn't receive it, you can read the newsletter in the newsletter archive instead. If you were affected, please also inform your colleagues. Thanks.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 18, 2016 - 9:23:   

v19.0 has a problem with Options | Security | Track memory allocations if fully checked. If your installation crashes when opening a case, please uncheck that box. Will be fixed in the next service release. The default state of that box in v19.0 is not checked. In previous versions the default state was half checked.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 27, 2016 - 6:57:   

SR-1:

* Fixed inability of v19.0 to recognize a few file types (those with the "x" flag), including SQLite 3.

* Fixed an instability problem in the registry viewer.

* Fixed crashes that could occur since v18.9 when extracting metadata from certain Linux PNG thumbnails.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 28, 2016 - 13:08:   

SR-1b:
(X-Ways Investigator only)

* Fixed an error in File mode in X-Ways Investigator.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 1, 2016 - 14:15:   

SR-2:

* Fixed inability of v19.0 to read a few sectors on very large hard disks.

* Fixed error in file type verification and uncovering embedded data when run with multiple threads.

* Fixed an error where attachments were not extracted from certain .eml files.

* Fixed new option to link attachments from HTML previews of e-mails in the case report.

* Fixed potentially wrong time zone translation of timestamps in transcoded Nikon photos.

* Some minor fixes and improvements.

Two users confirmed independently that the anti-virus software Webroot SecureAnywhere causes random crashes (program terminations) in X-Ways Forensics. So it is not recommended to use the two on the same computer at the same time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 4, 2016 - 8:18:   

SR-3:

* Fixed a volume snapshot data corruption problem in multi-threaded picture analysis and processing.

* More complete extraction of Chrome web history in some cases.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 6, 2016 - 13:38:   

SR-4:

* Fixed an exception error that could occur when providing the alternative e-mail representation for certain e-mail messages.

* Fixed a potential exception error that could occur when running a file header signature search on physical, partitioned media.

* Fixed inability of X-Ways Forensics 19.0 to view contained files in separate windows from within representations of the viewer component.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 8, 2016 - 19:08:   

In v19.0 through SR-4, before refining large volume snapshots (large volume snapshot = volume snapshot consisting of many files and directories, i.e. millions) with multiple threads, with operations that produce plenty of child objects, such as in particular "Include contents of ZIP and RAR archives etc.", it is recommended to disable the auto save interval in the case properties.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 14, 2016 - 8:37:   

SR-5:

* Fixed an I/O error that could occur when the case auto-save interval elapsed while refining the volume snapshot with multiple threads.

* Report table descriptions were not handled correctly when deleting a report table. That was fixed.

* Fixed a crash that could occur with certain SQLite databases.

* Fixed a rare exception error that could occur during multi-threaded relevance computation.

* Fixed an exception error that could occur when exporting search hits with context in TSV format.

* Extraction of certain embedded pictures in .eml files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Nov 19, 2016 - 17:15:   

SR-6:

* The hash filter did not correctly target the 2nd and 4th hash value if the hash type was 2 or 4 bytes in size (e.g. CRC32). That was fixed.

* Fixed an I/O error that could occur in v18.9 and v19.0 when applying File Recovery by Type to an uninterpreted image file.

* The internal graphics viewing library now represents Windows Bitmaps with 32 bits per pixel in correct colors. Fixed skin tone computation for certain Bitmaps with 8 bits per pixel.

* Fixed a potential infinite loop that could occur during a file header signature search for Zip archives when data of JNX files was found.

* Upward searches did not run correctly in v19.0. That was fixed.

* Minor fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 23, 2016 - 20:01:   

SR-7:

* Support for previously unsupported SQLite database files.

* Multi-threaded operations generally more reliable now.

* When matching the files in a volume snapshot against hash databases more than once, previous matches according to the "Hash set" column are now automatically discarded. The hash category remains. This is for performance reasons. Keeping previous and new matches consistent and free of duplications potentially took a lot of time and was not optimized. Users of v18.7 through v18.9 have the option to discard hash set matches and categorizations for selected files with Ctrl+Shift+Del first to accelerate re-matching.

* Fixed problems when loading certain GIF files that contain extension blocks.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 24, 2016 - 4:57:   

SR-7b:

* Fixed error in hash database matching with multiple threads.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 4, 2016 - 19:09:   

SR-8:

* Fixed a crash that could occur when exploring certain keys in registry hives.

* Fixed an exception error that could occur when uncovering embedded data in certain executable files.

* Fixed a rare exception error that could occur when verifying the type of zip archives.

* Sorting by filename extension is now case-insensitive.

* Fixed a crash that could occur in v19.0 when extracting e-mails/attachments from MBOX e-mail archives and original .eml files.

* Prevented unnecessary inclusion of traces of existing files from volume shadow copies in the volume snapshot in certain situations.

* Fixed a cause for multi-threading instability.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 5, 2016 - 20:05:   

The DLLs of the internal graphics viewing library were updated in the download.

* Improved stability with special GIF and TIFF pictures.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 11, 2016 - 17:02:   

SR-9:

* For some few JPEG/TIFF files the extracted "Content created" date was wrong or incorrectly marked as local time. That was fixed.

* There was a problem with the multi-threading option on VMDK images and in Ext* file systems. That was fixed.

* Prevented potential instability with carved .lnk shortcut files.

* Warns the user of GUID conflicts among Windows dynamic disks if open at the same time, to prevent wrong volume-disk connections.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 19, 2016 - 8:08:   

SR-10:

* Fixed inability of v19.0 SR-8 and SR-9 to make certain changes to PhotoDNA databases.

* The category of PhotoDNA hash database matches no longer supersedes that of regular hash database matches during the same snapshot refinement run.

* Fixed a potential crash that could occur when extracting metadata from $UsnJrnl:$J.

* Fixed an exception error that could occur when uncovering embedded data from PE executable files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 1, 2017 - 18:07:   

SR-11:

* Newly identified 3GP files were erroneously assigned to the category "Other/unknown type" by the file type verification in v19.0 SR-1 and later. That no longer happens.

* X-Tension API: Two new kinds of evidence object IDs can now be retrieved with the XWF_GetEvObjProp function (nPropType 3 and 4).

* Fixed inability of v19.0 to copy certain files along with the case report under certain circumstances if the type status was "newly identified".
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 12, 2017 - 19:20:   

SR-12:

* Fixed an I/O error that could occur when extracting e-mails from e-mail archives while multiple threads were active.

* Full filename matches in the Type filter did not count if the type status was "newly identified" or "confirmed". That was fixed. In v18.8 and later, full filename matches should have been ignored only if the type status was "mismatch detected".

* Fixed an exception error or crash that could occur under certain circumstances when opening partitions in X-Ways Investigator without opening the parent disk first.

* LVM2 container partitions are now interpreted properly even if the designated partition type in the MBR or GPT is wrong.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 16, 2017 - 20:10:   

SR-13:

* Many of the fixes introduced in later versions. Highly recommended to users whose update maintenance covered no more than v19.0. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 26, 2017 - 7:30:   

SR-14:

* Many of the fixes and some very few of the minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.0. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jul 15, 2017 - 5:44:   

SR-15:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.0. Available to these users on request for a limited time. This is probably the last service release for v19.0.

Forum operated by X-Ways Software Technology AG.