|Posted on Tuesday, Feb 7, 2017 - 19:29: |
A preview version of the dongle-based edition of X-Ways Forensics 19.2 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.2 Preview 1?
* A new filter concept was introduced, called FlexFilters. Two such filters are available in WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. They can target any column in the ordinary directory browser (i.e. not search hit list or event list specific columns) that the user wishes to focus on, with an arbitrary number of substrings, and they can be combined with a logical OR or a logical AND. So this makes them the only filters that can be combined with one another with a logical OR.
For example, these new filters are useful if you wish to target files that were created or modified not in a particular contiguous period of time, but generally on certain weekdays or on weekends, i.e. where either of these columns contains the word "Saturday" or "Sunday" in the long date notation format. They are also useful whenever the column-specific column filter does not give you as many options as you need (e.g. for Author, Sender, Recipients currently you can only enter one name or address or substring, and with the Description filter you cannot currently specifically target additional hard links that are optionally omitted from certain operations).
The color that indicates that a FlexFilter is active is violet instead of blue, so that it can be better distinguished from a regular column filter. Both FlexFilters come with a NOT option, and they may also target the same column, so that you can achieve results like "show all e-mail messages sent with the name John Doe in the sender field where the sender field does NOT contain the domain name company.com".
* Previous hash set matches for all files in a volume snapshot are not completely discarded any more when re-matching only selected or tagged files. Now only previous matches for those particular files are discarded.
* When taking a volume snapshot without sector level access, e.g. of a remote network drive or a directory or a local drive letter without administrator rights, overlong paths are now supported, up to ~1000 characters long.
* The most essential functions in X-Ways Forensics are now able to open files with overlong file paths up to ~1000 characters long (File mode, Preview mode, volume snapshot refinement, logical search).
* Sector superimposition used to affect specifically the disk/partition/volume represented by the data window to which it was applied. From now on, it also has an effect on partitions opened from within a physical, partitioned disk to which sector superimposition was applied.
* Support for iOS's sms.db. All recorded conversations via SMS are extracted to individual chat files. All messages are added to the event database, where they can be filtered based on phone number or email address.
* Improved support for regional code pages with variable-length character encoding for use in complex GREP expressions such as negated character sets.
* Import support for PhotoDNA hash values in hex ASCII notation in ProjectVic JSON files.
* A new option allows you to restrict picture loading to just 1 worker thread at a time, with a new check box next to "Picture analysis and processing", either strictly (fully checked) or not so strictly (half checked). Please give this option a try if you experience exception errors or crashes when multiple pictures are processed simultaneously.
* A few file type designations were assigned to multiple categories previously. That was tidied up.
* Several minor improvements.
* Same fix level as v19.1 SR-3.
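To make the FlexFilter semantics from the first post concrete (two column/substring filters, each with an optional NOT, joined by OR or AND), here is an added emulation in Python. It is not X-Ways code; the rows, column names, long date notation and the `summarize` helper are constructed assumptions for illustration, and the weekend example uses the OR combination exactly as the post describes.

```python
from dataclasses import dataclass
from datetime import datetime


def long_date(dt: datetime) -> str:
    """Long date notation with the weekday spelled out, e.g. 'Saturday, February 04, 2017 10:15:00'."""
    return dt.strftime("%A, %B %d, %Y %H:%M:%S")


# Constructed sample directory-browser rows (not real case data). Column names are assumptions.
ROWS = [
    {"name": "report.docx",
     "created": long_date(datetime(2017, 2, 4, 10, 15)),    # Saturday
     "modified": long_date(datetime(2017, 2, 6, 9, 0)),     # Monday
     "sender": "John Doe <john.doe@company.com>"},
    {"name": "photo.jpg",
     "created": long_date(datetime(2017, 2, 2, 18, 30)),    # Thursday
     "modified": long_date(datetime(2017, 2, 5, 11, 45)),   # Sunday
     "sender": ""},
    {"name": "notes.txt",
     "created": long_date(datetime(2017, 2, 7, 8, 0)),      # Tuesday
     "modified": long_date(datetime(2017, 2, 7, 8, 5)),     # Tuesday
     "sender": "John Doe <jd@example.org>"},
    {"name": "invoice.pdf",
     "created": long_date(datetime(2017, 2, 6, 14, 20)),    # Monday
     "modified": long_date(datetime(2017, 2, 7, 16, 0)),    # Tuesday
     "sender": "Jane Roe <jane@company.com>"},
]


@dataclass
class FlexFilter:
    """One FlexFilter: a target column, any number of substrings, optional NOT."""
    column: str
    substrings: list
    negate: bool = False

    def matches(self, row: dict) -> bool:
        value = str(row.get(self.column, ""))
        hit = any(sub in value for sub in self.substrings)
        return (not hit) if self.negate else hit

    def describe(self) -> str:
        op = "does NOT contain" if self.negate else "contains"
        return f"{self.column} {op} any of {self.substrings}"


def apply_flexfilters(rows, first: FlexFilter, second: FlexFilter, combine: str = "OR") -> list:
    """Return the names of rows that pass both filters combined with OR or AND."""
    if combine not in ("OR", "AND"):
        raise ValueError("combine must be 'OR' or 'AND'")
    join = any if combine == "OR" else all
    return [row["name"] for row in rows if join(f.matches(row) for f in (first, second))]


def summarize(first: FlexFilter, second: FlexFilter, combine: str) -> str:
    """Textual summary of the active filters (assumed format, not the program's own output)."""
    return f"FlexFilter 1: {first.describe()}\n{combine}\nFlexFilter 2: {second.describe()}"


if __name__ == "__main__":
    weekend_created = FlexFilter("created", ["Saturday", "Sunday"])
    weekend_modified = FlexFilter("modified", ["Saturday", "Sunday"])
    print(summarize(weekend_created, weekend_modified, "OR"))
    print(apply_flexfilters(ROWS, weekend_created, weekend_modified, "OR"))

    # Same column twice: sender contains "John Doe" AND sender does NOT contain "company.com".
    by_john = FlexFilter("sender", ["John Doe"])
    not_company = FlexFilter("sender", ["company.com"], negate=True)
    print(summarize(by_john, not_company, "AND"))
    print(apply_flexfilters(ROWS, by_john, not_company, "AND"))
```

Because the match is a plain substring test on the displayed text, the weekend filter only works when the column is shown in a long date notation that spells out the weekday, which is the dependency the post points out.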
|Posted on Tuesday, Feb 14, 2017 - 11:57: |
* Ability to output a textual summary of all currently active filters with their settings, by right-clicking the blue funnel symbol on the left or right end of the caption line of the directory browser.
* Metadata extraction from Quicktime video files revised. In particular, geo data is extracted from current iPhone .mov files.
* Type group designations are now displayed along with the type description in the "Type description" column.
* Outputs a file named ResIL.log in case of certain instability problems with picture processing for debugging purposes.
* Some minor improvements.
* Same fix level as v19.1 SR-4.
|Posted on Tuesday, Feb 21, 2017 - 20:39: |
* Ability to decompress files in file archives even if the archives are encrypted, provided that the password is known or can be guessed. X-Ways Forensics will quickly try any password listed in the case's password collection, which you can edit from within the case properties and which is stored as a UTF-16 encoded text file in the case directory, named "Passwords.txt". Almost all Unicode characters are supported, including space characters and Chinese characters etc. Passwords are case-sensitive. If the collection contains the right password, that password will be remembered in the file's extracted metadata and taken directly from there instead of the case's password collection if needed again later to open the files in the archive. Alternatively, you can provide a specific password for a particular file archive manually by editing that file's metadata; you just need to know that the password must be prepended with "Password: ". Files within encrypted file archives are not treated and shown as encrypted ("e") any more if the right password was available at the moment when the files were added to the volume snapshot. The archives themselves are still shown with the "e!" attribute, though. RAR archives and 7zip archives in which not only the file contents, but also the names are encrypted are not currently supported.
* Disk I/O X-Tensions can now not only intercept sector-wise I/O at the disk level (for example to decrypt encrypted disks or partitions on the fly and make X-Ways Forensics see the decrypted data), but can also intercept I/O at the file level (for example to decrypt encrypted files). The new function to export for that purpose is XT_FileIO. For details please see http://www.x-ways.net/forensics/x-tensions/api.html#diskio.
* A new X-Tension API function named XWF_FindItem1 allows you to conveniently find out the internal ID of a file with a given name in a given directory.
* Ability to recognize Linux MD RAID container partitions as such. They are represented as two distinct items: a static header area that contains metadata about the RAID (usually at relative offset 4096), and an explorable partition that serves as a RAID component. In case of RAID level 1 that explorable partition contains a fully self-contained volume whose file system can be parsed normally (without any reconstruction effort) if supported. In case of other RAID levels, the reconstruction can be accomplished with the Specialist | Reconstruct RAID command, and some hints on the correct reconstruction parameters are shown as comments attached to the header area item. The result of the reconstruction will be a single volume, which is represented as encompassed in a virtual physical disk. The RAID components have to remain in the case as evidence objects for internal reasons, to allow re-opening the reconstructed RAID with a single mouse-click later.
* Same fix level as v19.1 SR-5.
|Posted on Friday, Mar 3, 2017 - 18:20: |
* Thumbnails can now be created for and shown in the case report even when not copying and linking the original files.
* When clicking the link to an attachment from within the alternative e-mail preview, this now triggers the same action as if that file had been viewed from within the directory browser. That means that 1) it will be marked as already viewed, 2) depending on your preferences, if it's a picture, it will be either presented by the viewer component or the internal graphics display library, and 3) depending on your other viewer settings the file may be opened in an external program, for example if it is a video file.
* X-Ways Forensics can now try either a case-specific password collection or a general password collection for attacks on encrypted file archives.
* File type verification further improved.
* Files can now be extracted from e-mail related MIM archives as part of e-mail processing.
* Trailing data in JPEG files is now provided as a separate child object.
* Terminology: What was formerly designated as the stripe size is now correctly referred to as the strip size. The stripe size is the strip size multiplied by the number of RAID component disks, i.e. a whole row.
* Several minor improvements.
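The strip/stripe terminology in the post above (stripe size = strip size multiplied by the number of component disks, i.e. one whole row) decides how a reconstruction like the Specialist | Reconstruct RAID command mentioned in the Feb 21 post maps logical offsets onto the component disks. The following Python is an added illustration for a striped RAID 0 set, not X-Ways code: the component data is constructed, and the functions, parameter names and the RAID 0 layout (strips rotate through the disks in order, no parity) are assumptions made for the example. The same arithmetic generalizes to any strip size and disk count.

```python
def stripe_size(strip_size: int, disks: int) -> int:
    """One whole row: a strip on every component disk."""
    if strip_size <= 0 or disks <= 0:
        raise ValueError("strip size and disk count must be positive")
    return strip_size * disks


def locate(logical_offset: int, strip_size: int, disks: int) -> tuple:
    """Map an offset in the reconstructed RAID 0 volume to (disk index, offset on that disk).

    Row = which stripe the offset falls into; within the row, strips are laid out
    disk 0, disk 1, ... so the position inside the row selects the disk.
    """
    row, in_row = divmod(logical_offset, stripe_size(strip_size, disks))
    disk, in_strip = divmod(in_row, strip_size)
    return disk, row * strip_size + in_strip


def split_raid0(volume: bytes, strip_size: int, disks: int) -> list:
    """Write a logical volume out to `disks` component images (the forward direction)."""
    if len(volume) % stripe_size(strip_size, disks):
        raise ValueError("volume length must be a whole number of stripes")
    components = [bytearray() for _ in range(disks)]
    for offset in range(0, len(volume), strip_size):
        disk, _ = locate(offset, strip_size, disks)
        components[disk] += volume[offset:offset + strip_size]
    return [bytes(c) for c in components]


def reconstruct_raid0(components: list, strip_size: int) -> bytes:
    """Interleave component images back into the logical volume (the reverse direction).

    Using a wrong strip size or a wrong disk order produces a volume whose file system
    will not parse, which is why the header-area hints matter for reconstruction.
    """
    rows = len(components[0]) // strip_size
    out = bytearray()
    for row in range(rows):
        for comp in components:
            out += comp[row * strip_size:(row + 1) * strip_size]
    return bytes(out)


# Constructed sample: a 48-byte "volume" whose byte values equal their offsets,
# striped over 3 disks with a 4-byte strip (stripe size 12).
SAMPLE_VOLUME = bytes(range(48))
SAMPLE_STRIP = 4
SAMPLE_DISKS = 3
SAMPLE_COMPONENTS = split_raid0(SAMPLE_VOLUME, SAMPLE_STRIP, SAMPLE_DISKS)

if __name__ == "__main__":
    print("stripe size:", stripe_size(SAMPLE_STRIP, SAMPLE_DISKS))
    print("offset 13 lives at (disk, offset):", locate(13, SAMPLE_STRIP, SAMPLE_DISKS))
    print("round trip ok:", reconstruct_raid0(SAMPLE_COMPONENTS, SAMPLE_STRIP) == SAMPLE_VOLUME)
    print("wrong strip size ok:", reconstruct_raid0(SAMPLE_COMPONENTS, 8) == SAMPLE_VOLUME)
```

The round trip only succeeds with the strip size and disk order the set was written with; the last line shows that a plausible but wrong strip size silently yields a different byte sequence rather than an error, which is what the header-area hints in the Feb 21 post help avoid.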
|Posted on Tuesday, Mar 14, 2017 - 18:31: |
* Ability to recognize Windows storage pool container partitions.
* Ability to properly open partitions whose sector size is a multiple of the sector size of the underlying physical disk. This is important for example for Windows storage space partitions in Windows storage space pool disks. These partitions and disks have a simulated sector size of 4 KB even if they reside on physical disks with a sector size of 512 bytes.
* The search for lost partitions now finds NTFS storage space partitions within storage space container partitions despite sector size discrepancies, which is a useful work-around for simple single-disk storage spaces.
* Special support for Samsung Galaxy S6 and S7 JPEG metadata, which among other things contains the creation date with a precision of 1 ms.
* Extraction of metadata from JPEG files improved.
* Generator signatures further revised.
* Right-clicking a column header in the directory browser now quickly activates or deactivates that column's filter without showing the settings dialog window, just like when left-clicking the filter icon with the Shift key pressed.
* When running a simple linear search for a single match, a notification sound is now output once that match has been found if the program is running in the background, to alert the user.
* Some minor improvements.
|Posted on Friday, Mar 17, 2017 - 17:03: |
* Structure of Access button menu improved for partitioned disks. (Access button is the official name of the button with the white arrow, below the Sync button.)
* Technical details report slightly more complete now with partition names as per GUID partition tables.
* Slightly improved support for 4-digit 0-based filename extensions of segmented raw images.
* Some minor improvements.
* Same fix level as v19.1 SR-6.
|Posted on Monday, Mar 27, 2017 - 5:50: |
v19.2 was just released. Additional improvements:
* The case directory is the directory that has the same name as the .xfc case filename just without the extension. It is a subdirectory of the cases directory. There is now special support for the case directory as an image storage location. If images are moved to the case directory first and then added to the case or if the path of an existing image in the case is changed to that in the case directory with the "Replace with New Image" command, these images will be referenced internally without path, and thus the image can always be found instantly even if the case is moved to a different directory or if the drive letter changes. A case that has all images in its own directory can be considered fully self-contained. References to images in the case directory without path are understood by v19.0 SR-14, v19.1 SR-7, and v19.2.
* More metadata presented for JPEG files in Details mode.
* Changing the display time zone for an evidence object that is a partitioned, physical disk now automatically also changes the display time zone for all its partitions (dependent evidence objects).
* GPT partition names are now shown in the Name column as alternative names and should be helpful when examining Android phone images containing large numbers of partitions, revealing their respective functions.
* Indexing is now permitted as a sub-operation of a volume snapshot refinement run with multiple threads, though it is not further parallelized itself when multiple refinement threads are active.
* Updated file mask for uncovering embedded data.
* In replace mode for report table associations, the currently associated report tables are now automatically preselected, so that it's less work and less error-prone to remove or add one report table specifically.
* User manual and program help updated for v19.2.
|Posted on Tuesday, Mar 28, 2017 - 20:41: |
* Fixed an exception error that occurred in v19.2 with sector size 2048 bytes.
|Posted on Friday, Mar 31, 2017 - 16:46: |
I am new to X-Ways.
Do the final versions include all the improvements mentioned in Preview and Beta versions?
For example v19.2 released on Mar 27 in this case.
|Posted on Friday, Mar 31, 2017 - 16:55: |
Well, yes, of course. Why would we put an improvement into a Beta version and then remove it again for the release?
You can also subscribe to our newsletter which will contain the official full list of features, improvements and changes when a new release version comes out.
|Posted on Friday, Mar 31, 2017 - 17:37: |
Why would we put an improvement into a Beta version and then remove it again for the release?
Just to be sure. I don't know about your management of versions.
I found the official full list of features in the newsletter.
|Posted on Wednesday, Apr 5, 2017 - 12:32: |
* Fixed inability of v19.2 to remember the default volume snapshot refinement operations when run from the command line.
* Fixed inability of v19.2 to uncover embedded data from selected files.
* Fixed inability of v19.2 to take volume snapshots of drive letters without sector level access.
* Metadata extraction from certain irregular DOCX files supported.
* Improved internal handling of FlexFilters.
|Posted on Tuesday, Apr 18, 2017 - 20:29: |
* Now able again to cope with .e01 evidence files that are incorrectly marked as images or physical disks by 3rd party software although they are just volume images.
* Fixed incorrect extraction of attachments encoded by Gmail found in MBOX archives and loose EML files.
* Fixed a cause of instability when the "Search in directory browser cells (metadata)" option was used for the Simultaneous Search.
* Fixed a rare exception error that could occur when extracting metadata from certain corrupt Zip-styled Office document files.
* The option to show non-picture files in the gallery is now represented by a three-state check box. If half checked, only those non-picture files will be represented as thumbnails in the gallery whose type can be confirmed or newly identified by X-Ways Forensics. That means that files of unknown types and garbage files will not be represented in the gallery any more. This will speed up the gallery, reduce the number of thumbnails with just ASCII character gibberish in them, and perhaps most importantly prevent an error in the viewer component from occurring, which exhausts the pool of available GDI objects (handles in the graphics device interface of Windows) in the process and leads to graphical screen artifacts, loss of functionality or even crashes. So far only files with garbage data are known to trigger this error. The error is probably very rarely encountered when specifically viewing or previewing individual files only, but when reviewing large amounts of non-picture files in the gallery it becomes more likely to occur. The error is known to Oracle as bug #25430258. No fix has been made available yet.
* Images stored in nested subdirectories of the case directory instead of directly in the case directory are now also found immediately even if drive letter or absolute path of the case have changed.
* Chinese translation of the user interface updated.
* Some minor fixes.
|Posted on Sunday, Apr 23, 2017 - 20:30: |
* The timeout for the generation of thumbnails of non-picture files in the gallery is now the same user-defined value as previously used only for pictures that are loaded by the internal graphics viewing library. It can be adjusted in Options | Viewer Programs. A smaller value may result in a faster display of the gallery, but at the cost of interrupting the loading process of the viewer component for some files, in which case the gallery tile shows "Error - operation cancelled".
* v19.2 SR-2 did not properly execute external viewer programs. That was fixed.
* Videos are now again represented in the case report by their first extracted still as a thumbnail.
* If the output of the Compare function was a text file and the comparison start offsets in the two data windows were different, the second offset reported for a found difference was off. That was fixed.
* Fixed a problem in LVM2 support.
* Fixed a rare exception error that could occur when producing a registry report based on Reg Report Free Space.txt.
* Prevented rejection of certain ProjectVic JSON files for PhotoDNA import.
|Posted on Saturday, May 6, 2017 - 19:02: |
* Ability to show gallery tiles with rotating still images for processed videos in situations in which that did not work previously.
* Prevented a situation where the category statistics in the Category column's pop-up menu filter could be that of another data window.
* Fixed inability of v19.2 to take a volume snapshot of a directory with a network path (UNC path).
* The Exif metadata field formerly officially called "Date taken" is now called "Content modified" in X-Ways Forensics.
* A relative path for the PhotoDNA hash database is now supported and preserved in Options | General.
* Fixed slightly corrupted presentation of e-mail attachments in some specific situations (e.g. Facebook e-mail received via Hotmail).
* Run counts from Windows 10 Prefetch files, while shown correctly in Preview mode, were not extracted correctly into the Metadata column. That was fixed.
|Posted on Friday, May 26, 2017 - 7:33: |
* If original pictures were not included in the case report, but thumbnails of pictures were supposed to be output, those thumbnails were not generated for very small pictures. That was fixed.
* Under certain circumstances the detection of scanned images/PDF documents failed. That was fixed.
* The whole words only option of the Simultaneous Search is no longer applied to search hits that are not words according to the user's selected alphabet definition (checking only the first and the last character in the hit). However, the GREP word boundary indicator \b is still applied in such a case, for example to be able to search for certain data in between words, data that is not considered a word itself.
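The last item above distinguishes two mechanisms: the "whole words only" option, which is now skipped for hits whose first or last character is not a word character according to the selected alphabet, and the GREP word boundary `\b`, which is still honoured and can be used to find data between words that is not a word itself. The following Python is an added emulation of that distinction, not the program's own search code; the sample text, the ASCII-only alphabet and the function names are constructed assumptions, and Python's `re` module stands in for the GREP engine.

```python
import re
import string

# Assumed alphabet definition: letters and digits count as word characters,
# everything else ('-', '@', ':', space, ...) does not.
ALPHABET = frozenset(string.ascii_letters + string.digits)

# Constructed sample text (not real evidence).
SAMPLE = "the firewall-rule fires at 08:00; email: admin@corp.example"


def whole_word_hits(text: str, term: str, alphabet=ALPHABET) -> list:
    """Offsets of `term` in `text` under the revised 'whole words only' behaviour.

    The whole-word check (no word character directly before or after the hit) is applied
    only when both the first and the last character of the hit are word characters per the
    alphabet. A hit such as '@corp' is not a word itself, so it is reported as found.
    """
    if not term:
        raise ValueError("empty search term")
    is_word = term[0] in alphabet and term[-1] in alphabet
    hits = []
    for m in re.finditer(re.escape(term), text):
        start, end = m.start(), m.end()
        if is_word:
            before_ok = start == 0 or text[start - 1] not in alphabet
            after_ok = end == len(text) or text[end] not in alphabet
            if not (before_ok and after_ok):
                continue
        hits.append(start)
    return hits


def grep_hits(text: str, pattern: str) -> list:
    """Offsets of matches for a GREP-style pattern; \\b boundaries are left to the regex engine."""
    return [m.start() for m in re.finditer(pattern, text)]


if __name__ == "__main__":
    print("fire  (whole words):", whole_word_hits(SAMPLE, "fire"))    # inside firewall/fires -> none
    print("rule  (whole words):", whole_word_hits(SAMPLE, "rule"))    # bounded by '-' and ' ' -> found
    print("@corp (whole words):", whole_word_hits(SAMPLE, "@corp"))   # not a word -> check skipped
    print(r"\bfire\b (GREP):", grep_hits(SAMPLE, r"\bfire\b"))
    print(r"\b@corp  (GREP):", grep_hits(SAMPLE, r"\b@corp"))        # boundary between 'n' and '@'
```

Note that the emulated alphabet check and the regex `\b` do not agree on what a word character is in general (Python's `\w` includes the underscore and non-ASCII letters), which mirrors why the post treats the two mechanisms separately.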