Posted on Tuesday, Feb 7, 2017 - 19:29:
A preview version of the dongle-based edition of X-Ways Forensics 19.2 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.2 Preview 1?
* A new filter concept was introduced, called FlexFilters. Two such filters are available in WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. They can target any column in the ordinary directory browser (i.e. not search hit list or event list specific columns) that the user wishes to focus on, with an arbitrary number of substrings, and they can be combined with a logical OR or a logical AND. So this makes them the only filters that can be combined with one another with a logical OR.
For example, these new filters are useful if you wish to target files that were created or modified not in a particular contiguous period of time, but generally on certain weekdays or on weekends, i.e. where either of these columns contains the word "Saturday" or "Sunday" in the long date notation format. They are also useful whenever the column-specific column filter does not give you as many options as you need (e.g. for Author, Sender, Recipients you can currently only enter one name or address or substring, and with the Description filter you cannot currently specifically target additional hard links that are optionally omitted from certain operations).
The color that indicates that a FlexFilter is active is violet instead of blue, so that it can be better distinguished from a regular column filter. Both FlexFilters come with a NOT option, and they may also target the same column, so that you can achieve results like "show all e-mail messages sent with the name John Doe in the sender field where the sender field does NOT contain the domain name company.com".
* Previous hash set matches for all files in a volume snapshot are not completely discarded any more when re-matching only selected or tagged files. Now only previous matches for those particular files are discarded.
* When taking a volume snapshot without sector level access, e.g. of a remote network drive or a directory or a local drive letter without administrator rights, overlong paths are now supported, up to ~1000 characters long.
* The most essential functions in X-Ways Forensics are now able to open files with overlong file paths up to ~1000 characters long (File mode, Preview mode, volume snapshot refinement, logical search).
* Sector superimposition used to affect specifically the disk/partition/volume represented by the data window to which it was applied. From now on, it also has an effect on partitions opened from within a physical, partitioned disk to which sector superimposition was applied.
* Support for iOS's sms.db. All recorded conversations via SMS are extracted to individual chat files. All messages are added to the event database, where they can be filtered based on phone number or email address.
* Improved support for regional code pages with variable-length character encoding for use in complex GREP expressions such as negated character sets.
* Import support for PhotoDNA hash values in hex ASCII notation in ProjectVic JSON files.
* A new option allows you to restrict picture loading to just 1 worker thread at a time, with a new check box next to "Picture analysis and processing", either strictly (fully checked) or not so strictly (half checked). Please give this option a try if you experience exception errors or crashes when multiple pictures are processed simultaneously.
* A few file type designations were assigned to multiple categories previously. That was tidied up.
* Several minor improvements.
* Same fix level as v19.1 SR-3.
Posted on Tuesday, Feb 14, 2017 - 11:57:
* Ability to output a textual summary of all currently active filters with their settings, by right-clicking the blue funnel symbol on the left or right end of the caption line of the directory browser.
* Metadata extraction from Quicktime video files revised. In particular, geo data is extracted from current iPhone .mov files.
* Type group designations are now displayed along with the type description in the "Type description" column.
* Outputs a file named ResIL.log in case of certain instability problems with picture processing for debugging purposes.
* Some minor improvements.
* Same fix level as v19.1 SR-4.
Posted on Tuesday, Feb 21, 2017 - 20:39:
* Ability to decompress files in file archives even if the archives are encrypted, provided that the password is known or can be guessed. X-Ways Forensics will quickly try any password listed in the case's password collection, which you can edit from within the case properties and which is stored as a UTF-16 encoded text file in the case directory, named "Passwords.txt". Almost all Unicode characters are supported, including space characters and Chinese characters etc. Passwords are case-sensitive. If the collection contains the right password, that password will be remembered in the file's extracted metadata and taken directly from there instead of the case's password collection if needed again later to open the files in the archive. Alternatively, you can provide a specific password for a particular file archive manually by editing that file's metadata; you just need to know that the password must be prefixed with "Password: ". Files within encrypted file archives are not treated and shown as encrypted ("e") any more if the right password was available at the moment when the files were added to the volume snapshot. The archives themselves are still shown with the "e!" attribute, though. RAR archives and 7zip archives in which not only the file contents, but also the names are encrypted are not currently supported.
* Disk I/O X-Tensions can now not only intercept sector-wise I/O at the disk level (for example to decrypt encrypted disks or partitions on the fly and make X-Ways Forensics see the decrypted data), but can also intercept I/O at the file level (for example to decrypt encrypted files). The new function to export for that purpose is XT_FileIO. For details please see http://www.x-ways.net/forensics/x-tensions/api.html#diskio.
* A new X-Tension API function named XWF_FindItem1 allows to conveniently find out the internal ID of a file with a given name in a given directory.
* Ability to recognize Linux MD RAID container partitions as such. They are represented as two distinct items: a static header area that contains metadata about the RAID (usually at relative offset 4096), and an explorable partition that serves as a RAID component. In case of RAID level 1 that explorable partition contains a fully self-contained volume whose file system can be parsed normally (without any reconstruction effort) if supported. In case of other RAID levels, the reconstruction can be accomplished with the Specialist | Reconstruct RAID command, and some hints on the correct reconstruction parameters are shown as comments attached to the header area item. The result of the reconstruction will be a single volume, which is represented as encompassed in a virtual physical disk. The RAID components have to remain in the case as evidence objects for internal reasons, to allow the reconstructed RAID to be re-opened with a single mouse-click later.
* Same fix level as v19.1 SR-5.
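The MD RAID header area mentioned in the post above is the Linux md v1.x superblock (v1.2 sits 4096 bytes into the component), and the "hints on the correct reconstruction parameters" are exactly the fields an examiner needs before running a RAID reconstruction: level, chunk (strip) size, number of component disks and the data offset. The following is an added example, not part of the post and not X-Ways' own code. It parses those fields according to the kernel's `mdp_superblock_1` layout (linux/raid/md_p.h) and derives the strip and stripe sizes in the terminology used later in this thread (stripe size = strip size × number of component disks). The sample component image is constructed in the code; the helper names are my own.

```python
"""Read a Linux MD RAID v1.x superblock from a component image and derive the
parameters an examiner needs for a RAID reconstruction.

Field offsets follow struct mdp_superblock_1 (linux/raid/md_p.h):
  0  magic (0xa92b4efc)   4  major_version   8  feature_map
  16 set_uuid[16]        32  set_name[32]    64  ctime
  72 level (signed)      76  layout          80  size (sectors)
  88 chunksize (sectors) 92  raid_disks     128  data_offset (sectors)
  136 data_size          144 super_offset
"""
import struct

MD_SB_MAGIC = 0xA92B4EFC
SECTOR = 512                 # md counts sizes/offsets in 512-byte sectors
SB_OFFSET_V12 = 4096         # v1.2 superblock position (v1.1 is at offset 0)
LEVEL_NAMES = {-1: "linear", 0: "raid0", 1: "raid1", 4: "raid4",
               5: "raid5", 6: "raid6", 10: "raid10"}


def find_md_superblock(component: bytes) -> int:
    """Return the offset of an md v1.x superblock (v1.2 at 4096 or v1.1 at 0).

    v1.0 superblocks live near the end of the device and are not probed here.
    Raises ValueError if neither candidate offset carries the magic."""
    for off in (SB_OFFSET_V12, 0):
        if len(component) >= off + 4:
            (magic,) = struct.unpack_from("<I", component, off)
            if magic == MD_SB_MAGIC:
                return off
    raise ValueError("no md v1.1/v1.2 superblock found")


def parse_md_superblock(component: bytes, sb_offset: int = SB_OFFSET_V12) -> dict:
    """Decode the constant part of the superblock at sb_offset into a dict."""
    sb = component[sb_offset:sb_offset + 152]
    if len(sb) < 152:
        raise ValueError("component too short for an md superblock")
    magic, major, feature_map = struct.unpack_from("<III", sb, 0)
    if magic != MD_SB_MAGIC:
        raise ValueError(f"bad md magic {magic:#x}")
    if major != 1:
        raise ValueError(f"unsupported md major version {major}")
    set_name = sb[32:64].split(b"\0", 1)[0].decode("ascii", "replace")
    ctime, level, layout, size = struct.unpack_from("<QiIQ", sb, 64)
    chunksize, raid_disks = struct.unpack_from("<II", sb, 88)
    data_offset, data_size, super_offset = struct.unpack_from("<QQQ", sb, 128)
    return {
        "feature_map": feature_map,
        "set_uuid": sb[16:32].hex(),
        "set_name": set_name,
        "ctime_seconds": ctime & ((1 << 40) - 1),   # low 40 bits are seconds
        "level": level,
        "level_name": LEVEL_NAMES.get(level, f"unknown({level})"),
        "layout": layout,
        "size_sectors": size,
        "chunk_sectors": chunksize,
        "raid_disks": raid_disks,
        "data_offset_sectors": data_offset,
        "data_size_sectors": data_size,
        "super_offset_sectors": super_offset,
    }


def reconstruction_hints(info: dict) -> dict:
    """Turn the raw fields into the numbers a reconstruction dialog asks for.

    Strip size is the per-disk chunk; stripe size is one whole row across all
    component disks (the definition used in this thread). RAID 1 components
    hold a complete volume and need no reconstruction."""
    strip = info["chunk_sectors"] * SECTOR
    return {
        "level_name": info["level_name"],
        "component_disks": info["raid_disks"],
        "strip_size_bytes": strip,
        "stripe_size_bytes": strip * info["raid_disks"],
        "data_offset_bytes": info["data_offset_sectors"] * SECTOR,
        "needs_reconstruction": info["level"] != 1,
    }


def build_sample_component(level: int = 5, chunk_sectors: int = 1024,
                           raid_disks: int = 3) -> bytes:
    """Constructed sample: 4 KiB of leading space, a v1.2 superblock, padding."""
    sb = bytearray(256)
    struct.pack_into("<III", sb, 0, MD_SB_MAGIC, 1, 0)
    sb[16:32] = bytes(range(16))                         # fake set_uuid
    sb[32:64] = b"lab:0".ljust(32, b"\0")                # fake set_name
    struct.pack_into("<QiIQ", sb, 64, 0, level, 2, 2_000_000)
    struct.pack_into("<II", sb, 88, chunk_sectors, raid_disks)
    struct.pack_into("<QQQ", sb, 128, 2048, 2_000_000, 8)  # data at sector 2048
    return bytes(SB_OFFSET_V12) + bytes(sb) + bytes(4096 - 256)


if __name__ == "__main__":
    img = build_sample_component()
    off = find_md_superblock(img)
    info = parse_md_superblock(img, off)
    for k, v in reconstruction_hints(info).items():
        print(f"{k}: {v}")
```

On a real component you would read the first 8 KiB of the explorable partition, call `find_md_superblock`, then `parse_md_superblock`; the strip size, component count and data offset printed by `reconstruction_hints` are what the Reconstruct RAID command needs, while a level-1 member can simply be opened as a normal volume.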
Posted on Friday, Mar 3, 2017 - 18:20:
* Thumbnails can now be created for and shown in the case report even when not copying and linking the original files.
* When clicking the link to an attachment from within the alternative e-mail preview, this now triggers the same action as if that file had been viewed from within the directory browser. That means that 1) it will be marked as already viewed, 2) depending on your preferences, if it's a picture, it will be either presented by the viewer component or the internal graphics display library, and 3) depending on your other viewer settings the file may be opened in an external program, for example if it is a video file.
* X-Ways Forensics can now try either a case-specific password collection or a general password collection for attacks on encrypted file archives.
* File type verification further improved.
* Files can now be extracted from e-mail related MIM archives as part of e-mail processing.
* Trailing data in JPEG files is now provided as a separate child object.
* Terminology: What was formerly designated as the stripe size is now correctly referred to as the strip size. The stripe size is the strip size multiplied by the number of RAID component disks, i.e. a whole row.
* Several minor improvements.
Posted on Tuesday, Mar 14, 2017 - 18:31:
* Ability to recognize Windows storage pool container partitions.
* Ability to properly open partitions whose sector size is a multiple of the sector size of the underlying physical disk. This is important for example for Windows storage space partitions in Windows storage space pool disks. These partitions and disks have a simulated sector size of 4 KB even if they reside on physical disks with a sector size of 512 bytes.
* The search for lost partitions now finds NTFS storage space partitions within storage space container partitions despite sector size discrepancies, which is a useful work-around for simple storage spaces.
* Special support for Samsung Galaxy S6 and S7 JPEG metadata, which among others contain the creation date with a precision of 1 ms.
* Extraction of metadata from JPEG files improved.
* Generator signatures further revised.
* Right-clicking a column header in the directory browser now quickly toggles that column's filter without seeing the settings dialog window, just like when left-clicking the filter icon with the Shift key pressed.
* A notification sound is output to alert the user when a simple linear search for a single match has found that match while the program is running in the background.
* Some minor improvements.
Posted on Friday, Mar 17, 2017 - 17:03:
* Structure of Access button menu improved for partitioned disks. (Access button is the official name of the button with the white arrow, below the Sync button.)
* Technical details report slightly more complete now with partition names as per GUID partition tables.
* Slightly improved support for 4-digit 0-based filename extensions of segmented raw images.
* Some minor improvements.
* Same fix level as v19.1 SR-6.