X-Ways Forensics 19.3 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 19.3 « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 2, 2017 - 9:23:   

A preview version of the dongle-based edition of X-Ways Forensics 19.3 is now available. The download link can be retrieved as always by querying one's license status.

What's new in v19.3 Preview 1?

* If the file header signature search in volumes with a supported file system other than Ext2/Ext3 finds the start of a file in free space, at a cluster boundary, the data is now by default assumed to flow around potentially following clusters that are marked by the file system as in use. This will correctly reconstruct files that were created after and stored around other files and then deleted, as long as the released clusters were not re-used and overwritten afterwards. To prevent file carving purely in free space this way, i.e. to make it work as in previous versions, you can UNcheck the new option "Carve files in free clusters around used clusters". This option takes effect only at the moment when files are added to the volume snapshot, not retroactively for files that were added previously. Carved files purely in free space retain the storage location that was assumed when they were added to the volume snapshot even if the option is changed afterwards. However, older versions of X-Ways Forensics will not understand that certain files are assumed to flow around allocated clusters and thus would present them as contiguous files as usually when they work with the same volume snapshot.

* Tools | Disk Tools | File Recovery by Type offers the same cluster assignment logic.

* If the file carving definition has the strong greedy flag ("G"), after carving a file that flows around allocated clusters, the file header signature search will only skip first fragment of the carved file. The "h" flag for header exclusion prevents the new carving method from being applied to the affected file types.

* The same logic to skip in-use clusters is now by default also applied to deleted files in volume snapshots of FAT12, FAT16, FAT32, and exFAT file systems, if not disabled in Options | Volume Snapshot. That means that data of deleted files is now not necessarily assumed to be contiguous any more, but assumed to occupy as many free clusters from the start cluster number as are necessary to accommodate the known file size, while skipping clusters that are marked as in use by existing files. If the end of the volume is reached that way, the next free clusters are taken from the start of the volume, replicating the built-in logic of typical FAT32 file system drivers to rotate through the volume on the search for allocatable clusters. As this volume snapshot option retroactively changes the assumption about the storage location of files that are already contained in the volume snapshot, changing this option will also cause hash values to change if they are re-computed.

* The volume snapshot options are now more clearly structured, split into file system specific settings and file system independent settings.

* The "List Clusters" command in the directory browser context menu has been revised. It can now be applied to some more "exotic" objects that it could not deal with before, such as certain embedded files, certain file system area files, and carved files. It automatically outputs sector instead of cluster numbers for any objects that are not aligned at cluster boundaries. It outputs the total number of clusters or sectors even if contiguous series of clusters are represented in the optional compact fashion. If exported to a text file, the cluster list is automatically opened in the user's preferred text editor. The effects of the aforementioned new cluster assignment logic options are visible in newly populated cluster lists.

* Significantly improved ability to recover deleted files and directories in FAT32 volumes (ability to get the start location right, in newly taken volume snapshots only).

* In the properties of evidence objects with a FAT file system you can now optionally define which time zone the local timestamps in that file systems are based on, if you have an opinion about that. That time zone depends on the settings of the computer or device that wrote to the file system. (Keep in mind that those settings may have changed over time and thus a single time zone may not be adequate to get all timestamps right.) If you define the time zone reference, file system level timestamps are presented according to the selected display time zone and not in their original local time any more. They are internally converted from local time to UTC (based on your time zone reference) and then from UTC to the display time zone, at the moment when the timestamps are displayed. The effect is not permanent, the reference time zone settings can be changed at any time. The definition of a time zone reference is lost if you open a case in versions older than v19.3.

* When copying files from FAT file systems to an evidence file container, file system level timestamps of these files are usually marked in the container as based on an unknown local time zone so that they will not be time zone adjusted when reviewing the container in the future. If however you are certain about the original time zone and define the time zone reference for the source evidence object, the timestamps are converted to UTC within the container based on the reference time zone and marked in the container as timestamps in UTC, permanently. In that state the timestamps later will be adjusted according to the selected display time zone, even if you change your mind and change the reference time zone in the source evidence object. The evidence file container is self-contained and separate from the source evidence object once files have been copied.

* Display of internal creation timestamps in the "Content created" column with millisecond precision, where available.

* The timezone conversion hints after timestamps in the directory browser (the number of hours that have been added to or subtracted from UTC) are now included in tooltips for these cells.

* Consistency of timestamp notation and Unicode capability of timestamp notation improved in a few places in the GUI and in the case report/log.

* X-Tension API: The XWF_GetItemType function now allows to find out the detected file format consistency for a file.

* X-Tensions API: The XWF_ShouldStop function now does not only check whether the user wishes to abort lengthy operations, it also helps to keep the GUI responsive when the X-Tension is not executed in a separate worker thread. Calling this function regularly will process mouse and keyboard input, allow the windows to redraw etc. The user realizes that the application is not hanging, and potential attempts of the user to close the progress indicator window will be noticed. Even if you ignore the result of this function call during lengthy operations conducted by your X-Tension, you are doing something good already by making the calls in the first place.

* FlexFilters are now optionally case-sensitive. Case-sensitive operations are always faster and should be used for performance reasons unless you require otherwise.

* Uncovers embedded data from some more .vcf files.

* Byte-wise checksum computation for multi-byte accumulators as was the standard in v18.9 and earlier is now an option in Options | Security. The newer variant is to compute multi-byte checksums by adding units that are equivalent in size to the accumulator itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real life applications.

* Recover/Copy: Ability to specify the name of the log file if the file is created in the output directory. Useful if you run multiple Recover/Copy operations specifically for different purposes, to produce one separate log file for each output.

* Ability to index words that contain characters with special GREP meaning, such as #.?()[]{}\*, without masking them, both with the "range:" prefix and without.

* Larger font in the text column display for UTF-16 for better readability, especially of Chinese characters.

* Avoided some rare graphical artifacts in the text column display for code pages with a variable number of bytes per character.

* Manual relocation or resize operations on search hits through the context menu may now exceed 32,767 bytes (up to 2,147,483,647 supported in both directions).

* The size of a carved file can now be set manually as an absolute number instead of as an adjustment to the previous size (through the directory browser context menu). The maximum size supported by this operation is 4,294,967,295 bytes.

* More complete representation of the logical memory address space of 64-bit processes.

* File mode now offers a "raw" submode for NTFS-compressed files. In Raw mode you can actually see the compressed data as well as the sparse clusters, not the decompressed state of the file. This is useful for research or educational purposes and because theoretically small amounts of data could have been manually hidden in the not clearly defined, but implicitly existing slack area of each compression unit, which follows the compressed payload data.

* Text representations of dialog windows now by default omit unselected list box items and unchecked check boxes and radio buttons. This is a new option in the special menu that you get when you click the small unlabeled button in the upper left corner of a dialog window. It also affects the textual summary of active filters.

* Export List: The search hit context size units now correctly designated as characters instead of bytes.

* Ability to open spanned LVM2 volumes if the other disk is missing. Available data will be incomplete, but potentially still very helpful.

* Checking the passwords in the password collection provided for file archive exploration is now more thorough, avoiding some rare false password matches.

* As the number of years represented in Calendar mode is limited, garbage timestamps in the far past can keep you from seeing the years that you are interested in if you don't set a filter or don't delete events with garbage timetamps. A new option now allows to set the minimum year that will be represented by the calendar. Any timestamps in earlier years will be disregarded by the calendar even if no filter is active. By default, the minimum year is the year 2000. To change it, click the number of the first year on the left in Calendar mode.

* More tolerant to corruption in internal metadata storage files.

* Category pop-up menu statistics are retained when activating the filter.

* The blue funnel symbol on both sides of the caption line of the directory browser is now always present when filters are active, even if the filters do not actually filter out any items.

* Details mode for JPEG files now shows an additional table at the bottom. This table contains the generator signature as well as the "condition" of the file, which may be "incomplete" (if the file was truncated) or "trailing data" (if surplus data was appended to the JPEG data) or in some cases "original" (if the file is believed with great certainty to be in a pristine, unaltered state). "Original" is based on the presence of thumbnails, the absence of color correction certificates, the absence of unoriginal metadata such as XMP, based on timestamps, based on artifacts left behind by known editing software, and on whether a resize operation is detected.

* Improved detection of scanned images. The model designations of known scanning devices can be manually extended in the section "KnownScanner" of "Generator Signatures.txt". Identification by model name can help to identify scanned images if they contain Exif data or were edited. Generally the detection as scanned images is based on 1) generator signature, 2) generic properties of the Exif metadata (FileSource, Density, ...) and 3) the KnownScanner list.

* Improved detection of screenshots in JPEG format.

* Recognition of JPEG files produced by Twitter through their generator signature.

* Prefix "Reporting::" inserted in generator signature definitions for easier filtering for the category reporting/records.

* Carving method ~109 implemented for Blu-ray videos.

* Ability to open an evidence object that is a directory even if that directory does not exist any more, to be able to at least check out the volume snapshot again, using the command "Open (without disk/image)".

* Dedicated icon for evidence file containers in the Case Data window.

* Italian translation updated.

* Several minor improvements, several internal optimizations, and some fixes of minor errors.
Top of pagePrevious messageNext messageBottom of page Link to this message

Michael Felber
Username: michaelfelber

Registered: N/A
Posted on Friday, May 5, 2017 - 8:17:   

Chapeau! Now XWF is the only forensic tool in the world that is able to use two algorithms of reconstructing the cluster chain of deleted FAT-files. In some cases the older "straight" logic may be right but the new one is much more near the way a file system driver does.
Do you remember ?EMF2B08.TMP from Ripper XW.e01? Now this deleted picture flowing around allocated clusters will be automatically reconstructed.
Regards!
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, May 6, 2017 - 19:10:   

Preview 2:

* The Info window is now called Output window, as that more precisely describes its purpose. And it now gets its own screen coordinates and a centered position initially, and its coordinates are remembered separately from those of the Messages window, as otherwise some users seem to completely overlook that window, and they even contact us when they don't see the output that they expect, although it's visible on their screens.

* Option to unload the hash database if loaded at the moment when all data windows are closed (the moment when the last open data window is closed), to save main memory or to specifically allow other concurrent users or instances to change the hash database.

* Some minor improvements.

* Same fix level as v19.2 SR-4.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 10, 2017 - 12:43:   

Preview 3:

* New menu command available to collapse the entire case tree when right-clicking the case title.

* Ability to set the alternative name of a file by holding the Shift key when renaming it (at the moment when clicking the OK button).

* Some fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 19, 2017 - 14:14:   

Beta SYMOE:

* There is a new, powerful option to define up to 10 custom keyboard shortcuts for commands in the directory browser context menu, to be found in Options | Directory Browser. Currently available only in X-Ways Forensics. It's meant to increase your productivity when performing your most frequently used activities. Only key combinations that involve the Ctrl key or the Alt Gr key are supported. The second key can be relatively freely defined by just pressing it when the grayed out edit box has the input focus. In case no human-readable description of the selected key is provided and you later forget what key you had defined, you can check out this list of hexadecimal key codes: www.goo.gl/RuAXvi

The following ~80 menu command codes can theoretically be used (not all tested) and have to be entered as a number:

9800: View with external viewer program #1
9801: View with external viewer program #2
9802: View with external viewer program #3
...
9831: View with external viewer program #32

9919: Define file type
9920: Go to related file
9921: Refine volume snapshot for selected files
9927: Run X-Tension on selected files
9928: Attach external file
9931: Edit metadata
9932: See this file in its directory
9933: See this file from volume root
9934: Find parent object
9935: Logical search within selected files
9937: Attach external directory
9938: Erase securely
9939: Leave search hit list for specific directory
9940: Delete duplicate search hits in list
9941: Select excluded items
9942: Edit comment
9944: Include
9945: Select tagged items
9946: Exclude all except tagged items
9947: Hide tagged items
9948: Add to evidence file container OR skeleton image if active in the background
9949: Resize search hit
9950: Convert search hit to carved file
9951: Resize carved and virtual files
9952: Assign search hit to other search term
9953: Extract consecutive video frames
9954: Include search hit in report
9955: Mount as drive letter (makes sense only if a directory is selected, and only one)
9956: Watch with preferred video player
9957: View with preferred HTML viewer
9958: View with preferred text editor
9959: Execute/open in associated external program
9960: Select viewed items
9961: View with to-be-selected external program
9962: Remove duplicates based on hash
9963: Seek item based on int. ID
9964: Sort by relevance
9965: Print
9966: Seek item based on list item number
9967: Sort by nothing
9968: Select all
9969: Filter by the selected file's hash value (to find duplicates)
9971: Explore
9972: Mark search hit as notable
9973: Open
9974: Navigate to defining data structure
9975: Export list
9976: List clusters
9977: Recover/copy
9978: Explore/view
9979: Invert selection
9980: Include in hash database

You may notice a few suspicious gaps in between the incrementing numbers. The missing numbers are either unassigned or discouraged to invoke or simply don't make much sense to define as a keyboard shortcut. As an example for the latter, 9929 will delete selected search hits or events, something that can of course be accomplished already by pressing the Del key. This information should reduce your urge to randomly try numbers not listed here, although who knows whether one undocumented number might trigger a secret "Find all evidence" command (computer says no).

Please note that even without defining any such keyboard shortcut you can reach all directory browser context menu commands purely with the keyboard by pressing the context menu key. (Usually to be found between the right-hand Windows key and the right-hand Ctrl key.) Some menu commands already have a predefined keyboard shortcut. For example the Enter key is the same as a double click (either View or Explore, depending on your settings). The multiplication key of numeric keypad triggers the Explore command. Del means Exclude. Ctrl+Del resets files to the "still to be processed by volume snapshot refinement" state and undoes some refinement operations. Ctrl+Shift+Del removes hash set matches, hash category, and PhotoDNA categorization. Ctrl+Caps Lock+Del removes the "file contents unknown" flag from a file. (Useful for example if because of temporary I/O problems X-Ways Forensics marked files that way although generally the files can be read just fine.) Ctrl+C copies the selected items into the clipboard using special settings of the Export List dialog window.

* The user-defined keyboard shortcuts should be able to invoke practically all commands from the main menu as well, and even if parts of the user interface other than the directory browser have the input focus. If the command code of a menu command changes in a future version, X-Ways Forensics will ensure that any keyboard shortcut targeting that code will automatically become inactive, to prevent accidental misuse. To find out the command codes of commands in the main menu (also called IDs of menu items), you can open the main executable file in a so-called resource editor and have a look at the menu resource in your preferred language. A highly recommendable light-weight example of such a tool is "Pelles C for Windows", which also happens to be a fine C compiler and complete development kit suitable for creating X-Tensions. Keyboard shortcuts for main menu commands should be less important than for directory browser context menu commands because the main menu already has many dedicated keyboard shortcuts predefined, or even if not can be reached without taking one's hands off the keyboard starting with the Alt key. To give you some ideas about useful applications, FYI the command code to toggle between recursive and non-recursive exploration is 122, and the command code to take a new volume snapshot is 109. With all these possibilities you can hopefully stick with your keyboard and sell your mouse on eBay, hence this beta release is dubbed the SYMOE release.

* New command line parameter "Cfg:", which determines the name of the configuration file from which X-Ways Forensics will read during start-up and to which it will write when terminating, in situations when you need to use an alternative configuration (not the one stored in the main WinHex.cfg file). For example useful if for automated processing you need different settings than for manual execution, with specific volume snapshot refinement operations selected or to avoid the prompt whether a second instance should be started. Such a parameter looks like "Cfg:My other settings.cfg". The quotation marks are required only if the name contains spaces. The maximum length of the name is 31 characters. Only ANSI/ASCII characters supported currently.

* The command line parameter AddImage can now be used to add multiple image files to the case at the same time, with an asterisk in the filename, such as "AddImage:Z:\My Images\*.e01".

* The X-Tension function XWF_CreateEvObj can now add multiple image files to the case with a single function call.

* Reduced the number of false positives when scanning for lost Ext3/Ext4 partitions.

* For UserAssists program executions the event description column now has the plain text description after ROT13 decoding.

* RAR hybrid files now automatically receive a child object named "Trailing data" so that no manual effort is required any more to access the hidden data.

* Ability to interpret image files in TAR archive as disks without having to copy/extract them out. Very handy for VMDK virtual machine disks within OVA files (open virtualization archives in TAR format).

* Ability to run the simple search functions (Find Text, Find Hex Values) with the "List search hits" option in File mode even in evidence objects. The search hits will be collected in the General Position Manager.

* Search hits in the General Position Manager are now optionally deleted as soon as the General Position Manager is closed, to avoid confusion as positions in the General Position Manager have no reference to a particular file or disk and are intentionally applied to whatever data source is active when invoked. The option can be found in the Position Manager's context menu.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 19, 2017 - 16:26:   

Now also available to BYOD users.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 22, 2017 - 8:28:   

Beta 2:

* Now up to 20 custom keyboard shortcuts can be defined.

* Keyboard shortcuts can now be loaded from and saved to a .dlg file for sharing and backup purposes.

* Shift and Space are now supported base keys for keyboard shortcuts, in addition to Alt Gr and Ctrl. Please note that if you use the Space key for any keyboard shortcut, you cannot use it any more to tag or untag items.

* New command codes defined for filters:

9700: Name
9701: Type
9702: Type status
9703: Category
9704: Size
9705: Path
9706: Sender
9707: Recipients
9708: Timestamp
9709: Attr
9710: Hash 1
9711: Hash set
9712: Hash category
9713: Report table
9714: Comment
9715: Metadata
9716: Analysis
9717: Pixels
9718: Int. ID
9719: Unique ID
9720: Search terms
9721: Owner
9722: Parent name
9723: Child objects
9724: ID
9725: Author
9726: Search hit description
9727: Event timestamp
9728: Event type
9729: Event description
9730: Search hit
9731: First sector
9732: Description
9733: Hash 2
9734: Full path
9735: Flex filter 1
9736: Flex filter 2

The order is the historical order in which filters were introduced.

* Command codes for the Mode buttons and related buttons:

122: Toggle recursive exploration
138: Open Access button popup menu
172: Toggle Directory Browser
186: Toggle Position Manager
223: Toggle Search Hit List
224: Toggle Event Hit List
225: Enable Disk/Partition/Volume/Container mode
226: Enable/Disable File mode
227: Enable/Disable Preview mode
228: Enable/Disable Details mode
229: Enable/Disable Gallery mode
230: Enable/Disable Calendar mode
231: Enable/Disable Legend mode
232: Toggle Sync mode
249: Toggle Raw preview mode
250: Toggle Viewer X-Tension preview mode

* Keyboard shortcuts for switching modes are now predefined (Shift + F1...F7 keys).

* The command to view the selected file with another selected program now invokes the standard Windows dialog to pick such an external program.

* PDF metadata extraction revised.

* Detection of scanned PDF documents further improved.

* Google Analytics signature moved from the "Special Interest" category to "Internet", as it has proven to be quite worthwhile to collect web surfing events.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 26, 2017 - 7:54:   

Beta 3:

* The Data Interpreter and also templates can now display and edit FILETIME timestamps with a precision of milliseconds, depending on the settings in Options | Notation.

* There is a new volume snapshot option that causes X-Ways Forensics to read known uninitialized portions at the end of a file (valid data length < logical file size) as binary zeroes instead of as whatever data is stored in the clusters allocated. This mimics the behavior of Windows when ordinary applications open files through the operating system instead of reading the contents of the file directly from the sectors in the volume. Useful for example to achieve hash compatibility with such applications. This new option does not apply to read operations for logical searches, so that logical searches remain forensically thorough and clusters allocated to uninitialized portions of files are still searched. This option has an immediate effect even on already opened files, for the next read operation.

* The whole words only option of the Simultaneous Search works with a user-defined alphabet of characters of which words are composed, in order to identify what a word is and where its boundaries are. In previous versions, only an alphabet of characters from the Latin 1 code page was supported (for all Western European languages). Now an additional alphabet can be defined for letters of certain other languages. If activated, it is used for searches in UTF-16 and searches in regional ANSI/OEM/IBM/ISO/Mac code pages with only 1 byte character such as for Cyrillic, Greek, Turkish, Arabic, Hebrew, Vietnamese, and various Central/Eastern/South Eastern European languages. The Cyrillic alphabet is predefined.

* Some minor improvements.

* Same fix level as v19.2 SR-5.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 9, 2017 - 21:17:   

Beta 4:

* Ability to extract metadata from some new PDF format variants.

* Improved detection of PDF documents are scans or as documents for reporting/record purposes (try to search for "Reporting::" with the Metadata filter).

* Carved files are now identified as such not only by the Description column, but also by their icons, with by default either a stylized C (Windows 7) or a hammer (Windows 10, unavailable in Windows 7). The exact character can be entered in the Options | Notation dialog. Hopefully that way some users will no longer find it necessary to name all carved files with a prefix like "Carved_".

* The information that a file was originally a carved file is now preserved in evidence file containers and shown in the Description column and icon even for files within containers.

* The special file icon for pictures now by default no longer gets symbols like question marks, arrows, scissors, hammers, etc. superimposed, which is easier on the eye. You can still tell the exact deletion status from the Description column, and the rough deletion/existence status is still obvious from the contrast of the icon. However, if the box for this option is half checked, the icon is displayed as in previous versions, with full details.

* The Technical Details Report now has an option to show a byte-swapped version of hard disk serial numbers in addition to the serial number reported through the operating system, when in doubt. Some users of certain interfering hardware write blockers may find that useful.

* Fixed a rare exception error that could occur with password-protected RAR archives. Fixed another rare exception error in conjunction with file archive handling.

* New X-Tensions API function XWF_GetHashSetAssocs. Retrieves the name(s) of the hash set(s) that the specified file is associated with.

* Same fix level as v19.2 SR-6.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 14, 2017 - 13:10:   

v19.3 was just released.

Additional changes since Beta 4:

* Whether the viewer component or the internal graphics viewing library should be used for pictures is now remembered by X-Ways Forensics separately for Preview mode and the View command. For the View command the behavior can be changed in Options | Viewer Programs.

* When not allowing to view multiple pictures at the same time with the View command and the internal graphics viewing library, a new "Auto update" option is now available in Options | Viewer Programs, which will refresh the View window for a picture immediately when a new picture is selected in the directory browser, one way or the other, for example with a single mouse click or when advancing to the next file after defining a report table association. This behavior was previously limited to the arrow keys in the gallery. It should be useful mainly for work with multiple monitors.

* Different e-mail recipient groups (To:, Cc:, and Bcc:, if present) are now more clearly separated from each other in the Recipients column and the alternative .eml presentation.

* Cc: and Bcc: recipients are now separated from To: recipients in the Recipients column for MSG e-mail files as well.

* Timestamps of files in OS directory listings and remote network drives are now displayed with higher precision.

* Text in message boxes that usually need to be clicked away by the user is now redirected to the Messages window while processing the command line parameters "AddImage" and "RVS". Dialog boxes, if any, would still pop up normally.

* The "AddImage" command line parameter now supports optional sub-parameters to force interpretation of an image as either a physical, partitioned medium (P) or a logical volume (V) and to force interpretation with a certain sector size, where the sector size is optional, e.g.

AddImage:#P#Z:\Images\*.dd
AddImage:#P,4096#Z:\Images\*.dd

If you do not specify these sub-parameters, a dialog window might pop up to ask the user for this input, but only in some very rare cases, only it not obvious to X-Ways Forensics from the data in the first few sectors what kind of image it is and if the image was not created by X-Ways Forensics or X-Ways Imager and if the image is in raw format. Only if all three conditions are met at the same time plus you do not specify the sub-parameters, the dialog window will pop up and interrupt automatic processing.

* The program help and user manual were updated for v19.3.
Top of pagePrevious messageNext messageBottom of page Link to this message

Eugene
Username: eugene_777

Registered: N/A
Posted on Wednesday, Jun 14, 2017 - 14:20:   

"The whole words only option of the Simultaneous Search works with a user-defined alphabet of characters of which words are composed, in order to identify what a word is and where its boundaries are. In previous versions, only an alphabet of characters from the Latin 1 code page was supported (for all Western European languages). Now an additional alphabet can be defined for letters of certain other languages. If activated, it is used for searches in UTF-16 and searches in regional ANSI/OEM/IBM/ISO/Mac code pages with only 1 byte character such as for Cyrillic, Greek, Turkish, Arabic, Hebrew, Vietnamese, and various Central/Eastern/South Eastern European languages. The Cyrillic alphabet is predefined. "

Thank you that include this function in the program. It`s very useful and necessary for me.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 25, 2017 - 21:00:   

SR-1:

* Fixed an exception error that could occur when Canon zoom browser Thumbnail.info files were processed.

* RVS processing of files that are embedded in other files was not always completely done. That was fixed.

* Ability to detect newer versions of Wine under Linux as the operating system.

* Some improvements for execution in Wine under Linux.

* Prevented division by zero exception in v19.3 when running a file header signature search in uninterpreted lose files.

* Fixed an exception error that could occur with certain settings when producing thumbnails of non-picture files for the report.

* More debug information output for certain errors.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

W. Spiegl
Username: ws

Registered: N/A
Posted on Sunday, Jun 25, 2017 - 21:32:   

* Ability to detect newer versions of Wine under Linux as the operating system.
* Some improvements for execution in Wine under Linux.

Just to be sure if I have understood this correct: XWF can run - under certain conditions - with Linux / Wine now? If yes: Which Linux / Wine versions are tested?
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 26, 2017 - 10:01:   

As far as I can tell, it has always been possible to run the executable files of WinHex, X-Ways Forensics and X-Ways Investigator in Wine. But that does not necessarily mean that the programs are suitable for reasonable use and fully functional in Wine or that Wine is an officially supported platform. Which operating systems are officially supported platforms can be seen in the program help and user manual. Linux+Wine has not been added.

The ability of the programs to detect Wine as the environment in order to adjust their behavior in certain areas (for example text display) had been lost some time during the past 10 years due to changes in Wine. This ability has been restored now.

Only some copy protection methods work in Wine. USB dongles cannot be found by the program in Wine, unfortunately.

Some testing has been done on ArchLinux and Debian with the current version of Wine, but there will probably be little difference e.g. on Ubuntu or Mint.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 4, 2017 - 19:58:   

SR-2:

* More generator signatures defined.

* Ability to add images to an existing case through the command line. The first parameter for that is the path of the .xfc case file, and the next parameter is the usual AddImage command.

* The program no longer suggests to subscribe to the newsletter if run with command line parameters.

* Fixed an error that could occur in v19.3 when carving files in Ext2/Ext3 volumes.

* Some document excerpts were not extracted from the Windows.edb database correctly any more. That was fixed.

* Some minor fixes and improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 5, 2017 - 11:55:   

The network dongle package has been updated.

* The readme file by X-Ways now contains a hint that specifying the IP address of the machine with the network dongle is probably a must if that machine is on a different subnet.

* A tool named NrMon.exe is now included that was designed by the manufacturer to monitor the activities of all NetROCKEY4ND devices on the network.

* Some plain-text excerpts from the manufacturer's user's guide about the .ini files, the service programs and the monitor program are now included (without the screenshots).
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 5, 2017 - 19:50:   

Apparently not everyone is aware of this: Download URLs have been provided already to anyone who is eligible when purchasing or upgrading licenses, and they usually remain the same for many years or forever, and when needed can be retrieved again within a few seconds by querying one's license status at http://www.x-ways.net/winhex/license.html, as promised every so often.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 10, 2017 - 7:22:   

SR-3:

* Fixed potential error messages about failing to write into a file when processing SQLite databases.

* Fixed "... is an invalid character" error message during the particularly thorough file system data structure search in NTFS volumes in v19.3 for users with special regionally preferred digit grouping characters such as a non-breaking space.

* In v19.3, particularly thorough file system data structure searches for FILE records failed with an exception error on volumes whose treatment as NTFS the user had to force for example because they were reformatted with another file system. That was fixed.

* The internal marking of carved files changes with this service release, for future compatibility with v19.4, so older versions or releases will not describe carved files as carved files when they load volume snapshots previously opened or created by this release.

* X-Tension API: XWF_GetItemInformation with XWF_ITEM_INFO_DELETION now returns 5 instead 1 for carved files.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jul 15, 2017 - 6:00:   

SR-4:

* Ability to open Linux block devices with Tools | Open Disk under Wine. Internally this requires interpretation of the files as disks, just like with raw image files, and thus works only in WinHex with a specialist license, WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. The device storage capacity is determined automatically, the sector size not necessarily.

* Creating report table associations based on matching hash sets did not work on multiple files in v19.3 if no second hash database existed. That was fixed.

* Fixed an exception error that could occur when processing TAR archives.

* The investigator.ini file had no effect in X-Ways Investigator v19.2 and v19.3. That was fixed.

* Improved stability when handling certain picture files.

* Improved ability to display GIF pictures with special header extensions.

* Prevented a handle leak in message boxes resulting from an error in Windows API functions that deal with icons.

* Some minor improvements.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 24, 2017 - 7:32:   

SR-5:

* The preview of an SQLite database file now reliably shows the human readable representation in HTML format, if available, instead of potentially one of the other child object of that database.

* More reliable identification of Skype chat databases for adequate processing.

* Superimposition now has an effect on a partition again if the superimposition was applied to that partition directly instead of to the disk from within which the partition has been opened.

* Under very specific circumstances, files stored in Ext4 file systems were opened as corrupted despite being intact. The areas affected would have been displayed as sequences of binary zeroes. This was fixed.

* Simultaneous search: GREP set syntax (square brackets) now works in conjunction with the "MS Outlook cipher based on UTF-16" code page.

* In HFS+ volumes with many extended attributes not all of them were parsed. That was fixed.

* Fixed an infinite loop that could occur when parsing certain decompressed hiberfil.sys files.

* Fixed an error that could occur in v19.3 when splitting up report tables in the case report into multiple HTML file segments.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 10, 2017 - 5:36:   

SR-6:

* Ability to extract files from GZ archives that are larger than 4 GB.

* Fixed an exception error and instability that could occur with corrupt PST files.

* Fixed a problem with EDB processing.

* Some minor improvements and fixes.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 29, 2017 - 5:18:   

SR-7:

* Removed size limitation for file carving within files.

* Prevented filename conflicts and potential loss of report table associations in shared analysis work mode.

* Deactivating the FlexFilters after they were both active and combined with a logical OR rendered filtering non-functional. That was fixed.

* Fixed an error in conversion from binary to Intel Hex and Motorola S format that existed since v18.9.

* Internal functioning of the Tools | Compare command improved.

* Ability to fully decompress some compressed files in HFS+ that could not be fully decompressed previously.
Top of pagePrevious messageNext messageBottom of page Link to this message

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 11, 2017 - 6:23:   

SR-8:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.3. Available to these users on request for a limited time.

* The file header signature search in v19.3 (only v19.3) produced some rare files that were shown without known size (blank cell in the Size column) which open with no data. That was fixed. To set the presumed size of carved files manually, you can employ the Resize command in the directory browser context menu.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.