Posted on Monday, Jul 10, 2017 - 7:35:
A preview version of X-Ways Forensics 19.4 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.4 Preview 1?
* File carving, file type verification and tentative e-mail extraction support for Outlook 11 and Outlook 14 for Mac.
* Metadata extraction revised for MS Word documents. The content created timestamp is now provided for more files than before. There are two new metadata fields called "Format version" and "Generator". The generator is not necessarily MS Word itself, but could be Open Office. "Product created" is now output with a 2-digit year so that it is easier to recognize as a timestamp.
* "Content created" timestamps can now be provided for some more PDF documents as some more special coding variants are now supported.
* More thorough extraction of messages from certain Skype databases. The presentation of the conversation was simplified and duplicate information removed. The individual conversations in the chat files are now listed in one consecutive table with highlighted indicators when each conversation started or ended. This improvement will also be retroactively applied to v19.3 and v19.0 with those versions' respective next service releases.
* Sorting by full path now ensures the correct hierarchical order with child objects following their respective parent objects even if some parent files or directories or e-mail messages have the exact same name.
* When exporting a list of files or directories along with their child objects sorted by full path, so that child objects directly follow their respective parents, in TSV or HTML format, a new option called "Indention" allows indenting the names of the child objects so that it is easy to see in the output which objects are child objects of which other objects even when not looking at or when not even including the potentially very long full path as an additional column.
* The Recover/Copy command now optionally allows naming output files not only after their unique IDs, but after any other column in the directory browser, such as hash value, ID, comment, offset in the file system etc. etc. Such metadata information can also be prepended or appended to the name, which for example could be useful to do with alternative name, existence status, report table, timestamps, author, sender, description, attributes, analysis result, hash set, ... If the cell text consists of multiple lines (e.g. comments or metadata column), only the first line is used.
* When files are copied to include them in the case report, they can now be named not only after their original name or unique ID, but also after hash values and various other more or less unique properties. If those happen to be blank, the original name will be used.
* Ability to decompress "WofCompressed" executable files as compressed by the CompactOS feature of Windows 10, with WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. Such files are recognized as WofCompressed by X-Ways Forensics since v19.1 and marked in the Attr. column with P and ~.
* Ability to view or preview certain password-protected documents if the password is available. Only certain encryption variants of Microsoft Office and PDF documents, Microsoft Outlook PST 97-2013, and Zip files are supported. When previewing such a file, the password will be taken from the Metadata cell of that file (if available from there in a line that starts with "Password: ") or otherwise all passwords from the currently active case's password collection will be tried automatically. If one of the passwords from the password collection matches, it will be remembered in the Metadata cell of the file for future re-use and the user's information. When viewing such a file, if no matching password is found, the user will be additionally prompted for the password repeatedly until he or she provides the correct password or gives up (clicks Cancel).
* The file format specific encryption test now automatically tries the passwords in the current case's password collection with such files as well and remembers the matching password, if any, in the file's Metadata cell.
* Carved files can now be filtered with the Description column filter as a special kind of previously existing files, which should be more logical and internally slightly faster.
* The file mask for "Use associated program for viewing..." now takes precedence over the internal graphics display library and (if it's a video) even the specified preferred video player (which may be different from the program associated with a particular video file type).
* Ctrl+Alt is identified as different from Alt Gr and can now be selected as a base key combination for user-defined keyboard shortcuts.
* The X-Tension API function XWF_OutputMessage now has a flag that allows outputting the message to the case log instead of the Messages window.
Posted on Saturday, Jul 15, 2017 - 6:26:
* Several more columns of the directory browser are now offered for grouping in the Recover/Copy command, such as Evidence object, Analysis, Dimensions, Comments, Sender, Recipients, and many others. Please note that grouping by evidence object has always been possible when recovering files from the case root with a partial path, long before the special grouping option was introduced, but that possibility, although available and documented from day one, has been overlooked by some users, even when they asked and were explicitly told about it, and it has now been removed (now only when recovering files from the case root with a full path).
* It is now possible to limit the Recover/Copy grouping directory name to a certain number of characters. That could be very useful for example in order to group files by year (the first four characters in creation or modification timestamps, given suitable notation settings) or simply to split up a huge number of output files into roughly equally large subdirectories (with the first one or two characters of the hash value, for 16 or 256 such subdirectories), based on the law of large numbers, or simply to reduce the risk of overlong paths.
* Several minor improvements.
* Same fix level as v19.3 SR-4.
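The naming and grouping rules described in the two Recover/Copy items above (name after a column such as the hash value, fall back to the original name when the cell is blank, use only the first line of multi-line cells, and cut the grouping directory to the first few characters to get 16 or 256 roughly equal buckets), as an added Python example that is not X-Ways code; the sample files, the `md5_hex` naming column and the `out` root are constructed assumptions:

```python
import hashlib
import os
from collections import Counter

# Constructed sample input: (unique ID, file content) pairs standing in for recovered files.
SAMPLE_FILES = [(i, f"recovered object {i}".encode()) for i in range(1, 201)]

def md5_hex(data: bytes) -> str:
    """Hash value of a file's content, usable as an output file name."""
    return hashlib.md5(data).hexdigest()

def cell_first_line(cell_text: str) -> str:
    """Multi-line cells (comments, metadata) contribute only their first line."""
    return cell_text.splitlines()[0] if cell_text else ""

def output_name(cell_text: str, original_name: str) -> str:
    """Name after the chosen column; fall back to the original name if the cell is blank."""
    return cell_first_line(cell_text) or original_name

def grouping_dir(cell_text: str, limit: int) -> str:
    """Group directory name cut to the first `limit` characters of the cell text,
    e.g. 4 characters of a timestamp give the year, 2 of a hash give 256 buckets."""
    return cell_first_line(cell_text)[:limit]

def output_path(root: str, data: bytes, original_name: str, limit: int) -> str:
    """<root>/<hash prefix>/<hash>: name after the hash value, group by hash prefix."""
    digest = md5_hex(data)
    return os.path.join(root, grouping_dir(digest, limit), output_name(digest, original_name))

def bucket_sizes(files, limit: int) -> Counter:
    """How many files land in each group directory for a given prefix length;
    with enough files the buckets end up roughly equally large."""
    return Counter(grouping_dir(md5_hex(data), limit) for _, data in files)

if __name__ == "__main__":
    for uid, data in SAMPLE_FILES[:3]:
        print(output_path("out", data, f"object{uid}.bin", 2))
    print(bucket_sizes(SAMPLE_FILES, 1))
```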
Posted on Monday, Jul 24, 2017 - 8:04:
* In NTFS volumes and in evidence file containers in raw format the "Erase securely" command in the directory browser context menu in WinHex (X-Ways Forensics only when running as WinHex) can now optionally also wipe the main file system level metadata / the defining file system data structures of selected files (in containers the only such metadata), in addition to the file contents. If you would like to do that, just check the new box "Initialize MFT records". This option has no effect on files in other file systems or files that are embedded in other files or carved files.
* In newly taken snapshots of Ext3* volumes, the vast majority of files that utilize sparse storage or that are only partially initialized are marked as such in the Attr. column immediately. Some very few files will be identified as such only once they have been opened for reading/searching/processing.
* Ext4: For files whose contents are not defined/initialized at the end, the valid data length of files is now displayed in File mode.
* The actually (but not officially) unused area at the end of the last block of a directory in Ext* file systems is now nicely highlighted like slack space in File mode, and once opened (for File mode or logical searches or whatever) the logical size of the directory will also be reflected in the volume snapshot (visible in the directory browser's Size column only if recursive selection statistics are disabled).
* "List directories when exploring recursively" is now a 3-state check box and by default half-checked. In that state directories are listed when exploring recursively only if a non-trivial filter is active (non-trivial = for more than just not excluded items) and when actually applying filters to directories, too. In this combination the user is potentially interested in directories because they may have certain timestamps or names etc. of interest, but in ordinary situations probably not, so this new middle state could be a very good compromise.
* Those few extended attributes in HFS+ that contain only short plain text are now output in the Metadata column instead of as child objects.
* Many hardlinked dir_* directories in .HFS+ Private Directory Data in HFS+ now point back to their first source as a so-called related item. This information is based on extended attributes of the "firstlink" type.
* The volume snapshot option "Include EA in snapshot" for extended attributes in HFS+ file systems has been revised and renamed to "Complete output of EA". By default, it is not checked. All extended attributes deemed relevant by X-Ways Forensics are still processed and output either in the Metadata column if they are textual in nature (that is new) or as file contents of resident or compressed files or as links to related directories, or as child objects that are marked in the Attr. column with (EA). If the new option is half selected, "firstlink" attributes and "quarantine" attributes are output in the Metadata column additionally. If the new option is fully checked, even empty binary PLists and ordinary "Security" attributes are output as child objects.
* Several minor improvements.
* Same fix level as v19.3 SR-5.
Posted on Monday, Jul 24, 2017 - 16:11:
* Some DLLs updated retroactively in Preview 3. Ability to process certain zip archives with a rare header signature variant (extended local header).
Posted on Thursday, Jul 27, 2017 - 8:40:
* Ability to extract files from GZ archives that are larger than 4 GB. (Will also be available in v19.3 SR-6.)
* X-Ways Forensics and WinHex Lab Edition now have a special highlighting feature for file header signatures, right in the hex display (X-Ways Forensics: Disk/Partition/Volume and File mode). The identification is done by matching the raw GREP-enabled expressions in "File Header Signatures Search *.txt" to every single offset in the currently visible page. The enhancing effect of the "~" algorithms, which can identify false negatives or further distinguish between different subtypes during file header signature searches, is not applied, though. This new feature can be enabled or disabled in Options | General, in the automatic coloring section on the right. If only half selected, signatures will only be searched and highlighted at sector boundaries. Generally this kind of highlighting will help you spot start positions of well known data/file types, even if embedded within one another, immediately, for example thumbnails in JPEG files, individual records in zip archives, TIFF signatures in Exif metadata, certificates in Windows Registry hives, etc. etc.
* New flag for file header signature definitions: "H" means that a definition is meant only for the new highlighting feature, not for regular file header signature searches or for file type verification. Such definitions only require three pieces of information: The keyword or GREP expression, the relative offset (typically 0) and the flag "H". The description at the start of the line is optional, but recommended because the color depends on the description, and for different descriptions you will likely see different colors. You could even create a dedicated text file, for example named "File Type Signatures Search Highlighting.txt", that defines various keywords or GREP expressions that you are always interested in and would like to get highlighted immediately in every case even before running appropriate searches. Also useful if you analyze or reverse-engineer file formats, where for example records do not have a fixed length (so that the record presentation option in WinHex is not applicable), but are identifiable by signatures.
* FILETIME highlighting is now separately selectable and not covered by the MFT FILE record auto coloring option any more.
* New flag for file header signature definitions: "A" means that a definition heavily depends on the associated algorithm (the one defined with the ~ character) and is too generic for identification without it.
* Grouping files and directories is now a 3-state check box and by default groups only when not exploring recursively, i.e. only when directories are needed for navigation and thus expected at the top of the list.
* 3-state check boxes now have the superscript 3 next to the box instead of after the text label, which looks more tidy.
* Users can now define their own tooltips for three types of control items (check boxes, radio buttons, and in future even drop-down boxes/combo boxes and ordinary push buttons except "OK", "Cancel", and "Help"). This is done by clicking such items with the Shift key pressed and can be useful for personal notes and ideas, so that you can describe and better remember your preferred settings for different situations and their meaning. The tooltip texts will be stored in a file named Tooltips.txt and can be shared with other users, for example within an organization to remind your colleagues of which settings should be used according to your defined standards. Tooltip texts are stored in Unicode, may be up to 510 characters long, and may contain line breaks for formatting purposes. You can tell that a user-defined tooltip is available for a control item if it has a gray asterisk on its left.
* The Technical Details Report for a physical disk with GPT partitioning now includes the unique partition GUIDs.
* Immediate effect when changing the setting for a case-specific temp directory.
* Some minor improvements.
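The signature highlighting described in the Jul 27 post above (GREP expressions tested at every offset of the visible page, or only at sector boundaries when the option is half selected, which is exactly what hides an embedded JPEG thumbnail or a TIFF header inside Exif data), as an added Python example that is not X-Ways code; the three-entry signature table, the 512-byte sector size and the sample page are constructed assumptions, not the real "File Header Signatures Search" definitions:

```python
import re

# Constructed signature table in the spirit of a "File Header Signatures Search" list:
# (description, GREP expression as a bytes regex, relative offset of the match from the header start).
SIGNATURES = [
    ("JPEG", rb"\xFF\xD8\xFF[\xE0\xE1\xDB]", 0),
    ("ZIP record", rb"PK\x03\x04", 0),
    ("TIFF (Exif)", rb"(II\x2A\x00|MM\x00\x2A)", 0),
]
SECTOR = 512  # assumed sector size for the half-selected (sector boundaries only) mode

def find_signatures(page: bytes, sector_boundaries_only: bool = False):
    """Return sorted (offset, description) pairs for every signature hit in the page.
    Each expression is wrapped in a lookahead so that every offset is tested, even
    where hits overlap; the half-selected mode keeps only hits on sector boundaries."""
    hits = []
    for desc, expr, rel in SIGNATURES:
        for m in re.finditer(b"(?=" + expr + b")", page):
            start = m.start() - rel        # header start, not just the matched bytes
            if start < 0:
                continue
            if sector_boundaries_only and start % SECTOR != 0:
                continue
            hits.append((start, desc))
    return sorted(hits)

def build_sample_page() -> bytes:
    """Constructed page: a JPEG with an Exif APP1 segment (TIFF header at offset 12)
    and an embedded thumbnail at offset 100, followed by a zip local header at 512."""
    page = bytearray(2 * SECTOR)
    page[0:12] = b"\xFF\xD8\xFF\xE1\x00\x80Exif\x00\x00"   # SOI + APP1 marker + "Exif\0\0"
    page[12:16] = b"II\x2A\x00"                            # little-endian TIFF header
    page[100:104] = b"\xFF\xD8\xFF\xDB"                    # thumbnail SOI inside APP1
    page[SECTOR:SECTOR + 4] = b"PK\x03\x04"                # zip local file header
    return bytes(page)

if __name__ == "__main__":
    print("every offset:    ", find_signatures(build_sample_page()))
    print("sector boundaries:", find_signatures(build_sample_page(), True))
```

With the full setting the thumbnail and the TIFF header are highlighted at offsets 100 and 12; the half-selected setting reports only the hits at offsets 0 and 512.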