X-Ways User Forum » Public Announcements » X-Ways Forensics 19.4
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 10, 2017 - 7:35:   

A preview version of X-Ways Forensics 19.4 is now available. The download link can be retrieved as always by querying one's license status.

What's new in v19.4 Preview 1?

* File carving, file type verification and tentative e-mail extraction support for Outlook 11 and Outlook 14 for Mac.

* Metadata extraction revised for MS Word documents. The content created timestamp is now provided for more files than before. There are two new metadata fields called "Format version" and "Generator". The generator is not necessarily MS Word itself, but could be Open Office. "Product created" is now output with a 2-digit year so that it is easier to recognize as a timestamp.

* "Content created" timestamps can now be provided for some more PDF documents as some more special coding variants are now supported.

* More thorough extraction of messages from certain Skype databases. The presentation of the conversation was simplified and duplicate information removed. The individual conversations in the chat files are now listed in one consecutive table with highlighted indicators when each conversation started or ended. This improvement will also be retroactively applied to v19.3 and v19.0 with those versions' respective next service releases.

* Sorting by full path now ensures the correct hierarchical order with child objects following their respective parent objects even if some parent files or directories or e-mail messages have the exact same name.

* When exporting a list of files or directories along with their child objects sorted by full path, so that child objects directly follow their respective parents, in TSV or HTML format, a new option called "Indention" allows you to indent the names of the child objects so that it is easy to see in the output which objects are child objects of which other objects, even when not looking at, or not even including, the potentially very long full path as an additional column.

* The Recover/Copy command now allows naming output files optionally not only after their unique IDs, but after any other column in the directory browser, such as hash value, ID, comment, offset in the file system etc. etc. Such metadata information can also be prepended or appended to the name, which for example could be useful to do with alternative name, existence status, report table, timestamps, author, sender, description, attributes, analysis result, hash set, ... If the cell text consists of multiple lines (e.g. comments or metadata column), only the first line is used. Backslashes in the path columns are automatically replaced with underscores. That allows naming a file after its complete original path.

* When files are copied to include them in the case report, they can now be named not only after their original name or unique ID, but also after hash values and various other more or less unique properties. If those happen to be blank, the original name will be used.

* Ability to decompress "WofCompressed" executable files as compressed by the CompactOS feature of Windows 10, with WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. Such files are recognized as WofCompressed by X-Ways Forensics since v19.1 and marked in the Attr. column with P and ~.

* Ability to view or preview certain password-protected documents if the password is available. Only certain encryption variants of Microsoft Office and PDF documents, Microsoft Outlook PST 97-2013, and Zip files are supported. When previewing such a file, the password will be taken from the Metadata cell of that file (if available from there in a line that starts with "Password: ") or otherwise all passwords from the currently active case's password collection will be tried automatically. If one of the passwords from the password collection matches, it will be remembered in the Metadata cell of the file for future re-use and the user's information. When viewing such a file, if no matching password is found, the user will be additionally prompted for the password repeatedly until he or she provides the correct password or gives up (clicks Cancel).

* The file format specific encryption test now automatically tries the passwords in the current case's password collection with such files as well and remembers the matching password, if any, in the file's Metadata cell.

* Carved files can now be filtered with the Description column filter as a special kind of previously existing files, which should be more logical and internally slightly faster.

* The file mask for "Use associated program for viewing..." now takes precedence over the internal graphics display library and (if it's a video) even the specified preferred video player (which may be different from the program associated with a particular video file type).

* Ctrl+Alt is identified as different from Alt Gr and can now be selected as a base key combination for user-defined keyboard shortcuts.

* The X-Tension API function XWF_OutputMessage now has a flag that allows the message to be output to the case log instead of the Messages window.
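The hierarchical ordering and the "Indention" export described in the two items above, as an added example that is not part of the original post and not X-Ways code: items are ordered by walking parent IDs rather than by comparing full-path strings, so two e-mail messages that share the exact same name keep their own attachments directly beneath them. The volume snapshot, the column names and the two-space indention string are constructed for illustration.

```python
"""Added example (not X-Ways code): order directory-browser items so that
every child object directly follows its parent even when several parents
share the same name, then emit a TSV export with indented child names."""
import csv
import io

# Constructed sample volume snapshot: (item_id, parent_id, name).
# Two e-mail messages carry the identical name "Re: invoice", each with its
# own attachment, so a sort keyed on the full-path string alone could
# interleave the two attachments.
SAMPLE_ITEMS = [
    (1, None, "Users"),
    (2, 1, "alice"),
    (3, 2, "mail.pst"),
    (4, 3, "Re: invoice"),
    (5, 4, "invoice.pdf"),
    (6, 3, "Re: invoice"),
    (7, 6, "invoice.pdf"),
    (8, 1, "bob"),
]


def hierarchical_order(items):
    """Return (item_id, depth, name) in depth-first order: a parent, then all
    of its children (sorted by name, ties broken by ID for determinism),
    recursively. Keying on parent IDs keeps same-named siblings apart."""
    by_parent = {}
    for item_id, parent_id, name in items:
        by_parent.setdefault(parent_id, []).append((name.lower(), item_id, name))
    for children in by_parent.values():
        children.sort()
    ordered = []

    def walk(parent_id, depth):
        for _, item_id, name in by_parent.get(parent_id, []):
            ordered.append((item_id, depth, name))
            walk(item_id, depth + 1)

    walk(None, 0)
    return ordered


def full_path(items, item_id):
    """Rebuild the backslash-separated full path of one item from its parents."""
    parents = {i: (p, n) for i, p, n in items}
    parts = []
    while item_id is not None:
        parent, name = parents[item_id]
        parts.append(name)
        item_id = parent
    return "\\" + "\\".join(reversed(parts))


def export_tsv(items, indent="  "):
    """TSV export in hierarchical order; the Name column is indented by depth
    so the parent/child relationship is visible without the Full path column."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(["ID", "Name", "Full path"])
    for item_id, depth, name in hierarchical_order(items):
        w.writerow([item_id, indent * depth + name, full_path(items, item_id)])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_tsv(SAMPLE_ITEMS))
```

Sorting on the path string would still work here only because "Re: invoice" sorts before nothing else of that name; with a third same-named message and attachments whose names sort differently, a string sort scatters the children, while the parent-ID walk never does.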
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Jul 15, 2017 - 6:26:   

Preview 2:

* Several more columns of the directory browser are now offered for grouping in the Recover/Copy command, such as Evidence object, Analysis, Dimensions, Comments, Sender, Recipients, and many others. Please note that grouping by evidence object has always been possible when recovering files from the case root with a partial path, long before the special grouping option was introduced, but that possibility, although available and documented from day one, has been overlooked by some users, even when they asked and were explicitly told about it, and it has now been removed (now only when recovering files from the case root with a full path).

* It is now possible to limit the Recover/Copy grouping directory name to a certain number of characters. That could be very useful for example in order to group files by year (the first four characters in creation or modification timestamps, given suitable notation settings) or simply to split up a huge number of output files into roughly equally large subdirectories (with the first one or two characters of the hash value, for 16 or 256 such subdirectories), based on the law of large numbers, or simply to reduce the risk of overlong paths.

* Several minor improvements.

* Same fix level as v19.3 SR-4.
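The naming and grouping behaviour described in Preview 1 (naming output files after a directory-browser column, first line only, backslashes replaced) and in Preview 2 above (grouping directories truncated to the first N characters of a column), as an added example that is not part of the original posts and not X-Ways code. The column values, the 4096 constructed files and the SHA-1 choice are assumptions for illustration; the point is that a hash prefix spreads files evenly over 16 or 256 subdirectories without anyone choosing the directories by hand.

```python
"""Added example (not X-Ways code): derive output file names and grouping
subdirectories from directory-browser cell text, the way the Recover/Copy
options described above do, and show how hash-prefix grouping balances out."""
import hashlib
from collections import Counter


def first_line(cell_text):
    """Only the first line of a multi-line cell (comments, metadata) is used."""
    lines = (cell_text or "").splitlines()
    return lines[0].strip() if lines else ""


def name_after_column(cell_text, original_name, prepend=None, append=None):
    """Name a recovered file after a column value; a blank cell falls back to
    the original name. Backslashes (path columns) become underscores so a
    complete original path fits into one file name. Optional metadata from
    other columns is prepended or appended."""
    base = first_line(cell_text).replace("\\", "_").lstrip("_") or original_name
    if prepend:
        base = f"{first_line(prepend)}_{base}"
    if append:
        base = f"{base}_{first_line(append)}"
    return base


def group_dir(cell_text, n_chars=None):
    """Grouping subdirectory = the (optionally truncated) column value."""
    value = first_line(cell_text)
    return value[:n_chars] if n_chars else value


def bucket_distribution(n_files, n_chars):
    """Simulate grouping n_files distinct files by the first n_chars hex
    digits of their SHA-1 hash: 1 char gives 16 buckets, 2 chars give 256.
    The file contents are constructed; only the distribution matters."""
    counts = Counter()
    for i in range(n_files):
        digest = hashlib.sha1(f"constructed file {i}".encode()).hexdigest()
        counts[group_dir(digest, n_chars)] += 1
    return counts


if __name__ == "__main__":
    print(name_after_column("\\Windows\\Prefetch\\CMD.EXE-4A81B364.pf", "CMD.EXE-4A81B364.pf"))
    print(group_dir("2017-07-15 06:26:00", 4))
    c = bucket_distribution(4096, 2)
    print(len(c), "dirs; smallest", min(c.values()), "largest", max(c.values()))
```

With 4096 files and two hex characters the buckets average 16 files each and, as the law of large numbers predicts, none drifts far from that; with one character they average 256. Naming after the full path shortens the directory hierarchy but not the name itself, so combine it with a truncated grouping directory if overlong output paths are a concern.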
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 24, 2017 - 8:04:   

Preview 3:

* In NTFS volumes and in evidence file containers in raw format the "Wipe securely" command in the directory browser context menu in WinHex (X-Ways Forensics only when running as WinHex) can now optionally also wipe the main file system level metadata / the defining file system data structures of selected files (in containers the only such metadata), in addition to the file contents. If you would like to do that, just check the new box "Initialize MFT records". This option has no effect on files in other file systems or files that are embedded in other files or carved files.

* In newly taken snapshots of Ext3* volumes, the vast majority of files that utilize sparse storage or that are only partially initialized are marked as such in the Attr. column immediately. Some very few files will be identified as such once they were opened for reading/searching/processing.

* Ext4: For files whose contents are not defined/initialized at the end, the valid data length of files is now displayed in File mode.

* The actually (but not officially) unused area at the end of the last block of a directory in Ext* file systems is now nicely highlighted like slack space in File mode, and once opened (for File mode or logical searches or whatever) the logical size of the directory will also be reflected in the volume snapshot (visible in the directory browser's Size column only if recursive selection statistics are disabled).

* "List directories when exploring recursively" is now a 3-state check box and by default half-checked. In that state directories are listed when exploring recursively only if a non-trivial filter is active (non-trivial = for more than just not excluded items) and when actually applying filters to directories, too. In this combination the user is potentially interested in directories because they may have certain timestamps or names etc. of interest, but in ordinary situations probably not, so this new middle state could be a very good compromise.

* Those few extended attributes in HFS+ that contain only short plain text are now output in the Metadata column instead of as child objects.

* Many hardlinked dir_* directories in .HFS+ Private Directory Data in HFS+ now point back to their first source as a so-called related item. This information is based on extended attributes of the "firstlink" type.

* The volume snapshot option "Include EA in snapshot" for extended attributes in HFS+ file systems has been revised and renamed to "Complete output of EA". By default, it is not checked. All extended attributes deemed relevant by X-Ways Forensics are still processed and output either in the Metadata column if they are textual in nature (that is new) or as file contents of resident or compressed files or as links to related directories, or as child objects that are marked in the Attr. column with (EA). If the new option is half selected, "firstlink" attributes and "quarantine" attributes are output in the Metadata column additionally. If the new option is fully checked, even empty binary PLists and ordinary "Security" attributes are output as child objects.

* Several minor improvements.

* Same fix level as v19.3 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 24, 2017 - 16:11:   

* Some DLLs updated retroactively in Preview 3. Ability to process certain zip archives with a rare header signature variant (extended local header).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jul 27, 2017 - 8:40:   

Preview 4:

* Ability to extract files from GZ archives that are larger than 4 GB. (Will also be available in v19.3 SR-6.)

* X-Ways Forensics and WinHex Lab Edition now have a special highlighting feature for file header signatures, right in the hex display (X-Ways Forensics: Disk/Partition/Volume and File mode). The identification is done by matching the raw GREP-enabled expressions in "File Header Signatures Search *.txt" to every single offset in the currently visible page. The enhancing effect of the "~" algorithms, which often can identify false positives or further distinguish between different subtypes during file header signature searches, is not applied, though. This new feature can be enabled or disabled in Options | General, in the automatic coloring section on the right. If only half selected, signatures will only be searched and highlighted at sector boundaries. Generally this kind of highlighting will help you spot start positions of well known data/file types, even if embedded within one another, immediately, for example thumbnails in JPEG files, individual records in zip archives, TIFF signatures in Exif metadata, certificates in Windows Registry hives, etc. etc.

* New flag for file header signature definitions: "H" means that a definition is meant only for the new highlighting feature, not for regular file header signature searches or for file type verification. Such definitions only require three pieces of information: The keyword or GREP expression, the relative offset (typically 0) and the flag "H". The description at the start of the line is optional, but recommended because the color depends on the description, and for different descriptions you will likely see different colors. You could even create a dedicated text file, for example named "File Type Signatures Search Highlighting.txt", that defines various keywords or GREP expressions that you are always interested in and would like to get highlighted immediately in every case even before running appropriate searches. Also useful if you analyze or reverse-engineer file formats, where for example records do not have a fixed length (so that the record presentation option in WinHex is not applicable), but are identifiable by signatures.

* FILETIME highlighting is now separately selectable and not covered by the MFT FILE record auto coloring option any more.

* New flag for file header signature definitions: "A" means that a definition heavily depends on the associated algorithm (the one defined with the ~ character) and is too generic for identification without it.

* Grouping files and directories is now a 3-state check box and by default groups only when not exploring recursively, i.e. only when directories are needed for navigation and thus expected at the top of the list.

* 3-state check boxes now have the superscript 3 next to the box instead of after the text label, which looks more tidy.

* Users can now define their own tooltips for three types of control items (check boxes, radio buttons, drop-down boxes/combo boxes, and ordinary push buttons except "OK", "Cancel", and "Help"). This is done by clicking such items with the Shift key pressed and can be useful for personal notes and ideas, so that you can describe and better remember your preferred settings for different situations and their meaning. The tooltip texts will be stored in a file named Tooltips.txt and can be shared with other users, for example within an organization to remind your colleagues of which settings should be used according to your defined standards. Tooltip texts are stored in Unicode, may be up to 510 characters long, and may contain line breaks for formatting purposes. You can tell that a user-defined tooltip is available for a control item if it has a gray asterisk on its left.

* The Technical Details Report for a physical disk with GPT partitioning now includes the unique partition GUIDs.

* Immediate effect when changing the setting for a case-specific temp directory.

* Some minor improvements.
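The signature highlighting described in Preview 4 above, as an added example that is not part of the original post and not X-Ways code: a page of raw bytes is tested at every offset against GREP-style byte patterns, with an option to keep only hits at sector boundaries (the half-checked mode). The signature table, its three-column shape (description, pattern, relative offset) and the constructed page with a thumbnail JPEG inside a JPEG's Exif segment and a PDF inside a zip record are assumptions; the magic numbers themselves are the standard ones. As in the program, no "~" algorithm is applied, so short patterns such as the TIFF header will produce false positives in random data.

```python
"""Added example (not X-Ways code): highlight file header signatures at every
offset of a page of raw data, optionally only at sector boundaries."""
import re

SECTOR = 512

# Constructed signature table in the spirit of "File Type Signatures Search *.txt":
# (description, regex on raw bytes, relative offset of the signature in the file).
SIGNATURES = [
    ("JPEG", rb"\xff\xd8\xff[\xe0\xe1\xdb]", 0),
    ("Zip local header", rb"PK\x03\x04", 0),
    ("TIFF (Exif)", rb"(II\x2a\x00|MM\x00\x2a)", 0),
    ("PDF", rb"%PDF-", 0),
    ("X.509 cert (DER)", rb"\x30\x82..\x30\x82", 0),
]


def find_signatures(page, page_offset=0, sectors_only=False, sector=SECTOR):
    """Return sorted (absolute start offset, description) pairs for every
    signature found in `page`. A zero-width lookahead makes re.finditer report
    overlapping matches of the same pattern, so headers embedded within one
    another (thumbnail inside a JPEG) are all reported. With sectors_only,
    only file starts that fall on a sector boundary are kept."""
    hits = []
    for desc, pattern, rel_off in SIGNATURES:
        lookahead = b"(?=(?:" + pattern + b"))"
        for m in re.finditer(lookahead, page, re.DOTALL):
            start = page_offset + m.start() - rel_off
            if start < 0:
                continue
            if sectors_only and start % sector:
                continue
            hits.append((start, desc))
    return sorted(hits)


def build_sample_page():
    """Constructed 2048-byte page: a JPEG whose Exif APP1 segment carries a
    TIFF header and an embedded thumbnail JPEG, then a zip local file header
    on the next sector boundary containing a PDF."""
    page = bytearray(2048)
    page[0:4] = b"\xff\xd8\xff\xe1"            # JPEG SOI + APP1 marker
    page[4:6] = (0x3C).to_bytes(2, "big")      # APP1 segment length (arbitrary)
    page[6:12] = b"Exif\x00\x00"
    page[12:16] = b"II\x2a\x00"                # TIFF header of the Exif block
    page[64:68] = b"\xff\xd8\xff\xdb"          # embedded thumbnail JPEG
    page[1024:1028] = b"PK\x03\x04"            # zip local header on sector 2
    page[1054:1062] = b"%PDF-1.4"              # PDF stored inside the zip record
    return bytes(page)


if __name__ == "__main__":
    sample = build_sample_page()
    for off, desc in find_signatures(sample):
        print(f"0x{off:08x}  {desc}")
    print("sector boundaries only:", find_signatures(sample, sectors_only=True))
```

Patterns with a relative offset other than 0 (a signature that sits a few bytes into the file) are handled by subtracting that offset from the match position, which is why the sector check is applied to the computed file start rather than to the match itself.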
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 9, 2017 - 10:30:   

Preview 5:

* The Full Path filter now supports asterisks at the end of each line. For example, \Windows\Prefetch\* matches all files in the directory \Windows\Prefetch.

* Several other minor improvements and a few fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 9, 2017 - 20:27:   

Preview 5b:

* Output of the official InstallDate of a Windows 10 installation from the SOFTWARE hive in addition to the SYSTEM hive's original "Source OS *" InstallDate if present as an "Upgrade" timestamp in the properties of newly added evidence objects, so that users find both dates there and don't suspect a bug in X-Ways Forensics if the installation date that they think is correct does not match the date shown. Anyway, for more complete information please generate the registry report.

* The extra effort that X-Ways Forensics makes to include deleted objects in FAT32 file systems correctly in the volume snapshot since v19.3 is now optional (see Options | Volume Snapshot). If only half checked, the extra effort is made only for subdirectories, not files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 23, 2017 - 6:03:   

Beta 1:

* Previously, search hits for identical search terms were always merged and made accessible through the same item in the search term list. This is useful for example when running searches for the same keywords / GREP expressions incrementally (in multiple runs) in different evidence objects. Now there is a new box on the left-hand side of the Simultaneous Search dialog window, which you can UNcheck in order to always produce a new item in the search term list, even if the keyword that you are looking for is identical to a previously used keyword or a keyword in the same run. This is useful if you run the searches with different settings (e.g. same keyword as a whole word and not as a whole word at the same time), in order to be able to distinguish the resulting search hits later.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 29, 2017 - 5:23:   

Beta 2:

* A new command line parameter named "Override" was introduced, which overrides message boxes and dialog boxes until the last command line parameter has been processed. The text of those boxes will be output to the Messages window (and thus indirectly also to msglog.txt, unless disabled), and either an automatic click on OK will be simulated (if the parameter is "Override:1") or a click on Cancel (in case of "Override:2"). If a message box has only one button, it does not matter which parameter value was specified. All of this helps to avoid interruptions and delays of automatic processing when the program is waiting for user input.

The default setting and recommended behavior (if no Override parameter is specified) is like "Override:0", where message boxes and dialog boxes are shown normally and potentially alert the user of critical error conditions and anomalies such as incomplete images, undetectable image format etc. The parameter takes effect immediately upon start-up, before regular processing of other parameters begins, even if the Override parameter is specified last in the command line.

* The Override parameter also outputs the entire command line to the Messages window (even with the value "0"), and this happens at a time that depends on the position of the parameter within the command line. This allows users who study the log later to know what the simulated response to the suppressed message boxes and dialog boxes was.

* Ability to preserve illegal filename characters in report table names in shared analysis work mode.

* Some minor improvements.

* Same fix level as v19.3 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 5, 2017 - 9:01:   

v19.4 was just released.

Additional changes since Beta 2:

* Offers a work-around when trying to view Windows 10 prefetch files under Windows 7.

* Better file carving results for RAR, large PST, 7Zip, DWF, and JPEG.

* New file type "vdata" defined in the Special category, for picture and video files that were specially hidden by an Android app called Vaulty.

* Support for a new version of Windows Thumbcache files.

* Previous releases potentially missed some files in newer variants of XFS file systems. A tentative fix for that has now been applied.

* Some minor improvements.
Michael Felber
Username: michaelfelber

Registered: N/A
Posted on Friday, Sep 8, 2017 - 7:41:   

What a nice idea to illustrate the infamous three state boxes with a user specific tooltip. Thanks to the X-Ways folks at Cologne and all over the world for implementing that and many thanks to my colleagues from the National Criminal Police Office at Mainz for providing a German Tooltips.txt.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 19, 2017 - 7:33:   

SR-1:

* The Simultaneous Search as invoked from Refine Volume Snapshot did not work when RVS was triggered from the command line. That was fixed. (The fix will also be included in v19.1 SR-10, v19.2 SR-8, and v19.3 SR-8.)

* Mounting (volume snapshots of) drive letters as drive letters is now allowed.

* E-mail extraction from olk15message files revised.

* The auto-save interval did not have any effect in cases that were newly created from the command line with the NewCase command. That was fixed.

* Fixed a very rare infinite loop that could occur while processing corrupt Skype databases.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 27, 2017 - 7:45:   

SR-2:

* Previously, hidden files in the case directory were not included when cases were archived. That was fixed.

* Ability to recognize APFS volumes.

* Ability to buffer 4 GB instead of 2 GB of decoded file contents per evidence object and prevent buffer overflow and corruption.

* Shift+Click to open "File Type Signatures *.txt" from within the program has been changed to Ctrl+Click.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 4, 2017 - 5:51:   

SR-3:

* Fixed an exception error that could occur with certain VCF files since v19.3.

* Fixed a handle leak in the report generation with thumbnail creation for non-picture files.

* Limited the inclusion of excessive amounts of metadata in the Metadata column for certain files created by Photoshop.

* With the crash-safe decoding option, encrypted documents were not decrypted for the text decoding part of the logical search. That has been improved now.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 6, 2017 - 18:50:   

SR-4:

* Fixed stability problems in decompressing WofCompressed data.

* Support for exFAT volumes with more than 2^32 sectors.

* The XWF_CTR_OPEN flag of the X-Tension function XWF_CreateContainer did not work. That was fixed.

* The dependent Description filter options for e-mails had a filter effect in v19.4 even when invisible and not applicable. That was fixed.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 11, 2017 - 6:30:   

SR-5:

* In WinHex with a specialist license or less, the Recover/Copy command did not work in v19.4. That was fixed.

* Improved decoding of certain e-mail header lines with quoted printable and code page indicators.

* Matching hash values against hash databases as part of volume snapshot refinement did not work when triggered through the command line. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 5, 2017 - 10:24:   

SR-6:

* Improved speed and stability when processing EVTX logs. Avoided a possible infinite loop condition.

* Fixed a rare exception error that could occur when taking volume snapshots of HFS+ volumes.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 15, 2017 - 14:37:   

SR-6:

* The logical simultaneous search would not run in WinHex with a specialist license in v19.4. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 22, 2017 - 10:57:   

SR-7:

* Skipping hash databases when matching hash values did not always work in v19.3 and v19.4. That was fixed.

* Fixed an infinite loop that could occur under rare circumstances when opening files in TAR.GZ archives.

* Fixed an exception error that could occur when processing certain e-mail messages in v19.4 SR-6.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 5, 2018 - 7:36:   

SR-8:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.4. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 8, 2018 - 18:19:   

SR-9:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.4. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 14, 2018 - 6:07:   

SR-10:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.4. Available to these users on request for a limited time. This is probably the last service release for v19.4.

Forum operated by X-Ways Software Technology AG.