|Posted on Wednesday, Sep 27, 2017 - 7:49: |
A preview version of X-Ways Forensics 19.5 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.5 Preview 1?
* A new command in the case context menu allows you to import evidence objects from another case into the current case, for example when you wish to merge different cases (that may have been worked on by different users to split up the workload) into a single case. Only tagged evidence objects are imported, i.e. those displayed with a light bulb in their original case. This will also import (actually: copy) an evidence object's volume snapshot with report table associations, comments, bookmarks, search hits, indexes, events, RAID reconstruction parameters, time zone selection, and much more, but not volume snapshot backups and not the users (examiners) of the other case and the distinction between their own report table associations and search hits. The timestamp recorded when the evidence object was added to the original case will be taken over into the new case. The current user who conducts the import will absorb those results. The unique IDs of files will be different in the new case. However, report table associations for that evidence object can be exchanged (exported and imported) between the source and the destination case because the volume snapshot IDs and internal IDs are retained.
* The command to import an evidence object from another case can also be used to simply duplicate an evidence object in the same case. Simply select the .xfc file of the currently active case to do that for the tagged evidence objects. This can be useful to maintain, view and compare two volume snapshots at the same time, to experiment with file header signature searches with untested signature definitions, etc.
* The type of a user account (administrative user, user only, or guest account) is now mentioned in the Windows registry report.
* Support for Cellebrite's raw image segment naming conventions (abc.bin, abc_1.bin, abc_2.bin, ...).
* Safari Cache.db: Preview includes information as to where the data of each record is stored (filesystem or Cache.db). Prevents dummy data from being exported when data is not stored within the database. Support for a previous schema of the Safari cache database.
* Ability to run file header signature searches not only in files whose names or types match a certain file mask, but optionally also in all files of unknown type.
* Ability to buffer 8 GB instead of 4 GB of decoded file contents per evidence object in newly created volume snapshots.
* When analyzing or recovering a previous instance that employs additional threads, it is now possible to select one of those worker threads instead of the main thread.
* Some minor improvements.
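The segment naming scheme mentioned above (abc.bin, abc_1.bin, abc_2.bin, ...) is simple, but a reader has to enumerate the segments in order and refuse to proceed when one is missing, because a silently skipped segment shifts every later byte offset in the image. The following reader is an added example and is not X-Ways code; the segment contents, the temporary directory and the helper names are constructed for the demonstration. Beyond the naming scheme itself it shows offset-to-segment translation for reads that span a segment boundary and a gap check.

```python
"""Reader for raw images split with the Cellebrite segment names above
(abc.bin, abc_1.bin, abc_2.bin, ...). Added example, not X-Ways code."""
import bisect
import hashlib
import os
import re
import tempfile
from typing import List, Tuple


def segment_paths(first_segment: str) -> List[str]:
    """Ordered segment files for an image whose first segment is e.g. abc.bin.
    Enumeration stops at the first missing index; if higher-numbered segments
    exist beyond that point the set has a gap and we refuse to continue, since
    silently skipping a segment would shift every later byte offset."""
    if not os.path.isfile(first_segment):
        raise FileNotFoundError(first_segment)
    stem, ext = os.path.splitext(first_segment)
    paths, n = [first_segment], 1
    while os.path.isfile(f"{stem}_{n}{ext}"):
        paths.append(f"{stem}_{n}{ext}")
        n += 1
    directory = os.path.dirname(first_segment) or "."
    pat = re.compile(re.escape(os.path.basename(stem)) + r"_(\d+)" + re.escape(ext))
    orphans = sorted(int(m.group(1)) for f in os.listdir(directory)
                     if (m := pat.fullmatch(f)) and int(m.group(1)) >= n)
    if orphans:
        raise ValueError(f"segment {n} is missing but segments {orphans} exist")
    return paths


class SegmentedImage:
    """Presents the segments as one flat byte space."""

    def __init__(self, first_segment: str):
        self.paths = segment_paths(first_segment)
        self.sizes = [os.path.getsize(p) for p in self.paths]
        self.starts = [sum(self.sizes[:i]) for i in range(len(self.sizes))]
        self.size = sum(self.sizes)

    def locate(self, offset: int) -> Tuple[int, int]:
        """Absolute offset -> (segment index, offset inside that segment)."""
        if not 0 <= offset < self.size:
            raise ValueError("offset outside image")
        i = bisect.bisect_right(self.starts, offset) - 1
        return i, offset - self.starts[i]

    def read(self, offset: int, length: int) -> bytes:
        out = bytearray()
        while length > 0 and offset < self.size:
            i, local = self.locate(offset)
            chunk = min(length, self.sizes[i] - local)   # stop at segment end
            with open(self.paths[i], "rb") as f:
                f.seek(local)
                out += f.read(chunk)
            offset, length = offset + chunk, length - chunk
        return bytes(out)

    def sha256(self) -> str:
        """Image hash computed segment by segment, as a tool would do it."""
        h = hashlib.sha256()
        for p in self.paths:
            with open(p, "rb") as f:
                for block in iter(lambda: f.read(1 << 20), b""):
                    h.update(block)
        return h.hexdigest()


def demo() -> Tuple[str, str, bool]:
    """Constructed three-segment image: 10 'A', 10 'B', 5 'C' bytes."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("abc.bin", b"A" * 10), ("abc_1.bin", b"B" * 10),
                           ("abc_2.bin", b"C" * 5)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        img = SegmentedImage(os.path.join(d, "abc.bin"))
        spanning = img.read(8, 5)               # crosses abc.bin -> abc_1.bin
        whole = img.read(0, img.size)
        return (spanning.decode(), img.sha256(),
                img.sha256() == hashlib.sha256(whole).hexdigest())


def demo_gap() -> bool:
    """abc.bin and abc_2.bin present, abc_1.bin missing: must be refused."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("abc.bin", "abc_2.bin"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"x")
        try:
            segment_paths(os.path.join(d, "abc.bin"))
        except ValueError:
            return True
        return False
```

The gap check matters in practice: a segment set copied incompletely from an acquisition device still opens and hashes cleanly if the reader simply stops at the first missing file, and the resulting image hash will never match the acquisition hash.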
|Posted on Wednesday, Oct 4, 2017 - 5:56: |
* Metadata and event extraction from SRUDB.dat, i.e. the activity captured by the system resource usage monitor (SRUM). You can see the processes started over time, listed with their owners, and a lot of statistics. Network usage activity by each process is extracted as well. The extracted information can be useful to pinpoint the moment of a possible intrusion or the process that caused an intrusion. The information is presented in detailed HTML child object files and as events in the event list.
* A new option in Options | Viewer Programs allows you to provisionally clean up after GDI font object leaks as exhibited by the viewer component when loading some rare files, in the x64 edition only (possibly also functional in the x86 edition on x86 Windows, but that was not tested). This prevents graphical errors in the user interface as well as program instabilities and freezes. Users who have encountered such rare files occasionally because they view/preview so many files or extensively use the gallery with thumbnails of non-picture files are encouraged to switch to v19.5 early.
* An additional column shows the unique ID formatted and extended as a GUID, for users who need to have a GUID for each file in their cases. The GUID can also be used to name output files in the case report and in Recover/Copy.
* A new directory browser column shows the number of search hits in a file.
* Additional columns after "Recipients" show To:, Cc:, and Bcc: recipients of e-mails and e-mail attachments separately.
* The generator signature that is known from the Metadata column is now additionally presented in its own separate column, for sorting purposes, which may help to identify logical connections.
* Generator signature database further updated.
* The dialog window that allows to define keyboard shortcuts is now accessible from the General Options, no longer from the Directory Browser Options.
* The height of the Directory Browser Options dialog window has been shrunk, so that it should now fit on the screen even on laptop computers with unnecessarily high DPI settings in Windows 10 or generally on displays or projectors with a poor vertical resolution.
* Recognizes files that were encrypted in FAT and exFAT volumes by Windows 10 with EFS.
* Ability to run X-Tensions as part of a volume snapshot refinement that is triggered from the command line.
* Ability to run a simultaneous search neither in the original file contents nor in the directory browser metadata cells, but only in the decoded text of documents.
* File type signature definition and file carving algorithm association for High Efficiency Image files (.heic).
* Improved stability with EDB processing.
* WinHex Lab Edition now allows File mode to be used.
* In WinHex with a specialist license or less the legend can now be displayed with a command in the Access button popup menu, and toggling between recursive and normal exploration is also possible now with a command in that menu.
* Several minor improvements.
* Also available as a BYOD version.
* Same fix level as v19.4 SR-3.
|Posted on Wednesday, Oct 11, 2017 - 6:57: |
* Individual event types for SRUDB, which make it easier to filter for particular resource usage types.
* Ability to export, import and merge FuzZyDoc hash sets. The result of the export can be used with the import function or alternatively is also valid as a stand-alone database by itself.
* X-Ways Forensics, X-Ways Investigator and WinHex Lab Edition now support a new API called the Image I/O API. It's described at http://www.x-ways.net/forensics/x-tensions/Image_IO_API.html and allows interested parties to add support for other physical disk image formats. It is even possible to add alternative support for an already supported image type, for example certain virtual machine disk images with currently unsupported special features or segmented raw images with a currently unsupported segment filename scheme. When such DLLs are made available by trusted sources, users would just add them to the installation directory of X-Ways Forensics. They have to be named Image*.dll, and will be loaded automatically by the program. (Adding them to the installation directory is considered to signify consent for that.)
* X-Tensions API: C++ function definitions and C++ sample projects updated.
* Generator signature definitions further updated. New prefix "Mobile::" for many photos taken by mobile devices.
* Same fix level as v19.4 SR-5.
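The Image I/O API note above says that any DLL named Image*.dll placed in the installation directory is loaded automatically, so the installation directory becomes the trust boundary for native code running inside the forensic tool. A practitioner will want to inventory those files and compare them against hashes published by the plug-in authors before an examination. The following audit is an added example, not X-Ways code; the installation directory, the DLL names and the allow-list hashes are constructed for the demonstration.

```python
"""Inventory the Image*.dll plug-ins X-Ways Forensics would auto-load and check
them against an allow-list of expected SHA-256 hashes. Added example, not
X-Ways code; paths, DLL names and hashes below are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def audit_image_dlls(install_dir: str, allowlist: Dict[str, str]) -> Dict[str, str]:
    """Classify every file matching the auto-load pattern Image*.dll as
    'allowed' (name and hash known), 'modified' (name known, hash differs) or
    'unknown' (not on the list at all). Names are compared case-insensitively
    because Windows file names are; the pattern match is done by hand for the
    same reason, since Path.glob is case-sensitive on some platforms."""
    expected = {name.lower(): digest.lower() for name, digest in allowlist.items()}
    verdicts: Dict[str, str] = {}
    for p in Path(install_dir).iterdir():
        lower = p.name.lower()
        if not (p.is_file() and lower.startswith("image") and lower.endswith(".dll")):
            continue
        digest = sha256_file(p)
        if lower not in expected:
            verdicts[p.name] = "unknown"
        elif expected[lower] == digest:
            verdicts[p.name] = "allowed"
        else:
            verdicts[p.name] = "modified"
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed installation directory with three candidate plug-ins and
    one unrelated file that the loader pattern does not match."""
    with tempfile.TemporaryDirectory() as d:
        trusted = b"MZ-trusted-plugin"                    # constructed bytes
        Path(d, "ImageVMDK.dll").write_bytes(trusted)
        Path(d, "ImageRaw.dll").write_bytes(b"MZ-tampered")
        Path(d, "ImageEvil.dll").write_bytes(b"MZ-unknown")
        Path(d, "viewer.dll").write_bytes(b"MZ")          # not Image*.dll, ignored
        allowlist = {
            "ImageVMDK.dll": hashlib.sha256(trusted).hexdigest(),
            "ImageRaw.dll": "0" * 64,                     # published hash differs
        }
        return audit_image_dlls(d, allowlist)
```

Run this against the real installation directory with the hashes supplied by the plug-in author; anything reported as unknown or modified should be removed before the program is started, because the program itself treats presence in the directory as consent to load. On Windows, checking the Authenticode signature of each DLL (for example with Get-AuthenticodeSignature in PowerShell) is a useful second check alongside the hash comparison.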
|Posted on Sunday, Oct 15, 2017 - 16:46: |
* Duplicate files can now also be identified based on the textual representation of dates in some of the date columns, and how many characters in these columns and in the Name column are compared is optional.
* New directory browser context command Navigation | Seek Path helps to locate a file or directory in the directory browser whose full path you specify.
* X-Tensions API: XWF_ITEM_INFO_ATTR of the XWF_GetItemInformation function now documented.
* Some fixes.
|Posted on Sunday, Oct 22, 2017 - 17:23: |
* "Read uninitialized areas as zeroes" is now a 3-state check box. If fully checked, it has an effect on all read operations except logical searches, indexing, and search hit context preview. If half checked, it has an effect on all read operations except those three and on how file contents are presented in File mode and in separate data windows. If checked (fully or half), that is a useful setting to achieve file hash compatibility with ordinary (user level) Windows applications. If not checked at all, that is the setting required for hash compatibility with ordinary forensic tools, and it causes all file-specific read operations to return the data that is stored in the allocated (but uninitialized) clusters from previous usage, for example also for the Recover/Copy command.
* Several minor improvements.
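The hash compatibility point in the note above is worth seeing concretely: a file can have clusters allocated to it that were never written by the application, and those clusters still hold whatever a previous file left there. A user-level Windows read returns zeros for that region, a raw forensic read returns the stale bytes, and the two hashes differ even though the file "content" is the same. The following model is an added example and not X-Ways code; it assumes NTFS-style semantics (a valid data length shorter than the logical size) for what the note calls allocated but uninitialized clusters, and the volume, cluster numbers and file contents are constructed. It covers the fully checked and unchecked extremes; the half-checked state only changes which views apply the zero-fill.

```python
"""Why "Read uninitialized areas as zeroes" changes file hashes.
Added example, not X-Ways code. The file model (valid data length shorter
than the logical size) follows NTFS semantics and is an assumption about
what the release note calls allocated-but-uninitialized clusters."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

CLUSTER = 1024


@dataclass
class FileRecord:
    size: int             # logical file size (EOF)
    valid_data_len: int   # bytes actually written; beyond this the clusters hold stale data
    clusters: List[int]   # allocated cluster numbers in file order


def read_raw(volume: bytes, rec: FileRecord) -> bytes:
    """Option unchecked (forensic-tool compatible): the bytes that physically
    sit in the allocated clusters, up to the logical size. Slack past EOF is
    not part of the file and is excluded here as well."""
    data = b"".join(volume[c * CLUSTER:(c + 1) * CLUSTER] for c in rec.clusters)
    return data[:rec.size]


def read_zero_fill(volume: bytes, rec: FileRecord) -> bytes:
    """Option checked (user-level Windows compatible): the same bytes up to
    the valid data length, zeros from there to EOF."""
    raw = read_raw(volume, rec)
    return raw[:rec.valid_data_len] + b"\x00" * (rec.size - rec.valid_data_len)


def compare(volume: bytes, rec: FileRecord) -> Dict[str, object]:
    raw, zero = read_raw(volume, rec), read_zero_fill(volume, rec)
    first_diff = next((i for i, (a, b) in enumerate(zip(raw, zero)) if a != b), None)
    return {
        "sha256_raw": hashlib.sha256(raw).hexdigest(),
        "sha256_zero_fill": hashlib.sha256(zero).hexdigest(),
        "length": len(raw),
        "first_difference": first_diff,   # offset where the two views diverge
    }


def build_volume(stale_clusters: List[int]) -> bytearray:
    """Constructed 8-cluster volume; the given clusters still hold content of
    a deleted file (one distinct byte value per cluster)."""
    vol = bytearray(8 * CLUSTER)
    for c in stale_clusters:
        vol[c * CLUSTER:(c + 1) * CLUSTER] = bytes([0x40 + c]) * CLUSTER
    return vol


def demo_uninitialized() -> Dict[str, object]:
    """3000-byte file with 3 clusters allocated, but only 2100 bytes written."""
    vol = build_volume([2, 3, 4])
    rec = FileRecord(size=3000, valid_data_len=2100, clusters=[2, 3, 4])
    vol[2 * CLUSTER:2 * CLUSTER + 2100] = b"N" * 2100   # fresh application data
    return compare(vol, rec)


def demo_fully_written() -> Dict[str, object]:
    """Same file after the application wrote all 3000 bytes: hashes agree,
    and the stale slack between 3000 and 3072 is outside both reads."""
    vol = build_volume([2, 3, 4])
    rec = FileRecord(size=3000, valid_data_len=3000, clusters=[2, 3, 4])
    vol[2 * CLUSTER:2 * CLUSTER + 3000] = b"N" * 3000
    return compare(vol, rec)
```

The practical consequence: when a hash computed in X-Ways has to be matched against a hash computed on the live system or by another forensic tool, the state of this check box has to be recorded with the hash, since the 900 uninitialized bytes in the example produce a different digest under each setting.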