
X-Ways User Forum » Public Announcements » X-Ways Forensics 19.5

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 27, 2017 - 7:49:   

A preview version of X-Ways Forensics 19.5 is now available. The download link can be retrieved as always by querying one's license status.

What's new in v19.5 Preview 1?

* A new command in the case context menu allows you to import evidence objects from another case into the current case, for example when you wish to merge different cases (that may have been worked on by different users to split up the workload) into a single case. Only tagged evidence objects are imported, i.e. those displayed with a light bulb in their original case. This will also import (actually: copy) an evidence object's volume snapshot with report table associations, comments, bookmarks, search hits, indexes, events, RAID reconstruction parameters, time zone selection, and much more, but not volume snapshot backups and not the users (examiners) of the other case and the distinction between their own report table associations and search hits. The timestamp recorded when the evidence object was added to the original case will be taken over into the new case. The current user who conducts the import will absorb those results. The unique IDs of files will be different in the new case. However, report table associations for that evidence object can be exchanged (exported and imported) between the source and the destination case because the volume snapshot IDs and internal IDs are retained.

* The command to import an evidence object from another case can also be used to simply duplicate an evidence object in the same case. Simply select the .xfc file of the currently active case to do that for the tagged evidence objects. This can be useful to maintain and see and compare two volume snapshots at the same time, experiment with file header signature searches with untested signature definitions etc.

* The type of a user account (administrative user, user only, or guest account) is now mentioned in the Windows registry report.

* Support for Cellebrite's raw image segment naming conventions (abc.bin, abc_1.bin, abc_2.bin, ...).

* Safari Cache.db: Preview includes information as to where the data of each record is stored (filesystem or Cache.db). Prevents dummy data from being exported when data is not stored within the database. Support for a previous schema of the Safari cache database.

* Ability to run file header signature searches not only in files whose names or types match a certain file mask, but optionally also all files of unknown type.

* Ability to buffer 8 GB instead of 4 GB of decoded file contents per evidence object in newly created volume snapshots.

* When analyzing or recovering a previous instance that employs additional threads, it is now possible to select one of those worker threads instead of the main thread.

* Some minor improvements.
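The segment naming scheme mentioned above (abc.bin, abc_1.bin, abc_2.bin, ...) is simple, but two details matter when a tool walks such a set: segments must be ordered numerically rather than lexically (abc_2.bin before abc_10.bin), and a gap in the sequence must stop the walk rather than be skipped silently. The following is an added example, not code from X-Ways Forensics; the file names, sizes and the temporary directory are constructed for the demo, and the `SegmentedImage` class is a hypothetical helper that serves reads across segment boundaries as if the pieces were one flat image.

```python
import os
import tempfile

# Added example (not X-Ways code): walk a segmented raw image that uses the
# abc.bin, abc_1.bin, abc_2.bin, ... naming scheme and serve reads across
# segment boundaries as if it were one flat image.


def list_segments(first_segment):
    """Return segment paths in order, starting at abc.bin.

    Indices are generated numerically, so abc_2.bin is visited before
    abc_10.bin (a plain lexical directory sort would get that wrong), and the
    walk stops at the first missing index so a gap is never silently skipped.
    """
    directory, filename = os.path.split(first_segment)
    base, ext = os.path.splitext(filename)
    segments = [first_segment]
    index = 1
    while True:
        candidate = os.path.join(directory, f"{base}_{index}{ext}")
        if not os.path.isfile(candidate):
            break
        segments.append(candidate)
        index += 1
    return segments


class SegmentedImage:
    """Read-only view over the concatenated segments (hypothetical helper)."""

    def __init__(self, first_segment):
        self.segments = list_segments(first_segment)
        # Cumulative start offset of each segment within the flat image.
        self.starts = []
        total = 0
        for path in self.segments:
            self.starts.append(total)
            total += os.path.getsize(path)
        self.size = total

    def read(self, offset, length):
        """Return `length` bytes at `offset`, spanning segments as needed."""
        if offset < 0 or offset + length > self.size:
            raise ValueError("read outside image")
        out = bytearray()
        seg = 0
        # Locate the segment containing `offset`; segment counts are small,
        # so a linear scan is adequate.
        while seg + 1 < len(self.segments) and self.starts[seg + 1] <= offset:
            seg += 1
        while length > 0:
            local = offset - self.starts[seg]
            with open(self.segments[seg], "rb") as fh:
                fh.seek(local)
                chunk = fh.read(length)
            if not chunk:
                raise IOError("unexpected end of segment %s" % self.segments[seg])
            out += chunk
            offset += len(chunk)
            length -= len(chunk)
            seg += 1
        return bytes(out)


def demo():
    """Build constructed segments in a temp dir: abc.bin, abc_1.bin, abc_2.bin,
    plus a stray abc_4.bin that must be ignored because abc_3.bin is missing."""
    workdir = tempfile.mkdtemp()
    pieces = {"abc.bin": b"A" * 1024, "abc_1.bin": b"B" * 512,
              "abc_2.bin": b"C" * 256, "abc_4.bin": b"X" * 128}
    for name, content in pieces.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(content)
    image = SegmentedImage(os.path.join(workdir, "abc.bin"))
    return {
        "segment_count": len(image.segments),   # 3: abc_4.bin is not reachable
        "size": image.size,                     # 1024 + 512 + 256 = 1792
        "boundary_bytes": image.read(1020, 8),  # straddles abc.bin / abc_1.bin
        "tail_bytes": image.read(image.size - 4, 4),
    }
```

Stopping at the first gap is deliberate: a forensic tool that quietly concatenates abc_2.bin with abc_4.bin would produce an image whose offsets no longer correspond to the original device, which invalidates every sector-based finding downstream.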
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 4, 2017 - 5:56:   

Preview 2:

* Metadata and event extraction from SRUDB.dat, i.e. the activity captured by the system resource usage monitor (SRUM). You can see the processes started over time, listed with their owners, and a lot of statistics. Network usage activity by each process is extracted as well. The extracted information can be useful to pinpoint the moment of a possible intrusion or the process that caused an intrusion. The information is presented in detailed HTML child object files and as events in the event list.

* A new option in Options | Viewer Programs allows you to provisionally clean up after GDI font object leaks as exhibited by the viewer component when loading some rare files, in the x64 edition only (possibly functional also in the x86 edition in an x86 Windows as well, but that was not tested). This prevents graphical errors in the user interface as well as program instabilities and freezes. Users who have encountered such rare files occasionally because they view/preview so many files or extensively use the gallery with thumbnails of non-picture files are encouraged to switch to v19.5 early.

* An additional column shows the unique ID formatted and extended as a GUID, for users who need to have a GUID for each file in their cases. The GUID can also be used to name output files in the case report and in Recover/Copy.

* A new directory browser column shows the number of search hits in a file.

* Additional columns after "Recipients" show To:, Cc:, and Bcc: recipients of e-mails and e-mail attachments separately.

* The generator signature, which is known from the Metadata column, is now additionally presented in its own separate column, for sorting purposes, which may allow to identify logical connections.

* Generator signature database further updated.

* The dialog window that allows you to define keyboard shortcuts is now accessible from the General Options, no longer from the Directory Browser Options.

* The height of the Directory Browser Options dialog window has been shrunk, so that it should now fit on the screen even on laptop computers with unnecessarily high DPI settings in Windows 10 or generally on displays or projectors with a poor vertical resolution.

* Recognizes files that were encrypted in FAT and exFAT volumes by Windows 10 with EFS.

* Ability to run X-Tensions as part of a volume snapshot refinement that is triggered from the command line.

* Ability to run a simultaneous search neither in the original file contents nor in the directory browser metadata cells, but only in the decoded text of documents.

* File type signature definition and file carving algorithm association for High Efficiency Image files (.heic).

* Improved stability with EDB processing.

* WinHex Lab Edition now allows the use of File mode.

* In WinHex with a specialist license or less, the legend can now be displayed with a command in the Access button popup menu, and toggling between recursive and normal exploration is also possible now with a command in that menu.

* Several minor improvements.

* Also available as a BYOD version.

* Same fix level as v19.4 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 11, 2017 - 6:57:   

Preview 3:

* Individual event types for SRUDB, which make it easier to filter for particular resource usage types.

* Ability to export, import and merge FuzZyDoc hash sets. The result of the export can be used with the import function or alternatively is also valid as a stand-alone database by itself.

* X-Ways Forensics, X-Ways Investigator and WinHex Lab Edition now support a new API called the Image I/O API. It's described at http://www.x-ways.net/forensics/x-tensions/Image_IO_API.html and allows interested parties to add support for other physical disk image formats. It is even possible to add alternative support for an already supported image type, for example certain virtual machine disk images with currently unsupported special features or segmented raw images with a currently unsupported segment filename scheme. When such DLLs are made available by trusted sources, users would just add them to the installation directory of X-Ways Forensics. They have to be named Image*.dll, and will be loaded automatically by the program. (Adding them to the installation directory is considered to signify consent for that.)

* X-Tensions API: C++ function definitions and C++ sample projects updated.

* Generator signature definitions further updated. New prefix "Mobile::" for many photos taken by mobile devices.

* Same fix level as v19.4 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 15, 2017 - 16:46:   

Preview 4:

* Duplicate files can now also be identified based on the textual representation of dates in some of the date columns, and how many characters in these columns and in the Name column are compared is optional.

* New directory browser context command Navigation | Seek Path helps to locate a file or directory in the directory browser whose full path you specify.

* X-Tensions API: XWF_ITEM_INFO_ATTR of the XWF_GetItemInformation function now documented.

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 22, 2017 - 17:23:   

Preview 5:

* "Read uninitialized areas as zeroes" is now a 3-state check box. If fully checked, it has an effect on all read operations except logical searches, indexing, and search hit context preview. If half checked, it has an effect on all read operations except those three and on how file contents are presented in File mode and in separate data windows. If checked (fully or half), that is a useful setting to achieve file hash compatibility with ordinary (user level) Windows applications. If not checked at all, that is the setting required for hash compatibility with ordinary forensic tools, and it causes all file-specific read operations to return the data that is stored in the allocated (but uninitialized) clusters from previous usage, for example also for the Recover/Copy command.

* Several minor improvements.
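The hash compatibility point in the post above comes down to which bytes a reader is given for the part of a file that was allocated but never written: an ordinary user-level read returns zeroes past the initialized size, whereas a tool reading the allocated clusters directly gets whatever those clusters held before. The following added example (not X-Ways code) models that with NTFS-style sizes; the cluster contents, sizes and the `file_content` helper are constructed for the demo.

```python
import hashlib

# Added example (not X-Ways code): how "Read uninitialized areas as zeroes"
# changes what a file hash covers. Cluster contents and sizes are constructed.

CLUSTER_SIZE = 4096


def file_content(allocated_clusters, logical_size, initialized_size, zero_uninitialized):
    """Return the bytes a reader sees for a file with these NTFS-style sizes.

    allocated_clusters: raw bytes of the file's allocated clusters (may hold
                        stale data from previous use of those clusters)
    logical_size:       the file size recorded in the file system
    initialized_size:   valid data length; bytes past it were never written
    zero_uninitialized: True  -> behave like an ordinary user-level read, which
                                 returns zeroes past the initialized size
                        False -> return what is physically stored in the
                                 allocated clusters, as a forensic tool does
    """
    if not (0 <= initialized_size <= logical_size <= len(allocated_clusters)):
        raise ValueError("inconsistent sizes")
    data = allocated_clusters[:logical_size]
    if zero_uninitialized:
        data = data[:initialized_size] + b"\x00" * (logical_size - initialized_size)
    return data


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    # Constructed: two allocated clusters; the application wrote 3000 bytes and
    # then extended the file to 6000 bytes without writing the tail, so the
    # clusters still carry leftovers of whatever occupied them before.
    stale = (b"previous-file-data|" * 500)[:2 * CLUSTER_SIZE]
    written = b"A" * 3000
    clusters = written + stale[len(written):]
    logical_size, initialized_size = 6000, 3000

    user_level = sha256_hex(file_content(clusters, logical_size, initialized_size, True))
    forensic = sha256_hex(file_content(clusters, logical_size, initialized_size, False))
    # With no uninitialized tail both readings, and hence both hashes, agree.
    fully_written = sha256_hex(file_content(clusters, 3000, 3000, True))
    same_either_way = fully_written == sha256_hex(file_content(clusters, 3000, 3000, False))
    return {
        "user_level": user_level,
        "forensic": forensic,
        "hashes_differ": user_level != forensic,
        "same_when_fully_initialized": same_either_way,
    }
```

The practical consequence for a case: a hash computed with the option enabled will match what a Windows application or a hash published by a vendor produces, while a hash computed with it disabled will match other forensic tools that read clusters directly; record which setting was in force when hashes are compared across tools.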
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 5, 2017 - 10:35:   

Beta 1:

* Details mode now has a sub-mode, which can be activated by pressing the new "IM" button, which shows ONLY the internal metadata of a file. That makes it more efficient to check multiple files for that kind of metadata without having to scroll. In particular this is useful for forensic review of photos, to check the Exif data. Also new: Values in the internal metadata of JPEG files that X-Ways Forensics thinks have changed/are not original are highlighted in blue color.

* Thorough addition of events from EVT event logs (Windows XP or older) to the event list. Optimized HTML preview for EVT event logs to significantly reduce its size.

* That previously existing files are represented with the Hidden attribute (H) when mounting as a drive letter is now optional.

* Hierarchical indention in the Export List command can now be stronger (fully checked) or not so strong (half checked).

* The Hash category filter can now target uncategorized files.

* When filters are applied to directories, too, that now concerns only suitable filters. Filters that do not make sense to apply to directories (Type, Type Status, Hash, Hash Set, Author, ...) are not applied.

* If "List directories when exploring recursively" is half checked, i.e. when directories are not needed for navigation, just of interest if they match filters of interest, that now means that directories will only be listed if only filters are active that are actually applicable to directories (Name, timestamp filters, Owner, Int. ID, Attributes, ...) and if those filters let directories pass through. If for example both the Name filter and the Type filter are active at the same time, directories will not be listed, because even if they satisfy the Name filter, they cannot possibly satisfy the Type filter (directories do not have a file type). But if the Name filter and a timestamp filter are on, then directories are listed if they match both filter conditions.

* Recover/Copy now uses the same notation options as the Export List command.

* Improved behavior when running on multiple monitors with negative horizontal screen coordinates.

* Support for large table sections in .e01 evidence files.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 15, 2017 - 16:06:   

Beta 2:

* Check box to do FuzZyDoc matching "again" for files that were matched against the FuzZyDoc hash database already before.

* When trying to open an evidence object of a case that is backed by an image file and the image file cannot be found, X-Ways Forensics now automatically offers to open the evidence object without image, just like with the corresponding context menu command in the Case Data window. Useful if the image is not accessible right now (or has been deleted/lost completely) and you wish to just peek at the file listings, report table associations, your own comments, hash set matches, extracted metadata etc.

* The directory browser settings including all filters can now also be saved and loaded from within the system menu of the Directory Browser Options dialog window.

* Ability to display some rare black & white PNG pictures with the internal graphics viewing library that were not supported previously.

* Files in NTFS volumes that have grown or shrunk and whose previous file size is known from the FILE record now get their previous file size shown in the Info pane.

* Many minor improvements.

* A Tooltips.txt file with tooltip assistance for many check boxes in various dialog windows has been compiled by Michael Yasumoto, thankfully, copied verbatim from the explanations in the English language program help / user manual, and is available for download now, from the "Additional resources" directory. Tooltip text truncations after 512 characters are normal and by design.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 20, 2017 - 9:42:   

Beta 3:

* By default, the Path column now displays a partial path from the current exploration base when exploring recursively. That is the same path that you would get with the Recover/Copy command when reproducing a partial path only. Useful for example if you wish to share directory listings including subdirectories with someone (Export List command), distinguishing files in different subdirectories, without revealing the complete path of the files (e.g. on your own storage drive).

* Fast re-matching specifically of selected and tagged files against a hash database even when there are lots of matches in the volume snapshot already.

* Options of the Print command reorganized. In particular it is now easy to print *only* a cover page, not the actual file, if you are mainly interested in a printout of the metadata and your own comments.

* The print cover page now better utilizes the page width.

* There is now an option to print a preview of the file (picture or non-picture) at the bottom of the cover page. The format of this preview depends on the settings of the viewer component in Preview mode, e.g. "Best Fit" or "Actual Pixels" or "Fit to Window Width" etc. This is a 3-state check box. If only half checked, the preview is printed in much lighter colors, either to save ink/toner or to improve readability of the metadata fields if you output many of those and they spill over onto the preview.

* Directories can now be previewed. The preview of a directory shows that directory's subdirectories in a tree and optionally the respective file counts.

* Directories can now also be printed. The printout shows exactly the same as Preview mode.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 22, 2017 - 11:09:   

Beta 4:

* When defining German as the language of the user interface, users can now choose to get almost all occurrences of the letter ß replaced with ss. Useful especially (but not only) for customers in the German speaking parts of Switzerland.

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 27, 2017 - 8:27:   

v19.5 was just released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 29, 2017 - 18:43:   

SR-1:

* The internal creation date of XML/Zip-based Office documents was incorrectly assumed to be UTC-based during extraction. That was fixed.

* A few filters could not be activated any more in v19.5 by clicking the respective funnel symbols in the column headers, only from within the dialog window with the directory browser options. That was fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 29, 2017 - 18:47:   

* Parses a GUID partition table if present even if the MBR has a valid partition table itself and does not point to the presence of GPT partitioning.
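The fix above concerns a layout that a parser keyed on the protective 0xEE MBR entry would miss: an MBR with an ordinary, valid partition table and a GPT header nevertheless present in LBA 1. The following added example (not X-Ways code) checks LBA 1 regardless of what the MBR says, and only reports the GPT header as valid when its CRC32 verifies, so that leftovers of an earlier GPT layout are not mistaken for the current one. The `detect_partitioning` and `build_demo_image` helpers and the constructed four-sector image are assumptions made for the demo.

```python
import struct
import uuid
import zlib

# Added example (not X-Ways code): look for a GPT header in LBA 1 even when the
# MBR carries a normal partition table without a protective 0xEE entry.

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte fixed part of the GPT header
GPT_PROTECTIVE_TYPE = 0xEE


def parse_mbr(sector0):
    """Return the non-empty MBR partition entries, or None if the boot signature is absent."""
    if sector0[510:512] != b"\x55\xaa":
        return None
    entries = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start_lba, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0 and sectors != 0:
            entries.append({"type": ptype, "start_lba": start_lba, "sectors": sectors})
    return entries


def parse_gpt_header(sector1):
    """Parse the GPT header in LBA 1; only a header whose CRC32 verifies is reported valid."""
    if sector1[:8] != GPT_SIGNATURE:
        return None
    header_size = struct.unpack_from("<I", sector1, 12)[0]
    if not 92 <= header_size <= len(sector1):
        return {"valid": False, "reason": "implausible header size"}
    stored_crc = struct.unpack_from("<I", sector1, 16)[0]
    # The CRC covers header_size bytes with the CRC field itself zeroed.
    zeroed = sector1[:16] + b"\x00" * 4 + sector1[20:header_size]
    if zlib.crc32(zeroed) != stored_crc:
        return {"valid": False, "reason": "header CRC mismatch"}
    fields = struct.unpack_from(GPT_HEADER_FMT, sector1, 0)
    return {
        "valid": True,
        "current_lba": fields[5], "backup_lba": fields[6],
        "first_usable_lba": fields[7], "last_usable_lba": fields[8],
        "disk_guid": str(uuid.UUID(bytes_le=fields[9])),
        "entries_lba": fields[10], "entry_count": fields[11], "entry_size": fields[12],
    }


def detect_partitioning(image):
    """Inspect both LBA 0 and LBA 1 and report what was found."""
    mbr = parse_mbr(image[0:SECTOR])
    gpt = parse_gpt_header(image[SECTOR:2 * SECTOR])
    mbr_hints_gpt = bool(mbr) and any(e["type"] == GPT_PROTECTIVE_TYPE for e in mbr)
    return {
        "mbr": mbr,
        "mbr_hints_gpt": mbr_hints_gpt,
        "gpt": gpt,
        "gpt_found_despite_mbr": gpt is not None and gpt["valid"] and not mbr_hints_gpt,
    }


def build_demo_image():
    """Constructed 4-sector image: an MBR with an ordinary type 0x07 entry and no
    protective 0xEE entry, followed by a CRC-correct GPT header in LBA 1."""
    sector0 = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", sector0, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1000)
    sector0[510:512] = b"\x55\xaa"
    disk_guid = uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes_le

    def header(crc):
        return struct.pack(GPT_HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, crc, 0,
                           1, 3, 34, 2047, disk_guid, 2, 128, 128, 0)

    sector1 = header(zlib.crc32(header(0))).ljust(SECTOR, b"\x00")
    return bytes(sector0) + sector1 + bytes(2 * SECTOR)
```

A CRC-verified header alone does not prove the GPT layout is the live one; a real tool would also compare it against the backup header at `backup_lba` and cross-check the partition entry array CRC before acting on the entries.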
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 8, 2017 - 15:39:   

SR-2:

* Ability to use the RAID reconstruction feature to rebuild a JBOD that consists of just a single component. That could be useful to get a single partition of an MD RAID with RAID level 1 interpreted as a physical disk within X-Ways Forensics.

* Processing of SQLite databases with the identification as sqlite3 in the Type column.

* Fixed "Extents cannot be accessed" error that could occur on some highly fragmented HFS+ volumes.

* Fixed an error or crash that could occur when viewing nested files purely with the viewer component in v19.5.

* More stable when trying to decompress corrupt data that is presumed to be XPRESS-compressed.

* Fixed a possible read error in conjunction with image files in v19.5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 20, 2017 - 20:44:   

SR-3:

* Certain existing files in evidence file containers that originated from exFAT file systems were erroneously not included in the volume snapshot if "Include deleted files in snapshot at all" was not checked. That was fixed.

* Fixed a crash that could occur when adding e-mails with an extremely long list of recipients to an evidence file container.

* Prevented a possible exception error with certain Chrome cache files.

* The work-around to view Windows 10 Prefetch files under Windows 7 did not work any more in v19.5. That was fixed.

* Potentially increased stability when processing .evtx event log files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 14, 2018 - 19:35:   

SR-4:

* Improved stability when decompressing data that is expected to be WofCompressed, but is not really WofCompressed, and for certain unsupported WofCompressed data.

* Fixed an exception error that occurred when creating a case report if an evidence object had positions/bookmarks without description in the Position Manager.

* Fixed a possible exception error when uncovering embedded data from PE executable files.

* The alternative .eml preview now correctly deals with bodies that contain concatenated HTML documents such as found in Skype conversations that were auto-saved in MS Exchange.

* Fixed an exception error that could occur at the beginning of the file-wise processing of volume snapshot refinement if started from the command line.

* Fixed inability to change the user interface language in X-Ways Investigator right in the user interface.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 22, 2018 - 9:54:   

SR-5:

* Prevented exception errors that could occur with carved corrupt Canon Zoom Browser files (.info).

* Some previously existing directories of which traces were found in $LogFile were erroneously included in the volume snapshot as files. That could lead to consequential parent-child problems for files that were contained in those directories, if traces of these files were also found in $LogFile.

* Fixed an error that under certain circumstances prevented the removal of unwanted hash values from a specifically targeted hash set in the hash database.

* Fixed an exception error that could occur when generating the alternative preview of .eml files.

* Fixed incomplete GPS latitude output.

* Fixed an exception error that occurred in v19.5 when recovering files by type from within uninterpreted raw image files.

* Prevented reproduction of trailing backslashes in evidence object names as top level directory names in evidence file containers.

* Fixed an exception error that could occur in the 64-bit edition when activating the Type filter with a user-defined type list.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 5, 2018 - 7:57:   

SR-6:

* More strict checking of $USNJrnl:$J data before extraction to prevent instabilities with potential data corruption.

* Automatic removal of interspersed padding data between a thumbnail and a low-resolution alternative of a photo in JPEG files created by various digital camera models, which was previously included in (prepended to) the low-resolution alternative and prevented immediate viewing.

* Fixed an exception error that could occur when parsing incomplete sets of thumbcaches of Windows 7.

* Prevented a possible crash that could occur with certain corrupt or irregular ID3 metadata in MP3 files.

* Implemented a more precise handling of Google Chrome's SyncData which results in a more detailed extraction of artifacts.

* Extraction of embedded JPEG attachments from certain original .eml files with an unusual encoding style.

* Better protection against corrupt .evt files.

* Stored search hits were not automatically loaded when an evidence object was opened by the "Last session" project.

* Fixed an error that in v19.3 and later could lead to sector read problems.

* Prevented unnecessary output of "Cannot write..." error messages for certain SQLite databases in certain situations when actually no error had occurred.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 19, 2018 - 11:27:   

SR-7:

* Under certain circumstances, logical simultaneous searches in v19.5 were aborted prematurely if the "1 hit per file" option was selected, and the user was informed of that. That was fixed.

* Reading uninitialized areas of files is now forced for shadow copy host files when volume shadow copies are parsed, no matter which setting for reading uninitialized areas is active.

* If the surrogate pattern for unreadable sectors is completely removed, that will now result in all zeroes again as documented and as known from v19.1 and earlier, without line breaks.

* When viewing password-protected documents with the viewer component for which the password list did not contain the correct password, after manually entering the correct password, a wrong password was remembered in the metadata column. That was fixed.

* Duplicate identification based on timestamp columns did not work correctly before. That was fixed.

* Fixed an exception error that could occur when uncovering embedded bitmap resources from corrupt PE executable files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 8, 2018 - 18:23:   

SR-8:

* Fixed inability of SR-6 and SR-7 to extract attachments from loose .eml files and e-mails in MBOX archives.

* Fixed potentially incomplete processing of some rare SQLite database files.

* Fixed a potential instability when extracting e-mails from MBOX e-mail archives.

* Fixed display error with extremely high DPI settings.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 26, 2018 - 13:23:   

SR-9:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.5. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 14, 2018 - 6:10:   

SR-10:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.5. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 25, 2019 - 6:46:   

SR-11:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.5. Available to these users on request for a limited time. This is probably the last service release for v19.5.

Forum operated by X-Ways Software Technology AG.