|Posted on Wednesday, Sep 27, 2017 - 7:49: |
A preview version of X-Ways Forensics 19.5 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.5 Preview 1?
* A new command in the case context menu allows you to import evidence objects from another case into the current case, for example when you wish to merge different cases (that may have been worked on by different users to split up the workload) into a single case. Only tagged evidence objects are imported, i.e. those displayed with a light bulb in their original case. This will also import (actually: copy) an evidence object's volume snapshot with report table associations, comments, bookmarks, search hits, indexes, events, RAID reconstruction parameters, time zone selection, and much more, but not volume snapshot backups and not the users (examiners) of the other case and the distinction between their own report table associations and search hits. The timestamp recorded when the evidence object was added to the original case will be taken over into the new case. The current user who conducts the import will absorb those results. The unique IDs of files will be different in the new case. However, report table associations for that evidence object can be exchanged (exported and imported) between the source and the destination case because the volume snapshot IDs and internal IDs are retained.
* The command to import an evidence object from another case can also be used to simply duplicate an evidence object in the same case. Simply select the .xfc file of the currently active case to do that for the tagged evidence objects. This can be useful to maintain and see and compare two volume snapshots at the same time, experiment with file header signature searches with untested signature definitions etc.
* The type of a user account (administrative user, user only, or guest account) is now mentioned in the Windows registry report.
* Support for Cellebrite's raw image segment naming conventions (abc.bin, abc_1.bin, abc_2.bin, ...).
* Safari Cache.db: Preview includes information as to where the data of each record is stored (filesystem or Cache.db). Prevents dummy data from being exported when data is not stored within the database. Support for a previous schema of the Safari cache database.
* Ability to run file header signature searches not only in files whose names or types match a certain file mask, but optionally also in all files of unknown type.
* Ability to buffer 8 GB instead of 4 GB of decoded file contents per evidence object in newly created volume snapshots.
* When analyzing or recovering a previous instance that employs additional threads, it is now possible to select one of those worker threads instead of the main thread.
* Some minor improvements.
|Posted on Wednesday, Oct 4, 2017 - 5:56: |
* Metadata and event extraction from SRUDB.dat, i.e. the activity captured by the system resource usage monitor (SRUM). You can see the processes started over time, listed with their owners, and a lot of statistics. Network usage activity by each process is extracted as well. The extracted information can be useful to pinpoint the moment of a possible intrusion or the process that caused an intrusion. The information is presented in detailed HTML child object files and as events in the event list.
* A new option in Options | Viewer Programs allows you to provisionally clean up after GDI font object leaks as exhibited by the viewer component when loading some rare files, in the x64 edition only (possibly also functional in the x86 edition on an x86 Windows, but that was not tested). This prevents graphical errors in the user interface as well as program instabilities and freezes. Users who have encountered such rare files occasionally because they view/preview so many files or extensively use the gallery with thumbnails of non-picture files are encouraged to switch to v19.5 early.
* An additional column shows the unique ID formatted and extended as a GUID, for users who need to have a GUID for each file in their cases. The GUID can also be used to name output files in the case report and in Recover/Copy.
* A new directory browser column shows the number of search hits in a file.
* Additional columns after "Recipients" show To:, Cc:, and Bcc: recipients of e-mails and e-mail attachments separately.
* The generator signature that is known from the Metadata column is now additionally presented in its own separate column, for sorting purposes, which may help to identify logical connections.
* Generator signature database further updated.
* The dialog window that allows to define keyboard shortcuts is now accessible from the General Options, no longer from the Directory Browser Options.
* The height of the Directory Browser Options dialog window has been shrunk, so that it should now fit on the screen even on laptop computers with unnecessarily high DPI settings in Windows 10 or generally on displays or projectors with a poor vertical resolution.
* Recognizes files that were encrypted in FAT and exFAT volumes by Windows 10 with EFS.
* Ability to run X-Tensions as part of a volume snapshot refinement that is triggered from the command line.
* Ability to run a simultaneous search neither in the original file contents nor in the directory browser metadata cells, but only in the decoded text of documents.
* File type signature definition and file carving algorithm association for High Efficiency Image files (.heic).
* Improved stability with EDB processing.
* WinHex Lab Edition now allows you to use File mode.
* In WinHex with a specialist license or less the legend can now be displayed with a command in the Access button popup menu, and toggling between recursive and normal exploration is also possible now with a command in that menu.
* Several minor improvements.
* Also available as a BYOD version.
* Same fix level as v19.4 SR-3.
|Posted on Wednesday, Oct 11, 2017 - 6:57: |
* Individual event types for SRUDB, which make it easier to filter for particular resource usage types.
* Ability to export, import and merge FuzZyDoc hash sets. The result of the export can be used with the import function or alternatively is also valid as a stand-alone database by itself.
* X-Ways Forensics, X-Ways Investigator and WinHex Lab Edition now support a new API called the Image I/O API. It's described at http://www.x-ways.net/forensics/x-tensions/Image_IO_API.html and allows interested parties to add support for other physical disk image formats. It is even possible to add alternative support for an already supported image type, for example certain virtual machine disk images with currently unsupported special features or segmented raw images with a currently unsupported segment filename scheme. When such DLLs are made available by trusted sources, users would just add them to the installation directory of X-Ways Forensics. They have to be named Image*.dll, and will be loaded automatically by the program. (Adding them to the installation directory is considered to signify consent for that.)
* X-Tensions API: C++ function definitions and C++ sample projects updated.
* Generator signature definitions further updated. New prefix "Mobile::" for many photos taken by mobile devices.
* Same fix level as v19.4 SR-5.
|Posted on Sunday, Oct 15, 2017 - 16:46: |
* Duplicate files can now also be identified based on the textual representation of dates in some of the date columns, and how many characters in these columns and in the Name column are compared is optional.
* New directory browser context command Navigation | Seek Path helps to locate a file or directory in the directory browser whose full path you specify.
* X-Tensions API: XWF_ITEM_INFO_ATTR of the XWF_GetItemInformation function now documented.
* Some fixes.
|Posted on Sunday, Oct 22, 2017 - 17:23: |
* "Read uninitialized areas as zeroes" is now a 3-state check box. If fully checked, it has an effect on all read operations except logical searches, indexing, and search hit context preview. If half checked, it has an effect on all read operations except those three and on how file contents are presented in File mode and in separate data windows. If checked (fully or half), that is a useful setting to achieve file hash compatibility with ordinary (user level) Windows applications. If not checked at all, that is the setting required for hash compatibility with ordinary forensic tools, and it causes all file-specific read operations to return the data that is stored in the allocated (but uninitialized) clusters from previous usage, for example also for the Recover/Copy command.
* Several minor improvements.
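Why the "Read uninitialized areas as zeroes" setting changes a file's hash, as an added illustration that is not part of the X-Ways post: a Python model (constructed data, assumed 4096-byte cluster size) of a file whose allocated clusters extend past the bytes its owner actually wrote. The user-level Windows view returns zeros for that tail, while a raw forensic read returns whatever residue the clusters still hold, so the two hashes only agree when the whole logical size was initialized.

```python
import hashlib

CLUSTER = 4096  # assumed cluster size for this constructed example


def allocated_clusters(logical_size: int) -> int:
    """Whole clusters the file system must allocate for a file of this size."""
    return -(-logical_size // CLUSTER)  # ceiling division


def read_file(storage: bytes, logical_size: int, initialized: int,
              zero_uninit: bool) -> bytes:
    """Return the file content as a given kind of reader sees it.

    storage      - raw bytes of the allocated clusters, including residue
                   from previous usage beyond the initialized region
    logical_size - the file size as recorded by the file system
    initialized  - how many bytes the owning application actually wrote
    zero_uninit  - True models the user-level Windows view ("read
                   uninitialized areas as zeroes"); False models a raw
                   forensic read of the allocated clusters
    """
    if initialized > logical_size:
        raise ValueError("initialized region cannot exceed logical size")
    data = storage[:logical_size]
    if zero_uninit:
        data = data[:initialized] + b"\x00" * (logical_size - initialized)
    return data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo():
    """Hash the same file both ways and return (user_view_hash, raw_view_hash)."""
    logical_size = 9000   # bytes the file system reports
    initialized = 5000    # bytes the owner actually wrote
    n = allocated_clusters(logical_size)
    # Constructed cluster content: the owner's data, then residue left behind
    # by an earlier file that occupied these clusters.
    storage = (b"A" * initialized + b"old-residue-" * 1000)[: n * CLUSTER]
    user_view = read_file(storage, logical_size, initialized, zero_uninit=True)
    raw_view = read_file(storage, logical_size, initialized, zero_uninit=False)
    return sha256_hex(user_view), sha256_hex(raw_view)


if __name__ == "__main__":
    user_hash, raw_hash = demo()
    print("user-level view :", user_hash)
    print("raw cluster view:", raw_hash)
```

When verifying a hash reported by another tool, this is the first setting to compare; a mismatch on files with uninitialized tails does not by itself indicate tampering.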
|Posted on Sunday, Nov 5, 2017 - 10:35: |
* Details mode now has a sub-mode, which can be activated by pressing the new "IM" button, which shows ONLY the internal metadata of a file. That makes it more efficient to check multiple files for that kind of metadata without having to scroll. In particular this is useful for forensic review of photos, to check the Exif data. Also new: Values in the internal metadata of JPEG files that X-Ways Forensics thinks have changed/are not original are highlighted in blue color.
* Thorough addition of events from EVT event logs (Windows XP or older) to the event list. Optimized HTML preview for EVT event logs to significantly reduce its size.
* That previously existing files are represented with the Hidden attribute (H) when mounting as a drive letter is now optional.
* Hierarchical indentation in the Export List command can now be stronger (fully checked) or not so strong (half checked).
* The Hash category filter can now target uncategorized files.
* When filters are applied to directories, too, that now concerns only suitable filters. Filters that do not make sense to apply to directories (Type, Type Status, Hash, Hash Set, Author, ...) are not applied.
* If "List directories when exploring recursively" is half checked, i.e. when directories are not needed for navigation, just of interest if they match filters of interest, that now means that directories will only be listed if only filters are active that are actually applicable to directories (Name, timestamp filters, Owner, Int. ID, Attributes, ...) and if those filters let directories pass through. If for example both the Name filter and the Type filter are active at the same time, directories will not be listed, because even if they satisfy the Name filter, they cannot possibly satisfy the Type filter (directories do not have a file type). But if the Name filter is on and the filter for timestamps, then directories are listed if they match both filter conditions.
* Recover/Copy now uses the same notation options as the Export List command.
* Improved behavior when running on multiple monitors with negative horizontal screen coordinates.
* Support for large table sections in .e01 evidence files.
* Several minor improvements.
|Posted on Wednesday, Nov 15, 2017 - 16:06: |
* Check box to do FuzZyDoc matching "again" for files that were matched against the FuzZyDoc hash database already before.
* When trying to open an evidence object of a case that is backed by an image file and the image file cannot be found, X-Ways Forensics now automatically offers to open the evidence object without image, just like with the corresponding context menu command in the Case Data window. Useful if the image is not accessible right now (or has been deleted/lost completely) and you wish to just peek at the file listings, report table associations, your own comments, hash set matches, extracted metadata etc.
* The directory browser settings including all filters can now also be saved and loaded from within the system menu of the Directory Browser Options dialog window.
* Ability to display some rare black & white PNG pictures with the internal graphics viewing library.
* Files in NTFS volumes that have grown or shrunk and whose previous file size is known from the FILE record now get their previous file size shown in the Info pane.
* Many minor improvements.
* A Tooltips.txt file with tooltip assistance for many check boxes in various dialog windows has been compiled by Michael Yasumoto, thankfully, copied verbatim from the explanations in the English language program help / user manual, and is available for download now, from the "Additional resources" directory. Tooltip text truncations after 512 characters are normal and by design.
|Posted on Monday, Nov 20, 2017 - 9:42: |
* By default, the Path column now displays a partial path from the current exploration base when exploring recursively. That is the same path that you would get with the Recover/Copy command when reproducing a partial path only. Useful for example if you wish to share directory listings including subdirectories with someone (Export List command), distinguishing files in different subdirectories, without revealing the complete path of the files (e.g. on your own storage drive).
* Fast re-matching specifically of selected and tagged files against a hash database even when there are lots of matches in the volume snapshot already.
* Options of the Print command reorganized. In particular it is now easy to print *only* a cover page, not the actual file, if you are mainly interested in a printout of the metadata and your own comments.
* The print cover page now better utilizes the page width.
* There is now an option to print a preview of the file (picture or non-picture) at the bottom of the cover page. The format of this preview depends on the settings of the viewer component in Preview mode, e.g. "Best Fit" or "Actual Pixels" or "Fit to Window Width" etc. This is a 3-state check box. If only half checked, the preview is printed in much lighter colors, either to save ink/toner or to improve readability of the metadata fields if you output many of those and they spill over onto the preview.
* Directories can now be previewed. The preview of a directory shows that directory's subdirectories in a tree and optionally the respective file counts.
* Directories can now also be printed. The printout shows exactly the same as Preview mode.
|Posted on Wednesday, Nov 22, 2017 - 11:09: |
* When defining German as the language of the user interface, users can now choose to get almost all occurrences of the letter ß replaced with ss. Useful especially (but not only) for customers in the German speaking parts of Switzerland.
* Some fixes.