|Posted on Friday, Dec 8, 2017 - 15:40: |
A preview version of X-Ways Forensics 19.6 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.6 Preview 1?
* Accelerated volume snapshot finalization for large snapshots with many directories in "Path unknown".
* Retroactively embedded GPS data in JPEG pictures is now highlighted in blue color. GPS timestamps that are different from the time when the photo was taken are also highlighted in blue color.
* Better support for Linux MD RAIDs with container partitions on GPT-partitioned disks.
* Support for iOS netusage.sqlite files, which record the data usage of apps. Besides the amount of data flowing in and out, they also provide approximate timestamps when apps were used for the first and last times. Appropriate events are extracted and an HTML preview is created containing all relevant information.
* Ability to display certain rare PNG files with invalid zlib compression.
* Same fix level as v19.5 SR-2.
* Some minor improvements.
|Posted on Wednesday, Dec 20, 2017 - 21:00: |
* The list of logical volumes in Tools | Open Disk can now optionally include volumes that are active in Windows, but not currently associated with any drive letter. Please understand that whenever you open volumes, whether with drive letter or without drive letter, no volume slack is presented. Volume slack is included only if you open the physical storage device first and then the partition that contains the volume.
* Active volumes that are not ordinary volumes are displayed with a special icon and a special description, e.g. "TrueCryptVolumeX". Useful so that on a live system that you wish to preview, examine or acquire you can quickly see which volumes may need to be addressed separately (in addition to physical storage devices) because it would be difficult to reconstruct or unlock them later based on the data on the physical storage device.
* If volumes without connected drive letter are listed, that also includes volumes that have been mounted within Windows as a junction point in another volume. Such volumes are listed with a special link icon, and the junction point is displayed between volume label and volume size.
* The list of volumes that do not have drive letters may now also include volumes that were previously active in Windows. Those are marked with a crossed out red circle icon. For example a previously mounted TrueCrypt volume that was dismounted might be shown in this fashion. Such volumes cannot be opened any more; they are just listed for informational purposes, which is useful when working on a live system that needs to be examined.
* Reparse points/junction points in NTFS file systems now have a directory icon with an arrow to identify them as special directories in the directory browser. Such directories are no longer initially marked as "already viewed" in a newly taken volume snapshot.
* Support for 5-digit filename extensions in segmented raw images.
* The table for the generator signature based file type verification now supports 8,649 camera models.
* Passing on internal file metadata in evidence file containers is now a 3-state check box. If half checked, only extracted senders and recipients of e-mails will be passed on and not general metadata as known from the Metadata column.
* Several minor improvements.
* Same fix level as v19.5 SR-3.
|Posted on Sunday, Jan 7, 2018 - 20:11: |
* A new directory browser column is now available in X-Ways Forensics and X-Ways Investigator and populated after metadata extraction: Camera type. This column shows by which class of device a JPEG file was produced, such as smartphone main camera, smartphone front/secondary camera, point and shoot compact camera, camcorder, DSLR etc. That information is derived from the generator signature. A question mark means unknown device type. This column also comes with a filter. Filtering for the camera type could be useful for example if you are looking for rather private photos (selfies taken with a smartphone's front camera) or rather professional photos (e.g. DSLR or digital camera back).
* Scanned pictures used to be identified as such through report table associations. That is no longer the case. That they were generated by a scanner can now be seen in the new column. Scanner is their "camera" type.
* Option to get prompted for each file when printing with direct child objects.
* Option to output only non-blank fields on the print cover page.
* Video, audio, Office documents and plain text files can now optionally be represented by special icons, just as previously only pictures. You can enable special icons separately for each such category.
* Closed envelope icons now reflect the known unread status of e-mails.
* Many additional icons in the user interface, in particular for the mode buttons and external programs.
* Russian translation of the user interface updated.
* Several minor improvements.
|Posted on Sunday, Jan 14, 2018 - 19:41: |
* Even more icons in the user interface.
* PNG files now also receive a generator signature as part of metadata extraction, to identify PNG files that likely originate from the same source and PNG files that are screenshots.
* The new column "Camera type" was renamed to "Device type". Pictures that were identified as screenshots are shown with "screen" as the device type.
* A new file named PhoneAliasTable.txt contains a translation from internal device designations to human-readable marketing names. In particular device designations used by Samsung, Motorola, LG and Huawei are rather cryptic and better understood if translated. This table can also contain the device's release date and region. That table is currently relatively sparsely populated, but its format is explained in the header so that users can help to complete it.
* The command line parameter RVS now includes a screenshot of the volume snapshot refinement dialog in the case activity log showing the active refinement settings. That screenshot is either textual or graphical in nature depending on your case activity log settings.
* Same fix level as v19.5 SR-4.
|Posted on Monday, Jan 22, 2018 - 20:19: |
* Improved stability when processing EVTX files.
* Camera type detection improved.
* Improved detection of PNG screenshots of old mobile phones.
* Extraction of Content created timestamp from JPEG files improved.
* Time zone extracted from files that were produced by some new Sony devices.
* GPS processing mode listed in Details mode. This mode allows you to estimate the reliability/precision of the coordinates, is used by various manufacturers, and can be one of the following values: unknown, GPS, Network, Hybrid, Fused, or CELLID.
* Automatic removal of interspersed padding data between two thumbnails in JPEG files created by various digital camera models, which was previously included in (prepended to) the second thumbnail's data.
* Some minor improvements.
* Same fix level as v19.5 SR-5.
|Posted on Wednesday, Jan 31, 2018 - 19:43: |
* Use of icons in the user interface further revised. For example, symlinks now have an icon with a little arrow for easier identification.
* If "Page break after x table rows for printing" is selected for the case report, that will now also insert a page break after each report table.
* New entry named "Geolocation" in the extracted metadata and in Details mode, with the GPS coordinates in a notation as accepted by Google Maps, OpenStreetMap or Bing Maps. It also replaces the previous fields Latitude and Longitude in the extracted metadata as it is more suitable for automatic processing.
* Three additional fields for Exif GPS data are output in Details mode where available: Altitude, Image direction, and GPS Error. Altitude might be helpful to judge the reliability of the geo coordinates. Image direction is a feature of high-end smartphones.
* If pictures in Preview mode are shown by the internal graphics viewing library, not the separate viewer component, they can now be rotated in 90° steps by clicking the left mouse button (to rotate to the left) and the right mouse button (to rotate to the right).
* Photos taken by mobile phones and digital cameras of certain major manufacturers in portrait mode are stored in landscape orientation and marked as to be rotated left or right. Preview mode with the internal graphics viewing library now adjusts those photos to the correct orientation automatically.
* Clicking the middle mouse button in Preview mode when a picture is shown by the internal graphics viewing library will mirror the picture (flip horizontally) or if the Shift key is pressed flip the picture vertically. Please note that this operation is applied in addition to any active rotation.
* The currently active rotation and flip mode are described by some symbols in the upper right corner. If no flipping has taken place, but a rotation, the letters "BR" indicate what in the original graphical data was the bottom right corner.
* Several minor improvements.
|Posted on Monday, Feb 5, 2018 - 8:29: |
* Gallery thumbnails now also automatically adjust the orientation of JPEG photos based on Exif data.
* The View command (if pictures are not viewed with the viewer component) now also automatically adjusts the orientation of JPEG photos based on Exif data.
* Same fix level as v19.5 SR-6.
* Now also available as a BYOD version.
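
The automatic orientation adjustment described in the posts above (Preview mode, gallery thumbnails and the View command) relies on the Exif Orientation tag stored in the JPEG. The following is an added example, not X-Ways code, showing how an examiner can read that tag independently to verify what a viewer is correcting; the function names are hypothetical and the sample JPEG is constructed inline.

```python
import struct

# Exif Orientation (tag 0x0112): value -> correction a viewer applies.
CORRECTION = {1: "none", 2: "mirror horizontal", 3: "rotate 180",
              4: "mirror vertical", 5: "mirror horizontal, rotate 270 CW",
              6: "rotate 90 CW", 7: "mirror horizontal, rotate 90 CW",
              8: "rotate 270 CW"}

def _orientation_from_tiff(tiff):
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"      # byte order of the TIFF block
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return None
    (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:                    # truncated IFD
            return None
        tag, typ, n = struct.unpack(e + "HHI", entry[:8])
        if tag == 0x0112 and typ == 3 and n == 1:   # one SHORT
            (value,) = struct.unpack(e + "H", entry[8:10])
            return value if value in CORRECTION else None
    return None

def exif_orientation(jpeg):
    """Return Orientation (1-8) from IFD0, or None if absent or malformed."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                     # start of scan: metadata is over
            return None
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return _orientation_from_tiff(body[6:])
        pos += 2 + seglen
    return None

def build_sample(orientation, endian="<"):
    """Constructed input: SOI, one APP1/Exif segment with a one-entry IFD0, EOI."""
    tiff = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8)
    tiff += struct.pack(endian + "HHHIHHI", 1, 0x0112, 3, 1, orientation, 0, 0)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

A return value of None means the file carries no usable Orientation tag, in which case a viewer has nothing to correct and the stored pixel orientation is what is displayed.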