X-Ways Forensics 19.6

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 8, 2017 - 15:40:   

A preview version of X-Ways Forensics 19.6 is now available. The download link can be retrieved as always by querying one's license status.

What's new in v19.6 Preview 1?

* Accelerated volume snapshot finalization for large snapshots with many directories in "Path unknown".

* If there is something unusual about the presence of GPS coordinates in JPEG pictures, those GPS coordinates are now highlighted in blue color. For example if the GPS coordinates are present and a GPS timestamp is absent, for a mobile device type that is known to always include both at the same time (sometimes depending on whether the front or back camera is used), or for a camera type that is known to not have GPS, it could mean that the coordinates have been retroactively embedded. GPS timestamps that are different from the time when the photo was taken are also highlighted in blue color.

* Better support for Linux MD RAIDs with container partitions on GPT-partitioned disks.

* Support for iOS netusage.sqlite files, which record the data usage of apps. Besides the amount of data flowing in and out, they also provide approximate timestamps when apps were used for the first and last times. Appropriate events are extracted and an HTML preview is created containing all relevant information.

* Ability to display certain rare PNG files with invalid zlib compression.

* Same fix level as v19.5 SR-2.

* Some minor improvements.
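
The two device-independent GPS checks from the Preview 1 notes above (coordinates present without a GPS timestamp, and a GPS timestamp that differs from the capture time) can be reproduced on a single JPEG with a small Exif reader. This is an added example, not X-Ways code: the function names, the 14 h 5 min tolerance and the constructed sample file are assumptions, and the per-device knowledge that X-Ways uses is not modelled.

```python
import struct
from datetime import datetime, timedelta

EXIF_IFD, GPS_IFD, DT_ORIGINAL = 0x8769, 0x8825, 0x9003  # standard Exif tag numbers
GPS_LAT, GPS_TIME, GPS_DATE = 0x0002, 0x0007, 0x001D     # tags inside the GPS IFD
TYPE_SIZE = {2: 1, 3: 2, 4: 4, 5: 8}                     # ASCII, SHORT, LONG, RATIONAL

def exif_block(jpeg):
    """Return the TIFF-structured Exif payload of a JPEG, or empty bytes if absent."""
    i = 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF:
        marker, length = jpeg[i + 1], struct.unpack_from(">H", jpeg, i + 2)[0]
        if marker == 0xE1 and jpeg[i + 4:i + 10] == b"Exif\0\0":
            return jpeg[i + 10:i + 2 + length]
        i += 2 + length
    return b""

def read_ifd(tiff, off, e):
    """Parse one IFD into {tag: value}; entries whose data lies outside the block are skipped."""
    out = {}
    for k in range(struct.unpack_from(e + "H", tiff, off)[0]):
        entry = off + 2 + 12 * k
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, entry)
        size = TYPE_SIZE.get(typ, 0) * n
        pos = entry + 8 if size <= 4 else struct.unpack_from(e + "I", tiff, entry + 8)[0]
        data = tiff[pos:pos + size]
        if size == 0 or len(data) < size:
            continue
        if typ == 2:
            out[tag] = data.split(b"\0")[0].decode("ascii", "replace")
        elif typ == 5:
            v = struct.unpack(e + "II" * n, data)
            out[tag] = [a / b if b else 0.0 for a, b in zip(v[::2], v[1::2])]
        else:
            out[tag] = struct.unpack(e + "HI"[typ - 3] * n, data)[0]
    return out

def gps_findings(jpeg, max_utc_offset=timedelta(hours=14, minutes=5)):
    """List GPS/time anomalies; the tolerance is an assumption (GPS time is UTC, capture time local)."""
    tiff = exif_block(jpeg)
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        return ["no Exif block"]
    try:
        ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
        exif = read_ifd(tiff, ifd0[EXIF_IFD], e) if EXIF_IFD in ifd0 else {}
        gps = read_ifd(tiff, ifd0[GPS_IFD], e) if GPS_IFD in ifd0 else {}
    except (struct.error, TypeError):
        return ["corrupt Exif structure"]
    if GPS_LAT not in gps:
        return []
    if GPS_TIME not in gps or GPS_DATE not in gps:
        return ["coordinates without GPS timestamp"]
    try:
        h, m, s = gps[GPS_TIME]
        gps_utc = datetime.strptime(gps[GPS_DATE], "%Y:%m:%d") + timedelta(hours=h, minutes=m, seconds=s)
        taken = datetime.strptime(exif.get(DT_ORIGINAL, ""), "%Y:%m:%d %H:%M:%S")
    except (ValueError, TypeError):
        return ["timestamps not comparable"]
    return ["GPS time differs from capture time"] if abs(gps_utc - taken) > max_utc_offset else []

def pack_ifd(entries, base):  # helper for the sample: little-endian IFD located at offset base
    blob_at, body, blob = base + 6 + 12 * len(entries), b"", b""
    for tag, typ, n, payload in entries:
        if len(payload) > 4:  # out-of-line value: store its offset, append the data
            payload, blob = struct.pack("<I", blob_at + len(blob)), blob + payload
        body += struct.pack("<HHI", tag, typ, n) + payload.ljust(4, b"\0")
    return struct.pack("<H", len(entries)) + body + b"\0" * 4 + blob

def sample_jpeg(gps_stamp=("2018:01:31", 10, 30, 0)):  # constructed input, taken 2018-01-31 11:30:05
    rat = lambda *v: b"".join(struct.pack("<II", x, 1) for x in v)
    gps = [(GPS_LAT, 5, 3, rat(52, 31, 12))]
    if gps_stamp:
        gps += [(GPS_TIME, 5, 3, rat(*gps_stamp[1:])), (GPS_DATE, 2, 11, gps_stamp[0].encode() + b"\0")]
    exif = pack_ifd([(DT_ORIGINAL, 2, 20, b"2018:01:31 11:30:05\0")], 38)
    ifd0 = pack_ifd([(EXIF_IFD, 4, 1, struct.pack("<I", 38)),
                     (GPS_IFD, 4, 1, struct.pack("<I", 38 + len(exif)))], 8)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + exif + pack_ifd(gps, 38 + len(exif))
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

Because the GPS timestamp is UTC and `DateTimeOriginal` carries no time zone, a difference of a few hours is expected; only a gap larger than any real UTC offset is reported here.
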
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 20, 2017 - 21:00:   

Preview 2:

* The list of logical volumes in Tools | Open Disk can now optionally include volumes that are active in Windows, but not currently associated with any drive letter. Please understand that whenever you open volumes, whether with drive letter or without drive letter, no volume slack is presented. Volume slack is included only if you open the physical storage device first and then the partition that contains the volume.

* Active volumes that are not ordinary volumes are displayed with a special icon and a special description, e.g. "TrueCryptVolumeX". Useful so that on a live system that you wish to preview, examine or acquire you can quickly see which volumes may need to be addressed separately (in addition to physical storage devices) because it would be difficult to reconstruct or unlock them later based on the data on the physical storage device.

* If volumes without connected drive letter are listed, that also includes volumes that have been mounted within Windows as a junction point in another volume. Such volumes are listed with a special link icon, and the junction point is displayed between volume label and volume size.

* The list of volumes that do not have drive letters may now also include volumes that were previously active in Windows. Those are marked with a crossed out red circle icon. For example a previously mounted TrueCrypt volume that was dismounted might be shown in this fashion. Such volumes cannot be opened any more, they are just listed for informational purposes, which is useful when working on a live system that needs to be examined.

* Reparse points/junction points in NTFS file systems now have a directory icon with an arrow to identify them as special directories in the directory browser. Such directories are no longer initially marked as "already viewed" in a newly taken volume snapshot.

* Support for 5-digit filename extensions in segmented raw images.

* Passing on internal file metadata in evidence file containers is now a 3-state check box. If half checked, only extracted senders and recipients of e-mails will be passed on and not general metadata as known from the Metadata column.

* Several minor improvements.

* Same fix level as v19.5 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 7, 2018 - 20:11:   

Preview 3:

* A new directory browser column is now available in X-Ways Forensics and X-Ways Investigator and populated after metadata extraction: Camera type. This column shows by which class of device a JPEG file was produced, such as smartphone main camera, smartphone front/secondary camera, point and shoot compact camera, camcorder, DSLR etc. That information is derived from the generator signature. A question mark means unknown device type. This column also comes with a filter. Filtering for the camera type could be useful for example if you are looking for rather private photos (selfies taken with a smartphone's front camera) or rather professional photos (e.g. DSLR or digital camera back).

* Scanned pictures used to be identified as such through report table associations. That is no longer the case. That they were generated by a scanner can now be seen in the new column. Scanner is their "camera" type.

* Option to get prompted for each file when printing with direct child objects.

* Option to output only non-blank fields on the print cover page.

* Video, audio, Office documents and plain text files can now optionally be represented by special icons, just as previously only pictures. You can enable special icons separately for each such category.

* Closed envelope icons now reflect the known unread status of e-mails.

* Many additional icons in the user interface, in particular for the mode buttons and external programs.

* Russian translation of the user interface updated.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 14, 2018 - 19:41:   

Preview 4:

* Even more icons in the user interface.

* PNG files now also receive a generator signature as part of metadata extraction, to identify PNG files that likely originate from the same source and PNG files that are screenshots.

* The new column "Camera type" was renamed to "Device type". Pictures that were identified as screenshots are shown with "screen" as the device type.

* A new file named PhoneAliasTable.txt contains a translation from internal device designations to human-readable marketing names. In particular device designations used by Samsung, Motorola, LG and Huawei are rather cryptic and better understood if translated. This table can also contain the device's release date and region. That table is currently relatively sparsely populated, but its format is explained in the header so that users can help to complete it.

* The command line parameter RVS now includes a screenshot of the volume snapshot refinement dialog in the case activity log showing the active refinement settings. That screenshot is either textual or graphical in nature depending on your case activity log settings.

* Same fix level as v19.5 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 22, 2018 - 20:19:   

Preview 5:

* Improved stability when processing EVTX files.

* Camera type detection improved.

* Improved detection of PNG screenshots of old mobile phones.

* Extraction of Content created timestamp from JPEG files improved.

* Time zone extracted from files that were produced by some new Sony devices.

* The GPS processing mode, if available, is listed in Details mode. This mode allows you to estimate the reliability/precision of the coordinates. It is used by various manufacturers, and it can be one of the following values: Unknown, GPS, Network, Hybrid, Fused, or CELLID.

* Automatic removal of interspersed padding data between two thumbnails in JPEG files created by various digital camera models, which was previously included in (prepended to) the second thumbnail's data.

* Some minor improvements.

* Same fix level as v19.5 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 31, 2018 - 19:43:   

Preview 6:

* Use of icons in the user interface further revised. For example, symlinks now have an icon with a little arrow for easier identification.

* If "Page break after x table rows for printing" is selected for the case report, that will now also insert a page break after each report table.

* New entry named "Geolocation" in the extracted metadata and in Details mode, with the GPS coordinates in a notation as accepted by Google Maps, OpenStreetMap or Bing Maps. It also replaces the previous fields Latitude and Longitude in the extracted metadata as it is more suitable for automatic processing.

* Three additional fields for Exif GPS data are output in Details mode where available: Altitude, Image direction, and GPS Error. Altitude might be helpful to judge the reliability of the geo coordinates. Image direction is a feature of high-end smartphones.

* If pictures in Preview mode are shown by the internal graphics viewing library, not the separate viewer component, they can now be rotated in 90° steps by clicking the left mouse button (to rotate to the left) and the right mouse button (to rotate to the right).

* Photos taken by mobile phones and digital cameras of certain major manufacturers in portrait mode are stored in landscape orientation and marked as to be rotated left or right. Preview mode with the internal graphics viewing library now adjusts those photos to the correct orientation automatically.

* Clicking the middle mouse button in Preview mode when a picture is shown by the internal graphics viewing library will mirror the picture (flip horizontally) or if the Shift key is pressed flip the picture vertically. Please note that this operation is applied in addition to any active rotation.

* The currently active rotation and flip mode are described by some symbols in the upper right corner. If no flipping has taken place, but a rotation, the letters "BR" indicate what in the original graphical data was the bottom right corner.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 5, 2018 - 8:29:   

Preview 7:

* Gallery thumbnails now also automatically adjust the orientation of JPEG photos based on Exif data.

* The View command (if pictures are not viewed with the viewer component) now also automatically adjusts the orientation of JPEG photos based on Exif data.

* Same fix level as v19.5 SR-6.

* Now also available as a BYOD version.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 19, 2018 - 11:30:   

Beta 1:

* Ability to populate the gallery with thumbnails using multiple threads. This makes the biggest difference for high-resolution JPEG pictures whose embedded thumbnails have not been uncovered yet (e.g. during preview of a live machine), for which the decompression procedure is computationally intensive.

* Ability to refine volume snapshots on storage devices with sector wise access using multiple threads just like on images and in directories.

* Support for 1 KB FILE records in NTFS volumes with a sector size of 4 KB.

* The size of an evidence object that is a directory is now the total recursive size of all its files, not the total capacity of the volume on which it resides. That size is now also shown in the Info Pane as "used space", though the "free space" and "total capacity" are still those of the host volume.

* The height of the directory browser options dialog window is now automatically increased as the vertical resolution of the main screen allows in order to accommodate as many column labels as possible and ideally do away with the scrollbar if no longer required.

* More stable when dealing with corrupt .e01 evidence files.

* Generating device type detection for some PNG files.

* Rejects more invalid/corrupt FAT directory entries than before.

* Referrer URLs in Zone.Identifier alternate data streams are now presented in the Metadata column if such ADS are not included in the volume snapshot.

* The weight of the device type for the generic relevance judgement can now be defined in the file Generator Signatures.txt. The weight factor can be found at the end of the *** line. It may be between 0 and 50. The number of categories per device type has increased, and there is a new category "Unknown".

* Supports a new format variant of certain registry values in Windows 10.

* Twitter timestamps in JPEG files are recognized and output in the "Content created" column.

* Several minor improvements.

* Same fix level as v19.5 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 26, 2018 - 10:28:   

Beta 2:

* Fixed occasional absence of exFAT allocation information for file allocation table entries in the Info pane.

* Ability to open large .e01 evidence files faster after the first time, by keeping some internal image metadata for navigation in a separate file. This can make a big difference if the image is stored on media with slow access, in particular remote network drives. Can be turned off in Options | Security, as that is where all the .e01 options are located. If fully checked, the separate file is stored in the same directory as the image itself, so that even other cases / other users that open the same copy of the same image benefit from the increased performance if the separate file has been created once before. If half checked, the separate file is stored in the evidence object's internal metadata directory of the current case.

In an attempt to protect their image files from accidental alteration, deletion, or corruption and to maximize the revenue of hardware write blocker manufacturers, a few of our users do not only write block suspect storage devices, but also their own storage devices if they contain images. Those users are well advised to half-check this option for obvious reasons, and here is a friendly reminder that write blocking interferes with proper functioning of the operating system and application programs because it untruthfully signals write success when actually no data is written, preventing the OS and application programs from realizing that the data that they wanted to write could not be written. Write blocking is meant for special situations only. The recommended method to protect one's own data (e.g. images in the case of a computer forensic examiner) would be official write protection that the OS is aware of or enforces itself, not sneaky write blocking. (And backups are good, too, of course.)

* A new command in the Specialist menu allows you to write-protect locally attached physical storage devices (including removable media, except optical media) with all their volumes everywhere in the operating system, in all applications, even at the sector level in WinHex itself, no matter which edit mode is active. This can be useful to protect original disks that need to be acquired or analyzed (but only after Windows has detected and accessed them) and your own disks that contain images, from accidental alteration, deletion, or data corruption. The effect will last until you remove the write protection again or unplug the devices or reboot your computer. To keep Windows from touching newly attached physical storage devices before you can write-protect them (i.e. to keep them in "offline" mode first), you would need to disable automatic mounting in Windows (and verify that this works). Turning on write-protection for an offline disk will automatically bring the disk online, at the same time while rendering it read-only. Careful, do not write-protect disks that your Windows system needs to write to for proper functioning.

* This new command also allows you to selectively write-protect only specific volumes (if mounted as drive letters), not the entire physical storage device. Please note that the read-only status of a volume cannot be lifted selectively if the entire underlying physical storage device is read only.

* If a disk is treated as offline or read-only in Windows, that information is now displayed in all disk selection dialog windows. Offline disks can be opened for reading/imaging/analysis.

* Improved processing of olk14 and olk15 of Outlook for Macintosh.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 4, 2018 - 19:44:   

Beta 3:

* Improved support for high DPI settings in general.

* Some stability improvements.

* Right-clicking anywhere in the Mode button bar outside of all the buttons will now show or hide the divider line between the directory browser and the lower half of a data window. If the divider line is visible, it is thicker now with high DPI settings to make it easier to grab that line and adjust the height of the directory browser. If the divider line is invisible, you can adjust the window height by left-clicking in the Mode button bar and moving the mouse cursor up and down while holding the mouse button. Without the divider it is also more intuitive that the right-hand side of the Mode button bar also acts as a status bar of the directory browser (which saves precious vertical space on today's movie/consumer oriented widescreen monitors).

* Details mode now shows firmware date and region for JPEG files created by many Samsung mobile phones, which can help to validate other metadata.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 9, 2018 - 4:15:   

v19.6 was just released. Additional changes:

* Ability to schedule a shutdown or hibernation of the machine after a certain number of minutes, in Options | Security. Guaranteed to work only if nothing keeps the machine from powering down, e.g. other application programs with unsaved work etc. If you half-check to proceed "brutally", that should power down the machine even if an application is hung. If fully checked, that will not even wait for other applications that prompt the user what to do with any unsaved work longer than a few seconds. If you exit the instance of WinHex/X-Ways Forensics in which you have scheduled the shutdown, the shutdown won't happen. It is possible to cancel a previously scheduled shutdown without restarting the program.

* The table for the generator signature based Exif data validation now supports more than 11,000 devices (where the front cameras of smartphones count as separate devices).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 11, 2018 - 18:51:   

SR-1:

* No longer loads incompatible parts of .settings files from v19.5.

* No longer uses uncovered thumbnails with type status "not confirmed" as auxiliary thumbnails in the gallery.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 26, 2018 - 13:27:   

SR-2:

* Automatically changes the "Store .e01 metadata for fast re-open" option from fully to half selected if it is detected that the storage device or volume containing the image is write-protected.

* Fixed a problem detecting the size of evidence objects that are files or directories.

* Ability to add multiple single files that are located in the same directory to the same case as evidence objects. Previous versions cannot open cases with single-file evidence objects that were saved by v19.6 SR-2.

* Ability to process certain Windows thumbcaches with an unusual signature variant.

* When viewing pictures with the internal graphics viewing library, the generated windows are now guaranteed to be in the foreground, even if the gallery has been decoupled from the data window.

* Securely wiping selected files failed with an error message on logical drive letters. That was fixed. (It worked fine when applied to the physical disk's partition instead.)

* Proper identification of SQLite database subtype in some rare cases where this did not happen previously.

* Fixed an exception error that could occur when saving the case with a new name if the case root window was open.

* Ability to decrypt files in certain file archives that could not be decrypted previously.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 5, 2018 - 21:30:   

SR-3:

* Fixed a potential source of instability when populating the gallery with multiple threads in the x64 edition.

* Fixed inability to open files in certain GZ archives more than once while the evidence object is open.

* Fixed a rare exception error that could occur at the beginning of the "examining files" phase of volume snapshot refinement in Ext* file systems.

* Fixed an error that could prevent storage of performance enhancing image metadata in some rare configurations.

* Fixed an error in carving of TIFF files.

* Fixed a problem with white text on white background in the directory browser that could occur when using conditional cell coloring.

* For some columns the FlexFilters never returned a result. That was fixed.

* When naming recovered/copied files after a selected column, the extension of the current filename in the volume snapshot is now no longer appended to the alternative name.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 26, 2018 - 6:09:   

SR-4:

* The RunCount for Windows 8 Prefetch files was shown correctly in Details mode, but not in the Metadata column. That was fixed.

* The contents of the Metadata column are now always shown in Details mode if they contain marked user-defined or X-Tension defined entries. It is suggested that users mark their manual additions with their initials in square brackets and that X-Tensions mark their additions with [XT], so that they can be recognized as such. Any 1-4 characters between square brackets will have the described effect.

* An exception error occurred in v19.6 when opening drive letters without sector level access. That was fixed.

* The print cover page preview was not updated when printing multiple selected files at a time. That was fixed.

* Extraction of RTF-formatted e-mail bodies from PST/OST e-mail archives in cases where no alternative HTML or plain text e-mail body is available.

* Prevented an exception error that could occur when extracting metadata from Samsung style JPEG trailing data.

* A new option in Options | Volume Snapshot will allow recipients of evidence file containers to confirm that they have the exact same PhotoDNA hash database as the creator of the container, so that any PhotoDNA categories assigned to files (stored in the container as category numbers) will be matched with the corresponding category name in the user's current PhotoDNA hash database. If this option is not selected, only the original category numbers in the container's creator's database will be presented to the recipient of a container, no category name.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 17, 2018 - 20:44:   

SR-5:

* Fixed a potential exception error that could occur with carved or corrupt files of Outlook 2011 for Mac.

* Improved stability when extracting Thunderbird index databases.

* Presents previous visits to a website from the Chrome history in addition to the last one, also as events, and the duration of each visit.

* Prevented the insertion of a disruptive line break when exporting a list of files with generator signatures included.

* Fixed possible infinite recursion with JPEG files created by Galaxy S3 Mini VE smartphones.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 2, 2018 - 20:28:   

SR-6:

* Fixed extraction of e-mails from MBOX e-mail archives in v19.6 without .eml extension in the name.

* Fixed a rare error where certain attachment names in original .eml files and a few other formats could be truncated if encoded in Quoted Printable.

* If a logical search was run in encrypted/protected PDF documents with the crash-safe decoding option without having checked for encryption prior to that, the search would have been unsuccessful even if the right password was provided. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 14, 2018 - 6:14:   

SR-7:

* X-Tension API: The XWF_CreateEvObj function returned a handle to a wrong evidence object when called for evidence objects of types 0, 3 and 4. That was fixed.

* Case report: Under certain circumstances, report thumbnails of pictures were generated as if they were non-pictures (e.g. documents). That was fixed.

* Prevented a potential crash when extracting metadata from MP3 files that contain an ID3 tag with an incompatible GEOB entry.

* Extraction of modification timestamps from TAR archives with certain non-standard encoding with the alternative extraction method.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 1, 2018 - 21:08:   

SR-8:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.6. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 25, 2019 - 6:53:   

SR-9:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.6. Available to these users on request for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 25, 2019 - 22:56:   

SR-10:

* Several of the fixes introduced in later versions. Highly recommended to users whose access to updates covered no more than v19.6. Available to these users on request for a limited time. This is probably the last service release for v19.6.

Forum operated by X-Ways Software Technology AG.