Posted on Friday, Apr 6, 2018 - 20:20:
A preview version of X-Ways Forensics 19.7 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.7 Preview 1?
* A particularly thorough file system data structure search is now available for exFAT volumes, too.
* Irregular EXIF metadata encodings that violate EXIF specifications are now marked with an asterisk at the end (sometimes additionally with a bold font).
* Ability to toggle between single and double column modes when viewing internal JPEG metadata in IM details mode. Given a sufficient screen resolution and window width, no scrolling is required any more to quickly review the entire internal metadata, as the summary table is on the right-hand side.
* Firmware dates are now also output for iPhones and other Apple devices.
* Extracts more internal timestamps from e-mails in PST/OST e-mail archives.
* Some minor improvements.
* Same fix level as v19.6 SR-3.
Posted on Sunday, Apr 29, 2018 - 7:13:
* Tentative ability to parse various data structures of APFS file systems in order to provide a volume snapshot. Please give this a try.
* Cloned files in APFS, of which only differences from their original counterparts are stored in separate clusters, are marked with an uppercase Greek delta in the Attr. column.
* Support for APFS timestamps in the Data Interpreter as well as in templates ("APFSDateTime").
* Option to display the Data Interpreter window with a certain degree of transparency. The practical value of this option remains to be discovered. It just looks cool.
* Now supports up to 128 physical storage devices instead of 64, for Tools | Open Disk and to add to a case.
* If volume snapshot refinement is invoked for a virgin volume snapshot, this will now remember the option to conduct a simultaneous search immediately after refinement. That is useful in particular in conjunction with the command line interface.
* A new command line command allows loading a list of search terms: "LST" (=load search terms). If followed by a colon and the name or complete path of a text file with 1 search term per line, and if this precedes an RVS run with an implicitly triggered simultaneous search, the terms will be utilized for that search.
* The Summary part of the internal metadata in Details mode for JPEG files now has a new field named "Light value". That value is derived from the well-known photography formula Ev = log2(N²/t) + log2(100/ISO). The value range ends at around 16, which means full sunshine. This aggregated value can be interesting to some examiners because it makes it possible to distinguish indoor and outdoor photos and to check whether the local time of a photo is plausible.
* A new value "Rotated" is now possible for the Condition field in JPEG metadata.
* The amount of slack (zero-value bytes) at the end of an EXIF segment is presented in Details mode if such slack is present. For example, iPhone 4 and iPhone 5 usually produce such an area of a variable length, but iPhone 7 does not. If the slack remains present after a rotation, that means the rotation was minimally invasive, without recompression (no loss of quality). If however a photo editing program rewrites the JPEG file, the slack will disappear.
* "EXIF compliance" is another new aggregated single value, a score that allows to see whether a low quality photo editor was used to edit a photo. A good rating that JPEG pictures produced by Nikon or Canon cameras usually have is retained only by high quality photo editing programs. A bad rating for such pictures indicates editing by a low quality program. Irregularly coded fields in the EXIF data are marked with a star. Irregular might mean that a wrong data type was used or the permitted value range was violated or there are duplicate tags or a character string is not null-terminated or contains slack. Some tags must not appear at the same time, some tags must be stored in a designated directory.
* Generally the EXIF presentation is not a simple unstructured output of all EXIF values, but it aims to provide background information and highlights certain parameters within their context to make examiners aware of irregularities. Already in their original files digital cameras produce characteristic EXIF metadata errors. By editing a photo, additional errors may be produced, or others may be fixed.
* Generator signatures and phone alias table were revised.
* The device type "scanner" is now shown for PDF documents that are recognized as the product of scanners.
* A new device type "printer" is now shown for JPEG files that were meant to be printed.
* Extraction of the mdtacom.apple.quicktime.location.ISO6709 field from iPhone MOV files into the metadata column.
* When viewing pictures with the internal graphics display library, the view window is no longer maximized if the picture has to be shrunk to fit the screen, and you now have a choice to either center such view windows on the screen as in previous versions or remember their left top position or their center position after you move them somewhere else on the screen. To make your choice, open the system menu of the view window (i.e. click the icon in the left top corner of the window). You can also decide whether or not such view windows should always be in the foreground, even in front of windows of other applications. Last but not least, you can choose to roughly remember the window size. Especially useful in conjunction with the options to remember the left top position of the view window, to have only one view window at a time, and to update the view window automatically with just a single click on a file, so that at a place on your screen of your own choice you essentially have a fixed preview of pictures while the lower half of the data window can show something other than Preview mode, for example Details mode.
* Prompts the user whether or not stubborn C# X-Tension DLLs should be completely unloaded after execution. Programmers may prefer to do that when debugging their own X-Tensions, but apparently this can prevent using the same DLL a second time in the same session of X-Ways Forensics, so ordinary users had better choose No.
* Several minor improvements.
* Same fix level as v19.6 SR-4.
* Also available to BYOD users.
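The EXIF irregularities and the light value formula described in this post, as an added Python example (not X-Ways code): it builds a constructed minimal little-endian TIFF/EXIF block, walks the IFD while flagging duplicate tags and ASCII strings that are not null-terminated, and computes Ev from FNumber, ExposureTime and ISO. The tag ids are the standard EXIF ones; the sample values and the Make/Model strings are constructed.

```python
import math
import struct
# EXIF/TIFF field types and standard EXIF tag ids used below.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}           # BYTE, ASCII, SHORT, LONG, RATIONAL
ASCII, SHORT, RATIONAL = 2, 3, 5
MAKE, MODEL, EXPOSURE_TIME, FNUMBER, ISO = 0x010F, 0x0110, 0x829A, 0x829D, 0x8827

def build_tiff(entries):
    """Build a constructed little-endian TIFF block: header, one IFD, out-of-line values."""
    data_off = 8 + 2 + 12 * len(entries) + 4           # first byte after the IFD
    ifd, blob = b"", b""
    for tag, typ, raw in entries:                      # raw: already-encoded field bytes
        count = len(raw) // TYPE_SIZES[typ]
        if len(raw) <= 4:                              # short values sit inside the entry
            ifd += struct.pack("<HHI", tag, typ, count) + raw.ljust(4, b"\0")
        else:                                          # longer values are stored at an offset
            ifd += struct.pack("<HHII", tag, typ, count, data_off + len(blob))
            blob += raw
    return b"II*\0" + struct.pack("<IH", 8, len(entries)) + ifd + b"\0\0\0\0" + blob

def parse_ifd(tiff):
    """Walk the first IFD, keeping duplicates and noting the irregularities the text describes."""
    ifd_off = struct.unpack_from("<I", tiff, 4)[0]
    values, notes, seen = {}, [], set()
    for i in range(struct.unpack_from("<H", tiff, ifd_off)[0]):
        entry = ifd_off + 2 + 12 * i
        tag, typ, count, val = struct.unpack_from("<HHII", tiff, entry)
        size = count * TYPE_SIZES[typ]
        raw = tiff[val:val + size] if size > 4 else tiff[entry + 8:entry + 8 + size]
        if tag in seen:
            notes.append(f"duplicate tag 0x{tag:04X}")
        seen.add(tag)
        if typ == ASCII:
            if not raw.endswith(b"\0"):
                notes.append(f"tag 0x{tag:04X} ASCII not null-terminated")
            values.setdefault(tag, []).append(raw.rstrip(b"\0").decode("ascii", "replace"))
        elif typ == SHORT:
            values.setdefault(tag, []).append(struct.unpack("<H", raw)[0])
        elif typ == RATIONAL:
            num, den = struct.unpack("<II", raw)
            values.setdefault(tag, []).append(num / den if den else float("nan"))
    return values, notes

def light_value(fnumber, exposure_time, iso):
    """Ev = log2(N^2/t) + log2(100/ISO), the formula quoted in the release notes."""
    return math.log2(fnumber ** 2 / exposure_time) + math.log2(100 / iso)

# Constructed sample: a daylight exposure with a duplicate ISO tag and an unterminated Model string.
SAMPLE = build_tiff([(MAKE, ASCII, b"Canon\0"), (MODEL, ASCII, b"EOS"), (ISO, SHORT, struct.pack("<H", 100)),
                     (ISO, SHORT, struct.pack("<H", 200)), (EXPOSURE_TIME, RATIONAL, struct.pack("<II", 1, 250)),
                     (FNUMBER, RATIONAL, struct.pack("<II", 8, 1))])
```

Running `parse_ifd(SAMPLE)` yields the decoded values plus two notes, and `light_value(8, 1/250, 100)` lands near 14, i.e. the sunlit end of the range mentioned above.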
Posted on Monday, Apr 30, 2018 - 16:12:
* Some improvements and a fix for APFS parsing.
Posted on Thursday, May 17, 2018 - 20:48:
* The X-Tension function XWF_GetHashValue now has the ability to retrieve the primary hash value and the secondary hash value at the same time, and it has the ability to compute the requested hash values if they are not stored in the volume snapshot yet.
* When creating a skeleton image, if the first read operation is triggered from a data window that represents a partition opened from within a physical disk, the skeleton image will become a partition/volume image instead of a full disk image, unlike in previous versions. Read operations in other data windows (representing the surrounding physical disk or its other partitions) have no effect on the skeleton image.
* If e-mail recipient names contain pipes, the recipients were previously not correctly classified as To:, Cc:, or Bcc: when refining the volume snapshot. That was fixed.
* Several minor improvements.
* Same fix level as v19.6 SR-5.
Posted on Tuesday, Jun 5, 2018 - 20:58:
* Improved tentative support for volumes with the APFS file system.
* Ability to copy the contents of templates as tab-delimited text into the clipboard through the template's system menu.
* Ability to present the member variables of a template as entries in the Position Manager (either the general Position Manager or, if the data window is an evidence object, in the evidence object's Position Manager). The command for that can be found in the template's system menu as well.
* Optionally, the regular template window can be skipped altogether and Position Manager entries can be generated right away, if you hold the Shift key when you apply a template.
* XMP metadata extraction revised. New and relevant information is added to the metadata column while redundant information is not. XMP often contains information about the time zone that is not available from the EXIF metadata.
* The report table "Scan" is no longer used to identify PDF documents that have scanned content. Please refer to the device type column for that information.
* Identification of and file header signature search for MP4s files, a proprietary surveillance video format.
* Some minor improvements.
Posted on Monday, Jun 11, 2018 - 11:24:
* Some fixes.
Posted on Wednesday, Jun 20, 2018 - 9:53:
* Google Chrome history will now display the transition for each visited web site, making it easier to ascertain whether the visit was triggered by the user or by some other action like redirect. The duration of each visit is listed as well. Internet searches run from the address bar of Chrome are listed in a separate table and also added to the event list.
* Support for a new acquisition date format in certain third party .e01 evidence files.
* Understands some more APFS data structure variants.
* Some minor improvements.
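The Chrome history transition, visit duration and address-bar search information described in the post above, as an added Python example (not X-Ways code): it decodes Chrome's `visits.transition` bitfield into its core type and qualifier flags, converts the WebKit-epoch `visit_time`, and lists omnibox searches from `keyword_search_terms`. The transition constants are Chrome's own; the History rows and the "user_triggered" heuristic (not a redirect target and not an automatic frame load) are this example's constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
# Chrome core transition types (low byte of visits.transition) and the qualifier bits above it.
CORE = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe", 4: "manual_subframe", 5: "generated",
        6: "auto_toplevel", 7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}
QUALIFIERS = {0x01000000: "forward_back", 0x02000000: "from_address_bar", 0x10000000: "chain_start",
              0x20000000: "chain_end", 0x40000000: "client_redirect", 0x80000000: "server_redirect"}
AUTOMATIC_CORE = {"auto_subframe", "auto_toplevel"}   # loads caused by the page, not by the user

def decode_transition(value):
    """Split a visits.transition value into its core type and list of qualifier flags."""
    return CORE.get(value & 0xFF, "unknown"), [n for bit, n in QUALIFIERS.items() if value & bit]

def chrome_time(us):
    """visit_time is microseconds since 1601-01-01 UTC (the WebKit/Chrome epoch)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)

def classify_visits(conn):
    """Per visit: (url, ISO time, core type, flags, user_triggered, duration in seconds).
    user_triggered is this example's heuristic: neither a redirect target nor an automatic frame load."""
    sql = ("SELECT u.url, v.visit_time, v.transition, v.visit_duration "
           "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    rows = []
    for url, t, transition, duration in conn.execute(sql):
        core, flags = decode_transition(transition)
        redirected = "server_redirect" in flags or "client_redirect" in flags
        rows.append((url, chrome_time(t).isoformat(), core, flags,
                     not redirected and core not in AUTOMATIC_CORE, duration / 1_000_000))
    return rows

def address_bar_searches(conn):
    """Omnibox searches, which Chrome records separately in keyword_search_terms."""
    return conn.execute("SELECT k.term, u.url FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id").fetchall()

def build_sample_db():
    """Constructed in-memory History database containing only the columns this example reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, transition INTEGER, visit_duration INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, lower_term TEXT, term TEXT);""")
    base = 13_170_000_000_000_000                     # 2018-05-05T13:20:00Z in Chrome microseconds
    conn.executemany("INSERT INTO urls VALUES (?, ?)", [(1, "http://example.test/"), (2, "https://www.example.test/"),
        (3, "https://www.example.test/page"), (4, "https://search.example.test/?q=exif+light+value")])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, base, 1 | 0x02000000 | 0x10000000, 0),                        # typed into the address bar
        (2, 2, base + 150_000, 1 | 0x80000000 | 0x20000000, 42_000_000),      # server redirect target
        (3, 3, base + 60_000_000, 0 | 0x10000000 | 0x20000000, 5_000_000),    # link click
        (4, 4, base + 90_000_000, 5 | 0x02000000 | 0x10000000 | 0x20000000, 3_000_000)])  # omnibox search
    conn.execute("INSERT INTO keyword_search_terms VALUES (1, 4, 'exif light value', 'exif light value')")
    return conn
```

In the constructed data the second visit carries the server_redirect qualifier, so it is reported as not user-triggered even though its core type is still "typed"; that distinction is what the transition column exposes.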