X-Ways Forensics 19.7

X-Ways User Forum » Public Announcements


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Apr 6, 2018 - 20:20:   

A preview version of X-Ways Forensics 19.7 is now available. The download link can be retrieved as always by querying one's license status.

What's new in v19.7 Preview 1?

* A particularly thorough file system data structure search is now available for exFAT volumes, too.

* Irregular EXIF metadata encodings that violate EXIF specifications are now marked with an asterisk at the end (sometimes additionally with a bold font).

* Ability to toggle between single and double column modes when viewing internal JPEG metadata in IM details mode. Given a sufficient screen resolution and window width, no scrolling is required any more to quickly review the entire internal metadata, as the summary table is on the right-hand side.

* Firmware dates are now also output for iPhones and other Apple devices.

* Extracts more internal timestamps from e-mails in PST/OST e-mail archives.

* Some minor improvements.

* Same fix level as v19.6 SR-3.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 29, 2018 - 7:13:   

Preview 2:

* Tentative ability to parse various data structures of APFS file systems in order to provide a volume snapshot. Please give this a try.

* Cloned files in APFS, of which only differences from their original counterparts are stored in separate clusters, are marked with an uppercase Greek delta in the Attr. column.

* Support for APFS timestamps in the Data Interpreter as well as in templates ("APFSDateTime").

* Option to display the Data Interpreter window with a certain degree of transparency. The practical value of this option remains to be discovered. It just looks cool.

* Now can address and open up to 128 physical storage devices in Windows instead of 64 (those numbered 0 through 127).

* If volume snapshot refinement is invoked for a virgin volume snapshot, this will now remember the option to conduct a simultaneous search immediately after refinement. That is useful in particular in conjunction with the command line interface.

* A new command line command allows loading a list of search terms: "LST" (=load search terms). If followed by a colon and the name or complete path of a text file with 1 search term per line and if this precedes an RVS run with an implicitly triggered simultaneous search, the terms will be utilized for that search.

* The Summary part of the internal metadata in Details mode for JPEG files now has a new field named "Light value". That value is derived from the well-known photography formula Ev=log2(N**2/t)+log2(100/ISO). The value range ends at around 16, which means full sunshine. This aggregated value can be interesting to some examiners because it makes it possible to distinguish indoor and outdoor photos and to check whether the local time of a photo is plausible.

* A new value "Rotated" is now possible for the Condition field in JPEG metadata.

* The amount of slack (zero-value bytes) at the end of an EXIF segment is presented in Details mode if such slack is present. For example, iPhone 4 and iPhone 5 usually produce such an area of a variable length, but iPhone 7 does not. If the slack remains present after a rotation, that means the rotation was minimally invasive, without recompression (no loss of quality). If however a photo editing program rewrites the JPEG file, the slack will disappear.

* "EXIF compliance" is another new aggregated single value, a score that allows you to see whether a low quality photo editor was used to edit a photo. A good rating that JPEG pictures produced by Nikon or Canon cameras usually have is retained only by high quality photo editing programs. A bad rating for such pictures indicates editing by a low quality program. Irregularly coded fields in the EXIF data are marked with a star. Irregular might mean that a wrong data type was used or the permitted value range was violated or there are duplicate tags or a character string is not null-terminated or contains slack. Some tags must not appear at the same time, some tags must be stored in a designated directory.

* Generally the EXIF presentation is not a simple unstructured output of all EXIF values, but it aims to provide background information and highlights certain parameters within their context to make examiners aware of irregularities. Already in their original files digital cameras produce characteristic EXIF metadata errors. By editing a photo additional errors may be produced, or others may be fixed.

* Generator signatures and phone alias table were revised.

* The device type "scanner" is now shown for PDF documents that are recognized as the product of scanners.

* A new device type "printer" is now shown for JPEG files that were meant to be printed.

* Extraction of the mdtacom.apple.quicktime.location.ISO6709 field from iPhone MOV files into the metadata column.

* When viewing pictures with the internal graphics display library, the view window is no longer maximized if the picture has to be shrunk to fit the screen, and you now have a choice to either center such view windows on the screen as in previous versions or remember their left top position or their center position after you move them somewhere else on the screen. To make your choice, open the system menu of the view window (i.e. click the icon in the left top corner of the window). You can also decide whether or not such view windows should always be in the foreground, even in front of windows of other applications. Last but not least you can choose to roughly remember the window size. Especially useful in conjunction with the options to remember the left top position of the view window, to have only one view window at a time, and to update the view window automatically with just a single click on a file, so that at a place on your screen of your own choice you essentially have a fixed preview of pictures while the lower half of the data window can show something other than Preview mode, for example Details mode.

* Prompts the user whether or not stubborn C# X-Tension DLLs should be completely unloaded after execution. Programmers may prefer to do that when debugging their own X-Tensions, but apparently this can prevent usage of the same DLL a second time in the same session of X-Ways Forensics, so ordinary users had better choose No.

* Several minor improvements.

* Same fix level as v19.6 SR-4.

* Also available to BYOD users.
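The EXIF-related items above (the "Light value" formula, the starred irregular fields and the zero-byte slack behind the EXIF segment) can be illustrated with a small parser. The following is an added example written for this page, not code from X-Ways Forensics or from the poster; it builds a constructed little-endian TIFF/Exif blob with deliberate defects (the camera name "Acme", the values f/8, 1/250 s, ISO 100 and the 6 bytes of slack are all made up), walks IFD0 and the Exif sub-IFD, flags the irregularities, measures the trailing slack and computes Ev. The tag numbers, data types and designated directories come from the TIFF 6.0 / Exif 2.3 specifications; the indoor/outdoor reading of Ev values is a rule of thumb, not the tool's scoring.

```python
import math
import struct

# Tag numbers and data types per TIFF 6.0 / Exif 2.3. EXPECTED records the
# directory the specification assigns to each tag and the type it must use.
TAG_MAKE, TAG_MODEL, TAG_EXIF_IFD = 0x010F, 0x0110, 0x8769
TAG_EXPOSURE_TIME, TAG_FNUMBER, TAG_ISO = 0x829A, 0x829D, 0x8827
ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
EXPECTED = {TAG_MAKE: (ASCII, "IFD0"), TAG_MODEL: (ASCII, "IFD0"),
            TAG_EXIF_IFD: (LONG, "IFD0"), TAG_EXPOSURE_TIME: (RATIONAL, "Exif"),
            TAG_FNUMBER: (RATIONAL, "Exif"), TAG_ISO: (SHORT, "Exif")}


def build_ifd(entries, base):
    """Serialise a little-endian IFD at TIFF offset `base`; entries are
    (tag, type, count, payload), payloads over 4 bytes go out-of-line after it."""
    data_off = base + 2 + 12 * len(entries) + 4
    table, blob = b"", b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            table += struct.pack("<HHI4s", tag, typ, count, payload.ljust(4, b"\0"))
        else:
            table += struct.pack("<HHII", tag, typ, count, data_off + len(blob))
            blob += payload
    return struct.pack("<H", len(entries)) + table + b"\0\0\0\0" + blob


def constructed_tiff(slack=6):
    """Constructed Exif/TIFF blob (not from a real camera) with deliberate defects:
    Model lacks its null terminator, FNumber also sits in IFD0 (wrong directory),
    ISO is stored as LONG (wrong type), FNumber is duplicated, `slack` zero bytes trail."""
    exif = [(TAG_EXPOSURE_TIME, RATIONAL, 1, struct.pack("<II", 1, 250)),
            (TAG_FNUMBER, RATIONAL, 1, struct.pack("<II", 8, 1)),
            (TAG_FNUMBER, RATIONAL, 1, struct.pack("<II", 8, 1)),
            (TAG_ISO, LONG, 1, struct.pack("<I", 100))]
    def ifd0(exif_off):
        return build_ifd([(TAG_MAKE, ASCII, 5, b"Acme\0"),
                          (TAG_MODEL, ASCII, 5, b"Cam 1"),
                          (TAG_FNUMBER, RATIONAL, 1, struct.pack("<II", 8, 1)),
                          (TAG_EXIF_IFD, LONG, 1, struct.pack("<I", exif_off))], 8)
    exif_off = 8 + len(ifd0(0))          # the Exif sub-IFD directly follows IFD0
    body = ifd0(exif_off) + build_ifd(exif, exif_off)
    return b"II*\0" + struct.pack("<I", 8) + body + b"\0" * slack


def parse(tiff):
    """Walk IFD0 and the Exif sub-IFD. Returns (fields, used): fields are
    (directory, tag, type, count, raw bytes); bytes after `used` are slack."""
    assert tiff[:4] == b"II*\0", "only little-endian TIFF handled here"
    fields, used = [], 8
    todo = [("IFD0", struct.unpack_from("<I", tiff, 4)[0])]
    while todo:
        name, off = todo.pop(0)
        n = struct.unpack_from("<H", tiff, off)[0]
        used = max(used, off + 2 + 12 * n + 4)
        for i in range(n):
            tag, typ, count, raw = struct.unpack_from("<HHI4s", tiff, off + 2 + 12 * i)
            size = TYPE_SIZE.get(typ, 1) * count
            if size > 4:                 # value stored out-of-line, raw holds its offset
                ptr = struct.unpack("<I", raw)[0]
                raw = tiff[ptr:ptr + size]
                used = max(used, ptr + size)
            fields.append((name, tag, typ, count, raw[:size]))
            if tag == TAG_EXIF_IFD:
                todo.append(("Exif", struct.unpack("<I", raw)[0]))
    return fields, used


def decode(typ, raw):
    """Decode SHORT/LONG/RATIONAL values; ASCII and anything else is returned raw."""
    if typ == RATIONAL:
        num, den = struct.unpack("<II", raw)
        return num / den
    return struct.unpack("<H" if typ == SHORT else "<I", raw)[0] if typ in (SHORT, LONG) else raw


def irregularities(fields):
    """Flag fields the way the starred Exif presentation does: wrong data type,
    wrong directory, duplicate tag, ASCII string without its null terminator."""
    seen, flagged = set(), {}
    for d, tag, typ, count, raw in fields:
        reasons, exp = [], EXPECTED.get(tag)
        if exp and exp[0] != typ: reasons.append("wrong data type")
        if exp and exp[1] != d: reasons.append("wrong directory")
        if typ == ASCII and not raw.endswith(b"\0"): reasons.append("not null-terminated")
        if (d, tag) in seen: reasons.append("duplicate tag")
        seen.add((d, tag))
        if reasons: flagged[(d, tag)] = reasons
    return flagged


def trailing_slack(tiff):
    """Zero bytes after the last referenced structure (kept by a lossless rotation)."""
    _, used = parse(tiff)
    tail = tiff[used:]
    return len(tail) if tail and not tail.strip(b"\0") else 0


def light_value(fnumber, exposure_time, iso):
    """Ev = log2(N**2/t) + log2(100/ISO): about 15-16 in full sun, single digits indoors."""
    return math.log2(fnumber ** 2 / exposure_time) + math.log2(100 / iso)


def light_value_from(tiff):
    vals = {(d, t): decode(ty, raw) for d, t, ty, _, raw in parse(tiff)[0]}
    return light_value(vals[("Exif", TAG_FNUMBER)], vals[("Exif", TAG_EXPOSURE_TIME)],
                       vals[("Exif", TAG_ISO)])
```

Running `irregularities(parse(constructed_tiff())[0])` yields one starred reason per defect, `trailing_slack` reports the 6 bytes, and `light_value_from` gives about 14 for f/8, 1/250 s, ISO 100, i.e. daylight. Big-endian ("MM") files, the GPS and interoperability sub-IFDs and value-range checks are left out to keep the example short.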

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 30, 2018 - 16:12:   

Preview 2b:

* Some improvements and a fix for APFS parsing.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 17, 2018 - 20:48:   

Preview 3:

* The X-Tension function XWF_GetHashValue now has the ability to retrieve the primary hash value and the secondary hash value at the same time, and it has the ability to compute the requested hash values if they are not stored in the volume snapshot yet.

* When creating a skeleton image, if the first read operation is triggered from a data window that represents a partition opened from within a physical disk, the skeleton image will become a partition/volume image instead of a full disk image, unlike in previous versions. Read operations in other data windows (representing the surrounding physical disk or its other partitions) have no effect on the skeleton image.

* If e-mail recipient names contain pipes, the recipients were previously not correctly classified as To:, Cc:, or Bcc: when refining the volume snapshot. That was fixed.

* Several minor improvements.

* Same fix level as v19.6 SR-5.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 5, 2018 - 20:58:   

Preview 4:

* Improved tentative support for volumes with the APFS file system.

* Ability to copy the contents of templates as tab-delimited text into the clipboard through the template's system menu.

* Ability to present the member variables of a template as entries in the Position Manager (either the general Position Manager or, if the data window represents an evidence object, in the evidence object's Position Manager). This also means they will be visually highlighted directly in the hex editor display and equipped with explanatory tooltips. The command for that can be found in the template's system menu as well.

* Optionally, the regular template window can be skipped altogether and Position Manager entries can be generated right away, if you hold the Shift key when you apply a template.

* XMP metadata extraction revised. New and relevant information is added to the metadata column while redundant information is not. XMP often contains information about the time zone that is not available from the EXIF metadata.

* The report table "Scan" is no longer used to identify PDF documents that have scanned content. Please refer to the device type column for that information.

* Identification of and file header signature search for MP4s files, a proprietary surveillance video format.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 11, 2018 - 11:24:   

Preview 5:

* Some fixes.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 20, 2018 - 9:53:   

Beta 1:

* Google Chrome history will now display the transition for each visited web site, making it easier to ascertain whether the visit was triggered by the user or by some other action like redirect. The duration of each visit is listed as well. Internet searches run from the address bar of Chrome are listed in a separate table and also added to the event list.

* Support for a new acquisition date format in certain third party .e01 evidence files.

* Understands some more APFS data structure variants.

* Some minor improvements.
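To make the Chrome history item concrete: the "transition" is a bit field in the `visits` table of Chrome's History SQLite database, and the visit duration and omnibox searches live alongside it. The following is an added example written for this page, not code from X-Ways Forensics or from the poster. It builds a constructed, reduced copy of the History schema in memory (the URLs, times and durations are made up), decodes the core transition type and qualifier flags as defined in Chromium's page_transition_types.h, converts Chrome's microseconds-since-1601 timestamps, and lists address-bar searches from `keyword_search_terms`. The `user_triggered` rule is my own heuristic, not the tool's classification.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's PageTransition encoding (ui/base/page_transition_types.h): the low byte is
# the core type, the high bits are qualifier flags combined with it.
CORE = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME", 4: "MANUAL_SUBFRAME",
        5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD",
        10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
              0x04000000: "HOME_PAGE", 0x08000000: "FROM_API", 0x10000000: "CHAIN_START",
              0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome times: microseconds since this


def chrome_time(us):
    return EPOCH_1601 + timedelta(microseconds=us)


def to_chrome(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1)


def decode_transition(value):
    """Split a stored transition into (core type name, [qualifier names]). Some dumps
    show the value as a signed 32-bit number, so mask before decoding."""
    value &= 0xFFFFFFFF
    core = CORE.get(value & 0xFF, "UNKNOWN(%d)" % (value & 0xFF))
    return core, [name for bit, name in QUALIFIERS.items() if value & bit]


def user_triggered(core, quals):
    """Heuristic (my assumption, not the tool's rule): a page reached through a server
    or client redirect or an automatic (sub)frame load was not a user action."""
    if "SERVER_REDIRECT" in quals or "CLIENT_REDIRECT" in quals:
        return False
    return core not in ("AUTO_SUBFRAME", "AUTO_TOPLEVEL")


def constructed_history():
    """In-memory stand-in for Chrome's History file (constructed rows, reduced schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          lower_term TEXT, term TEXT);""")
    t0 = to_chrome(datetime(2018, 8, 19, 18, 0, tzinfo=timezone.utc))
    db.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://www.google.com/search?q=x-ways+19.7", "x-ways 19.7 - Google Search"),
        (2, "http://example.org/landing", "Landing"),
        (3, "https://example.org/landing", "Landing")])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, t0, 0, 0x30000005, 12_000_000),                # GENERATED|CHAIN_START|CHAIN_END: omnibox search
        (2, 2, t0 + 12_000_000, 1, 0x10000000, 50_000),       # LINK|CHAIN_START: click on a result
        (3, 3, t0 + 12_050_000, 2, 0xA0000000, 90_000_000)])  # LINK|CHAIN_END|SERVER_REDIRECT: http->https
    db.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
               (2, 1, "x-ways 19.7", "x-ways 19.7"))
    return db


def visit_rows(db):
    """One record per visit: decoded transition, duration, and whether it looks user-initiated."""
    rows = []
    for vid, url, vt, from_visit, trans, dur in db.execute(
            "SELECT v.id, u.url, v.visit_time, v.from_visit, v.transition, v.visit_duration "
            "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"):
        core, quals = decode_transition(trans)
        rows.append({"id": vid, "url": url, "time": chrome_time(vt), "from_visit": from_visit,
                     "transition": core, "qualifiers": quals,
                     "user": user_triggered(core, quals),
                     "duration": timedelta(microseconds=dur)})
    return rows


def omnibox_searches(db):
    """Searches typed into the address bar, as Chrome records them in keyword_search_terms."""
    return [(term, chrome_time(vt)) for term, vt in db.execute(
        "SELECT k.term, v.visit_time FROM keyword_search_terms k "
        "JOIN visits v ON v.url = k.url_id ORDER BY v.visit_time")]
```

Against a real History file, point `sqlite3.connect` at a copy of the file (Chrome keeps it locked while running) and drop `constructed_history`; the `from_visit` column links each visit to the one that led to it, which is what turns the three rows above into a search, a click and a redirect chain.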

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 2, 2018 - 20:27:   

Beta 2:

* Ability to copy text into the clipboard as UTF-16 Unicode even when the text column does not show UTF-16 Unicode, through the main menu. Ability to copy data into the clipboard as ANSI characters even when the text column shows UTF-16 Unicode.

* Ctrl+Shift+Del now removes the "Duplicates found" marker from the selected files in addition to removing all kinds of hash set matches.

* Encrypted documents with a known password can now be matched against a FuzZyDoc hash database.

* The password collection of a newly created case is now initialized with the general password collection. The general password collection can now be opened for editing from within Options | Security. The password collection of a case is used with encrypted archives as well as encrypted documents whenever the case is loaded.

* Some minor improvements.

* Same fix level as v19.6 SR-6.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 11, 2018 - 23:12:   

Beta 3:

* Ability to parse Google Chrome SNSS session files (Current/Last Session and Current/Last Tabs) during metadata extraction. The resulting session overview lists all open tabs and their browsing history.

* X-Tension API: The XWF_GetCaseProp function can now be used to learn the creation timestamp and the internal ID of the current case. XWF_GetVSProp can now be used to define the hash types of a volume snapshot.

* Some minor improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Aug 19, 2018 - 20:18:   

v19.7 was just released. Additional changes since Beta 3:

* When sorting timestamps in one of the many timestamp columns, it may happen that UTC-based time stamps have to be compared to local timestamps with an undefined time zone reference or local timestamps with a user-defined time zone reference (user-defined meaning defined by the examiner), to see which one is earlier and which one is later. That happens for example for file system based timestamps in the case root window if one evidence object has an NTFS file system and the other a FAT file system. It also happens within the same evidence object for example when sorting internal creation timestamps retrieved from file contents, such as ordinary Exif timestamps in JPEG (which are local) and GPS timestamps in JPEG (which are stored in UTC). Sorting all such timestamps now takes into account how these timestamps are displayed (in original local time or in a user-defined display time zone) such that the order is consistent with the displayed values, and not with how the timestamps are internally stored. That means for example that the local Exif timestamp 2017-01-01 14:01 LT is sorted *after* a UTC GPS timestamp 2017-01-01 14:00 +2, which is right if the undefined local time zone is equal to the display time zone, which in this example is UTC +2. That order of course can be wrong, as the unknown time zone of a local Content created timestamp could be somewhere to the east of UTC +2. The order could also be wrong if the user-defined time zone reference of timestamps from a FAT file system is wrong.

* The event list's Timestamp column now respects the user-defined reference time zone for timestamps for file systems that store timestamps in local time and translates these timestamps to the current display time zone accordingly.

* Fixed a rare checksum error in Intel Hex conversion output.

* Ability to convert (e.g. search terms) from UTF-16 to various Indian code pages: ISCII Devanagari, Bengali, Tamil, Telugu, Assamese, Oriya, Kannada, Malayalam, Gujarati, Punjabi (Gurmukhi)

* Templates can now display and edit UTF-16 Unicode string variables containing non-Latin characters.

* The search hit context preview in search hit lists can now be turned on and off in the context menu.

* The previous output for .automaticdestinations-ms files in Details mode is now presented in Preview mode, and also for the View command and when copying such jumplist files for inclusion in the report.

* Report thumbnail generation now supported for files of these types: lnk, flnk, TCP/UDP packets, NK2, DBX, Skype chat, WAB, change.log.1, info2, job, IconCache.db, Prefetch, shd, usnjrnl, eiurl, $I*, travellog, chrome1, automaticdestinations-ms, and more.

* The option to omit additional hard links now has an effect even when processing selected or tagged files specifically.

* New volume snapshot option to convert certain RTF-formatted e-mail bodies from Outlook e-mail archives to plain UTF-8 (when extracting e-mails) to better view generated .eml files in external e-mail clients and to allow for the alternative .eml preview.

* When importing hash values from Project Vic, the user is now asked whether US or Canadian standard categories should be preset.

* Solved an import problem with certain surprising whitespace characters in Project Vic JSON files.

* When filling blocks/files/disks with constant hex values, now any number of two-digit hex values up to 16 is allowed.

* The IMEI of some Samsung Galaxy smartphones (high end models) is stored in the SEFT trailing data of JPEG files, depending on the phone's settings, and if so is now presented in Details mode of the SEFT file. The SEFT file is generated by "Uncover embedded data in various file types".

* Protection against a rare kind of NTFS corruption, FILE record displacements within $MFT.

* Fixed a stability issue.

* Several minor improvements.

* User manual and program help updated.
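The sorting rule described in the first item of this release post (order by displayed value, not by stored value) and its caveat can be reproduced with a few lines. The following is an added example written for this page, not code from X-Ways Forensics or from the poster. It models the three kinds of stored timestamps (UTC-based, local with unknown zone, local with an examiner-defined reference zone), sorts them by their display value for a chosen display time zone using the post's 14:01 LT versus 14:00 +2 example, and adds an `order_certain` check that reports when the unknown zone of a local timestamp leaves the true order undecidable. The FAT and NTFS values and the UTC-5 reference zone are constructed.

```python
from datetime import datetime, timedelta


class Stamp:
    """A timestamp as stored in the evidence. ref is "UTC" for UTC-based values
    (NTFS, Exif GPS), None for local time with no stored zone (FAT, ordinary Exif)
    and a timedelta for local time with an examiner-defined reference zone."""
    def __init__(self, name, value, ref):
        self.name, self.value, self.ref = name, value, ref


def display_key(stamp, display_offset):
    """The value as shown in the display time zone. Sorting on this reproduces the
    on-screen order. A local stamp with an unknown zone is shown unchanged, which
    silently treats its zone as equal to the display zone."""
    if stamp.ref == "UTC":
        return stamp.value + display_offset
    if stamp.ref is None:
        return stamp.value
    return stamp.value - stamp.ref + display_offset


def sort_as_displayed(stamps, display_offset):
    return [s.name for s in sorted(stamps, key=lambda s: display_key(s, display_offset))]


def constructed_stamps():
    """Constructed values built around the post's example: Exif 14:01 local versus a
    GPS timestamp that displays as 14:00 in UTC+2 (hence stored as 12:00 UTC)."""
    return [Stamp("Exif DateTimeOriginal", datetime(2017, 1, 1, 14, 1), None),
            Stamp("Exif GPS", datetime(2017, 1, 1, 12, 0), "UTC"),
            Stamp("FAT modified (examiner: UTC-5)", datetime(2017, 1, 1, 10, 0),
                  timedelta(hours=-5)),
            Stamp("NTFS modified", datetime(2017, 1, 1, 11, 30), "UTC")]


def true_utc_range(stamp, west=timedelta(hours=-12), east=timedelta(hours=14)):
    """Possible UTC meanings of the stored value: a point for UTC stamps and for
    examiner-referenced local time, a 26-hour window (zones UTC-12 to UTC+14) for
    local time with an unknown zone."""
    if stamp.ref == "UTC":
        return stamp.value, stamp.value
    if stamp.ref is None:
        return stamp.value - east, stamp.value - west
    return stamp.value - stamp.ref, stamp.value - stamp.ref


def order_certain(a, b):
    """True only if every possible UTC reading of one stamp precedes every possible
    reading of the other; False when the unknown zone makes the order undecidable."""
    a_lo, a_hi = true_utc_range(a)
    b_lo, b_hi = true_utc_range(b)
    return a_hi < b_lo or b_hi < a_lo
```

Switching the display zone from UTC+2 to UTC+3 moves the Exif stamp ahead of both the GPS and the NTFS stamp, exactly because the column is ordered by what is shown rather than by what is stored; `order_certain` says the Exif/GPS pair can never be ordered with confidence, whereas the NTFS/FAT pair can (as long as the examiner's UTC-5 reference for FAT is right).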

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 3, 2018 - 19:50:   

SR-1:

* Ability to open certain fragmented files in APFS that could not be opened previously (that were just presented with no contents available or led to further errors).

* Some extended attributes in APFS are now shown as information in the Metadata column, if suitable, others not at all, depending on the same volume snapshot settings as previously just for HFS+.

* Prevented unnecessary output of messages and further fixed the new "Convert RTF e-mail bodies to plain UTF-8" option.

* Fixed an exception error that could occur when overriding the detected sector size of raw images.

* Fixed inability to correctly embed multiple attached e-mail messages with file attachments in certain single parent .eml files for the Recover/Copy command or the case report.

* Fixed incomplete HTML representation of $UsnJrnl:$J.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 6, 2018 - 20:56:   

SR-2:

* Metadata is now extracted from volume shadow copy files even when the volume snapshot options are set to read uninitialized areas of files as binary zeroes.

* Fixed inability of v19.7 to open image-based evidence objects without the image.

* Previews of directories can now be enabled or disabled, for example disabled for directory browser navigation performance reasons, with an unlabelled (but tooltipped) check box in Options | Viewer Programs.

* Logical searches additionally target the raw data in certain clusters of NTFS compression units, now more clusters than before.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 4, 2018 - 21:57:   

SR-3:

* Prevented crashes with certain SNSS files.

* Reading from a partition of a physical disk now triggers skeleton image acquisition again if the physical disk is the target of the acquisition, like in earlier versions.

* On-the-fly calculations of ed2k hash values when copying files into evidence file containers are not supported, but if such hash values are stored in the volume snapshot already, they are now correctly copied into the container, if so desired.

* Fixed an exception error that could occur in v19.7 when carving certain JPEG files.

* Registry viewer: The value data types REG_DWORD_BIG_ENDIAN and REG_QWORD were previously treated like REG_BINARY, and now are more properly interpreted.

* Registry viewer: An exception error was fixed that occurred when exploring more than 80 nested keys.

* Registry viewer: Keys with overlong names (more than 260 characters) were not processed correctly and could result in crashes. That was fixed.

* Registry viewer: ASCII characters in the 0x01 to 0x1F range in value names were not processed consistently. That was improved.

* Multi-threading in the gallery caused problems in conjunction with the filter for still images and the option "list respective parent video as well", so that it is now prevented with these settings.

* Fixed a potential crash with some rare finder bookmark (flnk) files.

* Some minor improvements.

Forum operated by X-Ways Software Technology AG.