|Posted on Thursday, Oct 4, 2018 - 22:01: |
A preview version of X-Ways Forensics 19.8 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.8 Preview 1?
* Same fix level as v19.7 SR-3.
* The phone alias table now has 2,850 entries and supports more than 13,000 camera models.
* Ability to interpret VHDX virtual machine disk images and add them to a case like other supported image types.
* Ability to show directory subtrees in Preview mode with directory sizes instead of or in addition to file counts (see new settings in Options | Viewer Programs).
* Two additional internal metadata timestamps are now extracted from MS Word OLE2 compound file documents, which can be useful for corroboration. The "nRevision" field is now also extracted, which according to its documentation contains the number of save operations applied to a document.
* The Report Table filter now has an option to output child objects of files at the same time, in addition to siblings.
* That newly discovered names (e.g. e-mail subjects original names of files in iPhone backups) become the new main names in a volume snapshot (and thus also potentially part of paths if they have child objects) is now optional. If not enabled, they become the alternative names, displayed in a lighter color in square brackets as additional information.
* Option to right-align the path columns in case you are more interested in the end of the path and would like to keep the column width compact.
* Several minor improvements.
|Posted on Sunday, Oct 21, 2018 - 15:05: |
* Ability to open and interpret VHDX images right from within other images or file systems on disks parsed by X-Ways Forensics itself.
* Some GUI adjustments for high DPI settings in Windows.
* Some internal revisions to the indexing algorithm.
* The DHT marker in JPEG files is now evaluated during metadata extraction. If the marker has the values as defined by the JPEG standard, it will be marked as "Standard", otherwise the number of table entries will be output. Practically all digital cameras use standard tables, but JPEGs encoded by social networks don't. They use optimized tables and achieve a file size reduction by around 5%.
* The Phone Alias Table now has 3,600 entries. Thanks to more and more regionally specific smartphone model variants, more and more photos can be attributed to a certain region of the world.
* Some fixes.
|Posted on Tuesday, Oct 23, 2018 - 20:56: |
* More comprehensive understanding of APFS file system data structures.
* Tentative support for RAR archive format version 5.
* Improved recognition of photos taken with front cameras.
* Size of the internal camera device database doubled compared to v19.7.
* Output of "Assessment: Edited" if it was detected that a digital photo (image data or metadata) was edited.
* Decoding and output of additional firmware timestamps.
* Correction of some formerly incorrect JPEG metadata output.
|Posted on Friday, Nov 2, 2018 - 9:36: |
* Jump list hash values are now translated to application names in the presented metadata of customDestionations-ms and automaticDestinations-ms jump list files, based on a new user-editable text file named JumpListNames.txt. The translation table currently consists of around 500 entries. If you add entries, please make sure to insert them at the correct place such that all entries remain sorted by the CRC in ascending order. Leading zeroes in the CRC obviously must be preserved. There is a tab character between the CRC and the application name.
* Some more revisions for APFS.
* "Log messages in msglog.txt" is now a three-state checkbox. The default behavior has not changed, and it is now the middle state. Fully checked means that messages in the Progress indicator window (descriptions of operations as well as names of processed files) are also output.
* Some minor improvements.