Posted on Thursday, Oct 4, 2018 - 22:01:
A preview version of X-Ways Forensics 19.8 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.8 Preview 1?
* Same fix level as v19.7 SR-3.
* The phone alias table now has 2,850 entries and supports more than 13,000 camera models.
* Ability to interpret VHDX virtual machine disk images and add them to a case like other supported image types.
* Ability to show directory subtrees in Preview mode with directory sizes instead of or in addition to file counts (see new settings in Options | Viewer Programs).
* Two additional internal metadata timestamps are now extracted from MS Word OLE2 compound file documents, which can be useful for corroboration. The "nRevision" field is now also extracted, which according to its documentation contains the number of save operations applied to a document.
* The Report Table filter now has an option to output child objects of files at the same time, in addition to siblings.
* That newly discovered names (e.g. e-mail subjects, original names of files in iPhone backups) become the new main names in a volume snapshot (and thus also potentially part of paths if they have child objects) is now optional. If not enabled, they become the alternative names, displayed in a lighter color in square brackets as additional information.
* Option to right-align the path columns in case you are more interested in the end of the path and would like to keep the column width compact.
* Several minor improvements.
Posted on Sunday, Oct 21, 2018 - 15:05:
* Ability to open and interpret VHDX images right from within other images or file systems on disks parsed by X-Ways Forensics itself.
* Some GUI adjustments for high DPI settings in Windows.
* Some internal revisions to the indexing algorithm.
* The DHT marker in JPEG files is now evaluated during metadata extraction. If the marker has the values as defined by the JPEG standard, it will be marked as "Standard", otherwise the number of table entries will be output. Practically all digital cameras use standard tables, but JPEGs encoded by social networks don't. They use optimized tables and achieve a file size reduction by around 5%.
* The Phone Alias Table now has 3,600 entries. Thanks to more and more regionally specific smartphone model variants, more and more photos can be attributed to a certain region of the world.
* Some fixes.
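The DHT check described in the Oct 21 post can be reproduced on your own files. The following is an added example (not X-Ways code): it walks the marker segments of a JPEG, splits each DHT segment into its tables and reports "Standard" when every table equals the corresponding Annex K.3 table of ITU-T T.81, otherwise the entry count of each table. The two sample headers at the bottom are constructed inline (standard tables as cameras write them, and a re-encoded file with a shortened, optimized AC luminance table).

```python
"""Evaluate the Huffman tables in a JPEG's DHT segments (added example, not
X-Ways code). "Standard" means every table equals the ITU-T T.81 Annex K.3
table for its class/destination; otherwise per-table entry counts are given."""
import struct

# Annex K.3: BITS (16 code-length counts) followed by the HUFFVAL symbols.
STD_DC_LUM = (bytes([0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0]), bytes(range(12)))
STD_DC_CHR = (bytes([0, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0]), bytes(range(12)))
STD_AC_LUM = (bytes([0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, 4, 0, 0, 1, 0x7D]), bytes.fromhex(
    "01020300041105122131410613516107" "227114328191a1082342b1c11552d1f0"
    "2433627282090a161718191a25262728" "292a3435363738393a43444546474849"
    "4a535455565758595a63646566676869" "6a737475767778797a83848586878889"
    "8a92939495969798999aa2a3a4a5a6a7" "a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5"
    "c6c7c8c9cad2d3d4d5d6d7d8d9dae1e2" "e3e4e5e6e7e8e9eaf1f2f3f4f5f6f7f8" "f9fa"))
STD_AC_CHR = (bytes([0, 2, 1, 2, 4, 4, 3, 4, 7, 5, 4, 4, 0, 1, 2, 0x77]), bytes.fromhex(
    "00010203110405213106124151076171" "1322328108144291a1b1c109233352f0"
    "156272d10a162434e125f11718191a26" "2728292a35363738393a434445464748"
    "494a535455565758595a636465666768" "696a737475767778797a828384858687"
    "88898a92939495969798999aa2a3a4a5" "a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3"
    "c4c5c6c7c8c9cad2d3d4d5d6d7d8d9da" "e2e3e4e5e6e7e8e9eaf2f3f4f5f6f7f8" "f9fa"))
# key: (table class 0=DC/1=AC, destination 0=luminance/1=chrominance)
STD_TABLES = {(0, 0): STD_DC_LUM, (1, 0): STD_AC_LUM, (0, 1): STD_DC_CHR, (1, 1): STD_AC_CHR}


def segments(data: bytes):
    """Yield (marker, payload) for every marker segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                           # EOI before any scan: nothing more to read
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # TEM, RSTn, SOI carry no length field
            pos += 2
            continue
        (length,) = struct.unpack_from(">H", data, pos + 2)
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            return
        pos += 2 + length


def parse_dht(payload: bytes):
    """Split a DHT payload into (class, dest, bits, vals); one segment may hold several tables."""
    tables, pos = [], 0
    while pos < len(payload):
        bits = payload[pos + 1:pos + 17]
        vals = payload[pos + 17:pos + 17 + sum(bits)]
        if len(bits) != 16 or len(vals) != sum(bits):
            raise ValueError("truncated DHT table")
        tables.append((payload[pos] >> 4, payload[pos] & 0x0F, bits, vals))
        pos += 17 + len(vals)
    return tables


def classify_dht(data: bytes) -> str:
    """'Standard' if all tables are the Annex K ones, else the entry count per table."""
    tables = [t for marker, payload in segments(data) if marker == 0xC4 for t in parse_dht(payload)]
    if not tables:
        return "No DHT"
    if all((bits, vals) == STD_TABLES.get((tc, th)) for tc, th, bits, vals in tables):
        return "Standard"
    return " ".join(f"{'AC' if tc else 'DC'}{th}:{len(vals)}" for tc, th, _, vals in tables)


def build_dht(tables) -> bytes:
    """Encode (class, dest, bits, vals) tuples as one DHT marker segment."""
    body = b"".join(bytes([(tc << 4) | th]) + bits + vals for tc, th, bits, vals in tables)
    return b"\xff\xc4" + struct.pack(">H", len(body) + 2) + body


# Constructed sample headers (SOI, DHT, empty SOS): the standard tables as a camera
# writes them, and a re-encoded file with a shortened ("optimized") AC luminance table.
_STD = [(tc, th, *tbl) for (tc, th), tbl in STD_TABLES.items()]
_OPT_AC_LUM = bytes([0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, 4, 0, 0, 0, 0])        # 36 codes only
_OPT = [(tc, th, bits, vals) if (tc, th) != (1, 0) else (1, 0, _OPT_AC_LUM, vals[:36])
        for tc, th, bits, vals in _STD]
CAMERA_LIKE = b"\xff\xd8" + build_dht(_STD) + b"\xff\xda\x00\x02"
OPTIMIZED = b"\xff\xd8" + build_dht(_OPT) + b"\xff\xda\x00\x02"

if __name__ == "__main__":
    print("camera-like:", classify_dht(CAMERA_LIKE))   # Standard
    print("optimized:  ", classify_dht(OPTIMIZED))     # DC0:12 AC0:36 DC1:12 AC1:162
```

To run it on a real file, pass `open(path, "rb").read()` to `classify_dht`. Note that a progressive or multi-scan JPEG may carry further DHT segments after the first SOS; the walker above stops at the first SOS, which is where cameras and most encoders put all four tables.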
Posted on Tuesday, Oct 23, 2018 - 20:56:
* More comprehensive understanding of APFS file system data structures.
* Tentative support for RAR archive format version 5.
* Improved recognition of photos taken with front cameras.
* Size of the internal camera device database doubled compared to v19.7.
* Output of "Assessment: Edited" if it was detected that a digital photo (image data or metadata) was edited.
* Decoding and output of additional firmware timestamps.
* Correction of some formerly incorrect JPEG metadata output.
Posted on Friday, Nov 2, 2018 - 9:36:
* Jump list hash values are now translated to application names in the presented metadata of customDestinations-ms and automaticDestinations-ms jump list files, based on a new user-editable text file named JumpListNames.txt. The translation table currently consists of around 500 entries. If you add entries, please make sure to insert them at the correct place such that all entries remain sorted by the CRC in ascending order. Leading zeroes in the CRC obviously must be preserved. There is a tab character between the CRC and the application name.
* Some more revisions for APFS.
* "Log messages in msglog.txt" is now a three-state checkbox. The default behavior has not changed, and it is now the middle state. Fully checked means that messages in the Progress indicator window (descriptions of operations as well as names of processed files) are also output.
* Some minor improvements.
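Because a hand-edited JumpListNames.txt must stay sorted with leading zeroes intact, a small checker is worth having before the file goes back into production. The following is an added example, not X-Ways code and not its shipped table: it parses a table in the format the Nov 2 post describes (CRC, one tab, application name, ascending CRC order), rejects malformed or mis-ordered lines, looks up an ID by binary search and inserts a new entry at the correct position. The only assumption beyond the post is that the CRC is the 16-hex-digit AppID that also forms the *Destinations-ms file name; all IDs and names in the sample are invented.

```python
"""Work with a JumpListNames.txt-style translation table (added example; not
X-Ways code and not its shipped table). The post fixes only the line format:
CRC, one tab, application name, lines sorted ascending by CRC, leading zeroes
kept. Assumed beyond the post: the CRC is the 16-hex-digit AppID that also
forms the *Destinations-ms file name. All IDs and names below are invented."""
import bisect

# Constructed sample table (three invented entries, already in ascending order).
SAMPLE_TABLE = (
    "00000000000000a1\tsample-a.exe\n"
    "0c7e2b3f9d1a4e55\tsample-b.exe\n"
    "f2e1d0c0b0a09080\tsample-c.exe\n"
)
HEX = set("0123456789abcdef")


def load_table(text: str):
    """Parse into parallel (keys, names) lists and enforce the format rules from the
    post; lookup() relies on the ascending order for its binary search."""
    keys, names = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line:
            continue
        crc, tab, name = line.partition("\t")
        if tab != "\t" or not name:
            raise ValueError(f"line {lineno}: expected <CRC><TAB><application name>")
        crc = crc.lower()
        if len(crc) != 16 or set(crc) - HEX:
            raise ValueError(f"line {lineno}: CRC must be 16 hex digits (leading zeroes kept)")
        if keys and crc <= keys[-1]:
            raise ValueError(f"line {lineno}: {crc} breaks the ascending order after {keys[-1]}")
        keys.append(crc)
        names.append(name)
    return keys, names


def check_table(text: str):
    """None if the file is well-formed, else the error message (run this after hand edits)."""
    try:
        load_table(text)
    except ValueError as exc:
        return str(exc)
    return None


def lookup(table, app_id: str):
    """Binary search for one AppID; None when the table has no entry for it."""
    keys, names = table
    key = app_id.lower()
    i = bisect.bisect_left(keys, key)
    return names[i] if i < len(keys) and keys[i] == key else None


def app_id_from_filename(path: str) -> str:
    """'...\\0c7e2b3f9d1a4e55.automaticDestinations-ms' -> '0c7e2b3f9d1a4e55'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].partition(".")[0].lower()


def add_entry(text: str, app_id: str, name: str) -> str:
    """Insert a line at the position that keeps the file sorted, as the post asks."""
    keys, names = load_table(text)
    key = app_id.lower()
    if len(key) != 16 or set(key) - HEX:
        raise ValueError("AppID must be 16 hex digits")
    i = bisect.bisect_left(keys, key)
    if i < len(keys) and keys[i] == key:
        raise ValueError(f"{key} is already in the table as {names[i]!r}")
    keys.insert(i, key)
    names.insert(i, name)
    return "".join(f"{k}\t{n}\n" for k, n in zip(keys, names))


if __name__ == "__main__":
    table = load_table(SAMPLE_TABLE)
    print(lookup(table, app_id_from_filename("0c7e2b3f9d1a4e55.automaticDestinations-ms")))  # sample-b.exe
    print(check_table("f2e1d0c0b0a09080\tx\n0c7e2b3f9d1a4e55\ty\n"))  # reports the ordering error
```

Sorting fixed-width hex strings lexically is the same as sorting the CRC values numerically, which is why the width and leading zeroes matter: a 15-digit entry would sort into the wrong place and break the binary search for every ID after it.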
Posted on Sunday, Nov 18, 2018 - 22:00:
* Representation of more digital camera raw formats in Gallery and Preview mode after uncovering embedded pictures: NEF, ARW, ORF
* Recognition of 4271 smartphone models as sources of digital photos, more than twice the previous number. For each model X-Ways Forensics distinguishes between front and back camera.
* Ability to decode region information from Huawei firmware designations.
* Extraction of epoch timestamps from Facebook filenames.
* Improved recognition of Twitter JPEG files.
* JPEG metadata representation slightly improved.
* Unlabelled, but tooltipped new checkbox in the center of the General Options dialog window that allows you to use alternative file selection dialog windows throughout the program in case the original style dialog windows cause problems in your system.
Posted on Sunday, Dec 2, 2018 - 18:19:
* Identification of duplicate pictures with PhotoDNA now allows grouping duplicates in report tables.
* Notation options now include a setting to show report tables representing groups of identical files.
* Already for many versions it was possible to decouple the lower half of a data window and treat it like a separate window, for example to move it to another monitor. With the same control it is now also possible to show that part of a data window on the right-hand side of the directory browser instead of below it. That can be useful on today's widescreen monitors, where vertical screen space is scarce, so that you can now have a long vertical list of files visible and at the same time also fully utilize the available vertical screen space for example for previews of page-based documents that were meant to be viewed in portrait mode as opposed to landscape orientation. Also useful for the gallery, and very efficient for portrait mode photos, Details mode, and hex editor displays in Disk/Partition/Volume and File mode with traditionally just 16 bytes per line.
* X-Ways Forensics now prompts before losing existing tag marks when mass tagging or untagging an entire directory or file listing with a single mouse click.
* When opening the logical memory of a running process, shows the process creation timestamps in the Info pane.
* A new condition of JPEG files was introduced: "embedded". This condition identifies pictures that were not generated as stand-alone files, but embedded in larger files, as thumbnails or reduced resolution alternates. That condition may also occur if JPEG metadata was retroactively removed with a tool.
* Identification of now 4,700 smartphone models via PhoneAliasTable.
* General device type identification slightly improved.
* Generator signature table slightly revised. A new type "Adobe embedded" was added.
* Timestamps taken from filenames are now explicitly listed in the summary table of JPEG metadata (previously used only for the Content created column). Useful for pictures shared on social media, where available metadata is scarce and where they may indicate the time when the picture was shared.
* Many metadata extraction improvements in detail.
* Some improvements in other areas not listed here.
Posted on Tuesday, Dec 18, 2018 - 20:48:
* The character set / code page of text files is no longer pointed out in the Type column, but rather (in some cases) in the Metadata column.
* Identification of now 5,000 smartphone models via PhoneAliasTable. The table must now be alphabetically sorted as that allows for enhanced performance.
* Generator signatures have been slightly revised to better detect social media pictures as such. Specifically Facebook and Twitter pictures are now better detected than before.
* Generic relevance computation slightly adjusted for pictures to favor camera originals, pictures whose creation time and location are precisely defined, device type, available metadata and more.
* Some minor improvements.
Posted on Tuesday, Jan 8, 2019 - 12:17:
* When matching hash values against hash databases (ordinary hashes like MD5, SHA-1, SHA-256, ...), there is now an option to make a local copy of the database and work with that copy. This can be helpful if you share the database with your colleagues and your colleagues want to update the database (e.g. add additional hash sets) while it's in use for matching, which otherwise would not be possible for the whole duration of volume snapshot refinement. It could also enhance performance if the database is large and does not fit into main memory and is stored on a remote network drive. The local copy is created in the directory for temporary files if it does not exist yet, and updated only if the master copy of the hash database has changed (all users should have v19.8 or newer to avoid unnecessary copying of an unchanged database).
* E-mail attachments now show the same timestamps in the Creation and Modification columns as the e-mail messages to which they belong, so that you can see directly when they were sent ("Created" column) and delivered ("Modified" column).
* The functionality of several three-state checkboxes for the Simultaneous Search has been split up into two separate ordinary checkboxes each. Users of a German Tooltips.txt please download a new version of that file.
* The middle state of the whole words option of the Simultaneous Search now allows to match starts of words only (require a word boundary at the beginning of the search hit). That means e.g. with "box" you can find "boxes" at the same time (but not "checkbox") and with "tend" you can find "tends" and "tended" at the same time (but not "attended" or "extended"). This was previously possible with GREP syntax only, and if you wish to search some search terms as whole words and others as starts of words at the same time you still need to use GREP syntax, please.
* The whole words option of the simultaneous search now supports non-Latin I characters in many languages (Eastern European, Russian, Arabic, Hebrew, Greek, ..., depends on which characters you enter) also for searches in UTF-8.
* The Summary table for JPEGs now identifies a "processing state", which can be one of the following: original (=as originally produced by a digital device), edited normally (processing was marked by the program used), social media (as published on various social media, blogs, photo sharing services, or even eBay), irregular editing detected (meaning there is uncertainty about what was actually changed, could be processing by social media if not detected as such), and EXIF stripped.
* JumpListNames.txt was updated.
* There are now 5,800 smartphone models in PhoneAliasTable. (Note that this is just an auxiliary table. Corresponding entries in Generator Signatures.txt are essential for detection and for categorization into device classes).
* Some more GUI adjustments for high DPI settings.
* Several minor improvements.
Posted on Wednesday, Jan 23, 2019 - 5:14:
* The maximum number of additional worker threads in volume snapshot refinement and logical searches, subject to a sufficient number of processors, has been increased to 16 in X-Ways Forensics and 3 in X-Ways Investigator.
* Support for a new variant of the Ext4 file system. Parsing this new variant (to generate a volume snapshot) without understanding its implications would necessarily fail. Previous versions of X-Ways Forensics informed the user of the presence of an unsupported feature in the file system.
* Filling newly created surrogate .e01 segments with a special watermark ("MISSING IMAGE FILE SEGMENT!") is now optional, for performance reasons. Zeroed out blocks are faster to generate.
* Now supports up to ~58.8 million PhotoDNA hash values in the hash database instead of ~29.4 million (64-bit edition only). Please note that it is not recommendable to have that many hash values in the PhotoDNA database because matching will take quite some time, even if processed by all available CPU cores at the same time.
* A new option in the case properties allows to automatically verify the hash value when adding an image to the case, if such a hash value is present, or (if the checkbox is fully checked) to compute the hash value from scratch if the image doesn't have one. Newly created cases inherit the state of this option from the last case whose settings were defined. This also means that you can verify images from the command line, with the AddImage command. The result will be output 1) in the Messages window, 2) in msglog.txt if desired, and 3) in the properties of the evidence object, i.e. the representation of the image in the case.
* The new processing state and the generic relevance of JPEG pictures were further revised. The median relevance of JPEG pictures is now roughly 4.0. The weight of the processing state "Social media" for the relevance computation can be adjusted in the file Generator Signatures.txt (look for the line "JPEG/Social Media"). The default is an average weight.
* A generator signature for WeChat was defined. The processing state "Social Media" now includes WeChat.
* Number of identified smartphone models: Now more than 5900.
* Two new device types have been defined: Action cams and monitor cameras (=game cameras, trail cams, also used for surveillance purposes).
* Some minor improvements.
* Same fix level as v19.7 SR-4 at least.
Posted on Wednesday, Jan 30, 2019 - 19:20:
* The journal parsing option for Ext3/Ext4 had proven somewhat tricky and has now been removed from the volume snapshot options.
* Association of data with certain previously existing files that otherwise would be presented only with file system metadata and no contents using the Ext3/Ext4 journal is now an option of the particularly thorough file system data structure search.
* More extensive preview/view of Ext3/Ext4 journals than in previous versions.
* Users can now choose between the larger high-resolution icons for the toolbar, context menus and the mode button through an unlabelled new checkbox in Options | General. By default, the larger icons are now used on systems with higher than 150% DPI settings.
* Some GUID partition table partition attributes are now shown in the Attr. column: system (=required by operating system), hidden (=not mounted as drive letter), read-only, shadow copy.
* Support for GUID partition table partition names in ASCII.
* Some minor improvements.
* Same fix level as v19.7 SR-5.
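The partition attributes and names mentioned in the Jan 30 post come straight out of the 128-byte GPT partition entries, and it is useful to be able to decode one by hand when checking what the Attr. column shows. The following is an added example, not X-Ways code: it parses an entry as laid out in the UEFI specification (type GUID, unique GUID, first/last LBA, 64-bit attributes, 72 bytes of UTF-16LE name). The labels for bits 0..2 are the UEFI-defined ones; the labels for bits 60..63 are the ones Microsoft assigns on basic data partitions, and the well-known basic data type GUID is used to decide when they apply. The sample entries are constructed inline, including one whose name field was written as plain 8-bit ASCII rather than UTF-16LE, the case the post says is now supported.

```python
"""Decode attribute bits and name of a GPT partition entry (added example, not
X-Ways code). Layout per the UEFI specification. Bits 0..2 are UEFI-defined;
bits 48..63 are reserved for the partition type, and the names given here for
60..63 are Microsoft's for basic data partitions. Samples are constructed."""
import struct
import uuid

ENTRY_SIZE = 128
MS_BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")   # well-known type GUID
UEFI_BITS = {0: "system", 1: "no block I/O protocol", 2: "legacy BIOS bootable"}
MS_BASIC_DATA_BITS = {60: "read-only", 61: "shadow copy", 62: "hidden", 63: "no drive letter"}


def decode_attributes(attrs: int, type_guid) -> list:
    """Return labels for every set bit; unknown bits are reported rather than dropped."""
    labels = []
    for bit in range(64):
        if not attrs >> bit & 1:
            continue
        if bit in UEFI_BITS:
            labels.append(UEFI_BITS[bit])
        elif bit >= 48 and type_guid == MS_BASIC_DATA and bit in MS_BASIC_DATA_BITS:
            labels.append(MS_BASIC_DATA_BITS[bit])
        elif bit >= 48:
            labels.append(f"type-specific bit {bit}")
        else:
            labels.append(f"reserved bit {bit}")
    return labels


def decode_name(raw: bytes) -> str:
    """Names are UTF-16LE, but some tools write 8-bit ASCII instead. Treat the field
    as ASCII only if its high bytes are non-zero and the bytes up to the first NUL
    are printable ASCII; a non-Latin UTF-16LE name fails that test and stays UTF-16."""
    if any(raw[1::2]):
        first = raw.split(b"\x00", 1)[0]
        if first and all(0x20 <= b < 0x7F for b in first):
            return first.decode("ascii")
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_entry(entry: bytes):
    """Parse one 128-byte entry; None for an unused slot (all-zero type GUID)."""
    if len(entry) < ENTRY_SIZE:
        raise ValueError("a GPT partition entry is at least 128 bytes")
    type_guid = uuid.UUID(bytes_le=entry[0:16])      # GUIDs are stored in mixed-endian form
    if type_guid.int == 0:
        return None
    first_lba, last_lba, attrs = struct.unpack_from("<QQQ", entry, 32)
    return {
        "type": str(type_guid).upper(),
        "unique": str(uuid.UUID(bytes_le=entry[16:32])).upper(),
        "first_lba": first_lba,
        "last_lba": last_lba,
        "attr": decode_attributes(attrs, type_guid),
        "name": decode_name(entry[56:128]),
    }


def make_entry(type_guid, unique, first, last, attrs, name: bytes) -> bytes:
    """Build a 128-byte entry; `name` is taken raw so a caller can supply ASCII."""
    return (type_guid.bytes_le + unique.bytes_le
            + struct.pack("<QQQ", first, last, attrs) + name.ljust(72, b"\x00"))


# Constructed samples: a hidden basic data partition without a drive letter that the
# platform requires, an entry with an ASCII-written name, and an unused slot.
_UNIQUE = uuid.UUID("12345678-1234-5678-1234-567812345678")
HIDDEN_DATA = make_entry(MS_BASIC_DATA, _UNIQUE, 2048, 1050623,
                         (1 << 63) | (1 << 62) | 1, "Sample data".encode("utf-16-le"))
ASCII_NAME = make_entry(MS_BASIC_DATA, _UNIQUE, 1050624, 2099199, 0, b"ascii-named")
EMPTY = bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for entry in (HIDDEN_DATA, ASCII_NAME, EMPTY):
        print(parse_entry(entry))
```

To read real entries, take the partition entry array LBA and entry size from the GPT header (LBA 1) and slice the array into `ENTRY_SIZE` chunks. Note that "hidden" (bit 62) and "no drive letter" (bit 63) are separate bits in Microsoft's definition; a partition can have either without the other, so check both when interpreting what the Attr. column reports.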
Posted on Thursday, Feb 14, 2019 - 17:52:
* Ability to export a list of selected files in Project Vic JSON format.
* Mathematical formulas in templates may now reference variables of the uint_flex type.
* Improved representation of MD RAIDs and LVM2. For example, container header areas are now shown as files instead of partitions and mere container partitions are not automatically added to the case any more. Support for LVM2 containers in level 1 MD RAID containers. Cases with evidence objects that have MD RAID or LVM2 partitioning that were created with earlier versions should not be further processed in v19.8.
* Partitions that are retroactively added as child evidence objects to the case tree when their parent is not at the bottom of the tree now receive evidence object numbers that reflect their position and order within the tree, which makes a difference when sorting in the directory browser by evidence object.
* The graphical or textual screenshot of the Refine Volume Snapshot settings for the case activity log now includes screenshots of nested dialog windows with further settings, even if the user did not open them and close them with OK.
* Generator signatures defined for the QuickTime video format family (MOV, MP4, 3GP, ...). A device type is assigned to videos of that format family as well as AVI. The detected device type of videos will also affect the generic relevance, based on the weight that you can adjust in the file "Generator Signatures.txt" for JPEG files, at the end of the *** lines.
* Additional metadata extracted from QuickTime video files. For example the values for pixel dimensions and handler are new. The presence of trailing data is mentioned as well as an incomplete condition of a QuickTime video file.
* New version of the indexing and index search engine.
* Some minor improvements. Same fix level as v19.7 SR-6.