|Posted on Thursday, Aug 8, 2019 - 23:47: |
A preview version of X-Ways Forensics 19.9 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.9 Preview 2?
* Same fix level as v19.8 SR-7.
* Project Vic categories for the USA are now predefined in the user-editable text file PVicCat.txt. Law enforcement users from UK and Canada can download their own definitions from the PhotoDNA download section on our web server and replace the default PVicCat.txt file in their installations. Users in other countries with differing categories can gladly share them with us.
* No longer makes copies of files with a size of 0 bytes for the case report.
* Generation of gallery and report thumbnails for non-picture files with or without shrinking possible now in the latest versions of Windows 10 (1809 and 1903).
* Improved ability to abort potentially slow gallery build up by switching to another mode.
* Shows another line item in the directory browser even when a horizontal scrollbar is present that obscures it partially.
* Ability to display fractions of seconds in timestamps more precisely. More than 3 decimals are now supported depending on the precision of the original timestamp format and depending on where the timestamps are stored. (Timestamps in the volume snapshot are displayed with up to 4 decimals, where the 4th digit is rounded.) In previous versions the higher precision was already employed for sorting, even if not displayed.
* Improved extraction of metadata from MSG files.
* Extraction of original filenames from old style INFO2 recycle bin files.
* The first sector of a completely uninitialized file (valid data length = 0) is no longer omitted from the file header signature search.
* Preview mode reads uninitialized portions of files now exactly as File mode, depending on the corresponding volume snapshot option.
* Ignores clusters belonging to more virtual machine disk image types when searching for FILE records everywhere.
* More space for the file mask for text decoding for logical searches.
* The algorithm to compute the generic relevance of pictures has been revised. It now tries to put more emphasis on intelligence value rather than news value, and to weigh evidential value higher than informational value.
* Technically minded users now have the ability to set the desired attributes of newly created image files, such as "read-only" or "encrypted", as well as buffering flags for performance tweaking in unusual environments such as "write through". Attributes are defined most thoroughly at https://docs.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants, flags at https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea. The flag for "no buffering" should not be used. Attributes and flags hare combined by oring or adding them and have to be specified in hexadecimal notation.
* Ability to preview inactive versions of utmp, wtmp and btmp logs.
* Relevance computation was revised for JPEG and PNG pictures. It now puts more emphasis on the intelligence value rather than the news value and the evidential value.
3.0 is the base value defined for JPEG files in File Type Categories.txt. 3.0 is also a value that you can expect from pictures that are just advertising. 3.2 = typical browser cache picture. 3.5 = typical for a picture from the system partition. 3.9 = social media. 4.1 = webcam. 4.2 = backup. 4.7 = photo as originally taken by a digital camera. Sorting picture by relevance achieves a grouping effect in the gallery because pictures from a similar context are sorted next to each other.
* Details mode: The summary field "Timestamp from file name" is now more generally named "Filename analysis". It shows the recognized naming scheme, such as Twitter, and/or a timestamp. Statistically, about every 4th JPEG picture contains an additional timestamp in its name. The recognized naming scheme affects the relevance computation.
* Generator signatures are now computed for more files, which may include the file types GIF, HTML, WEBP, AVI und the RIFF format family.
* The generator signature table was updated. For example it now has a new signature for the Samsung Galaxy S10.
* The table of iOS release dates was updated.
* The Content created timestamp is now inherited from the parent file by extracted thumbnails.
* Several minor improvements.
|Posted on Monday, Sep 2, 2019 - 10:45: |
* Picture viewing library updated, revised especially for GIF pictures.
* Indexing and index searches were revised in v19.9 Preview.
* Some fixes of errors in v19.9 Preview 2.
* Relevance computation for some more exotic file types.
* Recognition of device types screen and front camera updated for newer iPhone and Samsung smartphone models.
* A new video generator signature was added.
* Some minor improvements.
|Posted on Wednesday, Sep 25, 2019 - 15:37: |
* Ability of the Recover/Copy command and the Create Report command to convert files of certain supported types to PDF format, for recipients that otherwise would not have suitable applications to view the files. You can define the file types that do not need to be converted, e.g. those that can easily be displayed by your web browser or with Windows tools. If no conversion is possible, the original file is copied unconverted.
* Ability of the Recover/Copy command to extract pure text from the selected files and output it as plain text files. That is the same representation that you get when switching from ordinary Preview mode to raw Preview mode with the Shift key held, and the same text that a logical search would see of a file when you have X-Ways Forensics "decode" the text in a file. Files that are not suitable for text extraction (e.g. pictures) or from which no text can be extracted for whatever other reasons are copied normally if the corresponding checkbox is only half checked, or are omitted if fully checked.
* The X-Tension API command XWF_OpenItem (in conjunction with XWF_Read) can now be used to retrieve a PDF representation of the requested file.
* The X-Tension API command XWF_GetItemName now allows to retrieve the alternative name of a file in the volume snapshot.
* Improved detection of spanned archives. Archive processing revised in general.
* The generator signature table was expanded.
* Improved relevance computation for JPEG and PNG files.
* Extraction of an creation timestamps from iPhone screenshots in PNG format.
* Various minor improvements.
* Requires the latest version of the viewer component (readme file from July 28).
|Posted on Sunday, Sep 29, 2019 - 20:29: |
* Some rare creation timestamps extracted from XMP metadata in JPEG files.
* Reduced cases of misidentification of device type "Scanner".
* Some minor improvements.
* Some fixes, including fixes of v19.8 SR-9.
|Posted on Sunday, Oct 20, 2019 - 21:34: |
* Export List and Recover/Copy: Option to output the alternate name of a file, or both the main name and the alternate name.
* Output of simple extended attributes in Apple file systems as special lines in the Metadata column instead of child objects is now optional. If included in the Metadata column, the Metadata field will now also be shown in Details mode.
* PLists and BPLists are now parsed for Preview mode when needed if the volume snapshot has not been refined yet and the child object with the parsed contents does not exist yet.
* PNG and WEBP file processing revised. The generic relevance is now computed analogously to JPEG files.
* Two more timestamps are extracted from the PNG file format.
* Two more timestamps in JPEG files are now considered candidates for the Content created column. If an official creation timestamp is found in the internal metadata, that timestamp will be shown there. If not, practically any other plausible timestamp may be used as a substitute, even a timestamp derived from the filename if necessary. That way around 60% of all JPEG files can be presented with a Content created value.
* The list of recognized smartphone models was considerably extended and updated with new models.
* Hex editing: Allows to replace a fixed-length series of hex values that are all wildcards with other hex values.
* Some minor improvements.
* Contains fixes from v19.8 SR-9.
|Posted on Thursday, Nov 7, 2019 - 23:32: |
* Ability to permanently remember friendly names for complex GREP expressions when you rename search terms in the search term list. Future searches for the same expressions will immediately add entries in the search term list with the more easily recognizable friendly names. Friendly names and corresponding GREP expressions are stored in the text file "GREP Expressions.txt", which you can share with your colleagues and from which you can easily copy and paste GREP expressions when needed. The file can be opened from within the Simultaneous Search dialog window by clicking on the button with the yellow lightbulb (lightbulb for "ideas" for expressions to search for). You can edit the file directly with any text editor. Just keep the structure intact: Always 1 friendly name followed by 1 GREP expression, 2 lines for each such pair, in UTF-16.
* Recover/Copy: Option to turn all selected files into a single PDF document. This includes even file types that would usually not be converted to PDF individually.
* Ability to convert the HTML case report to PDF format. Cannot be used in conjunction with the option to split the report file after a certain number of files. If the box with the PDF option is fully checked, that means that you wil receive *only* a PDF version of the report. If half checked, that means that you you will receive both an HTML and a PDF version of the report. Please note that if you delete one of them in the Windows Explorer/File Explorer, this will automatically also deleted the subdirectory with the copied files if there is one, even if it is still needed for the respective other version of the report.
* Ability to omit files that are known from a hash database from logical searches (whether known good or known bad).
* Some minor improvements.
|Posted on Thursday, Nov 14, 2019 - 21:47: |
v19.9 was just released. Additional improvements:
* Ability to detect Windows 10 PE as a platform.
* Some more improvements for high DPI settings.
* Improved logic for the search hit filter: Ability to focus on search hits whose context does NOT contain a certain word. Ability to logically combine all filter options with a logical OR or AND.
* Context menu command to unmark all search hits in the evidence object(s) represented by the current data window as notable. This allows for incremental filtering. Example: You filter for search hits whose context contains the word "Hello". Then you mark those hits as notable (Ctrl+A plus context menu command). Then you filter for search hits that are notable AND contain the word "Hey". Then you unmark all search hits (even those that are currently not listed), which has no immediate effect on the presented list, and mark those that are listed as notable. The result is that all search hits that contain both "Hello" and "Hey" in their context are now marked as notable.
* Images of a case are now found automatically in the case directory if they are not remembered to be there previously (this condition existed in earlier versions). This works even if the path of a case has changed.
* A dedicated case-specific default path for images can now be defined in the properties of a case, which then overrides the generic default path for images. The case-specific path may be a relative path, where a . refers to the case directory and .. to the parent directory of the case directory. Please note that for performance reasons it can be advisable to store cases and images on different physical storage devices. If you define a case-specific image path in v19.9 and open the case in v19.8 or earlier, you will get a warning about unknown data being ignored and lost, but can still work with that case in the older version.
* Merely switching from one data window to another, for example using the tab control, does not highlight the evidence object or its current directory in the Case Data window any more if Sync mode is disabled in the Case Root window. The Case Root window does not support directory navigation, hence its newly introduced Sync button can have this special meaning.
* Ability to uncover JPEG objects in PDF documents with a certain wrong encoding.
* Some minor improvements.