Posted on Thursday, Aug 8, 2019 - 23:47:
A preview version of X-Ways Forensics 19.9 is now available. The download link can be retrieved as always by querying one's license status.
What's new in v19.9 Preview 2?
* Same fix level as v19.8 SR-7.
* Project Vic categories for the USA are now predefined in the user-editable text file PVicCat.txt. Law enforcement users from the UK and Canada can download their own definitions from the PhotoDNA download section on our web server and replace the default PVicCat.txt file in their installations. Users in other countries with differing categories can gladly share them with us.
* No longer makes copies of files with a size of 0 bytes for the case report.
* Generation of gallery and report thumbnails for non-picture files with or without shrinking possible now in the latest versions of Windows 10 (1809 and 1903).
* Improved ability to abort potentially slow gallery build up by switching to another mode.
* Shows another line item in the directory browser even when a horizontal scrollbar is present that obscures it partially.
* Ability to display fractions of seconds in timestamps more precisely. More than 3 decimals are now supported depending on the precision of the original timestamp format and depending on where the timestamps are stored. (Timestamps in the volume snapshot are displayed with up to 4 decimals, where the 4th digit is rounded.) In previous versions the higher precision was already employed for sorting, even if not displayed.
* Improved extraction of metadata from MSG files.
* Extraction of original filenames from old style INFO2 recycle bin files.
* The first sector of a completely uninitialized file (valid data length = 0) is no longer omitted from the file header signature search.
* Preview mode reads uninitialized portions of files now exactly as File mode, depending on the corresponding volume snapshot option.
* Ignores clusters belonging to more virtual machine disk image types when searching for FILE records everywhere.
* More space for the file mask for text decoding for logical searches.
* The algorithm to compute the generic relevance of pictures has been revised. It now tries to put more emphasis on intelligence value rather than news value, and to weigh evidential value higher than informational value.
* Technically minded users now have the ability to set the desired attributes of newly created image files, such as "read-only" or "encrypted", as well as buffering flags for performance tweaking in unusual environments such as "write through". Attributes are defined most thoroughly at https://docs.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants, flags at https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea. The flag for "no buffering" should not be used. Attributes and flags have to be combined by ORing or adding them and specified in hexadecimal notation.
* Ability to preview inactive versions of utmp, wtmp and btmp logs.
* Relevance computation was revised for JPEG and PNG pictures. It now puts more emphasis on the intelligence value rather than the news value and the evidential value.
3.0 is the base value defined for JPEG files in File Type Categories.txt. 3.0 is also a value that you can expect from pictures that are just advertising. 3.2 = typical browser cache picture. 3.5 = typical for a picture from the system partition. 3.9 = social media. 4.1 = webcam. 4.2 = backup. 4.7 = photo as originally taken by a digital camera. Sorting pictures by relevance achieves a grouping effect in the gallery because pictures from a similar context are sorted next to each other.
* Details mode: The summary field "Timestamp from file name" is now more generally named "Filename analysis". It shows the recognized naming scheme, such as Twitter, and/or a timestamp. Statistically, about every 4th JPEG picture contains an additional timestamp in its name. The recognized naming scheme affects the relevance computation.
* Generator signatures are now computed for more files, which may include the file types GIF, HTML, WEBP, AVI and the RIFF format family.
* The generator signature table was updated. For example it now has a new signature for the Samsung Galaxy S10.
* The table of iOS release dates was updated.
* The Content created timestamp is now inherited from the parent file by extracted thumbnails.
* Several minor improvements.
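
The attribute/flag value for newly created image files described above is a single hexadecimal number. The following is an added example, not part of the original post or of X-Ways Forensics: it composes such a value by ORing and decodes an existing value so a setting can be reviewed. The constant values are the documented Win32 ones; the function names, the reduced table of bits and the `0x`-prefixed output format are assumptions, since the post does not state the exact input format the program expects.

```python
# Added example: compose and review the hexadecimal attribute/flag value.
# Constant values are the documented Win32 ones; only a subset is listed.
# Function names and the "0x" output format are assumptions of this example.
FILE_BITS = {
    "FILE_ATTRIBUTE_READONLY":   0x00000001,
    "FILE_ATTRIBUTE_HIDDEN":     0x00000002,
    "FILE_ATTRIBUTE_ARCHIVE":    0x00000020,
    "FILE_ATTRIBUTE_NORMAL":     0x00000080,
    "FILE_ATTRIBUTE_ENCRYPTED":  0x00004000,
    "FILE_FLAG_SEQUENTIAL_SCAN": 0x08000000,
    "FILE_FLAG_RANDOM_ACCESS":   0x10000000,
    "FILE_FLAG_NO_BUFFERING":    0x20000000,
    "FILE_FLAG_WRITE_THROUGH":   0x80000000,
}
# The post says the "no buffering" flag should not be used.
DISCOURAGED = {"FILE_FLAG_NO_BUFFERING"}


def compose(names):
    """OR the named bits together and return the value in hexadecimal."""
    value = 0
    for name in names:
        if name in DISCOURAGED:
            raise ValueError(f"{name} should not be used")
        # OR is idempotent: listing a name twice cannot spill into another bit,
        # which plain addition would do (0x1 + 0x1 = 0x2 = HIDDEN).
        value |= FILE_BITS[name]
    return f"0x{value:08X}"


def decode(hex_value):
    """Return (known bit names, problems) for a hexadecimal setting."""
    value = int(hex_value, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value must fit in 32 bits")
    names, rest = [], value
    for name, bit in FILE_BITS.items():
        if value & bit:
            names.append(name)
            rest &= ~bit
    problems = [n for n in names if n in DISCOURAGED]
    if rest:
        problems.append(f"bits not in this table: 0x{rest:08X}")
    return names, problems


if __name__ == "__main__":
    print(compose(["FILE_ATTRIBUTE_READONLY", "FILE_FLAG_WRITE_THROUGH"]))
    print(decode("0x20000001"))
```

Adding the constants gives the same result as ORing only when no bit is listed twice, which is why the example uses OR throughout.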
Posted on Monday, Sep 2, 2019 - 10:45:
* Picture viewing library updated, revised especially for GIF pictures.
* Indexing and index searches were revised in v19.9 Preview.
* Some fixes of errors in v19.9 Preview 2.
* Relevance computation for some more exotic file types.
* Recognition of device types screen and front camera updated for newer iPhone and Samsung smartphone models.
* A new video generator signature was added.
* Some minor improvements.
Posted on Wednesday, Sep 25, 2019 - 15:37:
* Ability of the Recover/Copy command and the Create Report command to convert files to PDF format, for recipients that otherwise would not have suitable applications to view the files. You can define the file types that do not need to be converted, e.g. those that can easily be displayed by an Internet browser.
* Ability of the Recover/Copy command to extract pure text from the selected files and output it as plain text files. That is the same representation that you get when switching from ordinary Preview mode to raw Preview mode with the Shift key held, and the same text that a logical search would see of a file when you have X-Ways Forensics "decode" the text in a file. Files that are not suitable for text extraction (e.g. pictures) or from which no text can be extracted for whatever other reasons are copied normally if the corresponding checkbox is only half checked, or are omitted if fully checked.
* The X-Tension API command XWF_OpenItem (in conjunction with XWF_Read) can now be used to retrieve a PDF representation of the requested file.
* The X-Tension API command XWF_GetItemName now allows retrieving the alternative name of a file in the volume snapshot.
* Improved detection of spanned archives. Archive processing revised in general.
* The generator signature table was expanded.
* Improved relevance computation for JPEG and PNG files.
* Extraction of creation timestamps from iPhone screenshots in PNG format.
* Various minor improvements.
* Requires the latest version of the viewer component (readme file from July 28).
Posted on Sunday, Sep 29, 2019 - 20:29:
* Some rare creation timestamps extracted from XMP metadata in JPEG files.
* Reduced cases of misidentification of device type "Scanner".
* Some minor improvements.
* Some fixes, including fixes of v19.8 SR-9.