#168: X-Ways Forensics,
X-Ways Investigator, WinHex 20.5 released
Apr 11, 2022
This mailing is to announce the release of
another update with important improvements, v20.5, and a 3rd
party module for X-Ways Forensics and X-Ways Investigator.
Customers please go to https://www.x-ways.net/winhex/license.html
for the latest download instructions including
current log-in data, details about their
licenses and potentially upgrade/renewal offers. Please do not ask us about
the download password. Your organization has access to it already if
Please be reminded that if you are interested in receiving information about
service releases when they become available, you can find those in
Announcement section of the
and (with active access to updates) can subscribe to them, too, by creating
a forum profile. Please note that if you wish or need to stick with an older
version for a while, you should at least use the last service release of that version.
Online Live Training
Please sign up for our training notifications
if you would like to be kept up to date on future classes.
Excire: Photo Analysis with Artificial Intelligence
Excire for X-Ways Forensics is a separately available
product based on technology developed by Pattern Recognition Company
GmbH, a German AI company.
It automatically analyzes photos and identifies image content (objects
like buildings, animals, plants, beaches, mountains, people, adults,
babies, faces, eyes, beards, naked bodies, text, ...) as well as color
themes and photo properties, which are all described as keywords. You
can focus on photos with particular relevant keywords (combined with AND
or OR) or filter out photos with irrelevant keywords.
It allows you to find photos that are “similar” from the perspective of
an artificial intelligence to a collection of typical relevant photos
from earlier cases or other photos that you provide.
It allows you to find faces of particular people in photos of new cases.
Of great benefit for forensic investigators is that Excire works
completely offline. Everything happens on your own machine. You don't
need to trust any cloud service to which you would have to upload
photos. No Internet connection is required*. That is just like you know
it from X-Ways Forensics. *An Internet connection is required once when
you acquire your licenses, and for that you could use a different
computer. An Internet connection is also required when using trial
Owners of licenses for X-Ways Forensics with active
access to updates (not licenses for educational use)
can order Excire for X-Ways Forensics for those licenses with a 25%
discount. A coupon code is provided in license status messages (from
https://www.x-ways.net/winhex/license.html). This offer is valid only
for orders placed by April 24, 2022. Prices and an order form can be found
here. Technical details
What's new in v20.5?
(please note that most
changes affect X-Ways Forensics only)
An interface for Excire (see above) is now built into X-Ways Forensics
and X-Ways Investigator. The overall integration in X-Ways Forensics is
seamless. You use the same operations as always (volume snapshot
refinement) and the same filters that you already know (for report table
associations or comments or metadata), and the results are stored in the
volume snapshot or in evidence file containers. You can assign special
cell colors in the directory browser to photos with keywords that are of
particular interest to you. Keywords that describe photos are currently
available in these languages: English, German, French, Spanish and
When computing PhotoDNA hash values and storing the
hashes for deduplication and fast re-matching, X-Ways Forensics now also
automatically compares embedded thumbnails to their parent files. If the
difference is noticeable, that will be brought to the user's attention
with two report tables, "Thumbnail discrepancy" and "Thumbnail notable
(data corrupt/incomplete)", where the latter means that there is a
difference most likely just because the parent file is corrupt or
incomplete. (The thumbnail, which requires little storage space and is
located near the start of the file, could be unaffected and therefore
helpful.) The former could indicate that someone has retroactively
altered/redacted the full resolution picture and left the embedded
thumbnail as it was.
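The thumbnail check described above, as an added illustration that is not X-Ways code (the page does not describe how X-Ways itself compares the two pictures): this Python pulls the Exif IFD1 thumbnail out of a JPEG and flags one cheap discrepancy, an aspect-ratio mismatch between the thumbnail and the parent frame header, which is what a crop applied after the thumbnail was written leaves behind. The sample JPEG is a constructed header-only skeleton, not a decodable picture.

```python
import struct

def _segments(data):  # yield (marker, payload) for each JPEG metadata segment up to SOS/EOI
    pos = 2  # skip the SOI marker FF D8
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: no further metadata segments
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def jpeg_dimensions(data):  # (width, height) from the SOF0/SOF2 frame header, or None
    for marker, payload in _segments(data):
        if marker in (0xC0, 0xC2):
            return struct.unpack(">HH", payload[1:5])[::-1]  # stored as height, width
    return None

def exif_thumbnail(data):  # embedded JPEG thumbnail referenced by Exif IFD1 tags 0x0201/0x0202, or None
    for marker, payload in _segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff, tags = payload[6:], {}
            e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
            ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
            n0 = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
            ifd1 = struct.unpack(e + "I", tiff[ifd0 + 2 + 12 * n0:][:4])[0]  # next-IFD pointer after IFD0
            n1 = struct.unpack(e + "H", tiff[ifd1:ifd1 + 2])[0] if ifd1 else 0
            for i in range(n1):
                tag, _, _, val = struct.unpack(e + "HHII", tiff[ifd1 + 2 + 12 * i:][:12])
                tags[tag] = val
            if 0x0201 in tags and 0x0202 in tags:
                return tiff[tags[0x0201]:tags[0x0201] + tags[0x0202]]
    return None

def thumbnail_discrepancy(data, tolerance=0.02):  # True if parent and thumbnail aspect ratios disagree
    parent, thumb = jpeg_dimensions(data), exif_thumbnail(data)
    tdim = jpeg_dimensions(thumb) if thumb else None
    if not parent or not tdim:
        return None  # nothing to compare (no SOF header or no embedded thumbnail)
    pr, tr = parent[0] / parent[1], tdim[0] / tdim[1]
    return abs(pr - tr) / pr > tolerance

def build_sample(parent_wh, thumb_wh):  # constructed JPEG skeleton (headers only) carrying an IFD1 thumbnail
    def sof0(w, h):  # minimal baseline frame header with one component
        return b"\xFF\xC0" + struct.pack(">HBHHB", 11, 8, h, w, 1) + b"\x01\x11\x00"
    thumb = b"\xFF\xD8" + sof0(*thumb_wh) + b"\xFF\xD9"
    tiff = b"MM\x00\x2a" + struct.pack(">IHI", 8, 0, 14)  # TIFF header, empty IFD0, IFD1 at offset 14
    tiff += struct.pack(">HHHII", 2, 0x0201, 4, 1, 44)  # IFD1: 2 entries; thumbnail bytes at offset 44
    tiff += struct.pack(">HHIII", 0x0202, 4, 1, len(thumb), 0) + thumb  # length tag, no next IFD
    app1 = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + sof0(*parent_wh) + b"\xFF\xD9"
```

A matching aspect ratio proves nothing on its own; a visual or hash-based comparison of the decoded pixels is still needed to catch redaction that preserves the frame size.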
File Format Support
X-Ways Forensics from now on distinguishes between 4
instead of 3 possible file format consistency states: unknown, OK,
irregular and corrupt. This is relevant for the Type status filter settings.
Improved PNG screenshot identification. In
particular, a new Exif format is supported that is used mainly for
Android screenshots. This makes it possible to verify whether such Android
screenshots are original.
Additional generator signatures defined.
Support for new Exif tags concerning composite images
and time zones.
Revised recognition of camera original pictures, now
with a lower false negative rate, especially for Xiaomi smartphones.
Further revised generating device identification
(esp. smartphones, esp. all Samsung smartphones) with around 34,000
definitions and two new iOS release identifications.
Evaluates camera debug information in the Application
Marker 4 for Samsung smartphones such as camera serial number, timestamp
of the last firmware update, and a 2-letter country code. This may
enable the examiner to associate a photo with the exact device that took
Provides the last printing date and the internal last
modification date of OpenOffice documents as events.
Revised and improved alternative .eml preview, which
is important also for the case report option "Alternative .eml
presentation directly in browser".
Ability to process carved compressed PF prefetch
File System Support
Supports new style of reparse point text of Windows
A renamed/moved file in a volume snapshot for a FAT
file system that still exists under a different name or in a different
directory was handled inconsistently before. Now it is read exactly like
its existing counterpart, i.e. following cluster chains as defined in
the file allocation table, regardless of the state of the "Deleted files
skip used clusters" setting, resulting in identical hash values,
duplicate search hits, etc.
New command "Capture Processes" in the Tools menu in
X-Ways Forensics that allows you to acquire all data in the memory of
running processes on a live system contiguously (i.e. pages in the order
as allocated by the process). The creation times of processes can be
seen as the creation timestamps of the memory dumps. Pages marked as
containing executable code (PAGE_EXECUTE* styles) are optional; omitting
them reduces the amount of data considerably if you are merely
interested in keyword searches or carving rather than malware analysis.
Carving in the memory dumps (files shown as type "mem") can be performed
by uncovering embedded data, one of the functions of volume snapshot
This command can also produce a tab-delimited list
of all top-level windows with their titles and corresponding processes
plus (comma-delimited) the titles of their child windows. Screenshots of
some of the top-level windows are taken and output automatically. If
this functionality is used without administrator rights, only processes
of the current user are covered, otherwise all processes.
The output folder of "Capture Processes" is by
default either a subdirectory of the case or - if no case is active - a
subdirectory of the directory for images. It can be automatically
explored in Windows File Explorer once the output is complete and/or
added to the active case as a directory.
The memory dumped by "Capture Processes" can also be
useful on your own system if an application in which you type text (e.g.
an e-mail client) suddenly freezes and you want to recover what you
A filter is available for process dumping. You can
use it like other file mask filters in X-Ways Forensics. For example
"explorer.exe" will only dump memory and windows of the Windows File
Explorer process. ":C*" will dump all processes except those whose names
start with the letter "C", i.e. for example not "Chrome.exe". The file
mask is not case sensitive. Multiple file masks can be concatenated with
semicolons. (However, the total length is limited.)
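The process filter syntax described above, modelled in Python as an added example (not X-Ways code): only "*" and "?" are treated as wildcards, matching is case-insensitive, a leading ":" negates a mask, and masks are split at semicolons. It is an assumption that several non-negated masks are OR-ed, that a negated mask excludes regardless of the others, and that no non-negated mask means "all processes"; the process list is constructed.

```python
import re

def _mask_to_regex(mask):
    """Translate one mask into a case-insensitive regex; only * and ? are wildcards."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile(pattern + r"\Z", re.IGNORECASE)

def parse_masks(spec):
    """Split a semicolon-concatenated mask list into (include, exclude) regex lists.
    A leading ':' marks an exclusion mask, as in the ':C*' example above."""
    include, exclude = [], []
    for mask in filter(None, (m.strip() for m in spec.split(";"))):
        if mask.startswith(":"):
            exclude.append(_mask_to_regex(mask[1:]))
        else:
            include.append(_mask_to_regex(mask))
    return include, exclude

def select_processes(names, spec):
    """Process names the mask spec selects: some include mask must match (none given = all),
    and no exclude mask may match. This include/exclude combination rule is an assumption."""
    include, exclude = parse_masks(spec)
    return [n for n in names
            if (not include or any(r.match(n) for r in include))
            and not any(r.match(n) for r in exclude)]

# Constructed sample process list (not taken from a real system)
SAMPLE_PROCESSES = ["explorer.exe", "Chrome.exe", "cmd.exe", "notepad.exe", "svchost.exe"]
```

Note that because matching is case-insensitive, ":C*" also drops "cmd.exe", which is easy to overlook when the intent was only to skip a browser.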
Ability to interpret unencrypted evidence files in
Ex01 format as partitioned physical media or volumes.
Improved handling of hard disks that were partitioned
and formatted as if they had a different sector size.
An up-to-date English language Tooltips.txt file is
now included in the download. If you wish to see those tooltips for the
controls (mostly checkboxes) in your dialog windows, please make sure
that "Tooltips.txt" is activated in Options | General. A German-language
Tooltips.txt is available from the resource download area for users of
X-Ways Investigator and X-Ways Forensics. If you wish to
share your translation to another language with other users, please send
us your copy of the file so that we can put it there as well. Thank you.
Report tables can now be alphabetically sorted in the
dialog windows for filtering and for report table management. By
default, they will be listed in the order in which they were created, as
Report tables that were created by the application as
hints for the user are now listed optionally, and they are now the only
ones that are indented.
New colors were defined for the various kinds of
report tables (ordinary user-created, hints for the user, hash sets,
search terms, duplication groups, ...), and the triangles in the Name
cells that indicate the existence of report table associations for the
file are now shown in the same colors. The display of those triangles is
now optional, see Options | Notation.
Registry Viewer: Ability to copy the value data as
shown in the list view on the right-hand side. (In order to copy the
value data in binary, select the value in the list view, move the
registry viewer aside and copy the selected data from File mode.)
Printing templates did not show formatted GUIDs
correctly. That was fixed.
The rules of advanced sorting are now also applied to
the Hash Set column.
After matching hash values against the hash database,
multiple matching hash sets for a given file are now listed within the
cell in the same order as they are contained in the hash database, and
not in a random order.
Comments of evidence objects are now also shown in
the Comments column in the Case Root window and can be edited from
there. The description of evidence objects is now also shown in the
Metadata column in the Case Root window.
If a filter is active with a NOT setting, you are now
reminded of that by a red funnel symbol.
To remind the user that an OR combination of filters
is active, the word "OR" is now displayed in larger letters and with
pointing fingers in the caption line of the directory browser.
Colored cells now have an optional color gradient.
This can be enabled separately for each cell coloring condition. The
exact rules to determine the background color of rows in the directory
browser based on focus, selection, mouse hover status, dark mode and
cell coloring have been generally revised.
In conditional cell coloring, you now have the option
to color the Name cell in addition to the original cell that the
condition is based on. Useful if you wish to be visually alerted of the
matching condition even if the triggering column is currently not
visible, and if highlighting the entire line would be too much.
The Notation settings now allow you to see some
"internal" flags in the Description column if you wish. Those flags
identify the status of a file in volume snapshot refinement.
[Emb]: checked for embedded data to uncover
[Arc]: file archive checked for content
[Enc]: encryption test already performed
[Ext]: e-mail or e-mail archive checked for extractable content
[Met]: checked for internal metadata
[Xtn]: created by an X-Tension.
Applying X-Tensions to files in selected directories
is now optional. (In case a particular X-Tension is useful when applied
to directories only.)
The "Mount as Drive Letter" functionality now comes
with a new option named "Apply recursively" to present files from all
subdirectories of the currently active evidence object or the selected
directory in a flat list. This is useful if you wish to use an external
program to view many of the files and don't wish to bother with
directory navigation. When using this option, the int. IDs of the files
are inserted into the filenames to make the files better identifiable to
Ability to define the maximum size of files for which
thumbnails should be created in the gallery. It may be necessary to
increase that limit for high resolution Photoshop PSD pictures, for
Automatic verification of newly created images via
hash is now applied to an optional 2nd image copy also when adding the
1st copy to the active case.
Option to hide case backup files with the H
Many minor improvements.
Changes of service releases of 20.4
SR-1: The hash types for disk imaging and volume
snapshot refinement can now be selected in the same dialog window, which
requires two fewer mouse clicks and means that .dlg files of these dialog
windows will cover the settings more completely.
SR-1: Avoided a read error that could occur when
SR-1: Prevents repeated output of hint on use of
multiple .settings files.
SR-2: If you get file creation error messages when
running OCR with multiple threads, you can now try an unlabeled, but
tooltipped checkbox next to the Tesseract OCR option to make X-Ways
Forensics wait longer for Tesseract to finish.
SR-2: Fixed a potential infinite loop that could
occur with certain PDF documents when uncovering embedded data.
SR-2: Now uses an embedded JPEG picture as the
thumbnail of certain camera raw files in the case report.
SR-2: When the case report is generated, the user now
has the option to explore the directory where the report is stored
instead of viewing the report directly.
SR-2: The hint given in fresh installations that the
RVS processing state of files in evidence file containers is taken over
is now given repeatedly, until the user disables it. Previously it was
probably often overlooked or ignored and/or not understood.
SR-2: Chinese translation of the user interface
SR-3: Fixed an exception error that could occur in
v20.4 with WofCompressed or possibly other kinds of pseudo-sparse files.
SR-3: Prevented inability to load previously decoded
text that was written incompletely because of a crash. Earlier versions
of X-Ways Forensics cannot load decoded text stored by v20.4 SR-3 and
SR-4: Faster viewing and previewing of large PSD
pictures, using the internal graphics viewing library instead of the
SR-4: Fixed an error in the Tools | Compute Hash
command that occurred when applied in File mode.
SR-4: Attaching files in the case root window
previously switched to a file listing that was shown as being not
recursive. That was fixed.
SR-5: Waits longer for closed evidence objects to
open if targeted by RVS, to avoid the error message "Sorry, the
following evidence object was skipped".
SR-5: Fixed a cluster allocation display error of
SR-5: Fixed an exception error that could occur in
v20.4 under certain circumstances when generating the case report.
SR-6: The mouse wheel now also works for scrolling in
Windows 10 when the cursor hovers over a directory browser tooltip.
SR-6: Fixed inability to remove certain context menu
commands from the Windows shell via Options | General.
SR-6: Support for a newer variant of Windows 10
thumbcache index files in file type verification and Details mode.
SR-6: Fixed inability to extract certain tables from
some SQLite databases as TSV child objects.
SR-6: Fixed a crash that could occur if the user
inserted a trailing blank line at the end of "Event Log
SR-6: Fixed inability of v20.4 to properly open ordinary
sparse files in NTFS.
SR-6: In OSDirList volume snapshots, directories were
previously skipped if their names started with two dots. That was fixed.
SR-6: Tooltips now also work in the dialog windows
for simple text and hex searches.
SR-6: Restoring old backups of cases did not always
discard all newer components of the volume snapshot that did not exist in
the backup (e.g. events).
SR-6: Replacing text or hex values in a file with
data of different size did not always work in files larger than 2 GB.
That was fixed.
Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways
Professional in Evidence Recovery Techniques)
Prove your proficiency
in computer forensics in general and X-Ways Forensics in particular with our
certification program. After passing the challenging exam, you
will be part of an exclusive circle and enjoy various benefits such as
special recognition, training discounts, updated training material. For
further details, please check
Thank you for your attention! We hope to see you soon
somewhere at https://www.x-ways.net or on our
You may also follow us on
Twitter. Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
X-Ways Software Technology AG