WinHex & X-Ways Forensics Newsletter Archive


#173: X-Ways Forensics, X-Ways Investigator, WinHex 21.0 released

Dec 17, 2023

This mailing is to announce the release of another update with important improvements, v21.0. The release date was 13 December.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the new log-in data/password (!), details about their licenses, and upgrade or renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible, as described.

Please be reminded that if you are interested in receiving information about service releases as soon as they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version, you should at least use the last service release of that version.


Upcoming Training Events

Dates | Location | Target Region | Course | Delivered by
Jan 15-19 | Online (5x6¼ hrs!) | Europe, Asia | X-Ways Forensics I | X-Ways
Jan 29-Feb 2 | Online (5x6¼ hrs!) | America (incl. West Coast) | X-Ways Forensics I | X-Ways
Jan 30-Feb 2 | Online (4x6¼ hrs!) | Europe, Asia | X-Ways Forensics II | X-Ways
Feb 5-8 | Online (4x6¼ hrs!) | America (incl. West Coast) | X-Ways Forensics II | X-Ways
Feb 5-8 | Nancy (in French) | France | X-Ways Forensics I | Tracip
Feb 12-15 | Birmingham, England | Europe | X-Ways Forensics I | X-Ways
Feb 26-Mar 1 | Online (5x6¼ hrs!) | Europe, Asia | X-Ways Forensics I | X-Ways
Feb 26-29 | Ft. Lauderdale, FL | USA | X-Ways Forensics I | H-11
Mar 5-8 | Canberra | Australia | X-Ways Forensics I | CDFS
Mar 11-14 | Online (4x8 hrs) | Europe, Asia | X-Ways Forensics I | X-Ways
Mar 12-15 | Salt Lake City, UT | USA | X-Ways Forensics I | H-11
Mar 19-21 | Online (3x8 hrs) | Europe, Asia | X-Ways Forensics II | X-Ways
Mar 25-28 | Ontario, CA | USA | X-Ways Forensics I | H-11

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v21.0?
(please note that most changes affect X-Ways Forensics only)

User Interface

  • The case tree now visibly tracks the mouse pointer position and highlights the node corresponding to the mouse position, similar to the directory browser.

  • The case tree now also supports full row reactivity, meaning you can click anywhere to the left or right of a node for the desired response, so that you do not have to aim so precisely any more. The supported actions are left-clicking to select and explore, middle-clicking to tag or untag, right-clicking to explore recursively, and double-clicking to expand or collapse subdirectories or partitions.

  • Improved understandability of the user interface in various areas.

  • Ability to access the column header functionality solely with the keyboard, without using the mouse, by pressing Ctrl+H (H for header), to activate or deactivate filters and to select columns as sort criteria.

  • If you store and load directory browser settings in cases, the current DPI settings are now stored along with the column widths, so that those column widths can be automatically adjusted proportionally when opening the same cases in Windows systems with different DPI settings. (Only in newly created cases of v21.0. Releases of v20.6 and later from Oct 27, 2023 can still load the directory browser settings from such cases, but will ignore the DPI settings.)

  • Improved ability to abort previewing or viewing large files with the viewer component, by moving the mouse cursor in the lower right corner of the viewer window, when a notice appears there to make you aware of this option.

  • The auto update function was improved (the ability to update, with a single mouse click, the picture shown by the graphics display library in a separate window).

  • When running multiple instances (sessions, processes) of WinHex/X-Ways Forensics at the same time on the same machine, those instances are now numbered starting with 1 instead of 0. The instance number can now not only be seen in the so-called About box (the box that pops up when clicking the version number in the upper right corner), but for additional instances also in the caption of the main window, so that it's easier to tell them apart in the Windows Task Bar and the Windows Task Switcher. That depends on a new checkbox in the General Options dialog window. Note that if you end earlier instances and then start new ones, the new instances will re-use slots with instance numbers starting with 1.

  • If the new check box to better distinguish between sessions is fully checked, different instances can have their own background colors, which currently is not compatible with dark mode.

  • A few function/command icons were revised. More icons were added in various areas of the graphical user interface.

  • The directory browser can now show file archives with a dedicated archive icon or the regular blue icon with a superimposed capital A, depending on the settings in the directory browser options.

  • The option to mark pictures in the gallery as already viewed now extends to pictures that are displayed by the viewer component, not the internal graphics display library. This affects for example JPEG 2000, DXF, WMF, and EMF files.

  • Revised visual marking of check boxes with user tooltips.

  • An optional special simplified RVS+search dialog window was introduced in the triage user interface of X-Ways Investigator (option +104 in investigator.ini).

  • The legacy option to omit previously existing files when adding selected files to a hash set was removed.

  • Fixed a graphical glitch in certain list boxes at high DPI settings.

Timestamp Analysis

  • The timestamp filter can now optionally combine the conditions for the various timestamp types (creation, modification, ...) with a logical AND instead of the default OR.

  • There are two different types of AND combinations for timestamp filters. A strict AND combination (fully checked) requires that all targeted timestamps are actually present/available. A soft AND combination (half checked) requires only all available timestamps to meet the filter condition (and at least one must be available).

  • The event timestamp filter and the general timestamp filter are now fully independent of each other, so that it's possible to filter for example for events after July 2022 in files that were created before March 2017.

  • The timestamp filter now allows you to focus on NTFS 0x10 timestamps that appear significantly backdated compared to their 0x30 counterparts, and also on creation timestamps from the file system that are earlier than content creation timestamps from the internal file metadata.

    You can define a threshold in milliseconds, seconds, minutes, hours, days, weeks, months or years that makes such timestamp discrepancies relevant to you, i.e. you can require that the main creation timestamp is at least that much older than the corresponding 0x30 timestamp or the content creation timestamp. If you compare UTC-based creation timestamps from the file system to content creation timestamps that were recorded in an unknown local time zone (e.g. in PNG files), you could take into account how many hours of difference could be attributed merely to this effect. To assist you, the UTC creation timestamp is made more comparable to a local content creation timestamp by adjusting it to the display time zone.

    Please note that backdating most often occurs automatically, for various reasons (e.g. file archive extraction or setup programs), and is not necessarily the result of intervention by a suspect or of malware activity with malicious intent. If you are interested in potential manual interventions by a suspect, it could be useful to employ the file type filter at the same time and focus on file types for which timestamps could make a difference in your case, e.g. documents.

  • All NTFS 0x10 timestamp cells now show a backdating icon if they predate their corresponding 0x30 counterparts (the columns with the superscript 2 in the header) by more than the threshold that is defined in the timestamp filter dialog window. Creation timestamp cells show such an icon also if they predate the "Content created" timestamp, if any such timestamp exists and was extracted. The arithmetic difference between the two timestamps that are compared is displayed after the icon, rounded to milliseconds, seconds, minutes, hours, days, weeks, months or years.

  • The general timestamp filter now has an "All" setting that allows you to focus on files with any value for the selected timestamp types, for example to combine that with the Backdating condition or simply to focus on files that have a timestamp of the selected type(s) at all.
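The backdating check and the strict/soft AND combination described in this section, as an added Python illustration that is not part of the newsletter or of X-Ways Forensics itself: backdated() compares a 0x10 timestamp against its 0x30 counterpart (or the content creation timestamp) with a user-defined threshold and renders the rounded difference, comparable_local() applies the display-time-zone adjustment mentioned above, and timestamp_filter() implements the OR / strict AND / soft AND semantics. The function names, the 30-day month and 365-day year used for rounding, and the sample timestamps are assumptions and constructed values.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Rounding units for the displayed difference, largest first. Month and year lengths
# (30 and 365 days) are assumptions; the newsletter does not state how X-Ways rounds them.
_UNITS = [
    ("years", timedelta(days=365)),
    ("months", timedelta(days=30)),
    ("weeks", timedelta(weeks=1)),
    ("days", timedelta(days=1)),
    ("hours", timedelta(hours=1)),
    ("minutes", timedelta(minutes=1)),
    ("seconds", timedelta(seconds=1)),
    ("ms", timedelta(milliseconds=1)),
]


def round_difference(delta: timedelta) -> str:
    """Render a non-negative difference in the largest unit that fits, rounded to whole units."""
    for name, unit in _UNITS:
        if delta >= unit:
            return f"{round(delta / unit)} {name}"
    return "0 ms"


def backdated(primary: datetime, reference: datetime, threshold: timedelta) -> Optional[str]:
    """Return the rounded difference if `primary` predates `reference` by at least `threshold`.

    `primary` is the 0x10 ($STANDARD_INFORMATION) timestamp, `reference` its 0x30 ($FILE_NAME)
    counterpart or the content creation timestamp from the file's internal metadata.
    Returns None when the pair is not considered backdated.
    """
    gap = reference - primary
    return round_difference(gap) if gap >= threshold else None


def comparable_local(utc_ts: datetime, display_tz: timezone) -> datetime:
    """Adjust a UTC file system timestamp to the display time zone and drop tzinfo, so it can
    be compared against a content creation timestamp recorded in an unknown local time zone."""
    return utc_ts.astimezone(display_tz).replace(tzinfo=None)


def timestamp_filter(timestamps: Dict[str, Optional[datetime]],
                     condition: Callable[[datetime], bool],
                     mode: str = "or") -> bool:
    """Combine one condition over several timestamp types the way the v21.0 filter does.

    'or'         - default: any available timestamp matching is enough.
    'strict_and' - fully checked: every targeted timestamp must be present AND match.
    'soft_and'   - half checked: every *present* timestamp must match, at least one present.
    None in `timestamps` means that timestamp type is not available for the file.
    """
    present = [ts for ts in timestamps.values() if ts is not None]
    if mode == "or":
        return any(condition(ts) for ts in present)
    if mode == "strict_and":
        return len(present) == len(timestamps) and all(condition(ts) for ts in present)
    if mode == "soft_and":
        return bool(present) and all(condition(ts) for ts in present)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: 0x10 creation time far older than the 0x30 creation time, the typical
    # footprint of archive extraction or an installer preserving old dates.
    si_created = datetime(2020, 1, 1, 9, 0)
    fn_created = datetime(2020, 1, 4, 9, 0)
    print("0x10 vs 0x30:", backdated(si_created, fn_created, timedelta(days=1)))  # 3 days

    # Constructed sample: PNG with a local-time content creation timestamp (zone unknown),
    # compared against the UTC file system creation time shown in a UTC+2 display zone.
    fs_created_utc = datetime(2021, 6, 1, 11, 30, tzinfo=timezone.utc)
    content_created_local = datetime(2021, 6, 1, 14, 0)
    local = comparable_local(fs_created_utc, timezone(timedelta(hours=2)))
    print("fs vs content:", backdated(local, content_created_local, timedelta(minutes=10)))  # 30 minutes

    after_july_2022 = lambda ts: ts > datetime(2022, 7, 31)
    stamps = {"creation": datetime(2023, 1, 5), "modification": datetime(2023, 2, 1), "access": None}
    print("strict AND:", timestamp_filter(stamps, after_july_2022, "strict_and"))  # False, access missing
    print("soft AND:", timestamp_filter(stamps, after_july_2022, "soft_and"))      # True
```

The display-time-zone step matters in practice: without it, a UTC file system timestamp compared against a local-time content timestamp would show a spurious difference equal to the zone offset, and a threshold of a few hours would be needed merely to suppress that effect.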

Cases and Evidence Objects

  • When adding a single archive file to the case as an evidence object (using the Add File menu command or via drag & drop), that archive will be explored immediately and only its contents will be presented in the directory browser, not the archive file itself, just like when adding an image or an evidence file container to the case. That works for all supported archive subtypes whose contents you have X-Ways Forensics include in a volume snapshot when refining it.

    Spanned/segmented Zip and 7z archives in 7-Zip and WinZip styles are also supported, just please make sure that you add the first segment to the case, which in case of 7-Zip style is the segment named .001 and in WinZip style the one named .z01. For password-protected (encrypted) Zip, 7z and Rar archives you will be prompted for the password. The password can be saved in the case so that you do not need to enter it again when re-opening such an evidence object.

  • Ability to hash (and after that verify) ordinary files and archive files that are evidence objects, using the "Hash/verify evidence objects" command.

  • In newly created cases, the two internal subdirectories for evidence objects that are directories or single files now get shorter names, which no longer include the original paths of those directories or single files. The uniqueness of the subdirectory names is now ensured in the same way as for images (should multiple directories or single files with the same names be added to the same case). The new naming conventions are also understood by v20.8 from SR-6 and v20.9 from SR-5.

  • If the user tries to open an evidence object that is a single file or a directory, and if that file or directory does not exist any more in its original path, X-Ways Forensics now conveniently offers the user to either provide the new path or to open the evidence object anyway without the underlying data (loading only the volume snapshot).

  • For convenience, X-Ways Forensics no longer requires the user to repeatedly select evidence objects for processing (volume snapshot refinements, logical searches, index searches, case report, ...) or to confirm the selection while the same case is open and no new evidence objects are added.

Volume Snapshot Refinement

  • The picture content analysis functionality is now also available when volume snapshot refinement is applied to selected files.

  • Discarding results of picture analysis and processing (by unchecking the "already done" box) now removes labels for identified photo content.

  • The maximum number of worker threads in X-Ways Forensics (not X-Ways Investigator) has been increased from 16 to 24 (subject to availability of processor cores).

  • A previously existing file whose first cluster was reallocated according to the file system (shown as "1st cluster not available") can now be processed by volume snapshot refinement if you uncheck a new checkbox that by default causes such files to be omitted. That means in particular that unrelated random data that does not belong to the file can now be hashed and presented as that file's hash value, although it most certainly was not that file's hash value. Previously X-Ways Forensics would have processed such a file only if it was specifically targeted via tagging or selecting. If X-Ways Forensics is forced to compute them, hashes of such nonsensical data are displayed in the directory browser in gray color, to remind the user that they should not be overinterpreted or expected to be found on other storage devices.

  • Volume snapshot refinement now refuses to run on evidence objects that were opened without their data sources (without the storage device, image, directory, ...) because that does not make sense.

  • Ability to compute and store MD5 hash values of half the regular length ("folded", i.e. first half xor'ed with the second half, yielding 64 bits), as an economical compromise between CRC32 (32 bit) and regular MD5 hashes (128 bits), to bridge the gap between the two and save memory and/or drive space, for example for deduplication purposes.

  • Ability to compute EDRM MIH hash values for extracted e-mail messages and original .eml and .emlx files (if they contain complete headers), to search for e-mails with a known MIH value, for database matching, or for deduplication purposes. If an MIH is assigned to an .eml file in a volume snapshot and the .eml file was extracted from an .msg file, the same MIH will automatically be assigned to the parent .msg file as well. Two copies of the same e-mail message may have different regular hash values, but the same MIH, for example if the file format is different (raw .eml file vs. OLE2 MSG file) or if body format and/or content are stored differently. If EDRM MIH is selected as the hash type, but no MIH can be computed because the targeted file is not an e-mail message of a supported type, the hash value cell remains blank. As a compromise, you can choose MD5/MIH as the hash type, where an MIH is computed if possible, or an MD5 hash value if not, so that all hashable files get a hash value usable for deduplication or matching. MIH is an eDiscovery standard, and was described as a "groundbreaking solution" by a leading supplier.
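Folded MD5 as an added Python illustration (my example, not X-Ways code): the 128-bit digest is split into two 64-bit halves which are XORed byte by byte, and the 8-byte result is used as a deduplication key, with the per-entry storage of CRC32, folded MD5 and MD5 shown side by side. Byte-wise XOR of the two halves is an assumption about the exact folding; the function names and the sample files are constructed.

```python
import hashlib
import zlib
from typing import Dict, List


def folded_md5(data: bytes) -> str:
    """Return the 64-bit 'folded' MD5 as 16 hex characters.

    The 16-byte MD5 digest is split into two 8-byte halves that are XORed byte by byte.
    (Byte-wise XOR of the halves is an assumption; the newsletter only says the first half
    is XORed with the second half to yield 64 bits.)
    """
    digest = hashlib.md5(data).digest()
    first, second = digest[:8], digest[8:]
    return bytes(a ^ b for a, b in zip(first, second)).hex()


def hash_sizes(data: bytes) -> Dict[str, int]:
    """Storage per entry in bytes for the three options the newsletter compares."""
    return {
        "CRC32": len(zlib.crc32(data).to_bytes(4, "big")),
        "folded MD5": len(bytes.fromhex(folded_md5(data))),
        "MD5": hashlib.md5(data).digest_size,
    }


def dedupe(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group file names by folded MD5 so that identical contents share one 8-byte key."""
    groups: Dict[str, List[str]] = {}
    for name, content in files.items():
        groups.setdefault(folded_md5(content), []).append(name)
    return groups


if __name__ == "__main__":
    # Constructed sample files: two identical copies and one different file.
    sample = {"a.jpg": b"same content", "b.jpg": b"same content", "c.jpg": b"other content"}
    for key, names in dedupe(sample).items():
        print(key, names)
    print(hash_sizes(b"same content"))  # {'CRC32': 4, 'folded MD5': 8, 'MD5': 16}
```

Folding halves the storage but also halves the key length: with a 64-bit key, accidental collisions between unrelated files become likely only on the order of 2^32 distinct files, far fewer than for the 128-bit MD5 space but vastly more than CRC32 can tolerate, which is the trade-off the newsletter describes.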

Search Functionality

  • Regular expressions now support \u Unicode values within square brackets, i.e. within sets of characters.

  • The search term list now has an option in its context menu to thin out potentially very long lists of search terms by excluding non-responsive ones (search terms that never yielded any search hits). That is not guaranteed to work with search terms in case files written by older versions.

  • Right-clicking in the search term list no longer makes you lose a selection of multiple search terms.

File Type Support

  • The internal graphics display library was updated.

  • The recognition of generating device was updated as always. Among other improvements, recognition of iPhone 15 as a generating device has been added.

  • The generating "software class" reported in Details mode was revised. There are now two more classes: scanner and web site builder. Examples of the latter include WIX, JIMDO, Site123, Squarespace, and Shopify.

  • Another change in the Summary Table in Details mode is the new entry "propensity score". It can assume values from 1 to 99. The relevance computation is mainly based on that value. That value is an objective statistical probability for the picture having additional, removable, relevant metadata. It could also be designated as documentality, the quality of being able to serve as a document. One can check this additional information for its consistency. The propensity score generally exists for raster images (that are measured in pixels), in particular also for the formats PNG and WEBP.

  • A new internal label was introduced for Avatar/Identicon JPEG pictures. Such identicons are often smaller versions of avatars and exist on Tiktok, Twitter, Facebook, Instagram, Youtube, Quora, Gravatar, Pinterest and elsewhere.

  • Support for previews of a newer version of jump lists (.automaticdestinations-ms files).

  • Details mode now points out the presence of JUMBF metadata blocks in JPEG files, a voluntary marker of computer (AI) generated pictures.

System Tools

  • A new command in the Tools | File Tools submenu allows you to take control of all the files in a directory that you select (in the currently active Windows system). It gives all users full access, recursively. Requires administrator rights.

  • The OS-Wide Write Protection function was slightly revised. When applied to a volume on an MBR-partitioned storage device, the user is now offered to target all volumes on that device instead because the protection cannot be enabled for just a single volume in that case.

Templates and Scripts

  • Ability to use variable names with spaces in them (if enclosed in round brackets) in formulas in templates.

  • Ability to define constants in templates, with a name, an integer type and a value of your choice, and use those constants in calculations. If the name contains a space, it needs to be enclosed in quotation marks. The value can be a formula and may depend on other constants or variables that are already defined at the time when the constant is defined. Constants are listed in the template window along with variables. Example:

    const int16 100 "My constant"
    const int16 ("My constant"*10) "My other constant"
    goto ("My other constant"*5)


    This will change the current position of template interpretation to offset 5000.

  • Ability to use internal predefined constants named Bytes_per_sector and Bytes_per_cluster in formulas, in templates that are applied to storage devices or interpreted images or partitions/volumes.

  • Another new predefined constant is Bytes_per_record. It depends on the record size defined in View | Record Presentation, if active. If that display option is not active, on partitions/volumes with an Ext2/Ext3/Ext4, XFS or UFS file system it is the inode size, or in NTFS file systems the FILE record size.

  • Another new predefined constant is Base_offset. That's the offset in the active data window that the template was applied to by the user, which may change when navigating to adjacent records.

  • The keyword multiple in a template definition may now appear in the body. When used there, it must be accompanied by a parameter that provides the amount of data covered by the template in bytes, which may be a formula and (unlike in the header) may use constants or variables. This allows you to navigate to adjacent records to the left and to the right. If that amount of data is not explicitly defined in the body, i.e. the multiple keyword is used only in the header without a parameter, then the amount is deduced indirectly from the current read position at the end of template interpretation like in previous versions, and may be considered variable in length if variables in the template have a variable size, in which case no navigation to the left is possible.

  • The legacy WinHex script command UseLogFile was revised. It now has an effect on more messages that are output, and the resulting log file is now Unicode-capable (UTF-8).

Miscellaneous

  • Files created with the File | New command can now be optionally held in memory instead of in a temporary file, for performance or storage quota or security reasons. If the checkbox is fully checked, that means the user insists on memory storage and the menu command fails if not enough memory is available (or not enough contiguous memory address space in case of the 32-bit edition). The same setting applies when pasting data from the clipboard into a new file via Edit | Clipboard Data | Paste Into New File. The Info Pane will show the buffer address in the memory address space instead of a path for the newly created file. Please note that the data you are handling could still be written to disk by Windows for example as part of pagefile.sys. Also, if your goal is to avoid disk I/O and the usage of temporary files, you may want to disable file backups for the Undo function, in Options | Undo.

  • When printing selected files along with direct child objects, excluded and filtered out child objects are now omitted.

  • The NSRL RDS hash sets, in a format for import into X-Ways Forensics, have been updated to release 2023.12.1, and are available for download from the resource directory in both MD5 and SHA-1 versions as always.

  • The downloadable Tesseract package has been updated with the latest version in October. It includes updated WebP support with a fix of a potential heap buffer overflow.

  • For those who were wondering: The two vulnerabilities that were identified in the WinRAR software in August do not affect X-Ways Forensics even though X-Ways Forensics can decompress RAR archives.

  • The program help and the user manual were updated.

  • Many minor improvements.


Changes of service releases of 20.9

  • SR-1: Fixed a read error that could occur with extracted files since v20.8.

  • SR-1: Fixed handling of line breaks in comments in the hash comment database.

  • SR-1: Certain ZSTD-compressed files in Btrfs could not be decompressed. That was fixed.

  • SR-2: Auxiliary directories in evidence file containers whose purpose is to accommodate child objects of files for the benefit of external tools that would not accept files contained in other files are no longer included in volume snapshots by X-Ways Forensics itself, so that regardless of your use of the option to create such artificial directories child objects are associated directly with the parent files to which they actually belong. This facilitates navigation and enables users for example to conveniently access e-mail attachments right from within e-mail previews like in the volume snapshot of the original evidence object, without any navigation in the directory browser.

  • SR-2: The U flag in "File header signature search.txt" can no longer override the user's disabled net free space setting. It will instead be treated like a lower case u if no net free space computation is meant to be run.

  • SR-2: Adding file hashes and comment to the hash comment database now automatically adopts that database's hash type in the volume snapshot as its first hash type if the first hash type was undefined until that moment.

  • SR-2: Btrfs: Fixed opening compressed files in the 64-bit version.

  • SR-2: Under some special circumstances conditional cell coloring could render the text in some non-targeted cells invisible. That was fixed.

  • SR-2: Fixed an exception error that could occur when copying files with a lot of extracted metadata to an evidence file container.

  • SR-2: Got away with a performance bottleneck that became apparent after storing extracted metadata for more than 8.4 million files in a volume snapshot.

  • SR-3: SR-2 erroneously behaved like a pre-release version and will expire (stop working) around Aug 28, sorry. SR-3 no longer has that problem.

  • SR-3: The option "Copy and link each file only once" of the case report could treat original files and their respective auxiliary child object representations the same. This was changed/fixed so that both can be listed, linked and copied in the same report if desired.

  • SR-4: Certain files that X-Ways Forensics decided should not be touched again, like archive bombs and files that caused crashes, were previously shown with a hash value of all zeroes. That was fixed/improved.

  • SR-4: A rare exception error in APFS free space parsing has been prevented.

  • SR-4: Removing labels from a file with the Remove button did not work if at least one label was selected that the file did not have. That was improved.

  • SR-4: Discarding results of picture analysis and processing (by unchecking the "already done" box) now allows to have the same pictures processed by the picture content analysis again.

  • SR-4: Fixed a potential integer underflow error that could occur when processing specially prepared 7-Zip archives.

  • SR-4: Fixed an error that could occur when capturing memory of running processes with an optional process name mask.

  • SR-5: Updated WebP support in the internal graphics display library including a fix for a potential heap buffer overflow.

  • SR-5: Avoided an exception error with certain .evtx event log files.

  • SR-6: Fixed a harmless memory error message and an instability problem that could occur when running an index search.

  • SR-6: The Notation button in Recover/Copy linked to the general notation settings, not the one used by the Recover/Copy command, since v20.7. That was fixed.

  • SR-6: Fixed a potential instability at the end of an import of ordinary hash values from a ProjectVic JSON file, and a potential infinite loop when importing PhotoDNA hash values.

  • SR-7: User-supplied passwords were not applied to certain zip archives for automatic decryption. That was fixed.

  • SR-7: The light bulb icon was not visible in event lists with low DPI settings in SR-6. That was fixed.

  • SR-7: Prevented a potential volume snapshot corruption in v20.9 that affected some extracted files (led to read errors and refinement performance issues), given a certain combination of settings.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, and updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#172: X-Ways Forensics, X-Ways Investigator, WinHex 20.9 released

Jul 27, 2023

This mailing is to announce the release of another update with important improvements, v20.9. The release date was 26 July.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data/password (!), details about their licenses and upgrade or renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible as described.

Please be reminded that if you are interested in receiving information about service releases as soon as they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.


Upcoming Training Events

Dates | Location | Target Region | Course | Delivered by
Jul 31-Aug 4 | Online (5x6 hrs!) | America (incl. West Coast) | X-Ways Forensics I | X-Ways
Jul 31-Aug 3 | Salt Lake City, UT | USA | X-Ways Forensics I | H-11
Aug 14-17 | Columbia BWI, MD | USA | X-Ways Forensics I | H-11
Aug 21-24 | Online (4x6 hrs!) | America (incl. West Coast) | X-Ways Forensics II | X-Ways
Aug 21-24 | Ontario, CA | USA | X-Ways Forensics I | H-11
Sep 4-8 | Online (5x6 hrs!) | Europe, Asia | X-Ways Forensics I | X-Ways
Sep 18-21 | Online | America, Europe | X-Ways Forensics I | X-Ways
Sep 19-22 | Fyshwick ACT | Australia | X-Ways Forensics I | CDFS
Sep 19-22 | St. Paul, MN | USA | X-Ways Forensics I | H-11
Oct 10-12 | Online | Europe, Asia | X-Ways Forensics II | X-Ways
Oct 10-13 | Ottawa, ON | Canada | X-Ways Forensics I | F111th
Oct 10-13 | Paris | France | X-Ways Forensics I (in French) | Tracip
Oct 16-19 | London, England | Europe | X-Ways Forensics I | X-Ways
Oct 16-19 | Ft. Lauderdale, FL | USA | X-Ways Forensics I | H-11
Oct 23-27 | Online | America, Europe | File Systems Revealed | X-Ways
Oct 24-27 | Melbourne | Australia | X-Ways Forensics I | CDFS

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.9?
(please note that most changes affect X-Ways Forensics only)

Hash Databases

  • What's better than five hash databases? Right, six hash databases. In addition to two conventional hash databases, a block hash database, a FuzZyDoc database and (if eligible) a PhotoDNA hash database, you can now maintain a database of recurring files that you have descriptions of. For example that may be useful if you are required to include descriptions of illegal photos in your case reports for the court. If the same photos occur in multiple cases, the new database can save you work and make it unnecessary to view the photos again. Whatever you enter as comments can be saved in the database along with the corresponding hash value. For that to happen you select the relevant files and invoke the command "Include in Hash Database" in the directory browser context menu. Whether hash values were already computed for the selected files is not important. They are computed on the fly if not. You can get the same comments back in another case if you match the hash values in the other case against the database as part of volume snapshot refinement.

  • The database is stored in the file "Hash Comments.txt". You can easily share the database by simply sharing that file with other users. The file is independent of the conventional hash databases, meaning it does not matter which user has which conventional hash database with hash sets from which source(s). You do not need a conventional hash database at all to create a "Hash Comments.txt" file or match the hash values in your cases against the "Hash Comments.txt" file of someone else. So the "Hash Comments.txt" is quite universal and suitable for inter-agency exchange.

  • You can merge text files of different colleagues/sources with your own database in the user interface: Open the Tools | Hash Database dialog window and click the Import button. If X-Ways Forensics detects duplicate entries (same hash value), it will either keep the previous comment or adopt the new comment, depending on the state of a checkbox in the same dialog window. Keep that in mind when importing entries from other users. The rule also has an effect if duplicate entries are found within the same text file because you have merged entries manually.

  • Since we are talking about a simple text file, you can merge "Hash Comments.txt" files from different sources easily in a simple text editor, or edit the descriptions as needed, get them automatically translated etc. Just keep the general layout of 1 hash value + description per line intact. The first line (header line) in "Hash Comments.txt" must contain the designation of the hash type in ASCII (e.g. "MD5" or "SHA-1"), followed by a tab and the ASCII letters "Cmt", and this is all case-sensitive. All the following lines start with a hash value in hex ASCII (both upper or lower case allowed), followed by a tab and the description in UTF-8. Both Windows and Unix/Linux line breaks are allowed.

  • There is an unlabeled, but tooltipped checkbox that allows you to get existing comments on files replaced when successfully matching hash values against hash comments. That means previous comments will be lost if there is a comment for the same files in the hash comment database.

  • There is an option to prepend comments that were automatically derived from "Hash Comments.txt" with the initials "[HC] " to distinguish them from comments entered by the user manually.

File Type Support

  • Now 40,000 definitions of photo generating devices.

  • A fallback code page for plain text representations by the viewer component can now be selected via a new "..." button in Options | File Viewing. The list of available code pages there is more extensive than in the options dialog window of the viewer component itself (the one that can be accessed via the right-click menu in any window maintained by the viewer component).

  • When playing videos with MPlayer that were recorded by smartphones, or when extracting individual frames/stills from them, these videos are now rotated as needed. (Does not work if metadata was previously extracted by volume snapshot refinement in earlier releases.)

  • Several new compression and decompression options are now available in X-Ways Forensics and WinHex Lab Edition via Edit | Convert, which can be applied to the entire data represented in an active data window, if not in read-only mode. They allow you to manually decompress data found in and compressed by various file systems if X-Ways Forensics does not have the corresponding files in its volume snapshot or cannot decompress them automatically.

  • The relevance calculation for pictures based on dimensions in pixels was improved.

  • PNG support in the internal graphics display library updated.

  • Proper aspect ratio of report thumbnails for JPEG pictures that need to be rotated as per Exif orientation metadata.

  • Ability to process certain SRUDB.dat files that previously could not be processed successfully or were not recognized as SRUDB.dat files.

  • Addressed an exception error that could occur when extracting metadata from certain PDF and Adobe Illustrator files.

  • Eliminated a restriction that could prevent automatic carving of Base64 code.

  • Files with pure Base64 code (e.g. carved from HTML files in which they are embedded) that have their decoded data in a child object can now be previewed and represented in the gallery with their decoded data directly.

File System Support

  • Additional hard links for the same file in NTFS can now optionally be omitted already when taking a volume snapshot, which means they will not be included at all and not shown in the directory browser as additional files. That could be helpful for example when making sense of storage space utilization, where counting the same files 10 or 100 times does not make sense. The "Link count" column still shows the true number of hard links (which, however, as before ignores pure 8.3 character filenames and which, by the way, as before may differ significantly from the not very well maintained hard-link count in the FILE record).

  • Ability to detect unusual or suspicious short filenames (SFNs, 8+3 character names) in NTFS. Such short filenames can optionally be output in the volume snapshot either as alternative names or as fully valid hardlinks themselves (i.e. like additional copies of the same files). They can also be labeled as "peculiar SFNs" to make you aware of them. Unexpected SFNs that don't seem to match their corresponding LFNs could be interesting if they reflect previous names of files that have been renamed, or because they may have been specially engineered to replace sensitive files with fixed names (such as DLLs or configuration files), while their LFNs are different and perfectly innocuous. The settings for SFN treatment can be found in Options | Volume Snapshot. If you find that too many normal files are flagged that way, you can report back to us and try UNchecking the box for "more strict matching", so that some of the less severe discrepancies are ignored.
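An added example, not X-Ways Forensics' own implementation: a Python heuristic that checks whether an NTFS short filename could have been derived from its long filename and flags the remaining pairs as peculiar, including the case described above of a DLL-like SFN sitting under an innocuous LFN. It assumes a simplified version of the Windows SFN generation rule and models the "more strict matching" option as an additional extension check; the LFN/SFN pairs are constructed.

```python
import re

# Assumptions of this example: a simplified version of how Windows derives an
# 8.3 short name (SFN) from a long name (LFN), not X-Ways Forensics' own logic.
# Characters legal in LFNs but not in 8.3 names become '_'; spaces and extra
# dots are dropped; the base is upper-cased and cut to 6 characters plus "~N",
# or, after several collisions, 2 characters plus 4 hex digits plus "~N".
SFN_REPLACED = set("+,;=[]")
TILDE_FORM = re.compile(r"^(.{1,6})~(\d+)$")
HASH_FORM = re.compile(r"^(.{2})([0-9A-F]{4})~(\d)$")

# Constructed LFN/SFN pairs, as they might appear in an NTFS directory.
SAMPLE_PAIRS = [
    ("Program Files", "PROGRA~1"),
    ("Holiday photos 2023.jpeg", "HOLIDA~1.JPE"),
    ("Mozilla Firefox", "MO1234~1"),
    (".gitignore", "GITIGN~1"),
    ("notes.txt", "NOTES.TXT"),
    ("report.docx", "REPORT~1.TXT"),
    ("Holiday photos 2023.jpeg", "KERNEL32.DLL"),
]


def _split_83(name: str) -> tuple:
    """Split at the last dot into (base, extension); no dot means no extension."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def derive_83_parts(lfn: str) -> tuple:
    """Sanitised base and 3-character extension that a generated SFN would use."""
    base, ext = _split_83(lfn)

    def clean(s: str) -> str:
        return "".join("_" if c in SFN_REPLACED else c for c in s.upper() if c not in " .")

    cbase, cext = clean(base), clean(ext)[:3]
    if not cbase:  # names like ".gitignore": the extension becomes the base
        cbase, cext = clean(ext), ""
    return cbase, cext


def is_plausible_sfn(lfn: str, sfn: str, strict: bool = True) -> bool:
    """True if `sfn` could have been generated from `lfn`.

    strict=True also requires the extensions to agree; strict=False models the
    unchecked "more strict matching" box by ignoring extension discrepancies
    (assumption: that is how this example interprets the option)."""
    if sfn.upper() == lfn.upper():
        return True  # the name is a valid 8.3 name itself, nothing to derive
    sbase, sext = _split_83(sfn.upper())
    lbase, lext = derive_83_parts(lfn)
    ext_ok = (not strict) or sext == lext
    tilde, hashed = TILDE_FORM.match(sbase), HASH_FORM.match(sbase)
    base_ok = (
        (tilde is not None and lbase.startswith(tilde.group(1)))
        or (hashed is not None and lbase.startswith(hashed.group(1)))
        or sbase == lbase  # cleaned LFN base already fits, so no "~N" was needed
    )
    return base_ok and ext_ok


def find_peculiar_sfns(pairs, strict: bool = True) -> list:
    """Return the (lfn, sfn) pairs whose SFN does not look derived from the LFN."""
    return [(lfn, sfn) for lfn, sfn in pairs if not is_plausible_sfn(lfn, sfn, strict)]


if __name__ == "__main__":
    for lfn, sfn in find_peculiar_sfns(SAMPLE_PAIRS):
        print(f"peculiar SFN: {sfn!r} for {lfn!r}")
```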

  • Improved interpretation of certain incomplete/corrupted NTFS file system data structures.

  • Support for more compressed storage variants in APFS, including inline storage.

  • Support for ZSTD compression in Btrfs.

  • Inline compression in Btrfs supported.

  • Improved cluster/block listing output for compressed data in Btrfs.

  • The new XFS timestamp format known as "Big time" is now supported and the timestamps are shown correctly. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume.

  • Should an XFS volume be flagged internally as "needing repair", XWF now issues a message to that effect, warning of damaged file system structures potentially causing issues. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume, without further specifics.

  • Volume snapshots based on directory listings of the active operating system ("OS dir list") for local storage now include "Record changed" timestamps and hard-link counts.

  • If the incremental completion option for directory listings of the active operating system ("OS dir list") is active, directories that have not been explored yet are now marked with an asterisk (*) in the Attr. column.

  • In volume snapshots based on directory listings of the active operating system ("OS dir list"), write-locked files that are open in other processes and cannot be changed are now optionally shown with an upper-case "L" in the Attr. column (for "locked"). Files that are merely kept open may be shown with a lower-case "o" if the box that represents this option is fully checked (for "open"). This could be useful when previewing or acquiring a live system, to find out which files are/were open in running processes or background services, or which executable files appear(ed) to be running/loaded. Please note that checking this for many files will take a long time. It may be practical only for specific directories of interest. This option has no effect on mapped network drives. It is possible to use the Attr. filter to quickly target open or write-locked files, and these files are higher in the sort order for the Attr. column.

Storage Device Support

  • Improved handling of HPAs/DCOs.

  • Treats presumably inactive GPT partitioning (replaced with ordinary MBR partitioning) properly as such, by presenting partitions that are defined in the GUID partition table as previously existing instead of existing, and by confirming MBR as the (active) partitioning style.

  • If a file system in a partition assumes a sector size of 4 KB while the physical storage device or image that it's contained in has a sector size of 512 bytes, and if the number of 512-byte sectors in the partition is not evenly divisible by 8, then an incomplete additional 4 KB sector is now defined to cover the existing extra 512-byte sectors, even if this exceeds the capacity of the partition, the device or the image. That way the extra space is included in the virtual volume slack file and targeted by logical searches etc., for more thorough coverage, at the risk of producing read errors.

  • Ability to specify a footer size in sectors on components of a RAID that you reconstruct, to exclude sectors at the end. This could be useful in particular for JBODs if the interspersed unused space disturbs the consistency of the resulting data.

Disk Imaging

  • Support for a much more modern compression algorithm in .e01 evidence files, which compared to the historically used algorithm offers a much better trade-off between compression ratio and compression speed plus decompression speed. Roughly speaking, with an almost as strong compression ratio as the "normal" setting of the compatible algorithm (a few % points less), the modern "normal" setting requires only 1/4 of the time for compression and 1/3 of the time for decompression. (We are referring to the mere computational work with a single thread here, excluding time needed for I/O.) When set to "stronger+", the modern algorithm achieves a comparable compression ratio as the former "normal" (or slightly better), but requires only 1/2 the time for compression and 40% of the time for decompression (or less). "Stronger++" takes noticeably more time and is usually not recommendable because the extra compression that it can achieve is usually limited, but it may still be faster than the old compression algorithm, especially for decompression (which typically occurs more than once, e.g. for immediate image verification after creation, for image verification at a later date, a file header signature search, one or more keyword searches, analysis and copying of files, etc.).

  • Please note that the modern compression style will render an image suitable for use in X-Ways Forensics and X-Ways Investigator v20.9 and later only. The "sparse" setting of the modern compression style, however, which is already extremely efficient when acquiring storage devices that have been minimally used, in fact 11 times (!) more efficient for zeroed space than the sparse setting of the compatible compression style, is understood by v18.9 and later already.

  • The descriptive text file that is generated along with an image now has an additional line at the end that describes whether the image is expected to be generally compatible or compatible only with X-Ways products or only with X-Ways products of a particular version, depending on compression settings and encryption.

  • Please note that the additional savings of the stronger compression settings are often minimal. If the compression ratio is very important to you and random access speed within the interpreted image is not, you may want to consider larger chunk sizes instead (or additionally).

  • Faster decompression of .e01 evidence files with the original/compatible compression method in x86.

  • The compression statistics window of .e01 evidence files can now be turned into a data density statistics window by way of a mouse click, which is simply the indication of the reverse. The new default is data density. Taller blue bars previously indicated and still indicate higher compression = lower data density = no encryption = less storage space requirement for the image = less data to analyze = less work. Taller red bars (new) represent higher data density = more storage space requirement = more data to analyze = (if the bars reach the ceiling) potentially encryption. Please note that the lengths of the bars may vary depending on the selected compression method/strength.

  • Prevents accidental overwriting of an image that is to be re-imaged to a new image itself, if the filename is kept the same.

Evidence File Containers

  • Alternative filenames are now preserved in evidence file containers (if together with the respective main filename they are not too long).

  • When copying files into an evidence file container from the root directory of an evidence object or the case root, the middle option between recreating the full original path and no path at all is now to make child objects of selected files also child objects of those files in the container and not place them at the same top level as the parents. In all other cases the middle option remains the same, i.e. only the part of the path below the currently explored directory is recreated, and the effect is now made clearer by the dynamic labeling of the checkbox.

User Interface

  • With the timestamp filter active, matching timestamps are now highlighted in different colors depending on whether they merely fall into the targeted time period or whether they are actually in one of the targeted columns. Similarly, the funnel icons in headers of not directly targeted timestamp columns now appear in a different color, suggesting they are "less" active.

  • Remembers the preferred initials of the last user for the next case and the "Distinguish between different users" option.

  • New notation setting to provide descriptions of files that are child objects of files recursively including their parents.

  • More metadata in the list of restorable volume snapshot backups.

  • Ctrl+0 no longer removes labels that were assigned automatically by X-Ways Forensics and serve as hints for the user or labels that represent detected picture content.

  • It is now easier to find the option to make a label definition available in the report for output as a report table.

  • Chinese translation updated.

Miscellaneous

  • If the command Tools | File Tools | Delete Recursively fails to remove a directory the regular way because of insufficient access rights, it can now make a second attempt if run with administrator rights and have a good chance at removing the directory that way. It requires your consent to use administrator power and take ownership of the selected directory structure prior to deletion.

  • Better resilience against certain corrupted volume snapshots (active only in Preview and Beta releases).

  • Slightly improved internal coordination between sessions.

  • X-Tension API: XWF_SelectVolumeSnapshot now has a return value that allows you to determine success or failure.

  • Fixed a reason for a crash that could occur when exporting search hits with context. If exporting a search hit list with context around search hits still crashes, the exact search hit that is responsible for that should now be brought to the user's attention when restarting the next time.

  • When evidence objects are opened automatically for volume snapshot refinements or simultaneous searches, a certain rare problem with that should be eliminated now.

  • The program help and the user manual were updated.

  • Many minor improvements.


Changes of service releases of 20.8

  • SR-1: Accepts XFS volumes with just 2 or 3 allocation groups as valid.

  • SR-1: Fixed an exception error that could occur when running a file header signature search in Btrfs, QNX or XFS volumes.

  • SR-1: A very rare exception has been fixed that could theoretically occur when opening a file in APFS if the very first data block was sparse.

  • SR-1: X-Ways Imager can now interpret images again after their creation so that they can be verified immediately and automatically.

  • SR-1: Fixed read errors in logical process memory.

  • SR-1: Ukrainian translation of the user interface available.

  • SR-1: The Russian translation of the user interface was updated.

  • SR-2: A very rare exception error was fixed that could occur when parsing NTFS file systems.

  • SR-2: Fixed an exception error that occurred when removing all extracted metadata.

  • SR-2: Fixed a rare exception error that could occur when updating the edit box history.

  • SR-2: Fixed a rare erroneous message about a hash mismatch after verifying evidence objects.

  • SR-3: An internal limitation of 4 TB of extracted data in a volume snapshot was overcome.

  • SR-3: Fixed an exception error that occurred when previewing PLists before they were processed by "Uncover embedded data from various files".

  • SR-3: Fixed a potential crash that could occur on some systems when starting X-Ways Forensics 20.8 for the first time.

  • SR-4: X-Ways Forensics is now more careful when adopting files that were previously carved at the partition/volume level as child objects of other files in which they seem to be contained when uncovering embedded data because that could lead to unwanted data truncation. This improvement will be applied to all affected versions (v20.6 and later).

  • SR-4: Fixed processing of overlong command line parameters.

  • SR-4: The Description filter filtered out all files if certain invisible dependent boxes were checked. That was fixed.

  • SR-4: Fixed inability to open certain newly extracted files in very specific circumstances when refining the volume snapshot.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

#171: X-Ways Forensics, X-Ways Investigator, WinHex 20.8 released

Apr 25, 2023

This mailing is to announce the release of another update with important improvements, v20.8.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data/password (!), details about their licenses and upgrade or renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible as described.

Please be reminded that if you are interested in receiving information about service releases as soon as they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.


Upcoming Training Events

Dates Location Target Region Course Delivered by

May 2-5

Online Europe, Asia X-Ways Forensics I X-Ways

May 16-19

St. Paul, MN USA X-Ways Forensics I H-11

May 30-Jun 2

Paris France X-Ways Forensics I Tracip

May 30-Jun 2

Online Middle East, APAC X-Ways Forensics I X-Ways

Jun 6-9

Online America, Europe X-Ways Forensics I X-Ways

Jun 20-23

Online Europe, Asia X-Ways Forensics I X-Ways

Jun 20-22

Online Europe, Asia X-Ways Forensics II X-Ways

Jun 20-23

Fyshwick ACT Australia X-Ways Forensics I CDFS

Jul 3-6

Birmingham, England Europe X-Ways Forensics I X-Ways

Jul 10-13

Online America, Europe X-Ways Forensics I X-Ways

Jul 11-13

Online America, Europe X-Ways Forensics II X-Ways

Jul 18-21

Online (4x6 hrs!) Middle East, APAC X-Ways Forensics II X-Ways

Jul 31-Aug 3

Salt Lake City, UT USA X-Ways Forensics I H-11

Aug 14-17

London, England Europe X-Ways Forensics I X-Ways

Aug 14-17

Columbia BWI, MD USA X-Ways Forensics I H-11

...

Oct 23-27

Online America, Europe File Systems Revealed X-Ways

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.8?
(please note that most changes affect X-Ways Forensics only)

Picture Analysis

  • v20.8 requires a new Excire package, which is now downloadable and which is compatible with v20.7 SR-7 and later (also older releases of v20.7 if you don't use the search for known faces). The previous version of the package for use with v20.7 SR-6 and older can still be found in the resource download directory as well.

  • Face markings for the search for known faces are now remembered even if the path of the picture collection changes.

  • The picture collection for the face search may now be stored in a path that contains spaces.

  • Option to abort face markings and volume snapshot refinement by pressing Esc while in the face marking process.

  • Identified content in pictures now optionally affects the computed relevance of those files depending on what objects/keywords you define as notable or irrelevant.

  • If the results of picture content analysis are output as labels, videos now also get labeled automatically if the stills that were extracted from them are processed.

  • A new automatic label "metadata added retroactively" was introduced. It is used for pictures whose metadata was automatically or manually added after the content already existed, such as copyright information or keywords.

  • The Summary table for JPEG files in Details mode now not only assesses the compression quality roughly as either "high", "medium", "low" or "very low", but also quantifies it on a linear scale from 0 to 100. This number is not to be confused with the nominal/official JPEG quality, which does not take the actually achieved compression into account.

  • Generating device recognition capabilities updated.

  • The option to falsify the colors of pictures in the gallery to reduce their psychological impact can now be limited to just notable pictures.

  • Gallery thumbnails can now alternatively or additionally be blurred for the same reason, if desired (thumbnails of all pictures or only notable pictures), where half-checked means less blurred.

File Analysis

  • The function to uncover embedded data now has a verbose report mode that makes you aware of files which were previously listed in the virtual directory for carved files (found by signature at the general partition/volume level) but have since been turned into child objects of other files because they seem to logically belong to them and are contained in them.

  • The option to mark files as duplicates in the Description column is now available when checking for listed files with identical start offsets.

  • Time zone information in the summary table of Quicktime videos in Details mode for the Quicktime timestamp, with identification of files that have the so-called "incorrect time zero" issue.

  • For each "family" of file archives (general purpose, Office, special interest, ...) you can now decide whether such archives should be presented in the directory tree once their contents have been included in the volume snapshot.

  • Moderately accelerated dictionary attack on encrypted file archives. Now ~50% faster than in v20.7 and earlier.

  • Encryption test for documents slightly accelerated.

File Type Support

  • Ability to treat CAB Windows installation packages like file archives. If you wish to include their contents in the volume snapshot, please make sure that the type designation cab is listed in an active archive family like "general purpose" or "special interest". By default (in new installations) cab will become part of "special interest" only, because most cab archives are just irrelevant Microsoft installation packages and not user-created file archives. The type designation "cab1" tries to identify most Microsoft installation packages, whereas "cab" could indicate more interesting, manually created file archives.

  • Ability to view and preview the first frame of animated WEBP pictures, also in the gallery.

  • Produces thumbnails of e-mail messages in the report with the alternative .eml presentation if that presentation is active for viewing e-mails right in the browser.

  • Revised handling of file archives for better stability with some rare unusual archives.

Searching

  • If previously decoded text in files was stored in the volume snapshot for re-use, it is now possible to discard that and decode again from scratch, for example after enabling the special decoding option for spreadsheets.

  • Option to display search hits in the search hit list along with their context in hexadecimal notation. Useful especially for technical searches, i.e. not keyword searches, but searches for header signatures, delimiters, binary markers etc. The option can be found in the context menu. It will also affect the output of search hits in the "Export list" command.

  • The special search commands for integer numbers and floating point numbers can now be applied in File mode, and their output messages are now Unicode-capable and thus readable if the user interface is set to a non Western European language.

User Interface

  • Selecting an evidence object in the Case Root window now automatically also selects it in the Case Data window, and expands the tree for that if necessary (if the selected evidence object is a partition) and scrolls vertically if necessary, so that it now becomes easy to locate a particular evidence object in a large case, considering that in the case root window you can sort evidence objects by name and use filters etc.

  • Drag & drop is now supported in the Case Data window to move top-level evidence objects up or down in the tree.

  • The expanded status of top-level evidence objects with partitions is now remembered and restored when opening a case.

  • Notation setting to show forward slashes instead of backslashes in the path columns, in the caption line of the directory browser, in the Info Pane, and in the status bar, either always or only in data windows that represent a volume with a non-Microsoft file system.

  • Special icons in the Case Root window for evidence file containers, RAIDs and process acquisitions.

  • A new 3-state checkbox in the directory browser options controls whether clicking/selecting a file or directory in the directory browser will navigate to the data associated with that object in Disk/Partition/Volume mode or to the object's defining data structure in the file system. Please remember that a quick jump to the latter can also be achieved by clicking the "FS offset" cell of that object even if a click elsewhere navigates to the former. If the box is unchecked, no navigation in the lower half of the data window will take place at all, which could be beneficial if you are operating directly on a physically damaged disk, where accessing certain sectors or regions may cause hanging in the application or a crash in the operating system.

  • In newly taken volume snapshots of physical, partitioned storage devices, the "FS offset" column now shows the exact offset where in a partition table a partition is defined, and thus allows you to jump to that location with a simple mouse click. The absence of such an offset indicates that the partition was found not by following any pointers in partition tables, but merely based on its own data, in which case the Description column shows the partition as "not referenced in partition table".

  • Recover/Copy command: In case of problems with output path length, the exact offending path is now mentioned in the Messages window so that the issue can be better understood.

  • If multiple cell coloring conditions are met by the same item in the directory browser, they always produce a mixed color so hopefully none of the targeted properties go unnoticed. Selecting items in the directory browser that have active conditional line coloring will alter the color so that both the selected status and alerts of special conditions will be apparent.

  • Improved some aspects of dark mode when Windows does not use a dark theme (e.g. alternative e-mail preview) and greatly improved compatibility with some dark themes of Windows 11.

  • Improved GUI appearance of most arrow buttons in dialog windows under Windows 11.

  • Option to adjust the size of the standard Windows GUI font used for example in the directory browser and in the Case Data window. A positive number of pixels increases the size, a negative number decreases it. Restarting the application is recommended after making any adjustments.

    Generally it is much better to adjust the DPI scaling settings in Windows instead because that has a more consistent effect on all elements of the GUI, including clickable controls etc., not just on the font size in certain areas. However, there are situations in which it is more practical to control the font sizes in X-Ways Forensics specifically, for example if your eyesight is above or below average and you frequently use a portable installation of X-Ways Forensics on computers other than your own.

  • Some GUI elements are now automatically resized proportionally if you use the same WinHex.cfg file in a portable installation in Windows systems with different DPI settings (i.e. usually on machines with different display resolutions), for example for on-site triage, so that you roughly keep the perceived sizes that you are used to. Among others, the following are resized: the font in the hex and text display, directory browser columns (their widths), the Case Data window (its width), and thumbnails in the gallery. This works with WinHex.cfg files last saved by v20.7 SR-7 or later.

  • Loading .settings files saved by v20.7 SR-7 and later now also adjusts previous directory browser column widths based on current DPI settings if necessary.

  • File and folder selection dialog windows are now larger.

Case and Volume Snapshot Management

  • Option to make a backup of the volume snapshot automatically once refinement has completed, so that you can quickly return to this state if necessary instead of taking a new volume snapshot and refining it again. Useful for example if you make some mistake in your manual review of files or if the volume snapshot gets corrupted somehow. If the checkbox for this (in Specialist | Refine Volume Snapshot) is fully checked instead of only half-checked, an intermediate additional backup is made after the operations of step 1 (at the disk/partition level) have completed. The menu command to restore volume snapshot backups can still be found in the context menu of the evidence object in the Case Data window.

  • Option to create the subdirectories for case and volume snapshot backups with the hidden attribute (H) so that they do not clutter up the directory listing if you check out the case directory occasionally in the Windows File Explorer, or at least are identified by a fainter version of the folder icon. This option will also affect volume snapshot backups created automatically when completing steps of the volume snapshot refinement.

  • Ability to split copylog files of the Recover/Copy command into segments of x MB, to keep them more manageable when viewing them or importing them elsewhere.

File System Support

  • Btrfs: Now includes multiple hardlinks of the same file in the volume snapshot also when they are in the same directory.

  • The option "Always ignore start sectors of known files" of the file header signature search now treats previously existing files in FAT32 file systems as known even though their start cluster numbers are just guesswork, so that more duplicates are prevented (since v20.7 SR-8).

  • Improved treatment of NTFS reparse points (since v20.7 SR-2).

  • Recognition of the Tuxera Flash File System (TFFS).

Storage and Imaging

  • When creating a cleansed image in which the virtual file "Free space" is excluded while the net free space computation is active, the Messages window now reminds the user of the fact that the cluster associations of that file are highly variable and depend on which previously existing files are known in the current volume snapshot, which may in turn depend on to what extent it has been refined already. If you need to exclude the entire free space as defined by the file system, the net free space option may not be suitable for you (turn it off in Options | Volume Snapshot), or alternatively you also need to specifically exclude previously existing files in free space whose contents are not supposed to make it into the cleansed image.

  • X-Ways Forensics now accepts Windows drive letters as components to internally reconstruct RAIDs. That doesn't make much sense, but allows you to reinterpret a drive letter as a physical storage device in X-Ways Forensics if necessary, by selecting it as the sole component of a JBOD. This could be useful if for some reason you need to apply menu commands to it that only make sense to apply to physical storage devices and are only available for physical storage devices, such as Scan For Lost Partitions. For example a RAID that is reconstructed/mounted outside of X-Ways Forensics may somehow present itself as a drive letter (although it does not have a volume boot sector / file system starting at sector 0 and thus cannot be put to any good use in Windows itself).

  • Excluded files and subdirectories are no longer included when mounting a volume snapshot or directory.

Miscellaneous

  • Improved support for Microsoft Azure cloud machines as a platform.

  • Improved support for machines in the Google cloud as a platform (since v20.7 SR-3).

  • X-Tensions are now by default loaded in such a way that additional DLLs required by the X-Tension will be found in the same directory where the X-Tension itself is located. This new behavior is optional and can be turned off by the user by way of a checkbox.

  • The program help and the user manual were updated.

  • Many minor improvements.


Changes of service releases of 20.7

  • SR-1: Fixed an I/O error that could occur after using the gallery to display files in nested disk images.

  • SR-1: Fixed an infinite loop that could occur in v20.6 and the original v20.7 release when uncovering Windows resource data embedded within carved DLLs.

  • SR-1: Fixed a memory corruption error that could occur on some machines in the 32-bit edition when trying to analyze photos with artificial intelligence.

  • SR-1: Prevented a message box that had to be clicked away when trying to add inaccessible drive letters to the active case through the command line.

  • SR-1: Potentially prevented instabilities with the internal graphics display library.

  • SR-2: Fixed inability to run a picture content analysis in v20.7 SR-1.

  • SR-2: Improved treatment of NTFS reparse points.

  • SR-2: Fixed an exception error that could occur in v20.6 and v20.7 when imaging storage devices from the command line.

  • SR-3: Fixed a memory leak that could occur during volume snapshot refinement.

  • SR-3: Fixed caching of compressed TAR archives processed with the alternative extraction method if they contained additional nested archives.

  • SR-3: Prevented multi-threading read errors in certain kinds of nested images.

  • SR-3: X-Ways Forensics parsed directory entries in XFS incompletely when unaligned entries were encountered. That was fixed in v20.7 and will also be fixed in all future service releases of older versions.

  • SR-3: Ability to read uninitialized areas of files before the last defined portion as binary zeroes in Btrfs depending on the corresponding volume snapshot option.

  • SR-3: When reporting a data/parameter/parity inconsistency for newly reconstructed RAIDs, X-Ways Forensics now mentions the offset on the component disks where the problem was first detected. Note that X-Ways Forensics does not check the entire disks, just the first 16 strips (previously 10).

  • SR-3: Some target paths in jumplists were improperly truncated in the event list. That output was fixed.

  • SR-3: Improved support for machines in the Google cloud as a platform.

  • SR-4: Better compatibility with the Aquatic high contrast dark theme of Windows 11.

  • SR-4: *.service_worker is now included in fresh installations in the file mask for the file header signature search portion of "Uncover embedded data in various file types" to target cache files.

  • SR-4: Support for certain streamed MP4 video files in the internal carving algorithm ~27 for the file header signature search.

  • SR-4: Fixed an error in the "Find Text" function in the Registry Viewer in v20.6 and v20.7.

  • SR-4: Fixed failure to decode Base64-encoded e-mail bodies that could occur depending on the characters in the search terms.

  • SR-4: Fixed an error in the "Filename analysis" for pictures sent via WhatsApp.

  • SR-5: Fixed an exception error that could occur in v20.7 SR-3 and SR-4 when trying to access storage devices.

  • SR-5: Fixed an exception error that could occur in v20.7 with the "OS dir list: Compute total amount of data" option.

  • SR-5: Fixed recycle bin file naming error in v20.7.

  • SR-5: Prevented data interpretation of some invalid ANSI SQL timestamps as nonsensical dates.

  • SR-5: Fixed a rare time zone problem with carved partial QuickTime video files.

  • SR-6: Fixed a rare instability that could occur when parsing corrupt inactive data of HFS+ file systems.

  • SR-6: Fixed sector number display in the progress indicator window of simple searches (searches that don't output to the search hit list).

  • SR-6: Avoided an error message that could occur under Windows XP and Vista when opening storage devices.

  • SR-6: Fixed an exception error that could occur with the alternative .eml presentation.

  • SR-7: Fixed a rare instability that could occur when processing MSG files with forwarded other e-mail messages with very long subject lines.

  • SR-7: Better prepared for the transition to v20.8.

  • SR-8: The option "Always ignore start sectors of known files" of the file header signature search now treats previously existing files in FAT32 file systems as known even though their start cluster numbers are just guesswork, so that more duplicates are prevented.

  • SR-8: Fixed display of certain SIDs in the Data Interpreter when shown alongside of GUIDs.

  • SR-8: Highlights more recent FILETIME values in the hex and text display.

  • SR-8: Fixed inability to extract thumbnails in some old JPEG pictures with very small Exif segments.

  • SR-8: Reducing the case's auto-save interval now takes effect immediately instead of next time when the previous interval elapses.

  • SR-9: Labels derived from hash set matches are now always of the special "hash set" type, not the generic "hint" type, no matter whether they are created immediately when matching hash values against the database or retroactively.

  • SR-9: The File Header Signature Search no longer skips JPEG signatures within a known JPEG file on the assumption that the function to uncover embedded data will pick up the inner file later, if the outer known JPEG file is a previously existing file. That can make a difference if the outer JPEG file is not intact any more and there is no logical connection between the inner and the outer file (thumbnail representation or alternative resolution), in which case the function to uncover embedded data would not find the inner file.

  • SR-9: More compact representation of PhotoDNA matches in Details mode.

  • SR-9: Ability to understand information about additionally found partitions as stored in .xfc case files by v20.8. Ability to gracefully deal with case files in which that kind of information is not understood.
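The SR-5 item about invalid ANSI SQL timestamps illustrates a general rule for a data interpreter: a byte pattern that merely looks like "YYYY-MM-DD HH:MM:SS" should not be shown as a date unless every field is valid and the year is plausible. The following is an added example, not X-Ways code; the plausible-year window, the `scan_buffer` helper and the sample buffer are constructed assumptions.

```python
"""Strict plausibility check for ANSI SQL timestamps ("YYYY-MM-DD HH:MM:SS")
before a data interpreter shows them as dates.

Added example, not X-Ways code. The plausible-year window and the sample
buffer are constructed assumptions.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Fixed-width ANSI SQL form with optional fractional seconds.
_TS = re.compile(rb"(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?")


def parse_ansi_sql_timestamp(raw: bytes, min_year: int = 1970,
                             max_year: int = 2099) -> Optional[datetime]:
    """Return a datetime only if every field is valid and the year plausible."""
    m = _TS.fullmatch(raw)
    if not m:
        return None
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    if not min_year <= year <= max_year:
        return None          # e.g. 0000-00-00 or 9999-12-31 filler values
    frac = m.group(7)
    micro = int(frac.ljust(6, b"0")) if frac else 0
    try:
        # datetime itself rejects Feb 30, month 13, hour 24, and the like.
        return datetime(year, month, day, hour, minute, second, micro)
    except ValueError:
        return None


def scan_buffer(buf: bytes) -> List[Tuple[int, Optional[datetime]]]:
    """Find every candidate at any offset and report what the check makes of it."""
    results = []
    for m in _TS.finditer(buf):
        results.append((m.start(), parse_ansi_sql_timestamp(m.group(0))))
    return results


# Constructed sample buffer mixing valid, invalid and filler timestamps.
SAMPLE = (b"row1\x002022-11-15 09:30:00\x00"
          b"row2\x002023-02-30 10:00:00\x00"      # day does not exist
          b"row3\x000000-00-00 00:00:00\x00"      # filler/null value
          b"row4\x002021-06-01 23:59:59.250\x00"  # fractional seconds
          b"row5\x002020-13-01 00:00:00\x00")     # month 13


def demo() -> dict:
    """Map buffer offset -> accepted datetime or None for rejected candidates."""
    return {off: ts for off, ts in scan_buffer(SAMPLE)}


if __name__ == "__main__":
    for off, ts in scan_buffer(SAMPLE):
        print(f"offset {off}: {ts if ts else 'rejected'}")
```

Of the five candidates in the sample buffer only two survive; the nonexistent day, the all-zero filler and the month 13 are rejected rather than being rendered as nonsensical dates.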


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

#170: X-Ways Forensics, X-Ways Investigator, WinHex 20.7 released

Jan 9, 2023


This mailing is to announce the release of another update with very important improvements, v20.7. The official release date was the 15th of November 2022.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data (the passwords have changed recently!), details about their licenses and upgrade or renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible.

Please be reminded that if you are interested in receiving information about service releases at the moment when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.


Upcoming Training Events

Dates Location Target Region Course Delivered by

Jan 9-12

Online America, Europe X-Ways Forensics X-Ways

Jan 16-19

London, England Europe X-Ways Forensics X-Ways

Jan 23-26

Las Vegas, NV USA X-Ways Forensics H-11

Jan 23-26

Seattle, WA USA X-Ways Forensics H-11

Jan 24-27

Online Europe, Asia X-Ways Forensics X-Ways

Feb 7-10

Online Europe, Asia X-Ways Forensics X-Ways

Feb 20-23

Liverpool, England Europe X-Ways Forensics X-Ways

Feb 21-24

Ft. Lauderdale USA X-Ways Forensics H-11

Feb 27-Mar 2

Online America, Europe X-Ways Forensics X-Ways

Mar 6-9

DC Area USA X-Ways Forensics X-Ways

Mar 13-16

Mexico City Mexico X-Ways Forensics H-11

Mar 20-24

Online America, Europe File Systems Revealed X-Ways

Mar 27-30

Salt Lake City USA X-Ways Forensics H-11

Mar 28-30

Online America, Europe X-Ways Forensics II X-Ways

Apr 17-20

Santa Ana, CA USA X-Ways Forensics H-11

Apr 18-20

Online America, Europe X-Ways Forensics II X-Ways

Apr 25-27

Online Europe, Asia X-Ways Forensics II X-Ways

Please sign up for our training notifications here if you would like to be kept up to date on future classes. Training vouchers for 2023 are available from here.


What's new in v20.7?
(please note that most changes affect X-Ways Forensics only)

Picture Analysis

  • The functionality of Excire Forensics is now included in X-Ways Forensics! That means an artificial intelligence can check the pictures in your case (when refining volume snapshots from the main menu) and make you aware of identified content via labels or comments, by which you can filter. The complete hierarchy of identifiable content can be found here. Photo content descriptions are available in English, German, French, Spanish and Italian. Users of X-Ways Investigator please consider upgrading to X-Ways Forensics to get access to the Excire functionality.

  • Excire requires a 64-bit Windows 10, Windows 11, Windows Server 2016, Windows Server 2019 or Windows Server 2022. Download instructions for this separate package can be retrieved by querying one's license status here as always. It's simply another zip archive in the resource directory. By default the additional files will be expected in a subdirectory \Excire in the installation directory, but you can change the path in Options | File Viewing so that multiple installations of X-Ways Forensics can share the same installed package.

  • Pictures can be automatically categorized as irrelevant or notable. In the extensive hierarchy of identifiable objects you can select individual objects or entire subtrees that render a picture irrelevant from your point of view with a high degree of certainty, such as any kinds of animals, plants, sports, musical instruments etc. You can also define what renders a picture notable for you, such as nudity, pornography, guns, powdery substances, pills, children, vehicles, text, paper texture (for documents) etc. "Notable" always overrides "irrelevant" when in doubt, if for example dogs are considered as important in a particular case, but animals otherwise are still marked as irrelevant. Logical AND combinations are supported when categorizing photos as notable. Some AND combinations are predefined that are meant to assist in child pornography investigations.

  • Excire also allows you to find photos that are “similar” from the perspective of an artificial intelligence to a collection of typical relevant photos from earlier cases or other photos that you provide (in JPEG, PNG, Bitmap, or TIFF format).

  • Excire also allows you to find faces of particular people in photos of new cases. (The application will require you to mark faces of interest in JPEG, PNG, Bitmap, or TIFF pictures.)
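The categorisation rules described above (selecting nodes or whole subtrees of the content hierarchy as irrelevant, AND combinations of labels as notable, and "notable" always overriding "irrelevant") can be expressed as a small rule engine. The following is an added example, not Excire or X-Ways code; the hierarchy, the label names and the rules are constructed stand-ins for the real ones.

```python
"""Rule logic for 'irrelevant' vs 'notable' picture categorisation.

Added example, not Excire or X-Ways code. A constructed object hierarchy
stands in for the real one; selecting a node selects its whole subtree.
Notable rules are AND combinations of labels (a single label is a
one-element combination); 'notable' overrides 'irrelevant'. Labels and
rules below are assumptions.
"""
from typing import Iterable

# Constructed stand-in for the hierarchy of identifiable content.
HIERARCHY = {
    "animal": {"dog": {}, "cat": {}, "bird": {}},
    "plant": {"tree": {}, "flower": {}},
    "sport": {"football": {}, "tennis": {}},
    "person": {"child": {}, "adult": {}},
    "object": {"gun": {}, "pill": {}, "powdery substance": {}, "vehicle": {}},
    "document": {"text": {}, "paper texture": {}},
}


def subtree(node: str, tree: dict = HIERARCHY) -> set:
    """All labels at or below `node` (empty set if the node is unknown)."""
    for name, children in tree.items():
        if name == node:
            found = {name}
            for child in children:
                found |= subtree(child, children)
            return found
        found = subtree(node, children)
        if found:
            return found
    return set()


class Categoriser:
    def __init__(self, irrelevant_nodes: Iterable[str],
                 notable_rules: Iterable[Iterable[str]]):
        # Expand selected nodes to their subtrees once.
        self.irrelevant = set()
        for n in irrelevant_nodes:
            self.irrelevant |= subtree(n)
        # Each notable rule is an AND combination of labels.
        self.notable_rules = [frozenset(r) for r in notable_rules]

    def categorise(self, labels: Iterable[str]) -> str:
        labels = set(labels)
        # Notable wins whenever any AND rule is fully satisfied.
        if any(rule <= labels for rule in self.notable_rules):
            return "notable"
        if labels & self.irrelevant:
            return "irrelevant"
        return "unclassified"


def demo() -> dict:
    cat = Categoriser(
        irrelevant_nodes=["animal", "plant", "sport"],
        notable_rules=[
            ["gun"],                      # single label
            ["dog"],                      # dogs matter in this (constructed) case
            ["text", "paper texture"],    # AND: looks like a scanned document
        ],
    )
    return {
        "cat_on_sofa": cat.categorise(["cat"]),
        "dog_in_park": cat.categorise(["dog", "tree"]),   # notable overrides irrelevant
        "printed_page": cat.categorise(["text", "paper texture"]),
        "text_only": cat.categorise(["text"]),            # AND not satisfied
        "gun_and_bird": cat.categorise(["bird", "gun"]),
        "vehicle": cat.categorise(["vehicle"]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "dog_in_park" case is the one the text describes: animals as a whole are irrelevant, but a picture containing a dog is still notable because the notable rule is checked first.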

File Type Support

  • A patch was applied to the viewer component download that improves rendering for certain PDF documents.

  • The internal graphics display library was revised and updated in particular for the formats PNG, WEBP, and PCX.

  • 5% more definitions of photo generating devices.

  • Front camera recognition improved, especially for Samsung, also for Xiaomi and Apple smartphones.

  • The average number of bits per pixel in an actual JPEG picture in Details mode is now accompanied by the known median value of bits per pixel for the same generator signature to put it into perspective.

  • The Summary table for JPEG pictures has a new entry called "software class", which aggregates information previously spread across various other metadata details. The following values are possible: Adobe, Facebook/Instagram, Whatsapp, Twitter, Google/Picasa, Windows, Android, Firmware, Apple, Social media, Editor, General, Beautifier.

  • A new possible condition in the summary table for JPEG files is "cropped". Cropped means that the dimensions of the picture in pixels are not known to be one of the standard dimensions of the generating device. That also means that the picture is not even considered to be potentially "relatively original", and its relevance will be reduced compared to pictures that are considered "relatively original". The dimension will be displayed in blue in such a case.

  • Improved grouping of small pictures without metadata when sorting by relevance.

  • Relevance computation revised. The number of bits per pixel in a JPEG picture now has an effect on the computed relevance so that rather monotonous and blurred pictures get a lower score.

  • Some target paths in jumplists were improperly truncated in the event list. That output was fixed.

File System Support

  • Improved treatment of NTFS reparse points.

  • Ability to read uninitialized areas of files located before the last defined portion as binary zeroes in Btrfs depending on the corresponding volume snapshot option.

  • An error in XFS processing has been corrected that prevented the reading of certain directory structures if the directory used an EA fork.

  • X-Ways Forensics parsed directory entries in XFS incompletely when unaligned entries were encountered. That was fixed in v20.7 and will also be fixed in all future service releases of older versions.

  • Fixed an exception error that occurred when trying to preview extracted e-mail messages in extracted text mode.

User Interface

  • Report table associations are now called labels for reasons of simplicity and because v20.7 even more so than previous versions can generate a lot of such associations that will not usually become the basis of a report. If all the files with a particular label are output in a report in tabular form, the result of that, however, is still called a report table.

  • Option to adjust American spelling to British spelling in most parts of the user interface when setting English as the active language. British spelling is also the default setting now in new installations of WinHex/X-Ways Forensics/X-Ways Investigator if the Windows installation language is UK English, Australian English or New Zealand English.

  • The Chinese translation of the user interface was updated.

  • The option to display offsets in either hexadecimal or decimal has been moved to the Notation settings. As such, you can have for example hexadecimal offsets in the GUI when using the application, but decimal offsets for example when exporting data from the directory browser for external use.

  • Hexadecimal numbers and code can now optionally be written with lower-case letters from a through f. This affects hexadecimal offsets, the hex column, hash value display and more, and this is another option in the Notation settings.

  • Prevented a message box that had to be clicked away when trying to add inaccessible drive letters to the active case through the command line.

Miscellaneous

  • Filtering for a particular Windows event ID in the event description column without hitting on the same number elsewhere in the description is now easy because the event ID is now prepended with the letters "ID" and a space. (In newly refined volume snapshots only.)

  • When reporting a data/parameter/parity inconsistency for newly reconstructed RAIDs, X-Ways Forensics now mentions the offset on the component disks where the problem was first detected. Note that X-Ways Forensics does not check the entire disks, just the first 16 strips (previously 10).

  • The old Bates numbering function now supports Unicode filenames.

  • The latest NSRL hash database version 2.79 is now downloadable in XWF format from the resource directory.

  • The program help and the user manual were updated.

  • Many minor improvements.
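The RAID consistency item above (also listed under the v20.7 SR-3 changes) says that X-Ways Forensics verifies only the first 16 strips and reports the component-disk offset where a problem was first seen. The following added example, which is not X-Ways code, shows the parity part of such a check for a RAID-5: XOR every component byte at the same offset and expect zero, stop at a strip limit, and report the first mismatch. The RAID-5 writer, strip size, disk count and payload are constructed assumptions included only to produce sample component images.

```python
"""Parity consistency check for a reconstructed RAID-5, limited to the
first N strips, reporting the component-disk offset of the first mismatch.

Added example, not X-Ways code. A small RAID-5 writer with rotating parity
is included only to produce constructed component images; strip size,
disk count and sample data are assumptions.
"""
from functools import reduce
from typing import List, Optional


def xor_bytes(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equally long blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def build_raid5(data: bytes, n_disks: int, strip_size: int) -> List[bytearray]:
    """Constructed RAID-5 layout: the parity disk rotates backwards per stripe."""
    per_stripe = (n_disks - 1) * strip_size
    if len(data) % per_stripe:
        raise ValueError("sample data must fill whole stripes")
    disks = [bytearray() for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        strips = [chunk[i * strip_size:(i + 1) * strip_size]
                  for i in range(n_disks - 1)]
        parity = xor_bytes(strips)
        parity_disk = (n_disks - 1 - s) % n_disks
        it = iter(strips)
        for d in range(n_disks):
            disks[d] += parity if d == parity_disk else next(it)
    return disks


def first_parity_inconsistency(disks: List[bytes], strip_size: int,
                               max_strips: int = 16) -> Optional[dict]:
    """XOR every component byte at the same offset; RAID-5 requires 0.

    Only the first `max_strips` strips are inspected (the newsletter states
    16 for X-Ways), so damage further in is not reported. Returns the disk
    offset and strip number of the first mismatch, or None if consistent.
    """
    limit = min(min(len(d) for d in disks), max_strips * strip_size)
    for off in range(limit):
        acc = 0
        for d in disks:
            acc ^= d[off]
        if acc:
            return {"offset": off, "strip": off // strip_size}
    return None


def demo() -> dict:
    # Constructed payload: 64 bytes -> 4 stripes of 2 data strips of 8 bytes.
    payload = bytes(range(64))
    disks = build_raid5(payload, n_disks=3, strip_size=8)
    clean = first_parity_inconsistency(disks, 8)
    # Corrupt one byte on disk 1 inside strip 1 (offset 9 on that disk).
    disks[1][9] ^= 0xFF
    found = first_parity_inconsistency(disks, 8)
    # A check limited to the first strip never sees the damage.
    missed = first_parity_inconsistency(disks, 8, max_strips=1)
    return {"clean": clean, "found": found, "missed": missed}


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the code itself: a limited check (here `max_strips`) silently passes damage beyond the inspected range, and the bytewise XOR relation holds regardless of the assumed strip size or component order, so a clean parity result alone does not prove that those reconstruction parameters are right.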

Various fixes until v20.7 SR-3

  • Fixed an I/O error that could occur after using the gallery to display files in nested disk images.

  • Fixed an infinite loop that could occur in v20.6 and the original v20.7 release when uncovering Windows resource data embedded within carved DLLs.

  • Fixed a memory leak that could occur during volume snapshot refinement.

  • Fixed caching of compressed TAR archives processed with the alternative extraction method if they contained additional nested archives.

  • Prevented multi-threading read errors in certain kinds of nested images.


Changes of service releases of 20.6

  • SR-1: The option to keep archive contents in the cache, if half-checked, caused errors (exceptions or unreadable files) when dealing with file archives in the GB range in the original v20.6 release. That was fixed.

  • SR-1: Compatible with the new version of the Excire PhotoAI package from today.

  • SR-2: Fixed an exception error that could occur in v20.6 when converting extracted e-mail bodies in RTF format to plain text.

  • SR-2: Fixed an exception error that occurred in v20.6 when applying the thorough file system data structure search to an Ext volume.

  • SR-2: Fixed an error that could occur in report table management in v20.5 and later.

  • SR-2: Fixed an exception error that could occur when clicking OK in the evidence object properties window in v20.5 and later.

  • SR-2: Fixed inability to automatically add newly created images to the case and refine their volume snapshots.

  • SR-2: Fixed a potential archive cache problem.

  • SR-3: Fixed inability to pick a column to name copied files in the case report.

  • SR-3: In some situations, files copied along with the report, if named after a particular property of theirs in the directory browser, were not given a filename extension. That was fixed.

  • SR-3: Fixed an exception error that could occur when parsing Windows event log files with certain metadata extraction settings.

  • SR-3: Avoided an exception error with minimal impact related to floating point numbers in SQLite databases.

  • SR-4: Fixed the definition of the generator signatures for a few devices by Huawei and Apple (retroactively also in v20.1 SR-14 and v20.2 SR-10). This is relevant for device class identification and processing state.

  • SR-4: Fixed a potential loss of entries in the user-defined file "Regular Expressions.txt" in the 64-bit edition of X-Ways Forensics and X-Ways Investigator.

  • SR-4: Fixed inability to refine volume snapshots or run a physical search if no information for crash reports was collected.

  • SR-4: Avoided read error messages when carving certain files in certain other files.

  • SR-5: Some fixes in Event Log Events.txt.

  • SR-5: Very large data associated with Windows event log events was previously not output at all and caused malformed lines in the TSV representation. That was improved. Up to 8 KB of that data is now included.

  • SR-5: The X-Tension API function XWF_GetWindow() was improved and can now also target the active data window.

  • SR-5: Fixed a rare memory corruption error that could occur when extracting metadata from JPEG files.

  • SR-5: Fixed an exception error that occurred when importing NSRL RDS hash sets in the 64-bit edition with certain settings.

  • SR-5: Fixed inability to define a keyboard shortcut for associations with certain report tables if the total number of report tables is very high.

  • SR-5: Fixed intermittent failure to highlight FILE records in situations where the number of lines in the hex editor display was not a multiple of 4, if the box for this highlighting option was only half checked.



Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde