(You may sign up for the newsletter here.)
#96: WinHex & X-Ways Forensics 13.6 released
Dec 11, 2006
This mailing is to announce a major update,
v13.6. WinHex evaluation version:
http://www.x-ways.net/winhex.zip
Registered users and in particular owners of X-Ways Forensics please go
to
http://www.x-ways.net/winhex/license.html
for more information such as update maintenance, download links, and upgrade
offers.
UPCOMING X-WAYS FORENSICS CLASSES
London, Feb 5-9
http://www.x-ways.net/signup_london1.html
(new!)
London, Feb 19-23
http://www.x-ways.net/signup_london.html
(waiting list)
Atlanta, GA: Mar 26-30
http://www.x-ways.net/signup_atlanta.html
For details please follow these links or ask us.
WHAT'S NEW IN V13.6?
* X-Ways Forensics now allows you to list and view e-mail messages and file
attachments separately and to search them for keywords. E-mails are seamlessly
integrated in the directory tree, below the e-mail archives that contain
them. They can be listed recursively (all e-mail messages and attachments
from all directories simultaneously) and can be filtered and sorted by
various criteria just like ordinary files.
Deeply nested files can be listed and detected fully automatically as
well. Example: JPEG pictures that were embedded in MS Word documents, which
were intentionally misnamed (wrong extension) in an attempt to conceal them,
compressed an arbitrary number of times in nested zip archives, and finally
sent by e-mail.
The following file formats are supported: Outlook Personal Storage
(.pst), Outlook Express (versions 4, 5, and 6, .dbx), Mozilla (including
Netscape and Thunderbird), generic mailbox (mbox, Berkeley, BSD, Unix),
Eudora (.toc and .mbx), PocoMail and Barca (.idx and .mbx), Opera (.mbs),
Forte Agent (.idx), The Bat! (.msb and .tbb), Pegasus (.pmi, .pmm, and
.cnm), Calypso and Courier, PMMail (.msg), FoxMail (.box), maildir folders
(local copies), MHT Web Archive (.mht), and more. The e-mail functionality
is still in a testing stage.
* In Preview mode, there is now a button that allows you to switch from
file format specific to generic text preview mode, which is useful e.g. for
e-mail messages if you would like to see the entire e-mail source code
including its header.
* New icons for e-mail messages, for e-mail messages with attachments,
and for archives treated like directories.
* Recursively explored directories are now displayed in turquoise in the
directory tree.
* A case can now be deliberately opened as read-only even if it is not
password-protected. Useful when opening it twice concurrently, e.g. to avoid
losing search results in an ongoing search in one instance of X-Ways
Forensics when reviewing files in the same case in another instance. For
read-only mode, click the Edit Mode button in the Open Case dialog window.
* Password-protected case files that were saved with the investigator
version of X-Ways Forensics can be unlocked with a super-user password if
such a password had been specially entered by the administrator. Useful when
non-IT investigators forget their passwords.
* Filling very large containers (with many hundreds of thousands of files) is
now faster.
* A rare error was fixed where containers would associate files with a
wrong evidence object.
* By default, OpenOffice documents are now covered by the text decoding
option in Logical Search.
* Option to invert the selection in the directory browser with a command
in the context menu.
* Several other minor improvements and fixes.
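The nested-file scenario from the v13.6 notes above (an e-mail attachment holding nested zip archives, a misnamed document, and an embedded JPEG), as an added example that is not X-Ways Forensics code. It assumes the Word document is an OOXML .docx (itself a zip container) rather than the older binary format; all function names, file names and the sample message are constructed for illustration.

```python
import io
import posixpath
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading magic bytes -> detected type (a small constructed subset).
SIGNATURES = [(b"\xff\xd8\xff", "jpeg"), (b"PK\x03\x04", "zip")]
# Extensions considered legitimate for each detected type.
LEGIT_EXT = {"jpeg": {".jpg", ".jpeg"}, "zip": {".zip", ".docx"}}
MAX_DEPTH = 16                 # stop on pathological nesting
MAX_MEMBER = 64 * 1024 * 1024  # do not inflate oversized members


def sniff(data):
    """Identify a file by its signature, ignoring its name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def walk(path, data, depth=0):
    """Return (path, detected type, extension mismatch) for an item and,
    if it is a zip container, for everything nested inside it."""
    kind = sniff(data)
    ext = posixpath.splitext(path)[1].lower()
    mismatch = kind in LEGIT_EXT and ext not in LEGIT_EXT[kind]
    findings = [(path, kind, mismatch)]
    if kind == "zip" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER:
                        continue
                    child = f"{path}/{info.filename}"
                    findings += walk(child, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            pass  # signature matched but the archive is damaged
    return findings


def scan_email(raw):
    """List every attachment of one RFC 5322 message, recursively."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings += walk(name, part.get_payload(decode=True) or b"")
    return findings


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample():
    """Constructed sample: JPEG -> .docx renamed .txt -> zip -> zip -> e-mail."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
    docx = make_zip({"[Content_Types].xml": b"<Types/>",
                     "word/media/image1.jpeg": jpeg})
    inner = make_zip({"notes.txt": docx})      # misnamed document
    outer = make_zip({"backup.zip": inner})
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(outer, maintype="application", subtype="zip",
                       filename="files.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, kind, mismatch in scan_email(build_sample()):
        print(f"{kind:8} {'MISMATCH' if mismatch else '':9} {path}")
```
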
#95: WinHex & X-Ways Forensics 13.5 released
Oct 31, 2006
This mailing is to announce a minor update,
v13.5. WinHex evaluation version:
http://www.x-ways.net/winhex.zip
Registered users and in particular owners of X-Ways Forensics please go
to
http://www.x-ways.net/winhex/license.html
for more information such as update maintenance, download links, and upgrade
offers.
UPCOMING X-WAYS FORENSICS CLASSES
Hong Kong: Nov 7-9
http://www.x-ways.net/signup_hong_kong.html
(waiting list)
London: Feb 19-23
http://www.x-ways.net/signup_london.html
Atlanta, GA: Mar 26-30
http://www.x-ways.net/signup_atlanta.html
For details please follow these links or ask us.
WHAT'S NEW IN V13.5?
* When you search for keywords and are not interested in each and
every search hit, but merely in a list of files that contain at least one of
the specified keywords, the logical search now allows you to accelerate the
process with the new "one hit per file needed only" option. This saves time
because it allows X-Ways Forensics to skip the remainder of a file once a
hit is recorded and to continue with the next file. The resulting search hit
list will be incomplete. However, it is guaranteed to contain all the
files for which there was at least one hit, and it contains each such file
only once. Such a list is sufficient (and efficient!) to manually review the
affected files, comment on them, copy the files off an image or pass them on
to other investigators in an evidence file container etc.
* Performance improved for searches with hundreds of search terms at the
same time.
* After creating a search index (unless distributed indexing is enabled),
X-Ways Forensics now automatically starts an optional optimization step,
which you can safely abort at any time if you wish to continue using the
program (i.e. for an index search). During optimization, the various *.xfi
index component files will be consolidated, which improves the performance
of index searches and ensures that the Export Word List feature won't export
duplicate words. The optimization step can also be executed separately later
at any time.
* Adding files to an evidence file container with their complete path is
now optional. That means, if you select the directory "Vacation2006" for
inclusion in the container without its complete path, then the target path
will be \Vacation2006, no matter whether it originally was \Vacation2006 or
\Pictures\Vacation2006 or \My Files\Pictures\Vacation2006. If you select the
files directly with the new option, then they will end up directly at the
root level. The new option is useful when adding preprocessed files (e.g.
relevant excerpts from free space) from one's own hard disk to a container,
where the complete path is irrelevant.
* Ability to conveniently select from a drop down box whether to add the
slack of selected files to an evidence file container.
* The new dialog window for adding files to an evidence file
container now confirms the indirect filling method if enabled.
* Newly created container files now get the extension .ctr, so that they
can be better distinguished from conventional image files.
* The parity delay in HP/Compaq RAID 5 assembly is now variable.
* Compatibility with certain exotic NTFS volumes. (still testing)
* When imaging media, a log about the operation is now created as a text
file and automatically opened after completion so that it can be viewed and
printed (forensic licenses only). Warnings about bad sectors are included in
that log file. (since v13.4 SR-1/2)
* The gallery did not work correctly for pictures in evidence file
containers in a recursive view in the global case root window. This was
fixed. (since v13.4 SR-1)
* Error fixed that in v13.2 through v13.4 under certain circumstances
caused the logical search not to turn up any search results at all. (since
v13.4 SR-2)
* Error fixed that when deleting a report table may have caused X-Ways
Forensics to lose unrelated report table associations. (since v13.4 SR-2)
* Error fixed that occurred when renaming hash sets in the internal
database with v13.4 and v13.4 SR-1. (since v13.4 SR-2)
* Some text strings in Windows registry files were previously truncated
at null characters. This was improved. (since v13.4 SR-5)
* Several other minor improvements and fixes.
* An evaluation version of X-Ways Forensics is now pre-installed on
TreCorder© portable forensic PCs built by mh Service GmbH.
This new device promises maximum speed for cloning/imaging hard disks (3
simultaneously):
http://www.x-ways.net/TreCorder-eng.pdf
*** The next version of X-Ways Forensics is planned to support E-MAIL in
that it can list individual e-mail messages and e-mail attachments found in
a variety of e-mail archive formats, show search hits in individual e-mail
messages, filter attachments based on file type, include all in recursive
views, etc. ***
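The trade-off behind the "one hit per file needed only" option from the v13.5 notes above, as an added example that is not X-Ways Forensics code: a chunked keyword scan that either records every hit or stops reading a file at its first hit. The function names, chunk size and sample files are constructed for illustration.

```python
import io


def search_stream(stream, keywords, one_hit=False, chunk_size=4096):
    """Scan a stream for several byte keywords at once.
    Returns (sorted list of (offset, keyword), bytes read)."""
    overlap = max(len(k) for k in keywords) - 1
    hits, tail, read = [], b"", 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        base = read - len(tail)          # file offset of buf[0]
        read += len(chunk)
        buf = tail + chunk               # overlap catches boundary hits
        new = []
        for kw in keywords:
            i = buf.find(kw)
            while i != -1:
                # Hits lying wholly inside the tail were already reported.
                if i + len(kw) > len(tail):
                    new.append((base + i, kw))
                i = buf.find(kw, i + 1)
        if new and one_hit:
            return [min(new)], read      # skip the remainder of the file
        hits += new
        tail = buf[-overlap:] if overlap else b""
    return sorted(hits), read


def logical_search(files, keywords, one_hit_per_file=False):
    """files maps a name to its contents. Returns (hit list, bytes read)."""
    results, total = [], 0
    for name, data in files.items():
        hits, read = search_stream(io.BytesIO(data), keywords,
                                   one_hit=one_hit_per_file)
        results += [(name, off, kw) for off, kw in hits]
        total += read
    return results, total


# Constructed sample: the first "invoice" straddles the 4096-byte chunk
# boundary, and notes.txt contains no keyword at all.
SAMPLE = {
    "report.doc": b"." * 4093 + b"invoice" + b"." * 10000 + b"invoice payment",
    "notes.txt": b"nothing relevant here" * 500,
    "mail.eml": b"payment due" + b" " * 9000,
}
KEYWORDS = [b"invoice", b"payment"]

if __name__ == "__main__":
    for flag in (False, True):
        hits, read = logical_search(SAMPLE, KEYWORDS, one_hit_per_file=flag)
        files = sorted({name for name, _, _ in hits})
        print(f"one_hit={flag}: {len(hits)} hits, files={files}, read={read}")
```
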
#94: WinHex & X-Ways Forensics 13.4 released
Oct 12, 2006
This mailing is to announce a noteworthy
update, v13.4. WinHex evaluation version:
http://www.x-ways.net/winhex.zip
Registered users and in particular owners of X-Ways Forensics please go
to
http://www.x-ways.net/winhex/license.html
for more information such as update maintenance, download links, and upgrade
offers.
UPCOMING X-WAYS FORENSICS CLASSES
Hong Kong: Nov 7-9
http://www.x-ways.net/signup_hong_kong.html
(waiting list)
London: Feb 19-23
http://www.x-ways.net/signup_london.html
Atlanta, GA: Mar 26-30
http://www.x-ways.net/signup_atlanta.html
For details please follow these links or ask us.
WHAT'S NEW IN V13.4?
* Ability to assign one or several files to multiple report tables in a
single step. Ability to create new report tables, rename and delete existing
ones directly in the same dialog window.
* Ability to filter out items that already belong to a report table
("NOT" operator) in order to concentrate on those that may still need to be
associated with such a table.
* Report tables in case reports can now be considerably condensed in that
multiple items can now be output in the same line. E.g. you could select a
small thumbnail size for pictures and save a lot of paper or screen space by
grouping 5 pictures per line in the report.
* The filename of the case report is now freely selectable. When files in
report tables are to be included in the report, they are now extracted from
the evidence object (copied to a subdirectory) only when the report is
created. That way it is easier to distinguish between multiple reports that
consist of different report tables and to distinguish between their
corresponding subdirectories and files, e.g. if different reports are
created for different recipients, where each recipient should only be
provided with the files he/she needs to see.
* Ability to export items in the directory browser in exactly the same
format and columns as displayed in the program. Unlike before, the names of
matching hash sets and associated report tables are included as are free
text comments. Columns are selectable. The output text file can be either
Unicode or ASCII. As the descriptive icons cannot be seen in the exported
list, an additional optional column has been introduced that provides a
textual description of exported items (indicating whether they are existing
files or deleted directories etc.). That same column is also optionally
available in the directory browser, even if not really needed there.
* The list of file type category definitions has been notably extended.
E.g. file signature and type definitions for MS Office 2007 and
OpenOffice.org 2 were added.
* The file type filter is now faster.
* Supported number of RAID component disks increased from 5 to 10.
* When multiple examiners share the same image file, yet all of them work
with their own case files because they examine different aspects of the same
case simultaneously, or when providing non-IT examiners with evidence file
containers and pre-compiled search indexes, or when using the distributed
indexing feature to accelerate index creation, there is now the option to
have a shared metadata subdirectory with the search index for that image,
which saves drive space, accelerates access because of improved Windows file
buffering, and facilitates handling of the search index files.
Such a single metadata directory for search index files (.xfi files) is
used for both index creation and index search, however only if it is
specifically created by the user, i.e. if it already exists when needed. It
is expected as a subdirectory of the directory where the image file is
located, with the same base name as the image file, without extension, and
the suffix " Metadata". If you prefer to store the index files on a
different drive for performance reasons, simply create the metadata directory
as an NTFS reparse point that redirects to a different drive. Whether to do
this, and whether to use this feature at all, is at the user's discretion.
* The same generic metadata subdirectory is now used when creating an
evidence file container, if individual free text comments about files are to
be passed on with that container, which is a new option for newly created
containers. The recipient of the container will see those comments if he/she
is not only provided with the container, but also with the metadata
subdirectory of that container. Useful to not only forward a collection of
files to other investigators as before, but also customized information and
preliminary findings. E.g. computer specialists could add the real name of
the owner of a file for non-IT examiners to see, or the reason why a file
was selected for inclusion in the container.
* Ability to wipe hard disks with pseudo-random data that looks like
highly encrypted data (quite fast). Ability to wipe with cryptographically
secure pseudo-random numbers (very slow). The data transfer rate is now
displayed in the progress indicator window.
* A new version of the viewer component is available for download for
licensed users of X-Ways Forensics. Works with earlier versions of X-Ways
Forensics as well. For details please see the change log at the bottom of
this page:
http://www.x-ways.net/forensics/viewer.html
* Ability to execute WinHex/X-Ways Forensics in a path that contains true
Unicode characters. Various directories such as the folder for image files
and for temporary files may now contain true Unicode characters in the path
(still testing). However, the viewer component does not accept such paths
for its own temporary files.
* The StrToInt script command now supports integer values larger than 4
billion (32-bit unsigned).
* Ability to cope with date formats set in the Windows Control Panel that
do not end with either month, day or year, but with a closing special
character such as another period (.). That character is omitted from the
display in WinHex/X-Ways Forensics, but the order of month, day, and year is
now adapted correctly.
* Because of its minor significance, the command to add individual files
to the case is no longer available in the directory browser's context
menu by default, only if you hold the Shift key when right-clicking.
* Error fixed that could occur when changing the font size in conjunction
with Calendar mode under certain circumstances. (since v13.3 SR-3)
* The number of screenshot files in the case log had been displayed
incorrectly since v13.2. This was fixed with v13.3 SR-3.
* Fixed command "Hide duplicates in directory browser." with v13.3 SR-3.
* Several other minor improvements and fixes.
#93: WinHex & X-Ways Forensics 13.3 released
Sep 13, 2006
This mailing is to announce a noteworthy
update, v13.3. WinHex evaluation version:
http://www.x-ways.net/winhex.zip
Registered users and in particular owners of X-Ways Forensics please go
to
http://www.x-ways.net/winhex/license.html
for more information such as update maintenance, download links, and upgrade
offers.
UPCOMING X-WAYS FORENSICS CLASSES
Phoenix, AZ: Oct 9-12
http://www.x-ways.net/signup_phoenix.html
Hong Kong: Nov 7-9
http://www.x-ways.net/signup_hong_kong.html
For details please follow these links.
WHAT'S NEW IN V13.3?
* Please be reminded that you can check out the reduced user interface
for investigators that are specialized in areas other than computers (such
as accounting, money laundering, corruption, child pornography, ...) if you
click that corresponding checkbox in Options | General Options twice.
Licenses for only this simplified version of X-Ways Forensics are available
at half the price. With that user interface, investigators can browse e.g.
evidence file containers prepared by computer forensic examiners, view
documents, comment on them, print them, search them, and create reports on
them. They are spared most technical details of the full version of X-Ways
Forensics.
* Support for GUID partition tables (GPT) as created by Intel Macs and
(if specially selected) by Windows Vista. Requires a specialist or forensic
license. Ability to automatically and manually find deleted partitions in the
same way as for conventional partition tables (MBR/EMBR concept).
* Partitioned media such as hard disks now have a directory browser that
lists the partitions. (Internally, a kind of volume snapshot is used for
that.) Supersedes the Access button menu (the popup menu that appears when
clicking the button with the big black arrow pointing down), which will soon
be removed for physical media in a future release. Allows you to easily access
partition start sectors, optionally with templates, and all unpartitioned
areas. Also allows you to include all unpartitioned areas in a global Logical
Search run from the case root. Reveals the partitioning type (MBR, GPT,
dynamic, Apple, floppy/superfloppy) and the partitions' file systems.
Allows you to sort the partition listing by physical location, file system,
and partition size.
* Ability to index all evidence objects with volume snapshots in a case
in a single step.
* Ability to search the indexes of all evidence objects in a case at the
same time if they are open and have been indexed, from within the case root.
* Support for distributed indexing, to accelerate index creation in
time-critical cases. If n computers participate in indexing the same
evidence object, each computer can index approx. 1/n of the total data (may
vary depending on the size of very large files within the volume snapshot).
If all resulting index files (.xfi files) are created or eventually
collected in the same metadata folder, they are treated exactly like an
index created by just one computer. To ensure that no part of the volume
snapshot is indexed twice or accidentally left out, all participants need to
agree on the same index settings and get unique numbers assigned. E.g. if 9
computers are involved, each of the numbers 1...9 needs to be specified
for indexing exactly once.
* Specialist | Gather Text is now considerably faster. Unicode text is
converted to ASCII text.
* With identical settings, indexing is now somewhat faster than before.
* File masks for decoding text in logical searches are now applied to the
true file types in addition to the filenames, if signatures have been
verified by refining the volume snapshot. It is recommended to apply this
text decoding option to RTF and HTML documents depending on the characters
used in your search terms, as in these kinds of documents non-7-bit ASCII
characters like e.g. German umlauts are typically encoded. (since v13.2
SR-3)
* Analogously to the Logical Search command, *indexing* can now cover the
encoded, compressed or otherwise garbled text in PDF, WordPerfect, RTF, HTML
and other documents as well.
* An error in indexing was fixed that caused the "Exception" option not to work reliably in earlier releases of v13.2. (since v13.2 SR-3)
* Search hit preview improved for very long matches for GREP expressions.
* When archiving a case, index files can be optionally excluded.
* Enhanced compatibility of .e01 evidence files created by X-Ways
Forensics. (since v13.2 SR-7)
* Ability to extract information about hardware devices from Windows
2000/XP registry files ("SYSTEM" file) when creating the registry report.
* The registry report definition file Reg Report Keys.txt now supports
multiple wildcards in registry paths.
* Reg Report Keys.txt now supports the specification of registry branches
that are Windows version independent. E.g. application program settings no
longer need to be specified twice, but only once, with ?? as the OS
identifier instead of NT and/or 9x.
* Overlapping GREP search hits for the same GREP expression now prevented
for physical searches, too.
* Configuration file now user-specific by default, i.e. multiple users
sharing the same installation folder (e.g. on a server) will have individual
winhex*.cfg files. For details please go to
http://www.x-ways.net/winhex/setup.html.
(since v13.2 SR-5)
* Incomplete directory tree error after hash computation fixed. (since v13.2 SR-5)
* When reviewing index search hits in Preview mode, you can now use F3 to
search for additional hits in the same file in the Preview area. (since
v13.2 SR-5)
* Notable search hits are now marked with a flag instead of a paperclip
icon, to avoid confusion, as that icon is already used on the button that
brings up the Position Manager and bookmarks. (since v13.2 SR-5)
* Graphical anomalies under Windows 2000 fixed. (since v13.2 SR-8)
* FAT timestamps no longer translated to local time in calendar view.
(since v13.2 SR-9)
* Several other minor improvements and fixes.
#92: WinHex & X-Ways Forensics 13.2 released
Aug 16, 2006
This mailing is to announce a major update,
v13.2. WinHex download URL:
http://www.x-ways.net/winhex.zip
Registered users and in particular users of X-Ways Forensics please go to
http://www.x-ways.net/winhex/license.html
for more information such as update maintenance, download links, and upgrade
offers. Upgrading starts a new update maintenance period.
UPCOMING X-WAYS FORENSICS CLASSES
Phoenix, AZ: Oct 9-12
http://www.x-ways.net/signup_phoenix.html
Hong Kong: Nov 7-9
http://www.x-ways.net/signup_hong_kong.html
For details please follow these links.
WHAT'S NEW IN V13.2?
* There are new (optional) quick filter buttons in the directory browser column headers that allow you to activate and modify dynamic filter settings more quickly.
* The indexing algorithm was revised. The index files are now considerably smaller and certain worst case data will no longer cause the algorithm to almost freeze. The index file format has changed, so existing indexes created by earlier versions cannot be reused.
* Report tables have evolved from tab-delimited text files that are associated with just one evidence object to virtual, case-wide categories, by which you can dynamically filter or sort, even in the case root, not unlike comments. However, while comments are best for free text, report tables can now serve as convenient user-defined categories such as "related to company x", "incriminating pictures", "unjustified expenses", depending on what the objective of your examination is. Using report tables that way for filtering instead of keywords in free text comments can prevent errors due to typos.
The same file can be part of multiple report tables. An optional column in the directory browser indicates to which report table(s) a file has been assigned.
The report table fields you can select for output to the case report are now the same as for the directory browser. Report tables created and filled by v12.9 and later can be imported by v13.2. Report table titles now use Unicode instead of ASCII. Filenames in report tables are now output to the case report in Unicode.
* Comments now use the Unicode character set instead of ASCII throughout the user interface and the case report.
* Case titles, case filenames, case descriptions, examiner names, image filenames, evidence object titles, comments, command line parameters, and the case log now all work with Unicode.
* It is now possible to select evidence objects for recursive viewing in the case root.
* Cases last saved by v13.2 cannot be opened any more by earlier versions of X-Ways Forensics. v13.2 won't import certain items from cases saved by earlier versions: search hit lists from v12.9 and earlier; free space, slack space, and text that was captured in a separate file and associated with a case.
* The bookmark list associated with an evidence object can no longer be brought up via an icon in the case tree, but by clicking the button with a paperclip icon in the middle of the screen.
* The name of the evidence object that a directory browser item belongs to is now displayed in a separate column. This field is useful in a recursively explored case root and for reports that include the new case-level report tables, as it helps establish the original location of files.
* When associating a hard disk and its partitions with a case as evidence objects, the case tree now lists the partitions as child nodes of the disk. Volumes/partitions are now represented by a different icon in the case tree to better tell them apart from physical media. They no longer employ separate icons for access to the root directory, but provide access directly. All of this allows you to handle larger cases that involve many hard disks with many partitions more conveniently and to utilize screen space more economically.
* Lost partitions that were found through a thorough search are now remembered by X-Ways Forensics if the hard disk/hard disk image is associated with a case as an evidence object.
* The particularly thorough file system data structure search on NTFS volumes has a new second step that usually turns up many more previously existing files than before, files that have been deleted, renamed, or moved. Known earlier names/locations of renamed/moved files will be displayed with new arrow icons. For many of the additionally discovered deleted files, however, only the metadata is available (filename, timestamps, ID, ...), not the file contents.
* Newly created volume snapshots for FAT volumes now identify directory entries that indicate that files have been renamed or moved. They are displayed with an arrow icon as well. Requires a specialist or forensic license.
* Support for multiple sessions on optical media formatted with UDF. The first and the last session will be listed automatically. Additional sessions in the middle can be found through a particularly thorough file system structure search.
* Strict drive letter based write protection is now optional (yet still enabled by default) in X-Ways Forensics. See Options | Security.
* Auto-save option for cases.
* The directory browser options now allow you to lock columns on the left, i.e. prevent them from scrolling horizontally.
* Memory management is now more efficient when dealing with millions of files on a volume.
* Ability to totally disable sorting with a command in the directory browser context menu. Can save time when dealing with huge file lists.
* All text output in the messages window can now be optionally logged in a file messages.txt. See Options | Security. This file is created in the log subfolder of the case, if a case is active, or else in the installation directory.
* Newly created evidence file containers can now be optimized for better performance if a huge number of files is to be added. All three options related to containers are now presented whenever creating a new container, no longer in Options | Security.
* The Copy/Recover command now offers a convenient option to copy files including their slack or the slack separately. (forensic licenses only)
* You can now view Windows Event Log (.evt) files. (forensic licenses only)
* File Type Signatures.txt: More legitimate extensions per file type supported.
* During the creation of image files, X-Ways Forensics now displays the average data transfer rate in MB per minute and the average compression ratio for compressed evidence files.
* The case report is now more flexible. All components (basic report, report tables, log) are optional. Also you can now optionally omit times from the case log, e.g. if you do wish to pass on the log to someone else, but feel uncomfortable disclosing the pace you worked at.
* The program to view HTML reports (case reports, registry reports, event log conversions) can now be selected in Options | Viewer Programs. MS Word can be more useful than an Internet browser because e.g. it allows you to further process the report and can display directly embedded TIFF pictures. If no program is specified in that dialog window (as is the case by default), HTML files will be viewed with the default program for that file type in your system as before, i.e. usually your preferred Internet browser.
* When the hash of an evidence object is verified or computed for the first time, the result is added to the technical description of the evidence object.
* The standard extension of template text files has been changed from .txt to .tpl. That way, templates can be more easily told apart from other text files.
* Several other minor improvements and fixes.
#91: WinHex & X-Ways Forensics 13.0 released
Jun 14, 2006
This mailing is to announce a major update,
v13.0. WinHex download URL:
http://www.x-ways.net/winhex.zip
Registered users and in particular users of X-Ways Forensics please go to
http://www.x-ways.net/winhex/license.html
for more information such as update maintenance, download links, and upgrade
offers. Upgrading starts a new update maintenance period.
UPCOMING X-WAYS FORENSICS CLASSES
Phoenix, AZ: Oct 9-12
For details please go to
http://www.x-ways.net/signup_phoenix.html.
WHAT'S NEW IN V13.0?
* WinHex and X-Ways Forensics again run on Windows 98/Me. However, full functionality under Windows 98/Me is not guaranteed, and we can't assist with problems that are specific to these OS versions.
* Indexing: With a forensic license, it is now possible to create an index of all words in all or certain files in a volume snapshot, for partitions that have been associated with a case as an evidence object (see Search menu). This is a time-consuming process and will require a large amount of drive space. However, once completed, the index will allow you to conduct searches very quickly and spontaneously.
As a unique feature, our indexing procedure optionally supports substrings, which is particularly useful for languages like German, Dutch and Swedish that make heavy use of solid compound words, enabling you to find e.g. "paper" in "newspaper" and "card" in "bankcard".
Please note that the indexing algorithm is still in a testing stage.
* A totally new concept for reviewing search hits has been introduced.
Available when working with a case. It supersedes the two main output methods known from logical searches before and combines the best of both worlds:
From the former "List search hits" output option it inherits the ability to see search hit offsets and a context preview, the ability to see more context in Sectors or File mode by simply clicking a search hit, and to specially flag important search hits.
From the former "Table of files with hits" output option it inherits the ability to see all properties of the files that contain the hits (i.e. all columns known from the directory browser), the ability to use a filter in conjunction with the search results, e.g. to view hits in all .doc and .xls files with certain timestamps only, and the ability to copy, view, tag or comment on files.
* The new search hit review concept allows you to list search hits based on any position and level in the directory tree, e.g. all search hits in files in \Documents and Settings and subdirectories of the same, and even search hits from all evidence objects of the entire case at the same time, using the case root window.
* It is also possible to conveniently select one or several search terms for search hit viewing, in the search term list in the Case Data window. That way it is also an easy task to find out how many search hits there are for any given search term for any hierarchy level in the case tree.
* The new search hit lists are "dynamic" in that they are composed "on the fly" depending on selected search terms, current filter settings etc. and in that they can be non-destructively "thinned out" with the directory browser's context menu such that each file with at least one hit is listed no more than once. This allows you to use the search hit list conveniently to copy files to your own hard disk or to an evidence file container without duplicates.
* Search hits can be marked as notable with the directory browser context menu or by pressing the Space key. With the Space key you may also remove such a mark. The keyword list allows you to create a quick overview of all hits marked as notable.
* Ability to enter Unicode-based search terms (e.g. in Chinese, Russian, ...) directly for physical and logical simultaneous search.
* There is now a true Unicode context preview for search hits.
* Context preview now also available for hits in free space.
* Improved display of error messages that involve Unicode filenames, in message boxes and the messages window.
* There is a new display mode "File", a mixture of the Sectors mode and the Open command in the directory browser context menu. It utilizes the lower half of the screen just like all other modes do and looks similar to Sectors mode, but only covers the clusters/contents of the currently selected file, not all sectors of a volume. Just like the Open command in the directory browser context menu, File mode has an offset column relative to the beginning of the file, it follows file fragmentation, and it shows the decompressed version of NTFS-compressed files. It's generally more convenient than the Open command, e.g. to navigate to file slack, because it takes fewer clicks to get there and leave again.
* Clicking search hits that are associated with relative offsets only (i.e. results of a logical search, with no corresponding physical offset, which can be seen for NTFS-compressed files, and generally results of an index search) will automatically activate File mode, as such search hits cannot be shown at all in Sectors mode. Also, for those rare hits in a file that are fragmented across non-contiguous clusters, only File mode will highlight the hits and show their context correctly; Sectors mode cannot.
* Fragmented files on UDF volumes now supported.
* User-defined comments on a file can now be viewed even if the Comments column is not visible, when the mouse cursor hovers over the file's icon.
* Ability to copy selected text in the messages window to the clipboard. The text will be available in both Unicode and ASCII.
* Ability to recognize BitLocker volumes of Windows Vista Beta as such.
* Ability to tag files in a recursively explored case root.
* Multiple sessions on a CD formatted with CDFS/ISO9660/Joliet are now listed simultaneously instead of only one at a time. Optionally (see Directory Browser Options), X-Ways Forensics can now list the ISO9660 directory tree even if a Joliet directory tree is present, too, which is useful e.g. if the Joliet part is damaged because of bad sectors.
* Ability to export a list of all words that are contained in the above-mentioned search index, e.g. to create a custom dictionary for an individual dictionary password attack (Search | Export Word List).
* Evidence files that are images of large disks can now be opened much faster.
* Ability to _group_ tagged and untagged items. Allows to conveniently review tagged items as a whole.
* X-Ways Forensics now shows the directory browser even for volumes with unsupported, unknown or unrecognizable file systems. In such a case, there will be just a fictitious "Idle space" file that covers all drive space. The Refine Volume Snapshot command, however, can then be used to find files based on header signatures, to be listed with generic names in the "Path unknown" directory. Also Preview mode and Gallery mode will be available. (forensic license only)
* Ability to conveniently list thumbnails that are directly incorporated in JPEG pictures, using Refine Volume Snapshot's search for embedded pictures. Those will be listed as fictitious JPEG files with the original filename and "Thumbnail" appended.
* When copying files from the Case Root including the path, the names of the disks/images involved are recreated in the output location as directories, so that there can be no doubt about which files originate from what evidence object.
* X-Ways Forensics now issues warnings when it takes a snapshot of a FAT volume and when in existing directories it encounters active FAT directory entries that appear to be corrupt for certain reasons.
* On bootable CDs that are compliant with the El Torito specifications, X-Ways Forensics can now usually find and list the boot volume if it is a recognizable file system on its own.
* Entropy test for encryption fine-tuned (fewer false positives).
* Fixed an error in the search scope option "Up".
* When decoding the text in PDF documents for a logical search and no text is found (e.g. because the PDF document is composed of graphical data only, which can be readable text but will not be recognized as text), the ability to detect this situation and issue a warning has been improved. (since v12.9 SR-1)
* Most PDF documents can now be recovered "by type" with their original, correct size. (since v12.9 SR-2)
* Problem with heavily fragmented $MFTs on NTFS volumes with certain characteristics addressed. This may have caused incomplete file listings. (since v12.9 SR-12)
* Many other minor improvements and fixes. |
| #90: WinHex & X-Ways Forensics 12.9 released
Apr 11, 2006 |
This mailing is to announce a major update,
v12.9. WinHex download URL:
http://www.x-ways.net/winhex.zip
Registered users and in particular users of X-Ways Forensics please go to
http://www.x-ways.net/winhex/upgrade.html
for more information such as update maintenance, download links, and upgrade
offers. Upgrading starts a new update maintenance period of 12 months.
UPCOMING X-WAYS FORENSICS CLASSES
Washington DC: May 8-11
http://www.x-ways.net/signup_washington_dc.html
Washington DC: May 16-19
http://www.x-ways.net/signup_rosslyn.html
Phoenix, AZ: Oct 9-12
http://www.x-ways.net/signup_phoenix.html
Please follow the links for details or send e-mail to mail@x-ways.com. Thank you!
WHAT'S NEW IN V12.9?
* The directory browser is now directly based on volume snapshots. Since one abstraction layer of data has become obsolete that way, memory utilization per item has been reduced by more than 50%, which is measurable e.g. for a recursive listing of 100,000s of items. That also means that items in report tables that are loaded are mandatorily matched against the volume snapshot, and any items that are not part of the volume snapshot cannot be listed in the directory browser.
* There is now a fictitious file "Idle space" in each newly created volume snapshot. That file covers clusters that are marked as allocated, whose exact allocation, however, X-Ways Forensics could not determine, e.g. because these clusters were only previously allocated and then not properly freed in the file system.
* Additional fictitious files for Ext2/Ext3, ReiserFS, NTFS, FAT, and HFS+ in newly created volume snapshots. There is a brief description of most fictitious files in the program help chapter about the directory browser. The root directory itself is now listed as a special searchable directory for most file systems. Selecting the root directory for searching will search its directory entries, not all subdirectories as well. For that you still need to select all in the directory browser (Ctrl+A). BTW, whether Ctrl+A includes non-recoverable files can now be controlled in the directory browser options.
* The contents of archives that are explored in the directory browser manually (e.g. double-clicked) are now incorporated into the volume snapshot right away, as known from Refine Volume Snapshot. (forensic licenses only)
* New optional directory browser columns reveal the owner and the hard link count of files and directories on NTFS/Ext2/Ext3/ReiserFS/Reiser4/HFS+/UFS volumes. Hard links on NTFS volumes are now listed.
* Support for advanced UDF features such as resident files and directories, variably positioned file set descriptors, and sparing tables on sparable partitions. That means a wider range of DVD media can be examined.
* Improvements in UFS support.
* A dynamic file size filter and a filter for some special values in the Attribute column have been introduced.
* Logging user activity separately for each evidence object becomes optional and is even disabled by default in a fresh installation. If disabled, X-Ways Forensics will generate one large chronological log for the entire case, spanning all evidence objects. Note that a log recorded either way cannot later be converted to the other style.
* "File Type Categories.txt" now supports full filenames in addition to filename extensions. Useful for certain files with a well-defined name whose extension is not specific enough:
-;index.dat; Internet Explorer history/cache
-;history.dat; Mozilla/Firefox browser history
* The "File Type Signature.txt" database was updated.
* The text column now supports 16-bit Unicode characters (little-endian UTF-16), e.g. Chinese, Cyrillic. See Options | Character Set. Unicode characters are expected at even offsets. Keyboard input in Unicode is not supported in the text column.
* There is now a bigger internal buffer for archives (.zip, .rar, ...), which can speed up access to compressed files. Also there is no practical limitation any more to the levels of nested "archives in archives". The specific option to include the contents of archives in logical searches has been removed. If the contents of archives have been included in the volume snapshot and they are selected in the directory browser or if the containing archive is selected and treated like a directory, they will be searched as well. Refining the volume snapshot first is preferable anyway because at the same time that feature can also identify misnamed archives with the signature check. Also the logical search thereby is no longer limited to 2 levels of nested archives.
* The skin tone detection feature now serves a second purpose: It now also reveals pictures that are black & white or grayscale pictures. This is useful to find scanned documents and digitally transmitted faxes (e.g. TIFF). Such pictures are flagged as "b/w" in the SC% column.
* Since TIFF files may contain multiple pages, they are now displayed by the separate viewer component instead of by the internal picture viewer, even if the viewer component is not generally activated for pictures. Note that the additional pages in TIFF files are not listed in the gallery.
* As an alternative and easier to discover way for new users to bring up a recursive view of a directory, there is now an additional button next to "Sync". (specialist and forensic licenses only)
* File | Create Disk Image is now potentially faster, depending on the system and various outer circumstances.
* A faster implementation of the hash algorithms MD5, SHA-1 and SHA-256 is now available to owners of professional licenses or higher. The X-Ways Forensics download includes a special DLL; owners of professional and specialist licenses can download the DLL separately from the web at http://www.x-ways.net/winhex/setup.html. The Help | About box confirms if the quick hashing feature is loaded.
* Compression/decompression algorithm for evidence files updated from zlib 1.2.1 to 1.2.3.
* Optionally, files on the logical drive letters A: through Z: can now be opened with the help of the operating system instead of with the built-in logic at the sector level. Please note that this is forensically sound only for write-protected media. On writeable media, Microsoft Windows will at least update (i.e. alter, falsify) the last access timestamp of files you open. The benefit, however, is that access to such files may be noticeably faster in many situations, especially on slow media such as CDs and DVDs, e.g. when you compute hashes or skin color percentages for files in a volume snapshot. This is because Windows employs read-ahead mechanisms and a file caching system. See Options | Security.
* The folder for temporary files used by the separate viewer component is now controlled by WinHex/X-Ways Forensics, i.e. set to the one the user specifies in General Options. X-Ways Forensics more or less silently accepts unsuitable paths on read-only media, which is useful when running X-Ways Forensics from a CD to preview a live system. However, the viewer component would not accept such a path, so running X-Ways Forensics from a USB stick instead may be preferable. Please note that the viewer component, if actually used, also leaves entries in the system registry.
* In report tables created by v12.9, duplications can no longer occur, i.e. the same file is never (e.g. accidentally) added twice to the same report table.
* Support for unified contents/report tables and for the category view of tables was dropped. Redirecting the output of File Recovery by Type to lists is not available any more in v12.9.
* The disk selection dialog window already reveals on which physical disks the volumes mounted as drive letters C: through Z: reside.
* The Sync mechanism was reworked internally.
* The gallery is better synchronized with the directory browser.
* Special treatment for $BadClus:$Bad in NTFS, so that this particular system data stream can be efficiently viewed and searched. Now listed with a size of 0 bytes if no clusters are marked as bad and a size of > 0 bytes if there are such clusters.
* When cloning over a partition that is mounted as a drive letter or when restoring an image over it, X-Ways Forensics now tries to disable Windows' internal buffers, so that the new contents of the target partition are visible everywhere in the system immediately after copying.
* Ability to undo/reset the signature check for all items in a volume snapshot, by removing the "Already done" checkmark. This initializes the Status column and is useful if an important update to the signature database has been made.
* The ability to delete the case log was removed in X-Ways Forensics (but not from WinHex).
* Calendar mode: Color markers were swapped in v12.85. This was fixed with v12.85 SR-9.
* Error fixed that prevented files in "Path unknown" from being copied to evidence file containers in v12.85. (fixed since v12.85 SR-7)
* Error fixed that caused physical RAM beyond 256 MB to be read from wrong memory addresses. (since v12.85 SR-7)
* Several other minor improvements and fixes. |
| #89: WinHex & X-Ways Forensics 12.85 released
Mar 13, 2006 |
This mailing is to announce a noteworthy
update, v12.85. WinHex download URL:
http://www.x-ways.net/winhex.zip
Registered users and in particular users of X-Ways Forensics please go to
http://www.x-ways.net/winhex/upgrade.html
for more information such as update maintenance, download links, and upgrade
offers. Upgrading starts a new update maintenance period of 12 months.
UPCOMING X-WAYS FORENSICS CLASSES
Washington DC: May 8-11
http://www.x-ways.net/signup_washington_dc.html
Phoenix, AZ: Oct 9-12
http://www.x-ways.net/signup_phoenix.html
Please follow the links for details or send e-mail to mail@x-ways.com.
Thank you!
WHAT'S NEW IN V12.85?
* Support for Unicode characters in file and directory names in most
parts of the user interface, notably in the directory browser and the
directory tree.
* Newly created evidence file containers can now optionally incorporate
filenames in Unicode instead of ASCII. For compatibility with older versions
of X-Ways Forensics, stick with ASCII.
* Support for the platforms Windows 95/98/Me has finally been
discontinued. v12.8 remains the last version to run under those Windows
versions.
* When verifying file types based on signatures, no fictitious items with
the presumed correct extensions are listed any more. Instead, the detected
type can be seen in the new optional Type column. Only initially the Type
column shows the same as the Extension column. The Category column is now
based on the Type column, no longer on the Extension column. When a mismatch
between filename and type is detected, either when refining the volume
snapshot, when previewing files, or when viewing files in the Gallery, both
the Type and the Category column are updated and turn blue.
* There is also a new filter that conveniently lets you address files of
selected types, in addition to the Category filter. (forensic licenses only)
* Another new optional column indicates the status of the file type
column. Initially "not verified". After checking for filename/file type
mismatches: If a file is very small, the status is "don't care". If neither
the extension nor the signature is known to the file type signature
database, the status is "not in list". If the signature matches the
extension according to the database, the status is "confirmed". If the
extension is referenced in the database, yet the signature is unknown, the
status is "not confirmed". If the signature matches a certain file type in
the database and the extension matches a different file type or none at all,
the status is "newly identified". A filter can be used on this column, too.
(forensic licenses only)
* The separate viewer component has been updated on March 3, 2006.
For details please see
http://www.x-ways.net/forensics/viewer.html.
* Ability to display timestamps with tenths of seconds in the directory
browser. Useful for the file systems NTFS and FAT that provide for and even
exceed this precision in all or some timestamps.
* The volume snapshot data format has changed. Previously created volume
snapshots can be converted automatically for use with v12.85 and later,
except for ReiserFS/Reiser4 volumes. Should you encounter problems importing
old volume snapshots, you can either recreate the volume snapshot from
scratch (thereby losing comments, tags, discovered orphaned files, etc.) or
continue using v12.8 for that case/image. Backup copies of the original
volume snapshot files are left in the metadata subdirectories.
* Support for drive/directory contents table creation has finally been
discontinued.
* The priorities when sorting by the Attribute column have been
redefined.
* Ability to maintain custom sections of the file type signature database
separate from the main file in an arbitrary number of files named "File Type
Signatures *.txt". These files are loaded in addition to the main file.
Their internal format must be the same. Using such user-defined files
prevents your own definitions from being overwritten when you install an
update.
* NetBSD UFS now supported.
* The structure of deleted nested subdirectories on Ext2 volumes is now
often better represented.
* ReiserFS volume snapshots are now taken faster.
* Ability to include the contents of archives in a logical search when in
a recursive view.
* Slack data added to evidence file containers is now marked and sortable
as slack in the Attribute column. You can hold the Shift key as before to
add a file plus its slack, and now alternatively the Ctrl key to add _only_
the slack.
* Ability to tag or untag an unlimited number of items at a time in a
recursive view.
* Ability to print case reports optionally with a user-defined header
line, a logo, and a preface (see Case Properties, Report Options).
* Ability to treat and display archives exactly like directories once
their contents have been included in the volume snapshot.
This is reversible and can also be applied retroactively. One benefit is
that archives are not subject to dynamic filters any more as are ordinary
files, so it's easier to navigate to the contents of the archives when a
filter is active that would normally filter out the archives. Another
benefit is that archives turned into directories behave like directories
when it comes to tagging.
* Ability to convert packed 7-bit ASCII to readable 8-bit ASCII with a
script command.
* Right-clicking a file in the directory browser now updates the Preview
area. (since v12.8 SR-6)
* .tif pictures now included directly in the HTML case report, not as a
link, as they can be displayed by Firefox. (since v12.8 SR-6)
* When adding files to containers with the indirect method, the name of
the externally output file is now checked better for compliance with Windows
filename restrictions. (since v12.8 SR-6)
* An error was fixed that on certain partitions prevented the fictitious
"Free space" file from being read. (since v12.8 SR-8)
* An error was fixed that in certain situations prevented the prompt for
an output filename when exporting a file list from a recursively explored
Case Root window. (since v12.8 SR-9)
* Several other minor improvements. |
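The file type status values described in the v12.85 notes above can be read as a small decision procedure. The following Python sketch is an added example, not X-Ways code: the signature table, the `MIN_SIZE` threshold for "very small" and all function names are assumptions made for illustration.

```python
import os

# Constructed mini signature database (assumption; not the contents of
# X-Ways' file type signature database): type -> (extensions, header bytes)
SIGNATURES = {
    "jpg": ({"jpg", "jpeg"}, b"\xff\xd8\xff"),
    "png": ({"png"}, b"\x89PNG\r\n\x1a\n"),
    "pdf": ({"pdf"}, b"%PDF-"),
    "zip": ({"zip"}, b"PK\x03\x04"),
}
MIN_SIZE = 8                    # assumed cut-off for "very small" files
INITIAL_STATUS = "not verified"  # status before any check has run


def extension_of(name):
    """Lower-cased extension without the dot, '' if there is none."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def check_file_type(name, data):
    """Return (status, type) following the rules in the release notes."""
    ext = extension_of(name)
    if len(data) < MIN_SIZE:
        return ("don't care", ext)
    # Types whose header signature matches the start of the data
    sig_types = [t for t, (_, magic) in SIGNATURES.items()
                 if data.startswith(magic)]
    # Types that list this extension in the database
    ext_types = [t for t, (exts, _) in SIGNATURES.items() if ext in exts]
    if not sig_types and not ext_types:
        return ("not in list", ext)
    if not sig_types:
        # Extension is referenced in the database, signature is unknown
        return ("not confirmed", ext)
    for t in sig_types:
        if t in ext_types:
            return ("confirmed", t)
    # Signature identifies a type; extension names another type or none
    return ("newly identified", sig_types[0])


def review_rows(samples):
    """Build (name, extension, type, status, mismatch) rows for a listing."""
    rows = []
    for name, data in samples:
        status, ftype = check_file_type(name, data)
        rows.append((name, extension_of(name), ftype, status,
                     status == "newly identified"))
    return rows


# Constructed sample files (names and contents are made up)
SAMPLES = [
    ("tiny.jpg", b"\xff\xd8"),
    ("holiday.JPEG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("notes.doc", b"PK\x03\x04" + b"\x00" * 16),
    ("report.pdf", b"\x00" * 32),
    ("data.xyz", b"\x01" * 32),
    ("README", b"%PDF-1.4 constructed"),
]

if __name__ == "__main__":
    for row in review_rows(SAMPLES):
        print("%-14s ext=%-5s type=%-5s status=%-17s mismatch=%s" % row)
```

Rows with `mismatch=True` correspond to the cases where the notes say the Type and Category columns are updated and turn blue.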
| #88: WinHex & X-Ways Forensics 12.8
SR-5 released
Feb 21, 2006 |
This mailing is to announce a service
release, v12.8 SR-5.
WinHex download URL: http://www.x-ways.net/winhex.zip
Registered users and in particular users of X-Ways Forensics please go to
http://www.x-ways.net/winhex/upgrade.html for more information such as
update maintenance, download links, etc.
* In v12.8 including SR-1 through SR-4, the fictitious Free Space file on
FAT volumes did not have the correct contents, i.e. it covered clusters that
were not actually free and missed clusters that were free. This has now
been fixed. Other file systems and versions prior to v12.8 are not affected.
* "Block only" option in File Recovery by Type fixed. (since SR-4)
* HFS+ volumes with heavy catalog file fragmentation now supported.
(since SR-2)
* An exception error in v12.8 was fixed that could occur when reopening
partitions from physical disks or images. (since SR-2)
* Some minor improvements.
UPCOMING X-WAYS FORENSICS CLASSES
Washington DC: May 8-11
http://www.x-ways.net/signup_washington_dc.html
Phoenix, AZ: Oct 9-12 http://www.x-ways.net/signup_phoenix.html
Please follow the links for details or send e-mail to mail@x-ways.com. Thank
you! |
| #87: WinHex & X-Ways Forensics 12.8 released
Feb 9, 2006 |
This mailing is to announce a major update,
v12.8.
WinHex download URL: http://www.x-ways.net/winhex.zip
Registered users and in particular users of X-Ways Forensics please go to
http://www.x-ways.net/winhex/upgrade.html for more information such as
update maintenance, download links, and upgrade offers. Upgrading starts a
new update maintenance period of 12 months.
UPCOMING X-WAYS FORENSICS CLASSES
Washington DC: May 8-11
http://www.x-ways.net/signup_washington_dc.html
Phoenix, AZ: Oct 9-12 http://www.x-ways.net/signup_phoenix.html
Please follow the links for details or send e-mail to mail@x-ways.com. Thank
you!
WHAT'S NEW IN V12.8?
* Support for the HFS file system. (forensic licenses only)
* Time zone concept (requires a specialist or forensic license):
WinHex no longer employs Windows' logic for converting UTC to local
filetimes and displays timestamps independently of the time zone selected in
the examiner's system's Control Panel. When working with a case, the time
zone selected for that case applies globally to the entire program
(selectable in the Case Properties dialog or the General Options dialog),
otherwise the one selected in the General Options dialog. When working with
a case, optionally it is possible to specify different time zones per
evidence object, so that you can always see local filetimes even for media
that were used in different time zones, if preferable. Note that the
timestamps are converted for display only. That means, sorting is based on
absolute UTC timestamps, which in some cases can yield surprising results in
a recursive view in the case root that covers multiple media set to
different time zones. Optionally, the actually used conversion bias can be
displayed in the directory browser columns as well (see directory browser
options). Time- stamps on FAT volumes are never converted as they are not
available in UTC, but based on one or several unknown local time zones.
* When refining the volume snapshot, you now have the option to search for
files by header signature in used drive space in addition to free space.
* Files found with the aforementioned method are included in the volume
snapshot only if no other file in the snapshot already starts at the same
cluster or if they are not aligned at cluster boundaries. That means that
volume snapshots refined with v12.8 and later will list fewer duplicates.
* The internal ID that files and directories have in the internal volume
snapshot can now be seen in an optional column in the directory browser.
Sorting by that internal ID can help you easily identify those files that
have been added last to a volume snapshot when you use Specialist | Refine
Volume Snapshot.
* While it is not possible to remove files or directories from an evidence
file container, you can now belatedly suppress items (e.g. if they were
added accidentally). This is how: Open the container and interpret it like a
regular image file, hide the items, and then deactivate them with the
Specialist | Evidence File Container menu. Unlike hiding, this is a
permanent change in the container. Again, this operation does not physically
remove items from a container.
* The volume slack (an area on a partition that was formerly called logical
surplus sectors in WinHex) is now easily viewable and searchable in newly
created volume snapshots as another fictitious file in the root directory.
* Improvements in UFS and UDF file system support.
* MFT auto coloring feature available (see General Options).
Automatically highlights the elements of NTFS FILE records.
(specialist and forensic licenses only)
* On NTFS volumes, the MFT's bitmap is now easily viewable in newly created
volume snapshots as another system file stream in the root directory. In
that bitmap you can see which FILE records are marked as in use and which
ones are unused.
* Support for NTFS volumes with extreme $MFT fragmentation improved.
* Volume snapshots now show fewer non-existent garbage files in the
fictitious "Path unknown" directory on Ext3 volumes.
* Ability to carve out files with the Ext2/Ext3 block logic that exceed the
size of available main memory.
* The mouse wheel now generally scrolls in the window that the mouse cursor
currently hovers over, not the window that is active (i.e. has the input
focus). The mouse wheel now also works in templates.
* Statistics on total number of items and number of tagged and hidden items
in a volume snapshot, available in the Refine Volume Snapshot dialog window.
Ability to hide all tagged files on a volume with a single command in the
directory browser context menu, in addition to "Hide all untagged items".
* Fictitious items are now counted as files or directories in the directory
browser header line.
* Unless already in a recursive view and directories are output, the
selection statistics now works recursively. That means, when you select a
directory in the directory browser, all items in that directory and all its
subdirectories (except unrecoverable deleted files) are counted, plus the
total size of all these items is displayed.
* Knowing the total recursive size of the selection, X-Ways Forensics now
displays the overall progress in the progress indicator window when
searching logically.
* When searching logically and outputting the results as a table of files
with hits, the progress indicator window now keeps you updated on the total
number of files added to that table.
* When searching logically in a recursive view in the case root window, it
is now possible to output search hit lists.
* WinHex can now often display the context of search hits for which no
physical offset is known (usually because the hit is in an NTFS-compressed
file).
* Free space and slack space are now highlighted in two different colors.
* Handling of incomplete .e01 evidence files improved.
* When hiding duplicate files based on identical hash values, a comment is
now left with both duplicate items, so that you can later easily locate the
respective other item if necessary, e.g.
when you later find out that these items are relevant and need to know the
name, path or timestamps of the hidden duplicate.
* The "Archive Case" command now creates a backup of the current case and
its entire case folder, not just certain files, in a .zip archive that is
compressed.
* In the directory browser you can now press the Backspace key to move to
the parent directory.
* Ability to export file lists from the directory browser to a tab-delimited
text file, as a substitute for the Create Drive/Directory Contents Table
command for volumes that are not associated as evidence objects or when not
working with a case at all.
* The Create Drive Contents Table command has been removed from the menu,
but before it will be fully removed, it is still available via the Shift+F10
keyboard shortcut. The Create Drive Contents Table command has been
superseded by the volume snapshot concept in conjunction with dynamic
filters.
* Fixed an error that prevented the use of "Synchronize & Compare"
with interpreted evidence files.
* Exception during File Recovery by Type at byte level fixed.
* Error fixed that in certain situations caused X-Ways Forensics to overlook
footers when using File Recovery by Type. (since
v12.75 SR-3)
* The size of physical RAM is now correctly detected if larger than 2 GB.
(since v12.75 SR-4)
* Hash values, corresponding hash sets and categories from the volume
snapshot are now optionally reassociated with report tables on loading, as
was previously already the case for the tagging status and comments. All of
these columns are not present in report tables intrinsically. (since v12.75
SR-4)
* Ability to fuse hash sets when importing an entire folder re-enabled.
(since v12.75 SR-5)
* Failure to optionally include deleted files in user-created internal hash
sets fixed. (since v12.75 SR-6)
* Several other minor improvements. |
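The time zone concept in the v12.8 notes above converts timestamps for display only while sorting stays on the stored values, which is why a recursive case root view can look out of order. The following Python sketch is an added example, not X-Ways code: the evidence objects, biases and file entries are constructed, and using the unconverted FAT value as the sort key is an assumption.

```python
from datetime import datetime, timedelta

# Constructed case: evidence object -> (display bias in hours, file system)
EVIDENCE = {
    "Laptop (Berlin)": (+1, "NTFS"),
    "Server (New York)": (-5, "NTFS"),
    "USB stick": (+1, "FAT"),
}

# Constructed entries: (evidence object, file name, stored timestamp).
# NTFS values are UTC; the FAT value is local time of an unknown zone.
FILES = [
    ("Laptop (Berlin)", "draft.doc", datetime(2006, 2, 9, 22, 30)),
    ("Server (New York)", "upload.log", datetime(2006, 2, 9, 23, 10)),
    ("Laptop (Berlin)", "final.doc", datetime(2006, 2, 10, 0, 5)),
    ("USB stick", "copy.doc", datetime(2006, 2, 9, 23, 40)),
]


def display(evidence, stored, table=EVIDENCE):
    """Return (timestamp as shown, bias used or None)."""
    bias_hours, file_system = table[evidence]
    if file_system == "FAT":
        # Never converted: no UTC value exists to apply a bias to
        return stored, None
    return stored + timedelta(hours=bias_hours), bias_hours


def case_root_listing(files=FILES, table=EVIDENCE):
    """Sort on stored values, convert per evidence object for display only."""
    rows = []
    # Assumption: the raw FAT value takes part in the sort unconverted
    for evidence, name, stored in sorted(files, key=lambda f: f[2]):
        shown, bias = display(evidence, stored, table)
        rows.append((name, evidence, shown.strftime("%Y-%m-%d %H:%M"), bias))
    return rows


def displayed_order_is_chronological(rows):
    """True if the displayed column alone reads in ascending order."""
    shown = [row[2] for row in rows]
    return shown == sorted(shown)


def out_of_order_rows(rows):
    """Names of rows whose displayed time is earlier than the row above."""
    return [cur[0] for prev, cur in zip(rows, rows[1:]) if cur[2] < prev[2]]


if __name__ == "__main__":
    listing = case_root_listing()
    for name, evidence, shown, bias in listing:
        label = "n/a" if bias is None else "%+d h" % bias
        print("%-11s %-18s %s  bias %s" % (name, evidence, shown, label))
    print("chronological as displayed:",
          displayed_order_is_chronological(listing))
```

Showing the conversion bias column, as the notes suggest, is what lets a reviewer reconcile a row such as `upload.log` that appears hours earlier than the row above it.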
| #86: WinHex & X-Ways Forensics 12.75 released
Jan 7, 2006 |
This mailing is to announce a noteworthy
update, v12.75.
WinHex download URL:
http://www.x-ways.net/winhex.zip
Registered users and in particular users of X-Ways Forensics please go to
http://www.x-ways.net/winhex/upgrade.html for more information, download
links, and upgrade offers. If you are still in your update maintenance phase
(12 months by default), you will also receive a confirmation of when it will
expire. Upgrading starts a new update maintenance period of 12 months.
WHAT'S NEW?
* Our most valued customers can now achieve Gold status and benefit from
various exclusive amenities. For all details please see
http://www.x-ways.net/corporate/gold.html.
* If you are interested in extending update maintenance for your existing
forensic license(s) in advance, for either 1 year or 2 years, while
maintenance has not yet expired, but will expire within the next 5 months,
for example for budget reasons, you can now have the web server send you a
quote from
http://www.x-ways.net/winhex/upgrade.html.
* Forensic licenses that only allow use of the user interface for non-IT
investigators are now offered at a 50% discount (http://www.x-ways.net/order2.html).
Anyone with a forensic license can check out that user interface (General
Options, click "Reduced user interface" twice). That considerably simplified
and reduced interface is meant for investigators in law enforcement who are
specialized in areas such as white-collar crime and who do not need
profound knowledge of computers.
* It is now possible to recursively explore the evidence object overview at
the case root level, that is, list all files in all subdirectories in all
evidence objects in a convenient flat view, based on the dynamic filter
settings.
* X-Ways Forensics can now internally re-assemble hardware RAID level 5
systems in addition to level 0. The supported striping/parity patterns are:
- backward parity (Adaptec)
- backward parity dynamic (AMI)
- backward parity delayed (Compaq/HP)
- forward parity
One of the RAID component disks is redundant and can be declared missing if
not available.
* If a RAID system has been added to a case as an evidence object, it is now
easier to replace an image file that is part of that RAID system if its name
or location has changed.
* Some processes previously hidden from the RAM editor are now listed.
* It is now possible to fill evidence file containers indirectly. That
means, files are copied to the folder for temporary files first, and only
then from there to the container. This enables resident antivirus software
to check these files and prevent X-Ways Forensics from adding them to the
container in case they are infected. An evidence file container filled that
way can be reasonably moved to and examined in an environment with a higher
sensitivity. (see Security Options)
* Ability to selectively include certain columns of a report table in
the case report. (see Case Properties)
* Compatibility with overlong file paths further improved.
* The original version 12.7 incorrectly auto-detected raw images of physical
disks as images of individual partitions.
* For reasons of convenience, the Data Interpreter is now hidden in Preview
mode, Gallery mode, Calendar mode, and Legend mode (i.e. when not associated
with any visible binary data anyway). (since v12.7 SR-3)
* The edit mode specified with the second parameter of the WinHex API
function WHX_OpenEx was ignored by WinHex. This was fixed. (since v12.7
SR-3)
* Search hits in deleted files are now listed with a gray filename and path
to make it more obvious that the link between the data in the cluster and
the deleted file is weak. (since v12.7 SR-4)
* Files within deleted archives are now always listed as deleted as well.
(since v12.7 SR-4)
* An error was fixed that could occur under certain conditions when
searching files or disks larger than 2 GB. Among the symptoms were negative
search hit offsets and instability. (since v12.7 SR-5)
* When creating bookmarks based on a block selection, the suggested
description is now a more complete text excerpt from the block, filtered in
the same way as the rudimentary ASCII preview, ignoring null characters and
various non-printable characters. That way you can easily create bookmarks
around relevant search hits including the context. (since v12.7 SR-5)
* The file mode/permissions in Linux/UNIX file systems are now displayed
more completely and include SGID, sticky bit, character device and block
device. (since v12.7 SR-6)
* Files identified as notable by the hash database are now highlighted in
red. (since v12.7 SR-7)
* Auto-detected existing and deleted partitions can now optionally be sorted
and numbered based on their location on the disk, see General Options.
(since v12.7 SR-8)
* When reviewing search hit lists with Preview mode enabled, the separate
viewer component's preview now highlights the first occurrence of the search
term in that document automatically. This is not necessarily the search hit
selected in the list. The search can be continued with F3 in that document.
(since v12.7 SR-8)
* Several other minor improvements and error corrections.
* Various templates for UFS are now available online. (http://www.x-ways.net/winhex/templates/)
Belatedly:
* Bug in identification of free clusters fixed for HFS+. (since v12.65 SR-9)
* Ability to hide known irrelevant files (based on the hash database) right
away when refining the volume snapshot, and to exclude them from further
processing in the same and future runs of Refine Volume Snapshot. (since
v12.65 SR-2)
* When refining a volume snapshot, the name of the currently processed file
is displayed in the progress indicator window. (since v12.65 SR-2)
* Ability to hide duplicate files in the volume snapshot that are currently
listed in the directory browser, based on identical hash values. (since
v12.65 SR-2)