#116: WinHex, X-Ways Forensics and X-Ways Investigator 15.5 released (Dec 18, 2010)
This mailing is to announce a major update, v15.5.
WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the
correct download link for anyone with a personal, professional, or
specialist license)
Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose
update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for download links, log-in data,
update maintenance, upgrade offers, and more.
Please be advised that if you are interested in receiving information about
service releases when made available, you can create an account on the
support forum and enable e-mail notification of postings in the Announcement
section: http://www.winhex.net
We wish our users and readers a Merry Christmas and Happy Holidays.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES
Washington DC http://www.x-ways.net/training/washington_dc.html Feb 15-19
London http://www.x-ways.net/training/london.html Apr 12-16
For more information: http://www.x-ways.net/training/
-------------------------------------------------------------
WHAT'S NEW IN V15.5?
* New e-mail extraction function for Outlook PST and OST e-mail archives.
Ability to recover deleted e-mail messages if they can still be found. More
information extracted from contact entries, calendar entries, and tasks
stored in PST archives. Ability to process encrypted PST archives without
the password. Faster processing than before. An Outlook/MAPI installation is
not needed.
Some plain text e-mail messages are presented as .eml files (i.e. header and
body combined in one), others as text files, HTML e-mail messages as HTML
files. They are all marked as extracted e-mail messages in the Attribute
column. To see extracted e-mail messages, filter by the Attribute column,
not by type. Except for the .eml files, e-mail headers are presented as
child objects. The old PST processing via MAPI is still used if the "MAPI"
checkbox is checked, but the new method is then still used additionally just
to try to find deleted content.
The program help topic and the user manual chapter about e-mail extraction
have been completely revised.
* Based on a request from a major customer, X-Ways Forensics can now be used
with a special license type as a pure disk imaging tool (i.e. with disk
imaging capability only). The request was based on performance tests in
which X-Ways Forensics compared very favorably with other imaging tools,
especially when used together with hardware write blockers. These imaging
licenses are available at a special rate. For details please see
http://www.x-ways.net/forensics/dongle.html#imaging.
* New "fast, adaptive" compression option for imaging that provides an even
better speed/compression compromise than before. This is the new default
setting. The previous fast adaptive compression option is still available as
"average, adaptive".
* The HTML registry report is now output completely in tabular form, for
much better readability and import into other programs such as MS Excel for
further processing (sorting, filtering). Comments about this new format are
welcome. The name and key of each value are not output explicitly any more
by default, but can be seen as a tooltip when moving the mouse cursor over a
small white box. If you need to see the name and key explicitly for each and
every reported value for some reason, you can include them optionally via the
registry viewer's context menu.
* The second part of the registry report now gives an overview of installed
drivers, file systems, and services in addition to the very helpful tables
"Attached devices by serial number" and "Partitions by disk signature".
* The index optimization now fully utilizes the memory space advantages of
64-bit Windows environments.
* X-Ways Forensics has been found to run on Windows 7 just as well as under
Windows Vista, i.e. the same limitations (but no additional limitations)
apply.
* Improved support for dynamic disks created by Windows Vista.
* Ability to distinguish between DOCX, XLSX, PPTX, and other file types when
running a file header signature search.
* Information about the detected true type of a file (confirmed or newly
identified) is now included in evidence file containers. That information
can be imported by v15.5 and later versions. Consequently, the option "Append
correct extension when copying" is not needed any more for filling evidence
file containers and from now on will only have an effect on the Recover/Copy
command.
* In newly taken snapshots of NTFS volumes, alternate data streams, logged
utility streams etc. are now represented as child objects of the file to
which they belong. This is a more faithful representation of the actual
organization of the file system, since ADS are not listed in the directories
to which their host files belong. Instead ADS are attached to their respective
host files. Another advantage is that it is easy to navigate from any
relevant alternate data stream to its parent (e.g. by pressing the Backspace
key). Also the listing of a directory that contains many files with ADS
becomes less crowded thanks to this change. Feedback about this new feature
in particular is welcome.
* Ability to use certain Position menu commands in the case root window:
Find parent object, Navigate to FILE record/index record/inode/directory
entry etc., Jump to item number.
* When you click a deleted file in an Ext file system for which only a
directory entry is known and no inode, in Partition/Volume mode, X-Ways
Forensics will now automatically jump to the directory entry.
* Ability to navigate to the parent object from within a search hit list in
the case root window without losing that search hit list view.
* When viewing pictures with the graphics viewing library (not the viewer
component) in a separate window, you can now press Page Down/Up to proceed
to the next file in the list and view it in a new window. Press Ctrl
additionally for the same effect in a window provided by the viewer
component.
* The icon displayed for a ".." item in the directory browser now accurately
represents the parent object, i.e. indicates an existing, deleted or dummy
directory or an existing, deleted or dummy file. Tentative feature only.
* Ability to filter out hidden items in X-Ways Investigator. (In X-Ways
Investigator, files can be hidden when identifying duplicates based on hash
values.)
* The special rule for hiding duplicate e-mail messages and attachments in
the directory browser based on hash values is now optional.
* Fixed an error with the representation of volume slack on Ext* volumes.
* Fixed non-deterministic listing of unpartitionable space for physical media.
* Revised uninstall procedure that in case of X-Ways Forensics does not
require the dongle.
* Ability to manually rename automatically carved files. Useful to get the
hive names of carved registry files right for the registry report.
* The interpreted version of a raw image of a physical hard disk can now be
selected as the destination for cloning. This is useful for example if you
want to copy a range of sectors from one image to another. Supported in
WinHex only, not X-Ways Forensics.
* Ability to shut down the computer after completion of disk cloning or
after restoring an image back to a disk.
* Improved support for deconstruction of MHT files.
* Fixed an error that could occur in the representation of GUIDs in
templates.
* The Details Panel has been renamed to Info Pane in the English user
interface, to avoid confusion with Details mode.
* In the original v15.4 version, the skin color percentage was initialized
with 0%, and the column widths could not easily be changed in the Directory
Browser Options dialog. This was all fixed with v15.4 SR-1.
* Improved ability to recognize dummy partitions defined in MBRs on Apple
style GPT-partitioned disks as such. (since v15.4 SR-2)
* It is now optionally possible to apply *any* kind of filter to
directories, too. Previously that was possible for the Name filter only.
Useful for example for timestamp filters or Attribute filters. See Directory
Browser Options. (since v15.4 SR-2)
* The filename filter now optionally supports GREP syntax. The conventional
notation to find files whose names contain the word "invoice" for example
was *invoice*. With the GREP option enabled you just search for "invoice".
(since v15.4 SR-2)
* New option +29 in investigator.ini that prevents the menu command "Replace
with new image" from appearing in X-Ways Investigator. (since v15.4 SR-2)
* Back and Forward buttons added to toolbar in X-Ways Investigator. (since
v15.4 SR-2)
* Ability to show the history of the last 10 authors and file paths in MS
Word documents in some rare cases where previously it couldn't. (since v15.4
SR-2)
* Support for sector numbers larger than 2^32 in Tools | Disk Tools | Clone
Disk. (since v15.4 SR-2)
* The skin color percentage filter did not work in v15.4 up to SR-1. This
was fixed with v15.4 SR-2.
* The edit box for search terms in Simultaneous Search now by default allows
you to enter 100,000 characters instead of about 30,000. When search terms
are loaded from a text file, there is no fixed limit. (since v15.4 SR-2)
* Fixed occasional unavailability of menu command "Save hit permanently"
(for index search hits). (since v15.4 SR-2)
* Avoided exception error that could occur in v15.4 up to SR-1 when
attaching external files to a volume snapshot. (since v15.4 SR-2)
* Fixed new search hit count for search hits listed in the case root window.
(since v15.4 SR-2)
* Fixed an error that could render an index incomplete if substrings were
indexed, words in the exception list were longer than the maximum word
length being indexed, and the index was optimized. It did not occur with
default settings. (since v15.4 SR-3)
* Fixed an exception error that could occur under certain circumstances when
running an index search. (since v15.4 SR-3)
* Improved certain aspects of directory browser navigation and gallery
handling. (since v15.4 SR-3)
* Lifted limitation to a search term length of 50 bytes in Simultaneous
Search for some more settings. (since v15.4 SR-3)
* The Recover/Copy command did not apply the original time-stamps for files
from within archives in v15.4 up to SR-3. This was fixed with SR-4.
* When in the process of filling an evidence file container with selected
files in multiple steps, if you open and interpret the container or add it
to the case to take a look at what files you had already included in the
container, you may now keep that window open and simply take a new volume
snapshot at any time to see the current contents of the container after
adding more files. (since v15.4 SR-4)
* When exporting the contents of the metadata column as a tab-delimited
ASCII or Unicode text file, line breaks are now replaced with semicolons
instead of spaces, so that the data can be better parsed automatically.
(since v15.4 SR-4)
* Fixed an error in metadata extraction from QuickTime files. (since v15.4
SR-4)
* Fixed an avoidable sector read error that could occur when real sector
read errors occurred in the Clone Disk functionality. (since v15.4 SR-4)
* Now supports both deletion and internal creation time-stamps for files in
evidence file containers at the same time. (since v15.4 SR-4)
* A new command was added to the case menu that allows you to conveniently
open previously saved reports and display them in the associated or
specified application. (since v15.4 SR-5)
* When identifying duplicate files based on hash value, and one of the files
has been marked as already viewed, then the duplicates can optionally be
marked as already viewed, too. Similarly, if files have already been marked
as having duplicates and their hash values are available, then when they are
viewed, duplicates within the same volume will be marked as already viewed
at the same time. (since v15.4 SR-5)
* The crash-safe text decoding mechanism that was introduced with v15.3 is
now optional (see Options | Viewer Programs) as it is slower than the
earlier method. Once the results are buffered in the volume snapshot, there
is no speed difference any more. (since v15.4 SR-5)
* .eml files are no longer decoded for logical searches and indexing when
searching for/indexing 7-bit ASCII characters only anyway. In this case
searching in/indexing .eml files in their natural state should be good
enough. This saves time (especially with the crash-safe decoding mechanism)
and reduces the number of duplicate search hits. (since v15.4 SR-5)
* When storing a hash value along with files that are copied into an
evidence file container, that hash value is not re-computed any more if it's
already available from the volume snapshot. (since v15.4 SR-5)
* When in a dialog window for any column-based filter you don't activate a
deactivated filter, the directory browser is not unnecessarily filled from
scratch any more when closing the dialog, so that you don't have to wait if
sorting is slow and so that you don't lose selection and scroll position.
(since v15.4 SR-5)
* Search hits found when not working with a case are stored in the Position
Manager. They are now no longer kept automatically when closing WinHex, but
deleted, except those that have been edited using the context menu.
(since v15.4 SR-5)
* The legacy option to use the picture viewing library from v13.6 has been
removed. (since v15.4 SR-5)
* If a Simultaneous Search is run with search terms A and B, where B is a
substring of A, then a search hit that qualifies as a hit for both A and B
is now counted as a hit for both. In earlier versions it was counted as 1
hit only, for the search term that was specified first. (since v15.4 SR-6)
Example: In "Peter Peterson" you will now get 2 hits for "Peter" and 1 hit
for "Peterson". In earlier versions you would have received either 1 hit for
"Peter" and 1 for "Peterson" or 2 hits for "Peter", depending on your
preference.
If you don't want to get hits for both "Peter" and "Peterson" in the text
"Peterson", you can still use the search hit list's context menu command
"Delete duplicate hits in list". This command gives priority to longer hits,
i.e. keeps "Peterson" and discards the hit for "Peter".
* Fixed the functionality that saves index search hits permanently. (since
v15.4 SR-6)
* Searching in indexes of multiple evidence objects at a time from the case
root window did not work correctly for some recent service releases. This
was fixed with v15.4 SR-6.
* When hiding duplicates in the directory browser based on hash values,
priority is now given to non-carved files, i.e. when in doubt, carved files
are hidden and their equivalents with file system metadata are retained.
(since v15.4 SR-6)
* It is now possible to start the volume snapshot refinement for selected
evidence objects from the case root window. (since v15.4 SR-6)
* Better support for carving Nikon NEF and Canon CR2 raw files as part of
the TIFF file type signature definition. Ability to automatically
distinguish between these subtypes and detect the file size. (since v15.4
SR-7)
* TIFF metadata extraction revised. (since v15.4 SR-7)
* MS Office 2007, MS Office 2010, OpenOffice 3 metadata extraction revised.
The typical fields such as Company, Author and Title now have the same names
as in earlier Office versions, which makes it easier to filter by them.
(since v15.4 SR-7)
* The search hits produced by physical searches run on physical media or
images of physical media that are associated with a case as evidence objects
are now also shown in search hit lists and not in the global Position
Manager. (since v15.4 SR-7)
* An error that occurred under certain circumstances during a search,
related to the message "Unable to record a search hit" or in earlier
versions "Internal search term list inconsistent", was fixed. (since v15.4
SR-7)
* The German letter "ß" will not be considered equivalent to "ss" any more
for searches that populate the search term list and the search hit list.
(since v15.4 SR-7)
* Fixed an error with SR-7 that could occur in v15.4 SR-6 when hiding
duplicates in the directory browser based on hash values in the case root
window.
* An error was fixed with SR-8 that in v15.4 SR-7 prevented the inclusion of
hash values of some files in the volume snapshot.
* It is now possible to open volumes mounted as drive letters even if they
are not formatted with a valid file system. (since v15.4 SR-8)
* The backspace key on the keyboard as a shortcut to navigate to a file's
parent object now works in the gallery, too. That is useful for example if
you look at video stills in the gallery and want to play the video that a
certain still belongs to. Remember that when finished you can click the Back
button in the toolbar to return to the previous list of stills. (since v15.4
SR-8)
* Ability to find multiple sessions on images of CDs in some cases where
previously only the first session was found. (since v15.4 SR-8)
* Fixed an exception error with SR-8 that occurred in v15.4 SR-7 when
extracting metadata without extracting internal creation timestamps at the
same time.
* Now accepts lower case hex digits in record length indicator in Intel Hex
files when converting them to binary. (since v15.4 SR-9)
* Ability to extract JPEG and PNG files from Firefox _CACHE_ container
files. (since v15.4 SR-9)
* Fixed path errors that occurred when opening a case file using a command
line parameter without path. (since v15.4 SR-9)
* Fixed an error that caused X-Ways Forensics to not extract e-mail messages
from valid e-mail archives in certain situations. This was accompanied by
the "No e-mail found" message. (since v15.4 SR-9)
* More stable when processing corrupt (e.g. carved) AOL PFC e-mail archives.
(since v15.4 SR-9)
* Avoids an error message when using the case root window in more than one
session simultaneously. (since v15.4 SR-10)
* Shows permissions for files stored in an NTFS file system even in the case
root window. (since v15.4 SR-10)
* Exception error fixed with SR-10 that in SR-9 could occur when processing
certain AOL PFC e-mail archives.
* Fixed "...is not a valid integer value" error that could occur when
extracting e-mail from e-mail archives in SR-9.
* Fixed an error in the GREP search engine. (since v15.4 SR-10)
* Fixed an exception error that could occur when including the contents of
encrypted archives in the volume snapshot. (since v15.4 SR-10)
* Individual "File Type Categories.txt" file for each user of a shared
installation of X-Ways Forensics/X-Ways Investigator, so that individual
file type filter settings are remembered. Depends on whether a user-specific
.cfg file is used also, or only one generic WinHex.cfg file. (since v15.4
SR-11)
* When focussing on e-mail messages using e.g. an Attribute filter and
selecting e-mail messages that have attachments as child objects for the
Recover/Copy command, the attachments were not copied even when [x] "Copy
child objects of selected files" was checked, because the filter for e-mail
messages did not let any other kinds of files through. This is probably
undesirable in most situations, so the behavior was changed in such a way
that filters now do not have any effect on the Recover/Copy command any
more, and also no effect any more on the command that adds files to an
evidence file container. (since v15.4 SR-11)
* Fixed freeze problem that could occur with the new 8.3.2 version of the
viewer component in Preview mode in search hit lists. (since v15.4 SR-11)
* Avoids error message about being unable to apply original timestamps to
recovered/copied files that were carved within FAT partitions. (since v15.4
SR-11)
* Fixed an error that caused Unicode search hits in the Position Manager to
be recorded with a description that was off by 1 character. (since v15.4
SR-11)
* Fixed an error that could cause a path recreation error in the
Recover/Copy command of the non-forensic edition of WinHex under certain
circumstances. (since v15.4 SR-11)
* Fixed an error with SR-11 that in certain situations within large files
could make a search hit be listed once for every search term instead of just
for one in v15.4 SR-6 through SR-10.
* Fixed read error in SR-11 that occurred when scanning e-mail attachments
for embedded pictures. (since v15.4 SR-12)
* Fixed an exception error that could occur when processing certain MP3
files. (since v15.4 SR-12)
* Fixed an error that prevented usage of a new output drive when running out
of space during indexing. (since v15.4 SR-12)
* Better handling of circular links in deleted directory entries in Ext file
systems. (since v15.4 SR-12)
* MANY other minor improvements.
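The overlapping-hit counting and the "Delete duplicate hits in list" behaviour described in the v15.4 SR-6 item above, as an added Python example written for this page (illustrative code, not X-Ways' search engine); the Hit class and function names are my own.

```python
"""Added example (not X-Ways code): count Simultaneous Search hits for
overlapping search terms, then drop overlapping shorter hits the way the
"Delete duplicate hits in list" command is described to do."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    term: str     # search term that produced the hit
    offset: int   # character offset of the hit in the searched text
    length: int   # length of the matched term

    @property
    def end(self) -> int:
        return self.offset + self.length


def find_hits(text: str, terms: list[str], case_sensitive: bool = False) -> list[Hit]:
    """Report every occurrence of every term, overlaps included: a hit that
    qualifies for both "Peter" and "Peterson" is counted for both."""
    flags = 0 if case_sensitive else re.IGNORECASE
    hits: list[Hit] = []
    for term in terms:
        # A zero-width lookahead also finds overlapping occurrences of one term.
        for m in re.finditer("(?=" + re.escape(term) + ")", text, flags):
            hits.append(Hit(term, m.start(), len(term)))
    return sorted(hits, key=lambda h: (h.offset, -h.length))


def count_hits(hits: list[Hit]) -> dict[str, int]:
    """Per-term hit counts, as the search term list would show them."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.term] = counts.get(h.term, 0) + 1
    return counts


def delete_duplicate_hits(hits: list[Hit]) -> list[Hit]:
    """Where hits overlap, keep the longer one (so "Peterson" survives and the
    "Peter" inside it is discarded), then return the survivors in text order."""
    kept: list[Hit] = []
    for h in sorted(hits, key=lambda h: (-h.length, h.offset)):
        if not any(h.offset < k.end and k.offset < h.end for k in kept):
            kept.append(h)
    return sorted(kept, key=lambda h: h.offset)


if __name__ == "__main__":
    sample = "Peter Peterson"   # constructed text, taken from the item above
    hits = find_hits(sample, ["Peter", "Peterson"])
    print(count_hits(hits))                         # {'Peter': 2, 'Peterson': 1}
    print(count_hits(delete_duplicate_hits(hits)))  # {'Peter': 1, 'Peterson': 1}
```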
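An Intel HEX to binary converter that accepts lower-case hex digits in every field, including the record length indicator mentioned in the v15.4 SR-9 item above; this is an added example written for this page, not the WinHex conversion code, and the sample records are constructed here.

```python
"""Added example (not X-Ways code): convert Intel HEX records to binary,
accepting upper- or lower-case hex digits in every field."""
import re

# :LL AAAA TT DD...DD CC  (length, address, type, data, checksum), either case.
# A pattern written as [0-9A-F] only would reject a length field such as "0a".
_RECORD_RE = re.compile(
    r"^:([0-9A-Fa-f]{2})([0-9A-Fa-f]{4})([0-9A-Fa-f]{2})((?:[0-9A-Fa-f]{2})*)([0-9A-Fa-f]{2})$"
)
DATA, EOF, EXT_SEGMENT, EXT_LINEAR = 0x00, 0x01, 0x02, 0x04


def parse_record(line: str) -> tuple[int, int, bytes]:
    """Parse one record and verify its length field and checksum.
    Returns (address, record type, data); raises ValueError on a bad record."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("malformed record: " + line.strip())
    length = int(m.group(1), 16)      # int(..., 16) accepts 'a'-'f' and 'A'-'F'
    addr = int(m.group(2), 16)
    rtype = int(m.group(3), 16)
    data = bytes.fromhex(m.group(4))  # bytes.fromhex is case-insensitive too
    checksum = int(m.group(5), 16)
    if len(data) != length:
        raise ValueError("length field %d but %d data bytes" % (length, len(data)))
    # The checksum is the two's complement of all preceding bytes, so the byte
    # sum over the whole record (checksum included) must be 0 modulo 256.
    if (length + (addr >> 8) + (addr & 0xFF) + rtype + sum(data) + checksum) & 0xFF:
        raise ValueError("checksum mismatch: " + line.strip())
    return addr, rtype, data


def is_valid_record(line: str) -> bool:
    try:
        parse_record(line)
        return True
    except ValueError:
        return False


def intel_hex_to_binary(text: str, fill: int = 0xFF) -> tuple[bytes, int]:
    """Assemble all data records into one image. Returns (image, start address);
    gaps between records are padded with `fill`."""
    image: dict[int, int] = {}
    base = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, rtype, data = parse_record(line)
        if rtype == DATA:
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == EOF:
            break
        elif rtype == EXT_SEGMENT:      # bits 4..19 of the base address
            base = int.from_bytes(data, "big") << 4
        elif rtype == EXT_LINEAR:       # upper 16 bits of the base address
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError("unsupported record type %02X" % rtype)
    if not image:
        return b"", 0
    lo, hi = min(image), max(image)
    return bytes(image.get(a, fill) for a in range(lo, hi + 1)), lo


# Constructed sample: an upper-case data record, then a record written
# entirely in lower case (length field "0a" included), then the EOF record.
SAMPLE_HEX = "\n".join([
    ":10010000214601360121470136007EFE09D2190140",
    ":0a0110000102030405060708090aae",
    ":00000001ff",
])

if __name__ == "__main__":
    image, start = intel_hex_to_binary(SAMPLE_HEX)
    print(hex(start), image.hex())
```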
#115: WinHex, X-Ways Forensics and X-Ways Investigator 15.4 released (July 31, 2010)
This mailing is to announce a major update, v15.4.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose
update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information such as
download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES
Washington DC http://www.x-ways.net/training/washington_dc.html Sep 17+18
London http://www.x-ways.net/training/london.html Sep 23-25
Hong Kong http://www.x-ways.net/training/hong_kong.html Nov 9-11
For more information: http://www.x-ways.net/training/
-------------------------------------------------------------
WHAT'S NEW IN V15.4?
* Considerably reduced main memory requirements for large volume snapshots
(i.e. snapshots of volumes with a lot of files), allowing you to open and
analyze volumes with many millions more files than in earlier versions
(roughly 100% more) with the same amount of available main memory. Please
note that the volume snapshot format has changed, so that earlier versions
cannot open volume snapshots saved by v15.4 and later!
* The Back and Forward commands in the Position menu and the Back and
Forward buttons in the toolbar now allow you to conveniently go back to a
certain directory browser setting. This takes into account: explored path,
recursive or non-recursive, sort criteria, on/off state of all filters,
settings of some of the filters, some directory browser options. The Back
and Forward commands also allow you to activate the previously active data
window again when switching between windows (does not work for viewer
windows yet). Forensic license only.
* The filters have been given some "intelligence" when navigating from a
parent file to a child file or vice-versa, so that the filters "know" when
it's a good time to be turned off. Forensic license only. For example:
- If you are using a filter to focus on all extracted e-mail messages
recursively, and then you double-click an individual e-mail message to have
a look at its attachments in the directory browser, the filter is
automatically deactivated, so that you can actually see these attachments. A
simple click on the Back button returns to the previous point of exploration
and restores the previous filter settings and the last selection, so that
you can easily continue reviewing the next e-mail message!
- If you are using a filter to focus on videos or documents, and then you
double-click a video or a document to see the video stills exported for that
video or the embedded pictures in that document, respectively, the filter is
automatically deactivated, too.
- When you are viewing video stills only, in a gallery, and you use the
Backspace key or "Find parent object" menu command to navigate to the video
that this still belongs to (e.g. in order to play that video), then any
active filters will be turned off so that the video can actually be listed.
A simple click on the Back button returns to the previous overview of
stills, enables the previous filters again, and restores the last selected
item, so that you can easily continue with the next still!
- This works analogously when systematically looking at e-mail attachments,
if occasionally for relevant attachments you would like to view the
containing e-mail message (and e.g. print it or include it in a report) and
then return to the list of attachments.
These two new features combined, intelligent filters on the one hand and
back/forward navigation in the directory browser on the other hand, are
expected to further improve the usability of the software tremendously.
* It is now possible to explore directories and files with child objects
listed in the case root window, e.g. by double-clicking them. For that, the
data window that represents the evidence object containing the directory or
file will automatically be activated. With the Back command you can
conveniently return to the case root window.
* It's now possible to see and copy the hit counts for selected search terms
in the search term list. These hit counts are based on the current settings
for the search hit list that is on the screen, take all filters into
account, the explored path, any active AND combination etc. Forensic license
only.
* It is now possible to search for more than 1 search term at a time in an
index search. It is now also possible to control the substring and word
extension options for index searches run from within the case root window.
Forensic license only.
* Even more deleted files can now typically be found on NTFS volumes and
included in the refined volume snapshot when running the particularly
thorough file system data structure search. These deleted files can be listed
with filenames, path, timestamps etc. Forensic license only.
* Often X-Ways Forensics can now also retrieve a true deletion timestamp for
previously existing files during the particularly thorough file system data
structure search on NTFS volumes. Even more deletion timestamps can be
found when viewing/previewing $UsnJrnl:$J. This is a very unique feature.
Forensic license only. Please don't confuse it with so-called deletion
timestamps that other forensic tools may show you on NTFS volumes, for files
that have not even been deleted from the file system.
* Option to exclude deleted files from volume snapshots when they are
taken. Useful if you are not interested in or not supposed to look at deleted
files.
* Option to exclude the time-consuming search for FILE records outside of
the $MFT from the particularly thorough data structure search in NTFS.
* Improved StreamMRU decoding for the registry report to reveal folders on
removable media.
* Improved detection of the sector size and different Apple partition table
layouts in CD/DVD raw images.
* Support for HFS+ volumes on optical discs or in images with a sector size
of 2048 bytes. Forensic license only.
* Ability to change the attributes "temporary" and "not indexed" of a file
in File | Properties, using the letters T and X, respectively.
* More of the .dir files in which volume snapshots are stored, .xfi index
files, and images created by v15.4 will not be indexed any more by Windows
if indexing is enabled, to save time and drive space.
* Several minor improvements.
* Toggling decimal and hexadecimal offsets by clicking the offset column
stopped working in certain situations in v15.2 and v15.3. This was fixed.
* An infinite loop is now prevented that could occur when creating an index
and writing the index on a remote network drive failed.
* If in the midst of an ongoing Case Save As operation the auto-save
interval of that case elapsed, this interrupted the Save As operation with
error messages. That was fixed.
* When the same file is added to the same evidence file container again, and
if the version of the file in the container includes metadata only, because
it was copied indirectly and only to replicate the path of one of its child
objects, and when the same file is to be added again specifically along with
its contents, then the new version of the file (with contents) will now
replace the old version of the file (without contents). Previously, the file
would not have been copied again. (since v15.3 SR-1)
* If multiple search terms were used in the original 15.3 version in
Simultaneous Search with the GREP option enabled, only the first one was
actually searched for. This was fixed with v15.3 SR-1.
* More user account information is extracted from the SAM registry hive as
part of the Windows registry report. (since v15.3 SR-1)
* The Convert script command now supports the parameters "hiberfil Binary"
for automated hiberfil.sys decompression. (since v15.3 SR-1)
* More thorough check for file systems in partitions defined by conventional
Apple partition maps. (since v15.3 SR-1)
* More information in the Messages window when refining the volume snapshots
of several evidence objects about which evidence object is currently being
processed. (since v15.3 SR-2)
* A common situation when refining the volume snapshot is that files in
carved zip archives cannot be opened because the zip archive is incomplete
or corrupted. In that case the number of error messages that is output in
the messages window is greatly reduced, the affected files are marked as
"File contents unknown" in the Attribute column, and no more attempts are
made to open such files, which should accelerate the volume snapshot
refinement and result in better stability. (since v15.3 SR-2)
* The NTFS flag for "not indexed" is now output in the Attr. column. (since
v15.3 SR-2)
* More information in preview of $UsnJrnl:$J. (since v15.3 SR-2)
* The registry report now extracts disk signatures and partition start
sectors from MountedDevices values. (since v15.3 SR-2)
* A virtual loss of search hits could occur in certain special situations.
This was related to the new storage method of search hits in v15.3, and it
is now prevented. Search hits "lost" because of this error are recovered by
v15.3 SR-3 if no new search has been run in the same evidence object. (since
v15.3 SR-3)
* Search hits in the decoded version of PDF/HTML/... files could be
displayed with incorrect contents in v15.3, depending on the sort criterion.
This was fixed. (since v15.3 SR-3)
* Opening large NTFS volumes is now much faster. (since v15.3 SR-3)
* The tab labels of windows that represent interpreted images and partitions
on images are now shorter, so that more tabs fit on the screen. The
partition numbers remain visible in the tabs even if the image name is long.
(since v15.3 SR-3)
* Fixed the details panel's display of the RAID component and relative
sector number of internally reconstructed RAIDs of level 0. It worked for
RAID 5 before only. (since v15.3 SR-3)
* The case is now saved again immediately after a search is completed or
aborted, so that search results are not lost if the program crashes or
freezes before the case is saved next time after that. (since v15.3 SR-4)
* Ability to recover/copy files with their paths if part of the path is a
directory whose name consists only of a single dot. Useful for files
associated with traces of old NTFS root directories. Just the dot is
considered an illegal name by Windows, hence "." is now renamed to "_".
(since v15.3 SR-4)
* Avoids that our company name will be used in e-mail extracted from Outlook
"Sent Items" as a substitute for a missing original X-Mailer line. (since
v15.3 SR-4)
* Fixed inability to open case report after its creation when the filename
specified by the user lacked the .html extension. (since v15.3 SR-4)
#114: WinHex, X-Ways Forensics and X-Ways Investigator 15.3 released (May 11, 2009)
This mailing is to announce a noteworthy update, v15.3.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose
update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information such as
download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES
Los Angeles, June 10-12 http://www.x-ways.net/training/los_angeles.html
Seattle, June 15-17 http://www.x-ways.net/training/seattle.html
For more information: http://www.x-ways.net/training/
A second training date in Seattle might be scheduled soon.
-------------------------------------------------------------
A new version of the viewer component is now available for
download to licensed owners of X-Ways Forensics with update
maintenance. Changes include:
* Open Office 2.x / Star Office 8.0 Calc enhancements
* MS Office 2007 chart support (most chart types)
* support for AutoCAD 2007
* enhancement of AutoCAD 2005 & 2006 beyond text only
* JPEG2000 support extended
* other improvements and presumably error corrections
-------------------------------------------------------------
WHAT'S NEW IN V15.3?
* The index optimization step was reworked. It can now use a user-defined
number of processor cores simultaneously and a user-defined amount of main
memory per process, optimize faster and more thoroughly and better utilize
memory.
* Improved memory handling for search hits. Search hits no longer require
additional memory when loading or saving the case. Memory for search hits is
now needed only while the evidence object is open (as was already the case
with memory for volume snapshots). The limit that main memory imposes on the
number of search hits in one evidence object was slightly raised (several
tens of millions of search hits are now possible). Search hits saved by v15.3
can no longer be loaded by older versions.
* The menu items for simultaneous search and the index searches have been
moved to the top of the menu (for license types in which they are
available), since they are the most important ones in the Search menu.
* Decoding the text in PDF, HTML, and various other documents for the
logical search and for indexing can no longer cause the program to freeze or
crash if the viewer component has problems processing the file e.g. because
the file is corrupt.
* When attempting to view or preview a file with the viewer component that is
known to cause crashes, you are asked whether you are really sure you would
like to view the file.
* The Raw option of Preview mode is now automatically disabled when viewing a
file of a different type. This is because too many users forget about it
after having viewed e-mail or HTML or XML files in Raw mode (where it makes
sense) and continue using it for other file types as well, thereby missing a
faithful representation of important document types.
* Detects if hash database is in use, to avoid conflicts when updating it.
* The integrity test of the hash database can now be aborted.
* When you add an excerpt from a file to the volume snapshot as a virtual
file (select a block in File mode and use the Edit menu for that), the
resulting file is now marked as "excerpt" in the Attr. column and is
filterable like this.
* In main memory (local live main memory or memory dumps), Windows kernel
data structures and named objects are now conveniently listed in a tree in
the volume snapshot. Other objects will be listed per process in the handle
table.
* Loaded modules are now listed as well, in a virtual directory named
"Modules". That enables X-Ways Forensics to allocate their memory pages in
RAM mode to them, and to compute hashes for them so that they can be
identified via special hash sets, where optionally and ideally only their
invariable headers are hashed.
* Various other improvements in main memory analysis, better support for
64-bit Windows versions, and generally more robust now.
* The file "File Type Signatures Memory Search.txt" extends the file header
signature search and is now downloadable from
http://www.x-ways.net/winhex/templates/File%20Type%20Signatures%20Memory%20Search.txt
That file contains signature definitions for TCP, ADR, UDP, ICMP, and IGMP
packets, is applicable only to memory dumps, and its signatures are to be
searched byte-aligned.
* 4 additional data types have been added to the Data Interpreter: SID
(security identifiers), IP addresses, packed 7-bit ASCII strings, and
unsigned 48-bit integers. IP addresses and unsigned 48-bit integers are also
available in templates, and the variable type is called "IP". They are both
helpful for manual 64-bit main memory analysis.
* 4 additional hash types have been added: RipeMD-128, RipeMD-160, MD4, and
(specialist or forensic license only) ed2k. ed2k is based on MD4 and used in
file sharing programs.
* The case report can now optionally be split into multiple HTML files if
too many pictures are to be included (like hundreds or thousands) that give
Internet browsers or other programs a headache when loading the HTML file.
* It is now possible to output the report for selected evidence objects only,
not simply for all evidence objects, via an additional checkbox in the report
options dialog. (forensic license only)
* Clickable links to attachments in e-mails in Preview mode now work in some
very rare cases where they previously didn't.
* A new filter has been introduced that allows you to focus on files that
have already been viewed by the examiner, or on files that have not been
viewed yet. See Directory Browser Options. (forensic license only)
* Some options from the Security Options and the Directory Browser Options
that affect the creation of volume snapshots have been moved to a separate
dialog box that you can access via a button in the Directory Browser
Options.
* A new volume snapshot option is now available that causes deleted
partitions to pass on their deleted state to everything that they contain
(files, directories, ...), and deleted e-mail archives to pass on their
deleted state to all the e-mails, directories and attachments that they
contain. This may seem logical, but results in a loss of information
(*everything* is listed as deleted). By default, X-Ways Forensics still
distinguishes between existing and deleted files and e-mails etc. even in
deleted partitions/deleted e-mail archives, as in earlier versions, so that
more information is retained.
* Via two other new volume snapshot options you can indicate whether you are
interested in earlier names and locations of renamed/moved files in NTFS and
whether you are interested in getting files listed for which only filename,
size, time-stamps and attributes (but no data) are known. By default, such
files are listed, as in earlier versions. (specialist or forensic license
only)
* zip.exe was updated with a version that supports larger zip files. That
program is used for archiving cases.
* Several minor improvements.
* Fixed an exception error that could occur when taking volume snapshots.
(since v15.2 SR-1)
* Metadata is now extracted from carved TCP, UDP, ICMP packet "files".
(since v15.2 SR-2)
* A crash was prevented that occurred when X-Ways Forensics was processing
zip archives with a very specific kind of corruption. (since v15.2 SR-2)
* Prevented an infinite loop that occurred in a very special situation when
extracting e-mail. (since v15.2 SR-2)
* Errors were fixed that caused corruption in hash databases up to v15.2
SR-2.
* In some situations when importing a folder with hash sets, the hash sets
were unintentionally merged. This was fixed with v15.2 SR-4.
* New template command "gotoex n" that allows to jump to an absolute offset
on a disk or in a file or in memory,
unlike the ordinary "goto" command which is based on the start of the
structure where template interpretation starts. (since v15.2 SR-4)
* New template command "exit" that terminates interpretation of the
template. (since v15.2 SR-4)
* An exception error was fixed that could occur in v15.2 when returning from
a search hit list to the normal
directory browser depending on the sort criteria in the search hit list.
(since v15.2 SR-4)
* The Windows CD key is now decoded and output in plaintext when including
the Windows DigitalProductId in the registry report. (since v15.2 SR-4)
* Format error in registry report fixed. (since v15.2 SR-5)
* The path of the loaded registry hive is now (at least partially) displayed
in the registry viewer's status bar. Useful for example if you load multiple
ntuser.dat files from different images and user profiles at the same time.
(since v15.2 SR-7)
* An asterisk at the end of a registry path in the registry report
definition did not match all subkeys and values. This was fixed. (since
v15.2 SR-9)
* When errors occur while filling an evidence file container, the filling is
no longer aborted in certain situations, and a more specific error code is
reported in some other situations. (since v15.2 SR-5)
* Fixed an error that could occur when copying files into a container from a
non-recursive list. (since v15.2 SR-7)
* Newly created evidence file containers now remember the owner of files
from NTFS file systems as the last part of the SID, no longer as the
security identifier index. (since v15.2 SR-7)
* A new exception error that could occur when viewing externally opened
files was fixed. (since v15.2 SR-6)
* The directory browser and Details mode now show both the translated
username (if available) and the SID as the owner of files in NTFS file
systems, not only one of them. (since v15.2 SR-7)
* An exception error was fixed that could occur when clicking directories in
the directory tree. (since v15.2 SR-7)
* Fixed inability to read raw sectors from audio CDs. (since v15.2 SR-9)
* Avoids error that occurred when starting a Simultaneous Search with
certain settings. (since v15.2 SR-10)
* Fixed a display refresh error that could occur under certain circumstances
when navigating from one search hit to another in File mode. (since v15.2
SR-10)
* Avoidance of conflicts when invoking multiple instances of MPlayer
simultaneously. (since v15.2 SR-10)
* The size of the buffer for the file mask for the extraction of embedded
JPEG/PNG pictures was increased. (since v15.2 SR-10)
* Fixed misinterpretation of special GREP characters $ and ^ in keyword
searches run without GREP syntax. (since v15.2 SR-11)
* Files that were virtually attached by the user to the root directory of a
volume were ignored in some operations even when selected. This was fixed.
(since v15.2 SR-11)
* Deals more gracefully with overlong paths and extremely high numbers of
files when taking a volume snapshot of drives with no sector-level access
(e.g. remote network drives). (since v15.2 SR-12)
* No longer freezes when taking a volume snapshot of certain very large
DVDs. (since v15.2 SR-12)
* Improved compatibility with .e01 evidence files as produced by EnCase
6.13. (since v15.2 SR-12)
* Avoided "... is not a valid character" error message in inappropriate
situations. (since v15.2 SR-12)
* Fixed an error that occurred in some situations when processing certain
thumbs.db files. (since v15.2 SR-12)
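The memory-search signature file for TCP/UDP/ICMP/IGMP packets and the metadata extraction from carved packet "files" (both in the v15.3 list above) rest on the same idea: scan a memory dump at every byte offset and only then decide whether a hit is a real packet. The following is an added example, not X-Ways code and not the contents of the signature file: a byte-aligned IPv4 carver that accepts a hit only if the version/IHL byte, protocol number, total length and one's-complement header checksum all agree, then pulls the metadata a packet "file" would carry (addresses, ports, length). The sample dump, helper names and test packets are constructed for this example.

```python
# Added example, not X-Ways code: byte-aligned carving of IPv4 packets with
# TCP/UDP/ICMP/IGMP payload from a memory buffer, validated by the IPv4 header
# checksum before a hit is reported. Names and sample data are my own.
import struct
from dataclasses import dataclass
from typing import List, Optional

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; returns 0 for a header
    whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class CarvedPacket:
    offset: int            # byte offset of the IPv4 header in the buffer
    proto: str
    src: str
    dst: str
    sport: Optional[int]   # only for TCP/UDP
    dport: Optional[int]
    total_len: int


def _quad(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def carve_ipv4(buf: bytes) -> List[CarvedPacket]:
    """Scan every byte offset: packets in RAM are not sector or word aligned.
    A hit must have version 4, IHL >= 5, a known protocol, total length >= IHL
    and a valid header checksum; the first two alone give far too many false
    positives in a multi-gigabyte dump."""
    hits: List[CarvedPacket] = []
    i, n = 0, len(buf)
    while i + 20 <= n:
        vihl = buf[i]
        ihl = (vihl & 0xF) * 4
        if vihl >> 4 != 4 or ihl < 20 or i + ihl > n:
            i += 1
            continue
        hdr = buf[i:i + ihl]
        total_len = struct.unpack("!H", hdr[2:4])[0]
        proto = hdr[9]
        if proto not in PROTO_NAMES or total_len < ihl or ipv4_checksum(hdr) != 0:
            i += 1
            continue
        sport = dport = None
        if proto in (6, 17) and i + ihl + 4 <= n:   # TCP and UDP both start with the ports
            sport, dport = struct.unpack("!HH", buf[i + ihl:i + ihl + 4])
        hits.append(CarvedPacket(i, PROTO_NAMES[proto], _quad(hdr[12:16]),
                                 _quad(hdr[16:20]), sport, dport, total_len))
        i += ihl   # a validated header is not re-scanned byte by byte
    return hits


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build an IPv4 packet with a correct header checksum (test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


# Constructed "memory dump": junk, a decoy 0x45 byte followed by an invalid
# header, a DNS query over UDP, more junk, then a TCP SYN to port 443.
UDP_PKT = build_ipv4("10.0.0.5", "8.8.8.8", 17, struct.pack("!HHHH", 51000, 53, 8, 0))
TCP_PKT = build_ipv4("192.168.1.10", "93.184.216.34", 6,
                     struct.pack("!HHIIBBHHH", 44321, 443, 1, 0, 0x50, 0x02, 65535, 0, 0))
SAMPLE_DUMP = (b"\x00" * 3 + b"\x45" + b"\x00" * 19 + b"\xff" * 5
               + UDP_PKT + b"\x45\x00junk" + TCP_PKT + b"\x00" * 8)

if __name__ == "__main__":
    for p in carve_ipv4(SAMPLE_DUMP):
        print("0x%06x %-4s %s:%s -> %s:%s len=%d" % (p.offset, p.proto, p.src, p.sport,
                                                    p.dst, p.dport, p.total_len))
```

The checksum test is what separates a usable hit list from noise: a 0x45 byte occurs roughly once in every 256 bytes of any dump, so version and protocol alone would flag millions of candidates. Skipping past a validated header (rather than advancing one byte) also avoids reporting the TCP/UDP header bytes as a second, overlapping hit.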
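The new Data Interpreter types (SID, IP address, unsigned 48-bit integer) above are manual decoders: you place the cursor on bytes in a memory dump or file and read the interpreted value. The following is an added example, not X-Ways code, doing the same decoding at an arbitrary offset of a buffer, with the plausibility checks an interpreter should make before showing a value, and with the most common reason for wanting a 48-bit integer, the NTFS file reference (48-bit MFT record number plus 16-bit sequence number). Packed 7-bit ASCII is left out because the page does not say which packing convention is meant. Function names and sample bytes are constructed for this example.

```python
# Added example, not X-Ways code: decoders for three of the new Data
# Interpreter types (SID, IP address, unsigned 48-bit integer) applied at an
# arbitrary byte offset of a buffer, plus the NTFS file reference, which is the
# usual reason to want a 48-bit integer. Helper names and sample bytes are mine.
import struct
from typing import Tuple


def decode_sid(buf: bytes, off: int = 0) -> str:
    """Binary SID -> 'S-1-5-21-...': revision (1 byte), sub-authority count
    (1 byte), 48-bit big-endian identifier authority, then count little-endian
    32-bit sub-authorities. Raises if the bytes cannot be a SID."""
    if off + 8 > len(buf):
        raise ValueError("buffer too short for a SID header")
    revision, count = buf[off], buf[off + 1]
    if revision != 1 or count == 0 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("not a plausible SID at offset %d" % off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; handy for building binary search terms or test data."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def decode_ipv4(buf: bytes, off: int = 0, little_endian: bool = False) -> str:
    """Network byte order by default; some registry and DHCP blobs store the
    reversed (little-endian) form, hence the switch."""
    quad = buf[off:off + 4]
    if len(quad) != 4:
        raise ValueError("need 4 bytes")
    return ".".join(str(b) for b in (quad[::-1] if little_endian else quad))


def decode_u48(buf: bytes, off: int = 0, little_endian: bool = True) -> int:
    if off + 6 > len(buf):
        raise ValueError("need 6 bytes")
    return int.from_bytes(buf[off:off + 6], "little" if little_endian else "big")


def decode_ntfs_file_reference(buf: bytes, off: int = 0) -> Tuple[int, int]:
    """8-byte NTFS file reference = 48-bit MFT record number (low) + 16-bit
    sequence number (high), both little-endian."""
    record = decode_u48(buf, off)
    sequence = struct.unpack_from("<H", buf, off + 6)[0]
    return record, sequence


# Constructed sample bytes: the Administrators group SID (S-1-5-32-544) in the
# binary form found in security descriptors, a network-order IPv4 address, and
# the file reference of the NTFS root directory (record 5, sequence 5).
SAMPLE_SID = bytes.fromhex("01020000000000052000000020020000")
SAMPLE_IP = bytes([192, 168, 1, 10])
SAMPLE_FILE_REF = bytes.fromhex("0500000000000500")

if __name__ == "__main__":
    print(decode_sid(SAMPLE_SID))
    print(decode_ipv4(SAMPLE_IP), decode_ipv4(SAMPLE_IP, little_endian=True))
    print(decode_ntfs_file_reference(SAMPLE_FILE_REF))
```

The revision/count check matters in practice: in a raw dump almost any 16 bytes can be "interpreted" as a SID, and a decoder that refuses implausible input is what turns a cursor position into evidence rather than noise. `encode_sid` is the reverse direction a practitioner uses when searching a dump for a particular account's SID in binary form.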
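The v15.3 list above adds ed2k as a hash type and says only that it is based on MD4 and used in file-sharing programs. What a hash-set builder needs to know is the construction: a file shorter than one 9,728,000-byte chunk is hashed with plain MD4, a longer file is split into chunks, each chunk is MD4-hashed, and the file hash is the MD4 of the concatenated chunk hashes. The following is an added example, not X-Ways code, implementing that from RFC 1320 and the eMule convention; MD4 is written out in full because Python's hashlib only offers MD4 through an OpenSSL legacy provider that is frequently unavailable. The helper names are mine, and the exact-multiple rule is flagged as a caveat in the code.

```python
# Added example, not X-Ways code: the ed2k file hash built on MD4, implemented
# from the published algorithm. MD4 is written out here because hashlib's MD4
# depends on an OpenSSL legacy provider that is often not loaded. Only the
# chunk size and the exact-multiple rule come from the ed2k/eMule convention;
# the helper names are mine.
import struct

_MASK = 0xFFFFFFFF
ED2K_CHUNK = 9728000   # 9500 KiB, the ed2k "part" size


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_block(state, block: bytes):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                                    # round 1, F = select
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _MASK,
                  (3, 5, 9, 13)[i % 4])                     # round 2, G = majority
        a, b, c, d = d, a, b, c
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c                             # round 3, H = xor
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: pad with 0x80, zeros to 56 mod 64, 64-bit LE bit length."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def ed2k_hash(data: bytes, chunk_size: int = ED2K_CHUNK,
              trailing_empty_chunk: bool = True) -> str:
    """ed2k: MD4 of the file if it is smaller than one chunk, otherwise MD4 of
    the concatenated per-chunk MD4s. Caveat: for sizes that are an exact
    multiple of the chunk size, clients disagree on whether an extra MD4 of an
    empty chunk is appended; eMule appends it, so that is the default here.
    Two valid hashes for the same bytes is exactly why a hash set should
    record which variant it was built with."""
    if len(data) < chunk_size:
        return md4(data).hex()
    parts = b"".join(md4(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size))
    if trailing_empty_chunk and len(data) % chunk_size == 0:
        parts += md4(b"")
    return md4(parts).hex()


if __name__ == "__main__":
    print(md4(b"abc").hex())   # RFC 1320 test vector
    print(ed2k_hash(b"abc"))   # identical: the file is shorter than one chunk
```

For real files the chunk size must stay at 9,728,000; the `chunk_size` parameter exists only so that the chunked path can be exercised on small inputs. Note also that MD4 is thoroughly broken as a collision-resistant hash: an ed2k hash identifies a known file well enough for triage, but a match should be confirmed with a stronger hash before it carries evidentiary weight.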
#113: WinHex, X-Ways Forensics and X-Ways Investigator 15.2 released
Jan 15, 2009
This mailing is to announce a noteworthy update, v15.2.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose
update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information such as
download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES
DC area, Mar 16-20 http://www.x-ways.net/training/washington_dc.html
London, Mar 30-Apr 3 http://www.x-ways.net/training/london.html
For more information: http://www.x-ways.net/training/
-------------------------------------------------------------
WHAT'S NEW?
* Main memory analysis. Requires a forensic license. This analysis is
available for local RAM (opened via Tools | Open RAM) and for memory dumps.
Supports the 32-bit versions of Windows 2000, Windows XP, Windows 2003
Server, Windows Vista, and Windows 2008 Server.
Processes will be listed in the directory browser, with their timestamps and
process IDs, and their own respective memory address spaces can be
individually viewed in "Process" mode, with pages concatenated in correct
logical order as seen by each process. The "particularly thorough data
structure search" will take a little longer and may turn up traces of
additional terminated processes as well as rootkits.
The Technical Details Report informs you of important system-wide parameters
as well as of the current addresses of kernel data structures. In Details
mode you can find the addresses of process-related data structures for each
process, and the ID of its parent process. In RAM mode, the Details Panel
shows for each memory page a process to which it is allocated (if any) and
its memory management status.
With the appropriate background knowledge, the new functionality can be used
to learn more about the current state of the machine and its processes,
sockets, open files, loaded drivers, and attached media, to identify
malware, to find the decrypted version of data that is encrypted elsewhere,
to analyze network traces in incident response, and to do further research
in the field of memory forensics.
* Memory can be acquired remotely with X-Ways Forensics in conjunction with
F-Response 2.x since v15.1 SR-5 (Tools | Open Disk).
* If more than 1 GB of main memory is available, the optimization of an
index now better utilizes that memory, which may result in a tremendous
acceleration of this step for large indexes.
* There are now two different checkboxes in the Index Search window.
Checking the first one helps finding words within words (e.g. "wife" in
"housewife"), which however is likely incomplete and slow if the index was
not prepared for substring searches. The second one makes it optional to find
word extensions (e.g. "houses" when searching for "house" and "skyscraper"
when searching for "sky"). Finding word extensions was default behavior in
previous versions. Unchecking both boxes works like a "whole words only"
option.
* Hash sets can now be classified as to how important they are. This is
useful because when matching hash values against the hash database, only one
match is returned even if the same hash value is contained in multiple hash
sets. Now you can make sure that in such a case you get the most relevant
hash set returned, for example a hash set that identifies CP pictures
without any doubt as opposed to hash sets from a different source that may
contain the hash values of doubtful pictures. Also new: If there is more
than one match, a "+" sign will be displayed in the hash set column in the
directory browser after the name of one of the matching hash sets.
* You may now use Unicode characters in hash set names.
* For reasons of convenience, WinHex and X-Ways Forensics now remember and
restore the last selected item and other settings of the directory browser
when reopening data windows and evidence objects. That makes it much easier
to resume your work after a break or interruption when reviewing files.
* Evidence file containers created by the new version now also remember the
hash category of a file and the skin color percentage.
* X-Ways Forensics can import SHA-1 hashes from .e01 evidence files as now
optionally provided by EnCase 6.12. (Note that in X-Ways Forensics you were
never ever implicitly forced to use MD5 hashes.)
* It is now possible to replace an evidence object with a new medium (drive
letter or physical disk). Useful if you are working with original disks, not
images, and the drive letter or disk number has changed.
* The graphics library was updated. Some issues with the display of pictures
were fixed.
* Ability to interpret mode 1 ISO CD images with 2,352 bytes per sector, if
not spanned (segmented).
* It is now possible to group existing and deleted files in different output
directories when using the Recover/Copy command. Requires that you have
X-Ways Forensics recreate the original path.
* Ability to recreate files whose original paths contain directory names
with trailing spaces, although not allowed by Windows, by removing such
spaces.
* For internally reconstructed RAIDs, the number of the component disk from
which the current sector (where the cursor is) was read is now displayed in
the Details Panel, along with the relative number that that sector has on
that component disk.
* It is now possible to mark files as hidden even in a search hit list. Such
files will actually be filtered out if you do not list hidden items when you
click the Enter button in the search term list window to recompile the
search hit list.
* When identifying and hiding duplicate files, previously it was possible
that duplicate e-mails with attachments (e-mail/attachment pairs) were
separated if the parent (e-mail message) of one pair and the child
(attachment) of another pair was hidden. The algorithm was changed to improve
the quality of the examination, and this undesirable situation is now
avoided. Identical e-mail messages with different attachments (child objects)
will be marked as duplicates, but not hidden any more. Identical attachments
(child objects) will be marked as duplicates, but they will be hidden only
indirectly if they are part of identical e-mail messages and those are
hidden.
* After processing e-mail, X-Ways Forensics now shows attachments as child
objects of e-mail messages instead of in a virtual "Attach" folder in some
cases where this previously did not happen.
* Naming problem solved for e-mail messages that were extracted from .msg
files which were attached to the volume snapshot as virtual files.
* It is now possible to attach all the files of an entire directory to the
volume snapshot, not just individual files, if you hold the Ctrl key while
invoking the directory browser menu command. Useful for example after having
extracted thousands of .msg files from a .pst or .ost e-mail archive using
the viewer component, to integrate them back into X-Ways Forensics for
further processing.
* An error in the "Totally remove hidden items" function was fixed that
existed since v14.8.
* The "Save As" command is now also available for disks (yet another way how
to create a raw image).
* Icons of hidden files are now displayed in gray instead of blue. Icons of
notable files are now displayed in red instead of blue.
* When adding a file to a report table, it is now also possible to
recursively add all its child objects to the same report table, not only
direct children.
* Ability to view Unix/Linux wtmp and utmp log-in records.
* Recognizes the TFAT file system as such.
* When enabling the recommended data reduction for logical searches, files
marked as moved/renamed will no longer be searched, as the same data is
searched when the same file is searched in its new location/under its new
name.
* Several minor improvements.
* There are now two interpretations of $LogFile in Preview mode and for the
View command. The new interpretation gives an easy to understand overview of
deleted files including deletion timestamps (unavailable before and another
unique feature). In cases where the deletion timestamp is missing, the time
frame in which the deletion occurred can be deduced manually. The old
interpretation, a much more complete and detailed view of $LogFile, is still
accessible if you enable Raw mode. (since v15.1 SR-1)
* An exception that could occur during an index search was fixed. (since
v15.1 SR-1)
* Tagging files in a recursive view did not always have the correct effect
on directories. This was fixed. (since v15.1 SR-1)
* A resource leak was fixed that had an effect when trying to extract e-mail
from thousands of files. (since v15.1 SR-1)
* Moved or renamed files in NTFS volumes of which only index records are
available and whose file size is unknown can now be seen in Gallery mode,
too, not only in Preview mode. (Only if the new state of the file as defined
by a FILE record allows to open it.) (since v15.1 SR-2)
* When e-mail from password-protected Outlook PST archives is to be
extracted and the user does not react and agree to provide the password
within 30 seconds, X-Ways Forensics will continue with the next file. (since
v15.1 SR-2)
* Evidence file containers can now optionally be frozen when they are closed
and enclosed in an .e01 file, such that they cannot be further filled (even
after being converted back to a raw image). Such containers are marked as
read-only in the Technical Details Report. (since v15.1 SR-2)
* Ability to detect hybrids of RAR and JPEG or Bitmap files when extracting
metadata and in Details mode. (since v15.1 SR-2)
* More information about RAR files in Details mode. (since v15.1 SR-2)
* Fixed registry viewer instability under Windows Vista. (since v15.1 SR-2)
* An instability error was fixed that could occur when decompressing certain
hiberfil.sys files. (since v15.1 SR-2)
* Fixed an issue processing signed emails (x-pkcs7-signature) from Eudora.
(since v15.1 SR-2)
* Improved conversion accuracy of certain kinds of emails stored in Office
Outlook. (since v15.1 SR-2)
* Some other minor improvements and issues fixed in e-mail processing.
(since v15.1 SR-2)
* An error no longer occurs that prevented the display of GIF pictures for
the remainder of a session after one particular GIF picture was displayed.
(since v15.1 SR-3)
* The Windows disk signature is now output as part of the Technical Details
Report for hard disks. (since v15.1 SR-4)
* OpenOffice document zip files are now usually carved again with the
correct file size. (since v15.1 SR-4)
* After having matched hash values against the hash database, when loading a
different hash database and not re-matching the hash values against that new
database, references to hash sets in the old database are no longer
considered valid by X-Ways Forensics, which avoids that a wrong matching
hash set may be displayed in the hash set column. The hash category was
always stored independently of the hash database. (since v15.1 SR-4)
* Progress indicator for Recover/Copy command fixed. (since v15.1 SR-4)
* Avoided two message boxes that required user interaction in very specific
situations when refining the volume snapshot. (since v15.1 SR-4)
* Unchecking the "copy child objects of selected files" checkbox did not
always have the intended effect. That was fixed. (since v15.1 SR-5)
* The $ GREP anchor did not work correctly for larger files. This was fixed.
(since v15.1 SR-5)
* Inability of Edit | Modify Data to fully process large files was fixed.
(since v15.1 SR-6)
* Some exception errors prevented. (since v15.1 SR-6)
* An error in the Recover/Copy command was fixed that could cause display
errors in the progress indicator window and could cause it to not recover
certain files (followed by an error message saying that the original
timestamps or attributes could not be applied to the file because the file
could not be found). (since v15.1 SR-7)
* Timestamp bias error in new $LogFile interpretation (not raw mode) fixed.
(since v15.1 SR-7)
* Ability to apply the menu command Edit | Select All (not the keyboard
shortcut) to windows of the viewer component. (since v15.1 SR-7)
* The Save As command for cases can now deal with overlong paths in the case
subdirectories (up to 510 characters). (since v15.1 SR-8)
* Fixed an error that could cause an incorrect reconstruction pattern for
internally reconstructed forward parity RAID 5 systems under certain
circumstances. (since v15.1 SR-8)
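The v15.2 item above on interpreting mode 1 ISO CD images with 2,352 bytes per sector (if not spanned) is about a layout that ISO 9660 parsers do not understand directly: each raw sector wraps 2,048 bytes of user data in a 12-byte sync pattern, a 4-byte header (BCD minute/second/frame plus mode byte) and 304 bytes of EDC/ECC. The following is an added example, not X-Ways code, that detects the raw layout, converts such an image to 2,048-byte sectors, and refuses to convert silently when a sector's own header disagrees with its position, which is what a segmented or truncated image looks like. The sample image, the EDC/ECC bytes (left zero) and the function names are constructed for this example.

```python
# Added example, not X-Ways code: converting a raw mode 1 CD image (2,352
# bytes per sector) into the 2,048-byte-per-sector logical form that ISO 9660
# parsers expect, with the checks a converter should do instead of blindly
# slicing. Sector layout per ECMA-130: 12-byte sync, 4-byte header (BCD
# minute, second, frame, mode byte), 2048 bytes of user data, then 4 EDC +
# 8 reserved + 276 ECC bytes. EDC/ECC are left zero in the constructed sample;
# function names are mine.
RAW_SECTOR = 2352
USER_DATA = 2048
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"
MSF_OFFSET = 150          # LBA 0 sits at 00:02:00 on a CD


def _bcd(n: int) -> int:
    return ((n // 10) << 4) | (n % 10)


def _unbcd(b: int) -> int:
    return (b >> 4) * 10 + (b & 0xF)


def lba_to_msf(lba: int):
    a = lba + MSF_OFFSET
    return a // (60 * 75), (a // 75) % 60, a % 75


def sector_lba(sector: bytes) -> int:
    """LBA recorded in the raw sector's own header."""
    m, s, f = (_unbcd(x) for x in sector[12:15])
    return (m * 60 + s) * 75 + f - MSF_OFFSET


def detect_sector_size(image: bytes) -> int:
    """2352 if the image starts with the raw sync pattern, else assume 2048."""
    return RAW_SECTOR if image[:12] == SYNC else USER_DATA


def raw_to_iso(raw: bytes, check_positions: bool = True) -> bytes:
    """Keep only the user data of each mode 1 sector. Rejects images that are
    not a whole number of sectors, sectors without the sync pattern, sectors of
    another mode, and (optionally) headers whose MSF does not match the
    sector's position: the usual sign of a segmented or truncated image."""
    if len(raw) % RAW_SECTOR:
        raise ValueError("image length is not a multiple of %d" % RAW_SECTOR)
    out = bytearray()
    for idx in range(len(raw) // RAW_SECTOR):
        sec = raw[idx * RAW_SECTOR:(idx + 1) * RAW_SECTOR]
        if sec[:12] != SYNC:
            raise ValueError("sector %d: sync pattern missing" % idx)
        if sec[15] != 1:
            raise ValueError("sector %d: mode %d, not mode 1" % (idx, sec[15]))
        if check_positions and sector_lba(sec) != idx:
            raise ValueError("sector %d: header says LBA %d" % (idx, sector_lba(sec)))
        out += sec[16:16 + USER_DATA]
    return bytes(out)


def build_mode1_sector(lba: int, data: bytes) -> bytes:
    """Test-data helper; EDC/ECC are not computed."""
    if len(data) != USER_DATA:
        raise ValueError("need exactly %d bytes" % USER_DATA)
    m, s, f = lba_to_msf(lba)
    return SYNC + bytes([_bcd(m), _bcd(s), _bcd(f), 0x01]) + data + b"\x00" * 288


def sample_raw_image() -> bytes:
    """Constructed image: 17 sectors, with an ISO 9660 primary volume
    descriptor ("\\x01CD001\\x01") placed where it belongs, at logical sector 16."""
    sectors = [build_mode1_sector(i, bytes([i]) * USER_DATA) for i in range(16)]
    pvd = (b"\x01CD001\x01\x00" + b"SAMPLE".ljust(32) + b"EXAMPLE_VOLUME".ljust(32))
    sectors.append(build_mode1_sector(16, pvd.ljust(USER_DATA, b"\x00")))
    return b"".join(sectors)


def volume_id(iso: bytes) -> str:
    """Volume identifier from the PVD at logical sector 16 (offset 40, 32 bytes)."""
    pvd = iso[16 * USER_DATA:17 * USER_DATA]
    if pvd[:6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    return pvd[40:72].decode("ascii").rstrip()
```

The position check is the part worth keeping when adapting this: a raw image that has lost a sector (or is one segment of a spanned set) still slices cleanly into 2,048-byte blocks, but every directory extent after the gap then points at the wrong data. Comparing the header's MSF against the sector index catches that before any file is carved from the wrong place.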