X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 


WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#164: X-Ways Forensics, X-Ways Investigator, WinHex 20.1 released

Dec 23, 2020

This mailing is to announce the release of another update with many notable improvements, v20.1.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal or professional license and access to updates)

Customers please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Dates Location Time Zone Course Delivered by
Jan 12-15 Online Europe, Asia X-Ways Forensics X-Ways
Jan 26-29 Online America, Europe X-Ways Forensics X-Ways

Feb 17+18

Online Europe, Asia X-Ways Forensics II X-Ways

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.1?
(please note that most changes affect X-Ways Forensics only)

File System Support

  • Ability to parse BtrFS file systems on single devices and take a volume snapshot. Multiple disks via LVM2 or RAID setups are supported, but not BtrFS multi-device setups. Multiple subvolumes within one BtrFS volume are supported and shown as such.

  • You have a chance to find deleted files in BtrFS with the particularly thorough file system data structure search. X-Ways Forensics can distinguish between 100% recoverable and uncertain previously existing files in BtrFS. Recoverable files (those with the description "data unchanged") can include fragmented files.

  • Ability to read files that are zlib-compressed in BtrFS file systems.

  • Ability to present a cluster list for NTFS-compressed files.

  • Volume snapshot option to reveal fragmented files and directories in newly taken volume snapshots. In evidence objects such items are associated with a special report table. When not working with a case such items are partially tagged. The identification can be useful for educational purposes (to find files for which the file system needs to rememember non-contiguous cluster chains with special data structures, and to better understand using which logic free clusters are picked by file system drivers for allocation) or to draw some rough conclusions about volume usage. (Files are more likely fragmented if they were created later in the lifetime of the file system, at a time when many other files had already been deleted, but many others still existed, leaving allocation holes.)

  • When presenting the logical memory address space of a running process, the Info Pane now shows the exact boundaries and size of the allocation range that the cursor position is located in. The boundary addresses can be copied into the clipboard so that you can quickly jump to these addresses.

  • The file header signature search in APFS partitions is now considerably faster.

  • For some files stored in shared spaces in APFS, the Δ attribute was previously not shown. This is now fixed in newly taken volume snapshots.

  • In some rare cases, the initial volume snapshot did not identify the actual first sector for a file in APFS. This is now updated automatically, when the file is opened for the first time.

  • Accepts two new incompatibility feature flags in XFS as normal.

File Format Support

  • Identification of more generating devices, for example based on smartphone screen resolution.

  • New file header signature for Firefox sessions (lists of remembered open and closed tabs). A good way to convert such files to human readable HTML is to use www.jeffersonscher.com/ffu/scrounger.html.

  • Analysis filter extended for unprocessed / not recognized files.

  • The Author column is now populated for pictures that contain copyright information.

  • Certain iPhone thumbnail BMP pictures can now be displayed, in particular not upside down.

  • Identifies image orientation based on Exif data in JPEG pictures of some more devices like iPhone 12.

  • Preview mode now automatically mirrors/flips JPEG pictures if instructed to do so by the Exif metadata (in addition to the proper rotation).

  • Embedded JPEG thumbnails are now rotated and flipped in Preview mode just like their respective parent (if Metadata extraction took place before).

  • Support for a very rare JPEG format variant.

  • Ability to view/preview PNG pictures of Apple's CgBI variant with the internal graphics display library.

File Analysis

  • A new directory browser column named "Structure type" is now available. This column can be populated as part of metadata extraction. It's an improvement on the generator signature concept with the idea of a scalable typology, filling the gap between file type and hash value.

    The structure type is presented as a 32-bit integer number in hexadecimal notation. Identical numbers typically identify pictures/videos/documents/fles that belong to the same sequence (for example photos that were likely taken during the same photoshoot). The structure type is computed for JPEG, PNG, GIF, WEBP, BMP, DOC, EML, MSG, GZIP, ordinary ZIP, TAR, MP3, HTML, PDF, Quicktime videos (MP4, MOV, 3GP, ...), and tentatively for DOCX, PPTX, XLSX. You can copy the structure type for a file of interest and use the column's filter to search for files with the same structure type. Please validate any insights gained with this column using timestamps and additional metadata.

  • A new context menu command named "Filter for similar files" uses the "Structure type" filter to find files of the same type, likely and roughly created around the same time as the selected file, by the same application or device with the same settings or for the same purpose. This functionality is available only once the "Structure type" column has been populated.

  • "Find duplicates in list" now gives an immediate example of how truncated timestamps look like based on the number of characters that you want to compare and the current notation settings. Note that both the number of characters to compare limit the precision (intentionally or inadvertantly) as well as the number of decimals allowed by your notation settings. Limited precision may be desirable for example to recognize files as identical even if the modification times of file copies in NTFS and FAT differ by 1 second because of FAT timestamp rounding. The notation settings can now be accessed right from within the deduplication options dialog.

  • Option to use one or two additional criteria for the identification of duplicates: Modification time (in full available precision) and size. Those two combined with filename as the main criterion are quite reliable for not 100% strictly forensic use.

  • Option to use the structure type for deduplication, which actually identifies groups of similar or related files. Combined with modification time and size this is relatively reliable for the identification of duplicates.

    Computation of hash values can be very time-consuming in large data sets, so any reasonable deduplication option that does not require hash values is hopefully appreciated by some users.

  • Revised ability to resize carved, virtual and manually attached files as well as search hits, both with an absolute new size or with a positive or negative relative size adjustment. Ability to resize multiple files at the same time with the same new size or same relative adjustment.

Search Functionality

  • An alternative method to extract data from spreadsheets as text is now available in Options | Viewer Programs. This option is still somewhat experimental. The new method improves the fidelity of the extracted text in terms of cell order and arrangement, normalizes the formatting of date cells in the decoded text to the notation that is active in X-Ways Forensics for more reliable search results, and it reliably includes hidden cells. If you need to preserve characters that your active Windows code page does not support (e.g. Chinese characters on a typical computer in America or Western Europe) because you are going to search for them, you need to check one extra box ("Must support Unicode"), and with that option the new method will require usage of the Windows clipboard.

  • Ability to apply a character adjustment list not only when indexing, but also as part of the Simultaneous Search, in a slightly different manner. This list is expected in a UTF-16 text file now named "Character Adjustment.txt" (previously: "indexsub.txt"), which is optionally used for indexing purposes as well. It starts with a little-endian byte order mark, followed by one instruction per line, with an arrow (greater than symbol) in the middle, which maps one character to another. You can edit it as you see fit for searches in your own language.

    An example for French language searches: The line
    É>E
    means that the letter É in the original data to which the Simultaneous Search is applied (when searching in suitable code pages) will be accepted as a variant of E in your search term. You only need to search for Edith Piaf and will find both Edith Piaf and Édith Piaf. Both variants will be searched internally.

    ç>c
    means that searching for Francois you can find both Francois (simplified spelling) and François (original French spelling). You may find that useful in particular if your keyboard cannot easily produce the ç character. The other way around can also make sense:
    c>ç
    means that searching for François (which you may prefer if it looks more correct to you) you can find both François and Francois. However, this direction of substitution is not recommended for indexing.

    Even if you are not interested in matching multiple spelling variants, you could define such substitutions once (e.g. using copy & paste) if you cannot easily produce special letters with your keyboard.

    Case insensitivity does not work on top of the character adjustment. So for example with the adjustment é>e active, a case-insensitive search for e will find e and é as well as E, but not É. For that you need to add the adjustment É>E. Note that you could theoretically define your own case-insensitivity rules solely using character adjustments. Up to 16 mappings are possible for the same target character. Character adjustments also work in conjunction with GREP syntax (only with target characters that have no special GREP meaning and are not contained in [] sets).

  • Filtering out overlapping GREP search hits now also works consistently when running the Simultaneous Search with additional threads. (Not if you use redundant GREP expressions at the same time that target the same data.).

Character Set Support

  • Ability to interpret data as misaligned text in UTF-16 LE as well as misaligned UTF-16 BE in Disk/Partition/Volume and File mode. Misaligned means starting at odd offsets. That makes a difference in non Western European languages and renders text stored in that fashion actually readable.

  • Fixed context preview of misaligned UTF-16 search hits in some rare situations.

  • 1 additional text column available in Disk/Partition/Volume and File mode, in X-Ways Forensics only.

  • The substitute character for non-printable ASCII characters of values below 0x20 in the text columns, selected in Options | General, typically a space or period, can now also be used for high Unicode character values. It's easier on the eye if characters in languages other than your own are not actually displayed, and you can probably afford to not see them if you are not looking for foreign language text (e.g. Chinese, Japanese, Korean) anyway. To see only pure 7-bit ASCII characters (sufficient for English), in ANSI ASCII and all UTF-16 variants, you can apply the substitute character to above 0x0080. To see letters at least from other Western European languages like Spanish, French, German you can apply it to > 0x00FF. To see Eastern European languages, apply it only to > 0x04FF.

User Interface

  • Clicking the FS offset cell of a file or directory in the directory browser now automatically navigates to that offset instead of to the first data sector when in Disk/Partition/Volume mode.

  • The cursor position and the defined block in Disk/Partition/Volume or File mode are now remembered in an evidence object when you close it, and automatically restored later.

  • The last active mode is now also remembered for each evidence object.

  • Timeouts for loading pictures for picture analysis and processing and for the XWF_GetRasterImage() API function and for the report are now twice as long as the timeouts for loading pictures in the gallery.

  • Ability to specify a timeout in milliseconds for thumbnail generation of non-picture files in the report. Please note that timeouts for generation of such thumbnails cannot be strictly applied to all file types.

  • Options | Viewer Programs dialog window rearranged.

  • Ability to quickly open the default output directory for an evidence object in the case, with a click on a new button in the evidence object's properties. Hold the Ctrl key while clicking to navigate to the internally used directory instead, where the volume snapshot is stored.

  • Registry Viewer context menu command to remove an already loaded hive from the viewer, to reduce the scope of the registry report if needed.

  • The name of the evidence object that the current hive belongs to is now shown in the status bar of the Registry Viewer.

  • The command line interface is now able to run an X-Tension, with a command named "XT", followed by a colon and the path and filename of the X-Tension.

  • Option in Options | Viewer Programs to includes files in the tree-like preview of directories. If enabled, directory names will be printed in bold to distinguish them from files.

Storage Device Support

  • Ability to immediately correctly detect the full capacity of virtual storage devices simulated by certain drivers that don't respond to all information requests as previously expected.

  • Easier handling of unusual partitions that contain a GPT partitioning structure themselves.

  • User advice on how to deal with MD RAID levels -1 and -4 added to the GUI as comments where applicable.

  • The scan for lost partitions can now find XFS and BtrFS partitions, and accepts a few rare Ext partitions that would previously have been rejected as implausible.

Miscellaneous

  • More efficient data I/O in usage of viewer component.

  • The volume snapshot statistics in the Refine Volume Snapshot dialog window now also point out the number of partially tagged items.

  • List export in JSON format slightly more complete.

  • Option to include the unique ID in JSON exports.

  • Many minor improvements.

  • User manual and program help updated for v20.1.


Changes of further service releases of 20.0

  • SR-2: Can now reliably convert PDF documents with RC4 encryption to not password-protected PDF files with the "Convert to PDF format" option of Recover/Copy if you provide the password in the metadata cell, prepended with "Password: ".

  • SR-2: Improved clipboard format selection dialog when pasting external data.

  • SR-2: More reliable ability to copy text in UTF-16 Unicode from within windows of the viewer component (Preview mode or View command).

  • SR-2: The keyboard shortcuts / and ÷ (different keys, but same function) are now available in the directory browser and in the case tree. They toggle between recursive and normal exploration.

  • SR-2: Ability to extract data from certain GZ archives with a corrupt size field in the footer.

  • SR-2: Fixed: Extended timestamps from the extra field in zip records are now extracted and presented in the timestamp columns based on Apple specifications, which however is not always how these timestamps are meant. (For the more likely correct interpretation, especially in GrayKey collections, check the box for "Zip: alternative ext. timestamp interpretation" in Options | Volume Snapshot, which already worked in the original release of v20.0.)

  • SR-2: Fixed: The Technical Details Report now show details of MacOS X installations on HFS+ or APFS volumes. These details now also become part of the evidence object properties if the volume is added to the case only after a volume snapshot exists.

  • SR-2: Fixed an exception error that could occur under rare circumstances when starting up X-Ways Forensics.

  • SR-3: Fixed a crash that could occur with the 64-bit executable of SR-2 under certain circumstances when the viewer component was in use.

  • SR-4: Fixed an error that could occur in v20.0 when searching for embedded data in multiple PDF documents in multiple threads at the same time.

  • SR-4: Some carved files erroneously excluded the footer and in v20.0 some carved files were not described as carved. That was fixed.

  • SR-4: Timeout increased for the generation of thumbnails of non-picture files for the case report (now 4 times the standard time-out in the gallery).

  • SR-4: Prevented a possible division by zero error in the graphics display library.

  • SR-4: Error messages about file archive processing are now output in the Metadata cells of the affected archive files, not in the Messages window any more.

  • SR-4: Conversion from Intel Hex to binary now supports target files up to 4 GB instead of just 2 GB.

  • SR-5: * Addressed memory consumption issue in v20.0 with certain corrupt PNG and GIF pictures.

  • SR-5: File archive libraries revised.

  • SR-5: Recognition (identification) of the Btrfs file system fixed.

  • SR-5: "Convert binary storage of numbers/dates in spreadsheets to text" is now inactive by default because that is faster and therefore more practical for all searches where numbers and dates are not among the search terms.

  • SR-5: Fixed an exception error that could occur in v20.0 when extracting metadata from carved JPEG files.

  • SR-6: Some user-defined dialog window tooltips from v19.5 and earlier were not targeted at the right dialog window any more. That was fixed.

  • SR-6: Improved representation of contents of fragmented deleted files in exFAT.

  • SR-6: Fixed an exception error that could occur in v20.0 when opening APFS volumes.

  • SR-6: No longer ignores certain unusual FAT directory entries.

  • SR-6: Fixed incomplete handling of evidence file containers with more than ~4.2 million items.

  • SR-6: Improved stability in case of exceptions compared to previous service releases of v20.0.

  • SR-6: Gallery now more stable with multiple threads.

  • SR-7: Fixed a rare source of instability when processing pictures with multiple threads.

  • SR-7: DRM-protected documents were detected as encrypted only if file type verification was applied instead of the encryption test. That was improved.

  • SR-7: Reduced excessive memory consumption of tooltips of cells with extremely long lines of text, as possible in the Comments and Metadata columns.

  • SR-7: Fixed an error that prevented the exploration of certain nested file archives.

  • SR-7: Certain APFS volumes for which X-Ways Forensics would have reported "No Superblock found" previously are now supported.

  • SR-7: Ability to carve a new variant of RAR archives.

  • SR-7: The occasional presence of an unexpected additional header in IPTC metadata prevented the output of IPTC metadata. That was fixed.

  • SR-7: Zip files are no longer marked with the E flag in FTSS.txt, so that they can now be selected for file header signature searches within other files.

  • SR-8: UUDecode now works with the newer padding character.

  • SR-8: Fixed an exception error that occurred when adding images with extremely long paths/names to a case.

  • SR-8: Evidence objects that are images stored on network shares may not have had the "Replace with new image" context menu command. That was fixed.

  • SR-8: The total virtual capacity of interpreted VHD images was slightly overestimated in most cases. That was fixed.

  • SR-8: Fragmented files in externally decrypted APFS volumes were not opened with the correct data. That was fixed.

  • SR-8: The option "FAT32: Extra effort for deleted objects" did not work correctly any more since v19.4. That was fixed.

  • SR-8: Picture thumbnails were not output correctly in the case report in v20.0 SR-7. That was fixed.

  • SR-9: Fixed an exception error that could occur when opening certain files in older evidence file container in v20.0 SR-6 and SR-7.

  • SR-9: Fixed an exception error that occurred if an I/O error occurred when updating the PhotoDNA database.

  • SR-9: Zip-styled Office documents could not be viewed with a double-click in v20.0, only explored. That was fixed.

  • SR-9: FAT short filename directory entries with certain Japanese characters were rejected as corrupt or unexpected and brought to the user's attention. That was improved.

  • SR-9: The directory browser context menu commands for exclusion and inclusion are now available in X-Ways Investigator, unless suppressed via investigator.ini ("+7").


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Take care everyone.

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

#163: X-Ways Forensics, X-Ways Investigator, WinHex 20.0 released

Aug 18, 2020

This mailing is to announce the release of another update with many notable improvements, v20.0.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal or professional license and access to updates)

Customers please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Dates Location Course Delivered by
Sep 1-4 new Online X-Ways Forensics X-Ways
Sep 8-11 new Online X-Ways Forensics X-Ways

Sep 28-29 new

Online X-Ways Forensics II X-Ways
Sep 28-Oct 1 Salt Lake City X-Ways Forensics H-11

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.0?
(please note that most changes affect X-Ways Forensics only)

File System/Disk Support

  • UFS support has been revised. Significantly more UFS variants are now understood.

  • APFS: Supports new Catalog ID structure as created by Mac OS Catalina.

  • Technical Details Report/evidence object properties now show details of MacOS X Installations on HFS+ or APFS volumes: Exact OS X version, timezone, the system's network and display names.

  • Support for much more deeply nested subdirectories in XFS volumes.

  • Supports Ext4 volumes with version 2 of sparse superblocks.

  • Slightly more complete output of Ext* file system timestamps.

  • Ability to choose which copy of a FAT12/FAT16/FAT32 file allocation table to work with, in Options | Volume Snapshot. This can be either a user-designated copy or the one that is defined as active in the boot sector (in case of FAT32). If neither the user selects a copy nor the boot sector defines a single copy as active, the first copy will be used, labelled as "FAT 1", like in earlier versions. The copy that was selected at the time when the volume snapshot was taken will be used for the whole lifetime of that volume snapshot, even if the settings are changed. It is displayed in the Info Pane. The Technical Details Report now informs which copy or copies are considered active in the file system.

  • Identifies unpartitioned physical disks or disk images as such in some rare cases where it previously didn't.

  • General option to open volumes including the slack that doesn't add to another cluster just like when opening an entire partition. The data in that area, aside from a potential NTFS backup boot sector, does not belong to that volume logically and was stored there before the volume was created. It is not needed to parse the file system or to mount the volume (though some tools may output an error message if it's not included). Including such data in a volume image can be an IT security leak if only the regularly accessible part of the volume had been sanitized before usage.

  • Identifies some new bus types of currently attached storage devices.

  • Active sector superimposition is now remembered in an evidence object and automatically re-activated when the evidence object is opened next time, and you will be reminded of that.

  • Generally improved handling of incomplete/corrupted .e01 evidence files, similar to storage media with unreadable areas (bad sectors). NTFS: A limited listing of system files is now presented based on $MFTMirr if in an such an incomplete image $MFT is not included, but $MFTMirr is.

  • Ability to abort the potentially time-consuming preparation of a cluster allocation map for huge volumes and still proceed with taking the actual volume snapshot if desired (without reverse cluster allocation information).

Picture Support

  • New version of the internal picture viewing library.

  • WEBP pictures are now supported in Preview, Gallery, and for the View command.

  • Ability to view pictures in some variants of the DICOM format.

  • Metadata extraction from WEBP pictures revised. Output of processing states, similar to PNG files. File type identification/verification for DICOM and WEBP revised.

  • All JPEG files are now presented with a processing state in Details mode. Two additional state values were introduced.

  • The processing state now depends on the detected generator, where each generator is now assigned to one of three generator classes D (device), E (editor), or C (content management system). JPEG files produced by generator class D are absolute originals. The processing state is always "original". JPEG files produced by the generator class E are relative originals. Their processing state is always "Edited normally". Examples are photos published by news agencies like Reuters.

  • The detected processing state of the third generator class (CMS like WordPress, Drupal, TYPO3, Joomla etc.) can assume different values. They are usually irregularly edited, i.e. their edited status is not officially indicated. The state can be deducted indirectly based on filename, generator signature, pixel dimension. The state "irregularly edited" can also result from picture manipulations.

  • The new processing state "scaled" means that a picture was created with a content management system such as WordPress, TYPO3, Drupal. It can be said with a high probability that such pictures have been released to the public, which entails a reduced intelligence value. Practically such pictures cannot be regarded as documents. They were automatically and individually adapted to the respective output display in order to optimize the loading time of the web page.

  • The state "EXIF stripped" refers to JPEG pictures, whose device origin was detected although no EXIF metadata is present. The device can potentially be detected based on generator signature, filename or a characteristic pixel dimension.

  • The state "social media" is indicated separately because such pictures often have a higher intelligence value. Unlike news agency pictures they are rather semi-public in nature.

  • The state "minimized" is also new and indicates that the JPEG quality was reduced or that the file size was reduced by optimized recompression (jpeg-recompress, JPEGMini).

  • The state "undefined" means that the status cannot be determined. It's a category for everything that remains. Such pictures are usually also the output of content management systems, those that do not identify themselves and whose format is not yet identified (which may change in future versions).

  • The processing state and other values (size, bits per pixel, filename analysis) are now also output for PNG files. The same processing states as for JPEG are used, except "Irregularly edited" and "EXIF stripped" are not possible. The value "Original" is used only for screenshots, if they have passed a special test.

  • The "size" reported for JPEG pictures in Details mode now always has 1 or 2 values. Sizes that are not standard sizes with a common name (such as "XGA") are described as "thumbnail", "medium", "medium large", "large" or "big" based on the terminology established by Wordpress. If a generating device is identified, the field is named "sensor size" instead or - in the case of scanners - "paper size".

  • Reduced false positive rate when detecting scanned documents.

  • JPEG screenshot identification now based on generating device recognition.

  • Improved classification of pictures based on pixel dimensions.

  • X-Ways Forensics now knows an additional 5000+ devices to better identify the origins of JPEG pictures and other files. The generator signature table and video signature table updated.

  • Simplified output of "Quality" in the summary table for JPEG files. It can assume one of the values High, Medium, Low and Very low. It is based on the lossy compression percentage of the DQT segment.

  • Additional test in the check for camera originals based on whether the EXIF tags are sorted or not.

  • Output of GPS coordinates with up to 6 digits after the decimal point. This is useful because of the habit of newer Samsung device models to specify more decimals and indirectly express the precision of the value by that, contrary to the convention to use the GPS Error tag for that information, unlike Apple and older Samsung models.

  • If the GPS format encountered is "unexpected" based on the assumed source of the JPEG file, that is brought to the user's attention in Details mode. The GPS format will be shown as "unknown" if it is not used in camera original pictures (for example the format of the Geosetter application).

  • Generally improved GPS format consistency tests.

  • Some more "content created" timestamps are now extracted from pictures, in particular from XMP metadata.

  • Output of Photoshop's "Preserved file name" in the metadata.

File Archive Support

  • Support for split zip archives in PKZIP/WinZip and 7-Zip styles (a.k.a. spanned or segmented archives).

  • Extended timestamps from the extra field in zip records are now extracted and presented in the timestamp columns based on Apple specifications, which however is not always how these timestamps are meant. An alternative interpretation can be seen for each zip record in Details mode when selecting the zip archive. The latter interpretation shows these timestamps with the "UT" prefix and tries to recognize the actual format variant, for example that used in GrayKey collections, and from GrayKey collection also extracts an additional type of timestamp (a record change timestamp).

  • The alternative interpretation of extended timestamps can also be made available in the directory browser. This is an option in Options | Volume Snapshot. The alternative processing currently takes some more time.

  • In newly refined volume snapshots, the column "1st sector" is now populated properly for files in Zip archives with the sector that contains the local zip record of the respective file. Clicking a file in a zip archive now automatically jumps directly to its local zip record, which is followed by the (usually) compressed file data. Does not apply to files in nested zip archives.

  • Detection and avoidance of more variants of zip bombs.

  • The alternative TAR extraction method now estimates the size of the MBOX e-mail archive in a Google Takeout TGZ file if that size was erroneously stored as 0, which apparently happens in real life. Only that work-around allows to extract the MBOX e-mail archive file from such a takeout at all, and once that has happened of course the e-mail messages and attachments can usually be extracted from the e-mail archive.

  • Navigation within a file archive with directories is now possible without leaving File mode when touching a directory.

  • Archive subtypes in a section that is not selected for automatic inclusion in the volume snapshot are now still explored when manually double-clicked by the user.

  • Support for .ctx Chrome Extensions as file archives. That file type is now included in the "Special interest" section of archives in a fresh installation.

  • Improved ability to extract attachments in PDF files, in particular in so-called PDF portfolios (user-compiled collections of arbitrary files), with the original names and internal paths of the attached/embedded files, where the Description column identifies these files as attachments.

Spreadsheet Support

  • New ability of the logical Simultaneous Search to find numbers and dates not only if stored literally as text, but also if numbers or dates are stored in binary form in certain spreadsheet files (e.g. in OLE2 compound file format) or in some other encoded form (e.g. dates encoded as textual integer numbers in XML), if the "decode text" option is on. This works pretty well with numbers in Excel and LibreOffice Calc spreadsheets, but can be tricky occasionally with the format of dates if the original Excel user has selected a custom date format instead of one of the standard date formats and also because of some specialties with certain Calc files where it's not 100% predictable that a date will be extractable in the expected format. This kind of search likely works with some other file types as well, e.g. older spreadsheet types like MS Works or Lotus 123. You can try and define the file types in Options | Viewer Programs if needed. To quickly see and double-check the extraction of numbers and dates from a particular file of interest, you select that file in the directory browser and switch from ordinary to raw preview mode with the Shift key pressed. Please feel encouraged to completely remove that new file mask there for faster text decoding if you do not need to search for numbers and dates in spreadsheets.

    Some more details about number searches: Consider a cell in an MS Excel spreadsheet that contains the number 1234567. You can now find that number with the Simultaneous Search searching simply for "1234567" (without the quotation marks). Even if you just know part of the sequence of digits and search for "34567", you will get a search hit (unless the "whole words only" option is on). If the cell has the "number" format (not "general"), with digit grouping enabled, you can optionally get the number with digit grouping when the file is searched/indexed/decoded in that volume snapshot for the first time, using the digit grouping symbol that is defined in X-Ways Forensics in Options | General | Notation, but that is not generally recommended because you would have to search for the same number both with and without the grouping symbol if you don't know whether the original spreadsheet cells were formatted as "number" with or without digit grouping or as "general". Anyway, to give you another example, if you enable that option for digit grouping in number cells in Options | Viewer Programs and you live in an English speaking country, using a comma as the digit grouping symbol, you would thus search for "1,234,567" to find that number in a number cell. You can also search for just ",567" to find the digit group "567" at the end or in the middle of any longer number in that notation.

    If the number that you are looking for is a floating point number, the same rules apply, and you can optionally enter the number with as many decimals as you expect to be visible in the cell in the original application (or less), with the same decimal symbol as in your notation settings in X-Ways Forensics (either a point or comma). If a floating point number is stored for example as 9.876 and formatted to show 2 decimals, it will be shown rounded as 9.88 in the original application and will also be searchable like that in X-Ways Forensics. The same rules apply to currency amounts. You can append or prepend the currency symbol if you know for sure that it was shown in the original formatting, and how (e.g. with or without space between currency symbol and number), or you just omit symbol.

    You can search for dates in pure date cells using the notation that is active in X-Ways Forensics as the so-called simple date format. If your simple date format is MM/dd/YY, you would search for 12/31/19 to find the date Dec 31, 2019. Partial date searches are also possible, and make sense especially if you do not use American date styles. For example in ISO notation "yyyy-MM-dd" you can search for "2019-07-". Or in German notation "dd.MM.yy" you can search for ".07.19" to find any date in July 2019.

    Pure time cell searches have also become possible (with partial or whole time expressions). Just make sure to use the separator that is active in X-Ways Forensics for the display of times. Searches for combined date and time values are supported, however, the delimiter between date and time that you can expect is not the delimiter defined in Options | General | Notation, but typically a single space, or an individual delimiter defined by the user of the spreadsheet.

    If an Excel worksheet is embedded in a .docx, .pptx, or .odt file and the volume snapshot has been sufficiently refined, the worksheet will be processed and searched in the same way as if it was a separate file. If embedded in a .doc file, you would get a notification in the form of a report table association "Contains embedded document(s)", which is often useful to check manually anyway.

    The number search capabilities should prove very useful especially in forensic accounting, tax fraud investigations etc. Please note that the simple search function of the viewer component (Ctrl+F) in ordinary ("pretty") Preview mode or the View command cannot find numbers or dates in spreadsheets, no matter how you type them.

  • Preview mode and the View command now use the same digit grouping character, decimal character, date separator, time separator and date order as active elsewhere X-Ways Forensics, to format numbers and dates in spreadsheets.

E-mail Support

  • Alternative extraction methods are now available for PST/OST/MBOX e-mail archives (still in a testing stage). These methods will be used if the main extraction method fails to extract e-mails or if preferred by the user. There is a new check box for that preference, not labelled but tooltipped. The alternative method for PST/OST does not work with password-protected e-mail archives and cannot find previously existing objects.

  • When attaching a directory with external files to an e-mail archive (PST, OST or MBOX), the contents of that directory will be treated like the result of an e-mail extraction performed by the viewer component. That means for example that redundant empty top-level directories like "Top of Personal Folders", "Root - Mailbox", "IPM_SUBTREE" will be skipped and that the MSG files will automatically be split up into to EML files with e-mail headers and bodies plus separate attachment files. Such an extraction can be performed with the context menu commands "Extract Selected Files" and "Extract All Files" in the preview or view of those e-mail archives.

  • E-mails that are extracted from PST/OST e-mail archives and that are attached to other e-mails are now described as extracted e-mails and attachments at the same time.

  • Support for more code pages in e-mail extraction from MSG.

  • The alternative .eml preview option now affects PDF representations of e-mails generated by the Recover/Copy command.

General File Format Support

  • Revised and more thorough metadata extraction from HTML files. In particular, "Open Graph" metadata is now extracted.

  • Support for certain copy-protected PDF documents used by X-Ways.

  • Ability to import hash values from v2.0 of Project VIC JSON files.

  • Can now find search terms in ISO-2022 code pages (Japanese, Korean, Chinese) that span an escape sequence in the original data. Can now find individual characters that require escape sequences in Korean and Chinese ISO-2022 code pages.

  • Improved conversion from/to ISO-2022 code pages.

  • UTF-16 text from the clipboard is now pasted without the null terminator.

User Interface

  • WinHex and X-Ways Forensics now respect Windows settings for window text and background colors. We are referring to the settings that you were able to reach with a few mouse clicks in the Control Panel in Windows XP, which in Windows 7 you can still find via Personalization | Window Color | Advanced appearance settings, and which in Windows 10 can still be edited as raw RGB value with the Registry Editor in this key: HKEY_CURRENT_USER | Control Panel | Colors (followed by logging in and out).

    Black backgrounds for almost all parts of the user interface (main window, data window, Case Data window, ...) in particular are now supported in X-Ways Forensics, which can be helpful when working in an environment with little ambient light, which generally benefits users who think they can work longer with a less bright screen, and which in general should reduce the disruption of melatonin production and the circadian rhythm among people who face screens emitting unnatural light. The viewer component already previously respected those settings for most document types (it does not or cannot respect them for PDF files for example).

    For the most complete dark screen experience you would change your entire Windows system to a dark theme. The easiest way to achieve that not only for "apps", but also real desktop applications, is to activate the black high contrast theme. In Windows 10 you would go to PC Settings | Personalization | Settings for high contrast | Activate high contrast | Contrast black.

  • A "forced" dark mode just within WinHex/X-Ways Forensics is now also readily available, even without any of the above procedures or settings, in Options | General, which you can activate when needed for night time or generally, for health reasons or to attract less attention during secretive work in a dark adversary environment. It is not 100% complete, as for example it does not affect user interface elements such as window captions, pop-up menus, scrollbars, standard file selection windows or date selection boxes. For those dark mode support from Windows is needed (see above).

  • Various meaningful colors in the graphical user interface had to be adjusted in X-Ways Forensics' own dark mode or when a black background color in Windows settings is detected and adopted, for example the color of file types depending on the type status. In the calendar, the grayscale coding of days with lots of activities is inversed if the background color is black. If you discover text that is unreadable in dark mode, please report back. Color preferences for block selections, tag marks, "already viewed", modified bytes, and positions/search hits highlighting are now remembered separately for normal mode and dark mode.

  • A new option useful in conjunction with dark mode is the ability to render pictures with the internal graphics viewing library as well as all thumbnails in the gallery darker. If that check box, which can be found next to the check box for dark mode in Options | General, is half checked, that means the pixels will be darkened a little less.

  • Some more GUI adjustments for high DPI settings.

  • The Windows username of the current user is now logged in each section of msglog.txt, in addition to the exact program release, which was previously logged already.

  • The command line parameter for automated (unsupervised) imaging is now supported in X-Ways Imager just like in X-Ways Forensics.

  • The filters for size and first sector now have a modulo option. With that option in the Size filter you can for example filter out files that are not a multiple of the sector size, when looking for raw disk images or TrueCrypt/VeraCrypt container files. With that option in the First Sector filter you can for example focus on files that are cluster-aligned or not.

  • Settings of the Size filter, the Hash Value filter, and the Device Type filter are now stored in .settings files and in .xfc case files like the settings of other column-based filters.

  • The Flex filters now have the option for a logical AND combination of all filter terms, so that for example you can filter for e-mails that at the same time are described as attachments.

  • Improved option to filter for carved files with the Description column.

  • The text filters for comments, metadata, and event descriptions now have an option for case sensitivity.

X-Tension API

  • New X-Tension API function XWF_ManageSearchTerm().

  • Ability of the X-Tension API XWF_Search() function to specify the alphabet(s) that define word boundaries.

  • XWF_OpenItem now supports a new flag to open only the plain text of files, which X-Ways Forensics is able to extract from various file types.

  • C++ function definitions and C++ sample projects updated on the X-Tension API web page.

  • Fixed an error in the disk I/O X-Tension API.

Miscellaneous

  • More efficient generation of thumbnails of non-pictures in the gallery.

  • The generation of thumbnails of non-picture files for the report is now more consistent in the results it produces.

  • Usage of internal keyboard hooks for enhanced keyboard shortcuts is now optional, cf. Options | Security.

  • Some improvements in stability and error handling.

  • SR-1: Fixed an exception error that could occur when extracting embedded data from PDF documents.

  • Users who are cut off from their offices and/or have no access to their dongles due to a regional lockdown, quarantine measures, travel restrictions or mail service disruptions have this option since May 2020: As long as someone else has access to your dongle (a colleague), they can temporarily deactivate (mothball) the dongle in v20.0, which allows you to use X-Ways Forensics with other means instead, for the time being, at a nominal price. For details please see www.x-ways.net/dongle_protection2.html.

  • Many minor improvements.

  • User manual and program help updated for v20.0.


Changes of further service releases of v19.9

  • SR-8: Password detection using a dictionary did not work in certain encrypted archives. That was fixed.

  • SR-8: Big-endian interpretation of data as FILETIME timestamps in the Data Interpreter failed when interpretation as a big-endian floating point number was active and not successful ("NAN"). That was fixed.

  • SR-8: Fixed processing of Windows.edb and SRUDB.dat files in v19.9.

  • SR-9: Prevented a rare exception error that could occur when resolving symlinks.

  • SR-9: Prevented a very rare exception error that could occur when parsing Zone.Identifier ADS.

  • SR-9: A rare error that could occur when reading XFS directories has been fixed.

  • SR-9: Ability to process certain MBOX files with unusual line break characters between e-mails.

  • SR-9: Fixed inability to read from files in some GZ archives that occurred if these files were opened repeatedly and the evidence object was not closed in between.

  • SR-9: Fixed RunCount interpretation of certain Windows 10 Prefetch files.

  • SR-10: Fixed an internal recoding error for search terms that could occur when the simultaneous search was run as part of volume snapshot refinement.

  • SR-10: Prevented a crash that could occur when extracting metadata from certain MP3 files with a corrupt ID3 tag.

  • SR-10: Under certain circumstances, logical searches with multiple threads unnecessarily processed the same file more than once. That was fixed.

  • SR-10: The alternative TAR extraction method no longer omits files with a size of 0 bytes in TAR archives.

  • SR-10: X-Tension API: XWF_GetVSProp() with XWF_VSPROP_SET_HASHTYPE1* and XWF_SetHashValue() did not work in volume snapshots with no previous or simultaneous hash value computation. That was fixed.

Viewer Component

  • A new download of v8.5.4 of the viewer component was made available on July 16. Oracle security fixes from July have been applied. The below issues were addressed. Some of these bullet points are quoted verbatim, others have been rephrased for better general understanding where possible.

    E-mail with background color set to white color will make the white body text disappear
    Email header is in a dark background
    Issue with text extraction from One Note with non-ASCII characters
    Issue with text extraction from PDF with broken words with spaces
    Issue with text extraction from PDF incorrect Hebrew texts from PDF file
    Conversion from MS Word DOC to PDF could produce garbage character
    Viewer hangs while rendering a certain PDF file with formulas
    Conversion from MS Word DOC to PDF could print certain paragraph numbers twice
    Enhancement for support of HWP files 5.0.4 and above
    Outlook Appointment files show as corrupted when viewing/exporting.
    Candidate Word file attachments received corrupted from Outside-In service
    Selecting from both body and header of MSG document creates redaction more than
    Viewer failed to display content of a particular MS Excel document properly
    msg file converted with extra question mark like character
    OutsideIn garbles Japanese and other multi-byte characters
    Drawpage produces half size view for the tiff file
    Exporting PDF file results in inverted text
    Conversion to PDF skips some text and graphics elements
    Crashes when viewing a particular MS Excel document


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Take care everyone.

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

#162: Various news related to X-Ways Forensics

May 25, 2020

This mailing is to announce various news and changes, about service releases, an upcoming new version and more.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal or professional license and access to updates)

Customers please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data (!!), details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Dates Location Course Delivered by
May 26-27 Online X-Ways Forensics II (almost full) X-Ways
Jun 4-9 Online X-Ways Forensics X-Ways
Jun 22-25 new Online X-Ways Forensics X-Ways
Jun 29-Jul 2 new Online File Systems Revealed X-Ways

Jul 8-9 new

Online X-Ways Forensics II X-Ways
Aug 24-27 Salt Lake City X-Ways Forensics H-11
Sep 28-Oct 1 Salt Lake City X-Ways Forensics H-11

Please sign up for our training newsletter here if you would like to be kept up to date on future classes.


What's new to report?
(please note that most changes affect X-Ways Forensics only)

v19.9 SR-1

  • Fixed usage of predefined Project Vic categories.

  • PDF conversion failed for certain extracted files. That was fixed.

  • Some timestamps in UTC were displayed in v19.9 as if they were stored in local time. That was fixed.

  • Fixed an exception error that could occur in v19.9 when extracting internal metadata specifically without "Content created" timestamps.

  • Fixed an exception error that could occur when extracting metadata from certain QuickTime video files.

  • Fixed screenshot paths in the activity log of cases created with v19.9.

  • FYI, "converting" individual original PDF documents to PDF format for report generation or during Recover/Copy can make sense to security-minded users because it will not transfer potentially malicious JavaScript code from the original files to the newly generated PDF files.

v19.9 SR-2

  • Updated RunCount interpretation in Prefetch files based on Windows 10 versions 1903 and 1909.

  • On request (after prompting the user), accepts certain malformed Ext* superblocks as valid.
    Recognizes Ext4 volumes with the bigalloc feature as Ext4.

  • More precise type classifications of events extracted from WebCacheV01.dat files as Cookie timestamps and modification timestamps.

  • Avoided indexing interruption by "Numeric limits exceeded" error in v19.8 and v19.9.

  • New notation option that uses a special backslash character in paths in order to force path components to be displayed strictly in left-to-right order even if multiple consecutive components are in Arabic or Hebrew. Currently this has an effect in the Path columns of the directory browser, the caption line of the directory browser, and the path line in the Info Pane.

  • Internal graphics viewing library updated for PNG.

  • Avoided certain unnecessary reminders to use the latest version of the viewer component.

  • Fixed occasional change of the "Omit unchecked/unselected items" setting of textual dialog window representations.

  • Several minor improvements..

v19.9 SR-3

  • Fixed reset of the amount of memory used for indexing when the dialog window with the settings was opened.

  • Fixed potential rejection of indexes as invalid.

  • Prevented some loss of functionality that could occur when parsing certain misidentified CDFS data structures.

  • APFS: Unnecessary repeats of the message informing the user about unsupported high Catalog IDs are now avoided.

  • The option to omit unselected items in dialog windows from text representations does not have an effect on checkboxes and radio buttons any more, only lists.

  • That option is now more prominently shown in the Case Properties dialog window for textual screenshots of the case's activity log.

  • Output of a reserved backward compatibility GUID variant by Microsoft in the Data Interpreter and in templates.

  • Some other minor improvements.

  • Supersedes expiring previous service release.

v19.9 SR-4

  • Fixed problem with exchanging clipboard data between multiple simultaneous instances.

  • Fixed certain unsuccessful index searches for sequences of Asian language characters.

v19.9 SR-5

  • Fixed an infinite loop that could occur in v19.9 when indexing large amounts of data.

  • Fixed exception error in API function XWF_CreateEvObj when applied to empty cases.

  • Some minor fixes and improvements.

v19.9 SR-6

  • Fixed an infinite loop that could occur when processing a TAR archive that is stored in a corrupt parent archive.

  • Fixed a sector read error that could occur in v19.9 when re-opening evidence objects that are physical storage devices.

v19.9 SR-7

  • Fixed an infinite loop that could occur when processing nested TAR archives within a corrupt parent archive.

  • Prevented a very rare exception error that could occur when loading the file signature table.

  • Fixed a display problem with GIF pictures in v19.9.

  • Ability to create and fill evidence file containers with WinHex Lab Edition.

  • Fixed an exception error that could occur when extracting metadata from certain PNG files.

  • The device type filter now also works for PNG.

  • New X-Tension API functions XWF_GetWindow() and XWF_GetProp().

  • New nPropType 50 for the X-Tension API function XWF_GetEvObjProp().

  • Processes zip archives with certain non-standard headers.

  • Several other improvements.

Viewer Component

  • A new download of v8.5.4 of the viewer component was made available on April 18, and was updated again on May 23. Oracle security fixes from April have been applied. Known addressed bugs/issues:

    Web-view export crashes when exporting PDF file
    Installation of 8.5.4 breaks conversion in .NET application
    Fidelity Issues with HTML5 Conversion of PDF
    Attachments of message eml files with winmail.dat not extracted
    Infinite loop with certain pdf files
    Certain MSG files generate out of memory error
    PDF file with ZAPFDINGBATS does not display properly
    MSG converted to PDF has striked out lines
    EMF OUTPUT QUALITY OF PDF FILE WITH EMBEDDED FONTS IS NOT GOOD
    PDF to Image produces improper outputs on WCC11G Patches
    A separate embedded email does not get extracted
    Certain PDF file does not render
    Spacing issue after PDF export
    Viewing of PDF with embedded Fonts results in garbled text
    PDF File rendered with garbage characters
    Not all the characters are being displayed
    Issue with the attachments and Message Body in the eml samples
    PDF text shows as garbled in viewer
    No attachments get extracted for 201401_00943057_winmail.dat
    Text and Spacing issues
    PDF garbled
    PDF conversion issue
    Extra spaces and new lines are found in content of some pdf file
    External Compute Instance Can Not Preview PDF (BIDI)
    Rendering issues in 8.5.4 but not in 8.5.3
    Multiple degradation after upgrade to 854 from 853
    Lines are struck out when viewing certain msg file
    Viewer hangs on attached PDF file
    Conversion to PDF: Header text is shown on the wrong side
    PDF export fails to process certain pptx files
    Attachments not extracted from tnef encoded eml files.
    Overprint issue with some .DOCX files
    SOME CHARACTERS ARE OUT OF THE VIEWING AREA AND SOME ARE OVERWRITTEN
    Special characters (ö,ä,ü,ß) are not displayed correctly and missing
    OIT should support LATEST HWP Version 5.0.4.x and 5.0.5.x
    Unknown error when opening doc in viewer
    "Unknown chunker failure" error when viewing the attached docx file
    Support additional properties from winmail.dat
    Extraction of an attachment does not work in a certain eml file
    Redactions shifted in Excel documents

Other News

  • v20.0 Beta is available for download and can be recommended. Changes are described here.

  • Dongle users who are away from their offices for a while and need to work from other locations because of quarantine, lockdown, or travel restrictions and who do not have their dongles with them can find a possible temporary solution here.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Take care everyone.

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

 

 

 

> Archive of the year 2019 <

> Archive of the year 2018 <

> Archive of the year 2017 <

> Archive of the year 2016 <

> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <