|#167: X-Ways Forensics,
X-Ways Investigator, WinHex 20.4 released
Nov 24, 2021
This mailing is to announce the release of
another update with important improvements, v20.4. The release
date was Nov 23, 2021.
Customers please go to https://www.x-ways.net/winhex/license.html
for the latest download instructions including
current log-in data, details about their
licenses and potentially upgrade/renewal offers. Please do not ask us about
the download password. Your organization has access to it already if
Please be reminded that if you are interested in receiving information about
service releases when they become available, you can find those in
Announcement section of the
and (with active access to updates) can subscribe to them, too, by creating
a forum profile. Please note that if you wish or need to stick with an older
version for a while, you should at least use the last service release of that version.
New videos are available
on YouTube that depict how to set up X-Ways Forensics and discuss various
Online Live Training
Please sign up for our training notifications
if you would like to be kept up to date on future classes.
What's new in v20.4?
(please note that most
changes affect X-Ways Forensics only)
File System Support
Support has been added for the QNX file system as
commonly found in current car entertainment systems. X-Ways Forensics,
if supplied with an image extracted from such a system, can now parse
the file system structures, including timestamps and UNIX permissions,
as known from other file systems. Individual virtual files representing
the key file system structures are also shown, and Specialist |
Technical Details Report will show fundamentals of the file system as
Btrfs volumes using snapshots are now supported.
Up to 127 subvolumes (incl. snapshots) are now
supported per volume in Btrfs, up from 31 subvolumes previously. Unlike
other subvolumes, which are all shown on the first level of the main
volume, snapshots are shown within the subdirectory of .snapshots that
corresponds with the snapshot’s creation date.
For all subvolumes (incl. snapshots) of Btrfs, the
Technical Details Report identifies their respective official parent
(sub)volumes, as before.
When taking a volume snapshot of directories (or
entire drive letters without sector-level access), where it's not X-Ways
Forensics itself that parses the file system, but Windows (internally
referred to as file system "OS dir list"), alternate data streams can
now also be included. This is a new setting in Options | Volume Snapshot
and can be turned off if you are not interested in ADS and/or wish to
save time. In new installations of X-Ways Investigator it is turned off
Computing the total amount of data in files found in
OS directory listings is now optional (cf. Options | Volume Snapshot).
Any discrepancy between the original amount of data and the new amount
detected when re-opening the evidence objects is brought to the user's
attention and triggers an offer to take a new volume snapshot.
The x86 edition is no longer subject to internal path
redirections of Windows, for example when traversing directories on the
C: drive without sector-level access ("OS dir list") in some directories
like C:\Windows\System32\config. The x64 edition never was.
Parsing symlinks when taking a volume snapshot
(depending on the file system) is now optional, cf. Options | Volume
Ability to identify partitions formatted with the
F2FS file system as such.
File Format Support
Support for spanned 7z archives.
Ability to detect and defend against one more type of
Increased maximum number of zip records presented in
Details mode of zip archives from 10,000 to 20,000.
Recognition of more generating devices including
iPhone 13. Updated evaluation of pictures.
Thumbnails in JPEG format can now be generated for
HEIC pictures in the case report.
If the creation of a special human-readable
representation of certain file types in the case report fails (for lnk,
flnk, info2, wab, job, ...), such files are now copied verbatim.
(This change will also be applied to v20.3 SR-9.)
The File Header Signature Search now accepts more
partially available data as NTFS-compressed.
Raw submode is now available for WofCompressed files
in File mode to see the complete compressed data with slack. The List
Clusters command now lists all clusters of such files including the
slack. The slack area of the WofCompressed data is highlighted also in
There is now a dedicated checkbox for the logical
search to control whether certain slack areas of NTFS compression are
targeted. It's unlabeled, but has a tooltip. If fully checked, the
undefined slack area at the end of each compression unit of ordinary
NTFS-compressed files is searched raw (as is, without decompression),
like in previous versions. If that check box is at least half checked,
the well-defined slack of WofCompressed files is targeted (searched raw,
without decompression), and this is a new feature of v20.4.
When text in files is decoded for the simultaneous
search or indexing and saved in the volume snapshot for future re-use,
and the special option for numbers and dates in spreadsheets is not
active at that time, and later you run a search again *with* the special
spreadsheets option, then you may not benefit from it if the originally
decoded text is searched. That's why you will now get a warning in such
a situation if the volume snapshot's decoded text is already loaded, or
it will be discarded altogether upon loading.
The option to open files with slack has been moved
from Options | Directory Browser to Options | Volume Snapshot.
Text derived by OCR now has Windows line breaks
instead of Unix style line breaks.
Directory Browser Filters
If multiple filters are active, they were previously
always ANDed, meaning each file had to pass the first active filter AND
also all other active filters to be listed in the directory browser.
However, now you can also filter files with a logical OR, meaning any
file that passes the first active filter OR any other active filter will
be listed. If active filters are combined with a logical OR, that is
shown in the directory browser caption line next to the active filter
count. A click on the filter count or the word OR toggles between AND
and OR combination.
If multiple filters are combined with OR, the
Description filter can still be optionally ANDed and is ANDed by
default, as you can tell from an additional checkbox labeled AND in the
Description filter dialog window, visible when other filters are ORed.
If ANDed, the Description filter is counted and treated separately.
Ability to load multiple .settings files at the same
time, which each can target different files using different filters
(internally combined with AND or OR), and all matching files will be
added to a single report table. This allows for complex nested filter
conditions like this: Files of type A only if contained in path X plus
files of type B if not deleted plus files whose names contain the word Y
or Z and who have the System attribute etc. etc. A filter for the
resulting report table is automatically activated.
Option to select multiple file type categories for
filtering instead of just one, in a dialog window instead of the pop-up
An easier-to-use and simplified version of the dialog
window to create report table associations is now available, with less
settings that might confuse new users, which is the new default in
X-Ways Investigator, and optionally available in both X-Ways Forensics
and X-Ways Investigator. For example, in the simplified version report
tables that are created by the application to make the user aware of
something will not be listed, and it's possible to specifically remove
report table associations from selected files without the use of
Directory Browser Context Menu
New Recover/Copy option: If "Apply original
timestamps to copies" is half checked, Recover/Copy works as in previous
version, plus the content creation timestamp if available may substitute
for a missing file system level creation timestamp.
If the box is fully checked, that means X-Ways Forensics will make extra
efforts to set creation, modification and last access to some original
timestamps to avoid that any of these three standard timestamps will
reflect the time when the Recover/Copy command was used. For example
extracted e-mails or attachments or files in archives or carved files
may not have all or any timestamps. X-Ways Forensics may resort to
record change timestamps, alternative creation timestamps, content
creation timestamps, and modification timestamps as substitutes for
creation, modification as well as last access.
There is now an additional checkbox that will
make recovered/copied files inherit timestamps from parent
files/directories. It is a 3-state box. If half checked, only timestamps
of parent files are inherited (think of e-mails that contain e-mail
attachments or pictures that contain thumbnails). If fully checked,
timestamps can also be inherited from parent directories (or grandparent
directories or great-grandparent directories etc.).
An extreme example is a carved files with no timestamps at all. Its
parent directories are virtual directories and have no original
timestamps either. Hence the creation timestamp of the root directory
will be adopted, if available (not in FAT file systems). A parent
directory creation timestamp could helpful because it can be regarded as
a lower limit for the unknown creation timestamp of the file. A parent
file creation timestamp could be regarded as an upper limit for the
unknown creation timestamp of a file if the parent is a file archive or
an e-mail message. If the file is a thumbnail embedded in a JPEG file,
the creation timestamp of the parent should be exactly right for the
A new command in the directory browser context menu
named "Copy: Extracted text" allows to copy text that is decoded or
OCRed from selected files to other places. The scope can be limited to
files that specifically need OCR (i.e. pictures and certain PDFs) if you
are only after such files. The extracted text can be buffered internally
in the volume snapshot for future logical searches or indexing and the
context preview of search hits. It can be copied into comments of the
respective files (suitable esp. for small amounts of text OCRed from
pictures), for example to include the text in the case report or
exported lists, optionally with an explanatory prefix like [OCR] or
[Extracted text]. The extracted text can also be output as child objects
(text files). Or it can be collected in a single text file on your own
storage device, or copied into the clipboard, and any combination of the
above is also possible.
A new command line command named "AddDir" is now
supported. It is followed by a colon, and after that you specify which
directory you wish to add to the case, e.g. AddDir:X:\. If the character
after the colon in an asterisk, the root directories of all available
drive letters will be added to the case: AddDir:*. However, network
drives are optional because they can be excessively large and slow to
explore. Addition of network drives depends on a new option in Options |
Volume Snapshot. If you run X-Ways Forensics from a volume that has a
drive letter, that drive letter will be ignored, assuming that you are
doing this to triage a live system and run X-Ways Forensics from your
own removable device. The AddDir command also allows to add single files
to a case.
A new command line command named "AddDrive" is now
available. It is followed by a colon, and after that you specify which
drive letter you wish to add to the case, in upper case, e.g. AddDir:C.
Unlike a directory, which is accessed and explored through the operating
system, drive letters require sector-level access (and therefore
administrator rights), and any present file system will be parsed by
X-Ways Forensics itself, if supported. If the character after the colon
in an asterisk, all available drive letters in the system will be added
to the case: AddDrive:*. However, network drives are optional because
they can be excessively large and slow to explore and cannot be read by
X-Ways Forensics with sector-level access. Addition of network drives
depends on a new option in Options | Volume Snapshot. If you run X-Ways
Forensics from a volume that has a drive letter, that drive letter will
be ignored, assuming that you are doing this to triage a live system and
run X-Ways Forensics from your own removable device. If you specify the
AddDrive:* command although you run the software without administrator
rights, then the AddDir:* command will be run instead.
The command line command "NewCase" followed by a
semicolon instead of a colon generates a unique filename if the
specified .xfc file already exists. With a colon, the existing case is
deleted and overwritten (without prompt or mercy), like in previous
The "NewCase" command now supports relative case
paths as well as references to environment variables.
The "Dlg" command line parameter now supports
relative paths for .dlg files and file masks, so that you can load
multiple .dlg files in the same directory at the same time.
New investigator.ini customizations are now supported
in X-Ways Investigator and when running X-Ways Forensics as X-Ways
-18 prevent ability to show/hide toolbar
-20 prevent most commands in directory browser context menu
-54 prevent more options for report table associations
-55 prevent creation and deletion and properties of report tables
-56 predefine report table in new cases: "Include in report" (if you use
the ~ character in this string, it will be replaced with the examiner
-57 prevent display of case report options
-58 prevent report filename selection (automatically generate a unique
-59 prevent opening of newly created case report in browser
-60 prevent report file visibility (set H attribute)
-69 prevent usage of most keyboard shortcuts, esp. the main menu related
-70 prevent File menu
-71 prevent Edit menu
-72 prevent Search menu
-74 prevent View menu
-75 prevent Tools menu
-76 prevent Specialist menu
-77 prevent Options menu
-78 prevent Window menu
-79 prevent Help menu
-80 prevent Version menu
-81 disable Disk/Partition/Volume button (mode still available)
-82 disable File button
-83 disable Preview button
-84 disable Details button
-85 disable Gallery button
-86 disable Calendar button
-87 disable Legend button
A new mode of operation in X-Ways Investigator can
guide users through a simple triage process, by exploring all drive
letters recursively, suggesting a file category filter and a simple
keyword search before reviewing files, for example in conjunction with
AddDir:* in the command line:
+100 special guided process, with this main window title: "X-Ways
If you wish to output hash values of the files in
your case report, and you did not compute hash values previously by
refining the volume snapshot, the hash values can now optionally be
computed on the fly when generating the report.
"Clean up after GDI font object leaks" now mainly has
the function to allow for mass operations with the viewer component that
potentially permanently consume GDI handles. To avoid a crash for
example when generating thumbnails for thousands of PDF files for the
case report, this option should be active. The option is now also
available in the 32-bit edition of X-Ways Forensics. By default the
check box is now half checked. Fully checked means that the necessary
checks for handle leakage are performed more often.
More precise enforcement of the maximum simultaneous
user count with network dongles in multi-modal mode and multi-user
There is now a progress bar when creating a case
report for which files are copied or thumbnails are created (or both).
Logs command line parameters in the activity log of a
case if those parameters create or open a case.
If Tesseract is unsuccessful with a particular file
to which you apply OCR in Preview mode, its error messages are now
output by X-Ways Forensics in the Messages window..
More complete listing of RAID reconstruction
parameters in the Technical Details Report, so that you can find out
exactly at any time later how you had managed to rebuilt a particular
Support for overlong paths within the case directory.
The downloadable English-language Tooltips.txt file
The resource download directory now contains
ready-to-use XWF hash databases with the NIST NSRL RDS 2.74 hash values
as MD5 and SHA-1.
Which hash databases are used for matching is no
longer controlled by Skip buttons, but rather by checkboxes in the
Specialist | Refine Volume Snapshot dialog window, so that this behavior
can be better controlled when running RVS from the command line.
X-Tension API: Ability to store hashes in the volume
snapshot even if hashes had never been computed for that evidence object
with user interface functionality. (This capability will also be added
to v20.3 SR-9.)
The already established Metadata refinement function
to estimate the generic relevance of files has been further revised and
improved, in particular for pictures: A new Propensity Score Table
predicts the probability that a particular picture file will possess
embedded additional metadata based on the larger of the picture's pixel
dimensions. (The actual table is available for download to registered
customers in the resource directory: PropensityScore.html.)
This is based on empirical assessment and the fact that certain specific
picture dimensions are themselves indicative of e.g. smart device
screenshots (whose dimensions are identical to the screen resolution of
the device) and thus might hold particular interest. In some cases, the
generic assessment of a particular pixel dimension is replaced by a more
specific verdict in the case of certain aspect ratios (e.g. 1:1 or 4:3)
or specific pixel dimensions (e.g. 5488x4096) known to be exact camera
resolutions and the like. Some specific resolutions or aspect ratios are
also identified in the table as being associated with a particular
source device, e.g. Smartphone, Scanner, etc.
The propensity score further considers the embedded metadata: firstly,
whether it is present at all, but also its completeness, original or
modified nature and the actual meaning of the metadata, e.g. EXIF
information identifying a smartphone's front ("selfie") camera as the
of a picture.
Many minor improvements.
User manual and program help updated for v20.4.
Changes of further service releases of 20.3
SR-1: Option to immediately output new hash set
matches also as report table associations, either all of them, or (if
half selected) only for notable hash sets.
SR-1: Improved fidelity when producing .eml
representations of certain single-part plain-text e-mails in MSG format.
SR-1: If OCR was unsuccessful for the last page of a
PDF document, text from preceding pages was previously discarded. That
SR-1: Shows pictures in WEBP format in the case
report just like various other picture file types that are typically
supported by web browsers.
SR-1: Dialog window selections, which are saved in
and loaded from .dlg files, in the case of the directory browser options
dialog now include the order of the columns in the directory browser.
SR-1: The service release number is now reflected in
the modification timestamps of the installation files in the zip
archive, as the number of seconds, so that you can automatically parse
it if needed.
SR-2: The file format specific encryption test did
not work as intended in v20.3. That was fixed.
SR-2: Prevented an unnecessary read operation from a
physical storage device when opening a partition from the case tree
(potentially relevant when creating skeleton images).
SR-2: The Recover/Copy command was unable to create
directories with very long paths in certain constellations. That was
SR-2: The "Hash computed" filter option of Hash 2 was
erroneously applied to the Hash 1 column. That was fixed already in the
original release of v20.3.
SR-3: Avoids a conflict between processing of command
line parameters and recovery from a crash upon restarting.
SR-3: Addresses a potential cause of inavailability
of the "Refine volume snapshot" command.
SR-3: The X-Tension API function XWF_GetItemCount()
now has additional capabilities.
SR-4: Fixed a rare exception error that could occur
when creating text representations of dialog windows.
SR-4: Applied the latest security fixes of the FFmpeg
SR-5: The X-Tension API function XWF_GetCellText()
did not work for all columns. That was fixed.
SR-5: The FlexFilter did not always target the right
columns in v20.3 if the column order was redefined by the user. That was
SR-5: Fixed an error in the alternative processing
method of TAR archives that appended garbage characters to certain very
SR-5: Double-clicks on already selected items in the
directory browser did not always work in v20.3. That was fixed.
SR-5: Fixed an occasional OCR problem with multiple
SR-5: Case report: No thumbnail placeholders are
output any more for directories in report tables.
SR-5: Fixed an exception error that could occur when
viewing unprocessed PList files.
SR-6: No more (futile) attempts to back up cases that
are opened as read-only.
SR-6: When opening files that were carved and that
contain NTFS-compressed data, the resulting decompressed file contents
no longer contain a few surplus bytes.
SR-6: Avoids possible duplication when carving
SR-6: Some necessary initializations are now
performed when triggering a logical search from the command line
indirectly via RVS.
SR-6: Since v20.1, with the internal algorithm ~29
not all RAR archives were carved. That was fixed.
SR-7: Since v20.1, multipliers in regular expressions
when applied to characters other than letters in Western languages did
not work in UTF-16. That was fixed.
SR-7: Fixed inability to cleanly remove an evidence
object from a case that is a reconstructed RAID once it had been opened
in that session.
SR-7: Fixed a re-use error that could occur when
viewing files externally from different evidence objects in the same
session that had the same filenames and the same internal IDs in their
respective volume snapshots.
SR-8: Fixed an exception error that could occur since
v20.2 when processing certain .evtx event log files.
SR-8: An error in the alternative spreadsheet text
decoding method was fixed. This fix will also be available in v20.1
SR-13 and v20.2 SR-8. Please keep the application's main window in the
foreground if you run a search with that option.
SR-8: The gallery now reflects the directory
browser's scrollbar position when switching to gallery mode, like in
v20.1 and earlier.
Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways
Professional in Evidence Recovery Techniques)
Prove your proficiency
in computer forensics in general and X-Ways Forensics in particular with our
certification program. After passing the challenging exam, you
will be part of an exclusive circle and enjoy various benefits such as
special recognition, training discounts, updated training material. For
further details, please check
Thank you for your attention! We hope to see you soon
somewhere at https://www.x-ways.net or on our
You may also follow us on
Twitter. Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
X-Ways Software Technology AG