WinHex & X-Ways Forensics Newsletter Archive

This mailing is to announce the availability of version 21.6 with official release date Oct 19, 2025.

License owners please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the latest log-in credentials (!), details about their licenses, and upgrade or renewal offers. Please do not ask us for the download password. Your organization has access to it already if eligible, as described.

Service releases are announced in the Announcement section of the forum, and you can subscribe to instant e-mail notifications of postings in that section if you have a forum profile. You can create such a profile here (if you have our log-in credentials). If you wish or need to stick with an older version for a while, please switch to the latest service release of that version.

Upcoming Training Events

Please sign up for our training notifications here if you would like to be kept posted on future training dates.

What's new in Exponent™:

• The 2nd generation of Exponent, a powerful collection of X-Tensions for X-Ways Forensics, is now available. In particular, it has undergone a major facelift with its Exponent Faces™ X-Tension. Face matching accuracy and reliability now provides dramatically improved results with minimal or no false positives.

• New module included: SQLite Explorer provides a powerful interface for examining and reporting on evidence stored in SQLite databases. Users can build dynamic queries by selecting table columns or writing custom SQL, while timestamp fields can be instantly converted into readable formats for easier timeline analysis. A visual designer helps build complex queries and JOINS without requiring advanced SQL expertise. For deeper validation, the Forensics tab exposes raw database structures at the byte level with predefined offsets for known values. Results and entire tables can be exported to CSV for reporting or further analysis. This tool turns complex SQLite files into transparent, actionable evidence.

• New module included: CSV to SQLite allows investigators to import CSV files—whether tab, comma, semicolon, or pipe-delimited—into new or existing SQLite databases. This makes it easy to consolidate evidence from multiple sources, even when filenames overlap, such as Chrome download history from different directories. Table names can be edited before import, and once in SQLite, the data can be refined or cross-analyzed using the SQLite Explorer X-Tension. This combination provides a robust workflow for merging and interrogating diverse datasets under a single framework. By transforming raw CSV exports into a structured database environment, investigators gain speed, flexibility, and clarity in timeline reconstruction.

• For a complete product overview please refer to this overview. X-Ways sells Exponent here.

What's new in X‑Ways Forensics 21.6?
(where applicable, changes also affect X‑Ways Investigator, WinHex, and X‑Ways Imager)

Encryption/Decryption

• X-Ways Forensics can now decrypt BitLocker volumes that are protected with a startup key if the right startup key is available. Startup keys are stored in .BEK files, which in turn are usually stored on removable USB storage devices. Whenever X-Ways Forensics encounters a .BEK file in any evidence object while taking the volume snapshot, it copies the .BEK file to the case directory and keeps it there. (The case directory, not the directory for cases.) In that directory .BEK files are automatically found whenever a BitLocker volume is opened to see if any of them fits. You can also manually copy .BEK files that you have found into the same directory to get X-Ways Forensics to try them.

• Supports file systems other than NTFS in BitLocker partitions in regular (not "to go") style for internal decryption.

• Tentative fix for only partially encrypted BitLocker volumes.

• There is now an option to always prompt the user before decrypting a BitLocker partition when opening it. If declined, all data in all sectors will be shown exactly as they are stored on the storage device, i.e. usually (but not necessarily) encrypted.

• Informs users that and why switching to any mode other than read-only mode is not possible with a decrypted BitLocker partition.

• Ability to try the passwort collection of the active case (Passwords.txt) when prompted for the password of a BitLocker volume.

• Before trying the password collection on a BitLocker volume, X-Ways Forensics now first attempts decryption with the passwords of other BitLocker volumes in the same case, if there are any, for which a password is known. For that reason it can be beneficial to unlock BitLocker volumes with a known password instead of with a known recovery key when prompted if you happen to have both.

• The verified password or recovery key of a BitLocker volume is now saved in the Description box of the evidence object properties for your future reference.

• Internal passwords/encryption keys, such as for encrypted .e01 evidence files and cases, now optionally support Unicode, depending on the state of the new check box "Encode internal passwords as UTF-8" in the Options | Security dialog window. Make sure the box is UNchecked if you have previously used passwords that contain non-ASCII characters to preserve compatibility.

• Unicode support for password prompts of the viewer component.

• Non-Latin 1 passwords are now supported when entering passwords manually to decrypt archives.

File Archive Support

• When creating a container for selected files that you wish to acquire, store together in a separate place or share, you can now opt for a Zip archive instead of a regular file container (with a file system). Already created zip archive containers can be opened for further filling (only unencrypted ones). Many of the advanced properties of a regular evidence file container are not available that way, but using Zip archives has the following advantages:
  + The file contents can be encrypted immediately, which can be useful not only to prevent them from being read by unauthorized people, but also to prevent virus scanners from detecting malware that you intentionally wish to pack up/quarantine in a dedicated archive, for example with a password like "infected". This function is also called "secure export".
  + Ordinary tools that do not understand file systems at a computer forensic level as required for regular evidence file containers may be able to read zip archives and allow to view the included files. That includes the Windows File Explorer (which, however, does not support Zip archives with AES encryption).
  
  Regular evidence file containers still have these unique advantages:
  + ability to distinguish between existing and deleted files
  + store an incredible amount of other metadata
  + protection against duplication (user adding the same file multiple times)
  + Ability to include file slack or only the slack or only the selected block or to only include metadata.
  + files as child objects of other files
  + original file system data structures for directories,
  + pass on labels, comments, hash values
  + embed attachments in .eml e-mail messages

• When adding spanned/segmented file archives in WinZip style (.z01, .z02, ..., .zip) to a case, you do not need to make sure any more to select the first segment (.z01) as stated in the documentation. If you add the last segment (.zip) instead, which is intuitive because of its well-known extension, that will now also work, i.e. all segments will be found and internally concatenated as needed. This also works if the extension of the last segment is .ufdr instead, i.e. in the case of a spanned Cellebrite UFDR report.

• Slightly improved handling of .fctar files as evidence objects.

File System Support

• Redundant timestamps from 0x30 attributes in NTFS FILE records are now included in newly taken volume snapshots and no longer rejected as irrelevant already at the time when the file system is parsed. Now you can decide in the Notation settings whether redundant timestamps should be displayed/output or not. By default, they are hidden, just like in previous versions, in order to not unnecessarily clutter up the screen, with the goal in mind to require the user's time and attention only for timestamps that actually contain additional information. However, if you feel you temporarily need to see all timestamps to double-check or if the recipients of exported lists that you are sharing wish to see all timestamps, you can now selectively enable redundant timestamps for where they are needed. A middle setting allows to see redundant timestamps dimmed in a light gray color in the directory browser just like previously known from never updated last access timestamps. (The middle setting is not available in the Notation settings for case reports, the Export List command or the Recover/Copy command.) Filters and sorting used to treat redundant timestamps as non-existent in previous versions because they were simply not included in the volume snapshot. Now they are treated like any other timestamps, no matter whether they are currently visible or not. If a timestamp filter specifically targets a column with redundant timestamps, those timestamps will be displayed and highlighted even if they were otherwise invisible.

• If you wish to see timestamps in the volume snapshot of an NTFS file system with more than 4 digits after the decimal point (fractions of seconds), you do not have to point the Data Interpreter any more to the timestamp in the 0x10 attribute of a FILE record, but can now simply open the file of interest or switch to File mode for the selected file and refer to the Info Pane for the maximum of 7 such digits. This full precision is also available in the Info Pane for files in an evidence object that is a directory in an NTFS file system as well as for files opened directly with the File | Open command.

• The threshold above which backdating is brought to your attention in the display of a timestamp column in the directory with the clock+arrow icon and a brief representation of the time discrepancy and which is used for the backdating filter can now be set in the directory browser options.

• The detection of backdating activities in NTFS timestamps can now be limited to instances where the subsecond part of the timestamp (the digits after the decimal point) is zeroed out, with the expectation that backdating was performed manually by some timestomping tool that did not bother to create randomized subsecond digits and rather set those parts of the timestamps to zero. (Malware that tries to cover its tracks and backdates files automatically and algorithmically may be better than that.)

• Suitable timestamp precision in the directory browser and in the Info Pane display for files listed by the operating system if the underlying file system is FAT, not NTFS.

• APFS: More extended attributes (EA) will generally be picked up and output in the Metadata cell of a particular file if the volume snapshot option "Output simple EAs as metadata" is enabled. That means fewer child objects and more EAs showing as legible text in the Metadata cell of the file that the EA actually belongs to. Some additional data are parsed that way and presented in legible form, for com.apple.assetsd.UUID, com.apple.assetsd.timeZoneOffset and the timestamp in the com.apple.quarantine EA. If "Output simple EAs as metadata" is disabled, an EA child object will have the same information in its Metadata cell. For the output of com.apple.quarantine EA, the check box "HFS+/APFS: Complete output of EA" needs to be at least be half checked. Any timestamps found in quarantine EAs will be output as events of the type "Operating system: Quarantine" in newly taken volume snapshots, and associated with the file that the EA belongs to. If the quarantine entry contains an application name, and perhaps even a GUID, those end up in the event description.

Storage Device Support

• That the username of the logged-in user who creates an image is included in the descriptive text file is now optional. Fully unchecked even the examiner name known in X-Ways Forensics is not included.

• Support for more LVM volume groups open at the same time.

• More tolerant of certain corrupt GPT partition tables.

• Improved detection of GPT-partitioned disk data occurring paradoxically within a partition when opening such a partition. Can happen for example with level 1 MD-RAIDs. An automatically generated comment advises the user how to get such data interpreted correctly: You can right-click the virtual file that spans the entire partition and open it, and because it is like a raw image of a partitioned storage device, you can afterwards interpret it as a disk and add it to the case as an additional evidence object by right-clicking its tab.

Picture File Support

• The list of recognized picture generating devices was updated.

• A propensity score is now only output for pictures that were not known to have been generated by a sensor-based device.

• The status "disseminated" is now also defined for WEBP and PNG files. The status "edited" can be detected in some WEBP files (they can now edited in Photoshop or GIMP).

• Extraction of creator/author names from certain JPEG files like in older versions of X-Ways Forensics.

• No more extraction of blank "light values". Whether a "light value" is presented in the metadata column now depends on whether the output of indoor/outdoor is selected for the picture content analysis.

• Metadata extraction from AVIF picture files.

• Generator signatures are now defined for AVIF files. Device types are assigned. A new generating software class is defined specifically for AVID: Airbnb.

• Improved identification of original (unaltered) and editied JPEG files produced by Xiaomi, OPPO and OnePlus devices.

• Labeling of JPEG, PNG and WEBP pictures as pictograms where applicable. Such pictures also get a lower generic relevance assigned.

• Extended detection of certain AI-generated pictures. Certain pictograms, AI-generated pictures and graphical elements are now shown with the device type "no device" to show that they were not generated by any image capturing devices.

• Improved information about color profiles (ICC).

• Slightly improved output of PNG metadata.

Volume Snapshot Refinement

• Updated detection of eCryptfs-encrypted files on Linux file systems as part of the "File format specific and statistical encryption test".

• Indexing engine slightly revised.

• X-Ways Forensics no longer needs to resort to a single thread when restarting itself after a crash in order to single out a problematic file, omit it and label it as the reason for the crash. This will improve performance.

• Whether detections of the picture content analysis shall be used for categorizations based on rules that the user defines can now be decided separately for notable and irrelevant content.

• When the metadata extraction finds out that multi-media files in the MP4 container format contain only audio, no video, it now confirms the file type as M4A (an audio-only file type) so that users that are interested in the video category do not need to invest time checking out those files.

User Interface

• Regular filters (which internally can be combined with AND or OR) can now be combined with the FlexFilters (which internally can be combined with AND or OR) with a logical OR in addition to a logical AND.

• The Description filter dialog window now has an option to focus on non-trivially hard-linked files.

• Another Notation option has been introduced for the "Existent" column. Users can now describe the "existent" or "non-existent" status in their own words. Particularly useful for example for the Export List command to match the expectations of a 3rd party and for the Recover/Copy command when grouping files by their existence/deletion status so that you get directories named accordingly.

• There is now a dedicated symbol (a lower-case i in a circle) in the caption line of the directory browser where you can left-click to get a textual summary of all active filters with their settings.

• The icon with the keys next to a BitLocker partition in the case tree as well as in the directory browser is now grayed out if the right password or key for decryption is already stored in the case, to confirm that the encryption is no obstacle any more. For similar reasons, BitLocker partitions with clear-key encryption are presented with the same icon.

• The Override command line parameter for unsupervised automated processing can now skip the BitLocker password prompt, with either value 1 or 2, or it can make X-Ways Forensics try the internal password collection (in Passwords.txt) if a value of 4 is combined with the usual 1, which gives Override:5. [Note that Override:5 is not compatible with earlier versions of X-Ways Forensics.]

• More intuitive options to select the gradient colors for tag marks and for the "already viewed" status.

Miscellaneous

• Exporting and importing selected label names as UTF-16 text files now not only includes the optional descriptions, but also the type of label (e.g. "user-defined") and the label settings (the check marks on the right-hand side of the dialog window to manage labels).

• Templates now support a new modifier called "hidden", which identifies variables whose values you wish to set during parsing and may need for subsequent calculations, but do not want to show to the user. Also useful for constants that you define and use in calculations that the user should not be distracted with.

• Fixed an error where OCR was involuntarily executed retroactively after picture content analysis was applied to selected files.

• A revision of v8.5.7 of the viewer component is now downloadable. Oracle fixes until Jul 2025 have been applied.

• The program help and the user manual were updated.

• Many minor improvements.

Changes of service releases of 21.5:

• SR-0+: The "Do not display again" check box was unusable in message boxes with only one button in the original v21.5 release. That was fixed.

• SR-1: More forms of compressed data storage in APFS are now supported.

• SR-1: OCR can now also be triggered by the detection of paper texture in a picture.

• SR-1: More consistent in which button in a message box (e.g. OK or Cancel) is compatible with the "Do not display this message again" option.

• SR-1: Fixed an instability that could occur when decrypting partially encrypted Windows 11 BitLocker volumes.

• SR-2: v21.5 SR-1 became unstable when the user interface was set to British English spelling. That was fixed.

• SR-2: Improved keyboard navigation. Even with no data window, you can now press the Tab key to give the case tree the focus. You can now navigate up and down in that tree with the cursor keys without inadvertently opening the Case Root window. You can press the context menu key to open the context menu of an evidence object is one is selected in the case tree, or the context menu of a directory within an evidence object, e.g. to explore recursively.

• SR-3: Italian translation of the user interface updated.

• SR-3: Prevented an error message about the inability to find the Cache file of a volume snapshot that could occur in certain situations in v21.5.

• SR-3: Prevented an infinite recursion when deconstructing certain Windows executable files (DLLs) in v21.4 and later.

• SR-3: Prevented a floating point exception error when processing certain SQLite database files.

• SR-4: Prevented a possible infinite recursion when parsing UFS file systems.

• SR-4: An error in LVM2 handling prevented the volumes within an LVM2 Container partition, if it was not the first in a group of LVM2 Containers, to be listed correctly, unless the first LVM2 Container in the sequence was opened first. This was fixed.

• SR-4: Fixed inability to explore certain large nested archives with caching enabled when not using additional threads.

• SR-4: Prevents the identification of certain audio-only MPEG-4 file as MP4 video.

• SR-4: Prevents an exception error that could occur in v21.4 in certain situations when using older WinHex.cfg files.

• SR-4: v21.4 and later did not fully explore RAR archive files that in turn contained ZIP archives. That was fixed now in v21.5 SR-4 with an updated zip.dll file that can be recognized by its modification date (later than all the other files).

• SR-5: X-Tension API: The XWF_GetEvObjProp() function can now replace an evidence object with a new image using an nPropType of 100.

• SR-5: Fixed a hanging error that occurred rarely with certain cells in the directory browser when presented with a very wide column width.

• SR-5: Fixed an error that occurred when decrypting data in sectors at the end of very large BitLocker partitions (> 1 TB).

• SR-5: Presenting certain HEIC files in Details mode updated the "Content created" cell with a timestamp in a wrong time zone. That was fixed.

• SR-6: When opening files in NTFS file systems from within the directory browser in a separate data window, the Info Pane optionally showed up to 7 digits after the decimal point for the creation timestamp as a sub-second value although the available precision in the volume snapshot only justified the display of 4 such digits. That was fixed.

• SR-6: Presenting certain JPEG files in Details mode updated the "Content created" cell with a timestamp in a wrong time zone. That was fixed.

• SR-6: v21.5 SR-3, SR-4 and SR-5 did not properly rotate certain JPEG photos for viewing and OCR. That was fixed.

• SR-6: Fixed processing of the command line parameter "GetLicID:".

• SR-7: The internal graphics display library now supports TIFF pictures with CCITT compression.

• SR-7: Slightly revised support for PNG pictures in the internal graphics display library.

• SR-7: Prevented an exception error that could occur when extracting e-mails from certain rare PST e-mail archives.

• SR-7: Fixed usage "structure type" as a criterion to identify duplicates and fixed "+ Modified" as an additional criterion.

• SR-7: Fixed certain "Do not display this message again" behavior.

• SR-7: Prevented a rare division by zero error with certain RIFF files.

• SR-8: If the Windows operation system lost control over a storage device that was in the process of being imaged, signaling a certain error condition, v21.2 and later reported the error description from Windows correctly and reported the total number of unreadable sectors correctly, but only listed the first affected internal range of sectors individually although it (pointlessly) continued the operation. In v21.5 SR-8 and also all future releases of v21.2 and later the same error condition will stop the imaging procedure.

• SR-8: One more error condition is now recognized as permanent loss of connection to a storage device.

• SR-8: Fixed an exception error that could occur in v21.5 if text or paper texture detection was selected as a reason to run OCR on a picture.

• SR-8: The selected hash types in the Refine Volume Snapshot dialog window were not stored in .dlg selection files. That was fixed.

• SR-8: The number of extra threads set in the Refine Volume Snapshot dialog window can now be optionally stored in .dlg selection files (although it is machine-specific) if you hold the Shift key while creating the .dlg file.

• SR-8: Prevented an error that could occur with overlong paths within the case directory when a volume snapshot backup was created with labels.

• SR-8: Prevented occasional misidentifications of the device type "Screen?".

• SR-8: The registry viewer now always presents the decoded form of the TrayNotify IconStreams texts instead alternatingly the original and the decoded form.

• SR-9: Automatically resuming crashed sessions did not work if temporary files were stored in a case-specific temp path. That was fixed.

• SR-9: Prevented an exception error that could occur when opening certain rare BitLocker volumes.

Become a certified user of X‑Ways Forensics
Become an X-PERT (X‑Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X‑Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

This mailing is to announce the availability of version 21.5 with official release date June 8, 2025.

License owners please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the latest log-in credentials (!), details about their licenses, and upgrade or renewal offers. Please do not ask us for the download password. Your organization has access to it already if eligible, as described.

Service releases are announced in the Announcement section of the forum, and you can subscribe to instant e-mail notifications of postings in that section if you have a forum profile. You can create such a profile here (if you have our log-in credentials). If you wish or need to stick with an older version for a while, please switch to the latest service release of that version.

Upcoming Training Events

Please sign up for our training notifications here if you would like to be kept posted on future training dates.

What's new in X‑Ways Forensics 21.5?
(where applicable, changes also affect X‑Ways Investigator, WinHex, and X‑Ways Imager)

Storage Device and File System Support

• A picture is worth a thousand words: The partition layout of physical storage devices is now depicted graphically below the list of partitions in the directory browser. The horizontal locations and widths of all partitions are directly proportional to the capacity of the entire storage device. It is not guaranteed that every partition will be visible because tiny partitions on a very large storage device might turn out just a few pixels wide or even rounded down to a width of 0 pixels because the representation is truly proportional and unbiased. If a suspect has set aside a dedicated partition for unlawful or suspicious content, the capacity chosen is not inflated or minimized in the depiction compared to other partitions just for the sake of easy clickability of all partitions.
  
  Partitions/volumes that are not referenced in any active partition table (usually deleted partitions) are presented in a lighter color. Partitions manually defined by the user (of WinHex/X-Ways Forensics) are depicted in a different color to make them stand out more. Areas that are not occupied by any partition are shown as hollow, with dotted outlines.
  
  Thanks to simple 3D rendering and the angle, you can still see the full width (i.e. true size) of partitions even if they partially intersect with other partitions because those are set apart. The overlapping of partitions is problematic because the question may arise which data in the affected disk area logically belongs to which partition. The depiction is intended to alert users of this issue. On Windows LDM disks, for dynamic volumes that consist of multiple discontiguous storage space fragments (on potentially more than one physical storage devices), only the start locations are hinted at, where their names appear, along with the word "spanned". The other fragments of such volumes are not shown.
  
  The partition layout depiction responds to mouse-over events, left-clicks, right-clicks and double-clicks. Large rectangles are more convenient to target with the mouse than narrow rows in the directory browser, so this feature addition may naturally change the way you explore partitions.

• Ability to decrypt BitLocker volumes in WinHex Lab Edition, X-Ways Imager, X-Ways Investigator and X-Ways Forensics. This requires that you have and enter (e.g. copy & paste) the right password or recovery key, if one of those is actually required to decrypt the volume (not in case of clearkey encryption). The option to enter a password or key is not given in X-Ways Investigator. However, X-Ways Investigator can use a password or recovery key that was already entered for a particular evidence object in a case by someone using X-Ways Forensics, so users of X-Ways Investigator can work on a case that includes BitLocker volumes if that case was properly set up for them by a colleague.

• Support for more variants of GPT LDM dynamic disks.

• Now warns when you select the physical storage device that contains the active Windows system for imaging because typical users would only want to image *other* devices and atypical users that really want to do this for backup purposes or to acquire a live system need to be aware that the partition with the Windows installation is in a state of flux while that same Windows system is running.

• Manually defined partitions are now described as user-defined in the Description column.

• NTFS: Zone.Identifier URLs in non-resident storage are now automatically included in the Metadata column. They are additionally output as child objects to get the cluster allocations right.

• Several more forms of compressed data storage in APFS are now supported in newly taken volume snapshots. Files that previously caused the "unsupported compression" message can now be opened successfully.

• Files that are marked as compressed in APFS, but are in fact not stored compressed but "inline" (resident storage), are now reliably recognized as such and can be opened normally in newly taken volume snapshots. Files marked in APFS as using "plain compression" (=no actual compression) are no longer shown with the C attribute, unlike before. These files would previously also have cause the "unsupported compression" message.

• Taking a volume snapshot of large APFS volumes is now faster.

• A rare error has been prevented, where the virtual file "BtrFS System Chunks" was erroneously reported as not readable at the very end.

X-Tension API, 3rd Party Tool Support

• X-Ways Forensics now prompts before actually executing/loading an X-Tension, in particular also when the execution is triggered through the command line, unless disabled in Options | Security.

• Users can decide whether to share their original dongle ID or BYOD license ID with with 3rd-party software (X-Tensions), in the dialog window where the nLicID is displayed.

• X-Tensions can now see the original dongle ID or BYOD license ID if the user agrees to share that information, when responding to the call of the XT_Init() function.

• Third-party tools that control X-Ways Forensics from outside via command line parameters may specify the command line parameter "GetLicID:" to find out the so-called nLicID, a hash value that uniquely identifies a dongle or a BYOD license. Nothing else will be done in a session started with that parameter, and X-Ways Forensics exits automatically. You could license your tool based on that ID and only allow use of your tool if the ID matches your expectations (if the ID is in your unlock list, if the user has a key file for that ID etc.). The first 4 bytes of the nLicID are returned as an exit code. Additionally, the full 16 bytes of the nLicID plus an 8-byte FILETIME value with the current timestamp in UTC can be written to a file whose path you designate optionally after the colon of "GetLicID:". By providing a unique, randomly generated filename, you can make extra sure that you get a freshly generated output file with an up-to-date nLicID and not a static, potentially outdated or manipulated value. And/or you can compare the first four bytes stored in the file with the exit code to make sure they match and/or check that the timestamp is not older than a second or so. If the first four bytes are all 0x00, that means that the X-Ways Forensics installation is not unlocked or that (re)writing the output file (if requested) has failed. This feature is also present in v21.4 SR-6 and later.

• Various XWF_*() functions of the X-Tension API now deal more gracefully with incorrectly supplied nItemID values and indicate failure through the return value instead of throwing an exception error. More return values now defined for XWF_GetItemSize() in particular.

• XWF_GetItemInformation() and XWF_SetItemInformation() can now retrieve and set the value in the Relevance column of a file or directory.

• The hVolume handle provided to the function XT_Prepare() and XT_Finalize() is now zero if the X-Tension is applied to the Case Root window, so that you can more easily recognize this special situation and reject use of your X-Tension if necessary. This change is also incorporated in v21.4 SR-5 and later.

• Three rarely used hash IDs have changed in the X-Tension API, six have been marked as deprecated (not recommended for use any more), SHA-512 has been added. Please see the documentation of the XWF_GetVSProp() function for the updated list.

Cryptography

• Support for the SHA-512 hash type.

• Simple checksums with a multi-byte accumulator, but using 8-bit integer additions, are now available as separate hash types, named "Checksum (8 on 16 bit)", "Checksum (8 on 32 bit)", and "Checksum (8 on 64 bit)". This renders the security option "Byte-wise checksum computation" obsolete. It has thus been removed.

• Revised hash computation and encryption algorithms, newly optimized for different processors.

• 256-bit AES encryption/decryption is now about 30% faster (even on old processors).

Text Extraction, OCR

• OCR can now optionally be restricted to picture files produced by/for certain device types, e.g. produced by a scanner, produced as a screenshots, or generated for printing, because such pictures are more likely to contain relevant text and because omitting other pictures can save time.

• Picture files for which device type recognition was unsuccessful ("unknown") or to which it was not applied because metadata extraction was not yet run or because device type recognition is not supported for the respective file type (resulting in a blank device type cell) can optionally be OCRed, too.

• OCR can now optionally also be applied to pictures if the regular conditions (file type, resolution and device type) are not met, but if text is detected by the picture content analysis.

• If OCR is applied to pictures retroactively at the end of volume snapshot refinement because the presence of text was detected in those pictures by the picture content analysis, the resulting text is immediately indexed if indexing is also selected.

• Text extracted from documents or pictures in Preview mode can now be optionally stored in the volume snapshot as well. This option is remembered separately just for Preview mode and disabled by default, so that you can experiment with different OCR settings and different PDF decoding settings and see fresh results instead of always the same text as stored in the volume snapshot after the first attempt. To access the Decoding/OCR settings specifically for Preview mode, please right-click the Text/OCR submode button.

• The Comment column can now display a preview of extracted text that is stored in the volume snapshot if so desired (depends on a new Notation setting). Such extracted text is displayed in a gray color to set it apart from actual user comments. To see more text, you can move the mouse cursor over the respective cell. The Comment filter still works only based on actual comments.

• To reset files to the "still to be processed" state selectively, as always you can select them and press Ctrl+Del. That will now also reliably discard extracted text that is stored in the volume snapshot, so that running the text decoding + OCR operations via RVS (e.g. after adjusting "PDF Requiring OCR.txt") will make another attempt.

File Type Support

• Internal graphics display library updated. (Also included in v21.4 SR-5 and later.)

• The number of picture files to which X-Ways Forensics can assign a device class or a software class has been further increased.

• The keyword "Dissemination" next to the generator signature identifies picture files that were transmitted as copies of single use, e.g. in a web browser display. The keyword "Edited" next to a JPEG generator signature identifies a copy that was provided permanently.

• Concurrent scrolling through pages of multiple PDF documents for OCR is now optional and disabled by default. This can yield more complete results for certain documents that are slow to render.

• Text in PDF files from certain sources cannot easily be decoded. It may be output incompletely or garbled or as total gibberish. Whenever in a real-life scenario you come across a series of uniform PDF files with that problem (generated by the same mechanism for the same purpose, e.g. bank account statements, invoices, product specifications, ...), so that their decoded text is not legible and searchable/indexable, you can add their creator name, producer name or generator signature to a list that X-Ways Forensics checks before decoding PDF files. If is a match with either of these properties, X-Ways Forensics will apply OCR to such files rather than attempt (presumably futile) text decoding. You can find this special option in the dialog window with the decoding settings. This is a rather technical option and therefore not available in X-Ways Investigator. Without that option, the only situation in which a PDF file is OCRed is if no text can be extracted from it at all, just like in all previous versions.
  
  The list is maintained in a file named "PDF Requiring OCR.txt" and can easily be shared with other users. The format is explained in the text file itself when it is created. It is expected in the same directory where your WinHex.cfg file and various other user-editable text files are. The generator signatures, creators and producers of PDF files can be found in and copied from Details mode. For the generator signature only the 8 hexadecimal digits are required.

• More meaningful names are given to uncovered embedded data in SQLite databases.

• Accepts certain slightly malformed zlib-compressed data.

• Thorough evaluation of DQT (quantization tables) in JPEG files.

• The device type filter now allows to focus on files for which device type identification has not been attempted, e.g. because metadata extraction has not been run or because the file type is not supported for that. Such files have a blank device type cell, which means undetermined.

Case Management

• There is now a command in the directory browser context menu that allows you to bookmark a file or directory. You can also enter an individual description. Bookmarks are useful to quickly navigate back to an item of interest. To see a list of all bookmarks in the case, use the Edit menu of the Case Data window. All bookmarks can be seen and navigated to even if the evidence objects to which they refer are not currently open. When you create a bookmark, that creates a label at the same time, which is useful for filtering and because creating a backup of the volume snapshot and restoring such a backup will back up and restore the label, but not the bookmark.

• The Edit menu of the Case Data window is now always the same and identical to the context menu of the case. Previously, if an evidence object was selected in the case tree, the Edit menu was identical to the context menu of that evidence object.

• When opening cases, more granular way to report and deal with unknown data from future versions, at the case and the evidence object levels.

• Does not so easily sacrifice (replace/overwrite) case file backups any more if changes to the current case file are small, i.e. more likely keeps older backups that are significantly different around for longer.

• The functionality to re-include all excluded items and the functionality to totally remove excluded items from the volume snapshot have been moved from the directory browser options dialog to the directory browser context menu (the "Exclude" submenu).

• More thorough consistency check for volume snapshots that detects certain problems in the cache and in the storage of extracted data.

Miscellaneous

• The Relevance column now has a filter.

• .dlg files now remember the positions of trackbar controls, like the ones for PhotoDNA sensitivity and Excire matching strictness, which they previously did not.

• The Resize dialog window that allows you to tailor offsets and sizes of carved files and search hits as needed has been revised and now remembers more settings separately for files and search hits. There is a new option to double the intended offset and size changes in bytes for search hits in UTF-16.

• The memory editor now identifies processes as either 32 bit or 64 bit.

• The "whole words only" restriction of logical searches did not work when searching for single Latin letters as ASCII/Latin 1 in extracted text that was internally stored in Unicode. That was fixed.

• The program help and the user manual were updated.

• Many minor improvements.

Changes of service releases of 21.4:

• SR-1: Fixed a sector read error that could occur in NTFS partitions in interpreted nested images since v21.1.

• SR-1: .msg files whose metadata have been extracted now respond to the Sender and Recipient filters.

• SR-1: Fixed an exception error that could occur when extracting metadata from certain PDF documents.

• SR-1: Prevented a misleading message about unknown chunks that could be seen under certain circumstances when opening cases.

• SR-2: The viewer component now remembers more display settings between sessions.

• SR-2: The default scaling mode for PDF documents is now "Fit to window" instead of "Fit to window width".

• SR-2: No longer tries to decode document files whose types cannot even be confirmed, just based on filename extension, which could yield lots of garbage characters as extracted "text".

• SR-2: More complete OCR results for certain multi-page PDF documents.

• SR-3: Slightly improved OCR quality for PDF files.

• SR-3: Fixed a very rare exception error that could occur when reading the Content created timestamp of a file from the volume snapshot under certain circumstances.

• SR-3: Fixed incomplete or missing search hit context preview for search hits in extracted text in v21.4.

• SR-3: Fixed an error that depending on the cover page settings could make X-Ways Forensics print the same file multiple times when multiple files were selected, since v21.3.

• SR-4: Fixed an error with SQLite processing that could (rarely) abort data storage in the volume snapshot.

• SR-4: When multiple threads are active dealing with SQLite databases at the same time, the creation of temporary files could fail with a misleading error description ("used by another process") provided by Windows. To address this issue, multiple re-attempts are made until the creation succeeds.

• SR-4: Fixed incorrect reporting of duplicate hash values when importing them from JSON files (Project VIC/CAID) and a potentially incomplete import from such files.

• SR-4: Fixed a rare error that could occur when converting Intel Hex data with Linux style line breaks to binary.

• SR-4: Ability to identify Windows Server 2025 as a platform.

• SR-5: Prevented unnecessary scrolling of the search term list back to the start of the list after selecting search terms and hitting the Enter key/clicking the Enter button/double-clicking.

• SR-5: Avoids that picture content analysis reports the fallback colors black and gray for incomplete JPEG pictures.

• SR-5: Prevented a rare error writing to temporary files in conjunction with certain archives, which were reported with just a question mark as the filename.

• SR-5: An automatic restart of X-Ways Forensics after a crash no longer decrements the number of remaining executions granted by an insured dongle.

• SR-5: Binary PList files with a minimal size are now processed.

• SR-5: More stable with certain rare SQLite database files.

• SR-5: Sometimes better readable floating point numbers in the output for SQLite databases.

• SR-6: Fixed misidentification of some rare .docx files as archive bombs with zip record overlaps.

Become a certified user of X‑Ways Forensics
Become an X-PERT (X‑Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X‑Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

This mailing is to announce the availability of version 21.4 with official release date Feb 17, 2025.

License owners please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the latest log-in credentials (!), details about their licenses, and upgrade or renewal offers. Please do not ask us for the download password. Your organization has access to it already if eligible, as described.

Service releases are announced in the Announcement section of the forum, and you can subscribe to instant e-mail notifications of postings in that section if you have a forum profile. You can create such a profile here (if you have our log-in credentials). If you wish or need to stick with an older version for a while, please switch to the latest service release of that version.

Upcoming Training Events

Please sign up for our training notifications here if you would like to be kept posted on future training dates.

What's new in X‑Ways Forensics 21.4?
(where applicable, changes also affect X‑Ways Investigator, WinHex, and X‑Ways Imager)

Volume Snapshot Refinement

• Text decoding and OCR are now separate and independent suboperations of volume snapshot refinement, no longer only available in conjunction with indexing. This enables you to invest time up front for these operations in preparation for accelerated future logical searches. The number of extracted characters can be seen in the Description column if "other" is enabled for that column in the Notation settings.

• It is now easier to control whether OCR is applied to only documents (most importantly certain PDF files) and/or pictures. In volume snapshot refinement, picture OCR is now part of picture analysis processing, and you can save time by not getting pictures OCRed that have a poor resolution anyway and are likely not documents.

• You do not need to enable OCR or text decoding for logical searches if you had performed these operations already during volume snapshot refinement and if the extracted text was stored in the volume snapshot. It will be searched along with the regular file contents automatically. You can still enable text decoding or OCR for the logical search if desired to decode/OCR files that were not processed that way previously.

• You do not need to enable OCR or text decoding any more when you create an index if you had performed these operations already during volume snapshot refinement previously and if the extracted text was stored in the volume snapshot. It will be indexed along with the regular file contents automatically. You can still enable text decoding or OCR in RVS when you create an index if desired to decode/OCR files that were not processed that way in the previous RVS run.

• The settings for text decoding in files are now centralized in a single dialog window so that users are less likely to overlook the special spreadsheet support feature, which was previously selectable and customizable under Options | File Viewing because it's technically related to the viewer component.

• The new method to discard previously stored decoded text and OCR-derived text from the volume snapshot and start text decoding/OCR from scratch (e.g. now with spreadsheet support enabled) is to remove the checkmark from the "Already done" box of these operations in the Refine Volume Snapshot dialog window.

• The so-called alternative (actually active by default) text extraction method for spreadsheets is now more stable and no longer requires you to keep X‑Ways Forensics in the foreground.

• More complete text decoding of Excel spreadsheet files that contain charts.

• Some internal reorganization and optimization of volume snapshot refinement, especially with multiple worker threads.

• The picture content analysis now has an even stronger impact on the computed generic relevance. For example, depending on how unusual the detected content is and the confidence of such a finding, the relevance may be increased.

• The picture content analysis is now applied to a few exotic file format variants to which it could not be applied before.

• Prevented some potential crashes during SQLite database processing.

• Improved handling of special floating point values (negative values including negative zeroes, NaNs, and infinities) in SQLite database processing.

• Under Options | Security you can now not only deliberately simulate a crash, for example to test the auto-resume feature of volume snapshot refinement or to see how an automated environment that you set up with command line parameters will behave in case of a crash, but also an exception error that is caught by the application and does not cause a crash, for example to see in which directory the error.log entry is created and what information it contains. This function continues to be available only in preview and beta releases.

• Slightly re-organized the RVS dialog window.

• Two more methods to potentially recover a hung previous instance (showing a progress indicator window) from a second instance. If you reject both, you will see the usual list of threads.

File Archive Support

• Ability to decompress files in .xz archives and in some Nullsoft .cab archives.

• Ability to deconstruct Windows executable files (EXE, DLL, ...) and Unix/Linux executable files (ELF), as if they were file archives. If you are interested in that, you can add file type designations like ,exe,dll,elf to one of the lists of file types with a check mark under Specialist | Refine Volume Snapshot | Include contents of file archives | ... They are now listed in the "Special interest" section by default, which is not actively used and mainly meant to give you ideas about file types that you could get processed if you like.

• The settings for the inclusion of files in archives in the volume snapshot can now not only be reached from volume snapshot refinement, but also from the general volume snapshot options because they are also relevant when adding archives to a case as evidence objects.

• Avoids a rare error in which a wrong password is recognized as correct for an encrypted file archive when automatically trying each entry in the provided password list.

• Specifically sped up parallelized file archive handling with multiple threads, especially for evidence objects that are very large file archives like smartphone acquisitions.

• In v21.3 and earlier, when one RVS thread was processing a file in an archive, other threads had to wait if they want to read from other files in the same archive, unless the contents of those files were already in the cache. In v21.4 other threads don't wait any more and instead proceed with other files in the volume snapshot that are not in that archive. And the thread that is busy with that archive will be tasked specifically with processing the remaining files in that archive. If the entire evidence object is a single file archive, then all threads can read files in that archive at the same time.

• Sped up extraction of certain large GZ file archives.

Picture Support

• Improved partial display of incomplete JPEG files with the internal graphics display library.

• More resilient display of corrupt/incomplete WEBP pictures with the internal graphics display library.

• Updated support for PNG and TIFF in the internal graphics display library.

• Revised recognition of the device type Scanner and the software class Twitter/X.

• Device type detection generally further refined.

Case Management

• Ability to categorize entire evidence objects as notable or irrelevant or uncategorized, via the context menu, and show them in the case tree with a corresponding icon.

• Ability to choose specifically which evidence objects to import from another case. Previously either all or all marked evidence objects were imported. The import function can also be used just to get a sneak peek into another case (its list of evidence objects with their categorizations) without loading that case entirely, which would displace the current case, and without starting a second instance, and without actually importing anything. This is entirely read-only for the other case and possible even if that other case is currently being worked on by another user.

• Improved depiction of dependent evidence objects in selection dialog windows.

• The compression algorithm used in newly added .e01 evidence files is now shown in the evidence object properties.

• Option to store the password of an encrypted .e01 evidence file in the case not only immediately when adding the image to that case.

User Interface

• French and Romanian language abbreviations of KB, MB, GB and TB units, i.e. Ko, Mo, Go, and To, are now usable even in user interface languages other than French thanks to a new option in the Notation settings, and by virtue of being part of the Notation settings they can now be turned on or off just for export/data exchange purposes if needed.

• The French translation of the user interface was revised and updated.

• ISO/IEC 80000-13 is now another notation option (KiB, MiB, GiB, TiB) in addition to the traditional and more compact Windows/JEDEC 100B.01 standard (KB, MB, GB, TB).

• Displays the word "Admin" next to the version number in the upper right corner in a session that was run as administrator, so that unaware users have a chance to become aware of that.

• After deduplicating what is listed in the directory browser, X‑Ways Forensics now restores the order of the items to what it was prior to the operation (because that order is changed internally to identify duplicates). And if the last selected file is not excluded by the deduplication, that file will automatically be re-selected afterwards.

• More simultaneously applicable cell coloring constellations result in a color mix.

• A second type of color gradient is available for cell coloring on a per-definition basis (a diagonal gradient).

• You can now generally opt for stronger gradients if desired.

• Slightly revised display of unused exFAT file allocation table entries to avoid misinterpretation.

• Dynamic e-mail columns are now responsive to processed .msg files listed in the visible part of the directory browser.

• Directory browser cell tooltips are now darker in dark mode. In particular comment tooltips are no longer displayed with a bright yellow background.

• In Preview mode you can now conveniently right-click the Text/OCR button to change text decoding settings and OCR settings, respectively.

Data Interpreter

• The Data Interpreter now optionally also translates decimal ASCII text integer representations of HFS/HFS+ and FILETIME timestamps.

• The Data Interpreter can now translate dates and times that you enter back into decimal ASCII text integer representations (for the timestamp formats for which decimal ASCII text is supported) if decimal ASCII text integer representations of dates are active. The user needs to ensure proper termination of the resulting string as needed (e.g. via a space character or line break or null character or end of file). Only possible in a data window that is not in read-only mode.

• The Data Interpreter can now translate Base64 to ASCII (one way).

• When translating dates that you enter, into binary or decimal ASCII, if you do not enter a time, this will now assume a time of 00:00:00 instead of annoying you with an error message.

• The interpretation of data at the cursor position in the status bar now supports any of the formats known from the Data Interpreter, not just integer numbers. As before, you can left-click the status bar cell with the interpretation to select the desired format. (Display of times in addition to dates will follow in SR-1.)

X-Tension API

• The X-Tension API function XWF_GetVSProp() now supports a new type of operation: XWF_VSPROP_RESET: This takes a new volume snapshot programmatically and resets that evidence object's section of the case tree.

• To leave it up to the user whether files that your X-Tension identifies as ignorable should be further processed by volume snapshot refinement, you could set the ignorable flag via XWF_SetItemInformation() in an early call of the XT_ProcessItem() function.

• X-Tensions API: Some more flags are now defined for the XWF_AddToReportTable() function.

Miscellaneous

• Ability to locate the dynamic volumes on certain LDM disks based on GPT partitioning that were not supported previously.

• The Recover/Copy command and the command to copy selected files to an evidence file container now both have the new option to also copy child objects of selected files (as separate files) only if those child objects are not e-mail attachments. That could be a useful setting if you already embed those attachments in the parent .eml file and don't want their data to be output twice.

• Option to embed e-mail attachments into the parent .eml file when copying e-mails into an evidence file container.

• The Path and Full Path filter dialog windows can now accommodate up to 4 million characters.

• It is now possible to apply logical searches only to OCR-derived text.

• Index search results now distinguish between search hits in decoded text and OCR-derived text.

• Extended support for proxy servers in BYOD+.

• The program help and the user manual were updated.

• Many minor improvements.

Changes of service releases of 21.3

• SR-1: Different shades of basic colors with unique names (e.g. deep sky blue, fuchsia, aquamarine, yellow green, khaki, dark salmon, ...) are now optionally detected in picture analysis if the box for color identification is fully checked. Special colors are always output in English and not translated to German, French, Spanish or Italian. If the box is only half checked, only basic colors are output.

• SR-1: All color names, whether a basic color or special shade, can now be optionally prefixed with the word "Color: " (language-specific), so that all color labels are listed as a contiguous block if sorted alphabetically.

• SR-1: Some less dominant colors detected in pictures are now also output.

• SR-2: Reviewing and confirming already defined bounding boxes for the search for known faces is now optional. That step is now skipped if faces are already marked in Labels.xml for all pictures in the template directory, unless forced.

• SR-2: Fixed dongle activation code processing in v21.3.

• SR-3: MD RAID handling is now more straight forward and convenient. MD RAID container partitions are now included in cases as well when adding the physical storage device that contains them or its image. That enables X‑Ways Forensics to remember the components of the reconstructed MD RAID if you add the RAID to the case as well, for when you re-open it later. The container partitions are by default not selected for recursive exploration or for volume snapshot refinement because their storage space is (hopefully) already covered, and more properly so, as part of the reconstructed RAID.

• SR-3: Prevented an exception error that could occur when copying files from evidence objects that are file archives into an evidence file container with the option to reproduce a partial path in the target container.

• SR-3: X-Tension API: XWF_VSPROP_SET_HASHTYPE1 and XWF_VSPROP_SET_HASHTYPE2 of XWF_GetVSProp() were unable to set a new hash type if no hash type was defined yet. That was fixed.

• SR-4: Fixed inability of the simple Find functions to locate data when searching upwards in certain situations.

• SR-5: Fixed extreme slowness of the recursive selection statistics in v21.3 in already recursively explored lists in certain situations.

• SR-5: Fixed a very rare infinite loop when loading certain jpeg files

• SR-5: Less abundant detection of the color gray.

• SR-5: Support for more dongle configurations.

• SR-6: Volume snapshot backups are now properly deleted when an evidence object is removed from a case.

• SR-6: Ability to import evidence objects with their volume snapshots from older cases that were created by v20.9 and earlier and use other internal subdirectory naming conventions.

• SR-6: Prevented an exception error that could occur in v21.3 when moving the mouse cursor over icons in a no longer recursively explored Case Root window.

• SR-6: Fixed potential inability to enable or disable some picture analysis and processing suboperations in v21.3.

• SR-6: Now sets specific exit codes in certain situations.

• SR-7: Remembers which hash sets in a hash database are selected for matching, in the database itself. Thus for this reason and general consideration, to get consistent results with automated command line execution it is recommended to not use a hash database that is shared with active users who may change the selection.

• SR-7: Improved JPEG size detection in the presence of empty COM markers, which may be required to be able to display the picture.

• SR-8: Prevents that users use the installation directory itself directly for temporary files.

• SR-8: Ability to identify RAR and 7z archives with full filename encryption as encrypted if no matching password is supplied.

• SR-8: The optional alternative extended timestamp interpretation for zip archives had no effect since v20.6. That was fixed.

• SR-8: "Find duplicates in list" did not always identify all duplicates if extra criteria were selected or if name was the primary criterion for comparisons.

• SR-8: Fixed a problem extracting attachments from certain original .eml files or MBOX e-mail archives in v21.1 and later.

• SR-9: Improved compatibility with proxy servers in BYOD+.

• SR-9: Fixed failing automatic restart of RVS in a special situation.

Become a certified user of X‑Ways Forensics
Become an X-PERT (X‑Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X‑Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.