#122: WinHex, X-Ways Forensics, X-Ways Investigator 16.1 released
Jul 17, 2011
This mailing is to announce the release of a noteworthy update,
v16.1.
WinHex evaluation version:
http://www.x-ways.net/winhex.zip (also the correct download
link for anyone with a personal, professional, or specialist
license)
Owners of X-Ways Forensics/X-Ways Investigator and licensed
users whose update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for download
links, log-in data, update maintenance, upgrade offers, and
more. Note that licensed users of X-Ways Forensics with active
update maintenance can conveniently find all older versions for
download if needed.
Please be advised that if you are interested in receiving
information about service releases of v16.1 when available, you
can create an account on the support forum and enable e-mail
notification of postings in the Announcement section:
http://www.winhex.net.
Upcoming X-Ways Forensics & File Systems Training
London, UK: Oct 25-27, 2011
Hong Kong, Nov 1-3, 2011
More information
Events are also posted on our
Facebook page.
What's new in v16.1?
-
X-Ways Forensics can now process Exchange
EDB databases and extract user mailboxes with their e-mail,
attachments, contacts, appointments and tasks. Requires
X-Ways Forensics to run under Windows Vista or later. Still
in a testing stage, and can be very slow for huge databases.
File editing and tools
-
Ability to edit files without using
operating system file write commands, directly on a disk/in
a raw disk image in any file system supported, even if not
supported by Windows, even files not seen by Windows (e.g.
deleted files), even in partitions not seen by Windows (e.g.
damaged or deleted ones), without changing any timestamps or
attributes, in in-place mode. For this new editing
capability, the file must be opened from within the
already opened volume that contains it, via the Open command
in the directory browser context menu or in File mode
(forensic license only). Compressed files or generally files
within other files (e.g. e-mails and attachments in e-mail
archives) cannot be edited, except in an evidence file
container if they have been copied there from the original
disk/image.
Previously it was only possible to edit files when opened
via File | Open, using operating system file write commands
or indirectly by editing disk sectors. In File mode
(forensic license only) and when opening files from within
already opened volumes, the only available mode so far was
read-only mode. All of this has changed. Note that files
cannot be shortened or expanded that way, only the data in
already allocated areas can be modified. Editing files
opened directly from within disks/raw images as described
above is possible in WinHex only, not in X-Ways Forensics or
X-Ways Investigator, where sector level write access (to
which file editing is internally translated) is disabled and
where the only mode available for disks and interpreted
images and files opened from within volumes continues to be
read-only mode. For owners of a license for X-Ways
Forensics, this change only affects the special WinHex
version that they receive additionally, not X-Ways Forensics
itself.
In forensic computing, electronic discovery and IT security,
the new edit capability can be helpful to manually redact
(e.g. overtype) specific data that should not be
examined/disclosed/seen or to securely erase specific areas
within files (e.g. define as a block and fill the block).
Note that evidence file containers are raw images if they
have not been converted to the .e01 evidence file format and
thus allow for retroactive file editing, which, however, will
invalidate any accompanying hash values. It is even possible
to edit directories, i.e. the clusters with directory data,
e.g. INDX buffers in NTFS, for example if you need to redact
the names of certain files.
-
New file wiping functionality for files
and directories that are selected in the directory browser,
via a command in the context menu. The data in the logical
portion of a file (i.e. excluding the file slack) and the
major data structures of a directory (such as INDX buffers
in NTFS and directory entries in FAT) will be
erased/overwritten with a hex value pattern of your choice.
The existence status of the file in its file system will not
be changed. No file system level metadata such as timestamps
or attributes will be updated because no operating system file
level write commands are used. No file system data
structures are changed, and no filenames will be erased,
only the contents of files will be overwritten. Compressed
files or generally files within other files (e.g. e-mails
and attachments in e-mail archives) cannot be erased.
Previously existing files whose clusters are known to have
been reused will not be erased. Note that by erasing deleted
files you might erase data in clusters that belong to other
files, so only select existing files if you want to avoid
that (assuming consistent file systems). Also note that by
erasing carved files you may erase too much or not enough
data, depending on the detected file size and depending on
whether the file was originally fragmented. This
functionality is only available in WinHex, not in X-Ways
Forensics.
Useful for example if copies of images are forwarded to
investigators/examiners who are not allowed to see the
contents of certain files. Useful also if you have to return
computer media on which child pornography has been found to
the owner after clearing these files. Also useful if you are
preparing images for training purposes that you would like
to publish and would like to retroactively erase the
contents of copyrighted files (e.g. operating system or
application program files).
Both successfully erased files and files that could not be
successfully erased will be added to separate report tables
by which you can filter to verify the result.
-
Cool new function to create hard links of
files on NTFS volumes. Useful for example to play around
with hard links during our File Systems Revealed training,
or if you would like to add the same image to the same case
again, which is only possible under a different name. The
hard links will be created in the same directory and of
course can be renamed and moved by you after they have been
created. Tools | Disk Tools | Create Hard Link.
Case management
-
More powerful and convenient batch
processing thanks to an option to automatically trigger
logical searches (previously only indexing) after volume
snapshot refinement and thanks to an option to trigger the
volume snapshot refinement (and therefore indirectly also
logical searches) immediately after adding images to the
case. That means you click through all the dialog windows
initially and then run the selected operations without
further user interaction. The operations will be run in this
order: First all images are added to the case. Then the
volume snapshots will be taken and refined if selected.
After that, for selected evidence objects (previous or newly
added ones) a logical search will be run if selected.
Finally for each selected evidence object an index can be
created.
-
Ability to invoke the menu commands to
refine volume snapshots and run logical searches in selected
evidence objects even when no data window is open at that
time. As always, these operations will open data windows
themselves when needed and close them automatically when no
longer needed, to avoid unnecessary main memory utilization
by loaded volume snapshots.
-
A new case tree context menu command that
allows you to export any portion of the tree to a Unicode text
file. The tree will be represented exactly in its current
state of expansion and can span all evidence objects. To
export a subtree, right-click a directory while holding the
control key. Use a fixed font to view the text file.
Remember that to fully recursively expand a portion of the tree
that you want to export, you can click the root of that
portion and press the asterisk (multiplication) key on the
numeric keypad.
-
Ability to change the order of evidence
objects in the case tree, via the properties dialog window,
except for "dependent" evidence objects (partitions that
belong to a physical disk).
-
Shorter and language-independent case
subdirectory names in all cases created by v16.1 and later.
-
More convenient procedure when the path
or drive letter of an image in a case has changed,
especially if the image was added to the case in v16.1 and
later and you have updated the standard directory for images
in the General Options already.
-
Notification when opening a case if it
can only be opened as read-only because of the read-only
file attribute or because of insufficient file permissions.
Images
-
Ability to interpret VMware's Virtual
Machine Disk images (VMDK) in addition to .e01 evidence
files, raw/dd images, ISO images and VHD images.
-
Ability to automatically hibernate the
system after disk imaging, image restoration and disk
cloning. (Previously the only option was to shut down the
system.) If Windows signals that hibernation fails, X-Ways
Forensics will instead try to shut down the system.
-
Imaging with compressed .e01 evidence
files as the output format accelerated for disks that
contain large areas of binary zeroes, for example because
they were wiped by the user at some time or zeroed out by the
manufacturer and never completely filled.
-
New "sparse" compression option for .e01
evidence files that only compresses large areas of zero
value bytes in a very efficient way.
-
Additional information included in
imaging log.
Registry viewer
-
Additional edit window in the registry
viewer that tells you the logical size of the selected value
and the size of its slack. It also interprets registry
values of the following types, as known from the registry
report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order (menu),
ViewView2, SlowInfoCache, IconStreams (Tray notifications),
UserAssist, Timestamps (FILETIME, EPOCHE, Epoche8),
MountedDevices, OpenSavePidlMRU, LastVisitedPidlMRU, and
more. The new edit window now also displays the access
rights/permissions of the registry keys if (Default) is
selected.
-
New special table "External Memory
Device" included in registry report that can be retrieved
from Software hives of Windows Vista and later that lists
external media with access timestamps, hardware serial
number, volume label, volume serial number and volume size
(size often only under Vista). Select the definition file
"Reg Report Devices.txt" to get the table.
-
New special table in the registry report
called "Browser Helper Objects", compiled with data from the
hives NTUSER.DAT and SOFTWARE, about browser usage.
-
New Export List command in the registry
viewer context menu allows you to export all values in the
selected hive to a tab-delimited text file.
-
Several small improvements in the
registry viewer/report.
Miscellaneous
-
New version of the internally used
graphics viewing library.
-
New version of the internally used
library for archive decompression.
-
Many additional file signature
definitions, mostly for file type verification only.
-
The thorough file system data structure
search will now check for INDX buffers for index records
referencing existing files that are not referenced in the
$MFT any more because the $MFT is in a corrupt or incomplete
state, for example because the image is incomplete.
-
The metadata extraction functionality has
been removed from the directory browser context menu. It is
now part of the Refine Volume Snapshot command and thus
cannot be applied to selected files any more, but to either
all files, tagged files or not hidden files.
-
You can now conveniently close viewer
windows (whose contents are provided by the viewer
component) by hitting the Esc key on your keyboard.
-
It is now possible to close filter
dialogs by clicking the "x" in the upper right corner or by
pressing Alt+F4 without deactivating the filter if it's
active and without losing selection and scroll position in
the directory browser.
-
When using the Recover/Copy command and
the output filename has to be shortened to fit in the
maximum path length specified by the user, the filename is
now shortened in a nicer way, by preserving the extension
whenever possible. (forensic license only)
-
Indexing slightly accelerated.
Changes of v16.0 SR-1 to SR-11:
SR-1
SR-2
SR-3
-
Filenames are now maintained whenever
possible when copying files off the evidence objects for
inclusion in the case report.
-
Larger Windows system fonts now have an
effect also on the directory browser.
-
WinHex and X-Ways Forensics never
supported recognition of date order if the date format was
specified in Windows with only single-digit days or months
(e.g. d.m.yyyy or m/d/yy). That was fixed.
-
Script command "Find" can now run a
case-insensitive search even if the search term is a
variable.
SR-4
-
The style "level 5 forward parity
dynamic" could not be selected when reconstructing RAIDs
since v15.8. That was fixed.
-
Exception errors avoided in metadata
extraction.
-
In v16.0, X-Ways Forensics did not
correctly resolve usernames when adding evidence objects
with Windows installations to the case. That was fixed.
SR-5
-
File header signature searches in v16.0
did not find file types whose signatures were defined at
relative offsets larger than 0. That was fixed.
-
Unicode support in registry hives further
completed, now also covers usernames and the Owner column in
the directory browser.
-
Support for Windows Image Acquisition
folder MRU in registry report.
-
The option to not overwrite an already
existing index when starting to index again did not work.
That was fixed.
SR-6
SR-7
SR-8
-
Fixed memory leak in particularly
thorough file system data structure search for ReiserFS file
systems.
-
Some memory-intensive functions were slow
in SR-7. That was fixed.
-
Minor fix for dealing with NTFS volumes
in excess of 2 TB.
-
Some minor improvements.
SR-9
-
Support for larger sector numbers in
Tools | Disk Tools | Set Disk Parameters.
-
Special registry table "Attached devices
by serial number" was incomplete in v16.0 SR-8. That was
fixed.
-
Able to cope with certain malformed
multi-part e-mail messages.
SR-10
-
Fixed a problem with illegal filenames
when copying files off the image for inclusion in the
report.
-
Updated registry report definition files.
-
Ability to extract creation dates from
e-mail messages with a Microsoft FILETIME date.
SR-11
-
An error was fixed in the file header
signature search in v16.0 that could occur with some
signatures when searching at the byte level.
-
Avoided a rare error that could
apparently occur when interpreting evidence file containers
that contained files without names.
-
Avoided an exception error that could
occur when taking a snapshot of large Ext4 volumes with many
inodes and small blocks.
-
Disk cloning did not report the complete
number of sectors copied correctly if over 2 TB. That was
fixed.
-
Ready to open case files created by
v16.1.
-
Some minor fixes and improvements.
Thank you for your attention! We hope to see you soon
somewhere on
http://www.x-ways.net or on our
Facebook page.
Please forward this newsletter to anyone who you think will be
interested.
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany
#121: WinHex, X-Ways Forensics, X-Ways Investigator 16.0 released
Apr 26, 2011
This mailing is to announce the release of a noteworthy update,
v16.0.
WinHex evaluation version:
http://www.x-ways.net/winhex.zip (also the correct download
link for anyone with a personal, professional, or specialist
license)
Owners of X-Ways Forensics/X-Ways Investigator and licensed
users whose update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for download
links, log-in data, update maintenance, upgrade offers, and
more. Note that licensed users of X-Ways Forensics with active
update maintenance can now conveniently find all older versions
for download if needed.
Please be advised that if you are interested in receiving
information about service releases of v16.0 when available, you
can create an account on the support forum and enable e-mail
notification of postings in the Announcement section:
http://www.winhex.net.
Upcoming X-Ways Forensics & File Systems Training
London, UK: May 9-13, 2011
Washington DC, May 23-27, 2011
Hong Kong, Nov 1-3, 2011
More information
Events are also posted on our
Facebook page.
What's new in v16.0?
-
There is no performance penalty any more
for selecting many or all file types for the file header
signature search. File header signature searches are now
considerably faster and basically limited in speed only by
the medium from which the data is read.
-
Tools | Disk Tools | Clone Disk now
allows for reverse disk cloning and reverse disk imaging
(requires a specialist or forensic license). Useful if
the disk to acquire has severe physical defects that for
example cause a disk imaging program or the entire Windows
system to freeze or crash when reaching a certain sector. In
such a case you can create an image in reverse order, by
reading sectors from the end of the disk backwards, and it
is even possible to automatically fill an existing
incomplete ordinary ("forward") image additionally backwards
to get an image that is as complete as possible, with only a
small zeroed gap somewhere in the middle that represents the
unreadable damaged spot on the source hard disk. Yes, X-Ways
Forensics is quite a sophisticated disk imaging tool not
only because of its speed, and we would like to remind
everyone that additional dongles just for disk imaging are
available for much less than the cost of a full license (see
here).
-
With the additional dongles for X-Ways
Forensics just for disk imaging (details)
you can now additionally use the Tools | Disk Tools | Clone
Disk functionality.
-
Ability to interpret data in the text
column as text encoded in an arbitrary code page. That is
very useful for East Asian code pages, Eastern European code
pages and UTF-8 if the text is found outside of files that
can be nicely viewed by the viewer component, e.g. floating
around in free drive space. The character set/code page for
the text column can now be selected via View | Character
Set. Please note that you may need to select a font in
General Options that contains all characters that you intend
to read, and for East Asian characters you need to have
support for these kinds of languages installed in Windows.
The ability to select the character set/code page for
Disk/Partition/File mode is now tentatively available also
in X-Ways Investigator.
-
Ability to view Windows Vista and Windows
7 event log files (.evtx), based on work by Andreas
Schuster.
-
Completely revised and more robust
registry hive handling. Ability to find deleted keys
and values in hives that contain unused space and lost
keys/values in damaged/incomplete hives. In the report,
deleted values are highlighted in red. If no complete path
is known for keys, they will be listed as children of a new
virtual key called "Path unknown".
-
Analysis of free space in registry hives
with the report definition file "Reg Report Free Space.txt".
The free space can be as large as several MB, especially as
a consequence of the use of virus scanners and registry
cleaning programs.
-
Registry value slack has a relevant size
in NTUSER.DAT hives. This fact is now exploited with 2
measures:
1) If the slack contains text strings, it will be output in
the registry report (in green). This new feature can
optionally be turned off in the registry viewer context menu.
2) For values that contain item lists (i.e. are binary) you
can use the "Reg Report Free Space.txt" definitions; the
registry report will then output lists of filenames with
timestamps in green. The first timestamp is an access date,
the second one is a creation date. If no timestamps can be
output, these are artifacts from "RecentDocs".
-
The registry viewer now allows you to
recursively explore all the keys and values in a hive and
sort them in a chronological order.
-
The search function in the registry
viewer is now more thorough and robust.
-
Better Unicode support in the registry
report for registry hives from computers in Asia.
-
Tray notifications artifacts from Windows
7 registry hives are now supported and decoded. The
timestamps render these artifacts useful for computer
forensics. Further improved support for shell bags.
-
Windows registry report: New data type %I
(ITEM list) covers not only Shell Bag (as in previous
versions), but also for example desktop shortcuts. Format
adjusted for Windows Vista and 7.
-
Ability to customize the notation of
dates, times, and numbers (see new button in Options |
General). Useful to be independent of the settings of the live
system that you want to preview. Ability to display years
with 2 digits only.
-
The option to display fractions of
seconds in high resolution timestamps has been moved from
the directory browser options to the new notation options.
The option to display the time zone bias has also been moved
to the notation options.
-
Ability to open an evidence object even
if the disk or image is not currently available, via a
special command in the evidence object's context menu, to
see the volume snapshot. That means you can see all the file
metadata stored in the volume snapshot (filename, path, file
size, timestamps, attributes, etc.), can use all filters
etc., but cannot see any data in sectors and cannot
open/view any files.
-
Improved thumbnails extraction from
Windows Vista's and Windows 7's thumbcache_*.db files.
Ability to assign original filenames, file paths, and
modification timestamps to certain thumbnails that were
previously just named with a 16-digit hex number.
-
When switching from File mode to
Partition/Volume mode, X-Ways Forensics will now
automatically point you to the offset from the point of view
of the partition/volume that is equivalent to the offset
within the file where the cursor was positioned last, even
if the file is fragmented, if there is an equivalent
position (not if the file is a compressed or virtual
attached file or an extracted e-mail message or an exported
video still etc.).
-
Ability to specify the directory in which
to create a case when creating a new case, for that
particular case only.
-
Directories with search hits that are
copied from a search hit list now receive a special name
when they are created as files in the output folder.
-
Sorting by search term count column has
been accelerated.
-
Fixed an exception error that could occur
when extracting metadata from carved MP4 and ASF files.
-
Hash database functions internally
reworked. When importing the NSRL RDS hash database, X-Ways
Forensics now checks for records with the flags "s"
(special) and "m" (malicious) so that these hash values are
not erroneously included in the same internal hash set that
should be categorized as irrelevant.
-
It is now possible to abort lengthy sort
operations. The directory browser is now unsorted after
start-up by default. This new behavior can be turned off in
the directory browser options.
-
The grouping options now have an effect
even if the directory browser is not sorted.
-
The report table filter has a new option
that allows you to additionally include siblings of the
associated files, i.e. files in the same directory as the
files that are part of the selected report table(s). Useful,
especially when exploring recursively and sorting by path,
to check whether there are any further notable files in the
neighborhood.
-
Ability to optionally also add any known
duplicates of the selected file(s) in the same evidence
object to a report table (files which have been identified
as duplicates based on hash values and marked as such in the
Attr. column).
-
New investigator.ini option +38 allows you to
prevent imports of report table associations.
-
Ability to identify animated GIFs.
Animated GIFs will be added to a special report table during
the file type verification.
-
Support for two new zip subtypes: APK
Android smartphone packages and KEY Apple iWork keynote
presentation files.
-
Many minor improvements.
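The reverse imaging idea described above (a forward pass up to the
damaged spot, then a backward fill from the end of the disk), as an
added Python sketch. It is not X-Ways code; FlakyDisk, the 512-byte
sector size and all function names are hypothetical, and the source
disk is constructed in memory.

```python
import io

SECTOR = 512  # assumed sector size of the constructed source


class FlakyDisk:
    """Constructed stand-in for a source disk with unreadable sectors."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.total = len(data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise IOError("unreadable sector %d" % n)
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def make_sample_disk(bad_sectors, sectors=16):
    """Constructed sample: sector n is filled with byte n+1 (never zero)."""
    data = b"".join(bytes([n + 1]) * SECTOR for n in range(sectors))
    return FlakyDisk(data, bad_sectors)


def forward_pass(disk, image):
    """Ordinary imaging: copy sectors 0, 1, 2, ... until the first read
    error. Returns the number of the first sector that was NOT copied."""
    n = 0
    while n < disk.total:
        try:
            buf = disk.read_sector(n)
        except IOError:
            break
        image.seek(n * SECTOR)
        image.write(buf)
        n += 1
    return n


def reverse_pass(disk, image, stop_at):
    """Reverse imaging: copy sectors from the end of the disk backwards,
    never going below stop_at, until the first read error. Can be run on
    an existing incomplete forward image. Returns the lowest sector
    number that was copied (disk.total if none was)."""
    n = disk.total
    while n > stop_at:
        try:
            buf = disk.read_sector(n - 1)
        except IOError:
            break
        image.seek((n - 1) * SECTOR)
        image.write(buf)
        n -= 1
    return n


def acquire(disk):
    """Forward pass plus backward fill. Returns (image_bytes, gap), where
    gap = (first, end) is the half-open sector range left zeroed.
    Readable sectors lying between two bad ones stay inside the gap;
    this two-pass scheme does not probe the interior of the gap."""
    image = io.BytesIO(bytes(disk.total * SECTOR))  # pre-zeroed target
    gap_start = forward_pass(disk, image)
    gap_end = max(reverse_pass(disk, image, gap_start), gap_start)
    return image.getvalue(), (gap_start, gap_end)


if __name__ == "__main__":
    img, gap = acquire(make_sample_disk({6, 7, 8}))
    print("zeroed gap: sectors %d to %d" % (gap[0], gap[1] - 1))
```

Record the returned gap range with the image: hash values computed over
such an image describe the image, not the complete source disk.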
Changes of v15.9 SR-1 to SR-8:
SR-1:
-
General support for sector sizes up to 8
KB (previous maximum: 4 KB).
-
Support for GPT partitioning on media
with 4 KB and 8 KB sector sizes.
-
Ability to deal with HFS+/HFSX volumes on
media with sector sizes larger than 2 KB, as seen in iPhones
and iPads.
-
Ability to auto-detect the sector size in
raw images of GPT-partitioned disks with sector sizes of 4 KB
and 8 KB.
-
Ability to auto-detect the sector size in
most raw images of MBR-partitioned disks with a sector size
of 4 KB.
-
Partial progress of volume snapshot
refinements is now saved when the case auto-save interval
elapses.
SR-2:
-
The "List 1 hit per file only" option did
not work correctly in v15.9. This was fixed.
-
Improved function to delete duplicate
search hits. When in doubt, X-Ways Forensics will now keep
the longer search hit (as a hit for "Smithsonian" for
example is more specific than "Smith") and favors search
hits in existing files.
-
Accelerated time to list millions of
search hits.
-
The Open Disk dialog window was wrong
when not working with a case. That was fixed.
SR-3:
-
The hash set filter did not work in
v15.9. That was fixed.
-
Avoided an exception error that could
occur under certain circumstances when running a byte-level
signature search.
-
If the context preview of search hits in
files in large archives is too slow, it can now be disabled
by unselecting the existing option "Gallery: Show pictures
in archives".
SR-4:
-
Avoided an exception error that could
occur when the case root window was automatically opened at
start-up.
-
Avoided (potentially annoying, but
harmless) messages that could be displayed by Windows when
working with images on write-protected drives.
-
Fixed an error that could occur when
loading volume snapshots with more than 6 million objects.
-
Drive letters were missing in the special
tables of the registry report in earlier releases of 15.9.
That was fixed.
SR-5:
SR-6:
-
Avoids an exception error that occurred
in v15.9 SR-5 when trying to refine the volume snapshot
without a case.
-
Fixed erroneous disappearance of
partitions in the case tree when removing hidden items from
the volume snapshot of a physical disk.
-
Avoided an exception error that could
occur when starting to use the Recover/Copy functionality.
-
Fixed an error that occurred with .e01
evidence files that have more than 775 segments.
-
Japanese translation updated.
SR-7:
-
HFS+ partition size detection on disks
with Apple partition table fixed.
-
Ability to deal with volumes with cluster
sizes of more than 128 sectors, which seem to be not
uncommon in the exFAT file system.
-
Fixed an exception error that could occur
in certain situations with the new v15.9 search algorithm.
-
In WinHex 15.7 through 15.9 with a
specialist license, the simultaneous search function was
unable to run a case-insensitive search correctly. That was
fixed.
-
Improved handling of the internal volume
snapshot files if reading or writing these files fails
because of insufficient drive space or other system
resources, file system errors, or other reasons.
-
More complete assignment of drive letters
in the "Attached Devices" section of the registry report.
SR-8:
-
Internal technical information about .e01
evidence files was potentially included more than once in
the evidence object properties before. That was fixed.
-
Windows 7 compatible import of regional
settings (date format).
What to expect in v16.1?
Support for Exchange EDB e-mail databases, and more! Please
check
the forum for a preview version next week!
Thank you for your attention! We hope to see you soon
somewhere on
http://www.x-ways.net or on our
Facebook page.
Please forward this newsletter to anyone who you think will be
interested.
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany
#120: WinHex, X-Ways Forensics, X-Ways Investigator 15.9 released
Jan 25, 2011
This mailing is to announce the release of a noteworthy update,
v15.9.
WinHex evaluation version:
http://www.x-ways.net/winhex.zip (also the correct download
link for anyone with a personal, professional, or specialist
license)
Owners of X-Ways Forensics/X-Ways Investigator and licensed
users whose update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for download
links, log-in data, update maintenance, upgrade offers, and
more.
Please be advised that if you are interested in receiving
information about service releases of v15.9 when available, you
can create an account on the support forum and enable e-mail
notification of postings in the Announcement section:
http://www.winhex.net.
Upcoming X-Ways Forensics & File Systems Training
London, UK: May 9-13, 2011
More information
Events are also posted on our
Facebook page.
What's new in v15.9?
-
Three main improvements were already
announced in newsletter issue #119b for v15.9 Beta:
1) the sophisticated new search algorithm that tremendously
accelerates conventional (non-index) searches with many
search terms and search variants,
2) the new directory browser columns with search terms and
search term counts,
3) the greatly improved registry report.
Since then, the following additional improvements have been
made:
-
Ability to export report table
associations created in an evidence file container, such
that they can be imported back into the original case. That
means when you split up the workload in large cases across
multiple investigators who work simultaneously, you can now
automatically and more easily reconcile their results!
-
It is also now possible to export report
table associations from original evidence objects (not
containers), so even when not working with containers,
multiple examiners can work with their own copy of the same
case and exchange results with each other or reconcile all
results in the main copy of the case, all that by exporting
and importing report table associations.
-
Both aforementioned commands, the export
and import of report table associations, can be found in the
context menu of the case tree. Export is supported at the
case and evidence object level, import at the case level.
Please note that you cannot import report table associations
in the original case any more if you have taken a new volume
snapshot after the creation of the evidence file
container(s) or if you have removed objects from the volume
snapshot.
-
Ability to display the name of the
evidence object where SID/username combinations were
found, if recorded.
-
Attachments can now be embedded in their
respective .eml parent files also when creating a case
report, not only when using the Recover/Copy command.
-
Usage of the option to embed attachments
in .eml files as Base64 code already when extracting e-mail
from e-mail archives had been discouraged for some years.
The option has now finally been completely removed as it
became obsolete.
-
Ability to carve, confirm, and view
Outlook 2011 for Mac e-mails and extract attachments from
them.
-
Better prepared for certain PST files.
-
Filter for the new search term column
introduced.
-
Displays the number of search hits that
would be listed based on current settings for search terms
if they were selected.
-
The standard registry report definition
file was split into 8 parts, so that any time you create the
report you can choose which parts you need. As before, you
can change the definition files as you see fit, or create
your own ones for specific purposes/for different kinds of
cases.
-
When matching hash values against the
hash database, if X-Ways Forensics finds a hash value in
different hash sets that belong to different categories, a
warning is output (since v15.6). Now it is guaranteed that
the category that is returned in such a case is always
"notable".
-
Ability to convert Motorola S files to
binary that define data in a range of more than 2 GB.
-
Several minor improvements.
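The hash category rule above (a hash value found in hash sets of
different categories is always returned as "notable"), together with
the NSRL RDS import check from the v16.0 notes (records flagged "s" or
"m" are kept out of the irrelevant set), as an added Python sketch.
It is not X-Ways code; the function names are hypothetical, the column
layout follows the RDS 2.x NSRLFile.txt header as an assumption, and
the sample records are constructed.

```python
import csv
import hashlib
import io

IRRELEVANT, NOTABLE = "irrelevant", "notable"

# Assumed NSRLFile.txt (RDS 2.x) column layout.
RDS_COLUMNS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
               "ProductCode", "OpSystemCode", "SpecialCode"]


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


# Constructed file contents; their hashes are computed, not real NSRL data.
GOOD_FILE = b"constructed known-good system file"
MAL_FILE = b"constructed malicious tool"
SPECIAL_FILE = b"constructed special file"


def build_sample_rds():
    """Build a small constructed RDS-style CSV text with one unflagged,
    one "M"-flagged and one "S"-flagged record."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    writer.writerow(RDS_COLUMNS)
    for content, name, flag in [(GOOD_FILE, "good.dll", ""),
                                (MAL_FILE, "tool.exe", "M"),
                                (SPECIAL_FILE, "special.bin", "S")]:
        writer.writerow([sha1_hex(content), hashlib.md5(content).hexdigest(),
                         "00000000", name, len(content), 1, "WIN", flag])
    return out.getvalue()


def import_rds(text):
    """Split RDS records into the irrelevant hash set and flagged hashes.
    Records flagged "s" or "m" never enter the irrelevant set. Returning
    them separately for review is this example's choice (assumption)."""
    irrelevant, flagged = set(), {}
    for row in csv.DictReader(io.StringIO(text)):
        digest = row["SHA-1"].upper()
        flag = row["SpecialCode"].strip().lower()
        if flag in ("s", "m"):
            flagged[digest] = flag
        else:
            irrelevant.add(digest)
    # Assumption: a hash listed both flagged and unflagged is not known-good.
    irrelevant.difference_update(flagged)
    return irrelevant, flagged


def categorize(digest, hash_sets):
    """hash_sets maps set name -> (category, set of hashes).
    Returns (category, matching set names, conflict). When the matching
    sets disagree, the category is "notable" and conflict is True so
    that the caller can output a warning."""
    matches = [(name, cat) for name, (cat, members) in hash_sets.items()
               if digest in members]
    if not matches:
        return None, [], False
    categories = {cat for _, cat in matches}
    category = NOTABLE if NOTABLE in categories else IRRELEVANT
    names = sorted(name for name, _ in matches)
    return category, names, len(categories) > 1


def demo():
    """Import the constructed RDS and match hashes against two sets."""
    irrelevant, flagged = import_rds(build_sample_rds())
    hash_sets = {
        "NSRL": (IRRELEVANT, irrelevant),
        # Constructed case-specific set that also lists the good file.
        "case-notable": (NOTABLE, {sha1_hex(GOOD_FILE)}),
    }
    return {
        "good": categorize(sha1_hex(GOOD_FILE), hash_sets),
        "malicious": categorize(sha1_hex(MAL_FILE), hash_sets),
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(demo())
```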
Changes of v15.8 SR-5 to SR-7:
-
Recover/Copy: Now the same options that
are known from the normal directory browser are also
available when copying files from a search hit list. For
example, you can automatically copy child objects of
selected files and embed attachments in .eml parent files.
-
Error messages in message boxes are now
additionally logged in messages.txt.
-
Fixed inability of v15.8 to correctly
convert volume snapshots of certain earlier versions.
-
Improved processing of .mht files.
-
Fixed a memory leak in e-mail extraction.
-
The external virus check did not work
correctly (and informed the user about that) in v15.6
through v15.8. This was fixed.
Thank you for your attention! We hope to see you soon
somewhere on
http://www.x-ways.net or on our
Facebook page.
Please forward this newsletter to anyone who you think will be
interested.
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany