WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

 

#122: WinHex, X-Ways Forensics, X-Ways Investigator 16.1 released

Jul 17, 2011

This mailing is to announce the release of a noteworthy update, v16.1.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can conveniently find all older versions for download if needed.

Please be advised that if you are interested in receiving information about service releases of v16.1 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net.


Upcoming X-Ways Forensics & File Systems Training

London, UK: Oct 25-27, 2011
Hong Kong, Nov 1-3, 2011
More information
Events are also posted on our Facebook page.


What's new in v16.1?

  • X-Ways Forensics can now process Exchange EDB databases and extract user mailboxes with their e-mail, attachments, contacts, appointments and tasks. Requires X-Ways Forensics to run under Windows Vista or later. Still in a testing stage, and can be very slow for huge databases.

File editing and tools

  • Ability to edit files without using operating system file write commands, directly on a disk/in a raw disk image in any file system supported, even if not supported by Windows, even files not seen by Windows (e.g. deleted files), even in partitions not seen by Windows (e.g. because damaged or deleted), without changing any timestamps or attributes, in in-place mode. For this new editing capability, the file must be opened from within the already opened volume that contains it, via the Open command in the directory browser context menu or in File mode (forensic license only). Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be edited, except in an evidence file container if they have been copied there from the original disk/image.

    Previously it was only possible to edit files when opened via File | Open, using operating system file write commands or indirectly by editing disk sectors. In File mode (forensic license only) and when opening files from within already opened volumes, the only available mode so far was read-only mode. All of this has changed. Note that files cannot be shortened or expanded that way, only the data in already allocated areas can be modified. Editing files opened directly from within disks/raw images as described above is possible in WinHex only, not in X-Ways Forensics or X-Ways Investigator, where sector level write access (to which file editing is internally translated) is disabled and where the only mode available for disks and interpreted images and files opened from within volumes continues to be read-only mode. For owners of a license for X-Ways Forensics, this change only affects the special WinHex version that they receive additionally, not X-Ways Forensics itself.

    In forensic computing, electronic discovery and IT security, the new edit capability can be helpful to manually redact (e.g. overtype) specific data that should not be examined/disclosed/seen or to securely erase specific areas within files (e.g. define as a block and fill the block). Note that evidence file containers are raw images if they have not been converted to the .e01 evidence file format and thus allow for retroactive file editing, which, however, will invalidate any accompanying hash values. It is even possible to edit directories, i.e. the clusters with directory data, e.g. INDX buffers in NTFS, for example if you need to redact the names of certain files.

  • New file wiping functionality for files and directories that are selected in the directory browser, via a command in the context menu. The data in the logical portion of a file (i.e. excluding the file slack) and the major data structures of a directory (such as INDX buffers in NTFS and directory entries in FAT) will be erased/overwritten with a hex value pattern of your choice. The existence status of the file in its file system will not be changed. No file system level metadata such as timestamps or attributes will be updated because no operating system file level write commands are used. No file system data structures are changed, and no filenames will be erased, only the contents of files will be overwritten. Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be erased. Previously existing files whose clusters are known to have been reused will not be erased. Note that by erasing deleted files you might erase data in clusters that belong to other files, so only select existing files if you want to avoid that (assuming consistent file systems). Also note that by erasing carved files you may erase too much or not enough data, depending on the detected file size and depending on whether the file was originally fragmented. This functionality is only available in WinHex, not in X-Ways Forensics.

    Useful for example if copies of images are forwarded to investigators/examiners who are not allowed to see the contents of certain files. Useful also if you have to return computer media on which child pornography has been found to the owner after clearing these files. Also useful if you are preparing images for training purposes that you would like to publish and would like to retroactively erase the contents of copyrighted files (e.g. operating system or application program files).

    Both successfully erased files and files that could not be successfully erased will be added to separate report tables by which you can filter to verify the result.

  • Cool new function to create hard links of files on NTFS volumes. Useful for example to play around with hard links during our File Systems Revealed training, or if you would like to add the same image to the same case again, which is only possible under a different name. The hard links will be created in the same directory and of course can be renamed and moved by you after they have been created. Tools | Disk Tools | Create Hard Link.

Case management

  • More powerful and convenient batch processing thanks to an option to automatically trigger logical searches (previously only indexing) after volume snapshot refinement and thanks to an option to trigger the volume snapshot refinement (and therefore indirectly also logical searches) immediately after adding images to the case. That means you click through all the dialog windows initially and then run the selected operations without further user interaction. The operations will be run in this order: First all images are added to the case. Then the volume snapshots will be taken and refined if selected. After that, for selected evidence objects (previous or newly added ones) a logical search will be run if selected. Finally for each selected evidence object an index can be created.

  • Ability to invoke the menu commands to refine volume snapshots and run logical searches in selected evidence objects even when no data window is open at that time. As always, these operations will open data windows themselves when needed and close them automatically when no longer needed, to avoid unnecessary main memory utilization by loaded volume snapshots.

  • A new case tree context menu command that allows you to export any portion of the tree to a Unicode text file. The tree will be represented exactly in its current state of expansion and can span all evidence objects. To export a subtree, right-click a directory while holding the control key. Use a fixed font to view the text file. Remember that to fully recursively expand a portion of the tree that you want to export, you can click the root of that portion and press the asterisk (multiplication) key on the numeric keypad.

  • Ability to change the order of evidence objects in the case tree, via the properties dialog window, except for "dependent" evidence objects (partitions that belong to a physical disk).

  • Shorter and language-independent case subdirectory names in all cases created by v16.1 and later.

  • More convenient procedure when the path or drive letter of an image in a case has changed, especially if the image was added to the case in v16.1 and later and you have updated the standard directory for images in the General Options already.

  • Notification when opening a case if it can only be opened as read-only because of the read-only file attribute or because of insufficient file permissions.

Images

  • Ability to interpret VMware's Virtual Machine Disk images (VMDK) in addition to .e01 evidence files, raw/dd images, ISO images and VHD images.

  • Ability to automatically hibernate the system after disk imaging, image restoration and disk cloning. (Previously the only option was to shut down the system.) If Windows signals that hibernation fails, X-Ways Forensics will instead try to shut down the system.

  • Imaging with compressed .e01 evidence files as the output format accelerated for disks that contain large areas of binary zeroes, for example because they were wiped by the user some time or zeroed out by the manufacturer and never completely filled.

  • New "sparse" compression option for .e01 evidence files that only compresses large areas of zero value bytes in a very efficient way.

  • Additional information included in imaging log.

Registry viewer

  • Additional edit window in the registry viewer that tells you the logical size of the selected value and the size of its slack. It also interprets registry values of the following types, as known from the registry report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order (menu), ViewView2, SlowInfoCache, IconStreams (Tray notifications), UserAssist, Timestamps (FILETIME, EPOCHE, Epoche8), MountedDevices, OpenSavePidlMRU, LastVisitedPidlMRU, and more. The new edit window now also displays the access rights/permissions of the registry keys if (Default) is selected.

  • New special table "External Memory Device" included in registry report that can be retrieved from Software hives of Windows Vista and later that lists external media with access timestamps, hardware serial number, volume label, volume serial number and volume size (size often only under Vista). Select the definition file "Reg Report Devices.txt" to get the table.

  • New special table in the registry report called "Browser Helper Objects", compiled with data from the hives NTUSER.DAT and SOFTWARE, about browser usage.

  • New Export List command in the registry viewer context menu allows you to export all values in the selected hive to a tab-delimited text file.

  • Several small improvements in the registry viewer/report.

Miscellaneous

  • New version of the internally used graphics viewing library.

  • New version of the internally used library for archive decompression.

  • Many additional file signature definitions, mostly for file type verification only.

  • The thorough file system data structure search will now check for INDX buffers for index records referencing existing files that are not referenced in the $MFT any more because the $MFT is in a corrupt or incomplete state, for example because the image is incomplete.

  • The metadata extraction functionality has been removed from the directory browser context menu. It is now part of the Refine Volume Snapshot command and thus cannot be applied to selected files any more, but to either all files, tagged files or not hidden files.

  • You can now conveniently close viewer windows (whose contents are provided by the viewer component) by hitting the Esc key on your keyboard.

  • It is now possible to close filter dialogs by clicking the "x" in the upper right corner or by pressing Alt+F4 without deactivating the filter if it is active and without losing selection and scroll position in the directory browser.

  • When using the Recover/Copy command and the output filename has to be shortened to fit in the maximum path length specified by the user, the filename is now shortened in a nicer way, by preserving the extension whenever possible. (forensic license only)

  • Indexing slightly accelerated.

  • Many minor improvements.


Changes of v16.0 SR-1 to SR-11:

SR-1

  • In the original release it was not possible to change the codepage for the text column. That was fixed.

SR-2

  • Fixed a number notation issue that was present on the first execution of the program with a fresh installation only.

SR-3

  • Filenames are now maintained whenever possible when copying files off the evidence objects for inclusion in the case report.

  • Larger Windows system fonts now have an effect also on the directory browser.

  • WinHex and X-Ways Forensics never supported recognition of date order if the date format was specified in Windows with only single-digit days or months (e.g. d.m.yyyy or m/d/yy). That was fixed.

  • Script command "Find" can now run a case-insensitive search even if the search term is a variable.

SR-4

  • The style "level 5 forward parity dynamic" could not be selected when reconstructing RAIDs since v15.8. That was fixed.

  • Exception errors avoided in metadata extraction.

  • In v16.0, X-Ways Forensics did not correctly resolve usernames when adding evidence objects with Windows installations to the case. That was fixed.

SR-5

  • File header signature searches in v16.0 did not find file types whose signatures were defined at relative offsets larger than 0. That was fixed.

  • Unicode support in registry hives further completed, now also covers usernames and the Owner column in the directory browser.

  • Support for Windows Image Acquisition folder MRU in registry report.

  • The option to not overwrite an already existing index when starting to index again did not work. That was fixed.

SR-6

  • Memory leak in file header signature search of v16.0 fixed.

  • Some minor improvements in registry hive processing.

SR-7

  • Registry report further improved. One exception error fixed.

  • Small memory leak in file header signature search fixed.

  • Some minor improvements.

SR-8

  • Fixed memory leak in particularly thorough file system data structure search for ReiserFS file systems.

  • Some memory-intensive functions were slow in SR-7. That was fixed.

  • Minor fix for dealing with NTFS volumes in excess of 2 TB.

  • Some minor improvements.

SR-9

  • Support for larger sector numbers in Tools | Disk Tools | Set Disk Parameters.

  • Special registry table "Attached devices by serial number" was incomplete in v16.0 SR-8. That was fixed.

  • Able to cope with certain malformed multi-part e-mail messages.

SR-10

  • Fixed a problem with illegal filenames when copying files off the image for inclusion in the report.

  • Updated registry report definition files.

  • Ability to extract creation dates from e-mail messages with a Microsoft FILETIME date.

SR-11

  • An error was fixed in the file header signature search in v16.0 that could occur with some signatures when searching at the byte level.

  • Avoided a rare error that could apparently occur when interpreting evidence file containers that contained files without names.

  • Avoided an exception error that could occur when taking a snapshot of large Ext4 volumes with many inodes and small blocks.

  • Disk cloning did not report the complete number of sectors copied correctly if over 2 TB. That was fixed.

  • Ready to open case files created by v16.1.

  • Some minor fixes and improvements.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

 

#121: WinHex, X-Ways Forensics, X-Ways Investigator 16.0 released

Apr 26, 2011

This mailing is to announce the release of a noteworthy update, v16.0.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can now conveniently find all older versions for download if needed.

Please be advised that if you are interested in receiving information about service releases of v16.0 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net.

Upcoming X-Ways Forensics & File Systems Training

London, UK: May 9-13, 2011
Washington DC, May 23-27, 2011
Hong Kong, Nov 1-3, 2011
More information
Events are also posted on our Facebook page.


What's new in v16.0?

  • There is no performance penalty any more for selecting many or all file types for the file header signature search. File header signature searches are now considerably faster and basically limited in speed only by the medium from which the data is read.

  • Tools | Disk Tools | Clone Disk now allows for reverse disk cloning and reverse disk imaging (requires a specialist or forensic license). Useful if the disk to acquire has severe physical defects that for example cause a disk imaging program or the entire Windows system to freeze or crash when reaching a certain sector. In such a case you can create an image in reverse order, by reading sectors from the end of the disk backwards, and it is even possible to automatically fill an existing incomplete ordinary ("forward") image additionally backwards to get an image that is as complete as possible, with only a small zeroed gap somewhere in the middle that represents the unreadable damaged spot on the source hard disk. Yes, X-Ways Forensics is quite a sophisticated disk imaging tool not only because of its speed, and we would like to remind everyone that additional dongles just for disk imaging are available for much less than the cost of a full license (see here).

  • With the additional dongles for X-Ways Forensics just for disk imaging (details) you can now additionally use the Tools | Disk Tools | Clone Disk functionality.

  • Ability to interpret data in the text column as text encoded in an arbitrary code page. That is very useful for East Asian code pages, Eastern European code pages and UTF-8 if the text is found outside of files that can be nicely viewed by the viewer component, e.g. floating around in free drive space. The character set/code page for the text column can now be selected via View | Character Set. Please note that you may need to select a font in General Options that contains all characters that you intend to read, and for East Asian characters you need to have support for these kinds of languages installed in Windows. The ability to select the character set/code page for Disk/Partition/File mode is now tentatively available also in X-Ways Investigator.

  • Ability to view Windows Vista and Windows 7 event log files (.evtx), based on work by Andreas Schuster.

  • Completely revised and more robust registry hive handling. Ability to find deleted keys and values in hives that contain unused space and lost keys/values in damaged/incomplete hives. In the report, deleted values are highlighted in red. If no complete path is known for keys, they will be listed as children of a new virtual key called "Path unknown".

  • Analysis of free space in registry hives with the report definition file "Reg Report Free Space.txt". The free space can be as large as several MB, especially as a consequence of the use of virus scanners and registry cleaning programs.

  • Registry value slack has a relevant size in NTUSER.DAT hives. This fact is now exploited with 2 measures:

    1) If the slack contains text strings, it will be output in the registry report (in green). This new feature can optionally be turned off in the registry viewer context menu.

    2) For values that contain item lists (i.e. are binary) you can use the "Reg Report Free Space.txt" definitions, and the registry report will output lists of filenames with timestamps in green. The first timestamp is an access date, the second one is a creation date. If no timestamps can be output, these are artifacts from "RecentDocs".

  • The registry viewer now allows you to recursively explore all the keys and values in a hive and sort them in chronological order.

  • The search function in the registry viewer is now more thorough and robust.

  • Better Unicode support in the registry report for registry hives from computers in Asia.

  • Tray notifications artifacts from Windows 7 registry hives are now supported and decoded. The timestamps render these artifacts useful for computer forensics. Further improved support for shell bags.

  • Windows registry report: New data type %I (ITEM list) covers not only Shell Bag (as in previous versions), but also for example desktop shortcuts. Format adjusted for Windows Vista and 7.

  • Ability to customize the notation of dates, times, and numbers (see new button in Options | General). Useful to be independent of the settings of live system that you want to preview. Ability to display years with 2 digits only.

  • The option to display fractions of seconds in high resolution timestamps has been moved from the directory browser options to the new notation options. The option to display the time zone bias has also been moved to the notation options.

  • Ability to open an evidence object even if the disk or image is not currently available, via a special command in the evidence object's context menu, to see the volume snapshot. That means you can see all the file metadata stored in the volume snapshot (filename, path, file size, timestamps, attributes, etc.), can use all filters etc., but cannot see any data in sectors and cannot open/view any files.

  • Improved thumbnails extraction from Windows Vista's and Windows 7's thumbcache_*.db files. Ability to assign original filenames, file paths, and modification timestamps to certain thumbnails that were previously just named with a 16-digit hex number.

  • When switching from File mode to Partition/Volume mode, X-Ways Forensics will now automatically point you to the offset from the point of view of the partition/volume that is equivalent to the offset within the file where the cursor was positioned last, even if the file is fragmented, if there is an equivalent position (not if the file is a compressed or virtual attached file or an extracted e-mail message or an exported video still etc.).

  • Ability to specify the directory in which to create a case when creating a new case, for that particular case only.

  • Directories with search hits that are copied from a search hit list now receive a special name when they are created as files in the output folder.

  • Sorting by search term count column has been accelerated.

  • Fixed an exception error that could occur when extracting metadata from carved MP4 and ASF files.

  • Hash database functions internally reworked. When importing the NSRL RDS hash database, X-Ways Forensics now checks for records with the flags "s" (special) and "m" (malicious) so that these hash values are not erroneously included in the same internal hash set that should be categorized as irrelevant.

  • It is now possible to abort lengthy sort operations. The directory browser is now unsorted after start-up by default. This new behavior can be turned off in the directory browser options.

  • The grouping options now have an effect even if the directory browser is not sorted.

  • The report table filter has a new option that allows you to additionally include siblings of the associated files, i.e. files in the same directory as the files that are part of the selected report table(s). Useful, especially when exploring recursively and sorting by path, to check whether there are any further notable files in the neighborhood.

  • Ability to optionally also add any known duplicates of the selected file(s) in the same evidence object to a report table (files which have been identified as duplicates based on hash values and marked as such in the Attr. column).

  • New investigator.ini option +38 allows you to prevent imports of report table associations.

  • Ability to identify animated GIFs. Animated GIFs will be added to a special report table during the file type verification.

  • Support for two new zip subtypes: APK Android smartphone packages and KEY Apple iWork keynote presentation files.

  • Many minor improvements.
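
The reverse imaging described in the Clone Disk item above can be sketched as follows. This is an added example, not X-Ways code: `FlakyDisk`, `forward_pass`, `reverse_fill` and `acquire` are hypothetical names, and the 64-sector source with three unreadable sectors is constructed.

```python
SECTOR = 512  # sector size assumed for this constructed sample


class FlakyDisk:
    """Constructed stand-in for a damaged source disk: bad sectors raise on read."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.sectors = len(data) // SECTOR

    def read_sector(self, lba):
        if lba in self.bad:
            raise OSError(f"unreadable sector {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def forward_pass(disk, image):
    """Ordinary imaging: copy from sector 0 upward and stop at the first
    read error. Returns the first LBA that was not copied."""
    for lba in range(disk.sectors):
        try:
            image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read_sector(lba)
        except OSError:
            return lba
    return disk.sectors


def reverse_fill(disk, image, first_unread):
    """Reverse pass into the same image: copy from the last sector downward,
    stop at the first read error or on reaching the forward part.
    Returns the lowest LBA copied by this pass."""
    lowest = disk.sectors
    for lba in range(disk.sectors - 1, first_unread - 1, -1):
        try:
            image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read_sector(lba)
        except OSError:
            break
        lowest = lba
    return lowest


def acquire(disk):
    """Forward image completed backwards. The buffer starts zeroed, so
    whatever neither pass reached remains a zeroed gap in the middle.
    Returns (image, gap) with gap as a half-open LBA range (start, end)."""
    image = bytearray(disk.sectors * SECTOR)
    first_unread = forward_pass(disk, image)
    lowest_reverse = reverse_fill(disk, image, first_unread)
    return bytes(image), (first_unread, lowest_reverse)


def sample_disk():
    """64 sectors, each filled with a distinct non-zero byte; sectors 30, 31
    and 33 are unreadable (constructed)."""
    data = b"".join(bytes([lba + 1]) * SECTOR for lba in range(64))
    return FlakyDisk(data, bad_sectors=[30, 31, 33])


if __name__ == "__main__":
    image, gap = acquire(sample_disk())
    print(f"zeroed gap: LBA {gap[0]} to {gap[1] - 1}")
```

Sector 32 of the sample is readable but lies between the two points where the passes stopped, so it ends up inside the zeroed gap; the gap range belongs in the acquisition notes next to the image hash.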


Changes of v15.9 SR-1 to SR-8:

SR-1:

  • General support for sector sizes up to 8 KB (previous maximum: 4 KB).

  • Support for GPT partitioning on media with 4 KB and 8 KB sector sizes.

  • Ability to deal with HFS+/HFSX volumes on media with sector sizes larger than 2 KB, as seen in iPhones and iPads.

  • Ability to auto-detect the sector size in raw images of GPT-partitioned disk with sector sizes of 4 KB and 8 KB.

  • Ability to auto-detect the sector size in most raw images of MBR-partitioned disks with a sector size of 4 KB.

  • Partial progress of volume snapshot refinements is now saved when the case auto-save interval elapses.
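
One way sector size auto-detection for raw images of GPT-partitioned disks can work, as an added example (not X-Ways code; the newsletter does not say which method X-Ways uses): the GPT header sits at LBA 1, so its byte offset in the image equals the sector size. The function names and the sample images are constructed for illustration.

```python
import struct
import zlib

# UEFI GPT header layout (92 bytes): signature, revision, header size,
# header CRC32, reserved, MyLBA, AlternateLBA, FirstUsableLBA, LastUsableLBA,
# disk GUID, PartitionEntryLBA, entry count, entry size, entry array CRC32.
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")
CANDIDATE_SECTOR_SIZES = (512, 1024, 2048, 4096, 8192)


def parse_gpt_header(raw):
    """Return selected header fields if raw starts with a valid GPT header,
    otherwise None. A bare 'EFI PART' string is not enough: the header
    CRC32 must match as well."""
    if len(raw) < GPT_HEADER.size:
        return None
    fields = GPT_HEADER.unpack_from(raw)
    signature, header_size, header_crc, my_lba = (
        fields[0], fields[2], fields[3], fields[5])
    if signature != b"EFI PART":
        return None
    if not GPT_HEADER.size <= header_size <= len(raw):
        return None
    # The CRC covers header_size bytes with the CRC field itself zeroed.
    zeroed = raw[:16] + b"\0\0\0\0" + raw[20:header_size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != header_crc:
        return None
    return {"my_lba": my_lba, "alternate_lba": fields[6]}


def detect_sector_size(image):
    """Probe each candidate size: a valid header found at byte offset
    `size` that also says 'I am LBA 1' fixes the sector size."""
    for size in CANDIDATE_SECTOR_SIZES:
        header = parse_gpt_header(image[size:size + size])
        if header is not None and header["my_lba"] == 1:
            return size
    return None


def build_sample_image(sector_size, total_sectors=128):
    """Constructed raw image: protective MBR signature plus a primary GPT
    header with a correct CRC at LBA 1. No partition entries are filled in."""
    image = bytearray(sector_size * total_sectors)
    image[510:512] = b"\x55\xaa"
    entry_sectors = (128 * 128 + sector_size - 1) // sector_size
    header = bytearray(GPT_HEADER.pack(
        b"EFI PART", 0x00010000, GPT_HEADER.size, 0, 0,
        1, total_sectors - 1,
        2 + entry_sectors, total_sectors - 2 - entry_sectors,
        bytes(16), 2, 128, 128, 0))
    struct.pack_into("<I", header, 16, zlib.crc32(bytes(header)) & 0xFFFFFFFF)
    image[sector_size:sector_size + len(header)] = header
    return bytes(image)


def sample_with_stale_header():
    """4 KB-sector image with a damaged header copy planted at offset 512,
    as leftover data might look. The CRC check has to reject it."""
    image = bytearray(build_sample_image(4096))
    stale = bytearray(image[4096:4096 + GPT_HEADER.size])
    stale[60] ^= 0xFF  # flip one byte of the disk GUID
    image[512:512 + len(stale)] = stale
    return bytes(image)


if __name__ == "__main__":
    for size in (512, 4096, 8192):
        print(size, detect_sector_size(build_sample_image(size)))
    print("stale copy at 512:", detect_sector_size(sample_with_stale_header()))
```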

SR-2:

  • The "List 1 hit per file only" option did not work correctly in v15.9. This was fixed.

  • Improved function to delete duplicate search hits. When in doubt, X-Ways Forensics will now keep the longer search hit (as a hit for "Smithsonian" for example is more specific than "Smith") and favors search hits in existing files.

  • Accelerated time to list millions of search hits.

  • The Open Disk dialog window was wrong when not working with a case. That was fixed.

SR-3:

  • The hash set filter did not work in v15.9. That was fixed.

  • Avoided an exception error that could occur under certain circumstances when running a byte-level signature search.

  • If the context preview of search hits in files in large archives is too slow, it can now be disabled by unselecting the existing option "Gallery: Show pictures in archives".

SR-4:

  • Avoided an exception error that could occur when the case root window was automatically opened at start-up.

  • Avoided (potentially annoying, but harmless) messages that could be displayed by Windows when working with images on write-protected drives.

  • Fixed an error that could occur when loading volume snapshots with more than 6 million objects.

  • Drive letters were missing in the special tables of the registry report in earlier releases of 15.9. That was fixed.

SR-5:

  • With the new search algorithm, GREP expressions of variable length were found in v15.9 with their shortest matches instead of their longest possible matches as before. This was changed.

SR-6:

  • Avoids an exception error that occurred in v15.9 SR-5 when trying to refine the volume snapshot without a case.

  • Fixed erroneous disappearance of partitions in the case tree when removing hidden items from the volume snapshot of a physical disk.

  • Avoided an exception error that could occur when starting to use the Recover/Copy functionality.

  • Fixed an error that occurred with .e01 evidence files that have more than 775 segments.

  • Japanese translation updated.

SR-7:

  • HFS+ partition size detection on disks with Apple partition table fixed.

  • Ability to deal with volumes with cluster sizes of more than 128 sectors, which seem to be not uncommon in the exFAT file system.

  • Fixed an exception error that could occur in certain situations with the new v15.9 search algorithm.

  • In WinHex 15.7 through 15.9 with a specialist license, the simultaneous search function was unable to run a case-insensitive search correctly. That was fixed.

  • Improved handling of the internal volume snapshot files if reading or writing these files fails because of insufficient drive space or other system resources, file system errors, or other reasons.

  • More complete assignment of drive letters in the "Attached Devices" section of the registry report.

SR-8:

  • Internal technical information about .e01 evidence files was potentially included more than once in the evidence object properties before. That was fixed.

  • Windows 7 compatible import of regional settings (date format).


What to expect in v16.1?

Support for Exchange EDB e-mail databases, and more! Please check the forum for a preview version next week!


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

 

#120: WinHex, X-Ways Forensics, X-Ways Investigator 15.9 released

Jan 25, 2011

This mailing is to announce the release of a noteworthy update, v15.9.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more.

Please be advised that if you are interested in receiving information about service releases of v15.9 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net.


Upcoming X-Ways Forensics & File Systems Training

London, UK: May 9-13, 2011
More information
Events are also posted on our Facebook page.


What's new in v15.9?

  • Three main improvements were already announced in newsletter issue #119b for v15.9 Beta:
    1) the sophisticated new search algorithm that tremendously accelerates conventional (non-index) searches with many search terms and search variants,
    2) the new directory browser columns with search terms and search term counts,
    3) the greatly improved registry report.
    Since then, the following additional improvements have been made:

  • Ability to export report table associations created in an evidence file container, such that they can be imported back into the original case. That means when you split up the workload in large cases across multiple investigators who work simultaneously, you can now automatically and more easily reconcile their results!

  • It is also now possible to export report table associations from original evidence objects (not containers), so even when not working with containers, multiple examiners can work with their own copy of the same case and exchange results with each other or reconcile all results in the main copy of the case, all that by exporting and importing report table associations.

  • Both aforementioned commands, the export and import of report table associations, can be found in the context menu of the case tree. Export is supported at the case and evidence object level, import at the case level. Please note that you cannot import report table associations in the original case any more if you have taken a new volume snapshot after the creation of the evidence file container(s) or if you have removed objects from the volume snapshot.

  • Ability to display the name of the evidence object where SID/username combinations were found, if recorded.

  • Attachments can now be embedded in their respective .eml parent files also when creating a case report, not only when using the Recover/Copy command.

  • Usage of the option to embed attachments in .eml files as Base64 code already when extracting e-mail from e-mail archives had been discouraged for some years. The option has now finally been removed completely as it became obsolete.

  • Ability to carve, confirm, and view Outlook 2011 for Mac e-mails and extract attachments from them.

  • Better prepared for certain PST files.

  • Filter for the new search term column introduced.

  • Displays the number of search hits that would be listed based on current settings for search terms if they were selected.

  • The standard registry report definition file was split into 8 parts, so that any time you create the report you can choose which parts you need. As before, you can change the definition files as you see fit, or create your own ones for specific purposes/for different kinds of cases.

  • When matching hash values against the hash database, if X-Ways Forensics finds a hash value in different hash sets that belong to different categories, a warning is output (since v15.6). Now it is guaranteed that the category that is returned in such a case is always "notable".

  • Ability to convert Motorola S files to binary that define data in a range of more than 2 GB.

  • Several minor improvements.
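
An added sketch (not X-Ways code) of the two hash database rules in these newsletters: the NSRL RDS import that keeps records flagged "s" or "m" out of the irrelevant set (v16.0), and the lookup that returns "notable" when a hash value sits in sets of different categories (v15.9). It assumes the RDS 2.x NSRLFile.txt column layout with the flag in SpecialCode; the set names, the "notable" category given to flagged records and all sample records are constructed.

```python
import csv
import io

HEADER = ('"SHA-1","MD5","CRC32","FileName","FileSize",'
          '"ProductCode","OpSystemCode","SpecialCode"')


def _record(digit, name, size, product, flag):
    """Build one constructed NSRLFile.txt line; the hash values are made up."""
    return (f'"{digit * 40}","{digit * 32}","{digit * 8}","{name}",'
            f'{size},{product},"358","{flag}"')


SAMPLE_NSRL = "\n".join([
    HEADER,
    _record("A", "notepad.exe", 179712, 1001, ""),
    _record("B", "sample_tool.exe", 20480, 1002, "M"),
    _record("C", "blank.dat", 0, 1003, "S"),
    # The same file listed twice, once unflagged and once flagged malicious.
    _record("D", "shared.dll", 4096, 1004, ""),
    _record("D", "shared.dll", 4096, 1005, "M"),
])

FLAG_TO_SET = {"": "NSRL", "S": "NSRL special", "M": "NSRL malicious"}


def import_nsrl(text):
    """Split RDS records by SpecialCode so that flagged hash values never
    land in the set that will be categorized as irrelevant."""
    sets = {name: set() for name in FLAG_TO_SET.values()}
    for row in csv.DictReader(io.StringIO(text)):
        flag = row["SpecialCode"].strip().upper()
        if flag not in FLAG_TO_SET:
            raise ValueError(f"unknown SpecialCode {flag!r}")
        sets[FLAG_TO_SET[flag]].add(row["SHA-1"].upper())
    return sets


class HashDatabase:
    """Named hash sets, each carrying one category."""

    def __init__(self):
        self.sets = {}

    def add_set(self, name, category, hashes):
        self.sets[name] = (category, {h.upper() for h in hashes})

    def lookup(self, sha1):
        """Return (category, warning). When the hash is in sets of different
        categories, warn and always answer 'notable'."""
        hits = sorted((name, category)
                      for name, (category, hashes) in self.sets.items()
                      if sha1.upper() in hashes)
        if not hits:
            return None, None
        categories = {category for _, category in hits}
        if len(categories) == 1:
            return categories.pop(), None
        names = ", ".join(name for name, _ in hits)
        return "notable", f"{sha1} is in sets of different categories: {names}"


def build_database(text=SAMPLE_NSRL):
    database = HashDatabase()
    for name, hashes in import_nsrl(text).items():
        # Assumption of this example: flagged sets are treated as notable.
        category = "irrelevant" if name == "NSRL" else "notable"
        database.add_set(name, category, hashes)
    return database


if __name__ == "__main__":
    database = build_database()
    for digit in "ABCDE":
        print(digit, database.lookup(digit * 40))
```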

Changes of v15.8 SR-5 to SR-7:

  • Recover/Copy: Now the same options that are known from the normal directory browser are also available when copying files from a search hit list. For example, you can automatically copy child objects of selected files and embed attachments in .eml parent files.

  • Error messages in message boxes are now additionally logged in messages.txt.

  • Fixed inability of v15.8 to correctly convert volume snapshots of certain earlier versions.

  • Improved processing of .mht files.

  • Fixed a memory leak in e-mail extraction.

  • The external virus check did not work correctly (and informed the user about that) in v15.6 through v15.8. This was fixed.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany
