X-Ways Forensics 12.9

X-Ways User Forum » Public Announcements » X-Ways Forensics 12.9
Stefan Fleischmann (Admin)
Posted on Saturday, Mar 25, 2006 - 3:29:   

An early debug preview version of X-Ways Forensics 12.9 is now available for owners of a forensic license. Announced features are subject to change. The download link can be retrieved by querying one's license status.

What's new?

* The directory browser is now directly based on volume snapshots. That means, items in report tables that are loaded are mandatorily matched against the volume snapshot, and any items that are not part of the volume snapshot cannot be listed in the directory browser. Since one abstraction layer of data has become obsolete that way, memory utilization per item has been reduced by more than 50%, which is measurable e.g. for a recursive listing of 100,000s items. Filling the directory browser with that many items is also even quicker now. (Loading large report tables with many thousand items is slow, though.)

* Fictitious file "Idle space", in newly created volume snapshots. Covers clusters that are marked as allocated, whose exact allocation, however, X-Ways Forensics could not determine, e.g. because these clusters were only previously allocated and then not properly freed in the file system.

* Additional fictitious files for Ext2/Ext3, ReiserFS, NTFS, FAT, and HFS+ in newly created volume snapshots. There is a brief description of most fictitious files in the program help chapter about the directory browser. The root directory itself is now listed as a special searchable directory for several file systems.

* The contents of archives that are explored in the directory browser (e.g. double-clicked) are now incorporated into the volume snapshot right away, as known from Refine Volume Snapshot.

* New optional directory browser columns reveal the owner and the hard link count of files and directories on NTFS/Ext2/Ext3/ReiserFS/Reiser4/HFS+/UFS volumes. Hard links are now listed on NTFS volumes.

* Support for advanced UDF features such as resident files and directories and variably positioned file set descriptors.

* Improvements in UFS support.

* File size filter.

* Filter for some special values in the Attribute column.

* Optionally, files on the logical drive letters A: through Z: can be opened with the help of the operating system instead of with the built-in logic at the sector level. Please note that this is forensically sound only for write-protected media. On writeable media, Microsoft Windows will at least update (i.e. alter, falsify) the last access timestamp of files you open. The benefit, however, is that access to such files may be noticeably faster in many situations, especially on slow media such as CDs and DVDs, e.g. when you compute hashes or skin color percentages for files in a volume snapshot, because Microsoft Windows employs read-ahead mechanisms and entertains a file caching system. See Options | Security.

* Logging user activity separately for each evidence object becomes optional and is even disabled by default in a fresh installation. If disabled, X-Ways Forensics will generate one large chronological log for the entire case, spanning all evidence objects. Note that a log recorded in either way cannot later be converted to the other style.

* The folder for temporary files used by the separate viewer component is now controlled by WinHex/X-Ways Forensics, i.e. set to the one the user specifies in General Options. However, unlike X-Ways Forensics, the viewer component does not silently accept unsuitable paths on read-only media. Please note that the viewer component, if actually used, also leaves entries in the system registry.

* "File Type Categories.txt" now supports full filenames in addition to filename extensions. Useful for certain files with a well-defined name whose extension is not specific enough:
-;index.dat; Internet Explorer history/cache
-;history.dat; Mozilla/Firefox browser history

* Support for unified contents/report tables and for the category view of tables was dropped.

* The "File Type Signature.txt" database was updated.

* The disk selection dialog window already reveals on which physical disks the volumes mounted as drive letters A: through Z: reside.

* Calendar mode: color markers were swapped in v12.85. This was fixed.

* Several other minor improvements and same fix level as v12.85 SR-8.
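The "File Type Categories.txt" change above (full filenames next to plain extensions) is easy to get subtly wrong: a full-name entry such as index.dat must take precedence over a generic extension entry such as dat, and matching must ignore case and path. The following is an added example of that matching logic, not code from X-Ways or from the post. It assumes, from the two lines quoted above, that each entry is tag;pattern;description with the pattern being either an extension or a complete filename; the leading "-" field is carried through as an opaque tag because its meaning is not documented on this page, and the extension-only lines in the sample are constructed for illustration.

```python
"""Match filenames against a "File Type Categories.txt"-style list.

Added example, not X-Ways code. Assumed format (from the two quoted lines):
    tag;pattern;description
where pattern is an extension ("jpg") or a full filename ("index.dat").
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format shown in the post. The first two lines are
# the ones quoted; the "dat" and "jpg" lines are assumed for illustration.
SAMPLE = """\
-;index.dat; Internet Explorer history/cache
-;history.dat; Mozilla/Firefox browser history
-;dat; generic data file
-;jpg; JPEG picture
"""


@dataclass(frozen=True)
class Entry:
    tag: str           # leading field, kept verbatim (meaning not on this page)
    pattern: str       # lower-cased extension or full filename
    description: str

    @property
    def is_full_name(self) -> bool:
        # A pattern containing a dot is taken as a complete filename.
        return "." in self.pattern


def parse_categories(text: str) -> List[Entry]:
    """Parse the list; blank lines and '#' comments are skipped, bad lines raise."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";", 2)]
        if len(parts) != 3 or not parts[1]:
            raise ValueError(f"line {lineno}: expected 'tag;pattern;description': {raw!r}")
        entries.append(Entry(parts[0], parts[1].lower(), parts[2]))
    return entries


def classify(path: str, entries: List[Entry]) -> Optional[Entry]:
    """Full-filename entries win over extension entries.

    'index.dat' therefore maps to the IE history entry, not to the generic
    '.dat' entry; any other '*.dat' file falls back to the extension entry.
    Matching is case-insensitive and ignores the directory part of the path.
    """
    name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    by_name: Dict[str, Entry] = {e.pattern: e for e in entries if e.is_full_name}
    by_ext: Dict[str, Entry] = {e.pattern: e for e in entries if not e.is_full_name}
    if name in by_name:
        return by_name[name]
    return by_ext.get(ext)
```

Name-based categorisation is only as trustworthy as the filename: a renamed file lands in the wrong category, which is exactly what the signature check (header bytes versus extension) exists to catch.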
Posted on Tuesday, Mar 28, 2006 - 11:25:   

12.9 errors (and 12.85 does similar)

(AOK with some earlier versions of WinHex)

I can always repeat the errors, but I cannot explain the cause.

The errors occur with two different image sets

I have retested both images sets twice, with new W2K host builds.

One image set is RAW and is about 10GB.

The other is a compressed evidence file that expands to about 60GB.

In the Directory Browser (recursive or normal), highlighting (selecting) certain files will always cause some errors, the errors are always repeatable. I do not see any significant pattern to the files.

The errors do not happen with earlier WinHex versions. The same files can be viewed just fine with earlier versions. (I do not know, off hand, if the updated External Viewer is common only to the WinHex versions that have the errors).

Error #6 cannot read from [image.000], partition 2

same files but right click, context menu, click External programs then Associated Program
Error #0 cannot open "Program files\...\filename.ext" 3597279232

The 'Messages' dialog will always display the same message for each error:
"cannot read from [image.000], partition 2 Sector 4,294,967,295"
(this overly large sector number is always the same no matter which file is selected).

The file content does show up in Hex View AOK.

The only hint of a pattern is:
files observed so far that cause errors are either zero bytes or over 25MB (but not all files of those sizes).

no pattern to:
Cluster location
existing vs. deleted

I am sorry there are not more details yet, but I thought I would post in case other have additional details.

Thank you,
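The sector number quoted in that report, 4,294,967,295, is 0xFFFFFFFF, i.e. the unsigned rendering of a 32-bit -1. A read error that always names that sector regardless of which file was selected is reporting a sentinel or error return value, not a location on the image. The following is an added example (not the poster's analysis and not X-Ways code) of how to pull such values out of tool messages and flag them; the message format is the one quoted above, while the 512-byte sector size and the 10 GiB image size are assumed for illustration.

```python
"""Spot sentinel values in forensic-tool read-error messages.

Added example, not part of the original post. Message format taken from the
quoted error; sector size and image size are assumptions.
"""
import re
import struct
from typing import Dict, List, Optional

UINT32_MAX = 0xFFFFFFFF          # 4,294,967,295
SECTOR_SIZE = 512                # assumed
IMAGE_SECTORS = 20_971_520       # assumed: 10 GiB / 512 bytes

# Constructed log lines in the format quoted in the post.
MESSAGES: List[str] = [
    "cannot read from [image.000], partition 2 Sector 4,294,967,295",
    "cannot read from [image.000], partition 2 Sector 19,531,250",
    "cannot read from [image.000], partition 2 Sector 2,147,483,648",
]

_MSG_RE = re.compile(
    r"cannot read from \[(?P<image>[^\]]+)\], partition (?P<part>\d+) Sector (?P<sector>[\d,]+)"
)


def parse_message(msg: str) -> Optional[Dict[str, object]]:
    """Extract image name, partition and sector (thousands separators removed)."""
    m = _MSG_RE.search(msg)
    if not m:
        return None
    return {
        "image": m["image"],
        "partition": int(m["part"]),
        "sector": int(m["sector"].replace(",", "")),
    }


def as_int32(value: int) -> int:
    """Reinterpret a uint32 as int32: shows what a -1 return looks like when printed unsigned."""
    return struct.unpack("<i", struct.pack("<I", value & UINT32_MAX))[0]


def diagnose(sector: int, image_sectors: int = IMAGE_SECTORS) -> str:
    """Classify a sector number reported in a read error."""
    if sector == UINT32_MAX:
        # All 32 bits set: the unsigned rendering of -1, a common 'invalid'
        # marker. The same value for every file is the giveaway.
        return "sentinel: 0xFFFFFFFF (uint32 of -1), not a real sector"
    if sector >= 2 ** 32:
        return "exceeds 32-bit sector range"
    if sector >= image_sectors:
        return f"beyond end of image ({image_sectors} sectors, offset {sector * SECTOR_SIZE})"
    if sector >= 2 ** 31:
        return "in range, but negative if the tool used a signed 32-bit sector number"
    return "in range"


def triage(messages: List[str]) -> List[str]:
    """Diagnose every parseable message; unparseable ones are reported as such."""
    out = []
    for msg in messages:
        parsed = parse_message(msg)
        if parsed is None:
            out.append("unparsed")
        else:
            out.append(diagnose(int(parsed["sector"])))
    return out
```

When a tool reports the same impossible location for every failing item, the next thing to check is what the items have in common in metadata (here: zero-length files and very large files), since that points at the code path that produced the -1 rather than at the disk.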

Stefan Fleischmann (Admin)
Posted on Thursday, Mar 30, 2006 - 18:21:   

Preview 2:

* The text column now supports 16-bit Unicode characters (little-endian UTF-16), e.g. Chinese, Cyrillic. See Options | Character Set. Unicode characters are expected at even offsets. Keyboard input in Unicode is not supported in the text column.

* In report tables created by v12.9, duplications can no longer occur, i.e. the same file is never (e.g. accidentally) added twice to the same report table.

* There is now a bigger internal buffer for archives (.zip, .rar, ...), which can speed up access to compressed files. And there is no practical limitation any more to the levels of nested "archives in archives". The specific option to include the contents of archives in logical searches has been removed. If the contents of archives have been included in the volume snapshot and they are selected in the directory browser or if the containing archive is selected and treated like a directory, they will be searched as well. Refining the volume snapshot first is preferable anyway because at the same time that feature can also identify misnamed archives with the signature check. Also the logical search thereby is no longer limited to 2 levels of nested archives.

* The skin tone detection feature now serves a second purpose: It now also reveals pictures that are black & white or grayscale pictures. This is useful to find scanned documents and digitally transmitted faxes (e.g. TIFF). Such pictures are flagged as "b/w" in the SC% column.

* As an alternative and easier to discover way for new users to bring up a recursive view of a directory, there is now an additional button next to "Sync". (specialist and forensic licenses only)

* File | Create Disk Image is now potentially faster, depending on the system and various outer circumstances.
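The note above that Unicode characters are expected at even offsets matters when scanning raw data: the same bytes decoded as UTF-16LE from an odd offset yield different, usually meaningless, code points, and a carved fragment may well begin mid-character. The following is an added example, not X-Ways code, of scanning a buffer at both alignments; the byte buffer is constructed, and the accepted character ranges (ASCII, Cyrillic, CJK) are this example's own choice, to be widened for other scripts.

```python
"""Find UTF-16LE text in raw bytes at even and odd alignment.

Added example, not X-Ways code. Sample bytes are constructed; the accepted
code-point ranges are an assumption chosen for the sample.
"""
from typing import Dict, List, Tuple


def _wanted(cp: int) -> bool:
    # Assumed ranges for this example: printable ASCII, Cyrillic, CJK.
    return (0x20 <= cp <= 0x7E) or (0x0400 <= cp <= 0x04FF) or (0x4E00 <= cp <= 0x9FFF)


def utf16le_runs(buf: bytes, start: int, min_chars: int = 4) -> List[Tuple[int, str]]:
    """Return (byte offset, text) for runs of wanted characters, decoding 16-bit
    little-endian units beginning at byte 'start' (0 = even, 1 = odd alignment)."""
    runs: List[Tuple[int, str]] = []
    chars: List[str] = []
    run_off = -1
    i = start
    while i + 1 < len(buf):
        cp = buf[i] | (buf[i + 1] << 8)
        if _wanted(cp):
            if run_off < 0:
                run_off = i
            chars.append(chr(cp))
        else:
            if len(chars) >= min_chars:
                runs.append((run_off, "".join(chars)))
            chars, run_off = [], -1
        i += 2
    if len(chars) >= min_chars:
        runs.append((run_off, "".join(chars)))
    return runs


def find_unicode_strings(buf: bytes, min_chars: int = 4) -> Dict[str, List[Tuple[int, str]]]:
    """Scan both alignments. Text that starts on a record boundary appears in the
    even pass; a fragment that starts one byte in only appears in the odd pass."""
    return {"even": utf16le_runs(buf, 0, min_chars), "odd": utf16le_runs(buf, 1, min_chars)}


# Constructed sample: a Cyrillic word at offset 0, a terminator, one stray byte,
# then a Chinese string that therefore starts at the odd offset 15.
SAMPLE = (
    "Привет".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x41"
    + "你好世界".encode("utf-16-le")
    + b"\x00"
)
```

The odd pass over the Cyrillic bytes produces code points like 0x4004 and 0x3804 rather than letters, which is why a viewer that assumes even alignment shows nothing readable for a string that starts one byte off; a search that only ever decodes at even offsets misses such fragments.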
Stefan Fleischmann (Admin)
Posted on Friday, Mar 31, 2006 - 15:35:   

Preview 4:

* Exception error in new accelerated image creation prevented.

* Faster implementation of hash algorithms MD5, SHA-1 and SHA-256. (requires a professional license or higher)

* Compression/decompression algorithm for evidence files and WinHex backups updated from zlib 1.2.1 to 1.2.3.

* Ability to hide duplicates based on hash values (directory browser context menu) not available in this preview version.
Stefan Fleischmann (Admin)
Posted on Saturday, Apr 1, 2006 - 18:36:   

Preview 6:

* Sync mechanism reworked internally.

* Some small fixes and improvements.
Stefan Fleischmann (Admin)
Posted on Sunday, Apr 2, 2006 - 13:24:   

12.9 Beta:

* More small fixes and improvements.
Stefan Fleischmann (Admin)
Posted on Tuesday, Apr 4, 2006 - 0:32:   

Beta 2:

* More fixes.
Stefan Fleischmann (Admin)
Posted on Tuesday, Apr 4, 2006 - 18:44:   

Beta 3:

* More fixes.

* The ability to delete the case log was removed in X-Ways Forensics (but will not be removed in WinHex).
Jimmy Weg (Jw)
Posted on Tuesday, Apr 4, 2006 - 22:09:   

Might I suggest that you leave the preference in XWF, too? (Perhaps the log can be deleted manually outside of XWF or not enabled when creating a case.) In the US, there are differences among agencies and investigators within agencies as to whether one keeps notes. Some of us prepare extensive reports and outlines that cover what we've done in a case, and those items supersede our notes, which we may destroy. Logs maintained by the various tools would likely constitute "notes," which, if preserved, may be discoverable by the adverse party. That's not to say that anyone is attempting to hide anything, but, for example, many prosecutors prefer that we destroy our notes after properly documenting our exams otherwise. Thanks.
Stefan Fleischmann (Admin)
Posted on Tuesday, Apr 4, 2006 - 22:13:   

Other users have indicated they would prefer not to have the ability to delete the log. Please consider that you could load the same case in WinHex and delete the log there. Would that be feasible?
Jimmy Weg (Jw)
Posted on Tuesday, Apr 4, 2006 - 23:30:   

Thanks, Stefan. Yes, that would certainly work, although I'd obviously prefer to just disable logging from the start. That, however, won't work for the others, and the workaround can satisfy everyone's requirements.
Stefan Fleischmann (Admin)
Posted on Thursday, Apr 6, 2006 - 21:07:   

Beta 4:

* Gallery better synchronized with directory browser

* Special treatment for $BadClus:$Bad in NTFS, so that this particular system data stream can be efficiently viewed and searched. Now listed with a size of 0 bytes if no clusters are marked as bad and a size of > 0 bytes if there are such clusters.

* Ability to remove duplicates based on hash values back.

* Some minor improvements and fixes.
Stefan Fleischmann (Admin)
Posted on Saturday, Apr 8, 2006 - 2:29:   

Beta 5:

* When cloning over a partition that is mounted as a drive letter or restoring an image over it, X-Ways Forensics now tries to disable Windows' internal buffers, so that the new contents of the target partition are visible everywhere immediately after copying.

* Ability to undo/reset the signature check for all items in a volume snapshot, by removing the "Already done" checkmark. This initializes the Status column and is useful if an important update to the signature database has been made.

* Some minor improvements and fixes.
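Two items in this thread concern the signature check: Preview 2 notes that Refine Volume Snapshot identifies misnamed archives by comparing header bytes with the extension, and Beta 5 adds a way to reset the "Already done" state so an updated signature database is applied again. The following is an added example of that mechanism, not X-Ways code: the magic bytes are the real, well-known ones, but the signature table is a constructed subset, the sample items are constructed, and the status wording is this example's own rather than that of the Status column.

```python
"""Signature check: compare a file's claimed type (extension) with its header.

Added example, not X-Ways code. Signature table and items are constructed;
status labels are this example's own.
"""
from typing import Dict, List, Optional, Tuple

# (magic bytes, offset, extensions that legitimately carry this header)
SIGNATURES: List[Tuple[bytes, int, Tuple[str, ...]]] = [
    (b"PK\x03\x04", 0, ("zip", "docx", "xlsx", "jar")),
    (b"Rar!\x1a\x07", 0, ("rar",)),
    (b"\xff\xd8\xff", 0, ("jpg", "jpeg")),
    (b"\x89PNG\r\n\x1a\n", 0, ("png",)),
    (b"%PDF-", 0, ("pdf",)),
    (b"MZ", 0, ("exe", "dll", "sys")),
]


def add_signature(magic: bytes, exts: Tuple[str, ...], offset: int = 0) -> None:
    """Stand-in for installing an updated signature database."""
    SIGNATURES.append((magic, offset, exts))


def sniff(header: bytes) -> Optional[Tuple[bytes, Tuple[str, ...]]]:
    for magic, off, exts in SIGNATURES:
        if header[off:off + len(magic)] == magic:
            return magic, exts
    return None


class Snapshot:
    """Minimal stand-in for a volume snapshot: items plus a per-item status
    that the signature check fills in once and then leaves alone."""

    def __init__(self, items: Dict[str, bytes]):
        self.items = items                 # name -> first bytes of the file
        self.status: Dict[str, str] = {}   # name -> check result
        self.done = False                  # the "Already done" checkmark

    def run_signature_check(self) -> Dict[str, str]:
        if self.done:                      # already done: nothing is re-checked
            return self.status
        for name, header in self.items.items():
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            hit = sniff(header)
            if hit is None:
                self.status[name] = "not confirmed" if ext else "unknown"
            elif ext in hit[1]:
                self.status[name] = "confirmed"
            else:
                self.status[name] = f"misnamed: looks like {hit[1][0]}"
        self.done = True
        return self.status

    def reset_signature_check(self) -> None:
        """Clear the 'Already done' state so the next run re-examines every item,
        which is what an updated signature database needs."""
        self.status.clear()
        self.done = False


# Constructed items: name -> header bytes.
ITEMS: Dict[str, bytes] = {
    "archive.zip": b"PK\x03\x04\x14\x00",
    "notes.txt": b"PK\x03\x04\x14\x00",     # a ZIP hiding behind .txt
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10",
    "readme": b"hello world",
    "data.bin": b"\x00\x00\x00\x00",
    "tool.xyz": b"\x7fELF\x02\x01",         # unknown until ELF is added
}
```

A header check alone cannot tell the members of a container family apart (every Office OOXML file starts with the ZIP magic), and it says nothing about content appended after a valid header, so a match only means "the extension is not contradicted by the first bytes". The reset is needed because a check that was already run is cached; without clearing it, a newly added signature never gets applied to items that were previously "not confirmed".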
Stefan Fleischmann (Admin)
Posted on Tuesday, Apr 11, 2006 - 14:12:   

v12.9 has just been released.
Stefan Fleischmann (Admin)
Posted on Thursday, Apr 13, 2006 - 0:10:   


* When decoding the text in PDF documents for a logical search and no text is found (e.g. because the PDF document is composed of graphical data only, which can be readable text but will not be recognized as text), the ability to detect this situation and issue a warning has been improved.

* Logic for processing cross-linked deleted directories on FAT volumes improved.

* Path length problem with pictures embedded in documents fixed.

* Some other minor improvements.
Stefan Fleischmann (Admin)
Posted on Thursday, Apr 13, 2006 - 14:10:   


* Context preview for search hits in file slack fixed.

* Most PDF documents can now be recovered "by type" with their original, correct size.
Stefan Fleischmann (Admin)
Posted on Monday, Apr 17, 2006 - 13:28:   


* Exception errors fixed in embedded picture search and File Recovery by Name.
Stefan Fleischmann (Admin)
Posted on Wednesday, Apr 19, 2006 - 1:21:   


* Case root window and archive processing fixed.
Stefan Fleischmann (Admin)
Posted on Friday, Apr 21, 2006 - 23:12:   


* Some exception errors fixed.
Stefan Fleischmann (Admin)
Posted on Friday, Apr 28, 2006 - 12:36:   


* Some minor fixes and improvements.
Stefan Fleischmann (Admin)
Posted on Saturday, Apr 29, 2006 - 17:02:   


* "Open files through operating system" option fixed.

* Type column fixed (error in SR-8).
Stefan Fleischmann (Admin)
Posted on Sunday, May 7, 2006 - 15:16:   


* Some minor fixes and improvements. For example, the version number is now displayed in the main window caption. NTFS volumes with totally corrupted $MFT and $MFTMirr can be opened again.
Stefan Fleischmann (Admin)
Posted on Tuesday, May 9, 2006 - 0:49:   


* Lock-up fixed that could occur when using the Gallery view.
Stefan Fleischmann (Admin)
Posted on Thursday, May 11, 2006 - 17:43:   


* Problem with heavily fragmented $MFTs on NTFS volumes with certain characteristics addressed.

* Occasionally incomplete tooltips in Calendar mode fixed.

* Fixed an error that occurred in certain situations with File Recovery by Type and its byte-level option.

* Changed illogical behavior of the checkbox in Refine Volume Snapshot that allows undoing file type verification.
Stefan Fleischmann (Admin)
Posted on Friday, May 19, 2006 - 21:02:   


* Some minor fixes and changes. E.g. the External Programs menu is now available in the reduced user interface for non-IT investigators. If both JPEG and PNG files are embedded in the same document, they are now all listed in the document's fictitious directory in a non-recursive view (previously in a recursive view only, and only JPEG in the non-recursive view).
Stefan Fleischmann (Admin)
Posted on Tuesday, Jun 6, 2006 - 21:05:   


* Some minor fixes. E.g. the Windows installation date is now correctly output in the registry report.

Forum operated by X-Ways Software Technology AG.