X-Ways User Forum » Public Announcements

X-Ways Forensics 15.1
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Aug 9, 2008 - 3:54:   

A beta version of X-Ways Forensics 15.1 is now available. The download link can be retrieved by querying one's license status.

What's new?

* Ability to detect simple attempts at masking any files of any type as executable files. Such files will not be confirmed as executable files any more.

* Allows to better focus on unusual executable files by assigning them to report tables when they contain unknown segments or an unexpected tail.

* Can better distinguish between various .exe file types including legacy formats, DLLs, fonts, VXDs, and other drivers.

* Special support for executable files when running the file header signature search. The file size and the precise file type will be detected. The exact file size helps to exclude known irrelevant files with the help of hash databases.

* Ability to add a selected block as a virtual file (Edit menu) now in File mode, too. In that case it will be added as a child object of the original file.

* It is now possible to automatically associate the parent file and child objects of a selected file with a report table as well. Useful, for example, if you want to add not only a certain e-mail message to a report but also its attachments, or the other way around, or not only a certain video still but also the corresponding video. Report table associations can also be removed from parent and child objects in a single step.

* Files that are child objects of a file (i.e. whose parent is not a directory) are now specially marked in the directory browser with 3 light blue dots in the upper left corner of the icon.

* When extracting thumbnails from JPEGs, they are now listed as child objects of the respective JPEG file. Such thumbnails and other generically named embedded pictures are now considered virtual files.

* Attached external files will now always be added as child objects of the selected object, even if you add a single file only, unless you hold the Shift key. It is now also possible to attach external files to a directory.

* Support for viewing the NTFS system file $UsnJrnl, another unique feature.

* Ability to deal with FAT32 volumes whose main boot sector is corrupt if the backup boot sector is intact. Ability to automatically find lost FAT32 partitions when scanning for lost partitions even if the main boot sector is corrupt.

* Ability to deal with extremely large directories in FAT volumes.

* Size detection for very large zip archives during file header signature search. Size detection for 7zip files newly introduced.

* Copying files off an image to your own drive or into a container now works slightly differently internally. These actions can now include the contents of selected directories even in an already recursive view, and when doing that they automatically make sure not to copy directly and indirectly selected files twice. Or if the same file is listed multiple times in a search hit list, because it contains many search hits, it is copied once only even if selected multiple times, which is very convenient. Another consequence is that you will not see the message "This command cannot branch into selected directories in an already recursive view." any more. Another benefit is that there are now 3 instead of 2 options for recreating the original path in the output directory or file container: full path, no path, or partial path (based on the currently explored directory, not available from case root).

* A new option labelled "recommendable data reduction" for the logical search and indexing allows to save time by excluding the logical portion of certain files automatically: File archives such as ZIP and RAR whose contents have been included in the volume snapshot, and PST and DBX e-mail archives whose e-mail messages and attachments have been extracted. The latter is helpful in particular for indexing, since Base64 code inflates the index extremely and slows down the indexing process.

* There is now a "NOT" option in the Attributes filter. Allows you to easily filter out alternate data streams, symlinks, files with unknown contents, etc. etc. when you do NOT want to see such items.

* There is now a progress indicator for the hashing process when creating a hash set.

* Individual filenames for cloning logs based on start time.

* Several minor improvements.
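The executable-file checks announced above (masked files, unexpected tails, DLL vs. EXE, legacy formats, size detection from headers) can be illustrated with a small header parser. The following is an added example written for this page; it is not X-Ways code and does not reproduce how X-Ways implements these checks. It reads only the DOS stub, COFF header and section table, derives the file size the headers imply, and flags a trailing "overlay". The sample inputs are synthetic PE skeletons built by `build_pe` (an assumed helper, not a real program), plus a JPEG header with and without an MZ stub glued in front.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag that marks a DLL
LEGACY_SIGNATURES = {            # signatures found at e_lfanew in pre-PE formats
    b"NE": "16-bit NE (legacy Windows)",
    b"LE": "LE (VxD / 32-bit driver)",
    b"LX": "LX (OS/2)",
}


def inspect_executable(data: bytes) -> dict:
    """Classify a blob that claims to be an executable and derive the size its
    headers imply. Only headers are read; nothing is loaded or run."""
    r = {"verdict": "not executable", "format": None, "is_dll": False,
         "expected_size": None, "overlay": 0, "reason": ""}
    if len(data) < 0x40 or data[:2] != b"MZ":
        r["reason"] = "no MZ signature (e.g. a picture simply renamed to .exe)"
        return r
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        r["reason"] = "e_lfanew points past the end of the file"
        return r
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] in LEGACY_SIGNATURES:
        # Legacy formats carry no PE section table, so the size check below does not apply.
        r.update(verdict="executable", format=LEGACY_SIGNATURES[sig[:2]])
        return r
    if sig != b"PE\0\0":
        r["reason"] = "MZ stub present but no PE/NE/LE signature: masked non-executable"
        return r
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        r["reason"] = "COFF header truncated"
        return r
    _machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size
    if nsec == 0 or sect_off + 40 * nsec > len(data):
        r["reason"] = "section table missing or truncated"
        return r
    opt_magic = struct.unpack_from("<H", data, coff + 20)[0] if opt_size >= 2 else 0
    # Expected size = end of the last section's raw data (or of the headers, if larger)
    end = sect_off + 40 * nsec
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    r.update(verdict="executable", format="PE32+" if opt_magic == 0x20B else "PE32",
             is_dll=bool(chars & IMAGE_FILE_DLL), expected_size=end,
             overlay=max(0, len(data) - end))
    if end > len(data):
        r["reason"] = "truncated: section data extends past the end of the file"
    elif r["overlay"]:
        # A tail is a pointer for review, not proof of tampering: Authenticode-signed
        # binaries and some installers legitimately keep data after the last section.
        r["reason"] = f"unexpected tail of {r['overlay']} bytes after the last section"
    return r


def build_pe(sections, characteristics=0, overlay=b""):
    """Constructed, non-runnable PE32 skeleton used as sample input (not a real program)."""
    e_lfanew, opt_size = 0x40, 96
    dos = b"MZ" + bytes(58) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, characteristics)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    header_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_end + 511) // 512 * 512      # first section starts on a 512-byte boundary
    table, bodies = b"", b""
    for i, (name, size) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, size, 0x1000 * (i + 1), size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        bodies += b"\x90" * size
        raw_ptr += size
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + bytes(raw_ptr - len(bodies) - len(headers)) + bodies + overlay


# Constructed samples: a clean EXE, a DLL, an EXE with 100 trailing bytes,
# a JPEG with an MZ stub prepended (masked), and a JPEG merely renamed.
SAMPLES = {
    "clean_exe": build_pe([(b".text", 512), (b".data", 256)]),
    "dll": build_pe([(b".text", 512)], characteristics=IMAGE_FILE_DLL),
    "with_tail": build_pe([(b".text", 512)], overlay=b"A" * 100),
    "masked": b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"\xff\xd8\xff\xe0" + bytes(100),
    "renamed_jpeg": b"\xff\xd8\xff\xe0" + bytes(100),
}


def classify_samples():
    return {name: inspect_executable(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in classify_samples().items():
        print(f"{name:13s} {res['verdict']:15s} {res['format'] or '-':6s} dll={res['is_dll']!s:5s} "
              f"expected={res['expected_size']} overlay={res['overlay']} {res['reason']}")
```

The derived `expected_size` is what makes hash-database exclusion useful after carving: a carved executable whose length matches its headers can be hashed and compared, whereas a carved blob cut at an arbitrary boundary never will.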
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Aug 23, 2008 - 12:59:   

Beta 2:

* Examination of $LogFile as part of thorough file system data structure search on NTFS volumes even more complete now.

* Ability to reset selected files in the volume snapshot such that the options in Refine Volume Snapshot would touch them again even if they have been processed before. This function is available via Ctrl+Del. It does not clean up after the selected files, i.e. does not delete any already extracted child objects.

* Fixed scope inconsistency when running a search from the case root window.

* Italian translation further updated.

* Fixed metadata extraction error that occurred in v15.1 Beta 1.

* Updates of v15.0 SR-7 included, too.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 3, 2008 - 2:38:   

v15.1 was just released. The following has changed since Beta 2:

* The Recover/Copy command now optionally allows to output files with overlong paths (more than 260, up to 510 characters, for output path + original path + original filename). Note that you cannot access (e.g. view, copy or delete) such files with ordinary tools like the Windows Explorer. The option is useful if you are dealing with these files with tools that support overlong paths. Otherwise you can specifically limit path lengths to 260 characters and get report table associations for omitted files, as before. Forensic license only.

* It is now much more convenient to supply lengthy filename lists for use as a filename filter. Multiple filenames or filename masks are no longer concatenated with semicolons, but entered (or pasted from the clipboard!) one per line. Useful if you have a list of relevant filenames or keywords and want to find out quickly whether files with such names are present.

* The interpretation of $LogFile now shows you the date range covered (see bottom of Preview/View), so that you can easily determine whether relevant dates are covered by $LogFile at all. It is now easier to determine or at least narrow down the date and time when a file was deleted if that action is covered, by looking for an "Undo: Initialize File Record Segment" operation for a given file or by looking for the LSN as seen in the FILE record header. The following EndPage statement indicates the time frame for that operation. Generally improved representation.

* Fixed an error in the new indexing algorithm of v15.0, where files were decoded by the viewer component even when hidden.

* Some minor improvements.
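The Recover/Copy behaviour described in this thread (selected directories expanded recursively, each file copied once even when selected directly and indirectly or listed for several search hits, the three path-recreation options, the "copy child objects" checkbox, and the 260- vs. 510-character path limit with omitted files reported) can be modelled in a few functions. The following is an added example for this page, not X-Ways code; the volume snapshot is a constructed table, output paths use a made-up `C:\out` root, and the placement of a child object below its parent file as a path component is an assumption of this model.

```python
# Constructed volume snapshot (not real case data): id, parent id, name, is_dir.
SNAPSHOT = [
    (1, None, "Partition 1", True),
    (2, 1, "Users", True),
    (3, 2, "alice", True),
    (4, 3, "report.docx", False),
    (5, 3, "Mail", True),
    (6, 5, "invoice.msg", False),
    (7, 6, "attachment.pdf", False),   # child object: its parent is a file, not a directory
    (8, 1, "pagefile.sys", False),
    (9, 3, "x" * 200, True),           # deep path that breaks the 260-character limit
    (10, 9, "y" * 80 + ".bin", False),
]


def build_index(snapshot):
    """Index by id and attach the child list to every entry."""
    index = {i: {"parent": p, "name": n, "is_dir": d, "children": []} for i, p, n, d in snapshot}
    for i, entry in index.items():
        if entry["parent"] is not None:
            index[entry["parent"]]["children"].append(i)
    return index


def full_path(index, item_id):
    """Names from the volume root down to the item (a child object of a file is
    modelled as sitting below that file; an assumption of this example)."""
    comps = []
    while item_id is not None:
        comps.append(index[item_id]["name"])
        item_id = index[item_id]["parent"]
    return comps[::-1]


def expand_selection(index, selected_ids, copy_child_objects=True):
    """Resolve a selection to the set of files to copy. Selected directories
    contribute their contents recursively; a file that is selected several times
    (directly, via an ancestor, or via multiple search hits) is taken once."""
    wanted = set()
    stack = list(selected_ids)
    while stack:
        cur = stack.pop()
        entry = index[cur]
        if entry["is_dir"]:
            stack.extend(entry["children"])
            continue
        wanted.add(cur)
        if copy_child_objects:            # the "copy child objects of selected files" checkbox
            stack.extend(entry["children"])
    return wanted


def output_path(index, item_id, mode, out_root, explored_id=None):
    """Recreate the original path in the output directory: 'full', 'none' or 'partial'
    (relative to the explored directory; not available from the case root)."""
    comps = full_path(index, item_id)
    if mode == "full":
        rel = comps
    elif mode == "none":
        rel = comps[-1:]
    elif mode == "partial":
        if explored_id is None:
            raise ValueError("partial path is not available from the case root")
        base = full_path(index, explored_id)
        if comps[:len(base)] != base:
            raise ValueError(f"item {item_id} is not below the explored directory")
        rel = comps[len(base):]
    else:
        raise ValueError(f"unknown path mode {mode!r}")
    return "\\".join([out_root] + rel)


def plan_copy(index, selected_ids, mode="full", out_root="C:\\out", explored_id=None,
              copy_child_objects=True, allow_overlong=False):
    """Return (files to copy, files omitted because their output path is too long).
    Ordinary tools stop at 260 characters; the overlong option allows up to 510."""
    limit = 510 if allow_overlong else 260
    plan, omitted = [], []
    for item_id in sorted(expand_selection(index, selected_ids, copy_child_objects)):
        dest = output_path(index, item_id, mode, out_root, explored_id)
        (plan if len(dest) <= limit else omitted).append((item_id, dest))
    return plan, omitted


if __name__ == "__main__":
    index = build_index(SNAPSHOT)
    # Directory 3 selected, file 4 selected twice (two search hits), e-mail 6 selected.
    plan, omitted = plan_copy(index, [3, 4, 4, 6], mode="full")
    for item_id, dest in plan:
        print(f"copy   {item_id:3d} -> {dest}")
    for item_id, dest in omitted:
        print(f"omit   {item_id:3d} -> path of {len(dest)} characters exceeds 260")
```

The omitted list is the model's counterpart of the report table association for skipped files: it lets an examiner see what was not copied instead of silently losing it.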
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 8, 2008 - 15:17:   

SR-1:

* There are now two interpretations of $LogFile in Preview mode and for the View command. The new interpretation gives an easy to understand overview of deleted files including deletion timestamps (unavailable before and another unique feature). In cases where the deletion timestamp is missing, the time frame in which the deletion occurred can be deduced manually. The old interpretation, a much more complete and detailed view of $LogFile, is still accessible if you enable Raw mode.

* An exception that could occur during an index search was fixed.

* Tagging files in a recursive view did not always have the correct effect on directories. This was fixed.

* A resource leak was fixed that had an effect when trying to extract e-mail from thousands of files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 15, 2008 - 17:39:   

SR-2:

* Moved or renamed files in NTFS volumes of which only index records are available and whose file size is unknown can now be seen in Gallery mode, too, not only in Preview mode. (Only if the new state of the file as defined by a FILE record allows to open it.)

* When e-mail from password-protected Outlook PST archives is to be extracted and the user does not react and agree to provide the password within 30 seconds, X-Ways Forensics will continue with the next file.

* Evidence file containers can now optionally be frozen when they are closed and enclosed in an .e01 file, such that they cannot be further filled (even after being converted back to a raw image). Such containers are marked as read-only in the technical details report.

* Ability to detect hybrids of RAR with JPEG and Bitmap files when extracting metadata and in Details mode.

* More information about RAR files in Details mode.

* Fixed registry viewer instability under Windows Vista.

* An instability error was fixed that could occur when decompressing certain hiberfil.sys files.

* Fixed an issue processing signed emails (x-pkcs7-signature) from Eudora.

* Improved conversion accuracy of certain kinds of emails stored in Office Outlook.

* Some other minor improvements and issues fixed in e-mail processing.
Greg Freemyer
Username: freemyer

Registered: N/A
Posted on Saturday, Sep 20, 2008 - 5:34:   

Stefan,

Can you explain the new E01 collections?

Are they in some way supposed to be Encase E01 type files?

What are they supposed to be compatible with?

I tried to open one in 15.1 (instead of 15.1 SR2). And via FTK Imager.

In both cases, no joy. It did work via 15.1 SR2.

Thanks
Greg
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 20, 2008 - 12:00:   

> Can you explain the new E01 collections?

Collections? Not sure. You mean that evidence file containers can be converted from raw images to .e01 evidence files? That is really old stuff, was possible since containers were introduced. That's because an evidence file container is like an ordinary raw image (of an XWFS volume), just with a specialized file system (XWFS) that can replicate and remember many, many properties and specialties of other file systems (so that file system level metadata can be retained in the container, which is one of the main design goals).

Whether the format of an image is raw image or .e01 evidence file does not make a difference, of course, both formats can be analyzed in exactly the same way. And images can be converted from raw image to .e01 evidence file containers and the other way around, that's nothing new either.

The news was merely that you can freeze a container (or more precisely, the file system in it), so that it's no longer possible to add further files to it, even after converting a finalized (and optionally compressed and/or encrypted) .e01 evidence file back to a raw image.

> Are they in some way supposed to be Encase E01 type files?

In some way?? They are .e01 evidence files, yes, as originally introduced by Expert Witness, as also used by EnCase and FTK.

> What are they supposed to be compatible with?

With X-Ways Forensics and X-Ways Investigator and any other program that supports .e01 evidence files. The XWFS file system in the images, however, is understood by X-Ways Forensics and X-Ways Investigator only.

> In both cases, no joy. It did work via 15.1 SR2.

FTK does not understand the XWFS file system, and X-Ways Forensics supports frozen containers only as of v15.1 SR-2, and that was the very news.

To cut a long story short: One has to distinguish of course between the file format of the image (raw - i.e. no special file format - or .e01 evidence file) and the partitioning style or file system(s) in the image.
Greg Freemyer
Username: freemyer

Registered: N/A
Posted on Saturday, Sep 20, 2008 - 18:10:   

To make sure I understand correctly, my understanding is:

As of 15.1 SR2, X-ways has enhanced the x-ways proprietary XWFS file system to support a new frozen state.

The change is not backward compatible, thus only X-Ways 15.1 SR-2 or newer are able to correctly work with a XWFS filesystem in the frozen state.

Specifically, earlier versions of X-Ways will refuse to open an e01 file containing a frozen XWFS filesystem.

(I believe that is what I saw when I tried this. I'm not in the office today, so I can't test it right now.)
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 20, 2008 - 18:25:   

Yes, earlier versions do not and are not meant to support frozen containers.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 22, 2008 - 15:47:   

SR-3:

* An error no longer occurs that prevented the display of GIF pictures for the remainder of a session after one particular GIF picture was displayed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Oct 11, 2008 - 14:57:   

SR-4:

* The Windows disk signature is now output as part of the Technical Details Report for hard disks.

* OpenOffice document zip files are now usually carved again with the correct file size.

* After having matched hash values against the hash database, when loading a different hash database and not re-matching the hash values against that new database, references to hash sets in the old database are no longer considered valid by X-Ways Forensics, which avoids that a wrong matching hash set may be displayed in the hash set column. The hash category was always stored independently of the hash database.

* Progress indicator for Recover/Copy command fixed.

* Avoided two message boxes that required user interaction in very specific situations when refining the volume snapshot.

* Some other minor error corrections and various minor improvements.

* User manual updated.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 22, 2008 - 10:30:   

SR-5:

* Unchecking the "copy child objects of selected files" checkbox did not always have the intended effect. That was fixed.

* The $ GREP anchor did not work correctly for larger files. This was fixed.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 18, 2008 - 19:07:   

SR-6:

* Inability of Edit | Modify Data to fully process large files was fixed.

* Some exception errors prevented.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 27, 2008 - 18:10:   

SR-7:

* An error in the Recover/Copy command was fixed that could cause display errors in the progress indicator window and could cause it to not recover certain files (followed by an error message saying that the original timestamps or attributes could not be applied to the file because the file could not be found).

* Timestamp bias error in new $LogFile interpretation (not raw mode) fixed.

* Ability to apply the menu command Edit | Select All (not the keyboard shortcut) to windows of the viewer component.
Rick Samuelson
Username: prsgroup

Registered: N/A
Posted on Saturday, Dec 27, 2008 - 5:29:   

Possibly, but I downloaded what I thought was the latest version of Winhex today--it shows as SR-6. Where do I find SR-7?

Thanks,

Rick
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 27, 2008 - 11:38:   

Oh only the forensic edition has been updated so far. You will find the same fix in the regular version of WinHex in SR-8 some time soon.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 29, 2008 - 18:27:   

SR-8:

* The Save As command for cases can now deal with overlong paths in the case subdirectories (up to 510 characters).

* Fixed an error that could cause an incorrect reconstruction pattern for internally reconstructed forward parity RAID 5 systems under certain circumstances.

* Several minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 8, 2009 - 0:25:   

SR-9:

* Some of the fixes introduced in later versions. Available to customers on request.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 2, 2009 - 21:11:   

SR-10:

* Some of the fixes introduced in later versions. Available to customers on request.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 18, 2010 - 17:25:   

SR-11:

* Some of the fixes introduced in later versions. Available to customers on request.

Forum operated by X-Ways Software Technology AG.