X-Ways Forensics 15.5

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Oct 24, 2009 - 18:39:   

A preview version of X-Ways Forensics 15.5 is now available. The download link can be retrieved by querying one's license status.

What's new?

* New e-mail extraction function for Outlook PST and OST e-mail archives (still testing). Ability to recover deleted e-mail messages if they can still be found. More information extracted from contact entries, calendar entries, and tasks stored in PST archives. Ability to process encrypted PST archives without the password. Faster processing than before. Outlook/MAPI installation not needed.

Plain text e-mail messages are presented as text files, HTML e-mail messages as HTML files. They are all marked as extracted e-mail messages in the Attribute column. E-mail headers are presented as child objects. This new kind of representation may still change.

Known problems: Non-English e-mails extracted with the new method at the moment might be displayed based on an incorrect code page. (For plaintext e-mail messages with this problem it should help to set the code page of the viewer component to UTF-8 to get non-English characters right.) Certain signed e-mail messages cannot be extracted.

Comments about this new feature are welcome. The old PST processing via MAPI is still available optionally if you check the "MAPI" checkbox.

* The HTML registry report is now output completely in tabular form, for much better readability and import into other programs such as MS Excel for further processing (sorting, filtering). Comments about this new format are welcome. The name and key of each value are not output explicitly any more by default, but can be seen as a tooltip when moving the mouse cursor over a small white box. If you need to see the name and key explicitly for each and every reported value for some reason, you can include it optionally via the registry viewer's context menu.

* The second part of the registry report now gives an overview of installed drivers, file systems, and services in addition to the very helpful tables "Attached devices by serial number" and "Partitions by disk signature".

* The Details Panel has been renamed to Info Pane in the English user interface, to avoid confusion with Details mode.

* The index optimization now fully utilizes the memory space advantages of 64-bit Windows environments.

* X-Ways Forensics has been found to run on Windows 7 just as well as under Windows Vista, i.e. the same limitations (but no additional limitations) apply.

* Ability to distinguish between DOCX, XLSC, PPTX, and other file types when running a file header signature search.

* Various minor improvements.
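
Added example, not part of the original post and not X-Ways code: DOCX, XLSX and PPTX are all ZIP containers that start with the same local-file-header signature, so a header signature match alone cannot tell them apart. One way to refine the type, assuming the check is made against the main-part content type in `[Content_Types].xml` (function names and sample archives are constructed for illustration):

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # shared by every ZIP-based format
OOXML_PREFIX = "application/vnd.openxmlformats-officedocument."

# Main-part content types defined by the OOXML standard (ECMA-376).
MAIN_PART_TYPES = {
    OOXML_PREFIX + "wordprocessingml.document.main+xml": "docx",
    OOXML_PREFIX + "spreadsheetml.sheet.main+xml": "xlsx",
    OOXML_PREFIX + "presentationml.presentation.main+xml": "pptx",
}


def refine_zip_type(data):
    """Return 'docx', 'xlsx', 'pptx', 'zip' or 'unknown' for a byte buffer."""
    if not data.startswith(ZIP_LOCAL_HEADER):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" not in zf.namelist():
                return "zip"
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        # Carved or truncated archive without a central directory:
        # the header matched, but the container cannot be inspected.
        return "zip"
    for content_type, ext in MAIN_PART_TYPES.items():
        if content_type in manifest:
            return ext
    return "zip"


def make_sample(content_type=None):
    """Build a constructed in-memory archive (hypothetical test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if content_type:
            zf.writestr(
                "[Content_Types].xml",
                '<Types><Override PartName="/main.xml" ContentType="%s"/></Types>'
                % content_type,
            )
        zf.writestr("payload.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for ctype, ext in MAIN_PART_TYPES.items():
        print(ext, "->", refine_zip_type(make_sample(ctype)))
    print("plain ->", refine_zip_type(make_sample()))
```

Macro-enabled and template variants use other content types and fall back to `zip` here, as does a carved archive whose central directory is missing.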
W. Spiegl
Username: ws

Registered: N/A
Posted on Saturday, Oct 24, 2009 - 20:03:   

Did you change the path / filename to the preview version? The last name I know was:
xw_forensics-preview.zip
Michael Felber
Username: michaelfelber

Registered: N/A
Posted on Saturday, Oct 24, 2009 - 21:49:   

Hey, that's not nice: Never again announce us a version suspected to become a milestone because of its PST features and then forget to provide a valid download URL simultaneously... ;-)

Cu Michael
W. Spiegl
Username: ws

Registered: N/A
Posted on Saturday, Oct 24, 2009 - 22:21:   

Hi Michael,
don't be astonished - as much as I know the boss is not at home - suppose he is on a trip to bring in money which he needs to keep the low prices of the product. I was astonished to see this message today as usually there is no new version available if he is not at home.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Oct 24, 2009 - 22:30:   

Sorry, link fixed!
W. Spiegl
Username: ws

Registered: N/A
Posted on Saturday, Oct 24, 2009 - 22:44:   

Just started test! Thx.
Timo Jobst
Username: jot

Registered: N/A
Posted on Sunday, Oct 25, 2009 - 13:30:   

Just tested the new registry report output.
I experienced one problem: if I try to create the default registry report including the output value names & address in report option, XWF crashes all the time.
I have no problem using this option with my own created registry reports.

One question, is it possible to include the new second part of registry report in the own created registry reports?
Timo Jobst
Username: jot

Registered: N/A
Posted on Sunday, Oct 25, 2009 - 16:42:   

Did a little more testing.
Doesn't occur if I include NTUSER.DAT file in registry report.
Till now not reproducible with other images.

But still the question if it is possible to include the new "second part of registry report" with personalized registry reports
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 25, 2009 - 17:43:   

"Crashes" means what...? Terminates without any error message? Could you send me the registry hive files with which it crashes?

> One question, is it possible to include the new second
> part of registry report in the own created registry reports

If you copy the Reg Report.txt entries named "Dummy" to your own definition file, yes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 27, 2009 - 17:08:   

Preview 2:

* Inability of the new PST processing method to extract e-mails from non-English PST files fixed.

* Fixed an exception error that could occur when carving zip files with v15.5 Preview.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 4, 2009 - 1:05:   

Preview 3:

* New "fast, adaptive" compression option for imaging that provides an even better speed/compression compromise than before. This is the new default setting. The previous fast adaptive compression option is still available as "average, adaptive".

* Better error handling for new PST processing.
Bruno Kerouanton
Username: bkerouan

Registered: N/A
Posted on Wednesday, Nov 4, 2009 - 12:23:   

Did some testing, and found that although XWF still displays and opens virtually mounted drives such as TrueCrypt, network drive letters that were able to be opened and parsed (files only, not sector level obviously) are no longer visible when opening a disk drive (F9).

As far as I know, the first time I was able to open network drives was with XWF 14.4 SR-8.

Is this (really useful) feature no longer implemented in 15.5?
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 4, 2009 - 12:48:   

Nothing has changed in that respect, and (here) it still works beautifully in v15.5 Preview.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 2, 2009 - 13:29:   

Beta:

* Ability to find deleted contents of Outlook PST archives with the new extraction method even when existing contents are extracted with the old method (MAPI).

* Information about the detected true type of a file (confirmed or newly identified) is now included in evidence file containers. That information can be imported by this version and later versions. Consequently, the option "Append correct extension when copying" becomes obsolete for filling evidence file containers and from now on will only have an effect on the Recover/Copy command.

* In newly taken snapshots of NTFS volumes, alternate data streams, logged utility streams etc. are now represented as child objects of the file to which they belong. This is a better representation of the actual organization of the file system, since ADS are not listed in the directories to which their host files belong. Instead ADS are attached to their respective host files. Another advantage is that it is easy to navigate from any relevant alternate data stream to its parent (e.g. by pressing the Backspace key). If there are reasonable objections to this new feature, it might become optional, otherwise it will become the new standard behavior.

* Ability to use certain Position menu commands in the case root window: Find parent object, Navigate to FILE record/index record/inode/directory entry etc., Jump to item number.

* Ability to navigate to the parent object from within a search hit list in the case root window without losing that search hit list view.

* When viewing pictures with the graphics viewing library (not the viewer component) in a separate window, you can now press Page Down/Up to proceed to the next file in the list and view it in a new window. Press Ctrl additionally for the same effect in a window provided by the viewer component.

* The icon displayed for a ".." item in the directory browser now accurately presents the parent object, i.e. indicates an existing, deleted or dummy directory or an existing or deleted or dummy file. Tentative feature only.

* Ability to filter out hidden items in X-Ways Investigator. (In X-Ways Investigator, files can be hidden when identifying duplicates based on hash values.)

* The special rule for hiding duplicate e-mail messages and attachments in the directory browser based on hash values is now optional.

* Fixed an error with the representation of volume slack on Ext* volumes.

* Fixed non-deterministic listing of unpartitionable space for physical media.

* Revised uninstall procedure that in case of X-Ways Forensics does not require the dongle.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 5, 2009 - 2:40:   

Beta 2:

* Ability to manually rename automatically carved files. Useful to get the hive names of carved registry files right for the registry report.

* Improvements in new e-mail extraction method.

* Prevented an exception error that could occur when extracting e-mail with the new method.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 5, 2009 - 12:23:   

Beta 3:

* The interpreted version of a raw image of a physical hard disk can now be selected as the destination for cloning. This is useful for example if you want to copy a range of sectors from one image to another. Supported in WinHex only, not X-Ways Forensics.

* Some other minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 9, 2009 - 0:30:   

Beta 4:

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 13, 2009 - 23:19:   

Beta 5:

* Fixes of errors in Beta 4.

* Same fix level as v15.4 SR-12.

* E-mail messages that contain 7-bit ASCII characters only are now output as .eml files by the new extraction method, i.e. header and body in 1 file.

* Ability to shut down the computer after completion of disk cloning or after restoring an image back to a disk.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 18, 2009 - 0:02:   

v15.5 was just released.

Additional changes since last beta version:

* When you click a deleted file in an Ext file system for which only a directory entry is known and no inode, in Partition/Volume mode, X-Ways Forensics will now automatically jump to the directory entry.

* Improved support for dynamic disks created by Windows Vista.

* Improved support for deconstruction of MHT files.

* Fixed an error that could occur in the representation of GUIDs in templates.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 20, 2009 - 2:03:   

SR-1:

* Fixed an error that occurred when opening files with very long names on HFS+ volumes.

* The creation of sparse raw image files was faulty in the original 15.5 version. This was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 23, 2009 - 2:30:   

SR-2:

* The new 64-bit index optimization process in v15.5 caused user interface problems (debug messages were output, and hits on the Enter key were expected). This was fixed.

* File Type Categories.txt updated and extended.

* Mismatches were fixed that occurred when importing report table associations and comments from evidence file containers into the volume snapshot in v15.5 until SR-1.

* Exception errors fixed that in rare situations could occur when verifying the type of certain kinds of text files.

* Some smaller improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 18, 2010 - 20:18:   

SR-3:

* The filename filter was not case-insensitive for non-English characters. This was fixed.

* Removes trailing dots from directory names when recovering/copying files with path, so that Windows will allow such directories to be created.

* Prevented an exception error that could occur when about to select a disk.

* Support for .e01 evidence files with more than 2^32 sectors.

* Fixed an error that in recent releases caused a misinterpretation of the sector size in raw images of certain Apple disks.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 2, 2010 - 3:34:   

SR-4:

* Ability to show the history of 10 last authors and file paths in MS Word documents in some rare cases where previously it couldn't.

* Information in Details mode about newer hiberfil.sys files in Windows Vista and Windows 7 fixed.

* Two rare exception errors fixed in file type identification.

* Wiping free space left the wiped free space allocated in v15.5. This was fixed.

* Fixed an exception error that could occur in v15.5 when exporting the Sender and Recipient columns.

* Fixed an error when writing disk sectors past the 2 TB barrier.

* Fixed an exception error that could occur when editing disk sectors on media with a sector size of 4 KB.

* Virtual file "Unpartitionable space" avoided in a case where it does not make sense.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 18, 2010 - 18:25:   

SR-5:

* Some of the fixes introduced in later versions. Available to customers on request.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:01:   

SR-6:

* Some of the fixes introduced in later versions. Available on request to customers whose update maintenance covered v15.5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2011 - 21:28:   

SR-7:

* Many of the fixes introduced in later versions and some improvements. Highly recommended and available on request to users whose update maintenance covered no more than v15.5. This is the last service release for v15.5.

Forum operated by X-Ways Software Technology AG.