X-Ways Forensics 15.6

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 5, 2010 - 0:08:   

A beta version of X-Ways Forensics 15.6 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* X-Ways Forensics can now identify the true sector count according to ATA on ATA/SATA hard disks where that failed (returned a question mark only) in previous versions. Useful to detect an attempt to limit the addressable capacity of a hard disk using an HPA (host-protected area) or DCO (device configuration overlay). (forensic license only)

* Whenever X-Ways Forensics checks for an HPA/DCO (that is when imaging a hard disk, when adding it to a case, or when creating a Technical Details Report for it) and actually detects one, it now offers to either temporarily or permanently deactivate the HPA/DCO and make the full official disk capacity accessible, so that you can e.g. image the hard disk in its full size before it returns to its original state next time when it powers down. (forensic license only)

* The Technical Details Report can now retrieve the internal error count recorded by hard disks if available through the SMART interface.

* Better plausibility checks for deleted files in Ext* file systems.

* Representation of file system areas in certain Ext4 volumes corrected.

* The link reference (inode number) of a hard-link file in HFS+ is now shown in the Comments column. You can use the Comments filter to filter for a given inode number.

* Representation of the system files Attributes and Startup in the root directory of HFS+ volumes, if defined.

* Convenient display and deconstruction of the object ID(s) of files stored in NTFS volumes in Details mode.

* Matches for multiple hash sets are now supported in the hash set column.

* Encryption/decryption with AES accelerated on computers with multiple processor cores thanks to parallelization.

* Indexing and index optimization revised. They are now slightly faster, and are more efficient in memory utilization.

* Improved sorting performance for the columns for which sorting became slower with v15.4 (date columns, SC%, pixels, owner, hard-link count, ...).

* That .eml files are renamed to .txt when copying files off the image for inclusion in the report so that Internet Explorer can open them, is now optional, so that Firefox can send such files to Outlook Express.

* Pictures can now be optionally embedded directly in the HTML report as inline code, so that there is no need any more for separate files in the report subdirectory. Of course, this greatly increases the size of the HTML file.

* The folder for scripts is now also used as the folder for templates.

* That the general folder for images is preselected when adding images to the case is now optional.

* Many minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 16, 2010 - 5:55:   

Beta 2:

* When importing a hash set, X-Ways Forensics automatically filters out duplicate hash values within that hash set. This has a big effect on the US NIST NSRL RDS database for example and reduces its size tremendously. If your hash database already contains hash sets with duplicates, those will be eliminated by v15.6 as well next time when you import any other hash set. Hash databases used by v15.6 and later cannot be opened any more by v15.1 or earlier.

* The Sender and Recipients columns are now populated for e-mail attachments, too, so that even when you focus on attachments you can immediately tell who sent that file to whom, and don't have to navigate to the parent e-mail message to find out (e.g. by pressing the Backspace key). You can also filter for attachments via Sender/Recipient.

* The Sender and Recipients fields are now copied into evidence file containers for e-mail messages extracted from PST/OST files without the MAPI method.

* Sorting many e-mail messages by Sender or Recipients was potentially very slow in earlier versions, except in v15.5 for e-mails extracted from PST/OST archives not via MAPI. Sorting by Sender or Recipients is now generally fast for e-mail extracted with v15.6.

* Sender and Recipients as well as an internal creation date are now extracted from original .eml files (i.e. .eml files not created by X-Ways Forensics when extracting e-mails from e-mail archives) when extracting internal metadata from such files.

* Fixed an error that could cause instability when using the Sender/Recipient filter.

* The Attribute filter for "e?" did not work for files that were marked as e-mail attachments. This was fixed.

* Ability to finalize/convert/encrypt evidence file container in X-Ways Investigator after filling them, just like in X-Ways Forensics. Useful for example when investigators need to forward identified incriminating files (e.g. CP) to other departments/agencies in an encrypted state. In order to not unnecessarily confuse users of X-Ways Investigator who don't need this ability, it can be disabled with the new switch +32 in investigator.ini.

* Option to always specifically run WinHex/X-Ways Forensics as administrator under Windows Vista/7 (see General Options).

* Option to automatically restart the program when a restart is necessary after changing certain settings.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 22, 2010 - 3:00:   

Beta 3:

* Some bugs from v15.6 Beta 2 were fixed that concerned hash set matching and keyword searches.

Hash set matches gathered with earlier v15.6 releases unfortunately cannot be imported by v15.6 Beta 3 and later.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 24, 2010 - 0:31:   

Beta 4:

* Ability to optionally store the key for already added AES-encrypted .e01 evidence files in the case file, so that you don't have to enter it over and over again when opening the evidence object. This is convenient, but 100% secure only if you protect your case files.

* Fixed an error in the hash set filter from Beta 3.

* Fixed an error that could corrupt the loaded file type category definitions and lead to an empty File Type Categories.txt file.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 26, 2010 - 18:08:   

Beta 5:

* Metadata extraction from HTML documents.

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 1, 2010 - 14:47:   

v15.6 was just released.

Additional changes since last beta version:

* Simple and quick plausibility check for internally reconstructed RAID 5 that warns you immediately after reconstruction if the parity does not match.

* A new directory browser option now controls whether files with child objects will be typically viewed or explored on a double-click. If the checkbox is half-checked, you will be prompted whenever double-clicking such a file. In earlier versions such a file was always explored, although it might have been more intuitive to view it (think of a MS Office 2007 or OpenOffice document with XML files as child objects).
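
The RAID 5 parity plausibility check mentioned in the post above can be illustrated as follows; this is an added example, not part of the original post and not X-Ways code. It relies only on the RAID 5 property that the XOR of all member disks at the same offset is zero, and it shows that a check of this kind flags a stale or foreign member but is independent of member order and stripe size. All function names, the parity rotation and the sample data are constructed for the illustration.

```python
import hashlib

SECTOR = 512

def xor_blocks(blocks):
    """XOR equally sized byte blocks together."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")

def build_raid5(data, n_disks, stripe):
    """Constructed test array: rotating parity, data chunks fill the other members."""
    row_bytes = stripe * (n_disks - 1)
    data += bytes(-len(data) % row_bytes)          # pad the last row
    disks = [bytearray() for _ in range(n_disks)]
    for r in range(len(data) // row_bytes):
        row = data[r * row_bytes:(r + 1) * row_bytes]
        chunks = [row[i * stripe:(i + 1) * stripe] for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1) - (r % n_disks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d] += xor_blocks(chunks) if d == parity_disk else next(it)
    return disks

def parity_mismatches(members, sector=SECTOR, step=1):
    """Return sector numbers where the XOR across all members is not zero."""
    length = min(len(m) for m in members)
    bad = []
    for off in range(0, length - sector + 1, sector * step):
        if any(xor_blocks([m[off:off + sector] for m in members])):
            bad.append(off // sector)
    return bad

def demo():
    # Constructed, deterministic sample data: 8 rows on a 4-disk array.
    data = hashlib.shake_128(b"constructed sample data").digest(8 * 3 * 4096)
    disks = build_raid5(data, n_disks=4, stripe=4096)
    stale = [bytearray(d) for d in disks]
    stale[1][5 * SECTOR + 10] ^= 0xFF              # one out-of-date sector
    reordered = [disks[2], disks[1], disks[0], disks[3]]
    return {
        "consistent": parity_mismatches(disks),
        "stale_member": parity_mismatches(stale),
        "wrong_order": parity_mismatches(reordered),
    }

if __name__ == "__main__":
    for name, bad in demo().items():
        print(f"{name}: {len(bad)} mismatching sector(s) {bad[:5]}")
```

A clean result therefore confirms that the members belong together and are consistent; disk order and stripe size still have to be validated by other means, such as checking that file system structures parse.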
Michael Felber
Username: michaelfelber

Registered: N/A
Posted on Monday, Mar 1, 2010 - 14:59:   

download link broken?
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 1, 2010 - 15:11:   

No.
Michael Felber
Username: michaelfelber

Registered: N/A
Posted on Monday, Mar 1, 2010 - 16:16:   

sorry, it's no Beta anymore....
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 1, 2010 - 17:34:   

SR-1:

* Avoids a memory allocation error message when trying to open certain files with a size of 0 bytes on NTFS volumes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 3, 2010 - 14:18:   

SR-2:

* The preview of various system files was unavailable. This was fixed.

* Exception error prevented that could occur when processing certain malformed e-mail header lines.

* Fixed an error that prevented opening extracted e-mail messages or attachments with a long internal path.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 18, 2010 - 7:17:   

SR-3:

* Support for very long paths and subject lines of e-mails in PST/OST e-mail archives for extraction with the non-MAPI method, in excess of 259 characters.

* When attaching a directory on one of your own drives to the volume snapshot of an evidence object, subdirectories are now included as well, recursively, and the partial directory tree is replicated in the volume snapshot with the help of virtual directories. This functionality is now available through a separate context menu command, no longer by holding the Ctrl key when invoking the "Attach external file" menu command.

* Help button and separate help topic for Recover/Copy.

* Support for restore points in metadata extraction: internal creation date extracted from rp.log and Details mode extended for change.log

* New Attributes filter for files that are child objects of other files (not of directories).

* Windows system SIDs now resolved in Owner column also, not only in NTFS permissions display.

* Base64 file type verification improved.

* $I file support in file type verification and carving.

* Fixes in metadata extraction.

* Fix for AOL PFC processing.

* Fix for an error that could occur on some computers when executing pff.dat and a certain DLL was missing.

* Correct HTML line breaks for metadata fields in case report.

* Avoided the necessity to click away an error message about failure to open files when indexing in v15.6 through SR-2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 7, 2010 - 15:48:   

SR-4:

* Sender name and recipient names (in addition to e-mail addresses) are now included in the respective columns for sent messages in Outlook PST/OST e-mail archives, too.

* Path coloring and the turquoise arrow in the Case Data window now reflect recursive exploration of the Case Root window if it's open and active, otherwise as before the status of the individual data windows of the evidence objects. (Path coloring feature not available in Windows Vista/7.)

* Exception error in metadata extraction from certain OLE2 documents fixed.

* Exception error in e-mail extraction prevented.

* "Unable to record a search hit" problem fixed for certain search terms containing German umlauts.

* Fixed a memory leak that could occur when taking a volume snapshot of certain volumes formatted with Ext* file system.

* That hidden items are mandatorily listed in X-Ways Investigator is no longer enforced at every start-up of the program if investigator.ini option 31 is not in use.

* PST e-mail archive extraction with the non-MAPI method: Avoided some unnecessary error messages about items that were supposedly missing in the export, but actually were not.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 8, 2010 - 3:11:   

SR-5:

* Enabled certain keyboard shortcuts in dialog and message boxes generally that before worked only when certain button styles were active.

* Fixed an error that in SR-4 could truncate search terms.

* Time zone settings updated for Western Australia.

* Some other minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 19, 2010 - 22:26:   

SR-6:

* Improved representation of contacts, appointments, tasks and files stored in PST e-mail archives with the non-MAPI method. For example, no longer is each and every such object organized in an additional subdirectory, and you can now easily focus on such objects with the help of a new Attr. filter because they are now marked in the Attr. column as "(Misc. Outlook data)".

* Fixed memory leaks.

* Now 99 volumes can be open simultaneously in addition to the 26 drive letters (99 instead of 64 before).

* Internal creation date extracted from EDB, ETL, and SQM files.

* Fixed an exception error that could occur when trying to open deleted files on Ext* volumes that cannot be opened.

* .eml files with HTML-formatted e-mails are now optionally named .html instead of .txt when copied off the image for the case report, for viewing as HTML.

* An error was fixed that caused X-Ways Forensics to misread the true type of files within evidence file containers under certain circumstances.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, May 15, 2010 - 11:09:   

SR-7:

* The Recover/Copy command and the function to add files to an evidence file container now optionally respect any active filters and omit files that are filtered out even if directories that contain them are selected.

* When attempting to add files to a container that are not completely readable, previously that failed; such files were not added at all. Now if they are partially readable they will be added to the container with the notice "Excerpt" in the Attribute column, and if their contents cannot be read at all, they will be added with the notice "file contents unknown".

* Fixed inability to find lost Ext* partitions if formatted with certain block sizes. More options when searching for lost partitions, to avoid many false positives with new default settings.

* Special rules for e-mails when hiding duplicates now also take header.txt files into account that are often child objects of e-mail messages in PST/OST e-mail archives.

* Extended and improved file type verification algorithms

* Fixed an infinite loop that could occur under certain circumstances during the file header signature search.

* Prevented a recursion error when processing large archives containing many nested archives.

* Fixed an exception error that could occur when processing Reiser4 volumes with a very large internal tree.

* Support for many new file types in file type verification and file header signature search (e.g. TravelLog .dat files, sessionrestore.js, jump list files, various XML subtypes, various zip subtypes, ...).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 17, 2010 - 10:33:   

SR-8:

* An error was fixed that in SR-7 could cause X-Ways Forensics to misread carved files under certain circumstances.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 4, 2010 - 2:03:   

SR-9:

* Improved error tolerability and recovery as well as completeness of the non-MAPI e-mail extraction method.

* Fixed hiberfil.sys decompression for Windows 7.

* Descriptive text files that accompany images created by X-Ways Forensics are now UTF-8 encoded.

* Description field for images is now Unicode capable.

* Examiner field for images introduced, also Unicode capable.

* If the creation of a thumbnail picture for the gallery causes X-Ways Forensics to freeze or crash, you will be notified of the offending file when you restart the program.

* Avoids an exception error that in SR-8 could occur after reconstructing a RAID system.

* Various minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 9, 2010 - 15:56:   

SR-10:

* Avoids an exception error that could occur when verifying file types.

* Accelerated the process of marking duplicate files as already viewed when viewing one file that is marked as having duplicates.

* Base64 to binary conversion now automatically filters out line breaks.

* Some other minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 20, 2010 - 17:55:   

SR-11:

* If there are multiple hash set matches for the same files after matching hash values against the hash database, they are now always listed in the same order.

* If there are matches for multiple hash sets and these hash sets do not all belong to the same category, a warning is output to the Messages window.

* Avoided more redundant duplicate files/directories when adding files from volume shadow copies to the volume snapshot as part of a thorough file system data structures search on NTFS volumes.

* E-mail extraction with the non-MAPI method in rare situations produced subdirectories in the folder for temporary files that could not be deleted any more. This was fixed.

* The Ctrl+Del keyboard shortcut now additionally clears already extracted metadata for selected files.

* New version of the graphics library included. Avoids an exception error that could occur when loading certain Photoshop PSD files.

* Fixed an exception error that could occur in recent releases when using the Position Manager.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 27, 2010 - 17:29:   

SR-12:

* Skin color and b/w detection in pictures did not work correctly in v15.6 SR-11. This was fixed.

* Improved representation of notes in PST archives with the non-MAPI extraction method.

* Metadata extraction from cookies improved visually (formatting) and content-wise (often now with remote timestamp).

* Ability to use the Ctrl+Del keyboard shortcut to reset files in the volume snapshot in X-Ways Investigator, unless prevented by the new investigator.ini option +33.

* Supports larger NTFS-compressed files in NTFS.

* Fixed export of Unicode search hits.

* Avoided a rare exception error in the registry viewer and in metadata extraction.

* Some minor improvements and fixes.
glenn.andersson@broadpark.no
Username: gan

Registered: N/A
Posted on Monday, Jun 28, 2010 - 16:36:   

When I download winhex.zip from this site and start the installation it says "X-Ways Investigator 14.8". I was actually expecting Winhex 15.6. Is there something wrong with the download link or does the file winhex.zip contain the wrong application?

-gan
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 28, 2010 - 17:11:   

Please try again now. The setup program if used showed the wrong product name. Thanks.
Glenn
Username: gan

Registered: N/A
Posted on Tuesday, Jun 29, 2010 - 22:12:   

Thanks, it's working now.

gan
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 18, 2010 - 18:56:   

SR-13:

* Fixed a file creation error when using the Recover/Copy command.

* Access to physical RAM under Windows 2000/XP did not work in v15.6 SR-12. This was fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:01:   

SR-14:

* Some of the fixes introduced in later versions. Available on request to customers whose update maintenance covered v15.6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2011 - 21:28:   

SR-15:

* Many of the fixes introduced in later versions and some improvements. Highly recommended and available on request to users whose update maintenance covered no more than v15.6. This is the last service release for v15.6.

Forum operated by X-Ways Software Technology AG.