X-Ways Forensics 15.9 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 15.9 « Previous Next »

Author Message
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 28, 2010 - 15:46:   

A preview version of X-Ways Forensics 15.9 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Improved and more informative Windows Registry report that can output selected portions of the key path in addition to the values. This is helpful for the interpretation of many registry values and renders it unnecessary for users to search for relevant information in the key path themselves.

* Generally accelerated registry report generation.

* Additional information is extracted for the registry report from Windows 7 registries about volume shadow copies, legacy programs, and Default Gateway MAC.

* Ability to save and load lists of report table names from the report table association dialog window. Useful to start right away with a set of predefined report tables as typically needed for a certain kind of case.

* Ability to import the valid data length of files that originate from NTFS volumes from evidence file containers as created by v15.4 SR-4 and later.

* Kerio Connect store.fdb files that can be processed like PST/OST files added as supported e-mail archive type.

* When creating a case report and copying files for inclusion in the report, the same easily readable representation of $LogFile, $UsnJrnl:$J, restore point change logs, $I recycle bin and Windows XP prefetch files as known from Preview mode will be output instead of the original file.

* Tools | File Tools | Wipe Securely has been accelerated.

* Some other minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 4, 2010 - 5:42:   

Preview 2:

* New investigator.ini option +35 prevents users of X-Ways Investigator from deactivating the strict drive letter protection. Before it was generally not possible to deactivate it in X-Ways Investigator, now it is generally possible.

* New investigator.ini option +36 prevents users of X-Ways Investigator from creating case reports.

* New investigator.ini option +37 prevents users of X-Ways Investigator from creating cases.

* Recipients on Bcc in received e-mail (rare and illogical, but apparently possible and seen in real life) are now included in the Recipient field of the directory browser.

* Fixed an error of Preview 1 that could prevent the user from closing the Simultaneous Search dialog window.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 16, 2010 - 10:06:   

Beta 1:

* A sophisticated new search algorithm tremendously accelerates conventional (non-index) searches with many search terms and search variants (i.e. character sets/code pages, case insensitivity). Forensic license only. For example, for a case-insensitive search for 6 search terms in code page 1252 and Unicode, the new search algorithm can be twice as fast. With 18 search terms, it can be 8 times as fast. With 40 search terms, it can be 20 times as fast. (Please note that this comparison is for the mere search algorithm only and excludes the time needed for disk I/O.) In this beta version you can explicitly choose between the new and the old search algorithm.

* With the new search algorithms, the word boundary anchor \b now works in Unicode, too (for English, German, and French letters, just like in code page 1252).

* Two new directory browser columns have been introduced (forensic license only). After you have run keyword searches, the "#ST" column tells you for each file the number of search terms that have been found in it. The "Search terms" column lists up to 10 of these search terms (in a random order). Note that this happens for all search hits that have not been deleted and for all search terms ever used in a case, not for only the search terms that may have been selected in the search term list. The benefits of these two additional columns are that you can see contained search terms even in the normal directory browser (not only in the search hit list) and that you can sort by the #ST column to get files listed first that are likely more relevant (because they contain more of the search terms that you were looking for). These columns are populated only for evidence objects of a case.

* The number of actually contained chunks in .e01 evidence files is now output in the evidence object properties. Useful to know for incomplete images.

* Some minor improvements.

* Same fix level as v15.8 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 18, 2010 - 19:35:   

Beta 2:

* Fixed erroneous output that could occur when searching in an index for characters that were not indexed, when actually no output should been produced.

* Fixed error message that was output in Beta 1 when invoking the General Options dialog.

* PST/OST e-mail extraction slightly revised.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 19, 2010 - 20:05:   

Beta 3:

* Ability to display the name of the evidence object name where SID/username combinations were found, if recorded.

* Ability to convert Motorola S files to binary that define data in a range of more than 2 GB.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 22, 2010 - 0:15:   

Beta 4:

* Ability to export report table associations created in an evidence file container, such that they can be imported back into the original case. That means when you split up the workload in large cases across multiple investigators who work simultaneously, you can now automatically and more easily reconcile their results!

* It is also now possible to export report table associations from original evidence objects (not containers), so even when not working with containers, multiple examiners can work with their own copy of the same case and exchange results with each other or reconcile all results in the main copy of the case, all that by exporting and importing report table associations.

Both commands, the export and import of report table associations, can be found in the context menu of the case tree. Export is supported at the case and evidence object level, import at the case level.

Please note that you cannot import report table associations in the original case any more if you have taken a new volume snapshot after the creation of the evidence file container(s) or if you have removed objects from the volume snapshot.

* Attachments can now be embedded in their respective .eml parent files also when creating a case report, not only when using the Recover/Copy command.

* Usage of the option to embed attachments in .eml files as Base64 code already when extracting e-mail from e-mail archives was discouraged already for some years, for good reasons. The option now has been finally completely removed. The alternatives have already been pointed out over and over again because they were ignored by some users until today.

* When matching hash values against the hash database, if X-Ways Forensics finds a hash value in different hash sets that belong to different categories, a warning is output (since v15.6). Now it is guaranteed that the category that is returned in such a case is always "notable".
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 29, 2010 - 12:56:   

Beta 5:

* The standard registry report definition file was split into 8 parts, so that any time you create the report you can choose which parts you need. As before, you can change the definition files as you see fit, or create your own ones for specific purposes/for different kinds of cases.

* Better prepared for certain PST files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 5, 2011 - 20:53:   

Beta 6:

* Ability to carve, confirm, and view Outlook 2011 for Mac e-mails and extract attachments from them.

* Some smaller improvements.

* Memory leak in file header signature search fixed that was specific to v15.9 Beta.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 11, 2011 - 20:54:   

Beta 7:

* Memory leak of v15.9 Beta in search engine fixed.

* Registry report errors fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 14, 2011 - 12:12:   

Beta 8:

* Filter for the new search term column introduced.

* Displays the number of search hits that would be listed based on current settings for search terms if they were selected.

* Byte-level signature searches did not work before in v15.9 Beta. This was fixed.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 16, 2011 - 10:09:   

Beta 9:

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 20, 2011 - 12:21:   

Beta 10:

* The external virus check did not work correctly (and informed the user about that) in v15.6 through v15.8. This was fixed.

* Fixed a memory leak in e-mail extraction.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 24, 2011 - 16:15:   

v15.9 has just been released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 28, 2011 - 7:53:   

SR-1:

* General support for sector sizes up to 8 KB (previous maximum: 4 KB).

* Support for GPT partitioning on media with 4 KB and 8 KB sector sizes.

* Ability to deal with HFS+/HFSX volumes on media with sector sizes larger than 2 KB, as seen in iPhones and iPads.

* Ability to auto-detect the sector size in raw images of GPT-partitioned disk with sector sizes of 4 KB and 8 KB.

* Ability to auto-detect the sector size in most raw images of MBR-partitioned disks with a sector size of 4 KB.

* Partial progress of volume snapshot refinements is now saved when the case auto-save interval elapses.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 31, 2011 - 18:28:   

SR-2:

* The "List 1 hit per file only" option did not work correctly in v15.9. This was fixed.

* Improved function to delete duplicate search hits. When in doubt, X-Ways Forensics will now keep the longer search hit (as a hit for "Smithsonian" for example is more specific than "Smith") and favors search hits in existing files.

* Accelerated time to list millions of search hits.

* The Open Disk dialog window was wrong when not working with a case. That was fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 6, 2011 - 14:28:   

SR-3:

* The hash set filter did not work in v15.9. That was fixed.

* Avoided an exception error that could occur under certain circumstances when running a byte-level signature search.

* If the context preview of search hits in files in large archives is too slow, it can now be disabled by unselecting the existing option "Gallery: Show pictures in archives".

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 16, 2011 - 0:26:   

SR-4:

* Avoided an exception error that could occur when the case root window was automatically opened at start-up.

* Avoided (potentially annoying, but harmless) messages that could be displayed by Windows when working with images on write-protected drives.

* Fixed an error that could occur when loading volume snapshots with more than 6 million objects.

* Drive letters were missing in the special tables of the registry report in earlier releases of 15.9. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 22, 2011 - 11:22:   

SR-5:

* With the new search algorithm, GREP expressions of variable length were found in v15.9 with their shortest matches instead of their longest possible matches as before. This was changed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 9, 2011 - 16:00:   

SR-6:

* Avoids an exception error that occurred in v15.9 SR-5 when trying to refine the volume snapshot without a case.

* Fixed erroneous disappearance of partitions in the case tree when removing hidden items from the volume snapshot of a physical disk.

* Avoided an exception error that could occur when starting to use the Recover/Copy functionality.

* Fixed an error that occurred with .e01 evidence files that have more than 775 segments.

* Japanese translation updated.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 30, 2011 - 21:05:   

SR-7:

* HFS+ partition size detection on disks with Apple partition table fixed.

* Ability to deal with volumes with cluster sizes of more than 128 sectors, which seem to be not uncommon in the exFAT file system.

* Fixed an exception error that could occur in certain situations with the new v15.9 search algorithm.

* In WinHex 15.7 through 15.9 with a specialist license, the simultaneous search function was unable to run a case-insensitive search correctly. That was fixed.

* Improved handling of the internal volume snapshot files if reading or writing these files fails because of insufficient drive space or other system resources, file system errors, or other reasons.

* More complete assignment of drive letters in the "Attached Devices" section of the registry report.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 13, 2011 - 11:39:   

SR-8:

* Internal technical information about .e01 evidence files were potentially included more than once in the evidence object properties before. That was fixed.

* Windows 7 compatible import of regional settings (date format).

* Fixed an exception error that could occur when using the old search algorithm from prior to v15.9.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2011 - 21:29:   

SR-9:

* Many of the fixes introduced in later versions and some improvements. Highly recommended and available on request to users whose update maintenance covered no more than v15.9.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 24, 2012 - 21:42:   

SR-10:

* Some of the fixes and improvements introduced in later versions. Highly recommended and available on request to users whose update maintenance covered no more than v15.9. This is the last service release for v15.9.

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.