X-Ways Forensics 16.0


Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 14, 2011 - 23:21:   

A preview version of X-Ways Forensics 16.0 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* There is no performance penalty any more for selecting many or all file types for the file header signature search. File header signature searches are now considerably faster and basically limited in speed only by the medium from which the data is read.

* Ability to interpret data in the text column as text encoded in an arbitrary code page. That is very useful for East Asian code pages, Eastern European code pages and UTF-8 if the text is found outside of files that can be nicely viewed by the viewer component, e.g. floating around in free drive space. The character set/code page for the text column can now be selected via View | Character Set. Please note that you may need to select a font in General Options that contains all characters that you intend to read, and for East Asian characters you need to have support for these kinds of languages installed in Windows.

* Ability to view Windows Vista and Windows 7 event log files (.evtx), based on work by Andreas Schuster.

* Completely revised and more robust registry hive handling. Ability to find deleted keys and values in hives that contain unused space and lost keys/values in damaged/incomplete hives. If no complete path is known for keys, they will be listed as children of a new virtual key called "Path unknown". The search function in the registry viewer is now more thorough and robust.

* Analysis of free space in registry hives with the report definition file "Reg Report Free Space.txt". The free space can be as large as several MB, especially as a consequence of the use of virus scanners and registry cleaning programs.

* Windows registry report: New data type %I (ITEM list) covers not only Shell Bag (as in previous versions), but also for example desktop shortcuts. Format adjusted for Windows Vista and 7.

* When switching from File mode to Partition/Volume mode, X-Ways Forensics will now automatically point you to the offset from the point of view of the partition/volume that is equivalent to the offset within the file where the cursor was positioned last, even if the file is fragmented, if there is an equivalent position (not if the file is a compressed or virtual attached file or an extracted e-mail message or an exported video still etc.).

* New investigator.ini option +38 allows you to prevent imports of report table associations.

* Ability to specify the directory in which to create a case when creating a new case, for that particular case only.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 2, 2011 - 10:48:   

Preview 2:

* File header signature searches are now even faster.

* Registry report function further improved and revised. Deleted values are now highlighted in red in the report.

* Directories with search hits that are copied from a search hit list now receive a special name when they are created as files in the output folder.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 30, 2011 - 21:06:   

Beta 1:

* Ability to open an evidence object even if the disk or image is not currently available, via a special command in the evidence object's context menu, to see the volume snapshot. That means you can see all the file metadata stored in the volume snapshot (filename, path, file size, timestamps, attributes, etc.), can use all filters etc., but cannot see any data in sectors and cannot open/view any files.

* Improved thumbnail extraction from Windows Vista's and Windows 7's thumbcache_*.db files. Ability to assign original filenames, file paths, and modification timestamps to certain thumbnails that were previously just named with a 16-digit hex number.

* Ability to customize the notation of dates, times, and numbers (see new button in Options | General). Useful to be independent of the settings of the live system that you want to preview. Ability to display years with 2 digits only.

* The registry viewer now allows you to recursively explore all the keys and values in a hive and sort them in chronological order.

* Better Unicode support in the registry report for Asian registry hives.

* Tray notification artifacts from Windows 7 registry hives are now supported and decoded. The timestamps render these artifacts useful for computer forensics.

* Further improved support for shell bags.

* Support for two new zip subtypes: APK Android smartphone packages and KEY Apple iWork keynote presentation files.

* Sorting by search term count column has been accelerated.

* An exception error was fixed that could occur when viewing EVTX event log files.

* Fixed an exception error that could occur when extracting metadata from carved MP4 and ASF files.

* Hash database functions internally reworked. When importing the NSRL RDS hash database, X-Ways Forensics now checks for records with the flags "s" (special) and "m" (malicious) so that these hash values are not erroneously included in the same internal hash set that should be categorized as irrelevant.

* All improvements of v15.9 SR-7.
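
The NSRL import rule from the Beta 1 notes above, as an added Python example that is not part of the original post and not X-Ways code. It assumes the RDS `NSRLFile.txt` CSV layout with a `SpecialCode` column; the sample records and their repeated-digit "hashes" are constructed.

```python
import csv
import io

HEADER = ('"SHA-1","MD5","CRC32","FileName","FileSize",'
          '"ProductCode","OpSystemCode","SpecialCode"')

def _row(ch, name, flag):
    # Constructed record: the "hashes" are one repeated hex digit, not real values.
    return f'"{ch * 40}","{ch * 32}","{ch * 8}","{name}",1024,1,"WIN","{flag}"'

SAMPLE_RDS = "\n".join([
    HEADER,
    _row("A", "notepad.exe", ""),
    _row("B", "tool.exe", "M"),
    _row("C", "stego.exe", "s"),      # flag case is normalised below
    _row("D", "shared.dll", ""),
    _row("D", "shared.dll", "M"),     # same hash also listed as malicious
])

def split_rds(text):
    """Partition RDS records into hash sets by SpecialCode flag."""
    sets = {"irrelevant": set(), "special": set(), "malicious": set()}
    by_flag = {"": "irrelevant", "S": "special", "M": "malicious"}
    for rec in csv.DictReader(io.StringIO(text)):
        flag = (rec.get("SpecialCode") or "").strip().upper()
        bucket = by_flag.get(flag)
        if bucket is None:
            continue  # unknown flag: never silently treat it as irrelevant
        sets[bucket].add(rec["SHA-1"].upper())
    # A hash flagged anywhere must not remain in the "known irrelevant" set,
    # otherwise a filter on that set would hide a notable file.
    sets["irrelevant"] -= sets["special"] | sets["malicious"]
    return sets

if __name__ == "__main__":
    for name, hashes in split_rds(SAMPLE_RDS).items():
        print(name, sorted(h[:8] for h in hashes))
```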
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 31, 2011 - 9:58:   

Beta 2:

* Technical information about segmented .e01 evidence files could occur repeatedly in the evidence object properties. This was fixed.

* Beta 1 was missing a file when starting up the program.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 13, 2011 - 0:32:   

Beta 3:

* It is now possible to abort lengthy sort operations. The directory browser is now unsorted after start-up by default. This new behavior can be turned off in the directory browser options.

* The grouping options now have an effect even if the directory browser is not sorted.

* The option to display fractions of seconds in high resolution timestamps has been moved from the directory browser options to the new notation options. The option to display the time zone bias has also been moved to the notation options.

* The report table filter has a new option that allows you to additionally include siblings of the associated files, i.e. files in the same directory as the files that are part of the selected report table(s). Useful, especially when exploring recursively and sorting by path, to check whether there are any further notable files in the neighborhood.

* Ability to optionally also add any known duplicates of the selected file(s) in the same evidence object to a report table (files which have been identified as duplicates based on hash values and marked as such in the Attr. column).

* Ability to identify animated GIFs. Animated GIFs will be added to a special report table during the file type verification.

* Ability to select the character set/code page for Disk/Partition/File mode in X-Ways Investigator (tentatively included).

* Licensed users of X-Ways Forensics with active update maintenance can now conveniently find older versions for download if needed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 13, 2011 - 12:11:   

Also in Beta 3:

* Registry value slack has a relevant size in NTUSER.DAT hives. This fact is now exploited with 2 measures:

1) If the slack contains text strings, it will be output in the registry report (in green). This new feature can optionally be turned off in the registry viewer context menu.

2) For values that contain item lists (i.e. are binary) you can use the "Reg Report Free Space.txt" definitions; the registry report will then output lists of filenames with timestamps in green. The first timestamp is an access date, the second one is a creation date. If no timestamps can be output, these are artifacts from "RecentDocs".

* Deleted registry values are now highlighted in the report in red color.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 19, 2011 - 13:13:   

Beta 4:

* Tools | Disk Tools | Clone Disk now allows for reverse disk cloning and reverse disk imaging (requires a specialist or forensic license). Useful if the disk to acquire has severe physical defects that for example cause a disk imaging program or the entire Windows system to freeze or crash when reaching a certain sector. In such a case you can create an image in reverse order, by reading sectors from the end of the disk backwards, and it is even possible to automatically fill an existing incomplete ordinary ("forward") image additionally backwards to get an image that is as complete as possible, with only a small zeroed gap somewhere in the middle that represents the unreadable damaged spot on the source hard disk. Yes, X-Ways Forensics is quite a sophisticated disk imaging tool not only because of its speed, and we would like to remind everyone that additional dongles just for disk imaging are available for much less than the cost of a full license (see http://www.x-ways.net/forensics/dongle.html#imaging).

* With additional dongles for X-Ways Forensics just for disk imaging you can now additionally use the Tools | Disk Tools | Clone Disk functionality.

* Some further improvements in registry report generation.
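
The forward-then-reverse acquisition described in the Beta 4 notes above, as an added Python simulation that is not part of the original post and does not show how X-Ways implements it. `FlakyDisk` and all function names are hypothetical; the damaged disk is constructed in memory.

```python
SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a damaged source disk: reads in `bad` fail."""
    def __init__(self, sectors, bad):
        self.sectors, self.bad = sectors, set(bad)

    def read(self, lba):
        if lba in self.bad:
            raise IOError(f"unreadable sector {lba}")
        return bytes([lba % 251 + 1]) * SECTOR   # non-zero, sector-specific data

def forward_pass(disk, image):
    """Ordinary imaging: stop at the first unreadable sector and return its LBA."""
    for lba in range(disk.sectors):
        try:
            image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read(lba)
        except IOError:
            return lba
    return disk.sectors

def reverse_fill(disk, image, forward_end):
    """Fill the same image from the last sector backwards, down to forward_end.
    Returns the LBA of the lowest sector recovered by this pass."""
    lowest = disk.sectors
    for lba in range(disk.sectors - 1, forward_end - 1, -1):
        try:
            image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read(lba)
        except IOError:
            break                                 # reached the damaged spot from behind
        lowest = lba
    return lowest

def acquire(disk):
    image = bytearray(disk.sectors * SECTOR)      # unread sectors stay zero-filled
    fwd_end = forward_pass(disk, image)
    rev_start = reverse_fill(disk, image, fwd_end)
    return image, (fwd_end, rev_start)            # gap is sectors [fwd_end, rev_start)

if __name__ == "__main__":
    img, gap = acquire(FlakyDisk(100, range(40, 43)))
    print("zeroed gap (LBA range):", gap)
```

Recording the returned gap range alongside the image documents exactly which sectors are zero-filled rather than read from the source.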
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 26, 2011 - 9:03:   

v16.0 has just been released.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 26, 2011 - 13:30:   

SR-1:

* In the original release it was not possible to change the codepage for the text column. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 27, 2011 - 7:30:   

SR-2:

* Fixed a number notation issue that was present on the first execution of the program with a fresh installation only.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 28, 2011 - 12:42:   

For everyone's information: WinHex and X-Ways Forensics do not support and never have supported a date format with only single-digit days or months. Never d.m.yyyy, only dd.mm.yyyy. If you have problems with the date notation, then please choose a 2-digit notation of days and months in Options | General | Notation. Thank you.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 4, 2011 - 8:48:   

SR-3:

* Filenames are now maintained whenever possible when copying files off the evidence objects for inclusion in the case report.

* Larger Windows system fonts now have an effect also on the directory browser.

* WinHex and X-Ways Forensics never supported recognition of date order if the date format was specified in Windows with only single-digit days or months (e.g. d.m.yyyy or m/d/yy). That was fixed.

* Script command "Find" can now run a case-insensitive search even if the search term is a variable.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 11, 2011 - 14:59:   

SR-4:

* The style "level 5 forward parity dynamic" could not be selected when reconstructing RAIDs since v15.8. That was fixed.

* Exception errors avoided in metadata extraction.

* In v16.0, X-Ways Forensics did not correctly resolve usernames when adding evidence objects with Windows installations to the case. That was fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 17, 2011 - 20:58:   

SR-5:

* File header signature searches in v16.0 did not find file types whose signatures were defined at relative offsets larger than 0. That was fixed.

* Unicode support in registry hives further completed, now also covers usernames and the Owner column in the directory browser.

* Support for Windows Image Acquisition folder MRU in registry report.

* The option to not overwrite an already existing index when starting to index again did not work. That was fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, May 21, 2011 - 16:01:   

SR-6:

* Memory leak in file header signature search of v16.0 fixed.

* Some minor improvements in registry hive processing.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, May 21, 2011 - 23:27:   

SR-6+:

* File header signature search and file type verification did not work together in SR-6. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 2, 2011 - 13:56:   

SR-7:

* Registry report further improved. One exception error fixed.

* Small memory leak in file header signature search fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 14, 2011 - 17:50:   

SR-8:

* Fixed memory leak in particularly thorough file system data structure search for ReiserFS file systems.

* Some memory-intensive functions were slow in SR-7. That was fixed.

* Minor fix for dealing with NTFS volumes in excess of 2 TB.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 17, 2011 - 12:06:   

SR-9:

* Support for larger sector numbers in Tools | Disk Tools | Set Disk Parameters.

* Special registry table "Attached devices by serial number" was incomplete in v16.0 SR-8. That was fixed.

* Able to cope with certain malformed multi-part e-mail messages.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 26, 2011 - 19:56:   

SR-10:

* Fixed a problem with illegal filenames when copying files off the image for inclusion in the report.

* Updated registry report definition files.

* Ability to extract creation dates from e-mail messages with a Microsoft FILETIME date.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 11, 2011 - 11:37:   

SR-11:

* An error was fixed in the file header signature search in v16.0 that could occur with some signatures when searching at the byte level.

* Avoided a rare error that could apparently occur when interpreting evidence file containers that contained files without names.

* Avoided an exception error that could occur when taking a snapshot of large Ext4 volumes with many inodes and small blocks.

* Disk cloning did not report the complete number of sectors copied correctly if over 2 TB. That was fixed.

* Ready to open case files created by v16.1 Beta 2 and later.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2011 - 21:29:   

SR-12:

* Many of the fixes introduced in later versions, some of them important. Some improvements. Highly recommended and available on request to users whose update maintenance covered no more than v16.0.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 24, 2012 - 21:42:   

SR-13:

* Some of the fixes and improvements introduced in later versions. Highly recommended and available on request to users whose update maintenance covered no more than v16.0. This is probably the last service release for v16.0.

Forum operated by X-Ways Software Technology AG.