X-Ways Forensics 16.2

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 18, 2011 - 18:42:   

A preview version of X-Ways Forensics 16.2 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Ability to search and index in up to 5 code pages simultaneously (including UTF-16 Unicode), 2 more than before. Useful for languages for which several code pages are commonly in use, e.g. Chinese and Japanese.

* Code pages are now always listed for selection in ascending order of their numeric identifiers.

* Ability to visually compare different single-byte code pages thanks to simultaneous code page tables (View | Tables | Hexadecimal / Code Page).

* Code page independent GREP searches for exact byte values enabled by selecting a "non" code page called "Direct byte-wise translation for GREP", which translates byte values without any mapping for certain code pages or case matching.

* Ability to search in big-endian UTF-16 Unicode. (However, the search hits are readable only in Western European languages.)

* Some other improvements to the GREP search engine.

* Each search hit now remembers in which code page it was found. You can see the code page in the search hit description column.

* X-Ways Forensics now preserves and displays paths/directories when exploring file archives.

* Ability to only include the number of items in a report table in the report, not a list of those items.

* The volume snapshot options are now available directly via the Options menu.

* A new option among the directory browser options allows you to tag or hide files in the directory browser non-recursively, such that tagging/untagging/hiding/unhiding a file has no effect on parent or child objects or parent or subdirectories. Useful for example if all child objects of a file should be processed in volume snapshot refinement or searched, but not the parent object. Previously it was not possible to have an untagged parent object whose child objects are all tagged. If the recursive tagging option is in its middle state, that means that child objects still inherit the tagged state from their parent at the moment when they are newly added to the volume snapshot, e.g. when you extract e-mail and attachment from an e-mail archive.

* Whether tagging and hiding works recursively or not can now also be controlled by holding the Shift key.

* If main memory is represented as a physical disk, for example because it is the RAM of a remote computer accessible via F-Response or because it is a raw memory dump or .e01 evidence file with a memory dump interpreted as a physical disk, it is now possible to open a "Volume" from within the "physical disk" in which X-Ways Forensics offers its main memory analysis.

* Newly created .e01 evidence files of memory will be internally marked as images of volumes rather than physical disks such that even older versions will be able to recognize them as memory dumps.

* If a memory dump is misinterpreted as a physical disk image with a sector size of 512 bytes, the "volume" that can be opened from within will be successfully re-interpreted as having the appropriate sector size (or actually page size in this case) of 4 KB.

* Exceptions in metadata extraction fixed.

* .lnk shortcut file interpretation revised.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 24, 2011 - 19:38:   

Preview 2:

* Support for Outlook compressible encryption as a code page for the text column and simultaneous searches.

* Ability to display certain TIFF pictures with old-style JPEG compression.

* Ability to check the consistency of the format of files of known types and output "OK" or "corrupt" in the Type Status column and filter for these properties. In later releases the consistency will be checked, depending on the file type, during file header signature search, file type verification and/or metadata extraction. In this release only the consistency of JPEG files is checked, and only when running a file header signature search.

* Recover/Copy: Ability to copy only direct children and not all descendants recursively, by checking the box only half. That can be useful for example when you want to copy e-mails off the image and embed their attachments, but don't care for further children of the attachments that X-Ways Forensics has extracted from them.

* E-mail extraction from Exchange EDB databases improved (same revision level as v16.1 SR-7).

* Dynamic adaption of the video still export interval based on the video play length when using MPlayer. The longer the video, the longer the interval.

* Until now, report tables were not a good means to categorize more than 10,000 or 100,000 files in volume snapshots with millions of files. Filtering and sorting by report tables was slow with such huge numbers. That has changed. It is now quick to filter and sort by report tables with several 100,000 associations in huge volume snapshots.

* Report table items are now output in the case report in the order of the internal ID within each evidence object, no longer in the order in which the files were added to the report tables.

* Recover/Copy: The length of the names of artificial subdirectories created in the output folder to accommodate child objects of files is now limited to a user-defined number of characters, 32 by default. This is useful in particular for e-mail messages that are named after the subject line and of course can contain attachments as child objects, to avoid overlong paths.

* Recover/Copy: The suffix used to name artificial subdirectories created in the output folder to accommodate child objects of files is now fully user-definable.

* Proximity searches did not work in the first preview version. That was fixed.

* Several minor improvements.

* Older versions of X-Ways Forensics cannot read the volume snapshot format used by v16.2 and later.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 26, 2011 - 0:16:   

Preview 3:

* Ability to sort in the directory browser by up to 3 criteria (instead of 2 as before).

* Sorting by Name and Path is now case-insensitive.

A note about sorting: A few times I got the impression that some users have a wrong idea about how multi-criteria sorting works. They believe that somehow when sorting for example by modification date and access date that both files with either very late modification dates and very late access dates will be listed near the bottom. However, that is a misconception. There is a clear hierarchy. The secondary sort criterion is used to sort items only if these items have exactly the same value for the primary sort criterion (and that is *very* rarely the case for timestamps with such a high precision as provided by the NTFS file system). The separate criteria are not somehow magically "merged" to a unified single criterion that based on some model linearly orders all items. Similarly now with 3 sort criteria, the tertiary criterion is used only if items have exactly the same values for the primary and the secondary sort criterion.

* Option to output files in the report either grouped by evidence object (as before) and sorted by internal ID or (and this is new) in the order as they are currently listed in the case root window, where you can freely change the order thanks to now up to 3 sort criteria. Note that if you choose the second option, files that are not listed in the case root window will not be output, even if they are part of a report table. That means that current filter settings now can have an effect on the generation of the report, too. If files are omitted because they are not listed in the case root window at the time of report generation, you will be notified of that in the report and in a message box.

* Ability to deal with NTFS volumes with more than 2^31 (and up to 2^32) clusters.

* Speed quadrupled (!) for unused areas when imaging volumes with the option to exclude data in free clusters. Depends on compression level.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 27, 2011 - 1:35:   

Preview 4:

* Supports skipping free clusters now even for partitions when imaging MBR- and GPT-partitioned physical disks, not only when imaging pure volumes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 3, 2011 - 21:55:   

Beta:

* Improved support for volumes with more than 2^31 clusters.

* The search engine now assigns search hits to more than one GREP expression if multiple expressions are equivalent.

* Ability to watermark optionally omitted free space in an image at the start of each sector with a Unicode text string, so that when working with the image you are reminded of the omission when you look at data in drive free space.

* Recover/Copy: Ability to copy files with a partial path from the case root window. In that case only the evidence object name is used as the path, not the path within the evidence object.

* Several minor improvements.

Also to be expected in v16.1 SR-8:

* Avoided an exception error that could occur after failed memory allocations.

* Improved compatibility with new viewer component version 8.3.7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 10, 2011 - 17:36:   

Beta 2:

* Includes the computer name and user name in the imaging log.

* The file header signature search classifies found RAR archives as corrupt if they cannot be carved completely.

* Accelerated filling of containers in certain situations.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 13, 2011 - 15:01:   

v16.2 has just been released.

Additional changes since the last beta version:

* Correct encoding of angled brackets that occur in Windows registry values for the output in registry HTML reports based on advice by TronicGuard / Martin Wundram.

* Improved ability to deal with certain corrupt registry hives.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 13, 2011 - 22:44:   

SR-1:

* Recover/Copy: Fixed inability to preserve timestamps when copying extracted e-mail messages.

* Fixed inability of the original v16.2 release to run a file header signature search when at the same time verifying file types.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 17, 2011 - 19:38:   

SR-2:

* Fixed an exception error that could occur when running a file header signature search for Gzip archives in v16.1 SR-6 and later.

* Under certain circumstances, files with child objects were often copied twice to evidence file containers by v16.2. That was fixed.

* Child objects of zip-styled Office documents were not correctly copied to evidence file containers using volume snapshots refined by v16.2. The volume snapshot refinement was fixed.

* Fixed an exception error that could occur when extracting metadata from certain ASF/WMV files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 24, 2011 - 21:49:   

SR-3:

* The file header signature search did not work for some file types in v16.2 SR-2. That was fixed.

* Chinese translation of the user interface updated.

* Slightly more complete e-mail header field extraction.

* Avoided exception error when processing certain corrupt registry hives.

* The registry report could be slightly incomplete for certain hives. That was fixed.

* Fixed problem with very long strings in registry viewer.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 31, 2011 - 16:01:   

SR-4:

* Fixed a rare exception error that could occur when opening exFAT volumes.

* Filenames (not paths) limited to 255 characters in Recover/Copy.

* Event log output revised.

* Thumbnails extracted from thumbcache*.db are no longer named after the original picture. However, the original filename and path can still be seen in the comments if available from Windows.edb.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 1, 2011 - 14:40:   

SR-5:

* Fixed an exception error that occurred in v16.2 SR-3 and SR-4 when exploring file archives.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 7, 2011 - 12:03:   

SR-6:

* Fixed a crash that could occur when loading large registry hives.

* Fixed a crash that occurred when viewing or decoding files with the viewer component that have names longer than 255 characters.

* Fixed naming problem of SR-4 and SR-5 that could occur when copying files.

* Fixed "off by one" error in listed search hit count in search term list when using logical AND combinations (existed since v15.9).

* Fixed exception error that could occur when extracting metadata from zip archives.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 10, 2011 - 19:05:   

SR-7:

* Fixed inability to type Unicode characters other than Latin 1 into the Index Search window. That error existed since v16.1.

* Sending dongle transaction codes to the server directly did not work, only when using copy & paste on the web site. That was fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 23, 2011 - 11:36:   

SR-8:

* Fixed an error in hiberfil.sys decompression.

* Self-similar archives such as OpenOffice documents that contain old versions when explored by v16.2 through SR-7 were not copied correctly to evidence file containers and caused exception errors when reading the container. The exception errors are now prevented and the actual cause (the erroneous exploration of certain archives) has been fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 3, 2011 - 10:29:   

SR-9:

* Recover/Copy scope error fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 7, 2011 - 8:43:   

SR-10:

* Some small fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Dec 11, 2011 - 21:52:   

SR-11:

* Fixed an exception error that could occur with index searches in certain situations.

* Fixed an instability error that could occur when taking a snapshot of ReiserFS volumes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 24, 2012 - 21:41:   

SR-12:

* Some of the fixes and improvements introduced in later versions. Highly recommended and available on request to users whose update maintenance covered no more than v16.2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 22, 2012 - 14:41:   

SR-13:

* Some of the fixes and a few of the minor improvements introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v16.2. This is the last service release for v16.2.

Forum operated by X-Ways Software Technology AG.