
X-Ways Forensics 18.3 (X-Ways User Forum, Public Announcements)

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 6, 2015 - 14:46:   

A preview version of the dongle-based edition of X-Ways Forensics 18.3 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Conditional cell background coloring is now available as an option in Options | Directory Browser. Helps to draw your attention to items of interest without having to filter out all non-matching items. Matching items are found through a substring search in the cell contents of a selected column. Substring expressions may be up to 15 characters long. If a match is detected in a cell, either only the background of that particular cell can be colored (called "cell-targeted coloring") or the entire line. To color an entire column, regardless of the cell contents, activate cell-targeted coloring for that column and specify an empty condition string, i.e. no condition at all.

If a cell meets multiple cell-targeted conditions or multiple line-targeted conditions, only the first condition of each group will be applied. If different conditions apply to the same cell (one cell-targeted and one line-targeted color), that cell will be shown in a mix of both colors. For line-targeted coloring, only the first 255 characters in the respective cell are guaranteed to be searched.

Conditions cannot be defined for search hit specific columns, but they can be for event specific columns. That can prove useful when trying to identify patterns in events. For example, you could color all events of type "Program started" in red and log-in events in yellow and see more easily how far apart from each other they are.

Conditional cell background coloring is case-specific if "Store directory browser settings in cases" is selected. It is also stored in and loaded from .settings files. .settings files continue to be compatible with previous versions. Up to 8 conditions may be defined.

* Hash set filter considerably accelerated for volume snapshots with a huge number of hash set matches. Previous versions will not be able to load hash set matches saved by v18.3 and later any more.

* Child objects of files now inherit the hash category "irrelevant" from their parents. That is possible because if an entire file is irrelevant, everything that can be extracted from that file must also be irrelevant. However, what is extracted from a "notable" file is not necessarily also notable, because perhaps only some parts or aspects of the parent file are notable. Of course, child objects of irrelevant parents will only be output if the user chooses to not omit irrelevant files from further processing in the first place.

* Ability to specifically copy text from the text column as Unicode even when the text column is not displayed in Unicode, or specifically as ANSI-encoded text even when the text column is not displayed as ANSI ASCII, using an additional command in the Edit | Copy menu. This command is potentially important because some users are unfamiliar with fundamental computing concepts like character sets or null-terminated strings, and they think that English language text in UTF-16 (where every other byte is 0x00) is not copied correctly by WinHex/X-Ways Forensics just because a text editor or word processing program that pastes the text naturally truncates it at the first null byte. These users may now notice in the GUI that another option exists, and may decide to give it a try. Previously it was necessary to change the text column to Unicode to copy text as Unicode (which is intuitive, because of "what you see is what you get").

* Automatic progress notifications via e-mail revised. If this feature didn't work for you in previous versions, in particular in the 64-bit edition, you may want to try again. You can now freely specify the SMTP port (by default 25, with 587 also being common) and conduct a test right from the dialog window with the settings (Options | General | Progress notification...). Remember to check your spam folder when looking for incoming automatically generated e-mail messages.

* New registry report output for remote desktop connections defined.

* IPA file type recognition improved.

* Some new file types with ranks as high as 4 and 5 were added.

* Larger preferred thumbnail sizes supported in the gallery. Could be useful for users who prefer really large thumbnails and have a very high resolution display.
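The coloring rules in the first bullet (substring condition per column, cell-targeted versus line-targeted, the "first condition of each group" precedence, the mixed color, the empty condition for a whole column and the 255-character limit) are easy to misread, so here is an added example that models them. This is editor-supplied Python, not X-Ways code; the column names, color names, event rows and the case-insensitive comparison are assumptions.

```python
"""Model of the conditional cell background coloring rules from the post above.

Added example, not X-Ways Forensics code. Column names, color names and the
sample event rows are constructed; case-insensitive matching is an assumption.
Rules modelled as stated in the release notes: substring match in one column;
a cell-targeted condition colors only the matching cell, a line-targeted one the
whole line; an empty condition on a cell-targeted rule colors the entire column;
only the first matching condition of each group applies; a cell hit by both a
cell color and a line color is shown as a mix; line-targeted matching only
guarantees the first 255 characters of a cell.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_CONDITION_LEN = 15     # substring expressions may be up to 15 characters
LINE_SEARCH_LIMIT = 255    # line-targeted: only the first 255 chars are searched


@dataclass(frozen=True)
class Condition:
    column: str
    substring: str         # "" on a cell-targeted rule = color the whole column
    color: str
    cell_targeted: bool    # True: color the cell only; False: color the line

    def __post_init__(self) -> None:
        if len(self.substring) > MAX_CONDITION_LEN:
            raise ValueError("condition string longer than 15 characters")

    def matches(self, row: Dict[str, str]) -> bool:
        text = str(row.get(self.column, ""))
        if not self.cell_targeted:
            text = text[:LINE_SEARCH_LIMIT]
        return self.substring.lower() in text.lower()


def mix(cell_color: str, line_color: str) -> str:
    """Stand-in for the blended color a cell gets from two conditions."""
    return f"mix({cell_color},{line_color})"


def color_row(row: Dict[str, str], conditions: List[Condition]) -> Dict[str, str]:
    """Return {column: color} for each cell of `row` that ends up colored."""
    # First matching line-targeted condition colors every cell of the line.
    line_color: Optional[str] = next(
        (c.color for c in conditions if not c.cell_targeted and c.matches(row)), None)
    result = {col: line_color for col in row} if line_color else {}
    # First matching cell-targeted condition per column colors that cell only.
    done = set()
    for c in conditions:
        if not c.cell_targeted or c.column in done or not c.matches(row):
            continue
        done.add(c.column)
        result[c.column] = mix(c.color, line_color) if line_color else c.color
    return result


# Constructed sample: an event list with three columns.
SAMPLE_EVENTS = [
    {"Type": "Program started", "Name": "notepad.exe", "Description": "started by user"},
    {"Type": "Log-in", "Name": "alice", "Description": "interactive logon"},
    {"Type": "File access", "Name": "report.docx", "Description": "read"},
    # Condition text sits beyond the 255-character limit of a line-targeted search:
    {"Type": "Other", "Name": "x", "Description": "x" * 260 + "Program started"},
]

CONDITIONS = [
    Condition("Type", "Program started", "red", cell_targeted=False),
    Condition("Type", "Log-in", "yellow", cell_targeted=False),
    Condition("Description", "Program started", "orange", cell_targeted=False),
    Condition("Name", "alice", "green", cell_targeted=True),
    Condition("Type", "", "blue", cell_targeted=True),   # colors the whole Type column
]


def color_all(events=SAMPLE_EVENTS, conditions=CONDITIONS) -> List[Dict[str, str]]:
    return [color_row(e, conditions) for e in events]


if __name__ == "__main__":
    for row, colors in zip(SAMPLE_EVENTS, color_all()):
        print(row["Type"], "->", colors)
```

The fourth sample row is the 255-character caveat: the same condition as a cell-targeted rule would match that Description cell, the line-targeted rule does not, because only the first 255 characters are searched.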
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 7, 2015 - 20:00:   

Preview 2:

* Now up to 255 conditional coloring definitions supported. The definitions are now stored in a separate .cfg file named "Conditional Coloring.cfg".

* Some errors fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 9, 2015 - 18:58:   

Preview 3:

* PNG metadata extraction updated.

* New file carving algorithm for sessionrestore. sessionrestore is a file type ranked 4, an essential source of information from Firefox usage aside from the cache. The new algorithm can carve fragments of sessionrestore. That is important because few sessionrestore objects remain fully intact. Most artifacts found are typically from Facebook or webmail.

* New carving algorithm for e-mail fragments.

* Two separate file masks are now maintained for uncovering embedded data in various file types, for reasons of convenience. The second mask is optional and labelled as "special interest". For example malware investigators may process executable files that way when needed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 19, 2015 - 19:30:   

Beta 1:

* Ability to more easily print at least the cover page for file types which the viewer component does not support, for which it shows the message "The display engine for this format is not installed", e.g. Corel Draw or Wave files.

* No longer lists previously existing printers in print dialogs.

* Ability to enable or disable the representation of a loaded viewer X-Tension in situations where it was not supported before.

* Significantly smaller preview HTML for Windows event logs, which makes them easier to view with the viewer component. The number of processed records is listed at the bottom of the preview. Terminal Service connection events are now added to the event list with username and IP address.

* Support for another VMDK variant.

* Ability to create multiple hash sets in a single step, where the hash values of the selected files are put into hash sets that are named after each file's report table association(s). This is useful if you categorize notable files in one case using report tables (e.g. based on different types of CP), and wish to quickly identify the same files again in other cases later, and automatically see the category that you had originally assigned, as the hash set name. The new checkbox in the Create Hash Set command's dialog window is labelled "Name after report table associations, if any". If a selected file does not have any report table association, its hash value will be assigned to the hash set named as you specify, as in previous versions or as if you do not check the new checkbox.

* Ability to import PhotoDNA hash values that are stored in text files, with "PhotoDNA" in the first line, followed by 1 hash value per line in hex ASCII or Base64.

* Some operations such as Specialist | Refine Volume Snapshot and logical searches are now slightly faster when applied to actual disks, not images, most notably when these operations are applied to the C: drive opened as a drive letter C:.

* Ability to explicitly choose a larger chunk size when creating .e01 evidence files. Might be regarded as useful by some to achieve a marginally better compression ratio for ordinary data, at the expense of more time needed when creating the image and when later randomly accessing data in the image, but improves compression noticeably for extremely compressible data (e.g. a wiped or largely unused hard disk). A 512 KB chunk size reduces the image size with ideal data (e.g. only 0x00 bytes) ceteris paribus by an additional 40% compared to a 32 KB chunk size.

* Fixed simultaneous creation of multiple copies of an .e01 evidence file if encrypted.

* Combined tag status now initially displayed in Name column header even in search hit lists and event lists.

* For users who are unfamiliar with the concept of null-terminated strings and do not understand the implications of UTF-16 and binary data when they copy selected data in order to paste it as text in other Windows programs, X-Ways Forensics now displays a hint. Time and again unsuspecting users report "WinHex does not copy the text properly", when in fact the receiving application does not paste everything. These false error reports will hopefully stop.

Please remember that it is easy to eliminate zero-value bytes, by pasting the copied data in WinHex itself first (into a new data window, via Shift+Ins, which of course supports binary data and includes zero-value bytes as well as data that follows them) and then replacing 0x00 with spaces, line breaks or nothing, as you like. Another way to extract only printable characters and most likely readable text (actual words in English, German and French) from an entire data window is the Specialist | Gather Text command.

* Slightly revised context preview for search hits in nested archives.

* Several other minor improvements.
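The copy-as-Unicode bullet in the first post and the null-terminated-string paragraphs in this Beta 1 post describe the same effect. As an added illustration (editor-supplied Python, not X-Ways code), the block below reproduces it: English text in UTF-16 carries a 0x00 byte after every character, a receiver that reads a C-style ANSI string stops at the first one, and the two remedies mentioned (replacing 0x00, or gathering only printable runs) recover the text. The minimum run length and the sample blob are constructed; the real Gather Text heuristics are not reproduced.

```python
"""Null bytes in UTF-16 text and why a paste can look truncated.

Added example, not X-Ways Forensics code. English text in UTF-16 has a 0x00
byte after every character; a program that treats the clipboard as a
null-terminated ANSI string stops at the first 0x00. The helpers then show the
remedies the post mentions: replacing 0x00 with spaces, line breaks or nothing,
and gathering only runs of printable characters. The minimum run length (4) and
SAMPLE_BLOB are constructed assumptions.
"""
import re
from typing import List


def utf16_bytes(text: str) -> bytes:
    """What English text looks like in UTF-16 (little endian, as on Windows)."""
    return text.encode("utf-16-le")


def paste_as_null_terminated_ansi(data: bytes) -> str:
    """Model a receiving application that reads a C-style ANSI string."""
    end = data.find(b"\x00")
    return (data if end < 0 else data[:end]).decode("latin-1")


def replace_null_bytes(data: bytes, replacement: bytes = b"") -> bytes:
    """The Shift+Ins-into-WinHex route: replace 0x00 with spaces, CRLF or nothing."""
    return data.replace(b"\x00", replacement)


def gather_ascii_text(data: bytes, min_run: int = 4) -> List[str]:
    """Runs of at least `min_run` printable ASCII characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_run
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def gather_utf16_text(data: bytes, min_run: int = 4) -> List[str]:
    """Runs of printable characters in UTF-16LE (printable byte followed by 0x00)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_run
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]


# Constructed blob: a binary header, an ANSI string, junk, a UTF-16LE string.
SAMPLE_BLOB = (
    b"\x89PNG\r\n\x1a\n"
    + b"Hello, world"
    + b"\x00\x01\x02"
    + utf16_bytes("Account: alice")
    + b"\xff\xfe"
)

if __name__ == "__main__":
    copied = utf16_bytes("Evidence found")
    print(copied)                                   # b'E\x00v\x00i\x00d\x00...'
    print(paste_as_null_terminated_ansi(copied))    # 'E'  (looks "truncated")
    print(replace_null_bytes(copied))               # b'Evidence found'
    print(gather_ascii_text(SAMPLE_BLOB))           # ['Hello, world']
    print(gather_utf16_text(SAMPLE_BLOB))           # ['Account: alice']
```

Note that gathering plain ASCII runs finds nothing inside the UTF-16 portion of the blob, because every letter is separated by 0x00; the UTF-16 pattern (or a prior null-byte replacement) is needed for that text.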
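For the PhotoDNA import bullet, here is an added reader for the described text file layout (first line "PhotoDNA", then one hash value per line in hex ASCII or Base64). This is editor-supplied Python, not X-Ways code. Beyond what the post states, it assumes blank lines are skipped, a line is read as hex only when it has exactly the hex length of one hash (so a Base64 line that happens to use only hex characters is not misread), a 144-byte hash length (PHOTODNA_HASH_LEN, the PhotoDNA size the editor knows of; adjust if your files differ) and exact byte comparison for matching; the sample values are constructed byte patterns, not real PhotoDNA hashes.

```python
"""Reader for the PhotoDNA hash text files that Beta 1 can import.

Added example, not X-Ways Forensics code. Format per the post: first line
"PhotoDNA", then one hash value per line, in hex ASCII or Base64. Assumptions:
blank lines are skipped; a line counts as hex only if it has the exact hex
length of one hash; PHOTODNA_HASH_LEN = 144 bytes; matching is by exact bytes.
Sample values are constructed, not real PhotoDNA hashes.
"""
import base64
import binascii
import re
from typing import Dict, List

PHOTODNA_HASH_LEN = 144            # assumption: bytes per PhotoDNA hash
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


class PhotoDNAFormatError(ValueError):
    """Raised for a wrong header or a line that is neither hex nor Base64."""


def parse_hash_line(line: str, hash_len: int = PHOTODNA_HASH_LEN) -> bytes:
    """Decode one hash line, hex ASCII or Base64, into raw bytes."""
    s = line.strip()
    if len(s) == 2 * hash_len and HEX_RE.fullmatch(s):
        value = bytes.fromhex(s)
    else:
        try:
            value = base64.b64decode(s, validate=True)
        except binascii.Error as exc:
            raise PhotoDNAFormatError(f"neither hex nor Base64: {s[:24]!r}") from exc
    if len(value) != hash_len:
        raise PhotoDNAFormatError(f"expected {hash_len} bytes, got {len(value)}")
    return value


def parse_photodna_file(text: str, hash_len: int = PHOTODNA_HASH_LEN) -> List[bytes]:
    """Parse the whole file; the header line must read exactly "PhotoDNA"."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "PhotoDNA":
        raise PhotoDNAFormatError('first line must be "PhotoDNA"')
    hashes = []
    for number, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue                      # assumption: blank lines are ignored
        try:
            hashes.append(parse_hash_line(line, hash_len))
        except PhotoDNAFormatError as exc:
            raise PhotoDNAFormatError(f"line {number}: {exc}") from exc
    return hashes


def match_hashes(imported: List[bytes], candidates: Dict[str, bytes]) -> List[str]:
    """Names of candidate items whose hash is in the imported set (exact match)."""
    known = set(imported)
    return [name for name, h in candidates.items() if h in known]


# Constructed sample file: the same hash once in hex and once in Base64.
SAMPLE_HASH = bytes(range(PHOTODNA_HASH_LEN))
SAMPLE_FILE = "\n".join([
    "PhotoDNA",
    SAMPLE_HASH.hex(),
    "",
    base64.b64encode(SAMPLE_HASH).decode("ascii"),
]) + "\n"

if __name__ == "__main__":
    hashes = parse_photodna_file(SAMPLE_FILE)
    print(len(hashes), "hash values,", len(set(hashes)), "distinct")   # 2 hash values, 1 distinct
    print(match_hashes(hashes, {"img1.jpg": SAMPLE_HASH, "img2.jpg": bytes(PHOTODNA_HASH_LEN)}))  # ['img1.jpg']
```

Real PhotoDNA comparison is distance-based rather than exact; the exact-match helper here only shows that the two encodings of a value decode to the same bytes.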
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Apr 24, 2015 - 20:16:   

Beta 2:

* The internal logic of the Type filter was slightly revised, which may be noticeable for overlapping definitions (such as the full filename "pagefile.sys" in the Windows Internals category and "sys" Program Files) and when using the NOT setting.

* Ability to totally remove excluded items from the volume snapshots of all the evidence objects that are included in an existing recursive exploration in the case root window, in a single step. Previously, that had to be done separately for each evidence object.

* Including child objects of selected files when creating hash sets is now optional.

* Several more file header signatures defined for carving, among them special Base64 encodings of JPEG, PNG, PDF, OLE2.

* Several minor improvements.

Additional downloads such as different viewer component versions and customizable language files as well as new conditional color definitions are now available for download from a dedicated resource directory (query your license status).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 28, 2015 - 19:14:   

Beta 3:

* Some fixes.

* Chinese translation of the user interface updated.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 1, 2015 - 7:20:   

Beta 4:

* Support for GREP expressions with \unnnn in simultaneous searches, where nnnn are four hexadecimal digits that designate a certain Unicode value in human notation (big endian order). Depending on the code page(s) selected for the search, this constant Unicode character value is translated to different byte values and potentially also different numbers of bytes.

* Improved and more thorough carving of individual e-mail messages floating around in free space and pagefile.sys etc., with a dedicated signature definition named "E-mail fragment" and a dedicated internal algorithm. Most thorough if you employ it with the "b" flag for byte-level carving.

* Some fixes.

This beta release is also available to BYOD users.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, May 10, 2015 - 20:13:   

Beta 5:

* Supports simultaneous searches where some search terms are to be considered case-sensitive (if prepended with "case:") and others not, at the same time.

* The option to list 1 search hit per item only now no longer filters out search hits in slack space. This is useful because the slack of a file is typically not related to the contents of that file, so any search hits in the slack would likely have a totally different context than search hits in the logical portion of the file and thus need to be reviewed additionally. Please note that it is usually still necessary to unselect the "1 hit per item" option to separately check out search hits in conglomerates such as pagefile.sys and the virtual "Free space" file, which contain data from totally different sources. The "1 hit per item" option remains most useful for documents only, for which you can often tell after a quick look in Preview mode whether the entire file is relevant or not.

* New directory browser option to display the file type ranks in the Type status column, which also causes sorting by that column to sort by those ranks.

* Automatically selecting the next item in the list after associating the current item with a report table is now optional. A 3-state checkbox allows you to do that either never or only for associations created with keyboard shortcuts or for all association methods.

* Lists sent files in Skype chat history previews with filename and size as well as in the event list. The latter allows you to quickly filter for files that were sent or received via Skype.

* Pages in the user address space of 32-bit processes that are not mapped are no longer included in Process mode when analyzing memory dumps.

* Accepts certain non-standard FAT12 boot sectors.

* The delimiter for default size and size detection limit in File Type Signatures Search.txt is now a forward slash instead of a colon, to avoid some rare incompatibility issues with editing in MS Excel. The colon will still be accepted for a while if you have your own definition files that use colons already.
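Two of the simultaneous-search changes, the \unnnn GREP notation from Beta 4 and the "case:" prefix from Beta 5, are worth seeing side by side. The block below is an added model (editor-supplied Python, not X-Ways code): it resolves \unnnn to a character, shows how that one Unicode value becomes different byte values and byte counts under each selected code page, and runs several terms over one constructed buffer where one term is case-sensitive and another is not. Treating terms as literals rather than full GREP, the code page names and the sample buffer are assumptions; case-insensitivity at the byte level is ASCII-only here, so it covers "cafe" but not the accented character.

```python
r"""Model of two simultaneous-search features from the Beta 4 and Beta 5 posts.

Added example, not X-Ways Forensics code. (a) A term may contain \unnnn, four
hex digits naming a Unicode value in human (big endian) notation; the same
value is translated to different byte values, and a different number of bytes,
for each code page selected for the search. (b) A term prefixed with "case:"
is matched case-sensitively while the others in the same run are not.
Terms are treated as literals (no other GREP syntax); code page names and
SAMPLE_DATA are constructed. Byte-level IGNORECASE folds ASCII letters only.
"""
import re
from typing import Dict, List, Tuple

UNICODE_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")


def parse_term(raw: str) -> Tuple[str, bool]:
    r"""Split off the "case:" prefix and resolve \unnnn escapes to characters."""
    case_sensitive = raw.startswith("case:")
    body = raw[len("case:"):] if case_sensitive else raw
    text = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)
    return text, case_sensitive


def translated_bytes(raw: str, codepages: List[str]) -> Dict[str, bytes]:
    """The byte sequence the term is actually searched for under each code page."""
    text, _ = parse_term(raw)
    return {cp: text.encode(cp) for cp in codepages}


def compile_terms(terms: List[str], codepages: List[str]):
    """One compiled byte pattern per (term, code page); flags follow "case:"."""
    compiled = []
    for raw in terms:
        text, case_sensitive = parse_term(raw)
        flags = 0 if case_sensitive else re.IGNORECASE
        for cp in codepages:
            pattern = re.escape(text.encode(cp))     # literal match per code page
            compiled.append((raw, cp, re.compile(pattern, flags)))
    return compiled


def simultaneous_search(data: bytes, terms: List[str],
                        codepages: List[str]) -> List[Tuple[int, str, str]]:
    """All hits as (offset, original term, code page), sorted by offset."""
    hits = []
    for raw, cp, regex in compile_terms(terms, codepages):
        hits.extend((m.start(), raw, cp) for m in regex.finditer(data))
    return sorted(hits)


# Constructed buffer mixing ANSI (cp1252) and UTF-16LE text with binary junk.
SAMPLE_DATA = (
    b"\x00" * 4
    + "Caf\u00e9 opened".encode("cp1252")     # offset 4, one byte per character
    + b"\x00" * 3
    + "CAFE ".encode("utf-16-le")             # offset 18
    + "caf\u00e9".encode("utf-16-le")         # offset 28, two bytes per character
    + b"\xff"
    + b"Password password"                    # offsets 37 and 46
)

if __name__ == "__main__":
    for cp, b in translated_bytes(r"caf\u00e9", ["cp1252", "utf-8", "utf-16-le"]).items():
        print(f"{cp:10} {len(b)} bytes {b!r}")
    for hit in simultaneous_search(SAMPLE_DATA, [r"caf\u00e9", "case:Password"],
                                   ["cp1252", "utf-16-le"]):
        print(hit)
```

The same term caf\u00e9 is four bytes in cp1252, five in UTF-8 and eight in UTF-16LE, which is exactly why the post says the constant Unicode value is translated per code page rather than searched as fixed bytes. Without the "case:" prefix, "password" hits both offsets 37 and 46; with it, only 37.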
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 14, 2015 - 18:12:   

v18.3 was just released.

Additional changes:

* Option to skip a hash database altogether when matching hash values.

* MSO files are now checked for embedded files.

* PSPImage files (newer Paint Shop Pro pictures) are now checked for embedded thumbnails by default.

* ?, * and {0,n} at the end of a GREP expression did not always match 0 occurrences. This error is now avoided.

* Some minor improvements and fixes.

* User manual and program help updated.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 18, 2015 - 21:13:   

SR-1:

* Improved character filter for text decoding.

* Fixed an instability problem that could occur when attaching files to large volume snapshots.

* Conditional coloring did not work correctly for users who had changed the column order before. That was fixed.

* Fixed occasional inability to import hash matches from previous versions.

* Fixed an exception error that could occur when parsing .evtx event log files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 21, 2015 - 17:33:   

SR-2:

* Fixed an exception error that could occur in v18.3 when processing files in archives of different evidence objects in a single operation.

* Fixed unnecessary assignment of certain files to the "Path unknown" directory in HFS+.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 26, 2015 - 20:57:   

SR-3:

* Fixed a rare memory corruption error that could occur when extracting metadata from large .pf Prefetch files.

* Fixed an exception error that could occur in v18.3 when reading from the logical memory address space of processes in memory dumps.

* Fixed a layout inefficiency in .e01 evidence files created by v18.3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 28, 2015 - 20:45:   

SR-4:

* Fixed a possible exception error in EDB processing.

* Specifications of the XWF_GetHashValue API function revised.

* Fixed potentially incomplete parsing of highly fragmented directories in Ext4 in v18.1 through v18.3.

* Fixed potentially extremely slow and redundant carving of MPEG videos.

* Recognizes certain FAT boot sectors that violate official Microsoft specifications.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 8, 2015 - 19:01:   

SR-5:

* Fixed incomplete HTML export in v18.3 SR-3 and SR-4.

* The Type filter did not always work correctly for full filename matches in v18.3. That was fixed.

* Fixed some errors in the new address space representation of 32-bit processes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 16, 2015 - 17:37:   

SR-6:

* Recover/Copy: The "Name output files after unique ID" option did not work for files without filename extension. That was fixed.

* Fixed a possible exception error that could occur under certain circumstances in v18.1 and later when exploring recursively.

* Fixed incomplete still extraction from some videos.

* Fixed time zone translation of event list timestamps extracted from Mac OS X's system.log.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 18, 2015 - 11:31:   

The default file mask for "Uncover embedded data in various file types" in new installations of v18.3 SR-5 and SR-6 was slightly too long, so that the last character could get overwritten and hiberfil.sys files, if present, were potentially not automatically decompressed and added to the case as memory dumps. In the latest download, the default mask is now not too long any more. If you started with a fresh configuration in v18.3 SR-5 or SR-6 and never adjusted the mask (so that you didn't get the error message about the mask being too long), please shorten it by 2 characters, for example by removing one of the less important file types. Note that the maximum length of the file mask has been extended in v18.4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 24, 2015 - 18:21:   

SR-7:

* Fixed an exception error that could occur when filling an evidence file container from a source that was not added to a case as an evidence object.

* Fixed inability to parse exFAT file systems with extremely large cluster sizes.

* Fixed incomplete extraction of certain embedded data in PDF documents.

* Fixed an instability error that could occur when parsing the journal in certain Ext3/Ext4 volumes in v18.2 and v18.3.

* Some minor fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 7, 2015 - 18:51:   

SR-8:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 16, 2015 - 11:09:   

SR-9:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 25, 2015 - 18:10:   

SR-10:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.3. This is probably the last service release for v18.3.

Forum operated by X-Ways Software Technology AG.