X-Ways User Forum » Public Announcements » X-Ways Forensics 18.5

Stefan Fleischmann
Posted on Thursday, Jul 9, 2015 - 7:41:

A preview version of the dongle-based edition of X-Ways Forensics 18.5 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Option to attach external files as child objects to their original counterparts (after decryption, translation, conversion, OCR, ...) in multiple evidence objects at the same time automatically if they are named after the unique ID of the original files. You can name the files after the unique ID when you copy them off the image with the Recover/Copy command, and you do not need to preserve the path, as the unique ID already fully identifies the file. Useful if you wish to apply external tools that have problems with overlong paths to the copied files, and then bring the result back into the volume snapshot. The command to attach external files based on unique ID can be found in the context menu of the case.

* For your 9 most important report tables, keyboard shortcuts are now also defined to remove associations from the selected files. Ctrl+n adds the selected files to the related report table, Alt+n removes the associations. Useful if you accidentally press the wrong key combination or if you change your mind about the classification of a file, and wish to preserve associations with several other report tables (otherwise you could of course simply press Ctrl+0).

* Menu command to close the active case without saving it. Usually the case and volume snapshots of all open evidence objects are always saved, at the latest when the evidence objects and the case are closed. This may be undesirable for example if you accidentally lost your carefully set tag marks (by untagging all, with a misdirected click in the column header) or if you accidentally lost report table associations (by pressing Ctrl+0 for all selected files). In such a situation it is just important to invoke the new menu command as soon as possible, before the auto-save interval elapses next time. Afterwards you can open the case again, and find everything as it was last time when the case was saved, which means that on average you will only lose half the amount of work that you get done within the auto-save interval, not everything.

* File carving approach revised, which may result in faster processing depending on the data.

* If auto-coloring for FILE records etc. is fully checked, FILETIME structures are now highlighted even if not aligned at a 4-byte boundary.

* Support for HFS+/HFSJ/HFSX when searching for lost partitions. An extra effort is made to reject false positives automatically. Supports sector sizes 512, 4096, and 8192 bytes.

* Some minor improvements.
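
The FILETIME highlighting item above concerns structures that sit at arbitrary byte offsets. The following is an added example, not X-Ways code: a minimal scanner that decodes every 8-byte little-endian window as a FILETIME and keeps those whose date falls in a plausible range, with a step parameter to contrast 4-byte-aligned scanning against byte-granular scanning. The plausibility window (1990 to 2030) and the sample buffer are assumptions constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 64-bit little-endian count of 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Convert FILETIME ticks back to an aware datetime (truncated to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def scan_filetimes(buf, step=1, lo_year=1990, hi_year=2030):
    """Return (offset, datetime) for every 8-byte window whose value decodes to a date
    within [lo_year, hi_year]. step=4 mimics a scanner that only inspects 4-byte
    boundaries; step=1 finds structures at any alignment, as the post describes."""
    lo = to_filetime(datetime(lo_year, 1, 1, tzinfo=timezone.utc))
    hi = to_filetime(datetime(hi_year + 1, 1, 1, tzinfo=timezone.utc))
    hits = []
    off = 0
    while off + 8 <= len(buf):
        ticks = struct.unpack_from("<Q", buf, off)[0]
        if lo <= ticks < hi:
            hits.append((off, from_filetime(ticks)))
            off += 8  # a genuine FILETIME occupies 8 bytes; do not re-read its tail
        else:
            off += step
    return hits


# Constructed sample (not real evidence data): one FILETIME at the odd offset 3 and one
# at the 4-byte-aligned offset 16, embedded in zero padding.
T1 = datetime(2015, 7, 9, 7, 41, tzinfo=timezone.utc)
T2 = datetime(2015, 9, 1, 19, 32, tzinfo=timezone.utc)
SAMPLE = (b"\x00" * 3 + struct.pack("<Q", to_filetime(T1))
          + b"\x00" * 5 + struct.pack("<Q", to_filetime(T2)) + b"\x00" * 8)

if __name__ == "__main__":
    for off, dt in scan_filetimes(SAMPLE):
        print(f"offset {off:3d}: {dt.isoformat()}")
```

Running the block shows the timestamp at offset 3 only when step=1; an aligned-only pass (step=4) misses it.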

Stefan Fleischmann
Posted on Sunday, Jul 19, 2015 - 7:08:

Preview 2:

* Sync mode in non-recursive exploration mode now has the same effect as the option "Automatically expand to current folder" in the Windows Explorer. That means that when navigating from one directory to another using the directory browser while Sync mode is off, the directory tree on the left will no longer reflect the current directory, i.e. it will neither expand its parent if necessary nor select the current directory. Whether Sync mode is active or not is now remembered separately for recursive and non-recursive exploration. The other effect that Sync mode used to have, that when navigating from one cluster to another the file whose data is stored in the current cluster is automatically selected in the directory browser, is now only achieved through the Info Pane's context menu (the command now named "Select file"). And whether the parent directory of that file is automatically selected in the directory tree on that occasion depends on whether Sync mode is active or not.

* X-Tensions API: XT_Prepare may return a new flag to indicate that even if the user wants to omit certain files (for any of the three possible reasons) the X-Tension wants to be called to process them. Another flag indicates that an X-Tension wants to be called for directories. (For details please see http://www.x-ways.net/forensics/x-tensions/api.html.) The Delphi source code and sample demo project were also updated.

* X-Tensions API: New function XWF_GetUserInput allows you to request textual or integer number input from the user, e.g. a password.

* File carving improved, especially and most importantly the quality of the internal algorithms for the Quicktime file format family (MP4, MOV, 3GP, ...) and GIF.

Stefan Fleischmann
Posted on Thursday, Jul 23, 2015 - 21:57:

Preview 3:

* A new timestamp column filter setting is available that allows you to focus on files whose creation date is later than the modification date, i.e. which apparently were copied and that way got a new creation date. The Notation options now allow to mark all such files with the word "(copied)" in the Creation column. The presence of that word can also be used for conditional cell coloring, so that you can quickly see which files are likely original files and which files were copied. Note that a search for the word "copied" is language-specific, so you may want to define the condition based on the presence of a round bracket in the Creation timestamp cell instead.

* The Export List command now remembers its own notation settings, different from the notation settings in the General Options. That is useful because the database or spreadsheet program of your choice may not like the formatting that you prefer to see in the directory browser (e.g. fractions of seconds in timestamps, time zone bias, weekdays in dates, delimiter between date and time, integer digit grouping, ...). While the Export list dialog window is on the screen, the directory browser in the background reflects the notation settings of the Export List command, as a kind of preview.

* Some fixes.
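
The timestamp filter in the post above flags files whose creation timestamp is later than their modification timestamp. As an added example (not X-Ways code), the following reproduces that logic over a constructed set of file records, renders a Creation cell with the "(copied)" notation and shows why a round-bracket check is a language-independent way to color or filter such cells. The tolerance parameter is an assumption added here to absorb sub-second differences between file systems with different timestamp resolution.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed file records (not from a real case): (name, creation, modification), UTC.
RECORDS = [
    ("report.docx", datetime(2015, 7, 1, 9, 0, tzinfo=UTC), datetime(2015, 7, 3, 17, 30, tzinfo=UTC)),
    ("invoice.pdf", datetime(2015, 7, 9, 7, 41, tzinfo=UTC), datetime(2014, 11, 20, 8, 15, tzinfo=UTC)),
    ("photo.jpg", datetime(2015, 6, 5, 12, 0, 1, tzinfo=UTC), datetime(2015, 6, 5, 12, 0, tzinfo=UTC)),
]


def apparently_copied(created, modified, tolerance=timedelta(0)):
    """True when the creation timestamp is later than the modification timestamp.
    A copy gets a fresh creation time while the modification time is carried over,
    which is the signal the post's filter looks for. tolerance (an assumption of this
    example, default zero as in the post) lets a caller ignore tiny differences caused
    by differing timestamp resolutions, e.g. FAT's 2-second modification time."""
    return created - modified > tolerance


def creation_cell(created, modified, marker="(copied)"):
    """Render the Creation column the way the post's Notation option describes: the
    timestamp followed by the marker word for apparently copied files. The marker is
    language-specific in the real UI; "(copied)" is the English wording from the post."""
    text = created.strftime("%Y-%m-%d %H:%M:%S")
    return f"{text} {marker}" if apparently_copied(created, modified) else text


def cell_marks_copied(cell):
    """Language-independent condition suggested in the post: a round bracket in the
    Creation cell, which holds whether the marker reads "(copied)" or a translation."""
    return "(" in cell


def filter_copied(records, tolerance=timedelta(0)):
    """Names of the records the timestamp column filter would keep."""
    return [name for name, created, modified in records
            if apparently_copied(created, modified, tolerance)]


if __name__ == "__main__":
    for name, created, modified in RECORDS:
        print(f"{name:12s} {creation_cell(created, modified)}")
    print("filter:", filter_copied(RECORDS))
```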

Stefan Fleischmann
Posted on Wednesday, Jul 29, 2015 - 0:21:

Preview 4:

* Same fix level as v18.4 SR-3.

Stefan Fleischmann
Posted on Monday, Aug 3, 2015 - 21:15:

Beta 1:

* New directory browser context menu command to identify and exclude listed duplicate pictures using PhotoDNA. All duplicates will be marked as "duplicates found" in the Attr. column, and all except one will be excluded. When in doubt, deleted files or pictures with a poor resolution will be excluded and existing files and pictures with a higher resolution will be kept. Please note that the hash value comparison is a potentially time-consuming operation if many pictures are listed in the directory browser, much more so than for conventional hash values. However, you can abort the comparison at any time. This operation requires that PhotoDNA hash values have been computed beforehand, using Specialist | Refine Volume Snapshot | Picture processing | Compute PhotoDNA hash values. It is useful for example for law enforcement agencies that wish to create PhotoDNA hash sets of unique pictures only and for that purpose maintain a lawful collection of incriminating pictures without duplicates. The strictness of the picture comparison is the same as set in the Specialist | Refine Volume Snapshot | Picture processing dialog window for matching against the PhotoDNA hash database.

* A new context menu command in search hit lists named "Resize" allows you to resize or reposition the selected search hits. If for example you are searching for a signature that identifies records in some kind of database, and you get many search hits for these signatures, but what you are really interested in is the record data that follows the signature, and you wish to export that data, then you could adjust the offsets and the lengths of the search hits in a suitable way. Also useful if the current limit for search hit context in the Export List command doesn't suit your needs. Instead of exporting more context around the search hits you could instead enlarge the search hits themselves prior to exporting them. The effect is visible immediately in the search hit preview in the search hit list (but not necessarily immediately in the highlighting in the lower half of the data window).

* Another context menu command in search hit lists allows you to convert search hits to carved files. Useful if you wish to include your search hits as files in a report, add them to a report table, comment on them, print the contents, Recover/Copy them etc. Note that search hits that have both a physical and a logical offset will be carved at the sector level and will appear in the virtual directory for carved files. Search hits that only have a logical offset will be carved within the file in which they were found and will appear as a child object. Search hits in the decoded text of a file as well as search hits in directory browser columns cannot be carved and will be omitted.

* Files found through a file header signature search and files that were carved within other files can now be manually resized by the user (another directory browser context menu command).

* The search hit context in the Export List command is now limited to around 16,384 bytes on each side (previously 1,000 bytes). The total amount of text including the search hit itself is limited to around 32,768 bytes.

* Recover/Copy: Option to try to encode zeroed out areas in a file as sparse when writing the data. This will have an effect only if the zeroed areas are somewhat aligned and sufficiently large, and of course only when writing to an NTFS or ReFS volume, not FAT. Works no matter whether the source file is defined as sparse or not. This option will reduce the data transfer rate and is only recommendable if you know that the data that you are copying is probably suitable.

* The filters for comments, metadata, and event descriptions now have a NOT option.

* Option to output the complete metadata in the case report as known from Details mode, in HTML format, instead of the extracted subset in the Metadata column in plain text.

Stefan Fleischmann
Posted on Monday, Aug 10, 2015 - 13:30:

Beta 2:

* Ability to decompress the partially contained compressed file at the end of an incomplete (truncated) zip archive as far as possible.

* Some improvements for parsing exFAT volumes.

* Ability to enter a free text description for any report table, by clicking the button with the "properties" icon in the report table association dialog. The description will be included in the case report if the report table is output. Useful for some explanation of what the report table is about. Helps to keep the report table name itself, which appears at many places in the user interface, more concise.

* Several minor improvements.

* Some fixes.

Stefan Fleischmann
Posted on Saturday, Aug 15, 2015 - 14:39:

Beta 3:

* It is now possible to interpret images of various kinds (unsegmented raw images and most VHD/VMDK) and nature (disk/volume) even if they are stored within other images (forensic disk images created by yourself), without copying them off the outer image first. That can save a considerable amount of time, especially if after interpreting the contained image you can quickly see that it is not really relevant, and of course also drive space. First right-click the image in the directory browser and open it with the context menu's Open command in a separate data window. After that, use the command Specialist | Interpret Image File As Disk in the main menu to interpret the image. And then, once the volume snapshot has been taken, if you think that the image is relevant, you can add it to the active case as usual with the "Add to active case" command in the context menu of the data window's tab or with the Add command in the Case Data window's File menu.

* Some minor improvements.

Beta 3 is also available to BYOD users.

Stefan Fleischmann
Posted on Thursday, Aug 20, 2015 - 11:45:

Beta 4:

* Support for VirtualBox disk images (.vdi) of the default subtype "sparse" and the subtypes "fixed size" and "diff" (snapshots). VDI images can also be opened and interpreted from within other images (e.g. .e01 evidence files). Snapshot images, as usual, can only be interpreted if the parent is available, open and interpreted itself.

* Ability to categorize search hits by moving them over to other search terms. If for example you get several relevant hits when running a search for the search term "invoice", and some hits are relevant in a different way than others, then you could assign them to other search terms like "Invoice ABC Ltd.", "Invoice XYZ Corp." etc. Those newly created search terms will appear in the search term list, but they function more like categories because they were not searched for literally themselves.

How it works: In the search hit list you select the search hits that you wish to categorize, right-click them, and invoke the new context menu command "Assign to other search term". You can assign them to a search term/category that already exists or create a new one. You can also rename search terms/categories now with a new command in the context menu of the search term list. Artificially created search terms are marked with °, just like the search terms/categories that manually found search hits (so-called user search hits) are assigned to.

* X-Tensions API: XWF_AddSearchTerm allows you to add search terms to a case programmatically. Use this function for example if you wish to automatically categorize search hits (assign them to different search terms) while responding to XT_ProcessSearchHit calls.

Stefan Fleischmann
Posted on Tuesday, Aug 25, 2015 - 20:46:

Beta 5:

* Some fixes and minor improvements.

Beta 5 is also available to BYOD users.

Stefan Fleischmann
Posted on Sunday, Aug 30, 2015 - 19:52:

Beta 6:

* When adding new evidence objects to the case, X-Ways Forensics now includes technical information about more than one Windows installation per partition in the evidence object properties if traces of more than one are found. That can happen for example if a Windows.old backup directory exists because of a Windows upgrade.

* Support for Ext4 journals with 64-bit block numbers.

* If partitions overlap, for example because one previously existing partition was partially overwritten by another partition, then a note is now displayed in the Messages window (only if you have the program number partitions by disk location). This note should make unsuspecting users aware of the possible consequences, for example make them realize that potential errors when parsing the file system in the overwritten partition might be normal and not a reason to ask for assistance.

* Some minor improvements and fixes.
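
The overlap note described above is easy to reproduce outside the tool. As an added example that is not X-Ways code, the following numbers a constructed set of partition entries by disk location, finds every pair that shares sectors and produces a message in the spirit of the one the post describes; the sector layout and labels are assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    label: str
    start: int      # first sector (LBA)
    sectors: int    # size in sectors

    @property
    def end(self):
        """First sector after the partition (exclusive bound)."""
        return self.start + self.sectors


def number_by_disk_location(partitions):
    """Number partitions 1..n by their position on the disk, which is the numbering
    the post says the note depends on."""
    ordered = sorted(partitions, key=lambda p: p.start)
    return {p: i + 1 for i, p in enumerate(ordered)}


def find_overlaps(partitions):
    """Return (earlier, later, first_shared_sector, last_shared_sector) for every pair
    of partitions whose sector ranges intersect, ordered by disk location."""
    ordered = sorted(partitions, key=lambda p: p.start)
    found = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start < a.end:  # b begins before a ends, so they share sectors
                found.append((a, b, b.start, min(a.end, b.end) - 1))
    return found


def overlap_notes(partitions):
    """Messages like the one the post displays in the Messages window."""
    numbers = number_by_disk_location(partitions)
    return [
        f"Partition {numbers[a]} ({a.label}) overlaps partition {numbers[b]} "
        f"({b.label}) in sectors {lo}-{hi}; file system errors in the overwritten "
        f"partition are to be expected."
        for a, b, lo, hi in find_overlaps(partitions)
    ]


# Constructed layout (not a real disk): a leftover entry for an old partition that was
# partially overwritten by a newer, larger partition, plus an untouched data partition.
SAMPLE = [
    Partition("old NTFS, leftover", 2048, 1_000_000),
    Partition("new NTFS", 500_000, 2_000_000),
    Partition("data", 3_000_000, 100_000),
]

if __name__ == "__main__":
    for note in overlap_notes(SAMPLE):
        print(note)
```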

Stefan Fleischmann
Posted on Tuesday, Sep 1, 2015 - 19:32:

v18.5 was just released. Additional changes since the last beta version:

* Fixed swapped creation and access timestamps in the extracted metadata of zip records (extra field).

* Prevents the output of runaway timestamp values in registry hives to the event list.

* Fixed an exception error that occurred when trying to view Windows registry hives <= 4 KB.

* Program help and user manual updated.

Stefan Fleischmann
Posted on Wednesday, Sep 2, 2015 - 21:16:

Forgot to announce:

* Filtering for search hits with no certain keyword in their context (with the NOT option) did not work. That was fixed.

Stefan Fleischmann
Posted on Tuesday, Sep 8, 2015 - 21:45:

SR-1:

* Opening the entire memory of a running process failed in the 32-bit edition since v18.4. That was fixed.

* Prevented "Invalid file" error message, which some users experienced repeatedly during volume snapshot refinement. (For those who thought that the only way to stop it was to terminate X-Ways Forensics with the Windows Task Manager, please be reminded that you can abort operations such as volume snapshot refinements by clicking the "x" in the upper right corner of the progress indicator window.)

* Fixed potentially incomplete output of the Export List command with the clipboard option depending on the (invisible) "Max. lines per file" setting.

* Some minor improvements.

Stefan Fleischmann
Posted on Tuesday, Sep 15, 2015 - 21:21:

SR-2:

* Fixed an exception error that could occur when matching files against the FuzZyDoc hash database.

* Fixed an infinite loop that could occur when carving certain rare corrupt zip archives.

* Prevents redundant line breaks in the Metadata columns.

* Prevents some garbled characters in the registry report for Windows 10 System hives when created with the 64-bit edition.

* Some minor improvements.

Stefan Fleischmann
Posted on Tuesday, Sep 22, 2015 - 20:31:

SR-3:

* When searching in files that were opened through the operating system (through your own drive letter), when also searching in their directory browser cells, in GREP syntax, without allowing overlapping hits, if there was a hit in a directory browser cell, additional hits in the file contents were ignored. That was fixed.

* The raw Base64 to binary conversion now ignores space and tab characters in addition to line breaks.

* Fixed a rare exception error that could occur when viewing an Ext* .journal file.

* Russian and Chinese translation of the user interface updated.

* Fixed a formatting error in metadata extraction in the previous release.

* The evaluation version of WinHex may now be used free of charge to interpret evidence file containers that contain no more than 1000 objects. (subject to change)

* Some minor improvements.

Stefan Fleischmann
Posted on Monday, Sep 28, 2015 - 19:22:

SR-4:

* Proper type display and file type treatment for files carved in unpartitioned space on physical media.

* Sector sizes other than 512 bytes supported for Ext file systems.

* Fixed omission of file system level timestamps of certain files without file contents in the event list.

Stefan Fleischmann
Posted on Tuesday, Sep 29, 2015 - 21:29:

SR-5:

* v18.5 parsed certain directories in exFAT volumes incompletely. That was fixed.

* Some minor improvements.

Stefan Fleischmann
Posted on Tuesday, Oct 6, 2015 - 20:11:

SR-6:

* Fixed an error that could occur when interpreting images that are stored in other images or disks without copying them off the image or disk first.

* Fixed a rare error that could occur during e-mail extraction from Outlook Express DBX files.

* Fixed inability to display the cell texts of events that are not related to any file.

* Fixed certain occurrences of the error message "The viewer component does not accept your path for temporary files" in v18.5.

Stefan Fleischmann
Posted on Tuesday, Oct 13, 2015 - 20:31:

SR-7:

* Now supports path lengths of 255 characters for the temp directory of the viewer component in case the path consists of pure ANSI code page characters only. If at least 1 true Unicode character is present in the path, the limit is 127 characters. In v18.4 and earlier the limit was 255 ANSI code page characters, and true Unicode characters were not allowed. In v18.5 prior to SR-7 the limit was 127 characters, and Unicode characters were allowed.

* MSG file processing slightly revised.

* No skin color percentages or PhotoDNA hash values are computed any more for JPEG pictures that are considered too corrupt, e.g. truncated in such a way that more than 50% is missing.

* PhotoDNA hash values are now stored in the volume snapshot for re-matching and deduplication even for trivial single-color pictures.

* Some other minor improvements.

Stefan Fleischmann
Posted on Sunday, Oct 25, 2015 - 18:10:

SR-8:

* PDF file carving problems in v18.5 fixed.

* Fixed a rare exception error that could occur in recent versions when opening the virtual memory of other processes.

* v18.5 did not actually add a manually carved file to the selected report table(s) on request. That was fixed.

* Renaming search terms did not always work correctly, depending on the presented search term order. That was fixed.

* Some minor improvements.

Stefan Fleischmann
Posted on Sunday, Nov 1, 2015 - 10:54:

SR-9:

* Greatly reduced free drive space requirements for nested image interpretation.

* Fixed occasional corruption of "Partitions by disk signature" table in the registry report in the 64-bit edition.

* Fixed an exception error that could occur when sorting block hash matches by the Search hit column.

* The "Xtra Atom" format variant was previously supported for carving F4V videos already, now also for MP4.

* Potential instability with corrupt SketchUp files fixed.

Stefan Fleischmann
Posted on Sunday, Dec 27, 2015 - 12:21:

SR-10:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.5.

Stefan Fleischmann
Posted on Monday, Feb 29, 2016 - 20:09:

SR-11:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.5. This is the last service release for v18.5.

Forum operated by X-Ways Software Technology AG.