
X-Ways User Forum » Public Announcements » X-Ways Forensics 18.7

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 18, 2015 - 18:15:   

A preview version of the dongle-based edition of X-Ways Forensics 18.7 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* As part of the volume snapshot refinement, X-Ways Forensics can generate thumbnails of high-quality digital photos to accelerate the gallery. It is now possible to select the resolution (maximum width or height in pixels) and quality (JPEG compression factor) in the user interface. However, the maximum amount of data that can be stored in the volume snapshot for a thumbnail is limited to 64 KB, so if a generated thumbnail gets larger than that, X-Ways Forensics will automatically reduce the user-defined resolution accordingly.

* Smaller versions of pictures can now optionally be generated specifically for the report, to greatly reduce the memory requirements of the Internet browser or word processing application when loading the HTML report, and to accelerate. This can make a big difference for reports with many high-resolution photos. The JPEG compression factor is user-definable. The resolution depends on the specified "maximum dimensions of pictures".

The checkbox that represents this option is a 3-state checkbox. If half checked, the smaller versions of the pictures are used only for the preview directly in the HTML report. If fully checked, even when clicking the picture in the report you will only see the smaller version, and the original larger file is not included in the report at all. This can be beneficial if your main concern is the drive space requirement of your report with linked files, not the output quality of pictures.

* The report can now optionally also show previews/thumbnails of non-picture files, e.g. Office documents, e-mails, web pages, programming source code, etc. etc., similar to the gallery. You can shrink the preview representation slightly or a lot or not at all, to either be able to read some of the text right in the report without opening the document or to get a better impression of the overall formatting of the text and just see logos etc.

* If you output one specific report table in the case report, the suggested report name is now automatically based on the name of that report table.

* In the properties of a case you can now specify whether you prefer to have X-Ways Forensics use the case-specific directory of temporary files (the _temp subdirectory of that case) instead of the general one, when that case is active.

* Loose $MFT files can now be directly and conveniently interpreted as if they were NTFS volumes, to get at least a full listing of all files and directories, with their paths, timestamps and attributes. It's possible to open resident files (files whose contents are small enough to fit into the FILE records), but no other files, of course. Useful if in special situations all you have is the $MFT, not the entire volume.

* Finds more sessions of multi-session CDs/DVDs with CDFS immediately, without having to run a particularly thorough file system data structure search.

* Avoids session duplication on CDs/DVDs with CDFS where additional sessions are found only through a particularly thorough file system data structure search.

* The "1 hit per file needed only" option of the logical simultaneous search now no longer skips the slack of a file once a hit in the logical part has been found if "Open and search files incl. slack" is fully checked. It will check the slack for at most 1 additional hit as well.

* Previews and views of pictures (not with the viewer component) now additionally show the names of associated report tables in the upper left corner and the names of matching PhotoDNA categories in the lower right corner.

* There is now an option to limit the search for lost partitions on physical media to the sectors that follow the current cursor position.

* Reports the total number of unreadable sectors in the disk imaging log in addition to the affected sector ranges.

* Same fix level as v18.6 SR-1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 18, 2015 - 20:55:   

Preview 1+:

* Fixed a sector read error in Preview 1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 25, 2015 - 7:16:   

Preview 2:

* Gallery screen space is now much better utilized as thumbnails are no longer forced to be squares. You can now specify your preferred thumbnail width and height separately, in the Options | Viewer Programs dialog. The specified dimensions will be dynamically adjusted (increased) to best fill the available screen space without partial thumbnails being visible. Since most photos and practically all videos are shot in landscape format, you may want to select width and height accordingly (width larger than height) when viewing pictures. Document thumbnails can often be freely adjusted to any rectangle shape, for example those representing word processing documents or spreadsheets, but not presentations. For most documents other than presentations, portrait format feels like a more natural way of representation. The aspect ratio of the width and height that you specify is displayed in the options dialog to quickly give you a rough idea how compatible the measures will be with ordinary photos, videos or documents.

* The colors of tag marks (if they are not represented by check marks) are now slightly different, and they are now user-definable in Options | Directory Browser. Useful for example if you prefer stronger colors or if the default colors conflict with pictures that you are viewing in the gallery (e.g. many outdoor photos with blue sky at the top). If you liked the slightly more unobtrusive colors of previous versions, you can get them back manually: Color 1 = RGB 225, 225, 255 (for the upper left corner) and Color 2 = RGB 163, 163, 255 (for the lower right corner).

* The colors that mark files as already viewed are now user-definable as well, via Options | Viewer Programs | Keep track of viewed files | .... If you liked the colors of previous versions, you can get them back manually: Color 1 = RGB 233, 225, 223 (for the upper left corner) and Color 2 = RGB 145, 250, 103 (for the lower right corner). In v18.7 they have been simply swapped.

* Ability to convert assigned hash sets to report table associations, in the dialog window for report table associations, where you can also convert contained search terms to report table associations. This can be useful for example if you wish to recreate your hash database from scratch or delete your hash database, and do not only wish to preserve the hash category of known files in the volume snapshot, but also the exact matching hash set names. Also useful if you wish to add files to an evidence file container and wish to let the recipient know the original hash set matches, not only the hash category. These auxiliary report tables are highlighted in a different color to distinguish them from 1) ordinary user-created report tables, 2) internally created report tables that make the user aware of something special, and 3) search term based report tables. Associations with hash set based report tables can also be created on the fly when copying files to an evidence file container.

* Including comments and/or report table associations of files in an evidence file container is now optional for each copy action and does not have to be decided up front once and for all when creating the container.

* More metadata is now extracted from videos (only when exporting stills), usually coding/compression format, resolution, bits per pixel, frames per second, data rate per second for video data.

* A new 64-bit edition of MPlayer from 2015 is now downloadable from the web server in addition to the 32-bit edition from 2014. The only video extraction program supported is now MPlayer.

* A new context menu command has been introduced to extract all frames specifically from a defined section of a selected video. Useful if a certain part of a video is of high interest and you need to carefully check visual details in certain frames or include them in the report. You can specify how many consecutive frames to extract and starting from which second. The number of frames that you need to cover a certain period of time can be deducted from the frame rate as shown in the Metadata cell (fps = frames per second). Please note that the start second may be interpreted very roughly only, depending on the frequency of keyframes (a.k.a. I-frames in MPEG) in the video. MPlayer can seek into a video file only based on keyframes. If for example a certain video file contains keyframes only every 4 seconds, then the start second of the extraction may be off by up to 4 seconds. Keep this in mind when you enter the number of frames that you need or the start second. That is, to be on the safe side, extract more frames than you may actually need and perhaps from an earlier start second.

The frames are saved as JPEG files in a directory of your choice on your own drive, where you can review them outside of X-Ways Forensics. If you like, you can of course attach the most relevant frames to the original video file in the volume snapshot as child objects. The frames are not stored within the volume snapshot by default so that the size of the volume snapshot does not unreasonably inflate with potentially mostly irrelevant and redundant pictures. If the output directory already contains extracted frames, files with identical relative frame numbers will be overwritten. Relative frame numbers always start with 00000001 for each extraction and increment with each frame. You may adjust the JPEG compression if necessary for stronger compression or better quality. (Of course you usually cannot expect a very good quality because videos are typically highly compressed already.) The volume snapshot refinement operation to produce representative still images from videos (sporadically, in certain larger intervals) has been renamed to point out the difference from the new context menu command for exhaustive frame extraction.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 30, 2015 - 19:42:   

Preview 3:

* iNode* files (indirect node files) in HFS+ now point to one of their hardlinked counterparts as a "related item" in the volume snapshot, so that it is very convenient to locate at least one of those hardlinks and see the actual use and location of the file. To find other hardlinks for the same iNode* file, you can for example sort by the column "1st sector".

* HFS and HFS+ resource forks are now presented as child objects, analogously to alternate data streams and extended attributes in NTFS.

* Attribute filter for resource forks added.

* Option to omit additional hard links for the same file in NTFS/HFS+ from volume snapshot refinement just as from logical searches previously, to save time and reduce the number of redundant identical child objects etc. This can make a big difference on partitions with Windows installations that have a lot of hard links and HFS+ partitions with Mac OS X Time Machine. Which hard links are considered the "additional" hard links internally can be seen in the "Link count" column as before (gray number means to be omitted) and now also in the Description column, which identifies all hard links (i.e. files with a hard link count larger than 2) and the additional ones in particular textually. The hard link that is not marked as "optionally omitted" in the Description column is considered the "main" hard link internally.

* Verification of some additional file types.

* Same fix level as v18.6 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 9, 2015 - 6:42:   

Preview 4:

* Enhanced Attr. filter settings for Unix style file permissions. You can now filter for any of the 9+3 bits specifically and combine them with OR, AND, or EQUAL. EQUAL requires a status of all 12 bits exactly as selected (whether set or not set). AND means you require ALL of the checked bits to be set, but don't care about the others. OR means you are satisfied already if ANY of the checked bits is set. SUID and SGID bits can now be combined with a logical OR or AND as well (previously they were always OR'ed). Please remember that if you are interested in directories with the sticky bit, you will need to include directories when exploring recursively and apply filters to directories, too (not the default setting). Please note that the logical operator for permissions should usually not be set to EQUAL because that will result in active filtering for permissions even if no permission bits are selected in the dialog box at all, unlike the OR or AND operators. EQUAL with no permission bits selected means to filter for files that have no permission bits set or files whose permissions are unknown.

* Lifted internal limitation on the amount of data extracted from files per volume snapshot (previously 1 TB). Volume snapshots saved by v18.7 cannot be opened in v18.6 and earlier any more.

* If e-mail messages have a Sender: line in addition to a From: line, then the sender according to the Sender: line is now shown in the Sender column of the directory browser additionally, after the From: sender, if actually different. They are delimited by spaces and a pipe (|). For example, an English language MS Outlook shows such e-mails as having been sent "on behalf of" someone else (by the Sender: sender on behalf of the From: sender). You can filter for such e-mails by entering a pipe as a substring for the Sender column. Analogously, different kinds of recipients (To:, Cc:, and Bcc:) are now delimited by pipes in the Recipient column.

* In newly refined volume snapshots, the "1st sector" column now points out that certain figures are approximate, for example for embedded files, using gray color and a tilde. When clicking a file in Partition/Volume mode, the jump to the start of the data of certain files is now more precise, for example for resident files in NTFS it leads directly to the body of the 0x80 attribute and for certain embedded files directly to the start of the data. Sorting by the "1st sector" column reflects the physical start location of files more precisely now for certain unaligned files.

* Rename events from $J and fragments thereof are now output to the event list.

* A new keyboard shortcut, Shift+Ctrl+Del, allows you to remove matches with ordinary hash sets, FuzZyDoc hash sets, and PhotoDNA categories from selected files in the volume snapshot, which are not discarded otherwise, even if the hash sets are deleted from the hash database.

* Pressing Ctrl+C in the directory browser now copies the textual data of the selected items into the clipboard, with the same notation as in the directory browser itself, otherwise similar to the Export List command.

* The main executable files are now digitally signed.

* Many minor improvements.

* Some fixes of errors in v18.7 Preview 3.

* Preview 4 is also available for BYOD users.
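The OR/AND/EQUAL semantics of the permission filter described in this post, reimplemented as an added example (not X-Ways code) over a constructed sample listing; `None` as the mode stands for a file whose permissions are unknown, and the EQUAL-with-nothing-selected case is handled as the post describes:

```python
"""Model of the Attr. filter for Unix-style permissions: 9 rwx bits plus
SUID, SGID and sticky, combined with OR, AND or EQUAL.
Added example, not X-Ways code; sample entries below are constructed."""
import stat
from typing import Iterable, List, Optional, Tuple

# The 12 selectable permission bits, keyed by short names used in `selected`.
PERM_BITS = {
    "suid": stat.S_ISUID, "sgid": stat.S_ISGID, "sticky": stat.S_ISVTX,
    "u_r": stat.S_IRUSR, "u_w": stat.S_IWUSR, "u_x": stat.S_IXUSR,
    "g_r": stat.S_IRGRP, "g_w": stat.S_IWGRP, "g_x": stat.S_IXGRP,
    "o_r": stat.S_IROTH, "o_w": stat.S_IWOTH, "o_x": stat.S_IXOTH,
}
ALL_PERM_BITS = 0o7777  # mask covering all 12 bits

def selected_mask(names: Iterable[str]) -> int:
    """Combine the checked bits of the dialog into one bit mask."""
    mask = 0
    for name in names:
        mask |= PERM_BITS[name]
    return mask

def permission_filter(mode: Optional[int], selected: Iterable[str], operator: str) -> bool:
    """True if a file with permission bits `mode` passes the filter.
    `mode` is None when the permissions are unknown (no Unix permissions)."""
    want = selected_mask(selected)
    if operator == "OR":
        # Satisfied if ANY checked bit is set; nothing checked means no filtering.
        return want == 0 or (mode is not None and mode & want != 0)
    if operator == "AND":
        # ALL checked bits must be set, the rest does not matter; nothing checked
        # means no filtering.
        return want == 0 or (mode is not None and mode & want == want)
    if operator == "EQUAL":
        # All 12 bits must match exactly, so the filter is always active: with
        # nothing checked only files with no permission bits at all, or with
        # unknown permissions, pass.
        if mode is None:
            return want == 0
        return mode & ALL_PERM_BITS == want
    raise ValueError(f"unknown operator {operator!r}")

# Constructed sample listing: (path, permission bits or None if unknown).
SAMPLE_ENTRIES: List[Tuple[str, Optional[int]]] = [
    ("/tmp", 0o1777),                    # sticky directory
    ("/usr/bin/passwd", 0o4755),         # SUID binary
    ("/usr/bin/wall", 0o2755),           # SGID binary
    ("/etc/passwd", 0o644),
    ("/etc/shadow", 0o640),
    ("/var/empty", 0o000),               # no permission bits set
    ("C:\\Windows\\notepad.exe", None),  # NTFS file, permissions unknown
]

def filter_entries(entries, selected: Iterable[str], operator: str) -> List[str]:
    """Return the paths of all entries that pass the filter."""
    chosen = list(selected)
    return [path for path, mode in entries if permission_filter(mode, chosen, operator)]

if __name__ == "__main__":
    print("SUID or SGID:", filter_entries(SAMPLE_ENTRIES, ["suid", "sgid"], "OR"))
    print("EQUAL, nothing checked:", filter_entries(SAMPLE_ENTRIES, [], "EQUAL"))
```

Remember that the sticky-bit hit on `/tmp` only appears in X-Ways when directories are included in the recursive listing and filters are applied to directories.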
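How the pipe-delimited Sender and Recipient column text described above can be derived from raw e-mail headers, as an added example (not X-Ways code) using Python's standard `email` module; the two messages are constructed, and the pipe-substring filter is the one the post suggests for spotting "on behalf of" mails:

```python
"""Build Sender / Recipient column text from e-mail headers:
the From: sender, then the Sender: address after " | " only if it differs,
and To:, Cc:, Bcc: recipients delimited by pipes.
Added example, not X-Ways code; the raw messages below are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, List

SEP = " | "

def addresses(msg: Message, header: str) -> List[str]:
    """All addresses from every instance of `header`, lower-cased, order kept."""
    raw = msg.get_all(header, [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]

def sender_column(msg: Message) -> str:
    froms = addresses(msg, "From")
    senders = addresses(msg, "Sender")
    # Append the Sender: address only when it actually differs from From:.
    extra = [s for s in senders if s not in froms]
    return SEP.join(froms + extra)

def recipient_column(msg: Message) -> str:
    groups = [", ".join(addresses(msg, h)) for h in ("To", "Cc", "Bcc")]
    return SEP.join(g for g in groups if g)

def columns_for(raw: str) -> Dict[str, str]:
    """Parse a raw RFC 5322 message and return the two directory browser cells."""
    msg = message_from_string(raw)
    return {"Sender": sender_column(msg), "Recipient": recipient_column(msg)}

def matches_filter(cell: str, substring: str) -> bool:
    """Case-insensitive substring filter, e.g. "|" to find on-behalf-of mails."""
    return substring.lower() in cell.lower()

# Constructed sample: sent by an assistant on behalf of Alice.
ON_BEHALF = """From: Alice Example <alice@example.org>
Sender: Assistant <assistant@example.org>
To: Bob <bob@example.net>
Cc: carol@example.net
Subject: constructed sample

body
"""

# Constructed sample: Sender: equals From:, so no second address is shown.
SELF_SENT = """From: alice@example.org
Sender: Alice Example <alice@example.org>
To: bob@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for raw in (ON_BEHALF, SELF_SENT):
        cells = columns_for(raw)
        print(cells, "on behalf of:", matches_filter(cells["Sender"], "|"))
```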
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 12, 2015 - 12:30:   

Preview 5:

* Prevents crashes when dealing with certain EDB databases.

* When excluding duplicates based on hash value or name, X-Ways Forensics now prefers to keep the copy whose owner is known.

* Recover/Copy and Create Report now even name embedded .eml files after their unique ID if the corresponding option is selected.

* E-mail extraction adjusted in such a way that certain Base64-encoded e-mails are shown correctly by external programs after Recover/Copy.

* Revised hiberfil.sys support for 64-bit Windows.

* Some minor improvements.

* Same fix level as v18.6 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 17, 2015 - 21:34:   

Preview 6:

* Tentative support for older VirtualBox VDI virtual disk images from Sun Microsystems.

* Lists purely physical user search hits in the case root window, even if in that window you cannot navigate to the sector contents by clicking the search hits.

* Option to output incrementing numbers in the case report, for each item in a report table, to uniquely identify a file in that report.

* Thumbnail generation for the report now always in JPEG format.

* Prevented an error that could occur in simultaneous computation of two hashes when imaging media in very special configurations that involve a specific hardware write blocker model and Windows version. The data in the images was OK anyway.

* Support for certain old Outlook PST e-mail archives with previously unsupported text encoding. Requires that you select the correct regional ANSI code page in the case properties and check the unlabelled box next to it, the one that has a tooltip saying "Assume this code page in Outlook PST".
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 1, 2016 - 19:43:   

Preview 7:

* All edit boxes throughout the program (except for password edit boxes and column width boxes) now remember a history of up to 10 last entries. The history can be seen when clicking the tiny button that appears in an edit box for which a history is available. Alternatively, you can press the F4 key just like in a normal drop-down box (combo box). If you select a previous entry from the pop-up menu, it will be inserted into the edit box automatically. Users who wish to delete these histories or pass them on to others, please be advised that they are stored in the file History.dat when the program is ended. If you do not wish to keep histories between sessions, you can create an empty file named History.dat yourself and render it read-only.

* File type verification improved.

* hiberfil.sys slack (compressed data from previous usage of a hiberfil.sys file, as found near the end, if the last usage achieved stronger compression than previous usages) is now automatically extracted and decompressed as part of "Uncover embedded data in various file types" and provided as a child object.

* Purely physical user search hits (defined in Disk/Partition mode, not File mode) can now also be output in the report, in the section about the evidence objects. File-related search hits are still output in the report table section about that file.

* Files with only partially initialized contents (valid data length < logical file size) are now marked in the Attr. column with the # sign, and an explanation of the # sign can be found in the legend.

* Some minor improvements.

* Same fix level as v18.6 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 12, 2016 - 19:58:   

Preview 8:

* Records are now numbered starting with 0 instead of 1 by default. 1-based record numbers are still available optionally. The record size is now specified in hexadecimal if hexadecimal offsets are active in the user interface.

* Imaging aborts after media disconnect error.

* Some minor improvements.

* Same fix level as v18.6 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 19, 2016 - 19:39:   


* File type verification further improved with support for additional file types and higher accuracy. Far fewer file types with generic extensions are now unnecessarily marked as "newly identified", but confirmed if the full filename is appropriate for the file type. In total the file type verification can now recognize more than 3,000 file types.

* Larger files can now be attached to the volume snapshot.

* Fixed slight and rare inaccuracy in the representation of GeoTagging coordinates of JPEG files.

* New internal report table for animated PNG pictures.

* Extraction of embedded data in PNG files (e.g. GIF pictures) supported.

* New internal report table for PNG pictures that are likely mobile device screenshots. That assumption is based solely on typical smartphone screen resolutions. Useful in case such screenshots do not have the typical filenames (if they were carved, received via apps, copied to other media and renamed by the user, or taken by certain apps and stored in the cache of that app).

* New X-Tension API function GetEvObj().

* Same fix level as v18.6 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 21, 2016 - 18:28:   

Beta 2:

* File carving methods implemented for .cwm (screen capture videos) and Windows 8's .accountpicture-ms files. .accountpicture-ms files are now by default targeted for uncovering embedded files.

* Type verification supported for .thumbdata3 files (Android files that are found for example on SD cards).

* Fixed a potential exception error that could occur when processing damaged OLE2 compound files.

* Fixed misinterpretation of literally specified # characters in square bracket sets in GREP expressions.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 27, 2016 - 8:50:   

v18.7 was just released.

Additional changes:

* Prevents overlapping hits in directory browser cell text when searching with variable-size GREP expressions.

* Program help and user manual updated for v18.7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 29, 2016 - 10:19:   


* If multiple images were added to a case simultaneously, they had to be closed and re-opened in v18.7 to get the volume snapshot taken. That was fixed.

* File type recognition of certain loose Hotmail e-mails improved.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 9, 2016 - 20:18:   


* Fixed blank Owner column in v18.7 for NTFS file systems.

* Fixed inability of 18.7 to maximize the detached lower half of a data window in most modes.

* Edit box histories now accessible additionally by scrolling with the mouse wheel and by pressing the Down cursor key.

* Fixed bad quality carving of NTFS-compressed files in recent versions.

* Improved interaction with MPlayer.

* Some minor issues resolved.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 11, 2016 - 20:03:   


* Fixed inability of v18.7 to extract files from large GZ archives completely.

* Avoided a condition in which no still images were captured from videos.

* Fixed an exception error that could occur when extracting metadata from certain huge AVI video files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 20, 2016 - 18:54:   


* The Unique ID filter now allows you to enter a list of unique IDs consisting of up to 2,000,000 characters instead of 30,000 characters before. (Characters = digits, dashes, and line breaks).

* Thumbnails in thumbs.db were extracted without original filename if the names were very long. That was fixed.

* The Sender and Recipients filters are now applied to e-mail attachments again as well.

* Fixed an exception error that occurred in v18.6 and v18.7 when ending the program if unlocked with a network dongle.

* Fixed jump to wrong offset when clicking certain embedded files in Partition mode. Fixed incorrectly displayed 1st sector values for the same files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 29, 2016 - 20:17:   


* Fixed an exception error that could occur in v18.7 when adding entries to the history of edit boxes.

* The scope of the file header signature search on a physical, partitioned evidence object now includes very small auxiliary partitions that do not contain any known file system and that have not been added to the case as evidence objects.

* Fixed an error that could occur when opening evidence objects without accessible disk or image.

* When exploring archives with subdirectories without computing hash values at the same time, the primary hash value was set as all zeroes. That was fixed.

* Some minor fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 7, 2016 - 20:15:   


* Fixed an exception error that could occur under certain circumstances when copying data from a data window with no directory browser.

* Fixed an error that occurred in v18.7 when reading from reconstructed RAID5 systems with a missing component.

* Fixed a potential exception error with CAB files that are smaller than 256 bytes.

* Fixed a potential infinite loop when carving JNX files.

* Fixed a rare volume snapshot anomaly where the files of a certain directory became part of "Path unknown" although the path should have been known to X-Ways Forensics.

* Fixed a rare exception error that could occur in the Export List command in the registry viewer.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 16, 2016 - 20:34:   


* Fixed inability to import PhotoDNA hash values from certain current ProjectVic ODATA JSON files.

* Some other aspects of PhotoDNA hash value imports improved.

* Fixed a miscategorization issue when importing conventional hash values from certain current ProjectVic ODATA JSON files.

* Ability to import hash values from JSON files belonging to previously unexpected, newly defined category numbers 4 and 5.

* Avoided certain unnecessary messages about corrupt directory entries in exFAT.

* More convenient option to have a user-specific configuration only for selected users of a shared installation, by creating an empty file named winhex.user.[username] in the installation directory for every user that shall be allowed to maintain his or her individual configuration, while using a shared configuration for everyone else, e.g. using a write-protected general WinHex.cfg file with predefined settings as deemed appropriate for your organization.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 28, 2016 - 18:56:   


* Ability to import hash values from current Project Vic/Hubstream ODATA JSON files.

* Accepts category numbers up to 9 in ODATA JSON files.

* Search hits in the case report could be empty or garbled depending on the Export List options for search hits. That was fixed.

* Fixed an exception error that occurred when running a logical search immediately after removing items from the volume snapshot.

* Prevents annoying, lengthy and unnecessary font cache initialization in MPlayer versions from 2015.

* Alternative e-mail preview: Fixed encoding error in the header representation at the bottom.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 12, 2016 - 21:20:   


* Fixed an exception error that could occur in v18.7 when extracting metadata from XML files.

* Fixed a rare floating point exception error that could occur when dealing with timestamps in certain formats.

* Fewer false positives and faster processing of the full file encryption test.

* BLOBs (binary data chunks) are now also optionally provided as child objects for SQLite databases of an unknown purpose/subtype.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Apr 22, 2016 - 8:34:   


* Now preserves the original filename extension when naming original single .eml files after their subject lines.

* Support for .evtx event log files larger than 2 GB.

* Fixed problems with PhotoDNA hash databases that contain no hash values.

* Fixed output of Boolean values in BPLists.

* More stable when processing corrupt BPList files.

* Prevents occurrence of zeroed out primary hashes in volume snapshots in certain situations.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 23, 2016 - 7:59:   


* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 12, 2016 - 5:51:   


* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.7. This is the last service release for v18.7.

Forum operated by X-Ways Software Technology AG.