X-Ways Forensics 20.1

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Aug 30, 2020 - 20:36:   

A preview version of X-Ways Forensics 20.1 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.1 Preview 1?

* An alternative method to extract data from spreadsheets as text is now available in Options | Viewer Programs. This option is still somewhat experimental. The new method improves the fidelity of the extracted text in terms of cell order and arrangement, normalizes the formatting of date cells in the decoded text to the notation that is active in X-Ways Forensics for more reliable search results, and it reliably includes hidden cells. If you need to preserve characters that your active Windows code page does not support (e.g. Chinese characters on a typical computer in America or Western Europe) because you are going to search for them, you need to check one extra box ("Must support Unicode"), and with that option the new method will require usage of the Windows clipboard.

* Options | Viewer Programs dialog window rearranged.

* More efficient data I/O in usage of viewer component.

* Ability to interpret data as misaligned text in UTF-16 LE as well as misaligned UTF-16 BE in Disk/Partition/Volume and File mode. Misaligned means starting at odd offsets. That makes a difference in non-Western European languages and renders text stored in that fashion actually readable.

* 1 additional text column available in Disk/Partition/Volume and File mode, in X-Ways Forensics only.

* The substitute character for non-printable ASCII characters of values below 0x20 in the text columns, selected in Options | General, typically a space or period, can now also be used for high Unicode character values. It's easier on the eye if characters in languages other than your own are not actually displayed, and you can probably afford to not see them if you are not looking for foreign language text (e.g. Chinese, Japanese, Korean) anyway. To see only pure 7-bit ASCII characters (sufficient for English), in ANSI ASCII and all UTF-16 variants, you can apply the substitute character to above 0x0080. To see letters at least from other Western European languages like Spanish, French, German you can apply it to > 0x00FF. To see Eastern European languages, apply it only to > 0x04FF.

* Fixed context preview of misaligned UTF-16 search hits in some rare situations.

* Some minor improvements.
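
The misaligned UTF-16 interpretation and the substitute-character thresholds announced in this post can be illustrated with a short sketch. This is an added example, not X-Ways code; `text_column`, its parameters and the sample records are assumptions made for illustration, and lone surrogate code units are simply substituted.

```python
def text_column(data, byteorder="little", misaligned=False,
                substitute=".", apply_above=None):
    """Render raw bytes as a UTF-16 text column (illustrative model).

    misaligned=True starts decoding at offset 1 instead of 0, i.e. at an
    odd offset. Code units below 0x20 are always replaced by `substitute`;
    if `apply_above` is set, code units greater than it are replaced too
    (0x0080, 0x00FF and 0x04FF are the thresholds named in the post).
    """
    start = 1 if misaligned else 0
    end = start + (len(data) - start) // 2 * 2  # ignore a trailing odd byte
    chars = []
    for i in range(start, end, 2):
        cp = int.from_bytes(data[i:i + 2], byteorder)
        is_surrogate = 0xD800 <= cp <= 0xDFFF   # simplification: not paired
        too_high = apply_above is not None and cp > apply_above
        if cp < 0x20 or is_surrogate or too_high:
            chars.append(substitute)
        else:
            chars.append(chr(cp))
    return "".join(chars)


# Constructed sample: a one-byte tag pushes the UTF-16 string to offset 1,
# so every code unit starts at an odd offset within the buffer.
CYRILLIC = "\u041f\u0440\u0438\u0432\u0435\u0442"  # Russian "Privet" in Cyrillic
RECORD_LE = b"\x07" + CYRILLIC.encode("utf-16-le") + b"\x00"
RECORD_BE = b"\x07" + CYRILLIC.encode("utf-16-be") + b"\x00"

if __name__ == "__main__":
    # Aligned view pairs the wrong bytes and yields unrelated high code points.
    print("aligned LE      :", text_column(RECORD_LE, apply_above=0x04FF))
    # Misaligned view pairs the bytes as they were written.
    print("misaligned LE   :", text_column(RECORD_LE, misaligned=True))
    print("misaligned BE   :", text_column(RECORD_BE, "big", misaligned=True))
    # With the Western European threshold the Cyrillic text is hidden.
    print("misaligned >0xFF:", text_column(RECORD_LE, misaligned=True,
                                           apply_above=0x00FF))
```
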
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 1, 2020 - 21:44:   

Preview 1b:

* Fixed inability to remove no longer needed additional text columns.

* Minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 6, 2020 - 20:16:   

Preview 2:

* Fixed a crash that could occur with the 64-bit executable of Preview 1 under certain circumstances when the viewer component was in use.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 15, 2020 - 11:16:   

Preview 3:

* X-Ways Forensics and X-Ways Investigator only: Ability to apply a character adjustment list not only when indexing, but also as part of the Simultaneous Search. This list is expected in a UTF-16 text file now named "Character Adjustment.txt" (previously: "indexsub.txt"). It starts with a little-endian byte order mark, followed by one instruction per line, with an arrow (greater than symbol) in the middle, which maps one character to another. You can edit it as you see fit for searches in your own language.

An example for French language searches: The line
É>E
means that the letter É in the original data to which the Simultaneous Search is applied (when searching in suitable code pages) will be accepted as a variant of E in your search term. You only need to search for Edith Piaf and will find both Edith Piaf and Édith Piaf.

ç>c
means that searching for Francois (which you may find preferable if your keyboard cannot easily produce the ç character) you can find both Francois (simplified spelling) and François (original French spelling). The other way around can also make sense:
c>ç
means that searching for François (which you may prefer if it looks more correct to you) you can find both François and Francois.

Even if you are not interested in matching multiple spelling variants, you could define such substitutions once (e.g. using copy & paste) if you cannot easily produce special letters with your keyboard.

Case insensitivity does not work on top of the character adjustment. So for example with the adjustment é>e active, a case-insensitive search for e will find e and é as well as E, but not É. For that you need to add the adjustment É>E. Note that you could theoretically define your own case-insensitivity rules solely using character adjustments. Up to 16 mappings are possible for the same target character. Character adjustments also work in conjunction with GREP syntax (only with target characters that have no special GREP meaning and are not contained in [] sets).

* The cursor position and the defined block in Disk/Partition/Volume or File mode are now remembered in an evidence object when you close it, and automatically restored later.

* Timeouts for loading pictures for picture analysis and processing and for the XWF_GetRasterImage() API function and for the report are now twice as long as the timeouts for loading pictures in the gallery.

* Ability to specify a timeout in milliseconds for thumbnail generation of non-picture files in the report. Please note that timeouts for generation of such thumbnails cannot be strictly applied to all file types.

* Fixed an error in the alternative text decoding option.

* When presenting the logical memory address space of a running process, the Info Pane now shows the exact boundaries and size of the allocation range that the cursor position is located in. The boundary addresses can be copied into the clipboard so that you can quickly jump to these addresses.

* Several minor improvements.

* Same fix level as v20.0 SR-4.
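
The character adjustment list format and matching rules described in this post can be modelled as follows. This is an added example, not X-Ways code; the function names, the per-character regex approach and the sample list are assumptions, and the case handling follows the é>e / É>E behaviour stated above.

```python
import codecs
import re

MAX_PER_TARGET = 16  # "Up to 16 mappings are possible for the same target character"


def parse_adjustments(raw):
    """Parse a UTF-16 LE list with BOM, one 'X>Y' instruction per line.

    Returns {target: {source, ...}}: each source character in the data is
    accepted as a variant of the target character in the search term.
    """
    if not raw.startswith(codecs.BOM_UTF16_LE):
        raise ValueError("missing little-endian byte order mark")
    variants = {}
    text = raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if len(line) != 3 or line[1] != ">":
            raise ValueError(f"line {lineno}: expected one 'X>Y' mapping")
        source, target = line[0], line[2]
        bucket = variants.setdefault(target, set())
        bucket.add(source)
        if len(bucket) > MAX_PER_TARGET:
            raise ValueError(f"line {lineno}: too many mappings for {target!r}")
    return variants


def find_hits(term, data, variants, ignore_case=False):
    """Return the substrings of `data` that match `term` under the list."""
    parts = []
    for ch in term:
        keys = {ch}
        if ignore_case:
            # Case folding applies to the search term only; adjustments are
            # then looked up per case variant, never case-folded themselves.
            keys |= {k for k in (ch.lower(), ch.upper()) if len(k) == 1}
        accepted = set(keys)
        for key in keys:
            accepted |= variants.get(key, set())
        parts.append("[" + "".join(re.escape(a) for a in sorted(accepted)) + "]")
    return re.findall("".join(parts), data)


# Constructed sample list: É>E, ç>c, é>e (escapes keep the bytes unambiguous).
SAMPLE_LIST = codecs.BOM_UTF16_LE + (
    "\u00c9>E\r\n\u00e7>c\r\n\u00e9>e\r\n".encode("utf-16-le"))

if __name__ == "__main__":
    rules = parse_adjustments(SAMPLE_LIST)
    print(find_hits("Edith Piaf", "Edith Piaf and \u00c9dith Piaf", rules))
    print(find_hits("Francois", "Fran\u00e7ois / Francois", rules))
    # Only é>e active: a case-insensitive search for e misses É.
    print(find_hits("e", "e \u00e9 E \u00c9", {"e": {"\u00e9"}}, ignore_case=True))
```
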
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Sep 18, 2020 - 16:13:   

Preview 4:

* The alternative processing variant of "Convert binary storage of numbers/dates in spreadsheets to text" should now be usable with multiple threads.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 23, 2020 - 15:58:   

Preview 5:

* Some fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 28, 2020 - 16:58:   

Preview 6:

* Ability to quickly open the default output directory for an evidence object in the case, with a click on a new button in the evidence object's properties. Hold the Ctrl key while clicking to navigate to the internally used directory instead, where the volume snapshot is stored.

* The alternative processing method of "Convert binary storage of numbers/dates in spreadsheets to text" is now more stable with multiple threads.

* New file header signature for Firefox sessions (lists of remembered open and closed tabs). A good way to convert such files to human readable HTML is to use https://www.jeffersonscher.com/ffu/scrounger.html.

* The volume snapshot statistics in the Refine Volume Snapshot dialog window now also point out the number of partially tagged items.

* Ability to present a cluster list for NTFS-compressed files.

* The command line interface is now able to run an X-Tension, with a command named "XT", followed by a colon and the path and filename of the X-Tension.

* Identification of more devices, for example based on smartphone screen resolution.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 14, 2020 - 21:24:   

Preview 7:

* Registry viewer context menu command to remove an already loaded hive from the viewer, to reduce the scope of the registry report if needed.

* The name of the evidence object that the current hive belongs to is now shown in the status bar of the Registry Viewer.

* Filtering out overlapping GREP search hits now also works consistently when running the Simultaneous Search with additional threads. (Not if you use redundant GREP expressions at the same time that target the same data.)

* Analysis filter extended for unprocessed / not recognized files.

* Volume snapshot option to reveal fragmented files and directories in newly taken volume snapshots. In evidence objects such items are associated with a special report table. When not working with a case such items are partially tagged. The identification can be useful for educational purposes (to find files for which the file system needs to remember non-contiguous cluster chains with special data structures, and to better understand using which logic free clusters are picked by file system drivers for allocation) or to draw some rough conclusions about volume usage. (Files are more likely fragmented if they were created later in the lifetime of the file system, at a time when many other files had already been deleted, but many others still existed, leaving allocation holes.)

* Several minor improvements.

* Some unannounced improvements.

* Most of the fixes from v20.0 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 15, 2020 - 19:23:   

Preview 8:

* Ability to parse BtrFS file systems on single devices and take a volume snapshot. Multiple disks via LVM2 or RAID setups are supported, but not BtrFS multi-device setups. Multiple subvolumes within one BtrFS volume are supported and shown as such.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 22, 2020 - 20:29:   

Preview 9:

* Option in Options | Viewer Programs to include files in the tree-like preview of directories. If enabled, directory names will be printed in bold to distinguish them from files.

* List export in JSON format slightly more complete.

* Certain iPhone thumbnail BMP pictures can now be displayed, in particular not upside down.

* Remembers the last active mode for each evidence object.

* Some minor improvements.

* Same fix level as v20.0 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 5, 2020 - 21:09:   

Preview 10:

* Several of the fixes of v20.0 SR-7.

* Revised ability to resize carved, virtual and manually attached files as well as search hits, both with an absolute new size or with a positive or negative relative size adjustment. Ability to resize multiple files at the same time with the same new size or same relative adjustment.

* Accelerated file header signature search in APFS partitions.

* Easier handling of unusual partitions that contain a GPT partitioning structure themselves.

* The Author column is now populated for pictures that contain copyright information.

A new directory browser column named "Structure type" is now available. This column can be populated as part of metadata extraction. It's an improvement on the generator signature concept with the idea of a scalable typology, filling the gap between file type and hash value. The structure type is presented as a 32-bit integer number in hexadecimal notation. Identical numbers typically identify pictures/videos/documents/files that belong to the same sequence (for example photos that were likely taken during the same photoshoot). You can copy the structure type for a file of interest and use the FlexFilter to search for files with the same structure type. (A dedicated filter will probably be added later.) Please validate any insights gained with this column using timestamps and additional metadata.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 9, 2020 - 20:59:   

Preview 11:

* Identifies image orientation based on Exif data in JPEG pictures of some more devices like iPhone 12.

* Preview mode now automatically mirrors/flips JPEG pictures if instructed to do so by the Exif metadata (in addition to the proper rotation).

* Embedded JPEG thumbnails are now rotated and flipped in Preview mode just like their respective parent (if Metadata extraction took place before).

* The structure type is now also defined for these file types: BMP, ZIP, TAR, DOC, XLS, PPT, PDF, and HTML.

* BtrFS support improved.

* Some minor improvements.

* Most of the fixes of v20.0 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 10, 2020 - 21:12:   

Beta 1:

* The column "Structure type" now comes with a filter.

* A new context menu command named "Filter for similar files" uses the "Structure type" filter to find files of the same type, likely and roughly created around the same time by the same application or device with the same settings. This functionality is available only once the "Structure type" column has been populated.

* Some more fixes of v20.0 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 19, 2020 - 18:29:   

Beta 1c:

* A few minor changes and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 23, 2020 - 9:02:   

Beta 2:

* Ability to find deleted files in BtrFS with the particularly thorough file system data structure search.

* Ability to immediately correctly detect the full capacity of virtual storage devices simulated by certain drivers that don't respond to all information requests as expected.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 24, 2020 - 6:40:   

Beta 2b:

* The Structure type column is now populated for the following formats: JPEG, PNG, WEBP, GIF, BMP, PDF, DOC, ZIP, TAR, GZip, HTML, MP3, EML, MSG.

* Ability to distinguish between 100% recoverable and uncertain previously existing files in BtrFS. Recoverable files (those with the description "data unchanged") can include fragmented files.

* Some of the fixes of v20.0 SR-8.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Dec 10, 2020 - 11:09:   

Beta 3:

* Support for a very rare JPEG format variant.

* User advice on how to deal with MD RAID levels -1 and -4 added to the GUI as comments where applicable.

* Several other minor improvements.

* Same fix level as v20.0 SR-8.

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 15, 2020 - 10:49:   

Beta 4:

* Option to use one or two additional criteria for the identification of duplicates: Modification time and size. Those two combined with filename as the main criterion are quite reliable for not 100% strictly forensic use.

* Option to use the structure type for deduplication, which actually identifies groups of similar or related files. Combined with modification time and size this is relatively reliable for the identification of duplicates.

Computation of hash values can be very time-consuming in large data sets, so any reasonable deduplication option that does not require hash values is hopefully appreciated by some users.

* Ability to view/preview PNG pictures of Apple's CgBI variant with the internal graphics display library.

* Clicking the FS offset cell of a file or directory in the directory browser now automatically navigates to that offset instead of to the first data sector when in Disk/Partition/Volume mode.

* Complete coverage of all JPEG files for structure type computation.

* Various minor improvements.

* Some fixes.

* All fixes of v20.0 SR-9 included.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 16, 2020 - 17:21:   

Beta 4b:

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 23, 2020 - 17:47:   

v20.1 was just released. Additional changes since Beta 4b:

* Option to include the unique ID of files in cases in JSON exports.

* "Find duplicates in list" now gives an immediate example of what truncated timestamps look like based on the number of characters that you want to compare and the current notation settings. Note that both the number of characters to compare and the number of decimals allowed by your notation settings limit the precision (intentionally or inadvertently). Limited precision may be desirable for example to recognize files as identical even if the modification times of file copies in NTFS and FAT differ by 1 second because of FAT timestamp rounding. The notation settings can now be accessed right from within the deduplication options dialog.

* For some files stored in shared spaces in APFS, the delta symbol attribute was previously not shown. This is now fixed in newly taken volume snapshots.

* In some rare cases, the initial volume snapshot did not identify the actual first sector for a file in APFS. This is now updated automatically, when the file is opened for the first time.

* Scanning for lost partitions can now find XFS and BtrFS partitions, and accepts a few rare Ext partitions that would otherwise have been rejected as implausible.

* Accepts two new incompatibility feature flags in XFS as normal.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 28, 2020 - 19:44:   

SR-1:

* Some minor fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 3, 2021 - 19:30:   

SR-2:

* Finds certain Ext* partitions with an unusual configuration when searching for lost partitions.

* Identifies extended partitions as such even when wrongly described as a different partition type in the MBR, as seen in Kindle storage.

* Fixed I/O error that occurred in v20.1 when splitting up the case report into segments.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 13, 2021 - 12:29:   

SR-3:

* Ability to define the alphabet to detect word boundaries for the commands Find Text and Replace Text, with any kind of license.

* Fixed an infinite loop that could occur when processing GZ archives with very long filenames.

* The X-Tension API function XWF_Read() returned 0 after reading between 2 and 4 GB of data instead of the actual amount of data that was read. That was fixed.

* Fixed an exception error that apparently could occur in certain cases when right-clicking multiple selected files in the case root window.

* Fixed an error that occurred when interpreting .e01 evidence files with a user-defined sector size.

* Fixed an exception error that could occur when parsing unexpected LVM2 container data.

* msglog.txt is now slightly more complete, showing which button was clicked in message boxes and showing when a case was closed if messages were output while the case was open.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 25, 2021 - 19:56:   

SR-4:

* Corrupt files found by the file header signature search are now included optionally (and are now included by default when searching for embedded files).

* Fixed trailing spaces at the end of the names of some rare files in FAT in recent releases.

* Fixed a rare exception error that could occur with the gallery in freshly refined volume snapshots.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 2, 2021 - 20:33:   

SR-5:

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 14, 2021 - 19:16:   

SR-6:

* The gallery option "Use auxiliary thumbnails" did not work correctly in v20.1 SR-4 and SR-5 and showed the wrong thumbnails for some pictures. That was fixed.

* Fixed an exception error that could occur in v20.1 when right-clicking multiple selected items from different evidence objects.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 22, 2021 - 17:40:   

SR-7:

* If the creation of an .e01 evidence file is interrupted, a notice about that is now also left in the image itself, when it is provisionally finalized.

* When copying files with child objects to evidence file containers and including those child objects in the container and including the path, then the parent files would have been copied with their contents even if "Copy only metadata" was selected. That was fixed.

* Fixed an instability problem that could occur when extracting e-mails and attachments from MSG files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 28, 2021 - 18:41:   

SR-8
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 3, 2021 - 5:39:   

SR-9:

* File mode did not work in the previous service release. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 8, 2021 - 9:56:   

SR-10:

* thumbcache*.db thumbnail stores were previously not processed in certain rare situations, namely if they were targeted only indirectly and the main thumbcache_idx.db file was a newer version than expected or could not be parsed as expected. In many such cases they are now checked for embedded thumbnails directly, independent of thumbcache_idx.db.

* Detects the XFS file system based on less strict rules again, like previous versions.

* File mode did not show slack correctly in NTFS in the previous service release. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 13, 2021 - 6:06:   

SR-11:

* Some of the fixes and improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.1. Available to these users on request usually, for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Aug 31, 2021 - 19:17:   

SR-12:

* Some of the fixes and improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.1. Available to these users on request usually, for a limited time.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 11, 2022 - 10:23:   

SR-13:

* Some of the fixes and improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.1. Available to these users on request usually, for a limited time. This is probably the last service release for v20.1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 27, 2022 - 9:31:   

SR-14:

* Some of the fixes and improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.1. Available to these users on request usually, for a limited time. This is the last service release for v20.1.

Forum operated by X-Ways Software Technology AG.