X-Ways Forensics 20.1

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Aug 30, 2020 - 20:36:   

A preview version of X-Ways Forensics 20.1 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.1 Preview 1?

* An alternative method to extract data from spreadsheets as text is now available in Options | Viewer Programs. This option is still somewhat experimental. The new method improves the fidelity of the extracted text in terms of cell order and arrangement, normalizes the formatting of date cells in the decoded text to the notation that is active in X-Ways Forensics for more reliable search results, and it reliably includes hidden cells. If you need to preserve characters that your active Windows code page does not support (e.g. Chinese characters on a typical computer in America or Western Europe) because you are going to search for them, you need to check one extra box ("Must support Unicode"), and with that option the new method will require usage of the Windows clipboard.

* Options | Viewer Programs dialog window rearranged.

* More efficient data I/O in usage of viewer component.

* Ability to interpret data as misaligned text in UTF-16 LE as well as misaligned UTF-16 BE in Disk/Partition/Volume and File mode. Misaligned means starting at odd offsets. That makes a difference in non Western European languages and renders text stored in that fashion actually readable.

* 1 additional text column available in Disk/Partition/Volume and File mode, in X-Ways Forensics only.

* The substitute character for non-printable ASCII characters of values below 0x20 in the text columns, selected in Options | General, typically a space or period, can now also be used for high Unicode character values. It's easier on the eye if characters in languages other than your own are not actually displayed, and you can probably afford to not see them if you are not looking for foreign language text (e.g. Chinese, Japanese, Korean) anyway. To see only pure 7-bit ASCII characters (sufficient for English), in ANSI ASCII and all UTF-16 variants, you can apply the substitute character to above 0x0080. To see letters at least from other Western European languages like Spanish, French, German you can apply it to > 0x00FF. To see Eastern European languages, apply it only to > 0x04FF.

* Fixed context preview of misaligned UTF-16 search hits in some rare situations.

* Some minor improvements.
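
The misaligned UTF-16 interpretation and the substitute-character threshold from the post above, sketched as an added example (not X-Ways code). The function name, its parameters and the sample bytes are assumptions made for illustration; each 16-bit unit is treated as one character and surrogates are substituted.

```python
import struct

def text_column(data, misaligned=False, big_endian=False,
                substitute=".", above=0x04FF):
    """Render a buffer as UTF-16 text the way a hex editor text column would.

    misaligned=True starts decoding at offset 1 (an odd offset).
    Units below 0x20, above the `above` threshold, or in the surrogate
    range are replaced by the substitute character.
    """
    start = 1 if misaligned else 0
    usable = max(0, (len(data) - start) // 2 * 2)  # whole 16-bit units only
    fmt = (">" if big_endian else "<") + "H"
    out = []
    for (unit,) in struct.iter_unpack(fmt, data[start:start + usable]):
        if unit < 0x20 or unit > above or 0xD800 <= unit <= 0xDFFF:
            out.append(substitute)
        else:
            out.append(chr(unit))
    return "".join(out)

# Constructed sample: Cyrillic text in UTF-16 LE that begins at offset 1.
SAMPLE = b"\x01" + "Привет".encode("utf-16-le") + b"\x00"

if __name__ == "__main__":
    print("aligned, > 0x04FF substituted:   ", text_column(SAMPLE))
    print("misaligned, > 0x04FF substituted:", text_column(SAMPLE, misaligned=True))
    print("misaligned, > 0x00FF substituted:",
          text_column(SAMPLE, misaligned=True, above=0x00FF))
    print("aligned, nothing substituted:    ", text_column(SAMPLE, above=0xFFFF))
```

With the aligned interpretation every unit decodes to an unrelated high code point, which is why the text only becomes readable at the odd offset.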
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 1, 2020 - 21:44:   

Preview 1b:

* Fixed inability to remove no longer needed additional text columns.

* Minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Sep 6, 2020 - 20:16:   

Preview 2:

* Fixed a crash that could occur with the 64-bit executable of Preview 1 under certain circumstances when the viewer component was in use.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 15, 2020 - 11:16:   

Preview 3:

* X-Ways Forensics and X-Ways Investigator only: Ability to apply a character adjustment list not only when indexing, but also as part of the Simultaneous Search. This list is expected in a UTF-16 text file now named "Character Adjustment.txt" (previously: "indexsub.txt"). It starts with a little-endian byte order mark and is followed by one instruction per line, with an arrow (greater than symbol) in the middle, which maps one character to another. You can edit it as you see fit for searches in your own language.

An example for French language searches: The line
É>E
means that the letter É in the original data to which the Simultaneous Search is applied (when searching in suitable code pages) will be accepted as a variant of E in your search term. You only need to search for Edith Piaf and will find both Edith Piaf and Édith Piaf.

ç>c
means that searching for Francois (which you may find preferable if your keyboard cannot easily produce the ç character) you can find both Francois (simplified spelling) and François (original French spelling). The other way around can also make sense:
c>ç
means that searching for François (which you may prefer if it looks more correct to you) you can find both François and Francois.

Even if you are not interested in matching multiple spelling variants, you could define such substitutions once (e.g. using copy & paste) if you cannot easily produce special letters with your keyboard.

Case insensitivity does not work on top of the character adjustment. So for example with the adjustment é>e active, a case-insensitive search for e will find e and é as well as E, but not É. For that you need to add the adjustment É>E. Note that you could theoretically define your own case-insensitivity rules solely using character adjustments. Up to 16 mappings are possible for the same target character. Character adjustments also work in conjunction with GREP syntax (only with target characters that have no special GREP meaning and are not contained in [] sets).

* The cursor position and the defined block in Disk/Partition/Volume or File mode are now remembered in an evidence object when you close it, and automatically restored later.

* Timeouts for loading pictures for picture analysis and processing and for the XWF_GetRasterImage() API function and for the report are now twice as long as the timeouts for loading pictures in the gallery.

* Ability to specify a timeout in milliseconds for thumbnail generation of non-picture files in the report. Please note that timeouts for generation of such thumbnails cannot be strictly applied to all file types.

* Fixed an error in the alternative text decoding option.

* When presenting the logical memory address space of a running process, the Info Pane now shows the exact boundaries and size of the allocation range that the cursor position is located in. The boundary addresses can be copied into the clipboard so that you can quickly jump to these addresses.

* Several minor improvements.

* Same fix level as v20.0 SR-4.
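
A model of the character adjustment list described in the post above, as an added example (not X-Ways code and not its search engine). It parses the file format as stated (UTF-16 with a little-endian byte order mark, one `source>target` instruction per line, at most 16 sources per target) and reproduces the described interaction with case-insensitive searching; the function names, the strict three-character line format and the sample content are assumptions.

```python
import codecs

MAX_SOURCES_PER_TARGET = 16  # limit stated in the post

def parse_adjustments(raw):
    """Parse the list's bytes into {target_char: {source_chars}}."""
    if not raw.startswith(codecs.BOM_UTF16_LE):
        raise ValueError("missing little-endian byte order mark")
    table = {}
    lines = raw[2:].decode("utf-16-le").splitlines()
    for number, line in enumerate(lines, 1):
        if not line:
            continue
        # Assumption: exactly one source char, '>', one target char.
        if len(line) != 3 or line[1] != ">":
            raise ValueError(f"line {number}: bad instruction {line!r}")
        sources = table.setdefault(line[2], set())
        sources.add(line[0])
        if len(sources) > MAX_SOURCES_PER_TARGET:
            raise ValueError(f"line {number}: too many mappings for {line[2]!r}")
    return table

def accepted(term_char, table, ignore_case=False):
    """Data characters that count as a match for one search-term character."""
    variants = {term_char}
    if ignore_case:
        variants |= {term_char.lower(), term_char.upper()}
    hits = set(variants)
    for variant in variants:
        # Adjustments are looked up per case variant; the mapped source
        # characters are not case-folded again.
        hits |= table.get(variant, set())
    return hits

def find(term, data, table, ignore_case=False):
    """Offsets in data where term matches under the adjustment table."""
    sets = [accepted(ch, table, ignore_case) for ch in term]
    last = len(data) - len(term)
    return [i for i in range(last + 1)
            if all(data[i + k] in s for k, s in enumerate(sets))]

# Constructed sample file content (not shipped with the product).
SAMPLE = codecs.BOM_UTF16_LE + "É>E\r\né>e\r\nç>c\r\n".encode("utf-16-le")
```

Searching for `François` in data containing `Francois` returns no hit with this sample list, because the mapping is one-directional and `c>ç` is not defined in it.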
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Sep 18, 2020 - 16:13:   

Preview 4:

* The alternative processing variant of "Convert binary storage of numbers/dates in spreadsheets to text" should now be usable with multiple threads.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 23, 2020 - 15:58:   

Preview 5:

* Some fixes and improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 28, 2020 - 16:58:   

Preview 6:

* Ability to quickly open the default output directory for an evidence object in the case, with a click on a new button in the evidence object's properties. Hold the Ctrl key while clicking to navigate to the internally used directory instead, where the volume snapshot is stored.

* The alternative processing method of "Convert binary storage of numbers/dates in spreadsheets to text" is now more stable with multiple threads.

* New file header signature for Firefox sessions (lists of remembered open and closed tabs). A good way to convert such files to human readable HTML is to use https://www.jeffersonscher.com/ffu/scrounger.html.

* The volume snapshot statistics in the Refine Volume Snapshot dialog window now also point out the number of partially tagged items.

* Ability to present a cluster list for NTFS-compressed files.

* The command line interface is now able to run an X-Tension, with a command named "XT", followed by a colon and the path and filename of the X-Tension.

* Identification of more devices, for example based on smartphone screen resolution.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 14, 2020 - 21:24:   

Preview 7:

* Registry viewer context menu command to remove an already loaded hive from the viewer, to reduce the scope of the registry report if needed.

* The name of the evidence object that the current hive belongs to is now shown in the status bar of the Registry Viewer.

* Filtering out overlapping GREP search hits now also works consistently when running the Simultaneous Search with additional threads. (Not if you use redundant GREP expressions at the same time that target the same data.)

* Analysis filter extended for unprocessed / not recognized files.

* Volume snapshot option to either partially tag fragmented files and directories in newly taken volume snapshots or (in evidence objects, if a case is active) associate them with a report table. That can be useful for educational purposes (to find files for which the file system needs to remember non-contiguous cluster chains with special data structures, and to better understand using which logic free clusters are picked by file system drivers for allocation) or to draw some rough conclusions about volume usage. (Files are more likely fragmented if they were created later in the lifetime of the file system, at a time when many other files had already been deleted, but many others still existed.)

* Several minor improvements.

* Some unannounced improvements.

* Most of the fixes from v20.0 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 15, 2020 - 19:23:   

Preview 8:

* Ability to parse BtrFS file systems on single devices and take a volume snapshot. Multiple disks via LVM2 or RAID setups are supported, but not BtrFS multi-device setups. Multiple subvolumes within one BtrFS volume are supported and shown as such.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 22, 2020 - 20:29:   

Preview 9:

* Option in Options | Viewer Programs to include files in the tree-like preview of directories. If enabled, directory names will be printed in bold to distinguish them from files.

* List export in JSON format slightly more complete.

* Certain iPhone thumbnail BMP pictures can now be displayed, in particular not upside down.

* Remembers the last active mode for each evidence object.

* Some minor improvements.

* Same fix level as v20.0 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 5, 2020 - 21:09:   

Preview 10:

* Several of the fixes of v20.0 SR-7.

* Revised ability to resize carved, virtual and manually attached files as well as search hits, both with an absolute new size or with a positive or negative relative size adjustment. Ability to resize multiple files at the same time with the same new size or same relative adjustment.

* Accelerated file header signature search in APFS partitions.

* Easier handling of unusual partitions that contain a GPT partitioning structure themselves.

* The Author column is now populated for pictures that contain copyright information.

* A new directory browser column named "Structure type" is now available. This column can be populated as part of metadata extraction. It contains 32-bit integer numbers. Identical numbers typically identify pictures and videos that belong to the same sequence (that are supposed to have been taken during the same photoshoot). You can copy the structure type for a file of interest and use the FlexFilter to search for files with the same structure type. (A dedicated filter will probably be added later.) Please validate any insights gained with this column using timestamps and additional metadata.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 9, 2020 - 20:59:   

Preview 11:

* Identifies image orientation based on Exif data in JPEG pictures of some more devices like iPhone 12.

* Preview mode now automatically mirrors/flips JPEG pictures if instructed to do so by the Exif metadata (in addition to the proper rotation).

* Embedded JPEG thumbnails are now rotated and flipped in Preview mode just like their respective parent (if Metadata extraction took place before).

* The structure type is now also defined for these file types: BMP, ZIP, TAR, DOC, XLS, PPT, PDF, and HTML.

* BtrFS support improved.

* Some minor improvements.

* Most of the fixes of v20.0 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 10, 2020 - 21:12:   

Beta 1:

* The column "Structure type" now comes with a filter.

* A new context menu command named "Filter for similar" uses the "Structure type" filter to find files of the same type, likely and roughly created around the same time by the same application or device with the same settings. This functionality is available only once the "Structure type" column has been populated.

* Some more fixes of v20.0 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 19, 2020 - 18:29:   

Beta 1c:

* A few minor changes and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 23, 2020 - 9:02:   

Beta 2:

* Ability to find deleted files in BtrFS with the particularly thorough file system data structure search.

* Ability to immediately correctly detect the full capacity of virtual storage devices simulated by certain drivers that don't respond to all information requests as expected.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 24, 2020 - 6:40:   

Beta 2b:

* The Structure type column is now populated for the following formats: JPEG, PNG, WEBP, GIF, BMP, PDF, DOC, ZIP, TAR, GZip, HTML, MP3, EML, MSG.

* Ability to distinguish between 100% recoverable and uncertain previously existing files in BtrFS. Recoverable files (those with the description "data unchanged") can include fragmented files.

* Some of the fixes of v20.0 SR-8.

* Some minor improvements.

Forum operated by X-Ways Software Technology AG.