X-Ways Forensics 20.2

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 2, 2021 - 20:41:   

A preview version of X-Ways Forensics 20.2 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.2 Preview 1?

* The gallery can now operate in an alternative mode, activated with the button to the left of the Sync button. In that mode the gallery does not present the items currently listed in the directory browser, but instead all the child objects of a single selected item, if there are any such child objects. Those are either only direct child objects or (in mode) child objects recursively. This is a unique way to get a quick overview of entire directories or file archives with a single mouse click. Also very useful for videos from which stills have been extracted. You can right-click any listed child object in the gallery and perform various operations on that particular object. Most commands known from the directory browser context menu are available. In particular you can associate a child object with report tables that way, exclude it, tag it, or navigate to see it in its native parent directory in the directory browser with all metadata (and then you can click the Back button to return to the previous view). The child objects are listed in the gallery in ascending order of internal ID.

* Ability to extract specific data from the event payload in .evtx event logs and list them directly in the event list. This makes working with event logs much more powerful, as it allows you to quickly filter for usernames, IP addresses from log-in or RDP events, task or service names, PowerShell commands, etc. The new tab-separated definition file "Event Log Events.txt" in the installation directory contains a list of event IDs, (optional) log provider and the list of individual data fields to extract. The definition file can be adjusted to your own requirements.

* Windows .evtx event logs are now parsed and exported into one single TSV file, replacing the previously output multiple HTML preview files. The generated TSV file contains the complete payload of each event. It is ideally viewed in MS Excel or similar applications.

* Events are now listed with less clutter in the event list.

* Ability to extract e-mail attachments from TNEF files once they are identified as such. (Such files are usually named winmail.dat.)

* Several minor improvements.

* Same fix level as v20.1 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 14, 2021 - 19:26:   

Preview 2:

* Ability to see the presentations of Preview and Details mode for the same file at the same time, side by side, after clicking the "+" on the Details button when in Preview mode. Clicking the Details or Preview button again will make that mode the only active mode.

* Ability to view and preview pictures in HEIC format. The gallery loads and displays HEIC thumbnails. Picture analysis and processing also supports HEIC files now.

* Android .thumbdata4 archives and HEIC files are now by default in the list to uncover embedded data. (Thumbnails in HEIC files will be output in JPEG format.)

* Keyboard shortcuts for the context menu commands to view the selected file(s) in X-Ways Forensics or in the associated program.

* The command line interface now allows loading dialog window selections. This will usually override specific parts of the configuration that is initially read from a WinHex.cfg file, at the moment when the command line parameter is processed (not when those parts of the configuration might affect what the application does). The command is "Dlg:", directly followed by the path of the .dlg file. After you save dialog window selections please verify that they can be accepted by clicking OK after saving them. Only .dlg files created in v20.2 can be used. Older versions of X-Ways Forensics can still read .dlg files written by v20.2.

* More generated devices are recognized.

* Prevents the viewer component from trying to display NTFS system files like $UpCase in Preview mode, which was problematic.

* Various improvements.

* Same fix level as v20.1 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 15, 2021 - 13:10:   

Preview 3:

* The approximate scroll position in Details mode is now restored when selecting a different file in the directory browser or when closing and re-opening the data window or the application.

* Fixed occasional inability in Preview 2 to leave Details mode.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 19, 2021 - 10:22:   

Beta 1:

* WinHex Lab Edition and higher: Ability to open and read uncompressed files on Windows Server NTFS volumes with active deduplication.

* Option to name MSG files after the e-mail subject when extracting e-mail messages and attachments from them. That could be useful for generically named MSG files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 22, 2021 - 17:46:   

Beta 2:

* The selection in the gallery usually exactly replicates the selection in the directory browser. However, when representing child objects of a file that is selected in the directory browser, the gallery now allows a separate selection in itself, among the child objects.

* Ability to save the contents of Details mode into an HTML file, by clicking the new floppy disk icon in the status bar.

* Some minor improvements.

* Same fix level as v20.1 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 28, 2021 - 18:49:   

Beta 3:

* Several minor improvements.

* Same fix level as v20.1 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 3, 2021 - 5:52:   

Beta 4:

* Option to filter out spaces around common Chinese characters in decoded text (cf. Options | Viewer Programs). Such spaces can appear unexpectedly for example when processing certain PDF documents and can thwart keyword searches in Chinese.

* Raw previews with decoded text (i.e. Shift + click on "Raw") in Chinese were not displayed properly previously because the viewer component did not always identify the data as UTF-16. That was improved.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 8, 2021 - 10:08:   

Beta 5:

* The alternative processing method of spreadsheet text decoding was revised. For example, the boundaries and ordinal numbers of worksheets are now marked with separator lines.

* Some minor improvements.

* Same fix level as v20.1 SR-10.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 18, 2021 - 9:50:   

Beta 6:

* If there are multiple matches for a file in the PhotoDNA hash database, which is indicated by an ellipsis after the first match, and if the PhotoDNA hash value was stored in the volume snapshot, Details mode loads the hash database and returns all matches.

* The Notation options in Recover/Copy are now accessible also when the "Group by" options are used because the former are relevant to the latter.

* More generating devices recognized.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 22, 2021 - 4:16:   

v20.2 was just released. Additional changes since Beta 6:

* When adding more report table associations to the same file, the associations are now consistently shown in the order in which the report tables are defined.

* True-color pictures can now be presented in the gallery not only in grayscale, but also with mismatched colors, to reduce the psychological impact of certain photos. The new option is the middle state of the checkbox. The grayscale conversion (if fully checked) was slightly optimized.

* Fixed a rare infinite loop that could occur when trying to open files in APFS.

* Mitigated a very rare exception error that can apparently occur when applying the particularly thorough file system data structure search in exFAT.

* Fixed a rare exception error that could occur under certain circumstances after re-opening a recursively explored volume/partition on a physical device in the case and choosing to take a new volume snapshot if prompted to do so.

* User manual and program help updated for v20.2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 22, 2021 - 13:30:   

Additional changes since v20.1 SR-10:

* "File header signature search in files not processed above" now fully supports file type notation with asterisks like *.xyz.

* Fixed an exception error that could occur under special circumstances when listing the evidence objects in the Case Root window.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Apr 9, 2021 - 17:19:   

SR-1:

* Supports one more variant of HEIC files.

* In certain situations Preview mode remained blank in v20.2 until a different file was selected in the directory browser. That was fixed.

* Prevented one situation in which the error message "The file does not contain offset ..." could pop up when opening a case with evidence objects in search hit list mode.

* Slightly reduced strain on the dongle.

* If the connection to the dongle gets lost, the open case will be saved immediately in addition to the interval-based automatic save.

* Reduced impact of a certain floating point exception error in SQLite processing.

* Fixed slow text extraction from spreadsheets that could occur previously when searching logically with more than 8 threads.
