Posted on Monday, Aug 9, 2021 - 7:00:
A preview version of X-Ways Forensics 20.4 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.
What's new in v20.4 Preview 1?
* Support has been added for the QNX file system as commonly found in current car entertainment systems. X-Ways Forensics, if supplied with an image extracted from such a system, can now parse the file system structures, including timestamps and UNIX permissions, as known from other file systems. Individual virtual files representing the key file system structures are also shown, and Specialist | Technical Details Report will show fundamentals of the file system as well.
* Btrfs volumes using snapshots are now supported.
* Up to 127 subvolumes (incl. snapshots) are now supported per volume in Btrfs, up from 31 subvolumes previously. Unlike other subvolumes, which are all shown on the first level of the main volume, snapshots are shown within the subdirectory of .snapshots that corresponds with the snapshot’s creation date.
* For all subvolumes (incl. snapshots) of Btrfs, the Technical Details Report identifies their respective official parent (sub)volumes, as before.
* A new command line command named "AddDir" is now understood. It is followed by a colon, and after that you specify which directory you wish to add to the case, e.g. AddDir:X:\. If the character after the colon is an asterisk, the root directories of all available drive letters will be added to the case: AddDir:*. However, network drives are optional because they can be excessively large and slow to explore. Addition of network drives depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, assuming that you are doing this to triage a live system and run X-Ways Forensics from your own removable device.
* A new command line command named "AddDrive" is now understood. It is followed by a colon, and after that you specify which drive letter you wish to add to the case, in upper case, e.g. AddDrive:C. Unlike a directory, which is accessed and explored through the operating system, drive letters require sector-level access (and therefore administrator rights), and any present file system will be parsed by X-Ways Forensics itself, if supported. If the character after the colon is an asterisk, all available drive letters in the system will be added to the case: AddDrive:*. However, network drives are optional because they can be excessively large and slow to explore and cannot be read by X-Ways Forensics with sector-level access. Addition of network drives depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, assuming that you are doing this to triage a live system and run X-Ways Forensics from your own removable device. If you specify the AddDrive:* command although you run the software without administrator rights, then the AddDir:* command will be run instead.
* The command line command "NewCase" followed by a semicolon instead of a colon generates a unique filename if the specified .xfc file already exists. With a colon, the existing case is deleted and overwritten (without prompt or mercy).
* The "NewCase" command now supports relative case paths as well as references to environment variables.
* Option to select multiple file type categories for filtering instead of just one, in a dialog window instead of the pop-up menu.
* Computing the total amount of data in files found in OS directory listings is now optional. Any discrepancy between the original amount of data and the new amount detected when re-opening the evidence objects is brought to the user's attention and triggers an offer to take a new volume snapshot.
* An easier-to-use and simplified version of the dialog window to create report table associations is now available, with fewer settings that might confuse new users, which is the new default in X-Ways Investigator, and optionally available in both X-Ways Forensics and X-Ways Investigator. For example, in the simplified version report tables that are created by the application to make the user aware of something will not be listed, and it's possible to specifically remove report table associations from selected files without the use of keyboard shortcuts.
* Parsing symlinks when taking a volume snapshot (depending on the file system) is now optional, cf. Options | Volume Snapshot.
* Raw submode is now available for WofCompressed files in File mode to see the complete compressed data with slack. The List Clusters command now lists all clusters of such files including the slack. The slack area of the WofCompressed data is highlighted also in Partition/Volume mode.
* There is now a dedicated checkbox for the logical search to control whether certain slack areas of NTFS compression are targeted. It's unlabeled, but has a tooltip. If fully checked, the undefined slack area at the end of each compression unit of ordinary NTFS-compressed files is searched raw (as is, without decompression), like in previous versions. If that check box is at least half checked, the well-defined slack of WofCompressed files is targeted (searched raw, without decompression), and this is a new feature of v20.4.
* When text in files is decoded for the simultaneous search or indexing and saved in the volume snapshot for future re-use, and the special option for numbers and dates in spreadsheets is not active at that time, and later you run a search again *with* the special spreadsheets option, then you may not benefit from it if the originally decoded text is searched. That's why you will now get a warning in such a situation if the volume snapshot's decoded text is already loaded, or it will be discarded altogether upon loading.
* Several minor improvements.
* At least some of the fixes of v20.3 SR-2.
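The following launcher is an added example, not code from X-Ways, showing how the NewCase, AddDrive and AddDir commands from the notes above combine into a live-triage invocation from a removable device. Only the colon/semicolon behaviour of NewCase, the administrator-rights requirement of AddDrive:* with its AddDir:* fallback, and the skipping of the drive letter X-Ways runs from come from the release notes; the executable name xwforensics64.exe, the "cases" subdirectory, the host-name-plus-timestamp case file naming and the assumption that each command is passed as its own argument are this example's own choices.

```python
"""Added example (not X-Ways code): launch X-Ways Forensics for live triage
from a removable device using the v20.4 command line commands.

Assumed (not from the release notes): the executable xwforensics64.exe sits
next to this script, and each command is passed as its own argument.
From the notes: 'NewCase;' makes X-Ways pick a unique file name if the .xfc
already exists, 'NewCase:' deletes and overwrites it; 'AddDrive:*' needs
administrator rights (sector-level access) and X-Ways itself falls back to
'AddDir:*' otherwise; the drive letter X-Ways runs from is skipped."""
import ctypes
import os
import socket
import subprocess
import sys
from datetime import datetime, timezone


def running_as_admin() -> bool:
    """IsUserAnAdmin() on Windows; False elsewhere (e.g. when unit-testing)."""
    if sys.platform != "win32":
        return False
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        return False


def utc_stamp(when: datetime) -> str:
    """Compact UTC time stamp used in the case file name."""
    return when.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def case_filename(hostname: str, stamp: str) -> str:
    """Host name plus UTC time, so every triage run gets its own .xfc."""
    safe = "".join(ch if ch.isalnum() or ch in "-_" else "_" for ch in hostname)
    return f"{safe}_{stamp}.xfc"


def build_args(exe: str, case_dir: str, hostname: str, stamp: str,
               admin: bool, overwrite: bool = False) -> list:
    """argv for X-Ways: create the case, then add drives (admin) or directories.

    X-Ways downgrades AddDrive:* to AddDir:* on its own when it lacks admin
    rights; deciding it here as well makes the choice visible in the
    launcher's own log line."""
    sep = ":" if overwrite else ";"          # ';' = never clobber an existing case
    case_path = os.path.join(case_dir, case_filename(hostname, stamp))
    add_cmd = "AddDrive:*" if admin else "AddDir:*"
    return [exe, f"NewCase{sep}{case_path}", add_cmd]


def main() -> int:
    here = os.path.dirname(os.path.abspath(__file__))   # the removable device
    case_dir = os.path.join(here, "cases")
    os.makedirs(case_dir, exist_ok=True)
    exe = os.path.join(here, "xwforensics64.exe")        # assumed file name
    admin = running_as_admin()
    args = build_args(exe, case_dir, socket.gethostname(),
                      utc_stamp(datetime.now(timezone.utc)), admin)
    print(f"admin={admin} launching: {args}")
    return subprocess.call(args)


if __name__ == "__main__":
    sys.exit(main())
```

Because the case file name carries host and time and NewCase is passed with a semicolon, running the stick on the same machine twice never overwrites an earlier triage case, which is the failure mode the colon form would silently cause.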
Posted on Friday, Aug 13, 2021 - 13:36:
* The Dlg: command line parameter now supports relative paths for .dlg files and file masks, so that you can load multiple .dlg files in the same directory at the same time.
* If you wish to output hash values of the files in your case report, and you did not compute hash values previously by refining the volume snapshot, the hash values can now optionally be computed on the fly when generating the report.
* Several minor improvements.
* Same fix level as v20.3 SR-2.
Posted on Tuesday, Aug 17, 2021 - 16:07:
* All filters can now optionally be ORed instead of ANDed, see Options | Directory Browser.
* The option to open files with slack has been moved from Options | Directory Browser to Options | Volume Snapshot.
* Some minor improvements.
Posted on Monday, Aug 23, 2021 - 18:40:
* Thumbnails in JPEG format can now be generated for HEIC pictures in the case report.
* New investigator.ini customizations are now supported in X-Ways Investigator and when running X-Ways Forensics as X-Ways Investigator:
-18 prevent ability to show/hide toolbar
-20 prevent most commands in directory browser context menu
-54 prevent more options for report table associations
-55 prevent creation and deletion and properties of report tables
-56 predefine report table in new cases: "Include in report" (if you use the ~ character in this string, it will be replaced with the examiner name)
-57 prevent display of case report options
-58 prevent report filename selection (automatically generate a unique report filename)
-59 prevent opening of newly created case report in browser
-60 prevent report file visibility (set H attribute)
-69 prevent usage of most keyboard shortcuts, esp. the main menu related ones
-70 prevent File menu
-71 prevent Edit menu
-72 prevent Search menu
-74 prevent View menu
-75 prevent Tools menu
-76 prevent Specialist menu
-77 prevent Options menu
-78 prevent Window menu
-79 prevent Help menu
-80 prevent Version menu
-81 disable Disk/Partition/Volume button (mode still available)
-82 disable File button
-83 disable Preview button
-84 disable Details button
-85 disable Gallery button
-86 disable Calendar button
-87 disable Legend button
* Same fix level as v20.3 SR-3.
Posted on Sunday, Aug 29, 2021 - 14:05:
Posted on Tuesday, Aug 31, 2021 - 19:26:
* Same fix level as v20.3 SR-4.
Posted on Tuesday, Sep 14, 2021 - 18:27:
* If active filters are combined with a logical OR, that is now shown in the directory browser caption line next to the active filter count. A click on the filter count or the word OR toggles between AND and OR combination.
* The Description filter can be optionally ANDed and is ANDed by default even if other filters are ORed, and it is then counted and treated separately.
* New Recover/Copy option: If "Apply original timestamps to copies" is half checked, Recover/Copy works as in previous versions, plus the content creation timestamp if available may substitute for a missing file system level creation timestamp.
If the box is fully checked, that means X-Ways Forensics will make extra efforts to set creation, modification and last access to some original timestamps, so that none of these three standard timestamps reflects the time when the Recover/Copy command was used. For example, extracted e-mails or attachments or files in archives or carved files may not have all or any timestamps. X-Ways Forensics may resort to record change timestamps, alternative creation timestamps, content creation timestamps, and modification timestamps as substitutes for creation, modification as well as last access.
If you check an extra box, the output files may even inherit creation timestamps of parent files and directories. An extreme example is a carved file with no timestamps at all. Its parent directories are virtual directories and have no original timestamps either. Hence the creation timestamp of the root directory will be adopted, if available (not in FAT file systems). A parent directory creation timestamp could be regarded as a lower limit for the unknown creation timestamp of a file. A parent file creation timestamp could be regarded as a lower limit for the unknown creation timestamp of a file if the parent is a file archive or an e-mail message. If the file is a thumbnail embedded in a JPEG file, the creation timestamp of the parent should be exactly right for the child object.
* Updated internal device recognition and evaluation of pictures.
* Increased maximum number of zip records presented in Details mode of zip archives from 10,000 to 20,000.
* Some minor improvements.
Posted on Thursday, Sep 16, 2021 - 18:43:
* The check box to allow recovered/copied files to inherit the timestamps is now a 3-state box. If half checked, only timestamps of parent files are inherited (think of e-mails that contain e-mail attachments or pictures that contain thumbnails). If fully checked, timestamps can also be inherited from parent directories (or grandparent directories or great-grandparent directories etc.).
* The AddDir: command line command now also allows adding single files to a case.
* Ability to load multiple .settings files at the same time, which each can target different files using different filters (internally combined with AND or OR), and all resulting files will be added to a single report table. This allows for complex nested filter conditions like this: Files of type A only if contained in path X plus files of type B if not deleted plus files whose names contain the word Y or Z and which have the System attribute etc. etc. A filter for the resulting report table is automatically activated.
* Some minor improvements.
* Some of the fixes of v20.3 SR-5.
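The Recover/Copy timestamp rules from the Sep 14 post and the 3-state inheritance box from the Sep 16 post are easier to reason about on concrete objects, so here is an added model of them in Python. It is an illustration written for this page, not X-Ways code: the order of preference among the substitute timestamps (record change, alternative creation, content creation, modification) is not stated in the notes and is an assumption here, and the sample snapshot (root directory, virtual "Carved files" directory, carved JPEG, photo with embedded thumbnail, e-mail with attachment) is constructed.

```python
"""Added example (not X-Ways code): a model of the Recover/Copy timestamp
substitution described in the v20.4 preview notes, to show what a copied
file ends up with under each setting of the two 3-state check boxes.
Assumption: the priority among substitute timestamps is not given in the
notes; the order used here is this example's own choice.  Sample objects
below are constructed, not taken from a real image."""
from dataclasses import dataclass
from typing import Optional, Tuple

OFF, HALF, FULL = 0, 1, 2                     # states of a 3-state check box
COPY_TIME = "<time of Recover/Copy>"          # what a missing timestamp would otherwise become


@dataclass
class Obj:
    """An object in the volume snapshot with the timestamps it really has.
    Values are ISO-8601 strings; None means the timestamp does not exist."""
    name: str
    is_dir: bool = False
    parent: Optional["Obj"] = None
    created: Optional[str] = None
    modified: Optional[str] = None
    accessed: Optional[str] = None
    record_change: Optional[str] = None       # e.g. NTFS MFT entry change
    alt_created: Optional[str] = None         # e.g. NTFS $FILE_NAME creation
    content_created: Optional[str] = None     # internal metadata (EXIF, Office, PDF)


def first(*cands: Tuple[str, Optional[str]]) -> Tuple[Optional[str], Optional[str]]:
    """(value, label) of the first candidate that exists, else (None, None)."""
    for label, val in cands:
        if val is not None:
            return val, label
    return None, None


def inherited_created(obj: Obj, mode: int) -> Tuple[Optional[str], Optional[str]]:
    """HALF: inherit only from parent *files* (e-mail -> attachment, JPEG -> thumbnail).
    FULL: also from parent directories, climbing until one has a creation
    timestamp; virtual directories have none, so a carved file gets the root's."""
    p = obj.parent
    while p is not None:
        if p.is_dir and mode != FULL:
            break
        if p.created is not None:
            kind = "directory" if p.is_dir else "file"
            return p.created, f"inherited from {kind} {p.name}"
        p = p.parent
    return None, None


def copy_timestamps(obj: Obj, originals: int, inherit: int) -> dict:
    """Timestamps the recovered copy receives, as {field: (value, origin)}.
    originals: OFF  = file system timestamps only (missing -> COPY_TIME)
               HALF = plus content creation for a missing creation timestamp
               FULL = extra effort so none of the three reflects the copy time
    inherit:   OFF / HALF (parent files) / FULL (parent files and directories)"""
    created, c_src = obj.created, "own creation"
    modified, m_src = obj.modified, "own modification"
    accessed, a_src = obj.accessed, "own last access"
    if originals >= HALF and created is None:
        created, c_src = first(("content creation", obj.content_created))
    if originals == FULL:                     # assumed substitute order, see docstring
        if created is None:
            created, c_src = first(("alternative creation", obj.alt_created),
                                   ("record change", obj.record_change),
                                   ("modification", obj.modified))
        if modified is None:
            modified, m_src = first(("record change", obj.record_change),
                                    ("content creation", obj.content_created),
                                    ("creation", created))
        if accessed is None:
            accessed, a_src = first(("modification", modified), ("creation", created))
    if created is None and inherit >= HALF:
        created, c_src = inherited_created(obj, inherit)

    def out(val, src):
        return (val, src) if val is not None else (COPY_TIME, "copy time")
    return {"created": out(created, c_src), "modified": out(modified, m_src),
            "accessed": out(accessed, a_src)}


# Constructed sample snapshot (NTFS-like root with a creation timestamp).
ROOT = Obj("\\", is_dir=True, created="2019-03-01T08:00:00Z")
CARVED_DIR = Obj("Carved files", is_dir=True, parent=ROOT)   # virtual, no timestamps
CARVED = Obj("carved_0001.jpg", parent=CARVED_DIR)            # nothing at all
PHOTO = Obj("IMG_0042.jpg", parent=ROOT, created="2021-05-02T10:11:12Z",
            modified="2021-05-02T10:11:12Z", accessed="2021-06-01T00:00:00Z")
THUMB = Obj("IMG_0042.jpg (thumbnail)", parent=PHOTO)
MAIL = Obj("Invoice.eml", parent=ROOT, modified="2021-04-10T09:00:00Z",
           record_change="2021-04-10T09:00:05Z")
ATTACH = Obj("invoice.pdf", parent=MAIL, content_created="2021-04-09T17:30:00Z")
SAMPLES = [CARVED, THUMB, MAIL, ATTACH]


def report(originals: int, inherit: int) -> None:
    print(f"originals={originals} inherit={inherit}")
    for o in SAMPLES:
        ts = copy_timestamps(o, originals, inherit)
        print(f"  {o.name:28} " + "  ".join(f"{k}={v[0]} ({v[1]})" for k, v in ts.items()))


if __name__ == "__main__":
    for originals in (OFF, HALF, FULL):
        for inherit in (OFF, HALF, FULL):
            report(originals, inherit)
```

Running it shows the point of the feature: with both boxes off, the carved file, the thumbnail and the attachment all leave Recover/Copy carrying the examiner's copy time in every field, whereas with inheritance fully checked the carved file gets the root's creation time as a lower bound and the thumbnail gets the exact creation time of its parent JPEG.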
Posted on Wednesday, Sep 22, 2021 - 19:34:
* Some minor improvements.
* Most fixes of v20.3 SR-5.