X-Ways Forensics 20.4
X-Ways User Forum, Public Announcements

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 9, 2021 - 7:00:

A preview version of X-Ways Forensics 20.4 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.4 Preview 1?

* Support has been added for the QNX file system as commonly found in current car entertainment systems. X-Ways Forensics, if supplied with an image extracted from such a system, can now parse the file system structures, including timestamps and UNIX permissions, as known from other file systems. Individual virtual files representing the key file system structures are also shown, and Specialist | Technical Details Report will show fundamentals of the file system as well.

* Btrfs volumes using snapshots are now supported.

* Up to 127 subvolumes (incl. snapshots) are now supported per volume in Btrfs, up from 31 subvolumes previously. Unlike other subvolumes, which are all shown on the first level of the main volume, snapshots are shown within the subdirectory of .snapshots that corresponds with the snapshot’s creation date.

* For all subvolumes (incl. snapshots) of Btrfs, the Technical Details Report identifies their respective official parent (sub)volumes, as before.

* A new command line command named "AddDir" is now understood. It is followed by a colon, and after that you specify which directory you wish to add to the case, e.g. AddDir:X:\. If the character after the colon is an asterisk, the root directories of all available drive letters will be added to the case: AddDir:*. However, network drives are optional because they can be excessively large and slow to explore. Addition of network drives depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, assuming that you are doing this to triage a live system and run X-Ways Forensics from your own removable device.

* A new command line command named "AddDrive" is now understood. It is followed by a colon, and after that you specify which drive letter you wish to add to the case, in upper case, e.g. AddDrive:C. Unlike a directory, which is accessed and explored through the operating system, drive letters require sector-level access (and therefore administrator rights), and any present file system will be parsed by X-Ways Forensics itself, if supported. If the character after the colon is an asterisk, all available drive letters in the system will be added to the case: AddDrive:*. However, network drives are optional because they can be excessively large and slow to explore and cannot be read by X-Ways Forensics with sector-level access. Addition of network drives depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, assuming that you are doing this to triage a live system and run X-Ways Forensics from your own removable device. If you specify the AddDrive:* command although you run the software without administrator rights, then the AddDir:* command will be run instead.

* The command line command "NewCase" followed by a semicolon instead of a colon generates a unique filename if the specified .xfc file already exists. With a colon, the existing case is deleted and overwritten (without prompt or mercy).

* The "NewCase" command now supports relative case paths as well as references to environment variables.

* Option to select multiple file type categories for filtering instead of just one, in a dialog window instead of the pop-up menu.

* Computing the total amount of data in files found in OS directory listings is now optional (cf. Options | Volume Snapshot). Any discrepancy between the original amount of data and the new amount detected when re-opening the evidence objects is brought to the user's attention and triggers an offer to take a new volume snapshot.

* An easier-to-use and simplified version of the dialog window to create report table associations is now available, with fewer settings that might confuse new users. It is the new default in X-Ways Investigator, and optionally available in both X-Ways Forensics and X-Ways Investigator. For example, in the simplified version report tables that are created by the application to make the user aware of something will not be listed, and it's possible to specifically remove report table associations from selected files without the use of keyboard shortcuts.

* Parsing symlinks when taking a volume snapshot (depending on the file system) is now optional, cf. Options | Volume Snapshot.

* Raw submode is now available for WofCompressed files in File mode to see the complete compressed data with slack. The List Clusters command now lists all clusters of such files including the slack. The slack area of the WofCompressed data is highlighted also in Partition/Volume mode.

* There is now a dedicated checkbox for the logical search to control whether certain slack areas of NTFS compression are targeted. It's unlabeled, but has a tooltip. If fully checked, the undefined slack area at the end of each compression unit of ordinary NTFS-compressed files is searched raw (as is, without decompression), like in previous versions. If that check box is at least half checked, the well-defined slack of WofCompressed files is targeted (searched raw, without decompression), and this is a new feature of v20.4.

* When text in files is decoded for the simultaneous search or indexing and saved in the volume snapshot for future re-use, and the special option for numbers and dates in spreadsheets is not active at that time, and later you run a search again *with* the special spreadsheets option, then you may not benefit from it if the originally decoded text is searched. That's why you will now get a warning in such a situation if the volume snapshot's decoded text is already loaded, or it will be discarded altogether upon loading.

* Several minor improvements.

* At least some of the fixes of v20.3 SR-2.
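As an added illustration of the NewCase/AddDrive/AddDir command line commands described in the post above (this is not code from X-Ways Software Technology AG and not part of the original announcement), the following Python launcher builds a live-triage command line to be run from an examiner's removable device. Only syntax the post itself documents is used: NewCase with a semicolon so an existing .xfc is never silently overwritten, a relative case path, and AddDrive:* or AddDir:* depending on whether the process is elevated. The executable name xwforensics64.exe, and the assumption that several commands may be passed as separate arguments on one command line, are not taken from the post and should be checked against the user manual. Network drives are governed by the new option in Options | Volume Snapshot and are not touched here.

```python
"""Build and launch an X-Ways Forensics live-triage command line (added example)."""
import ctypes
import os
import platform
import subprocess
import sys
from datetime import datetime, timezone
from typing import List

# Assumption: the 64-bit executable sits next to this script on the examiner's removable device.
XWF_EXE = "xwforensics64.exe"


def running_as_admin() -> bool:
    """True if the process has administrator rights (needed for sector-level access via AddDrive)."""
    if os.name != "nt":
        return False
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())  # type: ignore[attr-defined]
    except (AttributeError, OSError):
        return False


def case_name(hostname: str, when: datetime) -> str:
    """Relative case path; relative paths are accepted by NewCase since v20.4 Preview 1."""
    return f"Cases\\{hostname}_{when:%Y%m%dT%H%M%SZ}.xfc"


def build_args(case_file: str, is_admin: bool) -> List[str]:
    """Compose the v20.4 command line commands described in the post.

    NewCase; (semicolon) makes X-Ways generate a unique filename if the .xfc already
    exists; NewCase: (colon) would delete and overwrite an existing case without prompt.
    AddDrive:* needs administrator rights; without them X-Ways itself falls back to
    AddDir:*, so we pick AddDir:* explicitly and tell the examiner what they will get.
    """
    args = [f"NewCase;{case_file}"]
    args.append("AddDrive:*" if is_admin else "AddDir:*")
    return args


def main() -> int:
    here = os.path.dirname(os.path.abspath(__file__))
    os.chdir(here)                       # relative case path resolves onto the removable device
    os.makedirs("Cases", exist_ok=True)
    admin = running_as_admin()
    if not admin:
        print("not elevated: directories will be read through the OS (AddDir:*), "
              "not at sector level (AddDrive:*)", file=sys.stderr)
    cmd = [os.path.join(here, XWF_EXE)] + build_args(
        case_name(platform.node(), datetime.now(timezone.utc)), admin)
    # Assumption: several commands may be passed as separate arguments on one command line.
    print(subprocess.list2cmdline(cmd))
    if os.name != "nt":
        return 0                         # nothing to launch outside Windows; the printed line is for review
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```

The drive letter of the device the executable runs from is ignored by X-Ways Forensics itself, as the post states, so the script does not need to exclude it.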

Stefan Fleischmann
Posted on Friday, Aug 13, 2021 - 13:36:

Preview 2:

* The Dlg: command line parameter now supports relative paths for .dlg files and file masks, so that you can load multiple .dlg files in the same directory at the same time.

* If you wish to output hash values of the files in your case report, and you did not compute hash values previously by refining the volume snapshot, the hash values can now optionally be computed on the fly when generating the report.

* Several minor improvements.

* Same fix level as v20.3 SR-2.

Stefan Fleischmann
Posted on Tuesday, Aug 17, 2021 - 16:07:

Preview 3:

* All filters can now optionally be ORed instead of ANDed, see Options | Directory Browser.

* The option to open files with slack has been moved from Options | Directory Browser to Options | Volume Snapshot.

* Some minor improvements.

Stefan Fleischmann
Posted on Monday, Aug 23, 2021 - 18:40:

Preview 4:

* Thumbnails in JPEG format can now be generated for HEIC pictures in the case report.

* New investigator.ini customizations are now supported in X-Ways Investigator and when running X-Ways Forensics as X-Ways Investigator:
-18 prevent ability to show/hide toolbar
-20 prevent most commands in directory browser context menu
-54 prevent more options for report table associations
-55 prevent creation and deletion and properties of report tables
-56 predefine report table in new cases: "Include in report" (if you use the ~ character in this string, it will be replaced with the examiner name)
-57 prevent display of case report options
-58 prevent report filename selection (automatically generate a unique report filename)
-59 prevent opening of newly created case report in browser
-60 prevent report file visibility (set H attribute)
-69 prevent usage of most keyboard shortcuts, esp. the main menu related ones
-70 prevent File menu
-71 prevent Edit menu
-72 prevent Search menu
-74 prevent View menu
-75 prevent Tools menu
-76 prevent Specialist menu
-77 prevent Options menu
-78 prevent Window menu
-79 prevent Help menu
-80 prevent Version menu
-81 disable Disk/Partition/Volume button (mode still available)
-82 disable File button
-83 disable Preview button
-84 disable Details button
-85 disable Gallery button
-86 disable Calendar button
-87 disable Legend button

* Same fix level as v20.3 SR-3.

Stefan Fleischmann
Posted on Sunday, Aug 29, 2021 - 14:05:

Preview 5:

[...]

Stefan Fleischmann
Posted on Tuesday, Aug 31, 2021 - 19:26:

Preview 6:

* Same fix level as v20.3 SR-4.

Stefan Fleischmann
Posted on Tuesday, Sep 14, 2021 - 18:27:

Preview 7:

* If active filters are combined with a logical OR, that is now shown in the directory browser caption line next to the active filter count. A click on the filter count or the word OR toggles between AND and OR combination.

* The Description filter can be optionally ANDed and is ANDed by default even if other filters are ORed, and it is then counted and treated separately.

* New Recover/Copy option: If "Apply original timestamps to copies" is half checked, Recover/Copy works as in previous versions, plus the content creation timestamp, if available, may substitute for a missing file system level creation timestamp.

If the box is fully checked, that means X-Ways Forensics will make extra efforts to set creation, modification and last access to original timestamps, so that none of these three standard timestamps reflects the time when the Recover/Copy command was used. For example extracted e-mails or attachments or files in archives or carved files may not have all or any timestamps. X-Ways Forensics may resort to record change timestamps, alternative creation timestamps, content creation timestamps, and modification timestamps as substitutes for creation, modification as well as last access.

If you check an extra box, the output files may even inherit creation timestamps of parent files and directories. An extreme example is a carved file with no timestamps at all. Its parent directories are virtual directories and have no original timestamps either. Hence the creation timestamp of the root directory will be adopted, if available (not in FAT file systems). A parent directory creation timestamp could be regarded as a lower limit for the unknown creation timestamp of a file. A parent file creation timestamp could be regarded as a lower limit for the unknown creation timestamp of a file if the parent is a file archive or an e-mail message. If the file is a thumbnail embedded in a JPEG file, the creation timestamp of the parent should be exactly right for the child object.

* Updated internal device recognition and evaluation of pictures.

* Increased maximum number of zip records presented in Details mode of zip archives from 10,000 to 20,000.

* Some minor improvements.

Stefan Fleischmann
Posted on Thursday, Sep 16, 2021 - 18:43:

Preview 8:

* The check box to allow recovered/copied files to inherit the timestamps is now a 3-state box. If half checked, only timestamps of parent files are inherited (think of e-mails that contain e-mail attachments or pictures that contain thumbnails). If fully checked, timestamps can also be inherited from parent directories (or grandparent directories or great-grandparent directories etc.).

* The AddDir: command line command now also allows single files to be added to a case.

* Ability to load multiple .settings files at the same time, each of which can target different files using different filters (internally combined with AND or OR), and all resulting files will be added to a single report table. This allows for complex nested filter conditions like this: Files of type A only if contained in path X plus files of type B if not deleted plus files whose names contain the word Y or Z and that have the System attribute etc. etc. A filter for the resulting report table is automatically activated.

* Some minor improvements.

* Some of the fixes of v20.3 SR-5.
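The timestamp substitution behaviour for Recover/Copy described in the Preview 7 and Preview 8 posts above (half/fully checked "Apply original timestamps to copies", plus the 3-state inheritance box) is easier to reason about as code. The following Python model is an added example, not code from X-Ways Software Technology AG; it follows the sources the posts name, but the precedence among substitutes, and the assumption that inheritance only kicks in when the main box is fully checked, are my own choices and are marked as such in the comments. The sample tree (an NTFS-like root, a JPEG with an embedded thumbnail, an e-mail with an attachment, a carved file under a virtual directory) is constructed for the example.

```python
"""Model of Recover/Copy timestamp substitution (added example, assumptions marked)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Item:
    """One object in the volume snapshot. kind: 'file', 'dir', 'vdir' (virtual, no timestamps), 'root'."""
    name: str
    kind: str
    parent: Optional["Item"] = None
    created: Optional[datetime] = None          # file system creation
    modified: Optional[datetime] = None         # file system modification
    accessed: Optional[datetime] = None         # file system last access
    record_changed: Optional[datetime] = None   # e.g. NTFS record change
    alt_created: Optional[datetime] = None      # alternative creation timestamp
    content_created: Optional[datetime] = None  # from internal metadata (EXIF, e-mail header, ...)


# Assumed precedence of substitutes; the posts name the sources but not their order.
SUBSTITUTES = {
    "created":  ("alt_created", "content_created", "record_changed", "modified"),
    "modified": ("content_created", "record_changed", "created"),
    "accessed": ("modified", "record_changed", "created"),
}


def inherited_creation(item: Item, inherit: int) -> Optional[datetime]:
    """Walk up the parent chain. inherit=1 (half checked): parent files only, stop at the first
    directory. inherit=2 (fully checked): also directories, grandparents, ... up to the root.
    Virtual directories carry no timestamps and are skipped; a FAT root yields None."""
    p = item.parent
    while p is not None:
        if inherit < 2 and p.kind != "file":
            return None
        if p.created is not None:
            return p.created
        p = p.parent
    return None


def resolve(item: Item, apply: int, inherit: int = 0) -> Dict[str, Optional[datetime]]:
    """apply = 'Apply original timestamps to copies': 0 unchecked, 1 half, 2 fully checked.
    A None in the result means the copy would carry the time of the Recover/Copy operation."""
    out: Dict[str, Optional[datetime]] = {"created": None, "modified": None, "accessed": None}
    if apply == 0:
        return out
    out["created"], out["modified"], out["accessed"] = item.created, item.modified, item.accessed
    if out["created"] is None:                    # half checked: content creation may stand in
        out["created"] = item.content_created
    if apply < 2:
        return out
    for std in ("created", "modified", "accessed"):
        if out[std] is None:
            for src in SUBSTITUTES[std]:
                val = out[src] if src in out else getattr(item, src)
                if val is not None:
                    out[std] = val
                    break
        if std == "created" and out[std] is None and inherit:   # assumed: only when fully checked
            out[std] = inherited_creation(item, inherit)
    return out


def would_take_copy_time(result: Dict[str, Optional[datetime]]) -> List[str]:
    """Which of the three standard timestamps would reveal when the copy was made."""
    return [k for k, v in result.items() if v is None]


# Constructed sample tree (not real evidence).
T = datetime.fromisoformat
ROOT = Item("\\", "root", created=T("2020-01-05T09:00:00"))
DCIM = Item("DCIM", "dir", ROOT, created=T("2021-03-01T08:00:00"), modified=T("2021-03-02T10:20:00"))
JPEG = Item("IMG_0001.jpg", "file", DCIM, created=T("2021-03-02T10:15:00"),
            modified=T("2021-03-02T10:15:00"), accessed=T("2021-03-09T18:00:00"))
THUMB = Item("IMG_0001.jpg (thumbnail)", "file", JPEG)               # embedded: no timestamps of its own
EML = Item("invoice.eml", "file", DCIM, content_created=T("2021-04-01T12:00:00"))  # only a Date: header
ATTACH = Item("invoice.pdf", "file", EML)                            # extracted attachment, nothing at all
CARVED_DIR = Item("Carved files", "vdir", ROOT)
CARVED = Item("carved_0001.jpg", "file", CARVED_DIR)
```

With the inheritance box half checked, the thumbnail takes its parent JPEG's creation time exactly, as the post says it should, while the carved file under a virtual directory still ends up with the copy time for all three timestamps; only with the box fully checked does it adopt the root directory's creation time as a lower bound.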

Stefan Fleischmann
Posted on Wednesday, Sep 22, 2021 - 19:34:

Beta 1:

* Some minor improvements.

* Most fixes of v20.3 SR-5.

Stefan Fleischmann
Posted on Tuesday, Oct 12, 2021 - 5:34:

Beta 2:

* There is now a progress bar when creating a case report for which files are copied or thumbnails are created (or both).

* "Clean up after GDI font object leaks" now mainly has the function to allow for mass operations with the viewer component that potentially permanently consume GDI handles. To avoid a crash for example when generating thumbnails for thousands of PDF files for the case report, this option should be active. The option is now also available in the 32-bit edition of X-Ways Forensics. By default the check box is now half checked. Fully checked means that the necessary checks for handle leakage are performed more often.

* Ability to identify partitions formatted with the F2FS file system as such.

* Logs command line parameters in the activity log of a case if those parameters create or open a case.

* If Tesseract is unsuccessful with a particular file to which you apply OCR in Preview mode, its error messages are now output by X-Ways Forensics in the Messages window.

* Support for spanned 7z archives.

* The File Header Signature Search now accepts more partially available data as NTFS-compressed.

* Several minor improvements.

* Same fix level as v20.3 SR-6.

Stefan Fleischmann
Posted on Sunday, Oct 24, 2021 - 19:47:

Beta 3:

* More complete listing of RAID reconstruction parameters in the Technical Details Report.

* More precise enforcement of the maximum simultaneous user count with network dongles in multi-modal mode and multi-user dongles.

* Other improvements, some of which will be described later.

* Same fix level as v20.3 SR-7.

Stefan Fleischmann
Posted on Monday, Nov 1, 2021 - 17:58:

Beta 4:

* Ability to detect and defend against one more type of archive bomb.

* Support for overlong paths within the case directory.

* The resource download directory now contains ready-to-use XWF hash databases with the NIST NSRL RDS 2.74 hash values as MD5 and SHA-1.

* Some minor improvements.

* Same fix level as v20.3 SR-8.

Stefan Fleischmann
Posted on Monday, Nov 8, 2021 - 18:30:

Beta 5:

* Recognition of more generating devices including iPhone 13.

* Which hash databases are used for matching is no longer controlled by Skip buttons, but rather by checkboxes in the Specialist | Refine Volume Snapshot dialog window, so that this behavior can be better controlled when running RVS from the command line.

* Some minor improvements.

Stefan Fleischmann
Posted on Saturday, Nov 13, 2021 - 16:27:

Beta 6:

* When taking a volume snapshot of directories (or entire drive letters without sector-level access), where it's not X-Ways Forensics itself that parses the file system, but Windows (internally referred to as file system "OS dir list"), alternate data streams can now also be included. This is a new setting in Options | Volume Snapshot and can be turned off if you are not interested in ADS and/or wish to save time. In new installations of X-Ways Investigator it is turned off by default.

* The x86 edition is no longer subject to internal path redirections of Windows, for example when traversing directories on the C: drive without sector-level access ("OS dir list"). The x64 edition never was.

* Some minor improvements.

Stefan Fleischmann
Posted on Tuesday, Nov 16, 2021 - 18:28:

Beta 7:

* A new command in the directory browser context menu named "Copy: Extracted text" allows you to copy text that is decoded or OCRed from selected files to other places. The scope can be limited to files that specifically need OCR (i.e. pictures and certain PDFs) if you are only after such files. The extracted text can be buffered internally in the volume snapshot for future logical searches or indexing and the context preview of search hits. It can be copied into comments of the respective files (suitable esp. for small amounts of text OCRed from pictures), for example to include the text in the case report or exported lists, optionally with an explanatory prefix like [OCR] or [Extracted text]. The extracted text can also be output as child objects (text files). Or it can be collected in a single text file on your own storage device, or copied into the clipboard, and any combination of the above is also possible.

* Text derived by OCR now has Windows line breaks instead of Unix style line breaks.

* The already established Metadata refinement function to estimate the generic relevance of files has been further revised and improved, in particular for pictures: A new Propensity Score Table predicts the probability that a particular picture file will possess embedded metadata based on the larger of the picture's pixel dimensions. (The actual table is available for download to registered customers in the resource directory: PropensityScore.html.)

This is based on empirical assessment and the fact that certain specific picture dimensions are themselves indicative of e.g. smart device screenshots (whose dimensions are identical to the screen resolution of the device) and thus might hold particular interest. In some cases, the generic assessment of a particular pixel dimension is replaced by a more specific verdict in the case of certain aspect ratios (e.g. 1:1 or 4:3) or specific pixel dimensions (e.g. 5488x4096) known to be exact camera resolutions and the like. Some specific resolutions or aspect ratios are also identified in the table as being associated with a particular source device, e.g. Smartphone, Scanner, etc.

The propensity score further considers the embedded metadata: firstly, whether it is present at all, but also its completeness, original or modified nature and the actual meaning of the metadata, e.g. EXIF information identifying a smartphone's front ("selfie") camera as the originating device of a picture.

* Some minor improvements.

Stefan Fleischmann
Posted on Tuesday, Nov 23, 2021 - 18:01:

v20.4 was just released. The user manual was updated.

Stefan Fleischmann
Posted on Tuesday, Nov 30, 2021 - 10:27:

SR-1:

* The hash types for disk imaging and volume snapshot refinement can now be selected in the same dialog window, which requires two mouse clicks less and means that .dlg files of these dialog windows will cover the settings more completely.

* Avoided a read error that could occur when OCRing files.

* Prevents repeated output of hint on use of multiple .settings files.

Stefan Fleischmann
Posted on Monday, Dec 20, 2021 - 8:43:

SR-2:

* If you get file creation error messages when running OCR with multiple threads, you can now try an unlabeled, but tooltipped checkbox next to the Tesseract OCR option to make X-Ways Forensics wait longer for Tesseract to finish.

* Fixed a potential infinite loop that could occur with certain PDF documents when uncovering embedded data.

* Now uses an embedded JPEG picture as the thumbnail of certain camera raw files in the case report.

* When the case report is generated, the user now has the option to explore the directory where the report is stored instead of viewing the report directly.

* The hint given in fresh installations that the RVS processing state of files in evidence file containers is taken over is now given repeatedly, until the user disables it. Previously it was probably often overlooked or ignored and/or not understood.

* Chinese translation of the user interface updated.

* Some minor improvements.

Stefan Fleischmann
Posted on Thursday, Jan 6, 2022 - 18:11:

SR-3:

* Fixed an exception error that could occur in v20.4 with WofCompressed or possibly other kinds of pseudo-sparse files.

* Prevented inability to load previously decoded text that was written incompletely because of a crash. Earlier versions of X-Ways Forensics cannot load decoded text stored by v20.4 SR-3 and later.

* Several minor improvements.

Stefan Fleischmann
Posted on Tuesday, Jan 25, 2022 - 17:42:

SR-4:

* Faster viewing and previewing of large PSD pictures, using the internal graphics viewing library instead of the viewer component.

* Fixed an error in the Tools | Compute Hash command that occurred when applied in File mode.

* Attaching files in the case root window previously switched to a file listing that was shown as being not recursive. That was fixed.

* Some minor improvements.

Stefan Fleischmann
Posted on Monday, Feb 28, 2022 - 17:41:

SR-5:

* Waits longer for closed evidence objects to open if targeted by RVS, to avoid the error message "Sorry, the following evidence object was skipped".

* Fixed a cluster allocation display error of v20.4 SR-4.

* Fixed an exception error that could occur in v20.4 under certain circumstances when generating the case report.

* Some minor improvements.

Stefan Fleischmann
Posted on Monday, Apr 11, 2022 - 10:42:

SR-6:

* The mouse wheel now also works for scrolling in Windows 10 when the cursor hovers over a directory browser tooltip.

* Fixed inability to remove certain context menu commands from the Windows shell via Options | General.

* Support for a newer variant of Windows 10 thumbcache index files in file type verification and Details mode.

* Fixed inability to extract certain tables from some SQLite databases as TSV child objects.

* Fixed a crash that could occur if the user inserted a trailing blank line at the end of "Event Log Events.txt".

* Fixed inability of v20.4 to properly open ordinary sparse files in NTFS.

* In OSDirList volume snapshots, directories were previously skipped if their names started with two dots. That was fixed.

* Tooltips now also work in the dialog windows for simple text and hex searches.

* Restoring old backups of cases did not always discard all newer components of the volume snapshot that did not exist in the backup (e.g. events).

* Replacing text or hex values in a file with data of different size did not always work in files larger than 2 GB. That was fixed.

* Some minor improvements.

Stefan Fleischmann
Posted on Friday, May 27, 2022 - 10:22:

SR-7:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.4. Available to these users on request usually, for a limited time.

Stefan Fleischmann
Posted on Tuesday, Aug 30, 2022 - 15:31:

SR-8:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.4. Available to these users on request usually, for a limited time.

Stefan Fleischmann
Posted on Sunday, Jan 15, 2023 - 15:40:

SR-9:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.4. Available to these users on request usually, for a limited time.

Stefan Fleischmann
Posted on Tuesday, Mar 28, 2023 - 5:55:

SR-10:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v20.4. Available to these users on request usually, for a limited time. This is probably the last service release for v20.4.

Forum operated by X-Ways Software Technology AG.