X-Ways User Forum » Public Announcements » X-Ways Forensics 20.5

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 11, 2022 - 17:58:   

A preview version of X-Ways Forensics 20.5 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.5 Preview 1?

* New command "Capture Processes" in the Tools menu in X-Ways Forensics that allows you to acquire all data in the memory of running processes on a live system contiguously (i.e. pages in the order as allocated by the process). The creation times of processes can be seen as the creation timestamps of the memory dumps. Pages marked as containing executable code (PAGE_EXECUTE* styles) are optional and if omitted will suitably reduce the amount of data if you are merely interested in keyword searches or carving and not malware analysis. Carving in the memory dumps (files shown as type "mem") can be performed by uncovering embedded data, one of the functions of volume snapshot refinement.

* This command can also produce a tab-delimited list of all top-level windows with their titles and corresponding processes plus (comma-delimited) the titles of their child windows. Screenshots of some of the top-level windows are taken and output automatically. If this functionality is used without administrator rights, only processes of the current user are covered, otherwise all processes.

* The output folder of "Capture Processes" is by default either a subdirectory of the case or - if no case is active - a subdirectory of the directory for images. It can be automatically explored in Windows File Explorer once the output is complete and/or added to the active case as a directory.

* The memory dumped by "Capture Processes" can also be useful on your own system if an application in which you type text (e.g. an e-mail client) suddenly freezes and you want to recover what you wrote.

* Recognizes Windows 11 as a platform and was confirmed to run on Windows 11 practically as well as on Windows 10.

* Supports new style of reparse point text of Windows 11.

* Applying X-Tensions to files in selected directories is now optional. (In case a particular X-Tension is useful when applied to directories only.)

* The rules of advanced sorting are now also applied to the Hash Set column.

* Improved PNG screenshot identification. In particular, a new Exif format is supported that is used mainly for Android screenshots. This allows you to verify whether such Android screenshots are original.

* Further revised generating device identification (esp. smartphones, esp. all Samsung smartphones) with around 34,000 definitions and two new iOS release identifications.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 25, 2022 - 17:47:   

Preview 2:

* Ability to interpret unencrypted evidence files in Ex01 format as partitioned physical media or volumes.

* The "Mount as Drive Letter" functionality now comes with a new option named "Apply recursively" to present files from all subdirectories of the currently active evidence object or the selected directory in a flat list. This is useful if you wish to use an external program to view many of the files and don't wish to bother with directory navigation. When using this option, the int. IDs of the files are inserted into the filenames to make the files better identifiable to X-Ways Forensics.

* Comments of evidence objects are now also shown in the Comments column in the Case Root window and can be edited from there. The description of evidence objects is now also shown in the Metadata column in the Case Root window.

* Ability to define the maximum size of files for which thumbnails should be created in the gallery. It may be necessary to increase that limit for high resolution Photoshop PSD pictures for example.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 6, 2022 - 14:12:   

Preview 3:

* Additional generator signatures defined.

* Support for new Exif tags concerning composite images and time zones.

* Revised recognition of camera original pictures, now with a lower false negative rate, especially for Xiaomi smartphones.

* Evaluates camera debug information in the Application Marker 4 for Samsung smartphones such as camera serial number, timestamp of the last firmware update, and a 2-letter country code. This may enable the examiner to associate a photo with the exact device that took it.

* Provides the last printing date and the internal last modification date of OpenOffice documents as events.

* Automatic verification of newly created images via hash is now applied to an optional 2nd image copy also when adding the 1st copy to the active case.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 7, 2022 - 12:55:   

Preview 4:

* A renamed/moved file in a volume snapshot for a FAT file system that still exists under a different name or in a different directory was handled inconsistently before. Now it is read exactly like its existing counterpart, i.e. following cluster chains as defined in the file allocation table, regardless of the state of the "Deleted files skip used clusters" setting, resulting in identical hash values, duplicate search hits, etc.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 18, 2022 - 3:28:   

Preview 5:

* Report tables can now be alphabetically sorted in the dialog windows for filtering and for report table management. By default, they will be listed in the order in which they were created, as before.

* Report tables that were created by the application as hints for the user are now listed optionally, and they are now the only ones that are indented.

* New colors were defined for the various kinds of report tables (ordinary user-created, hints for the user, hash sets, search terms, duplication groups, ...), and the triangles in the Name cells that indicate the existence of report table associations for the file are now shown in the same colors. The display of those triangles is now optional, see Options | Notation.

* If a filter is active with a NOT setting, you are now reminded of that by a red funnel symbol.

* To remind the user that an OR combination of filters is active, the word "OR" is now displayed in larger letters and with pointing fingers in the caption line of the directory browser.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Feb 18, 2022 - 4:56:   

* Option to output textual representations of dialog windows as text files when dumping processes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 28, 2022 - 18:09:   

Preview 6:

* When computing PhotoDNA hash values and storing the hashes for deduplication and fast re-matching, X-Ways Forensics now also automatically compares embedded thumbnails to their parent files. If the difference is noticeable, that will be brought to the user's attention with two report tables, "Thumbnail discrepancy" and "Thumbnail notable (data corrupt/incomplete)", where the latter means that there is a difference most likely just because the parent file is corrupt or incomplete. (The thumbnail, which requires little storage space and is located near the start of the file, could be unaffected and therefore helpful.) The former could indicate that someone has retroactively altered/redacted the full resolution picture and left the embedded thumbnail as it was.

* X-Ways Forensics from now on distinguishes between 4 instead of 3 possible file format consistency states: unknown, OK, irregular and corrupt. This is in the process of being revised. Important for the Type status filter settings.

* Improved handling of hard disks that were partitioned and formatted as if they had a different sector size.

* Same fix level as v20.4 SR-5.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 3, 2022 - 11:26:   

Preview 6b:

* Colored cells now have an optional color gradient. This can be enabled separately for each cell coloring condition. The exact rules to determine the background color of rows in the directory browser based on focus, selection, mouse hover status, dark mode and cell coloring have been generally revised.

* One of the fixes of v20.4 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 3, 2022 - 19:30:   

Preview 7:

* After matching hash values against the hash database, multiple matching hash sets for a given file are now listed within the cell in the same order as they are contained in the hash database, and not in a random order.

* One of the improvements of v20.4 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 24, 2022 - 10:08:   

Beta 1:

* Now executable again under Windows XP (with limitations).

* In condition cell coloring, you now have the option to color the Name cell in addition to the original cell that the condition is based on. Useful if you wish to be visually alerted of the matching condition even if the triggering column is currently not visible, and if highlighting the entire line would be too much.

* Revised and improved alternative .eml preview, which is important also for the case report option "Alternative .eml presentation directly in browser".

* A filter is now available for process dumping. You can use it like other file mask filters in X-Ways Forensics. For example "explorer.exe" will only dump memory and windows of the Windows File Explorer process. ":C*" will dump all processes except those whose names start with the letter "C", i.e. for example not "Chrome.exe". The file mask is not case sensitive. Multiple file masks can be concatenated with semicolons. (However, the total length is limited.)

* Registry Viewer: Ability to copy the value data as shown in the list view on the right-hand side. (In order to copy the value data in binary, select the value in the list view, move the registry viewer aside and copy the selected data from File mode.)

* The Notation settings now allow you to see some "internal" flags in the Description column if you wish. Those flags identify the status of a file in volume snapshot refinement.
[Emb]: checked for embedded data to uncover
[Arc]: file archive checked for content
[Enc]: encryption test already performed
[Ext]: e-mail or e-mail archive checked for extractable content
[Met]: checked for internal metadata
[Xtn]: created by an X-Tension

* Printing templates did not show formatted GUIDs correctly. That was fixed.

* Beta version also available as X-Ways Investigator.

* Several minor improvements.
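The file mask semantics described in the Beta 1 post for process dumping (a plain name matches one process, a leading ":" negates a mask, matching is case-insensitive, several masks are joined with semicolons) can be reproduced in a few lines. The following is an added example, not code from X-Ways or from the post; it assumes that positive masks are combined with OR, that a negated mask excludes regardless of positive masks, and that a mask string consisting only of negated masks admits everything not excluded. The process names and the length cap are constructed for illustration.

```python
import fnmatch

# Assumed cap for the whole mask string; the post only says the total length is limited.
MAX_MASK_LENGTH = 255


def parse_masks(mask_string):
    """Split a semicolon-separated mask string into (negated, pattern) pairs.

    A leading ':' marks an exclusion mask, as in the post's ':C*' example.
    Patterns are lower-cased because matching is case-insensitive.
    """
    if len(mask_string) > MAX_MASK_LENGTH:
        raise ValueError("mask string exceeds the assumed length limit")
    masks = []
    for raw in mask_string.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith(":"):
            masks.append((True, raw[1:].lower()))
        else:
            masks.append((False, raw.lower()))
    return masks


def process_matches(name, masks):
    """Return True if a process name passes the parsed masks.

    Exclusions win over inclusions; with no positive masks, every
    non-excluded name passes (assumed behaviour, see lead-in).
    """
    lowered = name.lower()
    positives = [p for neg, p in masks if not neg]
    negatives = [p for neg, p in masks if neg]
    if any(fnmatch.fnmatchcase(lowered, p) for p in negatives):
        return False
    if not positives:
        return True
    return any(fnmatch.fnmatchcase(lowered, p) for p in positives)


def filter_processes(mask_string, names):
    """Apply a mask string to a list of process names, preserving order."""
    masks = parse_masks(mask_string)
    return [n for n in names if process_matches(n, masks)]


# Constructed sample process list (not from a real system).
SAMPLE_PROCESSES = ["explorer.exe", "Chrome.exe", "Code.exe", "svchost.exe", "notepad.exe"]

if __name__ == "__main__":
    for mask in ("explorer.exe", ":C*", "EXPLORER.EXE;notepad.exe", "*.exe;:chrome.exe"):
        print(f"{mask!r:30} -> {filter_processes(mask, SAMPLE_PROCESSES)}")
```

Running the block prints, for each mask string, which of the constructed process names would be dumped; ":C*" drops both "Chrome.exe" and "Code.exe" because the comparison is case-insensitive.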
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 24, 2022 - 15:28:   

* Interface for "Excire". Excire for X-Ways Forensics is an artificial intelligence module created by a 3rd party, sold by X-Ways, that analyzes photos automatically. It can identify content, known faces and similarity between photos. Please see https://www.x-ways.net/excire.html for details.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 30, 2022 - 15:39:   

Beta 2:

* Some fixes in the interface for Excire. Users with licenses or trial licenses for Excire also need to download the updated Excire.zip package.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 11, 2022 - 12:18:   

v20.5 was just released. The following was changed since the last beta release:

* An up-to-date English language Tooltips.txt file is now included in the download. If you wish to see those tooltips for controls (mostly checkboxes) in your dialog windows, please make sure that "Tooltips.txt" is activated in Options | General. A German-language Tooltips.txt is available from the resource download area for users of X-Ways Investigator and X-Ways Forensics. If you wish to share your translation to another language with other users, please send us your copy of the file so that we can put it there as well. Thank you.

* Option to hide case backup files with the H attribute.

* Ability to process carved compressed PF prefetch files.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 13, 2022 - 11:52:   

SR-1:

* The table of generating devices was updated.

* Some new video generator signatures.

* Some more format variants added for the device type "Video publishing".

* Structure types are now computed for the file types XLS, WEBP, and WAV.

* More formats supported for filename analysis.

* Keyboard shortcut assignments in the report table association dialog did not always work in v20.5. That was fixed.

* Program help and user manual updated for v20.5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 26, 2022 - 8:25:   

* Program help files updated in v20.5 SR-1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 27, 2022 - 10:40:   

SR-2:

* Improved Unicode support for EVTX processing.

* The definitions in "Event Log Events.txt" were not applied completely when processing .evtx event logs since v20.4 SR-6. That was fixed.

* Fixed unintended dependency of the alternative e-mail presentation in the case report on the setting in Options | Viewer Programs.

* Originally WofCompressed files in evidence file containers could not be opened for reading. That was fixed.

* The particularly thorough file system data structure search in NTFS now skips some volume areas that could only result in unnecessary duplicate findings, and grouping orphaned files now always happens in virtual directories that have a connection to the root directory via the virtual "Path unknown" directory.

* Fixed some report table management functions for the new optional report table listing in alphabetical order.

* Clarified supported file types in online Excire product description. Clarified supported file types for face definitions in marker-help.txt in the Excire package. Face marking now accepts supported picture files with any filename extension or without filename extension.

* Several minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 26, 2022 - 15:02:   

SR-3:

* The directory browser context menu command to copy extracted text to various output channels had encoding issues with some settings. That was fixed.

* The alternative e-mail preview did not present Date and Recipient fields in some rare cases. That was fixed.

* Fixed occasional inability to preview compressed Prefetch files in v20.5.

* Fixed sorting partitions by size in the directory browser.

* Fixed a user interface error that could occur in some installations in v20.5 SR-2.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 20, 2022 - 17:11:   

SR-4:

* Some minor improvements and fixes.

Forum operated by X-Ways Software Technology AG.