X-Ways Forensics 20.6 Log Out | Topics | Search
Moderators | Edit Profile

X-Ways User Forum » Public Announcements » X-Ways Forensics 20.6 « Previous Next »

Author Message
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 27, 2022 - 11:28:   

A preview version of X-Ways Forensics 20.6 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.6 Preview 1?

* The relevance scale for PNG files is now comparable to that of JPEG files, so that sorting files of both types by relevance gives a more plausible result now.

* The compression level of PNG files is now output in the internal metadata in Details mode. It also affects the relevance computation. The conditions "trailing data" and "incomplete" (also in Details mode) are new for PNG files.

* Fixed a problem with false detection of a scanner as the generating device of PNG files.

* If the IFD GPS field in Exif metadata is available, but empty, or if it contains unvalid coordinates, this is an irregular situation, different from the IFD GPS not being present at all, and often means that the GPS data have been removed retroactively. It is now reflected as "GPS format: NaN", where NaN means "not a number".

* Fixed a rare situation in which a geolocation was not output previously.

* The Summary table in Details mode for JPEG files now specifies the confidence with which the generating device type was identified.

* Generator signature concept for JPEG pictures improved.

* Users may now specify a minimum confidence in % that they require for the identification of generating devices of JPEG and PNG pictures.

* Ability to analyze pictures in HEIC format with Excire PhotoAI.

* Ability to choose the minimum resolution of pictures that should be analyzed with Excire PhotoAI. The previous minimum was 224x224 pixels. If you are interested only in high quality digital photos, you can save time by increasing this minimum a lot. If you are also interested in low resolution photos, including thumbnails (for example because you think thumbnails are sometimes all you can find of incriminating photos), you can use a lower minimum. The absolute minimum accepted is 48x48 pixels, but it is not recommended to go much lower than 80x80 as detection errors will be more frequent if the picture quality is very bad.

* Redesigned pixel filter dialog window for improved understanding of how it works.

* Better support for some PNG pictures with transparency.

* Option to conveniently access the keyword list and keywords translation of objects detectable with Excire PhotoAI, from the dialog window where to specify which keywords you are not interested in. You may also change the wording. For example, photos identified as act photography can be marked as "nudity" instead of "act", if you change the word after the comma.

* Changed the way thumbnails are created for the case report, for file types supported by the internal graphics display library. Among other file types this affects Photoshop PSD, which apparently cannot be properly rendered by the 64-bit edition of the viewer component, but by the internal graphics display library.

* Improved readability of directory browser tooltips that represent very long text without line breaks, e.g. comments.

* Ability to create two copies of an image files when imaging from the command line. The path of the second copy, if desired, may be appended after the path of the first copy, delimited by a forward slash. Example: "|e01|Z:\First Copy.e01/V:\Second Copy.e01|Image description|Examiner name".

* Improved representation of HFS+ file systems with redundant inactive catalog entries.

* Option to restrict the search for NTFS FILE records to the currently defined block. (If no block is defined, the search will be carried out in all sectors of the volume as usually.)

* The number of characters extracted from a file (be it via text decoding or OCR) is now shown in the Description column (if the box "other" is checked in the Notation options of the Description column), and with the filter you can require a certain minimum number of characters (like 5 or 10, 255 at most), for example to avoid pictures in which a few characters have been recognized merely erroneously, i.e. pictures that not actually do contain text.

* The "Event Log Events.txt" config file now accepts a line beginning (1st column position) with a semicolon to signify a comment line. Obviously this can be used either to remove lines from parsing or to add comments to particular sections. The configuration file now accepts an optional fourth column that can be used to add a plain text comment to the Event's Description column. This was a suggestion from Pontus Perhamn who asked to able to add a comment to the Event's Description in addition to or in lieu of data field values.

* Directory browser option to display the start offset of the data of a file in the First Sector column instead of the number of the first sector. This is more precise information and available for most files. The title of the column will be changed accordingly in most places of the user interface. The offset can optionally be made a physical offset (from the point of view of the physical disk/image if shown in a partition) just like the sector number can be made a physical sector number. The filter of that column expects numbers of the same meaning as shown in the directory browser (i.e. either offsets or sectors, either logical or physical), and in the same notation (decimal for sector numbers, decimal or hexadecimal for offsets).

* The directory browser context menu command "Find duplicates in list" can now also identify duplicates based on exact identical start offsets instead of just identical start sectors if the "First sector" column is populated with offsets.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 30, 2022 - 13:08:   

* The kind of data structure to be found at the designated file system offset is now printed right in the "File system offset" column, for files and directories in NTFS.

* "Event Log Events.txt" now contains some explanations as comments and has an example of a comment that is taken over into the event description in the event list.

* The original download of v20.6 Preview 1 had a display problem with Exif-rotated JPEG pictures. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 3, 2022 - 11:43:   

Preview 2:

* Applying Exif orientation metadata in Preview mode, for the View command, in the gallery, for OCR and for Excire PhotoAI was partially revised and is now optional and controlled by a 3-state checkbox. If fully checked, the Exif orientation is strictly applied. If half checked (the previous behavior and still the default), it not applied if X-Ways Forensics thinks it is most likely correct to *not* (further) rotate or flip the picture.

* Improved Exif orientation compliance in the gallery. In particular, thumbnails and low-resolution alternatives embedded in JPEG files now inherit the Exif orientation from their parent files.

* JPEG generator signatures were revised to decrease the number of error rates to less than 0.1%, by avoiding hash collisions (one signature matching two devices). This may be noticeable when dealing with Samsung Galaxy devices.

* Mention of AMPF (presumably for "Apple Multi Picture Format") in the JFIF header in Details mode.

* Now filters out leading white spaces resulting from OCR text recognition.

* Internal graphics display library updated.

* Some minor improvements.

* Some of the fixes of v20.5 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 6, 2022 - 8:24:   

Preview 3:

* A new option in Options | Viewer Programs makes X-Ways Forensics ignore OCR-derived text if it does not contain at least x contiguous useful characters. Such OCR results will not be stored/output/copied/indexed/searched. This is beneficial if you apply OCR to unknown/random/ordinary pictures (i.e. not known textual data), to reduce the number of files that later will (misleadingly) respond to the Description filter for files with OCR-derived text or for which child objects are (unnecessarily) created by the "Copy: Extracted Text" function etc. A "useful" character is defined here as a character with an ASCII/Unicode value of 0x30 or higher. That means whitespaces <=0x20 are not counted, and neither are the printable characters !=#$%&'()*+,-.& (0x21-0x2F range) because some of them are occasionally misdetected in random pixels. All real letters in any language count, and so do numbers ("0" through "9").

* The controls in the Options | Viewer Programs dialog window were reorganized, and the Tesseract OCR settings got more space and are now more intuitive.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 8, 2022 - 11:52:   

Preview 4:

* New option to accelerate various operations such as volume snapshot refinement, logical searches, and especially the optional dynamic context preview rendering around search hits in the search hit list, by keeping more decompressed contents of file archives in the volume snapshot cache. This option can be found in Options | Volume Snapshot. It generally accelerates opening files in archives again after the first time, especially nested archives.

The volume snapshot cache could become very large that way. It can be discarded optionally whenever closing the data window if you like (useful if you are done dealing with that evidence object for the moment, or done with the entire case), and that is a case-specific setting in the case properties. Once discarded, files can get cached again afterwards at any time if/when they are opened again, if the option for that is active. If the box for caching is half checked, that means only compressed TAR archives are cached, like in previous versions.

* The more complex version of the dialog window that allows you to manage report tables and report table association now also has a button to remove associations with the selected report tables.

* There is now a small blank button in the lower right corner of the "Picture analysis and processing" dialog window. Clicking the button will show user interface controls for usage of PhotoDNA and Excire PhotoAI, even if the functionality is unavailable, to give you an idea of how they can be used. PhotoDNA is provided for free to users in law enforcement agencies. Excire PhotoAI is commercially available and described here: https://www.x-ways.net/excire.html.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 12, 2022 - 21:48:   

Preview 5:

* The Hash Category column, which shows which files are considered irrelevant or notable, has been tentatively renamed "Assessment". Hash database matching is just one method to populate this column. Files can also be designated as irrelevant or notable by X-Tensions, by adopting data from evidence file containers, and now in v20.6 also simply using the directory browser context menu.

* Pictures can now be automatically categorized as irrelevant or notable using Excire PhotoAI. In the extensive hierarchy of identifiable objects you can select individual objects or entire subtrees that render a picture irrelevant from your point of view, such as any kinds of animals, plants, sports, musical instruments etc. You can also define what renders a picture notable for you, such as nudity ("act"), children, text etc. "Notable" always overrides "irrelevant" when in doubt, if for example dogs are marked as important in a particular case, but animals in general are still marked as irrelevant.

* To reduce the number of report tables associations generated using Excire PhotoAI, within irrelevant subtrees you can choose to not output findings at a lower level. If for example the subtress "Animal" is marked as irrelevant, then if a photos shows an identifiable butterfly, you won't get the report tables "Butterfly" and "Insect", but only "Animal". (Optionally you can get to see in the Comment column which exact animal was identified.)

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 15, 2022 - 14:12:   

Preview 6:

* Logical AND combinations are now supported when categorizing photos as notable based on content detected by Excire PhotoAI. To add a new AND combination, you select the first object name, click the AND button, then select the second object name, and click the AND button again. If you have misclicked, exit the dialog window via Cancel OR simply remove the checkmark in front of your accidental AND combination so that it will not be remembered when you click OK. Two AND combinations are predefined in fresh installations that are meant to assist in searches for child pornography. You can combine any items in the tree, not only those from the bottom-most level that are represented by file icons. Irrelevant and notable detections are defined in these two text files: "Excire Irrelevant.txt" and "Excire Notable.txt".

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 21, 2022 - 19:49:   

Preview 7:

* Exporting and importing selected report tables to/from text files now include the descriptions in addition to just the report table names.

* HFS+: Duplicate entries in the Catalog (one inactive and one active) for the same file or directory (same ID, same name) are apparently created under Linux, under certain circumstances. In newly taken volume snapshots now usually only the active one will be included.

* HFS+: If an inactive Catalog entry and an active entry was found for the same directory (same ID, same name) and both were included in the volume snapshot, in newly taken volume snapshots the content of that directory will be shown for the existing directory, and not randomly in one of the two.

* Some of the fixes of v20.5 SR-3.

* Some minor improvements.

Add Your Message Here
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have a profile.
Options: Enable HTML code in message
Automatically activate URLs in message
Forum operated by X-Ways Software Technology AG.