|Posted on Tuesday, Feb 7, 2023 - 17:54: |
A preview version of X-Ways Forensics 20.8 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.
What's new in v20.8 Preview 1?
* Improved some aspects of dark mode when Windows does not use a dark theme (e.g. alternative e-mail preview) and greatly improved compatibility with some dark themes of Windows 11.
* Option to decode text in files from scratch in case previous decoding efforts were stored in the volume snapshot for re-use, but you wish to discard those, for example after enabling the special decoding option for spreadsheets.
* Option to make a backup of the volume snapshot automatically once refinement has completed, so that you can quickly return to this state if necessary instead of taking a new volume snapshot and refining it again. Useful for example if you make some mistake in your manual review of files or if the volume snapshot gets corrupted somehow. If the checkbox for this (in Specialist | Refine Volume Snapshot) if fully checked instead of only half checked, an intermediate additional backup if made after the operations of step 1 (at the disk/partition level) have completed. The menu command to restore volume snapshot backups can still be found in the context menu of the evidence object in the Case Data window.
* Btrfs: Now includes multiple hardlinks of the same file in the volume snapshot also when they are in the same directory.
* Notation setting to show forward slashes instead of backslashes in the path columns, in the caption line of the directory browser, in the Info Pane, and in the status bar, either always or only in data windows that represent a volume with a non-Microsoft file system.
* A new automatic label "metadata added retroactively" was introduced. It is used for pictures whose metadata was automatically or manually added after the content already existed, such as copyright information or keywords.
* Revised handling of file archives for better stability with some rare unusual archives.
* Ability to treat CAB Windows installation packages like file archives. If you wish to include their contents in the volume snapshot, please make sure that the type designation cab is listed in an active archive family like "general purpose" or "special interest". By default (in new installations) cab will become part of "special interest" only because most cab archives are just irrelevant Microsoft installation packages and not user-created file archives. The type designation "cab1" tries to identify most Microsoft installation packages, whereas "cab" could be more interesting manually created file archives.
* Time zone information in the summary table of Quicktime videos in Details mode for the Quicktime timestamp, with identification of files that have the so-called "incorrect time zero" issue.
* Improved support for Microsoft Azure cloud machines as a platform.
* Several minor improvements.
|Posted on Tuesday, Feb 14, 2023 - 14:30: |
* Fixed a problem with file archives in the 64-bit edition.
|Posted on Thursday, Feb 23, 2023 - 2:15: |
* Moderately accelerated dictionary attack on encrypted file archives. Now ~50% faster than in v20.7 and earlier.
* Same fix level as v20.7 SR-5 plus some of the fixes of v20.7 SR-6.
|Posted on Monday, Feb 27, 2023 - 9:42: |
* Option to adjust the size of the standard Windows GUI font used for example in the directory browser and in the Case Data window. A positive number of pixels increases the size, a negative number decreases it. Restarting the application is recommended after making any adjustments.
Generally it is much better to adjust the DPI scaling settings in Windows instead because that has a more consistent effect on all elements of the GUI, including clickable controls etc., not just on the font size in certain areas. However, there are situations in which it is more practical to control the font sizes in X-Ways Forensics specifically, for example your eyesight is above or below average and you frequently use a portable installation of X-Ways Forensics on computers other than your own.
* Option display search hits in the search hit list along with their context in hexadecimal notation. Useful especially for technical searches, i.e. not keyword searches, but searches for header signatures, delimiters, binary markers etc. The option can be found in the context menu. It will also affect the output of search hits in the "Export list" command.
* Option to create the subdirectories for case and volume snapshot backups with the hidden attribute (H) so that they do not clutter up the directory listing if you check out the case directory occasionally in the Windows File Explorer, or at least are identified by a fainter version of the folder icon. This option will also affect volume snapshot backups created automatically when completing steps of the volume snapshot refinement.
* Generating device recognition capabilities updated.
* Several minor improvements.
|Posted on Wednesday, Mar 8, 2023 - 16:42: |
* Ability to view and preview the first frame of animated WEBP pictures, also in the gallery.
* Recognition of the Tuxera Flash File System (TFFS).
* Produces thumbnails of e-mail messages in the report with the alternative .eml presentation if that presentation is active for viewing e-mails right in the browser.
* Several minor improvements.
* The search for pictures with known faces does not currently work in v20.8 Preview.
* Some of the fixes of v20.7 SR-6.
|Posted on Monday, Mar 13, 2023 - 7:34: |
* For each "family" of file archives (general purpose, Office, special interest, ...) you can now decide whether such archives should be presented in the directory tree once their contents have been included in the volume snapshot.
* The Summary table for JPEG files in Details mode now does not only assess the compression quality roughly as either "high", "medium", "low" or "very low", but also quantifies it in a linear scale from 0 to 100. This number is not to be confused with the nominal/official JPEG quality, which does not take the actually achieved compression into account.
|Posted on Friday, Mar 24, 2023 - 12:34: |
* Drag & drop is now supported in the Case Data window to move top-level evidence objects up or down in the tree.
* Selecting an evidence object in the Case Root window now automatically also selects it in the Case Data window, and expands the tree for that if necessary (if the selected evidence object is a partition) and scrolls vertically if necessary, so that it now becomes easy to locate a particular evidence object in a large case, considering that in the case root window you can sort evidence objects by name and use filters etc.
* The expanded status of top-level evidence objects with partitions is now remembered and restored when opening a case.
* Some GUI elements are now automatically resized proportionally if you use the same WinHex.cfg file in a portable installation in Windows systems with different DPI settings (i.e. usually on machines with different display resolutions), for example for on-site triage, so that you roughly keep the perceived sizes that you are used to. Among others, the following are resized: the font in the hex and text display, directory browser columns (their widths), the Case Data window (its width), and thumbnails in the gallery. This works with WinHex.cfg files last saved by v20.7 SR-7 or later.
* Loading .settings files saved by v20.7 SR-7 and later now also adjusts previous directory browser column widths based on current DPI settings if necessary.
* File and folder selection dialog windows are now larger.
* Special icons in the Case Root window for evidence file containers, RAIDs and process acquisitions.
* The option to mark files as duplicates in the Description column is now available when checking for listed files with identical start offsets.
* Encryption test for documents slightly accelerated.
* The special search commands for integer numbers and floating point numbers can now be applied in File mode, and their output messages are now Unicode-capable and thus readable if the user interface is set to a non Western European language.
* Identified content in pictures now optionally affects the computed relevance of those files depending on what objects/keywords you define as notable or irrelevant.
* If the results of picture content analysis are output as labels, videos now also get labeled automatically if the stills that were extracted from them are processed.
* Face markings for the search for known faces are now remembered even if the path of the picture collection changes.
* The picture collection for the face search may now be stored in a path that contains spaces.
* Option to abort face markings and volume snapshot refinement by pressing Esc while in the face marking process.
Requires a new Excire package, which is now downloadable and which is compatible with v20.7 SR-7 (also older releases of v20.7 if you don't use the search for known faces). The previous version of the package for use with v20.7 SR-6 and older can still be found in the resource download directory as well.