Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 7, 2023 - 17:54:   

A preview version of X-Ways Forensics 20.8 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.8 Preview 1?

* Improved some aspects of dark mode when Windows does not use a dark theme (e.g. alternative e-mail preview) and greatly improved compatibility with some dark themes of Windows 11.

* Option to decode text in files from scratch in case previous decoding efforts were stored in the volume snapshot for re-use, but you wish to discard those, for example after enabling the special decoding option for spreadsheets.

* Option to make a backup of the volume snapshot automatically once refinement has completed, so that you can quickly return to this state if necessary instead of taking a new volume snapshot and refining it again. Useful for example if you make some mistake in your manual review of files or if the volume snapshot gets corrupted somehow. If the checkbox for this (in Specialist | Refine Volume Snapshot) is fully checked instead of only half checked, an intermediate additional backup if made after the operations of step 1 (at the disk/partition level) have completed. The menu command to restore volume snapshot backups can still be found in the context menu of the evidence object in the Case Data window.

* Btrfs: Now includes multiple hardlinks of the same file in the volume snapshot also when they are in the same directory.

* Notation setting to show forward slashes instead of backslashes in the path columns, in the caption line of the directory browser, in the Info Pane, and in the status bar, either always or only in data windows that represent a volume with a non-Microsoft file system.

* A new automatic label "metadata added retroactively" was introduced. It is used for pictures whose metadata was automatically or manually added after the content already existed, such as copyright information or keywords.

* Revised handling of file archives for better stability with some rare unusual archives.

* Ability to treat CAB Windows installation packages like file archives. If you wish to include their contents in the volume snapshot, please make sure that the type designation cab is listed in an active archive family like "general purpose" or "special interest". By default (in new installations) cab will become part of "special interest" only because most cab archives are just irrelevant Microsoft installation packages and not user-created file archives. The type designation "cab1" tries to identify most Microsoft installation packages, whereas "cab" could be more interesting manually created file archives.

* Time zone information in the summary table of Quicktime videos in Details mode for the Quicktime timestamp, with identification of files that have the so-called "incorrect time zero" issue.

* Improved support for Microsoft Azure cloud machines as a platform.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Feb 14, 2023 - 14:30:   

Preview 1b:

* Fixed a problem with file archives in the 64-bit edition.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Feb 23, 2023 - 2:15:   

Preview 2:

* Moderately accelerated dictionary attack on encrypted file archives. Now ~50% faster than in v20.7 and earlier.

* Same fix level as v20.7 SR-5 plus some of the fixes of v20.7 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 27, 2023 - 9:42:   

Preview 3:

* Option to adjust the size of the standard Windows GUI font used for example in the directory browser and in the Case Data window. A positive number of pixels increases the size, a negative number decreases it. Restarting the application is recommended after making any adjustments.

Generally it is much better to adjust the DPI scaling settings in Windows instead because that has a more consistent effect on all elements of the GUI, including clickable controls etc., not just on the font size in certain areas. However, there are situations in which it is more practical to control the font sizes in X-Ways Forensics specifically, for example if your eyesight is above or below average and you frequently use a portable installation of X-Ways Forensics on computers other than your own.

* Option display search hits in the search hit list along with their context in hexadecimal notation. Useful especially for technical searches, i.e. not keyword searches, but searches for header signatures, delimiters, binary markers etc. The option can be found in the context menu. It will also affect the output of search hits in the "Export list" command.

* Option to create the subdirectories for case and volume snapshot backups with the hidden attribute (H) so that they do not clutter up the directory listing if you check out the case directory occasionally in the Windows File Explorer, or at least are identified by a fainter version of the folder icon. This option will also affect volume snapshot backups created automatically when completing steps of the volume snapshot refinement.

* Generating device recognition capabilities updated.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Mar 8, 2023 - 16:42:   

Preview 4:

* Ability to view and preview the first frame of animated WEBP pictures, also in the gallery.

* Recognition of the Tuxera Flash File System (TFFS).

* Produces thumbnails of e-mail messages in the report with the alternative .eml presentation if that presentation is active for viewing e-mails right in the browser.

* Several minor improvements.

* The search for pictures with known faces does not currently work in v20.8 Preview.

* Some of the fixes of v20.7 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Mar 13, 2023 - 7:34:   

Preview 5:

* For each "family" of file archives (general purpose, Office, special interest, ...) you can now decide whether such archives should be presented in the directory tree once their contents have been included in the volume snapshot.

* The Summary table for JPEG files in Details mode now does not only assess the compression quality roughly as either "high", "medium", "low" or "very low", but also quantifies it in a linear scale from 0 to 100. This number is not to be confused with the nominal/official JPEG quality, which does not take the actually achieved compression into account.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 24, 2023 - 12:34:   

Beta 1:

* Drag & drop is now supported in the Case Data window to move top-level evidence objects up or down in the tree.

* Selecting an evidence object in the Case Root window now automatically also selects it in the Case Data window, and expands the tree for that if necessary (if the selected evidence object is a partition) and scrolls vertically if necessary, so that it now becomes easy to locate a particular evidence object in a large case, considering that in the case root window you can sort evidence objects by name and use filters etc.

* The expanded status of top-level evidence objects with partitions is now remembered and restored when opening a case.

* Some GUI elements are now automatically resized proportionally if you use the same WinHex.cfg file in a portable installation in Windows systems with different DPI settings (i.e. usually on machines with different display resolutions), for example for on-site triage, so that you roughly keep the perceived sizes that you are used to. Among others, the following are resized: the font in the hex and text display, directory browser columns (their widths), the Case Data window (its width), and thumbnails in the gallery. This works with WinHex.cfg files last saved by v20.7 SR-7 or later.

* Loading .settings files saved by v20.7 SR-7 and later now also adjusts previous directory browser column widths based on current DPI settings if necessary.

* File and folder selection dialog windows are now larger.

* Special icons in the Case Root window for evidence file containers, RAIDs and process acquisitions.

* The option to mark files as duplicates in the Description column is now available when checking for listed files with identical start offsets.

* Encryption test for documents slightly accelerated.

* The special search commands for integer numbers and floating point numbers can now be applied in File mode, and their output messages are now Unicode-capable and thus readable if the user interface is set to a non Western European language.

* Identified content in pictures now optionally affects the computed relevance of those files depending on what objects/keywords you define as notable or irrelevant.

* If the results of picture content analysis are output as labels, videos now also get labeled automatically if the stills that were extracted from them are processed.

* Face markings for the search for known faces are now remembered even if the path of the picture collection changes.

* The picture collection for the face search may now be stored in a path that contains spaces.

* Option to abort face markings and volume snapshot refinement by pressing Esc while in the face marking process.

Requires a new Excire package, which is now downloadable and which is compatible with v20.7 SR-7 (also older releases of v20.7 if you don't use the search for known faces). The previous version of the package for use with v20.7 SR-6 and older can still be found in the resource download directory as well.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 6, 2023 - 11:31:   

Beta 2:

* A new 3-state checkbox in the directory browser option controls whether clicking/selecting a file or directory in the directory browser will navigate to the data associated with that object in Disk/Partition/Volume mode or to the object's defining data structure in the file system. Please remember that a quick jump to the latter can also be achieved by clicking the FS offset cell of that object even if a click elsewhere navigates to the former. If the box is unchecked, no navigation in the lower half of the data window will take place at all, which could be beneficial if you are operating directly on a physically damaged disk, where accessing certain sectors or regions may cause hanging in the application or a crash in the operating system.

* In newly taken volume snapshots of physical, partitioned storage devices, the "FS offset" column now shows the exact offset where in a partition table a partition is defined, and thus allows to jump to that location with a simple mouse click. The absence of such an offset indicates that the partition was found not by following any pointers in partition tables, but merely based on its own data, in which case the Description column shows the partition as "not referenced in partition table".

* When creating a cleansed image in which the virtual file "Free space" is excluded while the net free space computation is active, the Messages window now reminds the user of the fact that the cluster associations of that file are highly variable and depend which previously existing files are known in the current volume snapshot, which may in turn depend on to what extent it has been refined already. If you need to exclude the entire free space as defined by the file system, the net free space option may not be suitable for you (turn it off in Options | Volume Snapshot), or alternatively you also need to specifically exclude previously existing file in free space whose contents are not supposed to make it into the cleansed image.

* Potentially fixed output problems in msglog.txt when running X-Ways Forensics with multiple threads.

* Ability to split copylog files of the Recover/Copy command into segments of x MB, to keep them more manageable when viewing them or importing them elsewhere.

* Several minor improvements.

* Same fix level as v20.7 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 18, 2023 - 5:04:   

Beta 3:

* The option to falsify the colors of pictures in the gallery to reduce their psychological impact can now be limited to just notable pictures.

* Gallery thumbnails can now alternatively or additionally be blurred for the same reason, if desired (thumbnails of all pictures or only notable pictures), where half checked means less blurred.

* X-Ways Forensics now accepts Windows drive letters as components to internally reconstruct RAIDs. That doesn't make much sense, but allows you to reinterpret a drive letter as a physical storage device in X-Ways Forensics if necessary, by selecting it as the sole component of a JBOD. This could be useful if for some reason you need to apply menu commands to it that only make sense to apply to physical storage devices and are only available for physical storage devices, such as Scan For Lost Partitions. For example a RAID that is reconstructed/mounted outside of X-Ways Forensics may somehow present itself as a drive letter (although it does not have a volume boot sector / file system starting at sector 0 and thus cannot be put to any good use in Windows itself).

* X-Tensions are now by default loaded in such a way that additional DLLs required by the X-Tension will be found in the same directory where the X-Tension itself is located. This new behavior is optional and can be turned off by the user by way of a checkbox.

* Recover/Copy command: In case of problems with output path length, the exact offending path is now mentioned in the Messages window so that the issue can be better understood.

* Some of the fixes of v20.7 SR-9.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 19, 2023 - 20:26:   

Beta 4:

* Improved GUI appearance of most arrow buttons in dialog windows under Windows 11.

* Excluded files and subdirectories are no longer included when mounting a volume snapshot or directory.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 24, 2023 - 11:53:   

Beta 5:

* If multiple cell coloring conditions are met by the same item in the directory browser, they always produce a mixed color so hopefully none of the targeted properties go unnoticed. Selecting items in the directory browser that have active conditional line coloring will alter the color so that both the selected status and alerts of special conditions will be apparent.

* The function to uncover embedded data now has a verbose report mode that makes you aware of files that were previously carved at the general partition/volume level and output in the virtual directory for carved files, that have since been turned into child objects of other files because they seem to logically belong to them and are contained in them.

* Same improvements as v20.7 SR-9.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 25, 2023 - 9:24:   

v20.8 was just released.

The program help and user manual were updated for v20.8.

The v20.8 Beta 5 release will remain downloadable for a while for use by interested license owners whose last covered version was v20.7, within the next few weeks.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 22, 2023 - 10:53:   


* Accepts XFS volumes with just 2 or 3 allocation groups as valid.

* Fixed an exception error that could occur when running a file header signature search in Btrfs, QNX or XFS volumes.

* A very rare exception has been fixed that could theoretically occur when opening a file in APFS if the very first data block was sparse.

* X-Ways Imager can now interpret images again after their creation so that they can be verified immediately and automatically.

* Fixed read errors in logical process memory.

* Ukrainian translation of the user interface available.

* The Russian translation of the user interface was updated.

* Some minor improvements and fixes.

