|Posted on Tuesday, May 2, 2023 - 20:45: |
A preview version of X-Ways Forensics 20.9 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.
What's new in v20.9 Preview 1?
* What's better than 5 hash databases? Right, 6 hash databases. In addition to 2 conventional hash databases, a block hash database, a FuzZyDoc database and (if eligible) a PhotoDNA hash database, you can now maintain a database of recurring files that you have descriptions of. For example that may be useful if you are required to include descriptions of illegal photos in your case reports for the court. If the same photos occur in multiple cases, the new database can save you work and make it unnecessary to view the photos again. Whatever you enter as comments can be saved in the database along with the corresponding hash value. For that to happen you select the relevant files and invoke the command "Include in Hash Database" in the directory browser context menu. Whether hash values were already computed for the selected files is not important. They are computed on the fly if not. You can get the same comments back in another case if you match the hash values in the other case against the database as part of volume snapshot refinement.
The database is stored in the file "Hash Comments.txt". You can easily share the database by simply sharing that file with other users. The file is independent of the conventional hash databases, meaning it does not matter which user has which conventional hash database with hash sets from which source(s). You do not need a conventional hash database at all to create a "Hash Comments.txt" file or match the hash values in your cases against the "Hash Comments.txt" file of someone else. So the "Hash Comments.txt" is quite universal and suitable for inter-agency exchange.
You can merge text files of different colleagues/sources with your own database in the user interface: Open the Tools | Hash Database dialog window and click the Import button. If X-Ways Forensics detects duplicate entries (same hash value), it will either keep the previous comment or adopt the new comment, depending on the state of a checkbox in the same dialog window. Keep that in mind when importing entries from other users. The rule also has an effect if duplicate entries are found within the same text file because you have merged entries manually.
Since we are talking about a simple text file, you can merge "Hash Comments.txt" files from different sources easily in a simple text editor, or edit the descriptions as needed, get them automatically translated etc. Just keep the general layout of 1 hash value + description per line intact. The first line (header line) in "Hash Comments.txt" must contain the designation of the hash type in ASCII (e.g. "MD5" or "SHA-1"), followed by a tab and the ASCII letters "Cmt", and this is all case-sensitive. All the following lines start with a hash value in hex ASCII (both upper or lower case allowed), followed by a tab and the description in UTF-8. Both Windows and Unix/Linux line breaks are allowed.
* Now 40,000 definitions of photo generating devices.
* Support for compressed files with inline storage in APFS.
* Some minor improvements.
* Some of the fixes and improvements of v20.8 SR-1.
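The "Hash Comments.txt" layout and the duplicate rule described above can be checked before a file from another source is imported. The following is an added example, not X-Ways code: `parse`, `merge` and `serialize` are hypothetical helpers, `adopt_new` models the keep-previous/adopt-new checkbox, and accepting only MD5 and SHA-1 is an assumption based on the two types named above.

```python
import re

# Hex digits per hash type. Accepting only the two types the page names is an
# assumption of this example, as is refusing to merge files of different types.
HEX_LEN = {"MD5": 32, "SHA-1": 40}

def parse(data: bytes):
    """Return (hash_type, [(HASH, comment), ...]) for one Hash Comments.txt blob."""
    lines = re.split(r"\r?\n", data.decode("utf-8"))  # Windows and Unix breaks
    hash_type, tab, tag = lines[0].partition("\t")
    if not tab or tag != "Cmt" or hash_type not in HEX_LEN:  # case-sensitive
        raise ValueError(f"bad header line: {lines[0]!r}")
    hex_re = re.compile(r"[0-9A-Fa-f]{%d}" % HEX_LEN[hash_type])
    entries = []
    for no, line in enumerate(lines[1:], start=2):
        if not line:  # skip empty lines, e.g. after a trailing line break
            continue
        digest, tab, comment = line.partition("\t")
        if not tab or not hex_re.fullmatch(digest):
            raise ValueError(f"line {no}: expected <hex hash><TAB><description>")
        entries.append((digest.upper(), comment))  # hex case is not significant
    return hash_type, entries

def merge(blobs, adopt_new=False):
    """Merge blobs in order; on a duplicate hash keep the earlier comment, or the
    later one if adopt_new is set. Returns (hash_type, merged, conflicts)."""
    hash_type, merged, conflicts = None, {}, []
    for blob in blobs:
        this_type, entries = parse(blob)
        if hash_type not in (None, this_type):
            raise ValueError(f"cannot mix {hash_type} and {this_type} files")
        hash_type = this_type
        for digest, comment in entries:
            if digest in merged and merged[digest] != comment:
                conflicts.append((digest, merged[digest], comment))
            if digest not in merged or adopt_new:
                merged[digest] = comment
    return hash_type, merged, conflicts

def serialize(hash_type, merged):
    rows = [f"{hash_type}\tCmt"] + [f"{d}\t{c}" for d, c in merged.items()]
    return ("\r\n".join(rows) + "\r\n").encode("utf-8")

# Constructed sample input; the second digest and all descriptions are made up.
MINE = b"MD5\tCmt\r\nd41d8cd98f00b204e9800998ecf8427e\tEmpty file\r\n"
COLLEAGUE = ("MD5\tCmt\nD41D8CD98F00B204E9800998ECF8427E\tZero-byte file\n"
             "0123456789abcdef0123456789abcdef\tFoto ge\u00e4ndert\n").encode("utf-8")
if __name__ == "__main__":
    print(merge([MINE, COLLEAGUE])[2])  # conflicts to review before importing
```

The returned conflict list shows which descriptions would be kept or replaced for hashes present in both files, so differing comments can be reviewed before the import.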
|Posted on Monday, May 8, 2023 - 9:37: |
* The new XFS timestamp format known as "Big time" is now supported and the timestamps are shown correctly. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume.
* Should an XFS volume be flagged internally as "needing repair", XWF now issues a message to that effect, warning of damaged file system structures potentially causing issues. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume, without further specifics.
* Some fixes.
|Posted on Monday, May 22, 2023 - 18:12: |
* A fallback code page for plain text representations by the viewer component can now be selected via a new "..." button in Options | File Viewing. The list of available code pages there is more extensive than in the options dialog window of the viewer component itself (the one that can be accessed via the right-click menu in any window maintained by the viewer component).
* When playing videos with MPlayer that were recorded by smartphones, or when extracting individual frames/stills from them, these videos are now rotated as needed. (Does not work if metadata was previously extracted by volume snapshot refinement in earlier releases.)
* There is an unlabeled, but tooltipped checkbox that allows you to get existing comments on files replaced when successfully matching hash values against hash comments. That means previous comments will be lost if there is a comment for the same files in the hash comment database.
* Several new compression and decompression options are now available in X-Ways Forensics and WinHex Lab Edition via Edit | Convert, which can be applied to the entire data represented in an active data window, if not in read-only mode. They allow you to manually decompress data found in and compressed by various file systems if X-Ways Forensics does not have the corresponding files in its volume snapshot or cannot decompress them automatically.
* Support for more compressed storage variants in APFS.
* If a file system in a partition assumes a sector size of 4 KB while the physical storage device or image that it's contained in has a sector size of 512 bytes, and if the number of 512-byte sectors in the partition is not evenly divisible by 8, then an incomplete additional 4 KB sector is now defined to cover the existing extra 512-byte sectors even if this exceeds the capacity of the partition, the device or the image, so that the extra space is included in the virtual volume slack file and targeted by logical searches etc., for more thorough coverage, at the risk of producing read errors.
* Several minor improvements.
* Same fix level as v20.8 SR-1.
|Posted on Thursday, Jun 1, 2023 - 20:52: |
* Additional hard links for the same file in NTFS can now optionally be omitted already when taking a volume snapshot, which means they will not be included at all and not shown in the directory browser as additional files. That could be helpful for example when making sense of storage space utilization, where counting the same files 10 or 100 times does not make sense. The "Link count" column still shows the true number of hard links (which, however, as before ignores pure 8.3 character filenames and which, by the way, as before may differ significantly from the not very well maintained hard-link count in the FILE record).
* Volume snapshots based on directory listings of the active operating system ("OS dir list") for local storage now include "Record changed" timestamps and hard-link counts.
* If the incremental completion option for directory listings of the active operating system ("OS dir list") is active, directories that have not been explored yet are now marked with an asterisk (*) in the Attr. column.
* In volume snapshots based on directory listings of the active operating system ("OS dir list"), write-locked files that are open in other processes and cannot be changed are now optionally shown with an upper-case "L" in the Attr. column (for "locked"). Files that are merely kept open may be shown with a lower-case "o" if the box that represents this option is fully checked (for "open"). This could be useful when previewing or acquiring a live system, to find out which files are/were open in running processes or background services, or which executable files appear(ed) to be running/loaded. Please note that checking this for many files will take a long time. It may be practical only for specific directories of interest. This option has no effect on mapped network drives. It is possible to use the Attr. filter to quickly target open or write-locked files, and these files are higher in the sort order for the Attr. column.
* The compression statistics window of .e01 evidence files can now be turned into a data density statistics window by way of a mouse click, which is simply the indication of the reverse. The new default is data density. Taller blue bars previously indicated and still indicate higher compression = lower data density = no encryption = less storage space requirement for the image = less data to analyze = less work. Taller red bars (new) represent higher data density = more storage space requirement = more data to analyze = (if the bars reach the ceiling) potentially encryption.
* If the command Tools | File Tools | Delete Recursively fails to remove a directory the regular way because of insufficient access rights, it can now make a second attempt if run with administrator rights and have a good chance at removing the directory that way. It requires your consent to use administrator power and take ownership of the selected directory structure prior to deletion.
* Some minor improvements.
* One of the fixes of v20.8 SR-2.
|Posted on Wednesday, Jun 7, 2023 - 14:12: |
* Option to prepend comments that were automatically derived from "Hash Comments.txt" with the initials "[HC] " to distinguish them from comments entered by the user manually.
* Remembers the preferred initials of the last user for the next case and the "Distinguish between different users" option.
* Better resilience against certain corrupted volume snapshots (active only in Preview and Beta releases).
* Several minor improvements.
* One more of the fixes of v20.8 SR-2.