X-Ways Forensics 20.9

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 2, 2023 - 20:45:   

A preview version of X-Ways Forensics 20.9 is now available. The URL of the download directory for all recent versions can be retrieved by querying one's license status as always.

What's new in v20.9 Preview 1?

* What's better than 5 hash databases? Right, 6 hash databases. In addition to 2 conventional hash databases, a block hash database, a FuzZyDoc database and (if eligible) a PhotoDNA hash database, you can now maintain a database of recurring files that you have descriptions of. For example that may be useful if you are required to include descriptions of illegal photos in your case reports for the court. If the same photos occur in multiple cases, the new database can save you work and make it unnecessary to view the photos again. Whatever you enter as comments can be saved in the database along with the corresponding hash value. For that to happen you select the relevant files and invoke the command "Include in Hash Database" in the directory browser context menu. Whether hash values were already computed for the selected files is not important. They are computed on the fly if not. You can get the same comments back in another case if you match the hash values in the other case against the database as part of volume snapshot refinement.

The database is stored in the file "Hash Comments.txt". You can easily share the database by simply sharing that file with other users. The file is independent of the conventional hash databases, meaning it does not matter which user has which conventional hash database with hash sets from which source(s). You do not need a conventional hash database at all to create a "Hash Comments.txt" file or match the hash values in your cases against the "Hash Comments.txt" file of someone else. So the "Hash Comments.txt" is quite universal and suitable for inter-agency exchange.

You can merge text files of different colleagues/sources with your own database in the user interface: Open the Tools | Hash Database dialog window and click the Import button. If X-Ways Forensics detects duplicate entries (same hash value), it will either keep the previous comment or adopt the new comment, depending on the state of a checkbox in the same dialog window. Keep that in mind when importing entries from other users. The rule also has an effect if duplicate entries are found within the same text file because you have merged entries manually.

Since we are talking about a simple text file, you can merge "Hash Comments.txt" files from different sources easily in a simple text editor, or edit the descriptions as needed, get them automatically translated etc. Just keep the general layout of 1 hash value + description per line intact. The first line (header line) in "Hash Comments.txt" must contain the designation of the hash type in ASCII (e.g. "MD5" or "SHA-1"), followed by a tab and the ASCII letters "Cmt", and this is all case-sensitive. All the following lines start with a hash value in hex ASCII (both upper or lower case allowed), followed by a tab and the description in UTF-8. Both Windows and Unix/Linux line breaks are allowed.

* Now 40,000 definitions of photo generating devices.

* Support for compressed files with inline storage in APFS.

* Some minor improvements.

* Some of the fixes and improvements of v20.8 SR-1.
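
The "Hash Comments.txt" layout and the duplicate rule described in this post, as an added example that is not part of the original post and is not X-Ways code: a parser and merger that validates the header and each entry before two files from different sources are combined. The function names, the case-insensitive comparison of hash values, the refusal to mix hash types, and the sample entries are assumptions made for this example.

```python
import string

# Hex digest lengths for the two hash types the post names as examples.
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40}

# Constructed sample files (not real case data): Windows and Unix line breaks.
BASE = "MD5\tCmt\r\n0123456789ABCDEF0123456789ABCDEF\tfirst description\r\n".encode("utf-8")
INCOMING = ("MD5\tCmt\n"
            "0123456789abcdef0123456789abcdef\tcolleague's description\n"
            + "f" * 32 + "\tBeschreibung \u00e4\n"
            "no tab on this line\n").encode("utf-8")


def read_entries(data: bytes):
    """Parse one file; return (hash_type, [(HASH, comment)], [(line_no, line)])."""
    # Accept both Windows and Unix line breaks. str.splitlines() is avoided
    # because it also splits on characters that may occur inside a description.
    lines = data.decode("utf-8").replace("\r\n", "\n").split("\n")
    header = lines[0].split("\t")
    # The header is case-sensitive: "<hash type>", a tab, then "Cmt".
    if len(header) != 2 or header[1] != "Cmt" or header[0] not in HASH_HEX_LEN:
        raise ValueError(f"bad header line: {lines[0]!r}")
    width = HASH_HEX_LEN[header[0]]
    entries, rejected = [], []
    for line_no, line in enumerate(lines[1:], start=2):
        if not line:
            continue
        digest, tab, comment = line.partition("\t")
        if not tab or len(digest) != width or set(digest) - set(string.hexdigits):
            rejected.append((line_no, line))  # report it, never import it silently
            continue
        # Assumption: upper and lower case hex denote the same hash value.
        entries.append((digest.upper(), comment))
    return header[0], entries, rejected


def merge_hash_comments(base: bytes, incoming: bytes, adopt_new: bool = False):
    """Merge two files; return (merged_bytes, conflicting_hashes, rejected)."""
    base_type, base_entries, base_bad = read_entries(base)
    in_type, in_entries, in_bad = read_entries(incoming)
    if base_type != in_type:
        # Assumption of this example: files of different hash types are not mixed.
        raise ValueError(f"hash type mismatch: {base_type} vs {in_type}")
    merged, conflicts = {}, []
    # Entries are processed in order, so the same rule also resolves
    # duplicates that sit inside a single file.
    for digest, comment in base_entries + in_entries:
        if digest in merged and merged[digest] != comment:
            conflicts.append(digest)
            if not adopt_new:
                continue  # keep the previous comment
        merged[digest] = comment
    rejected = [("base", *r) for r in base_bad] + [("incoming", *r) for r in in_bad]
    out = [f"{base_type}\tCmt"] + [f"{d}\t{c}" for d, c in merged.items()]
    return ("\r\n".join(out) + "\r\n").encode("utf-8"), conflicts, rejected


if __name__ == "__main__":
    merged_bytes, conflicts, rejected = merge_hash_comments(BASE, INCOMING)
    print(merged_bytes.decode("utf-8"), end="")
    print("conflicting hash values:", conflicts)
    print("rejected lines:", rejected)
```

Reviewing the conflict and rejected lists before importing a colleague's file shows which of your existing descriptions the "adopt new comment" setting would replace.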
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 8, 2023 - 9:37:   

Preview 2:

* The new XFS timestamp format known as "Big time" is now supported and the timestamps are shown correctly. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume.

* Should an XFS volume be flagged internally as "needing repair", XWF now issues a message to that effect, warning of damaged file system structures potentially causing issues. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume, without further specifics.

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 22, 2023 - 18:12:   

Preview 3:

* A fallback code page for plain text representations by the viewer component can now be selected via a new "..." button in Options | File Viewing. The list of available code pages there is more extensive than in the options dialog window of the viewer component itself (the one that can be accessed via the right-click menu in any window maintained by the viewer component).

* When playing videos with MPlayer that were recorded by smartphones, or when extracting individual frames/stills from them, these videos are now rotated as needed. (Does not work if metadata was previously extracted by volume snapshot refinement in earlier releases.)

* There is an unlabeled, but tooltipped checkbox that allows you to get existing comments on files replaced when successfully matching hash values against hash comments. That means previous comments will be lost if there is a comment for the same files in the hash comment database.

* Several new compression and decompression options are now available in X-Ways Forensics and WinHex Lab Edition via Edit | Convert, which can be applied to the entire data represented in an active data window, if not in read-only mode. They allow you to manually decompress data found in and compressed by various file systems if X-Ways Forensics does not have the corresponding files in its volume snapshot or cannot decompress them automatically.

* Support for more compressed storage variants in APFS.

* If a file system in a partition assumes a sector size of 4 KB while the physical storage device or image that it's contained in has a sector size of 512 bytes, and if the number of 512-byte sectors in the partition is not evenly divisible by 8, then an incomplete additional 4 KB sector is now defined to cover the existing extra 512-byte sectors even if this exceeds the capacity of the partition, the device or the image, so that the extra space is included in the virtual volume slack file and targeted by logical searches etc., for more thorough coverage, at the risk of producing read errors.

* Several minor improvements.

* Same fix level as v20.8 SR-1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 1, 2023 - 20:52:   

Preview 4:

* Additional hard links for the same file in NTFS can now optionally be omitted already when taking a volume snapshot, which means they will not be included at all and not shown in the directory browser as additional files. That could be helpful for example when making sense of storage space utilization, where counting the same files 10 or 100 times does not make sense. The "Link count" column still shows the true number of hard links (which, however, as before ignores pure 8.3 character filenames and which, by the way, as before may differ significantly from the not very well maintained hard-link count in the FILE record).

* Volume snapshots based on directory listings of the active operating system ("OS dir list") for local storage now include "Record changed" timestamps and hard-link counts.

* If the incremental completion option for directory listings of the active operating system ("OS dir list") is active, directories that have not been explored yet are now marked with an asterisk (*) in the Attr. column.

* In volume snapshots based on directory listings of the active operating system ("OS dir list"), write-locked files that are open in other processes and cannot be changed are now optionally shown with an upper-case "L" in the Attr. column (for "locked"). Files that are merely kept open may be shown with a lower-case "o" if the box that represents this option is fully checked (for "open"). This could be useful when previewing or acquiring a live system, to find out which files are/were open in running processes or background services, or which executable files appear(ed) to be running/loaded. Please note that checking this for many files will take a long time. It may be practical only for specific directories of interest. This option has no effect on mapped network drives. It is possible to use the Attr. filter to quickly target open or write-locked files, and these files are higher in the sort order for the Attr. column.

* The compression statistics window of .e01 evidence files can now be turned into a data density statistics window by way of a mouse click, which is simply the indication of the reverse. The new default is data density. Taller blue bars previously indicated and still indicate higher compression = lower data density = no encryption = less storage space requirement for the image = less data to analyze = less work. Taller red bars (new) represent higher data density = more storage space requirement = more data to analyze = (if the bars reach the ceiling) potentially encryption. Please note that the lengths of the bars may vary depending on the selected compression method/strength.

* If the command Tools | File Tools | Delete Recursively fails to remove a directory the regular way because of insufficient access rights, it can now make a second attempt if run with administrator rights and have a good chance at removing the directory that way. It requires your consent to use administrator power and take ownership of the selected directory structure prior to deletion.

* Some minor improvements.

* One of the fixes of v20.8 SR-2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 7, 2023 - 14:12:   

Beta 1:

* Option to prepend comments that were automatically derived from "Hash Comments.txt" with the initials "[HC] " to distinguish them from comments entered by the user manually.

* Remembers the preferred initials of the last user for the next case and the "Distinguish between different users" option.

* Better resilience against certain corrupted volume snapshots (active only in Preview and Beta releases).

* Several minor improvements.

* One more of the fixes of v20.8 SR-2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 13, 2023 - 18:25:   

Beta 2:

* Support for ZSTD compression in Btrfs.

* Support for a much more modern compression algorithm in .e01 evidence files, which compared to the historically used algorithm offers a much better trade-off between compression ratio and compression speed plus decompression speed. Roughly speaking, with an almost as strong compression ratio as the "normal" setting of the compatible algorithm (a few % points less), the modern "normal" setting requires only 1/4 of the time for compression and 1/3 of the time for decompression. (We are referring to the mere computational work with a single thread here, excluding time needed for I/O.) When set to "stronger+", the modern algorithm achieves a comparable compression ratio as the former "normal" (or slightly better), but requires only 1/2 the time for compression and 40% of the time for decompression (or less). "Stronger++" takes noticeably more time and is usually not recommendable because the extra compression that it can achieve is usually limited, but it may still be faster than the old compression algorithm, especially for decompression (which typically occurs more than once, e.g. for immediate image verification after creation, for image verification at a later date, a file header signature search, one or more keyword searches, analysis and copying of files, etc.).

* Please note that the modern compression style will render an image suitable for use in X-Ways Forensics and X-Ways Investigator v20.9 and later only. The "sparse" setting of the modern compression style, however, which is already extremely efficient when acquiring storage devices that have been minimally used, in fact 11 times (!) more efficient for zeroed space than the sparse setting of the compatible compression style, is understood by v18.9 and later already.

* The descriptive text file that is generated along with an image now has an additional line at the end that describes whether the image is expected to be generally compatible or compatible only with X-Ways products or only with X-Ways products of a particular version, depending on compression settings and encryption.

* Please note that the additional savings of the stronger compression settings are often minimal. If the compression ratio is very important to you and random access speed within the interpreted image is not, you may want to consider larger chunk sizes instead (or additionally).

* Prevents accidental overwriting of an image that is to be re-acquired, if the filename is kept the same.

* Improved handling of HPAs/DCOs.

* Treats presumably inactive GPT partitioning (replaced with ordinary MBR partitioning) properly as such, by presenting partitions that are defined in the GUID partition table as previously existing instead of existing, and by confirming MBR as the (active) partitioning style.

* Several minor improvements.

* Same fix level as v20.8 SR-2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jun 22, 2023 - 13:02:   

Beta 3:

* With the timestamp filter active, matching timestamps are now highlighted in different colors depending on whether they merely fall into the targeted time period or whether they are actually in one of the targeted columns. Similarly, the funnel icons in headers of not directly targeted timestamp columns now appear in a different color, suggesting they are "less" active.

* Ability to detect unusual or suspicious short filenames (SFNs, 8+3 character names) in NTFS. Such short filenames can optionally be output in the volume snapshot either as alternative names or as fully valid hardlinks themselves (i.e. like additional copies of the same files). They can also be labeled as "peculiar SFNs" to make you aware of them. Unexpected SFNs that don't seem to match their corresponding LFNs could be interesting if they reflect previous names of files that have been renamed, or because they may have been specially engineered to replace sensitive files with fixed names (such as DLLs or configuration files), while their LFNs are different and perfectly innocuous. The settings for SFN treatment can be found in Options | Volume Snapshot. If you find that too many normal files are flagged that way, you can report back to us and try UNchecking the box for "more strict matching", so that some of the less severe discrepancies are ignored.

* Ability to specify a footer size in sectors on components of a RAID that you reconstruct, to exclude sectors at the end. This could be useful in particular for JBODs if the interspersed unused space disturbs the consistency of the resulting data.

* Improved relevance calculation for pictures based on dimensions in pixels.

* Some minor improvements.

* Some of the fixes of v20.8 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jun 23, 2023 - 19:01:   

Beta 3b:

* Some fixes related to starting X-Ways Forensics for the first time in a fresh installation.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 7, 2023 - 17:29:   

Beta 4:

* Faster decompression of ordinary .e01 evidence files in x86.

* PNG support in the internal graphics display library updated.

* Proper aspect ratio of report thumbnails for JPEG pictures that need to be rotated as per Exif orientation metadata.

* New notation setting to provide descriptions of files that are child objects of files recursively including their parents.

* Ability to process certain SRUDB.dat files that previously could not be processed successfully or were not recognized as SRUDB.dat files.

* More information in the list of volume snapshot backups.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 9, 2023 - 14:37:   

Beta 4b:

* Ctrl+0 no longer removes labels that were assigned automatically by X-Ways Forensics and serve as hints for the user or labels that represent detected picture content.

* Some of the improvements of v20.8 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 14, 2023 - 13:55:   

Beta 5:

* More user-friendly way to find the option to output labels in the report as a report table.

* Fixed an e-mail extraction error in v20.9 Beta 4.

* Same fix level as v20.8 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 16, 2023 - 8:24:   

Beta 6:

* Eliminated a restriction that could prevent automatic carving of Base64 code.

* Files with pure Base64 code (e.g. carved from HTML files in which they are embedded) that have their decoded data in child objects can now be previewed and represented in the gallery with their decoded data directly.

* Improved interpretation of certain incomplete/corrupted NTFS file system data structures.

* Slightly improved internal coordination between sessions.

* Same fix level as v20.8 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 23, 2023 - 18:08:   

Beta 7:

* Alternative filenames are now preserved in evidence file containers (if together with the respective main filename they are not too long).

* When copying files into an evidence file container from the root directory of an evidence object or the case root, then the middle option between recreating the full original path and no path at all is now to make child objects of selected files also child objects of those files in the container and not place them at the same top level as the parents. In all other cases the middle option remains the same, i.e. only the part of the path below the currently explored directory is recreated, and the effect is now made more clear by the dynamic labeling of the checkbox.

* X-Tension API: XWF_SelectVolumeSnapshot now has a return value that allows you to determine success or failure.

* In case exporting a search hit list with context around search hits in archives crashes, the exact search hit that is responsible for that will now be brought to the user's attention when restarting the next time.

* Program help and user manual have been revised for v20.9.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 26, 2023 - 19:20:   

v20.9 was just released.

Additional changes:

* Inline compression in Btrfs now supported.

* Improved cluster/block listing output for compressed data in Btrfs.

* When evidence objects are opened automatically for volume snapshot refinements or simultaneous searches, a certain rare problem with that should be eliminated now.

* Fixed an exception error that could occur when extracting metadata from certain PDF and Adobe Illustrator files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jul 30, 2023 - 17:17:   

SR-1:

* Fixed a read error that could occur with extracted files since v20.8.

* Fixed handling of line breaks in comments in the hash comment database.

* Certain ZSTD-compressed files in Btrfs could not be decompressed. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 7, 2023 - 13:57:   

SR-2:

* Auxiliary directories in evidence file containers whose purpose is to accommodate child objects of files for the benefit of external tools that would not accept files contained in other files are no longer included in volume snapshots by X-Ways Forensics itself, so that regardless of your use of the option to create such artificial directories child objects are associated directly with the parent files to which they actually belong. This facilitates navigation and enables users for example to conveniently access e-mail attachments right from within e-mail previews like in the volume snapshot of the original evidence object, without any navigation in the directory browser.

* The U flag in "File header signature search.txt" can no longer override the user's disabled net free space setting. It will instead be treated like a lower case u if no net free space computation is meant to be run.

* Adding file hashes and comments to the hash comment database now automatically adopts that database's hash type in the volume snapshot as its first hash type if the first hash type was undefined until that moment.

* Btrfs: Fixed opening compressed files in the 64-bit version.

* Under some special circumstances conditional cell coloring could render the text in some non-targeted cells invisible. That was fixed.

* Fixed an exception error that could occur when copying files with a lot of extracted metadata to an evidence file container.

* Did away with a performance bottleneck that became apparent after storing extracted metadata for more than 8.4 million files in a volume snapshot.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Aug 24, 2023 - 15:22:   

SR-3:

* SR-2 erroneously behaved like a pre-release version and will expire (stop working) around Aug 28, sorry. SR-3 no longer has that problem.

* The option "Copy and link each file only once" of the case report could treat original files and their respective auxiliary child object representations the same. This was changed/fixed so that both can be listed, linked and copied in the same report if desired.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 27, 2023 - 15:29:   

SR-4:

* Certain files that X-Ways Forensics decided should not be touched again, like archive bombs and files that caused crashes, were previously shown with a hash value of all zeroes. That was fixed/improved.

* A rare exception error in APFS free space parsing has been prevented.

* Removing labels from a file with the Remove button did not work if at least one label was selected that the file did not have. That was improved.

* Discarding results of picture analysis and processing (by unchecking the "already done" box) now allows you to have the same pictures processed by the picture content analysis again.

* Fixed a potential integer underflow error that could occur when processing specially prepared 7-Zip archives.

* Fixed an error that could occur when capturing memory of running processes with an optional process name mask.

Forum operated by X-Ways Software Technology AG.