X-Ways User Forum » Public Announcements » X-Ways Forensics 21.1

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Sunday, Jan 21, 2024 - 15:38:

A preview version of X-Ways Forensics 21.1 is now available. The latest download instructions including password can be retrieved by querying one's license status, as always.

What's new in v21.1 Preview 1?

* Better support for larger volume snapshots, suitable for more than 500 million items in a single volume, assuming an average filename length of 16 characters. With shorter filenames theoretically 1 billion items or more are possible. This is subject to sufficient RAM, only works in the 64-bit edition, and assumes you have enough time to wait for the completion of the volume snapshot. If only the space for filenames is exhausted, more files can still be included in the volume snapshot, but they will be shown with a dummy filename (a question mark character).

* Slightly accelerated volume snapshot creation for large NTFS file systems.

* Two kinds of proactive filters, based on names and timestamps, can now be activated in the properties of a case. Proactive filters allow you to restrict the initial volume snapshot. Files that don't pass these filters will not be included in any volume snapshot that is taken while such filters are active. Directories are still included. This pertains only to partitions/volumes and file archives that are evidence objects, and all the files that are found in them directly, following the defining data structures of the file system or the archive. It does not restrict the addition of files that are found in any other way, for example by a file header signature search or when checking files that are already contained in a volume snapshot for embedded data etc.

Proactive filters are special in that they can prevent files from involuntarily getting into a volume snapshot, files that you do not need or want to be there or that you are not supposed to see, either because your task or search scope is limited to specific files whose names or timestamp ranges are known beforehand or because the evidence object (image or file archive) is so big that by avoiding hundreds of millions of other files you save time and main memory or can make the volume digestible at all (i.e. keep the volume snapshot size within the supported boundaries). The creation of the volume snapshot itself may be noticeably accelerated that way if the evidence object is an image file, plus all subsequent steps (navigating, listing, sorting, filtering, volume snapshot refinement) are less computationally expensive if you proactively prevent the inclusion of large numbers of unwanted files.

A count of how many files are proactively omitted during the creation of the volume snapshot is displayed in the progress indicator window. After completion, the total number of such files can always be checked in the status of the volume snapshot in the dialog window for volume snapshot refinement. A warning that a proactive filter is active is output in the Messages window once per session, when a volume snapshot is taken.

* Report HTML files are now generated automatically for the Windows Registry hive files NTUSER.DAT, SYSTEM, SOFTWARE, SECURITY, and SAM as part of metadata extraction. These files are stored as child objects. The benefit is that they can serve as human-readable previews of selected interesting values, and they contain some encoded text in plain text such as UserAssist entries, so that the logical search can find them.

* Ability to decode .json files for logical searches, indexing, and Text Preview mode, including files with specially encoded Unicode characters from the Basic Multilingual Plane (e.g. Chinese).

* error.log file entries are now stored in UTF-8 instead of the ANSI code page active in Windows.

* Improved error message when encountering non-standard internal timestamps in .e01 evidence files.

* More consistent and thorough error and plausibility checks of user-provided file masks.

* "Social media" was one of multiple possible values of the processing state in the Summary table of JPEG files in Details mode. It has now instead become one of the possible values of the reported software class.

* Other new possible values of software class are now "stock" (for stock photos), "Amazon" (for product photos from Amazon's shopping web site), "Mastodon" (the Twitter/X competitor), and "MS Office". About 75% of all JPEG and PNG (plus some WEBP) pictures now get a software class assigned.

* Some iPhone-related generator signatures are now properly identified as iPhone.

* Various minor improvements.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Sunday, Feb 4, 2024 - 16:35:

Preview 2:

* Volume snapshots of extraordinarily huge volumes now support files that are defined in the file system at offsets beyond 131 TB or have their data starting more than 131 TB into such a volume. The new limit is 262 TB.

* Ability to recognize SquashFS compressed file systems and treat their contents like file archives. The supported compression algorithms for SquashFS in X-Ways Forensics are GZIP/zlib, LZMA, LZO and XZ.

* Support for some more TIFF picture variants with the internal graphics display library.

* 27 software classes are now supported for JPEG and WEBP pictures: Firmware, Adobe, PHP, Apple, Windows, Facebook/Instagram, Android, General, WordPress, Editor, Social Media, Google/Picasa, Scanner, WhatsApp, Video still, Website builder, Stock, Twitter, Amazon, Screenshot, Pinterest, Content, Camera, LinkedIn, Beautifier, Bing, MSN.

* Output of Exif metadata in WEBP pictures in addition to XMP metadata.

* Improved output of metadata for ICC color profiles.

* Several minor improvements.

* Same fix level as v21.0 SR-2.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Monday, Feb 12, 2024 - 9:53:

Preview 3:

* Directory listings obtained from the operating system ("OSDirList"), which you get for example when adding a directory or a single file to a case as an evidence object, can now be made to NOT show any timestamps from the file system or only the modification timestamp. That is a volume snapshot option and useful if the timestamps of the files rather reflect when you collected the files and not what timestamps they had when at their original location and thus do not have the usual significance.

* When X-Tensions add directories to a case as an evidence object, they can choose to have X-Ways Forensics ignore any of the four regular timestamps of NTFS.

* In new installations the default setting of the volume snapshot option "Newly identified names as main names" is now half selected, which means only for original .eml files, for which it's useful to see the subject instead of a potentially unhelpful generic filename.

* Block hash matches are now displayed with their sizes in the search hit column.

* Option to define the block size for block hash databases. 512 bytes is still the default and recommended unless you are certain of what you are doing. A larger block size of 4 KB for example can be compatible with volumes/partitions that have a cluster size of 4 KB and hard disks with a sector size of 4 KB physically and logically, but thwarts any attempt to find the data that you are looking for if the clusters in the target file system are not aligned at 4 KB boundaries themselves from the point of view of the evidence object. The latter may be the case for example because the file system has an irregularly sized header area before the first cluster (like FAT) or because you apply the block-wise hashing (only) to a partitionable storage device in which the partitions are not aligned at a 4 KB boundary. The good news, however, is that, just like the file header signature search, block-wise hashing is applied specifically to partitions if partitions are known on a partitionable storage device (or image thereof), and only the area outside of known and explorable partitions is processed at the level of the partitionable storage device.

* CRC32 hash values are now supported in ordinary hash databases. This is useful (only) if you really only know the CRC32 values of files that you are looking for, no more advanced hash values and not the full original file contents, for example from encrypted zip archives as such archives have the CRC32 values of the unencrypted data in the metadata. If you find CRC32 matches and the file size is the same as known from the metadata in such an encrypted zip archive, then it is very likely that you have found an unencrypted copy of the very same file.

If you wish to import CRC32 hash values from a text file (with "CRC32" in the first line, followed by one checksum in hex ASCII per line), please note that their hex ASCII values are expected in big-endian ("human-readable") byte order, as displayed in software like 7-Zip and WinZip and also X-Ways Forensics itself, which unlike MD5, SHA-1 etc. is not the byte order in which they are stored in binary, in X-Ways Forensics internally as well as in zip files themselves and presumably elsewhere.

* When interpreting a file as a raw image that does not have a multiple of the presumed sector size as the file size, the extra data at the end that doesn't add to another full sector is now included, unlike in previous versions, which affects hash computation and potentially file carving. You will still get a warning about the unexpected file size when interpreting such an image, unless you have suppressed it for an evidence object. You may also get read error messages when operations that are applied sector-wise try to read the last (incomplete) "sector".

* Extracts Microsoft Teams messages stored in certain PST archives that were exported via the Admin Center of Microsoft 365.

* Several minor improvements.
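The block-size caveat from the post above (4 KB blocks versus clusters that are not 4 KB aligned from the evidence object's point of view), as an added illustration that is not part of the post or of X-Ways Forensics: a constructed image with a FAT-like reserved area in front of the first cluster is scanned against a block hash database built from a known 4 KB file, once with 512-byte and once with 4 KB blocks. The header sizes, cluster layout and MD5 as the block hash are assumptions made for the demonstration.

```python
import hashlib
import random

SECTOR = 512
CLUSTER = 4096
N_CLUSTERS = 16


def block_hashes(data: bytes, block_size: int) -> list:
    """Hashes of every full block at offsets 0, block_size, 2*block_size, ... (MD5 assumed)."""
    return [hashlib.md5(data[o:o + block_size]).hexdigest()
            for o in range(0, len(data) - block_size + 1, block_size)]


def build_block_db(known_file: bytes, block_size: int) -> set:
    """Block hash database: the set of block hashes of the file you are looking for."""
    return set(block_hashes(known_file, block_size))


def scan_image(image: bytes, db: set, block_size: int) -> list:
    """Block-wise hashing of the evidence object; returns offsets of matching blocks."""
    offsets = range(0, len(image) - block_size + 1, block_size)
    return [o for o, h in zip(offsets, block_hashes(image, block_size)) if h in db]


def make_image(rng: random.Random, known_file: bytes, header_size: int, cluster_index: int) -> bytes:
    """Constructed volume: header_size bytes of reserved area, then N_CLUSTERS clusters of
    random data, with known_file stored in one cluster. Offsets are relative to the image."""
    img = bytearray(rng.randbytes(header_size + N_CLUSTERS * CLUSTER))
    start = header_size + cluster_index * CLUSTER
    img[start:start + len(known_file)] = known_file
    return bytes(img)


def demo() -> dict:
    """Compare both block sizes on a volume whose clusters are NOT 4 KB aligned (1 KB header,
    like a FAT reserved area) and on one whose clusters are 4 KB aligned (4 KB header)."""
    rng = random.Random(1)
    known = rng.randbytes(CLUSTER)  # a 4 KB known file that exactly fills one cluster
    results = {}
    for header_size in (1024, 4096):
        image = make_image(rng, known, header_size, cluster_index=3)
        results[header_size] = {
            bs: scan_image(image, build_block_db(known, bs), bs) for bs in (SECTOR, CLUSTER)
        }
    return results


if __name__ == "__main__":
    for header_size, per_bs in demo().items():
        print(f"header {header_size} bytes:")
        for bs, hits in per_bs.items():
            print(f"  block size {bs}: {len(hits)} matching block(s) at {hits}")
```

With the 1 KB header the 4 KB block hashes never line up with the cluster holding the known file and nothing is found, while 512-byte blocks still match all eight sectors of it; with a 4 KB aligned header both block sizes find the file.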
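The CRC32 import format and the zip byte-order point from the post above, as an added example that is not part of the post or of X-Ways Forensics: it builds a small zip in memory with Python's standard library, reads the little-endian CRC-32 bytes out of the zip's central directory header, writes the big-endian hex ASCII the import file expects, and applies the CRC32-plus-size test to a candidate file. The file name and contents are constructed.

```python
import binascii
import io
import zipfile

# Constructed sample; in practice this stands for an entry in an encrypted zip
# whose unencrypted copy you are looking for.
KNOWN_NAME = "report.docx"
KNOWN_DATA = b"quarterly figures, not for distribution\n" * 40


def crc32_of(data: bytes) -> int:
    return binascii.crc32(data) & 0xFFFFFFFF


def make_zip(name: str, data: bytes) -> bytes:
    """Build an (unencrypted) zip in memory so that its headers can be inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def central_dir_crc(zip_bytes: bytes) -> tuple:
    """CRC-32 of the first central directory entry (signature PK\\x01\\x02).

    Field offsets: signature 4, made-by 2, needed 2, flags 2, method 2, time 2, date 2,
    so the CRC is the 4-byte little-endian DWORD at offset 16 of the entry.
    """
    pos = zip_bytes.find(b"PK\x01\x02")
    if pos < 0:
        raise ValueError("no central directory header found")
    raw_le = zip_bytes[pos + 16:pos + 20]
    return int.from_bytes(raw_le, "little"), raw_le


def human_readable_crc32(crc: int) -> str:
    """Big-endian hex ASCII, as displayed by 7-Zip, WinZip and X-Ways Forensics."""
    return f"{crc:08X}"


def build_import_file(crcs) -> str:
    """Import file format from the post: 'CRC32' on the first line, one hex value per line."""
    return "CRC32\n" + "".join(human_readable_crc32(c) + "\n" for c in crcs)


def parse_import_file(text: str) -> set:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "CRC32":
        raise ValueError("first line must be CRC32")
    return {int(h, 16) for h in lines[1:]}


def likely_unencrypted_copy(data: bytes, size_from_zip: int, wanted: set) -> bool:
    """The post's criterion: CRC32 match AND the same size as recorded in the zip metadata."""
    return len(data) == size_from_zip and crc32_of(data) in wanted


def demo() -> dict:
    crc, raw_le = central_dir_crc(make_zip(KNOWN_NAME, KNOWN_DATA))
    wanted = parse_import_file(build_import_file([crc]))
    return {
        "stored_in_zip_hex": raw_le.hex().upper(),       # byte order inside the zip file
        "import_file_hex": human_readable_crc32(crc),    # byte order for the import file
        "same_file_matches": likely_unencrypted_copy(KNOWN_DATA, len(KNOWN_DATA), wanted),
        "truncated_matches": likely_unencrypted_copy(KNOWN_DATA[:-1], len(KNOWN_DATA), wanted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```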

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Tuesday, Feb 20, 2024 - 10:34:

Preview 4:

* Ability to extract e-mail messages from OLM databases of Microsoft Outlook for Mac.

* Some minor improvements.

* Same fix level as v21.0 SR-4.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Tuesday, Mar 5, 2024 - 13:37:

Beta 1:

* PhotoDNA matches (notably multiple matches for the same picture) can now optionally be output as labels. This is useful if you need to see all matches and/or if you wish to see PhotoDNA matches in the same place as ordinary hash database matches, which can also be output as labels.

* You can change the order of labels in either the dialog window for label management or the filter dialog, if labels in that dialog window are not sorted by name, using the arrow buttons. Changing the order there now has an immediate effect on the order in which labels are listed in the Labels column. That way you can make sure that the labels that are most important to you are listed first.

* Label names in the Labels column can now optionally be truncated, so that more label names fit into the cells of the directory browser. This is a notation setting. Half-checked means that truncations are marked with an ellipsis.

* Reorganized and tidied up the extended dialog window for labeling.

* The option "dynamic e-mail and date columns" now properly controls visibility of the "Content created" column.

* A new Excire version is available for download now, and required for use with X-Ways Forensics 21.1. The search for "similar" pictures was improved, and the accuracy of content detection has been improved. The number of pictures that get more than one wrong keyword assigned (false positives) has been reduced by 75%. The number of pictures with no wrong keyword has been doubled.

* The new Excire version has dropped 69 keywords from its detection capabilities that yielded less reliable results. None of these keywords are very important. Support for 87 new keywords was added, including one that was previously requested by law enforcement/government agencies: identification documents, plus various body parts (not complete people).

* A new text file "Remarks.txt" is now included, which documents and explains numbered remarks that you may find in Details mode.

* Updated Galaxy S23 and S24 generator signatures.

* Metadata extraction from WEBP files extended.

* Option to potentially improve synchronization of multiple gallery threads.

* Ukrainian and Russian translation of the user interface updated.

* Several minor improvements.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Friday, Mar 15, 2024 - 6:26:

Beta 2:

* Slightly revised compression / data density chart for .e01 evidence files.

* Date filter setting to focus on files that do not have certain timestamps set at all.

* The X-Tension API got two additional functions: XWF_Mount and XWF_Unmount. If your X-Tensions need to give external programs read access to many or large files in a volume snapshot, it may be faster to mount the volume snapshot as a drive letter than to copy those files to a path that is accessible to those external programs.

* Same fix level as v21.0 SR-5.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Monday, Mar 18, 2024 - 15:41:

Beta 3:

* If you need to call external programs from within X-Ways Forensics with certain parameters in addition to the name of the file that they should open, you can now specify those parameters in the same line of Programs.txt, delimited from the path of the executable file with a tab. The name of the file will be appended at the end, after your own parameters, unless you include the placeholder %1 anywhere in your list of parameters. That placeholder will be replaced with the filename.

* More remark references to Remarks.txt in Details mode. The summary table was revised. More definitions of photo generating devices.

* Many minor improvements.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Monday, Mar 25, 2024 - 5:28:

Beta 4:

* The "Capture Processes" command for Windows live systems was revised. Improved ability to take window screenshots of certain applications, especially Internet browsers. More control over what information is included in the tab-delimited list of windows, e.g. comprehensive lists of child windows and (also new) hash values of screenshots.

* Normal use of the hash database for reading purposes (to retrieve the names of matching hash sets for display in the "Hash set" column of the directory browser), if it's shared, no longer prevents other users from updating the database or replacing the database (i.e. the directory) because the hash set names will be kept in a local cache/buffer.

* Checks certain temporary files of MS Edge for embedded pictures automatically as part of the "File header signature search in files not processed above" procedure. The file mask for this procedure is reset in this release for that purpose.

* To associate a portable installation of X-Ways Forensics or X-Ways Investigator and its icon with .xfc case files on a particular machine, you could consciously run the application at least once explicitly as administrator and end it while any of the customizable standard paths is located on the same drive letter as your Windows installation, to give the application a hint that you are the owner of that Windows system and feel comfortable that data is written to it. That's either the path from where you run the application, the path where to create and expect case files, the path where to create and expect image files, or the path where to create temporary files.

* Some minor improvements.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Monday, Apr 1, 2024 - 15:52:

Beta 5:

* If Preview mode is combined with Details mode, and the lower half of the data window is moved to the right-hand side, preview and details are now split vertically instead of horizontally, with the preview appearing above the details.

* Several other minor improvements.

* The program help and user manual were updated.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Friday, Apr 5, 2024 - 13:43:

v21.1 was just released.

Additional changes:

* The Excire package for v21.1 was updated again, and v21.1 can only work with this new version.

* The description cell in Details mode is now always quite detailed regardless of the notation settings for the Description column.

* The video files from which to extract still images are now targeted with a comma-delimited type list instead of a filename mask.

* Extracts plain text attachments from original .eml files and MBOX e-mail archives as child objects.

* The output of QWORD values in the registry viewer was previously only for 32 bits. It now covers the complete 64 bits.

* All the fixes of v21.0 SR-6 are included.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Sunday, Apr 14, 2024 - 19:02:

* The function to merge labels (previously report tables) did not work correctly under all circumstances since v20.5. That was fixed.

* Some picture files were previously not processed by picture content analysis, mostly PNG files and a variant of WEBP. That was fixed.

* Fixed potentially incomplete output of error.log entries in the original v21.1 release.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Friday, Apr 19, 2024 - 15:36:

* The dedicated picture content analysis stage after volume snapshot refinement now always uses the maximum number of threads possible with the available CPU, regardless of the setting for the volume snapshot refinement itself.

* Some predefined tooltips were mismatched in v21.1. That was fixed.

* Fixed an exception error that could occur in v21.1 when decoding .json files for a logical search.

* A number of minor fixes and improvements.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Friday, May 3, 2024 - 14:31:

* Now optimized for and requires the newer Tesseract version that we have made available for download in Oct 2023. OCR is now considerably faster with multiple threads.

* The "Dlg:" command no longer continues execution if values fed to the dialog window are not accepted by X-Ways Forensics. Instead, execution will pause until the user fixes the problem manually and clicks the OK or Cancel button. That will allow users to become aware of and pinpoint problems in their .dlg files. A new command named DLG: in all upper-case letters now works as Dlg: previously did, i.e. forces continued processing no matter whether there is a problem or not. If there is a problem with a certain value, that means that other values in the same .dlg file that would be acceptable might be ignored!

* Cases now remember all 9 keyboard shortcuts for labels.

* The special parameters of the AddImage command in the command line did not work as intended. That was fixed.

* Fixed mismatched information in recipient columns for MSG files with certain received e-mail messages.

* A rare error in LVM2 handling could occur, when a single physical disk held multiple LVM2 containers and a partition within that LVM2 setup spanned across those LVM2 containers. This was fixed.

* Remarks have been renamed Annotations.

* Some minor fixes and improvements.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Tuesday, May 14, 2024 - 12:12:

* Ability to redo the picture content analysis if you reset selected files to the "still to be processed" state by pressing Ctrl+Del.

* The 64-bit edition of earlier releases of v21.1 had problems with certain volume snapshots of older versions. That was fixed. Older versions cannot load volume snapshots any more once saved by v21.1 SR-4, except that future releases of older versions can load them as read-only.

* Fixed inability of v21.1 in some environments to find out whether it was running with administrator rights.

* Some minor improvements.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Thursday, May 23, 2024 - 11:35:

* Prevented the message box "Please stop ongoing operation first" that could be shown in earlier releases of v21.1 in certain situations.

* Ability to explore very small partitions with SquashFS.

* TAR archives can now be added to a case directly as evidence objects even if the alternative processing method for TAR is active.

* The internal graphics display library was updated slightly.

* Some minor improvements and fixes.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Wednesday, May 29, 2024 - 17:47:

* Fixed an instability that could occur when adding positions to the Position Manager when the latter was not yet visible.

* Fixed an instability that could occur when a long path for temporary files was set.

* Prevented an unintended activation of a different data window in certain situations when activating or deactivating a filter.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Thursday, Jun 13, 2024 - 17:00:

* Fixed an exception error that occurred when filling the hash comment database with very long texts.

* Fixed read errors that could occur when reading from a reconstructed RAID or JBOD with a sector size of 4 KB.

* Fixed potentially incorrect extraction of e-mail attachments from MBOX e-mail archives and original .eml files.

Forum operated by X-Ways Software Technology AG.