X-Ways Forensics 21.3

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 14, 2024 - 3:46:   

A preview version of X-Ways Forensics 21.3 is now available. The latest download instructions including password can be retrieved by querying one's license status, as always.

What's new in v21.3 Preview?

* Ability to present the files in Cellebrite UFDR reports with their original names, paths, timestamps and additional hard links. Directories that are not original directories and just used to accommodate files whose paths are unknown are marked as virtual, as are files with metadata for examination purposes. UFDR files can be added to a case just like any other file archives, as files.

* The gallery and RVS with multiple threads are now faster for evidence objects that are file archives in conjunction with fully enabled caching of archive contents.

* The maximum total output path length supported by the Recover/Copy command is now 1023 characters instead of 510.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Aug 19, 2024 - 17:40:   

Preview 1b:

* Fixed a caching error with file archives in v21.3.

* UFDR parsing accelerated.

* Same fix level as v21.2 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 21, 2024 - 6:42:   

Preview 1c:

* Fixed the aforementioned caching error completely.

Please note that v21.3 Preview requires the latest Excire package from Aug 18.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Aug 24, 2024 - 15:56:   

Preview 2:

* Recognition of generating devices updated.

* Same fix level as v21.2 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 5, 2024 - 23:12:   

Preview 3:

* The maximum number of search terms listed in the "Search terms" column was increased from previously 50 to 100. Any additional search terms are and were represented by an ellipsis.

* The Chinese translation of the user interface was updated.

* X-Tension API: You may now return the flag 0x02 in XT_Finalize() to indicate that the volume snapshot of the specified volume should be saved because the X-Tension has applied changes to it. This is not really necessary and currently ignored when run as part of volume snapshot refinement, but now recommended for consistency.

* Some minor improvements.

* Same fix level as v21.2 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Sep 18, 2024 - 14:41:   

Preview 4:

* Ability to decode little and big endian variable-length representations of unsigned integer numbers in the Data Interpreter as well as in templates. In little endian this is compatible with (U)LEB128 (=Little Endian Base 128). In big endian this is compatible with SQLite3's varint. In templates the variable type is called "varint".

* The XOR function in Edit | Modify now supports not only 8 bit, but also 16 and 32 bit constants. The desired granularity of the mathematical operation will be deduced from the number of hex digits that you enter (2, 4, or 8), so you can use leading zeroes to force interpretation as a 16-bit or 32-bit integer constant even if the actual value is as small as an 8-bit integer.

* Labels can be temporarily set and removed if an evidence object was specifically opened in read-only mode, and these changes are discarded when the evidence object is closed.

* Blocks alterations of volume snapshots by X-Tensions if an evidence object was opened as write-protected (either by itself or if the entire case is opened as read-only).

* X-Tensions API: The list of possible return values of the XT_Init function has been slightly extended for X-Tensions that understand the revised meaning of the nOpType parameter of the XT_Prepare function, which can now tell an X-Tension whether it is applied to an evidence object that was opened as read-only (meaning the volume snapshot cannot be changed).

* X-Tensions API: The functions XWF_SetItemSize, XWF_SetItemOfs, XWF_SetItemParent, XWF_SetItemType now have a return value to indicate success or failure.

* Some minor improvements.

* Same fix level as v21.2 SR-7.
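
The two variable-length layouts named in the Preview 4 notes above, shown as an added example that is not part of the original post and is not X-Ways code. The function names, the exception class and the sample bytes are constructed for illustration.

```python
"""Decoders for the two variable-length unsigned integer layouts named above."""


class TruncatedVarint(ValueError):
    """Raised when the buffer ends before the integer is complete."""


def decode_uleb128(buf: bytes, offset: int = 0, max_bytes: int = 10):
    """Little endian base-128: low 7-bit group first, bit 7 set = more follows.

    Returns (value, bytes_consumed). max_bytes=10 is enough for a 64-bit value.
    """
    value = 0
    for i in range(max_bytes):
        if offset + i >= len(buf):
            raise TruncatedVarint(f"ULEB128 at {offset} runs past end of data")
        byte = buf[offset + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, i + 1
    raise ValueError(f"ULEB128 at {offset} exceeds {max_bytes} bytes")


def decode_sqlite_varint(buf: bytes, offset: int = 0):
    """SQLite3 varint: big endian, 1 to 9 bytes, 64-bit result.

    Bytes 1-8 carry 7 bits each; a 9th byte, if reached, carries all 8 bits.
    """
    value = 0
    for i in range(9):
        if offset + i >= len(buf):
            raise TruncatedVarint(f"SQLite varint at {offset} runs past end of data")
        byte = buf[offset + i]
        if i == 8:
            return (value << 8) | byte, 9
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, i + 1


def walk_record_header(header: bytes):
    """Decode every varint in a SQLite record header: length, then serial types."""
    header_len, pos = decode_sqlite_varint(header)
    serial_types = []
    while pos < header_len:
        value, used = decode_sqlite_varint(header, pos)
        serial_types.append(value)
        pos += used
    return header_len, serial_types


# Constructed sample bytes, not taken from any real evidence.
SAME_BYTES = bytes([0x81, 0x00])                 # decoded differently by each layout
SAMPLE_HEADER = bytes([0x04, 0x01, 0x81, 0x11])  # header length 4, two serial types
```

The same two bytes decode to different values depending on the layout chosen, and data that ends mid-integer (for example in an incompletely carved file) raises `TruncatedVarint` instead of returning a partial number.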
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 21, 2024 - 7:21:   

Preview 5:

* Improved picture content detection thanks to better resilience against file format corruption or file truncation (e.g. incompletely carved files).

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Sep 26, 2024 - 19:37:   

Beta 1:

* When distinguishing between different users of a case, that the currently logged on user's own initials are listed for each label assigned by that user and for each file manually carved by that user is now optional. By default, only the work of other users is marked with their initials, to avoid screen clutter.

* In a case with thousands of search terms, in which many or all search terms are selected, populating the search term list is now much faster if the search terms are listed in default/chronological order (i.e. based on the search history).

* Ability to configure a hash database for matching, e.g. by selecting the hash sets to use, proactively already from within the RVS dialog window. If the user doesn't make use of that option, X-Ways Forensics will still prompt the user, but now only once per session, not every time when matching against a hash database.

* Details mode now has 4 instead of 3 submodes. The new mode is described as IM+ and shows internal metadata as well as certain metadata from the file system, where available (NTFS permission, NTFS object ID deconstruction, known previous paths and files).

* Ability to print the contents of Details mode (any of the now 4 available submodes) along with selected files via the directory browser context menu Print command, where the check mark refers to the complete Details mode, including all cells of the directory browser, which may render the inclusion of a cover page obsolete.

* Ability to decide for child objects separately whether they should be prepended with a cover page when printing.

* Several minor improvements.

* Same fix level as v21.2 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 30, 2024 - 8:46:   

Beta 2:

* Enhanced compatibility with the latest version of the viewer component (v8.5.7), functional currently only when not run as administrator.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 7, 2024 - 8:51:   

Beta 3:

* Improved handling of GIF pictures in the internal graphics display library that have a large image pixel offset.

* Fixed a potential and theoretical infinite loop with TIFF pictures in the internal graphics display library.

* The meaning and functionality of the last parameter of the X-Tension API function XWF_GetReportTableAssocs() was extended. The return value has been extended to 64-bit and now provides additional information.

* The documentation of the API function XWF_GetReportTableAssocs() has been updated. The documentation of the flag values supported by the XWF_AddToReportTable() function was updated as well.

* Recycle bin information, known previous names/paths and Zone.Id=3 information is now reliably shown in the Metadata cell in Details mode if present in the extracted metadata as per the directory browser.

* The metadata column's filter is now a filter that is applied also to directories, if desired by the user, because a directory may have text in its metadata cell if it's in the Windows recycle bin and metadata is retrieved from the corresponding $I file or if previous names or paths of the directory are known from NTFS index records.

* Same fix level as v21.2 SR-9.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 9, 2024 - 8:20:   

Beta 4:

* The search term list now displays not only the number of search hits currently listed for a selected search term, but also the total number of search hits of that search term in the current evidence object (or in case of the case root window in the evidence objects selected for recursive exploration), after a slash, if that number is greater. That can be helpful when not seeing all hits for a given search term, either because a filter is active or because a directory is selected or because search hit listing is impacted by any of the special combination options of the search term list. Unless a special combination option is active, this also works for search terms that are not currently selected.

* Some otherwise rarely used facets of the Excire picture content detection now slightly affect the computed relevance of files. For example the relevance of picture files is reduced if X-Ways Forensics considers them to be icons, logos and catalog-style presentations. This is in addition to the optional user-definable boost or reduction in relevance based on selected content.

* The Excire picture content detection now helps with the identification of the device types scanner and digital camera.

* A Japanese translation of the user interface is included.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Oct 18, 2024 - 14:28:   

Beta 5:

* The maximum chunk size that you can set for the creation of .e01 evidence files is now 1 MB instead of 512 KB, for slight compression benefits, if you don't mind the performance impact when reading from the interpreted image.

* The middle state of the check box for the recursive selection statistics now lists the direct selection and the total of direct and indirect selection separately.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 21, 2024 - 9:51:   

Beta 6:

* Further accelerated the file header signature search and the simultaneous search with .e01 evidence files that specially identify empty (zeroed) areas of the original storage devices. This now also and in particular applies to .e01 evidence files with the modern kind of compression that can be created by v20.9 and later.

* Pictures can now be categorized by the user as irrelevant or notable based on dominant color. Please note that for colors the required confidence is actually the percentage of pixels with that color, so unless a picture is monochromatic, typical values are lower than the confidences of other detected picture content.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Oct 26, 2024 - 18:17:   

v21.3 has just been released. Additional changes:

* Full support for Unicode characters in the XMP metadata block.

* Program help and user manual updated.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 31, 2024 - 11:11:   

SR-1:

* Different shades of basic colors with unique names (e.g. deep sky blue, fuchsia, aquamarine, yellow green, khaki, dark salmon, ...) are now optionally detected if the box for color identification is fully checked. Special colors are always output in English and not translated to German, French, Spanish or Italian. If the box is only half checked, only basic colors are output.

* All color names, whether a basic color or special shade, can now be optionally prefixed with the word "Color: " (language-specific), so that all color labels are listed as a contiguous block if sorted alphabetically.

* Some less dominant colors detected in pictures are now also output.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 6, 2024 - 19:31:   

SR-2:

* Reviewing and confirming already defined bounding boxes for the search for known faces is now optional. That step is now skipped if faces are already marked in Labels.xml for all pictures in the template directory, unless forced.

* Fixed dongle activation code processing in v21.3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 8, 2024 - 14:05:   

SR-3:

* MD RAID handling is now more straightforward and convenient. MD RAID container partitions are now included in cases as well when adding the physical storage device that contains them or its image. That enables X-Ways Forensics to remember the components of the reconstructed MD RAID if you add the RAID to the case as well, for when you re-open it later. The container partitions are by default not selected for recursive exploration or for volume snapshot refinement because their storage space is (hopefully) already covered, and more properly so, as part of the reconstructed RAID.

* Prevented an exception error that could occur when copying files from evidence objects that are file archives into an evidence file container with the option to reproduce a partial path in the target container.

* X-Tension API: XWF_VSPROP_SET_HASHTYPE1 and XWF_VSPROP_SET_HASHTYPE2 of XWF_GetVSProp() were unable to set a new hash type if no hash type was defined yet. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Nov 10, 2024 - 6:30:   

SR-4:

* Fixed inability of the simple Find functions to locate data when searching upwards in certain situations.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 13, 2024 - 15:25:   

To avoid a potential longer wait in v21.3 when selecting all files in a recursive listing before the fix is released with SR-5, please consider not exploring recursively before you press Ctrl+A (you will target the same files anyway for most operations) or turn off the recursive selection statistics in the directory browser options. Thanks and sorry.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Nov 15, 2024 - 10:47:   

SR-5:

* Fixed extreme slowness of the recursive selection statistics in v21.3 in already recursively explored lists in certain situations.

* Fixed a very rare infinite loop when loading certain JPEG files.

* Less abundant detection of the color gray.

* Support for more dongle configurations.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 19, 2024 - 10:26:   

SR-6:

* Volume snapshot backups are now properly deleted when an evidence object is removed from a case.

* Ability to import evidence objects with their volume snapshots from older cases that were created by v20.9 and earlier and use other internal subdirectory naming conventions.

* Prevented an exception error that could occur in v21.3 when moving the mouse cursor over icons in a no longer recursively explored Case Root window.

* Fixed potential inability to enable or disable some picture analysis and processing suboperations in v21.3.

* Now sets specific exit codes in certain situations.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 9, 2024 - 19:22:   

SR-7:

* Remembers which hash sets in a hash database are selected for matching, in the database itself. Thus for this reason and general consideration, to get consistent results with automated command line execution it is recommended to not use a hash database that is shared with active users who may change the selection.

* Improved JPEG size detection in the presence of empty COM markers, which may be required to be able to display the picture.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jan 15, 2025 - 13:41:   

SR-8:

* Prevents users from using the installation directory itself directly for temporary files.

* Ability to identify RAR and 7z archives with full filename encryption as encrypted if no matching password is supplied.

* The optional alternative extended timestamp interpretation for zip archives had no effect since v20.6. That was fixed.

* "Find duplicates in list" did not always identify all duplicates if extra criteria were selected or if name was the primary criterion for comparisons.

* Fixed a problem extracting attachments from certain original .eml files or MBOX e-mail archives in v21.1 and later.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Feb 15, 2025 - 12:12:   

SR-9:

* Improved compatibility with proxy servers in BYOD+.

* Fixed failing automatic restart of RVS in a special situation.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Mar 18, 2025 - 17:13:   

SR-10:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.3. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 15, 2025 - 16:46:   

SR-11:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.3. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 15, 2025 - 14:45:   

SR-12:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.3. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 8, 2025 - 18:02:   

SR-13:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.3. Available to these users on request usually, within the next 90 days. This may be the final service release for v21.3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 26, 2026 - 11:15:   

SR-14:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.3. Available to these users on request usually, within the next 90 days. This is the final service release for v21.3.

Forum operated by X-Ways Software Technology AG.