X-Ways Forensics 21.4

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 19, 2024 - 11:12:   

A preview version of X-Ways Forensics 21.4 is now available. The latest download instructions including password can be retrieved by querying one's license status, as always.

What's new in v21.4 Preview?

* Avoided some delays in volume snapshot refinement with multiple threads.

* Sped up parallelized file archive handling with multiple threads, especially for evidence objects that are very large file archives like smartphone acquisitions.

In v21.3 and earlier, when one RVS thread was processing a file in an archive, other threads had to wait if they wanted to read from other files in the same archive, unless the contents of those files were already in the cache. In v21.4 other threads don't wait any more and instead proceed with other files in the volume snapshot that are not in that archive. And the thread that is busy with that archive will be tasked specifically with processing the remaining files in that archive. If the entire evidence object is a single file archive, then all threads can read files in that archive at the same time.

* Sped up extraction of certain large GZ file archives.

* Ability to deconstruct Windows executable files (EXE, DLL, ...) and Unix/Linux executable files (ELF), as if they were file archives. If you are interested in that, you can add file type designations like ,exe,dll,elf to one of the lists of file types with a check mark under Specialist | Refine Volume Snapshot | Include contents of file archives | ... They are now by default listed in the "Special interest" section, which is not actively used and mainly meant to give you ideas about file types that you could get processed if you like.

* The settings for the inclusion of files in archives in the volume snapshot can now not only be reached from volume snapshot refinement, but also from the general volume snapshot options because they are also relevant when adding archives to a case as evidence objects.

* The picture content analysis now has an even stronger impact on the computed generic relevance. For example, depending on how unusual the detected content is and the confidence of such a finding, the relevance may be increased.

* The picture content analysis is now applied to a few exotic files to which it could not be applied before.

* The compression algorithm used in newly added .e01 evidence files is now shown in the evidence object properties.

* Several minor improvements.

* Same fix level as v21.3 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 2, 2024 - 12:56:   

Preview 2:

* French and Romanian language abbreviations of KB, MB, GB and TB units, i.e. Ko, Mo, Go, and To, are now usable even in user interface languages other than French thanks to a new option in the Notation settings, and by virtue of being part of the Notation settings they can now be turned on or off just for export/data exchange purposes if needed.

* ISO/IEC 80000-13 is now another notation option (KiB, MiB, GiB, TiB) in addition to the traditional and more compact Windows/JEDEC 100B.01 standard (KB, MB, GB, TB).

* Displays the word "Admin" next to the version number in the upper right corner in a session that was run as administrator, so that unaware users have a chance to become aware of that.

* After deduplicating what is listed in the directory browser, restores the order of the items to what it was prior to the operation (because that order is changed internally to identify duplicates). And if the last selected file is not excluded by the deduplication, that file will automatically be re-selected afterwards.

* Ability to categorize entire evidence objects as notable or irrelevant or uncategorized, via the context menu, and show them in the case tree with a corresponding icon.

* Ability to choose specifically which evidence objects to import from another case. Previously either all or all marked evidence objects were imported. The import function can also be used just to get a sneak peek into another case (its list of evidence objects with their categorizations) without loading that case entirely, which would displace the current case, and without starting a second instance, and without actually importing anything. This is entirely read-only for the other case and possible even if that other case is currently being worked on by another user.

* Improved depiction of dependent evidence objects in selection dialog windows.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 6, 2024 - 18:12:   

Preview 3:

* The Path and Full Path filter dialog windows can now accommodate up to 4 million characters.

* Avoids a rare error in which, when automatically trying each entry in the provided password list with an encrypted file archive, a wrong password is recognized as correct.

* More resilient display of corrupt/incomplete WEBP pictures.

* Device type detection further refined.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 23, 2024 - 20:56:   

Preview 4:

* Option to embed e-mail attachments into the parent .eml file when copying e-mails into an evidence file container.

* The Recover/Copy command and the command to copy selected files to an evidence file container now both have the new option to also copy child objects of selected files (as separate files) only if those child objects are not e-mail attachments. That could be a useful setting if you already embed those attachments in the parent .eml file and don't want their data to be output twice.

* Some minor improvements.

* Several of the fixes of v21.3 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Jan 2, 2025 - 19:32:   

Preview 5:

* Prevented some potential crashes during SQLite database processing.

* Improved handling of special floating point values (negative values including negative zeroes, NaNs, and infinities) in SQLite database processing.

* The Data Interpreter now optionally also translates decimal ASCII text integer representations of HFS/HFS+ and FILETIME timestamps.

* The Data Interpreter can now translate dates and times that you enter back into decimal ASCII text integer representations (for the timestamp formats for which decimal ASCII text is supported) if decimal ASCII text integer representations of dates are active. The user needs to ensure proper termination of the resulting string as needed (e.g. via a space character or line break or null character or end of file). Only possible in a data window that is not in read-only mode.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 7, 2025 - 17:41:   

Preview 6:

* Ability to locate the dynamic volumes on certain LDM disks based on GPT partitioning that were not supported previously.

* More simultaneously applicable cell coloring constellations result in a color mix.

* A second type of color gradient is available for cell coloring on a per-definition basis (a diagonal gradient).

* You can now generally opt for stronger gradients if desired.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 13, 2025 - 17:43:   

Beta 1:

* Text decoding and OCR are now separate and independent suboperations of volume snapshot refinement, no longer only available in conjunction with indexing. This enables you to invest time up front for these operations in preparation for accelerated future logical searches.

* The settings for text decoding in files are now centralized in a single dialog window so that users are less likely to overlook the special spreadsheet support feature, which was previously selectable and customizable under Options | File Viewing because it's technically related to the viewer component.

* The new method to discard previously stored decoded text and OCR-derived text from the volume snapshot and start text decoding/OCR from scratch (e.g. then with spreadsheet support enabled) is to remove the checkmark from the combined "Already done" box of these operations in the Refine Volume Snapshot dialog window.

* It is now possible to apply the logical searches only to OCR-derived text.

* Slightly re-organized the RVS dialog window.

* Index search results now distinguish between search hits in decoded text and OCR-derived text.

* Under Options | Security you can now not only deliberately simulate a crash, for example to test the auto-resume feature of volume snapshot refinement or to see how an automated environment that you set up with command line parameters will behave in case of a crash, but also an exception error that is caught by the application and does not cause a crash, for example to see in which directory the error.log entry is created and what information it contains. This function continues to be available only in preview and beta releases.

* Slightly revised display of unused exFAT file allocation table entries to avoid misinterpretation.

* The French translation of the user interface was revised and updated.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 20, 2025 - 18:48:   

Beta 2:

* Improved partial display of incomplete JPEG files with the internal graphics display library.

* Updated support for WEBP, PNG and TIFF in the internal graphics display library.

* Extended support for proxy servers in BYOD+.

* Some minor improvements.

* Same fix level as v21.3 SR-8.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 28, 2025 - 16:28:   

Beta 3:

* Dynamic e-mail columns are now responsive to processed .msg files listed in the visible part of the directory browser.

* Option to store the password of an encrypted .e01 evidence file in the case not only immediately when adding the image to that case.

* More complete text decoding of spreadsheet files that contain charts.

* The X-Tension API function XWF_GetVSProp now supports a new type of operation: XWF_VSPROP_RESET: This takes a new volume snapshot programmatically.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 2, 2025 - 19:01:   

Beta 4:

* It is now easier to control whether OCR is applied to only documents (most importantly certain PDF files) and/or pictures. In volume snapshot refinement, picture OCR is now part of picture analysis processing, and you can save time by not getting pictures OCRed that have a poor resolution anyway and are likely not documents.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Feb 5, 2025 - 19:53:   

Beta 5:

* You do not need to enable OCR or text decoding for logical searches if you had performed these operations already during volume snapshot refinement and if the extracted text was stored in the volume snapshot. It will be searched along with the regular file contents automatically. You can still enable text decoding or OCR for the logical search if desired to decode/OCR files that were not processed that way previously.

* You do not need to enable OCR or text decoding any more when you create an index if you had performed these operations already during volume snapshot refinement previously and if the extracted text was stored in the volume snapshot. It will be indexed along with the regular file contents automatically. You can still enable text decoding or OCR in RVS when you create an index if desired to decode/OCR files that were not processed that way in the previous RVS run.

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 10, 2025 - 15:42:   

Beta 6:

* The so-called alternative (actually active by default) text extraction method for spreadsheets is now faster, more stable and no longer requires you to keep X-Ways Forensics in the foreground.

* Some internal reorganization of volume snapshot refinement, especially with multiple worker threads.

* Revised recognition of the device type Scanner and the software class Twitter/X.

* X-Tensions API: To leave it up to the user whether files that your X-Tension identifies as ignorable should be further processed by volume snapshot refinement, you could set the ignorable flag via XWF_SetItemInformation() in an early call of the XT_ProcessItem() function.

* X-Tensions API: Some more flags are now defined for the XWF_AddToReportTable() function.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 17, 2025 - 15:17:   

v21.4 has just been released. Additional changes:

* Directory browser cell tooltips are now darker in dark mode. In particular comment tooltips are no longer displayed with a bright yellow background.

* Ability to decompress files in .xz archives and in some Nullsoft .cab archives.

* In Preview mode you can now conveniently right-click the Text/OCR button to change text decoding settings and OCR settings, respectively.

* The Data Interpreter can now translate Base64 to ASCII (one way).

* When translating dates that you enter into binary or decimal ASCII, if you do not enter a time, this will now assume a time of 00:00:00 instead of annoying you with an error message.

* The interpretation of data at the cursor position in the status bar now supports any of the formats known from the Data Interpreter, not just integer numbers. As before, you can left-click the status bar cell with the interpretation to select the desired format. (Display of times in addition to dates will follow in SR-1.)

* Two more methods to potentially recover a hung previous instance (showing a progress indicator window) from a second instance. If you reject both, you will see the usual list of threads.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 23, 2025 - 10:37:   

SR-1:

* Fixed a sector read error that could occur in NTFS partitions in interpreted nested images since v21.1.

* .msg files whose metadata have been extracted now respond to the Sender and Recipient filters.

* Fixed an exception error that could occur when extracting metadata from certain PDF documents.

* Prevented a misleading message about unknown chunks that could be seen under certain circumstances when opening cases.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 2, 2025 - 19:02:   

SR-2:

* The viewer component now remembers more display settings between sessions.

* The default scaling mode for PDF documents is now "Fit to window" instead of "Fit to window width".

* No longer tries to decode document files whose types cannot even be confirmed, just based on filename extension, which could yield lots of garbage characters as extracted "text".

* More complete OCR results for certain multi-page PDF documents.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Mar 18, 2025 - 16:47:   

SR-3:

* Slightly improved OCR quality for PDF files.

* Fixed a very rare exception error that could occur when reading the Content created timestamp of a file from the volume snapshot under certain circumstances.

* Fixed incomplete or missing search hit context preview for search hits in extracted text in v21.4.

* Fixed an error that depending on the cover page settings could make X-Ways Forensics print the same file multiple times when multiple files were selected, since v21.3.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Apr 10, 2025 - 18:31:   

SR-4:

* Fixed an error with SQLite processing that could (rarely) abort data storage in the volume snapshot.

* When multiple threads are active dealing with SQLite databases at the same time, the creation of temporary files could fail with a misleading error description ("used by another process") provided by Windows. To address this issue, multiple re-attempts are made until the creation succeeds.

* Fixed incorrect reporting of duplicate hash values when importing them from JSON files (Project VIC/CAID) and a potentially incomplete import from such files.

* Fixed a rare error that could occur when converting Intel Hex data with Linux style line breaks to binary.

* Ability to identify Windows Server 2025 as a platform.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 7, 2025 - 15:01:   

SR-5:

* Prevented unnecessary scrolling of the search term list back to the start of the list after selecting search terms and hitting the Enter key/clicking the Enter button/double-clicking.

* Internal graphics display library revised.

* Avoids that picture content analysis reports the fallback colors black and gray for incomplete JPEG pictures.

* Prevented a rare error writing to temporary files in conjunction with certain archives, which were reported with just a question mark as the filename.

* An automatic restart of X-Ways Forensics after a crash no longer decrements the number of remaining executions granted by an insured dongle.

* Binary PList files with a minimal size are now processed.

* X-Tension API: The hVolume handle provided to the function XT_Prepare() and XT_Finalize() is now 0 if the X-Tension is applied to the Case Root window, so that you can more easily recognize this special situation and reject use of your X-Tension if necessary.

* More stable with certain rare SQLite database files.

* Sometimes better readable floating point numbers in the output for SQLite databases.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 8, 2025 - 9:16:   

SR-6:

* Third-party tools that control X-Ways Forensics from outside via command line parameters may specify the command line parameter "GetLicID:" to find out the so-called nLicID, a hash value that uniquely identifies a dongle or a BYOD license. Nothing else will be done in a session started with that parameter, and X-Ways Forensics exits automatically. You could license your tool based on that ID and only allow use of your tool if the ID matches your expectations (if the ID is in your unlock list, if the user has a key file for that ID etc.). The first 4 bytes of the nLicID are returned as an exit code. Additionally, the full 16 bytes of the nLicID plus an 8-byte FILETIME value with the current timestamp in UTC can be written to a file whose path you designate optionally after the colon of "GetLicID:". By providing a unique, randomly generated filename, you can make extra sure that you get a freshly generated output file with an up-to-date nLicID and not a static, potentially outdated or manipulated value. And/or you can compare the first four bytes stored in the file with the exit code to make sure they match and/or check that the timestamp is not older than a second or so. If the first four bytes are all 0x00, that means that the X-Ways Forensics installation is not unlocked or that (re)writing the output file (if requested) has failed.

* Fixed misidentification of some rare .docx files as archive bombs with zip record overlaps.

* Some minor improvements and fixes.
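
The checks the SR-6 post describes for the "GetLicID:" output, written out as an added example (not code from X-Ways or from the post): a validator for the 24-byte file (16-byte nLicID plus 8-byte FILETIME) and the exit code. Assumptions: both the FILETIME and the exit code's 4 bytes are little-endian, the freshness window is 2 seconds, and all function names are hypothetical; the block does not launch X-Ways Forensics itself.

```python
import secrets
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_LEN = 16 + 8  # nLicID + FILETIME, as described in the post


class LicIdError(Exception):
    """Raised when the GetLicID output cannot be trusted."""


def fresh_output_path(directory):
    # Unique, random name so a stale or planted file cannot be reused.
    return Path(directory) / f"licid-{secrets.token_hex(16)}.bin"


def filetime_to_datetime(ft):
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def verify_licid(record, exit_code, allowed_ids, now,
                 max_age=timedelta(seconds=2)):
    """Return the 16-byte nLicID if every check passes, else raise."""
    if len(record) != RECORD_LEN:
        raise LicIdError(f"expected {RECORD_LEN} bytes, got {len(record)}")
    lic_id = record[:16]
    (ft,) = struct.unpack("<Q", record[16:])  # assumption: little-endian
    if lic_id[:4] == b"\x00\x00\x00\x00":
        raise LicIdError("not unlocked, or output file could not be written")
    # Assumption: the exit code holds the first 4 bytes as a little-endian
    # DWORD; mask it because some launchers report it as a signed value.
    if struct.pack("<I", exit_code & 0xFFFFFFFF) != lic_id[:4]:
        raise LicIdError("exit code does not match file contents")
    age = now - filetime_to_datetime(ft)
    if age > max_age or age < -max_age:
        raise LicIdError(f"timestamp not fresh (age {age})")
    if lic_id not in allowed_ids:
        raise LicIdError("nLicID is not in the unlock list")
    return lic_id


if __name__ == "__main__":
    # Constructed sample record, not real license data.
    now = datetime.now(timezone.utc)
    sample_id = bytes(range(1, 17))
    ticks = ((now - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    record = sample_id + struct.pack("<Q", ticks)
    code = struct.unpack("<I", sample_id[:4])[0]
    print(verify_licid(record, code, {sample_id}, now).hex())
    print(fresh_output_path("."))
```
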
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jul 16, 2025 - 11:20:   

SR-7:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.4. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 25, 2025 - 15:22:   

SR-7:

* v21.4 did not fully explore RAR archive files that in turn contained ZIP archives. That was fixed now in v21.4 SR-7 with an updated zip.dll file that can be recognized by its modification date (later than all the other files).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 15, 2025 - 14:51:   

SR-8:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.4. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 9, 2025 - 14:56:   

SR-9:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.4. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 26, 2026 - 11:36:   

SR-10:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.4. Available to these users on request usually, within the next 90 days.

Forum operated by X-Ways Software Technology AG.