X-Ways Forensics 21.5

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 23, 2025 - 11:02:   

A preview version of X-Ways Forensics 21.5 is now available. The latest download instructions including log-in credentials can be retrieved by querying one's license status, as always.

What's new in v21.5 Preview?

* A picture is worth a thousand words: The partition layout of physical storage devices is now depicted graphically below the list of partitions in the directory browser. The horizontal locations and widths of all partitions are directly proportional to the capacity of the entire storage device. It is not guaranteed that every partition will be visible because tiny partitions on a very large storage device might turn out just a few pixels wide or even rounded down to a width of 0 pixels because the representation is truly proportional and unbiased. If a suspect has set aside a dedicated partition for unlawful or suspicious content, the capacity chosen is not inflated or minimized in the depiction compared to other partitions just for the sake of easy clickability of all partitions.

Partitions/volumes that are not referenced in any active partition table (usually deleted partitions) are presented in a lighter color. Partitions manually defined by the user (of WinHex/X-Ways Forensics) are depicted in a different color to make them stand out more. Areas that are not occupied by any partition are shown as hollow, with dotted outlines.

Thanks to simple 3D rendering and the angle, you can still see the full width (i.e. true size) of partitions even if they partially intersect with other partitions because those are set apart. The overlapping of partitions is problematic because the question may arise which data in the affected disk area logically belongs to which partition. The depiction is intended to alert users of this issue. On Windows LDM disks, for dynamic volumes that consist of multiple discontiguous storage space fragments (on potentially more than one physical storage device), only the start locations are hinted at, where their names appear, along with the word "spanned". The other fragments of such volumes are not shown.

The partition layout depiction responds to mouse-over events, left-clicks, right-clicks and double-clicks. Large rectangles are more convenient to target with the mouse than narrow rows in the directory browser, so this feature addition may naturally change the way you explore partitions.

* Manually defined partitions are now described as user-defined in the Description column.

* Supports more variants of GPT LDM dynamic disks.

* When opening cases, more granular way to report and deal with unknown data from future versions, at the case and the evidence object levels.

* The number of picture files to which X-Ways Forensics can assign a device class or a software class has been further increased.

* Several minor improvements.

* Same fix level as v21.4 SR-1.
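
The layout properties described in the post above (truly proportional widths that can round down to 0 pixels, overlapping partitions, and areas not occupied by any partition) can be reproduced from a list of partition extents. This is an added example, not X-Ways code; the partition names, sector values and the 1000-pixel width are constructed for illustration.

```python
from typing import NamedTuple


class Partition(NamedTuple):
    name: str
    start: int    # first sector
    sectors: int  # length in sectors

    @property
    def end(self) -> int:
        return self.start + self.sectors  # exclusive end sector


def pixel_spans(parts, disk_sectors, width_px):
    """Truly proportional (x, width) per partition, rounded down to whole pixels."""
    return {
        p.name: (p.start * width_px // disk_sectors,
                 p.sectors * width_px // disk_sectors)
        for p in parts
    }


def overlaps(parts):
    """Pairs of partitions sharing sectors, with the shared [start, end) range."""
    found = []
    ordered = sorted(parts, key=lambda p: (p.start, p.end))
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break  # sorted by start: nothing later can overlap a
            found.append((a.name, b.name, b.start, min(a.end, b.end)))
    return found


def gaps(parts, disk_sectors):
    """Sector ranges [start, end) that no partition occupies."""
    free, cursor = [], 0
    for p in sorted(parts, key=lambda p: p.start):
        if p.start > cursor:
            free.append((cursor, p.start))
        cursor = max(cursor, p.end)
    if cursor < disk_sectors:
        free.append((cursor, disk_sectors))
    return free


# Constructed sample: a large disk with a tiny EFI partition, one active data
# partition, one deleted partition that overlaps it, and a fourth volume.
DISK_SECTORS = 8_000_000_000
WIDTH_PX = 1000
SAMPLE = [
    Partition("EFI", 2_048, 204_800),
    Partition("Data", 206_848, 4_000_000_000),
    Partition("Deleted", 3_900_000_000, 500_000_000),
    Partition("Volume4", 7_000_000_000, 1_000_000_000),
]

if __name__ == "__main__":
    for name, (x, w) in pixel_spans(SAMPLE, DISK_SECTORS, WIDTH_PX).items():
        note = "  <- not visible at this scale" if w == 0 else ""
        print(f"{name:8} x={x:4} width={w:4}{note}")
    for a, b, s, e in overlaps(SAMPLE):
        print(f"overlap: {a} / {b} share sectors {s}..{e - 1}")
    for s, e in gaps(SAMPLE, DISK_SECTORS):
        print(f"unpartitioned: sectors {s}..{e - 1}")
```
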
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 2, 2025 - 19:06:   

Preview 2:

* To reset files to the "still to be processed" state selectively, as always you can select them and press Ctrl+Del. That will now also reliably discard extracted text that is stored in the volume snapshot, so that running the text decoding + OCR operations via RVS (e.g. after adjusting "PDF Requiring OCR.txt") will make another attempt.

* Concurrent scrolling through pages of multiple PDF documents for OCR is now optional and disabled by default. This can yield more complete results for certain documents that are slow to render.

* The Comment column can now display a preview of extracted text that is stored in the volume snapshot if so desired (depends on a new Notation setting). Such extracted text is displayed in a gray color to set it apart from actual user comments. To see more text, you can move the mouse cursor over the respective cell. The Comment filter still works only based on actual comments.

* The keyword "Dissemination" next to the generator signature identifies picture files that were transmitted as copies of single use, e.g. in a web browser display. The keyword "Edited" next to a JPEG generator signature identifies a copy that was provided permanently.

* Same fix level as v21.4 SR-2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 7, 2025 - 17:45:   

Preview 3:

* Support for the SHA-512 hash type.

* Simple checksums with a multi-byte accumulator, but using 8-bit integer additions, are now available as separate hash types, named "Checksum (8 on 16 bit)", "Checksum (8 on 32 bit)", and "Checksum (8 on 64 bit)". This renders the security option "Byte-wise checksum computation" obsolete. It has thus been removed.

* Revised hash computation and encryption algorithms, newly optimized for different processors.

* 3 rarely used hash IDs have changed in the X-Tension API, 6 have been marked as deprecated (not recommended for use any more), SHA-512 has been added. Please see the documentation of the XWF_GetVSProp() function for the updated list.

* 256-bit AES encryption/decryption is now about 30% faster (even on old processors).

* More meaningful names are given to uncovered embedded data in SQLite databases.

* Some fixes.
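
The difference between the additive checksum types and SHA-512 named in the post above matters when a value is used to verify integrity. This is an added example, not X-Ways code: it assumes that "8-bit integer additions" on a multi-byte accumulator means summing unsigned bytes modulo 2^16, 2^32 or 2^64, and the sample byte strings are constructed.

```python
import hashlib


def checksum8(data: bytes, acc_bits: int) -> int:
    """Sum every byte as an unsigned 8-bit value into an accumulator of
    acc_bits bits; the accumulator wraps silently on overflow (assumed model)."""
    if acc_bits not in (16, 32, 64):
        raise ValueError("accumulator width must be 16, 32 or 64 bits")
    mask = (1 << acc_bits) - 1
    acc = 0
    for byte in data:
        acc = (acc + byte) & mask
    return acc


def detects_change(original: bytes, altered: bytes) -> dict:
    """For each algorithm, report whether its value differs between the two inputs."""
    result = {
        f"Checksum (8 on {bits} bit)": checksum8(original, bits) != checksum8(altered, bits)
        for bits in (16, 32, 64)
    }
    result["SHA-512"] = (
        hashlib.sha512(original).digest() != hashlib.sha512(altered).digest()
    )
    return result


# Constructed sample data: same bytes, two digits transposed.
ORIGINAL = b"Transfer 1200 EUR to account 4711"
TRANSPOSED = b"Transfer 2100 EUR to account 4711"

# Constructed sample data: 257 * 0xFF + 0x01 sums to exactly 65536,
# which wraps a 16-bit accumulator back to 0.
WRAPPING = b"\xff" * 257 + b"\x01"

if __name__ == "__main__":
    # Addition is order-independent, so a transposition goes unnoticed by
    # every accumulator width; only the cryptographic hash changes.
    for name, changed in detects_change(ORIGINAL, TRANSPOSED).items():
        print(f"{name:24} detects transposition: {changed}")

    # A wider accumulator only postpones overflow; it does not add
    # sensitivity to byte order.
    for bits in (16, 32, 64):
        print(f"{bits}-bit accumulator over WRAPPING: {checksum8(WRAPPING, bits)}")
```
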
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 16, 2025 - 15:27:   

Preview 4:

* Now warns when you select the physical storage device that contains the active Windows system for imaging because typical users would only want to image *other* devices and atypical users that really want to do this for backup purposes or to acquire a live system need to be aware that the partition with the Windows installation is in a state of flux while that same Windows system is running.

* The memory editor now identifies processes as either 32 bit or 64 bit.

* Does not so easily sacrifice (replace/overwrite) case file backups any more if changes to the current case file are small, i.e. more likely keeps older backups that are significantly different around for longer.

* Text in PDF files from certain sources cannot easily be decoded. It may be output incompletely or garbled or as total gibberish. Whenever in a real-life scenario you come across a series of uniform PDF files with that problem (generated by the same mechanism for the same purpose, e.g. bank account statements, invoices, product specifications, ...), so that their decoded text is not legible and searchable/indexable, you can add their creator name, producer name or generator signature to a list that X-Ways Forensics checks before decoding PDF files. If there is a match with either of these properties, X-Ways Forensics will apply OCR to such files rather than attempt (presumably futile) text decoding. You can find this special option in the dialog window with the decoding settings. This is a rather technical option and therefore not available in X-Ways Investigator. Without that option, the only situation in which a PDF file is OCRed is if no text can be extracted from it at all, just like in all previous versions.

The list is maintained in a file named "PDF Requiring OCR.txt" and can easily be shared with other users. The format is explained in the text file itself when it is created. It is expected in the same directory where your WinHex.cfg file and various other user-editable text files are. The generator signatures, creators and producers of PDF files can be found in and copied from Details mode. For the generator signature only the 8 hexadecimal digits are required.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Mar 21, 2025 - 11:04:   

Preview 5:

* More thorough consistency check for volume snapshots that detects certain problems in the cache and in the storage of extracted data.

* Some of the improvements and fixes of v21.4 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Mar 27, 2025 - 10:12:   

Preview 6:

* The Relevance column now has a filter.

* X-Tension API: XWF_GetItemInformation() and XWF_SetItemInformation() can now retrieve and set the value in the Relevance column of a file or directory.

* Some of the fixes of v21.4 SR-4.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Mar 30, 2025 - 19:01:   

Preview 7:

* NTFS: Zone.Identifier URLs in non-resident storage are now automatically included in the Metadata column. They are additionally output as child objects to get the cluster allocations right.

* Text extracted from documents or pictures in Preview mode can now be optionally stored in the volume snapshot as well. This option is remembered separately just for Preview mode and disabled by default, so that you can experiment with different OCR settings and different PDF decoding settings and see fresh results instead of always the same text as stored in the volume snapshot after the first attempt. To access the Decoding/OCR settings specifically for Preview mode, please right-click the Text/OCR submode button.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Apr 4, 2025 - 14:55:   

Preview 8:

* The Edit menu of the Case Data window is now always the same and identical to the context menu of the case. Previously, if an evidence object was selected in the case tree, the Edit menu was identical to the context menu of that evidence object.

* There is now a command in the directory browser context menu that allows you to bookmark a file or directory. You can also enter an individual description. Bookmarks are useful to quickly navigate back to an item of interest. To see a list of all bookmarks in the case, use the Edit menu of the Case Data window. All bookmarks can be seen and navigated to even if the evidence objects to which they refer are not currently open. When you create a bookmark, that creates a label at the same time, which is useful for filtering and because creating a backup of the volume snapshot and restoring such a backup will back up and restore the label, but not the bookmark.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Apr 13, 2025 - 13:21:   

Preview 9:

* OCR can now optionally be restricted to picture files produced by/for certain device types, e.g. produced by a scanner, produced as screenshots, or generated for printing, because such pictures are more likely to contain relevant text and because omitting other pictures can save time.

Picture files for which device type recognition was unsuccessful ("unknown") or to which it was not applied because metadata extraction was not yet run or because device type recognition is not supported for the respective file type (resulting in a blank device type cell) can optionally be OCRed, too.

* OCR can now optionally also be applied to pictures if the regular conditions (file type, resolution and device type) are not met, but if text is detected by the picture content analysis.

* .dlg files now remember the positions of trackbar controls, like the ones for PhotoDNA sensitivity and Excire matching strictness, which they previously did not.

* The "whole words only" restriction of logical searches did not work when searching for single Latin letters as ASCII/Latin 1 in extracted text that was internally stored in Unicode. That was fixed.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 21, 2025 - 17:47:   

Beta 1:

* Ability to decrypt BitLocker volumes in WinHex Lab Edition, X-Ways Imager, X-Ways Investigator and X-Ways Forensics. This requires that you have and enter (e.g. copy & paste) the right password or recovery key, if one of those is actually required to decrypt the volume (not in case of clearkey encryption). The option to enter a password or key is not given in X-Ways Investigator. However, X-Ways Investigator can use a password or recovery key that was already entered for a particular evidence object in a case by someone using X-Ways Forensics, so users of X-Ways Investigator can work on a case that includes BitLocker volumes if that case was properly set up for them by a colleague.

* The Resize dialog window that allows you to tailor offsets and sizes of carved files and search hits as needed has been revised and now remembers more settings separately for files and search hits. There is a new option to double the intended offset and size changes in bytes for search hits in UTF-16.

* Thorough evaluation of DQT (quantization tables) in JPEG files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Apr 28, 2025 - 18:08:   

Beta 2:

* Files that are marked as compressed in APFS, but are in fact not stored compressed but "inline" (resident storage), are now reliably recognized as such and can be opened normally in newly taken volume snapshots. Files marked in APFS as using "plain compression" (=no actual compression) are no longer shown with the C attribute, unlike before. These files would previously also have caused the "unsupported compression" message.

* Taking a volume snapshot of large APFS volumes is now faster.

* A rare error has been prevented, where the virtual file "BtrFS System Chunks" was erroneously reported as not readable at the very end.

* Internal graphics display library updated.

* Several minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Apr 30, 2025 - 10:31:   

Beta 2b:

* More forms of compressed data storage in APFS are now supported in newly taken volume snapshots. Files that previously caused the "unsupported compression" message can now be opened successfully.

* Some of the fixes and improvements of v21.4 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, May 6, 2025 - 19:12:   

Beta 3:

* Some more forms of compressed data storage in APFS are now supported in newly taken volume snapshots.

* Some more information about BitLocker volumes in the Technical Details Report.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, May 7, 2025 - 19:01:   

Beta 3b:

* Some more forms of compressed data storage in APFS are now supported in newly taken volume snapshots.

* All the improvements and fixes of v21.4 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 8, 2025 - 15:26:   

Beta 3c:

* Some more forms of data storage in APFS are now supported in newly taken volume snapshots.

* More binary p-list files are now parsed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, May 9, 2025 - 12:01:   

Beta 3d:

* Some fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, May 15, 2025 - 7:47:   

Beta 4:

* Accepts certain slightly malformed zlib-compressed data.

* Users can decide whether to share their original dongle ID or BYOD license ID with 3rd-party software (X-Tensions), in the dialog window where the nLicID is displayed.

* X-Tension API: X-Tensions can now see the original dongle ID or BYOD license ID if the user agrees to share that information, when responding to the call of the XT_Init() function.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, May 19, 2025 - 13:05:   

Beta 5:

* If OCR is applied to pictures retroactively at the end of volume snapshot refinement because the presence of text was detected in those pictures by the picture content analysis, the resulting text is immediately indexed if indexing is also selected.

* The functionality to re-include all excluded items and the functionality to totally remove excluded items from the volume snapshot have been moved from the directory browser options dialog to the directory browser context menu (the "Exclude" submenu).

* Now prompts before actually executing/loading an X-Tension, in particular also when the execution is triggered through the command line, unless disabled in Options | Security.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 2, 2025 - 17:30:   

Beta 6:

* X-Tension API: Various XWF_*() functions now deal more gracefully with incorrectly supplied nItemID values and indicate failure through the return value instead of throwing an exception error. More return values now defined for XWF_GetItemSize() in particular.

* The device type filter now allows you to focus on files for which device type identification has not been attempted, e.g. because metadata extraction has not been run or because the file type is not supported for that. Such files have a blank device type cell, which means undetermined.

* Several minor improvements.

* Program help and user manual updated for v21.5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jun 8, 2025 - 15:36:   

v21.5 was just released. The improvements and fixes of v21.4 SR-6 are included.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Jun 11, 2025 - 8:13:   

SR-0+:

* The "Do not display again" check box was unusable in message boxes with only one button in the original v21.5 release. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 23, 2025 - 10:57:   

SR-1:

* More forms of compressed data storage in APFS are now supported.

* OCR can now also be triggered by the detection of paper texture in a picture.

* More consistent in which button in a message box (e.g. OK or Cancel) is compatible with the "Do not display this message again" option.

* Fixed an instability that could occur when decrypting partially encrypted Windows 11 BitLocker volumes.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jun 30, 2025 - 14:01:   

SR-2:

* v21.5 SR-1 became unstable when the user interface was set to British English spelling. That was fixed.

* Improved keyboard navigation. Even with no data window, you can now press the Tab key to give the case tree the focus. You can now navigate up and down in that tree with the cursor keys without inadvertently opening the Case Root window. You can press the context menu key to open the context menu of an evidence object if one is selected in the case tree, or the context menu of a directory within an evidence object, e.g. to explore recursively.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jul 14, 2025 - 8:35:   

SR-3:

* Italian translation of the user interface updated.

* Prevented an error message about the inability to find the Cache file of a volume snapshot that could occur in certain situations in v21.5.

* Prevented an infinite recursion when deconstructing certain Windows executable files (DLLs) in v21.4 and later.

* Prevented a floating point exception error when processing certain SQLite database files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jul 22, 2025 - 4:36:   

SR-4:

* Prevented a possible infinite recursion when parsing UFS file systems.

* An error in LVM2 handling prevented the volumes within an LVM2 Container partition, if it was not the first in a group of LVM2 Containers, from being listed correctly, unless the first LVM2 Container in the sequence was opened first. This was fixed.

* Fixed inability to explore certain large nested archives with caching enabled when not using additional threads.

* Prevents the identification of certain audio-only MPEG-4 files as MP4 video.

* Prevents an exception error that could occur in v21.4 in certain situations when using older WinHex.cfg files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jul 25, 2025 - 9:37:   

SR-4:

* v21.4 and later did not fully explore RAR archive files that in turn contained ZIP archives. That was fixed now in v21.5 SR-4 with an updated zip.dll file that can be recognized by its modification date (later than all the other files).
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Aug 20, 2025 - 14:46:   

SR-5:

* X-Tension API: The XWF_GetEvObjProp() function can now replace an evidence object with a new image using an nPropType of 100.

* Fixed a hanging error that occurred rarely with certain cells in the directory browser when presented with a very wide column width.

* Fixed an error that occurred when decrypting data in sectors at the end of very large BitLocker partitions (> 1 TB).

* Presenting certain HEIC files in Details mode updated the "Content created" cell with a timestamp in a wrong time zone. That was fixed.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 1, 2025 - 17:07:   

SR-6:

* When opening files in NTFS file systems from within the directory browser in a separate data window, the Info Pane optionally showed up to 7 digits after the decimal point for the creation timestamp as a sub-second value although the available precision in the volume snapshot only justified the display of 4 such digits. That was fixed.

* Presenting certain JPEG files in Details mode updated the "Content created" cell with a timestamp in a wrong time zone. That was fixed.

* v21.5 SR-3, SR-4 and SR-5 did not properly rotate certain JPEG photos for viewing and OCR. That was fixed.

* Fixed processing of the command line parameter "GetLicID:".
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Sep 20, 2025 - 16:51:   

SR-7:

* The internal graphics display library now supports TIFF pictures with CCITT compression.

* Slightly revised support for PNG pictures in the internal graphics display library.

* Prevented an exception error that could occur when extracting e-mails from certain rare PST e-mail archives.

* Fixed usage of "structure type" as a criterion to identify duplicates and fixed "+ Modified" as an additional criterion.

* Fixed certain "Do not display this message again" behavior.

* Prevented a rare division by zero error with certain RIFF files.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Oct 5, 2025 - 15:51:   

SR-8:

* If the Windows operating system lost control over a storage device that was in the process of being imaged, signaling a certain error condition, v21.2 and later reported the error description from Windows correctly and reported the total number of unreadable sectors correctly, but only listed the first affected internal range of sectors individually although it (pointlessly) continued the operation. In v21.5 SR-8 and also all future releases of v21.2 and later the same error condition will stop the imaging procedure.

* One more error condition is now recognized as permanent loss of connection to a storage device.

* Fixed an exception error that could occur in v21.5 if text or paper texture detection was selected as a reason to run OCR on a picture.

* The selected hash types in the Refine Volume Snapshot dialog window were not stored in .dlg selection files. That was fixed.

* The number of extra threads set in the Refine Volume Snapshot dialog window can now be optionally stored in .dlg selection files (although it is machine-specific) if you hold the Shift key while creating the .dlg file.

* Prevented an error that could occur with overlong paths within the case directory when a volume snapshot backup was created with labels.

* Prevented occasional misidentifications of the device type "Screen?".

* The registry viewer now always presents the decoded form of the TrayNotify IconStreams texts instead of alternatingly the original and the decoded form.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Oct 15, 2025 - 15:01:   

SR-9:

* Automatically resuming crashed sessions did not work if temporary files were stored in a case-specific temp path. That was fixed.

* Prevented an exception error that could occur when opening certain rare BitLocker volumes.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Nov 1, 2025 - 13:56:   

SR-10:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.5. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 9, 2025 - 17:40:   

SR-11:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.5. Available to these users on request usually, within the next 90 days.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Jan 26, 2026 - 11:46:   

SR-12:

* Some of the fixes and minor improvements introduced in later versions. Highly recommended to users whose access to updates covered no more than v21.5. Available to these users on request usually, within the next 90 days.

Forum operated by X-Ways Software Technology AG.