| Author |
Message |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Thursday, Feb 26, 2026 - 11:26: | |
A preview version of X-Ways Forensics 21.8 is now available. The latest download instructions including log-in credentials can be retrieved by querying one's license status, as always.
What's new in v21.8 Preview?
* Carving algorithm significantly improved for certain MPEG video variants.
* File carving support specifically for AVIF files.
* Ability of the internal graphics display library and the picture content analyis to load pictures from AVIF files.
* HEIC display support revised.
* Broader recognition of BitLocker recovery key files, which are identified as "blkey" in the Type column.
* Recovery keys that were encountered in any evidence object in the case already are automatically used to decrypt BitLocker partitions that you open if they fit.
* A new notation options allows to display file size in units of sectors. If not found on storage devices or images with sector-level access, but e.g. in evidence objects that are zip archives or directories, a standard sector size of 512 bytes is assumed. The display sector count is either rounded up (because a file occupying 1 full sector plus 2 bytes actually utilizes 2 sectors where files are stored as sector-aligned) or it is displayed with one decimal digit. The display style with one decimal digit can give you an idea how precisely or roughly carved files were sized because if a file size is an exact multiple of the sector size, it will be displayed with no decimal, whereas .0 indicates a few extra bytes that just do not amount to one tenth of a sector. This can also give you an idea which file types are naturally rounded in size, e.g. Windows registry hives and OLE compound files. On the other hand, if a JPEG or HEIC or any other usually unrounded file is shown with no decimal digit, that is a candidate for a file that was truncated, e.g. by carving or file system corruption. (Though if file sizes are equally distributed, one in 512 files would happen to be a multiple of the sector size naturally.)
* Another new notation setting allows to see the complete internal path of an evidence object in the evidence object column, not the title of the evidence object that is user-definable (and only up to 79 characters long).
* Some minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Thursday, Mar 12, 2026 - 9:32: | |
Preview 2:
* Some minor improvements.
* Most of the fixes of v21.7 SR-2. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Tuesday, Mar 17, 2026 - 16:10: | |
Preview 3:
* That certain binary files are included in the report in a readable format if possible is now optional. This affects for example .job files, .lnk, prefetch files, $I*, $LogFile, $UsnJrnl:$J, wtmp, utmp, btmp, TCP and UDP packets, and many more. If binary copies are preferred that cannot be viewed in the browser along with the report, the new box for this can be unchecked.
* X-Ways Forensics can now optionally extract messages of certain types from UFDR archives and present them as events. Currently messages of these types are supported:
Chats: Kik Messenger
Instant Messages: Android CallLog database
Messages are extracted if the box "UFDR: interpret report.xml" is fully checked.
* When taking a volume snapshot of UFDR archives, X-Ways Forensics can now optionally ignore ordinary timestamps in zip records and only include timestamps defined in report.xml (if parsing report.xml is enabled). This is a new volume snapshot option.
* Extended UTF-8 support in some functions/parts of the user interface.
* Identifies hardlinks and symlinks in TAR archives as such. Hardlinks are presented with the original file contents and the hardlink count within the archive.
* Some minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Friday, Mar 20, 2026 - 14:57: | |
Preview 4:
* Improved representation of the picture size row in the Summary table in Details mode, with textual descriptions of the resolution, output of the aspect ratio if worth pointing out, potentially a known previous resolution if a picture was resized. An arrow up indicates an unexpectedly high propensity score. An arrow down indicates an unexpectedly low propensity score, which is correlated with reduced-resolution copies for dissemination and a lower generic relevance. "Picture size" is now marked there with a superscript + symbol to set it apart from the directory browser column with otherwise the same title.
* Same fix level as v21.7 SR-2. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Thursday, Mar 26, 2026 - 19:06: | |
Preview 5:
* Ability to store decoded document text and OCR-derived text in evidence file containers. This allows recipients of such containers to run fast logical searches in the included files without spending time on text decoding and OCR.
* Improved ability to cope with a certain NTFS file system manipulation.
* More detailed feedback on report.xml parsing in case of problems.
* A new security option controls whether BitLockers passwords and keys that you enter manually or that are found automatically (BEK and recovery key files) or that match when trying out passwords from a list are centrally stored in the case (on disk). That is convenient and the default setting, but perhaps not desirable for internal investigations.
* X-Ways Forensics now monitors additional threads during volume snapshot refinement and attemps to terminate and resume hanging threads if they are found to be unresponsive for e.g. 15 minutes. This is a new settings under Options | Security and assumes that the user interface itself is still responsive. Even if a particular file takes longer to process (e.g. large Outlook PST e-mail archive with
many e-mails and attachments), the thread makes it known that it is still alive, so that alone will not trigger any recovery measures.
* Ability to simulate hanging on a file, using one of the unlabeled, but tooltipped check boxes in Options | Security, only in Preview and Beta releases.
* Some minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Monday, Mar 30, 2026 - 17:00: | |
Preview 6:
* When importing hash values, either from an external text file with ASCII hex values or from files selected in the directory browser, you now have the option to merely find out which hash values are already contained in your database and which hash values are new, without actually adding the hash values to the database. This can be used for example to find out how an import would affect your database / if there is any new material included at all etc., or if you find merely a list of hash values of files of interest and do not have access to the files themselves (e.g. files that once were in someone's possession).
* More granular setting for what action should be triggered when double-clicking files with child objects (explore or view).
* The first 4-state check box in X-Ways Forensics (or maybe the universe) has been introduced. Be prepared for the clearest violation of Microsoft user interface style guidelines yet. The first user who will spot this check box and report it down below or via e-mail to mail@x-ways.com will receive a temporary dongle-less license for half a year. Employees of X-Ways and their families as well as AIs and their families are excluded from this giveaway. The winner will be announced here.
* Support for overlong platform UNC (network) paths (significantly longer than 259 characters). |
Paul Bobby
Username: pbobby
Registered: N/A
| | Posted on Monday, Mar 30, 2026 - 18:30: | |
Email sent!
"I always said there was something fundamentally wrong with the universe."
— Arthur Dent
Now everything is right. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Monday, Mar 30, 2026 - 18:44: | |
The correct answer was sent in by Derek Eiri via e-mail. Sorry, Paul, that was 15 minutes before your post. Thanks everyone for participating.
* Grid lines in the directory browser are now available in 3 different shades (and can optionally be completely hidden). |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Sunday, Apr 5, 2026 - 19:16: | |
Beta 1:
* Ctrl+A now works in windows of the viewer component to select all, in text documents and spreadsheets (but not in PDF documents, presentations, ...).
* Improved detection of AI-generated pictures.
* Improved interpretation of picture aspect ratios.
* Some minor improvements.
* Some of the fixes of v21.7 SR-3. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Thursday, Apr 9, 2026 - 18:18: | |
Beta 2:
* The Recover/Copy function's log function, if fully checked, now also logs directories that are being recreated in the output path, with their original names, internal IDs, timestamps, attributes or whatever you select.
* The Description filter can now filter for directories.
* The Ukrainian and Russian translations of the user interface were updated.
* Can extract certain messages in UFDR archives as events from databases categorized as:
Instant Messages: Android
Instant Messages: Phone
Chats: Native Messages
Chats: Kik Messenger
* Some minor improvements.
* Same fix level as v21.7 SR-3. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Wednesday, Apr 22, 2026 - 14:12: | |
Beta 3:
* A new notation setting allows you to choose what to see in the Int. Parent column: Either the internal ID of the parent or a description of the parent or both.
* The directory tree depth at which an error will be presumed and at which recursion will be aborted when taking a volume snapshot of FAT* or Ext* file systems can now be defined in the volume snapshot options and helps to avoid stack overflow errors in some rare cases.
* Revised parsing of .evtx Windows event log files and more complete output of event data to the event list.
* Updated picture generating device support.
* Some minor improvements. |
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Wednesday, Apr 29, 2026 - 12:41: | |
Beta 4:
* Ability to continue filling encrypted container archives. (The user needs to enter the same password again.)
* PNG and JPEG support updated in the internal graphics display library.
* Tentatively identifies RTF files that contain embedded pictures, using a label ("No pictures extracted").
* Can extract certain messages in UFDR archives as events from databases categorized as:
Chats: Snapchat
Chats: Native Messages (more than before)
* Some minor improvements.
* Some of the fixes of v21.7 SR-4. |