WinHex & X-Ways Forensics Newsletter Archive

This mailing is to announce the release of another update with important improvements, the new version 21.2, on July 9, 2024.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the latest log-in credentials (!), details about their licenses, and upgrade or renewal offers. Please do not ask us for the download password. Your organization has access to it already if eligible, as described.

Service releases are announced in the Announcement section of the forum, and you can subscribe to instant e-mail notifications of postings in that section if you have a forum profile. You can create such a profile here (if you have our log-in credentials). If you wish or need to stick with an older version for a while, please switch to the latest service release of that version.

Upcoming Training Events

Please sign up for our training notifications here if you would like to be kept posted on future training dates.

What's new in v21.2?
(most changes affect X-Ways Forensics only)

Storage Device Handling

• If access to a local storage device is lost while reading or writing sectors, for example because of a loose connection or because you have to unplug and replug it because it occasionally freezes your Windows system, I/O operations can now resume automatically without closing and re-opening the data window for that device. This was previously a potential problem when dealing with certain failing devices.

• Ability to safely change the disk access method on the fly. Previously, existing data windows for storage devices had to be closed and re-opened to avoid errors.

• Revised handling of write errors on physical storage devices. When you get notified of a write error, your first option in such a situation will be to simply retry writing the same sector that failed. You can do so as often as you like, when you are ready. This could be helpful for example if unplugging and replugging the device will make it responsive again. You would hit the retry button a few seconds after replugging once Windows has recognized the device again (e.g. if a Windows Explorer window opens). The second option is to continue writing at the next sector, and you can define that as the default response to write errors, to avoid further prompts until the device is closed or the disk access method is changed. (However, that could be a very slow approach if there are many bad sectors on the device.) The third option is to abort, which means the write operation for the currently targeted range of sectors will be aborted or optionally the entire overarching operation (e.g. wiping multiple selected files). You can define that as the default action as well to avoid further prompts. After a local abort the overall operation may still continue. If desired, it can still be discontinued the usual way at any time while the device and the application are responsive by closing the progress indicator window. With the new option to define a default choice it should be possible to find a suitable compromise for the situation at hand, for example when you attempt to sanitize an already failing hard disk to either the maximum extent possible or to a "reasonable" extent given a limited amount of time.

• If the option "List internal file system files" is inactive, that now has an effect on FAT12, FAT16 and FAT32 file systems.

• Warns when trying to reconstruct a RAID system or JBOD using components with different sector sizes, as this could have unintended effects.

• After retroactively locating another partition, X-Ways Forensics now covers unpartitioned space that follows that partition if necessary with another virtual file.

Data Redaction and Erasure

• The command Edit | Fill Disk Sectors now diplays sectors numbers in the progress indicator window, so that in case of a freeze because of a hardware defect you can tell to which sector number the operation got.

• The directory browser context menu to wipe selected files has been renamed to "Redact data". It is only available in WinHex (including when X-Ways Forensics is run as WinHex), for example for retroactive redactions in a raw image copy before it is shared with other parties or to selectively and partially sanitize physical storage devices for which you do not expect or care about sector reallocation to occur upon write operations.

• Ability to apply the "Redact data" context menu command to selected files in the Case Root window.

• Ability to fill/wipe/redact disk sectors, blocks, and files with a meaningful recognizable text pattern (watermark) instead of raw hex values, in either ASCII or UTF-16 Unicode, as known from the function to create cleansed images.

• The command to redact selected files now has an option to also erase slack space.

• There is now a slightly more detailed success report when the "Redact data" command has been applied to multiple selected files, in additional to the label output, separately for each affected evidence object if run from the Case Root window.

• That the data in clusters of selected directories are also erased by the "Redact data" command is now optional and not active by default, so that you could conveniently and safely select entire directories to get all the files in those directories wiped. Users are warned when they enable this option as it will corrupt the file system and leave files orphaned. Also keep in mind that after you have purged directories, depending on which exact file system it is, X-Ways Forensics itself may be unable to find the files again when taking a new volume snapshot.

• Warnings are now shown if the user has selected certain known system files for redaction since erasing their data will corrupt the file system.

• The command variants Edit | Fill File and Edit | Fill Block can now be applied in File mode to a file that is selected in the directory browser.

• With the "Wipe securely" command in the main menu, actually deleting the selected files in the file system is now optional. If not desired, only their file contents will be overwritten.

Directory Browser

• After using the Seek Item # command in the directory browser context menu, the blue tooltip that reveals the list item number of an item will pop up to confirm that you have reached the intended item.

• The Seek Item # command can now optionally keep the selection in the directory browser and merely move the indicated item number into view and highlight it. Note that if you wish to open the context menu without losing your selection, if you can't see your selection at the moment because you have scrolled up or down, right-clicking any unselected item in the directory browser with the Ctrl key pressed will achieve that. Alternatively, you can press the context menu key on your keyboard.

• The Seek Item # command now has two extra buttons that allow you to easily navigate to the first and the last selected item in the directory browser. That is useful in a very long list of files if you have scrolled elsewhere, but need to return to a spot where you had selected files.

• The selection statistics below the directory browser now also include the item numbers that the current selection spans. Clicking the statistics brings up the Seek Item # dialog window.

• Middle-clicking an item in the directory browser will now tag or untag that item, just like in the case tree.

• The path filters can now optionally be case-sensitive, which is faster.

• Type and Type category filters accelerated.

• Ability to use the Description filter to focus on files to which OCR has been applied, but with no result, i.e. <= 0 characters. The filter can now target results with greater than or less than 65,534 characters.

• Dedicated context menu command to untag selected search hits and events. (Pressing the space bar still toggles the status of selected search hits/events.)

• Ability to prevent certain labels from being displayed in the Labels column, for example because you don't need to see them and they just clutter up that column or because you wish to show your screen to someone but don't want them to see those particular labels. You can change that in the dialog window where you manage and assign labels, using the Exclude (×) button.

• Improved representation of text extraction and OCR results in the Description column (if in the Notation settings the "other" box is checked).

• Checkmarks for tagging are now better visible in dark mode.

• Hovering over a row in the directory browser is now also reflected in the tag area.

User Interface

• A new command in the context menu of the case allows to locate the file or directory with a given unique ID. If the evidence object that contains that item is not open at that moment, it will be opened automatically.

• Optionally all three categorization icons (for notable, irrelevant and uncategorized) can now be displayed next to the filenames in the Name column, not just the one for notable files. This can be changed in the directory browser options.

• The dialog window to manage labels was further revised. All label types are now listed optionally.

• Setting up keyboard shortcuts via Options | General | Define keyboard shortcuts... is now easier because the dialog window reveals the ID of the last command used. So in order to find out the ID of the command that you wish to generate a shortcut for, you just need invoke that command (you can cancel it if that is an option) and can then see its ID. Most commands invoked in the main window, in a data window, in the directory browser or in the Case Data window are suitable.

• The dialog window for Options | General | Define keyboard shortcuts... now also reminds you of a special ID that you can use to repeat the last command invoked, whichever that may have been. For example if you wish to manually categorize files as notable in multiple steps, you can do so through the directory browser context menu the first time, and after that just press the special key combination that you have defined for that ID. The special repeat ID is currently 182. Most commands invoked the main window, a data window, in the directory browser and in the Case Data window are suitable. In fresh installations, the keyboard shortcut Ctrl+F5 is now predefined to repeat the last action.

• When moving an evidence object down in the case tree with the old method (the arrow buttons in the properties dialog window), it is now still highlighted in the case tree afterwards.

• Improved scaling of some GUI elements for usage with high-resolution displays and high Windows DPI settings, including the option to use checkmarks for tagging.

• Buttons now have a mouse-hover effect.

• Some icons revised.

Picture Viewing

• When viewing or previewing pictures with the internal graphics display library, low resolution pictures are now automatically magnified to some extent. This depends on which factor you feel comfortable with at most to avoid pixelation, and the maximum can be set in the Options | File Viewing dialog window. By default, only natural magnification factors are used (100%, 200%, 300%, ...) to avoid the need for interpolation, but there is a checkbox to change that. The difference can be seen best with a small picture and a high maximum magnification when you resize the preview area. Under the constraints of the user-editable maximum magnification and the potential restriction to simple pixel multiplication (no interpolation), pictures are magnified in Preview mode and in view windows of the internal graphics display library to the maximum extent possible given the size of the preview mode area and the size of the screen workspace, respectively.

• The magnification applied to pictures in Preview mode when rendered by the internal graphics display library is now displayed in the lower left corner of the preview area in percent. (The magnification applied in a view window of the internal graphics display library has always been displayed in the window caption after the filename.)

• Ability to zoom in and out when pictures are rendered by the internal graphics display library in Preview mode, using the mouse wheel, in steps of 10%. (This does not currently change the center of the picture based on the mouse pointer position. If you wish to navigate within a greatly magnified picture, please use the View command for that.)

• HEIC display functionality updated.

• The internal graphics display library was revised for other file formats as well.

• The user now has the option to switch to the internal graphics display library from the viewer component (VC) when previewing TIFF pictures, by clicking the VC submode button that by default appears pushed for TIFF pictures. Note that the internal graphics cannot display additional pages if present in a TIFF file.

Picture Content Analysis

• More detected photo styles (such as "colorful", "framing", "selective color", "unsaturated", "bright") can now be used for categorization purposes.

• Improved handling of insufficient drive space for temporary files employed by the picture content analysis.

• Certain file format variants or corruptions that the internal graphics display library is able to deal with, but that were not supported by Excire, can now also undergo the picture content analysis. An updated Excire package is now downloadable and required for use with v21.2 (and is still compatible with v21.1).

X-Tension API

• The X-Tension API function XWF_GetEvObjProp now supports two more property types: 30 retrieves the bias of the reference time zone of an evidence object, if such a time zone was set by the user. 31 retrieves the bias of the preferred display time zone of an evidence object. Optionally, more information about daylight saving in each of the two time zones is provided.

• The X-Tension API function XWF_GetItemInformation now supports various XWF_ITEM_INFO_*_DISPLAY_OFS types (one for each timestamp type) that can be used to learn how many minutes need to be added or subtracted from a timestamp to get to the same local time that X-Ways Forensics itself would display. It depends most obviously on 1) the user's preferred display time zone (which can be the same for the entire case or individually set per evidence object), 2) the base time zone that the timestamp is known to be stored in or the user-set reference time zone that it is supposed to be stored in, 3) whether the timestamp falls into the daylight saving portion of the year according to the base or reference time zone, 4) whether the timestamp falls into the daylight saving portion of the year according to the display time zone. A special return value is -1. It indicates that the timestamp could not be converted to the preferred display time zone and instead is shown as is, in local time, based on whatever time zone that originally may have been, or that no valid timestamp exists.

Miscellaneous

• The limit of ~2 billion hash values in the hash database has been lifted. The next theoretical barrier is ~4 billion.

• Further increased the number of recognized picture generating devices.

• More thorough integrity test for volume snapshots. That test is accessible by clicking the button with the check mark on it in the Refine Volume Snapshot dialog window.

• Now allows to copy up to 1 GB of data into the clipboard to share with other Windows application, instead of 128 MB previously.

• When printing files, you now have the option to not only print the full path on the first page, but also the unique ID of the file.

• You can now hide controls in dialog windows before saving your settings in a .dlg file so that the values of those controls remain undefined in that .dlg file and cannot cause problems next time when you wish to use that .dlg file, perhaps without supervision through the command line. To hide a control you hold the Shift key and roll the mouse wheel (in either direction) over a control. It is useful to prevent control values from getting saved in a .dlg file if those values are not general settings, but values for one-time use, such as the name of an image file that you are about to create or the last sector on a storage device to be covered when creating an image. On the other hand, settings such as compression method and strength as well as block and segment sizes are probably settings that you keep using for a longer time unless you change your preferences. .dlg files created by different versions of the application are compatible with each other except if the dialog window controls have changed, so you could create new .dlg files exclusively with v21.2 going forward and use them in older versions as well, with said proviso.

• OCR is now prevented for very small files, to save some time.

• OCR now has a verbose report mode option, where various remarks that Tesseract outputs on the files that it processes will appear in the Messages window.

• The function to export cluster lists into a text file is now Unicode-capable and produces a UTF-8 text file.

• The export function for FuzZyDoc hash sets did nothing except under special circumstances. That was fixed.

• Preview and beta releases now show a number in the lower left corner of gallery tiles for files that are presented only with an icon, not a thumbnail. That number is an internal indicator of the reason why no thumbnail was produced.

• The program help and the user manual were updated.

• Many minor improvements.

Changes of service releases of 21.1

• SR-1: The function to merge labels (previously report tables) did not work correctly under all circumstances since v20.5. That was fixed.

• SR-1: Some picture files were previously not processed by picture content analysis, mostly PNG files and a variant of WEBP. That was fixed.

• SR-1: Fixed potentially incomplete output of error.log entries in the original v21.1 release.

• SR-2: The dedicated picture content analysis stage after volume snapshot refinement now always uses the maximum number of threads possible with the available CPU, regardless of the setting for the volume snapshot refinement itself.

• SR-2: Some predefined tooltips were mismatched in v21.1. That was fixed.

• SR-2: Fixed an exception error that could occur in v21.1 when decoding .json files for a logical search.

• SR-3: Now optimized for and requires the newer Tesseract version that we have made available for download in Oct 2023. OCR is now considerably faster with multiple threads.

• SR-3: The "Dlg:" command no longer continues execution if values fed to a the dialog window are not accepted by X-Ways Forensics. Instead, execution will pause until the user fixes the problem manually and clicks the OK or Cancel button. That will allow users to become aware of and pinpoint problems in their .dlg files. A new command named DLG: in all upper-case letters now works as Dlg: previously did, i.e. forces continued processing no matter whether there is a problem or not. If there is a problem with a certain value, that means that other values in the same .dlg file that would be acceptable might be ignored!

• SR-3: Cases now remember all 9 keyboard shortcuts for labels.

• SR-3: The special parameters of the AddImage command in the command line did not work as intended. That was fixed.

• SR-3: Fixed mismatched information in recipient columns for MSG files with certain received e-mail messages.

• SR-3: A rare error in LVM2 handling could occur, when a single physical disk held multiple LVM2 containers and a partition within that LVM2 setup spanned across those LVM2 containers. This was fixed.

• SR-3: Remarks have been renamed Annotations.

• SR-4: Ability to redo the picture content analysis if you reset selected files to the "still to be processed" state by pressing Ctrl+Del.

• SR-4: The 64-bit edition of earlier releases of v21.1 had problems with certain volume snapshots of older versions. That was fixed. Older versions cannot load volume snapshots any more once saved by v21.1 SR-4, except future releases of older versions can load them as read-only.

• SR-4: Fixed inability of v21.1 in some environments to find out whether it was running with administrator rights.

• SR-5: Prevented the message box "Please stop ongoing operation first" that could be shown in earlier releases of v21.1 in certain situations.

• SR-5: Ability to explore very small partitions with SquashFS.

• SR-5: TAR archives can now be added to a case directly as evidence objects even if the alternative processing method for TAR is active.

• SR-5: The internal graphics display library was updated slightly.

• SR-6: Fixed an instability that could occur when adding positions to the Position Manager when the latter was not yet visible.

• SR-6: Fixed an instability that could occur when a long path for temporary files was set.

• SR-6: Prevented an unintended activation of a different data window in certain situations when activating or deactivating a filter.

• SR-7: Fixed an exception error that occurred when filling the hash comment database with very long texts.

• SR-7: Fixed read errors that could occur when reading from a reconstructed RAID or JBOD with a sector size of 4 KB.

• SR-7: Fixed potentially incorrect extraction of e-mail attachments from MBOX e-mail archives and original .eml files..

Exponent LoadReady™

Another Exponent 3rd-party module is now available, which aims to bridge the gap between X-Ways Forensics and electronic discovery. Exponent LoadReady creates 'load-ready' productions from selected files within your case. Packaged evidence, using industry-compliant formatting, provides time-saving and accurate ingestion by highly trusted e-discovery platforms, specifically Relativity. Quotes for the entire Exponent bundle, which includes all modules, are available from X-Ways here.

Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

This mailing is to announce the release of another update with important improvements, v21.1, plus a notable bundle of add-ons for X-Ways Forensics. The official release date of v21.1 was Apr 5, 2024.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the latest log-in data/password (!), details about their licenses, and upgrade or renewal offers. Please do not ask us for the download password. Your organization has access to it already if eligible, as described.

Please be reminded that if you are interested in receiving information about service releases as soon as they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.

Upcoming Training Events

Please sign up for our training notifications here if you would like to be kept up to date on future classes.

What's new in v21.1?
(please note that most changes affect X-Ways Forensics only)

Volume Snapshot and File System Support

• Better support for very large volume snapshots. More than 500 million items (i.e. files+directories) in a single volume are now possible, only in the 64-bit edition, subject to sufficient RAM, and assuming you have enough time to wait for the completion of the volume snapshot. This tested capability should add to the notion of X-Ways Forensics as a heavy lifter for storage device analysis. The ~500 million mark assumes an average filename length of 16 characters. With shorter filenames theoretically 1 billion items or more are possible. If only the space for filenames is exhausted, more files can still be included in the volume snapshot, but they will be shown with a dummy filename (a question mark character).

• Volume snapshots of extraordinarily huge volumes now support files that are defined in the file system at offsets beyond 131 TB or have their data starting more than 131 TB into such a volume. The new limit is 262 TB.

• Slightly accelerated volume snapshot creation for large NTFS file systems.

• Two kinds of proactive filters, based on names and timestamps, can now be activated in the properties of a case. Proactive filters allow you to restrict the initial volume snapshot. Files that don't pass these filters will not be included in any volume snapshot that is taken while such filters are active. Directories are still included. This pertains only to partitions/volumes and file archives that are evidence objects, and all the files that are found in them directly, following the defining data structures of the file system or the archive. It does not restrict the addition of files that are found in any other way, for example by a file header signature search or when checking files that are already contained in a volume snapshot for embedded data etc.

• Proactive filters are special in that they can prevent files from involuntarily getting into a volume snapshot, files that you do not need or want to be there or that you are not supposed to see. Either if your task or search scope is limited to specific files whose names or timestamp ranges are known beforehand or if the evidence object (image or file archive) is so big that by avoiding hundreds of millions of other files you save time and main memory or can make the volume digestible at all (i.e. keep the volume snapshot size within the supported boundaries). The creation of the volume snapshot itself may be noticeably accelerated that way if the evidence object is an image file, plus all subsequent steps (navigating, listing, sorting, filtering, volume snapshot refinement) are less computationally expensive if you proactively prevent the inclusion of large numbers of unwanted files.
  
  A count of how many files are proactively omitted during the creation of the volume snapshot is displayed in the progress indicator window. After completion, the total number of such files can always be checked in the status of the volume snapshot in the dialog window for volume snapshot refinement. A warning that a proactive filter is active is output in the Messages window once per session, when a volume snapshot is taken.

• Directory listings obtained from the operating system ("OS dir list"), which you get for example when adding a directory or a single file to a case as an evidence object, can now be made to not show any timestamps from the file system or only the modification timestamp. That is a volume snapshot option and useful if the timestamps of the files do not have the usual significance, e.g. if they reflect when you collected the files and not what timestamps they had originally at their original location.

• In new installations the default setting of the volume snapshot option "Newly identified names as main names" is now half selected, which means only for original .eml files newly identified names (i.e. the subject lines) become the main name in the Name column, and the potentially unhelpful generic filenames according to the file system become the secondary names.

• Ability to recognize SquashFS compressed file systems as such and treat their data like file archives. The supported compression algorithms for SquashFS in X-Ways Forensics are GZIP/zlib, LZMA, LZO and XZ.

Hash Database Support

• Normal use of the hash database for reading purposes (to retrieve the names of matching hash set for display in the "Hash set" column of the directory browser), if it's shared, no longer prevents other users from updating the database or replacing the database (i.e. the directory) because the hash set names will be kept in a local cache/buffer.

• The rather simple CRC32 algorithm is now supported in ordinary hash databases. Creating a hash database  based on CRC32 is useful (only) if you really only know the CRC32 values of files that you are looking for, no more advanced hash values and not the full original file contents, for example from encrypted zip archives as such archives have the CRC32 values of the unencrypted data in the metadata. If you find CRC32 matches and the file size is the same as known from the metadata in such an encrypted zip archive, then it is very likely that you have found an unencrypted copy of the very same file.
  
  If you wish to import CRC32 hash values from a text file (with "CRC32" in the first line, followed by one CRC32 value in hex ASCII per line), please note that their hex ASCII values are expected in big-endian ("human-readable") byte order, as displayed in software like 7-Zip and WinZip and also X-Ways Forensics itself, which unlike MD5, SHA-1 etc. is not the byte order in which they are stored in binary, in X-Ways Forensics internally as well as in zip files themselves and presumably elsewhere.

• Option to define the block size for block hash databases. 512 bytes is still the default and recommended unless you are certain of what you are doing. A larger block size of 4 KB for example can be compatible with volumes/partitions that have a cluster size of 4 KB and hard disks with a sector size of 4 KB physically and logically, but thwarts any attempt to find the data that you are looking if the clusters in the target file system are not aligned at 4 KB boundaries themselves from the point of view of the evidence object. The latter may be the case for example because the file system has an irregularly sized header area before the first cluster (like FAT) or because you apply the block-wise hashing (only) at the level of a partitionable storage device in which the partitions are not aligned at a 4 KB boundary. The good news, however, is that, just like the file header signature search, block-wise hashing is applied specifically to partitions if partitions are known on a partitionable storage device (or image thereof), and only the area outside of known and explorable partitions is processed at the level of the partitionable storage device.

• Block hash matches are now displayed with their sizes in the search hit column.

• PhotoDNA matches (notably multiple matches for the same picture) can now optionally be output as labels. This is useful if you need to see all matches and/or if you wish to see PhotoDNA matches in the same place as ordinary hash database matches, which can also be output as labels.

User Interface

• You can change the order of labels in either the dialog window for label management or the filter dialog, if labels in that dialog window are not sorted by name, using the arrow buttons. Changing the order there now has an immediate effect on the order in which labels are listed in the Labels column. That way you can make sure that the labels that are most important to you are listed first.

• Label names in the Labels column can now optionally be truncated, so that more label names fit into the cells of the directory browser. This is a notation setting. Half-checked means that truncations are marked with an ellipsis.

• Reorganized and tidied up the extended dialog window for labeling.

• The option "dynamic e-mail and date columns" now properly controls visibility of the "Content created" column.

• Date filter setting to focus on files of which certain timestamps are not know at all (usually because they were not set e.g. in the file system).

• More consistent and thorough error and plausibility checks of user-provided file masks.

• Option to potentially improve synchronization of multiple gallery threads.

• If you need to call external programs from within X-Ways Forensics with certain parameters in addition to the name of the file that they should open, you can now specify those parameters in the same line of Programs.txt, delimited from the path of the executable file with a tab. The name of the file will be appended at the end, after your own parameters, unless you include the placeholder %1 anywhere in your list of parameters. That placeholder will be replaced with the filename.

• To associate a portable installation of X-Ways Forensics or X-Ways Investigator and its icon with .xfc case files on a particular machine, you could consciously run the application at least once explicitly as administrator and end it while any of the customizable standard paths is located on the same drive letter as your Windows installation, to give the application a hint that you are the owner of that Windows system and feel comfortable that data is written to it. That's either the path from where you run the application, the path where to create and expect case files, the path where to create and expect image files, or the path where to create temporary files.

• Revised compression / data density chart for .e01 evidence files. Among other improvements, the chart window now scales with the user DPI settings.

• If Preview mode is combined with Details mode, and the lower half of the data window is moved to the right-hand side, preview and details are now split vertically instead of horizontally, with the preview appearing above the details.

• The description cell in Details mode is now always quite detailed regardless of the notation settings for the Description column.

• The video files from which to extract still images are now targeted with a comma-delimited type list instead of a filename mask.

• Ukrainian and Russian translations of the user interface updated.

Picture Content Analysis

• A new Excire version is available for download now, and required for use with X-Ways Forensics 21.1. The search for "similar" pictures was revised, and the accuracy of content detection has been improved. The number of pictures that get more than one wrong keyword assigned (false positives) has been reduced by 75%. The number of pictures with no wrong keyword has been doubled.

• The new Excire version has dropped 69 keywords from its detection capabilities that yielded less reliable results. None of these keywords are very important. Support for 87 new keywords was added, including one that was previously requested from law enforcement/government agencies (identification documents), plus various body parts (i.e. not complete people).

File Format Support

• Report HTML files can now be generated automatically for the Windows Registry hive files NTUSER.DAT, SYSTEM, SOFTWARE, SECURITY, and SAM as part of metadata extraction, based on "Reg Report *.txt" definition files that you have in your installation directory (a number of which are preinstalled). The HTML files are added to the volume snapshot as child objects. The benefit is that they can serve as human-readable previews of selected interesting values, and they contain some encoded text in plain text such as UserAssist entries, so that the logical search can find them. Lots of timestamps from the processed registry hives will be added to the event list at the same time. This all happens if the user also chose to generate HTML previews for browser databases etc. and/or to populate the event list with internal timestamps in files.

• Checks certain temporary files of MS Edge for embedded pictures automatically as part of the "File header signature search in files not processed above" procedure. The file mask for this procedure is reset in this release for that purpose.

• Extracts Microsoft Teams messages stored in certain PST archives that were exported via the Admin Center of Microsoft 365.

• Ability to extract e-mail messages from OLM databases of Microsoft Outlook for Mac.

• Extracts plain text attachments from original .eml files and MBOX e-mail archives as child objects.

• Ability to decode .json files for logical searches, indexing, and Text Preview mode, including files with specially encoded Unicode characters from the Basic Multilingual Plane (e.g. Chinese).

• Metadata extraction from WEBP files extended. In particular, output of Exif metadata in WEBP pictures in addition to XMP metadata has been introduced.

• Support for some more TIFF picture variants with the internal graphics display library.

• "Social media" used to be one of multiple possible values of the so-called processing state in the Summary table of JPEG files in Details mode. This origin of photos is now brought to the user's attention via the so-called software class.

• 28 software classes are currently supported for JPEG and WEBP pictures: AI generated, Adobe, Amazon (for photos from their shopping web site), Android, Apple, Beautifier, Bing, Camera, ContentGeneral, Editor, Facebook/Instagram, Firmware, General, Google/Picasa, LinkedIn, MSN, PHP, Pinterest, Scanner, Screenshot, Misc social media, Stock (in the sense of stock photos), Twitter (X), Video still, Website builder, WhatsApp, Windows, Wordpress.

• About 75% of all JPEG and PNG (plus some WEBP) pictures now get a software class assigned.

• More definitions of photo generating devices. In particular the Galaxy S23 and S24 generator signatures were updated.

• The Summary table was revised.

• Various special properties that are detected in pictures are now referenced in Details mode with "remark" numbers. A new text file "Remarks.txt" is included, which documents those numbers and may offer a rudimentary explanation.

• Improved output of metadata for ICC color profiles

• The output of QWORD values in the registry viewer was previously only for 32 bits. It now covers the complete 64 bits.

X-Tension API

• The X-Tension API got two additional functions: XWF_Mount() and XWF_Unmount(). If your X-Tensions need to give external programs read access to many or large files in a volume snapshot, it may be faster to mount the volume snapshot as a drive letter than to copy those files to a path that is accessible to those external programs.

• When X-Tensions add directories to a case as an evidence object, they can choose to have X-Ways Forensics ignore any of the four regular timestamps of NTFS, to prevent their inclusion in the volume snapshot if they are of no value.

• The X-Tension API has spawned a notable bundle of commercial 3rd-party modules called Exponent™ that integrate very well in X-Ways Forensics and significantly extend its functionality in particular with access to acquired smartphone data and mailboxes. Exponent is available for purchase directly from X-Ways. For details please see below!

Miscellaneous

• The "Capture Processes" command for Windows live systems was revised. The ability to take window screenshots of various applications, especially Internet browsers and certain Microsoft applications, was considerably improved. Also, users now have some more control over what information is included in the tab-delimited list of windows, e.g. comprehensive lists of child windows and (also new) hash values of screenshots.

• When interpreting a file as a raw image that does not have a multiple of the presumed sector size as the file size, the extra data at the end that doesn't add to another full sector is now included, unlike in previous versions, which affects hash computation and potentially file carving. You will still get a warning about the unexpected file size when interpreting such an image, unless you have suppressed it for an evidence object. You may also get read error messages when operations that are applied sector-wise try to read the last (incomplete) "sector".

• error.log file entries are now stored in UTF-8 instead of the ANSI code page active in Windows.

• Improved error message when encountering non-standard internal timestamps in .e01 evidence files.

• The program help and the user manual were updated.

• Many minor improvements.

Changes of service releases of 21.0

• SR-1: The regular OR combination of timestamps in the timestamp filter did not always work correctly in the original release of v21.0. That was fixed.

• SR-1: nLicID was wrong in the original release of v21.0. That was fixed.

• SR-2: An error message is now shown when taking a volume snapshot when encountering files that are located beyond the 131 TB barrier in a volume because access to such files is not supported.

• SR-2: X-Ways Forensics now more strictly prevents users from treating data in free space as "embedded".

• SR-2: Fixed an exception error that could occur in v21.0 when extracting metadata from certain QuickTime video files.

• SR-2: Fixed a crash that could occur with certain TIFF pictures.

• SR-2: Fixed an error present in v20.9 and v21.0, which could include directories and files with alternative names into the same evidence file container multiple times.

• SR-2: Unusual zip archives in which overlapping records are detected, which can theoretically be a sign of archive bombs, are now labeled less intrusively.

• SR-3: Ability to use UNC paths for temporary files with the PST/OST e-mail extraction.

• SR-3: Fixed an error in the alternative PST/OST e-mail extraction.

• SR-3: The API function XWF_GetItemName() did not work correctly for certain files in v20.9 and v21.0 when trying to retrieve potentially available alternative filenames. That was fixed.

• SR-4: Largely prevented occasional inability to display thumbnails in the gallery (where thumbnails were marked with the word "Error") when the gallery was used with a great number of extra threads.

• SR-4: Improved ability to restart automatically after a crash in conjunction with multiple instances, and fixed restart error in SR-2 and SR-3.

• SR-5: Fixed a time zone adjustment issue of Safari Cache.db timestamps.

• SR-5: Prevented the "dynamic e-mail and date columns" feature from rendering the "Content created" column invisible.

• SR-6: Fixed an error in the preview of newer .automaticdestinations-ms files.

• SR-6: Fixed repetition of timestamps in zeroed out entries of wtmp log files.

• SR-6: An exception error could occur when processing Thunderbird e-mail stores under certain conditions. That was fixed.

• SR-6: Fixed incomplete output of e-mail bodies extracted from Thunderbird e-mail stores.

Exponent™

Exponent is a continually growing bundle of powerful add-ons (64-bit X-Tensions), designed exclusively for X-Ways Forensics (XWF), developed by API Forensics Inc., available from X-Ways, currently at an introductory price. This bundle extends and simplifies forensic data analysis, visualization and reporting capabilities, for everyday digital forensics and cyber security investigations. Subscribers always have access to the latest version available and get any additional future modules at no extra cost while their licenses last. Trial licenses can be requested by users of X-Ways Forensics here.

Exponent was designed with the idea of being able to import mobile device data acquired by third party products such as Magnet Axiom and MSAB XRY. The objective behind this approach is to be able to import all evidence into XWF so that forensic practitioners can conduct only one (1) forensic examination of the evidence using just one (1) tool.  This puts examiners back in the driver's seat by allowing them to leverage their skills and the power of XWF to complete their analysis and reporting more efficiently.

One thing forensic practitioners will appreciate is how Exponent X-Tensions have been designed with a rich graphical user interface. This provides a comfortable and natural experience in working with the various X-Tensions, right out of the box, using an intuitive interface and logical workflow. 

Exponent Cloud Mail

• Suports IMAP mail collection from 3rd party services providers

• Supports Microsoft, Google, AOL, Yahoo, Zoho and more

• Filter by date and date range

• Filter by keywords and GREP expressions

• Apply keyword filters to specific fields (e.g., From, To, Cc, Bcc, Subject, Attachment filenames, headers)

• Email and attachments are downloaded directly in X-Ways Forensics

• For complete details: https://www.apiforensics.com/cloud-mail.asp

Exponent Faces

• Implements commercial, industry recognized facial recognition technology that is in use by military and police organizations

• Quickly detect and extract FACES from pictures and video files (by frame), including gender recognition

• Match faces against faces you provide - create custom libraries of faces for enrollment

• Face matching is a powerful and fast way to determine if a person of interest exists in your evidence

• Extract FRAMES from videos up to 30 frames per second (34 millisecond intervals)

• Extract CLIPS (segments) from existing videos and add it back to your case file

• All FRAMES, FACES, MATCHES and CLIPS are added back to your case file as child objects making it easy to navigate and audit the evidence

• Supports all the common file formats and more:  BMP, JPG, PNG, HEIC, MP4, MPG, MOV, VOB, AVI, FLV

• Detects and extracts multiple faces from a single photograph or video frame!

• Easily produce reports from faces extracted or review in Gallery view

• Emulate built-in video playback in X-Ways Forensics by navigating extracted FRAMES in conjunction with the Preview tab

• For complete details: https://www.apiforensics.com/faces.asp

Exponent Mobile Messaging

• Import select 3rd party collected data from mobile devices for Android and iOS (see below)

• Import SMS, MMS, iMessage, Instagram Direct Messages, WhatsApp Messages collected by 3rd party mobile device products

• All metadata defined by 3rd party tools is preserved

• Messages, including all embedded photos and videos, are converted to .EML messages and imported into X-Ways Forensics (XWF)

• Allows XWF to then process and extract the imported data and embedded objects

• Supports MSAB XRY, Magnet Axiom and standalone iTunes Backup

• Now you can combine desktop evidence with mobile evidence in one single examination

• For complete details: https://www.apiforensics.com/mobile-messaging.asp

Exponent Mobile Media

• Import select 3rd party collected data from mobile devices for Android and iOS (see below)

• Import all available pictures collected by MSAB XRY, Magnet Axiom and standalone iTunes Backups

• All metadata defined by 3rd party tools is preserved

• For complete details: https://www.apiforensics.com/mobile-media.asp

Here are some of the features and functionality that are currently in development or being planned:

• Support for Cellebrite in Mobile Messaging and Mobile Media

• Portable case for X-Ways Forensics

• Loadfile and payload creator for Relativity

• Built-in support for SQLite databases

• Built-in media player

• Registry Mounter (as its own evidence object)

• Real time cloud collection of files, email, calendars

• Production Order Importer (import files produced by Google, Microsoft, Facebook, etc) as a result of a search warrant or production order

• Real time cyber and network security tools, including OSINT

• Cyber forensic artifacts

• TotalMobile - a new X-Tension to import ALL available artifacts collected by 3rd party mobile device tools

Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.