#171: X-Ways Forensics, X-Ways Investigator, WinHex 20.8 released
Apr 25, 2023
This mailing is to announce the release of
another update with important improvements, v20.8.
Customers please go to
https://www.x-ways.net/winhex/license.html
as always for the latest download instructions including current log-in data/password
(!), details about their licenses
and upgrade or renewal offers. Please do not ask us about the download
password. Your organization has access to it already if eligible as
described.
Please be reminded that if you are interested in
receiving information about service releases as soon as they become
available, you can find those in the
Announcement section of the
forum
and (with active access to updates) can subscribe to them, too, by creating
a forum profile. Please note that if you wish or need to stick with
an older version for a while, you should at least use the last service
release of that version.
Upcoming Training Events

Dates | Location | Target Region | Course | Delivered by
May 2-5 | Online | Europe, Asia | X-Ways Forensics I | X-Ways
May 16-19 | St. Paul, MN | USA | X-Ways Forensics I | H-11
May 30-Jun 2 | Paris | France | X-Ways Forensics I | Tracip
May 30-Jun 2 | Online | Middle East, APAC | X-Ways Forensics I | X-Ways
Jun 6-9 | Online | America, Europe | X-Ways Forensics I | X-Ways
Jun 20-23 | Online | Europe, Asia | X-Ways Forensics I | X-Ways
Jun 20-22 | Online | Europe, Asia | X-Ways Forensics II | X-Ways
Jun 20-23 | Fyshwick ACT | Australia | X-Ways Forensics I | CDFS
Jul 3-6 | Birmingham, England | Europe | X-Ways Forensics I | X-Ways
Jul 10-13 | Online | America, Europe | X-Ways Forensics I | X-Ways
Jul 11-13 | Online | America, Europe | X-Ways Forensics II | X-Ways
Jul 18-21 | Online (4x6 hrs!) | Middle East, APAC | X-Ways Forensics II | X-Ways
Jul 31-Aug 3 | Salt Lake City, UT | USA | X-Ways Forensics I | H-11
Aug 14-17 | London, England | Europe | X-Ways Forensics I | X-Ways
Aug 14-17 | Columbia BWI, MD | USA | X-Ways Forensics I | H-11
...
Oct 23-27 | Online | America, Europe | File Systems Revealed | X-Ways
Please sign up for our training notifications
here
if you would like to be kept up to date on future classes.
What's new in v20.8?
(please note that most changes affect X-Ways Forensics only)
Picture Analysis
-
v20.8 requires a new Excire package, which is now downloadable and which is compatible with v20.7 SR-7
and later (also older releases of v20.7 if you don't use the search for known faces). The previous version of the package for use with v20.7 SR-6 and older can still be found in the resource download directory as well.
-
Face markings for the search for known faces are now remembered even if the path of the picture collection changes.
-
The picture collection for the face search may now be stored in a path that contains spaces.
-
Option to abort face markings and volume snapshot refinement by pressing Esc while in the face marking process.
-
Identified content in pictures now optionally affects the computed relevance of those files depending on what objects/keywords you define as notable or irrelevant.
-
If the results of picture content analysis are output as labels, videos now also get labeled automatically if the stills that were extracted from them are processed.
-
A new automatic label "metadata added retroactively" was introduced. It is used for pictures whose metadata was automatically or manually added after the content already existed, such as copyright information or keywords.
-
The Summary table for JPEG files in Details mode now does not only assess the compression quality roughly as either "high", "medium", "low" or "very low", but also quantifies it in a linear scale from 0 to 100. This number is not to be confused with the nominal/official JPEG quality, which does not take the actually achieved compression into account.
-
Generating device recognition capabilities updated.
-
The option to falsify the colors of pictures in the gallery to reduce their psychological impact can now be limited to just notable pictures.
-
Gallery thumbnails can now alternatively or additionally be blurred for the same reason, if desired (thumbnails of all pictures or only notable pictures), where half-checked means less blurred.
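To make the distinction drawn in the JPEG compression item above concrete, here is an added Python example (written for this page; it is not X-Ways code and does not reproduce the 0-100 metric X-Ways itself computes). It walks the marker segments of a JPEG, derives the nominal IJG quality factor from the luminance quantization table, and reports the compression actually achieved as bits per pixel, which is the quantity the nominal value ignores. The header-only fixture it builds is constructed for the demonstration and is not a decodable picture; matching the table against libjpeg's quality scaling formula is an assumption about how nominal quality is usually estimated, not a claim about X-Ways' method.

```python
"""Nominal JPEG quality (from the DQT segment) versus achieved compression (bits per pixel).

Added example, not X-Ways code. The fixture is constructed and header-only.
"""
import struct

# Standard IJG luminance quantization table (JPEG Annex K), natural order.
STD_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
]

def ijg_scaled_table(base, quality):
    """Scale a base table the way libjpeg's jpeg_quality_scaling() does (8-bit clamp)."""
    quality = max(1, min(100, quality))
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [max(1, min(255, (b * scale + 50) // 100)) for b in base]

def estimate_quality(table):
    """IJG quality factor whose scaled luminance table best matches `table`.
    Sorted values are compared, so the zigzag storage order in the file is irrelevant."""
    observed = sorted(table)
    best_q, best_err = None, None
    for q in range(1, 101):
        expected = sorted(ijg_scaled_table(STD_LUMA, q))
        err = sum(abs(a - b) for a, b in zip(expected, observed))
        if best_err is None or err < best_err:
            best_q, best_err = q, err
    return best_q

def parse_jpeg(data):
    """Collect DQT tables and SOF dimensions from the header segments (stops at SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, tables, width, height = 2, {}, None, None
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip
            pos += 1
            continue
        if marker in (0xD9, 0xDA):    # EOI or SOS: no more header segments
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        body = data[pos + 4:pos + 2 + seglen]
        if marker == 0xDB:            # DQT, may carry several tables
            i = 0
            while i < len(body):
                pq, tq = body[i] >> 4, body[i] & 0x0F
                i += 1
                if pq == 0:
                    vals = list(body[i:i + 64]); i += 64
                else:                 # 16-bit precision (very low quality)
                    vals = list(struct.unpack(">64H", body[i:i + 128])); i += 128
                tables[tq] = vals
        elif marker in (0xC0, 0xC1, 0xC2):   # SOF0/1/2: precision, height, width
            height, width = struct.unpack(">HH", body[1:5])
        pos += 2 + seglen
    return tables, width, height

def assess(data):
    """Nominal quality from table 0 and the real compression ratio of the file."""
    tables, width, height = parse_jpeg(data)
    quality = estimate_quality(tables[0]) if 0 in tables else None
    bpp = (len(data) * 8) / (width * height) if width and height else None
    return {"nominal_quality": quality, "width": width, "height": height, "bits_per_pixel": bpp}

def _segment(marker, body):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

def build_fixture(quality=75, width=640, height=480, payload=b"\x00" * 4000):
    """Constructed fixture (not a decodable picture): SOI, DQT at `quality`, SOF0, SOS, filler, EOI."""
    dqt = bytes([0x00]) + bytes(ijg_scaled_table(STD_LUMA, quality))
    sof0 = bytes([8]) + struct.pack(">HH", height, width) + bytes([1, 1, 0x11, 0])
    sos = bytes([1, 1, 0x00, 0, 63, 0])
    return (b"\xff\xd8" + _segment(0xDB, dqt) + _segment(0xC0, sof0)
            + _segment(0xDA, sos) + payload + b"\xff\xd9")

if __name__ == "__main__":
    print(assess(build_fixture(quality=75)))
```

Two files with the same nominal quality can differ widely in bits per pixel (flat content compresses far better than noisy content), which is exactly why a separate measure of achieved compression is useful when assessing whether a picture has been recompressed.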
File Analysis
-
The function to uncover embedded data now has a verbose report mode that makes you aware of files which were previously listed in the virtual directory for carved files (found by signature at the general partition/volume level) but have since been turned into child objects of other files because they seem to logically belong to them and are contained in them.
-
The option to mark files as duplicates in the Description column is now available when checking for listed files with identical start offsets.
-
Time zone information in the summary table of Quicktime videos in Details mode for the Quicktime timestamp, with identification of files that have the so-called "incorrect time zero" issue.
-
For each "family" of file archives (general purpose, Office, special interest, ...) you can now decide whether such archives should be presented in the directory tree once their contents have been included in the volume snapshot.
-
Moderately accelerated dictionary attack on encrypted file archives. Now ~50% faster than in v20.7 and earlier.
-
Encryption test for documents slightly accelerated.
File Type Support
-
Ability to treat CAB Windows installation packages like file archives. If you wish to include their contents in the volume snapshot, please make sure that the type designation cab is listed in an active archive family like "general purpose" or "special interest". By default (in new installations) cab becomes part of "special interest" only, because most cab archives are just irrelevant Microsoft installation packages and not user-created file archives. The type designation "cab1" tries to identify most Microsoft installation packages, whereas "cab" is left for the potentially more interesting, manually created file archives.
-
Ability to view and preview the first frame of animated WEBP pictures, also in the gallery.
-
Produces thumbnails of e-mail messages in the report with the alternative .eml presentation if that presentation is active for viewing e-mails right in the browser.
-
Revised handling of file archives for better stability with some rare unusual archives.
Searching
-
If previously decoded text in files was stored in the volume snapshot for re-use, it is now possible to discard that and decode again from scratch, for example after enabling the special decoding option for spreadsheets.
-
Option to display search hits in the search hit list along with their context in hexadecimal notation. Useful especially for technical searches, i.e. not keyword searches, but searches for header signatures, delimiters, binary markers etc. The option can be found in the context menu. It will also affect the output of search hits in the "Export list" command.
-
The special search commands for integer numbers and floating point numbers can now be applied in File mode, and their output messages are now Unicode-capable and thus readable if the user interface is set to a non Western European language.
User Interface
-
Selecting an evidence object in the Case Root window now automatically also selects it in the Case Data window, and expands the tree for that if necessary (if the selected evidence object is a partition) and scrolls vertically if necessary, so that it now becomes easy to locate a particular evidence object in a large case, considering that in the case root window you can sort evidence objects by name and use filters etc.
-
Drag & drop is now supported in the Case Data window to move top-level evidence objects up or down in the tree.
-
The expanded status of top-level evidence objects with partitions is now remembered and restored when opening a case.
-
Notation setting to show forward slashes instead of backslashes in the path columns, in the caption line of the directory browser, in the Info Pane, and in the status bar, either always or only in data windows that represent a volume with a non-Microsoft file system.
-
Special icons in the Case Root window for evidence file containers, RAIDs and process acquisitions.
-
A new 3-state checkbox in the directory browser option controls whether clicking/selecting a file or directory in the directory browser will navigate to the data associated with that object in Disk/Partition/Volume mode or to the object's defining data structure in the file system. Please remember that a quick jump to the latter can also be achieved by clicking the "FS offset" cell of that object even if a click elsewhere navigates to the former. If the box is unchecked, no navigation in the lower half of the data window will take place at all, which could be beneficial if you are operating directly on a physically damaged disk, where accessing certain sectors or regions may cause hanging in the application or a crash in the operating system.
-
In newly taken volume snapshots of physical, partitioned storage devices, the "FS offset" column now shows the exact offset where in a partition table a partition is defined, and thus allows you to jump to that location with a simple mouse click. The absence of such an offset indicates that the partition was found not by following any pointers in partition tables, but merely based on its own data, in which case the Description column shows the partition as "not referenced in partition table".
-
Recover/Copy command: In case of problems with output path length, the exact offending path is now mentioned in the Messages window so that the issue can be better understood.
-
If multiple cell coloring conditions are met by the same item in the directory browser, they always produce a mixed color so hopefully none of the targeted properties go unnoticed. Selecting items in the directory browser that have active conditional line coloring will alter the color so that both the selected status and alerts of special conditions will be apparent.
-
Improved some aspects of dark mode when Windows does not use a dark theme (e.g. alternative e-mail preview) and greatly improved compatibility with some dark themes of Windows 11.
-
Improved GUI appearance of most arrow buttons in dialog windows under Windows 11.
-
Option to adjust the size of the standard Windows GUI font used for example in the directory browser and in the Case Data window. A positive number of pixels increases the size, a negative number decreases it. Restarting the application is recommended after making any adjustments.
Generally it is much better to adjust the DPI scaling settings in Windows instead because that has a more consistent effect on all elements of the GUI, including clickable controls etc., not just on the font size in certain areas. However, there are situations in which it is more practical to control the font sizes in X-Ways Forensics specifically, for example if your eyesight is above or below average and you frequently use a portable installation of X-Ways Forensics on computers other than your own.
-
Some GUI elements are now automatically resized proportionally if you use the same WinHex.cfg file in a portable installation in Windows systems with different DPI settings (i.e. usually on machines with different display resolutions), for example for on-site triage, so that you roughly keep the perceived sizes that you are used to. Among others, the following are resized: the font in the hex and text display, directory browser columns (their widths), the Case Data window (its width), and thumbnails in the gallery. This works with WinHex.cfg files last saved by v20.7 SR-7 or later.
-
Loading .settings files saved by v20.7 SR-7 and later now also adjusts previous directory browser column widths based on current DPI settings if necessary.
-
File and folder selection dialog windows are now larger.
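As an added illustration of the "FS offset" column for partitions described above (example code written for this page, not X-Ways code): the script parses a classic MBR, records the byte offset of the 16-byte entry that defines each partition, and then flags a volume boot sector found by signature whose start sector no entry points to as "not referenced in partition table". The 64 KiB image is constructed inline; 512-byte sectors, a single MBR without extended partitions or GPT, and the boot-sector signature heuristic are assumptions of the example.

```python
"""Where in the MBR is each partition defined, and which volumes does the table not reference?

Added example, not X-Ways code. Classic MBR only (no EBR/GPT), 512-byte sectors assumed.
"""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 0x1BE   # first of the four 16-byte partition entries
ENTRY_SIZE = 16

def parse_mbr(sector0):
    """Non-empty primary entries with the exact byte offset of each entry in the MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS start(3, ignored) type(1) CHS end(3, ignored) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0 or sectors == 0:
            continue
        parts.append({"index": i, "entry_offset": off, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "bootable": status == 0x80})
    return parts

def looks_like_boot_sector(sector):
    """Cheap signature check for FAT/NTFS/exFAT volume boot records (heuristic)."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    oem = sector[3:11]
    known = (b"NTFS", b"EXFAT", b"MSDOS", b"MSWIN")
    return sector[0] in (0xEB, 0xE9) and any(oem.startswith(k) for k in known)

def classify_volume(lba, table):
    """Describe a boot sector found at `lba` relative to the partition table."""
    for p in table:
        if p["lba_start"] == lba:
            return {"lba": lba, "fs_offset": p["entry_offset"],
                    "description": "partition %d" % (p["index"] + 1)}
    return {"lba": lba, "fs_offset": None, "description": "not referenced in partition table"}

def scan_for_volumes(image, table):
    """Sector-by-sector walk (fine for a small image) classifying every boot record found."""
    found = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_boot_sector(s):
            found.append(classify_volume(lba, table))
    return found

def _entry(status, ptype, lba_start, sectors):
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def _fake_boot_sector(oem):
    s = bytearray(SECTOR)
    s[0], s[1], s[2] = 0xEB, 0x52, 0x90        # jump instruction typical of VBRs
    s[3:11] = oem.ljust(8, b" ")
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def build_fixture():
    """Constructed 128-sector image: MBR referencing partitions at LBA 8 and 40,
    plus an NTFS boot sector at LBA 96 that no entry points to (old layout leftover)."""
    mbr = bytearray(SECTOR)
    mbr[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = _entry(0x80, 0x07, 8, 32)
    mbr[MBR_TABLE_OFFSET + 16:MBR_TABLE_OFFSET + 32] = _entry(0x00, 0x0C, 40, 48)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(128 * SECTOR)
    image[0:SECTOR] = mbr
    image[8 * SECTOR:9 * SECTOR] = _fake_boot_sector(b"NTFS")
    image[40 * SECTOR:41 * SECTOR] = _fake_boot_sector(b"MSWIN4.1")
    image[96 * SECTOR:97 * SECTOR] = _fake_boot_sector(b"NTFS")
    return bytes(image)

if __name__ == "__main__":
    img = build_fixture()
    table = parse_mbr(img[:SECTOR])
    for p in table:
        print("entry %d defined at MBR offset %d -> LBA %d" % (p["index"] + 1, p["entry_offset"], p["lba_start"]))
    for v in scan_for_volumes(img, table):
        print(v)
```

A partition whose defining entry can be located is also a partition whose table entry can be checked for tampering (type byte, start and size) against the volume's own boot sector, which is one reason the jump-to-definition shortcut is useful beyond convenience.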
Case and Volume Snapshot Management
-
Option to make a backup of the volume snapshot automatically once refinement has completed, so that you can quickly return to this state if necessary instead of taking a new volume snapshot and refining it again. Useful for example if you make some mistake in your manual review of files or if the volume snapshot gets corrupted somehow. If the checkbox for this (in Specialist | Refine Volume Snapshot) is fully checked instead of only half-checked, an intermediate additional backup is made after the operations of step 1 (at the disk/partition level) have completed. The menu command to restore volume snapshot backups can still be found in the context menu of the evidence object in the Case Data window.
-
Option to create the subdirectories for case and volume snapshot backups with the hidden attribute (H) so that they do not clutter up the directory listing if you check out the case directory occasionally in the Windows File Explorer, or at least are identified by a fainter version of the folder icon. This option will also affect volume snapshot backups created automatically when completing steps of the volume snapshot refinement.
-
Ability to split copylog files of the Recover/Copy command into segments of x MB, to keep them more manageable when viewing them or importing them elsewhere.
File System Support
-
Btrfs: Now includes multiple hardlinks of the same file in the volume snapshot also when they are in the same directory.
-
The option "Always ignore start sectors of known files" of the file header signature search now treats previously existing files in FAT32 file systems as known even though their start cluster numbers are just guesswork (when a file is deleted, Windows zeroes the high 16 bits of the start cluster in the FAT32 directory entry), so that more duplicates are prevented (since v20.7 SR-8).
-
Improved treatment of NTFS reparse points (since v20.7 SR-2).
-
Recognition of the Tuxera Flash File System (TFFS).
Storage and Imaging
-
When creating a cleansed image in which the virtual file "Free space" is excluded while the net free space computation is active, the Messages window now reminds the user of the fact that the cluster associations of that file are highly variable and depend on which previously existing files are known in the current volume snapshot, which may in turn depend on how far it has been refined already. If you need to exclude the entire free space as defined by the file system, the net free space option may not be suitable for you (turn it off in Options | Volume Snapshot), or alternatively you also need to specifically exclude previously existing files in free space whose contents are not supposed to make it into the cleansed image.
-
X-Ways Forensics now accepts Windows drive letters as components to internally reconstruct RAIDs. That doesn't make much sense, but allows you to reinterpret a drive letter as a physical storage device in X-Ways Forensics if necessary, by selecting it as the sole component of a JBOD. This could be useful if for some reason you need to apply menu commands to it that only make sense to apply to physical storage devices and are only available for physical storage devices, such as Scan For Lost Partitions. For example a RAID that is reconstructed/mounted outside of X-Ways Forensics may somehow present itself as a drive letter (although it does not have a volume boot sector / file system starting at sector 0 and thus cannot be put to any good use in Windows itself).
-
Excluded files and subdirectories are no longer included when mounting a volume snapshot or directory.
Miscellaneous
-
Improved support for Microsoft Azure cloud machines as a platform.
-
Improved support for machines in the Google cloud as a platform (since v20.7 SR-3).
-
X-Tensions are now by default loaded in such a way that additional DLLs required by the X-Tension will be found in the same directory where the X-Tension itself is located. This new behavior is optional and can be turned off by the user by way of a checkbox. Since the X-Tension's own directory thereby takes part in DLL resolution, treat it like any other plug-in directory: keep it writable for administrators only, so that no unintended DLL can be dropped next to the X-Tension.
-
The program help and the user manual were updated.
-
Many minor improvements.
Changes of service releases of 20.7
-
SR-1: Fixed an I/O error that could occur after using the
gallery to display files in nested disk images.
-
SR-1: Fixed an infinite loop that could occur in v20.6 and
the original v20.7 release when uncovering Windows resource data
embedded within carved DLLs.
-
SR-1: Fixed a memory corruption error that could occur on some machines in the 32-bit edition when trying to analyze photos with artificial intelligence.
-
SR-1: Prevented a message box that had to be clicked away when trying to add inaccessible drive letters to the active case through the command line.
-
SR-1: Potentially prevented instabilities with the internal graphics display library.
-
SR-2: Fixed inability to run a picture content analysis in v20.7 SR-1.
-
SR-2: Improved treatment of NTFS reparse points.
-
SR-2: Fixed an exception error that could occur in v20.6 and v20.7 when imaging storage devices from the command line.
-
SR-3: Fixed a memory leak that could occur during volume
snapshot refinement.
-
SR-3: Fixed caching of compressed TAR archives processed
with the alternative extraction method if they contained additional
nested archives.
-
SR-3: Prevented multi-threading read errors in certain
kinds of nested images.
-
SR-3: X-Ways Forensics parsed directory entries in XFS incompletely when unaligned entries were encountered. That was fixed in v20.7 and will also be fixed in all future service releases of older versions.
-
SR-3: Ability to read uninitialized areas of files before the last defined portion as binary zeroes in Btrfs depending on the corresponding volume snapshot option.
-
SR-3: When reporting a data/parameter/parity inconsistency for newly reconstructed RAIDs, X-Ways Forensics now mentions the offset on the component disks where the problem was first detected. Note that X-Ways Forensics does not check the entire disks, just the first 16 strips (previously 10).
-
SR-3: Some target paths in jumplists were improperly truncated in the event list. That output was fixed.
-
SR-3: Improved support for machines in the Google cloud as a platform.
-
SR-4: Better compatibility with the Aquatic high contrast dark theme of Windows 11.
-
SR-4: *.service_worker is now included in fresh installations in the file mask for the file header signature search portion of "Uncover embedded data in various file types" to target cache files.
-
SR-4: Support for certain streamed MP4 video files in the internal carving algorithm ~27 for the file header signature search.
-
SR-4: Fixed an error in the "Find Text" function in the Registry Viewer in v20.6 and v20.7.
-
SR-4: Fixed failure to decode Base64-encoded e-mail bodies that could occur depending on the characters in the search terms.
-
SR-4: Fixed an error in the "Filename analysis" for pictures sent via WhatsApp.
-
SR-5: Fixed an exception error that could occur in v20.7 SR-3 and SR-4 when trying to access storage devices.
-
SR-5: Fixed an exception error that could occur in v20.7 with the "OS dir list: Compute total amount of data" option.
-
SR-5: Fixed recycle bin file naming error in v20.7.
-
SR-5: Prevented data interpretation of some invalid ANSI SQL timestamps as nonsensical dates.
-
SR-5: Fixed a rare time zone problem with carved partial QuickTime video files.
-
SR-6: Fixed a rare instability that could occur when parsing corrupt inactive data of HFS+ file systems.
-
SR-6: Fixed sector number display in the progress indicator window of simple searches (searches that don't output to the search hit list).
-
SR-6: Avoided an error message that could occur under Windows XP and Vista when opening storage devices.
-
SR-6: Fixed an exception error that could occur with the alternative .eml presentation.
-
SR-7: Fixed a rare instability that could occur when processing MSG files with forwarded other e-mail messages with very long subject lines.
-
SR-7: Better prepared for the transition to v20.8.
-
SR-8: The option "Always ignore start sectors of known files" of the file header signature search now treats previously existing files in FAT32 file systems as known even though their start cluster numbers are just guesswork (when a file is deleted, Windows zeroes the high 16 bits of the start cluster in the FAT32 directory entry), so that more duplicates are prevented.
-
SR-8: Fixed display of certain SIDs in the Data Interpreter when shown alongside of GUIDs.
-
SR-8: Highlights more recent FILETIME values in the hex and text display.
-
SR-8: Fixed inability to extract thumbnails in some old JPEG pictures with very small Exif segments.
-
SR-8: Reducing the case's auto-save interval now takes effect immediately instead of next time when the previous interval elapses.
-
SR-9: Labels derived from hash set matches are now always of the special "hash set" type, not the generic "hint" type, no matter whether they are created immediately when matching hash values against the database or retroactively.
-
SR-9: The File Header Signature Search no longer skips JPEG signatures within a known JPEG file on the assumption that the function to uncover embedded data will pick up the inner file later, if the outer known JPEG file is a previously existing file. That can make a difference if the outer JPEG file is no longer intact and there is no logical connection between the inner and the outer file (thumbnail representation or alternative resolution), in which case the function to uncover embedded data would not find the inner file.
-
SR-9: More compact representation of PhotoDNA matches in Details mode.
-
SR-9: Ability to understand information about additionally found partitions as stored in .xfc case files by v20.8. Ability to gracefully deal with case files in which that kind of information is not understood.
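The SR-8 items about highlighting recent FILETIME values and displaying SIDs alongside GUIDs concern the Data Interpreter. The added Python example below (written for this page, not X-Ways code) shows the raw decoding behind those three structures, including the mixed byte order of on-disk GUIDs and the 48-bit big-endian identifier authority inside an otherwise little-endian SID. The 40-byte blob is constructed, and the rule used to call a FILETIME "recent" (within the last five years of a reference time, not in the future) is an assumption chosen for illustration, not X-Ways' highlighting rule.

```python
"""Decode FILETIME, binary SID and GUID from raw bytes, data-interpreter style.

Added example, not X-Ways code. The fixture blob is constructed.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """FILETIME: 100-ns intervals since 1601-01-01 UTC, stored as 64-bit little-endian."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def filetime_to_iso(ticks):
    return filetime_to_datetime(ticks).isoformat()

def datetime_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def decode_filetime(buf, off=0):
    (ticks,) = struct.unpack_from("<Q", buf, off)
    return filetime_to_datetime(ticks)

def is_recent_filetime(buf, off=0, now=None, years=5):
    """Highlight rule (assumption): value lies within the last `years` years up to `now`.
    `now` may be a datetime, an ISO 8601 string, or None (current UTC time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    try:
        dt = decode_filetime(buf, off)
    except (OverflowError, ValueError):
        return False      # out-of-range garbage is never a plausible timestamp
    return now - timedelta(days=365 * years) <= dt <= now

def decode_sid(buf, off=0):
    """Binary SID: revision(1), sub-authority count(1), identifier authority
    (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities."""
    revision, count = buf[off], buf[off + 1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid SID header")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_size(buf, off=0):
    """Byte length of the SID at `off`, needed to find what follows it."""
    return 8 + 4 * buf[off + 1]

def decode_guid(buf, off=0):
    """GUID as stored on disk: first three fields little-endian, last eight bytes as-is."""
    return str(uuid.UUID(bytes_le=bytes(buf[off:off + 16])))

def build_fixture():
    """Constructed 40-byte blob: FILETIME for 2023-04-25 00:00:00 UTC, a GUID,
    then the 16-byte SID S-1-5-32-544 (BUILTIN\\Administrators)."""
    ft = struct.pack("<Q", datetime_to_filetime(datetime(2023, 4, 25, tzinfo=timezone.utc)))
    guid = uuid.UUID("12345678-9abc-def0-1122-334455667788").bytes_le
    sid = bytes([1, 2]) + (5).to_bytes(6, "big") + struct.pack("<II", 32, 544)
    return ft + guid + sid

def interpret(buf):
    """Interpret the fixture layout: FILETIME at 0, GUID at 8, SID at 24."""
    return {
        "filetime": decode_filetime(buf, 0).isoformat(),
        "guid": decode_guid(buf, 8),
        "sid": decode_sid(buf, 24),
    }

if __name__ == "__main__":
    blob = build_fixture()
    print(interpret(blob))
    print("recent:", is_recent_filetime(blob, 0, now="2023-06-01T00:00:00+00:00"))
```

The GUID byte order is the usual trap: the same 16 bytes read as big-endian throughout would print a different identifier, so a Data Interpreter that shows a GUID next to a SID is only useful if both follow the on-disk conventions shown here.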
Become a certified user of X-Ways Forensics
Become an
X-PERT (X-Ways Professional in Evidence Recovery Techniques)
Prove your proficiency
in computer forensics in general and X-Ways Forensics in particular with our
certification program. After passing the challenging exam, you will be part
of an exclusive circle and enjoy various benefits such as special
recognition, training discounts, updated training material. For further
details, please check
here.
Thank you for your attention! We hope to see you soon
somewhere at https://www.x-ways.net or
on our
Facebook page. You may also follow us on
Twitter. Please forward this newsletter to anyone who you think
will be interested. If you wish to subscribe with another e-mail address,
please do so
here.
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde, Germany