#170: X-Ways Forensics, X-Ways Investigator, WinHex 20.7 released
Jan 9, 2023

This mailing is to announce the release of another update with very important improvements, v20.7. The official release date was the 15th of November 2022.

Customers, please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data (the passwords have changed recently!), details about their licenses and upgrade or renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible.

Please be reminded that if you are interested in receiving information about service releases at the moment when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.

Upcoming Training Events

| Dates | Location | Target Region | Course | Delivered by |
|---|---|---|---|---|
| Jan 9-12 | Online | America, Europe | X-Ways Forensics | X-Ways |
| Jan 16-19 | London, England | Europe | X-Ways Forensics | X-Ways |
| Jan 23-26 | Las Vegas, NV | USA | X-Ways Forensics | H-11 |
| Jan 23-26 | Seattle, WA | USA | X-Ways Forensics | H-11 |
| Jan 24-27 | Online | Europe, Asia | X-Ways Forensics | X-Ways |
| Feb 7-10 | Online | Europe, Asia | X-Ways Forensics | X-Ways |
| Feb 20-23 | Liverpool, England | Europe | X-Ways Forensics | X-Ways |
| Feb 21-24 | Ft. Lauderdale | USA | X-Ways Forensics | H-11 |
| Feb 27-Mar 2 | Online | America, Europe | X-Ways Forensics | X-Ways |
| Mar 6-9 | DC Area | USA | X-Ways Forensics | X-Ways |
| Mar 13-16 | Mexico City | Mexico | X-Ways Forensics | H-11 |
| Mar 20-24 | Online | America, Europe | File Systems Revealed | X-Ways |
| Mar 27-30 | Salt Lake City | USA | X-Ways Forensics | H-11 |
| Mar 28-30 | Online | America, Europe | X-Ways Forensics II | X-Ways |
| Apr 17-20 | Santa Ana, CA | USA | X-Ways Forensics | H-11 |
| Apr 18-20 | Online | America, Europe | X-Ways Forensics II | X-Ways |
| Apr 25-27 | Online | Europe, Asia | X-Ways Forensics II | X-Ways |

Please sign up for our training notifications here if you would like to be kept up to date on future classes. Training vouchers for 2023 are available from here.

What's new in v20.7?
(please note that most changes affect X-Ways Forensics only)

Picture Analysis

- The functionality of Excire Forensics is now included in X-Ways Forensics! That means an artificial intelligence can check the pictures in your case (when refining volume snapshots from the main menu) and make you aware of identified content via labels or comments, by which you can filter. The complete hierarchy of identifiable content can be found here. Photo content descriptions are available in English, German, French, Spanish and Italian. Users of X-Ways Investigator, please consider upgrading to X-Ways Forensics to get access to the Excire functionality.
- Excire requires a 64-bit Windows 10, Windows 11, Windows Server 2016, Windows Server 2019 or Windows Server 2022. Download instructions for this separate package can be retrieved by querying one's license status here as always. It's simply another zip archive in the resource directory. By default the additional files will be expected in a subdirectory \Excire in the installation directory, but you can change the path in Options | File Viewing so that multiple installations of X-Ways Forensics can share the same installed package.
- Pictures can be automatically categorized as irrelevant or notable. In the extensive hierarchy of identifiable objects you can select individual objects or entire subtrees that render a picture irrelevant from your point of view with a high degree of certainty, such as any kinds of animals, plants, sports, musical instruments etc. You can also define what renders a picture notable for you, such as nudity, pornography, guns, powdery substances, pills, children, vehicles, text, paper texture (for documents) etc. "Notable" always overrides "irrelevant" when in doubt, if for example dogs are considered as important in a particular case, but animals otherwise are still marked as irrelevant. Logical AND combinations are supported when categorizing photos as notable. Some AND combinations are predefined that are meant to assist in child pornography investigations.
- Excire also allows you to find photos that are “similar” from the perspective of an artificial intelligence to a collection of typical relevant photos from earlier cases or other photos that you provide (in JPEG, PNG, Bitmap, or TIFF format).
- Excire also allows you to find faces of particular people in photos of new cases. (The application will require you to mark faces of interest in JPEG, PNG, Bitmap, or TIFF pictures.)

File Type Support

- A patch was applied to the viewer component download that improves rendering for certain PDF documents.
- The internal graphics display library was revised and updated in particular for the formats PNG, WEBP, and PCX.
- 5% more definitions of photo generating devices.
- Front camera recognition improved, especially for Samsung, also for Xiaomi and Apple smartphones.
- The average number of bits per pixel in an actual JPEG picture in Details mode is now accompanied by the known median value of bits per pixel for the same generator signature to put it into perspective.
- The Summary table for JPEG pictures has a new entry called "software class", which aggregates information previously spread across various other metadata details. The following values are possible: Adobe, Facebook/Instagram, Whatsapp, Twitter, Google/Picasa, Windows, Android, Firmware, Apple, Social media, Editor, General, Beautifier.
- A new possible condition in the summary table for JPEG files is "cropped". Cropped means that the dimensions of the picture in pixels are not known to be one of the standard dimensions of the generating device. That also means that the picture is not even considered to be potentially "relatively original", and its relevance will be reduced compared to pictures that are considered "relatively original". The dimension will be displayed in blue in such a case.
- Improved grouping of small pictures without metadata when sorting by relevance.
- Relevance computation revised. The number of bits per pixel in a JPEG picture now has an effect on the computed relevance so that rather monotonous and blurred pictures get a lower score.
- Some target paths in jumplists were improperly truncated in the event list. That output was fixed.

User Interface

- Report table associations are now called labels for reasons of simplicity and because v20.7 even more so than previous versions can generate a lot of such associations that will not usually become the basis of a report. If all the files with a particular label are output in a report in tabular form, the result of that, however, is still called a report table.
- Option to adjust American spelling to British spelling in most parts of the user interface when setting English as the active language. British spelling is also the default setting now in new installations of WinHex/X-Ways Forensics/X-Ways Investigator if the Windows installation language is UK English, Australian English or New Zealand English.
- The Chinese translation of the user interface was updated.
- The option to display offsets in either hexadecimal or decimal has been moved to the Notation settings. As such, you can have for example hexadecimal offsets in the GUI when using the application, but decimal offsets for example when exporting data from the directory browser for external use.
- Hexadecimal numbers and code can now optionally be written with lower-case letters from a through f. This affects hexadecimal offsets, the hex column, hash value display and more, and this is another option in the Notation settings.
- Prevented a message box that had to be clicked away when trying to add inaccessible drive letters to the active case through the command line.

File System Support

- Improved treatment of NTFS reparse points.
- Ability to read uninitialized areas of files before the last defined portion as binary zeroes in Btrfs depending on the corresponding volume snapshot option.
- An error in XFS processing has been corrected that prevented the reading of certain directory structures if the directory used an EA fork.
- X-Ways Forensics parsed directory entries in XFS incompletely when unaligned entries were encountered. That was fixed in v20.7 and will also be fixed in all future service releases of older versions.
- Fixed an exception error that occurred when trying to preview extracted e-mail messages in extracted text mode.

Miscellaneous

- Filtering for a particular event ID in the event description column without hitting on the same number elsewhere in the description is now easy because the event ID is now prepended with the letters "ID" and a space. (In newly refined volume snapshots only.)
- When reporting a data/parameter/parity inconsistency for newly reconstructed RAIDs, X-Ways Forensics now mentions the offset on the component disks where the problem was first detected. Note that X-Ways Forensics does not check the entire disks, just the first 16 strips (previously 10).
- The old Bates numbering function now supports Unicode filenames.
- The latest NSRL hash database version 2.79 is now downloadable in XWF format from the resource directory.
- The program help and the user manual were updated.
- Many minor improvements.

Various fixes until v20.7 SR-3

- Fixed an I/O error that could occur after using the gallery to display files in nested disk images.
- Fixed an infinite loop that could occur in v20.6 and the original v20.7 release when uncovering Windows resource data embedded within carved DLLs.
- Fixed a memory leak that could occur during volume snapshot refinement.
- Fixed caching of compressed TAR archives processed with the alternative extraction method if they contained additional nested archives.
- Prevented multi-threading read errors in certain kinds of nested images.

Changes in service releases of 20.6

- SR-1: The option to keep archive contents in the cache, if half-checked, caused errors (exceptions or unreadable files) when dealing with file archives in the GB range in the original v20.6 release. That was fixed.
- SR-1: Compatible with the new version of the Excire PhotoAI package from today.
- SR-2: Fixed an exception error that could occur in v20.6 when converting extracted e-mail bodies in RTF format to plain text.
- SR-2: Fixed an exception error that occurred in v20.6 when applying the thorough file system data structure search to an Ext volume.
- SR-2: Fixed an error that could occur in report table management in v20.5 and later.
- SR-2: Fixed an exception error that could occur when clicking OK in the evidence object properties window in v20.5 and later.
- SR-2: Fixed inability to automatically add newly created images to the case and refine their volume snapshots.
- SR-2: Fixed a potential archive cache problem.
- SR-3: Fixed inability to pick a column to name copied files in the case report.
- SR-3: In some situations, files copied along with the report, if named after a particular property of theirs in the directory browser, were not given a filename extension. That was fixed.
- SR-3: Fixed an exception error that could occur when parsing Windows event log files with certain metadata extraction settings.
- SR-3: Avoided an exception error with minimal impact related to floating point numbers in SQLite databases.
- SR-4: Fixed the definition of generator signatures for a few devices by Huawei and Apple (retroactively also in v20.1 SR-14 and v20.2 SR-10). This is relevant for device class identification and processing state.
- SR-4: Fixed a potential loss of entries in the user-defined file "Regular Expressions.txt" in the 64-bit edition of X-Ways Forensics and X-Ways Investigator.
- SR-4: Fixed inability to refine volume snapshots or run a physical search if no information for crash reports was collected.
- SR-4: Avoided read error messages when carving certain files in certain other files.
- SR-5: Some fixes in Event Log Events.txt.
- SR-5: Very large data associated with Windows event log events previously was not output at all and caused malformed lines in the TSV representation. That was improved. Up to 8 KB of that data is now included.
- SR-5: The X-Tension API function XWF_GetWindow() was improved and can now also target the active data window.
- SR-5: Fixed a rare memory corruption error that could occur when extracting metadata from JPEG files.
- SR-5: Fixed an exception error that occurred when importing NSRL RDS hash sets in the 64-bit edition with certain settings.
- SR-5: Fixed inability to define a keyboard shortcut for associations with certain report tables if the total number of report tables is very high.
- SR-5: Fixed intermittent failure to highlight FILE records in situations where the number of lines in the hex editor display was not a multiple of 4, if the box for this highlighting option was only half checked.

Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts and updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Carl-Diem-Str. 32 32257 Bünde