#174: X-Ways Forensics, X-Ways Investigator, WinHex 21.1 and Exponent released
Apr 8, 2024
This mailing is to announce the release of another update with important improvements, v21.1, plus a notable bundle of add-ons for X-Ways Forensics. The official release date of v21.1 was Apr 5, 2024.
Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the latest log-in data/password (!), details about their licenses, and upgrade or renewal offers. Please do not ask us for the download password. Your organization has access to it already if eligible, as described.
Please be reminded that if you are interested in receiving information about service releases as soon as they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.
Upcoming Training Events
Dates | Location | Target Region | Course | Delivered by
Apr 8-12 | Online (5x6¼ hrs) | Europe, Asia | X-Ways Forensics I | X-Ways
Apr 15-18 | Kingston, ON | Canada | X-Ways Forensics I | F111th
May 6-9 | Victoria, BC | Canada | X-Ways Forensics I | F111th
May 13-17 | Online (5x6¼ hrs) | America (incl. West Coast) | X-Ways Forensics I | X-Ways
May 14-17 | New York City, NY | USA | X-Ways Forensics I | H-11
May 28-31 | Canberra | Australia | X-Ways Forensics I | CDFS
Jun 3-7 | Online (5x6¼ hrs) | Europe, Asia | X-Ways Forensics I | X-Ways
Jul 2-5 | Online (4x6¼ hrs) | Europe, Asia | X-Ways Forensics II | X-Ways
Jul 22-25 | Online (4x6¼ hrs) | America (incl. West Coast) | X-Ways Forensics II | X-Ways
Sep 23-27 | Online | America, Europe | File Systems Revealed | X-Ways
Please sign up for our training notifications here if you would like to be kept up to date on future classes.
What's new in v21.1? (please note that most changes affect X-Ways Forensics only)
Volume Snapshot and File System Support
- Better support for very large volume snapshots. More than 500 million items (i.e. files+directories) in a single volume are now possible, only in the 64-bit edition, subject to sufficient RAM, and assuming you have enough time to wait for the completion of the volume snapshot. This tested capability should add to the notion of X-Ways Forensics as a heavy lifter for storage device analysis. The ~500 million mark assumes an average filename length of 16 characters. With shorter filenames, theoretically 1 billion items or more are possible. If only the space for filenames is exhausted, more files can still be included in the volume snapshot, but they will be shown with a dummy filename (a question mark character).
- Volume snapshots of extraordinarily huge volumes now support files that are defined in the file system at offsets beyond 131 TB or have their data starting more than 131 TB into such a volume. The new limit is 262 TB.
- Slightly accelerated volume snapshot creation for large NTFS file systems.
- Two kinds of proactive filters, based on names and timestamps, can now be activated in the properties of a case. Proactive filters allow you to restrict the initial volume snapshot. Files that don't pass these filters will not be included in any volume snapshot that is taken while such filters are active. Directories are still included. This pertains only to partitions/volumes and file archives that are evidence objects, and all the files that are found in them directly, following the defining data structures of the file system or the archive. It does not restrict the addition of files that are found in any other way, for example by a file header signature search or when checking files that are already contained in a volume snapshot for embedded data etc.
- Proactive filters are special in that they can prevent files from involuntarily getting into a volume snapshot: files that you do not need or want to be there, or that you are not supposed to see. That applies either if your task or search scope is limited to specific files whose names or timestamp ranges are known beforehand, or if the evidence object (image or file archive) is so big that by avoiding hundreds of millions of other files you save time and main memory, or can make the volume digestible at all (i.e. keep the volume snapshot size within the supported boundaries). The creation of the volume snapshot itself may be noticeably accelerated that way if the evidence object is an image file, plus all subsequent steps (navigating, listing, sorting, filtering, volume snapshot refinement) are less computationally expensive if you proactively prevent the inclusion of large numbers of unwanted files. A count of how many files are proactively omitted during the creation of the volume snapshot is displayed in the progress indicator window. After completion, the total number of such files can always be checked in the status of the volume snapshot in the dialog window for volume snapshot refinement. A warning that a proactive filter is active is output in the Messages window once per session, when a volume snapshot is taken.
- Directory listings obtained from the operating system ("OS dir list"), which you get for example when adding a directory or a single file to a case as an evidence object, can now be made to show no timestamps from the file system at all, or only the modification timestamp. That is a volume snapshot option and useful if the timestamps of the files do not have the usual significance, e.g. if they reflect when you collected the files and not what timestamps they had originally at their original location.
- In new installations the default setting of the volume snapshot option "Newly identified names as main names" is now half selected, which means that only for original .eml files newly identified names (i.e. the subject lines) become the main name in the Name column, and the potentially unhelpful generic filenames according to the file system become the secondary names.
- Ability to recognize SquashFS compressed file systems as such and treat their data like file archives. The supported compression algorithms for SquashFS in X-Ways Forensics are GZIP/zlib, LZMA, LZO and XZ.
Hash Database Support
- Normal use of the hash database for reading purposes (to retrieve the names of matching hash sets for display in the "Hash set" column of the directory browser), if it's shared, no longer prevents other users from updating the database or replacing the database (i.e. the directory), because the hash set names are kept in a local cache/buffer.
- The rather simple CRC32 algorithm is now supported in ordinary hash databases. Creating a hash database based on CRC32 is useful (only) if you really only know the CRC32 values of files that you are looking for, no more advanced hash values and not the full original file contents, for example from encrypted zip archives, as such archives have the CRC32 values of the unencrypted data in their metadata. If you find CRC32 matches and the file size is the same as known from the metadata in such an encrypted zip archive, then it is very likely that you have found an unencrypted copy of the very same file.
  If you wish to import CRC32 hash values from a text file (with "CRC32" in the first line, followed by one CRC32 value in hex ASCII per line), please note that their hex ASCII values are expected in big-endian ("human-readable") byte order, as displayed in software like 7-Zip and WinZip and also X-Ways Forensics itself. Unlike for MD5, SHA-1 etc., that is not the byte order in which they are stored in binary, in X-Ways Forensics internally as well as in zip files themselves and presumably elsewhere.
- Option to define the block size for block hash databases. 512 bytes is still the default and recommended unless you are certain of what you are doing. A larger block size of 4 KB, for example, can be compatible with volumes/partitions that have a cluster size of 4 KB and hard disks with a sector size of 4 KB physically and logically, but thwarts any attempt to find the data that you are looking for if the clusters in the target file system are not themselves aligned at 4 KB boundaries from the point of view of the evidence object. The latter may be the case for example because the file system has an irregularly sized header area before the first cluster (like FAT) or because you apply the block-wise hashing (only) at the level of a partitionable storage device in which the partitions are not aligned at a 4 KB boundary. The good news, however, is that, just like the file header signature search, block-wise hashing is applied specifically to partitions if partitions are known on a partitionable storage device (or image thereof), and only the area outside of known and explorable partitions is processed at the level of the partitionable storage device.
- Block hash matches are now displayed with their sizes in the search hit column.
- PhotoDNA matches (notably multiple matches for the same picture) can now optionally be output as labels. This is useful if you need to see all matches and/or if you wish to see PhotoDNA matches in the same place as ordinary hash database matches, which can also be output as labels.
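The CRC32 item above rests on two facts about the zip format: the CRC32 of the unencrypted data (and the uncompressed size) sit in each local file header, stored as a little-endian DWORD, while tools display the same value as big-endian hex. The following Python script, added here as an illustration and not code from X-Ways or the release notes, pulls those fields from local headers, writes them in the described "CRC32" text import format, and matches them against candidate plaintext files on CRC32 plus size; the archive and candidate files are constructed sample data.

```python
import io
import struct
import zipfile
import zlib

LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"

# Constructed sample plaintext files a practitioner might hold (not from the page).
CANDIDATES = {
    "report.docx": b"Quarterly numbers, do not distribute. " * 40,
    "notes.txt": b"meeting notes\n" * 10,
    "other.bin": bytes(range(256)) * 4,
}


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zip_local_header_metadata(zip_bytes):
    """Return [(member name, crc32, uncompressed size)] from the local file headers.

    In each 30-byte local header the CRC32 of the *unencrypted* data is a
    little-endian DWORD at offset 14 and the uncompressed size at offset 22.
    Both stay readable when the member data is encrypted, which is what makes
    CRC32 + size matching against plaintext candidates possible.
    """
    out, pos = [], 0
    while True:
        pos = zip_bytes.find(LOCAL_FILE_HEADER_SIG, pos)
        if pos < 0:
            break
        flags, = struct.unpack_from("<H", zip_bytes, pos + 6)
        crc, comp_size, uncomp_size = struct.unpack_from("<III", zip_bytes, pos + 14)
        name_len, extra_len = struct.unpack_from("<HH", zip_bytes, pos + 26)
        name = zip_bytes[pos + 30:pos + 30 + name_len].decode("utf-8")
        if flags & 0x0008:
            # Bit 3 set: CRC and sizes live in a data descriptor after the data
            # (streamed archives); the header fields are zero, so report unknown.
            crc = None
        out.append((name, crc, uncomp_size))
        pos += 30 + name_len + extra_len + comp_size
    return out


def crc32_display(crc):
    """Big-endian ('human-readable') hex, as shown by 7-Zip, WinZip and X-Ways."""
    return "%08X" % crc


def crc32_stored_bytes(crc):
    """The byte order in which the same CRC32 is stored in a zip local header."""
    return struct.pack("<I", crc)


def xways_crc32_import_text(crcs):
    """Text import format from the release notes: 'CRC32' on the first line,
    then one big-endian hex value per line."""
    return "CRC32\n" + "".join(crc32_display(c) + "\n" for c in crcs)


def find_unencrypted_copies(zip_meta, candidates):
    """Map archive members to candidate files whose CRC32 *and* size agree."""
    by_key = {}
    for name, data in candidates.items():
        by_key.setdefault((zlib.crc32(data) & 0xFFFFFFFF, len(data)), []).append(name)
    matches = {}
    for member, crc, size in zip_meta:
        if crc is not None and (crc, size) in by_key:
            matches[member] = by_key[(crc, size)]
    return matches


if __name__ == "__main__":
    archive = build_sample_zip({"secret/report.docx": CANDIDATES["report.docx"],
                                "todo.txt": b"unrelated content"})
    meta = zip_local_header_metadata(archive)
    print(xways_crc32_import_text(c for _, c, _ in meta if c is not None), end="")
    print(find_unencrypted_copies(meta, CANDIDATES))
```

A CRC32 match on size alone is still only a strong indication, not proof of identical content, which is why the notes say "very likely" rather than "certain".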
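To make the block size caveat above concrete, this added Python simulation (not code from X-Ways or the release notes) builds a constructed FAT-like volume whose first cluster begins after an irregularly sized header, hashes a constructed known file in 512-byte and 4 KB blocks, and scans the volume block by block. With a header of 33 sectors the clusters are sector-aligned but not 4 KB-aligned, so 4 KB block hashing finds nothing while 512-byte blocks still match; the filler, file contents and cluster layout are assumptions of the example.

```python
import hashlib
import random

SECTOR = 512
CLUSTER = 4096


def _rand_bytes(rng, n):
    """Deterministic pseudo-random filler so the example is reproducible."""
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed 20,000-byte "known file" whose blocks go into the block hash database.
KNOWN_FILE = _rand_bytes(random.Random(7), 20000)


def block_hashes(data, block_size):
    """Hash every full block of a known file; a trailing partial block is dropped,
    as it could never equal a fixed-size block read from a volume."""
    return {hashlib.md5(data[i:i + block_size]).digest()
            for i in range(0, len(data) - block_size + 1, block_size)}


def build_volume(file_data, header_len, start_cluster=3, clusters=64):
    """Constructed FAT-like volume: an irregularly sized header area, then clusters.
    The known file is stored contiguously from start_cluster onward."""
    rng = random.Random(11)
    vol = bytearray(_rand_bytes(rng, header_len + clusters * CLUSTER))
    start = header_len + start_cluster * CLUSTER
    vol[start:start + len(file_data)] = file_data
    return bytes(vol)


def scan_volume(volume, known, block_size):
    """Block-wise hashing as a scanner does it: read the evidence object in
    consecutive blocks of block_size (no sub-block offsets) and report matches."""
    hits = []
    for off in range(0, len(volume) - block_size + 1, block_size):
        if hashlib.md5(volume[off:off + block_size]).digest() in known:
            hits.append(off)
    return hits


def compare_block_sizes(header_len):
    """Return {block_size: hit count} for 512-byte and 4 KB block hashing against a
    volume whose first cluster begins header_len bytes into the evidence object."""
    vol = build_volume(KNOWN_FILE, header_len)
    return {bs: len(scan_volume(vol, block_hashes(KNOWN_FILE, bs), bs))
            for bs in (SECTOR, CLUSTER)}


if __name__ == "__main__":
    # Header of 33 sectors: clusters are 512-byte aligned but not 4 KB aligned.
    print("unaligned:", compare_block_sizes(33 * SECTOR))
    # Header of 32 sectors (= 4 clusters): 4 KB blocks line up and match as well.
    print("aligned:  ", compare_block_sizes(32 * SECTOR))
```

The same effect occurs when hashing at the device level across a partition that does not start on a 4 KB boundary, which is why the notes recommend keeping 512 bytes unless the alignment of the target is known.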
User Interface
- You can change the order of labels in either the dialog window for label management or the filter dialog, if labels in that dialog window are not sorted by name, using the arrow buttons. Changing the order there now has an immediate effect on the order in which labels are listed in the Labels column. That way you can make sure that the labels that are most important to you are listed first.
- Label names in the Labels column can now optionally be truncated, so that more label names fit into the cells of the directory browser. This is a notation setting. Half-checked means that truncations are marked with an ellipsis.
- Reorganized and tidied up the extended dialog window for labeling.
- The option "dynamic e-mail and date columns" now properly controls visibility of the "Content created" column.
- Date filter setting to focus on files of which certain timestamps are not known at all (usually because they were not set, e.g. in the file system).
- More consistent and thorough error and plausibility checks of user-provided file masks.
- Option to potentially improve synchronization of multiple gallery threads.
- If you need to call external programs from within X-Ways Forensics with certain parameters in addition to the name of the file that they should open, you can now specify those parameters in the same line of Programs.txt, delimited from the path of the executable file with a tab. The name of the file will be appended at the end, after your own parameters, unless you include the placeholder %1 anywhere in your list of parameters. That placeholder will be replaced with the filename.
- To associate a portable installation of X-Ways Forensics or X-Ways Investigator and its icon with .xfc case files on a particular machine, you could consciously run the application at least once explicitly as administrator and end it while any of the customizable standard paths is located on the same drive letter as your Windows installation, to give the application a hint that you are the owner of that Windows system and feel comfortable that data is written to it. That's either the path from where you run the application, the path where to create and expect case files, the path where to create and expect image files, or the path where to create temporary files.
- Revised compression / data density chart for .e01 evidence files. Among other improvements, the chart window now scales with the user DPI settings.
- If Preview mode is combined with Details mode, and the lower half of the data window is moved to the right-hand side, preview and details are now split vertically instead of horizontally, with the preview appearing above the details.
- The description cell in Details mode is now always quite detailed regardless of the notation settings for the Description column.
- The video files from which to extract still images are now targeted with a comma-delimited type list instead of a filename mask.
- Ukrainian and Russian translations of the user interface updated.
Picture Content Analysis
- A new Excire version is available for download now, and required for use with X-Ways Forensics 21.1. The search for "similar" pictures was revised, and the accuracy of content detection has been improved. The number of pictures that get more than one wrong keyword assigned (false positives) has been reduced by 75%. The number of pictures with no wrong keyword has been doubled.
- The new Excire version has dropped 69 keywords from its detection capabilities that yielded less reliable results. None of these keywords are very important. Support for 87 new keywords was added, including one that was previously requested from law enforcement/government agencies (identification documents), plus various body parts (i.e. not complete people).
File Format Support
- Report HTML files can now be generated automatically for the Windows Registry hive files NTUSER.DAT, SYSTEM, SOFTWARE, SECURITY, and SAM as part of metadata extraction, based on "Reg Report *.txt" definition files that you have in your installation directory (a number of which are preinstalled). The HTML files are added to the volume snapshot as child objects. The benefit is that they can serve as human-readable previews of selected interesting values, and they contain some otherwise encoded text in plain text, such as UserAssist entries, so that the logical search can find them. Lots of timestamps from the processed registry hives will be added to the event list at the same time. This all happens if the user also chose to generate HTML previews for browser databases etc. and/or to populate the event list with internal timestamps in files.
- Checks certain temporary files of MS Edge for embedded pictures automatically as part of the "File header signature search in files not processed above" procedure. The file mask for this procedure is reset in this release for that purpose.
- Extracts Microsoft Teams messages stored in certain PST archives that were exported via the Admin Center of Microsoft 365.
- Ability to extract e-mail messages from OLM databases of Microsoft Outlook for Mac.
- Extracts plain text attachments from original .eml files and MBOX e-mail archives as child objects.
- Ability to decode .json files for logical searches, indexing, and Text Preview mode, including files with specially encoded Unicode characters from the Basic Multilingual Plane (e.g. Chinese).
- Metadata extraction from WEBP files extended. In particular, output of Exif metadata in WEBP pictures in addition to XMP metadata has been introduced.
- Support for some more TIFF picture variants with the internal graphics display library.
- "Social media" used to be one of multiple possible values of the so-called processing state in the Summary table of JPEG files in Details mode. This origin of photos is now brought to the user's attention via the so-called software class.
- 28 software classes are currently supported for JPEG and WEBP pictures: AI generated, Adobe, Amazon (for photos from their shopping web site), Android, Apple, Beautifier, Bing, Camera, ContentGeneral, Editor, Facebook/Instagram, Firmware, General, Google/Picasa, LinkedIn, MSN, PHP, Pinterest, Scanner, Screenshot, Misc social media, Stock (in the sense of stock photos), Twitter (X), Video still, Website builder, WhatsApp, Windows, Wordpress.
- About 75% of all JPEG and PNG (plus some WEBP) pictures now get a software class assigned.
- More definitions of photo generating devices. In particular, the Galaxy S23 and S24 generator signatures were updated.
- The Summary table was revised.
- Various special properties that are detected in pictures are now referenced in Details mode with "remark" numbers. A new text file "Remarks.txt" is included, which documents those numbers and may offer a rudimentary explanation.
- Improved output of metadata for ICC color profiles.
- The output of QWORD values in the registry viewer previously covered only 32 bits. It now covers the complete 64 bits.
X-Tension API
- The X-Tension API got two additional functions: XWF_Mount() and XWF_Unmount(). If your X-Tensions need to give external programs read access to many or large files in a volume snapshot, it may be faster to mount the volume snapshot as a drive letter than to copy those files to a path that is accessible to those external programs.
- When X-Tensions add directories to a case as an evidence object, they can choose to have X-Ways Forensics ignore any of the four regular timestamps of NTFS, to prevent their inclusion in the volume snapshot if they are of no value.
- The X-Tension API has spawned a notable bundle of commercial 3rd-party modules called Exponent™ that integrate very well in X-Ways Forensics and significantly extend its functionality, in particular with access to acquired smartphone data and mailboxes. Exponent is available for purchase directly from X-Ways. For details please see below!
Miscellaneous
- The "Capture Processes" command for Windows live systems was revised. The ability to take window screenshots of various applications, especially Internet browsers and certain Microsoft applications, was considerably improved. Also, users now have some more control over what information is included in the tab-delimited list of windows, e.g. comprehensive lists of child windows and (also new) hash values of screenshots.
- When interpreting a file as a raw image whose file size is not a multiple of the presumed sector size, the extra data at the end that doesn't add up to another full sector is now included, unlike in previous versions, which affects hash computation and potentially file carving. You will still get a warning about the unexpected file size when interpreting such an image, unless you have suppressed it for an evidence object. You may also get read error messages when operations that are applied sector-wise try to read the last (incomplete) "sector".
- error.log file entries are now stored in UTF-8 instead of the ANSI code page active in Windows.
- Improved error message when encountering non-standard internal timestamps in .e01 evidence files.
- The program help and the user manual were updated.
- Many minor improvements.
Changes of service releases of 21.0
- SR-1: The regular OR combination of timestamps in the timestamp filter did not always work correctly in the original release of v21.0. That was fixed.
- SR-1: nLicID was wrong in the original release of v21.0. That was fixed.
- SR-2: An error message is now shown when taking a volume snapshot when encountering files that are located beyond the 131 TB barrier in a volume, because access to such files is not supported.
- SR-2: X-Ways Forensics now more strictly prevents users from treating data in free space as "embedded".
- SR-2: Fixed an exception error that could occur in v21.0 when extracting metadata from certain QuickTime video files.
- SR-2: Fixed a crash that could occur with certain TIFF pictures.
- SR-2: Fixed an error present in v20.9 and v21.0, which could include directories and files with alternative names into the same evidence file container multiple times.
- SR-2: Unusual zip archives in which overlapping records are detected, which can theoretically be a sign of archive bombs, are now labeled less intrusively.
- SR-3: Ability to use UNC paths for temporary files with the PST/OST e-mail extraction.
- SR-3: Fixed an error in the alternative PST/OST e-mail extraction.
- SR-3: The API function XWF_GetItemName() did not work correctly for certain files in v20.9 and v21.0 when trying to retrieve potentially available alternative filenames. That was fixed.
- SR-4: Largely prevented occasional inability to display thumbnails in the gallery (where thumbnails were marked with the word "Error") when the gallery was used with a great number of extra threads.
- SR-4: Improved ability to restart automatically after a crash in conjunction with multiple instances, and fixed a restart error in SR-2 and SR-3.
- SR-5: Fixed a time zone adjustment issue of Safari Cache.db timestamps.
- SR-5: Prevented the "dynamic e-mail and date columns" feature from rendering the "Content created" column invisible.
- SR-6: Fixed an error in the preview of newer .automaticdestinations-ms files.
- SR-6: Fixed repetition of timestamps in zeroed out entries of wtmp log files.
- SR-6: An exception error could occur when processing Thunderbird e-mail stores under certain conditions. That was fixed.
- SR-6: Fixed incomplete output of e-mail bodies extracted from Thunderbird e-mail stores.
Exponent™
Exponent is a continually growing bundle of powerful add-ons (64-bit X-Tensions), designed exclusively for X-Ways Forensics (XWF), developed by API Forensics Inc., available from X-Ways, currently at an introductory price. This bundle extends and simplifies forensic data analysis, visualization and reporting capabilities, for everyday digital forensics and cyber security investigations. Subscribers always have access to the latest version available and get any additional future modules at no extra cost while their licenses last. Trial licenses can be requested by users of X-Ways Forensics here.
Exponent was designed with the idea of being able to import mobile device data acquired by third party products such as Magnet Axiom and MSAB XRY. The objective behind this approach is to be able to import all evidence into XWF so that forensic practitioners can conduct only one (1) forensic examination of the evidence using just one (1) tool. This puts examiners back in the driver's seat by allowing them to leverage their skills and the power of XWF to complete their analysis and reporting more efficiently.
One thing forensic practitioners will appreciate is how Exponent X-Tensions have been designed with a rich graphical user interface. This provides a comfortable and natural experience in working with the various X-Tensions, right out of the box, using an intuitive interface and logical workflow.
Exponent Cloud Mail
- Supports IMAP mail collection from 3rd party service providers
- Supports Microsoft, Google, AOL, Yahoo, Zoho and more
- Filter by date and date range
- Filter by keywords and GREP expressions
- Apply keyword filters to specific fields (e.g., From, To, Cc, Bcc, Subject, Attachment filenames, headers)
- Email and attachments are downloaded directly into X-Ways Forensics
- For complete details: https://www.apiforensics.com/cloud-mail.asp
Exponent Faces
- Implements commercial, industry recognized facial recognition technology that is in use by military and police organizations
- Quickly detect and extract FACES from pictures and video files (by frame), including gender recognition
- Match faces against faces you provide - create custom libraries of faces for enrollment
- Face matching is a powerful and fast way to determine if a person of interest exists in your evidence
- Extract FRAMES from videos up to 30 frames per second (34 millisecond intervals)
- Extract CLIPS (segments) from existing videos and add them back to your case file
- All FRAMES, FACES, MATCHES and CLIPS are added back to your case file as child objects, making it easy to navigate and audit the evidence
- Supports all the common file formats and more: BMP, JPG, PNG, HEIC, MP4, MPG, MOV, VOB, AVI, FLV
- Detects and extracts multiple faces from a single photograph or video frame!
- Easily produce reports from faces extracted or review in Gallery view
- Emulate built-in video playback in X-Ways Forensics by navigating extracted FRAMES in conjunction with the Preview tab
- For complete details: https://www.apiforensics.com/faces.asp
Exponent Mobile Messaging
- Import select 3rd party collected data from mobile devices for Android and iOS (see below)
- Import SMS, MMS, iMessage, Instagram Direct Messages, WhatsApp Messages collected by 3rd party mobile device products
- All metadata defined by 3rd party tools is preserved
- Messages, including all embedded photos and videos, are converted to .EML messages and imported into X-Ways Forensics (XWF)
- Allows XWF to then process and extract the imported data and embedded objects
- Supports MSAB XRY, Magnet Axiom and standalone iTunes Backup
- Now you can combine desktop evidence with mobile evidence in one single examination
- For complete details: https://www.apiforensics.com/mobile-messaging.asp
Exponent Mobile Media
- Import select 3rd party collected data from mobile devices for Android and iOS (see below)
- Import all available pictures collected by MSAB XRY, Magnet Axiom and standalone iTunes Backups
- All metadata defined by 3rd party tools is preserved
- For complete details: https://www.apiforensics.com/mobile-media.asp
Here are some of the features and functionality that are currently in development or being planned:
- Support for Cellebrite in Mobile Messaging and Mobile Media
- Portable case for X-Ways Forensics
- Loadfile and payload creator for Relativity
- Built-in support for SQLite databases
- Built-in media player
- Registry Mounter (as its own evidence object)
- Real time cloud collection of files, email, calendars
- Production Order Importer (import files produced by Google, Microsoft, Facebook, etc. as a result of a search warrant or production order)
- Real time cyber and network security tools, including OSINT
- Cyber forensic artifacts
- TotalMobile - a new X-Tension to import ALL available artifacts collected by 3rd party mobile device tools
Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques)
Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, and updated training material. For further details, please check here.
Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde, Germany