WinHex & X-Ways Forensics Newsletter Archive
#119b: WinHex, X-Ways Forensics, X-Ways Investigator 15.8 SR-4 and 15.9 Beta available Dec 18, 2010
Hello everyone,

Upcoming X-Ways Forensics & File Systems Training

Find us on Facebook!

Although many of our users have to be secretive and strictly separate work and private life, we hope for a few likes. Depending on the response, we may make additional announcements and share information in the future on Facebook. Promised: Of course we do not grant Facebook access to our e-mail or share the thousands of contacts that we have with Facebook. Additionally, our official main web site is not part of any Facebook network that would allow Facebook or other companies to see and recognize you when you visit us.

What's new in v15.9 Beta?
Changes of v15.8 SR-1:
Changes of v15.8 SR-2:
Changes of v15.8 SR-3:
Changes of v15.8 SR-4:
Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net. Please forward this newsletter to anyone who you think will be interested.

Happy holidays or Merry Christmas to all readers!
#119: WinHex, X-Ways Forensics, X-Ways Investigator 15.8 released Oct 10, 2010
This mailing is to announce a noteworthy update, v15.8.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more.

Please be advised that if you are interested in receiving information about service releases of v15.8 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net Service releases are not announced via this newsletter when they are made available.

-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES

Washington, DC http://www.x-ways.net/training/washington_dc.html Nov 15-17, 18-19

For more information: http://www.x-ways.net/training/
-------------------------------------------------------------
WHAT'S NEW?

* A new version of the viewer component (v8.3.5) is now available for download to licensed owners of X-Ways Forensics and X-Ways Investigator with update maintenance. The relevant changes are:
  - Windows 7 is now an officially supported platform.
  - Improved rendering engine for vector drawings, presentations, and charts.
  - Some minor improvements.
  Installing this update is recommended, but not urgent.
* The number of files that are contained in a directory or in evidence objects (recursively) is now optionally displayed in the directory tree and in the directory browser directly following the directory name, in parentheses. This allows you to easily find directories or evidence objects/partitions that contain most files. A file count is also provided for files that have child objects. File counts are also presented in a new directory browser column, which is sortable. Forensic license only.
* If recursive selection statistics are enabled, in the directory browser X-Ways Forensics now shows as the size of a directory the total size of all the files directly or indirectly contained in that directory, not the size of the data structures of the directory any more. Comments about this new feature are welcome. The recursive selection statistics now exclude the size of the data structures of the directories themselves.
* The recursive selection statistics are now considerably faster to compute for directories on large volume snapshots.
* Ability to internally reconstruct JBOD, i.e. virtually concatenate spanned physical disks (or images of physical disks), via the menu command Specialist | Reconstruct RAID System. Requires a specialist license or higher. Note that if not all the sectors on the component disks are actually used (some reserved at the end) then prior to reconstructing the RAID you can specify the used sector count for each component via Tools | Disk Tools | Set Disk Parameters.
* Recover/Copy: Ability to group existing and deleted files even when not recreating the original path. Ability to group files by other parameters such as file type, category, description, sender, owner, hash set, hash category, report table association. Forensic license only.
* Recover/Copy: Ability to embed attachments that are part (but not the only contents) of e-mail messages in their respective parent .eml files, if both the attachment(s) and the e-mail message are selected for copying and not excluded by any filter. The ability to embed attachments in .eml files already when extracting e-mail from e-mail archives will be removed only in the next version after 15.8.
* Recover/Copy: The single-character suffix that is used to name output folders for child objects of files (distinguish them from the name of the parent files, avoid name conflicts) is now user-definable. It can also be disabled to return to the behavior of v15.5 and earlier, where the words " child objects" were appended. Forensic license only.
* Recover/Copy no longer recreates the original Windows attributes when copying files because hidden and system attributes often make it unnecessarily complicated to see the output files.
* For e-mail extracted by v15.8, you can now see in the Attribute column if an e-mail message is marked as unread. Forensic license only.
* Revised ability to filter for e-mail messages via the Attr. column. Note that the additional e-mail properties by which you can filter are combined with a logical AND, not OR, as otherwise common within the Attr. filter. Forensic license only.
* Sent e-mails in PST/OST archives are now extracted as eml files by the non-MAPI extraction method, too, and their timestamps are now shown in the timestamp columns.
* Support for non-English attachment names in artificially generated .eml representation of e-mails that were extracted from OST/PST with the non-MAPI method.
* Outlook calendar entries, contacts, notes, and tasks will now also be shown with timestamps.
* Outlook journal entries are now better represented.
* It is now possible to monitor lengthy operations in X-Ways Forensics from other computers in the same network, i.e. see whether they are still ongoing or completed. In General Options you can enable progress notifications via text files (that can be created in a directory on a network drive) and via e-mail in user-defined intervals. Forensic license only.
* New default directory for cases under Windows Vista and 7 if X-Ways Forensics has been installed with the setup program.
* The category filter popup menu now allows you to see statistics about the categories of the files currently listed.
* Numeric columns in the directory browser such as 1st sector, skin color percentage, internal ID etc. are now right-aligned.
* GPS module timestamps and coordinates are now extracted from JPEG files that contain them.
* Comments in zip archives will be extracted by the metadata extraction.
* Zip archives that contain hidden files will now be flagged with a report table association.
* Certain deleted files that are found during the particularly thorough file system data structure search in NTFS volumes can now be represented with correct contents even if they are fragmented and their FILE records are not available any more.
* New checkbox for logical searching and indexing that allows you to specifically omit directories (i.e. not search NTFS INDX buffer, FAT directory entries etc.).
* Maximum number of search terms that can be logically combined for a fuzzy AND combination slightly increased from 7 to 8.
* Contiguous bad clusters in FAT volumes are now represented as separate virtual files.
* Correct representation of FAT and root directory in the volume snapshot for FAT volumes with only 1 file allocation table.
* Detection of eCryptfs-encrypted files (files stored by the Enterprise Cryptographic FileSystem for Linux). Based on material provided by Ted Smith and implementations for Ubuntu 8.10, 9.04, 9.10 and 10.04. Such files will be marked with E in the Attributes column, just like EFS-encrypted files in NTFS, but only after the encryption test has been run. Forensic license only.
* Support for the Linux file system next3. The exclude bitmap inode will be evaluated, and snapshot files are marked with (SF) in the Attribute column. Specialist license or higher required.
* Table "Partitions by disk signature" in registry report now supported for Windows 7 registries, too. New table "Windows portable devices".
* Polish translation of user interface (still in development).
* The Sender/Recipient columns were swapped in the original 15.7 release. This was fixed with SR-1.
* Fixed two errors that could interrupt taking a volume snapshot with the original 15.7 release. This was fixed with SR-2.
* Non-MAPI PST/OST processing further improved. (with v15.7 SR-3)
* Ability to restore the last filter settings (via the Back button in the toolbar) also when deactivating all filters with a single mouse click. (since v15.7 SR-3)
* Fixed an exception error that could occur when creating a Technical Details Report for certain not 100% efficiently formatted large FAT32 volumes. (since v15.7 SR-3)
* Fixed inefficient handling of negated GREP expressions for searches in Unicode. (since v15.7 SR-3)
* Fixed HTML export for GREP search hits. (since v15.7 SR-3)
* The Italian translation of the user interface was updated. (with v15.7 SR-4)
* Ability to turn off the strict drive letter protection when saving files. (since v15.7 SR-4)
* If the preferred e-mail extraction method for PST files is MAPI, the non-MAPI method is still used to find traces of e-mail messages in unallocated space within the PST files. (since v15.7 SR-4)
* Ability to distinguish ZIPX and XAP files from ordinary Zip archives. (since v15.7 SR-4)
* Additional registry report definitions. (since v15.7 SR-4)
* Ability to automatically extract SID/username combinations from non-standard SAM hives where previously that failed. (since v15.7 SR-4)
* Otherwise improved Windows Registry support for Windows versions from XP to 7. (since v15.7 SR-4)
* Two exception errors were fixed that could occur when processing registry hives. (since v15.7 SR-4)
* Fixed a problem when exporting search hits without context that were the result of GREP expressions. (since v15.7 SR-4)
* Fixed a crash that could occur when importing a folder with hash sets or hash sets with duplicate hash values. (since v15.7 SR-4)
* "NOT" option for the file type filter. (since v15.7 SR-4)
* Better processing of some unusual FAT volume layouts. (since v15.7 SR-5)
* Fixed an exception error that could occur when opening certain FAT volumes. (since v15.7 SR-5)
* Improved PDF metadata extraction for certain PDF generators. (since v15.7 SR-5)
* Slight improvements for registry report. (since v15.7 SR-5)
* Fixed an exception error that could occur when generating the registry report. (since v15.7 SR-5)
* The filename filter is now optionally case-sensitive. (since v15.7 SR-6)
* GREP expressions used for the filename filter may now contain true Unicode characters (e.g. Chinese) and may now use the ^ anchor. (since v15.7 SR-6)
* An error was fixed in the filename filter that affected v15.7 when GREP syntax was used. (since v15.7 SR-6)
* Fixed an exception error that could occur when converting from hex ASCII to binary with the Edit | Convert menu command. (since v15.7 SR-7)
* Certain received e-mails with attachments in OST/PST archives were not represented correctly if extracted with the non-MAPI method. That was fixed. (since v15.7 SR-7)
* Certain malformed start directory entries of subdirectories in FAT file systems are now tolerated. (since v15.7 SR-8)
* Multipliers in GREP notation may not have worked correctly in Unicode in v15.7. That was fixed with v15.7 SR-8.
* Hex values in square brackets were not evaluated correctly in GREP notation in v15.7. That was fixed with v15.7 SR-8.
* Fixed an exception error that could occur when completing a physical search with no search hits. (since v15.7 SR-8)
* Many other minor improvements, e.g. in file type detection.

Please note that volume snapshots created or imported by v15.8 cannot be used by earlier versions any more.
#118: WinHex, X-Ways Forensics and X-Ways Investigator 15.7 released July 29, 2010
This mailing is to announce a noteworthy update, v15.7.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired this time need to go to http://www.x-ways.net/winhex/license.html for log-in data (password for downloads and forum!!), download links, update maintenance, upgrade offers, and more.

Please be advised that if you are interested in receiving information about service releases of v15.7 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net Service releases are not announced via this newsletter.

-------------------------------------------------------------
WHAT'S NEW?

* Introduced an interface that allows you to copy files of a certain category from selected evidence objects to a user-defined output directory for analysis by an external program. The external program can then identify relevant files or classify files. The result can be imported back into the case and will be shown as report table associations, by which you can filter or create reports. The interface works at the case level, the commands can be found in the case context menu. Requires a forensic license or X-Ways Investigator.
* Through this interface, using the upcoming professional version of the software DoublePics (www.dotnetfabrik.de) and a database of pictures from previous cases as often maintained by law enforcement agencies that have to deal with child pornography cases, it is possible to conveniently and automatically categorize pictures in new cases that are known already, as relevant or irrelevant or "gray area" or whatever. Known pictures can be recognized even if they are stored in a different file format, resized, if the colors or the quality are different or they have been edited, etc. thanks to fuzzy logic and adjustable sensitivity and tolerance. Hence for pictures this method is vastly superior to the use of hash sets.
* Support for the exFAT file system. (requires a specialist license or higher)
* Ability to interpret dynamic Virtual PC VHD images. (requires a specialist license or higher) Allocated areas in such images can also be edited (in WinHex, not X-Ways Forensics).
* Ability to interpret .e01 evidence files with an internal chunk size of up to 256 KB (previously up to 128 KB). Useful for example for memory dumps created by other software.
* Old versions of files that are found as part of the thorough file system data structure search in volume shadow copies are now marked as (SC) in the Attribute column and can be filtered. The old contents of old versions of large files will be correctly represented in a future release. The file system level metadata of old versions and the contents of small files are already usually correctly represented.
* Old names/paths of renamed/moved files in NTFS as discovered by the thorough file system data structure search are now by default no longer listed as additional items in the volume snapshot and in the directory browser. Instead, they are mentioned as comments that are attached to the renamed/moved files. This keeps directory browser listings smaller and makes searches quicker than before.
* The Simultaneous Search now supports case-insensitive searches generally, not just for English and German letters.
* GREP expressions may now contain true Unicode characters (or in other words Unicode search terms may now use GREP characters), and it is now possible to search in specific code pages when using GREP syntax.
* The most important MS Office 2007/2010 and OpenOffice 2/3 document types are now by default decoded for the logical search, and (in conjunction with the recommended data reduction) their main XML files are omitted from the search. That ensures that you get search hits in the documents and not in the XML files, which is more convenient, and that you don't get them twice unnecessarily. The other XML files, which may contain important metadata, are still searched (provided that you have included the contents of archives in the volume snapshot).
* When using the non-MAPI method to extract e-mails from PST/OST archives, HTML e-mails are now also usually represented in .eml format (except for outgoing/sent messages). Additionally, a clickable link to the attachments is now included in Preview mode (except for outgoing/sent messages, and not guaranteed to work if attachments have non-English names).
* Previous limitations for writing sectors in partitioned areas under Windows Vista/7 have been practically removed. In 99% of all cases it is now possible to write sectors in these Windows versions.
* Ability to recursively delete a directory with sub-directories that cannot be deleted with Windows Explorer or other Windows tools and commands because of illegal characters, via Tools | File Tools | Delete recursively.
* Improved behavior when encountering already running instances. A new middle state of the checkbox that controls the behavior (see General Options) allows you to decide on a case-by-case basis whether to start another instance.
* There is now an option to filter by internal ID. Useful for example and very easy to use if you would like to focus on the files that were added to the volume snapshot last (after having refined it) or if you would like to resume a logical search with an internal ID (and filter out files that may have already been searched before).
* Metadata extraction improved for Windows 7 .lnk files.
* Catalogs of JumpList files are now output in Details mode.
* Fixed an exception error that could occur when taking a volume snapshot.
* Fixed some errors that were present in the original v15.6 with v15.6 SR-1 and SR-2.
* Support for very long paths and subject lines of e-mails in PST/OST e-mail archives for extraction with the non-MAPI method, in excess of 259 characters. (since v15.6 SR-3)
* When attaching a directory on one of your own drives to the volume snapshot of an evidence object, sub-directories are now included as well, recursively, and the partial directory tree is replicated in the volume snapshot with the help of virtual directories. This functionality is now available through a separate context menu command, no longer by holding the Ctrl key when invoking the "Attach external file" menu command. (since v15.6 SR-3)
* Help button and separate help topic for Recover/Copy. (since v15.6 SR-3)
* Support for restore points in metadata extraction: internal creation date extracted from rp.log and Details mode extended for change.log. (since v15.6 SR-3)
* New Attributes filter for files that are child objects of other files (not of directories). (since v15.6 SR-3)
* Windows system SIDs now resolved in Owner column also, not only in NTFS permissions display. (since v15.6 SR-3)
* Base64 file type verification improved. (since v15.6 SR-3)
* $I file support in file type verification and carving. (since v15.6 SR-3)
* Fixes in metadata extraction. (since v15.6 SR-3)
* Fix for AOL PFC processing. (since v15.6 SR-3)
* Fix for an error that could occur on some computers when executing pff.dat and a certain DLL was missing. (since v15.6 SR-3)
* Correct HTML line breaks for metadata fields in case report. (since v15.6 SR-3)
* Avoided the necessity to click away an error message about failure to open files when indexing in v15.6 through SR-2. (since v15.6 SR-3)
* Sender name and recipient names (in addition to e-mail addresses) are now included in the respective columns for sent messages in Outlook PST/OST e-mail archives, too. (since v15.6 SR-4)
* Path coloring and the turquoise arrow in the Case Data window now reflect recursive exploration of the Case Root window if it's open and active, otherwise as before the status of the individual data windows of the evidence objects. (since v15.6 SR-4, path coloring feature not available in Windows Vista/7.)
* Exception error in metadata extraction from certain OLE2 documents fixed. (since v15.6 SR-4)
* Exception error in e-mail extraction prevented. (since v15.6 SR-4)
* "Unable to record a search hit" problem fixed for certain search terms containing German umlauts. (since v15.6 SR-4)
* Fixed a memory leak that could occur when taking a volume snapshot of certain volumes formatted with Ext* file system. (since v15.6 SR-4)
* That hidden items are mandatorily listed in X-Ways Investigator is no longer enforced at every start-up of the program if investigator.ini option 31 is not in use. (since v15.6 SR-4)
* PST e-mail archive extraction with the non-MAPI method: Avoided some unnecessary error messages about items that were supposedly missing in the export, but actually were not. (since v15.6 SR-4)
* Enabled certain keyboard shortcuts in dialog and message boxes generally that before worked only when certain button styles were active. (since v15.6 SR-5)
* Fixed an error that in SR-4 could truncate search terms. (since v15.6 SR-5)
* Time zone settings updated for Western Australia. (since v15.6 SR-5)
* Improved representation of contacts, appointments, tasks and files stored in PST e-mail archives with the non-MAPI method. For example, no longer is each and every such object organized in an additional subdirectory, and you can now easily focus on such objects with the help of a new Attr. filter because they are now marked in the Attr. column as "(Misc. Outlook data)". (since v15.6 SR-6)
* Fixed memory leaks. (since v15.6 SR-6)
* Now 99 volumes can be open simultaneously in addition to the 26 drive letters (99 instead of 64 before). (since v15.6 SR-6)
* Internal creation date extracted from EDB, ETL, and SQM files. (since v15.6 SR-6)
* Fixed an exception error that could occur when trying to open deleted files on Ext* volumes that cannot be opened. (since v15.6 SR-6)
* .eml files with HTML-formatted e-mails are now optionally named .html instead of .txt when copied off the image for the case report, for viewing as HTML. (since v15.6 SR-6)
* An error was fixed that caused X-Ways Forensics to misread the true type of files within evidence file containers under certain circumstances. (since v15.6 SR-6)
* The Recover/Copy command and the function to add files to an evidence file container now optionally respect any active filters and omit files that are filtered out even if directories that contain them are selected. (since v15.6 SR-7)
* When attempting to add files to a container that are not completely readable, previously that failed, such files were not added at all. Now if they are partially readable they will be added to the container with the notice "Excerpt" in the Attribute column, and if their contents cannot be read at all, they will be added with the notice "file contents unknown". (since v15.6 SR-7)
* Fixed inability to find lost Ext* partitions if formatted with certain block sizes. More options when searching for lost partitions, to avoid many false positives with new default settings. (since v15.6 SR-7)
* Special rules for e-mails when hiding duplicates now also take header.txt files into account that are often child objects of e-mail messages in PST/OST e-mail archives. (since v15.6 SR-7)
* Extended and improved file type verification algorithms. (since v15.6 SR-7)
* Fixed an infinite loop that could occur under certain circumstances during the file header signature search. (since v15.6 SR-7)
* Prevented a recursion error when processing large archives containing many nested archives. (since v15.6 SR-7)
* Fixed an exception error that could occur when processing Reiser4 volumes with a very large internal tree. (since v15.6 SR-7)
* Support for many new file types in file type verification and file header signature search (e.g. TravelLog .dat files, sessionrestore.js, jump list files, various XML subtypes, various zip subtypes, ...). (since v15.6 SR-7)
* An error was fixed that in SR-7 could cause X-Ways Forensics to misread carved files under certain circumstances. (since v15.6 SR-8)
* Improved error tolerability and recovery as well as completeness of the non-MAPI e-mail extraction method. (since v15.6 SR-9)
* Fixed hiberfil.sys decompression for Windows 7. (since v15.6 SR-9)
* Descriptive text files that accompany images created by X-Ways Forensics are now UTF-8 encoded. (since v15.6 SR-9)
* Description field for images is now Unicode capable. (since v15.6 SR-9)
* Examiner field for images introduced, also Unicode capable. (since v15.6 SR-9)
* If the creation of a thumbnail picture for the gallery causes X-Ways Forensics to freeze or crash, you will be notified of the offending file when you restart the program. (since v15.6 SR-9)
* Avoids an exception error that in SR-8 could occur after reconstructing a RAID system. (since v15.6 SR-9)
* Avoids an exception error that could occur when verifying file types. (since v15.6 SR-10)
* Accelerated the process of marking duplicate files as already viewed when viewing one file that is marked as having duplicates. (since v15.6 SR-10)
* Base64 to binary conversion now automatically filters out line breaks. (since v15.6 SR-10)
* If there are multiple hash set matches for the same files after matching hash values against the hash database, they are now always listed in the same order. (since v15.6 SR-11)
* If there are matches for multiple hash sets and these hash sets do not all belong to the same category, a warning is output to the Messages window. (since v15.6 SR-11)
* Avoided more redundant duplicate files/directories when adding files from volume shadow copies to the volume snapshot as part of a thorough file system data structures search on NTFS volumes. (since v15.6 SR-11)
* E-mail extraction with the non-MAPI method in rare situations produced subdirectories in the folder for temporary files that could not be deleted any more. This was fixed. (since v15.6 SR-11)
* The Ctrl+Del keyboard shortcut now additionally clears already extracted metadata for selected files. (since v15.6 SR-11)
* New version of the graphics library included. Avoids an exception error that could occur when loading certain Photoshop PSD files. (since v15.6 SR-11)
* Fixed an exception error that could occur in recent releases when using the Position Manager. (since v15.6 SR-11)
* Skin color and b/w detection in pictures did not work correctly in v15.6 SR-11. This was fixed. (since v15.6 SR-12)
* Improved representation of notes in PST archives with the non-MAPI extraction method. (since v15.6 SR-12)
* Metadata extraction from cookies improved visually (formatting) and content-wise (often now with remote timestamp). (since v15.6 SR-12)
* Ability to use the Ctrl+Del keyboard shortcut to reset files in the volume snapshot in X-Ways Investigator, unless prevented by the new investigator.ini option +33. (since v15.6 SR-12)
* Supports larger NTFS-compressed files in NTFS. (since v15.6 SR-12)
* Fixed export of Unicode search hits. (since v15.6 SR-12)
* Avoided a rare exception error in the registry viewer and in metadata extraction. (since v15.6 SR-12)
* Fixed a file creation error when using the Recover/Copy command. (since v15.6 SR-13)
* Access to physical RAM under Windows 2000/XP did not work in v15.6 SR-12. This was fixed with v15.6 SR-13.
* Many other minor improvements, some more minor fixes.
#117: WinHex, X-Ways Forensics and X-Ways Investigator 15.6 released March 1, 2010
This mailing is to announce an important update, v15.6. WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license) Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Please be advised that if you are interested in receiving information about service releases when made available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net ------------------------------------------------------------- Recently some comparisons of imaging speeds have been posted by a user of X-Ways Forensics in the computer forensics section of the forum. In these comparisons X-Ways Forensics basically outclassed all tested competitors. Licenses for X-Ways Forensics just for disk imaging at a reduced rate can be purchased from http://www.x-ways.net/forensics/dongle.html#imaging. ------------------------------------------------------------- UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES Seoul please ask if interested Mar 8-11 London http://www.x-ways.net/training/london.html Apr 12-16 Chicago http://www.x-ways.net/training/chicago.html May 11-13 For more information: http://www.x-ways.net/training/ ------------------------------------------------------------- WHAT'S NEW? * Matches with multiple hash sets for the same file are now supported by the hash set column, and therefore also by the hash set filter. (forensic license only) * When importing a hash set, X-Ways Forensics automatically filters out duplicate hash values within that hash set. This has a big effect on the US NIST NSRL RDS database for example and reduces its size tremendously. 
If your hash database already contains hash sets with duplicates, those will be eliminated by v15.6 as well, next time when you import any other hash set. Hash databases used by v15.6 and later cannot be opened any more by v15.1 or earlier. (forensic license only) * X-Ways Forensics can now usually recognize the true sector count according to ATA on ATA/SATA hard disks in situations where that failed (returned a question mark only) in previous versions. Useful to detect an attempt to limit the addressable capacity of a hard disk using an HPA (host-protected area) or DCO (device configuration overlay). (forensic license only) * Whenever X-Ways Forensics checks for an HPA/DCO (that is when imaging a hard disk, when adding it to a case, or when creating a Technical Details Report for it) and actually detects one, it now offers to either temporarily or permanently deactivate the HPA/DCO and make the full official disk capacity accesssible, so that you can e.g. image the hard disk in its full size before it returns to its original state next time when it powers down. (forensic license only) * The Technical Details Report can now retrieve the internal error count recorded by hard disks if available through the SMART interface. (forensic license only) * Simple and quick plausibility check for internally reconstructed RAID 5 that warns you immediately after reconstruction if the parity does not match. (specialist and forensic license only) * Convenient display and deconstruction of the objects ID(s) of files stored in NTFS volumes in Details mode. (forensic license only) * Better plausibility checks for deleted files in Ext* file systems. (specialist and forensic license only) * Representation of file system areas in certain Ext4 volumes corrected. (specialist and forensic license only) * The link reference (inode number) of a hard-link file in HFS+ is now shown in the Comments column. You can use the Comments filter to filter for a given inode number. 
(forensic license only) * Representation of the system files Attributes and Startup in the root directory of HFS+ volumes, if defined. (forensic license only) * Encryption/decprytion with AES accelerated on computers with multiple processor cores thanks to parallelization. * Indexing and index optimization revised. They are now slightly faster, and are more efficient in memory utilization. (forensic license only) * A new directory browser option now controls whether files with child objects will be typically viewed or explored on a double-click. If the checkbox is half-checked, you will be prompted whenever double-clicking such a file. In earlier versions such a file was always explored, altough it might have been more intuitive to view it (think of a MS Office 2007 or OpenOffice document with XML files as child objects). * Improved sorting performance for the columns for which sorting became slower with v15.4 (date columns, SC%, pixels, owner, hard-link count, ...). * That .eml files are renamed to .txt when copying files off the image for inclusion in the report so that Internet Explorer can open them, is now optional, so that Firefox can send such files to Outlook Express. (forensic license only) * Pictures can now be optionally embedded directly in the HTML report as inline code, so that there is no need any more for separate files in the report subdirectory. Of course, this greatly increases the size of the HTML file. Only Firefox supports this encoding style for larger pictures. (forensic license only) * The folder for scripts is now also used as the folder for templates. * That the general folder for images is preselected when adding images to the case is now optional. 
(affects users of a forensic license only)
* The Sender and Recipients columns are now populated for e-mail attachments, too, so that even when you focus on attachments you can immediately tell who sent that file to whom, and don't have to navigate to the parent e-mail message to find out (e.g. by pressing the Backspace key). You can also filter for attachments via Sender/Recipient. (forensic license only)
* The Sender and Recipients fields are now copied into evidence file containers for e-mail messages extracted from PST/OST files without the MAPI method. (forensic license only)
* Sorting many e-mail messages by Sender or Recipients was potentially very slow in earlier versions, except in v15.5 for e-mails extracted from PST/OST archives not via MAPI. Sorting by Sender or Recipients is now generally fast for e-mail extracted with v15.6. (forensic license only)
* Sender and Recipients as well as an internal creation date are now extracted from original .eml files (i.e. .eml files not created by X-Ways Forensics when extracting e-mails from e-mail archives) when extracting internal metadata from such files. (forensic license only)
* Fixed an error that could cause instability when using the Sender/Recipient filter. (forensic license only)
* Metadata extraction from HTML documents. (forensic license only)
* Ability to finalize/convert/encrypt evidence file containers in X-Ways Investigator after filling them, just like in X-Ways Forensics. Useful for example when investigators need to forward identified incriminating files (e.g. CP) to other departments/agencies in an encrypted state. In order to not unnecessarily confuse users of X-Ways Investigator who don't need this ability, it can be disabled with the new switch +32 in investigator.ini.
* Option to always specifically run WinHex/X-Ways Forensics as administrator under Windows Vista/7 (see General Options).
* Option to automatically restart the program when a restart is necessary after changing certain settings.
* Ability to optionally store the key for already added AES-encrypted .e01 evidence files in the case file, so that you don't have to enter it over and over again when opening the evidence object. This is convenient, but 100% secure only if you protect your case files appropriately. (forensic license only)
* The Attribute filter for "e?" did not work for files that were marked as e-mail attachments. This was fixed.
* Fixed an error that could corrupt the loaded file type category definitions and lead to an empty File Type Categories.txt file.
* Fixed an error that occurred when opening files with very long names on HFS+ volumes. (since v15.5 SR-1)
* The creation of sparse raw image files was faulty in the original 15.5 version. This was fixed with v15.5 SR-1.
* File Type Categories.txt updated and extended. (forensic license only)
* Mismatches were fixed with v15.5 SR-2 that occurred when importing report table associations and comments from evidence file containers into the volume snapshot in v15.5 including SR-1.
* Exception errors fixed with v15.5 SR-2 that in rare situations could occur when verifying the type of certain kinds of text files.
* The filename filter was not case-insensitive for non-English characters. This was fixed with v15.5 SR-3.
* Removes trailing dots from directory names when recovering/copying files with path, so that Windows allows such directories to be created. (since v15.5 SR-3)
* Prevented an exception error that could occur when about to select a disk. (since v15.5 SR-3)
* Support for .e01 evidence files with more than 2^32 sectors. (since v15.5 SR-3) (forensic license only)
* Fixed an error that in recent releases caused a misinterpretation of the sector size in raw images of certain Apple disks. (since v15.5 SR-3)
* Ability to show the history of 10 last authors and file paths in MS Word documents in some rare cases where previously it couldn't.
(forensic license only)
* Information in Details mode about newer hiberfil.sys files in Windows Vista and Windows 7 fixed. (since v15.5 SR-4) (forensic license only)
* Two rare exception errors fixed in file type identification. (since v15.5 SR-4)
* Wiping free space left the wiped free space allocated in v15.5. This was fixed with v15.5 SR-4.
* Fixed an exception error that could occur in v15.5 when exporting the Sender and Recipient columns. (since v15.5 SR-4)
* Fixed an error when writing disk sectors past the 2 TB barrier. (since v15.5 SR-4)
* Fixed an exception error that could occur when editing disk sectors on media with a sector size of 4 KB. (since v15.5 SR-4)
* Virtual file "Unpartitionable space" avoided in a case where it does not make sense. (since v15.5 SR-4)
* Many other minor improvements, some more minor fixes.