| #126: WinHex, X-Ways
Forensics, X-Ways Investigator 16.4 released
Mar 22, 2012 |
This mailing is to announce the release of
one of the most notable updates ever, v16.4.
WinHex evaluation version:
http://www.x-ways.net/winhex.zip (also the correct download
link for anyone with a personal, professional, or specialist
license)
Owners of X-Ways Forensics/X-Ways Investigator/X-Ways Imager and
licensed users whose update maintenance has expired please
go to
http://www.x-ways.net/winhex/license.html for download
links, the latest log-in data (!!), update maintenance,
upgrade offers, and more. Note that licensed users of X-Ways
Forensics with active update maintenance can conveniently find
all older versions for download if needed.
Please be reminded that if you are interested in receiving
information about service releases of v16.4 when they become
available, you can find those in the Announcement section of the
forum and (with active update maintenance) can subscribe to
them, too.
Upcoming X-Ways Forensics & File Systems Training
London, UK: Apr 23-27, 2012 seats
available
Washington, DC: May 15-17, 2012 seats
available
More information
Please be reminded again that lost, misplaced or stolen
dongles for X-Ways Forensics are replaced only if they have been
insured, which is free.
What's new in v16.4?
Performance
-
A 64-bit edition of X-Ways Forensics and of the
special WinHex version for licensed users of X-Ways Forensics is now
available. You can simply add it to an installation of the 32-bit
edition of X-Ways Forensics. The 64-bit .exe file must be located in the
same directory as the 32-bit xwforensics.exe file. Additional files
needed by the 64-bit edition are expected in a subdirectory named \x64.
Most other files are shared by both editions! That means that all your
settings, search terms, file type signature definitions, file type
category definitions etc. etc are conveniently remembered and commonly
used by both editions. Both editions use exactly the same format for
case files, volume snapshots, search hits etc.
While not 100% of the functionality is available (e.g. SMART data
extraction does not work), the 64-bit edition is recommended especially
in situations where the 32-bit memory address space may be insufficient,
when dealing with disks or images that contain many millions of files,
or when dealing with many millions of search hits, provided that you
have plenty of physical RAM installed. Certain operations that are
computationally intensive (e.g. hashing or encrypting) may also be
faster in the 64-bit edition.
A 64-bit edition of X-Ways Investigator will follow soon.
-
A 64-bit edition of the viewer component is now also
provided. X-Ways Forensics warns when trying to load the 64-bit viewer
component from the 32-bit edition of X-Ways Forensics. (Some users now
think the 64-bit viewer component is for 64-bit Windows, but it is for
64-bit X-Ways Forensics.)
-
Improved ability to take a snapshot of volumes with
many millions of files, especially in the 64-bit edition, but also in
the 32-bit edition (if used with the /3GB switch or better in a 64-bit
Windows).
-
Hashing with the MD5 algorithm (the mere computation,
excluding disk I/O for reading data) further accelerated in the 32-bit
edition by ~30%, with SHA-1 by ~20%! (depends on the processor) Hashing
in the 64-bit edition it is optimized, too, and even slightly faster
than in the 32-bit edition.
-
AES encryption and decryption (the mere computation)
accelerated by 70% in the 64-bit edition and by 30% in the 32-bit
edition.
-
Speed for sorting by filename more than tripled.
-
Sorting by various columns noticeably accelerated.
-
Copying large files (Recover/Copy command and adding
files to containers) accelerated.
-
New buffer system at work when reading from .e01
evidence file, which may speed up processing in certain situations.
-
Supports more complex GREP search expressions now
than before. Such complex expressions required too much main memory in
previous versions to run.
-
Previously existing files whose first cluster is
known to have been overwritten or whose first cluster is unknown (i.e.
red X files) are now generally excluded from volume snapshot refinement
except if you specifically target them via tagging. They are also
excluded from logical searches and from indexing if the recommendable
data reduction is active unless targeted specifically via tagging or
selection.
-
Improved ability to deal with so-called zip bombs.
-
Processing of .msg and original .eml files is now
slower.
Programming Interface/Scripting
-
Automate investigative tasks and extend the
functionality of X-Ways Forensics with X-Tensions: The new X-Ways
Forensics X-Tension API (application programming interface) allows you
to use many of the advanced capabilities of the X-Ways Forensics
computer software programmatically and extend them with your own
functionality. For example, you could implement some specialized file
carving for certain file types, automated triage functionality, generate
alternative reports, or automatically filter out unwanted search hits
depending on your requirements etc.
Among other things, X-Tensions allow you to:
- read from a disk/partition/volume/image
- retrieve abundant information about each file and directory in the
volume snapshot
- read from any file
- create new objects in the volume snapshot
- assign files to report tables
- add comments to files
- process, validate and delete search hits
- and do practically everything else that is possible with a Windows
program! (thanks to the Windows API)
You can use your programming language of choice, e.g. C++, Delphi, or
Visual Basic, and do not have to learn any new programming language. You
can use your compiler of choice, for example Visual Studio Express
(freeware).
Since an extension is not an interpreted script, but regular compiled
executable code that is running in the address space of the application
itself, you can expect highest performance, the same as with internally
implemented functionality. X-Tensions give you easy and direct access to
crucial and powerful functions deep inside X-Ways Forensics.
When X-Tensions functions can get called:
- when refining the volume snapshot
- when running a simultaneous search
- via the directory browser context menu
- in future versions of X-Ways Forensics via the search hit context menu
You may distribute your XWF extension DLLs that you compile and/or your
source code free of charge or even for a fee, under whatever license
terms you see fit.
For more information please see
http://www.x-ways.net/forensics/x-tensions/api.html.
Usability
-
More convenient ability to specify nature, sector
size and additional storage location of raw images when holding the
Shift key when interpreting images.
-
When reading a file that is referenced in a volume
snapshot fails when refining the snapshot or running a logical search,
for example because the storage location of some of the clusters is
unknown or because they are contained in corrupt file archives, then
only one read error message is output per session and the user is
informed of a newly introduced attribute by which you can also filter:
"file contents unknown, partially".
-
When pressing a Ctrl+number key combination that is
not currently assigned to any report table (e.g. accidentally), X-Ways
Forensics now produces an error sound.
-
More information in progress indicator window when
copying files.
-
When printing multiple selected files (using the
viewer component), only a single print job will be submitted, for all
files and (if selected) cover pages, such that no other print jobs sent
to a shared printer can get in between and such that if you are printing
to PDF you will only be prompted for a filename only once and all pages
are printed to the same output file.
-
All Position submenus have been renamed Navigation.
-
Two neat commands for navigation in the directory
browser have been added to the context menu (Navigation submenu): "See
selected item in its directory" will show you the selected file or
directory among its siblings. Useful to quickly check out whether there
are more notable files in the same directory or to better understand the
function of the file when you see it in context. "See selected item from
volume root" will show you the selected file among all other files in
the same volume. Useful for example to see whether there are any files
with the same name, the same ID (e.g. previous version from a volume
shadow copy), same owner, same sender, or similar timestamps etc. etc.
in the same file system (just sort accordingly). Both commands can be
also be used from within the case root window and from within search hit
lists (so the previous "Go to file in directory browser" command becomes
obsolete). Remember you can click the Back button in the toolbar to
conveniently return to the previous view.
-
When toggling between normal and recursive
exploration of the same directory, e.g. by clicking the button with the
turquoise curly arrow, X-Ways Forensics now automatically selects the
last selected item again if it is still contained in the directory
browser after the change.
-
When activating or deactivating a filter, X-Ways
Forensics now automatically selects the item in the directory browser
again that you had clicked last, if it is still listed in the directory
browser.
-
Improved responsiveness when decompressing large file
archives.
-
If a certain file for which a hash value was computed
before or for which a hash value is computed at the same time (volume
snapshot refinement) crashes X-Ways Forensics (of which you are usually
informed in great detail when restarting X-Ways Forensics), identical
files are now skipped automatically if you (continue to) refine the
volume snapshot and compute hash values (at least if the protection
against identical crasher files is active in the properties of the
case). To make the case forget previous crasher files, click the Delete
button in the case properties. Skipped files are automatically added to
the report table "Reason for crash?".
-
If not using the crash-safe decoding option and if
the viewer component crashes X-Ways Forensics when decoding a certain
file, on the next start-up X-Ways Forensics points out more precisely
that the crash occurred during the decoding step and recommends to
activate crash-safe decoding (which is an option in Options | Viewer
Programs).
File System Support
-
When running a particularly thorough file system data
structure search on NTFS volumes, X-Ways Forensics now specially deals
with existing or previously existing volume shadow copies, and includes
valuable information in the volume snapshot that would not be available
otherwise, such as files that cannot be found in the current $MFT any
more or old versions of files whose contents have changed (and unlike in
previous versions of X-Ways Forensics, the original file contents can
now be reconstructed for files of any size). And this happens relatively
quickly now, even if you choose not to use the potentially very time
consuming "Search FILE records everywhere" option.
Processing of volume shadow copies, if any, occurs before all the other
operations that are part of the particularly thorough file system data
structure search (parsing $LogFile, optionally searching for FILE record
outside of $MFT and outside of VSC, searching for index records in the
slack of INDX buffers). If there are volume shadow copies, the caption
of the small progress indicator window will tell you when they are being
parsed.
-
Files found in volume shadow copies are specially
marked if they are previous versions of files that were known to the
volume snapshot already before the thorough file system data structure
search. Remember you can sort by ID to see the files they are a previous
version of next to them.
-
Option to avoid that previous versions of files in
volume shadow copies are added to the volume snapshot if they are exact
duplicates (identical file contents) so that it is much easier to focus
on files for which actually previous data is still available. Even if
modification dates are different, the file contents are often the same
for files installed by the operation system. See Options | Volume
Snapshot. If fully selected, X-Ways Forensics will compare files up to
128 MB, if half selected, only up to 16 MB, as to not waste too much
time on this feature.
-
X-Ways Forensics now distinguishes between deleted
files whose contents may have changed (i.e. overwritten by other files)
and deleted files whose original contents are known to be still
available/original. For example, volume shadow copies often guarantee
the original contents of files that were deleted or changed afterwards.
If so, such files found in a volume shadow copy are displayed with an
icon that is different from other previously existing files. The icon of
virtual files has changed, too. Please see the Legend for an overview of
all icons.
-
Ability to open a directory (File | Open Directory).
This new function can list the files and subdirectories of any
accessible directory in the directory browser.
-
Ability to add any accessible directory to the case.
Useful if a directory or a file of interest resides on a drive with many
irrelevant files, if you merely wish to view, hash, or search a few of
those files, check their metadata or copy them to an evidence file
container etc.
-
Ability to identify Btrfs file systems.
-
Reparse points are no longer highlighted by a virtual
file whose name reveals the target, but by a comment that is attached to
the reparse point host directory.
File Format Support
-
E-mail extraction revised for certain e-mail archive
file types such as Exchange EDB, DBX, MBOX, and MSG, in particular
better support for e-mails in e-mails (e-mails as attachments)
-
Metadata extracted from XML files in Office documents
can now be seen in the metadata cell of the outer Office document, no
longer for the inner XML files in which they were actually found, where
some users did not expect them.
-
OLE2 timestamps can now be translated by the Data
Interpreter and in templates optionally in big endian, as they appear in
ICQ 7 chat messages.
-
Improvements for Exchange EDB extraction.
-
File format consistency check now supported for EXE,
ZIP, RAR, JPEG, GIF, PNG, RIFF, BMP, PDF.
File Header Signature Search
-
File header signature search noticeably revised and
accelerated, accelerated especially on volumes with millions of files.
The already very high quality of the results was further improved.
-
Ability to select file types for the file header
signature search more conveniently grouped by categories instead of in a
flat list.
-
Automatic file size detection for even more file
types than before, now including for example MPEG, MP3 in general,
index.dat.
-
For each file type that the internally implemented
algorithms in X-Ways Forensics know well and support with automatic size
detection, the ID of the corresponding algorithm is now specified in the
"File Type Signatures Search.txt" definition instead of a footer
signature, following a tilde symbol (~). For example that can be useful
if you create alternative definitions for a certain file type (e.g. to
match a certain subtype only), to ensure that the sophisticated file
size detection at work in X-Ways Forensics is still applied.
-
New flag "c" supported in the file type signature
definitions which, if taken into account (depends on user interface
settings), ignores header signatures that are not aligned at cluster
boundaries. Can be useful for some file types to avoid to many false
positives.
-
Files carved with the new flag "g" greedily allocate
all their sectors exclusively. The file type signature search continues
its search for further file headers only after the presumed end of such
files.
-
New flag "u" allows to carve files in unused clusters
only.
-
New file carving flag "F" (upper case) that makes
X-Ways Forensics discard hits of the file header signature search if no
corresponding footer can be found, provided that a footer signature is
specified in the definition. Can be useful to reduce the number of or
totally avoid false positives.
-
New flag "t" prevents X-Ways Forensics from
presenting the type of carved files immediately as confirmed. Useful for
example for file format families such as XML, to determine the exact
subtype later during file type verification.
Directory Browser
-
Option to copy child objects of selected files from
search hit lists.
-
Ability to use the Name filter for keyword searches
in filenames not only with GREP syntax.
-
Filter for the Owner column.
-
More detailed filter for previously existing files.
-
Virtual files are now counted separately in the
caption line of the directory browser and no longer included in the
count of existing or previously existing files. The icons of virtual
files and directories have been changed.
-
Ability to mark important evidence objects in the
case root window with a yellow flag.
-
Ability to tag or untag all items in the volume
snapshots of all open evidence objects by clicking the case root icon
with the middle mouse button.
-
Ability to copy the text in the cell of the directory
browser that you right-click to the clipboard. Previously users had to
copy from Details mode.
Miscellaneous
-
Cases now remember non-standard sector sizes of raw
images so that you do not have to specify them again when re-opening a
raw image evidence object.
-
Ability to add a selected block to the volume
snapshot as a virtual file even from the case root window (in File
mode).
-
In newly taken volume snapshots of physical disks,
all virtual files covering unpartitioned areas will not be subject any
more to volume snapshot refinement (e.g. hash computation) unless
specifically targeted via tagging, to save time and because it does not
make much sense. The same applies to partitioned areas on GPT+LDM disks
that are not treated like partitions because they never contain a file
system (only the dynamic volumes do).
-
Fixed an error in the direct byte-wise translation
for GREP that could cause some additional false hits.
-
More information in evidence object selection dialog
windows that show the number of files in each evidence object and the
yellow flag, if it has one.
-
Ability to represent large offsets in decimal.
-
New encryption algorithm for .e01 evidence files:
128-bit AES in BE CTR mode, which is ~67% faster than the already
accelerated implementation of 256-bit AES in LE CTR mode, for both
encryption and decryption. Previous versions of X-Ways Forensics cannot
open .e01 evidence file created with the new algorithm.
-
That an iterative SHA-256 hash of both the password
and the salt is stored in encrypted .e01 evidence file for password
verification purposes is now optional when using the 256-bit AES option
(see Security Options). Previous versions of X-Ways Forensics cannot
open .e01 evidence file created without such a hash.
-
Many minor improvements.
Changes of service releases of v16.3:
-
SR-1: Improved UTF-8 encoding of GREP expressions.
-
SR-1: Fixed code page display problem with very long
search terms.
-
SR-1: Fixed non-acceptance of containers of the new
format with certain investigator.ini settings
-
SR-1: Avoided one more situation where writing
sectors could fail under Windows Vista and later.
-
SR-1: Fixed inability of v16.3 to explore nested
archives.
-
SR-2: Fixed an exception error that could occur when
opening files with certain filenames when Asian code pages were active
in Windows.
-
SR-2: Fixes and improvements for Exchange EDB
extraction.
-
SR-3: When extracting e-mail from certain e-mail
archive types like DBX or MBOX, identical attachments that were attached
to different e-mail messages (same name, same contents) were only
provided as child objects to 1 e-mail message. That was fixed.
-
SR-4: \b anchors did not work correctly in v16.3.
That was fixed.
-
SR-5: Fixed errors that could occur in certain cases
when extracting embedded pictures from carved files (I/O errors and
inability to display the pictures in the gallery).
-
SR-5: Fixed inability to read alternate data streams
from evidence file containers of the new format.
-
SR-5: Improved representation of file slack that is
deliberated included in evidence file containers of the new format.
-
SR-5: Included buffer overrun fix of libpng 1.5.9
(http://www.libpng.org/pub/png/libpng.html) in the internal graphics
viewing library. This fix was also retroactively applied to earlier
versions: v16.2 SR-12, v16.1 SR-10, v16.0 SR-13, v15.9 SR-10, v15.8
SR-11.
Thank you for your attention! We hope to see you soon somewhere on
http://www.x-ways.net or on our
Facebook page.
Please forward this newsletter to anyone who you think will be interested.
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany |
