#155: X-Ways Forensics, X-Ways Investigator, WinHex 19.3 released
Jun 14, 2017
This mailing is to announce the release of
another notable update with many, many important improvements,
v19.3.
WinHex evaluation version:
http://www.x-ways.net/winhex.zip
(also the correct download link for anyone with a personal, professional, or
specialist license)
Customers may go to
http://www.x-ways.net/winhex/license.html
for download links, the latest log-in data, details about their update
maintenance, etc. Those customers whose update maintenance or license has
expired can receive upgrade/renewal offers from there.
Please be reminded that if you are interested in receiving information about
service releases when they become available, you can find those in the
Announcement section of the forum and (with active access to updates) can
subscribe to them, too, by creating a forum profile. Please note that if you
wish or need to stick with an older version for a while, you should at least
use the last service release of that version. Yes, really.
Every now and then we still receive a request about a
replacement of a lost or stolen uninsured dongle although we have pointed
out many times that we do not replace such dongles. We ask for your
understanding that we provide only 1 working dongle per license, not as many
as customers want. We have never made an exception in our entire company
history. Anyone who still asks for a replacement of a lost dongle that was
not insured will forfeit their chance for a good-will discount on the
purchase of a new license.
Upcoming Training
Please sign up for our training newsletter if you would like to be kept up to
date on classes in the USA, Canada, Europe, and/or Asia/Pacific.
What's new in v19.3?
(please note that most changes apply to X-Ways Forensics only)
File System Support
-
If the file header signature search in volumes with a
supported file system other than Ext2/Ext3 finds the start of a file in
free space, at a cluster boundary, the data is now by default assumed to
flow around potentially following clusters that are marked by the file
system as in use. This will correctly reconstruct files that were
created after and stored around other files and then deleted, as long as
the released clusters were not re-used and overwritten afterwards. To
prevent file carving purely in free space this way, i.e. to make it work
as in previous versions, you can UNcheck the new option "Carve files in
free clusters around used clusters". This option takes effect only at
the moment when files are added to the volume snapshot, not
retroactively for files that were added previously. Carved files purely
in free space retain the storage location that was assumed when they
were added to the volume snapshot even if the option is changed
afterwards. However, older versions of X-Ways Forensics will not
understand that certain files are assumed to flow around allocated
clusters and thus would present them as contiguous files, as usual, when
they work with the same volume snapshot.
-
Tools | Disk Tools | File Recovery by Type offers the
same cluster assignment logic.
-
If the file carving definition has the strong greedy
flag ("G"), after carving a file that flows around allocated clusters,
the file header signature search will only skip the first fragment of the
carved file. The "h" flag for header exclusion prevents the new carving
method from being applied to the affected file types.
-
The same logic to skip in-use clusters is now by
default also applied to deleted files in volume snapshots of FAT12,
FAT16, FAT32, and exFAT file systems, if not disabled in Options |
Volume Snapshot. That means that data of deleted files is now not
necessarily assumed to be contiguous any more, but assumed to occupy as
many free clusters from the start cluster number as are necessary to
accommodate the known file size, while skipping clusters that are marked
as in use by existing files. If the end of the volume is reached that
way, the next free clusters are taken from the start of the volume,
replicating the built-in logic of typical FAT32 file system drivers to
rotate through the volume on the search for allocatable clusters. As
this volume snapshot option retroactively changes the assumption about
the storage location of files that are already contained in the volume
snapshot, changing this option will also cause hash values to change if
they are re-computed.
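As an added illustration (this is example code, not X-Ways code), the two cluster-assignment assumptions described in the bullets above, the older "contiguous from the start cluster" assumption and the new "free clusters only, skipping in-use clusters, wrapping at the end of the volume" assumption, reimplemented in Python against a tiny constructed FAT-like volume. The cluster size, volume size, file contents and in-use set are all constructed for the example; the same functions apply to a carved file that starts in free space (first bullet) and to a deleted FAT file whose start cluster and size are known from its directory entry (this bullet). Running both reconstructions on the same deleted file shows why re-computed hashes change when the volume snapshot option is toggled.

```python
import hashlib

# Constructed toy volume: 16-byte clusters, data clusters numbered 2..11 (FAT numbers from 2).
CLUSTER_SIZE = 16
FIRST_DATA_CLUSTER = 2
LAST_CLUSTER = 11


def clusters_needed(size, cluster_size=CLUSTER_SIZE):
    """Ceiling division: how many clusters a file of `size` bytes occupies."""
    return -(-size // cluster_size)


def contiguous_chain(start, size, cluster_size=CLUSTER_SIZE):
    """Pre-19.3 assumption: a deleted file's data runs contiguously from its start cluster."""
    return list(range(start, start + clusters_needed(size, cluster_size)))


def skip_in_use_chain(start, size, in_use, cluster_size=CLUSTER_SIZE,
                      first=FIRST_DATA_CLUSTER, last=LAST_CLUSTER):
    """New assumption: take free clusters from `start` onward, skipping clusters that are
    marked in use by existing files, and wrap to the first data cluster at the end of the
    volume, mimicking a FAT32 driver that rotates through the volume when allocating.
    (If `start` itself is in use the file's beginning was overwritten; the rule still skips it.)"""
    need = clusters_needed(size, cluster_size)
    chain = []
    c = start
    for _ in range(last - first + 1):          # one full pass over the volume at most
        if len(chain) == need:
            break
        if c not in in_use:
            chain.append(c)
        c = first if c == last else c + 1     # wrap-around
    if len(chain) < need:
        raise ValueError("fewer free clusters than the file size requires")
    return chain


def read_chain(image, chain, size, cluster_size=CLUSTER_SIZE, first=FIRST_DATA_CLUSTER):
    """Reassemble file content from a cluster chain, truncated to the logical file size."""
    parts = [bytes(image[(c - first) * cluster_size:(c - first + 1) * cluster_size]) for c in chain]
    return b"".join(parts)[:size]


def build_volume():
    """Constructed evidence: LIVE.TXT occupies cluster 4; DELETED.TXT was written later,
    around it, into clusters 3, 5 and 6 and then deleted, so its own FAT entries are free
    again while cluster 4 is still allocated. Returns the raw image and the in-use set."""
    image = bytearray((LAST_CLUSTER - FIRST_DATA_CLUSTER + 1) * CLUSTER_SIZE)

    def write(cluster, payload):
        off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
        image[off:off + len(payload)] = payload

    write(4, b"LIVE FILE DATA..")
    write(3, b"deleted part 1--")
    write(5, b"deleted part 2--")
    write(6, b"deleted part 3")
    return image, {4}


DELETED_SIZE = 46   # 16 + 16 + 14 bytes, as recorded in the (constructed) directory entry


def reconstruct_both(start=3, size=DELETED_SIZE):
    """Return (contiguous_bytes, skip_in_use_bytes) for the constructed deleted file."""
    image, in_use = build_volume()
    old = read_chain(image, contiguous_chain(start, size), size)
    new = read_chain(image, skip_in_use_chain(start, size, in_use), size)
    return old, new


if __name__ == "__main__":
    old, new = reconstruct_both()
    for label, data in (("contiguous", old), ("skip in-use", new)):
        print(f"{label:12s} md5={hashlib.md5(data).hexdigest()} {data!r}")
    print("wrap-around chain from cluster 10:", skip_in_use_chain(10, 40, {4}))
```

The contiguous reconstruction pulls the live file's cluster 4 into the middle of the deleted file and therefore hashes differently from the skip-in-use reconstruction; the wrap-around call shows clusters 10 and 11 followed by cluster 2. As the release note says, this only holds as long as the released clusters were not re-used and overwritten afterwards.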
-
Significantly improved ability to recover deleted
files and directories in FAT32 volumes (ability to get the start
location right, in newly taken volume snapshots only).
-
File mode now offers a "raw" submode for
NTFS-compressed files. In Raw mode you can actually see the compressed
data as well as the sparse clusters, not the decompressed state of the
file. This is useful for research or educational purposes and because
theoretically small amounts of data could have been manually hidden in
the not clearly defined, but implicitly existing slack area of each
compression unit, which follows the compressed payload data.
-
Reduced the number of false positives when scanning
for lost Ext3/Ext4 partitions.
-
The "List Clusters" command in the directory browser
context menu has been revised. It can now be applied to some more
"exotic" objects that it could not deal with before, such as certain
embedded files, certain file system area files, and carved files. It
automatically outputs sector instead of cluster numbers for any objects
that are not aligned at cluster boundaries. It outputs the total number
of clusters or sectors even if contiguous series of clusters are
represented in the optional compact fashion. If exported to a text file,
the cluster list is automatically opened in the user's preferred text
editor. The effects of the aforementioned new cluster assignment logic
options are visible in newly populated cluster lists.
-
The volume snapshot options are now more clearly
structured, split into file system specific settings and file system
independent settings.
-
There is a new volume snapshot option that causes
X-Ways Forensics to read known uninitialized portions at the end of a
file (valid data length < logical file size) as binary zeroes instead of
as whatever data is stored in the clusters allocated. This mimics the
behavior of Windows when ordinary applications open files through the
operating system instead of reading the contents of the file directly
from the sectors in the volume. Useful for example to achieve hash
compatibility with such applications. This new option does not apply to
read operations for logical searches, so that logical searches remain
forensically thorough and clusters allocated to uninitialized portions
of files are still searched. This option has an immediate effect even on
already opened files, for the next read operation.
File Format Support
-
Details mode for JPEG files now shows an additional
table at the bottom. This table contains the generator signature as well
as the "condition" of the file, which may be "incomplete" (if the file
was truncated) or "trailing data" (if surplus data was appended to the
JPEG data) or in some cases "original" (if the file is believed with
great certainty to be in a pristine, unaltered state). "Original" is
based on the presence of thumbnails, the absence of color correction
certificates, the absence of unoriginal metadata such as XMP, based on
timestamps, based on artifacts left behind by known editing software,
and on whether a resize operation is detected.
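The "incomplete" and "trailing data" conditions can be checked mechanically by walking the JPEG marker structure: a file is incomplete if the buffer ends before the EOI marker (FF D9), and carries trailing data if bytes follow EOI. The following Python is an added example, not X-Ways code, and says nothing about the "original" determination, which relies on generator signatures and metadata heuristics that the note only sketches. The sample JPEG is a constructed marker skeleton (not a decodable picture); the "corrupt" state is an extra category of this example for broken marker structure.

```python
SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
RST_MARKERS = set(range(0xD0, 0xD8))
# Markers that carry no length field. (A second SOI at top level would be corrupt anyway.)
STANDALONE = RST_MARKERS | {TEM, SOI}


def skip_entropy_coded(data, pos):
    """Advance past entropy-coded scan data. Inside a scan, 0xFF is stuffed as FF 00 and
    restart markers FF D0..D7 may appear; any other byte after 0xFF starts a real marker."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF:
            nxt = data[pos + 1]
            if nxt == 0xFF:               # fill byte, look at the next one
                pos += 1
                continue
            if nxt != 0x00 and nxt not in RST_MARKERS:
                return pos                # real marker starts here
        pos += 1
    return len(data)


def jpeg_condition(data):
    """Walk the marker structure and report (condition, offset):
    'complete'      - EOI is the last thing in the buffer
    'incomplete'    - buffer ends before EOI (truncated file)
    'trailing data' - bytes follow EOI; offset is where they start
    'corrupt'       - marker structure broken (extra state of this example)"""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return ("not a JPEG", 0)
    pos = 2
    while True:
        if pos + 1 >= len(data):
            return ("incomplete", len(data))
        if data[pos] != 0xFF:
            return ("corrupt", pos)
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte
            pos += 1
            continue
        if marker == 0x00:
            return ("corrupt", pos)
        pos += 2
        if marker == EOI:
            return ("complete", pos) if pos == len(data) else ("trailing data", pos)
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return ("incomplete", len(data))
        seglen = int.from_bytes(data[pos:pos + 2], "big")   # includes the 2 length bytes
        if seglen < 2:
            return ("corrupt", pos)
        if pos + seglen > len(data):
            return ("incomplete", len(data))
        pos += seglen
        if marker == SOS:
            pos = skip_entropy_coded(data, pos)


def trailing_data(data):
    """Bytes appended after EOI (empty if none), e.g. a hidden archive in a JPEG/RAR hybrid."""
    condition, offset = jpeg_condition(data)
    return data[offset:] if condition == "trailing data" else b""


def build_sample_jpeg():
    """Constructed marker skeleton: SOI, APP0, DQT, SOF0, SOS, a few bytes of scan data
    containing a stuffed FF 00 and an RST0 marker, then EOI."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

    scan = bytes([0x12, 0xFF, 0x00, 0x34, 0xFF, 0xD0, 0x56])
    return (b"\xFF\xD8"
            + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00")
            + seg(0xDB, bytes(65))
            + seg(0xC0, bytes(9))
            + seg(0xDA, bytes(6))
            + scan + b"\xFF\xD9")


if __name__ == "__main__":
    good = build_sample_jpeg()
    for name, sample in (("pristine", good), ("truncated", good[:-4]),
                         ("hybrid", good + b"Rar!\x1a\x07\x00...")):
        print(name, jpeg_condition(sample), trailing_data(sample)[:4])
```

Searching for the last FF D9 in the file would be simpler but wrong for hybrids whose appended payload itself contains that byte pair; walking segments and skipping the entropy-coded data finds the real EOI and thereby the exact start of any appended data.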
-
Improved detection of scanned images. The model
designations of known scanning devices can be manually extended in the
section "KnownScanner" of "Generator Signatures.txt". Identification by
model name can help to identify scanned images if they contain Exif data
or were edited. Generally the detection as scanned images is based on 1)
generator signature, 2) generic properties of the Exif metadata
(FileSource, Density, ...) and 3) the KnownScanner list.
-
Improved detection of screenshots in JPEG format.
-
Recognition of JPEG files produced by Twitter through
their generator signature.
-
Checking the passwords in the password collection
provided for file archive exploration is now more thorough, avoiding
some rare false password matches.
-
Fixed a rare exception error that could occur with
password-protected RAR archives. Fixed another rare exception error in
conjunction with file archive handling.
-
RAR hybrid files now automatically receive a child
object named "Trailing data" so that no manual effort is required any
more to access the hidden data.
-
Uncovers embedded data from some more
.vcf files.
-
Carving method ~109 implemented for Blu-ray videos.
-
Google Analytics signature moved from the "Special
Interest" category to "Internet", as it has proven to be quite
worthwhile to collect web surfing events.
-
For UserAssist program executions, the event
description column now has the plain text description after ROT13
decoding.
-
Ability to interpret image files in TAR archive as
disks without having to copy/extract them out. Very handy for VMDK
virtual machine disks within OVA files (open virtualization archives in
TAR format).
-
Ability to extract metadata from some new PDF format
variants. PDF metadata extraction generally revised.
-
Prefix "Reporting::" inserted in generator signature
definitions for easier filtering for the category reporting/records
(account statements, credit card statements etc.).
-
Detection of scanned PDF documents further improved.
-
Different e-mail recipient groups (To:, Cc:, and
Bcc:, if present) are now more clearly separated from each other in the
Recipients column and the alternative .eml presentation.
-
Cc: and Bcc: recipients are now distinguished from
To: recipients in the Recipients column for MSG e-mail files as well.
Timestamps
-
In the properties of evidence objects with a FAT file
system you can now optionally define which time zone the local
timestamps in that file system are based on, if you have an opinion
about that. That time zone depends on the settings of the computer or
device that wrote to the file system. (Keep in mind that those settings
may have changed over time and thus a single time zone may not be
adequate to get all timestamps right.) If you define the time zone
reference, file system level timestamps are presented according to the
selected display time zone and not in their original local time any
more. They are internally converted from local time to UTC (based on
your time zone reference) and then from UTC to the display time zone, at
the moment when the timestamps are displayed. The effect is not
permanent, the reference time zone settings can be changed at any time.
The definition of a time zone reference is lost if you open a case in
versions older than v19.3.
-
When copying files from FAT file systems to an
evidence file container, file system level timestamps of these files are
usually marked in the container as based on an unknown local time zone
so that they will not be time zone adjusted when reviewing the container
in the future. If however you are certain about the original time zone
and define the time zone reference for the source evidence object, the
timestamps are converted to UTC within the container based on the
reference time zone and marked in the container as timestamps in UTC,
permanently. In that state the timestamps later will be adjusted
according to the selected display time zone, even if you change your
mind and change the reference time zone in the source evidence object.
The evidence file container is self-contained and separate from the
source evidence object once files have been copied.
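The conversion chain in the two bullets above (FAT local time, interpreted in a reference zone, converted to UTC, then to the display zone; the UTC value being what a container stores permanently) as an added Python example, not X-Ways code. It also decodes FAT's packed 16-bit date and time words, since that is the form in which the local timestamps actually sit in the directory entries. The sample entry and both zones are constructed; the fixed UTC offsets are an assumption of the example, a real reference zone has DST rules.

```python
from datetime import datetime, timedelta, timezone


def decode_fat_datetime(date_word, time_word, hundredths=0):
    """Decode FAT's packed 16-bit date and time into a naive local datetime.
    date: bits 15-9 years since 1980, 8-5 month, 4-0 day
    time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2
    hundredths: the optional 0..199 field (10 ms units) that creation times carry."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + hundredths // 100
    microsecond = (hundredths % 100) * 10_000
    return datetime(year, month, day, hour, minute, second, microsecond)


def encode_fat_datetime(dt):
    """Inverse of decode_fat_datetime; returns (date_word, time_word, hundredths)."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    hundredths = (dt.second % 2) * 100 + dt.microsecond // 10_000
    return date_word, time_word, hundredths


def present(local_naive, reference_tz, display_tz):
    """Interpret the FAT local time in the chosen reference zone, convert to UTC (this is
    the value a container would store permanently), then convert to the display zone at
    display time. Returns (utc, displayed)."""
    utc = local_naive.replace(tzinfo=reference_tz).astimezone(timezone.utc)
    return utc, utc.astimezone(display_tz)


def demo():
    """Constructed entry: 2017-06-14 09:30 local, written by a machine set to UTC+2,
    reviewed by an examiner whose display zone is UTC-4. Fixed offsets are an assumption."""
    local = decode_fat_datetime(0x4ACE, 0x4BC0)
    utc, shown = present(local, timezone(timedelta(hours=2)), timezone(timedelta(hours=-4)))
    return local, utc, shown


if __name__ == "__main__":
    local, utc, shown = demo()
    print("FAT local time :", local)
    print("UTC (container):", utc.isoformat())
    print("display zone   :", shown.isoformat())
```

For a real case, replace the fixed offsets with zoneinfo.ZoneInfo names so that DST is applied per timestamp; even then the caveat from the note stands: the writing computer's zone setting may have changed over its lifetime, so one reference zone can be right for some entries and wrong for others, and a wrong reference zone baked into a container cannot be undone later.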
-
The time zone conversion hints after timestamps in
the directory browser (the number of hours that have been added to or
subtracted from UTC) are now included in tooltips for these cells.
-
Consistency of timestamp notation and Unicode
capability of timestamp notation improved in a few places in the GUI and
in the case report/log.
-
As the number of years represented in Calendar mode
is limited, garbage timestamps in the far past can keep you from seeing
the years that you are interested in if you don't set a filter or don't
delete events with garbage timestamps. A new option now allows you to set the
minimum year that will be represented by the calendar. Any timestamps in
earlier years will be disregarded by the calendar even if no filter is
active. By default, the minimum year is the year 2000. To change it,
click the number of the first year on the left in Calendar mode.
-
The Data Interpreter and also templates can now
display and edit FILETIME timestamps with a precision of milliseconds,
depending on the settings in Options | Notation.
-
Timestamps of files in OS directory listings and
remote network drives are now displayed with higher precision.
-
Display of internal creation timestamps in the
"Content created" column with millisecond precision, where available.
Searching
-
The whole words only option of the Simultaneous
Search works with a user-defined alphabet of characters of which words
are composed, in order to identify what a word is and where its
boundaries are. In previous versions, only an alphabet of characters
from the Latin 1 code page was supported (for all Western European
languages). Now an additional alphabet can be defined for letters of
certain other languages. If activated, it is used for searches in UTF-16
and searches in regional ANSI/OEM/IBM/ISO/Mac code pages with 1 byte per
character, such as for Cyrillic, Greek, Turkish, Arabic, Hebrew,
Vietnamese, and various Central/Eastern/South Eastern European
languages. The Cyrillic alphabet is predefined.
-
Ability to index words that contain characters with
special GREP meaning, such as #.?()[]{}\*, without masking them, both
with the "range:" prefix and without.
-
Manual relocation or resize operations on search hits
through the context menu may now exceed 32,767 bytes (up to
2,147,483,647 supported in both directions). Through a related
command in the directory browser context menu, the size of carved files
can now be set manually as an absolute number instead of as an
adjustment to the previous size. The maximum size supported by this
operation is 4,294,967,295 bytes.
-
Ability to run the simple search functions (Find
Text, Find Hex Values) with the "List search hits" option in File mode
even in evidence objects. The search hits will be collected in the
general Position Manager.
-
Search hits in the general Position Manager are now
optionally deleted as soon as the general Position Manager is closed, to
avoid confusion as positions in the general Position Manager have no
reference to a particular file or disk and are intentionally applied to
whatever data source is active when invoked. The option can be found in
the Position Manager's context menu.
X-Tensions API
-
The XWF_GetItemType function now allows to find out
the detected file format consistency for a file.
-
The XWF_ShouldStop function now does not only check
whether the user wishes to abort lengthy operations, it also helps to
keep the GUI responsive when the X-Tension is not executed in a separate
worker thread. Calling this function regularly will process mouse and
keyboard input, allow the windows to redraw etc. The user realizes that
the application is not hanging, and potential attempts of the user to
close the progress indicator window will be noticed. Even if you ignore
the result of this function call during lengthy operations conducted by
your X-Tension, you are doing something good already by making the calls
in the first place.
-
The X-Tension function XWF_CreateEvObj can now add
multiple image files to the case with a single function call.
-
New X-Tensions API function XWF_GetHashSetAssocs.
Retrieves the name(s) of the hash set(s) that the specified file is
associated with.
Keyboard Shortcuts
-
It is now possible to define up to 20 custom keyboard
shortcuts for commands in the directory browser context menu and
elsewhere, in a dialog window that can be accessed from within Options |
Directory Browser. Currently available only in X-Ways Forensics.
Shortcuts are meant to increase your productivity while using the
functionality that you need most often. Only key combinations that
involve the keys Ctrl, Alt Gr, Shift and Space are supported. Please
note that if you use the Space key for any keyboard shortcut, you cannot
use it any more to tag or untag items. The second key can be relatively
freely defined by just pressing it when the grayed out edit box has the
input focus. In case no human-readable description of the selected key
is provided and you later forget what key you had defined, you can check
out this list of hexadecimal key codes:
https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx
The following ~80 directory browser menu command codes can
theoretically be used (not all tested) and have to be entered as a
number:
9800: View with external viewer program #1
9801: View with external viewer program #2
9802: View with external viewer program #3
...
9831: View with external viewer program #32
9919: Define file type
9920: Go to related file
9921: Refine volume snapshot for selected files
9927: Run X-Tension on selected files
9928: Attach external file
9931: Edit metadata
9932: See this file in its directory
9933: See this file from volume root
9934: Find parent object
9935: Logical search within selected files
9937: Attach external directory
9938: Erase securely
9939: Leave search hit list for specific directory
9940: Delete duplicate search hits in list
9941: Select excluded items
9942: Edit comment
9944: Include
9945: Select tagged items
9946: Exclude all except tagged items
9947: Hide tagged items
9948: Add to evidence file container OR skeleton image if active in the
background
9949: Resize search hit
9950: Convert search hit to carved file
9951: Resize carved and virtual files
9952: Assign search hit to other search term
9953: Extract consecutive video frames
9954: Include search hit in report
9955: Mount as drive letter (makes sense only if a directory is
selected, and only one)
9956: Watch with preferred video player
9957: View with preferred HTML viewer
9958: View with preferred text editor
9959: Execute/open in associated external program
9960: Select viewed items
9961: View with to-be-selected external program
9962: Remove duplicates based on hash
9963: Seek item based on int. ID
9964: Sort by relevance
9965: Print
9966: Seek item based on list item number
9967: Sort by nothing
9968: Select all
9969: Filter by the selected file's hash value (to find duplicates)
9971: Explore
9972: Mark search hit as notable
9973: Open
9974: Navigate to defining data structure
9975: Export list
9976: List clusters
9977: Recover/copy
9978: Explore/view
9979: Invert selection
9980: Include in hash database
You will notice a few suspicious gaps in between the incrementing
numbers. The missing numbers are either unassigned, discouraged from
being invoked, or simply don't make much sense to define for a keyboard
shortcut. As an example of the latter, 9929 will delete selected search
hits or events, something that can of course be accomplished already by
pressing the Del key. This information shall reduce your urge to
randomly try numbers not listed here, although who knows whether one
undocumented number may trigger a secret "Find all evidence" command.
Please note that even without defining any such keyboard shortcut you
can reach all directory browser context menu commands purely with the
keyboard by pressing the context menu key. (Usually to be found between
the right-hand Windows key and the right-hand Ctrl key.) Some menu
commands already have a predefined keyboard shortcut. For example the
Enter key is the same as a double click (either View or Explore,
depending on your settings). The multiplication key of the numeric keypad
triggers the Explore command. Del means Exclude. Ctrl+Del resets files
to the "still to be processed by volume snapshot refinement" state and
undoes some refinement operations. Ctrl+Shift+Del removes hash set
matches, hash category, and PhotoDNA categorization. Ctrl+Caps Lock+Del
removes the "file contents unknown" flag from a file. (Useful for
example if because of temporary I/O problems X-Ways Forensics marked
files that way although generally the files can be read just fine.)
Ctrl+C copies the selected items into the clipboard using special
settings of the Export List dialog window.
The user-defined keyboard shortcuts should be able to invoke practically
all commands from the main menu as well, and even if parts of the user
interface other than the directory browser have the input focus. If the
command code of a menu command changes in a future version, X-Ways
Forensics will ensure that any keyboard shortcut targeting that code
will automatically become inactive, to prevent accidental misuse. To
find out the command codes of commands in the main menu (also called IDs
of menu items), you can open the main executable file in a so-called
resource editor and have a look at the menu resource in your preferred
language. A highly recommendable light-weight example of such a tool is
"Pelles C for Windows", which also happens to be a fine C compiler and
complete development kit suitable for creating X-Tensions.
Keyboard shortcuts for main menu commands should be less important than
for directory browser context menu commands because the main menu
already has many dedicated keyboard shortcuts predefined, or even if not
can be reached without taking one's hands off the keyboard starting with
the Alt key. To give you some ideas about useful applications, FYI the
command code to toggle between recursive and non-recursive exploration
is 122, and the command code to take a new volume snapshot is 109.
Command codes defined for filters
(The order is the historical order in which filters were introduced.)
9700: Name
9701: Type
9702: Type status
9703: Category
9704: Size
9705: Path
9706: Sender
9707: Recipients
9708: Timestamp
9709: Attr
9710: Hash 1
9711: Hash set
9712: Hash category
9713: Report table
9714: Comment
9715: Metadata
9716: Analysis
9717: Pixels
9718: Int. ID
9719: Unique ID
9720: Search terms
9721: Owner
9722: Parent name
9723: Child objects
9724: ID
9725: Author
9726: Search hit description
9727: Event timestamp
9728: Event type
9729: Event description
9730: Search hit
9731: First sector
9732: Description
9733: Hash 2
9734: Full path
9735: Flex filter 1
9736: Flex filter 2
Command codes for the Mode buttons and related buttons
122: Toggle recursive exploration
138: Access button popup menu
172: Toggle Directory Browser
186: Toggle Position Manager
223: Toggle Search Hit List
224: Toggle Event Hit List
225: Disk/Partition/Volume/Container mode
226: File mode
227: Preview mode
228: Details mode
229: Gallery mode
230: Calendar mode
231: Legend mode
232: Sync mode
249: Raw preview mode
250: Viewer X-Tension preview mode
Automation
-
New command line parameter "Cfg:", which determines
the name of the configuration file from which X-Ways Forensics will read
during start-up and to which it will write when terminating, in
situations when you need to use an alternative configuration (not the
one stored in the main WinHex.cfg file). For example useful if for
automated processing you need different settings than for manual
execution, with specific volume snapshot refinement operations selected
or to avoid the prompt whether a second instance should be started. Such
a parameter looks like "Cfg:My other settings.cfg". The quotation marks
are required only if the name contains spaces. The maximum length of the
name is 31 characters. Only ANSI/ASCII characters supported currently.
-
Text in message boxes that usually need to be clicked
away by the user is now redirected to the Messages window while
processing the command line parameters "AddImage" and "RVS". Dialog
boxes, if any, would still pop up normally.
-
The command line parameter AddImage can now be used
to add multiple image files to the case at the same time, with an
asterisk in the filename, such as "AddImage:Z:\My Images\*.e01".
-
The "AddImage" command line parameter now supports
optional sub-parameters to force interpretation of an image as either a
physical, partitioned medium (P) or a logical volume (V) and to force
interpretation with a certain sector size, where the sector size is
optional, e.g.
AddImage:#P#Z:\Images\*.dd
AddImage:#P,4096#Z:\Images\*.dd
If you do not specify these sub-parameters, a dialog window might pop up
to ask the user for this input, but only in some very rare cases. Only
if 1) it is not obvious to X-Ways Forensics from the data in the first
few sectors what kind of image it is and 2) if the image was not created
by X-Ways Forensics or X-Ways Imager and 3) if the image is in raw
format. Only if all three conditions are met at the same time plus you
do not specify the sub-parameters, then the dialog window will pop up
and interrupt automatic processing.
User Interface
-
Dedicated icon for evidence file containers in the
Case Data window.
-
Larger font in the text column display for UTF-16 for
better readability, especially of Chinese characters.
-
Avoided some rare graphical artifacts in the text
column display for code pages with a variable number of bytes per
character.
-
Text representations of dialog windows now by default
omit unselected list box items and unchecked check boxes and radio
buttons. This is a new option in the special menu that you get when you
click the small unlabeled button in the upper left corner of a dialog
window. It also affects the textual summary of active filters.
-
The Info window is now called Output window, as that
more precisely describes its purpose. And it now gets its own screen
coordinates and a centered position initially, and its coordinates are
remembered separately from those of the Messages window, as otherwise
some users seem to completely overlook that window, and they even
contact us when they don't see the output that they expect, although
it's visible on their screens.
-
New menu command available to collapse the entire
case tree when right-clicking the case title.
-
Carved files are now identified as such not only by
the Description column, but also by their icons, with by default either
a stylized C (Windows 7) or a hammer (Windows 10, unavailable in Windows
7). The exact character can be entered in the Options | Notation dialog.
Hopefully that way some users will no longer find it necessary to name
all carved files with a prefix like "Carved_".
-
The information that a file was originally a carved
file is now preserved in evidence file containers and shown in the
Description column and icon even for files within containers.
-
The special file icon for pictures now by default no
longer gets symbols like question marks, arrows, scissors, hammers, etc.
superimposed, which is easier on the eye. You can still tell the exact
deletion status from the Description column, and the rough
deletion/existence status is still obvious from the contrast of the
icon. However, if the box for this option is half checked, the icon is
displayed as in previous versions, with full details.
-
The command to view the selected file with a selected
external program now invokes the standard Windows dialog to pick such a
program.
-
Whether the viewer component or the internal graphics
viewing library should be used for pictures is now remembered by X-Ways
Forensics separately for Preview mode and the View command. For the View
command the behavior can be changed in Options | Viewer Programs.
-
When not allowing to view multiple pictures at the
same time with the View command and the internal graphics viewing
library, a new "Auto update" option is now available in Options | Viewer
Programs, which will refresh the View window for a picture immediately
when a new picture is selected in the directory browser, one way or the
other, for example with a single mouse click or when advancing to the
next file after defining a report table association. This behavior was
previously limited to the arrow keys in the gallery. It should be useful
mainly for work with multiple monitors.
-
Italian translation updated.
Miscellaneous
-
FlexFilters are now optionally case-sensitive.
Case-sensitive operations are always faster and should be used for
performance reasons unless you require otherwise.
-
Category pop-up menu statistics are retained when
activating the filter.
-
The blue funnel symbol on both sides of the caption
line of the directory browser is now always present when filters are
active, even if the filters do not actually filter out any items.
-
Byte-wise checksum computation for multi-byte
accumulators as was the standard in v18.9 and earlier is now an option
in Options | Security. The newer variant is to compute multi-byte
checksums by adding units that are equivalent in size to the accumulator
itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real
life applications.
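The two checksum variants described above, side by side, as an added Python example (not X-Ways code) so the difference can be seen on concrete bytes: the byte-wise variant adds each byte into the accumulator, the unit-wise variant adds accumulator-sized words. The release note does not say how a trailing partial unit is treated in the unit-wise variant; zero-padding it is an assumption of this example, as is little-endian unit order. The input bytes are constructed.

```python
def checksum_bytewise(data, width=4):
    """Add every byte into a `width`-byte accumulator (the v18.9-and-earlier behaviour,
    now selectable as an option under Options | Security)."""
    mask = (1 << (8 * width)) - 1
    return sum(data) & mask


def checksum_unitwise(data, width=4, byteorder="little"):
    """Add `width`-byte units (e.g. 32-bit words for a 32-bit checksum) into a `width`-byte
    accumulator, the newer default. A trailing partial unit is zero-padded here; that
    handling and the little-endian unit order are assumptions of this example."""
    mask = (1 << (8 * width)) - 1
    total = 0
    for i in range(0, len(data), width):
        unit = bytes(data[i:i + width]).ljust(width, b"\x00")
        total = (total + int.from_bytes(unit, byteorder)) & mask
    return total


def both(data, width=4):
    """Return (bytewise, unitwise) for side-by-side comparison."""
    return checksum_bytewise(data, width), checksum_unitwise(data, width)


if __name__ == "__main__":
    sample = bytes(range(1, 9))        # constructed input 01 02 .. 08
    bw, uw = both(sample)
    print(f"bytewise 32-bit: 0x{bw:08X}   unitwise 32-bit: 0x{uw:08X}")
    print("8-bit accumulators agree:", both(sample, 1)[0] == both(sample, 1)[1])
```

For an 8-bit accumulator the two variants coincide; for wider accumulators they diverge on almost any input, so when matching a checksum produced by another application you need to know which convention it used (both exist in the wild, as the note says) before concluding that data was altered.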
-
Recover/Copy: Ability to specify the name of the log
file if the file is created in the output directory. Useful if you run
multiple Recover/Copy operations specifically for different purposes, to
produce one separate log file for each output.
-
Export List: The search hit context size units now
correctly designated as characters instead of bytes.
-
Ability to open spanned LVM2 volumes if the other
disk is missing. Available data will be incomplete, but potentially
still very helpful.
-
Ability to open an evidence object that is a
directory even if that directory does not exist any more, to be able to
at least check out the volume snapshot again, using the command "Open
(without disk/image)".
-
We are pleasantly surprised that you are reading
every single bullet point. Thank you very much for your time.
-
Option to unload the hash database if loaded at the
moment when all data windows are closed (the moment when the last open
data window is closed), to save main memory or to specifically allow
other concurrent users or instances to change the hash database.
-
Ability to set the alternative name of a file by
holding the Shift key when renaming it (at the moment when clicking the
OK button).
-
The Technical Details Report now has an option to
show a byte-swapped version of hard disk serial numbers in addition to
the serial number reported through the operating system, when in doubt.
Some users of certain interfering hardware write blockers may find that
useful.
-
More complete representation of the logical memory
address space of 64-bit processes.
-
More tolerant to corruption in internal metadata
storage files.
-
Many minor improvements.
-
User manual and program help updated for v19.3.
Changes of service releases of v19.2
-
SR-1: Fixed inability of v19.2 to remember the
default volume snapshot refinement operations when run from the command
line.
-
SR-1: Fixed inability of v19.2 to uncover embedded
data from selected files.
-
SR-1: Fixed inability of v19.2 to take volume
snapshots of drive letters without sector level access.
-
SR-1: Metadata extraction from certain irregular DOCX
files supported.
-
SR-1: Improved internal handling of FlexFilters.
-
SR-2: Now able again to cope with .e01 evidence files
that are incorrectly marked as images or physical disks by 3rd party
software although they are just volume images.
-
SR-2: Fixed incorrect extraction of attachments
encoded by Gmail found in MBOX archives and loose EML files.
-
SR-2: Fixed a cause of instability when the "Search
in directory browser cells (metadata)" option was used for the
Simultaneous Search.
-
SR-2: Fixed a rare exception error that could occur
when extracting metadata from certain corrupt Zip-styled Office document
files.
-
SR-2: The option to show non-picture files in the
gallery is now represented by a three-state check box. If half checked,
only those non-picture files will be represented as thumbnails in the
gallery whose type can be confirmed or newly identified by X-Ways
Forensics. That means that files of unknown types and garbage files will
not be represented in the gallery any more. This will speed up the
gallery, reduce the number of thumbnails with just ASCII character
gibberish in them, and perhaps most importantly prevent an error in the
viewer component from occurring, which exhausts the pool of available
GDI objects (handles in the graphics device interface of Windows) in the
process and leads to graphical screen artifacts, loss of functionality
or even crashes. So far only files with garbage data are known to
trigger this error. The error is probably very rarely encountered when
specifically viewing or previewing individual files only, but when
reviewing large amounts of non-picture files in the gallery it becomes
more likely to occur. The error is known to Oracle as bug #25430258. No
fix has been made available yet.
-
SR-2: Images stored in nested subdirectories of the
case directory instead of directly in the case directory are now also
found immediately even if drive letter or absolute path of the case have
changed.
-
SR-2: Chinese translation of the user interface
updated.
-
SR-3: The time out for the generation of thumbnails
of non-picture files in the gallery is now the same user-defined value
as previously used only for pictures that are loaded by the internal
graphics viewing library. It can be adjusted in Options | Viewer
Programs. A smaller value may result in a faster display of the gallery,
but at the cost of interrupting the loading process of the viewer
component for some files, in which case the gallery tile shows "Error -
operation cancelled".
-
SR-3: v19.2 SR-2 did not properly execute external
viewer programs. That was fixed.
-
SR-3: Videos are now again represented in the case
report by their first extracted still as a thumbnail.
-
SR-3: If the output of the Compare function was a
text file and the comparison start offsets in the two data windows were
different, the second offset reported for a found difference was off.
That was fixed.
-
SR-3: Fixed a problem in LVM2 support.
-
SR-3: Fixed a rare exception error that could occur
when producing a registry report based on Reg Report Free Space.txt.
-
SR-3: Prevented rejection of certain ProjectVic JSON
files for PhotoDNA import.
-
SR-4: Ability to show gallery tiles with rotating
still images for processed videos in situations in which that did not
work previously.
-
SR-4: Prevented a situation where the category
statistics in the Category column's pop-up menu filter could be that of
another data window.
-
SR-4: Fixed inability of v19.2 to take a volume
snapshot of a directory with a network path (UNC path).
-
SR-4: The Exif metadata field formerly officially
called "Date taken" is now called "Content modified" in X-Ways
Forensics.
-
SR-4: A relative path for the PhotoDNA hash database
is now supported and preserved in Options | General.
-
SR-4: Fixed slightly corrupted presentation of e-mail
attachments in some specific situations (e.g. Facebook e-mail received
via Hotmail).
-
SR-4: Run counts from Windows 10 Prefetch files, while
shown correctly in Preview mode, were not extracted correctly into the
Metadata column. That was fixed.
-
SR-5: If original pictures were not included in the
case report, but thumbnails of pictures were supposed to be output,
those thumbnails were not generated for very small pictures. That was
fixed.
-
SR-5: Under certain circumstances the detection of
scanned images/PDF documents failed. That was fixed.
-
SR-5: The whole words only option of the Simultaneous
Search is no longer applied to search hits that are not words according
to the user's selected alphabet definition (checking only the first and
the last character in the hit). However, the GREP word boundary
indicator \b is still applied in such a case, for example to be able to
search for certain data in between words, data that is not considered a
word itself.
-
SR-6: The volume snapshot refinement option of v19.1
and later to omit files deemed irrelevant by the hash database also
omitted known uncategorized files if they were identified as such only
by a previous refinement run, with no re-matching. That was fixed.
-
SR-6: Fixed incorrect size of a few carved files
and avoided output of some irrelevant/damaged OLE2 objects.
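The SR-5 change to the "whole words only" option of the Simultaneous Search is easier to reason about with a small model of the two mechanisms side by side: the post-filter, which only looks at the first and the last character of a hit to decide whether the hit is a word at all, and the GREP word boundary \b, which the regex engine evaluates independently of that filter. The following Python is an added example, not X-Ways code; ALPHABET stands in for the user's selected alphabet definition and the text is constructed sample input.

```python
import re
import string
from typing import List, Tuple

# Added example, not X-Ways code. ALPHABET stands in for the user's alphabet
# definition; TEXT is constructed sample input.
ALPHABET = frozenset(string.ascii_letters + string.digits + "_")

TEXT = "the password is pass-word; passwords - are passed around"


def is_word(hit: str, alphabet=ALPHABET) -> bool:
    """Only the first and the last character of a hit decide whether the hit
    counts as a word (the rule described for SR-5)."""
    return bool(hit) and hit[0] in alphabet and hit[-1] in alphabet


def whole_word_hits(text: str, pattern: str, alphabet=ALPHABET,
                    whole_words_only: bool = True) -> List[Tuple[int, str]]:
    r"""Run a GREP search and apply the 'whole words only' post-filter.
    \b inside the pattern is evaluated by the regex engine regardless of the
    filter, so a non-word hit such as a hyphen between two words can still be
    pinned down with \b-\b."""
    hits = []
    for m in re.finditer(pattern, text):
        hit = m.group(0)
        if whole_words_only and is_word(hit, alphabet):
            before = text[m.start() - 1] if m.start() > 0 else ""
            after = text[m.end()] if m.end() < len(text) else ""
            if before in alphabet or after in alphabet:
                continue  # hit is part of a longer word: not a whole word
        hits.append((m.start(), hit))
    return hits


if __name__ == "__main__":
    print(whole_word_hits(TEXT, "pass"))          # [(16, 'pass')]  only "pass-word"
    print(whole_word_hits(TEXT, "-wor"))          # [(20, '-wor')]  not a word, filter skipped
    print(whole_word_hits(TEXT, "s-w"))           # []              a word, embedded, dropped
    print(whole_word_hits(TEXT, r"\b-\b"))        # [(20, '-')]     \b still applies
```

The third and fourth calls show the two sides of the change: "s-w" starts and ends with alphabet characters, so the whole-word filter still applies and drops the hit inside "pass-word", whereas "-wor" is not a word by that rule and survives even though it is followed by "d"; the hyphen between words is found with \b-\b while the free-standing " - " is not.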
Thank you for your attention! We hope to see you soon somewhere on
http://www.x-ways.net or on our
Facebook page.
You may also follow us on
Twitter! Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
here.
Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde