X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 


WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#161: X-Ways Forensics, X-Ways Investigator, WinHex 19.9 released

Nov 15, 2019

This mailing is to announce the release of another update with many notable improvements, v19.9. The release date was 2019-11-14.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal or professional license and access to updates)

Customers please go to https://www.x-ways.net/winhex/license.html for download links, the current log-in data, details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Dates Location Course Delivered by
Nov 18-21 Augusta, GA X-Ways Forensics H-11
Nov 18-22 Ottawa, ON X-Ways Forensics I+II (full) X-Ways
Nov 25-28 London, England X-Ways Forensics (full) X-Ways
Nov 26-29 Canberra, Australia X-Ways Forensics CBIT
Dec 3-4 Online X-Ways Forensics II X-Ways
Dec 9-12 Huntington Beach, CA X-Ways Forensics H-11
Dec 16-19 London, England X-Ways Forensics X-Ways

Please sign up for our training newsletter here if you would like to be kept up to date on future classes.


What's new in v19.9?
(please note that most changes affect X-Ways Forensics only)

Recover/Copy Command

  • There is now an option to convert files of certain supported types to PDF format, to share those files with computer users that otherwise would not have suitable applications to view the files or if you generally prefer a fixed, context-insensitive representation. You can define the file types that do not need to be converted, e.g. those that can easily be displayed by a web browser or ordinary Windows tools. If no conversion is possible, the original file is copied unconverted.

  • Ability to extract pure text from files of various types and output it as plain text files. That is the same representation that you get when switching from ordinary Preview mode to raw Preview mode with the Shift key held, and the same text that a logical search would get to see of a file when you have X-Ways Forensics "decode" the text in a file. Files that are not suitable for text extraction (e.g. pictures) or from which no text can be extracted for whatever other reasons are copied normally if the corresponding checkbox is only half checked, or are omitted if fully checked.

  • There is now an option to output all selected files as a single PDF document. This includes even file types that would usually not be converted to PDF individually. For example it may not make sense to recode original PDF files as PDF files again individually, but if the purpose is to bundle multiple files in a single document for easier sharing it has merit.

  • You now have the option to output the alternate name of a file, or both the main name and the alternate name in the copylog.txt or copylog.html file depending on what you prefer to see.

  • That same option also exists for the Export List command.

Case Report

  • Files that are copied for and linked from the case report can now be converted to PDF format if needed, similar to the aforementioned option of the Recover/Copy command.

  • You can now choose to convert the entire HTML case report to PDF format. This cannot be used in conjunction with the option to split the report file after a certain number of files. If the box with the PDF option is fully checked, that means that you will receive only a PDF version of the report. If half checked, that means that you you will receive both an HTML and a PDF version of the report.
    Please note that if you later delete one of the two files (.html and .pdf) in the Windows Explorer/File Explorer,  this will automatically and involuntarily also delete the corresponding subdirectory that contains the copied files for the report, if there is such a directory, even if those files are still needed for the respective other version of the report.

  • The generation of report thumbnails for non-picture files with or without shrinking is now possible in current versions of Windows 10 (1809 and 1903).

  • The report generation no longer makes copies of files with a size of 0 bytes.

Case Management

  • Images of a case are now found automatically in the case directory even if they are not remembered to have been there previously (this condition existed in earlier versions). This works even if the path of a case changes. Please remember, the case directory is the directory of a case, with the same name as the .xfc file of the case, not to be confused with the default directory for cases, which may contain many cases (multiple .xfc files and multiple case directories).

  • A dedicated case-specific default path for images can now be defined and enabled in the properties of a case, which then overrides the generic default path for images. That means it will be preselected when creating new images and when adding images to the case. It will also be a place where X-Ways Forensics will automatically look for images that cannot be located any more in the path were they were last known to be. The case-specific path may be a relative path, where a . refers to the case directory and .. to the parent directory of the case directory. A suggested dedicated place where to put the images of a case is the subdirectory \!images of cases that are newly created in v19.9.
    Please note, however, that for performance reasons it can still be advisable to store cases and images on different physical storage devices. If you define a case-specific image path in v19.9 and open the case in v19.8 or earlier, you will get a warning about unknown data being ignored and lost, but can still work with that case in the older version and later enter the path again in v19.9 if necessary.

  • Project Vic categories for the USA are now predefined in the user-editable text file PVicCat.txt. Law enforcement users from UK and Canada can download their own definitions from the PhotoDNA download section on our web server and replace the default PVicCat.txt file in their installations. Users in other countries with differing categories can gladly share their category definitions with us for the benefit of other users.

Search Functionality

  • Indexing and index searches were revised.

  • Ability to permanently remember friendly names for complex GREP expressions when you rename search terms in the search term list. Future searches for the same expressions will immediately add entries in the search term list with the more easily recognizable friendly names. Friendly names and corresponding GREP expressions are stored in the text file "GREP Expressions.txt", which you can share with your colleagues and from which you can easily copy and paste GREP expressions when needed. The file can be opened from within the Simultaneous Search dialog window by clicking on the button with the yellow lightbulb (lightbulb for "ideas" for expressions to search for). You can edit the file directly with any text editor. Just keep the structure intact: Always 1 friendly name followed by 1 GREP expression, 2 lines for each such pair, in UTF-16.

  • The logic of the search hit filter was refined: You now have the ability to focus on search hits whose context does NOT contain a certain word. And you have the ability to logically combine all filter options with a logical OR or AND.

  • There is now a context menu command in search hit lists that unmarks all search hits in the evidence object(s) represented by the current data window as notable. This allows for incremental filtering. Example: You filter for search hits whose context contains the word "Hello". Then you mark those hits as notable (Ctrl+A plus context menu command). Then you filter for search hits that are notable AND contain the word "Hey". Then you unmark all search hits (even those that are currently not listed), which has no immediate effect on the presented list, and mark those that are listed as notable. The result is that all search hits that contain both "Hello" and "Hey" in their context are now marked as notable.

  • It is now possible to omit files from logical searches that are known from a hash database in any sense (whether known good or known bad).

File Type Support

  • The picture viewing library updated, revised especially for GIF pictures.

  • The algorithm to compute the generic relevance of pictures has been revised. It now tries to put more emphasis on intelligence value rather than news value, and to weigh evidential value higher than informational value.

  • Relevance computation was revised for JPEG and PNG pictures in particularar. 3.0 is the base value defined for JPEG files in File Type Categories.txt. 3.0 is also a value that you can expect from pictures that are just advertising. 3.2 = typical browser cache picture. 3.5 = typical for a picture from the system partition. 3.9 = social media. 4.1 = webcam. 4.2 = backup. 4.7 = photo as originally taken by a digital camera. Sorting picture by relevance achieves a grouping effect in the gallery because pictures from a similar context are sorted next to each other.

  • Relevance computation is now performed for some more exotic file types that were not covered previously.

  • The generator signature table was significantly expanded and updated. For example it now has a new signature for smartphones like the Samsung Galaxy S10.

  • Recognition of device types screen and front camera updated for newer iPhone and Samsung smartphone models.

  • Reduced incidents of misidentification of files as being produced by the device type "Scanner".

  • A new video generator signature was added.

  • Generator signatures are now computed for more files, which may include the file types GIF, HTML, WEBP, AVI and the RIFF format family.

  • The list of recognized smartphone models was considerably extended and updated with new models.

  • The table of iOS release dates was updated.

  • Details mode: The summary field "Timestamp from file name" is now more generally named "Filename analysis". It shows the recognized naming scheme, such as Twitter, and/or a timestamp. Often JPEG files contain an additional timestamp in their names. The recognized naming scheme affects the relevance computation.

  • Two more timestamps are extracted from the PNG file format.

  • Some rare creation timestamps extracted from XMP metadata in JPEG files.

  • Two more timestamps in JPEG files are now considered candidates for the Content created column. If an official creation timestamp is found in the internal metadata, that timestamp will be shown there. If not, practically any other plausible timestamp may be used as a substitute, even a timestamp derived from the filename if necessary. That way an estimated ~60% of all JPEG files can be presented with a Content created value.

  • Extraction of creation timestamps from iPhone screenshots in PNG format.

  • Content created timestamps are now inherited from the parent file by extracted thumbnails.

  • Ability to uncover JPEG objects in PDF documents with a certain wrong encoding.

  • Improved extraction of metadata from MSG files.

  • Extraction of original filenames from old style INFO2 recycle bin files.

  • Ability to preview inactive versions of utmp, wtmp and btmp logs.

  • PLists and BPLists are now parsed for Preview mode when needed if the volume snapshot has not been refined yet and the child object with the parsed contents does not exist yet.

  • PNG and WEBP file processing revised. The generic relevance is now computed analogously to JPEG files.

  • Improved detection of spanned archives. Archive processing revised in general.

File System Support

  • The first sector of a completely uninitialized file (valid data length = 0) is no longer omitted from the file header signature search.

  • Preview mode reads uninitialized portions of files now exactly as File mode, depending on the corresponding volume snapshot option.

  • When searching for FILE records everywhere as part of the particularly thorough file system data structure search, clusters belonging virtual machine disk images are omitted. This now works for more such disk image types.

  • The output of simple extended attributes in Apple file systems as special lines in the Metadata column instead of child objects is now optional. If included in the Metadata column, the Metadata field will now also be shown in Details mode.

Miscellaneous

  • Technically minded users now have the ability to set the desired attributes of newly created image files, such as "read-only" or "encrypted", as well as buffering flags for performance tweaking in unusual environments such as "write through". Attributes are defined most thoroughly at https://docs.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants, flags at https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea. The flag for "no buffering" should not be used. Attributes and flags are combined by oring or adding them and have to be specified in hexadecimal notation.

  • A raw (non-.e01) evidence file container can now be interpreted and mounted as a drive letter in WinHex with any license type, to render the files accessible in other tools if those other tools do not understand the container format natively. (If such a container contains no more than 1,000 objects, then even the evaluation version of WinHex can do that.)

  • Hex editing: WinHex now allows to replace a fixed-length series of hex values that are all wildcards with other hex values, where the replacing hex values can partially be wildcards, as well to keep some original (variable) hex values and change others.

  • The X-Tension API command XWF_OpenItem (in conjunction with XWF_Read) can now be used to retrieve a PDF representation of the requested file.

  • The X-Tension API command XWF_GetItemName now allows to retrieve the alternative name of a file in the volume snapshot.

  • Ability to detect Windows 10 PE as a platform.

  • Some stability improvements.

  • Many minor improvements.

  • Fixed an error in the setup program that could terminate the setup program.

  • User manual and program help updated for v19.9.


Changes of service releases of v19.8

  • SR-1: Fixed erroneous presentation of certain compressed files in HFS+ as already viewed.

  • SR-1: Prevented usage of corrupt internal Photoshop filenames to name carved files.

  • SR-2: Fixed an exception error in v19.8 that could occur repeatedly during file header signature searches for JPEG files under certain conditions.

  • SR-2: Fixed an exception error in v19.8 that could occur when processing video files.

  • SR-2: Fixed an access violation error that could occur when processing certain EDB database files.

  • SR-3: Fixed an error in the dialog window for the copylog file settings.

  • SR-3: The new JSON export function skipped files in the 64-bit edition. That was fixed.

  • SR-3: Presentation of metadata from extended attributes in Apple file systems adjusted to make it more obvious where it comes from.

  • SR-3: German program help and user manual updated.

  • SR-4: Ability to skip the new window state where the lower half of a data window becomes the right half, by holding the Shift key when clicking the vertical bar with the four gray dots.

  • SR-4: Fixed inability to display certain GIF variants.

  • SR-4: Fixed an exception error that could occur when searching for embedded data.

  • SR-4: Fixed potential corruption of filenames in volume snapshots taken by v19.8.

  • SR-4: Ability to replace the path of an evidence object that is a single file.

  • SR-4: Fixed a general stability problem.

  • SR-4: Fixed an exception error that occurred with the Russian translation of the user interface.

  • SR-5: Support for Unix style absolute paths in zip archives.

  • SR-5: Fixed an exception error that could occur in v19.8 when filtering for report table associations and additionally including direct child objects.

  • SR-5: Fixed an instability issue that could occur when refining the volume snapshot with multiple threads.

  • SR-5: Understands extra large clusters in NTFS as now supported in Windows 10.

  • SR-5: No longer ignores FAT directory entries with corrupt size values.

  • SR-5: Fixed an exception error that occurred in the 64-bit edition when parsing non-standard $Bad FILE records.

  • SR-5: Entering the known password of an encrypted file archive that had been processed already did not always have an immediate effect. That was fixed.

  • SR-6: In certain situations, X-Ways Forensics alerted the user of Bcc: e-mail recipients, but presented them as Cc: recipients only instead of Bcc:. That was fixed.

  • SR-6: Fixed inability to open the virtual APFS Descriptors file.

  • SR-6: Now properly filters out ASCII control codes within Quoted Printable.

  • SR-6: More reliable archive password test.

  • SR-6: Fixed a rare zip extraction error.

  • SR-6: Fixed an error in Google Chrome SNSS processing.

  • SR-7: Fixed outdated category pop-up menu statistics in certain situations.

  • SR-7: Prevented instability caused by certain corrupted WofCompressed files.

  • SR-7: Fixed an error in zlib deflate conversion for larger amounts of data.

  • SR-7: Some more devices supported by BYOD.

  • SR-8: The option "Convert RTF e-mail bodies to plain UTF-8" did not work in all situations. That was fixed.

  • SR-8: Auxiliary timestamps of e-mail attachments as retrieved from the parent e-mail message are now also used for sorting, not only display purposes.

  • SR-8: Fixed sorting by the Full path column.

  • SR-8: Ignores clusters belonging to more virtual machine disk image types when searching for FILE records everywhere.

  • SR-8: Fixed incorrect reporting of registered owner in the Windows Registry report when the RegisteredOwner value is not present.

  • SR-8: Fixed incorrect reporting of a responsible file after a crash and restart when only a single thread was used (internal ID off by 1).

  • SR-9: Ability to parse BPLists with arrays instead of dicts at the top level.

  • SR-9: Fixed an error that could occur when adding hash values to a large hash database with the option "Omit hash values that are already contained in the database".

  • SR-9: Fixed internal recoding of search terms.

  • SR-10: Fixed calendar tooltips for high DPI settings.

  • SR-10: Auxiliary checkmark representation in the Type filter dialog window for Windows PE/FE.

  • SR-10: Prevented a rare exception error that could occur when parsing corrupt NTFS file system data structures.

  • SR-10: Write-protecting a physical storage device in X-Ways Forensics no longer officially also sets volumes internally defined in Windows on that device to read-only status as that triggers an unintended write operation in Windows.

  • SR-10: Fixed an exception error that could occur when opening directories in APFS.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

#160: X-Ways Forensics, X-Ways Investigator, WinHex 19.8 released

Feb 21, 2019

This mailing is to announce the release of another update with many notable improvements, v19.8.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data (!!), details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Mar 11-14 London, England X-Ways Forensics (wait list)
Mar 25-28 London, England X-Ways Forensics
May 6-9 Chicago, IL area X-Ways Forensics
Jul 15-18 Vancouver, BC X-Ways Forensics

Please sign up for our training newsletter here if you would like to be kept up to date on future classes.


What's new in v19.8?
(please note that most changes affect X-Ways Forensics only)

File System Support

  • More comprehensive understanding of APFS file system data structures.

  • Support for a new variant of the Ext4 file system. Parsing this new variant (to generate a volume snapshot) without understanding its implications would necessarily fail. Previous versions of X-Ways Forensics informed the user of the presence of an unsupported feature in the file system.

  • The journal parsing option for Ext3/Ext4 had proven somewhat tricky and has now been removed from the volume snapshot options.

  • Association of data with certain previously existing files that otherwise would be presented only with file system metadata and no contents using the Ext3/Ext4 journal is now an option of the particularly thorough file system data structure search.

  • More extensive preview/view of Ext3/Ext4 journals than in previous versions.

  • Fixed erroneous presentation of certain compressed files in HFS+ as already viewed.

File Format Support

  • Two additional internal metadata timestamps are now extracted from MS Word OLE2 compound file documents, which can be useful for corroboration. The "nRevision" field is now also extracted, which according to its documentation contains the number of save operations applied to a document.

  • Tentative support for RAR archive format version 5.

  • Jump list hash values are now translated to application names in the presented metadata of customDestionations-ms and automaticDestinations-ms jump list files, based on a new user-editable text file named JumpListNames.txt. The translation table currently consists of around 500 entries. If you add entries, please make sure to insert them at the correct place such that all entries remain sorted by the CRC in ascending order. Leading zeroes in the CRC obviously must be preserved. There is a tab character between the CRC and the application name.

  • Representation of more digital camera raw formats in Gallery and Preview mode after uncovering embedded pictures: NEF, ARW, ORF

  • The character set / code page of text files is no longer pointed out in the Type column, but rather (for in some cases) in the Metadata column.

  • Many metadata extraction improvements in detail.

  • Generator signatures defined for the QuickTime video format family (MOV, MP4, 3GP, ...), in the file "Video Signatures.txt". A device type is assigned to videos of that format family as well as AVI. The detected device type of videos will also affect the generic relevance, based on the weight that you can adjust in the file "Generator Signatures.txt" for JPEG files, at the end of the *** lines. The structure of "Video Signatures.txt" is the same as that of "Generator Signatures.txt". It currently consists of two subcategories: Original and Generic. You may insert newly found signatures (as shown in Details mode) in the Original section if you are certain that the video has not been edited, otherwise in the Generic section.

  • Additional metadata extracted from QuickTime video files. For example, the values for pixel dimensions and handler are new. The presence of trailing data is mentioned as well as an incomplete condition of a QuickTime video file.

  • The processing state "Original" of QuickTime videos is brought to your attention in Details mode, if applicable. However, this statement is not as strong as for JPEG pictures. The contents may have been changed in some irregular ways without a way of detecting it (e.g. exchange of individual frames). The statement refers to the format structure. Conventional editing tools practically always alter this structure, so "normal" editing will be detected.

  • Extraction of Exif data from HEIC pictures.

JPEG Metadata Support

  • The DHT marker in JPEG files is now evaluated during metadata extraction. If the marker has the values as defined by the JPEG standard, it will be marked as "Standard", otherwise the number of table entries will be output. Practically all digital cameras use standard tables, but JPEGs encoded by social networks don't. They use optimized tables and achieve a file size reduction by around 5%.

  • Identification of now more than 20,000 devices via "Generator Signatures.txt" and more than 6,000 smartphone models via "Phone Alias Table.txt". The latter table must now be alphabetically sorted as that allows for enhanced performance. Note that this is just an auxiliary table. Corresponding entries in Generator Signatures.txt are essential for detection and for categorization into device classes. Thanks to more and more regionally specific smartphone model variants, more and more photos can be attributed to a certain region of the world.

  • Two new device types have been defined: Action cams and monitor cameras (=game cameras, trail cams, also used for surveillance purposes).

  • Ability to decode region information from Huawei firmware designations.

  • Improved recognition of photos taken with front cameras.

  • Extraction of epoch timestamps from Facebook filenames.

  • Timestamps taken from filenames are now explicitly listed in the summary table of JPEG metadata (previously used only for the Content created column). Useful for pictures shared on social media, where available metadata is scarce and where they may indicate the time when the picture was shared.

  • Generator signatures have been slightly revised to better detect social media pictures as such. Specifically Facebook and Twitter pictures are now better detected than before. Also, a new type "Adobe embedded" was added. General device type identification slightly improved.

  • The Summary table for JPEGs now identifies a "processing state", which can one of the following: original (=as originally produced by a digital device), edited normally (processing was marked by the program used), social media (as published on various social media, blogs, photo sharing services, or even eBay), irregular editing detected (meaning there is uncertainty about what was actually changed, could be processing by social media if not detected as such), and EXIF stripped.

  • Generic relevance computation slightly adjusted for pictures to favor camera originals, pictures whose creation time and location are precisely defined, device type, available metadata and more. The median relevance of JPEG pictures is now roughly 4.0. The weight of the processing state "Social media" for the relevance computation can be adjusted in the file Generator Signatures.txt (look for the line "JPEG/Social Media"). The default is an average weight.

  • A new condition of JPEG files was introduced: "embedded". This condition identifies pictures that were not generated as stand-alone files, but embedded in larger files, as thumbnails or reduced resolution alternates. That condition may also occur if JPEG metadata was retroactively removed with a tool.

  • A generator signature for WeChat was defined. The processing state "Social Media" now includes WeChat.

  • Decoding and output of additional firmware timestamps.

  • Correction of some formerly incorrect JPEG metadata output.

  • JPEG metadata representation slightly improved.

E-mail

  • E-mail attachments now show the same timestamps in the Creation and Modification columns as the e-mail messages to which they belong, so that you can see directly when they were sent ("Created" column) and delivered ("Modified" column).

User Interface

  • The maximum number of additional worker threads in volume snapshot refinement and logical searches, subject to a sufficient number of processors, has been increased to 16 in X-Ways Forensics and 3 in X-Ways Investigator.

  • Ability to show directory subtrees in Preview mode with directory sizes instead of or in addition to file counts (see new settings in Options | Viewer Programs).

  • The Report Table filter now has an option to output child objects of files at the same time, in addition to siblings.

  • That newly discovered names (e.g. e-mail subjects of original .eml files or original names of files in iPhone backups) become the new main names in a volume snapshot (and thus also potentially part of paths if they have child objects) is now optional. If not enabled, they become the alternative names, displayed in a lighter color in square brackets as additional information.

  • Option to right-align the path columns in case you are more interested in the end of the path and would like to keep the column width compact. Simply a button with an arrow in the directory browser options dialog, pointing to where the paths will be aligned.

  • Some GUI adjustments for high DPI settings in Windows. Users can now choose between the larger high-resolution icons for the toolbar, context menus and the mode button through an unlabelled new checkbox in Options | General. By default, the larger icons are now used on systems with higher than 150% DPI settings.

  • X-Ways Forensics only: Ability to export a list of selected files in Project Vic JSON format.

  • Already for many versions it was possible to decouple the lower half of a data window and treat it like a separate window, for example to move it to another monitor. With the same control it is now also possible to show that part of a data window on the right-hand side of the directory browser instead of below it. That can be useful on today's widescreen monitors, where vertical screen space is scarce, so that you can now have a long vertical list of files visible and at the same time also fully utilize the available vertical screen space for example for previews of page-based documents that were meant to be viewed in portrait mode as opposed to landscape orientation. Also useful for the gallery, and very efficient for portrait mode photos, Details mode, and hex editor displays in Disk/Partition/Volume and File mode with traditionally just 16 bytes per line.

  • "Log messages in msglog.txt" is now a three-state checkbox. The default behavior has not changed, and it is now the middle state. Fully checked means that messages in the Progress indicator window (descriptions of operations as well as names of processed files) are also output.

  • Unlabelled, but tooltipped new checkbox in the center of the General Options dialog window that allows to use alternative file selection dialog windows throughout the program in case the original style dialog windows cause problems in your system.

  • Mathematical formulas in templates may now reference variables of the uint_flex type.

  • X-Ways Forensics now prompts before losing existing tag marks when mass tagging or untagging an entire directory or file listing with a single mouse click.

  • The graphical or textual screenshot of the Refine Volume Snapshot settings for the case activity log now include screenshots of nested dialog window with further settings, even if the user did not open them and close them with OK.

Search/Indexing

  • New version of the indexing and index search engine.

  • The functionality of several three-state checkboxes for the Simultaneous Search has been split up into two separate ordinary checkboxes each. Users of a German Tooltips.txt please download a new version of that file.

  • The middle state the whole words option of the Simultaneous Search now allows to match starts of words only (require a word boundary at the beginning of the search hit). That means e.g. with "box" you can find "boxes" at the same time (but not "checkbox") and with "tend" you can find "tends" and "tended" at the same time (but not "attended" or "extended"). This was previously possible with GREP syntax only, and if you wish to search some search terms as whole words and others as starts of words at the same time you still need to use GREP syntax, please.

  • The whole words option of the simultaneous search now supports non Latin I characters in many languages (Eastern European, Russian, Arabic, Hebrew, Greek, ..., depends on what which characters you enter) also for searches in UTF-8.

Disk/Image Support

  • A new option in the case properties allows to automatically verify the hash value when adding an image to the case, if such a hash value is present, or (if the checkbox is fully checked) to compute the hash value from scratch if the image doesn't have one. Newly created cases inherit the state of this option from the last case whose settings were defined. This also means that you can verify images from the command line, with the AddImage command. The result will be output 1) in the Messages window, 2) in msglog.txt if desired, and 3) in the properties of the evidence object, i.e. the representation of the image in the case.

  • Ability to interpret VHDX virtual machine disk images and add them to a case like other supported image types. They can also be opened and interpreted right from within other images or file systems on disks parsed by X-Ways Forensics itself.

  • Filling newly created surrogate .e01 segments with a special watermark ("MISSING IMAGE FILE SEGMENT!") is now optional, for performance reasons. Zeroed out blocks are faster to generate.

  • Improved representation of MD RAIDs and LVM2. For example, container header areas are now shown as files instead of partitions and mere container partitions are not automatically added to the case any more. Support for LVM2 containers in level 1 MD RAID containers. Cases with evidence objects that have MD RAID or LVM2 partitioning that were created with earlier versions should not be further processed in v19.8.

  • Some GUID partition table partition attributes are now shown in the Attr. column: system (=required by operating system), hidden (=not mounted as drive letter), read-only, shadow copy.

  • Support for GUID partition table partition names in ASCII.

  • Partitions that are retroactively added as child evidence objects to the case tree when their parent is not at the bottom of the tree now receive evidence object numbers that reflect their position and order within the tree, which makes a difference when sorting in the directory browser by evidence object.

Hashing/PhotoDNA

  • Identification of duplicate pictures with PhotoDNA now allows to group duplicates in report tables.

  • Notation options now include a setting to show report tables representing groups of identical files.

  • When matching hash values against hash databases (ordinary hashes like MD5, SHA-1, SHA-256, ...), there is now an option to make a local copy of the database and work with that copy. This can be helpful if you share the database with your colleagues and your colleagues want to update the database (e.g. add additional hash sets) while it's in use for matching, which otherwise would not be possible for the whole duration of volume snapshot refinement. It could also enhance performance if the database is large and does not fit into main memory and is stored on a remote network drive. The local copy is created in the directory for temporary files if it does not exist yet, and updated only if the master copy of the hash database has changed (all users should have v19.8 or newer to avoid unnecessary copying of an unchanged database).

  • Now supports up to ~58.8 million PhotoDNA hash values in the hash database instead of ~29.4 million (64-bit edition only). Please note that it is not recommendable to have that many hash values in the PhotoDNA database because matching will take quite some time, even if processed by all available CPU cores at the same time.

Miscellaneous

  • When opening the logical memory of a running process, shows the process creation timestamps in the Info pane.

  • Some stability improvements.

  • Many minor improvements.

  • User manual and program help updated for v19.8.

  • FYI, some very few Windows 10 users have reported problems in X-Ways Forensics since they upgraded to version 1809 of Windows 10.


Changes of service releases of v19.7

  • SR-1: Ability to open certain fragmented files in APFS that could not be opened previously (that were just presented with no contents available or lead to further errors).

  • SR-1: Some extended attributes in APFS are now shown as information in the Metadata column, if suitable, others not at all, depending on the same volume snapshot settings as previously just for HFS+.

  • SR-1: Prevented unnecessary output of messages and further fixed the new "Convert RTF e-mail bodies to plain UTF-8" option.

  • SR-1: Fixed an exception error that could occur when overriding the detected sector size of raw images.

  • SR-1: Fixed inability to correctly embed multiple attached e-mail messages with file attachments in certain single parent .eml files for the Recover/Copy command or the case report.

  • SR-1: Fixed incomplete HTML representation of $UsnJrnl:$J.

  • SR-2: Metadata is now extracted from volume shadow copy files even when the volume snapshot options are set to read uninitialized areas of files as binary zeroes.

  • SR-2: Fixed inability of v19.7 to open image-based evidence objects without the image.

  • SR-2: Previews of directories can now be enabled or disabled, for example disabled for directory browser navigation performance reasons, with an unlabelled (but tooltipped) check box in Options | Viewer Programs.

  • SR-2: Logical searches additionally target the raw data in certain clusters of NTFS compression units, now more clusters than before.

  • SR-3: Prevented crashes with certain SNSS files.

  • SR-3: Reading from a partition of a physical disk now triggers skeleton image acquisition again if the physical disk is the target of the acquisition, like in earlier versions.

  • SR-3: On-the-fly calculations of edk2 hash values when copying files into evidence file containers are not supported, but if such hash values are stored in the volume snapshot already, they are now correctly copied into the container, if so desired.

  • SR-3: Fixed an exception error that could occur in v19.7 when carving certain JPEG files.

  • SR-3: Registry viewer: The value data types REG_DWORD_BIG_ENDIAN and REG_QWORD were previously treated like REG_BINARY, and now are more properly interpreted.

  • SR-3: Registry viewer: An exception error was fixed that occurred when exploring more than 80 nested keys.

  • SR-3: Registry viewer: Keys with overlong names (more than 260 characters) were not processed correctly and could result in crashes. That was fixed.

  • SR-3: Registry viewer: ASCII characters in the 0x01 to 0x1F range in value names were not processed consistently. That was improved.

  • SR-3: Multi-threading in the gallery caused problems in conjunction with the filter for still images and the option "list respective parent video as well", so that it is now prevented with these settings.

  • SR-3: Fixed a potential crash with some rare finder bookmark (flnk) files.

  • SR-4: Fixed an exception error that could potentially occur when extracting metadata.

  • SR-4: Fixed an exception error that could potentially occur in v19.6 and later when parsing registry hives.

  • SR-4: The option "Wait for imaging in other instances to complete" did not work in X-Ways Imager. That was fixed.

  • SR-4: When creating the case report, the option "In selected evidence object" now also works with "Order as they are currently listed in the case root".

  • SR-4: Fixed an error that occurred when indexing more than 8,190 characters (Japanese was the only affected predefined language, with almost 15,000 characters). Korean alphabet redefined. Fixed internal translation of certain indexing character sets.

  • SR-4: Prevented a rare exception error that could occur when processing carved registry hive fragments.

  • SR-4: Fixed a rare instability that could occur during metadata extraction with additional threads and lead to a non-responsive user interface.

  • SR-5: Fixed misrepresentation of free space in some FAT12 volumes.

  • SR-5: Fixed: Erroneous insertion of a dot in the file or directory name for certain short filename directories in FAT in v19.4 SR-4.

  • SR-5: "Omit additional hardlinks" no longer has an effect when refining the volume snapshot for selected files only, like in earlier versions.

  • SR-5: Fixed an error in opening child objects (uncovered embedded data) of hardlinked files in HFS+.

  • SR-6: Fixed use of case-specific password collection in v19.7.

  • SR-6: Fixed sector mapping error in v19.7 when filling physical skeleton images with data of contained partitions.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

> Archive of the year 2018 <

> Archive of the year 2017 <

> Archive of the year 2016 <

> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <