#160: X-Ways Forensics, X-Ways Investigator, WinHex 19.8 released
Feb 21, 2019
This mailing is to announce the release of another update with many notable improvements, v19.8.

WinHex evaluation version: https://www.x-ways.net/winhex.zip
(also the correct download link for anyone with a personal, professional, or specialist license)

Customers please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data (!!), details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.
Upcoming Training
Please sign up for our training newsletter here if you would like to be kept up to date on future classes.
What's new in v19.8?
(please note that most changes affect X-Ways Forensics only)
File System Support
- More comprehensive understanding of APFS file system data structures.
- Support for a new variant of the Ext4 file system. Parsing this new variant (to generate a volume snapshot) without understanding its implications would necessarily fail. Previous versions of X-Ways Forensics informed the user of the presence of an unsupported feature in the file system.
- The journal parsing option for Ext3/Ext4 had proven somewhat tricky and has now been removed from the volume snapshot options.
- Association of data, using the Ext3/Ext4 journal, with certain previously existing files that otherwise would be presented only with file system metadata and no contents is now an option of the particularly thorough file system data structure search.
- More extensive preview/view of Ext3/Ext4 journals than in previous versions.
- Fixed erroneous presentation of certain compressed files in HFS+ as already viewed.
File Format Support
- Two additional internal metadata timestamps are now extracted from MS Word OLE2 compound file documents, which can be useful for corroboration. The "nRevision" field is now also extracted, which according to its documentation contains the number of save operations applied to a document.
- Tentative support for RAR archive format version 5.
- Jump list hash values are now translated to application names in the presented metadata of customDestinations-ms and automaticDestinations-ms jump list files, based on a new user-editable text file named JumpListNames.txt. The translation table currently consists of around 500 entries. If you add entries, please make sure to insert them at the correct place such that all entries remain sorted by the CRC in ascending order. Leading zeroes in the CRC must be preserved. There is a tab character between the CRC and the application name.
- Representation of more digital camera raw formats in Gallery and Preview mode after uncovering embedded pictures: NEF, ARW, ORF.
- The character set / code page of text files is no longer pointed out in the Type column, but rather (in some cases) in the Metadata column.
- Many metadata extraction improvements in detail.
- Generator signatures defined for the QuickTime video format family (MOV, MP4, 3GP, ...), in the file "Video Signatures.txt". A device type is assigned to videos of that format family as well as AVI. The detected device type of videos also affects the generic relevance, based on the weight that you can adjust in the file "Generator Signatures.txt" for JPEG files, at the end of the *** lines. The structure of "Video Signatures.txt" is the same as that of "Generator Signatures.txt". It currently consists of two subcategories: Original and Generic. You may insert newly found signatures (as shown in Details mode) in the Original section if you are certain that the video has not been edited, otherwise in the Generic section.
- Additional metadata extracted from QuickTime video files. For example, the values for pixel dimensions and handler are new. The presence of trailing data is mentioned, as is an incomplete condition of a QuickTime video file.
- The processing state "Original" of QuickTime videos is brought to your attention in Details mode, if applicable. However, this statement is not as strong as for JPEG pictures. The contents may have been changed in some irregular ways without a way of detecting it (e.g. exchange of individual frames). The statement refers to the format structure. Conventional editing tools practically always alter this structure, so "normal" editing will be detected.
- Extraction of Exif data from HEIC pictures.
JPEG Metadata Support
- The DHT marker in JPEG files is now evaluated during metadata extraction. If the marker has the values as defined by the JPEG standard, it will be marked as "Standard", otherwise the number of table entries will be output. Practically all digital cameras use standard tables, but JPEGs encoded by social networks don't. They use optimized tables and achieve a file size reduction of around 5%.
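The DHT check described above, as an added example (not X-Ways code): it walks the marker segments of a JPEG and, for every Huffman table in a DHT segment, compares the 16 code-length counts with the typical tables of ITU T.81 Annex K, reporting "Standard" or otherwise the number of table entries. It simplifies by comparing only the counts, not the symbol values, and the two JPEG headers are constructed sample data.

```python
import struct

# Code-length counts (the 16 "BITS" bytes) of the four typical Huffman tables
# given in ITU T.81 Annex K.3, keyed by (table class, table id):
# class 0 = DC, class 1 = AC; id 0 = luminance, id 1 = chrominance.
STANDARD_BITS = {
    (0, 0): [0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0],
    (0, 1): [0, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0],
    (1, 0): [0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, 4, 0, 0, 1, 0x7D],
    (1, 1): [0, 2, 1, 2, 4, 4, 3, 4, 7, 5, 4, 4, 0, 1, 2, 0x77],
}

def iter_segments(data):
    """Yield (marker, payload) for each marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: SOI marker missing")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: no payload, done
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            return
        pos += 2 + length

def classify_dht(data):
    """Return (class, id, verdict) per Huffman table: "Standard" when the
    code-length counts equal Annex K, otherwise the number of table entries."""
    results = []
    for marker, payload in iter_segments(data):
        if marker != 0xC4:                      # DHT segments only
            continue
        off = 0
        while off + 17 <= len(payload):         # one or more tables per segment
            tc, th = payload[off] >> 4, payload[off] & 0x0F
            bits = list(payload[off + 1:off + 17])
            n_entries = sum(bits)
            off += 17 + n_entries               # skip the HUFFVAL bytes
            verdict = "Standard" if STANDARD_BITS.get((tc, th)) == bits else n_entries
            results.append((tc, th, verdict))
    return results

def dht_segment(tc, th, bits, values):
    """Build one DHT marker segment (constructed test data, not a real file)."""
    body = bytes([(tc << 4) | th]) + bytes(bits) + bytes(values)
    return b"\xff\xc4" + struct.pack(">H", len(body) + 2) + body

# Constructed headers: standard DC/AC luminance tables (camera-like) versus a
# small optimized DC table of the kind a re-encoding service would emit.
CAMERA_LIKE = (b"\xff\xd8"
               + dht_segment(0, 0, STANDARD_BITS[(0, 0)], list(range(12)))
               + dht_segment(1, 0, STANDARD_BITS[(1, 0)], list(range(162)))
               + b"\xff\xd9")
OPTIMIZED = (b"\xff\xd8"
             + dht_segment(0, 0, [0, 1, 3, 1] + [0] * 12, [0, 1, 2, 3, 4])
             + b"\xff\xd9")
```

classify_dht(CAMERA_LIKE) returns [(0, 0, 'Standard'), (1, 0, 'Standard')], while classify_dht(OPTIMIZED) returns [(0, 0, 5)], the entry count the page says is output for non-standard tables.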
- Identification of now more than 20,000 devices via "Generator Signatures.txt" and more than 6,000 smartphone models via "Phone Alias Table.txt". The latter table must now be alphabetically sorted, as that allows for enhanced performance. Note that this is just an auxiliary table. Corresponding entries in Generator Signatures.txt are essential for detection and for categorization into device classes. Thanks to more and more regionally specific smartphone model variants, more and more photos can be attributed to a certain region of the world.
- Two new device types have been defined: Action cams and monitor cameras (=game cameras, trail cams, also used for surveillance purposes).
- Ability to decode region information from Huawei firmware designations.
- Improved recognition of photos taken with front cameras.
- Extraction of epoch timestamps from Facebook filenames.
- Timestamps taken from filenames are now explicitly listed in the summary table of JPEG metadata (previously used only for the Content created column). Useful for pictures shared on social media, where available metadata is scarce and where they may indicate the time when the picture was shared.
- Generator signatures have been slightly revised to better detect social media pictures as such. Specifically, Facebook and Twitter pictures are now better detected than before. Also, a new type "Adobe embedded" was added. General device type identification slightly improved.
- The Summary table for JPEGs now identifies a "processing state", which can be one of the following: original (=as originally produced by a digital device), edited normally (processing was marked by the program used), social media (as published on various social media, blogs, photo sharing services, or even eBay), irregular editing detected (meaning there is uncertainty about what was actually changed; could be processing by social media if not detected as such), and EXIF stripped.
- Generic relevance computation slightly adjusted for pictures to favor camera originals, pictures whose creation time and location are precisely defined, device type, available metadata and more. The median relevance of JPEG pictures is now roughly 4.0. The weight of the processing state "Social media" for the relevance computation can be adjusted in the file Generator Signatures.txt (look for the line "JPEG/Social Media"). The default is an average weight.
- A new condition of JPEG files was introduced: "embedded". This condition identifies pictures that were not generated as stand-alone files, but embedded in larger files, as thumbnails or reduced resolution alternates. That condition may also occur if JPEG metadata was retroactively removed with a tool.
- A generator signature for WeChat was defined. The processing state "Social Media" now includes WeChat.
- Decoding and output of additional firmware timestamps.
- Correction of some formerly incorrect JPEG metadata output.
- JPEG metadata representation slightly improved.
E-mail
User Interface
- The maximum number of additional worker threads in volume snapshot refinement and logical searches, subject to a sufficient number of processors, has been increased to 16 in X-Ways Forensics and 3 in X-Ways Investigator.
- Ability to show directory subtrees in Preview mode with directory sizes instead of or in addition to file counts (see new settings in Options | Viewer Programs).
- The Report Table filter now has an option to output child objects of files at the same time, in addition to siblings.
- It is now optional whether newly discovered names (e.g. e-mail subjects of original .eml files or original names of files in iPhone backups) become the new main names in a volume snapshot (and thus also potentially part of paths if they have child objects). If not enabled, they become the alternative names, displayed in a lighter color in square brackets as additional information.
- Option to right-align the path columns in case you are more interested in the end of the path and would like to keep the column width compact. It is simply a button with an arrow in the directory browser options dialog, pointing to where the paths will be aligned.
- Some GUI adjustments for high DPI settings in Windows. Users can now opt for the larger high-resolution icons for the toolbar, context menus and the mode button through an unlabelled new checkbox in Options | General. By default, the larger icons are now used on systems with higher than 150% DPI settings.
- X-Ways Forensics only: Ability to export a list of selected files in Project Vic JSON format.
- For many versions it has been possible to decouple the lower half of a data window and treat it like a separate window, for example to move it to another monitor. With the same control it is now also possible to show that part of a data window on the right-hand side of the directory browser instead of below it. That can be useful on today's widescreen monitors, where vertical screen space is scarce: you can now have a long vertical list of files visible and at the same time fully utilize the available vertical screen space, for example for previews of page-based documents that were meant to be viewed in portrait mode as opposed to landscape orientation. Also useful for the gallery, and very efficient for portrait mode photos, Details mode, and hex editor displays in Disk/Partition/Volume and File mode with traditionally just 16 bytes per line.
- "Log messages in msglog.txt" is now a three-state checkbox. The default behavior has not changed, and it is now the middle state. Fully checked means that messages in the Progress indicator window (descriptions of operations as well as names of processed files) are also output.
- Unlabelled, but tooltipped new checkbox in the center of the General Options dialog window that allows you to use alternative file selection dialog windows throughout the program in case the original style dialog windows cause problems on your system.
- Mathematical formulas in templates may now reference variables of the uint_flex type.
- X-Ways Forensics now prompts before losing existing tag marks when mass tagging or untagging an entire directory or file listing with a single mouse click.
- The graphical or textual screenshot of the Refine Volume Snapshot settings for the case activity log now includes screenshots of nested dialog windows with further settings, even if the user did not open them and close them with OK.
Search/Indexing
- New version of the indexing and index search engine.
- The functionality of several three-state checkboxes for the Simultaneous Search has been split up into two separate ordinary checkboxes each. Users of a German Tooltips.txt please download a new version of that file.
- The middle state of the whole words option of the Simultaneous Search now allows matching starts of words only (requires a word boundary at the beginning of the search hit). That means e.g. with "box" you can find "boxes" at the same time (but not "checkbox"), and with "tend" you can find "tends" and "tended" at the same time (but not "attended" or "extended"). This was previously possible with GREP syntax only, and if you wish to search some search terms as whole words and others as starts of words at the same time, you still need to use GREP syntax.
- The whole words option of the Simultaneous Search now supports non-Latin 1 characters in many languages (Eastern European, Russian, Arabic, Hebrew, Greek, ..., depending on which characters you enter), also for searches in UTF-8.
Disk/Image Support
- A new option in the case properties allows you to automatically verify the hash value when adding an image to the case, if such a hash value is present, or (if the checkbox is fully checked) to compute the hash value from scratch if the image doesn't have one. Newly created cases inherit the state of this option from the last case whose settings were defined. This also means that you can verify images from the command line, with the AddImage command. The result will be output 1) in the Messages window, 2) in msglog.txt if desired, and 3) in the properties of the evidence object, i.e. the representation of the image in the case.
- Ability to interpret VHDX virtual machine disk images and add them to a case like other supported image types. They can also be opened and interpreted right from within other images or file systems on disks parsed by X-Ways Forensics itself.
- Filling newly created surrogate .e01 segments with a special watermark ("MISSING IMAGE FILE SEGMENT!") is now optional, for performance reasons. Zeroed out blocks are faster to generate.
- Improved representation of MD RAIDs and LVM2. For example, container header areas are now shown as files instead of partitions, and mere container partitions are not automatically added to the case any more. Support for LVM2 containers in level 1 MD RAID containers. Cases with evidence objects that have MD RAID or LVM2 partitioning that were created with earlier versions should not be further processed in v19.8.
- Some GUID partition table partition attributes are now shown in the Attr. column: system (=required by operating system), hidden (=not mounted as drive letter), read-only, shadow copy.
- Support for GUID partition table partition names in ASCII.
- Partitions that are retroactively added as child evidence objects to the case tree when their parent is not at the bottom of the tree now receive evidence object numbers that reflect their position and order within the tree, which makes a difference when sorting in the directory browser by evidence object.
Hashing/PhotoDNA
- Identification of duplicate pictures with PhotoDNA now allows you to group duplicates in report tables.
- Notation options now include a setting to show report tables representing groups of identical files.
- When matching hash values against hash databases (ordinary hashes like MD5, SHA-1, SHA-256, ...), there is now an option to make a local copy of the database and work with that copy. This can be helpful if you share the database with your colleagues and your colleagues want to update the database (e.g. add additional hash sets) while it's in use for matching, which otherwise would not be possible for the whole duration of volume snapshot refinement. It could also enhance performance if the database is large, does not fit into main memory and is stored on a remote network drive. The local copy is created in the directory for temporary files if it does not exist yet, and updated only if the master copy of the hash database has changed (all users should have v19.8 or newer to avoid unnecessary copying of an unchanged database).
- Now supports up to ~58.8 million PhotoDNA hash values in the hash database instead of ~29.4 million (64-bit edition only). Please note that it is not recommended to have that many hash values in the PhotoDNA database because matching will take quite some time, even if processed by all available CPU cores at the same time.
Miscellaneous
- When opening the logical memory of a running process, the process creation timestamps are now shown in the Info pane.
- Some stability improvements.
- Many minor improvements.
- User manual and program help updated for v19.8.
- FYI, a very few Windows 10 users have reported problems in X-Ways Forensics since they upgraded to version 1809 of Windows 10.
Changes of service releases of v19.7
- SR-1: Ability to open certain fragmented files in APFS that could not be opened previously (that were just presented with no contents available or led to further errors).
- SR-1: Some extended attributes in APFS are now shown as information in the Metadata column, if suitable, others not at all, depending on the same volume snapshot settings as previously just for HFS+.
- SR-1: Prevented unnecessary output of messages and further fixed the new "Convert RTF e-mail bodies to plain UTF-8" option.
- SR-1: Fixed an exception error that could occur when overriding the detected sector size of raw images.
- SR-1: Fixed inability to correctly embed multiple attached e-mail messages with file attachments in certain single parent .eml files for the Recover/Copy command or the case report.
- SR-1: Fixed incomplete HTML representation of $UsnJrnl:$J.
- SR-2: Metadata is now extracted from volume shadow copy files even when the volume snapshot options are set to read uninitialized areas of files as binary zeroes.
- SR-2: Fixed inability of v19.7 to open image-based evidence objects without the image.
- SR-2: Previews of directories can now be enabled or disabled, for example disabled for directory browser navigation performance reasons, with an unlabelled (but tooltipped) check box in Options | Viewer Programs.
- SR-2: Logical searches additionally target the raw data in certain clusters of NTFS compression units, now more clusters than before.
- SR-3: Prevented crashes with certain SNSS files.
- SR-3: Reading from a partition of a physical disk now triggers skeleton image acquisition again if the physical disk is the target of the acquisition, like in earlier versions.
- SR-3: On-the-fly calculations of ed2k hash values when copying files into evidence file containers are not supported, but if such hash values are stored in the volume snapshot already, they are now correctly copied into the container, if so desired.
- SR-3: Fixed an exception error that could occur in v19.7 when carving certain JPEG files.
- SR-3: Registry viewer: The value data types REG_DWORD_BIG_ENDIAN and REG_QWORD were previously treated like REG_BINARY, and are now more properly interpreted.
- SR-3: Registry viewer: An exception error was fixed that occurred when exploring more than 80 nested keys.
- SR-3: Registry viewer: Keys with overlong names (more than 260 characters) were not processed correctly and could result in crashes. That was fixed.
- SR-3: Registry viewer: ASCII characters in the 0x01 to 0x1F range in value names were not processed consistently. That was improved.
- SR-3: Multi-threading in the gallery caused problems in conjunction with the filter for still images and the option "list respective parent video as well", so that it is now prevented with these settings.
- SR-3: Fixed a potential crash with some rare finder bookmark (flnk) files.
- SR-4: Fixed an exception error that could potentially occur when extracting metadata.
- SR-4: Fixed an exception error that could potentially occur in v19.6 and later when parsing registry hives.
- SR-4: The option "Wait for imaging in other instances to complete" did not work in X-Ways Imager. That was fixed.
- SR-4: When creating the case report, the option "In selected evidence object" now also works with "Order as they are currently listed in the case root".
- SR-4: Fixed an error that occurred when indexing more than 8,190 characters (Japanese was the only affected predefined language, with almost 15,000 characters). Korean alphabet redefined. Fixed internal translation of certain indexing character sets.
- SR-4: Prevented a rare exception error that could occur when processing carved registry hive fragments.
- SR-4: Fixed a rare instability that could occur during metadata extraction with additional threads and lead to a non-responsive user interface.
- SR-5: Fixed misrepresentation of free space in some FAT12 volumes.
- SR-5: Fixed erroneous insertion of a dot in the file or directory name for certain short filename directories in FAT in v19.4 SR-4.
- SR-5: "Omit additional hardlinks" no longer has an effect when refining the volume snapshot for selected files only, like in earlier versions.
- SR-5: Fixed an error in opening child objects (uncovered embedded data) of hardlinked files in HFS+.
- SR-6: Fixed use of case-specific password collection in v19.7.
- SR-6: Fixed sector mapping error in v19.7 when filling physical skeleton images with data of contained partitions.
Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde, Germany