#172: X-Ways Forensics, X-Ways Investigator, WinHex 20.9 released
Jul 27, 2023
This mailing is to announce the release of another update with important improvements, v20.9. The release date was 26 July.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data/password (!), details about their licenses and upgrade or renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible as described.

Please be reminded that if you are interested in receiving information about service releases as soon as they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.
Upcoming Training Events

Dates | Location | Target Region | Course | Delivered by
Jul 31-Aug 4 | Online (5x6 hrs!) | America (incl. West Coast) | X-Ways Forensics I | X-Ways
Jul 31-Aug 3 | Salt Lake City, UT | USA | X-Ways Forensics I | H-11
Aug 14-17 | Columbia BWI, MD | USA | X-Ways Forensics I | H-11
Aug 21-24 | Online (4x6 hrs!) | America (incl. West Coast) | X-Ways Forensics II | X-Ways
Aug 21-24 | Ontario, CA | USA | X-Ways Forensics I | H-11
Sep 4-8 | Online (5x6 hrs!) | Europe, Asia | X-Ways Forensics I | X-Ways
Sep 18-21 | Online | America, Europe | X-Ways Forensics I | X-Ways
Sep 19-22 | Fyshwick ACT | Australia | X-Ways Forensics I | CDFS
Sep 19-22 | St. Paul, MN | USA | X-Ways Forensics I | H-11
Oct 10-12 | Online | Europe, Asia | X-Ways Forensics II | X-Ways
Oct 10-13 | Ottawa, ON | Canada | X-Ways Forensics I | F111th
Oct 10-13 | Paris | France | X-Ways Forensics I (in French) | Tracip
Oct 16-19 | London, England | Europe | X-Ways Forensics I | X-Ways
Oct 16-19 | Ft. Lauderdale, FL | USA | X-Ways Forensics I | H-11
Oct 23-27 | Online | America, Europe | File Systems Revealed | X-Ways
Oct 24-27 | Melbourne | Australia | X-Ways Forensics I | CDFS
Please sign up for our training notifications here if you would like to be kept up to date on future classes.
What's new in v20.9? (please note that most changes affect X-Ways Forensics only)
Hash Databases

- What's better than five hash databases? Right, six hash databases. In addition to two conventional hash databases, a block hash database, a FuzZyDoc database and (if eligible) a PhotoDNA hash database, you can now maintain a database of recurring files that you have descriptions of. That may be useful, for example, if you are required to include descriptions of illegal photos in your case reports for the court. If the same photos occur in multiple cases, the new database can save you work and make it unnecessary to view the photos again. Whatever you enter as comments can be saved in the database along with the corresponding hash value. To do so, select the relevant files and invoke the command "Include in Hash Database" in the directory browser context menu. Whether hash values were already computed for the selected files does not matter; they are computed on the fly if not. You get the same comments back in another case if you match the hash values in that case against the database as part of volume snapshot refinement.

- The database is stored in the file "Hash Comments.txt". You can easily share the database by simply sharing that file with other users. The file is independent of the conventional hash databases, meaning it does not matter which user has which conventional hash database with hash sets from which source(s). You do not need a conventional hash database at all to create a "Hash Comments.txt" file or to match the hash values in your cases against the "Hash Comments.txt" file of someone else. So "Hash Comments.txt" is quite universal and suitable for inter-agency exchange.

- You can merge text files of different colleagues/sources with your own database in the user interface: open the Tools | Hash Database dialog window and click the Import button. If X-Ways Forensics detects duplicate entries (same hash value), it will either keep the previous comment or adopt the new comment, depending on the state of a checkbox in the same dialog window. Keep that in mind when importing entries from other users. The rule also has an effect if duplicate entries are found within the same text file because you have merged entries manually.

- Since we are talking about a simple text file, you can merge "Hash Comments.txt" files from different sources easily in a simple text editor, edit the descriptions as needed, get them automatically translated etc. Just keep the general layout of one hash value + description per line intact. The first line (header line) in "Hash Comments.txt" must contain the designation of the hash type in ASCII (e.g. "MD5" or "SHA-1"), followed by a tab and the ASCII letters "Cmt"; all of this is case-sensitive. All following lines start with a hash value in hex ASCII (upper or lower case allowed), followed by a tab and the description in UTF-8. Both Windows and Unix/Linux line breaks are allowed.

- There is an unlabeled but tooltipped checkbox that lets you have existing comments on files replaced when hash values are successfully matched against hash comments. That means previous comments will be lost if the hash comment database contains a comment for the same files.

- There is an option to prepend comments that were automatically derived from "Hash Comments.txt" with the prefix "[HC] " to distinguish them from comments entered manually by the user.
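As an added example (my own code, not X-Ways' parser or any part of the product), the following Python reads "Hash Comments.txt" files in the layout just described, merges two constructed files with the keep-or-adopt rule for duplicate hash values, and applies the matched comments to a small constructed case, honouring the replace-existing checkbox and the "[HC] " prefix. The sample "photos" are short byte strings whose hashes are computed at run time; "SHA-256" in the table of accepted header designations is an assumption, since the notes only name "MD5" and "SHA-1".

```python
import hashlib
import re

# Header designations accepted here; "SHA-256" is an assumption, the notes name MD5 and SHA-1.
HASH_TYPES = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def digest_hex(hash_type, data):
    """Hex digest of `data` with the algorithm named in the header line."""
    return HASH_TYPES[hash_type](data).hexdigest()


def parse_hash_comments(text):
    """Parse a Hash Comments.txt body into (hash_type, [(hash_lowercase, comment), ...]).

    Layout as described above: header "<TYPE>\tCmt" (case-sensitive), then one
    "<hex hash>\t<UTF-8 description>" per line, LF or CRLF. Duplicates are kept in
    file order so that the caller can apply the keep/adopt rule.
    """
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty hash comment file")
    header = lines[0].split("\t")
    if len(header) != 2 or header[1] != "Cmt" or header[0] not in HASH_TYPES:
        raise ValueError(f"unexpected header line: {lines[0]!r}")
    hash_type = header[0]
    expected_len = HASH_TYPES[hash_type]().digest_size * 2
    entries = []
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue  # tolerate a trailing empty line
        if "\t" not in line:
            raise ValueError(f"line {lineno}: no tab between hash value and description")
        value, comment = line.split("\t", 1)
        if not HEX_RE.match(value) or len(value) != expected_len:
            raise ValueError(f"line {lineno}: {value!r} is not a {hash_type} hex digest")
        entries.append((value.lower(), comment))
    return hash_type, entries


def validate_hash_comments(text):
    """None if the file is well-formed, otherwise the error message (a pre-import check)."""
    try:
        parse_hash_comments(text)
    except ValueError as exc:
        return str(exc)
    return None


def merge_hash_comments(db, incoming_text, adopt_new_comment):
    """Merge a colleague's file into db = (hash_type or None, {hash: comment}).

    On a duplicate hash the previous comment is kept or the new one adopted, as the
    import dialog's checkbox decides; duplicate lines inside one file get the same rule.
    """
    hash_type, entries = parse_hash_comments(incoming_text)
    db_type, base = db
    if db_type is not None and db_type != hash_type:
        raise ValueError(f"hash type mismatch: database is {db_type}, file is {hash_type}")
    merged = dict(base)
    for value, comment in entries:
        if value in merged and not adopt_new_comment:
            continue
        merged[value] = comment
    return hash_type, merged


def apply_comments(db, case_files, replace_existing=False, prefix="[HC] "):
    """Mimic matching a case's files against the database during refinement.

    case_files: {name: (data, existing_comment_or_None)}; returns {name: comment}.
    Existing comments survive unless replace_existing is set (the tooltipped checkbox);
    derived comments carry the "[HC] " prefix so they can be told from manual ones.
    """
    hash_type, entries = db
    result = {}
    for name, (data, existing) in case_files.items():
        hit = entries.get(digest_hex(hash_type, data))
        if hit is None or (existing and not replace_existing):
            result[name] = existing
        else:
            result[name] = prefix + hit
    return result


# Constructed sample data: the "photos" are short byte strings, not real files.
PIC_A, PIC_B, PIC_C = b"constructed photo A", b"constructed photo B", b"constructed photo C"
AGENCY_1_FILE = (
    "MD5\tCmt\r\n"  # Windows line breaks; upper-case hex is allowed
    f"{digest_hex('MD5', PIC_A).upper()}\tExhibit 3: outdoor scene, subject 1\r\n"
    f"{digest_hex('MD5', PIC_B)}\tExhibit 7: indoor scene\r\n"
)
AGENCY_2_FILE = (
    "MD5\tCmt\n"  # Unix line breaks; PIC_B appears again with different wording
    f"{digest_hex('MD5', PIC_B)}\tSame as exhibit 7 (agency 2 wording)\n"
    f"{digest_hex('MD5', PIC_C)}\tExhibit 12: document scan\n"
)


def demo(adopt_new_comment=False):
    """Merge both files, then match a small constructed case against the result."""
    db = merge_hash_comments((None, {}), AGENCY_1_FILE, adopt_new_comment)
    db = merge_hash_comments(db, AGENCY_2_FILE, adopt_new_comment)
    case = {
        "IMG_0001.jpg": (PIC_A, None),
        "IMG_0002.jpg": (PIC_B, "own note from manual review"),  # kept by default
        "IMG_0003.jpg": (PIC_C, None),
        "IMG_0004.jpg": (b"unrelated content", None),  # no hit
    }
    return db, apply_comments(db, case)
```

Running validate_hash_comments over a file received from another agency before importing it catches the two mistakes the layout rules invite: a header that is not exactly "MD5<tab>Cmt" (a lower-case "md5" or "CMT" is rejected, since the header is case-sensitive) and a line whose hash field is not a hex digest of the right length. The merge order matters: with adopt_new_comment=False the first file imported wins on duplicate hashes, so import your own database first if you want your wording kept.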
File Type Support

- Now 40,000 definitions of photo generating devices.

- A fallback code page for plain text representations by the viewer component can now be selected via a new "..." button in Options | File Viewing. The list of available code pages there is more extensive than in the options dialog window of the viewer component itself (the one that can be accessed via the right-click menu in any window maintained by the viewer component).

- When playing videos with MPlayer that were recorded by smartphones, or when extracting individual frames/stills from them, these videos are now rotated as needed. (Does not work if metadata was previously extracted by volume snapshot refinement in earlier releases.)

- Several new compression and decompression options are now available in X-Ways Forensics and WinHex Lab Edition via Edit | Convert, which can be applied to the entire data represented in an active data window, if not in read-only mode. They allow you to manually decompress data found in and compressed by various file systems if X-Ways Forensics does not have the corresponding files in its volume snapshot or cannot decompress them automatically.

- The relevance calculation for pictures based on dimensions in pixels was improved.

- PNG support in the internal graphics display library updated.

- Proper aspect ratio of report thumbnails for JPEG pictures that need to be rotated as per Exif orientation metadata.

- Ability to process certain SRUDB.dat files that previously could not be processed successfully or were not recognized as SRUDB.dat files.

- Addressed an exception error that could occur when extracting metadata from certain PDF and Adobe Illustrator files.

- Eliminated a restriction that could prevent automatic carving of Base64 code.

- Files with pure Base64 code (e.g. carved from HTML files in which they are embedded) that have their decoded data in a child object can now be previewed and represented in the gallery with their decoded data directly.
File System Support

- Additional hard links for the same file in NTFS can now optionally be omitted already when taking a volume snapshot, which means they will not be included at all and not shown in the directory browser as additional files. That could be helpful for example when making sense of storage space utilization, where counting the same files 10 or 100 times does not make sense. The "Link count" column still shows the true number of hard links (which, as before, ignores pure 8.3 character filenames and which, by the way, as before may differ significantly from the not very well maintained hard-link count in the FILE record).

- Ability to detect unusual or suspicious short filenames (SFNs, 8+3 character names) in NTFS. Such short filenames can optionally be output in the volume snapshot either as alternative names or as fully valid hard links themselves (i.e. like additional copies of the same files). They can also be labeled as "peculiar SFNs" to make you aware of them. Unexpected SFNs that don't seem to match their corresponding LFNs could be interesting if they reflect previous names of files that have been renamed, or because they may have been specially engineered to replace sensitive files with fixed names (such as DLLs or configuration files), while their LFNs are different and perfectly innocuous. The settings for SFN treatment can be found in Options | Volume Snapshot. If you find that too many normal files are flagged that way, you can report back to us and try UNchecking the box for "more strict matching", so that some of the less severe discrepancies are ignored.

- Improved interpretation of certain incomplete/corrupted NTFS file system data structures.

- Support for more compressed storage variants in APFS, including inline storage.

- Support for ZSTD compression in Btrfs.

- Inline compression in Btrfs supported.

- Improved cluster/block listing output for compressed data in Btrfs.

- The new XFS timestamp format known as "big time" is now supported and the timestamps are shown correctly. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume.

- Should an XFS volume be flagged internally as "needing repair", XWF now issues a message to that effect, warning of damaged file system structures potentially causing issues. Previous versions of XWF would simply warn the user of an unknown incompatibility feature being in use in the volume, without further specifics.

- Volume snapshots based on directory listings of the active operating system ("OS dir list") for local storage now include "Record changed" timestamps and hard-link counts.

- If the incremental completion option for directory listings of the active operating system ("OS dir list") is active, directories that have not been explored yet are now marked with an asterisk (*) in the Attr. column.

- In volume snapshots based on directory listings of the active operating system ("OS dir list"), write-locked files that are open in other processes and cannot be changed are now optionally shown with an upper-case "L" in the Attr. column (for "locked"). Files that are merely kept open may be shown with a lower-case "o" if the box that represents this option is fully checked (for "open"). This could be useful when previewing or acquiring a live system, to find out which files are/were open in running processes or background services, or which executable files appear(ed) to be running/loaded. Please note that checking this for many files will take a long time. It may be practical only for specific directories of interest. This option has no effect on mapped network drives. It is possible to use the Attr. filter to quickly target open or write-locked files, and these files are higher in the sort order for the Attr. column.
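Added example for the "peculiar SFNs" item above (my own code, not X-Ways' detection logic, whose exact rules this page does not publish): a simplified re-implementation of how Windows derives an 8.3 alias from a long name, used to flag short names that cannot be the alias of their long name, such as an innocuous LFN whose SFN is a system DLL name. The Windows rules are approximated here (spaces and extra periods dropped, characters illegal in 8.3 names replaced by "_", first six characters plus "~N", or a two-character prefix plus four hex digits after many collisions); the directory listing is constructed, and the accept_hash_tails switch is my own looser mode, not the program's "more strict matching" option.

```python
import re

# Characters legal in long names but not in 8.3 names; Windows replaces them with "_"
# when deriving an alias (assumption: simplified rendering of the documented algorithm).
NOT_IN_SFN = set("+,;=[]")
NUMERIC_TAIL = re.compile(r"^(.{0,6})~[0-9]+$")           # PROGRA~1 style
HASH_TAIL = re.compile(r"^(.{0,2})[0-9A-F]{4}~[0-9]+$")   # PR1A2B~1 style, after many collisions


def _fix(chars):
    return "".join("_" if c in NOT_IN_SFN or ord(c) > 127 else c for c in chars)


def sfn_base_and_ext(lfn):
    """Approximate the base/extension Windows derives from a long name before adding "~N":
    uppercase, drop spaces and leading periods, keep only the last period, replace
    characters that are illegal in 8.3 names."""
    name = lfn.upper().replace(" ", "").lstrip(".")
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = ext, ""   # rpartition puts a dotless name into the last field
    return _fix(base.replace(".", "")), _fix(ext)


def is_valid_83(lfn):
    """True if the long name already satisfies 8.3 rules (then NTFS stores no separate SFN)."""
    if lfn != lfn.strip() or " " in lfn or lfn.startswith(".") or lfn.count(".") > 1:
        return False
    base, _, ext = lfn.partition(".")
    clean = lambda s: all(ord(c) < 128 and c not in NOT_IN_SFN for c in s)
    return 1 <= len(base) <= 8 and len(ext) <= 3 and clean(base) and clean(ext)


def classify_sfn(lfn, sfn, accept_hash_tails=False):
    """"ok" if `sfn` is an alias Windows could have derived from `lfn`, else "peculiar"."""
    if not sfn or sfn.upper() == lfn.upper():
        return "ok"                     # no separate short name, nothing to compare
    if is_valid_83(lfn):
        return "peculiar"               # a valid 8.3 LFN would never get a different alias
    base, ext = sfn_base_and_ext(lfn)
    sfn_base, _, sfn_ext = sfn.upper().partition(".")
    if sfn_ext != ext[:3]:
        return "peculiar"               # alias extension is the first three characters
    m = NUMERIC_TAIL.match(sfn_base)
    if m and m.group(1) == base[:6]:
        return "ok"
    m = HASH_TAIL.match(sfn_base)
    if m and accept_hash_tails and m.group(1) == base[:2]:
        return "ok"
    return "peculiar"


def find_peculiar_sfns(listing, accept_hash_tails=False):
    """Return the (LFN, SFN) pairs that deserve a "peculiar SFN" label."""
    return [(l, s) for l, s in listing if classify_sfn(l, s, accept_hash_tails) == "peculiar"]


# Constructed sample directory listing (LFN, SFN); not taken from any real volume.
SAMPLE_LISTING = [
    ("Program Files", "PROGRA~1"),
    ("innocuous-report.docx", "INNOCU~1.DOC"),
    (".gitignore", "GITIGN~1"),
    ("My Document.Final.txt", "MYDOCU~1.TXT"),
    ("readme.txt", ""),                               # valid 8.3 name: no separate SFN
    ("notes.txt", "KERNEL32.DLL"),                    # alias engineered to shadow a DLL name
    ("holiday photos.exe", "NTOSKRNL.EXE"),           # alias unrelated to the long name
    ("quarterly figures 2023.xlsx", "QU4F2A~1.XLS"),  # hash-style tail, looser mode only
]
```

With the default settings the last three entries are flagged; allowing hash-style tails drops the "QU4F2A~1.XLS" case, which is the kind of less severe discrepancy the notes suggest ignoring when too many normal files light up. A flagged SFN that equals a well-known system file name while the LFN is something harmless is the case worth a second look, since a process that opens the file by its short name gets the innocuous-looking file.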
Storage Device Support

- Improved handling of HPAs/DCOs.

- Treats presumably inactive GPT partitioning (replaced with ordinary MBR partitioning) properly as such, by presenting partitions that are defined in the GUID partition table as previously existing instead of existing, and by confirming MBR as the (active) partitioning style.

- If a file system in a partition assumes a sector size of 4 KB while the physical storage device or image that it's contained in has a sector size of 512 bytes, and if the number of 512-byte sectors in the partition is not evenly divisible by 8, then an incomplete additional 4 KB sector is now defined to cover the existing extra 512-byte sectors even if this exceeds the capacity of the partition, the device or the image, so that the extra space is included in the virtual volume slack file and targeted by logical searches etc., for more thorough coverage, at the risk of producing read errors.

- Ability to specify a footer size in sectors on components of a RAID that you reconstruct, to exclude sectors at the end. This could be useful in particular for JBODs if the interspersed unused space disturbs the consistency of the resulting data.
Disk Imaging

- Support for a much more modern compression algorithm in .e01 evidence files, which compared to the historically used algorithm offers a much better trade-off between compression ratio and compression speed plus decompression speed. Roughly speaking, with an almost as strong compression ratio as the "normal" setting of the compatible algorithm (a few percentage points less), the modern "normal" setting requires only 1/4 of the time for compression and 1/3 of the time for decompression. (We are referring to the mere computational work with a single thread here, excluding time needed for I/O.) When set to "stronger+", the modern algorithm achieves a comparable compression ratio as the former "normal" (or slightly better), but requires only 1/2 the time for compression and 40% of the time for decompression (or less). "Stronger++" takes noticeably more time and is usually not recommendable because the extra compression that it can achieve is usually limited, but it may still be faster than the old compression algorithm, especially for decompression (which typically occurs more than once, e.g. for immediate image verification after creation, for image verification at a later date, a file header signature search, one or more keyword searches, analysis and copying of files, etc.).

- Please note that the modern compression style will render an image suitable for use in X-Ways Forensics and X-Ways Investigator v20.9 and later only. The "sparse" setting of the modern compression style, however, which is already extremely efficient when acquiring storage devices that have been minimally used, in fact 11 times (!) more efficient for zeroed space than the sparse setting of the compatible compression style, is understood by v18.9 and later already.

- The descriptive text file that is generated along with an image now has an additional line at the end that states whether the image is expected to be generally compatible, compatible only with X-Ways products, or compatible only with X-Ways products of a particular version, depending on compression settings and encryption.

- Please note that the additional savings of the stronger compression settings are often minimal. If the compression ratio is very important to you and random access speed within the interpreted image is not, you may want to consider larger chunk sizes instead (or additionally).

- Faster decompression of .e01 evidence files with the original/compatible compression method in x86.

- The compression statistics window of .e01 evidence files can now be turned into a data density statistics window by way of a mouse click; the two are simply inverse views of the same data. The new default is data density. Taller blue bars previously indicated and still indicate higher compression = lower data density = no encryption = less storage space requirement for the image = less data to analyze = less work. Taller red bars (new) represent higher data density = more storage space requirement = more data to analyze = (if the bars reach the ceiling) potentially encryption. Please note that the lengths of the bars may vary depending on the selected compression method/strength.

- Prevents accidental overwriting of an image that is to be re-imaged to a new image itself, if the filename is kept the same.
Evidence File Containers

- Alternative filenames are now preserved in evidence file containers (if together with the respective main filename they are not too long).

- When copying files into an evidence file container from the root directory of an evidence object or the case root, the middle option between recreating the full original path and no path at all is now to make child objects of selected files also child objects of those files in the container and not place them at the same top level as the parents. In all other cases the middle option remains the same, i.e. only the part of the path below the currently explored directory is recreated, and the effect is now made more clear by the dynamic labeling of the checkbox.
User Interface

- With the timestamp filter active, matching timestamps are now highlighted in different colors depending on whether they merely fall into the targeted time period or whether they are actually in one of the targeted columns. Similarly, the funnel icons in headers of not directly targeted timestamp columns now appear in a different color, suggesting they are "less" active.

- Remembers the preferred initials of the last user for the next case and the "Distinguish between different users" option.

- New notation setting to provide descriptions of files that are child objects of files recursively including their parents.

- More metadata in the list of restorable volume snapshot backups.

- Ctrl+0 no longer removes labels that were assigned automatically by X-Ways Forensics and serve as hints for the user or labels that represent detected picture content.

- It is now easier to find the option to make a label definition available in the report for output as a report table.

- Chinese translation updated.
Miscellaneous

- If the command Tools | File Tools | Delete Recursively fails to remove a directory the regular way because of insufficient access rights, it can now make a second attempt if run with administrator rights and have a good chance at removing the directory that way. It requires your consent to use administrator power and take ownership of the selected directory structure prior to deletion.

- Better resilience against certain corrupted volume snapshots (active only in Preview and Beta releases).

- Slightly improved internal coordination between sessions.

- X-Tension API: XWF_SelectVolumeSnapshot now has a return value that allows the caller to determine success or failure.

- Fixed a reason for a crash that could occur when exporting search hits with context. If exporting a search hit list with context around search hits still crashes, the exact search hit that is responsible for that should now be brought to the user's attention at the next start.

- When evidence objects are opened automatically for volume snapshot refinements or simultaneous searches, a certain rare problem with that should be eliminated now.

- The program help and the user manual were updated.

- Many minor improvements.
Changes of service releases of 20.8

- SR-1: Accepts XFS volumes with just 2 or 3 allocation groups as valid.

- SR-1: Fixed an exception error that could occur when running a file header signature search in Btrfs, QNX or XFS volumes.

- SR-1: A very rare exception has been fixed that could theoretically occur when opening a file in APFS if the very first data block was sparse.

- SR-1: X-Ways Imager can now interpret images again after their creation so that they can be verified immediately and automatically.

- SR-1: Fixed read errors in logical process memory.

- SR-1: Ukrainian translation of the user interface available.

- SR-1: The Russian translation of the user interface was updated.

- SR-2: A very rare exception error was fixed that could occur when parsing NTFS file systems.

- SR-2: Fixed an exception error that occurred when removing all extracted metadata.

- SR-2: Fixed a rare exception error that could occur when updating the edit box history.

- SR-2: Fixed a rare erroneous message about a hash mismatch after verifying evidence objects.

- SR-3: An internal limitation of 4 TB of extracted data in a volume snapshot was overcome.

- SR-3: Fixed an exception error that occurred when previewing PLists before they were processed by "Uncover embedded data from various files".

- SR-3: Fixed a potential crash that could occur on some systems when starting X-Ways Forensics 20.8 for the first time.

- SR-4: X-Ways Forensics is now more careful when adopting files that were previously carved at the partition/volume level as child objects of other files in which they seem to be contained when uncovering embedded data, because that could lead to unwanted data truncation. This improvement will be applied to all affected versions (v20.6 and later).

- SR-4: Fixed processing of overlong command line parameters.

- SR-4: The Description filter filtered out all files if certain invisible dependent boxes were checked. That was fixed.

- SR-4: Fixed inability to open certain newly extracted files in very specific circumstances when refining the volume snapshot.
Become a certified user of X-Ways Forensics

Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques). Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts and updated training material. For further details, please check here.
Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards
Stefan Fleischmann
X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde, Germany