X-Ways
·.·. Computer forensics software made in Germany .·.·
WinHex & X-Ways Forensics Newsletter Archive


#136: WinHex, X-Ways Forensics, X-Ways Investigator 17.4 released

Nov 13, 2013

This mailing is to announce the release of another notable update with many interesting new features, v17.4.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data (the password has changed recently!), details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.4 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our brand new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Book: X-Ways Forensics Practitioner's Guide

Bestseller in forensic science on Amazon (was rank #2). Written by Brett Shavers and Eric Zimmerman. Technical editor Jimmy Weg. Foreword by Craig Ball. Authors' blog.


Training Conference in Australia

Canberra, March 10-11, 2014. With Craig Ball and Eric Zimmerman as keynote speakers and presenters, and blocks of 45-minute presentations on intermediate to advanced X-Ways functionality. All attendees will receive a copy of the “X-Ways Forensics Practitioner's Guide”.

Interested parties that would like to attend or present are encouraged to contact the organizer CBIT Forensics. More information.


What's new in v17.4?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Keyword Searches

  • Ability to conveniently run non-GREP index searches for search terms that contain spaces, just like in conventional searches. This is very important for names (e.g. "John Doe" or "XYZ Technology Ltd") and spaced compound words (e.g. "bank account" or "credit card limit"). New index only.

    This works even if the individual components of the compound already exceed the maximum word length that was indexed (by default 7 characters), so that you will have no trouble finding "basketball positions" (10+9 letters) or "skyscraper architecture" (10+12 letters). Just as always, the components are only matched up to the length that was indexed, which is not a big problem because there are not many words other than "basketball" and "skyscraper" that start with "basketb" or "skyscra", respectively.

    In fact the spaces in the search terms match unindexed word delimiters other than space characters as well, such as hyphens, so you will also find "Spider-Man" and "freeze-dried" when searching for "spider man" and "freeze dried", or underscores as in "bank_account" (think of a filename like "bank_account.html") or plus signs as in "credit+card" (e.g. common in Google search URLs when searching for more than 1 word). So in that respect index searches are now even more powerful than conventional searches.

    Defining spaces as being part of words is now finally a big no-no.

  • NEAR combination of search hits is now supported for more than 2 selected search terms. The effect is that a search hit is listed only if any of the other selected search terms occurs nearby.
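The two search behaviours above (prefix-limited index keys whose spaces match any delimiter, and NEAR across more than two terms) in a simplified model. This is an added illustration, not X-Ways' indexing engine; the word pattern, the 7-character limit as the only truncation rule and the sample text are constructed assumptions.

```python
"""Simplified model of the index search behaviour described above (added illustration,
not X-Ways' indexing engine): words are indexed only up to a maximum length, and spaces in
a search term match any unindexed delimiter between words. Sample text is constructed."""
import re
from collections import defaultdict

MAX_INDEXED_LEN = 7                      # the newsletter's default maximum indexed word length
WORD_RE = re.compile(r"[A-Za-z0-9]+")    # assumption: everything else is a word delimiter


def build_index(text: str) -> dict:
    """Map each indexed key (lower-cased word truncated to MAX_INDEXED_LEN) -> word positions."""
    index = defaultdict(list)
    for pos, m in enumerate(WORD_RE.finditer(text)):
        index[m.group().lower()[:MAX_INDEXED_LEN]].append(pos)
    return index


def index_search(index: dict, term: str) -> list:
    """Positions where the term's components occur as consecutive words. Each component is
    truncated like the index was, so "basketball" is matched on "basketb" only; the space
    between components matches hyphen, underscore, plus sign or any other delimiter."""
    comps = [c.lower()[:MAX_INDEXED_LEN] for c in term.split()]
    hits = []
    for start in index.get(comps[0], []):
        if all(start + i in index.get(c, []) for i, c in enumerate(comps)):
            hits.append(start)
    return hits


def near_filter(index: dict, terms: list, distance: int) -> list:
    """NEAR across more than two terms: keep a hit only if any of the other selected terms
    occurs within `distance` words of it. Returns (term, position) pairs in text order."""
    positions = {t: index_search(index, t) for t in terms}
    kept = []
    for term, hits in positions.items():
        others = [p for t, ps in positions.items() if t != term for p in ps]
        kept.extend((term, h) for h in hits if any(abs(h - o) <= distance for o in others))
    return sorted(kept, key=lambda th: th[1])


# Constructed sample text containing the delimiter variants the newsletter mentions.
SAMPLE = ("Spider-Man saved the city. The bank_account.html file and a credit+card "
          "query appeared in the URL. Notes on basketball positions and skyscraper "
          "architecture; the basketball team lost.")


def demo() -> dict:
    """Word positions of each search term in SAMPLE. The last term shows the caveat from the
    text: "basketbelt positions" matches too, because only "basketb" was indexed."""
    index = build_index(SAMPLE)
    return {term: index_search(index, term) for term in
            ("spider man", "bank account", "credit card",
             "basketball positions", "skyscraper architecture", "basketbelt positions")}


if __name__ == "__main__":
    for term, hits in demo().items():
        print(f"{term!r}: word positions {hits}")
    print(near_filter(build_index(SAMPLE),
                      ["bank account", "credit card", "skyscraper architecture"], 8))
```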

File Analysis

  • Block-wise hashing may make it possible to identify complete or incomplete remnants of known notable files that are still floating around in free drive space, even if they were fragmented and the location of the fragments is unknown, and thus to show with some or very high certainty that these files once existed on that medium.

    Most suitable for selected notable files larger than a few sectors, files that are ideally compressed or at least not only sparsely populated with non-zero data and do not contain otherwise trivial combinations of byte values that occur frequently. Good examples are zip-styled Office documents, pictures and video files. Very trivial blocks within a file that consist of mostly just 1 byte value are ignored and not hashed (the same applies when creating the hash set). For quicker matching, ideally work with a small hash database and do not select a hash type stronger than MD5.

    Hash sets of block hashes can be created or imported in the same way as ordinary hash sets, but are handled by a separate hash database, which internally is stored in a subdirectory of the main hash database directory. You can create hash sets consisting of the block hashes of 1 file at a time, or combined hash sets of multiple selected files. The block size is currently always 512 bytes.

    Block hash matches may be found as part of volume snapshot refinements. The hash values are computed when reading from the evidence object sector-wise, and that happens at the same time as a file header signature search if selected, to avoid unnecessary duplicated I/O, with the same sector scope. Matches are returned as a special kind of search hits. Multiple matches for contiguous blocks are more meaningful than isolated individual matches, as they are even less likely the result of some coincidence, and they are usually combined in a single hit. The size of all such hits is shown when listing search hits. The larger the size, the higher the evidentiary value of the match. Please note that X-Ways Forensics does not verify itself that contiguous matching blocks are in the same order as in the original file(s), but that can be verified manually, and for data that is as unique as compressed data that is most likely the case.

  • Ability to freely carve any kind of file within any kind of file, not just those marked with the "e" flag, with a second sub-operation of "Uncover embedded data in certain file types". Use great caution to avoid delays and copious amounts of garbage files (false positives) and duplicates.

    Signatures marked with the "E" flag (upper case) are never carved within other files, to prevent the worst effects, for example MPEG frames carved within MPEG videos, zip records carved within zip archives, .eml, .html and .mbox files carved within e-mail archives, .hbin registry fragments carved within registry hives. If you know what you are doing (e.g. if you are an X-PERT), of course you could remove the E flag.

    Please apply this new function very carefully and only with a good reason to specifically targeted files, such as swap files or storage files in which backup applications concatenate other files without compression. Do not apply this function blindly to all files or random files. Remember, with great power comes great responsibility.

    There is an option to apply the carving procedure recursively, that means to those files again that were already carved within other files. This can lead to many duplicates if the outer file at level 1 is carved too big so that files can be carved in it that were also carved at level 0 (the original file).

    For situations where you want to carve embedded files that are not aligned at 512-byte boundaries in the original file, you may make use of the extensive byte-level option. In such a case one of the biggest mistakes to make would be to carve at the byte level in $MFT, which typically contains many small files stored as resident/inline, but which of course is fully processed already when taking the volume snapshot. Hence the option to always exclude $MFT at the very least.

  • Uncovering embedded data in various files based on byte-level file carving with the "e" flag is no longer limited to file types with a tilde ("~") method.

  • Prevents a crash that could occur in the 64-bit edition under Windows 8 when running the encryption test.
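The block-wise hashing described in the first item of this section, as an added illustration (not X-Ways code): a hash set of 512-byte block MD5s is built from a known file, then free space is scanned sector by sector and adjacent matches are merged into one hit whose size indicates its weight. The 90% threshold for a "trivial" block, the seeded pseudo-random "file" and the layout of the free space are constructed assumptions.

```python
"""Block-wise hashing of a known file and sector-wise matching against free space, as the
newsletter describes it. Added illustration: all data below is constructed with a fixed
seed; it is not X-Ways code and not a real hash set."""
import hashlib
import random
from collections import Counter
from dataclasses import dataclass, field

BLOCK_SIZE = 512          # the newsletter: block size is currently always 512 bytes
TRIVIAL_RATIO = 0.9       # assumption: a block is "trivial" if one byte value fills >= 90% of it


def is_trivial(block: bytes) -> bool:
    """Blocks consisting mostly of a single byte value are neither hashed into the set
    nor matched while scanning (they would match almost anything)."""
    return Counter(block).most_common(1)[0][1] >= TRIVIAL_RATIO * len(block)


def block_hash_set(known_file: bytes) -> dict:
    """MD5 of every full, non-trivial block -> index of that block within the known file."""
    hashes = {}
    for idx in range(len(known_file) // BLOCK_SIZE):
        block = known_file[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE]
        if not is_trivial(block):
            hashes.setdefault(hashlib.md5(block).hexdigest(), idx)
    return hashes


@dataclass
class Hit:
    offset: int                                  # byte offset on the medium
    size: int                                    # bytes covered by contiguous matching sectors
    blocks: list = field(default_factory=list)   # matched block indices of the known file

    def in_order(self) -> bool:
        """The manual check the newsletter mentions: are the matched blocks consecutive
        and in the same order as in the original file?"""
        return all(b - a == 1 for a, b in zip(self.blocks, self.blocks[1:]))


def scan_sectors(medium: bytes, hashes: dict) -> list:
    """Hash the medium sector by sector, look each hash up, and merge matches in adjacent
    sectors into one hit; the bigger the hit, the higher its evidentiary value."""
    hits = []
    for sector in range(len(medium) // BLOCK_SIZE):
        block = medium[sector * BLOCK_SIZE:(sector + 1) * BLOCK_SIZE]
        if is_trivial(block):
            continue
        idx = hashes.get(hashlib.md5(block).hexdigest())
        if idx is None:
            continue
        offset = sector * BLOCK_SIZE
        if hits and hits[-1].offset + hits[-1].size == offset:
            hits[-1].size += BLOCK_SIZE
            hits[-1].blocks.append(idx)
        else:
            hits.append(Hit(offset, BLOCK_SIZE, [idx]))
    return hits


def _blocks(rng: random.Random, n: int) -> bytes:
    """Constructed stand-in for compressed content: n blocks of pseudo-random bytes."""
    return bytes(rng.getrandbits(8) for _ in range(n * BLOCK_SIZE))


_rng = random.Random(20131113)
# Known notable file: 8 blocks; block 4 is all 0xFF (trivial, so it never enters the hash set).
KNOWN_FILE = _blocks(_rng, 4) + b"\xff" * BLOCK_SIZE + _blocks(_rng, 3)
KB = [KNOWN_FILE[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] for i in range(8)]
ZERO = bytes(BLOCK_SIZE)
# Constructed free space: the file's fragments scattered out of order, unrelated data in between.
MEDIUM = (ZERO + KB[5] + KB[6] + KB[7]       # fragment 2: three contiguous blocks
          + ZERO + ZERO + KB[0] + KB[1]     # fragment 1: two contiguous blocks
          + ZERO + _blocks(_rng, 2)         # unrelated non-trivial data: no match
          + KB[3] + ZERO)                   # an isolated single block


def demo() -> list:
    return scan_sectors(MEDIUM, block_hash_set(KNOWN_FILE))


if __name__ == "__main__":
    for h in demo():
        print(f"offset {h.offset:6d}  size {h.size:5d}  blocks {h.blocks}  in order: {h.in_order()}")
```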

Gallery

  • For large JPEG, PNG, GIF and TIFF files, at the same time when analyzing the colors in the pictures during volume snapshot refinement, X-Ways Forensics can now optionally also create thumbnails in advance for much quicker display updates in Gallery mode later. Internal thumbnails are only created if no original thumbnails are embedded in the files and extracted at the same time, and they are actually utilized for the gallery only if auxiliary thumbnails are enabled (see Options | General).

    (To discard all internal thumbnails, but keep the computed skin color percentages, you may delete the file "Secondary 1" in the "_" subdirectory of an evidence object behind X-Ways Forensics' back, when the evidence object is not currently open.)

  • Improved representation of videos with extracted stills in the gallery, showing all stills in a loop, to give a much more complete impression of the contents of videos without further user interaction (without having to explore them).

    An alternative efficient way to review a large number of videos now seems to be this: Explore recursively, filter for videos, sort in descending order by number of child objects (so that videos with a similar number of stills are shown together), and activate Gallery mode. Watch the various video stills for each video. Proceed to the next gallery page when you are confident that no incriminating videos are represented on the current page, for example when all stills have been shown, which you will know is the case when the gallery has rotated back to the first still for each video.

    "Allow auxiliary thumbnails" is now a 3-state checkbox. To disable the new representation of videos described above, you can half-check that box.

  • When a View window displays a picture, if limited to one such window, that window will be updated with the next picture when you hit the cursor keys in the gallery. Useful especially if the View window is centered on the second monitor if the gallery is on the first monitor, on a spanned desktop. Avoids having to press the Enter key to view the picture and another key to close the View window to get the input focus back to the gallery.

  • X-Ways Forensics now by default extracts embedded JPEG thumbnails from .cr2 raw files. The first extracted thumbnail becomes the preview and gallery representation of a .cr2 raw file.

File Format Support

  • Support for Windows.edb of Windows 8.1.

  • Improved support for thumbcaches in Windows 8 and Windows 8.1.

  • Greatly improved ability to repair inconsistent EDB databases. Several changes and fixes which improve reliability when processing EDB databases in general.

  • .evtx event log preview shows the username, old time and new time for system time changes.

  • Minor fixes and improvements for EDB and SQLite database extraction.

  • Reduced memory consumption of the registry viewer.

  • Separate file type category for spreadsheets.

  • New file type category "Page Layout".

  • New file types in the ZIP and XML families defined.

  • Several new and revised file type signature definitions.

Timestamps & Events

  • A filter for event descriptions is now available.

  • Improved tooltips in Calendar mode.

  • When in Calendar mode and not showing events, you can now select which column's timestamp should be included in the calendar. Columns that are hidden (have a width of 0 pixels) are excluded, all other columns are included. The status bar reminds you which columns are included even if not currently visible because of horizontal scrolling.

  • More timestamps extracted from Prefetch files.

  • X-Ways Forensics now outputs all entries in .evtx event log files as events. Most of these events now come with a description that includes the event source, the event ID and the record number. The record number allows you to quickly search for the record in the HTML preview if you need further details about that particular event.

  • Extraction of MS Windows operating system update events from DataStore.edb.

  • The directory browser column "Internal creation" is now called "Content creation".

Usability & User Interface

  • Ability to filter for duplicates of files in X-Ways Investigator, by right-clicking a given file in the directory browser with an available hash value. Actually filters for that hash value. As in previous versions, the actual hash values are not displayed in X-Ways Investigator. The same command is also used in X-Ways Forensics and supersedes the "Filter by [hash value]" command that required you to right-click the cell with the hash value.

  • New investigator.ini option +51 prevents listing of excluded items (opposite of +31). Useful to intentionally keep users of X-Ways Investigator from seeing certain files.

  • Greatly accelerated loading of large registry hives into the registry viewer.

  • No longer loses the block definition when switching from Partition to File mode and back.

  • Chinese and Italian translation of the user interface updated.

  • Acoustic signals before shutdowns (e.g. after imaging or volume snapshot refinement) to give users a better chance to abort it if they have changed their mind.

File System Support

  • When taking a volume snapshot, symbolic links are now connected to their targets in the volume snapshot as so-called related files, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also one of potentially several symlinks pointing to a certain target will become the related file of the target, so that you can conveniently navigate to the symlink or quickly see in the first place that one or more symlinks exist that point to a certain target, since any file that has a "related" file in the volume snapshot is marked with a tiny blue arrow next to its icon. Also the same arrow will tell you whether the target of a symlink can actually be found in the file system. If a symlink links to other symlinks, those are not recursively linked. If resolving symlinks takes too long because there are many symlinks in a volume, you may safely abort that step at any time.

  • When taking a snapshot of volumes with Windows installations, certain reparse points (a.k.a. junction points) are now connected to their targets in the volume snapshot just like symlinks in Unix-based file systems, so that you can conveniently navigate to the target by pressing Shift+Backspace. Also there will be a back-reference to one reparse point, so that you can conveniently navigate to that reparse point or quickly see in the first place that one or more reparse points exist that link to a certain directory, since any directory that has a "related" directory in the volume snapshot is marked with a tiny blue arrow next to its icon. Forensic license only. Reparse points that do not get connected with their target directories will still show a comment that advises you of the target path as in earlier versions of X-Ways Forensics.

  • For reparse points in NTFS, File mode now shows the reparse point target information instead of the directory's empty index root.

  • A secondary tooltip now appears for files with a "related" file when hovering the mouse cursor over the icon, which tells you the path and name of that related file, for example the target of a symbolic link.

  • Improved support for volume shadow snapshot properties files of Windows 8.1.

  • Improved ability to write certain sectors on drive letters.

Image Support

  • Support for .e01 evidence files with an exotic internal chunk size of more than 0.5 MB as apparently used by default by Wiebetech Ditto devices. (Note that the standard size is 32 KB.)

  • It is now possible to store the hash values of files in evidence file containers even when including only metadata of the files, as long as the hash values of the files have been computed already and stored in the volume snapshot.

  • The non-forensic version of WinHex did not write the hash value of created raw images into the text file. That will be fixed with v17.4.

Miscellaneous

  • New X-Tensions API function XWF_GetVSProp introduced.

  • Support for Unicode characters in template filenames.

  • New Venezuela time zone defined.

  • User manual and program help were updated.

  • Various minor improvements and some small bug fixes.


Changes of service releases of v17.3:

  • SR-1: Support for more event types in .evtx event logs.

  • SR-1: Fixed an exception error that could occur when embedding attachments in .eml files as Base64 code.

  • SR-1: Fixed an error in the Edit | Convert | Base64 -> Binary function.

  • SR-1: Avoided unnecessary error messages that could occur when generating events based on 0x30 timestamps.

  • SR-2: Some collisions of report table shortcuts resolved.

  • SR-2: Improved identification of .emlx files.

  • SR-2: Avoided a rare exception error when getting out of Calendar mode.

  • SR-3: Fixed an exception error that could occur when extracting 0x30 timestamps of certain previously existing files as events.

  • SR-3: Fixed an exception error that could occur when processing certain file archives.

  • SR-4: Tools | Disk Tools | Initialize MFT Records did not work when using WinHex in languages other than Western European ones. That was fixed.

  • SR-4: Prefetch file viewing and metadata extraction support was not active in SR-3. That was fixed.

  • SR-4: Some special code pages were not offered for selection in all functions related to code pages in SR-3. That was fixed.

  • SR-4: Some pictures were not checked for their amount of skin colors in v17.3, resulting in "?" in the SC% column. That was fixed.

  • SR-5: Fixed an exception error that occurred in v17.3 under Windows PE/FE when starting operations with a progress bar.

  • SR-5: Fixed some rare exception errors.

  • SR-5: Improved processing of volume shadow copies.

  • SR-6: The alternative e-mail presentation in the report now works even if not selected also for Preview mode, as it should.

  • SR-6: Fixed text decoding option in the new indexing engine.

  • SR-6: Fixed inability of v17.2 and v17.3 to open objects internally marked as alternate data streams in evidence file containers.

  • SR-7: v17.2 and v17.3 did not save comments in a volume snapshot when the evidence object was closed if nothing else was changed in the volume snapshot. That was fixed.

  • SR-7: Fixed a stability error that could occur when processing certain .evtx files.

  • SR-7: Fixed two errors that could occur when processing EDB database files.

  • SR-7: Fixed an error in the "Embed pictures in HTML as inline code" option in the 64-bit edition of X-Ways Forensics.

  • SR-8: Fixed an error that could occur when opening files in certain GZ archives.

  • SR-8: Fixed a timestamp filter problem that for time zones with daylight saving sometimes erroneously rejected a certain end date and time as invalid.

  • SR-8: No potentially misleading hit count is displayed any more for unselected search terms when using the "List 1 hit per file only" option.

  • SR-8: Verification after imaging was reported to take 0:00 minutes in v17.3. That was fixed.

  • SR-9: Fixed an infinite loop that could occur in SR-8 when reading from certain file archives.

  • SR-9: Enhanced stability when processing SQLite databases.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)

 

#135: WinHex, X-Ways Forensics, X-Ways Investigator 17.3 released

Sep 12, 2013

This mailing is to announce the release of another notable update with many interesting features, v17.3.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.3 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to continue to use an older version, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training Dates

London, England, Oct 14-18, 2013
Washington DC area, USA, Nov 4-8, 2013
More information


What's new in v17.3?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Events & Timestamps

  • Calendar mode now represents all timestamps from all 6 timestamp columns of the regular directory browser (instead of just 3) for all listed files (instead of only selected files). The darker the gray color in the calendar for a day, the more timestamps on that day. Hovering the mouse cursor over a day in the calendar tells you the number of timestamps that fall on that day. Left-clicking on a day sets that day as the left boundary for the combined timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day hones in on that particular day only. If the same file is listed more than once (which can happen in a search hit list if it contains more than 1 search hit), then its timestamps are also represented more than once in the calendar.

  • For event lists, Calendar mode now shows the number of events on each day (all events that are currently listed) using different shades of gray (the darker, the more events on that day). That allows you to quickly figure out when there was most activity and when there was no activity. Hovering the mouse cursor over a day in the calendar tells you the number of events on that day. Left-clicking on a day sets that day as the left boundary for the event timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day filters for that particular day only.

  • Years in the calendar with no timestamps are now grayed out. The number of a year is now displayed in a darker shade of gray the more timestamps are listed for that year. All shades of gray try to give the examiner a better and quicker impression of peaks or absence of activity.

  • If the corresponding timestamp filter is active, years are printed in blue in Calendar mode to remind you of the filter. To turn off the filter, as always, click the blue filter symbol in the caption line of the directory browser.

  • Event timestamps from FAT file systems are now output adequately. They are not translated to local time and do not show more precision than they actually have.

  • Timestamps in the normal directory browser that meet the timestamp filter condition are now highlighted. Timestamps in an event list that are identical to the event timestamp are now also highlighted.

  • Timestamps from 0x30 attributes in NTFS file systems are now output as events if actually different from their 0x10 counterparts and not identical to the 0x30 creation timestamp. They are marked as "0x30" in the Event Type column. Malware might give itself harmless-looking timestamps after deployment, so that it does not seem to be related to the time of intrusion/infection. The 0x30 attribute timestamps, however, remain unaltered (except if the file is renamed or moved later), and that is the reason why some examiners are interested in them. If the time frame of intrusion/infection is known, related files might be found in the event list with v17.3 and later thanks to original 0x30 attribute timestamps.

    0x30 timestamps are marked in the event list with an asterisk if they are later than the corresponding 0x10 timestamps, which seems unnatural and in some rare cases might be the result of backdating by the rightful users of the computers themselves. Under certain circumstances, backdating documents is seen as fraudulent and illegal. However, much more commonly 0x10 timestamps predating 0x30 timestamps is just the effect of installation programs or the result of copying a file or moving a file from one volume to another or extracting a file from a zip archive, where Windows or other programs artificially apply the original creation time of the source file to the destination once copying turns out to be successful (internal programmatic backdating).

    If the checkbox "Provide file system level timestamps as events" is only half checked, timestamps in 0x30 attributes are ignored for event generation, which is faster.

  • Ability to filter for mere times, matching any possible date. For example if you are interested in unusual activity occurring in the middle of the night when the rightful office computer user is not working, you could filter for times such as between 22:00:00 and 05:59:59 (on a 24-hour clock). Obviously, selecting the right local time zone for the timestamp filter is crucial for this.

  • Omits modification and record update timestamps as events if identical to the corresponding creation timestamp, just as access timestamps already in previous versions.

  • More events are now generated from internal file contents: Internal creation in various file formats, last saved in Office documents and RTF, boot time from ETL (event trace log) files, attach timestamps from EDB, signing date from EXE/DLL/SYS/..., Exif timestamps in photos.

  • .evt event logs supported as a source of events.

  • Support for more event types in .evtx event logs.

  • Clickable offsets in the HTML representation of Windows .evtx event logs.
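The 0x30 event rule from the NTFS timestamp item above (a $FILE_NAME timestamp becomes an event only if it differs from its $STANDARD_INFORMATION counterpart and from the 0x30 creation time, with an asterisk when it is later than the 0x10 value), as an added illustration that is not X-Ways code. The attribute bodies are constructed to model a backdated 0x10 creation time; the attribute layouts and FILETIME encoding are standard NTFS, the file name and dates are made up.

```python
"""Generate events from NTFS $FILE_NAME (0x30) timestamps the way the newsletter describes.
Added example; the attribute bodies below are constructed, not taken from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KINDS = ("creation", "modification", "record update", "access")


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_standard_information(body: bytes) -> dict:
    """$STANDARD_INFORMATION (type 0x10) body: four FILETIMEs at offset 0
    (creation, modification, MFT record update, access)."""
    return dict(zip(KINDS, struct.unpack_from("<4Q", body, 0)))


def parse_file_name(body: bytes) -> dict:
    """$FILE_NAME (type 0x30) body: parent reference (8 bytes), the same four FILETIMEs at
    offset 8, sizes and flags, then name length (offset 64), namespace and UTF-16LE name."""
    attrs = dict(zip(KINDS, struct.unpack_from("<4Q", body, 8)))
    name_len = body[64]
    attrs["name"] = body[66:66 + 2 * name_len].decode("utf-16-le")
    return attrs


def fn_events(si: dict, fn: dict) -> list:
    """Rule from the newsletter: a 0x30 timestamp becomes an event only if it differs from
    its 0x10 counterpart and is not identical to the 0x30 creation timestamp; it is marked
    '*' when it is later than the 0x10 value (backdated 0x10, or a copied/installed file)."""
    events = []
    for kind in KINDS:
        if fn[kind] == si[kind]:
            continue
        if kind != "creation" and fn[kind] == fn["creation"]:
            continue
        flag = "0x30*" if fn[kind] > si[kind] else "0x30"
        events.append((flag, kind, filetime_to_datetime(fn[kind]).isoformat()))
    return events


def _ft(*args) -> int:
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))


# Constructed sample: the file was really created 2013-06-15 10:00 UTC (still visible in 0x30),
# but its 0x10 creation timestamp was pushed back to 2010-01-01 after the fact.
SI_BODY = struct.pack("<4Q", _ft(2010, 1, 1, 9, 0, 0),          # creation (backdated)
                      _ft(2013, 6, 16, 8, 30, 0),               # modification
                      _ft(2013, 6, 16, 8, 30, 0),               # record update
                      _ft(2013, 6, 16, 8, 30, 0)) + bytes(16)   # access; flags/version fields zeroed
FN_NAME = "report.docx".encode("utf-16-le")
FN_BODY = (struct.pack("<Q", 5 | (5 << 48))                    # parent: MFT record 5 (root), seq 5
           + struct.pack("<4Q", _ft(2013, 6, 15, 10, 0, 0),     # creation (genuine) -> event with '*'
                         _ft(2013, 6, 15, 10, 0, 0),            # modification == 0x30 creation -> no event
                         _ft(2013, 6, 15, 10, 0, 5),            # record update, earlier than 0x10 -> no '*'
                         _ft(2013, 6, 16, 8, 30, 0))            # access == 0x10 access -> no event
           + struct.pack("<QQIIBB", 4096, 3310, 0x20, 0, len(FN_NAME) // 2, 1)
           + FN_NAME)


def demo() -> list:
    return fn_events(parse_standard_information(SI_BODY), parse_file_name(FN_BODY))


if __name__ == "__main__":
    print(parse_file_name(FN_BODY)["name"])
    for ev in demo():
        print(*ev, sep="  ")
```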

Usability

  • Better support for high DPI settings in Windows (larger than 125, with non-XP style scaling), display no longer blurred. Still, settings in the 100-125 range are recommended.

  • Ability to change the user interface of X-Ways Forensics to that of X-Ways Imager, for evaluation purposes or when no other functionality is needed on an imaging workstation.

  • Gallery display accelerated and flickering avoided in certain situations.

  • Gallery thumbnails remain visible when proceeding to the next page until replaced by the new thumbnails of the next page, and can usually still be double-clicked. Useful if you still spot a potentially relevant picture after having pressed Page Dn or rolled the mouse wheel too early.

  • The progress of operations is now also shown in the taskbar of Windows 7 and later.

  • Relative progress displayed when indexing large files (new indexing engine) and in some other situations.

  • The virtual "Free space" file is now shown in gray if the "net free space computation" option is active, as a reminder of the fact that it does not represent the entire free space when opened.

  • The presence of a file named winhex.nouser in the installation directory forces a generic (not user-specific) configuration. Useful for example for portable use on an external USB hard disk, to avoid inadvertently using an existing user-specific configuration on the same system when executing X-Ways Forensics. For more information about storing configurations please see https://www.x-ways.net/winhex/setup.html.

  • The title of the currently open case is now displayed in the main window caption.

  • Video still extraction is now completely silent.

  • X-Ways Forensics now remembers the sort criteria and the "Group files and directories" option separately
    1) for the normal directory browser of a volume,
    2) for the normal directory browser of a partitioned disk,
    3) for search hit lists and
    4) for event lists.

Disk & Image Support

  • Ability to open physical disks, partitions and volumes like a file, via File | Open or when selecting a source file for disk cloning, by clicking a new button labeled "Device..." in the file selection dialog. You can enter a device path such as
    \\.\PhysicalDrive1 (for hard disk 1)
    \\?\Volume{12345678-9abc-11a1-abcd-0123456789ab} (for a volume with that GUID)
    \\.\C: (for a volume mounted as drive letter C: )

    This new functionality allows you to open volumes that are not mounted as drive letters. To get an overview of volumes known to Windows, type "mountvol" in a command prompt window.

    You can also try to open exotic devices supported by Windows such as tapes and changers (not tested).

    Also this is how you can open alternate data streams whose path and name you know, which cannot be opened through the ordinary File | Open dialog, without opening the volume on which they reside.

    Opening a hard disk as a file can be useful for example if you wish to clone that disk and if source and destination disk have different sector sizes (whether it makes sense in the first place to clone a hard disk despite the sector mismatch depends on the data). When treated as a file, there is no defined sector size and hence no possibility for a sector size mismatch.

    Device files can also be interpreted as disks like images can.

  • Volume shadow copy host files that have been excluded by the user (examiner) are now ignored by the particularly thorough file system data structure search.

  • The drive letters that correspond to the partitions on real physical disks (not images interpreted as disks) are now displayed by the partition number in the directory browser. Also you will see the partition size for a drive letter in the Open Disk dialog.

  • Includes hardlinks of the same file in containers of the new file format even if the links have the same name.

  • When copying selected files to an evidence file container, X-Ways Forensics now reports how many files were selected in addition to the number of files that were actually copied, for reasons of convenience. If all selected files were copied, that will be indicated by the word "all". Previously the number of selected files could only be seen in the selection statistics below the directory browser.

  • Ability to add newly created images to the case and start refining their volume snapshot(s) automatically without further user interaction, provided that the source disk had not been added to the case yet and that a case is open at that time.

  • Estimates the total size of the resulting compressed .e01 image while creating it and updates the estimate continuously.

  • Warns users who try to interpret the .001 segment of a split raw image if a segment named .000 exists. Users need to know that they have to specify the first segment when interpreting split images or adding them to a case.

File Format Support

  • Internal graphics viewing library revised for JPG, PNG, TIFF.

  • Fixed instability when processing certain GIF pictures.

  • Support for Windows 8 .pf Prefetch files.

  • File type identification of and metadata extraction from JIDX (Java applet cache).

  • File type verification generally updated.

  • Improved recognition of original names of files embedded in .mht files.

  • Extraction from .mht files did not work in recent releases of v17.2. That was fixed.

  • Ability to specify the type of selected files yourself, via a new command in the directory browser context menu. Useful if you wish to identify types or subtypes in an individual way unknown to X-Ways Forensics, for example to be able to filter by these types later. How about categorizing TIFF pictures that are digitally stored faxes as type "fax"? Remember you can define your own file types in File Type Categories.txt.

  • Fixed an exception error that could occur when embedding attachments in .eml files as Base64 code.

  • Fixed an error in the Edit | Convert | Base64 -> Binary function.

Miscellaneous

  • Shows the first extracted video still as a thumbnail in the case report to represent the video itself.

  • Ability to create report table associations for files based on search terms that they contain. Useful if you wish to keep the information about which file contains which search terms even after deleting search hits, or to preserve it in evidence file containers. Report tables representing contained search terms are the 3rd kind of report tables, the first two being report tables created by X-Ways Forensics to make the user aware of certain file specialities and user-created general purpose report tables. Report tables representing search terms are recognized in evidence file containers by v17.3 and later.

  • Ability to automatically associate siblings of selected files with report tables. Useful for example when reviewing search hits, if you find a relevant search hit in the attachment of an e-mail message and want to be sure to include other attachments of the same e-mail message in further processing, even if they do not contain search hits.

  • New flag "W" (upper case) supported in "File Type Header Signatures Check Only.txt", which identifies header signatures that are too weak to identify the type of a file on their own and are merely used to confirm the type suggested by the name extension of the file.

  • Whole word searches now work for words in Western European languages in UTF-16 BE.

  • Many minor improvements and some minor fixes.

  • PDF user manual and program help revised and updated for v17.3.
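The distinction the "W" flag introduces (a strong signature identifies a type by itself, a weak one may only confirm what the extension already claims) is easy to get wrong when writing your own type verification. The following is an added example, not X-Ways code and not the contents of the real signature file: a small Python identifier with a constructed signature table and constructed sample files. Note that a weak signature never produces a "newly identified" result, so a file with no extension that merely starts with "#" stays unverified instead of being declared text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    type_name: str       # type the signature stands for, e.g. "jpg"
    offset: int          # byte offset of the magic bytes within the file
    magic: bytes
    weak: bool = False   # the "W" flag: confirm only, never detect on its own


# Constructed, abbreviated signature table (assumption; not the real
# "File Type Header Signatures Check Only.txt").
SIGNATURES = [
    Signature("jpg", 0, b"\xff\xd8\xff"),
    Signature("png", 0, b"\x89PNG\r\n\x1a\n"),
    Signature("pdf", 0, b"%PDF-"),
    Signature("gif", 0, b"GIF8"),
    # One printable byte is far too common to claim a type on its own, so it
    # only confirms a matching extension (flag "W").
    Signature("txt", 0, b"#", weak=True),
    Signature("csv", 0, b'"', weak=True),
]


def _matches(sig: Signature, data: bytes) -> bool:
    return data[sig.offset:sig.offset + len(sig.magic)] == sig.magic


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def identify(name: str, data: bytes) -> tuple[str, str]:
    """Return (type, status); status is one of 'confirmed',
    'newly identified', 'mismatch detected' or 'not verified'."""
    ext = extension_of(name)
    # 1. Strong signatures identify the type regardless of the file name.
    for sig in SIGNATURES:
        if not sig.weak and _matches(sig, data):
            if sig.type_name == ext:
                return sig.type_name, "confirmed"
            return sig.type_name, "newly identified"   # extension wrong or missing
    # 2. Weak ("W") signatures may only back up what the extension already says.
    for sig in SIGNATURES:
        if sig.weak and sig.type_name == ext and _matches(sig, data):
            return ext, "confirmed"
    # 3. No match: an extension claiming a strongly-signed type is contradicted;
    #    anything else simply stays unverified.
    if ext in {s.type_name for s in SIGNATURES if not s.weak}:
        return ext, "mismatch detected"
    return ext, "not verified"


# Constructed sample files (first bytes only).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "readme.txt":  b"\xff\xd8\xff\xe0\x00\x10JFIF",   # picture hiding behind .txt
    "notes.txt":   b"# meeting notes\n",
    "scan.jpg":    b"# not a picture at all\n",
    "blob.bin":    b"# unknown\n",                     # weak match, nothing to confirm
}


def classify_samples() -> dict[str, tuple[str, str]]:
    return {name: identify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ftype, status) in classify_samples().items():
        print(f"{name:12} -> {ftype:4} {status}")
```

The order of the two loops matters: a strong signature must win before any weak one is consulted, otherwise a file renamed to .txt whose content is a JPEG would be "confirmed" as text.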


Other News

  • Imaging with X-Ways Forensics (and thus with X-Ways Imager) is twice as fast as with FTK Imager and 3 times as fast as with EnCase, with an image that is 8% larger. Test results here.

  • A simplified graphical comparison of skeleton images, cleansed image and evidence file containers can now be found here.

  • Oracle has provided a critical patch for v8.3.7 and v8.4.1 of the viewer component. The updated versions are now downloadable. They are recommended for security reasons.

    With this patch, HTML tables displayed by v8.4.1 now look much better, but they do not utilize the full available window width as they did in v8.3.7. Please note that for that reason links to file offsets (as in HTML representations of index.dat and .evtx files) are often broken into two lines and then do not allow you to jump to the correct offset.


Changes of service releases of v17.2:

  • SR-1: Fixed an exception error that occurred with thumbcache_256.db files.

  • SR-1: Fixed an exception error that could occur when extracting e-mail from Outlook Express DBX archives.

  • SR-1: Resolving same-target references on FAT volumes is now faster.

  • SR-2: PST/OST e-mail extraction in v17.2 depended on the presence of MSVCR100.dll, which is not present on all Windows systems. That dependency was removed.

  • SR-2: Fixed an error that could lead to freezing when extracting data from Skype databases.

  • SR-2: Fixed an exception error that could occur during metadata extraction.

  • SR-2: Prevented a rare infinite loop that could occur when processing certain hive fragment files.

  • SR-2: Special handling of # in filenames when generating the case report.

  • SR-3: Several minor improvements and fixes for handling of certain file types, including Windows Registry files.

  • SR-3: Pipes now allowed in Name filter expressions (can be useful for GREP expressions).

  • SR-3: Fixed an error that could cause a wrong file size display in the directory browser for certain files found in volume shadow copies that had alternate data streams.

  • SR-3: Fixed inability to explore certain TAR archives automatically.

  • SR-4: In v17.2, exploring recursively from the case root when no volume snapshots of partitions had been taken previously could result in empty volume snapshots of those partitions. That was fixed.

  • SR-4: Some fixes for handling of certain file types.

  • SR-6: Better handling of corrupt archives.

  • SR-6: Fixed memory leak in new indexing.

  • SR-6: Improvements for Exchange EDB extraction.

  • SR-7: Fixed inability of X-Ways Investigator 17.2 to read from the very end of .e01 evidence files.

  • SR-7: Fixed an error in metadata extraction from certain executable files.

  • SR-8: Event generation from .evtx Windows event log files was introduced in v17.2, but was not announced before.

  • SR-8: Fixed infinite recursion that could occur when extracting old versions from certain PDF documents.

  • SR-8: Prevents some problems with video processing using the new MPlayer version.

  • SR-8: Fixed an exception error that could occur when interpreting differencing VMDK disk images.

  • SR-8: Fixed an exception error that could occur in v17.2 when extracting information about meetings or contacts from Outlook PST e-mail archives.

  • SR-9: Fixed an error in the "Skip already zeroed out source sectors" option of skeleton images.

  • SR-9: Fixed an exception error that could occur when exporting stills from videos.

  • SR-9: Fixed an error that could occur when parsing PLists.

  • SR-9: Export of user search hits improved.

  • SR-9: Internet Explorer 10 web history extraction failed with an error message in some releases of v17.2. That was fixed.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)

 

#134b: WinHex, X-Ways Forensics, X-Ways Investigator 17.2 released

July 5, 2013

This mailing is to announce the release of another notable update with many interesting features, v17.2.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the log-in data (note that the log-in data for X-Ways Forensics has changed!), details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.2 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to continue to use an older version, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming X-Ways Forensics & File Systems Training

Seattle, WA area, USA, July 15-19, 2013
London, England, Oct 14-18, 2013
Washington DC area, USA, Nov 4-8, 2013
More information


What's new in v17.2?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Practically all changes were announced already in the previous newsletter issue about v17.2 Beta, which you can still read here!

Additional changes since v17.2 Beta:

  • Metadata from the XML files in zip-styled Office documents can now be extracted even if the XML files are not included in the volume snapshot.

  • Extraction of thumbnails from thumbcache*.db files of Windows 8 supported.

  • Better readable font in dialog boxes for the Chinese, Japanese and Russian user interface.

  • Option to use the standard Windows GUI font for the WinHex/X-Ways Forensics GUI (see additional font checkbox in General Options).

  • Better support for large system fonts for high screen resolutions, up to 120 dpi.

  • Option to define the size of the extra gap between rows in the hex editor display in pixels, which together with the official height of the selected font defines the distance between the rows. The default value has always been 3, but now it can be decreased, to display more rows at the same time and see more data. For example with the Courier font the display still looks fine with an extra gap of 1, but you see 15% more data (based on font size 10). Even negative values are possible. With -1 you may see 35% more data than before. See Options | General.

  • Traditional Chinese predefined for indexing.

  • Better support for NNTP-encoded e-mails.

  • Ability to copy up to 64 KB of data in a selected block into the clipboard in X-Ways Investigator (subject to change).

  • Fixed an exception error that could occur when parsing volume shadow copies.

  • Hiding files is now called excluding files.

  • Separate file type category "Chats, Messaging" defined in File Type Categories.txt. If anyone has more ideas which file types to add to that category, please send e-mail. Thanks.

  • More stable when decompressing corrupt zip archives.

  • Several minor fixes and improvements.

  • Ability to interpret raw images whose segments have 4-digit filename extensions (.0001, .0002, ...), in addition to the conventional 3-digit extensions.

  • PDF user manual and program help revised and updated for v17.2 in English and German.


Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany


Big Brother is watching you.

 

#134a: WinHex, X-Ways Forensics, X-Ways Investigator 17.2 Beta released

June 17, 2013

This mailing is to announce the release of a beta version of X-Ways Forensics 17.2, with many interesting improvements. v17.2 Beta is only available for X-Ways Forensics. The next newsletter issue will notify you when v17.2 is officially released, and at that time v17.2 will also be available as WinHex (for users with a personal, professional or specialist license) and X-Ways Investigator.

Users of X-Ways Forensics please go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there.

Please note that if you wish to continue to use a previous version, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming X-Ways Forensics, File System & Memory Forensics Training

Washington DC area, USA, July 9-12, 2013   seats available!
Seattle, WA area, USA, July 15-19, 2013   seats available!
London, England, Oct 14-18, 2013
More information


What's new in v17.2 Beta?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Searching

  • Totally revised new indexing engine with many advantages: Created at the same time as the volume snapshot is refined (synergy saves time!), faster to create than before even by itself, no separate optimization step, just 1 index for multiple code pages/character sets, just 1 word list for multiple code pages/character sets (i.e. fewer duplicates), GREP searches in the index possible, multiple indexes with different names for different purposes may coexist for the same evidence object, indexing with regular expressions possible (details to be revealed later), more convenient search hit review (exactly like for ordinary search hits, search hits are stored permanently immediately, allowing for immediate logical AND and NEAR combinations), and more.

    At the moment the old and the new indexing engines coexist within the program. To use the old indexing engine use the menu commands Search | Indexing (to create an index) and Search | Search in Index (to search in the index). To create an index with the new indexing engine, use the menu command Specialist | Refine Volume Snapshot. To run a search in the index created by the new search engine, invoke Search | Simultaneous Search and select “Search in Index” in the drop-down box at the bottom of the dialog window.

  • The crash-safe text decoding option for logical searches and indexing is now much faster, almost as fast as the regular decoding option.

Image Support

  • Yet another acquisition option for users who need to or want to exclude certain data from forensic images. You can now create ordinary images, in raw format or as an .e01 evidence file - with all the known options such as hashing, compression, encryption, splitting - and exclude the data in clusters associated with files that you hide before starting the acquisition process. The resulting image is called a cleansed image. The affected sectors are zeroed out in the image and optionally marked with an easily recognizable “watermark” of your choice. All other data is copied to the image normally.

    Useful for anyone who needs to redact certain files in the file system, but otherwise wants to create an ordinary forensically sound sector-wise image, compatible with other tools. A must in countries whose legislation specially protects the most private personal data of individuals and certain data acquired from custodians of professional secrets (e.g. lawyers and physicians, whose profession swears them to secrecy/confidentiality). For a comparison of evidence file containers, skeleton images and cleansed images, which all serve similar purposes, please see https://www.x-ways.net/investigator/containers_vs_skeleton_images.html .

    Before you start the imaging process for a partitioned disk, open the partitions in which the files are located that you would like to exclude from the image. Wait till the volume snapshot has been taken if it was not taken before. Then hide the files. You do not need to open and take volume snapshots of partitions whose data you would like to include completely.

    Note that alternatively you can retroactively cleanse (redact) already created complete raw images, in WinHex, by securely wiping selected files via the directory browser context menu. The granularity of this operation is not limited to entire clusters. That means, for example, that it can also wipe files with so-called resident/inline storage in NTFS file systems, and that it does not erase the file slack along with the file.

  • Random access to large .e01 evidence file segments accelerated.
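What a cleansed image does at the sector level is simple enough to reproduce and, more importantly, to verify: every sector of every cluster allocated to an excluded file is zeroed (optionally marked), and every other sector is byte-for-byte identical to the source. The following is an added example in Python, not X-Ways code: it builds a constructed 64-sector raw image, redacts two clusters, and proves that only those sectors changed. Sector size, cluster geometry and the placement of the watermark at the start of each zeroed sector are assumptions for the example; the newsletter only says the sectors are zeroed and optionally marked.

```python
import hashlib
import random

SECTOR = 512   # bytes per sector (assumption; 4096 on 4Kn disks)


def make_sample_image(n_sectors: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a raw disk image: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_sectors * SECTOR))


def cluster_sectors(cluster: int, sectors_per_cluster: int, data_area_start: int) -> range:
    """Sector numbers occupied by `cluster`, given the first sector of the data area."""
    first = data_area_start + cluster * sectors_per_cluster
    return range(first, first + sectors_per_cluster)


def cleanse_image(image: bytes, excluded_clusters, sectors_per_cluster: int,
                  data_area_start: int, watermark: bytes = b"") -> tuple[bytes, list[int]]:
    """Copy `image`, zeroing every sector of every excluded cluster.
    A watermark, if given, is written at the start of each zeroed sector
    (placement is an assumption). Returns the cleansed image and the sorted
    list of redacted sector numbers. Whole clusters are wiped, so file slack
    inside an excluded cluster goes as well."""
    if len(watermark) > SECTOR:
        raise ValueError("watermark must fit into one sector")
    filler = watermark.ljust(SECTOR, b"\x00")
    buf = bytearray(image)
    redacted = []
    for cl in sorted(set(excluded_clusters)):
        for s in cluster_sectors(cl, sectors_per_cluster, data_area_start):
            start = s * SECTOR
            if start + SECTOR > len(buf):
                raise ValueError(f"cluster {cl} extends beyond the image")
            buf[start:start + SECTOR] = filler
            redacted.append(s)
    return bytes(buf), redacted


def differing_sectors(a: bytes, b: bytes) -> list[int]:
    """Sector numbers whose contents differ between two images of equal size."""
    if len(a) != len(b):
        raise ValueError("images differ in size")
    return [i for i in range(len(a) // SECTOR)
            if a[i * SECTOR:(i + 1) * SECTOR] != b[i * SECTOR:(i + 1) * SECTOR]]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Redact clusters 3 and 5 of a 64-sector image (data area at sector 8,
    4 sectors per cluster) and check that nothing else changed."""
    image = make_sample_image(64)
    # Constructed: clusters 3 and 5 hold the file(s) the examiner excluded.
    cleansed, redacted = cleanse_image(image, {3, 5}, 4, 8, watermark=b"REDACTED")
    changed = differing_sectors(image, cleansed)
    first = redacted[0] * SECTOR
    return {
        "redacted": redacted,
        "changed": changed,
        "only_excluded_changed": changed == redacted,
        "marker": cleansed[first:first + 8],
        "rest_zeroed": not any(cleansed[first + 8:first + SECTOR]),
        "source_sha256": sha256(image),
        "cleansed_sha256": sha256(cleansed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison function is the part worth keeping: when a cleansed image has to be defended, the list of sectors that differ from the original (which the acquiring examiner can still compute) should match exactly the clusters of the excluded files and nothing else.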

File Format Support

  • Revised e-mail extraction from MS Exchange databases and Outlook PST e-mail archives.

  • Events recorded by Skype are now output to the event list (chats, calls, file transfers, account creation, ...). When sorting these events by their timestamps, you can read all chat messages in chronological order.

  • Metadata extraction from PE .exe files with version resources.

  • Option to extract the oldest revision of PDF documents with changes and provide convenient access to it as a child object (see metadata extraction). The child objects are marked as excerpts. Old revisions can also easily be carved manually in File mode.

  • New Edit | Convert functions: Percentage URL Encode, Percentage URL Decode, Quoted Printable Decode.

Directory Browser

  • New directory browser column “Unique ID”. Similar to the internal ID, but unique within the entire case, not just within the evidence object. Filter available.

  • Ability to choose completely numeric unique IDs for a case instead of unique IDs with a delimiter, when creating a case.

  • Ability to filter for files whose internal IDs or unique IDs are contained in (mathematically "element of") an entire list of IDs, or exclude them (mathematically "not element of"). Useful if you first export a list of files including IDs for someone, and then receive back a list of IDs of files that you should copy. Remember internal IDs are specific to an evidence object and volume snapshot (and each partition of a partitioned disk has its own volume snapshot and counts as a separate evidence object), unique IDs are unique for the entire case.

  • User IDs (including last SID components) larger than 65,535 supported in Owner filter.

  • The options "Group files and directory", "List dir.s when exploring recursively" and "Apply filters to directories, too" are now remembered separately by the normal directory browser, search hit lists and event lists.

Methodology

  • The Hash column now displays pseudo-hash values in light gray color until real hash values have been computed. Pseudo-hash values are based on the file metadata, not on the file contents. They are available instantly even for very large files. They allow you to list files in a random order just like when you sort by real hash values, but without having to invest time to compute real hash values first. Useful for example for triage, if you have limited time and just wish to quickly look at some randomly selected files in a large evidence object first (e.g. pictures in a gallery) to determine how relevant an evidence object might be.

    Looking at files in a random order might give you a more complete and accurate impression of what is stored in an evidence object, because the first x% of the files listed are more varied and more representative of the evidence object as a whole if they are in a truly random order. If you sort by name or path or size or timestamps on the other hand, many of the files you see will likely be somewhat similar (created by the same application or by the operating system, by the same user, for a similar purpose, created or copied or received around the same time, same file format, ...), so with some bad luck you will only see irrelevant files even if there is an equally large group of relevant files. Remember that if you don't sort in the directory browser at all, the view is skewed as well, because you will see the files in the order in which they are referenced by the volume snapshot, which is more or less the order in which they are referenced by the file system and thus not random.

    Sorting by hash values can be combined with any filter, for example to see only pictures larger than 1 MB in a random order or only files of a certain user. Pseudo-hashes are not guaranteed to be unique or even remain the same when you close and re-open the evidence object.

  • For a similar purpose, there is now a modulo option for the internal ID filter. For evidence objects that contain a huge number of files, it allows you to focus on a subset of files that is more or less representative of all files (though less random than files selected by hash value). Applying the modulo operation to the internal ID will pick files from any directory, with any name, creation date etc. To see only 1,000 out of 100,000 files, i.e. every 100th file, use the operation "internal ID modulo 100 = 0". Also useful for testing purposes: If you wish to compare the performance of different hard disks, RAID systems, processors, configurations for volume snapshot refinements, you don't have to process all files in an evidence object. You can get quicker, yet likely representative results for example in 1/10 of the time if you only process every 10th file, pseudo-randomly selected by internal ID.

    Even for normal work, examiners may not be required by their bosses/their prosecutor to conduct a 100% complete examination, for example if after review of a reasonably sized and representative subset you can extrapolate that about 10% of several 10,000 photos is illegal material.
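The two sampling techniques above (random order via a metadata-only pseudo-hash, and "internal ID modulo N" subsets) are worth seeing side by side on a listing that is clustered the way a real volume snapshot is. The following is an added example in Python, not X-Ways code: it builds a constructed snapshot of 1,000 files listed directory by directory, then shows that the first 50 files of the unsorted listing come from a single directory while the first 50 in pseudo-hash order span all of them, and that the modulo filter also reaches every directory. The pseudo-hash construction (BLAKE2b over the metadata plus a per-session salt) is an assumption; X-Ways' own construction is not documented, but the salt reproduces the documented property that the order need not survive closing and re-opening the evidence object.

```python
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    internal_id: int   # position in the volume snapshot
    path: str
    size: int
    mtime: int         # Unix seconds


def pseudo_hash(item: Item, session_salt: bytes = b"") -> str:
    """Metadata-only stand-in for a content hash (assumed construction).
    Instant even for huge files; random-looking; not stable across sessions."""
    meta = f"{item.internal_id}|{item.path}|{item.size}|{item.mtime}".encode()
    return hashlib.blake2b(session_salt + meta, digest_size=8).hexdigest()


def random_order(items, session_salt: bytes = b""):
    """Sort by pseudo-hash: the 'sort by Hash column before hashing' trick."""
    return sorted(items, key=lambda it: pseudo_hash(it, session_salt))


def modulo_sample(items, modulus: int, remainder: int = 0):
    """The 'internal ID modulo N = r' filter: every Nth file, from every directory."""
    return [it for it in items if it.internal_id % modulus == remainder]


def build_sample_snapshot(n: int = 1000, seed: int = 1):
    """Constructed volume snapshot. Files are listed directory by directory,
    as the file system references them, so an unsorted listing is clustered."""
    rng = random.Random(seed)
    dirs = ["Windows/System32", "Users/alice/Pictures",
            "Users/alice/Documents", "Program Files/App"]
    items = []
    for i in range(n):
        d = dirs[i * len(dirs) // n]          # contiguous run per directory
        items.append(Item(i, f"{d}/file{i:04d}",
                          rng.randrange(100, 5_000_000), 1_380_000_000 + 60 * i))
    return items


def directories_seen(items, first_k: int) -> set:
    """Which directories appear among the first k files of a listing."""
    return {it.path.rsplit("/", 1)[0] for it in items[:first_k]}


if __name__ == "__main__":
    snap = build_sample_snapshot()
    print("unsorted, first 50:      ", directories_seen(snap, 50))
    print("pseudo-hash order, 50:   ", directories_seen(random_order(snap, b"s1"), 50))
    print("re-opened (other salt):  ", directories_seen(random_order(snap, b"s2"), 50))
    print("every 100th file:        ", [it.internal_id for it in modulo_sample(snap, 100)])
```

The modulo subset is deterministic and evenly spaced, which is what makes it reproducible for performance comparisons; the pseudo-hash order is the better choice for triage because it does not depend on where in the listing a directory happens to sit.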

X-Tensions API (Details)

  • A C# port of the X-Tension API is available from https://github.com/chadgough/x-tensions (also http://www.4discovery.com/our-tools/#8) to make it easier to develop X-Tensions in .Net, thanks to Chad Gough.

  • Ability to retrieve the result of the skin tone/gray scale analysis of pictures programmatically, via XWF_GetItemInformation.

  • New X-Tensions API function XWF_GetCaseProp available, which retrieves properties of the current case.

Miscellaneous

  • Ability to attempt a recovery of an unresponsive previous instance by starting another instance (executing the same .exe file again) if the option "Allow multiple program instances" is half checked. For example, should X-Ways Forensics get into an infinite loop when processing a certain file during volume snapshot refinement, this can potentially help the already running instance break out of that loop and proceed with the next file. The second instance also shows some technical information about what the already running instance is doing at the moment, and can do so even without recovering a supposedly hanging previous instance.

  • Ability to retrieve the hardware serial numbers of USB media.

  • Resolving hard links in HFS+ file systems has been accelerated. You can always abort that step if it takes too long.

  • Fixed an error that occurred when writing to symlinks in Ext* and XFS file systems.

  • Some optimizations for volume snapshot refinements.

  • Many minor improvements and some minor fixes.


Changes of service releases of v17.1:

  • SR-1: Fix for PDF metadata extraction.

  • SR-1: Fixed inability to manually carve data from slack space of files in File mode.

  • SR-1: E-mail extraction from DBX and MBOX slightly improved.

  • SR-1: Can share the same local dongle again with instances of old versions.

  • SR-2: Fixed certain exception errors of v17.1 that could occur when refining the volume snapshot, in particular when extracting metadata from executable files.

  • SR-2: Fixed potentially wrong attributes of e-mail messages extracted from MBOX and DBX e-mail archives.

  • SR-3: Fixed "cannot read" error of v17.1 when opening volume snapshots saved by v17.0.

  • SR-3: Prevented exception error that could occur in v17.1 with e-mails of a certain format.

  • SR-3: Fixed inability of v17.0 and newer to open files with child objects in evidence file containers of the old format. (A new volume snapshot needs to be taken.)

  • SR-3: Timestamps in certain registry events were potentially off by some hours. That was fixed. (Events need to be regenerated.)

  • SR-4: Resolving hard links in HFS+ file systems has been accelerated.

  • SR-4: When matching hash values against the hash database, if the same hash values are found in hash sets of different hash categories, not only a warning is output in the Messages window, but also one such hash value as a reference.

  • SR-4: Fixed an instability error that could occur when processing thumbcache*.db files.

  • SR-4: Fixed inability of X-Ways Investigator SR-3 to read pictures from evidence file containers of the old format in certain situations.

  • SR-4: With some rare Base64 format variants, the new extraction method for MBOX e-mail archives potentially missed some attachments. That was fixed.

  • SR-4: Some fixes for XML export.

  • SR-4: Some errors in PDF extraction fixed.

  • SR-5: Fixed an exception error that occurred when copying selected files to skeleton images (64-bit edition only).

  • SR-6: Prevented exception errors when processing certain e-mails in MSG and EML format.

  • SR-6: Some other exception errors fixed.

  • SR-7: Fixed some errors that could occur during metadata extraction.

  • SR-7: In v17.0 and v17.1, thumbs.db files were not marked as having child objects once the contained thumbnails were uncovered. That was fixed.


Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany


 

#133: WinHex, X-Ways Forensics, X-Ways Investigator 17.1 released

May 14, 2013

This mailing is to announce the release of another notable update with many interesting features, v17.1.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.1 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to continue to use an older version, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming X-Ways Forensics & File Systems Training

Kingston, ON, Canada, May 17, 2013
Chicago area, USA, May 24, 2013
Washington DC area, USA, July 9-12, 2013
Seattle, WA area, USA, July 15-19, 2013
London, England, Oct 14-18, 2013
More information


What's new in v17.1?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Disk Imaging

  • Another typical X-Ways feature that cements X-Ways Forensics' position as the tool that gives its users the greatest amount of control when selecting/targeting/filtering data at any conceivable level: The ability to create forensic physical skeleton disk images, which contain only those sectors that are needed for certain purposes, while maintaining compatibility with other tools. These can be sectors with partition tables, file system data structures, their neighboring sectors as well as sectors with file contents or any sectors in unpartitioned no man's land. A skeleton image is typically sparsely populated with data, with vast areas in between remaining undefined, so that it makes sense to utilize NTFS sparse file technology for it. Unwritten areas in the skeleton image will act as if zeroed out when read later.

    You start skeleton imaging by invoking the File | Create Skeleton Image menu command. Which sectors will be copied into the image from then on is defined indirectly, by making X-Ways Forensics read those sectors from the source disk that are needed for a certain purpose. With the target image open in the background, you next typically open the disk or partition, or open and interpret the image, that you wish to acquire partially. That way it will be automatically defined as the source, and even the read operations during the important opening or interpretation step are captured, when partition tables and boot sectors are parsed, so that these essential data structures that define partitions and identify file systems are included in the skeleton image without having to select the relevant sectors manually.

    After opening a partitioned physical disk, you have a "basic skeleton" in your target image: Partition tables pointing to partition boot sectors or nested partition tables, whose function is to support all the other data in between (file system data and user data). If you also wish to ensure that from the skeleton image it is possible to take a volume snapshot of a certain partition, i.e. get a listing of all files and directories referenced by the file system in that partition, then you open that partition from the source hard disk so that a volume snapshot is taken. Again, all the sectors read from the source hard disk in the process are simultaneously copied to the image, and those contain the file system data structures, e.g. $MFT in NTFS, all directory clusters in FAT, the catalog file in HFS+ etc. etc. That adds considerably more administrative data and also metadata to your skeleton image, but still no or almost no user content. Unrelated sectors that are not used by the file system are not read and therefore not copied. That also means that the ability to find previously existing files in the skeleton image will be limited.

    If you wish to include an arbitrary range of sectors in the image, you only need to find a way to make X-Ways Forensics read those sectors. For example, to include sectors from number 1,000,000 to 1,000,999, define those 1,000 sectors as a block and hash that block (in Disk mode) using the Tools | Compute Hash command, or run a physical search in that block only. Or, to acquire an unusually large partition gap between partition 1 and 2, you could hash the virtual file representing that gap. You can also manually navigate to any single sector of interest that you want to be included (e.g. Navigation | Go To Sector) or use any of the file system navigation menu commands. All of that works because reading sectors triggers their acquisition.

    However, if you wish to specifically acquire selected files, that is easier, and it might be a good idea to turn off the indirect acquisition of any sectors that are read for whatever purpose along the way, so that for example a file that you preview and that turns out to be irrelevant is not acquired by the preview action already. For that, you can change the state of the skeleton image that is open in the background to "idle", using the State command in the File menu. In "idle" mode, only the "Add to [name of the skeleton image]" command in the directory browser context menu acquires selected files (by temporarily activating the image and triggering read operations).

    If you wish to include some operating system files, for example, such as Windows registry hives, explore the partition recursively from the root directory, filter for those files and invoke the "Add to" command in the directory browser context menu. (Only available if no evidence file container is open in the background for filling at that time.) The examiner who only has the resulting skeleton image will consequently be able to view the hives and create a registry report about them, assuming you had already copied the file system data structures which are required to find out which sectors contain the data of the file.

    The dialog window to change the state of the target image also allows you to close it, i.e. stop the acquisition for the moment or finalize the image. The same skeleton image can be further completed at any later time by selecting it again with the "Create Skeleton Image" command, but then you choose to update it rather than overwrite it.

    As you see, you have full control over what data will make it into the image. The methodology just assumes that you have some understanding of what data you want/need and, should that data not be stored in ordinary easy-to-select files, where to find it/how to get it physically. The sectors can be targeted in any order. Multiple reads of the same sectors don't change anything in the skeleton image and have no negative effect, except that they may cause unnecessary duplicate lines in the optional log file that X-Ways Forensics can produce. Such a log file is created in the same directory as the skeleton image and lists all sector ranges that were copied, optionally along with the hash value of each sector range, which allows you to manually verify the data in certain areas should there ever be doubt about it. If you use the "Add to" command to copy files to a skeleton image, the name of each such file will also be output in the log, followed by the sector ranges that correspond to it (more than one if the file is fragmented or if X-Ways Forensics simply chooses to copy sectors in multiple chunks).

    You may want to convert the resulting raw skeleton image into a compressed and/or encrypted .e01 evidence file and hash it or compress it with WinRAR or 7Zip etc. before passing it on to other users. The compression rate will be unusually high if the skeleton image is only sparsely populated, and the speed of reading extremely high because undefined/unallocated areas do not have to be read from the disk. For your own use, you can just keep it as is since it does not use as much drive space as the nominal file size suggests thanks to NTFS sparse storage. If you wish to copy the raw skeleton image, be sure to copy it as a sparse file (see below) so that the copy will also be a sparse file and only takes as much drive space as the original file. A conventional copy command would copy even the vast unused and unallocated areas within the sparse file as binary zeroes.

    To verify that the data transferred to a skeleton image has not changed, such an image can be hashed entirely, just like an ordinary image. Alternatively, and much quicker, you can use the command "Verify Skeleton Image" to hash only those sector ranges again that were actually transferred, according to the .log file (reading from the skeleton image), and compare the hash values to those in the .log file. Then, to verify that the .log file itself has not changed, it is hashed as well, and the resulting all-encompassing master hash value is compared to the hash value stored in the optional .log.log file, if that file was created. It might be desirable to additionally verify that all unused areas in a skeleton image are still unallocated or at least filled with binary zeroes. This is not done by this function.
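    As an added illustration of the workflow described above (this is not X-Ways code, and the log layout, one JSON line per range with start sector, count and SHA-256, is an assumption made here, not the format of the real .log file), the following Python script creates a sparse raw image, copies selected sector ranges into it while logging each range with its hash, stores a master hash of the log in a .log.log file, and verifies the result the same way the text describes: re-hash only the logged ranges, then check the log against its master hash. It also performs the extra check the built-in function skips, confirming that every sector outside the logged ranges still reads as zeros. The truncate call yields a sparse file on Linux file systems; on NTFS the sparse attribute would have to be set separately, which this script does not do.

```python
import hashlib
import json
import os
import tempfile

SECTOR = 512

def sha256(data):
    return hashlib.sha256(data).hexdigest()

class SkeletonImage:
    """Sparse raw image plus a log of every copied sector range (assumed JSON-lines format)."""

    def __init__(self, path, total_sectors):
        self.path, self.log_path = path, path + ".log"
        with open(path, "wb") as f, open(self.log_path, "w"):
            f.truncate(total_sectors * SECTOR)   # sets the nominal size, writes no data

    def add_range(self, source, start, count, label=""):
        """Copy sectors [start, start+count) from source to the same offsets and log them."""
        source.seek(start * SECTOR)
        data = source.read(count * SECTOR)
        if len(data) != count * SECTOR:
            raise ValueError("short read from source")
        with open(self.path, "r+b") as f:
            f.seek(start * SECTOR)
            f.write(data)
        entry = {"label": label, "start": start, "count": count, "sha256": sha256(data)}
        with open(self.log_path, "a") as log:
            log.write(json.dumps(entry) + "\n")
        return entry

    def finalize(self):
        """Hash the log itself and store that master hash in the .log.log file."""
        with open(self.log_path, "rb") as log:
            master = sha256(log.read())
        with open(self.log_path + ".log", "w") as f:
            f.write(master + "\n")
        return master

def _is_zero(f, offset, length, chunk=1 << 20):
    """True if the byte region is empty (length <= 0) or contains only zero bytes."""
    f.seek(max(offset, 0))
    while length > 0:
        data = f.read(min(chunk, length))
        if not data or data.count(0) != len(data):
            return False
        length -= len(data)
    return True

def verify_skeleton(path, check_holes=False):
    """Re-hash only the logged ranges, then check the log against its master hash.
    Returns (ranges_ok, master_ok, holes_ok); holes_ok is None unless check_holes."""
    log_path = path + ".log"
    with open(log_path) as log:
        entries = [json.loads(line) for line in log if line.strip()]
    ranges_ok, holes_ok = True, None
    with open(path, "rb") as img:
        for e in entries:
            img.seek(e["start"] * SECTOR)
            if sha256(img.read(e["count"] * SECTOR)) != e["sha256"]:
                ranges_ok = False
        if check_holes:   # the extra check: everything outside logged ranges must be zero
            holes_ok, pos = True, 0
            for e in sorted(entries, key=lambda e: e["start"]):   # overlaps give an empty gap
                holes_ok &= _is_zero(img, pos, e["start"] * SECTOR - pos)
                pos = max(pos, (e["start"] + e["count"]) * SECTOR)
            holes_ok &= _is_zero(img, pos, os.path.getsize(path) - pos)
    with open(log_path, "rb") as log, open(log_path + ".log") as ml:
        master_ok = sha256(log.read()) == ml.read().strip()
    return ranges_ok, master_ok, holes_ok

def flip_byte(path, offset):
    with open(path, "r+b") as f:   # tamper helper for the demo: invert one byte in place
        f.seek(offset)
        b = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([b ^ 0xFF]))

def demo():
    """Constructed 1 MiB 'disk': copy sector 0 and an 8-sector 'file', then tamper."""
    tmp = tempfile.mkdtemp()
    src_path = os.path.join(tmp, "source.dd")
    with open(src_path, "wb") as f:
        f.write(os.urandom(2048 * SECTOR))
    skel = SkeletonImage(os.path.join(tmp, "skeleton.dd"), 2048)
    with open(src_path, "rb") as src:
        skel.add_range(src, 0, 1, "MBR")
        skel.add_range(src, 1000, 8, "example.txt")
        skel.add_range(src, 1000, 8, "example.txt (re-read, harmless duplicate)")
    skel.finalize()
    clean = verify_skeleton(skel.path, check_holes=True)
    flip_byte(skel.path, 1003 * SECTOR)   # alter a copied sector
    data_tampered = verify_skeleton(skel.path, check_holes=True)
    flip_byte(skel.path, 500 * SECTOR)    # alter an "unused" sector
    hole_tampered = verify_skeleton(skel.path, check_holes=True)
    return clean, data_tampered, hole_tampered
```

    demo() returns (True, True, True) for the untouched image, (False, True, True) once a copied sector is altered, and (False, True, False) once a sector outside the logged ranges is altered; the last case is exactly what the range-only verification cannot see.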

    Benefits of skeleton images:

    • Partial image, saves drive space.
    • Quick to create, especially when acquiring remote hard disks through a slow network connection using F-Response.

    • Transports/reveals only specifically targeted data, excludes unrelated data, as may be required by law, common sense, time pressure or the customer.

    • Ideally suitable for technical data structures (partition tables, file systems) and files in a file system as well.

    • Ability to acquire all essential file system data without knowing anything about the file system and in which sectors its data structures are stored.

    • Result works exactly like a conventional raw image of the disk for all the intended purposes if adequately prepared, with original offsets and relative distances between data structures preserved (unlike in an evidence file container).

    • The file format is universal, and all forensic tools that support raw images have a chance to understand the data, unless they need more data than was included or already don't understand the partitioning method or file system etc. of the original complete disk/image.

    Caveats:

    • Note that a search hit list on the screen with context previews around the search hits for example will cause a lot of read activity, so you may want to change the state of the skeleton image to idle mode when it is open in the background in certain situations.

    • To avoid copying to the skeleton image the start sectors of files or directories that you merely click in the directory browser in Partition/Volume mode (such a click automatically jumps to the respective first sector), navigate the directory browser in Legend mode instead, or change the state of the image to "idle".

    • Reading data from most extracted files, such as e-mail messages, attachments, video stills, pictures embedded in MS Excel spreadsheets etc., does not trigger corresponding read operations at the disk level, so such data cannot be copied this way. Skeleton images are suitable only for files at the file system level, not for any other level seen in volume snapshots. Use evidence file containers instead for such purposes.

    • Note that to an unsuspecting examiner a skeleton image may look very much like an ordinary complete image. Such an examiner must be made aware of the incomplete, sparsely populated nature of the image. Unlike in a logical evidence file container, files whose contents are not contained in the image are not specially marked as such in a volume snapshot taken of an incomplete physical image. X-Ways Forensics v17.1 and later informs the examiner of the nature of an image when it's added to a case, if it detects a skeleton image.

    A comparison of evidence file containers and skeleton images can be found here:
    English: https://www.x-ways.net//investigator/containers_vs_skeleton_images.html
    German: https://www.x-ways.net//investigator/Container_vs_Minimalsicherungen.html

  • Option to prevent unencrypted copies of AES-encrypted .e01 evidence files. Can be useful if you are afraid that recipients of an encrypted image handle it without care and for reasons of convenience or to share it with users of other forensic software convert it to an unencrypted image.

  • Ability to interpret raw images whose segments have 4-digit filename extensions (.0001, .0002, ...), in addition to the conventional 3-digit extensions.
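    Added example, not X-Ways code: a minimal Python reader for split raw images that accepts both the .001 and the .0001 naming convention, takes the digit width from the name of the first segment, and reads across segment boundaries. The sample segments are constructed in a temporary directory.

```python
import os
import re
import tempfile

SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3,4})$")

def find_segments(first_segment):
    """Ordered segment paths of a split raw image. Both .001 and .0001 style names
    are accepted; the digit width of the first segment decides the expected pattern."""
    directory, name = os.path.split(first_segment)
    m = SEGMENT_RE.match(name)
    if not m or int(m.group("num")) != 1:
        raise ValueError("expected the first segment (.001 or .0001)")
    base, width = m.group("base"), len(m.group("num"))
    segments, n = [], 1
    while True:
        path = os.path.join(directory, f"{base}.{n:0{width}d}")
        if not os.path.exists(path):
            return segments
        segments.append(path)
        n += 1

class SplitRawImage:
    """Presents the segments as one contiguous byte stream."""

    def __init__(self, first_segment):
        self.segments = find_segments(first_segment)
        self.sizes = [os.path.getsize(p) for p in self.segments]
        self.starts, offset = [], 0
        for size in self.sizes:
            self.starts.append(offset)
            offset += size
        self.size = offset

    def read(self, offset, length):
        """Read length bytes at absolute offset, continuing into following segments."""
        if offset < 0 or offset + length > self.size:
            raise ValueError("read outside image")
        i = 0
        while i + 1 < len(self.starts) and self.starts[i + 1] <= offset:
            i += 1
        out = bytearray()
        while length > 0:
            local = offset - self.starts[i]
            chunk = min(length, self.sizes[i] - local)
            with open(self.segments[i], "rb") as f:
                f.seek(local)
                out += f.read(chunk)
            offset, length, i = offset + chunk, length - chunk, i + 1
        return bytes(out)

def demo(width=4):
    """Constructed image: three 1000-byte segments filled with 0x01, 0x02, 0x03."""
    tmp = tempfile.mkdtemp()
    for n in (1, 2, 3):
        with open(os.path.join(tmp, f"disk.dd.{n:0{width}d}"), "wb") as f:
            f.write(bytes([n]) * 1000)
    img = SplitRawImage(os.path.join(tmp, f"disk.dd.{1:0{width}d}"))
    return img.size, img.read(990, 20), img.read(500, 2000)
```

    demo(4) and demo(3) build the same image under the two naming conventions; a read at offset 990 returns ten bytes from the first segment followed by ten from the second.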

  • Previously, it was possible to open VMDKs only if their name was recorded correctly in the VMDK descriptor. For self-contained VMDKs, this requirement led to the effect that VMDKs would no longer be opened if renamed without updating their internal descriptor. While this requirement continues to stand for VMDKs consisting of multiple parts (the names of the remaining parts must be recorded correctly), it is no longer required for VMDKs consisting of only one part, and in the case of multi-part VMDKs it is no longer required for the first part.
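    Added example, not X-Ways code: parsing the extent lines of a VMDK descriptor and applying the relaxed rule described above. A missing first extent is tolerated with a warning (assumed renamed); any further extent missing makes the image unopenable. The descriptor texts are constructed; how the renamed first part is located on disk is not stated above and is not attempted here.

```python
import os
import re
import tempfile

# One extent line per data file: ACCESS SECTORS TYPE "FILE" [OFFSET]
EXTENT_RE = re.compile(
    r'^(?P<access>RW|RDONLY|NOACCESS)\s+(?P<sectors>\d+)\s+'
    r'(?P<type>SPARSE|FLAT|ZERO|VMFS|VMFSSPARSE|VMFSRDM|VMFSRAW)'
    r'(?:\s+"(?P<file>[^"]*)"(?:\s+(?P<offset>\d+))?)?\s*$'
)

def parse_extents(descriptor_text):
    """Return the extent entries of a VMDK descriptor in declaration order."""
    extents = []
    for line in descriptor_text.splitlines():
        m = EXTENT_RE.match(line.strip())
        if m:
            extents.append({"access": m.group("access"), "sectors": int(m.group("sectors")),
                            "type": m.group("type"), "file": m.group("file")})
    return extents

def check_extent_files(descriptor_path, descriptor_text):
    """Apply the relaxed rule: a missing first part is only a warning (assumed renamed),
    any other missing part is an error. Returns (openable, [(severity, message), ...])."""
    directory = os.path.dirname(descriptor_path)
    problems = []
    for i, ext in enumerate(parse_extents(descriptor_text)):
        if ext["file"] is None or ext["type"] == "ZERO":
            continue
        if os.path.exists(os.path.join(directory, ext["file"])):
            continue
        if i == 0:
            problems.append(("warning", f"first extent {ext['file']!r} not found; "
                                        f"assuming it was renamed"))
        else:
            problems.append(("error", f"extent {i + 1} {ext['file']!r} missing"))
    return not any(sev == "error" for sev, _ in problems), problems

SAMPLE_SINGLE = 'version=1\ncreateType="monolithicSparse"\nRW 2048 SPARSE "orig.vmdk"\n'
SAMPLE_MULTI = ('version=1\ncreateType="twoGbMaxExtentSparse"\n'
                'RW 2048 SPARSE "disk-s001.vmdk"\nRW 2048 SPARSE "disk-s002.vmdk"\n'
                'RW 512 SPARSE "disk-s003.vmdk"\n')

def demo():
    """Constructed cases: a renamed single-part VMDK, and a multi-part one whose first
    part was renamed and whose third part is absent."""
    tmp = tempfile.mkdtemp()
    renamed, multi = os.path.join(tmp, "renamed.vmdk"), os.path.join(tmp, "disk.vmdk")
    with open(renamed, "w") as f:
        f.write(SAMPLE_SINGLE)
    with open(multi, "w") as f:
        f.write(SAMPLE_MULTI)
    open(os.path.join(tmp, "disk-s002.vmdk"), "wb").close()   # only part 2 is in place
    return check_extent_files(renamed, SAMPLE_SINGLE), check_extent_files(multi, SAMPLE_MULTI)
```

    The single-part case comes back openable with one warning; the multi-part case is rejected because its third part is missing, while the renamed first part again only produces a warning.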

File Format Support

  • Extracts much more nicely formatted data from Skype main.db database files than before, such as phone calls, sent text messages (SMS) and chats.

  • Uncovers individual cookie files embedded in Firefox and Chrome SQLite databases, as child objects in the volume snapshot, in addition to the TSV cookie overview that the metadata extraction still can provide. The metadata column lists the path, host and expiration timestamp for each of these individual cookie files.

  • Provides timestamps from Internet browser SQLite databases as events.

  • Option to add more Windows registry events to the event list, when generating registry reports. These events depend on the selected report definitions and are much more specific than the generic registry hive events (which are mostly "Key changed").

  • New extraction methods for MBOX and DBX updated to also produce slim .eml files without embedded attachments.

  • Improved file type verification of encrypted MS Office 2007/2010 documents.

  • X-Ways Forensics now uncovers any kind of file in PDF documents that is marked as embedded. Those can be Office documents, videos or Flash files, for example. They can be embedded, for example, as so-called attachments. JPEG pictures are extracted as before. Additionally, Acrobat form files in XML format and JavaScript objects are uncovered. Based on the JavaScript files it is easier to decide whether a certain PDF document should be considered malware. If JavaScript is found in a document, that will also be brought to your attention in a new metadata field named "JavaScript". Protected PDF documents are not yet processed. Ability to uncover JPEG 2000 pictures in PDF documents.
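    Added example, not X-Ways' implementation: a small Python triage scanner for the PDF features mentioned above (embedded files, JavaScript, auto-run and launch actions), including two details such a scan must handle: hex-escaped names like /J#61vaScript, and dictionaries hidden inside FlateDecode object streams. The sample PDF is constructed inline and is not meant to render.

```python
import re
import zlib

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)

# PDF name tokens worth flagging during triage and the label each maps to.
INDICATORS = {
    b"/JavaScript": "javascript",
    b"/JS": "javascript",
    b"/OpenAction": "auto_action",
    b"/AA": "auto_action",
    b"/Launch": "launch",
    b"/EmbeddedFile": "embedded_file",
    b"/RichMedia": "rich_media",
    b"/XFA": "xfa_form",
}

def normalize_names(data):
    """Undo #xx hex escapes so /J#61vaScript is seen as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def indicators_in(data):
    """Return the set of indicator labels whose name token occurs in data."""
    text = normalize_names(data)
    found = set()
    for token, label in INDICATORS.items():
        # the name must end here, so /EmbeddedFiles does not count as /EmbeddedFile
        if re.search(re.escape(token) + rb"(?![A-Za-z0-9])", text):
            found.add(label)
    return found

def triage_pdf(data):
    """Count, per indirect object, which indicators it carries; FlateDecode streams
    are inflated and scanned too, since object streams hide whole dictionaries."""
    counts, undecodable = {}, 0
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        labels = indicators_in(body)
        if b"/FlateDecode" in normalize_names(body):
            for s in STREAM_RE.finditer(body):
                try:
                    labels |= indicators_in(zlib.decompressobj().decompress(s.group(1)))
                except zlib.error:
                    undecodable += 1   # corrupt or unsupported; treat as unknown content
        for label in labels:
            counts[label] = counts.get(label, 0) + 1
    counts["undecodable_streams"] = undecodable
    return counts

def is_suspicious(findings):
    """Crude verdict: active content, a launch action, or auto-action plus embedded payload."""
    return bool(findings.get("javascript") or findings.get("launch") or findings.get("xfa_form")
                or (findings.get("auto_action") and findings.get("embedded_file")))

def build_sample_pdf():
    """Constructed sample, not a real document: an embedded file, a JavaScript action
    with a hex-escaped name, and a Launch action inside a FlateDecode object stream."""
    objstm = zlib.compress(b"<< /Type /Action /S /Launch /F (cmd.exe) >>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 6 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /J#61vaScript /JS (app.alert('hi')) >>",
        b"<< /Type /EmbeddedFile /Length 5 >>\nstream\nhello\nendstream",
        b"<< /Names [(payload.exe) 5 0 R] >>",
        b"<< /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
        % (len(objstm), objstm),
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

    triage_pdf(build_sample_pdf()) reports one object each for javascript, auto_action, launch and embedded_file; the Launch action is only found because the object stream is inflated, and the JavaScript only because the escaped name is normalized first. Encrypted documents, which the text says are not yet processed, would show up here as undecodable streams rather than as clean.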

  • PDF metadata extraction revised.

  • Fixed an error in Intel Hex to binary conversion.

Usability

  • When restoring the last window arrangement upon start-up, X-Ways Forensics now also restores search hit list and event list mode if applicable and reselects the last search hit or event that was selected, so that you can resume review work in search hit and event lists right where you left off, even in the case root window.

  • Ability to turn on or off usage of the copy log file and configure the copy log right in the Recover/Copy dialog window. That the copy log is written to the _log subdirectory of the case is now optional. It can now also be written to the selected output folder along with the copied files. This is more convenient if you wish to pass the copy log on to others.

  • For reasons of convenience, after exploring an object from a recursive list, the .. item is now marked with a "Back" arrow and allows to return to the previous recursive list, just like the Back button in the toolbar, and does not navigate to the parent directory of the explored object. If in some rare situations you do want to navigate to the parent directory of the explored object, just use the Navigation submenu of the directory browser context menu or press the Backspace key on your keyboard.

  • Ability to highlight search hits for GREP expressions in documents in Preview mode just like ordinary search hits, as long as the viewer component can find it (not if the search hit is located for example in the document metadata which the viewer component does not represent in Preview mode).

  • When printing files with a cover page, the header line that specifies which user and which program and version created the print job is now optional. Useful if you wish to show the cover page to witnesses or the suspect who should not know the username of the examiner.

Setup

  • For historical reasons, licensed users of X-Ways Forensics were always provided with the option to execute a special winhex.exe file instead of xwforensics.exe. This special WinHex version combines the best of both worlds: full disk editing and data wiping functionality, as known from WinHex with merely a professional or specialist license, for example, embedded in the complete forensic feature set of X-Ways Forensics. X-Ways Forensics itself, being a pure forensic analysis program, has never allowed editing data in disk sectors or interpreted images, or wiping files or free drive space areas etc.

    For more than a year now, licensed users of X-Ways Forensics have been provided with four different .exe files: X-Ways Forensics and WinHex, each in a 32-bit and a 64-bit edition. To avoid the complex, inefficient and unnecessary maintenance of different .exe files that are 99.9% identical, to make the downloads more than 25% smaller, and to reduce the risk of version mismatches in the same directory, no more WinHex executables will be distributed in addition to X-Ways Forensics. Instead, from v17.1 onwards, those users of X-Ways Forensics who occasionally need the special capabilities of WinHex may simply copy their xwforensics.exe or xwforensics64.exe file and name the copy winhex.exe or winhex64.exe. Or, even cooler, create hard links with these names. Those users who use the setup program do not need to do anything, as the setup program creates hard links with these names automatically. When you execute an X-Ways Forensics .exe file with "WinHex" in the filename (or in the name of the hard link), the program will identify itself as WinHex everywhere (in the user interface, case report, case log, image descriptions, and all screenshots) and work exactly like the special WinHex version known for many years, while without "WinHex" in the filename the same program continues to run as X-Ways Forensics without any disk editing or data wiping capability. Since the filename alone decides which mode runs, check how the program identifies itself (in the user interface and the case log) whenever it matters that a session has no editing or wiping capability.

  • Russian translation of the user interface available (change via Help | Setup).

Media Support

  • Now supports non-standard (non-Adaptec/JetStor typical) parity start components for RAID level 6 with backward parity when internally reconstructing RAIDs, as seen in Synology hardware.

  • Now supports backward parity dynamic for RAID level 6, with standard or non-standard parity start components.

  • Supports certain LVM2 partition layouts that were not recognized before.

  • Better support for unusually deep subdirectory nestings in Ext file systems.

  • Slightly improved treatment of remote network drives, network shares, and F-Response connector volumes.

Miscellaneous

  • New menu command Tools | File Tools | Copy Sparse introduced, which can copy any selected file, but preserves the sparse nature of an NTFS sparse file in the destination file. That means for example when copying a 1 TB skeleton disk image that only has 100 MB of data allocated, the copy process will finish almost instantly because only 100 MB out of 1 TB of data has to be copied. Conventional copy functions do not preserve the sparse nature of a file and copy the entire nominal file size.
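    Added example, not the Copy Sparse implementation: a file-system-independent sparse copy in Python that reads the source in chunks and seeks over all-zero chunks instead of writing them, so a sparsely populated image stays sparse in the copy and only the populated chunks are written. It does not rely on SEEK_HOLE/SEEK_DATA, so it still has to read the zero regions of the source, which is cheap when the source itself is sparse. The sample image is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def copy_sparse(src, dst, chunk=1 << 20):
    """Copy src to dst but seek over all-zero chunks instead of writing them,
    so holes in the source stay holes in the copy. Returns (written, skipped)."""
    written = skipped = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        size = os.fstat(fin.fileno()).st_size
        while True:
            data = fin.read(chunk)
            if not data:
                break
            if data.count(0) == len(data):
                fout.seek(len(data), os.SEEK_CUR)   # leave a hole
                skipped += len(data)
            else:
                fout.write(data)
                written += len(data)
        fout.truncate(size)   # a trailing hole needs the nominal size set explicitly
    return written, skipped

def allocated_bytes(path):
    """Bytes actually allocated on disk (POSIX); None where st_blocks is unavailable."""
    st = os.stat(path)
    return st.st_blocks * 512 if hasattr(st, "st_blocks") else None

def file_sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for data in iter(lambda: f.read(chunk), b""):
            h.update(data)
    return h.hexdigest()

def demo():
    """Constructed 16 MiB skeleton-style image with 100,000 data bytes at offset 5 MiB."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "skeleton.dd"), os.path.join(tmp, "copy.dd")
    with open(src, "wb") as f:
        f.truncate(16 << 20)
        f.seek(5 << 20)
        f.write(b"\xab" * 100_000)
    written, skipped = copy_sparse(src, dst)
    same = file_sha256(src) == file_sha256(dst)
    return written, skipped, same
```

    With 1 MiB chunks the demo writes exactly one chunk and skips fifteen while both files hash identically; allocated_bytes(dst) shows the real on-disk footprint on file systems that support holes. A plain byte-for-byte copy would write all 16 MiB.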

  • Ability to change the detected sector size of a physical hard disk that WinHex works with, via Tools | Disk Tools | Set Disk Parameters. Remember you should also adjust the sector count accordingly. For example, if you change the detected sector size from 512 bytes to 4 KB (i.e. you multiply it by 8), then you also need to divide the total number of sectors by 8 to keep the same total detected disk capacity (assuming the capacity was detected correctly).

  • More information about exception errors in error.log files.

  • Many minor improvements and some minor fixes.

  • PDF user manual and program help revised and updated for v17.1 in English and German.


Changes of service releases of v17.0:

  • SR-1: Extraction of pictures from .xls documents supported.

  • SR-1: Improved e-mail extraction from Exchange EDB.

  • SR-1: Fixed a rare exception error that could occur when opening FAT volumes with a certain layout.

  • SR-1: v17.0 did not apply information from Windows.edb to thumbnails extracted from thumbcache*. That was fixed.

  • SR-1: An exception error was fixed that could occur when extracting large amounts of e-mail or embedded files from other files.

  • SR-1: An exception error was fixed that could occur when extracting events from Windows registry hive fragments.

  • SR-1: The options to exclude JAR, APK, IPA etc. from archive exploration did not work reliably in v17.0. That was fixed.

  • SR-1: Now when about to convert the old volume snapshot format of v16.9 and before to the new one, the software highly recommends to make a backup of the case and all its subdirectories first, as apparently some conversions are not successful.

  • SR-2: All operations with EDB database files now also work under Windows 8.

  • SR-2: Fixed exception errors that could occur when first uncovering embedded data in miscellaneous files and then running a simultaneous search in the same session.

  • SR-2: Selection error for more than 5 type groups in the Type Status filter dialog fixed.

  • SR-2: Ability to convert a network dongle to a "pure" network dongle that even if connected locally can only be used through the network interface, which can be enforced as described in the network dongle package.

  • SR-3: More thorough exploitation of volume shadow copies.

  • SR-3: Fixed error "Cannot open '...\External". Please check the path and your access rights." when processing PLists.

  • SR-3: v17.0 did not always automatically include the contents of archives if they were misnamed. That was fixed.

  • SR-4: Forces MPlayer to use the directory for temporary files for the export of video stills.

  • SR-4: Can share the same local dongle simultaneously on the same machine with instances of v16.5 SR-14, v16.6 SR-11, v16.7 SR-11, v16.8 SR-11, v16.9 SR-6 (not older releases), and v17.1 if executed by the same user.

  • SR-4: More consistent treatment of garbage timestamp values.

  • SR-5: When creating report table associations for the parent file of the selected file, if the direct parent is not a file but the grandparent or great-grandparent etc. is, then that ancestor gets the association. E.g. an XML file in a directory in a ZIP-style Office document.

  • SR-5: Fixed an error message that occurs when not keeping .xfc backup files.

  • SR-5: Prevents a rare error message that could occur when processing empty e-mail messages in unusually named directories within Outlook PST e-mail archives.

  • SR-5: Fixed a rare error that could occur with corrupt FAT32 boot areas.

  • SR-5: XFS support improved to better recognize and ignore corrupted file system data that might otherwise cause issues.

  • SR-6: Non-deterministic "The specified resource name is not found in an image file" error fixed in Chinese and Japanese user interface.

  • SR-6: Some of the radio buttons in the case report options did not behave as they should. That was fixed.

  • SR-6: The export of report table associations for multiple selected evidence objects was potentially incomplete if one of the selected evidence objects did not have any report table associations. That was fixed.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)

Competition is normal and healthy. Patents and court battles about rectangles and finger movements are not. Please reconsider before buying Apple products. Don't support malevolent companies. Thank you.   

 

#132: WinHex, X-Ways Forensics, X-Ways Investigator 17.0 released

Mar 27, 2013

This  mailing is to announce the release of another notable update with many interesting features, v17.0.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.0 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to continue to use an older version, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming X-Ways Forensics & File Systems Training

London, England, Apr 15-24, 2013
Kingston, ON, Canada, May 13-17, 2013
Chicago area, USA, May 20-24, 2013
More information


What's new in v17.0?

(note most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Network Dongles

  • Ability to unlock X-Ways Forensics 17.0 and later (also v16.9 SR-4 and v16.8 SR-10) with network dongles. Network dongles are available now as a substitute for regular dongles. A single network dongle can represent x licenses and substitute x regular dongles and allow the users to run X-Ways Forensics on x machines on the same network at the same time. The network dongle is attached to any of the computers on the network and made available to the clients by a dongle server program or service. If multiple network dongles are found by a client, the user may choose one of them when starting up X-Ways Forensics. If one of these dongles is already fully in use, according to the number of licenses that it represents, the user will see that and can choose another dongle. Conveniently, a network dongle can also be used locally just like a regular dongle or multi-user dongle when needed!

    You have the option to order new licenses with a network dongle instead of regular dongles, depending on the number of licenses either for free or at a surcharge. If you own many licenses already, we can offer you to test the network dongle and to swap many or all of your existing regular dongles for a single network dongle. For much more information on the dongles in general and network dongles in particular please see https://www.x-ways.net/forensics/dongle.html#types.

File System Support

  • In newly taken snapshots of HFS+ volumes with hard links, you can now view hard-linked files directly and do not have to look up the corresponding so-called indirect node file manually (the one whose name contains the iNode number, which is specified in the Comments column).

  • Newly taken volume snapshots now support a concept of "related" files, related in ways other than a parent-child or sibling relationship. For example, the related file for hard links in HFS+ is the corresponding indirect node file. The related file for files that were found in volume shadow copies in NTFS is the volume shadow copy host file. The related file for a volume shadow copy host file is the corresponding snapshot properties file (called "snapprop" in the Type column). More kinds of n:1 relationships are conceivable in future versions. Files for which a related file is defined get their icons marked with a small blue downward pointing arrow on the left-hand side.

  • A new command in the directory browser context menu (Navigation submenu) allows to conveniently find the related file if one exists for the selected file. You may also press Shift+Backspace to navigate to the related file. This is similar to just hitting the Backspace key, which navigates to the parent file or directory.

  • For files found by v17.0 and later in volume shadow copies, the Attr. column now points out the sequential number of the snapshot in which they were found, as indicated by the snapshot properties file.

  • Avoids more irrelevant identical traces of files found in volume shadow copies.

  • In newly taken volume snapshots of NTFS volumes, hard-linked files now get a special treatment. An additional hard link that merely provides a short filename to satisfy the 8.3 requirements of old Microsoft DOS/Windows versions is not counted any more as a hard link. Instead, such files get their hard link count marked with a ? in the Links column of the directory browser. That way, the hard link count more accurately reflects the hard links actually present in the volume snapshot of X-Ways Forensics, and normal files always have a count of 1, whereas 2 or more really means something more special.

  • A filter is now available for the ID column, which makes it more convenient to find other hard links of a given file (except HFS+).

  • When viewing a hard-linked file in file systems with direct support for hard links (not HFS+), the other hard links of the same file are now optionally marked as already viewed as well at the same time, just as known in previous versions for duplicates based on hash values.

  • When creating report table associations for duplicates of the selected files at the same time, this now includes other hard links of the same file (except in HFS+).

  • Support for more deeply nested subdirectories on Ext* volumes.

Searching

  • In newly taken volume snapshots of NTFS volumes, all "real" hard links (i.e. hard links other than the 8.3 short filename links) except for one can be conveniently excluded from logical searches and indexing. Nowadays on Windows installations often between 10,000 and 100,000 hard links of system files exist, for example 27 links to a file like "Ph3xIB64MV.dll" in directories such as
    \Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4...
    \Windows\System32\DriverStore\FileRepository\ph3xibc2.inf_amd64_neutral_7621f5d6...
    \Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382...
    \Windows\winsxs\amd64_ph3xibc9.inf_31bf3856ad364e35_6.1.7600.16385_none_a0a...
    \Windows\winsxs\amd64_ph3xibc5.inf_31bf3856ad364e35_6.1.7600.16385_none_9e7...
    \Windows\winsxs\amd64_ph3xibc12.inf_31bf3856ad364e35_6.1.7600.16385_none_64...
    etc. etc.
    By searching only in one hard link of a file, you can typically exclude several GB of duplicate data and yet don't miss anything if you search all other files. Those additional hard links that are excluded get their hard link count marked with an asterisk (*). Search hits in the only hard link that does get searched are marked with the hint "-> Links" in the Descr. column to remind you of the other hard links of the same file in case those search hits are relevant.
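    Added example, not X-Ways code: the dedup logic in Python over a constructed directory tree in which one DLL is hard-linked three times. Each (device, inode) pair is searched once, the other links are skipped and listed, and a hit in a multiply linked file carries the "-> Links" hint so the skipped locations are not forgotten.

```python
import os
import tempfile

def build_sample_tree():
    """Constructed tree: one DLL hard-linked three times (DriverStore/winsxs style)
    plus an unrelated file that also contains the search term."""
    root = tempfile.mkdtemp()
    links = ["Windows/System32/DriverStore/FileRepository/driver_a/Ph3xIB64MV.dll",
             "Windows/winsxs/driver_b/Ph3xIB64MV.dll",
             "Windows/winsxs/driver_c/Ph3xIB64MV.dll"]
    first = os.path.join(root, links[0])
    os.makedirs(os.path.dirname(first))
    with open(first, "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"Philips driver" + b"\x00" * 64)
    for rel in links[1:]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full))
        os.link(first, full)
    notes = os.path.join(root, "Users/x/notes.txt")
    os.makedirs(os.path.dirname(notes))
    with open(notes, "wb") as f:
        f.write(b"Philips order confirmation")
    return root

def logical_search(root, needle):
    """Search every distinct file once. Further hard links of an already searched
    (device, inode) pair are skipped; a hit in a multiply linked file gets the
    "-> Links" hint so the skipped locations can still be considered."""
    seen, hits, skipped = set(), [], []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            key = (st.st_dev, st.st_ino)
            if key in seen:
                skipped.append(path)          # would be marked with * in the Links column
                continue
            seen.add(key)
            with open(path, "rb") as f:
                if needle in f.read():
                    hits.append({"path": path, "links": st.st_nlink,
                                 "descr": "-> Links" if st.st_nlink > 1 else ""})
    return hits, skipped
```

    Searching the sample tree for b"Philips" yields two hits (one with a link count of 3 and the "-> Links" hint, one with a link count of 1) and two skipped paths; which of the three link paths is the one searched depends on directory walk order, which is why the hint matters.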

  • Support for another artificially defined code page, which allows to search for and read UTF-16 text encoded by the MS Outlook cipher called compressible encryption.

  • It is now possible to search and index in up to 6 code pages at the same time.

  • The already previously supported non-Unicode artificial code page for MS Outlook compressible encryption now works based on a user-defined code page (by default equal to the code page active in your Windows system for non-Unicode programs), not just Latin 1. Potentially important for languages other than Western European languages. Outlook uses the Windows system code page in its old non-Unicode capable variant of PST.

  • PST and OST files are now no longer omitted by logical searches and indexing if the recommended data reduction is active and e-mail and other Outlook data has been extracted from them, but MBOX files are.

  • Search hits in all variants of UTF-16 that are not aligned at even offsets are now marked in the Descr. column as "unaligned", as a small hint and explanation why you can read the text only in the alignment-aware context preview of the Search hits column, and not in the text column.

  • Logical searches now also specifically cover the transition area from uninitialized (but physically allocated) areas of files to immediately following free space, if the option to cover the transition from slack space to free space is in use.

  • Ability to run a logical search in selected files via the directory browser context menu from the case root window.

File Format Support

  • The "Uncover embedded data" function uses some special algorithms for certain file types (Windows.edb, thumbs.db, PLists) and byte-level carving for all other host file types. This carving was limited to embedded JPEG and PNG files in previous versions (+EMF in multi-page printer spool .spl files). Now embedded files of any type whose definition in the File Type Signatures Search.txt file comes with a tilde (~) algorithm and is marked with a new flag "e" (for "embedded") will be carved. As a very good example of this new flexibility, .lnk shortcut files are now carved within customdestinations-ms jumplists.

  • Special extraction of objects (pictures and others) embedded in OLE2 compound files such as MS Word .doc and MS PowerPoint .ppt, in which previously only JPEG and PNG were found and only through ordinary carving. Embedded pictures are now often output with their original name or designation in the document and are extracted correctly even if fragmented within the OLE2 compound file.

  • Exploring the contents of 5 more usually irrelevant zip subtypes is now optional when refining the volume snapshot, compared to just JAR in previous versions.

  • Exploring zip-based Office document files such as those of MS Office 2007/2010, LibreOffice, OpenOffice, iWork is now also optional when refining the volume snapshot. Useful if you or the recipients of evidence file containers that you create only wish to see the documents as a whole, no embedded pictures or XML files separately, and don't need to extract metadata from these XML files and can recognize nested documents (documents embedded in other documents) themselves if necessary.

  • Support for binary PLists has been improved to include the undocumented CF$UID data type.

  • Carving support for "Gatherer Transaction Log".

  • Special support for carving thumbcache fragments (CMMM records) at the byte level.

  • The resolution of videos is now displayed roughly in the Pixels column after at least one video still has been exported.

  • The option to list items in registry hives recursively has been removed.

Disk Support, Disk Imaging

  • The Technical Details Report now checks for certain read inconsistencies that can occur with flash media (for example certain USB stick brands/models, but not others) in data areas that have never been written/used, where the data is undefined. The data that is read in such areas, for example when imaging the media, may depend on the amount of data that is read at a time with a single internal read command. The result is mentioned in the report. If inconsistencies are detected ("Inconsistent read results!" in the report), you will see a message box, which offers to read sectors in smaller chunks from that device as long as it is open, which likely yields the expected zero value bytes instead of some random looking non-zero pattern data when reading such areas. Use of this option does not give you data that is somehow more accurate or original (undefined is undefined and does not mean zeroed out) or contains more or less evidence, it can just have a big impact on compression ratio achieved and reproducibility of hash values with other tools, which may use different chunk sizes for reading and thus produce different data and hash values. Note that it is possible that read inconsistencies occur that are not detected by X-Ways Forensics, because a complete check would be very slow. Again, these inconsistencies are not fatal and not the fault of the software, and they can be explained. Does it mean that you should invoke the Specialist | Technical Details Report command prior to imaging? No, the report is routinely created already when imaging starts.

  • Since v16.3 it is possible to reconstruct RAID level 5EE by simply selecting a compatible RAID level 6 variant. Now it is possible to select RAID 5EE systems specifically and reconstruct them even if one component disk is missing. RAID 5EE with forward and backward parity are supported.

  • Ability to specify how many extra threads to use when creating .e01 evidence files, when clicking the tiny little button in the lower right corner of the Create Disk Image dialog window. By default X-Ways Forensics will use no more than 4, and it depends on how many processor cores your system has, but you could try to increase it to up to 8 or even 16 on very powerful systems with even more cores usually without problems, for a chance to further increase the speed.

  • Detection of Windows dynamic volumes larger than 2 TB on GPT LDM partitioned disks.

Methodology

  • Ability to rank file types by importance/relevance and filter by the rank using the Type Status filter. For example, filtering out those file types ranked #0 or #1 will exclude font files, cursors, icons, themes, skins, clip arts, etc. Files with a low rank are of importance just in very specific investigations, for example source code, in which you would not be interested when looking for office documents or pictures for example, but perhaps when hunting a virus programmer. Higher ranked file types are relevant in more cases. Generally the rank is useful in simple cases where you can expect to find what you are looking for in file types that are fairly well known. As another idea, you could make it a habit to only index files with higher ranks.

  • Ability to assign file types to a so-called group, a new concept, which is not identical to a file type category. Useful for example if your standard procedure is to let examiner A check out pictures and videos, examiner B documents, e-mail, and other Internet activity, and examiner C operating system files of various kinds, because of their specializations. You can give these groups meaningful names and filter for them, also using the Type Status dialog window. The groups are displayed in the Type filter.

  • The new definitions are all made in the "File Type Categories.txt" file. Existing files of that kind will continue to work as before. Suggestions for ranks are already predefined in the new standard file. Both ranks (from 0 to 9, where missing means 0) and groups (letters from A to Z) can be optionally specified following a tab at the end of a line, in any order, for example as "2P" or "DI3". So up to 10 rank levels are possible (but it is not necessary to fully utilize this range), and up to 26 groups (and you do not have to start alphabetically; the case of the letters is ignored). You can also define ranks and groups for an entire category, following a tab in a category line. To give a group a more descriptive name than just a single letter, insert group definition lines at the end of the text file that start with an equal sign, e.g.
    =P=Photos and videos for image group
    =D=Docs, e-mails and Internet
    =I=File types to index
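    To make the rank/group notation concrete, here is an added Python example (not code from X-Ways) that parses the trailing-tab suffix and the "=X=name" lines exactly as described above and then answers the two questions the Type Status filter answers: which types have at least a given rank, and which types belong to a group. The sample text is constructed; the suffix rules and the group definition lines follow the newsletter, whereas the column layout of category and type lines in the sample (category name unindented, then "<tab>ext1;ext2<tab>description") and the rule that a type's own rank beats its category's rank are assumptions made for this example, not the real file's syntax.

```python
import re
from dataclasses import dataclass, field


@dataclass
class TypeInfo:
    category: str
    rank: int                                   # 0..9, 0 when nothing was specified
    groups: set = field(default_factory=set)    # single letters A..Z


# Constructed sample (see the lead-in for what is assumed about the layout).
CONSTRUCTED = (
    "Pictures\t2P\n"
    "\tjpg;jpeg\tJPEG picture\n"
    "\tpsd\tPhotoshop document\tI\n"
    "Documents\n"
    "\tdoc;docx\tWord document\tdi3\n"
    "Programming\t0\n"
    "\tc;h\tC source code\n"
    "=P=Photos and videos for image group\n"
    "=D=Docs, e-mails and Internet\n"
    "=I=File types to index\n"
)


def parse_suffix(suffix: str):
    """'DI3' -> (3, {'D', 'I'}); 'P' -> (None, {'P'}); '' -> (None, set()).

    One rank digit 0-9 and any letters, in any order, case ignored."""
    if not suffix:
        return None, set()
    if not suffix.isascii() or not suffix.isalnum():
        raise ValueError(f"bad rank/group suffix {suffix!r}")
    digits = [c for c in suffix if c.isdigit()]
    if len(digits) > 1:
        raise ValueError(f"more than one rank digit in {suffix!r}")
    rank = int(digits[0]) if digits else None
    return rank, {c.upper() for c in suffix if c.isalpha()}


def parse_categories(text: str):
    """Return ({ext: TypeInfo}, {group letter: description})."""
    types, group_names = {}, {}
    category, cat_rank, cat_groups = None, 0, set()
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("="):                        # "=P=Photos and videos ..."
            _, letter, name = line.split("=", 2)
            group_names[letter.upper()] = name
        elif line.startswith("\t"):                     # type line: ext(s), description[, suffix]
            fields = line[1:].split("\t")
            own_rank, own_groups = parse_suffix(fields[2] if len(fields) > 2 else "")
            rank = own_rank if own_rank is not None else cat_rank   # assumption: type beats category
            for ext in fields[0].split(";"):
                types[ext.lower()] = TypeInfo(category, rank, own_groups | cat_groups)
        else:                                           # category line: name[, suffix]
            category, _, suffix = line.partition("\t")
            cat_rank, cat_groups = parse_suffix(suffix)
            cat_rank = 0 if cat_rank is None else cat_rank   # missing rank means 0
    return types, group_names


def types_with_rank_at_least(types: dict, min_rank: int) -> set:
    """What filtering out the lower ranks in the Type Status filter leaves over."""
    return {ext for ext, t in types.items() if t.rank >= min_rank}


def types_in_group(types: dict, letter: str) -> set:
    return {ext for ext, t in types.items() if letter.upper() in t.groups}
```

    Note that in the sample the category-level "2P" on Pictures propagates to jpg, jpeg and psd, that psd additionally joins group I from its own suffix, and that "di3" and "DI3" are treated alike.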

Event Analysis

  • Event extraction from carved fragments of Gatherer Transaction Log (.gthr2) and existing .NTfy.gthr files, and several other file types. Below is an overview of file formats from which events are currently extracted:
    .firefox (~55) fragments
    _CACHE_001_ and _CACHE_002_
    .lnk shortcuts
    .automaticDestination-ms
    .chrome Chromium cache data_1, data_2
    .usnjrnl fragments
    Registry hives
    .hbin Registry hive fragments
    .doc (last printed)
    .msg
    rp.log XP restore point
    INFO2 XP recycle bin
    .recycler Vista recycle bin
    .snapprop Vista volume shadow copy properties
    .cookie
    .gthr;.gthr2 Gatherer and Gatherer fragments
    .pf prefetch
    JPEG GPS
    OLE2 last modification

  • Several events now have an individual description, for example events in the Windows registry and in Internet Explorer index.dat files.

  • A filter for the event type column is now available.

Setup/Administration

  • User-specific configurations are now stored in the Windows user profile, in a subdirectory of \AppData\Local\X-Ways. The configuration now becomes user-specific automatically when running X-Ways Forensics not as administrator from a directory on the C: drive where a user does not have write access, such as C:\Program Files. Otherwise by default X-Ways Forensics still runs with a non user-specific configuration so that it remains a portable program and does not unnecessarily alter live systems that you wish to preview/triage. For details please see https://www.x-ways.net/winhex/setup.html. Whether a user-specific configuration is active or not (and if active, for what reason and where it is stored) can be seen in the Help | About box. The reason can be "necessarily" if no write access to the installation directory is available or "forced" if a file named winhex.user is found in the installation directory or "for this user" if the user has an individual configuration already from previous executions for either of the other two reasons. The inconsistent use of Virtual Store subdirectories is now avoided.

Usability

  • Ability to refine the volume snapshot for selected files only, via the directory browser context menu.

  • Ability to store most filter and all sort settings in the active case and load them again automatically when a case is opened. See Options | Directory Browser.

  • Ability to save filter and sort settings to a separate file and load them again at any time, by clicking on the Open/Save icons on the right-hand side of the caption line of the directory browser. Such files are given the extension ".settings".

  • The selected file types of the Type filter are now also optionally stored in cases, like other filter settings. Note that collisions among file type designations become apparent when selections for the file type filter are loaded. For example, if you had originally selected "mmf" = "MailMessage File" (category e-mail), then you will find that "mmf" is also selected as "Yamaha SMAF" (category Sound/Music). This is normal and does not change what the Type filter does. When in doubt, the Type filter always also includes other types with the same designation, so that nothing is overlooked.

  • If you choose to not sort the directory browser initially after start-up, there will now also be no sorting when turning off all filters with a single mouse click, to avoid longer delays when suddenly all files are listed again recursively.

  • Ctrl+A now works in all edit boxes and all multi-selection list windows in dialog windows.

  • The check for updates can now be found in the Help | Online menu.

  • Ability to filter for "unequal to" in the ID and internal ID filters. Useful should the volume snapshot refinement crash with a file that was not part of the volume snapshot when it was last saved during the refinement. In that case you can filter out and omit the offending file with the future assigned internal ID in advance when you try again.

  • New Attr. filter option for other virtual files, which includes for example human-readable HTML representations of Internet browser databases, event logs etc.

  • Activating Sync mode now automatically deactivates all filters if filters keep the directory browser from listing the file that the current cursor position in Partition/Volume mode is contained in. As always you can click the Back button to return to the previous listing in the directory browser, but remember that this works only if the directory browser has the input focus, not the lower half of the data window where you navigated in Partition/Volume mode, where jumps from one offset to the other can be undone or redone with the Back & Forward functionality.

Miscellaneous

  • Includes the contents of the Pixels column in evidence file containers of the new type.

  • If the option to Recover/Copy child objects of selected files is half selected, that now means that the only child objects that will be copied are e-mail attachments.

  • When copying files or alternate data streams or other objects that do not have any or all timestamps with the Recover/Copy command, X-Ways Forensics now approximates the fact that a timestamp is not available by setting the corresponding timestamps of the output files to ~0 (Jan 1, 1601 in NTFS). This behavior was already active in versions before April 2012. It can be avoided by holding the Shift key when clicking OK in the dialog box, for example if you wish to use some other programs with these files that do not want to open files with such timestamps (it has been reported for VLC).

  • Ability to extract video stills reliably using recent MPlayer releases. MPlayer 1.1 for use with v17 is now provided as a download.

  • Directory browser option to display tag marks as check marks.

  • The option "Display file sizes always in bytes" can now be found in Options | General | Notation. The alternative .eml preview option can now be found in Options | Viewer Programs.

  • Tools | File Tools | Delete Recursively can now automatically delete files for which you do not currently have the right to delete (for example because "Trusted Installer" is the owner), but for which you can get all rights (if you are running WinHex with administrator rights).

  • Minimum memory requirements for loaded volume snapshots reduced. More data of volume snapshots can now be kept in memory optionally for higher performance.

  • More compact internal organization of certain files in volume snapshots (extracted e-mails, video stills, virtual attached files).

  • Volume snapshots from v16.3 (released in October 2011) and later can be imported, from v15.8 (October 2010) to v16.2 as well if no e-mail was extracted by those versions. Incompatible volume snapshots will be identified and not converted.

  • Memory requirements for search hits reduced by 17%. Old versions cannot load search hit lists saved by v17.0 and later.

  • Many minor improvements and some minor fixes.

  • PDF user manual and program help revised and updated for v17.0 in English and German.


Changes of service releases of v16.9:

  • SR-1: Ability to force user-specific WinHex*.cfg configuration files by creating an empty file named "winhex.user" in the installation directory.

  • SR-1: Fixed two errors with the Export List command for event lists.

  • SR-1: The column Sender and Recipients are now populated for e-mail extracted from MBOX and DBX e-mail archives with the new extraction method.

  • SR-1: Fixed inability of X-Ways Investigator 16.9 to open images/containers.

  • SR-2: More tables extracted from previously supported SQLite databases.

  • SR-2: Chinese translation of the user interface updated.

  • SR-2: Fixed an exception error that could occur when attempting to find deleted directory entries while taking a snapshot of XFS volumes.

  • SR-2: Prevented a theoretically possible issue where a few random characters could have been appended to an (otherwise correct) file name in XFS.

  • SR-2: An exception error could occur when the "Search Terms" filter was active when opening an evidence object that had search hits. That was fixed.

  • SR-2: Fixed an exception error that could occur under certain circumstances when parsing PLists.

  • SR-2: Fixed a rare exception error that could occur when parsing index.dat files.

  • SR-2: Fixed thumbcache*.db processing error.

  • SR-2: Prevented a rare SHA-256 computation error in disk imaging that if it occurred was revealed by hash verification later.

  • SR-3: The file carving flags u and U now also carve in unpartitioned areas and partitions with an unknown file system.

  • SR-3: The new option for separate print jobs did not work on all systems. Fixed now.

  • SR-3: Ability to trigger the check for updates online at any time.

  • SR-3: The display in the Path column was truncated in v16.9. That was fixed.

  • SR-3: Fixed hanging when applying the "List clusters" command to certain directories in XFS.

  • SR-3: Fixed an instability that could occur in v16.9 when parsing $UsnJrnl:$J.

  • SR-4: Ability to use the new network dongles just like in v17.0.

  • SR-4: File system level timestamps of directories are now also output as events.

  • SR-4: Regular expressions with \nnn where \nnn is a decimal number were not processed correctly in previous versions. That was fixed.

  • SR-5: .lnk shortcut files that were extracted from jump lists were erroneously marked internally as e-mail attachments. This was fixed.

  • SR-5: No metadata extraction was performed by a fresh install unless the suboptions had once been confirmed by clicking OK. That was fixed.

  • SR-5: Avoids an exception error that could occur when parsing volume shadow copies.

  • SR-5: Improved communication with the network dongle server.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)

Competition is normal and healthy. Patents and court battles about rectangles and finger movements are not. Please reconsider before buying Apple products. Don't support malevolent companies. Thank you.  

 

#131: WinHex, X-Ways Forensics, X-Ways Investigator 16.9 released

Feb 6, 2013

This mailing is to announce the release of another notable update, v16.9.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v16.9 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to continue to use an older version, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming X-Ways Forensics & File Systems Training

Washington DC area, USA, Mar 11-20, 2013
London, England, Apr 15-24, 2013
Kingston, ON, Canada, May 13-17, 2013
Chicago area, USA, May 20-24, 2013
More information


What's new in v16.9?

Methodology

  • Ability to generate a list of events from timestamps that can be found at the file system level as well as internally in files and in main memory, when extracting metadata. Conceivable sources include browser histories, Windows event logs, Windows registry hives, e-mails, etc. An event list works exactly like a search hit list and can be displayed by clicking a new button which is located next to the search hit list button, with a clock icon on it. Just like a search hit list, an event list comes with additional columns: the event timestamp, event type, event category, and optionally a file offset.

    When an event list is sorted chronologically, by timestamps, it works like a timeline, which may allow you to figure out a sequence of events of different kinds stored in different places (e.g. e-mail received, attachment saved, application started, document printed, file deleted) that otherwise could not be seen together in context. As usual, you may see events from different evidence objects at the same time from the case root window, explore recursively or by path, sort by event type or event category, see all the usual file properties, view files, navigate to the definition of an event within a file (if a relative offset is available) and filter for certain date ranges.

    Event-based analysis instead of file-based analysis is a progressive new approach with a totally different perspective that may lead to knowledge about activities recorded on computers that otherwise could not be gained. You may see connections (related activity) that otherwise could be overlooked, and may be able to better explain the logic behind what has happened. The sources of events that are exploited by the metadata extraction in this release are still limited (file system, index.dat, e-mails, processes in memory dumps). More will be covered in future releases.

  • Option to work with an adjusted virtual free space file that is net of clusters that were identified as belonging to previously existing files, to minimize the amount of space in file systems that is read twice for logical searches and indexing. After changing the option (in Options | Volume Snapshot) the virtual file is updated when it is opened next time, for example selected in File mode or when it is that file's turn during a logical search. Relative offsets of search hits in this virtual file become wrong when the file changes, so they cannot be used to navigate to the search hits in File mode.

  • New flag U for file header signatures that will cause files (or records) of this type to be carved only in net free space. Useful especially for internal entries of Zip files, RAR archives, Internet Explorer index.dat files, and Firefox URL records, to avoid numerous duplications.

  • The file carving flags b (for byte granularity) and g (for greedy allocation) can now be combined. Useful when carving records of files for which an internal algorithm is available that can combine multiple contiguous records in a single carved file. The g flag makes sure that those records that have been included already will not be found and carved again separately.

File Format Support

  • Extraction of all tables (with all columns except binary data) from all other SQLite databases besides the already supported various Internet browser databases as part of metadata extraction. The first extracted table will also serve as a preview of the SQLite database file itself.

  • File header signature and internal algorithm for $UsnJrnl:$J records. A single file is carved that is composed of multiple contiguous records outside of known $J ADS and can be nicely viewed in Preview mode (still testing). Viewing such a single file is much more efficient than viewing separately carved records.

  • Ability to display, in the gallery and in Preview mode using the internal graphics viewing library, certain non-standard GIF pictures that caused exception errors in v16.7 and earlier and that v16.8 did not attempt to display at all.

  • Signatures and algorithms for file type verification and file header signature search considerably revised.

  • Preview of .pf prefetch files improved.

  • Revised processing of PLists.

  • The metadata extraction for index.dat files (HTML preview generation and event extraction) is now also applied to carved fragments of index.dat files (Internet Explorer URL records).

  • Menu option to display text in the text column in big-endian UCS-2/UTF-16 Unicode. Useful especially to correctly see East Asian characters for example in HFS* file systems and in binary PLists.

  • Carved files are now defined to have slack space if they happen to start at a cluster boundary.

Disk Support, Disk Imaging

  • Superimposition of sectors on top of disks or interpreted images that are opened as read-only. Useful when you need to make minor temporary adjustments to data in sectors within the program to get it interpreted correctly internally, but do not want to or are not allowed to alter the sectors on the disk or in the image itself (or cannot because it is not a raw image, but an .e01 evidence file), and also do not want to make another complete working copy of an image that is e.g. 2 TB in size if just 1 byte needs to be changed. Such adjustments can be necessary for example in cases of partitioning or file system metadata corruption, where just a missing magic number keeps WinHex from detecting the file system or just one flipped bit keeps WinHex from finding $MFT in NTFS or just one wrong nibble in the partition table keeps WinHex from recognizing a partition as an LVM2 container partition etc. etc. In these situations you can manually provide and superimpose the corrected data and then hopefully work with the disk or image with no further problems, getting all partitions and files listed immediately as if nothing was wrong. This functionality is intended for advanced users that do not give up easily when at first they see "nothing" and have some understanding of low level data structures and know how to fix them.

    You can enable and disable superimposition for the disk or partition in the active data window using the Edit | Superimpose Sectors menu command. This command allows you to select any file with the raw contents of disk sectors. For example, you can create such a file by selecting one or more sectors as a block, copying the block into a new file, making the necessary adjustments (possible even in X-Ways Forensics because ordinary files, unlike disks or interpreted images, can be edited) and saving that file. When applied, the contents of this file are superimposed onto the sectors starting with the sector in which the cursor is located, or, if the file is named "*.n.superimposition", where n is a number, it will be applied to the sectors starting with sector n, and all other files in the same directory matching the same mask with the same base name will also be applied to the sector numbers indicated in their filenames. You will immediately see the superimposed data when navigating to the affected sectors, and can continue making adjustments to the imposed raw data file if you keep it open in a separate window. As soon as you have saved changes in that window, they will take effect in the data window that represents the disk or partition whose data you are trying to fix when you refresh the view, take a new volume snapshot, define the start of a partition, try again to open a file with a corrupt FILE record etc. etc.

    Please note that only complete sectors, not partial sectors, can be superimposed. Superimposition can be active only for one disk or disk partition or image at a time. If desired, you can make a copy (image or cloned disk) of the virtually repaired disk or image with the usual commands while the superimposition is in effect, so that the copy will have the superimposed sectors directly embedded.
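    The idea of superimposition, as an added Python example that is not X-Ways code: a read-only view of a raw image whose read() splices in whole sectors taken from "<base>.<n>.superimposition" files (n being the first sector the file covers), with the image on disk never modified, plus a copy routine that embeds the overlay the way cloning the virtually repaired disk does. The 8-sector sample image and the one-sector overlay (a restored 0x55AA boot signature) are constructed in a temporary directory by demo(); the 512-byte sector size and the "sector i filled with byte i" content are assumptions of the sample.

```python
import re
import tempfile
from pathlib import Path

SECTOR = 512
NAME_RE = re.compile(r"^(?P<base>.+)\.(?P<sector>\d+)\.superimposition$")


def load_overlays(directory, base_name: str) -> dict:
    """Collect '<base>.<n>.superimposition' files; n is the first sector they cover."""
    overlays = {}
    for p in Path(directory).iterdir():
        m = NAME_RE.match(p.name)
        if m and m.group("base") == base_name:
            overlays[int(m.group("sector"))] = p.read_bytes()
    return overlays


class SuperimposedImage:
    """Read-only view of a raw image with whole sectors replaced on the fly.

    The image file is never modified; the overlay only changes what read()
    returns, which is what makes a repaired copy possible later."""

    def __init__(self, image_path, overlays: dict):
        self.path = Path(image_path)
        self.size = self.path.stat().st_size
        self.sectors = {}                       # sector number -> 512 bytes
        for start, data in overlays.items():
            if len(data) == 0 or len(data) % SECTOR:
                raise ValueError("only complete sectors can be superimposed")
            for i in range(len(data) // SECTOR):
                self.sectors[start + i] = data[i * SECTOR:(i + 1) * SECTOR]

    def read(self, offset: int, length: int) -> bytes:
        with self.path.open("rb") as fh:
            fh.seek(offset)
            buf = bytearray(fh.read(length))
        length = len(buf)                       # may be short at the end of the image
        for sec in range(offset // SECTOR, (offset + length - 1) // SECTOR + 1):
            patch = self.sectors.get(sec)
            if patch is None:
                continue
            rel = sec * SECTOR - offset         # negative when the request starts mid-sector
            lo, hi = max(rel, 0), min(rel + SECTOR, length)
            buf[lo:hi] = patch[lo - rel:hi - rel]
        return bytes(buf)


def write_repaired_copy(view: SuperimposedImage, out_path) -> int:
    """Clone the virtually repaired image so the copy has the overlay embedded."""
    written = 0
    with open(out_path, "wb") as out:
        while written < view.size:
            chunk = view.read(written, min(1 << 20, view.size - written))
            out.write(chunk)
            written += len(chunk)
    return written


def demo():
    """Build a constructed 8-sector image plus one overlay file in a temp dir."""
    d = Path(tempfile.mkdtemp())
    image = d / "disk.dd"
    image.write_bytes(b"".join(bytes([i]) * SECTOR for i in range(8)))   # sector i filled with byte i
    # Sector 2 "lost" its boot signature; provide a corrected copy of that one sector.
    fixed = bytearray(bytes([2]) * SECTOR)
    fixed[510:512] = b"\x55\xAA"
    (d / "disk.2.superimposition").write_bytes(bytes(fixed))
    view = SuperimposedImage(image, load_overlays(d, "disk"))
    return view, image
```

    The check a practitioner should keep in mind is visible in the code: the overlay is keyed by sector number, so a request that starts in the middle of a patched sector still gets the patched bytes, while the original image file stays byte-for-byte untouched until you deliberately write the repaired copy.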

  • Support for PC-compatible BSD disklabel partitioning.

  • Ability to image a physical device (e.g. local hard disk or remote hard disk or RAM opened through F-Response) automatically via the command line. The first parameter should start with a colon and then specify the number of the device in Windows (e.g. ":1" for hard disk No. 1). This will cause that device to be opened automatically upon start-up. The second parameter should start with a pipe, followed by either e01 or raw to indicate the preferred image file format, followed by another pipe and the path and filename of the image (e.g. "|e01|G:\Output filename.e01"). The third parameter can be "auto" to automatically exit X-Ways Forensics after imaging. (That command has always been available in WinHex and X-Ways Forensics, just like you were always able to open files through the command line or execute .whs WinHex scripts.)
    A powershell script that automates imaging physical memory on remote machines with F-Response Enterprise and X-Ways Forensics using the above-mentioned new command line options has just been posted here.
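    For anyone scripting this from Python rather than PowerShell, the following added example (not from X-Ways or F-Response) assembles the three parameters described above and starts the imager without a shell, so that the pipe characters reach the program as plain argument text instead of being interpreted by cmd.exe. The executable path in XWF_EXE is an assumption to be replaced with your own installation; the ":N", "|e01|<path>" / "|raw|<path>" and "auto" syntax is the one from the release notes.

```python
import subprocess
from pathlib import PureWindowsPath

# Assumed location of the executable; adjust to your installation.
XWF_EXE = r"C:\xwf\xwforensics.exe"


def build_imaging_args(device_no: int, fmt: str, out_path: str, auto_exit: bool = True) -> list:
    """Return the argument list for unattended imaging of physical drive number device_no."""
    if device_no < 0:
        raise ValueError("device number must be >= 0")
    fmt = fmt.lower()
    if fmt not in ("e01", "raw"):
        raise ValueError("image format must be e01 or raw")
    suffix = PureWindowsPath(out_path).suffix.lower()
    if fmt == "e01" and suffix != ".e01":
        raise ValueError("e01 images should be named *.e01")
    args = [f":{device_no}", f"|{fmt}|{out_path}"]
    if auto_exit:
        args.append("auto")                 # exit after imaging so the calling script can continue
    return args


def image_device(device_no: int, fmt: str, out_path: str, exe: str = XWF_EXE, timeout=None) -> int:
    """Run the imager and return its exit code. No shell=True: '|' must reach the program verbatim."""
    cmd = [exe, *build_imaging_args(device_no, fmt, out_path)]
    return subprocess.run(cmd, timeout=timeout, check=False).returncode
```

    Passing the arguments as a list lets subprocess quote the output path (which may contain spaces) for CreateProcess; with shell=True the "|e01|..." parameter would instead be read by cmd.exe as a pipeline.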

  • Simultaneous creation of 2 copies of .e01 evidence files was unsuccessful if they were given different names. That was fixed.

  • Reports the total number of CRC errors in the evidence object properties for each hash computation if chunk CRCs are being verified when reading from .e01 evidence files (see Options | Security).

Search Functions

  • Easy to use settings for the alphabet that defines word boundaries when searching for whole words only in Latin-based languages. The setting for the most thorough search results remains the default. Users that are overwhelmed by garbage hits for short keywords in non-text data such as Base64 or binary garbage may want to try the other two options. These other two options could lead to valid search hits being missed in some constellations (depends on the file format), but can still be justifiable as a great time saver for searches in text documents.

  • Ability to use GREP syntax specifically for some search terms only, while others are keywords in a natural language. For this setting make sure that the GREP syntax box is half checked, and prepend GREP expressions with "grep:".

  • Similarly, when not using GREP syntax, you can now search for only some search terms as whole words, also by checking the corresponding box half only, and by indenting search terms that you want to find as whole words only, i.e. prepend them with a tab character.

  • X-Tensions API: New flags XWF_SEARCH_WHOLEWORDS2 and XWF_SEARCH_GREP2 to reflect the new search options. New XT_PrepareSearch function supported that allows X-Tensions that monitor search hits to also monitor some search settings and adjust search terms.

  • Maximum number of contained search terms listed in the Search Term column of the directory browser is now 25 instead of 10.

Usability

  • In Gallery mode scrolling using the mouse wheel now always scrolls by exactly one page of thumbnails for reasons of convenience. Everywhere else the mouse wheel scrolls by as many lines as specified in the Windows Control Panel since v16.7. In v16.6 and earlier that was an option in the General Options.

  • When attaching an external directory to the volume snapshot, usually X-Ways Forensics creates virtual files in a new virtual directory. Now there is an option to accommodate the files in existing directories in the volume snapshot of the same name at the same position in the directory tree. Useful if you copy an entire directory structure off the image to convert/decrypt/translate/... files outside of X-Ways Forensics, and then want to bring the results back into the volume snapshot and see the files next to their original counterparts in the same original subdirectories. This can help for example if you wish to OCR and convert PDF documents that X-Ways Forensics has deemed non-searchable using Adobe Acrobat.

  • When attaching an external directory to the volume snapshot, you are now prompted whether the selected directory itself should also be attached (that was the standard behavior in earlier versions) or just its contents.

  • It is now possible to "unsort" the directory browser by clicking the header of the column that represents the primary sort criterion while holding the Shift key.

  • The Print command in the directory browser context menu now has a convenient option to print any child objects after the selected file(s), e.g. e-mail attachments together with their respective e-mail message.

  • Ability to print multiple selected files optionally in separate print jobs like in v16.3 and earlier.

  • It is now easier to enter dates in the timestamp filter dialogs. You can click buttons to get a calendar control in which to pick a date using mouse clicks.

  • Several other user interface elements were improved.

  • New icon for renamed/moved directories in FAT and exFAT volumes.

  • Some more statistics in the evidence object properties.

  • Ability to check for updates online occasionally (Options | Security). This can report the availability of later versions or new service releases of the currently used version and allow you to start the download. Does not send any data from within the program to the Internet, for example no system or user information or dongle ID, neither directly nor encrypted nor anonymized, of course no case data, not even the currently used version number, nothing. This option is active by default only if the program determines that it is running on the examiner's own system (if it is executed from the C: drive or if it was installed using the setup program). The check does not occur when running the program for the first time, so that you definitely have a chance to turn off this option before anything happens. Given the fact that most systems on which X-Ways Investigator and X-Ways Forensics are run do not have an Internet connection, this feature has a limited effect only.

  • Whether new report table associations for selected files are created for the selected files only or also for their child objects or duplicates etc. is now a setting that is individual to each report table.

  • The View | Refresh View menu command now also refills the directory browser if the directory browser has the input focus. Useful for example when a filter for tagged items is active and you remove the tag marks of some of the listed files, if you wish to update the listing in the directory browser and get rid of those files that are no longer tagged.

  • Buttons that allow you to expand or collapse all categories in the file type filter dialog. Expanding all categories can be useful if you would like to quickly find a certain file type by typing its letters while the tree view window has the input focus.

  • New verbosity option: If totally unchecked in Options | Security, only exception errors with a potentially serious impact (like considerably incomplete analysis results) will be brought to your attention in the Messages window. If fully checked, all of them will be output, like before, even those that occur typically with corrupt files only and have no negative impact on other analysis results. The new default option is a reasonable compromise.

Miscellaneous

  • Ability to copy up to ~4 GB of data into the internal clipboard in the 64-bit edition (~2 GB before and still in the 32-bit edition).

  • New hash type available: Adler32

  • The values of the bits in the volume attributes of HFS+ file systems are now output in the Technical Details Report.

  • Option to only make a copy of tagged files for inclusion in a case report instead of all or none. Useful if you wish to reference all notable files with their metadata in your report, but show only a subset of those.

  • Sorting by path accelerated.

  • Many other minor improvements.

  • Some minor fixes.

  • Program help and user manual revised and updated for v16.9.


Changes of service releases of v16.8:

  • SR-1: Search hits in the decoded version of files were erroneously highlighted in File mode, with their artificial offsets. That was avoided.

  • SR-1: Fixed an error in the way that the 64-bit edition read exFAT file systems.

  • SR-1: Fixed an error that could occur when copying e-mails with extremely long subject lines and attachments to an evidence file container.

  • SR-1: Avoided warning about evidence objects in use in some situations where it is not necessary.

  • SR-1: Fixed incorrect checkmark states in the Type filter dialog after double-clicking that could occur in Windows versions newer than XP.

  • SR-1: X-Ways Imager download updated with v16.8. Now includes a 64-bit edition, which is very useful as a powerful disk imaging and disk cloning program for the 64-bit edition of the lightweight Windows PE or FE.

  • SR-2: A 64-bit edition of the ordinary (not dongle-based) version of WinHex is now available to users with a professional or specialist license. Memory requirements of WinHex are very low, so that the extended logical memory address space of the 64-bit edition does not count as an advantage. However, unlike the 32-bit edition, the 64-bit edition can be executed from a 64-bit Windows PE such as the one that you can boot from your 64-bit Windows 7 or Windows 8 installation CD or that you can boot from your hard disk with a Windows 8 installation in case of problems. This is useful for example if you wish to edit/repair or wipe sectors in the partition that contains your installation of Windows, which are otherwise write-protected by Windows Vista or later. More information about Windows PE. Licensed users can retrieve the download link of the additional 64-bit files from the usual web page. The setup program remains a 32-bit program. As a portable application, WinHex does not need to be and should not be installed using the setup program.

  • SR-2: Avoided an infinite loop that could occur in v16.8 when running a file header signature search for index.dat records in free space.

  • SR-2: Fixed an exception error that could occur when loading older variants of the old evidence file container format.

  • SR-2: Prevented a rare exception error that could occur when taking snapshots of Ext file systems.

  • SR-3: Fixed an exception error in the 32-bit edition of X-Ways Forensics 16.8 that could occur after taking a snapshot of FAT volumes.

  • SR-3: Creating many thousands of report table associations at a time or importing them from an evidence file container could be very slow in v16.8. That was fixed.

  • SR-3: Intelligent naming for prefetch files in file header signature search.

  • SR-4: Some issues in X-Ways Imager were fixed.

  • SR-4: The owner ID of files originating from NTFS volumes was not passed on from 1st generation evidence file containers to 2nd generation containers. That was fixed.

  • SR-4: Sorting by evidence object no longer sorts alphabetically, but by the position of the evidence object in the case tree. This is much faster and perhaps even expected or desired by most users.

  • SR-4: The "Do not sort list" command now automatically refills the directory browser with the same items in the order in which they are referenced by the volume snapshot(s). Useful especially for users of X-Ways Investigator who are used to working with an unsorted list, accidentally click a column header and do not know how to refill the directory browser.

  • SR-4: Detects certain non-standard GIF pictures that can cause exception errors and does not try to process them any more to avoid problems.

  • SR-4: Ability to supply your own bitmap (16x16 pixels) that marks files as already viewed in the directory browser if you do not like the standard light green color. Provide it as a file named 9.bmp in the same directory where the .exe file is located.

  • SR-5: Improved ability to extract sender and recipient fields from artificial PST e-mail archives created by SysTools NSF to PST conversion.

  • SR-5: Minor improvements in Exchange EDB extraction.

  • SR-5: The registry report for Windows 8 registry hives is now as complete as for earlier Windows versions.

  • SR-5: X-Tensions that are invoked via Tools | Run X-Tensions are now applied by default to the active data window if a data window is open, just like via Specialist | Refine Volume Snapshot.

  • SR-5: Avoided certain situations where tagging a large number of files in large volume snapshots was extremely slow. (Please report back if you continue to have such a problem.)

  • SR-6: Fixed an error that could occur when extracting e-mail from Exchange EDB databases.

  • SR-6: Since v16.4, the Type and Category filters did not reliably address all numeric file types such as .123, .000, .001. That was fixed.

  • SR-6: Fixed an exception error that could occur under certain circumstances when creating previews for index.dat files.

  • SR-6: Fixed a rare exception error that could occur when extracting e-mail from MBox e-mail archives.

  • SR-6: Fixed a freeze that could occur when processing certain files named cache.db.

  • SR-6: Improved compatibility of evidence file containers of the new format mounted with Mount Image Pro when copying directories using Windows Explorer.

  • SR-7: File type verification signatures slightly updated.

  • SR-7: Fixed an error that could occur when processing SQLite databases.

  • SR-7: Fixed some errors that could occur when processing certain corrupt files.

  • SR-7: Prevented a situation where the 64-bit edition could hang when using the option "Skip and exclude data in free clusters" in disk imaging.

  • SR-7: Fixed an error in v16.8 that in certain situations (more often on computers with many processor cores) created a small amount of invisible surplus data at the end of compressed .e01 evidence files. This could lead to a wrong verification hash and a read or CRC error message in other tools, although all the data that was presented and user-accessible in those tools was 100% correct.

  • SR-7: Fixed errors that could occur when reaching the limit of ~176 million search hits.

  • SR-8: Fixed a data error that occurred when imaging media with more than 4,294,967,295 sectors.

  • SR-8: Avoided an exception error with certain non-standard volume labels in FAT file systems.

  • SR-8: Fixed an exception error that could occur in the 64-bit edition when processing .evtx event log files.

  • SR-8: Fixed an exception error that could occur when processing certain MSG files.

  • SR-9: E-mail extraction from MSG files improved.

  • SR-9: Prevented distorted text proportions that could occur on cover pages when printing multiple files with the viewer component at the same time.

  • SR-9: Fixed an error in the search function of the registry viewer.

  • SR-9: Fixed a crash of the Recover/Copy function with overlong file paths in the non-dongle-based version of WinHex.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)

Competition is normal and healthy. Patents and court battles about rectangles and finger movements are not. Please reconsider before buying Apple products. Thank you.
