X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 


WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#163: X-Ways Forensics, X-Ways Investigator, WinHex 20.0 released

Aug 18, 2020

This mailing is to announce the release of another update with many notable improvements, v20.0.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal or professional license and access to updates)

Customers please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Dates Location Course Delivered by
Sep 1-4 new Online X-Ways Forensics X-Ways
Sep 8-11 new Online X-Ways Forensics X-Ways

Sep 28-29 new

Online X-Ways Forensics II X-Ways
Sep 28-Oct 1 Salt Lake City X-Ways Forensics H-11

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.0?
(please note that most changes affect X-Ways Forensics only)

File System/Disk Support

  • UFS support has been revised. Significantly more UFS variants are now understood.

  • APFS: Supports new Catalog ID structure as created by Mac OS Catalina.

  • Technical Details Report/evidence object properties now show details of MacOS X Installations on HFS+ or APFS volumes: Exact OS X version, timezone, the system's network and display names.

  • Support for much more deeply nested subdirectories in XFS volumes.

  • Supports Ext4 volumes with version 2 of sparse superblocks.

  • Slightly more complete output of Ext* file system timestamps.

  • Ability to choose which copy of a FAT12/FAT16/FAT32 file allocation table to work with, in Options | Volume Snapshot. This can be either a user-designated copy or the one that is defined as active in the boot sector (in case of FAT32). If neither the user selects a copy nor the boot sector defines a single copy as active, the first copy will be used, labelled as "FAT 1", like in earlier versions. The copy that was selected at the time when the volume snapshot was taken will be used for the whole lifetime of that volume snapshot, even if the settings are changed. It is displayed in the Info Pane. The Technical Details Report now informs which copy or copies are considered active in the file system.

  • Identifies unpartitioned physical disks or disk images as such in some rare cases where it previously didn't.

  • General option to open volumes including the slack that doesn't add to another cluster just like when opening an entire partition. The data in that area, aside from a potential NTFS backup boot sector, does not belong to that volume logically and was stored there before the volume was created. It is not needed to parse the file system or to mount the volume (though some tools may output an error message if it's not included). Including such data in a volume image can be an IT security leak if only the regularly accessible part of the volume had been sanitized before usage.

  • Identifies some new bus types of currently attached storage devices.

  • Active sector superimposition is now remembered in an evidence object and automatically re-activated when the evidence object is opened next time, and you will be reminded of that.

  • Generally improved handling of incomplete/corrupted .e01 evidence files, similar to storage media with unreadable areas (bad sectors). NTFS: A limited listing of system files is now presented based on $MFTMirr if in an such an incomplete image $MFT is not included, but $MFTMirr is.

  • Ability to abort the potentially time-consuming preparation of a cluster allocation map for huge volumes and still proceed with taking the actual volume snapshot if desired (without reverse cluster allocation information).

Picture Support

  • New version of the internal picture viewing library.

  • WEBP pictures are now supported in Preview, Gallery, and for the View command.

  • Ability to view pictures in some variants of the DICOM format.

  • Metadata extraction from WEBP pictures revised. Output of processing states, similar to PNG files. File type identification/verification for DICOM and WEBP revised.

  • All JPEG files are now presented with a processing state in Details mode. Two additional state values were introduced.

  • The processing state now depends on the detected generator, where each generator is now assigned to one of three generator classes D (device), E (editor), or C (content management system). JPEG files produced by generator class D are absolute originals. The processing state is always "original". JPEG files produced by the generator class E are relative originals. Their processing state is always "Edited normally". Examples are photos published by news agencies like Reuters.

  • The detected processing state of the third generator class (CMS like WordPress, Drupal, TYPO3, Joomla etc.) can assume different values. They are usually irregularly edited, i.e. their edited status is not officially indicated. The state can be deducted indirectly based on filename, generator signature, pixel dimension. The state "irregularly edited" can also result from picture manipulations.

  • The new processing state "scaled" means that a picture was created with a content management system such as WordPress, TYPO3, Drupal. It can be said with a high probability that such pictures have been released to the public, which entails a reduced intelligence value. Practically such pictures cannot be regarded as documents. They were automatically and individually adapted to the respective output display in order to optimize the loading time of the web page.

  • The state "EXIF stripped" refers to JPEG pictures, whose device origin was detected although no EXIF metadata is present. The device can potentially be detected based on generator signature, filename or a characteristic pixel dimension.

  • The state "social media" is indicated separately because such pictures often have a higher intelligence value. Unlike news agency pictures they are rather semi-public in nature.

  • The state "minimized" is also new and indicates that the JPEG quality was reduced or that the file size was reduced by optimized recompression (jpeg-recompress, JPEGMini).

  • The state "undefined" means that the status cannot be determined. It's a category for everything that remains. Such pictures are usually also the output of content management systems, those that do not identify themselves and whose format is not yet identified (which may change in future versions).

  • The processing state and other values (size, bits per pixel, filename analysis) are now also output for PNG files. The same processing states as for JPEG are used, except "Irregularly edited" and "EXIF stripped" are not possible. The value "Original" is used only for screenshots, if they have passed a special test.

  • The "size" reported for JPEG pictures in Details mode now always has 1 or 2 values. Sizes that are not standard sizes with a common name (such as "XGA") are described as "thumbnail", "medium", "medium large", "large" or "big" based on the terminology established by Wordpress. If a generating device is identified, the field is named "sensor size" instead or - in the case of scanners - "paper size".

  • Reduced false positive rate when detecting scanned documents.

  • JPEG screenshot identification now based on generating device recognition.

  • Improved classification of pictures based on pixel dimensions.

  • X-Ways Forensics now knows an additional 5000+ devices to better identify the origins of JPEG pictures and other files. The generator signature table and video signature table updated.

  • Simplified output of "Quality" in the summary table for JPEG files. It can assume one of the values High, Medium, Low and Very low. It is based on the lossy compression percentage of the DQT segment.

  • Additional test in the check for camera originals based on whether the EXIF tags are sorted or not.

  • Output of GPS coordinates with up to 6 digits after the decimal point. This is useful because of the habit of newer Samsung device models to specify more decimals and indirectly express the precision of the value by that, contrary to the convention to use the GPS Error tag for that information, unlike Apple and older Samsung models.

  • If the GPS format encountered is "unexpected" based on the assumed source of the JPEG file, that is brought to the user's attention in Details mode. The GPS format will be shown as "unknown" if it is not used in camera original pictures (for example the format of the Geosetter application).

  • Generally improved GPS format consistency tests.

  • Some more "content created" timestamps are now extracted from pictures, in particular from XMP metadata.

  • Output of Photoshop's "Preserved file name" in the metadata.

File Archive Support

  • Support for split zip archives in PKZIP/WinZip and 7-Zip styles (a.k.a. spanned or segmented archives).

  • Extended timestamps from the extra field in zip records are now extracted and presented in the timestamp columns based on Apple specifications, which however is not always how these timestamps are meant. An alternative interpretation can be seen for each zip record in Details mode when selecting the zip archive. The latter interpretation shows these timestamps with the "UT" prefix and tries to recognize the actual format variant, for example that used in GrayKey collections, and from GrayKey collection also extracts an additional type of timestamp (a record change timestamp).

  • The alternative interpretation of extended timestamps can also be made available in the directory browser. This is an option in Options | Volume Snapshot. The alternative processing currently takes some more time.

  • In newly refined volume snapshots, the column "1st sector" is now populated properly for files in Zip archives with the sector that contains the local zip record of the respective file. Clicking a file in a zip archive now automatically jumps directly to its local zip record, which is followed by the (usually) compressed file data. Does not apply to files in nested zip archives.

  • Detection and avoidance of more variants of zip bombs.

  • The alternative TAR extraction method now estimates the size of the MBOX e-mail archive in a Google Takeout TGZ file if that size was erroneously stored as 0, which apparently happens in real life. Only that work-around allows to extract the MBOX e-mail archive file from such a takeout at all, and once that has happened of course the e-mail messages and attachments can usually be extracted from the e-mail archive.

  • Navigation within a file archive with directories is now possible without leaving File mode when touching a directory.

  • Archive subtypes in a section that is not selected for automatic inclusion in the volume snapshot are now still explored when manually double-clicked by the user.

  • Support for .ctx Chrome Extensions as file archives. That file type is now included in the "Special interest" section of archives in a fresh installation.

  • Improved ability to extract attachments in PDF files, in particular in so-called PDF portfolios (user-compiled collections of arbitrary files), with the original names and internal paths of the attached/embedded files, where the Description column identifies these files as attachments.

Spreadsheet Support

  • New ability of the logical Simultaneous Search to find numbers and dates not only if stored literally as text, but also if numbers or dates are stored in binary form in certain spreadsheet files (e.g. in OLE2 compound file format) or in some other encoded form (e.g. dates encoded as textual integer numbers in XML), if the "decode text" option is on. This works pretty well with numbers in Excel and LibreOffice Calc spreadsheets, but can be tricky occasionally with the format of dates if the original Excel user has selected a custom date format instead of one of the standard date formats and also because of some specialties with certain Calc files where it's not 100% predictable that a date will be extractable in the expected format. This kind of search likely works with some other file types as well, e.g. older spreadsheet types like MS Works or Lotus 123. You can try and define the file types in Options | Viewer Programs if needed. To quickly see and double-check the extraction of numbers and dates from a particular file of interest, you select that file in the directory browser and switch from ordinary to raw preview mode with the Shift key pressed. Please feel encouraged to completely remove that new file mask there for faster text decoding if you do not need to search for numbers and dates in spreadsheets.

    Some more details about number searches: Consider a cell in an MS Excel spreadsheet that contains the number 1234567. You can now find that number with the Simultaneous Search searching simply for "1234567" (without the quotation marks). Even if you just know part of the sequence of digits and search for "34567", you will get a search hit (unless the "whole words only" option is on). If the cell has the "number" format (not "general"), with digit grouping enabled, you can optionally get the number with digit grouping when the file is searched/indexed/decoded in that volume snapshot for the first time, using the digit grouping symbol that is defined in X-Ways Forensics in Options | General | Notation, but that is not generally recommended because you would have to search for the same number both with and without the grouping symbol if you don't know whether the original spreadsheet cells were formatted as "number" with or without digit grouping or as "general". Anyway, to give you another example, if you enable that option for digit grouping in number cells in Options | Viewer Programs and you live in an English speaking country, using a comma as the digit grouping symbol, you would thus search for "1,234,567" to find that number in a number cell. You can also search for just ",567" to find the digit group "567" at the end or in the middle of any longer number in that notation.

    If the number that you are looking for is a floating point number, the same rules apply, and you can optionally enter the number with as many decimals as you expect to be visible in the cell in the original application (or less), with the same decimal symbol as in your notation settings in X-Ways Forensics (either a point or comma). If a floating point number is stored for example as 9.876 and formatted to show 2 decimals, it will be shown rounded as 9.88 in the original application and will also be searchable like that in X-Ways Forensics. The same rules apply to currency amounts. You can append or prepend the currency symbol if you know for sure that it was shown in the original formatting, and how (e.g. with or without space between currency symbol and number), or you just omit symbol.

    You can search for dates in pure date cells using the notation that is active in X-Ways Forensics as the so-called simple date format. If your simple date format is MM/dd/YY, you would search for 12/31/19 to find the date Dec 31, 2019. Partial date searches are also possible, and make sense especially if you do not use American date styles. For example in ISO notation "yyyy-MM-dd" you can search for "2019-07-". Or in German notation "dd.MM.yy" you can search for ".07.19" to find any date in July 2019.

    Pure time cell searches have also become possible (with partial or whole time expressions). Just make sure to use the separator that is active in X-Ways Forensics for the display of times. Searches for combined date and time values are supported, however, the delimiter between date and time that you can expect is not the delimiter defined in Options | General | Notation, but typically a single space, or an individual delimiter defined by the user of the spreadsheet.

    If an Excel worksheet is embedded in a .docx, .pptx, or .odt file and the volume snapshot has been sufficiently refined, the worksheet will be processed and searched in the same way as if it was a separate file. If embedded in a .doc file, you would get a notification in the form of a report table association "Contains embedded document(s)", which is often useful to check manually anyway.

    The number search capabilities should prove very useful especially in forensic accounting, tax fraud investigations etc. Please note that the simple search function of the viewer component (Ctrl+F) in ordinary ("pretty") Preview mode or the View command cannot find numbers or dates in spreadsheets, no matter how you type them.

  • Preview mode and the View command now use the same digit grouping character, decimal character, date separator, time separator and date order as active elsewhere X-Ways Forensics, to format numbers and dates in spreadsheets.

E-mail Support

  • Alternative extraction methods are now available for PST/OST/MBOX e-mail archives (still in a testing stage). These methods will be used if the main extraction method fails to extract e-mails or if preferred by the user. There is a new check box for that preference, not labelled but tooltipped. The alternative method for PST/OST does not work with password-protected e-mail archives and cannot find previously existing objects.

  • When attaching a directory with external files to an e-mail archive (PST, OST or MBOX), the contents of that directory will be treated like the result of an e-mail extraction performed by the viewer component. That means for example that redundant empty top-level directories like "Top of Personal Folders", "Root - Mailbox", "IPM_SUBTREE" will be skipped and that the MSG files will automatically be split up into to EML files with e-mail headers and bodies plus separate attachment files. Such an extraction can be performed with the context menu commands "Extract Selected Files" and "Extract All Files" in the preview or view of those e-mail archives.

  • E-mails that are extracted from PST/OST e-mail archives and that are attached to other e-mails are now described as extracted e-mails and attachments at the same time.

  • Support for more code pages in e-mail extraction from MSG.

  • The alternative .eml preview option now affects PDF representations of e-mails generated by the Recover/Copy command.

General File Format Support

  • Revised and more thorough metadata extraction from HTML files. In particular, "Open Graph" metadata is now extracted.

  • Support for certain copy-protected PDF documents used by X-Ways.

  • Ability to import hash values from v2.0 of Project VIC JSON files.

  • Can now find search terms in ISO-2022 code pages (Japanese, Korean, Chinese) that span an escape sequence in the original data. Can now find individual characters that require escape sequences in Korean and Chinese ISO-2022 code pages.

  • Improved conversion from/to ISO-2022 code pages.

  • UTF-16 text from the clipboard is now pasted without the null terminator.

User Interface

  • WinHex and X-Ways Forensics now respect Windows settings for window text and background colors. We are referring to the settings that you were able to reach with a few mouse clicks in the Control Panel in Windows XP, which in Windows 7 you can still find via Personalization | Window Color | Advanced appearance settings, and which in Windows 10 can still be edited as raw RGB value with the Registry Editor in this key: HKEY_CURRENT_USER | Control Panel | Colors (followed by logging in and out).

    Black backgrounds for almost all parts of the user interface (main window, data window, Case Data window, ...) in particular are now supported in X-Ways Forensics, which can be helpful when working in an environment with little ambient light, which generally benefits users who think they can work longer with a less bright screen, and which in general should reduce the disruption of melatonin production and the circadian rhythm among people who face screens emitting unnatural light. The viewer component already previously respected those settings for most document types (it does not or cannot respect them for PDF files for example).

    For the most complete dark screen experience you would change your entire Windows system to a dark theme. The easiest way to achieve that not only for "apps", but also real desktop applications, is to activate the black high contrast theme. In Windows 10 you would go to PC Settings | Personalization | Settings for high contrast | Activate high contrast | Contrast black.

  • A "forced" dark mode just within WinHex/X-Ways Forensics is now also readily available, even without any of the above procedures or settings, in Options | General, which you can activate when needed for night time or generally, for health reasons or to attract less attention during secretive work in a dark adversary environment. It is not 100% complete, as for example it does not affect user interface elements such as window captions, pop-up menus, scrollbars, standard file selection windows or date selection boxes. For those dark mode support from Windows is needed (see above).

  • Various meaningful colors in the graphical user interface had to be adjusted in X-Ways Forensics' own dark mode or when a black background color in Windows settings is detected and adopted, for example the color of file types depending on the type status. In the calendar, the grayscale coding of days with lots of activities is inversed if the background color is black. If you discover text that is unreadable in dark mode, please report back. Color preferences for block selections, tag marks, "already viewed", modified bytes, and positions/search hits highlighting are now remembered separately for normal mode and dark mode.

  • A new option useful in conjunction with dark mode is the ability to render pictures with the internal graphics viewing library as well as all thumbnails in the gallery darker. If that check box, which can be found next to the check box for dark mode in Options | General, is half checked, that means the pixels will be darkened a little less.

  • Some more GUI adjustments for high DPI settings.

  • The Windows username of the current user is now logged in each section of msglog.txt, in addition to the exact program release, which was previously logged already.

  • The command line parameter for automated (unsupervised) imaging is now supported in X-Ways Imager just like in X-Ways Forensics.

  • The filters for size and first sector now have a modulo option. With that option in the Size filter you can for example filter out files that are not a multiple of the sector size, when looking for raw disk images or TrueCrypt/VeraCrypt container files. With that option in the First Sector filter you can for example focus on files that are cluster-aligned or not.

  • Settings of the Size filter, the Hash Value filter, and the Device Type filter are now stored in .settings files and in .xfc case files like the settings of other column-based filters.

  • The Flex filters now have the option for a logical AND combination of all filter terms, so that for example you can filter for e-mails that at the same time are described as attachments.

  • Improved option to filter for carved files with the Description column.

  • The text filters for comments, metadata, and event descriptions now have an option for case sensitivity.

X-Tension API

  • New X-Tension API function XWF_ManageSearchTerm().

  • Ability of the X-Tension API XWF_Search() function to specify the alphabet(s) that define word boundaries.

  • XWF_OpenItem now supports a new flag to open only the plain text of files, which X-Ways Forensics is able to extract from various file types.

  • C++ function definitions and C++ sample projects updated on the X-Tension API web page.

  • Fixed an error in the disk I/O X-Tension API.

Miscellaneous

  • More efficient generation of thumbnails of non-pictures in the gallery.

  • The generation of thumbnails of non-picture files for the report is now more consistent in the results it produces.

  • Usage of internal keyboard hooks for enhanced keyboard shortcuts is now optional, cf. Options | Security.

  • Some improvements in stability and error handling.

  • SR-1: Fixed an exception error that could occur when extracting embedded data from PDF documents.

  • Users who are cut off from their offices and/or have no access to their dongles due to a regional lockdown, quarantine measures, travel restrictions or mail service disruptions have this option since May 2020: As long as someone else has access to your dongle (a colleague), they can temporarily deactivate (mothball) the dongle in v20.0, which allows you to use X-Ways Forensics with other means instead, for the time being, at a nominal price. For details please see www.x-ways.net/dongle_protection2.html.

  • Many minor improvements.

  • User manual and program help updated for v20.0.


Changes of further service releases of v19.9

  • SR-8: Password detection using a dictionary did not work in certain encrypted archives. That was fixed.

  • SR-8: Big-endian interpretation of data as FILETIME timestamps in the Data Interpreter failed when interpretation as a big-endian floating point number was active and not successful ("NAN"). That was fixed.

  • SR-8: Fixed processing of Windows.edb and SRUDB.dat files in v19.9.

  • SR-9: Prevented a rare exception error that could occur when resolving symlinks.

  • SR-9: Prevented a very rare exception error that could occur when parsing Zone.Identifier ADS.

  • SR-9: A rare error that could occur when reading XFS directories has been fixed.

  • SR-9: Ability to process certain MBOX files with unusual line break characters between e-mails.

  • SR-9: Fixed inability to read from files in some GZ archives that occurred if these files were opened repeatedly and the evidence object was not closed in between.

  • SR-9: Fixed RunCount interpretation of certain Windows 10 Prefetch files.

  • SR-10: Fixed an internal recoding error for search terms that could occur when the simultaneous search was run as part of volume snapshot refinement.

  • SR-10: Prevented a crash that could occur when extracting metadata from certain MP3 files with a corrupt ID3 tag.

  • SR-10: Under certain circumstances, logical searches with multiple threads unnecessarily processed the same file more than once. That was fixed.

  • SR-10: The alternative TAR extraction method no longer omits files with a size of 0 bytes in TAR archives.

  • SR-10: X-Tension API: XWF_GetVSProp() with XWF_VSPROP_SET_HASHTYPE1* and XWF_SetHashValue() did not work in volume snapshots with no previous or simultaneous hash value computation. That was fixed.

Viewer Component

  • A new download of v8.5.4 of the viewer component was made available on July 16. Oracle security fixes from July have been applied. The below issues were addressed. Some of these bullet points are quoted verbatim, others have been rephrased for better general understanding where possible.

    E-mail with background color set to white color will make the white body text disappear
    Email header is in a dark background
    Issue with text extraction from One Note with non-ASCII characters
    Issue with text extraction from PDF with broken words with spaces
    Issue with text extraction from PDF incorrect Hebrew texts from PDF file
    Conversion from MS Word DOC to PDF could produce garbage character
    Viewer hangs while rendering a certain PDF file with formulas
    Conversion from MS Word DOC to PDF could print certain paragraph numbers twice
    Enhancement for support of HWP files 5.0.4 and above
    Outlook Appointment files show as corrupted when viewing/exporting.
    Candidate Word file attachments received corrupted from Outside-In service
    Selecting from both body and header of MSG document creates redaction more than
    Viewer failed to display content of a particular MS Excel document properly
    msg file converted with extra question mark like character
    OutsideIn garbles Japanese and other multi-byte characters
    Drawpage produces half size view for the tiff file
    Exporting PDF file results in inverted text
    Conversion to PDF skips some text and graphics elements
    Crashes when viewing a particular MS Excel document


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Proof your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Take care everyone.

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

#162: Various news related to X-Ways Forensics

May 25, 2020

This mailing is to announce various news and changes, about service releases, an upcoming new version and more.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal or professional license and access to updates)

Customers please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data (!!), details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Dates Location Course Delivered by
May 26-27 Online X-Ways Forensics II (almost full) X-Ways
Jun 4-9 Online X-Ways Forensics X-Ways
Jun 22-25 new Online X-Ways Forensics X-Ways
Jun 29-Jul 2 new Online File Systems Revealed X-Ways

Jul 8-9 new

Online X-Ways Forensics II X-Ways
Aug 24-27 Salt Lake City X-Ways Forensics H-11
Sep 28-Oct 1 Salt Lake City X-Ways Forensics H-11

Please sign up for our training newsletter here if you would like to be kept up to date on future classes.


What's new to report?
(please note that most changes affect X-Ways Forensics only)

v19.9 SR-1

  • Fixed usage of predefined Project Vic categories.

  • PDF conversion failed for certain extracted files. That was fixed.

  • Some timestamps in UTC were displayed in v19.9 as if they were stored in local time. That was fixed.

  • Fixed an exception error that could occur in v19.9 when extracting internal metadata specifically without "Content created" timestamps.

  • Fixed an exception error that could occur when extracting metadata from certain QuickTime video files.

  • Fixed screenshot paths in the activity log of cases created with v19.9.

  • FYI, "converting" individual original PDF documents to PDF format for report generation or during Recover/Copy can make sense to security-minded users because it will not transfer potentially malicious JavaScript code from the original files to the newly generated PDF files.

v19.9 SR-2

  • Updated RunCount interpretation in Prefetch files based on Windows 10 versions 1903 and 1909.

  • On request (after prompting the user), accepts certain malformed Ext* superblocks as valid.
    Recognizes Ext4 volumes with the bigalloc feature as Ext4.

  • More precise type classifications of events extracted from WebCacheV01.dat files as Cookie timestamps and modification timestamps.

  • Avoided indexing interruption by "Numeric limits exceeded" error in v19.8 and v19.9.

  • New notation option that uses a special backslash character in paths in order to force path components to be displayed strictly in left-to-right order even if multiple consecutive components are in Arabic or Hebrew. Currently this has an effect in the Path columns of the directory browser, the caption line of the directory browser, and the path line in the Info Pane.

  • Internal graphics viewing library updated for PNG.

  • Avoided certain unnecessary reminders to use the latest version of the viewer component.

  • Fixed occasional change of the "Omit unchecked/unselected items" setting of textual dialog window representations.

  • Several minor improvements..

v19.9 SR-3

  • Fixed reset of the amount of memory used for indexing when the dialog window with the settings was opened.

  • Fixed potential rejection of indexes as invalid.

  • Prevented some loss of functionality that could occur when parsing certain misidentified CDFS data structures.

  • APFS: Unnecessary repeats of the message informing the user about unsupported high Catalog IDs are now avoided.

  • The option to omit unselected items in dialog windows from text representations does not have an effect on checkboxes and radio buttons any more, only lists.

  • That option is now more prominently shown in the Case Properties dialog window for textual screenshots of the case's activity log.

  • Output of a reserved backward compatibility GUID variant by Microsoft in the Data Interpreter and in templates.

  • Some other minor improvements.

  • Supersedes expiring previous service release.

v19.9 SR-4

  • Fixed problem with exchanging clipboard data between multiple simultaneous instances.

  • Fixed certain unsuccessful index searches for sequences of Asian language characters.

v19.9 SR-5

  • Fixed an infinite loop that could occur in v19.9 when indexing large amounts of data.

  • Fixed exception error in API function XWF_CreateEvObj when applied to empty cases.

  • Some minor fixes and improvements.

v19.9 SR-6

  • Fixed an infinite loop that could occur when processing a TAR archive that is stored in a corrupt parent archive.

  • Fixed a sector read error that could occur in v19.9 when re-opening evidence objects that are physical storage devices.

v19.9 SR-7

  • Fixed an infinite loop that could occur when processing nested TAR archives within a corrupt parent archive.

  • Prevented a very rare exception error that could occur when loading the file signature table.

  • Fixed a display problem with GIF pictures in v19.9.

  • Ability to create and fill evidence file containers with WinHex Lab Edition.

  • Fixed an exception error that could occur when extracting metadata from certain PNG files.

  • The device type filter now also works for PNG.

  • New X-Tension API functions XWF_GetWindow() and XWF_GetProp().

  • New nPropType 50 for the X-Tension API function XWF_GetEvObjProp().

  • Processes zip archives with certain non-standard headers.

  • Several other improvements.

Viewer Component

  • A new download of v8.5.4 of the viewer component was made available on April 18, and was updated again on May 23. Oracle security fixes from April have been applied. Known addressed bugs/issues:

    Web-view export crashes when exporting PDF file
    Installation of 8.5.4 breaks conversion in .NET application
    Fidelity Issues with HTML5 Conversion of PDF
    Attachments of message eml files with winmail.dat not extracted
    Infinite loop with certain pdf files
    Certain MSG files generate out of memory error
    PDF file with ZAPFDINGBATS does not display properly
    MSG converted to PDF has striked out lines
    EMF OUTPUT QUALITY OF PDF FILE WITH EMBEDDED FONTS IS NOT GOOD
    PDF to Image produces improper outputs on WCC11G Patches
    A separate embedded email does not get extracted
    Certain PDF file does not render
    Spacing issue after PDF export
    Viewing of PDF with embedded Fonts results in garbled text
    PDF File rendered with garbage characters
    Not all the characters are being displayed
    Issue with the attachments and Message Body in the eml samples
    PDF text shows as garbled in viewer
    No attachments get extracted for 201401_00943057_winmail.dat
    Text and Spacing issues
    PDF garbled
    PDF conversion issue
    Extra spaces and new lines are found in content of some pdf file
    External Compute Instance Can Not Preview PDF (BIDI)
    Rendering issues in 8.5.4 but not in 8.5.3
    Multiple degradation after upgrade to 854 from 853
    Lines are struck out when viewing certain msg file
    Viewer hangs on attached PDF file
    Conversion to PDF: Header text is shown on the wrong side
    PDF export fails to process certain pptx files
    Attachments not extracted from tnef encoded eml files.
    Overprint issue with some .DOCX files
    SOME CHARACTERS ARE OUT OF THE VIEWING AREA AND SOME ARE OVERWRITTEN
    Special characters (ö,ä,ü,ß) are not displayed correctly and missing
    OIT should support LATEST HWP Version 5.0.4.x and 5.0.5.x
    Unknown error when opening doc in viewer
    "Unknown chunker failure" error when viewing the attached docx file
    Support additional properties from winmail.dat
    Extraction of an attachment does not work in a certain eml file
    Redactions shifted in Excel documents

Other News

  • v20.0 Beta is available for download and can be recommended. Changes are described here.

  • Dongle users who are away from their offices for a while and need to work from other locations because of quarantine, lockdown, or travel restrictions and who do not have their dongles with them can find a possible temporary solution here.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Proof your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Take care everyone.

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

 

 

 

> Archive of the year 2019 <

> Archive of the year 2018 <

> Archive of the year 2017 <

> Archive of the year 2016 <

> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <