#109: WinHex, X-Ways Forensics and X-Ways Investigator 14.9 released
Apr 17, 2008
This mailing is to announce a noteworthy update, v14.9.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed
users whose update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information
such as download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
WHAT'S NEW?
* WinHex and X-Ways Forensics now point out if a file in an
NTFS volume has been only partially filled with data. Such
files are marked with "partial init." (partial initialization)
in the Attribute column and can be filtered based on that. The
size of the actually initialized/defined portion of the file
is now displayed in the Details Panel when opening such a file
or when looking at it in File mode, labelled as "Valid data
length", and the affected uninitialized range will be displayed
in a different color. Search hits in the uninitialized portion
of a file will be marked as search hits in "slack etc.". The
fact that a file has been partially initialized only (but not
the extent) will also be remembered by containers.
All of that is meant to help a skillful forensic examiner avoid
drawing inaccurate conclusions. This risk exists because
data that is stored in the allocated clusters of a file may be
_old_ data that was present on the disk before the clusters were
allocated to that file, if the clusters have never been actually
overwritten with new data. Or in other words, that may be data
that has nothing to do with the file, although according to the
logical file size it is part of it.
Typically, file types that are not always fully initialized can
include
- Windows Registry
- Windows Event Log (.evt and .evtx)
- CRMLOG
- Outlook PST
- Outlook Express DBX
- Windows MediaPlayer databases
- Windows Reliability Monitor
- SystemIndex Indexer CiFiles
- Microsoft Network Downloader
- Windows Font Cache
- Windows Vista thumbcache
- Windows rescache
- Microsoft IME User Dictionary
- Java .jsa
and database files, temporary files, and generally files created
by applications that like to preallocate storage space for
performance reasons/to prevent later file fragmentation.
* When extracting e-mail messages and attachments (forensic
license only), attachments now become child objects of their
respective parent e-mail messages. That makes it very easy to
find the attachments for a given e-mail message, or to find the
e-mail message that contains a given attachment. Because of this
parent-child relationship, you can now conveniently include the
containing e-mail message when copying attachments to an evidence
file container, or include the attachments when copying the e-mail
message. Tagging an e-mail message will also tag its attachments.
Tagging an attachment will at least partially tag the containing
e-mail message. The old e-mail extraction logic from v14.8 and
before, where attachments were collected in a separate directory
"Attach", can still be used by choosing to not allow files with
child objects (see Options | Directory Browser). Note that this
option will eventually be removed in future versions. It is
included for backwards compatibility only.
* The names of attached and embedded files that belong to e-mail
messages in the same folder in the same e-mail archive are usually
no longer made unique by artificially inserting an incrementing
number in square brackets before the extension, so they are now
usually authentic/original.
* The rendition of the body of e-mail messages extracted from
PST archives with Outlook 2003 or later present is now more
faithful for Asian languages.
* The directory browser context menu command that in previous
versions found the containing e-mail message for a given
attachment has been renamed "Find parent object", moved to the
Position submenu and can now be applied to _any_ file. Its
function is now identical to the Backspace key, and it's now
available with any license type. It also no longer switches back
from a recursive to a non-recursive view if the parent object is
already listed in the directory browser in that recursive view.
* Password-protected Outlook PST e-mail archives will now be
marked with "e!" if either the encryption test is applied to
such files or if you try to extract e-mail from such files.
* The e-mail extraction functionality now checks *.pst for their
signature and original *.eml for the presence of embedded files
before trying to do the extraction, to reduce the number of files
for which "no e-mail found in..." is reported unnecessarily.
Files embedded in original .eml files are now extracted directly
as child objects, and the e-mail message is not duplicated anymore.
* Some more minor improvements/fixes for e-mail processing,
concerning e-mails with unusual line-break formats, Pegasus Mail
and PocoMail files.
* Better structured and more visually appealing representation
of internal file metadata in Details mode for various file types.
* Representation of .lnk shortcut files for Preview mode and
View command now more visually appealing. (forensic license only)
* Metadata extraction from MS Office 2007 XML, OpenOffice XML,
StarOffice XML, .dmp memory dumps, and PNF (precompiled setup
information) files. Metadata extraction from hiberfil.sys files,
wim Vista image files, and GZ archives in Details mode. (forensic
license only)
* Ability to decompress Windows XP 32-bit hiberfil.sys files,
whether active or inactive ones, after having copied them off
the image to your own hard disk, to get a dump of physical memory
with all in-use pages from a previous point of time when the
computer entered into hibernation, as well as individually carved
xpress chunks from hiberfil.sys files, including xpress chunks
located in the "slack" of hiberfil.sys that are even older. This
feature is available in Edit | Convert. (forensic license only)
* Support for true Unicode filenames for the examination of Zip,
RAR, and 7zip archives (forensic license only). Note that for Zip
archives with true Unicode filenames to be processed correctly,
you need to pick the correct code page in the case properties first.
E.g. for Zip archives created under Linux, that's likely UTF-8.
For Zip archives created under Windows in Asia, that's likely a
regional code page.
* Better support for very large archives in excess of 2 GB. Some
other minor improvements in relation to archive handling.
* Creation and last access timestamps are now extracted from zip
archives when including their contents in the volume snapshot,
if these timestamps are available.
* The option to not include free drive space in otherwise complete
sector-wise images of partitions/volumes is now available in
X-Ways Forensics, too, not only in WinHex when run with a specialist
or forensic license. It's now included in X-Ways Forensics because
more selective instead of complete acquisitions may be preferable
or even required in certain jurisdictions and because certain
prosecutors wish to limit examinations to existing files anyway.
Special precautions help to avoid unintentional use of this option.
* Ability to filter out those previously existing items only whose
first cluster is known to be unavailable (most notably the so-called
"X files"), by using a new third state of the checkbox entitled
"List previously existing items". (forensic license only)
* Ability to focus on files that have child objects with the
Attribute filter. (forensic license only)
* Whenever one or more filters are active that actually filter out
items in the currently displayed directory browser, the two blue
filter symbols in the directory browser's caption line are now
clickable and allow you to deactivate *all* filters with a single
mouse click, to ensure you are not missing any file. This was a
frequently requested feature. This also causes the search hit
list to be displayed in full, in that if multiple search terms
are selected and "Min. x" or "All x" settings are used, they are
reduced to "Min. 1". It also unchecks the "List 1 hit per file
only" checkbox, if checked. (forensic license only)
* Ability to read and write .e01 evidence files with a segment
size larger than 2 GB. In fact it is not necessary any more to
split them at all (except of course if the target file system is
FAT32 or if you need to burn the image on CDs or DVDs). For full
compatibility with earlier versions of X-Ways Forensics, with
EnCase versions before v6, and with other products, split them
at 2,047 MB or less, as before. (forensic license only)
* Report tables created by X-Ways Forensics itself (by v14.9
Preview 3 and later) can now be distinguished from user-created
report tables in dialog windows.
* The size limit that defines when a picture is considered
irrelevant for skin tone analysis is now slightly more strict
(width or height no more than 8 pixels, or width and height no
more than 16 pixels each). (forensic license only)
* Ability to rename virtual attached files in the volume snapshot
with the directory browser context menu. (forensic license only)
* Even after exploring a directory by clicking it in the directory
tree you will now find a ".." item at the top of the directory
browser, which you can double-click to go upwards to the respective
parent directory, same as with the backspace key.
* Indexing: Unnecessary interruption by user prompts in certain
situations prevented. (forensic license only)
* Pictures embedded in other files can now be included in the volume
snapshot even if their respective parent files are compressed.
(forensic license only)
* Stills extracted from videos are now named after the video file,
not only after the time index. (forensic license only)
* When viewing video files externally, X-Ways Forensics now ensures
temporary filenames with Latin 1 characters only, for compatibility
with programs such as MPlayer that are not Unicode-aware. (since
v14.8 SR-4)
* Naming carved JPEG files after camera model and date and time
(specialist or forensic license), where possible, is now optional.
* It is now possible to focus on or filter out half tagged items
(see Directory Browser Options, forensic license only).
* Option to export lists as text files in Unicode. (forensic license
only)
* Fixed an error that under certain circumstances caused a file
header signature search to find and list files that were already
part of the volume snapshot before, although this feature is
supposed to avoid creating duplicates.
* More complete usage of Unicode in various portions of the user
interface, such that the Chinese and Japanese translation can now
be used correctly even if the code page that is active in the
Windows system is not 936 or 932, respectively. More complete
Unicode support also for case HTML reports output in Chinese or
Japanese.
* For certain file types, the file type verification now determines
the correct file type without highlighting the type status as
"newly identified" even if the type is different from the extension.
It does that for Windows Registry files (because it's normal for
them not to have any extension) and HTML/XML files (because there
are a variety of extensions that are all normal and plausible).
That helps to keep the number of files with the type status "newly
identified" low and allows to better concentrate on files that were
actually misnamed. (forensic license only)
* Finds deleted partitions automatically if located 64 sectors apart
from a previously found partition (not only 63 or 2048 sectors as
before).
* Since the introduction of 256-bit AES in WinHex/X-Ways Forensics,
the PC1 encryption algorithm was still supported only for
compatibility with earlier versions. Support has now been
discontinued.
* No longer adds XML and HTML files to the report table "No detectable
textual contents" when no text is extracted from them by the viewer
component for the logical search/for indexing. (forensic license only)
* An error was fixed that would prevent files beyond the 2 TB barrier
from being read correctly, on NTFS volumes larger than 2 TB.
* The first step of the particularly thorough file system data
structure search now works on NTFS volumes larger than 2 TB. (since
v14.8 SR-5)
* Error fixed that prevented reconstructing RAIDs over 2 TB. (since
v14.8 SR-1)
* X-Ways Forensics and X-Ways Investigator now notify you
automatically when you get nearer to the end of your update
maintenance period.
* The viewer component is now loaded only when actually needed, not
immediately when starting the program. (forensic license only)
* The "Text" button that turns the preview provided by the viewer
component into a raw text preview (which for example is very helpful
when interested in all header lines of an e-mail message), is now
labelled "Raw", to increase awareness of the fact that usually it
is _not_ desirable to view files in that mode. (forensic license only)
* When exporting search hits to a tab-delimited text file (not HTML)
including context, the actual search term was previously represented
by "x" characters. This was fixed. (since v14.8 SR-4)
* When exporting metadata to a tab-delimited text file, line breaks
and tabs are now replaced with space characters. (since v14.8 SR-4)
* An error was fixed that occurred when trying to copy directory
data to evidence file containers with the indirect method. (since
v14.8 SR-3)
* Using keyboard shortcuts to create report table association now
either replaces already existing associations or not, depending on
the settings in the dialog window for report table associations.
(since v14.8 SR-3)
* Fixed an error that could occur in v14.8 SR-1 when automatically
interpreting images with multiple segments directly after creation,
for hash verification or evidence object replacement. (since v14.8
SR-2) The images were all OK, however.
* Fixed an error that occurred when copying alternate data streams
as alternate data streams. (since v14.8 SR-2)
* Possible source of instability in Details mode fixed. (since
v14.8 SR-1)
* New option in investigator.ini that allows to prevent attaching
external files to a volume snapshot in X-Ways Investigator. (since
v14.8 SR-1)
* Under certain circumstances, the progress indicator could be
wrong for logical searches conducted in selected evidence objects.
This was fixed. (since v14.8 SR-1)
* Quicker display of metadata cells in the directory browser if a
lot of metadata has been extracted. (since v14.8 SR-1)
* Several more minor improvements.
* The quick-guides that are downloadable from the X-Ways Forensics
product web page have been updated for v14.8/v14.9 where necessary.
The user manual has been updated for v14.9 as well.
* v8.2 of viewer component has been updated on Mar 14 and Mar 20.
It no longer freezes when viewing/processing certain HTML files
that v8.1.9 had no problems with. MS Word documents that consist
of just a single table are now again displayed correctly.
-------------------------------------------------------------
Please note that if you would like to be notified of service
releases between two newsletter issues, you can simply create
an account (http://www.x-ways.net/winhex/forum/create-account.html)
on our forum and activate e-mail notification for postings in
the Announcements section of the forum.
If you would like to be notified of training opportunities in
North America, Europe, Asia, or Australia, please drop us a brief
note. You could simply reply to this message. Thanks.
#108: WinHex, X-Ways Forensics and X-Ways Investigator 14.8 released
Feb 27, 2008
This mailing is to announce a major update, v14.8.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed
users whose update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information
such as download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS CLASSES
Chicago, Mar 31-Apr 4 http://www.x-ways.net/training/chicago.html
London, Apr 22-Apr 24 http://www.x-ways.net/training/london.html
New York, Jun 9-13 http://www.x-ways.net/training/new_york.html
For more information: http://www.x-ways.net/training/
-------------------------------------------------------------
WHAT'S NEW?
* Ability to extract JPEG pictures from video files, in a
user-defined interval (e.g. every 20 seconds). Immensely useful
if you have to systematically check many videos for inappropriate
or illegal content. Looking at extracted pictures in the
gallery is much faster and less stressful than having to watch
each video entirely one after the other, as the amount of data
is vastly reduced, and the extraction process can be run
unattended, e.g. overnight. Even if the nature of the material
changes in the middle of the video (e.g. child pornography
hidden in a family or vacation video), that will be discovered
if the chosen interval is not too large.
Also useful if you need to include still pictures in a printed
report. The extracted pictures of each video are collected as
either child objects of the video file itself or in a virtual
directory named after the original video file, as virtual files,
always in the same path as the original file, so that it's easy
to link suspicious still pictures back to a video. The first
extracted picture of a video at the same time serves as a
preview picture for the video file in Preview and Gallery mode.
ASF/WMV videos protected with digital rights management (DRM)
cannot be processed and are consequently marked with e! in
the Attr. column.
Requires an external program, either the non-GUI version of
MPlayer (http://www.mplayerhq.hu/design7/dload.html) and its
separately downloadable codec package (extract to "codecs"
subdirectory of MPlayer), or Forensic Framer
(http://www.kuiper.de/). The program has to be selected in
Options | Viewer Programs. Pictures can be extracted from
these video formats and codecs:
http://www.mplayerhq.hu/DOCS/HTML/en/video-formats.html
http://www.mplayerhq.hu/DOCS/codecs-status.html
* The Options | Viewer Programs dialog window now allows to
define an additional external program specifically for video
files (forensic license only). If defined, double-clicking
video files will send them directly to that external program.
If MPlayer is detected by X-Ways Forensics (or Forensic Framer,
which includes MPlayer), MPlayer will be predefined.
* When pictures are extracted from video files or documents
or thumbs.db files, or when e-mail messages and attachments
are extracted from e-mail archives, X-Ways Forensics no
longer creates a virtual directory whose name resembles the
original filename. Instead, the extracted files are accessible
directly by double-clicking the original file. They also can
still be seen when exploring recursively. The parent file's
icon will be marked with an ellipsis, to indicate that the
file's contents were extracted and there is more to find
"behind" the file. The main benefit is that it is now much
faster to identify the parent/host file. For example, when
tagging an extracted file, the parent file will be half tagged
automatically, which makes it easier to e.g. add such files
to a report table later. Or when navigating back upwards
from the extracted contents to the parent file by clicking
the ".." item, the parent file itself instead of a virtual
directory will be automatically selected. Also the path of the
extracted contents is more authentic because no suffix " Mail"
or " Pics" etc. is artificially inserted in the path any more.
Note that when you copy such files whose parents are other
files (not directories) to evidence file containers, older
versions of X-Ways Forensics and X-Ways Investigator will not
understand the parent-child relationship and show the child
objects in "Path unknown" instead. However, it is possible to
optionally have X-Ways Forensics create virtual directories
instead of files with child objects (Options | Directory
Browser), as before, for compatibility reasons.
For reasons of consistency and simplicity, the optional
special treatment of archives as directories has been removed.
Instead, archives are now treated exactly like other files
with child objects.
* Ability to preview/view $EFS logged utility streams (LUS)
and Windows Task Scheduler .job files. (forensic license only)
* Preview/view support for $I* Vista recycle bin files
(since v14.7 SR-1, forensic license only)
* The option to filter out $EFS logged utility streams was
removed from the directory browser option dialog. An option
was added that keeps NTFS LUS from being included in newly
taken volume snapshots in the first place, or only non-$EFS
LUS. Useful for NTFS volumes written by Windows Vista if you
are not interested in NTFS LUS.
* The binary contents of recycle bin info2 files, .lnk shortcut
files, $EFS LUS, and .job files are no longer output
directly as part of a case report. Instead, a textual
representation of their contents is output, as known from
Preview mode.
* Attribute filters for NTFS $EFS, other logged utility streams,
NTFS offline files, files with object ID, Unix/Linux symlinks,
and other Unix/Linux special files. (forensic license only)
* There is now an Attr. filter that allows to focus on files
for which file system metadata is available only and whose
contents are totally unknown (where not even the original
location of the data on the volume is known). Such files are
usually part of the volume snapshot after a particularly
thorough file system data structure search on NTFS volumes.
* Attribute filters for pictures that were extracted from
videos and for virtual files that were manually attached to
a volume snapshot. (forensic license only)
* Metadata extraction from MP3 files. ID3-embedded files other
than JPEG and PNG (which can be automatically extracted) are
indicated by a special report table once discovered. (forensic
license only)
* X-Ways Forensics can now distinguish between .wma/.wmv
audio/video files when verifying the file type based on
signatures. Much more metadata is now extracted from .asf,
wmv, and .wma files. For a MS Excel document, the name of
the person that opened it last is now extracted.
* Intelligent file size detection for .rar archives for File
Header Signature Search and File Recovery by Type, which
allows to extract and not only list files in such archives.
* File header signature search and file type verification
improved for HTML, XML, XSD, and DTD.
* File Type Signatures.txt, File Type Categories.txt, and file
carving further expanded and improved.
* Support for anchors in the GREP syntax: \b for a word
boundary, ^ for the start of a file, $ for the end of a file.
* The options to filter out existing/previously existing/
hidden items have been superseded by options that are defined
in a "positive" sense and more in line with other filters:
Show existing files, show previously existing items, show
tagged items, show untagged items, show hidden items, show
non-hidden items. This change also makes it very easy to
focus on files that were tagged or hidden. (forensic license
only)
* The option to group tagged and untagged items was removed.
However, it is now easily possible to _filter_ by tags, as
mentioned above. (forensic license only)
* The option to filter out previously existing files is now
available in X-Ways Investigator, unless prevented by new
option "+28" in investigator.ini.
* Additional option in investigator.ini that prevents users
from deleting report tables.
* A path filter has been introduced. Allows you to focus on
files in whose path a certain substring occurs, e.g. "pic"
or "Temporary Int". (forensic license only)
* Files identified as duplicates based on hash values are no
longer optionally marked with comments, but with a "duplicates
found" mark in the Attribute column, which is more efficient,
is retained in evidence file containers (for the recipient to
see that he/she can be supplied with the duplicates if needed),
and is now filterable. (forensic license only)
* Available hashes in the volume snapshot are now reused
instead of re-computed when creating hash sets.
* When refining the volume snapshot and verifying file types
based on signatures, in earlier versions this operation was
applied to files even if it had been applied before. Now if
you wish to repeat it, e.g. because you have edited the file
header signatures database, you need to check [x] Again, or
else the same files will not be touched again, to save time.
From now on, only files whose types were not verified before
will be processed by default.
* Should X-Ways Forensics crash during Refine Volume Snapshot,
Logical Search or Indexing whenever it is dealing with one
of the files in the volume snapshot, you will automatically
be pointed to the offending file when you restart the program,
so that you can easily omit it when trying again. Depends on
a new option in Security Options. The VS.log file known from
v14.7 is no longer created.
* WinHex can now identify the exact type of optical media in
the technical details report (whether CD-ROM, CD-R, CD-RW,
DVD-ROM, DVD-RW, etc.).
* Somewhat faster read access to DVDs.
* Better handling of CD-ROM XA, but still most sectors cannot
be read. Unlike so often with competitors' products, X-Ways
Forensics will alert you that there is a problem. At least
many times now it is possible to open the files on such CDs
(e.g. Video CDs) through the operating system (see Security
Options). (since v14.7 SR-1, further improved with v14.8)
* Predefined character pool for indexing Japanese text.
* Ability to copy selected text from viewer component windows
to the clipboard in Unicode and RTF. (forensic license only)
* The Details mode is now more visually appealing and easier
to understand. Will be further improved in future
releases/versions.
* Option to retain alternate data streams as ADS when using
the Recover/Copy command if the output volume is formatted
with NTFS. (forensic license only) If disabled or if copied
to a different file system, ADS are recreated as conventional
files, as before.
* When using the Recover/Copy command to copy files including
their path, the name of the evidence object is now recreated
as a directory also if "Default to evidence object folders
for output" is unchecked in the case properties, not only when
copying from a recursively explored case root window. (forensic
license only)
* Options to explicitly include or exclude child objects of
directories or files when using the Recover/Copy command or
when filling evidence file containers. As before, when copying
from an already recursive view, however, child objects cannot
be included. (forensic license only)
* It is now possible to include directory data (i.e. depending
on the file system, directory entries, INDX buffers, ...)
in evidence file containers (forensic license only). Useful if
the user of the container might be interested in timestamps or
other metadata in these data structures. If you choose to
include directory data in a container when creating it, this
has a direct effect only on directories that are selected
themselves. It has an effect on parent directories of selected
items only if you check an additional option. This is needed
because otherwise the directory data might unintentionally reveal
the names and other metadata of files that were intentionally
omitted from the container, e.g. for reasons of confidentiality.
Earlier versions of X-Ways Forensics and X-Ways Investigator do
understand it if data is available for directories.
* Option to automatically compress, encrypt, and/or split a
container after creation, offered when closing a container
that was opened in the background. (forensic license only,
not in X-Ways Investigator) Useful e.g. to be able to ship
huge containers on CDs or DVDs.
* The setup program now shows a progress window when the
viewer component is copied (if found in the subdirectory
\viewer). It also automatically copies MPlayer (if found
in the subdirectory \MPlayer). Remember that if these external
components are found in the expected subdirectories, they are
activated in Options | Viewer Programs automatically.
* If in the case report options you specify maximum dimensions
for pictures as 0×0, then the pictures will only be linked,
just as other files, not displayed directly in the report.
* Tools | Disk Tools | Scan For Lost Partitions now recognizes
Ext2/Ext3/Ext4 partitions via their first superblock.
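How a scan for lost partitions can recognize an ext volume from its first superblock, as an added Python example (not X-Ways code): ext2/3/4 place the primary superblock 1024 bytes past the partition start, with the magic 0xEF53 at offset 0x38 of the superblock. A sector-by-sector scan of a raw image for that magic, using the block-group-number field to ignore backup copies, yields the partition's start sector and, from the block count and block size, its length. The image, volume name and feature flags below are constructed sample data, and deriving ext2/ext3/ext4 from the feature flags is a heuristic.

```python
"""Added example (not X-Ways code): locating lost Ext2/3/4 partitions in a raw
image by scanning for the primary superblock."""
import struct

SECTOR = 512
SB_OFFSET = 1024            # primary superblock starts 1024 bytes into the partition
EXT_MAGIC = 0xEF53
OFF_BLOCKS_COUNT = 0x04     # s_blocks_count_lo (4 bytes)
OFF_LOG_BLOCK_SIZE = 0x18   # block size = 1024 << value
OFF_MAGIC = 0x38            # s_magic (2 bytes)
OFF_BLOCK_GROUP_NR = 0x5A   # s_block_group_nr: 0 for the primary copy, >0 for backups
OFF_FEATURE_COMPAT = 0x5C   # followed by s_feature_incompat at 0x60
OFF_VOLUME_NAME = 0x78      # 16 bytes, NUL padded
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_EXTENTS = 0x0040


def guess_flavor(compat: int, incompat: int) -> str:
    """Heuristic: extents imply ext4, a journal without extents ext3, else ext2."""
    if incompat & INCOMPAT_EXTENTS:
        return "ext4"
    if compat & COMPAT_HAS_JOURNAL:
        return "ext3"
    return "ext2"


def find_lost_ext_partitions(image: bytes):
    """Scan every sector for a primary ext superblock; return candidate partitions."""
    found = []
    for sector in range(2, len(image) // SECTOR):   # a superblock cannot sit before sector 2
        off = sector * SECTOR
        sb = image[off:off + 0x88]
        if len(sb) < 0x88:
            break
        if struct.unpack_from("<H", sb, OFF_MAGIC)[0] != EXT_MAGIC:
            continue
        log_bs = struct.unpack_from("<I", sb, OFF_LOG_BLOCK_SIZE)[0]
        if log_bs > 6:          # 1 KiB .. 64 KiB blocks; anything else is a false positive
            continue
        if struct.unpack_from("<H", sb, OFF_BLOCK_GROUP_NR)[0] != 0:
            continue            # backup copy; only the first superblock marks the start
        blocks = struct.unpack_from("<I", sb, OFF_BLOCKS_COUNT)[0]
        compat, incompat = struct.unpack_from("<II", sb, OFF_FEATURE_COMPAT)
        name = sb[OFF_VOLUME_NAME:OFF_VOLUME_NAME + 16].split(b"\0")[0]
        block_size = 1024 << log_bs
        found.append({
            "start_sector": (off - SB_OFFSET) // SECTOR,
            "length_bytes": blocks * block_size,
            "block_size": block_size,
            "flavor": guess_flavor(compat, incompat),
            "volume_name": name.decode("ascii", "replace"),
        })
    return found


def make_superblock(blocks, log_bs, compat, incompat, name: bytes, group_nr=0) -> bytes:
    """Constructed sample superblock; only the fields read above are filled in."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, OFF_BLOCKS_COUNT, blocks)
    struct.pack_into("<I", sb, OFF_LOG_BLOCK_SIZE, log_bs)
    struct.pack_into("<H", sb, OFF_MAGIC, EXT_MAGIC)
    struct.pack_into("<H", sb, OFF_BLOCK_GROUP_NR, group_nr)
    struct.pack_into("<II", sb, OFF_FEATURE_COMPAT, compat, incompat)
    sb[OFF_VOLUME_NAME:OFF_VOLUME_NAME + len(name)] = name
    return bytes(sb)


def build_sample_image() -> bytes:
    """Constructed 4 MiB image: no partition table, an ext4 volume of 512 blocks of
    4 KiB starting at sector 2048, plus a stray backup superblock copy."""
    img = bytearray(4 * 1024 * 1024)
    start = 2048 * SECTOR
    primary = make_superblock(512, 2, COMPAT_HAS_JOURNAL, INCOMPAT_EXTENTS, b"evidence")
    backup = make_superblock(512, 2, COMPAT_HAS_JOURNAL, INCOMPAT_EXTENTS, b"evidence", group_nr=1)
    img[start + SB_OFFSET:start + SB_OFFSET + 1024] = primary
    bk = 3 * 1024 * 1024 + SB_OFFSET
    img[bk:bk + 1024] = backup
    return bytes(img)


if __name__ == "__main__":
    for part in find_lost_ext_partitions(build_sample_image()):
        print(part)
```

A real scan would read the image in chunks rather than holding it in memory, and would confirm each candidate by checking further superblock fields (e.g. that the block count is consistent with the image size) before presenting it as a recovered partition.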
* Removing items from huge volume snapshots is now usually
much faster. However, after this operation, you can no longer
make conclusions from the internal IDs about the order in
which items have been added to the volume snapshots, because
the remaining internal IDs may be shuffled when removing
items.
* In previous versions, when totally removing hidden items
from a volume snapshot for which hash values had been
computed, this operation left inconsistent hash values for
some of the remaining items in the volume snapshot. Also
report table associations, comments, and extracted metadata
were not correctly retained. This was fixed.
* Whenever the case is automatically saved because the
autosave interval has elapsed, the configuration (various
options, settings) is also saved.
* The Attach External File command in the directory browser
context menu is now available in X-Ways Investigator, too.
(since v14.7 SR-1)
* The Attach External File command can now even be used to
attach multiple files at the same time. Useful e.g. after
having manually extracted/converted certain
records/e-mails/pictures/files from a file. When you attach the
externally stored files to the original file, they will either
become direct child objects (see above), or a virtual directory
will be created named after the original file, and the files
will be shown collectively in that directory. If only a single
file is attached (e.g. the converted/decrypted/translated
version of a document), no virtual directory is needed. (since
v14.7 SR-2, changed in v14.8)
* Ability to rename virtual directories, with a new command
in the directory browser context menu.
* Fixed an exception error that under certain circumstances
occurred when entering into search hit list mode. (since
v14.7 SR-3)
* Since v14.6, if any hash sets were selected for the hash set
filter, they were used for hash set matching, too, even if
unselected for matching by the user. This was fixed with v14.7
SR-5.
* Since v14.6, the option "Not only extract, also embed
attachments" only embedded e-mail attachments in .eml files
and did not extract them. This was fixed with v14.7 SR-5.
* The registry viewer now allows to search for true Unicode
characters in values (data). An error was fixed that prevented
finding text in the values (data) in earlier releases of v14.7.
The number of hives that can be loaded simultaneously has been
increased from 16 to 32. (since v14.7 SR-6)
* The exception list for the indexing algorithm, if enabled by
the user, was not correctly utilized any more since v14.3. This
was fixed with v14.7 SR-7.
* Fixed an exception error with v14.7 SR-7 that could occur
when opening very large FAT16 volumes.
* Screen update problem in gallery fixed in v14.7 SR-8, for files
without known contents (for which file system metadata is
available only).
* Fixed inability to open dynamic volumes under certain
circumstances.
* Many other minor improvements, some smaller bug fixes.
* The viewer component has been updated on Feb 12 and Feb 26.
Some exception errors and instabilities were fixed, and two
errors were fixed that caused the viewer component to freeze
with certain corrupt GZ archives and certain SWF files.
#107: WinHex, X-Ways Forensics and X-Ways Investigator 14.7 released
Jan 17, 2008
This mailing is to announce a noteworthy update, v14.7.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed
users whose update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information
such as download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS CLASSES
Chicago, Mar 31-Apr 4 http://www.x-ways.net/training/chicago.html
London, Apr 22-Apr 24 http://www.x-ways.net/training/london.html
New York, Jun 9-13 http://www.x-ways.net/training/new_york.html
For more information: http://www.x-ways.net/training/
-------------------------------------------------------------
WHAT'S NEW?
* The virtual "Path unknown" directory on NTFS volumes is now
often much better organized. It identifies files and
subdirectories whose original parent directories are unknown
but known to be the same. Such files and subdirectories are now
collected in the same generically named virtual directory,
which makes it easier to get an idea of what that directory
might have been and to more quickly identify relevant and
irrelevant files. Applies to newly taken volume snapshots only.
* The thorough file system data structure search on NTFS
volumes now often turns up even more traces of previously
existing files than before, including even more earlier names
and earlier paths of renamed/moved files. (forensic license
only)
* Improved results of thorough file system data structure
search on NTFS volumes that still can be recognized as NTFS
volumes, whose MFT however is corrupted and cannot be read
any more.
* Support for dynamic volumes defined on GUID partitioned
(GPT) disks. Such dynamic volumes can be used under Windows
Vista and the 64-bit versions of Windows XP and Windows 2003
Server.
* Now automatically finds all partitions on hard disks that
have both valid GPT and MBR partition definitions.
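As an added illustration of a disk that carries both MBR and GPT partition definitions (a hybrid layout, as in the item above), the following parser reads both tables and merges the results. It is example code, not X-Ways code; the 96-sector disk image, the disk and partition GUIDs and the partition names are constructed (only the Microsoft basic-data type GUID is the real value). Both GPT CRCs are checked so that a corrupt or stale table is not silently trusted, and the protective 0xEE entry is reported but excluded from the merged list because it only points at the GPT.

```python
"""Enumerate partitions on a disk that carries both MBR and GPT
partition definitions (a hybrid layout).  Added example, not X-Ways
code; the disk image, the disk/partition GUIDs and partition names are
constructed.  The basic-data type GUID is Microsoft's real value."""
import struct
import uuid
import zlib

SECTOR = 512
BASIC_DATA = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")
PROTECTIVE = 0xEE  # MBR partition type that merely points at the GPT


def mbr_partitions(disk: bytes) -> list[dict]:
    """Read the four 16-byte entries at offset 446 of sector 0."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        _status, _chs1, ptype, _chs2, start, count = struct.unpack_from(
            "<B3sB3sII", disk, 446 + 16 * i)
        if ptype != 0:
            parts.append({"source": "MBR", "type": ptype,
                          "first": start, "last": start + count - 1})
    return parts


def gpt_partitions(disk: bytes) -> list[dict]:
    """Read the GPT header at LBA 1 and its entry array, checking both CRCs."""
    hdr = disk[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC is computed with its own CRC field zeroed.
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    array = disk[start:start + n_entries * entry_size]
    if zlib.crc32(array) != array_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = array[i * entry_size:(i + 1) * entry_size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append({"source": "GPT", "type": str(type_guid),
                      "first": first, "last": last, "name": name})
    return parts


def gpt_intact(disk: bytes) -> bool:
    """True when the GPT header and entry array pass their CRC checks."""
    try:
        gpt_partitions(disk)
        return True
    except ValueError:
        return False


def all_partitions(disk: bytes) -> list[dict]:
    """Both tables merged; the protective entry is not a data partition."""
    return ([p for p in mbr_partitions(disk) if p["type"] != PROTECTIVE]
            + gpt_partitions(disk))


def build_hybrid_disk() -> bytes:
    """Constructed 96-sector disk: MBR with a protective entry plus one real
    entry mirroring GPT partition 1, and a GPT with four entry slots at LBA 2."""
    total = 96
    disk = bytearray(total * SECTOR)
    struct.pack_into("<B3sB3sII", disk, 446, 0, b"\0\0\2", PROTECTIVE, b"\xff" * 3, 1, 33)
    struct.pack_into("<B3sB3sII", disk, 462, 0x80, b"\xff" * 3, 0x07, b"\xff" * 3, 34, 32)
    disk[510:512] = b"\x55\xaa"
    entries = bytearray(4 * 128)

    def put(slot, first, last, name):
        off = slot * 128
        entries[off:off + 16] = BASIC_DATA.bytes_le
        entries[off + 16:off + 32] = uuid.UUID(int=slot + 1).bytes_le  # constructed unique GUID
        struct.pack_into("<QQQ", entries, off + 32, first, last, 0)
        entries[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\0")

    put(0, 34, 65, "Data")        # also present in the MBR
    put(1, 66, 90, "GPT only")    # only the GPT knows about this one
    disk[2 * SECTOR:3 * SECTOR] = entries
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<IIII", hdr, 8, 0x00010000, 92, 0, 0)
    struct.pack_into("<QQQQ", hdr, 24, 1, total - 1, 3, total - 2)
    hdr[56:72] = uuid.UUID(int=0xD15C).bytes_le  # constructed disk GUID
    struct.pack_into("<QIII", hdr, 72, 2, 4, 128, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    disk[SECTOR:SECTOR + 92] = hdr
    return bytes(disk)


if __name__ == "__main__":
    for p in all_partitions(build_hybrid_disk()):
        print(p)
```

On the constructed disk the MBR alone shows one data partition and the GPT shows two, so an examiner who trusts only one table misses the "GPT only" partition; the merged view is what the item above describes.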
* Partitions formatted with exFAT are now recognized as such.
(That does not mean that the exFAT file system is now natively
supported.)
* Slightly more informative progress indicator window for
thorough NTFS file system data structure search and file header
signature search.
* Progress indicator window and ability to abort for metadata
extraction.
* Extracted metadata were previously added to the Comments
column. Now there are a separate column and a separate filter
for metadata, and the Comments column is now reserved for the
examiner's own comments.
* Metadata extraction from RTF, MP4, 3GP, M4V, M4A, RIFF
(.wav, .avi, ...) files and IE cookies. (forensic license only)
* Intelligent file size detection for MP4, 3GP, M4V, M4A, MOV,
DBX for File Header Signature Search and File Recovery by Type.
Improved JPEG file size detection/estimation.
* File Header Signatures.txt further expanded.
* PDF documents that contain earlier, invisible versions of the
same document are now associated automatically with a special
report table once seen in Details mode or once internal
metadata has been extracted from them. (forensic license
only) Once aware that old versions exist, well-versed users
can extract them if needed.
* Extracts the internal creation timestamp from Internet
Explorer cookies, Norton Ghost .gho and PGP pubring.pkr
keyring files. (forensic license only)
* Ability to preview/view INFO2 recycle bin files.
* Ability to preview/view most SPL printer spool files.
Ability to automatically extract EMF files from multipage SPL printer spool files (see Refine Volume Snapshot).
(forensic license only)
* thumbs.db and many Windows Registry files found via file
header signature search are now listed/recovered with their
original names. Intelligent file size detection for Windows
Registry files.
* Microsoft's XPS documents are now treated like archives,
such that in particular the XML files within are now properly
covered in logical searches (as long as the contents of
archives have been included in the volume snapshot, of course).
* Ability to conveniently find the e-mail message that
contains the selected attachment, via a new directory
browser context menu command. (forensic license only)
Not for AOL PFC.
* Attachments and embedded files in e-mail messages that
are attachments to other e-mail messages (e.g. forwarded)
can now be extracted from the outer e-mail message if you
add *.eml to the series of file masks for e-mail extraction.
* Correct conversion from/to the Windows code pages
between 50220 and 50230.
* When trying to view a file externally again that was
already copied to the directory for temporary files before
for viewing and still exists there, it is not copied again
any more, which saves time (think of large video files).
* Ability to immediately and automatically verify newly
created raw images and .e01 evidence files by recomputing
the hash values. (forensic license only)
* Option to immediately replace an evidence object in the
active case with a newly created image, if a disk is
imaged that is associated with the active case as an
evidence object.
* When creating raw image files or .e01 evidence files of
volumes/partitions with WinHex, there is now an option to
store free clusters as zero-value bytes. (specialist or
forensic license only) That is useful if you create the
image for data backup and not for forensic purposes, in
conjunction with compression, to save drive space. This
option is not available in X-Ways Forensics, to prevent the
unintentional creation of images that are not forensically
sound.
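The two items above, hash verification of a newly created image and the option to store free clusters as zero bytes, fit together, so here is one added example that is not X-Ways code. The eight-cluster source disk and its allocation map are constructed. A forensic image is hashed chunk by chunk and verified against the hash of the source device; the zero-filled backup image fails that verification and has lost the leftover bytes in the free clusters, which is why the release notes withhold the option from X-Ways Forensics.

```python
"""Hash verification of a newly created raw image, and what the
'store free clusters as zero bytes' option does to it.
Added example, not X-Ways code; the tiny source disk and its cluster
allocation map below are constructed."""
import hashlib

CLUSTER_SIZE = 16  # bytes per cluster; constructed, tiny for readability

# Constructed source disk: 8 clusters, each filled with one letter A..H.
SOURCE_DISK = b"".join(bytes([0x41 + i]) * CLUSTER_SIZE for i in range(8))
# Constructed allocation map: clusters 2 and 5 are free, but still hold
# leftover bytes ("C" and "F") that a forensic image must preserve.
ALLOCATED = [True, True, False, True, True, False, True, True]


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hash in fixed-size chunks, as an imaging tool does, so that
    multi-gigabyte images never have to be loaded into memory at once."""
    h = hashlib.new(algo)
    view = memoryview(data)
    chunk = CLUSTER_SIZE * 4
    for off in range(0, len(view), chunk):
        h.update(view[off:off + chunk])
    return h.hexdigest()


def acquire(source: bytes, zero_free: bool = False) -> tuple[bytes, str]:
    """Image `source`, returning (image bytes, hash of the source device).
    With zero_free=True, unallocated clusters are written as zero bytes,
    the backup-oriented option the release notes describe."""
    source_hash = hash_bytes(source)
    if not zero_free:
        return source, source_hash
    image = bytearray(source)
    for idx, used in enumerate(ALLOCATED):
        if not used:
            start = idx * CLUSTER_SIZE
            image[start:start + CLUSTER_SIZE] = bytes(CLUSTER_SIZE)
    return bytes(image), source_hash


def verify(image: bytes, expected_hash: str) -> bool:
    """Re-read the written image and recompute its hash; only a match
    proves the image is a bit-for-bit copy of the source device."""
    return hash_bytes(image) == expected_hash


def free_cluster_bytes(image: bytes) -> bytes:
    """Concatenate the contents of all clusters marked free."""
    return b"".join(
        image[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        for i, used in enumerate(ALLOCATED) if not used)


if __name__ == "__main__":
    forensic, h = acquire(SOURCE_DISK)
    backup, _ = acquire(SOURCE_DISK, zero_free=True)
    print("forensic image verifies:", verify(forensic, h))   # True
    print("zero-filled image verifies:", verify(backup, h))  # False
    print("free-cluster data kept:", free_cluster_bytes(forensic)[:4])
```

The verification is only meaningful when the expected hash was taken from the source device at acquisition time and the image is re-read from the destination medium; hashing the buffer that was just written proves nothing about what actually reached the disk.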
* Ability to control NTFS compression for newly created
raw image files in File | Create Disk Image: none, sparse,
or normal compression.
* Now complete Unicode support in technical details report,
technical description of evidence objects, and technical
description in .e01 evidence files.
* Improved Unicode support for textual values in the registry
viewer and in the registry report.
* In the registry report, binary data such as "RecentDocs"
can now optionally be interpreted as Unicode text, which e.g.
allows viewing non-Latin 1 filenames.
* The automatically suggested registry report output filename
now depends on the definition file used. Useful to avoid
accidentally overwriting reports created on different registry
keys for different purposes, and to immediately get an idea
of the purpose of the report if the definition file was already
adequately named.
* When clicking a value in a loaded hive in the Registry
Viewer, if the data window with the drive/image from which
the hive was loaded is in File mode, the cursor will
automatically jump to the selected value in the registry file
in File mode, and the value will automatically be selected as
a block in that file. This is useful because it lets you see
values, in particular binary ones, in both hexadecimal and
text, and lets you easily copy binary values either as binary
or as text, not only as hex ASCII.
* Option to create the copylog file as a tab-delimited ASCII
or Unicode text file instead of HTML. Option to only output
the target filename/path and no original metadata in additional columns. Option to only output original metadata
columns and no target filename/path.
* New option: The bytes in the display can be represented as
characters in the text column one by one, or WinHex can try
to combine them, which if the active code page in Windows is
a double-byte character set may be desirable to get the
characters right (if 2 bytes = 1 character), or undesirable
because of the variable row length.
* When using distributed indexing, X-Ways Forensics now tries
to detect differences in the index settings used by the
various participants (options such as code pages, substring
support, character pool etc.). If detected, at least one of
the participants will be warned before indexing starts on
that machine. Obviously, in a shared indexing effort the
settings should be the same everywhere.
* Interpreted raw images now show up in the Select Target
Disk dialog window of Tools | Disk Tools | Clone Disk in
WinHex with a specialist or forensic license (not in X-Ways
Forensics). Useful if you wish to selectively copy certain
sector ranges from one image or disk to another image.
* The logs for Refine Volume Snapshot, Logical Search, and
Indexing, which contain the internal IDs of processed files
to identify the offending file in case of a crash, are no
longer stored in separate log files and no longer in the
evidence object metadata directories. Instead, a single
file "VS.log" is now created in the directory from where
X-Ways Forensics is run, and it is overwritten each time
a new operation is started. This means you no longer have
to search for the correct log file for the last operation,
and it also saves drive space. As before, the last line in
such a file specifies the internal ID of the last file that
was processed. New: The operation type and the name of the
disk/image can be seen in the first line.
* Fixed an exception error that could occur with very long
image file paths and names.
* Fixed an error that caused certain GREP search hits to be
incorrectly regarded as Unicode hits. (since v14.6 SR-1)
* Three new investigator.ini options: Prevent taking new
volume snapshots. Prevent arbitrary files from being opened
externally with associated programs. Prevent redefinition
of external viewer programs.
* Two more investigator.ini options since v14.6 SR-2:
Prevent removal of evidence objects and prevent use of
Recover/Copy command (mandatory in X-Ways Investigator,
meant as an option in X-Ways Forensics when run with the
reduced user interface for non-IT investigators).
* Directories within PST e-mail archives, whose names
contain true Unicode characters, can now be recreated when
extracting e-mail messages. Previously this failed because
of illegal names. The Unicode characters are lost and
replaced with underscores, though. (since v14.6 SR-2)
* Fixed an exception error that could occur when viewing
certain search hits in Preview mode. (since v14.6 SR-2)
* Fixed an error that could lead to incorrect data being
shown in sectors above the 2 TB barrier. (since v14.6 SR-2)
* The directory entries in clusters other than the first
one in directories on FAT12/FAT16 volumes that are child
directories of the root directory and whose names consist
of only 1 or 2 characters were ignored. Files defined by
ignored directory entries could only be found through a
file header signature search. This was fixed. (since v14.6
SR-3)
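The FAT12/FAT16 bug described above comes down to reading only the first cluster of a directory instead of following its cluster chain in the FAT. The following added example, not X-Ways code, builds a miniature constructed FAT16 volume in which a child directory of the root named "A" spans three clusters, then lists it both ways. The partial listing finds only "." and "..", so the files defined in the later clusters are exactly the ones that, as the item says, could only be found through a file header signature search (which recovers content but not names).

```python
"""Walk a FAT16 directory across its whole cluster chain, and show what
is lost when only the first cluster is read.  Added example, not X-Ways
code; the miniature FAT and data area below are constructed."""
import struct

CLUSTER = 64      # bytes per cluster; constructed so one cluster holds two entries
ENTRY = 32        # size of one 8.3 directory entry
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F
BAD_CLUSTER = 0xFFF7  # values >= this are bad-cluster / end-of-chain markers


def make_entry(name: str, ext: str, attr: int, first_cluster: int, size: int) -> bytes:
    """Build one 32-byte directory entry; timestamps are left at zero."""
    return struct.pack("<8s3sBBBHHHHHHHI", name.encode("ascii").ljust(8),
                       ext.encode("ascii").ljust(3), attr, 0, 0,
                       0, 0, 0, 0, 0, 0, first_cluster, size)


def parse_fat16(raw: bytes) -> list[int]:
    """The FAT is an array of little-endian 16-bit cluster links."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def chain(fat: list[int], first: int):
    """Yield every cluster of a chain, refusing to loop on a corrupt FAT."""
    seen, c = set(), first
    while 2 <= c < BAD_CLUSTER:
        if c in seen:
            raise ValueError("FAT chain loops at cluster %d" % c)
        seen.add(c)
        yield c
        c = fat[c]


def list_directory(fat, data, first_cluster, follow_chain=True):
    """Return (name, attr, first cluster, size) for each live entry."""
    clusters = chain(fat, first_cluster) if follow_chain else [first_cluster]
    found = []
    for c in clusters:
        buf = data[(c - 2) * CLUSTER:(c - 1) * CLUSTER]
        for off in range(0, CLUSTER, ENTRY):
            e = buf[off:off + ENTRY]
            if e[0] == 0x00:
                return found                    # no more entries follow
            if e[0] == 0xE5 or e[11] == ATTR_LONG_NAME:
                continue                        # deleted entry or LFN fragment
            name = e[:8].decode("ascii").rstrip()
            ext = e[8:11].decode("ascii").rstrip()
            clus_lo, size = struct.unpack_from("<HI", e, 26)
            found.append((name + ("." + ext if ext else ""), e[11], clus_lo, size))
    return found


def build_volume():
    """Constructed volume: directory 'A' (child of root, first cluster 2)
    whose entries spill over the chain 2 -> 4 -> 6; clusters 3, 5, 7 hold
    the three files' contents.  Returns (raw FAT bytes, data area bytes)."""
    fat = [0xFFF8, 0xFFFF, 4, 0xFFFF, 6, 0xFFFF, 0xFFFF, 0xFFFF]
    data = bytearray(CLUSTER * (len(fat) - 2))

    def slot(cluster):
        return (cluster - 2) * CLUSTER

    data[slot(2):slot(2) + 2 * ENTRY] = (make_entry(".", "", ATTR_DIRECTORY, 2, 0)
                                         + make_entry("..", "", ATTR_DIRECTORY, 0, 0))
    data[slot(4):slot(4) + 2 * ENTRY] = (make_entry("FILE1", "TXT", 0x20, 3, 5)
                                         + make_entry("FILE2", "TXT", 0x20, 5, 5))
    data[slot(6):slot(6) + ENTRY] = make_entry("NOTES", "TXT", 0x20, 7, 5)
    for cl, text in ((3, b"one  "), (5, b"two  "), (7, b"three")):
        data[slot(cl):slot(cl) + 5] = text
    return struct.pack("<%dH" % len(fat), *fat), bytes(data)


if __name__ == "__main__":
    fat_raw, data = build_volume()
    fat = parse_fat16(fat_raw)
    print("chain:", list(chain(fat, 2)))
    print("full listing:", [n for n, *_ in list_directory(fat, data, 2)])
    print("first cluster only:", [n for n, *_ in list_directory(fat, data, 2, False)])
```

The loop guard in `chain` matters on real evidence: a damaged FAT can link a cluster back onto itself, and a walker without the guard never terminates.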
* Some instability issues in support for certain file types
fixed. (since v14.6 SR-3)
* Many other minor improvements, some smaller bug fixes.