X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 


WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#154: X-Ways Forensics, X-Ways Investigator, WinHex 19.2 released

Mar 27, 2017

This  mailing is to announce the release of another notable update with many important improvements, v19.2.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Mar 27-28 Victoria, BC X-Ways Forensics II
Apr 11-12 London, England X-Ways Forensics II
Apr 19-21 Washington DC area X-Ways Forensics II, XFS
May 9-12 New York City X-Ways Forensics
May 15-19 Boston, MA X-Ways Forensics, NTFS/XWFS2
Jul 3-6 London, England X-Ways Forensics
Oct 23-27 Toronto, ON X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


X-Tensions

  • KPF by Jedson Technologies. Picture and video categorization previously known as C4All. The X-Ways KPF version is the original C4All X-tension and does everything and more than the original C4All did (but six times faster), and is free. Other versions exist that produce output in JSON/ProjectVic, XML, or other formats. Presentation at Techno Security & Digital Forensics conference.

  • NEW XT_RAW by Kuiper Forensics. Detects and converts many digital camera RAW formats within X-Ways Forensics.

  • Beyond Compare X-Tension by Chad Gough. Select any two files in X-Ways and quickly send them to Beyond Compare for review.

  • VirusTotal X-Tension by Chad Gough. Check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the Messages window.

  • Binary Large Objects by Christopher Lees. Extracts Binary Large Object (BLOB) data from Sqlite databases.

  • Multiple File Finder by Werner Rumpeltesz. Search for filenames and/or path names and add the matching files to a specific report table.

  • Luhn Credit Card Check by X-Ways Software Technology AG. 32-bit, 64-bit. For use during GREP searches for credit card numbers. Discards false hits based on the Luhn algorithm.

For more information about publicly available X-Tensions known to us please check here. Please get in touch if you have something to contribute. Thank you!

X-Tensions API

  • Disk I/O X-Tensions now cannot only intercept sector-wise I/O at the disk level (for example to decrypt encrypted disks or partitions on the fly and make X-Ways Forensics see the decryption data), but can also intercept I/O at the file level (for example to decrypt encrypted files). The new function to export for that purpose is XT_FileIO. For details please see http://www.x-ways.net/forensics/x-tensions/XWF_functions.html#A.

  • A new X-Tension API function named XWF_FindItem1 allows to conveniently find out the internal ID of a file with a given name in a given directory.


What's new in v19.2?
(please note that most changes apply to X-Ways Forensics only)

File Type Support

  • Files encrypted in Zip, RAR, and 7z file archives can now also be decompressed and processed, provided that the password is known or can be guessed. X-Ways Forensics will try any password listed in either the password collection of the current case or a general password collection. You can edit the password list right from within the dialog window with the options for archive processing. The case-specific password collection can also be edited from within the case properties, and it is stored in a UTF-16 encoded text in the case directory, named "Passwords.txt". The general password collection is stored in a file of the same name in the installation directory or in your Windows user profile directory. Almost all Unicode characters are supported, including space characters and Chinese characters etc. Remember passwords are usually case-sensitive.

    If the collection contains the right password for a particular file archive, that password will be remembered in that file's extracted metadata and taken directly from there instead of the case's password collection if needed again later to read files in the archive. Alternatively, you can provide a specific password for a particular file archive manually and directly by editing that file's metadata, you just need to know that the password must be prepended with "Password: ". (Note to French users: No space before the colon.) Files within encrypted file archives are not treated and shown as encrypted ("e" attribute) if the right password was available at the moment when the files were added to the volume snapshot. The archives themselves are still shown with the "e!" attribute. RAR archives and 7zip archives in which not only the file contents, but also the names are encrypted are not currently supported.

  • Support for iOS's sms.db. All recorded conversations via SMS are extracted to individual chat files. All messages are added to the event database, where they can be filtered based on phone number or email address.

  • Metadata extraction from Quicktime video files revised. In particular, geo data is extracted from current iPhone .mov files.

  • Improved support for East Asian regional code pages with variable-length character encoding for use in complex GREP expressions such as negated character sets.

  • Extraction of metadata from JPEG files improved. More metadata presented for JPEG files in Details mode.

  • Trailing data in JPEG files is now provided as a separate child object.

  • Special support for Samsung Galaxy S6 and S7 JPEG metadata, which among others contain the creation date with a precision of 1 ms.

  • Generator signatures further revised.

  • File type verification further improved.

  • Type group designations are now displayed along with the type description in the "Type description" column.

  • A few file type designations were assigned to multiple categories previously. That was tidied up.

  • Updated file mask for uncovering embedded data.

  • Files can now be extracted from e-mail related MIM archives as part of e-mail processing.

  • Import support for PhotoDNA hash values in hex ASCII notation in ProjectVic JSON files.

Disk Support

  • Linux software RAIDs: Ability to recognize MD RAID container partitions as such. They are represented as two distinct items: A static header area that contains metadata about the RAID (usually at relative offset 4096), and an explorable partition that serves as a RAID component. In case of RAID level 1 that explorable partition contains a fully self-contained volume whose file system can be parsed normally (without any reconstruction effort) if supported. In case of other RAID levels, the reconstruction can be accomplished with the Specialist | Reconstruct RAID command, and some hints on the correct reconstruction parameters are shown as comments attached to the header area item. The result of the reconstruction will be a single volume, which is represented as encompassed in a virtual physical disk. The RAID components have to remain in the case as evidence objects for internal reasons, to allow to re-open the reconstructed RAID with a single mouse-click later.

  • Terminology: What was formerly designated as the stripe size is now correctly referred to as the strip size. The stripe size is the strip size multiplied by the number of RAID component disks, i.e. a whole row.

  • Sector superimposition used to affect specifically the disk/partition/volume represented by the data window to which it was applied. From now on, it also has an effect on partitions opened from within a physical, partitioned disk to which sector superimposition was applied.

  • Ability to recognize Windows storage pool container partitions as such.

  • Ability to properly open partitions whose sectors size is a multiple of the sector size of the underlying physical disk. This is important for example for Windows storage space partitions in Windows storage space pool disks. These partitions and disks have a simulated sector size of 4 KB even if they reside on physical disks with a sector size of 512 bytes.

  • The search for lost partitions now finds NTFS storage space partitions within storage space container partitions despite sector size discrepancies. The search for lost partitions is a useful work-around to find and properly parse the actual payload partition in simple single-disk Windows storage spaces.

  • GPT partition names are now shown in the Name column as alternative names and should be helpful when examining Android phone images containing large numbers of partitions, revealing their respective functions.

  • Technical details report slightly more complete now with partition names as per GUID partition tables.

  • Structure of Access button menu improved for partitioned disks. (Access button is the official name of the button with the white arrow, below the Sync button.)

Usability

  • When clicking the link to an attachment from within the alternative e-mail preview, this now triggers the same action as if that file had been viewed from within the directory browser. That means that 1) it will be marked as already viewed, 2) depending on your preferences, if it's a picture, it will be either presented by the viewer component or the internal graphics display library, and 3) depending on your other viewer settings the file may be opened in an external program, for example if it is a video file.

  • In replace mode for report table associations, the currently associated report tables are now automatically preselected, so that it's less work and less error-prone to remove or add one report table specifically.

  • The case directory is the directory that has the same name as the .xfc case filename just without the extension. It is a subdirectory of the cases directory. There is now special support for the case directory as an image storage location. If images are moved to the case directory first and then added to the case or if the path of an existing image in the case is changed to that in the case directory with the "Replace with New Image" command, these images will be referenced internally without path, and thus the image can always be found instantly even if the case is moved to a different directory or if the drive letter changes. A case that has all images in its own directory can be considered fully self-contained. References to images in the case directory without path are understood by v19.0 SR-14, v19.1 SR-7, and v19.2.

  • Changing the display time zone for an evidence object that is a partitioned, physical disk now automatically also changes the display time zone for all its partitions (dependent evidence objects).

Filters

  • A new filter concept was introduced, called FlexFilters. Two such filters are available in WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. They can target any column in the ordinary directory browser (i.e. not search hit list or event list specific columns) that the user wishes to focus on, with an arbitrary number of substrings, and they can be combined with a logical OR or a logical AND. So this makes them the only filters that can be combined with one another with a logical OR.

    For example, these new filters are useful if you wish to target files that were created or modified not in a particular contiguous period of time, but generally on certain weekdays or on weekends, i.e. where either of these columns contain the word "Saturday" or "Sunday" in the long date notation format. Also useful whenever the column-specific column filter does not give you as many options as you need (e.g. for Author, Sender, Recipients currently you can only enter one name or address or substring, and with the Description filter you cannot currently specifically target additional hard links that are optionally omitted from certain operations).

    The color that indicates that a FlexFilter is active is violet instead of blue, so that it can be better distinguished from a regular column filter. Both FlexFilters come with a NOT option, and they may also target the same column, so that you can achieve results like "show all e-mail messages sent with the name John Doe in the sender field where the sender field does NOT contain the domain name company.com".

  • Right-clicking a column header in the directory browser now quickly activates or deactivates that column's filter without showing the settings dialog window, just like when left-clicking the filter icon with the Shift key pressed.

  • Ability to output a textual summary of all currently active filters with their settings, by right-clicking the blue funnel symbol on the left or right end of the caption line of the directory browser.

Volume Snapshot Refinement

  • Indexing is now permitted as a sub-operation of a volume snapshot refinement run with multiple threads, though it is not further parallelized itself when multiple refinement threads are active.

  • Previous hash set matches for all files in a volume snapshot are not completely discarded any more when re-matching only selected or tagged files. Now only previous matches for those particular files are discarded.

  • A new option allows to restrict picture loading to just 1 worker thread at a time, with a new check box next to "Picture analysis and processing", either strictly (fully checked) or not so strictly (half checked). Please give this option a try if you experience exception errors or crashes when multiple pictures are processed simultaneously.

  • Outputs a file named ResIL.log in case of certain instability problems with picture processing for debugging purposes.

Viewer Component

  • On Jan 17, 2017, Oracle released a security patch update from Dec 12, 2016 for v8.5.3 of the viewer component. The updated version is downloadable from our web site since Jan 18, 2017. It is probably recommendable for security reasons. A list of bugs fixed was not made available. Two DLLs were updated: dewp.dll and vspdf.dll. They are probably responsible for word processing documents and PDF files.

Miscellaneous

  • When taking a volume snapshot without sector level access, e.g. of a remote network drive or a directory or a local drive letter without administrator rights, overlong paths are now supported, up to ~1000 characters long.

  • The most essential functions in X-Ways Forensics are now able to open files with overlong file paths up to ~1000 characters long (File mode, Preview mode, volume snapshot refinement, logical search).

  • Slightly improved support for 4-digit 0-based filename extensions of segmented raw images.

  • Thumbnails can now be created for and shown in the case report even when not copying and linking the original files.

  • A notification sound is output when running a simple linear search for a single match when that match has been found if the program is running in the background, to alert the user.

  • Many minor improvements.

  • User manual and program help updated for v19.2.


Changes of service releases of v19.1

  • SR-1: Some commands in the directory browser context menu in v19.1 did not always appear as they should have appeared. That was fixed.

  • SR-1: An exception error that could occur in v19.1 when hashing files should no longer occur now.

  • SR-1: The JPEG quality detection now also works for rotated JPEGs.

  • SR-2: Computing hash values and matching them against hash databases was not done repeatedly in the original v19.1 release. Now it is done repeatedly again, and that operation is now officially documented as one of the operations that will be applied repeatedly to the same files in a volume snapshot, the only other exception being indexing.

  • SR-2: Many descriptions for registry events were not output to the event list. That was changed. This improvement will also be applied to v19.0 SR-13.

  • SR-3: Prevented a rare infinite loop with certain previously existing EVTX files that are incompletely defined in volume shadow copies.

  • SR-3: Prevented a rare infinite loop when carving OLE2 compound files.

  • SR-3: Australia Adelaide time zone definition updated.

  • SR-3: Prevented a rare error with corruption of decoded textual data when running a logical search with multiple worker threads.

  • SR-3: The representation of search hits in the search hit list is now based on the code page of the search hit in certain situations where previously it was not. Improved code page based context preview specifically for search hits in ISO-2022 code pages, where the search hits and their surroundings may or may not be prepended directly with a suitable escape sequence and may or may not be just ordinary ASCII text.

  • SR-4: Support for one previously unsupported component of the PIDL data structure in OpenSavePidlMRU items in the Windows Registry.

  • SR-4: Fixed a stability problem in the Registry Viewer.

  • SR-4: Index searches for two words that are delimited by a space were unsuccessful in certain files. That was fixed.

  • SR-4: Some sent e-mails extracted from PST archives were presented with erroneously inserted header lines. That error in the extraction process was fixed.

  • SR-4: Fixed an exception error that could occur in v19.1 when selecting files, events or search hits in the Case Root window.

  • SR-5: Fixed potential hanging during XViD metadata extraction.

  • SR-5: Prevented an exception error that could occur at the end of indexing when not even a single word was found to index.

  • SR-5: Fixed inability to read files representing uncovered data embedded in HFS+-compressed files.

  • SR-5: Fixed an error in the Registry Viewer search.

  • SR-6: Certain currently unsupported file system level compression styles in HFS+ volumes are now recognized as such, and the affected files will be shown with their correct file size and "only metadata available" in the description.

  • SR-6: Fixed an exception error that occurred with template variables within loops if their names were longer than 30 characters.

  • SR-6: Since v17.3, files with child objects and an unknown hard-link count were potentially included in evidence file containers multiple times. That was fixed.

  • SR-6: Page count of some special PDF documents now reported correctly.

  • SR-7: Fixed an exception error that occurred in the X-Tension API function XWF_CreateEvObj if the case was still empty.

  • SR-7: Gallery scroll position is reset when the directory browser is re-filled.

  • SR-7: Uninitialized areas of NTFS-compressed files no longer have an undefined status, but are now presented with the data as stored on the disk, just as with ordinary (not compressed) files.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#153: X-Ways Forensics, X-Ways Investigator, WinHex 19.1 released

Jan 19, 2017

This  mailing is to announce the release of another notable update with many important improvements, v19.1.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

NEW: If when querying your licenses you do not receive any e-mail message at your work address because your organization is blocking the sending server, you now have the option (here) to get the e-mails sent from an alternative server (different domain, different IP address), for a second chance to actually receive something.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Jan 27 Miami, FL NTFS/XWFS2
Feb 13-16 London, England X-Ways Forensics
Feb 20-23 London, England X-Ways Forensics
Feb 27-Mar 2 Ottawa, ON X-Ways Forensics
Mar 13-16 London, England X-Ways Forensics
Mar 21-28 Victoria, BC X-Ways Forensics, X-Ways Forensics II
Apr 11-12 London, England X-Ways Forensics II
Apr 19-21 Washington DC area X-Ways Forensics II, XFS
May 9-12 New York City X-Ways Forensics
May 15-19 Boston, MA X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


What's new in v19.1?
(please note that most changes apply to X-Ways Forensics only)

File Type Support

  • Support for Google's Chrome sync database, where information can be found that is synchronized across devices, such as bookmarks, form history, typed URLs, synced devices and much more. A preview HTML file is generated, and events are output to the event list.

  • Ability to view upside-down Bitmap pictures with the internal graphics display library and in the gallery. (To see them flipped vertically, you currently have to view them with the viewer component, though.)

  • TAR archive processing revised.

  • Fixed inability to process BZ2 archives.

  • More reliable detection of pictures as screenshots (output as report tables "Screenshot" and "Screenshot?").

  • New report table "Scan" for PDF and JPEG files that contain a scan. The detection is based on generator signatures "PDF/Scan" and "JPEG/Scan".

  • Most JPEG pictures that were transcoded by Facebook and downloaded from Facebook are now identified as such in the Metadata column by their generator signature.

  • PDF metadata extraction improved especially for Acrobat 10 PDF files.

  • Tentative extraction of Exif metadata fields that are damaged in a certain way.

  • Revised metadata extraction for JPEG. ICC profiles are evaluated, including timestamps.

  • New file type signature for .0tx Tobit e-mail defined.

  • Generator signature table further revised.

  • The type status "mismatch detected" now has an effect on the assumed relevance of a file.

  • The relevance of a file now more reliably takes into account whether or not a picture is a screenshot.

  • Improved stability while processing EDB databases. Users of v18.8, v18.9, and v19.0 may replace their copy of the file EDBex.dat with the new version that at first is tentatively included in v19.1 only.

  • Sender and recipients are now also shown for MSG files to which e-mail processing was applied, not only for the extracted .eml file.

File System Support

  • Extended attributes in HFS+ are now optionally included in the volume snapshot as child objects of the files or directories to which they belong (in X-Ways Forensics only) depending on a new 3-state volume snapshot option. If fully checked, extended attributes are presented as child objects even when they have been specially interpreted already by X-Ways Forensics internally. If half checked (default setting in X-Ways Forensics), they are presented as child objects only if they are not specially interpreted by X-Ways Forensics assuming that the user might want to check them out manually.

  • Ability to open files with resident/inline storage in HFS+.

  • Ability to recognize and open compressed files in HFS+.

  • HTML previews are now generated during metadata extraction for the GZ archives that contain Apple FSEvent logs.

  • Event extraction from Apple FSEvent logs.

  • Recognition of new file system level compression style in NTFS under Windows 10.

  • In newly taken volume snapshots, alternate data streams now show hard link counts in the same way as their parents, so that the alternate data streams of additional hard links can be optionally omitted from searches etc.

Disk Imaging

  • The descriptive text file that is generated for images now points out the exact sizes in bytes of all segments of raw images files and the exact chunk counts in all segments of .e01 evidence files. If for whatever reason one or more segments get lost or corrupted, this allows to create artificial placeholder segments of the right capacity to fill in any gaps, such that all the data in subsequent segments will have the correct logical distance from the data in preceding segments, to preserve validity of pointers within the data (partition start sectors in the partition table, cluster numbers in file system data structures) as long as the original image file segments that contain source and destination are available.

  • Ability to conveniently create dummy/makeshift segments for .e01 evidence files that can substitute missing/lost/corrupt original segments, with the File | New command. The user specifies the required chunk size and the number of chunks as well as a filename for the desired segment (must be with the correct extension, identifying the segment number, not number 1). The data written into the chunks is a recurring textual pattern ("MISSING IMAGE FILE SEGMENT!" when running X-Ways Forensics in English), so that you know that you are looking at a gap in between available data when browsing the interpreted combined image later. The idea of such an artificial dummy segment is that if correctly created it can serve as a placeholder that ensures that data in subsequent segments has the correct logical distance from the data in preceding segmented. Of course, the hash of the entire image cannot be successfully verified any more if the original data is not present, and of course, this functionality should be used only as a last resort if there is no backup of the missing segment file and if data recovery fails etc., and creation and usage of such a dummy image file segment should be properly documented. (forensic license only)

  • When interpreting an .e01 evidence file that contains dummy segments, you will be notified, and the total number of placeholder chunks are noted in the evidence object properties when the image is added to the case.

  • If you require a placeholder for a single missing segment of which you don't know the chunk size and chunk count because the image was created without the new information in the descriptive text file, this is how to find out: Change the filename extension of the penultimate segment to that of the missing segment so that there is no gap. Then rename the last segment to the now missing penultimate segment. (If the missing segment actually is the penultimate one, the last step is sufficient; if the missing one is the last, no renaming is required at all.) Then add the image (first segment) to a case in X-Ways Forensics as usually. X-Ways Forensics will bring the misnamed segment to your attention in the Messages window, which can be ignored. Check the evidence object properties for the chunk size as well as the expected chunk count and the actually referenced chunk count. Subtract the actually referenced chunk count from the expected chunk count. Now you know how many chunks are missing. Change the filename extension back to what it was before, and then create the missing dummy segment with the correct chunk size, correct chunk count, and correct extension.

    With a variation, this approach also works if multiple consecutive segments are missing, just you rename more available segments to fill the gap in the first step, and you create as many dummy segments as necessary to fill the gap. Which dummy segment exactly contains how many surrogate chunks is not important as long as the total number of surrogate chunks must account exactly for the total number of missing chunks. If multiple discontiguous segments are missing, suitable dummy segments can only be created with the new information from the descriptive text file.

Volume Snapshot Refinement

  • Multi-threading: Option to set the number of worker threads to 1, which means that one extra thread is started for processing, separate from the main thread, so that GUI interaction is possible without time lag. Useful for example on a terminal server with many concurrent users, where you should not start too many threads, but may want to be able to at least use the GUI quickly. If the number of additional threads is set to 0, that means processing is done like in v19.0 with 1 thread or generally in v18.9 and before by the main thread itself, so that GUI interactions may be slow.

  • Ability to pause multi-threaded operations with the Pause key.

  • It is now possible to omit not only known irrelevant files, but also known relevant files from further volume snapshot refinement. Useful for example if in large cases you have or expect really many such files and having proof of their presence is sufficient for you and you don't need to extract their internal metadata, don't need to compute their skin tone percentages or PhotoDNA hashes, and don't need to check them for embedded data etc.

  • If matches are returned from regular hash databases as well as the PhotoDNA hash database at the same time with conflicting categorizations, the "more severe" category prevails: unknown < known good < known, but uncategorized < known bad

  • The option to mark a file as already viewed when it gets categorized as irrelevant is now applied to the combined result of ordinary hash database and PhotoDNA hash database matching.

  • Internal metadata is now extracted into the Metadata column only from files of selected categories.

  • Options | Security | "Collect information for crash report" is now a 3-state check box. If fully checked, should volume snapshot refinement crash the program, restarting the program will also point out which suboperation exactly was applied to the problematic file(s) when the program crashed. It has not been tested whether this enhanced granularity of logging might cause any noticeable slowdown. There may be multiple candidates for the problematic file that triggered the instability if multiple worker threads were active at the time of a crash. Unlike in v19.0, all of them are now logged, and they are now presented with the help of the Int. ID filter upon restart.

Report Tables

  • When checking for duplicate files based on hash values, identical files can now optionally be grouped in dedicated report tables so that you can conveniently list each group of duplicates in the directory browser with the report table filter, for example to find out which copy of the file was created first, which was was touched last, which one might be of most evidentiary value based on metadata such as path etc. Unlike marking duplicates as so-called related items, report table grouping works even across evidence object boundaries, so you are not limited to comparing duplicates within the same evidence object.

  • Report tables that represent groups of duplicate files are highlighted in turquoise. In total there are now 5 different kinds of report tables: 1) user-created report tables, for example for report purposes, 2) report tables created by X-Ways Forensics to make the user aware of special properties of files, 3) report tables representing search terms that are contained in a file, 4) report tables representing hash sets in which a file was found, 5) report tables representing groups of duplicate files.

  • The maximum number of report tables in a case was increased from 256 to 1000.

  • To avoid a bloated list of report tables available for selection during report creation, report tables are now offered in that dialog window only if they are actually intended for report purposes. That is assumed by default for all user-created report tables. And you can toggle the report purpose of each report table in the report table association dialog window, by assigning or removing the "star" symbol.

  • When taking a new volume snapshot, all report table associations in that evidence object are discarded. If that completely empties a report table that is not marked as intended for report purposes, such a report table will now be automatically deleted from the case at that occasion.

Usability & User Interface

  • Options | Viewer Programs now offers grayscale thumbnails for true-color pictures in the gallery. This option is meant for law enforcement users whose job is to review child pornography photos, to reduce the mental impact and stress level.

  • A new 3-state check box in General Options prevents Windows screensavers from starting and potentially requiring to re-enter the current user's password, either only during operations that show a progress indicator window (if half checked) or generally while the program is running (if fully checked). This option has an effect no matter whether the main window is visible or whether the program is running in the background. Useful for example when acquiring a live system of which you don't want to lose control during imaging, or if you wish to keep an eye on the progress indicator on your own machine from another corner in your office.

  • More user-friendly behavior when trying to change the edit mode in data windows where that is not allowed because of not running X-Ways Forensics as WinHex or because of the strict drive letter protection.

  • Convenient option to automatically open the output directories of Recover/Copy after completion.

  • In Edit | Define Block it is now optionally possible to enter the size of the block instead of its end offset. And it is now possible to enter the start and end of a block in terms of sector numbers instead of offsets directly.

  • The option to use the viewer component also for pictures is now presented as an easy-to-reach button in Preview mode, named "VC", so it is now much quicker to switch between the internal graphics viewing library and the separate viewer component. Previously, users had to go to the Options | Viewer Programs dialog window for that, for example to get a second opinion in case of corrupt pictures. Also, some users probably had this option always enabled simply because they thought it was a "must" to view pictures with the viewer component, to get pictures displayed at all, not knowing that pictures are by default displayed by the internal graphics viewing library in X-Ways Forensics.

  • Directory icons for evidence objects that are directories, in the Case Data window, so that they can be distinguished from volumes.

  • Under Windows Vista and later, attachments are now conveniently linked from the alternative e-mail representation in Preview mode.

  • Tidied up Case Data context menus.

  • French translation of the user interface updated. (Not guaranteed to be error-free.)

  • Check boxes with long text labels in Romance languages that get truncated because of the limited space available now automatically come with tooltips that reveal the complete text when hovering the mouse cursor over the control.

  • The Navigation | Go To menu commands are now available in File mode.

  • "Display SHA-1 & TTH192 in Base32" is now a Notation option.

  • Some dialog windows are now slightly more clearly structured.

X-Tensions API

  • The XWF_CreateFile function now supports a new flag, which allows to create files in the volume snapshot with data as provided in a buffer.
  • Documentation updated.

Miscellaneous

  • The Full path column now comes with a filter.

  • New options when importing or creating hash sets in the ordinary hash databases and the block hash database. Duplicate hash values that are already contained in the hash database can either be removed from the newly created or newly imported hash set or from all existing hash sets, to keep the hash database more compact/less redundant.

  • A new command in the Case Data window's context menu allows to mark an evidence object with a light bulb icon as a visual aid to locate it if important.

  • Another new command in the Case Data context menu allows to conveniently make a backup of the selected evidence object's volume snapshot. Backups can be restored at any later time with the same command, and they can also be deleted with the same command (right-click an item in the list of backups to get the Delete command). Such a backup is like a snapshot of the volume snapshot. Useful if you think you might want to revert to a certain processing stage later (i.e. undo changes to the volume snapshot), for example after having carefully tagged thousands files that you don't want to lose, before running a file header signature search with experimental settings that might produce a lot of garbage files, before attaching external files with options that you had never tried before, before running an X-Tension made by a 3rd party, before totally removing excluded items from the volume snapshot etc.

    Report table associations, events, and search hits are also included in the backup. Search hits can be restored from a backup only if the search term list of the case did not change in the meantime. Indexes are not included in the backup, but can be manually backed up, of course.

  • The same command applied at the case level (right-click the case title in bold for that) allows to make a backup of the entire case, covering all evidence objects' volume snapshots, all report tables, events, search terms, search hits, indexes, image file paths, etc. etc. Such backups can be restored from the same dialog window. Such backups can also be opened directly with the Open Case command if necessary, as they are complete copies of a case. (Backup .xfc file are created with the "hidden" attribute, though, as they are meant to be dealt with within X-Ways Forensics only.)

  • Duplicate files can now also be recognized by the secondary hash value.

  • Duplicate files can now also be recognized by identical start sectors (within the same evidence object).

  • It now possible to optionally ignore additional hard links when checking for duplicate files.

  • Option to print selected fields on the cover page in bold letters and in a different color, to point the attention of the reader to a certain aspect.

  • New upper/lower case conversion option for textual data in UTF-16 (Edit menu).

  • Separate notation options for the case report just like for exported lists.

  • FYI, two users confirmed independently that the anti-virus software Webroot SecureAnywhere causes random crashes (program terminations) in X-Ways Forensics. So it is not recommended to use the two on the same computer at the same time.

  • Many minor improvements.

  • Some minor fixes.

  • User manual and program help updated for v19.0.


Changes of service releases of v19.0

  • SR-1: Fixed inability of v19.0 to recognize a few file types (those with the "x" flag), including SQLite 3.

  • SR-1: Fixed an instability problem in the registry viewer.

  • SR-1: Fixed crashes that could occur since v18.9 when extracting metadata from certain Linux PNG thumbnails.

  • SR-1b: Fixed an error in File mode in X-Ways Investigator.

  • SR-2: Fixed inability of v19.0 to read a few sectors on very large hard disks.

  • SR-2: Fixed error in file type verification and uncovering embedded data when run with multiple threads.

  • SR-2: Fixed an error where attachments were not extracted from certain .eml files.

  • SR-2: Fixed new option to link attachments from HTML previews of e-mails in the case report.

  • SR-2: Fixed potentially wrong time zone translation of timestamps in transcoded Nikon photos.

  • SR-3: Fixed a volume snapshot data corruption problem in multi-threaded picture analysis and processing.

  • SR-3: More complete extraction of Chrome web history in some cases.

  • SR-4: Fixed an exception error that could occur when providing the alternative e-mail representation for certain e-mail messages.

  • SR-4: Fixed a potential exception error that could occur when running a file header signature search on physical, partitioned media.

  • SR-4: Fixed inability of X-Ways Forensics 19.0 to view contained files in separate windows from within representations of the viewer component.

  • SR-5: Fixed an I/O error that could occur when the case auto-save interval elapsed while refining the volume snapshot with multiple threads.

  • SR-5: Report table descriptions were not handled correctly when deleting a report table. That was fixed.

  • SR-5: Fixed a crash that could occur with certain SQLite databases.

  • SR-5: Fixed a rare exception error that could occur during multi-threaded relevance computation.

  • SR-5: Fixed an exception error that could occur when exporting search hits with context in TSV format.

  • SR-5: Extraction of certain embedded pictures in .eml files.

  • SR-6: The hash filter did not correctly target the 2nd and 4th hash value if the hash type was 2 or 4 bytes in size (e.g. CRC32). That was fixed.

  • SR-6: Fixed an I/O error that could occur in v18.9 and v19.0 when applying File Recovery by Type to an uninterpreted image file.

  • SR-6: The internal graphics viewing library now represents Windows Bitmaps with 32 bits per pixel in correct colors. Fixed skin tone computation for certain Bitmaps with 8 bits per pixel.

  • SR-6: Fixed a potential infinite loop that could occur during a file header signature search for Zip archives when data of JNX files was found.

  • SR-6: Upward searches did not run correctly in v19.0. That was fixed.

  • SR-7: Support for previously unsupported SQLite database files.

  • SR-7: Multi-threaded operations generally more reliable now.

  • SR-7: When matching the files in a volume snapshot against hash databases more than once, previous matches according to the "Hash set" column are now automatically discarded. The hash category remains. This is for performance reasons. Keeping previous and new matches consistent and free of duplications potentially took a lot of time and was not optimized. Users of v18.7 through v18.9 have the option to discard hash set matches and categorizations for selected files with Ctrl+Shift+Del first to accelerate re-matching.

  • SR-7: Fixed problems when loading certain GIF files that contain extension blocks.

  • SR-7b: Fixed error in hash database matching with multiple threads.

  • SR-8: Fixed a crash that could occur when exploring certain keys in registry hives.

  • SR-8: Fixed an exception error that could occur when uncovering embedded data in certain executable files.

  • SR-8: Fixed a rare exception error that could occur when verifying the type of zip archives.

  • SR-8: Sorting by filename extension is now case-insensitive.

  • SR-8: Fixed a crash that could occur in v19.0 when extracting e-mails/attachments from MBOX e-mail archives and original .eml files.

  • SR-8: Prevented unnecessary inclusion of traces of existing files from volume shadow copies in the volume snapshot in certain situations.

  • SR-8: Fixed a cause for multi-threading instability.

  • SR-8: Improved stability with special GIF and TIFF pictures.

  • SR-9: For some few JPEG/TIFF files the extracted "Content created" date was wrong or incorrectly marked as local time. That was fixed.

  • SR-9: There was a problem with the multi-threading option on VMDK images and in Ext* file systems. That was fixed.

  • SR-9: Prevented potential instability with carved .lnk shortcut files.

  • SR-9: Warns the user of GUID conflicts among Windows dynamic disks if open at the same time, to prevent wrong volume-disk connections.

  • SR-10: Fixed inability of v19.0 SR-8 and SR-9 to make certain changes to PhotoDNA databases.

  • SR-10: The category of PhotoDNA hash database matches no longer supersedes that of regular hash database matches during the same snapshot refinement run.

  • SR-10: Fixed a potential crash that could occur when extracting metadata from $UsnJrnl:$J.

  • SR-10: Fixed an exception error that could occur when uncovering embedded data from PE executable files.

  • SR-11: Newly identified 3GP files were erroneously assigned to the category "Other/unknown type" by the file type verification in v19.0 SR-1 and later. That does no longer happen now.

  • SR-11: X-Tension API: Two new kinds of evidence object IDs can now be retrieved with the XWF_GetEvObjProp function (nPropType 3 and 4).

  • SR-11: Fixed inability of v19.0 to copy certain files along with the case report under certain circumstances if the type status was "newly identified".

  • SR-12: Fixed an I/O error that could occur when extracting e-mails from e-mail archives while multiple threads were active.

  • SR-12: Full filename matches in the Type filter did not count if the type status was "newly identified" or "confirmed". That was fixed. In v18.8 and later, full filename matches should have been ignored only if the type status was "mismatch detected".

  • SR-12: Fixed an exception error or crash that could occur under certain circumstances when opening partitions in X-Ways Investigator without opening the parent disk first.

  • SR-12: LVM2 container partitions are now interpreted properly even if the designated partition type in the MBR or GPT is wrong.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

> Archive of the year 2016 <

> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <