
WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#140: X-Ways Forensics, X-Ways Investigator, WinHex 17.8 released

Jul 7, 2014

This mailing is to announce the release of another notable update with many improvements, v17.8.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed; others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.8 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Now on Twitter: https://twitter.com/XWaysSoftware


Upcoming Training

Canberra, Australia, Jul 28-31, 2014
Chicago area, IL, Sep 8-12, 2014
Calgary, Canada, Sep 22-26, 2014
Toronto, Canada, Sep 29-Oct 3, 2014
Ottawa, Canada, Oct 6-10, 2014
Los Angeles, CA, Oct 13-17, 2014
and London, England, Oct 27-Nov 5, 2014 (mega training event that includes the new X-Ways Forensics II training course, for experienced users and previous attendees of the regular X-Ways Forensics training!)

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v17.8?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Searching

  • Option to apply logical simultaneous searches to various metadata of files in addition to the file contents. More precisely, they can be applied to the cells of any selected directory browser column such as Name, Author, Sender, Recipients or Metadata. That spares you from pasting your keywords into the filter dialogs of the various directory browser columns. This approach is also more thorough, because all the text addressed by this new feature is searchable in UTF-16, whereas elsewhere the same data may be fragmented (e.g. filenames, in particular in FAT), specially encoded (e.g. sender and recipients as quoted-printable in e-mails), compressed, or stored in unexpected code pages. It is also convenient because any hits are presented in the same fashion and listed like ordinary search hits in file contents; they are merely marked in the search hit description column with the name of the column that the text containing the hit belongs to, and highlighted in a different color. You can also filter for search hits in metadata.

    When selecting search hits in metadata, they are automatically searched for and highlighted in Details mode, just as ordinary search hits in file contents are automatically searched for and highlighted in Preview mode.

    Note that the simultaneous search in metadata does not search in additional cell text that is displayed in a different color, such as alternative filenames and file counts in the Name column.

  • Option to sort search hits by their data and context instead of just by the search terms to which they belong. Helpful for keyword searches (not for technical searches, e.g. for hex values). Can be enabled in the dialog window Options | Directory Browser | [x] Advanced sorting (slower) | ... and is indeed slower, since the data and context of all search hits to sort have to be read and converted to a comparable code page.

    Sorting by the data in search hits helps for GREP searches. It makes a difference only for GREP expressions that match variable data, as for constant search terms the search term and the data in its corresponding search hits are identical. For example, after searching for e-mail addresses with the expression [a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}, sorting by the data allows you to quickly identify and visually skip groups of identical e-mail addresses, or to see similar e-mail addresses (starting with the same characters) next to each other.

    When the search hit data is identical, sorting continues by the text that follows the actual search hit, so that identical or similar text passages appear next to each other and the search hit list can be reviewed more quickly.

    You can specify how many characters of data and context to take into account for sorting. The more characters, the more memory is needed for sorting, which can make a difference when listing a huge number of search hits.

  • Ability to filter search hits by the textual context around them (up to ~1000 bytes each left and right) using a user-specified keyword.

  • The maximum amount of context around search hits when exporting them in HTML or TSV format is now 2x ~1000 bytes as well (500 before).

  • User search hits are now marked with an icon representing users. Notable search hits and user search hits can now be filtered using the Search hits column filter.
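As an added illustration of the search hit sorting described in the Searching section above (this is example code written for this page, not code from the newsletter or from X-Ways Forensics), the following Python script applies the e-mail GREP expression quoted above to a constructed text buffer and then orders the hits by their own data and, for identical data, by the text that follows them, with the configurable character limits that the sorting option mentions. The sample text, the `find_hits`/`sorted_hits` names and the 40/20 character limits are assumptions.

```python
import re

# Constructed sample buffer (not real evidence): five e-mail addresses, two of
# them identical, so that sorting by data groups them and sorting by the
# following context orders the identical ones.
SAMPLE_TEXT = (
    b"Contact alice@example.org for billing. "
    b"Report abuse to abuse@example.org immediately. "
    b"alice@example.org is also on the team list. "
    b"bob@example.net handles logistics; "
    b"alice@example.com is a different person."
)

# The GREP expression from the release notes, used as a byte pattern.
EMAIL_GREP = rb"[a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}"


def find_hits(data, pattern):
    """Return (offset, hit_bytes) for every match in file order, i.e. the
    order of an unsorted search hit list."""
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, data)]


def sort_key(data, offset, hit, data_chars=40, context_chars=20):
    """Sort first by the hit data itself, then by the text following the hit.
    Both parts are truncated to a configurable length, which is the memory
    trade-off the option describes. Lower-casing makes the comparison
    case-insensitive, as a keyword search usually is."""
    following = data[offset + len(hit): offset + len(hit) + context_chars]
    return (hit[:data_chars].lower(), following.lower())


def sorted_hits(data, pattern, data_chars=40, context_chars=20):
    """Search hits ordered by data and context instead of by file position."""
    hits = find_hits(data, pattern)
    return sorted(hits, key=lambda h: sort_key(data, h[0], h[1],
                                              data_chars, context_chars))


if __name__ == "__main__":
    for offset, hit in sorted_hits(SAMPLE_TEXT, EMAIL_GREP):
        print(f"{offset:6d}  {hit.decode()}")
```

Run as a script, the output lists the two identical alice@example.org hits next to each other, the one followed by "for billing" first, with abuse@example.org and alice@example.com before them and bob@example.net last.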

Usability

  • A new multi-user support option synchronizes certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. Can have some performance benefits if disabled. Disabling this synchronization is recommendable only for cases that are definitely only processed by 1 user at a time. This is a substitute for one of the effects of the now removed option "Extended multi-user coordination" from previous versions.

  • Since v17.5, X-Ways Forensics recognizes users by their SIDs and distinguishes between them (and their findings). This is now optional in newly created cases and can be disabled in the multi-user support options dialog when creating a new case. Useful if you know that only you will process that case and wish to process it on different computers where you have Windows accounts with different SIDs, so that you will always be treated as the same user. Also useful if multiple users are going to process the same case at different times and wish to share all their results, as in X-Ways Forensics before v17.5.

  • Option to limit the import of another user's search hits to search hits that are marked as notable or to that user's manually defined search hits (so-called user search hits).

  • Option to take away the other user's search hits when importing them. Useful if the other user is going to resume his or her work later and will then want to import *your* search hits back: since your search hits include his or her hits once you have imported them, taking them away avoids duplicate search hits.

  • Ability to expand or collapse the entire file type tree in the dialog window for the file header signature search and file recovery by type. Useful because when expanded you can just type the first few characters of the file type description to automatically jump to the first matching item in the tree.

  • Ability to conveniently load keywords from a text file into the Name filter and save them directly from the dialog window.

  • Ability to omit child objects and/or excluded files when running an X-Tension on selected files.

File System Support

  • New directory browser columns named Created², Modified², and Record changed² introduced, showing alternative creation, last modification and last FILE record/Inode change timestamps. Specialist license or higher. For NTFS, they are populated in newly taken volume snapshots with timestamps from the 0x30 attribute and represent previously valid timestamps from when a file was last renamed or moved, or possibly before some backdating operation occurred. Backdating operations are often applied by setup programs and also Windows itself (the infamous Creation timestamp tunneling effect, http://support.microsoft.com/kb/172190), and of course potentially by ordinary application programs as well as by users for various legitimate or less noble purposes. Note that these columns are populated only if these previously valid timestamps are actually different from their current counterparts, and additionally Modified² and Record changed² only if different from Created², to avoid cluttering the screen unnecessarily. That means any timestamp that you see there actually contains additional information and is not redundant.

  • Created² is also populated for HFS+ file systems, with the relatively new "Added date" timestamp from Mac OS X Lion and later as well as iOS, where available and if different from the regular Created date. That timestamp specifies when a file was added to the particular directory in which it is contained, even if originally created earlier. "Added date" timestamps in HFS+ are also output as events.

  • All ² timestamps shown in the directory browser are now also preserved in evidence file containers.

  • NTFS last access timestamps are now displayed in gray if identical to the creation timestamp, as that on most systems likely means that these timestamps are simply not maintained and thus not very significant.

  • Volume shadow copy exploitation revised.

  • Sparse files are now represented with a tilde (~) instead of the word "sparse" in the Attr. column. It is now possible to set the sparse attribute to any existing file on your own drive or remove that attribute via the File | Properties dialog window, as always by pressing the Enter key while the edit box in which you made changes has the input focus. Please note that setting or removing the attribute does not necessarily change the allocation status of already assigned clusters, but will definitely have an effect on newly assigned clusters when you expand the file, by setting a larger file size in the same dialog window.
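As an added example (not from the newsletter or from X-Ways Forensics) of the timestamp rules in the Created²/Modified²/Record changed² bullet and the grayed last access bullet above: the following Python script decodes the four FILETIME values at the start of a $STANDARD_INFORMATION (0x10) attribute body and after the 8-byte parent reference of a $FILE_NAME (0x30) attribute body, populates the ² columns only where the 0x30 value differs from its 0x10 counterpart (and, for Modified² and Record changed², also from the 0x30 creation time, which is the reading of "different from Created²" adopted here), and flags a last access timestamp equal to the creation timestamp as not maintained. The attribute bodies are constructed for the example, not taken from a real volume, and the function names are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer timedelta division keeps the value exact (no float rounding).
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_standard_information(body):
    """Attribute type 0x10 ($STANDARD_INFORMATION): the body begins with four
    FILETIMEs: creation, modification, MFT record change, last access."""
    c, m, r, a = struct.unpack_from("<4Q", body, 0)
    return {"created": c, "modified": m, "record_changed": r, "accessed": a}


def parse_file_name(body):
    """Attribute type 0x30 ($FILE_NAME): an 8-byte parent directory reference,
    then the same four FILETIMEs. They are rewritten only when the file is
    renamed or moved, which is why they can preserve previously valid values."""
    c, m, r, a = struct.unpack_from("<4Q", body, 8)
    return {"created": c, "modified": m, "record_changed": r, "accessed": a}


def secondary_timestamps(si, fn):
    """Decide which ² columns to populate: a 0x30 timestamp is shown only if it
    differs from its 0x10 counterpart; Modified² and Record changed² only if
    they also differ from the 0x30 creation timestamp (assumed reading)."""
    cols = {}
    if fn["created"] != si["created"]:
        cols["Created²"] = fn["created"]
    for column, key in (("Modified²", "modified"),
                        ("Record changed²", "record_changed")):
        if fn[key] != si[key] and fn[key] != fn["created"]:
            cols[column] = fn[key]
    return cols


def last_access_maintained(si):
    """A last access time equal to the creation time usually means the system
    does not update access times; the release notes gray such values out."""
    return si["accessed"] != si["created"]


def report(si, fn):
    """ISO 8601 UTC strings for the populated ² columns."""
    return {column: filetime_to_datetime(ft).isoformat()
            for column, ft in secondary_timestamps(si, fn).items()}


def _ft(*ymdhm):
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


# Constructed sample (not from a real volume): the 0x10 creation time was
# backdated to 2009 while the 0x30 attribute still carries the real 2014
# creation time; the last access time equals the creation time.
SAMPLE_STANDARD_INFORMATION = struct.pack(
    "<4Q", _ft(2009, 1, 1, 0, 0), _ft(2014, 7, 2, 9, 30),
    _ft(2014, 7, 2, 9, 30), _ft(2009, 1, 1, 0, 0)) + bytes(16)  # flags etc. zeroed
SAMPLE_FILE_NAME = struct.pack(
    "<Q4Q", 5, _ft(2014, 7, 1, 10, 0), _ft(2014, 7, 1, 10, 0),
    _ft(2014, 7, 1, 12, 0), _ft(2014, 7, 1, 10, 0)) + bytes(24)  # sizes/name zeroed

if __name__ == "__main__":
    si = parse_standard_information(SAMPLE_STANDARD_INFORMATION)
    fn = parse_file_name(SAMPLE_FILE_NAME)
    print(report(si, fn))
    print("last access maintained:", last_access_maintained(si))
```

For the sample record only Created² (the real 2014 creation time) and Record changed² are reported; Modified² is suppressed because it equals the 0x30 creation time, and the last access value is flagged as not maintained.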

File Type Support

  • Support for a relatively new Windows registry format specialty found for example in Windows 7 AppCompatCache keys.

  • Support for the Windows 8 successor of AppCompatCache, i.e. the Amcache.hve hive, using a dedicated registry report definition file named "Reg Report Amcache.txt", which allows you to produce a report and extract related special events.

  • File type verification updated.

  • Support for nested e-mails when embedding attachments in parent .eml file.

  • More complete artificial headers for sent e-mails from Exchange databases, which allow attachments to be properly referenced in the .eml representation.

  • Support for another thumbs.db format variant.

C4All

The popular C4All program, used by law enforcement and others worldwide to categorize pictures and videos, is now available as an X-Tension, from the C4All forum and here, for free. For v17.7 SR-5 and later. About 6 times faster in X-Ways Forensics than in competing software! Thanks to Steve Frawley, D. F., and Trevor F. for their great work. The downloadable guides describe how to best use the X-Tension with the strategy hash sets, but your own hash sets can be used as well.

Benefits of the X-Tension, showcasing the advantages of X-Tensions in comparison to scripts in other forensic software:

  • Fewer steps to follow than original C4All process.

  • Speed, speed, speed.

  • Even faster if run locally and saved locally, up to 30 GB/min speeds on SSD drives observed.

  • Crash protection, using X-Ways Forensics' ability to resume if there is a crash during preparation of data.

  • If the X-Tension is interrupted, there is the option to resume, start new or if needed just make new XML file.

  • Ability to filter out irrelevant files and false positive carved files before C4All extraction.

  • Hash sets are connected to X-Ways and not to an SQL server (this allows known irrelevant files to be excluded from extraction).

  • Hash sets are transferable by simply copying the folder and pointing X-Ways Forensics to the storage location; no need to wait all day for a database to be created.

  • Ability to use your own hash sets, up to ~65,000.

  • Better resulting folder structure, especially when run against many evidence objects in one case.

  • Results can be extracted from C4All in HashKeeper format, to be easily brought back into the X-Ways Forensics case; no need to run any bookmarking script.

  • Thumbnails are extracted from files that include thumbnails or are created by X-Ways Forensics itself; if a file already contains a thumbnail, it is not used twice, which reduces duplicate files.

  • When processing, all functions of X-Ways Forensics are available during X-Tension run phase.

  • Able to use X-Ways Forensics' reporting features for court and presentation.

  • Video stills extracted from within X-Ways Forensics.

VirusTotal X-Tension

This new X-Tension allows an examiner to check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the messages window. Note that this does not submit the file to VirusTotal, it only checks to see if an existing report exists for a given file's hash value and retrieves the results. All checks are performed via SSL. X-Tension available from here. Developed and tested with X-Ways Forensics 17.7, but should work with any version past v16.9. Thanks a lot to Chad Gough for this effort, based on his own C# adaption of the X-Tension API.

Miscellaneous

  • Ability to export the category statistics of listed files via the Category column's filter popup menu if the Category filter is not active, as tab-delimited text.

  • The folder for templates, X-Tensions and scripts may now be a relative path. Previously only "." was supported.

  • In previously taken volume snapshots of HFS+ file systems, the contents of files with a hard-link count of 1 were not accessible if such files had an associated iNode file. That was fixed. Such files that unexpectedly have an associated iNode file are now marked with a ° in the Link count column.

  • Fixed an issue where the columns "Term count" and "Search terms" were populated only after the search hit list for an evidence object had been displayed once.

  • Many minor improvements.

  • Program help and user manual updated for v17.8.


Changes of service releases of v17.7:

  • SR-1: After using the [x] "Replace evidence object with image" option of disk imaging with active [x] "Improved recognition of physical media", partitions could not be opened any more until the image was removed from and added back to the case. That was fixed.

  • SR-1: Fixed inability of the Exchange EDB extraction to use a folder for temporary files on a network drive.

  • SR-1: Fixed inability to select hash sets for filtering when the hash database was in use already.

  • SR-1: Fixed an exception error that could occur when extracting metadata from certain SQLite databases in some rare constellations.

  • SR-1: Slightly more thorough processing of volume shadow copies.

  • SR-2: Fixed an exception error that could occur in some random situations when creating registry reports.

  • SR-3: Fixed inability of v17.6 and later to read sectors of all disks when just 1 disk was inaccessible.

  • SR-3: Fixed inability of v17.6 and later to automatically add multiple decompressed hiberfil.sys files to the same case as evidence objects.

  • SR-3: Fixed misrepresentation of alternative filenames for volume shadow copy host files that reference recycle bin files in v17.6 and later.

  • SR-3: Fixed unnecessary "device not ready" error message for optical drives.

  • SR-3: New flag 0x10 supported for the XWF_OpenItem X-Tension function: open alternative file data if available, and fail if not.

  • SR-4: Fixed uninherited deletion statuses of e-mail attachments in original .eml files, DBX and MBOX.

  • SR-4: Fixed a rare infinite loop when taking a volume snapshot of Ext4 file systems.

  • SR-4: Fixed inability to determine original filenames for thumbnails from thumbcache*.db in certain cases.

  • SR-4: Fixed missing case association of automatically re-opened partitions when restarting the program or using the File menu history.

  • SR-5: Fixed inability of the Registry Viewer in v16.9 and later to show extended key information and value sizes and to highlight values in File mode for additionally loaded hives beyond the first one.

  • SR-5: X-Tensions API: New flags "Flagged" and "Selected for operations" supported in XWF_GetEvObjProp.

  • SR-6: Fixed an error of missing search hits representing block hash matches.

  • SR-6: Fixed an exception error that could occur when deleting duplicate block hash matches.

  • SR-7: Fixed an error that could occur under certain circumstances in video processing when working with a relative MPlayer path.

  • SR-7: Tries to avoid a potential time-out error that may have occurred when searching in extremely large indexes.

  • SR-7: Fixed an exception error that could occur when automatically adding known duplicates of selected files to report tables.


The X-Ways Forensics Practitioner’s Guide won the “Best Digital Forensics Book of the Year” award at the DFIR Summit 2014 in Austin, TX.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, and updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#139: X-Ways Forensics, X-Ways Investigator, WinHex 17.7 released

May 13, 2014

This mailing is to announce the release of another notable update with many improvements, v17.7.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed; others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.7 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Austin, TX, May 19-23 (waiting list)
Cambridge, England, Jun 10-13
Ottawa, Canada, June 16-20 (long waiting list)
Norwalk, CT, Jun 23-27
Chicago, IL, Sep 8-12
Toronto, Canada, Sep 22-26

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v17.7?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Usability

  • Ability to output dates in the directory browser and in some other parts of the user interface in a nicer, longer and more locale-specific notation, which can include the weekday and the name of the month in your language or in English. Also, that format is Unicode-capable, which allows for example for original Chinese notation of dates. See Options | General | Notation. Please see http://msdn.microsoft.com/en-us/library/dd317787%28v=vs.85%29.aspx for complete documentation of the possible notation.
    Examples of how to represent the month (in English): MMMM = April, MMM = Apr, MM = 04, M = 4.
    Example of a complete format: d/MMM/yyyy (ddd) = 2/Apr/2014 (Wed)

  • New Directory Browser option for advanced sorting of the Name column. Takes 4 to 6 times more time than the highly optimized standard Unicode sorting from previous versions (noticeable when sorting millions of files), but has several useful settings and characteristics:
    - Language-specific character equivalence rules (treat ß like ss, treat é similar to e, ü similar to u etc.)
    - Linguistically improved case insensitivity
    - Special treatment of hyphens and apostrophes (they are treated differently from other non-alphanumeric characters to ensure that words such as "coop" and "co-op" stay together in a sorted list).
    - Treat decimal digits as numbers, e.g. sort "2" before "10" (not useful for hexadecimal notation, available under Windows 7 and later only)
    - Treat half-width and full-width characters the same (full-width characters are sometimes used by East Asians when writing English language letters)
    - Ignore kana type (treat corresponding Japanese hiragana and katakana characters the same)

    Advanced sorting depends on the regional settings of the currently logged on user. For example, if regional settings of a Nordic country are active, Å comes after Z, as defined in the alphabets of that region, otherwise near A, as perhaps expected by non-locals. Advanced sorting rules are also applied when sorting the search hits by the Search Hit column.

  • Files that are included in an evidence file container without contents, merely so that the full original path of the child objects they contain can be completed with their names, are now shown in the directory tree.

  • The active display time zone of the active case or of any evidence object is now shown directly on the button in the properties dialog window.

  • Creating report table associations at the same time for known duplicates of directly targeted files now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.

  • When files are viewed that have duplicates, marking the duplicates as already viewed as well now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.

  • Ability to import multiple selected hash set files at a time.

  • Ability to efficiently delete individual hash values from an existing hash set, by importing a hash set file (simple 1-column format, 1 hash value per line), where the hash values to delete must be listed first and must be prepended with a minus sign ("-"). The file must have the same name as the existing hash set that you wish to update (additional filename extension allowed).

  • As not all users know, when they recreate original paths of files in evidence file containers, the parent objects of files in files are included (and need to be included) in the container even if not selected themselves, just to guarantee that the child objects are shown with their complete correct path. But then these parent files are included without file contents, of course, just with file system metadata, as obvious for example from the Attr. column. Such parent files with metadata only are now no longer listed in containers when exploring recursively, just like directories, because in fact they function like mere directories in the container, even though they were real files in the source file system. They were not deemed relevant by the creator of the container (as they were not selected for inclusion themselves), so it is perhaps more logical that only if users explicitly wish to list directories even when exploring recursively (one of the directory browser options), such files will be listed as well. At least this will avoid some confusion and user questions.
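As an added illustration of the advanced Name column sorting characteristics listed earlier in this section (example code written for this page, not code from X-Ways Forensics, whose sorting relies on the Windows regional settings), the following Python sort key approximates several of those rules in a locale-independent way: linguistic case folding (ß as ss), character equivalence via Unicode compatibility decomposition (é as e, ü as u, full-width letters as half-width), hiragana folded onto katakana, hyphens and apostrophes ignored for the primary comparison so that "coop" and "co-op" stay together, and digit runs compared as numbers so that "2" sorts before "10". Region-specific orderings such as Å after Z are not reproduced. The `fold`/`advanced_key`/`sort_names` names and the sample filenames are assumptions.

```python
import re
import unicodedata

_RUNS = re.compile(r"\d+|\D+")   # split a name into digit runs and non-digit runs


def fold(name):
    """Reduce a name to a comparison form: compatibility decomposition (full-
    width to half-width, accented letters to base letter plus mark), marks
    removed, case folded (ß becomes ss), hiragana mapped onto katakana."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = []
    for ch in stripped.casefold():
        cp = ord(ch)
        if 0x3041 <= cp <= 0x3096:          # hiragana block -> katakana (+0x60)
            ch = chr(cp + 0x60)
        folded.append(ch)
    return "".join(folded)


def advanced_key(name):
    """Sort key: the primary comparison ignores hyphens and apostrophes and
    treats digit runs as numbers; the folded string and the original name
    act as tie-breakers so that the order stays deterministic."""
    folded = fold(name)
    primary = folded.replace("-", "").replace("'", "")
    tokens = []
    for run in _RUNS.findall(primary):
        if run.isdigit():
            tokens.append((0, int(run), ""))   # numbers compare by value
        else:
            tokens.append((1, 0, run))         # text compares as folded string
    return (tokens, folded, name)


def sort_names(names):
    return sorted(names, key=advanced_key)


# Constructed sample names exercising each rule (not from a real case).
SAMPLE_NAMES = ["file10.txt", "file2.txt", "coop", "Co-op", "résumé", "resume",
                "strasse", "Straße", "ＡＢＣ", "abc", "サクラ", "さくら"]

if __name__ == "__main__":
    for name in sort_names(SAMPLE_NAMES):
        print(name, "->", fold(name))
```

The sorted output keeps each equivalent pair adjacent (abc/ＡＢＣ, Co-op/coop, resume/résumé, Straße/strasse, さくら/サクラ) and places file2.txt before file10.txt.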
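An added example (not the newsletter's or X-Ways' own code) of how a tool could process the 1-column hash set update file described in the hash set bullet above: deletions prefixed with "-" are accepted only before the first addition, every value is validated as a hex digest, and the filename check applies the rule that the file must carry the hash set's name plus an optional extension. The hash set name "KnownBad", the function names and the sample MD5 digests (of the strings "", "a" and "abc") are constructed for the example.

```python
import os

HEX_DIGITS = set("0123456789abcdef")
DIGEST_LENGTHS = (32, 40, 64)   # MD5, SHA-1, SHA-256 hex digests


def normalize_hash(value, lineno):
    """Lower-case the value and reject anything that is not a hex digest."""
    h = value.strip().lower()
    if len(h) not in DIGEST_LENGTHS or set(h) - HEX_DIGITS:
        raise ValueError(f"line {lineno}: {value!r} is not a hex digest")
    return h


def parse_hash_set_file(text):
    """One hash value per line. A leading '-' marks a deletion; all deletions
    must be listed before the first addition."""
    deletions, additions = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-"):
            if additions:
                raise ValueError(f"line {lineno}: deletions must precede additions")
            deletions.append(normalize_hash(line[1:], lineno))
        else:
            additions.append(normalize_hash(line, lineno))
    return deletions, additions


def is_valid_update(text):
    try:
        parse_hash_set_file(text)
        return True
    except ValueError:
        return False


def targets_hash_set(filename, set_name):
    """The update file must carry the name of the hash set it updates; an
    additional extension such as .txt is allowed."""
    base = os.path.basename(filename)
    return base == set_name or base.startswith(set_name + ".")


def apply_hash_set_file(hash_set, text):
    """Return the updated set and the deletions that were not present."""
    deletions, additions = parse_hash_set_file(text)
    updated = set(hash_set)
    missing = [h for h in deletions if h not in updated]
    updated.difference_update(deletions)
    updated.update(additions)
    return updated, missing


# Constructed sample values: MD5 digests of "", "a" and "abc".
MD5_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"
MD5_A = "0cc175b9c0f1b6a831c399e269772661"
MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"

EXISTING_SET = {MD5_EMPTY, MD5_A}                 # hypothetical set "KnownBad"
UPDATE_FILE = f"-{MD5_EMPTY}\n{MD5_ABC}\n"        # delete one, add one

if __name__ == "__main__":
    updated, missing = apply_hash_set_file(EXISTING_SET, UPDATE_FILE)
    print(sorted(updated), missing)
```

The deletion-first rule is enforced rather than silently tolerated, so a file that lists additions before deletions is reported as invalid instead of being partially applied.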

Directory Browser

  • The header of the Name column now allows you to tag or untag all listed items with a single mouse click. It also indicates whether there are any tagged or untagged items among the listed items.

  • The number of listed tagged files is now displayed in the caption line of the directory browser if any tagged files are listed.

  • Tagging and excluding recursively are now two separate options.

  • Greatly accelerated recursive tagging, untagging, excluding and including of a large number of selected files, which previously was potentially very slow in large refined volume snapshots.

  • Ability to specifically filter for 0x30 timestamps in the event list, using the event type filter.

  • If an original name is found for a file in the Windows recycle bin or in an iPhone backup during metadata extraction, that name is displayed in the Name column with the current unique name in square brackets. The current unique name is now also shown in square brackets in the case report. Both names are targeted by the Name filter.

  • If the parent file of a file in a file has been assigned to one or more report tables by the user, then this will now be pointed out in the "Report table" column for the child object as well, in gray color and with an arrow. Reminds the user that the parent was reviewed and marked as relevant already, which can spare him or her the extra step of navigating to the parent again.

  • Tentatively extended the amount of text that can be pasted into the Name filter to 2 million characters (30,000 before). That doesn't guarantee that X-Ways Forensics can efficiently use a filter with many tens of thousands of characters or more. When in doubt, use the "Match against full name" option, not the substring search.

  • Directory browser column widths and the column order are now stored in cases as well as in .settings files along with filter and sort settings.

  • New investigator.ini option +53 that prevents storing directory browser column widths, column order, filter and sort settings in cases.

  • Larger tooltip for cells with a lot of text, e.g. in the Metadata column.

  • Excluding files in search hit lists and event lists now has an immediate effect (if excluded files are actually filtered out) and usually auto-selects the next remaining search hit or event in the list. Very useful to quickly get rid of all listed search hits in files that are identified as irrelevant.

Disk & Image Support

  • When creating a new case, you now have the option to make X-Ways Forensics recognize evidence objects that are physical media (not images) by their own, inherent properties, not by the disk number assigned by Windows, which can change when replugged. Using this option will prevent earlier versions of X-Ways Forensics from opening the case. The advantage of this option is that you may add multiple hard disks or external USB disks or sticks to the case that are attached to the computer at different times and get the same disk number assigned by Windows. Another advantage is that if the number of the same disk as assigned by Windows changes, X-Ways Forensics will still recognize the disk. Useful especially for triage, when not working with images. Please note that X-Ways Forensics may be unable to recognize external media already known to the case if next time they are attached through a different hardware write blocker. In that situation you can use the "Replace with new disk" command in the evidence object context menu to point X-Ways Forensics to the correct disk.

    Just as a reminder: You can open an evidence object even if the disk is not currently attached to the system, just to see and work with the volume snapshot, using a command in the evidence object context menu.

  • Ability to schedule in advance subsequent disk imaging operations in additional instances that will wait until already ongoing imaging operations in previous instances have completed, to avoid inefficient simultaneous creation of multiple images on the same output disk (which is unnecessarily slow and produces highly fragmented image files).

  • Automatic detection of some full disk/partition encryption types.

  • Option to abort copying files into an evidence file container upon a read error and not to include affected files partially. Useful when acquiring files from a network location where the connection might be interrupted, if you assume that you will get the connection back and be more successful on a retry: it avoids incomplete files in the container, which cannot be replaced with a complete copy retroactively. Available only when not filling containers indirectly.

  • Avoided a rare exception error that could occur when parsing corrupt LVM2 partitioning data structures.

File Type Support

  • Revised Exchange database extraction (up to version 2007) with improved support of internal e-mail communication and a wider set of metadata.

  • Improved presentation of e-mail extracted from Outlook PST/OST archives that contain forwarded other e-mail messages as attachments.

  • Recover/Copy: Improved ability to embed attachments in e-mails that originally did not reference any attachments.

  • Log-on events in Windows event logs are now presented in the event list with domain name, log-on ID and IP address when available.

  • Support for the Mac OS X artifact .DS_Store, which helps to analyze recycle bin activity.

  • New file type category "Address Book".

  • Better support of Samsung and Nokia .tec graphics files.

  • Metadata extraction from RecentFilecache.bcf, an important Windows 8 artifact.

  • Report table associations for e-mail messages with recipients on Bcc:.

  • Revised file type definitions and signatures.

X-Tensions API (details here)

  • New X-Tension functions XWF_GetReportTableInfo, XWF_GetEvObjReportTableAssocs, XWF_GetExtractedMetadata, XWF_AddExtractedMetadata, XWF_GetMetadata, XWF_GetFileCount, XWF_GetSearchTerm, XWF_GetBlock and XWF_SetBlock

  • New XWF_GetItemInformation capability added: XWF_ITEM_INFO_EMBEDDEDOFFSET. 2 more flags for XWF_ITEM_INFO_FLAGS. 0x00100000 flag of XWF_ITEM_INFO_FLAGS now deprecated.

  • Parameters for XWF_OpenItem defined.

Miscellaneous

  • Accelerated multi-threaded block hash matching.

  • Recover/Copy: Ability to group output files in directories by the search terms that they contain according to the Search terms column.

  • Recover/Copy: Option to name output files after their unique ID. Available only when copying without original path, selectable when clicking the "..." button.

  • Special paragraph in Details mode about previous names and paths of files, if known.

  • Data Interpreter option for a binary representation of 16 or 32 bits instead of just 8 bits.

  • Many minor improvements.

  • Program help and user manual updated for v17.7.


Changes of service releases of v17.6:

  • SR-1: Fixed an obscure heap overflow exception error that could occur when using the hash database in v17.6.

  • SR-1: Fixed disarranged Search menu in the regular version of WinHex in v17.6.

  • SR-2: Fixed faulty utilization of the header size in RAID reconstruction in some recent versions.

  • SR-2: Floating point error in Apple bookmark processing fixed.

  • SR-2: Some type detection problems fixed (e.g. .thumbsw7).

  • SR-2: Fixed an error that could occur when importing search hits from another user in a case with extended multi-user coordination.

  • SR-2: In newly created cases, the status of the option "Auto-detect deleted partitions" now remains frozen forever to prevent the situation of being unable to open partitions that were once auto-detected, but are no more.

  • SR-2: If you prefer to have a single-column search term list as in v17.5 and earlier, you can change the byte at offset 15414 in your WinHex.cfg from 0x00 to 0x01. One way to ensure that this change is not overwritten by X-Ways Forensics is to do it when Options | General | [ ] "Save program settings in .cfg file" is unchecked.

  • SR-3: Fixed an instability error that could occur when Recover/Copy embedded attachments in .eml files.

  • SR-3: Multi-user coordination: More immediate ability to import another user's search hits, when his or her search has just completed.

  • SR-3: File type verification slightly revised.

  • SR-3: Fixed a read or exception error that could occur when running a file header signature search with compensation for NTFS compression.

  • SR-3: Fixed an exception error that could occur when uncovering embedded data in Windows.edb files.

  • SR-3: Fixed an error that could occur when uncovering embedded thumbnails from certain malformed JPEG files.

  • SR-3: Fixed an error in the hash database.

  • SR-3: Recover/Copy no longer optionally reflects missing original timestamps by setting the corresponding timestamps of output files to Jan 1, 1601 in NTFS. Unsuspecting users were using faulty video playing software, did not read the program help or user manual topic about the Recover/Copy function and messaged us instead of the developers of the other software that refused to open files with such timestamps.

  • SR-4: Fixed an instability problem that could occur in v17.6 when extracting metadata from files larger than 2 GB.

  • SR-4: Some fixes in uncovering embedded data in PE EXE and other files.

  • SR-5: Fixed an exception error that could prevent uncovering embedded data in some Windows.edb files.

  • SR-5: Fixed faulty utilization of the header size in RAID 5 reconstruction with 1 missing component in some recent versions.

  • SR-5: Fixed "Unable to read (1)" error in the gallery for photos from which original embedded thumbnails have been uncovered and additional thumbnails have been created by X-Ways Forensics itself to accelerate the gallery.

  • SR-5: Fixed an error in the gallery of the Case Root window that could lead to the representation of a picture with a wrong thumbnail.

  • SR-5: Fixed an exception error that could occur when changing the sort order in the directory browser while the gallery was being populated.

  • SR-6: Provides modification dates for more extracted e-mail messages.

  • SR-6: Slightly improved internal graphics viewing library.

  • SR-6: Fixed an infinite loop that could occur when generating the registry report.

  • SR-6: Fixed stability errors that could occur when processing certain MSG/MBOX/DBX e-mail archives.

  • SR-6: Fixed reported Windows installation language in the registry report.

  • SR-6: Fixed missing value output in registry viewer after extracting metadata from registry hives.

  • SR-7: Prevented a message box from popping up repeatedly when applying simple text and hex searches to all open windows.

  • SR-7: "Export subtree" command now supports larger subtrees.

  • SR-7: Fixed a possible infinite loop when processing certain registry hives.

  • SR-7: Fixed an exception error that could occur when extracting metadata from OLE2 Office documents.

  • SR-7: More accurate representation of different recipient types in sent (not received) e-mails extracted from Outlook e-mail archives.

  • SR-7: Fixed incorrect representation of alternate filenames in the Name column after metadata extraction.

  • SR-7: Some minor fixes.

  • SR-8: In certain situations the associations of search hits with their corresponding search terms were potentially lost in some evidence objects after deleting search terms. That was fixed.

  • SR-8: Fixed a crash in v17.6 that could occur when viewing pictures while the gallery was being populated.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#138: X-Ways Forensics, X-Ways Investigator, WinHex 17.6 released

Mar 26, 2014

This mailing is to announce the release of another notable update with many improvements, v17.6.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.6 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Toronto, Canada, Mar 31-Apr 4 (waiting list)
Toronto, Canada, Apr 7-11 (waiting list)
Austin, TX, May 19-23 (waiting list)
Cambridge, England, Jun 10-13
Ottawa, Canada, Jun 16-20
Norwalk, CT, Jun 23-27
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


What's new in v17.6?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

File Type Support

  • File type detection and categorization significantly revised.

  • New metadata extraction feature, which allows restoring original file system metadata (such as filename and timestamps) when found in certain file types, such as $I* recycle bin files and iPhone mobile sync backup indexes (Manifest.mbdx). Original filenames are typically much more meaningful than the random names that are assigned just to guarantee uniqueness within a single directory for backup purposes, e.g. 3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae (a file in an iPhone backup) or $RAE2PBF.jpg (Windows recycle bin). Support for more file types will follow. The current filename according to the file system is not lost: it can still be seen in square brackets in the Name column as well as in Details mode, and the Name filter will conveniently find both the original and the current name.

  • Improved ability to uncover thumbnails from Windows thumbcaches. The process is now faster and produces much less redundant thumbnails especially for Windows 8 and 8.1 installations (only the highest resolution available for a set of thumbnails for the same picture). The new method is used when targeting thumbcache_idx.db files (which will in turn target the corresponding thumbcache*.db files) via the provided mask and not the thumbcache*.db files directly as in previous versions of X-Ways Forensics.

  • Support for a variant of thumbs.db files found in Windows 7 in certain constellations.

  • Performance of uncovering thumbnails in large JPEG files improved.

  • More precise truncation of incomplete or fragmented PNG files when carving.

  • Ability to extract embedded files from Photoshop thumbnail caches (Adobe Bridge Cache.bc), Canon ZoomBrowser thumbnail collections (.info), and Paint Shop Pro caches (.jbf).

  • Ability to uncover embedded pictures from the caches of Google's Picasa 3 image organizer and viewer software (thumbindex.db and related files).

  • Event extraction from Picasa 3.

  • Metadata extraction from IconCache.db files. Important Windows artifact that can help to prove executions of programs for example in malware investigations.

  • Extraction of forensically valuable metadata from PhotoShop PSD and INDD (Adobe InDesign) files.

  • Internal file carving algorithms for INDD, Bridge Cache and Picasa3 index files implemented.

  • Improved support for Magix Photo Manager Cache .mxc2 and .mxc3 and other files.

  • Internal graphics viewer now supports certain .bmp graphics with larger headers.

  • Some other improvements in the internal graphics viewer.

  • More metadata is now extracted from AVI video files, for example the codec and the IDIT creation timestamp or original filename, where available.

  • Metadata and internal file carving support for AMR voice recording files.

  • Ability to uncover various potentially relevant resources in 32-bit and 64-bit Windows PE executables (programs and libraries) as child objects, in particular RCDATA, named objects, bitmaps, icons and manifests. Useful for example for malware analysis. This does not happen automatically, only if you specifically target executable files via a suitable series of file masks.

  • Support for even more deeply nested (recursively forwarded) e-mail messages in OST/PST e-mail archives.

  • Ability to reconstruct e-mail messages from the Livecomm.edb database, which is used by the Windows Mail client (Windows 7 and newer) as part of the "uncover embedded data" operation. Also extracts contact and account information.

  • Unicode support for e-mail excerpt reconstruction from Thunderbird indexing databases.

  • Some minor fixes for EDB processing.

  • Fixed an exception error that could occur when processing SQLite databases.
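The $I* recycle bin files mentioned above are a compact illustration of how original metadata survives a rename: the $I file holds the original path, size and deletion time, while the paired $R file (such as $RAE2PBF.jpg) holds the data. The following Python is an added example written for this page, not X-Ways code. It parses both the Vista to 8.1 layout (version 1, fixed 520-byte path) and, going beyond the page's era, the Windows 10 layout (version 2, length-prefixed path), derives the $R name from the $I name, and treats a FILETIME of zero as "no timestamp" rather than as Jan 1, 1601, the same sentinel the v17.6 SR-3 note above refers to. The $I blobs it works on are constructed in the code, not captured from a real system.

```python
"""Added example: parse Windows recycle bin $I metadata files and restore the
original name of the paired $R file. Illustrative code, not X-Ways code."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME zero point
V1_PATH_BYTES = 520                                            # 260 UTF-16LE chars


def filetime_to_datetime(ft):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime.
    0 is the 'no timestamp' sentinel (it would render as Jan 1, 1601),
    so it is returned as None instead of a misleading date."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample below."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data):
    """Return {'version', 'size', 'deleted', 'original_path'} from $I bytes.

    Version 1 (Vista to 8.1): 8-byte version, 8-byte size, 8-byte FILETIME,
    520-byte NUL-padded UTF-16LE path.
    Version 2 (Windows 10): same header, then a 4-byte character count
    (including the terminating NUL) and the UTF-16LE path of that length."""
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated v1 path field")
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("truncated v2 path field")
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def companion_r_name(i_name):
    """$IAE2PBF.jpg -> $RAE2PBF.jpg: same random id, $R carries the content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample(version, path, size, deleted):
    """Constructed sample input for this example (not from a real system)."""
    ft = datetime_to_filetime(deleted) if deleted else 0
    hdr = struct.pack("<QQQ", version, size, ft)
    enc = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return hdr + enc.ljust(V1_PATH_BYTES, b"\x00")
    return hdr + struct.pack("<I", len(path) + 1) + enc


SAMPLE_V1 = build_sample(1, r"C:\Users\bob\Pictures\holiday.jpg", 245760,
                         datetime(2014, 3, 26, 10, 0, tzinfo=timezone.utc))
SAMPLE_V2 = build_sample(2, r"D:\cases\notes.txt", 1024, None)   # no deletion time

if __name__ == "__main__":
    for name, blob in (("$IAE2PBF.jpg", SAMPLE_V1), ("$IX1Y2Z3.txt", SAMPLE_V2)):
        print(name, "->", companion_r_name(name), parse_dollar_i(blob))
```

The check that matters in practice is the one on the deletion timestamp: a zero FILETIME must surface as "unknown", not as a real-looking 1601 date that a downstream tool then refuses or a report then prints.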

Usability

  • Increased capacity for large cases:

    Maximum number of simultaneously open images of physical media and reconstructed RAIDs combined:
    v15-v17.1: 46
    v17.2-v17.5: 57
    from v17.6: 100

    Maximum number of simultaneously open partitions on physical media (not counting drive letters) and partitions in images of physical media and images of volumes:
    v15-v15.5: 64
    v15.6-v17.5: 99
    from v17.6: 256

    Some background information: Note that it is not a must to always have all evidence objects in a case open at the same time. In fact it can be desirable to not open them all at the same time if the volume snapshots are very big (i.e. reference many millions of files) and not much RAM is available. Simultaneous searches and volume snapshot refinements across multiple selected evidence objects can be started even when no evidence object is open at all. In this setting, X-Ways Forensics will open the evidence objects one by one automatically when it is their turn, and close them again when fully processed, to minimize memory requirements. Only when you recursively explore from the case root, all evidence objects whose files you wish to include need to be open at the same time.

    Maximum number of addressable local physical media:
    from v17.2: 64

  • Imports and shows newly created report table associations of simultaneous other users in shared analysis mode when re-opening an evidence object or when case auto-save interval elapses or when manually invoking the Save Case command. (In v17.5 this happened only when opening the case in normal, unlimited mode.)

  • Option to always suggest opening a case with extended multi-user coordination in shared analysis mode. That mode can be useful even for the first of many simultaneous users of the case because only in that mode are newly created report table associations shared out to other simultaneous users at regular intervals (depending on the case auto-save option).

  • User interface of the search term list slightly updated. Better readable font and more economical use of space. To focus on notable search hits please remember you can use the Descr. column filter.

  • The search term list can now be sorted by search terms alphabetically in ascending order or by the listed search hit count in descending order, via the context menu of the search term list, to make it easier to locate a certain search term in lengthy lists.

  • Certain kinds of files with child objects such as e-mail archives are now included in the directory tree in the Case Data window, along with their subdirectories.

  • Hash database dialog window revised.

  • You can make raw Preview mode persistent by holding the Shift key when changing to raw mode.

  • Remains more responsive during file header signature searches and other volume snapshot refinement operations, and allows to use several commands in the Case Data window's context menu during various ongoing operations.

  • New option to view files with a single click in the gallery instead of with a double click. Useful for example if you wish to view certain pictures on a separate monitor, where you do not have to close the view window to see the gallery again, when not viewing all pictures one after the other (for which the Page Up or Dn key is more efficient).

  • Ability to store additional custom definitions of file types and categories in a separate file named "File Type Categories User.txt". It is read and maintained in addition to the standard definitions in "File Type Categories.txt", has the same structure, and is not overwritten by updates of the software if contained in the installation directory, so that you can easily continue to use it even when overwriting your installation with a new version.

  • That the directory for images specified in the General Options is preselected for newly created images is now optional.

  • Ability to mark events as notable and filter for notable events via the Timestamp column.

  • Ability to unmark multiple selected search hits and events as notable, by holding the Shift key when invoking the "Mark as notable" context menu command.

  • Available for download to users of X-Ways Forensics (click the "All versions" link) is now a text file that if named language.txt and put into the installation directory of v17.6 can override most texts in the user interface (except for example the main menu) and is easily user-editable. Useful if for example you wish to produce case reports in your own language.

X-Tensions API

  • Ability to expand the file viewing capabilities of X-Ways Forensics, X-Ways Investigator, and X-Ways Investigator CTR by integrating so-called Viewer X-Tensions. Such X-Tensions provide special views of certain file types by responding to calls of a newly defined function XT_View that they have to export. Users can load Viewer X-Tensions in the Options | Viewer Programs dialog.

  • A new investigator.ini option +52 prevents the use of Viewer X-Tensions, for example for security reasons. Remember that X-Tensions are Windows DLLs, which can potentially do harmful things to your system if they are loaded.

  • A new function named XWF_AddEvent was introduced, which allows adding events to the event hit list of an evidence object. XT_Prepare and XT_Finalize now receive a handle to the evidence object that the X-Tension is applied to.

  • New functions available: XWF_GetEvObjProp, XWF_OpenEvObj, XWF_CloseEvObj, XWF_GetFirstEvObj, XWF_GetNextEvObj, XWF_UpdateDirBrowser. 4 new flags for XWF_GetItemInformation and XWF_SetItemInformation introduced: XWF_ITEM_INFO_FLAG_FILEARCHIVEEXPLORED, XWF_ITEM_INFO_FLAG_EMAILARCHIVEORVIDEOPROCESSED, XWF_ITEM_INFO_FLAG_EMBEDDEDDATAUNCOVERED, and XWF_ITEM_INFO_FLAG_METADATAEXTRACTED.

  • The Delphi API definitions and a demo X-Tension have been updated with some of the new functionality.

Data Interpreter & Templates

  • Support for Mac Absolute Time in the Data Interpreter.

  • The Data Interpreter is now able to interpret UNIX/C, Java/BlackBerry/Android and Mac Absolute timestamps stored as decimal ASCII text instead of in binary. You will find a context menu item for that as well as a checkbox in the options dialog.

  • The Data Interpreter now optionally translates timestamps of all formats except MS-DOS date & time to local time (the time zone defined in the General Options). You will find a context menu item for that as well as a checkbox in the option dialog.

  • New date type "MacAbsTime" supported in templates.

  • New modifier "local" supported for timestamps in templates. Causes X-Ways Forensics to convert timestamps (except DOSDateTime) to the timezone specified in the General Options.
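To make the Data Interpreter behaviour described above concrete, here is an added Python example (written for this page, not the X-Ways implementation) that decodes UNIX/C, Java/BlackBerry/Android and Mac Absolute timestamps from either little-endian binary integers or decimal ASCII text, translates them to a chosen time zone, and shows why the choice of format matters: the same 32-bit integer is a 2014 date as a UNIX timestamp, a 1970 date as Java milliseconds and a 2045 date as Mac Absolute Time, so a plausibility window over the candidate interpretations is a useful first filter. The sample byte strings are constructed for the example; the format names, the CEST zone and the 1990 to 2040 window are this example's own choices.

```python
"""Added example: a small Data Interpreter for UNIX/C, Java (ms) and Mac
Absolute timestamps, read either as little-endian binary integers or as
decimal ASCII text, with optional translation to a local time zone.
Illustrative code for this page, not the X-Ways implementation."""
import re
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_ABS_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac Absolute Time zero point

# format name -> (epoch, ticks per second); names are this example's own
FORMATS = {
    "unix":   (UNIX_EPOCH, 1),        # seconds since 1970-01-01 (C time_t)
    "java":   (UNIX_EPOCH, 1000),     # milliseconds since 1970 (Java, BlackBerry, Android)
    "macabs": (MAC_ABS_EPOCH, 1),     # seconds since 2001-01-01 (Mac OS X, iOS)
}


def read_value(raw, width=None, ascii_text=False):
    """Pull the integer out of the bytes under the cursor.
    Binary: unsigned little-endian integer of `width` (4 or 8) bytes.
    ASCII: the leading run of decimal digits, e.g. b'1395828000'."""
    if ascii_text:
        m = re.match(rb"\d+", raw)
        if not m:
            raise ValueError("no decimal digits at cursor")
        return int(m.group())
    if width not in (4, 8) or len(raw) < width:
        raise ValueError("need 4 or 8 bytes for a binary timestamp")
    return int.from_bytes(raw[:width], "little", signed=False)


def interpret(raw, fmt, width=None, ascii_text=False, tz=timezone.utc):
    """Decode `raw` as timestamp format `fmt`; return an aware datetime in `tz`."""
    epoch, per_sec = FORMATS[fmt]
    value = read_value(raw, width, ascii_text)
    secs, rem = divmod(value, per_sec)
    dt = epoch + timedelta(seconds=secs, microseconds=rem * 1_000_000 // per_sec)
    return dt.astimezone(tz)


def plausible(raw, width=None, ascii_text=False, lo=1990, hi=2040):
    """Try every format and keep those that land in a believable year range.
    The same integer means very different dates in different formats;
    out-of-range values that overflow datetime are simply dropped."""
    out = []
    for fmt in FORMATS:
        try:
            dt = interpret(raw, fmt, width, ascii_text)
        except (ValueError, OverflowError):
            continue
        if lo <= dt.year < hi:
            out.append((fmt, dt))
    return out


# Constructed sample inputs (not captured from real media): 2014-03-26 10:00:00 UTC
ASCII_UNIX = b"1395828000"                        # decimal text, as in a log or XML file
BIN_UNIX32 = struct.pack("<I", 1395828000)        # 4-byte binary time_t
BIN_JAVA64 = struct.pack("<Q", 1395828000 * 1000) # 8-byte binary Java millis
ASCII_MAC = b"417520800"                          # same instant, seconds since 2001
CEST = timezone(timedelta(hours=2))               # the 'local' zone an examiner might set

if __name__ == "__main__":
    print(interpret(ASCII_UNIX, "unix", ascii_text=True))
    print(interpret(BIN_JAVA64, "java", width=8, tz=CEST))
    print(plausible(BIN_UNIX32, width=4))
```

Converting to local time only at presentation (the `tz` argument) keeps the stored value untouched, which mirrors the template "local" modifier above: the raw bytes are interpreted as UTC-based counters and translated once, not rewritten.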

Media & Image Support

  • Ability to convert so-called Nandroid backup files of the NAND flash memory of Android devices to regular raw images via Edit | Convert.

  • More complete output of serial numbers of USB devices.

  • Ability to see model and serial numbers of physical media without administrator rights.

  • Structure of the technical details report for physical media slightly improved.

  • Displays the amount of free space on the output drive in the Create Disk Image dialog window.

Miscellaneous

  • New menu command Tools | File Tools | Replicate Directory. This command copies a directory with all its files and subdirectories, recursively, and recreates individually NTFS-compressed source files as NTFS-compressed in the respective output folder if supported by the destination file system and any layer in between. The command does not retroactively compress such files after their creation, but writes them immediately as compressed, which is more efficient. However, it still has to copy/send the decompressed amount of data of the source file. Select the source directory first, then specify/create the destination directory. This function is useful for example if you wish to copy or move a case directory, which contains a few NTFS-compressed files that would be inefficient to store as uncompressed. Note that alternatively you can open a case and use the Save As command in the Case Data window for the same effect. The Replicate Directory command is also special in that it can operate on overlong paths.

  • Ability to manually enter the Recover/Copy output path by clicking a new "..." button in the dialog window, in the same line where the path is displayed. Useful if you wish to specify a network location that Windows does not list automatically.

  • The hash database of block hash values is now no longer expected in a subdirectory of the directory with the regular hash database, but in a directory at the same level, with the same base name plus " [block hash values]" appended.

  • The old indexing engine was removed.

  • Many internal improvements and some small bug fixes.

  • Program help and user manual updated.


Changes of service releases of v17.5:

  • SR-1: Fixed output of erroneous timestamps extracted from Firefox SQLite databases.

  • SR-1: Fixed timezone adjustment of timestamps in the metadata of some file types (PDF, MDB, RTF, PNG, Flash and GZip).

  • SR-1: Fixed erroneous selection of the radio button for evidence file containers when selecting the target image path in X-Ways Imager.

  • SR-1: Word frequencies in exported index word lists were not entirely accurate. That was fixed.

  • SR-2: More thorough sorting by "Type status", which takes the detected file format consistency into account.

  • SR-2: Fixed faulty utilization of the header size in RAID reconstruction in some recent versions.

  • SR-2: Fixed an exception error that could occur when processing certain incomplete Chrome caches.

  • SR-2: Avoided a misleading and unnecessary error message when finalizing the index and searching in the index.

  • SR-2: Avoided misleading and unnecessary error messages when importing search hits from another user.

  • SR-2: Avoided instability when processing IE travellog files.

  • SR-3: Prevented a possible crash that could occur when extracting e-mails from PST/OST e-mail archives.

  • SR-3: Deleting hash sets command corrupted hash databases in v17.5 and v17.6 Preview. That was fixed.

  • SR-3: The Include command in the directory browser context menu did not work in v17.5 and v17.6 Preview. That was fixed.

  • SR-3: Fixed potentially incomplete previews of Google Chrome WebData databases.

  • SR-3: Fixed an exception error that could occur with irregular PDF files.

  • SR-4: Fixed a read error that could occur with XML files extracted from PDF documents.

  • SR-4: Better support for extremely fragmented files in NTFS volumes.

  • SR-4: Fixed a file creation error in the "Export report table associations" command at the case level.

  • SR-4: Prevented exception errors that could occur when selecting more than the currently supported 57 simultaneously open images of physical disks and 99 simultaneously open partitions of physical disks or images of partitions for recursive exploration from the case root window and then trying to run commands in the directory browser context menu on them.

  • SR-5: Improved/fixed coordination of simultaneous usage of the hash database by multiple users.

  • SR-5: Fixed a link error that could occur when generating case reports for files with overlong paths.

  • SR-5: Prevented an exception error that could occur when parsing corrupt 0x30 attributes.

  • SR-6: Improved representation of Base64-encoded e-mails extracted from MBOX e-mail archives.

  • SR-6: v17.3 and later did not always include all NTFS file system level timestamps in the event list when they were different from the creation timestamp. That was fixed.

  • SR-6: Progress indicator for the time when X-Ways Forensics finalizes indexes of the new kind.

  • SR-6: Fixed an error that could cause the loss of newly created report table associations in shared analysis mode.

  • SR-7: Fixed an instability error that could occur when recursively exploring from the case root and listing many millions of files.

  • SR-8: Fixed an exception error that could occur when extracting files from Google Chrome caches.

  • SR-8: Fixed inability of X-Ways Investigator to convert container raw images to .e01 evidence file format.

  • SR-8: Fixed an exception error that could occur when extracting certain recovered corrupt e-mail messages from Outlook PST/OST e-mail archives.

  • SR-8: Removes certain superfluous parts in certain multi-part e-mail messages to keep the viewer component from showing e-mails as blank.

  • SR-8: Fixed an error that could cause a loss of user comments in the volume snapshot.

  • SR-9: Fixed an exception error that occurred in the original and regular WinHex 17.5 version when displaying the Data Interpreter context menu.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#137b: X-Ways Forensics, X-Ways Investigator, WinHex 17.5 released

Jan 28, 2014

This mailing is to announce the official release of v17.5.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data (the password has changed recently!), details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.5 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Orlando, FL, March 3-7
Toronto, Canada, Mar 31-Apr 4
Austin, TX, May 19-23
Cambridge, England, Jun 10-13
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


New License Type for Smaller Budgets

Available since late 2013: Timed annual licenses for X-Ways Forensics, which unlike our regular perpetual licenses expire after 1 year, are now available for purchase at half the price! (Subject to change.) These licenses cannot be renewed, or upgraded to a perpetual license. Online orders / quotes


What's new in v17.5?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

For the major changes already announced on Jan 8, 2014 for v17.5 Beta click here.

Miscellaneous improvements since Jan 8, 2014:

  • Program help and user manual updated for v17.5.

  • Support for more deeply nested directory trees in Ext*.

  • Some clusters of significantly fragmented files in Ext4 were incorrectly contained in idle space as well. This has been fixed.

  • Support for VMDK snapshots where the VMDK images are stored in segments, each usually representing 2 GB of the virtual disk. Previously only monolithic VMDKs were supported, i.e. where the entire VMDK image is stored in one file (whether sparse or not).

  • Fixed errors in VMDK support in previous preview and beta versions of v17.5.

  • Ability to interpret evidence file containers larger than 4 TB.

  • Creating the descriptive text file when imaging disks is now optional.

  • The option to define the number of extra compression threads when creating .e01 evidence files is no longer hidden.

  • Support for NTFS file systems larger than 2^32 clusters (which are not supported in Windows 8 and earlier, but perhaps in later versions).

  • Improved support for high dpi display settings in Windows (150% and larger), in message boxes, file selection dialogs, info pane, mode buttons, toolbar, progress indicator window, directory browser, and search hit context preview.

  • Colored icons for excluded and notable files now displayed with no noticeable delay even when Aero is enabled.

  • The file type filter dialog now remembers which categories were expanded.

  • Stability of EVTX processing improved.

  • Reconstruction of indexed e-mail messages from the indexing database of the Thunderbird e-mail client and output as child objects in the volume snapshot, as part of extraction of embedded data in SQLite databases.

  • Exclusion of known SQLite databases from the embedded data extraction if it is known that there is no valuable binary data to be found.

  • Improved support for MS Internet Explorer recovery travellog files.

  • Windows Registry report and event extraction revised.

  • File type verification updated.

  • You can turn off "Extended multi-user coordination" if you are sure to be the only concurrent user of a case and don't need some of the advanced options, for performance benefits in some very few situations.

  • Indexes of the new type previously became unusable if the drive letter or path of the case changed. This is no longer the case for existing and newly created indexes in the final version of v17.5.

  • Ability to specify separate virtual output directories for separate file carving runs, for example to distinguish operations of different scopes or for different purposes (e.g. first ordinary sector-level file carving in an entire partition, then byte-level file carving of e-mails in free space).


Changes of service releases of v17.4 since Jan 8, 2014:

  • SR-7: Ability to create evidence file containers of the new type larger than 4 TB correctly. Fix also contained in v17.3 SR-11, v17.2 SR-11, and v17.1 SR-11.

  • SR-7: Fixed an error in the Copy Sparse function.

  • SR-7: The gallery was not updated in v17.4 when excluding files. That was fixed.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#137a: X-Ways Forensics 17.5 Beta released

Jan 8, 2014

This mailing is to announce the release of a beta version of X-Ways Forensics 17.5, with many interesting improvements. v17.5 Beta is only available for X-Ways Forensics. The next newsletter issue will notify you when v17.5 is officially released, and at that time v17.5 will also be available as WinHex (for users with a personal, professional or specialist license) and X-Ways Investigator.

Users of X-Ways Forensics can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. 

Please be reminded that if you are interested in receiving information about updated beta releases of v17.5 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with v17.4 or another previous version until v17.5 is officially released, or even longer, you should use the last service release of that older version.


Upcoming Training

Orlando, FL, March 3-7
Toronto, Canada, Mar 31-Apr 4
Austin, TX, May 19-23
Cambridge, England, Jun 10-13
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


What's new in v17.5 Beta?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Multi-User Support

  • All cases created or opened with v17.5 and later now have extended multi-user support, where X-Ways Forensics distinguishes between different examiners working with the same case at different times or at the same time. Cases opened with v17.5 and later cannot be opened any more with earlier versions.

  • Extended multi-user support is especially helpful for examiners who work on large cases and wish to tell apart their own results from their colleagues' results. Report table associations, comments and search terms/hits of different examiners can optionally be distinguished, by showing the creating examiner's initials (default), or alternatively other abbreviations of their names or (if no abbreviation is specified) their complete usernames.

    A maximum of 255 users (examiners) is supported per case. Examiners are recognized internally by their Windows user accounts. All related options can be found by clicking the button for "Extended multi-user coordination" in the case properties dialog window.

  • It is possible for multiple users to open the same evidence objects in the same case simultaneously for examination. By same case we mean the same case file, not a copy, stored in a shared network location or on a terminal server. X-Ways Forensics is responsible for synchronizing report table associations, comments and additions of files to the volume snapshot, and for making users aware of access conflicts before they occur and preventing them in most situations.

  • X-Ways Forensics now remembers the "tagged", "already viewed" and "excluded" status of files separately for each examiner. You can choose to adopt the "already viewed" status of files in volume snapshots from all other examiners when opening evidence objects. That is useful if the goal is to avoid duplicate work, i.e. if you do not wish to review files that were reviewed by any of your colleagues already. Please note that individual file statuses ("tagged", "already viewed" and "excluded") as well as search hits of other users are lost if one examiner removes items from the volume snapshot.

  • Search hits and search terms are stored on a per-user basis as well. The first examiner opening an older case with v17.5 or later will absorb the search hits and search terms that were stored in the case by v17.4 or earlier. The "Extended multi-user coordination" dialog window contains a button that allows you to import the search hits and search terms of another user. 

  • Comments and report table associations are shared between all examiners. Examiners can choose whether or not they get to see report table associations of other users. The same file can be associated with the same report table only by 1 examiner. 

  • To view all the results of a colleague (report table associations, search hits, tag marked, already viewed status of files, exclusion status of files), you can open the case in read-only mode as him or her. For that, try the new "Options..." checkbox when opening a case. You may prevent your colleagues from opening the case in read-only mode as you.

  • The new "Options..." checkbox allows you to open a case in any of the three modes known from earlier versions:
    1) entire case read-only (case file and volume snapshots),
    2) cooperative analysis mode (ability to produce report table associations, comments, search hits, and virtual files; tag files; remember already viewed files; exclude files)
    3) full access

  • If the same user wishes to open the same case (the same copy) in more than 1 instance of the program simultaneously, that user has three options. Either in the second instance the entire case is opened as read-only, or the user is responsible for opening evidence objects that are open in one session already as read-only in the other session to avoid conflicts (right-click an evidence object for that option), or the user opens the case as a separate, fictitious user (called his or her "alter ego") with separate file statuses, search hits, report table associations etc. If the latter option is selected, shared use of the case is coordinated by X-Ways Forensics exactly as if the alter ego was a real, different examiner, even though the username is the same.

  • The aforementioned "Options..." checkbox allows you at any time to open the case as your alter ego, not only when opening the same case in a second instance of the program.

  • Multiple users running searches, creating report table associations, entering or editing comments, editing extracted metadata, tagging files, excluding files, and marking files as already viewed are all supported for the same evidence object at the same time. Removing items from a volume snapshot while the evidence object is open somewhere else, however, is forbidden and will be refused by the program. The goal of the multi-user coordination in v17.5 and later is to support concurrent analysis/review work by multiple examiners. Removing files from a volume snapshot is not considered ordinary review/analysis work. Volume snapshot refinements should be done systematically in advance.

  • The initials of the examiner who has attached files to the volume snapshot or manually carved files in v17.5 and later can be seen in square brackets next to the filename, so that it is easy to tell who has introduced such files to the case.

  • Technical changes to the way multiple simultaneous users are coordinated are reserved. To be on the safe side, please make sure that simultaneous users are running the same version of the software.

  • Last but not least, v17.5 allows you to review the processing history of a case in its properties. This reveals which versions were used on it (recorded only by v17.3 SR-10 and later, v17.4 SR-4 and later, and v17.5 and later) and by which users (recorded only by v17.5 and later).

User Interface

  • Revised look of the user interface (toolbar, menus, directory browser, gallery). Icons are now more colorful and plentiful. This allows experienced users to more quickly and intuitively find the right menu commands especially in the directory browser context menu.

  • Gridlines in the directory browser are now optional, and if displayed can be either light gray or light blue. Without gridlines the screen looks a little less cluttered as well.

  • The entire row in the directory browser over which the mouse cursor hovers is now highlighted. That makes it easier to identify other far away cells in the same row.

  • The names of the authors of documents of various types (MS Office, OpenOffice/LibreOffice, RTF, PDF, ...) are now displayed in a new column named "Author" after metadata extraction.

  • The page count is now extracted from PDF and some Office file types as part of metadata extraction and shown in a new column as well.

  • Sorting and filtering by comments and extracted metadata greatly accelerated for huge volume snapshots in which a huge number of files have comments or extracted metadata.

  • Sorting by certain directory browser columns such as Owner, Author, Sender, Recipients, Report tables, Comments, Metadata, Search terms, and Hash set is now more user-friendly, in that items with blanks (i.e. unknown owner, unknown author, no report table associations, no comments, ...) are listed last, not first. Also, the default sort order of the hash category column is now descending.

File Format Support

  • Improved ability to uncover files in Firefox caches when targeting "_CACHE_MAP_" files and Chrome caches when targeting "index" files. Retrieves metadata such as original filenames and timestamps. Metadata extraction from "index" files.

  • Files embedded in Norton Backup files (N360 backup, *.nb20) can now be automatically uncovered.

  • Ability to uncover pictures that are embedded as Base64 in VCF files (electronic business cards).

  • File type verification considerably updated. Examples: Identification of MMAP, IDML, INCX, EDX, ENML, NBI.

  • File type signature definitions considerably updated.

  • New file type category GPS/Navigation.

File System/Disk/Image Support

  • The existence of extended attributes for files in NTFS ($EA attributes) is now revealed in the Attr. column in newly taken volume snapshots, and you can filter for the presence of such attributes. Useful to detect certain malware as seen in recent high-profile cases.

  • Considerably improved treatment of hard-linked files in HFS+. Resolving hard links is now much faster and more thorough in current HFS+ volumes that heavily use hard links because of Time Machine. Hard links to directories and resource-only files are now also resolved. The hard link count is accurately represented. All hard links except for 1 are optionally omitted from logical searches, just as in NTFS, to avoid excessive duplication of data to be searched and duplication of search hits. Hard links that are ignored are identified by a grayed out hard-link count (no longer by an asterisk as in previous versions). Additionally, iNode files (indirect node files) that got connected with the hard links that reference them as so-called "related items" in the volume snapshot are omitted. Should the hard-link count of an iNode file not be grayed out, that indicates an orphaned iNode file (one that is not referenced by any hard-linked file, at least not in the volume snapshot). Comments are no longer used for hard-linked files in HFS+.

  • Extraction of events from Unix/Linux/Macintosh system logs. These events are of practical significance especially for USB device history examinations.

  • Improved detection of non-standard LVM2 container partitions.

  • VMDK virtual disk images which have been compressed for transport purposes (the VMDK format variant referred to as "stream-optimized"), as used by the OVF appliance export format, are now supported.

  • Option to create report table associations for files that were successfully added to a skeleton image using the directory browser context menu command.
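The $EA bullet above says only that the Attr. column now reveals NTFS extended attributes. The following added example (written for this page, not X-Ways code) shows what that check actually looks at: it walks the attribute list of an MFT FILE record after applying the update sequence fixups, reports whether a $EA (type 0xE0) attribute is present, and decodes the EA name/value list so the payload can be triaged. The record it parses is constructed inline and the EA names are made up; the structure layouts are the public NTFS on-disk format.

```python
import struct

# NTFS attribute type codes from the public on-disk format; $EA (0xE0) is
# the attribute whose presence the Attr. column now flags.
ATTR_STANDARD_INFORMATION = 0x10
ATTR_EA = 0xE0
ATTR_END = 0xFFFFFFFF
SECTOR = 512

def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array; a mismatch means a torn/corrupt record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):          # last 2 bytes of each sector hold the USN
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        buf[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def iter_attributes(record: bytes):
    """Yield (type code, resident content or None) for each attribute."""
    off = struct.unpack_from("<H", record, 20)[0]   # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen < 24 or off + alen > len(record):
            break
        content = None
        if record[off + 8] == 0:                    # resident: content is in the record
            clen, coff = struct.unpack_from("<IH", record, off + 16)
            content = record[off + coff:off + coff + clen]
        yield atype, content
        off += alen

def parse_ea(content: bytes):
    """Walk the FILE_FULL_EA_INFORMATION list held by a resident $EA attribute."""
    eas, off = [], 0
    while off + 8 <= len(content):
        next_off, flags, name_len, value_len = struct.unpack_from("<IBBH", content, off)
        name = content[off + 8:off + 8 + name_len].decode("ascii", "replace")
        vstart = off + 8 + name_len + 1             # the name is NUL-terminated
        eas.append((name, flags, content[vstart:vstart + value_len]))
        if next_off == 0:
            break
        off += next_off
    return eas

def has_ea(record: bytes) -> bool:
    """What the Attr. filter keys on: does the record carry a $EA attribute?"""
    return any(t == ATTR_EA for t, _ in iter_attributes(apply_fixups(record)))

def list_eas(record: bytes):
    """(name, flags, value) of every EA in the record, for payload triage."""
    found = []
    for atype, content in iter_attributes(apply_fixups(record)):
        if atype == ATTR_EA and content is not None:
            found.extend(parse_ea(content))
    return found

# ---- constructed sample record (not taken from any real volume) ----------
def _resident_attr(atype: int, content: bytes, attr_id: int) -> bytes:
    total = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, attr_id,
                      len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (total - 24 - len(content))

def _ea_entry(name: bytes, value: bytes, last: bool = False) -> bytes:
    body = struct.pack("<BBH", 0, len(name), len(value)) + name + b"\x00" + value
    size = (4 + len(body) + 3) & ~3
    return struct.pack("<I", 0 if last else size) + body + b"\x00" * (size - 4 - len(body))

def build_sample_record(with_ea: bool = True, corrupt: bool = False) -> bytes:
    eas = (_ea_entry(b"DEMO.NOTE", b"constructed")
           + _ea_entry(b"DEMO.BLOB", b"MZ\x90\x00", last=True))
    attrs = [_resident_attr(ATTR_STANDARD_INFORMATION, b"\x00" * 0x48, 0)]
    if with_ea:
        attrs.append(_resident_attr(ATTR_EA, eas, 1))
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + b"\x00" * 4
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 48, 3)            # USA at 0x30: USN + 2 sectors
    struct.pack_into("<HHHH", rec, 16, 1, 1, 56, 1)   # seq, links, first attr, in use
    struct.pack_into("<II", rec, 24, 56 + len(body), 1024)
    rec[56:56 + len(body)] = body
    usn = b"\x2a\x00"
    rec[48:50] = usn
    for i in (1, 2):   # stamp the USN at each sector end, park the originals
        end = i * SECTOR - 2
        rec[48 + 2 * i:50 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    if corrupt:
        rec[SECTOR - 2] ^= 0xFF                       # simulate a torn write
    return bytes(rec)
```

Two things the bare "has a $EA" flag does not tell you are covered here: the fixup check rejects a torn record instead of silently parsing stale sector tails, and `list_eas` gives you the EA names and raw values so that an executable or script stashed in an EA shows up as such rather than as an opaque attribute.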
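The VMDK bullet above mentions the stream-optimized variant without saying how it differs from an ordinary sparse extent. This added example (not X-Ways code) decodes the 512-byte SparseExtentHeader as documented in the public VMDK format and classifies an extent as stream-optimized from its flag bits and compression algorithm; the header it parses is constructed inline. The practical caveat: in a stream-optimized extent the header's gdOffset is all ones and the real grain directory location sits in a footer at the end of the file, so a parser that trusts the header alone cannot locate any data.

```python
import struct

VMDK_MAGIC = 0x564D444B            # "KDMV" read little-endian
FLAG_COMPRESSED_GRAINS = 1 << 16   # every grain is individually compressed
FLAG_MARKERS = 1 << 17             # in-band markers precede metadata blocks
COMPRESS_DEFLATE = 1
ALL_ONES64 = 0xFFFFFFFFFFFFFFFF
# SparseExtentHeader, packed: 79 bytes of fields followed by 433 bytes of padding
HDR_FMT = "<IIIQQQQIQQQBccccH"

def parse_sparse_header(blob: bytes) -> dict:
    """Decode the first sector of a sparse VMDK extent into a plain dict."""
    if len(blob) < 512:
        raise ValueError("need the whole 512-byte header sector")
    f = struct.unpack_from(HDR_FMT, blob, 0)
    if f[0] != VMDK_MAGIC:
        raise ValueError("not a VMDK sparse extent")
    return {
        "version": f[1], "flags": f[2],
        "capacity_bytes": f[3] * 512, "grain_bytes": f[4] * 512,
        "compressed_grains": bool(f[2] & FLAG_COMPRESSED_GRAINS),
        "markers": bool(f[2] & FLAG_MARKERS),
        "compress_algorithm": f[16],
        "gd_in_footer": f[9] == ALL_ONES64,   # gdOffset all ones: look in the footer
    }

def is_stream_optimized(hdr: dict) -> bool:
    """Stream-optimized extents (the OVF transport variant) compress all grains,
    use markers and carry deflate as the compression algorithm."""
    return (hdr["compressed_grains"] and hdr["markers"]
            and hdr["compress_algorithm"] == COMPRESS_DEFLATE)

def build_sample_header(stream_optimized: bool) -> bytes:
    """Constructed header sector (not from a real image) for a 1 GiB extent."""
    flags, version, gd_off, comp = 0x3, 1, 8, 0
    if stream_optimized:
        flags |= FLAG_COMPRESSED_GRAINS | FLAG_MARKERS
        version, gd_off, comp = 3, ALL_ONES64, COMPRESS_DEFLATE
    hdr = struct.pack(HDR_FMT, VMDK_MAGIC, version, flags, 2 * 1024 * 1024, 128,
                      1, 20, 512, 0, gd_off, 128, 0, b"\n", b" ", b"\r", b"\n", comp)
    return hdr + b"\x00" * (512 - len(hdr))
```

Run it against the first sector of any .vmdk extent file; a plain monolithic sparse extent reports `compressed_grains` False and a usable `gdOffset`, while an OVF export reports both flags set and `gd_in_footer` True.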

Miscellaneous

  • Various minor improvements and some small bug fixes.

  • Same fix level as v17.4 SR-6.

  • User manual and program help not updated yet for v17.5.


Changes of service releases of v17.4:

  • SR-1: Works again with the old version of MPlayer.

  • SR-1: Fixed an error that could occur in the Attr. filter for special files in Unix/Linux file systems.

  • SR-1: Fixed hanging after volume snapshot refinements if the error "Parent of ... undefined" occurred.

  • SR-1: Quicker EDB file subtype identification.

  • SR-2: When the gallery dynamically shows the stills of a video in a loop, you may now press Esc to stop the animation, + to accelerate and resume the animation, and - to slow down and resume it.

  • SR-2: Fixed an error that could stop the gallery from working.

  • SR-2: Fixed an error that occurred when exporting hash sets from the block hash database.

  • SR-2: Fixed some truncated descriptions for events collected from SQLite database in the 64-bit edition.

  • SR-2: Proper timezone adjustment of event timestamps from SQLite databases.

  • SR-2: Potentially fixed an error that could occur on some computers when closing data windows after cloning with the "copy entire medium" setting.

  • SR-3: Fixed an error that could occur when using the gallery.

  • SR-3: Prevented output of some unnecessary messages when taking snapshots of Ext4 volumes.

  • SR-3: If the Help | Dongle dialog informs you that a new activation code is required for v17.5, please request it from X-Ways.

  • SR-3: Fixed a skeleton image verification error that could occur in certain situations.

  • SR-3: Fixed an exception error that could occur during index searches in v17.4.

  • SR-4: Fixed an error that could cause the gallery to not be fully populated in certain situations.

  • SR-5: v17.4 SR-2 and later did not close the case root window when closing a case, which triggered errors. That was fixed.

  • SR-5: The gallery was not updated in v17.4 when sorting the directory browser. That was fixed.

  • SR-5: Fixed instability of the 64-bit edition with certain EDB database files.

  • SR-5: Child objects that have been viewed no longer propagate this status to a parent file.

  • SR-6: Fixed an exception error that could occur when filling evidence file containers in v17.3 and v17.4.

  • SR-6: Fixed an exception error that could occur when resolving symlinks in the 64-bit edition of v17.4.

  • SR-6: Fixed a recurring delay that could occur on volumes with a lot of clusters when reviewing search hits in free space for which only a logical/relative offset is known (index search hits).

  • SR-6: Fixed inability of v17.4 to process Windows.edb databases of Windows 7 under Windows 8 and Windows 8.1.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)
