Order now / get quotes

Find out more about X-Ways Forensics X-Ways Forensics
Integrated computer forensics software
Find out more about X-Ways Investigator X-Ways Investigator
Investigator version of X-Ways Forensics
Find out more about WinHex! WinHex
  License types
  Forensic features
  All features
Find out more about X-Ways Imager X-Ways Imager
Disk imaging
Find out more about X-Ways Capture X-Ways Capture
Seize evidence
Find out more about X-Ways Trace X-Ways Trace
User activity
Find out more about Davory Davory
Data recovery
Find out more about X-Ways Security X-Ways Security
Permanent erasure

Contact X-Ways Contact X-Ways
User forum
Corporate info Corporate info
Find us on Facebook Find us on Facebook
  X-Ways Software Technology AG

WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#149: X-Ways Forensics, X-Ways Investigator, WinHex 18.7 released

Jan 27, 2016

This  mailing is to announce the release of another notable update with many useful improvements, v18.7.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.

Upcoming Training

Austin, TX area, Feb 22-Mar 1
London, England, Feb 29-Mar 3
London, England, Mar 15-23
Washington DC area, Apr 5-8
Southern California, Apr 11-19
Miami, FL, May 23-27
Ottawa, Canada, May 24-27, 2016
Halifax, Canada, May 30-Jun 3, 2016
Kingston, Canada, June 6-10, 2016
London, England, Jun 14-17

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.

What's new in v18.7?
(please note that most changes affect X-Ways Forensics only)

File Format Support

  • Revised hiberfil.sys support for 64-bit Windows.

  • hiberfil.sys slack (compressed data from previous usage of a hiberfil.sys file, as found near the end, if the last usage achieved stronger compression than the previous usage) is now automatically extracted and decompressed as part of "Uncover embedded data in various file types" and provided as a child object in its decompressed form.

  • Accuracy of file type verification further improved. Fewer file types with generic extensions are now unnecessarily marked as "newly identified", but confirmed if the full filename is appropriate for the file type.

  • Verification of many more file types supported. In total the file type verification can now recognize more than 3,000 file types.

  • File carving methods implemented for .cwm (screen capture videos) and Windows 8's .accountpicture-ms files. .accountpicture-ms files are now by default targeted for uncovering embedded files.

  • Type verification supported for .thumbdata3 files (Android files that are found for example on SD cards).

  • E-mail extraction adjusted in such a way that certain Base64-encoded e-mails are shown correctly by external programs after Recover/Copy.

  • Support for certain old Outlook PST e-mail archives with previously unsupported text encoding. Requires that you select the correct regional ANSI code page in the case properties and check the unlabelled box next to it, the one that has a tooltip saying "Assume this code page in Outlook PST".

  • If e-mail messages have a Sender: line in addition to a From: line, then the sender according to the Sender: line is now shown in the Sender column of the directory browser additionally, after the From: sender, if actually different. They are delimited by spaces and a pipe (|). For example, an English language MS Outlook shows such e-mails as having been sent "on behalf of" someone else (by the Sender: sender on behalf of the From: sender). You can filter for such e-mails by entering a pipe as a substring for the Sender column. Analogously, different kinds of recipients ( To:, Cc:, and Bcc: ) are now delimited by pipes in the Recipient column.

  • Fixed a potential exception error that could occur when processing damaged OLE2 compound files.

  • Prevents crashes when dealing with certain EDB databases.

Picture Support

  • Gallery screen space is now much better utilized as thumbnails are no longer forced to be squares. You can now specify your preferred thumbnail width and height separately, in the Options | Viewer Programs dialog. The specified dimensions will be dynamically adjusted (increased) to best fill the available screen space without partial thumbnails being visible. Since most photos and practically all videos are shot in landscape format, you may want to select width and height accordingly (width larger than height) when viewing pictures. Document thumbnails can often be freely adjusted to any rectangle shape, for example those representing word processing documents or spreadsheets, but not presentations. For most documents other than presentations, portrait format feels like a more natural way of representation. The aspect ratio of the width and height that you specify is displayed in the options dialog to quickly give you a rough idea how compatible the measures will be with ordinary photos, videos or documents.

  • Previews and views of pictures (with the internal graphics library, not the viewer component) now additionally show the names of associated report tables in the upper left corner and the names of matching PhotoDNA categories in the lower right corner.

  • As part of the volume snapshot refinement, X-Ways Forensics can generate thumbnails of high-quality digital photos to accelerate the gallery. It is now possible to select the resolution (maximum width or height in pixels) and quality (JPEG compression factor) in the user interface. However, the maximum amount of data that can be stored in the volume snapshot for a thumbnail is limited, to 64 KB, so if a generated thumbnail gets larger than that, X-Ways Forensics will automatically reduce the user-defined resolution accordingly.

  • New internal report table for animated PNG pictures.

  • Extraction of embedded data in PNG files (e.g. GIF pictures) supported.

  • New internal report table for PNG pictures that are likely mobile device screenshots. That assumption is based solely on typical smartphone screen resolutions. Useful in case such screenshots do not have the typical filenames (if they were carved, received via apps, copied to other media and renamed by the user, or takes by certain apps and stored in the cache of that app).

  • Fixed slight and rare inaccuracy in the representation of GeoTagging coordinates of JPEG files.

Video Processing

  • A new context menu command has been introduced to extract all frames specifically from a defined section of a selected video. Useful if a certain part of a video is of high interest and you need to carefully check visual details in certain frames or include them in the report. You can specify how many consecutive frames to extract and starting from which second. The number of frames that you need to cover a certain period of time can be deducted from the frame rate as shown in the Metadata cell (fps = frames per second). Please note that the start second may be interpreted very roughly only, depending on the frequency of keyframes (a.k.a. I-frames in MPEG) in the video. MPlayer can seek into a video file only based on keyframes. If for example a certain video file contains keyframes only every 4 seconds for example, then the start second of the extraction may be off by up to 4 seconds. Keep this in mind when you enter the number of frames that you need or the start second. That is, to be on the safe side, extract more frames than you may actually need and perhaps from an earlier start second.

    The frames are saved as JPEG files in a directory of your choice on your own drive, where you can review them outside of X-Ways Forensics. If you like, you can of course attach the most relevant frames to the original video file in the volume snapshot as child objects. The frames are not stored within the volume snapshot by default so that the size of the volume snapshot does not unreasonably inflate with potentially mostly irrelevant and redundant pictures. If the output directory already contains extracted frames, files with identical relative frame numbers will be overwritten. Relative frame numbers always start with 00000001 for each extraction and increment with each frame. You may adjust the JPEG compression if necessary for stronger compression or better quality. (Of course you usually cannot expect a very good quality because videos are typically highly compressed already.) The volume snapshot refinement operation to produce representative still images from videos (sporadically, in certain larger intervals) has been renamed to point out the difference from the new context menu command for exhaustive frame extraction.

  • More metadata is now extracted from videos when exporting stills, usually coding/compression format, resolution, bits per pixel, frames per second, data rate per second for video data.

  • A new 64-bit edition of MPlayer from 2015 is now downloadable from the web server in addition to the 32-bit edition from 2014. The only video extraction program supported is now MPlayer.

File System Support

  • Enhanced Attr. filter settings for Unix style file permissions. You can now filter for any of the 9+3 bits specifically and combine them with OR, AND, or EQUAL. EQUAL requires a status of all 12 bits exactly as selected (whether set or not set). AND means you require ALL of the checked bits to be set, but don't care about the others. OR means you are satisfied already if ANY of the checked bits is set. SUID and SGID bits can now be combined with a logical OR or AND as well (previously they were always OR'ed). Please remember that if you are interested in directories with the sticky bit, you will need to include directories when exploring recursively and apply filters to directories, too (not the default setting). Please note that the logical operator for permissions should not be usually set to EQUAL because that will result in active filtering for permissions even if no permission bits are selected in the dialog box at all, unlike the OR or AND operators. EQUAL with no permission bits selected means to filter for files that have no permission bits set or files whose permissions are unknown.

  • iNode* files (indirect node files) in HFS+ now point to one of their hardlinked counterparts as a "related item" in the volume snapshot, so that it is very convenient to locate at least one of those hardlinks and see the actual use and location of the file. To find other hardlinks for the same iNode* file, you can for example sort by the column "1st sector".

  • HFS and HFS+ resource forks are now presented as child objects, analogously to alternate data streams and extended attributes in NTFS.

  • Attribute filter for resource forks added.

  • Loose $MFT files can now be directly and conveniently interpreted as if they were NTFS volumes, to get at least a full listing of all files and directories, with their paths, timestamps and attributes. It's possible to open resident files (files whose contents is small enough to fit into the FILE records), but no other files, of course. Useful if in special situations all you have is the $MFT, not the entire volume. Also useful for example for $MFTs from volume shadow copies.

  • Option to omit additional hard links for the same file in NTFS/HFS+ from volume snapshot refinement just as from logical searches previously, to save time and reduce the number of redundant identical child objects etc. This can make a big difference on partitions with Windows installations that have a lot of hard links and HFS+ partitions with Mac OS X Time Machine. Which hard links are considered the "additional" hard links internally can be seen in the "Link count" column as before (gray number means to be omitted) and now also in the Description column, which identifies all hard links (i.e. files with a hard link count of 2 or more) and the additional ones in particular textually. The hard link that is not marked as "optionally omitted" in the Description column is considered the "main" hard link internally.

  • Rename events from $J and fragments thereof are now output to the event list.

  • Files with only partially initialized contents (valid data length < logical file size) are now marked in the Attr. column with the # sign, and an explanation of the # sign can be found in the legend.

  • In newly refined volume snapshots, the "1st sector" column now points out that certain figures are approximate, for example for embedded files, using gray color and a tilde.

  • When clicking a file in Partition/Volume mode, the jump to the start of the data of certain files is now more precise, for example for resident files in NTFS it leads directly to the body of the 0x80 attribute and for certain embedded files directly to the start of the data. Sorting by the "1st sector" column reflects the physical start location of files more precisely now for certain unaligned files.

  • Finds more sessions of multi-session CDs/DVDs with CDFS immediately, without having to run a particularly thorough file system data structure search.

  • Avoids session duplication on CDs/DVDs with CDFS where additional sessions are found only through a particularly thorough file system data structure search.

Disk & Image Support

  • Tentative support for older VirtualBox VDI virtual disk images from Sun Microsystems.

  • Prevented an error that could occur in simultaneous computation of two hashes when imaging media in very special configurations that involve a specific hardware write blocker model and Windows version. The data in the images was OK anyway.

  • Reports the total number of unreadable sectors in the disk imaging log in addition to the affected sector ranges.

  • Imaging now aborts after media disconnect error.

Case & Report Settings

  • Smaller versions of pictures can now optionally be generated specifically for the report, to greatly reduce the memory requirements of the Internet browser or word processing application when loading the HTML report, and to accelerate loading. This can make a big difference for reports with many high-resolution photos. The JPEG compression factor is user-definable. The resolution depends on the specified "maximum dimensions of pictures".

    The checkbox that represents this option is a 3-state checkbox. If half checked, the smaller versions of the pictures are used only for the preview directly in the HTML report. If fully checked, even when clicking the picture in the report you will only see the smaller version, and the original larger file is not included in the report at all. This can be beneficial if your main concern is the drive space requirement of your report with linked files, not the output quality of pictures.

  • The report can now optionally also show previews/thumbnails of non-picture files, e.g. Office documents, e-mails, web pages, programming source code, etc. etc., similar to the gallery. You can shrink the preview representation slightly or a lot or not at all, to either be able to read some of the text right in the report without opening the document or to get a better impression of the overall formatting of the text and just see logos etc.

  • If you output one specific report table in the case report, the suggested report name is now automatically based on the name of that report table.

  • In the properties of a case you can now specify whether you prefer to have X-Ways Forensics use the case-specific directory of temporary files (the _temp subdirectory of that case) instead of the general one, when that case is active.

  • Purely physical user search hits (defined in Disk/Partition mode, not File mode) can now also be output in the report, in the section about the evidence object to which it belongs. File-related search hits are still output in the report table section about that file along with all the selected metadata. If the file that a search hit selected for the report belongs to is not output with a report table, the search hit can now be seen in the section about the evidence object.

  • Option to output incrementing numbers in the case report, for each item in a report table, to uniquely identify a file in that report.

User Interface

  • All edit boxes throughout the program (except for password edit boxes and column width boxes) now remember a history of up to 10 last entries. The history can be seen when clicking the tiny button that appears in an edit box for which a history is available. Alternatively, you can press the F4 key just like in a normal drop-down box (combo box). If you select a previous entry from the pop-up menu, it will be inserted into the edit box automatically. Users who wish to delete these histories or pass them on to others, please be advised that they are stored in the file History.dat when the program is ended. If you do not wish to keep histories between sessions, you can create an empty file named History.dat yourself and render it read-only.

  • A new keyboard shortcut, Shift+Ctrl+Del, allows to remove matches with ordinary hash sets, FuzZyDoc hash sets, and PhotoDNA categories from selected files in the volume snapshot, which even if the hash sets are deleted from the hash database are not discarded otherwise.

  • Pressing Ctrl+C in the directory browser now copies the textual data of the selected items into the clipboard, with the same notation as in the directory browser itself, otherwise similar to the Export List command.

  • The colors of tag marks (if they are not represented by check marks) are now slightly different, and they are now user-definable in Options | Directory Browser. Useful for example if you prefer stronger colors or if the default colors conflict with pictures that you are viewing in the gallery (e.g. many outdoor photos with blue sky at the top). If you liked the slightly more unobstrusive colors of previous versions, you can get them back manually: Color 1 = RGB 225, 225, 255 (for the upper left corner) and Color 2 = RGB 163, 163, 255 (for the lower right corner).

  • The colors that mark files as already viewed are now user-definable as well, via Options | Viewer Programs | Keep track of viewed files | .... If you liked the colors of previous versions, you can get them back manually: Color 1 = RGB 233, 225, 223 (for the upper left corner) and Color 2 = RGB 145, 250, 103 (for the lower right corner). In v18.7 they have been simply swapped.

Search Functions

  • The "1 hit per file needed only" option of the logical simultaneous search now no longer skips the slack of a file once a hit in the logical part has been found if "Open and search files incl. slack" is fully checked. It will check the slack for at most 1 additional hit as well.

  • Lists purely physical user search hits in the case root window, even if in that window you cannot navigate to the sector contents by clicking the search hits.

  • There is now an option to limit the search for lost partitions on physical media to the sectors that follow the current cursor position.

  • Fixed misinterpretation of literally specified # character in square bracket sets in GREP expressions.

  • Prevents overlapping GREP search hits in directory browser cells.


  • When excluding duplicates based on hash value or name, X-Ways Forensics now prefers to keep the copy whose owner is known.

  • Recover/Copy and Create Report now even name embedded .eml files after their unique ID if the corresponding option is selected.

  • Lifted internal limitation on the amount of data extracted from files per volume snapshot (previously 1 TB). Volume snapshots saved by v18.7 cannot be opened in v18.6 and earlier any more.

  • Larger files can now be attached to the volume snapshot.

  • For the record presentation of the hex editor, records are now numbered starting with 0 instead of 1 by default. 1-based record numbers are still available optionally. The record size is now specified in hexadecimal if hexadecimal offsets are active in the user interface.

  • New X-Tension API function GetEvObj().

  • Ability to convert assigned hash sets to report table associations, in the dialog window for report table associations, where you can also convert contained search terms to report table associations. This can be useful for example if you wish to recreate your hash database from scratch or delete your hash database, and do not only wish to preserve the hash category of known files in the volume snapshot, but also the exact matching hash set names. Also useful if you wish to add files to an evidence file container and wish to let the recipient know the original hash set matches, not only the hash category. These auxiliary report tables are highlighted in a different color to distinguish them from 1) ordinary user-created report tables, 2) internally created report tables that make the user aware of something special, and 3) search term based report tables. Associations with hash set based report tables can also be created on the fly when copying files to an evidence file container.

  • Including comments and/or report table associations of files in an evidence file container is now optional for each copy action and does not have to be decided up front once and for all when creating the container.

  • The main executable files are now digitally signed.

  • Windows 10 is now officially a supported platform.

  • Many minor improvements.

  • Some minor fixes.

  • Program help and user manual updated for v18.7.

Changes of service releases of v18.6

  • SR-1: Improved FuzZyDoc matching results for PDF documents.

  • SR-1: Time zone awareness of timestamps now defined on a per-file basis in exFAT.

  • SR-1: Ability to find the virtual allocation table of virtual UDF partitions on certain non-standard (incomplete) disk images as produced by other software.

  • SR-1: Fixed an exception error that occurred in v18.6 when carving files in a data window that represents a single file with no volume snapshot and no directory browser.

  • SR-1: Fixed effect of unselected "List internal file system files" option for files in archives.

  • SR-1: Fixed unsuccessful conversion of certain Base64 code.

  • SR-1: Prevented an extremely rare exception error that could occur when matching hash values against the hash database.

  • SR-2: Fixed inability of X-Ways Imager 18.6 to image disks.

  • SR-3: Fixed occasional incomplete extraction of embedded JPEGs in PDF documents.

  • SR-3: Fixed potential time zone information error in the properties of evidence objects with a Windows installation.

  • SR-3: Fixed an exception error that could occur with certain corrupt Zoom Browser files (Canon).

  • SR-4: Fixed time zone conversion in the second column of previews of certain index.dat files.

  • SR-4: Fixed occasional incomplete exclusion of duplicates based on hash values.

  • SR-4: Deduplication of multiple very similar PhotoDNA hash values now even when importing them into an empty (newly created) PhotoDNA hash database.

  • SR-4: Since v18.6, if a new PhotoDNA hash value is close enough to be considered a match for an existing one, but different enough to warrant a separate entry in the PhotoDNA hash database, the existing entry is updated and the new one added. This double entry previously did not happen if both similar hash values were added during the same import operation, but now does.

  • SR-5: Fixed size detection of Ext* partitions larger than 2^32 blocks in situations where they are not referenced by any partition table.

  • SR-5: Fixed memory leak in HFS file system support.

  • SR-5: Fixed inability to deactivate all filters with a single mouse click in SR-4.

  • SR-6: Fixed an exception and instability error that could occur when extracting metadata from certain documents in OLE2 format.

  • SR-6: In Ext4 file systems, some very rare files with uninitialized parts were previously read with partially incorrect data. That was fixed.

  • SR-6: Fixed parsing of FAT32 file systems with cluster sizes of 128 KB or more in X-Ways Forensics.

  • SR-6: Ability to show rough pixel counts for pictures that have PhotoDNA database matches.

  • SR-6: investigator.ini options related to the new Description filter did not work in v18.6. That was fixed.

  • SR-7: Fixed a rare exception error that could occur when generating HTML previews of files of certain types.

  • SR-7: Fixed potential inability to select thumbnails in the gallery while viewing pictures with the viewer component.

  • SR-7: Improved stability for processing of SQLite databases.

  • SR-7: Improved imaging behavior after media disconnect error.

  • SR-7: Prevented way around investigator.ini option +51 in v18.6.

  • SR-8: Fixed potential incomplete listing of partitions in the directory browser when more than one partition was semi-automatically detected starting from the sector pointed at by the user.

  • SR-8: Fixed an error that could occur when reading from partitions with a file system based on a sector size different from the sector size of the physical disk.

  • SR-8: Fixed incorrectly displayed file size for huge files in UDF file systems.

  • SR-8: Fixed a rare error in symlink resolving.

Loss of Dongles

There are still a few customers who ask about a replacement for lost dongles even if their dongles were not insured, although we and the X-Ways Forensics software itself have confirmed over and over again that we do not offer replacements for lost dongles if not insured, because these dongles can still be used to unlock the software, by whoever, even by yourself it the dongles show up again. With immediate effect, we will ignore requests for dongle replacements if no insurance was in place. We provide only 1 dongle per license, not as many dongles as customers would like to have.

Viewer Component

Oracle has provided a "critical patch update" for v8.5.2 of the viewer component. The updated version is downloadable from our web server. It is probably recommendable for security reasons.

Oracle's description of the patch update as always claims to have information about what was fixed, but doesn't:

What this Update Fixes:
January 2016 Critical Patch Update for Outside In
This patch is cumulative with all previous Outside In 8.5.2 Critical Patch Updates

A 3rd party web page describes the fixed security issue as follows: "A local user can exploit a flaw in the Oracle Outside In Technology Outside In Filters component to cause partial denial of service conditions." The only file that has actually changed is sccfnt.dll. That file is responsible for fonts.

Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 BŁnde

> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <