
WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#138: X-Ways Forensics, X-Ways Investigator, WinHex 17.6 released

Mar 26, 2014

This mailing is to announce the release of another notable update with many improvements, v17.6.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.6 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Toronto, Canada, Mar 31-Apr 4 (waiting list)
Toronto, Canada, Apr 7-11 (waiting list)
Austin, TX, May 19-23 (waiting list)
Cambridge, England, Jun 10-13
Ottawa, Canada, Jun 16-20
Norwalk, CT, Jun 23-27
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


What's new in v17.6?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

File Type Support

  • File type detection and categorization significantly revised.

  • New metadata extraction feature, which restores original file system metadata (such as filename and timestamps) when found in certain file types, such as $I* recycle bin files and iPhone mobile sync backup indexes (Manifest.mbdx). Original filenames are typically much more meaningful than random names that are assigned only to guarantee uniqueness within a single directory for backup purposes. Examples of such random names are 3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae (for a file in an iPhone backup) or $RAE2PBF.jpg (Windows recycle bin). Support for more file types will follow. The current filename according to the file system is not lost: it can still be seen in square brackets in the Name column as well as in Details mode, and the Name filter will conveniently find both the original and the current name.

  • Improved ability to uncover thumbnails from Windows thumbcaches. The process is now faster and produces much less redundant thumbnails especially for Windows 8 and 8.1 installations (only the highest resolution available for a set of thumbnails for the same picture). The new method is used when targeting thumbcache_idx.db files (which will in turn target the corresponding thumbcache*.db files) via the provided mask and not the thumbcache*.db files directly as in previous versions of X-Ways Forensics.

  • Support for a variant of thumbs.db files found in Windows 7 in certain constellations.

  • Performance of uncovering thumbnails in large JPEG files improved.

  • More precise truncation of incomplete or fragmented PNG files when carving.

  • Ability to extract embedded files from Photoshop thumbnail caches (Adobe Bridge Cache.bc), Canon ZoomBrowser thumbnail collections (.info), and Paint Shop Pro caches (.jbf).

  • Ability to uncover embedded pictures from the caches of Google's Picasa 3 image organizer and viewer software (thumbindex.db and related files).

  • Event extraction from Picasa 3.

  • Metadata extraction from IconCache.db files, an important Windows artifact that can help to prove the execution of programs, for example in malware investigations.

  • Extraction of forensically valuable metadata from PhotoShop PSD and INDD (Adobe InDesign) files.

  • Internal file carving algorithms for INDD, Bridge Cache and Picasa3 index files implemented.

  • Improved support for Magix Photo Manager Cache .mxc2 and .mxc3 and other files.

  • Internal graphics viewer now supports certain .bmp graphics with larger headers.

  • Some other improvements in the internal graphics viewer.

  • More metadata is now extracted from AVI video files, for example the codec and the IDIT creation timestamp or original filename, where available.

  • Metadata and internal file carving support for AMR voice recording files.

  • Ability to uncover various potentially relevant resources in 32-bit and 64-bit Windows PE executables (programs and libraries) as child objects, in particular RCDATA, named objects, bitmaps, icons and manifests. Useful for example for malware analysis. This does not happen automatically, only if you specifically target executable files via a suitable series of file masks.

  • Support for even more deeply nested (recursively forwarded) e-mail messages in OST/PST e-mail archives.

  • Ability to reconstruct e-mail messages from the Livecomm.edb database, which is used by the Windows Mail client (Windows 7 and newer) as part of the "uncover embedded data" operation. Also extracts contact and account information.

  • Unicode support for e-mail excerpt reconstruction from Thunderbird indexing databases.

  • Some minor fixes for EDB processing.

  • Fixed an exception error that could occur when processing SQLite databases.
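The bullet on metadata extraction above uses $I* recycle bin records as its first example of a file type that preserves the original filename and timestamps. The following parser is an added illustration of what that record contains and how the $R data file is paired with its $I metadata record; it is not X-Ways code, and the sample record, the examiner's path and the deletion time are constructed here. The version-1 layout (Vista through Windows 8.1) is the one current when this newsletter appeared; version 2 (Windows 10) is included as an assumption beyond the page.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the constructed samples."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def pair_recycle_bin_name(recycled_name: str) -> str:
    """Return the $I metadata record name that belongs to a $R data file
    (e.g. $RAE2PBF.jpg, the example on the page, pairs with $IAE2PBF.jpg)."""
    if not recycled_name.startswith("$R"):
        raise ValueError("not a $R recycle bin data file name")
    return "$I" + recycled_name[2:]


def parse_dollar_i(record: bytes) -> dict:
    """Parse one $I record from $Recycle.Bin\\<SID>\\ and return the original
    file system metadata it preserves (size, deletion time, original path).

    Layout, little-endian:
      0x00  uint64  format version (1 = Vista through Windows 8.1)
      0x08  uint64  original file size in bytes
      0x10  uint64  deletion time as FILETIME
      0x18  name:   version 1 -> fixed 520-byte UTF-16LE field (260 chars, NUL padded)
                    version 2 -> uint32 character count, then UTF-16LE path
                    (version 2 is the Windows 10 layout; an assumption beyond the page)
    """
    if len(record) < 24:
        raise ValueError("record too short for a $I header")
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", record, 0)
    if version == 1:
        raw_name = record[24:24 + 520]
    elif version == 2:
        if len(record) < 28:
            raise ValueError("version 2 record too short for the name length")
        (name_chars,) = struct.unpack_from("<I", record, 24)
        raw_name = record[28:28 + name_chars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    # Decode defensively: a carved or truncated record may end mid-character.
    original_path = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": original_path,
    }


def build_sample_record() -> bytes:
    """Constructed version-1 $I record for a hypothetical deleted picture (not real evidence)."""
    deleted_at = datetime(2014, 3, 26, 12, 0, tzinfo=timezone.utc)
    path = "C:\\Users\\examiner\\Pictures\\holiday.jpg"
    name_field = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, 48_213, datetime_to_filetime(deleted_at)) + name_field


def build_sample_record_v2() -> bytes:
    """Constructed version-2 record (length-prefixed name) for the same hypothetical file."""
    deleted_at = datetime(2014, 3, 26, 12, 0, tzinfo=timezone.utc)
    name = "C:\\Users\\examiner\\Pictures\\holiday.jpg\x00"
    header = struct.pack("<QQQI", 2, 48_213, datetime_to_filetime(deleted_at), len(name))
    return header + name.encode("utf-16-le")


def describe(record: bytes) -> str:
    """One-line summary in the spirit of the 'original name [current name]' display."""
    meta = parse_dollar_i(record)
    return (f"{meta['original_path']} ({meta['original_size']} bytes, "
            f"deleted {meta['deleted_at'].isoformat()})")


if __name__ == "__main__":
    print(pair_recycle_bin_name("$RAE2PBF.jpg"))
    print(describe(build_sample_record()))
    print(describe(build_sample_record_v2()))
```

The deletion time is kept as an aware UTC datetime; converting it to the examiner's display time zone is a separate, explicit step, which keeps the stored value and the presented value distinguishable in a report.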

Usability

  • Increased capacity for large cases:

    Maximum number of simultaneously open images of physical media and reconstructed RAIDs combined:
    v15-v17.1: 46
    v17.2-v17.5: 57
    from v17.6: 100

    Maximum number of simultaneously open partitions on physical media (not counting drive letters) and partitions in images of physical media and images of volumes:
    v15-v15.5: 64
    v15.6-v17.5: 99
    from v17.6: 256

    Some background information: Note that it is not a must to always have all evidence objects in a case open at the same time. In fact it can be desirable to not open them all at the same time if the volume snapshots are very big (i.e. reference many millions of files) and not much RAM is available. Simultaneous searches and volume snapshot refinements across multiple selected evidence objects can be started even when no evidence object is open at all. In this setting, X-Ways Forensics will open the evidence objects one by one automatically when it is their turn, and close them again when fully processed, to minimize memory requirements. Only when you recursively explore from the case root, all evidence objects whose files you wish to include need to be open at the same time.

    Maximum number of addressable local physical media:
    from v17.2: 64

  • Imports and shows newly created report table associations of simultaneous other users in shared analysis mode when re-opening an evidence object or when case auto-save interval elapses or when manually invoking the Save Case command. (In v17.5 this happened only when opening the case in normal, unlimited mode.)

  • Option to always suggest opening a case with extended multi-user coordination in shared analysis mode. That mode can be useful even for the first of many simultaneous users of the case, because only in that mode are newly created report table associations shared out to other simultaneous users at regular intervals (depending on the case auto-save option).

  • User interface of the search term list slightly updated. Better readable font and more economical use of space. To focus on notable search hits please remember you can use the Descr. column filter.

  • The search term list can now be sorted by search terms alphabetically in ascending order or by the listed search hit count in descending order, via the context menu of the search term list, to make it easier to locate a certain search term in lengthy lists.

  • Certain kinds of files with child objects such as e-mail archives are now included in the directory tree in the Case Data window, along with their subdirectories.

  • Hash database dialog window revised.

  • You can make raw Preview mode persistent by holding the Shift key when changing to raw mode.

  • Remains more responsive during file header signature searches and other volume snapshot refinement operations, and allows several commands in the Case Data window's context menu to be used during various ongoing operations.

  • New option to view files with a single click in the gallery instead of with a double click. Useful for example if you wish to view certain pictures on a separate monitor, where you do not have to close the view window to see the gallery again, when not viewing all pictures one after the other (for which the Page Up or Dn key is more efficient).

  • Ability to store additional custom definitions of file types and categories in a separate file named "File Type Categories User.txt". It is read and maintained in addition to the standard definitions in "File Type Categories.txt", has the same structure, and is not overwritten by updates of the software if it resides in the installation directory, so you can easily continue to use it even when overwriting your installation with a new version.

  • Preselecting the directory for images specified in the General Options for newly created images is now optional.

  • Ability to mark events as notable and filter for notable events via the Timestamp column.

  • Ability to unmark multiple selected search hits and events as notable, by holding the Shift key when invoking the "Mark as notable" context menu command.

  • Available for download to users of X-Ways Forensics (click the "All versions" link) is now a text file that if named language.txt and put into the installation directory of v17.6 can override most texts in the user interface (except for example the main menu) and is easily user-editable. Useful if for example you wish to produce case reports in your own language.

X-Tensions API

  • Ability to expand the file viewing capabilities of X-Ways Forensics, X-Ways Investigator, and X-Ways Investigator CTR by integrating so-called Viewer X-Tensions. Such X-Tensions provide special views of certain file types by responding to calls of a newly defined function, XT_View, which they have to export. Users can load Viewer X-Tensions in the Options | Viewer Programs dialog.

  • A new investigator.ini option +52 prevents the use of Viewer X-Tensions, for example for security reasons. Remember that X-Tensions are Windows DLLs, which can potentially do harmful things to your system if they are loaded.

  • A new function named XWF_AddEvent was introduced, which allows adding events to the event hit list of an evidence object. XT_Prepare and XT_Finalize now receive a handle to the evidence object that the X-Tension is applied to.

  • New functions available: XWF_GetEvObjProp, XWF_OpenEvObj, XWF_CloseEvObj, XWF_GetFirstEvObj, XWF_GetNextEvObj, XWF_UpdateDirBrowser. 4 new flags for XWF_GetItemInformation and XWF_SetItemInformation introduced: XWF_ITEM_INFO_FLAG_FILEARCHIVEEXPLORED, XWF_ITEM_INFO_FLAG_EMAILARCHIVEORVIDEOPROCESSED, XWF_ITEM_INFO_FLAG_EMBEDDEDDATAUNCOVERED, and XWF_ITEM_INFO_FLAG_METADATAEXTRACTED.

  • The Delphi API definitions and a demo X-Tension have been updated with some of the new functionality.

Data Interpreter & Templates

  • Support for Mac Absolute Time in the Data Interpreter.

  • The Data Interpreter is now able to interpret UNIX/C, Java/BlackBerry/Android and Mac Absolute timestamps stored as decimal ASCII text instead of in binary. You will find a context menu item for that as well as a checkbox in the options dialog.

  • The Data Interpreter now optionally translates timestamps of all formats except MS-DOS date & time to local time (the time zone defined in the General Options). You will find a context menu item for that as well as a checkbox in the option dialog.

  • New date type "MacAbsTime" supported in templates.

  • New modifier "local" supported for timestamps in templates. Causes X-Ways Forensics to convert timestamps (except DOSDateTime) to the timezone specified in the General Options.
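The Data Interpreter items above describe three things: reading UNIX/C, Java/BlackBerry/Android and Mac Absolute timestamps that are stored as decimal ASCII text rather than binary, showing every interpretation of the same digits, and optionally translating the result to the time zone set in the General Options (the same conversion the new "local" template modifier performs). The code below is an added example of that logic, not X-Ways code: the digit run is read at a "cursor" offset inside a constructed JSON-like text field, each epoch is applied, and a plausibility window (an arbitrary choice for this example) shows why the same digits usually fit only one format. The UTC+1 offset stands in for whatever zone an examiner configures.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Mac Absolute Time (Core Foundation / Cocoa) counts seconds since 2001-01-01 00:00:00 UTC.
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# (epoch, units per second) for the three formats the list above names.
EPOCHS = {
    "unix": (UNIX_EPOCH, 1),             # UNIX/C: seconds
    "java": (UNIX_EPOCH, 1_000),         # Java/BlackBerry/Android: milliseconds
    "mac_absolute": (MAC_ABSOLUTE_EPOCH, 1),
}

# Stands in for the time zone defined in the General Options; UTC+1 is an arbitrary choice here.
EXAMPLE_LOCAL_TZ = timezone(timedelta(hours=1), "UTC+1")

# Constructed sample: a text field as it might appear in an application database, not real evidence.
SAMPLE_DATA = b'{"url":"http://www.x-ways.net","lastVisit":1395835200,"visits":3}'
SAMPLE_OFFSET = SAMPLE_DATA.index(b'"lastVisit":') + len(b'"lastVisit":')


def read_decimal_at(data: bytes, offset: int, max_digits: int = 20) -> Optional[int]:
    """Read the run of ASCII digits that starts at offset (the cursor position).
    Returns None when the byte under the cursor is not a digit."""
    end = offset
    while end < len(data) and end - offset < max_digits and 0x30 <= data[end] <= 0x39:
        end += 1
    return int(data[offset:end]) if end > offset else None


def interpret(value: int, kind: str, local_tz: Optional[timezone] = None) -> datetime:
    """Turn an integer count into a datetime for one format; translate to local time on request."""
    epoch, per_second = EPOCHS[kind]
    # Split into whole seconds and a millisecond remainder so no float rounding creeps in.
    moment = epoch + timedelta(seconds=value // per_second,
                               milliseconds=value % per_second)
    return moment.astimezone(local_tz) if local_tz is not None else moment


def interpret_all(value: int, local_tz: Optional[timezone] = None) -> Dict[str, datetime]:
    """All interpretations of the same digits, as the Data Interpreter lists them side by side."""
    return {kind: interpret(value, kind, local_tz) for kind in EPOCHS}


# Sanity window for this example; the sensible range depends on the case.
PLAUSIBLE_FROM = datetime(1995, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2030, 1, 1, tzinfo=timezone.utc)


def plausible(moment: datetime) -> bool:
    """True when the interpretation falls inside the sanity window."""
    return PLAUSIBLE_FROM <= moment <= PLAUSIBLE_TO


if __name__ == "__main__":
    digits = read_decimal_at(SAMPLE_DATA, SAMPLE_OFFSET)
    print("digits at cursor:", digits)
    for kind, moment in interpret_all(digits, EXAMPLE_LOCAL_TZ).items():
        flag = "plausible" if plausible(moment) else "unlikely"
        print(f"{kind:13s} {moment.isoformat()}  ({flag})")
```

For the sample value 1395835200 the UNIX reading lands in March 2014, the Java reading in January 1970 and the Mac Absolute reading in 2045, so the plausibility flag alone resolves the ambiguity here; in real data the surrounding structure (the file type, neighbouring fields) should be the deciding evidence, and the local-time translation should be recorded next to the UTC value.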

Media & Image Support

  • Ability to convert so-called Nandroid backup files of the NAND flash memory of Android devices to regular raw images via Edit | Convert.

  • More complete output of serial numbers of USB devices.

  • Ability to see model and serial numbers of physical media without administrator rights.

  • Structure of the technical details report for physical media slightly improved.

  • Displays the amount of free space on the output drive in the Create Disk Image dialog window.

Miscellaneous

  • New menu command Tools | File Tools | Replicate Directory. This command copies a directory with all its files and subdirectories, recursively, and recreates individually NTFS-compressed source files as NTFS-compressed in the respective output folder if supported by the destination file system and any layer in between. The command does not retroactively compress such files after their creation, but writes them immediately as compressed, which is more efficient. However, it still has to copy/send the decompressed amount of data of the source file. Select the source directory first, then specify/create the destination directory. This function is useful for example if you wish to copy or move a case directory, which contains a few NTFS-compressed files that would be inefficient to store as uncompressed. Note that alternatively you can open a case and use the Save As command in the Case Data window for the same effect. The Replicate Directory command is also special in that it can operate on overlong paths.

  • Ability to manually enter the Recover/Copy output path by clicking a new "..." button in the dialog window, in the same line where the path is displayed. Useful if you wish to specify a network location that Windows does not list automatically.

  • The hash database of block hash values is now no longer expected in a subdirectory of the directory with the regular hash database, but in a directory at the same level, with the same base name plus " [block hash values]" appended.

  • The old indexing engine was removed.

  • Many internal improvements and some small bug fixes.

  • Program help and user manual updated.


Changes of service releases of v17.5:

  • SR-1: Fixed output of erroneous timestamps extracted from Firefox SQLite databases.

  • SR-1: Fixed timezone adjustment of timestamps in the metadata of some file types (PDF, MDB, RTF, PNG, Flash and GZip).

  • SR-1: Fixed erroneous selection of the radio button for evidence file containers when selecting the target image path in X-Ways Imager.

  • SR-1: Word frequencies in exported index word lists were not entirely accurate. That was fixed.

  • SR-2: More thorough sorting by "Type status", which takes the detected file format consistency into account.

  • SR-2: Fixed faulty utilization of the header size in RAID reconstruction in some recent versions.

  • SR-2: Fixed an exception error that could occur when processing certain incomplete Chrome caches.

  • SR-2: Avoided a misleading and unnecessary error message when finalizing the index and searching in the index.

  • SR-2: Avoided misleading and unnecessary error messages when importing search hits from another user.

  • SR-2: Avoided instability when processing IE travellog files.

  • SR-3: Prevented a possible crash that could occur when extracting e-mails from PST/OST e-mail archives.

  • SR-3: Deleting hash sets command corrupted hash databases in v17.5 and v17.6 Preview. That was fixed.

  • SR-3: The Include command in the directory browser context menu did not work in v17.5 and v17.6 Preview. That was fixed.

  • SR-3: Fixed potentially incomplete previews of Google Chrome WebData databases.

  • SR-3: Fixed an exception error that could occur with irregular PDF files.

  • SR-4: Fixed a read error that could occur with XML files extracted from PDF documents.

  • SR-4: Better support for extremely fragmented files in NTFS volumes.

  • SR-4: Fixed a file creation error in the "Export report table associations" command at the case level.

  • SR-4: Prevented exception errors that could occur when selecting more than the currently supported 57 simultaneously open images of physical disks and 99 simultaneously open partitions of physical disks or images of partitions for recursive exploration from the case root window and then trying to run commands in the directory browser context menu on them.

  • SR-5: Improved/fixed coordination of simultaneous usage of the hash database by multiple users.

  • SR-5: Fixed a link error that could occur when generating case reports for files with overlong paths.

  • SR-5: Prevented an exception error that could occur when parsing corrupt 0x30 attributes.

  • SR-6: Improved representation of Base64-encoded e-mails extracted from MBOX e-mail archives.

  • SR-6: v17.3 and later did not always include all NTFS file system level timestamps in the event list when they were different from the creation timestamp. That was fixed.

  • SR-6: Progress indicator for the time when X-Ways Forensics finalizes indexes of the new kind.

  • SR-6: Fixed an error that could cause the loss of newly created report table associations in shared analysis mode.

  • SR-7: Fixed an instability error that could occur when recursively exploring from the case root and listing many millions of files.

  • SR-8: Fixed an exception error that could occur when extracting files from Google Chrome caches.

  • SR-8: Fixed inability of X-Ways Investigator to convert container raw images to .e01 evidence file format.

  • SR-8: Fixed an exception error that could occur when extracting certain recovered corrupt e-mail messages from Outlook PST/OST e-mail archives.

  • SR-8: Removes certain superfluous parts in certain multi-part e-mail messages to keep the viewer component from showing e-mails as blank.

  • SR-8: Fixed an error that could cause a loss of user comments in the volume snapshot.

  • SR-9: Fixed an exception error that occurred in the original and regular WinHex 17.5 version when displaying the Data Interpreter context menu.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#137b: X-Ways Forensics, X-Ways Investigator, WinHex 17.5 released

Jan 28, 2014

This mailing is to announce the official release of v17.5.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data (the password has changed recently!), details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.4 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Orlando, FL, March 3-7
Toronto, Canada, Mar 31-Apr 4
Austin, TX, May 19-23
Cambridge, England, Jun 10-13
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


New License Type for Smaller Budgets

Available since late 2013: Timed annual licenses for X-Ways Forensics, which unlike our regular perpetual licenses expire after 1 year, are now available for purchase at half the price! (Subject to change.) These licenses cannot be renewed, or upgraded to a perpetual license. Online orders / quotes


What's new in v17.5?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

For the major changes already announced on Jan 8, 2014 for v17.5 Beta click here.

Miscellaneous improvements since Jan 8, 2014:

  • Program help and user manual updated for v17.5.

  • Support for more deeply nested directory trees in Ext*.

  • Some clusters of significantly fragmented files in Ext4 were incorrectly contained in idle space as well. This has been fixed.

  • Support for VMDK snapshots where the VMDK images are stored in segments, each usually representing 2 GB of the virtual disk. Previously only monolithic VMDKs were supported, i.e. where the entire VMDK image is stored in one file (whether sparse or not).

  • Fixed errors in VMDK support in previous preview and beta versions of v17.5.

  • Ability to interpret evidence file containers larger than 4 TB.

  • Creating the descriptive text file when imaging disks is now optional.

  • The option to define the number of extra compression threads when creating .e01 evidence files is no longer hidden.

  • Support for NTFS file systems larger than 2^32 clusters (which are not supported in Windows 8 and earlier, but perhaps in later versions).

  • Improved support for high dpi display settings in Windows (150% and larger), in message boxes, file selection dialogs, info pane, mode buttons, toolbar, progress indicator window, directory browser, and search hit context preview.

  • Colored icons for excluded and notable files now displayed with no noticeable delay even when Aero is enabled.

  • The file type filter dialog now remembers which categories were expanded.

  • Stability of EVTX processing improved.

  • Reconstruction of indexed e-mail messages from the indexing database of the Thunderbird e-mail client and output as child objects in the volume snapshot, as part of the extraction of embedded data in SQLite databases.

  • Exclusion of known SQLite databases from the embedded data extraction if it is known that there is no valuable binary data to be found.

  • Improved support for MS Internet Explorer recovery travellog files.

  • Windows Registry report and event extraction revised.

  • File type verification updated.

  • You can turn off "Extended multi-user coordination" if you are sure to be the only concurrent user of a case and don't need some of the advanced options, for performance benefits in some very few situations.

  • Indexes of the new type previously became unusable if the drive letter or path of the case changed. This is no longer the case for existing and newly created indexes in the final version of v17.5.

  • Ability to specify separate virtual output directories for separate file carving runs, for example to distinguish operations of different scopes or for different purposes (e.g. first ordinary sector-level file carving in an entire partition, then byte-level file carving of e-mails in free space).


Changes of service releases of v17.4 since Jan 8, 2014:

  • SR-7: Ability to create evidence file containers of the new type larger than 4 TB correctly. Fix also contained in v17.3 SR-11, v17.2 SR-11, and v17.1 SR-11.

  • SR-7: Fixed an error in the Copy Sparse function.

  • SR-7: The gallery was not updated in v17.4 when excluding files. That was fixed.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#137a: X-Ways Forensics 17.5 Beta released

Jan 8, 2014

This mailing is to announce the release of a beta version of X-Ways Forensics 17.5, with many interesting improvements. v17.5 Beta is only available for X-Ways Forensics. The next newsletter issue will notify you when v17.5 is officially released, and at that time v17.5 will also be available as WinHex (for users with a personal, professional or specialist license) and X-Ways Investigator.

Users of X-Ways Forensics can go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. 

Please be reminded that if you are interested in receiving information about updated beta releases of v17.5 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with v17.4 or another previous version until v17.5 is officially released, or even longer, you should use the last service release of that older version.


Upcoming Training

Orlando, FL, March 3-7
Toronto, Canada, Mar 31-Apr 4
Austin, TX, May 19-23
Cambridge, England, Jun 10-13
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


What's new in v17.5 Beta?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Multi-User Support

  • All cases created or opened with v17.5 and later now have extended multi-user support, where X-Ways Forensics distinguishes between different examiners working with the same case at different times or at the same time. Cases opened with v17.5 and later cannot be opened any more with earlier versions.

  • Extended multi-user support is especially helpful for large cases and for examiners who wish to tell their own results apart from their colleagues' results. Report table associations, comments and search terms/hits of different examiners can optionally be distinguished, by showing the creating examiner's initials (default), or alternatively other abbreviations of their names or (if no abbreviation is specified) their complete usernames.

    A maximum of 255 users (examiners) is supported per case. Examiners are recognized internally by their Windows user accounts. All related options can be found by clicking the button for "Extended multi-user coordination" in the case properties dialog window.

  • It is possible for multiple users to open the same evidence objects in the same case simultaneously for examination. By same case we mean the same case file, not a copy, stored in a shared network location or on a terminal server. X-Ways Forensics is responsible for synchronizing report table associations, comments and additions of files to the volume snapshot, and for making users aware of access conflicts before they occur and preventing them in most situations.

  • X-Ways Forensics now remembers the "tagged", "already viewed" and "excluded" status of files separately for each examiner. You can choose to adopt the "already viewed" status of files in volume snapshots from all other examiners when opening evidence objects. That is useful if the goal is to avoid duplicate work, i.e. if you do not wish to review files that were already reviewed by any of your colleagues. Please note that individual file statuses ("tagged", "already viewed" and "excluded") as well as search hits of other users are lost if one examiner removes items from the volume snapshot.

  • Search hits and search terms are stored on a per-user basis as well. The first examiner opening an older case with v17.5 or later will absorb the search hits and search terms that were stored in the case by v17.4 or earlier. The "Extended multi-user coordination" dialog window contains a button that allows you to import the search hits and search terms of another user. 

  • Comments and report table associations are shared between all examiners. Examiners can choose whether or not they get to see report table associations of other users. The same file can be associated with the same report table only by 1 examiner. 

  • To view all the results of a colleague (report table associations, search hits, tag marked, already viewed status of files, exclusion status of files), you can open the case in read-only mode as him or her. For that, try the new "Options..." checkbox when opening a case. You may prevent your colleagues from opening the case in read-only mode as you.

  • The new "Options..." checkbox allows you to open a case in any of the three modes known from earlier versions:
    1) entire case read-only (case file and volume snapshots),
    2) cooperative analysis mode (ability to produce report table associations, comments, search hits, and virtual files; tag files; remember already viewed files; exclude files)
    3) full access

  • If the same user wishes to open the same case (the same copy) in more than 1 instance of the program simultaneously, that user has three options. Either in the second instance the entire case is opened as read-only, or the user is responsible for opening evidence objects that are already open in one session as read-only in the other session to avoid conflicts (right-click an evidence object for that option), or the user opens the case as a separate, fictitious user (called his or her "alter ego") with separate file statuses, search hits, report table associations etc. If the latter option is selected, shared use of the case is coordinated by X-Ways Forensics exactly as if the alter ego was a real, different examiner, even though the username is the same.

  • The aforementioned "Options..." checkbox allows you at any time to open the case as your alter ego, not only when opening the same case in a second instance of the program.

  • Multiple users running searches, creating report table associations, entering or editing comments, editing extracted metadata, tagging files, excluding files, and marking files as already viewed on the same evidence object at the same time are all supported. Removing items from a volume snapshot while the evidence object is open somewhere else, however, is forbidden and will be refused by the program. The goal of the multi-user coordination in v17.5 and later is to support concurrent analysis/review work by multiple examiners. Removing files from a volume snapshot is not considered ordinary review/analysis work. Volume snapshot refinements should be done systematically in advance.

  • The initials of the examiner who has attached files to the volume snapshot or manually carved files in v17.5 and later can be seen in square brackets next to the filename, so that it is easy to tell who has introduced such files to the case.

  • X-Ways reserves the right to make technical changes to the way in which multiple simultaneous users are coordinated. To be on the safe side, please make sure that simultaneous users are running the same version of the software.

  • Last but not least, v17.5 allows you to review the processing history of a case in its properties. This reveals which versions were used on it (recorded only by v17.3 SR-10 and later, v17.4 SR-4 and later, and v17.5 and later) and by which users (recorded only by v17.5 and later).

User Interface

  • Revised look of the user interface (toolbar, menus, directory browser, gallery). Icons are now more colorful and plentiful. This allows experienced users to find the right menu commands more quickly and intuitively, especially in the directory browser context menu.

  • Gridlines in the directory browser are now optional, and if displayed can be either light gray or light blue. Without gridlines the screen looks a little less cluttered as well.

  • The entire row in the directory browser over which the mouse cursor hovers is now highlighted. That makes it easier to identify cells in the same row that are far apart on the screen.

  • The names of the authors of documents of various types (MS Office, OpenOffice/LibreOffice, RTF, PDF, ...) are now displayed in a new column named "Author" after metadata extraction.

  • The page count is now extracted from PDF and some Office file types as part of metadata extraction and shown in a new column as well.

  • Sorting and filtering by comments and extracted metadata are now greatly accelerated for huge volume snapshots in which a very large number of files have comments or extracted metadata.

  • Sorting by certain directory browser columns such as Owner, Author, Sender, Recipients, Report tables, Comments, Metadata, Search terms, and Hash set is now more user-friendly, in that items with blanks (i.e. unknown owner, unknown author, no report table associations, no comments, ...) are listed last, not first. Also, the default sort order of the hash category column is now descending.

File Format Support

  • Improved ability to uncover files in Firefox caches when targeting "_CACHE_MAP_" files and Chrome caches when targeting "index" files. Retrieves metadata such as original filenames and timestamps. Metadata extraction from "index" files.

  • Files embedded in Norton Backup files (N360 backup, *.nb20) can now be automatically uncovered.

  • Ability to uncover pictures that are embedded as Base64 in VCF files (electronic business cards).
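The Base64-embedded picture extraction mentioned above, as an added Python example that is not part of the newsletter or of X-Ways' own code: it unfolds a vCard, decodes inline PHOTO/LOGO data for vCard 2.1 (ENCODING=BASE64), 3.0 (ENCODING=b) and, going beyond the text, 4.0 data: URIs, and identifies the recovered picture by its magic bytes rather than by the TYPE parameter the card claims. The sample card and the JPEG-like blob in it are constructed for this example.

```python
import base64
import re
# Constructed sample (not from the newsletter): a minimal JPEG-like blob inside a
# vCard 2.1 record whose PHOTO property is BASE64-encoded and line-folded.
SAMPLE_JPEG = bytes.fromhex("ffd8ffe000104a46494600") + b"\x00" * 21
_B64 = base64.b64encode(SAMPLE_JPEG).decode()
SAMPLE_VCF = ("BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\n"
              "PHOTO;ENCODING=BASE64;TYPE=JPEG:\r\n"
              " " + _B64[:24] + "\r\n " + _B64[24:] + "\r\n\r\nEND:VCARD\r\n")

# Identify the decoded blob by its magic bytes, not by the TYPE the card claims.
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"GIF8", "gif"), (b"BM", "bmp")]

def identify(blob):
    return next((kind for sig, kind in MAGIC if blob.startswith(sig)), "unknown")

def unfold(text):
    """Join folded continuation lines (lines starting with a space or tab)."""
    out = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def extract_photos(vcf_text):
    """Return (kind, bytes) for each PHOTO/LOGO property carrying inline base64 data."""
    found = []
    for line in unfold(vcf_text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, *params = head.upper().split(";")
        if name not in ("PHOTO", "LOGO"):
            continue
        if "ENCODING=B" in params or "ENCODING=BASE64" in params:
            data = value                                 # vCard 2.1 / 3.0 inline
        elif value[:5].lower() == "data:" and ";base64," in value:
            data = value.split(";base64,", 1)[1]         # vCard 4.0 data: URI
        else:
            continue                                     # external URI, nothing embedded
        try:
            blob = base64.b64decode(re.sub(r"\s+", "", data), validate=True)
        except ValueError:
            continue                                     # malformed payload, skip it
        found.append((identify(blob), blob))
    return found
```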

  • File type verification considerably updated. Examples: Identification of MMAP, IDML, INCX, EDX, ENML, NBI.

  • File type signature definitions considerably updated.

  • New file type category GPS/Navigation.

File System/Disk/Image Support

  • The existence of extended attributes for files in NTFS ($EA attributes) is now revealed in the Attr. column in newly taken volume snapshots, and you can filter for the presence of such attributes. Useful to detect certain malware as seen in recent high-profile cases.

  • Considerably improved treatment of hard-linked files in HFS+. Resolving hard links is now much faster and more thorough in current HFS+ volumes that heavily use hard links because of Time Machine. Hard links to directories and resource-only files are now also resolved. The hard link count is accurately represented. All hard links except for 1 are optionally omitted from logical searches, just as in NTFS, to avoid excessive duplication of data to be searched and duplication of search hits. Hard links that are ignored are identified by a grayed out hard-link count (no longer by an asterisk as in previous versions). Additionally, iNode files (indirect node files) that have been connected with the hard links that reference them as so-called "related items" in the volume snapshot are omitted. Should the hard-link count of an iNode file not be grayed out, that indicates an orphaned iNode file (one that is not referenced by any hard-linked file, at least not in the volume snapshot). Comments are no longer used for hard-linked files in HFS+.

  • Extraction of events from Unix/Linux/Macintosh system logs. These events are of practical significance especially for USB device history examinations.

  • Improved detection of non-standard LVM2 container partitions.

  • VMDK virtual disk images which have been compressed for transport purposes (the VMDK format variant referred to as "stream-optimized"), as used by the OVF appliance export format, are now supported.

  • Option to create report table associations for files that were successfully added to a skeleton image using the directory browser context menu command.

Miscellaneous

  • Various minor improvements and some small bug fixes.

  • Same fix level as v17.4 SR-6.

  • User manual and program help not updated yet for v17.5.


Changes of service releases of v17.4:

  • SR-1: Works again with the old version of MPlayer.

  • SR-1: Fixed an error that could occur in the Attr. filter for special files in Unix/Linux file systems.

  • SR-1: Fixed hanging after volume snapshot refinements if the error "Parent of ... undefined" occurred.

  • SR-1: Quicker EDB file subtype identification.

  • SR-2: When the gallery dynamically shows the stills of a video in a loop, you may now press Esc to stop the animation, + to accelerate and resume the animation, and - to slow down and resume it.

  • SR-2: Fixed an error that could stop the gallery from working.

  • SR-2: Fixed an error that occurred when exporting hash sets from the block hash database.

  • SR-2: Fixed some truncated descriptions for events collected from SQLite databases in the 64-bit edition.

  • SR-2: Proper timezone adjustment of event timestamps from SQLite databases.

  • SR-2: Potentially fixed an error that could occur on some computers when closing data windows after cloning with the "copy entire medium" setting.

  • SR-3: Fixed an error that could occur when using the gallery.

  • SR-3: Prevented output of some unnecessary messages when taking snapshots of Ext4 volumes.

  • SR-3: If the Help | Dongle dialog informs you that a new activation code is required for v17.5, please request it from X-Ways.

  • SR-3: Fixed a skeleton image verification error that could occur in certain situations.

  • SR-3: Fixed an exception error that could occur during index searches in v17.4.

  • SR-4: Fixed an error that could cause the gallery to not be fully populated in certain situations.

  • SR-5: v17.4 SR-2 and later did not close the case root window when closing a case, which triggered errors. That was fixed.

  • SR-5: The gallery was not updated in v17.4 when sorting the directory browser. That was fixed.

  • SR-5: Fixed instability of the 64-bit edition with certain EDB database files.

  • SR-5: Child objects that have been viewed no longer propagate this status to a parent file.

  • SR-6: Fixed an exception error that could occur when filling evidence file containers in v17.3 and v17.4.

  • SR-6: Fixed an exception error that could occur when resolving symlinks in the 64-bit edition of v17.4.

  • SR-6: Fixed a recurring delay that could occur on volumes with a lot of clusters when reviewing search hits in free space for which only a logical/relative offset is known (index search hits).

  • SR-6: Fixed inability of v17.4 to process Windows.edb databases of Windows 7 under Windows 8 and Windows 8.1.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)
