#149: X-Ways Forensics, X-Ways Investigator, WinHex 18.7 released
Jan 27, 2016
This mailing is to announce the release
of another notable update with many useful improvements, v18.7.
WinHex evaluation version:
(also the correct download link for anyone with a personal, professional, or
Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to
for download links, the latest log-in data, details about their update maintenance,
etc. Licensed users whose update maintenance has expired can receive upgrade offers
from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator
with active update maintenance can conveniently find older versions for
download from there if needed. Licensed users of other products can usually receive older versions on
request (but not guaranteed).
Please be reminded that if you are interested in receiving information about
service releases when they become available, you can find those in
Announcement section of the
and (with active update maintenance) can subscribe to them, too, by creating
a forum profile.
Please note that if you wish to stick with an older
version for a while, you should use the last service release of that version. Errors in
older releases of the same version may have been fixed already and should
not be reported any more.
Austin, TX area, Feb 22-Mar 1
London, England, Feb 29-Mar 3
London, England, Mar 15-23
Washington DC area, Apr 5-8
Southern California, Apr 11-19
Miami, FL, May 23-27
Ottawa, Canada, May 24-27, 2016
Halifax, Canada, May 30-Jun 3, 2016
June 6-10, 2016
London, England, Jun
Please sign up for our training newsletter
if you would like to be kept up to date on classes in the USA, Canada, Europe,
What's new in v18.7?
(please note that most changes affect
X-Ways Forensics only)
File Format Support
Revised hiberfil.sys support for 64-bit Windows.
hiberfil.sys slack (compressed data from previous
usage of a hiberfil.sys file, as found near the end, if the last usage
achieved stronger compression than the previous usage) is now automatically
extracted and decompressed as part of "Uncover embedded data in various
file types" and provided as a child object in its decompressed form.
Accuracy of file type verification further improved.
Fewer file types with generic extensions are now unnecessarily marked as
"newly identified", but confirmed if the full filename is appropriate
for the file type.
Verification of many more file types supported. In
total the file type verification can now recognize more than 3,000 file
File carving methods implemented for .cwm (screen
capture videos) and Windows 8's .accountpicture-ms files.
.accountpicture-ms files are now by default targeted for uncovering
Type verification supported for .thumbdata3 files
(Android files that are found for example on SD cards).
E-mail extraction adjusted in such a way that certain
Base64-encoded e-mails are shown correctly by external programs after
Support for certain old Outlook PST e-mail archives
with previously unsupported text encoding. Requires that you select the
correct regional ANSI code page in the case properties and check the
unlabelled box next to it, the one that has a tooltip saying "Assume
this code page in Outlook PST".
If e-mail messages have a Sender: line in addition to
a From: line, then the sender according to the Sender: line is now shown
in the Sender column of the directory browser additionally, after the
From: sender, if actually different. They are delimited by spaces and a
pipe (|). For example, an English language MS Outlook shows such e-mails
as having been sent "on behalf of" someone else (by the Sender: sender
on behalf of the From: sender). You can filter for such e-mails by
entering a pipe as a substring for the Sender column. Analogously,
different kinds of recipients (To:, Cc:, and Bcc:) are now delimited
by pipes in the Recipient column.
Fixed a potential exception error that could occur
when processing damaged OLE2 compound files.
Prevents crashes when dealing with certain EDB
Gallery screen space is now much better utilized as
thumbnails are no longer forced to be squares. You can now specify your
preferred thumbnail width and height separately, in the Options | Viewer
Programs dialog. The specified dimensions will be dynamically adjusted
(increased) to best fill the available screen space without partial
thumbnails being visible. Since most photos and practically all videos
are shot in landscape format, you may want to select width and height
accordingly (width larger than height) when viewing pictures. Document
thumbnails can often be freely adjusted to any rectangle shape, for
example those representing word processing documents or spreadsheets,
but not presentations. For most documents other than presentations,
portrait format feels like a more natural way of representation. The
aspect ratio of the width and height that you specify is displayed in
the options dialog to quickly give you a rough idea how compatible the
measures will be with ordinary photos, videos or documents.
Previews and views of pictures (with the internal
graphics library, not the viewer
component) now additionally show the names of associated report tables in
the upper left corner and the names of matching PhotoDNA categories in
the lower right corner.
As part of the volume snapshot refinement, X-Ways
Forensics can generate thumbnails of high-quality digital photos to
accelerate the gallery. It is now possible to select the resolution
(maximum width or height in pixels) and quality (JPEG compression
factor) in the user interface. However, the maximum amount of data that
can be stored in the volume snapshot for a thumbnail is limited to 64
KB, so if a generated thumbnail gets larger than that, X-Ways Forensics
will automatically reduce the user-defined resolution accordingly.
New internal report table for animated PNG pictures.
Extraction of embedded data in PNG files (e.g. GIF
New internal report table for PNG pictures that are
likely mobile device screenshots. That assumption is based solely on
typical smartphone screen resolutions. Useful in case such screenshots
do not have the typical filenames (if they were carved, received via
apps, copied to other media and renamed by the user, or taken by certain
apps and stored in the cache of that app).
Fixed slight and rare inaccuracy in the
representation of GeoTagging coordinates of JPEG files.
A new context menu command has been introduced to
extract all frames specifically from a defined section of a selected
video. Useful if a certain part of a video is of high interest and you
need to carefully check visual details in certain frames or include them
in the report. You can specify how many consecutive frames to extract
and starting from which second. The number of frames that you need to
cover a certain period of time can be deduced from the frame rate as
shown in the Metadata cell (fps = frames per second). Please note that
the start second may be interpreted only very roughly, depending on the
frequency of keyframes (a.k.a. I-frames in MPEG) in the video. MPlayer
can seek into a video file only based on keyframes. If for example a
certain video file contains keyframes only every 4 seconds,
then the start second of the extraction may be off by up to 4 seconds.
Keep this in mind when you enter the number of frames that you need or
the start second. That is, to be on the safe side, extract more frames
than you may actually need and perhaps from an earlier start second.
The frames are saved as JPEG files in a directory of your choice on your
own drive, where you can review them outside of X-Ways Forensics. If you
like, you can of course attach the most relevant frames to the original
video file in the volume snapshot as child objects. The frames are not
stored within the volume snapshot by default so that the size of the
volume snapshot does not unreasonably inflate with potentially mostly
irrelevant and redundant pictures. If the output directory already
contains extracted frames, files with identical relative frame numbers
will be overwritten. Relative frame numbers always start with 00000001
for each extraction and increment with each frame. You may adjust the
JPEG compression if necessary for stronger compression or better
quality. (Of course you usually cannot expect a very good quality
because videos are typically highly compressed already.) The volume
snapshot refinement operation to produce representative still images
from videos (sporadically, in certain larger intervals) has been renamed
to point out the difference from the new context menu command for
exhaustive frame extraction.
More metadata is now extracted from videos when
exporting stills, usually coding/compression format, resolution, bits
per pixel, frames per second, data rate per second for video data.
A new 64-bit edition of MPlayer from 2015 is now
downloadable from the web server in addition to the 32-bit edition from
2014. The only video extraction program supported is now MPlayer.
File System Support
Enhanced Attr. filter settings for Unix style file
permissions. You can now filter for any of the 9+3 bits specifically and
combine them with OR, AND, or EQUAL. EQUAL requires the status of all 12
bits to be exactly as selected (whether set or not set). AND means you
require ALL of the checked bits to be set, but don't care about the
others. OR means you are satisfied already if ANY of the checked bits is
set. SUID and SGID bits can now be combined with a logical OR or AND as
well (previously they were always OR'ed). Please remember that if you are
interested in directories with the sticky bit, you will need to include
directories when exploring recursively and apply filters to directories,
too (not the default setting). Please note that the logical operator for
permissions should usually not be set to EQUAL, because that results
in active filtering for permissions even if no permission bits are
selected in the dialog box at all, unlike the OR or AND operators. EQUAL
with no permission bits selected means to filter for files that have no
permission bits set or files whose permissions are unknown.
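As an added illustration (not code from X-Ways), the following Python models the three operators over the 12 permission bits on constructed sample entries, including the EQUAL-with-nothing-selected behavior and the directory caveat. How unknown permissions (e.g. files on exFAT) interact with OR and AND is an assumption made here, not something the release notes state.

```python
import stat
from typing import List, NamedTuple, Optional

# The filter covers the 9 rwx bits plus SUID, SGID and sticky: 12 bits in total.
PERM_MASK = 0o7777


class Entry(NamedTuple):
    path: str
    mode: Optional[int]  # st_mode-style value, or None if permissions are unknown
    is_dir: bool


def perm_match(mode: Optional[int], selected: int, op: str) -> bool:
    """Decide whether one entry's permission bits satisfy the filter.

    selected: the bits checked in the dialog (subset of PERM_MASK).
    op: "OR", "AND" or "EQUAL", with the semantics from the release notes.
    """
    if op not in ("OR", "AND", "EQUAL"):
        raise ValueError(f"unknown operator {op!r}")
    bits = None if mode is None else mode & PERM_MASK
    if op == "EQUAL":
        # All 12 bits must match exactly. With nothing selected, this still
        # filters: it keeps files with no bits set or unknown permissions.
        if bits is None:
            return selected == 0
        return bits == selected
    if selected == 0:
        return True  # OR/AND with nothing selected: the filter is inactive
    if bits is None:
        return False  # assumption: unknown permissions cannot satisfy a requirement
    if op == "AND":
        return bits & selected == selected  # all checked bits set, others ignored
    return bits & selected != 0  # OR: any checked bit set


def apply_filter(entries: List[Entry], selected: int, op: str,
                 include_dirs: bool = False) -> List[str]:
    """Return the paths that pass the filter. Directories are skipped unless
    include_dirs is set, mirroring the note that sticky-bit directories are
    only found when directories are included and filtered as well."""
    return [e.path for e in entries
            if (include_dirs or not e.is_dir) and perm_match(e.mode, selected, op)]


# Constructed sample entries, not taken from any real case.
SAMPLE = [
    Entry("usr/bin/passwd", stat.S_IFREG | 0o4755, False),  # SUID binary
    Entry("tmp", stat.S_IFDIR | 0o1777, True),              # world-writable, sticky
    Entry("home/u/.ssh/id_rsa", stat.S_IFREG | 0o600, False),
    Entry("home/u/run.sh", stat.S_IFREG | 0o755, False),
    Entry("home/u/empty.dat", stat.S_IFREG | 0o000, False),
    Entry("sdcard/DCIM/img.jpg", None, False),              # exFAT: no Unix permissions
]

if __name__ == "__main__":
    suid_sgid = stat.S_ISUID | stat.S_ISGID
    print("SUID or SGID:        ", apply_filter(SAMPLE, suid_sgid, "OR"))
    print("SUID and SGID:       ", apply_filter(SAMPLE, suid_sgid, "AND"))
    print("sticky, dirs excluded:", apply_filter(SAMPLE, stat.S_ISVTX, "OR"))
    print("sticky, dirs included:", apply_filter(SAMPLE, stat.S_ISVTX, "OR", True))
    print("EQUAL, nothing selected:", apply_filter(SAMPLE, 0, "EQUAL"))
    print("OR, nothing selected:   ", apply_filter(SAMPLE, 0, "OR"))
```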
iNode* files (indirect node files) in HFS+ now point
to one of their hardlinked counterparts as a "related item" in the
volume snapshot, so that it is very convenient to locate at least one of
those hardlinks and see the actual use and location of the file. To find
other hardlinks for the same iNode* file, you can for example sort by
the column "1st sector".
HFS and HFS+ resource forks are now presented as
child objects, analogously to alternate data streams and extended
attributes in NTFS.
Attribute filter for resource forks added.
Loose $MFT files can now be directly and conveniently
interpreted as if they were NTFS volumes, to get at least a full listing
of all files and directories, with their paths, timestamps and
attributes. It's possible to open resident files (files whose contents
are small enough to fit into the FILE records), but no other files, of
course. Useful if in special situations all you have is the $MFT, not
the entire volume. Also useful for example for $MFTs from volume shadow
Option to omit additional hard links for the same
file in NTFS/HFS+ from volume snapshot refinement just as from logical
searches previously, to save time and reduce the number of redundant
identical child objects etc. This can make a big difference on
partitions with Windows installations that have a lot of hard links and
HFS+ partitions with Mac OS X Time Machine. Which hard links are
considered the "additional" hard links internally can be seen in the
"Link count" column as before (gray number means to be omitted) and now
also in the Description column, which identifies all hard links (i.e.
files with a hard link count of 2 or more) and the additional ones in
particular textually. The hard link that is not marked as "optionally
omitted" in the Description column is considered the "main" hard link
Rename events from $J and fragments thereof are now
output to the event list.
Files with only partially initialized contents (valid
data length < logical file size) are now marked in the Attr. column with
the # sign, and an explanation of the # sign can be found in the legend.
In newly refined volume snapshots, the "1st sector"
column now points out that certain figures are approximate, for example
for embedded files, using gray color and a tilde.
When clicking a file in Partition/Volume mode, the
jump to the start of the data of certain files is now more precise, for
example for resident files in NTFS it leads directly to the body of the
0x80 attribute and for certain embedded files directly to the start of
the data. Sorting by the "1st sector" column reflects the physical start
location of files more precisely now for certain unaligned files.
Finds more sessions of multi-session CDs/DVDs with
CDFS immediately, without having to run a particularly thorough file
system data structure search.
Avoids session duplication on CDs/DVDs with CDFS
where additional sessions are found only through a particularly thorough
file system data structure search.
Disk & Image Support
Tentative support for older VirtualBox VDI virtual
disk images from Sun Microsystems.
Prevented an error that could occur in simultaneous
computation of two hashes when imaging media in very special
configurations that involve a specific hardware write blocker model and
Windows version. The data in the images was OK anyway.
Reports the total number of unreadable sectors in the
disk imaging log in addition to the affected sector ranges.
Imaging now aborts after media disconnect error.
Case & Report Settings
Smaller versions of pictures can now optionally be
generated specifically for the report, to greatly reduce the memory
requirements of the Internet browser or word processing application when
loading the HTML report, and to accelerate loading. This can make a big
difference for reports with many high-resolution photos. The JPEG
compression factor is user-definable. The resolution depends on the
specified "maximum dimensions of pictures".
The checkbox that represents this option is a 3-state checkbox. If half
checked, the smaller versions of the pictures are used only for the
preview directly in the HTML report. If fully checked, even when
clicking the picture in the report you will only see the smaller
version, and the original larger file is not included in the report at
all. This can be beneficial if your main concern is the drive space
requirement of your report with linked files, not the output quality of
The report can now optionally also show
previews/thumbnails of non-picture files, e.g. Office documents,
e-mails, web pages, programming source code, etc. etc., similar to the
gallery. You can shrink the preview representation slightly or a lot or
not at all, to either be able to read some of the text right in the
report without opening the document or to get a better impression of the
overall formatting of the text and just see logos etc.
If you output one specific report table in the case
report, the suggested report name is now automatically based on the name
of that report table.
In the properties of a case you can now specify
whether you prefer to have X-Ways Forensics use the case-specific
directory of temporary files (the _temp subdirectory of that case)
instead of the general one, when that case is active.
Purely physical user search hits (defined in
Disk/Partition mode, not File mode) can now also be output in the
report, in the section about the evidence object to which it belongs.
File-related search hits are still output in the report table section
about that file along with all the selected metadata. If the file that a
search hit selected for the report belongs to is not output with a
report table, the search hit can now be seen in the section about the
Option to output incrementing numbers in the case
report, for each item in a report table, to uniquely identify a file in
All edit boxes throughout the program (except for
password edit boxes and column width boxes) now remember a history of up
to 10 last entries. The history can be seen when clicking the tiny
button that appears in an edit box for which a history is available.
Alternatively, you can press the F4 key just like in a normal drop-down
box (combo box). If you select a previous entry from the pop-up menu, it
will be inserted into the edit box automatically. Users who wish to
delete these histories or pass them on to others, please be advised that
they are stored in the file History.dat when the program is ended. If
you do not wish to keep histories between sessions, you can create an
empty file named History.dat yourself and render it read-only.
A new keyboard shortcut, Shift+Ctrl+Del, allows you to
remove matches with ordinary hash sets, FuzZyDoc hash sets, and PhotoDNA
categories from selected files in the volume snapshot, which even if the
hash sets are deleted from the hash database are not discarded
Pressing Ctrl+C in the directory browser now copies
the textual data of the selected items into the clipboard, with the same
notation as in the directory browser itself, otherwise similar to the
Export List command.
The colors of tag marks (if they are not represented
by check marks) are now slightly different, and they are now
user-definable in Options | Directory Browser. Useful for example if you
prefer stronger colors or if the default colors conflict with pictures
that you are viewing in the gallery (e.g. many outdoor photos with blue
sky at the top). If you liked the slightly more unobtrusive colors of
previous versions, you can get them back manually: Color 1 = RGB 225,
225, 255 (for the upper left corner) and Color 2 = RGB 163, 163, 255 (for
the lower right corner).
The colors that mark files as already viewed are now
user-definable as well, via Options | Viewer Programs | Keep track of
viewed files | .... If you liked the colors of previous versions, you
can get them back manually: Color 1 = RGB 233, 225, 223 (for the upper
left corner) and Color 2 = RGB 145, 250, 103 (for the lower right
corner). In v18.7 they have been simply swapped.
The "1 hit per file needed only" option of the
logical simultaneous search now no longer skips the slack of a file once
a hit in the logical part has been found if "Open and search files incl.
slack" is fully checked. It will check the slack for at most 1
additional hit as well.
Lists purely physical user search hits in the case
root window, even if in that window you cannot navigate to the sector
contents by clicking the search hits.
There is now an option to limit the search for lost
partitions on physical media to the sectors that follow the current
Fixed misinterpretation of literally specified #
character in square bracket sets in GREP expressions.
Prevents overlapping GREP search hits in directory
When excluding duplicates based on hash value or
name, X-Ways Forensics now prefers to keep the copy whose owner is
Recover/Copy and Create Report now even name embedded
.eml files after their unique ID if the corresponding option is
Lifted internal limitation on the amount of data
extracted from files per volume snapshot (previously 1 TB). Volume
snapshots saved by v18.7 cannot be opened in v18.6 and earlier any more.
Larger files can now be attached to the volume
For the record presentation of the hex editor,
records are now numbered starting with 0 instead of 1 by default.
1-based record numbers are still available optionally. The record size
is now specified in hexadecimal if hexadecimal offsets are active in the
API function GetEvObj().
Ability to convert assigned hash sets to report table
associations, in the dialog window for report table associations, where
you can also convert contained search terms to report table
associations. This can be useful for example if you wish to recreate
your hash database from scratch or delete your hash database, and do not
only wish to preserve the hash category of known files in the volume
snapshot, but also the exact matching hash set names. Also useful if you
wish to add files to an evidence file container and wish to let the
recipient know the original hash set matches, not only the hash
category. These auxiliary report tables are highlighted in a different
color to distinguish them from 1) ordinary user-created report tables,
2) internally created report tables that make the user aware of
something special, and 3) search term based report tables. Associations
with hash set based report tables can also be created on the fly when
copying files to an evidence file container.
Including comments and/or report table associations
of files in an evidence file container is now optional for each copy
action and does not have to be decided up front once and for all when
creating the container.
The main executable files are now digitally signed.
Windows 10 is now officially a supported platform.
Many minor improvements.
Some minor fixes.
Program help and user manual updated for v18.7.
Changes of service releases of v18.6
SR-1: Improved FuzZyDoc matching results for PDF
SR-1: Time zone awareness of timestamps now defined
on a per-file basis in exFAT.
SR-1: Ability to find the virtual allocation table of
virtual UDF partitions on certain non-standard (incomplete) disk images
as produced by other software.
SR-1: Fixed an exception error that occurred in v18.6
when carving files in a data window that represents a single file with
no volume snapshot and no directory browser.
SR-1: Fixed effect of unselected "List internal file
system files" option for files in archives.
SR-1: Fixed unsuccessful conversion of certain Base64
SR-1: Prevented an extremely rare exception error
that could occur when matching hash values against the hash database.
SR-2: Fixed inability of X-Ways Imager 18.6 to image
SR-3: Fixed occasional incomplete extraction of
embedded JPEGs in PDF documents.
SR-3: Fixed potential time zone information error in
the properties of evidence objects with a Windows installation.
SR-3: Fixed an exception error that could occur with
certain corrupt Zoom Browser files (Canon).
SR-4: Fixed time zone conversion in the second column
of previews of certain index.dat files.
SR-4: Fixed occasional incomplete exclusion of
duplicates based on hash values.
SR-4: Deduplication of multiple very similar PhotoDNA
hash values now even when importing them into an empty (newly created)
PhotoDNA hash database.
SR-4: Since v18.6, if a new PhotoDNA hash value is
close enough to be considered a match for an existing one, but different
enough to warrant a separate entry in the PhotoDNA hash database, the
existing entry is updated and the new one added. This double entry
previously did not happen if both similar hash values were added during
the same import operation, but now does.
SR-5: Fixed size detection of Ext* partitions larger
than 2^32 blocks in situations where they are not referenced by any
SR-5: Fixed memory leak in HFS file system support.
SR-5: Fixed inability to deactivate all filters with
a single mouse click in SR-4.
SR-6: Fixed an exception and instability error that
could occur when extracting metadata from certain documents in OLE2
SR-6: In Ext4 file systems, some very rare files with
uninitialized parts were previously read with partially incorrect data.
That was fixed.
SR-6: Fixed parsing of FAT32 file systems with
cluster sizes of 128 KB or more in X-Ways Forensics.
SR-6: Ability to show rough pixel counts for pictures
that have PhotoDNA database matches.
SR-6: investigator.ini options related to the new
Description filter did not work in v18.6. That was fixed.
SR-7: Fixed a rare exception error that could occur
when generating HTML previews of files of certain types.
SR-7: Fixed potential inability to select thumbnails
in the gallery while viewing pictures with the viewer component.
SR-7: Improved stability for processing of SQLite
SR-7: Improved imaging behavior after media
SR-7: Prevented way around investigator.ini option
+51 in v18.6.
SR-8: Fixed potential incomplete listing of
partitions in the directory browser when more than one partition was
semi-automatically detected starting from the sector pointed at by the
SR-8: Fixed an error that could occur when reading
from partitions with a file system based on a sector size different from
the sector size of the physical disk.
SR-8: Fixed incorrectly displayed file size for huge
files in UDF file systems.
SR-8: Fixed a rare error in symlink resolving.
Loss of Dongles
There are still a few customers who ask about a
replacement for lost dongles even if their dongles were not
we and the X-Ways Forensics software itself have confirmed over and over
again that we do not offer replacements for lost dongles if not
insured, because these dongles can still be used to unlock the software, by
whoever, even by yourself if the dongles show up again. With immediate
effect, we will ignore requests for dongle replacements if no
insurance was in place. We provide only 1 dongle per license, not as many
customers would like to have.
Oracle has provided a "critical patch update" for v8.5.2 of the viewer component. The updated version
is downloadable from our web server. It is probably recommendable for
Oracle's description of the patch update as always claims
to have information about what was fixed, but doesn't:
What this Update Fixes:
January 2016 Critical Patch Update for Outside In
This patch is cumulative with all previous Outside In 8.5.2 Critical Patch
A 3rd party web page describes the fixed security issue as follows: "A local
user can exploit a flaw in the Oracle Outside In Technology Outside In
Filters component to cause partial denial of service conditions." The only
file that has actually changed is sccfnt.dll. That file is responsible for
Thank you for your attention! We hope to see you soon somewhere on
http://www.x-ways.net or on our
You may also follow us on
Twitter! Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
X-Ways Software Technology AG