|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||
|
|||||||
| #117: WinHex, X-Ways
Forensics and X-Ways Investigator 15.6 released March 1, 2010 |
This mailing is to announce an important update, v15.6. WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license) Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Please be advised that if you are interested in receiving information about service releases when made available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net ------------------------------------------------------------- Recently some comparisons of imaging speeds have been posted by a user of X-Ways Forensics in the computer forensics section of the forum. In these comparisons X-Ways Forensics basically outclassed all tested competitors. Licenses for X-Ways Forensics just for disk imaging at a reduced rate can be purchased from http://www.x-ways.net/forensics/dongle.html#imaging. ------------------------------------------------------------- UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES Seoul please ask if interested Mar 8-11 London http://www.x-ways.net/training/london.html Apr 12-16 Chicago http://www.x-ways.net/training/chicago.html May 11-13 For more information: http://www.x-ways.net/training/ ------------------------------------------------------------- WHAT'S NEW? * Matches with multiple hash sets for the same file are now supported by the hash set column, and therefore also by the hash set filter. (forensic license only) * When importing a hash set, X-Ways Forensics automatically filters out duplicate hash values within that hash set. This has a big effect on the US NIST NSRL RDS database for example and reduces its size tremendously. If your hash database already contains hash sets with duplicates, those will be eliminated by v15.6 as well, next time when you import any other hash set. Hash databases used by v15.6 and later cannot be opened any more by v15.1 or earlier. (forensic license only) * X-Ways Forensics can now usually recognize the true sector count according to ATA on ATA/SATA hard disks in situations where that failed (returned a question mark only) in previous versions. Useful to detect an attempt to limit the addressable capacity of a hard disk using an HPA (host-protected area) or DCO (device configuration overlay). (forensic license only) * Whenever X-Ways Forensics checks for an HPA/DCO (that is when imaging a hard disk, when adding it to a case, or when creating a Technical Details Report for it) and actually detects one, it now offers to either temporarily or permanently deactivate the HPA/DCO and make the full official disk capacity accesssible, so that you can e.g. image the hard disk in its full size before it returns to its original state next time when it powers down. (forensic license only) * The Technical Details Report can now retrieve the internal error count recorded by hard disks if available through the SMART interface. (forensic license only) * Simple and quick plausibility check for internally reconstructed RAID 5 that warns you immediately after reconstruction if the parity does not match. (specialist and forensic license only) * Convenient display and deconstruction of the objects ID(s) of files stored in NTFS volumes in Details mode. (forensic license only) * Better plausibility checks for deleted files in Ext* file systems. (specialist and forensic license only) * Representation of file system areas in certain Ext4 volumes corrected. (specialist and forensic license only) * The link reference (inode number) of a hard-link file in HFS+ is now shown in the Comments column. You can use the Comments filter to filter for a given inode number. (forensic license only) * Representation of the system files Attributes and Startup in the root directory of HFS+ volumes, if defined. (forensic license only) * Encryption/decprytion with AES accelerated on computers with multiple processor cores thanks to parallelization. * Indexing and index optimization revised. They are now slightly faster, and are more efficient in memory utilization. (forensic license only) * A new directory browser option now controls whether files with child objects will be typically viewed or explored on a double-click. If the checkbox is half-checked, you will be prompted whenever double-clicking such a file. In earlier versions such a file was always explored, altough it might have been more intuitive to view it (think of a MS Office 2007 or OpenOffice document with XML files as child objects). * Improved sorting performance for the columns for which sorting became slower with v15.4 (date columns, SC%, pixels, owner, hard-link count, ...). * That .eml files are renamed to .txt when copying files off the image for inclusion in the report so that Internet Explorer can open them, is now optional, so that Firefox can send such files to Outlook Express. (forensic license only) * Pictures can now be optionally embedded directly in the HTML report as inline code, so that there is no need any more for separate files in the report subdirectory. Of course, this greatly increases the size of the HTML file. Only Firefox supports this encoding style for larger pictures. (forensic license only) * The folder for scripts is now also used as the folder for templates. * That the general folder for images is preselected when adding images to the case is now optional. (affects users of a forensic license only) * The Sender and Recipients columns are now populated for e-mail attachments, too, so that even when you focus on attachments you can immediately tell who sent that file to whom, and don't have to navigate to the parent e-mail message to find out (e.g. by pressing the Backspace key). You can also filter for attachments via Sender/Recipient. (forensic license only) * The Sender and Recipients fields are now copied into evidence file containers for e-mail messages extracted from PST/OST files without the MAPI method. (forensic license only) * Sorting many e-mail messages by Sender or Recipients was potentially very slow in earlier versions, except in v15.5 for e-mails extracted from PST/OST archives not via MAPI. Sorting by Sender or Recipients is now generally fast for e-mail extracted with v15.6. (forensic license only) * Sender and Recipients as well as an internal creation date are now extracted from original .eml files (i.e. .eml files not created by X-Ways Forensics when extracting e-mails from e-mail archives) when extracting internal metadata from such files. (forensic license only) * Fixed an error that could cause instability when using the Sender/Recipient filter. (forensic license only) * Metadata extraction from HTML documents. (forensic license only) * Ability to finalize/convert/encrypt evidence file container in X-Ways Investigator after filling them, just like in X-Ways Forensics. Useful for example when investigators need to forward identified incriminating files (e.g. CP) to other departments/agencies in an encrypted state. In order to not unnecessarily confuse users of X-Ways Investigator who don't need this ability, it can be disabled with the new switch +32 in investigator.ini. * Option to always specifically run WinHex/X-Ways Forensics as administrator under Windows Vista/7 (see General Options). * Option to automatically restart the program when a restart is necessary after changing certain settings. * Ability to optionally store the key for already added AES- encrypted .e01 evidence files in the case file, so that you don't have to enter it over and over again when opening the evidence object. This is convenient, but 100% secure only if you protect your case files appropriately. (forensic license only) * The Attribute filter for "e?" did not work for files that were marked as e-mail attachments. This was fixed. * Fixed an error that could corrupt the loaded file type category definitions and lead to an empty File Type Categories.txt file. * Fixed an error that occurred when opening files with very long names on HFS+ volumes. (since v15.5 SR-1) * The creation of sparse raw image files was faulty in the original 15.5 version. This was fixed with v15.5 SR-1. * File Type Categories.txt updated and extended. (forensic license only) * Mismatches were fixed with v15.5 SR-2 that occurred when importing report table associations and comments from evidence file containers into the volume snapshot in v15.5 including SR-1. * Exception errors fixed with v15.5 SR-2 that in rare situations could in occur when verifying the type of certain kinds of text files. * The filename filter was not case-insensitive for non- English characters. This was fixed with v15.5 SR-3. * Removes trailing dots from directory names when recovering/ copying files with path, so that Windows will allow to create such directories. (since v15.5 SR-3) * Prevented an exception error that could occur when about to select a disk. (since v15.5 SR-3) * Support for .e01 evidence files with more than 2^32 sectors. (since v15.5 SR-3) (forensic license only) * Fixed an error that in recent releases caused a misinter- pretation of the sector size in raw images of certain Apple disks. (since v15.5 SR-3) * Ability to show the history of 10 last authors and file paths in MS Word documents in some rare cases where previously it couldn't. (forensic license only) * Information in Details mode about newer hiberfil.sys files in Windows Vista and Windows 7 fixed. (since v15.5 SR-4) (forensic license only) * Two rare exception errors fixed in file type identification. (since v15.5 SR-4) * Wiping free space left the wiped free space allocated in v15.5. This was fixed with v15.5 SR-4. * Fixed an exception error that could occur in v15.5 when exporting the Sender and Recipient columns. (since v15.5 SR-4) * Fixed an error when writing disk sectors past the 2 TB barrier. (since v15.5 SR-4) * Fixed an exception error that could occur when editing disk sectors on media with a sector size of 4 KB. (since v15.5 SR-4) * Virtual file "Unpartitionable space" avoided in a case where it does not make sense. (since v15.5 SR-4) * Many other minor improvements, some more minor fixes. |