·.·. Computer forensics software made in Germany .·.·

WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#150: X-Ways Forensics, X-Ways Investigator, WinHex 18.8 released

Apr 23, 2016

This  mailing is to announce the release of another notable update with many useful improvements, v18.8.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.

Upcoming Training

London, England, Apr 25-28
Miami, FL, May 23-27
Ottawa, Canada, May 24-27, 2016
Halifax, Canada, May 30-Jun 3, 2016
Kingston, Canada, June 6-10, 2016
London, England, Jun 14-17
London Heathrow, England, Jul 4-8
New York City, Jul 18-22
Washington DC area, Jul 25-28
Seattle area, Sep 26-30

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.

New videos

Quick Start Guides  •  Settings & Setup

What's new in v18.8?
(please note that most changes apply to X-Ways Forensics only)

File Format Support

  • The type status "newly identified" was split up into "newly identified" (in a weaker sense, for example meaning that X-Ways Forensics had no idea about the file type before verification because the file didn't have any filename extension) and "mismatch detected" (which indicates a misleading filename extension, more suspicious). The type status "newly identified" from volume snapshots that were refined in previous versions is automatically adopted as "mismatch detected".

  • File type signature definitions may now exploit the first 1024 bytes of a file (previously only the first 512 bytes).

  • Identification of the zip subtype appx, which in newly initialized installations is now defined as part of the special interest group of archives (along with jar, apk, and ipa) and thus processed optionally.

  • File type verification generally further improved.

  • Chrome cache extraction revised and improved especially for large caches. Support for a recent extension of the file format. Support for multiple streams of the same cache entry: The HTTP response (named .chrome1) is output as well as, if present, as are compiled JavaScript entries (.js1). If a no-cache directive was sent by the web server, at least the HTTP response is still cached. In Preview mode you can see a special representation of HTTP responses.

  • Chrome caches can now also be processed if their index is not available, for example if cache fragments have been carved or if the cache was partially deleted or corrupted. It may be possible in some cases that a better extraction result can be achieved without the index, even if it is present. To try that, if the index has not been processed before, you can have the uncover function process "data_4" files and omit the index. data_4 is now part of the optional "special interest" group.

  • Firefox cache extraction revised.

  • Algorithmic identification of URL-encoded ESC files from browser caches, and human readable representation in Preview mode. Contains metadata of video streaming services.

  • Processing of iPhone backups of newer iOS versions as part of metadata extraction.

  • File type "locky" is now defined, nowadays relatively widespread thanks to the ransom ware "Locky". Such files are automatically marked as encrypted for easier recognition.

  • Extraction of ranks from jump list entries as well as from jump lists as a whole. These are floating-point numbers that are roughly proportional to the access frequency and therefore potentially relevant information. The ranks are computed by Windows.

  • Specific support for jump lists of Windows 10, including a very recent new version.

  • Support for the new thumbcache_idx.db format of Windows 10.

  • Support for $I files of Windows 10.

  • Prevented an infinite recursion in certain rare damaged registry hives.

  • Ability to uncover embedded files from .p7m S/MIME files.

  • Information about the audio sound quality in videos (sampling frequency and number of channels) is now extracted when capturing still images from videos. "No audio" is output if the video does not have audio. This allows to filter for videos that have or have no audio.

  • File type category entry for .dash video streaming files in browser caches. It's an MP4 subtype, but needs to be converted to be playable with regular video players.

  • Support for the new file type "service_worker", which is part of the new Chrome Offline Cache. Such files can now be type-checked, carved and metadata and embedded files can be extracted.

  • File archives of additional types are now represented in the directory tree on the left once their contents have been included in the volume snapshot.

  • Revised support for TAR archives. Ability to extract from certain TAR archives that could not be processed before. More exact representation of files in TAR archives. Faster processing, and caching of TAR archives in GZ archives.

  • Ability to confirm and extract GZ archives with the "extra" flag.

  • Revised internal file archive handling and fixed some rare errors. Improved processing of certain corrupt file archives.

  • Greatly improved carving of XML files (almost all subtypes). Simplified XML definition in FTSS.txt and FTSCO.txt.

  • Improved context sensitivity for better XML, CSV and Base64 file carving results.

  • Rudimentary CSV file carving.

  • File carving support for Microsoft ONE files.

  • File carving definitions for OECustomProperty objects, which may contain e-mail metadata from MS Outlook, often stored as alternate data streams.

  • Ability to carve fragments of Windows.edb from Windows 10 containing Internet browsing events (cf. "special interest" group).

Picture Support

  • Ability to display incomplete JPEG pictures with progressive compression with the internal graphics viewing library.

  • Fixed an exception error that could occur with certain corrupt or very large GIF pictures.

  • JPEG generator signature representation revised. A plain text description is now provided in addition to the hex notation for almost all signatures.

    The generator signature is an experimental concept that can help identifying the origin of files of certain types. It is used in X-Ways Forensics for JPEG files. The signature is based on the JPEG quantization table and some other invariant features. It is output in Details mode and in the Metadata column.

    If the generating software library is identified, a textual description is included in addition to the raw hex signature. The most common JPEG generator is the IJG library, but there are more than 10,000 others. "Photoshop" und "Photoshop Web" are also common, for example. "Photoshop Web" identifies a JPEG file generated by Photoshop with optimization for use on the web. Other generators identified by X-Ways Forensics are iPhone, Apple 75, Apple 90, Kodak, Adobe Fireworks, Nikon, Sony, Blackberry, Canon EOS, Canon EOS fine, Canon norm, Canon fine, Canon superfine, Canon PowerShot, HP Scanjet, HP PhotoSmart, HTC, CASIO, Quicktime Med, ImageGear 84, and LEAD Technologies. The quality setting used to generate a JPEG file is also output ("Q=..."). That is a number in the range from 1 to 100 (for the regular Photoshop generator just between 1 and 12). The higher this value, the stronger the compression and the lower the image quality.

    Generator signatures are used in X-Ways Forensics to name carved JPEG files if no "better" metadata is available (e.g. camera model and timestamp from the Exif data). If the metadata extraction for existing files cannot find any "better" metadata, the generator signature at least allows you to identify groups of files that belong together because they likely have the same origin. Verifying whether the generator signature and available Exif metadata are consistent with each other may tell you whether a picture was edited and saved again.

    In particular the generator signature allows to identify files produced by scanners, as there are only a handful of generators commonly used in scanners. That allows to reliably identify scanned images even if they are not black and white or not 100% using gray scale colors only.


  • Option to filter for recipients specifically on Cc: and Bcc: or just Bcc: or just To:, in e-mail messages and attachments where the recipients were extracted by v18.8. Useful for example if in your jurisdiction e-mails sent to a lawyer on Cc: or Bcc: are less protected by attorney-client privilege than e-mails addressed specifically to a lawyer.

  • Metadata extraction from e-mail messages slightly more precise.

  • Extracts e-mail messages and attachments from .olk14message files of MS Outlook 2011 for Apple Mac OS X.

  • Quoted printable is now decoded in the alternative .eml preview/presentation.

  • Fixed an exception error that could occur when extracting metadata from certain .eml files with malformed quoted printable encoding.

Case Report

  • New CSS definitions supported for thumbnails in the case report (RTpicthumb and RTdocthumb, for thumbnails representing pictures and non-pictures, respectively).

  • Option to limit metadata output in the case report to Name and Comment specifically for video still images.

  • "Make copy of pictures for inclusion in report" will now also copy one still image per video if available and show it directly in the report to represent the video. The video itself is not copied with this setting, to save drive space, only if "Make copy of files for inclusion in report" is fully checked..

  • Manual log entries now support Unicode. Option to output only manual entries in the log.


  • The Recover/Copy dialog window has been more clearly structured. The option to embed e-mail attachments in .eml files no longer depends on the option to also copy child objects or on the explicit selection of the attachments, which makes it more intuitive and easier to use.

  • New option of the Recover/Copy command to create a 2nd copy of all selected files in a separate directory. Useful if you need to provide two parties with copies of relevant files and wish to save time. The logging option is for the 1st copy only, though.

  • When identifying duplicate files, pairs of duplicates in the same volume snapshot can now be optionally linked as so-called "related" items, so that it's easy to navigate from one such file to at least one duplicate. Excluding all duplicates but one in a group is now optional, too, and marking the files as duplicates in the Description column is also optional.

  • Identifying duplicate pictures based on stored PhotoDNA hash values is now much faster than before, depending on main memory availability and number of processor cores.

  • Disk imaging: You may now specify an overflow location in advance where further image file segments will be stored should space on the primary output drive be exhausted. If you leave that field blank or if even the overflow location has no more space left, you will be prompted for a new path as before when needed. If an overflow location is specified in advance and at the same time you chose to create two copies of the image, then please note that the overflow location is used only for the first image copy that runs out of space, if any. For the other image copy you would be prompted if space is scarce.

  • Hash values of raw images that were created by X-Ways Forensics are now taken automatically from the accompanying descriptive text file if available and shown in the evidence object properties.

  • The Description filter for still images from videos now has an additional option that allows to also list the corresponding video, directly preceding its stills. That way it is easy to see in the gallery which still images belong to which video, and you can comment on the video or add the video to a report table without navigating back and forth and without using the slightly less intuitive way to apply report table associations to an item that you cannot see (with the "for parent file" option). The tiles that represent the videos may act as visual delimiters if you disable auxiliary thumbnails in the gallery options, so that you can easily see where still images of the next video begin.

  • Description filter for files that were indexed in X-Ways Forensics.

  • When multiple users share an installation of X-Ways Forensics or X-Ways Investigator, with individual configurations in the user profiles, error.log files are now no longer created in the installation directory if it's writable, but in the user profile as well, in case other users are not supposed to see some of the metadata from evidence objects that may end up in the error.log file. Similarly, the msglog.txt file is now also created in the user profile if messages are output while no case is active (but still in the case's log subdirectory if a case is active).

  • NOT option for the Name filter.

  • Modulo setting for the internal ID filter now more flexible.

  • Clicking the caption of the text column (where the name of the currently active code page is displayed in light gray) now allows to quickly change the active code page).

  • If the text column shows text in a code page that is not the active code page in your Windows system and if you copy some data from the hex editor display into the clipboard, WinHex now asks you whether you would like the text to be converted from the code page active in the text column to UTF-16, for pasting in external programs.

  • The advanced full path sort option is now a display option of the directory browser. It can still be used to achieve a sort order where child objects follow their respective parents, but now also has a visual effect in that the path now optionally includes the name of the object itself, for example if needed to copy it directly from the Path column in a single step.

  • Option in the case properties to show the search term list in a single column next time when it is created. This enables you to scroll the list vertically instead of horizontally. Might be beneficial for example if your search terms are rather long.


  • Evidence file containers now specifically remember the RVS status of the files that they contain, e.g. whether still images have been captured already from a video or whether embedded data already has been uncovered from a file. If you choose to accept and trust this status, which is a new volume snapshot option, these files will not be processed again if you decide to refine the volume snapshot of the container. You may occasionally not want to accept the RVS status of files in containers, to avoid missing something, if you suspect that the original examiner did not apply as thorough settings as you would or that they may have used an older, less capable version of X-Ways Forensics to process the files. Adopting the RVS status is also a must to get videos within a container represented in the gallery with rotating captured still images.

  • When attaching external files to a volume snapshot, X-Ways Forensics can now optionally adopt the timestamps of these files as well (creation, modification and/or access), if you are sure that they are original and not the result of any file copy activity.

  • The Data Interpreter now respects the Big Endian setting also for FILETIME structures. That is useful because FILETIME timestamps can be found in big endian in Windows Storage Spaces.

  • Underflows and overflows in timestamp columns in the directory browser (timestamps outside of the supported range) are now marked with the text "out of bounds" and can be distinguished and properly sorted and filtered. (The supported range is May 5, 1829 through May 14, 2514.)

  • Showing the file size in white tiles in the gallery is now optional, to reduce unnecessary screen cluttering for users who do not usually need this information.

  • Now re-detects the file system of volumes without re-opening them when taking a new volume snapshot if sector superimposition is active.

  • Ext journal parsing has been optimized. The result now looks better if the option is half checked, and that is the new default. Rare problems with a full selection of this option should not longer occur.

  • Can now employ the fast search algorithm even when you get close to the maximum number of search terms per simultaneous search, i.e. around 8190. (Please note that the total number of accumulated search terms in a case is also limited to ~8190.)

  • The X-Tension API function XWF_GetHashValue can now be used to retrieve PhotoDNA hash values if those were computed by X-Ways Forensics and stored permanently in the volume snapshot.

  • The X-Tension API function XWF_GetItemType now allows to alternatively retrieve the category that the type of a file belongs to.

  • Italian translation of the user interface updated.

  • Many minor improvements.

  • Some minor fixes.

  • Program help and user manual updated for v18.8.

Changes of service releases of v18.7

  • SR-1: If multiple images were added to a case simultaneously, they had to be closed and re-opened in v18.7 to get the volume snapshot taken. That was fixed.

  • SR-1: File type recognition of certain lose Hotmail e-mails improved.

  • SR-2: Fixed blank Owner column in v18.7 for NTFS file systems.

  • SR-2: Fixed inability of 18.7 to maximize the detached lower half of a data window in most modes.

  • SR-2: Edit box histories now accessible additionally by scrolling with the mouse wheel and by pressing the Down cursor key.

  • SR-2: Fixed bad quality carving of NTFS-compressed files in recent versions.

  • SR-2: Improved interaction with MPlayer.

  • SR-3: Fixed inability of v18.7 to extract files from large GZ archives completely.

  • SR-3: Avoided a condition in which no still images were captured from videos.

  • SR-3: Fixed an exception error that could occur when extracting metadata from certain huge AVI video files.

  • SR-4: The Unique ID filter now allows to enter a list of unique IDs consisting of up to 2,000,000 characters instead of 30,000 characters before. (Characters = digits, dashes, and line breaks).

  • SR-4: Thumbnails in thumbs.db were extracted without original filename if the names were very long. That was fixed.

  • SR-4: The Sender and Recipients filters are now applied to e-mail attachments again as well.

  • SR-4: Fixed an exception error that occurred in v18.6 and v18.7 when ending the program if unlocked with a network dongle.

  • SR-4: Fixed jump to wrong offset when clicking certain embedded files in Partition mode. Fixed incorrectly displayed 1st sector values for the same files.

  • SR-5: Fixed an exception error that could occur in v18.7 when adding entries to the history of edit boxes.

  • SR-5: The scope of the file header signature search on a physical, partitioned evidence object now includes very small auxiliary partitions that do not contain any known file system and that have not been added to the case as evidence objects.

  • SR-5: Fixed an error that could occur when opening evidence objects without accessible disk or image.

  • SR-5: When exploring archives with subdirectories without computing hash values at the same time, the primary hash value was set as all zeroes. That was fixed.

  • SR-6: Fixed an exception error that could occur under certain circumstances when copying data from a data window with no directory browser.

  • SR-6: Fixed an error that occurred in v18.7 when reading from reconstructed RAID5 systems with a missing component.

  • SR-6: Fixed a potential exception error with CAB files that are smaller than 256 bytes.

  • SR-6: Fixed a potential infinite loop when carving JNX files.

  • SR-6: Fixed a rare volume snapshot anomaly where the files of a certain directory became part of "Path unknown" although the path should have been known to X-Ways Forensics.

  • SR-6: Fixed a rare exception error that could occur in the Export List command in the registry viewer.

  • SR-7: Fixed inability to import PhotoDNA hash values from certain current ProjectVic ODATA JSON files.

  • SR-7: Some other aspects of PhotoDNA hash value imports improved.

  • SR-7: Fixed a miscategorization issue when importing conventional hash values from certain current ProjectVic ODATA JSON files.

  • SR-7: Ability to import hash values from JSON files belonging to previously unexpected, newly defined category numbers 4 and 5.

  • SR-7: Avoided certain unnecessary messages about corrupt directory entries in exFAT.

  • SR-7: More convenient option to have a user-specific configuration only for selected users of a shared installation, by creating an empty file named winhex.user.[username] in the installation directory for every user that shall be allowed to maintain his or her individual configuration, while using a shared configuration for everyone else, e.g. using a write-protected general WinHex.cfg file with predefined settings as deemed appropriate for your organization.

  • SR-8: Ability to import hash values from current Project Vic/Hubstream ODATA JSON files.

  • SR-8: Accepts category numbers up to 9 in ODATA JSON files.

  • SR-8: Search hits in the case report could be empty or garbled depending on the Export List options for search hits. That was fixed.

  • SR-8: Fixed an exception error that occurred when running a logical search immediately after removing items from the volume snapshot.

  • SR-8: Prevents annoying, lengthy and unnecessary font cache initialization in MPlayer versions from 2015.

  • SR-8: Alternative e-mail preview: Fixed encoding error in the header representation at the bottom.

  • SR-9: Fixed an exception error that could occur in v18.7 when extracting metadata from XML files.

  • SR-9: Fixed a rare floating point exception error that could occur when dealing with timestamps in certain formats.

  • SR-9: Less false positives and fast processing of full file encryption test.

  • SR-9: BLOBs (binary data chunks) are now also optionally provided as child objects for SQLite database of an unknown purpose/subtype.

  • SR-10: Now preserves the original filename extension when naming original single .eml files after their subject lines.

  • SR-10: Support for .evtx event log files larger than 2 GB.

  • SR-10: Fixed problems with PhotoDNA hash databases that contain no hash values.

  • SR-10: Fixed output of Boolean values in BPLists.

  • SR-10: More stable when processing corrupt BPList files.

  • SR-10: Prevents occurrence of zeroed out primary hashes in volume snapshots in certain situations.

Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde


#149: X-Ways Forensics, X-Ways Investigator, WinHex 18.7 released

Jan 27, 2016

This  mailing is to announce the release of another notable update with many useful improvements, v18.7.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.

Upcoming Training

Austin, TX area, Feb 22-Mar 1
London, England, Feb 29-Mar 3
London, England, Mar 15-23
Washington DC area, Apr 5-8
Southern California, Apr 11-19
Miami, FL, May 23-27
Ottawa, Canada, May 24-27, 2016
Halifax, Canada, May 30-Jun 3, 2016
Kingston, Canada, June 6-10, 2016
London, England, Jun 14-17

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.

What's new in v18.7?
(please note that most changes affect X-Ways Forensics only)

File Format Support

  • Revised hiberfil.sys support for 64-bit Windows.

  • hiberfil.sys slack (compressed data from previous usage of a hiberfil.sys file, as found near the end, if the last usage achieved stronger compression than the previous usage) is now automatically extracted and decompressed as part of "Uncover embedded data in various file types" and provided as a child object in its decompressed form.

  • Accuracy of file type verification further improved. Fewer file types with generic extensions are now unnecessarily marked as "newly identified", but confirmed if the full filename is appropriate for the file type.

  • Verification of many more file types supported. In total the file type verification can now recognize more than 3,000 file types.

  • File carving methods implemented for .cwm (screen capture videos) and Windows 8's .accountpicture-ms files. .accountpicture-ms files are now by default targeted for uncovering embedded files.

  • Type verification supported for .thumbdata3 files (Android files that are found for example on SD cards).

  • E-mail extraction adjusted in such a way that certain Base64-encoded e-mails are shown correctly by external programs after Recover/Copy.

  • Support for certain old Outlook PST e-mail archives with previously unsupported text encoding. Requires that you select the correct regional ANSI code page in the case properties and check the unlabelled box next to it, the one that has a tooltip saying "Assume this code page in Outlook PST".

  • If e-mail messages have a Sender: line in addition to a From: line, then the sender according to the Sender: line is now shown in the Sender column of the directory browser additionally, after the From: sender, if actually different. They are delimited by spaces and a pipe (|). For example, an English language MS Outlook shows such e-mails as having been sent "on behalf of" someone else (by the Sender: sender on behalf of the From: sender). You can filter for such e-mails by entering a pipe as a substring for the Sender column. Analogously, different kinds of recipients ( To:, Cc:, and Bcc: ) are now delimited by pipes in the Recipient column.

  • Fixed a potential exception error that could occur when processing damaged OLE2 compound files.

  • Prevents crashes when dealing with certain EDB databases.

Picture Support

  • Gallery screen space is now much better utilized as thumbnails are no longer forced to be squares. You can now specify your preferred thumbnail width and height separately, in the Options | Viewer Programs dialog. The specified dimensions will be dynamically adjusted (increased) to best fill the available screen space without partial thumbnails being visible. Since most photos and practically all videos are shot in landscape format, you may want to select width and height accordingly (width larger than height) when viewing pictures. Document thumbnails can often be freely adjusted to any rectangle shape, for example those representing word processing documents or spreadsheets, but not presentations. For most documents other than presentations, portrait format feels like a more natural way of representation. The aspect ratio of the width and height that you specify is displayed in the options dialog to quickly give you a rough idea how compatible the measures will be with ordinary photos, videos or documents.

  • Previews and views of pictures (with the internal graphics library, not the viewer component) now additionally show the names of associated report tables in the upper left corner and the names of matching PhotoDNA categories in the lower right corner.

  • As part of the volume snapshot refinement, X-Ways Forensics can generate thumbnails of high-quality digital photos to accelerate the gallery. It is now possible to select the resolution (maximum width or height in pixels) and quality (JPEG compression factor) in the user interface. However, the maximum amount of data that can be stored in the volume snapshot for a thumbnail is limited, to 64 KB, so if a generated thumbnail gets larger than that, X-Ways Forensics will automatically reduce the user-defined resolution accordingly.

  • New internal report table for animated PNG pictures.

  • Extraction of embedded data in PNG files (e.g. GIF pictures) supported.

  • New internal report table for PNG pictures that are likely mobile device screenshots. That assumption is based solely on typical smartphone screen resolutions. Useful in case such screenshots do not have the typical filenames (if they were carved, received via apps, copied to other media and renamed by the user, or takes by certain apps and stored in the cache of that app).

  • Fixed slight and rare inaccuracy in the representation of GeoTagging coordinates of JPEG files.

Video Processing

  • A new context menu command has been introduced to extract all frames specifically from a defined section of a selected video. Useful if a certain part of a video is of high interest and you need to carefully check visual details in certain frames or include them in the report. You can specify how many consecutive frames to extract and starting from which second. The number of frames that you need to cover a certain period of time can be deducted from the frame rate as shown in the Metadata cell (fps = frames per second). Please note that the start second may be interpreted very roughly only, depending on the frequency of keyframes (a.k.a. I-frames in MPEG) in the video. MPlayer can seek into a video file only based on keyframes. If for example a certain video file contains keyframes only every 4 seconds for example, then the start second of the extraction may be off by up to 4 seconds. Keep this in mind when you enter the number of frames that you need or the start second. That is, to be on the safe side, extract more frames than you may actually need and perhaps from an earlier start second.

    The frames are saved as JPEG files in a directory of your choice on your own drive, where you can review them outside of X-Ways Forensics. If you like, you can of course attach the most relevant frames to the original video file in the volume snapshot as child objects. The frames are not stored within the volume snapshot by default so that the size of the volume snapshot does not unreasonably inflate with potentially mostly irrelevant and redundant pictures. If the output directory already contains extracted frames, files with identical relative frame numbers will be overwritten. Relative frame numbers always start with 00000001 for each extraction and increment with each frame. You may adjust the JPEG compression if necessary for stronger compression or better quality. (Of course you usually cannot expect a very good quality because videos are typically highly compressed already.) The volume snapshot refinement operation to produce representative still images from videos (sporadically, in certain larger intervals) has been renamed to point out the difference from the new context menu command for exhaustive frame extraction.

  • More metadata is now extracted from videos when exporting stills, usually coding/compression format, resolution, bits per pixel, frames per second, data rate per second for video data.

  • A new 64-bit edition of MPlayer from 2015 is now downloadable from the web server in addition to the 32-bit edition from 2014. The only video extraction program supported is now MPlayer.

File System Support

  • Enhanced Attr. filter settings for Unix style file permissions. You can now filter for any of the 9+3 bits specifically and combine them with OR, AND, or EQUAL. EQUAL requires a status of all 12 bits exactly as selected (whether set or not set). AND means you require ALL of the checked bits to be set, but don't care about the others. OR means you are satisfied already if ANY of the checked bits is set. SUID and SGID bits can now be combined with a logical OR or AND as well (previously they were always OR'ed). Please remember that if you are interested in directories with the sticky bit, you will need to include directories when exploring recursively and apply filters to directories, too (not the default setting). Please note that the logical operator for permissions should not be usually set to EQUAL because that will result in active filtering for permissions even if no permission bits are selected in the dialog box at all, unlike the OR or AND operators. EQUAL with no permission bits selected means to filter for files that have no permission bits set or files whose permissions are unknown.

  • iNode* files (indirect node files) in HFS+ now point to one of their hardlinked counterparts as a "related item" in the volume snapshot, so that it is very convenient to locate at least one of those hardlinks and see the actual use and location of the file. To find other hardlinks for the same iNode* file, you can for example sort by the column "1st sector".

  • HFS and HFS+ resource forks are now presented as child objects, analogously to alternate data streams and extended attributes in NTFS.

  • Attribute filter for resource forks added.

  • Loose $MFT files can now be directly and conveniently interpreted as if they were NTFS volumes, to get at least a full listing of all files and directories, with their paths, timestamps and attributes. It's possible to open resident files (files whose contents is small enough to fit into the FILE records), but no other files, of course. Useful if in special situations all you have is the $MFT, not the entire volume. Also useful for example for $MFTs from volume shadow copies.

  • Option to omit additional hard links for the same file in NTFS/HFS+ from volume snapshot refinement just as from logical searches previously, to save time and reduce the number of redundant identical child objects etc. This can make a big difference on partitions with Windows installations that have a lot of hard links and HFS+ partitions with Mac OS X Time Machine. Which hard links are considered the "additional" hard links internally can be seen in the "Link count" column as before (gray number means to be omitted) and now also in the Description column, which identifies all hard links (i.e. files with a hard link count of 2 or more) and the additional ones in particular textually. The hard link that is not marked as "optionally omitted" in the Description column is considered the "main" hard link internally.

  • Rename events from $J and fragments thereof are now output to the event list.

  • Files with only partially initialized contents (valid data length < logical file size) are now marked in the Attr. column with the # sign, and an explanation of the # sign can be found in the legend.

  • In newly refined volume snapshots, the "1st sector" column now points out that certain figures are approximate, for example for embedded files, using gray color and a tilde.

  • When clicking a file in Partition/Volume mode, the jump to the start of the data of certain files is now more precise, for example for resident files in NTFS it leads directly to the body of the 0x80 attribute and for certain embedded files directly to the start of the data. Sorting by the "1st sector" column reflects the physical start location of files more precisely now for certain unaligned files.

  • Finds more sessions of multi-session CDs/DVDs with CDFS immediately, without having to run a particularly thorough file system data structure search.

  • Avoids session duplication on CDs/DVDs with CDFS where additional sessions are found only through a particularly thorough file system data structure search.

Disk & Image Support

  • Tentative support for older VirtualBox VDI virtual disk images from Sun Microsystems.

  • Prevented an error that could occur in simultaneous computation of two hashes when imaging media in very special configurations that involve a specific hardware write blocker model and Windows version. The data in the images was OK anyway.

  • Reports the total number of unreadable sectors in the disk imaging log in addition to the affected sector ranges.

  • Imaging now aborts after media disconnect error.

Case & Report Settings

  • Smaller versions of pictures can now optionally be generated specifically for the report, to greatly reduce the memory requirements of the Internet browser or word processing application when loading the HTML report, and to accelerate loading. This can make a big difference for reports with many high-resolution photos. The JPEG compression factor is user-definable. The resolution depends on the specified "maximum dimensions of pictures".

    The checkbox that represents this option is a 3-state checkbox. If half checked, the smaller versions of the pictures are used only for the preview directly in the HTML report. If fully checked, even when clicking the picture in the report you will only see the smaller version, and the original larger file is not included in the report at all. This can be beneficial if your main concern is the drive space requirement of your report with linked files, not the output quality of pictures.

  • The report can now optionally also show previews/thumbnails of non-picture files, e.g. Office documents, e-mails, web pages, programming source code, etc. etc., similar to the gallery. You can shrink the preview representation slightly or a lot or not at all, to either be able to read some of the text right in the report without opening the document or to get a better impression of the overall formatting of the text and just see logos etc.

  • If you output one specific report table in the case report, the suggested report name is now automatically based on the name of that report table.

  • In the properties of a case you can now specify whether you prefer to have X-Ways Forensics use the case-specific directory of temporary files (the _temp subdirectory of that case) instead of the general one, when that case is active.

  • Purely physical user search hits (defined in Disk/Partition mode, not File mode) can now also be output in the report, in the section about the evidence object to which it belongs. File-related search hits are still output in the report table section about that file along with all the selected metadata. If the file that a search hit selected for the report belongs to is not output with a report table, the search hit can now be seen in the section about the evidence object.

  • Option to output incrementing numbers in the case report, for each item in a report table, to uniquely identify a file in that report.

User Interface

  • All edit boxes throughout the program (except for password edit boxes and column width boxes) now remember a history of up to 10 last entries. The history can be seen when clicking the tiny button that appears in an edit box for which a history is available. Alternatively, you can press the F4 key just like in a normal drop-down box (combo box). If you select a previous entry from the pop-up menu, it will be inserted into the edit box automatically. Users who wish to delete these histories or pass them on to others, please be advised that they are stored in the file History.dat when the program is ended. If you do not wish to keep histories between sessions, you can create an empty file named History.dat yourself and render it read-only.

  • A new keyboard shortcut, Shift+Ctrl+Del, allows to remove matches with ordinary hash sets, FuzZyDoc hash sets, and PhotoDNA categories from selected files in the volume snapshot, which even if the hash sets are deleted from the hash database are not discarded otherwise.

  • Pressing Ctrl+C in the directory browser now copies the textual data of the selected items into the clipboard, with the same notation as in the directory browser itself, otherwise similar to the Export List command.

  • The colors of tag marks (if they are not represented by check marks) are now slightly different, and they are now user-definable in Options | Directory Browser. Useful for example if you prefer stronger colors or if the default colors conflict with pictures that you are viewing in the gallery (e.g. many outdoor photos with blue sky at the top). If you liked the slightly more unobstrusive colors of previous versions, you can get them back manually: Color 1 = RGB 225, 225, 255 (for the upper left corner) and Color 2 = RGB 163, 163, 255 (for the lower right corner).

  • The colors that mark files as already viewed are now user-definable as well, via Options | Viewer Programs | Keep track of viewed files | .... If you liked the colors of previous versions, you can get them back manually: Color 1 = RGB 233, 225, 223 (for the upper left corner) and Color 2 = RGB 145, 250, 103 (for the lower right corner). In v18.7 they have been simply swapped.

Search Functions

  • The "1 hit per file needed only" option of the logical simultaneous search now no longer skips the slack of a file once a hit in the logical part has been found if "Open and search files incl. slack" is fully checked. It will check the slack for at most 1 additional hit as well.

  • Lists purely physical user search hits in the case root window, even if in that window you cannot navigate to the sector contents by clicking the search hits.

  • There is now an option to limit the search for lost partitions on physical media to the sectors that follow the current cursor position.

  • Fixed misinterpretation of literally specified # character in square bracket sets in GREP expressions.

  • Prevents overlapping GREP search hits in directory browser cells.


  • When excluding duplicates based on hash value or name, X-Ways Forensics now prefers to keep the copy whose owner is known.

  • Recover/Copy and Create Report now even name embedded .eml files after their unique ID if the corresponding option is selected.

  • Lifted internal limitation on the amount of data extracted from files per volume snapshot (previously 1 TB). Volume snapshots saved by v18.7 cannot be opened in v18.6 and earlier any more.

  • Larger files can now be attached to the volume snapshot.

  • For the record presentation of the hex editor, records are now numbered starting with 0 instead of 1 by default. 1-based record numbers are still available optionally. The record size is now specified in hexadecimal if hexadecimal offsets are active in the user interface.

  • New X-Tension API function GetEvObj().

  • Ability to convert assigned hash sets to report table associations, in the dialog window for report table associations, where you can also convert contained search terms to report table associations. This can be useful for example if you wish to recreate your hash database from scratch or delete your hash database, and do not only wish to preserve the hash category of known files in the volume snapshot, but also the exact matching hash set names. Also useful if you wish to add files to an evidence file container and wish to let the recipient know the original hash set matches, not only the hash category. These auxiliary report tables are highlighted in a different color to distinguish them from 1) ordinary user-created report tables, 2) internally created report tables that make the user aware of something special, and 3) search term based report tables. Associations with hash set based report tables can also be created on the fly when copying files to an evidence file container.

  • Including comments and/or report table associations of files in an evidence file container is now optional for each copy action and does not have to be decided up front once and for all when creating the container.

  • The main executable files are now digitally signed.

  • Windows 10 is now officially a supported platform.

  • Many minor improvements.

  • Some minor fixes.

  • Program help and user manual updated for v18.7.

Changes of service releases of v18.6

  • SR-1: Improved FuzZyDoc matching results for PDF documents.

  • SR-1: Time zone awareness of timestamps now defined on a per-file basis in exFAT.

  • SR-1: Ability to find the virtual allocation table of virtual UDF partitions on certain non-standard (incomplete) disk images as produced by other software.

  • SR-1: Fixed an exception error that occurred in v18.6 when carving files in a data window that represents a single file with no volume snapshot and no directory browser.

  • SR-1: Fixed effect of unselected "List internal file system files" option for files in archives.

  • SR-1: Fixed unsuccessful conversion of certain Base64 code.

  • SR-1: Prevented an extremely rare exception error that could occur when matching hash values against the hash database.

  • SR-2: Fixed inability of X-Ways Imager 18.6 to image disks.

  • SR-3: Fixed occasional incomplete extraction of embedded JPEGs in PDF documents.

  • SR-3: Fixed potential time zone information error in the properties of evidence objects with a Windows installation.

  • SR-3: Fixed an exception error that could occur with certain corrupt Zoom Browser files (Canon).

  • SR-4: Fixed time zone conversion in the second column of previews of certain index.dat files.

  • SR-4: Fixed occasional incomplete exclusion of duplicates based on hash values.

  • SR-4: Deduplication of multiple very similar PhotoDNA hash values now even when importing them into an empty (newly created) PhotoDNA hash database.

  • SR-4: Since v18.6, if a new PhotoDNA hash value is close enough to be considered a match for an existing one, but different enough to warrant a separate entry in the PhotoDNA hash database, the existing entry is updated and the new one added. This double entry previously did not happen if both similar hash values were added during the same import operation, but now does.

  • SR-5: Fixed size detection of Ext* partitions larger than 2^32 blocks in situations where they are not referenced by any partition table.

  • SR-5: Fixed memory leak in HFS file system support.

  • SR-5: Fixed inability to deactivate all filters with a single mouse click in SR-4.

  • SR-6: Fixed an exception and instability error that could occur when extracting metadata from certain documents in OLE2 format.

  • SR-6: In Ext4 file systems, some very rare files with uninitialized parts were previously read with partially incorrect data. That was fixed.

  • SR-6: Fixed parsing of FAT32 file systems with cluster sizes of 128 KB or more in X-Ways Forensics.

  • SR-6: Ability to show rough pixel counts for pictures that have PhotoDNA database matches.

  • SR-6: investigator.ini options related to the new Description filter did not work in v18.6. That was fixed.

  • SR-7: Fixed a rare exception error that could occur when generating HTML previews of files of certain types.

  • SR-7: Fixed potential inability to select thumbnails in the gallery while viewing pictures with the viewer component.

  • SR-7: Improved stability for processing of SQLite databases.

  • SR-7: Improved imaging behavior after media disconnect error.

  • SR-7: Prevented way around investigator.ini option +51 in v18.6.

  • SR-8: Fixed potential incomplete listing of partitions in the directory browser when more than one partition was semi-automatically detected starting from the sector pointed at by the user.

  • SR-8: Fixed an error that could occur when reading from partitions with a file system based on a sector size different from the sector size of the physical disk.

  • SR-8: Fixed incorrectly displayed file size for huge files in UDF file systems.

  • SR-8: Fixed a rare error in symlink resolving.

Loss of Dongles

There are still a few customers who ask about a replacement for lost dongles even if their dongles were not insured, although we and the X-Ways Forensics software itself have confirmed over and over again that we do not offer replacements for lost dongles if not insured, because these dongles can still be used to unlock the software, by whoever, even by yourself it the dongles show up again. With immediate effect, we will ignore requests for dongle replacements if no insurance was in place. We provide only 1 dongle per license, not as many dongles as customers would like to have.

Viewer Component

Oracle has provided a "critical patch update" for v8.5.2 of the viewer component. The updated version is downloadable from our web server. It is probably recommendable for security reasons.

Oracle's description of the patch update as always claims to have information about what was fixed, but doesn't:

What this Update Fixes:
January 2016 Critical Patch Update for Outside In
This patch is cumulative with all previous Outside In 8.5.2 Critical Patch Updates

A 3rd party web page describes the fixed security issue as follows: "A local user can exploit a flaw in the Oracle Outside In Technology Outside In Filters component to cause partial denial of service conditions." The only file that has actually changed is sccfnt.dll. That file is responsible for fonts.

Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde


> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <