#143a: X-Ways Forensics 18.1
Jan 27, 2015
This mailing is to announce various company
news and the release of a beta version of X-Ways Forensics 18.1,
with many interesting improvements. v18.1 Beta is only available
for X-Ways Forensics. Note that all Preview and Beta versions
expire after some time! The next newsletter issue will notify
you when v18.1 is officially released, and at that time v18.1
will also be available as WinHex (for users with a personal,
professional or specialist license) as well as X-Ways
Investigator and X-Ways Imager.
Users of X-Ways Forensics please go to
for download links, the latest log-in data, details about their update
maintenance, etc. Licensed users whose update maintenance has expired can
receive upgrade offers from there.
Please be reminded that if you are generally interested in receiving information about
service releases, preview and beta versions when they become available, you can find those in
Announcement section of the
and (with active update maintenance) can subscribe to them, too, by creating
a forum profile.
Washington DC, Feb 24-Mar 4, 2015 (first
delivery of the advanced course in the US!)
London, England, Mar 24-Apr 1, 2015
Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-31, 2015
ON, Jun 1-5, 2015
Please send e-mail
if you would like to be kept up to date on classes in the USA, Europe, or
Miscellaneous News/Policy Improvements
The value of the Euro is currently very low compared
to most other currencies. If you reside outside of the Euro zone, please
be advised that now is a great time to buy licenses! Prices are much lower
than usual. Should you decide to order online, you will see that all
major currencies are offered. However, you may want to pay in Euros, as
your bank or credit card provider will probably be able to give you a
better exchange rate.
We have recently updated our loyalty reward program.
There are now two tiers, Silver and
Gold, instead of just one, and it is easier to
reach a status than during all the years before, and there are more very
practical benefits to be gained. All details
insurance against theft (not merely loss), if you have insured your
dongle with a version before v18.0, please uninsure your dongle and
immediately re-insure it with v18.0 or later. v18.0 and later allow you to register
at least one e-mail address for your dongle when you top it up for the first
time. This is potentially important as it will prevent clever thieves from uninsuring a stolen dongle
before you may have a chance to report it as lost/stolen. Only the owners of
the registered e-mail addresses can uninsure insured dongles, if any
e-mail address is registered.
It is now possible to renew non-perpetual (temporary)
licenses at a discount at any time after such licenses have expired, by 1 year
starting from the renewal date,
or already 2 months in advance, by 1 whole year as well counted from the
end of the current license term.
Temporary licenses are now available on a daily
basis as well. Those come in handy if you have a need to run the
software on more computers at the same time than usual, such as for
training purposes or if you wish to parallelize processing (keyword
searches, volume snapshot refinements) with X-Ways Forensics using
multiple instances on multiple computers of an unusually large or urgent
Useful and cost-effective also when conducting triage on a large
number of computers on site, i.e. where you have to quickly verify using
special methods (keyword search, filename filter, skin tone computation
on 10% of all pictures, ...) whether or not there is potential evidence
on a computer, and depending on the result decide to acquire all its
data on site or take the hardware away or just leave the computer alone.
1 day usage refers to a whole calendar day (24 hours) in your time zone. Very
cost-effective if you need many additional licenses for just a short
time or very rarely.
All licensing terminology explained
What's new in v18.1?
(please note that most changes affect
X-Ways Forensics only)
Support for Windows 10 (Technical Preview) as a
Improved scaling of various elements of the user
interface with high DPI settings in Windows, especially directory
browser and case tree icons, center screen buttons, the status bar, tag
squares, sort arrows. Several toolbar and menu icons have been revised.
In particular, almost all icons are now available in high resolution for
high DPI settings. File and directory icons have been revised as well
and are now more consistent between directory tree and the directory
browser. New icons are now shown to represent pictures, e-mails, and
miscellaneous Outlook data. Considerably improved support for larger
font sizes in the hex editor display and in character tables. These
improvements are important especially for high resolution displays (4K
or 5K displays, such as the Retina displays of recent Mac computers) and
users with below average eyesight.
Now up to 2 alter egos of the same user may open the
same case at the same time. Some users might find this useful for
parallelized simultaneous volume snapshot refinement of different
evidence objects in the same case on the same computer.
A new gallery option allows you to tag a file by clicking
anywhere in the thumbnail, not just in the tag square. That makes it
more convenient to tag a large number of files, and is more comfortable
than selecting multiple files while holding the Ctrl key.
It is now easier to use CSS (cascading style sheets)
for case report format definitions. In addition to defining the
parameters for standard HTML elements (which would have been possible
previously already), key elements of the report are now assigned "class"
parameters to simplify targeting those for formatting purposes. Example
style sheets are available to use as a basis for further modification.
The report options allow picking or editing a CSS.txt as part of the
Two new case report options have been added. "Name
output files after unique ID" will ensure filenames that are succinct,
unique, trackable and reproducible, and will also ensure that if the
same file is associated with multiple report tables, it will be copied
to the report subdirectory only once. That saves time and drive space.
"List each file only once" is a 3-state checkbox. If fully checked, no
file will be referenced in the report by more than one report table any
more. Note that you can still see all report table associations of a
file when it is listed in its first report table in the report, if you
output the field "Report table". If the checkbox is half-checked, that
means that a file will still be referenced (listed) by multiple report
tables in the report if it has multiple associations, but copied only
once and linked only from the first report table.
Option to fill the block hash database with 1 hash
set per file for multiple selected files, unlike previous versions,
which created 1 hash set spanning all selected files.
Support for Project VIC JSON files format 1.1.
Ability to maintain 2 hash values per evidence
object. Ability to import 2 hash values from .e01 evidence files
produced by X-Ways Forensics or X-Ways Imager.
Support for the hash types Tiger128, Tiger160, and
Support for Tiger Tree Hashes (TTH). Useful for
investigations that involve Direct Connect P2P file sharing programs.
Base32 notation for TTH can be enabled in the directory browser options.
The search term list now offers a "Max. 1" option
when multiple search terms are selected that are not forced with a + or
excluded with a -. "Max. 1" will list search hits only if they are
contained in files that do not contain any of the other selected search
terms. For example for 3 search terms, to get the same results in
previous versions, you would have had to list search hits for search
term A while excluding B and C, then list search hits for B while
excluding A and C, and then list search hits for C while excluding A and
B, which of course is not as elegant and does not show you all such
singular search hits at the same time.
The search term list now offers a "NOT NEAR" option
(abbreviated NTNR) in addition to "NEAR". With 2 selected search terms,
NTNR will ensure that only search hits are listed that are not located
in the vicinity of any search hits of the respective other search term. With
more than 2 selected search terms, the result is currently undefined.
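The "Max. 1" and "NOT NEAR" filters described above, sketched as an added example (not X-Ways code). The hit tuples, the function names and the 64-byte vicinity window are assumptions made for illustration; the newsletter does not state how large the vicinity is.

```python
from collections import defaultdict

# Constructed sample hits: (file_id, search_term, byte_offset).
HITS = [
    (1, "invoice", 100), (1, "offshore", 140),
    (2, "invoice", 5000),
    (3, "offshore", 20), (3, "invoice", 9000),
    (4, "passport", 64),
]

def max_one(hits, selected):
    """Keep hits only in files that contain exactly one of the selected terms."""
    terms_per_file = defaultdict(set)
    for file_id, term, _ in hits:
        if term in selected:
            terms_per_file[file_id].add(term)
    return [h for h in hits
            if h[1] in selected and len(terms_per_file[h[0]]) == 1]

def not_near(hits, term_a, term_b, window=64):
    """Keep hits of either term that have no hit of the other term within
    `window` bytes in the same file. The window size is an assumption, and
    distance is measured between hit start offsets only."""
    offsets = defaultdict(list)  # (file_id, term) -> list of offsets
    for file_id, term, off in hits:
        offsets[(file_id, term)].append(off)
    other = {term_a: term_b, term_b: term_a}
    kept = []
    for file_id, term, off in hits:
        if term not in other:
            continue  # NTNR is only defined here for the two chosen terms
        rivals = offsets[(file_id, other[term])]
        if all(abs(off - r) > window for r in rivals):
            kept.append((file_id, term, off))
    return kept

if __name__ == "__main__":
    print(max_one(HITS, {"invoice", "offshore", "passport"}))
    print(not_near(HITS, "invoice", "offshore"))
```

A single pass with "Max. 1" replaces the three separate A-not-B-not-C listings that earlier versions required.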
Minor fix in the HTML code of search hit exports.
File Type Support
File type verification revised.
Category order revised (based on typical frequency).
New file carving method for Quickbooks .qbw files.
.evtx event log processing slightly revised.
Support for the updated database format of the Chrome
history. Support for Opera browsing history since version 15.0 (the
switch to the Chromium engine).
Nicer names for files that are extracted from Google
Special carving support for EDB (ESE) log files
(.edblog). These log files are forensically relevant in that Microsoft
stores more and more internal data about EDB databases in these files.
The log files record and keep the complete data that is added to a
database at a certain point, until it is eventually deleted in the log
file. Typically, multiple such log files can be recovered from Windows
systems, and search hits in such a log file are more meaningful than in
ordinary free space. Metadata is also extracted from these log files.
Better support for the CAB file format family, which
includes Windows Installer files (less interesting), Windows Cabinet
(more interesting, may contain e-mails) and Microsoft OneNote packages
(also more interesting).
Additional information provided to X-Tensions via the
New X-Tension function XWF_GetEvent, which retrieves
information about an event in the internal event list of an evidence
X-Tension functions XWF_GetReportTableInfo and
When imaging media with active compression, X-Ways
Forensics now provides immediate visual feedback about the actual amount
of data found on the disk. That is possible because disk areas that were
never written as well as disk areas that were wiped achieve extremely
high compression ratios. The rolling compression ratio is represented
during imaging by vertical bars in a separate window. The higher the
bar, the lower the "data density" in that area. The compression
statistics are also stored in the .e01 evidence file, so that the same
chart is also available at any later time from the evidence object
properties dialog when you click the "Compression" button.
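Why a rolling compression ratio exposes never-written and wiped areas, shown as an added example (not X-Ways code). It deflates a constructed five-chunk "disk" with zlib; the 64 KiB chunk size, the threshold of 50 and all function names are assumptions made for illustration.

```python
import random
import zlib

CHUNK = 64 * 1024  # bytes represented by one bar; an assumed granularity

def build_sample_image():
    """Constructed 'disk': never-written, used, wiped, used, never-written."""
    rng = random.Random(1)

    def used():
        # Stand-in for real file data: high-entropy bytes that barely compress.
        return bytes(rng.getrandbits(8) for _ in range(CHUNK))

    return b"".join([
        bytes(CHUNK),        # never written (all zeros)
        used(),
        b"\xff" * CHUNK,     # wiped with a fixed pattern
        used(),
        bytes(CHUNK),
    ])

def rolling_ratios(image, chunk=CHUNK):
    """Compression ratio (raw size / deflated size) for each chunk."""
    ratios = []
    for start in range(0, len(image), chunk):
        block = image[start:start + chunk]
        ratios.append(len(block) / len(zlib.compress(block, 6)))
    return ratios

def low_density_chunks(ratios, threshold=50.0):
    """Indexes of chunks that compress so well they hold little or no data."""
    return [i for i, r in enumerate(ratios) if r >= threshold]

def render_bars(ratios, height=8):
    """Text chart: taller bar = higher ratio = lower data density."""
    top = max(ratios)
    return ["#" * max(1, round(height * r / top)) for r in ratios]

if __name__ == "__main__":
    ratios = rolling_ratios(build_sample_image())
    for i, (r, bar) in enumerate(zip(ratios, render_bars(ratios))):
        print(f"chunk {i}: ratio {r:8.1f} {bar}")
```

A wiped region and a never-written region look the same in this chart, so a tall bar shows only that an area holds little data, not why.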
The option "Name output files after unique ID" in
Recover/Copy is now available also when recreating complete or partial
original paths in the output directory. It is now a 3-state checkbox. If
half checked, the files will not be named purely after the unique ID
(+extension) any more. Instead, the unique ID will be inserted between
base filename and filename extension.
Ability to "include" all items in all open evidence
objects in the directory browser options dialog of a recursively
explored case root window.
Specialist | Refine Volume Snapshot now shows the
size of extracted metadata and comments in memory and allows you to discard
extracted metadata if necessary, to reduce main memory requirements. Now
supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB
Changes of service releases of v18.0:
SR-1: An exception error was fixed that could occur
when using X-Ways Forensics without a second file hash database.
SR-2: Support for some additional TIFF subtypes for
SR-2: Certain unsupported TIFF subtypes are now dealt
with more properly in that PhotoDNA matching and potentially also skin
color detection are not attempted any more if futile, and a question
mark is output instead.
SR-2: Fix for certain variants of FAT12.
SR-3: Support for relative paths when using the
PhotoDNA hash database.
SR-3: Extraction of EXIF metadata from .wav files.
SR-3: Internal timestamps from JPEG files written by
recent Canon camera models are now retrieved with original timezone
information and thus can be converted to the display time zone.
SR-3: Fixed a possible error that could occur when
sorting by the SC%/PhotoDNA column.
SR-3: Fixed an instability issue that could occur
with corrupt Google Chrome caches.
SR-3: Fixed an error that could occur when processing
.ieurl files extracted from Google Chrome caches.
SR-3: Fixed a crash that could occur with Windows
SR-4: Mass metadata extraction no longer slowed down
by the option "Coordinate processing by simultaneous users more
SR-4: Fixed an exception error that could occur when
using the registry viewer.
SR-4: Automatic report table associations with
duplicates did not work any more. That was fixed.
SR-5: Fixed an error that could cause crashes with
OLE2 files in v18.0 SR-4.
SR-5: v18.0 did not always match hash values against
the hash database in additional volume snapshot refinement runs. That
SR-5: Fixed an error in the X-Tension API function
SR-6: Prevents certain erroneous events with
timestamps in the year 1829.
SR-6: Fixed inability of v18.0 to extract senders and
recipients from all e-mail headers.
SR-6: Fixed inadequate handling of bad sectors in
SR-6: Fixed an exception error that could occur in
the 64-bit edition when processing Google Chrome cache files.
SR-7: Fixed an unjustified partial read error in
SR-7: Fixed potential error about lost comments
imported from evidence file containers.
SR-7: Fixed a crash that could occur when trying to
display very long search hits (e.g. produced with a GREP expression like
SR-8: Fixed an exception error that could occur when
switching to the search hit list in the Case Root window while sorting
in the directory browser was still ongoing.
SR-8: Fixed a potential crash with corrupt OLE2
SR-8: Fixed dongle errors that a few users
experienced when running multiple instances simultaneously.
SR-8: Some minor improvements and fixes.
Become a certified user of X-Ways Forensics
Professional in Evidence Recovery Techniques)
Prove your proficiency
in computer forensics in general and X-Ways Forensics in particular with our
certification program. After passing the challenging exam, you
will be part of an exclusive circle and enjoy various benefits such as
special recognition, training discounts, updated training material. For
further details, please check
Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page.
You may also follow us on
Twitter! Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
X-Ways Software Technology AG