
WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#145: X-Ways Forensics, X-Ways Investigator, WinHex 18.3 released

May 15, 2015

This mailing is to announce the release of another notable update with useful improvements, v18.3. Official release date was May 14.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Washington DC area, May 18-22, 2015
Ottawa, ON, Jun 1-5, 2015 (waiting list)
Washington DC area, Jun 8-10, 2015 (advanced X-Ways Forensics II course!)
Southern California, Aug 17-21, 2015
Toronto area, ON, Aug 24-27, 2015
Munich, Germany, Sep 14-18, 2015 (first English language training in Germany)
Largo, FL, Nov 2-6, 2015
Toronto, ON, Nov 9-10, 2015 (X-Ways Forensics II course! open for enrollment soon)

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Oracle has provided a "critical patch update" for v8.5.1 of the viewer component (Outside In). The updated version has been downloadable from our web server since April 24, 2015. Installing it is advisable for security reasons. The only two files that have changed are "ibpsd2.dll" and "vsw12.dll". The first handles PSD graphic files; the second seems to be of more general use within the viewer component.

Oracle's description:
What this Update Fixes:
April 2015 Critical Patch Update for Outside In
This is the initial Outside In Critical Patch Update for 8.5.1
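
When a vendor states that a patch touches only two files, it is worth confirming that on the installed copy rather than taking it on trust. The Python script below is an added example, not code from X-Ways or Oracle: it builds a SHA-256 manifest of a directory before and after the update and reports which files were added, removed or changed. The directory layout, the third file name and all file contents are constructed for the demonstration; only the two DLL names come from the text above.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every file below root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for block in iter(lambda: fh.read(1 << 20), b""):
                digest.update(block)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(before: dict, after: dict) -> dict:
    """Classify files as added, removed or changed between two manifests."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(name for name in common if before[name] != after[name]),
    }


def demo() -> dict:
    """Constructed before/after copies of a viewer directory. The two DLL names are
    the ones the newsletter mentions; the third name and all contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        before_dir = Path(tmp, "viewer_before")
        after_dir = Path(tmp, "viewer_after")
        original = {
            "ibpsd2.dll": b"constructed PSD filter, old build",
            "vsw12.dll": b"constructed viewer core, old build",
            "example_unchanged.dll": b"constructed, identical in both copies",
        }
        patched = dict(original)
        patched["ibpsd2.dll"] = b"constructed PSD filter, patched build"
        patched["vsw12.dll"] = b"constructed viewer core, patched build"
        for directory, files in ((before_dir, original), (after_dir, patched)):
            directory.mkdir()
            for name, content in files.items():
                (directory / name).write_bytes(content)
        return diff_manifests(build_manifest(before_dir), build_manifest(after_dir))


if __name__ == "__main__":
    print(demo())
```

Against a real installation, call build_manifest() on the viewer directory before applying the update, save the result, and diff it against a second manifest taken afterwards; anything beyond the two named DLLs in the "changed" list, or any entry under "added", deserves a closer look before the component is trusted with evidence files.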


What's new in v18.3?
(please note that most changes affect X-Ways Forensics only)

Usability

  • Conditional cell background coloring is now available as an option in Options | Directory Browser. Helps to draw your attention to items of interest without having to filter out all non-matching items. Matching items are found through a substring search in the cell contents of a selected column. Substring expressions may be up to 15 characters long. If a match is detected in a cell, either only the background of that particular cell can be colored (called "cell-targeted coloring") or the entire line. To color an entire column, regardless of the cell contents, activate cell-targeted coloring for that column and specify an empty condition string, i.e. no condition at all.

    If a cell meets multiple cell-targeted conditions or multiple line-targeted conditions, only the first condition of each group will be applied. If different conditions apply to the same cell (one cell-targeted and one line-targeted color), that cell will be shown in a mix of both colors. For line-targeted coloring, only the first 255 characters in the respective cell are guaranteed to be searched.

    Conditions cannot be defined for search-hit-specific columns, but they can be for event-specific columns. That can prove useful when trying to identify patterns in events. For example, you could color all events of type "Program started" red and log-in events yellow and see more easily how far apart from each other they are.

    Conditional cell background coloring is case-specific if "Store directory browser settings in cases" is selected. The definitions are stored in a separate .cfg file named "Conditional Coloring.cfg". They are also included in .settings files. .settings files continue to be compatible with previous versions. Up to 255 conditions may be defined.

    Some conditional color definitions for event lists that follow the SANS color scheme for activities are available for download to users of X-Ways Forensics and X-Ways Investigator (query your license status for the latest download instructions).

  • Automatic progress notifications via e-mail revised. If this feature didn't work for you in previous versions, in particular in the 64-bit edition, you may want to try again. You can now freely specify the SMTP port (by default 25, with 587 also being common) and conduct a test right from the dialog window with the settings (Options | General | Progress notification...). Remember to check your spam folder when looking for incoming automatically generated e-mail messages.

  • Larger thumbnail sizes supported in the gallery. Could be useful for users who prefer really large thumbnails and have a very high resolution display.

  • Ability to more easily print at least the cover page for file types which the viewer component does not support, for which it shows the message "The display engine for this format is not installed", e.g. Corel Draw or Wave files.

  • Ability to enable or disable the representation of a loaded viewer X-Tension in situations where it was not supported before.

  • Combined tag status now initially displayed in Name column header even in search hit lists and event lists.

  • Ability to totally remove excluded items from the volume snapshots of all the evidence objects that are included in an existing recursive exploration in the case root window, in a single step. Previously, that had to be done separately for each evidence object.

  • Automatically selecting the next item in the list after associating the current item with a report table is now optional. A 3-state checkbox allows you to do that either never or only for associations created with keyboard shortcuts or for all association methods.

  • No longer lists previously existing printers in print dialogs.

  • Chinese translation of the user interface updated.

File Type Support

  • New directory browser option to display the file type ranks in the Type status column, which also causes sorting by that column to sort by those ranks. Some new file types with ranks as high as 4 and 5 were added.

  • New file carving algorithm for sessionrestore. sessionrestore is a file type ranked 4, an essential source of information about Firefox usage aside from the cache. The new algorithm can carve fragments of sessionrestore files. That is important because few sessionrestore objects remain fully intact. Most artifacts found are typically from Facebook or webmail.

  • New carving algorithm for e-mail fragments.

  • New registry report output for remote desktop connections defined.

  • IPA file type recognition improved.

  • PNG metadata extraction updated.

  • Significantly smaller preview HTML for Windows event logs, which makes them easier to view with the viewer component. The number of processed records is listed at the bottom of the preview. Terminal Service connection events are now added to the event list with username and IP address.

  • Lists sent files in Skype chat history previews with filename and size as well as in the event list. The latter allows you to quickly filter for files that were sent or received via Skype.

  • Several more file header signatures defined for carving, among them special Base64 encodings of JPEG, PNG, PDF, OLE2.

  • Improved and more thorough carving of individual e-mail messages floating around in free space and pagefile.sys etc., with a dedicated signature definition named "E-mail fragment" and a dedicated internal algorithm. Most thorough if you employ it with the "b" flag for byte-level carving.

  • MSO files are now checked for embedded files.

  • PSPImage files (newer Paint Shop Pro pictures) are now checked for embedded thumbnails by default.

  • Two separate file masks are now maintained for uncovering embedded data in various file types, for reasons of convenience. The second mask is optional and labelled as "special interest". For example, malware investigators may process executable files that way when needed.

Hash Database

  • Ability to create multiple hash sets in a single step, where the hash values of the selected files are put into hash sets that are named after each file's report table association(s). This is useful if you categorize notable files in one case using report tables (e.g. based on different types of CP), and wish to quickly identify the same files again in other cases later, and automatically see the category that you had originally assigned, as the hash set name. The new checkbox in the Create Hash Set command's dialog window is labelled "Name after report table associations, if any". If a selected file does not have any report table association, its hash value will be assigned to the hash set named as you specify, as in previous versions or as if you do not check the new checkbox.

  • Including child objects of selected files when creating hash sets is now optional.

  • Hash set filter considerably accelerated for volume snapshots with a huge number of hash set matches. Previous versions will not be able to load hash set matches saved by v18.3 and later any more.

  • Child objects of files now inherit the hash category "irrelevant" from their parents. That is possible because if an entire file is irrelevant, everything that can be extracted from that file must also be irrelevant. However, what is extracted from a "notable" file is not necessarily also notable, because perhaps only some parts or aspects of the parent file are notable. Of course, child objects of irrelevant parents will only be output if the user chooses to not omit irrelevant files from further processing in the first place.

  • Ability to import PhotoDNA hash values that are stored in text files, with "PhotoDNA" in the first line, followed by 1 hash value per line in hex ASCII or Base64.

  • Option to skip a hash database altogether when matching hash values.
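
For reference, here is how the PhotoDNA import format described above can be parsed and validated. This is an added example, not X-Ways code. It assumes a PhotoDNA hash is 144 bytes long (the newsletter only specifies the file layout), which makes a hex ASCII value 288 characters and a Base64 value 192 characters, so the encoding of each line can be told apart by length alone without guessing from the alphabet. The two hash values in the sample file are constructed byte patterns, not real PhotoDNA hashes.

```python
import base64
import binascii

# Hash size is an assumption made for this example; the newsletter only
# describes the file layout ("PhotoDNA" header, one value per line).
PHOTODNA_HASH_LEN = 144
HEX_LEN = PHOTODNA_HASH_LEN * 2                              # 288 hex digits
B64_LEN = len(base64.b64encode(bytes(PHOTODNA_HASH_LEN)))   # 192 Base64 chars, no padding


class PhotoDNAImportError(ValueError):
    """Raised for a malformed header or hash line."""


def decode_hash_line(line: str) -> bytes:
    """Decode one hash given as hex ASCII or Base64; the encoding is inferred from the length."""
    s = line.strip()
    if len(s) == HEX_LEN:
        try:
            return bytes.fromhex(s)
        except ValueError as exc:
            raise PhotoDNAImportError(f"not valid hex: {s[:16]}...") from exc
    if len(s) == B64_LEN:
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise PhotoDNAImportError(f"not valid Base64: {s[:16]}...") from exc
        if len(raw) != PHOTODNA_HASH_LEN:   # padding characters inside a 192-char value shorten the result
            raise PhotoDNAImportError("Base64 value does not decode to a full hash")
        return raw
    raise PhotoDNAImportError(
        f"unexpected length {len(s)} (expected {HEX_LEN} hex or {B64_LEN} Base64 characters)")


def parse_photodna_file(text: str) -> list:
    """Parse a whole import file; returns the hash values as bytes objects."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "PhotoDNA":
        raise PhotoDNAImportError('first line must be "PhotoDNA"')
    hashes = []
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue  # blank lines are skipped here; the format description does not mention them
        try:
            hashes.append(decode_hash_line(line))
        except PhotoDNAImportError as exc:
            raise PhotoDNAImportError(f"line {lineno}: {exc}") from None
    return hashes


# Constructed sample file: one value in hex ASCII, one in Base64. The byte
# patterns are made up and are not real PhotoDNA hashes.
SAMPLE_HASH_HEX = bytes(range(PHOTODNA_HASH_LEN))
SAMPLE_HASH_B64 = bytes(range(PHOTODNA_HASH_LEN, 0, -1))
SAMPLE_FILE = "\n".join([
    "PhotoDNA",
    SAMPLE_HASH_HEX.hex(),
    base64.b64encode(SAMPLE_HASH_B64).decode("ascii"),
]) + "\n"

if __name__ == "__main__":
    for h in parse_photodna_file(SAMPLE_FILE):
        print(len(h), h[:8].hex())
```

Deciding by length rather than by character set matters because a 192-character Base64 value can, in principle, consist only of characters that are also valid hex digits; the length check removes that ambiguity.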

Searches

  • Support for GREP expressions with \unnnn in simultaneous searches, where nnnn are four hexadecimal digits that designate a certain Unicode value in human notation (big endian order). Depending on the code page(s) selected for the search, this constant Unicode character value is translated to different byte values and potentially also different numbers of bytes for the actual search. Useful for example if you are looking for strings that are null-terminated or follow a null character, where that null character is represented by a different number of bytes depending on the character set (e.g. 1 in UTF-8, 2 in UTF-16). Also useful if you know the Unicode value of a certain character that you are looking for, but cannot easily produce the character with your keyboard and cannot copy it from somewhere else.

  • Supports simultaneous searches where some search terms are to be considered case-sensitive (if prepended with "case:") and others not, at the same time.

  • The option to list 1 search hit per item only now no longer filters out search hits in slack space. This is useful because the slack of a file is typically not related to the contents of that file, so any search hits in the slack would likely have a totally different context than search hits in the logical portion of the file and thus need to be reviewed additionally. Please note that it is usually still necessary to unselect the "1 hit per item" option to separately check out search hits in conglomerates such as pagefile.sys and the virtual "Free space" file, which contain data from totally different sources. The "1 hit per item" option remains most useful for documents only, for which you can often tell after a quick look in Preview mode whether the entire file is relevant or not.

  • ?, * and {0,n} at the end of a GREP expression did not always match 0 occurrences. This error is now avoided.

  • Slightly improved availability of context previews for search hits in nested archives.
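
The two search features above (\unnnn escapes that are translated per code page, and mixing case-sensitive "case:" terms with case-insensitive ones) can be illustrated with a small byte-level implementation. The Python below is an added example and not X-Ways code; it only models the described behaviour. The code pages used (UTF-8 and UTF-16LE) and the sample buffer are chosen for the demonstration.

```python
import re


def expand_unicode_escapes(term: str) -> str:
    """Turn \\unnnn (four hex digits, human big-endian notation) into the actual character."""
    return re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), term)


def term_to_byte_pattern(term: str, codec: str, case_sensitive: bool) -> bytes:
    """Compile one search term into a byte-level regex for the given code page.

    Each character is encoded separately, so a case-insensitive term becomes a
    per-character alternation of its lower- and upper-case encodings. That also
    works for UTF-16, where re.IGNORECASE on raw bytes would not.
    """
    pieces = []
    for ch in expand_unicode_escapes(term):
        variants = {ch} if case_sensitive else {ch.lower(), ch.upper()}
        encoded = sorted({v.encode(codec) for v in variants})
        if len(encoded) == 1:
            pieces.append(re.escape(encoded[0]))
        else:
            pieces.append(b"(?:" + b"|".join(re.escape(e) for e in encoded) + b")")
    return b"".join(pieces)


def term_matches(term: str, codec: str, case_sensitive: bool, data: bytes) -> bool:
    """True if data is exactly one encoding of the term under the given code page."""
    return re.fullmatch(term_to_byte_pattern(term, codec, case_sensitive), data) is not None


def parse_search_terms(lines):
    """Terms prefixed with "case:" are case-sensitive; all others are not."""
    terms = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("case:"):
            terms.append((raw[len("case:"):], True))
        else:
            terms.append((raw, False))
    return terms


def simultaneous_search(data: bytes, terms, codecs=("utf-8", "utf-16-le")):
    """Return (offset, term, codec) for every hit of every term under every code page."""
    hits = []
    for term, case_sensitive in terms:
        for codec in codecs:
            pattern = re.compile(term_to_byte_pattern(term, codec, case_sensitive))
            for m in pattern.finditer(data):
                hits.append((m.start(), term, codec))
    return sorted(hits)


# Constructed sample buffer: a null-terminated UTF-16LE string, a null-terminated
# upper-case ASCII string, and a string that is not null-terminated at all.
SAMPLE = (
    b"\x90\x90"
    + "Password".encode("utf-16-le") + b"\x00\x00"   # offset 2, terminator is 2 bytes
    + b"junk"
    + b"PASSWORD\x00"                                 # offset 24, terminator is 1 byte
    + b"password1"                                    # offset 33, no terminator
)

if __name__ == "__main__":
    for hit in simultaneous_search(SAMPLE, parse_search_terms(["Password\\u0000"])):
        print(hit)
```

The UTF-16LE pattern for "Password\u0000" ends in two null bytes while the UTF-8 pattern ends in one, which is exactly the difference the \unnnn notation hides from the user. The unterminated "password1" is correctly not reported, and prefixing the term with "case:" drops the upper-case ASCII hit.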

Disk Image Support

  • Ability to explicitly choose a larger chunk size when creating .e01 evidence files. Might be regarded as useful by some to achieve a marginally better compression ratio for ordinary data, at the expense of more time needed when creating the image and when later randomly accessing data in the image, but improves compression noticeably for extremely compressible data (e.g. a wiped or largely unused hard disk). A 512 KB chunk size reduces the image size with ideal data (e.g. only 0x00 bytes) ceteris paribus by an additional 40% compared to a 32 KB chunk size.

  • Fixed simultaneous creation of multiple copies of an .e01 evidence file if encrypted.

  • Support for another VMDK variant.

Miscellaneous

  • Ability to specifically copy text from the text column as Unicode even when the text column is not displayed in Unicode, or specifically as ANSI-encoded text even when the text column is not displayed as ANSI ASCII, using an additional command in the Edit | Copy menu. This command is potentially important because some users are unfamiliar with fundamental computing concepts like character sets or null-terminated strings, and they think that English language text in UTF-16 (where every other byte is 0x00) is not copied correctly by WinHex/X-Ways Forensics just because a text editor or word processing program that pastes the text naturally truncates it at the first null byte. These users may now notice in the GUI that another option exists, and may decide to give it a try. Previously it was necessary to change the text column to Unicode to copy text as Unicode (in accordance with "what you see is what you get").

    For users who are unfamiliar with the concept of null-terminated strings and do not understand the implications of UTF-16 and binary data when they copy selected data as ANSI text in order to paste it as text in other Windows programs, there is now a message box with a hint when they copy data with zero-value bytes in it as ANSI text. Time and again unsuspecting users reported "WinHex does not copy the text properly", when in fact just the receiving application does not paste everything because of zero-value bytes in the copied data. The hint will hopefully stop users from blaming WinHex/X-Ways Forensics.

    Please remember that it is easy to eliminate zero-value bytes, by pasting the copied data in WinHex itself first (into a new data window, via Shift+Ins, which of course supports binary data and includes zero-value bytes as well as data that follows them) and then replacing 0x00 with spaces, line breaks or nothing, as you like. After that you could copy the data again and paste it in the target program. Another way to extract only printable characters and most likely readable text (actual words in English, German and French) from an entire data window is the Specialist | Gather Text command.

  • The internal logic of the Type filter was slightly revised, which may be noticeable for overlapping definitions (such as the full filename "pagefile.sys" in the Windows Internals category and "sys" Program Files) and when using the NOT setting.

  • Some operations such as Specialist | Refine Volume Snapshot and logical searches are now slightly faster when applied to actual disks, not images, most notably when these operations are applied to the C: drive opened as a drive letter C:.

  • Pages in the user address space of 32-bit processes that are not mapped are no longer included in Process mode when analyzing memory dumps.

  • Accepts certain non-standard FAT12 boot sectors.

  • The delimiter for default size and size detection limit in File Type Signatures Search.txt is now a forward slash, to avoid some incompatibility issues with editing in MS Excel. The colon from v18.2 SR-1 and later will still be accepted for a while if you have your own definition files that use colons already.

  • Several minor improvements and some minor fixes.

  • Program help and user manual updated for v18.3.
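
To make the copy-as-text item above concrete, the following Python is an added example, not X-Ways code. It shows what a program that treats pasted data as a null-terminated 8-bit string ends up with, the 0x00 replacement workaround described in the text, and a simplified text gatherer that pulls printable runs out of a buffer both as 8-bit text and as UTF-16LE text. The sample buffer is constructed; the gatherer does not claim to reproduce the Specialist | Gather Text command, which additionally recognises actual words in English, German and French.

```python
import re


def as_c_string_receiver(data: bytes) -> str:
    """Simulate a receiving program that treats the clipboard as a null-terminated
    8-bit string: everything from the first 0x00 onwards is silently dropped."""
    return data.split(b"\x00", 1)[0].decode("latin-1")


def strip_nulls(data: bytes, replacement: bytes = b"") -> bytes:
    """The manual workaround from the text: replace 0x00 bytes before pasting elsewhere.
    For UTF-16 English text this recovers the readable characters; for arbitrary
    binary data it merely removes the bytes that stop a paste."""
    return data.replace(b"\x00", replacement)


def gather_text(data: bytes, min_len: int = 4):
    """Extract runs of printable ASCII, both as 8-bit text and as UTF-16LE text
    (where every other byte is 0x00). Returns (offset, encoding, text) tuples."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        hits.append((m.start(), "ansi", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    return sorted(hits)


# Constructed sample: two null-terminated 8-bit strings, a UTF-16LE string
# (after a byte-order mark) and a short fragment below the minimum length.
SAMPLE_DATA = (
    b"\x01\x02"
    + b"Hello\x00World\x00"                  # offsets 2 and 8
    + b"\xff\xfe" + "Secret text".encode("utf-16-le") + b"\x00\x00"   # text at offset 16
    + b"ab\x00"
)

if __name__ == "__main__":
    print(repr(as_c_string_receiver(SAMPLE_DATA[2:])))
    print(strip_nulls("Hi".encode("utf-16-le")))
    for hit in gather_text(SAMPLE_DATA):
        print(hit)
```

The receiver keeps only "Hello" from the first string, which is the behaviour users misreport as a copy failure; the gatherer shows both 8-bit strings and the UTF-16LE string, because it treats the interleaved 0x00 bytes as part of the encoding rather than as terminators.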


Changes of service releases of v18.2

  • SR-1: Matches with deleted hash sets (which are not discarded from volume snapshots when the hash sets are marked as deleted in the hash database) are now marked in the "Hash set" column with the word "deleted" to avoid confusion and mix-ups with existing hash sets of the same name. Some users who delete hash sets from a hash database, add new hash sets, but do not match the hash values of files against the hash database again, may have been confused that they could not target files with matches using the "Hash set" column filter, which only offers existing hash sets.

  • SR-1: More likely enough space now in evidence file containers for e-mail messages with extremely long subjects, extracted sender and recipients text, comments, and report table associations.

  • SR-1: Keeps track of viewed files when viewed in the gallery only for pictures, even if non-picture files are represented in the gallery by thumbnails as well (as introduced with v18.0).

  • SR-1: Prevented erroneous "Please stop ongoing operation first." message that could occur when trying to hash files in large volume snapshots, and subsequent exception errors.

  • SR-1: Fixed an error with message "Unable to release memory" that could occur during file header signature searches.

  • SR-2: Fixed errors that occurred when dealing with medium to large hash databases. Symptoms were reports of a corrupt hash database by the integrity test (although as stored on the disk the database was not necessarily corrupt), as well as potentially some other non-specific errors. If you have altered an existing hash database in v18.2, the integrity test in v18.2 SR-2 may still report errors in the database, and in that case the errors are permanent and you would have to set up your database again. Sorry.

  • SR-2: Fixed an exception error that occurred in v18.2 when resetting items in the volume snapshot with Ctrl+Del.

  • SR-2: Fixed an instability problem that could occur when parsing certain PList files.

  • SR-2: Softened filtering for events from Windows event logs. Improved stability and responsiveness for event log processing, and sub-progress indication added.

  • SR-2: Exception error fixed that could occur when extracting metadata from .eml files.

  • SR-2: Fixed very rare type misidentification for some very small files.

  • SR-2: Fixed an exception error that could occur in v18.2 after imaging a disk before automatic verification if in Gallery mode.

  • SR-3: Fixed potential stack overflow error when dealing with certain constellations of deeply nested archives.

  • SR-3: Fixed a potential crash that could occur after running a search for several lengthy search terms with hits for many of those search terms in the same file.

  • SR-3: HTML previews of SQLite databases sometimes appeared incomplete in the 64-bit edition. That was fixed.

  • SR-3: Fixed a few rare exception errors.

  • SR-4: An error has been fixed that could lead to duplicated and very slow inclusion of previously existing files in volume snapshots of Ext2/Ext3/Ext4 file systems.

  • SR-4: Prevented possible infinite loop when processing newsgroup archives in DBX format. 


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 
#144: X-Ways Forensics, X-Ways Investigator, WinHex 18.2 released

Mar 27, 2015

This mailing is to announce the release of another notable update with useful improvements, v18.2. Official release date was March 26.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data (just changed, please do not ask), details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-May 1, 2015
Washington DC area, May 18-22, 2015
Ottawa, ON, Jun 1-5, 2015
Washington DC area, Jun 8-10, 2015
Southern California, Aug 17-21, 2015
Munich, Germany, Sep 14-18, 2015 (first English language training in Germany)
Largo, FL, Nov 2-6, 2015

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v18.2?
(please note that most changes affect X-Ways Forensics only)

File System Support

  • For the file systems Ext2/Ext3/Ext4, there is now a "Particularly thorough file system data structure search" functionality, which checks the entire volume for previously existing directory structures whose contents are no longer known from corresponding inodes (these would have been looked at as part of the regular volume snapshot already). Such directories are listed with a generic name ("Directory with ID ..."), usually in "Path unknown", but potentially in the root directory, if that is where they previously existed. (The root directory is special in this situation, as it has an unchangeable ID.)

  • Viewing support for Ext3/Ext4 journals. Our File Systems Revealed training course now also explains the Ext journal.

  • Volume shadow copy processing revised, delivering better results.

  • Improved dealing with incomplete Ext* partitions, in particular those that are part of Linux software RAIDs if not reconstructed by the user, but processed directly by themselves.

File Type Support

  • Tentative support for Exchange 2010 EDB databases. Feedback appreciated! Exchange EDB extraction generally revised.

  • Ability to specify in great detail which types of file archives and which zip subtypes should be explored to include their contents into the volume snapshot.

  • Both default and maximum file sizes for carving are now individually specified in the "File Type Signatures Search.txt" file on a per file type basis, no longer generically in the user interface. That allows for better output quality because different file types have different variances in typical file sizes (larger or smaller deviations from their respective average file size).

  • Extraction of browsing history information from Safari's icon database. This alternative source is very interesting because it records browsing history even when Safari is in private browsing mode.

  • Ability to view .DS_Store in more detail in Preview mode.

  • Slightly revised file type verification.

  • More efficient processing of solid 7zip archives.

  • Faster processing of huge numbers of original .eml and .msg files in very large volume snapshots. Volume snapshots saved by earlier releases have to be converted to a new format by v18.2 Preview 3 and later.

Usability

  • Support for up to 32 external viewer programs instead of 9. Their paths are now defined in a separate file, named Programs.txt, so that it is easier to share a collection of external programs separately, or keep them when taking over all other settings from someone else.

  • Extended support for relative paths to external programs.

  • Substring filter for the Author column.

  • Ability to copy the path of the selected key in the Registry Viewer using a new context menu command.

  • Maintains a history of the last 8 search terms used in the Registry Viewer.

  • A new button labelled "XT" is now shown when viewer X-Tensions are available (loaded), next to the "Raw" button. Allows you to conveniently change the preview to the representation provided by the first viewer X-Tension that feels responsible for the type of the selected file. Or back to the regular preview if not helpful, in both directions with a single mouse click. You may also combine Raw and XT submodes of Preview mode, for example for debugging purposes if you are programming a viewer X-Tension of your own and have it return HTML code that you wish to check in X-Ways Forensics.

  • New directory browser context menu command to exclude files based on identical names instead of identical hash values. This is a case-insensitive comparison and of course should be used only if you know what you are doing, as it does not compare the file contents at all. Could be useful for example if you wish to get rid of multiple copies of the same files found in backups if you do not need to keep different versions of these files. If prior to the comparison you sort by last modification date in descending order, for example, this will ensure that the newest version of the file will be kept and all older versions will be excluded. Files with identical names are not marked as duplicates in the Attr. column. That happens only if you identify identical files based on hash values, as in previous versions.

  • Context menu for directories in the Case Data window. Available if "More context menus" in Options | General is fully checked or if the Shift key is pressed while right-clicking a directory. Allows you to recursively explore the right-clicked directory (just like when no context menu is shown), to tag the directory recursively (just like when pressing the Space bar), to expand the directory recursively (just like when pressing the multiply key of the numeric keypad), to collapse all, to export a subtree into an ASCII text file, or to copy the entire path of that directory to the clipboard.

  • Matches with deleted hash sets (which are not discarded from volume snapshots when the hash sets are marked as deleted in the hash database) are now marked in the "Hash set" column with the word "deleted" to avoid confusion and mix-ups with existing hash sets of the same name. Some users who delete hash sets from a hash database, add new hash sets, but do not match the hash values of files against the hash database again, may have been confused that they could not target files with matches using the "Hash set" column filter, which only offers existing hash sets. (as of v18.2 SR-1)

  • Keeps track of viewed files when viewed in the gallery only for pictures, even if non-picture files are represented in the gallery by thumbnails as well, as introduced with v18.0. (as of v18.2 SR-1)

  • The Chinese translation of the user interface was updated.

Reporting

  • "Create main report" is now a 3-state checkbox in the case report options dialog. If only half checked, details about the evidence objects are not included in the case report, the evidence objects are merely listed. Evidence objects details, if included, now precede report tables in the report.

  • Links to report tables now work even if the report is optionally split into multiple HTML files, and there is a link back from each report table to the report table overview. The report is now split based on the number of items that are referenced, not based on the number of pictures that are displayed in the report. If the report is split, the next segment is now linked from the bottom of the previous segment.

  • The case log, if output along with the case report, is now a separate HTML file. If the report is saved in a directory other than the case directory and screenshots of the case log are to be included, they are now copied to the appropriate subdirectory.

  • Ability to split huge HTML and TSV exports from the directory browser into separate files.

Miscellaneous

  • Reliably preserves the PhotoDNA category of pictures, if identified, in evidence file containers, and can show it in installations whose PhotoDNA database has a category of the same name, after a volume snapshot of the container has been taken.

  • Ability to tweak CPU and memory utilization of indexing, and more conservative default values are used.

  • The virtual "Free space" file is now frozen also once it is indexed, to avoid later invalidation of index offsets.

  • Avoided garbled look of toolbar icons on systems with only 16-bit color depth (High Color).

  • Improved support for logical memory addresses in the Position Manager (previously called "virtual" memory addresses).

  • More likely enough space now in evidence file containers for e-mail messages with extremely long subjects, extracted sender and recipients text, comments, and report table associations. (as of v18.2 SR-1)

  • Prevented erroneous "Please stop ongoing operation first." message that could occur when trying to hash files in large volume snapshots, and subsequent exception errors. (as of v18.2 SR-1)

  • Fixed an error with message "Unable to release memory" that could occur during file header signature searches. (as of v18.2 SR-1)

  • Many minor improvements and fixes.

  • Program help and user manual updated for v18.2.


Changes of service releases of v18.1

  • SR-1: Processing of more zip subtypes.

  • SR-1: Fixed a rare exception error that could occur when processing MBOX files.

  • SR-1: Fixed incomplete representation of WebCacheV01.dat files in v18.1.

  • SR-1: v18.1 did not take correct volume snapshots of certain Ext3/4 partitions. That was fixed.

  • SR-1: No longer blindly adopts certain machine-specific settings from a re-used .cfg file upon start-up that made sense with different hardware only.

  • SR-2: Fixed extremely slow progress that could occur in v17.9 and later when carving MPEG files.

  • SR-2: Fixed an error that could occur under certain circumstances when processing file archives larger than 4 GB in the 64-bit edition.

  • SR-2: Fixed a crash that could occur in the 64-bit edition when extracting metadata from certain HTML files.

  • SR-2: Some minor file type verification fixes.

  • SR-2: Fixed some unnecessary error messages that were potentially output in v18.1 when searching for embedded data in OLE2 compound files.

  • SR-3: Sender and recipients now shown for e-mails that are extracted from livecomm.edb.

  • SR-3: Fixed an exception error that occurred in v18.1 when running searches in the Registry Viewer.

  • SR-3: An exception error was fixed that could occur in v18.0 and later when carving certain PDF files.

  • SR-3: Fixed an error that could lead to data corruption in remaining extracted files when removing other excluded extracted files from the volume snapshot.

  • SR-3: Fixed a memory corruption error that could occur during net free space computation.

  • SR-3: Fixed an exception error that could occur in v18.1 when taking a snapshot of certain Ext3 or Ext4 volumes.

  • SR-3: Fixed various exception errors in very specific situations and some minor errors.

  • SR-4: Fixed considerable inefficiency in dealing with very large nested file archives.

  • SR-4: Fixed an exception error that could occur when extracting metadata from Windows Registry hive fragments.

  • SR-4: Fixed code page error in Italian translation of the user interface in v18.1.

  • SR-4: Updated language.txt files for custom translation (e.g. just report generation) now available for download for v17.9, v18.0, and v18.1.

  • SR-4: X-Ways Forensics did not always remember X-Tensions listed in the dialog window from previous sessions. That was fixed.

  • SR-5: Prevented excessive memory consumption that could occur in very specific constellations when decoding text during logical searches or indexing.

  • SR-5: Fixed missing scrollbars in preview of PDF documents after non-picture files were represented in the gallery.

  • SR-5: Fixed an exception error that could occur when processing corrupt RIFF files.

  • SR-5: Prevented a possible infinite loop when processing corrupt EVT files.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, and updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany


#143b: X-Ways Forensics, X-Ways Investigator, WinHex 18.1 released

Feb 16, 2015

This mailing is to announce the release of a notable update with important improvements, v18.1.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Washington DC, Mar 2-4, 2015 (seats still available for the last 3 days!)
Canberra, Australia, Mar 16-20, 2015
London, England, Mar 24-Apr 1, 2015
Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-May 1, 2015
Washington DC area, May 18-22, 2015
Ottawa, ON, Jun 1-5, 2015
Washington DC area, Jun 8-10, 2015
Southern California, Aug 17-21, 2015

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v18.1?
(please note that most changes affect X-Ways Forensics only)

All the changes in v18.1 Beta 1 were already announced. You can find all previous newsletter issues in the newsletter archive.

Additional changes since Beta 1:

  • In newly taken Volume Snapshots of Ext3 and Ext4 file systems, X-Ways Forensics now considers the contents of these file systems' journals as alternative sources for information. This may lead to the listing of additional previously existing files, or the listing of previously existing files with contents and timestamps that were not available previously, or the identification of previous names for currently existing files (in the latter case, a note to that effect would be added to the existing file's Metadata column). Important caveat: Since Ext3/4 journaling involves copies of entire file system blocks, journal rollover will occur quite quickly on very active partitions, with the most recent entries in the journal being identical to the current state of affairs, of course.

  • Files whose representations are based on an inode in the Ext3/Ext4 journal are marked with (Jrnl) in the Attr. column. A filter for such files is available.

  • Retrieves some essential information about Windows installations, if found, from partitions or images that are added to a case, and displays them in the evidence object properties.

  • Support for Deflate64 compression in zip archives.

  • Fixed an exception error that could occur when extracting e-mails from certain MBOX e-mail archives.

  • Minor fix for and improvement of event extraction from .evtx event logs in case events had been deleted in the event log by the user.

  • Option to show pictures above the text in report tables in the case report, not below.

  • Italian translation of the user interface updated.

  • Some other minor improvements and fixes.

  • Fixed potential spill-over of sender and recipients to other e-mail fragments extracted from Windows.edb.

  • Fixed an error that could occur when processing file archives larger than 2 GB.

  • Some file type verification improvements.

  • Some minor improvements and fixes.

  • Program help and user manual updated for v18.1.


Changes in v18.0 SR-9:

  • SR-9: Fixed an exception error that could occur when automatically verifying images after creation with certain settings.

  • SR-9: Prevents alteration of report table names in certain situations when synchronizing shared analysis work.





Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#143a: X-Ways Forensics 18.1 Beta released

Jan 27, 2015

This mailing is to announce various company news and the release of a beta version of X-Ways Forensics 18.1, with many interesting improvements. v18.1 Beta is only available for X-Ways Forensics. Note that all Preview and Beta versions expire after some time! The next newsletter issue will notify you when v18.1 is officially released, and at that time v18.1 will also be available as WinHex (for users with a personal, professional or specialist license) as well as X-Ways Investigator and X-Ways Imager.

Users of X-Ways Forensics please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there.

Please be reminded that if you are generally interested in receiving information about service releases, preview and beta versions when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.


Upcoming Training

Washington DC, Feb 24-Mar 4, 2015 (first delivery of the advanced course in the US!)
London, England, Mar 24-Apr 1, 2015
Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-31, 2015
Ottawa, ON, Jun 1-5, 2015

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Miscellaneous News/Policy Improvements

  • The value of the Euro is currently very low compared to most other currencies. If you reside outside of the Euro zone, please be advised that now is a great time to buy licenses! Prices are much lower than usual. Should you decide to order online, you will see that all major currencies are offered. However, you may want to pay in Euros, as your bank or credit card provider will probably be able to give you a better exchange rate.

  • We have recently updated our loyalty reward program. There are now two tiers, Silver and Gold, instead of just one, and it is easier to reach a status than during all the years before, and there are more very practical benefits to be gained. All details here.

  • For insurance against theft (not merely loss), if you have insured your dongle with a version before v18.0, please uninsure your dongle and immediately re-insure it with v18.0 or later. v18.0 and later allow you to register at least one e-mail address for your dongle when you top it up for the first time. This is potentially important as it will prevent clever thieves from uninsuring a stolen dongle immediately, before you may have a chance to report it as lost/stolen. Only the owners of the registered e-mail addresses can uninsure insured dongles, if any e-mail address is registered.

  • It is now possible to renew non-perpetual (temporary) licenses at a discount at any time after such licenses have expired, by 1 year starting from the renewal date, or already 2 months in advance, by 1 whole year as well counted from the end of the current license term.

  • Temporary licenses are now available on a daily basis as well. Those come in handy if you need to run the software on more computers at the same time than usual, such as for training purposes or if you wish to parallelize processing (keyword searches, volume snapshot refinements) of an unusually large or urgent case with X-Ways Forensics using multiple instances on multiple computers.
    Also useful and cost-effective when conducting triage on a large number of computers on site, i.e. where you have to quickly verify using special methods (keyword search, filename filter, skin tone computation on 10% of all pictures, ...) whether or not there is potential evidence on a computer, and depending on the result decide to acquire all its data on site, take the hardware away, or just leave the computer alone. 1 day of usage refers to a whole calendar day (24 hours) in your time zone. Very cost-effective if you need many additional licenses for just a short time or very rarely.

  • All licensing terminology explained here.


What's new in v18.1?
(please note that most changes affect X-Ways Forensics only)

Usability

  • Support for Windows 10 (Technical Preview) as a platform.

  • Improved scaling of various elements of the user interface with high DPI settings in Windows, especially directory browser and case tree icons, center screen buttons, the status bar, tag squares, sort arrows. Several toolbar and menu icons have been revised. In particular, almost all icons are now available in high resolution for high DPI settings. File and directory icons have been revised as well and are now more consistent between directory tree and the directory browser. New icons are now shown to represent pictures, e-mails, and miscellaneous Outlook data. Considerably improved support for larger font sizes in the hex editor display and in character tables. These improvements are important especially for high resolution displays (4K or 5K displays, such as the Retina displays of recent Mac computers) and users with below average eyesight.

  • Now up to 2 alter egos of the same user may open the same case at the same time. Some users might find this useful for parallelized simultaneous volume snapshot refinement of different evidence objects in the same case on the same computer.

  • A new gallery option allows you to tag a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable than selecting multiple files while holding the Ctrl key.

HTML Reports

  • It is now easier to use CSS (cascading style sheets) for case report format definitions. In addition to defining the parameters for standard HTML elements (which would have been possible previously already), key elements of the report are now assigned "class" parameters to simplify targeting those for formatting purposes. Example style sheets are available to use as a basis for further modification. The report options allow picking or editing a CSS.txt as part of the reporting process.

  • Two new case report options have been added. "Name output files after unique ID" will ensure filenames that are succinct, unique, trackable and reproducible, and will also ensure that if the same file is associated with multiple report tables, it will be copied to the report subdirectory only once. That saves time and drive space. "List each file only once" is a 3-state checkbox. If fully checked, no file will be referenced in the report by more than one report table any more. Note that you can still see all report table associations of a file when it is listed in its first report table in the report, if you output the field "Report table". If the checkbox is half-checked, that means that a file will still be referenced (listed) by multiple report tables in the report if it has multiple associations, but copied only once and linked only from the first report table.

Hash Values

  • Option to fill the block hash database with 1 hash set per file for multiple selected files, unlike previous versions, which created 1 hash set spanning all selected files.

  • Support for Project VIC JSON files format 1.1.

  • Ability to maintain 2 hash values per evidence object. Ability to import 2 hash values from .e01 evidence files produced by X-Ways Forensics or X-Ways Imager.

  • Support for the hash types Tiger128, Tiger160, and Tiger192.

  • Support for Tiger Tree Hashes (TTH). Useful for investigations that involve Direct Connect P2P file sharing programs. Base32 notation for TTH can be enabled in the directory browser options.

Keyword Searches

  • The search term list now offers a "Max. 1" option when multiple search terms are selected that are not forced with a + or excluded with a -. "Max. 1" will list search hits only if they are contained in files that do not contain any of the other selected search terms. For example for 3 search terms, to get the same results in previous versions, you would have had to list search hits for search term A while excluding B and C, then list search hits for B while excluding A and C, and then list search hits for C while excluding A and B, which of course is not as elegant and does not show you all such singular search hits at the same time.

  • The search term list now offers a "NOT NEAR" option (abbreviated NTNR) in addition to "NEAR". With 2 selected search terms, NTNR will ensure that only search hits are listed that are not located in vicinity of any search hits of the respective other search term. With more than 2 selected search terms, the result is currently undefined.

  • Minor fix in the HTML code of search hit exports.
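The "Max. 1" and "NOT NEAR" (NTNR) filters above are easiest to understand as set operations over a hit list. The following is an added example, not X-Ways code: search hits are modelled as constructed (file, term, offset) tuples, and the distance window for NTNR is an assumed parameter, since the newsletter does not state how the product measures vicinity.

```python
"""Model of the "Max. 1" and "NOT NEAR" search-term filters (added example)."""
from collections import defaultdict

# Constructed sample hit list: (file name, search term, byte offset of the hit).
HITS = [
    ("budget.xlsx", "invoice", 120),
    ("budget.xlsx", "invoice", 900),
    ("memo.docx", "invoice", 40),
    ("memo.docx", "transfer", 70),     # 30 bytes from the "invoice" hit at 40
    ("memo.docx", "transfer", 5000),   # far away from any "invoice" hit
    ("notes.txt", "transfer", 10),
    ("report.pdf", "offshore", 300),   # term not selected in the examples below
    ("report.pdf", "invoice", 2000),
]


def max_one(hits, selected):
    """'Max. 1': list hits of the selected terms only for files that contain
    exactly one of those terms. This merges what previously needed one run per
    term (A excluding B and C, B excluding A and C, C excluding A and B)."""
    terms_per_file = defaultdict(set)
    for name, term, _ in hits:
        if term in selected:
            terms_per_file[name].add(term)
    return [h for h in hits
            if h[1] in selected and len(terms_per_file[h[0]]) == 1]


def not_near(hits, term_a, term_b, distance):
    """NTNR with two selected terms: keep a hit of either term only if no hit
    of the other term lies within `distance` bytes in the same file.
    `distance` is an assumed parameter for this model."""
    offsets = defaultdict(list)
    for name, term, off in hits:
        offsets[(name, term)].append(off)
    kept = []
    for name, term, off in hits:
        if term not in (term_a, term_b):
            continue
        other = term_b if term == term_a else term_a
        if all(abs(off - o) > distance for o in offsets[(name, other)]):
            kept.append((name, term, off))
    return kept


def near(hits, term_a, term_b, distance):
    """Plain NEAR for comparison: the complement of NTNR over the same terms."""
    ntnr = set(not_near(hits, term_a, term_b, distance))
    return [h for h in hits if h[1] in (term_a, term_b) and h not in ntnr]


if __name__ == "__main__":
    for h in max_one(HITS, {"invoice", "transfer"}):
        print("Max. 1 :", h)
    for h in not_near(HITS, "invoice", "transfer", 100):
        print("NTNR   :", h)
    for h in near(HITS, "invoice", "transfer", 100):
        print("NEAR   :", h)
```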

File Type Support

  • File type verification revised.

  • Category order revised (based on typical frequency).

  • New file carving method for Quickbooks .qbw files.

  • .evtx event log processing slightly revised.

  • Support for the updated database format of the Chrome history. Support for Opera browsing history since version 15.0 (the switch to the Chromium engine).

  • Nicer names for files that are extracted from Google Chrome caches.

  • Special carving support for EDB (ESE) log files (.edblog). These log files are forensically relevant in that Microsoft stores more and more internal data about EDB databases in these files. The log files record and keep the complete data that is added to a database at a certain point, until it is eventually deleted in the log file. Typically, multiple such log files can be recovered from Windows systems, and search hits in such a log file are more meaningful than in ordinary free space. Metadata is also extracted from these log files.

  • Better support for the CAB file format family, which includes Windows Installer files (less interesting), Windows Cabinet (more interesting, may contain e-mails) and Microsoft OneNote packages (also more interesting).

X-Tensions API

  • Additional information provided to X-Tensions via the XT_Init call.

  • New X-Tension function XWF_GetEvent, which retrieves information about an event in the internal event list of an evidence object.

  • X-Tension functions XWF_GetReportTableInfo and XWF_GetVSProp revised.

Miscellaneous

  • When imaging media with active compression, X-Ways Forensics now provides immediate visual feedback about the actual amount of data found on the disk. That is possible because disk areas that were never written as well as disk areas that were wiped achieve extremely high compression ratios. The rolling compression ratio is represented during imaging by vertical bars in a separate window. The higher the bar, the lower the "data density" in that area. The compression statistics are also stored in the .e01 evidence file, so that the same chart is also available at any later time from the evidence object properties dialog when you click the "Compression" button.

  • The option "Name output files after unique ID" in Recover/Copy is now available also when recreating complete or partial original paths in the output directory. It is now a 3-state checkbox. If half checked, the files will not be named purely after the unique ID (+extension) any more. Instead, the unique ID will be inserted between base filename and filename extension.

  • Ability to "include" all items in all open evidence objects in the directory browser options dialog of a recursively explored case root window.

  • Specialist | Refine Volume Snapshot now shows the size of extracted metadata and comments in memory and allows you to discard extracted metadata if necessary, to reduce main memory requirements. Now supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB before).
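The imaging feedback described in the first bullet of this section rests on one observation: never-written and wiped disk areas compress far better than real data. As an added example that is not X-Ways code, the following computes a rolling compression ratio per chunk of a constructed in-memory "disk" with zlib and renders it as a text bar chart; the chunk size, the bar scaling and the density threshold are assumptions, not the product's values.

```python
"""Rolling compression ratio as a 'data density' indicator (added example)."""
import math
import random
import zlib

CHUNK = 64 * 1024  # assumed chunk size for the rolling ratio


def build_sample_image(seed=7):
    """Constructed 'disk': never-written zeros, two chunks of incompressible
    data standing in for real file content, and a wiped (0xFF-filled) area."""
    rnd = random.Random(seed)
    data = rnd.getrandbits(8 * 2 * CHUNK).to_bytes(2 * CHUNK, "little")
    return bytes(CHUNK) + data + b"\xff" * CHUNK


def compression_ratios(image, chunk=CHUNK):
    """Compress each chunk on its own and return uncompressed/compressed size.
    Empty or wiped chunks yield ratios in the hundreds; real data stays near 1."""
    ratios = []
    for pos in range(0, len(image), chunk):
        block = image[pos:pos + chunk]
        ratios.append(len(block) / len(zlib.compress(block, 6)))
    return ratios


def data_chunks(ratios, threshold=10.0):
    """Indices of chunks that look like real data. The threshold is an
    assumption: anything compressing better than 10:1 is treated as empty."""
    return [i for i, r in enumerate(ratios) if r < threshold]


def density_bars(ratios, height=8):
    """Text rendering of the chart: the higher the bar, the lower the data
    density (the better the area compressed). Bar height is log2 of the ratio."""
    levels = [min(height, int(math.log2(max(r, 1.0)))) for r in ratios]
    rows = []
    for row in range(height, 0, -1):
        rows.append("".join("#" if lvl >= row else "." for lvl in levels))
    return "\n".join(rows)


if __name__ == "__main__":
    img = build_sample_image()
    ratios = compression_ratios(img)
    print(density_bars(ratios))
    print("ratios:", [round(r, 2) for r in ratios])
    print("chunks with data:", data_chunks(ratios), "of", len(ratios))
```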


Changes of service releases of v18.0:

  • SR-1: An exception error was fixed that could occur when using X-Ways Forensics without a second file hash database.

  • SR-2: Support for some additional TIFF subtypes for PhotoDNA matching.

  • SR-2: Certain unsupported TIFF subtypes are now dealt with more properly in that PhotoDNA matching and potentially also skin color detection are not attempted any more if futile, and a question mark is output instead.

  • SR-2: Fix for certain variants of FAT12.

  • SR-3: Support for relative paths when using the PhotoDNA hash database.

  • SR-3: Extraction of EXIF metadata from .wav files.

  • SR-3: Internal timestamps from JPEG files written by recent Canon camera models are now retrieved with original timezone information and thus can be converted to the display time zone.

  • SR-3: Fixed a possible error that could occur when sorting by the SC%/PhotoDNA column.

  • SR-3: Fixed an instability issue that could occur with corrupt Google Chrome caches.

  • SR-3: Fixed an error that could occur when processing .ieurl files extracted from Google Chrome caches.

  • SR-3: Fixed a crash that could occur with Windows Vista thumbcaches.

  • SR-4: Mass metadata extraction no longer slowed down by the option "Coordinate processing by simultaneous users more carefully".

  • SR-4: Fixed an exception error that could occur when using the registry viewer.

  • SR-4: Automatic report table associations with duplicates did not work any more. That was fixed.

  • SR-5: Fixed an error that could cause crashes with OLE2 files in v18.0 SR-4.

  • SR-5: v18.0 did not always match hash values against the hash database in additional volume snapshot refinement runs. That was fixed.

  • SR-5: Fixed an error in the X-Tension API function XWF_GetRasterImage.

  • SR-6: Prevents certain erroneous events with timestamps in the year 1829.

  • SR-6: Fixed inability of v18.0 to extract senders and recipients from all e-mail headers.

  • SR-6: Fixed inadequate handling of bad sectors in recent versions.

  • SR-6: Fixed an exception error that could occur in the 64-bit edition when processing Google Chrome cache files.

  • SR-7: Fixed an unjustified partial read error in v18.0.

  • SR-7: Fixed potential error about lost comments imported from evidence file containers.

  • SR-7: Fixed a crash that could occur when trying to display very long search hits (e.g. produced with a GREP expression like .*).

  • SR-8: Fixed an exception error that could occur when switching to the search hit list in the Case Root window while sorting in the directory browser was still ongoing.

  • SR-8: Fixed a potential crash with corrupt OLE2 files.

  • SR-8: Fixed dongle errors that a few users experienced when running multiple instances simultaneously.

  • SR-8: Some minor improvements and fixes.





Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany
