#114: WinHex, X-Ways Forensics and X-Ways Investigator 15.2 released
May 11, 2009
This mailing is to announce a noteworthy update, v15.3.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose
update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information such as
download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES
Los Angeles, June 10-12 http://www.x-ways.net/training/los_angeles.html
Seattle, June 15-17 http://www.x-ways.net/training/seattle.html
For more information: http://www.x-ways.net/training/
A second training date in Seattle might be scheduled soon.
-------------------------------------------------------------
A new version of the viewer component is now available for
download to licensed owners of X-Ways Forensics with update
maintenance. Changes include:
* Open Office 2.x / Star Office 8.0 Calc enhancements
* MS Office 2007 chart support (most chart types)
* support for AutoCAD 2007
* enhancement of AutoCAD 2005 & 2006 beyond text only
* JPEG2000 support extended
* other improvements and presumably error corrections
-------------------------------------------------------------
WHAT'S NEW IN V15.3?
* The index optimization step was reworked. It can now use a user-defined
number of processor cores simultaneously and a user-defined amount of main
memory per process, optimize faster and more thoroughly and better utilize
memory.
* Improved memory handling for search hits. No additional memory requirement
for search hits any more when loading or saving the case. Memory for search
hits is now needed only when the evidence object is open (same as before
already with memory for volume snapshots). The main-memory limit on the number
of search hits in one evidence object was slightly raised (several tens of
millions of search hits are now possible). Search hits saved by v15.3 cannot
be loaded by older versions any more.
* The menu items for simultaneous search and the index searches have been
moved to the top of the menu (for license types in which they are
available), since they are the most important ones in the Search menu.
* Decoding the text in PDF, HTML, and various other documents for the
logical search and for indexing can no longer cause the program to freeze or
crash if the viewer component has problems processing the file e.g. because
the file is corrupt.
* When attempting to view or preview a file with the viewer component that
is known to cause crashes, you are asked whether you are really sure you
would like to view the file.
* The Raw option of preview mode is now automatically disabled when viewing
a file of a different type. This is because too many users forget about it
after having viewed e-mail or HTML or XML files in Raw mode (where it makes
sense) and continue using it for other file types as well, thereby missing a
faithful representation of important document types.
* Detects whether the hash database is in use, to avoid conflicts when updating it.
* The integrity test of the hash database can now be aborted.
* When you add an excerpt from a file to the volume snapshot as a virtual
file (select a block in File mode and use the Edit menu for that), the
resulting file is now marked as "excerpt" in the Attr. column and is
filterable like this.
* In main memory (local live main memory or memory dumps), Windows kernel
data structures and named objects are now conveniently listed in a tree in
the volume snapshot. Other objects will be listed per process in the handle
table.
* Loaded modules are now also listed, in a virtual directory named
"Modules". That enables X-Ways Forensics to allocate their memory pages in
RAM mode to them, and to compute hashes for them so that they can be
identified via special hash sets, where optionally and ideally only their
invariable headers are hashed.
* Various other improvements in main memory analysis, better support for
64-bit Windows versions, and generally more robust now.
* The file "File Type Signatures Memory Search.txt" extends the file header
signature search and is now downloadable from
http://www.x-ways.net/winhex/templates/File%20Type%20Signatures%20Memory%20Search.txt
That file contains signature definitions for TCP, ADR, UDP, ICMP, and IGMP
packets, is applicable only to memory dumps, and its signatures are to be
searched byte-aligned.
* 4 additional data types have been added to the Data Interpreter: SID
(security identifiers), IP addresses,
packed 7-bit ASCII strings, and unsigned 48-bit integers. IP addresses and
unsigned 48-bit integers are also available in templates, and the variable
type is called "IP". They are both helpful for manual 64-bit main memory
analysis.
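The three decoders below show what the new Data Interpreter types actually read from raw bytes (binary SID, IPv4 address, unsigned 48-bit integer). This is an added example, not X-Ways code; the sample bytes are constructed for the example.

```python
import ipaddress
import struct

# Constructed sample bytes (not taken from the page): a binary SID, an IPv4
# address and a 48-bit little-endian integer as they might appear in a dump.
SAMPLE_SID = (b"\x01\x05" + b"\x00\x00\x00\x00\x00\x05"
              + struct.pack("<5I", 21, 1000, 2000, 3000, 1001))
SAMPLE_IPV4 = b"\xc0\xa8\x01\x2a"          # 192.168.1.42, network byte order
SAMPLE_U48 = b"\x00\x80\x01\xf8\xff\xff"   # 0xfffff8018000, little-endian


def decode_sid(data: bytes) -> str:
    """Render a binary Windows SID in its textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then `count` 32-bit little-endian
    sub-authorities."""
    if len(data) < 8:
        raise ValueError("SID needs at least 8 bytes")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(data) < 8 + 4 * count:
        raise ValueError("sub-authority count does not fit the data")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_ipv4(data: bytes) -> str:
    """Dotted-quad form of 4 bytes in network (big-endian) byte order."""
    if len(data) != 4:
        raise ValueError("IPv4 address needs exactly 4 bytes")
    return str(ipaddress.IPv4Address(data))


def decode_u48(data: bytes, big_endian: bool = False) -> int:
    """Unsigned 48-bit integer; x86-64 stores it little-endian."""
    if len(data) != 6:
        raise ValueError("48-bit integer needs exactly 6 bytes")
    return int.from_bytes(data, "big" if big_endian else "little")


def interpret_at(buf: bytes, offset: int) -> dict:
    """Data Interpreter style: list every reading of the bytes at `offset`
    that is structurally valid, skipping the types that do not fit."""
    out = {}
    readers = (("SID", decode_sid, None),
               ("IPv4", decode_ipv4, 4),
               ("u48", decode_u48, 6))
    for name, fn, size in readers:
        chunk = buf[offset:] if size is None else buf[offset:offset + size]
        try:
            out[name] = fn(chunk)
        except ValueError:
            pass
    return out


if __name__ == "__main__":
    print(interpret_at(SAMPLE_SID, 0))
    print(interpret_at(SAMPLE_U48 + SAMPLE_IPV4, 6))
```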
* 4 additional hash types have been added: RipeMD-128, RipeMD-160, MD4, and
(specialist or forensic license only) ed2k. ed2k is based on MD4 and used in
file sharing programs.
* The case report can now optionally be split into multiple HTML files if
too many pictures are to be included (hundreds or thousands), which give
Internet browsers or other programs a headache when loading the HTML file.
* It is now possible to output the report for selected evidence objects
only, not simply for all evidence objects,
via an additional checkbox in the report options dialog. (forensic license
only)
* Clickable links to attachments in e-mails in Preview mode now work in some
very rare cases where they previously didn't.
* A new filter has been introduced that allows you to focus on files that
have already been viewed, or have not yet been viewed, by the examiner. See
Directory Browser Options. (forensic license only)
* Some options from the Security Options and the Directory Browser Options
that affect the creation of volume snapshots have been moved to a separate
dialog box that you can access via a button in the Directory Browser
Options.
* A new volume snapshot option is now available that causes deleted
partitions to pass on their deleted state to
everything that they contain (files, directories, ...), and deleted e-mail
archives to pass on their deleted state to all the e-mails, directories and
attachments that they contain. This may seem logical, but results in a loss
of information (*everything* is listed as deleted). By default, X-Ways
Forensics still distinguishes between existing and deleted files and e-mails
etc. even in deleted partitions/deleted e-mail archives, as in earlier
versions, so that more information is retained.
* Via two other new volume snapshot options you can indicate whether you are
interested in earlier names and locations of renamed/moved files in NTFS and
whether you are interested in getting files listed for which only filename,
size, time-stamps and attributes (but no data) are known. By default, such
files are listed, as in earlier versions. (specialist or forensic license
only)
* zip.exe was updated with a version that supports larger zip files. That
program is used for archiving cases.
* Several minor improvements.
* Fixed an exception error that could occur when taking volume snapshots.
(since v15.2 SR-1)
* Metadata is now extracted from carved TCP, UDP, ICMP packet "files".
(since v15.2 SR-2)
* A crash was prevented that occurred when X-Ways Forensics was processing
zip archives with a very specific kind of corruption. (since v15.2 SR-2)
* Prevented an infinite loop that occurred in a very special situation when
extracting e-mail. (since v15.2 SR-2)
* Errors were fixed that caused corruption in hash databases up to v15.2
SR-2.
* In some situations when importing a folder with hash sets, the hash sets
were unintentionally merged. This was fixed with v15.2 SR-4.
* New template command "gotoex n" that allows to jump to an absolute offset
on a disk or in a file or in memory,
unlike the ordinary "goto" command which is based on the start of the
structure where template interpretation starts. (since v15.2 SR-4)
* New template command "exit" that terminates interpretation of the
template. (since v15.2 SR-4)
* An exception error was fixed that could occur in v15.2 when returning from
a search hit list to the normal
directory browser depending on the sort criteria in the search hit list.
(since v15.2 SR-4)
* The Windows CD key is now decoded and output in plaintext when including
the Windows DigitalProductId in the registry report. (since v15.2 SR-4)
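The decoding the report performs is the well-known base-24 expansion of the 15 key bytes inside the DigitalProductId value. As an added example (not X-Ways code), the following reproduces it for the Windows XP/Vista/7 layout; the sample DigitalProductId and key are constructed for the example, and the encoder exists only to build that sample.

```python
KEY_ALPHABET = "BCDFGHJKMPQRTVWXY2346789"  # base-24 digits of Windows product keys
KEY_OFFSET = 52    # the 15 key bytes sit at offsets 52..66 of DigitalProductId
KEY_LENGTH = 15


def decode_product_key(digital_product_id: bytes) -> str:
    """Turn a binary DigitalProductId (XP/Vista/7 layout) into the
    XXXXX-XXXXX-XXXXX-XXXXX-XXXXX product key. The 15 key bytes form one
    little-endian 120-bit number; the key is its 25-digit base-24 expansion."""
    if len(digital_product_id) < KEY_OFFSET + KEY_LENGTH:
        raise ValueError("DigitalProductId too short to contain a product key")
    key = bytearray(digital_product_id[KEY_OFFSET:KEY_OFFSET + KEY_LENGTH])
    digits = []
    for _ in range(25):
        # Long division of the 120-bit number by 24, most significant byte first;
        # the remainder is the next (least significant) base-24 digit.
        remainder = 0
        for j in range(KEY_LENGTH - 1, -1, -1):
            remainder = (remainder << 8) | key[j]
            key[j] = remainder // 24
            remainder %= 24
        digits.append(KEY_ALPHABET[remainder])
    text = "".join(reversed(digits))
    return "-".join(text[i:i + 5] for i in range(0, 25, 5))


def encode_product_key(key: str) -> bytes:
    """Inverse of decode_product_key; used here only to build sample data."""
    clean = key.replace("-", "")
    if len(clean) != 25 or any(ch not in KEY_ALPHABET for ch in clean):
        raise ValueError("product key must be 25 characters from the key alphabet")
    n = 0
    for ch in clean:
        n = n * 24 + KEY_ALPHABET.index(ch)
    return n.to_bytes(KEY_LENGTH, "little")


def build_sample_digital_product_id(key: str) -> bytes:
    """Constructed 164-byte DigitalProductId with only the key bytes populated
    (the surrounding product and edition fields are left zero here)."""
    blob = bytearray(164)
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LENGTH] = encode_product_key(key)
    return bytes(blob)


# Constructed, meaningless sample key for the example (not a real product key).
SAMPLE_KEY = "J7K4X-GHQ8P-W2CYB-3D6FM-TV9RX"

if __name__ == "__main__":
    print(decode_product_key(build_sample_digital_product_id(SAMPLE_KEY)))
```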
* Format error in registry report fixed. (since v15.2 SR-5)
* The path of the loaded registry hive is now (at least partially) displayed
in the registry viewer's status bar.
Useful for example if you load multiple ntuser.dat files from different
images and user profiles at the same time.
(since v15.2 SR-7)
* An asterisk at the end of a registry path in the registry report
definition did not match all subkeys and values.
This was fixed. (since v15.2 SR-9)
* When errors occur while filling an evidence file container, the filling is
no longer aborted in certain situations, and a more specific error code is
reported in some other situations. (since v15.2 SR-5)
* Fixed an error that could occur when copying files into a container from a
non-recursive list. (since v15.2 SR-7)
* Newly created evidence file containers now remember the owner of files
from NTFS file systems as the last part of the SID, no longer as the
security identifier index. (since v15.2 SR-7)
* A new exception error that could occur when viewing externally opened
files was fixed. (since v15.2 SR-6)
* The directory browser and Details mode now show both the translated
username (if available) and the SID as the
owner of files in NTFS file systems, not only one of them. (since v15.2
SR-7)
* An exception error was fixed that could occur when clicking directories in
the directory tree. (since v15.2
SR-7)
* Fixed inability to read raw sectors from audio CDs. (since v15.2 SR-9)
* Avoids error that occurred when starting a Simultaneous Search with
certain settings. (since v15.2 SR-10)
* Fixed a display refresh error that could occur under certain circumstances
when navigating from one search hit
to another in File mode. (since v15.2 SR-10)
* Avoidance of conflicts when invoking multiple instances of MPlayer
simultaneously. (since v15.2 SR-10)
* The size of the buffer for the file mask for the extraction of embedded
JPEG/PNG pictures was increased. (since
v15.2 SR-10)
* Fixed misinterpretation of special GREP characters $ and ^ in keyword
searches run without GREP syntax. (since v15.2 SR-11)
* Files that were virtually attached by the user to the root directory of a
volume were ignored in some operations
even when selected. This was fixed. (since v15.2 SR-11)
* Deals more gracefully with overlong paths and extremely high numbers of
files when taking a volume snapshot of
drives with no sector-level access (e.g. remote network drives). (since
v15.2 SR-12)
* No longer freezes when taking a volume snapshot of certain very large
DVDs. (since v15.2 SR-12)
* Improved compatibility with .e01 evidence files as produced by EnCase
6.13. (since v15.2 SR-12)
* Avoided "... is not a valid character" error message in inappropriate
situations. (since v15.2 SR-12)
* Fixed an error that in some situations occurred when processing certain
thumbs.db files. (since v15.2 SR-12)
#113: WinHex, X-Ways Forensics and X-Ways Investigator 15.2 released
Jan 15, 2009
This mailing is to announce a noteworthy update, v15.2.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose
update maintenance has expired please go to
http://www.x-ways.net/winhex/license.html for more information such as
download links, update maintenance, and upgrade offers.
-------------------------------------------------------------
UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES
DC area, Mar 16-20 http://www.x-ways.net/training/washington_dc.html
London, Mar 30-Apr 3 http://www.x-ways.net/training/london.html
For more information: http://www.x-ways.net/training/
-------------------------------------------------------------
WHAT'S NEW?
* Main memory analysis. Requires a forensic license. This analysis is
available for local RAM (opened via Tools | Open RAM) and for memory dumps.
Supports the 32-bit versions of Windows 2000, Windows XP, Windows 2003
Server, Windows Vista, and Windows 2008 Server.
Processes will be listed in the directory browser, with their timestamps and
process IDs, and their own respective memory address spaces can be
individually viewed in "Process" mode, with pages concatenated in correct
logical order as seen by each process. The "particularly thorough data
structure search" will take a little longer and may turn up traces of
additional terminated processes as well as rootkits.
The Technical Details Report informs you of important system-wide parameters
as well as of the current addresses of kernel data structures. In Details
mode you can find the addresses of process-related data structures for each
process, and the ID of its parent process. In RAM mode, the Details Panel
shows for each memory page a process to which it is allocated (if any) and
its memory management status.
With the appropriate background knowledge, the new functionality can be used
to learn more about the current state of the machine and its processes,
sockets, open files, loaded drivers, and attached media, to identify
malware, to find the decrypted version of otherwise encrypted data, to analyze
network traces in incident response, and to do further research in the field
of memory forensics.
* Memory can be acquired remotely with X-Ways Forensics in conjunction with
F-Response 2.x since v15.1 SR-5 (Tools | Open Disk).
* If more than 1 GB of main memory is available, the optimization of an
index now better utilizes that memory, which may result in a tremendous
acceleration of this step for large indexes.
* There are now two different checkboxes in the Index Search window.
Checking the first one helps find words within words (e.g. "wife" in
"housewife"), which however is likely incomplete and slow if the index was
not prepared for substring searches. The second one makes it optional to find
word extensions (e.g. "houses" when searching for "house" and "skyscraper"
when searching for "sky"). Finding word extensions was the default behavior
in previous versions. Unchecking both boxes works like a "whole words only"
option.
* Hash sets can now be classified as to how important they are. This is
useful because when matching hash values against the hash database, only one
match is returned even if the same hash value is contained in multiple hash
sets. Now you can make sure that in such a case you get the most relevant
hash set returned, for example a hash set that identifies CP pictures
without any doubt as opposed to hash sets from a different source that may
contain the hash values of doubtful pictures. Also new: If there is more
than one match, a "+" sign will be displayed in the hash set column in the
directory browser after the name of one of the matching hash sets.
* You may now use Unicode characters in hash set names.
* For reasons of convenience, WinHex and X-Ways Forensics now remember and
restore the last selected item and other settings of the directory browser
when reopening data windows and evidence objects. That makes it much easier
to resume your work after a break or interruption when reviewing files.
* Evidence file containers created by the new version now also remember the
hash category of a file and the skin color percentage.
* X-Ways Forensics can import SHA-1 hashes from .e01 evidence files as now
optionally provided by EnCase 6.12. (Note that in X-Ways Forensics you were
never ever implicitly forced to use MD5 hashes.)
* It is now possible to replace an evidence object with a new medium (drive
letter or physical disk). Useful if you
are working with original disks, not images, and the drive letter or disk
number has changed.
* The graphics library was updated. Some issues with the display of pictures
were fixed.
* Ability to interpret mode 1 ISO CD images with 2,352 bytes per sector, if
not spanned (segmented).
* It is now possible to group existing and deleted files in different output
directories when using the Recover/Copy
command. Requires that you have X-Ways Forensics recreate the original path.
* Ability to recreate files whose original paths contain directory names
with trailing spaces, although not allowed by Windows, by removing such
spaces.
* For internally reconstructed RAIDs, the number of the component disk from
which the current sector (where the
cursor is in) was read is now displayed in the Details Panel, along with the
relative number that that sector has on that component disk.
* It is now possible to mark files as hidden even in a search hit list. Such
files will actually be filtered out
if you do not list hidden items when you click the Enter button in the
search term list window to recompile the search hit list.
* When identifying and hiding duplicate files, previously it was possible
that duplicate e-mails with attachments
(e-mail/attachment pairs) were separated if the parent (e-mail message) of
one pair and the child (attachment) of
another pair was hidden. The algorithm was changed to improve the quality of
the examination, and this undesirable situation is now avoided. Identical
e-mail messages with different attachments (child objects) will be marked as
duplicates, but not hidden any more. Identical attachments (child objects)
will be marked as duplicates, but they will be hidden only indirectly if
they are part of identical e-mail messages and those are hidden.
* After processing e-mail, X-Ways Forensics now shows attachments as child
objects of e-mail messages instead
of in a virtual "Attach" folder in some cases where this previously did not
happen.
* Naming problem solved for e-mail messages that were extracted from .msg
files which were attached to the
volume snapshot as virtual files.
* It is now possible to attach all the files of an entire directory to the
volume snapshot, not just individual
files, if you hold the Ctrl key while invoking the directory browser menu
command. Useful for example after having
extracted thousands of .msg files from a .pst or .ost e-mail archive using
the viewer component, to integrate
them back into X-Ways Forensics for further processing.
* An error in the "Totally remove hidden items" function was fixed that
existed since v14.8.
* The "Save As" command is now also available for disks (yet another way to
create a raw image).
* Icons of hidden files are now displayed in gray instead of blue. Icons of
notable files are now displayed in red
instead of blue.
* When adding a file to a report table, it is now also possible to
recursively add all its child objects to the
same report table, not only direct children.
* Ability to view Unix/Linux wtmp and utmp log-in records.
* Recognizes the TFAT file system as such.
* When enabling the recommended data reduction for logical searches, files
marked as moved/renamed will no longer be searched, as the same data is
searched when the same file is searched in its new location or under its new
name.
* Several minor improvements.
* There are now two interpretations of $LogFile in Preview mode and for the
View command. The new interpretation gives an easy to understand overview of
deleted files including deletion timestamps (unavailable before and another
unique feature). In cases where the deletion timestamp is missing, the time
frame in which the deletion occurred can be deduced manually. The old
interpretation, a much more complete and detailed view of $LogFile, is still
accessible if you enable Raw mode. (since v15.1 SR-1)
* An exception that could occur during an index search was fixed. (since
v15.1 SR-1)
* Tagging files in a recursive view did not always have the correct effect
on directories. This was fixed. (since
v15.1 SR-1)
* A resource leak was fixed that had an effect when trying to extract e-mail
from thousands of files. (since v15.1 SR-1)
* Moved or renamed files in NTFS volumes of which only index records are
available and whose file size is unknown can now be seen in Gallery mode,
too, not only in Preview mode. (Only if the new state of the file as defined
by a FILE record allows it to be opened.) (since v15.1 SR-2)
* When e-mail from password-protected Outlook PST archives is to be
extracted and the user does not react and agree to provide the password
within 30 seconds, X-Ways Forensics will continue with the next file. (since
v15.1 SR-2)
* Evidence file containers can now optionally be frozen when they are closed
and enclosed in an .e01 file, such
that they cannot be further filled (even after converted back to a raw
image). Such containers are marked as read-only in the Technical Details
Report. (since v15.1 SR-2)
* Ability to detect hybrids of RAR and JPEG or Bitmap files when extracting
metadata and in Details mode. (since v15.1 SR-2)
* More information about RAR files in Details mode. (since v15.1 SR-2)
* Fixed registry viewer instability under Windows Vista. (since v15.1 SR-2)
* An instability error was fixed that could occur when decompressing certain
hiberfil.sys files. (since v15.1 SR-2)
* Fixed an issue processing signed emails (x-pkcs7-signature) from Eudora.
(since v15.1 SR-2)
* Improved conversion accuracy of certain kinds of emails stored in Office
Outlook. (since v15.1 SR-2)
* Some other minor improvements and issues fixed in e-mail processing.
(since v15.1 SR-2)
* An error no longer occurs that prevented the display of GIF pictures for
the remainder of a session after one
particular GIF picture was displayed. (since v15.1 SR-3)
* The Windows disk signature is now output as part of the Technical Details
Report for hard disks. (since v15.1 SR-4)
* OpenOffice document zip files are now usually carved again with the
correct file size. (since v15.1 SR-4)
* After having matched hash values against the hash database, when loading a
different hash database and not re-matching the hash values against that new
database, references to hash sets in the old database are no longer
considered valid by X-Ways Forensics, which avoids that a wrong matching
hash set may be displayed in the hash set column. The hash category was
always stored independently of the hash database. (since v15.1 SR-4)
* Progress indicator for Recover/Copy command fixed. (since v15.1 SR-4)
* Avoided two message boxes that required user interaction in very specific
situations when refining the volume
snapshot. (since v15.1 SR-4)
* Unchecking the "copy child objects of selected files" checkbox did not
always have the intended effect. That
was fixed. (since v15.1 SR-5)
* The $ GREP anchor did not work correctly for larger files. This was fixed.
(since v15.1 SR-5)
* Inability of Edit | Modify Data to fully process large files was fixed.
(since v15.1 SR-6)
* Some exception errors prevented. (since v15.1 SR-6)
* An error in the Recover/Copy command was fixed that could cause display
errors in the progress indicator
window and could cause it to not recover certain files (followed by an error
message saying that the original
timestamps or attributes could not be applied to the file because the file
could not be found). (since v15.1 SR-7)
* Timestamp bias error in new $LogFile interpretation (not raw mode) fixed.
(since v15.1 SR-7)
* Ability to apply the menu command Edit | Select All (not the keyboard
shortcut) to windows of the viewer component. (since v15.1 SR-7)
* The Save As command for cases can now deal with overlong paths in the case
subdirectories (up to 510 characters). (since v15.1 SR-8)
* Fixed an error that could cause an incorrect reconstruction pattern for
internally reconstructed forward parity RAID 5 systems under certain
circumstances. (since v15.1 SR-8)