X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 


WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#159: X-Ways Forensics, X-Ways Investigator, WinHex 19.7 released

Aug 19, 2018

This mailing is to announce the release of another update with many notable improvements, v19.7.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Sep 17-20 London, England X-Ways Forensics (wait list)
Sep 18-21 St. Paul, MN X-Ways Forensics (wait list)
Oct 8-11 Fyshwick ACT, Australia X-Ways Forensics
Nov 12-15 London, England X-Ways Forensics
Dec 3-6 Washington DC area X-Ways Forensics
Mid Dec London, England X-Ways Forensics II

Please sign up for our training newsletter here if you would like to be kept up to date on future classes.


What's new in v19.7?
(please note that most changes affect X-Ways Forensics only)

File System Support

  • Ability to parse data structures of many APFS volumes in order to provide a volume snapshot.

  • Cloned files in APFS, which share the clusters of their original counterparts and store only the differing data in separate clusters, are marked with an uppercase Greek delta (Δ) in the Attr. column.

  • Support for APFS timestamps in the Data Interpreter as well as in templates ("APFSDateTime").

  • A particularly thorough file system data structure search is now available for exFAT volumes, too.

  • Protection against a rare kind of NTFS corruption, FILE record displacements within $MFT.

  • The option to omit additional hard links now has an effect even when processing selected or tagged files specifically.
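
Added example (not X-Ways code): the Python below decodes a raw APFS timestamp the way the new "APFSDateTime" template type and the Data Interpreter have to, i.e. as an unsigned 64-bit little-endian count of nanoseconds since 1970-01-01 00:00:00 UTC (unlike HFS+, which counts seconds since 1904). The function names and the sample bytes are this example's own; the sub-microsecond remainder is kept separately because Python's datetime cannot hold it.

```python
"""Decode/encode APFS timestamps (example code, not part of X-Ways Forensics).

APFS stores timestamps as an unsigned 64-bit little-endian number of
nanoseconds since the Unix epoch. The sample below is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_apfs_timestamp(raw: bytes) -> Tuple[Optional[datetime], int]:
    """Return (aware UTC datetime, leftover nanoseconds 0..999) for 8 raw bytes.

    A zero value means "not set" and yields (None, 0). The nanosecond
    remainder is returned rather than silently dropped, because datetime
    only resolves microseconds.
    """
    if len(raw) != 8:
        raise ValueError("APFS timestamps are exactly 8 bytes")
    (ns,) = struct.unpack("<Q", raw)
    if ns == 0:
        return None, 0
    micros, leftover_ns = divmod(ns, 1000)
    return UNIX_EPOCH + timedelta(microseconds=micros), leftover_ns


def encode_apfs_timestamp(when: datetime, extra_ns: int = 0) -> bytes:
    """Inverse of decode_apfs_timestamp (handy for building test data)."""
    if when.tzinfo is None:
        raise ValueError("need a time zone aware datetime")
    delta = when - UNIX_EPOCH
    ns = ((delta.days * 86400 + delta.seconds) * 1_000_000_000
          + delta.microseconds * 1000 + extra_ns)
    return struct.pack("<Q", ns)


def format_apfs_timestamp(raw: bytes) -> str:
    """Render like a Data Interpreter line: date, time, nine fractional digits."""
    when, leftover_ns = decode_apfs_timestamp(raw)
    if when is None:
        return "(not set)"
    return "%s.%06d%03d UTC" % (when.strftime("%Y-%m-%d %H:%M:%S"),
                                when.microsecond, leftover_ns)


# Constructed sample: 2018-08-19 12:00:00.123456789 UTC as stored on disk
SAMPLE = struct.pack("<Q", 1_534_680_000_123_456_789)

if __name__ == "__main__":
    print(SAMPLE.hex(), "->", format_apfs_timestamp(SAMPLE))
```

Note that a plausibility check on the decoded value (e.g. later than the volume's creation date and not in the future) is still the examiner's job; the decoder deliberately does not reject odd values.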

File Format Support

  • Encrypted documents with a known password can now be matched against the FuzZyDoc hash database.

  • The report table "Scan" is no longer used to identify PDF documents that have scanned content. Instead, "scanner" is now shown in the Device type column for PDF documents that are identified as having been generated by a scanner.

  • Extraction of the mdta key com.apple.quicktime.location.ISO6709 from iPhone MOV files into the Metadata column.

  • Identification of and file header signature search for MP4s files, a proprietary surveillance video format.

  • Google Chrome history will now display the transition for each visited web site, making it easier to ascertain whether the visit was triggered by the user or by some other action like redirect. The duration of each visit is listed as well. Internet searches run from the address bar of Chrome are listed in a separate table and also added to the event list.

  • Ability to parse Google Chrome SNSS session files (Current/Last Session and Current/Last Tabs) during metadata extraction. The resulting session overview lists all open tabs and their browsing history.

  • The previous output for .automaticdestinations-ms files in Details mode is now presented in Preview mode, and also for the View command and when copying such jumplist files for inclusion in the report.

  • Report thumbnail generation now supported for files of these types: lnk, flnk, TCP/UDP packets, NK2, DBX, Skype chat, WAB, change.log.1, info2, job, IconCache.db, Prefetch, shd, usnjrnl, eiurl, $I*, travellog, chrome1, automaticdestinations-ms, and more.

  • Fixed a rare checksum error in Intel Hex conversion output.

  • Ability to convert (e.g. search terms) from UTF-16 to various Indian code pages: ISCII Devanagari, Bengali, Tamil, Telugu, Assamese, Oriya, Kannada, Malayalam, Gujarati, Punjabi (Gurmukhi).

JPEG Metadata Support

  • Irregular EXIF metadata encodings that violate EXIF specifications are now marked with an asterisk at the end (sometimes additionally with a bold font).

  • "EXIF compliance" is another new aggregated single value, a score that shows whether a low quality photo editor was used to edit a photo. The good rating that JPEG pictures produced by Nikon or Canon cameras usually have is retained only by high quality photo editing programs; a bad rating for such pictures indicates editing by a low quality program. Irregularly coded fields in the EXIF data are marked with a star. Irregular might mean that a wrong data type was used, the permitted value range was violated, there are duplicate tags, or a character string is not null-terminated or contains slack. Some tags must not appear at the same time, and some tags must be stored in a designated directory.

  • Generally the EXIF presentation is not a simple unstructured output of all EXIF values; it aims to provide background information and highlights certain parameters within their context to make examiners aware of irregularities. Already in their original files, digital cameras produce characteristic EXIF metadata errors. Editing a photo may introduce additional errors or fix others.

  • XMP metadata extraction revised. New and relevant information is added to the metadata column while redundant information is not. XMP often contains information about the time zone that is not available from the EXIF metadata.

  • The amount of slack (zero-value bytes) at the end of an EXIF segment is presented in Details mode if such slack is present. For example, iPhone 4 and iPhone 5 usually produce such an area of a variable length, but iPhone 7 does not. If the slack remains present after a rotation, that means the rotation was minimally invasive, without recompression (no loss of quality). If however a photo editing program rewrites the JPEG file, the slack will disappear.

  • The Summary part of the internal metadata in Details mode for JPEG files now has a new field named "Light value". That value is derived from the well-known photography formula Ev = log2(N^2/t) + log2(100/ISO), where N is the f-number, t the exposure time in seconds and ISO the sensitivity. The value range ends at around 16, which means full sunshine. This aggregated value can be interesting to some examiners because it makes it possible to distinguish indoor from outdoor photos and to check whether the local time of a photo is plausible.

  • A new value "Rotated" is now possible for the Condition field in JPEG metadata.

  • A new device type "printer" is now shown for JPEG files that were created for printing purposes.

  • Firmware dates are now also output for iPhones and other Apple devices.

  • The IMEI of some Samsung Galaxy smartphones (high end models) is stored in the SEFT trailing data of JPEG files, depending on the phone's settings, and if so is now presented in Details mode of the SEFT file. The SEFT file is generated by "Uncover embedded data in various file types".

  • Generator signatures and phone alias table were revised.
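
Added example (not X-Ways code): the Python below computes the "Light value" from the Exif tags that a metadata extractor hands over, using the formula quoted above with N = FNumber, t = ExposureTime (seconds) and the ISOSpeedRatings value. Exif stores FNumber and ExposureTime as RATIONAL pairs, so the code accepts (numerator, denominator) tuples as well as floats. The coarse scene bands in describe_light and the two sample tag sets are this example's own assumptions, not X-Ways' thresholds.

```python
"""Light value (Ev) from Exif exposure data (example, not X-Ways code).

Ev = log2(N^2 / t) + log2(100 / ISO). Around 15-16 means full sunshine,
small or negative values mean dim light; the bands below are a rough
assumption for illustration only.
"""
import math
from typing import Tuple, Union

Rational = Union[Tuple[int, int], float, int]


def _to_float(value: Rational) -> float:
    # Exif RATIONAL: (numerator, denominator); reject corrupt zero denominators
    if isinstance(value, tuple):
        num, den = value
        if den == 0:
            raise ValueError("zero denominator in Exif rational")
        return num / den
    return float(value)


def light_value(fnumber: Rational, exposure_time: Rational, iso: float) -> float:
    """Ev normalised to ISO 100 for the given aperture, shutter speed and ISO."""
    n = _to_float(fnumber)
    t = _to_float(exposure_time)
    if n <= 0 or t <= 0 or iso <= 0:
        raise ValueError("aperture, exposure time and ISO must be positive")
    return math.log2(n * n / t) + math.log2(100.0 / iso)


def describe_light(ev: float) -> str:
    """Rough scene classification (assumed bands, for illustration)."""
    if ev >= 13:
        return "bright outdoor / daylight"
    if ev >= 8:
        return "overcast outdoor or bright indoor"
    if ev >= 4:
        return "indoor / artificial light"
    return "dim / night"


def light_value_from_exif(tags: dict) -> float:
    """Use the raw tag values as an Exif parser would return them."""
    return light_value(tags["FNumber"], tags["ExposureTime"], tags["ISOSpeedRatings"])


# Constructed Exif tag sets (not from real photos): a "sunny 16" daylight
# shot and a handheld night shot on a fast lens at high ISO.
DAYLIGHT = {"FNumber": (16, 1), "ExposureTime": (1, 100), "ISOSpeedRatings": 100}
NIGHT = {"FNumber": (18, 10), "ExposureTime": (1, 15), "ISOSpeedRatings": 1600}

if __name__ == "__main__":
    for name, tags in (("daylight", DAYLIGHT), ("night", NIGHT)):
        ev = light_value_from_exif(tags)
        print(f"{name}: Ev = {ev:.2f} -> {describe_light(ev)}")
```

A photo whose Exif says it was taken at 23:30 local time but whose light value is around 15 deserves a second look at the camera clock or the time zone; conversely, doubling the ISO at unchanged aperture and shutter lowers Ev by exactly one, so the value really describes the scene brightness and not the camera settings.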

E-mail

  • Extracts more internal timestamps from e-mails in PST/OST e-mail archives.

  • If the names of e-mail recipients contain the pipe character (rare), such recipients were previously not correctly classified as To:, Cc:, or Bcc: when refining the volume snapshot. That was fixed.

  • New volume snapshot option to convert certain RTF-formatted e-mail bodies from Outlook e-mail archives to plain UTF-8 (when extracting e-mails) to better view generated .eml files in external e-mail clients and to allow for the alternative .eml preview.

User Interface

  • When sorting timestamps in one of the many timestamp columns, it may happen that UTC-based timestamps have to be compared to local timestamps with an undefined time zone reference or to local timestamps with a user-defined time zone reference (user-defined meaning defined by the examiner), to see which one is earlier and which one is later. That happens for example for file system based timestamps in the case root window if one evidence object has an NTFS file system (timestamps stored in UTC) and the other a FAT file system (timestamps stored in local time). It also happens within the same evidence object, for example when sorting internal creation timestamps retrieved from file contents, such as ordinary Exif timestamps in JPEG (which are local) and GPS timestamps in JPEG (which are stored in UTC).

    Sorting all such timestamps now takes into account how these timestamps are displayed (in original local time or in a user-defined display time zone), such that the order is consistent with the displayed values and not with how the timestamps are internally stored. That means for example that the local Exif timestamp 2017-01-01 14:01 LT is sorted *after* a GPS timestamp stored as 12:00 UTC and displayed as 2017-01-01 14:00 +2, which is right if the undefined local time zone is equal to the display time zone, which in this example is UTC+2. That order can of course be wrong, as the unknown time zone of a local Content created timestamp could be somewhere east of UTC+2. The order could also be wrong if the user-defined time zone reference of timestamps from a FAT file system is wrong.

  • The event list's Timestamp column now respects the user-defined reference time zone for timestamps for file systems that store timestamps in local time and translates these timestamps to the current display time zone accordingly.

  • Ability to toggle between single and double column modes when viewing internal JPEG metadata in IM details mode. Given a sufficient screen resolution and window width, no scrolling is required any more to quickly review the entire internal metadata, as the summary table is on the right-hand side.

  • Option to display the Data Interpreter window with a certain degree of transparency. The practical value of this option remains to be discovered. It just looks cool.

  • If volume snapshot refinement is invoked for a virgin volume snapshot, this will now remember the option to conduct a simultaneous search immediately after refinement. That is useful in particular in conjunction with the command line interface.

  • A new command line command allows to load a list of search terms: "LST" (=load search terms). If followed by a colon and the name or complete path of a text file with 1 search term per line and if this precedes an RVS run with an implicitly triggered simultaneous search, the terms will be utilized for that search.

  • When viewing pictures with the internal graphics display library, the view window is no longer maximized if the picture has to be shrunk to fit the screen, and you now have a choice to either center such view windows on the screen as in previous versions or remember their top left position or their center position after you move them somewhere else on the screen. To make your choice, open the system menu of the view window (i.e. click the icon in the top left corner of the window). You can also decide whether or not such view windows should always be in the foreground, even in front of windows of other applications. Last but not least, you can choose to roughly remember the window size. That is especially useful in conjunction with the options to remember the top left position of the view window, to have only one view window at a time, and to update the view window automatically with just a single click on a file, so that at a place on your screen of your own choice you essentially have a fixed preview of pictures while the lower half of the data window can show something other than Preview mode, for example Details mode.

  • Templates can now display and edit UTF-16 Unicode string variables containing non-Latin characters.

  • Ability to copy the contents of templates as tab-delimited text into the clipboard through the template's system menu.

  • Ability to present the member variables of a template as entries in the Position Manager (either the general Position Manager or, if the data window represents an evidence object, in the evidence object's Position Manager). This also means they will be visually highlighted directly in the hex editor display and equipped with explanatory tooltips. The command for that can be found in the template's system menu as well.

  • Optionally, the regular template window can be skipped altogether and Position Manager entries can be generated right away, if you hold the Shift key when you apply a template.

  • Ability to copy text into the clipboard as UTF-16 Unicode even when the text column does not show UTF-16 Unicode, through the main menu. Ability to copy data into the clipboard as ANSI characters even when the text column shows UTF-16 Unicode.

  • Ctrl+Shift+Del now removes the "Duplicates found" marker from the selected files in addition to removing all kinds of hash set matches.

  • The search hit context preview in search hit lists can now be turned on and off in the context menu.
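
Added example (not X-Ways code): the Python below reproduces the sorting rule from the timestamp bullet above with constructed values. A UTC timestamp (GPS, NTFS) is converted to the display zone, a local timestamp with an examiner-defined reference zone is converted from that zone, and a local timestamp with an undefined zone is shown as-is, which amounts to assuming it is already in the display zone. Running the same rows under two display zones shows why the resulting order is only as good as that assumption. Names such as display_zone and the three sample rows are this example's own.

```python
"""Sort mixed UTC / local timestamps by their displayed value (example code).

Stamp kinds modelled here:
  "utc"        stored in UTC (NTFS, Exif GPS timestamps)
  "local"      local time, no time zone reference (Exif DateTimeOriginal)
  "local_ref"  local time with an examiner-defined reference zone (FAT)
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

Stamp = Tuple[str, datetime, Optional[timezone]]  # (kind, naive value, reference zone)


def display_zone(hours: int) -> timezone:
    """Fixed-offset display time zone, e.g. display_zone(2) for UTC+2."""
    return timezone(timedelta(hours=hours))


def displayed(stamp: Stamp, display_tz: timezone) -> datetime:
    """Aware datetime exactly as the column would show it under display_tz."""
    kind, value, ref = stamp
    if kind == "utc":
        return value.replace(tzinfo=timezone.utc).astimezone(display_tz)
    if kind == "local_ref":
        if ref is None:
            raise ValueError("local_ref stamp needs a reference zone")
        return value.replace(tzinfo=ref).astimezone(display_tz)
    if kind == "local":
        # Unknown zone: shown unchanged, i.e. implicitly taken to be display_tz
        return value.replace(tzinfo=display_tz)
    raise ValueError(f"unknown timestamp kind {kind!r}")


def sort_by_display(rows: List[Tuple[str, Stamp]], display_tz: timezone) -> List[str]:
    """Labels in the order a column sorted under display_tz would list them."""
    ordered = sorted(rows, key=lambda row: displayed(row[1], display_tz))
    return [label for label, _ in ordered]


# Constructed rows after the newsletter's example: a GPS timestamp stored as
# 12:00 UTC (shown as 14:00 under UTC+2), an Exif timestamp of 14:01 with no
# zone, and a FAT timestamp 13:30 that the examiner assigned to UTC+1.
GPS = ("utc", datetime(2017, 1, 1, 12, 0), None)
EXIF = ("local", datetime(2017, 1, 1, 14, 1), None)
FAT = ("local_ref", datetime(2017, 1, 1, 13, 30), display_zone(1))
ROWS = [("exif", EXIF), ("gps", GPS), ("fat", FAT)]

if __name__ == "__main__":
    for hours in (2, 3):
        tz = display_zone(hours)
        shown = {label: displayed(st, tz).strftime("%H:%M %z") for label, st in ROWS}
        print(f"display UTC{hours:+d}: order {sort_by_display(ROWS, tz)} shown as {shown}")
```

Under UTC+2 the column reads gps, exif, fat; under UTC+3 the same three stamps read exif, gps, fat, because only the undefined Exif value stays glued to the display zone while the other two move with it. When the order of such mixed rows matters for a finding, it is worth recording which display zone was active.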

Disk/Image Support

  • Now can address and open up to 128 physical storage devices in Windows instead of 64 (those numbered 0 through 127).

  • When creating a skeleton image, if the first read operation is triggered from a data window that represents a partition opened from within a physical disk, the skeleton image will become a partition/volume image instead of a full disk image, unlike in previous versions. Read operations in other data windows (representing the surrounding physical disk or its other partitions) have no effect on the skeleton image.

  • Support for a new acquisition date format in certain third party .e01 evidence files.

X-Tensions API

  • The XWF_GetCaseProp function can now be used to learn the creation timestamp and the internal ID of the current case. XWF_GetVSProp can now be used to define the hash types of a volume snapshot.

  • The X-Tension function XWF_GetHashValue now has the ability to retrieve the primary hash value and the secondary hash value at the same time, and it has the ability to compute the requested hash values if they are not stored in the volume snapshot yet.

  • Prompts the user whether or not stubborn C# X-Tension DLLs that cannot easily be unloaded should be forced to unload after execution. Programmers may prefer to do that when debugging their own X-Tensions, but apparently this can prevent using the same DLL a second time in the same session of X-Ways Forensics, so ordinary users had better choose No.

Miscellaneous

  • The password collection of a newly created case is now initialized with the general password collection. The general password collection can now be opened for editing from within Options | Security. The password collection of a case is used with encrypted archives as well as encrypted documents whenever the case is loaded.

  • When importing hash values from Project Vic, the user is now asked whether US or Canadian standard categories should be preset.

  • Solved an import problem with certain surprising whitespace characters in Project Vic JSON files.

  • When filling blocks/files/disks with constant hex values, now any number of two-digit hex values up to 16 is allowed.

  • Some stability improvements.

  • Many minor improvements.

  • User manual and program help updated for v19.6.

  • Oracle has provided some fixes to the viewer component, in particular for viewing PDF files and to address some security issues (no details available).


Changes of service releases of v19.6

  • SR-1: No longer loads incompatible parts of .settings files from v19.5.

  • SR-1: No longer uses uncovered thumbnails with type status "not confirmed" as auxiliary thumbnails in the gallery.

  • SR-2: Automatically changes the "Store .e01 metadata for fast re-open" option from fully to half selected if it is detected that the storage device or volume containing the image is write-protected.

  • SR-2: Fixed a problem detecting the size of evidence objects that are files or directories.

  • SR-2: Ability to add multiple single files that are located in the same directory to the same case as evidence objects. Previous versions cannot open cases with single-file evidence objects that were saved by v19.6 SR-2.

  • SR-2: Ability to process certain Windows thumbcaches with an unusual signature variant.

  • SR-2: When viewing pictures with the internal graphics viewing library, the generated windows are now guaranteed to be in the foreground, even if the gallery has been decoupled from the data window.

  • SR-2: Securely wiping selected files failed with an error message on logical drive letters. That was fixed. (It worked fine when applied to the physical disk's partition instead.)

  • SR-2: Proper identification of SQLite database subtype in some rare cases where this did not happen previously.

  • SR-2: Fixed an exception error that could occur when saving the case with a new name if the case root window was open.

  • SR-2: Ability to decrypt files in certain file archives that could not be decrypted previously.

  • SR-3: Fixed a potential source of instability when populating the gallery with multiple threads in the x64 edition.

  • SR-3: Fixed inability to open files in certain GZ archives more than once while the evidence object is open.

  • SR-3: Fixed a rare exception error that could occur at the beginning of the "examining files" phase of volume snapshot refinement in Ext* file systems.

  • SR-3: Fixed an error that could prevent storage of performance enhancing image metadata in some rare configurations.

  • SR-3: Fixed an error in carving of TIFF files.

  • SR-3: Fixed a problem with white text on white background in the directory browser that could occur when using conditional cell coloring.

  • SR-3: For some columns the FlexFilters never returned a result. That was fixed.

  • SR-3: When naming recovered/copied files after a selected column, the extension of the current filename in the volume snapshot is now no longer appended to the alternative name.

  • SR-4: The RunCount for Windows 8 Prefetch files was shown correctly in Details mode, but not in the Metadata column. That was fixed.

  • SR-4: The contents of the Metadata column is now always shown in Details mode if it contains marked user-defined or X-Tension defined entries. It is suggested that users mark their manual additions with their initials in square brackets and that X-Tensions mark their additions with [XT], so that they can be recognized as such. Any 1-4 characters between square brackets will have the described effect.

  • SR-4: An exception error occurred in v19.6 when opening drive letters without sector level access. That was fixed.

  • SR-4: The print cover page preview was not updated when printing multiple selected files at a time. That was fixed.

  • SR-4: Extraction of RTF-formatted e-mail bodies from PST/OST e-mail archives in cases where no alternative HTML or plain text e-mail body is available.

  • SR-4: Prevented an exception error that could occur when extracting metadata from Samsung style JPEG trailing data.

  • SR-4: A new option in Options | Volume Snapshot will allow recipients of evidence file containers to confirm that they have the exact same PhotoDNA hash database as the creator of the container, so that any PhotoDNA categories assigned to files (stored in the container as category numbers) will be matched with the corresponding category name in the user's current PhotoDNA hash database. If this option is not selected, only the original category numbers in the container's creator's database will be presented to the recipient of a container, no category name.

  • SR-5: Fixed a potential exception error that could occur with carved or corrupt files of Outlook 2011 for Mac.

  • SR-5: Improved stability when extracting Thunderbird index databases.

  • SR-5: Presents previous visits to a website from the Chrome history in addition to the last one, also as events, and the duration of each visit.

  • SR-5: Prevented the insertion of a disruptive line break when exporting a list of files with generator signatures included.

  • SR-5: Fixed possible infinite recursion with JPEG files created by Galaxy S3 Mini VE smartphones.

  • SR-6: Fixed extraction of e-mails (broken in v19.6) from MBOX e-mail archives whose names do not have an .eml extension.

  • SR-6: Fixed a rare error where certain attachment names in original .eml files and a few other formats could be truncated if encoded in Quoted-Printable.

  • SR-6: If a logical search was run in encrypted/protected PDF documents with the crash-safe decoding option without having checked for encryption prior to that, the search would have been unsuccessful even if the right password was provided. That was fixed.

  • SR-7: X-Tension API: The XWF_CreateEvObj function returned a handle to the wrong evidence object when called for evidence objects of types 0, 3 and 4. That was fixed.

  • SR-7: Case report: Under certain circumstances, report thumbnails of pictures were generated as if they were non-pictures (e.g. documents). That was fixed.

  • SR-7: Prevented a potential crash when extracting metadata from MP3 files that contain an ID3 tag with an incompatible GEOB entry.

  • SR-7: Extraction of modification timestamps from TAR archives with certain non-standard encoding with the alternative extraction method.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 

#158: X-Ways Forensics, X-Ways Investigator, WinHex 19.6 released

Mar 9, 2018

This mailing is to announce the release of another update with many notable improvements, v19.6.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Mar 13-16 London, England X-Ways Forensics
Mar 19-22 Gatineau, QC X-Ways Forensics
Apr 30-May 3 Chicago, IL X-Ways Forensics
May 3-4 Liverpool, England X-Ways Forensics II
Jul 9-12 Vancouver, BC X-Ways Forensics

Please sign up for our training newsletter here if you would like to be kept up to date on future classes.


What's new in v19.6?
(please note that most changes affect X-Ways Forensics only)

File Type Support

  • A new directory browser column is now available in X-Ways Forensics and X-Ways Investigator and populated during metadata extraction: Device type. This column shows the class of device that produced a given JPEG file, such as a smartphone's main camera, a smartphone's front/secondary camera, a point and shoot/compact camera, camcorder, DSLR, webcam etc. That information is derived from the generator signature. This column also comes with a filter. Filtering for the device type could be useful for example if you are looking for rather private photos (selfies taken with a smartphone's front camera) or rather professional photos (e.g. DSLR or digital camera back).

  • Scanned pictures used to be identified as such through report table associations. That is no longer the case. That they were generated by a scanner can now be seen in the new aforementioned column.

  • Pictures that were identified as screenshots are now shown with "screen" as the device type. The device type "screen" identifies screenshots and sometimes pictures that seem to be specially sized to match a certain screen resolution (e.g. wallpapers).

  • The GPS processing mode, if available, is listed in Details mode. This mode helps to estimate the reliability/precision of the coordinates. It is used by various manufacturers, and it can be one of the following values: Unknown, GPS, Network, Hybrid, Fused, or CELLID.

  • New entry named "Geolocation" in the extracted metadata and in Details mode, with the GPS coordinates in a notation as accepted by Google Maps, OpenStreetMap or Bing Maps. It also replaces the previous fields Latitude and Longitude in the extracted metadata as it is more suitable for automatic processing.

  • Three additional fields for Exif GPS data are output in Details mode where available: Altitude, Image direction, and GPS Error. Altitude might be helpful to judge the reliability of the geo coordinates. Image direction is a feature of high-end smartphones.

  • If there is something unusual about the presence of GPS coordinates in JPEG pictures, those GPS coordinates are now highlighted in blue color. For example if the GPS coordinates are present and a GPS timestamp is absent, for a mobile device type that is known to always include both at the same time (sometimes depending on whether the front or back camera is used), or for a camera type that is known to not have GPS, it could mean that the coordinates have been retroactively embedded. GPS timestamps that are different from the time when the photo was taken are also highlighted in blue color.

  • A new file named PhoneAliasTable.txt contains a translation from internal device designations to human-readable marketing names. In particular device designations used by Samsung, Motorola, LG and Huawei are rather cryptic and better understood if translated. This table can also contain the device's release date and region. That table is currently relatively sparsely populated, but its format is explained in the header so that users can help to complete it.

  • Details mode now shows firmware date and region for JPEG files created by many Samsung mobile phones, which can help to validate other metadata.

  • The table for the generator signature based Exif data validation now supports more than 11,000 devices (where the front cameras of smartphones count as separate devices).

  • Time zone extracted from files that were produced by some new Sony devices.

  • Twitter timestamps in JPEG files are recognized and output in the "Content created" column.

  • Extraction of Content created timestamp from JPEG files improved.

  • Automatic removal of interspersed padding data between two thumbnails in JPEG files created by various digital camera models, which was previously included in (prepended to) the second thumbnail's data.

  • PNG files now also receive a generator signature as part of metadata extraction, to identify PNG files that likely originate from the same source and PNG files that are screenshots.

  • Detection of the generating device type for some PNG files, also shown in the new Device type column.

  • Improved detection of PNG screenshots of old mobile phones.

  • Support for iOS netusage.sqlite files, which record the data usage of apps. Besides the amount of data flowing in and out, they also provide approximate timestamps of when apps were used for the first and last time. Appropriate events are extracted and an HTML preview is created containing all relevant information.

  • Improved stability when processing EVTX files.

  • Supports a new format variant of certain registry values in Windows 10.
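
Added example (not X-Ways code): the Python below produces the decimal "lat, lon" Geolocation notation described above from the three Exif RATIONALs per coordinate plus the N/S/E/W reference, and also parses the ISO 6709 string of the com.apple.quicktime.location.ISO6709 key mentioned in the v19.7 notes above (iPhones write the decimal-degrees form; the DDMM and DDMMSS forms of the standard are handled as well). gps_without_timestamp is a deliberately simplified version of the blue-highlight rule for coordinates without a GPS timestamp, without the per-device knowledge X-Ways applies. All sample values are constructed.

```python
"""Exif GPS rationals and ISO 6709 strings to decimal coordinates (example code)."""
import re
from typing import Dict, Optional, Sequence, Tuple

Rational = Tuple[int, int]


def dms_to_decimal(dms: Sequence[Rational], ref: str) -> float:
    """GPSLatitude/GPSLongitude: (deg, min, sec) RATIONALs plus ref N/S/E/W."""
    if len(dms) != 3:
        raise ValueError("expected degrees, minutes, seconds")
    deg, minutes, sec = (n / d for n, d in dms)  # ZeroDivisionError on corrupt data
    value = deg + minutes / 60.0 + sec / 3600.0
    if ref.upper() in ("S", "W"):
        value = -value
    elif ref.upper() not in ("N", "E"):
        raise ValueError(f"bad GPS reference {ref!r}")
    return value


def geolocation(lat: float, lon: float) -> str:
    """Notation accepted by Google Maps, OpenStreetMap and Bing Maps."""
    return f"{lat:.6f}, {lon:.6f}"


def exif_geolocation(tags: Dict[str, object]) -> Optional[str]:
    """'lat, lon' from Exif tags, or None when coordinates are absent."""
    try:
        lat = dms_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
        lon = dms_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"])
    except KeyError:
        return None
    return geolocation(lat, lon)


def gps_without_timestamp(tags: Dict[str, object]) -> bool:
    """Simplified anomaly rule: coordinates present but no GPS time/date stamp."""
    has_coords = "GPSLatitude" in tags and "GPSLongitude" in tags
    has_time = "GPSTimeStamp" in tags or "GPSDateStamp" in tags
    return has_coords and not has_time


_ISO6709 = re.compile(
    r"^([+-]\d+(?:\.\d+)?)([+-]\d+(?:\.\d+)?)([+-]\d+(?:\.\d+)?)?(CRS[^/]*)?/?$")


def _iso6709_angle(text: str, degree_digits: int) -> float:
    """ISO 6709 packs D, DM or DMS into the digits before the decimal point."""
    sign = -1.0 if text[0] == "-" else 1.0
    body = text[1:]
    extra = len(body.split(".")[0]) - degree_digits
    d = degree_digits
    if extra == 0:                       # DD.DDDD
        value = float(body)
    elif extra == 2:                     # DDMM.MMMM
        value = float(body[:d]) + float(body[d:]) / 60.0
    elif extra == 4:                     # DDMMSS.SS
        value = float(body[:d]) + float(body[d:d + 2]) / 60.0 + float(body[d + 2:]) / 3600.0
    else:
        raise ValueError(f"malformed ISO 6709 angle {text!r}")
    return sign * value


def parse_iso6709(text: str) -> Tuple[float, float, Optional[float]]:
    """'+48.8577+002.2950+031.000/' -> (lat, lon, altitude in metres or None)."""
    m = _ISO6709.match(text.strip())
    if not m:
        raise ValueError(f"not an ISO 6709 string: {text!r}")
    lat = _iso6709_angle(m.group(1), 2)   # latitude: two degree digits
    lon = _iso6709_angle(m.group(2), 3)   # longitude: three degree digits
    alt = float(m.group(3)) if m.group(3) else None
    return lat, lon, alt


# Constructed samples: Exif GPS tags of a photo (no GPS time stamp) and the
# location string of an iPhone MOV file
PHOTO = {
    "GPSLatitudeRef": "N", "GPSLatitude": ((48, 1), (51, 1), (2760, 100)),
    "GPSLongitudeRef": "E", "GPSLongitude": ((2, 1), (17, 1), (4200, 100)),
}
MOV_LOCATION = "+48.8577+002.2950+031.000/"

if __name__ == "__main__":
    print("photo:", exif_geolocation(PHOTO), "| GPS time missing:", gps_without_timestamp(PHOTO))
    lat, lon, alt = parse_iso6709(MOV_LOCATION)
    print("video:", geolocation(lat, lon), "| altitude:", alt)
```

Both sources land in the same decimal notation, so coordinates from a photo and from a video of the same incident can be compared directly; rounding to six decimals keeps roughly 10 cm of precision, far below what the GPS processing mode above would justify anyway.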

Picture Display

  • If pictures in Preview mode are shown by the internal graphics viewing library, not the separate viewer component, they can now be rotated in 90° steps by clicking the left mouse button (to rotate to the left) and the right mouse button (to rotate to the right).

  • Photos taken by mobile phones and digital cameras of certain major manufacturers in portrait mode are stored in landscape orientation and marked as to be rotated left or right in the Exif metadata. Both Preview mode and the View command now adjust those photos to the correct orientation automatically, only with the internal graphics viewing library, not the viewer component. The gallery also automatically adjusts the orientation (not for auxiliary thumbnails).

  • Clicking the middle mouse button in Preview mode when a picture is shown by the internal graphics viewing library will mirror the picture (flip horizontally) or if the Shift key is pressed flip the picture vertically. Please note that this operation is applied in addition to any active rotation.

  • The currently active rotation and flip mode are described by some symbols in the upper right corner. Additionally, if no flipping has taken place, but a rotation, the letters "BR" indicate what in the original graphical data was the bottom right corner.

  • Ability to display certain rare PNG files with invalid zlib compression.

User Interface

  • Video files, audio files, Office documents and plain text files can now optionally be represented by special icons, just as previously only picture files. You can enable special icons separately for each such category in the directory browser options dialog window.

  • Many additional icons in the user interface, in particular for the mode buttons and external programs.

  • Closed envelope icons now reflect the known unread status of e-mails.

  • Right-clicking anywhere in the Mode button bar outside of all the buttons will now show or hide the divider line between the directory browser and the lower half of a data window. If the divider line is visible, it is thicker now with high DPI settings to make it easier to grab that line and adjust the height of the directory browser. If the divider line is invisible, you can adjust the window height by left-clicking in the Mode button bar and moving the mouse cursor up and down while holding the mouse button. Without the divider it is also more intuitive that the right-hand side of the Mode button bar acts as a status bar of the directory browser and that the buttons in the right half affect the upper half of a data window.

  • Improved support for high DPI settings in general.

  • The height of the directory browser options dialog window is now automatically increased as the vertical resolution of the main screen allows in order to accommodate as many column labels as possible and ideally do away with the scrollbar if no longer required.

  • Russian translation of the user interface updated.

  • Option to get prompted for each file when printing with direct child objects.

  • Option to output only non-blank fields on the print cover page.

Performance

  • Ability to populate the gallery with thumbnails using multiple threads. This makes the biggest difference for high-resolution JPEG pictures whose embedded thumbnails have not been uncovered yet (e.g. during preview of a live machine) or are not used as auxiliary thumbnails, for which the decompression procedure is computationally intensive.

  • Accelerated volume snapshot finalization for large snapshots with many directories in "Path unknown".

  • Ability to refine volume snapshots on storage devices with sector wise access using multiple threads just like on images and in directories.

  • Ability to open large .e01 evidence files faster after the first time, by keeping some internal image metadata for navigation in a separate file. This can make a big difference if the image is stored on media with slow access, in particular remote network drives. Can be turned off in Options | Security, as that is where all the .e01 options are located. If fully checked, the separate file is stored in the same directory as the image itself, so that even other cases / other users that open the same copy of the same image benefit from the increased performance if the separate file has been created before. If half checked, the separate file is stored in the evidence object's internal metadata directory of the current case.

    In an attempt to protect their image files from accidental alteration, deletion, or corruption and to maximize the revenue of hardware write blocker manufacturers, a few of our users not only write-block suspect storage devices, but also their own storage devices if those devices contain image files. Those users are well advised to half-check this option for obvious reasons, and here is a friendly reminder that write blocking interferes with the proper functioning of the operating system and application programs because it untruthfully signals write success when actually no data is written, preventing the OS and application programs from realizing that the data they wanted to write could not be written. Write blocking is meant for special situations only. The recommended method to protect one's own data (e.g. images in the case of a computer forensic examiner) would be official write protection that the OS is aware of or enforces itself, not sneaky write blocking. (And backups are good, too, of course.)

Storage Device Management

  • The list of logical volumes in Tools | Open Disk can now optionally include volumes that are active in Windows, but not currently associated with any drive letter. Please understand that whenever you open volumes, whether with drive letter or without drive letter, no volume slack is presented. Volume slack is included only if you open the physical storage device first and then the partition that contains the volume.

  • Active volumes that are not ordinary volumes are displayed with a special icon and a special description, e.g. "TrueCryptVolumeX". Useful so that on a live system that you wish to preview, examine or acquire you can quickly see which volumes may need to be addressed separately (in addition to physical storage devices) because it would be difficult to reconstruct or unlock them later based on the data on the physical storage device.

  • If volumes without connected drive letter are listed, that also includes volumes that have been mounted within Windows as a junction point in another volume. Such volumes are listed with a special link icon, and the junction point is displayed between volume label and volume size.

  • The list of volumes that do not have drive letters may also include volumes that were previously active in Windows. Those are marked with a crossed-out red circle icon. For example, a previously mounted TrueCrypt volume that was dismounted might be shown in this fashion. Such volumes cannot be opened any more; they are just listed for informational purposes, which is useful when running X-Ways Forensics on a live system that needs to be examined.

  • A new command in the Specialist menu allows you to write-protect locally attached physical storage devices (including removable media, except optical media) with all their volumes everywhere in the operating system, in all applications, even at the sector level in WinHex itself, no matter which edit mode is active. This can be useful to protect original disks that need to be acquired or analyzed (but only after Windows has detected and accessed them) and your own disks that contain images, from accidental alteration, deletion, or data corruption. The effect will last until you remove the write protection again or unplug the devices or reboot your computer. To keep Windows from touching newly attached physical storage devices before you can write-protect them (i.e. to keep them in "offline" mode first), you would need to disable automatic mounting in Windows (and verify that this works). Turning on write protection for an offline disk will automatically bring the disk online while rendering it read-only at the same time. Careful, do not write-protect disks that your Windows system needs to write to for proper functioning.

  • This new command also allows you to selectively write-protect only specific volumes (if mounted as drive letters), not the entire physical storage device. Please note that the read-only status of a volume cannot be lifted selectively if the entire underlying physical storage device is read-only.

  • If a physical storage device is treated as offline or read-only in Windows Disk Management, that information is now displayed in all disk selection dialog windows. Offline disks can be opened for reading/imaging/analysis.

  • Better support for Linux MD RAIDs with container partitions on GPT-partitioned disks.

File System Support

  • Referrer URLs in Zone.Identifier alternate data streams are now presented in the Metadata column if such ADS are not included in the volume snapshot.
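    The Zone.Identifier stream mentioned above is the Mark-of-the-Web that Windows attaches to downloaded files; its content is a short INI-style text block with a [ZoneTransfer] section that carries a ZoneId and, on newer Windows versions, ReferrerUrl and HostUrl fields. The following parser is an added example written for this newsletter entry and is not X-Ways code; it reads the raw stream content, tolerates the older ZoneId-only form, CRLF or LF line endings and a UTF-8 BOM, and produces a one-line summary of the kind an examiner would expect in a metadata column. The sample streams are constructed, and the zone-id names are the standard Windows URL security zones.

```python
"""Parse the content of a Zone.Identifier alternate data stream.

Added example (not X-Ways code). The stream content is an INI-style text
block with a [ZoneTransfer] section. All sample streams below are constructed.
"""
import re

# Windows URL security zone ids; names are informational only.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

_KEY_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_zone_identifier(data: bytes) -> dict:
    """Return zone id/name and referrer/host URLs found in the stream.

    Tolerates CRLF and LF line endings, a UTF-8 BOM, undecodable bytes,
    and streams that carry only ZoneId (the form older Windows versions wrote).
    Missing fields are reported as None rather than raising.
    """
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    result = {"zone_id": None, "zone_name": None,
              "referrer_url": None, "host_url": None}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("["):
            # Only keys inside [ZoneTransfer] are meaningful.
            in_section = stripped.lower() == "[zonetransfer]"
            continue
        if not in_section:
            continue
        m = _KEY_RE.match(stripped)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "zoneid":
            try:
                result["zone_id"] = int(value)
                result["zone_name"] = ZONE_NAMES.get(result["zone_id"], "Unknown")
            except ValueError:
                pass  # malformed ZoneId: leave as None
        elif key == "referrerurl":
            result["referrer_url"] = value
        elif key == "hosturl":
            result["host_url"] = value
    return result


def summarize(data: bytes) -> str:
    """One-line summary of the stream, suitable for a metadata column."""
    info = parse_zone_identifier(data)
    if info["zone_id"] is None:
        return "no ZoneTransfer data"
    parts = [f"Zone {info['zone_id']} ({info['zone_name']})"]
    if info["referrer_url"]:
        parts.append(f"referrer={info['referrer_url']}")
    if info["host_url"]:
        parts.append(f"host={info['host_url']}")
    return "; ".join(parts)


# Constructed sample streams (not taken from any real case).
SAMPLE_WIN10 = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                b"ReferrerUrl=https://example.test/downloads/\r\n"
                b"HostUrl=https://cdn.example.test/files/report.docx\r\n")
SAMPLE_OLD = b"[ZoneTransfer]\r\nZoneId=3\r\n"      # ZoneId-only form
SAMPLE_GARBAGE = b"not a zone identifier stream"   # e.g. a carved false positive


if __name__ == "__main__":
    for sample in (SAMPLE_WIN10, SAMPLE_OLD, SAMPLE_GARBAGE):
        print(summarize(sample))
```

    The referrer and host URLs are attacker-controlled input from the download site, so a tool that surfaces them in a report should treat them as untrusted strings (no HTML rendering, no automatic link following); the parser above deliberately keeps them as plain text.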

  • Support for 1 KB FILE records in NTFS volumes with a sector size of 4 KB.

  • Rejects more invalid/corrupt FAT directory entries than before.

  • Fixed occasional absence of exFAT allocation information for file allocation table entries in the Info pane.

  • Unix style symlinks now have a file icon with a little arrow for easier identification.

  • Reparse points/junction points in NTFS file systems now have a directory icon with a little arrow to identify them as special directories in the directory browser. Such directories are no longer initially marked as "already viewed" in a newly taken volume snapshot.

Miscellaneous

  • Support for 5-digit filename extensions in segmented raw images.

  • More stable when dealing with corrupt .e01 evidence files.

  • Passing on internal file metadata in evidence file containers is now a 3-state check box. If half checked, only extracted senders and recipients of e-mails will be passed on and not general metadata as known from the Metadata column.

  • The command line parameter “RVS” now includes a screenshot of the volume snapshot refinement dialog in the case activity log showing the active refinement settings. That screenshot is either textual or graphical in nature depending on your case activity log settings.

  • If "Page break after x table rows for printing" is selected for the case report, that will now also insert a page break after each report table.

  • The size of an evidence object that is a directory is now the total recursive size of all its files, not the total capacity of the volume on which it resides. That size is now also shown in the Info Pane as "used space", though the "free space" and "total capacity" are still those of the host volume.

  • The weight of the device type for the generic relevance judgement can now be defined in the file Generator Signatures.txt. The weight factor can be found at the end of the *** line. It may be between 0 and 50.

  • The number of categories per device type in Generator Signatures.txt has increased, and there is a new category "Unknown".

  • Ability to schedule a shutdown or (if supported) hibernation of the machine after a certain number of minutes, in Options | Security. Guaranteed to work only if nothing keeps the machine from powering down, e.g. other application programs with unsaved work etc. If you half-check to proceed "brutally", that should power down the machine even if an application is hung. If fully checked, that will not even wait for other applications that prompt the user what to do with any unsaved work longer than a few seconds. If you exit the instance of WinHex/X-Ways Forensics in which you have scheduled the shutdown, the shutdown won't happen. It is possible to cancel a previously scheduled shutdown without restarting the program.

  • Some stability improvements.

  • Many minor improvements.

  • User manual and program help updated for v19.6.


Changes of service releases of v19.5

  • SR-1: The internal creation date of XML/Zip-based Office documents was incorrectly assumed to be UTC-based during extraction. That was fixed.

  • SR-1: A few filters could not be activated any more in v19.5 by clicking the respective funnel symbols in the column headers, only from within the dialog window with the directory browser options. That was fixed.

  • SR-1: Parses a GUID partition table if present even if the MBR has a valid partition table itself and does not point to the presence of GPT partitioning.

  • SR-2: Ability to use the RAID reconstruction feature to rebuild a JBOD that consists of just a single component. That could be useful to get a single partition of an MD RAID with RAID level 1 interpreted as a physical disk within X-Ways Forensics.

  • SR-2: Processing of SQLite databases with the identification as sqlite3 in the Type column.

  • SR-2: Fixed "Extents cannot be accessed" error that could occur on some highly fragmented HFS+ volumes.

  • SR-2: Fixed an error or crash that could occur when viewing nested files purely with the viewer component in v19.5.

  • SR-2: More stable when trying to decompress corrupt data that is presumed to be XPRESS-compressed.

  • SR-2: Fixed a possible read error in conjunction with image files in v19.5.

  • SR-3: Certain existing files in evidence file containers that originated from exFAT file systems were erroneously not included in the volume snapshot if "Include deleted files in snapshot at all" was not checked. That was fixed.

  • SR-3: Fixed a crash that could occur when adding e-mails with an extremely long list of recipients to an evidence file container.

  • SR-3: Prevented a possible exception error with certain Chrome cache files.

  • SR-3: The work-around to view Windows 10 Prefetch files under Windows 7 did not work any more in v19.5. That was fixed.

  • SR-4: Improved stability when decompressing data that is expected to be WofCompressed, but is not really WofCompressed, and for certain unsupported WofCompressed data.

  • SR-4: Fixed an exception error that occurred when creating a case report if an evidence object had positions/bookmarks without description in the Position Manager.

  • SR-4: Fixed a possible exception error when uncovering embedded data from PE executable files.

  • SR-4: The alternative .eml preview now correctly deals with bodies that contain concatenated HTML documents, such as found in Skype conversations that were auto-saved in MS Exchange.

  • SR-4: Fixed an exception error that could occur at the beginning of the file-wise processing of volume snapshot refinement if started from the command line.

  • SR-4: Fixed inability to change the user interface language in X-Ways Investigator right in the user interface.

  • SR-5: Prevented exception errors that could occur with carved corrupt Canon Zoom Browser files (.info).

  • SR-5: Some previously existing directories of which traces were found in $LogFile were erroneously included in the volume snapshot as files. That could lead to consequential parent-child problems for files that were contained in those directories, if traces of these files were also found in $LogFile.

  • SR-5: Fixed an error that under certain circumstances prevented the removal of unwanted hash values from a specifically targeted hash set in the hash database.

  • SR-5: Fixed an exception error that could occur when generating the alternative preview of .eml files.

  • SR-5: Fixed incomplete GPS latitude output.

  • SR-5: Fixed an exception error that occurred in v19.5 when recovering files by type from within uninterpreted raw image files.

  • SR-5: Prevented reproduction of trailing backslashes in evidence object names as top level directory names in evidence file containers.

  • SR-5: Fixed an exception error that could occur in the 64-bit edition when activating the Type filter with a user-defined type list.

  • SR-6: More strict checking of $USNJrnl:$J data before extraction to prevent instabilities with potential data corruption.

  • SR-6: Automatic removal of interspersed padding data between a thumbnail and a low-resolution alternative of a photo in JPEG files created by various digital camera models, which was previously included in (prepended to) the low-resolution alternative and prevented immediate viewing.

  • SR-6: Fixed an exception error that could occur when parsing incomplete sets of thumbcaches of Windows 7.

  • SR-6: Prevented a possible crash that could occur with certain corrupt or irregular ID3 metadata in MP3 files.

  • SR-6: Implemented a more precise handling of Google Chrome's SyncData which results in a more detailed extraction of artifacts.

  • SR-6: Extraction of embedded JPEG attachments from certain original .eml files with an unusual encoding style.

  • SR-6: Better protection against corrupt .evt files.

  • SR-6: Stored search hits were not automatically loaded when an evidence object was opened by the "Last session" project. That was fixed.

  • SR-6: Fixed an error that in v19.3 and later could lead to sector read problems.

  • SR-6: Prevented unnecessary output of "Cannot write..." error messages for certain SQLite databases in certain situations when actually no error had occurred.

  • SR-7: Under certain circumstances, logical simultaneous searches in v19.5 were aborted prematurely if the "1 hit per file" option was selected, and the user was informed of that. That was fixed.

  • SR-7: Reading uninitialized areas of files is now forced for shadow copy host files when volume shadow copies are parsed, no matter which setting for reading uninitialized areas is active.

  • SR-7: If the surrogate pattern for unreadable sectors is completely removed, that will now result in all zeroes again, as documented and as known from v19.1 and earlier, without line breaks.

  • SR-7: When viewing password-protected documents with the viewer component for which the password list did not contain the correct password, after manually entering the correct password, a wrong password was remembered in the metadata column. That was fixed.

  • SR-7: Duplicate identification based on timestamp columns did not work correctly before. That was fixed.

  • SR-7: Fixed an exception error that could occur when uncovering embedded bitmap resources from corrupt PE executable files.

  • SR-8: Fixed inability of SR-6 and SR-7 to extract attachments from loose .eml files and e-mails in MBOX archives.

  • SR-8: Fixed potentially incomplete processing of some rare SQLite database files.

  • SR-8: Fixed a potential instability when extracting e-mails from MBOX e-mail archives.

  • SR-8: Fixed display error with extremely high DPI settings.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany
