X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 


WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#155: X-Ways Forensics, X-Ways Investigator, WinHex 19.3 released

Jun 14, 2017

This mailing is to announce the release of another notable update with many, many important improvements, v19.3.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.

Every now and then we still receive a request about a replacement of a lost or stolen uninsured dongle although we have pointed out many times that we do not replace such dongles. We ask for your understanding that we provide only 1 working dongle per license, not as many as customers want. We have never made an exception in our entire company history. Anyone who still asks for a replacement of a lost dongle that was not insured will forfeit their chance for a good-will discount on the purchase of a new license.


Upcoming Training

Jul 3-6 London, England X-Ways Forensics
Jul 24-27 Ottawa, ON X-Ways Forensics
Aug 15-18 London, England X-Ways Forensics
Sep 25-28 Chicago, IL X-Ways Forensics
Oct 23-27 Toronto, ON X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


What's new in v19.3?
(please note that most changes apply to X-Ways Forensics only)

File System Support

  • If the file header signature search in volumes with a supported file system other than Ext2/Ext3 finds the start of a file in free space, at a cluster boundary, the data is now by default assumed to flow around potentially following clusters that are marked by the file system as in use. This will correctly reconstruct files that were created after and stored around other files and then deleted, as long as the released clusters were not re-used and overwritten afterwards. To prevent file carving purely in free space this way, i.e. to make it work as in previous versions, you can UNcheck the new option "Carve files in free clusters around used clusters". This option takes effect only at the moment when files are added to the volume snapshot, not retroactively for files that were added previously. Carved files purely in free space retain the storage location that was assumed when they were added to the volume snapshot even if the option is changed afterwards. However, older versions of X-Ways Forensics will not understand that certain files are assumed to flow around allocated clusters and thus would present them as contiguous files as usually when they work with the same volume snapshot.

  • Tools | Disk Tools | File Recovery by Type offers the same cluster assignment logic.

  • If the file carving definition has the strong greedy flag ("G"), after carving a file that flows around allocated clusters, the file header signature search will only skip first fragment of the carved file. The "h" flag for header exclusion prevents the new carving method from being applied to the affected file types.

  • The same logic to skip in-use clusters is now by default also applied to deleted files in volume snapshots of FAT12, FAT16, FAT32, and exFAT file systems, if not disabled in Options | Volume Snapshot. That means that data of deleted files is now not necessarily assumed to be contiguous any more, but assumed to occupy as many free clusters from the start cluster number as are necessary to accommodate the known file size, while skipping clusters that are marked as in use by existing files. If the end of the volume is reached that way, the next free clusters are taken from the start of the volume, replicating the built-in logic of typical FAT32 file system drivers to rotate through the volume on the search for allocatable clusters. As this volume snapshot option retroactively changes the assumption about the storage location of files that are already contained in the volume snapshot, changing this option will also cause hash values to change if they are re-computed.

  • Significantly improved ability to recover deleted files and directories in FAT32 volumes (ability to get the start location right, in newly taken volume snapshots only).

  • File mode now offers a "raw" submode for NTFS-compressed files. In Raw mode you can actually see the compressed data as well as the sparse clusters, not the decompressed state of the file. This is useful for research or educational purposes and because theoretically small amounts of data could have been manually hidden in the not clearly defined, but implicitly existing slack area of each compression unit, which follows the compressed payload data.

  • Reduced the number of false positives when scanning for lost Ext3/Ext4 partitions.

  • The "List Clusters" command in the directory browser context menu has been revised. It can now be applied to some more "exotic" objects that it could not deal with before, such as certain embedded files, certain file system area files, and carved files. It automatically outputs sector instead of cluster numbers for any objects that are not aligned at cluster boundaries. It outputs the total number of clusters or sectors even if contiguous series of clusters are represented in the optional compact fashion. If exported to a text file, the cluster list is automatically opened in the user's preferred text editor. The effects of the aforementioned new cluster assignment logic options are visible in newly populated cluster lists.

  • The volume snapshot options are now more clearly structured, split into file system specific settings and file system independent settings.

  • There is a new volume snapshot option that causes X-Ways Forensics to read known uninitialized portions at the end of a file (valid data length < logical file size) as binary zeroes instead of as whatever data is stored in the clusters allocated. This mimics the behavior of Windows when ordinary applications open files through the operating system instead of reading the contents of the file directly from the sectors in the volume. Useful for example to achieve hash compatibility with such applications. This new option does not apply to read operations for logical searches, so that logical searches remain forensically thorough and clusters allocated to uninitialized portions of files are still searched. This option has an immediate effect even on already opened files, for the next read operation.

File Format Support

  • Details mode for JPEG files now shows an additional table at the bottom. This table contains the generator signature as well as the "condition" of the file, which may be "incomplete" (if the file was truncated) or "trailing data" (if surplus data was appended to the JPEG data) or in some cases "original" (if the file is believed with great certainty to be in a pristine, unaltered state). "Original" is based on the presence of thumbnails, the absence of color correction certificates, the absence of unoriginal metadata such as XMP, based on timestamps, based on artifacts left behind by known editing software, and on whether a resize operation is detected.

  • Improved detection of scanned images. The model designations of known scanning devices can be manually extended in the section "KnownScanner" of "Generator Signatures.txt". Identification by model name can help to identify scanned images if they contain Exif data or were edited. Generally the detection as scanned images is based on 1) generator signature, 2) generic properties of the Exif metadata (FileSource, Density, ...) and 3) the KnownScanner list.

  • Improved detection of screenshots in JPEG format.

  • Recognition of JPEG files produced by Twitter through their generator signature.

  • Checking the passwords in the password collection provided for file archive exploration is now more thorough, avoiding some rare false password matches.

  • Fixed a rare exception error that could occur with password-protected RAR archives. Fixed another rare exception error in conjunction with file archive handling.

  • RAR hybrid files now automatically receive a child object named "Trailing data" so that no manual effort is required any more to access the hidden data.

  • Uncovers embedded data from some more .vcf files.

  • Carving method ~109 implemented for Blu-ray videos.

  • Google Analytics signature moved from the "Special Interest" category to "Internet", as it has proven to be quite worthwhile to collect web surfing events.

  • For UserAssist program executions, the event description column now has the plain text description after ROT13 decoding.

  • Ability to interpret image files in TAR archive as disks without having to copy/extract them out. Very handy for VMDK virtual machine disks within OVA files (open virtualization archives in TAR format).

  • Ability to extract metadata from some new PDF format variants. PDF metadata extraction generally revised.

  • Prefix "Reporting::" inserted in generator signature definitions for easier filtering for the category reporting/records (account statements, credit card statements etc.).

  • Detection of scanned PDF documents further improved.

  • Different e-mail recipient groups (To:, Cc:, and Bcc:, if present) are now more clearly separated from each other in the Recipients column and the alternative .eml presentation.

  • Cc: and Bcc: recipients are now distinguished from To: recipients in the Recipients column for MSG e-mail files as well.

Timestamps

  • In the properties of evidence objects with a FAT file system you can now optionally define which time zone the local timestamps in that file systems are based on, if you have an opinion about that. That time zone depends on the settings of the computer or device that wrote to the file system. (Keep in mind that those settings may have changed over time and thus a single time zone may not be adequate to get all timestamps right.) If you define the time zone reference, file system level timestamps are presented according to the selected display time zone and not in their original local time any more. They are internally converted from local time to UTC (based on your time zone reference) and then from UTC to the display time zone, at the moment when the timestamps are displayed. The effect is not permanent, the reference time zone settings can be changed at any time. The definition of a time zone reference is lost if you open a case in versions older than v19.3.

  • When copying files from FAT file systems to an evidence file container, file system level timestamps of these files are usually marked in the container as based on an unknown local time zone so that they will not be time zone adjusted when reviewing the container in the future. If however you are certain about the original time zone and define the time zone reference for the source evidence object, the timestamps are converted to UTC within the container based on the reference time zone and marked in the container as timestamps in UTC, permanently. In that state the timestamps later will be adjusted according to the selected display time zone, even if you change your mind and change the reference time zone in the source evidence object. The evidence file container is self-contained and separate from the source evidence object once files have been copied.

  • The time zone conversion hints after timestamps in the directory browser (the number of hours that have been added to or subtracted from UTC) are now included in tooltips for these cells.

  • Consistency of timestamp notation and Unicode capability of timestamp notation improved in a few places in the GUI and in the case report/log.

  • As the number of years represented in Calendar mode is limited, garbage timestamps in the far past can keep you from seeing the years that you are interested in if you don't set a filter or don't delete events with garbage timetamps. A new option now allows to set the minimum year that will be represented by the calendar. Any timestamps in earlier years will be disregarded by the calendar even if no filter is active. By default, the minimum year is the year 2000. To change it, click the number of the first year on the left in Calendar mode.

  • The Data Interpreter and also templates can now display and edit FILETIME timestamps with a precision of milliseconds, depending on the settings in Options | Notation.

  • Timestamps of files in OS directory listings and remote network drives are now displayed with higher precision.

  • Display of internal creation timestamps in the "Content created" column with millisecond precision, where available.

Searching

  • The whole words only option of the Simultaneous Search works with a user-defined alphabet of characters of which words are composed, in order to identify what a word is and where its boundaries are. In previous versions, only an alphabet of characters from the Latin 1 code page was supported (for all Western European languages). Now an additional alphabet can be defined for letters of certain other languages. If activated, it is used for searches in UTF-16 and searches in regional ANSI/OEM/IBM/ISO/Mac code pages with only 1 byte character such as for Cyrillic, Greek, Turkish, Arabic, Hebrew, Vietnamese, and various Central/Eastern/South Eastern European languages. The Cyrillic alphabet is predefined.

  • Ability to index words that contain characters with special GREP meaning, such as #.?()[]{}\*, without masking them, both with the "range:" prefix and without.

  • Manual relocation or resize operations on search hits through the context menu may now exceed 32,767 bytes (up to 2,147,483,647 supported in both directions). Concerning a related command in the directory browser context menu, the size of carved files can now be set manually as an absolute number instead of as an adjustment to the previous size (through the directory browser context menu). The maximum size supported by this operation is 4,294,967,295 bytes.

  • Ability to run the simple search functions (Find Text, Find Hex Values) with the "List search hits" option in File mode even in evidence objects. The search hits will be collected in the general Position Manager.

  • Search hits in the general Position Manager are now optionally deleted as soon as the general Position Manager is closed, to avoid confusion as positions in the general Position Manager have no reference to a particular file or disk and are intentionally applied to whatever data source is active when invoked. The option can be found in the Position Manager's context menu.

X-Tensions API

  • The XWF_GetItemType function now allows to find out the detected file format consistency for a file.

  • The XWF_ShouldStop function now does not only check whether the user wishes to abort lengthy operations, it also helps to keep the GUI responsive when the X-Tension is not executed in a separate worker thread. Calling this function regularly will process mouse and keyboard input, allow the windows to redraw etc. The user realizes that the application is not hanging, and potential attempts of the user to close the progress indicator window will be noticed. Even if you ignore the result of this function call during lengthy operations conducted by your X-Tension, you are doing something good already by making the calls in the first place.

  • The X-Tension function XWF_CreateEvObj can now add multiple image files to the case with a single function call.

  • New X-Tensions API function XWF_GetHashSetAssocs. Retrieves the name(s) of the hash set(s) that the specified file is associated with.

Keyboard Shortcuts

  • It is now possible to define up to 20 custom keyboard shortcuts for commands in the directory browser context menu and elsewhere, in a dialog window that can be accessed from within Options | Directory Browser. Currently available only in X-Ways Forensics. Shortcuts are meant to increase your productivity while using the functionality that you need most often. Only key combinations that involve the keys Ctrl, Alt Gr, Shift and Space are supported. Please note that if you use the Space key for any keyboard shortcut, you cannot use it any more to tag or untag items. The second key can be relatively freely defined by just pressing it when the grayed out edit box has the input focus. In case no human-readable description of the selected key is provided and you later forget what key you had defined, you can check out this list of hexadecimal key codes: https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx

    The following ~80 directory browser menu command codes can theoretically be used (not all tested) and have to be entered as a number:

    9800: View with external viewer program #1
    9801: View with external viewer program #2
    9802: View with external viewer program #3
    ...
    9831: View with external viewer program #32

    9919: Define file type
    9920: Go to related file
    9921: Refine volume snapshot for selected files
    9927: Run X-Tension on selected files
    9928: Attach external file
    9931: Edit metadata
    9932: See this file in its directory
    9933: See this file from volume root
    9934: Find parent object
    9935: Logical search within selected files
    9937: Attach external directory
    9938: Erase securely
    9939: Leave search hit list for specific directory
    9940: Delete duplicate search hits in list
    9941: Select excluded items
    9942: Edit comment
    9944: Include
    9945: Select tagged items
    9946: Exclude all except tagged items
    9947: Hide tagged items
    9948: Add to evidence file container OR skeleton image if active in the background
    9949: Resize search hit
    9950: Convert search hit to carved file
    9951: Resize carved and virtual files
    9952: Assign search hit to other search term
    9953: Extract consecutive video frames
    9954: Include search hit in report
    9955: Mount as drive letter (makes sense only if a directory is selected, and only one)
    9956: Watch with preferred video player
    9957: View with preferred HTML viewer
    9958: View with preferred text editor
    9959: Execute/open in associated external program
    9960: Select viewed items
    9961: View with to-be-selected external program
    9962: Remove duplicates based on hash
    9963: Seek item based on int. ID
    9964: Sort by relevance
    9965: Print
    9966: Seek item based on list item number
    9967: Sort by nothing
    9968: Select all
    9969: Filter by the selected file's hash value (to find duplicates)
    9971: Explore
    9972: Mark search hit as notable
    9973: Open
    9974: Navigate to defining data structure
    9975: Export list
    9976: List clusters
    9977: Recover/copy,
    9978: Explore/view
    9979: Invert selection
    9980: Include in hash database

    You will notice a few suspicious gaps in between the incrementing numbers. The missing numbers are either unassigned or discouraged to invoke or simply don't make much sense to define for a keyboard shortcut. As an example for the latter, 9929 will delete selected search hits or event, something that can of course be accomplished already by pressing the Del key. This information shall reduce your urge to randomly try numbers not listed here, although who knows whether one undocumented number may trigger a secret "Find all evidence" command.

    Please note that even without defining any such keyboard shortcut you can reach all directory browser context menu commands purely with the keyboard by pressing the context menu key. (Usually to be found between the right-hand Windows key and the right-hand Ctrl key.) Some menu commands already have a predefined keyboard shortcut. For example the Enter key is the same as a double click (either View or Explore, depending on your settings). The multiplication key of numeric keypad triggers the Explore command. Del means Exclude. Ctrl+Del resets files to the "still to be processed by volume snapshot refinement" state and undoes some refinement operations. Ctrl+Shift+Del removes hash set matches, hash category, and PhotoDNA categorization. Ctrl+Caps Lock+Del removes the "file contents unknown" flag from a file. (Useful for example if because of temporary I/O problems X-Ways Forensics marked files that way although generally the files can be read just fine.) Ctrl+C copies the selected items into the clipboard using special settings of the Export List dialog window.

    The user-defined keyboard shortcuts should be able to invoke practically all commands from the main menu as well, and even if parts of the user interface other than the directory browser have the input focus. If the command code of a menu command changes in a future version, X-Ways Forensics will ensure that any keyboard shortcut targeting that code will automatically become inactive, to prevent accidental misuse. To find out the command codes of commands in the main menu (also called IDs of menu items), you can open the main executable file in a so-called resource editor and have a look at the menu resource in your preferred language. A highly recommendable light-weight example of such a tool is "Pelles C for Windows", which also happens to be a fine C compiler and complete development kit suitable for creating X-Tensions. Keyboard shortcuts for main menu commands should be less important than for directory browser context menu commands because the main menu already has many dedicated keyboard shortcut predefined, or even if not can be reached without taking one's hands off the keyboard starting with the Alt key. To give you some ideas about useful applications, FYI the command code to toggle between recursive and non-recursive exploration is 122, and the command code to take a new volume snapshot is 109.

    Command codes defined for filters
    (The order is the historical order in which filters were introduced.)

    9700: Name
    9701: Type
    9702: Type status
    9703: Category
    9704: Size
    9705: Path
    9706: Sender
    9707: Recipients
    9708: Timestamp
    9709: Attr
    9710: Hash 1
    9711: Hash set
    9712: Hash category
    9713: Report table
    9714: Comment
    9715: Metadata
    9716: Analysis
    9717: Pixels
    9718: Int. ID
    9719: Unique ID
    9720: Search terms
    9721: Owner
    9722: Parent name
    9723: Child objects
    9724: ID
    9725: Author
    9726: Search hit description
    9727: Event timestamp
    9728: Event type
    9729: Event description
    9730: Search hit
    9731: First sector
    9732: Description
    9733: Hash 2
    9734: Full path
    9735: Flex filter 1
    9736: Flex filter 2

    Command codes for the Mode buttons and related buttons

    122: Toggle recursive exploration
    138: Access button popup menu
    172: Toggle Directory Browser
    186: Toggle Position Manager
    223: Toggle Search Hit List
    224: Toggle Event Hit List
    225: Disk/Partition/Volume/Container mode
    226: File mode
    227: Preview mode
    228: Details mode
    229: Gallery mode
    230: Calendar mode
    231: Legend mode
    232: Sync mode
    249: Raw preview mode
    250: Viewer X-Tension preview mode

Automation

  • New command line parameter "Cfg:", which determines the name of the configuration file from which X-Ways Forensics will read during start-up and to which it will write when terminating, in situations when you need to use an alternative configuration (not the one stored in the main WinHex.cfg file). For example useful if for automated processing you need different settings than for manual execution, with specific volume snapshot refinement operations selected or to avoid the prompt whether a second instance should be started. Such a parameter looks like "Cfg:My other settings.cfg". The quotation marks are required only if the name contains spaces. The maximum length of the name is 31 characters. Only ANSI/ASCII characters supported currently.

  • Text in message boxes that usually need to be clicked away by the user is now redirected to the Messages window while processing the command line parameters "AddImage" and "RVS". Dialog boxes, if any, would still pop up normally.

  • The command line parameter AddImage can now be used to add multiple image files to the case at the same time, with an asterisk in the filename, such as "AddImage:Z:\My Images\*.e01".

  • The "AddImage" command line parameter now supports optional sub-parameters to force interpretation of an image as either a physical, partitioned medium (P) or a logical volume (V) and to force interpretation with a certain sector size, where the sector size is optional, e.g.

    AddImage:#P#Z:\Images\*.dd
    AddImage:#P,4096#Z:\Images\*.dd

    If you do not specify these sub-parameters, a dialog window might pop up to ask the user for this input, but only in some very rare cases. Only if 1) it is not obvious to X-Ways Forensics from the data in the first few sectors what kind of image it is and 2) if the image was not created by X-Ways Forensics or X-Ways Imager and 3) if the image is in raw format. Only if all three conditions are met at the same time plus you do not specify the sub-parameters, then the dialog window will pop up and interrupt automatic processing.

User Interface

  • Dedicated icon for evidence file containers in the Case Data window.

  • Larger font in the text column display for UTF-16 for better readability, especially of Chinese characters.

  • Avoided some rare graphical artifacts in the text column display for code pages with a variable number of bytes per character.

  • Text representations of dialog windows now by default omit unselected list box items and unchecked check boxes and radio buttons. This is a new option in the special menu that you get when you click the small unlabeled button in the upper left corner of a dialog window. It also affects the textual summary of active filters.

  • The Info window is now called Output window, as that more precisely describes its purpose. And it now gets its own screen coordinates and a centered position initially, and its coordinates are remembered separately from those of the Messages window, as otherwise some users seem to completely overlook that window, and they even contact us when they don't see the output that they expect, although it's visible on their screens.

  • New menu command available to collapse the entire case tree when right-clicking the case title.

  • Carved files are now identified as such not only by the Description column, but also by their icons, with by default either a stylized C (Windows 7) or a hammer (Windows 10, unavailable in Windows 7). The exact character can be entered in the Options | Notation dialog. Hopefully that way some users will no longer find it necessary to name all carved files with a prefix like "Carved_".

  • The information that a file was originally a carved file is now preserved in evidence file containers and shown in the Description column and icon even for files within containers.

  • The special file icon for pictures now by default no longer gets symbols like question marks, arrows, scissors, hammers, etc. superimposed, which is easier on the eye. You can still tell the exact deletion status from the Description column, and the rough deletion/existence status is still obvious from the contrast of the icon. However, if the box for this option is half checked, the icon is displayed as in previous versions, with full details.

  • The command to view the selected file with a selected external program now invokes the standard Windows dialog to pick such a program.

  • Whether the viewer component or the internal graphics viewing library should be used for pictures is now remembered by X-Ways Forensics separately for Preview mode and the View command. For the View command the behavior can be changed in Options | Viewer Programs.

  • When not allowing to view multiple pictures at the same time with the View command and the internal graphics viewing library, a new "Auto update" option is now available in Options | Viewer Programs, which will refresh the View window for a picture immediately when a new picture is selected in the directory browser, one way or the other, for example with a single mouse click or when advancing to the next file after defining a report table association. This behavior was previously limited to the arrow keys in the gallery. It should be useful mainly for work with multiple monitors.

  • Italian translation updated.

Miscellaneous

  • FlexFilters are now optionally case-sensitive. Case-sensitive operations are always faster and should be used for performance reasons unless you require otherwise.

  • Category pop-up menu statistics are retained when activating the filter.

  • The blue funnel symbol on both sides of the caption line of the directory browser is now always present when filters are active, even if the filters do not actually filter out any items.

  • Byte-wise checksum computation for multi-byte accumulators as was the standard in v18.9 and earlier is now an option in Options | Security. The newer variant is to compute multi-byte checksums by adding units that are equivalent in size to the accumulator itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real life applications.

  • Recover/Copy: Ability to specify the name of the log file if the file is created in the output directory. Useful if you run multiple Recover/Copy operations specifically for different purposes, to produce one separate log file for each output.

  • Export List: The search hit context size units now correctly designated as characters instead of bytes.

  • Ability to open spanned LVM2 volumes if the other disk is missing. Available data will be incomplete, but potentially still very helpful.

  • Ability to open an evidence object that is a directory even if that directory does not exist any more, to be able to at least check out the volume snapshot again, using the command "Open (without disk/image)".

  • We are pleasantly surprised that you are reading every single bullet point. Thank you very much for your time.

  • Option to unload the hash database if loaded at the moment when all data windows are closed (the moment when the last open data window is closed), to save main memory or to specifically allow other concurrent users or instances to change the hash database.

  • Ability to set the alternative name of a file by holding the Shift key when renaming it (at the moment when clicking the OK button).

  • The Technical Details Report now has an option to show a byte-swapped version of hard disk serial numbers in addition to the serial number reported through the operating system, when in doubt. Some users of certain interfering hardware write blockers may find that useful.

  • More complete representation of the logical memory address space of 64-bit processes.

  • More tolerant to corruption in internal metadata storage files.

  • Many minor improvements.

  • User manual and program help updated for v19.3.


Changes of service releases of v19.2

  • SR-1: Fixed inability of v19.2 to remember the default volume snapshot refinement operations when run from the command line.

  • SR-1: Fixed inability of v19.2 to uncover embedded data from selected files.

  • SR-1: Fixed inability of v19.2 to take volume snapshots of drive letters without sector level access.

  • SR-1: Metadata extraction from certain irregular DOCX files supported.

  • SR-1: Improved internal handling of FlexFilters.

  • SR-2: Now able again to cope with .e01 evidence files that are incorrectly marked as images or physical disks by 3rd party software although they are just volume images.

  • SR-2: Fixed incorrect extraction of attachments encoded by Gmail found in MBOX archives and lose EML files.

  • SR-2: Fixed a cause of instability when the "Search in directory browser cells (metadata)" option was used for the Simultaneous Search.

  • SR-2: Fixed a rare exception error that could occur when extracting metadata from certain corrupt Zip-styled Office document files.

  • SR-2: The option to show non-picture files in the gallery is now represented by a three-state check box. If half checked, only those non-picture files will be represented as thumbnails in the gallery whose type can be confirmed or newly identified by X-Ways Forensics. That means that files of unknown types and garbage files will not be represented in the gallery any more. This will speed up the gallery, reduce the number of thumbnails with just ASCII character gibberish in them, and perhaps most importantly prevent an error in the viewer component from occurring, which exhausts the pool of available GDI objects (handles in the graphics device interface of Windows) in the process and leads to graphical screen artifacts, loss of functionality or even crashes. So far only files with garbage data are known to trigger this error. The error is probably very rarely encountered when specifically viewing or previewing individual files only, but when reviewing large amounts of non-picture files in the gallery it becomes more likely to occur. The error is known to Oracle as bug #25430258. No fix has been made available yet.

  • SR-2: Images stored in nested subdirectories of the case directory instead of directly in the case directory are now also found immediately even if drive letter or absolute path of the case have changed.

  • SR-2: Chinese translation of the user interface updated.

  • SR-3: The time out for the generation of thumbnails of non-picture files in the gallery is now the same user-defined value as previously used only for pictures that are loaded by the internal graphics viewing library. It can be adjusted in Options | Viewer Programs. A smaller value may result in a faster display of the gallery, but at the cost of interrupting the loading process of the viewer component for some files, in which case the gallery tile shows "Error - operation cancelled".

  • SR-3: v19.2 SR-2 did not properly execute external viewer programs. That was fixed.

  • SR-3: Videos are now again represented in the case report by their first extracted still as a thumbnail.

  • SR-3: If the output of the Compare function was a text file and the comparison start offsets in the two data windows were different, the second offset reported for a found difference was off. That was fixed.

  • SR-3: Fixed a problem in LVM2 support.

  • SR-3: Fixed a rare exception error that could occur when producing a registry report based on Reg Report Free Space.txt.

  • SR-3: Prevented rejection of certain ProjectVic JSON files for PhotoDNA import.

  • SR-4: Ability to show gallery tiles with rotating still images for processed videos in situations in which that did not work previously.

  • SR-4: Prevented a situation where the category statistics in the Category column's pop-up menu filter could be that of another data window.

  • SR-4: Fixed inability of v19.2 to take a volume snapshot of a directory with a network path (UNC path).

  • SR-4: The Exif metadata field formerly officially called "Daten taken" is now called "Content modified" in X-Ways Forensics.

  • SR-4: A relative path for the PhotoDNA hash database is now supported and preserved in Options | General.

  • SR-4: Fixed slightly corrupted presentation of e-mail attachments in some specific situations (e.g. Facebook e-mail received via Hotmail).

  • SR-4: Run counts from Windows 10 Prefetch files while shown correctly in Preview mode were not extracted correctly into the Metadata column. That was fixed.

  • SR-5: If original pictures were not included in the case report, but thumbnails of pictures were supposed to be output, those thumbnails were not generated for very small pictures. That was fixed.

  • SR-5: Under certain circumstances the detection of scanned images/PDF documents failed. That was fixed.

  • SR-5: The whole words only option of the Simultaneous Search is no longer applied to search hits that are not words according to the user's selected alphabet definition (checking only the first and the last character in the hit). However, the GREP word boundary indicator \b is still applied in such a case, for example to be able to search for certain data in between words, data that is not considered a word itself.

  • SR-6: The volume snapshot refinement option of v19.1 and later to omit files deemed irrelevant by the hash database also omitted known uncategorized files if they were identified as such only by a previous refinement run, with no re-matching. That was fixed.

  • SR-6: Fixed incorrect size of some few carved files and avoided output of some irrelevant/damaged OLE2 objects.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde

 

#154: X-Ways Forensics, X-Ways Investigator, WinHex 19.2 released

Mar 27, 2017

This  mailing is to announce the release of another notable update with many important improvements, v19.2.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Mar 27-28 Victoria, BC X-Ways Forensics II
Apr 11-12 London, England X-Ways Forensics II
Apr 19-21 Washington DC area X-Ways Forensics II, XFS
May 9-12 New York City X-Ways Forensics
May 15-19 Boston, MA X-Ways Forensics, NTFS/XWFS2
Jul 3-6 London, England X-Ways Forensics
Oct 23-27 Toronto, ON X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


X-Tensions

  • KPF by Jedson Technologies. Picture and video categorization previously known as C4All. The X-Ways KPF version is the original C4All X-tension and does everything and more than the original C4All did (but six times faster), and is free. Other versions exist that produce output in JSON/ProjectVic, XML, or other formats. Presentation at Techno Security & Digital Forensics conference.

  • NEW XT_RAW by Kuiper Forensics. Detects and converts many digital camera RAW formats within X-Ways Forensics.

  • Beyond Compare X-Tension by Chad Gough. Select any two files in X-Ways and quickly send them to Beyond Compare for review.

  • VirusTotal X-Tension by Chad Gough. Check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the Messages window.

  • Binary Large Objects by Christopher Lees. Extracts Binary Large Object (BLOB) data from Sqlite databases.

  • Multiple File Finder by Werner Rumpeltesz. Search for filenames and/or path names and add the matching files to a specific report table.

  • Luhn Credit Card Check by X-Ways Software Technology AG. 32-bit, 64-bit. For use during GREP searches for credit card numbers. Discards false hits based on the Luhn algorithm.

For more information about publicly available X-Tensions known to us please check here. Please get in touch if you have something to contribute. Thank you!

X-Tensions API

  • Disk I/O X-Tensions now cannot only intercept sector-wise I/O at the disk level (for example to decrypt encrypted disks or partitions on the fly and make X-Ways Forensics see the decryption data), but can also intercept I/O at the file level (for example to decrypt encrypted files). The new function to export for that purpose is XT_FileIO. For details please see http://www.x-ways.net/forensics/x-tensions/XWF_functions.html#A.

  • A new X-Tension API function named XWF_FindItem1 allows to conveniently find out the internal ID of a file with a given name in a given directory.


What's new in v19.2?
(please note that most changes apply to X-Ways Forensics only)

File Type Support

  • Files encrypted in Zip, RAR, and 7z file archives can now also be decompressed and processed, provided that the password is known or can be guessed. X-Ways Forensics will try any password listed in either the password collection of the current case or a general password collection. You can edit the password list right from within the dialog window with the options for archive processing. The case-specific password collection can also be edited from within the case properties, and it is stored in a UTF-16 encoded text in the case directory, named "Passwords.txt". The general password collection is stored in a file of the same name in the installation directory or in your Windows user profile directory. Almost all Unicode characters are supported, including space characters and Chinese characters etc. Remember passwords are usually case-sensitive.

    If the collection contains the right password for a particular file archive, that password will be remembered in that file's extracted metadata and taken directly from there instead of the case's password collection if needed again later to read files in the archive. Alternatively, you can provide a specific password for a particular file archive manually and directly by editing that file's metadata, you just need to know that the password must be prepended with "Password: ". (Note to French users: No space before the colon.) Files within encrypted file archives are not treated and shown as encrypted ("e" attribute) if the right password was available at the moment when the files were added to the volume snapshot. The archives themselves are still shown with the "e!" attribute. RAR archives and 7zip archives in which not only the file contents, but also the names are encrypted are not currently supported.

  • Support for iOS's sms.db. All recorded conversations via SMS are extracted to individual chat files. All messages are added to the event database, where they can be filtered based on phone number or email address.

  • Metadata extraction from Quicktime video files revised. In particular, geo data is extracted from current iPhone .mov files.

  • Improved support for East Asian regional code pages with variable-length character encoding for use in complex GREP expressions such as negated character sets.

  • Extraction of metadata from JPEG files improved. More metadata presented for JPEG files in Details mode.

  • Trailing data in JPEG files is now provided as a separate child object.

  • Special support for Samsung Galaxy S6 and S7 JPEG metadata, which among others contain the creation date with a precision of 1 ms.

  • Generator signatures further revised.

  • File type verification further improved.

  • Type group designations are now displayed along with the type description in the "Type description" column.

  • A few file type designations were assigned to multiple categories previously. That was tidied up.

  • Updated file mask for uncovering embedded data.

  • Files can now be extracted from e-mail related MIM archives as part of e-mail processing.

  • Import support for PhotoDNA hash values in hex ASCII notation in ProjectVic JSON files.

Disk Support

  • Linux software RAIDs: Ability to recognize MD RAID container partitions as such. They are represented as two distinct items: A static header area that contains metadata about the RAID (usually at relative offset 4096), and an explorable partition that serves as a RAID component. In case of RAID level 1 that explorable partition contains a fully self-contained volume whose file system can be parsed normally (without any reconstruction effort) if supported. In case of other RAID levels, the reconstruction can be accomplished with the Specialist | Reconstruct RAID command, and some hints on the correct reconstruction parameters are shown as comments attached to the header area item. The result of the reconstruction will be a single volume, which is represented as encompassed in a virtual physical disk. The RAID components have to remain in the case as evidence objects for internal reasons, to allow to re-open the reconstructed RAID with a single mouse-click later.

  • Terminology: What was formerly designated as the stripe size is now correctly referred to as the strip size. The stripe size is the strip size multiplied by the number of RAID component disks, i.e. a whole row.

  • Sector superimposition used to affect specifically the disk/partition/volume represented by the data window to which it was applied. From now on, it also has an effect on partitions opened from within a physical, partitioned disk to which sector superimposition was applied.

  • Ability to recognize Windows storage pool container partitions as such.

  • Ability to properly open partitions whose sectors size is a multiple of the sector size of the underlying physical disk. This is important for example for Windows storage space partitions in Windows storage space pool disks. These partitions and disks have a simulated sector size of 4 KB even if they reside on physical disks with a sector size of 512 bytes.

  • The search for lost partitions now finds NTFS storage space partitions within storage space container partitions despite sector size discrepancies. The search for lost partitions is a useful work-around to find and properly parse the actual payload partition in simple single-disk Windows storage spaces.

  • GPT partition names are now shown in the Name column as alternative names and should be helpful when examining Android phone images containing large numbers of partitions, revealing their respective functions.

  • Technical details report slightly more complete now with partition names as per GUID partition tables.

  • Structure of Access button menu improved for partitioned disks. (Access button is the official name of the button with the white arrow, below the Sync button.)

Usability

  • When clicking the link to an attachment from within the alternative e-mail preview, this now triggers the same action as if that file had been viewed from within the directory browser. That means that 1) it will be marked as already viewed, 2) depending on your preferences, if it's a picture, it will be either presented by the viewer component or the internal graphics display library, and 3) depending on your other viewer settings the file may be opened in an external program, for example if it is a video file.

  • In replace mode for report table associations, the currently associated report tables are now automatically preselected, so that it's less work and less error-prone to remove or add one report table specifically.

  • The case directory is the directory that has the same name as the .xfc case filename just without the extension. It is a subdirectory of the cases directory. There is now special support for the case directory as an image storage location. If images are moved to the case directory first and then added to the case or if the path of an existing image in the case is changed to that in the case directory with the "Replace with New Image" command, these images will be referenced internally without path, and thus the image can always be found instantly even if the case is moved to a different directory or if the drive letter changes. A case that has all images in its own directory can be considered fully self-contained. References to images in the case directory without path are understood by v19.0 SR-14, v19.1 SR-7, and v19.2.

  • Changing the display time zone for an evidence object that is a partitioned, physical disk now automatically also changes the display time zone for all its partitions (dependent evidence objects).

Filters

  • A new filter concept was introduced, called FlexFilters. Two such filters are available in WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. They can target any column in the ordinary directory browser (i.e. not search hit list or event list specific columns) that the user wishes to focus on, with an arbitrary number of substrings, and they can be combined with a logical OR or a logical AND. So this makes them the only filters that can be combined with one another with a logical OR.

    For example, these new filters are useful if you wish to target files that were created or modified not in a particular contiguous period of time, but generally on certain weekdays or on weekends, i.e. where either of these columns contain the word "Saturday" or "Sunday" in the long date notation format. Also useful whenever the column-specific column filter does not give you as many options as you need (e.g. for Author, Sender, Recipients currently you can only enter one name or address or substring, and with the Description filter you cannot currently specifically target additional hard links that are optionally omitted from certain operations).

    The color that indicates that a FlexFilter is active is violet instead of blue, so that it can be better distinguished from a regular column filter. Both FlexFilters come with a NOT option, and they may also target the same column, so that you can achieve results like "show all e-mail messages sent with the name John Doe in the sender field where the sender field does NOT contain the domain name company.com".

  • Right-clicking a column header in the directory browser now quickly activates or deactivates that column's filter without showing the settings dialog window, just like when left-clicking the filter icon with the Shift key pressed.

  • Ability to output a textual summary of all currently active filters with their settings, by right-clicking the blue funnel symbol on the left or right end of the caption line of the directory browser.

Volume Snapshot Refinement

  • Indexing is now permitted as a sub-operation of a volume snapshot refinement run with multiple threads, though it is not further parallelized itself when multiple refinement threads are active.

  • Previous hash set matches for all files in a volume snapshot are not completely discarded any more when re-matching only selected or tagged files. Now only previous matches for those particular files are discarded.

  • A new option allows to restrict picture loading to just 1 worker thread at a time, with a new check box next to "Picture analysis and processing", either strictly (fully checked) or not so strictly (half checked). Please give this option a try if you experience exception errors or crashes when multiple pictures are processed simultaneously.

  • Outputs a file named ResIL.log in case of certain instability problems with picture processing for debugging purposes.

Viewer Component

  • On Jan 17, 2017, Oracle released a security patch update from Dec 12, 2016 for v8.5.3 of the viewer component. The updated version is downloadable from our web site since Jan 18, 2017. It is probably recommendable for security reasons. A list of bugs fixed was not made available. Two DLLs were updated: dewp.dll and vspdf.dll. They are probably responsible for word processing documents and PDF files.

Miscellaneous

  • When taking a volume snapshot without sector level access, e.g. of a remote network drive or a directory or a local drive letter without administrator rights, overlong paths are now supported, up to ~1000 characters long.

  • The most essential functions in X-Ways Forensics are now able to open files with overlong file paths up to ~1000 characters long (File mode, Preview mode, volume snapshot refinement, logical search).

  • Slightly improved support for 4-digit 0-based filename extensions of segmented raw images.

  • Thumbnails can now be created for and shown in the case report even when not copying and linking the original files.

  • A notification sound is output when running a simple linear search for a single match when that match has been found if the program is running in the background, to alert the user.

  • Many minor improvements.

  • User manual and program help updated for v19.2.


Changes of service releases of v19.1

  • SR-1: Some commands in the directory browser context menu in v19.1 did not always appear as they should have appeared. That was fixed.

  • SR-1: An exception error that could occur in v19.1 when hashing files should no longer occur now.

  • SR-1: The JPEG quality detection now also works for rotated JPEGs.

  • SR-2: Computing hash values and matching them against hash databases was not done repeatedly in the original v19.1 release. Now it is done repeatedly again, and that operation is now officially documented as one of the operations that will be applied repeatedly to the same files in a volume snapshot, the only other exception being indexing.

  • SR-2: Many descriptions for registry events were not output to the event list. That was changed. This improvement will also be applied to v19.0 SR-13.

  • SR-3: Prevented a rare infinite loop with certain previously existing EVTX files that are incompletely defined in volume shadow copies.

  • SR-3: Prevented a rare infinite loop when carving OLE2 compound files.

  • SR-3: Australia Adelaide time zone definition updated.

  • SR-3: Prevented a rare error with corruption of decoded textual data when running a logical search with multiple worker threads.

  • SR-3: The representation of search hits in the search hit list is now based on the code page of the search hit in certain situations where previously it was not. Improved code page based context preview specifically for search hits in ISO-2022 code pages, where the search hits and their surroundings may or may not be prepended directly with a suitable escape sequence and may or may not be just ordinary ASCII text.

  • SR-4: Support for one previously unsupported component of the PIDL data structure in OpenSavePidlMRU items in the Windows Registry.

  • SR-4: Fixed a stability problem in the Registry Viewer.

  • SR-4: Index searches for two words that are delimited by a space were unsuccessful in certain files. That was fixed.

  • SR-4: Some sent e-mails extracted from PST archives were presented with erroneously inserted header lines. That error in the extraction process was fixed.

  • SR-4: Fixed an exception error that could occur in v19.1 when selecting files, events or search hits in the Case Root window.

  • SR-5: Fixed potential hanging during XViD metadata extraction.

  • SR-5: Prevented an exception error that could occur at the end of indexing when not even a single word was found to index.

  • SR-5: Fixed inability to read files representing uncovered data embedded in HFS+-compressed files.

  • SR-5: Fixed an error in the Registry Viewer search.

  • SR-6: Certain currently unsupported file system level compression styles in HFS+ volumes are now recognized as such, and the affected files will be shown with their correct file size and "only metadata available" in the description.

  • SR-6: Fixed an exception error that occurred with template variables within loops if their names were longer than 30 characters.

  • SR-6: Since v17.3, files with child objects and an unknown hard-link count were potentially included in evidence file containers multiple times. That was fixed.

  • SR-6: Page count of some special PDF documents now reported correctly.

  • SR-7: Fixed an exception error that occurred in the X-Tension API function XWF_CreateEvObj if the case was still empty.

  • SR-7: Gallery scroll position is reset when the directory browser is re-filled.

  • SR-7: Uninitialized areas of NTFS-compressed files no longer have an undefined status, but are now presented with the data as stored on the disk, just as with ordinary (not compressed) files.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#153: X-Ways Forensics, X-Ways Investigator, WinHex 19.1 released

Jan 19, 2017

This  mailing is to announce the release of another notable update with many important improvements, v19.1.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

NEW: If when querying your licenses you do not receive any e-mail message at your work address because your organization is blocking the sending server, you now have the option (here) to get the e-mails sent from an alternative server (different domain, different IP address), for a second chance to actually receive something.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Jan 27 Miami, FL NTFS/XWFS2
Feb 13-16 London, England X-Ways Forensics
Feb 20-23 London, England X-Ways Forensics
Feb 27-Mar 2 Ottawa, ON X-Ways Forensics
Mar 13-16 London, England X-Ways Forensics
Mar 21-28 Victoria, BC X-Ways Forensics, X-Ways Forensics II
Apr 11-12 London, England X-Ways Forensics II
Apr 19-21 Washington DC area X-Ways Forensics II, XFS
May 9-12 New York City X-Ways Forensics
May 15-19 Boston, MA X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


What's new in v19.1?
(please note that most changes apply to X-Ways Forensics only)

File Type Support

  • Support for Google's Chrome sync database, where information can be found that is synchronized across devices, such as bookmarks, form history, typed URLs, synced devices and much more. A preview HTML file is generated, and events are output to the event list.

  • Ability to view upside-down Bitmap pictures with the internal graphics display library and in the gallery. (To see them flipped vertically, you currently have to view them with the viewer component, though.)

  • TAR archive processing revised.

  • Fixed inability to process BZ2 archives.

  • More reliable detection of pictures as screenshots (output as report tables "Screenshot" and "Screenshot?").

  • New report table "Scan" for PDF and JPEG files that contain a scan. The detection is based on generator signatures "PDF/Scan" and "JPEG/Scan".

  • Most JPEG pictures that were transcoded by Facebook and downloaded from Facebook are now identified as such in the Metadata column by their generator signature.

  • PDF metadata extraction improved especially for Acrobat 10 PDF files.

  • Tentative extraction of Exif metadata fields that are damaged in a certain way.

  • Revised metadata extraction for JPEG. ICC profiles are evaluated, including timestamps.

  • New file type signature for .0tx Tobit e-mail defined.

  • Generator signature table further revised.

  • The type status "mismatch detected" now has an effect on the assumed relevance of a file.

  • The relevance of a file now more reliably takes into account whether or not a picture is a screenshot.

  • Improved stability while processing EDB databases. Users of v18.8, v18.9, and v19.0 may replace their copy of the file EDBex.dat with the new version that at first is tentatively included in v19.1 only.

  • Sender and recipients are now also shown for MSG files to which e-mail processing was applied, not only for the extracted .eml file.

File System Support

  • Extended attributes in HFS+ are now optionally included in the volume snapshot as child objects of the files or directories to which they belong (in X-Ways Forensics only) depending on a new 3-state volume snapshot option. If fully checked, extended attributes are presented as child objects even when they have been specially interpreted already by X-Ways Forensics internally. If half checked (default setting in X-Ways Forensics), they are presented as child objects only if they are not specially interpreted by X-Ways Forensics assuming that the user might want to check them out manually.

  • Ability to open files with resident/inline storage in HFS+.

  • Ability to recognize and open compressed files in HFS+.

  • HTML previews are now generated during metadata extraction for the GZ archives that contain Apple FSEvent logs.

  • Event extraction from Apple FSEvent logs.

  • Recognition of new file system level compression style in NTFS under Windows 10.

  • In newly taken volume snapshots, alternate data streams now show hard link counts in the same way as their parents, so that the alternate data streams of additional hard links can be optionally omitted from searches etc.

Disk Imaging

  • The descriptive text file that is generated for images now points out the exact sizes in bytes of all segments of raw images files and the exact chunk counts in all segments of .e01 evidence files. If for whatever reason one or more segments get lost or corrupted, this allows to create artificial placeholder segments of the right capacity to fill in any gaps, such that all the data in subsequent segments will have the correct logical distance from the data in preceding segments, to preserve validity of pointers within the data (partition start sectors in the partition table, cluster numbers in file system data structures) as long as the original image file segments that contain source and destination are available.

  • Ability to conveniently create dummy/makeshift segments for .e01 evidence files that can substitute missing/lost/corrupt original segments, with the File | New command. The user specifies the required chunk size and the number of chunks as well as a filename for the desired segment (must be with the correct extension, identifying the segment number, not number 1). The data written into the chunks is a recurring textual pattern ("MISSING IMAGE FILE SEGMENT!" when running X-Ways Forensics in English), so that you know that you are looking at a gap in between available data when browsing the interpreted combined image later. The idea of such an artificial dummy segment is that if correctly created it can serve as a placeholder that ensures that data in subsequent segments has the correct logical distance from the data in preceding segmented. Of course, the hash of the entire image cannot be successfully verified any more if the original data is not present, and of course, this functionality should be used only as a last resort if there is no backup of the missing segment file and if data recovery fails etc., and creation and usage of such a dummy image file segment should be properly documented. (forensic license only)

  • When interpreting an .e01 evidence file that contains dummy segments, you will be notified, and the total number of placeholder chunks are noted in the evidence object properties when the image is added to the case.

  • If you require a placeholder for a single missing segment of which you don't know the chunk size and chunk count because the image was created without the new information in the descriptive text file, this is how to find out: Change the filename extension of the penultimate segment to that of the missing segment so that there is no gap. Then rename the last segment to the now missing penultimate segment. (If the missing segment actually is the penultimate one, the last step is sufficient; if the missing one is the last, no renaming is required at all.) Then add the image (first segment) to a case in X-Ways Forensics as usually. X-Ways Forensics will bring the misnamed segment to your attention in the Messages window, which can be ignored. Check the evidence object properties for the chunk size as well as the expected chunk count and the actually referenced chunk count. Subtract the actually referenced chunk count from the expected chunk count. Now you know how many chunks are missing. Change the filename extension back to what it was before, and then create the missing dummy segment with the correct chunk size, correct chunk count, and correct extension.

    With a variation, this approach also works if multiple consecutive segments are missing, just you rename more available segments to fill the gap in the first step, and you create as many dummy segments as necessary to fill the gap. Which dummy segment exactly contains how many surrogate chunks is not important as long as the total number of surrogate chunks must account exactly for the total number of missing chunks. If multiple discontiguous segments are missing, suitable dummy segments can only be created with the new information from the descriptive text file.

Volume Snapshot Refinement

  • Multi-threading: Option to set the number of worker threads to 1, which means that one extra thread is started for processing, separate from the main thread, so that GUI interaction is possible without time lag. Useful for example on a terminal server with many concurrent users, where you should not start too many threads, but may want to be able to at least use the GUI quickly. If the number of additional threads is set to 0, that means processing is done like in v19.0 with 1 thread or generally in v18.9 and before by the main thread itself, so that GUI interactions may be slow.

  • Ability to pause multi-threaded operations with the Pause key.

  • It is now possible to omit not only known irrelevant files, but also known relevant files from further volume snapshot refinement. Useful for example if in large cases you have or expect really many such files and having proof of their presence is sufficient for you and you don't need to extract their internal metadata, don't need to compute their skin tone percentages or PhotoDNA hashes, and don't need to check them for embedded data etc.

  • If matches are returned from regular hash databases as well as the PhotoDNA hash database at the same time with conflicting categorizations, the "more severe" category prevails: unknown < known good < known, but uncategorized < known bad

  • The option to mark a file as already viewed when it gets categorized as irrelevant is now applied to the combined result of ordinary hash database and PhotoDNA hash database matching.

  • Internal metadata is now extracted into the Metadata column only from files of selected categories.

  • Options | Security | "Collect information for crash report" is now a 3-state check box. If fully checked, should volume snapshot refinement crash the program, restarting the program will also point out which suboperation exactly was applied to the problematic file(s) when the program crashed. It has not been tested whether this enhanced granularity of logging might cause any noticeable slowdown. There may be multiple candidates for the problematic file that triggered the instability if multiple worker threads were active at the time of a crash. Unlike in v19.0, all of them are now logged, and they are now presented with the help of the Int. ID filter upon restart.

Report Tables

  • When checking for duplicate files based on hash values, identical files can now optionally be grouped in dedicated report tables so that you can conveniently list each group of duplicates in the directory browser with the report table filter, for example to find out which copy of the file was created first, which was was touched last, which one might be of most evidentiary value based on metadata such as path etc. Unlike marking duplicates as so-called related items, report table grouping works even across evidence object boundaries, so you are not limited to comparing duplicates within the same evidence object.

  • Report tables that represent groups of duplicate files are highlighted in turquoise. In total there are now 5 different kinds of report tables: 1) user-created report tables, for example for report purposes, 2) report tables created by X-Ways Forensics to make the user aware of special properties of files, 3) report tables representing search terms that are contained in a file, 4) report tables representing hash sets in which a file was found, 5) report tables representing groups of duplicate files.

  • The maximum number of report tables in a case was increased from 256 to 1000.

  • To avoid a bloated list of report tables available for selection during report creation, report tables are now offered in that dialog window only if they are actually intended for report purposes. That is assumed by default for all user-created report tables. And you can toggle the report purpose of each report table in the report table association dialog window, by assigning or removing the "star" symbol.

  • When taking a new volume snapshot, all report table associations in that evidence object are discarded. If that completely empties a report table that is not marked as intended for report purposes, such a report table will now be automatically deleted from the case at that occasion.

Usability & User Interface

  • Options | Viewer Programs now offers grayscale thumbnails for true-color pictures in the gallery. This option is meant for law enforcement users whose job is to review child pornography photos, to reduce the mental impact and stress level.

  • A new 3-state check box in General Options prevents Windows screensavers from starting and potentially requiring to re-enter the current user's password, either only during operations that show a progress indicator window (if half checked) or generally while the program is running (if fully checked). This option has an effect no matter whether the main window is visible or whether the program is running in the background. Useful for example when acquiring a live system of which you don't want to lose control during imaging, or if you wish to keep an eye on the progress indicator on your own machine from another corner in your office.

  • More user-friendly behavior when trying to change the edit mode in data windows where that is not allowed because of not running X-Ways Forensics as WinHex or because of the strict drive letter protection.

  • Convenient option to automatically open the output directories of Recover/Copy after completion.

  • In Edit | Define Block it is now optionally possible to enter the size of the block instead of its end offset. And it is now possible to enter the start and end of a block in terms of sector numbers instead of offsets directly.

  • The option to use the viewer component also for pictures is now presented as an easy-to-reach button in Preview mode, named "VC", so it is now much quicker to switch between the internal graphics viewing library and the separate viewer component. Previously, users had to go to the Options | Viewer Programs dialog window for that, for example to get a second opinion in case of corrupt pictures. Also, some users probably had this option always enabled simply because they thought it was a "must" to view pictures with the viewer component, to get pictures displayed at all, not knowing that pictures are by default displayed by the internal graphics viewing library in X-Ways Forensics.

  • Directory icons for evidence objects that are directories, in the Case Data window, so that they can be distinguished from volumes.

  • Under Windows Vista and later, attachments are now conveniently linked from the alternative e-mail representation in Preview mode.

  • Tidied up Case Data context menus.

  • French translation of the user interface updated. (Not guaranteed to be error-free.)

  • Check boxes with long text labels in Romance languages that get truncated because of the limited space available now automatically come with tooltips that reveal the complete text when hovering the mouse cursor over the control.

  • The Navigation | Go To menu commands are now available in File mode.

  • "Display SHA-1 & TTH192 in Base32" is now a Notation option.

  • Some dialog windows are now slightly more clearly structured.

X-Tensions API

  • The XWF_CreateFile function now supports a new flag, which allows to create files in the volume snapshot with data as provided in a buffer.
  • Documentation updated.

Miscellaneous

  • The Full path column now comes with a filter.

  • New options when importing or creating hash sets in the ordinary hash databases and the block hash database. Duplicate hash values that are already contained in the hash database can either be removed from the newly created or newly imported hash set or from all existing hash sets, to keep the hash database more compact/less redundant.

  • A new command in the Case Data window's context menu allows to mark an evidence object with a light bulb icon as a visual aid to locate it if important.

  • Another new command in the Case Data context menu allows to conveniently make a backup of the selected evidence object's volume snapshot. Backups can be restored at any later time with the same command, and they can also be deleted with the same command (right-click an item in the list of backups to get the Delete command). Such a backup is like a snapshot of the volume snapshot. Useful if you think you might want to revert to a certain processing stage later (i.e. undo changes to the volume snapshot), for example after having carefully tagged thousands files that you don't want to lose, before running a file header signature search with experimental settings that might produce a lot of garbage files, before attaching external files with options that you had never tried before, before running an X-Tension made by a 3rd party, before totally removing excluded items from the volume snapshot etc.

    Report table associations, events, and search hits are also included in the backup. Search hits can be restored from a backup only if the search term list of the case did not change in the meantime. Indexes are not included in the backup, but can be manually backed up, of course.

  • The same command applied at the case level (right-click the case title in bold for that) allows to make a backup of the entire case, covering all evidence objects' volume snapshots, all report tables, events, search terms, search hits, indexes, image file paths, etc. etc. Such backups can be restored from the same dialog window. Such backups can also be opened directly with the Open Case command if necessary, as they are complete copies of a case. (Backup .xfc file are created with the "hidden" attribute, though, as they are meant to be dealt with within X-Ways Forensics only.)

  • Duplicate files can now also be recognized by the secondary hash value.

  • Duplicate files can now also be recognized by identical start sectors (within the same evidence object).

  • It now possible to optionally ignore additional hard links when checking for duplicate files.

  • Option to print selected fields on the cover page in bold letters and in a different color, to point the attention of the reader to a certain aspect.

  • New upper/lower case conversion option for textual data in UTF-16 (Edit menu).

  • Separate notation options for the case report just like for exported lists.

  • FYI, two users confirmed independently that the anti-virus software Webroot SecureAnywhere causes random crashes (program terminations) in X-Ways Forensics. So it is not recommended to use the two on the same computer at the same time.

  • Many minor improvements.

  • Some minor fixes.

  • User manual and program help updated for v19.0.


Changes of service releases of v19.0

  • SR-1: Fixed inability of v19.0 to recognize a few file types (those with the "x" flag), including SQLite 3.

  • SR-1: Fixed an instability problem in the registry viewer.

  • SR-1: Fixed crashes that could occur since v18.9 when extracting metadata from certain Linux PNG thumbnails.

  • SR-1b: Fixed an error in File mode in X-Ways Investigator.

  • SR-2: Fixed inability of v19.0 to read a few sectors on very large hard disks.

  • SR-2: Fixed error in file type verification and uncovering embedded data when run with multiple threads.

  • SR-2: Fixed an error where attachments were not extracted from certain .eml files.

  • SR-2: Fixed new option to link attachments from HTML previews of e-mails in the case report.

  • SR-2: Fixed potentially wrong time zone translation of timestamps in transcoded Nikon photos.

  • SR-3: Fixed a volume snapshot data corruption problem in multi-threaded picture analysis and processing.

  • SR-3: More complete extraction of Chrome web history in some cases.

  • SR-4: Fixed an exception error that could occur when providing the alternative e-mail representation for certain e-mail messages.

  • SR-4: Fixed a potential exception error that could occur when running a file header signature search on physical, partitioned media.

  • SR-4: Fixed inability of X-Ways Forensics 19.0 to view contained files in separate windows from within representations of the viewer component.

  • SR-5: Fixed an I/O error that could occur when the case auto-save interval elapsed while refining the volume snapshot with multiple threads.

  • SR-5: Report table descriptions were not handled correctly when deleting a report table. That was fixed.

  • SR-5: Fixed a crash that could occur with certain SQLite databases.

  • SR-5: Fixed a rare exception error that could occur during multi-threaded relevance computation.

  • SR-5: Fixed an exception error that could occur when exporting search hits with context in TSV format.

  • SR-5: Extraction of certain embedded pictures in .eml files.

  • SR-6: The hash filter did not correctly target the 2nd and 4th hash value if the hash type was 2 or 4 bytes in size (e.g. CRC32). That was fixed.

  • SR-6: Fixed an I/O error that could occur in v18.9 and v19.0 when applying File Recovery by Type to an uninterpreted image file.

  • SR-6: The internal graphics viewing library now represents Windows Bitmaps with 32 bits per pixel in correct colors. Fixed skin tone computation for certain Bitmaps with 8 bits per pixel.

  • SR-6: Fixed a potential infinite loop that could occur during a file header signature search for Zip archives when data of JNX files was found.

  • SR-6: Upward searches did not run correctly in v19.0. That was fixed.

  • SR-7: Support for previously unsupported SQLite database files.

  • SR-7: Multi-threaded operations generally more reliable now.

  • SR-7: When matching the files in a volume snapshot against hash databases more than once, previous matches according to the "Hash set" column are now automatically discarded. The hash category remains. This is for performance reasons. Keeping previous and new matches consistent and free of duplications potentially took a lot of time and was not optimized. Users of v18.7 through v18.9 have the option to discard hash set matches and categorizations for selected files with Ctrl+Shift+Del first to accelerate re-matching.

  • SR-7: Fixed problems when loading certain GIF files that contain extension blocks.

  • SR-7b: Fixed error in hash database matching with multiple threads.

  • SR-8: Fixed a crash that could occur when exploring certain keys in registry hives.

  • SR-8: Fixed an exception error that could occur when uncovering embedded data in certain executable files.

  • SR-8: Fixed a rare exception error that could occur when verifying the type of zip archives.

  • SR-8: Sorting by filename extension is now case-insensitive.

  • SR-8: Fixed a crash that could occur in v19.0 when extracting e-mails/attachments from MBOX e-mail archives and original .eml files.

  • SR-8: Prevented unnecessary inclusion of traces of existing files from volume shadow copies in the volume snapshot in certain situations.

  • SR-8: Fixed a cause for multi-threading instability.

  • SR-8: Improved stability with special GIF and TIFF pictures.

  • SR-9: For some few JPEG/TIFF files the extracted "Content created" date was wrong or incorrectly marked as local time. That was fixed.

  • SR-9: There was a problem with the multi-threading option on VMDK images and in Ext* file systems. That was fixed.

  • SR-9: Prevented potential instability with carved .lnk shortcut files.

  • SR-9: Warns the user of GUID conflicts among Windows dynamic disks if open at the same time, to prevent wrong volume-disk connections.

  • SR-10: Fixed inability of v19.0 SR-8 and SR-9 to make certain changes to PhotoDNA databases.

  • SR-10: The category of PhotoDNA hash database matches no longer supersedes that of regular hash database matches during the same snapshot refinement run.

  • SR-10: Fixed a potential crash that could occur when extracting metadata from $UsnJrnl:$J.

  • SR-10: Fixed an exception error that could occur when uncovering embedded data from PE executable files.

  • SR-11: Newly identified 3GP files were erroneously assigned to the category "Other/unknown type" by the file type verification in v19.0 SR-1 and later. That does no longer happen now.

  • SR-11: X-Tension API: Two new kinds of evidence object IDs can now be retrieved with the XWF_GetEvObjProp function (nPropType 3 and 4).

  • SR-11: Fixed inability of v19.0 to copy certain files along with the case report under certain circumstances if the type status was "newly identified".

  • SR-12: Fixed an I/O error that could occur when extracting e-mails from e-mail archives while multiple threads were active.

  • SR-12: Full filename matches in the Type filter did not count if the type status was "newly identified" or "confirmed". That was fixed. In v18.8 and later, full filename matches should have been ignored only if the type status was "mismatch detected".

  • SR-12: Fixed an exception error or crash that could occur under certain circumstances when opening partitions in X-Ways Investigator without opening the parent disk first.

  • SR-12: LVM2 container partitions are now interpreted properly even if the designated partition type in the MBR or GPT is wrong.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

> Archive of the year 2016 <

> Archive of the year 2015 <

> Archive of the year 2014 <

> Archive of the year 2013 <

> Archive of the year 2012 <

> Archive of the year 2011 <

> Archive of the year 2010 <

> Archive of the year 2009 <

> Archive of the year 2008 <

> Archive of the year 2007 <

> Archive of the year 2006 <

> Archive of the year 2005 <

> Archive of the year 2004 <

> Archive of the year 2003 <

> Archive of the year 2002 <

> Archive of the year 2001 <

> Archive of the year 2000 <