X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 


WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

 

#178: X-Ways Forensics, X-Ways Investigator, WinHex 21.5 released

Jun 10, 2025

This mailing is to announce the availability of version 21.5 with official release date June 8, 2025.

License owners please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including the latest log-in credentials (!), details about their licenses, and upgrade or renewal offers. Please do not ask us for the download password. Your organization has access to it already if eligible, as described.

Service releases are announced in the Announcement section of the forum, and you can subscribe to instant e-mail notifications of postings in that section if you have a forum profile. You can create such a profile here (if you have our log-in credentials). If you wish or need to stick with an older version for a while, please switch to the latest service release of that version.


Upcoming Training Events

| Dates | Location | Target Region | Course | Delivered by |
|---|---|---|---|---|
| Jun 16-19 | London, UK | Europe | X-Ways Forensics I | X-Ways |
| Jun 30-Jul 4 | Online | Europe, Asia | X-Ways Forensics I | X-Ways |
| Jul 1-4 | Canberra | Australia | X-Ways Forensics I | CDFS |
| Jul 14-18 | Online | America, Europe | X-Ways Forensics I | X-Ways |
| Jul 14-17 | Abbotsford, BC | Canada | X-Ways Forensics I | F111th |
| Jul 21-25 | Online | Europe, Asia | X-Ways Forensics II | X-Ways |
| Aug 11-15 | Online | America, Europe | X-Ways Forensics II | X-Ways |
| Aug 18-21 | Salt Lake City, UT | USA | X-Ways Forensics I | H-11 |
| Sep 8-11 | Fairfax, VA | USA | X-Ways Forensics I | H-11 |

Please sign up for our training notifications here if you would like to be kept posted on future training dates.


What's new in X‑Ways Forensics 21.5?
(where applicable, changes also affect X‑Ways Investigator, WinHex, and X‑Ways Imager)

Storage Device and File System Support

  • A picture is worth a thousand words: The partition layout of physical storage devices is now depicted graphically below the list of partitions in the directory browser. The horizontal locations and widths of all partitions are directly proportional to the capacity of the entire storage device. It is not guaranteed that every partition will be visible because tiny partitions on a very large storage device might turn out just a few pixels wide or even rounded down to a width of 0 pixels because the representation is truly proportional and unbiased. If a suspect has set aside a dedicated partition for unlawful or suspicious content, the capacity chosen is not inflated or minimized in the depiction compared to other partitions just for the sake of easy clickability of all partitions.

    Partitions/volumes that are not referenced in any active partition table (usually deleted partitions) are presented in a lighter color. Partitions manually defined by the user (of WinHex/X-Ways Forensics) are depicted in a different color to make them stand out more. Areas that are not occupied by any partition are shown as hollow, with dotted outlines.

    Thanks to simple 3D rendering and the angle, you can still see the full width (i.e. true size) of partitions even if they partially intersect with other partitions because those are set apart. The overlapping of partitions is problematic because the question may arise which data in the affected disk area logically belongs to which partition. The depiction is intended to alert users of this issue. On Windows LDM disks, for dynamic volumes that consist of multiple discontiguous storage space fragments (on potentially more than one physical storage device), only the start locations are hinted at, where their names appear, along with the word "spanned". The other fragments of such volumes are not shown.

    The partition layout depiction responds to mouse-over events, left-clicks, right-clicks and double-clicks. Large rectangles are more convenient to target with the mouse than narrow rows in the directory browser, so this feature addition may naturally change the way you explore partitions.

  • Ability to decrypt BitLocker volumes in WinHex Lab Edition, X-Ways Imager, X-Ways Investigator and X-Ways Forensics. This requires that you have and enter (e.g. copy & paste) the right password or recovery key, if one of those is actually required to decrypt the volume (not in case of clearkey encryption). The option to enter a password or key is not given in X-Ways Investigator. However, X-Ways Investigator can use a password or recovery key that was already entered for a particular evidence object in a case by someone using X-Ways Forensics, so users of X-Ways Investigator can work on a case that includes BitLocker volumes if that case was properly set up for them by a colleague.

  • Support for more variants of GPT LDM dynamic disks.

  • Now warns when you select the physical storage device that contains the active Windows system for imaging, because typical users would only want to image *other* devices, and atypical users who really want to do this for backup purposes or to acquire a live system need to be aware that the partition with the Windows installation is in a state of flux while that same Windows system is running.

  • Manually defined partitions are now described as user-defined in the Description column.

  • NTFS: Zone.Identifier URLs in non-resident storage are now automatically included in the Metadata column. They are additionally output as child objects to get the cluster allocations right.

  • Several more forms of compressed data storage in APFS are now supported in newly taken volume snapshots. Files that previously caused the "unsupported compression" message can now be opened successfully.

  • Files that are marked as compressed in APFS, but are in fact not stored compressed but "inline" (resident storage), are now reliably recognized as such and can be opened normally in newly taken volume snapshots. Files marked in APFS as using "plain compression" (=no actual compression) are no longer shown with the C attribute, unlike before. These files would previously also have caused the "unsupported compression" message.

  • Taking a volume snapshot of large APFS volumes is now faster.

  • A rare error has been prevented, where the virtual file "BtrFS System Chunks" was erroneously reported as not readable at the very end.
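The layout reasoning from the first item of this list (truly proportional widths, overlapping partitions, unoccupied areas), worked through as an added example. This is not X-Ways code; the partition table, the disk size and the 1000-pixel canvas are constructed values, and all names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    name: str
    start: int    # first sector
    sectors: int  # length in sectors

    @property
    def end(self):
        """First sector after the partition (exclusive end)."""
        return self.start + self.sectors


def pixel_spans(partitions, disk_sectors, canvas_px):
    """Map each partition to (x, width) in pixels, strictly proportional.

    Integer division rounds down, so a tiny partition on a very large
    device can legitimately end up with a width of 0 pixels.
    """
    return {
        p.name: (p.start * canvas_px // disk_sectors,
                 p.sectors * canvas_px // disk_sectors)
        for p in partitions
    }


def overlaps(partitions):
    """Return (first, second, from_sector, to_sector) for every overlapping pair."""
    ordered = sorted(partitions, key=lambda p: (p.start, p.end))
    found = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break  # sorted by start: nothing later can overlap a
            found.append((a.name, b.name, b.start, min(a.end, b.end)))
    return found


def gaps(partitions, disk_sectors):
    """Return (from_sector, to_sector) ranges not occupied by any partition."""
    free, cursor = [], 0
    for p in sorted(partitions, key=lambda p: p.start):
        if p.start > cursor:
            free.append((cursor, p.start))
        cursor = max(cursor, p.end)
    if cursor < disk_sectors:
        free.append((cursor, disk_sectors))
    return free


# Constructed sample: a 4 TB disk with 512-byte sectors. "Hidden" starts
# before "Data" ends, so the two partitions overlap.
DISK_SECTORS = 7_814_037_168
SAMPLE_PARTITIONS = [
    Partition("EFI", 2_048, 204_800),
    Partition("Data", 206_848, 7_000_000_000),
    Partition("Hidden", 7_000_000_000, 500_000_000),
]

if __name__ == "__main__":
    for name, (x, width) in pixel_spans(SAMPLE_PARTITIONS, DISK_SECTORS, 1000).items():
        print(f"{name:7} x={x:4} width={width:4}")
    for a, b, lo, hi in overlaps(SAMPLE_PARTITIONS):
        print(f"overlap {a}/{b}: sectors {lo}-{hi - 1}")
    for lo, hi in gaps(SAMPLE_PARTITIONS, DISK_SECTORS):
        print(f"unpartitioned: sectors {lo}-{hi - 1}")
```

The 100 MB "EFI" partition comes out 0 pixels wide on this disk, which is the case the text warns about; the overlap and gap lists still report it and its neighbours by sector range.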

X-Tension API, 3rd Party Tool Support

  • X-Ways Forensics now prompts before actually executing/loading an X-Tension, in particular also when the execution is triggered through the command line, unless disabled in Options | Security.

  • Users can decide whether to share their original dongle ID or BYOD license ID with 3rd-party software (X-Tensions), in the dialog window where the nLicID is displayed.

  • X-Tensions can now see the original dongle ID or BYOD license ID if the user agrees to share that information, when responding to the call of the XT_Init() function.

  • Third-party tools that control X-Ways Forensics from outside via command line parameters may specify the command line parameter "GetLicID:" to find out the so-called nLicID, a hash value that uniquely identifies a dongle or a BYOD license. Nothing else will be done in a session started with that parameter, and X-Ways Forensics exits automatically. You could license your tool based on that ID and only allow use of your tool if the ID matches your expectations (if the ID is in your unlock list, if the user has a key file for that ID etc.). The first 4 bytes of the nLicID are returned as an exit code. Additionally, the full 16 bytes of the nLicID plus an 8-byte FILETIME value with the current timestamp in UTC can be written to a file whose path you designate optionally after the colon of "GetLicID:". By providing a unique, randomly generated filename, you can make extra sure that you get a freshly generated output file with an up-to-date nLicID and not a static, potentially outdated or manipulated value. And/or you can compare the first four bytes stored in the file with the exit code to make sure they match and/or check that the timestamp is not older than a second or so. If the first four bytes are all 0x00, that means that the X-Ways Forensics installation is not unlocked or that (re)writing the output file (if requested) has failed. This feature is also present in v21.4 SR-6 and later.

  • Various XWF_*() functions of the X-Tension API now deal more gracefully with incorrectly supplied nItemID values and indicate failure through the return value instead of throwing an exception error. More return values are now defined for XWF_GetItemSize() in particular.

  • XWF_GetItemInformation() and XWF_SetItemInformation() can now retrieve and set the value in the Relevance column of a file or directory.

  • The hVolume handle provided to the functions XT_Prepare() and XT_Finalize() is now zero if the X-Tension is applied to the Case Root window, so that you can more easily recognize this special situation and reject use of your X-Tension if necessary. This change is also incorporated in v21.4 SR-5 and later.

  • Three rarely used hash IDs have changed in the X-Tension API, six have been marked as deprecated (not recommended for use any more), SHA-512 has been added. Please see the documentation of the XWF_GetVSProp() function for the updated list.
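The checks suggested for "GetLicID:" in this list, as an added example (not X-Ways code) of what a calling tool can do with the exit code and the output file. Assumptions: the 16-byte nLicID precedes the 8-byte FILETIME in the file, the exit code is the first four bytes read as a little-endian integer, and all function names and sample values are hypothetical.

```python
import secrets
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LICID_LEN, FILETIME_LEN = 16, 8  # sizes stated in the release notes


def fresh_output_path(directory):
    """Random, unique file name to pass after the colon of "GetLicID:"."""
    return Path(directory) / f"licid-{secrets.token_hex(16)}.bin"


def filetime_to_datetime(filetime):
    """A FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment):
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def check_licid(record, exit_code, now, unlock_list, max_age=timedelta(seconds=2)):
    """Validate one GetLicID result. Returns (ok, reason, licid_hex_or_None).

    record      -- bytes read from the output file
    exit_code   -- process exit code of the GetLicID session
    now         -- timezone-aware current time (UTC)
    unlock_list -- set of hex-encoded nLicIDs the tool accepts
    """
    if len(record) != LICID_LEN + FILETIME_LEN:
        return False, "unexpected file size", None
    lic_id = record[:LICID_LEN]
    (filetime,) = struct.unpack_from("<Q", record, LICID_LEN)
    exit_code &= 0xFFFFFFFF  # exit codes are 32 bit wide

    # All-zero first four bytes: not unlocked, or the file was not (re)written.
    if lic_id[:4] == b"\x00\x00\x00\x00" or exit_code == 0:
        return False, "not unlocked or output file not written", None
    # Assumption: little-endian interpretation of the first four bytes.
    if struct.unpack_from("<I", lic_id)[0] != exit_code:
        return False, "exit code does not match file", None
    # Reject stale files and timestamps from the future.
    age = now - filetime_to_datetime(filetime)
    if age > max_age or age < -max_age:
        return False, "timestamp not fresh", None
    if lic_id.hex() not in unlock_list:
        return False, "ID not in unlock list", lic_id.hex()
    return True, "ok", lic_id.hex()


# Constructed sample values, not a real license ID.
CONSTRUCTED_ID = bytes.fromhex("a1b2c3d400112233445566778899aabb")


def build_constructed_record(lic_id, stamped_at):
    """Build the 24-byte file content the way this example assumes it is laid out."""
    return lic_id + struct.pack("<Q", datetime_to_filetime(stamped_at))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    record = build_constructed_record(CONSTRUCTED_ID, now)
    code = int.from_bytes(CONSTRUCTED_ID[:4], "little")
    print(check_licid(record, code, now, {CONSTRUCTED_ID.hex()}))
```

In a real caller, `record` is read from the path returned by `fresh_output_path()` after the GetLicID session has exited, and the file is deleted afterwards.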

Cryptography

  • Support for the SHA-512 hash type.

  • Simple checksums with a multi-byte accumulator, but using 8-bit integer additions, are now available as separate hash types, named "Checksum (8 on 16 bit)", "Checksum (8 on 32 bit)", and "Checksum (8 on 64 bit)". This renders the security option "Byte-wise checksum computation" obsolete. It has thus been removed.

  • Revised hash computation and encryption algorithms, newly optimized for different processors.

  • 256-bit AES encryption/decryption is now about 30% faster (even on old processors).

Text Extraction, OCR

  • OCR can now optionally be restricted to picture files produced by/for certain device types, e.g. produced by a scanner, produced as screenshots, or generated for printing, because such pictures are more likely to contain relevant text and because omitting other pictures can save time.

  • Picture files for which device type recognition was unsuccessful ("unknown") or to which it was not applied because metadata extraction was not yet run or because device type recognition is not supported for the respective file type (resulting in a blank device type cell) can optionally be OCRed, too.

  • OCR can now optionally also be applied to pictures if the regular conditions (file type, resolution and device type) are not met, but if text is detected by the picture content analysis.

  • If OCR is applied to pictures retroactively at the end of volume snapshot refinement because the presence of text was detected in those pictures by the picture content analysis, the resulting text is immediately indexed if indexing is also selected.

  • Text extracted from documents or pictures in Preview mode can now be optionally stored in the volume snapshot as well. This option is remembered separately just for Preview mode and disabled by default, so that you can experiment with different OCR settings and different PDF decoding settings and see fresh results instead of always the same text as stored in the volume snapshot after the first attempt. To access the Decoding/OCR settings specifically for Preview mode, please right-click the Text/OCR submode button.

  • The Comment column can now display a preview of extracted text that is stored in the volume snapshot if so desired (depends on a new Notation setting). Such extracted text is displayed in a gray color to set it apart from actual user comments. To see more text, you can move the mouse cursor over the respective cell. The Comment filter still works only based on actual comments.

  • To reset files to the "still to be processed" state selectively, as always you can select them and press Ctrl+Del. That will now also reliably discard extracted text that is stored in the volume snapshot, so that running the text decoding + OCR operations via RVS (e.g. after adjusting "PDF Requiring OCR.txt") will make another attempt.

File Type Support

  • Internal graphics display library updated. (Also included in v21.4 SR-5 and later.)

  • The number of picture files to which X-Ways Forensics can assign a device class or a software class has been further increased.

  • The keyword "Dissemination" next to the generator signature identifies picture files that were transmitted as copies of single use, e.g. in a web browser display. The keyword "Edited" next to a JPEG generator signature identifies a copy that was provided permanently.

  • Concurrent scrolling through pages of multiple PDF documents for OCR is now optional and disabled by default. This can yield more complete results for certain documents that are slow to render.

  • Text in PDF files from certain sources cannot easily be decoded. It may be output incompletely or garbled or as total gibberish. Whenever in a real-life scenario you come across a series of uniform PDF files with that problem (generated by the same mechanism for the same purpose, e.g. bank account statements, invoices, product specifications, ...), so that their decoded text is not legible and searchable/indexable, you can add their creator name, producer name or generator signature to a list that X-Ways Forensics checks before decoding PDF files. If there is a match with any of these properties, X-Ways Forensics will apply OCR to such files rather than attempt (presumably futile) text decoding. You can find this special option in the dialog window with the decoding settings. This is a rather technical option and therefore not available in X-Ways Investigator. Without that option, the only situation in which a PDF file is OCRed is if no text can be extracted from it at all, just like in all previous versions.

    The list is maintained in a file named "PDF Requiring OCR.txt" and can easily be shared with other users. The format is explained in the text file itself when it is created. It is expected in the same directory where your WinHex.cfg file and various other user-editable text files are. The generator signatures, creators and producers of PDF files can be found in and copied from Details mode. For the generator signature only the 8 hexadecimal digits are required.

  • More meaningful names are given to uncovered embedded data in SQLite databases.

  • Accepts certain slightly malformed zlib-compressed data.

  • Thorough evaluation of DQT (quantization tables) in JPEG files.

  • The device type filter now allows you to focus on files for which device type identification has not been attempted, e.g. because metadata extraction has not been run or because the file type is not supported for that. Such files have a blank device type cell, which means undetermined.

Case Management

  • There is now a command in the directory browser context menu that allows you to bookmark a file or directory. You can also enter an individual description. Bookmarks are useful to quickly navigate back to an item of interest. To see a list of all bookmarks in the case, use the Edit menu of the Case Data window. All bookmarks can be seen and navigated to even if the evidence objects to which they refer are not currently open. When you create a bookmark, that creates a label at the same time, which is useful for filtering and because creating a backup of the volume snapshot and restoring such a backup will back up and restore the label, but not the bookmark.

  • The Edit menu of the Case Data window is now always the same and identical to the context menu of the case. Previously, if an evidence object was selected in the case tree, the Edit menu was identical to the context menu of that evidence object.

  • When opening cases, unknown data from future versions is now reported and dealt with in a more granular way, at the case and the evidence object levels.

  • Does not so easily sacrifice (replace/overwrite) case file backups any more if changes to the current case file are small, i.e. more likely keeps older backups that are significantly different around for longer.

  • The functionality to re-include all excluded items and the functionality to totally remove excluded items from the volume snapshot have been moved from the directory browser options dialog to the directory browser context menu (the "Exclude" submenu).

  • More thorough consistency check for volume snapshots that detects certain problems in the cache and in the storage of extracted data.

Miscellaneous

  • The Relevance column now has a filter.

  • .dlg files now remember the positions of trackbar controls, like the ones for PhotoDNA sensitivity and Excire matching strictness, which they previously did not.

  • The Resize dialog window that allows you to tailor offsets and sizes of carved files and search hits as needed has been revised and now remembers more settings separately for files and search hits. There is a new option to double the intended offset and size changes in bytes for search hits in UTF-16.

  • The memory editor now identifies processes as either 32 bit or 64 bit.

  • The "whole words only" restriction of logical searches did not work when searching for single Latin letters as ASCII/Latin 1 in extracted text that was internally stored in Unicode. That was fixed.

  • The program help and the user manual were updated.

  • Many minor improvements.


Changes of service releases of 21.4:

  • SR-1: Fixed a sector read error that could occur in NTFS partitions in interpreted nested images since v21.1.

  • SR-1: .msg files whose metadata have been extracted now respond to the Sender and Recipient filters.

  • SR-1: Fixed an exception error that could occur when extracting metadata from certain PDF documents.

  • SR-1: Prevented a misleading message about unknown chunks that could be seen under certain circumstances when opening cases.

  • SR-2: The viewer component now remembers more display settings between sessions.

  • SR-2: The default scaling mode for PDF documents is now "Fit to window" instead of "Fit to window width".

  • SR-2: No longer tries to decode document files whose types cannot even be confirmed, just based on filename extension, which could yield lots of garbage characters as extracted "text".

  • SR-2: More complete OCR results for certain multi-page PDF documents.

  • SR-3: Slightly improved OCR quality for PDF files.

  • SR-3: Fixed a very rare exception error that could occur when reading the Content created timestamp of a file from the volume snapshot under certain circumstances.

  • SR-3: Fixed incomplete or missing search hit context preview for search hits in extracted text in v21.4.

  • SR-3: Fixed an error that depending on the cover page settings could make X-Ways Forensics print the same file multiple times when multiple files were selected, since v21.3.

  • SR-4: Fixed an error with SQLite processing that could (rarely) abort data storage in the volume snapshot.

  • SR-4: When multiple threads are active dealing with SQLite databases at the same time, the creation of temporary files could fail with a misleading error description ("used by another process") provided by Windows. To address this issue, multiple re-attempts are made until the creation succeeds.

  • SR-4: Fixed incorrect reporting of duplicate hash values when importing them from JSON files (Project VIC/CAID) and a potentially incomplete import from such files.

  • SR-4: Fixed a rare error that could occur when converting Intel Hex data with Linux style line breaks to binary.

  • SR-4: Ability to identify Windows Server 2025 as a platform.

  • SR-5: Prevented unnecessary scrolling of the search term list back to the start of the list after selecting search terms and hitting the Enter key/clicking the Enter button/double-clicking.

  • SR-5: Prevents picture content analysis from reporting the fallback colors black and gray for incomplete JPEG pictures.

  • SR-5: Prevented a rare error writing to temporary files in conjunction with certain archives, which were reported with just a question mark as the filename.

  • SR-5: An automatic restart of X-Ways Forensics after a crash no longer decrements the number of remaining executions granted by an insured dongle.

  • SR-5: Binary PList files with a minimal size are now processed.

  • SR-5: More stable with certain rare SQLite database files.

  • SR-5: Sometimes more readable floating point numbers in the output for SQLite databases.

  • SR-6: Fixed misidentification of some rare .docx files as archive bombs with zip record overlaps.


Become a certified user of X‑Ways Forensics
Become an X-PERT
(X‑Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X‑Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X‑Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#177: X-Ways Forensics, X-Ways Investigator, WinHex 21.4 released

Feb 18, 2025

This mailing is to announce the availability of version 21.4 with official release date Feb 17, 2025.



Upcoming Training Events

| Dates | Location | Target Region | Course | Delivered by |
|---|---|---|---|---|
| Feb 24-28 | Online | America, Europe | X‑Ways Forensics I | X‑Ways |
| Feb 24-27 | Fort Lauderdale, FL | USA | X‑Ways Forensics I | H-11 |
| Mar 3-7 | Online | Europe, Asia | X‑Ways Forensics I | X‑Ways |
| Mar 11-14 | Salt Lake City, UT | USA | X‑Ways Forensics I | H-11 |
| Mar 17-20 | Online | Europe, Asia | X‑Ways Forensics I | X‑Ways |
| Mar 17-20 | Canberra | Australia | X‑Ways Forensics I | CDFS |
| Mar 25-27 | Online | Europe, Asia | File Systems Revealed | X‑Ways |
| Apr 14-17 | Fairfax, VA | USA | X‑Ways Forensics I | H-11 |
| Apr 28-May 2 | Online | America, Europe | X‑Ways Forensics I | X‑Ways |
| May 12-16 | Online | America, Europe | X‑Ways Forensics II | X‑Ways |
| May 19-23 | Online | Europe, Asia | X‑Ways Forensics II | X‑Ways |

Please sign up for our training notifications here if you would like to be kept posted on future training dates.


What's new in X‑Ways Forensics 21.4?
(where applicable, changes also affect X‑Ways Investigator, WinHex, and X‑Ways Imager)

Volume Snapshot Refinement

  • Text decoding and OCR are now separate and independent suboperations of volume snapshot refinement, no longer only available in conjunction with indexing. This enables you to invest time up front for these operations in preparation for accelerated future logical searches. The number of extracted characters can be seen in the Description column if "other" is enabled for that column in the Notation settings.

  • It is now easier to control whether OCR is applied to only documents (most importantly certain PDF files) and/or pictures. In volume snapshot refinement, picture OCR is now part of picture analysis processing, and you can save time by not getting pictures OCRed that have a poor resolution anyway and are likely not documents.

  • You do not need to enable OCR or text decoding for logical searches if you had performed these operations already during volume snapshot refinement and if the extracted text was stored in the volume snapshot. It will be searched along with the regular file contents automatically. You can still enable text decoding or OCR for the logical search if desired to decode/OCR files that were not processed that way previously.

  • You do not need to enable OCR or text decoding any more when you create an index if you had performed these operations already during volume snapshot refinement previously and if the extracted text was stored in the volume snapshot. It will be indexed along with the regular file contents automatically. You can still enable text decoding or OCR in RVS when you create an index if desired to decode/OCR files that were not processed that way in the previous RVS run.

  • The settings for text decoding in files are now centralized in a single dialog window so that users are less likely to overlook the special spreadsheet support feature, which was previously selectable and customizable under Options | File Viewing because it's technically related to the viewer component.

  • The new method to discard previously stored decoded text and OCR-derived text from the volume snapshot and start text decoding/OCR from scratch (e.g. now with spreadsheet support enabled) is to remove the checkmark from the "Already done" box of these operations in the Refine Volume Snapshot dialog window.

  • The so-called alternative (actually active by default) text extraction method for spreadsheets is now more stable and no longer requires you to keep X‑Ways Forensics in the foreground.

  • More complete text decoding of Excel spreadsheet files that contain charts.

  • Some internal reorganization and optimization of volume snapshot refinement, especially with multiple worker threads.

  • The picture content analysis now has an even stronger impact on the computed generic relevance. For example, depending on how unusual the detected content is and the confidence of such a finding, the relevance may be increased.

  • The picture content analysis is now applied to a few exotic file format variants to which it could not be applied before.

  • Prevented some potential crashes during SQLite database processing.

  • Improved handling of special floating point values (negative values including negative zeroes, NaNs, and infinities) in SQLite database processing.

  • Under Options | Security you can now not only deliberately simulate a crash, for example to test the auto-resume feature of volume snapshot refinement or to see how an automated environment that you set up with command line parameters will behave in case of a crash, but also an exception error that is caught by the application and does not cause a crash, for example to see in which directory the error.log entry is created and what information it contains. This function continues to be available only in preview and beta releases.

  • Slightly re-organized the RVS dialog window.

  • Two more methods to potentially recover a hung previous instance (showing a progress indicator window) from a second instance. If you reject both, you will see the usual list of threads.

File Archive Support

  • Ability to decompress files in .xz archives and in some Nullsoft .cab archives.

  • Ability to deconstruct Windows executable files (EXE, DLL, ...) and Unix/Linux executable files (ELF), as if they were file archives. If you are interested in that, you can add file type designations like ,exe,dll,elf to one of the lists of file types with a check mark under Specialist | Refine Volume Snapshot | Include contents of file archives | ... They are now listed in the "Special interest" section by default, which is not actively used and mainly meant to give you ideas about file types that you could get processed if you like.

  • The settings for the inclusion of files in archives in the volume snapshot can now not only be reached from volume snapshot refinement, but also from the general volume snapshot options because they are also relevant when adding archives to a case as evidence objects.

  • Avoids a rare error in which a wrong password is recognized as correct for an encrypted file archive when automatically trying each entry in the provided password list.

  • Specifically sped up parallelized file archive handling with multiple threads, especially for evidence objects that are very large file archives like smartphone acquisitions.

  • In v21.3 and earlier, when one RVS thread was processing a file in an archive, other threads had to wait if they wanted to read from other files in the same archive, unless the contents of those files were already in the cache. In v21.4 other threads don't wait any more and instead proceed with other files in the volume snapshot that are not in that archive. And the thread that is busy with that archive will be tasked specifically with processing the remaining files in that archive. If the entire evidence object is a single file archive, then all threads can read files in that archive at the same time.

  • Sped up extraction of certain large GZ file archives.

Picture Support

  • Improved partial display of incomplete JPEG files with the internal graphics display library.

  • More resilient display of corrupt/incomplete WEBP pictures with the internal graphics display library.

  • Updated support for PNG and TIFF in the internal graphics display library.

  • Revised recognition of the device type Scanner and the software class Twitter/X.

  • Device type detection generally further refined.

Case Management

  • Ability to categorize entire evidence objects as notable or irrelevant or uncategorized, via the context menu, and show them in the case tree with a corresponding icon.

  • Ability to choose specifically which evidence objects to import from another case. Previously either all or all marked evidence objects were imported. The import function can also be used just to get a sneak peek into another case (its list of evidence objects with their categorizations) without loading that case entirely, which would displace the current case, and without starting a second instance, and without actually importing anything. This is entirely read-only for the other case and possible even if that other case is currently being worked on by another user.

  • Improved depiction of dependent evidence objects in selection dialog windows.

  • The compression algorithm used in newly added .e01 evidence files is now shown in the evidence object properties.

  • The password of an encrypted .e01 evidence file can now also be stored in the case later, not only immediately when adding the image to that case.

User Interface

  • French and Romanian language abbreviations of KB, MB, GB and TB units, i.e. Ko, Mo, Go, and To, are now usable even in user interface languages other than French thanks to a new option in the Notation settings, and by virtue of being part of the Notation settings they can now be turned on or off just for export/data exchange purposes if needed.

  • The French translation of the user interface was revised and updated.

  • ISO/IEC 80000-13 is now another notation option (KiB, MiB, GiB, TiB) in addition to the traditional and more compact Windows/JEDEC 100B.01 standard (KB, MB, GB, TB).

  • Displays the word "Admin" next to the version number in the upper right corner in a session that was run as administrator, so that unaware users have a chance to become aware of that.

  • After deduplicating what is listed in the directory browser, X‑Ways Forensics now restores the order of the items to what it was prior to the operation (because that order is changed internally to identify duplicates). And if the last selected file is not excluded by the deduplication, that file will automatically be re-selected afterwards.

  • More simultaneously applicable cell coloring constellations result in a color mix.

  • A second type of color gradient is available for cell coloring on a per-definition basis (a diagonal gradient).

  • You can now generally opt for stronger gradients if desired.

  • Slightly revised display of unused exFAT file allocation table entries to avoid misinterpretation.

  • Dynamic e-mail columns are now responsive to processed .msg files listed in the visible part of the directory browser.

  • Directory browser cell tooltips are now darker in dark mode. In particular comment tooltips are no longer displayed with a bright yellow background.

  • In Preview mode you can now conveniently right-click the Text/OCR button to change text decoding settings and OCR settings, respectively.

Data Interpreter

  • The Data Interpreter now optionally also translates decimal ASCII text integer representations of HFS/HFS+ and FILETIME timestamps.

  • The Data Interpreter can now translate dates and times that you enter back into decimal ASCII text integer representations (for the timestamp formats for which decimal ASCII text is supported) if decimal ASCII text integer representations of dates are active. The user needs to ensure proper termination of the resulting string as needed (e.g. via a space character or line break or null character or end of file). Only possible in a data window that is not in read-only mode.

  • The Data Interpreter can now translate Base64 to ASCII (one way).

  • When translating dates that you enter into binary or decimal ASCII, a time of 00:00:00 is now assumed if you do not enter a time, instead of annoying you with an error message.

  • The interpretation of data at the cursor position in the status bar now supports any of the formats known from the Data Interpreter, not just integer numbers. As before, you can left-click the status bar cell with the interpretation to select the desired format. (Display of times in addition to dates will follow in SR-1.)
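The decimal ASCII text integer representations mentioned above can be cross-checked outside the tool. The following is an added example, not X-Ways code: the function names are hypothetical, and both formats are treated as UTC, which is an assumption of this sketch. It reads a digit run at an offset, converts it to a date and back, and rejects the out-of-range value that results when an encoded string is not properly terminated.

```python
from datetime import datetime, timedelta, timezone

# Epochs of the two formats; both are treated as UTC here (assumption of this sketch).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # counts 100 ns ticks
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)       # counts whole seconds

def read_decimal_ascii(buf, offset):
    """Return the integer spelled by the run of ASCII digits at offset.
    Any non-digit byte (space, CR/LF, NUL) or the end of the data ends the run."""
    end = offset
    while end < len(buf) and 0x30 <= buf[end] <= 0x39:
        end += 1
    if end == offset:
        raise ValueError("no decimal digits at offset %d" % offset)
    return int(buf[offset:end])

def decode(buf, offset, fmt):
    """Interpret the decimal ASCII integer at offset as 'filetime' or 'hfs'."""
    n = read_decimal_ascii(buf, offset)
    if fmt == "filetime":
        try:
            return FILETIME_EPOCH + timedelta(microseconds=n // 10)
        except OverflowError:
            raise ValueError("FILETIME value beyond representable dates")
    if fmt == "hfs":
        if n >= 2**32:  # HFS/HFS+ timestamps are unsigned 32-bit second counts
            raise ValueError("value does not fit a 32-bit HFS timestamp")
        return HFS_EPOCH + timedelta(seconds=n)
    raise ValueError("unknown format: %r" % fmt)

def encode(dt, fmt, terminator=b" "):
    """Translate a date back into decimal ASCII text, followed by a terminator.
    A date constructed without a time carries 00:00:00."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    if fmt == "filetime":
        d = dt - FILETIME_EPOCH
        n = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    elif fmt == "hfs":
        d = dt - HFS_EPOCH
        n = d.days * 86400 + d.seconds
    else:
        raise ValueError("unknown format: %r" % fmt)
    return str(n).encode("ascii") + terminator
```

Writing the encoded digits with an empty terminator directly in front of other digit bytes yields a longer number on re-reading, which is why the string has to be terminated.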

X-Tension API

  • The X-Tension API function XWF_GetVSProp() now supports a new type of operation, XWF_VSPROP_RESET, which takes a new volume snapshot programmatically and resets that evidence object's section of the case tree.

  • To leave it up to the user whether files that your X-Tension identifies as ignorable should be further processed by volume snapshot refinement, you could set the ignorable flag via XWF_SetItemInformation() in an early call of the XT_ProcessItem() function.

  • X-Tension API: Some more flags are now defined for the XWF_AddToReportTable() function.

Miscellaneous

  • Ability to locate the dynamic volumes on certain LDM disks based on GPT partitioning that were not supported previously.

  • The Recover/Copy command and the command to copy selected files to an evidence file container now both have the new option to also copy child objects of selected files (as separate files) only if those child objects are not e-mail attachments. That could be a useful setting if you already embed those attachments in the parent .eml file and don't want their data to be output twice.

  • Option to embed e-mail attachments into the parent .eml file when copying e-mails into an evidence file container.

  • The Path and Full Path filter dialog windows can now accommodate up to 4 million characters.

  • It is now possible to apply logical searches only to OCR-derived text.

  • Index search results now distinguish between search hits in decoded text and OCR-derived text.

  • Extended support for proxy servers in BYOD+.

  • The program help and the user manual were updated.

  • Many minor improvements.


Changes of service releases of 21.3

  • SR-1: Different shades of basic colors with unique names (e.g. deep sky blue, fuchsia, aquamarine, yellow green, khaki, dark salmon, ...) are now optionally detected in picture analysis if the box for color identification is fully checked. Special colors are always output in English and not translated to German, French, Spanish or Italian. If the box is only half checked, only basic colors are output.

  • SR-1: All color names, whether a basic color or special shade, can now be optionally prefixed with the word "Color: " (language-specific), so that all color labels are listed as a contiguous block if sorted alphabetically.

  • SR-1: Some less dominant colors detected in pictures are now also output.

  • SR-2: Reviewing and confirming already defined bounding boxes for the search for known faces is now optional. That step is now skipped if faces are already marked in Labels.xml for all pictures in the template directory, unless forced.

  • SR-2: Fixed dongle activation code processing in v21.3.

  • SR-3: MD RAID handling is now more straightforward and convenient. MD RAID container partitions are now included in cases as well when adding the physical storage device that contains them or its image. That enables X‑Ways Forensics to remember the components of the reconstructed MD RAID if you add the RAID to the case as well, for when you re-open it later. The container partitions are by default not selected for recursive exploration or for volume snapshot refinement because their storage space is (hopefully) already covered, and more properly so, as part of the reconstructed RAID.

  • SR-3: Prevented an exception error that could occur when copying files from evidence objects that are file archives into an evidence file container with the option to reproduce a partial path in the target container.

  • SR-3: X-Tension API: XWF_VSPROP_SET_HASHTYPE1 and XWF_VSPROP_SET_HASHTYPE2 of XWF_GetVSProp() were unable to set a new hash type if no hash type was defined yet. That was fixed.

  • SR-4: Fixed inability of the simple Find functions to locate data when searching upwards in certain situations.

  • SR-5: Fixed extreme slowness of the recursive selection statistics in v21.3 in already recursively explored lists in certain situations.

  • SR-5: Fixed a very rare infinite loop when loading certain JPEG files.

  • SR-5: Less abundant detection of the color gray.

  • SR-5: Support for more dongle configurations.

  • SR-6: Volume snapshot backups are now properly deleted when an evidence object is removed from a case.

  • SR-6: Ability to import evidence objects with their volume snapshots from older cases that were created by v20.9 and earlier and use other internal subdirectory naming conventions.

  • SR-6: Prevented an exception error that could occur in v21.3 when moving the mouse cursor over icons in a no longer recursively explored Case Root window.

  • SR-6: Fixed potential inability to enable or disable some picture analysis and processing suboperations in v21.3.

  • SR-6: Now sets specific exit codes in certain situations.

  • SR-7: Remembers which hash sets in a hash database are selected for matching, in the database itself. For this reason, and as a general consideration, it is recommended not to use a hash database that is shared with active users who may change the selection if you want consistent results with automated command line execution.

  • SR-7: Improved JPEG size detection in the presence of empty COM markers, which may be required to be able to display the picture.

  • SR-8: Prevents users from using the installation directory itself directly for temporary files.

  • SR-8: Ability to identify RAR and 7z archives with full filename encryption as encrypted if no matching password is supplied.

  • SR-8: The optional alternative extended timestamp interpretation for zip archives had no effect since v20.6. That was fixed.

  • SR-8: "Find duplicates in list" did not always identify all duplicates if extra criteria were selected or if name was the primary criterion for comparisons.

  • SR-8: Fixed a problem extracting attachments from certain original .eml files or MBOX e-mail archives in v21.1 and later.

  • SR-9: Improved compatibility with proxy servers in BYOD+.

  • SR-9: Fixed failing automatic restart of RVS in a special situation.


Become a certified user of X‑Ways Forensics
Become an X-PERT
(X‑Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X‑Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, and updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter/X. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X‑Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

 
