X-Ways
WinHex & X-Ways Forensics Newsletter Archive


#125: WinHex, X-Ways Forensics, X-Ways Investigator 16.3 released

Dec 15, 2011

This mailing is to announce the release of a noteworthy update, v16.3.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator/X-Ways Imager and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can conveniently find all older versions for download if needed.

Please be reminded that if you are interested in receiving information about service releases of v16.2 when available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.


Upcoming X-Ways Forensics & File Systems Training

London, UK: Apr 23-27, 2012     seats available
More information


Please remember that lost, misplaced or stolen dongles for X-Ways Forensics are replaced only if they have been insured, which is free.


New product: X-Ways Imager
best speed, most intelligent compression

The reduced version of X-Ways Forensics just for disk imaging is now a separate product called X-Ways Imager and can be purchased by anyone! It was introduced in 2009 based on a request from an agency in the US, whose performance tests showed that X-Ways Forensics was much faster than other imaging tools, especially when used together with hardware write blockers. Another test run by a similar agency in Australia also confirmed significant speed advantages over competing products. And now, in the latest test, November 28, 2011, X-Ways Forensics/X-Ways Imager proved to be around twice as fast as competing products (the usual suspects) in a test run by the F-Response development team for remote acquisitions! (blog post)

The intelligence of the compression and options such as exclusion of free drive space and reverse imaging make X-Ways Forensics (and now X-Ways Imager) perhaps the best disk imaging software on the market. The algorithms in use in X-Ways Forensics and X-Ways Imager offer a great dynamic compromise between speed and compression rate and reduce the performance penalty caused by the decompression that has to occur whenever the image is used after its creation, a penalty that some other disk imaging tools neglect so badly. Plus X-Ways Imager can reconstruct virtually every conceivable variant of JBOD, RAID 0, RAID 5, RAID 6 and more!

Remember that F-Response is an ideal add-on product that allows X-Ways Forensics to remotely analyze disks and RAM. And X-Ways Imager is an ideal add-on product for F-Response that allows you to image remote disks, and it will dump RAM of remote computers, too!


New product: X-Ways Investigator CTR

X-Ways Investigator CTR is a new even further reduced version of X-Ways Investigator, which can open only evidence file containers of X-Ways Forensics and X-Ways Investigator, no other images and no disks/media. X-Ways Investigator CTR was designed exclusively as an add-on to X-Ways Forensics, when splitting up the analysis work across multiple investigators/specialists or when providing files in containers to other people involved in the case that only need to, want to, or are supposed to see selected files. X-Ways Investigator CTR is like an extremely powerful viewer program for containers with many useful features such as filter, keyword searches, report generation, ability to enter comments about files etc.

If you are a user of X-Ways Forensics, you can reduce the user interface of X-Ways Forensics 16.3 to that of X-Ways Investigator (regular version) or X-Ways Investigator CTR to see exactly what functionality is available in each.


What's new in v16.3?

Evidence file containers

  • A new evidence file container format was introduced. The new format can be understood by various computer forensic tools other than those from X-Ways. Older versions of WinHex (with a specialist license or higher), X-Ways Forensics and X-Ways Investigator can also understand it. They can all read the contents of all files and show the most essential metadata (e.g. filename, path, many attributes, most timestamps, existing or deleted). To see the maximum amount of metadata as known from the old format, however, please use WinHex/XWF/XWI 16.3 and later. For compatibility purposes you can still create containers in the old format.

  • The new format prevents the same files from being erroneously copied twice to the same container.

  • Writing and reading very large containers could be faster with the new format (still to be verified).

  • The new container format now stores examiner comments and report table associations internally, no longer in separate files in a metadata subdirectory. Both comments and report table associations can also be seen in 3rd party tools that understand the new container format.

  • Artificial directories can be optionally created in containers of the new format to accommodate child objects of files, for compatibility with tools that do not accept files as child objects of other files in the new container format (non X-Ways tools and WinHex/XWF/XWI 15.9 and earlier). WinHex/XWF/XWI 16.0 and later (latest release, respectively) do not need such artificial directories.

  • Containers (both the old and the new format) now remember the valid data length of a file that originates from file systems that support this field even if it is not smaller than the logical file size.

  • Files that are encrypted in NTFS or in Zip/RAR archives are no longer completely skipped when selected for inclusion in evidence file containers. They are now included with their metadata, so that the recipient of the container can easily see that there were encrypted files originally. The encrypted data is still not copied for such files. The outer Zip/RAR archives that use encryption for some or all files that they contain are fully copied, of course, and have always been copied.

  • Initial zero-value bytes are now skipped when the slack of a file is copied to an evidence file container separately, and that object is marked in the container as an excerpt.

  • Files in evidence file containers that had child objects in the original volume are no longer shown as having child objects if none of the child objects have been included in the container.

File header signature search

  • The individual default file sizes of the file header signature search are now specified in bytes instead of KB for more precise carving. That is useful especially when not carving complete files, but just records, entries, micro-formats, main memory network traffic artifacts etc.

  • Ability to search certain file types at the sector level and other file types at the byte level simultaneously. For that purpose, the flag "b" can be set in a new last column of the file header signature definition. This allows searching for whole files and entries at the same time.

  • File header signature searches at the byte level can now also be applied to evidence objects that are physical disks (where partitioned areas are skipped because partitions are treated as additional evidence objects separately).

  • Another flag "f" can be set in the new last column to indicate that the specified footer signature is used to find data that is not part of the file any more and should be excluded. Ordinary footers are included in the carved file.

  • The "f" flag is useful for file formats that do not have a well defined footer, where the end of the file can be detected by the occurrence of data that does not belong to the file any more. That could be the same signature as the header (if files of that type typically occur in groups, back to back) or just \x00 (for file formats such as text files that do not contain zero-value bytes, where however \x00 can be expected with a high likelihood in the RAM slack). Such footer signatures should be marked as exclusive because the data matched by them is not part of the file itself.

  • Also a flag "h" can now be set in the new last column to indicate that the specified header signature is used to find data that is not part of the file any more and should be excluded. Ordinary headers are included in the carved file.

  • The option to search for file header signatures just at cluster boundaries has been discontinued.
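The flag semantics described above (byte-level "b", exclusive footer "f", exclusive header "h", default sizes in bytes) as an added toy carver in Python. This is example code written for this page, not X-Ways code: the Signature definition layout, the 512-byte sector size and the rule that the footer is searched within default_size bytes of the header are assumptions, not the format of X-Ways' own signature definition file.

```python
"""Toy file carver implementing the signature rules explained above."""
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512  # without the "b" flag a header is only tested at these boundaries


@dataclass(frozen=True)
class Signature:
    name: str
    header: bytes
    footer: Optional[bytes]
    default_size: int  # in bytes, not KB; assumed to bound the footer search too
    flags: str = ""    # "b" byte level, "f" footer exclusive, "h" header exclusive


@dataclass(frozen=True)
class Carved:
    name: str
    start: int       # first byte belonging to the carved file
    end: int         # one past the last byte
    truncated: bool  # no footer found: cut at default_size (or end of data)


def _next_header(data: bytes, sig: Signature, pos: int) -> int:
    """Offset of the next header at or after pos, or -1; honours the "b" flag."""
    if "b" in sig.flags:
        return data.find(sig.header, pos)
    off = -(-pos // SECTOR) * SECTOR  # round up to the next sector boundary
    while off < len(data):
        if data.startswith(sig.header, off):
            return off
        off += SECTOR
    return -1


def carve_one(data: bytes, sig: Signature, idx: int) -> Carved:
    """Apply the flag rules to a header found at idx and return the carved extent."""
    after_header = idx + len(sig.header)
    start = after_header if "h" in sig.flags else idx
    limit = min(idx + sig.default_size, len(data))
    if sig.footer is not None:
        # Search behind the header so that a footer identical to the header
        # (back-to-back entries) terminates this entry instead of matching itself.
        fidx = data.find(sig.footer, after_header, limit)
        if fidx >= 0:
            end = fidx if "f" in sig.flags else fidx + len(sig.footer)
            return Carved(sig.name, start, end, False)
    return Carved(sig.name, start, limit, True)


def carve(data: bytes, sigs: List[Signature]) -> List[Carved]:
    """Run every signature over data; byte- and sector-level types coexist."""
    found = []
    for sig in sigs:
        pos = 0
        while (idx := _next_header(data, sig, pos)) >= 0:
            found.append(carve_one(data, sig, idx))
            pos = idx + 1  # resume right behind the header, not behind the carve
    return sorted(found, key=lambda c: (c.start, c.name))


# Hypothetical definitions constructed for this example (not X-Ways' own file).
SIGNATURES = [
    Signature("blob", b"BLOB", b"ENDB", 256),            # whole files, sector level
    Signature("txtrec", b"REC>", b"\x00", 64, "bf"),     # \x00 is RAM slack, excluded
    Signature("grp", b"GRP!", b"GRP!", 16, "bf"),        # next header ends the entry
    Signature("mark", b"<<", b">>", 32, "bh"),           # leading marker excluded
]


def build_sample() -> bytes:
    """Constructed 3-sector buffer exercising each rule (test data, not evidence)."""
    buf = bytearray(3 * SECTOR)

    def put(off: int, chunk: bytes) -> None:
        buf[off:off + len(chunk)] = chunk

    put(0, b"BLOB" + b"\x01" * 100 + b"ENDB")   # aligned and complete: bytes 0-107
    put(512 + 10, b"REC>alpha\x00")              # record ends before the \x00
    put(512 + 40, b"REC>beta\x00")
    put(512 + 100, b"BLOB")                      # not sector aligned: not found
    put(512 + 200, b"GRP!oneGRP!twoGRP!three")  # last entry lacks a terminator
    put(1024, b"BLOB" + b"\x02" * 50)            # aligned, no footer: truncated
    put(1100, b"<<payload>>")                    # "<<" excluded, ">>" included
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for c in carve(sample, SIGNATURES):
        print(f"{c.name:6} {c.start:5}-{c.end:<5} truncated={c.truncated} "
              f"{sample[c.start:c.end][:20]!r}")
```

Running it shows the unaligned "BLOB" at byte 612 being ignored by the sector-level search while the byte-level record types are found anywhere, and the entry without a terminator being cut at its default size and flagged.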

File format support

  • The registry viewer now supports Windows 8 registry hives.

  • Path representation of the registry report's verbose mode for printing revised.

  • Support for file archives revised. Proven ability to find and read files in corrupt zip archives that WinZip, WinRAR and 7-Zip cannot find.

  • Support for pictures with extremely high resolutions (larger than ~ 25 MP).

  • Ability to filter for pictures with a skin color percentage of x % or *less*. For example, a very low percentage or even 0% can be useful to find documents that were scanned with full color depth instead of just in grayscale.

  • Additional overview of log-in and log-off operations at the end of the interpretation of .evtx event logs.

  • No internal metadata extraction is attempted any more for files marked with a red X.

  • A report table association is now created for multi-page TIFF files when extracting metadata.

  • Performance of JPEG consistency check improved.

  • More Exif metadata extracted from JPEG files: focal length, lens model, F number, serial number, firmware, image unique ID

  • Signing date extracted from executable files (.exe, .dll, ...) where present.

  • Prepared to carve .itc2 iTunes artwork cache files and PNG files within them.

  • Internal creation timestamp extracted from certificate files (.cat, .cer, .ctl).

  • Exchange EDB extraction considerably accelerated. Memory requirements for Exchange EDB e-mail extraction reduced.

  • Better support for pictures with an extremely high resolution.

  • Revised standard e-mail extraction mask now includes MS Office 2011 for Mac .olk14MsgSource files to allow for extraction of attachments.

Usability

  • It is now possible to press the Esc key in the search hit list to leave the search hit list (i.e. return to the normal directory browser) and navigate to the file that the selected search hit is contained in, if any.

  • It is now possible to press the multiplication key on the numeric keypad of the keyboard or the asterisk key to explore a directory or file with child objects. Useful if you have selected to use double-clicks and the Enter key already for the View command.

  • It is now possible to use the asterisk key just like the multiplication key (Windows standard) to fully recursively expand the directory tree from the selected directory downwards.

  • It is now possible to navigate back and forward by pressing Ctrl and the cursor keys left and right, just like with the Back and Forward menu and toolbar commands.

  • The Back and Forward commands now also remember switches from the normal directory browser to the search hit list and back and are able to undo them.

  • It is now possible to explore a directory or file with child objects that contain search hits from within the search hit list. Just note that you would see any of the child objects only if they also contain search hits. If they don't contain any search hits, you will see a reminder that you can use the Back functionality or press Esc to return to the normal directory browser.

  • The number of filtered out search hits in the search hit list when a filter is active is now counted in a more intuitively understandable way.

  • Separate menu command to add memory dumps to the case.

  • Mode Disk/Partition/Container in X-Ways Investigator now hides the hex/text column and instead shows some useful information about the container and the volume snapshot.

  • New investigator.ini options:
    +40 prevent GREP searches
    +41 prevent skin tone detection
    +42 prevent inclusion of log in report
    +43 prevent inclusion of basic report in report
    +44 prevent export of report table associations
    +45 prevent file export for analysis
    +46 prevent export tree command
    +47 prevent export list command
    +48 prevent metadata extraction

  • Original individual e-mail message files present on a disk (like .eml, .emlx or .olk14MsgSource) are now marked in the Attr. column as processed original .eml once they have been processed (e-mail extraction in Refine Volume Snapshot) and thus can be filtered as such. Useful to cover all original individual e-mail files and artificially produced .eml files (representing extracted e-mail) with a single filter (the Attr. filter).

Physical media

  • Ability to reconstruct RAID level 6 systems, more precisely these variants: backward parity (Adaptec), forward parity, and forward delayed parity with non-zero start component. Information on which manufacturers use which variant and which other variants need to be supported would be very welcome.

  • Ability to reconstruct RAID level 5 forward delayed parity and forward dynamic delayed parity (WiebeTech/CRU-Dataport).

  • Template for GPT partition tables included and invocable via the directory browser context menu (when right-clicking the virtual file that represents the beginning of a GPT-partitioned disk) and via the drop-down menu of the white arrow button.

  • Ability to write disk sectors under Windows Vista and 7 improved.

  • Ability to use File | Create Disk Image for physical RAM when opened under Windows XP or 2000.

Miscellaneous

  • The crash safe decoding option, if fully selected, now also applies to .eml files, which it did not in previous versions, for performance reasons.

  • Search hits and their context can now also be correctly displayed if in UTF-8.

  • Security option to verify the chunk CRCs when reading from .e01 evidence files.

  • Fixed a rare "Internal error 2010" that could occur in earlier versions when running logical searches.

  • Interpretation of timestamps in Ext* file systems now independent of data interpreter settings for UNIX/C timestamps as it should be.

  • Some exception errors fixed that could occur during metadata extraction.

  • Output of dummy entries in registry report fixed.

  • Ability to sort by search term column.

  • Fixes for Exchange EDB extraction.

  • Relative path to viewer component (like .\viewer) now fully supported.

  • Many minor improvements.


Changes of service releases of v16.2:

  • SR-1: Recover/Copy: Fixed inability to preserve timestamps when copying extracted e-mail messages.

  • SR-1: Fixed inability of the original v16.2 release to run a file header signature search when at the same time verifying file types.

  • SR-2: Fixed an exception error that could occur when running a file header signature search for Gzip archives in v16.1 SR-6 and later.

  • SR-2: Under certain circumstances, files with child objects were often copied twice to evidence file containers by v16.2. That was fixed.

  • SR-2: Child objects of zip-styled Office documents were not correctly copied to evidence file containers using volume snapshots refined by v16.2. The volume snapshot refinement was fixed.

  • SR-2: Fixed an exception error that could occur when extracting metadata from certain ASF/WMV files.

  • SR-3: The file header signature search did not work for some file types in v16.2 SR-2. That was fixed.

  • SR-3: Chinese translation of the user interface updated.

  • SR-3: Slightly more complete e-mail header field extraction.

  • SR-3: Avoided exception error when processing certain corrupt registry hives.

  • SR-3: The registry report could be slightly incomplete for certain hives. That was fixed.

  • SR-3: Fixed problem with very long strings in registry viewer.

  • SR-4: Fixed a rare exception error that could occur when opening exFAT volumes.

  • SR-4: Filenames (not paths) limited to 255 characters in Recover/Copy.

  • SR-4: Event log output revised.

  • SR-4: Thumbnails extracted from thumbcache*.db are no longer named after the original picture. However, the original filename and path can still be seen in the comments if available from Windows.edb.

  • SR-5: Fixed an exception error that occurred in v16.2 SR-3 and SR-4 when exploring file archives.

  • SR-6: Fixed a crash that could occur when loading large registry hives.

  • SR-6: Fixed a crash that occurred when viewing or decoding files with the viewer component that have names longer than 255 characters.

  • SR-6: Fixed naming problem of SR-4 and SR-5 that could occur when copying files.

  • SR-6: Fixed "off by one" error in listed search hit count in search term list when using logical AND combinations (existed since v15.9).

  • SR-6: Fixed exception error that could occur when extracting metadata from zip archives.

  • SR-7: Fixed inability to type Unicode characters other than Latin 1 into the Index Search window. That error existed since v16.1.

  • SR-7: Sending dongle transaction codes to the server directly did not work, only when using copy & paste on the web site. That was fixed.

  • SR-8: Fixed an error in hiberfil.sys decompression.

  • SR-8: Self-similar archives such as OpenOffice documents that contain old versions were not copied correctly to evidence file containers when explored by v16.2 through SR-7, and caused exception errors when reading the container. The exception errors are now prevented and the actual cause (the erroneous exploration of certain archives) has been fixed.

  • SR-9: Recover/Copy scope error fixed.

  • SR-10: Some small fixes.

  • SR-11: Fixed an exception error that could occur with index searches in certain situations.

  • SR-11: Fixed an instability error that could occur when taking a snapshot of ReiserFS volumes.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

 

#124: WinHex, X-Ways Forensics, X-Ways Investigator 16.2 released

Oct 13, 2011

This mailing is to announce the release of a noteworthy update, v16.2.

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can conveniently find all older versions for download if needed.

Please be reminded that if you are interested in receiving information about service releases of v16.2 when available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.


Upcoming X-Ways Forensics & File Systems Training

London, UK: Oct 25-27, 2011     seats available
Hong Kong, Nov 1-3, 2011     seats available
Chicago area, IL: Dec 12-16, 2011     seats available
More information


What's new in v16.2?

Searching, code page support

  • Ability to search and index in up to 5 code pages simultaneously (including UTF-16 Unicode), 2 more than before. Useful for languages for which several code pages are commonly in use, e.g. Chinese and Japanese.

  • Code pages are now always listed for selection in ascending order of their numeric identifiers, which makes it easier to find the code page of interest if you know its ID.

  • Code page independent GREP searches for exact byte values enabled by selecting a "non" code page called "Direct byte-wise translation for GREP", which translates byte values without any mapping for certain code pages or case matching.

  • Support for Outlook compressible encryption as a code page for the text column and simultaneous searches.

  • Ability to search in big-endian UTF-16 Unicode. (However, the search hits are readable only in Western European languages.)

  • Some other improvements to the GREP search engine.

  • Each search hit now remembers in which code page it was found. You can see the code page in the search hit description column.

  • The search engine now assigns search hits to more than one GREP expression if multiple expressions are equivalent.

  • Ability to visually compare different single-byte code pages thanks to simultaneous code page tables (View | Tables | Hexadecimal / Code Page).

Volume snapshots, directory browser

  • X-Ways Forensics now preserves and displays paths/directories when exploring file archives (Zip, RAR, ...).

  • The volume snapshot options are now available directly via the Options menu.

  • A new option among the directory browser options allows you to tag or hide files in the directory browser non-recursively, such that tagging/untagging/hiding/unhiding a file has no effect on parent or child objects or on parent or subdirectories. Useful for example if all child objects of a file should be processed in volume snapshot refinement or searched, but not the parent object. Previously it was not possible to have an untagged parent object whose child objects are all tagged. If the recursive tagging option is in its middle state, that means that child objects still inherit the tagged state from their parent at the moment when they are newly added to the volume snapshot, e.g. when you extract e-mail and attachments from an e-mail archive.

  • Whether tagging and hiding works recursively or not can now also be controlled by holding the Shift key.

  • Ability to sort in the directory browser by up to 3 criteria (instead of 2 as before).

  • Sorting by name and path is now case-insensitive.

  • Until now, report tables were not a good means to categorize more than 10,000 or 100,000 files in volume snapshots with millions of files. Filtering and sorting by report tables was slow with such huge numbers. That has changed. It is now quick to filter and sort by report tables with several 100,000 associations in huge volume snapshots.

  • Dynamic adaptation of the video still export interval based on the video play length when using MPlayer. The longer the video, the longer the interval.

  • Older versions of X-Ways Forensics cannot read the volume snapshot format used by v16.2 and later.

Recover/Copy

  • Ability to copy files with a partial path from the case root window. In that case only the evidence object name is used as the path, not the path within the evidence object.

  • Ability to copy only direct children and not all descendants recursively, by checking the box only half. That can be useful for example when you want to copy e-mails off the image and embed their attachments, but don't care for further children of the attachments that X-Ways Forensics has extracted from them.

  • The length of the names of artificial subdirectories created in the output folder to accommodate child objects of files is now limited to a user-defined number of characters, 32 by default. This is useful in particular for e-mail messages that are named after the subject line and of course can contain attachments as child objects, to avoid overlong paths.

  • The suffix used to name artificial subdirectories created in the output folder to accommodate child objects of files is now fully user-definable.

  • Ability to create directories in the output folder whose original names have several trailing spaces.

Main memory analysis

  • If main memory is represented as a physical disk, for example because it is the RAM of a remote computer accessible via F-Response or because it is a raw memory dump or .e01 evidence file with a memory dump interpreted as a physical disk, it is now possible to open a "Volume" from within the "physical disk" in which X-Ways Forensics offers its main memory analysis.

  • Newly created .e01 evidence files of memory will be internally marked as images of volumes rather than physical disks such that even older versions will be able to recognize them as memory dumps.

  • If a memory dump is misinterpreted as a physical disk image with a sector size of 512 bytes, the "volume" that can be opened from within will be successfully re-interpreted as having the appropriate sector size (or actually page size in this case) of 4 KB.

Disk imaging, acquisition

  • Supports skipping free clusters in partitions that are formatted with a supported file system now even when imaging MBR- and GPT-partitioned physical disks, not only when imaging pure volumes.

  • Speed quadrupled (!) for large contiguous unused areas when imaging with the option to exclude data in free clusters. Depends on compression level.

  • Ability to watermark optionally omitted free space in an image at the start of each sector with a Unicode text string, so that when working with the image you are reminded of the omission when you look at data in drive free space.

  • Includes the computer name and user name in the imaging log.

  • Accelerated filling of evidence file containers in certain situations.

Reports

  • Option to output files in the report either grouped by evidence object (as before) and sorted by internal ID or (and this is new) in the order as they are currently listed in the case root window, where you can freely change the order thanks to now up to 3 sort criteria. Note that if you choose the second option, files that are not listed in the case root window will not be output, even if they are part of a report table. That means that current filter settings now can have an effect on the generation of the report, too. If files are omitted because they are not listed in the case root window at the time of report generation, you will be notified of that in the report and in a message box.

  • Report table items are now output in the case report in the order of the internal ID within each evidence object, no longer in the order in which the files were added to the report tables.

  • Ability to only include the mere number of items in a report table in the report, not a list of those items.

  • Correct encoding of angled brackets that occur in Windows registry values for the output in registry HTML reports based on advice by TronicGuard / Martin Wundram.

File system support

  • Improved support for volumes with more than 2^31 clusters.

  • Ability to deal with NTFS volumes with more than 2^31 (and up to 2^32) clusters.

File format support

  • Ability to display certain TIFF pictures with old-style JPEG compression.

  • Ability to check the consistency of the format of files of known types and output "OK" or "corrupt" in the Type Status column and filter for these properties. In later releases the consistency will be checked, depending on the file type, during file header signature search, file type verification and/or metadata extraction. In this release only the consistency of JPEG files is checked, and only when running a file header signature search.

  • The file header signature search classifies found RAR archives as corrupt if they cannot be carved completely.

  • Exceptions in metadata extraction fixed.

  • .lnk shortcut file interpretation revised.

  • Improved ability to deal with certain corrupt registry hives.

Other

  • Program help and user manual updated.

  • Several minor improvements.


Changes of v16.1 SR-5

  • Fixed an exception that could occur when decoding e-mail messages for logical searches in SR-2 to SR-4.

  • Fixed an error that could prevent to get search hits at the physical end of a file in v16.0 and v16.1.

  • Fixed inactivity of multipliers that occur at the end of GREP expressions.

  • Improved extraction of certain e-mail header fields if non-standard formatted.

  • Jump list metadata presentation in Details mode was incomplete since v16.0. This was fixed.

  • Sorting of keys in Registry Viewer fixed.

  • Registry report: Output of dummy entries fixed.

  • SECURITY hive processing slightly further improved.

  • Interpretation of V account structure in SAM hives now almost perfect.

  • Fixed an exception error that could occur when searching in an index for characters that were not indexed.

v16.1 SR-6

  • Improved ability to show text encoded in multi-byte code pages in the text column in Windows 7.

  • Avoided message boxes during volume snapshot refinement.

  • Avoided message about invalid or unsupported owner ID when including the evidence object level of Windows 7 NTFS volumes in file containers.

  • Fixed memory leak that could occur in v16.1 when exploring Gzip archives.

  • Automatic file size detection for Gzip archives in the file header signature search.

  • v16.1 before SR-5 did not associate LFN entries in FAT file systems with SFN entries if the latter contained code page dependent characters. That was fixed.

v16.1 SR-7

  • Considerably improved processing of Exchange EDB databases.

  • Avoids freeze when encountering a circular loop in a FAT.

v16.1 SR-8

  • Avoided an exception error that could occur after failed memory allocations.

  • Improved compatibility with new viewer component version 8.3.7.

  • Ability to create readable .eml files even with certain malformed e-mail headers as sent/stored by MS Outlook in certain situations when extracting e-mail from PST archives. In earlier versions of X-Ways Forensics such e-mail messages were shown as blank by the viewer component (except in Raw mode).



 

#123: X-Ways Forensics and X-Ways Investigator 16.1 SR-4 released

Aug 25, 2011

This mailing is about some news since the original release of v16.1.

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can conveniently find all older versions for download if needed.

Please be advised that if you are interested in receiving information about service releases of v16.1 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net.


Upcoming X-Ways Forensics & File Systems Training

Houston, TX: Sep 19-23, 2011
London, UK: Oct 25-27, 2011
Hong Kong, Nov 1-3, 2011
More information


F-Response Consultant + Covert bundled with X-Ways Forensics

Available only for a limited time, the perfect combination for acquisition and analysis over a network for a reduced price, with 3 years update maintenance (XWF) and 3 years license validity (F-Response), for EUR 5,259 (+VAT if applicable). Order here. Consultant + Covert is the traditionally non-covert (GUI) Consultant version of F-Response + a 2nd "Covert" console designed to allow direct deployment to a single covert target, similar to F-Response Enterprise, a great and cost-effective solution.


New version 8.3.7 of the Viewer Component

Available for download to licensed owners of X-Ways Forensics and X-Ways Investigator with update maintenance. The relevant changes are:

  • Improved rendering of PDF images with JBIG2, JPEG2000 compressions and with explicit masks.

  • Support for attachments in PDF files.

  • Other improvements for PDF.

  • Support for the file formats AutoCAD 2010, Microsoft Project 2010, and Ichitaro 2010.

  • Support for CMYK color spaces in JPEG files.

  • Numerous improvements for Microsoft Office, Microsoft Outlook, and more file formats.

  • Support for charts in Microsoft Office 2007 binary Excel files.

This version can highlight search hits in PDF documents again. Installing this update is recommended! Please remember that you must not mix files from different versions of the viewer component in the same directory. This is a frequent error.


What's new in v16.1 SR-1?

  • Dongle Insurance

    It has always been the policy of X-Ways that lost, misplaced or stolen dongles are not replaced. If you are afraid that your dongle might eventually get lost or stolen, in particular when travelling or working on site (not only in your own office) or when leaving it to contractors, consultants, auditors, lawyers, externally working or temporary employees, or students, you will be happy to hear that it is now possible to insure your dongle against loss! Only if your dongle is insured can you buy a replacement dongle. So in a sense, X-Ways Software Technology AG is now also an insurance company, and we are probably making a big mistake here: the insurance itself is free of charge! Read more.

  • Exchange EDB processing accelerated.

  • Use of intelligent and interactive file write operations that allow you to retry when running out of drive space, after you have freed up more space, without data loss, for volume snapshots and search hits.

  • Support for ShellBags and related data structures in registry viewer and report even further improved.

  • Already in the original v16.1 release: Fixed an instability error that could occur in v15.6 through v16.0 when reading from (true) ISO images.

  • Some minor improvements.

SR-2:

  • The keyboard shortcuts for report table associations were not correctly saved in recent releases. This was fixed.

  • .eml files will now be decoded for logical searches even when searching for 7-bit ASCII characters only, if one of those characters might be specially encoded in quoted-printable.

  • The behavior of the "Attach external directory" command in the directory browser context menu has changed slightly.

  • Improved compatibility with new viewer component version 8.3.7.

  • Fixed an internal directory naming error that occurred when adding dynamic volumes to a case newly created by v16.1.

SR-3:

  • SR-2 was unable to explore archives and reported this properly. Also, when it tried, Windows sometimes showed the error message "Bad image". That was fixed.

  • Ability to extract attachments from certain .eml files that were not processed by earlier releases.

SR-4:

  • Fixed errors in Exchange EDB extraction.

  • Prevented an exception that could occur when naming certain carved JPEG files.

  • Accelerated loading of registry hives.

  • Decoding of V values of the SAM hive directly in the registry viewer.

  • Error fixed that could prevent the output of registry reports.

  • Registry report: Modification dates are now displayed in gray for values that are not the only values in their respective key, as a visual aid to remind the reader that they are not the modification dates of the values.

  • Additional information output in registry report.

  • Several minor improvements.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

 

#122: WinHex, X-Ways Forensics, X-Ways Investigator 16.1 released

Jul 17, 2011

This mailing is to announce the release of a noteworthy update, v16.1.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can conveniently find all older versions for download if needed.

Please be advised that if you are interested in receiving information about service releases of v16.1 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net.


Upcoming X-Ways Forensics & File Systems Training

London, UK: Oct 25-27, 2011
Hong Kong: Nov 1-3, 2011
More information
Events are also posted on our Facebook page.


What's new in v16.1?

  • X-Ways Forensics can now process Exchange EDB databases and extract user mailboxes with their e-mail, attachments, contacts, appointments and tasks. Requires X-Ways Forensics to run under Windows Vista or later. Still in a testing stage, and can be very slow for huge databases.

File editing and tools

  • Ability to edit files without using operating system file write commands, directly on a disk/in a raw disk image in any supported file system, even if not supported by Windows, even files not seen by Windows (e.g. deleted files), even in partitions not seen by Windows (e.g. because they are damaged or deleted), without changing any timestamps or attributes, in in-place mode. For this new editing capability, the file must be opened from within the already opened volume that contains it, via the Open command in the directory browser context menu or in File mode (forensic license only). Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be edited, except in an evidence file container if they have been copied there from the original disk/image.

    Previously it was only possible to edit files when opened via File | Open, using operating system file write commands or indirectly by editing disk sectors. In File mode (forensic license only) and when opening files from within already opened volumes, the only available mode so far was read-only mode. All of this has changed. Note that files cannot be shortened or expanded that way, only the data in already allocated areas can be modified. Editing files opened directly from within disks/raw images as described above is possible in WinHex only, not in X-Ways Forensics or X-Ways Investigator, where sector level write access (to which file editing is internally translated) is disabled and where the only mode available for disks and interpreted images and files opened from within volumes continues to be read-only mode. For owners of a license for X-Ways Forensics, this change only affects the special WinHex version that they receive additionally, not X-Ways Forensics itself.

    In forensic computing, electronic discovery and IT security, the new edit capability can be helpful to manually redact (e.g. overtype) specific data that should not be examined/disclosed/seen or to securely erase specific areas within files (e.g. define them as a block and fill the block). Note that evidence file containers are raw images if they have not been converted to the .e01 evidence file format and thus allow for retroactive file editing, which, however, will invalidate any accompanying hash values. It is even possible to edit directories, i.e. the clusters with directory data, e.g. INDX buffers in NTFS, for example if you need to redact the names of certain files.

  • New file wiping functionality for files and directories that are selected in the directory browser, via a command in the context menu. The data in the logical portion of a file (i.e. excluding the file slack) and the major data structures of a directory (such as INDX buffers in NTFS and directory entries in FAT) will be erased/overwritten with a hex value pattern of your choice. The existence status of the file in its file system will not be changed. No file system level metadata such as timestamps or attributes will be updated because no operating system file level write commands are used. No file system data structures are changed, and no filenames will be erased, only the contents of files will be overwritten. Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be erased. Previously existing files whose clusters are known to have been reused will not be erased. Note that by erasing deleted files you might erase data in clusters that belong to other files, so only select existing files if you want to avoid that (assuming consistent file systems). Also note that by erasing carved files you may erase too much or not enough data, depending on the detected file size and depending on whether the file was originally fragmented. This functionality is only available in WinHex, not in X-Ways Forensics.

    Useful for example if copies of images are forwarded to investigators/examiners who are not allowed to see the contents of certain files. Useful also if you have to return computer media on which child pornography has been found to the owner after clearing these files. Also useful if you are preparing images for training purposes that you would like to publish and would like to retroactively erase the contents of copyrighted files (e.g. operating system or application program files).

    Both successfully erased files and files that could not be successfully erased will be added to separate report tables by which you can filter to verify the result.

  • Cool new function to create hard links of files on NTFS volumes. Useful for example to play around with hard links during our File Systems Revealed training, or if you would like to add the same image to the same case again, which is only possible under a different name. The hard links will be created in the same directory and of course can be renamed and moved by you after they have been created. Tools | Disk Tools | Create Hard Link.

Case management

  • More powerful and convenient batch processing thanks to an option to automatically trigger logical searches (previously only indexing) after volume snapshot refinement and thanks to an option to trigger the volume snapshot refinement (and therefore indirectly also logical searches) immediately after adding images to the case. That means you click through all the dialog windows initially and then run the selected operations without further user interaction. The operations will be run in this order: First all images are added to the case. Then the volume snapshots will be taken and refined if selected. After that, for selected evidence objects (previous or newly added ones) a logical search will be run if selected. Finally for each selected evidence object an index can be created.

  • Ability to invoke the menu commands to refine volume snapshots and run logical searches in selected evidence objects even when no data window is open at that time. As always, these operations will open data windows themselves when needed and close them automatically when no longer needed, to avoid unnecessary main memory utilization by loaded volume snapshots.

  • A new case tree context menu command that allows you to export any portion of the tree to a Unicode text file. The tree will be represented exactly in its current state of expansion and can span all evidence objects. To export a subtree, right-click a directory while holding the control key. Use a fixed-width font to view the text file. Remember to fully and recursively expand the portion of the tree that you want to export: you can click the root of that portion and press the asterisk (multiplication) key on the numeric keypad.

  • Ability to change the order of evidence objects in the case tree, via the properties dialog window, except for "dependent" evidence objects (partitions that belong to a physical disk).

  • Shorter and language-independent case subdirectory names in all cases created by v16.1 and later.

  • More convenient procedure when the path or drive letter of an image in a case has changed, especially if the image was added to the case in v16.1 and later and you have updated the standard directory for images in the General Options already.

  • Notification when opening a case if it can only be opened as read-only because of the read-only file attribute or because of insufficient file permissions.

Images

  • Ability to interpret VMware's Virtual Machine Disk images (VMDK) in addition to .e01 evidence files, raw/dd images, ISO images and VHD images.

  • Ability to automatically hibernate the system after disk imaging, image restoration and disk cloning. (Previously the only option was to shut down the system.) If Windows signals that hibernation fails, X-Ways Forensics will instead try to shut down the system.

  • Imaging with compressed .e01 evidence files as the output format accelerated for disks that contain large areas of binary zeroes, for example because they were wiped by the user at some time or zeroed out by the manufacturer and never completely filled.

  • New "sparse" compression option for .e01 evidence files that only compresses large areas of zero value bytes in a very efficient way.

  • Additional information included in imaging log.

Registry viewer

  • Additional edit window in the registry viewer that tells you the logical size of the selected value and the size of its slack. It also interprets registry values of the following types, as known from the registry report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order (menu), ViewView2, SlowInfoCache, IconStreams (Tray notifications), UserAssist, Timestamps (FILETIME, EPOCHE, Epoche8), MountedDevices, OpenSavePidlMRU, LastVisitedPidlMRU, and more. The new edit window now also displays the access rights/permissions of the registry keys if (Default) is selected.

  • New special table "External Memory Device" included in registry report that can be retrieved from Software hives of Windows Vista and later that lists external media with access timestamps, hardware serial number, volume label, volume serial number and volume size (size often only under Vista). Select the definition file "Reg Report Devices.txt" to get the table.

  • New special table in the registry report called "Browser Helper Objects", compiled with data from the hives NTUSER.DAT and SOFTWARE, about browser usage.

  • New Export List command in the registry viewer context menu allows you to export all values in the selected hive to a tab-delimited text file.

  • Several small improvements in the registry viewer/report.

Miscellaneous

  • New version of the internally used graphics viewing library.

  • New version of the internally used library for archive decompression.

  • Many additional file signature definitions, mostly for file type verification only.

  • The thorough file system data structure search will now check INDX buffers for index records referencing existing files that are no longer referenced in the $MFT because the $MFT is in a corrupt or incomplete state, for example because the image is incomplete.

  • The metadata extraction functionality has been removed from the directory browser context menu. It is now part of the Refine Volume Snapshot command and thus cannot be applied to selected files any more, but to either all files, tagged files or not hidden files.

  • You can now conveniently close viewer windows (whose contents are provided by the viewer component) by hitting the Esc key on your keyboard.

  • It is now possible to close filter dialogs by clicking the "x" in the upper right corner or by pressing Alt+F4 without deactivating the filter if it is active and without losing the selection and scroll position in the directory browser.

  • When using the Recover/Copy command and the output filename has to be shortened to fit in the maximum path length specified by the user, the filename is now shortened in a nicer way, by preserving the extension whenever possible. (forensic license only)

  • Indexing slightly accelerated.

  • Many minor improvements.


Changes of v16.0 SR-1 to SR-11:

SR-1

  • In the original release it was not possible to change the codepage for the text column. That was fixed.

SR-2

  • Fixed a number notation issue that was present on the first execution of the program with a fresh installation only.

SR-3

  • Filenames are now maintained whenever possible when copying files off the evidence objects for inclusion in the case report.

  • Larger Windows system fonts now have an effect also on the directory browser.

  • WinHex and X-Ways Forensics never supported recognition of date order if the date format was specified in Windows with only single-digit days or months (e.g. d.m.yyyy or m/d/yy). That was fixed.

  • Script command "Find" can now run a case-insensitive search even if the search term is a variable.

SR-4

  • The style "level 5 forward parity dynamic" could not be selected when reconstructing RAIDs since v15.8. That was fixed.

  • Exception errors avoided in metadata extraction.

  • In v16.0, X-Ways Forensics did not correctly resolve usernames when adding evidence objects with Windows installations to the case. That was fixed.

SR-5

  • File header signature searches in v16.0 did not find file types whose signatures were defined at relative offsets larger than 0. That was fixed.

  • Unicode support in registry hives further completed, now also covers usernames and the Owner column in the directory browser.

  • Support for Windows Image Acquisition folder MRU in registry report.

  • The option to not overwrite an already existing index when starting to index again did not work. That was fixed.

SR-6

  • Memory leak in file header signature search of v16.0 fixed.

  • Some minor improvements in registry hive processing.

SR-7

  • Registry report further improved. One exception error fixed.

  • Small memory leak in file header signature search fixed.

  • Some minor improvements.

SR-8

  • Fixed memory leak in particularly thorough file system data structure search for ReiserFS file systems.

  • Some memory-intensive functions were slow in SR-7. That was fixed.

  • Minor fix for dealing with NTFS volumes in excess of 2 TB.

  • Some minor improvements.

SR-9

  • Support for larger sector numbers in Tools | Disk Tools | Set Disk Parameters.

  • Special registry table "Attached devices by serial number" was incomplete in v16.0 SR-8. That was fixed.

  • Able to cope with certain malformed multi-part e-mail messages.

SR-10

  • Fixed a problem with illegal filenames when copying files off the image for inclusion in the report.

  • Updated registry report definition files.

  • Ability to extract creation dates from e-mail messages with a Microsoft FILETIME date.

SR-11

  • An error was fixed in the file header signature search in v16.0 that could occur with some signatures when searching at the byte level.

  • Avoided a rare error that could apparently occur when interpreting evidence file containers that contained files without names.

  • Avoided an exception error that could occur when taking a snapshot of large Ext4 volumes with many inodes and small blocks.

  • Disk cloning did not report the complete number of sectors copied correctly if over 2 TB. That was fixed.

  • Ready to open case files created by v16.1.

  • Some minor fixes and improvements.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

 

#121: WinHex, X-Ways Forensics, X-Ways Investigator 16.0 released

Apr 26, 2011

This mailing is to announce the release of a noteworthy update, v16.0.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can now conveniently find all older versions for download if needed.

Please be advised that if you are interested in receiving information about service releases of v16.0 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net.

Upcoming X-Ways Forensics & File Systems Training

London, UK: May 9-13, 2011
Washington DC: May 23-27, 2011
Hong Kong: Nov 1-3, 2011
More information
Events are also posted on our Facebook page.


What's new in v16.0?

  • There is no performance penalty any more for selecting many or all file types for the file header signature search. File header signature searches are now considerably faster and basically limited in speed only by the medium from which the data is read.

  • Tools | Disk Tools | Clone Disk now allows for reverse disk cloning and reverse disk imaging (requires a specialist or forensic license). Useful if the disk to acquire has severe physical defects that for example cause a disk imaging program or the entire Windows system to freeze or crash when reaching a certain sector. In such a case you can create an image in reverse order, by reading sectors from the end of the disk backwards, and it is even possible to automatically fill an existing incomplete ordinary ("forward") image additionally backwards to get an image that is as complete as possible, with only a small zeroed gap somewhere in the middle that represents the unreadable damaged spot on the source hard disk. Yes, X-Ways Forensics is quite a sophisticated disk imaging tool not only because of its speed, and we would like to remind everyone that additional dongles just for disk imaging are available for much less than the cost of a full license (see here).
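To make the reverse-imaging idea above concrete, here is an added Python simulation (not X-Ways code): a forward pass stops at the first unreadable sector, a reverse pass reads from the last sector backwards into the same incomplete image, and what remains between the two stopping points is a zeroed gap. The disk contents, sector size and bad sector numbers are constructed for the example.

```python
"""Constructed demo of forward + reverse imaging around an unreadable area."""

SECTOR = 512  # constructed: 512-byte sectors


class FlakyDisk:
    """Stand-in for a source disk with physically unreadable sectors (constructed)."""

    def __init__(self, data: bytes, bad_sectors: set):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = bad_sectors
        self.sectors = len(data) // SECTOR

    def read(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError(f"read error at sector {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def image_forward(disk: FlakyDisk) -> bytearray:
    """Ordinary ("forward") imaging: copy sector 0, 1, 2, ... and stop at the
    first read error. The result is a partial image, shorter than the disk."""
    out = bytearray()
    for lba in range(disk.sectors):
        try:
            out += disk.read(lba)
        except IOError:
            break
    return out


def fill_backwards(disk: FlakyDisk, partial: bytearray) -> bytearray:
    """Reverse imaging into an existing incomplete forward image: pad the
    image to full disk size with zeroes, then read from the last sector
    backwards until a read error. Sectors never read stay zero, so the
    unreadable region shows up as a zeroed gap in the middle. If the disk
    has several separate bad areas, readable sectors between them are also
    left zeroed, because the reverse pass stops at its first error."""
    full_size = disk.sectors * SECTOR
    have = len(partial) // SECTOR  # sectors the forward pass managed to read
    image = bytearray(partial) + bytes(full_size - len(partial))
    for lba in range(disk.sectors - 1, have - 1, -1):
        try:
            image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read(lba)
        except IOError:
            break
    return image


def zero_gap(image: bytearray):
    """Return (first, last) sector number of the all-zero region left behind,
    or (-1, -1) if the image has no all-zero sector."""
    zero = bytes(SECTOR)
    zeros = [i for i in range(len(image) // SECTOR)
             if image[i * SECTOR:(i + 1) * SECTOR] == zero]
    return (zeros[0], zeros[-1]) if zeros else (-1, -1)


def demo():
    # Constructed 16-sector disk; sector i is filled with the byte i+1, so no
    # readable sector is all-zero and the gap is unambiguous. Sectors 7 and 8
    # are the "damaged spot".
    data = b"".join(bytes([i + 1]) * SECTOR for i in range(16))
    disk = FlakyDisk(data, bad_sectors={7, 8})
    forward = image_forward(disk)            # sectors 0..6 only
    merged = fill_backwards(disk, forward)   # adds sectors 15..9, zero gap at 7..8
    return len(forward) // SECTOR, merged, zero_gap(merged)


if __name__ == "__main__":
    got, img, gap = demo()
    print(f"forward pass read {got} sectors; merged image has {len(img) // SECTOR} "
          f"sectors with a zeroed gap at sectors {gap[0]}..{gap[1]}")
```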

  • With the additional dongles for X-Ways Forensics just for disk imaging (details) you can now additionally use the Tools | Disk Tools | Clone Disk functionality.

  • Ability to interpret data in the text column as text encoded in an arbitrary code page. That is very useful for East Asian code pages, Eastern European code pages and UTF-8 if the text is found outside of files that can be nicely viewed by the viewer component, e.g. floating around in free drive space. The character set/code page for the text column can now be selected via View | Character Set. Please note that you may need to select a font in General Options that contains all characters that you intend to read, and for East Asian characters you need to have support for these kinds of languages installed in Windows. The ability to select the character set/code page for Disk/Partition/File mode is now tentatively available also in X-Ways Investigator.

  • Ability to view Windows Vista and Windows 7 event log files (.evtx), based on work by Andreas Schuster.

  • Completely revised and more robust registry hive handling. Ability to find deleted keys and values in hives that contain unused space and lost keys/values in damaged/incomplete hives. In the report, deleted values are highlighted in red. If no complete path is known for keys, they will be listed as children of a new virtual key called "Path unknown".

  • Analysis of free space in registry hives with the report definition file "Reg Report Free Space.txt". The free space can be as large as several MB, especially as a consequence of the use of virus scanners and registry cleaning programs.

  • Registry value slack has a relevant size in NTUSER.DAT hives. This fact is now exploited with 2 measures:

    1) If the slack contains text strings, it will be output in the registry report (in green). This new feature can optionally be turned off in the registry viewer context menu.

    2) For values that contain item lists (i.e. are binary), you can use the "Reg Report Free Space.txt" definitions to have the registry report output lists of filenames with timestamps in green. The first timestamp is an access date, the second one is a creation date. If no timestamps can be output, these are artifacts from "RecentDocs".
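Why value slack carries recoverable strings, as an added Python illustration that is not X-Ways code: a hive data cell begins with a signed 32-bit size (negative when allocated, rounded up to a multiple of 8, header included), and the value's logical data length is stored separately in its vk record. When a value is rewritten shorter in the same cell, the bytes between the new data length and the cell end keep the old contents. The cell below, the paths in it and the data length handed to the helper are constructed.

```python
import re
import struct


def split_cell(buf: bytes, offset: int):
    """Split one hive cell at `offset` into (allocated, payload). The cell
    starts with an int32 size; negative means in use, positive means free.
    abs(size) covers the 4-byte header, so the payload is abs(size) - 4 bytes."""
    (size,) = struct.unpack_from("<i", buf, offset)
    payload = buf[offset + 4:offset + abs(size)]
    return size < 0, payload


def value_slack(buf: bytes, offset: int, data_len: int):
    """Return (logical data, slack) of a data cell. `data_len` is the value's
    logical length as recorded in its vk record; everything in the cell payload
    beyond it is slack that the registry API never shows."""
    _allocated, payload = split_cell(buf, offset)
    return payload[:data_len], payload[data_len:]


def strings_in(blob: bytes, minlen: int = 4):
    """Printable ASCII and UTF-16LE runs, the way a text column would show them."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % minlen
    utf16_re = rb"(?:[\x20-\x7e]\x00){%d,}" % minlen
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, blob)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(utf16_re, blob)]
    return found


def make_data_cell(new_data: bytes, old_contents: bytes) -> bytes:
    """Construct an allocated data cell that once held `old_contents` and was
    then overwritten in place with the shorter `new_data` (constructed input)."""
    need = 4 + max(len(new_data), len(old_contents))
    size = -((need + 7) // 8 * 8)          # 8-byte aligned, negative = allocated
    payload = bytearray(old_contents.ljust(abs(size) - 4, b"\x00"))
    payload[:len(new_data)] = new_data
    return struct.pack("<i", size) + bytes(payload)


def demo():
    # Constructed: a REG_SZ-style value that used to hold a long document path
    # and now holds a short one. The vk record would say data length 28.
    old = "C:\\Users\\alice\\Documents\\budget_2011.xlsx".encode("utf-16-le") + b"\x00\x00"
    new = "C:\\temp\\a.txt".encode("utf-16-le") + b"\x00\x00"
    cell = make_data_cell(new, old)
    data, slack = value_slack(cell, 0, len(new))
    return data.decode("utf-16-le").rstrip("\x00"), len(slack), strings_in(slack)


if __name__ == "__main__":
    current, slack_len, leftovers = demo()
    print(f"value data: {current!r}; {slack_len} bytes of slack containing {leftovers}")
```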

  • The registry viewer now allows you to recursively explore all the keys and values in a hive and sort them in chronological order.

  • The search function in the registry viewer is now more thorough and robust.

  • Better Unicode support in the registry report for registry hives from computers in Asia.

  • Tray notification artifacts from Windows 7 registry hives are now supported and decoded. The timestamps render these artifacts useful for computer forensics. Further improved support for shell bags.

  • Windows registry report: New data type %I (ITEM list) covers not only Shell Bag (as in previous versions), but also for example desktop shortcuts. Format adjusted for Windows Vista and 7.

  • Ability to customize the notation of dates, times, and numbers (see new button in Options | General). Useful to be independent of the settings of the live system that you want to preview. Ability to display years with 2 digits only.

  • The option to display fractions of seconds in high resolution timestamps has been moved from the directory browser options to the new notation options. The option to display the time zone bias has also been moved to the notation options.

  • Ability to open an evidence object even if the disk or image is not currently available, via a special command in the evidence object's context menu, to see the volume snapshot. That means you can see all the file metadata stored in the volume snapshot (filename, path, file size, timestamps, attributes, etc.), can use all filters etc., but cannot see any data in sectors and cannot open/view any files.

  • Improved thumbnails extraction from Windows Vista's and Windows 7's thumbcache_*.db files. Ability to assign original filenames, file paths, and modification timestamps to certain thumbnails that were previously just named with a 16-digit hex number.

  • When switching from File mode to Partition/Volume mode, X-Ways Forensics will now automatically point you to the offset from the point of view of the partition/volume that is equivalent to the offset within the file where the cursor was positioned last, even if the file is fragmented, if there is an equivalent position (not if the file is a compressed or virtual attached file or an extracted e-mail message or an exported video still etc.).

  • Ability to specify the directory in which to create a case when creating a new case, for that particular case only.

  • Directories with search hits that are copied from a search hit list now receive a special name when they are created as files in the output folder.

  • Sorting by search term count column has been accelerated.

  • Fixed an exception error that could occur when extracting metadata from carved MP4 and ASF files.

  • Hash database functions internally reworked. When importing the NSRL RDS hash database, X-Ways Forensics now checks for records with the flags "s" (special) and "m" (malicious) so that these hash values are not erroneously included in the same internal hash set that should be categorized as irrelevant.
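An added Python sketch (not X-Ways code) of the import rule described above: records in the NSRL RDS NSRLFile.txt carry a "SpecialCode" column, and a hash flagged "M" (malicious) or "S" (special) must not end up in the set that is later treated as irrelevant, even if the same hash also appears unflagged in another product. The header line follows the published RDS layout; the records and hash values below are constructed.

```python
import csv
import io

# Header of the NSRL RDS NSRLFile.txt; the records that follow are constructed samples
# (hash values are obviously fake placeholders, not real NSRL data).
NSRL_SAMPLE = """\
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"1111111111111111111111111111111111111111","11111111111111111111111111111111","11111111","notepad.exe","193536","1001","WIN7",""
"2222222222222222222222222222222222222222","22222222222222222222222222222222","22222222","calc.exe","897024","1001","WIN7",""
"3333333333333333333333333333333333333333","33333333333333333333333333333333","33333333","sample.exe","40960","1002","WIN7","M"
"3333333333333333333333333333333333333333","33333333333333333333333333333333","33333333","sample.exe","40960","1003","WINXP",""
"4444444444444444444444444444444444444444","44444444444444444444444444444444","44444444","diskcheck.exe","61440","1004","WIN7","S"
"""

CODE_TO_SET = {"M": "malicious", "S": "special"}


def import_rds(text: str) -> dict:
    """Split RDS records into three internal hash sets by SpecialCode. Any hash
    flagged malicious or special anywhere in the file is removed from the
    irrelevant set, so a duplicate unflagged record cannot whitelist it."""
    sets = {"irrelevant": set(), "special": set(), "malicious": set()}
    for row in csv.DictReader(io.StringIO(text)):
        sha1 = row["SHA-1"].strip().upper()
        code = row["SpecialCode"].strip().upper()
        sets[CODE_TO_SET.get(code, "irrelevant")].add(sha1)
    sets["irrelevant"] -= sets["malicious"] | sets["special"]
    return sets


def classify(sets: dict, sha1: str) -> str:
    """Look a file hash up in the imported sets; flagged sets take precedence."""
    sha1 = sha1.upper()
    for name in ("malicious", "special", "irrelevant"):
        if sha1 in sets[name]:
            return name
    return "unknown"


if __name__ == "__main__":
    hs = import_rds(NSRL_SAMPLE)
    for name, members in hs.items():
        print(f"{name}: {len(members)} hash(es)")
    print(classify(hs, "3" * 40))  # the hash that appears both flagged and unflagged
```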

  • It is now possible to abort lengthy sort operations. The directory browser is now unsorted after start-up by default. This new behavior can be turned off in the directory browser options.

  • The grouping options now have an effect even if the directory browser is not sorted.

  • The report table filter has a new option that allows you to additionally include siblings of the associated files, i.e. files in the same directory as the files that are part of the selected report table(s). Useful, especially when exploring recursively and sorting by path, to check whether there are any further notable files in the neighborhood.

  • Ability to optionally also add any known duplicates of the selected file(s) in the same evidence object to a report table (files which have been identified as duplicates based on hash values and marked as such in the Attr. column).

  • New investigator.ini option +38 allows to prevent imports of report table associations.

  • Ability to identify animated GIFs. Animated GIFs will be added to a special report table during the file type verification.

  • Support for two new zip subtypes: APK Android smartphone packages and KEY Apple iWork Keynote presentation files.

  • Many minor improvements.


Changes of v15.9 SR-1 to SR-8:

SR-1:

  • General support for sector sizes up to 8 KB (previous maximum: 4 KB).

  • Support for GPT partitioning on media with 4 KB and 8 KB sector sizes.

  • Ability to deal with HFS+/HFSX volumes on media with sector sizes larger than 2 KB, as seen in iPhones and iPads.

  • Ability to auto-detect the sector size in raw images of GPT-partitioned disks with sector sizes of 4 KB and 8 KB.

  • Ability to auto-detect the sector size in most raw images of MBR-partitioned disks with a sector size of 4 KB.

  • Partial progress of volume snapshot refinements is now saved when the case auto-save interval elapses.

SR-2:

  • The "List 1 hit per file only" option did not work correctly in v15.9. This was fixed.

  • Improved function to delete duplicate search hits. When in doubt, X-Ways Forensics will now keep the longer search hit (as a hit for "Smithsonian" for example is more specific than "Smith") and favors search hits in existing files.

  • Accelerated time to list millions of search hits.

  • The Open Disk dialog window was wrong when not working with a case. That was fixed.

SR-3:

  • The hash set filter did not work in v15.9. That was fixed.

  • Avoided an exception error that could occur under certain circumstances when running a byte-level signature search.

  • If the context preview of search hits in files in large archives is too slow, it can now be disabled by unselecting the existing option "Gallery: Show pictures in archives".

SR-4:

  • Avoided an exception error that could occur when the case root window was automatically opened at start-up.

  • Avoided (potentially annoying, but harmless) messages that could be displayed by Windows when working with images on write-protected drives.

  • Fixed an error that could occur when loading volume snapshots with more than 6 million objects.

  • Drive letters were missing in the special tables of the registry report in earlier releases of 15.9. That was fixed.

SR-5:

  • With the new search algorithm, GREP expressions of variable length were found in v15.9 with their shortest matches instead of their longest possible matches as before. This was changed.

SR-6:

  • Avoided an exception error that occurred in v15.9 SR-5 when trying to refine the volume snapshot without a case.

  • Fixed erroneous disappearance of partitions in the case tree when removing hidden items from the volume snapshot of a physical disk.

  • Avoided an exception error that could occur when starting to use the Recover/Copy functionality.

  • Fixed an error that occurred with .e01 evidence files that have more than 775 segments.

  • Japanese translation updated.

SR-7:

  • HFS+ partition size detection on disks with Apple partition table fixed.

  • Ability to deal with volumes with cluster sizes of more than 128 sectors, which seem to be not uncommon in the exFAT file system.

  • Fixed an exception error that could occur in certain situations with the new v15.9 search algorithm.

  • In WinHex 15.7 through 15.9 with a specialist license, the simultaneous search function was unable to run a case-insensitive search correctly. That was fixed.

  • Improved handling of the internal volume snapshot files if reading or writing these files fails because of insufficient drive space or other system resources, file system errors, or other reasons.

  • More complete assignment of drive letters in the "Attached Devices" section of the registry report.
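
To show where the exFAT cluster size comes from and why it can exceed the 128-sector limit familiar from FAT, here is an added Python example (not X-Ways code). It parses the geometry fields of an exFAT boot sector, enforces the 32 MiB cluster bound from the exFAT specification, and maps a cluster number to a byte offset. The boot sector is constructed inside the example with only the fields the parser reads; the field offsets are those of the published exFAT layout.

```python
import struct

EXFAT_MAX_CLUSTER_BYTES = 1 << 25      # 32 MiB, the largest cluster the exFAT specification allows
FAT_MAX_SECTORS_PER_CLUSTER = 128      # FAT12/16/32: one-byte field, legal values 1..128 (powers of two)

def make_exfat_boot_sector(bytes_per_sector_shift=9, sectors_per_cluster_shift=8,
                           cluster_heap_offset=0x1000, cluster_count=0x10000) -> bytes:
    """Constructed sample boot sector (not from a real volume); only fields read below are filled."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x76\x90"                 # JumpBoot
    bs[3:11] = b"EXFAT   "                    # FileSystemName
    struct.pack_into("<QQIIIIIIHHBBBBB", bs, 64,
                     0,                       # PartitionOffset
                     0x1000000,               # VolumeLength (sectors)
                     0x800, 0x800,            # FatOffset, FatLength (sectors)
                     cluster_heap_offset,     # ClusterHeapOffset (sectors)
                     cluster_count,           # ClusterCount
                     4,                       # FirstClusterOfRootDirectory
                     0x12345678,              # VolumeSerialNumber
                     0x0100, 0,               # FileSystemRevision 1.00, VolumeFlags
                     bytes_per_sector_shift, sectors_per_cluster_shift,
                     1, 0x80, 0)              # NumberOfFats, DriveSelect, PercentInUse
    bs[510:512] = b"\x55\xAA"                 # BootSignature
    return bytes(bs)

def parse_exfat_boot_sector(bs: bytes) -> dict:
    """Return the cluster geometry of an exFAT boot sector, rejecting out-of-spec values."""
    if len(bs) < 512 or bs[3:11] != b"EXFAT   " or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an exFAT boot sector")
    (_, volume_length, fat_offset, fat_length, heap_offset, cluster_count, root_cluster,
     _, _, _, bps_shift, spc_shift) = struct.unpack_from("<QQIIIIIIHHBB", bs, 64)
    if not 9 <= bps_shift <= 12:
        raise ValueError(f"BytesPerSectorShift {bps_shift} outside 9..12")
    cluster_bytes = 1 << (bps_shift + spc_shift)
    if cluster_bytes > EXFAT_MAX_CLUSTER_BYTES:
        raise ValueError(f"cluster size {cluster_bytes} exceeds 32 MiB")
    return {
        "bps_shift": bps_shift,
        "spc_shift": spc_shift,
        "bytes_per_sector": 1 << bps_shift,
        "sectors_per_cluster": 1 << spc_shift,      # may well exceed 128 on exFAT
        "cluster_size_bytes": cluster_bytes,
        "cluster_heap_offset": heap_offset,
        "cluster_count": cluster_count,
        "root_cluster": root_cluster,
        "exceeds_fat_limit": (1 << spc_shift) > FAT_MAX_SECTORS_PER_CLUSTER,
    }

def is_sane_exfat_boot_sector(bs: bytes) -> bool:
    try:
        parse_exfat_boot_sector(bs)
        return True
    except ValueError:
        return False

def cluster_to_byte_offset(geom: dict, cluster: int) -> int:
    """Byte offset (relative to the volume start) of a cluster; numbering starts at 2."""
    if cluster < 2 or cluster > geom["cluster_count"] + 1:
        raise ValueError(f"cluster {cluster} outside the cluster heap")
    sector = geom["cluster_heap_offset"] + ((cluster - 2) << geom["spc_shift"])
    return sector << geom["bps_shift"]

if __name__ == "__main__":
    geom = parse_exfat_boot_sector(make_exfat_boot_sector())
    print(geom)
    print("cluster 5 starts at byte offset", cluster_to_byte_offset(geom, 5))
```

The constructed sector uses 512-byte sectors and a shift of 8, i.e. 256 sectors (128 KiB) per cluster, which a parser that stores sectors per cluster in a byte or caps it at 128 would misread.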

SR-8:

  • Internal technical information about .e01 evidence files could previously be included more than once in the evidence object properties. That was fixed.

  • Windows 7-compatible import of regional settings (date format).


What to expect in v16.1?

Support for Exchange EDB e-mail databases, and more! Please check the forum for a preview version next week!


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany


#120: WinHex, X-Ways Forensics, X-Ways Investigator 15.9 released

Jan 25, 2011

This mailing is to announce the release of a noteworthy update, v15.9.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more.

Please be advised that if you are interested in receiving information about service releases of v15.9 when available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net.


Upcoming X-Ways Forensics & File Systems Training

London, UK: May 9-13, 2011
More information
Events are also posted on our Facebook page.


What's new in v15.9?

  • Three main improvements were already announced in newsletter issue #119b for v15.9 Beta:
    1) the sophisticated new search algorithm that tremendously accelerates conventional (non-index) searches with many search terms and search variants,
    2) the new directory browser columns with search terms and search term counts,
    3) the greatly improved registry report.
    Since then, the following additional improvements have been made:

  • Ability to export report table associations created in an evidence file container, such that they can be imported back into the original case. That means when you split up the workload in large cases across multiple investigators who work simultaneously, you can now automatically and more easily reconcile their results!

  • It is also now possible to export report table associations from original evidence objects (not containers), so even when not working with containers, multiple examiners can work with their own copy of the same case and exchange results with each other or reconcile all results in the main copy of the case, all that by exporting and importing report table associations.

  • Both aforementioned commands, the export and import of report table associations, can be found in the context menu of the case tree. Export is supported at the case and evidence object level, import at the case level. Please note that you can no longer import report table associations into the original case if you have taken a new volume snapshot after creating the evidence file container(s) or if you have removed objects from the volume snapshot.

  • Ability to display the name of the evidence object in which SID/username combinations were found, if recorded.

  • Attachments can now be embedded in their respective .eml parent files also when creating a case report, not only when using the Recover/Copy command.

  • Embedding attachments in .eml files as Base64 code already at the time e-mails are extracted from e-mail archives had been discouraged for several years. That option has now been removed entirely, as it had become obsolete.

  • Ability to carve, confirm, and view Outlook 2011 for Mac e-mails and extract attachments from them.

  • Better prepared for certain PST files.

  • Filter for the new search term column introduced.

  • Displays the number of search hits that would be listed based on current settings for search terms if they were selected.

  • The standard registry report definition file was split into 8 parts, so that any time you create the report you can choose which parts you need. As before, you can change the definition files as you see fit, or create your own ones for specific purposes/for different kinds of cases.

  • When matching hash values against the hash database, X-Ways Forensics outputs a warning if a hash value is found in hash sets that belong to different categories (since v15.6). It is now guaranteed that in such a conflict the category returned is always "notable", so the classification errs on the side of flagging a file rather than dismissing it.

  • Ability to convert Motorola S-record files to binary even when the addresses they define span a range of more than 2 GB.

  • Several minor improvements.

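To make concrete what "a range of more than 2 GB" means for an S-record converter, here is an added Python example (not X-Ways code). It parses Motorola S-record lines (S0 to S9), verifies each record's length and checksum, checks the S5/S6 record count, and returns the data segments with their addresses as unsigned integers, so a record at 0xF0000000 stays positive. The sample records are constructed for this example. The `needs_64bit_offsets` check is illustrative only: it flags an address span that does not fit a signed 32-bit offset, the boundary at which a converter built on 32-bit offsets would start to fail.

```python
from typing import List, Optional, Tuple

Segment = Tuple[int, bytes]   # (start address, data)

# Width of the address field, in bytes, per record type (S4 is reserved and rejected).
ADDRESS_BYTES = {0: 2, 1: 2, 2: 3, 3: 4, 5: 2, 6: 3, 7: 4, 8: 3, 9: 2}

# Constructed sample: a header, 4 bytes at 0x100, 4 bytes at 0xF0000000,
# a record count of 2 and a 32-bit start address of 0xF0000000.
SAMPLE_SREC = """\
S00600004844521B
S3090000010001020304EB
S309F0000000DEADBEEFCE
S5030002FA
S705F00000000A
"""

def parse_record(line: str) -> Tuple[int, int, bytes]:
    """Return (type, address, data) for one record, or raise ValueError."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or not line[1].isdigit():
        raise ValueError(f"malformed record: {line!r}")
    rtype = int(line[1])
    if rtype not in ADDRESS_BYTES:
        raise ValueError(f"unsupported record type S{rtype}")
    body = bytes.fromhex(line[2:])            # count, address, data, checksum
    count = body[0]
    if len(body) != count + 1:
        raise ValueError(f"byte count {count} does not match record length")
    # Checksum is the one's complement of the low byte of the sum of the other bytes,
    # so the sum of every byte after the type, checksum included, must end in 0xFF.
    if sum(body) & 0xFF != 0xFF:
        raise ValueError(f"checksum mismatch in {line!r}")
    n = ADDRESS_BYTES[rtype]
    address = int.from_bytes(body[1:1 + n], "big")   # unsigned: 0xF0000000 stays positive
    return rtype, address, body[1 + n:-1]

def is_valid_record(line: str) -> bool:
    try:
        parse_record(line)
        return True
    except ValueError:
        return False

def parse_srec(text: str) -> Tuple[List[Segment], Optional[int]]:
    """Return the data segments sorted by address and the start address (if any)."""
    segments: List[Segment] = []
    start: Optional[int] = None
    data_records = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, address, data = parse_record(line)
        if rtype in (1, 2, 3):
            segments.append((address, data))
            data_records += 1
        elif rtype in (5, 6):                 # address field carries the data record count
            if address != data_records:
                raise ValueError(f"record count {address} != {data_records} data records")
        elif rtype in (7, 8, 9):              # termination record: execution start address
            start = address
        # S0 header records carry only a descriptive string and are ignored here.
    segments.sort(key=lambda seg: seg[0])
    return segments, start

def image_span(segments: List[Segment]) -> Tuple[int, int]:
    """Lowest address and one past the highest address covered by the segments."""
    lo = min(addr for addr, _ in segments)
    hi = max(addr + len(data) for addr, data in segments)
    return lo, hi

def needs_64bit_offsets(lo: int, hi: int) -> bool:
    """Illustrative: True if the span does not fit a signed 32-bit offset."""
    return hi - lo > 0x7FFFFFFF

def to_binary(segments: List[Segment], lo: int, hi: int, fill: int = 0xFF) -> bytes:
    """Flatten segments into one contiguous image of [lo, hi); caller chooses a range
    that fits in memory, sparse images with gigabyte gaps should be written per segment."""
    buf = bytearray([fill]) * (hi - lo)
    for addr, data in segments:
        if addr < lo or addr + len(data) > hi:
            raise ValueError(f"segment at {addr:#x} outside [{lo:#x}, {hi:#x})")
        buf[addr - lo:addr - lo + len(data)] = data
    return bytes(buf)

if __name__ == "__main__":
    segs, start = parse_srec(SAMPLE_SREC)
    lo, hi = image_span(segs)
    print(f"{len(segs)} segments, span {lo:#x}..{hi:#x} ({hi - lo} bytes), start {start:#x}")
    print("needs 64-bit offsets:", needs_64bit_offsets(lo, hi))
```

The sample spans almost 4 GB of address space while holding only 8 bytes of data, which is why the flattening step takes an explicit range: a converter that allocates the whole span, or stores it in a 32-bit signed offset, is exactly what breaks on such input.
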
Changes of v15.8 SR-5 to SR-7:

  • Recover/Copy: Now the same options that are known from the normal directory browser are also available when copying files from a search hit list. For example, you can automatically copy child objects of selected files and embed attachments in .eml parent files.

  • Error messages in message boxes are now additionally logged in messages.txt.

  • Fixed inability of v15.8 to correctly convert volume snapshots of certain earlier versions.

  • Improved processing of .mht files.

  • Fixed a memory leak in e-mail extraction.

  • The external virus check did not work correctly (and informed the user about that) in v15.6 through v15.8. This was fixed.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany
