WinHex & X-Ways Forensics Newsletter Archive


#148: X-Ways Forensics, X-Ways Investigator, WinHex 18.6 released

Nov 11, 2015

This mailing is to announce the release of another notable update with many useful improvements, v18.6.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Northern California, Nov 30-Dec 4, 2015
London, England, Feb 29-Mar 3, 2016
London, England, Mar 15-23, 2016
Washington DC area, Apr 5-8, 2016
Southern California, Apr 11-19, 2016
Halifax, Canada, May 30-Jun 3, 2016

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, or Asia/Pacific.


Flexible Update Maintenance Terms

It is now possible to order perpetual licenses for X-Ways Forensics with an individual update maintenance period. You may want to choose, for example, the same update maintenance expiration date as that of your existing licenses, so that co-termed old and new licenses of the same type can be merged in our database into a single entry, for combined volume discounts the next time you upgrade them, and so that you can manage them together as a single group yourself. This is also useful to match the update maintenance period with your internal financial year or to better utilize the budget that you have available at this very moment.

Similarly, upgrades of existing licenses with new update maintenance may now be offered to you with an expiration date of your choice as well. Please enter your preferred new update maintenance expiration date on the More options page.


What's new in v18.6?
(please note that most changes affect X-Ways Forensics only)

Mounting As Drive Letter

  • X-Ways Forensics now has a function to mount the volume that is represented by the active data window as a Windows drive letter. Either entirely (if the command is invoked in the Specialist menu or in the case tree context menu for a whole volume) or partially (if applied to a directory or a file with child objects using the directory browser context menu or the case tree context menu). This allows for convenient and quick access to all files with external programs where necessary, without the need to copy the files to your own local drive letter first. Very efficient in particular if you wish to check a whole volume or directory or certain files with a virus scanner.

    Mounting works for all supported file systems, all supported partitioning methods and all supported image types (in X-Ways Forensics: raw images, .e01, VDI, VMDK, VHD, and of course evidence file containers), even for images within images, and also for partitions of physically attached disks formatted with a file system unknown to Windows. Access to all the files is completely read-only; mounting images or disk partitions will not change anything in the image or on the disk. To unmount a drive letter, simply invoke the mount command in any of the menus again and click the Cancel button.

    You can choose to see all existing and optionally all known deleted files from the volume in the drive letter, exactly the same files as known from the very thorough volume snapshot of X-Ways Forensics itself, which depends on whether you have refined it already or not. Optionally filtered out files can be omitted from directory listings. Child objects of files (files in files) are optionally exposed as well, presented as files in an artificial directory that has the same name as the parent file, with just a single character appended to render the name unique, as you may know it from the Recover/Copy command. By default, that suffix character is invisible, i.e. a Unicode character with no width, to make the path of the child objects look as original as possible. You may wish to replace that character with something else, e.g. an underscore, for example because you are working with an old external program that is not Unicode-capable. For that you need to remove the invisible character from the edit box first, for example by pressing the Backspace key, which works even if it does not have any visible effect. After that you can insert any other character.

    Previously existing files are listed optionally, and if listed, they are presented with the "hidden" attribute, so that they can be visually distinguished from existing files even in the Windows Explorer a.k.a. File Explorer. Virtual directories are presented in the same way. (Of course, hidden files are displayed in Windows only if you choose to see them, see Tools | Folder options | View.) Virtual files in a volume snapshot as well as internal files of the file system (e.g. $MFT in NTFS and Catalog in HFS+) are included optionally, and so are original names and locations of files that have been renamed/moved. Special objects like alternate data streams, extracted e-mails, video stills, embedded thumbnails, manual file excerpts, etc. are presented in the mounted drive as ordinary files. File slack is not exposed.

    Files with identical names in the same directory (e.g. 1 existing, 1 previously existing file, up to 16) are not problematic with mounting. Such files can be opened from within mounted volumes through the drive letter as if they had unique names.

    This function requires Windows 7 and later and the installation of a driver (which will be initiated when you use any of the mount commands for the first time) and the Microsoft Visual C++ 2013 Redistributable Package (which is not included in Windows by default and may need to be downloaded). That means that this particular part of X-Ways Forensics is not portable, but it's not a typical function for previews of live systems anyway.

  • Interactivity: Deleting a file in a volume mounted by X-Ways Forensics in Windows (e.g. in the Windows Explorer a.k.a. File Explorer) of course does not delete the file in the source image or on the source disk, but can optionally trigger one of the following actions in the volume snapshot:
    1) exclude the file in the volume snapshot
    2) mark the file as already viewed, or
    3) associate the file with a report table of your choice.
    The latter is very useful if you mount the volume in order to check the files for malware with an external virus scanner. Should the virus scanner delete or quarantine any of the files, X-Ways Forensics will sense the deletion in the directory and add the file to the specified report table. Note that if you manually move a file off the volume to some other drive letter this will trigger the same action, because that kind of moving is identical to copying followed by deletion. Moving a file within the same volume is not allowed.

    Renaming a file in a mounted volume in Windows also renames the file in the volume snapshot. (The original name is preserved and displayed in the directory browser additionally.)

  • Since v18.5 SR-3, WinHex can interpret evidence file containers with no more than 1,000 objects with any license type and even in the evaluation version, free of charge, and not only for evaluation purposes. As of WinHex 18.6, those containers can also be mounted as a drive letter without any license type and even in the evaluation version. (Subject to change.) If you acquire files logically in an evidence file container and pass the container on to other parties that do not have a license for X-Ways Investigator or Forensics, the recipients can now save money by mounting the container either for free or in WinHex Lab Edition (see below).

New Product Variant: WinHex Lab Edition

  • The new mount functionality is also available in a new product variant of WinHex called WinHex Lab Edition. In WinHex Lab Edition, all the functionality of a specialist license for WinHex will be available, plus the ability to run X-Tensions (except viewer X-Tensions), support for the same file systems as in X-Ways Forensics (i.e. HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, UFS, and XFS additionally), creation of evidence file containers and mounting. So WinHex Lab Edition bridges the gap between WinHex with a specialist license on the one hand and X-Ways Forensics on the other hand to some extent. Still, functionality-wise and price-wise it will be much closer to WinHex with a specialist license.

    For a product and license type comparison, please see this web page (updated, of course incomplete considering that there are hundreds or thousands of functions and options in X-Ways Forensics). Licenses for WinHex Lab Edition can be ordered online.

Description Column

  • The Description column now deserves much more attention. It has taken over many of the display responsibilities of the Attr. column that are not file system related, and also half of the Attr. column's filters. Additionally, it has taken over the previously column-independent filters from the Directory Browser Options dialog. This solution should be a little more intuitive and logical for new users (now all filters are column-based), and it clears up some space in the notoriously crowded Directory Browser Options dialog. The filter for carved files (previously in the column "1st sector") was also absorbed by the Description column.

  • A new filter setting in the Description filter allows filtering out virtual items, just like existing and previously existing items.

  • So the Description column's filter is now one of the most important filters. The quickest way to access the filter settings is to right-click the caption line of the directory browser. That shortcut is available even if the Description column is not visible on the screen or not displayed at all. A left click in the same line still quickly opens the directory browser options dialog.

  • The funnel symbol that represents the filter of the Description column has four possible colors: 1) Gray when inactive, as usual. 2) Gray with a very, very light tendency to blue, almost indistinguishable from gray, when the filter is theoretically on but would only filter out excluded files, and no excluded files are actually being filtered out currently because there are none. 3) Blue-gray when only excluded files are filtered out by the filter, and such files have actually been filtered out. 4) Ordinary blue if the Description filter is active and does not only target excluded files. This subdued color scheme was introduced because many users consider it rather "normal" that excluded files are filtered out, and thus an active filter that merely targets excluded files should not attract as much attention as other active filters.

  • The Description column is now more precise in revealing the object type (e.g. carved file, child object of a file, alternate data stream, video still, etc.) and the deletion status and other properties. Also, this column has become configurable. You can specify in the Notation Options dialog what information to convey in this column. That the settings of the Description column are part of the Notation Options means that you can have two different settings, one generally for the directory browser and the other one specifically for the Export List command. This is useful because in the exported list there are no icons that can help you to tell certain object types and their deletion status apart, unlike in the directory browser.

  • v18.6 (only this version) will not load the width of the (now more important) Description column from cases. That way nobody who starts using v18.6 and loads cases that were last saved by v18.5 or earlier with directory browser settings embedded will lose that column because they didn't use it before.

File Format Support

  • Revised detection of and protection against zip bombs. Newly introduced detection of and protection against recursive zip and gz archives and possibly other archive types. Protection means that processing stops at a certain nesting level once the malicious nature of the archive is detected. Archives identified in this fashion will be marked as already processed and added to a special internal report table. Please note that if afterwards you wish to manually dig deeper than the level at which the recursive automatic exploration stops, you can do so by marking the inner-most archive reached as still to be processed (by pressing Ctrl+Del) and then applying the Explore command in the context menu to it manually.
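    As an added illustration of the two checks described above (a nesting-depth limit for archives in archives and a compression-ratio test for zip bombs), here is example code written for this archive page, not X-Ways code. The depth limit and ratio threshold are assumed values, and all archives are constructed in memory.

```python
import io
import zipfile

# Limits assumed for this example (they are not X-Ways settings): the deepest
# archive-in-archive level that is still explored, and the declared/compressed
# size ratio above which a member is treated as a zip-bomb candidate.
MAX_NESTING_DEPTH = 3
MAX_COMPRESSION_RATIO = 100.0


def inspect_archive(data: bytes, depth: int = 0, path: str = "root.zip") -> list:
    """Explore a zip archive recursively and return a list of findings.

    Each finding is a (path, kind) tuple where kind is:
      "zip-bomb"  - the member's declared size is suspiciously large compared
                    with its compressed size (decided from the central
                    directory, so the member is never inflated)
      "recursive" - an archive nested deeper than MAX_NESTING_DEPTH; exploration
                    stops here and the archive is reported, mirroring the
                    "stop at a certain level" behaviour described above
    Data that does not parse as a zip archive is ignored rather than reported.
    """
    findings = []
    if depth > MAX_NESTING_DEPTH:
        findings.append((path, "recursive"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for info in zf.infolist():
        member_path = f"{path}/{info.filename}"
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > MAX_COMPRESSION_RATIO:
            findings.append((member_path, "zip-bomb"))
            continue  # do not inflate a suspected bomb
        if info.filename.lower().endswith(".zip"):
            findings.extend(inspect_archive(zf.read(info), depth + 1, member_path))
    return findings


# --- constructed sample archives (built in memory, not real evidence) ---

def make_zip(members: dict) -> bytes:
    """Build a deflated zip archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_nested_zip(levels: int) -> bytes:
    """Wrap a one-file archive inside `levels` further archives."""
    data = make_zip({"readme.txt": b"innermost file"})
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data


def build_bomb_zip() -> bytes:
    """One member of a million zero bytes, which deflate shrinks roughly 1000:1."""
    return make_zip({"zeros.bin": b"\x00" * 1_000_000})


if __name__ == "__main__":
    print(inspect_archive(build_nested_zip(5)))
    print(inspect_archive(build_bomb_zip()))
```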

  • More format variants of MP4, MOV, etc. supported for file carving and file consistency checks.

  • Support for Windows 10 registry hives and their new data types. (In previous versions of X-Ways Forensics, the registry report would be incomplete for a Windows 10 registry.) Some new registry report definitions for Windows 10.

  • Support for the new prefetch file format of Windows 10 in Preview mode, on Windows 8.1 and Windows 10 platforms. New file carving algorithm for those prefetch files.

  • Support for the new $I recycle bin files of Windows 10.

  • Extraction of the AppVersion field from new Office document types. Extraction of the absolute path of Office 2013 .xlsx files.

  • Unix and DOS attributes of files in zip archives are now output in Details mode in a decoded form.

  • Lists groups and group members in the registry viewer and registry report.

  • Photoshop metadata in JPEG pictures is now displayed nicely formatted in HTML tables. The relatively new printer metadata field has been added. Better support for UTF-8 encoded metadata. The most frequent IPTC fields now have a readable field name.

  • AppCompatCache entries of Windows 8.1 and Windows 10 registries are now supported. Those entries are relevant when analyzing program executions.

  • Output of the flag "Executed" of the Shim Cache (AppCompatCache) in the registry viewer. Potentially relevant for malware investigations.

  • Output of three timestamps of Google Analytics cookies in Details mode (first visit, previous visit, last visit). Analytics cookies have the filename extension .eiurl. They are encoded as a URL that references a GIF picture with a size of 1x1 pixel and can optionally be carved (cf. "Special interest" category).

  • Google Analytics last visit timestamps (URLs with "ie" timestamps) are now also provided as events when extracting embedded files from Google Chrome cache files. Useful in particular for users who do not regularly carve for URLs with "ei" timestamps at the byte level on the whole disk or partition, which is categorized as a "special interest" carving definition only.
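    The three visit timestamps mentioned in the two items above live in the __utma cookie, which the 1x1-pixel __utm.gif tracking request carries URL-encoded in its utmcc parameter. The decoder below is an added example for this archive page, not X-Ways code; the sample request URL is constructed, not a real capture.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def parse_utma(value: str) -> dict:
    """Decode a __utma cookie value.

    Format: <domain hash>.<visitor id>.<first visit>.<previous visit>.<current visit>.<visit count>
    where the three visit fields are Unix timestamps in seconds (UTC).
    """
    fields = value.split(".")
    if len(fields) != 6:
        raise ValueError("__utma should have 6 dot-separated fields")
    domain_hash, visitor_id, first, previous, current, count = fields

    def to_utc(ts: str) -> datetime:
        return datetime.fromtimestamp(int(ts), tz=timezone.utc)

    return {
        "domain_hash": domain_hash,
        "visitor_id": visitor_id,
        "first_visit": to_utc(first),
        "previous_visit": to_utc(previous),
        "last_visit": to_utc(current),
        "visit_count": int(count),
    }


def utm_gif_timestamps(url: str) -> dict:
    """Pull the __utma timestamps out of a __utm.gif tracking request URL.

    The request carries the visitor's cookies percent-encoded in the utmcc
    parameter as "__utma=...;+__utmz=...". parse_qs undoes the encoding.
    """
    query = parse_qs(urlsplit(url).query)
    utmcc = query.get("utmcc", [""])[0]
    for cookie in utmcc.split(";"):
        cookie = cookie.strip(" +")  # the "+" separator decodes to a literal plus
        if cookie.startswith("__utma="):
            return parse_utma(cookie[len("__utma="):])
    raise ValueError("no __utma cookie in utmcc")


# Constructed sample request (not a real capture); the three timestamps are
# 2015-11-11 00:00:00, 10:00:00 and 11:06:40 UTC.
SAMPLE_UTM_GIF_URL = (
    "http://www.google-analytics.com/__utm.gif?utmwv=5.6.7&utmn=1234567890"
    "&utmhn=example.com&utmcc=__utma%3D173272373.1418786032.1447200000."
    "1447236000.1447240000.3%3B%2B__utmz%3D173272373.1447200000.1.1."
    "utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B"
)


if __name__ == "__main__":
    for key, val in utm_gif_timestamps(SAMPLE_UTM_GIF_URL).items():
        print(f"{key}: {val}")
```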

  • Time zone changes of Windows systems and the timestamps when applications are installed, uninstalled or updated by the Windows MSI installer are now output as events to the event list.

  • Support for an old file format variant of SKP (Google SketchUp).

  • More precise in reporting the first sector of certain embedded files.

  • The subject of e-mails in original single e-mail files (.eml, .emlx, .olk14msgsource) is now extracted as part of Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and events | [x] "Extract sender, recipients, and subject from original .eml files" and shown in the Name column if different from the name of the file, and unless the file is a carved file (i.e. a file with an artificially generated filename), the original filename will be preserved and shown as an alternative name in the same column.

Volume Snapshot

  • There is now an option to limit the total number of produced video stills per video as defined by the user (1-255), regardless of the video play length. Useful to significantly decrease the output compared to fixed-length still intervals for longer videos. (Fixed-length intervals result in number of stills that grows proportionally with the play length.) This may decrease your workload a lot if you are going to look at all stills in the gallery, and also decreases the time to process long videos, but of course at the cost of being less thorough and an increased risk of missing something should any suspect hide relevant content somewhere within an innocuous video. X-Ways Forensics tries to extract the fixed number of stills at even intervals from all over the video to give a representative impression of it.

  • Ability to strip certain lines off the extracted metadata in order to not see them in the Metadata column, for example to keep the case report or the output of the Export List command more compact for printing or viewing on the screen, or just because certain metadata fields are not relevant to you. You can identify unwanted metadata fields by a substring. That substring can either match the field name (e.g. "Focal Length") or a certain expected value of the field (e.g. the author name "Joe Huber" in a document). 1 substring is entered per line. You can share your definitions by sharing the file "Unwanted Metadata.txt".

  • Support for files with child objects in the volume snapshot of a physical medium, which was not possible in any previous version. And physical media now also get a virtual directory specifically for carved files when running the file header signature search. Consequently, physical media with child objects or virtual directories now have a button for recursive exploration, but please note that a recursive exploration does not include any partitions, as they have their own volume snapshots. Also, please note that directories and files with child objects are still shown in the tree of the Case Data window only for volumes, not for physical media.

  • The initials of the user who has carved a file manually in Disk/Partition/Volume mode are now optionally displayed after the filename in square brackets just like for other self-defined files (attached files or manual excerpts).

  • When attaching external files (e.g. after decrypting, converting, translating, ...) to their respective original counterparts as identified by the unique ID, through the context menu of the case, you are now given four options:
    1) the attached file can become a child object of the original file (as before)
    or
    2) the attached file can become a sibling of the original file (shown next to it, in the same directory)
    or
    3) the attached file can replace the original file (original file no longer present)
    or
    4) the attached file can replace the original file, and the original file can become a child object of the new file if still needed.
    You can select the attachment method separately for ordinary files and e-mail attachments. The three new methods are particularly useful for e-mail attachments because only direct child objects of .eml files are embedded in the parent .eml file when recovering/copying those .eml files. So if you would like to have the decrypted/converted/translated version of an attachment embedded in the .eml file, that version should not become a grandchild object as in previous versions. If you want original and new version both to be embedded, make them siblings. If you do not need the original version embedded, replace it completely or preserve it only as a child object of the new version (i.e. grandchild of the .eml file).

  • There is now a volume snapshot option for incremental snapshot completion when dealing with OS directory listings as evidence objects (when you add a directory to your case). If selected, the volume snapshot initially just contains the contents of the top-level directory, and it is further completed only on demand, step-by-step when you manually explore subdirectories. This is exactly how the Windows Explorer/File Explorer in Windows works, and useful when dealing with slow and huge network drives that would take a long time up front to scan completely. But it's very different from the usual approach in X-Ways Forensics, and will obviously prevent you from getting a complete listing of all files when exploring recursively, simply because there is no guarantee that all files have been included in the volume snapshot yet until you have explored all subdirectories. If at any time you decide that you wish to include the contents of a certain directory in the volume snapshot recursively, you can use the "Expand all" command in the context menu of the Case Data window (right-clicking that directory) or unselect the option to complete the volume snapshot on demand and then explore that directory. Please remember that the most convenient way to expand an entire subtree is by clicking its root and pressing the multiplication key on the numeric keypad (standard feature in Windows).

  • New file carving flag "y", which identifies file types that are known to use encryption internally, which allows marking carved files of these types in the Attr. column with "e!".

PhotoDNA

  • When importing PhotoDNA hash sets or when creating PhotoDNA hash sets yourself, the new entries are now matched with existing entries exactly as lax as matching works during the analysis phase. This can be important for potential recategorization of existing entries. The benefit of this fuzzy matching is that you can adjust the category of certain entries whose original categorization was from a foreign source (e.g. Project Vic), which may be necessary because of different legislation or jurisdiction in your country or simply because of categorization errors or different interpretation, provided that you have variants of the same pictures (not necessarily the exact same files) in your collection. However, whether the new entries are added to the database as well, in addition to the similar existing entries, still depends on the same relatively strict threshold as before (more strict than the condition for recategorization of existing entries).

  • You can now see in the directory browser whether there were matches for more than one PhotoDNA category for a given picture. This has become less likely thanks to the aforementioned improvement, but in those rare cases where it happens this hint can be very important to check manually. If there were matches with different categories, the name of the category with the closest match is shown (as before), now followed by a comma and an ellipsis. Also, you can now filter for such pictures that were found in more than one category. Such pictures may deserve as much attention as duplicates in conventional hash databases that belong to the "irrelevant" category and "notable" category at the same time and are usually the result of an inconsistently populated database, e.g. accidental miscategorizations or correct categorizations made by users in different jurisdictions etc. If the returned best matching category for a picture is wrong in your opinion, you can fix this by adding a hash set of that picture to the PhotoDNA database again, specifying the correct category.

  • A stylized P is now displayed in the Analysis column for pictures for which at least one PhotoDNA hash value is stored in the volume snapshot.

  • The PhotoDNA hash value of a picture, if stored in the volume snapshot, can now be seen in Details mode.

Search Functions

  • Ability to mark search hits for inclusion in the case report, using a new command in the context menu of the search hit list, with the green grid icon. If a file is part of a report table and the report table is output in the report, and if the file contains search hits that have been marked for inclusion in the report, then the context of these search hits is shown below the listing of that file. Inclusion in the report and being notable are two separate properties of search hits. You can filter for both properties with the filter of the Search hits column.

    Of course, user search hits can also be included in the report. That means you can select any part of a file in File mode, add it as a user search hit and then get that part quoted automatically in the case report.

  • Maximum length for the simple search and replace functions extended from 50 to 100 bytes.

Usability & User Interface

  • Scrolling in Calendar mode now updates the view on the fly. Ability to use the mouse wheel in Calendar mode for scrolling. The calendar now no longer shows years that are more than 1 year in the future, even if distant garbage timestamps are listed in the directory browser or event list, to keep the display range more compact.

  • Listing the root directory of a volume in the directory browser, in the root directory itself, actually, is kind of illogical, but can be very helpful to see that directory's timestamp (if any, depends on the file system) or to quickly navigate to its clusters (if any, also depends on the file system) or as another place where to quickly tag or untag all items in a volume. Whether the root directory is listed now no longer depends on the file system, but is controlled in the directory browser options.

  • Another new directory browser setting renders listing the internal files of the file system optional in the normal directory browser. This affects for example the various $* files in NTFS. Specifically in X-Ways Investigator those files are no longer listed as they are irrelevant to non-technical examiners (the target group of X-Ways Investigator) and might confuse them because they are not familiar with them from using ordinary high-level computer software.

  • There is now a second grouping option for the Recover/Copy command. That means you can group by any two of the previously known aspects at the same time, e.g. first by deletion status and then by type, or first by report table and then by file type category.

  • The filename extension of an original image (image of the suspect found within evidence objects and added to the case, e.g. VMDK, VHD, VDI, ISO) is no longer removed in the evidence object title, so that you can see it everywhere in the user interface and better understand the context if you find relevant files in such an image.

  • Excerpts are now marked with scissors on the icon.

  • Files with metadata only (no known file contents) now have an icon with white interior.

  • Ability to check or uncheck all file types for the file header signature search with a single mouse click.

Miscellaneous

  • Setup program revised.

  • Many minor improvements.

  • Some minor fixes.

  • Program help and user manual updated for v18.6.


Changes of service releases of v18.5

  • SR-1: Opening the entire memory of a running process failed in the 32-bit edition since v18.4. That was fixed.

  • SR-1: Prevented "Invalid file" error message, which some users experienced repeatedly during volume snapshot refinement. (For those who thought that the only way to stop it was to terminate X-Ways Forensics with the Windows Task Manager, please be reminded that you can abort operations such as volume snapshot refinements by clicking the "x" in the upper right corner of the progress indicator window.)

  • SR-1: Fixed potentially incomplete output of the Export List command with the clipboard option depending on the (invisible) "Max. lines per file" setting.

  • SR-2: Fixed an exception error that could occur when matching files against the FuzZyDoc hash database.

  • SR-2: Fixed an infinite loop that could occur when carving certain rare corrupt zip archives.

  • SR-2: Prevents redundant line breaks in the Metadata columns.

  • SR-2: Prevents some garbled characters in the registry report for Windows 10 System hives when created with the 64-bit edition.

  • SR-3: When searching in files that were opened through the operating system (through your own drive letter), when also searching in their directory browser cells, in GREP syntax, without allowing overlapping hits, if there was a hit in a directory browser cell, additional hits in the file contents were ignored. That was fixed.

  • SR-3: The raw Base64 to binary conversion now ignores space and tab characters in addition to line breaks.

  • SR-3: Fixed a rare exception error that could occur when viewing an Ext* .journal file.

  • SR-3: Russian and Chinese translation of the user interface updated.

  • SR-3: Fixed a formatting error in metadata extraction in the previous release.

  • SR-4: Proper type display and file type treatment for files carved in unpartitioned space on physical media.

  • SR-4: Sector sizes other than 512 bytes supported for Ext file systems.

  • SR-4: Fixed omission of file system level timestamps of certain files without file contents in the event list.

  • SR-5: v18.5 parsed certain directories in exFAT volumes incompletely. That was fixed.

  • SR-6: Fixed an error that could occur when interpreting images that are stored in other images or disks without copying them off the image or disk first.

  • SR-6: Fixed a rare error that could occur during e-mail extraction from Outlook Express DBX files.

  • SR-6: Fixed inability to display the cell texts of events that are not related to any file.

  • SR-6: Fixed certain occurrences of the error message "The viewer component does not accept your path for temporary files" in v18.5.

  • SR-7: Now supports path lengths of 255 characters for the temp directory of the viewer component in case the path consists of pure ANSI code page characters only. If at least 1 true Unicode character is present in the path, the limit is 127 characters. In v18.4 and earlier the limit was 255 ANSI code page characters, and true Unicode characters were not allowed. In v18.5 prior to SR-7 the limit was 127 characters, and Unicode characters were allowed.

  • SR-7: MSG file processing slightly revised.

  • SR-7: No skin color percentages or PhotoDNA hash values are computed any more for JPEG pictures that are considered too corrupt, e.g. truncated in such a way that more than 50% is missing.

  • SR-7: PhotoDNA hash values are now stored in the volume snapshot for re-matching and deduplication even for trivial single-color pictures.

  • SR-8: PDF file carving problems in v18.5 fixed.

  • SR-8: Fixed a rare exception error that could occur in recent versions when opening the virtual memory of other processes.

  • SR-8: v18.5 did not actually add a manually carved file to the selected report table(s) on request. That was fixed.

  • SR-8: Renaming search terms did not always work correctly, depending on the presented search term order. That was fixed.

  • SR-9: Greatly reduced free drive space requirements for nested image interpretation.

  • SR-9: Fixed occasional corruption of "Partitions by disk signature" table in the registry report in the 64-bit edition.

  • SR-9: Fixed an exception error that could occur when sorting block hash matches by the Search hit column.

  • SR-9: The "Xtra Atom" format variant was previously supported for carving F4V videos already, now also for MP4.

  • SR-9: Potential instability with corrupt SketchUp files fixed.


Viewer Component

Oracle has provided a "critical patch update" for v8.5.2, v8.5.1, and v8.5.0 of the viewer component. The updated versions have been downloadable from our web server since Oct 25, 2015. Installing them is probably advisable for security reasons. This time it is quite hard to make educated guesses about what was actually fixed because several general utility DLLs are affected. Other DLLs that were patched provide support for PDF, TGA, PDX and WK4 files.

Oracle's description of the patch update for v8.5.2 as always starts with a very promising first line, but is not super enlightening otherwise:

What this Update Fixes:
October 2015 Critical Patch Update for Outside In
This patch is the initial Outside In 8.5.2 Critical Patch Update


There are still a few users who ask about a replacement for their lost dongle although they did not insure the dongle against loss or theft and although we say everywhere that we do not replace lost or stolen dongles if not insured.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#147: X-Ways Forensics, X-Ways Investigator, WinHex 18.5 released

Sep 1, 2015

This mailing is to announce the release of another notable update with many useful improvements, v18.5.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Largo, FL, Nov 2-6, 2015
Toronto, ON, Nov 9-10, 2015 (X-Ways Forensics II course!)
Northern California, Nov 30-Dec 4, 2015
London, England, Mar 15-23, 2016

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v18.5?
(please note that most changes affect X-Ways Forensics only)

Disk & Image Support

  • Support for Virtual Box disk images (VDI) of the default subtype "sparse" and the subtypes "fixed size" and "diff" (snapshots). Snapshot images, as usual, can only be interpreted if the parent is available, open, and interpreted itself.

  • It is now possible to interpret images of various kinds (unsegmented raw images and most VHD/VMDK/VDI) and nature (disk/volume) even if they are stored within other images (forensic disk images created by yourself), without copying them off the outer image first. That can save a considerable amount of time, especially if after interpreting the contained image you can quickly see that it is not really relevant, and of course also drive space. First right-click the image in the directory browser and open it with the context menu's Open command in a separate data window. After that, use the command Specialist | Interpret Image File As Disk in the main menu to interpret the image. And then, once the volume snapshot has been taken, if you think that the image is relevant, you can add it to the active case as usual with the "Add to active case" command in the context menu of the data window's tab or with the Add command in the Case Data window's File menu.

  • When adding new evidence objects to the case, X-Ways Forensics now includes technical information about more than one Windows installation per partition in the evidence object properties if traces of more than one are found. That can happen for example if a Windows.old backup directory exists because of a Windows upgrade.

  • If partitions overlap, for example because one previously existing partition was partially overwritten by another partition, then a note is now displayed in the Messages window (only if the program is set to number partitions by disk location). This note should make unsuspecting users aware of the possible consequences, for example make them realize that potential errors when parsing the file system in the overwritten partition might be normal and not a reason to ask for assistance.

  • Support for HFS+/HFSJ/HFSX when searching for lost partitions. An extra effort is made to reject false positives automatically. Supports sector sizes 512, 4096, and 8192 bytes.

  • Some improvements for parsing exFAT volumes.

  • Support for Ext4 journals with 64-bit block numbers.

Usability

  • The Export List command now remembers its own notation settings, separate from the notation settings in the General Options. That is useful because the database or spreadsheet program of your choice in which you wish to import the data may not like the formatting that you prefer to see in the directory browser (e.g. fractions of seconds in timestamps, time zone bias, weekdays in dates, delimiter between date and time, integer digit grouping, ...). While the Export List dialog window is on the screen, the directory browser in the background reflects the notation settings of the Export List command, as a kind of preview.

  • For your 9 most important report tables, keyboard shortcuts are now defined also to remove associations from the selected files. Ctrl+n adds the selected files to the related report table, Alt+n removes the associations. Useful if you accidentally press the wrong key combination or if you change your mind about the classification of a file, and wish to preserve associations with several other report tables (otherwise you could of course simply press Ctrl+0).

  • Menu command to close the active case without saving it. Usually the case and volume snapshots of all open evidence objects are always saved, at latest when the evidence objects and the case are closed. This may be undesirable for example if you accidentally lost your carefully set tag marks (by untagging all, with a misdirected click in the column header) or if you accidentally lost report table associations (by pressing Ctrl+0 for all selected files). In such a situation it is just important to invoke the new menu command as soon as possible, before the auto-save interval elapses next time. Afterwards you can open the case again, and find everything as it was last time when the case was saved, which means that on average you will only lose half the amount of work that you get done within the auto-save interval, not everything.

  • Sync mode in non-recursive exploration mode now has a similar effect as the option "Automatically expand to current folder" in the Windows Explorer. That means that when navigating from one directory to another using the directory browser while Sync mode is off, the directory tree on the left will not reflect the current directory any more, will neither expand its parent if necessary nor select the current directory. Whether Sync mode is active or not is now remembered separately for recursive and non-recursive exploration. The other effect that Sync mode used to have, that when navigating from one cluster to another the file whose data is stored in the current cluster is automatically selected in the directory browser, is now only achieved through the Info Pane's context menu (the command now named "Select file"). And whether the parent directory of that file is automatically selected in the directory tree at that occasion depends on whether Sync mode is active or not.

Cool New Functions

  • New directory browser context menu command to identify and exclude listed duplicate pictures using PhotoDNA (if you have access to PhotoDNA in X-Ways Forensics). All duplicates will be marked as "duplicates found" in the Attr. column, and all except one will be excluded. When in doubt, deleted files or pictures with a poor resolution will be excluded and existing files and pictures with a higher resolution will be kept. Please note that the hash value comparison is a potentially time-consuming operation if many pictures are listed in the directory browser, much more so than for conventional hash values. However, you can abort the comparison at any time. This operation requires that PhotoDNA hash values have been computed beforehand, using Specialist | Refine Volume Snapshot | Picture processing | Compute PhotoDNA hash values. It is useful for example for law enforcement agencies that wish to create PhotoDNA hash sets of unique pictures only and for that purpose maintain a lawful collection of incriminating pictures without duplicates. The strictness of the picture comparison is the same as set in the Specialist | Refine Volume Snapshot | Picture processing dialog window for matching against the PhotoDNA hash database.

  • Option to attach external files as child objects to their original counterparts (after decryption, translation, conversion, OCR, ...) in multiple evidence objects at the same time automatically if they are named after the unique ID of the original files. You can name the files after the unique ID when you copy them off the image with the Recover/Copy command, and you do not need to preserve the path, as the unique ID already fully identifies the file. Useful if you wish to apply external tools which have problems with overlong paths to the copied files and then bring the result back into the original volume snapshots. The command to attach external files based on unique ID can be found in the context menu of the case.

  • A new timestamp column filter setting is available that allows you to focus on files whose creation date is later than the modification date, i.e. which apparently were copied and that way got a new creation date. The Notation options now allow to mark all such files with the word "(copied)" in the Creation column. The presence of that word can also be used for conditional cell coloring, so that you can quickly see which files are likely original files and which files were copied. Note that a search for the word "copied" is language-specific, so you may want to define the condition based on the presence of a round bracket in the Creation timestamp cell instead.

  • Ability to enter a free text description for any report table, by clicking the button with the "properties" icon in the report table association dialog. The description will be included in the case report if the report table is output. Useful for some explanation of what the report table is about. Helps to keep the report table name itself, which appears at many places in the user interface, more concise.

  • Recover/Copy: Option to try to encode zeroed out areas in a file as sparse when writing the data. This will have an effect only if the zeroed areas are somewhat aligned and sufficiently large, and of course only when writing to an NTFS or ReFS volume, not FAT. Works no matter whether the source file is defined as sparse or not. This option will reduce the data transfer rate and is only recommendable if you know that the data that you are copying is probably suitable.
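Added example (not X-Ways code) of what the sparse option above does: a copy routine that counts block-aligned runs of zero bytes and seeks over the long ones instead of writing them, so that a sparse-capable file system records a hole. The block size, the minimum run length and the sample files in demo() are assumptions made here. As the note says, short or unaligned zero runs are written out literally, and a run at the very end of the file needs the length set explicitly, otherwise the copy comes out shorter than the source.

```python
"""Sparse-aware file copy: zero-filled, block-aligned runs become holes.
Added example, not X-Ways code. Sample input is constructed in demo()."""
import os
import tempfile

BLOCK = 65536          # scanning granularity; zero runs must align to it


def copy_sparse(src_path, dst_path, block=BLOCK, min_run_blocks=4):
    """Copy src to dst and return (bytes_written, bytes_left_as_holes).

    All-zero blocks are only counted. When a non-zero block (or end of file)
    follows, a run of at least min_run_blocks is skipped with a seek, which a
    sparse-capable file system turns into a hole; shorter runs are written as
    literal zeros, since tiny holes cost more metadata than they save.
    """
    zero = bytes(block)
    written = holed = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:

        def flush_zeros(n):
            nonlocal written, holed
            if n >= min_run_blocks:
                dst.seek(n * block, os.SEEK_CUR)     # hole instead of data
                holed += n * block
            elif n:
                dst.write(zero * n)
                written += n * block

        pending = 0                                  # consecutive zero blocks
        while True:
            chunk = src.read(block)
            if not chunk:
                break
            if len(chunk) == block and chunk == zero:
                pending += 1
                continue
            flush_zeros(pending)
            pending = 0
            dst.write(chunk)
            written += len(chunk)
        flush_zeros(pending)
        # A trailing hole has no data after it: fix the length explicitly so the
        # destination is not silently shorter than the source.
        dst.truncate()
    return written, holed


def roundtrip(data):
    """Write constructed data, copy it sparsely, report counts and equality."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src.bin")
        dst = os.path.join(tmp, "dst.bin")
        with open(src, "wb") as f:
            f.write(data)
        written, holed = copy_sparse(src, dst)
        with open(dst, "rb") as f:
            identical = f.read() == data
    return written, holed, identical


def demo():
    # 4 KiB data, 1 MiB zeros, 4 KiB data: the first and last block are mixed
    # and written; 15 full zero blocks in between become a hole.
    middle = b"\x55" * 4096 + bytes(1 << 20) + b"\xaa" * 4096
    # one data block followed by 4 zero blocks: the hole is at the end.
    trailing = b"\x55" * BLOCK + bytes(4 * BLOCK)
    return roundtrip(middle), roundtrip(trailing)


if __name__ == "__main__":
    print(demo())
```

On Linux, macOS and most Unix file systems the seek alone creates the hole. On NTFS the destination must first be marked sparse (FSCTL_SET_SPARSE via DeviceIoControl), otherwise the skipped range is simply zero-filled on disk: the copy is still byte-identical, just not smaller. FAT has no sparse files at all, which is why the option has no effect there.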

Search Hits

  • A new context menu command in search hit lists named "Resize" allows you to resize or reposition the selected search hits. If for example you are searching for a signature that identifies records in some kind of database, and you get many search hits for these signatures, but what you are really interested in is the record data that follows the signature, and you wish to export that data, then you could adjust the offsets and the lengths of the search hits in a suitable way. Also, instead of exporting more context around the search hits with the Export List command you could enlarge the search hits themselves prior to exporting them. The effect is visible immediately in the search hit preview in the search hit list (but not necessarily immediately in the highlighting in the lower half of the data window).

  • Another context menu command in search hit lists allows you to convert search hits to carved files. Useful if you wish to include your search hits as files in a report, add them to a report table, comment on them, print the contents, Recover/Copy them etc. Note that search hits that have both a physical and a logical offset will be carved at the sector level and will appear in the virtual directory for carved files. Search hits that only have a logical offset will be carved within the file in which they were found and will appear as a child object. Search hits in the decoded text of a file as well as search hits in directory browser columns cannot be carved and will be omitted.

  • The search hit context in the Export List command is now limited to around 16,384 bytes on each side (previously 1,000 bytes). The total amount of text including the search hit itself is limited to around 32,768 bytes.

  • Ability to categorize search hits by moving them over to other search terms. If for example you get several relevant hits when running a search for the search term "invoice", and some hits are relevant in a different way than others, then you could assign them to other search terms like "Invoice ABC Ltd.", "Invoice XYZ Corp." etc. Those newly created search terms will appear in the search term list, but they function more like categories because they were not searched for literally themselves.

    How it works: In the search hit list you select the search hits that you wish to categorize, right-click them, and invoke the new context menu command "Assign to other search term". You can assign them to a search term/category that already exists or create a new one. You can also rename search terms/categories now with a new command in the context menu of the search term list. Artificially created search terms are marked with ?, just like the search terms/categories that manually found search hits (so-called user search hits) are assigned to.

File Format Support

  • File carving approach revised, which may result in faster processing depending on the data.

  • The quality of the internal file carving algorithms for the Quicktime file format family (MP4, MOV, 3GP, ...) and GIF was improved.

  • Files found through a file header signature search and files that were carved within other files can now be manually resized by the user to get the size right if necessary (another directory browser context menu command).

  • Option to output the complete metadata in the case report as known from Details mode, in HTML format, instead of the extracted subset in the Metadata column in plain text.

  • Ability to decompress the partially contained compressed file at the end of an incomplete (truncated) zip archive as far as possible.

  • Prevents the output of runaway timestamp values in registry hives to the event list.

  • Fixed an exception error that occurred when trying to view Windows registry hives <= 4 KB.

  • Fixed swapped creation and access timestamps in the extracted metadata of zip records (extra field).
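The two zip notes above, inflating what is left of the last member of a truncated archive and reading the timestamps of the zip NTFS extra field in their documented order, as an added example (not X-Ways code). The archive and the extra field are constructed in demo(). Only stored and deflate members are handled, and the sizes in the local header are assumed valid (archives written in streaming mode, with general purpose bit 3 set, carry them in a trailing data descriptor instead); recovery itself does not depend on the compressed size, only the cut point chosen for the demo does.

```python
"""Truncated-zip salvage and NTFS extra field parsing.
Added example, not X-Ways code. All inputs are constructed in demo()."""
import io
import random
import struct
import zipfile
import zlib
from datetime import datetime, timedelta, timezone

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte fixed part of a local file header
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_local_header(blob, off):
    (sig, _ver, flags, method, _time, _date, crc, csize, usize,
     nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, off)
    if sig != LOCAL_SIG:
        raise ValueError("not a local file header")
    enc = "utf-8" if flags & 0x800 else "cp437"
    name = blob[off + 30:off + 30 + nlen].decode(enc, "replace")
    extra = blob[off + 30 + nlen:off + 30 + nlen + xlen]
    return dict(name=name, flags=flags, method=method, crc=crc, csize=csize,
                usize=usize, extra=extra, data_off=off + 30 + nlen + xlen)


def recover_last_member(blob):
    """(name, recovered bytes, complete) for the last local header in blob.
    zlib's streaming decompressor returns a shorter output for a truncated
    deflate stream instead of failing; eof tells whether the end marker was seen."""
    off = blob.rfind(LOCAL_SIG)
    if off < 0:
        raise ValueError("no local file header found")
    hdr = parse_local_header(blob, off)
    rest = blob[hdr["data_off"]:]
    if hdr["method"] == 0:                                  # stored
        out = rest[:hdr["csize"]] if hdr["csize"] else rest
        return hdr["name"], out, bool(hdr["csize"]) and len(out) == hdr["csize"]
    if hdr["method"] != 8:
        raise ValueError(f"compression method {hdr['method']} not handled here")
    d = zlib.decompressobj(-zlib.MAX_WBITS)                # raw deflate, no zlib wrapper
    out = d.decompress(rest)
    try:
        out += d.flush()
    except zlib.error:
        pass                                               # nothing more to salvage
    return hdr["name"], out, d.eof


def parse_ntfs_extra(extra):
    """Timestamps from the NTFS extra field (header ID 0x000a). Its tag 1 holds
    Mtime, Atime, Ctime in exactly that order (APPNOTE 4.5.5); a parser that
    assumes another order swaps creation and access, the symptom fixed above."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if hid != 0x000A:
            continue
        p = 4                                              # skip the Reserved dword
        while p + 4 <= len(body):
            tag, tsize = struct.unpack_from("<HH", body, p)
            if tag == 1 and tsize == 24:
                m, a, c = struct.unpack_from("<3Q", body, p + 4)
                return {"modified": filetime_to_datetime(m),
                        "accessed": filetime_to_datetime(a),
                        "created": filetime_to_datetime(c)}
            p += 4 + tsize
    return None


def demo():
    """Constructed archive: a small member, then a compressible text member that
    is cut in half (losing the central directory too), plus a hand-built extra field."""
    rng = random.Random(7)
    words = ["invoice", "volume", "snapshot", "carved", "hash", "offset",
             "record", "cluster", "report", "search", "hit", "evidence"]
    text = " ".join(rng.choice(words) for _ in range(3000)).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("first.txt", "tiny")
        zf.writestr("second.txt", text)
    blob = buf.getvalue()
    hdr = parse_local_header(blob, blob.rfind(LOCAL_SIG))
    cut = blob[:hdr["data_off"] + hdr["csize"] // 2]
    name, partial, complete = recover_last_member(cut)
    _, full, full_complete = recover_last_member(blob)
    utc = timezone.utc
    extra = struct.pack("<HHIHH3Q", 0x000A, 32, 0, 1, 24,
                        datetime_to_filetime(datetime(2015, 8, 20, tzinfo=utc)),   # Mtime
                        datetime_to_filetime(datetime(2015, 9, 1, tzinfo=utc)),    # Atime
                        datetime_to_filetime(datetime(2015, 7, 4, tzinfo=utc)))    # Ctime
    t = parse_ntfs_extra(extra)
    return {"name": name, "partial_len": len(partial), "is_prefix": text.startswith(partial),
            "complete": complete, "full_ok": full == text and full_complete,
            "created": t["created"].date().isoformat(),
            "accessed": t["accessed"].date().isoformat()}
```

The salvaged bytes are a true prefix of the original member, so a document header or the first pages of a text survive even when the tail and the central directory are gone; the CRC in the local header cannot be checked against partial output, so treat the result as partial, not verified.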

X-Tensions API (Details)

  •  XT_Prepare may return a new flag to indicate that even if the user wants to omit certain files (for any of the three possible reasons) the X-Tension wants to be called to process them. Another flag indicates that an X-Tension wants to be called for directories. (For details please see https://www.x-ways.net/forensics/x-tensions/api.html.) The Delphi source code and sample demo project were also updated.

  • New function XWF_GetUserInput allows to request textual or integer number input from the user, e.g. a password.

  • XWF_AddSearchTerm allows you to add search terms to a case programmatically. Use this function for example if you wish to automatically categorize search hits (assign them to different search terms) while responding to XT_ProcessSearchHit calls.

Miscellaneous

  • If auto-coloring for FILE records etc. is fully checked, FILETIME structures are now highlighted even if not aligned at a 4-byte boundary.

  • The filters for comments, metadata, and event descriptions now have a NOT option.

  • Program help and user manual updated for v18.5.
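What highlighting FILETIME structures at unaligned offsets amounts to, as an added example (not X-Ways code): read a little-endian QWORD at every byte offset rather than every fourth one and keep the values whose date falls in a plausible window. The window (1995 to 2030) and the sample buffer are assumptions made here; narrow the window to the case's time frame, because the price of byte-granular scanning is more false positives.

```python
"""Byte-granular FILETIME scan. Added example, not X-Ways code."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


# Values outside this window are treated as "not a timestamp" (assumed window).
WINDOW = (datetime_to_filetime(datetime(1995, 1, 1, tzinfo=timezone.utc)),
          datetime_to_filetime(datetime(2030, 1, 1, tzinfo=timezone.utc)))


def scan_filetimes(buf, step=1, window=WINDOW):
    """Return [(offset, datetime)] for every QWORD at an offset that is a
    multiple of step whose value lies inside window. step=4 reproduces the old
    aligned-only behaviour, step=1 the new byte-granular one."""
    lo, hi = window
    hits = []
    for off in range(0, len(buf) - 7, step):
        (value,) = struct.unpack_from("<Q", buf, off)
        if lo <= value <= hi:
            hits.append((off, filetime_to_datetime(value)))
    return hits


def demo():
    """Constructed buffer: printable filler with one FILETIME at an aligned
    offset (16) and one at an unaligned offset (37). Returns the offsets found
    by the byte-granular scan and by the DWORD-aligned scan."""
    utc = timezone.utc
    aligned = datetime_to_filetime(datetime(2015, 9, 1, 12, 0, tzinfo=utc))
    unaligned = datetime_to_filetime(datetime(2015, 11, 11, 8, 30, tzinfo=utc))
    buf = bytearray(b"MFTRECORDFILLER!" * 6)              # 96 bytes of ASCII
    struct.pack_into("<Q", buf, 16, aligned)
    struct.pack_into("<Q", buf, 37, unaligned)
    byte_hits = {off for off, _ in scan_filetimes(bytes(buf))}
    dword_hits = {off for off, _ in scan_filetimes(bytes(buf), step=4)}
    return byte_hits, dword_hits


if __name__ == "__main__":
    print(demo())
```

The ASCII filler never produces a hit because any QWORD whose top byte is a printable character is far above the window; real slack space is noisier, so when scanning an image, check candidates against the structure they sit in (a FILE record, an index entry, a registry key) rather than trusting the value alone.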


Changes of service releases of v18.4

  • SR-1: Ability to decompress files in 7z archives whose compression ratio is enhanced by a BCJ pre-processing filter.

  • SR-2: Fixed an error that could occur when running index searches for search terms containing a space character.

  • SR-2: Fixed a possible exception error that could occur when processing LiveComm.edb.

  • SR-2: Fixed an error in the greedy jump logic in file carving in v18.4.

  • SR-3: Supports certain unorthodox GZ archives.

  • SR-3: Fixed an exception error that could occur when carving files in other files (uncovering certain embedded data) in SR-2.

  • SR-3: Fixed an error in XML export that occurred when the user interface language was English.

  • SR-4: When previously users tried to expand a volume in the Case Data window (for example by double-clicking the partition icon) to see the directory tree although no volume snapshot had been taken yet, this could result in a temporarily incomplete directory tree for that volume in the Case Data window or in a missing "+" next to the volume icon, so that the volume could not be expanded in the Case Data window at all. This is now prevented. Please note that to open a volume (and trigger taking the initial volume snapshot), single-clicking is sufficient.

  • SR-4: Fixed possible overspill of column widths when changing the order of directory browser columns in v18.4.

  • SR-4: Fixed an exception error (division by zero) that could occur under certain circumstances in v18.4 during file carving.

  • SR-4: Fixed a sharing error with the file "Addl" that occurred when additional users opened the same evidence object in the same case at the same time after the volume snapshot of that evidence object had just been freshly refined.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#146: X-Ways Forensics, X-Ways Investigator, WinHex 18.4 released

July 4, 2015

This mailing is to announce the release of another notable update with many useful improvements, v18.4.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Southern California, Aug 17-21, 2015
Toronto area, ON, Aug 24-27, 2015
Munich, Germany, Sep 14-18, 2015 (in English)
Largo, FL, Nov 2-6, 2015
Toronto, ON, Nov 9-10, 2015 (X-Ways Forensics II course!)

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


In April, Oracle provided a "critical patch update" for v8.5.1 of the viewer component. Installing it is probably advisable for security reasons. The only two files that have changed are "ibpsd2.dll" and "vsw12.dll". The first file is responsible for PSD graphic files. The second one seems to be of more general use within the viewer component.

Oracle's description:
What this Update Fixes:
April 2015 Critical Patch Update for Outside In
This is the initial Outside In Critical Patch Update for 8.5.1


A new version of the viewer component (v8.5.2) is available for download to licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance, since June 18, 2015. The relevant changes according to Oracle are:

1) PPT, PPTX: Rotate text 90 and rotate text 270 is now supported in tables. Potentially improved text decoding of hidden slide content.

2) HTML Inline Graphics: Base64-encoded graphics enclosed in an <img> tag in the HTML body (not in a style) will be displayed or can be handled as any other embedded object.*

3) Open Office Write table cell alignment: Middle and bottom alignment are now supported.


*This cannot be confirmed by us. For example, HTML case reports created by X-Ways Forensics with embedded graphics in inline Base64 code are apparently not supported.

On the plus side, the viewer component in its decompressed state is now 14 MB smaller because the SQLite database oit_font_metrics.db has magically shrunk a lot.


What's new in v18.4?
(please note that most changes affect X-Ways Forensics only)

Analysis with FuzZyDoc

  •  A new technology was implemented that can help you to identify known documents (word processing documents, presentations, spreadsheets, e-mails, plain text files, ...) with a much more robust approach than conventional hash values. Even if a document was stored in a different file format (e.g. first PPT, then PPTX, then PDF), it can still be recognized. Internal metadata changes, e.g. after a "Save as" or after printing (which may update a "last printed" timestamp), do not prevent identification either. Very often even if text was inserted/removed/reordered/revised, a document can still be recognized. This is achieved by using fuzzy hashes. The technology is called FuzZyDoc?.

    FuzZyDoc hash values are stored in yet another hash database in X-Ways Forensics. So there are now 5 hash databases available in total, and counting. Hash sets based on selected documents can be added to the FuzZyDoc database exactly like hash sets can be created in ordinary hash databases, and the FuzZyDoc hash database can also be managed in the same dialog window as the other hash databases, so existing users will have no trouble locating and using the new functionality. For each selected document you can create 1 separate hash set, or you can create 1 hash set for all selected documents. Up to 65,535 hash sets are supported in a FuzZyDoc hash database.

    FuzZyDoc is available to all users of X-Ways Forensics and X-Ways Investigator (i.e. not only law enforcement). FuzZyDoc should work well with documents in practically all Western and Eastern European languages, many Asian languages (e.g. Chinese, Japanese, Korean, Indonesian, Malay, Tamil, Tagalog, ..., but not Thai, Divehi, Tibetan, Punjabi, ...), and Middle Eastern languages (e.g. Arabic, Hebrew, ..., but not Pashto, ...). Note that numbers in spreadsheet cells are not exploited by the algorithm, only text. Note that only files with a confirmed or newly identified type will be matched against the FuzZyDoc hash database. For that reason, file type verification is applied automatically when FuzZyDoc matching is requested.

    Documents whose contents are largely identical (e.g. invoices created by the same company with the same letterhead) are considered similar by the algorithm even if important details change (billing address, price, product description), depending on the amount of identical text. That means that if you have 1 copy of an invoice of a company, matching against unknown documents will easily identify other invoices of the same company. For every document that is matched against the database, up to 4 matching hash sets are returned, and the 4 best matching hash sets are picked for that if more than 4 match. For every matching hash set, X-Ways Forensics also presents a percentage that roughly indicates to what degree the contents of the document match the hash set. Two different percentage types are available. A percentage based on the total text in the processed document gives you an idea of how much of the text in the document is known/was recognized, whereas a percentage based on the text represented by the hash set gives you an idea of how closely a document resembles the original document that the hash set is based on (makes sense only if you generate 1 hash set per document, i.e. do not combine multiple documents in 1 hash set). The matching percentage does not count characters one by one, and it works only on documents that actually make sense, not on small test files that only contain a few words.

    Before matching files against the FuzZyDoc hash database (a new operation of Specialist | Refine Volume Snapshot), you can specify which types of files you would like to analyze, and you can unselect hash sets in the database that you are temporarily not interested in. Note that processing fewer files (e.g. by specifying fewer file types in the mask) of course will require proportionally less time, but selecting fewer hash sets for matching as such does not save time. You may specify a certain minimum percentage that you require for matches (15% by default) to ignore insignificant minor similarities. That option is not meant to save time either.

    In order to re-match all documents in the volume snapshot against the FuzZyDoc hash database, please remove the checkmark in the "Already done" box first. Otherwise the same files will not be matched again, for performance reasons. Re-matching the same files may become necessary not only if you add additional hash sets to your FuzZyDoc database, but also if you delete hash sets, as that invalidates some internal links (if that happens, it will be shown in the cells of the result column).

    FuzZyDoc should prove very useful for many kinds of white collar crime cases, most obviously (but not limited to) those involving stolen intellectual property (e.g. software source code) or leakage of classified documents.

  • Matches with the FuzZyDoc database are presented in the same column as PhotoDNA matches and skin color percentages. That combined column is now more generically named "Analysis". A filter for FuzZyDoc matches is available. Sorting by the Analysis column in descending order now lists files with FuzZyDoc matches first (those files with the most confident matches for any hash set near the top, with lower percentages following), followed by PhotoDNA matches, if any, followed by pictures with no PhotoDNA matches (in descending order of their skin tone percentage). After that, irrelevant pictures are listed (picture with very small dimensions), and then files that are not pictures, and near the bottom black & white and gray scale pictures. Text color coding in that column now makes it easier to distinguish between different kinds of categorizations.
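The two percentage types described above (how much of the document's text is known, versus how much of the text behind a hash set is present), as an added example that illustrates the idea with a simple word-shingle scheme. This is not the FuzZyDoc algorithm, which X-Ways has not published; the shingle length, the rule that the minimum percentage is applied to either value, the cap of 4 results, and the fictitious invoices are assumptions made here.

```python
"""Word-shingle document similarity with both match percentages.
Added example illustrating the idea only; not FuzZyDoc's algorithm."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

SHINGLE = 5                                   # consecutive words per shingle (assumed)


def shingles(text: str, k: int = SHINGLE) -> Set[int]:
    """Hash every run of k normalized words to a 64-bit value. Formatting,
    punctuation and case vanish in normalization, so different renditions of the
    same text (DOC, PDF, plain text) yield the same shingles."""
    words = re.sub(r"[^\w\s]", " ", text.lower()).split()
    return {int.from_bytes(hashlib.blake2b(" ".join(words[i:i + k]).encode(),
                                           digest_size=8).digest(), "little")
            for i in range(len(words) - k + 1)}


class FuzzyDocDB:
    def __init__(self) -> None:
        self.sets: Dict[str, Set[int]] = {}

    def add_set(self, name: str, *texts: str) -> None:
        """One hash set per document keeps the second percentage meaningful;
        pooling several documents into one set only makes sense for the first."""
        self.sets[name] = set().union(*(shingles(t) for t in texts))

    def match(self, text: str, min_pct: int = 15, top: int = 4) -> List[Tuple[str, int, int]]:
        """Up to `top` tuples (set name, pct of document known, pct of set present)."""
        doc = shingles(text)
        results = []
        for name, hs in self.sets.items():
            common = len(doc & hs)
            if not common:
                continue
            pct_doc = round(100 * common / len(doc))   # share of this document that is known
            pct_set = round(100 * common / len(hs))    # share of the original that is present
            if max(pct_doc, pct_set) >= min_pct:
                results.append((name, pct_doc, pct_set))
        results.sort(key=lambda r: max(r[1], r[2]), reverse=True)
        return results[:top]


# Constructed sample documents: a fictitious letterhead shared by two invoices.
LETTERHEAD = ("Example Trading Ltd 1 Sample Street Sampletown Registered office Sampletown "
              "Company number 0000000 VAT number GB000000000 Bank Example Bank account 00000000 "
              "Terms payment within 14 days net Please quote the invoice number on your transfer "
              "Thank you for your business ")
INVOICE_A = LETTERHEAD + ("Invoice 1001 Bill to Alpha Labs 5 Test Road Testville "
                          "Item forensic workstation quantity 2 unit price 1200 total 2400 due 2015-09-15")
INVOICE_B = LETTERHEAD + ("Invoice 1002 Bill to Beta Corp 9 Other Avenue Elsewhere "
                          "Item write blocker quantity 3 unit price 300 total 900 due 2015-10-01")
APPENDIX = (" Appendix delivery note the goods listed above were packed in two boxes and handed "
            "to the courier on the morning of the invoice date the recipient signed for both "
            "boxes and no damage was reported at the time of delivery please keep this note "
            "with your records for warranty purposes and contact our service desk for support")
UNRELATED = ("Minutes of the weekly laboratory meeting the team reviewed the backlog of images "
             "waiting for processing discussed the training schedule for the autumn and agreed "
             "to order two additional write blockers before the end of the quarter there were "
             "no further items and the meeting closed at eleven")


def demo() -> Dict[str, List[Tuple[str, int, int]]]:
    db = FuzzyDocDB()
    db.add_set("invoice-example-trading", INVOICE_A)
    return {"same": db.match(INVOICE_A),
            "sibling": db.match(INVOICE_B),                # same letterhead, other customer
            "extended": db.match(INVOICE_A + APPENDIX),    # original plus inserted text
            "unrelated": db.match(UNRELATED)}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits)
```

The "extended" case is where the two percentages diverge: every shingle of the original is still present (100% of the set), but the appendix dilutes the share of the document that is known to about half. The "sibling" invoice scores around 60% on both because only the letterhead and boilerplate are shared. This tokenizer assumes whitespace-separated words, so it is of no use for scripts written without word separators, and it treats numbers like any other token.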

Analysis with PhotoDNA

  • It is now possible to more conveniently match pictures against the PhotoDNA hash database again, for example after having added some hash values to the database or after having assigned hash values to different categories, thanks to a new check box simply labelled "Again". You can still uncheck the "Already done?" check box for the whole picture analysis and processing operation to also discard the results of the skin color computation and precomputed thumbnails and regenerate both plus the PhotoDNA matches from scratch.

  • Matching pictures against the PhotoDNA hash database again is now much faster if during a previous run you have X-Ways Forensics store the computed PhotoDNA hashes in the volume snapshot. This is a new option. Saves the time to read the files from the disk/image again and to decode/decompress the JPEG data or other formats again (time-consuming for high-resolution photos) and to recompute the hash values. Please note that PhotoDNA hashes require considerably more drive space than ordinary hashes. Also, more than one PhotoDNA hash may be required for just one picture. It is recommended to store the hash values in the volume snapshot for future fast re-matching only if you expect your PhotoDNA hash database to change during processing of a case, for example if it is likely that you or your colleagues discover further relevant pictures in that case, forcing you to search for other copies of these pictures.

    Please note that with the "Again" option, when re-using previously computed hashes, changes to the state of the check box "Recognize pictures even if mirrored" have no effect. That means if it was unchecked when hash values were computed for the first time and stored in the volume snapshot, checking it later when re-using the stored hash values won't do any good.

    To discard stored hash values you can either take a new volume snapshot, or alternatively you may delete the file "PDNA" in the "_" subdirectory of the evidence object, where the volume snapshot is internally stored.

User Interface

  • Since the days of Windows 95 (or perhaps even Windows 3.1?) users can press Ctrl+C to produce a plain-text representation of standard Windows message boxes in the clipboard. With message boxes in WinHex and X-Ways Forensics it works the same. Although this has been an elementary feature in Windows for more than 20 years and should be known to any experienced Windows user, and although WinHex and X-Ways Forensics make users aware of it ("Did you know? ..."), the great majority of users for some reason still take graphical screenshots of message boxes and paste them into HTML e-mails, for example when they report error messages. That is more work than simply pressing Ctrl+C and Ctrl+V, and it inflates the size of the e-mail unnecessarily, as a few ASCII characters need much less space than thousands of pixel values. The screenshot will get lost if the e-mail is converted to plain text when being replied to, the error message text is not searchable in a graphical screenshot and cannot be conveniently selected and copied to the clipboard as text by the recipient, and the recipient cannot be sure of the exact Unicode value of certain characters for which multiple variants exist. And of course it may not scale nicely for viewing with different screen resolutions. There is no point in taking screenshots of textual data, yet most users do it over and over again.

    Now in v18.4 it is even possible to copy a rudimentary ASCII representation of dialog boxes and almost all their control items (static text, push buttons, check boxes, radio buttons, list boxes, combo boxes, tree view controls) including their states (unchecked, checked, half checked) by pressing Ctrl+C with an active dialog box on the screen (not if an edit box with a selection has the input focus). The system menu (also known as the window menu or control menu) also allows you to copy dialog windows as text. The system menu is the menu that you get when right-clicking the caption of a window.

    This is a very efficient way to share your settings in a certain dialog box with other users and let them copy strings for use in their own edit boxes, so that they don't have to type them, avoiding typos. The text representation is even more powerful than a screenshot because it shows the contents of edit boxes and list boxes completely, even if these controls have scrollbars and the contents exceed the physical boundaries of the controls on the screen. Unicode characters are supported. We suggest that users take screenshots of message boxes and dialog boxes only if absolutely necessary, for example if they wish to graphically highlight certain control items in Photoshop or a similar program to get the message across.

  • The ASCII representation of dialog boxes can also be used as a substitute for actual screenshots in the activity log of the case. If "Include screenshots in log" in the case properties is half-checked, that means that no actual screenshots of dialog windows will be taken, just the ASCII representation will be stored in the log. These details are included in a special way in the HTML output, so that they do not detract too much from the main log entries. Either they are output in a smaller font and gray color (if "Include screenshots in log" is fully checked) or simply as a pop-up when hovering with the mouse cursor over a space-saving placeholder rectangle, as known from Windows registry reports in X-Ways Forensics (if half checked) or not at all (if not checked). The placeholder rectangle and pop-up work best when viewed in Google Chrome, as that browser does not truncate the text if lengthy and even shows a preview of the first line in the placeholder rectangle.

  • In the conventional real screenshots of dialog boxes in the log as known from previous versions, pixels with the gray background color can be changed to pure white, to save toner/ink in case you are going to print your log at some time (anyway, please think twice and save paper).

  • Settings in practically all dialog windows can now be conveniently saved to and loaded from files as needed, via the system menu. This function can remember the selection states of the most important control types: check boxes, radio buttons, list boxes, combo boxes, and tree view controls. This works even if the controls are currently invisible. The settings are stored in files with the .dlg extension (for "dialog"), in the same directory as templates and scripts.

    The contents of edit boxes are also remembered. However, this function does not remember the contents/text labels of check boxes, list boxes, combo boxes, and tree view controls, e.g. which code page a check box represents in the Simultaneous Search dialog, which report tables exist in the Report Table filter list box, which external programs are listed in the Viewer Programs dialog window, which file types are listed in a tree view control etc. It also does not remember the order of controls or list items. It also does not remember settings in a dependent dialog window (which opens e.g. when clicking a "..." button). The functionality is not available for the Directory Browser Options dialog window. For those please continue to save and load .settings files by clicking the icons in the directory browser caption line.

    This new functionality is useful for many commands, for example the Export List command, where some users repeatedly need different settings for different purposes, and where the items in the list box are always the same (just the available columns), except after changing the language of the user interface.

  • Some minor changes about how colors are applied in the directory browser, especially if the directory browser does not have the input focus.

  • Conditional cell coloring now allows the use of * as a wildcard, to color cells or entire lines if the target cell contains any text at all.

  • Ability to adjust size, timestamps and attributes of a file with the File | Properties dialog box also in X-Ways Forensics, not only in WinHex. Among other things, this allows you to mark a file as sparse and artificially increase the size of a file instantly to sizes in the GB or TB range without writing data to it (the valid data length remains the same). For example this can be used to manually prepare a skeleton raw image file, before sparsely filling it with data using copy & paste.

  • Search in the registry viewer: Improved display of hits in the data of values.

  • Italian translation of the user interface revised.

File Type Support

  • The web history extracted from Internet Explorer (Webcache* files) is now added to the event list.

  • Support for several thumbs.db variants improved.

  • Processes certain PST e-mail archives despite invalid internal checksums.

  • E-mails extracted from LiveComm.edb get an entry in the event list and receive an improved reconstructed header.

  • Improved support for Windows.edb of Windows 8 or newer. The snippets are added to the volume snapshot using the original filename when available (previously in a few cases only). The path of the original file is now always shown in the Metadata column (previously in a few cases only).

  • Fixed a rare case where relevant (i.e. not duplicate/redundant) events in $UsnJrnl:$J were not output.

  • File type verification improved.

  • File header signature searches at the byte level within pagefile.sys files are now conducted by default, to find e-mail fragments, .lnk shortcut files, pictures, etc.

  • Automatically discards byte-level file carving hits in NTFS $MFT FILE records, as those records are already exploited when parsing the file system.

  • Automatically discards byte-level file carving hits for loose e-mails and Base64-encoded attachments as well as individual zip records if contained in known e-mail archives / zip archives (respectively), to avoid unnecessary duplication.

  • Support for another variant of MOV files during carving and file type verification.

  • Fixed a bug in the HBIN file carving algorithm.

  • New flag "S" for file type signature definitions, which marks signatures that are good enough for the file header signature search (probably in conjunction with a carving algorithm), but not for file type verification because of occasional misidentifications. This flag should be very rarely needed.

  • File carving algorithm for .emlx.

  • A rare exception error was fixed that could occur when carving individual e-mail messages (.eml files).

  • A rare exception error was fixed that could occur when extracting metadata from corrupt DBX e-mail archives.

  • A rare exception error was fixed that could occur when carving .dxf files.

File System Support

  • Tentative support for 64-bit block numbers in Ext4.

  • Some inconsistencies within the inclusion of previously existing files and directories into snapshots of Ext3/Ext4 volumes in v18.3 were fixed.

  • Accelerated resolving of symlinks when taking a snapshot of volumes that contain many of the same.

  • More reliable hard-link counts in newly taken volume snapshots of Windows 8.1 installations, where the official hard-link counts in the FILE record headers often seem to be bogus.

  • Compensation for NTFS compression during the file header signature search now also works when carving at the byte level (completely or partially via flags).

  • Fixed possible errors when parsing UDF file systems.

  • Fixed an exception error that could occur when taking a snapshot of malformed FAT16 volumes.

Disk/Image Support

  • The X-Tension API has been further completed and now allows the development and use of so-called Disk I/O X-Tensions. These are snap-ins that sit between all analysis functionality and the user interface of X-Ways Forensics on the one hand and a disk/image/RAID/partition/volume from which sectors are read on the other hand. They can for example deal with full disk encryption and decrypt the data in all sectors read by X-Ways Forensics on the fly when needed, so that all relevant functions only get to see the decrypted data and can deal with it as if it was a normal disk/volume.

    The user may open a selected evidence object through such a Disk I/O X-Tension using a new command in the context menu of the Case Data window. After selecting the intended X-Tension DLL, if the DLL signals that it can successfully deal with the data in that evidence object, the case will remember which DLL was chosen and automatically apply it next time when opening the same evidence object. Note that as always partitions count as evidence objects themselves. That way full disk encryption can be tackled as well as volume level encryption.

    For more information, developers and other interested parties please see www.x-ways.net/forensics/x-tensions/api.html#diskio. The demo X-Tension for Delphi has been updated and can now also serve as a Disk I/O X-Tension (just doing some nonsense stuff as proof of concept). This API addition shall encourage other developers to come up with decryption solutions for this interface. X-Ways will consider doing the same. As always, X-Tensions may be provided to the public as open or closed source, for free or for a charge, through our web site or any other channel.

  • Ability to change the nature of an image (disk or volume) and its sector size when creating the image. This is possible not only for .e01 evidence files, where both are explicitly defined in the internal metadata (compatible with other tools), but also for raw images (via external metadata, compatible only with X-Ways Forensics/Imager v18.4 and later, lost if the image leaves the realm of NTFS file systems). Useful whenever the source of the data is not an ideal interpretation. For example if a reconstructed RAID actually represents a volume, not a physical disk, then you can already adjust the nature of the image accordingly. Or if the sector size of the reconstructed RAID or a disk in an enclosure does not match the sector size of the file system in a partition, you can adjust the sector size of the image accordingly. All of this will allow for smoother and more successful usage of the image later, in particular by users who do not know or care much about details such as image type and sector size. With the additional metadata present for a raw image, X-Ways Forensics does not need to prompt users for the nature of the image and its sector size even if under normal circumstances it would (for example because the image does not start with an easily identifiable partitioning method or volume boot sector).

  • The Technical Details Report now shows the physical sector size of Advanced Format hard disks (4 KB) if they emulate a conventional 512-byte sector size logically.

  • Supports double-digit Windows disk numbers in disk imaging command line syntax.

Import/Export

  • New Recover/Copy option to use the alternative names of files, if available, for the output. The alternative name, if one exists, can be seen in the directory browser in square brackets. For example, when parsing iPhone backups, X-Ways Forensics automatically changes artificial generic filenames back to what they were originally. Or, when parsing $I files from the Windows recycle bin, the corresponding $R files are given their original names. If for some reason you prefer the untranslated filenames when copying such files off the image to your own hard disk, for example because you wish to process these files with some external tool that expects the artificial filenames, then you can now use this option.

  • Export List command: Option to copy files off the disk/image and link them from the HTML output. The links can be found in the Name column. The behavior is affected by two case report options: "Name output files after unique ID" and "Embed attachments in parent .eml file". An interesting layout alternative to the regular output of report tables.

  • Prevented some illegal characters in XML tags of the Export List command.

Miscellaneous

  • Ability to delete all indexes for an evidence object by removing the "Already done" check mark. This will also clear the "i" flag from all indexed files in the volume snapshot.

  • Fixed sender and recipients filter for processed original .eml and other single-mail files. These filters did not work in v18.2 and v18.3.

  • Many minor improvements and some minor fixes.

  • Program help and user manual updated for v18.4.


Changes of service releases of v18.3

  • SR-1: Improved character filter for text decoding.

  • SR-1: Fixed an instability problem that could occur when attaching files to large volume snapshots.

  • SR-1: Conditional coloring did not work correctly for users who had changed the column order before. That was fixed.

  • SR-1: Fixed occasional inability to import hash matches from previous versions.

  • SR-1: Fixed an exception error that could occur when parsing .evtx event log files.

  • SR-2: Fixed an exception error that could occur in v18.3 when processing files in archives of different evidence objects in a single operation.

  • SR-2: Fixed unnecessary assignment of certain files to the "Path unknown" directory in HFS+.

  • SR-3: Fixed a rare memory corruption error that could occur when extracting metadata from large .pf Prefetch files.

  • SR-3: Fixed an exception error that could occur in v18.3 when reading from the logical memory address space of processes in memory dumps.

  • SR-3: Fixed a layout inefficiency in .e01 evidence file created by v18.3.

  • SR-4: Fixed a possible exception error in EDB processing.

  • SR-4: Specifications of the XWF_GetHashValue API function revised.

  • SR-4: Fixed potentially incomplete parsing of highly fragmented directories in Ext4 in v18.1 through v18.3.

  • SR-4: Fixed potentially extremely slow and redundant carving of MPEG videos.

  • SR-4: Recognizes certain FAT boot sectors that violate official Microsoft specifications.

  • SR-5: Fixed incomplete HTML export in v18.3 SR-3 and SR-4.

  • SR-5: The Type filter did not always work correctly for full filename matches in v18.3. That was fixed.

  • SR-5: Fixed some errors in the new address space representation of 32-bit processes.

  • SR-6: Recover/Copy: The "Name output files after unique ID" option did not work for files without filename extension. That was fixed.

  • SR-6: Fixed a possible exception error that could occur under certain circumstances in v18.1 and later when exploring recursively.

  • SR-6: Fixed incomplete still extraction from some videos.

  • SR-6: Fixed time zone translation of event list timestamps extracted from Mac OS X's system.log.

  • SR-7: The default file mask for "Uncover embedded data in various file types" in new installations of v18.3 SR-5 and SR-6 was slightly too long, so that the last character could get overwritten and hiberfil.sys files, if present, were potentially not automatically decompressed and added to the case as memory dumps. In the latest download, the default mask is now not too long any more. Note that the maximum length of file mask has been extended in v18.4.

  • SR-7: Fixed an exception error that could occur when filling an evidence file container from a source that was not added to a case as an evidence object.

  • SR-7: Fixed inability to parse exFAT file systems with extremely large cluster sizes.

  • SR-7: Fixed incomplete extraction of certain embedded data in PDF documents.

  • SR-7: Fixed an instability error that could occur when parsing the journal in certain Ext3/Ext4 volumes in v18.2 and v18.3. 


Occasionally there are still users who ask about a replacement for their lost dongle although they did not insure the dongle and although we say over and over again that we do not replace lost or stolen dongles if not insured against loss or theft. Some users do not ask, but just assume that a replacement is always possible. Please understand that if we were to provide as many dongles per license as users want, there would be no point in using dongles in the first place.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#145: X-Ways Forensics, X-Ways Investigator, WinHex 18.3 released

May 15, 2015

This  mailing is to announce the release of another notable update with useful improvements, v18.3. Official release date was May 14.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request (but not guaranteed).

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Washington DC area, May 18-22, 2015
Ottawa, ON, Jun 1-5, 2015 (waiting list)
Washington DC area, Jun 8-10, 2015 (advanced X-Ways Forensics II course!)
Southern California, Aug 17-21, 2015
Toronto area, ON, Aug 24-27, 2015
Munich, Germany, Sep 14-18, 2015 (first English language training in Germany)
Largo, FL, Nov 2-6, 2015
Toronto, ON, Nov 9-10, 2015 (X-Ways Forensics II course! open for enrollment soon)

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Oracle has provided a "critical patch update" for v8.5.1 of the viewer component. The updated version has been downloadable from our web server since April 24, 2015. It is probably advisable for security reasons. The only two files that have changed are "ibpsd2.dll" and "vsw12.dll". The first file is responsible for PSD graphic files. The second one seems to be of more general use within the viewer component.

Oracle's description:
What this Update Fixes:
April 2015 Critical Patch Update for Outside In
This is the initial Outside In Critical Patch Update for 8.5.1


What's new in v18.3?
(please note that most changes affect X-Ways Forensics only)

Usability

  • Conditional cell background coloring is now available as an option in Options | Directory Browser. Helps to draw your attention to items of interest without having to filter out all non-matching items. Matching items are found through a substring search in the cell contents of a selected column. Substring expressions may be up to 15 characters long. If a match is detected in a cell, either only the background of that particular cell can be colored (called "cell-targeted coloring") or the entire line. To color an entire column, regardless of the cell contents, activate cell-targeted coloring for that column and specify an empty condition string, i.e. no condition at all.

    If a cell meets multiple cell-targeted conditions or multiple line-targeted conditions, only the first condition of each group will be applied. If different conditions apply to the same cell (one cell-targeted and one line-targeted color), that cell will be shown in a mix of both colors. For line-targeted coloring, only the first 255 characters in the respective cell are guaranteed to be searched.

    Conditions cannot be defined for search hit specific columns, but they can be defined for event specific columns. That can prove useful when trying to identify patterns in events. For example, you could color all events of type "Program started" in red and log-in events in yellow and see more easily how far apart from each other they are.

    Conditional cell background coloring is case-specific if "Store directory browser settings in cases" is selected. The definitions are stored in a separate .cfg file named "Conditional Coloring.cfg". They are also included in .settings files. .settings files continue to be compatible with previous versions. Up to 255 conditions may be defined.

    Some conditional color definitions for event lists that follow the SANS color scheme for activities are available for download to users of X-Ways Forensics and X-Ways Investigator (query your license status for the latest download instructions).

  • Automatic progress notifications via e-mail revised. If this feature didn't work for you in previous versions, in particular in the 64-bit edition, you may want to try again. You can now freely specify the SMTP port (by default 25, with 587 also being common) and conduct a test right from the dialog window with the settings (Options | General | Progress notification...). Remember to check your spam folder when looking for incoming automatically generated e-mail messages.

  • Larger thumbnail sizes supported in the gallery. Could be useful for users who prefer really large thumbnails and have a very high resolution display.

  • Ability to more easily print at least the cover page for file types which the viewer component does not support, for which it shows the message "The display engine for this format is not installed", e.g. Corel Draw or Wave files.

  • Ability to enable or disable the representation of a loaded viewer X-Tension in situations where it was not supported before.

  • Combined tag status now initially displayed in Name column header even in search hit lists and event lists.

  • Ability to totally remove excluded items from the volume snapshots of all the evidence objects that are included in an existing recursive exploration in the case root window, in a single step. Previously, that had to be done separately for each evidence object.

  • Automatically selecting the next item in the list after associating the current item with a report table is now optional. A 3-state checkbox allows you to do that either never or only for associations created with keyboard shortcuts or for all association methods.

  • No longer lists previously existing printers in print dialogs.

  • Chinese translation of the user interface updated.

File Type Support

  • New directory browser option to display the file type ranks in the Type status column, which also causes sorting by that column to sort by those ranks. Some new file types with ranks as high as 4 and 5 were added.

  • New file carving algorithm for sessionrestore. sessionrestore is a file type ranked 4, an essential source of information from Firefox usage aside from the cache. The new algorithm can carve fragments of sessionrestore. That is important because few sessionrestore objects remain fully intact. Most artifacts found are typically from Facebook or webmail.

  • New carving algorithm for e-mail fragments.

  • New registry report output for remote desktop connections defined.

  • IPA file type recognition improved.

  • PNG metadata extraction updated.

  • Significantly smaller preview HTML for Windows event logs, which makes them easier to view with the viewer component. The number of processed records is listed at the bottom of the preview. Terminal Service connection events are now added to the event list with username and IP address.

  • Lists sent files in Skype chat history previews with filename and size as well as in the event list. The latter allows you to quickly filter for files that were sent or received via Skype.

  • Several more file header signatures defined for carving, among them special Base64 encodings of JPEG, PNG, PDF, OLE2.

  • Improved and more thorough carving of individual e-mail messages floating around in free space and pagefile.sys etc., with a dedicated signature definition named "E-mail fragment" and a dedicated internal algorithm. Most thorough if you employ it with the "b" flag for byte-level carving.

  • MSO files are now checked for embedded files.

  • PSPImage files (newer Paint Shop Pro pictures) are now checked for embedded thumbnails by default.

  • Two separate file masks are now maintained for uncovering embedded data in various file types, for reasons of convenience. The second mask is optional and labelled as "special interest". For example malware investigators may process executable files that way when needed.

Hash Database

  • Ability to create multiple hash sets in a single step, where the hash values of the selected files are put into hash sets that are named after each file's report table association(s). This is useful if you categorize notable files in one case using report tables (e.g. based on different types of CP), and wish to quickly identify the same files again in other cases later, and automatically see the category that you had originally assigned, as the hash set name. The new checkbox in the Create Hash Set command's dialog window is labelled "Name after report table associations, if any". If a selected file does not have any report table association, its hash value will be assigned to the hash set named as you specify, as in previous versions, or as if you had not checked the new checkbox.

  • Including child objects of selected files when creating hash sets is now optional.

  • Hash set filter considerably accelerated for volume snapshots with a huge number of hash set matches. Previous versions will not be able to load hash set matches saved by v18.3 and later any more.

  • Child objects of files now inherit the hash category "irrelevant" from their parents. That is possible because if an entire file is irrelevant, everything that can be extracted from that file must also be irrelevant. However, what is extracted from a "notable" file is not necessarily also notable, because perhaps only some parts or aspects of the parent file are notable. Of course, child objects of irrelevant parents will only be output if the user chooses to not omit irrelevant files from further processing in the first place.

  • Ability to import PhotoDNA hash values that are stored in text files, with "PhotoDNA" in the first line, followed by 1 hash value per line in hex ASCII or Base64.

  • Option to skip a hash database altogether when matching hash values.
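As an added illustration of the PhotoDNA import format described above (a "PhotoDNA" header line followed by one hash value per line in hex ASCII or Base64), here is a small parser in Python. It is example code, not X-Ways' own import routine. It assumes that a PhotoDNA hash is 144 bytes and that blank lines may be skipped; neither detail is stated in the newsletter, and the sample file is constructed.

```python
import base64
import binascii
from typing import List

# Assumption of this example (not stated on the page): a PhotoDNA hash is
# 144 bytes, i.e. 288 hex digits or 192 Base64 characters.
PHOTODNA_HASH_LEN = 144
_HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_hash_token(token: str) -> bytes:
    """Decode one hash line written either in hex ASCII or in Base64.

    Hex is tested first on purpose: a 288-digit hex string is also
    syntactically valid Base64 (length divisible by 4, alphabet overlap),
    so trying Base64 first would silently decode it into the wrong 216 bytes.
    """
    if len(token) == 2 * PHOTODNA_HASH_LEN and set(token) <= _HEX_DIGITS:
        return bytes.fromhex(token)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"neither hex nor Base64: {token[:16]!r}...") from exc


def parse_photodna_list(text: str) -> List[bytes]:
    """Parse a text file: 'PhotoDNA' on the first line, one hash per line after it."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "PhotoDNA":
        raise ValueError("first line must be 'PhotoDNA'")
    hashes: List[bytes] = []
    for lineno, raw in enumerate(lines[1:], start=2):
        token = raw.strip()
        if not token:  # blank lines are tolerated (assumption of this example)
            continue
        value = decode_hash_token(token)
        if len(value) != PHOTODNA_HASH_LEN:
            raise ValueError(
                f"line {lineno}: got {len(value)} bytes, expected {PHOTODNA_HASH_LEN}"
            )
        hashes.append(value)
    return hashes


# Constructed sample: one hash value given twice, once in hex and once in Base64.
SAMPLE_HASH = bytes(range(PHOTODNA_HASH_LEN))
SAMPLE_FILE = (
    "PhotoDNA\n"
    + SAMPLE_HASH.hex() + "\n"
    + base64.b64encode(SAMPLE_HASH).decode("ascii") + "\n"
)

if __name__ == "__main__":
    for h in parse_photodna_list(SAMPLE_FILE):
        print(h.hex()[:32], "...")
```

Both lines of the constructed sample decode to the same 144 bytes, which is exactly what a matching engine needs before it can compare them against files in the volume snapshot.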

Searches

  • Support for GREP expressions with \unnnn in simultaneous searches, where nnnn are four hexadecimal digits that designate a certain Unicode value in human notation (big endian order). Depending on the code page(s) selected for the search, this constant Unicode character value is translated to different byte values and potentially also different numbers of bytes for the actual search. Useful for example if you are looking for strings that are null-terminated or follow a null character, where that null character is represented by a different number of bytes depending on the character set (e.g. 1 in UTF-8, 2 in UTF-16). Also useful if you know the Unicode value of a certain character that you are looking for, but cannot easily produce the character with your keyboard and cannot copy it from somewhere else.

  • Supports simultaneous searches where some search terms are to be considered case-sensitive (if prepended with "case:") and others not, at the same time.

  • The option to list 1 search hit per item only now no longer filters out search hits in slack space. This is useful because the slack of a file is typically not related to the contents of that file, so any search hits in the slack would likely have a totally different context than search hits in the logical portion of the file and thus need to be reviewed additionally. Please note that it is usually still necessary to unselect the "1 hit per item" option to separately check out search hits in conglomerates such as pagefile.sys and the virtual "Free space" file, which contain data from totally different sources. The "1 hit per item" option remains most useful for documents only, for which you can often tell after a quick look in Preview mode whether the entire file is relevant or not.

  • ?, * and {0,n} at the end of a GREP expression did not always match 0 occurrences. This error is now avoided.

  • Slightly improved availability of context previews for search hits in nested archives.
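As an added example (not code from X-Ways) of what the \unnnn notation in the simultaneous search bullet above amounts to, the following Python turns a search term containing \unnnn escapes into one concrete byte pattern per code page and runs it over constructed sample data. It assumes UTF-8, UTF-16LE (the byte order used on Windows) and Windows-1252 as the selected code pages; function names and sample buffers are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data standing in for bytes read from an evidence object:
# the same text stored once as UTF-8 and once as UTF-16LE.
SAMPLE_TEXT = "login=admin\x00token=abc"
SAMPLE_UTF8 = SAMPLE_TEXT.encode("utf-8")
SAMPLE_UTF16 = SAMPLE_TEXT.encode("utf-16-le")

# \unnnn: a backslash, 'u' and four hex digits naming a Unicode code point.
_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")


def expand_unicode_escapes(term: str) -> str:
    """Replace each \\unnnn escape with the character it designates."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), term)


def encode_for_codepage(term: str, codepage: str) -> Optional[bytes]:
    """Byte sequence to look for in one code page, or None if the code page
    cannot represent a character of the term (nothing to search for then)."""
    try:
        return expand_unicode_escapes(term).encode(codepage)
    except UnicodeEncodeError:
        return None


def byte_patterns(
    term: str, codepages=("utf-8", "utf-16-le", "cp1252")
) -> Dict[str, Optional[bytes]]:
    """One concrete byte pattern per selected code page."""
    return {cp: encode_for_codepage(term, cp) for cp in codepages}


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Byte offsets of every occurrence of pattern in buf (overlaps included)."""
    hits, start = [], 0
    while (pos := buf.find(pattern, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def search(
    buf: bytes, term: str, codepages=("utf-8", "utf-16-le", "cp1252")
) -> Dict[str, List[int]]:
    """Search buf once per code page; code pages that cannot encode the term are skipped."""
    return {
        cp: find_all(buf, pat)
        for cp, pat in byte_patterns(term, codepages).items()
        if pat is not None
    }


if __name__ == "__main__":
    # The same \u0000 becomes 1 byte in UTF-8 and 2 bytes in UTF-16LE.
    for cp, pat in byte_patterns(r"admin\u0000").items():
        print(cp, pat)
    print(search(SAMPLE_UTF8, r"admin\u0000"))
    print(search(SAMPLE_UTF16, r"admin\u0000"))
```

The point of the example is visible in the two pattern lengths: `admin\u0000` is 6 bytes in UTF-8 and 12 bytes in UTF-16LE, and only the pattern for the matching code page produces a hit in the corresponding buffer.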

Disk Image Support

  • Ability to explicitly choose a larger chunk size when creating .e01 evidence files. Might be regarded as useful by some to achieve a marginally better compression ratio for ordinary data, at the expense of more time needed when creating the image and when later randomly accessing data in the image, but improves compression noticeably for extremely compressible data (e.g. a wiped or largely unused hard disk). A 512 KB chunk size reduces the image size with ideal data (e.g. only 0x00 bytes) ceteris paribus by an additional 40% compared to a 32 KB chunk size.

  • Fixed simultaneous creation of multiple copies of an .e01 evidence file if encrypted.

  • Support for another VMDK variant.
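To make the chunk-size trade-off in the .e01 bullet above concrete, the following added Python example (not X-Ways code and not the evidence file format itself) compresses constructed data with zlib in independent 32 KB and 512 KB chunks and shows both effects: the total stored size for ideal data, and the amount that must be decompressed to read a single 512-byte sector. The chunk layout is a simplification; a real evidence file has additional per-chunk bookkeeping that is not modelled here.

```python
import zlib
from typing import Dict, List, Tuple

KB = 1024

# Constructed sample: 4 MB of 0x00 bytes, the "ideal" data of a wiped disk.
WIPED = bytes(4 * 1024 * KB)


def compress_in_chunks(data: bytes, chunk_size: int) -> List[bytes]:
    """Compress data as independent chunks, the way a chunked image format does."""
    return [zlib.compress(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def stored_size(chunks: List[bytes]) -> int:
    """Total number of bytes the compressed chunks occupy."""
    return sum(len(c) for c in chunks)


def compare_chunk_sizes(data: bytes, sizes=(32 * KB, 512 * KB)) -> Dict[int, int]:
    """Total compressed size per chunk size (each chunk carries its own overhead)."""
    return {s: stored_size(compress_in_chunks(data, s)) for s in sizes}


def read_sector(chunks: List[bytes], chunk_size: int, sector: int,
                sector_size: int = 512) -> Tuple[bytes, int]:
    """Random access: return one sector and the number of bytes that had to be
    decompressed to reach it, which is a whole chunk whatever the sector size."""
    idx, inner = divmod(sector * sector_size, chunk_size)
    plain = zlib.decompress(chunks[idx])
    return plain[inner:inner + sector_size], len(plain)


if __name__ == "__main__":
    for size, total in compare_chunk_sizes(WIPED).items():
        print(f"{size // KB:4d} KB chunks -> {total} bytes stored for 4 MB of zeros")
    for size in (32 * KB, 512 * KB):
        _, cost = read_sector(compress_in_chunks(WIPED, size), size, 70)
        print(f"{size // KB:4d} KB chunks -> {cost} bytes decompressed to read one sector")
```

Fewer, larger chunks mean fewer per-chunk headers and trailers, so the stored size of highly compressible data drops; the price is that reading any one sector requires inflating the whole chunk that contains it.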

Miscellaneous

  • Ability to specifically copy text from the text column as Unicode even when the text column is not displayed in Unicode, or specifically as ANSI-encoded text even when the text column is not displayed as ANSI ASCII, using an additional command in the Edit | Copy menu. This command is potentially important because some users are unfamiliar with fundamental computing concepts like character sets or null-terminated strings, and they think that English language text in UTF-16 (where every other byte is 0x00) is not copied correctly by WinHex/X-Ways Forensics just because a text editor or word processing program that pastes the text naturally truncates it at the first null byte. These users may now notice in the GUI that another option exists, and may decide to give it a try. Previously it was necessary to change the text column to Unicode to copy text as Unicode (in accordance with "what you see is what you get").

    For users who are unfamiliar with the concept of null-terminated strings and do not understand the implications of UTF-16 and binary data when they copy selected data as ANSI text in order to paste it as text in other Windows programs, there is now a message box with a hint when they copy data with zero-value bytes in it as ANSI text. Time and again unsuspecting users reported "WinHex does not copy the text properly", when in fact just the receiving application does not paste everything because of zero-value bytes in the copied data. The hint will hopefully stop users from blaming WinHex/X-Ways Forensics.

    Please remember that it is easy to eliminate zero-value bytes, by pasting the copied data in WinHex itself first (into a new data window, via Shift+Ins, which of course supports binary data and includes zero-value bytes as well as data that follows them) and then replacing 0x00 with spaces, line breaks or nothing, as you like. After that you could copy the data again and paste it in the target program. Another way to extract only printable characters and most likely readable text (actual words in English, German and French) from an entire data window is the Specialist | Gather Text command.
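As an added illustration (not code from WinHex), the following Python shows why English UTF-16 text looks truncated when pasted as a null-terminated ANSI string, the two remedies described above (copying as Unicode, or replacing the 0x00 bytes first), and a simplified Gather Text style extraction of printable ASCII and UTF-16LE runs; the sample buffer is constructed.

```python
import re

# Constructed sample buffer (not data from the newsletter): an English phrase stored
# as UTF-16LE (every other byte is 0x00), some binary filler, then an ANSI string.
UTF16_PART = "Evidence located".encode("utf-16-le")          # 32 bytes
SAMPLE = UTF16_PART + bytes([0x00, 0xFF, 0x13, 0x7A, 0x00, 0x00]) + b"pagefile.sys\x00"


def paste_as_c_string(data):
    """What a program that treats the clipboard as a null-terminated ANSI string
    ends up showing: everything up to (not including) the first 0x00 byte."""
    end = data.find(b"\x00")
    return (data if end < 0 else data[:end]).decode("latin-1")


def copy_as_unicode(data):
    """Copy as Unicode: interpret the selected bytes as UTF-16LE text instead.
    An odd trailing byte or invalid pair becomes U+FFFD rather than an error."""
    return data.decode("utf-16-le", errors="replace")


def strip_nulls(data, replacement=b" "):
    """The workaround from the text: paste into a WinHex data window (which keeps
    binary data) and replace every 0x00 with a space, line break or nothing."""
    return data.replace(b"\x00", replacement)


def gather_text(data, min_len=4):
    """Simplified Gather Text style extraction: runs of printable ASCII stored as
    single bytes, and runs stored as UTF-16LE (printable byte followed by 0x00).
    Returns (ansi_runs, utf16_runs); no dictionary check of real words is done."""
    printable = rb"[\x20-\x7e]"
    ansi_runs = re.findall(printable + rb"{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:" + printable + rb"\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in ansi_runs],
            [r.decode("utf-16-le") for r in utf16_runs])


if __name__ == "__main__":
    print("pasted as C string :", repr(paste_as_c_string(SAMPLE)))
    print("copied as Unicode  :", repr(copy_as_unicode(UTF16_PART)))
    print("nulls replaced     :", repr(paste_as_c_string(strip_nulls(SAMPLE))))
    print("gathered text      :", gather_text(SAMPLE))
```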

  • The internal logic of the Type filter was slightly revised, which may be noticeable for overlapping definitions (such as the full filename "pagefile.sys" in the Windows Internals category and the "sys" extension in Program Files) and when using the NOT setting.

  • Some operations such as Specialist | Refine Volume Snapshot and logical searches are now slightly faster when applied to actual disks, not images, most notably when these operations are applied to the C: drive opened as a drive letter C:.

  • Pages in the user address space of 32-bit processes that are not mapped are no longer included in Process mode when analyzing memory dumps.

  • Accepts certain non-standard FAT12 boot sectors.

  • The delimiter for default size and size detection limit in File Type Signatures Search.txt is now a forward slash, to avoid some incompatibility issues with editing in MS Excel. The colon from v18.2 SR-1 and later will still be accepted for a while if you have your own definition files that use colons already.

  • Several minor improvements and some minor fixes.

  • Program help and user manual updated for v18.3.


Changes of service releases of v18.2

  • SR-1: Matches with deleted hash sets (which are not discarded from volume snapshots when the hash sets are marked as deleted in the hash database) are now marked in the "Hash set" column with the word "deleted" to avoid confusion and mix-ups with existing hash sets of the same name. Some users who delete hash sets from a hash database, add new hash sets, but do not match hash values of files against the hash database again, might have been confused that they could not target files with matches using the "Hash set" column filter, which only offers existing hash sets.

  • SR-1: Evidence file containers are now more likely to have enough space for e-mail messages with extremely long subjects, extracted sender and recipient text, comments, and report table associations.

  • SR-1: Keeps track of viewed files when viewed in the gallery only for pictures, even if non-picture files are represented in the gallery by thumbnails as well (as introduced with v18.0).

  • SR-1: Prevented erroneous "Please stop ongoing operation first." message that could occur when trying to hash files in large volume snapshots, and subsequent exception errors.

  • SR-1: Fixed an error with message "Unable to release memory" that could occur during file header signature searches.

  • SR-2: Fixed errors that occurred when dealing with medium to large hash databases. Symptoms were reports of a corrupt hash database by the integrity test (although as stored on the disk the database was not necessarily corrupt), as well as potentially some other non-specific errors. If you have altered an existing hash database in v18.2, the integrity test in v18.2 SR-2 may still report errors in the database, and in that case the errors are permanent and you would have to set up your database again. Sorry.

  • SR-2: Fixed an exception error that occurred in v18.2 when resetting items in the volume snapshot with Ctrl+Del.

  • SR-2: Fixed an instability problem that could occur when parsing certain PList files.

  • SR-2: Softened filtering for events from Windows event logs. Improved stability and responsiveness for event log processing, and sub-progress indication added.

  • SR-2: Exception error fixed that could occur when extracting metadata from .eml files.

  • SR-2: Fixed very rare type misidentification for some very small files.

  • SR-2: Fixed an exception error that could occur in v18.2 after imaging a disk before automatic verification if in Gallery mode.

  • SR-3: Fixed potential stack overflow error when dealing with certain constellations of deeply nested archives.

  • SR-3: Fixed a potential crash that could occur after running a search for several lengthy search terms with hits for many of those search terms in the same file.

  • SR-3: HTML previews of SQLite databases sometimes appeared incomplete in the 64-bit edition. That was fixed.

  • SR-3: Fixed a few rare exception errors.

  • SR-4: An error has been fixed that could lead to duplicated and very slow inclusion of previously existing files in volume snapshots of Ext2/Ext3/Ext4 file systems.

  • SR-4: Prevented possible infinite loop when processing newsgroup archives in DBX format. 


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#144: X-Ways Forensics, X-Ways Investigator, WinHex 18.2 released

Mar 27, 2015

This mailing is to announce the release of another notable update with useful improvements, v18.2. Official release date was March 26.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data (just changed, please do not ask), details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-May 1, 2015
Washington DC area, May 18-22, 2015
Ottawa, ON, Jun 1-5, 2015
Washington DC area, Jun 8-10, 2015
Southern California, Aug 17-21, 2015
Munich, Germany, Sep 14-18, 2015 (first English language training in Germany)
Largo, FL, Nov 2-6, 2015

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v18.2?
(please note that most changes affect X-Ways Forensics only)

File System Support

  • For the file systems Ext2/Ext3/Ext4, there is now a "Particularly thorough file system data structure search" functionality, which checks the entire volume for previously existing directory structures whose contents are no longer known from corresponding inodes (these would have been looked at as part of the regular volume snapshot already). Such directories are listed with a generic name ("Directory with ID ..."), usually in "Path unknown", but potentially in the root directory, if that is where they previously existed. (The root directory is special in this situation, as it has an unchangeable ID.)

  • Viewing support for Ext3/Ext4 journals. Our File Systems Revealed training course now also explains the Ext journal.

  • Volume shadow copy processing revised, delivering better results.

  • Improved handling of incomplete Ext* partitions, in particular those that are part of Linux software RAIDs which were not reconstructed by the user but are processed directly on their own.

File Type Support

  • Tentative support for Exchange 2010 EDB databases. Feedback appreciated! Exchange EDB extraction generally revised.

  • Ability to specify in great detail which types of file archives and which zip subtypes should be explored to include their contents into the volume snapshot.

  • Both default and maximum file sizes for carving are now individually specified in the "File Type Signatures Search.txt" file on a per file type basis, no longer generically in the user interface. That allows for better output quality because different file types have different variances in typical file sizes (larger or smaller deviations from their respective average file size).

  • Extraction of browsing history information from Safari's icon database. This alternative source is very interesting because it records browsing history even when Safari is in private browsing mode.

  • Ability to view .DS_Store in more detail in Preview mode.

  • Slightly revised file type verification.

  • More efficient processing of solid 7zip archives.

  • Faster processing of huge numbers of original .eml and .msg files in very large volume snapshots. Volume snapshots saved by earlier releases have to be converted to a new format by v18.2 Preview 3 and later.

Usability

  • Support for up to 32 external viewer programs instead of 9. Their paths are now defined in a separate file, named Programs.txt, so that it is easier to share a collection of external programs separately, or keep them when taking over all other settings from someone else.

  • Extended support for relative paths to external programs.

  • Substring filter for the Author column.

  • Ability to copy the path of the selected key in the Registry Viewer using a new context menu command.

  • Maintains a history of the last 8 search terms used in the Registry Viewer.

  • A new button labelled "XT" is now shown when viewer X-Tensions are available (loaded), next to the "Raw" button. Allows you to conveniently change the preview to the representation provided by the first viewer X-Tension that feels responsible for the type of the selected file. Or back to the regular preview if not helpful, in both directions with a single mouse click. You may also combine Raw and XT submodes of Preview mode, for example for debugging purposes if you are programming a viewer X-Tension of your own and have it return HTML code that you wish to check in X-Ways Forensics.

  • New directory browser context menu command to exclude files based on identical names instead of identical hash values. This is a case-insensitive comparison and of course should be used only if you know what you are doing, as it does not compare the file contents at all. Could be useful for example if you wish to get rid of multiple copies of the same files found in backups if you do not need to keep different versions of these files. If prior to the comparison you sort by last modification date in descending order, for example, this will ensure that the newest version of the file will be kept and all older versions will be excluded. Files with identical names are not marked as duplicates in the Attr. column. That happens only if you identify identical files based on hash values, as in previous versions.

  • Context menu for directories in the Case Data window. Available if "More context menus" in Options | General is fully checked or if the Shift key is pressed while right-clicking a directory. Allows you to recursively explore the right-clicked directory (just like when no context menu is shown), to tag the directory recursively (just like when pressing the Space bar), to expand the directory recursively (just like when pressing the multiply key of the numeric keypad), to collapse all, to export a subtree into an ASCII text file, or to copy the entire path of that directory into the clipboard.

  • Matches with deleted hash sets (which are not discarded from volume snapshots when the hash sets are marked as deleted in the hash database) are now marked in the "Hash set" column with the word "deleted" to avoid confusion and mix-ups with existing hash sets of the same name. Some users who delete hash sets from a hash database, add new hash sets, but do not match hash values of files against the hash database again, might have been confused that they could not target files with matches using the "Hash set" column filter, which only offers existing hash sets. (as of v18.2 SR-1)

  • Keeps track of viewed files when viewed in the gallery only for pictures, even if non-picture files are represented in the gallery by thumbnails as well, as introduced with v18.0. (as of v18.2 SR-1)

  • The Chinese translation of the user interface was updated.

Reporting

  • "Create main report" is now a 3-state checkbox in the case report options dialog. If only half checked, details about the evidence objects are not included in the case report, the evidence objects are merely listed. Evidence objects details, if included, now precede report tables in the report.

  • Links to report tables now work even if the report is optionally split into multiple HTML files, and there is a link back from each report table to the report table overview. The report is now split based on the number of items that are referenced, not based on the number of pictures that are displayed in the report. If the report is split, the next segment is now linked from the bottom of the previous segment.

  • The case log, if output along with the case report, is now a separate HTML file. If the report is saved in a directory other than the case directory and screenshots of the case log are to be included, they are now copied to the appropriate subdirectory.

  • Ability to split huge HTML and TSV exports from the directory browser into separate files.

Miscellaneous

  • Reliably preserves the PhotoDNA category of pictures, if identified, in evidence file containers, and can show it in installations whose PhotoDNA database has a category of the same name, after a volume snapshot of the container has been taken.

  • Ability to tweak CPU and memory utilization of indexing, and more conservative default values are used.

  • The virtual "Free space" file is now frozen also once it is indexed, to avoid later invalidation of index offsets.

  • Avoided garbled look of toolbar icons on systems with only 16-bit color depth (High Color).

  • Improved support for logical memory addresses in the Position Manager (previously called "virtual" memory addresses).

  • Evidence file containers are now more likely to have enough space for e-mail messages with extremely long subjects, extracted sender and recipient text, comments, and report table associations. (as of v18.2 SR-1)

  • Prevented erroneous "Please stop ongoing operation first." message that could occur when trying to hash files in large volume snapshots, and subsequent exception errors. (as of v18.2 SR-1)

  • Fixed an error with message "Unable to release memory" that could occur during file header signature searches. (as of v18.2 SR-1)

  • Many minor improvements and fixes.

  • Program help and user manual updated for v18.2.


Changes of service releases of v18.1

  • SR-1: Processing of more zip subtypes.

  • SR-1: Fixed a rare exception error that could occur when processing MBOX files.

  • SR-1: Fixed incomplete representation of WebCacheV01.dat files in v18.1.

  • SR-1: v18.1 did not take correct volume snapshots of certain Ext3/4 partitions. That was fixed.

  • SR-1: No longer blindly adopts certain machine-specific settings from a re-used .cfg file upon start-up that made sense with different hardware only.

  • SR-2: Fixed extremely slow progress that could occur in v17.9 and later when carving MPEG files.

  • SR-2: Fixed an error that could occur under certain circumstances when processing file archives larger than 4 GB in the 64-bit edition.

  • SR-2: Fixed a crash that could occur in the 64-bit edition when extracting metadata from certain HTML files.

  • SR-2: Some minor file type verification fixes.

  • SR-2: Fixed some unnecessary error messages that were potentially output in v18.1 when searching for embedded data in OLE2 compound files.

  • SR-3: Sender and recipients now shown for e-mails that are extracted from livecomm.edb.

  • SR-3: Fixed an exception error that occurred in v18.1 when running searches in the Registry Viewer.

  • SR-3: An exception error was fixed that could occur in v18.0 and later when carving certain PDF files.

  • SR-3: Fixed an error that could lead to data corruption in remaining extracted files when removing other excluded extracted files from the volume snapshot.

  • SR-3: Fixed a memory corruption error that could occur during net free space computation.

  • SR-3: Fixed an exception error that could occur in v18.1 when taking a snapshot of certain Ext3 or Ext4 volumes.

  • SR-3: Fixed various exception errors in very specific situations and some minor errors.

  • SR-4: Fixed considerable inefficiency in dealing with very large nested file archives.

  • SR-4: Fixed an exception error that could occur when extracting metadata from Windows Registry hive fragments.

  • SR-4: Fixed code page error in Italian translation of the user interface in v18.1.

  • SR-4: Updated language.txt files for custom translation (e.g. just report generation) now available for download for v17.9, v18.0, and v18.1.

  • SR-4: X-Ways Forensics did not always remember X-Tensions listed in the dialog window from previous sessions. That was fixed.

  • SR-5: Prevented excessive memory consumption that could occur in very specific constellations when decoding text during logical searches or indexing.

  • SR-5: Fixed missing scrollbars in preview of PDF documents after non-picture files were represented in the gallery.

  • SR-5: Fixed an exception error that could occur when processing corrupt RIFF files.

  • SR-5: Prevented a possible infinite loop when processing corrupt EVT files.



Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany


#143b: X-Ways Forensics, X-Ways Investigator, WinHex 18.1 released

Feb 16, 2015

This mailing is to announce the release of a notable update with important improvements, v18.1.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Washington DC, Mar 2-4, 2015 (seats still available for the last 3 days!)
Canberra, Australia, Mar 16-20, 2015
London, England, Mar 24-Apr 1, 2015
Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-May 1, 2015
Washington DC area, May 18-22, 2015
Ottawa, ON, Jun 1-5, 2015
Washington DC area, Jun 8-10, 2015
Southern California, Aug 17-21, 2015

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v18.1?
(please note that most changes affect X-Ways Forensics only)

All the changes in v18.1 Beta 1 were already announced. You can find all previous newsletter issues in the newsletter archive.

Additional changes since Beta 1:

  • In newly taken Volume Snapshots of Ext3 and Ext4 file systems, X-Ways Forensics now considers the contents of these file systems' journals as alternative sources for information. This may lead to the listing of additional previously existing files, or the listing of previously existing files with contents and timestamps that were not available previously, or the identification of previous names for currently existing files (in the latter case, a note to that effect would be added to the existing file's Metadata column). Important caveat: Since Ext3/4 journaling involves copies of entire file system blocks, journal rollover will occur quite quickly on very active partitions, with the most recent entries in the journal being identical to the current state of affairs, of course.

  • Files whose representations are based on an inode in the Ext3/Ext4 journal are marked with (Jrnl) in the Attr. column. A filter for such files is available.

  • Retrieves some essential information about Windows installations, if found, from partitions or images that are added to a case, and displays them in the evidence object properties.

  • Support for Deflate64 compression in zip archives.

  • Fixed an exception error that could occur when extracting e-mails from certain MBOX e-mail archives.

  • Minor fix for and improvement of event extraction from .evtx event logs in case events had been deleted in the event log by the user.

  • Option to show pictures above the text in report tables in the case report, not below.

  • Italian translation of the user interface updated.

  • Some other minor improvements and fixes.

  • Fixed potential spill-over of sender and recipients to other e-mail fragments extracted from Windows.edb.

  • Fixed an error that could occur when processing file archives larger than 2 GB.

  • Some file type verification improvements.

  • Some minor improvements and fixes.

  • Program help and user manual updated for v18.1.


Changes in v18.0 SR-9:

  • SR-9: Fixed an exception error that could occur when automatically verifying images after creation with certain settings.

  • SR-9: Prevents alteration of report table names in certain situations when synchronizing shared analysis work.



Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#143a: X-Ways Forensics 18.1 Beta released

Jan 27, 2015

This mailing is to announce various company news and the release of a beta version of X-Ways Forensics 18.1, with many interesting improvements. v18.1 Beta is only available for X-Ways Forensics. Note that all Preview and Beta versions expire after some time! The next newsletter issue will notify you when v18.1 is officially released, and at that time v18.1 will also be available as WinHex (for users with a personal, professional or specialist license) as well as X-Ways Investigator and X-Ways Imager.

Users of X-Ways Forensics please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there.

Please be reminded that if you are generally interested in receiving information about service releases, preview and beta versions when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.


Upcoming Training

Washington DC, Feb 24-Mar 4, 2015 (first delivery of the advanced course in the US!)
London, England, Mar 24-Apr 1, 2015
Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-31, 2015
Ottawa, ON, Jun 1-5, 2015

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Miscellaneous News/Policy Improvements

  • The value of the Euro is currently very low compared to most other currencies. If you reside outside of the Euro zone, please be advised that now is a great time to buy licenses! Much lower prices than usually. Should you decide to order online, you will see that all major currencies are offered. However, you may want to pay in Euros, as your bank or credit card provider will probably be able to give you a better exchange rate.

  • We have recently updated our loyalty reward program. There are now two tiers, Silver and Gold, instead of just one, and it is easier to reach a status than during all the years before, and there are more very practical benefits to be gained. All details here.

  • For insurance against theft (not merely loss), if you have insured your dongle with a version before v18.0, please uninsure your dongle and immediately re-insure it with v18.0 or later. v18.0 and later allow you to register at least one e-mail address for your dongle when you top it up for the first time. This is potentially important as it will prevent clever thieves from uninsuring a stolen dongle immediately, before you may have a chance to report it as lost/stolen. Only the owners of the registered e-mail addresses can uninsure insured dongles, if any e-mail address is registered.

  • It is now possible to renew non-perpetual (temporary) licenses at a discount at any time after such licenses have expired, by 1 year starting from the renewal date, or already 2 months in advance, by 1 whole year as well counted from the end of the current license term.

  • Temporary licenses are now available on a daily basis as well. Those come in handy if you have a need to run the software on more computers at the same time than usually, such as for training purposes or if you wish to parallelize processing (keyword searches, volume snapshot refinements) with X-Ways Forensics using multiple instances on multiple computers of an unusually large or urgent case.
    Useful and cost-effective also when conducting triage on a large number of computers on site, i.e. where you have to quickly verify using special methods (keyword search, filename filter, skin tone computation on 10% of all pictures, ...) whether or not there is potential evidence on a computer, and depending on the result decide to acquire all its data on site or take the hardware away or just leave the computer alone. 1 day usage refers to a whole calendar day (24 hours) in your time zone. Very cost-effective if you need many additional licenses for just a short time or very rarely.

  • All licensing terminology explained here.


What's new in v18.1?
(please note that most changes affect X-Ways Forensics only)

Usability

  • Support for Windows 10 (Technical Preview) as a platform.

  • Improved scaling of various elements of the user interface with high DPI settings in Windows, especially directory browser and case tree icons, center screen buttons, the status bar, tag squares, sort arrows. Several toolbar and menu icons have been revised. In particular, almost all icons are now available in high resolution for high DPI settings. File and directory icons have been revised as well and are now more consistent between directory tree and the directory browser. New icons are now shown to represent pictures, e-mails, and miscellaneous Outlook data. Considerably improved support for larger font sizes in the hex editor display and in character tables. These improvements are important especially for high resolution displays (4K or 5K displays, such as the Retina displays of recent Mac computers) and users with below average eyesight.

  • Now up to 2 alter egos of the same user may open the same case at the same time. Some users might find this useful for parallelized simultaneous volume snapshot refinement of different evidence objects in the same case on the same computer.

  • A new gallery option allows you to tag a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable than selecting multiple files while holding the Ctrl key.

HTML Reports

  • It is now easier to use CSS (cascading style sheets) for case report format definitions. In addition to defining the parameters for standard HTML elements (which would have been possible previously already), key elements of the report are now assigned "class" parameters to simplify targeting those for formatting purposes. Example style sheets are available to use as a basis for further modification. The report options allow picking or editing a CSS.txt as part of the reporting process.

  • Two new case report options have been added. "Name output files after unique ID" will ensure filenames that are succinct, unique, trackable and reproducible, and will also ensure that if the same file is associated with multiple report tables, it will be copied to the report subdirectory only once. That saves time and drive space. "List each file only once" is a 3-state checkbox. If fully checked, no file will be referenced in the report by more than one report table any more. Note that you can still see all report table associations of a file when it is listed in its first report table in the report, if you output the field "Report table". If the checkbox is half-checked, that means that a file will still be referenced (listed) by multiple report tables in the report if it has multiple associations, but copied only once and linked only from the first report table.

Hash Values

  • Option to fill the block hash database with 1 hash set per file for multiple selected files, unlike previous versions, which created 1 hash set spanning all selected files.

  • Support for the Project VIC JSON file format 1.1.

  • Ability to maintain 2 hash values per evidence object. Ability to import 2 hash values from .e01 evidence files produced by X-Ways Forensics or X-Ways Imager.

  • Support for the hash types Tiger128, Tiger160, and Tiger192.

  • Support for Tiger Tree Hashes (TTH). Useful for investigations that involve Direct Connect P2P file sharing programs. Base32 notation for TTH can be enabled in the directory browser options.
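
To show what the "1 hash set per file" option changes in practice, here is an added example in Python (written for this page; it is not X-Ways code and does not reproduce its internal block hash database format). It assumes MD5 over 512-byte sector-sized blocks, drops blocks that consist of a single repeated byte value (such blocks occur in almost any file and in free space, so a match on them attributes nothing), skips a trailing partial block, and works on constructed sample files and a constructed "disk". The point of the comparison: with one set per file, a block found in free space names the file it came from; with one set spanning all selected files, it only tells you that the block belongs to some selected file.

```python
import hashlib
from collections import defaultdict

BLOCK_SIZE = 512  # sector-sized blocks (assumption; the block size is a tool setting)


def is_trivial_block(block: bytes) -> bool:
    """Blocks made of one repeated byte (zero fill, 0xFF wipe) occur in almost
    every file and in free space; matching them attributes nothing, so they are
    left out of every hash set (assumption about a sensible filter)."""
    return len(set(block)) == 1


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> set[str]:
    """MD5 of every full, non-trivial block of `data`. A trailing partial block
    is skipped (assumption): it cannot be matched sector-for-sector anyway."""
    hashes = set()
    for off in range(0, len(data) - block_size + 1, block_size):
        block = data[off:off + block_size]
        if not is_trivial_block(block):
            hashes.add(hashlib.md5(block).hexdigest())
    return hashes


def per_file_sets(files: dict[str, bytes]) -> dict[str, set[str]]:
    """One hash set per selected file: a match names the originating file."""
    return {name: block_hashes(data) for name, data in files.items()}


def single_set(files: dict[str, bytes]) -> dict[str, set[str]]:
    """One hash set spanning all selected files (the older behaviour): a match
    only says 'some selected file'."""
    merged = set().union(*(block_hashes(d) for d in files.values()))
    return {"selected files": merged}


def match_blocks(disk: bytes, sets: dict[str, set[str]],
                 block_size: int = BLOCK_SIZE) -> dict[str, list[int]]:
    """Scan `disk` sector-aligned and return, per hash set, the offsets whose
    block hash is contained in that set."""
    hits: dict[str, list[int]] = defaultdict(list)
    for off in range(0, len(disk) - block_size + 1, block_size):
        block = disk[off:off + block_size]
        if is_trivial_block(block):
            continue
        digest = hashlib.md5(block).hexdigest()
        for set_name, hashes in sets.items():
            if digest in hashes:
                hits[set_name].append(off)
    return dict(hits)


# --- constructed sample data, not taken from any real case -------------------

def _blocks(tag: bytes, n: int) -> bytes:
    # each 512-byte block is derived from tag+index, so blocks are unique and
    # the run is deterministic
    return b"".join(hashlib.sha256(tag + bytes([i])).digest() * 16 for i in range(n))


SAMPLE_FILES = {
    "invoice.pdf": _blocks(b"A", 4),
    "memo.docx": _blocks(b"B", 3),
    "sparse.bin": b"\x00" * BLOCK_SIZE + _blocks(b"C", 1),  # starts with a zero block
}


def sample_disk() -> bytes:
    a, b = SAMPLE_FILES["invoice.pdf"], SAMPLE_FILES["memo.docx"]
    blk = lambda d, i: d[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
    return (b"\x00" * 1024            # offsets 0, 512: never written
            + blk(a, 1) + blk(a, 2)   # 1024, 1536: two sectors of invoice.pdf
            + b"\xff" * BLOCK_SIZE    # 2048: wiped
            + b"junk" * 128           # 2560: unrelated data
            + blk(b, 0)               # 3072: one sector of memo.docx
            + b"\x00" * BLOCK_SIZE)   # 3584: never written


def demo_per_file() -> dict[str, list[int]]:
    return match_blocks(sample_disk(), per_file_sets(SAMPLE_FILES))


def demo_single_set() -> dict[str, list[int]]:
    return match_blocks(sample_disk(), single_set(SAMPLE_FILES))


if __name__ == "__main__":
    print("per file  :", demo_per_file())    # {'invoice.pdf': [1024, 1536], 'memo.docx': [3072]}
    print("single set:", demo_single_set())  # {'selected files': [1024, 1536, 3072]}
```

The zero block at the start of sparse.bin never enters its hash set, which is why the never-written sectors of the sample disk are not attributed to it; without such a filter, every zero sector would match every selected file that contains a zero block.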

Keyword Searches

  • The search term list now offers a "Max. 1" option when multiple search terms are selected that are not forced with a + or excluded with a -. "Max. 1" lists search hits only if they are contained in files that do not contain any of the other selected search terms. For example, with 3 search terms, to get the same results in previous versions you would have had to list the search hits for search term A while excluding B and C, then the search hits for B while excluding A and C, and then the search hits for C while excluding A and B, which is not as elegant and does not show you all such singular search hits at the same time.

  • The search term list now offers a "NOT NEAR" option (abbreviated NTNR) in addition to "NEAR". With 2 selected search terms, NTNR will ensure that only search hits are listed that are not located in vicinity of any search hits of the respective other search term. With more than 2 selected search terms, the result is currently undefined.

  • Minor fix in the HTML code of search hit exports.
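
The "Max. 1" and "NOT NEAR" semantics described above, as an added example in Python (written for this page, not X-Ways code; the internal search hit representation of X-Ways Forensics is not shown here). It works on a constructed list of search hits, each consisting of a file number, the search term and a byte offset. Two simplifications are assumptions: "vicinity" is measured between hit start offsets, ignoring hit length, and the NOT NEAR operation is implemented for exactly two terms, as the text says the result for more is undefined. The function listed_excluding() reproduces the pre-18.6 workaround (listing one term while excluding the others) so that the two approaches can be compared.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    file_id: int   # the file the hit lies in
    term: str      # the search term that produced the hit
    offset: int    # byte offset of the hit within the file


def max_one(hits: list[Hit], selected: set[str]) -> list[Hit]:
    """'Max. 1': keep hits of the selected terms only from files that contain
    exactly one of the selected terms (any number of hits of that one term)."""
    terms_per_file: dict[int, set[str]] = defaultdict(set)
    for h in hits:
        if h.term in selected:
            terms_per_file[h.file_id].add(h.term)
    return [h for h in hits
            if h.term in selected and len(terms_per_file[h.file_id]) == 1]


def listed_excluding(hits: list[Hit], term: str, excluded: set[str]) -> list[Hit]:
    """The older workaround: list hits of `term` while excluding every file
    that contains any of `excluded` (the search term list's '-' operator)."""
    tainted = {h.file_id for h in hits if h.term in excluded}
    return [h for h in hits if h.term == term and h.file_id not in tainted]


def _with_proximity(hits, term_a, term_b, distance):
    """Yield (hit, is_near) for hits of the two terms. 'near' means a hit of
    the other term starts within `distance` bytes in the same file (measuring
    between start offsets and ignoring hit length is an assumption here)."""
    offsets: dict[tuple[int, str], list[int]] = defaultdict(list)
    for h in hits:
        if h.term in (term_a, term_b):
            offsets[(h.file_id, h.term)].append(h.offset)
    other = {term_a: term_b, term_b: term_a}
    for h in hits:
        if h.term in other:
            nearby = offsets[(h.file_id, other[h.term])]
            yield h, any(abs(h.offset - o) <= distance for o in nearby)


def near(hits, term_a, term_b, distance=100):
    """'NEAR' for two terms: hits that have a hit of the other term in vicinity."""
    return [h for h, is_near in _with_proximity(hits, term_a, term_b, distance) if is_near]


def not_near(hits, term_a, term_b, distance=100):
    """'NOT NEAR' (NTNR) for two terms: the complement of near() over the same hits."""
    return [h for h, is_near in _with_proximity(hits, term_a, term_b, distance) if not is_near]


# constructed search hits, not from a real case
HITS = [
    Hit(1, "alpha", 10), Hit(1, "beta", 40),       # file 1 contains two terms
    Hit(2, "alpha", 100), Hit(2, "alpha", 300),    # file 2: only alpha, twice
    Hit(3, "gamma", 5),                            # file 3: only gamma
    Hit(4, "beta", 50), Hit(4, "gamma", 1000),     # file 4: beta and gamma far apart
    Hit(5, "beta", 200), Hit(5, "gamma", 250),     # file 5: beta and gamma 50 bytes apart
]

if __name__ == "__main__":
    print("Max. 1  :", max_one(HITS, {"alpha", "beta", "gamma"}))
    print("NTNR    :", not_near(HITS, "beta", "gamma", 100))
    print("NEAR    :", near(HITS, "beta", "gamma", 100))
```

With the sample hits, "Max. 1" over alpha, beta and gamma keeps both alpha hits of file 2 and the gamma hit of file 3, exactly the union of the three separate "A excluding B and C" listings the text describes; NOT NEAR over beta and gamma with a distance of 100 keeps the hits in files 1, 3 and 4 and drops both hits in file 5, which NEAR returns instead.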

File Type Support

  • File type verification revised.

  • Category order revised (based on typical frequency).

  • New file carving method for Quickbooks .qbw files.

  • .evtx event log processing slightly revised.

  • Support for the updated database format of the Chrome history. Support for Opera browsing history since version 15.0 (the switch to the Chromium engine).

  • Nicer names for files that are extracted from Google Chrome caches.

  • Special carving support for EDB (ESE) log files (.edblog). These log files are forensically relevant in that Microsoft stores more and more internal data about EDB databases in them. The log files record and retain the complete data that is added to a database at a certain point, until it is eventually discarded from the log file. Typically, multiple such log files can be recovered from Windows systems, and search hits in such a log file are more meaningful than search hits in ordinary free space. Metadata is also extracted from these log files.

  • Better support for the CAB file format family, which includes Windows Installer files (less interesting), Windows Cabinet (more interesting, may contain e-mails) and Microsoft OneNote packages (also more interesting).

X-Tensions API

  • Additional information provided to X-Tensions via the XT_Init call.

  • New X-Tension function XWF_GetEvent, which retrieves information about an event in the internal event list of an evidence object.

  • X-Tension functions XWF_GetReportTableInfo and XWF_GetVSProp revised.

Miscellaneous

  • When imaging media with active compression, X-Ways Forensics now provides immediate visual feedback about the actual amount of data found on the disk. That is possible because disk areas that were never written as well as disk areas that were wiped achieve extremely high compression ratios. The rolling compression ratio is represented during imaging by vertical bars in a separate window. The higher the bar, the lower the "data density" in that area. The compression statistics are also stored in the .e01 evidence file, so that the same chart is also available at any later time from the evidence object properties dialog when you click the "Compression" button.

  • The option "Name output files after unique ID" in Recover/Copy is now available also when recreating complete or partial original paths in the output directory. It is now a 3-state checkbox. If half checked, the files will not be named purely after the unique ID (+extension) any more. Instead, the unique ID will be inserted between base filename and filename extension.

  • Ability to "include" all items in all open evidence objects in the directory browser options dialog of a recursively explored case root window.

  • Specialist | Refine Volume Snapshot now shows the size of extracted metadata and comments in memory and allows you to discard extracted metadata if necessary, to reduce main memory requirements. Now supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB before).
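
The "data density" chart described under the imaging item above rests on one observation: areas that were never written or were wiped compress to almost nothing, while dense data barely compresses at all. Here is an added Python example (written for this page, not X-Ways code; it does not reproduce the .e01 compression statistics or the chart window) that computes a per-chunk compression ratio with zlib as a stand-in compressor, labels chunks as empty or data, and renders the vertical bars as text. Chunk size, the ratio threshold and the sample "image" (zero fill, pseudo-random data, a half-used chunk, a 0xFF wipe) are all assumptions or constructed for the example.

```python
import hashlib
import math
import zlib

CHUNK = 64 * 1024   # chart granularity (assumption; the page does not state X-Ways' granularity)
EMPTY_RATIO = 50.0  # at or above this ratio a chunk is treated as never written or wiped (assumption)


def compression_ratios(image: bytes, chunk: int = CHUNK, level: int = 6) -> list[tuple[int, float]]:
    """(offset, raw_size / compressed_size) for every chunk of `image`, using
    zlib in place of the evidence file's compressor. Zero-filled and constant
    byte areas shrink to a few dozen bytes; random or encrypted data does not
    compress at all (ratio just under 1.0)."""
    result = []
    for off in range(0, len(image), chunk):
        raw = image[off:off + chunk]
        result.append((off, len(raw) / len(zlib.compress(raw, level))))
    return result


def classify(ratios, threshold: float = EMPTY_RATIO) -> list[str]:
    """'empty' for chunks at or above the threshold, otherwise 'data'."""
    return ["empty" if r >= threshold else "data" for _, r in ratios]


def bar_heights(ratios, levels: int = 8) -> list[int]:
    """Bar height per chunk: the higher the bar, the lower the data density.
    Logarithmic scale, capped at `levels`."""
    return [min(levels, int(math.log2(max(r, 1.0)))) for _, r in ratios]


def ascii_chart(ratios, levels: int = 8) -> str:
    """Render the bars as columns, one per chunk, top row = highest level."""
    heights = bar_heights(ratios, levels)
    rows = []
    for level in range(levels, 0, -1):
        rows.append("".join("#" if h >= level else " " for h in heights))
    return "\n".join(rows)


# --- constructed sample image, not a real disk -------------------------------

def _pseudo_random(n: int, seed: bytes = b"seed") -> bytes:
    # deterministic incompressible filler (SHA-256 in counter mode)
    out = bytearray()
    for i in range(0, n, 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def sample_image() -> bytes:
    rnd = _pseudo_random(CHUNK)
    return (b"\x00" * CHUNK                               # chunk 0: never written
            + rnd                                         # chunk 1: e.g. encrypted container
            + b"\x00" * (CHUNK // 2) + rnd[:CHUNK // 2]   # chunk 2: half used, half never written
            + b"\xff" * CHUNK                             # chunk 3: wiped with 0xFF
            + _pseudo_random(CHUNK, b"other"))            # chunk 4: more dense data


def analyze(image: bytes):
    ratios = compression_ratios(image)
    return ratios, classify(ratios), bar_heights(ratios)


if __name__ == "__main__":
    ratios, labels, _ = analyze(sample_image())
    for (off, r), label in zip(ratios, labels):
        print(f"{off:>8}: ratio {r:8.1f}  {label}")
    print(ascii_chart(ratios))
```

Note the half-used chunk: its ratio lands near 2, far below the threshold, so a single coarse chunk that mixes data with free space is still reported as data. A finer chunk size separates the two halves at the cost of more compressor calls, which is the same trade-off any such chart makes.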


Changes of service releases of v18.0:

  • SR-1: An exception error was fixed that could occur when using X-Ways Forensics without a second file hash database.

  • SR-2: Support for some additional TIFF subtypes for PhotoDNA matching.

  • SR-2: Certain unsupported TIFF subtypes are now dealt with more properly in that PhotoDNA matching and potentially also skin color detection are not attempted any more if futile, and a question mark is output instead.

  • SR-2: Fix for certain variants of FAT12.

  • SR-3: Support for relative paths when using the PhotoDNA hash database.

  • SR-3: Extraction of EXIF metadata from .wav files.

  • SR-3: Internal timestamps from JPEG files written by recent Canon camera models are now retrieved with original timezone information and thus can be converted to the display time zone.

  • SR-3: Fixed a possible error that could occur when sorting by the SC%/PhotoDNA column.

  • SR-3: Fixed an instability issue that could occur with corrupt Google Chrome caches.

  • SR-3: Fixed an error that could occur when processing .ieurl files extracted from Google Chrome caches.

  • SR-3: Fixed a crash that could occur with Windows Vista thumbcaches.

  • SR-4: Mass metadata extraction no longer slowed down by the option "Coordinate processing by simultaneous users more carefully".

  • SR-4: Fixed an exception error that could occur when using the registry viewer.

  • SR-4: Automatic report table associations with duplicates did not work any more. That was fixed.

  • SR-5: Fixed an error that could cause crashes with OLE2 files in v18.0 SR-4.

  • SR-5: v18.0 did not always match hash values against the hash database in additional volume snapshot refinement runs. That was fixed.

  • SR-5: Fixed an error in the X-Tension API function XWF_GetRasterImage.

  • SR-6: Prevents certain erroneous events with timestamps in the year 1829.

  • SR-6: Fixed inability of v18.0 to extract senders and recipients from all e-mail headers.

  • SR-6: Fixed inadequate handling of bad sectors in recent versions.

  • SR-6: Fixed an exception error that could occur in the 64-bit edition when processing Google Chrome cache files.

  • SR-7: Fixed an unjustified partial read error in v18.0.

  • SR-7: Fixed potential error about lost comments imported from evidence file containers.

  • SR-7: Fixed a crash that could occur when trying to display very long search hits (e.g. produced with a GREP expression like .*).

  • SR-8: Fixed an exception error that could occur when switching to the search hit list in the Case Root window while sorting in the directory browser was still ongoing.

  • SR-8: Fixed a potential crash with corrupt OLE2 files.

  • SR-8: Fixed dongle errors that a few users experienced when running multiple instances simultaneously.

  • SR-8: Some minor improvements and fixes.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany
