X-Ways
WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#130: WinHex, X-Ways Forensics, X-Ways Investigator 16.8 released

Nov 29, 2012

This mailing is to announce the release of another notable update, v16.8.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator/X-Ways Imager and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download if needed.

Please be reminded that if you are interested in receiving information about service releases of v16.8 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Like us on Facebook, and you may see some promotional pre-Christmas limited special offers for software and training during the month of December.


Upcoming X-Ways Forensics & File Systems Training

Washington DC area, USA, Mar 11-20, 2013
London, England, Apr 15-24, 2013
Kingston, ON, Canada, May 13-17, 2013
Chicago area, USA, May 20-24, 2013
More information


What's new in v16.8?

Disk Imaging

  • Accelerated .e01 evidence file creation.

  • Ability to compute two hash values simultaneously. If you make use of this option, then both hash values will be stored in the descriptive text file. The first hash value is the one that can be automatically verified when imaging completes. You could intentionally choose the faster algorithm for that, as the main purpose at that point is to detect I/O errors and file errors. The second hash value is imported into the evidence object properties when adding the image to a case.

  • If you cancel disk imaging in the middle of the process, X-Ways Forensics now quickly finalizes the .e01 evidence file format (more precisely, the current segment) to guarantee a consistent image even though it is not a complete image. Useful for example in an emergency situation when imaging media on site, because an incomplete image that can be used without errors is better than an unusable corrupt image. If hashing was enabled, incomplete .e01 images produced with v16.8 even have a hash value that can be verified later.

  • Ability to adjust the compression option while .e01 evidence files are being created. Useful if your priorities (higher compression rate or higher speed) change, for example when you see that drive space suddenly seems scarce or you have to finish the process quicker than previously thought. Also useful to experiment, when not sure which compression option might be best for a particular system configuration (e.g. when imaging a live system on site and having to write the image to an external hard disk via USB, where I/O is slow and the overall process may be faster with compression than without).

  • Slightly improved compression ratio for the slow strong compression option if selected when disk imaging starts (but still does not usually justify the additional time needed).

  • Revised chunk CRC definition in encrypted .e01 evidence files.

  • Evidence file containers of the new format no longer need to be optimized for a certain number of files and now have a fixed limit of around 1 billion objects that they can hold.

  • Support for Virtual PC snapshots/differencing VHD image files.
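The two imaging items above (two hash values computed in one pass, and a cancelled run that still yields a verifiable partial image) can be illustrated with a small single-pass copier. This is an added example, not X-Ways code and not the .e01 format: it writes a raw copy to a stream, feeds every chunk to both hash objects while it is read, and optionally stops after a given number of bytes to stand in for a cancelled imaging run. The choice of MD5 as the fast hash and SHA-256 as the second hash, the sample device contents and all function names are assumptions of this example.

```python
import hashlib
import io
from typing import BinaryIO, Optional, Tuple


# Constructed stand-in for a source device: 1 MiB of deterministic bytes
# derived from SHA-256 of a counter. Not a real disk image.
def make_sample_device(size: int = 1024 * 1024) -> bytes:
    blocks = size // 32 + 1
    data = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(blocks))
    return data[:size]


def image_with_two_hashes(
    src: BinaryIO,
    dst: BinaryIO,
    fast_algo: str = "md5",           # assumed choice for the hash verified right after imaging
    second_algo: str = "sha256",      # assumed choice for the hash kept with the evidence object
    chunk_size: int = 64 * 1024,
    max_bytes: Optional[int] = None,  # simulates cancelling the imaging run part-way
) -> Tuple[str, str, int]:
    """Copy src to dst chunk by chunk, feeding every chunk to both hash
    objects in the same pass so the source is read only once.
    Returns (fast_hex, second_hex, bytes_copied). If max_bytes is given the
    copy stops there; both digests then cover exactly the bytes written, so
    the partial image remains verifiable."""
    h_fast = hashlib.new(fast_algo)
    h_second = hashlib.new(second_algo)
    copied = 0
    while max_bytes is None or copied < max_bytes:
        want = chunk_size if max_bytes is None else min(chunk_size, max_bytes - copied)
        chunk = src.read(want)
        if not chunk:
            break
        dst.write(chunk)
        h_fast.update(chunk)
        h_second.update(chunk)
        copied += len(chunk)
    return h_fast.hexdigest(), h_second.hexdigest(), copied


def verify_image(image: BinaryIO, expected_hex: str, algo: str = "md5",
                 chunk_size: int = 64 * 1024) -> bool:
    """Post-imaging verification: re-read the written image and compare the
    digest with the value recorded during imaging. A mismatch points at an
    I/O or file error, which is what the fast hash is meant to catch."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: image.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest() == expected_hex


def run_demo() -> dict:
    """One complete run and one cancelled run; returns what each produced."""
    sample = make_sample_device()
    dst = io.BytesIO()
    fast, second, n = image_with_two_hashes(io.BytesIO(sample), dst)
    dst.seek(0)
    limit = 256 * 1024
    dst_partial = io.BytesIO()
    fast_p, second_p, n_p = image_with_two_hashes(io.BytesIO(sample), dst_partial, max_bytes=limit)
    dst_partial.seek(0)
    return {
        "full_bytes": n,
        "full_verified": verify_image(dst, fast),
        "full_fast_ok": fast == hashlib.md5(sample).hexdigest(),
        "full_second_ok": second == hashlib.sha256(sample).hexdigest(),
        "partial_bytes": n_p,
        "partial_verified": verify_image(dst_partial, fast_p),
        "partial_fast_ok": fast_p == hashlib.md5(sample[:limit]).hexdigest(),
        "partial_second_ok": second_p == hashlib.sha256(sample[:limit]).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of feeding both hash objects from the same read loop is that the slow part of imaging is the source I/O, not the hashing; a second algorithm costs CPU time but no second pass over the device. The cancelled run shows why a partial image is still useful: the digest recorded at the moment of cancellation describes exactly the bytes that were written, so the partial image can be verified later just like a complete one.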

Multi-Examiner Support

  • Improved support for shared analysis work and distributed volume snapshot refinement in the same case. Use this feature
    1) when several examiners are available to deal with a single large case, to review different evidence objects using multiple machines on the same network or with separate accounts on a terminal server, simultaneously
    or
    2) to refine the volume snapshots of different evidence objects using multiple machines on the same network, simultaneously.

    Each user/computer opens the same .xfc case file (the same copy on the same computer). All participating users/computers or all except for one (the master session) have to open the case as partially read-only, i.e. only allowing for distributed analysis work/volume snapshot refinement. This can be done by selecting View mode in the Open Case dialog window, or you will be prompted automatically when opening the case if the case is already open in another session as not read-only (i.e. in the master session).

    When completed, the results (the refined volume snapshot, comments, report table associations, search hits, tag marks, etc.) will be imported and become visible when opening the evidence object in the master session next time (the next session where the case file is not opened read-only), and a notice about successful synchronization appears in the Messages window.

  • If two users try to open the same evidence object as not read-only at the same time, the second one will be warned and advised to open it as read-only to avoid conflicts. Only one user may change the volume snapshot of an evidence object at a time.

  • Ability to specifically open individual evidence objects (not the entire case) with the volume snapshot treated as read-only, using a dedicated command in the evidence object context menu in the Case Data window. Just as with the option to open a case as read-only, this is useful for cooperative work, if you know your colleagues may want to open the same case (the same copy of the .xfc file) and the same evidence object and if you wish to let them make changes in that evidence object's volume snapshot, but keep control of the case as such (i.e. run the master session).

    Please note that this has nothing to do with how the evidence object itself (the disk or the image) is treated. X-Ways Forensics never alters data in sectors of disks or interpreted image files when opening them as evidence objects. Only the volume snapshot, i.e. the database with information about all the files and directories found, is either read-only or, and that is the normal state, changeable.

Usability

  • Ability to open files in an external program that you select ad hoc, via the directory browser context menu, Viewer Programs submenu. The program that you select will be saved as a standard custom viewer program if you have not used all slots for external viewer programs yet, and then also remembered for next time when you invoke the same menu command.

  • In the Report table column, if a file is associated with multiple report tables, their names are now listed exactly in the order as the report tables are defined. (In earlier versions the order was not deterministic.) You can change that order in any dialog window that deals with report tables, and for example sort report tables alphabetically or by importance or topic.

  • When changing the order of report tables, an entire selected group of report tables can now be moved up or down at the same time, which for example makes it easy to move all internally created report tables to the bottom of the list below your own report tables in a single step.

  • Ability to enter timestamps in the timestamp column filter dialog based on an arbitrary time zone. In previous versions the timestamps had to be specified in UTC.

  • Blank lines entered as simultaneous search keywords or substrings for the filters Name, Path, Parent name or Child objects are now silently ignored and filtered out for the next use of the same function.

  • Ability to unselect all file types in the Type filter with a single mouse click.

File Format Support

  • Revised internal algorithm and automatic length detection for carving JPEG files. This new algorithm also improves intelligent naming of carved JPEG files in that certain JPEG files can be given an original name as found in Photoshop metadata. Also the quality of uncovering JPEG pictures that are embedded in other files is greatly improved.

  • The generator signatures of JPEG files are now output in Details mode. These signatures reveal the creating software and are available even if other metadata is removed. For JPEG files with ordinary metadata they can be used for corroboration.

  • Ability to view certain malformed JPEG pictures with a lagging header signature in Gallery and Preview mode.

  • Ability to extract e-mails and indexed files from Windows Vista and Windows 7 Windows.edb files. Requires Windows Vista or 7.

  • HTML previews and views of index.dat Internet Explorer browser cache/history files now contain an extra column with the offset of the record where the data of each row has been found. This offset is presented as a link. If you click it, you will automatically navigate to that offset in the corresponding index.dat file in File mode so that it is convenient to verify the information that X-Ways Forensics has extracted from the record at that location. (Note that this works correctly only if the link is not broken into 2 lines, which may happen in v8.4 of the viewer component, but not in v8.3.7. Anyway you can still navigate to that offset manually.)

  • Ability to collect Internet Explorer history and browser cache records that are floating around in free drive space or file slack in a virtual single file named "index.dat" as part of the file header signature search. The URL records are collected cluster-wise. An HTML preview of the resulting "artificial" raw index.dat file can be created automatically as part of metadata extraction just as for natural index.dat files. The offsets in that preview refer to the index.dat file. To locate the corresponding offset in the volume and see the actual basis for the interpretation in the HTML file, simply switch from the index.dat in File mode to Partition/Volume mode.

  • Ability to automatically decompress hiberfil.sys files as part of volume snapshot refinements and add them to the case as evidence objects because they can be treated like memory dumps. You can find this new feature in the newly named multi-purpose Swiss army knife refinement option "Uncover embedded data in miscellaneous file types".

  • File type identification and file size detection supported for Chrome session files, which are identified in the Type column as "snss". These files store information about opened tabs, their histories and visited web sites.

  • File header signature search: Rough file size detection for .olk14MsgSource e-mail message files.

  • Ability to populate the columns Sender, Recipient and Int. Creation for .olk14MsgSource e-mail messages when extracting metadata just as for original .eml files. (Attachments are extracted from .olk14MsgSource already since v16.3.)

  • Ability to view and preview MacOS X finder bookmarks (flnk).

  • New file header signature definitions added.

  • Internal type detection of Apple iWork Pages and Numbers files, and special treatment of iWork documents during volume snapshot refinements.

  • Ability to detect file format specific encryption of various MS Office 2007 and 2010 file types as part of volume snapshot refinement.

  • Ability to view carved TCP and UDP packets in Preview mode instead of Details mode.

  • Improved support for Windows Task Scheduler (file header signature database and registry report).

  • By default now uses the viewer component to view and preview .mdb MS Access database files.

File System Support

  • Interpretation of file allocation table entries in exFAT file systems in the Info Pane. Brackets indicate that the displayed information is not actually retrieved from the file allocation table and that the entry where the cursor is located is actually unused.

Search Functionality

  • When 2 search terms are selected in the search term list and combined with a logical AND (using either of the two available methods), additionally you can now require that search hits must be "near" to each other to be listed, to find more likely relevant combinations of both search terms in the same file, exactly like with a proximity search. The maximum distance between the search hits that constitutes "near" can be defined by the user in bytes.

  • The number of notable search hits is now displayed in parentheses in the search term window.

  • Ability to view search hits in UTF-16 Big Endian. UTF-16 Big Endian is common for example in the Apple Mac world, for filenames in the file systems Joliet and UDF, and in Java.
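The proximity requirement for two AND-combined search terms, and the UTF-16 Big Endian hits mentioned in the last item, can be shown together with a small search routine. This is an added example, not X-Ways code: it locates every occurrence of two terms in a constructed buffer, once as ASCII and once as UTF-16 Big Endian, and keeps only the pairs whose start offsets lie within a user-defined number of bytes of each other. Measuring "near" as the distance between the start offsets of the two hits, the sample buffer and the function names are assumptions of this example.

```python
from typing import List, Tuple


def build_sample() -> bytes:
    """Constructed test buffer (not real evidence): an ASCII record in which
    both terms sit close together, a second 'invoice' far away, and a record
    stored as UTF-16 Big Endian after a run of zero bytes."""
    ascii_part = b"memo: wire transfer approved, see invoice 4471 attached."
    far_part = b"unrelated invoice mention in another record"
    utf16_part = "transfer of funds; invoice #9".encode("utf-16-be")
    return ascii_part + b"\x00" * 64 + far_part + b"\x00" * 2048 + utf16_part


def find_hits(data: bytes, needle: bytes) -> List[int]:
    """All start offsets of needle in data (overlapping matches included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def proximity_and(data: bytes, term_a: str, term_b: str, max_distance: int,
                  encodings: Tuple[str, ...] = ("ascii", "utf-16-be")) -> List[Tuple[str, int, int]]:
    """Logical AND of two search terms with a proximity requirement: returns
    (encoding, offset_a, offset_b) for every pair of hits whose start offsets
    are at most max_distance bytes apart. Each encoding is searched with the
    term encoded in that encoding, so a UTF-16 BE record is found without
    ever decoding the buffer."""
    results = []
    for enc in encodings:
        hits_a = find_hits(data, term_a.encode(enc))
        hits_b = find_hits(data, term_b.encode(enc))
        for a in hits_a:
            for b in hits_b:
                if abs(a - b) <= max_distance:
                    results.append((enc, a, b))
    return results


if __name__ == "__main__":
    data = build_sample()
    print("plain AND:", proximity_and(data, "transfer", "invoice", len(data)))
    print("near (64 bytes):", proximity_and(data, "transfer", "invoice", 64))
```

With the distance set to the buffer length the function degrades to an ordinary AND, which also reports the far-away "invoice" paired with the one "transfer"; with 64 bytes only the two pairs that belong to the same record survive, one in ASCII and one in UTF-16 Big Endian.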

X-Tensions API (details)

  • X-Tension API function XWF_GetHashValue implemented.

  • XWF_GetSize officially available now.

Miscellaneous

  • XML is now supported as a new output format for the Export List command. The Metadata column, which may contain many more separate fields, gets a special treatment. Many of these separate fields are output separately.

  • New clipboard output option of the Export List command.

  • Optional alternative e-mail representation in Preview mode (see directory browser options) and in the case report. The latter allows you to nicely view e-mails in the report, without invoking external programs. Attachments are not linked directly from those kinds of e-mail representations (yet).

  • To see the decoded text that the viewer component can extract from a document for the logical search/indexing or that it has extracted already, you may hold the Shift key while clicking the Raw button in Preview mode.

  • Fixed two rare exception errors in Registry Viewer.

  • Many minor improvements.

  • Some minor fixes.


Viewer Component

A new version of the viewer component (v8.4) is now available for download to licensed owners of X-Ways Forensics and X-Ways Investigator with update maintenance. The relevant changes are:

  • Improved support for PDF documents, in particular those created by Acrobat 10, compressed PDF files, and PDF files using 256-bit AES encryption.

  • Support has been enhanced for processing hyperlinks in PDF files.

  • Support has been added for AutoCAD 2011 and 2012 files.

  • Support has been added for Hangul 2010 documents.

  • Scalable Vector Graphics (SVG) files are now identified as and processed like XML.

  • Support for digitally signed MSG and EML files.

  • Support has been added for Access 95, 97, 2000, 2002, 2003, 2007, and 2010 database files. You may want to remove *.mdb from the list of files types to view with the associated program.

  • Support has been added for text extraction from Microsoft OneNote 2007 and 2010 files.

  • Support has been added for Outlook 2010 PST and OST files, including support for High Encryption in all versions of Outlook PST and OST files.

  • Support has been added for rendering Outlook MSG files: Note, Task, Appointment, Contact, and Journal.

  • Support has been added for two types of Office 2003 files: WordProcessingML (Word 2003), text only; and SpreadSheetML (Excel 2003), text only. The XML version of the binary format will be processed, skipping embedded objects and tagging properties.

  • Support has been added for IBM SmartSuite 9.8 files: Lotus WordPro, Lotus 1-2-3, and Lotus Freelance.

  • Support has been added for Apple iWork 09 files for Mac OSX: Pages 09 PDF Preview & Text, Numbers 09 PDF Preview & Text, and Keynote 09 PDF Preview & Text.

  • Support has been added for WordPerfect X5 files: Word Processor, Quattro Pro, and Presentations.

  • Support has been added for Adobe Creative Suite 5 files: Photoshop CS5, Illustrator CS5, and InDesign CS5.

  • When automatic font color is selected in Microsoft Office (the default setting), the application renders the text as white if the text is on a dark background. The viewer component now assumes the same behavior.

  • Support has been added for Microsoft Project Note field rich text.

Installing this update would be highly recommended; however, it turns out that v8.3.7 was better at viewing HTML files, in particular internal HTML representations of index.dat and .evtx files etc. v8.4 has 2 problems with HTML files: Text in table cells can exceed cell boundaries, and the full window width is not utilized for full table width. Also, users have reported that certain PDF documents cannot be viewed in v8.4 that could be viewed in v8.3.7. Please remember that you must not mix files from different versions of the viewer component in the same directory.


Changes of service releases of v16.7:

  • SR-1: Fixed inability to recognize the partitioning style on partitioned media in some random situations, which caused errors when opening partitions that were detected before.

  • SR-1: Fixed a problem which could lead to duplicate listings of logon/logoff activity in extracted security eventlog files.

  • SR-1: Avoided false hits when searching for lost Ext partitions.

  • SR-1: Minor fixes for Exchange EDB and SQLite database processing.

  • SR-1: Ability to extract browser history and browser cache management information from Internet Explorer 10 databases in Windows 2012 Server as part of metadata extraction. Requires Windows Vista or 7.

  • SR-2: Fixed exception error in v16.7 that occurred when opening excerpts carved from the slack area of other files.

  • SR-2: Automatic removal of alternate data streams from .chm files when invoking the program help from within the application.

  • SR-3: Fixed an erroneous item in index search hit lists in v16.7.

  • SR-3: Fixed a memory leak that occurred when carving binary PList files.

  • SR-3: Fixed inability to write sectors in some situations under Windows Vista/7.

  • SR-3: Fixed an error that could prevent opening files on remote network drives.

  • SR-3: Fixed an error that could prevent the output of devices as part of the registry report.

  • SR-3: Fixed an error that under certain circumstances could lead to a random hash value when creating encrypted .e01 evidence files.

  • SR-3: Fixed an error that could cause different versions and editions of X-Ways Forensics not to understand each other's partitioning information for evidence objects once a search for lost partitions has been run.

  • SR-4: The search hit description filter did not work when used together with other filters. That was fixed.

  • SR-4: Ability to use system and user environment variables in standard paths (for cases, images etc.), where the variable name has to be enclosed in percentage signs, e.g. %TEMP%.

  • SR-4: Memory leak in processing of corrupt PList files fixed.

  • SR-5: Fixed an error that could occur when interpreting VHD Virtual PC images.

  • SR-5: Rare "The virtual System Area file will be incomplete" error fixed for Ext4 volumes.

  • SR-5: Misidentification of free space as idle space fixed on certain versions of Ext4.

  • SR-5: Fixed an exception error that could occur when clicking physical search hits.

  • SR-5: Fixed a memory leak that could occur during skin tone detection.

  • SR-5: Some minor fixes for Exchange EDB processing and other functions.

  • SR-6: Fixed an error that occurred in the 64-bit edition when saving volume snapshots with more than 77 million objects.

  • SR-6: Prevented a rare exception error that could occur in Details mode for files extracted from other files in NTFS volumes under certain circumstances.

  • SR-7: Prevented errors during EDB database processing from potentially crashing X-Ways Forensics.

  • SR-7: Fixed a memory leak that could occur when reading fragmented files in HFS+ volumes.

  • SR-7: Avoided an endless recursion that could occur when trying to parse XML-formatted PLists whose capitalization does not follow the established norms.

  • SR-7: Fixed an exception error that could occur in the 64-bit edition when extracting metadata from e-mail messages.

  • SR-8: Fixed an exception error that could occur when extracting e-mails from Outlook Express DBX e-mail archives with the new extraction method.

  • SR-8: In previous versions, a new snapshot was taken of the physical disk when lost partitions were found at any later point in time, unfortunately without warning, causing a loss of search hits found on the physical disk (not search hits in the partitions) and anything else that was newly defined in the volume snapshot (e.g. files carved in unpartitioned space). That no longer happens.

  • SR-8: Files that are excerpts of other files in the volume snapshot were opened incorrectly in v16.7, with a wrong logical file size. This could prevent hashing such artificially defined files and may have caused repeated recursive detection of embedded JPEG files. Fixed now.

  • SR-8: Fixed an exception error that could occur under certain circumstances when running a byte level file header signature search.

  • SR-9: PDF file carving results had deteriorated with v16.4. That was fixed.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)

Competition is normal and healthy. Patents and court battles about rectangles and finger movements are not. Please reconsider before buying Apple products. Thank you.  

 

#129: WinHex, X-Ways Forensics, X-Ways Investigator 16.7 released

Sep 30, 2012

This mailing is to announce the release of another notable update, v16.7.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator/X-Ways Imager and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download if needed.

Please be reminded that if you are interested in receiving information about service releases of v16.7 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.


Upcoming X-Ways Forensics & File Systems Training

London, UK: Oct 8-12, 2012     seats still available!
Washington, DC: Nov 26-30, 2012
More information


What's new in v16.7?

Platform Support

  • Ability to execute dongle-based product variants (X-Ways Forensics, X-Ways Imager and the special version of WinHex that users of X-Ways Forensics get) under Windows 8 and Windows 2012 Server. Dongle-free product variants were executable under these Windows versions already before. Testing will continue.

  • Program help now in .chm HTML help format.

Search Functionality

  • Ability to run a new simultaneous search while reviewing existing search hits. Additional search hits will be listed when you refresh the search hit list, by clicking the Enter button in the search term list as usual.

  • When clicking the search hit list button to review preliminary search hits during an ongoing search, that search will not be paused, but continue.

  • Ability to create user search hits when in search hit list mode.

  • New filter in the search hit description column that allows you to focus on notable hits, user search hits, hits in a certain code page, hits in the text extraction of documents, and hits in slack space or uninitialized tail areas of files. This is a very powerful filter and the first search hit specific filter in the search hit list!

  • User search hits are now marked with an asterisk (*) in the search hit description column.

  • Option to get all search hits in a file highlighted in File mode at the same time, either only when a search hit list is displayed (if half checked) or permanently once search hits have been loaded for an evidence object (if fully checked), i.e. even when working with the normal directory browser. Search hits are loaded after an evidence object has been opened as soon as search hits are listed. This new feature also applies to user search hits.

  • Ability to delete highlighted search hits when right-clicking them in File mode.

  • Fixed inability of v16.6 to display search hits in the Outlook code page correctly.

File System Support

  • Faster and more diligent reconstruction of files in volume shadow copies (up to 1 GB).

  • Support for Ext2, Ext3, Ext4, ReiserFS and Reiser4 volumes larger than 2 TB.

  • When switching from Volume/Partition to File mode and File mode represents the file that is known to occupy the cluster last seen in Volume/Partition mode, the relative offset in the file that corresponds to the last cursor position in Volume/Partition mode is calculated, and the cursor is automatically moved there. Useful, for example, if you wish to see how the data continues in the file if the file is fragmented, or (in WinHex) to edit the data in the next fragment. Does not work if the file is compressed.
    Remember you can press the Sync button to automatically highlight the file that is known to occupy the cluster on the screen in Volume/Partition mode. Which file is known to occupy the currently displayed cluster can be seen in the Info Pane.

  • WinHex only: Ability to securely wipe files in NTFS file systems that are compressed or use sparse storage, using the directory browser context menu command.

  • Support for Mode 2 Form 1 ISO images with 2,352 bytes per sector. Previously only Mode 1 was supported.

  • More reliable detection of lost Ext* partitions and more reliable identification of Ext* file systems, in cases where an Ext* partition was previously formatted with a Microsoft file system.

File Format Support

  • Data blocks embedded as Base64 in XML-formatted PLists (.plist) and raw data blocks embedded in binary PLists (.bplist) are extracted as separate child objects when refining volume snapshots. It is recommended to verify file types at the same time so X-Ways Forensics can distinguish between traditional (XML-formatted) PLists and binary PLists (BPLists). Many PLists do not have a .plist extension and need to be identified as PLists first. Since the type of the embedded data is not identified by the PList as such, the output also benefits from a simultaneous file type verification. Nested PLists (PLists embedded in PLists) will also be identified and processed recursively. Another child object created for PLists represents parsed text in a human-readable way and serves as a preview of the PList itself.

  • Ability to extract browser history and browser cache management information from Internet Explorer 10 databases (from Windows 8) as part of metadata extraction in conjunction with file type verification. Requires Windows Vista or 7.

  • File size detection for ELF executable and shared object files as part of file header signature search.

  • Gigatribe (P2P) signature definitions added.

  • Improved representation of extensible metadata (Adobe-XMP) in JPEG and PDF files.

Volume Snapshot Refinement

  • The refine volume snapshot operations last applied by the user to a fresh volume snapshot are now preselected when refining another fresh (i.e. totally unrefined) volume snapshot next time, for reasons of convenience.

  • File header signature search: The flag for greedy sector allocation is now "G" instead of "g". "g" (lower case) is now a weaker version of the same flag. Only if an internal file size detection algorithm exists for a file type and if a file with the same start sector number exists already with the same file size as detected, the "g" flag will cause X-Ways Forensics to skip the affected sectors. This can help to prevent overlapping zip files and thereby avoid potentially many contained duplicate files.

  • More efficient internal storage of some identified embedded pictures.

  • Much more efficient storage of files that are manually carved within other files (i.e. in File mode, using the Add Block as Virtual File command). Older versions of X-Ways Forensics see these excerpt files as complete copies of the original host files.

  • Already carved areas in host files are now highlighted in File mode. Useful to remind the user whether he or she already has created excerpts from a file and where (e.g. from a large free space virtual file) when continuing to look at that host file.

  • Extraction of metadata from original .eml files is now a separate option of the metadata extraction operation.

  • Ability to omit files from volume snapshot refinement operations that are filtered out. That is a powerful new scope-defining option that can target files in advance that are not yet part of the volume snapshot when the refinement starts. For example, when additional files are added to the snapshot by the file header signature search, depending on the file type these files can be further processed (e.g. hashed) or not, if the Type filter is active during the later stages of the volume snapshot refinement.

Hash Values

  • Filter for the Hash column. Allows you to filter for files that have a hash value, do not have a hash value, whose hash values start with certain hex values (if you specify only the beginning of a hash value) or have a certain value (if you specify a complete hash value). This filter can compare the hash values of files to up to 4 hash values that the user supplies as hex ASCII. Quicker alternative to creating a small hash set in the hash database if you just wish to quickly find a few files, e.g. duplicates of files with a known hash value that you can just copy from the hash column in the directory browser. Available with a specialist and forensic license.

  • The easiest way to use this filter when looking for duplicates, which does not require copy & paste of hash values, is to right-click a hash value of a given file in the directory browser in hex ASCII notation and invoke the new "Filter by" command in the context menu.

  • Ability to import SHA-1 hash sets in Base32 notation for hash set matching in P2P investigations. Such a hash set text file must have "SHA-1" in the first line, followed by the hash values in Base32 notation, one per line.

  • Option to display SHA-1 hash values in Base32 notation in the directory browser.

  • The hash filter dialog and the "Filter by..." context menu command both understand Base32 SHA-1 hash values, too.

  • Ability to quickly merge hash sets in the internal hash database. Note that duplicate hash values in the resulting hash set are not removed immediately, but next time when you import a hash set, and that you are not warned if you are merging hash sets of different categories.
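The Hash column filter described at the top of this section (full value or hex prefix, up to 4 values, with or without a hash) and the Base32 SHA-1 hash set layout ("SHA-1" on the first line, one Base32 value per line) can be exercised with the following added example. It is not X-Ways code and does not read the internal hash database; it parses a hash set in that layout, converts between hex and Base32 notation, and applies a filter to a constructed directory listing. The listing contents, the rule that a value made only of hex characters is treated as hex before Base32 is tried, and all function names are assumptions of this example.

```python
import base64
import hashlib
from typing import List, Optional, Sequence, Tuple

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
HEX_ALPHABET = set("0123456789abcdefABCDEF")


def parse_base32_sha1_hash_set(text: str) -> List[str]:
    """Read a hash set in the layout the newsletter describes: "SHA-1" on the
    first line, then one Base32-encoded SHA-1 value per line. Returns the
    values as lowercase hex. A 20-byte SHA-1 is exactly 32 Base32 characters,
    so no '=' padding is involved."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "SHA-1":
        raise ValueError("first line must be 'SHA-1'")
    out = []
    for ln in lines[1:]:
        raw = base64.b32decode(ln.upper())
        if len(raw) != 20:
            raise ValueError(f"not a SHA-1 value: {ln}")
        out.append(raw.hex())
    return out


def sha1_hex_to_base32(hex_digest: str) -> str:
    """The reverse direction, e.g. for displaying a SHA-1 in Base32 notation."""
    return base64.b32encode(bytes.fromhex(hex_digest)).decode("ascii")


def normalize_hash_value(value: str) -> str:
    """Accept a hex value or hex prefix, or a 32-character Base32 SHA-1, and
    return lowercase hex. Hex is tried first (assumption of this example)."""
    v = value.strip()
    if v and set(v) <= HEX_ALPHABET:
        return v.lower()
    if len(v) == 32 and set(v.upper()) <= B32_ALPHABET:
        return base64.b32decode(v.upper()).hex()
    raise ValueError(f"unrecognised hash notation: {value!r}")


def hash_filter(files: Sequence[Tuple[str, Optional[str]]], mode: str = "match",
                criteria: Sequence[str] = ()) -> List[str]:
    """files: (name, hex_hash_or_None) pairs. mode 'has_hash' / 'no_hash'
    select on the presence of a hash; 'match' keeps files whose hash starts
    with (or equals) any of up to four user-supplied values, given in hex
    or as Base32 SHA-1."""
    if mode == "has_hash":
        return [n for n, h in files if h]
    if mode == "no_hash":
        return [n for n, h in files if not h]
    if not 1 <= len(criteria) <= 4:
        raise ValueError("supply between 1 and 4 hash values")
    needles = [normalize_hash_value(c) for c in criteria]
    return [n for n, h in files if h and any(h.lower().startswith(p) for p in needles)]


def build_sample_files() -> List[Tuple[str, Optional[str]]]:
    """Constructed directory listing: two byte-identical documents, one file
    with well-known content, and one file that was never hashed."""
    contents = {
        "report.docx": b"quarterly numbers",
        "report (copy).docx": b"quarterly numbers",
        "note.txt": b"abc",  # SHA-1 a9993e364706816aba3e25717850c26c9cd0d89d
        "unhashed.bin": None,
    }
    return [(n, hashlib.sha1(c).hexdigest() if c is not None else None)
            for n, c in contents.items()]


def build_sample_hash_set() -> str:
    """Constructed hash set text containing the SHA-1 of note.txt in Base32."""
    return "SHA-1\n" + sha1_hex_to_base32(hashlib.sha1(b"abc").hexdigest()) + "\n"


if __name__ == "__main__":
    files = build_sample_files()
    known = parse_base32_sha1_hash_set(build_sample_hash_set())
    print("hash set (hex):", known)
    print("matches for hash set:", hash_filter(files, "match", known))
    dup = dict(files)["report.docx"]
    print("duplicates via Base32 value:", hash_filter(files, "match", [sha1_hex_to_base32(dup)]))
    print("never hashed:", hash_filter(files, "no_hash"))
```

Because a prefix test is used for matching, a complete 40-character value and a short prefix pasted from the Hash column are handled by the same path; the Base32 branch only ever produces complete values, since a Base32 prefix cannot be decoded to a byte-aligned hex prefix in general.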

Usability

  • Option to save the program settings in the .cfg file either when the program terminates (cleanly), i.e. like before, or every time when you click OK in any dialog window (could be useful if the program does not terminate cleanly, to avoid that you lose your later settings). Can be found in Options | General. If totally unchecked, the program settings will not be saved at all, except if you hold the Shift key when exiting the program, which is necessary once if you would like to save in the .cfg file the setting that from then on the settings should not be saved again.

  • Whenever the program detects that you are using the .cfg file of a later version in an earlier version, which is not permitted, v16.7 will change the aforementioned option such that the program settings will not be saved, so as not to corrupt the .cfg file.

  • New investigator.ini option that prevents users from changing the option to save the program settings, as requested by some agencies for their users of X-Ways Investigator, so that they always start the program with the same canonical settings predefined by their more experienced colleagues.

  • The optional preface for a case report now supports HTML code.

  • Ability to associate a manually carved file ("Add Block as Virtual File" command) to report tables immediately upon its creation.

  • Ability to activate or deactivate column-based filters individually, with a single mouse click on the column header's filter symbol when holding the Shift key. The options of the respective filter remain unchanged.

  • New case report option that makes the Internet browser start a new page after x rows with files when printing the HTML report.

  • Print command in the directory browser context menu: Ability to print just the cover page by choosing to print only the pages 0 through 0 of the document or picture itself.

  • In the context menu of data windows, in the English and German user interface, bookmarks have been renamed positions. This is more consistent with the term "Position Manager" and reinforces the notion that entries in the Position Manager are no longer the preferred way to bookmark locations in the forensic user interface when working with cases, where you ideally create so-called user search hits for these purposes, which are much more powerful (they can be listed, selected, viewed and exported with their context just like ordinary search hits).

  • Ability to use the Back and Forward extra mouse buttons if available to navigate backward and forward.

X-Tensions API (details)

  • New function XWF_CreateFile that attaches an external file to the volume snapshot and efficiently carves files within other files (i.e. creates files that are marked as "excerpts" in the volume snapshot).

  • A new version of the Python plug-in is available.

Miscellaneous

  • The file messages.txt is now named msglog.txt and encoded in UTF-8 instead of UTF-16.

  • Relative paths supported for MPlayer/Forensic Framer and the external video player program.

  • Supports an additional variant of geodata in JPEG exif data.

  • Fixed an input focus problem of v16.5 and v16.6 in the directory browser that could occur after changing filter settings.

  • Fixed an error that could occur when adding more items after loading an already very large volume snapshot (> 6 million).

  • Many minor improvements.

  • Some minor fixes.


Changes of service releases of v16.6:

  • SR-1: No longer prevents duplication in evidence file containers of the new format for the same object in the same file system if the origin is a different evidence object or if a new volume snapshot has been taken (e.g. because of changes in the evidence object). The messages about avoided duplications are no longer output.

  • SR-1: Improved attachment name decoding for extraction from DBX and MBOX.

  • SR-1: Fixed Export List command for user search hits.

  • SR-1: Fixed an exception error that could occur when running a file header signature search.

  • SR-2: Fixed an exception error that could occur when processing certain MSG files with the new extraction method.

  • SR-2: Fixed an exception error that could occur when viewing certain DBX e-mail archives.

  • SR-2: For e-mail messages extracted from PST/OST/EDB, ability to slightly adjust the e-mail header in such a way that the HTML message body is shown directly in other programs such as Outlook Express and Windows Live Mail 2011, rather than as an attachment.

  • SR-2: Fixed inability of the x64 edition to process .evtx event log files.

  • SR-3: E-mail extraction better protected from certain kind of malformed e-mail headers.

  • SR-3: Hash set import better protected from malformed hash set text files.

  • SR-3: In the registry report for user accounts defined in a SAM hive, the timestamps for last log-off, last PW change, and last failed log-in were not converted to local time. That was fixed.

  • SR-3: "..." button with more options in Recover/Copy dialog window now always available when these options might make a difference.

  • SR-3: The user ID (last segment) in the SID of files originating from NTFS file systems is now displayed for evidence file containers of the new format.

  • SR-3: Other minor improvements and fixes.

  • SR-4: Ability to render a message box modeless in an emergency situation by double-clicking its caption. For example if an error message appears repeatedly in a loop when you click OK, this will give you a chance to save your work (e.g. save the case via the menu) before you have to terminate the program. Otherwise when an ordinary (i.e. modal) message box is on the screen, the main window, the Case Data window and their menus are inaccessible.

  • SR-4: Fixed file carving errors that could occur in Ext4 volumes.

  • SR-4: List of devices in registry report no longer limited to 100 items.

  • SR-4: Fixed an Undo command error that could occur when hex editing a file since v16.4.

  • SR-4: Fixed an exception error that could occur when extracting metadata from OLE2 compound files.

  • SR-5: Detection of multi-page JPEG pictures as created by Sony and Panasonic devices. A report table association will be created just as for multi-page TIFF pictures. Additional pages can be found by the search for JPEG pictures in JPEG files.

  • SR-5: Fixed inability of v16.6 to display search hits in the Outlook code page correctly.

  • SR-5: Fixed an input focus problem of v16.5 and v16.6 in the directory browser that could occur after changing filter settings.

  • SR-5: Fixed an error that could occur when adding more items after loading an already very large volume snapshot (> 6 million).

  • SR-5: Incorrect warning of inefficient .e01 table layout in certain situations avoided.

  • SR-5: Fixed truncated error messages in EDB processing (64-bit edition only).

  • SR-6: Fixed an exception error that could occur in v16.5 and later when parsing FAT file systems.

  • SR-6: The new e-mail extraction methods for EML and MBOX in some cases produced invalid and random attachment filenames. That was fixed.

  • SR-6: Exception error fixed that could occur when using the filter of the Child Objects column.

  • SR-7: Fixed an error that could cause incomplete 2nd copies of .e01 evidence files.

  • SR-7: Prevents some exception errors that could occur during volume snapshot refinements, in particular metadata extractions.

  • SR-8: Avoids that a window with the title "Please wait" may become permanent when extracting data from large archives to generate context previews in search hit lists.

  • SR-8: Fixed a crash that could occur when trying to extract e-mails from certain carved corrupt MSG files with the new method.

  • SR-8: Correct extraction of e-mail header fields from original .eml files with UNIX line breaks.

  • SR-8: Free space representation error in XFS fixed.

  • SR-8: Disk imaging compression slightly tweaked.

  • SR-8: Some minor improvements for XFS support and other functions.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)

Competition is normal and healthy. Patents on rectangles and finger movements are not. Please reconsider before buying Apple products. Thank you.

 

#128: WinHex, X-Ways Forensics, X-Ways Investigator 16.6 released

Aug 1, 2012

This mailing is to announce the release of another notable update v16.6.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator/X-Ways Imager and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download if needed.

Please be reminded that if you are interested in receiving information about service releases of v16.6 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.


Upcoming X-Ways Forensics & File Systems Training

Southern California, DC: Aug 6-10, 2012     seats available, get F-Response Tactical for free!
Chicago, DC: Aug 20-24, 2012     seats available
London, UK: Oct 8-12, 2012     seats available
Washington, DC: Nov 26-30, 2012     includes the Memory Forensics course! NEW
More information


What's new in v16.6?

Search Functionality

  • Ability to define search hits manually. Whenever you come across relevant text, for example floating around in free space in Disk/Partition/Volume mode or within a certain file in File mode, you can select it as a block and right-click the block to add it as a so-called user search hit (i.e. a search hit not found by the program). You can assign the search hit to an arbitrarily named search term/category. For example, if what you have found is related to suspect A, assign it as a search hit to a search term named after suspect A. If it is also related to suspect B, you can additionally assign it to another search term. You could also assign it to a real search term that you have used for an automatic search. User search hits can be conveniently listed in and exported from search hit lists just like ordinary (automatically generated) search hits. You can specify the correct code page for user search hits yourself when you define them, which may be essential to get the text displayed correctly. User search hits are stored in relation to an object in the volume snapshot if you define them in File mode. User search hits are forward compatible, i.e. older versions (v16.2 and later) can also see user search hits created by v16.6.

  • Search hits may now have a theoretical maximum length of 65,535 bytes and are no longer truncated after 255 bytes.

  • The maximum amount of context that can be included when exporting search hits was increased from 340 bytes to 1000 bytes, and can now be specified separately for context that precedes and context that follows the search hit, even 0 for one or the other. The latter is useful especially for technical searches (not keyword searches), where you have searched for example for a signature that indicates the start of a certain data record, where the data before the hit is irrelevant.

  • Avoids duplicate search hits when searching unnecessarily in multiple code pages that are essentially equivalent for all or some of the search terms used. For example, many users seem to select both Latin-1 and UTF-8 even when searching for English language words only.

  • Revised support for word boundary anchors (\b) and whole word searches in the Simultaneous Search. (forensic license only) You can now define which characters should be considered part of a word. This is useful to avoid false hits for short words in binary garbage data or Base64 code, and generally for users who consider digits to be part of words (such as in "GIF89"). Example: An undesirable hit for "band" in "7HZsIF9BaND4TpkSbSBS" can be prevented if you search for it as a whole word and additionally redefine the alphabet of word characters to include the digits 0-9, so that the positions between "9" and "B" as well as between "D" and "4" are no longer considered word boundaries.

  • Searching the slack of files that are otherwise omitted from logical searches is now optional. If the box "Open and search files incl. slack" is fully checked, this option still takes priority over all the options that can cause files to be omitted from the search, but no longer if it is only half checked.

  • When indexing multiple evidence objects in a single step, those that are opened automatically by X-Ways Forensics for indexing will now be automatically closed again when indexing has completed for them (and the same again for optimization), so that the screen is not cluttered with data windows and not all volume snapshots need to be loaded at the same time, which can consume a lot of memory if they contain many millions of files.
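To make the word boundary rule above concrete, here is an added Python example (mine, not the product's search engine) that implements a whole word search with a configurable alphabet of word characters. It uses the newsletter's own "band" case, embedded in a constructed sample string: with a letters-only alphabet the Base64-like garbage produces a false hit, with digits added it does not, and adding the hyphen as a word character additionally suppresses the hit inside "band-width".

```python
"""Whole-word search with a configurable alphabet of word characters."""
import re
import string
from typing import List

# Constructed sample data: Base64-like garbage (the newsletter's example)
# followed by ordinary prose with the search term in two more contexts.
SAMPLE = "7HZsIF9BaND4TpkSbSBS the band played on; band-width is unrelated"

LETTERS_ONLY = string.ascii_letters                 # the classic \w-like alphabet
LETTERS_AND_DIGITS = string.ascii_letters + string.digits


def whole_word_pattern(term: str, word_chars: str) -> "re.Pattern[str]":
    """Compile a case-insensitive pattern that matches `term` only as a whole word.

    A word boundary is a position between a character in `word_chars` and one
    outside it (or the start/end of the data). Negative lookbehind/lookahead on
    the alphabet's character class implement exactly that, independent of \\b.
    """
    cls = "[" + re.escape(word_chars) + "]"
    return re.compile(f"(?<!{cls}){re.escape(term)}(?!{cls})", re.IGNORECASE)


def find_whole_words(data: str, term: str, word_chars: str) -> List[int]:
    """Offsets of all whole-word occurrences of `term` in `data`."""
    pattern = whole_word_pattern(term, word_chars)
    return [m.start() for m in pattern.finditer(data)]


if __name__ == "__main__":
    for name, alphabet in (
        ("letters only", LETTERS_ONLY),
        ("letters + digits", LETTERS_AND_DIGITS),
        ("letters + digits + '-'", LETTERS_AND_DIGITS + "-"),
    ):
        print(f"{name:24s} -> hits at {find_whole_words(SAMPLE, 'band', alphabet)}")
```

With letters only, "band" is found at offsets 7 (inside the garbage, because "9" and "4" count as non-word characters), 25 and 41; with digits added the first hit disappears; with the hyphen added as well, "band-width" no longer yields a hit either. Widening the alphabet trades recall for precision, so keep the default for ordinary prose and widen it only for the terms that are producing noise.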

File System Support

  • Support for the XFS file system. Traces of deleted files can be found, too. Requires a forensic license.

  • Supports high-precision timestamps and creation timestamps in Ext4 file systems, where available.

  • If the particularly thorough file system data structure search in an NTFS volume is aborted, X-Ways Forensics now remembers which volume shadow copies (if any) have been processed already and will skip those when you run this operation again.

  • Ability to add a single file in a directory to the case using the File | Add File command in the Case Data window or via drag & drop to the Case Data window. If you wish to add more than 1 file from the same directory, continue to add the whole directory and just hide or remove the files that are irrelevant. This new kind of evidence object is forward compatible with v16.4 and v16.5. That means if you add a single file to the case, you can also work with it in those older versions.

  • Options | Volume Snapshot | [x] "NTFS: Search FILE records everywhere" is now one of the infamous three-state checkboxes. If fully checked, FILE records are searched as part of the particularly thorough file system data structure search everywhere in an NTFS partition, if half checked (default setting) only in volume shadow copy host files.

File Format Support

  • Exchange EDB extraction improved.

  • When extracting received e-mails from e-mail archives with no Delivery-Date: line in the header, X-Ways Forensics now takes the modification date from the end of the first Received: line.

  • Ability to use the registry viewer during ongoing other operations such as simultaneous searches and volume snapshot refinement.

  • Certain HTML e-mails extracted from PST/EDB are now more clearly marked as HTML format which in some cases helps to view them properly.

  • Revised representation of wtmp/utmp/btmp log-in records.

  • Ability to extract all kinds of files from Safari cache.db browser cache files when refining the volume snapshot.

  • The contents of JAR archives are now included in volume snapshots only optionally. These archives usually contain many, many irrelevant files and are often deeply nested.
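An added example of the Delivery-Date/Received fallback described above, written in Python with the standard library's e-mail parser (my illustration, not the X-Ways implementation). Both messages are constructed. The second has no Delivery-Date: line, so its timestamp is taken from the date at the end of the first, i.e. topmost, Received: line, which is the one added by the last mail server before delivery. A practitioner should keep in mind that Received: lines further down were written by other servers and can be forged by the sender, which is why only the topmost one is used here.

```python
"""Derive a delivery timestamp for an e-mail: Delivery-Date: first, else the top Received: line."""
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed message 1: has a Delivery-Date: header.
SAMPLE_WITH_DELIVERY = """Delivery-Date: Wed, 01 Aug 2012 07:16:03 +0000
Received: from mx.example.org by mail.example.net with ESMTP; Wed, 1 Aug 2012 09:16:02 +0200
From: alice@example.org
To: bob@example.net
Subject: test 1
Date: Wed, 1 Aug 2012 09:15:00 +0200

body
"""

# Constructed message 2: no Delivery-Date:, two Received: hops, the first one
# folded across lines as real MTAs write it. The Date: header is the sender's
# clock and therefore deliberately different.
SAMPLE_WITHOUT_DELIVERY = """Received: from mx2.example.org (mx2.example.org [192.0.2.20])
    by mail.example.net (Postfix) with ESMTP id 4F2A1B;
    Wed, 1 Aug 2012 09:15:42 +0200
Received: from [198.51.100.7] by mx2.example.org with SMTP; Wed, 1 Aug 2012 09:15:40 +0200
From: alice@example.org
To: bob@example.net
Subject: test 2
Date: Tue, 31 Jul 2012 23:59:00 -0700

body
"""


def received_timestamp(raw_message: str) -> Optional[datetime]:
    """Timestamp to use as the message's modification date, or None if none is derivable.

    Preference order matches the behaviour described in the newsletter:
    1. Delivery-Date: if present;
    2. otherwise the date after the last ';' of the first Received: line
       (the topmost header, added by the receiving server).
    Malformed dates are skipped so that a corrupt header does not abort parsing.
    """
    msg = message_from_string(raw_message)
    delivery = msg.get("Delivery-Date")
    if delivery:
        try:
            return parsedate_to_datetime(delivery.strip())
        except (TypeError, ValueError):
            pass
    for received in msg.get_all("Received", []):
        _, sep, date_part = received.rpartition(";")
        if not sep:
            continue  # a Received: line without a date clause
        try:
            return parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            continue
    return None


if __name__ == "__main__":
    for label, raw in (("with Delivery-Date", SAMPLE_WITH_DELIVERY),
                       ("without Delivery-Date", SAMPLE_WITHOUT_DELIVERY)):
        ts = received_timestamp(raw)
        print(f"{label:22s}: {ts.isoformat() if ts else None}")
```

The returned datetimes carry the header's UTC offset, so they can be converted to UTC before comparison with file system timestamps rather than compared as wall-clock strings.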

Image Support

  • Ability to create a second copy of an image immediately when imaging a disk, which is much quicker than copying the image file later and makes sense if the 2nd copy is created on a different drive. Only the first copy will be automatically verified if desired. File spanning (i.e. when to start another image file segment) is kept in sync between both copies even when running out of space on one of the two target drives only.

  • Ability to verify multiple selected images in a case in a single operation, i.e. compute their hash values and automatically compare them to already known hash values, if any. You can find the menu command in the context menu of the case (i.e. the context menu that appears when right-clicking the case title where it is printed in bold letters).

  • .e01 evidence files with larger chunk sizes supported.

  • Notices in the Messages window when files are not included in a container of the new format again because of duplication.

X-Tensions API (details)

  • C++ function definitions and Python plug-in updated.

  • Ability to execute X-Tensions in X-Ways Forensics directly from the main menu (Extra | Run X-Tensions). Useful for X-Tensions that don't interact with the volume snapshot or search hits of any particular volume, but for example create or otherwise manage evidence objects themselves. The nOpType parameter in the XT_Prepare function is XT_ACTION_RUN when executed that way.

Usability

  • Two new columns in the directory browser are now available with a forensic license: "Parent name" and "Child objects". Both columns come with filters. The filter for child objects allows you for example to quickly find all e-mails that have an attachment with a certain name. The filter for parent name for example allows you to quickly find all attachments that were attached to e-mails whose subject contains certain words. Note that the filters for the columns Name, Parent name, and Child objects share the same settings and are mutually exclusive (cannot be active at the same time; activating one deactivates the other).

  • The progress indicator window now displays filenames in the same color in which they are displayed in the directory browser, as described in the legend.

  • Ability to center full-window picture views (not using the viewer component) on a 2nd monitor if you are operating Windows with a desktop that spans two monitors.

  • New option in Options | Viewer Programs that allows to automatically close the preview picture viewer window when a new picture is viewed (only when the internal graphics viewing library is used for pictures, not the viewer component).

  • The paths for cases, images, temporary files, and the hash database may now be relative to the directory from which X-Ways Forensics is executed, e.g. .\Cases and .\Temp. Useful as a configuration that you take on site to preview live systems so that all files will be created on your own external drive, yet in separate directories.

  • Also relative paths starting with .. are now supported, where .. stands for the parent directory of the directory from where X-Ways Forensics is executed.

  • External viewer programs can now be specified with a relative path, too (one that starts with .\ or ..\).

  • Unlimited path substring lengths in the Path filter.

Miscellaneous

  • Deals more gracefully with temporary dongle connection problems. Automatically resumes normal operation once the connection is re-established without user interaction. Useful for example if the dongle is attached to a dongle server when the network connection temporarily does not work.

  • For the Export List command, all control codes <0x20 are now filtered out of the Metadata column, except line breaks and tabs, which are still replaced with semicolons.

  • Fixed a rare heap corruption error that was caused by a certain kind of GIF files.

  • The Tools | Analyze ... command did not work in the 64-bit edition before. That was fixed.

  • Deals more gracefully with the situation when the connection to the dongle is lost because the computer has been put in hibernation or on standby.

  • Refresh error fixed in templates with the "multiple" option.

  • Many minor improvements.


Changes of service releases of v16.5:

  • SR-1: Certain types of VMDK snapshots failed to be recognized as such. This has been fixed.

  • SR-1: The new extraction method for e-mail attachments had flaws. Those were fixed.

  • SR-1: The attempt to view files externally or explore archives during ongoing other operations closed the progress indicator window for those other operations. That was fixed.

  • SR-2: The preview of $UsnJrnl:$J is now a true tab-delimited text file, in accordance with user wishes. That means columns are not aligned any more when displayed internally by the viewer component.

  • SR-2: Avoided possible exception error that could occur when identifying SQLite databases.

  • SR-2: Fixed inability to sort in the case root window in certain situations.

  • SR-2: The Replace Hex Values command sometimes failed to find a sequence of hex values. That was fixed.

  • SR-3: Ability to carve in evidence file containers of the new format at the byte level. Useful as a work-around to find unaligned small files in selected other larger files (which have to be copied to the container first, though), without having to run the file header signature search at the byte level on an entire image or disk, which would output too many garbage files and require too much time.

  • SR-3: Hitting the Esc key now closes all filter dialog windows without activating or deactivating the filter. Before, the same behavior could already be achieved by clicking the "x" button in the upper right corner of a dialog window.

  • SR-3: Important for users who have customized the "File Type Categories.txt" file: file types had to be written in lower case characters, just like in the original file as provided by us, or else the file type filter and the category filter no longer worked correctly. This requirement has been removed.

  • SR-3: Adding the block as a virtual file to the volume snapshot did not work in search hit lists. This was fixed.

  • SR-4: Message "Please stop ongoing operation first" avoided in situations during logical searches where it should not occur.

  • SR-4: Extracting files from small other files using File Recovery by Type failed with a read error. That was fixed.

  • SR-4: Fixed an exception error that could occur under certain circumstances when using the Search | Continue Search command.

  • SR-5: Virtual directory "Modules" in Windows memory dumps preserved when running a thorough file system data structure search.

  • SR-5: Some fields in sent e-mails in Outlook PST/OST e-mail archives were not parsed correctly in v16.5. That was fixed.

  • SR-5: Several minor improvements/fixes.

  • SR-6: Faster, less memory intensive, and slightly more error-tolerant processing of Exchange EDB databases.

  • SR-6: Improved ability to list processes and DLL names in a 64-bit Windows via Tools | Open RAM.

  • SR-6: Filter for viewed items fixed.

  • SR-6: Fixed an error that could occur when searching for embedded pictures in files with a very long path.

  • SR-6: Error in Chinese user interface in v16.5 fixed.

  • SR-6: Avoided the message "Invalid, corrupt or simply unexpected directory entry found at offset ..." and the omission of invalid directory entries in FAT that can sometimes be found for files or directories with East Asian names.

  • SR-6: Some minor fixes and improvements.

  • SR-7: Slight further improvements of Exchange EDB processing.

  • SR-7: More stable when extracting metadata from corrupt iPhone Backup files.

  • SR-7: More stable when processing .evtx event log files.

  • SR-7: More stable when detecting the size of SQLite databases when carving.

  • SR-7: More stable when extracting metadata from flash video files.

  • SR-7: More stable when extracting attachments from DBX e-mail archives (new method).

  • SR-7: Avoided endless loop when processing .msg files.

  • SR-7: Now based on libpng 1.5.11. Includes vulnerability fix of libpng 1.5.10.

  • SR-7: Some minor improvements and fixes.

  • SR-8: Accepts invalid FAT short filename directory entries as seen on Android smartphones. Previous versions reported such entries as invalid.

  • SR-8: Ability to display certain JPEG variants in the gallery that previously were not displayed.

  • SR-8: Avoided DLL dependencies that existed in v16.5 SR-7 x86.

  • SR-8: Fixed inability to display a list of physical search hits.

  • SR-8: Some minor improvements and fixes.

  • SR-9: Fixed one more error that could occur when extracting metadata from iPhone backup files.

  • SR-9: Prevented a crash that occurred when extracting metadata from corrupt .evtx event logs.

  • SR-9: Fixed extraction error with certain kinds of damaged thumbs.db files.

  • SR-10: More stable when processing $UsnJrnl:$J.

  • SR-10: Prevents endless loop when exporting stills from certain corrupt video files.

  • SR-10: Prevents exception errors that could occur when processing corrupt .evtx event logs and further stability improvements in conjunction with .evtx event logs.

  • SR-10: Some minor fixes and improvements.

  • SR-11: Fixed index search error that appeared in v16.5.

  • SR-11: Prevented exception errors that occurred in v16.5.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

Competition is normal and healthy. Reconsider before buying Apple products. Thank you.

 

#127: WinHex, X-Ways Forensics, X-Ways Investigator 16.5 released

May 27, 2012

This mailing is to announce the release of another notable update v16.5.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator/X-Ways Imager and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, the log-in data, update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download if needed.

Please be reminded that if you are interested in receiving information about service releases of v16.5 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.


Upcoming X-Ways Forensics & File Systems Training

Washington, DC: Jun 26-28, 2012     seats available, please sign up soon!
Southern California, DC: Aug 6-10, 2012     seats available
Chicago, DC: Aug 20-24, 2012     seats available
London, UK: Oct 9-11, 2012     seats available
More information


Once again please be reminded that lost, misplaced or stolen dongles for X-Ways Forensics are replaced only if they have been insured, which is free.

Important only if your organization has several dongles: Did you ever make a note of the ID of your dongle? See Help | Dongle in the software. We may need the ID in case of upgrades or should your dongle stop working. Please check it now and save it in a secure place. Or ideally have your employer maintain a single list of all dongles and their respective users. Thank you!  


What's new in v16.5?

File Format Support

  • Ability to view browser SQLite databases after generating previews for them using a new option in Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and more. This requires that the files have been checked for their true file type (or are checked at the same time). Supports Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, and Safari feeds, also Skype's main.db database with contacts and file transfers.

  • Ability to view Internet Explorer index.dat files after generating previews for them with the same function.

  • A permanent preview can now be generated for $UsnJrnl:$J as part of metadata extraction, so that it does not have to be generated on demand when viewing or previewing this journal, which can be time-consuming for large specimens (potentially several GB).

  • Ability to generate permanent previews as child objects also for Windows Event Logs (.evt and .evtx).

  • The previews are stored in the volume snapshot as child objects, usually in HTML format. These child objects are not only used internally by X-Ways Forensics for previews of the parent file. You can also view all of them in an external program such as your preferred browser or MS Excel, by sending these child objects to the program of your choice (directory browser context menu). The existence of HTML child objects with searchable text for browser data, event logs and probably more data sources in future releases also improves the effectiveness of logical searches and indexing.

  • Ability to split HTML tables in the previews of browser databases and event logs after an arbitrary number of rows. You can set this number much higher if you do view the HTML previews externally with your preferred Internet browser and not with the viewer component, which cannot deal with very large tables.

  • Ability to view Outlook NK2 auto-complete files, Outlook WAB address books, and Internet Explorer travellog files (a.k.a. RecoveryStore).

  • Automatic highlighting of aligned FILETIME values in Disk/Partition/Volume and File mode. Useful when manually inspecting files of various Microsoft formats which may contain more timestamps than can be automatically extracted (try e.g. with index.dat, registry hives, .lnk shortcut files etc. etc.). If the lower half of a data window has the focus and FILETIME values are highlighted, you may also hover the mouse cursor over such a value to get a human readable interpretation of the timestamp. Alternatively, of course, you could get it from the data interpreter if you click the first byte of the value.

  • Ability to extract metadata from MS Access database files.

  • Metadata extraction from Manifest.mbdx and Manifest.mbdb iPhone backup files.

  • Registry report definition files revised. New definition file Reg Report Autorun.txt included.

  • Automatic extraction of .lnk shortcut files from automaticdestinations-ms jump lists during volume snapshot refinement.

  • Improved ability to deal with corrupt .evtx event log files.
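Since the FILETIME highlighting above is something an examiner may want to reproduce over arbitrary data in a script (for example over a carved registry hive or a record that the automatic parsers do not cover), here is an added Python example, not from the newsletter or the product. It decodes FILETIME (100-nanosecond intervals since 1601-01-01 00:00:00 UTC), scans a buffer for 8-byte-aligned values that decode to a plausible date, and shows what an aligned scan misses when the same value sits at an unaligned offset. The buffer, the two timestamps and the plausibility window (1995 to 2030) are constructed assumptions.

```python
"""Decode FILETIME values and scan a buffer for aligned, plausible timestamps."""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 in FILETIME units

# Assumed plausibility window: anything outside it is treated as not a timestamp.
EARLIEST = datetime(1995, 1, 1, tzinfo=timezone.utc)
LATEST = datetime(2030, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> datetime:
    """FILETIME -> aware UTC datetime (sub-microsecond precision is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def scan_filetimes(buf: bytes, alignment: int = 8,
                   earliest: datetime = EARLIEST,
                   latest: datetime = LATEST) -> List[Tuple[int, datetime]]:
    """Return (offset, datetime) for every little-endian QWORD at an `alignment`
    boundary whose FILETIME value falls inside the plausibility window.

    alignment=8 mirrors the "aligned" highlighting described above; alignment=1
    finds values at any offset at the cost of more false positives.
    """
    lo, hi = datetime_to_filetime(earliest), datetime_to_filetime(latest)
    hits = []
    for off in range(0, len(buf) - 7, alignment):
        value = struct.unpack_from("<Q", buf, off)[0]
        if lo <= value <= hi:
            hits.append((off, filetime_to_datetime(value)))
    return hits


# Constructed 40-byte sample: zeros, an aligned timestamp at offset 8, eight
# 0xFF bytes, two filler bytes, and a second timestamp at the unaligned offset 26.
TS_ALIGNED = datetime(2012, 11, 29, 10, 0, 0, tzinfo=timezone.utc)
TS_UNALIGNED = datetime(2012, 8, 1, 12, 30, 0, tzinfo=timezone.utc)
SAMPLE = (b"\x00" * 8
          + struct.pack("<Q", datetime_to_filetime(TS_ALIGNED))
          + b"\xff" * 8
          + b"XY" + struct.pack("<Q", datetime_to_filetime(TS_UNALIGNED))
          + b"\x00" * 6)


if __name__ == "__main__":
    for align in (8, 1):
        found = scan_filetimes(SAMPLE, alignment=align)
        print(f"alignment {align}: " + ", ".join(f"0x{o:x}={d.isoformat()}" for o, d in found))
```

The same decoder applies to the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) timestamps of an NTFS FILE record, so it can also be used to compare the two sets when timestamp manipulation is suspected.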

E-mail Support

  • New method for the extraction of e-mail messages and attachments from MSG files, which does not require MAPI.

  • Revised extraction of e-mail messages and attachments from DBX and MBOX e-mail archives.

  • Revised extraction of attachments from original .eml files.

  • PST e-mail extraction slightly improved and completed.

  • Ability to select the new extraction methods individually for PST, MSG, DBX, MBOX, and EML. The old extraction method for PST and MSG is a method previously described as "MAPI". The new method for PST was introduced long ago already and is the recommended standard setting. The new methods for all other file types are new to v16.5. The old extraction methods will probably not be offered any more in future versions of X-Ways Forensics.

  • Preview available for Outlook Express DBX e-mail archives.

File System Support

  • Support for MBR LVM2 and GPT LVM2 partitioned disks as commonly used by Fedora/Red Hat and also available in Debian and Ubuntu. Single-disk approaches (like the default behaviour when installing Fedora on an ordinary hard disk) and spanned volumes (i.e. logical volumes spanning several physical disks) are supported, the latter require all constituent disks/images to be open in X-Ways Forensics in order to find all data required.

  • Ability to reconstruct Linux software RAIDs from partitions. The partitions need to be opened before they can be selected.

  • Support for various UDF file system versions and specialties revised and considerably extended: Improved support for UDF when used on media other than optical discs, as well as added support for virtual partitions, metadata partitions, and named streams (the UDF equivalent of alternate data streams from NTFS).

  • NTFS FILE record 0x30 ($FILE_NAME) attribute timestamps are now displayed in Details mode next to their 0x10 ($STANDARD_INFORMATION) counterparts. Discrepancies between the two sets are a common indicator of timestamp manipulation, since the 0x10 timestamps can be set through ordinary Windows APIs while the 0x30 timestamps usually cannot.

  • Fix for NTFS support for media with a sector size of 4096 bytes.

  • Ability to recognize the new ReFS file system as such.

  • The volume snapshot option "Include files whose clusters are unknown" has turned into one of the infamous 3-state options. If fully checked, all previously existing files of which metadata only is known will be included in a volume snapshot. If not checked at all, those files will be ignored. If half checked, only files for which more than just the name is known (e.g. size, attributes, and timestamps) will be included, e.g. found in index records in INDX buffers or in $LogFile in NTFS, but not directory entry remnants in Ext* or Reiser file systems.

Image Support

  • Support for VMDK snapshot images. The base image and any preceding snapshot images have to be open and interpreted already when interpreting a later snapshot.

  • Fixed inability to read from flat VMDK images. Ability to interpret certain VMDK images that previous v16.5 releases could not deal with.

  • Ability to create evidence file containers from File | Create Disk Image where some new users may expect that kind of functionality. (X-Ways Forensics only, not WinHex)

  • The field to include notes in an .e01 evidence file when creating an image is now larger and allows line breaks. Useful if you wish to use it for more information and structure the notes more clearly.

X-Tensions API (details)

  • C++ function definitions for the X-Tensions API are now available for download.

  • A plug-in to run Python scripts as X-Tensions can now be downloaded from the X-Tension API web page, along with sample scripts. Also a minimal Python installation is downloadable.

  • An X-Tension that, during a simultaneous search, uses the Luhn algorithm to check whether sequences of digits could be credit card numbers and discards hits that fail the check is now available in 32 bit and 64 bit. When more users create and share their own X-Tensions, as we hope, we will create a dedicated web page for X-Tension downloads.

  • Ability to load X-Tension DLLs from any directory. By default, X-Ways Forensics expects X-Tension DLLs in the directory for scripts and templates.

  • Only selected X-Tensions will be executed, not all X-Tensions that were added to the list.

  • 7 important new functions were added:
    XWF_Search
    XWF_OpenItem
    XWF_Close
    XWF_CreateContainer
    XWF_CopyToContainer
    XWF_CloseContainer
    XWF_CreateEvObj

  • XT_ProcessSearchHit now receives a handle of the item or volume in which a search hit was found, for optional further reading.

  • New functionality was added to the XWF_SetItemInformation function.

  • More return values for XT_Prepare supported.

  • New flag for XWF_OutputMessage function.

  • Last parameter in XWF_GetItemInformation API function fixed.
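The Luhn filter mentioned above, as an added example in plain Python (not the X-Tension itself, whose DLL interface is not shown on this page): it scans text for runs of digits, tries every window of plausible card length inside each run, and keeps only the windows that pass the Luhn mod-10 check. Because the windows overlap, it also shows why the "overlapping hits" GREP option noted under v16.4 SR-3 on this page matters for undelimited digit sequences. The length bounds and the sample text are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Added example, not the X-Ways X-Tension: a plain-Python Luhn filter over
# runs of digits. Length bounds are an assumption (13..19 covers the common
# card brands); the sample text in demo() is constructed.

MIN_LEN = 13
MAX_LEN = 19


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, subtract 9 if > 9.
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_card_numbers(text: str, min_len: int = MIN_LEN,
                           max_len: int = MAX_LEN) -> List[Tuple[int, str]]:
    """Return (offset, digits) for every Luhn-valid window inside each digit run.

    Windows may overlap: a 17-digit run can hide a valid 16-digit number that
    starts at its second digit, which a search that consumes the whole run as
    one hit would never examine.
    """
    hits = []
    for run in re.finditer(r"\d{%d,}" % min_len, text):
        digits = run.group()
        base = run.start()
        for length in range(min_len, max_len + 1):
            for start in range(0, len(digits) - length + 1):
                window = digits[start:start + length]
                # Runs of a single repeated digit are never interesting, even if Luhn-valid.
                if len(set(window)) > 1 and luhn_valid(window):
                    hits.append((base + start, window))
    return hits


def demo() -> List[Tuple[int, str]]:
    # Constructed sample: a 17-digit run hiding a valid 16-digit number at its
    # second digit, followed by a 16-digit run that fails the checksum.
    sample = "id 44111111111111111 ref 1234567890123456"
    return candidate_card_numbers(sample)


if __name__ == "__main__":
    for offset, number in demo():
        print(offset, number)
```

Discarding Luhn failures removes most random digit runs, but a Luhn-valid window is still only a candidate: issuer prefix and length checks, and the surrounding context, decide whether it is worth reporting.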

Usability

  • When starting volume snapshot refinements, simultaneous searches or indexing, most other functionality now remains accessible and usable. The directory browser, the case tree and all other user interface elements including all menus remain reasonably responsive most of the time. That means for example you can continue to view files, enter comments about them, add them to report tables, explore directories, activate or deactivate filters, sort files, print files, open and close other evidence objects. BTW, there is an option to minimize the small progress indicator window if you right-click its caption.

  • The option to power down or hibernate the computer after completion of imaging or disk cloning is now available in the progress indicator window, so that you can still see during the process whether you had selected it and so that you can still change your mind.

  • Multiple dongles attached to the same computer (e.g. terminal server) are now supported, to allow for multiple simultaneous users at the same computer not only with multi-user dongles (cf. https://www.x-ways.net/forensics/dongle.html). Each user can select which dongle to use when starting up the software. The ID of the dongle that he or she had used last will be preselected. The textual notes that are stored in the dongles, if any, will also be displayed to make it easier to identify the right dongle.

  • If the only filter that is active is the "naturally active" filter that causes hidden items not to be listed, and when items that are hidden are actually filtered out in the directory browser, then the additional filter icons that indicate an active filter are now displayed in gray, no longer in glaring blue, to reinforce the notion that it is normal that hidden items are not listed and nothing else is filtered out.

  • Options in Name filter dialog clarified.

  • Path filter extended. Multiple substrings (one per line) are now permitted, and there is a NOT option.

  • Virtually attached files now have a paperclip icon.

  • The backspace key and the spacebar now work in the case tree.

File Header Signature Search

  • Excluding the start sectors of files that are already known to the volume snapshot from file carving is now optional. Of course, X-Ways Forensics still tries to prevent duplicates, but if the file header signature definition or the internal file size detection is strong enough to suggest that a known deleted file was overwritten with a new file, then that new file will be carved although it shares the same start sector with the known file.

  • If you intentionally abort the file header signature search or if the file header signature search causes X-Ways Forensics to crash, next time when you start a file header signature search in the same evidence object, you will find an option to resume it right where you had interrupted it, or where it was when the volume snapshot was last saved before the crash occurred (depends on the auto-save interval of the case).

Miscellaneous

  • Ability to only include associations with user-created report tables in evidence file containers, not those created by X-Ways Forensics itself. To make use of this feature, make sure that the option to export report table associations is only half checked when you create a container. This is now also the new default setting.

  • Ability to use the General Position Manager in File mode.

  • Fixed error that occurred when sorting by the ST# column.

  • One more option for the Internal ID filter.

  • Many minor improvements.


Changes of service releases of v16.4:

  • SR-1: The case root is now more strongly labelled, with the words "Case root".

  • SR-1: Color coding of directory and evidence object labels in the Case Data window now works in Windows 7 as known from X-Ways Forensics under Windows XP.

  • SR-1: Processing of .msg and original .eml files is now faster again.

  • SR-1: Fixed a memory leak of the original v16.4 release.

  • SR-1: Avoids that the viewer component freezes on certain corrupt PST files.

  • SR-1: Fixed error that occurred when sorting by the Category column in the original v16.4 release.

  • SR-2: Tagging a file in the case root window caused an exception in v16.4. That was fixed.

  • SR-2: Deletion timestamps in $LogFile were erroneously adjusted to local time twice. That was also fixed.

  • SR-3: Italian translation revised.

  • SR-3: X-Tensions function definitions revised.

  • SR-3: Option to allow overlapping hits in GREP searches. This can be useful in certain situations, for example when searching for credit card numbers in undelimited sequences of digits.

  • SR-3: Files created by an X-Tension are now specially marked with a tiny "XT" in the tag mark square.

  • SR-4: A 64-bit edition of X-Ways Investigator is now available and included in the standard download.

  • SR-4: Some search hit list context menu commands did not work as expected, and there was an error that could occur when displaying the contents of the columns "Search terms" and "#ST". That was fixed.

  • SR-4: The Owner filter dialog could not be displayed for all user interface languages. That was fixed.

  • SR-4: The volume snapshot created by v16.3 and v16.4 for NTFS partitions with more than 48 volume shadow copies was corrupted when saved. That was fixed.

  • SR-4: Under certain circumstances it was possible that hash values of files with child objects in an evidence file container were displayed as all zero after taking the volume snapshot. That was fixed.

  • SR-4: The "search in filenames" option of the Name column filter did not work for more than 1 search term except if GREP was active. That was fixed.

  • SR-5: The SMART data is now partially retrievable from hard disks in the 64-bit edition.

  • SR-5: The alternative disk access methods now work in the 64-bit edition.

  • SR-5: An exception error was fixed that could occur when refining volume snapshots of volumes that were not added to a case.

  • SR-6: Fixed inability of v16.4 to open physical RAM in Windows XP.

  • SR-6: Fixed inability of v16.4 to extract embedded PNG from arbitrary other files.

  • SR-6: Fixed an exception error that could occur in the 64-bit edition when running a logical search in files with extremely long paths.

  • SR-7: The case auto-save feature did not save the case if only report table associations were created since the last save and no other case data was changed. That was fixed.

  • SR-7: Compatibility of new evidence file container format with other software improved.

  • SR-7: Fixed inability of v16.4 to add images to the case whose filenames contain square brackets.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany


#126: WinHex, X-Ways Forensics, X-Ways Investigator 16.4 released

Mar 22, 2012

This  mailing is to announce the release of one of the most notable updates ever, v16.4.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator/X-Ways Imager and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data (!!), update maintenance, upgrade offers, and more. Note that licensed users of X-Ways Forensics with active update maintenance can conveniently find all older versions for download if needed.

Please be reminded that if you are interested in receiving information about service releases of v16.4 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.


Upcoming X-Ways Forensics & File Systems Training

London, UK: Apr 23-27, 2012     seats available
Washington, DC: May 15-17, 2012     seats available
More information


Please be reminded again that lost, misplaced or stolen dongles for X-Ways Forensics are replaced only if they have been insured, which is free.


What's new in v16.4?

Performance

  • A 64-bit edition of X-Ways Forensics and of the special WinHex version for licensed users of X-Ways Forensics is now available. You can simply add it to an installation of the 32-bit edition of X-Ways Forensics. The 64-bit .exe file must be located in the same directory as the 32-bit xwforensics.exe file. Additional files needed by the 64-bit edition are expected in a subdirectory named \x64. Most other files are shared by both editions! That means that all your settings, search terms, file type signature definitions, file type category definitions etc. are conveniently remembered and commonly used by both editions. Both editions use exactly the same format for case files, volume snapshots, search hits etc.
    While not 100% of the functionality is available (e.g. SMART data extraction does not work), the 64-bit edition is recommended especially in situations where the 32-bit memory address space may be insufficient, when dealing with disks or images that contain many millions of files, or when dealing with many millions of search hits, provided that you have plenty of physical RAM installed. Certain operations that are computationally intensive (e.g. hashing or encrypting) may also be faster in the 64-bit edition.
    A 64-bit edition of X-Ways Investigator will follow soon.

  • A 64-bit edition of the viewer component is now also provided. X-Ways Forensics warns when trying to load the 64-bit viewer component from the 32-bit edition of X-Ways Forensics. (Some users now think the 64-bit viewer component is for 64-bit Windows, but it is for 64-bit X-Ways Forensics.)

  • Improved ability to take a snapshot of volumes with many millions of files, especially in the 64-bit edition, but also in the 32-bit edition (if used with the /3GB switch or, better, under 64-bit Windows).

  • Hashing with the MD5 algorithm (the mere computation, excluding disk I/O for reading data) further accelerated in the 32-bit edition by ~30%, with SHA-1 by ~20%! (depends on the processor) Hashing in the 64-bit edition is optimized, too, and even slightly faster than in the 32-bit edition.

  • AES encryption and decryption (the mere computation) accelerated by 70% in the 64-bit edition and by 30% in the 32-bit edition.

  • Speed for sorting by filename more than tripled.

  • Sorting by various columns noticeably accelerated.

  • Copying large files (Recover/Copy command and adding files to containers) accelerated.

  • New buffer system at work when reading from .e01 evidence file, which may speed up processing in certain situations.

  • Supports more complex GREP search expressions now than before. Such complex expressions required too much main memory in previous versions to run.

  • Previously existing files whose first cluster is known to have been overwritten or whose first cluster is unknown (i.e. red X files) are now generally excluded from volume snapshot refinement except if you specifically target them via tagging. They are also excluded from logical searches and from indexing if the recommendable data reduction is active unless targeted specifically via tagging or selection.

  • Improved ability to deal with so-called zip bombs.

  • Processing of .msg and original .eml files is now slower.

Programming Interface/Scripting

  • Automate investigative tasks and extend the functionality of X-Ways Forensics with X-Tensions: The new X-Ways Forensics X-Tension API (application programming interface) allows you to use many of the advanced capabilities of the X-Ways Forensics computer software programmatically and extend them with your own functionality. For example, you could implement some specialized file carving for certain file types, automated triage functionality, generate alternative reports, or automatically filter out unwanted search hits depending on your requirements etc.

    Among other things, X-Tensions allow you to:
    - read from a disk/partition/volume/image
    - retrieve abundant information about each file and directory in the volume snapshot
    - read from any file
    - create new objects in the volume snapshot
    - assign files to report tables
    - add comments to files
    - process, validate and delete search hits
    - and do practically everything else that is possible with a Windows program! (thanks to the Windows API)

    You can use your programming language of choice, e.g. C++, Delphi, or Visual Basic, and do not have to learn any new programming language. You can use your compiler of choice, for example Visual Studio Express (freeware).

    Since an extension is not an interpreted script, but regular compiled executable code that is running in the address space of the application itself, you can expect highest performance, the same as with internally implemented functionality. X-Tensions give you easy and direct access to crucial and powerful functions deep inside X-Ways Forensics.

    When X-Tensions functions can get called:
    - when refining the volume snapshot
    - when running a simultaneous search
    - via the directory browser context menu
    - in future versions of X-Ways Forensics via the search hit context menu

    You may distribute your XWF extension DLLs that you compile and/or your source code free of charge or even for a fee, under whatever license terms you see fit.

    For more information please see https://www.x-ways.net/forensics/x-tensions/api.html.

Usability

  • More convenient ability to specify nature, sector size and additional storage location of raw images when holding the Shift key when interpreting images.

  • If reading a file referenced in the volume snapshot fails while refining the snapshot or running a logical search, for example because the storage location of some of its clusters is unknown or because it is contained in a corrupt file archive, only one read error message is now output per session, and the user is informed of a newly introduced attribute by which you can also filter: "file contents unknown, partially".

  • When pressing a Ctrl+number key combination that is not currently assigned to any report table (e.g. accidentally), X-Ways Forensics now produces an error sound.

  • More information in progress indicator window when copying files.

  • When printing multiple selected files (using the viewer component), only a single print job is submitted for all files and (if selected) cover pages, so that no other print jobs sent to a shared printer can get in between, and so that, when printing to PDF, you are prompted for a filename only once and all pages go to the same output file.

  • All Position submenus have been renamed Navigation.

  • Two neat commands for navigation in the directory browser have been added to the context menu (Navigation submenu): "See selected item in its directory" will show you the selected file or directory among its siblings. Useful to quickly check out whether there are more notable files in the same directory or to better understand the function of the file when you see it in context. "See selected item from volume root" will show you the selected file among all other files in the same volume. Useful for example to see whether there are any files with the same name, the same ID (e.g. previous version from a volume shadow copy), same owner, same sender, or similar timestamps etc. in the same file system (just sort accordingly). Both commands can also be used from within the case root window and from within search hit lists (so the previous "Go to file in directory browser" command becomes obsolete). Remember you can click the Back button in the toolbar to conveniently return to the previous view.

  • When toggling between normal and recursive exploration of the same directory, e.g. by clicking the button with the turquoise curly arrow, X-Ways Forensics now automatically selects the last selected item again if it is still contained in the directory browser after the change.

  • When activating or deactivating a filter, X-Ways Forensics now automatically selects the item in the directory browser again that you had clicked last, if it is still listed in the directory browser.

  • Improved responsiveness when decompressing large file archives.

  • If a certain file for which a hash value was computed before or for which a hash value is computed at the same time (volume snapshot refinement) crashes X-Ways Forensics (of which you are usually informed in great detail when restarting X-Ways Forensics), identical files are now skipped automatically if you (continue to) refine the volume snapshot and compute hash values (at least if the protection against identical crasher files is active in the properties of the case). To make the case forget previous crasher files, click the Delete button in the case properties. Skipped files are automatically added to the report table "Reason for crash?".

  • If not using the crash-safe decoding option and if the viewer component crashes X-Ways Forensics when decoding a certain file, on the next start-up X-Ways Forensics points out more precisely that the crash occurred during the decoding step and recommends to activate crash-safe decoding (which is an option in Options | Viewer Programs).

File System Support

  • When running a particularly thorough file system data structure search on NTFS volumes, X-Ways Forensics now specially deals with existing or previously existing volume shadow copies, and includes valuable information in the volume snapshot that would not be available otherwise, such as files that cannot be found in the current $MFT any more or old versions of files whose contents have changed (and unlike in previous versions of X-Ways Forensics, the original file contents can now be reconstructed for files of any size). And this happens relatively quickly now, even if you choose not to use the potentially very time consuming "Search FILE records everywhere" option.
    Processing of volume shadow copies, if any, occurs before all the other operations that are part of the particularly thorough file system data structure search (parsing $LogFile, optionally searching for FILE record outside of $MFT and outside of VSC, searching for index records in the slack of INDX buffers). If there are volume shadow copies, the caption of the small progress indicator window will tell you when they are being parsed.

  • Files found in volume shadow copies are specially marked if they are previous versions of files that were known to the volume snapshot already before the thorough file system data structure search. Remember you can sort by ID to see the files they are a previous version of next to them.

  • Option to avoid that previous versions of files in volume shadow copies are added to the volume snapshot if they are exact duplicates (identical file contents), so that it is much easier to focus on files for which previous data is actually still available. Even if modification dates are different, the file contents are often the same for files installed by the operating system. See Options | Volume Snapshot. If fully selected, X-Ways Forensics will compare files up to 128 MB, if half selected, only up to 16 MB, so as not to waste too much time on this feature.

  • X-Ways Forensics now distinguishes between deleted files whose contents may have changed (i.e. overwritten by other files) and deleted files whose original contents are known to be still available/original. For example, volume shadow copies often guarantee the original contents of files that were deleted or changed afterwards. If so, such files found in a volume shadow copy are displayed with an icon that is different from other previously existing files. The icon of virtual files has changed, too. Please see the Legend for an overview of all icons.

  • Ability to open a directory (File | Open Directory). This new function can list the files and subdirectories of any accessible directory in the directory browser.

  • Ability to add any accessible directory to the case. Useful if a directory or a file of interest resides on a drive with many irrelevant files, if you merely wish to view, hash, or search a few of those files, check their metadata or copy them to an evidence file container etc.

  • Ability to identify Btrfs file systems.

  • Reparse points are no longer highlighted by a virtual file whose name reveals the target, but by a comment that is attached to the reparse point host directory.

File Format Support

  • E-mail extraction revised for certain e-mail archive file types such as Exchange EDB, DBX, MBOX, and MSG, in particular better support for e-mails in e-mails (e-mails as attachments).

  • Metadata extracted from XML files in Office documents can now be seen in the metadata cell of the outer Office document, no longer for the inner XML files in which they were actually found, where some users did not expect them.

  • OLE2 timestamps can now be translated by the Data Interpreter and in templates optionally in big endian, as they appear in ICQ 7 chat messages.

  • Improvements for Exchange EDB extraction.

  • File format consistency check now supported for EXE, ZIP, RAR, JPEG, GIF, PNG, RIFF, BMP, PDF.
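The OLE2 timestamp note above, as an added example that is not X-Ways code: OLE2 compound documents store timestamps as 64-bit FILETIME values (100-nanosecond ticks since 1601-01-01 00:00 UTC), normally little-endian, whereas the note says ICQ 7 chat messages store them big-endian. The decoder below takes the byte order as a parameter and includes a small sanity check that reports which byte order yields a date in a plausible range. The plausible year range and the sample timestamp are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List

# Added example, not code from X-Ways: decoding 64-bit FILETIME values in
# either byte order, as the Data Interpreter / templates can now do for OLE2
# timestamps. The sample timestamp and the plausible year range are assumptions.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
UNIX_EPOCH_TICKS = 116444736000000000            # 1970-01-01 as FILETIME
UNIX_EPOCH_LE = struct.pack("<Q", UNIX_EPOCH_TICKS)
SAMPLE_DT = datetime(2012, 3, 22, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def filetime_to_datetime(raw: bytes, big_endian: bool = False) -> datetime:
    """Decode 8 raw bytes as a FILETIME in the given byte order."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack(">Q" if big_endian else "<Q", raw)
    # datetime has microsecond resolution; the sub-microsecond part is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime, big_endian: bool = False) -> bytes:
    """Encode a timezone-aware datetime as 8 FILETIME bytes."""
    if dt.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return struct.pack(">Q" if big_endian else "<Q", micros * TICKS_PER_MICROSECOND)


def plausible_byte_orders(raw: bytes, lo_year: int = 1980, hi_year: int = 2100) -> List[str]:
    """Report which byte orders ("LE", "BE") give a date inside the plausible window.

    A value read in the wrong byte order usually lands centuries away from the
    window or overflows datetime entirely, which makes this a cheap check when
    an interpreted date looks unlikely.
    """
    orders = []
    for name, be in (("LE", False), ("BE", True)):
        try:
            dt = filetime_to_datetime(raw, be)
        except OverflowError:
            continue
        if lo_year <= dt.year <= hi_year:
            orders.append(name)
    return orders


if __name__ == "__main__":
    le = datetime_to_filetime(SAMPLE_DT)
    be = datetime_to_filetime(SAMPLE_DT, big_endian=True)
    print(le.hex(), plausible_byte_orders(le))
    print(be.hex(), plausible_byte_orders(be))
```

The check is a heuristic: a timestamp that is genuinely far outside the window (or a zeroed field) will be reported under neither byte order, which is itself a useful signal.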

File Header Signature Search

  • File header signature search noticeably revised and accelerated, especially on volumes with millions of files. The already very high quality of the results was further improved.

  • Ability to select file types for the file header signature search more conveniently grouped by categories instead of in a flat list.

  • Automatic file size detection for even more file types than before, now including for example MPEG, MP3 in general, index.dat.

  • For each file type that the internally implemented algorithms in X-Ways Forensics know well and support with automatic size detection, the ID of the corresponding algorithm is now specified in the "File Type Signatures Search.txt" definition instead of a footer signature, following a tilde symbol (~). For example that can be useful if you create alternative definitions for a certain file type (e.g. to match a certain subtype only), to ensure that the sophisticated file size detection at work in X-Ways Forensics is still applied.

  • New flag "c" supported in the file type signature definitions which, if taken into account (depends on user interface settings), ignores header signatures that are not aligned at cluster boundaries. Can be useful for some file types to avoid too many false positives.

  • Files carved with the new flag "g" greedily allocate all their sectors exclusively. The file type signature search continues its search for further file headers only after the presumed end of such files.

  • New flag "u" carves files in unused clusters only.

  • New file carving flag "F" (upper case) that makes X-Ways Forensics discard hits of the file header signature search if no corresponding footer can be found, provided that a footer signature is specified in the definition. Can be useful to reduce or entirely avoid false positives.

  • New flag "t" prevents X-Ways Forensics from presenting the type of carved files immediately as confirmed. Useful for example for file format families such as XML, to determine the exact subtype later during file type verification.
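To make the effect of the "c", "g", "u" and "F" flags visible, here is an added example that is not X-Ways code: a toy header/footer carver over an in-memory buffer that implements the flag semantics as described in the notes above. The cluster size, the signatures and the sample buffer are constructed for the example; the real definition file format and carving engine are not reproduced.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example, not X-Ways code: a toy carver implementing the semantics of
# the "c" (cluster-aligned header), "g" (greedy), "u" (unused clusters only)
# and "F" (footer required) flags. Cluster size, signatures and buffer are
# constructed for the example.

CLUSTER_SIZE = 16


@dataclass
class Signature:
    name: str
    header: bytes
    footer: Optional[bytes] = None
    max_size: int = 16      # fallback length when no footer is found
    flags: str = ""         # any of "c", "g", "u", "F"


def carve(buf: bytes, sigs: List[Signature], allocated_clusters: Optional[Set[int]] = None,
          cluster_size: int = CLUSTER_SIZE) -> List[Tuple[str, int, int]]:
    """Return (type, start, end) for each accepted hit; end is exclusive."""
    allocated = allocated_clusters or set()
    hits = []
    pos = 0
    while pos < len(buf):
        resume_at = pos + 1   # default: keep looking one byte further on
        for sig in sigs:
            if not buf.startswith(sig.header, pos):
                continue
            # "c": only accept headers that sit at a cluster boundary
            if "c" in sig.flags and pos % cluster_size != 0:
                continue
            # "u": only carve from clusters the file system reports as unused
            if "u" in sig.flags and pos // cluster_size in allocated:
                continue
            end = None
            if sig.footer is not None:
                f = buf.find(sig.footer, pos + len(sig.header), pos + sig.max_size)
                if f != -1:
                    end = f + len(sig.footer)
            if end is None:
                # "F": a footer is defined but was not found -> discard the hit
                if "F" in sig.flags and sig.footer is not None:
                    continue
                end = min(pos + sig.max_size, len(buf))
            hits.append((sig.name, pos, end))
            # "g": the carved file claims its sectors exclusively, so the search
            # for further headers continues only after its presumed end
            if "g" in sig.flags:
                resume_at = max(resume_at, end)
        pos = resume_at
    return hits


SIGNATURES = [
    Signature("A", b"HDRA", footer=b"ENDA", max_size=32, flags="F"),
    Signature("B", b"HDRB", max_size=16, flags="cg"),
    Signature("C", b"HDRC", max_size=8, flags="u"),
]

SAMPLE = (
    b"HDRAdataENDA".ljust(16, b"\0")      # cluster 0: complete A (header + footer)
    + b"HDRB....HDRA...."                # cluster 1: B; the embedded HDRA is hidden by "g"
    + b"HDRAxx".ljust(16, b"\0")         # cluster 2: A without footer, dropped by "F"
    + b"\0\0\0\0HDRB".ljust(16, b"\0")   # cluster 3: B not cluster-aligned, dropped by "c"
    + b"HDRC....".ljust(16, b"\0")       # cluster 4: C in an allocated cluster, dropped by "u"
    + b"HDRC....".ljust(16, b"\0")       # cluster 5: C in an unused cluster, carved
)
ALLOCATED = {4}   # constructed allocation map: only cluster 4 is in use


def demo() -> List[Tuple[str, int, int]]:
    return carve(SAMPLE, SIGNATURES, ALLOCATED)


def demo_without_flags() -> List[Tuple[str, int, int]]:
    plain = [Signature(s.name, s.header, s.footer, s.max_size, "") for s in SIGNATURES]
    return carve(SAMPLE, plain, ALLOCATED)


if __name__ == "__main__":
    print("with flags:   ", demo())
    print("without flags:", demo_without_flags())
```

On the sample buffer the flags cut seven raw header hits down to three: the valid A, the greedy B, and the C in the unused cluster. The trade-off is the same as in the real tool: "g" and "u" also hide a genuine file embedded in another file or sitting in an allocated cluster, so they are a precision choice, not a free win.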

Directory Browser

  • Option to copy child objects of selected files from search hit lists.

  • Ability to use the Name filter for keyword searches in filenames not only with GREP syntax.

  • Filter for the Owner column.

  • More detailed filter for previously existing files.

  • Virtual files are now counted separately in the caption line of the directory browser and no longer included in the count of existing or previously existing files. The icons of virtual files and directories have been changed.

  • Ability to mark important evidence objects in the case root window with a yellow flag.

  • Ability to tag or untag all items in the volume snapshots of all open evidence objects by clicking the case root icon with the middle mouse button.

  • Ability to copy the text in the cell of the directory browser that you right-click to the clipboard. Previously users had to copy from Details mode.

Miscellaneous

  • Cases now remember non-standard sector sizes of raw images so that you do not have to specify them again when re-opening a raw image evidence object.

  • Ability to add a selected block to the volume snapshot as a virtual file even from the case root window (in File mode).

  • In newly taken volume snapshots of physical disks, all virtual files covering unpartitioned areas will not be subject any more to volume snapshot refinement (e.g. hash computation) unless specifically targeted via tagging, to save time and because it does not make much sense. The same applies to partitioned areas on GPT+LDM disks that are not treated like partitions because they never contain a file system (only the dynamic volumes do).

  • Fixed an error in the direct byte-wise translation for GREP that could cause some additional false hits.

  • More information in evidence object selection dialog windows that show the number of files in each evidence object and the yellow flag, if it has one.

  • Ability to represent large offsets in decimal.

  • New encryption algorithm for .e01 evidence files: 128-bit AES in BE CTR mode, which is ~67% faster than the already accelerated implementation of 256-bit AES in LE CTR mode, for both encryption and decryption. Previous versions of X-Ways Forensics cannot open .e01 evidence file created with the new algorithm.

  • That an iterative SHA-256 hash of both the password and the salt is stored in encrypted .e01 evidence file for password verification purposes is now optional when using the 256-bit AES option (see Security Options). Previous versions of X-Ways Forensics cannot open .e01 evidence file created without such a hash.

  • Many minor improvements.
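The password verification note above, as an added example that is not the .e01 format: a salted, iterated SHA-256 verifier stored beside the encrypted data, which is what the option toggles. The iteration count, the concatenation order and the constant-time comparison are assumptions for this example; the actual layout in .e01 files is not given on this page.

```python
import hashlib
import hmac
import os

# Added example, not the .e01 on-disk format: a salted, iterated SHA-256
# password verifier. ITERATIONS, the salt || password order and the
# comparison routine are assumptions made for the example.

ITERATIONS = 50_000   # assumed; raising it slows down offline guessing linearly


def make_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash salt || password, then re-hash the digest (iterations - 1) more times."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def password_matches(password: str, salt: bytes, stored: bytes,
                     iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a freshly derived verifier with the stored one."""
    return hmac.compare_digest(make_verifier(password, salt, iterations), stored)


def new_salt() -> bytes:
    """A fresh random salt per image, so equal passwords give different verifiers."""
    return os.urandom(16)


if __name__ == "__main__":
    salt = new_salt()
    verifier = make_verifier("correct horse", salt)
    print(password_matches("correct horse", salt, verifier))   # True
    print(password_matches("wrong horse", salt, verifier))     # False
```

The security consequence of the new option follows directly: with the verifier present, a wrong password is rejected before any decryption, but the stored hash is also a fast offline target for guessing. Without it, nothing in the file confirms a password; the only check is whether the decrypted data is structurally valid, which removes that oracle but also means a typo is not detected up front.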


Changes of service releases of v16.3:

  • SR-1: Improved UTF-8 encoding of GREP expressions.

  • SR-1: Fixed code page display problem with very long search terms.

  • SR-1: Fixed non-acceptance of containers of the new format with certain investigator.ini settings.

  • SR-1: Avoided one more situation where writing sectors could fail under Windows Vista and later.

  • SR-1: Fixed inability of v16.3 to explore nested archives.

  • SR-2: Fixed an exception error that could occur when opening files with certain filenames when Asian code pages were active in Windows.

  • SR-2: Fixes and improvements for Exchange EDB extraction.

  • SR-3: When extracting e-mail from certain e-mail archive types like DBX or MBOX, identical attachments that were attached to different e-mail messages (same name, same contents) were only provided as child objects to 1 e-mail message. That was fixed.

  • SR-4: \b anchors did not work correctly in v16.3. That was fixed.

  • SR-5: Fixed errors that could occur in certain cases when extracting embedded pictures from carved files (I/O errors and inability to display the pictures in the gallery).

  • SR-5: Fixed inability to read alternate data streams from evidence file containers of the new format.

  • SR-5: Improved representation of file slack that is deliberately included in evidence file containers of the new format.

  • SR-5: Included buffer overrun fix of libpng 1.5.9 (http://www.libpng.org/pub/png/libpng.html) in the internal graphics viewing library. This fix was also retroactively applied to earlier versions: v16.2 SR-12, v16.1 SR-10, v16.0 SR-13, v15.9 SR-10, v15.8 SR-11.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Agrippastr. 37-39
50676 Cologne
Germany

