WinHex & X-Ways Forensics Newsletter Archive

#142: X-Ways Forensics, X-Ways Investigator, WinHex 18.0 released

Dec 13, 2014

This mailing is to announce the release of a notable update with important improvements, v18.0.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager please go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find older versions for download from there if needed. Licensed users of other products can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Washington DC, Feb 24-Mar 4, 2015
Hong Kong, Mar 2-5, 2015
London, England, Mar 24-Apr 1, 2015
Indianapolis, IN, Apr 21-24, 2015
Kingston, ON, Apr 27-31, 2015
Ottawa, ON, Jun 1-5, 2015

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v18.0?
(please note that most changes affect X-Ways Forensics only)

Conventional Hash Databases

  • It is now possible to maintain two separate hash databases at the same time, based on either the same or different hash types. Useful for example if you receive hash sets from different sources with different hash types (e.g. some with MD5 and some with SHA-1 values) and wish to use them simultaneously.

    The second hash database may be stored on a different drive. Useful if, for example, the primary hash database for general use is shared with colleagues on a network drive and you wish to create or import new hash sets into a locally stored second database, either for temporary use only or while the primary hash database is locked by other users.

    When creating a hash set yourself, you can choose to which hash database it should be added. That can be file hash database #1 or file hash database #2 or the block hash database.

    The ability to import an entire folder of hash sets has been dropped. You can still import multiple selected hash sets in the same directory at once.

  • Ability to compute hash values of two different hash types at the same time when refining the volume snapshot, for general purposes or to match them against two hash databases with different hash types. If matching is selected, all hash values will be matched against any of the two hash databases whose hash type fits. That means even if the primary hash type in the volume snapshot is MD5 and the secondary is SHA-1, and hash database #1 is based on SHA-1 and #2 based on MD5, X-Ways Forensics will match the hash values accordingly. The hash types in the volume snapshot and in the hash databases do not have to be in the same order.

  • Which hash value is displayed in the Hash column can be changed in the Directory Browser Options dialog. Either the primary hash value or the secondary hash value or both at the same time (if the box is half checked). The Hash column filter is applied to the hash type(s) that is/are currently displayed. Which hash type(s) is/are displayed in the Hash column can be seen in the column header.

  • The Hash Set column shows known matches for both hash databases simultaneously. The filter can be used to filter for selected hash sets of one of the databases at a time. The database to choose hash sets from can be selected in the filter dialog.

  • The Hash Category column shows only one category. If you assign the hash value of a certain file in one hash database to one category and the hash value of the same file in the other hash database to the other category, you will be warned once during matching and given exact information about which hash values in which hash sets of which hash databases conflict. The categorization as "notable" will prevail when in doubt.

  • Ability to import hash sets in the current JSON/ODATA format layout as used by Project Vic and found in the Hubstream Inbox.
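
The matching behavior described in this section, as an added worked example in Python (an illustration only, not X-Ways code, and not the on-disk format of the real hash database): two databases of different hash types, a volume snapshot with MD5 as primary and SHA-1 as secondary hash type, matching of each value against whichever database fits, and the conflict rule under which "notable" prevails. The database names, hash set names and sample file contents are constructed.

```python
import hashlib
import warnings
from dataclasses import dataclass, field

NOTABLE, IRRELEVANT = "notable", "irrelevant"


@dataclass
class HashDatabase:
    """One conventional hash database: a fixed hash type plus named hash sets.
    (Constructed model; the real on-disk format is not reproduced.)"""
    name: str
    hash_type: str                             # e.g. "md5" or "sha1"
    sets: dict = field(default_factory=dict)   # set name -> (category, {hex digests})

    def add_set(self, set_name, category, digests):
        self.sets[set_name] = (category, {d.lower() for d in digests})

    def lookup(self, digest):
        """[(set name, category)] for every hash set that contains the digest."""
        digest = digest.lower()
        return [(n, cat) for n, (cat, ds) in self.sets.items() if digest in ds]


def compute_hashes(data, primary, secondary):
    """Primary and secondary hash value of one file's contents, computed in one pass."""
    hs = {t: hashlib.new(t) for t in (primary, secondary)}
    for h in hs.values():
        h.update(data)
    return {t: h.hexdigest() for t, h in hs.items()}


def match(hashes, databases):
    """Match every computed hash value against each database whose hash type
    fits, regardless of the order of the types.  Returns the matched hash sets
    per database and one category; if categories conflict, warn once and let
    "notable" prevail."""
    hits, categories = {}, {}
    for db in databases:
        digest = hashes.get(db.hash_type)
        if digest is None:
            continue
        found = db.lookup(digest)
        if found:
            hits[db.name] = [name for name, _ in found]
        for set_name, cat in found:
            categories.setdefault(cat, []).append(f"{db.name}:{set_name} ({db.hash_type})")
    if len(categories) > 1:
        warnings.warn(f"hash category conflict, {NOTABLE} prevails: {categories}")
        return {"hash_sets": hits, "category": NOTABLE}
    return {"hash_sets": hits, "category": next(iter(categories), None)}


# Constructed sample: one file whose MD5 is listed as notable in database #2
# while its SHA-1 is listed as irrelevant in database #1.
SAMPLE = b"constructed sample file contents"
DB1 = HashDatabase("db1", "sha1")
DB2 = HashDatabase("db2", "md5")
DB1.add_set("known-good-tools", IRRELEVANT, [hashlib.sha1(SAMPLE).hexdigest()])
DB2.add_set("case-1234-images", NOTABLE, [hashlib.md5(SAMPLE).hexdigest()])


def triage(data=SAMPLE, databases=(DB1, DB2)):
    # Volume snapshot: MD5 primary, SHA-1 secondary; the databases are the other way round.
    return match(compute_hashes(data, "md5", "sha1"), databases)


if __name__ == "__main__":
    print(triage())
```

Note that the conflict case above is exactly the one the newsletter warns about: the same file is "irrelevant" by one database and "notable" by the other, and the more cautious category wins.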

PhotoDNA

  • X-Ways Forensics can now employ the PhotoDNA hashing algorithm for photos, until further notice. Because the algorithm is robust and specialized in photos, it usually recognizes known photos automatically even if they have undergone lossy compression repeatedly (e.g. JPEG), have been stored in a different file format, resized, partially blurred/pixelated, color-adjusted or contrast-adjusted, etc. Unlike hash values computed by conventional general-purpose algorithms, PhotoDNA hashes are resistant to such image alterations. Optionally, known photos can be recognized even if they were mirrored (flipped horizontally).

    For licensing reasons the PhotoDNA functionality is made available as a separate download, and provided by X-Ways itself only to law enforcement agencies, which may use it to prevent the spread of child sexual abuse content and for investigations targeted to stop its distribution and possession.

    For details about PhotoDNA please see this high level technical explanation and this press information.

    If the PhotoDNA functionality is present, a 4th (!) database, with PhotoDNA hash values of photos, can be created and maintained within X-Ways Forensics, and photos may be matched against that hash database in X-Ways Forensics and X-Ways Investigator to identify known incriminating content.

    Law enforcement agencies may want to create and share their own collections of such hash values, or import an extensive existing collection from Project Vic. You can also import PhotoDNA hash databases of other X-Ways users, you may delete hash categories that you don't need any more, and you may merge or rename categories in your database. When importing someone else's hash database, their categories of the same name will be merged with yours. X-Ways Forensics will attempt to deduplicate hash values of similar photos when adding hash values to the database.

    Hash values can be added to the PhotoDNA hash database for pictures in the volume snapshot of an evidence object in the same way as conventional hash sets are added to a conventional hash database, using the “Create Hash Set” command in the directory browser context menu. The database is one of now four databases that can be managed with the Tools | Hash Database command. The PhotoDNA hash database is stored in a directory next to hash database #1.

    Matching is part of the "picture analysis and processing" operation in Specialist | Refine Volume Snapshot. If you select more strict matching (allow less variation in a picture), the process can be noticeably faster in huge databases. Any resulting matches can be seen and filtered in the now combined SC%/PDNA column. Please note that photos that are recognized via PhotoDNA already are not additionally checked for the amount of skin tones.

Performance Enhancements

  • File header signature searches, block-wise hash matching, FILE record searches, searches for lost partitions, and physical simultaneous searches are now sparse-aware operations when dealing with compressed and sparse .e01 evidence files. That means that areas that were never written and are zeroed out on the original hard disk, areas that had been wiped on the original hard disk, or areas deliberately omitted in cleansed images are skipped and require almost no time, because their data neither has to be read nor decompressed nor further processed (searched/hashed/matched against the block hash database).

    Sparse-awareness is guaranteed to be active for .e01 evidence files that were created by X-Ways Forensics and X-Ways Imager 16.1 and later (and possibly for images created by 3rd-party software, depending on the settings and the internal layout). Operations are not sparse-aware on images of Windows dynamic disks, images of LVM2 disks, and on reconstructed RAIDs based on .e01 evidence files.

  • Logical searches in files stored in an NTFS file system are also sparse-aware at the .e01 evidence file level, and generally logical searches in virtual "Free space" files.

  • Logical searches in NTFS, Ext*, XFS and UFS file systems are sparse-aware at the file system level. That means no time is wasted on large sparse areas within sparse files. Those areas are ignored, regardless of whether the evidence object is an .e01 evidence file, raw image, RAID, or actual disk.

  • Skin tone computation slightly accelerated for high resolution photos.
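
The sparse-awareness described above, reduced to its essence as an added Python example (not X-Ways code): a file header signature search that asks the operating system where the data regions of a sparse file are and never reads the holes. The .e01 chunk table that X-Ways consults for the same purpose is not parsed here; a raw sparse image stands in for it, and where the platform or file system cannot report holes the scan falls back to reading everything, with identical results and only the time saving lost. The sample image is constructed.

```python
import os
import tempfile

SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"PK\x03\x04": "zip"}
BLOCK = 1 << 20          # bytes read per step


def data_ranges(fd, size):
    """Yield (start, end) of the regions of fd that hold data.  Uses
    SEEK_DATA/SEEK_HOLE where the platform offers them; otherwise, or on a
    file system that cannot report holes, the whole file counts as data."""
    if not hasattr(os, "SEEK_DATA"):
        yield 0, size
        return
    pos = 0
    while pos < size:
        try:
            start = os.lseek(fd, pos, os.SEEK_DATA)
        except OSError:          # ENXIO: nothing but a hole up to EOF
            return
        end = os.lseek(fd, start, os.SEEK_HOLE)
        yield start, end
        pos = end


def signature_search(path):
    """[(offset, type)] for every header signature, scanning data regions only."""
    hits = []
    overlap = max(len(s) for s in SIGNATURES) - 1
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        for start, end in data_ranges(f.fileno(), size):
            pos = start
            while pos < end:
                f.seek(pos)
                # read a little past the block so signatures straddling the
                # block boundary are seen; only starts below BLOCK count here
                chunk = f.read(min(BLOCK, end - pos) + overlap)
                for sig, kind in SIGNATURES.items():
                    idx = chunk.find(sig)
                    while 0 <= idx < BLOCK:
                        hits.append((pos + idx, kind))
                        idx = chunk.find(sig, idx + 1)
                pos += BLOCK
    return sorted(hits)


def demo(hole_mib=64):
    """Constructed sparse image: JPEG header at offset 0, an unwritten hole of
    hole_mib MiB, then a PNG header.  Returns the signature hits."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sparse.raw")
        with open(path, "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + b"A" * 100)
            f.seek(hole_mib << 20)        # nothing written in between = hole
            f.write(b"\x89PNG\r\n\x1a\n" + b"B" * 16)
        return signature_search(path)


if __name__ == "__main__":
    print(demo())
```

On a file system that reports holes, the 64 MiB gap costs two lseek calls instead of 64 reads; the hit list is the same either way, which is the property a practitioner wants from any such optimization.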

File Type Support

  • Improved stability and quality of e-mail extraction from Exchange databases.

  • Supports a new PST/OST data storage method as used in Outlook 2013.

  • Support for e-mail extraction from MBOX e-mail archives larger than 4 GB.

  • Preview of Skype chat sync files (named "chatsync" in the Type column). Shows the complete chat and the IP addresses of the participants. Events are also extracted.

  • Support for newer Photoshop thumbnail cache format.

  • Improved Windows account administration section in the registry report.

  • Ability to extract alternative names and timestamps from Linux PNG thumbnails as known from Ubuntu and Kubuntu distributions, desktop manager MATE and GNOME ThumbnailFactory during metadata extraction. The name of the original file is shown in square brackets in the Name column and the recorded timestamp of the original file is shown as a "Content created" timestamp. The complete path of the original file can be seen in the Metadata column.

  • More thorough extraction of embedded files in PE executables (not done by default, only if addressed via the file mask).

  • Exif metadata extraction revised.

  • Some improvements for file type verification.

File Carving

  • Option to show results of the file header signature search as child objects of existing files, not in the directory for carved files, if they were found within these other files.

  • A new "Special interest" entry allows you either to carve Google search URLs with "ei" parameters as files or (better) to output events with the timestamps contained in those parameters (if "Provide by-catch timestamps from various sources as events" is checked).

  • Better avoids false positives when carving files with support for NTFS compression enabled.

  • File carving for Outlook for Mac 2011 improved. 
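
Decoding the timestamp from a Google search URL's "ei" parameter, as an added Python example (not X-Ways code). The encoding is taken from published forensic analyses rather than from the newsletter: the value is URL-safe Base64 without padding, and its first four bytes are a little-endian Unix time in seconds; the remaining bytes are not interpreted here. The sample URLs are constructed, not captured.

```python
import base64
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse


def decode_ei(ei):
    """Unix time in the first 4 bytes (little-endian) of the base64url-decoded value."""
    raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    if len(raw) < 4:
        raise ValueError("ei value too short")
    secs, = struct.unpack("<I", raw[:4])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def encode_ei(when, tail=b"\x00" * 12):
    """Inverse of decode_ei; only used here to build constructed test data."""
    raw = struct.pack("<I", int(when.timestamp())) + tail
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def ei_events(urls):
    """(timestamp, url) for every Google search URL that carries a decodable "ei"."""
    events = []
    for url in urls:
        parts = urlparse(url)
        host = parts.hostname or ""
        if "google." not in host:
            continue
        for ei in parse_qs(parts.query).get("ei", []):
            try:
                events.append((decode_ei(ei), url))
            except ValueError:      # malformed or truncated value: no event
                pass
    return events


# Constructed sample: one hit, one Google URL without "ei", one non-Google URL.
SAMPLE_TIME = datetime(2014, 12, 13, 10, 30, tzinfo=timezone.utc)
SAMPLE_URLS = [
    "https://www.google.com/search?q=x-ways+forensics&ei=" + encode_ei(SAMPLE_TIME),
    "https://www.google.de/search?q=no+ei+parameter",
    "https://search.example.test/?ei=" + encode_ei(SAMPLE_TIME),
]

if __name__ == "__main__":
    for ts, url in ei_events(SAMPLE_URLS):
        print(ts.isoformat(), url)
```

The timestamp is the moment Google served the result page, so a URL carved from unallocated space or a cache file yields an event even when the browser history itself is gone.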

Memory Editor

  • Ability to list loaded modules above the 4 GB barrier in 64-bit processes with Tools | Open Memory. Ability to read and edit memory in such address ranges. Unicode support for process and module names and paths in the memory editor. Page boundaries are represented by horizontal lines. Boundaries that represent gaps between contiguous allocated regions are represented by darker horizontal lines. The Info Pane now shows more information such as the maximum address represented and the number of allocation gaps (= number of contiguous allocated page ranges - 1) as well as protection status and type of the currently displayed page. Several other minor improvements. Please note that you need to run the 64-bit edition to properly deal with 64-bit processes.

Usability

  • The ".." item at the top of the directory browser that appears when navigating within a volume from one directory to another is now optional. If displayed, it is now frozen at the top of the directory browser and does not scroll along with all the other items. And it now shows all the information on the directory that it represents (the one that you would navigate to if you double-click it), just like with all the other items in the directory browser.

    And a "." item is now also displayed optionally, representing the currently explored directory. Useful if for example you wish to see certain metadata (e.g. timestamps) of the parent object at the same time as metadata of its child objects. And if the . or .. item is a file and you select it, then you can now see that particular file in File, Preview or Details mode. And it is represented in Gallery mode.

  • When clicking any component of the current path in the caption line of the directory browser, this will now navigate directly to that directory (or file with child object) whose name you clicked.

  • Ability to toggle column visibility purely with the mouse, by clicking the column labels in Options | Directory Browser.

  • Modified unexpected behavior of the option "Full path sorting for parent objects".

  • The "Keep track of viewed files" option has been moved to Options | Viewer Programs.

  • Separate "Append type as extension if newly identified" checkbox for "Use associated program for viewing". Allows to more easily get Windows to run the right program for misnamed files, files without extension etc.

  • Option to specify a user-defined timeout in milliseconds for loading pictures with the internal graphics viewing library, in Options | Viewer Programs. 

  • Option to automatically create report table associations for files that have been added to an evidence file container.

  • When creating two copies of an image at the same time, ability to automatically verify both of them.

  • Chinese translation of the user interface updated.

Miscellaneous

  • When printing long paths on the cover page or at the top of the first page, such paths are now broken into multiple lines even if they do not contain any spaces.

  • Internal memory allocation tracking can now be enabled in Options | Security for debugging purposes.

  • Fixed inability to evaluate equations in templates depending on notation settings.

  • Containers of the old format (from more than 3 years ago) can no longer be created or further filled, but can still be used in cases as evidence objects.

  • New X-Tension function XWF_GetRasterImage. Provides a standardized true-color raster image representation for any picture file type that is supported internally in X-Ways Forensics (e.g. JPEG, GIF, PNG, ...), with 24 bits per pixel, with some powerful options.

  • Support for a variant of FAT12 and FAT16 file systems with unusual directory entries.

  • Many minor improvements.

  • Program help and user manual updated for v18.0.

Viewer Component

  • v8.5 of the viewer component was made available on July 27, 2014 to licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance.

  • Support has been added for AutoCAD 2013.

  • The LibreOffice 4.0 suite (Impress, Draw, Calc, and Writer) is now supported.

  • 64-bit zip compression is now supported in the zip input filter.

  • Input filter support for HTML5 and CSS2.1 tags and attributes related to email messages has been added.

  • Microsoft Visio 2010 is now supported.

  • From Microsoft Office 2013, Access, OneNote, and Visio are now supported.

  • From the Apple iWork suite, Pages (iPad) PDF Preview & Text, Numbers (iPad) PDF Preview & Text, and Keynote (iPad) PDF Preview & Text are supported.

  • From the WordPerfect X6 suite, Word Processor, Quattro Pro, and Presentations are supported.

  • Windows 8.1 is now an officially supported platform.

  • HTML tables, which were usually too narrow in previous versions, are now sometimes rather wide, and they always seem to trigger the display of a horizontal scrollbar, even when no scrolling capability is needed because the window is wide enough. Also, some inconsistent spacing and line breaks inside HTML table cells can be seen.

  • As always, please remember that different versions of the viewer component must reside in different directories. You must not copy the files of new version to an existing directory with a previous version because that does not necessarily overwrite all files and may cause error messages.

    The compressed size of the viewer component has grown by 34%, owing largely to a new file named oit_font_metrics.db, an SQLite font database whose exact purpose is yet to be determined and that at first sight seems to be optional.

  • As a user in Switzerland found out, v8.5 of the viewer component was unable to decode the text in PDF files created by Abbyy Fine Reader 11. Ordinary PDF files were processed normally. That was apparently fixed with v8.5.1, available since Nov 26, 2014. Other known improvements of v8.5.1 are that MHT files are no longer displayed with an e-mail header and allegedly support for Ichicatro 2014, though it is unknown what "Ichicatro 2014" is.

Licensing

  • Temporary licenses are now available on a daily basis as well. Those come in handy if you need to run the software on more computers at the same time than usual, such as for training purposes or if you wish to parallelize processing (keyword searches, volume snapshot refinements) of an unusually large or urgent case with X-Ways Forensics using multiple instances on multiple computers. Also useful and cost-effective when conducting triage on a large number of computers on site, i.e. where you have to quickly verify using special methods (keyword search, filename filter, skin tone computation on 10% of all pictures, ...) whether or not there is potential evidence on a computer, and depending on the result decide to acquire all its data on site, take the hardware away, or just leave the computer alone. 1 day of usage refers to a whole day (24 hours) in your time zone. Very cost-effective if you need many additional licenses for just a short time or very rarely.


Changes of service releases of v17.9:

  • SR-1: Fixed inability to filter by hash sets when the hash database was in use for matching in another instance.

  • SR-1: Fixed an exception error that could occur in the original 17.9 version when opening dependent viewer windows from within the viewer component or closing them.

  • SR-1: Fixed metadata representation of processes in Details mode in the 64-bit edition.

  • SR-1: Fixed inability to open dynamic volumes in certain situations.

  • SR-1: Fixed some minor memory leaks.

  • SR-2: Fixed HTML export highlighting for search hits in certain code pages.

  • SR-2: Files referenced in volume shadow copies are now typically shown again in their original directories, like in earlier versions.

  • SR-2: Fix and improvement for TAR carving.

  • SR-2: Some minor improvements and fixes.

  • SR-3: Fixed an exception error that could occur in SR-2 when opening certain volumes.

  • SR-4: Fixed an exception error that could occur when opening partitions of physical disks that were added to the case without parent disk.

  • SR-4: Prevented an error message that in certain situations incorrectly stated that the volume snapshot was changed from outside of the current session.

  • SR-4: No longer treats previously existing hash sets in the hash database as existing in certain situations.

  • SR-5: Fixed incorrect representation of metadata of processes in memory dumps in the 64-bit edition.

  • SR-5: Fixed incomplete NEAR combination of search hits in certain situations.

  • SR-6: Fixed an error in certain volume snapshots taken by the 64-bit edition of SR-5.

  • SR-7: Fixed misrepresentation of partition table entries in the 64-bit edition of SR-6 when deleted partitions were found.

  • SR-8: Fixed corruption of hash set names in certain situations in the 64-bit edition of recent service releases of v17.9 and v18.0 Preview. Garbled hash set names can be manually rectified with the Rename function.

  • SR-9: Fixed an instability problem that could occur when processing certain MBOX e-mail archives.

  • SR-9: Fixed swapped timestamps of files found in VSC.

  • SR-9: Prevents a possible exception error that might occur when parsing certain corrupt LVM2 configurations.

  • SR-9: Prevents a rare exception error that could occur when parsing corrupt .evtx event log files.

  • SR-9: Fixed a technical problem for a few dongle users.

  • SR-9: Registry keys in the registry viewer should now always be sorted alphabetically.

  • SR-9: Fixed an error in evidence file container creation in v17.9. (since Dec 4, 2014)

  • SR-10: When filling evidence file containers of the old format with v17.8 and v17.9 (a usually hidden option), parent directories were included more than once. That was fixed.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


There are still occasionally a few users who ask about a replacement for their lost dongle although they did not insure the dongle and although we say everywhere that we do not replace lost or stolen dongles if not insured against loss or theft.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Happy holidays / Merry Christmas to all readers and users!

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#141: X-Ways Forensics, X-Ways Investigator, WinHex 17.9 released

Oct 2, 2014

This mailing is to announce the release of another notable update with important improvements, v17.9.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Follow us on Twitter for occasional news and special offers https://twitter.com/XWaysSoftware


Upcoming Training

Toronto, Canada, Oct 3, 2014 (last minute tickets available)
Ottawa, Canada, Oct 6-10, 2014
Canberra, Australia, Oct 27-30, 2014
and London, England, Oct 27-Nov 5, 2014 (mega training event that includes the new X-Ways Forensics II training course, for experienced users and previous attendees of the regular X-Ways Forensics training!)

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v17.9?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

File Type Support

  • The gallery can now show thumbnails for any file type that is supported by the viewer component, including Office documents, PDF, HTML, e-mails, and pictures that the internal graphics viewing library cannot display (e.g. .emf, .wmf, ...)!

    You can choose between normal and shrunk thumbnails of documents. Shrunk thumbnails show much more detail from an original document and the original layout, but at the cost of readability. Larger fonts (in particular captions) in an original document, if not shrunk, are typically readable in the thumbnail and can already give you an idea what kind of document it is even if you don't view it, so you can more quickly find the documents that you are looking for. Plus, you will be able to see which documents can be nicely viewed with the viewer component at all. It is recommended to run X-Ways Forensics with Aero enabled in Windows when using the gallery.

    Files that are larger than 16 MB are not represented with a thumbnail, for performance reasons. X-Ways Forensics tries to abort the generation of a thumbnail if it takes longer than a few seconds. If the generation of a true thumbnail is unsuccessful, you may see a viewer component error message like "Operation cancelled" in tiny red letters in the thumbnail instead. If thumbnail generation is not even attempted by X-Ways Forensics, you will just see the filename and an icon.

  • Extraction of Internet Explorer browsing history from the Windows.edb database. Visited URLs are added to the event list as part of Windows.edb processing in "Uncover embedded data in various file types". The URLs remain in Windows.edb even after erasing the browser history in Internet Explorer.

  • Extraction of contacts from Windows Live Messenger's contacts.edb database, using the operation "Uncover embedded data in various file types".

  • Certain previously valid timestamps of files are now output as events during various suboperations of the particularly thorough file system data structure search on NTFS, depending on a new refinement option "Provide by-catch timestamps from various sources as events", which may also affect other operations whose primary purpose is not the retrieval of timestamps/events.

  • Support for big data records in registry hives in the registry viewer and registry report.

  • Support for the Windows 8 version and some other new variants of AppCompatCache in the Windows Registry.

  • The alternative e-mail preview now supports Base64-encoded e-mail bodies.

  • Ability to decode fully Base64-encoded files in the volume snapshot and provide the resulting binary as a child object as part of "Uncover embedded data in various file types", provided that the encoded file has "b64" in the Type column.

  • An updated version of MPlayer (named 2014) is now downloadable from our web site.

  • Longer filter expression for video file processing supported.

  • Fix for geo information in BlackBerry JPEGs.

  • Fixed an exception error that could occur when extracting metadata from PE EXE (RLL).

  • A stability issue in the parsing for binary PLists (BPLists) has been fixed which could occur with corrupted BPLists where the corruption took very specific forms.

  • Under certain circumstances, when exporting lists in XML format including the Metadata column, import as a spreadsheet in MS Excel led to an unhelpful structure. XML export has been improved to prevent this from happening.

  • Fixed a rare exception error that could occur when extracting metadata from .evtx Event Log files.

File System Support

  • The various optional suboperations of the particularly thorough file system data structure search in NTFS are now selectable more precisely, and in a child dialog window of the Refine Volume Snapshot dialog, and they now work much more efficiently on large volume snapshots.

  • Avoided inclusion of certain redundant files in the volume snapshot during FILE record searches.

  • Ability to filter for those 0x30 timestamps that do not predate their corresponding 0x10 counterparts. (Remember that this situation frequently occurs for various "natural" reasons, and only sometimes indicates malicious backdating.) Click the checkbox that is labelled with the "greater than" symbol to use this filter.

  • Extended attributes in NTFS are now optionally included in the volume snapshot as child objects of the directory or file to which they belong, with the name "$EA" and marked in the Attr. column with "($EA)". Either all such attributes (if the box in Options | Volume Snapshot is fully checked) or only non-resident ones (if half-checked, default). If none at all, the clusters that belong to non-resident extended attributes of existing objects will be covered by the virtual file "misc non-resident attributes" as before. (Background information: Microsoft uses extended attributes on system binaries as part of the secure boot components. Attackers have been using large extended attributes to hide malware in some high profile cases. Large extended attributes are still flagged automatically by report table associations as introduced with v17.5.)

  • Downloaded files in NTFS can now be more conveniently recognized because in newly taken volume snapshots their alternative data stream "Zone.Identifier" is represented as a report table association (see Options | Volume Snapshot). That means you do not need to navigate to the child object to find out what the child object might be. "ZoneId=3" as the name of the report table identifies files downloaded from the Internet.

  • Newly taken snapshots of Ext* volumes now include directories and files that are merely orphaned because of file system errors (no longer referenced by a directory higher in the hierarchy, not deleted).
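
Two of the checks above as added Python examples (not X-Ways code): the comparison of 0x30 ($FILE_NAME) timestamps with their 0x10 ($STANDARD_INFORMATION) counterparts, and classification of a file from its Zone.Identifier alternate data stream. Inputs are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC) and the raw stream text; parsing the MFT record itself is out of scope. All sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_changed", "accessed")
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def fn_not_before_si(si, fn):
    """Names of the 0x30 timestamps that do not predate their 0x10 counterparts.
    si and fn map FIELDS to FILETIME ints.  Frequent for harmless reasons
    (e.g. copy or restore tools rewriting $SI), but an $SI creation time older
    than its $FN twin is also exactly what user-mode backdating leaves behind,
    because SetFileTime changes $SI and normally cannot touch $FN."""
    return [f for f in FIELDS if fn[f] >= si[f]]


def parse_zone_identifier(stream):
    """Parse the INI-like Zone.Identifier ADS; ZoneId=3 marks Internet downloads."""
    info, section = {}, None
    for line in stream.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "ZoneTransfer":
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    if info.get("ZoneId", "").isdigit():
        info["ZoneId"] = int(info["ZoneId"])
        info["zone"] = ZONES.get(info["ZoneId"], "unknown")
    return info


# Constructed sample: the $SI creation time was set back 20 years by a
# timestomping tool; the other $SI timestamps were updated later by normal
# use; $FN still carries the real creation date for all four fields.
REAL_TIME = datetime(2014, 12, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_FN = {f: datetime_to_filetime(REAL_TIME) for f in FIELDS}
SAMPLE_SI = {f: datetime_to_filetime(REAL_TIME + timedelta(hours=1)) for f in FIELDS}
SAMPLE_SI["created"] = datetime_to_filetime(REAL_TIME.replace(year=1994))
SAMPLE_ADS = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
              b"ReferrerUrl=https://downloads.example.test/\r\n"
              b"HostUrl=https://downloads.example.test/tool.exe\r\n")

if __name__ == "__main__":
    print(fn_not_before_si(SAMPLE_SI, SAMPLE_FN))
    print(parse_zone_identifier(SAMPLE_ADS))
```

As the newsletter cautions, a hit from fn_not_before_si is a lead, not a verdict; the Zone.Identifier result, by contrast, is a direct statement by the downloading application about where the file came from.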

Disk Support

  • New variant of skeleton imaging called "snippet imaging". After invoking the File | Create Skeleton Image menu command, click the "Snippet imaging" button in the file selection dialog window. Any sectors that are being read by X-Ways Forensics from any disk or image while snippet imaging is active are written into separate files named after the sector number, with a .sector extension, in a subdirectory of the default directory for images named after the disk or volume. Contiguous sector reads are copied to a single file.

    Snippet imaging mode can be deactivated by invoking the File | Snippet Imaging menu command. Helpful in very specific situations only, for example for debugging purposes, when in need for very specific sectors only that are best located by the software automatically (e.g. data structures needed when opening a particular file). Compared to skeleton imaging, snippet imaging can be beneficial because no image file of the same size as the source disk is created. (Even if it's a nominal size only and the image is sparse, sparse does not help if the file needs to be sent via Internet or copied to a file system that does not preserve the sparse nature of the file.)

    Because of their compatible names, snippet image files can be directly used for sector superimposition. They can also be conveniently restored to other disks (all such files in the same directory at the same time) by clicking the new button "Snippet imaging" in the File | Restore Image dialog window.

  • New filename conventions for sector superimposition. The expected filenames are now of the form "n.sector", where n is the number of the start sector and the new extension is ".sector".

  • Tools | Disk Tools | Scan For Lost Partitions now supports disks with 4 KB sector size.

  • Ability to override the sector size in .e01 evidence files when interpreting the image/adding it to a case, as usual by holding the Shift key. Useful for incorrectly marked .e01 evidence files, to get the partition and file system interpretation right. Such erroneous .e01 evidence files can be the result of a conversion from an incorrectly interpreted raw image to .e01, of an incorrect sector size emulation by a USB adapter, or of previous cloning of a hard disk to another hard disk with a different sector size. If you override the sector size when adding an image to a case, that sector size will be remembered in the evidence object.

  • Checks for and warns of overlapping partitions when creating a cleansed image of a partitioned physical disk. Does not omit clusters in affected disk areas and recommends imaging the relevant partitions separately.

  • The 1st sector column now optionally shows physical start sector numbers for files in partitions (counted from the start of the physical disk or disk image) instead of logical start sector numbers, if the partition was opened from within the physical disk/disk image. In that case the column label contains a P in a circle (P for physical). Can be changed in the directory browser options dialog. Only for ordinary partitions, not Windows dynamic volumes or LVM2 volumes.

  • Filter for the 1st sector column. Allows you to focus on files whose contents start in certain sector ranges, for example to identify files that are definitely affected by known bad sectors or to identify files whose contents are stored past the end of a known incomplete image. Also allows you to focus on carved files that are either aligned at sector boundaries or not, for example after having run a file header signature search at the byte level, to remove garbage files, which are more frequently those that are not aligned.

  • The Go To Sector dialog, when applied to a physical disk, now optionally allows to jump to the designated sector within the respective partition window, so that you can immediately see the allocation status of the corresponding cluster. Only for ordinary partitions, not Windows dynamic volumes or LVM2 volumes.

  • Apple Core Storage (i.e. Lion FileVault) partitions are now identified in the Type column as "Core Storage".

Usability

  • Ability to use different versions of the viewer component for viewing on the one hand and decoding text on the other hand at the same time. You can now specify separate directories in the Options | Viewer Programs dialog window. This is useful to benefit from the extended file format support of the latest version 8.5 and at the same time employ the more reliable text decoding capabilities of the previous version 8.4.1 for PDF files produced by the OCR software Abbyy Fine Reader 11 and possibly others.

  • The number of active filters is now displayed in the caption line of the directory browser, next to the blue filter symbol on the left. Column-based and column-independent active filters are counted separately. Useful because there might be column-based filters active for columns that are not currently visible in the directory browser, and because active column-independent filters may otherwise be apparent only when checking the directory browser options dialog.

  • "Show user initials for report table associations" is now a 3-state option. If half-checked, it has an effect on the directory browser only, not for the Export List or Recover/Copy command for example and not in the case report.

  • Pseudo-hash values are now shown in the directory browser only, not in the output of the Export List command or in the case report any more.

  • Copy command in context menu of status bar in Details, Preview and Gallery mode.

  • The new columns with alternative timestamp can now be shown dynamically, i.e. only when items that have such timestamps are displayed in the visible portion of the directory browser.

  • All options related to Gallery mode have been moved from Options | General to Options | Viewer Programs.

  • The gallery now has its own "Dbl-click=View instead of Explore" 3-state option, analogously to the directory browser. By default, double-clicking will still mean View in the gallery.

  • When removing existing report table associations from selected files, they are now also removed from relatives of the selected files depending on the connection options of the report table (selected file, direct children, parent objects, known duplicates etc.).

  • The digit grouping option has moved from the Data Interpreter options to the general notation options and now has a global effect in the program.

  • Option to rename ordinary files in the volume snapshot, not just virtual and carved files, if the Shift key is pressed when a file is right-clicked. Although not exactly forensically sound when dealing with original evidence, this can prove helpful in special situations, for example if a filename or directory name is too long to copy a file out of an image etc. The original filename will be kept as the alternative filename. Note that this does not rename the file in the file system, only in the volume snapshot, i.e. the internal database in X-Ways Forensics about the file system.

Miscellaneous

  • New file carving flag "C" (upper case) introduced, which denotes file type signatures that should not be used to search for NTFS-compressed files if compensation for NTFS compression is active, because they are too weak and would yield too many false positives or would not be actually stored as compressed anyway.

  • New file carving flag "B" (upper case) introduced, which prevents a byte-level search for that particular signature, for performance reasons.

  • Improved file carving algorithm for zip.

  • The decomposition of V1 GUIDs into timestamp, sequence number and MAC address in the Data Interpreter as well as in templates is now optional. In the Data Interpreter options you can now choose to force the decomposition as before (fully checked) or prevent it (to always get the standard GUID notation in braces) or to see the decomposition only if the timestamp is not too implausible (half checked). The latter setting is helpful for example for Apple GPT values that claim to be V1 GUIDs, but contain twisted ASCII text instead of valid timestamps.
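The three-state behaviour described above, as an added Python example (not X-Ways code): a V1 GUID is split into its RFC 4122 timestamp, clock sequence and node fields, and the caller chooses whether to decompose always, never, or only when the embedded timestamp is plausible. The plausibility window (1980 to 2100) is this example's own assumption, not the Data Interpreter's rule; the sample values are the RFC 4122 DNS namespace UUID (a genuine V1 value from 1998) and Apple's Core Storage partition type GUID, whose time fields spell ASCII text.

```python
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122: the 60-bit timestamp counts 100 ns intervals since 1582-10-15 UTC.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
# Assumed window for "not too implausible"; tune to the case at hand.
PLAUSIBLE_FROM = datetime(1980, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2100, 1, 1, tzinfo=timezone.utc)

ALWAYS, NEVER, IF_PLAUSIBLE = "always", "never", "if_plausible"  # the 3 states


def decompose_v1(guid_text: str) -> dict:
    """Split a version 1 GUID into its RFC 4122 fields; raises for other versions."""
    u = uuid.UUID(guid_text)
    if u.version != 1:
        raise ValueError(f"not a version 1 GUID (version={u.version})")
    # time_hi_version carries the version nibble in its top 4 bits; mask it off.
    ticks = ((u.time_hi_version & 0x0FFF) << 48) | (u.time_mid << 32) | u.time_low
    when = GREGORIAN_EPOCH + timedelta(microseconds=ticks // 10)
    # clock_seq_hi_variant carries the 2 variant bits; the low 6 bits are clock seq.
    clock_seq = ((u.clock_seq_hi_variant & 0x3F) << 8) | u.clock_seq_low
    node = u.node.to_bytes(6, "big")
    return {
        "timestamp": when,
        "clock_seq": clock_seq,
        "mac": ":".join(f"{b:02x}" for b in node),
        # A set multicast bit marks a random node ID rather than a real adapter.
        "mac_is_random": bool(node[0] & 0x01),
        "plausible": PLAUSIBLE_FROM <= when < PLAUSIBLE_TO,
    }


def ascii_hint(guid_text: str) -> str:
    """Show the first 8 bytes of the GUID (time fields, as written) as ASCII,
    which makes 'twisted text' such as Apple's partition type GUIDs visible."""
    raw = bytes.fromhex(guid_text.replace("-", "")[:16])
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def interpret(guid_text: str, mode: str = IF_PLAUSIBLE) -> str:
    """Return the decomposed view or the standard brace notation, per mode."""
    braces = "{" + str(uuid.UUID(guid_text)).upper() + "}"
    if mode == NEVER:
        return braces
    try:
        d = decompose_v1(guid_text)
    except ValueError:          # not a V1 GUID: nothing to decompose
        return braces
    if mode == IF_PLAUSIBLE and not d["plausible"]:
        return braces
    return f"{d['timestamp']:%Y-%m-%d %H:%M:%S} UTC, seq {d['clock_seq']}, MAC {d['mac']}"


if __name__ == "__main__":
    samples = (
        "6ba7b810-9dad-11d1-80b4-00c04fd430c8",  # RFC 4122 NameSpace_DNS, genuine V1
        "53746F72-6167-11AA-AA11-00306543ECAC",  # Apple Core Storage type GUID
    )
    for g in samples:
        for mode in (ALWAYS, IF_PLAUSIBLE, NEVER):
            print(f"{mode:12} {interpret(g, mode)}")
        print(f"{'ascii':12} {ascii_hint(g)}")
```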

  • Ability to byte-wise reverse units of more than 2 or 4 bytes via Edit | Modify.

  • More thorough listing of DLLs of other processes in Tools | Open RAM in the 64-bit edition.

  • Many minor improvements.

  • Program help and user manual updated for v17.9.


Changes of service releases of v17.8:

  • SR-1: Accelerated hash set matching if hash values were computed before.

  • SR-1: Under certain circumstances, Exchange EDB databases were not processed by X-Ways Forensics, but ignored. That was fixed.

  • SR-2: Fixed incorrect encoding of spaces in filenames in case reports in v17.8.

  • SR-2: Supports :n parameters in the command line again as v17.5 and earlier did, to automatically open hard disk n (and optionally image it automatically).

  • SR-2: Fixed missing FAT32 volume label in Technical Details Report in some recent versions.

  • SR-2: Fixed inability to remove hash values from hash databases using certain import hash set files.

  • SR-2: Fixed display of certain double byte code pages in the text column.

  • SR-2: Fixed output of certain fields in case reports in v17.8, e.g. timestamps and matching hash sets.

  • SR-2: Prevented inclusion of invalid "Content created" timestamps in the volume snapshot.

  • SR-3: The specified maximum resulting file size for file carving is now ignored for file types with an internally implemented "~" algorithm. It now has an effect only on file types with a defined footer signature.

  • SR-3: Fixed inability of recent versions to carve zip archives with certain statistical properties.

  • SR-3: Fixed an interpretation error for Java Date+Time in v17.6 and later.

  • SR-3: Hash set matching in v17.7 and later did not work for selected files. That was fixed.

  • SR-3: Simultaneous hash set matching in multiple instances supported again.

  • SR-4: Fixed an exception error that could occur in the "jump-as-you-type" function.

  • SR-4: Fixed an exception error in XML export.

  • SR-4: Fixed inability to open dynamic volumes in certain situations.

  • SR-4: Fixed an error in the ability to delete hash values from hash sets.

  • SR-4: Fixed some inconsistencies in the handling of ANSI SQL and Java Date in the Data Interpreter.

  • SR-5: Fixed non-inclusion of file associations with freshly created report tables in evidence file containers.

  • SR-5: Fixed inability to import report table associations and comments from encrypted evidence file containers in certain situations.

  • SR-5: Minor fix and improvement for XML PList processing.

  • SR-5: The author, if extracted from an XML file in a zip-styled Office document, is now shown for the Office document file, not the XML file itself.

  • SR-6: Accelerated metadata extraction.

  • SR-6: Fixed an exception error that could occur when dealing with certain rare inconsistent FILE records in NTFS.

  • SR-6: Fixed output of some rare malformed .eml files during e-mail extraction.

  • SR-6: Certain e-mail messages created by Lotus Notes and received by Outlook that were not stored by Outlook in a consistent way were not presented correctly. That was fixed.

  • SR-6: Fixed inability to locate all LVM2 volumes in some situations.

  • SR-6: Fixed missing additional case open dialog for multiple simultaneous users in v17.8.

  • SR-6: Fixed an error in v17.8 that occurred importing an entire directory of hash sets or renaming a hash set.

  • SR-7: Revised date definitions for e-mails extracted from MSG.

  • SR-7: Fixed an error in the hash database handling in v17.8.

  • SR-8: Fixed an exception error that could occur when adding media whose model designation X-Ways Forensics could not determine to cases with active "Improved recognition of physical media".

  • SR-8: Accelerated byte-level JPEG carving in partitions with certain data.

  • SR-9: Fixed computed total capacity for certain internally reconstructed RAIDs.

  • SR-9: Fixed an error in the crash-safe text decoding option which could lead to incomplete decoding results in certain situations.

  • SR-10: The option "Omit directories" for logical searches did not have an effect for some file systems. That was fixed.

  • SR-10: Avoided unnecessary error messages when copying from a directory on a remote network drive to an evidence file container with certain settings.

  • SR-11: Fixed an instability in the Recover/Copy dialog window in SR-10.

  • SR-12: Fixed logical AND combination of associations with automatically generated report table.

  • SR-12: Fixed occasional inability to remove report table associations.

  • SR-12: More thorough support for certain Exif GPS data.

  • SR-12: Fixed an exception error that could occur when processing livecomm.edb files.

  • SR-13: Certain extremely fragmented files in NTFS volumes were not opened correctly in v17.7 SR-9 and SR-10 as well as v17.8 SR-6 through SR-12. That was fixed.

  • SR-13: Avoided garbage characters in the table "Partitions by disk signature" of the registry report in the 64-bit edition.

  • SR-13: Fixed an exception error that could occur when importing report table definition files whose names are enclosed in square brackets in v17.5 and later.

  • SR-13: Support for Apple partitioning on disks with a sector size of 4 KB.

  • SR-14: Fixed an error in the option to update existing hash sets in the hash database by importing a hash set of the same name. v17.8 SR-13 was marked as expiring, so it needs to be replaced now with v17.8 SR-14 or v17.9.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#140: X-Ways Forensics, X-Ways Investigator, WinHex 17.8 released

Jul 7, 2014

This mailing is to announce the release of another notable update with many improvements, v17.8.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.8 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Now on Twitter: https://twitter.com/XWaysSoftware


Upcoming Training

Canberra, Australia, Jul 28-31, 2014
Chicago area, IL, Sep 8-12, 2014
Calgary, Canada, Sep 22-26, 2014
Toronto, Canada, Sep 29-Oct 3, 2014
Ottawa, Canada, Oct 6-10, 2014
Los Angeles, CA, Oct 13-17, 2014
and London, England, Oct 27-Nov 5, 2014 (mega training event that includes the new X-Ways Forensics II training course, for experienced users and previous attendees of the regular X-Ways Forensics training!)

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v17.8?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Searching

  • Option to apply logical simultaneous searches to various metadata of files in addition to the file contents. More precisely, they can be applied to the cells of any selected directory browser column such as Name, Author, Sender, Recipients or Metadata. That can spare you from pasting your keywords in the filter dialogs of various directory browser columns. That methodology is also more thorough because all the text addressed by this new feature is searchable in UTF-16, whereas elsewhere the same data may be fragmented (e.g. filenames in particular in FAT), specially encoded (e.g. sender and recipients as quoted printable in e-mails), compressed, or stored in unexpected code pages. It is also convenient because any hits will be presented in the same fashion and listed like ordinary search hits in file contents, just specially marked in the search hit description column with the name of the column to which the text containing the search hit actually belongs, and highlighted in a different color. You can also filter for search hits in metadata.

    When selecting search hits in metadata, they are automatically searched for and highlighted in Details mode, just as ordinary search hits in file contents are automatically searched for and highlighted in Preview mode.

    Note that the simultaneous search in metadata does not search in additional cell text that is displayed in a different color, such as alternative filenames and file counts in the Name column.

  • Option to sort search hits by their data and context instead of just by the search terms to which they belong. Helpful for keyword searches (not for technical searches, e.g. for hex values). Can be enabled in the dialog window Options | Directory Browser | [x] Advanced sorting (slower) | ... and is indeed slower, since the data and context of all search hits to sort have to be read and converted to a comparable code page.

    Sorting by the data in search hits helps for GREP searches. It makes a difference only for GREP expressions that match variable data, as for constant search terms the search terms and the data in their corresponding search hits are identical. For example, after searching for e-mail addresses with the expression [a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}, sorting by the data allows you to quickly identify and visually skip groups of identical e-mail addresses or see similar e-mail addresses (starting with the same characters) next to each other.

    Continuing sorting by the text that follows the actual search hit if the search hit data is the same will show identical or similar text passages next to each other and allow you to more quickly review the search hit list.

    You can specify how many characters of data and context to take into account for sorting. The more characters, the more memory is needed for sorting, which can make a difference when listing a huge number of search hits.
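The sorting described above, as an added Python example (not X-Ways code): the page's e-mail GREP expression is run over a few constructed "files" stored in different code pages, every hit is converted once to a comparable form, and hits are then sorted by their data first and by the text following them second, with the amount of context as a parameter. The file names, contents and code pages are constructed for the example.

```python
import re
from dataclasses import dataclass

# The GREP expression for e-mail addresses quoted in the text.
EMAIL_GREP = re.compile(r"[a-zA-Z0-9_\-\+\.]{1,20}@[a-zA-Z0-9\-\.]{2,20}\.[a-zA-Z]{2,7}")

# Constructed sample "files" with their code pages. The same addresses
# recur in different letter case and in both 8-bit and UTF-16 storage.
SAMPLE_FILES = {
    "notes.txt": ("utf-8", "Contact Alice.Smith@example.org about the invoice; "
                           "cc alice.smith@example.org for the PO.\n"),
    "draft.eml": ("utf-8", "From: bob@example.net\nTo: alice.smith@example.org\n"
                           "Subject: invoice\n"),
    "chat.db": ("utf-16-le", "ping bob@example.net re: PO 4711; "
                             "alice.smith@example.org said ok\n"),
}


@dataclass(frozen=True)
class SearchHit:
    file: str
    offset: int    # byte offset of the hit within its file
    codepage: str
    data: str      # matched text, decoded to str (the comparable form)
    context: str   # text following the hit, decoded and truncated


def find_hits(files: dict, pattern: re.Pattern, context_chars: int) -> list:
    """Run the expression over each file in its own code page and keep
    context_chars characters of following text per hit. More context means
    finer sorting but more memory per hit, as the text notes."""
    hits = []
    for name, (cp, text) in files.items():
        raw = text.encode(cp)          # what is actually stored on disk
        decoded = raw.decode(cp)       # converted once to a comparable form
        for m in pattern.finditer(decoded):
            # Map the character index back to a byte offset in the file.
            offset = len(decoded[:m.start()].encode(cp))
            hits.append(SearchHit(name, offset, cp, m.group(0),
                                  decoded[m.end():m.end() + context_chars]))
    return hits


def sort_key(hit: SearchHit) -> tuple:
    """Hit data first (case-insensitively, so Alice.Smith@... and
    alice.smith@... end up together), then the text that follows the hit,
    then a stable tie-break on location."""
    return (hit.data.casefold(), hit.context.casefold(), hit.file, hit.offset)


def sort_hits(hits: list) -> list:
    return sorted(hits, key=sort_key)


def grouped_by_data(hits: list) -> list:
    """Runs of identical hit data in the sorted list as (address, count),
    i.e. the groups a reviewer can skip at a glance."""
    groups = []
    for h in sort_hits(hits):
        key = h.data.casefold()
        if groups and groups[-1][0] == key:
            groups[-1][1] += 1
        else:
            groups.append([key, 1])
    return [tuple(g) for g in groups]


if __name__ == "__main__":
    hits = find_hits(SAMPLE_FILES, EMAIL_GREP, context_chars=40)
    for h in sort_hits(hits):
        print(f"{h.data:28} {h.file:10} @{h.offset:<4} {h.codepage:9} {h.context!r}")
    print(grouped_by_data(hits))
```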

  • Ability to filter search hits by the textual context around them (up to ~1000 bytes each left and right) using a user-specified keyword.

  • The maximum amount of context around search hits when exporting them in HTML or TSV format is now 2x ~1000 bytes as well (500 before).

  • User search hits are now marked with an icon representing users. Notable search hits and user search hits can now be filtered using the Search hits column filter.

Usability

  • A new multi-user support option synchronizes certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. Can have some performance benefits if disabled. Disabling this synchronization is recommendable only for cases that are definitely only processed by 1 user at a time. This is a substitute for one of the effects of the now removed option "Extended multi-user coordination" from previous versions.

  • Since v17.5, X-Ways Forensics recognizes users by their SIDs and distinguishes between them (and their findings). This is now optional in newly created cases and can be disabled in the multi-user support options dialog when creating a new case. Useful if you know that only you will process that case and if you wish to process it on different computers where you have Windows accounts with different SIDs, so that you will always be treated as the same user. Also useful if multiple users are going to process the same case at different times and wish to share all their results, as in X-Ways Forensics before v17.5.

  • Option to limit the import of another user's search hits to search hits that are marked as notable or to that user's manually defined search hits (so-called user search hits).

  • Option to take away the search hits from the other user when importing them. Useful if the other user is going to resume his work later and will want to import *your* search hits back when he or she is taking over again, to avoid duplications of search hits, because your search hits include his or her hits after you have imported them.

  • Ability to expand or collapse the entire file type tree in the dialog window for the file header signature search and file recovery by type. Useful because when expanded you can just type the first few characters of the file type description to automatically jump to the first matching item in the tree.

  • Ability to conveniently load keywords from a text file into the Name filter and save them directly from the dialog window.

  • Ability to omit child objects and/or excluded files when running an X-Tension on selected files.

File System Support

  • New directory browser columns named Created?, Modified?, and Record changed? introduced, showing alternative creation, last modification and last FILE record/Inode change timestamps. Specialist license or higher. For NTFS, they are populated in newly taken volume snapshots with timestamps from the 0x30 attribute and represent previously valid timestamps from when a file was last renamed or moved, or possibly before some backdating operation occurred. Backdating operations are often applied by setup programs and also Windows itself (the infamous Creation timestamp tunneling effect, http://support.microsoft.com/kb/172190), and of course potentially by ordinary application programs as well as by users for various legitimate or less noble purposes. Note that these columns are populated only if these previously valid timestamps are actually different from their current counterparts, and additionally Modified? and Record changed? only if different from Created?, to avoid cluttering the screen unnecessarily. That means any timestamp that you see there actually contains additional information and is not redundant.

  • Created? is also populated for HFS+ file systems, with the relatively new "Added date" timestamp from Mac OS X Lion and later as well as iOS, where available and if different from the regular Created date. That timestamp specifies when a file was added to the particular directory in which it is contained, even if originally created earlier. "Added date" timestamps in HFS+ are also output as events.

  • All ? timestamps shown in the directory browser are now also preserved in evidence file containers.

  • NTFS last access timestamps are now displayed in gray if identical to the creation timestamp, as that on most systems likely means that these timestamps are simply not maintained and thus not very significant.

  • Volume shadow copy exploitation revised.

  • Sparse files are now represented with a tilde (~) instead of the word "sparse" in the Attr. column. It is now possible to set the sparse attribute to any existing file on your own drive or remove that attribute via the File | Properties dialog window, as always by pressing the Enter key while the edit box in which you made changes has the input focus. Please note that setting or removing the attribute does not necessarily change the allocation status of already assigned clusters, but will definitely have an effect on newly assigned clusters when you expand the file, by setting a larger file size in the same dialog window.

File Type Support

  • Support for a relatively new Windows registry format specialty found for example in Windows 7 AppCompatCache keys.

  • Support for the Windows 8 successor of AppCompatCache, i.e. the Amcache.hve hive, using a dedicated registry report definition file named "Reg Report Amcache.txt", which allows you to produce a report and extract related special events.

  • File type verification updated.

  • Support for nested e-mails when embedding attachments in parent .eml file.

  • More complete artificial headers for sent e-mails from Exchange databases, which allow to properly reference attachments in the .eml representation.

  • Support for another thumbs.db format variant.

C4All

The popular C4All program, used by law enforcement and others worldwide to categorize pictures and videos, is now available as an X-Tension, from the C4All forum and here, for free. For v17.7 SR-5 and later. About 6 times faster in X-Ways Forensics than in competing software! Thanks to Steve Frawley, D. F., and Trevor F. for their great work. The downloadable guides describe how to best use the X-Tension with the strategy hash sets, but your own hash sets can be used as well.

Benefits of the X-Tension, showcasing the advantages of X-Tensions in comparison to scripts in other forensic software:

  • Fewer steps to follow than original C4All process.

  • Speed, speed, speed.

  • Even faster if run locally and saved locally, up to 30 GB/min speeds on SSD drives observed.

  • Crash protection, using X-Ways Forensics' ability to resume if there is a crash during preparation of data.

  • If the X-Tension is interrupted, there is the option to resume, start new or, if needed, just make a new XML file.

  • Ability to filter out irrelevant files and false positive carved files before C4All extraction.

  • Hash sets are connected to X-Ways and not SQL server (this allows for known irrelevant files to be excluded from extraction).

  • Hash sets are transferable by simply copying the folder and pointing X-Ways Forensics to the storage location; no need to wait all day for the database to be created.

  • Ability to use your own hash sets, up to ~65,000.

  • Better resulting folder structure, especially when run against many evidence objects in one case.

  • Results can be extracted from C4All in HashKeeper format, to be easily brought back into the X-Ways Forensics case; no need to run any bookmarking script.

  • Thumbnails are extracted from files that include thumbnails or are created by X-Ways Forensics itself, and if thumbnails exist in a file it is not used twice, reducing duplicate files.

  • When processing, all functions of X-Ways Forensics are available during X-Tension run phase.

  • Able to use X-Ways Forensics' reporting features for court and presentation.

  • Video stills extracted from within X-Ways Forensics.

VirusTotal X-Tension

This new X-Tension allows an examiner to check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the messages window. Note that this does not submit the file to VirusTotal, it only checks to see if an existing report exists for a given file's hash value and retrieves the results. All checks are performed via SSL. X-Tension available from here. Developed and tested with X-Ways Forensics 17.7, but should work with any version past v16.9. Thanks a lot to Chad Gough for this effort, based on his own C# adaptation of the X-Tension API.

Miscellaneous

  • Ability to export the category statistics of listed files via the Category column's filter popup menu if the Category filter is not active, as tab-delimited text.

  • The folder for templates, X-Tensions and scripts may now be a relative path. Previously only "." was supported.

  • In previously taken volume snapshots of HFS+ file systems, the contents of files with a hard-link count of 1 were not accessible if such files had an associated iNode file. That was fixed. Such files that unexpectedly have an associated iNode file are now marked with a ? in the Link count column.

  • The columns "Term count" and "Search terms" were populated only after the search hit list for an evidence object had been displayed once. That was fixed.

  • Many minor improvements.

  • Program help and user manual updated for v17.8.


Changes of service releases of v17.7:

  • SR-1: After using the [x] "Replace evidence object with image" option of disk imaging with active [x] "Improved recognition of physical media", partitions could not be opened any more until the image was removed from and added back to the case. That was fixed.

  • SR-1: Fixed inability of the Exchange EDB extraction to use a folder for temporary files on a network drive.

  • SR-1: Fixed inability to select hash sets for filtering when the hash database was in use already.

  • SR-1: Fixed an exception error that could occur when extracting metadata from certain SQLite databases in some rare constellations.

  • SR-1: Slightly more thorough processing of volume shadow copies.

  • SR-2: Fixed an exception error that could occur in some random situations when creating registry reports.

  • SR-3: Fixed inability of v17.6 and later to read sectors of all disks when just 1 disk was inaccessible.

  • SR-3: Fixed inability of v17.6 and later to automatically add multiple decompressed hiberfil.sys files to the same case as evidence objects.

  • SR-3: Fixed misrepresentation of alternative filenames for volume shadow copy host files that reference recycle bin files in v17.6 and later.

  • SR-3: Fixed unnecessary "device not ready" error message for optical drives.

  • SR-3: New flag 0x10 supported for the XWF_OpenItem X-Tension function: open alternative file data if available, and fail if not.

  • SR-4: Fixed uninherited deletion statuses of e-mail attachments in original .eml files, DBX and MBOX.

  • SR-4: Fixed a rare infinite loop when taking a volume snapshot of Ext4 file systems.

  • SR-4: Fixed inability to determine original filenames for thumbnails from thumbcache*.db in certain cases.

  • SR-4: Fixed missing case association of automatically re-opened partitions when restarting the program or using the File menu history.

  • SR-5: Fixed inability of the Registry Viewer in v16.9 and later to show extended key information and value sizes and to highlight values in File mode for additionally loaded hives beyond the first one.

  • SR-5: X-Tensions API: New flags "Flagged" and "Selected for operations" supported in XWF_GetEvObjProp.

  • SR-6: Fixed an error of missing search hits representing block hash matches.

  • SR-6: Fixed an exception error that could occur when deleting duplicate block hash matches.

  • SR-7: Fixed an error that could occur under certain circumstances in video processing when working with a relative MPlayer path.

  • SR-7: Tries to avoid a potential time-out error that may have occurred when searching in extremely large indexes.

  • SR-7: Fixed an exception error that could occur when automatically adding known duplicates of selected files to report tables.


The X-Ways Forensics Practitioner's Guide won the “Best Digital Forensics Book of the Year” award at the DFIR Summit 2014 in Austin, TX.



Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#139: X-Ways Forensics, X-Ways Investigator, WinHex 17.7 released

May 13, 2014

This mailing is to announce the release of another notable update with many improvements, v17.7.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.7 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Austin, TX, May 19-23 (waiting list)
Cambridge, England, Jun 10-13
Ottawa, Canada, June 16-20 (long waiting list)
Norwalk, CT, Jun 23-27
Chicago, IL, Sep 8-12
Toronto, Canada, Sep 22-26

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


What's new in v17.7?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Usability

  • Ability to output dates in the directory browser and in some other parts of the user interface in a nicer, longer and more locale-specific notation, which can include the weekday and the name of the month in your language or in English. That format is also Unicode-capable, which allows, for example, the original Chinese notation of dates. See Options | General | Notation. Please see http://msdn.microsoft.com/en-us/library/dd317787%28v=vs.85%29.aspx for complete documentation of the possible notation.
    Examples of how to represent the month (in English): MMMM = April, MMM = Apr, MM = 04, M = 4.
    Example of a complete format: d/MMM/yyyy (ddd) = 2/Apr/2014 (Wed)

  • New Directory Browser option for advanced sorting of the Name column. Takes 4 to 6 times longer than the highly optimized standard Unicode sorting of previous versions (noticeable when sorting millions of files), but has several useful settings and characteristics:
    - Language-specific character equivalence rules (treat ß like ss, treat é similar to e, ü similar to u etc.)
    - Linguistically improved case insensitivity
    - Special treatment of hyphens and apostrophes (they are treated differently from other non-alphanumeric characters to ensure that words such as "coop" and "co-op" stay together in a sorted list).
    - Treat decimal digits as numbers, e.g. sort "2" before "10" (not useful for hexadecimal notation, available under Windows 7 and later only)
    - Treat half-width and full-width characters the same (full-width characters are sometimes used by East Asians when writing English language letters)
    - Ignore kana type (treat corresponding Japanese hiragana and katakana characters the same)

    Advanced sorting depends on the regional settings of the currently logged-on user. For example, if the regional settings of a Nordic country are active, Å comes after Z, as defined in the alphabets of that region, otherwise near A, as perhaps expected by non-locals. Advanced sorting rules are also applied when sorting search hits by the Search Hit column.

  • Files that are included in an evidence file container without contents, merely so that the full original path of the child objects they contain can be shown, are now displayed in the directory tree.

  • The active display time zone of the active case or of any evidence object is now shown directly on the button in the properties dialog window.

  • Creating report table associations at the same time for known duplicates of directly targeted files now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.

  • When files are viewed that have duplicates, marking the duplicates as already viewed as well now no longer only works within the same volume snapshot, but within the volume snapshots of all open evidence objects.

  • Ability to import multiple selected hash set files at a time.

  • Ability to efficiently delete individual hash values from an existing hash set, by importing a hash set file (simple 1-column format, 1 hash value per line), where the hash values to delete must be listed first and must be prepended with a minus sign ("-"). The file must have the same name as the existing hash set that you wish to update (additional filename extension allowed).

  • Not all users are aware that when original paths of files in evidence file containers are recreated, the parent objects of files in files are included (and need to be included) in the container even if not selected themselves, just to guarantee that the child objects are shown with their complete, correct path. These parent files are of course included without file contents, just with file system metadata, as can be seen for example in the Attr. column. Such metadata-only parent files are now no longer listed in containers when exploring recursively, just like directories, because in the container they function like mere directories, even though they were real files in the source file system. They were not deemed relevant by the creator of the container (as they were not selected for inclusion themselves), so it is more logical that such files are listed only if users explicitly wish to list directories even when exploring recursively (one of the directory browser options). At least this will avoid some confusion and user questions.
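The 1-column hash set update format described above (deletions first, each prefixed with "-", then values to add, in a file named after the hash set) can be validated before importing it. The following is an added example, not code from X-Ways; the name-matching rule in update_file_matches_set and the constructed MD5 values are assumptions, not the product's own behaviour.

```python
import re

# One hex digest per line, as in the simple 1-column hash set file format.
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_hash_set_update(text):
    """Parse the update format: optional deletions first, each prefixed with
    "-", followed by plain hash values to add.

    Returns (to_delete, to_add), both lists of lowercase hex strings.
    Raises ValueError if a deletion follows an addition (the format requires
    deletions to be listed first) or a line is not a hex digest.
    """
    to_delete, to_add = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no value
        if line.startswith("-"):
            if to_add:
                raise ValueError(
                    f"line {lineno}: deletions must be listed before additions")
            value, target = line[1:].strip(), to_delete
        else:
            value, target = line, to_add
        if not HEX_RE.match(value):
            raise ValueError(f"line {lineno}: not a hex hash value: {value!r}")
        target.append(value.lower())
    return to_delete, to_add


def is_valid_update(text):
    """True if the update file parses cleanly (quick pre-import check)."""
    try:
        parse_hash_set_update(text)
        return True
    except ValueError:
        return False


def apply_hash_set_update(existing, text):
    """Apply an update file to an existing hash set (any iterable of hex
    strings). Returns (updated_set, unknown_deletions): the new set and the
    deletion requests that matched no existing value, so typos or a file
    aimed at the wrong hash set become visible."""
    to_delete, to_add = parse_hash_set_update(text)
    updated = {h.lower() for h in existing}
    lengths = {len(h) for h in updated} | {len(h) for h in to_delete + to_add}
    if len(lengths) > 1:
        # MD5 (32 hex digits) and SHA-1 (40) must not be mixed in one set
        raise ValueError(f"mixed hash lengths in one hash set: {sorted(lengths)}")
    unknown = [h for h in to_delete if h not in updated]
    updated.difference_update(to_delete)
    updated.update(to_add)
    return updated, unknown


def update_file_matches_set(filename, set_name):
    """Assumed matching rule (an assumption, not documented behaviour): the
    update file carries the hash set's name, optionally with an extra
    extension, e.g. "Known Good.txt" updates the set "Known Good"."""
    return filename == set_name or filename.startswith(set_name + ".")


# Constructed sample hash set (MD5 digests) and update file for illustration.
SAMPLE_SET = {
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of an empty file
    "0123456789abcdef0123456789abcdef",  # constructed
    "fedcba9876543210fedcba9876543210",  # constructed
}
SAMPLE_UPDATE = """\
-0123456789ABCDEF0123456789ABCDEF
-00000000000000000000000000000000

11111111111111111111111111111111
"""

if __name__ == "__main__":
    new_set, unknown = apply_hash_set_update(SAMPLE_SET, SAMPLE_UPDATE)
    print(sorted(new_set))
    print("deletions without a match:", unknown)
```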

Directory Browser

  • The header of the Name column now allows you to tag or untag all listed items with a single mouse click. It also indicates whether there are any tagged or untagged items among the listed items.

  • The number of listed tagged files is now displayed in the caption line of the directory browser if any tagged files are listed.

  • Tagging and excluding recursively are now two separate options.

  • Greatly accelerated recursive tagging, untagging, excluding and including of a large number of selected files, which previously was potentially very slow in large refined volume snapshots.

  • Ability to specifically filter for 0x30 timestamps in the event list, using the event type filter.

  • If an original name is found for a file in the Windows recycle bin or in an iPhone backup during metadata extraction, that name is displayed in the Name column with the current unique name in square brackets. The current unique name is now also shown in square brackets in the case report. Both names are targeted by the Name filter.

  • If the parent file of a file in a file has been assigned to one or more report tables by the user, then this will now be pointed out in the "Report table" column for the child object as well, in gray color and with an arrow. Reminds the user that the parent was reviewed and marked as relevant already, which can spare him or her the extra step of navigating to the parent again.

  • Tentatively extended the amount of text that can be pasted into the Name filter to 2 million characters (30,000 before). That doesn't guarantee that X-Ways Forensics can efficiently use a filter with many tens of thousands of characters or more. When in doubt, use the "Match against full name" option, not the substring search.

  • Directory browser column widths and the column order are now stored in cases as well as in .settings files along with filter and sort settings.

  • New investigator.ini option +53 that prevents storing directory browser column widths, column order, filter and sort settings in cases.

  • Larger tooltip for cells with a lot of text, e.g. in the Metadata column.

  • Excluding files in search hit lists and event lists now has an immediate effect (if excluded files are actually filtered out) and usually auto-selects the next remaining search hit or event in the list. Very useful to quickly get rid of all listed search hits in files that are identified as irrelevant.

Disk & Image Support

  • When creating a new case, you now have the option to make X-Ways Forensics recognize evidence objects that are physical media (not images) by their own, inherent properties, not by the disk number assigned by Windows, which can change when replugged. Using this option will prevent earlier versions of X-Ways Forensics from opening the case. The advantage of this option is that you may add multiple hard disks or external USB disks or sticks to the case that are attached to the computer at different times and get the same disk number assigned by Windows. Another advantage is that if the number of the same disk as assigned by Windows changes, X-Ways Forensics will still recognize the disk. Useful especially for triage, when not working with images. Please note that X-Ways Forensics may be unable to recognize external media already known to the case if next time they are attached through a different hardware write blocker. In that situation you can use the "Replace with new disk" command in the evidence object context menu to point X-Ways Forensics to the correct disk.

    Just as a reminder: You can open an evidence object even if the disk is not currently attached to the system, just to see and work with the volume snapshot, using a command in the evidence object context menu.

  • Ability to schedule in advance subsequent disk imaging operations in additional instances that will wait until already ongoing imaging operations in previous instances have completed, to avoid inefficient simultaneous creation of multiple images on the same output disk (which is unnecessarily slow and produces highly fragmented image files).

  • Automatic detection of some full disk/partition encryption types.

  • Option to abort copying files into an evidence file container upon a read error and to not include affected files partially. Useful when acquiring files from a network location where the connection might be interrupted, if you assume that in that case you will get the connection back and will be more successful when you try again; this avoids having incomplete files in the container, which cannot be replaced with a complete copy retroactively. Available only when not filling containers indirectly.

  • Avoided a rare exception error that could occur when parsing corrupt LVM2 partitioning data structures.

File Type Support

  • Revised Exchange database extraction (up to version 2007) with improved support of internal e-mail communication and a wider set of metadata.

  • Improved presentation of e-mail extracted from Outlook PST/OST archives that contain forwarded other e-mail messages as attachments.

  • Recover/Copy: Improved ability to embed attachments in e-mails that originally did not reference any attachments.

  • Log-on events in Windows event logs are now presented in the event list with domain name, log-on ID and IP address when available.

  • Support for the MacOS X artifact .DS_Store, which helps to analyze recycle bin activity.

  • New file type category "Address Book".

  • Better support of Samsung and Nokia .tec graphics files.

  • Metadata extraction from RecentFilecache.bcf, an important Windows 8 artifact.

  • Report table associations for e-mail messages with recipients on Bcc:.

  • Revised file type definitions and signatures.

X-Tensions API (details here)

  • New X-Tension functions XWF_GetReportTableInfo, XWF_GetEvObjReportTableAssocs, XWF_GetExtractedMetadata, XWF_AddExtractedMetadata, XWF_GetMetadata, XWF_GetFileCount, XWF_GetSearchTerm, XWF_GetBlock and XWF_SetBlock

  • New XWF_GetItemInformation capability added: XWF_ITEM_INFO_EMBEDDEDOFFSET. 2 more flags for XWF_ITEM_INFO_FLAGS. 0x00100000 flag of XWF_ITEM_INFO_FLAGS now deprecated.

  • Parameters for XWF_OpenItem defined.

Miscellaneous

  • Accelerated multi-threaded block hash matching.

  • Recover/Copy: Ability to group output files in directories by the search terms that they contain according to the Search terms column.

  • Recover/Copy: Option to name output files after their unique ID. Available only when copying without original path, selectable when clicking the "..." button.

  • Special paragraph in Details mode about previous names and paths of files, if known.

  • Data Interpreter option for a binary representation of 16 or 32 bits instead of just 8 bits.

  • Many minor improvements.

  • Program help and user manual updated for v17.7.


Changes of service releases of v17.6:

  • SR-1: Fixed an obscure heap overflow exception error that could occur when using the hash database in v17.6.

  • SR-1: Fixed disarranged Search menu in the regular version of WinHex in v17.6.

  • SR-2: Fixed faulty utilization of the header size in RAID reconstruction in some recent versions.

  • SR-2: Floating point error in Apple bookmark processing fixed.

  • SR-2: Some type detection problems fixed (e.g. .thumbsw7).

  • SR-2: Fixed an error that could occur when importing search hits from another user in a case with extended multi-user coordination.

  • SR-2: In newly created cases, the status of the option "Auto-detect deleted partitions" now remains frozen forever to prevent the situation of being unable to open partitions that were once auto-detected, but no longer are.

  • SR-2: If you prefer to have a single-column search term list as in v17.5 and earlier, you can change the byte at offset 15414 in your WinHex.cfg from 0x00 to 0x01. One way to ensure that this change is not overwritten by X-Ways Forensics is to do it when Options | General | [ ] "Save program settings in .cfg file" is unchecked.

  • SR-3: Fixed an instability error that could occur when Recover/Copy embedded attachments in .eml files.

  • SR-3: Multi-user coordination: More immediate ability to import another user's search hits, when his or her search has just completed.

  • SR-3: File type verification slightly revised.

  • SR-3: Fixed a read or exception error that could occur when running a file header signature search with compensation for NTFS compression.

  • SR-3: Fixed an exception error that could occur when uncovering embedded data in Windows.edb files.

  • SR-3: Fixed an error that could occur when uncovering embedded thumbnails from certain malformed JPEG files.

  • SR-3: Fixed an error in the hash database.

  • SR-3: Recover/Copy no longer optionally reflects missing original timestamps by setting the corresponding timestamps of output files to Jan 1, 1601 in NTFS. Unsuspecting users were using faulty video playing software, did not read the program help or user manual topic about the Recover/Copy function and messaged us instead of the developers of the other software that refused to open files with such timestamps.

  • SR-4: Fixed an instability problem that could occur in v17.6 when extracting metadata from files larger than 2 GB.

  • SR-4: Some fixes in uncovering embedded data in PE EXE and other files.

  • SR-5: Fixed an exception error that could prevent uncovering embedded data in some Windows.edb files.

  • SR-5: Fixed faulty utilization of the header size in RAID 5 reconstruction with 1 missing component in some recent versions.

  • SR-5: Fixed "Unable to read (1)" error in the gallery for photos from which original embedded thumbnails have been uncovered and additional thumbnails have been created by X-Ways Forensics itself to accelerate the gallery.

  • SR-5: Fixed an error in the gallery of the Case Root window that could lead to the representation of a picture with a wrong thumbnail.

  • SR-5: Fixed an exception error that could occur when changing the sort order in the directory browser while the gallery was being populated.

  • SR-6: Provides modification dates for more extracted e-mail messages.

  • SR-6: Slightly improved internal graphics viewing library.

  • SR-6: Fixed an infinite loop that could occur when generating the registry report.

  • SR-6: Fixed stability errors that could occur when processing certain MSG/MBOX/DBX e-mail archives.

  • SR-6: Fixed reported Windows installation language in the registry report.

  • SR-6: Fixed missing value output in registry viewer after extracting metadata from registry hives.

  • SR-7: Prevented a message box from popping up repeatedly when applying simple text and hex searches to all open windows.

  • SR-7: "Export subtree" command now supports larger subtrees.

  • SR-7: Fixed a possible infinite loop when processing certain registry hives.

  • SR-7: Fixed an exception error that could occur when extracting metadata from OLE2 Office documents.

  • SR-7: More accurate representation of different recipient types in sent (not received) e-mails extracted from Outlook e-mail archives.

  • SR-7: Fixed incorrect representation of alternate filenames in the Name column after metadata extraction.

  • SR-7: Some minor fixes.

  • SR-8: In certain situations the associations of search hits with their corresponding search terms were potentially lost in some evidence objects after deleting search terms. That was fixed.

  • SR-8: Fixed a crash in v17.6 that could occur when viewing pictures while the gallery was being populated.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany


#138: X-Ways Forensics, X-Ways Investigator, WinHex 17.6 released

Mar 26, 2014

This mailing is to announce the release of another notable update with many improvements, v17.6.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed; other licensed users can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.6 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Toronto, Canada, Mar 31-Apr 4 (waiting list)
Toronto, Canada, Apr 7-11 (waiting list)
Austin, TX, May 19-23 (waiting list)
Cambridge, England, Jun 10-13
Ottawa, Canada, Jun 16-20
Norwalk, CT, Jun 23-27
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


What's new in v17.6?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

File Type Support

  • File type detection and categorization significantly revised.

  • New metadata extraction feature, which allows restoring original file system metadata (such as filename and timestamps) when found in certain file types such as $I* recycle bin files and iPhone mobile sync backup indexes (Manifest.mbdx). Original filenames are typically much more meaningful than random names that are assigned just to guarantee uniqueness in a single directory for backup purposes. Examples of such random names are 3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae (for a file in an iPhone backup) or $RAE2PBF.jpg (Windows recycle bin). Support for more file types will follow. The current filename according to the file system is not lost: it can still be seen in square brackets in the Name column, as well as in Details mode, and the Name filter will conveniently find both the original and the current name.

  • Improved ability to uncover thumbnails from Windows thumbcaches. The process is now faster and produces much less redundant thumbnails especially for Windows 8 and 8.1 installations (only the highest resolution available for a set of thumbnails for the same picture). The new method is used when targeting thumbcache_idx.db files (which will in turn target the corresponding thumbcache*.db files) via the provided mask and not the thumbcache*.db files directly as in previous versions of X-Ways Forensics.

  • Support for a variant of thumbs.db files found in Windows 7 in certain constellations.

  • Performance of uncovering thumbnails in large JPEG files improved.

  • More precise truncation of incomplete or fragmented PNG files when carving.

  • Ability to extract embedded files from Photoshop thumbnail caches (Adobe Bridge Cache.bc), Canon ZoomBrowser thumbnail collections (.info), and Paint Shop Pro caches (.jbf).

  • Ability to uncover embedded pictures from the caches of Google's Picasa 3 image organizer and viewer software (thumbindex.db and related files).

  • Event extraction from Picasa 3.

  • Metadata extraction from IconCache.db files. Important Windows artifact that can help to prove executions of programs for example in malware investigations.

  • Extraction of forensically valuable metadata from PhotoShop PSD and INDD (Adobe InDesign) files.

  • Internal file carving algorithms for INDD, Bridge Cache and Picasa3 index files implemented.

  • Improved support for Magix Photo Manager Cache .mxc2 and .mxc3 and other files.

  • Internal graphics viewer now supports certain .bmp graphics with larger headers.

  • Some other improvements in the internal graphics viewer.

  • More metadata is now extracted from AVI video files, for example the codec and the IDIT creation timestamp or original filename, where available.

  • Metadata and internal file carving support for AMR voice recording files.

  • Ability to uncover various potentially relevant resources in 32-bit and 64-bit Windows PE executables (programs and libraries) as child objects, in particular RCDATA, named objects, bitmaps, icons and manifests. Useful for example for malware analysis. This does not happen automatically, only if you specifically target executable files via a suitable series of file masks.

  • Support for even more deeply nested (recursively forwarded) e-mail messages in OST/PST e-mail archives.

  • Ability to reconstruct e-mail messages from the Livecomm.edb database, which is used by the Windows Mail client (Windows 7 and newer) as part of the "uncover embedded data" operation. Also extracts contact and account information.

  • Unicode support for e-mail excerpt reconstruction from Thunderbird indexing databases.

  • Some minor fixes for EDB processing.

  • Fixed an exception error that could occur when processing SQLite databases.

Usability

  • Increased capacity for large cases:

    Maximum number of simultaneously open images of physical media and reconstructed RAIDs combined:
    v15-v17.1: 46
    v17.2-v17.5: 57
    from v17.6: 100

    Maximum number of simultaneously open partitions on physical media (not counting drive letters) and partitions in images of physical media and images of volumes:
    v15-v15.5: 64
    v15.6-v17.5: 99
    from v17.6: 256

    Some background information: Note that it is not a must to always have all evidence objects in a case open at the same time. In fact it can be desirable to not open them all at the same time if the volume snapshots are very big (i.e. reference many millions of files) and not much RAM is available. Simultaneous searches and volume snapshot refinements across multiple selected evidence objects can be started even when no evidence object is open at all. In this setting, X-Ways Forensics will open the evidence objects one by one automatically when it is their turn, and close them again when fully processed, to minimize memory requirements. Only when you recursively explore from the case root, all evidence objects whose files you wish to include need to be open at the same time.

    Maximum number of addressable local physical media:
    from v17.2: 64

  • Imports and shows newly created report table associations of other simultaneous users in shared analysis mode when re-opening an evidence object, when the case auto-save interval elapses, or when manually invoking the Save Case command. (In v17.5 this happened only when opening the case in normal, unlimited mode.)

  • Option to always suggest opening a case with extended multi-user coordination in shared analysis mode. That mode can be useful even for the first of many simultaneous users of the case, because only in that mode are newly created report table associations shared out to other simultaneous users at regular intervals (depending on the case auto-save option).

  • User interface of the search term list slightly updated. More readable font and more economical use of space. To focus on notable search hits, please remember that you can use the Descr. column filter.

  • The search term list can now be sorted by search terms alphabetically in ascending order or by the listed search hit count in descending order, via the context menu of the search term list, to make it easier to locate a certain search term in lengthy lists.

  • Certain kinds of files with child objects such as e-mail archives are now included in the directory tree in the Case Data window, along with their subdirectories.

  • Hash database dialog window revised.

  • You can make raw Preview mode persistent by holding the Shift key when changing to raw mode.

  • Remains more responsive during file header signature searches and other volume snapshot refinement operations, and allows you to use several commands in the Case Data window's context menu during various ongoing operations.

  • New option to view files with a single click in the gallery instead of with a double click. Useful for example if you wish to view certain pictures on a separate monitor, where you do not have to close the view window to see the gallery again, when not viewing all pictures one after the other (for which the Page Up or Dn key is more efficient).

  • Ability to store additional custom definitions of file types and categories in a separate file named "File Type Categories User.txt". It is read and maintained in addition to the standard definitions in "File Type Categories.txt", has the same structure, and is not overwritten by updates of the software if contained in the installation directory, so that you can easily continue to use it even when overwriting your installation with a new version.

  • Preselecting the directory for images specified in the General Options for newly created images is now optional.

  • Ability to mark events as notable and filter for notable events via the Timestamp column.

  • Ability to unmark multiple selected search hits and events as notable, by holding the Shift key when invoking the "Mark as notable" context menu command.

  • Available for download to users of X-Ways Forensics (click the "All versions" link) is now a text file that if named language.txt and put into the installation directory of v17.6 can override most texts in the user interface (except for example the main menu) and is easily user-editable. Useful if for example you wish to produce case reports in your own language.

X-Tensions API

  • Ability to expand the file viewing capabilities of X-Ways Forensics, X-Ways Investigator, and X-Ways Investigator CTR by integrating so-called Viewer X-Tensions. Such X-Tensions provide special views of certain file types by responding to calls of a newly defined function, XT_View, that they have to export. Users can load Viewer X-Tensions in the Options | Viewer Programs dialog.

  • A new investigator.ini option +52 prevents the use of Viewer X-Tensions, for example for security reasons. Remember that X-Tensions are Windows DLLs, which can potentially do harmful things to your system if they are loaded.

  • A new function named XWF_AddEvent was introduced, which allows adding events to the event hit list of an evidence object. XT_Prepare and XT_Finalize now receive a handle to the evidence object that the X-Tension is applied to.

  • New functions available: XWF_GetEvObjProp, XWF_OpenEvObj, XWF_CloseEvObj, XWF_GetFirstEvObj, XWF_GetNextEvObj, XWF_UpdateDirBrowser. 4 new flags for XWF_GetItemInformation and XWF_SetItemInformation introduced: XWF_ITEM_INFO_FLAG_FILEARCHIVEEXPLORED, XWF_ITEM_INFO_FLAG_EMAILARCHIVEORVIDEOPROCESSED, XWF_ITEM_INFO_FLAG_EMBEDDEDDATAUNCOVERED, and XWF_ITEM_INFO_FLAG_METADATAEXTRACTED.

  • The Delphi API definitions and a demo X-Tension have been updated with some of the new functionality.

Data Interpreter & Templates

  • Support for Mac Absolute Time in the Data Interpreter.

  • The Data Interpreter is now able to interpret UNIX/C, Java/BlackBerry/Android and Mac Absolute timestamps stored as decimal ASCII text instead of in binary. You will find a context menu item for that as well as a checkbox in the options dialog.

  • The Data Interpreter now optionally translates timestamps of all formats except MS-DOS date & time to local time (the time zone defined in the General Options). You will find a context menu item for that as well as a checkbox in the option dialog.

  • New date type "MacAbsTime" supported in templates.

  • New modifier "local" supported for timestamps in templates. Causes X-Ways Forensics to convert timestamps (except DOSDateTime) to the timezone specified in the General Options.
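The three timestamp formats the Data Interpreter and templates handle here (UNIX/C seconds, Java/BlackBerry/Android milliseconds, Mac Absolute Time seconds since 2001-01-01), read either as binary integers or as decimal ASCII text and optionally translated to a display time zone (the "local" option/modifier), can be decoded as follows. This is an added example, not X-Ways code; the little-endian 32-/64-bit layouts, the constructed sample bytes and the fixed +02:00 display zone are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_ABS_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac Absolute Time zero

# Assumed binary layouts: little-endian, signed 32-bit seconds for UNIX/C and
# Mac Absolute Time, signed 64-bit milliseconds for Java/BlackBerry/Android.
BINARY_LAYOUT = {"unix": "<i", "java": "<q", "macabs": "<i"}


def raw_to_count(raw, kind, ascii_decimal=False):
    """Return the integer tick count stored in raw bytes.

    With ascii_decimal=True the value is read as decimal text
    (e.g. b"1396396800") instead of as a binary integer."""
    if ascii_decimal:
        text = raw.decode("ascii").strip()
        if not text.lstrip("-").isdigit():
            raise ValueError(f"not a decimal timestamp: {text!r}")
        return int(text)
    fmt = BINARY_LAYOUT[kind]
    size = struct.calcsize(fmt)
    if len(raw) < size:
        raise ValueError(f"need {size} bytes for {kind}, got {len(raw)}")
    return struct.unpack(fmt, raw[:size])[0]


def interpret_timestamp(raw, kind, ascii_decimal=False, local_tz=None):
    """Decode raw bytes as a timestamp of the given kind.

    kind: "unix" (seconds since 1970), "java" (milliseconds since 1970),
          "macabs" (seconds since 2001-01-01).
    local_tz: if given, the result is converted to that zone (the "local"
    option); otherwise it stays in UTC. Negative counts (before the epoch)
    are handled because the layouts are signed."""
    count = raw_to_count(raw, kind, ascii_decimal)
    if kind == "unix":
        ts = UNIX_EPOCH + timedelta(seconds=count)
    elif kind == "java":
        ts = UNIX_EPOCH + timedelta(milliseconds=count)
    elif kind == "macabs":
        ts = MAC_ABS_EPOCH + timedelta(seconds=count)
    else:
        raise ValueError(f"unknown timestamp kind: {kind}")
    return ts.astimezone(local_tz) if local_tz is not None else ts


# Constructed sample values; all represent 2014-04-02 00:00:00 UTC
# (the Java value adds 123 ms to show the millisecond resolution).
SAMPLE_UNIX_BIN = struct.pack("<i", 1396396800)
SAMPLE_JAVA_BIN = struct.pack("<q", 1396396800123)
SAMPLE_MACABS_BIN = struct.pack("<i", 418089600)
SAMPLE_UNIX_ASCII = b"1396396800"
SAMPLE_PRE_EPOCH_BIN = struct.pack("<i", -86400)  # one day before 1970
DISPLAY_TZ = timezone(timedelta(hours=2))  # stand-in for the General Options time zone

if __name__ == "__main__":
    cases = [
        ("UNIX/C binary", SAMPLE_UNIX_BIN, "unix", False),
        ("Java binary", SAMPLE_JAVA_BIN, "java", False),
        ("Mac Absolute binary", SAMPLE_MACABS_BIN, "macabs", False),
        ("UNIX/C decimal ASCII", SAMPLE_UNIX_ASCII, "unix", True),
    ]
    for label, raw, kind, asc in cases:
        utc = interpret_timestamp(raw, kind, ascii_decimal=asc)
        local = interpret_timestamp(raw, kind, ascii_decimal=asc, local_tz=DISPLAY_TZ)
        print(f"{label:22} {raw.hex():>16}  UTC {utc.isoformat()}  local {local.isoformat()}")
```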

Media & Image Support

  • Ability to convert so-called Nandroid backup files of the NAND flash memory of Android devices to regular raw images via Edit | Convert.

  • More complete output of serial numbers of USB devices.

  • Ability to see model and serial numbers of physical media without administrator rights.

  • Structure of the technical details report for physical media slightly improved.

  • Displays the amount of free space on the output drive in the Create Disk Image dialog window.

Miscellaneous

  • New menu command Tools | File Tools | Replicate Directory. This command copies a directory with all its files and subdirectories, recursively, and recreates individually NTFS-compressed source files as NTFS-compressed in the respective output folder if supported by the destination file system and any layer in between. The command does not retroactively compress such files after their creation, but writes them immediately as compressed, which is more efficient. However, it still has to copy/send the decompressed amount of data of the source file. Select the source directory first, then specify/create the destination directory. This function is useful for example if you wish to copy or move a case directory, which contains a few NTFS-compressed files that would be inefficient to store as uncompressed. Note that alternatively you can open a case and use the Save As command in the Case Data window for the same effect. The Replicate Directory command is also special in that it can operate on overlong paths.

  • Ability to manually enter the Recover/Copy output path by clicking a new "..." button in the dialog window, in the same line where the path is displayed. Useful if you wish to specify a network location that Windows does not list automatically.

  • The hash database of block hash values is now no longer expected in a subdirectory of the directory with the regular hash database, but in a directory at the same level, with the same base name plus " [block hash values]" appended.

  • The old indexing engine was removed.

  • Many internal improvements and some small bug fixes.

  • Program help and user manual updated.


Changes of service releases of v17.5:

  • SR-1: Fixed output of erroneous timestamps extracted from Firefox SQLite databases.

  • SR-1: Fixed timezone adjustment of timestamps in the metadata of some file types (PDF, MDB, RTF, PNG, Flash and GZip).

  • SR-1: Fixed erroneous selection of the radio button for evidence file containers when selecting the target image path in X-Ways Imager.

  • SR-1: Word frequencies in exported index word lists were not entirely accurate. That was fixed.

  • SR-2: More thorough sorting by "Type status", which takes the detected file format consistency into account.

  • SR-2: Fixed faulty utilization of the header size in RAID reconstruction in some recent versions.

  • SR-2: Fixed an exception error that could occur when processing certain incomplete Chrome caches.

  • SR-2: Avoided a misleading and unnecessary error message when finalizing the index and searching in the index.

  • SR-2: Avoided misleading and unnecessary error messages when importing search hits from another user.

  • SR-2: Avoided instability when processing IE travellog files.

  • SR-3: Prevented a possible crash that could occur when extracting e-mails from PST/OST e-mail archives.

  • SR-3: Deleting hash sets command corrupted hash databases in v17.5 and v17.6 Preview. That was fixed.

  • SR-3: The Include command in the directory browser context menu did not work in v17.5 and v17.6 Preview. That was fixed.

  • SR-3: Fixed potentially incomplete previews of Google Chrome WebData databases.

  • SR-3: Fixed an exception error that could occur with irregular PDF files.

  • SR-4: Fixed a read error that could occur with XML files extracted from PDF documents.

  • SR-4: Better support for extremely fragmented files in NTFS volumes.

  • SR-4: Fixed a file creation error in the "Export report table associations" command at the case level.

  • SR-4: Prevented exception errors that could occur when selecting more than the currently supported 57 simultaneously open images of physical disks and 99 simultaneously open partitions of physical disks or images of partitions for recursive exploration from the case root window and then trying to run commands in the directory browser context menu on them.

  • SR-5: Improved/fixed coordination of simultaneous usage of the hash database by multiple users.

  • SR-5: Fixed a link error that could occur when generating case reports for files with overlong paths.

  • SR-5: Prevented an exception error that could occur when parsing corrupt 0x30 attributes.

  • SR-6: Improved representation of Base64-encoded e-mails extracted from MBOX e-mail archives.

  • SR-6: v17.3 and later did not always include all NTFS file system level timestamps in the event list when they were different from the creation timestamp. That was fixed.

  • SR-6: Progress indicator for the time when X-Ways Forensics finalizes indexes of the new kind.

  • SR-6: Fixed an error that could cause the loss of newly created report table associations in shared analysis mode.

  • SR-7: Fixed an instability error that could occur when recursively exploring from the case root and listing many millions of files.

  • SR-8: Fixed an exception error that could occur when extracting files from Google Chrome caches.

  • SR-8: Fixed inability of X-Ways Investigator to convert container raw images to .e01 evidence file format.

  • SR-8: Fixed an exception error that could occur when extracting certain recovered corrupt e-mail messages from Outlook PST/OST e-mail archives.

  • SR-8: Removes certain superfluous parts in certain multi-part e-mail messages to keep the viewer component from showing e-mails as blank.

  • SR-8: Fixed an error that could cause a loss of user comments in the volume snapshot.

  • SR-9: Fixed an exception error that occurred in the original and regular WinHex 17.5 version when displaying the Data Interpreter context menu.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany


#137b: X-Ways Forensics, X-Ways Investigator, WinHex 17.5 released

Jan 28, 2014

This mailing is to announce the official release of v17.5.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Users of X-Ways Forensics/X-Ways Investigator/X-Ways Imager can go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data (the password has changed recently!), details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. Note that licensed users of X-Ways Forensics and X-Ways Investigator with active update maintenance can conveniently find all older versions for download from there if needed, others can usually receive older versions on request.

Please be reminded that if you are interested in receiving information about service releases of v17.4 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Orlando, FL, March 3-7
Toronto, Canada, Mar 31-Apr 4
Austin, TX, May 19-23
Cambridge, England, Jun 10-13
Cambridge, England, Jun 30-Jul 3

Please send e-mail if you would like to be kept up to date on classes in the USA, Europe, or Asia/Pacific.


New License Type for Smaller Budgets

Available since late 2013: Timed annual licenses for X-Ways Forensics, which unlike our regular perpetual licenses expire after 1 year, are now available for purchase at half the price! (Subject to change.) These licenses cannot be renewed, or upgraded to a perpetual license. Online orders / quotes


What's new in v17.5?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

For the major changes already announced on Jan 8, 2014 for v17.5 Beta click here.

Miscellaneous improvements since Jan 8, 2014:

  • Program help and user manual updated for v17.5.

  • Support for more deeply nested directory trees in Ext*.

  • Some clusters of significantly fragmented files in Ext4 were incorrectly contained in idle space as well. This has been fixed.

  • Support for VMDK snapshots where the VMDK images are stored in segments, each usually representing 2 GB of the virtual disk. Previously only monolithic VMDKs were supported, i.e. where the entire VMDK image is stored in one file (whether sparse or not).

  • Fixed errors in VMDK support in previous preview and beta versions of v17.5.

  • Ability to interpret evidence file containers larger than 4 TB.

  • Creating the descriptive text file when imaging disks is now optional.

  • The option to define the number of extra compression threads when creating .e01 evidence files is no longer hidden.

  • Support for NTFS file systems larger than 2^32 clusters (which are not supported in Windows 8 and earlier, but perhaps in later versions).

  • Improved support for high dpi display settings in Windows (150% and larger), in message boxes, file selection dialogs, info pane, mode buttons, toolbar, progress indicator window, directory browser, and search hit context preview.

  • Colored icons for excluded and notable files now displayed with no noticeable delay even when Aero is enabled.

  • The file type filter dialog now remembers which categories were expanded.

  • Stability of EVTX processing improved.

  • Reconstruction of indexed e-mail messages from the indexing database of the Thunderbird e-mail client and output as child objects in the volume snapshot, as part of extraction of embedded data in SQLite databases.

  • Exclusion of known SQLite databases from the embedded data extraction if it is known that there is no valuable binary data to be found in them.

  • Improved support for MS Internet Explorer recovery travellog files.

  • Windows Registry report and event extraction revised.

  • File type verification updated.

  • You can turn off "Extended multi-user coordination" if you are sure that you are the only concurrent user of a case and do not need some of the advanced options, for performance benefits in a very few situations.

  • Indexes of the new type previously became unusable if the drive letter or path of the case changed. This is no longer the case for existing and newly created indexes in the final version of v17.5.

  • Ability to specify separate virtual output directories for separate file carving runs, for example to distinguish operations of different scopes or for different purposes (e.g. first ordinary sector-level file carving in an entire partition, then byte-level file carving of e-mails in free space).


Changes of service releases of v17.4 since Jan 8, 2014:

  • SR-7: Ability to create evidence file containers of the new type larger than 4 TB correctly. Fix also contained in v17.3 SR-11, v17.2 SR-11, and v17.1 SR-11.

  • SR-7: Fixed an error in the Copy Sparse function.

  • SR-7: The gallery was not updated in v17.4 when excluding files. That was fixed.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our new certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.



#137a: X-Ways Forensics 17.5 Beta released

Jan 8, 2014

This mailing is to announce the release of a beta version of X-Ways Forensics 17.5, with many interesting improvements. v17.5 Beta is only available for X-Ways Forensics. The next newsletter issue will notify you when v17.5 is officially released, and at that time v17.5 will also be available as WinHex (for users with a personal, professional or specialist license) and X-Ways Investigator.

Users of X-Ways Forensics can go to https://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Licensed users whose update maintenance has expired can receive upgrade offers from there. 

Please be reminded that if you are interested in receiving information about updated beta releases of v17.5 when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too.

Please note that if you wish to stick with v17.4 or another previous version until v17.5 is officially released, or even longer, you should use the last service release of that older version.




What's new in v17.5 Beta?

(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)

Multi-User Support

  • All cases created or opened with v17.5 and later now have extended multi-user support, where X-Ways Forensics distinguishes between different examiners working with the same case at different times or at the same time. Cases opened with v17.5 and later cannot be opened any more with earlier versions.

  • Extended multi-user support is especially helpful for examiners who work on large cases and wish to tell apart their own results from their colleagues' results. Report table associations, comments and search terms/hits of different examiners can optionally be distinguished, by showing the creating examiner's initials (default), or alternatively other abbreviations of their names or (if no abbreviation is specified) their complete usernames.

    A maximum of 255 users (examiners) is supported per case. Examiners are recognized internally by their Windows user accounts. All related options can be found by clicking the button for "Extended multi-user coordination" in the case properties dialog window.

  • It is possible for multiple users to open the same evidence objects in the same case simultaneously for examination. By same case we mean the same case file, not a copy, stored in a shared network location or on a terminal server. X-Ways Forensics is responsible for synchronizing report table associations, comments and additions of files to the volume snapshot, and for making users aware of access conflicts before they occur and preventing them in most situations.

  • X-Ways Forensics now remembers the "tagged", "already viewed" and "excluded" status of files separately for each examiner. You can choose to adopt the "already viewed" status of files in volume snapshots from all other examiners when opening evidence objects. That is useful if the goal is to avoid duplicate work, i.e. if you do not wish to review files that were reviewed by any of your colleagues already. Please note that individual file statuses ("tagged", "already viewed" and "excluded") as well as search hits of other users are lost if one examiner removes items from the volume snapshot.

  • Search hits and search terms are stored on a per-user basis as well. The first examiner opening an older case with v17.5 or later will absorb the search hits and search terms that were stored in the case by v17.4 or earlier. The "Extended multi-user coordination" dialog window contains a button that allows you to import the search hits and search terms of another user. 

  • Comments and report table associations are shared between all examiners. Examiners can choose whether or not they get to see report table associations of other users. The same file can be associated with the same report table only by 1 examiner. 

  • To view all the results of a colleague (report table associations, search hits, tag marked, already viewed status of files, exclusion status of files), you can open the case in read-only mode as him or her. For that, try the new "Options..." checkbox when opening a case. You may prevent your colleagues from opening the case in read-only mode as you.

  • The new "Options..." checkbox allows you to open a case in any of the three modes known from earlier versions:
    1) entire case read-only (case file and volume snapshots),
    2) cooperative analysis mode (ability to produce report table associations, comments, search hits, and virtual files; tag files; remember already viewed files; exclude files),
    3) full access.

  • If the same user wishes to open the same case (the same copy) in more than 1 instance of the program simultaneously, that user has three options. Either in the second instance the entire case is opened as read-only, or the user is responsible for opening evidence objects that are open in one session already as read-only in the other session to avoid conflicts (right-click an evidence object for that option), or the user opens the case as a separate, fictitious user (called his or her "alter ego") with separate file statuses, search hits, report table associations etc. If the latter option is selected, shared use of the case is coordinated by X-Ways Forensics exactly as if the alter ego was a real, different examiner, even though the username is the same.

  • The aforementioned "Options..." checkbox allows you at any time to open the case as your alter ego, not only when opening the same case in a second instance of the program.

  • Multiple users running searches, creating report table associations, entering or editing comments, editing extracted metadata, tagging files, excluding files, marking files as already viewed is all supported for the same evidence object at the same time. Removing items from a volume snapshot while the evidence object is open somewhere else, however, is forbidden and will be refused by the program. The goal of the multi-user coordination in v17.5 and later is to support concurrent analysis/review work by multiple examiners. Removing files from a volume snapshot is not considered ordinary review/analysis work. Volume snapshot refinements should be done systematically in advance.

  • The initials of the examiner who has attached files to the volume snapshot or manually carved files in v17.5 and later can be seen in square brackets next to the filename, so that it is easy to tell who has introduced such files to the case.

  • Technical changes to the way multiple simultaneous users are coordinated are reserved. To be on the safe side, please make sure that simultaneous users are running the same version of the software.

  • Last but not least, v17.5 allows you to review the processing history of a case in its properties. This reveals which versions were used on it (recorded only by v17.3 SR-10 and later, v17.4 SR-4 and later and v17.5 and later) and by which users (recorded only by v17.5 and later).

User Interface

  • Revised look of the user interface (toolbar, menus, directory browser, gallery). Icons are now more colorful and plentiful. This allows experienced users to more quickly and intuitively find the right menu commands especially in the directory browser context menu.

  • Gridlines in the directory browser are now optional, and if displayed can be either light gray or light blue. Without gridlines the screen looks a little less cluttered as well.

  • The entire row in the directory browser over which the mouse cursor hovers is now highlighted. That makes it easier to identify other far away cells in the same row.

  • The names of the authors of documents of various types (MS Office, OpenOffice/LibreOffice, RTF, PDF, ...) are now displayed in a new column named "Author" after metadata extraction.

  • The page count is now extracted from PDF and some Office file types as part of metadata extraction and shown in a new column as well.

  • Sorting and filtering by comments and extracted metadata greatly accelerated for huge volume snapshots in which a huge number of files have comments or extracted metadata.

  • Sorting by certain directory browser columns such as Owner, Author, Sender, Recipients, Report tables, Comments, Metadata, Search terms, and Hash set is now more user-friendly, in that items with blanks (i.e. unknown owner, unknown author, no report table associations, no comments, ...) are listed last, not first. Also, the default sort order of the hash category column is now descending.

File Format Support

  • Improved ability to uncover files in Firefox caches when targeting "_CACHE_MAP_" files and Chrome caches when targeting "index" files. Retrieves metadata such as original filenames and timestamps. Metadata extraction from "index" files.

  • Files embedded in Norton Backup files (N360 backup, *.nb20) can now be automatically uncovered.

  • Ability to uncover pictures that are embedded as Base64 in VCF files (electronic business cards).

  • File type verification considerably updated. Examples: Identification of MMAP, IDML, INCX, EDX, ENML, NBI.

  • File type signature definitions considerably updated.

  • New file type category GPS/Navigation.

File System/Disk/Image Support

  • The existence of extended attributes for files in NTFS ($EA attributes) is now revealed in the Attr. column in newly taken volume snapshots, and you can filter for the presence of such attributes. Useful to detect certain malware as seen in recent high-profile cases.

  • Considerably improved treatment of hard-linked files in HFS+. Resolving hard links is now much faster and more thorough in current HFS+ volumes that heavily use hard links because of Time Machine. Hard links to directories and resource-only files are now also resolved. The hard link count is accurately represented. All hard links except for 1 are optionally omitted from logical searches, just as in NTFS, to avoid excessive duplication of data to be searched and duplication of search hits. Hard links that are ignored are identified by a grayed out hard-link count (no longer by an asterisk as in previous versions). Additionally, iNode files (indirect node files) that got connected with the hard links that reference them as so-called "related items" in the volume snapshot are omitted. Should the hard-link count of an iNode file not be grayed out, that indicates an orphaned iNode file (one that is not referenced by any hard-linked file, at least not in the volume snapshot). Comments are no longer used for hard-linked files in HFS+.

  • Extraction of events from Unix/Linux/Macintosh system logs. These events are of practical significance especially for USB device history examinations.

  • Improved detection of non-standard LVM2 container partitions.

  • VMDK virtual disk images which have been compressed for transport purposes (the VMDK format variant referred to as "stream-optimized"), as used by the OVF appliance export format, are now supported.

  • Option to create report table associations for files that were successfully added to a skeleton image using the directory browser context menu command.

Miscellaneous

  • Various minor improvements and some small bug fixes.

  • Same fix level as v17.4 SR-6.

  • User manual and program help not updated yet for v17.5.


Changes of service releases of v17.4:

  • SR-1: Works again with the old version of MPlayer.

  • SR-1: Fixed an error that could occur in the Attr. filter for special files in Unix/Linux file systems.

  • SR-1: Fixed hanging after volume snapshot refinements if the error "Parent of ... undefined" occurred.

  • SR-1: Quicker EDB file subtype identification.

  • SR-2: When the gallery dynamically shows the stills of a video in a loop, you may now press Esc to stop the animation, + to accelerate and resume the animation, and - to slow down and resume it.

  • SR-2: Fixed an error that could stop the gallery from working.

  • SR-2: Fixed an error that occurred when exporting hash sets from the block hash database.

  • SR-2: Fixed some truncated descriptions for events collected from SQLite database in the 64-bit edition.

  • SR-2: Proper timezone adjustment of event timestamps from SQLite databases.

  • SR-2: Potentially fixed an error that could occur on some computers when closing data windows after cloning with the "copy entire medium" setting.

  • SR-3: Fixed an error that could occur when using the gallery.

  • SR-3: Prevented output of some unnecessary messages when taking snapshots of Ext4 volumes.

  • SR-3: If the Help | Dongle dialog informs you that a new activation code is required for v17.5, please request it from X-Ways.

  • SR-3: Fixed a skeleton image verification error that could occur in certain situations.

  • SR-3: Fixed an exception error that could occur during index searches in v17.4.

  • SR-4: Fixed an error that could cause the gallery to not be fully populated in certain situations.

  • SR-5: v17.4 SR-2 and later did not close the case root window when closing a case, which triggered errors. That was fixed.

  • SR-5: The gallery was not updated in v17.4 when sorting the directory browser. That was fixed.

  • SR-5: Fixed instability of the 64-bit edition with certain EDB database files.

  • SR-5: Child objects that have been viewed no longer propagate this status to a parent file.

  • SR-6: Fixed an exception error that could occur when filling evidence file containers in v17.3 and v17.4.

  • SR-6: Fixed an exception error that could occur when resolving symlinks in the 64-bit edition of v17.4.

  • SR-6: Fixed a recurring delay that could occur on volumes with a lot of clusters when reviewing search hits in free space for which only a logical/relative offset is known (index search hits).

  • SR-6: Fixed inability of v17.4 to process Windows.edb databases of Windows 7 under Windows 8 and Windows 8.1.



Legalities
Register of commerce: AG Bad Oeynhausen HRB 7475
CEO: Stefan Fleischmann
Supervisory board: Dr. M. Horstmeyer (chairwoman)
