X-Ways


WinHex & X-Ways Forensics Newsletter Archive


#85: WinHex & X-Ways Forensics 12.7 and X-Ways Capture released

Dec 2, 2005

This mailing is to announce a noteworthy update, v12.7.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users and in particular users of X-Ways Forensics please go to https://www.x-ways.net/winhex/upgrade.html for more information, download links, and upgrade offers. If you are still in your update maintenance phase (12 months by default), you will also receive a confirmation of when it will expire. Upgrading starts a new update maintenance period of 12 months.

-------------------------------------------------------------

UPCOMING X-WAYS FORENSICS CLASSES
Dallas, TX: Jan 17-20 https://www.x-ways.net/signup_dallas.html
Chicago, IL: Jan 23-26 https://www.x-ways.net/signup_chicago.html

Please follow the links for details or send e-mail to mail@x-ways.com. Thank you!

-------------------------------------------------------------

WHAT'S NEW IN V12.7?

* Recursively explored directories are now specially flagged in the directory tree. A simple right click in the directory tree is now sufficient to explore a directory recursively (formerly: right click and context menu item).

* Directories whose contents are either fully or partially tagged are now specially flagged in the directory tree as well. The middle mouse button can now be used in the directory tree to tag or untag directories.

* Support for the file systems UFS and UFS2, both in big-endian and little-endian variants.

* The Refine Volume Snapshot command now features the statistical entropy test for the detection of fully encrypted files, as known from the now obsolete Create Drive Contents Table command, plus a new file-format-specific encryption/password protection test for PDF documents and MS Office documents such as MS Word 4...2003, MS Excel 2...2003, MS PowerPoint 97-2003, and MS Project 98-2003.

* The Details Panel is now integrated into a data window, more exactly into the data (or sectors) area in a data window. The benefit is that more screen space is available horizontally for the directory browser, gallery mode, preview mode, calendar mode, and the status bar.

* Certain search operations (without GREP, in particular with several keywords, case insensitive) are now considerably faster.

* Evidence file containers can now optionally include disk/image names as the first directory level, so that for multiple sources it is still obvious where files originate from when reviewing the containers.

* It is now possible to mix files with UNIX-styled permissions and files with DOS/Windows-styled attributes in the same evidence file container. Both will be displayed correctly in X-Ways Forensics.

* In volume snapshots taken by v12.7 and later, there will be a fictitious directory "Path unknown" instead of "Deleted Items". That's because a dedicated overview of deleted items is already available in recursive views with the dynamic filter. The only need for such a special directory is now to accommodate lost/deleted files whose path is unknown, i.e. which are orphaned or were only discovered based on their header signatures.

* Ability to preview disks without temporary files being written anywhere on the system. For that purpose you can set the folder for temporary files and the folder for cases to a directory on the CD from which you are running X-Ways Forensics (e.g. simply "."). X-Ways Forensics will still allow you to create the case and work with it, just won't be able to save it. Remember, you do not need to "install" X-Ways Forensics before running it.

* The drive letter that contains the folder for image files is now officially considered a legitimate output folder in X-Ways Forensics.

* Ability to add file slack to evidence file containers specifically. Hold the Shift key when invoking the menu command to add a file. (since 12.6 SR-1)

* Optional faster slim volume snapshot without cluster allocation scan now available for all file systems (Safety & Security Options). Useful e.g. when previewing a live system and having temporary and snapshot files written to one's own USB stick where only USB 1.1 speed is available. (since v12.6 SR-4)

* Ability to select an internally assembled RAID 0 as a source disk in the Disk Cloning dialog window. (since v12.6 SR-7)

* In addition to the "reduced" user interface, there is now an optional "forensic lite" user interface, meant for investigators in law enforcement
- who are specialized in areas such as white-collar crime, corruption, tax fraud, etc.
- who do not need profound knowledge of computer forensics
- who do not need the technical insights that WinHex and XWF are well known to provide as a by-product
- who receive e.g. convenient-to-handle X-Ways evidence file containers from well-versed computer forensics examiners with only selected files from various sources (e.g. "all documents that contain the keywords x and y"), with obviously irrelevant stuff already filtered out
- who need to review hundreds of electronic documents, identify relevant ones, add comments to them, identify logical structures and connections between them with the help of their comments, and print documents, all with a few mouse clicks within the same environment, which saves the time to extract and load each document in its associated application
The "forensic lite" interface lacks _many_ advanced technical features on the outside, to allow for easier access by non-technical personnel. Forensic licenses that _only_ allow use of the "forensic lite" interface are available at 50% of the regular rate, on request.

* Several other minor improvements and error corrections.
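
The entropy test and the PDF-specific encryption test mentioned for Refine Volume Snapshot can be sketched as follows. This is an added example, not X-Ways code: the 7.9 bits/byte threshold, the 4096-byte minimum, the signature list, the `/Encrypt` heuristic and all names are assumptions, and the sample inputs are constructed.

```python
import gzip
import hashlib
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.9  # bits/byte; assumed cut-off, not a value from X-Ways
MIN_SAMPLE = 4096        # assumed: shorter inputs cannot be scored reliably

# Formats that are compressed by design and therefore also look random.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")

# An encrypted PDF names its encryption dictionary with an /Encrypt entry.
# Heuristic only: the entry is matched anywhere in the file.
PDF_ENCRYPT = re.compile(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Return one of: pdf-encrypted, compressed-format, too-small,
    likely-encrypted, not-flagged."""
    # Format-specific test first: PDF bodies hold compressed streams, so the
    # statistical test alone would say little about them.
    if data.startswith(b"%PDF-"):
        return "pdf-encrypted" if PDF_ENCRYPT.search(data) else "not-flagged"
    # Known compressed containers would be false positives of the entropy test.
    if any(data.startswith(magic) for magic in COMPRESSED_MAGIC):
        return "compressed-format"
    if len(data) < MIN_SAMPLE:
        return "too-small"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "not-flagged"


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def constructed_samples() -> dict:
    """Constructed inputs; none of them is a real evidence file."""
    noise = pseudo_random(65536)
    return {
        "volume.bin": noise,                      # headerless, uniformly random
        "notes.txt": b"Invoice 2005-11 for consulting services, net 30 days.\n" * 200,
        "archive.gz": gzip.compress(noise),       # high entropy, but known format
        "locked.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                      b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n",
        "plain.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                     b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
        "key.bin": noise[:64],                    # random, but far too short
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:12} {shannon_entropy(blob):5.2f} bits/byte  {classify(blob)}")
```

The entropy score only says that the bytes look uniformly random, which is why the sketch checks known compressed signatures and the PDF marker before applying the threshold.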

 

#84: WinHex & X-Ways Forensics 12.65 and X-Ways Capture released

Oct 27, 2005

This mailing is to announce a noteworthy update, v12.65.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users and in particular users of X-Ways Forensics please go to https://www.x-ways.net/winhex/upgrade.html for more information and download links.

v12.65 is a free update for all users who purchased v11.8 or newer (e.g. online after Oct 22, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at greatly reduced prices at https://www.x-ways.net/winhex/upgrade.html. Upgrading entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

UPCOMING PUBLIC CLASSES
Oslo, Norway: Dec 6-9 https://www.x-ways.net/signup_oslo.html
Dallas, TX: Jan 17-20 https://www.x-ways.net/signup_dallas.html
For more information please see https://www.x-ways.net/training.html .

-------------------------------------------------------------

WHAT'S NEW IN V12.65?

* We now offer forensic licenses optionally without update maintenance (at reduced cost) or including 2 years instead of 1 year default update maintenance (surcharge).

* Ability to add a comment to an item in the directory browser. After entering comments, you can conveniently set the filter such that only commented items are shown or only items with specific comments, i.e. certain keywords. For items in a report table, comments are also included in the report if the table is output in the flat format. (forensic licenses only)

* Ability to export selected hash sets from the internal hash database, to share them with other users without exchanging the entire hash database.

* Ability to hide a directory recursively, so that all its files and subdirectories are automatically hidden as well. If you are only allowed to examine the contents of certain directories, you could initially hide all files in all other directories such that they will be automatically excluded from the directory browser, the gallery view, logical searches, copying actions, additions to an evidence file container, etc.

* New visual concept for "tagging" items. Ability to select all listed tagged items. (forensic license only)

* Ability to tag directories recursively, i.e. including their files and subdirectories. Ability to hide all untagged items on a volume. (Remember that you can make use of the dynamic filter to conveniently tag or hide certain files.)

* The directory browser context menu was restructured.

* Ability to limit the operations in Refine Volume Snapshot to all tagged files or to all files that are not hidden.

* It is now possible to add selected files from within archives to evidence file containers. Prerequisite: The volume snapshot has been refined and includes the contents of archives.

* New script commands: GetClusterAllocEx, GetClusterSize

* Several other minor improvements. For example, during the creation of hash sets, the name of the currently hashed file is displayed in the caption of the small progress indicator window, and the core file in the internal hash database is locked while in use to prevent the user from inadvertently moving or replacing the hash database's directory while X-Ways Forensics is running.

 

#83: WinHex & X-Ways Forensics 12.6 and X-Ways Capture released

Sep 25, 2005

This mailing is to announce a noteworthy update, v12.6.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users and in particular users of X-Ways Forensics please go to https://www.x-ways.net/winhex/upgrade.html for more information and download links.

v12.6 is still a free update for all users who purchased v11.7 or newer (e.g. online after Sep 1, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at greatly reduced prices at https://www.x-ways.net/winhex/upgrade.html. Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

UPCOMING PUBLIC CLASSES
Bedfordshire, England: Nov 2+3 https://www.x-ways.net/signup_NSLEC.html
Oslo, Norway: Dec 6-9 https://www.x-ways.net/signup_oslo.html
Dallas, TX: Jan 17-20 https://www.x-ways.net/signup_dallas.html
For more information please see https://www.x-ways.net/training.html .

-------------------------------------------------------------

WHAT'S NEW IN V12.6?

* Refined volume snapshots now supersede drive contents tables as the recommended way to systematically review files on computer media. They offer similar features (like the ability to explicitly list pictures embedded in documents, to compute skin color percentages, etc.) and at the same time allow you to work directory-wise, not only with a flat list.

* Ability to conveniently, dynamically and non-destructively filter out files based on criteria such as deletion status, filename, file type category, and matching hash set category. Options | Directory Browser. Ability to filter out certain files that have been marked as to hide (e.g. because they are irrelevant or simply not needed in a particular view).

* GREP syntax in physical and logical simultaneous search. (Specialist license only)

* Logical searches in multiple evidence objects at a time are now more convenient with the help of a global case root window from where one can select evidence objects to search. Unlike in unified contents tables, it is possible to output search results as hit lists or as tables of files with hits.

* File preview mode is now available when reviewing search hits lists and bookmarks. Search hit context preview now also supported for Unicode search hits.

* Support for evidence file containers. (Only available with a forensic license.) An evidence file container is a raw image file. Files selected in the directory browser can be added to the active file container with the directory browser's context menu. Certain technical metadata (e.g. the original cluster allocation and file ID) are lost; however, name, path, size, attributes, timestamps, and especially the contents of the file are fully retained in a file container. So when you need to pass on selected files (even from different evidence objects) that are of particular relevance to a case, in a single handy archive, to other persons involved in that case, who do not need to or must not see irrelevant files, this feature comes highly recommended. Evidence file containers can be interpreted and conveniently examined like conventional image files with X-Ways Forensics 12.6 and later.

* Several other minor improvements.

 

#82: WinHex & X-Ways Forensics 12.55 and X-Ways Capture released

Sep 3, 2005

This mailing is to announce a noteworthy update, v12.55.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users and in particular users of X-Ways Forensics please go to https://www.x-ways.net/winhex/upgrade.html for more information and download links.

v12.55 is a free update for all users who purchased v11.7 or newer (e.g. online after Sep 1, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at greatly reduced prices at https://www.x-ways.net/winhex/upgrade.html. Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

UPCOMING PUBLIC CLASSES
Bedfordshire, England: Nov 2+3 https://www.x-ways.net/signup_NSLEC.html
Mesa, AZ: Nov 14-17 Please drop us a note if interested.
Dallas, TX: Jan 17-20 https://www.x-ways.net/signup_dallas.html
For more information please see https://www.x-ways.net/training.html .

-------------------------------------------------------------

WHAT'S NEW IN V12.55?

* Ability to find deleted or otherwise lost files on Reiser4 volumes. Ability to rebuild the internal Reiser4 tree if its root was lost e.g. because it has moved, yet the superblock buffer was not flushed by Linux. All of these features should be exclusives that you won't find anywhere else.

* The standard non-contents-table file overview can now be extended in a similar way as drive contents tables. Use Specialist | Refine Volume Snapshot to find orphaned files and directories on FAT volumes, lost parts of the MFT on NTFS volumes, and deleted files on ReiserFS and Reiser4 volumes. Deleted or otherwise lost directories retrieved with the refined volume snapshot will also be added to the directory tree in the Case Data window and will persist between sessions unless you have X-Ways Forensics trash volume snapshots when exiting. After refining the volume snapshot, the fictitious directory "Deleted Objects" will become available for ReiserFS and Reiser4 volumes.

* State-of-the-art 256-bit AES/Rijndael encryption has been added. This implementation of AES runs in counter mode (CTR) and works with hashed 256-bit keys, cryptographically sound random input ("salt"), and a randomized initial counter. Use Edit | Convert to encrypt/decrypt one or several files at a time.

* Evidence files can now be encrypted with 256-bit AES as well. Encrypted evidence files still allow for random read access. Data transfer rates from encrypted evidence files are slightly worse than from unencrypted evidence files, of course. Encrypted evidence files are not supported by other computer forensics software products.

* It is now possible to password-protect case files and either prevent unauthorized opening or only unauthorized saving. This protection is not based on encryption, so theoretically it can be circumvented with sufficient effort and knowledge.

* Adding files to the table of particularly noteworthy items and highlighting (tagging) files are now two separate operations. So you may now decide to tag files for other purposes, e.g. to mark them as "already examined". However, if you still wish to tag files to mark them as noteworthy, a new option among the directory browser options allows you to retain the previous behavior. As a side-effect of the separation, it is now possible to add files within archives to the table of noteworthy files.

* In cases created with X-Ways Forensics 12.55 and later, there will be one additional subdirectory per evidence object, with the prefix "_Metadata". The standard subdirectory will be reserved for original files extracted from the evidence object, the metadata subdirectory will be used for files created by XWF itself: contents tables, search hit lists, and also the volume snapshot files. Like this, there can be no confusion about what files can be considered original evidence and what files are rather of an auxiliary nature. Also it is now easy to identify the snapshot files that correspond to a given evidence object.

* When the separate viewer component is active, you can now select files for printing in the directory browser and use the Print command in the context menu.

* While running a logical or physical search and having WinHex list search hits, it is now possible to view the search hits while the list is being populated and to open files that contain hits via the search hit list's context menu. After opening files like this, you can view them with the separate viewer component (Tools | View) or export them (File | Save As). Also it is now possible to switch between the search hit list and the directory browser during an ongoing search operation, by clicking the respective buttons. (since v12.5 SR-1)

* In WinHex and X-Ways Forensics v12.1 through v12.5 SR-1, disk images created in the WinHex backup legacy format (.whx) were not encrypted correctly when encryption was enabled. The data in these backups is not securely protected. This error was fixed. (since v12.5 SR-2)

* Several other minor improvements.
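
Why counter mode with a salted, hashed key and a randomized initial counter still permits random read access to an encrypted evidence file, as an added example that is not X-Ways code and not its file format. HMAC-SHA-256 stands in for the AES block cipher so the sketch runs on the Python standard library alone; PBKDF2 as the key hash, the 32-byte header layout and all names are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 32        # keystream bytes per counter value (HMAC-SHA-256 output size)
HEADER = 16 + 16  # assumed layout: salt || initial counter || ciphertext


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Hash passphrase and salt into a 256-bit key (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def keystream_block(key: bytes, initial_counter: int, index: int) -> bytes:
    """Keystream for block `index`: PRF(key, initial_counter + index).
    In real AES-CTR the PRF is the AES block encryption of the counter."""
    counter = (initial_counter + index) % (1 << 128)
    return hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()


def ctr_xor(key: bytes, initial_counter: int, data: bytes, offset: int = 0) -> bytes:
    """Encrypt or decrypt `data` located at byte `offset` of the stream.
    Only the keystream blocks covering [offset, offset + len(data)) are computed."""
    out = bytearray()
    pos, end = offset, offset + len(data)
    while pos < end:
        index, skip = divmod(pos, BLOCK)
        ks = keystream_block(key, initial_counter, index)[skip:]
        chunk = data[pos - offset:pos - offset + len(ks)]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
        pos += len(chunk)
    return bytes(out)


def encrypt_container(passphrase: str, plaintext: bytes) -> bytes:
    """Fresh salt and initial counter per file, so no keystream is ever reused."""
    salt, iv = os.urandom(16), os.urandom(16)
    key = derive_key(passphrase, salt)
    return salt + iv + ctr_xor(key, int.from_bytes(iv, "big"), plaintext)


def read_range(passphrase: str, container: bytes, offset: int, length: int) -> bytes:
    """Decrypt `length` bytes at plaintext `offset` without touching the rest."""
    salt, iv = container[:16], container[16:HEADER]
    key = derive_key(passphrase, salt)
    ciphertext = container[HEADER + offset:HEADER + offset + length]
    return ctr_xor(key, int.from_bytes(iv, "big"), ciphertext, offset)


def constructed_image() -> bytes:
    """Constructed 4 KiB 'image' with a recognisable pattern per sector."""
    return b"".join(bytes([s]) * 512 for s in range(8))


if __name__ == "__main__":
    image = constructed_image()
    container = encrypt_container("example passphrase", image)
    # Read 16 bytes that straddle the boundary between sector 2 and sector 3.
    print(read_range("example passphrase", container, 3 * 512 - 8, 16).hex())
```

Counter mode provides confidentiality only: a changed ciphertext byte decrypts to a changed plaintext byte without any error, so the integrity of such a file still rests on a separately recorded hash.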

 

#81: WinHex & X-Ways Forensics 12.5 and X-Ways Capture released

Aug 12, 2005

This mailing is to announce the major update of the year, v12.5.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users and in particular users of X-Ways Forensics please go to https://www.x-ways.net/winhex/upgrade.html for more information and download links.

WinHex 12.5 is a free update for all users who purchased WinHex 11.6 or newer (e.g. online after June 20, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at greatly reduced prices at https://www.x-ways.net/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

UPCOMING PUBLIC CLASSES
Bedfordshire, England: Nov 2+3 https://www.x-ways.net/signup_NSLEC.html
For more information please see https://www.x-ways.net/training.html .

-------------------------------------------------------------

X-WAYS CAPTURE 1.0
Successfully seize all evidence

Computer forensics tool for the evidence collection phase of a forensic investigation, that captures Windows and Linux live systems. X-Ways Capture gathers all data from the running computer logically and physically, such that during the analysis even encrypted or otherwise protected data that was unlocked at the point of time when the system was acquired, can be examined. X-Ways Capture saves you from returning empty-handed after pulling the plug and imaging hard disks the conventional way when you discover that the relevant files are encrypted! Plus you may be able to find pass phrases in main memory that X-Ways Capture dumps for you.

Please see https://www.x-ways.net/capture/ for more information and subscribe to the X-Ways Capture newsletter.

-------------------------------------------------------------

WHAT'S NEW IN WINHEX & X-WAYS FORENSICS V12.5?

* The Apple Macintosh file system HFS+ (a.k.a. HFS Plus and Mac OS Extended) and the brand-new Linux file system Reiser4 are now natively supported.

* Exploring large directories (including large fictitious "Deleted Objects" directories) now works instantly. Even recursively exploring an entire volume (right-clicking the root directory in the directory tree and using the context menu) now works almost instantly as well!

* The "Deleted Objects" directory on NTFS volumes now shows the original paths if known instead of just "?". Plus there is now a fictitious "Deleted Objects" directory for FAT volumes.

* WinHex can now more often tell the former allocation of free clusters to deleted files on FAT volumes.

* NTFS alternate data streams (ADS), non-directory INDX streams and $EFS streams are now listed in the normal directory view, too, not only in contents tables.

* The size of directories is now always displayed on NTFS volumes.

* The number of the first cluster of files and directories can now be listed in the directory browser in an optional column. This allows you to sort files by their physical location on the disk and identify existing and deleted files that reference the same first cluster.

* The six aforementioned improvements are entirely ("1st cluster" column: partly) based on a new kind of file system analysis that takes place immediately when opening volumes. This analysis is more extensive than the former so-called cluster scan and supersedes it.

* The IDs of files and directories as assigned by either the file system or WinHex itself can now be listed in another optional column.

* The alternative access method #1 is now the default one for optical media. The benefit is that the full sector count of CDs and DVDs will always be detected. That also means that selecting one of the alternative access methods now solely affects physical hard disks. Alternative disk access method #1 now works with a timeout as well.

* In some rare configurations under Windows 2000/XP, WinHex previously associated the detected hard disk model number and size with the wrong physical hard disk. This should no longer happen. Plus under Windows 2000/XP WinHex can now detect the bus through which a hard disk is connected (ATA, SATA/SCSI, USB, ...).

* Better support for filenames with non-Western-European characters. (since v12.35)

Improvements to the directory browser:

* Ability to type multiple characters in the directory browser in order to jump to the first matching item. This is particularly useful for very long lists of files. The characters typed are matched against the column that is currently selected as the primary sort criterion.

* The display update now works better when holding the Cursor Up/Down key in a heavily populated directory browser with several hundred thousand items.

* When the mouse cursor hovers over a directory browser item's icon, the number of that item in the directory browser is now displayed in addition to the item's path. This number can be used e.g. to resume examining files exactly where one left the directory browser. The directory browser's context menu (Position submenu) allows you to jump to any item based on the item's number. The number is 0-based. Always remember that the number depends on what exactly has been loaded into the directory browser and on the current and possibly previous sort parameters.

* Memory utilization of directory browser reduced.

--

* The gallery view has been decoupled from the directory browser. That means, if there is sufficient space on the screen, many more thumbnails can be displayed per page than there are visible items in the directory browser.

* Protection against certain rare corrupt picture files that caused X-Ways Forensics to hang upon loading, with the help of a timeout.

* ROT13 is now an additional option in Edit | Modify Data.

* The Italian translation of the user interface is now more complete.

* Hash set renaming bug fixed.

* Restoring an uninterpreted image to a disk is now noticeably faster.

* When the segments of a raw image are spread across two different drives, it is now possible to specify the other storage location if you hold the Ctrl key when the first segment is about to be interpreted.

* Files in a table that is included in the case report can now be included in the report themselves (by way of a picture or link) if the corresponding option in the case properties has been enabled and the table is output as a flat, vertical list.

* Error opening files on certain ReiserFS volumes fixed. (since v12.35 SR-3)

* Error in Go To Page and record presentation fixed. (since v12.35 SR-3)

* Provided "as is", without guarantees: Ability to format large volumes with FAT32, which is not feasible with Windows XP beyond a limit of 32 GB, but often desirable for compatibility with other operating systems (e.g. DOS, to save image files with X-Ways Replica). Open a hard disk partition that is not currently mounted as a logical drive letter and then press Shift+Ctrl+F. You will then be prompted for a cluster size (128 sectors per cluster at most; 8, 16, or 32 recommended). Use this tool at your own risk only.

* Several other minor improvements.

 

#80: WinHex & X-Ways Forensics 12.35 released

July 10, 2005

This mailing is to announce a minor update, v12.35.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users and in particular owners of forensic licenses please go to https://www.x-ways.net/winhex/upgrade.html for more information and download links.

WinHex 12.35 is still a free update for all users who purchased WinHex 11.26 or newer (e.g. online after March 2, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at greatly reduced prices at https://www.x-ways.net/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

NEXT COMPUTER FORENSICS CLASS
San Francisco, CA: Aug 23-26 https://www.x-ways.net/signup_sanfrancisco.html
For more information please see https://www.x-ways.net/training.html .

-------------------------------------------------------------

WHAT'S NEW IN V12.35?

* Support for Apple Mac styled hard disk partitioning added. (since v12.3 SR-1)

* Support for HFS+ date & time format in the Data Interpreter and in templates. (since v12.3 SR-1)

* Compatibility issues with certain evidence files fixed. (since v12.3 SR-2)

* Some fixes in support for CDFS and UDF. (since v12.3 SR-2)

* Fixed an error that occurred when reloading certain content tables. (since v12.3 SR-1)

* The restrictions concerning acceptable output folders in X-Ways Forensics have been somewhat softened. (since v12.3 SR-3)

* Fixed an error invoking external programs.

* Viewer component improvements as of July 5:
- Scaling for drawings in PDF documents improved
- Handling of frames that should appear behind text in RTF files
- Support for bidirectional display of Hebrew and Arabic text files
- Character and font mapping
- Handling of extended characters in PowerPoint
- Handling of a system's default character set
- Mapping of some Chinese characters in RTF files
- Better memory usage in RTF files that contain embedded files
- Support for V4 encryption for PDF password security in PDF 1.4 vs. 1.5
- Faster text decoding in PDF documents, UUE files, Microsoft Project documents, password-protected PowerPoint and Excel files, Outlook PST, Lotus 1-2-3, WordPerfect 5x, AutoCAD, and more

* Some other minor improvements and bug fixes.

 

#79: WinHex & X-Ways Forensics 12.3 released

June 23, 2005

This mailing is to announce a minor update, v12.3.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users and in particular owners of forensic licenses please log in at https://www.x-ways.net/winhex/upgrade.html for further instructions and download links.

WinHex 12.3 is still a free update for all users who purchased WinHex 11.26 or newer (e.g. online after March 2, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at greatly reduced prices at https://www.x-ways.net/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

NEXT COMPUTER FORENSICS CLASSES
San Francisco, CA: Aug 23-26 https://www.x-ways.net/signup_sanfrancisco.html
For more information please see https://www.x-ways.net/training.html .

-------------------------------------------------------------

WHAT'S NEW IN V12.3?

* It is now possible to include JPEG and PNG pictures in a contents table that are embedded in MS Word documents, PDF files, and thumbs.db thumbnail buffers. Such pictures can be found by their header signature. They are listed with generic names as "Embedded 1.jpg", "Embedded 2.png", etc. (since v12.25 SR-1, forensic license only)

* When examining files based on their contents only, where filenames, timestamps, deletion status and other metadata are of no relevance, you can now use the "Remove duplicates" command in the directory browser's context menu to remove duplicated files from a contents table, based on hash values (if hash values were calculated).

* Ability to invoke X-Ways Trace for Mozilla's/Firefox's browser history files "history.dat" and Opera's browser cache directory file "dcache4.url". A beta version of X-Ways Trace 2.0, which can now interpret these file types, is available from https://www.x-ways.net/trace/ .

* When copying/recovering files from the directory browser or via File Recovery by Name, the case log will now indicate whether you _copied_ an existing file or _recovered_ a deleted/lost file.

* Ability to output report tables in the report as flat vertical lists, which is preferable for printing, whereas for display in a browser on the screen the standard 3-dimensional output format is still useful. (since v12.25 SR-3)

* In File Recovery by Type, the output filename prefix may now optionally contain a placeholder "%d", which will be replaced by the drive name. Useful when you apply "File Recovery by Type" to multiple drives at the same time, to easily distinguish the files that originate from different drives, without consulting the log file.

* Some minor improvements and bug fixes.


#78: WinHex & X-Ways Forensics 12.25 released

June 2, 2005

This mailing is to announce a minor update, v12.25.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users please log in at https://www.x-ways.net/winhex/upgrade.html for further instructions.

WinHex 12.25 is a free update for all users who purchased WinHex 11.26 or newer (e.g. online after March 2, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at https://www.x-ways.net/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

COMPUTER FORENSICS CLASSES

Seattle, WA : Jun 14-17 https://www.x-ways.net/signup_seattle.html
San Francisco, CA : Aug 23-26 https://www.x-ways.net/signup_sanfrancisco.html

For more information please see https://www.x-ways.net/training.html .

-------------------------------------------------------------

WHAT'S NEW IN V12.25?

* There is now an alternative access method #2 that affects how physical hard disks are accessed under Windows 2000/XP. This method allows you to specify a timeout in milliseconds, after which read attempts will be aborted. This can be useful on disks with bad sectors, where an attempted read access to a single sector could otherwise cause a delay of many seconds or minutes. (since v12.2 SR-8)

* It is now possible to apply "File Recovery by Type" directly to physical memory. (since v12.2 SR-5)

* The display of record numbers and relative record offsets in the status bar, when record presentation is enabled, has been improved. Also there is now a Go To Record dialog, and Ctrl+Page Down/Up moves the cursor in units of the record size. (since v12.2 SR-6)

* There is now a template that interprets the header and attribute structure of FILE records in NTFS. The template can be reached via the Access button menu when a FILE record is displayed in sectors mode.

* The size of the case log can now be seen in the case properties and evidence object properties dialog windows. The log and all related screenshots can also be deleted from there. (since v12.2 SR-4)

* Up to 50 (instead of 32 previously) virtual logical drives can be opened at the same time (partitions from physical disks or image files).

* Up to 50 (instead of 32 previously) virtual physical disks can be opened at the same time (image files).

* Some other minor improvements and bug fixes.

The user manual has been updated as well.

* X-Ways Replica: v2.35 is an important update that fixes a bug in the MD5 implementation for data in excess of 256 MB.

 

#77: WinHex & X-Ways Forensics 12.2 released

May 2, 2005

This mailing is to announce a noteworthy update, v12.2.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users please log in at https://www.x-ways.net/winhex/upgrade.html for further instructions.

WinHex 12.2 is still a free update for all users who purchased WinHex 11.25 or newer (e.g. online after Jan 17, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at https://www.x-ways.net/winhex/upgrade.html. Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

COMPUTER FORENSICS CLASSES

Washington, DC : May 24-27 https://www.x-ways.net/signup_washington_dc.html
Seattle, WA : Jun 14-17 https://www.x-ways.net/signup_seattle.html
San Francisco, CA : Aug 23-26 https://www.x-ways.net/signup_sanfrancisco.html

For more information please see https://www.x-ways.net/training.html.

-------------------------------------------------------------

WHAT'S NEW IN V12.2?

* It is now possible to add files to newly created report contents tables that can be included in the report under unique names. This enables you to manage a large number of notable files in a more systematic way than in just a single generic table for noteworthy files. For example, you could gather relevant Internet Explorer favorite files in one table and revealing pictures in another. Use an evidence object's context menu to create a blank report contents table. (forensic license only)

* It is now possible to conveniently copy contents tables with the case data window's context menu. By working on copies you ensure that you don't lose original file listings when you remove irrelevant files in order to narrow down the list to possibly relevant files.

* In addition to simple, spanned, and striped volumes, WinHex now supports logical RAID 5 volumes on Windows 2000 dynamic disks. (specialist and forensic licenses only)

* WinHex can now internally destripe RAID 0 systems (physical hard disks or images) with up to 5 components and supports different RAID header sizes per component. This renders the use of a script that unstripes and exports RAID systems to a new image obsolete, and it saves time and drive space. First open the components, then try the Specialist | Assemble RAID System menu command. (specialist and forensic licenses only) The RAID configuration and the partitions defined in the RAID system can be saved as evidence objects, which allows you to access them instantly in later sessions. (forensic licenses only)

* When you find the start sector of a volume (e.g. lost partition) on a physical disk, WinHex can now make such a partition easily accessible via the Access button menu when you use the new menu command Tools | Disk Tools | Interpret As Partition Start.

* Previously, files with a known extension, but an unknown (not matching) file signature, were flagged in the contents table file only, with the word "unknown" in the Mismatch column, visible e.g. when opening in MS Excel. Such files are now flagged in the directory browser as well when a contents table with mismatch detection is loaded, with "(sign. unknown)" in the sortable Attr. column. (since v12.15 SR-6)

* .jpg, .gif, .png, etc. files that cannot be displayed as pictures because they are corrupt or have an incorrect extension now appear with an ASCII representation in the preview area instead of with the notice "This picture cannot be displayed.".

* In addition to exploring directories with the directory browser, it is now possible to open their data structures in a separate data window, i.e. directory entries in FAT and INDX records in NTFS. (see directory browser context menu, since v12.15 SR-4)

* A special file ".badblocks" is now displayed in the root directory of Ext2/Ext3 file systems. This file contains the bad blocks that the file system is aware of.

* On Ext2/Ext3, WinHex can now optionally list deleted files of which nothing is known but the name (no data, size, or dates).

* The evidence object's folder being the default output target for recovered files is now optional. (see case properties, since v12.15 SR-6)

* There is a new case option that automatically adds all partitions to a case as well when a physical disk is added.

* A new script command - StrToInt - converts integer numbers in ASCII into integer numbers encoded in binary. The new Release command decommits the memory associated with a variable and destroys the variable.

* Depending on the chosen parameters, the search functions in v12.15 SR-2 through SR-9 aborted prematurely. This was fixed.

* Cloning disks with bad sectors with both simultaneous I/O and log file creation activated caused WinHex to crash. This was fixed.

* Various other minor improvements and bug fixes.

The user manual has been updated as well.
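
What destriping a RAID 0 set with a different header size on each component involves, as an added example (not WinHex code or its script language). The stripe size, the member order, the header sizes and all function names are assumptions supplied by the examiner, and the member images are constructed test data.

```python
import io


def destripe_raid0(components, header_sizes, stripe_size, out):
    """Reassemble a RAID 0 volume from its member images.

    components   -- binary file objects in member order (assumed known)
    header_sizes -- bytes of RAID header to skip on each member
    stripe_size  -- bytes per stripe unit (assumed known)
    out          -- binary file object that receives the volume
    Returns the number of bytes written.
    """
    if len(components) < 2 or len(components) != len(header_sizes):
        raise ValueError("need >= 2 components and one header size each")
    if stripe_size <= 0 or any(h < 0 for h in header_sizes):
        raise ValueError("stripe size must be positive, header sizes >= 0")

    # Each member starts its data area after its own header.
    for member, header in zip(components, header_sizes):
        member.seek(header)

    written = 0
    while True:
        # One pass over the members restores one full stripe row.
        for member in components:
            unit = member.read(stripe_size)
            out.write(unit)
            written += len(unit)
            if len(unit) < stripe_size:
                return written  # end of data (short or empty final unit)


def stripe_raid0(volume, header_sizes, stripe_size, filler=b"\xAA"):
    """Build constructed member images from a volume (test data only)."""
    members = [bytearray(filler * h) for h in header_sizes]
    for i in range(0, len(volume), stripe_size):
        members[(i // stripe_size) % len(members)] += volume[i:i + stripe_size]
    return [bytes(m) for m in members]


def demo():
    """Round trip on constructed data with three different header sizes."""
    # Constructed volume: 2600 distinct 4-byte counters (10400 bytes).
    volume = b"".join(n.to_bytes(4, "big") for n in range(2600))
    headers, stripe = [0, 1024, 4096], 512
    members = stripe_raid0(volume, headers, stripe)

    good = io.BytesIO()
    destripe_raid0([io.BytesIO(m) for m in members], headers, stripe, good)

    # Same members, but one common header size assumed for all of them.
    bad = io.BytesIO()
    destripe_raid0([io.BytesIO(m) for m in members], [0, 0, 0], stripe, bad)
    return volume, good.getvalue(), bad.getvalue()


if __name__ == "__main__":
    volume, good, bad = demo()
    print("per-component headers:", good == volume)
    print("uniform header assumed:", bad == volume)
```

Reading the members in place like this avoids writing an intermediate unstriped image; hashing the reassembled stream and the untouched members separately keeps both verifiable.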
 

 

#76: WinHex & X-Ways Forensics 12.15 released

April 18, 2005

This mailing is to announce a noteworthy update, v12.15.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users please log in at https://www.x-ways.net/winhex/upgrade.html for further instructions.

WinHex 12.15 is a free update for all users who purchased WinHex 11.25 or newer (e.g. online after Jan 17, 2004). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at https://www.x-ways.net/winhex/upgrade.html. Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

COMPUTER FORENSICS CLASSES

Washington, DC : May 24-27 https://www.x-ways.net/signup_washington_dc.html
Seattle, WA : Jun 14-17 https://www.x-ways.net/signup_seattle.html
San Francisco, CA : Aug 23-26 https://www.x-ways.net/signup_sanfrancisco.html
For more information please see https://www.x-ways.net/training.html.

-------------------------------------------------------------

WHAT'S NEW IN V12.15?

* The RAM viewer/RAM editor so far was able to load the virtual memory of active processes. In addition to that, it is now possible to view/edit _physical_ RAM (under Windows 2000 and XP).

* Physical access to floppy disks under Windows 2000/XP is now 20% faster than before. Physical access to DVDs under Windows 2000/XP can now read protected sectors.

* Logical search operations can now optionally extract and decode the text contained in Adobe PDF documents, Corel WordPerfect (WPD), Corel Draw (CDR), and Microsoft Visio (VSD) files and search the plaintext automatically. Potential search hits in such files would otherwise be missed because these file types typically store text in an encoded, encrypted or otherwise garbled way. This feature requires the separate viewer component to be active for the decoding and text extraction part. (https://www.x-ways.net/forensics/viewer.html)

* Listings of search hits now usually allow you to open the corresponding file that contains the hit and (in the case of a logically found search hit) automatically jump to the search hit position. This is particularly useful for compressed files or files with search hits in decoded raw text only, where no physical disk offset corresponds to the search hits and could be shown. Both physical and relative (=logical) offsets are now displayed for logical search hits, if available, in separate columns.

* If many thousands of search hits or bookmarks were listed and highlighting was enabled, the display previously became rather slow. This problem has now been solved.

* Logical searches in directories now include the directory data itself, i.e. directory entries in FAT and INDX records in NTFS will be searched as well.

* Filesystem areas such as the file allocation table, Ext2/Ext3 inodes or the internal Reiser tree can now be logically searched in a convenient way via a new fictitious item named "Filesystem areas" in the directory browser, similar to "Free Space".

* When importing folders with hash set files, it is now possible to import these files into a single hash set in the internal database, that is, to unify them under one name.

* Importing folders with many hash set files into the internal hash database is now considerably faster. The same holds true for deleting hash sets from a very large internal database.

* Access to data in raw image files (since v12.1 SR-4) and evidence files has generally become somewhat faster.

* When loading very large files with the separate viewer takes too much time, you can now abort the process in a convenient way.

* Right-clicking a file in the directory browser (to bring up the context menu) no longer triggers the preview to refresh and possibly delay the context menu.

* There is now a legend that explains icons, colors, and attributes listed in the directory browser. (forensic licenses only, since v12.1 SR-2)

* There is now an optional column "File Type Category" in the directory browser. (forensic licenses only, since v12.1 SR-3)

* ATA password protection can now be detected on hard disks under Windows 2000 and XP by creating a Media Details Report (since v12.1 SR-4). If detected, the protection level is reported and whether or not the master password has been changed from factory default.

* Previous versions of X-Ways Forensics and WinHex allowed the user to enter a segment size for evidence files of up to 2047 MB. Under special circumstances a set of evidence files apparently could have become corrupt if this limit was fully or nearly utilized. This error can be easily detected because it results in the immediate error message "Incomplete image" when opening the image. Such corrupted images have to be reacquired. The new limit is 2025 MB, and such corruption would now already be detected when writing.

* In previous versions, initializing slack space on NTFS volumes potentially corrupted EFS-encrypted files. This was fixed.

* Many other minor improvements.

-------------------------------------------------------------

FAQ: HOW TO INSTALL THE UPDATE CORRECTLY?

Install the new version to the folder with your existing WinHex installation, using the setup program. There is no need for prior uninstalling. The existing installation must not be running when installing, of course. The setup program will warn you if your license no longer supports the new version as a free update, or if you need new license codes, before overwriting the existing installation.

FAQ: WHAT VERSION DID I ORIGINALLY PURCHASE?

The Help | About box tells you what version your license was issued for.

 

#75: WinHex & X-Ways Forensics 12.1 released

April 2, 2005

This mailing is to announce a major update, v12.1.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users please log in at https://www.x-ways.net/winhex/upgrade.html for further instructions.

WinHex 12.1 is still a free update for all users who purchased WinHex 11.15 or newer (e.g. online after Nov 8, 2003). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at https://www.x-ways.net/winhex/upgrade.html. Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

COMPUTER FORENSICS CLASSES

Washington, DC : May 24-27 https://www.x-ways.net/signup_washington_dc.html
Seattle, WA : Jun 14-17 https://www.x-ways.net/signup_seattle.html
San Francisco, CA : Aug 23-26 https://www.x-ways.net/signup_sanfrancisco.html

For more information please see https://www.x-ways.net/training.html.

-------------------------------------------------------------

WHAT'S NEW IN V12.1?

* We offer an add-on component that allows you to view more than 200 (!) file formats (such as MS Word/Excel/PowerPoint/Access/Works/Outlook, HTML, PDF, CorelDraw, StarOffice, OpenOffice, ...) directly in WinHex and X-Ways Forensics. For details please see https://www.x-ways.net/forensics/viewer.html. The viewer component can be used to view files in images or on logical drives in a separate window or conveniently in Preview mode. This add-on is now included in newly purchased forensic licenses and also made available at no additional cost to all owners of forensic licenses issued for v12.05. All other registered users can upgrade to a forensic license for v12.1 if they are interested in this new component. (https://www.x-ways.net/winhex/upgrade.html)

* A new internal hash database (forensic license only) allows for very quick matching. You may import existing NSRL RDS 2.x, HashKeeper, or ILook hash sets or create your own as before. When creating a contents table, you may now select hash sets in the database for matching individually. Known good files can still be filtered out automatically. However, corresponding hash sets and hash categories can now be seen directly in the directory browser, in new optional columns, which are sortable and thus allow you to manually filter out irrelevant files or address notable files specifically. The hash value itself is now shown in an optional column, too.

* Windows 2000/XP dynamic disks (with simple, spanned, and striped volumes) are now supported. (specialist and forensic licenses only)

* Evidence files created by WinHex are now compatible with other computer forensics programs.

* When creating compressed evidence files, the default compression is now a quick algorithm that saves time.

* The Create Disk Image dialog now offers the option to tolerate bad source sectors without interrupting the copy process and to select a substitute ASCII pattern for such sectors.

* The size of directories is now displayed even for FAT and NTFS file systems (NTFS: contents tables only).

* The deletion date is now visible in a new optional column for deleted files (file systems Ext2 and Ext3 only).

* The maximum number of contents tables that can be associated with an evidence object has been increased from 16 to 32. (since 12.05 SR-4)

* It is now possible to associate up to 32 externally stored search hits lists (.pos files) with an evidence object. The only search hit list internally stored in an evidence object (which was the default output for newly archived search hits in previous releases) is now considered the "main" one for search hits found to be relevant, moved there specifically from newly created external search hit lists. Only search hits in this main list will be included in a case report. (since 12.05 SR-4)

* There is now a command in the context menu of an evidence object that allows you to replace the object with a new image file, so that e.g. after previewing and imaging a physically connected disk you can continue to work with the same evidence object even when the disk itself is no longer available. (since 12.05 SR-8)

* The alternative disk access method is now faster on certain computers. (since 12.05 SR-9)

* New script commands: StrCat, GetUserInput, GetUserInputI (since 12.05 SR-11), and Terminate.

* Fixed: File signatures beyond the first 127 were previously ignored for filename/file type mismatch checks. The maximum number of file types supported in the File Type Signatures.txt file is still 255.

* Fixed: Scan for lost partitions failed with an error message in certain situations.

* Many other minor improvements.

 

 

#74: WinHex & X-Ways Forensics 12.05 released

February 23, 2005

This mailing is to announce a major update, v12.05.

WinHex download URL: https://www.x-ways.net/winhex.zip

Registered users please log in at https://www.x-ways.net/winhex/upgrade.html for more information.

WinHex 12.05 is a free update for all users who purchased WinHex 11.15 or newer (e.g. online after Nov 8, 2003). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at https://www.x-ways.net/winhex/upgrade.html . Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

WHAT'S NEW?

* Loading huge contents tables (with hundreds of thousands of items) into the directory browser is now considerably faster.

* There are new optional columns in the directory browser for the path and the record/inode modification date and time. Hidden columns (with a width of 0) can be unhidden via the dialog window that opens when you right-click the list header.

* The directory browser now has its own options dialog window. Grouping files and directories is now optional. $EFS streams of NTFS-encrypted files can now be listed in contents tables.

* The general Position Manager content and evidence-related annotations and search hits are no longer displayed in a separate dialog window, but in the same window as the actual data. Single-clicking items in the list of annotations or search hits conveniently jumps to that position in the sectors view.

* Search hits on logical drives/partitions or images of the same are now listed with filename and file path in separate columns, which are fully sortable. Forensic licenses optionally allow you to display a preview of the context of the search hits right within the Position Manager.

* Single-clicking items in the directory browser or case tree window is now sufficient for the screen to update.

* File Recovery by Type can now optionally recover files with individual, file type based default file sizes. This way you could e.g. recover large .mpg and small .jpg files at the same time.

* There is now a virtual file "free space" in the directory browser (root directory) that allows you to open, view, and search unallocated clusters in a convenient way. (specialist and forensic licenses only)

* You can now create a contents table using the logical search function. Each file with at least one hit for at least one of the keywords provided will be added to that contents table. This is a great way to narrow down huge contents tables to files with relevant content. (since v12.0 SR-4)

* It is now possible to open and search files via the directory browser optionally including their slack space (see directory browser options). (since v12.0 SR-11)

* WinHex can now explore archives in archives (i.e. up to the second level) when using the directory browser, when creating a contents table, and when searching logically. (forensic licenses only, since v12.0 SR-3)

* The creation of contents tables on NTFS drives with a minimum set of options selected is now considerably faster. (since v12.0 SR-?)

* There is now an option that allows you to simplify the user interface (reduce the menu structures) if the forensic interface (the case data window) is active. See Options menu.

* The search for formerly existing hard disk partitions (Disk Tools menu: Scan For Lost Partitions) can now optionally be applied to an entire hard disk or image, not only to currently unpartitioned space.

* There is now a "Sync" button that causes the file to which the currently displayed cluster is assigned to be auto-selected in the directory browser. The directory tree switches to that file's directory as well. Available with a forensic license only. (since v12.0 SR-11, improved in v12.05)

* An error was fixed in the SHA-1 and SHA-256 implementation for data in excess of 512 MB. (since v12.0 SR-9)

* An error was fixed in ReiserFS support.

* WinHex can now list NTFS reparse points (a.k.a. junction points) when exploring directories with the directory browser and when creating contents tables. (since v12.0 SR-4)

* The total size of files selected in the directory browser will now be displayed along with the number of selected items.

* Many other minor improvements.
 

 

#73: WinHex & X-Ways Forensics 12.0 released

January 4, 2005

This mailing is to announce a major update, v12.0.

Download URLs:
WinHex: https://www.x-ways.net/winhex.zip (all languages)
WinHex: https://www.x-ways.net/winhex-e.zip (English only)

X-Ways Forensics: registered users please log in at https://www.x-ways.net/winhex/upgrade.html to receive the URL

WinHex 12.0 is still a free update for all users who purchased WinHex 11.0 or newer (e.g. online after Aug 12, 2003). If you do not qualify any more, or if you are interested in a different license type, please find out more about online upgrading at https://www.x-ways.net/winhex/upgrade.html. Purchasing the current version (or upgrading) entitles you to receive updates released in the following 12 months or more at no cost.

-------------------------------------------------------------

WHAT'S NEW?

* There is now a directory tree for logical drives, partitions, and interpreted image files in the case tree window if a case is active. It interacts closely with the directory browser. (It is possible to work with the case tree window even without a forensic license, it's just not possible to open a saved case.)

* The directory tree allows you to explore directories recursively, i.e. list their contents including the contents of their sub-directories. Right-click a directory in the directory tree for that.

* Alternatively to the standard sector view and the gallery view, there is now a file preview and a calendar / timeline view for files selected in the directory browser. (forensic license only) The file preview feature checks for file type mismatches and shows either a picture or a raw ASCII text preview. The calendar offers a convenient graphical overview of when files in certain folders, with certain names or of certain types on a drive have been created, modified, or accessed.

* The gallery view now includes non-picture files and routinely checks the signature of files to detect filename/file type mismatches. Non-picture files are represented by an icon, the filename, filename extension, and the result of the signature check.

* Complete support for the ReiserFS file system. (forensic license only) When creating a contents table, WinHex can search and list not only existing, but also deleted files, such that they are recoverable via the directory browser. If you are looking for a way to undelete files on a Reiser partition based on file system data structures (not on file signatures), look no further.

* It is now possible to copy/recover files off a drive via the directory browser including their original path, by option (see General Options). The path will be recreated within the output folder.

* In the directory browser of an evidence object, you can now conveniently highlight files and mark them as noteworthy, thereby copying them to a dedicated contents table. These files will then also appear in the case report. Having them in a dedicated contents table allows you to copy/recover them in a single step at a later point in time or get a gallery overview of these files specifically.

* There is now a command in the directory browser's context menu that allows you to view the selected file with the external program associated with the file's extension.

* It is now possible to conveniently back up the currently active case in a ZIP archive, in its current state (without recovered files or image files).

* Full screen view of pictures is now more flexible and supports zooming in and out.

* Including the log in the automatically generated case report is now optional.

* Even on unsupported or badly corrupted file systems, WinHex can now fill the directory browser with files, namely with those found by file type signature. (since v11.9 SR-5)

* Many other minor improvements.
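
The filename/file type mismatch check that the gallery view and file preview perform, together with the separate "(sign. unknown)" flag that the v12.2 notes in this archive describe, sketched as an added example (not X-Ways code). The signature table, the status names other than "sign. unknown", the function names and the sample listing are constructed for illustration.

```python
# Constructed signature table for illustration; not X-Ways' own
# "File Type Signatures.txt" and far smaller than a real one.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}
ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def detect_type(header):
    """Return the type whose signature the data starts with, else None."""
    for ftype, magics in SIGNATURES.items():
        if header.startswith(magics):
            return ftype
    return None


def check_file(name, header):
    """Classify one file as (status, detected_type).

    match         -- extension and signature agree
    mismatch      -- signature belongs to a different known type
    sign. unknown -- known extension, signature matches no known type
    ext. unknown  -- extension not in the table (detected type still reported)
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    detected = detect_type(header)
    if ext not in SIGNATURES:
        return "ext. unknown", detected
    if detected == ext:
        return "match", detected
    if detected is None:
        return "sign. unknown", None
    return "mismatch", detected


def flag_listing(listing):
    """Return (name, status, detected) rows that need review, sorted by status."""
    flagged = []
    for name, header in listing:
        status, detected = check_file(name, header)
        renamed = status == "ext. unknown" and detected is not None
        if status in ("mismatch", "sign. unknown") or renamed:
            flagged.append((name, status, detected))
    return sorted(flagged, key=lambda row: (row[1], row[0]))


# Constructed listing: (filename, first bytes of the file).
SAMPLE = [
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("PHOTO.JPEG", b"\xFF\xD8\xFF\xE1\x00\x18Exif"),
    ("invoice.jpg", b"PK\x03\x04\x14\x00\x00\x00"),
    ("scan.png", b"\x00\x00\x00\x00damaged"),
    ("backup.dat", b"%PDF-1.4\n"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for row in flag_listing(SAMPLE):
        print(row)
```

Keeping "mismatch" and "sign. unknown" apart matters in review: the first usually means a renamed file, the second a corrupt, encrypted or simply uncatalogued one.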



FAQ: HOW TO INSTALL THE UPDATE CORRECTLY?

Install the new version to the folder with your existing WinHex installation, using the setup program. There is no need for prior uninstalling. The existing installation must not be running when installing, of course. The setup program will warn you if your license no longer supports the new version as a free update, or if you need new license codes, before overwriting the existing installation.

FAQ: WHAT VERSION DID I ORIGINALLY PURCHASE?

The Help | About box tells you what version your license was issued for.
 
