·.·. Computer forensics software made in Germany .·.·

WinHex & X-Ways Forensics Newsletter Archive


#106: WinHex, X-Ways Forensics and X-Ways Investigator 14.6 released

Dec 6, 2007

This mailing is to announce a major update, v14.6.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


London, Apr 22-Apr 24 http://www.x-ways.net/training/london.html
Chicago, Mar 31-Apr 4 http://www.x-ways.net/training/chicago.html
For more information: http://www.x-ways.net/training/



* Ability to completely access media, RAIDs and interpreted image files with more than 4.3 billion (2^32) sectors. Allows reading data from beyond the 2 TB barrier (2^32 sectors of 512 bytes) on media with a sector size of 512 bytes.

* Support for NTFS volumes that consist of more than 2^32 sectors (but fewer than 2^32 clusters). Other file systems on partitions that large are not yet specifically supported.

* Search terms can now be combined logically in the search term list in more flexible ways. In particular, using a NOT operator is now more convenient. To force a search term, select it and press the "+" key. To exclude a search term, select it and press the "-" key. To remove any + or -, press the Esc key. All of this is also available from the context menu of the search term list.

 A  B = search hits for A and search hits for B that occur in any files (normal OR combination)

+A  B = search hits for A and search hits for B that occur in files that contain A

+A +B = search hits for A and search hits for B that occur in files that contain both A and B

 A -B = search hits for A that occur in files that do not contain B

* A logical search can now be optionally applied to all _selected_ items, just as in X-Ways Forensics versions up to 13.7, via the directory browser context menu.

* Ability to attach external files to the volume snapshot and have them processed by X-Ways Forensics like regular files in the volume snapshot. Useful if you need to translate, decrypt, or convert original files and would like to reintegrate the result into the original volume snapshot, in the original path, for further examination, reporting, filtering, searches etc. Such external files are copied to the metadata directory, managed completely by X-Ways Forensics from then on, and marked as virtual files. To attach a file, right-click the original file that the external file is based on and invoke "Attach external file". It is recommended to name the new file based on the original file.

* When filling an evidence file container, two new options are now available: One option allows you to copy files to the container _partially_ only. This is possible if the file has been opened in File mode and a block is selected. Useful e.g. if there is a relevant search hit in the middle of a 2 GB swap file or of a 100 GB virtual free space file, and you would like to forward the context of that search hit to someone via a container, thereby excluding GBs of data that are not related.

* The other option allows you to copy _only_ the file system metadata of selected files to a container, omitting all file contents entirely, for example if you are not allowed to copy any file contents but the file system metadata and directory tree alone may already be helpful. When examining such a container, you can see the entire original directory structure, all filenames, timestamps, file sizes, attributes, deletion state, etc., and can use various filters.

* Ability to specifically deal with NTFS compression when searching for files via file header signatures (forensic license only). Allows automatically finding NTFS-compressed files of certain types even when their FILE records are no longer available. These files are also automatically decompressed for searching, hashing, File mode, Preview mode, the Recover/Copy command, etc.
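
Why NTFS compression matters for a signature search, as an added example (not X-Ways code): NTFS stores compressed files in compression units (16 clusters by default) made of LZNT1 chunks, so a carver that matches magic bytes at cluster boundaries sees a 2-byte chunk header and a flag byte where the file header should be. The Python below decodes LZNT1 chunks according to the layout Microsoft documents in MS-XCA and re-runs the signature check on the decoded bytes. The signature table and the compressed sample cluster are constructed for this example.

```python
"""Signature search that sees through NTFS (LZNT1) compression.

Added example, not X-Ways code. LZNT1 chunk layout per Microsoft's MS-XCA
documentation: a 2-byte little-endian header (bit 15 = compressed, bits 12-14
= signature value 3, bits 0-11 = chunk size - 1), then flag bytes, each
covering eight tokens: a literal byte, or a 16-bit back-reference whose
offset/length bit split depends on how much of the chunk is decoded so far.
"""
import struct
from typing import Dict, Optional, Tuple

CLUSTER = 4096

def lznt1_decompress(buf: bytes, max_out: int = 16 * CLUSTER) -> Optional[bytes]:
    """Decode consecutive LZNT1 chunks; None if buf does not look like LZNT1."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf) and len(out) < max_out:
        header, = struct.unpack_from("<H", buf, pos)
        pos += 2
        if header == 0:                      # end-of-stream marker
            break
        if (header >> 12) & 7 != 3:          # signature bits must be 011
            return None
        chunk_end = pos + (header & 0xFFF) + 1
        if chunk_end > len(buf):
            return None
        chunk_base = len(out)                # back-references never cross a chunk boundary
        if not header & 0x8000:              # stored chunk: raw bytes
            out += buf[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = buf[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:   # literal byte
                    out.append(buf[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    return None
                token, = struct.unpack_from("<H", buf, pos)
                pos += 2
                # 4 offset bits while fewer than 16 bytes are decoded, 5 below 32, ...
                written = len(out) - chunk_base
                len_mask, off_shift = 0xFFF, 12
                while written >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    written >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                if offset > len(out) - chunk_base:
                    return None              # reference before chunk start: corrupt data
                for _ in range(length):      # byte-wise so overlapping copies repeat
                    out.append(out[-offset])
    return bytes(out)

# constructed signature table (a real carver has hundreds of entries)
SIGNATURES: Dict[str, bytes] = {"pdf": b"%PDF-", "jpg": b"\xff\xd8\xff", "zip": b"PK\x03\x04"}

def match_at_start(data: bytes) -> Optional[str]:
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def carve_cluster(raw: bytes) -> Tuple[Optional[str], bytes, bool]:
    """Return (file type, file data, was_compressed) for a cluster-aligned block.
    Plain check first; if that fails and the block decodes as LZNT1, check the
    decoded bytes, which is what recovers compressed files without a FILE record."""
    kind = match_at_start(raw)
    if kind:
        return kind, raw, False
    plain = lznt1_decompress(raw)
    if plain:
        kind = match_at_start(plain)
        if kind:
            return kind, plain, True
    return None, raw, False

# constructed sample: one compressed chunk holding "%PDF-1.4\n" + 16 x "x":
# a flag byte with 8 literals, then a flag byte with literal "\n", literal "x"
# and a back-reference (offset 1, length 15). Zero padding to a full cluster
# doubles as the zero header that ends the stream.
COMPRESSED_PDF_CLUSTER = bytes.fromhex(
    "0db0"                        # header: compressed, signature 3, size 14
    "00 25 50 44 46 2d 31 2e 34"  # flags 0x00 + literals "%PDF-1.4"
    "04 0a 78 0c 00"              # flags 0x04: "\n", "x", token 0x000C
).ljust(CLUSTER, b"\x00")
```

The raw cluster fails the plain signature check (its first bytes are the chunk header), and the same bytes pass it after decoding; that is the difference between a carver that knows about NTFS compression and one that does not, and only the decoded data yields a usable file size and content for hashing or preview.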

* Now extracts metadata from JPEG, PNG, TIF, GIF, THM, ASF, WMV, WMA, MOV, GZ, and thumbs.db in Details mode in addition to many other file types that were supported earlier already.
Additional metadata is now extracted from PPT files. General further improvements for OLE2 compound files (e.g. pre-2007 MS Office files).

* When running a file header signature search, WinHex now automatically names Exif JPEG pictures after the model designation and time stamp as stored by the digital camera. (specialist license or higher)

* The internal creation timestamp that can be found in various file types can now be displayed in a separate new directory browser column, once extracted with a new context menu command ("Extract internal metadata") or once seen in Details mode. Thanks to this new column and the timestamp filter, it is now very easy to focus on files/documents that were originally created in a certain time period (not merely created in a particular file system/volume). Internally stored timestamps are usually less volatile than file system level timestamps and more difficult to manipulate retroactively. The supported file types are: OLE2 compound files (e.g. pre-2007 MS Office documents), PDF, MDI, ASF, WMV, WMA, MOV, various JPEG variants, THM, TIFF, PNG, GZ, SHD printer spool, PF prefetch, LNK shortcut, and Document-Summary alternate data streams.
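
To make the difference between file-system and internal timestamps concrete, here is an added example (not X-Ways code) that pulls the creation timestamp stored inside three of the listed formats, gzip (header MTIME), PDF (/CreationDate) and PNG (tIME chunk), and checks it against the file-system creation time: a file cannot legitimately have been created on a volume before its content existed. The sample files are constructed inline.

```python
"""Internal creation timestamps from gzip, PDF and PNG, compared with the
file-system creation time. Added example, not X-Ways code."""
import gzip
import re
import struct
import zlib
from datetime import datetime, timedelta, timezone
from typing import Optional

def gzip_internal_mtime(data: bytes) -> Optional[datetime]:
    # RFC 1952 header: ID1 ID2 CM FLG MTIME(4 bytes LE, Unix seconds) XFL OS
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None
    mtime, = struct.unpack_from("<I", data, 4)
    return datetime.fromtimestamp(mtime, tz=timezone.utc) if mtime else None

# PDF date string D:YYYYMMDDHHmmSSOHH'mm'; everything after the year is optional
_PDF_DATE = re.compile(
    rb"/CreationDate\s*\(D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    rb"([Zz+-])?(\d{2})?'?(\d{2})?'?\)")

def pdf_internal_creation(data: bytes) -> Optional[datetime]:
    if not data.startswith(b"%PDF"):
        return None
    m = _PDF_DATE.search(data)
    if not m:
        return None
    year, mo, d, h, mi, s, sign, oh, om = m.groups()
    fields = [int(v) if v else dflt for v, dflt in zip((mo, d, h, mi, s), (1, 1, 0, 0, 0))]
    tz = timezone.utc
    if sign in (b"+", b"-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == b"+" else -off)
    return datetime(int(year), *fields, tzinfo=tz)

def png_internal_mtime(data: bytes) -> Optional[datetime]:
    # PNG: 8-byte signature, then chunks of length(4 BE) type(4) data crc(4)
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tIME" and length == 7:        # tIME is defined as UTC
            y, mo, d, h, mi, s = struct.unpack(">HBBBBB", body)
            return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
        if ctype == b"IEND":
            break
        pos += 12 + length
    return None

def internal_creation_timestamp(data: bytes) -> Optional[datetime]:
    for probe in (gzip_internal_mtime, pdf_internal_creation, png_internal_mtime):
        ts = probe(data)
        if ts is not None:
            return ts
    return None

def check_against_filesystem(fs_created: datetime, data: bytes,
                             tolerance: timedelta = timedelta(minutes=1)) -> str:
    """Flag a file-system creation time that predates the internal one."""
    internal = internal_creation_timestamp(data)
    if internal is None:
        return "no internal timestamp"
    if fs_created + tolerance < internal:
        return "suspicious: file-system creation predates internal creation"
    return "consistent"

# ---- constructed samples (not real evidence) ----
SAMPLE_GZ_TS = datetime(2007, 12, 6, 14, 20, tzinfo=timezone.utc)
SAMPLE_GZ = gzip.compress(b"constructed payload", mtime=int(SAMPLE_GZ_TS.timestamp()))

SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (constructed)\n"
              b"   /CreationDate (D:20071206153000+01'00') >>\nendobj\n%%EOF\n")

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"tIME", struct.pack(">HBBBBB", 2007, 12, 6, 13, 5, 0))
              + _png_chunk(b"IEND", b""))

SAMPLE_FS_LATER = datetime(2007, 12, 7, tzinfo=timezone.utc)    # copied onto the volume later: normal
SAMPLE_FS_EARLIER = datetime(2007, 12, 1, tzinfo=timezone.utc)  # "created" before its content existed
```

The comparison is deliberately one-sided: a file-system creation time later than the internal one is the normal result of copying a file, so only the reverse order is flagged, with a small tolerance for clock drift between the machine that produced the file and the one that stored it.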

* Some metadata is now extracted from most PDF documents. Details available for Zip archives.

* The option to copy/append metadata to comments has been moved to the same new context menu command "Extract internal metadata".

* Ability to detect MS Office files (Word, Excel and PowerPoint) with Microsoft DRM (Digital Rights Management) or Oracle IRM applied. Such files are marked with e! in the Attribute column, just as files that are encrypted by their own file format are. Requires the latest version of the viewer component.

* The hash set column now comes with a filter that allows you to focus more conveniently on files whose hash values are contained in selected hash sets, or on files whose hash values are not contained in selected hash sets.

* When using the Recover/Copy command, overlong paths are now truncated and rendered legal if shortening the last path component can achieve that. Any file whose path is still longer than 259 characters after this attempt will, as before, not be copied but associated with a report table instead (so that such files can be conveniently addressed and copied separately without their path), because Windows could not deal with such a file anyway.

* Support for multiple daylight saving variants in the same time zone in different years. Predefined for USA, Canada, (Western) Australia, and New Zealand with recent daylight saving changes in mind. Additions and corrections welcome.

* UTC-based timestamps displayed in the registry viewer and in the registry report now respect the "Show time zone bias" option so that it's obvious if and how they have been converted to local time. The same time zone settings as for the active case are used.
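
The two preceding items (year-dependent daylight saving rules, and showing the bias that was applied when converting a UTC timestamp) are illustrated by the following added example, which is not X-Ways code. It converts NTFS FILETIME values to local time with the two US rule sets (pre-2007 and 2007 onwards) hard-coded, and prints the bias next to the result. The Central time zone offset and the sample timestamps are assumptions made for the example.

```python
"""NTFS FILETIME (UTC) to local time with year-dependent daylight saving rules,
printed with the applied bias. Added example, not X-Ways code; it hard-codes
the two US rule sets and assumes US Central time for the samples."""
import calendar
from datetime import datetime, timedelta, timezone
from typing import Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def _nth_sunday(year: int, month: int, n: int) -> int:
    """Day of month of the n-th Sunday; n = -1 means the last Sunday."""
    first_sunday = 1 + (6 - calendar.weekday(year, month, 1)) % 7   # Monday=0 .. Sunday=6
    if n > 0:
        return first_sunday + 7 * (n - 1)
    last_day = calendar.monthrange(year, month)[1]
    return last_day - (calendar.weekday(year, month, last_day) + 1) % 7

def us_dst_window(year: int) -> Tuple[datetime, datetime]:
    """DST start and end of the given year as naive standard-time wall clock.
    1987-2006: first Sunday of April 02:00 to last Sunday of October 02:00 DST.
    2007 onwards: second Sunday of March 02:00 to first Sunday of November
    02:00 DST. (02:00 DST at the end equals 01:00 standard time.)"""
    if year >= 2007:
        return (datetime(year, 3, _nth_sunday(year, 3, 2), 2),
                datetime(year, 11, _nth_sunday(year, 11, 1), 1))
    return (datetime(year, 4, _nth_sunday(year, 4, 1), 2),
            datetime(year, 10, _nth_sunday(year, 10, -1), 1))

def to_local(utc: datetime, std_offset_hours: int,
             std_abbr: str, dst_abbr: str) -> Tuple[datetime, str]:
    std = timedelta(hours=std_offset_hours)
    wall_std = (utc + std).replace(tzinfo=None)      # what a standard-time clock shows
    start, end = us_dst_window(wall_std.year)
    if start <= wall_std < end:
        return utc.astimezone(timezone(std + timedelta(hours=1))), dst_abbr
    return utc.astimezone(timezone(std)), std_abbr

def describe(ft: int, std_offset_hours: int = -6,
             std_abbr: str = "CST", dst_abbr: str = "CDT") -> str:
    """Local time plus the bias that was applied, so the reader can tell how
    the UTC value was converted (the point of a 'show time zone bias' option)."""
    local, abbr = to_local(filetime_to_utc(ft), std_offset_hours, std_abbr, dst_abbr)
    bias = local.strftime("%z")                      # e.g. -0500
    return f"{local:%Y-%m-%d %H:%M:%S} {abbr} (UTC{bias[:3]}:{bias[3:]})"

# constructed samples: the same calendar day one year apart, on either side
# of the 2007 US rule change (DST in 2007 already began on March 11)
SAMPLE_FT_2007 = utc_to_filetime(datetime(2007, 3, 20, 12, 0, tzinfo=timezone.utc))
SAMPLE_FT_2006 = utc_to_filetime(datetime(2006, 3, 20, 12, 0, tzinfo=timezone.utc))
```

A single fixed DST rule would convert one of the two samples wrongly by an hour, which is exactly the kind of error that shifts a file event across a day boundary in a timeline.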

* When analyzing small amounts of data (<50000 bytes) with Tools | Analyze Data, the compression ratio that zlib achieves for that data is now displayed in the analysis window caption.

* Attachments in original .eml e-mail message files (not virtually produced by X-Ways Forensics itself) can now be extracted if you add *.eml to the series of file masks for e-mail extraction.

* Sectors mode is now labeled either Disk, Partition, Volume, or Container, depending on the nature of the medium/image represented by the data window.

* Ability to find files via file header signatures and recover or merely list them with file sizes larger than 2 GB.

* Both File Header Signature Search and File Recovery by Type now distinguish between default file sizes that are used if the internal algorithm does not support a certain file type and a maximum file size that limits the attempt of the internal algorithm to find the end of files of specially supported file types.

* Ability to create partial raw images and .e01 evidence files by specifying a sector number that is not the last sector on the disk as the last sector to copy.

* Support for .e01 evidence files that consist of more than 512 segments.

* Greatly reduced memory requirement for .e01 evidence files that consist of a lot of segments.

* Cases now remember for each evidence object an optional alternative path where additional image file segments are stored. That means you do not have to pick the additional path each time you open the evidence object. Useful if your images are too large to fit on the same drive (letter).

* Ability to securely wipe inactive directory entries on FAT volumes, to thoroughly remove traces of previously existing files or earlier names/locations of existing files from the file system. Tools | Disk Tools | Initialize Directory Entries. (still testing) Useful especially in conjunction with the command to initialize all free space. Available in WinHex only, not in X-Ways Forensics.
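
What such a command has to deal with, as an added example that is not X-Ways code: a deleted FAT directory entry keeps everything except its first byte (set to 0xE5), so the rest of the 8.3 name, the long file name parts, the first cluster and the size all survive. The Python below parses a directory cluster, lists those traces, and then wipes them. The one detail worth knowing is the marker byte: a wiped slot must keep 0xE5, because a 0x00 there tells FAT drivers that no later entry is in use and would hide every active file behind it. The directory cluster is constructed inline.

```python
"""Parse a FAT directory cluster, list what deleted entries still reveal, and
wipe those traces the way an 'initialize directory entries' function would.
Added example, not X-Ways code; the directory cluster below is constructed."""
import struct
from typing import Dict, List

ENTRY = 32
ATTR_LFN = 0x0F        # long-file-name entry (attribute byte 11)
FREE = 0xE5            # first byte of a deleted / free entry
END = 0x00             # first byte: this and all following entries never used

def _lfn_text(e: bytes) -> str:
    # 13 UTF-16LE characters per LFN entry at bytes 1..11, 14..26, 28..32;
    # byte 13 holds a checksum of the 8.3 name and is skipped here.
    raw = (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le", errors="replace")
    return raw.split("\x00", 1)[0].rstrip("\uffff")

def parse_directory(cluster: bytes) -> List[Dict]:
    entries, pending_lfn = [], []
    for off in range(0, len(cluster) - ENTRY + 1, ENTRY):
        e = cluster[off:off + ENTRY]
        if e[0] == END:
            break
        deleted = e[0] == FREE
        if deleted and not any(e[1:]):
            continue                          # free slot without traces
        if e[11] == ATTR_LFN:                 # LFN parts precede the 8.3 entry, last part first
            pending_lfn.append(_lfn_text(e))
            continue
        name = (b"?" + e[1:8] if deleted else e[:8]).decode("ascii", "replace").rstrip(" \x00")
        ext = e[8:11].decode("ascii", "replace").rstrip(" \x00")
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"offset": off, "deleted": deleted,
                        "short_name": name + ("." + ext if ext else ""),
                        "long_name": "".join(reversed(pending_lfn)),
                        "first_cluster": (hi << 16) | lo, "size": size})
        pending_lfn = []
    return entries

def wipe_inactive_entries(cluster: bytes) -> bytes:
    """Overwrite deleted entries and the never-used tail. The 0xE5 marker is
    kept: a 0x00 in the middle would make drivers stop reading the directory
    and hide every active entry that follows."""
    buf = bytearray(cluster)
    for off in range(0, len(buf) - ENTRY + 1, ENTRY):
        if buf[off] == END:
            buf[off:] = bytes(len(buf) - off)       # slack behind the end marker
            break
        if buf[off] == FREE:
            buf[off + 1:off + ENTRY] = bytes(ENTRY - 1)
    return bytes(buf)

# ---- constructed directory cluster ----
def _sfn_entry(name83: bytes, attr: int, cluster: int, size: int, deleted: bool = False) -> bytes:
    e = bytearray(ENTRY)
    e[0:11] = name83.ljust(11)
    e[11] = attr
    struct.pack_into("<H", e, 20, cluster >> 16)
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    if deleted:
        e[0] = FREE
    return bytes(e)

def _lfn_entries(long_name: str, deleted: bool = False) -> bytes:
    parts = [long_name[i:i + 13] for i in range(0, len(long_name), 13)]
    out = b""
    for n, part in reversed(list(enumerate(parts, 1))):
        chars = part.encode("utf-16-le")
        if len(part) < 13:
            chars += b"\x00\x00" + b"\xff" * (24 - len(chars))
        e = bytearray(ENTRY)
        e[0] = FREE if deleted else n | (0x40 if n == len(parts) else 0)
        e[1:11], e[14:26], e[28:32] = chars[0:10], chars[10:22], chars[22:26]
        e[11] = ATTR_LFN
        out += bytes(e)
    return out

SAMPLE_DIR = (_sfn_entry(b"README  TXT", 0x20, 5, 1200)
              + _lfn_entries("Secret Plans.docx", deleted=True)
              + _sfn_entry(b"SECRET~1DOC", 0x20, 9, 48213, deleted=True)
              + bytes(ENTRY * 4))
```

Before the wipe the deleted file is fully reconstructible (long name, start cluster, size); afterwards the directory still lists the active file and nothing else, and the old name no longer occurs anywhere in the cluster. Wiping the entries is of course only half of it, which is why the item above pairs this with initializing free space.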

* Parsing the NTFS system file $LogFile for Preview/View is now considerably faster.

* MFT auto coloring now optionally even works on corrupt partitions that are no longer recognized as NTFS volumes and on physical media.

* It is now possible to more conveniently categorize files (i.e. associate them with report tables) using keyboard shortcuts. Try Ctrl+1, Ctrl+2, ..., Ctrl+9 to create report table associations for selected files. Alternatively, if NumLock is activated, the numpad keys can also be used, on most computers at least. You can assign these keyboard shortcuts to your most important report tables yourself by pressing the keys in the dialog window for report table associations. The assigned shortcuts will be remembered by the case.

* The internal creation and modification date available in evidence file containers created by X-Ways Forensics 14.5 and later can now be seen in the evidence object properties when a container is added to a case. Also you can now easily tell from the properties whether an evidence file container is considered secure (filled with the indirect method) or not.

* When adding a container to a case that contains an internal description, that description is now shown in a message box in addition to the evidence object properties. That is useful because this field allows the preparer of a container to send messages/instructions/hints/comments to the recipient.

* Seconds in timestamps can now optionally be displayed with up to 3 decimal places in the directory browser, wherever that precision is available (e.g. NTFS and Reiser4 file systems and partially in FAT).

* File sizes can now optionally be always displayed in bytes in the directory browser rather than in KB, MB, or TB.

* It is now possible to recursively tag selected directories in an already recursive list.

* Item numbers in the directory browser are now 1-based instead of 0-based.

* An additional column displays the internal ID of the parent directory of a file or directory. Useful e.g. when exporting a list of files and directories to uniquely identify directories if there are name collisions.

* Fixed inability to create the case report when not overwriting an existing file. (since v14.5 SR-1)

* Files in archives in containers were displayed in the gallery only with an icon instead of a thumbnail despite the option in General Options. This was fixed. (since v14.5 SR-1)

* Fixed output of garbage characters in the comments field in the case report. (since v14.5 SR-2)

* Improved detection of circular links in the directory tree of file systems. (since v14.5 SR-3)

* Many other minor improvements, some smaller bug fixes.


An update to the viewer component (v8.2) is available for download to owners of X-Ways Forensics with current update maintenance since Nov 14, 2007. Please see below for caveats. The update comes with the following changes:

* Concerning MS Office 2007, Word, Excel and PowerPoint, there is now viewing support for more Office Art, including line styles, fills, and shapes. Text Extraction of Smart Art objects.

* Concerning Star Office / Open Office Calc 2.x / 8.0 and 6.0: Extends support for viewing and transformation of Calc 2.x / 8.0 and 6.0 beyond text only. This filter now supports character attributes (bold, underlined, color) and paragraph attributes (alignment, tabs, spacing, borders, hidden, revisions). It does not yet support embedded graphics.

* Concerning Star Office / Open Office Writer 2.x / 8.0 Embedded graphics: Supports viewing and conversion of embedded graphics in Writer 2.x / 8.0 except for draw objects in Star Office.

* Supports viewing Yahoo! Instant Messenger 8.x files.

* Fully verified support to view the 2007 versions of Outlook and Exchange related formats: MSG, PST.

* The display of pictures is now noticeably faster.

* When printing a file and printing the path in the header line (%P), umlauts (öüä) and probably other codepage-dependent characters from other languages in the filename were not displayed correctly. This was fixed.

* Certain corrupt HTML files caused problems. The viewer component could display the top of the document, but then it froze, and also froze X-Ways Forensics. Analogous problems occurred when decoding certain corrupt HTML files for logical searches or indexing. This was fixed.

* In certain .msg e-mail message files, the message body was not readable in the viewer component. There was a clickable link that opened a new window where the message text was displayed in black on a very dark blue background, hardly noticeable. The same files could be viewed normally in MS Outlook. This was fixed.

* The viewer component completely froze when it tried to view certain (truncated or corrupt) OpenOffice documents. This was fixed.

* It was not possible to use the search functionality in the viewer component to find text with German umlauts (öüä) or other characters outside of 7-bit ASCII. This affected plain text files for whose display options the Windows (ANSI 1252) character set has been selected and special file types like MS Word documents. This was fixed.

* Certain .eml e-mail message files based on certain code pages (like Japanese iso-2022-jp) previously could not be viewed correctly. This was fixed.

* Another important change if you use X-Ways Forensics and the viewer component on live machines is that the viewer component now stores its configuration/settings in the Windows profile (\Application Data\.oit) of the logged-on user instead of in the Windows system registry. To avoid writing files to the media of a live system that you would like to examine, do not activate the viewer component in X-Ways Forensics and make sure it's not located in the \viewer subdirectory of X-Ways Forensics on e.g. the external USB device from which you plan to run X-Ways Forensics, where the viewer component might be found and activated automatically by X-Ways Forensics.

* This version requires msvcr80.dll from the Microsoft Visual C++ 2005 SP1 Redistributable Package. This package can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=200b2fd9-ae1a-4a14-984d-389c36f85647&DisplayLang=en (2.6 MB). On many Windows computers it is installed already, under C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_*. On other Windows computers you need to install it before you are able to use v8.2 of the viewer component.

* Other than the above, you simply extract the files to a directory of your choice and point X-Ways Forensics to that directory under Options | Viewer Programs.

IMPORTANT: Some rare files of various types that could be viewed normally in v8.1.9 cannot be viewed any more in v8.2 and may provoke an exception error in X-Ways Forensics. This is still being investigated, and we will post a message in the Announcement section of the forum when there is something new to report. For the time being, because of the above, the update is recommended only to benefit from the strengthened stability when decoding the text of corrupt HTML and OpenOffice files for logical searches or indexing. If it weren't for that new error, installing the viewer component update would be highly recommended because of the various fixes and improvements.

#105: WinHex, X-Ways Forensics and X-Ways Investigator 14.5 released

Nov 2, 2007

This mailing is to announce a noteworthy update, v14.5.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Chicago, Mar 31-Apr 4 http://www.x-ways.net/training/chicago.html
London, Apr 22-24 http://www.x-ways.net/training/london.html
For more information: http://www.x-ways.net/training/



* Reading from multi-session CDs and DVDs has become considerably faster because WinHex and X-Ways Forensics now skip blank sectors. The difference will be noticeable e.g. when imaging, hashing, and searching such media.

* More information on optical media in the technical details report.

* It is now possible to assemble RAID systems that consist of up to 16 instead of 10 component disks.

* One additional RAID 5 pattern is now supported: Forward Dynamic Parity, a.k.a. Right Synchronous, one of the four algorithms used in software RAIDs under Linux. The other three Linux algorithms are supported by X-Ways Forensics already.

* Ability to specify a non-standard parity start component disk. E.g. Intel SRCU42L RAID controllers use a disk other than No. 1 for their forward parity pattern.
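
The two RAID items above (parity rotation patterns and a non-standard parity start disk) are easiest to understand as a mapping from logical chunk to (component disk, stripe). The following added example, which is not X-Ways code, implements that mapping with two switches, forward/backward parity rotation and dynamic/static data placement (Linux md calls these right/left and symmetric/asymmetric), plus a configurable parity start disk, and rebuilds the virtual disk from the components, including the case of one missing component reconstructed from parity. The three-disk array and its data are constructed for the example.

```python
"""Map logical RAID-5 chunks to (disk, stripe) for the four rotation patterns
and rebuild the virtual disk, including from a missing component via parity.
Added example, not X-Ways code."""
from typing import List, Optional, Tuple

def parity_disk(stripe: int, n: int, forward: bool, parity_start: int) -> int:
    # forward: parity walks 0, 1, 2, ... from parity_start; backward: it walks down
    return (parity_start + stripe) % n if forward else (parity_start - stripe) % n

def stripe_layout(stripe: int, n: int, forward: bool, dynamic: bool,
                  parity_start: int) -> Tuple[int, List[int]]:
    """(parity disk, data disks in logical order) for one stripe."""
    p = parity_disk(stripe, n, forward, parity_start)
    if dynamic:     # Linux 'symmetric': data continues on the disk after parity and wraps
        data = [(p + 1 + i) % n for i in range(n - 1)]
    else:           # Linux 'asymmetric': data fills disks left to right, skipping parity
        data = [d for d in range(n) if d != p]
    return p, data

def locate(chunk: int, n: int, forward: bool, dynamic: bool, parity_start: int) -> Tuple[int, int]:
    """Logical chunk number -> (component disk, physical stripe)."""
    stripe, idx = divmod(chunk, n - 1)
    _, data = stripe_layout(stripe, n, forward, dynamic, parity_start)
    return data[idx], stripe

def xor_all(blocks: List[bytes]) -> bytes:
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)

def build_array(data: bytes, n: int, cs: int, forward: bool, dynamic: bool,
                parity_start: int) -> List[bytes]:
    """What a controller does on write; used here only to fabricate images
    with correct parity for the example."""
    per_stripe = (n - 1) * cs
    data += bytes(-len(data) % per_stripe)
    stripes = len(data) // per_stripe
    disks = [bytearray(stripes * cs) for _ in range(n)]
    for chunk in range(len(data) // cs):
        d, s = locate(chunk, n, forward, dynamic, parity_start)
        disks[d][s * cs:(s + 1) * cs] = data[chunk * cs:(chunk + 1) * cs]
    for s in range(stripes):
        p, dd = stripe_layout(s, n, forward, dynamic, parity_start)
        disks[p][s * cs:(s + 1) * cs] = xor_all([disks[d][s * cs:(s + 1) * cs] for d in dd])
    return [bytes(d) for d in disks]

def reassemble(disks: List[Optional[bytes]], cs: int, forward: bool, dynamic: bool,
               parity_start: int) -> bytes:
    """Virtual disk from the components; None marks a missing component."""
    n = len(disks)
    present = [d for d in disks if d is not None]
    if len(present) < n - 1:
        raise ValueError("RAID 5 tolerates exactly one missing component")
    stripes = len(present[0]) // cs
    out = bytearray()
    for chunk in range(stripes * (n - 1)):
        d, s = locate(chunk, n, forward, dynamic, parity_start)
        if disks[d] is not None:
            out += disks[d][s * cs:(s + 1) * cs]
        else:   # missing disk: XOR of every other disk's chunk in this stripe
            out += xor_all([disks[o][s * cs:(s + 1) * cs] for o in range(n) if o != d])
    return bytes(out)

# constructed data: 24 bytes = 6 chunks of 4 bytes on 3 disks (2 data + 1 parity
# per stripe), written with Forward Dynamic Parity (Linux right-symmetric)
SAMPLE_DATA = bytes(range(24))
SAMPLE_DISKS = build_array(SAMPLE_DATA, 3, 4, forward=True, dynamic=True, parity_start=0)
```

Picking the wrong pattern does not fail loudly: with three disks the static and dynamic variants place the data identically in two of every three stripes, so a volume may even mount and only show garbage in some files. Checking a known structure (file system metadata, or a file whose hash is known) across several stripes is the practical test that the chosen layout and parity start disk are right.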

* If physical "superfloppy" media (unpartitioned, consisting of just a single volume) are imaged as .e01 evidence files, these files will now be marked as evidence files of logical volumes instead of physical disks. This avoids the unnecessary inclusion of an additional physical evidence object when adding such an evidence file to a case.

* In the case report, report table cells can now optionally have borders and padding. The font size used in report tables and in the log is now user-definable. You can save space/paper if you decrease the font size (e.g. 10 points instead of the default of 12).

* When including report tables in the report, comments on files are no longer truncated.

* It's now possible to remove physical evidence objects from the case that have child objects (partitions) without having to remove the child object first.

* A "Save As" command was introduced for cases, which allows to save the case with a new internal case filename and/or in a different directory. When using this command, the entire case subdirectory will be copied, too. Available also for a case that was opened as read-only by the user if that happened voluntarily and not because of password protection.

* When working with a case opened in read-only mode, the user is now reminded of that whenever the auto-save interval elapses and when an evidence object whose volume snapshot has changed is about to be closed. Useful when working in read-only mode inadvertently, e.g. after having decided to open a case that was not properly closed in read-only mode, without actually understanding the consequences.

* An evidence file container can now optionally store the name of its creator. The internal designation of a container can now contain up to 63 characters instead of 31. A container now internally records its creation date and time as well as its last modification date and time.

* User-defined metadata in OLE2 compound files, as used e.g. when exporting documents in OpenOffice as MS Office file types, can now be seen in Details. More OLE2 metadata and in particular metadata from MS Word documents are now extracted.

* Better tailored metadata for inclusion in comments. Metadata can now be extracted from .mdi files (MS Office document imaging) and .wi (Windows Write). Further file formats will be supported in v14.6.

* Ability to use the directory browser and preview files during an ongoing volume snapshot refinement if that operation is paused, to check the preliminary results (e.g. to verify that the settings used for the file header signature search have the desired effect).

* The process of listing the clusters allocated to huge files can now be greatly accelerated by omitting the clusters in the middle of a series of contiguous clusters from the list. Each omission is indicated by a special line in square brackets, where the number of omitted clusters is specified. Since the number of the last cluster in a fragment is still listed, it is easy to navigate to the end of each fragment. This new option can be found in the context menu of a cluster list and takes effect on the next cluster list that is brought up.

* The lower word length limit in indexing has been decreased from 3 to 2 to allow for 2-character searches in Chinese if required by the user in certain cases (e.g. for names).

* Fixed an error that could prevent complete index optimization if that process had been aborted before.

* According to Oracle, v8.2 of the viewer component should be out in the next couple of days. Once available, you will see a posting in the Announcements section of the forum (http://www.x-ways.net/cgi-bin/discus/show.cgi?tpc=1&post=11065) and a notice in the download instructions that you can retrieve from http://www.x-ways.net/winhex/license.html.

* Several other minor improvements.

* More robust when extracting thumbnails from thumbs.db files. (since v14.4 SR-1)

* When creating a container in "direct" mode, X-Ways Forensics now continues filling it despite read errors and merely reports what files could not be copied. (since v14.4 SR-1)

* Fixed instability issue with long paths. (since v14.4 SR-2)

* Last access and last modification date+time were swapped when viewing Windows .lnk shortcut files. This was fixed. (since v14.4 SR-2)

* .eml files in report tables are now internally linked from within the case report with a .txt extension, which allows to view them in Internet Explorer. (since v14.4 SR-2)

* Avoids file cache problem in Windows Vista when working with large image files. (since v14.4 SR-2)

* If only skin color percentages were computed and nothing else was changed in the volume snapshot since opening an evidence object, X-Ways Forensics would not save the skin color percentages when closing the evidence object. This was fixed. (since v14.4 SR-2)

* Fixed an error with very long filenames in thumbs.db. (since v14.4 SR-3)

* Fixed search hit preview length for DBCS code pages. (since v14.4 SR-3).

#104: WinHex, X-Ways Forensics and X-Ways Investigator 14.4 released

Sep 20, 2007

This mailing is to announce a noteworthy update, v14.4.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Hong Kong: 22-26 Oct http://www.x-ways.net/training/hong_kong.html
Singapore: 17-19 Dec http://www.x-ways.net/training/SGP.html
For more information: http://www.x-ways.net/training.html



* Ability to extract e-mail messages and attachments from AOL PFC files. (forensic license only) Note that if these files have no extension, only a signature check will identify them as PFC files.

* Can now extract embedded files from MHT Web Archives if you append ";*.mht" to the series of file masks for e-mail extraction. (forensic license only)

* NTFS permissions can now be seen in Details mode.

* The internals of the NTFS file system journal $LogFile can now be viewed with the View command and in Preview mode.

* For NTFS volumes, the Technical Details Report now shows the volume GUID, the NTFS version number, and the volume flags.

* Windows Prefetch files can now be conveniently viewed.

* For Windows shortcut files (.lnk), any MAC addresses shown are now definitely MAC addresses. The creation date+time of the target's object ID is now also shown. Volume ID, birth volume ID and object ID are now displayed in special GUID notation.

* There is now an option to copy/append file metadata to the comments of selected files, when editing the comments, which allows to later filter by this metadata with the comments filter, to export the metadata with the Export List command, and to output it with a report table in a case report. (forensic license only) Metadata can be extracted from Windows shortcut files (.lnk), OLE2 compound files (e.g. pre-2007 MS Office), and .shd printer spool files. More file types to be added in the future.

* The buffer size for comments in the case report has been increased. Line breaks in comments are now converted to HTML line breaks for the case report.

* More space for the user-specified comments on a file when printing with a cover page.

* It's now possible to conveniently send the files in an evidence object's volume snapshot to an external virus scanner. (forensic license only) Infected files will be added to a report table named "Virus suspected". The command can be found in the Specialist menu. Please see the program help for details.

* It is now possible to export report table associations when creating a container, so that the recipient of the container can already see classifications such as "notable", "invoice", "family", "bomb construction", etc. when adding the container to a case.

* Files that were recognized as irrelevant with the help of the hash database can now be optionally excluded from further volume snapshot refinement operations. This has an immediate effect if hash database matching is selected at the same time with other options such as skin color computation, search for embedded pictures etc.

* In a search hit list, it is now possible to recover/copy the files that contain the selected search hits automatically into subdirectories that are named based on the respective search term. For that, please try the new third state of the checkbox entitled "Recreate full original path".

* There is a new command in the Position submenu of the context menu in the search hit list of a volume that allows to conveniently exit the search hit list and navigate to the respective file in its directory.

* Search hits based on code page 1251 (Cyrillic) are now displayed correctly in the search hit list. (since v14.3 SR-5)

* Manually mixing different index .xfi files in the same index subdirectory (undocumented feature) now works reliably. That way you can, e.g., have multiple indexes based on the same character set, like an index of words (a-zA-Z) and an index of numbers (0-9), and search all of them simultaneously. (since v14.3 SR-4)

* Empty indexes with no words will no longer be saved as xfi files. As a result, there will be no annoying error messages about empty indexes any more when searching an index. An evidence object's index may be empty e.g. if you index tagged files only and the tagged files do not contain any text, have a size of zero bytes, etc.

* It is now possible to optionally include substrings in index searches from the case root. The option to include substrings in indexes did not work for Unicode in the original v14.3 release. This was fixed with v14.3 SR-1.

* In substring-enabled indexes created with v14.3 SR-1 and later, XWF can now optionally search for whole words only (more precisely, beginnings of words). This prevents finding e.g. "card" in "bankcard". Useful if there are too many hits in such solid compound words and you are more interested in the word as a whole word.

* Fixed an error that could occur when running an index search from the case root window.

* Fixed an error that could occur under certain circumstances when starting indexing.

* Ability to copy selected data as hex values in GREP notation.

* Under Windows Vista, the lower half of a decoupled data window no longer becomes invisible when reintegrated in the main window.

* When extracting embedded JPEG files from other files, X-Ways Forensics is now more strict when deciding what actually is a JPEG file and what only looks like one.

* Including directories in a recursive view is now a 3-state option. In its middle state, real directories are not included, but archives treated as directories are.

* The internal file header signature search algorithm can now automatically detect the original size of Outlook PST, AOL PFC, Prefetch, EMF, and SPL files.

* Ability to find additional sessions on multi-session CDs burned with Roxio software with a thorough file system data structure search if CDFS does not co-exist with UDF.

* Ability to understand certain dynamic disks created by Windows Vista that are incompatible with earlier Windows versions.

* Full support for NTFS volumes with exotic FILE record sizes. (since v14.3 SR-5)

* If the viewer component freezes when decoding the text in a file for the logical search or for indexing, X-Ways Forensics will now continue with the next file after a timeout period has expired, and will add the offending file to the report table "Unable to decode text."

* A Japanese translation of the user interface of X-Ways Forensics is now available from our Japanese reseller, Data Recovery Center.

* Maximum number of report tables in a case now 100 instead of 64.

* Earlier versions of X-Ways Forensics left it to the user to decide whether to search for file header signatures in partitioned space on a physical partitioned evidence object as part of the Refine Volume Snapshot operation. This option has been removed, and the search is now run in partitioned space only within the partitions themselves, to avoid unnecessary duplication.

* Further limitations of the reduced user interface of X-Ways Investigator can now optionally be specified individually for certain users even in a shared installation, by creating copies of the investigator.ini file named "investigator *.ini", where * is the respective username.

* X-Ways Investigator no longer allows to open a case whose case directory is missing. WinHex and X-Ways Forensics still allow to do this.

* Several other minor improvements and error corrections.

* XWF now deals more gracefully with truncated FAT partitions in incomplete image files. (since v14.3 SR-1)

* New directory icons. Dedicated icon for deleted partitions in the case tree and in the case root window. (since v14.3 SR-3)

* Ability to delete the case log from within X-Ways Forensics. (since v14.3 SR-3)

* The Java date+time format now respects the Data Interpreter's Big Endian option. That date+time format can be found in Little Endian in BlackBerry memory dumps. Before, it simply always worked based on Big Endian philosophy. (since v14.3 SR-4)

* Fixed an error that could prevent to correctly open certain extremely fragmented alternate data streams on NTFS. (since v14.3 SR-4)

* Fixed display refresh problem in case root window. (since v14.3 SR-4)

* The definitions in File Type Signatures.txt and File Type Categories.txt have slightly changed in that Unix/Linux executable files now have the type "elf" instead of "elfexe", and Windows Vista Event Log Files now have the type "evtx" instead of "elf". (since v14.3 SR-4)

* Fixed an error that under very special circumstances caused WinHex/X-Ways Forensics to show existing partitions as lost partitions. (since v14.3 SR-6).

#103: WinHex, X-Ways Forensics and X-Ways Investigator 14.3 released

July 30, 2007

This mailing is to announce a noteworthy update, v14.3.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Seattle, WA: Aug 6-10 http://www.x-ways.net/training/seattle.html (waiting list)
Long Beach, CA: Aug 13-17 http://www.x-ways.net/training/long_beach.html (seats available!)
Hong Kong: Oct 22-26 http://www.x-ways.net/training/hong_kong.html (seats available!)
For more information: http://www.x-ways.net/training.html



* The indexing feature has been significantly extended. It is now possible to index text both in single-byte character code pages and in Unicode (UTF-16LE)! Also it is possible to have up to three such indexes per evidence object (e.g. Cyrillic characters indexed in Unicode and two Cyrillic codepages). Multiple indexes, if selected, are created consecutively in this version, but with user interaction only once at the beginning. The index search will search in all created indexes for an evidence object at the same time.

Since Unicode is now supported for indexing, the characters to index are entered as Unicode characters, and X-Ways Forensics allows you to conveniently select the alphabets of more than 22 languages for indexing. Currently, most European and many Asian languages are predefined. Please note that it is the responsibility of the user to select the appropriate code page(s) and to enable substring indexing if the words in the language to index are not delimited with spaces (e.g. in Thai).

* Also, it is now possible to optionally create an index that is case-sensitive. This is useful e.g. if you create the index for the purpose of creating a word list for a customized dictionary attack.

* You may define a character substitution list in Unicode that causes certain letters to be indexed as other letters (e.g. "é" with an accent as just an "e"). This will allow you to find certain spelling variations with a single index search, e.g. the name "René"/"Rene", with either spelling.
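
To make the indexing options of this release concrete, here is an added Python example (not X-Ways code): a normalized index with an optional case-sensitive mode, a substitution list that maps accented letters to their base letter, substring tokens for scripts that do not delimit words with spaces, and a multi-index that searches a Windows-1251 index and a UTF-16LE index of the same evidence object together. The substitution list, the token length bounds and the sample texts are constructed for this example.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed substitution list in the page's spirit: accented letters are
# indexed as their base letter, so "René" and "Rene" share one index entry.
SUBSTITUTIONS = {"é": "e", "è": "e", "ê": "e", "ä": "a", "ö": "o", "ü": "u", "ß": "ss"}


def normalize(word: str, substitutions=SUBSTITUTIONS, case_sensitive=False) -> str:
    """NFC first (so "e" + combining accent becomes one code point), then
    case folding unless the index is case-sensitive, then the substitutions."""
    word = unicodedata.normalize("NFC", word)
    if not case_sensitive:
        word = word.casefold()
    return "".join(substitutions.get(ch, ch) for ch in word)


def tokens(text: str, substring=False, min_len=3, max_len=8):
    """Split on word boundaries; with substring indexing emit every substring
    of each run whose length lies within [min_len, max_len]. The length
    bounds are an assumption of this example, not the program's behaviour."""
    words = re.findall(r"\w+", text)
    if not substring:
        return words
    out = []
    for w in words:
        for start in range(len(w)):
            for length in range(min_len, max_len + 1):
                if start + length <= len(w):
                    out.append(w[start:start + length])
    return out


class Index:
    """One index: normalized word -> set of file IDs containing it."""

    def __init__(self, encoding: str, case_sensitive=False, substring=False):
        self.encoding = encoding            # a code page or "utf-16-le"
        self.case_sensitive = case_sensitive
        self.substring = substring
        self.postings = defaultdict(set)

    def add_text(self, file_id: int, text: str):
        for tok in tokens(text, self.substring):
            self.postings[normalize(tok, case_sensitive=self.case_sensitive)].add(file_id)

    def add_bytes(self, file_id: int, raw: bytes):
        # Data that is not really in this encoding decodes to noise; the noise
        # gets indexed but cannot match a properly spelled search term.
        self.add_text(file_id, raw.decode(self.encoding, errors="ignore"))

    def search(self, term: str):
        return set(self.postings.get(normalize(term, case_sensitive=self.case_sensitive), ()))

    def word_list(self):
        """Distinct indexed words, e.g. as input for a customized dictionary."""
        return sorted(self.postings)


class MultiIndex:
    """Up to three indexes per evidence object, searched at the same time."""

    def __init__(self, encodings, case_sensitive=False, substring=False):
        if not 1 <= len(encodings) <= 3:
            raise ValueError("one to three indexes per evidence object")
        self.indexes = [Index(e, case_sensitive, substring) for e in encodings]

    def add_bytes(self, file_id: int, raw: bytes):
        for idx in self.indexes:
            idx.add_bytes(file_id, raw)

    def search(self, term: str):
        hits = set()
        for idx in self.indexes:
            hits |= idx.search(term)
        return sorted(hits)


# Constructed sample data: the same Cyrillic text stored once in the
# Windows-1251 code page and once in UTF-16LE.
CP1251_SAMPLE = "Русский текст".encode("cp1251")
UTF16_SAMPLE = "Русский текст".encode("utf-16-le")
```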

* Optimization will not merge .xfi files past the 2 GB barrier any more. This allows these files to be archived in old-fashioned zip archives (e.g. if you archive a case and choose to include index files). Generally, the optimization step is faster now compared with v14.2 and earlier.

* The Details mode has been significantly extended for OLE2 compound files (e.g. pre-2007 MS Office documents) and .shd printer spool files, in that it shows their metadata. For MS Office documents, you will often see many more timestamps (e.g. Last Printed), subject, author, organization, keywords, total edit time, and much more.

* You will now see accurate listings of the contents of Windows shortcut files (.lnk) when viewing them in Preview or full-window view. The listing may include path, name, size, attributes and timestamps of the file being linked, volume label and serial number, drive type, icon file, link description, MAC address, and more.

* When refining the volume snapshot and verifying the true file type based on signatures, X-Ways Forensics now warns when it finds hybrid MS Office files, more precisely merged MS Word and MS Excel documents that can be opened in both applications, showing different contents. A notice in the messages window will be displayed, and any detected files will be associated with a special report table. Hybrid MS Office files are a clever attempt to conceal the contents of one of the merged documents.

* Ability to open CDs/DVDs in external optical drives as physical media.

* The Chinese translation has been updated. Also, when selecting Chinese as the user interface language, more parts of the user interface can now be actually seen with Chinese characters even if the Chinese code page is not active in Windows (as long as support for East Asian characters has been installed).

* Additional hash category filters have been introduced: Output irrelevant files only, output unknown files only.

* In newly taken volume snapshots, files and directories on NTFS volumes that have an object ID are now flagged with a capital I in the Attribute column.

* If a file cannot be copied to an evidence file container, e.g. when filling a container indirectly because an anti-virus tool has intercepted the file and prevented its inclusion in the container, that file is now added to a special report table so that it's easy to specially filter these files and address them separately.

* Ability to load certain registry files of Windows Vista that could not be loaded before.

* Ability to highlight Unicode search hits in documents in Preview mode even if they contain non-ASCII characters.

* The search term list now has a context menu from which search terms can be deleted. Useful for users of MacBooks that don't have a Del key.

* No longer closes the search hit list when invoking Search | Find Text without the option to list search hits.

* It is now possible to log logical searches, such that e.g. if a certain damaged file cannot be decoded and causes the program to crash, you can easily find out its internal ID in the search.log file in the evidence object's metadata directory and omit it when you try again.

* When replacing a partitioned evidence object with a (new) image file, the child evidence objects (partitions) will now be replaced with the same image automatically.

* The viewer component has been updated. Only one file has actually changed. This patch fixes an error that could occur with certain Visio (.vsd) documents. It is recommended to re-download and re-install the viewer component (only) if you would like to view Visio documents during your work or decode their text for the logical search or indexing.

* The Messages window can now be minimized, maximized, and restored.

* The General Options dialog window was restructured. This is now the place to define the substitute pattern displayed for unreadable sectors. It was removed from the Create Disk Image dialog window because it affects how bad sectors are treated in the program in _any_ situation.

* If the subject lines of extracted e-mail messages are not based on the code page that is currently active in Windows, they may be displayed incorrectly. X-Ways Forensics can now make an attempt to fix the subjects after extracting e-mail messages if you specify up to two code pages related to the case in the case properties. To avoid this, select the code page that is active in your Windows system twice.

* Some minor improvements concerning the extraction of e-mail messages.

* Several other minor improvements and error corrections.

* Fixed an error that under certain circumstances opened Internet Explorer windows when copying files and directories. (since v14.2 SR-3)

* An error was fixed that caused duplication of file listings in the Chinese version of X-Ways Forensics after a thorough file system data structure search on NTFS volumes. (since v14.2 SR-4)

* Fixed an error that caused certain directory browser operations (copying and creating a hash set) to abort prematurely if applied to a recursive view that contained archives treated like directories. (since v14.2 SR-5)

* Fixed an error that could occur when replacing an evidence object with a new image under certain circumstances after creating a technical details report. (since v14.2 SR-5)

* Prevented certain exceptions that could occur when processing garbage data in NTFS FILE records. (since v14.2 SR-5)


#102: WinHex, X-Ways Forensics and X-Ways Investigator 14.2 released

June 20, 2007

This mailing is to announce a major update, v14.2.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Seattle, WA: Aug 6-10 http://www.x-ways.net/training/seattle.html
Southern California: Aug 13-17 (uncertain)
NEW: Hong Kong: Oct 22-26 http://www.x-ways.net/training/hong_kong.html
For more information: http://www.x-ways.net/training.html



* Better support for multi-monitor systems. Some display problems were fixed, and dialog boxes and message boxes will now always be centered within the WinHex main window except if that means they are split between two screens (if the main window spans two monitors). In that case they will be centered on the main screen.

* It is now possible to detach the lower half of a data window (with Sectors mode, File mode, Preview, Gallery etc.) from the data window, by clicking the three dots that are located to the left of the Sectors button. After that, you can freely move and resize it on the screen. On multi-monitor systems this allows you to have that part of the user interface on a separate screen and even maximize it there!

* X-Ways Forensics now informs about the SMART status of [S]ATA hard disks (connected via [S]ATA), as part of the technical details report. Useful for checking one's own hard disks as well as those of suspects. For example, you can learn how often and how long the hard disk was used and whether it has had any bad sectors in the sense that unreliable sectors were replaced internally with spare sectors. When a hard disk has to be returned to a suspect and he or she consequently complains about bad sectors after that and accuses you of having damaged the disk, a details report created when the hard disk was initially captured can now show whether it was already in a bad shape at that time. Also, seeing that spare sectors are in use means knowing that there is additional data to gain from the hard disk (with the appropriate technical means).

* When creating an image, the SMART information is queried twice, at the beginning and again upon completion, so that you can see whether the status of a hard disk in bad shape has further deteriorated during imaging. Secondly, you can see how the "power on time" has changed, which is useful to deduce its unit of measurement (usually hours, but can be different on certain hard disk models).

* A new mode named "Details" has been introduced, which contains all the information on a single selected file from all the directory browser columns, including those that are not currently visible (forensic license only). Very useful for example if the path is very long and does not fit on the screen in the path column, maybe not even in the path tooltip display. It also allows you to easily copy the filename, the file path or selected other data to the clipboard. In future versions, the Details mode may also become the place to look up additional information on a file, like extracted internal document metadata.

* An additional directory browser column "Type description" was introduced, which usually displays the name of the application that a file type belongs to or what the filename extension stands for, whatever is specified as a hint in File Type Categories.txt (forensic license only). If the same extension occurs multiple times in the definition file, all its meanings are listed. For example, .pm could be a Perl module, a PageMaker document, a Pegasus file, or an X11 Pixmap file.

The file format of File Type Categories.txt has been slightly changed in that category names are now defined in lines that start with *** instead of :incrementing number:, so the user does not have to ensure unique category IDs any more and can more easily see category boundaries. The same extension may be associated with different categories at the same time. The category column only shows a single category in such a case, but the category filter works nonetheless.

* Yet another column was added, labeled "Dimensions". (forensic license only) It denotes the size of a picture in pixels, as the result of width times height, rounded. Computed simultaneously with skin color percentages, plus when viewing pictures (full-screen mode, preview mode, or in the gallery). Useful to easily distinguish between e.g. small browser cache garbage graphics and high-quality digital photos, with the associated filter, which allows you to concentrate on very small or very large pictures, or mid-sized pictures within a user-defined range.

* Thumbnail pictures can now be successfully extracted from most thumbs.db files even if internally fragmented. Original filenames and timestamps are now extracted for these thumbnails, too. This is especially useful considering that thumbs.db files remember pictures that were deleted in the meantime. (forensic license only)

* It is now possible to compute hash values for all files that are copied to an evidence file container. The hash is computed directly for the data as read from the source medium. These hash values, if originally computed and stored within the container, are also automatically imported into the volume snapshot when interpreting the container.

* It is now possible to verify already available hash values for the files in a volume snapshot, with the Refine Volume Snapshot functionality. Most importantly this helps to confirm that the files in an evidence file container have not changed since they were acquired from the original source medium. Should there be any files whose hash values have changed, they will be added to a special report table for convenient review.

* Ability to totally remove irrelevant items from the volume snapshot if not needed, e.g. meaningless garbage files found via a file header signature search. This can render the volume snapshot more efficient to handle and save main memory in case of 100,000s of such files. At first, you hide such files, and then you remove all hidden items, clicking a new button in the directory browser options dialog. Available only for volume snapshots created by v14.2 and later. Useful also if you would like X-Ways Forensics to find certain files once again via a file header signature search, but list them with a different default file size if the originally specified default file size proved inadequate.

* Volume snapshots created or processed by v14.2 cannot be correctly understood by earlier versions any more. There will be warnings to that effect in certain situations.

* Ability to select hidden items listed in the directory browser (only if not filtered out, of course), with a new command in the context menu. Useful e.g.
- if you would like to see hidden items specifically (first select them, then tag them, then group tagged and untagged items)
- if relevant files have been assigned to a report table already and you then have X-Ways Forensics hide duplicates among those files based on hash values, and then would like to remove duplicates from the report.

* When in gallery mode, the path and the name of the selected picture are now displayed in the status bar. The path includes the evidence object name.

* It is now optionally possible to run simultaneous searches in a second code page at the same time (forensic license only). Useful when searching for keywords that contain non-7-bit-ASCII characters. For example, specifically searching in the UTF-8 code page in addition to your language's typical Windows code page renders decoding the text in XML files (think of MS Office 2007 documents) obsolete. Not relevant for search terms that consist of 7-bit ASCII characters only (like A-Z, 0-9, simple punctuation marks).

* Clarified effect of using GREP syntax in dialog box (code page translation options disappear).

* When displaying code page search hits with their context, X-Ways Forensics now tries to convert all text to Unicode so that such search hit previews can be properly viewed even if the respective code page that a search hit is based on is not the active code page in the examiner's Windows system!

* When reviewing search hits, and when in Preview mode a search hit cannot be highlighted, e.g. because the hit is in the file's metadata (which is not displayed by the viewer component), X-Ways Forensics now offers to switch to File mode instead.

* Ability to convert text from various code pages to Unicode and vice-versa, with new options in the Edit | Convert command.

* Ability to specify an alternative sector size when interpreting raw images. For that, please hold the Shift key. You will then have to indicate the nature of the image (partitioned physical medium or volume) as in earlier versions, and if you continue to hold the shift key you will be prompted for the sector size. Note that even in earlier versions WinHex already used the sector size specified in a FAT or NTFS boot sector if a raw image contained a volume and started directly with such a boot sector. For .e01 evidence files, WinHex uses the sector size specified within that file's metadata.
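
An added example, not X-Ways code, of what a raw-image sector size check of the kind described here has to inspect: read bytes per sector from a FAT or NTFS boot sector's BIOS parameter block, recognize an MBR as a partitioned medium that carries no sector size of its own (so the caller must supply one), and reject implausible values. The synthetic boot sectors and MBR are constructed for the example.

```python
VALID_SECTOR_SIZES = (512, 1024, 2048, 4096)


def _le16(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 2], "little")


def _looks_like_mbr(head: bytes) -> bool:
    """Four 16-byte partition entries at offset 446: status byte 0x00 or 0x80
    and at least one non-empty partition type."""
    used = 0
    for i in range(4):
        entry = head[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):
            return False
        if entry[4] != 0:
            used += 1
    return used > 0


def classify_raw_image(head: bytes):
    """Classify the first bytes of a raw image and pick up the sector size.

    Returns (kind, sector_size). A FAT or NTFS volume image starts with a
    boot sector whose BIOS parameter block states bytes per sector at
    offset 11; an image of a partitioned medium starts with an MBR, which
    carries no sector size, hence None.
    """
    if len(head) < 512 or head[510:512] != b"\x55\xAA":
        return "unknown", None
    if head[3:11] == b"NTFS    ":
        kind = "NTFS volume"
    elif head[82:90].startswith(b"FAT32"):
        kind = "FAT32 volume"
    elif head[54:62].startswith(b"FAT"):           # "FAT12   " / "FAT16   "
        kind = "FAT12/16 volume"
    elif _looks_like_mbr(head):
        return "partitioned medium", None
    else:
        return "unknown", None
    bps = _le16(head, 11)
    if bps not in VALID_SECTOR_SIZES:
        return "unknown", None                    # corrupt BPB or not a BPB
    return kind, bps


def build_ntfs_boot_sector(bytes_per_sector: int) -> bytes:
    """Constructed NTFS boot sector with only the fields this check reads."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                     # jump instruction
    bs[3:11] = b"NTFS    "                        # OEM ID
    bs[11:13] = bytes_per_sector.to_bytes(2, "little")
    bs[13] = 8                                    # sectors per cluster
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def build_fat32_boot_sector(bytes_per_sector: int) -> bytes:
    """Constructed FAT32 boot sector with only the fields this check reads."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    bs[11:13] = bytes_per_sector.to_bytes(2, "little")
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def build_mbr() -> bytes:
    """Constructed MBR with one bootable NTFS partition (type 0x07)."""
    mbr = bytearray(512)
    mbr[446] = 0x80                               # bootable
    mbr[450] = 0x07                               # partition type NTFS
    mbr[454:458] = (2048).to_bytes(4, "little")   # starting LBA
    mbr[458:462] = (1 << 20).to_bytes(4, "little")  # sector count
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)
```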

* It is now possible to log the internal IDs of processed files both when refining the volume snapshot and when indexing. The log files are named RVS.log and Indexing.log, respectively, and are written to the metadata subdirectory of the evidence object. Should a corrupt file cause X-Ways Forensics to freeze and to clear the display of the currently processed file or should a corrupt file cause X-Ways Forensics to terminate completely, the logs can reveal the offending file so that it can be omitted when trying again.

* Certain corrupt OpenOffice2 Writer documents (.odt) previously could cause the file format specific encryption test to freeze forever. Such attempts will now be aborted when a time-out period has elapsed.

* "Wash me, but don't make me wet" is a German saying that frequently applies when users of X-Ways Forensics select to treat archives like directories and then wonder why (or complain) they cannot copy such archives off the image like files or wonder why the archives are not listed in a recursive view (when they run X-Ways Forensics with directories excluded from recursive views). For the latter "problem" there is now a solution: Archives treated like directories are no longer excluded from recursive views depending on this option. Also they are not grouped along with directories any more, and filters are now applied to archives even when they are treated like directories.

Possible "solutions" for copying: You could reverse treatment as directories in Specialist | Refine Volume Snapshot, or you could open such archives (with the Open command in the directory browser context menu) and then save them with File | Save As.

Note that it was never a "must" to treat archives like directories in the first place. Once the files contained in archives are included in the volume snapshot, they will be included in any recursive listing (unless somehow filtered out, of course), no matter whether the archives are treated like directories or not.

* It is now possible to apply the data analysis feature to the selected file when in File mode.

* When including the evidence object names as the top directory level in an evidence file container and when including full paths in the container, items from the virtual "Path unknown" directory previously could end up in a wrong evidence object's "Path unknown" directory when copied to a container. This will no longer occur in newly taken volume snapshots or in volume snapshots imported from v14.1 or earlier.

* An error was fixed that could occur when decoding the text of certain files for the logical search.

* Under certain circumstances (apparently systems with Internet Explorer 7.0), Internet Explorer windows were opened when copying directories off an image/disk in the original 14.1 version. This was fixed with v14.1 SR-2.

* Under certain circumstances in the original 14.1 version, further options in Refine Volume Snapshot were not applied simultaneously to files whose true file type was newly detected. This was fixed with v14.1 SR-2.

* Fixed an error in the WinHex API WHX_Open functionality. (since v14.1 SR-3)

* Fixed an issue that could occur under certain circumstances when exporting index search hits with context preview to HTML. (since v14.1 SR-3)

* The option "+19" in investigator.ini now also prevents users of X-Ways Investigator from changing the case and the temp path in General Options. (since v14.1 SR-1)

* Ability to create evidence file containers with X-Ways Investigator now tested and functional. (since v14.1 SR-3)

* Certain search options in early v14.2 versions did not work correctly. This was fixed with v14.2 SR-1.

* Several minor improvements and error corrections.


#101: WinHex, X-Ways Forensics and X-Ways Investigator 14.1 released

May 21, 2007

This mailing is to announce a noteworthy update, v14.1.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Registered users and in particular owners of X-Ways Forensics and X-Ways Investigator please go to http://www.x-ways.net/winhex/license.html for more information such as update maintenance, download links, and upgrade offers.


Seattle, WA: Aug 6-10 http://www.x-ways.net/training/seattle.html
Southern California: Aug 13-17
Hong Kong: Oct 22-26
For more information: http://www.x-ways.net/training.html



* X-Ways Forensics now offers a dedicated option to logically combine search hits with a Boolean AND operator, i.e. require that a file contains all selected search terms at the same time. If this requirement is not met, the search hits in that file will be omitted from the list altogether. That way you can reduce the view to those files that contain both search term A and search term B. If you know that the document you are looking for contains both of the search terms, this narrows down the number of listed search hits to the most likely relevant ones.

And that is not all: You can select more than two search terms (e.g. 4) and require that the files to be listed contain an arbitrary _minimum_ number of different search terms at the same time (e.g. any 2 or 3 of the search terms, or all 4)!

* Reducing a huge search hit list in such a way that only one hit per file is left can be a great time-saver if you intend to look at each such file anyway, but prefer to not have to look at the same file more than once (if there are many hits in the same file). It is now more convenient to limit the output to 1 search hit per file, with a new checkbox below the search term list. The former context menu command for that was removed.

* If search hits are omitted from the search hits list either because of the reduction to 1 hit per file or because of the logical AND combination, the number of omitted search hits is now displayed with a filter symbol in the directory browser header line, as a visual reminder that the search hit list on the screen is not the complete one.
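
The three behaviours above (Boolean AND combination, a minimum number of distinct search terms per file, and the reduction to one hit per file with a count of omitted hits) in one added Python example; this is illustration code, not X-Ways Forensics code, and the hit list is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    file_id: int   # internal ID of the file the hit was found in
    term: str      # search term that produced the hit
    offset: int    # logical offset of the hit within the file


def combine(hits, selected_terms, min_terms=None, one_hit_per_file=False):
    """Filter a search hit list the way the text describes.

    Only hits for the selected terms are considered. A file stays listed only
    if it contains at least min_terms distinct selected terms (default: all of
    them, i.e. a plain Boolean AND). With one_hit_per_file only the first hit
    (lowest offset) in each file is kept. Returns (kept_hits, omitted_count);
    omitted_count is what a filter symbol in the header line would report.
    """
    selected = set(selected_terms)
    if min_terms is None:
        min_terms = len(selected)
    candidates = [h for h in hits if h.term in selected]

    terms_in_file = defaultdict(set)
    for h in candidates:
        terms_in_file[h.file_id].add(h.term)
    qualifying = {f for f, terms in terms_in_file.items() if len(terms) >= min_terms}

    kept, seen_files = [], set()
    for h in sorted(candidates, key=lambda h: (h.file_id, h.offset)):
        if h.file_id not in qualifying:
            continue
        if one_hit_per_file:
            if h.file_id in seen_files:
                continue
            seen_files.add(h.file_id)
        kept.append(h)
    return kept, len(candidates) - len(kept)


# Constructed hit list: four files, three search terms A, B and C.
HITS = [
    Hit(1, "A", 10), Hit(1, "B", 50), Hit(1, "A", 200),
    Hit(2, "A", 5),
    Hit(3, "B", 8), Hit(3, "C", 30),
    Hit(4, "A", 1), Hit(4, "B", 2), Hit(4, "C", 3), Hit(4, "C", 9),
]
```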

* HTML format for exporting file lists or search hits is now optional. If disabled, tab-delimited text files will be created as in earlier versions. That may be desirable for huge amounts of data.

* On multi-core processor systems, the performance penalty when working with compressed .e01 evidence files has been considerably reduced, by about 50% on a dual-core processor. On single-core processor systems, there is a slight improvement, too.

* There is a new compression ratio option available for creating .e01 evidence files: "fast". This option comes highly recommended, for it is a very good compromise between "no" compression (with maximum speed) and the "normal" compression level. For average data, you can expect half the compression ratio that you would get with "normal", and a speed right between "no" compression and "normal" compression. For highly uniform data, you get the same very high compression ratio as with "normal", and possibly even more speed than with "no" compression because the amount of data to write is so drastically reduced. For incompressible data, you almost get the same speed as with "no" compression (much faster than with "normal").

* Searching for deleted files by header signatures and verifying the true file type based on signatures have become more flexible. The signatures are now defined in GREP syntax. That means it is now possible to allow for alternatives (e.g. "the 4th byte could be either 0xE0 or 0xE1") and undefined gaps ("." wildcard character) within the signatures. The new signature database that comes with WinHex and X-Ways Forensics already utilizes this to further reduce the number of false positives and to reduce the number of definitions needed for the same file type (e.g. HTML). File Type Signatures.txt files from old versions can still be read, but cannot use the GREP syntax.
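
An added example, not the program's own signature file or code, of the GREP-style signature idea from this item and of the elf/evtx naming point in the 14.3 SR-4 notes above: a small constructed signature table with alternatives and gaps expressed as regular expressions, a true-file-type check against the filename extension, and a header signature search over a constructed buffer. The pattern syntax, the category names and the sample buffer are assumptions of this example.

```python
import re

# Constructed signature table in the regex style the page describes for
# File Type Signatures.txt (the shipped file's layout is not reproduced).
# Each entry: type designation, byte-level pattern anchored at the file start,
# and a category. Alternatives and "." gaps are plain regex constructs.
SIGNATURES = [
    # JPEG: FF D8 FF, then either an APP0 (E0) or an APP1/Exif (E1) marker
    ("jpg", rb"\xFF\xD8\xFF[\xE0\xE1]", "Pictures"),
    # PNG: fixed 8-byte signature
    ("png", rb"\x89PNG\r\n\x1A\n", "Pictures"),
    # ELF executable: 7F 'E' 'L' 'F', class byte 1 (32-bit) or 2 (64-bit)
    ("elf", rb"\x7FELF[\x01\x02]", "Executables"),
    # Windows Vista event log: magic "ElfFile\0", unrelated to ELF binaries
    ("evtx", rb"ElfFile\x00", "Logs"),
    # HTML: optional UTF-8 BOM, whitespace and DOCTYPE, then "<html" (any case)
    ("html", rb"(?i)(?:\xEF\xBB\xBF)?\s*(?:<!DOCTYPE[^>]*>\s*)?<html", "Documents"),
]
COMPILED = [(name, re.compile(pat), cat) for name, pat, cat in SIGNATURES]


def identify(data: bytes):
    """True file type judged by the leading bytes; the first match wins."""
    for name, pattern, category in COMPILED:
        if pattern.match(data):
            return name, category
    return None, None


def verify_type(filename: str, data: bytes) -> dict:
    """Compare the extension-implied type with the signature-detected type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected, category = identify(data)
    if detected is None:
        status = "not verified"      # no signature matched
    elif detected == ext:
        status = "confirmed"
    else:
        status = "mismatch"          # e.g. a JPEG renamed to .docx
    return {"name": filename, "extension": ext, "detected": detected,
            "category": category, "status": status}


def carve(buffer: bytes):
    """Header signature search over unallocated data: (offset, type) per hit."""
    hits = []
    for name, pattern, _category in COMPILED:
        for m in pattern.finditer(buffer):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed "free space" buffer holding four headers at known offsets.
SAMPLE_BUFFER = (
    b"\x00" * 16
    + b"\xFF\xD8\xFF\xE1" + b"Exif\x00\x00"          # JPEG with Exif at 16
    + b"\x00" * 8
    + b"\x7FELF\x02" + b"\x00" * 3                   # 64-bit ELF at 34
    + b"ElfFile\x00" + b"\x00" * 2                   # EVTX at 42
    + b"<!DOCTYPE html>\n<HTML><body>hi</body>"      # HTML at 52
)
```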

* Files found via header signature are now listed in a dedicated virtual directory "Carved files" under "Path unknown". This makes it more convenient to address such files separately.

* In newly taken volume snapshots, empty orphaned sub-directories are now listed in a dedicated virtual directory "Empty directories" under "Path unknown". This renders exploring and navigating in "Path unknown" more convenient.

* For files and directories on NTFS volumes, X-Ways Forensics can now often display the username instead of the user's SID in the Owner column. X-Ways Forensics collects SIDs and usernames from Windows installations on evidence objects that are added to the case. An overview of all the SID and username combinations that were found can be displayed from within the case properties window.

* When recovering NTFS-compressed files manually (e.g. because they were found manually or via an adjusted file header signature search tailored for NTFS-compressed files), it is necessary to decompress such files separately. Previously it was possible to successfully decompress a single 16-cluster unit of compressed data with Edit | Convert. Multiple 16-cluster units could be decompressed in a single step if and only if these units were physically 16 clusters apart from one another (as under Windows XP it's usually the case if an already existing file on an NTFS volume is retroactively compressed). Now the decompression algorithm also works if there are no physical gaps between the units (as under Windows XP it's usually the case if a file is saved with compression in the first place). It dynamically picks the decompression strategy that yields the highest amount of decompressed data, on a file-by-file basis.

* Auto-coloring on NTFS now also works for FILE records that are not part of the active MFT, if found somewhere on the partition (e.g. in $LogFile or in free space), when visible on the screen. Auto-coloring now also highlights attributes in a FILE record's slack space, which e.g. are left if the preceding attributes are shortened (e.g. filename) or moved out to extension FILE records. Also it now highlights FILETIME structures left in a FILE record's slack space without an encompassing attribute (e.g. standard information or filename).

* "Offline" files are now marked with a capital O in the Attributes column. Files with the attribute "temporary" are now marked with a "T".

* It is now possible to integrate a free-text description of up to 60,000 Unicode characters in evidence file containers, for the recipient to see in the evidence object properties when he or she adds the container to the case.

* Can now much more precisely recognize and distinguish between various OLE2 compound file types (e.g. pre-2007 MS Office documents) during file header signature search and file type verification.

* MS Office 2007 and OpenOffice documents are now treated like archives (which makes it easier to extract embedded pictures), but at the same time they retain their special extension in the type column so that they can easily be distinguished from ordinary zip files and still belong to the document category rather than archives. This best of both worlds combination was not possible in earlier versions. Consequently, in the default settings, OpenOffice documents are not subject to text decoding during searches any more, as the contained XML files will already be searched in their decompressed state. The XML files themselves, however, should still be subject to text decoding during searches if your search terms contain non-English characters, because of XML's UTF-8 coding (unless you specifically search in the UTF-8 codepage). Consequently, *.xml was added to the default file masks for text decoding.

* Regular archives as well as MS Office 2007/OpenOffice documents can now also be viewed in a separate window from the directory browser context menu, not just explored or viewed in Preview mode.

* The internal hive names of restore point registry files as loaded in the registry viewer have been adjusted, so that the registry report can also be created for such backup registry files. Previously, the defined paths would not match.

* An error in the registry viewer was fixed that prevented the user from continuing a search in a hive other than the one in which the first search hit was found.

* It is now possible to pick a registry report definition file before creating the registry report. Useful if you maintain multiple such files, e.g. one that extracts information about hardware, another for information about users, etc.

* Fixed sparse file support on Ext2/Ext3 file systems.

* Various minor improvements.

Since v14.0 SR-1:

* Pressing certain keys in the gallery caused X-Ways Forensics 14.0 to switch to Sectors mode. This was fixed.

* Unique output filenames for "Recover/Copy" now guaranteed also for files where X-Ways Forensics appends the presumed right extension (based on the option in Directory Browser Options).

* Disabling the exception list for indexing caused errors. This was fixed.

* Many more filename extensions were added to the file type category definition file, thanks to Günter Fabian of the state police of Upper Austria.

* Fixed search hit column output of export command. The option to export search hits without search hit context was broken.

* The omission of partitioned areas on physical disks from file header signature searches (to avoid duplicates, since the same searches can also be run on the partitions) is now optional.

* X-Ways Forensics now allows running byte-level signature searches within evidence file containers. This can be useful to find embedded files other than JPEG and PNG in selected host files; such files have to be collected in a container first.

Since v14.0 SR-2:

* Fixed inability to review search hits during a physical simultaneous search via pause and resume.

Since v14.0 SR-3:

* Due to popular demand, "Windows Registry" is back as a separate file type category, and just as in earlier versions it again matches the most important files by name even when no file type verification (signature check) has been executed yet. Still, the file type verification step and the artificial type designation ("registry", formerly "regis") are required to match other registry files, e.g. backups of registry files in restore points.

* An error was fixed that activated Sectors mode when clicking a thumbnail in Gallery mode, if Sync mode was enabled in conjunction with recursive exploration.


#100: WinHex, X-Ways Forensics and X-Ways Investigator 14.0 released

Apr 19, 2007

This 100th mailing is to announce a major update, v14.0.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Registered users and in particular owners of X-Ways Forensics and X-Ways Investigator please go to http://www.x-ways.net/winhex/license.html for more information such as update maintenance, download links, and upgrade offers.



* X-Ways Forensics and X-Ways Investigator can now optionally keep track of which files were already viewed, and flag them visually with a green background color around the tag. This is especially useful when reviewing hundreds or thousands of documents/pictures over a longer period, to avoid accidentally viewing the same documents multiple times and to assure the user of his or her progress. A file can automatically be flagged as already viewed when viewing it in Preview or full window mode, when viewing pictures in the gallery, or when identifying a file as known good based on the hash database. This is customizable in the directory browser options dialog. To manually flag files as already viewed, you can press Alt in combination with the cursor keys. Alt+Left removes the mark. A directory will be marked as fully viewed once all files in it are marked as already viewed. The total number of viewed items in the volume snapshot can be seen under Specialist | Refine Volume Snapshot.

* Due to popular demand, it is now possible to redefine the order of the columns in the directory browser, in the directory browser options dialog. This will also change the order of the fields in the case report (i.e. in report tables), on print cover pages and in exported file listings. You can select a column for relocation by clicking its radio button. Then use the vertical scrollbar that appears at the top. You can reset the column order to the default one if you right-click that scrollbar.

* There is now a filter for the skin color percentage column, which allows you to specifically address e.g. pictures with a high amount of skin tones, or gray scale and black and white pictures.

* The attribute filter now allows to specifically list files that are flagged as possibly encrypted based on the entropy test ("e?"), files with the Hidden attribute, extracted e-mail messages, and e-mail attachments only.
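
The entropy test behind the "e?" flag is not spelled out in the newsletter. The following is an added illustration (not X-Ways code) of how such a test is typically built: Shannon entropy in bits per byte, with a hypothetical threshold and minimum size chosen here for the example. Note the caveat a practitioner should keep in mind: compressed data (zip, JPEG, MP3) scores just as high as ciphertext, which is why the flag can only mean "possibly" encrypted and is best combined with the file type verification.

```python
"""Entropy-based 'possibly encrypted' test (added example, not X-Ways code)."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def possibly_encrypted(data: bytes, threshold: float = 7.9, min_size: int = 4096) -> bool:
    """Flag data as possibly encrypted (or compressed) if it is large enough
    and nearly uniformly distributed.

    threshold and min_size are hypothetical values for this example; the
    criterion used inside X-Ways Forensics is not published in the newsletter.
    Small inputs are skipped because entropy estimates on a few hundred bytes
    are too noisy to be meaningful.
    """
    return len(data) >= min_size and shannon_entropy(data) >= threshold


# Constructed samples: a pseudo-random blob standing in for ciphertext, and
# plain English text. A deflate stream or a JPEG would score like the blob.
_rng = random.Random(1)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(8192))
TEXT_BLOB = b"The quick brown fox jumps over the lazy dog. " * 200


if __name__ == "__main__":
    for label, blob in (("random", RANDOM_BLOB), ("text", TEXT_BLOB)):
        print(f"{label}: {shannon_entropy(blob):.3f} bits/byte, "
              f"possibly encrypted = {possibly_encrypted(blob)}")
```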

* Two more columns, Sender and Recipient, have been introduced, that are filled for e-mail messages. These columns come with convenient substring filters. They can optionally be displayed dynamically, i.e. included in the directory browser only when e-mail messages are actually listed in the visible portion. This avoids wasting space on the screen for these columns when no e-mail messages are currently listed.

* E-mail messages and attachments can now be extracted from Outlook .msg files.

* Improved file signature search at sector boundaries for MPEG files, in that no overlapping MPEG fragments and no MPEG fragments in the middle of known MPEG files will be output/listed any more.

* X-Ways Forensics now by default includes MP3 files in the check for embedded JPEG pictures.

* Displaying pictures with the separate viewer component instead of with the internal graphics library is now noticeably faster (but still noticeably slower than with the internal graphics library).

* Ability to delete duplicate search hits with a context menu command. Search hits are considered duplicates if they either have identical physical offsets or, if they don't have physical offsets, if their logical offsets and the corresponding internal file IDs are the same. Note that no assumption is made that the duplicate that is selected for deletion is the "less valuable" search hit (but this is subject to improvement in future releases). E.g. a search hit in a deleted file "delivery_note_28924.pdf" might be more helpful than in the virtual file "Free space", even if it's the same search hit. Or a hit for "Smithsonian" may be more helpful than a hit for "Smith".
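
The duplicate rule above (same physical offset, or same logical offset plus internal file ID when no physical offset exists) maps directly onto a grouping key. The following added example (not X-Ways code) implements that key and, as an assumption of this example rather than documented product behaviour, adds the preference the newsletter only hints at: within a duplicate group, keep the hit in a named file over one in the virtual "Free space" file, and the longer search term over the shorter one.

```python
"""Duplicate search hit removal (added example, not X-Ways code)."""
from collections import defaultdict, namedtuple

# A minimal search hit record. phys_off is None for hits without a physical
# offset (e.g. hits in the decoded text of a file), log_off is the offset
# within the file, file_id the internal ID in the volume snapshot.
Hit = namedtuple("Hit", "term file_id file_name phys_off log_off")


def dedup_key(h: Hit):
    """Key under which two hits are considered duplicates, as described
    in the newsletter: physical offset if present, otherwise (file ID,
    logical offset)."""
    if h.phys_off is not None:
        return ("physical", h.phys_off)
    return ("logical", h.file_id, h.log_off)


def rank(h: Hit):
    """Hypothetical preference for which duplicate to keep (this example's
    assumption, not product behaviour): a named file beats the virtual
    'Free space' file, and a longer (more specific) term beats a shorter one."""
    return (h.file_name != "Free space", len(h.term))


def delete_duplicate_hits(hits):
    """Return the hits with duplicates removed, keeping the highest ranked hit
    of each group and preserving the original list order."""
    groups = defaultdict(list)
    for h in hits:
        groups[dedup_key(h)].append(h)
    kept = [max(group, key=rank) for group in groups.values()]
    return sorted(kept, key=hits.index)


# Constructed sample hits mirroring the newsletter's examples.
HITS = [
    Hit("Smith", 0, "Free space", 123456, None),
    Hit("Smithsonian", 17, "delivery_note_28924.pdf", 123456, 300),
    Hit("invoice", 42, "mail.eml", None, 10),
    Hit("invoice", 42, "mail.eml", None, 10),
    Hit("invoice", 43, "other.eml", None, 10),
]


if __name__ == "__main__":
    for h in delete_duplicate_hits(HITS):
        print(h)
```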

* It is now possible to review the (incomplete) search hit list in the middle of an ongoing simultaneous search. Clicking the search hit list button pauses the search and allows you to view the preliminary search hit list; the search can then be resumed if necessary.

* The search window width for GREP search is now user-definable. An explanation of the search window and of its significance for proximity searches has been added to the program help and user manual.

* Now supports up to 75 locally accessible physical media instead of 30.

* Write access possible to disk sectors under Windows Vista for physical media and partitions opened from within physical media (not opened as drive letters in WinHex) in most of the situations where this failed with previous versions of WinHex.

* The case root is now a complete overview of all evidence objects. It is now possible to remove evidence objects from the case in the case root window, and in particular to remove multiple selected evidence objects at a time (useful e.g. if you have added multiple ordinary files to the case directly instead of to a file container, which is preferable).

* The number of backups that X-Ways Forensics keeps for a case file is now user-definable (3 by default) instead of just 1.

* When using the Recover/Copy command in search hit lists, directories are now recreated in the output folder as files, as the user likely wants to retain the original data with the search hit. The Recover/Copy command in such situations did not branch into selected subdirectories anyway in earlier versions.

* The Recover/Copy command is no longer covered by general logging, but has its own HTML log file, "copylog.html", which can include not only the output filename and path, but also any of the available metadata about the copied files, e.g. original name, original path, size, timestamps, true type, etc. The HTML file is created in the _log subdirectory of a case. (forensic license only)

* Ability to view the messages.txt file directly from within the case properties dialog window.

* The Export command now creates HTML files instead of text files. The result is much more convenient to view (e.g. in a web browser, in MS Word or MS Excel), especially in the case of exported search hits with context, where the actual search term can be highlighted within the context (yellow background color). Search hit highlighting, however, is optional, as it does not have the desired effect when viewing with MS Excel. With the HTML output for search results, the main functionality of Evidor is now available in X-Ways Forensics, too. If needed, programs like MS Excel can still be used to convert the HTML to tab-delimited ASCII or Unicode text as created by earlier versions of X-Ways Forensics.

* A new script command Write2 was introduced, which differs from the conventional Write if the end of the file is reached (please see program help or user manual for details).

Since v13.9 SR-1:

* Ability to automatically detect deleted partitions with 1 MB partition gaps as typically created by Windows Vista.
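
When a partition has been deleted, its entry in the partition table is gone, but its boot sector usually still sits on disk at the original start offset. Because Vista aligns partitions on 1 MiB boundaries (and XP-era tools on sector 63), a scan does not have to look at every sector: testing only the aligned candidate offsets for a boot sector signature is enough to find most deleted partitions. The following is an added example of that idea (not X-Ways code, and not a description of how X-Ways Forensics implements the detection); the image is constructed in the block, and only NTFS and FAT32 boot sectors are recognised.

```python
"""Scan 1 MiB aligned offsets for boot sectors of deleted partitions
(added example, not X-Ways code)."""

SECTOR = 512
MIB = 1024 * 1024


def looks_like_boot_sector(sector: bytes):
    """Return (fs_type, total_sectors) if the 512 bytes look like an NTFS or
    FAT32 boot sector, else None. Field offsets follow the published BPB
    layouts: NTFS OEM ID at 3, total sectors (8 bytes) at 40; FAT32 type
    string at 82, total sectors (4 bytes) at 32; 0x55AA signature at 510."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":
        return ("NTFS", int.from_bytes(sector[40:48], "little"))
    if sector[82:90] == b"FAT32   ":
        return ("FAT32", int.from_bytes(sector[32:36], "little"))
    return None


def find_partition_candidates(image: bytes, gap: int = MIB):
    """List (start_sector, fs_type, total_sectors) for every candidate offset
    that holds a recognisable boot sector. Candidates are the legacy start
    at sector 63 plus every multiple of the partition gap (1 MiB for Vista)."""
    candidates = {63 * SECTOR}
    candidates.update(range(gap, len(image), gap))
    found = []
    for off in sorted(candidates):
        hit = looks_like_boot_sector(image[off:off + SECTOR])
        if hit is not None:
            found.append((off // SECTOR, hit[0], hit[1]))
    return found


def build_test_image() -> bytes:
    """Constructed 4 MiB image: empty partition table (partition 'deleted'),
    but an NTFS boot sector still present at the 1 MiB boundary."""
    img = bytearray(4 * MIB)
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                      # jump instruction
    bs[3:11] = b"NTFS    "                          # OEM ID
    bs[11:13] = (512).to_bytes(2, "little")         # bytes per sector
    bs[13] = 8                                      # sectors per cluster
    bs[40:48] = (4096).to_bytes(8, "little")        # total sectors
    bs[510:512] = b"\x55\xaa"
    img[MIB:MIB + SECTOR] = bs
    return bytes(img)


if __name__ == "__main__":
    for start, fs, total in find_partition_candidates(build_test_image()):
        print(f"boot sector at sector {start}: {fs}, {total} sectors")
```

A found candidate is only a candidate: the next step in practice is to interpret the volume at that offset and check that the BPB values (sector size, cluster size, total sectors) are plausible for the disk geometry.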

* The filename extensions .whs and .whx are no longer automatically associated with X-Ways Forensics in the system registry.

* Improvements for running WinHex/X-Ways Forensics under Windows Vista:

Resolved problems:
- Text column visual character alignment problems with various characters fixed.
- Icons in registry viewer fixed.

Slight improvements:
- Encrypted parts of BitLocker volumes are now represented by a virtual file that has the encryption attribute.

Unresolved or unresolvable problems:
- Writing sectors on certain disk areas fails with "access denied". To be partially resolved with v14.0.
- Prevented opening physical RAM on Vista as it does not work any more.
- Colored text feature in Case Data window not available.

The recommended platform for WinHex/X-Ways Forensics continues to be Windows XP.

Since v13.9 SR-2:

* The filename extension .xfc is now automatically associated with X-Ways Forensics in the system registry only if X-Ways Forensics was installed with the setup program. This is so that avoidable changes to the registry are not made when executing X-Ways Forensics on a live system without having installed it. (Note that the viewer component still writes to the registry if loaded by X-Ways Forensics.)

* Exception error prevented that could occur under certain circumstances after deleting search hits.

Since v13.9 SR-3:

* Fixed an error that could prevent running a simultaneous search for search terms with an opening parenthesis.

* Several other minor improvements.


#99: WinHex, X-Ways Forensics and X-Ways Investigator 13.9 released

Mar 23, 2007

This mailing is to announce a noteworthy update, v13.9.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Registered users and in particular owners of X-Ways Forensics and X-Ways Investigator please go to http://www.x-ways.net/winhex/license.html for more information such as update maintenance, download links, and upgrade offers.



* Forensic licenses only: Ability to open remote network drives at a logical level, if a drive letter has been assigned locally. The directory browser, File mode, Preview mode, Gallery mode, and Calendar mode are all available. A volume snapshot can be taken and refined (not with the options that require sector access), filters can be used, keyword searches can be run. On the other hand, sectors, free space, slack space, deleted files, alternate data streams, owner SIDs etc. cannot be displayed. Very useful to preview remote network drives on site and e.g. search/copy relevant documents if no physical access to certain computers on a network is available. Another benefit is that NTFS-encrypted files (EFS) to which the currently logged-on user has access can be opened and processed as if they were not encrypted.

* Forensic licenses only: Ability to open local drive letters without administrator rights. The same limitations apply.

* Support for the Ext4 file system (specialist and forensic licenses only).

* X-Ways Forensics now warns when opening a case if that case has already been opened by someone else (if not in read-only mode).

* When decoding the text in PDF, HTML, RTF, StarOffice, WordPerfect, etc. files for logical searches and indexing, the result is now optionally buffered (can be disabled in Options | Viewer Programs). As the decoding is relatively slow, the benefits of the buffer are that further searches will run noticeably faster if there are many such files and that there are now context previews even for search hits in the decoded version of files! This renders examining search hit lists much more convenient. Decoded text output is now either ASCII or Unicode on a per-file basis, depending on the nature of the characters in the text.

* The Print command in the directory browser context menu is now more flexible in that it allows to print files with the help of the viewer component either with or without its own cover page. As a new third option it is now possible to have X-Ways Forensics print the filename and path itself, on the first page. This option is not bound by the same path length limitations as the header printed by the viewer component. To avoid that the path is printed twice on the first page, have _either_ X-Ways Forensics or the viewer component print it, not both.

* If in the new Print command the printer resolution cannot be automatically detected, the user now has the option to specify it manually to get a correct print result.

* It's easier now to identify the evidence object in the Case Data window that is represented by the active data window, as all the other evidence objects, including their directory trees, are displayed in gray.

* Changes among physical disks (e.g. newly attached external USB hard disks) are now detected without having to restart the program.

* File containers now optionally have an internal designation (the XWFS volume label). Useful as another means to identify to which case/suspect a container belongs since the filename might be too generic (used similarly in different cases) or could be accidentally changed.

* A new switch "+19" in investigator.ini allows to keep users of X-Ways Investigator from opening images/containers that are not located in the default path for images/containers. Useful if the default path is externally controlled and users must not inadvertently add images from unrelated cases.

* Ability to optionally filter directories based on names in addition to files. This is the only filter based on a directory browser column that has an effect on directories, too.

* Each evidence object now remembers the last 32 files that were viewed in Preview mode. Press Shift+Ctrl+F7 to see the list of filenames, internal IDs, and viewing timestamps. Useful e.g. if you forgot where you stopped your work the other day or based on what sort criteria you viewed the files (to recreate the same order). Not documented in program help or user manual, subject to change.

* Changed sorting in search hit description column such that hits in slack space are not merely grouped, but moved to the end of the list so that they can be easily found, and the slack copied specifically with appropriate settings in the Recover/Copy command if needed. (since v13.8 SR-5)

* Decoded text was not indexed correctly in v13.8 before v13.8 SR-2. This was fixed.

* The logical search in v13.8 had a memory leak before v13.8 SR-2. This was fixed.

* Memory leak in indexing fixed with v13.8 SR-5.

* An error interpreting full filenames in File Type Categories .txt was fixed with v13.8 SR-3.

* The daylight saving bias was not correctly applied for southern hemisphere time zones. This was fixed with v13.8 SR-4.

* Some other minor improvements.


#98: WinHex, X-Ways Forensics and X-Ways Investigator 13.8 released

Feb 14, 2007

This mailing is to announce a noteworthy update, v13.8.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Registered users and in particular owners of X-Ways Forensics and X-Ways Investigator please go to http://www.x-ways.net/winhex/license.html for more information such as update maintenance, download links, and upgrade offers.


Sydney: Mar 12-16 http://www.x-ways.net/training_sydney.html
Atlanta, GA: Mar 26-30 http://www.x-ways.net/training_atlanta.html (week after CyberCrime summit)
For more information: http://www.x-ways.net/training.html



* The investigator version of X-Ways Forensics is now a separate product: X-Ways Investigator ( http://www.x-ways.net/investigator/ ). The user interface of the investigator version is now customizable to a certain extent: With the help of an optional file named "investigator.ini", additional administrative security precautions and additional optional usage simplifications can be activated individually.

* The ability to interpret .e01 evidence files was added to X-Ways Investigator. That means investigators can now be provided with file containers that were turned into (optionally compressed or encrypted) .e01 evidence files. Also the ability to _create_ file containers was added to X-Ways Investigator. That means investigators can now create containers themselves and that way copy highly relevant files to separate containers for their own use or to pass them on to colleagues. The ability to create search indexes was removed.

* The logical simultaneous search has been removed from the directory browser context menu and integrated in Search | Simultaneous Search. It no longer searches the _selected_ files, but either all files or tagged files. Search | Simultaneous Search can now execute both physical and logical searches. Logical searches have been reworked internally and now always process the files in the order in which they appear in the volume snapshot (i.e. sorted by internal ID).

* The physical simultaneous search is finally obsolete in the forensic edition when searching entire media, as the logical simultaneous search now has a solution for the file slack/free space paradox, by searching all file slack/free space transitions separately. (The paradox is that although all file slack and free space is searched, not all occurrences of the search terms in these areas are found by certain standard computer forensics software products, because an occurrence that starts in the slack of a file and continues in the free space directly behind it belongs to neither area completely and is missed when the two are searched as separate objects.)
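
The paradox is easiest to see on a constructed volume. The following added example (not X-Ways code) lays out one file whose logical content ends in the middle of a cluster, so that its slack is followed by a free cluster, and writes a search term across that boundary. Searching the slack and the free space as separate objects finds nothing; a physical search of the raw volume, or a logical search that additionally looks at a small window around each slack/free-space transition, finds the straddling occurrence. Region names and the window logic are this example's own.

```python
"""The file slack / free space search paradox (added example, not X-Ways code)."""

CLUSTER = 4096
TERM = b"confidential"  # 12 bytes

# Constructed volume of two clusters: file1 uses cluster 0 with a logical
# size of 3000 bytes, so bytes 3000..4095 are its slack; cluster 1 is free.
REGIONS = [
    ("file1", 0, 3000),               # logical content of the file
    ("file1 slack", 3000, CLUSTER),   # slack space of that file
    ("free", CLUSTER, 2 * CLUSTER),   # free space (unallocated cluster)
]


def build_volume() -> bytes:
    vol = bytearray(2 * CLUSTER)
    vol[0:3000] = b"A" * 3000
    vol[4090:4090 + len(TERM)] = TERM   # 6 bytes in slack, 6 bytes in free space
    return bytes(vol)


def find_all(buf: bytes, term: bytes, start: int, end: int):
    """All offsets of term that lie completely within buf[start:end]."""
    hits, i = [], buf.find(term, start, end)
    while i != -1:
        hits.append(i)
        i = buf.find(term, i + 1, end)
    return hits


def search_separately(volume: bytes, regions, term: bytes):
    """Search every region as its own object, the way the paradox arises."""
    hits = []
    for name, start, end in regions:
        hits += [(name, off) for off in find_all(volume, term, start, end)]
    return hits


def search_with_transitions(volume: bytes, regions, term: bytes):
    """Same as search_separately, plus a window of len(term)-1 bytes on either
    side of every slack -> free space boundary, so that only occurrences that
    straddle the boundary are reported there (no duplicates of normal hits)."""
    hits = search_separately(volume, regions, term)
    for (name, start, end), (nxt, nxt_start, nxt_end) in zip(regions, regions[1:]):
        if name.endswith("slack") and nxt == "free" and end == nxt_start:
            lo = max(start, end - len(term) + 1)
            hi = min(nxt_end, end + len(term) - 1)
            hits += [(f"{name}+{nxt}", off) for off in find_all(volume, term, lo, hi)]
    return hits


if __name__ == "__main__":
    vol = build_volume()
    print("separate objects:", search_separately(vol, REGIONS, TERM))
    print("with transitions:", search_with_transitions(vol, REGIONS, TERM))
    print("physical search: ", vol.find(TERM))
```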

* Irrelevant, hidden, or filtered out files can now be omitted during logical searches, or if slack space is included the search is limited to the file slack. This saves time and reduces the number of irrelevant hits.

* Indexing can now be limited to the slack of irrelevant, hidden, or filtered out files, too.

* It is now possible to a certain degree to continue reviewing files while searching logically, as the directory browser is no longer blocked.

* When decoding PDF/OpenOffice/WPD/HTML/... files for the logical search, the text output is now in 16-bit Unicode instead of ASCII. That means Unicode needs to be enabled for searching when using this option (is ensured by the software automatically).

* The volume snapshot can now be refined and an index can be created for _selected_ evidence objects at the same time, and it is now possible to start indexing after volume snapshot refinement automatically. If the latter is selected, at first the volume snapshots of the selected evidence objects will be refined, then the index will be created for these evidence objects, and finally the indexes will be optimized. The optimization is optional as before, and can be aborted and resumed at any time.

* The volume snapshot can now be refined for physical, partitioned media. This is useful to conveniently list files in unpartitioned space that can be found via a header signature search. Files in _partitioned_ space can be found with a signature search within the corresponding partition only, as before. This prevents duplications.

* Physical media now offer a File mode, a Preview mode, and a Gallery mode. Useful for files found via a header signature search.

* Ability to print multiple selected documents without interruption/the need to click somewhere after each document, with the revised context menu command "Print with cover page". The cover page contains the date and time when the print job was started and user-selected meta-information, e.g. filename, path, evidence object title, file size, description, time stamps, comments, ... The cover page is printed by X-Ways Forensics itself, the following pages with the actual document are printed by the viewer component. In order to print documents with the viewer component without a cover page, as before, use the Print command in the main menu or the Print icon in the tool bar, while in Preview mode or when viewing a document in a separate window. Known error: The viewer component does not always display the correct printer name while printing although the print job is indeed sent to the selected printer.

* Self-extracting .exe archives as created by WinZip (tested with v9.0 and v11.0), WinRAR (GUI and console .exe files, Zip and RAR compression, tested with v3.0, v3.3, v3.62, and v3.7 beta), 7-Zip (tested with v4.42), and WinACE (tested with SFX-Factory 2.64) are now internally detected by the file signature check. They are classified as the file type "sfx" and assigned to the category "Archives" so that they can be specifically targeted. This prevents that compressed files in such archives go totally unnoticed in an investigation. .exe archives with Zip compression can be viewed in Preview mode, other self-extracting archives need to be copied off the image and opened with an appropriate tool like WinRAR or 7-Zip.
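
A self-extracting archive is an ordinary executable stub with the archive appended, so a check that stops at the "MZ" header will file it as just another .exe. The following added example (not X-Ways code, and not a description of its internal signature rules) shows the kind of check that catches them: accept only files that start with an executable header, then look for a known archive signature anywhere after it. The signatures used are the published ones for Zip local file headers, RAR 1.5-4.x and RAR5 marker blocks, and 7z; WinACE is left out here. The executables in the block are constructed stand-ins, not real SFX stubs.

```python
"""Classify self-extracting .exe archives by embedded archive signature
(added example, not X-Ways code)."""

ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",                 # Zip local file header
    b"Rar!\x1a\x07\x00": "rar",           # RAR 1.5 - 4.x marker block
    b"Rar!\x1a\x07\x01\x00": "rar5",      # RAR 5 marker block
    b"7z\xbc\xaf\x27\x1c": "7z",          # 7z archive header
}


def classify_sfx(data: bytes):
    """Return a dict describing the SFX if data is an executable that carries
    an archive payload, else None. Only the first (lowest offset) archive
    signature after the MZ header counts.

    Caveat: an executable that merely embeds an archive as a resource matches
    too; for an investigation that is desirable, since the compressed content
    would otherwise go unnoticed, but it is not proof that the file is an SFX."""
    if data[:2] != b"MZ":
        return None
    best = None
    for sig, kind in ARCHIVE_SIGNATURES.items():
        pos = data.find(sig, 2)
        if pos != -1 and (best is None or pos < best[0]):
            best = (pos, kind)
    if best is None:
        return None
    return {"type": "sfx", "compression": best[1], "payload_offset": best[0]}


# Constructed samples: a fake stub with a Zip payload at offset 512, a fake
# stub with a RAR payload, a stub with no payload, and a plain (non-SFX) zip.
SFX_ZIP = b"MZ" + b"\x90" * 510 + b"PK\x03\x04" + b"\x14\x00\x00\x00" + b"\x00" * 64
SFX_RAR = b"MZ" + b"\x90" * 1000 + b"Rar!\x1a\x07\x00" + b"\x00" * 64
PLAIN_EXE = b"MZ" + b"\x00" * 200
PLAIN_ZIP = b"PK\x03\x04" + b"\x00" * 64


if __name__ == "__main__":
    for label, blob in (("SFX_ZIP", SFX_ZIP), ("SFX_RAR", SFX_RAR),
                        ("PLAIN_EXE", PLAIN_EXE), ("PLAIN_ZIP", PLAIN_ZIP)):
        print(label, classify_sfx(blob))
```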

* Reading from compressed evidence files is now considerably faster.

* CRC32 computation is now somewhat faster.

* When assembling a hardware RAID, the header size of a component may now exceed 65,535 sectors.

* Now 48 instead of 32 script variables supported simultaneously.

* Tools | Disk Tools | Set Disk Parameters for physical disks now accepts blanks for the C/H/S values. If left blank, suitable values will be computed by X-Ways Forensics itself.

* The data analysis feature now works with more than 4 billion occurrences of the same byte value. So although it is meant to be applied to much smaller amounts of data, this functionality can now safely be applied to many GB of data. The increased computation time was compensated by omitting the checksums.

* In Options | Viewer Programs, a list of filename extensions is now maintained that indicates which files should better be viewed with external programs, e.g. because the viewer component and the internal picture display and gallery do not support them. When double-clicking/viewing such files, the program that is associated with the extension on the examiner's system is automatically invoked. Based on the default settings, this applies to *.mdi;*.mdb;*.mpeg;*.mov;*.asf;*.avi;*.mp3. The list is user-editable (see Options | Viewer Programs). In particular MDI (Microsoft Document Imaging), a file type similar to TIFF, usually should not be overlooked, as this format can be used in MS Office to store scanned documents or to store print output graphically.

* Ability to automatically power down the computer after successfully creating a disk image. (since v13.7 SR-1)

* Stability and speed of picture processing and display further improved. (with v13.7 SR-2 and SR-5) Please note that if you have problems with processing pictures or the display of pictures, it might help to return to the picture viewing capability of earlier versions by checking Options | Viewer Programs | [x] Use alternative picture display library. We ask, however, that you notify us should you encounter specific pictures that cause X-Ways Forensics to choke.

* Error in ExecuteScript script command fixed. (since v13.7 SR-2)

* Fixed an exception error that could occur when reviewing search hit lists. (since v13.7 SR-3)

* Characters in the text column are now usually correctly displayed in double-byte code pages such as Simplified Chinese (if active) even when a block or a bookmark is defined in a line. (since v13.7 SR-3)

* Fixed an exception error that could occur during an NTFS thorough file system data structure search. (since v13.7 SR-4)

* Fixed instability issue with extremely long filename extensions (more than 127 characters) in text decoding option. (since v13.7 SR-8)

* "Internal search term list inconsistent" error fixed. (since v13.7 SR-8)

* Indexing progress display error fixed. (since v13.8 SR-1)

* Several other minor fixes and improvements, including the Recover/Copy command.


#97: WinHex & X-Ways Forensics 13.7 released

Jan 12, 2007

This mailing is to announce a noteworthy update, v13.7.

WinHex evaluation version: http://www.x-ways.net/winhex.zip

Registered users and in particular owners of X-Ways Forensics please go to http://www.x-ways.net/winhex/license.html for more information such as update maintenance, download links, and upgrade offers.

London, Feb 5-9 http://www.x-ways.net/training_london1.html (new!)
London, Feb 19-23 http://www.x-ways.net/training_london.html (waiting list)
Sydney, Mar 12-16 http://www.x-ways.net/training_sydney.html (new!)
Atlanta, GA: Mar 26-30 http://www.x-ways.net/training_atlanta.html (seats available!)
Other classes in Australia for government/law enforcement in February/March: Please ask for details.


* On Chinese Windows systems, X-Ways Forensics can now be run with a Chinese user interface if support for East Asian languages is installed in Windows. (The translation is not 100% complete.)

* Ability to search for non-Latin-1/Western European language characters (e.g. Cyrillic, Arabic, Greek, Chinese, ...) in an explicitly specifiable code page, in addition to 16-bit Unicode, with the physical & logical simultaneous search.
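
A search term typed as Unicode only matches on disk if it is converted to the byte sequence the data actually uses, and Cyrillic text may be stored as UTF-16, as Windows-1251, as KOI8-R or something else. The following added example (not X-Ways code) shows what "search in a code page in addition to Unicode" amounts to: encode the term once per candidate encoding and search for every resulting byte string. The sample buffer is constructed in the block; note that the term cannot be encoded in Latin-1 at all, which is exactly why a Western European default would find nothing.

```python
"""Simultaneous search for one term in several encodings
(added example, not X-Ways code)."""

# "секрет" (Russian for "secret"), written with escapes to keep the source ASCII.
TERM = "\u0441\u0435\u043a\u0440\u0435\u0442"


def encode_variants(term: str, codepages):
    """Byte patterns to search for: always UTF-16LE (the Windows 'Unicode'),
    plus the term in each requested code page where it is representable."""
    variants = {"utf-16le": term.encode("utf-16-le")}
    for cp in codepages:
        try:
            variants[cp] = term.encode(cp)
        except UnicodeEncodeError:
            pass  # e.g. Cyrillic cannot be expressed in latin-1; skip that variant
    return variants


def simultaneous_search(buf: bytes, term: str, codepages=("cp1251",)):
    """All (offset, encoding) pairs at which term occurs in buf, in any of
    the encodings. No alignment is enforced for UTF-16LE, matching a plain
    physical search over raw bytes."""
    hits = []
    for enc, needle in encode_variants(term, codepages).items():
        i = buf.find(needle)
        while i != -1:
            hits.append((i, enc))
            i = buf.find(needle, i + 1)
    return sorted(hits)


# Constructed sample: the term once as Windows-1251 (offset 7) and once as
# UTF-16LE (offset 18), surrounded by ASCII filler.
SAMPLE = (b"header " + TERM.encode("cp1251") + b" ... "
          + TERM.encode("utf-16-le") + b" end")


if __name__ == "__main__":
    print(simultaneous_search(SAMPLE, TERM, ("cp1251", "koi8_r", "latin-1")))
```

Searching a single-byte code page is cheap but prone to chance matches in binary data for short terms; UTF-16 hits carry more evidence because every character costs two bytes.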

* Ability to export search hit offsets and search hits from search hit lists. Ability to export the hits with context previews of an arbitrary length (up to 240 bytes in total). Available for search hits in both ASCII and Unicode, for both ASCII and Unicode output text files.

* An additional sortable column for search hit lists was introduced that describes for each search hit whether it is a Unicode or a codepage search hit, whether it references the decoded version of a file, and whether the search hit is in a file's slack (only for search hits gathered with v13.7 and later). The latter allows to systematically copy the file slack off an image with the Recover/Copy command for all search hits that are not located in the logical part of a file.

* Ability to save index search hits permanently, without marking them as notable, under a dedicated search term item in the search term list.

* Search terms for index searches are now logged.

* It is now possible to start indexing for all evidence objects from the case root window. The optional optimization step is now executed only after all evidence objects have been indexed.

* In certain scenarios with repartitioned or reformatted NTFS volumes, previously existing files could cause an infinite loop during indexing. This was fixed. (since v13.6 SR-7.)

* The gallery is now considerably faster. Loading large pictures for preview or full window view is faster, too.

* The check for skin colors and black-and-white pictures is now faster and more stable when dealing with corrupt pictures. The computed skin color percentages may differ slightly when compared to earlier versions of X-Ways Forensics.

* The "1st cluster" column was replaced with a "1st sector" column. This allows WinHex/X-Ways Forensics 1) to make better targeted jumps to resident files on NTFS volumes, 2) to display this information for fictitious files in special file system areas, and 3) to more successfully prevent duplicate files found by header signature (e.g. if run repeatedly) if they start at mere sector, not cluster boundaries. Also this allows the user to tell more easily which files are affected by bad sectors (after converting number ranges of bad sectors on physical disks to logical sector numbers on the partition). The improved precision for files that do not start at cluster boundaries is available only for newly taken volume snapshots.
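
The practical use mentioned last, telling which files are affected by bad sectors, takes two conversions: cluster numbers to sector numbers (which the new column already provides), and physical sector numbers of the bad ranges to logical sector numbers on the partition. The following added example (not X-Ways code) performs both and intersects the result with file extents. It assumes contiguous files for simplicity; a fragmented file would need the same check per fragment, and for NTFS cluster 0 starts at partition sector 0 while on FAT the data area begins after the reserved sectors and the FATs.

```python
"""Map bad sector ranges to files via 1st sector and size
(added example, not X-Ways code)."""

SECTOR_SIZE = 512


def cluster_to_sector(cluster: int, sectors_per_cluster: int, data_area_first_sector: int = 0) -> int:
    """Logical sector of the first sector of a cluster. data_area_first_sector
    is 0 for NTFS; for FAT it is the first sector of the data area."""
    return data_area_first_sector + cluster * sectors_per_cluster


def physical_to_logical(bad_ranges, partition_start: int):
    """Convert inclusive (first, last) physical sector ranges to partition-
    relative ranges, dropping or clipping ranges that lie before the partition."""
    logical = []
    for first, last in bad_ranges:
        lo, hi = first - partition_start, last - partition_start
        if hi >= 0:
            logical.append((max(lo, 0), hi))
    return logical


def files_hit_by_bad_sectors(files, bad_logical, sector_size: int = SECTOR_SIZE):
    """Names of files whose (contiguous) extent overlaps any bad logical range.
    files: (name, first_sector, size_in_bytes). A 0-byte file still occupies
    the sector it points to, hence the max(1, ...)."""
    affected = []
    for name, first_sector, size in files:
        n_sectors = max(1, -(-size // sector_size))  # ceiling division
        last_sector = first_sector + n_sectors - 1
        if any(lo <= last_sector and hi >= first_sector for lo, hi in bad_logical):
            affected.append(name)
    return affected


# Constructed sample: NTFS partition starting at physical sector 2048,
# 8 sectors per cluster, one file starting in cluster 255, one small file.
PARTITION_START = 2048
FILES = [
    ("delivery_note.pdf", cluster_to_sector(255, 8), 5000),  # sectors 2040..2049
    ("notes.txt", 100, 100),                                  # sector 100
]
BAD_PHYSICAL = [(4096, 4100)]  # from the disk's bad sector scan, physical numbers


if __name__ == "__main__":
    bad = physical_to_logical(BAD_PHYSICAL, PARTITION_START)
    print("bad logical sectors:", bad)
    print("affected files:", files_hit_by_bad_sectors(FILES, bad))
```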

* "File Recovery by Name" is no longer available. The more flexible substitute is to recover files selectively from the directory browser, with the Recover/Copy command. To achieve the same effect as with "File Recovery by Name", explore the root directory recursively, optionally activate a filter like the filename filter, and then select all. Unlike "File Recovery by Name", this works with all supported file systems, and all filters are available, not just a filename filter. The ability to explore directories or an entire volume recursively is available to owners of personal and professional licenses for the first time now.

* The selection statistics (amount of data in KB/MB/GB) and the logical search progress indicator now take into account that files do not necessarily have any data attached to them (where metadata is known only), even if their nominal file size suggests that. This helps to avoid confusion that could arise in earlier versions if the amount of data copied or searched was less than expected. Also such files are now copied/opened with a size of 0 bytes instead of not opened/copied at all.

* There is now a progress indicator for the Recover/Copy command and for filling evidence file containers with selected files.

* When copying files off an evidence object and the output path is too long, the omitted files are now added to a dedicated report table so that they can easily be addressed separately later, e.g. copied again without path.

* Reduced the amount of output to the messages window when refining the volume snapshot. More and more hints/warnings are now attached to these files as report table associations instead of comments.

* Better compatibility with unusual sector sizes on fixed media.

* Circular bit rotation added as an option in Edit | Modify Data. Allows to decrypt disk images as saved on tapes by certain legacy computer forensics software.

* Ability to manually shorten the path that can be optionally output as a header when printing documents, by holding the Shift key when sending the print job. Useful as the viewer component always truncates very long paths at the end, which may not be desirable.

* The name of the evidence object is now part of the path when printing files with the viewer component and printing the path as the header. (since v13.6 SR-6)

* Separate icon for deleted e-mail messages with attachments. (since v13.6 SR-7)

* Windows installation dates as recorded in the registry of Windows 95/98/Me are no longer incorrectly converted when creating the registry report. (since v13.6 SR-7)

* An error was fixed that under certain circumstances (many report table associations) caused an exception when saving the case. (since v13.6 SR-7)

* Deals more gracefully with garbage .gz files found through signature search.

* When processing large e-mail archives, X-Ways Forensics now remains responsive, and the operation can be aborted if needed. (since v13.6 SR-1)

* Often there are now more descriptive error messages when e-mail archives cannot be processed (because they are corrupt, unsupported format etc.). (since v13.6 SR-5)

* An error was fixed that could prevent e-mail extraction depending on the case path length. (since v13.6 SR-1) Fixed an exception error that could occur when extracting e-mail messages. (since v13.6 SR-5)

* An error was fixed that prevented generic mailbox files from being processed. (since v13.6 SR-3)

* Files copied off an image as part of a report will now be created as read-only, such that they cannot be inadvertently modified when opening them in applications such as MS Word. (since v13.6 SR-4)

* Ability to specify how cooperative X-Ways Forensics behaves during operations that involve a progress indicator window (e.g. hashing, searching) when competing with other processes for CPU time, by pressing Shift+Ctrl+F5. 0 is the default setting (not specially cooperative). You may try values like 10, 25, 50, or 100 (maximum willingness to share CPU time) e.g. if X-Ways Forensics is executed simultaneously by different users on the same server, for a fairer distribution of CPU time. (since v13.6 SR-5)

* Fixed an error that prevented correct relative paths of linked files when saving the HTML report in a directory other than the preselected one. (since v13.6 SR-5)

* Fixed an error in the script command GetUserInput. (since v13.6 SR-5)

* Ability to click attachment links in extracted e-mail messages in containers even if attachments were not embedded in the .eml files. (since v13.6 SR-6) As the main reason to directly embed attachments therefore no longer exists, it is recommended not to use that option any more, considering its downsides (more time and drive space needed for extraction and especially for indexing).

* Now 64 instead of 32 report tables supported in a case. (since v13.6 SR-6)

* An error was fixed that occurred when hiding duplicates based on hash values in the case root. (since v13.6 SR-6)

* In newly created volume snapshots, fictitious e-mail subdirectories now get a name different from the e-mail archive file to avoid name conflicts when copying files off an image. (since v13.6 SR-7)

* Several other minor improvements and fixes.
