
WinHex & X-Ways Forensics Newsletter Archive



#112: WinHex, X-Ways Forensics, X-Ways Investigator 15.1 released

Sep 3, 2008

This mailing is to announce a noteworthy update, v15.1.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


DC area, Sep 24-26 https://www.x-ways.net/training/washington_dc.html (full)
New York, Sep 29-Oct 1 https://www.x-ways.net/training/new_york.html (PLEASE SIGN UP NOW!)
London, Oct 7-9 https://www.x-ways.net/training/london.html (almost full)
Sydney, Nov 5-7 https://www.x-ways.net/training/sydney.html
Hong Kong, Nov 11-13 https://www.x-ways.net/training/hong_kong.html
For more information: https://www.x-ways.net/training/



* Ability to detect simple attempts at masking any files of any type as executable files. Such files will not be confirmed as executable files any more. Forensic license only.

* Makes it easier to focus on unusual executable files by assigning them to report tables when they contain unknown segments or an unexpected tail. Forensic license only.

* Can better distinguish between various .exe file types including legacy formats, DLLs, fonts, VXDs, and other drivers (see Type column after file type verification). Forensic license only.

* Special support for executable files when running the file header signature search. The file size and the precise file type will be detected. The exact file size helps to exclude known irrelevant files with the help of hash databases.

* Size detection for very large zip archives during file header signature search. Size detection for 7zip files newly introduced.

* It is now possible to automatically associate the parent file and child objects of a selected file with a report table as well. Useful for example if you want to add not only a certain e-mail message to a report, but also its attachments or the other way around, or not only a certain video still, but also the corresponding video. Report table associations can also be removed from parent and child objects in a single step. Forensic license only.

* Files that are child objects of a file (i.e. whose parent is not a directory) are now specially marked in the directory browser with 3 light blue dots in the upper left corner of the icon.

* It is now much more convenient to supply lengthy filename lists for use as a filename filter. Multiple filenames or filename masks are no longer concatenated with semicolons, but entered (or pasted from the clipboard!) one per line. Useful if you have a list of relevant filenames or keywords and want to find out quickly whether files with such names are present, e.g. in electronic discovery.

* When extracting thumbnails from JPEGs, they are now listed as child objects of the respective JPEG file. Such thumbnails and other generically named embedded pictures are now considered virtual files. Forensic license only.

* Attached external files will now always be added as child objects of the selected object, even if you add a single file only, unless you hold the Shift key. It is now also possible to attach external files to a directory. Forensic license only.

* Ability to add a selected block as a virtual file (Edit menu) now in File mode, too. In that case it will be added as a child object of the original file. Forensic license only.

* Support for viewing the NTFS system file $UsnJrnl, another unique feature. Forensic license only.

* Examination of $LogFile as part of thorough file system data structure search on NTFS volumes even more complete now. Forensic license only.

* The interpretation of $LogFile for the View command/Preview mode is now more complete. It also now shows you the date range covered (see bottom of Preview/View), so that you can easily determine whether relevant dates are covered by $LogFile at all. It is now easier to determine or at least narrow down the date and time when a file was deleted if that action is covered, by looking for an "Undo: Initialize File Record Segment" operation for a given file or by looking for the LSN as seen in the FILE record header. The following EndPage statement indicates the time frame for that operation. Generally improved representation. Forensic license only.

* Ability to deal with FAT32 volumes whose main boot sector is corrupt if the backup boot sector is intact. Ability to automatically find lost FAT32 partitions when scanning for lost partitions even if the main boot sector is corrupt.

* Ability to deal with extremely large directories in FAT volumes.

* Copying files off an image to your own drive or into a container now works slightly differently internally. These actions can now include the contents of selected directories even in an already recursive view, and when doing that they automatically make sure not to copy directly and indirectly selected files twice. Likewise, if the same file is listed multiple times in a search hit list because it contains many search hits, it is copied only once even if selected multiple times, which is very convenient. Another consequence is that you will not see the message "This command cannot branch into selected directories in an already recursive view." any more. Another benefit is that there are now 3 instead of 2 options for recreating the original path in the output directory or file container: full path, no path, or partial path (based on the currently explored directory, not available from case root).

* The Recover/Copy command now also optionally allows you to output files with overlong paths (more than 260, up to 510 characters, for output path + original path + original filename). Note that you cannot access (e.g. view, copy or delete) such files with ordinary tools like the Windows Explorer. The option is useful if you are dealing with these files with tools that support overlong paths. Otherwise you can specifically limit path lengths to 260 characters and get report table associations for omitted files, as before. Forensic license only.

* A new option labelled "recommendable data reduction" for the logical search and indexing saves time by excluding the logical portion of certain files automatically: file archives such as ZIP and RAR whose contents have been included in the volume snapshot, and PST and DBX e-mail archives whose e-mail messages and attachments have been extracted. The latter is helpful in particular for indexing, since Base64 code inflates the index extremely and slows down the indexing process.

* There is now a "NOT" option in the Attributes filter. It allows you to easily filter out alternate data streams, symlinks, files with unknown contents, etc. when you do NOT want to see such items.

* There is now a progress indicator for the hashing process when creating a hash set.

* Individual filenames for cloning logs based on start time.

* Ability to reset selected files in the volume snapshot such that the options in Refine Volume Snapshot would touch them again even if they have been processed before. This function is available via Ctrl+Del. It does not clean up after the selected files, i.e. does not delete any already extracted child objects.

* Fixed scope inconsistency when running a search from the case root window.

* Italian translation updated.

* Fixed some errors in the new indexing algorithm of v15.0.

* Several minor improvements.

* The copy log option no longer noticeably slows down the Recover/Copy command when copying many files. (since v15.0 SR-3)

* Occasional unavailability of the Print command in the context menu fixed. (since v15.0 SR-3)

* Fixed an exception error that could occur when running a file header signature search when in search hit list mode. (since v15.0 SR-3)

* A minimized main window at the end of a search is no longer a problem. (since v15.0 SR-3)

* Fixed an exception error that could occur when imaging RAIDs reconstructed from images. (since v15.0 SR-3)

* Fixed an error in the directory browser that could occur after refining the volume snapshot or after returning from a search hit list. (since v15.0 SR-3)

* Intelligent size detection when carving .tar archives. (since v15.0 SR-4)

* Fixed an error that could interrupt the interpretation of an .e01 evidence file with many segments. (since v15.0 SR-4)

* Files that cause exception errors or crashes during the mass metadata extraction are now reported by the program so that they can be identified, hidden and/or forwarded to us more easily. (since v15.0 SR-5)

* Instability in IE cookie metadata extraction fixed. (since v15.0 SR-7)

* Fixed an exception error that could occur when clicking items in the Position Manager. (since v15.0 SR-5)

* Fixed an exception error that could occur when processing large AOL PFC files. (since v15.0 SR-7)


Remote analysis capability for X-Ways Forensics ( https://www.x-ways.net/forensics/f-response.html ) will soon also cover Linux and OS X machines.


dit Co., Ltd. is now the reseller of X-Ways in Japan:


#111: X-Ways Forensics 15.0 SR-2 released; Remote Analysis Capability for X-Ways Forensics

Jul 11, 2008

This mailing is to announce
* remote analysis capability for X-Ways Forensics,
* v15.0 SR-2 of WinHex, X-Ways Forensics, and X-Ways Investigator,
* new training dates

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Chicago, Aug 12-14 https://www.x-ways.net/training/chicago.html (please sign up now if interested)
DC area, Sep 24-26 https://www.x-ways.net/training/washington_dc.html (almost full)
New York, Sep 29-Oct 1 https://www.x-ways.net/training/new_york.html
London, Oct 7-9 https://www.x-ways.net/training/london.html (almost full)
Sydney, Nov 5-7 https://www.x-ways.net/training/sydney.html
Hong Kong, Nov 11-13 https://www.x-ways.net/training/hong_kong.html
For more information: https://www.x-ways.net/training/



* If you need to examine media that are attached to remote computers, over a network, then we can now offer you a solution! Use F-Response in conjunction with X-Ways Forensics. That allows you to finally apply the superior analysis functionality of X-Ways Forensics that you know to remote network drives, e.g. enterprise-wide. For details please see >>>>>>> https://www.x-ways.net/forensics/f-response.html <<<<<<<.

You can purchase F-Response from X-Ways separately, or, with a special discount, together in a bundle with X-Ways Forensics, thanks to an agreement between Agile Risk Management LLC and X-Ways Software Technology AG.


* Identical consecutive video stills will not be included any more in the volume snapshot when capturing frames from videos with MPlayer. (since v15.0 SR-1)

* It is now theoretically possible to specify an interval as short as 1 second for video still extraction. Whether you actually get additional, different stills with such a low setting, however, depends on the encoding and compression of the respective video file. (since v15.0 SR-1)

* For images of optical media that contain both a CDFS and UDF file system and that are associated with a case as evidence objects, X-Ways Forensics now prompts the user for the preferred file system only once, when opened for the first time. (since v15.0 SR-1)

* Application-created report table associations (as opposed to user-created ones) are now represented by gray instead of green triangles in the directory browser, which makes it easier to distinguish between the two. (since v15.0 SR-1)

* Ability to limit the scope of the file header signature search to a certain sector range (more precisely, a selected block). This is useful e.g. if a previous file header signature search has been aborted, to save time. (since v15.0 SR-2)

* The size of PSD files is now intelligently detected when running a file header signature search. (since v15.0 SR-2)

* The maximum number of report tables supported in a case has been increased to 128. (since v15.0 SR-2)

* Many other minor improvements.

* Two errors in the new indexing algorithm of v15.0 have been found and fixed. The index was not 100% complete, and under certain circumstances an infinite loop and/or the errors 1074 and 1075 could occur. (since v15.0 SR-1)

* Fixed an error that under certain circumstances prevented the new indexing algorithm of v15.0 from completing. (since v15.0 SR-2)

* Fixed the error message that under certain circumstances claimed that the viewer component had to be activated although it was already activated. (since v15.0 SR-1)

* Fixed an exception error that could occur under certain circumstances when reading from previously existing files where the location of the data was unknown. (since v15.0 SR-2)

* Fixed an error in the export of the search hit column with context. (since v15.0 SR-2)

* Fixed an exception error that could occur when reconstructing RAIDs using images. (since v15.0 SR-2)


#110: WinHex, X-Ways Forensics and X-Ways Investigator 15.0 released

Jun 2, 2008

This mailing is to announce a noteworthy update, v15.0.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


New York, Jun 9-13 https://www.x-ways.net/training/new_york.html (waiting list)
DC area, Sep 24-26 https://www.x-ways.net/training/washington_dc.html
London, Oct 7-9 https://www.x-ways.net/training/london.html
Sydney, Nov 5-7 https://www.x-ways.net/training/sydney.html
Hong Kong, Nov 11-13 https://www.x-ways.net/training/hong_kong.html
For more information: https://www.x-ways.net/training/



* X-Ways Forensics now features a totally revised indexing algorithm into which a lot of effort has been put. This algorithm specifically utilizes multiple processor cores and, on systems that have multiple processor cores, runs faster than its predecessor, in particular when taking the (optional) optimization step into account.

* The file type signatures database now distinguishes between signatures that are useful for file type verification only (to verify the type of files that are already contained in the volume snapshot, forensic license only) and signatures that are strong and important enough to also use them for a file header signature search, i.e. to find additional, previously existing files. To that end, two separate definition text files now ship with X-Ways Forensics. The idea is to keep unsuspecting users from blindly selecting all file types for the search, from getting too many false positives for weak signatures as a consequence, from getting too many garbage files (e.g. overlapping MPEG fragments that cannot be played), from getting too many irrelevant files (e.g. font files, cursor files), from unnecessarily suffering from a slow search speed, and from complaining about all of this. Of course it's still possible to manually add new file type definitions for file header signature searches or to consciously move file type definitions from one definition file to the other if you know what you are doing.

* File type signature and category definitions have been further expanded. Support for up to 4096 file type signature definitions for file type verification and up to 1024 definitions for file header signature searches, as opposed to just 255 before.

* The naming conventions for carved files have been slightly changed. Files are now named based on an incrementing number that is unique for each evidence object.

* Previously existing files whose first clusters are known to be overwritten are no longer checked for their true file type.

* When verifying file types, for files that are not recognized by any entry in the file header signature database, X-Ways Forensics now makes additional attempts at detecting the file type. Useful to recognize file types that do not have a fixed signature, e.g. .eml e-mail messages, programming language source code, batch files, various other kinds of text files, and many more.

* The names of extracted .eml files are now usually more authentic especially if the subject line is encoded in an Asian code page. Some minor improvements in e-mail processing.

* When including report tables in the case report, to render the report horizontally more compact (e.g. for printing), it is now possible to artificially break the filename and path lines after a user-defined number of pixels. This helps to keep the report from becoming wider than a printable page, especially when referencing more than one file per row in a report table.

* It is now possible in X-Ways Forensics to manually define a block in Volume/Partition/Disk mode and add it to the volume snapshot as a carved file. Useful if you wish to treat data in a certain area (e.g. HTML code or e-mail messages found floating around in free space) as a file, e.g. to view it, search it specifically, comment on it, add it to a report, etc. The command for that can be found in the Edit menu.

* A new directory browser option called "Full path sorting" for objects that have child objects has been introduced. The effect is that, after exploring recursively, if sorted by path, child objects will be listed directly after their respective parents (e.g. files after their parent directories, e-mails after the e-mail archives from which they have been extracted, e-mail attachments after their containing parent e-mail messages, compressed files after their parent archives, etc.).

* Zip and Rar archives that X-Ways Forensics knows contain encrypted files are now marked as encrypted themselves, with "e!" (file format specifically encrypted) in the Attribute column. This allows you to focus on such files more conveniently than before using the Attribute filter. (And some users didn't realize how it was possible before.)

* When viewing search hits in the decoded version of e.g. PDF documents in raw preview mode, you now see the exact raw decoded text as used for searching. This can be useful if the viewer component cannot highlight a search hit in the regular view of the PDF document.

* Two more external programs can be defined.

* The first portion of the Details mode ("Data from the Volume Snapshot") is now displayed as a table, which is visually more appealing.

* Metadata extraction from BMP files and (on logical drive letters) EXE/DLL files.

* RAID reconstruction: Stripe size of 1 sector now supported.

* Various other minor improvements. Several exception errors fixed that could occur in very specific situations.

* Please note that .cfg configuration files from previous versions cannot be imported in v15.0.

* v8.2.2 of viewer component has been made available on May 31, 2008. It now supports the JPEG 2000 file type, officially runs under Windows 2008 Server, and contains various patches and bug fixes. Installing this update is recommended.

* The original version X-Ways Forensics 14.9 did not automatically load the viewer component for the encryption test, so unless the viewer component was utilized in the same session before, an error message appeared. This was fixed with v14.9 SR-1.

* Fixed some checkboxes in the Attribute filter dialog. (since v14.9 SR-2)

* When copying files with child objects from a recursive view without recreating the original paths, X-Ways Forensics no longer creates empty subdirectories named after these files. (since v14.9 SR-2)

* Fixed an error that could occur when attaching a file to a file in the root directory of a volume. (since v14.9 SR-2)

* Fixed an infinite loop that could occur in some very rare situations when finding OLE2 compound files via signatures. (since v14.9 SR-3)

* When applying a logical search to selected files in a recursively explored directory, pausing the search to preview search hits previously caused the search to be aborted. This was fixed. (since v14.9 SR-3)

* An instability issue in the indexing algorithm was fixed. (since v14.9 SR-3)

* Fixed a rare error where filenames were read incorrectly from certain Ext* directory entries. (since v14.9 SR-3)

* An error was fixed that under certain circumstances could lead to attachments copied to containers incorrectly showing up in "Path unknown". (since v14.9 SR-3)

* \b GREP anchor now works when 16-bit option is enabled. (since v14.9 SR-4)

* hiberfil.sys decompression now more like the original Microsoft code. (since v14.9 SR-4)

* Prevented possible accidental duplication of files with child objects in evidence file containers. (since v14.9 SR-5)

* Prevented certain exception error when extracting e-mail messages from e-mail archives. (since v14.9 SR-5)

* Since v14.8, the owner column in the directory browser was not filled any more on certain NTFS volumes. This was fixed. (since v14.9 SR-5)


#109: WinHex, X-Ways Forensics and X-Ways Investigator 14.9 released

Apr 17, 2008

This mailing is to announce a noteworthy update, v14.9.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.



* WinHex and X-Ways Forensics now point out if a file in an NTFS volume has been only partially filled with data. Such files are marked with "partial init." (partial initialization) in the Attribute column and can be filtered based on that. The size of the actually initialized/defined portion of the file is now displayed in the Details Panel when opening such a file or when looking at it in File mode, labelled as "Valid data length", and the affected uninitialized range will be displayed in a different color. Search hits in the uninitialized portion of a file will be marked as search hits in "slack etc.". The fact that a file has been partially initialized only (but not the extent) will also be remembered by containers.

All of that is meant to help a skillful forensic examiner to avoid drawing inaccurate conclusions. This risk exists because data that is stored in the allocated clusters of a file may be _old_ data that was present on the disk before the clusters were allocated to that file, if the clusters have never been actually overwritten with new data. Or in other words, that may be data that has nothing to do with the file, although according to the logical file size it is part of it.

Typically, file types that are not always fully initialized can include
- Windows Registry
- Windows Event Log (.evt and .evtx)
- Outlook PST
- Outlook Express DBX
- Windows MediaPlayer databases
- Windows Reliability Monitor
- SystemIndex Indexer CiFiles
- Microsoft Network Downloader
- Windows Font Cache
- Windows Vista thumbcache
- Windows rescache
- Microsoft IME User Dictionary
- Java .jsa
and database files, temporary files, and generally files created by applications that like to preallocate storage space for performance reasons/to prevent later file fragmentation.
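
The distinction described above can be read from the non-resident $DATA attribute header in a FILE record, which stores the allocated size, the logical size and the initialized size (valid data length) side by side. The following Python code is an added example, not X-Ways code; the sample attribute bytes, the function names and the category labels are constructed for illustration.

```python
import struct

# NTFS non-resident attribute header, little-endian. Offsets: 0 type, 4 length,
# 8 non-resident flag, 9 name length, 10 name offset, 12 flags, 14 attribute id,
# 16 first VCN, 24 last VCN, 32 run-list offset, 34 compression unit,
# 36 padding, 40 allocated size, 48 logical size, 56 initialized size.
NONRES_HDR = struct.Struct("<IIBBHHHQQHH4xQQQ")
ATTR_DATA = 0x80  # $DATA attribute type


def build_sample_attribute(allocated, logical, initialized):
    """Constructed sample: unnamed non-resident $DATA header, empty run list."""
    run_list = b"\x00" * 8
    header = NONRES_HDR.pack(ATTR_DATA, NONRES_HDR.size + len(run_list), 1, 0, 0,
                             0, 0, 0, 0, NONRES_HDR.size, 0,
                             allocated, logical, initialized)
    return header + run_list


def parse_data_sizes(attr):
    """Return the three size fields of a non-resident $DATA attribute."""
    fields = NONRES_HDR.unpack_from(attr)
    attr_type, non_resident = fields[0], fields[2]
    allocated, logical, initialized = fields[11:14]
    if attr_type != ATTR_DATA:
        raise ValueError("not a $DATA attribute")
    if not non_resident:
        raise ValueError("resident attributes carry no initialized-size field")
    # Sanity check for an uncompressed, non-sparse stream.
    if not initialized <= logical <= allocated:
        raise ValueError("inconsistent size fields")
    return {"allocated": allocated, "logical": logical,
            "initialized": initialized}


def uninitialized_range(sizes):
    """Byte range inside the logical size that was never written, or None."""
    if sizes["initialized"] == sizes["logical"]:
        return None
    return (sizes["initialized"], sizes["logical"])


def classify_offset(sizes, offset):
    """Say which part of the file's clusters a byte offset (e.g. a hit) is in."""
    if offset < 0:
        raise ValueError("negative offset")
    if offset < sizes["initialized"]:
        return "valid data"
    if offset < sizes["logical"]:
        # On disk these bytes are whatever the clusters held before allocation.
        return "uninitialized"
    if offset < sizes["allocated"]:
        return "file slack"
    return "outside allocation"


if __name__ == "__main__":
    # Constructed case: 1,000,000-byte file, only the first 4 KiB ever written.
    sizes = parse_data_sizes(build_sample_attribute(1048576, 1000000, 4096))
    print("uninitialized range:", uninitialized_range(sizes))
    for hit in (100, 5000, 1040000):
        print(hit, "->", classify_offset(sizes, hit))
```

A hit classified as "uninitialized" lies within the logical file size but in clusters the file never wrote, which is the case the newsletter says is reported as "slack etc.".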

* When extracting e-mail messages and attachments (forensic license only), attachments now become child objects of their respective parent e-mail messages. That makes it very easy to find the attachments for a given e-mail message, or to find the e-mail message that contains a given attachment. Because of this parent-child relationship, you can now conveniently include the containing e-mail message when copying attachments to an evidence file container, or include the attachments when copying the e-mail message. Tagging an e-mail message will also tag its attachments. Tagging an attachment will at least partially tag the containing e-mail message. The old e-mail extraction logic from v14.8 and before, where attachments were collected in a separate directory "Attach", can still be used by choosing to not allow files with child objects (see Options | Directory Browser). Note that this option will eventually be removed in future versions. It is included for backwards compatibility only.

* The names of attached and embedded files that belong to e-mail messages in the same folder in the same e-mail archive are usually no longer made unique by artificially inserting an incrementing number in square brackets before the extension, so they are now usually authentic/original.

* The rendition of the body of e-mail messages extracted from PST archives with Outlook 2003 or later present is now more faithful for Asian languages.

* The directory browser context menu command that in previous versions found the containing e-mail message for a given attachment has been renamed "Find parent object", moved to the Position submenu and can now be applied to _any_ file. Its function is now identical to the Backspace key, and it's now available with any license type. It also no longer switches back from a recursive to a non-recursive view if the parent object is already listed in the directory browser in that recursive view.

* Password-protected Outlook PST e-mail archives will now be marked with "e!" if either the encryption test is applied to such files or if you try to extract e-mail from such files.

* The e-mail extraction functionality now checks *.pst for their signature and original *.eml for the presence of embedded files before trying to do the extraction, to reduce the number of files for which "no e-mail found in..." is reported unnecessarily. Files embedded in original .eml files are now extracted directly as child objects, and the e-mail message is not duplicated anymore.

* Some more minor improvements/fixes for e-mail processing, concerning e-mails with unusual line-break formats, Pegasus Mail and PocoMail files.

* Better structured and more visually appealing representation of internal file metadata in Details mode for various file types.

* Representation of .lnk shortcut files for Preview mode and View command now more visually appealing. (forensic license only)

* Metadata extraction from MS Office 2007 XML, OpenOffice XML, StarOffice XML, .dmp memory dumps, and PNF (precompiled setup information) files. Metadata extraction from hiberfil.sys files, wim Vista image files, and GZ archives in Details mode. (forensic license only)

* Ability to decompress Windows XP 32-bit hiberfil.sys files, whether active or inactive ones, after having copied them off the image to your own hard disk, to get a dump of physical memory with all in-use pages from a previous point of time when the computer entered into hibernation, as well as individually carved xpress chunks from hiberfil.sys files, including xpress chunks located in the "slack" of hiberfil.sys that are even older. This feature is available in Edit | Convert. (forensic license only)

* Support for true Unicode filenames for the examination of Zip, RAR, and 7zip archives (forensic license only). Note that for Zip archives with true Unicode filenames to be processed correctly, you need to pick the correct code page in the case properties first. E.g. for Zip archives created under Linux, that's likely UTF-8. For Zip archives created under Windows in Asia, that's likely a regional code page.
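
Why the code page has to be chosen by the examiner, as an added Python example (not X-Ways code): a Zip entry name is raw bytes, and only general purpose flag bit 11 declares them to be UTF-8. The sample headers, the filename and the function names below are constructed for illustration.

```python
import struct

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte Zip local file header
FLAG_UTF8 = 0x0800                          # general purpose bit 11


def build_local_header(name_bytes, flags):
    """Constructed sample: a local file header carrying only a filename."""
    return LOCAL_HDR.pack(b"PK\x03\x04", 20, flags, 0, 0, 0, 0, 0, 0,
                          len(name_bytes), 0) + name_bytes


def decode_entry_name(buf, case_code_page):
    """Decode an entry name; return (name, how_it_was_decoded)."""
    sig, _ver, flags, *_rest, name_len, _extra_len = LOCAL_HDR.unpack_from(buf)
    if sig != b"PK\x03\x04":
        raise ValueError("not a Zip local file header")
    raw = buf[LOCAL_HDR.size:LOCAL_HDR.size + name_len]
    if flags & FLAG_UTF8:
        # The archive itself declares UTF-8; the case code page is irrelevant.
        return raw.decode("utf-8"), "utf-8 flag"
    try:
        return raw.decode(case_code_page), "case code page"
    except UnicodeDecodeError:
        # The chosen code page cannot represent these bytes at all.
        return raw.decode(case_code_page, errors="replace"), "case code page (lossy)"


if __name__ == "__main__":
    name = "報告書.txt"  # constructed sample filename
    samples = {
        "Windows, Japanese code page, no flag": build_local_header(name.encode("cp932"), 0),
        "Linux, UTF-8 bytes, no flag": build_local_header(name.encode("utf-8"), 0),
        "UTF-8 flag set": build_local_header(name.encode("utf-8"), FLAG_UTF8),
    }
    for label, header in samples.items():
        for page in ("cp437", "cp932", "utf-8"):
            decoded, how = decode_entry_name(header, page)
            print(f"{label:38} {page:6} {how:24} {decoded!r}")
```

Note that cp437 decodes any byte sequence without error, so a clean decode does not show that the code page was the right one; only the resulting name does.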

* Better support for very large archives in excess of 2 GB. Some other minor improvements in relation to archive handling.

* Creation and last access timestamps are now extracted from zip archives when including their contents in the volume snapshot, if these timestamps are available.

* The option to not include free drive space in otherwise complete sector-wise images of partitions/volumes is now available in X-Ways Forensics, too, not only in WinHex when run with a specialist or forensic license. It's now included in X-Ways Forensics because more selective instead of complete acquisitions may be preferable or even required in certain jurisdictions and because certain prosecutors wish to limit examinations to existing files anyway. Special precautions help to avoid unintentional use of this option.

* Ability to filter out those previously existing items only whose first cluster is known to be unavailable (most notably the so-called "X files"), by using a new third state of the checkbox entitled "List previously existing items". (forensic license only)

* Ability to focus on files that have child objects with the Attribute filter. (forensic license only)

* Whenever one or more filters are active that actually filter out items in the currently displayed directory browser, the two blue filter symbols in the directory browser's caption line are now clickable and allow you to deactivate *all* filters with a single mouse click, to ensure you are not missing any file. This was a frequently requested feature. They also cause search hit lists to be displayed in full, in that if multiple search terms are selected and "Min. x" or "All x" settings are used, they are reduced to "Min. 1". Clicking them also unchecks the "List 1 hit per file only" checkbox, if checked. (forensic license only)

* Ability to read and write .e01 evidence files with a segment size larger than 2 GB. In fact it is not necessary any more to split them at all (except of course if the target file system is FAT32 or if you need to burn the image on CDs or DVDs). For full compatibility with earlier versions of X-Ways Forensics, with EnCase versions before v6, and with other products, split them at 2,047 MB or less, as before. (forensic license only)

* Report tables created by X-Ways Forensics itself (by v14.9 Preview 3 and later) can now be distinguished from user-created report tables in dialog windows.

* The size limit that defines when a picture is considered irrelevant for skin tone analysis is now slightly more strict (width or height no more than 8 pixels, or width and height no more than 16 pixels each). (forensic license only)

* Ability to rename virtual attached files in the volume snapshot with the directory browser context menu. (forensic license only)

* Even after exploring a directory by clicking it in the directory tree you will now find a ".." item at the top of the directory browser, which you can double-click to go upwards to the respective parent directory, same as with the backspace key.

* Indexing: Unnecessary interruption by user prompts in certain situations prevented. (forensic license only)

* Pictures embedded in other files can now be included in the volume snapshot even if their respective parent files are compressed. (forensic license only)

* Stills extracted from videos are now named after the video file, not only after the time index. (forensic license only)

* When viewing video files externally, X-Ways Forensics now ensures temporary filenames with Latin 1 characters only, for compatibility with programs such as MPlayer that are not Unicode-aware. (since v14.8 SR-4)

* Naming carved JPEG files after camera model and date and time (specialist or forensic license), where possible, is now optional.

* It is now possible to focus on or filter out half tagged items (see Directory Browser Options, forensic license only).

* Option to export lists as text files in Unicode. (forensic license only)

* Fixed an error that under certain circumstances caused a file header signature search to find and list files that were already part of the volume snapshot before, although this feature is supposed to avoid creating duplicates.

* More complete usage of Unicode in various portions of the user interface, such that the Chinese and Japanese translation can now be used correctly even if the code page that is active in the Windows system is not 936 or 932, respectively. More complete Unicode support also for case HTML reports output in Chinese or Japanese.

* For certain file types, the file type verification now determines the correct file type without highlighting the type status as "newly identified" even if the type is different from the extension. It does that for Windows Registry files (because it's normal for them not to have any extension) and HTML/XML files (because there are a variety of extensions that are all normal and plausible). That helps to keep the number of files with the type status "newly identified" low and allows you to concentrate better on files that were actually misnamed. (forensic license only)

* Finds deleted partitions automatically if located 64 sectors apart from a previously found partition (not only 63 or 2048 sectors as before).

* Since the introduction of 256-bit AES in WinHex/X-Ways Forensics, the PC1 encryption algorithm was still supported only for compatibility with earlier versions. Support has now been discontinued.

* No longer adds XML and HTML files to the report table "No detectable textual contents" when no text is extracted from them by the viewer component for the logical search/for indexing. (forensic license only)

* An error was fixed that would prevent files beyond the 2 TB barrier from being read correctly, on NTFS volumes larger than 2 TB.

* The first step of the particularly thorough file system data structure search now works on NTFS volumes larger than 2 TB. (since v14.8 SR-5)

* Error fixed that prevented reconstructing RAIDs over 2 TB. (since v14.8 SR-1)

* X-Ways Forensics and X-Ways Investigator now notify you automatically when you get nearer to the end of your update maintenance period.

* The viewer component is now loaded only when actually needed, not immediately when starting the program. (forensic license only)

* The "Text" button that turns the preview provided by the viewer component into a raw text preview (which for example is very helpful when interested in all header lines of an e-mail message), is now labelled "Raw", to increase awareness of the fact that usually it is _not_ desirable to view files in that mode. (forensic license only)

* When exporting search hits to a tab-delimited text file (not HTML) including context, the actual search term was previously represented by "x" characters. This was fixed. (since v14.8 SR-4)

* When exporting metadata to a tab-delimited text file, line breaks and tabs are now replaced with space characters. (since v14.8 SR-4)

* An error was fixed that occurred when trying to copy directory data to evidence file containers with the indirect method. (since v14.8 SR-3)

* Using keyboard shortcuts to create report table associations now either replaces already existing associations or not, depending on the settings in the dialog window for report table associations. (since v14.8 SR-3)

* Fixed an error that could occur in v14.8 SR-1 when automatically interpreting images with multiple segments directly after creation, for hash verification or evidence object replacement. (since v14.8 SR-2) The images were all OK, however.

* Fixed an error that occurred when copying alternate data streams as alternate data streams. (since v14.8 SR-2)

* Possible source of instability in Details mode fixed. (since v14.8 SR-1)

* New option in investigator.ini that makes it possible to prevent attaching external files to a volume snapshot in X-Ways Investigator. (since v14.8 SR-1)

* Under certain circumstances, the progress indicator could be wrong for logical searches conducted in selected evidence objects. This was fixed. (since v14.8 SR-1)

* Quicker display of metadata cells in the directory browser if a lot of metadata has been extracted. (since v14.8 SR-1)

* Several more minor improvements.

* The quick-guides that are downloadable from the X-Ways Forensics product web page have been updated for v14.8/v14.9 where necessary. The user manual has been updated for v14.9 as well.

* v8.2 of viewer component has been updated on Mar 14 and Mar 20. It no longer freezes when viewing/processing certain HTML files that v8.1.9 had no problems with. MS Word documents that consist of just a single table are now again displayed correctly.


Please note that if you would like to be notified of service releases between two newsletter issues, you can simply create an account ( https://www.x-ways.net/winhex/forum/create-account.html ) on our forum and activate e-mail notification for postings in the Announcements section of the forum.

If you would like to be notified of training opportunities in North America, Europe, Asia, or Australia, please drop us a brief note. You could simply reply to this message. Thanks.


#108: WinHex, X-Ways Forensics and X-Ways Investigator 14.8 released

Feb 27, 2008

This mailing is to announce a major update, v14.8.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Chicago, Mar 31-Apr 4 https://www.x-ways.net/training/chicago.html
London, Apr 22-Apr 24 https://www.x-ways.net/training/london.html
New York, Jun 9-13 https://www.x-ways.net/training/new_york.html
For more information: https://www.x-ways.net/training/



* Ability to extract JPEG pictures from video files, in a user-defined interval (e.g. every 20 seconds). Immensely useful if you have to systematically check many videos for inappropriate or illegal content. Looking at extracted pictures in the gallery is much faster and less stressful than having to watch each video entirely one after the other, as the amount of data is vastly reduced, and the extraction process can be run unattended e.g. over night. Even if the nature of the material changes in the middle of the video (e.g. child pornography hidden in a family or vacation video), that will be discovered if the chosen interval is not too large.

Also useful if you need to include still pictures in a printed report. The extracted pictures of each video are collected as either child objects of the video file itself or in a virtual directory named after the original video file, as virtual files, always in the same path as the original file, so that it's easy to link suspicious still pictures back to a video. The first extracted picture of a video at the same time serves as a preview picture for the video file in Preview and Gallery mode. ASF/WMV videos protected with digital rights management (DRM) cannot be processed and are consequently marked with e! in the Attr. column.

Requires an external program, either the non-GUI version of MPlayer (http://www.mplayerhq.hu/design7/dload.html) and its separately downloadable codec package (extract to "codecs" subdirectory of MPlayer), or Forensic Framer (http://www.kuiper.de/). The program has to be selected in Options | Viewer Programs. Pictures can be extracted from these video formats and codecs:
http://www.mplayerhq.hu/DOCS/HTML/en/video-formats.html http://www.mplayerhq.hu/DOCS/codecs-status.html

* The Options | Viewer Programs dialog window now allows you to define an additional external program specifically for video files (forensic license only). If defined, double-clicking video files will send them directly to that external program. If MPlayer is detected by X-Ways Forensics (or Forensic Framer, which includes MPlayer), MPlayer will be predefined.

* When pictures are extracted from video files or documents or thumbs.db files, or when e-mail messages and attachments are extracted from e-mail archives, X-Ways Forensics no longer creates a virtual directory whose name resembles the original filename. Instead, the extracted files are accessible directly by double-clicking the original file. They also can still be seen when exploring recursively. The parent file's icon will be marked with an ellipsis, to indicate that the file's contents were extracted and there is more to find "behind" the file. The main benefit is that it is now much faster to identify the parent/host file. For example, when tagging an extracted file, the parent file will be half tagged automatically, which makes it easier to e.g. add such files to a report table later. Or when navigating back upwards from the extracted contents to the parent file by clicking the ".." item, the parent file itself instead of a virtual directory will be automatically selected. Also the path of the extracted contents is more authentic because no suffix " Mail" or " Pics" etc. is artificially inserted in the path any more.

Note that when you copy such files whose parents are other files (not directories) to evidence file containers, older versions of X-Ways Forensics and X-Ways Investigator will not understand the parent-child relationship and show the child objects in "Path unknown" instead. However, it is possible to optionally have X-Ways Forensics create virtual directories instead of files with child objects (Options | Directory Browser), as before, for compatibility reasons.

For reasons of consistency and simplicity, the optional special treatment of archives as directories has been removed. Instead, archives are now treated exactly like other files with child objects.

* Ability to preview/view $EFS logged utility streams (LUS) and Windows Task Scheduler .job files. (forensic license only)

* Preview/view support for $I* Vista recycle bin files (since v14.7 SR-1, forensic license only)

* The option to filter out $EFS logged utility streams was removed from the directory browser option dialog. An option was added that keeps NTFS LUS from being included in newly taken volume snapshots in the first place, or only non-$EFS LUS. Useful for NTFS volumes written by Windows Vista if you are not interested in NTFS LUS.

* The binary contents of recycle bin info2 files, .lnk shortcut files, $EFS LUS, and .job files are no longer output directly as part of a case report. Instead, a textual representation of their contents is output, as known from Preview mode.

* Attribute filters for NTFS $EFS, other logged utility streams, NTFS offline files, files with object ID, Unix/Linux symlinks, and other Unix/Linux special files. (forensic license only)

* There is now an Attr. filter that allows you to focus on files for which file system metadata is available only and whose contents are totally unknown (where not even the original location of the data on the volume is known). Such files are usually part of the volume snapshot after a particularly thorough file system data structure search on NTFS volumes.

* Attribute filters for pictures that were extracted from videos and for virtual files that were manually attached to a volume snapshot. (forensic license only)

* Metadata extraction from MP3 files. ID3-embedded files other than JPEG and PNG (which can be automatically extracted) are indicated by a special report table once discovered. (forensic license only)

* X-Ways Forensics can now distinguish between .wma/.wmv audio/video files when verifying the file type based on signatures. Much more metadata is now extracted from .asf, .wmv, and .wma files. For a MS Excel document, the name of the person that opened it last is now extracted.

* Intelligent file size detection for .rar archives for File Header Signature Search and File Recovery by Type, which makes it possible to extract and not only list files in such archives.

* File header signature search and file type verification improved for HTML, XML, XSD, and DTD.

* File Type Signatures.txt, File Type Categories.txt, and file carving further expanded and improved.

* Support for anchors in the GREP syntax: \b for a word boundary, ^ for the start of a file, $ for the end of a file.

* The options to filter out existing/previously existing/hidden items have been superseded by options that are defined in a "positive" sense and more in line with other filters: Show existing files, show previously existing items, show tagged items, show untagged items, show hidden items, show non-hidden items. This change also makes it very easy to focus on files that were tagged or hidden. (forensic license only)

* The option to group tagged and untagged items was removed. However, it is now easily possible to _filter_ by tags, as mentioned above. (forensic license only)

* The option to filter out previously existing files is now available in X-Ways Investigator, unless prevented by new option "+28" in investigator.ini.

* Additional option in investigator.ini that prevents users from deleting report tables.

* A path filter has been introduced. Allows you to focus on files in whose path a certain substring occurs, e.g. "pic" or "Temporary Int". (forensic license only)

* Files identified as duplicates based on hash values are no longer optionally marked with comments, but with a "duplicates found" mark in the Attribute column, which is more efficient, is retained in evidence file containers (for the recipient to see that he/she can be supplied with the duplicates if needed), and is now filterable. (forensic license only)

* Available hashes in the volume snapshot are now reused instead of re-computed when creating hash sets.

* When refining the volume snapshot and verifying file types based on signatures, in earlier versions this operation was applied to files even if it had been applied before. Now if you wish to repeat it, e.g. because you have edited the file header signatures database, you need to check [x] Again, or else the same files will not be touched again, to save time. From now on, only files whose types were not verified before will be processed by default.

* Should X-Ways Forensics crash during Refine Volume Snapshot, Logical Search or Indexing whenever it is dealing with one of the files in the volume snapshot, you will automatically be pointed to the offending file when you restart the program, so that you can easily omit it when trying again. Depends on a new option in Security Options. The VS.log file known from v14.7 is no longer created.

* WinHex can now identify the exact type of optical media in the technical details report (whether CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RW, etc.).

* Somewhat faster read access to DVDs.

* Better handling of CD-ROM XA, but still most sectors cannot be read. Unlike as so often with the competitors, X-Ways Forensics will alert you that there is a problem. At least many times now it is possible to open the files on such CDs (e.g. Video CDs) through the operating system (see Security Options). (since v14.7 SR-1, further improved with v14.8)

* Predefined character pool for indexing Japanese text.

* Ability to copy selected text from viewer component windows to the clipboard in Unicode and RTF. (forensic license only)

* The Details mode is now more visually appealing and easier to understand. Will be further improved in future releases/versions.

* Option to retain alternate data streams as ADS when using the Recover/Copy command if the output volume is formatted with NTFS. (forensic license only) If disabled or if copied to a different file system, ADS are recreated as conventional files, as before.

* When using the Recover/Copy command to copy files including their path, the name of the evidence object is now recreated as a directory also if "Default to evidence object folders for output" is unchecked in the case properties, not only when copying from a recursively explored case root window. (forensic license only)

* Options to explicitly include or exclude child objects of directories or files when using the Recover/Copy command or when filling evidence file containers. As before, when copying from an already recursive view, however, child objects cannot be included. (forensic license only)

* It is now possible to include directory data (i.e. depending on the file system, directory entries, INDX buffers, ...) in evidence file containers (forensic license only). Useful if the user of the container might be interested in timestamps or other metadata in these data structures. If you choose to include directory data in a container when creating it, this has a direct effect only on directories that are selected themselves. It has an effect on parent directories of selected items only if you check an additional option. This is needed because otherwise the directory data might unintentionally reveal the names and other metadata of files that were intentionally omitted from the container, e.g. for reasons of confidentiality. Earlier versions of X-Ways Forensics and X-Ways Investigator do understand it if data is available for directories.

* Option to automatically compress, encrypt, and/or split a container after creation, offered when closing a container that was opened in the background. (forensic license only, not in X-Ways Investigator) Useful e.g. to be able to ship huge containers on CDs or DVDs.

* The setup program now shows a progress window when the viewer component is copied (if found in the subdirectory \viewer). It also automatically copies MPlayer (if found in the subdirectory \MPlayer). Remember that if these external components are found in the expected subdirectories, they are activated in Options | Viewer Programs automatically.

* If in the case report options you specify maximum dimensions for pictures as 0×0, then the pictures will only be linked, just as other files, not displayed directly in the report.

* Tools | Disk Tools | Scan For Lost Partitions now recognizes Ext2/Ext3/Ext4 partitions via their first superblock.

* Removing items from huge volume snapshots is now usually much faster. However, after this operation, you can no longer draw conclusions from the internal IDs about the order in which items have been added to the volume snapshots, because the remaining internal IDs may be shuffled when removing items.

* In previous versions, when totally removing hidden items from a volume snapshot for which hash values had been computed, this operation left inconsistent hash values for some of the remaining items in the volume snapshot. Also report table associations, comments, and extracted metadata were not correctly retained. This was fixed.

* Whenever the case is automatically saved because the autosave interval has elapsed, the configuration (various options, settings) is also saved.

* The Attach External File command in the directory browser context menu is now available in X-Ways Investigator, too. (since v14.7 SR-1)

* The Attach External File command can now even be used to attach multiple files at the same time. Useful e.g. after having manually extracted/converted certain records/e-mails/pictures/files from a file. When you attach the externally stored files to the original file, they will either become direct child objects (see above), or a virtual directory will be created named after the original file, and the files will be shown collectively in that directory. If a single file is attached only (e.g. the converted/decrypted/translated version of a document), no virtual directory is needed. (since v14.7 SR-2, changed in v14.8)

* Ability to rename virtual directories, with a new command in the directory browser context menu.

* Fixed an exception error that under certain circumstances occurred when entering into search hit list mode. (since v14.7 SR-3)

* Since v14.6, if any hash sets were selected for the hash set filter, they were used for hash set matching, too, even if unselected for matching by the user. This was fixed with v14.7 SR-5.

* Since v14.6, the option "Not only extract, also embed attachments" only embedded e-mail attachments in .eml files and did not extract them. This was fixed with v14.7 SR-5.

* The registry viewer now allows searching for true Unicode characters in values (data). An error was fixed that prevented finding text in the values (data) in earlier releases of v14.7. The number of hives that can be loaded simultaneously has been increased from 16 to 32. (since v14.7 SR-6)

* The exception list for the indexing algorithm, if enabled by the user, was not correctly utilized any more since v14.3. This was fixed with v14.7 SR-7.

* Fixed an exception error with v14.7 SR-7 that could occur when opening very large FAT16 volumes.

* Screen update problem in gallery fixed with v14.7 SR-8, for files without known contents (for which file system metadata is available only).

* Fixed inability to open dynamic volumes under certain circumstances.

* Many other minor improvements, some smaller bug fixes.

* The viewer component has been updated on Feb 12 and Feb 26. Some exception errors and instabilities were fixed, and two errors were fixed that caused the viewer component to freeze with certain corrupt GZ archives and certain SWF files.
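
Added example (not X-Ways code, and not a statement of how X-Ways implements the scan): the Scan For Lost Partitions item above mentions recognizing Ext2/Ext3/Ext4 partitions via their first superblock. The Python below scans a raw image sector by sector for that superblock using the field offsets of the ext on-disk format; the ext2/ext3/ext4 split by feature flags is a common heuristic, and all function names and the sample image are constructed for illustration.

```python
import struct
from typing import List, NamedTuple, Optional

SECTOR = 512
SB_OFFSET = 1024            # the first superblock starts 1024 bytes into the partition
EXT_MAGIC = 0xEF53          # s_magic, little-endian u16 at superblock offset 0x38

# Feature bits from the ext2/3/4 on-disk format
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_64BIT = 0x0080
EXT4_INCOMPAT = 0x0040 | INCOMPAT_64BIT | 0x0200      # extents, 64bit, flex_bg
EXT4_RO_COMPAT = 0x0008 | 0x0010 | 0x0020 | 0x0040    # huge_file, gdt_csum, dir_nlink, extra_isize


class ExtHit(NamedTuple):
    start_sector: int
    fs_type: str
    block_size: int
    size_sectors: int
    label: str


def parse_superblock(sb: bytes, start_sector: int = 0) -> Optional[ExtHit]:
    """Return an ExtHit if sb is a plausible *first* ext superblock, else None."""
    if len(sb) < 0x154 or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return None
    inodes, blocks = struct.unpack_from("<II", sb, 0x00)
    log_bs = struct.unpack_from("<I", sb, 0x18)[0]
    group_nr = struct.unpack_from("<H", sb, 0x5A)[0]
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)
    # Sanity checks keep a stray 0xEF53 from being reported as a partition.
    if inodes == 0 or blocks == 0 or log_bs > 6:
        return None
    if group_nr != 0:   # backup copy in a later block group, not the partition start
        return None
    if incompat & INCOMPAT_64BIT:   # high half of the block count lives at 0x150
        blocks |= struct.unpack_from("<I", sb, 0x150)[0] << 32
    if (incompat & EXT4_INCOMPAT) or (ro_compat & EXT4_RO_COMPAT):
        fs_type = "ext4"
    elif compat & COMPAT_HAS_JOURNAL:
        fs_type = "ext3"
    else:
        fs_type = "ext2"
    block_size = 1024 << log_bs
    label = sb[0x78:0x88].split(b"\0", 1)[0].decode("latin-1")
    return ExtHit(start_sector, fs_type, block_size, blocks * block_size // SECTOR, label)


def scan_for_ext(image: bytes) -> List[ExtHit]:
    """Treat every sector as a candidate partition start and test its superblock."""
    hits = []
    for sector in range(len(image) // SECTOR):
        off = sector * SECTOR + SB_OFFSET
        if off + 1024 > len(image):
            break
        hit = parse_superblock(image[off:off + 1024], sector)
        if hit:
            hits.append(hit)
    return hits


def make_superblock(blocks, log_bs, compat, incompat, ro_compat, label=b"", group_nr=0):
    """Build a minimal 1024-byte superblock (constructed test data, not a real volume)."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0x00, 32, blocks)          # inode count, block count
    struct.pack_into("<I", sb, 0x18, log_bs)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<H", sb, 0x5A, group_nr)
    struct.pack_into("<III", sb, 0x5C, compat, incompat, ro_compat)
    sb[0x78:0x78 + len(label)] = label
    return bytes(sb)


def build_sample_image() -> bytes:
    """Constructed 2080-sector image: two partitions, one backup copy, one decoy."""
    img = bytearray(2080 * SECTOR)

    def put(start_sector, sb):
        off = start_sector * SECTOR + SB_OFFSET
        img[off:off + 1024] = sb

    put(63, make_superblock(100, 0, COMPAT_HAS_JOURNAL, 0x0002, 0x0001, b"evidence"))
    put(2048, make_superblock(16, 2, COMPAT_HAS_JOURNAL, 0x0242, 0x0008, b"data"))
    put(2060, make_superblock(16, 2, COMPAT_HAS_JOURNAL, 0x0242, 0x0008, group_nr=1))
    put(1000, make_superblock(100, 99, 0, 0, 0))           # magic only, absurd block size
    return bytes(img)


if __name__ == "__main__":
    for h in scan_for_ext(build_sample_image()):
        print(f"sector {h.start_sector}: {h.fs_type}, block size {h.block_size}, "
              f"{h.size_sectors} sectors, label {h.label!r}")
```

The block-group check is what separates the first superblock from its backup copies, which carry the same magic and would otherwise show up as extra partition starts.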

#107: WinHex, X-Ways Forensics and X-Ways Investigator 14.7 released

Jan 17, 2008

This mailing is to announce a noteworthy update, v14.7.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Chicago, Mar 31-Apr 4 https://www.x-ways.net/training/chicago.html
London, Apr 22-Apr 24 https://www.x-ways.net/training/london.html
New York, Jun 9-13 https://www.x-ways.net/training/new_york.html
For more information: https://www.x-ways.net/training/



* The virtual "Path unknown" directory on NTFS volumes is now often much better organized. It identifies files and subdirectories whose original parent directories are unknown but known to be the same. Such files and subdirectories are now collected in the same generically named virtual directory, which makes it easier to get an idea what that directory might have been and more quickly identify relevant and irrelevant files. Applies to newly taken volume snapshots only.

* The thorough file system data structure search on NTFS volumes now often turns up even more traces of previously existing files than before, including even more earlier names and earlier paths of renamed/moved files. (forensic license only)

* Improved results of thorough file system data structure search on NTFS volumes that still can be recognized as NTFS volumes, whose MFT however is corrupted and cannot be read any more.

* Support for dynamic volumes defined on GUID partitioned (GPT) disks. Such dynamic volumes can be used under Windows Vista and the 64-bit versions of Windows XP and Windows 2003 Server.

* Now automatically finds all partitions on hard disks that have both valid GPT and MBR partition definitions.

* Partitions formatted with exFAT are now recognized as such. (That does not mean that the exFAT file system is now natively supported.)

* Slightly more informative progress indicator window for thorough NTFS file system data structure search and file header signature search.

* Progress indicator window and ability to abort for metadata extraction.

* Extracted metadata were previously added to the Comments column. Now there are a separate column and a separate filter for metadata, and the Comments column is now reserved for the examiner's own comments.

* Metadata extraction from RTF, MP4, 3GP, M4V, M4A, RIFF (.wav, .avi, ...) files and IE cookies. (forensic license only)

* Intelligent file size detection for MP4, 3GP, M4V, M4A, MOV, DBX for File Header Signature Search and File Recovery by Type. Improved JPEG file size detection/estimation.

* File Header Signatures.txt further expanded.

* PDF documents with former invisible versions of the same document are now associated automatically with a special report table once seen in Details mode or once internal metadata has been extracted from them. (forensic license only) Once aware that old versions exist, well-versed users can extract them if needed.

* Extracts the internal creation timestamp from Internet Explorer cookies, Norton Ghost .gho and PGP pubring.pkr keyring files. (forensic license only)

* Ability to preview/view INFO2 recycle bin files.

* Ability to preview/view most SPL printer spool files. Ability to automatically extract EMF files from multipage SPL printer spool files (see Refine Volume Snapshot). (forensic license only)

* thumbs.db and many Windows Registry files found via file header signature search are now listed/recovered with their original names. Intelligent file size detection for Windows Registry files.

* Microsoft's XPS documents are now treated like archives, such that in particular the XML files within are now properly covered in logical searches (as long as the contents of archives have been included in the volume snapshot, of course).

* Ability to conveniently find the e-mail message that contains the selected attachment, via a new directory browser context menu command. (forensic license only) Not for AOL PFC.

* Attachments and embedded files in e-mail messages that are attachments to other e-mail messages (e.g. forwarded) can now be extracted from the outer e-mail message if you add *.eml to the series of file masks for e-mail extraction.

* Correct conversion from/to the Windows code pages between 50220 and 50230.

* When trying to view a file externally again that was already copied to the directory for temporary files before for viewing and still exists there, it is not copied again any more, which saves time (think of large video files).

* Ability to immediately and automatically verify newly created raw images and .e01 evidence files by recomputing the hash values. (forensic license only)

* Option to immediately replace an evidence object in the active case with a newly created image, if a disk is imaged that is associated with the active case as an evidence object.

* When creating raw image files or .e01 evidence files of volumes/partitions with WinHex, there is now an option to store free clusters as zero-value bytes. (specialist or forensic license only) That is useful if you create the image for data backup and not for forensic purposes, in conjunction with compression, to save drive space. This option is not available in X-Ways Forensics, to prevent the unintentional creation of images that are not forensically sound.

* Ability to control NTFS compression for newly created raw image files in File | Create Disk Image: none, sparse, or normal compression.

* Now complete Unicode support in technical details report, technical description of evidence objects, and technical description in .e01 evidence files.

* Improved Unicode support for textual values in the registry viewer and in the registry report.

* In the registry report, binary data such as "RecentDocs" can now optionally be interpreted as Unicode text, which e.g. makes it possible to view non-Latin 1 filenames.

* The automatically suggested registry report output filename now depends on the definition file used. Useful to avoid accidentally overwriting reports created on different registry keys for different purposes, and to immediately get an idea of the purpose of the report if the definition file was already adequately named.

* When clicking a value in a loaded hive in the Registry Viewer, if the data window with the drive/image from which the hive was loaded is in File mode, the cursor will automatically jump to the selected value in the registry file in File mode, and the value will automatically be selected as a block in that file. Useful because it lets you see values, in particular binary ones, in both hexadecimal and text, and easily copy binary values either as binary or as text, not only as hex ASCII.

* Option to create the copylog file as a tab-delimited ASCII or Unicode text file instead of HTML. Option to only output the target filename/path and no original metadata in additional columns. Option to only output original metadata columns and no target filename/path.

* New option: The bytes in the display can be represented as characters in the text column one by one, or WinHex can try to combine them, which if the active code page in Windows is a double-byte character set may be desirable to get the characters right (if 2 bytes = 1 character), or undesirable because of the variable row length.

* When using distributed indexing, X-Ways Forensics now tries to detect differences in the index settings used by the various participants (options such as code pages, substring support, character pool etc.). If detected, at least one of the participants will be warned before indexing starts on that machine. Obviously, in a shared indexing effort the settings should be the same everywhere.

* Interpreted raw images now show up in the Select Target Disk dialog window of Tools | Disk Tools | Clone Disk in WinHex with a specialist or forensic license (not in X-Ways Forensics). Useful if you wish to selectively copy certain sector ranges from one image or disk to another image.

* The logs for Refine Volume Snapshot, Logical Search, and Indexing, which contain the internal IDs of processed files to identify the offending file in case of a crash, are no longer stored in separate log files and no longer in the evidence object metadata directories. Instead, a single file "VS.log" is now created in the directory from where X-Ways Forensics is run, and it is overwritten each time a new operation is started. This means you no longer have to search for the correct log file for the last operation, and it also saves drive space. As before, the last line in such a file specifies the internal ID of the last file that was processed. New: The operation type and the name of the disk/image can be seen in the first line.

* Fixed an exception error that could occur with very long image file paths and names.

* Fixed an error that caused certain GREP search hits to be incorrectly regarded as Unicode hits. (since v14.6 SR-1)

* Three new investigator.ini options: Prevent taking new volume snapshots. Prevent arbitrary files from being opened externally with associated programs. Prevent redefinition of external viewer programs.

* Two more investigator.ini options since v14.6 SR-2: Prevent removal of evidence objects and prevent use of Recover/Copy command (mandatory in X-Ways Investigator, meant as an option in X-Ways Forensics when run with the reduced user interface for non-IT investigators).

* Directories within PST e-mail archives, whose names contain true Unicode characters, can now be recreated when extracting e-mail messages. Previously this failed because of illegal names. The Unicode characters are lost and replaced with underscores, though. (since v14.6 SR-2)

* Fixed an exception error that could occur when viewing certain search hits in Preview mode. (since v14.6 SR-2)

* Fixed an error that could lead to incorrect data being shown in sectors above the 2 TB barrier. (since v14.6 SR-2)

* The directory entries in clusters other than the first one in directories on FAT12/FAT16 volumes that are child directories of the root directory and whose names consist of only 1 or 2 characters were ignored. Files defined by ignored directory entries could only be found through a file header signature search. This was fixed. (since v14.6 SR-3)

* Some instability issues in support for certain file types fixed. (since v14.6 SR-3)

* Many other minor improvements, some smaller bug fixes.
