·.·. Computer forensics software made in Germany .·.·

WinHex & X-Ways Forensics Newsletter Archive



#116: WinHex, X-Ways Forensics and X-Ways Investigator 15.5 released

Dec 18, 2010

This mailing is to announce a major update, v15.5.

WinHex evaluation version: https://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for download links, log-in data, update maintenance, upgrade offers, and more.

Please be advised that if you are interested in receiving information about service releases when made available, you can create an account on the support forum and enable e-mail notification of postings in the Announcement section: http://www.winhex.net

We wish our users and readers a Merry Christmas and Happy Holidays.


Washington DC https://www.x-ways.net/training/washington_dc.html Feb 15-19
London https://www.x-ways.net/training/london.html Apr 12-16

For more information: https://www.x-ways.net/training/



* New e-mail extraction function for Outlook PST and OST e-mail archives. Ability to recover deleted e-mail messages if they can still be found. More information extracted from contact entries, calendar entries, and tasks stored in PST archives. Ability to process encrypted PST archives without the password. Faster processing than before. An Outlook/MAPI installation is not needed.

Some plain text e-mail messages are presented as .eml files (i.e. header and body combined in one), others as text files, HTML e-mail messages as HTML files. They are all marked as extracted e-mail messages in the Attribute column. To see extracted e-mail messages, filter by the Attribute column, not by type. Except for the .eml files, e-mail headers are presented as child objects. The old PST processing via MAPI is still used if the "MAPI" checkbox is checked, but the new method is then still used additionally just to try to find deleted content.

The program help topic and the user manual chapter about e-mail extraction have been completely revised.

* Based on a request from a major customer, X-Ways Forensics can now be used with a special license type as a pure disk imaging tool (i.e. with disk imaging capability only). The request was based on performance tests in which X-Ways Forensics compared very favorably with other imaging tools, especially when used together with hardware write blockers. These imaging licenses are available at a special rate. For details please see https://www.x-ways.net/forensics/dongle.html#imaging.

* New "fast, adaptive" compression option for imaging that provides an even better speed/compression compromise than before. This is the new default setting. The previous fast adaptive compression option is still available as "average, adaptive".

* The HTML registry report is now output completely in tabular form, for much better readability and import into other programs such as MS Excel for further processing (sorting, filtering). Comments about this new format are welcome. The name and key of each value are no longer output explicitly by default, but can be seen as a tooltip when moving the mouse cursor over a small white box. If you need to see the name and key explicitly for each and every reported value for some reason, you can include them optionally via the registry viewer's context menu.

* The second part of the registry report now gives an overview of installed drivers, file systems, and services in addition to the very helpful tables "Attached devices by serial number" and "Partitions by disk signature".

* The index optimization now fully utilizes the memory space advantages of 64-bit Windows environments.

* X-Ways Forensics has been found to run on Windows 7 just as well as under Windows Vista, i.e. the same limitations (but no additional limitations) apply.

* Improved support for dynamic disks created by Windows Vista.

* Ability to distinguish between DOCX, XLSX, PPTX, and other file types when running a file header signature search.

* Information about the detected true type of a file (confirmed or newly identified) is now included in evidence file containers. That information can be imported by v15.5 and later versions. Consequently, the option "Append correct extension when copying" is not needed any more for filling evidence file containers and from now on will only have an effect on the Recover/Copy command.

* In newly taken snapshots of NTFS volumes, alternate data streams, logged utility streams etc. are now represented as child objects of the file to which they belong. This is a more faithful representation of the actual organization of the file system, since ADS are not listed in the directories to which their host files belong. Instead ADS are attached to their respective host files. Another advantage is that it is easy to navigate from any relevant alternate data stream to its parent (e.g. by pressing the Backspace key). Also the listing of a directory that contains many files with ADS becomes less crowded thanks to this change. Feedback about this new feature in particular is welcome.

* Ability to use certain Position menu commands in the case root window: Find parent object, Navigate to FILE record/index record/inode/directory entry etc., Jump to item number.

* When you click a deleted file in an Ext file system for which only a directory entry is known and no inode, in Partition/Volume mode, X-Ways Forensics will now automatically jump to the directory entry.

* Ability to navigate to the parent object from within a search hit list in the case root window without losing that search hit list view.

* When viewing pictures with the graphics viewing library (not the viewer component) in a separate window, you can now press Page Down/Up to proceed to the next file in the list and view it in a new window. Press Ctrl additionally for the same effect in a window provided by the viewer component.

* The icon displayed for a ".." item in the directory browser now accurately presents the parent object, i.e. indicates an existing, deleted or dummy directory or an existing or deleted or dummy file. Tentative feature only.

* Ability to filter out hidden items in X-Ways Investigator. (In X-Ways Investigator, files can be hidden when identifying duplicates based on hash values.)

* The special rule for hiding duplicate e-mail messages and attachments in the directory browser based on hash values is now optional.

* Fixed an error with the representation of volume slack on Ext* volumes.

* Fixed non-deterministic listing of unpartitionable space for physical media.

* Revised uninstall procedure that in case of X-Ways Forensics does not require the dongle.

* Ability to manually rename automatically carved files. Useful to get the hive names of carved registry files right for the registry report.

* The interpreted version of a raw image of a physical hard disk can now be selected as the destination for cloning. This is useful for example if you want to copy a range of sectors from one image to another. Supported in WinHex only, not X-Ways Forensics.

* Ability to shut down the computer after completion of disk cloning or after restoring an image back to a disk.

* Improved support for deconstruction of MHT files.

* Fixed an error that could occur in the representation of GUIDs in templates.

* The Details Panel has been renamed to Info Pane in the English user interface, to avoid confusion with Details mode.

* In the original v15.4 version, the skin color percentage was initialized with 0%, and the column widths could not easily be changed in the Directory Browser Options dialog. This was all fixed with v15.4 SR-1.

* Improved ability to recognize dummy partitions defined in MBRs on Apple style GPT-partitioned disks as such. (since v15.4 SR-2)

* It is now optionally possible to apply *any* kind of filter to directories, too. Previously that was possible for the Name filter only. Useful for example for timestamp filters or Attribute filters. See Directory Browser Options. (since v15.4 SR-2)

* The filename filter now optionally supports GREP syntax. The conventional notation to find files whose names contain the word "invoice" for example was *invoice*. With the GREP option enabled you just search for "invoice". (since v15.4 SR-2)

* New option +29 in investigator.ini that prevents the menu command "Replace with new image" from appearing in X-Ways Investigator. (since v15.4 SR-2)

* Back and Forward buttons added to toolbar in X-Ways Investigator. (since v15.4 SR-2)

* Ability to show the history of 10 last authors and file paths in MS Word documents in some rare cases where previously it couldn't. (since v15.4 SR-2)

* Support for sector numbers larger than 2^32 in Tools | Disk Tools | Clone Disk. (since v15.4 SR-2)

* The skin color percentage filter did not work in v15.4 up to SR-1. This was fixed with v15.4 SR-2.

* The edit box for search terms in Simultaneous Search now by default allows to enter 100,000 characters instead of about 30,000. When search terms are loaded from a text file, there is no fixed limit. (since v15.4 SR-2)

* Fixed occasional unavailability of menu command "Save hit permanently" (for index search hits). (since v15.4 SR-2)

* Avoided exception error that could occur in v15.4 up to SR-1 when attaching external files to a volume snapshot. (since v15.4 SR-2)

* Fixed new search hit count for search hits listed in the case root window. (since v15.4 SR-2)

* Fixed an error that could render an index incomplete if substrings were indexed, words in the exception list were longer than the maximum word length being indexed, and the index was optimized. It did not occur with default settings. (since v15.4 SR-3)

* Fixed an exception error that could occur under certain circumstances when running an index search. (since v15.4 SR-3)

* Improved certain aspects of directory browser navigation and gallery handling. (since v15.4 SR-3)

* Lifted limitation to a search term length of 50 bytes in Simultaneous Search for some more settings. (since v15.4 SR-3)

* The Recover/Copy command did not apply the original time-stamps for files from within archives in v15.4 up to SR-3. This was fixed with SR-4.

* When in the process of filling an evidence file container with selected files in multiple steps, if you open and interpret the container or add it to the case to take a look at what files you had already included in the container, you may now keep that window open and simply take a new volume snapshot at any time to see the current contents of the container after adding more files. (since v15.4 SR-4)

* When exporting the contents of the metadata column as a tab-delimited ASCII or Unicode text file, line breaks are now replaced with semicolons instead of spaces, so that the data can be better parsed automatically. (since v15.4 SR-4)

* Fixed an error in metadata extraction from QuickTime files. (since v15.4 SR-4)

* Fixed an avoidable sector read error that could occur when real sector read errors occurred in the Clone Disk functionality. (since v15.4 SR-4)

* Now supports both deletion and internal creation time-stamps for files in evidence file containers at the same time. (since v15.4 SR-4)

* A new command was added to the case menu that allows to conveniently open previously saved reports and display them in the associated or specified application. (since v15.4 SR-5)

* When identifying duplicate files based on hash value, and one of the files has been marked as already viewed, then the duplicates can optionally be marked as already viewed, too. Similarly, if files have already been marked as having duplicates and their hash values are available, then when they are viewed, duplicates within the same volume will be marked as already viewed at the same time. (since v15.4 SR-5)

* The crash-safe text decoding mechanism that was introduced with v15.3 is now optional (see Options | Viewer Programs) as it is slower than the earlier method. Once the results are buffered in the volume snapshot, there is no speed difference any more. (since v15.4 SR-5)

* .eml files are no longer decoded for logical searches and indexing when searching for/indexing 7-bit ASCII characters only anyway. In this case searching in/indexing .eml files in their natural state should be good enough. This saves time (especially with the crash-safe decoding mechanism) and reduces the number of duplicate search hits. (since v15.4 SR-5)

* When storing a hash value along with files that are copied into an evidence file container, that hash value is not re-computed any more if it's already available from the volume snapshot. (since v15.4 SR-5)

* When in a dialog window for any column-based filter you don't activate a deactivated filter, the directory browser is not unnecessarily filled from scratch any more when closing the dialog, so that you don't have to wait if sorting is slow and so that you don't lose selection and scroll position. (since v15.4 SR-5)

* Search hits found when not working with a case are stored in the Position Manager. They are now no longer kept automatically when closing WinHex, but deleted, except those that have been edited using the context menu. (since v15.4 SR-5)

* The legacy option to use the picture viewing library from v13.6 has been removed. (since v15.4 SR-5)

* If a Simultaneous Search is run with search terms A and B, where B is a substring of A, then if a search hit can be counted as a hit for both A and B, it will now be counted as a hit for both. In earlier versions it was counted as 1 hit only, for the search term that was specified first. (since v15.4 SR-6)

Example: In "Peter Peterson" you will now get 2 hits for "Peter" and 1 hit for "Peterson". In earlier versions you would have received either 1 hit for "Peter" and 1 for "Peterson" or 2 hits for "Peter", depending on your preference.

If you don't want to get both a hit for "Peter" and a hit for "Peterson" in the text "Peterson", you can still use the search hit list's context menu command "Delete duplicate hits in list". This command will give priority to longer hits, i.e. keep "Peterson" and discard the hit for "Peter".
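As an added illustration of the hit-counting change described above (this is not X-Ways code; the sample text and search terms are constructed), the following Python reproduces the new counting, the legacy first-term-wins counting, and the "longer hit wins" de-duplication:

```python
"""Search hit counting for overlapping search terms.

Added example, not X-Ways code. Models the v15.4 SR-6 behaviour (a
position that matches both a term and a substring of it counts as a hit
for both), the legacy behaviour (only the term specified first gets the
hit) and the "Delete duplicate hits in list" rule (longer hit wins)."""
from dataclasses import dataclass

# Constructed sample input, taken from the newsletter's own example.
SAMPLE_TEXT = "Peter Peterson"
SAMPLE_TERMS = ["Peter", "Peterson"]


@dataclass(frozen=True)
class Hit:
    term: str
    offset: int            # character offset of the hit in the text

    @property
    def end(self):
        return self.offset + len(self.term)

    def overlaps(self, other):
        return self.offset < other.end and other.offset < self.end


def find_hits(text, terms, legacy=False):
    """Return every occurrence of every term as a Hit.

    With legacy=True, an offset already claimed by a term that was
    specified earlier is not counted again for a later term (the
    pre-SR-6 behaviour, which depends on the order of the terms)."""
    hits = []
    claimed = set()
    for term in terms:                     # order as specified by the user
        start = 0
        while True:
            pos = text.find(term, start)
            if pos == -1:
                break
            start = pos + 1                # allow overlapping occurrences
            if legacy and pos in claimed:
                continue
            claimed.add(pos)
            hits.append(Hit(term, pos))
    return sorted(hits, key=lambda h: (h.offset, -len(h.term)))


def hit_counts(hits):
    """Per-term hit counts, as shown in the search term list."""
    counts = {}
    for h in hits:
        counts[h.term] = counts.get(h.term, 0) + 1
    return counts


def delete_duplicate_hits(hits):
    """Mirror "Delete duplicate hits in list": among hits that overlap in
    the text keep only the longest one, so "Peterson" survives and the
    "Peter" hit at the same position is discarded."""
    kept = []
    for h in sorted(hits, key=lambda h: (-len(h.term), h.offset)):
        if not any(h.overlaps(k) for k in kept):
            kept.append(h)
    return sorted(kept, key=lambda h: h.offset)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_TEXT, SAMPLE_TERMS)
    print("new counting:   ", hit_counts(hits))
    print("legacy counting:", hit_counts(find_hits(SAMPLE_TEXT, SAMPLE_TERMS, legacy=True)))
    print("after dedup:    ", [(h.term, h.offset) for h in delete_duplicate_hits(hits)])
```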

* Fixed the functionality that saves index search hits permanently. (since v15.4 SR-6)

* Searching in indexes of multiple evidence objects at a time from the case root window did not work correctly for some recent service releases. This was fixed with v15.4 SR-6.

* When hiding duplicates in the directory browser based on hash values, priority is now given to non-carved files, i.e. when in doubt, carved files are hidden and their equivalents with file system metadata are retained. (since v15.4 SR-6)

* It is now possible to start the volume snapshot refinement for selected evidence objects from the case root window. (since v15.4 SR-6)

* Better support for carving Nikon NEF and Canon CR2 raw files as part of the TIFF file type signature definition. Ability to automatically distinguish between these subtypes and detect the file size. (since v15.4 SR-7)

* TIFF metadata extraction revised. (since v15.4 SR-7)

* MS Office 2007, MS Office 2010, OpenOffice 3 metadata extraction revised. The typical fields such as Company, Author and Title now have the same names as in earlier Office versions, which makes it easier to filter by them. (since v15.4 SR-7)

* The search hits produced by physical searches run on physical media or images of physical media that are associated with a case as evidence objects are now also shown in search hit lists and not in the global Position Manager. (since v15.4 SR-7)

* An error that occurred under certain circumstances during a search, related to the message "Unable to record a search hit" or in earlier versions "Internal search term list inconsistent", was fixed. (since v15.4 SR-7)

* The German letter "ß" will not be considered equivalent to "ss" any more for searches that populate the search term list and the search hit list. (since v15.4 SR-7)

* Fixed an error with SR-7 that could occur in v15.4 SR-6 when hiding duplicates in the directory browser based on hash values in the case root window.

* An error was fixed with SR-8 that in v15.4 SR-7 prevented the inclusion of hash values of some files in the volume snapshot.

* It is now possible to open volumes mounted as drive letters even if they are not formatted with a valid file system. (since v15.4 SR-8)

* The backspace key on the keyboard as a shortcut to navigate to a file's parent object now works in the gallery, too. That is useful for example if you look at video stills in the gallery and want to play the video that a certain still belongs to. Remember that when finished you can click the Back button in the toolbar to return to the previous list of stills. (since v15.4 SR-8)

* Ability to find multiple sessions on images of CDs in some cases where previously only the first session was found. (since v15.4 SR-8)

* Fixed an exception error with SR-8 that occurred in v15.4 SR-7 when extracting metadata without extracting internal creation timestamps at the same time.

* Now accepts lower case hex digits in record length indicator in Intel Hex files when converting them to binary. (since v15.4 SR-9)
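An added example, not X-Ways code, of converting Intel HEX records to binary the way a converter must in order to accept the lower-case byte count mentioned in the item above; the sample records are constructed and every checksum is verified:

```python
"""Intel HEX to binary conversion with a case-insensitive record parser.

Added example, not X-Ways code. Intel HEX records look like
:LLAAAATT<data>CC (byte count, address, record type, data, checksum);
the hex digits may be upper or lower case, so a converter that only
recognises '0'-'9' and 'A'-'F' in the length field rejects valid files."""

# Constructed sample: the second record uses a lower-case byte count ("0a")
# and lower-case data digits; the last record is the end-of-file record.
SAMPLE_HEX = """\
:04000000DEADBEEFC4
:0a00100000010203040506070809b9
:00000001FF
"""

DATA, EOF, EXT_SEGMENT, EXT_LINEAR = 0x00, 0x01, 0x02, 0x04


def parse_intel_hex(text):
    """Return a list of (absolute_address, bytes) chunks from Intel HEX text.

    bytes.fromhex() decodes either letter case, and the checksum (the
    two's complement of the sum of all preceding bytes) is verified."""
    chunks = []
    base = 0                                   # set by type 02/04 records
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # ':' plus at least count+address+type+checksum = 10 hex digits
        if not line.startswith(":") or len(line) < 11 or len(line) % 2 == 0:
            raise ValueError("line %d: malformed record" % lineno)
        try:
            raw = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError("line %d: non-hex digit in record" % lineno)
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:-1]
        if len(data) != count:
            raise ValueError("line %d: byte count %d but %d data bytes"
                             % (lineno, count, len(data)))
        if sum(raw) & 0xFF:                    # all bytes incl. checksum sum to 0
            raise ValueError("line %d: checksum mismatch" % lineno)
        if rtype == DATA:
            chunks.append((base + addr, bytes(data)))
        elif rtype == EOF:
            return chunks
        elif rtype == EXT_SEGMENT:
            base = int.from_bytes(data, "big") << 4
        elif rtype == EXT_LINEAR:
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError("line %d: unsupported record type %02X" % (lineno, rtype))
    raise ValueError("missing end-of-file record")


def to_binary(chunks, fill=0xFF):
    """Lay the chunks out in a flat image starting at address 0; gaps are
    padded with the fill byte (0xFF, the erased state of flash memory)."""
    if not chunks:
        return b""
    image = bytearray([fill]) * max(a + len(d) for a, d in chunks)
    for addr, data in chunks:
        image[addr:addr + len(data)] = data
    return bytes(image)


def intel_hex_to_binary(text, fill=0xFF):
    return to_binary(parse_intel_hex(text), fill)


if __name__ == "__main__":
    print(intel_hex_to_binary(SAMPLE_HEX).hex())
```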

* Ability to extract JPEG and PNG files from Firefox _CACHE_ container files. (since v15.4 SR-9)

* Fixed path errors that occurred when opening a case file using a command line parameter without path. (since v15.4 SR-9)

* Fixed an error that caused X-Ways Forensics to not extract e-mail messages from valid e-mail archives in certain situations. This was accompanied by the "No e-mail found" message. (since v15.4 SR-9)

* More stable when processing corrupt (e.g. carved) AOL PFC e-mail archives. (since v15.4 SR-9)

* Avoids an error message when using the case root window in more than one session simultaneously. (since v15.4 SR-10)

* Shows permissions for files stored in an NTFS file system even in the case root window. (since v15.4 SR-10)

* Exception error fixed with SR-10 that in SR-9 could occur when processing certain AOL PFC e-mail archives.

* Fixed "...is not a valid integer value" error that could occur when extracting e-mail from e-mail archives in SR-9.

* Fixed an error in the GREP search engine. (since v15.4 SR-10)

* Fixed an exception error that could occur when including the contents of encrypted archives in the volume snapshot. (since v15.4 SR-10)

* Individual "File Type Categories.txt" file for each user of a shared installation of X-Ways Forensics/X-Ways Investigator, so that individual file type filter settings are remembered. Depends on whether a user-specific .cfg file is used also, or only one generic WinHex.cfg file. (since v15.4 SR-11)

* When focussing on e-mail messages using e.g. an Attribute filter and selecting e-mail messages that have attachments as child objects for the Recover/Copy command, the attachments were not copied even when [x] "Copy child objects of selected files" was checked, because the filter for e-mail messages did not let any other kinds of files through. This is probably undesirable in most situations, so the behavior was changed in such a way that filters now do not have any effect on the Recover/Copy command any more, and also no effect any more on the command that adds files to an evidence file container. (since v15.4 SR-11)

* Fixed freeze problem that could occur with the new 8.3.2 version of the viewer component in Preview mode in search hit lists. (since v15.4 SR-11)

* Avoids an error message about being unable to apply original timestamps to recovered/copied files that were carved within FAT partitions. (since v15.4 SR-11)

* Fixed an error that caused Unicode search hits in the Position Manager to be recorded with a description that was off by 1 character. (since v15.4 SR-11)

* Fixed an error that could cause a path recreation error in the Recover/Copy command of the non-forensic edition of WinHex under certain circumstances. (since v15.4 SR-11)

* Fixed an error with SR-11 that in certain situations within large files could make a search hit be listed once for every search term instead of just for one in v15.4 SR-6 through SR-10.

* Fixed read error in SR-11 that occurred when scanning e-mail attachments for embedded pictures. (since v15.4 SR-12)

* Fixed an exception error that could occur when processing certain MP3 files. (since v15.4 SR-12)

* Fixed an error that prevented usage of a new output drive when running out of space during indexing. (since v15.4 SR-12)

* Better handling of circular links in deleted directory entries in Ext file systems. (since v15.4 SR-12)

* MANY other minor improvements.


#115: WinHex, X-Ways Forensics and X-Ways Investigator 15.4 released

July 31, 2010

This mailing is to announce a major update, v15.4.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


UPCOMING X-WAYS FORENSICS & FILE SYSTEMS CLASSES
Washington DC https://www.x-ways.net/training/washington_dc.html Sep 17+18
London https://www.x-ways.net/training/london.html Sep 23-25
Hong Kong https://www.x-ways.net/training/hong_kong.html Nov 9-11
For more information: https://www.x-ways.net/training/



* Considerably reduced main memory requirements for large volume snapshots (i.e. snapshots of volumes with a lot of files), allowing to open and analyze volumes with many more million files than in earlier versions (roughly 100% more) with the same amount of available main memory. Please note that the volume snapshot format has changed, so that earlier versions cannot open volume snapshots saved by v15.4 and later!

* The Back and Forward commands in the Position menu and the Back and Forward buttons in the toolbar now allow to conveniently go back to a certain directory browser setting. This takes into account: explored path, recursive or non-recursive, sort criteria, on/off state of all filters, settings of some of the filters, some directory browser options. The Back and Forward commands also allow to activate the previously active data window again when switching between windows (does not work for viewer windows yet). Forensic license only.

* The filters have been given some "intelligence" when navigating from a parent file to a child file or vice-versa, so that the filters "know" when it's a good time to be turned off. Forensic license only. For example:
- If you are using a filter to focus on all extracted e-mail messages recursively, and then you double-click an individual e-mail message to have a look at its attachments in the directory browser, the filter is automatically deactivated, so that you can actually see these attachments. A simple click on the Back button returns to the previous point of exploration and restores the previous filter settings and the last selection, so that you can easily continue reviewing the next e-mail message!
- If you are using a filter to focus on videos or documents, and then you double-click a video or a document to see the video stills exported for that video or the embedded pictures in that document, respectively, the filter is automatically deactivated, too.
- When you are viewing video stills only, in a gallery, and you use the Backspace key or "Find parent object" menu command to navigate to the video that this still belongs to (e.g. in order to play that video), then any active filters will be turned off so that the video can actually be listed. A simple click on the Back button returns to the previous overview of stills, enables the previous filters again, and restores the last selected item, so that you can easily continue with the next still!
- This works analogously when systematically looking at e-mail attachments, if occasionally for relevant attachments you would like to view the containing e-mail message (and e.g. print it or include it in a report) and then return to the list of attachments.
These two new features combined, intelligent filters on the one hand and back/forward navigation in the directory browser on the other hand, are expected to further improve the usability of the software tremendously.

* It is now possible to explore directories and files with child objects listed in the case root window, e.g. by double-clicking them. For that, the data window will automatically be activated that represents the evidence object that contains the directory or file. With the Back command you can conveniently return to the case root window.

* It's now possible to see and copy the hit counts for selected search terms in the search term list. These hit counts are based on the current settings for the search hit list that is on the screen, take all filters into account, the explored path, any active AND combination etc. Forensic license only.

* It is now possible to search for more than 1 search term at a time in an index search. It is now also possible to control the substring and word extension options for index searches run from within the case root window. Forensic license only.

* Even more deleted files can now typically be found on NTFS volumes and included in the refined volume snapshot when running the particularly thorough file system data structure search. These deleted files can be listed with filenames, paths, timestamps etc. Forensic license only.

* Often X-Ways Forensics can now also retrieve a true deletion timestamp for previously existing files during the particularly thorough file system data structure search on NTFS volumes. Even more deletion timestamps can be found when viewing/previewing $UsnJrnl:$J. This is a very unique feature. Forensic license only. Please don't confuse it with so-called deletion timestamps that other forensic tools may show you on NTFS volumes, for files that have not even been deleted from the file system.

* Option to exclude deleted files from volume snapshots when they are taken. Useful if you are not interested in or not supposed to look at deleted files.

* Option to exclude the time-consuming search for FILE records outside of the $MFT from the particularly thorough data structure search in NTFS.

* Improved StreamMRU decoding for the registry report to reveal folders on removable media.

* Improved detection of the sector size and different Apple partition table layouts in CD/DVD raw images.

* Support for HFS+ volumes on optical discs or in images with a sector size of 2048 bytes. Forensic license only.

* Ability to change the attributes "temporary" and "not indexed" of a file in File | Properties, using the letters T and X, respectively.

* More of the .dir files in which volume snapshots are stored, .xfi index files, and images created by v15.4 will not be indexed any more by Windows if indexing is enabled, to save time and drive space.

* Several minor improvements.

* Toggling decimal and hexadecimal offsets by clicking the offset column stopped working in certain situations in v15.2 and v15.3. This was fixed.

* An infinite loop is now prevented that could occur when creating an index and writing the index on a remote network drive failed.

* If in the midst of an ongoing Case Save As operation the auto-save interval of that case elapsed, this interrupted the Save As operation with error messages. That was fixed.

* When the same file is added to the same evidence file container again, and if the version of the file in the container includes metadata only, because it was copied indirectly and only to replicate the path of one of its child objects, and when the same file is to be added again specifically along with its contents, then the new version of the file (with contents) will now replace the old version of the file (without contents). Previously, the file would not have been copied again. (since v15.3 SR-1)

* If multiple search terms were used in the original 15.3 version in Simultaneous Search with the GREP option enabled, only the first one was actually searched for. This was fixed with v15.3 SR-1.

* More user account information is extracted from the SAM registry hive as part of the Windows registry report. (since v15.3 SR-1)

* The Convert script command now supports the parameters "hiberfil Binary" for automated hiberfil.sys decompression. (since v15.3 SR-1)

* More thorough check for file systems in partitions defined by conventional Apple partition maps. (since v15.3 SR-1)

* More information in the Messages window, when refining the volume snapshots of several evidence objects, about which evidence object is currently being processed. (since v15.3 SR-2)

* A common situation when refining the volume snapshot is that files in carved zip archives cannot be opened because the zip archive is incomplete or corrupted. In that case the number of error messages that is output in the messages window is greatly reduced, the affected files are marked as "File contents unknown" in the Attribute column, and no more attempts are made to open such files, which should accelerate the volume snapshot refinement and result in better stability. (since v15.3 SR-2)

* The NTFS flag for "not indexed" is now output in the Attr. column. (since v15.3 SR-2)

* More information in preview of $UsnJrnl:$J. (since v15.3 SR-2)

* The registry report now extracts disk signatures and partition start sectors from MountedDevices values. (since v15.3 SR-2)

* A virtual loss of search hits could occur in certain special situations. This was related to the new storage method of search hits in v15.3, and it is now prevented. Search hits "lost" because of this error are recovered by v15.3 SR-3 if no new search has been run in the same evidence object. (since v15.3 SR-3)

* Search hits in the decoded version of PDF/HTML/... files could previously be displayed with incorrect contents in v15.3, depending on the sort criterion. This was fixed. (since v15.3 SR-3)

* Opening large NTFS volumes is now much faster. (since v15.3 SR-3)

* The tab labels of windows that represent interpreted images and partitions on images are now shorter, so that more tabs fit on the screen. The partition numbers remain visible in the tabs even if the image name is long. (since v15.3 SR-3)

* Fixed the details panel's display of the RAID component and relative sector number of internally reconstructed RAIDs of level 0. It worked for RAID 5 before only. (since v15.3 SR-3)

* The case is now saved again immediately after a search is completed or aborted, so that search results are not lost if the program crashes or freezes before the case is saved next time after that. (since v15.3 SR-4)

* Ability to recover/copy files with their paths if part of the path is a directory whose name consists only of a single dot. Useful for files associated with traces of old NTFS root directories. Just the dot is considered an illegal name by Windows, hence "." is now renamed to "_". (since v15.3 SR-4)

* Avoids that our company name will be used in e-mail extracted from Outlook "Sent Items" as a substitute for a missing original X-Mailer line. (since v15.3 SR-4)

* Fixed inability to open case report after its creation when the filename specified by the user lacked the .html extension. (since v15.3 SR-4) 


#114: WinHex, X-Ways Forensics and X-Ways Investigator 15.3 released

May 11, 2009

This mailing is to announce a noteworthy update, v15.3.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


Los Angeles, June 10-12 https://www.x-ways.net/training/los_angeles.html
Seattle, June 15-17 https://www.x-ways.net/training/seattle.html
For more information: https://www.x-ways.net/training/
A second training date in Seattle might be scheduled soon.


A new version of the viewer component is now available for
download to licensed owners of X-Ways Forensics with update
maintenance. Changes include:

* Open Office 2.x / Star Office 8.0 Calc enhancements
* MS Office 2007 chart support (most chart types)
* support for AutoCAD 2007
* enhancement of AutoCAD 2005 & 2006 beyond text only
* JPEG2000 support extended
* other improvements and presumably error corrections



* The index optimization step was reworked. It can now use a user-defined number of processor cores simultaneously and a user-defined amount of main memory per process, optimize faster and more thoroughly and better utilize memory.

* Improved memory handling for search hits. Search hits no longer require additional memory when loading or saving the case; memory for search hits is now needed only while the evidence object is open (as was already the case for volume snapshots). The main-memory-imposed limit on the number of search hits in one evidence object was raised slightly (several tens of millions of search hits are now possible). Search hits saved by v15.3 can no longer be loaded by older versions.

* The menu items for simultaneous search and the index searches have been moved to the top of the menu (for license types in which they are available), since they are the most important ones in the Search menu.

* Decoding the text in PDF, HTML, and various other documents for the logical search and for indexing can no longer cause the program to freeze or crash if the viewer component has problems processing the file e.g. because the file is corrupt.

* When attempting to view or preview, with the viewer component, a file that is known to cause crashes, you are asked whether you are really sure you would like to view the file.

* The Raw option of Preview mode is now automatically disabled when viewing a file of a different type. Too many users forgot about it after having viewed e-mail, HTML or XML files in Raw mode (where it makes sense) and continued using it for other file types as well, thereby missing a faithful representation of important document types.

* Detects if hash database is in use, to avoid conflicts when updating it.

* The integrity test of the hash database can now be aborted.

* When you add an excerpt from a file to the volume snapshot as a virtual file (select a block in File mode and use the Edit menu for that), the resulting file is now marked as "excerpt" in the Attr. column and is filterable like this.

* In main memory (local live main memory or memory dumps), Windows kernel data structures and named objects are now conveniently listed in a tree in the volume snapshot. Other objects will be listed per process in the handle table.

* Loaded modules are now listed as well, in a virtual directory named "Modules". That enables X-Ways Forensics to allocate their memory pages in RAM mode to them and to compute hashes for them, so that they can be identified via special hash sets in which, optionally and ideally, only their invariable headers are hashed.

* Various other improvements in main memory analysis, better support for 64-bit Windows versions, and generally more robust now.

* The file "File Type Signatures Memory Search.txt" extends the file header signature search and is now downloadable from https://www.x-ways.net/winhex/templates/File%20Type%20Signatures%20Memory%20Search.txt . It contains signature definitions for TCP, ADR, UDP, ICMP, and IGMP packets, is applicable only to memory dumps, and its signatures must be searched byte-aligned (a packet header may start at any byte offset in RAM).
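
To illustrate what such a byte-aligned packet signature search does on a memory dump, here is an added example written for this page (not X-Ways' signature file or code): it tries every byte offset of a buffer as a candidate IPv4 header, keeps only candidates whose header checksum verifies, and pulls out the transport-layer fields for the TCP, UDP and ICMP cases. The sample "memory dump" is constructed inline (pseudo-random filler with two packets embedded at known offsets); the protocol set, field names and sample addresses are my own choices.

```python
import random
import struct

# IP protocol numbers that the carver recognises.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over the 16-bit words of an IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(buf: bytes, off: int):
    """Interpret buf[off:] as an IPv4 header; return a dict or None.
    The header checksum is what keeps random bytes from becoming false
    positives: roughly a 1/65536 chance per otherwise plausible offset."""
    if off + 20 > len(buf) or buf[off] >> 4 != 4:
        return None
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or off + ihl > len(buf):
        return None
    total_len = struct.unpack_from("!H", buf, off + 2)[0]
    proto = buf[off + 9]
    if total_len < ihl or proto not in PROTO_NAMES:
        return None
    if ip_checksum(buf[off:off + ihl]) != 0:
        return None
    pkt = {
        "offset": off,
        "proto": PROTO_NAMES[proto],
        "src": ".".join(map(str, buf[off + 12:off + 16])),
        "dst": ".".join(map(str, buf[off + 16:off + 20])),
        "total_len": total_len,
    }
    body = buf[off + ihl:off + total_len]   # may be truncated if only part of the page was resident
    if proto in (6, 17) and len(body) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", body)
    elif proto == 1 and len(body) >= 2:
        pkt["icmp_type"], pkt["icmp_code"] = body[0], body[1]
    return pkt


def carve_packets(buf: bytes) -> list:
    """Byte-aligned scan: every offset is a candidate, since packets in RAM
    are neither sector- nor page-aligned."""
    return [pkt for pkt in (parse_ipv4(buf, off) for off in range(len(buf))) if pkt]


def build_ipv4(proto: int, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 packet with a correct header checksum (test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def sample_dump() -> bytes:
    """Constructed 'memory dump': pseudo-random filler with a TCP SYN at offset 300
    and a DNS query at offset 463. Not a real capture."""
    rng = random.Random(7)
    filler = lambda n: bytes(rng.randrange(256) for _ in range(n))
    tcp_syn = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)
    tcp = build_ipv4(6, bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]), tcp_syn)
    dns = struct.pack("!HHHH", 53412, 53, 8 + 5, 0) + b"query"
    udp = build_ipv4(17, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), dns)
    return filler(300) + tcp + filler(123) + udp + filler(200)


if __name__ == "__main__":
    for p in carve_packets(sample_dump()):
        print(p)
```

The checksum gate is the part worth copying: a version nibble and a plausible protocol number alone match far too often in a few gigabytes of RAM, and the transport ports are only meaningful once the header itself is trusted.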

* 4 additional data types have been added to the Data Interpreter: SID (security identifiers), IP addresses, packed 7-bit ASCII strings, and unsigned 48-bit integers. IP addresses and unsigned 48-bit integers are also available in templates, and the variable type is called "IP". They are both helpful for manual 64-bit main memory analysis.
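
The four new Data Interpreter types, as an added example that decodes each of them from raw bytes (this is illustration code written for this page, not the Data Interpreter's own implementation): a binary Windows SID (whose identifier authority is itself a 48-bit big-endian integer), an IPv4 address, an unsigned 48-bit integer with selectable byte order, and packed 7-bit ASCII in the LSB-first septet layout used by GSM SMS PDUs. The sample SIDs and the "hellohello" test string are constructed; the assumption that "packed 7-bit ASCII" means the GSM packing is mine.

```python
import struct


def decode_u48(raw: bytes, byteorder: str = "little") -> int:
    """Unsigned 48-bit integer. Little-endian is the usual x86 in-memory form; the SID
    authority below is the big-endian exception. x86-64 uses 48-bit virtual addresses,
    which is one reason this width is convenient in 64-bit memory analysis."""
    if len(raw) < 6:
        raise ValueError("need 6 bytes")
    return int.from_bytes(raw[:6], byteorder)


def decode_sid(raw: bytes) -> str:
    """Binary Windows security identifier -> textual 'S-1-...' form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (48-bit big-endian), then count x 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID needs at least 8 bytes")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) < 8 + 4 * count:
        raise ValueError("not a well-formed SID")
    authority = decode_u48(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_rid(raw: bytes) -> int:
    """The last sub-authority, the relative identifier (RID), e.g. 500 = built-in Administrator."""
    return int(decode_sid(raw).rsplit("-", 1)[1])


def decode_ipv4(raw: bytes) -> str:
    """Four bytes in network order -> dotted quad."""
    if len(raw) < 4:
        raise ValueError("need 4 bytes")
    return ".".join(str(b) for b in raw[:4])


def unpack_7bit(raw: bytes, count: int = None) -> str:
    """Packed 7-bit ASCII (GSM SMS style): septets packed LSB-first across byte boundaries.
    Pass 'count' when the septet count is known: 7 bytes hold 8 septets, and a trailing
    all-zero septet is otherwise indistinguishable from padding."""
    bits = int.from_bytes(raw, "little")
    if count is None:
        count = len(raw) * 8 // 7
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))


def pack_7bit(text: str) -> bytes:
    """Inverse of unpack_7bit, included to build test data."""
    bits = 0
    for i, ch in enumerate(text):
        if ord(ch) > 0x7F:
            raise ValueError("not 7-bit ASCII: %r" % ch)
        bits |= ord(ch) << (7 * i)
    return bits.to_bytes((len(text) * 7 + 7) // 8, "little")


if __name__ == "__main__":
    admins = bytes.fromhex("01020000000000052000000020020000")   # S-1-5-32-544, constructed
    print(decode_sid(admins), sid_rid(admins))
    print(decode_ipv4(b"\xc0\xa8\x00\x01"))
    print(unpack_7bit(bytes.fromhex("e8329bfd4697d9ec37"), 10))
```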

* 4 additional hash types have been added: RipeMD-128, RipeMD-160, MD4, and (specialist or forensic license only) ed2k. ed2k is based on MD4 and used in file sharing programs.

* The case report can now optionally be split into multiple HTML files if too many pictures are to be included (hundreds or thousands), which would otherwise give Internet browsers or other programs a headache when loading the HTML file.

* It is now possible to output the report for selected evidence objects only, not simply for all evidence objects, via an additional checkbox in the report options dialog. (forensic license only)

* Clickable links to attachments in e-mails in Preview mode now work in some very rare cases where they previously didn't.

* A new filter has been introduced that allows you to focus on files that have already been viewed by the examiner, or on those that have not been viewed yet. See Directory Browser Options. (forensic license only)

* Some options from the Security Options and the Directory Browser Options that affect the creation of volume snapshots have been moved to a separate dialog box that you can access via a button in the Directory Browser Options.

* A new volume snapshot option is now available that causes deleted partitions to pass on their deleted state to everything that they contain (files, directories, ...), and deleted e-mail archives to pass on their deleted state to all the e-mails, directories and attachments that they contain. This may seem logical, but results in a loss of information (*everything* is listed as deleted). By default, X-Ways Forensics still distinguishes between existing and deleted files and e-mails etc. even in deleted partitions/deleted e-mail archives, as in earlier versions, so that more information is retained.

* Via two other new volume snapshot options you can indicate whether you are interested in earlier names and locations of renamed/moved files in NTFS and whether you are interested in getting files listed for which only filename, size, time-stamps and attributes (but no data) are known. By default, such files are listed, as in earlier versions. (specialist or forensic license only)

* zip.exe was updated with a version that supports larger zip files. That program is used for archiving cases.

* Several minor improvements.

* Fixed an exception error that could occur when taking volume snapshots. (since v15.2 SR-1)

* Metadata is now extracted from carved TCP, UDP, ICMP packet "files". (since v15.2 SR-2)

* A crash was prevented that occurred when X-Ways Forensics was processing zip archives with a very specific kind of corruption. (since v15.2 SR-2)

* Prevented an infinite loop that occurred in a very special situation when extracting e-mail. (since v15.2 SR-2)

* Errors were fixed that caused corruption in hash databases up to v15.2 SR-2.

* In some situations when importing a folder with hash sets, the hash sets were unintentionally merged. This was fixed with v15.2 SR-4.

* New template command "gotoex n" that allows to jump to an absolute offset on a disk or in a file or in memory, unlike the ordinary "goto" command which is based on the start of the structure where template interpretation starts. (since v15.2 SR-4)

* New template command "exit" that terminates interpretation of the template. (since v15.2 SR-4)

* An exception error was fixed that could occur in v15.2 when returning from a search hit list to the normal directory browser depending on the sort criteria in the search hit list. (since v15.2 SR-4)

* The Windows CD key is now decoded and output in plaintext when the Windows DigitalProductId is included in the registry report. (since v15.2 SR-4)
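
The decoding behind that feature, as an added example written for this page (not X-Ways' code): the DigitalProductId REG_BINARY value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion carries the product key as a 15-byte little-endian integer at offset 52, and the key's 25 characters are that integer's base-24 digits over the alphabet BCDFGHJKMPQRTVWXY2346789. This holds for Windows XP through Windows 7; Windows 8 and later changed the encoding and are not handled here. The sample value is synthesised by the inverse transform, so the key in the example is constructed, not a real key.

```python
import struct

KEY_CHARS = "BCDFGHJKMPQRTVWXY2346789"   # the 24-symbol alphabet of Windows product keys
KEY_OFFSET, KEY_LEN = 52, 15              # where the encoded key sits inside DigitalProductId


def decode_product_key(dpid: bytes) -> str:
    """DigitalProductId (XP .. 7) -> 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'.
    The 15 bytes at offset 52 form a little-endian integer; repeated long division by 24
    yields the key's digits from least to most significant."""
    if len(dpid) < KEY_OFFSET + KEY_LEN:
        raise ValueError("DigitalProductId too short (%d bytes)" % len(dpid))
    kb = list(dpid[KEY_OFFSET:KEY_OFFSET + KEY_LEN])
    digits = []
    for _ in range(25):
        r = 0
        for j in range(KEY_LEN - 1, -1, -1):
            r = (r << 8) | kb[j]
            kb[j], r = divmod(r, 24)
        digits.append(KEY_CHARS[r])
    key = "".join(reversed(digits))
    return "-".join(key[i:i + 5] for i in range(0, 25, 5))


def encode_product_key(key: str, total_len: int = 164) -> bytes:
    """Inverse transform, used here only to build a synthetic DigitalProductId for testing.
    A real value also carries the product ID string and other fields; they are zeroed here."""
    clean = key.replace("-", "").upper()
    if len(clean) != 25 or any(ch not in KEY_CHARS for ch in clean):
        raise ValueError("not a 25-character key over the product-key alphabet")
    n = 0
    for ch in clean:
        n = n * 24 + KEY_CHARS.index(ch)
    blob = bytearray(total_len)
    blob[0:4] = struct.pack("<I", total_len)                  # the real value starts with its length
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = n.to_bytes(KEY_LEN, "little")
    return bytes(blob)


if __name__ == "__main__":
    sample = encode_product_key("BCDFG-HJKMP-QRTVW-XY234-6789B")   # constructed, not a real key
    print(decode_product_key(sample))
```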

* Format error in registry report fixed. (since v15.2 SR-5)

* The path of the loaded registry hive is now (at least partially) displayed in the registry viewer's status bar. Useful for example if you load multiple ntuser.dat files from different images and user profiles at the same time. (since v15.2 SR-7)

* An asterisk at the end of a registry path in the registry report definition did not match all subkeys and values. This was fixed. (since v15.2 SR-9)

* When errors occur while filling an evidence file container, the filling is no longer aborted in certain situations, and a more specific error code is reported in some other situations. (since v15.2 SR-5)

* Fixed an error that could occur when copying files into a container from a non-recursive list. (since v15.2 SR-7)

* Newly created evidence file containers now remember the owner of files from NTFS file systems as the last part of the SID (the relative identifier, RID), no longer as the security identifier index. (since v15.2 SR-7)

* A new exception error that could occur when viewing externally opened files was fixed. (since v15.2 SR-6)

* The directory browser and Details mode now show both the translated username (if available) and the SID as the owner of files in NTFS file systems, not only one of them. (since v15.2 SR-7)

* An exception error was fixed that could occur when clicking directories in the directory tree. (since v15.2 SR-7)

* Fixed inability to read raw sectors from audio CDs. (since v15.2 SR-9)

* Avoids error that occurred when starting a Simultaneous Search with certain settings. (since v15.2 SR-10)

* Fixed a display refresh error that could occur under certain circumstances when navigating from one search hit to another in File mode. (since v15.2 SR-10)

* Avoidance of conflicts when invoking multiple instances of MPlayer simultaneously. (since v15.2 SR-10)

* The size of the buffer for the file mask for the extraction of embedded JPEG/PNG pictures was increased. (since v15.2 SR-10)

* Fixed misinterpretation of special GREP characters $ and ^ in keyword searches run without GREP syntax. (since v15.2 SR-11)

* Files that were virtually attached by the user to the root directory of a volume were ignored in some operations even when selected. This was fixed. (since v15.2 SR-11)

* Deals more gracefully with overlong paths and extremely high numbers of files when taking a volume snapshot of drives with no sector-level access (e.g. remote network drives). (since v15.2 SR-12)

* No longer freezes when taking a volume snapshot of certain very large DVDs. (since v15.2 SR-12)

* Improved compatibility with .e01 evidence files as produced by EnCase 6.13. (since v15.2 SR-12)

* Avoided "... is not a valid character" error message in inappropriate situations. (since v15.2 SR-12)

* Fixed an error that occurred in some situations when processing certain thumbs.db files. (since v15.2 SR-12)


#113: WinHex, X-Ways Forensics and X-Ways Investigator 15.2 released

Jan 15, 2009

This mailing is to announce a noteworthy update, v15.2.

WinHex evaluation version: https://www.x-ways.net/winhex.zip

Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to https://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.


DC area, Mar 16-20 https://www.x-ways.net/training/washington_dc.html
London, Mar 30-Apr 3 https://www.x-ways.net/training/london.html
For more information: https://www.x-ways.net/training/



* Main memory analysis. Requires a forensic license. This analysis is available for local RAM (opened via Tools | Open RAM) and for memory dumps. Supports the 32-bit versions of Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, and Windows 2008 Server.

Processes will be listed in the directory browser, with their timestamps and process IDs, and their own respective memory address spaces can be individually viewed in "Process" mode, with pages concatenated in correct logical order as seen by each process. The "particularly thorough data structure search" will take a little longer and may turn up traces of additional terminated processes as well as rootkits.

The Technical Details Report informs you of important system-wide parameters as well as of the current addresses of kernel data structures. In Details mode you can find the addresses of process-related data structures for each process, and the ID of its parent process. In RAM mode, the Details Panel shows for each memory page a process to which it is allocated (if any) and its memory management status.

* With the appropriate background knowledge, the new functionality can be used to learn more about the current state of the machine and its processes, sockets, open files, loaded drivers, and attached media, to identify malware, to find the decrypted version of otherwise encrypted data, to analyze network traces in incident response, and to do further research in the field of memory forensics.

* Memory can be acquired remotely with X-Ways Forensics in conjunction with F-Response 2.x since v15.1 SR-5 (Tools | Open Disk).

* If more than 1 GB of main memory is available, the optimization of an index now better utilizes that memory, which may result in a tremendous acceleration of this step for large indexes.

* There are now two checkboxes in the Index Search window. Checking the first one helps to find words within words (e.g. "wife" in "housewife"), which however is likely to be incomplete and slow if the index was not prepared for substring searches. The second one makes it optional to find word extensions (e.g. "houses" when searching for "house" and "skyscraper" when searching for "sky"). Finding word extensions was the default behavior in previous versions. Unchecking both boxes works like a "whole words only" option.

* Hash sets can now be classified by how important they are. This is useful because when matching hash values against the hash database, only one match is returned even if the same hash value is contained in multiple hash sets. Now you can make sure that in such a case the most relevant hash set is returned, for example a hash set that identifies CP pictures beyond doubt as opposed to hash sets from a different source that may contain the hash values of doubtful pictures. Also new: if there is more than one match, a "+" sign is displayed in the hash set column of the directory browser after the name of one of the matching hash sets.

* You may now use Unicode characters in hash set names.

* For reasons of convenience, WinHex and X-Ways Forensics now remember and restore the last selected item and other settings of the directory browser when reopening data windows and evidence objects. That makes it much easier to resume your work after a break or interruption when reviewing files.

* Evidence file containers created by the new version now also remember the hash category of a file and the skin color percentage.

* X-Ways Forensics can import SHA-1 hashes from .e01 evidence files as now optionally provided by EnCase 6.12. (Note that in X-Ways Forensics you were never ever implicitly forced to use MD5 hashes.)

* It is now possible to replace an evidence object with a new medium (drive letter or physical disk). Useful if you are working with original disks, not images, and the drive letter or disk number has changed.

* The graphics library was updated. Some issues with the display of pictures were fixed.

* Ability to interpret mode 1 ISO CD images with 2,352 bytes per sector, if not spanned (segmented).
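
What "interpreting" a 2,352-bytes-per-sector Mode 1 image involves, as an added example written for this page (not X-Ways' code): each raw sector is 12 bytes of sync, a 4-byte header (minute/second/frame in BCD plus the mode byte), 2,048 bytes of user data, a 4-byte EDC, 8 reserved bytes and 276 bytes of ECC. The code below validates the sync pattern, the mode byte and the EDC, and returns the 2,048-byte blocks an ISO-9660 parser expects. The sample image is built inline with the 276 ECC bytes left zero (a real disc carries P/Q parity there, which is not checked here); the EDC polynomial is the reflected CRC-32 0xD8018001 over bytes 0..2063.

```python
import struct

RAW_SECTOR, USER_DATA = 2352, 2048
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"


def edc(data: bytes) -> int:
    """CD-ROM error detection code: reflected CRC-32, polynomial 0xD8018001,
    zero initial value, no final XOR. For Mode 1 it covers sync + header + user data."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0xD8018001 if crc & 1 else 0)
    return crc


def _bcd(n: int) -> int:
    return ((n // 10) << 4) | (n % 10)


def build_mode1_sector(lba: int, user: bytes) -> bytes:
    """Wrap 2048 bytes as a raw Mode 1 sector (test data). MSF address = LBA + 150 frames.
    ECC bytes are left zero; only sync, header, data and EDC are realistic."""
    if len(user) != USER_DATA:
        raise ValueError("user data must be exactly 2048 bytes")
    frames = lba + 150
    header = bytes([_bcd(frames // 4500), _bcd(frames // 75 % 60), _bcd(frames % 75), 1])
    body = SYNC + header + user
    return body + struct.pack("<I", edc(body)) + bytes(8) + bytes(276)


def check_mode1_sector(sec: bytes) -> str:
    """'ok', or a short reason why this raw sector should not be trusted."""
    if len(sec) != RAW_SECTOR:
        return "wrong length"
    if sec[:12] != SYNC:
        return "bad sync"
    if sec[15] != 1:
        return "mode %d, not 1" % sec[15]
    if struct.unpack_from("<I", sec, 2064)[0] != edc(sec[:2064]):
        return "EDC mismatch"
    return "ok"


def split_mode1(raw: bytes, verify_edc: bool = True) -> list:
    """Return the 2048-byte user-data blocks of a 2352-bytes-per-sector Mode 1 image.
    On a partly readable disc the EDC check is the difference between trusting a
    block and flagging it; verify_edc=False lets you still extract flagged sectors."""
    if len(raw) % RAW_SECTOR:
        raise ValueError("image size is not a multiple of 2352")
    blocks = []
    for n in range(len(raw) // RAW_SECTOR):
        sec = raw[n * RAW_SECTOR:(n + 1) * RAW_SECTOR]
        status = check_mode1_sector(sec)
        if status != "ok" and not (status == "EDC mismatch" and not verify_edc):
            raise ValueError("sector %d: %s" % (n, status))
        blocks.append(sec[16:16 + USER_DATA])
    return blocks


if __name__ == "__main__":
    image = b"".join(build_mode1_sector(i, bytes([i]) * USER_DATA) for i in range(3))
    print(len(split_mode1(image)), "sectors extracted")
```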

* It is now possible to group existing and deleted files in different output directories when using the Recover/Copy command. Requires that you have X-Ways Forensics recreate the original path.

* Ability to recreate files whose original paths contain directory names with trailing spaces, which Windows does not allow, by removing such spaces.

* For internally reconstructed RAIDs, the number of the component disk from which the current sector (where the cursor is in) was read is now displayed in the Details Panel, along with the relative number that that sector has on that component disk.

* It is now possible to mark files as hidden even in a search hit list. Such files will actually be filtered out if you do not list hidden items when you click the Enter button in the search term list window to recompile the search hit list.

* When identifying and hiding duplicate files, previously it was possible that duplicate e-mails with attachments (e-mail/attachment pairs) were separated if the parent (e-mail message) of one pair and the child (attachment) of another pair were hidden. The algorithm was changed to improve the quality of the examination, and this undesirable situation is now avoided. Identical e-mail messages with different attachments (child objects) will be marked as duplicates, but no longer hidden. Identical attachments (child objects) will be marked as duplicates, but they will be hidden only indirectly if they are part of identical e-mail messages and those are hidden.

* After processing e-mail, X-Ways Forensics now shows attachments as child objects of e-mail messages instead of in a virtual "Attach" folder in some cases where this previously did not happen.

* Naming problem solved for e-mail messages that were extracted from .msg files which were attached to the volume snapshot as virtual files.

* It is now possible to attach all the files of an entire directory to the volume snapshot, not just individual files, if you hold the Ctrl key while invoking the directory browser menu command. Useful for example after having extracted thousands of .msg files from a .pst or .ost e-mail archive using the viewer component, to integrate them back into X-Ways Forensics for further processing.

* An error in the "Totally remove hidden items" function was fixed that existed since v14.8.

* The "Save As" command is now also available for disks (yet another way to create a raw image).

* Icons of hidden files are now displayed in gray instead of blue. Icons of notable files are now displayed in red instead of blue.

* When adding a file to a report table, it is now also possible to recursively add all its child objects to the same report table, not only direct children.

* Ability to view Unix/Linux wtmp and utmp log-in records.

* Recognizes the TFAT file system as such.

* When enabling the recommended data reduction for logical searches, files marked as moved/renamed are no longer searched, as the same data is searched when the file is processed in its new location/under its new name.

* Several minor improvements.

* There are now two interpretations of $LogFile in Preview mode and for the View command. The new interpretation gives an easy to understand overview of deleted files including deletion timestamps (unavailable before and another unique feature). In cases where the deletion timestamp is missing, the time frame in which the deletion occurred can be deduced manually. The old interpretation, a much more complete and detailed view of $LogFile, is still accessible if you enable Raw mode. (since v15.1 SR-1)

* An exception that could occur during an index search was fixed. (since v15.1 SR-1)

* Tagging files in a recursive view did not always have the correct effect on directories. This was fixed. (since v15.1 SR-1)

* A resource leak was fixed that had an effect when trying to extract e-mail from thousands of files. (since v15.1 SR-1)

* Moved or renamed files in NTFS volumes of which only index records are available and whose file size is unknown can now be seen in Gallery mode, too, not only in Preview mode. (Only if the new state of the file as defined by a FILE record allows it to be opened.) (since v15.1 SR-2)

* When e-mail from password-protected Outlook PST archives is to be extracted and the user does not react and agree to provide the password within 30 seconds, X-Ways Forensics will continue with the next file. (since v15.1 SR-2)

* Evidence file containers can now optionally be frozen when they are closed and enclosed in an .e01 file, such that they cannot be filled any further (even after being converted back to a raw image). Such containers are marked as read-only in the Technical Details Report. (since v15.1 SR-2)

* Ability to detect hybrids of RAR and JPEG or Bitmap files when extracting metadata and in Details mode. (since v15.1 SR-2)

* More information about RAR files in Details mode. (since v15.1 SR-2)

* Fixed registry viewer instability under Windows Vista. (since v15.1 SR-2)

* An instability error was fixed that could occur when decompressing certain hiberfil.sys files. (since v15.1 SR-2)

* Fixed an issue processing signed emails (x-pkcs7-signature) from Eudora. (since v15.1 SR-2)

* Improved conversion accuracy of certain kinds of emails stored in Office Outlook. (since v15.1 SR-2)

* Some other minor improvements and issues fixed in e-mail processing. (since v15.1 SR-2)

* An error no longer occurs that prevented the display of GIF pictures for the remainder of a session after one particular GIF picture was displayed. (since v15.1 SR-3)

* The Windows disk signature is now output as part of the Technical Details Report for hard disks. (since v15.1 SR-4)

* OpenOffice document zip files are now usually carved again with the correct file size. (since v15.1 SR-4)

* If, after matching hash values against a hash database, you load a different hash database without re-matching the hash values against it, references to hash sets in the old database are no longer considered valid by X-Ways Forensics, which avoids a wrong matching hash set being displayed in the hash set column. The hash category was always stored independently of the hash database. (since v15.1 SR-4)

* Progress indicator for Recover/Copy command fixed. (since v15.1 SR-4)

* Avoided two message boxes that required user interaction in very specific situations when refining the volume snapshot. (since v15.1 SR-4)

* Unchecking the "copy child objects of selected files" checkbox did not always have the intended effect. That was fixed. (since v15.1 SR-5)

* The $ GREP anchor did not work correctly for larger files. This was fixed. (since v15.1 SR-5)

* Inability of Edit | Modify Data to fully process large files was fixed. (since v15.1 SR-6)

* Some exception errors prevented. (since v15.1 SR-6)

* An error in the Recover/Copy command was fixed that could cause display errors in the progress indicator window and could cause it to not recover certain files (followed by an error message saying that the original timestamps or attributes could not be applied to the file because the file could not be found). (since v15.1 SR-7)

* Timestamp bias error in new $LogFile interpretation (not raw mode) fixed. (since v15.1 SR-7)

* Ability to apply the menu command Edit | Select All (not the keyboard shortcut) to windows of the viewer component. (since v15.1 SR-7)

* The Save As command for cases can now deal with overlong paths in the case subdirectories (up to 510 characters). (since v15.1 SR-8)

* Fixed an error that could cause an incorrect reconstruction pattern for internally reconstructed forward parity RAID 5 systems under certain circumstances. (since v15.1 SR-8)
