WinHex & X-Ways Forensics Newsletter Archive

(You may sign up for the newsletter here.)

#167: X-Ways Forensics, X-Ways Investigator, WinHex 20.4 released

Nov 24, 2021

This mailing is to announce the release of another update with important improvements, v20.4. The release date was Nov 23, 2021.

Customers please go to https://www.x-ways.net/winhex/license.html for the latest download instructions including current log-in data, details about their licenses and potentially upgrade/renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.

New videos are available on YouTube that depict how to set up X-Ways Forensics and discuss various settings.


Upcoming Online Live Training

Dates          Location         Target Region     Course
Nov 30-Dec 3   Online           Europe, Asia      X-Ways Forensics
Dec 6-9        Salt Lake City   USA               X-Ways Forensics
Dec 14-17      Online           America, Europe   X-Ways Forensics
Jan 11-14      Online           Europe, Asia      X-Ways Forensics
Jan 18-20      Online           Europe, Asia      X-Ways Forensics II
Feb 1-4        Online           America, Europe   X-Ways Forensics
Feb 1-4        Canberra         Australia         X-Ways Forensics
Feb 15-17      Online           America, Europe   X-Ways Forensics II
Mar 1-4        Salt Lake City   USA               X-Ways Forensics
...            Online           ...               ...
Apr 25-28      Mexico City      Mexico            X-Ways Forensics

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.4?
(please note that most changes affect X-Ways Forensics only)

File System Support

  • Support has been added for the QNX file system as commonly found in current car entertainment systems. X-Ways Forensics, if supplied with an image extracted from such a system, can now parse the file system structures, including timestamps and UNIX permissions, as known from other file systems. Individual virtual files representing the key file system structures are also shown, and Specialist | Technical Details Report will show fundamentals of the file system as well.

  • Btrfs volumes using snapshots are now supported.

  • Up to 127 subvolumes (incl. snapshots) are now supported per volume in Btrfs, up from 31 subvolumes previously. Unlike other subvolumes, which are all shown on the first level of the main volume, snapshots are shown within the subdirectory of .snapshots that corresponds with the snapshot’s creation date.

  • For all subvolumes (incl. snapshots) of Btrfs, the Technical Details Report identifies their respective official parent (sub)volumes, as before.

  • When taking a volume snapshot of directories (or entire drive letters without sector-level access), where it's not X-Ways Forensics itself that parses the file system, but Windows (internally referred to as file system "OS dir list"), alternate data streams can now also be included. This is a new setting in Options | Volume Snapshot and can be turned off if you are not interested in ADS and/or wish to save time. In new installations of X-Ways Investigator it is turned off by default.

  • Computing the total amount of data in files found in OS directory listings is now optional (cf. Options | Volume Snapshot). Any discrepancy between the original amount of data and the new amount detected when re-opening the evidence objects is brought to the user's attention and triggers an offer to take a new volume snapshot.

  • The x86 edition is no longer subject to internal path redirections of Windows, for example when traversing directories on the C: drive without sector-level access ("OS dir list") in some directories like C:\Windows\System32\config. The x64 edition never was.

  • Parsing symlinks when taking a volume snapshot (depending on the file system) is now optional, cf. Options | Volume Snapshot.

  • Ability to identify partitions formatted with the F2FS file system as such.

File Format Support

  • Support for spanned 7z archives.

  • Ability to detect and defend against one more type of archive bomb.

  • Increased maximum number of zip records presented in Details mode of zip archives from 10,000 to 20,000.

  • Recognition of more generating devices including iPhone 13. Updated evaluation of pictures.

  • Thumbnails in JPEG format can now be generated for HEIC pictures in the case report.

  • If the creation of a special human-readable representation of certain file types in the case report fails (for lnk, flnk, info2, wab, job, ...), such files are now copied verbatim. (This change will also be applied to v20.3 SR-9.)

Data Access

  • The File Header Signature Search now accepts more partially available data as NTFS-compressed.

  • Raw submode is now available for WofCompressed files in File mode to see the complete compressed data with slack. The List Clusters command now lists all clusters of such files including the slack. The slack area of the WofCompressed data is highlighted also in Partition/Volume mode.

  • There is now a dedicated checkbox for the logical search to control whether certain slack areas of NTFS compression are targeted. It's unlabeled, but has a tooltip. If fully checked, the undefined slack area at the end of each compression unit of ordinary NTFS-compressed files is searched raw (as is, without decompression), like in previous versions. If that check box is at least half checked, the well-defined slack of WofCompressed files is targeted (searched raw, without decompression), and this is a new feature of v20.4.

  • When text in files is decoded for the simultaneous search or indexing and saved in the volume snapshot for future re-use, and the special option for numbers and dates in spreadsheets is not active at that time, and later you run a search again *with* the special spreadsheets option, then you may not benefit from it if the originally decoded text is searched. That's why you will now get a warning in such a situation if the volume snapshot's decoded text is already loaded, or it will be discarded altogether upon loading.

  • The option to open files with slack has been moved from Options | Directory Browser to Options | Volume Snapshot.

  • Text derived by OCR now has Windows line breaks instead of Unix style line breaks.

Directory Browser Filters

  • If multiple filters are active, they were previously always ANDed, meaning each file had to pass the first active filter AND also all other active filters to be listed in the directory browser. However, now you can also filter files with a logical OR, meaning any file that passes the first active filter OR any other active filter will be listed. If active filters are combined with a logical OR, that is shown in the directory browser caption line next to the active filter count. A click on the filter count or the word OR toggles between AND and OR combination.

  • If multiple filters are combined with OR, the Description filter can still be optionally ANDed and is ANDed by default, as you can tell from an additional checkbox labeled AND in the Description filter dialog window, visible when other filters are ORed. If ANDed, the Description filter is counted and treated separately.

  • Ability to load multiple .settings files at the same time, which each can target different files using different filters (internally combined with AND or OR), and all matching files will be added to a single report table. This allows for complex nested filter conditions like this: Files of type A only if contained in path X plus files of type B if not deleted plus files whose names contain the word Y or Z and who have the System attribute etc. etc. A filter for the resulting report table is automatically activated.

  • Option to select multiple file type categories for filtering instead of just one, in a dialog window instead of the pop-up menu.

  • An easier-to-use and simplified version of the dialog window to create report table associations is now available, with less settings that might confuse new users, which is the new default in X-Ways Investigator, and optionally available in both X-Ways Forensics and X-Ways Investigator. For example, in the simplified version report tables that are created by the application to make the user aware of something will not be listed, and it's possible to specifically remove report table associations from selected files without the use of keyboard shortcuts.

Directory Browser Context Menu

  • New Recover/Copy option: If "Apply original timestamps to copies" is half checked, Recover/Copy works as in previous versions, plus the content creation timestamp, if available, may substitute for a missing file system level creation timestamp.

    If the box is fully checked, X-Ways Forensics will make extra efforts to set creation, modification and last access to some original timestamps, so that none of these three standard timestamps reflects the time when the Recover/Copy command was used. For example, extracted e-mails or attachments, files in archives, or carved files may not have all or any timestamps. X-Ways Forensics may resort to record change timestamps, alternative creation timestamps, content creation timestamps, and modification timestamps as substitutes for creation, modification as well as last access.

  • There is now an additional checkbox that will make recovered/copied files inherit timestamps from parent files/directories. It is a 3-state box. If half checked, only timestamps of parent files are inherited (think of e-mails that contain e-mail attachments or pictures that contain thumbnails). If fully checked, timestamps can also be inherited from parent directories (or grandparent directories or great-grandparent directories etc.).

    An extreme example is a carved file with no timestamps at all. Its parent directories are virtual directories and have no original timestamps either. Hence the creation timestamp of the root directory will be adopted, if available (not in FAT file systems). A parent directory creation timestamp could be helpful because it can be regarded as a lower limit for the unknown creation timestamp of the file. A parent file creation timestamp could be regarded as an upper limit for the unknown creation timestamp of a file if the parent is a file archive or an e-mail message. If the file is a thumbnail embedded in a JPEG file, the creation timestamp of the parent should be exactly right for the child object.

  • A new command in the directory browser context menu named "Copy: Extracted text" allows you to copy text that is decoded or OCRed from selected files to other places. The scope can be limited to files that specifically need OCR (i.e. pictures and certain PDFs) if you are only after such files. The extracted text can be buffered internally in the volume snapshot for future logical searches or indexing and the context preview of search hits. It can be copied into comments of the respective files (suitable esp. for small amounts of text OCRed from pictures), for example to include the text in the case report or exported lists, optionally with an explanatory prefix like [OCR] or [Extracted text]. The extracted text can also be output as child objects (text files). Or it can be collected in a single text file on your own storage device, or copied into the clipboard, and any combination of the above is also possible.

Command Line

  • A new command line command named "AddDir" is now supported. It is followed by a colon, and after that you specify which directory you wish to add to the case, e.g. AddDir:X:\. If the character after the colon is an asterisk, the root directories of all available drive letters will be added to the case: AddDir:*. However, network drives are optional because they can be excessively large and slow to explore. Addition of network drives depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, assuming that you are doing this to triage a live system and run X-Ways Forensics from your own removable device. The AddDir command also allows you to add single files to a case.

  • A new command line command named "AddDrive" is now available. It is followed by a colon, and after that you specify which drive letter you wish to add to the case, in upper case, e.g. AddDrive:C. Unlike a directory, which is accessed and explored through the operating system, drive letters require sector-level access (and therefore administrator rights), and any present file system will be parsed by X-Ways Forensics itself, if supported. If the character after the colon is an asterisk, all available drive letters in the system will be added to the case: AddDrive:*. However, network drives are optional because they can be excessively large and slow to explore and cannot be read by X-Ways Forensics with sector-level access. Addition of network drives depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, assuming that you are doing this to triage a live system and run X-Ways Forensics from your own removable device. If you specify the AddDrive:* command although you run the software without administrator rights, then the AddDir:* command will be run instead.

  • The command line command "NewCase" followed by a semicolon instead of a colon generates a unique filename if the specified .xfc file already exists. With a colon, the existing case is deleted and overwritten (without prompt or mercy), like in previous versions.

  • The "NewCase" command now supports relative case paths as well as references to environment variables.

  • The "Dlg" command line parameter now supports relative paths for .dlg files and file masks, so that you can load multiple .dlg files in the same directory at the same time.

Usability

  • New investigator.ini customizations are now supported in X-Ways Investigator and when running X-Ways Forensics as X-Ways Investigator:
    -18 prevent ability to show/hide toolbar
    -20 prevent most commands in directory browser context menu
    -54 prevent more options for report table associations
    -55 prevent creation and deletion and properties of report tables
    -56 predefine report table in new cases: "Include in report" (if you use the ~ character in this string, it will be replaced with the examiner name)
    -57 prevent display of case report options
    -58 prevent report filename selection (automatically generate a unique report filename)
    -59 prevent opening of newly created case report in browser
    -60 prevent report file visibility (set H attribute)
    -69 prevent usage of most keyboard shortcuts, esp. the main menu related ones
    -70 prevent File menu
    -71 prevent Edit menu
    -72 prevent Search menu
    -74 prevent View menu
    -75 prevent Tools menu
    -76 prevent Specialist menu
    -77 prevent Options menu
    -78 prevent Window menu
    -79 prevent Help menu
    -80 prevent Version menu
    -81 disable Disk/Partition/Volume button (mode still available)
    -82 disable File button
    -83 disable Preview button
    -84 disable Details button
    -85 disable Gallery button
    -86 disable Calendar button
    -87 disable Legend button

  • A new mode of operation in X-Ways Investigator can guide users through a simple triage process, by exploring all drive letters recursively, suggesting a file category filter and a simple keyword search before reviewing files, for example in conjunction with AddDir:* in the command line:
    +100 special guided process, with this main window title: "X-Ways Triage"

  • If you wish to output hash values of the files in your case report, and you did not compute hash values previously by refining the volume snapshot, the hash values can now optionally be computed on the fly when generating the report.

  • "Clean up after GDI font object leaks" now mainly has the function to allow for mass operations with the viewer component that potentially permanently consume GDI handles. To avoid a crash for example when generating thumbnails for thousands of PDF files for the case report, this option should be active. The option is now also available in the 32-bit edition of X-Ways Forensics. By default the check box is now half checked. Fully checked means that the necessary checks for handle leakage are performed more often.

  • More precise enforcement of the maximum simultaneous user count with network dongles in multi-modal mode and multi-user dongles.

  • There is now a progress bar when creating a case report for which files are copied or thumbnails are created (or both).

  • Logs command line parameters in the activity log of a case if those parameters create or open a case.

  • If Tesseract is unsuccessful with a particular file to which you apply OCR in Preview mode, its error messages are now output by X-Ways Forensics in the Messages window.

Miscellaneous

  • More complete listing of RAID reconstruction parameters in the Technical Details Report, so that you can find out exactly at any time later how you had managed to rebuild a particular RAID.

  • Support for overlong paths within the case directory.

  • The downloadable English-language Tooltips.txt file was revised.

  • The resource download directory now contains ready-to-use XWF hash databases with the NIST NSRL RDS 2.74 hash values as MD5 and SHA-1.

  • Which hash databases are used for matching is no longer controlled by Skip buttons, but rather by checkboxes in the Specialist | Refine Volume Snapshot dialog window, so that this behavior can be better controlled when running RVS from the command line.

  • X-Tension API: Ability to store hashes in the volume snapshot even if hashes had never been computed for that evidence object with user interface functionality. (This capability will also be added to v20.3 SR-9.)

  • The already established Metadata refinement function to estimate the generic relevance of files has been further revised and improved, in particular for pictures: A new Propensity Score Table predicts the probability that a particular picture file will possess embedded additional metadata based on the larger of the picture's pixel dimensions. (The actual table is available for download to registered customers in the resource directory: PropensityScore.html.)

    This is based on empirical assessment and the fact that certain specific picture dimensions are themselves indicative of e.g. smart device screenshots (whose dimensions are identical to the screen resolution of the device) and thus might hold particular interest. In some cases, the generic assessment of a particular pixel dimension is replaced by a more specific verdict in the case of certain aspect ratios (e.g. 1:1 or 4:3) or specific pixel dimensions (e.g. 5488x4096) known to be exact camera resolutions and the like. Some specific resolutions or aspect ratios are also identified in the table as being associated with a particular source device, e.g. Smartphone, Scanner, etc.

    The propensity score further considers the embedded metadata: firstly, whether it is present at all, but also its completeness, original or modified nature and the actual meaning of the metadata, e.g. EXIF information identifying a smartphone's front ("selfie") camera as the originating device of a picture.

  • Many minor improvements.

  • User manual and program help updated for v20.4.


Changes of further service releases of 20.3

  • SR-1: Option to immediately output new hash set matches also as report table associations, either all of them, or (if half selected) only for notable hash sets.

  • SR-1: Improved fidelity when producing .eml representations of certain single-part plain-text e-mails in MSG format.

  • SR-1: If OCR was unsuccessful for the last page of a PDF document, text from preceding pages was previously discarded. That was fixed.

  • SR-1: Shows pictures in WEBP format in the case report just like various other picture file types that are typically supported by web browsers.

  • SR-1: Dialog window selections, which are saved in and loaded from .dlg files, in the case of the directory browser options dialog now include the order of the columns in the directory browser.

  • SR-1: The service release number is now reflected in the modification timestamps of the installation files in the zip archive, as the number of seconds, so that you can automatically parse it if needed.

  • SR-2: The file format specific encryption test did not work as intended in v20.3. That was fixed.

  • SR-2: Prevented an unnecessary read operation from a physical storage device when opening a partition from the case tree (potentially relevant when creating skeleton images).

  • SR-2: The Recover/Copy command was unable to create directories with very long paths in certain constellations. That was fixed.

  • SR-2: The "Hash computed" filter option of Hash 2 was erroneously applied to the Hash 1 column. That was fixed already in the original release of v20.3.

  • SR-3: Avoids a conflict between processing of command line parameters and recovery from a crash upon restarting.

  • SR-3: Addresses a potential cause of unavailability of the "Refine volume snapshot" command.

  • SR-3: The X-Tension API function XWF_GetItemCount() now has additional capabilities.

  • SR-4: Fixed a rare exception error that could occur when creating text representations of dialog windows.

  • SR-4: Applied the latest security fixes of the FFmpeg library.

  • SR-5: The X-Tension API function XWF_GetCellText() did not work for all columns. That was fixed.

  • SR-5: The FlexFilter did not always target the right columns in v20.3 if the column order was redefined by the user. That was fixed.

  • SR-5: Fixed an error in the alternative processing method of TAR archives that appended garbage characters to certain very long paths/filenames.

  • SR-5: Double-clicks on already selected items in the directory browser did not always work in v20.3. That was fixed.

  • SR-5: Fixed an occasional OCR problem with multiple threads.

  • SR-5: Case report: No thumbnail placeholders are output any more for directories in report tables.

  • SR-5: Fixed an exception error that could occur when viewing unprocessed PList files.

  • SR-6: No more (futile) attempts to back up cases that are opened as read-only.

  • SR-6: When opening files that were carved and that contain NTFS-compressed data, the resulting decompressed file contents no longer contain a few surplus bytes.

  • SR-6: Avoids possible duplication when carving NTFS-compressed files.

  • SR-6: Some necessary initializations are now performed when triggering a logical search from the command line indirectly via RVS.

  • SR-6: Since v20.1, with the internal algorithm ~29 not all RAR archives were carved. That was fixed.

  • SR-7: Since v20.1, multipliers in regular expressions when applied to characters other than letters in Western languages did not work in UTF-16. That was fixed.

  • SR-7: Fixed inability to cleanly remove an evidence object from a case that is a reconstructed RAID once it had been opened in that session.

  • SR-7: Fixed a re-use error that could occur when viewing files externally from different evidence objects in the same session that had the same filenames and the same internal IDs in their respective volume snapshots.

  • SR-8: Fixed an exception error that could occur since v20.2 when processing certain .evtx event log files.

  • SR-8: An error in the alternative spreadsheet text decoding method was fixed. This fix will also be available in v20.1 SR-13 and v20.2 SR-8. Please keep the application's main window in the foreground if you run a search with that option.

  • SR-8: The gallery now reflects the directory browser's scrollbar position when switching to gallery mode, like in v20.1 and earlier.
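The SR-1 note above says that the service release number is encoded in the seconds field of the installation files' modification timestamps inside the download archive, so that it can be parsed automatically. The following is an added Python example (not X-Ways code; the function names and the constructed sample archive are my own) that reads that field from a zip archive. It assumes all members carry the same seconds value, and it shows a caveat: the plain DOS timestamp in zip headers has only 2-second resolution, so an odd service release number survives only if the archive also carries an InfoZIP extended timestamp extra field (header ID 0x5455), which is an assumption about how the archive is produced.

```python
import io
import struct
import zipfile
from datetime import datetime, timezone

# Header ID of the InfoZIP "UT" extended timestamp extra field (1-second resolution).
EXT_TIMESTAMP_ID = 0x5455


def extended_mtime(extra: bytes):
    """Return the Unix mtime stored in a 0x5455 extra field, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        # Layout: 1 flags byte (bit 0 = mtime present), then a 32-bit Unix mtime.
        if field_id == EXT_TIMESTAMP_ID and len(body) >= 5 and body[0] & 0x01:
            return struct.unpack_from("<I", body, 1)[0]
        pos += 4 + size
    return None


def member_mtime_seconds(info: zipfile.ZipInfo) -> int:
    """Seconds field of one member's modification time.

    Prefers the extended timestamp when present; otherwise falls back to the
    DOS timestamp from the central directory, which only stores even seconds.
    """
    unix_mtime = extended_mtime(info.extra)
    if unix_mtime is not None:
        return datetime.fromtimestamp(unix_mtime, tz=timezone.utc).second
    return info.date_time[5]


def service_release_from_zip(data: bytes) -> int:
    """Derive the service release number from an archive's member mtimes.

    Assumption (not stated by the page): every installation file carries the
    same seconds value, so disagreement means the convention does not apply.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        seconds = {member_mtime_seconds(i) for i in zf.infolist() if not i.is_dir()}
    if len(seconds) != 1:
        raise ValueError(f"inconsistent mtime seconds across members: {sorted(seconds)}")
    return seconds.pop()


def build_sample_zip(sr: int, extended: bool) -> bytes:
    """Constructed sample archive whose members' mtime seconds equal `sr`.

    With extended=False only the DOS timestamp is written, so odd values of
    `sr` are rounded down to an even number on read-back.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("xwforensics.exe", "xwforensics64.exe", "Tesseract/README.txt"):
            info = zipfile.ZipInfo(name, date_time=(2021, 11, 23, 12, 0, sr))
            if extended:
                mtime = int(datetime(2021, 11, 23, 12, 0, sr, tzinfo=timezone.utc).timestamp())
                info.extra = struct.pack("<HHBI", EXT_TIMESTAMP_ID, 5, 0x01, mtime)
            zf.writestr(info, b"constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    print("DOS only, SR-4:", service_release_from_zip(build_sample_zip(4, False)))
    print("DOS only, SR-7:", service_release_from_zip(build_sample_zip(7, False)))
    print("extended, SR-7:", service_release_from_zip(build_sample_zip(7, True)))
```

The second call demonstrates the rounding caveat: an archive with only DOS timestamps reports SR-6 for SR-7, so a real check should verify that the extended field is present before trusting an even result.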


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, and updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

#166: X-Ways Forensics, X-Ways Investigator, WinHex 20.3 released

Jul 20, 2021

This mailing is to announce the release of another update with important improvements, v20.3.

Customers please go to https://www.x-ways.net/winhex/license.html for the latest download instructions including current log-in data, details about their licenses and potentially upgrade/renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.


Upcoming Online Live Training

Dates          Location         Time Zone/Country   Course
Aug 3-6        Salt Lake City   USA                 X-Ways Forensics
Aug 31-Sep 2   Online           Europe, Asia        X-Ways Forensics II
Sep 7-10       Online           Europe, Asia        X-Ways Forensics
Sep 20-23      Online           America, Europe     X-Ways Forensics
...            ...              ...                 ...
Dec 6-9        Salt Lake City   USA                 X-Ways Forensics

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.3?
(please note that most changes affect X-Ways Forensics only)

Text Extraction

  • The OCR capabilities of the software package Tesseract can now be utilized from within X-Ways Forensics and X-Ways Investigator. The package can be downloaded from our web server. Updated download instructions are available from the same place as always. If Tesseract is found by v20.3 in the subdirectory \Tesseract of the installation directory when v20.3 is first run, Tesseract will be activated automatically. Otherwise please go to Options | Viewer Programs to indicate the path.

  • OCR can be applied as part of logical searches or indexing to suitable files such as document scans or digitally stored faxes in TIFF format or PDF documents that contain only graphic content. The default file masks include even *.jpg; however, whether applying OCR to every JPEG file in a case is a little excessive or necessary is up to you to decide, and you have full control over the scope of the search using various means anyway. Please be aware that checking high-resolution photos for text costs a lot of time. Digital photos in JPEG and HEIC format will be rotated according to the instructions in the Exif metadata to restore the correct orientation and thus hopefully allow OCR of text that was originally photographed roughly horizontally. If the ordinary text decoding is already successful for a given file of a type that is contained in both file masks (*.pdf), OCR will not be applied additionally. The option "Store decoded text for context preview and future searches" will also keep text derived from OCR stored in the volume snapshot.

  • Search hits returned by the logical search in OCR-derived text are identified as such in the Descr. column and highlighted in a different color. The Descr. filter allows you to list only such OCR search hits or not OCR hits. Older versions of X-Ways Forensics can see OCR search hits from v20.3 when opening the same case, but won't know that they are OCR search hits.

  • You can select up to two languages for text recognition at the same time, after clicking the ... button for this in Options | Viewer Programs. However, there is a trade-off if you select Chinese/Japanese and a Western language at the same time. This will deteriorate the recognition of the Asian characters. You may want to select *only* Chinese/Japanese for much better recognition in that language. English (actually Latin) letters can still be recognized in that case, even if English is not expressly selected, at reduced quality. Select both Chinese/Japanese and a Western language at the same time only if correct recognition is more important to you in the Western language.

  • Preview mode now has a separate submode in addition to Raw submode, called Text mode, in which pure text from non-picture files is extracted, just like for the logical search with the decode option. That submode can also be useful to better understand how text is extracted from various document types, in particular from spreadsheets, for which different extraction options exist that may differ in output, especially in formatting.

  • If the ordinary text extraction/decoding in Text submode does not return any result or if the previewed file is a picture file, and if Tesseract is available and active, OCR will be applied. This allows you to better understand how well OCR will work in searches for the kind of files that you are dealing with. You can also experiment with different languages selected and compare the quality of the results. The submode button is named "Text" by default, but will change its label to "OCR" to make you aware that OCR is or was employed to retrieve the text. OCR can be time-consuming for multi-page TIFF and PDF files, but can be interrupted by the user if necessary. If a logical search or indexing has applied OCR to a file before and the result was stored in the volume snapshot, then the OCR-based preview will be available instantly and OCR will not be re-applied from scratch.

  • Both submodes Raw and Text in Preview mode remain active until you leave Preview mode or select a file of a different type. If you prefer to make either of these submodes more persistent, so that it remains active even when previewing files of different types, you can hold the Shift key while clicking the respective submode button.

  • The Tesseract package that is downloadable from our web server already has support for the following languages integrated, in alphabetic order:
    ara: Arabic
    chi_sim: simplified Chinese (horizontal writing only)
    chi_tra: traditional Chinese (horizontal writing only)
    deu: German
    eng: English
    fra: French
    heb: Hebrew
    ita: Italian
    jpn: Japanese (horizontal writing only)
    kor: Korean (horizontal writing only)
    nld: Dutch
    pol: Polish
    rus: Russian
    spa: Spanish
    swe: Swedish
    tur: Turkish
    Other languages can be added if you can find .traineddata files for them at https://github.com/tesseract-ocr/tessdata_fast. Such files simply need to be put into the \tessdata subdirectory of Tesseract. Or you can visit https://github.com/tesseract-ocr/tessdata_best to download higher quality OCR engines for any of the supported languages. (Please note that OCR takes considerably more time with them.)

  • Supported file types are generally the following: PDF, PostScript (PS), TIFF, JPEG, HEIC, PNG, GIF, BMP, WEBP, AutoCAD DXF, Photoshop PSP, and maybe more.

  • Ability to use the Descr. filter to focus on search hits in misaligned UTF-16 text.

  • Ability to highlight search hits in alternative e-mail previews.

  • Ability to load search terms from text files with Unix/Linux line breaks.

File System Support

  • Compressed data chunks in NTFS-deduplicated files are now decompressed, i.e. such files can now be opened. Requires access to Windows 8 or later.

  • In Ext file systems, a new volume snapshot option allows running a more in-depth parsing of deleted directory entries during the initial creation of the volume snapshot, even if they are misaligned in relation to the current directory entries. This might find additional previously existing files in Ext, at a likely manageable risk of finding some garbage entries as well. The checkbox for this is labeled "Ext: Try misaligned deleted dir entries".

  • Ability to interpret backup bundles created by Apple Time Machine as disks, by opening and interpreting the file "com.apple.TimeMachine.MachineID.plist". Requires WinHex Lab Edition or higher. Once interpreted, in X-Ways Forensics you can add the simulated disk to the case as an evidence object if considered relevant, as usual for example by right-clicking the tab and invoking the menu command for that.

  • Volume shadow copy host files are now treated as if their data was initialized/valid although the NTFS file system says otherwise, to avoid unnecessary complications for users who run X-Ways Forensics with the standard setting of "Read uninitialized areas as binary zeroes".

  • Recognizes the QNX file system in a partition as such.
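
The new Ext option above is easier to reason about with a scan you can run yourself. The following Python is an added example written for this archive page, not X-Ways code and not a description of how X-Ways Forensics implements the option. It builds a constructed ext4 directory block (two live files, one entry deleted the normal way, and one entry left over from an earlier layout of the directory that no rec_len chain reaches), walks the live chain, and then recovers deleted entries two ways: by continuing the rec_len chain inside each live entry's slack (the aligned case) and by testing every 4-byte offset against a plausibility filter (the misaligned case). The filter is where the trade-off mentioned above lives: the looser it is, the more garbage gets reported as entries.

```python
import struct

# ext2/3/4 linear directory entry header: inode (u32), rec_len (u16),
# name_len (u8), file_type (u8), followed by the name, padded to 4 bytes.
DIR_ENTRY_HDR = struct.Struct("<IHBB")
EXT_FT_MAX = 7          # file_type values 0 (unknown) .. 7 (symlink)

def pad4(n):
    return (n + 3) & ~3

def build_entry(inode, rec_len, name, file_type=1):
    """Serialize one directory entry (helper for the constructed sample)."""
    raw = name.encode()
    body = DIR_ENTRY_HDR.pack(inode, rec_len, len(raw), file_type) + raw
    return body + b"\x00" * (pad4(len(body)) - len(body))

def build_sample_block(size=128):
    """Constructed sample block: '.', '..', one live file and two deleted entries."""
    blk = bytearray(size)
    blk[0:12] = build_entry(2, 12, ".", 2)
    blk[12:24] = build_entry(2, 12, "..", 2)
    live = build_entry(12, size - 24, "a.txt")     # rec_len stretched over the rest
    blk[24:24 + len(live)] = live
    d1 = build_entry(13, 20, "secret.key")         # deleted: still on the old chain
    blk[40:40 + len(d1)] = d1
    d2 = build_entry(14, 24, "old.docx")           # from an earlier layout: misaligned
    blk[72:72 + len(d2)] = d2
    return bytes(blk)

def parse_entry(blk, off):
    inode, rec_len, name_len, ftype = DIR_ENTRY_HDR.unpack_from(blk, off)
    return {"off": off, "inode": inode, "rec_len": rec_len, "name_len": name_len,
            "type": ftype, "name": blk[off + 8:off + 8 + name_len]}

def plausible(e, size):
    """Heuristic filter; the stricter it is, the fewer garbage entries are reported."""
    if e["inode"] == 0 or e["name_len"] == 0 or e["type"] > EXT_FT_MAX:
        return False
    if e["rec_len"] % 4 or e["rec_len"] < pad4(8 + e["name_len"]):
        return False
    if e["off"] + e["rec_len"] > size or len(e["name"]) != e["name_len"]:
        return False
    name = e["name"]
    if b"\x00" in name or b"/" in name:
        return False
    return all(0x20 <= b < 0x7F for b in name)   # ASCII-only names in this example

def walk_chain(blk):
    """Live entries: follow rec_len from offset 0 the way the file system does."""
    out, off = [], 0
    while off + 8 <= len(blk):
        e = parse_entry(blk, off)
        if e["rec_len"] < 8 or e["rec_len"] % 4:
            break                                  # corrupt chain, stop
        if e["inode"]:
            out.append(e)
        off += e["rec_len"]
    return out

def scan_deleted_aligned(blk):
    """Classic recovery: continue the rec_len chain inside each live entry's slack."""
    found = []
    for live in walk_chain(blk):
        off, end = live["off"] + pad4(8 + live["name_len"]), live["off"] + live["rec_len"]
        while off + 8 <= end:
            e = parse_entry(blk, off)
            if not plausible(e, len(blk)):
                break
            found.append(e)
            off += e["rec_len"]
    return found

def scan_deleted_misaligned(blk):
    """Try every 4-byte offset no chain reaches; finds entries from older layouts."""
    known = {e["off"] for e in walk_chain(blk)} | {e["off"] for e in scan_deleted_aligned(blk)}
    found = []
    for off in range(0, len(blk) - 8, 4):
        if off in known:
            continue
        e = parse_entry(blk, off)
        if plausible(e, len(blk)):
            found.append(e)
    return found

def names(entries):
    return [e["name"].decode() for e in entries]

if __name__ == "__main__":
    blk = build_sample_block()
    print("live:      ", names(walk_chain(blk)))        # ['.', '..', 'a.txt']
    print("aligned:   ", names(scan_deleted_aligned(blk)))    # ['secret.key']
    print("misaligned:", names(scan_deleted_misaligned(blk))) # ['old.docx']
```

On the sample block the aligned scan only finds "secret.key", because "old.docx" sits at an offset the old chain never pointed to; only the brute-force pass over 4-byte offsets reports it. Note how many header candidates the misaligned pass has to reject (name bytes of live entries re-read as headers produce odd rec_len values or file types above 7); on real 4 KiB blocks with non-ASCII names you would loosen the name check and accept a higher rate of false entries.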

File Type Support

  • More cameras/picture generating devices are recognized, including the 8th generation of the iPad.

  • Improved detection of generating device class and processing state of pictures based on dimensions.

  • Raw representation of newer $LogFile files of Windows 10 available.

Case Management

  • There is now an option to not show internal information such as examiner name and case path and image paths in the case report, if the report is generated for people outside of your organization.

  • There is also an option to not show the technical description of evidence objects. That could be useful to avoid unnecessary discussions with computer laypersons in court or elsewhere about what a "sector size" is etc.

  • The command "Import evidence objects" now by default imports all evidence objects in a case, and only evidence objects marked as important if you hold the Shift key at the moment when the import starts.

  • When importing evidence objects from another case, report tables in the selected imported case with no associations in the imported evidence objects are no longer imported. Report tables in the selected imported case that have the same names as existing report tables in the target case are now merged with the latter.

  • If a parameter in the command line is the path or name of an .xfc file, and if at that point when the parameter is processed a case is already open, then the evidence objects of that .xfc file will be imported into the already active case. (In previous versions this would have closed the active case and opened the other case.)

  • Case reports created by X-Ways Investigator can now show the hash values of files.

  • Ability to merge report tables in the dialog window for report table associations.

User Interface

  • Ability to apply the Flex Filters to the additional columns of event lists, such as event timestamp and event description.

  • The menu commands File | Restore Image and Specialist | Technical Details Report are now available in X-Ways Imager.

  • Cyclic tab key order defined in the main window also in search hit list mode.

  • The file "GREP Expressions.txt", in which X-Ways Forensics recalls friendly names of your favorite regular expressions, is now named "Regular Expressions.txt". Please rename your existing file, if you have one.

  • The number of matches of blockwise hashing that are output as search hits is now mentioned in the Messages window, to inform the user of the results and remind them of the form in which to find them.

X-Tension API

  • The plug-in required to use the X-Tension API with Python has been updated and is downloadable from https://www.x-ways.net/forensics/x-tensions/api.html.

  • New X-Tension API functions XWF_PrepareTextAccess() and XWF_GetText().

  • The new X-Tension API functions XWF_GetColumnTitle and XWF_GetCellText allow retrieving the contents of all directory browser cells as text.

  • X-Tension API: The XWF_ManageSearchTerm() function can now rename search terms, for example so that they appear with a more user-friendly name.

  • Fixed an instability issue that could affect X-Tensions conducting certain file read activities when run with multiple threads and responding to XT_ProcessItem().

  • There is now a separate forum section about X-Tension programming. Please consider subscribing to notifications of postings in that section in your user profile (https://www.x-ways.net/cgi-bin/discus/board-profile.cgi) if you are interested. Those users who had enabled notifications from the computer forensics section will not automatically receive notifications from the new X-Tension programming section.

Miscellaneous

  • Faster performance when dealing with undefined/sparse areas in backup bundles, VDI, VHD, VHDX, and VMDK disk images, including differencing images, i.e. virtual disk images with "parents".

  • New option to name carved files after the number of their respective first sector, either with or without leading zeroes.

  • The Recover/Copy command, when applied to the Case Root window and when run with the option to recreate partial paths will now gather child objects of files in subdirectories just like when applied to one particular evidence object.

  • Including the column headers when exporting or copying a list in TSV or HTML format is now optional.

  • Many minor improvements.

  • User manual and program help updated for v20.4.


Changes of further service releases of 20.2

  • SR-1: Supports one more variant of HEIC files.

  • SR-1: In certain situations Preview mode remained blank in v20.2 until a different file was selected in the directory browser. That was fixed.

  • SR-1: Prevented one situation in which the error message "The file does not contain offset ..." could pop up when opening a case with evidence objects in search hit list mode.

  • SR-1: Slightly reduced strain on the dongle.

  • SR-1: If the connection to the dongle gets lost, the open case will be saved immediately in addition to the interval-based automatic save.

  • SR-1: Reduced impact of a certain floating point exception error in SQLite processing.

  • SR-1: Fixed slow text extraction from spreadsheets that could occur previously when searching logically with more than 8 threads.

  • SR-2: Supports one more variant of HEIC files.

  • SR-2: HEIC picture data parsing is now optional (see Options | Viewer Programs).

  • SR-2: Potentially fixed a rare exception error that could occur when parsing Ext4 volumes with meta blockgroups.

  • SR-2: Ability to read deduplicated files in a previously not covered scenario.

  • SR-2: Around the time when SR-2 was released, the documentation of the XT_ProcessSearchHit() API function was updated and corrected.

  • SR-3: The GREP syntax option is now called "regular expressions".

  • SR-3: Easier to understand description of exactness of PhotoDNA matches in Details mode, in percent.

  • SR-3: Text decoding did not always preserve certain symbols in the U+2xxx Unicode range, such as the typographic apostrophe (U+2019) used in French text. That was improved.

  • SR-3: Ability to save dialog window selections instead of filter settings from within the directory browser options dialog window, just like with other dialog windows.

  • SR-3: Prevented a possible exception error that could occur when extracting metadata.

  • SR-3: Addressed a rare infinite loop problem that could occur when extracting metadata.

  • SR-3: The option to discard duplicates of imported hash values in existing hash sets previously discarded even hash values that were rejected for import due to category mismatch. That was fixed.

  • SR-4: Timeout avoided with certain incomplete PNG files.

  • SR-4: Fixed a crash that could occur when text representations of dialog windows with extremely long lists were created for the activity log of the case.

  • SR-4: Representations of nested dialog windows of the volume snapshot refinement settings are now included in the case's activity log only if the corresponding operation is actually selected, and no longer potentially twice.

  • SR-4: The descriptions of events from .evtx event logs in the event list of v20.2 lacked the first character of extracted values like Address, UserID, SessionID. That was fixed in the metadata extraction function.

  • SR-4: Carves newer subversions of EDB databases than are algorithmically supported, using the defined default file size.

  • SR-5: Graphics display library updated.


A revision of v8.5.4 of the viewer component is downloadable since June 3, 2021. The below issues were addressed that potentially affected X-Ways Forensics, quoted verbatim.

Some extra spaces are rendered after PDF file conversion-IX
Search Export generates XRunExport() failed: file is corrupt (0x0009)
PDF conversion doesn't provide correct conversion result
PDFs w/blanks sections are exporting bad format w/Search & Image Export
E-mail with background color performs differently from 8.5.3
Info->PageCount on attached excel files hang the drawpage.exe app(32 bit)
XLS file crashes drawpage.exe on 32-bit and 64-bit
Viewer hangs the system when the attached xlsx file is opened
PDF results in a core dump when running through exsimple via PX
Observed Text Overlapping and Data loss on PX Export for Given PDF file
Highlighting issue in Word documents with footnotes
UNADDRESSABLE ACCESS beyond heap bounds while exporting in tiff format
Email Header Redaction
Small msg file is rendered to a PDF file with over 65,000 pages
Customer searches for a name not found due to added space by SX
Watermark is obscuring document in OIT
Compressed Searchable PDF Files Generated by CVISION are not Previewable in OCE
Some extra spaces are rendered after PDF file conversion.
Document in RTF not correct shown or printed in OIT, 8.5.1 to 8.5.4
HTML charset not respected when enclosed in single quotes
OIT Viewer crash when opening XLSX document
Part of Text not showing in viewer: VW 8.5.4
Incorrect UTF8 output encoding for email content with iso-2022-kr character set
OIT 8.5.4 Viewer Crashes on attached xlsx file
word doc in WVX is missing a lot of data and only has two pages.
SCCOPT_TIMEZONE NOT WORKING FOR .EML FILES - IMAGE EXPORT
PFDA conversion of PDF is missing text.
Microsoft Outlook OST File count mismatch - 8.5.3 CA
OVERLAPPING TEXT IN .DOCX FILES

Attached DOCX file errors out while viewing on OIVT
Numbering in word documents are rendered incorrectly by PX and IX
Spacing Issue Observed on Given PDF file across SDKs
CA 8.5.5 producing blank output on some html files, customer crash
Text selection with Body and Footnote for redaction, it add extra lines and texts
French Character not extracted correctly
EXRunExport() failed: unknown chunker failure (0x0241) on Loading Input Doc File
eml files being reported as 7-bit files rather than emails in 8.5.4 and 8.5.5
Image covering header after conversion in latest 8.5.4/5
Some images in the PX and IX of DOC files are out of place
XLSX is not shown with drawpage.exe in OIVT8.5.4.20(BP10) but works in BP8
CEC: Fidelity Issues with PX Conversion of PDF - HME_DR_SimGrid_SNUBH_2016_FT
MS Excel file converted to PDF had Partial text hidden
CEC: Fidelity Issues with HTML5 Conversion of PDF - HME_DR_SimGrid_SNUBH_2016_FT
Exported pdf displays unmappable characters
Docx - Inline Image in the table in Header is not positioned or aligned properly
Oracle Outside-In adds redundant space in the word
Font rendering issues in 8.5.4, not present in 8.5.3
Extracted text of PDF document contains spaces between letter of a single word
WCC: certain excel hangs when exporting to pdf
with OIT 8.5.4 BP5, Redaction on last page of document is appearing on front
The umlauts in eml files are not rendered correctly
image export of eml file chops off portion of document
web view of Specific .xlsm file shows file corrupt message.


Become a certified user of X-Ways Forensics
Become an X-PERT
(X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.


Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany
#165: X-Ways Forensics, X-Ways Investigator, WinHex 20.2 released

Mar 22, 2021

This mailing is to announce the release of another update with many notable improvements, v20.2.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal or professional license and access to updates)

Customers please go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Please do not ask us about the download password. Your organization has access to it already if eligible. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from the same web page.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Online Live Training

Dates Location Time Zone Course

Mar 30-31

Online Europe, Asia X-Ways Forensics II
Apr 13-16 Online Europe, Asia X-Ways Forensics
Apr 26-29 Online America, Europe X-Ways Forensics

May 4-6

Online Europe, Asia X-Ways Forensics II

May 10-12

Online America, Europe X-Ways Forensics II

Please sign up for our training notifications here if you would like to be kept up to date on future classes.


What's new in v20.2?
(please note that most changes affect X-Ways Forensics only)

File Format Support

  • Ability to view and preview pictures in HEIC format. The gallery loads and displays HEIC thumbnails. Picture analysis and processing also supports HEIC files now.

  • Android .thumbdata4 archives and HEIC files are now by default in the list to uncover embedded data. (Thumbnails in HEIC files will be output in JPEG format.)

  • Ability to extract specific data from the event payload in .evtx event logs and list it directly in the event list. This makes working with event logs much more powerful, as it allows you to quickly filter for usernames, IP addresses from log-in or RDP events, task or service names, PowerShell commands, etc. The new tab-separated definition file "Event Log Events.txt" in the installation directory contains a list of event IDs, the (optional) log provider and the list of individual data fields to extract. The definition file can be adjusted to your own requirements.

  • Windows .evtx event logs are now parsed and exported into one single TSV file, replacing the previously output multiple HTML preview files. The generated TSV file contains the complete payload of each event. It is ideally viewed in MS Excel or similar applications.

  • Events are now listed with less clutter in the event list.

  • Ability to extract e-mail attachments from TNEF files once they are identified as such. (Such files are usually named winmail.dat.)

  • Option to name MSG files in the volume snapshot after the e-mail subject when extracting e-mail messages and attachments from them. That could be useful for generically named MSG files.
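
As an added illustration of the two .evtx items above: the following Python is example code written for this archive page, not X-Ways code, and the column layout of the real "Event Log Events.txt" is not documented here, so the definition format used below (EventID, then an optional provider name, then the EventData field names, all tab-separated, with an empty provider matching any provider) is an assumption. It reads such a definition list, applies it to the XML that .evtx records decode to, and writes the selected fields to one TSV. The event IDs and field names (4624 TargetUserName/IpAddress/LogonType, 4688 NewProcessName/CommandLine, 7045 ServiceName/ImagePath, 4104 ScriptBlockText) are the standard Windows ones; the event records themselves are constructed.

```python
import csv
import io
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Assumed layout for this example (not the documented X-Ways format):
# EventID <TAB> Provider (empty = any) <TAB> EventData field names ...
SAMPLE_DEFINITIONS = "\n".join([
    "# EventID\tProvider\tFields to extract from EventData ...",
    "4624\tMicrosoft-Windows-Security-Auditing\tTargetUserName\tIpAddress\tLogonType",
    "4688\tMicrosoft-Windows-Security-Auditing\tNewProcessName\tCommandLine",
    "7045\t\tServiceName\tImagePath",
    "4104\tMicrosoft-Windows-PowerShell\tScriptBlockText",
])

# Constructed events in the XML rendering that .evtx records decode to.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>'
    '<TimeCreated SystemTime="2021-11-01T08:15:02.000000Z"/></System><EventData>'
    '<Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">10</Data>'
    '<Data Name="IpAddress">10.0.0.5</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID>'
    '<TimeCreated SystemTime="2021-11-01T08:16:40.000000Z"/></System><EventData>'
    '<Data Name="ServiceName">updater</Data>'
    '<Data Name="ImagePath">C:\\Users\\Public\\svc.exe</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4634</EventID>'
    '<TimeCreated SystemTime="2021-11-01T09:00:00.000000Z"/></System><EventData>'
    '<Data Name="TargetUserName">jdoe</Data></EventData></Event>',   # no definition
]

def load_definitions(text):
    """Parse the tab-separated definition list into {(event_id, provider|None): [fields]}."""
    defs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < 3:
            continue
        provider = cols[1].strip() or None
        defs[(int(cols[0]), provider)] = [c for c in cols[2:] if c]
    return defs

def lookup_fields(defs, event_id, provider):
    """Provider-specific definition first, then the provider-agnostic one."""
    return defs.get((event_id, provider)) or defs.get((event_id, None))

def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    data = {}
    eventdata = root.find(NS + "EventData")
    if eventdata is not None:
        for d in eventdata.findall(NS + "Data"):
            data[d.get("Name")] = (d.text or "").strip()
    return {"provider": system.find(NS + "Provider").get("Name"),
            "event_id": int(system.find(NS + "EventID").text),
            "time": system.find(NS + "TimeCreated").get("SystemTime"),
            "data": data}

def extract(defs, xml_text):
    """One event list row, or None if no definition covers this event."""
    ev = parse_event(xml_text)
    fields = lookup_fields(defs, ev["event_id"], ev["provider"])
    if fields is None:
        return None
    row = {"time": ev["time"], "provider": ev["provider"], "event_id": ev["event_id"]}
    for f in fields:
        row[f] = ev["data"].get(f, "")     # missing field stays an empty cell
    return row

def extract_all(defs, events):
    return [r for r in (extract(defs, e) for e in events) if r is not None]

def tsv_columns(defs):
    cols = ["time", "provider", "event_id"]
    for fields in defs.values():
        cols.extend(f for f in fields if f not in cols)
    return cols

def to_tsv(rows, columns):
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(columns)
    for r in rows:
        w.writerow([r.get(c, "") for c in columns])
    return buf.getvalue()

if __name__ == "__main__":
    defs = load_definitions(SAMPLE_DEFINITIONS)
    print(to_tsv(extract_all(defs, SAMPLE_EVENTS), tsv_columns(defs)), end="")
```

The lookup order matters when you extend the definition list: a line with an empty provider column acts as a fallback, so an event ID that two providers reuse with different payloads (common with the 4xxx range in the Security log versus third-party logs) needs its own provider-qualified line to avoid pulling the wrong field names. The 4634 logoff record is dropped because nothing defines it, which is the behaviour you want for a curated extraction list.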

User Interface

  • The gallery can now operate in an alternative mode, activated with the button to the left of the Sync button. In that mode the gallery does not present the items currently listed in the directory browser, but instead all the child objects of a single selected item, if there are any such child objects. Those are either only direct child objects or (in ² mode) child objects recursively. This is a unique way to get a quick overview of entire directories or file archives with a single mouse click. Also very useful for videos from which stills have been extracted. You can right-click any listed child object in the gallery and perform various operations on that particular object. Most commands known from the directory browser context menu are available. In particular you can associate a child object with report tables that way, exclude it, tag it, or navigate to see it in its native parent directory in the directory browser with all metadata (and then you can click the Back button to return to the previous view). The child objects are listed in the gallery in ascending order of internal ID.

  • The selection in the gallery usually exactly replicates the selection in the directory browser. However, when representing child objects of a file that is selected in the directory browser, the gallery now allows a separate selection in itself, among the child objects.

  • True-color pictures can now be presented in the gallery not only in grayscale, but also with mismatched colors, to reduce the psychological impact of certain photos. The new option is the middle state of the checkbox. The grayscale conversion (if fully checked) was slightly optimized.

  • Ability to see the presentations of Preview and Details mode for the same file at the same time, side by side, after clicking the "+" on the Details button when in Preview mode. Clicking the Details or Preview button again will make that mode the only active mode.

  • The approximate scroll position in Details mode is now restored when selecting a different file in the directory browser or when closing and re-opening the data window or the application.

  • Ability to save the contents of Details mode into an HTML file, by clicking the new floppy disk icon in the status bar.

  • Keyboard shortcuts for the context menu commands to view the selected file(s) in X-Ways Forensics or in the associated program.

  • The command line interface now allows to load dialog window selections. This will usually override specific parts of the configuration that is initially read from a WinHex.cfg file, at the moment when the command line parameter is processed (not when those parts of the configuration might affect what the application does). The command is "Dlg:", directly followed by the path of the .dlg file. After you save dialog window selections please verify that they can actually be accepted by clicking OK after saving them. Only .dlg files created in v20.2 can be used. Older versions of X-Ways Forensics can still read .dlg files written by v20.2.

  • The Notation options in Recover/Copy are now accessible also when the "Group by" options are used because the former are relevant to the latter.

  • When adding more report table associations to the same file, the associations are now consistently shown in the order in which the report tables are defined.

  • Prevents the viewer component from trying to display NTFS system files like $UpCase in Preview mode, which was problematic.

Searching, Indexing

  • The alternative processing method of spreadsheet text decoding was revised. For example, the boundaries and ordinal numbers of worksheets are now marked with separator lines.

  • Option to filter out spaces around common Chinese characters in decoded text (cf. Options | Viewer Programs). Such spaces can appear unexpectedly for example when processing certain PDF documents and can thwart keyword searches in Chinese.

  • Raw previews with decoded text (i.e. Shift + click on "Raw") in Chinese were not displayed properly previously because the viewer component did not always identify the data as UTF-16. That was improved.

Miscellaneous

  • WinHex Lab Edition and higher: Ability to open and read files on Windows Server NTFS volumes with active deduplication if they have not been compressed.

  • If there are multiple matches for a file in the PhotoDNA hash database, which is indicated by an ellipsis after the first match, and if the PhotoDNA hash value was stored in the volume snapshot, Details mode loads the hash database and returns all matches.

  • Many more JPEG generating devices recognized, now more than 30,000.

  • Fixed a rare infinite loop that could occur when trying to open files in APFS.

  • Mitigated a very rare exception error that can apparently occur when applying the particularly thorough file system data structure search in exFAT.

  • Fixed a rare exception error that could occur under certain circumstances after re-opening a recursively explored volume/partition on a physical device in the case and choosing to take a new volume snapshot if prompted to do so.

  • Many minor improvements.

  • User manual and program help updated for v20.2.


Changes of further service releases of 20.1

  • SR-2: Finds certain Ext* partitions with an unusual configuration when searching for lost partitions.

  • SR-2: Identifies extended partitions as such even when wrongly described as a different partition type in the MBR, as seen in Kindle storage.

  • SR-2: Fixed I/O error that occurred in v20.1 when splitting up the case report into segments.

  • SR-3: Ability to define the alphabet to detect word boundaries for the commands Find Text and Replace Text, with any kind of license.

  • SR-3: Fixed an infinite loop that could occur when processing GZ archives with very long filenames.

  • SR-3: The X-Tension API function XWF_Read() returned 0 after reading between 2 and 4 GB of data instead of the actual amount of data that was read. That was fixed.

  • SR-3: Fixed an exception error that apparently could occur in certain cases when right-clicking multiple selected files in the case root window.

  • SR-3: Fixed an error that occurred when interpreting .e01 evidence files with a user-defined sector size.

  • SR-3: Fixed an exception error that could occur when parsing unexpected LVM2 container data.

  • SR-3: msglog.txt is now slightly more complete, showing which button was clicked in message boxes and showing when a case was closed if messages were output while the case was open.

  • SR-4: Corrupt files found by the file header signature search are now included optionally (and are now included by default when searching for embedded files).

  • SR-4: Fixed trailing spaces at the end of the names of some rare files in FAT in recent releases.

  • SR-4: Fixed a rare exception error that could occur with the gallery in freshly refined volume snapshots.

  • SR-6: The gallery option "Use auxiliary thumbnails" did not work correctly in v20.1 SR-4 and SR-5 and showed the wrong thumbnails for some pictures. That was fixed.

  • SR-6: Fixed an exception error that could occur in v20.1 when right-clicking multiple selected items from different evidence objects.

  • SR-6: Some minor improvements and fixes.

  • SR-7: If the creation of an .e01 evidence file is interrupted, a notice about that is now also left in the image itself, when it is provisionally finalized.

  • SR-7: When copying files with child objects to evidence file containers and including those child objects in the container and including the path, then the parent files would have been copied with their contents even if "Copy only metadata" was selected. That was fixed.

  • SR-7: Fixed an instability problem that could occur when extracting e-mails and attachments from MSG files.

  • SR-10: thumbcache*.db thumbnail stores were previously not processed in certain rare situations, namely if they were targeted only indirectly and the main thumbcache_idx.db file was a newer version than expected or could not be parsed as expected. In many such cases they are now checked for embedded thumbnails directly, independent of thumbcache_idx.db.

  • SR-10: Detects the XFS file system based on less strict rules again, like previous versions.

  • SR-10: File mode did not show slack correctly in NTFS in the previous service release. That was fixed.




Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Take care everyone.

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany