v20.4 [Dec 7, 2021]
File System Support
- Support has been added for the QNX file system as commonly found in current car entertainment systems. X-Ways Forensics, if supplied with an image extracted from such a system, can now parse the file system structures, including timestamps and UNIX permissions, as known from other file systems. Individual virtual files representing the key file system structures are also shown, and Specialist | Technical Details Report will show fundamentals of the file system as well.
- Btrfs volumes using snapshots are now supported.
- Up to 127 subvolumes (incl. snapshots) are now supported per volume in Btrfs, up from 31 subvolumes previously. Unlike other subvolumes, which are all shown on the first level of the main volume, snapshots are shown within the subdirectory of .snapshots that corresponds to the snapshot's creation date.
- For all subvolumes (incl. snapshots) of Btrfs, the Technical Details Report identifies their respective official parent (sub)volumes, as before.
- When taking a volume snapshot of directories (or entire drive letters without sector-level access), where it's not X-Ways Forensics itself that parses the file system, but Windows (internally referred to as file system "OS dir list"), alternate data streams can now also be included. This is a new setting in Options | Volume Snapshot and can be turned off if you are not interested in ADS and/or wish to save time. In new installations of X-Ways Investigator it is turned off by default.
- Computing the total amount of data in files found in OS directory listings is now optional (cf. Options | Volume Snapshot). Any discrepancy between the original amount of data and the new amount detected when re-opening the evidence objects is brought to the user's attention and triggers an offer to take a new volume snapshot.
- The x86 edition is no longer subject to internal path redirections of Windows, for example when traversing directories on the C: drive without sector-level access ("OS dir list") in some directories like C:\Windows\System32\config. The x64 edition never was.
- Parsing symlinks when taking a volume snapshot (depending on the file system) is now optional, cf. Options | Volume Snapshot.
- Ability to identify partitions formatted with the F2FS file system as such.
File Format Support
- Support for spanned 7z archives.
- Ability to detect and defend against one more type of archive bomb.
- Increased maximum number of zip records presented in Details mode of zip archives from 10,000 to 20,000.
- Recognition of more generating devices including iPhone 13. Updated evaluation of pictures.
- Thumbnails in JPEG format can now be generated for HEIC pictures in the case report.
- If the creation of a special human-readable representation of certain file types in the case report fails (for lnk, flnk, info2, wab, job, ...), such files are now copied verbatim. (This change will also be applied to v20.3 SR-9.)
Data Access
- The File Header Signature Search now accepts more partially available data as NTFS-compressed.
- Raw submode is now available for WofCompressed files in File mode to see the complete compressed data with slack. The List Clusters command now lists all clusters of such files including the slack. The slack area of the WofCompressed data is highlighted also in Partition/Volume mode.
- There is now a dedicated checkbox for the logical search to control whether certain slack areas of NTFS compression are targeted. It's unlabeled, but has a tooltip. If fully checked, the undefined slack area at the end of each compression unit of ordinary NTFS-compressed files is searched raw (as is, without decompression), like in previous versions. If that check box is at least half checked, the well-defined slack of WofCompressed files is targeted (searched raw, without decompression), and this is a new feature of v20.4.
- When text in files is decoded for the simultaneous search or indexing and saved in the volume snapshot for future re-use, and the special option for numbers and dates in spreadsheets is not active at that time, and later you run a search again *with* the special spreadsheets option, then you may not benefit from it if the originally decoded text is searched. That's why you will now get a warning in such a situation if the volume snapshot's decoded text is already loaded, or it will be discarded altogether upon loading.
- The option to open files with slack has been moved from Options | Directory Browser to Options | Volume Snapshot.
- Text derived by OCR now has Windows line breaks instead of Unix style line breaks.
Directory Browser Filters
v20.0 [Aug 23, 2020]
File System/Disk Support:
- UFS support has been revised. Significantly more UFS variants are now understood.
- APFS: Supports new Catalog ID structure as created by Mac OS Catalina.
- Technical Details Report/evidence object properties now show details of MacOS X Installations on HFS or APFS volumes: Exact OS X version, timezone, the system's network and display names.
- Support for much more deeply nested subdirectories in XFS volumes.
- Supports Ext4 volumes with version 2 of sparse superblocks.
- Slightly more complete output of Ext* file system timestamps.
- Ability to choose which copy of a FAT12/FAT16/FAT32 file allocation table to work with, in Options | Volume Snapshot. This can be either a user-designated copy or the one that is defined as active in the boot sector (in case of FAT32). If neither the user selects a copy nor the boot sector defines a single copy as active, the first copy will be used, labelled as "FAT 1", like in earlier versions. The copy that was selected at the time when the volume snapshot was taken will be used for the whole lifetime of that volume snapshot, even if the settings are changed. It is displayed in the Info Pane. The Technical Details Report now informs which copy or copies are considered active in the file system.
- Identifies unpartitioned physical disks or disk images as such in some rare cases where it previously didn't.
- General option to open volumes including the slack that doesn't add to another cluster just like when opening an entire partition. The data in that area, aside from a potential NTFS backup boot sector, does not belong to that volume logically and was stored there before the volume was created. It is not needed to parse the file system or to mount the volume (though some tools may output an error message if it's not included). Including such data in a volume image can be an IT security leak if only the regularly accessible part of the volume had been sanitized before usage.
- Identifies some new bus types of currently attached storage devices.
- Active sector superimposition is now remembered in an evidence object and automatically re-activated when the evidence object is opened next time, and you will be reminded of that.
- Generally improved handling of incomplete/corrupted .e01 evidence files, similar to storage media with unreadable areas (bad sectors). NTFS: A limited listing of system files is now presented based on $MFTMirr if, in such an incomplete image, $MFT is not included but $MFTMirr is.
- Ability to abort the potentially time-consuming preparation of a cluster allocation map for huge volumes and still proceed with taking the actual volume snapshot if desired (without reverse cluster allocation information).
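The FAT copy selection rule described above (user-designated copy, otherwise the copy the boot sector marks active, otherwise "FAT 1"), as an added Python example that is not X-Ways code: it reads BPB_NumFATs and BPB_ExtFlags (bit 7 = mirroring disabled, bits 0-3 = active FAT) from a FAT32 boot sector and computes where each FAT copy starts. The boot sector is constructed inline for demonstration and the field names are this example's own.

```python
import struct

# BPB field offsets in a FAT32 boot sector (Microsoft FAT specification).
BYTES_PER_SEC = 11  # 2 bytes
RSVD_SEC_CNT = 14   # 2 bytes
NUM_FATS = 16       # 1 byte
FAT_SZ32 = 36       # 4 bytes, sectors per FAT
EXT_FLAGS = 40      # 2 bytes: bit 7 set = mirroring off, bits 0-3 = active FAT (0-based)


def parse_fat32_bpb(boot_sector):
    """Read the BPB fields needed to locate and choose a FAT copy."""
    if len(boot_sector) < 512 or boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    bpb = {
        "bytes_per_sec": struct.unpack_from("<H", boot_sector, BYTES_PER_SEC)[0],
        "rsvd_sec_cnt": struct.unpack_from("<H", boot_sector, RSVD_SEC_CNT)[0],
        "num_fats": boot_sector[NUM_FATS],
        "fat_sz32": struct.unpack_from("<I", boot_sector, FAT_SZ32)[0],
        "ext_flags": struct.unpack_from("<H", boot_sector, EXT_FLAGS)[0],
    }
    if bpb["num_fats"] == 0 or bpb["fat_sz32"] == 0:
        raise ValueError("BPB reports no FAT copies or a zero-length FAT")
    return bpb


def active_fat_copies(bpb):
    """1-based numbers of the FAT copies the boot sector treats as active.

    Bit 7 of BPB_ExtFlags clear means the FATs are mirrored at runtime, so
    every copy is active; bit 7 set means only the copy in bits 0-3 is.
    """
    if bpb["ext_flags"] & 0x80:
        idx = bpb["ext_flags"] & 0x0F
        if idx >= bpb["num_fats"]:
            raise ValueError("active FAT index %d exceeds BPB_NumFATs" % idx)
        return [idx + 1]
    return list(range(1, bpb["num_fats"] + 1))


def select_fat_copy(bpb, user_choice=None):
    """Selection rule from the v20.0 entry: a user-designated copy wins,
    otherwise the single copy flagged active in the boot sector, otherwise FAT 1."""
    if user_choice is not None:
        if not 1 <= user_choice <= bpb["num_fats"]:
            raise ValueError("volume has only %d FAT copies" % bpb["num_fats"])
        return user_choice
    active = active_fat_copies(bpb)
    return active[0] if len(active) == 1 else 1


def fat_copy_offset(bpb, copy_no):
    """Byte offset of the given FAT copy (1-based) from the start of the volume."""
    sectors = bpb["rsvd_sec_cnt"] + (copy_no - 1) * bpb["fat_sz32"]
    return sectors * bpb["bytes_per_sec"]


def build_boot_sector(num_fats=2, ext_flags=0, bytes_per_sec=512, rsvd=32, fat_sz=1024):
    """Constructed minimal FAT32 boot sector for demonstration, not from a real disk."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"          # jump instruction
    bs[3:11] = b"MSWIN4.1"             # OEM name
    struct.pack_into("<H", bs, BYTES_PER_SEC, bytes_per_sec)
    bs[13] = 8                         # sectors per cluster
    struct.pack_into("<H", bs, RSVD_SEC_CNT, rsvd)
    bs[NUM_FATS] = num_fats
    struct.pack_into("<I", bs, FAT_SZ32, fat_sz)
    struct.pack_into("<H", bs, EXT_FLAGS, ext_flags)
    bs[82:90] = b"FAT32   "            # file system type string
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


if __name__ == "__main__":
    # Mirrored FATs (both active) versus mirroring disabled with FAT 2 active.
    for flags in (0x0000, 0x0081):
        bpb = parse_fat32_bpb(build_boot_sector(ext_flags=flags))
        chosen = select_fat_copy(bpb)
        print("ExtFlags=0x%04X active=%s -> using FAT %d at offset %d"
              % (flags, active_fat_copies(bpb), chosen, fat_copy_offset(bpb, chosen)))
```

Because the two copies can legitimately differ on a volume where mirroring was disabled, recording which copy was parsed (as the Info Pane does) is what makes a volume snapshot reproducible.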
Picture Support:
- New version of the internal picture viewing library.
- WEBP pictures are now supported in Preview, Gallery, and for the View command.
- Ability to view pictures in some variants of the DICOM format.
- Metadata extraction from WEBP pictures revised. Output of processing states, similar to PNG files. File type identification/verification for DICOM and WEBP revised.
- All JPEG files are now presented with a processing state in Details mode. Two additional state values were introduced.
- The processing state now depends on the detected generator, where each generator is now assigned to one of three generator classes D (device), E (editor), or C (content management system). JPEG files produced by generator class D are absolute originals. The processing state is always "original". JPEG files produced by the generator class E are relative originals. Their processing state is always "Edited normally". Examples are photos published by news agencies like Reuters.
- The detected processing state of the third generator class (CMS like WordPress, Drupal, TYPO3, Joomla etc.) can assume different values. They are usually irregularly edited, i.e. their edited status is not officially indicated. The state can be deduced indirectly from the filename, generator signature, or pixel dimensions. The state "irregularly edited" can also result from picture manipulations.
- The new processing state "scaled" means that a picture was created with a content management system such as WordPress, TYPO3, Drupal. It can be said with a high probability that such pictures have been released to the public, which entails a reduced intelligence value. Practically such pictures cannot be regarded as documents. They were automatically and individually adapted to the respective output display in order to optimize the loading time of the web page.
- The state "EXIF stripped" refers to JPEG pictures, whose device origin was detected although no EXIF metadata is present. The device can potentially be detected based on generator signature, filename or a characteristic pixel dimension.
v19.9 [Nov 26, 2019]
Recover/Copy Command:
- There is now an option to convert files of certain supported types to PDF format, to share those files with computer users that otherwise would not have suitable applications to view the files or if you generally prefer a fixed, context-insensitive representation. You can define the file types that do not need to be converted, e.g. those that can easily be displayed by a web browser or ordinary Windows tools. If no conversion is possible, the original file is copied unconverted.
- Ability to extract pure text from files of various types and output it as plain text files. That is the same representation that you get when switching from ordinary Preview mode to raw Preview mode with the Shift key held, and the same text that a logical search would get to see of a file when you have X-Ways Forensics "decode" the text in a file. Files that are not suitable for text extraction (e.g. pictures) or from which no text can be extracted for whatever other reasons are copied normally if the corresponding checkbox is only half checked, or are omitted if fully checked.
- There is now an option to output all selected files as a single PDF document. This includes even file types that would usually not be converted to PDF individually. For example it may not make sense to recode original PDF files as PDF files again individually, but if the purpose is to bundle multiple files in a single document for easier sharing it has merit.
- You now have the option to output the alternate name of a file, or both the main name and the alternate name in the copylog.txt or copylog.html file depending on what you prefer to see.
- That same option also exists for the Export List command.
Case Report:
- Files that are copied for and linked from the case report can now be converted to PDF format if needed, similar to the aforementioned option of the Recover/Copy command.
- You can now choose to convert the entire HTML case report to PDF format. This cannot be used in conjunction with the option to split the report file after a certain number of files. If the box with the PDF option is fully checked, that means that you will receive only a PDF version of the report. If half checked, that means that you will receive both an HTML and a PDF version of the report.
Please note that if you later delete one of the two files (.html and .pdf) in the Windows Explorer/File Explorer, this will automatically and involuntarily also delete the corresponding subdirectory that contains the copied files for the report, if there is such a directory, even if those files are still needed for the respective other version of the report.
- The generation of report thumbnails for non-picture files with or without shrinking is now possible in current versions of Windows 10 (1809 and 1903).
- The report generation no longer makes copies of files with a size of 0 bytes.
Case Management:
- Images of a case are now found automatically in the case directory even if they are not remembered to have been there previously (this condition existed in earlier versions). This works even if the path of a case changes. Please remember, the case directory is the directory of a case, with the same name as the .xfc file of the case, not to be confused with the default directory for cases, which may contain many cases (multiple .xfc files and multiple case directories).
- A dedicated case-specific default path for images can now be defined and enabled in the properties of a case, which then overrides the generic default path for images. That means it will be preselected when creating new images and when adding images to the case. It will also be a place where X-Ways Forensics will automatically look for images that cannot be located any more in the path where they were last known to be. The case-specific path may be a relative path, where a . refers to the case directory and .. to the parent directory of the case directory. A suggested dedicated place where to put the images of a case is the subdirectory \!images of cases that are newly created in v19.9.
Please note, however, that for performance reasons it can still be advisable to store cases and images on different physical storage devices. If you define a case-specific image path in v19.9 and open the case in v19.8 or earlier, you will get a warning about unknown data being ignored and lost, but can still work with that case in the older version and later enter the path again in v19.9 if necessary.
- Project Vic categories for the USA are now predefined in the user-editable text file PVicCat.txt. Law enforcement users from UK and Canada can download their own definitions from the PhotoDNA download section on our web server and replace the default PVicCat.txt file in their installations. Users in other countries with differing categories can gladly share their category definitions with us for the benefit of other users.
Search Functionality:
- Indexing and index searches were revised.
v19.7 [Sep 1, 2018]
File System Support
- Ability to parse data structures of many APFS volumes in order to provide a volume snapshot.
- Cloned files in APFS, of which only differences from their original counterparts are stored in separate clusters, are marked with an uppercase Greek delta in the Attr. column.
- Support for APFS timestamps in the Data Interpreter as well as in templates ("APFSDateTime").
- A particularly thorough file system data structure search is now available for exFAT volumes, too.
- Protection against a rare kind of NTFS corruption, FILE record displacements within $MFT.
- The option to omit additional hard links now has an effect even when processing selected or tagged files specifically.
File Format Support
- Encrypted documents with a known password can now be matched against the FuzZyDoc hash database.
- The report table "Scan" is no longer used to identify PDF documents that have scanned content. Instead, "scanner" is now shown in the device type column for PDF documents that are identified as having been generated by a scanner.
- Extraction of the mdtacom.apple.quicktime.location.ISO6709 field from iPhone MOV files into the metadata column.
- Identification of and file header signature search for MP4s files, a proprietary surveillance video format.
- Google Chrome history will now display the transition for each visited web site, making it easier to ascertain whether the visit was triggered by the user or by some other action like a redirect. The duration of each visit is listed as well. Internet searches run from the address bar of Chrome are listed in a separate table and also added to the event list.
- Ability to parse Google Chrome SNSS session files (Current/Last Session and Current/Last Tabs) during metadata extraction. The resulting session overview lists all open tabs and their browsing history.
- The previous output for .automaticdestinations-ms files in Details mode is now presented in Preview mode, and also for the View command and when copying such jumplist files for inclusion in the report.
- Report thumbnail generation now supported for files of these types: lnk, flnk, TCP/UDP packets, NK2, DBX, Skype chat, WAB, change.log.1, info2, job, IconCache.db, Prefetch, shd, usnjrnl, eiurl, $I*, travellog, chrome1, automaticdestinations-ms, and more.
- Fixed a rare checksum error in Intel Hex conversion output.
- Ability to convert (e.g. search terms) from UTF-16 to various Indian code pages: ISCII Devanagari, Bengali, Tamil, Telugu, Assamese, Oriya, Kannada, Malayalam, Gujarati, Punjabi (Gurmukhi).
JPEG Metadata Support
- Irregular EXIF metadata encodings that violate EXIF specifications are now marked with an asterisk at the end (sometimes additionally with a bold font).
- "EXIF compliance" is another new aggregated single value, a score that lets you see whether a low quality photo editor was used to edit a photo. The good rating that JPEG pictures produced by Nikon or Canon cameras usually have is retained only by high quality photo editing programs. A bad rating for such pictures indicates editing by a low quality program. Irregularly coded fields in the EXIF data are marked with an asterisk. Irregular might mean that a wrong data type was used, the permitted value range was violated, there are duplicate tags, or a character string is not null-terminated or contains slack. Some tags must not appear at the same time; some tags must be stored in a designated directory.
- Generally the EXIF presentation is not a simple unstructured output of all EXIF values, but it aims to provide background information and highlights certain parameters within their context to make examiners aware of irregularities. Already in their original files, digital cameras produce characteristic EXIF metadata errors. By editing a photo, additional errors may be produced, or others may be fixed.
- XMP metadata extraction revised. New and relevant information is added to the metadata column while redundant information is not. XMP often contains information about the time zone that is not available from the EXIF metadata.
- The amount of slack (zero-value bytes) at the end of an EXIF segment is presented in Details mode if such slack is present. For example, iPhone 4 and iPhone 5 usually produce such an area of a variable length, but iPhone 7 does not. If the slack remains present after a rotation, that means the rotation was minimally invasive, without recompression (no loss of quality). If however a photo editing program rewrites the JPEG file, the slack will disappear.
- The Summary part of the internal metadata in Details mode for JPEG files now has a new field named "Light value". That value is derived from the well-known photography formula Ev = log2(N²/t) + log2(100/ISO), where N is the f-number and t the exposure time in seconds. The value range ends at around 16, which means full sunshine. This aggregated value can be interesting to some examiners because it makes it possible to distinguish indoor and outdoor photos and to check whether the local time of a photo is plausible.
v19.6 [Mar 14, 2018]
- A new directory browser column is now available in X-Ways Forensics and X-Ways Investigator and populated during metadata extraction: Device type. This column shows the class of device that produced a given JPEG file, such as a smartphone's main camera, a smartphone's front/secondary camera, a point and shoot/compact camera, camcorder, DSLR, webcam etc. That information is derived from the generator signature. This column also comes with a filter. Filtering for the device type could be useful for example if you are looking for rather private photos (selfies taken with a smartphone's front camera) or rather professional photos (e.g. DSLR or digital camera back).
- Scanned pictures used to be identified as such through report table associations. That is no longer the case. That they were generated by a scanner can now be seen in the new aforementioned column.
- Pictures that were identified as screenshots are now shown with "screen" as the device type. The device type "screen" identifies screenshots and sometimes pictures that seem to be specially sized to match a certain screen resolution (e.g. wallpapers).
- The GPS processing mode, if available, is listed in Details mode. This mode makes it possible to estimate the reliability/precision of the coordinates. It is used by various manufacturers, and it can be one of the following values: Unknown, GPS, Network, Hybrid, Fused, or CELLID.
- New entry named "Geolocation" in the extracted metadata and in Details mode, with the GPS coordinates in a notation as accepted by Google Maps, OpenStreetMap or Bing Maps. It also replaces the previous fields Latitude and Longitude in the extracted metadata as it is more suitable for automatic processing.
- Three additional fields for Exif GPS data are output in Details mode where available: Altitude, Image direction, and GPS Error. Altitude might be helpful to judge the reliability of the geo coordinates. Image direction is a feature of high-end smartphones.
- If there is something unusual about the presence of GPS coordinates in JPEG pictures, those GPS coordinates are now highlighted in blue color. For example if the GPS coordinates are present and a GPS timestamp is absent, for a mobile device type that is known to always include both at the same time (sometimes depending on whether the front or back camera is used), or for a camera type that is known to not have GPS, it could mean that the coordinates have been retroactively embedded. GPS timestamps that are different from the time when the photo was taken are also highlighted in blue color.
- A new file named PhoneAliasTable.txt contains a translation from internal device designations to human-readable marketing names. In particular device designations used by Samsung, Motorola, LG and Huawei are rather cryptic and better understood if translated. This table can also contain the device's release date and region. That table is currently relatively sparsely populated, but its format is explained in the header so that users can help to complete it.
- Details mode now shows firmware date and region for JPEG files created by many Samsung mobile phones, which can help to validate other metadata.
- The table for the generator signature based Exif data validation now supports more than 11,000 devices (where the front cameras of smartphones count as separate devices).
- Time zone extracted from files that were produced by some new Sony devices.
- Twitter timestamps in JPEG files are recognized and output in the "Content created" column.
- Extraction of Content created timestamp from JPEG files improved.
- Automatic removal of interspersed padding data between two thumbnails in JPEG files created by various digital camera models, which was previously included in (prepended to) the second thumbnail's data.
- PNG files now also receive a generator signature as part of metadata extraction, to identify PNG files that likely originate from the same source and PNG files that are screenshots.
- Detection of the generating device type for some PNG files, also shown in the new Device type column.
- Improved detection of PNG screenshots of old mobile phones.
- Support for iOS netusage.sqlite files, which record the data usage of apps. Besides the amount of data flowing in and out, they also provide approximate timestamps when apps were used for the first and last times. Appropriate events are extracted and an HTML preview is created containing all relevant information.
- Improved stability when processing EVTX files.
- Supports a new format variant of certain registry values in Windows 10.
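The "Light value" field introduced in v19.7 above and the Geolocation/GPS plausibility entries of this version, as an added Python example that is not X-Ways code: it converts EXIF GPS degree/minute/second rationals to the decimal "lat, lon" notation accepted by the map services, places the UTC GPS timestamp next to the local DateTimeOriginal, and flags the two situations the entries describe. The EXIF tag dictionaries are constructed for the example, the two-minute tolerance is an assumption, and because the page does not include the per-device table that decides which models always write a GPS timestamp, the missing-timestamp flag is raised here for every file with coordinates.

```python
import math
from datetime import datetime, timedelta, timezone


def rational(value):
    """EXIF RATIONAL values arrive as (numerator, denominator) pairs."""
    num, den = value
    return num / den


def light_value(fnumber, exposure_time, iso):
    """Ev = log2(N^2 / t) + log2(100 / ISO); about 16 corresponds to full sunshine."""
    n = rational(fnumber)
    t = rational(exposure_time)
    return math.log2(n * n / t) + math.log2(100 / iso)


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals plus N/S/E/W reference to signed decimal degrees."""
    deg, minute, sec = (rational(x) for x in dms)
    value = deg + minute / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def geolocation(exif):
    """Decimal 'lat, lon' string, or None when the file carries no coordinates."""
    if "GPSLatitude" not in exif or "GPSLongitude" not in exif:
        return None
    lat = dms_to_decimal(exif["GPSLatitude"], exif.get("GPSLatitudeRef", "N"))
    lon = dms_to_decimal(exif["GPSLongitude"], exif.get("GPSLongitudeRef", "E"))
    return "%.6f, %.6f" % (lat, lon)


def gps_timestamp_utc(exif):
    """GPSDateStamp ('YYYY:MM:DD') and GPSTimeStamp (h, m, s rationals) are UTC."""
    if "GPSDateStamp" not in exif or "GPSTimeStamp" not in exif:
        return None
    h, m, s = (rational(x) for x in exif["GPSTimeStamp"])
    day = datetime.strptime(exif["GPSDateStamp"], "%Y:%m:%d")
    return day.replace(tzinfo=timezone.utc) + timedelta(hours=h, minutes=m, seconds=s)


def parse_offset(text):
    """'+02:00' -> timedelta(hours=2); '-05:30' -> timedelta(hours=-5, minutes=-30)."""
    sign = -1 if text.startswith("-") else 1
    hh, mm = text[1:].split(":")
    return timedelta(hours=sign * int(hh), minutes=sign * int(mm))


def content_created_utc(exif, utc_offset=None):
    """DateTimeOriginal is local time; it needs OffsetTimeOriginal (or a supplied
    offset, e.g. from XMP) before it can be compared with the GPS clock."""
    if "DateTimeOriginal" not in exif:
        return None
    local = datetime.strptime(exif["DateTimeOriginal"], "%Y:%m:%d %H:%M:%S")
    offset = exif.get("OffsetTimeOriginal") or utc_offset
    if offset is None:
        return None  # cannot be placed on the UTC axis without a zone offset
    return local.replace(tzinfo=timezone(parse_offset(offset))).astimezone(timezone.utc)


def gps_flags(exif, utc_offset=None, tolerance=timedelta(minutes=2)):
    """Conditions the entries above say are highlighted in blue."""
    flags = []
    if geolocation(exif) is None:
        return flags  # no coordinates, nothing to judge
    gps_time = gps_timestamp_utc(exif)
    if gps_time is None:
        flags.append("gps_timestamp_missing")  # coordinates without a GPS clock
        return flags
    created = content_created_utc(exif, utc_offset)
    if created is not None and abs(created - gps_time) > tolerance:
        flags.append("gps_time_mismatch")  # GPS clock disagrees with capture time
    return flags


# Constructed sample EXIF dictionaries (tag names follow the EXIF specification).
SAMPLE_EXIF = {
    "FNumber": (28, 10), "ExposureTime": (1, 500), "ISOSpeedRatings": 100,
    "DateTimeOriginal": "2021:06:15 14:30:05", "OffsetTimeOriginal": "+02:00",
    "GPSLatitudeRef": "N", "GPSLatitude": ((52, 1), (31, 1), (1212, 100)),
    "GPSLongitudeRef": "E", "GPSLongitude": ((13, 1), (24, 1), (36, 1)),
    "GPSDateStamp": "2021:06:15", "GPSTimeStamp": ((12, 1), (30, 1), (5, 1)),
}
EXIF_NO_GPS_TIME = {k: v for k, v in SAMPLE_EXIF.items()
                    if k not in ("GPSDateStamp", "GPSTimeStamp")}
EXIF_TIME_MISMATCH = dict(SAMPLE_EXIF, DateTimeOriginal="2021:06:15 10:30:05")

if __name__ == "__main__":
    ev = light_value(SAMPLE_EXIF["FNumber"], SAMPLE_EXIF["ExposureTime"],
                     SAMPLE_EXIF["ISOSpeedRatings"])
    print("Light value: %.2f" % ev)
    for name, exif in (("sample", SAMPLE_EXIF), ("no GPS time", EXIF_NO_GPS_TIME),
                       ("mismatch", EXIF_TIME_MISMATCH)):
        print("%-12s %s flags=%s" % (name, geolocation(exif), gps_flags(exif)))
```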
v19.5 [Nov 28, 2017]
Case Management
- A new command in the case context menu allows to import evidence objects from another case into the current case, for example when you wish to merge different cases (that may have been worked on by different users to split up the workload) into a single case. Only tagged evidence objects are imported, i.e. those displayed with a light bulb in their original case. This will also import (actually: copy) an evidence object's volume snapshot with report table associations, comments, bookmarks, search hits, indexes, events, RAID reconstruction parameters, time zone selection, and much more, but not volume snapshot backups and not the users (examiners) of the other case and the distinction between their own report table associations and search hits. The timestamp recorded when the evidence object was added to the original case will be taken over into the new case. The current user who conducts the import will absorb those results. The unique IDs of files will be different in the new case. However, report table associations for that evidence object can be exchanged (exported and imported) between the source and the destination case because the volume snapshot IDs and internal IDs are retained.
- The command to import an evidence object from another case can also be used to simply duplicate an evidence object in the same case. Simply select the .xfc file of the currently active case to do that for the tagged evidence objects. This can be useful to maintain and see and compare two volume snapshots at the same time, experiment with file header signature searches with untested signature definitions etc.
- Support for Cellebrite's raw image segment naming conventions (abc.bin, abc_1.bin, abc_2.bin, ...) when images are internally interpreted as disks.
- Support for large table sections in .e01 evidence files.
- When trying to open an evidence object of a case that is backed by an image file and the image file cannot be found, X-Ways Forensics now automatically offers to open the evidence object without image, just like with the corresponding context menu command in the Case Data window. Useful if the image is not accessible right now (or has been deleted/lost completely) and you wish to just peek at the file listings, report table associations, your own comments, hash set matches, extracted metadata etc.
File Format Support
- Safari Cache.db: Preview includes information as to where the data of each record is stored (filesystem or Cache.db). Prevents dummy data from being exported when data is not stored within the database. Support for a previous schema of the Safari cache database.
- Metadata and event extraction from SRUDB.dat, i.e. the activity captured by the system resource usage monitor (SRUM). You can see the processes started over time, listed with their owners, and a lot of statistics. Network usage activity by each process is extracted as well. The extracted information can be useful to pinpoint the moment of a possible intrusion or the process that caused an intrusion. The information is presented in detailed HTML child object files and as events in the event list. Individual event types for SRUDB make it easier to filter for particular resource usage types.
- Generator signature database significantly further updated.
- New prefix "Mobile::" for many photos taken by mobile devices.
- File type signature definition and file carving algorithm association for High Efficiency Image files (.heic).
- Improved stability with EDB processing.
- Thorough addition of events from EVT event logs (Windows XP or older) to the event list. Optimized HTML preview for EVT event logs to significantly reduce its size.
- Ability to display some rare black & white PNG pictures with the internal graphics viewing library that were not supported previously.
- The type of a user account (administrative user, user only, or guest account) is now mentioned in the Windows registry report.
v19.2 [Mar 29, 2017]
- Files encrypted in Zip, RAR, and 7z file archives can now also be decompressed and processed.
- Support for iOS's sms.db. All recorded conversations via SMS are extracted to individual chat files.
- Metadata extraction from Quicktime video files revised. In particular, geo data is extracted from current iPhone .mov files.
- Improved support for East Asian regional code pages with variable-length character encoding for use in complex GREP expressions such as negated character sets.
- Extraction of metadata from JPEG files improved. More metadata presented for JPEG files in Details mode.
- Trailing data in JPEG files is now provided as a separate child object.
- Special support for Samsung Galaxy S6 and S7 JPEG metadata, which among others contain the creation date with a precision of 1 ms.
- Generator signatures further revised.
- File type verification further improved.
- Type group designations are now displayed along with the type description in the "Type description" column.
- A few file type designations were assigned to multiple categories previously. That was tidied up.
- Updated file mask for uncovering embedded data.
- Files can now be extracted from e-mail related MIM archives as part of e-mail processing.
- Import support for PhotoDNA hash values in hex ASCII notation in ProjectVic JSON files.
v18.9 [Jul 19, 2016]
File Format Support
A generic relevance of files can be estimated. This is a new suboperation of the metadata extraction. This relevance is based on a variety of factors, such as the type of the file, its generator if known (for JPEG and PDF files), its currentness (last modification date), whether it is known from any hash database, the wealth of internal metadata that it contains, its size, the visual content of pictures, whether a PNG file is a smartphone screenshot, whether an HTML file has been locally saved by the user manually, whether there is something unusual about the file, etc. etc. The relevance is not merely content-based, but the result of a fundamental characterization. In particular the generator signature is a provenance-based criterion.
The main idea is that if your time for examination is limited, you can start with the files that have the highest generic relevance, to maximize your chance to find what you are looking for, if it exists, and find it rather early. To sort listed files by relevance in descending order, i.e. prioritize them for review, once the relevance has been judged, invoke Navigation | Sort by Relevance in the directory browser context menu. A check mark in the Relevance column that will appear indicates that the relevance of a file was actually computed and taken into account for sorting.
Generator signatures are now output also for PDF documents. Analogously to JPEG files, this helps to learn something about the origin of PDF files and identify PDF files that likely have the same source as a given PDF file. For example, the generator signature reveals whether a PDF file was generated by a scanner. Around 2,750 PDF generator signatures are defined (as of v18.9), covering approximately 95% of all PDF files. One particularly notable PDF generator signature category is "Reporting/Records", which identifies documents like bank account statements and invoices. This identification also improves the automatic relevance judgement. PDF generator signatures are now output in the Metadata column, and they are available even for PDF files from which no metadata is extracted (if protected with certain encryption or if double-compressed).
There is now a user-editable file named "Generator Signatures.txt", which is similar to the other user-editable text files in X-Ways Forensics. You can edit it to adjust the relevance estimation that is part of metadata extraction. If for example knowing that a JPEG file was generated by a scanner is important for you (because you are a tax fraud or other white collar crime investigator interested in scanned documents), you would make sure that the "JPEG/Scan" group has a high weight (e.g. 9). That's the number after the tab in the line with the *** group definition. If such a file is of less importance to you (e.g. because the pictures that you have to look for are CP photos), then you reduce the weight of that group (setting it e.g. to 1). You can also edit the individual relevance of each generator in a group on a scale from 0 to 9, where 9 signifies highest relevance. You can also edit the textual descriptions of JPEG and PDF generator signatures in the text file.
Metadata extraction from PDF files slightly improved.
Better protection against corrupt PDF files, which can destabilize or totally crash the viewer component in certain situations (logical search or indexing with text decoding, file format specific encryption test, FuzZyDoc). The protection requires metadata extraction. Crash-safe text decoding also prevents crashes of the main X-Ways Forensics process in such cases.
Support for certain 3-byte escape sequences in certain East Asian ISO-2022 code pages in the text column.
Ability to find search terms that consist of at least 2 Asian language characters in East Asian ISO-2022 code pages (JIS), even if not directly adjacent to the leading escape sequence.
Increased stability when processing EDB databases. Events from EDB databases are added to the event list again like in v18.6 and earlier. Some minor improvements for EDB database processing.
HTML metadata extraction and HTML file type identification improved.
Events that are adopted into the event list from Windows .evtx event log files now always carry the event ID and record number in the Description column for filtering purposes.
Events in .evtx event logs can now optionally be adopted completely. Previously, only a subset was processed, the presumably "more important" event types.
Fixed inability to read the data of embedded files within large compressed files correctly.
Fixed a rare crash with certain TIFF files.
v18.7 [Jan 29, 2016]
Revised hiberfil.sys support for 64-bit Windows.
hiberfil.sys slack (compressed data from previous usage of a hiberfil.sys file, as found near the end, if the last usage achieved stronger compression than the previous usage) is now automatically extracted and decompressed as part of "Uncover embedded data in various file types" and provided as a child object in its decompressed form.
Accuracy of file type verification further improved. Fewer file types with generic extensions are now unnecessarily marked as "newly identified", but confirmed if the full filename is appropriate for the file type.
Verification of many more file types supported. In total the file type verification can now recognize more than 3,000 file types.
File carving methods implemented for .cwm (screen capture videos) and Windows 8's .accountpicture-ms files. .accountpicture-ms files are now by default targeted for uncovering embedded files.
Type verification supported for .thumbdata3 files (Android files that are found for example on SD cards).
E-mail extraction adjusted in such a way that certain Base64-encoded e-mails are shown correctly by external programs after Recover/Copy.
v18.5 [Sep 2, 2015]
Disk & Image Support
Support for Virtual Box disk images (VDI) of the default subtype "sparse" and the subtypes "fixed size" and "diff" (snapshots). Snapshot images, as usual, can only be interpreted if the parent is available and open and interpreted itself.
It is now possible to interpret images of various kinds (unsegmented raw images and most VHD/VMDK/VDI) and nature (disk/volume) even if they are stored within other images (forensic disk images created by yourself), without copying them off the outer image first. That can save a considerable amount of time, especially if after interpreting the contained image you can quickly see that it is not really relevant, and of course also drive space. First right-click the image in the directory browser and open it with the context menu's Open command in a separate data window. After that, use the command Specialist | Interpret Image File As Disk in the main menu to interpret the image. And then, once the volume snapshot has been taken, if you think that the image is relevant, you can add it to the active case as usual with the "Add to active case" command in the context menu of the data window's tab or with the Add command in the Case Data window's File menu.
When adding new evidence objects to the case, X-Ways Forensics now includes technical information about more than one Windows installation per partition in the evidence object properties if traces of more than one are found. That can happen for example if a Windows.old backup directory exists because of a Windows upgrade.
If partitions overlap, for example because one previously existing partition was partially overwritten by another partition, then a note is now displayed in the Messages window (only if you have configured the program to number partitions by disk location). This note should make unsuspecting users aware of the possible consequences, for example make them realize that potential errors when parsing the file system in the overwritten partition might be normal and not a reason to ask for assistance.
Support for HFS /HFSJ/HFSX when searching for lost partitions. An extra effort is made to reject false positives automatically. Supports sector sizes 512, 4096, and 8192 bytes.
Some improvements for parsing exFAT volumes.
Support for Ext4 journals with 64-bit block numbers.
Usability
The Export List command now remembers its own notation settings, separate from the notation settings in the General Options. That is useful because the database or spreadsheet program of your choice in which you wish to import the data may not like the formatting that you prefer to see in the directory browser (e.g. fractions of seconds in timestamps, time zone bias, weekdays in dates, delimiter between date and time, integer digit grouping, ...). While the Export List dialog window is on the screen, the directory browser in the background reflects the notation settings of the Export List command, as a kind of preview.
For your 9 most important report tables, keyboard shortcuts are now defined also to remove associations from the selected files. Ctrl n adds the selected files to the related report table, Alt n removes the associations. Useful if you accidentally press the wrong key combination or if you change your mind about the classification of a file, and wish to preserve associations with several other report tables (otherwise you could of course simply press Ctrl 0).
Menu command to close the active case without saving it. Usually the case and volume snapshots of all open evidence objects are always saved, at latest when the evidence objects and the case are closed. This may be undesirable for example if you accidentally lost your carefully set tag marks (by untagging all, with a misdirected click in the column header) or if you accidentally lost report table associations (by pressing Ctrl 0 for all selected files). In such a situation it is just important to invoke the new menu command as soon as possible, before the auto-save interval elapses next time. Afterwards you can open the case again, and find everything as it was last time when the case was saved, which means that on average you will only lose half the amount of work that you get done within the auto-save interval, not everything.
v18.4 [Jul 5, 2015]
Tentative support for 64-bit block numbers in Ext4.
Some inconsistencies within the inclusion of previously existing files and directories into snapshots of Ext3/Ext4 volumes in v18.3 were fixed.
Accelerated resolving of symlinks when taking a snapshot of volumes that contain many of the same.
More reliable hard-link counts in newly taken volume snapshots of Windows 8.1 installations, where the official hard-link counts in the FILE record headers often seem to be bogus.
Compensation for NTFS compression during the file header signature search now also works when carving at the byte level (completely or partially via flags).
Fixed possible errors when parsing UDF file systems.
Fixed an exception error that could occur when taking a snapshot of malformed FAT16 volumes.
Ability to delete all indexes for an evidence object by removing the "Already done" check mark. This will also clear the "i" flag from all indexed files in the volume snapshot.
Fixed sender and recipients filter for processed original .eml and other single-mail files. These filters did not work in v18.2 and v18.3.
Many minor improvements and some minor fixes.
Program help and user manual updated for v18.4.
v18.3 [May 14, 2015]
What's new in v18.3?
(please note that most changes affect X-Ways Forensics only)
Usability
Conditional cell background coloring is now available as an option in Options | Directory Browser. Helps to draw your attention to items of interest without having to filter out all non-matching items. Matching items are found through a substring search in the cell contents of a selected column. Substring expressions may be up to 15 characters long. If a match is detected in a cell, either only the background of that particular cell can be colored (called "cell-targeted coloring") or the entire line. To color an entire column, regardless of the cell contents, activate cell-targeted coloring for that column and specify an empty condition string, i.e. no condition at all.
If a cell meets multiple cell-targeted conditions or multiple line-targeted conditions, only the first condition of each group will be applied. If different conditions apply to the same cell (one cell-targeted and one line-target color), that cell will be shown in a mix of both colors. For line-targeted coloring, only the first 255 characters in the respective cell are guaranteed to be searched.
Conditions cannot be defined for search hit specific columns, but they can be defined for event specific columns. That can prove useful when trying to identify patterns in events. For example, you could color all events of type "Program started" red and log-in events yellow and see more easily how far apart from each other they are.
Conditional cell background coloring is case-specific if "Store directory browser settings in cases" is selected. The definitions are stored in a separate .cfg file named "Conditional Coloring.cfg". They are also included in .settings files. .settings files continue to be compatible with previous versions. Up to 255 conditions may be defined.
Some conditional color definitions for event lists that follow the SANS color scheme for activities are available for download to users of X-Ways Forensics and X-Ways Investigator (query your license status for the latest download instructions).
Automatic progress notifications via e-mail revised. If this feature didn't work for you in previous versions, in particular in the 64-bit edition, you may want to try again. You can now freely specify the SMTP port (by default 25, with 587 also being common) and conduct a test right from the dialog window with the settings (Options | General | Progress notification...). Remember to check your spam folder when looking for incoming automatically generated e-mail messages.
Larger thumbnail sizes supported in the gallery. Could be useful for users who prefer really large thumbnails and have a very high resolution display.
Ability to more easily print at least the cover page for file types which the viewer component does not support, for which it shows the message "The display engine for this format is not installed", e.g. Corel Draw or Wave files.
Ability to enable or disable the representation of a loaded viewer X-Tension in situations where it was not supported before.
Combined tag status now initially displayed in Name column header even in search hit lists and event lists.
Ability to totally remove excluded items from the volume snapshots of all the evidence objects that are included in an existing recursive exploration in the case root window, in a single step. Previously, that had to be done separately for each evidence object.
Automatically selecting the next item in the list after associating the current item with a report table is now optional. A 3-state checkbox allows you to do that either never or only for associations created with keyboard shortcuts or for all association methods.
No longer lists previously existing printers in print dialogs.
Chinese translation of the user interface updated.
v17.9 [Oct 2, 2014]
What's new in v17.9?
(please note that most changes affect the forensic edition of WinHex only, i.e. X-Ways Forensics)
File Type Support
The gallery can now show thumbnails for any file type that is supported by the viewer component, including Office documents, PDF, HTML, e-mails, and pictures that the internal graphics viewing library cannot display (e.g. .emf, .wmf, ...)!
You can choose between normal and shrunk thumbnails of documents. Shrunk thumbnails show much more detail from an original document and the original layout, but at the cost of readability. Larger fonts (in particular captions) in an original document, if not shrunk, are typically readable in the thumbnail and can already give you an idea what kind of document it is even if you don't view it, so you can more quickly find the documents that you are looking for. Plus, you will be able to see which documents can be nicely viewed with the viewer component at all. It is recommended to run X-Ways Forensics with Aero enabled in Windows when using the gallery.
Files that are larger than 16 MB are not represented with a thumbnail, for performance reasons. X-Ways Forensics tries to abort the generation of a thumbnail if it takes longer than a few seconds. If the generation of a true thumbnail is unsuccessful, you may see a viewer component error message like "Operation cancelled" in tiny red letters in the thumbnail instead. If thumbnail generation is not even attempted by X-Ways Forensics, you will just see the filename and an icon.
Extraction of Internet Explorer browsing history from the Windows.edb database. Visited URLs are added to the event list as part of Windows.edb processing in "Uncover embedded data in various file types". The URLs remain in Windows.edb even after erasing the browser history in Internet Explorer.
Extraction of contacts from Windows Live Messenger's contacts.edb database, using the operation "Uncover embedded data in various file types".
Certain previously valid timestamps of files are now output as events during various suboperations of the particularly thorough file system data structure search on NTFS, depending on a new refinement option "Provide by-catch timestamps from various sources as events", which may also affect other operations whose primary purpose is not the retrieval of timestamps/events.
Support for big data records in registry hives in the registry viewer and registry report.
Support for the Windows 8 version and some other new variants of AppCompatCache in the Windows Registry.
The alternative e-mail preview now supports Base64-encoded e-mail bodies.
Ability to decode fully Base64-encoded files in the volume snapshot and provide the resulting binary as a child object as part of "Uncover embedded data in various file types", provided that the encoded file has "b64" in the Type column.
An updated version of MPlayer (named 2014) is now downloadable from our web site.
Longer filter expression for video file processing supported.
Fix for geo information in BlackBerry JPEGs.
Fixed an exception error that could occur when extracting metadata from PE EXE (RLL).
A stability issue in the parsing of binary PLists (BPLists) has been fixed; it could occur with corrupted BPLists where the corruption took very specific forms.
Under certain circumstances, when exporting lists in XML format including the Metadata column, import as a spreadsheet in MS Excel led to an unhelpful structure. XML export has been improved to prevent this from happening.
Fixed a rare exception error that could occur when extracting metadata from .evtx Event Log files.
File System Support
The various optional suboperations of the particularly thorough file system data structure search in NTFS are now selectable more precisely, and in a child dialog window of the Refine Volume Snapshot dialog, and they now work much more efficiently on large volume snapshots.
Avoided inclusion of certain redundant files in the volume snapshot during FILE record searches.
Ability to filter for those 0x30 timestamps that do not predate their corresponding 0x10 counterparts. (Remember that this situation frequently occurs for various "natural" reasons, and only sometimes indicates malicious backdating.) Click the checkbox that is labelled with the "greater than" symbol to use this filter.
v17.8 [Jul 7, 2014]
Searching
- Option to apply logical simultaneous searches to various metadata of files in addition to the file contents. More precisely, they can be applied to the cells of any selected directory browser column such as Name, Author, Sender, Recipients or Metadata. That can spare you from pasting your keywords in the filter dialogs of various directory browser columns. That methodology is also more thorough because all the text addressed by this new feature is searchable in UTF-16, whereas elsewhere the same data may be fragmented (e.g. filenames in particular in FAT), specially encoded (e.g. sender and recipients as quoted printable in e-mails), compressed, or stored in unexpected code pages. It is also convenient because any hits will be presented in the same fashion and listed like ordinary search hits in file contents, just specially marked in the search hit description column with the name of the column to which the text containing the search hit actually belongs, and highlighted in a different color. You can also filter for search hits in metadata.
- When selecting search hits in metadata, they are automatically searched for and highlighted in Details mode, just as ordinary search hits in file contents are automatically searched for and highlighted in Preview mode.
- Note that the simultaneous search in metadata does not search in additional cell text that is displayed in a different color, such as alternative filenames and file counts in the Name column.
- Option to sort search hits by their data and context instead of just by the search terms to which they belong. Helpful for keyword searches (not technical, e.g. hex value, searches). Can be enabled in the dialog window Options | Directory Browser | [x] Advanced sorting (slower) | ... and is indeed slower since the data and context of all search hits to sort have to be read and converted to a comparable code page.
- Sorting by the data in search hits helps for GREP searches. It makes a difference only for GREP expressions that match variable data as for constant search terms the search terms and the data in their corresponding search hits are identical.
- Continuing sorting by the text that follows the actual search hit if the search hit data is the same will show identical or similar text passages next to each other and allow you to more quickly review the search hit list.
- You can specify how many characters of data and context to take into account for sorting. The more characters, the more memory is needed for sorting, which can make a difference when listing a huge number of search hits.
- Ability to filter search hits by the textual context around them (up to ~1000 bytes each left and right) using a user-specified keyword.
- The maximum amount of context around search hits when exporting them in HTML or TSV format is now 2x ~1000 bytes as well (500 before).
- User search hits are now marked with an icon representing users. Notable search hits and user search hits can now be filtered using the Search hits column filter.
Usability
- A multi-user support option synchronizes certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. Can have some performance benefits if disabled. Disabling this synchronization is recommendable only for cases that are definitely only processed by 1 user at a time. This is a substitute for one of the effects of the now removed option "Extended multi-user coordination" from previous versions.
- Since v17.5, X-Ways Forensics recognizes users by their SIDs and distinguishes between them (and their findings). This is now optional in newly created cases and can be disabled in the multi-user support options dialog when creating a new case. Useful if you know that only you will process that case and if you wish to process it on different computers where you have Windows accounts with different SIDs, so that you will always be treated as the same user. Also useful if multiple users are going to process the same case at different times and wish to share all their results, as in X-Ways Forensics before v17.5.
- Option to limit the import of another user's search hits to search hits that are marked as notable or to that user's manually defined search hits (so-called user search hits).
- Option to take away the search hits from the other user when importing them. Useful if the other user is going to resume his work later and will want to import *your* search hits back when he or she is taking over again, to avoid duplications of search hits, because your search hits include his or her hits after you have imported them.
- Ability to expand or collapse the entire file type tree in the dialog window for the file header signature search and file recovery by type. Useful because when expanded you can just type the first few characters of the file type description to automatically jump to the first matching item in the tree.
v17.3 [Sep 12, 2013]
Events & Timestamps
- Calendar mode now represents all timestamps from all 6 timestamp columns of the regular directory browser (instead of just 3) for all listed files (instead of only selected files). The darker the gray color in the calendar for a day, the more timestamps on that day. Hovering the mouse cursor over a day in the calendar tells you the number of timestamps that fall on that day. Left-clicking on a day sets that day as the left boundary for the combined timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day hones in on that particular day only. If the same file is listed more than once (which can happen in a search hit list if it contains more than 1 search hit), then its timestamps are also represented more than once in the calendar.
- For event lists, Calendar mode now shows the number of events on each day (all events that are currently listed) using different shades of gray (the darker, the more events on that day). That allows you to quickly figure out when there was most activity and when there was no activity. Hovering the mouse cursor over a day in the calendar tells you the number of events on that day. Left-clicking on a day sets that day as the left boundary for the event timestamp filter. Right-clicking on a day sets that day as the right boundary. Middle-clicking on a day filters for that particular day only.
- Years in the calendar with no timestamps are now grayed out. The number of a year is now displayed in a darker shade of gray the more timestamps are listed for that year. All shades of gray try to give the examiner a better and quicker impression of peaks or absence of activity.
- If the corresponding timestamp filter is active, years are printed in blue in Calendar mode to remind you of the filter. To turn off the filter, as always, click the blue filter symbol in the caption line of the directory browser.
- Event timestamps from FAT file systems are now output adequately. They are not translated to local time and do not show more precision than they actually have.
- Timestamps in the normal directory browser that meet the timestamp filter condition are now highlighted. Timestamps in an event list that are identical to the event timestamp are now also highlighted.
- Timestamps from 0x30 attributes in NTFS file systems are now output as events if actually different from their 0x10 counterparts and not identical to the 0x30 creation timestamp. They are marked as "0x30" in the Event Type column. Malware might give itself harmless looking timestamps after deployment, so that it does not seem to be related to the time of intrusion/infection. The 0x30 attribute timestamps, however, remain unaltered (except if the file is renamed or moved later), and that is the reason why some examiners are interested in them. If the time frame of intrusion/infection is known, related files might be found in the event list with v17.3 and later thanks to original 0x30 attribute timestamps.
- 0x30 timestamps are marked in the event list with an asterisk if they are later than the corresponding 0x10 timestamps, which seems unnatural and in some rare cases might be the result of backdating by the rightful users of the computers themselves. Under certain circumstances, backdating documents is seen as fraudulent and illegal. However, much more commonly 0x10 timestamps predating 0x30 timestamps is just the effect of installation programs or the result of copying a file or moving a file from one volume to another or extracting a file from a zip archive, where Windows or other programs artificially apply the original creation time of the source file to the destination once copying turns out to be successful (internal programmatic backdating).
- If the checkbox "Provide file system level timestamps as events" is only half checked, timestamps in 0x30 attributes are ignored for event generation, which is faster.
- Ability to filter for mere times, matching any possible date. For example if you are interested in unusual activity occurring in the middle of the night when the rightful office computer user is not working, you could filter for times such as between 22:00:00 and 05:59:59 (on a 24-hour clock). Obviously, selecting the right local time zone for the timestamp filter is crucial for this.
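As an added example (Python, not code from X-Ways Forensics), the 0x10/0x30 event rules described above, the asterisk marker for 0x30 timestamps later than their 0x10 counterparts (the same relation that the v17.9 filter for 0x30 timestamps not predating their 0x10 counterparts selects) and the time-of-day filter, applied to two constructed file records; the record layout, the timestamp values and the time zone offsets are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import List

UTC = timezone.utc
TZ_PLUS2 = timezone(timedelta(hours=2))    # assumed local zone of the system
TZ_MINUS5 = timezone(timedelta(hours=-5))  # a wrong zone, to show the effect


@dataclass
class FileRecord:
    """Constructed NTFS file record: 0x10 ($STANDARD_INFORMATION) and
    0x30 ($FILE_NAME) timestamps of one file, stored in UTC as on disk."""
    name: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


@dataclass
class Event:
    timestamp: datetime
    filename: str
    event_type: str                 # "Creation", "Modification" or "0x30"
    later_than_0x10: bool = False   # the asterisk marker for 0x30 events


# Constructed sample records, not real case data.
SAMPLE_RECORDS = [
    # The 0x10 creation time looks old, but the 0x30 attribute still
    # records when the file was actually placed on this volume.
    FileRecord("tools.exe",
               datetime(2013, 1, 10, 2, 30, tzinfo=UTC),
               datetime(2013, 1, 10, 2, 30, tzinfo=UTC),
               datetime(2014, 6, 18, 1, 12, tzinfo=UTC),
               datetime(2014, 6, 18, 1, 12, tzinfo=UTC)),
    # An ordinary document created and edited during office hours.
    FileRecord("notes.txt",
               datetime(2014, 6, 18, 11, 0, tzinfo=UTC),
               datetime(2014, 6, 18, 14, 30, tzinfo=UTC),
               datetime(2014, 6, 18, 11, 0, tzinfo=UTC),
               datetime(2014, 6, 18, 11, 0, tzinfo=UTC)),
]


def fs_events(rec: FileRecord, include_0x30: bool = True) -> List[Event]:
    """File-system-level events for one record, following the rules above."""
    events = [Event(rec.si_created, rec.name, "Creation")]
    # Modification is dropped as an event if identical to creation.
    if rec.si_modified != rec.si_created:
        events.append(Event(rec.si_modified, rec.name, "Modification"))
    if not include_0x30:            # half-checked box: ignore 0x30 attributes
        return events
    for fn_ts, si_ts, is_creation in ((rec.fn_created, rec.si_created, True),
                                      (rec.fn_modified, rec.si_modified, False)):
        # A 0x30 timestamp becomes an event only if it differs from its 0x10
        # counterpart and (for non-creation stamps) from the 0x30 creation time.
        if fn_ts == si_ts or (not is_creation and fn_ts == rec.fn_created):
            continue
        events.append(Event(fn_ts, rec.name, "0x30", later_than_0x10=fn_ts > si_ts))
    return events


def timeline(records=SAMPLE_RECORDS, include_0x30: bool = True) -> List[Event]:
    events = [e for r in records for e in fs_events(r, include_0x30)]
    return sorted(events, key=lambda e: e.timestamp)


def in_time_window(ts: datetime, tz: timezone, start: time, end: time) -> bool:
    """True if the local wall-clock time of ts lies within [start, end];
    a window that wraps midnight (start > end) is handled."""
    local = ts.astimezone(tz).time().replace(microsecond=0)
    if start <= end:
        return start <= local <= end
    return local >= start or local <= end


def off_hours_events(events: List[Event], tz: timezone,
                     start: time = time(22, 0, 0),
                     end: time = time(5, 59, 59)) -> List[Event]:
    """Keep only events whose local time falls into the night window."""
    return [e for e in events if in_time_window(e.timestamp, tz, start, end)]


if __name__ == "__main__":
    for e in off_hours_events(timeline(), TZ_PLUS2):
        mark = "*" if e.later_than_0x10 else " "
        print(f"{e.timestamp:%Y-%m-%d %H:%M:%S} {e.event_type:<12}{mark} {e.filename}")
```

With the assumed UTC+2 zone only the two tools.exe events fall into the night window; with UTC-5 none do, which is the time zone caveat from the text.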
- Omits modification and record update timestamps as events if identical to the corresponding creation timestamp, just as access timestamps already in previous versions.
- More events are now generated from internal file contents: Internal creation in various file formats, last saved in Office documents and RTF, boot time from ETL (event trace log) files, attach timestamps from EDB, signing date from EXE/DLL/SYS/..., Exif timestamps in photos.
- Support for more event types in .evtx event logs.
- Clickable offsets in the HTML representation of Windows .evtx event logs.
v17.1 [May 14, 2013]
Another typical X-Ways feature that cements X-Ways Forensics' position as the tool that gives its users the greatest amount of control when selecting/targeting/filtering data at any conceivable level: The ability to create forensic physical skeleton disk images, which contain only those sectors that are needed for certain purposes, while maintaining compatibility with other tools. These can be sectors with partition tables, file system data structures, their neighboring sectors as well as sectors with file contents or any sectors in unpartitioned no man's land. A skeleton image is typically sparsely populated with data, with vast areas in between remaining undefined, so that it makes sense to utilize NTFS sparse file technology for it. Unwritten areas in the skeleton image will act as if zeroed out when read later.
You start skeleton imaging by invoking the File | Create Skeleton Image menu command. Which sectors will be copied into the image from then on is defined indirectly, by making X-Ways Forensics read those sectors from the source disk that are needed for a certain purpose. When the target image is open in the background, next you typically open the disk or partition or open and interpret the image that you wish to acquire partially. That way it will be automatically defined as the source, and that way even the read operations during the important opening or interpretation step are captured, when partition tables and boot sectors are parsed, so that these essential data structures that define partitions and identify file systems are included in the skeleton image without having to select the relevant sectors manually.
After opening a partitioned physical disk, you have a "basic skeleton" in your target image: Partition tables pointing to partition boot sectors or nested partition tables, whose function is to support all the other data in between (file system data and user data). If you also wish to ensure that from the skeleton image it is possible to take a volume snapshot of a certain partition, i.e. get a listing of all files and directories referenced by the file system in that partition, then you open that partition from the source hard disk so that a volume snapshot is taken. Again, all the sectors read from the source hard disk in the process are simultaneously copied to the image, and those contain the file system data structures, e.g. $MFT in NTFS, all directory clusters in FAT, the catalog file in HFS+ etc. etc. That adds considerably more administrative data and also metadata to your skeleton image, but still no or almost no user content. Unrelated sectors that are not used by the file system are not read and therefore not copied. That also means that the ability to find previously existing files in the skeleton image will be limited.
The dialog window to change the state of the target image also allows you to close it, i.e. stop the acquisition for the moment or finalize the image. The same skeleton image can be further completed at any later time by selecting it again with the "Create Skeleton Image" command, but then you choose to not overwrite, but to update it.
v17.0 [Mar 27, 2013]
1. Network Dongles
--Ability to unlock X-Ways Forensics 17.0 and later (also v16.9 SR-4 and v16.8 SR-10) with network dongles. Network dongles are available now as a substitute for regular dongles.
A single network dongle can represent x licenses and substitute x regular dongles and allow the users to run X-Ways Forensics on x machines on the same network at the same time.
The network dongle is attached to any of the computers on the network and made available to the clients by a dongle server program or service. If multiple network dongles are found by a client, the user may choose one of them when starting up X-Ways Forensics.
2. File System Support
--In volume snapshots of HFS+ volumes with hard links, you can now view hard-linked files directly and do not have to look up the corresponding so-called indirect node file manually (the one whose name contains the iNode number, which is specified in the Comments column).
--The taken volume snapshots now support a concept of "related" files, related in ways other than a parent-child or sibling relationship. For example, the related file for hard links in HFS+ is the corresponding indirect node file. The related file for files that were found in volume shadow copies in NTFS is the volume shadow copy host file. The related file for a volume shadow copy host file is the corresponding snapshot properties file (called "snapprop" in the Type column). More kinds of n:1 relationships are conceivable in future versions. Files for which a related file is defined get their icons marked with a small blue downward pointing arrow on the left-hand side.
--A command in the directory browser context menu (Navigation submenu) allows you to conveniently find the related file if one exists for the selected file. You may also press Shift+Backspace to navigate to the related file. This is similar to just hitting the Backspace key, which navigates to the parent file or directory.
--For files found by v17.0 and later in volume shadow copies, the Attr. column now points out the sequential number of the snapshot in which they were found, as indicated by the snapshot properties file.
3. File Format Support
--The "Uncover embedded data" function uses some special algorithms for certain file types (Windows.edb, thumbs.db, PLists) and byte-level carving for all other host file types. This carving was limited to embedded JPEG and PNG files in previous versions (+EMF in multi-page printer spool .spl files). Now embedded files of any type whose definition in the File Type Signatures Search.txt file comes with a tilde (~) algorithm and is marked with a new flag "e" (for "embedded") will be carved. As a very good example of this new flexibility, .lnk shortcut files are now carved within customdestinations-ms jumplists.
--Special extraction of objects (pictures and others) embedded in OLE2 compound files such as MS Word .doc and MS PowerPoint .ppt, in which previously only JPEG and PNG were found, and only through ordinary carving. Embedded pictures are now often output with their original name or designation in the document and are extracted correctly even if fragmented within the OLE2 compound file.
4. Disk Support, Disk Imaging
--Since v16.3 it has been possible to reconstruct RAID level 5EE by simply selecting a compatible RAID level 6 variant. Now it is possible to select RAID 5EE systems specifically and to reconstruct them even if one component disk is missing. RAID 5EE with forward and backward parity is supported.
--Detection of Windows dynamic volumes larger than 2 TB on GPT LDM partitioned disks.
5. Methodology
--Ability to assign file types to a so-called group, a new concept, which is not identical to a file type category. Useful for example if your standard procedure is to let examiner A check out pictures and videos, examiner B documents, e-mail, and other Internet activity, and examiner C operating system files of various kinds, because of their specializations. You can give these groups meaningful names and filter for them, also using the Type Status dialog window. The groups are displayed in the Type filter.
6. Usability
--Ability to refine the volume snapshot for selected files only, via the directory browser context menu.
--Ability to store most filter and all sort settings in the active case and load them again automatically when a case is opened. See Options | Directory Browser.
v16.5 [May 27, 2012]
File Format Support
Ability to view browser SQLite databases after generating previews for them using a new option in Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and more. This requires that the files have been checked for their true file type (or are checked at the same time). Supports Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, and Safari feeds, also Skype's main.db database with contacts and file transfers.
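The previews described above are built by reading the browsers' SQLite stores and converting their native timestamp formats. The following is an added example (not X-Ways code, and not tied to any real profile) that shows the two conversions a practitioner has to get right: Chrome's History database stores microseconds since 1601-01-01 UTC (the WebKit epoch) in urls.last_visit_time, while Firefox's places.sqlite stores microseconds since 1970-01-01 UTC in moz_places.last_visit_date, which may be NULL for never-visited bookmarks. The table layouts are reduced to the columns used here and the rows are constructed sample data; the HTML renderer escapes every cell so a hostile URL or page title cannot inject markup into the preview, and it starts a new table every max_rows rows, which is the same idea as the row-splitting option mentioned further down for viewers that cannot cope with very large tables.

```python
import html
import sqlite3
from datetime import datetime, timedelta, timezone

# Epochs used by the two browsers' SQLite stores.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome: microseconds since 1601
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Firefox: microseconds since 1970


def chrome_time(us):
    """Chrome/WebKit timestamp (microseconds since 1601-01-01 UTC) to aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def firefox_time(us):
    """Firefox PRTime (microseconds since 1970-01-01 UTC) to aware datetime."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def build_samples():
    """Constructed in-memory stand-ins for Chrome's History and Firefox's places.sqlite,
    reduced to the columns used here. Sample rows, not data from a real profile."""
    chrome = sqlite3.connect(':memory:')
    chrome.execute('CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, '
                   'visit_count INTEGER, last_visit_time INTEGER)')
    chrome.executemany('INSERT INTO urls VALUES (?,?,?,?,?)', [
        (1, 'https://example.com/', 'Example Domain', 3, 13283345730000000),
        (2, 'https://example.org/<script>', 'Angle & brackets', 1, 13283345790000000),
    ])
    firefox = sqlite3.connect(':memory:')
    firefox.execute('CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, '
                    'visit_count INTEGER, last_visit_date INTEGER)')
    firefox.executemany('INSERT INTO moz_places VALUES (?,?,?,?,?)', [
        (1, 'https://example.com/', 'Example Domain', 3, 1638872130000000),
        (2, 'https://example.net/', 'Bookmark, never visited', 0, None),
    ])
    return chrome, firefox


def chrome_history(conn):
    """(url, title, visit_count, ISO 8601 UTC last visit) per Chrome URL row."""
    return [(url, title, visits, chrome_time(t).isoformat())
            for url, title, visits, t in conn.execute(
                'SELECT url, title, visit_count, last_visit_time FROM urls '
                'ORDER BY last_visit_time')]


def firefox_history(conn):
    """Same for Firefox; rows without a last visit are skipped rather than mis-decoded."""
    return [(url, title, visits, firefox_time(t).isoformat())
            for url, title, visits, t in conn.execute(
                'SELECT url, title, visit_count, last_visit_date FROM moz_places '
                'WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date')]


def to_html_tables(rows, header, max_rows):
    """Render rows as HTML tables, starting a new table every max_rows rows.
    Every cell is HTML-escaped so browser data cannot inject markup into the preview."""
    head = '<tr>' + ''.join(f'<th>{html.escape(h)}</th>' for h in header) + '</tr>'
    tables = []
    for start in range(0, len(rows), max_rows):
        body = ''.join(
            '<tr>' + ''.join(f'<td>{html.escape(str(c))}</td>' for c in r) + '</tr>'
            for r in rows[start:start + max_rows])
        tables.append(f'<table>{head}{body}</table>')
    return tables


if __name__ == '__main__':
    chrome, firefox = build_samples()
    header = ('URL', 'Title', 'Visits', 'Last visit (UTC)')
    for table in to_html_tables(chrome_history(chrome) + firefox_history(firefox), header, 2):
        print(table)
```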
Ability to view Internet Explorer index.dat files after generating previews for them with the same function.
A permanent preview can now be generated for $UsnJrnl:$J as part of metadata extraction, so that it does not have to be generated on demand when viewing or previewing this journal, which can be time-consuming for large specimens (potentially several GB).
Ability to generate permanent previews as child objects also for Windows Event Logs (.evt and .evtx).
The previews are stored in the volume snapshot as child objects, usually in HTML format. These child objects are not only used internally by X-Ways Forensics for previews of the parent file. You can also view all of them in an external program such as your preferred browser or in MS Excel, by sending these child objects to the program of your choice (directory browser context menu). The existence of HTML child objects with searchable text for browser data, event logs and probably more data sources in future releases also improves the effectiveness of logical searches and indexing.
Ability to split HTML tables in the previews of browser databases and event logs after an arbitrary number of rows. You can set this number much higher if you do view the HTML previews externally with your preferred Internet browser and not with the viewer component, which cannot deal with very large tables.
Ability to view Outlook NK2 auto-complete files, Outlook WAB address books, and Internet Explorer travellog files (a.k.a. RecoveryStore).
Automatic highlighting of aligned FILETIME values in Disk/Partition/Volume and File mode. Useful when manually inspecting files of various Microsoft formats which may contain more timestamps than can be automatically extracted (try e.g. with index.dat, registry hives, .lnk shortcut files etc. etc.). If the lower half of a data window has the focus and FILETIME values are highlighted, you may also hover the mouse cursor over such a value to get a human readable interpretation of the timestamp. Alternatively, of course, you could get it from the data interpreter if you click the first byte of the value.
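What the highlighting does can be reproduced with a few lines of code. The following is an added example, not part of X-Ways Forensics, that scans a buffer at a chosen alignment, interprets each 8-byte little-endian value as a FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and keeps only those that fall into a plausible date window; the window bounds and the sample buffer are assumptions made up for the example. It also shows the caveat behind the word "aligned": a timestamp that sits at a 4-byte but not an 8-byte boundary is only found when the scan step is lowered.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, little-endian 64-bit.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Plausibility window for "looks like a timestamp". The bounds are an assumption
# chosen for this example; tighten them to the case at hand.
PLAUSIBLE_FROM = datetime(1995, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2040, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Raw FILETIME integer to aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for aware datetimes."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def find_aligned_filetimes(data, alignment=8):
    """Scan data at the given alignment and return (offset, datetime) for every
    8-byte little-endian value that decodes to a date inside the plausibility window."""
    lo = datetime_to_filetime(PLAUSIBLE_FROM)
    hi = datetime_to_filetime(PLAUSIBLE_TO)
    hits = []
    for offset in range(0, len(data) - 7, alignment):
        value = struct.unpack_from('<Q', data, offset)[0]
        if lo <= value <= hi:   # cheap integer test before any datetime arithmetic
            hits.append((offset, filetime_to_datetime(value)))
    return hits


def describe(data, alignment=8):
    """Human-readable listing, the equivalent of the hover tooltip."""
    return [f'0x{off:04X}: {dt.isoformat()}'
            for off, dt in find_aligned_filetimes(data, alignment)]


# Constructed sample buffer (not taken from any real file): one FILETIME at an
# 8-byte-aligned offset and one that is only 4-byte aligned, with padding around them.
FT_2021 = datetime_to_filetime(datetime(2021, 12, 7, 10, 15, 30, tzinfo=timezone.utc))
SAMPLE = (
    b'\x00' * 8                               # 0x00: zero, never a plausible timestamp
    + struct.pack('<Q', FT_2021)              # 0x08: 8-byte-aligned FILETIME
    + b'AAAA'                                 # 0x10: padding
    + struct.pack('<Q', 0x01D7EB4FFFFFFFF0)   # 0x14: FILETIME in Dec 2021, 4-byte aligned only
    + b'\x00' * 4                             # 0x1C: padding
)

if __name__ == '__main__':
    print('alignment 8:', describe(SAMPLE, 8))   # finds only the value at 0x08
    print('alignment 4:', describe(SAMPLE, 4))   # also finds the value at 0x14
```

The integer range test does the filtering; the values straddling the two real timestamps (offsets 0x04, 0x0C, 0x10, 0x18 in the 4-byte scan) all decode to years far outside the window and are dropped, which is why such a scan produces few false positives on real binaries.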
Ability to extract metadata from MS Access database files.
Metadata extraction from Manifest.mbdx and Manifest.mbdb iPhone backup files.
Registry report definition files revised. New definition file Reg Report Autorun.txt included.
Automatic extraction of .lnk shortcut files from automaticdestinations-ms jump lists during volume snapshot refinement.
Improved ability to deal with corrupt .evtx event log files.
E-mail Support
New method for the extraction of e-mail messages and attachments from MSG files, which does not require MAPI.
Revised extraction of e-mail messages and attachments from DBX and MBOX e-mail archives.
Revised extraction of attachments from original .eml files.
PST e-mail extraction slightly improved and completed.
Ability to select the new extraction methods individually for PST, MSG, DBX, MBOX, and EML. The old extraction method for PST and MSG is a method previously described as "MAPI". The new method for PST was introduced long ago already and is the recommended standard setting. The new methods for all other file types are new to v16.5. The old extraction methods will probably not be offered any more in future versions of X-Ways Forensics.
Preview available for Outlook Express DBX e-mail archives.
File System Support
Support for MBR LVM2 and GPT LVM2 partitioned disks as commonly used by Fedora/Red Hat and also available in Debian and Ubuntu. Single-disk setups (like the default behaviour when installing Fedora on an ordinary hard disk) and spanned volumes (i.e. logical volumes spanning several physical disks) are supported; the latter require all constituent disks/images to be open in X-Ways Forensics in order to find all the data required.
Ability to reconstruct Linux software RAIDs from partitions. The partitions need to be opened before they can be selected.
Support for various UDF file system versions and specialties revised and considerably extended: Improved support for UDF when used on media other than optical discs, as well as added support for virtual partitions, metadata partitions, and named streams (the UDF equivalent of alternate data streams from NTFS).
v15.6 [Mar 2, 2010]
Matches with multiple hash sets for the same file are now supported by the hash set column, and therefore also by the hash set filter.
When importing a hash set, X-Ways Forensics automatically filters out duplicate hash values within that hash set. This has a big effect on the US NIST NSRL RDS database, for example, and reduces its size tremendously. If your hash database already contains hash sets with duplicates, those will be eliminated by v15.6 as well, next time when you import any other hash set. Hash databases used by v15.6 and later cannot be opened any more by v15.1 or earlier.
X-Ways Forensics can now usually recognize the true sector count according to ATA on ATA/SATA hard disks in situations where that failed (returned a question mark only) in previous versions. Useful to detect an attempt to limit the addressable capacity of a hard disk using an HPA (host-protected area) or DCO (device configuration overlay).
Whenever X-Ways Forensics checks for an HPA/DCO (that is, when imaging a hard disk, when adding it to a case, or when creating a Technical Details Report for it) and actually detects one, it now offers to either temporarily or permanently deactivate the HPA/DCO and make the full official disk capacity accessible, so that you can e.g. image the hard disk in its full size before it returns to its original state the next time it powers down.
The Technical Details Report can now retrieve the internal error count recorded by hard disks if available through the SMART interface.
Simple and quick plausibility check for internally reconstructed RAID 5 that warns you immediately after reconstruction if the parity does not match.
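The check rests on one property of RAID 5: the parity block of a stripe is the XOR of its data blocks, so all n blocks at the same offset XOR to zero no matter where the parity is rotated to. The following is an added example, not X-Ways code, that builds a small left-symmetric array (the layout Linux md uses by default) from constructed sample data, runs that plausibility check, rebuilds a missing member from the survivors, and reassembles the logical payload. The stripe size and member count are example values. Note the limit of the check, which the example makes visible: because the XOR is taken per byte offset across all members, it passes for any assumed stripe size and any assumed rotation, so a clean parity result confirms that the right members are present and intact, not that the reconstruction parameters are correct.

```python
def xor_blocks(blocks):
    """Bytewise XOR of equally sized byte strings."""
    acc = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            acc[i] ^= x
    return bytes(acc)


def build_raid5(payload, n_disks, stripe_size):
    """Lay payload out as a left-symmetric RAID 5: parity of stripe s sits on disk
    (n_disks - 1 - s) % n_disks and the data blocks follow it, wrapping around.
    Returns one bytes object per member disk."""
    per_stripe = (n_disks - 1) * stripe_size
    payload += b'\x00' * ((-len(payload)) % per_stripe)
    disks = [bytearray() for _ in range(n_disks)]
    for s in range(len(payload) // per_stripe):
        chunk = payload[s * per_stripe:(s + 1) * per_stripe]
        data = [chunk[i * stripe_size:(i + 1) * stripe_size] for i in range(n_disks - 1)]
        p = (n_disks - 1 - s) % n_disks
        stripe = [None] * n_disks
        stripe[p] = xor_blocks(data)
        for i, blk in enumerate(data):
            stripe[(p + 1 + i) % n_disks] = blk
        for d, blk in zip(disks, stripe):
            d += blk
    return [bytes(d) for d in disks]


def parity_mismatches(disks, stripe_size):
    """Plausibility check: all blocks of a stripe XOR to zero in an intact RAID 5,
    whatever the rotation. Returns the stripe numbers where that fails, which points
    at a corrupt or stale member (or a wrong member). It cannot detect a wrong
    stripe size or rotation scheme, since the XOR is taken per byte offset."""
    n_stripes = min(len(d) for d in disks) // stripe_size
    return [s for s in range(n_stripes)
            if any(xor_blocks([d[s * stripe_size:(s + 1) * stripe_size] for d in disks]))]


def rebuild_missing(disks):
    """Reconstruct the one member given as None as the XOR of all surviving members."""
    missing = disks.index(None)
    rebuilt = xor_blocks([d for d in disks if d is not None])
    return disks[:missing] + [rebuilt] + disks[missing + 1:]


def read_left_symmetric(disks, stripe_size):
    """Reassemble the logical payload, skipping the rotating parity block."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // stripe_size):
        p = (n - 1 - s) % n
        for i in range(n - 1):
            out += disks[(p + 1 + i) % n][s * stripe_size:(s + 1) * stripe_size]
    return bytes(out)


# Constructed sample: 48 bytes on three members with 4-byte blocks. Real arrays use
# 64 KiB or larger stripes; the tiny size only keeps the example readable.
PAYLOAD = b'The quick brown fox jumps over the lazy dog.....'
DISKS = build_raid5(PAYLOAD, 3, 4)


def demo():
    damaged = list(DISKS)
    damaged[0] = DISKS[0][:9] + bytes([DISKS[0][9] ^ 0xFF]) + DISKS[0][10:]
    rebuilt = rebuild_missing([DISKS[0], None, DISKS[2]])
    return {
        'intact': parity_mismatches(DISKS, 4),               # []
        'wrong_stripe_size': parity_mismatches(DISKS, 8),    # [] too: size is not validated
        'damaged': parity_mismatches(damaged, 4),            # [2]: byte 9 lies in stripe 2
        'rebuild_ok': rebuilt[1] == DISKS[1],
        'readback_ok': read_left_symmetric(rebuilt, 4) == PAYLOAD,
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```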
v13.2 [Aug 16, 2006]
For information on changes of each version, go to http://www.x-ways.net/winhex/mailings/index-d.html