It's always interesting to read the issues people have been having with the new versions of FTK & EnCase. I was just curious if there are many others out there who are using X-Ways Forensics as their primary tool now & if not, what are the reasons for not choosing it? Have you had bad experiences, is it just too low profile, too complex for beginners?
I see occasional references to X-Ways on this forum, but it definitely still seems to be a minority tool despite its relative stability, powerful features and low cost - as it is about to hit version 15 & is certainly mature enough now, I would like to hear others views!
I don't have a full forensic license, but I do use the "specialist" licence I have, and very frequently - in conjunction with others to allow for verification.
Perhaps not as fully featured as others, but heck - it works 100% of the time! That seems to be a unique selling point in this industry!
-P
Greetings,
I have a forensic license, which I need to renew. It's been a valuable asset on several occasions.
-David
I have used X-Ways Forensic for many years now and consider it a valuable component of my toolkit. While it may not be as "automated" as FTK or EnCase it is a very powerful tool and one I often use to verify my findings.
We have been using X-Ways for years with great results. One of the best things they started about 2 years ago is a new model. First there is the full forensic license for the "specialist" to do all the pre-work for the investigators (hashing, filtering and so on). Then you can set up this case on a server and, with the much cheaper investigator's license, they can open only their own cases (read only) with installed viewers and all the stuff they need. Nice and cheap solution.
Siggi
lol
We also use EnCase, FTK and X-Ways; every product has its specialities and advantages, but X-Ways has become my favourite tool. It is very flexible and progressing!
In addition Stefan Fleischmann offers great service and support!
I can fully recommend X-Ways
Chris
X-Ways is fast becoming my main integrated tool. Since attending a training they had back in March my use of the product has increased dramatically. It's a great tool, but not the most intuitive product out there. I highly recommend the training to get the full value out of the product. Support for it is also excellent!
Hello everyone,
This mailing is to announce a noteworthy update, v15.0.
WinHex evaluation version: http://www.x-ways.net/winhex.zip
Owners of X-Ways Forensics/X-Ways Investigator and licensed users whose update maintenance has expired please go to http://www.x-ways.net/winhex/license.html for more information such as download links, update maintenance, and upgrade offers.
WHAT'S NEW?
* X-Ways Forensics now features a totally revised indexing algorithm that a lot of effort has been put in. This algorithm specifically utilizes multiple processor cores and on systems that have multiple processor cores runs faster than its predecessor, in particular when taking the (optional) optimization step into account.
* The file type signatures database now distinguishes between signatures that are useful for file type verification only (to verify the type of files that are already contained in the volume snapshot, forensic license only) and signatures that are strong and important enough to also use them for a file header signature search, i.e. to find additional, previously existing files. To that end, two separate definition text files now ship with X-Ways Forensics. The idea is to keep unsuspecting users from blindly selecting all file types for the search, from getting too many false positives for weak signatures as a consequence, from getting too many garbage files (e.g. overlapping MPEG fragments that cannot be played), from getting too many irrelevant files (e.g. font files, cursor files), from unnecessarily suffering from a slow search speed, and from complaining about all of this. Of course it's still possible to manually add new file type definitions for file header signature searches or to consciously move file type definitions from one definition file to the other if you know what you are doing.
* File type signature and category definitions have been further expanded. Support for up to 4096 file type signature definitions for file type verification and up to 1024 definitions for file header signature searches, as opposed to just 255 before.
* The naming conventions for carved files have been slightly changed. Files are now named based on an incrementing number that is unique for each evidence object.
* Previously existing files whose first clusters are known to be overwritten are no longer checked for their true file type.
* When verifying file types, for files that are not recognized by any entry in the file header signature database, X-Ways Forensics now makes additional attempts at detecting the file type. Useful to recognize file types that do not have a fixed signature, e.g. .eml e-mail messages, programming language source code, batch files, various other kinds of text files, and many more.
* The names of extracted .eml files are now usually more authentic, especially if the subject line is encoded in an Asian code page. Some minor improvements in e-mail processing.
* When including report tables in the case report, to render the report horizontally more compact (e.g. for printing), it is now possible to artificially break the filename and path lines after a user-defined number of pixels. Helps to avoid the report becoming wider than a printable page, especially when referencing more than one file per row in a report table.
* It is now possible in X-Ways Forensics to manually define a block in Volume/Partition/Disk mode and add it to the volume snapshot as a carved file. Useful if you wish to treat data in a certain area (e.g. HTML code or e-mail messages found floating around in free space) as a file, e.g. to view it, search it specifically, comment on it, add it to a report, etc. The command for that can be found in the Edit menu.
* A new directory browser option called "Full path sorting" for objects that have child objects has been introduced. The effect is that, after exploring recursively, if sorted by path, child objects will be listed directly after their respective parents (e.g. files after their parent directories, e-mails after the e-mail archives from which they have been extracted, e-mail attachments after their containing parent e-mail messages, compressed files after their parent archives, etc.).
* Zip and Rar archives that X-Ways Forensics knows contain encrypted files are now marked as encrypted themselves, with "e!" (file format specifically encrypted) in the Attribute column. Allows you to focus on such files more conveniently than before using the Attribute filter. (And some users didn't realize how it was possible before.)
* When viewing search hits in the decoded version of e.g. PDF documents in raw preview mode, you now see the exact raw decoded text as used for searching. This can be useful if the viewer component cannot highlight a search hit in the regular view of the PDF document.
* Two more external programs can be defined.
* The first portion of the Details mode ("Data from the Volume Snapshot") is now displayed as a table, which is visually more appealing.
* Metadata extraction from BMP files and (on logical drive letters) EXE/DLL files.
* RAID reconstruction: stripe size of 1 sector now supported.
* Various other minor improvements. Several exception errors fixed that could occur in very specific situations.
* Please note that .cfg configuration files from previous versions cannot be imported any more.
* v8.2.2 of the viewer component has been made available on May 31, 2008. It now supports the JPEG 2000 file type, officially runs under Windows 2008 Server, and contains various patches and bug fixes. Installing this update is recommended.
* The original version of X-Ways Forensics 14.9 did not automatically load the viewer component for the encryption test, so unless the viewer component was utilized in the same session before, an error message appeared. This was fixed with v14.9 SR-1.
* Fixed some checkboxes in the Attribute filter dialog. (since v14.9 SR-2)
* When copying files with child objects from a recursive view without recreating the original paths, X-Ways Forensics no longer creates empty subdirectories named after these files. (since v14.9 SR-2)
* Fixed an error that could occur when attaching a file to a file in the root directory of a volume. (since v14.9 SR-2)
* Fixed an infinite loop that could occur in some very rare situations when finding OLE2 compound files via signatures. (since v14.9 SR-3)
* When applying a logical search to selected files in a recursively explored directory, pausing the search to preview search hits previously caused the search to be aborted. This was fixed. (since v14.9 SR-3)
* An instability issue in the indexing algorithm was fixed. (since v14.9 SR-3)
* Fixed a rare error where filenames were read incorrectly from certain Ext* directory entries. (since v14.9 SR-3)
* An error was fixed that under certain circumstances could lead to attachments copied to containers incorrectly showing up in "Path unknown". (since v14.9 SR-3)
* \b GREP anchor now works when 16-bit option is enabled. (since v14.9 SR-4)
* hiberfil.sys decompression now more like the original Microsoft code. (since v14.9 SR-4)
* Prevented possible accidental duplication of files with child objects in evidence file containers. (since v14.9 SR-5)
* Prevented certain exception error when extracting e-mail messages from e-mail archives. (since v14.9 SR-5)
* Since v14.8, the owner column in the directory browser was not filled any more on certain NTFS volumes. This was fixed. (since v14.9 SR-5)
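The split between "verification only" signatures and signatures strong enough for a file header signature search, as described in the announcement above, illustrated with an added Python model (my own code, not X-Ways'; the signature table and the "disk image" are constructed, and the TrueType magic stands in for any short, weak signature):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    ext: str
    magic: bytes   # bytes expected at offset 0 of a file of this type
    strong: bool   # distinctive enough for a file header signature search?

# Signature table (constructed); the strong flag plays the role of v15's
# second definition file, the one used for file header signature searches.
SIGNATURES = [
    Signature("JPEG", "jpg", b"\xff\xd8\xff", True),
    Signature("PNG", "png", b"\x89PNG\r\n\x1a\n", True),
    # The 4-byte TrueType magic is also the little-endian integer 256, which
    # is common in arbitrary binary data: fine for verification, poor for carving.
    Signature("TrueType font", "ttf", b"\x00\x01\x00\x00", False),
]

def verify_type(data: bytes, claimed_ext: str) -> str:
    """File type verification for a file already in the volume snapshot: the
    start offset is known, so every signature (weak ones included) may be used."""
    for sig in SIGNATURES:
        if data.startswith(sig.magic):
            return "verified" if sig.ext == claimed_ext.lower() else f"mismatch:{sig.ext}"
    return "unknown"

def header_search(image: bytes, carving_only: bool = True) -> list:
    """File header signature search over raw bytes (e.g. free space).
    With carving_only=True only signatures flagged strong are used."""
    hits = []
    for sig in SIGNATURES:
        if carving_only and not sig.strong:
            continue
        pos = image.find(sig.magic)
        while pos != -1:
            hits.append((pos, sig.name))
            pos = image.find(sig.magic, pos + 1)
    return sorted(hits)

def build_image() -> bytes:
    """Constructed 'disk image': filler of small little-endian integers (which
    happens to contain 256, i.e. the TrueType magic) around one JPEG and one PNG header."""
    filler = b"".join(i.to_bytes(4, "little") for i in range(200, 300))
    return filler + b"\xff\xd8\xff\xe0JFIF" + filler + b"\x89PNG\r\n\x1a\nIHDR" + filler

if __name__ == "__main__":
    img = build_image()
    strong, every = header_search(img), header_search(img, carving_only=False)
    print(f"strong only: {strong}\nall signatures: {every} ({len(every) - len(strong)} false positives)")
```

Searching with every signature turns each copy of the filler into a bogus "TrueType font" hit, while the same weak signature is perfectly usable to verify a file whose start is already known.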
Thanks all!
The reason I threw out that question is that over recent years, X-Ways has been increasingly used in my department & I have to say my own experience echoes that of Chris (Itagent2000). The only thing bothering me was the relative lack of mentions in forums such as this, and I was simply wondering if that was because others were finding faults or limitations with it that I wasn't aware of. Thankfully that doesn't seem to be the case & they seem to be steadily building a dedicated following of users who don't have too much to complain about!
One thing I would dispute from some of the replies is mentions of lack of features or automation. Actually, there are very few features lacking in X-Ways compared with other tools & the automation is very effective once you are used to it.
& of course… Stefan's amusingly direct answers to technical support questions on the restricted users forum are worth the price of purchase alone!
I tend to believe that no matter what forensic work I'm doing, it all comes back to throwing X-Ways at it to make sure the other tools did their job. This is even more so when updated versions of other tools come out (that's when X-Ways goes to the front of the line).
I'd say other tools compared to X-Ways are different in that with X-Ways, you need to know how to get to where you want to go for it to do a good job. Other tools are more intuitive (as in, "click this button for email") but that doesn't make them any better or X-Ways any worse off.
I couldn't see a forensic tool set being complete without X-Ways Forensics as part of the toolbox.