WHAT’S NEW IN V13.2?
* There are new (optional) quick filter buttons in the directory browser column headers that let you activate and modify dynamic filter settings more quickly.
* The indexing algorithm was revised. The index files are now considerably smaller and certain worst-case data will no longer cause the algorithm to almost freeze. The index file format has changed, so existing indexes created by earlier versions cannot be reused.
* Report tables have evolved from tab-delimited text files
that are associated with just one evidence object to
virtual, case-wide categories, by which you can dynamically
filter or sort, even in the case root, not unlike comments.
However, while comments are best for free text, report
tables can now serve as convenient user-defined categories
such as “related to company x”, “incriminating pictures”,
“unjustified expenses”, depending on what the objective
of your examination is. Using report tables that way for
filtering instead of keywords in free text comments can
prevent errors due to typos.
The same file can be part of multiple report tables. An
optional column in the directory browser indicates to which
report table(s) a file has been assigned.
The report table fields you can select for output to the
case report are now the same as for the directory browser.
Report tables created and filled by v12.9 and later can
be imported by v13.2. Report table titles now use Unicode
instead of ASCII. Filenames in report tables are now output
to the case report in Unicode.
* Comments now use the Unicode character set instead of
ASCII throughout the user interface and the case
report.
* Case titles, case filenames, case descriptions, examiner
names, image filenames, evidence object titles, comments,
command line parameters, and the case log now all work
with Unicode.
* It is now possible to select evidence objects for
recursive viewing in the case root.
* Cases last saved by v13.2 cannot be opened any more by
earlier versions of X-Ways Forensics. v13.2 won’t import
certain items from cases saved by earlier versions: search
hit lists from v12.9 and earlier; free space, slack space,
and text that was captured in a separate file and associated
with a case.
* The bookmark list associated with an evidence object
can no longer be brought up via an icon in the case tree,
but by clicking the button with a paperclip icon in the
middle of the screen.
* The name of the evidence object that a directory browser
item belongs to is now displayed in a separate column. This
field is useful in a recursively explored case root and
for reports that include the new case-level report tables,
as it helps establish the original location of files.
* When associating a hard disk and its partitions with a
case as evidence objects, the case tree now lists the
partitions as child nodes of the disk. Volumes/partitions
are now represented by a different icon in the case tree
to better tell them apart from physical media. They no
longer employ separate icons for access to the root
directory, but provide access directly. All of this makes
it more convenient to handle larger cases that involve many
hard disks with many partitions and uses screen space
more economically.
* Lost partitions that were found through a thorough
search are now remembered by X-Ways Forensics if the hard
disk/hard disk image is associated with a case as an
evidence object.
* The particularly thorough file system data structure
search on NTFS volumes has a new second step that usually
turns up many more previously existing files than before,
files that have been deleted, renamed, or moved. Known
earlier names/locations of renamed/moved files will be
displayed with new arrow icons. For many of the additionally
discovered deleted files, however, only the metadata is
available (filename, timestamps, ID, …), not the file
contents.
* Newly created volume snapshots for FAT volumes now
identify directory entries that indicate that files have
been renamed or moved. They are displayed with an arrow
icon as well. Requires a specialist or forensic license.
* Support for multiple sessions on optical media formatted
with UDF. The first and the last session will be listed
automatically. Additional sessions in the middle can be
found through a particularly thorough file system structure
search.
* Strict drive letter based write protection is now
optional (yet still enabled by default) in X-Ways Forensics.
See Options | Security.
* Auto-save option for cases.
* The directory browser options now allow you to lock columns
on the left, i.e. prevent them from scrolling horizontally.
* Memory management is now more efficient when dealing
with millions of files on a volume.
* Ability to totally disable sorting with a command in the
directory browser context menu. Can save time when dealing
with huge file lists.
* All text output in the messages window can now be
optionally logged in a file messages.txt. See Options |
Security. This file is created in the log subfolder of the
case, if a case is active, or else in the installation
directory.
* Newly created evidence file containers can now be
optimized for better performance if a huge number of files
is to be added. All three options related to containers
are now presented whenever creating a new container, no
longer in Options | Security.
* The Copy/Recover command now offers a convenient option
to copy files including their slack or the slack separately.
(forensic licenses only)
* You can now view Windows Event Log (.evt) files. (forensic
licenses only)
* File Type Signatures.txt: More legitimate extensions per
file type supported.
* During the creation of image files, X-Ways Forensics
now displays the average data transfer rate in MB per
minute and the average compression ratio for compressed
evidence files.
* The case report is now more flexible. All components
(basic report, report tables, log) are optional. Also
you can now optionally omit times from the case log,
e.g. if you do wish to pass on the log to someone else,
but feel uncomfortable disclosing the pace you worked at.
* The program to view HTML reports (case reports, registry
reports, event log conversions) can now be selected in
Options | Viewer Programs. MS Word can be more useful
than an Internet browser because e.g. it allows you to further
process the report and can display directly embedded TIFF
pictures. If no program is specified in that dialog window
(as is the default), HTML files will be viewed with the
default program for that file type in your system as
before, i.e. usually your preferred Internet browser.
* When the hash of an evidence object is verified or
computed for the first time, the result is added to the
technical description of the evidence object.
* The standard extension of template text files has been
changed from .txt to .tpl. That way, templates can be
more easily told apart from other text files.
* Several other minor improvements and fixes.
WinHex download URL: http://www.x-ways.net/winhex.zip