WinHex, X-Ways Forensics, X-Ways Investigator 13.8 released

WHAT’S NEW?

The investigator version of X-Ways Forensics is now a separate product: X-Ways Investigator ( http://www.x-ways.net/investigator/ ). The user interface of the investigator version is now customizable to a certain extent: With the help of an optional file named “investigator.ini”, additional administrative security precautions and additional optional usage simplifications can be activated individually…

* The ability to interpret .e01 evidence files was added to X-Ways
Investigator. That means investigators can now be provided with
file containers that were turned into (optionally compressed or
encrypted) .e01 evidence files. Also the ability to _create_ file
containers was added to X-Ways Investigator. That means investigators
can now create containers themselves and that way copy highly
relevant files to separate containers for their own use or to
pass them on to colleagues. The ability to create search indexes
was removed.

* The logical simultaneous search has been removed from the
directory browser context menu and integrated in Search |
Simultaneous Search. It no longer searches the _selected_ files,
but either all files or tagged files. Search | Simultaneous Search
can now execute both physical and logical searches. Logical searches
have been reworked internally and now always process the files in
the order in which they appear in the volume snapshot (i.e. sorted
by internal ID).

* The physical simultaneous search is finally obsolete in the
forensic edition when searching entire media, as the logical
simultaneous search now has a solution for the file slack/free
space paradox, by searching all file slack/free space transitions
separately. (The paradox is that although all file slack and free
space is searched, not all occurrences of the search terms in
these areas are found by certain standard computer forensics
software products.)
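To make the paradox from the previous item concrete, here is an added Python example (not X-Ways code) on a constructed, miniature cluster image: a keyword that starts in a file's slack and continues into the adjacent free cluster is missed when slack and free space are searched as separate units, but found when the slack/free transition is searched as one contiguous span. Cluster size, file layout and keywords are all constructed for illustration.

```python
CLUSTER = 16  # bytes per cluster; constructed, tiny so the layout is readable


def build_image():
    """Constructed 4-cluster image: file A uses cluster 0 (12 data bytes, 4 slack),
    clusters 1-2 are free, file B fills cluster 3 exactly (no slack)."""
    img = bytearray(4 * CLUSTER)
    img[0:12] = b"fileA-data!!"
    img[12:20] = b"EVIDENCE"      # 4 bytes in A's slack, 4 bytes in free cluster 1
    img[34:40] = b"SECRET"        # entirely inside free cluster 2
    img[48:64] = b"fileB-fills-all!"
    files = [{"name": "A", "clusters": [0], "size": 12},
             {"name": "B", "clusters": [3], "size": 16}]
    return bytes(img), files


def regions(img, files):
    """Classify the image into (start, end, kind) spans: data, slack or free."""
    data_in_cluster = {}
    for f in files:
        remaining = f["size"]
        for c in f["clusters"]:
            data_in_cluster[c] = min(CLUSTER, remaining)
            remaining -= data_in_cluster[c]
    spans = []
    for c in range(len(img) // CLUSTER):
        base = c * CLUSTER
        if c in data_in_cluster:
            used = data_in_cluster[c]
            spans.append((base, base + used, "data"))
            if used < CLUSTER:
                spans.append((base + used, base + CLUSTER, "slack"))
        else:
            spans.append((base, base + CLUSTER, "free"))
    return spans


def find_all(buf, term):
    hits, i = [], buf.find(term)
    while i != -1:
        hits.append(i)
        i = buf.find(term, i + 1)
    return hits


def search_separately(img, spans, term):
    """Naive: every slack span and every free cluster is searched on its own,
    so a term crossing a slack/free boundary can never match."""
    return [s + h for s, e, k in spans if k != "data" for h in find_all(img[s:e], term)]


def search_transitions(img, spans, term):
    """Merge adjacent slack/free spans, so the boundary itself is searched."""
    merged = []
    for s, e, k in spans:
        if k == "data":
            continue
        if merged and merged[-1][1] == s:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return [s + h for s, e in merged for h in find_all(img[s:e], term)]
```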

* Irrelevant, hidden, or filtered out files can now be omitted
during logical searches, or, if slack space is included, the search
can be limited to the file slack of such files. This saves time and
reduces the number of irrelevant hits.




* Indexing can now be limited to the slack of irrelevant, hidden,
or filtered out files, too.

* It is now possible to a certain degree to continue reviewing
files while searching logically, as the directory browser is no
longer blocked.

* When decoding PDF/OpenOffice/WPD/HTML/… files for the logical
search, the text output is now in 16-bit Unicode instead of ASCII.
That means Unicode needs to be enabled for searching when using
this option (the software ensures this automatically).

* The volume snapshot can now be refined and an index can be
created for _selected_ evidence objects at the same time, and it
is now possible to start indexing after volume snapshot refinement
automatically. If the latter is selected, at first the volume
snapshots of the selected evidence objects will be refined, then
the index will be created for these evidence objects, and finally
the indexes will be optimized. The optimization is optional as
before, and can be aborted and resumed at any time.

* The volume snapshot can now be refined for physical, partitioned
media. This is useful to conveniently list files in unpartitioned
space that can be found via a header signature search. Files in
_partitioned_ space can be found with a signature search within the
corresponding partition only, as before. This prevents duplications.

* Physical media now offer a File mode, a Preview mode, and a
Gallery mode. Useful for files found via a header signature search.

* Ability to print multiple selected documents without interruption,
i.e. without the need to click somewhere after each document, with
the revised context menu command “Print with cover page”. The cover
page contains the date and time when the print job was started and
user-selected meta-information, e.g. filename, path,
evidence object title, file size, description, time stamps, comments,
… The cover page is printed by X-Ways Forensics itself, the
following pages with the actual document are printed by the viewer
component. In order to print documents with the viewer component
without a cover page, as before, use the Print command in the main
menu or the Print icon in the tool bar, while in Preview mode or
when viewing a document in a separate window. Known error: The
viewer component does not always display the correct printer name
while printing although the print job is indeed sent to the selected
printer.

* Self-extracting .exe archives as created by WinZip (tested with
v9.0 and v11.0), WinRAR (GUI and console .exe files, Zip and RAR
compression, tested with v3.0, v3.3, v3.62, and v3.7 beta), 7-Zip
(tested with v4.42), and WinACE (tested with SFX-Factory 2.64) are
now internally detected by the file signature check. They are
classified as the file type “sfx” and assigned to the category
“Archives” so that they can be specifically targeted. This prevents
compressed files in such archives from going totally unnoticed in an
investigation. .exe archives with Zip compression can be viewed in
Preview mode; other self-extracting archives need to be copied off
the image and opened with an appropriate tool like WinRAR or 7-Zip.

* Reading from compressed evidence files is now considerably faster.

* CRC32 computation is now somewhat faster.

* When assembling a hardware RAID, the header size of a component
may now exceed 65,535 sectors.

* Now 48 instead of 32 script variables supported simultaneously.

* Tools | Disk Tools | Set Disk Parameters for physical disks now
accepts blanks for the C/H/S values. If left blank, suitable values
will be computed by X-Ways Forensics itself.

* The data analysis feature now works with more than 4 billion
occurrences of the same byte value. So although it is meant to be
applied to much smaller amounts of data, this functionality can
now safely be applied to many GB of data. The increased computation
time was compensated for by omitting the checksums.

* In Options | Viewer Programs, a list of filename extensions is
now maintained that indicates which files should better be viewed
with external programs, e.g. because the viewer component and the
internal picture display and gallery do not support them. When
double-clicking/viewing such files, the program that is associated
with the extension on the examiner’s system is automatically invoked.
Based on the default settings, this applies to *.mdi;*.mdb;*.mpeg;
*.mov;*.asf;*.avi;*.mp3. The list is user-editable (see Options |
Viewer Programs). In particular MDI (Microsoft Document Imaging),
a file type similar to TIFF, usually should not be overlooked, as
this format can be used in MS Office to store scanned documents or
to store print output graphically.

* Ability to automatically power down the computer after successfully
creating a disk image. (since v13.7 SR-1)

* Stability and speed of picture processing and display further
improved (with v13.7 SR-2 and SR-5). Please note that if you have
problems with processing pictures or the display of pictures, it
might help to return to the picture viewing capability of earlier
versions by checking Options | Viewer Programs | [x] Use alternative
picture display library. We ask, however, that you notify us should
you encounter specific pictures that cause X-Ways Forensics to choke.

* Error in ExecuteScript script command fixed. (since v13.7 SR-2)

* Fixed an exception error that could occur when reviewing search
hit lists. (since v13.7 SR-3)

* Characters in the text column are now usually correctly displayed
in double-byte code pages such as Simplified Chinese (if active)
even when a block or a bookmark is defined in a line. (since v13.7
SR-3)

* Fixed an exception error that could occur during an NTFS thorough
file system data structure search. (since v13.7 SR-4)

* Fixed instability issue with extremely long filename extensions
(more than 127 characters) in text decoding option. (since v13.7
SR-8)

* “Internal search term list inconsistent” error fixed. (since
v13.7 SR-8)

* Indexing progress display error fixed. (since v13.8 SR-1)

* Several other minor fixes and improvements, including the
Recover/Copy command.
