WinHex, X-Ways Forensics, X-Ways Investigator 13.9 released


* Forensic licenses only: Ability to open remote network drives at a logical level, if a drive letter has been assigned locally. The directory browser, File mode, Preview mode, Gallery mode, and Calendar mode are all available. A volume snapshot can be taken and refined (not with the options that require sector access), filters can be used, keyword searches can be run. On the other hand, sectors, free space, slack space, deleted files, alternate data streams, owner SIDs etc. cannot be displayed. Very useful to preview remote network drives on site and e.g. search/copy relevant documents if no physical access to certain computers on a network is available. Another benefit is that NTFS-encrypted files (EFS) to which the currently logged-on user has access can be opened and processed as if they were not encrypted.

* Forensic licenses only: Ability to open local drive letters without administrator rights. The same limitations apply.

* Support for the Ext4 file system (specialist and forensic licenses only).

* X-Ways Forensics now warns when opening a case if that case has already been opened by someone else (if not in read-only mode).

* When decoding the text in PDF, HTML, RTF, StarOffice, WordPerfect, etc. files for logical searches and indexing, the result is now optionally buffered (can be disabled in Options | Viewer Programs). As the decoding is relatively slow, the benefits of the buffer are that further searches will run noticeably faster if there are many such files and that there are now context previews even for search hits in the decoded version of files! This makes examining search hit lists much more convenient. Decoded text output is now either ASCII or Unicode on a per-file basis, depending on the nature of the characters in the text.

* The Print command in the directory browser context menu is now more flexible in that it allows printing files with the help of the viewer component either with or without its own cover page. As a new third option it is now possible to have X-Ways Forensics print the filename and path itself, on the first page. This option is not bound by the same path length limitations as the header printed by the viewer component. To avoid the path being printed twice on the first page, have _either_ X-Ways Forensics or the viewer component print it, not both.

* If in the new Print command the printer resolution cannot be automatically detected, the user now has the option to specify it manually to get a correct print result.

* It’s easier now to identify the evidence object in the Case Data window that is represented by the active data window, as all the other evidence objects, including their directory trees, are displayed in gray.

* Changes among physical disks (e.g. newly attached external USB hard disks) are now detected without having to restart the program.

* File containers now optionally have an internal designation (the XWFS volume label). Useful as another means to identify to which case/suspect a container belongs since the filename might be too generic (used similarly in different cases) or could be accidentally changed.

* A new switch “+19” in investigator.ini makes it possible to keep users of X-Ways Investigator from opening images/containers that are not located in the default path for images/containers. Useful if the default path is externally controlled and users must not inadvertently add images from unrelated cases.

* Ability to optionally filter directories based on names in addition to files. This is the only filter based on a directory browser column that has an effect on directories, too.

* Each evidence object now remembers the last 32 files that were viewed in Preview mode. Press Shift+Ctrl+F7 to see the list of filenames, internal IDs, and viewing timestamps. Useful e.g. if you forgot where you stopped your work the other day or based on what sort criteria you viewed the files (to recreate the same order). Not documented in program help or user manual, subject to change.

* Changed sorting in search hit description column such that hits in slack space are not merely grouped, but moved to the end of the list so that they can be easily found, and the slack copied specifically with appropriate settings in the Recover/Copy command if needed. (since v13.8 SR-5)

* Decoded text was not indexed correctly in v13.8 before v13.8 SR-2. This was fixed.

* The logical search in v13.8 had a memory leak before v13.8 SR-2. This was fixed.

* Memory leak in indexing fixed with v13.8 SR-5.

* An error interpreting full filenames in File Type Categories .txt was fixed with v13.8 SR-3.

* The daylight saving bias was not correctly applied for southern hemisphere time zones. This was fixed with v13.8 SR-4.

* Some other minor improvements.
