WinHex, X-Ways Forensics, X-Ways Investigator 14.4 released

WHAT’S NEW?

* Ability to extract e-mail messages and attachments from AOL PFC files. (forensic license only) Note that if these files have no extension, only a signature check will identify them as PFC files.

* Can now extract embedded files from MHT Web Archives if you append “;*.mht” to the series of file masks for e-mail extraction. (forensic license only)

* NTFS permissions can now be seen in Details mode…* The internals of the NTFS file system journal $LogFile can now be viewed with the View command and in Preview mode.

* For NTFS volumes, the Technical Details Report now shows the volume GUID, the NTFS version number, and the volume flags.

* Windows Prefetch files can now be conveniently viewed.

* For Windows shortcut files (.lnk), any MAC addresses shown are now definitely MAC addresses. The creation date+time of the target’s object ID is now also shown. Volume ID, birth volume ID and object ID are now displayed in special GUID notation.

* There is now an option to copy/append file metadata to the comments of selected files, when editing the comments, which allows to later filter by this metadata with the comments filter, to export the metadata with the Export List command, and to output it with a report table in a case report. (forensic license only) Metadata can be extracted from Windows shortcut files (.lnk), OLE2 compound files (e.g. pre-2007 MS Office), and .shd printer spool files. More file types to be added in the future.

* The buffer size for comments in the case report has been increased. Line breaks in comments are now converted to HTML line breaks for the case report.

* More space for the user-specified comments on a file when printing with a cover page.

* It’s now possible to conveniently send the files in an evidence object’s volume snapshot to an external virus scanner. (forensic license only) Infected files will be added to a report table named “Virus suspected”. The command can be found in the Specialist menu. Please see the program help for details.

* It is now possible to export report table associations when creating a container, so that the recipient of the container can already see classifications such as “notable”, “invoice”, “family”, “bomb construction”, etc. when adding the container to a case.

* Files that were recognized as irrelevant with the help of the hash database can now be optionally excluded from further volume snapshot refinement operations. This has an immediate effect if hash database matching is selected at the same time with other options such as skin color computation, search for embedded pictures etc.

* In a search hit list, it is now possible to recover/copy the files that contain the selected search hits automatically into subdirectories that are named based on the respective search term. For that, please try the new third state of the checkbox entitled “Recreate full original path”.

* There is a new command in the Position submenu of the context menu in the search hit list of a volume that allows to conveniently exit the search hit list and navigate to the respective file in its directory.

* Search hits based on code page 1251 (Cyrillic) are now displayed correctly in the search hit list. (since v14.3 SR-5)

* Manually mixing different index .xfi files in the same index subdirectory (undocumented feature) now works reliably. E.g. like that you can have multiple indexes based on the same character set, like an index of words (a-zA-Z) and an index of numbers (0-9), and search all of them simultaneous- ly. (since v14.3 SR-4)

* Empty indexes with no words will no longer be saved as xfi files. As a result, there will be no annoying error messages about empty indexes any more when searching an index. An evidence object’s index may be empty e.g. if you index tagged files only and the tagged files do not contain any text, have a size of zero bytes, etc.

* It is now possible to optionally include substrings in index searches from the case root. The option to include substrings in indexes did not work for Unicode in the original v14.3 release. This was fixed with v14.3 SR-1.

* In substring-enabled indexes created with v14.3 SR-1 and later, XWF can now optionally search for whole words only (more precisely, beginnings of words). This prevents finding e.g. “card” in “bankcard”. Useful if there are too many hits in such solid compound words and you are more interested in the word as a whole word.

* Fixed an error that could occur when running an index search from the case root window.

* Fixed an error that could occur under certain circumstances when starting indexing.

* Ability to copy selected data has hex values in GREP notation.

* Under Windows Vista, the lower half of a decoupled data window no longer becomes invisible when reintegrated in the main window.

* When extracting embedded JPEG files from other files, X-Ways Forensics is now more strict when deciding what actually is a JPEG file and what only looks like one.

* Including directories in a recursive view is now a 3-state option. In its middle state, real directories are not included, but archives treated as directories are.

* The internal file header signature search algorithm can now automatically detect the original size of Outlook PST, AOL PFC, Prefetch, EMF, and SPL files.

* Ability to find additional sessions on multi-session CDs burned with Roxio software with a thorough file system data structure search if CDFS does not co-exist with UDF.

* Ability to understand certain dynamic disks created by Windows Vista that are incompatible with earlier Windows versions.

* Full support for NTFS volumes with exotic FILE record sizes. (since v14.3 SR-5)

* If the viewer component freezes when decoding the text in a file for the logical search or for indexing, X-Ways Forensics will now continue with the next file after a time- out period has expired, and will add the offending file to the report table “Unable to decode text.”

* A Japanese translation of the user interface of X-Ways Forensics is now available from our Japanese reseller, Data Recovery Center.

* Maximum number of report tables in a case now 100 instead of 64.

* Earlier versions of X-Ways Forensics left it to the user to decide whether to search for file header signatures in partitioned space on a physical partitioned evidence object as part of the Refine Volume Snapshot operation. This option has been removed, and the search is now run in partitioned space only within the partitions themselves, to avoid unnecessary duplication.

* Further limitations of the reduced user interface of X-Ways Investigator can now optionally be specified individually for certain users even in a shared installation, by creating copies of the investigator.ini file named “investigator *.ini”, where * is the respective username.

* X-Ways Investigator no longer allows to open a case whose case directory is missing. WinHex and X-Ways Forensics still allow to do this.

* Several other minor improvements and error corrections.

* XWF now deals more gracefully with truncated FAT partitions in incomplete image files. (since v14.3 SR-1)

* New directory icons. Dedicated icon for deleted partitions in the case tree and in the case root window. (since v14.3 SR-3)

* Ability to delete the case log from within X-Ways Forensics. (since v14.3 SR-3)

* The Java date+time format now respects the Data Inter- preter’s Big Endian option. That date+time format can be found in Little Endian in BlackBerry memory dumps. Before, it simply always worked based on Big Endian philosophy. (since v14.3 SR-4)

* Fixed an error that could prevent to correctly open certain extremely fragmented alternate data streams on NTFS. (since v14.3 SR-4)

* Fixed display refresh problem in case root window. (since v14.3 SR-4)

* The definitions in File Type Signatures.txt and File Type Categories.txt have slightly changed in that Unix/Linux executable files now have the type “elf” instead of “elfexe”, and Windows Vista Event Log Files now have the type “evtx” instead of “elf”. (since v14.3 SR-4)

* Fixed an error that under very special circumstances caused WinHex/X-Ways Forensics to show existing partitions as lost partitions. (since v14.3 SR-6)

Leave a Comment