What’s new in v16.4?
Performance
A 64-bit edition of X-Ways Forensics and of the special WinHex version for licensed users of X-Ways Forensics is now available. You can simply add it to an installation of the 32-bit edition of X-Ways Forensics. The 64-bit .exe file must be located in the same directory as the 32-bit xwforensics.exe file. Additional files needed by the 64-bit edition are expected in a subdirectory named \x64. Most other files are shared by both editions! That means that all your settings, search terms, file type signature definitions, file type category definitions etc. are conveniently remembered and commonly used by both editions. Both editions use exactly the same format for case files, volume snapshots, search hits etc. While not 100% of the functionality is available (e.g. SMART data extraction does not work), the 64-bit edition is recommended especially in situations where the 32-bit memory address space may be insufficient, when dealing with disks or images that contain many millions of files, or when dealing with many millions of search hits, provided that you have plenty of physical RAM installed. Certain operations that are computationally intensive (e.g. hashing or encrypting) may also be faster in the 64-bit edition.
A 64-bit edition of X-Ways Investigator will follow soon.
A 64-bit edition of the viewer component is now also provided. X-Ways Forensics warns when trying to load the 64-bit viewer component from the 32-bit edition of X-Ways Forensics. (Some users now think the 64-bit viewer component is for 64-bit Windows, but it is for 64-bit X-Ways Forensics.)
Improved ability to take a snapshot of volumes with many millions of files, especially in the 64-bit edition, but also in the 32-bit edition (if used with the /3GB switch or, better, under 64-bit Windows).
Hashing with the MD5 algorithm (the mere computation, excluding disk I/O for reading data) further accelerated in the 32-bit edition by ~30%, with SHA-1 by ~20% (depends on the processor). Hashing in the 64-bit edition is optimized, too, and even slightly faster than in the 32-bit edition.
AES encryption and decryption (the mere computation) accelerated by 70% in the 64-bit edition and by 30% in the 32-bit edition.
Speed for sorting by filename more than tripled.
Sorting by various columns noticeably accelerated.
Copying large files (Recover/Copy command and adding files to containers) accelerated.
New buffer system at work when reading from .e01 evidence files, which may speed up processing in certain situations.
Supports more complex GREP search expressions now than before. Such complex expressions required too much main memory in previous versions to run.
Previously existing files whose first cluster is known to have been overwritten or whose first cluster is unknown (i.e. red X files) are now generally excluded from volume snapshot refinement except if you specifically target them via tagging. They are also excluded from logical searches and from indexing if the recommended data reduction is active, unless targeted specifically via tagging or selection.
Improved ability to deal with so-called zip bombs.
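The kind of defence that sits behind a line like the one above is worth seeing in code. The following is an added example, not X-Ways Forensics code: it inspects a zip archive using only the sizes recorded in the central directory, refuses to inflate members whose declared/compressed ratio or declared size is out of policy, budgets every read, and recurses into nested archives only up to a fixed depth. The thresholds and the two sample archives (one benign, one nested with an 8 MiB run of zeros) are constructed for the example.

```python
import io
import zipfile

# Policy thresholds: assumed values for this example, not X-Ways Forensics settings.
MAX_RATIO = 100                 # declared/compressed size above this is suspect
MAX_TOTAL = 16 * 1024 * 1024    # bytes we are willing to inflate for one archive tree
MAX_DEPTH = 2                   # nested archives deeper than this are not opened
CHUNK = 64 * 1024


def inspect_archive(data, depth=0, budget=MAX_TOTAL):
    """Walk a zip (and zips nested in it) without inflating more than `budget` bytes.

    Returns (bytes_inflated, findings). Decisions use the central-directory sizes
    *before* anything is decompressed; reads are budgeted anyway, as a second line
    of defence against headers that lie.
    """
    findings, inflated = [], 0
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return 0, ["not a valid zip container"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            declared, stored = info.file_size, info.compress_size
            ratio = declared / stored if stored else (float("inf") if declared else 0.0)
            if ratio > MAX_RATIO:
                findings.append(f"{info.filename}: ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1, skipped")
                continue
            if declared > budget - inflated:
                findings.append(f"{info.filename}: {declared} declared bytes exceed remaining budget, skipped")
                continue
            nested, first, buf = False, True, bytearray()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    if first:
                        nested = chunk.startswith(b"PK\x03\x04")   # local file header magic
                        first = False
                    inflated += len(chunk)
                    if inflated > budget:
                        findings.append(f"{info.filename}: inflated past the budget, aborted")
                        return inflated, findings
                    if nested:
                        buf += chunk                               # keep only what we will recurse into
            if nested:
                if depth + 1 > MAX_DEPTH:
                    findings.append(f"{info.filename}: nested deeper than {MAX_DEPTH}, not opened")
                    continue
                sub_inflated, sub_findings = inspect_archive(bytes(buf), depth + 1, budget - inflated)
                inflated += sub_inflated
                findings.extend(f"{info.filename}/{f}" for f in sub_findings)
    return inflated, findings


def looks_like_zip_bomb(data):
    return bool(inspect_archive(data)[1])


def build_sample_bomb():
    """Constructed sample: a nested archive whose inner member inflates to 8 MiB of zeros."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\x00" * (8 * 1024 * 1024))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"nothing to see here\n")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_sample_benign():
    """Constructed sample: ordinary text with a modest compression ratio."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes.txt", b"Evidence item 1 hashed; no matches.\n" * 5)
    return out.getvalue()


if __name__ == "__main__":
    for name, blob in (("bomb", build_sample_bomb()), ("benign", build_sample_benign())):
        inflated, findings = inspect_archive(blob)
        print(name, inflated, findings)
```

The skipped member is never decompressed, so the 8 MiB never materialises; the outer archive costs only the few kilobytes needed to reach the inner central directory. Python's zipfile already stops reading at the declared size of a member, so the budget mainly matters for the sum over many members and over nested archives.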
Processing of .msg and original .eml files is now slower.
Programming Interface/Scripting
Automate investigative tasks and extend the functionality of X-Ways Forensics with X-Tensions: The new X-Ways Forensics X-Tension API (application programming interface) allows you to use many of the advanced capabilities of the X-Ways Forensics computer software programmatically and extend them with your own functionality. For example, you could implement some specialized file carving for certain file types, automated triage functionality, generate alternative reports, or automatically filter out unwanted search hits depending on your requirements etc.
Among other things, X-Tensions allow you to:
– read from a disk/partition/volume/image
– retrieve abundant information about each file and directory in the volume snapshot
– read from any file
– create new objects in the volume snapshot
– assign files to report tables
– add comments to files
– process, validate and delete search hits
– and do practically everything else that is possible with a Windows program! (thanks to the Windows API)
You can use your programming language of choice, e.g. C++, Delphi, or Visual Basic, and do not have to learn any new programming language. You can use your compiler of choice, for example Visual Studio Express (freeware).
Since an extension is not an interpreted script, but regular compiled executable code that is running in the address space of the application itself, you can expect the highest performance, the same as with internally implemented functionality. X-Tensions give you easy and direct access to crucial and powerful functions deep inside X-Ways Forensics. The flip side of running in-process is that a faulty X-Tension can crash or corrupt the host application just like an internal bug would, so test new extensions on copies of evidence first.
When X-Tension functions can be called:
– when refining the volume snapshot
– when running a simultaneous search
– via the directory browser context menu
– in future versions of X-Ways Forensics via the search hit context menu
You may distribute your XWF extension DLLs that you compile and/or your source code free of charge or even for a fee, under whatever license terms you see fit.
For more information please see http://www.x-ways.net/forensics/x-tensions/api.html.
Usability
More convenient ability to specify the nature, sector size and additional storage location of raw images when holding the Shift key while interpreting images.
When reading a file that is referenced in a volume snapshot fails during snapshot refinement or a logical search, for example because the storage location of some of the clusters is unknown or because they are contained in corrupt file archives, only one read error message is now output per session, and the user is pointed to a newly introduced attribute by which you can also filter: “file contents unknown, partially”.
When pressing a Ctrl+number key combination that is not currently assigned to any report table (e.g. accidentally), X-Ways Forensics now produces an error sound.
More information in the progress indicator window when copying files.
When printing multiple selected files (using the viewer component), only a single print job is submitted for all files and (if selected) cover pages, so that no other print jobs sent to a shared printer can get in between, and so that if you are printing to PDF you are prompted for a filename only once and all pages go to the same output file.
All Position submenus have been renamed Navigation.
Two neat commands for navigation in the directory browser have been added to the context menu (Navigation submenu): “See selected item in its directory” will show you the selected file or directory among its siblings. Useful to quickly check whether there are more notable files in the same directory or to better understand the function of the file when you see it in context. “See selected item from volume root” will show you the selected file among all other files in the same volume. Useful for example to see whether there are any files with the same name, the same ID (e.g. a previous version from a volume shadow copy), the same owner, the same sender, or similar timestamps etc. in the same file system (just sort accordingly). Both commands can also be used from within the case root window and from within search hit lists (so the previous “Go to file in directory browser” command becomes obsolete). Remember you can click the Back button in the toolbar to conveniently return to the previous view.
When toggling between normal and recursive exploration of the same directory, e.g. by clicking the button with the turquoise curly arrow, X-Ways Forensics now automatically selects the last selected item again if it is still contained in the directory browser after the change.
When activating or deactivating a filter, X-Ways Forensics now automatically selects the item in the directory browser again that you had clicked last, if it is still listed in the directory browser.
Improved responsiveness when decompressing large file archives.
If a certain file for which a hash value was computed before or for which a hash value is computed at the same time (volume snapshot refinement) crashes X-Ways Forensics (of which you are usually informed in great detail when restarting X-Ways Forensics), identical files are now skipped automatically if you (continue to) refine the volume snapshot and compute hash values (at least if the protection against identical crasher files is active in the properties of the case). To make the case forget previous crasher files, click the Delete button in the case properties. Skipped files are automatically added to the report table “Reason for crash?”.
If the crash-safe decoding option is not in use and the viewer component crashes X-Ways Forensics when decoding a certain file, on the next start-up X-Ways Forensics now points out more precisely that the crash occurred during the decoding step and recommends activating crash-safe decoding (an option in Options | Viewer Programs).
File System Support
When running a particularly thorough file system data structure search on NTFS volumes, X-Ways Forensics now specially deals with existing or previously existing volume shadow copies, and includes valuable information in the volume snapshot that would not be available otherwise, such as files that cannot be found in the current $MFT any more or old versions of files whose contents have changed (and unlike in previous versions of X-Ways Forensics, the original file contents can now be reconstructed for files of any size). And this happens relatively quickly now, even if you choose not to use the potentially very time consuming “Search FILE records everywhere” option.
Processing of volume shadow copies, if any, occurs before all the other operations that are part of the particularly thorough file system data structure search (parsing $LogFile, optionally searching for FILE records outside of $MFT and outside of VSCs, searching for index records in the slack of INDX buffers). If there are volume shadow copies, the caption of the small progress indicator window will tell you when they are being parsed.
Files found in volume shadow copies are specially marked if they are previous versions of files that were known to the volume snapshot already before the thorough file system data structure search. Remember you can sort by ID to see the files they are a previous version of next to them.
Option to prevent previous versions of files in volume shadow copies from being added to the volume snapshot if they are exact duplicates (identical file contents), so that it is much easier to focus on files for which previous data is actually still available. Even if modification dates are different, the file contents are often the same for files installed by the operating system. See Options | Volume Snapshot. If fully selected, X-Ways Forensics will compare files up to 128 MB; if half selected, only up to 16 MB, so as not to waste too much time on this feature.
X-Ways Forensics now distinguishes between deleted files whose contents may have changed (i.e. may have been overwritten by other files) and deleted files whose original contents are known to be still available. For example, volume shadow copies often preserve the original contents of files that were deleted or changed afterwards. Such files found in a volume shadow copy are displayed with an icon that is different from that of other previously existing files. The icon of virtual files has changed, too. Please see the Legend for an overview of all icons.
Ability to open a directory (File | Open Directory). This new function can list the files and subdirectories of any accessible directory in the directory browser.
Ability to add any accessible directory to the case. Useful if a directory or a file of interest resides on a drive with many irrelevant files, if you merely wish to view, hash, or search a few of those files, check their metadata or copy them to an evidence file container etc.
Ability to identify Btrfs file systems.
Reparse points are no longer highlighted by a virtual file whose name reveals the target, but by a comment that is attached to the reparse point host directory.
File Format Support
E-mail extraction revised for certain e-mail archive file types such as Exchange EDB, DBX, MBOX, and MSG, in particular better support for e-mails in e-mails (e-mails as attachments).
Metadata extracted from XML files in Office documents can now be seen in the metadata cell of the outer Office document, no longer for the inner XML files in which they were actually found, where some users did not expect them.
OLE2 timestamps can now be translated by the Data Interpreter and in templates, optionally in big endian, as they appear in ICQ 7 chat messages.
Improvements for Exchange EDB extraction.
File format consistency check now supported for EXE, ZIP, RAR, JPEG, GIF, PNG, RIFF, BMP, PDF.
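What a consistency check of this kind actually does is walk the container structure rather than trust the header bytes alone. The following is an added example, not X-Ways Forensics code, for two of the formats listed above: it validates a PNG chunk by chunk (IHDR first, CRC-32 over type and data of every chunk, IEND last, no trailing bytes) and walks a JPEG's marker segments up to SOS, requiring an EOI marker at the very end. The sample PNG is a real 1x1 image built inline; the sample JPEG is a constructed marker skeleton that is structurally valid but not a decodable picture.

```python
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def check_png(data):
    """Return a list of structural problems; an empty list means the PNG is consistent."""
    problems = []
    if not data.startswith(PNG_SIG):
        return ["bad PNG signature"]
    pos, first, last = len(PNG_SIG), None, None
    while pos + 12 <= len(data):                     # 4 length + 4 type + 4 CRC minimum
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            problems.append(f"chunk {ctype.decode('latin-1')} at {pos} runs past end of file")
            break
        stored_crc = int.from_bytes(data[end:end + 4], "big")
        if zlib.crc32(data[pos + 4:end]) & 0xFFFFFFFF != stored_crc:   # CRC covers type + data
            problems.append(f"CRC mismatch in chunk {ctype.decode('latin-1')} at {pos}")
        first = first or ctype
        last = ctype
        pos = end + 4
        if ctype == b"IEND":
            break
    if first != b"IHDR":
        problems.append("first chunk is not IHDR")
    if last != b"IEND":
        problems.append("no IEND chunk: file is truncated")
    elif pos != len(data):
        problems.append(f"{len(data) - pos} trailing bytes after IEND")
    return problems


def check_jpeg(data):
    """Walk the marker segments up to SOS and require an EOI marker at the very end."""
    problems = []
    if data[:2] != b"\xff\xd8":
        return ["missing SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return problems + [f"expected a marker at offset {pos}"]
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # stand-alone markers carry no length
            pos += 2
            continue
        if marker == 0xD9:
            return problems + ["EOI before any scan (SOS) segment"]
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seglen < 2 or pos + 2 + seglen > len(data):
            return problems + [f"segment 0x{marker:02X} at {pos} is truncated"]
        pos += 2 + seglen
        if marker == 0xDA:                           # entropy-coded data follows until EOI
            if data[-2:] != b"\xff\xd9":
                problems.append("missing EOI trailer")
            return problems
    return problems + ["no SOS segment found"]


def consistency_problems(data):
    """Type guessed from the header, then verified structurally (the point of the check)."""
    if data.startswith(PNG_SIG):
        return "PNG", check_png(data)
    if data.startswith(b"\xff\xd8"):
        return "JPEG", check_jpeg(data)
    return None, ["no supported header signature"]


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


def build_sample_png():
    """Constructed sample: a valid 1x1 8-bit RGB PNG (one red pixel)."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
    idat = zlib.compress(b"\x00\xff\x00\x00")        # filter byte + R, G, B
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg():
    """Constructed sample: structurally valid marker skeleton, not a decodable picture."""
    return (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01")
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9")
```

A carved file that passes the header check but fails here (a CRC mismatch in a PNG chunk, a JPEG cut off before EOI) is exactly the kind of candidate such a check is meant to flag; trailing bytes after IEND are the usual sign that a carver took the file size from a default rather than from the footer.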
File Header Signature Search
File header signature search noticeably revised and accelerated, especially on volumes with millions of files. The already very high quality of the results was further improved.
Ability to select file types for the file header signature search more conveniently grouped by categories instead of in a flat list.
Automatic file size detection for even more file types than before, now including for example MPEG, MP3 in general, index.dat.
For each file type that the internally implemented algorithms in X-Ways Forensics know well and support with automatic size detection, the ID of the corresponding algorithm is now specified in the “File Type Signatures Search.txt” definition instead of a footer signature, following a tilde symbol (~). That can be useful, for example, if you create alternative definitions for a certain file type (e.g. to match a certain subtype only), to ensure that the sophisticated file size detection at work in X-Ways Forensics is still applied.
New flag “c” supported in the file type signature definitions which, if taken into account (depends on user interface settings), ignores header signatures that are not aligned at cluster boundaries. Can be useful for some file types to avoid too many false positives.
Files carved with the new flag “g” greedily allocate all their sectors exclusively. The file type signature search continues its search for further file headers only after the presumed end of such files.
New flag “u” allows carving files in unused clusters only.
New file carving flag “F” (upper case) that makes X-Ways Forensics discard hits of the file header signature search if no corresponding footer can be found, provided that a footer signature is specified in the definition. Can be useful to reduce the number of or totally avoid false positives.
New flag “t” prevents X-Ways Forensics from presenting the type of carved files immediately as confirmed. Useful for example for file format families such as XML, to determine the exact subtype later during file type verification.
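The five flags above interact, and the order in which a carver applies them decides what ends up in the volume snapshot. The following is an added example, not X-Ways Forensics code and not the syntax of “File Type Signatures Search.txt”: definitions are plain dicts, the “disk” is a constructed 4608-byte image with an assumed 512-byte cluster size and a constructed allocation set, and the search applies the semantics described above: “c” rejects headers not at a cluster boundary, “u” rejects headers in allocated clusters, “F” drops a hit whose footer is not found within the maximum size, “t” records the type as unconfirmed, and “g” resumes the search only after the presumed end of the file, so that headers of any type inside that extent are not reported.

```python
CLUSTER = 512   # assumed cluster size for the constructed image

# Assumed representation of carving definitions for this example only.
DEFS = [
    {"type": "JPEG", "header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max": 4096, "flags": "F"},
    {"type": "LOG",  "header": b"LOG:",         "footer": None,        "max": 1024, "flags": "cu"},
    {"type": "XML",  "header": b"<?xml",        "footer": None,        "max": 2048, "flags": "gt"},
]


def header_hits(image, defs):
    """Every header occurrence of every type, in offset order (not yet filtered)."""
    hits = []
    for d in defs:
        pos = image.find(d["header"])
        while pos >= 0:
            hits.append((pos, d))
            pos = image.find(d["header"], pos + 1)
    return sorted(hits, key=lambda h: h[0])


def carve(image, defs, allocated_clusters):
    carved, resume = [], 0
    for start, d in header_hits(image, defs):
        flags = d["flags"]
        if start < resume:                       # inside a greedy ("g") file's extent
            continue
        if "c" in flags and start % CLUSTER:     # must sit on a cluster boundary
            continue
        if "u" in flags and start // CLUSTER in allocated_clusters:
            continue                             # unused clusters only
        end = None
        if d["footer"]:
            f = image.find(d["footer"], start + len(d["header"]), start + d["max"])
            if f >= 0:
                end = f + len(d["footer"])
            elif "F" in flags:                   # footer required but absent: discard
                continue
        if end is None:
            end = min(start + d["max"], len(image))   # fall back to the maximum size
        carved.append({"type": d["type"], "offset": start, "size": end - start,
                       "confirmed": "t" not in flags})
        if "g" in flags:
            resume = end                         # nothing else is carved from this extent
    return carved


def build_sample_image():
    """Constructed image: zeros with headers planted at telling offsets."""
    img = bytearray(9 * CLUSTER)
    img[0:4] = b"LOG:"                      # cluster 0 is allocated: rejected by "u"
    img[512:516] = b"LOG:"                  # cluster 1, unused and aligned: carved
    img[600:604] = b"LOG:"                  # mid-cluster: rejected by "c"
    img[1024:1028] = b"\xff\xd8\xff\xe0"    # JPEG with footer 76 bytes later
    img[1100:1102] = b"\xff\xd9"
    img[1200:1204] = b"\xff\xd8\xff\xe0"    # JPEG without footer: dropped by "F"
    img[2048:2053] = b"<?xml"               # greedy and tentative: claims 2048 bytes
    img[2300:2305] = b"<?xml"               # inside that extent: not a separate file
    img[2560:2564] = b"LOG:"                # aligned, unused, but inside the greedy extent
    return bytes(img)


ALLOCATED = {0}   # constructed allocation state: only cluster 0 is in use


def carve_sample():
    return [(r["type"], r["offset"], r["size"], r["confirmed"])
            for r in carve(build_sample_image(), DEFS, ALLOCATED)]


if __name__ == "__main__":
    for row in carve_sample():
        print(row)
```

Note that the LOG file carved at 512 and the JPEG carved at 1024 overlap: without “g”, overlapping candidates are both reported, and it is the later type verification and the “t” flag that decide what is finally trusted.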
Miscellaneous
Cases now remember non-standard sector sizes of raw images so that you do not have to specify them again when re-opening a raw image evidence object.
Option to copy child objects of selected files from search hit lists.
Ability to add a selected block to the volume snapshot as a virtual file even from the case root window (in File mode).
Ability to use the Name filter for keyword searches in filenames not only with GREP syntax.
Filter for the Owner column.
More detailed filter for previously existing files.
In newly taken volume snapshots of physical disks, virtual files covering unpartitioned areas are no longer subject to volume snapshot refinement (e.g. hash computation) unless specifically targeted via tagging, to save time and because it does not make much sense. The same applies to partitioned areas on GPT+LDM disks that are not treated like partitions because they never contain a file system (only the dynamic volumes do).
Virtual files are now counted separately in the caption line of the directory browser and no longer included in the count of existing or previously existing files. The icons of virtual files and directories have been changed.
Fixed an error in the direct byte-wise translation for GREP that could cause some additional false hits.
Ability to mark important evidence objects in the case root window with a yellow flag.
More information in evidence object selection dialog windows, which now show the number of files in each evidence object and its yellow flag, if it has one.
Ability to tag or untag all items in the volume snapshots of all open evidence objects by clicking the case root icon with the middle mouse button.
Ability to represent large offsets in decimal.
Ability to copy the text in the cell of the directory browser that you right-click to the clipboard. Previously users had to copy from Details mode.
New encryption algorithm for .e01 evidence files: 128-bit AES in BE CTR mode, which is ~67% faster than the already accelerated implementation of 256-bit AES in LE CTR mode, for both encryption and decryption. Previous versions of X-Ways Forensics cannot open .e01 evidence files created with the new algorithm, so keep the 256-bit option for images that must remain readable by older installations.
Storing an iterative SHA-256 hash of both the password and the salt in encrypted .e01 evidence files for password verification purposes is now optional when using the 256-bit AES option (see Security Options). Note that this hash is what password verification relies on, and that previous versions of X-Ways Forensics cannot open .e01 evidence files created without it.
Many minor improvements.
Changes of service releases of v16.3:
SR-1: Improved UTF-8 encoding of GREP expressions.
SR-1: Fixed code page display problem with very long search terms.
SR-1: Fixed non-acceptance of containers of the new format with certain investigator.ini settings.
SR-1: Avoided one more situation where writing sectors could fail under Windows Vista and later.
SR-1: Fixed inability of v16.3 to explore nested archives.
SR-2: Fixed an exception error that could occur when opening files with certain filenames when Asian code pages were active in Windows.
SR-2: Fixes and improvements for Exchange EDB extraction.
SR-3: When extracting e-mail from certain e-mail archive types like DBX or MBOX, identical attachments that were attached to different e-mail messages (same name, same contents) were only provided as child objects to 1 e-mail message. That was fixed.
SR-4: \b anchors did not work correctly in v16.3. That was fixed.
SR-5: Fixed errors that could occur in certain cases when extracting embedded pictures from carved files (I/O errors and inability to display the pictures in the gallery).
SR-5: Fixed inability to read alternate data streams from evidence file containers of the new format.
SR-5: Improved representation of file slack that is deliberately included in evidence file containers of the new format.
SR-5: Included buffer overrun fix of libpng 1.5.9 (http://www.libpng.org/pub/png/libpng.html) in the internal graphics viewing library. This fix was also retroactively applied to earlier versions: v16.2 SR-12, v16.1 SR-10, v16.0 SR-13, v15.9 SR-10, v15.8 SR-11.