X-Ways Forensics, X-Ways Investigator 14.6 released

WHAT’S NEW?

* Ability to completely access media, RAIDs and interpreted image files with more than 4.3 billion (2^32) sectors. This allows reading data from beyond the 2 TB barrier on media with a sector size of 512 bytes.

* Support for NTFS volumes that consist of more than 2^32 sectors (but fewer than 2^32 clusters). Other file systems on partitions that large are not yet specifically supported.

* Search terms can now be combined more flexibly with logical operators in the search term list. In particular, using a NOT operator is now more convenient. To force a search term, select it and press the “+” key. To exclude a search term, select it and press the “-” key. To remove any + or - prefix, press the Esc key. The combinations work as follows:

A
B
= search hits for A and search hits for B that occur in any files (normal OR combination)

+A
B
= search hits for A and search hits for B that occur in files that contain A

+A
+B
= search hits for A and search hits for B that occur in files that contain both A and B

+A
-B
= search hits for A that occur in files that do not contain B
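Added example, not X-Ways code: a small model of the +/- search term rules listed above, run over a constructed in-memory set of files. Term matching is a plain case-insensitive substring search; the file contents are made up for the demonstration.

```python
# Constructed sample corpus: file name -> text content.
FILES = {
    "memo.txt": "invoice for project alpha, see attached invoice",
    "notes.txt": "project alpha kickoff",
    "spam.txt": "invoice invoice invoice",
    "empty.txt": "no relevant words here",
}

def find_hits(text, term):
    """Return the offsets at which term occurs in text (case-insensitive)."""
    text_l, term_l = text.lower(), term.lower()
    hits, start = [], 0
    while (pos := text_l.find(term_l, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits

def parse_terms(term_list):
    """Split entries like 'invoice', '+alpha', '-spam' into (term, mode) pairs;
    mode is '+' (forced), '-' (excluded) or '' (plain OR term)."""
    return [(t[1:], t[0]) if t[:1] in "+-" else (t, "") for t in term_list]

def apply_search_terms(files, term_list):
    """Return {file: {term: [offsets]}} for the files that pass the rules.

    A file is reported only if it contains every '+' term and no '-' term.
    Hits of '-' terms are never reported; unmarked terms are simply ORed,
    so a file with no hits of any reportable term is left out.
    """
    terms = parse_terms(term_list)
    result = {}
    for name, text in files.items():
        hits = {term: find_hits(text, term) for term, _ in terms}
        if any(not hits[term] for term, mode in terms if mode == "+"):
            continue  # a forced term is missing
        if any(hits[term] for term, mode in terms if mode == "-"):
            continue  # an excluded term is present
        reported = {term: hits[term] for term, mode in terms
                    if mode != "-" and hits[term]}
        if reported:
            result[name] = reported
    return result

if __name__ == "__main__":
    for combo in (["invoice", "alpha"], ["+alpha", "invoice"],
                  ["+invoice", "+alpha"], ["+invoice", "-alpha"]):
        print(combo, "->", sorted(apply_search_terms(FILES, combo)))
```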


* A logical search can now be optionally applied to all
_selected_ items, just as in X-Ways Forensics versions up to
13.7, via the directory browser context menu.


* Ability to attach external files to the volume snapshot
and have them processed by X-Ways Forensics like regular
files in the volume snapshot. Useful if you need to
translate, decrypt, or convert original files and would like to
reintegrate the result back in the original volume snapshot,
in the original path, for further examination, reporting,
filtering, searches etc. Such external files will be copied
to the metadata directory, managed completely by X-Ways
Forensics from then on, and marked as virtual files. In
order to attach a file, you right-click the original file
that the external file is based on and invoke “Attach
external file”. It is recommended to name the new file based
on the original file.


* When filling an evidence file container, two new options
are now available: One option allows you to copy files to
the container _partially_ only. This is possible if the file
has been opened in File mode and a block is selected. Useful
e.g. if there is a relevant search hit in the middle of a 2
GB swap file or of a 100 GB virtual free space file, and you
would like to forward the context of that search hit to
someone via a container, thereby excluding GBs of data that
are not related.


* The other option allows you to copy _only_ the file system
metadata of selected files to a container, totally omitting
all file contents, for example if you are not allowed to
copy any file contents, yet the file system metadata and
directory tree may already be helpful. When examining such a
container, you can see the entire original directory structure,
all filenames, timestamps, file sizes, attributes, deletion
state, etc. and can use various filters.


* Ability to specifically deal with NTFS compression when
searching for files via file header signatures (forensic
license only). This allows automatically finding NTFS-compressed
files of certain types even when their FILE records are no
longer available. These files are also automatically
decompressed for searching, hashing, File mode, Preview mode, the
Recover/Copy command, etc.


* Now extracts metadata from JPEG, PNG, TIF, GIF, THM, ASF,
WMV, WMA, MOV, GZ, and thumbs.db in Details mode in addition
to many other file types that were supported earlier already.
Additional metadata is now extracted from PPT files. General
further improvements for OLE2 compound files (e.g. pre-2007
MS Office files).


* When running a file header signature search, WinHex now
automatically names Exif JPEG pictures after the model
designation and time stamp as stored by the digital camera.
(specialist license or higher)


* The internal creation timestamp that can be found in
various file types can now be displayed in a separate new
directory browser column, once extracted with a new context
menu command (“Extract internal metadata”) or once seen in
Details mode. Thanks to this new column and the timestamp
filter, it is now very easy to focus on files/documents that
were _originally_ created in a certain time period (not
merely created in a particular file system/volume).
Internally stored timestamps are usually less volatile than file
system level timestamps and more difficult to manipulate
retroactively. The supported file types are: OLE2 compound
files (e.g. pre-2007 MS Office documents), PDF, MDI, ASF,
WMV, WMA, MOV, various JPEG variants, THM, TIFF, PNG, GZ,
SHD printer spool, PF prefetch, LNK shortcut, and
DocumentSummary alternate data streams.
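Added example, not X-Ways code: reading the timestamp stored inside the file itself for two of the formats listed above, the gzip header MTIME field and the PNG tIME chunk, so that it can be set against the file system timestamp. The sample gzip stream and the minimal PNG are constructed inline; the helper names are my own.

```python
import gzip
import struct
import zlib
from datetime import datetime, timezone

def gzip_internal_mtime(data):
    """Return the gzip header MTIME as a UTC datetime, or None if it is 0.

    RFC 1952 layout: bytes 0-1 magic 1f 8b, byte 2 method, byte 3 flags,
    bytes 4-7 MTIME (little-endian Unix time; 0 means not available).
    """
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    mtime = struct.unpack_from("<I", data, 4)[0]
    return datetime.fromtimestamp(mtime, timezone.utc) if mtime else None

def png_internal_time(data):
    """Return the PNG tIME chunk (image last-modification time, UTC) or None."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tIME" and length == 7:
            year, mon, day, hh, mm, ss = struct.unpack(">H5B", body)
            return datetime(year, mon, day, hh, mm, ss, tzinfo=timezone.utc)
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return None

def png_chunk(ctype, body):
    """Build one PNG chunk with its CRC; used here only to construct the sample."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a gzip stream with MTIME = 2007-12-03 00:00:00 UTC and a
# minimal PNG (IHDR, tIME, IEND; no image data is needed for the parser above).
SAMPLE_GZ = gzip.compress(b"hello", mtime=1196640000)
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"tIME", struct.pack(">H5B", 2007, 11, 14, 9, 30, 0))
              + png_chunk(b"IEND", b""))

if __name__ == "__main__":
    print("gzip MTIME:", gzip_internal_mtime(SAMPLE_GZ))
    print("PNG tIME:  ", png_internal_time(SAMPLE_PNG))
```

A mismatch between such an internal timestamp and the file system timestamps is exactly what the new column and the timestamp filter let you surface quickly.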


* Some metadata is now extracted from most PDF documents.
Details available for Zip archives.


* The option to copy/append metadata to comments has been
moved to the same new context menu command “Extract internal
metadata”.


* Ability to detect MS Office files (Word, Excel and
PowerPoint) with Microsoft DRM (Digital Rights Management) or
Oracle IRM applied. Such files are marked with e! in the
Attribute column, just as file format specifically encrypted
files are. Requires the latest version of the viewer component.


* The hash set column now comes with a filter that allows you
to focus more conveniently on files whose hash values are
contained in selected hash sets or are not contained in selected
hash sets.


* When using the Recover/Copy command, overlong paths are now
truncated and rendered legal if shortening the last path
component can achieve that. Any file with a path still longer
than 259 characters after this attempt will, as before, not
be copied but rather be associated with a report table (so that
such files can be conveniently addressed and copied separately
without the path), because it wouldn't be possible to deal
with such a file in Windows anyway.
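Added example, not X-Ways code: the Recover/Copy rule described above applied to constructed Windows-style output paths. Only the last component is shortened; keeping the file extension is my assumption (the page does not say how the component is shortened), and paths that still do not fit go to a report-table list instead of being copied.

```python
import ntpath  # Windows path rules, usable on any platform

MAX_PATH_LEN = 259  # the limit named in the release note

def legalize_path(path, max_len=MAX_PATH_LEN):
    """Return path unchanged if it fits, else shorten its last component.

    The extension is kept so the file type stays recognizable (assumption).
    Returns None if shortening the last component alone cannot make it legal.
    """
    if len(path) <= max_len:
        return path
    head, tail = ntpath.split(path)
    stem, ext = ntpath.splitext(tail)
    budget = max_len - len(head) - 1 - len(ext)  # 1 for the backslash
    if budget < 1:
        return None
    return ntpath.join(head, stem[:budget] + ext)

def plan_recover_copy(paths, max_len=MAX_PATH_LEN):
    """Split output paths into {original: legal path} to copy and a
    'report table' of items to be handled separately without their path."""
    copied, report_table = {}, []
    for p in paths:
        legal = legalize_path(p, max_len)
        if legal is None:
            report_table.append(p)
        else:
            copied[p] = legal
    return copied, report_table

# Constructed sample paths: one short, one with an overlong file name,
# one whose directory part alone already exceeds the limit.
SAMPLE_PATHS = [
    "C:\\Cases\\001\\export\\readme.txt",
    "C:\\Cases\\001\\export\\" + "x" * 300 + ".docx",
    "C:\\" + "\\".join(["deep_directory_name_0123456789"] * 10) + "\\file.bin",
]

if __name__ == "__main__":
    copied, report_table = plan_recover_copy(SAMPLE_PATHS)
    for src, dst in copied.items():
        print(f"copy  {len(src):4d} -> {len(dst):4d} chars: {dst[:60]}...")
    for src in report_table:
        print(f"report table (not copied): {src[:60]}...")
```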


* Support for multiple daylight saving variants in the same
time zone in different years. Predefined for USA, Canada,
(Western) Australia, and New Zealand with recent daylight
saving changes in mind. Additions and corrections welcome.


* UTC-based timestamps displayed in the registry viewer and
in the registry report now respect the “Show time zone bias”
option so that it's obvious if and how they have been
converted to local time. The same time zone settings as for
the active case are used.


* When analyzing small amounts of data (<50000 bytes) with
Tools | Analyze Data, the compression ratio that zlib achieves
for that data is now displayed in the analysis window caption.


* Attachments in original .eml e-mail message files (not
virtually produced by X-Ways Forensics itself) can now be
extracted if you add *.eml to the series of file masks for
e-mail extraction.


* Sectors mode is now labeled either Disk, Partition, Volume,
or Container, depending on the nature of the medium/image
represented by the data window.


* Ability to find files via file header signatures and
recover or merely list them with file sizes larger than 2 GB.


* Both File Header Signature Search and File Recovery by Type
now distinguish between default file sizes that are used if
the internal algorithm does not support a certain file type
and a maximum file size that limits the attempt of the
internal algorithm to find the end of files of specially
supported file types.


* Ability to create partial raw images and .e01 evidence
files by specifying a sector number that is not the last
sector on the disk as the last sector to copy.


* Support for .e01 evidence files that consist of more than
512 segments.


* Greatly reduced memory requirement for .e01 evidence files
that consist of a lot of segments.


* Cases now remember for each evidence object an optional
alternative path where additional image file segments are
stored. That means you do not have to pick the additional
path each time you open the evidence object. Useful if your
images are too large to fit on the same drive (letter).


* Ability to securely wipe inactive directory entries on FAT
volumes, to thoroughly remove traces of previously existing
files or earlier names/locations of existing files from the
file system. Tools | Disk Tools | Initialize Directory
Entries. (still testing) Useful especially in conjunction
with the command to initialize all free space. Available
in WinHex only, not in X-Ways Forensics.


* Parsing the NTFS system file $LogFile for Preview/View is
now considerably faster.


* MFT auto coloring now optionally even works on corrupt
partitions that are not recognized as NTFS volumes any more
and on physical media.


* It is now possible to more conveniently categorize files
(i.e. associate them with report tables) using keyboard
shortcuts. Try Ctrl+1, Ctrl+2, …, Ctrl+9 to create report
table associations for selected files. Alternatively, if
NumLock is activated, the numpad keys can also be used,
on most computers at least. You can assign these keyboard
shortcuts to your most important report tables yourself by
pressing the keys in the dialog window for report table
associations. The assigned shortcuts will be remembered by
the case.


* The internal creation and modification date available in
evidence file containers created by X-Ways Forensics 14.5
and later can now be seen in the evidence object properties
when a container is added to a case. Also you can now easily
tell from the properties whether an evidence file container
is considered secure (filled with the indirect method) or
not.


* When adding a container to a case that contains an internal
description, that description is now shown in a message box
in addition to the evidence object properties. That is
useful because this field allows the preparer of a container
to send messages/instructions/hints/comments to the recipient.


* Seconds in timestamps can now optionally be displayed with
up to 3 decimal places after the decimal point in the
directory browser, wherever that precision is available
(e.g. NTFS and Reiser4 file systems and partially in FAT).


* File sizes can now optionally be always displayed in bytes
in the directory rather than in KB, MB, or TB.


* It is now possible to recursively tag selected directories
in an already recursive list.


* Item numbers in the directory browser are now 1-based
instead of 0-based.


* An additional column displays the internal ID of the
parent directory of a file or directory. Useful e.g. when
exporting a list of files and directories to uniquely
identify directories if there are name collisions.


* Fixed inability to create the case report when not
overwriting an existing file. (since v14.5 SR-1)


* Files in archives in containers were displayed in the
gallery only with an icon instead of a thumbnail despite
the option in General Options. This was fixed. (since v14.5
SR-1)


* Fixed output of garbage characters in the comments field
in the case report. (since v14.5 SR-2)


* Improved detection of circular links in the directory
tree of file systems. (since v14.5 SR-3)


* Many other minor improvements, some smaller bug fixes.


————————————————————-


An update to the viewer component (v8.2) is available for
download to owners of X-Ways Forensics with current update
maintenance since Nov 14, 2007. Please see below for caveats.
The update comes with the following changes:


* Concerning MS Office 2007 (Word, Excel and PowerPoint),
there is now viewing support for more Office Art, including
line styles, fills, and shapes, as well as text extraction from
SmartArt objects.


* Concerning Star Office / Open Office Calc 2.x / 8.0 and 6.0:
Extends support for viewing and transformation of Calc 2.x /
8.0 and 6.0 beyond text only. This filter now supports character
attributes (bold, underlined, color) and paragraph attributes
(alignment, tabs, spacing, borders, hidden, revisions). It does
not yet support embedded graphics.


* Concerning Star Office / Open Office Writer 2.x / 8.0 Embedded
graphics: Supports viewing and conversion of embedded graphics
in Writer 2.x / 8.0 except for draw objects in Star Office.


* Supports viewing Yahoo! Instant Messenger 8.x files.


* Fully verified support to view the 2007 versions of Outlook
and Exchange related formats: MSG, PST.


* The display of pictures is now noticeably faster.


* When printing a file and printing the path in the header
line (%P), umlauts (öüä) and probably other codepage-dependent
characters from other languages in the filename were not
displayed correctly. This was fixed.


* Certain corrupt HTML files caused problems. The viewer
component could display the top of the document, but then it
froze, and also froze X-Ways Forensics. Analogous problems
occurred when decoding certain corrupt HTML files for logical
searches or indexing. This was fixed.


* In certain .msg e-mail message files, the message body was
not readable in the viewer component. There was a clickable
link that opened a new window where the message text was
displayed in black on a very dark blue background, hardly
noticeable. The same files could be viewed normally in MS
Outlook. This was fixed.


* The viewer component completely froze when it tried to view
certain (truncated or corrupt) OpenOffice documents. This
was fixed.


* It was not possible to use the search functionality in the
viewer component to find text with German umlauts (öüä) or
other characters outside of 7-bit ASCII. This affected plain
text files for whose display options the Windows (ANSI 1252)
character set had been selected, and special file types like
MS Word documents. This was fixed.


* Certain .eml e-mail message files based on certain code
pages (like Japanese iso-2022-jp) previously could not be
viewed correctly. This was fixed.


* Another important change if you use X-Ways Forensics and
the viewer component on live machines is that the viewer
component now stores its configuration/settings in the Windows
profile (\Application Data\.oit) of the logged-on user instead
of in the Windows system registry. So avoid writing files
to the media of a live system that you would like to examine,
do not activate the viewer component in X-Ways Forensics and
make sure it’s not located in the \viewer subdirectory of
X-Ways Forensics on e.g. the external USB device from which
you plan to run X-Ways Forensics, where the viewer component
might be found and activated automatically by X-Ways Forensics.


* This version requires msvcr80.dll from the Microsoft Visual
C++ 2005 SP1 Redistributable Package. This package can be
downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=200b2fd9-ae1a-4a14-984d-389c36f85647&DisplayLang=en
(2.6 MB). On many Windows computers it is installed already, under
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_*. On other Windows computers
you need to install it before you are able to use v8.2 of the viewer
component.


* Other than the above, you simply extract the files to a
directory of your choice and point X-Ways Forensics to that
directory under Options | Viewer Programs.


IMPORTANT: Some rare files of various types that could be
viewed normally in v8.1.9 now cannot be viewed any more in
v8.2 and may provoke an exception error in X-Ways Forensics.
This is still being investigated, and we will post a message
in the Announcement section of the forum when there is
something new to report. For the time being, because of the
above, the update is recommended only to benefit from the
strengthened stability when decoding the text of corrupt
HTML files for logical searches or indexing.
