X-Ways Forensics 14.0

硬盘爱好者 · 发表于 2007-10-14 10:35:56

A beta version of X-Ways Forensics 14.0 is now available. The download link can be retrieved by querying one's license status.

What's new?

* X-Ways Forensics can now optionally keep track of which files were already viewed, and flag them visually with a green background color around the tag. This is especially useful when reviewing hundreds or thousands of documents/pictures over a longer period, to avoid accidentially viewing the same documents multiple times and to assure the user of his or her progress. A file can automatically be flagged as already viewed when viewing it in Preview or full window mode, when viewing pictures in the gallery, or when identifying a file as known good based on the hash database. This is customizable in the directory browser options dialog. To manually flag files as already viewed, you can press Alt in combination with the cursor keys. Alt+Left removes the mark. A directory will be marked as fully viewed once all files in it are marked as already viewed. The total number of viewed items in the volume snapshot can be seen under Specialist | Refine Volume Snapshot.

* Ability to delete duplicate search hits with a context menu command. Search hits are considered duplicates if they either have identical physical offsets or, if they don't have physical offsets, if their logical offsets and the corresponding internal file IDs are the same. (Comments by e-mail on the definition of duplicate search hits are welcome. Perhaps the lengths of two search hits should be identical, too, before declaring them duplicates.) No assumption must be made that the duplicate that is selected for deletion is the "less valuable" search hit (but this is subject to improvement in future releases). E.g. a search hit in a deleted file "delivery28924.pdf" might be more helpful than in the virtual file "Free space", even if it's the same search hit. Or a hit for "Smithsonian" may be more helpful than a hit for "Smith".

* Due to popular demand, it is now possible to redefine the order of the columns in the directory browser, in the directory browser options dialog. This will also change the order of the fields in the case report (i.e. in report tables), on print cover pages and in exported file listings. You can select a column for relocation by clicking its radio button. Then use the vertical scrollbar that appears at the top. You can reset the column order to the default one if you right-click that scrollbar.

* There is now a filter for the skin color percentage column, allowing to specifically address e.g. pictures with a high amount of skin tones or gray scale and black and white pictures.

* The attribute filter now allows to specifically list files that are flagged as possibly encrypted based on the entropy test ("e?").

* Improved file signature search at sector boundaries for MPEG files, in that no overlapping MPEG fragments and no MPEG fragments in the middle of known MPEG files will be output/listed any more.

* Now supports up to 75 locally accessible physical media instead of 30.

* Displaying pictures with the separate viewer component instead of with the internal graphics library is now noticeably faster (but still noticeably slower than with the internal graphics library).

* Write access possible to disk sectors under Windows Vista for physical media and partitions opened from within physical media (not opened as a drive letters in winhex) in most of the situations where this failed with previous versions of WinHex.

* The case root is now a complete overview of all evidence objects. It is now possible to remove evidence objects from the case in the case root window, and in particular to remove multiple selected evidence objects at a time (useful e.g. if you have added multiple ordinary files to the case directly instead of to a file container, which is preferable).

* E-mail messages and attachments can now be extracted from Outlook .msg files.

* Some minor improvements.

硬盘爱好者 · 发表于 2007-10-14 10:36:10

Beta 2:

* Two more columns, Sender and Recipient, have been introduced, that are filled for e-mail messages. These columns come with convenient substring filters. They can optionally be displayed dynamically, i.e. included in the directory browser only when e-mail messages are actually listed in the visible portion. This avoids wasting space on the screen for these columns when no e-mail messages are currently listed.

* It is now possible to review the (incomplete) search hit list in the middle of an ongoing simultaneous search. Clicking the search hit list button will pause the search and allow to view the preliminary search hit list, until resuming the search if necessary.

* The attribute filter now allows to specifically list files with the Hidden attribute, e-mail messages, and e-mail attachments only.

* Ability to view the messages.txt file directly from within the case properties dialog window.

* When using the Recover/Copy command in search hit lists, directories are now recreated in the output folder as files, as the user likely wants to retain the original data with the search hit. The Recover/Copy command in such situations did not branch into selected subdirectories anyway in earlier versions.

* Some other minor improvements.

硬盘爱好者 · 发表于 2007-10-14 10:36:15

Beta 2:

* Two more columns, Sender and Recipient, have been introduced, that are filled for e-mail messages. These columns come with convenient substring filters. They can optionally be displayed dynamically, i.e. included in the directory browser only when e-mail messages are actually listed in the visible portion. This avoids wasting space on the screen for these columns when no e-mail messages are currently listed.

* It is now possible to review the (incomplete) search hit list in the middle of an ongoing simultaneous search. Clicking the search hit list button will pause the search and allow to view the preliminary search hit list, until resuming the search if necessary.

* The attribute filter now allows to specifically list files with the Hidden attribute, e-mail messages, and e-mail attachments only.

* Ability to view the messages.txt file directly from within the case properties dialog window.

* When using the Recover/Copy command in search hit lists, directories are now recreated in the output folder as files, as the user likely wants to retain the original data with the search hit. The Recover/Copy command in such situations did not branch into selected subdirectories anyway in earlier versions.

* Some other minor improvements.

硬盘爱好者 · 发表于 2007-10-14 10:36:21

Beta 4:

* The Recover/Copy command is no longer covered by general logging, but has its own HTML log file, "copylog.html", which can include not only the output filename and path, but also any of the available metadata about the copied files, e.g. original name, original path, size, timest[wiki]amp[/wiki]s, true type, etc. The HTML file is created in the _log subdirectory of a case. (forensic license only)

* The Export command now creates HTML files instead of text files. The result is much more convenient to view (e.g. in a web browser, in MS Word or MS Excel), especially in the case of exported search hits with context, where the actual search term can be highlighted within the context (yellow background color). Search hit highlighting, however, is optional, as it does not have the desired effect when viewing with MS Excel. With the HTML output for search results, the main functionality of Evidor is now available in X-Ways Forensics, too. If needed, programs like MS Excel can still be used to convert the HTML to tab-delimited ASCII or Unicode text as created by earlier versions of X-Ways Forensics.

* The number of backups that X-Ways Forensics keeps for a case file is now user-definable (5 by default) instead of just 1.

* Fixes some problems of earlier beta versions.

硬盘爱好者 · 发表于 2007-10-14 10:36:31

v14.0 has just been released. The download password for X-Ways Forensics and X-Ways Investigator has changed this time.

硬盘爱好者 · 发表于 2007-10-14 10:36:39

SR-1:

* Pressing certain keys in the gallery caused X-Ways Forensics 14.0 to switch to Sectors mode. This was fixed.

* Unique output filenames for "Recover/Copy" now guaranteed also for files where X-Ways Forensics appends the presumed right extension (based on the option in Directory Browser Options).

* Disabling the exception list for indexing caused errors. This was fixed.

* Many more filename extensions were added to the file type category definition file, thanks to Günter Fabian of the state police of Upper Austria.

* Fixed search hit column output of export command. The option to export search hits without search hit context was broken.

* That partitioned areas on physical disks are omitted in file header signature searches (to avoid duplicates as the same searches can also be run on the partitions), is now optional.

* X-Ways Forensics now allows to run byte-level signature searches within evidence file containers. Can be useful to find embedded files other than JPEG and PNG in selected host files. Such files have to be collected in a container first.