A preview version of the dongle-based edition of X-Ways Forensics 19.1 is now available. The download link can be retrieved as always by querying one's license status.

NEW: If, when querying your licenses, you do not receive any e-mail message at your work address because your organization has the sending server blacklisted, you now have the option (here) to get the e-mails sent from an alternative server (different domain, different IP address), for a second chance to actually receive something.

What's new in v19.1 Preview 1?
* Support for Google's Chrome sync database, where information can be found that is synchronized across devices, such as bookmarks, form history, typed URLs, synced devices and much more. A preview HTML file is generated, and events are output to the event list.
* The type status "mismatch detected" now has an effect on the assumed relevance of a file.
* The relevance of a file now more reliably takes into account whether or not a picture is a screenshot.
* Directory icons for evidence objects that are directories, in the Case Data window, so that they can be distinguished from volumes.
* Under Windows Vista and later, attachments are now conveniently linked from the alternative e-mail representation in Preview mode.
* Option to print selected fields on the cover page in bold letters and in a different color, to draw the reader's attention to a certain aspect.
* TAR archive processing revised.
* New case conversion option for textual data in UTF-16 (Edit menu).
* Some minor improvements.
* Same fix level as v19.0 SR-4.
SR-11:
* Newly identified 3GP files were erroneously assigned to the category "Other/unknown type" by the file type verification in v19.0 SR-1 and later. That no longer happens.
* X-Tension API: Two new kinds of evidence object IDs can now be retrieved with the XWF_GetEvObjProp function (nPropType 3 and 4).
* Full filename matches in the Type filter did not count if the type status was "newly identified". That was fixed. In v18.8 and later, full filename matches should have been ignored only if the type status was "mismatch detected".
* Fixed inability of v19.0 to copy certain files along with the case report under certain circumstances if the type status was "newly identified".
Beta 1:
* Event extraction from Apple FSEvent logs.
* Improved stability while processing EDB databases. Users of v18.8, v18.9, and v19.0 may replace their copy of the file EDBex.dat with the new version that at first is tentatively included in v19.1 Preview 8 only.
* New options when importing or creating hash sets in the ordinary hash databases and the block hash database. Duplicate hash values that are already contained in the hash database can either be removed from the newly created or newly imported hash set or from all existing hash sets, to keep the hash database more compact/less redundant.
* The Full path column now comes with a filter.
* Internal metadata is now extracted into the Metadata column only from files of selected categories.
* "Display SHA-1 & TTH192 in Base32" is now a Notation option.
* Several minor improvements.
* Same fix level as v19.0 SR-11.
X-Ways Forensics 19.1 Beta 2:
* Extended attributes in HFS+ are now optionally included in the volume snapshot as child objects of the files or directories to which they belong (in X-Ways Forensics only), depending on a new 3-state volume snapshot option. If fully checked, extended attributes are presented as child objects even when they have been specially interpreted already by X-Ways Forensics internally. If half checked (default setting in X-Ways Forensics), they are presented as child objects only if they are not specially interpreted by X-Ways Forensics, assuming that the user might want to check them out manually.
* Ability to open files with resident/inline storage in HFS+.
* Ability to recognize and open compressed files in HFS+.
* HTML previews are now generated during metadata extraction for the GZ archives that contain Apple FSEvent logs.
* French translation of the user interface updated. (The translation probably has some mistakes.)
* Check boxes with long text labels that get truncated in some languages because of the limited space available now automatically come with tooltips that reveal the complete text when hovering the mouse cursor over the control.
* Sender and recipients are now also shown for MSG files to which e-mail processing was applied, not only for the extracted .eml file.
* In Edit | Define Block it is now optionally possible to enter the size of the block instead of its end offset. It is also now possible to enter the start and end of a block in terms of sector numbers instead of offsets directly.
* The Navigation | Go To menu commands are now available in File mode.
* Some more dialog windows are now slightly more clearly structured.
* Several minor improvements.
* Same fix level as v19.0 SR-12.
Posted on Thursday, Jan 19, 2017 - 8:08:

v19.1 has just been released. Additional changes:
* A new 3-state check box in General Options prevents Windows screensavers from starting and potentially requiring you to re-enter the current user's password, either only during operations that show a progress indicator window (if half checked) or generally while the program is running (if fully checked). This option has an effect no matter whether the main window is visible or whether the program is running in the background. Useful for example when acquiring a live system of which you don't want to lose control during imaging, or if you wish to keep an eye on the progress indicator on your own machine from another corner in your office.
* Options | Security | "Collect information for crash report" is now a 3-state check box. If fully checked, should volume snapshot refinement crash the program, restarting the program will also point out which suboperation exactly was applied to the problematic file(s) when the program crashed. It has not been tested whether this enhanced granularity of logging might cause any noticeable slowdown. There may be multiple candidates for the problematic file that triggered the instability if multiple worker threads were active at the time of a crash. Unlike in v19.0, all of them are now logged, and they are now presented with the help of the Int. ID filter upon restart.
* Fixed inability to process bz2 archives.
* User manual and program help updated for v19.1.
* Some commands in the directory browser context menu in v19.1 did not always appear as they should have appeared. That was fixed.
* An exception error that could occur in v19.1 when hashing files should no longer occur now.
* The JPEG quality detection now also works for rotated JPEGs.
* Some minor improvements.
* Computing hash values and matching them against hash databases was not done repeatedly in the original v19.1 release. Now it is done repeatedly again, and that operation is now officially documented as one of the operations that will be applied repeatedly to the same files in a volume snapshot, the only other exception being indexing.
* Many descriptions for registry events were not output to the event list. That was changed. This improvement will also be applied to v19.0 SR-13.
* Some minor improvements and fixes.