A preview version of X-Ways Forensics 13.8 is now available. The download link can be retrieved by querying one's license status.
What's new?
* The logical simultaneous search has been removed from the directory browser context menu and integrated in Search | Simultaneous Search. It no longer searches the _selected_ files, but either all files or tagged files. Search | Simultaneous Search can now execute both physical and logical searches. Logical searches have been reworked internally and now always process the files in the order in which they appear in the volume snapshot (i.e. sorted by internal ID).
* The physical simultaneous search is finally obsolete in the forensic edition when searching entire media, as the logical simultaneous search now has a solution for the file slack/free space paradox, by searching all file slack/free space transitions separately. (The paradox is that although all file slack and free space is searched, not all occurrences of the search terms in these areas are found by certain standard computer forensics software products.)
* For irrelevant, hidden, or filtered out files, the logical search now allows to limit the search to the file slack. This saves times and reduces the number of irrelevant hits.
* Indexing can now be limited to the slack of irrelevant, hidden, or filtered out files, too.
* It is now possible to start indexing after volume snapshot refinement automatically.
* It is now possible to a certain degree to continue reviewing files while searching logically, as the directory browser is no longer blocked.
* When decoding PDF/OpenOffice/WPD/HTML files for the logical search, the text output is now in 16-bit Unicode instead of ASCII. That means Unicode should be enabled for searching when using this option (will be ensured by the final 13.8 version automatically).
* The volume snapshot can now be refined and an index can be created for _selected_ evidence objects at the same time. If both actions (volume snapshot refinement and indexing) are scheduled at the same time, at first the volume snapshots of the selected evidence objects will be refined, then the index will be created for these evidence objects, and finally the indexes will be optimized (which is optional and can be aborted at any time, as before).
* The volume snapshot can now be refined for physical, partitioned media. This is useful to conveniently list files in unpartitioned space that can be found via a header signature search. Files in _partitioned_ space can be found with a signature search within the corresponding partition only, as before. This prevents duplications.
* Physical media now offer a File mode, a Preview mode, and a Gallery mode. Useful for files found via a header signature search.
* Self-extracting .exe archives as created by WinZip (tested with v9.0 and v11.0), WinRAR (GUI and console .exe files, Zip and RAR compression, tested with v3.0, v3.3, v3.62, and v3.7 beta), 7-Zip (tested with v4.42), and WinACE (tested with SFX-Factory 2.64) are now internally detected by the file signature check. They are classified as the file type "sfx" and assigned to the category "Archives" so that they can be specifically targeted. This prevents that compressed files in such archives go totally unnoticed in an investigation. .exe archives with Zip compression can be viewed in Preview mode, other self-extracting archives need to be copied off the image and opened with an appropriate tool like WinRAR or 7-Zip.
* Reading from compressed evidence files is now considerably faster.
* CRC32 computation is now somewhat faster.
* When assembling a hardware RAID, the header size of a component may now exceed 65,535 sectors.
* Now 48 instead of 32 script variables supported simultaneously.
* Tools | Disk Tools | Set Disk Parameters for a physical disks now accepts blanks for the C/H/S values. If left blank, suitable values will be computed by X-Ways Forensics itself.
* The data analysis feature now works with more than 4 billion occurrences of the same byte value. So although it is meant to be applied to much smaller amounts of data, this functionality can now be safely be applied to many GB of data. The increased computation time was compensated by omitting the checksums. Test results welcome.
