A preview version of X-Ways Forensics 14.8 is now available. The download link can be retrieved by querying one's license status.
What's new?
* Ability to extract JPEG pictures from video files, in a user-defined interval (e.g. every 20 seconds). Immensely useful if you have to systematically check many videos for inappropriate or illegal content (e.g. child pornography). Looking at extracted pictures in the gallery is much faster and more comfortable than having to watch each video entirely one after the other, as the amount of data is vastly reduced, and the extraction process can be run unattended e.g. over night.
Also useful if you need to include still pictures in a printed report. The extracted pictures of each video are collected in a virtual directory named after the orginal video file, as virtual files, in the same path as the original file, so that it's easy to link suspicious still pictures back to a video. The first extracted picture of a video at the same time serves as a preview picture for the video file in Preview and Gallery mode. ASF/WMV videos protected with digital rights management (DRM) cannot be processed and are consequentially marked with e! in the Attr. column.
Requires an external program, either the non-GUI version of MPlayer and its separately downloadable codec package (extract to "codecs" subdirectory of MPlayer), or Forensic Framer (available February 2008). The program has to be selected in Options | Viewer Programs. Pictures can be extracted from these video formats and codecs.
* Ability to rename virtual directories, with a new command in the directory browser context menu.
* Ability to preview/view $EFS logged utility streams (LUS).
* The option to filter out $EFS logged utility streams was removed from the directory browser option dialog. An option was added that keeps NTFS LUS from being included in newly taken volume snapshots in the first place, or only non-$EFS LUS. Useful for NTFS volumes written by Windows Vista if you are not interested in NTFS LUS.
* Attribute filters for NTFS $EFS, other logged utility streams, NTFS offline files, files with object ID, Unix/Linux symlinks, and other Unix/Linux special files.
* Attribute filters for pictures that were extracted from videos and for virtual files that were manually attached to a volume snapshot.
* Option to retain alternate data streams as ADS when using the Recover/Copy command if the output volume is formatted with NTFS. (forensic license only) If disabled or if copied to a different file system, ADS are recreated as conventional files, as before.
* When using the Recover/Copy command to copy files including their path, the name of the evidence object is now recreated as a directory also if "Default to evidence object folders for output" is unchecked in the case properties, not only when copying from a recursively explored case root window.
* Metadata extraction from MP3 files. ID3-embedded files other than JPEG and PNG (which can be automatically extracted) are indicated by a special report table once discovered.
* File Type Signatures.txt, File Type Categories.txt, and file carving further expanded and improved.
* Support for anchors in the GREP syntax: \b for a word boundary, ^ for the start of a file, $ for the end of a file.
* Further improved partial support for CD-ROM XA.
* Should X-Ways Forensics crash during Refine Volume Snapshot, Logical Search or Indexing whenever it is dealing with one of the file in the volume snapshot, you will automatically be pointed to the offending file when you restart the program, so that you can easily omit it when trying again. Depends on a new option in Security Options. The VS.log file known from v14.7 is no longer created.