A preview version of X-Ways Forensics 15.4 is now available. The download link can be retrieved by querying one's license status.
What's new?
* Considerably reduced main memory requirements for large volume snapshots (i.e. volume snapshot with a lot of files), allowing to open and analyze volumes with many more million files than in earlier versions (roughly 100% more) with the same amount of available main memory. Please note that the volume snapshot format has changed, so that earlier versions cannot open volume snapshots saved by v15.4 and later.
* Even more deleted files can now typically be found on NTFS volumes and included in the refined volume snapshot when running the particularly thorough file system data structure search. This deleted files can be listed with filenames, path, timestamps etc. Forensic license only.
* Often X-Ways Forensics can now also retrieve a true deletion timestamp for previously existing files during the particularly thorough file system data structure search. Even more deletion timestamps can be found when viewing/previewing $UsnJrnl:$J. These is a very unique features, available for NTFS volumes. Forensic license only. Please don't confuse it with so-called deletion timestamps that other forensic tools may show you on NTFS volumes, for files that have not even been deleted from the file system.
* Option to exclude deleted files from volume snapshots when the they are taken. Useful if you are interested or not supposed to look at deleted files.
* Option to exclude the time-consuming search for FILE records outside of the $MFT from the particularly thorough data structure search in NTFS.
* It's now possible to see and copy the hit counts for selected search terms in the search term list. These hit counts are based on the current settings for the search hit list that is on the screen, take all filters into account, the explored path, any active AND combination etc. Forensic license only.
* It is now possible to search for more than 1 search time at a time in an index search. (In this preview version, the edit box for the search terms does not yet work exactly as it is meant to work.) It is now also possible to control the substring and word extension options for index searches run from within the case root window. Forensic license only.
* Improved detection of the sector size and different Apple partition table layouts in CD/DVD raw images.
* Support for HFS+ volumes on optical discs or in images with a sector size of 2048 bytes. Forensic license only.
* Ability to change the attributes "temporary" and "not indexed" of a file in File | Properties, using the letters T and X, respectively.
* The Back and Forward commands in the Position menu and the Back and Forward buttons in the toolbar now allow to conveniently go back to a certain directory browser setting. This takes into account: explored path, recursive or non-recursive, sort criteria, on/off state of all filters, settings of some of the filters, some directory browser options. The Back and Forward commands also allow to activate the previously active data window again when switching between windows (does not work for viewer windows yet). Forensic license only.
* The filters have been given some "intelligence" when navigating from a parent file to a child file or vice-versa, so that the filters "know" when it's a good time to be turned off. Forensic license only. For example: - If you are using a filter to focus on all extracted e-mail messages recursively, and then you double-click an individual e-mail message to have a look at its attachments in the directory browser, the filter is automatically deactivated, so that you can actually see these attachments. A simple click on the Back button returns to the previous point of exploration and restores the previous filter settings and the last selection, so that you can easily continue reviewing the next e-mail message! - If you are using a filter to focus on videos or documents, and then you double-click a video or a document to see the video stills exported for that video or the embedded pictures in that document, respectively, the filter is automatically deactivated, too. - When you are viewing video stills only, in a gallery, and you use the Backspace key or "Find parent object" menu command to navigate to the video that this still belongs to (e.g. in order to play that video), then any active filters will be turned off so that the video can actually be listed. A simple click on the Back button returns to the previous overview of stills, enables the previous filters again, and restores the last selected item, so that you can easily continue with the next still! - This works analogously when systematically looking at e-mail attachments, if occasionally for relevant attachments you would like to view the containing e-mail message (and e.g. print it or include it in a report) and then return to the list of attachments.
These two new features combined, intelligent filters on the one hand and back/forward navigation in the directory browser on the other hand, are expected to further improve the usability of the software tremendously.
* It is now possible to explore directories and files with child objects listed in the case root window, e.g. by double-clicking them. For that, the data window will automatically be activated that represents the evidence object that contains the directory or file. With the Back command you can conveniently return to the case root window.
* Improved StreamMRU decoding for the registry report to reveal folders on removable media.
* Error in index search in v15.4 Preview fixed.
* Toggling decimal and hexadecimal offsets by clicking the offset column stopped working in certain situations in v15.2 and v15.3. This was fixed.
It also seems to have fixed an issue with Recovery/Copy of long filenames.
We are working a case where we are extracting lots of files out of about 50 images. With the previous release we were seeing a handful of files that were failing to export due to filename (or path) too long. (Nice error messages and report associations, but none the less, no files even though the paths were less than 540 chars).
We've tested several of the problematic files with 15.4 this morning and no issues. Thanks for fixing it before we had time to complain. (And I'm glad we renewed our maintenance just in time to get the new functionality.)
[/QUOTE]
