What's new in v16.1?
X-Ways Forensics can now process Exchange EDB databases and extract user mailboxes with their e-mail, attachments, contacts, appointments and tasks. Requires X-Ways Forensics to run under Windows Vista or later. Still in a testing stage, and can be very slow for huge databases.
File editing and tools
Ability to edit files without using operating system file write commands, directly on a disk/in a raw disk image in any file system supported, even if not supported by Windows, even files not seen by Windows (e.g. deleted files), even in partitions not seen by Windows (e.g. because damaged or deleted), without changing any timestamps or attributes, in in-place mode. For this new editing capability, the file must have been opened from within the already opened volume that contains it, via the Open command in the directory browser context menu or in File mode (forensic license only). Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be edited, except in an evidence file container if they have been copied there from the original disk/image.
Previously it was only possible to edit files when opened via File | Open, using operating system file write commands or indirectly by editing disk sectors. In File mode (forensic license only) and when opening files from within already opened volumes, the only available mode so far was read-only mode. All of this has changed. Note that files cannot be shortened or expanded that way, only the data in already allocated areas can be modified. Editing files opened directly from within disks/raw images as described above is possible in WinHex only, not in X-Ways Forensics or X-Ways Investigator, where sector level write access (to which file editing is internally translated) is disabled and where the only mode available for disks and interpreted images and files opened from within volumes continues to be read-only mode. For owners of a license for X-Ways Forensics, this change only affects the special WinHex version that they receive additionally, not X-Ways Forensics itself.
In forensic computing, electronic discovery and IT security, the new edit capability can be helpful to manually redact (e.g. overtype) specific data that should not be examined/disclosed/seen or to securely erase specific areas within files (e.g. define as a block and fill the block). Note that evidence file containers are raw images if they have not been converted to the .e01 evidence file format and thus allow for retroactive file editing, which, however, will invalidate any accompanying hash values. It is even possible to edit directories, i.e. the clusters with directory data, e.g. INDX buffers in NTFS, for example if you need to redact the names of certain files.
New file wiping functionality for files and directories that are selected in the directory browser, via a command in the context menu. The data in the logical portion of a file (i.e. excluding the file slack) and the major data structures of a directory (such as INDX buffers in NTFS and directory entries in FAT) will be erased/overwritten with a hex value pattern of your choice. The existence status of the file in its file system will not be changed. No file system level metadata such as timestamps or attributes will be updated because no operating system file level write commands are used. No file system data structures are changed, and no filenames will be erased, only the contents of files will be overwritten. Compressed files or generally files within other files (e.g. e-mails and attachments in e-mail archives) cannot be erased. Previously existing files whose clusters are known to have been reused will not be erased. Note that by erasing deleted files you might erase data in clusters that belong to other files, so only select existing files if you want to avoid that (assuming consistent file systems). Also note that by erasing carved files you may erase too much or not enough data, depending on the detected file size and depending on whether the file was originally fragmented. This functionality is only available in WinHex, not in X-Ways Forensics.
Useful for example if copies of images are forwarded to investigators/examiners who are not allowed to see the contents of certain files. Useful also if you have to return computer media on which child pornography has been found to the owner after clearing these files. Also useful if you are preparing images for training purposes that you would like to publish and would like to retroactively erase the contents of copyrighted files (e.g. operating system or application program files).
Both successfully erased files and files that could not be successfully erased will be added to separate report tables by which you can filter to verify the result.
Cool new function to create hard links of files on NTFS volumes. Useful for example to play around with hard links during our File Systems Revealed training, or if you would like to add the same image to the same case again, which is only possible under a different name. The hard links will be created in the same directory and of course can be renamed and moved by you after they have been created. Tools | Disk Tools | Create Hard Link.
More powerful and convenient batch processing thanks to an option to automatically trigger logical searches (previously only indexing) after volume snapshot refinement and thanks to an option to trigger the volume snapshot refinement (and therefore indirectly also logical searches) immediately after adding images to the case. That means you click through all the dialog windows initially and then run the selected operations without further user interaction. The operations will be run in this order: First all images are added to the case. Then the volume snapshots will be taken and refined if selected. After that, for selected evidence objects (previous or newly added ones) a logical search will be run if selected. Finally for each selected evidence object an index can be created.
Ability to invoke the menu commands to refine volume snapshots and run logical searches in selected evidence objects even when no data window is open at that time. As always, these operations will open data windows themselves when needed and close them automatically when no longer needed, to avoid unnecessary main memory utilization by loaded volume snapshots.
A new case tree context menu command that allows to export any portion of the tree to a Unicode text file. The tree will be represented exactly in its current state of expansion and can span all evidence objects. To export a subtree, right-click a directory while holding the control key. Use a fixed font to view the text file. Remember to fully recursively expand a portion of the tree that you want to export: click the root of that portion and press the asterisk (multiplication) key on the numeric keypad.
Ability to change the order of evidence objects in the case tree, via the properties dialog window, except for "dependent" evidence objects (partitions that belong to a physical disk).
Shorter and language-independent case subdirectory names in all cases created by v16.1 and later.
More convenient procedure when the path or drive letter of an image in a case has changed, especially if the image was added to the case in v16.1 and later and you have updated the standard directory for images in the General Options already.
Notification when opening a case if it can only be opened as read-only because of the read-only file attribute or because of insufficient file permissions.
Ability to interpret VMware's Virtual Machine Disk images (VMDK) in addition to .e01 evidence files, raw/dd images, ISO images and VHD images.
Ability to automatically hibernate the system after disk imaging, image restoration and disk cloning. (Previously the only option was to shut down the system.) If Windows signals that hibernation fails, X-Ways Forensics will instead try to shut down the system.
Imaging with compressed .e01 evidence files as the output format accelerated for disks that contain large areas of binary zeroes, for example because they were wiped by the user some time or zeroed out by the manufacturer and never completely filled.
New "sparse" compression option for .e01 evidence files that only compresses large areas of zero value bytes in a very efficient way.
Additional information included in imaging log.
Additional edit window in the registry viewer that tells you the logical size of the selected value and the size of its slack. It also interprets registry values of the following types, as known from the registry report: MRUListEx, BagMRU, ItemPos, ItemOrder, Order (menu), ViewView2, SlowInfoCache, IconStreams (Tray notifications), UserAssist, Timestamps (FILETIME, EPOCHE, Epoche8), MountedDevices, OpenSavePidlMRU, LastVisitedPidlMRU, and more. The new edit window now also displays the access rights/permissions of the registry keys if (Default) is selected.
New special table "External Memory Device" included in registry report that can be retrieved from Software hives of Windows Vista and later that lists external media with access timestamps, hardware serial number, volume label, volume serial number and volume size (size often only under Vista). Select the definition file "Reg Report Devices.txt" to get the table.
New special table in the registry report called "Browser Helper Objects", compiled with data from the hives NTUSER.DAT and SOFTWARE, about browser usage.
New Export List command in the registry viewer context menu allows to export all values in the selected hive to a tab-delimited text file.
Several small improvements in the registry viewer/report.
New version of the internally used graphics viewing library.
New version of the internally used library for archive decompression.
Many additional file signature definitions, mostly for file type verification only.
The thorough file system data structure search will now check INDX buffers for index records referencing existing files that are not referenced in the $MFT any more because the $MFT is in a corrupt or incomplete state, for example because the image is incomplete.
The metadata extraction functionality has been removed from the directory browser context menu. It is now part of the Refine Volume Snapshot command and thus cannot be applied to selected files any more, but to either all files, tagged files or not hidden files.
You can now conveniently close viewer windows (whose contents are provided by the viewer component) by hitting the Esc key on your keyboard.
It is now possible to close filter dialogs by clicking the "x" in the upper right corner or by pressing Alt+F4 without deactivating the filter if it is active and without losing selection and scroll position in the directory browser.
When using the Recover/Copy command and the output filename has to be shortened to fit in the maximum path length specified by the user, the filename is now shortened in a nicer way, by preserving the extension whenever possible. (forensic license only)
Indexing slightly accelerated.
Many minor improvements.
Posts total: 2156 | Registered: 15-01-2003 | Posted: 11:36 20-07-2011 | Edited: CHELDAN, 11:38 20-07-2011
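The wiping and in-place editing behaviour described in the changelog above (overwrite only the logical portion of a file, leave slack and metadata untouched, refuse to wipe a deleted file whose clusters have been reused, and accept that the image hash no longer matches afterwards) can be reproduced on a raw image with a few lines of Python. The following is an added example, not X-Ways/WinHex code and not part of the original post. It assumes the examiner already knows the file's cluster runs, logical size and the cluster size (the values a file system parser would report), and it operates on a constructed in-memory raw image rather than a real evidence file.

```python
"""Added example (not X-Ways code): sector-level wiping of a file's logical
content inside a raw (dd-style) disk image, without any OS file-level write."""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

Run = Tuple[int, int]          # (first_cluster, cluster_count), as a file system records it

# Constructed demo layout (assumption, not real evidence): 512-byte clusters,
# existing file A occupies clusters 2-3 with a logical size of 700 bytes, so the
# last 324 bytes of cluster 3 are slack. A deleted file D once used cluster 3.
CLUSTER_SIZE = 512
N_CLUSTERS = 8
FILE_A_RUNS: List[Run] = [(2, 2)]
FILE_A_SIZE = 700
DELETED_D_RUNS: List[Run] = [(3, 1)]


def build_demo_image(cluster_size: int = CLUSTER_SIZE) -> bytearray:
    """Fill an image so that file content, slack and unrelated clusters are distinguishable."""
    img = bytearray(b"U" * cluster_size * N_CLUSTERS)          # 'U' = unrelated clusters
    start = 2 * cluster_size
    img[start:start + FILE_A_SIZE] = b"A" * FILE_A_SIZE        # logical content of A
    img[start + FILE_A_SIZE:start + 2 * cluster_size] = b"S" * (2 * cluster_size - FILE_A_SIZE)  # slack
    return img


def runs_to_byte_ranges(runs: Iterable[Run], cluster_size: int) -> List[Tuple[int, int]]:
    """Translate cluster runs into absolute (offset, length) byte ranges in the image."""
    return [(first * cluster_size, count * cluster_size) for first, count in runs]


def wipe_logical_content(image: bytearray, runs: Iterable[Run], cluster_size: int,
                         logical_size: int, pattern: bytes = b"\x00") -> int:
    """Overwrite only the logical portion of a file (never its slack) with a
    repeating hex pattern. Writes go straight into the data clusters, so no
    timestamp, attribute or directory entry is touched. Returns bytes written."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    remaining, written = logical_size, 0
    for offset, length in runs_to_byte_ranges(runs, cluster_size):
        if remaining <= 0:
            break
        n = min(length, remaining)
        fill = (pattern * (n // len(pattern) + 1))[:n]   # exactly n bytes of pattern
        image[offset:offset + n] = fill
        remaining -= n
        written += n
    return written


def overlapping_clusters(runs_a: Iterable[Run], runs_b: Iterable[Run]) -> Set[int]:
    """Clusters shared by two run lists. A deleted file whose clusters were
    reused by an existing file must not be wiped, or the existing file dies too."""
    def expand(runs: Iterable[Run]) -> Set[int]:
        s: Set[int] = set()
        for first, count in runs:
            s.update(range(first, first + count))
        return s
    return expand(runs_a) & expand(runs_b)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> Dict[str, object]:
    """Wipe file A in the constructed image and report what changed."""
    img = build_demo_image()
    before = sha256_hex(img)
    conflict = overlapping_clusters(DELETED_D_RUNS, FILE_A_RUNS)   # {3}: D must NOT be wiped
    written = wipe_logical_content(img, FILE_A_RUNS, CLUSTER_SIZE, FILE_A_SIZE, b"\xde\xad")
    slack_start = 2 * CLUSTER_SIZE + FILE_A_SIZE
    return {
        "written": written,                                          # 700
        "hash_changed": before != sha256_hex(img),                   # accompanying hash now invalid
        "slack_intact": img[slack_start:4 * CLUSTER_SIZE] == b"S" * 324,
        "others_intact": img[:2 * CLUSTER_SIZE] == b"U" * 2 * CLUSTER_SIZE,
        "conflict": conflict,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `overlapping_clusters` check is the part to run before wiping any deleted or carved file: if it returns a non-empty set, the wipe would destroy data belonging to a live file, which is exactly the caveat the changelog raises. Re-hash the image after the operation and record the new value in the case notes, since the original acquisition hash will no longer verify.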