Ru.Board Computer Forum » Computers » Software » X-Ways WinHex


SAT31



Gold Member
Preview 1:
 
File Format Support  
 
* Ability to view browser SQLite databases after generating previews for them using a new option in Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and more, which also requires that the files have been checked for their true file type. Supports Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, and Safari feeds. Still testing.  
* Ability to view Internet Explorer index.dat files after generating previews for them with the same function.  
* Ability to generate previews as child objects for Windows Event Logs (.evt and .evtx).  
 
(Future releases are supposed to generate such previews for even more file formats.)  
* The new HTML child objects can not only be used internally by X-Ways Forensics for previews of the parent file. You can also view all of these tables in an external program such as your preferred browser or in MS Excel by sending these child objects to the program of your choice (directory browser context menu). The existence of HTML child objects with searchable text for browser data, event logs and more data sources in future releases also improves effectiveness of searches and indexing.  
* Ability to view Outlook NK2 auto-complete files, Outlook WAB address books, and Internet Explorer travellog files (a.k.a. RecoveryStore).  
* Ability to extract metadata from MS Access database files.  
 
File System Support
 
* Support for MBR LVM2 and GPT LVM2 partitioned disks as commonly used by Fedora/Red Hat and also available in Debian. Single-disk approaches (like the default behaviour when installing Fedora on an ordinary hard drive) and spanned volumes (i.e. logical volumes spanning several physical disks) are supported; the latter require all constituent disks/images to be open in X-Ways Forensics in order to find all data required.  
* NTFS FILE record 0x30 attribute timestamps are now displayed in Details mode next to their 0x10 counterparts.  
* Ability to recognize the new ReFS file system as such.  
 
File Carving
 
* File header signature search: That the start sectors of files that are already known to the volume snapshot are always excluded from file carving is now optional. Of course, X-Ways Forensics still tries to prevent duplicates, but if the file header signature definition or the internal file size detection is strong enough to suggest that a known deleted file was overwritten with a new file, then that new file will be carved although it shares the same start sector with the known file.  
* If you intentionally abort the file header signature search or if the file header signature search causes X-Ways Forensics to crash, next time when you start a file header signature search in the same evidence object, you will find an option to resume it right where you had interrupted it, or where it was when the volume snapshot was last saved before the crash occurred (depends on the auto-save interval of the case).  
 
Image Support
 
* Support for VMDK snapshot images. The base image and any preceding snapshot images have to be open and interpreted already when interpreting a later snapshot.  
* Ability to create evidence file containers from File | Create Disk Image where some new users may expect that kind of functionality. (X-Ways Forensics only, not WinHex)  
* The field to include notes in an .e01 evidence file when creating an image is now larger and allows the use of line breaks. Useful if you wish to use it for more information and structure the notes more clearly.  
 
Usability
 
* When starting volume snapshot refinements, simultaneous searches or indexing, most other functionality now remains accessible and usable. The directory browser, the case tree and all other user interface elements including all menus remain reasonably responsive most of the time. That means for example you can continue to view files, enter comments about them, add them to report tables, explore directories, activate or deactivate filters, sort files, print files, open and close other evidence objects. BTW, there is an option to minimize the small progress indicator window if you right-click its caption.  
* Multiple dongles attached to the same computer (e.g. terminal server) are now supported, to allow for multiple simultaneous users at the same computer not only with multi-user dongles (cf. http://www.x-ways.net/forensics/dongle.html). Each user can select which dongle to use when starting up the software. The ID of the dongle that he or she had used last will be preselected. The textual notes that are stored in the dongles, if any, will also be displayed to make it easier to choose the right dongle.  
* If the only filter that is active is the "naturally active" filter that causes hidden items not to be listed, and when items that are hidden are actually filtered out in the directory browser, then the additional filter icons that indicate an active filter are now displayed in gray, no longer in glaring blue, to reinforce the notion that it is *normal* that hidden items are not listed and nothing else is filtered out.  
* Options in Name filter dialog clarified.  
* The option to power down or hibernate the computer after completion of imaging or disk cloning is now available in the progress indicator window, so that you can still see during the process whether you had selected it and so that you can still change your mind.  
* Virtually attached files now have a paperclip icon.  
* Pressing the backspace key and spacebar now work in the case tree.  
* Several minor improvements. Same fix level as v16.4 SR-5.
 
Preview 2:
 
* Revised extraction of e-mail messages and attachments from MSG files that does not require MAPI. Still testing.  
* Ability to use the General Position Manager in File mode.  
* Automatic highlighting of aligned FILETIME values in Disk/Partition/Volume and File mode. Useful when manually inspecting files of various Microsoft formats which may contain more timestamps than can be automatically extracted (try e.g. with index.dat, registry hives, .lnk shortcut files etc. etc.). If the lower half of a data window has the focus and FILETIME values are highlighted, you may also hover the mouse cursor over such a value to get a human readable interpretation of the timestamp. Alternatively, of course, you could get it from the data interpreter if you click the first byte of the value.  
* The volume snapshot option "Include files whose clusters are unknown" has turned into one of the infamous 3-state options. If fully checked, all previously existing files of which metadata only is known will be included in a volume snapshot. If not checked at all, those files will be ignored. If half checked, only files for which more than just the name is known (e.g. size, attributes, and timestamps) will be included, e.g. found in index records in INDX buffers or in $LogFile in NTFS, but not directory entry remnants in Ext* or Reiser file systems.  
* Some fixes and improvements, among them for Internet browser previews.
 
Preview 3:
 
* Some fixes.
 
Preview 4:
 
* Support for various UDF file system versions and specialties revised and considerably extended: Improved support for UDF when used on media other than optical discs, as well as added support for UDF virtual partitions and UDF metadata partitions.  
* Several minor improvements.
 
Beta 1:
 
* New X-Tension API functions: XWF_CreateContainer, XWF_CopyToContainer, XWF_CloseContainer, XWF_CreateEvObj. New functionality was added to the XWF_SetItemInformation function. Cf. http://www.x-ways.net/forensics/x-tensions/api.html.  
* A plug-in to run Python scripts as X-Tensions can now be downloaded from the X-Tension API web page, along with 2 sample scripts. Still in a testing stage!  
* Automatic extraction of .lnk shortcut files from automaticdestinations-ms jump lists during volume snapshot refinement.  
* Revised extraction of attachments from original .eml files.  
* Preview available for Outlook Express DBX e-mail archives.  
* Registry report definition files revised. New definition file Reg Report Autorun.txt included.  
* View command now works for SQLite database and index.dat files that have HTML child objects in the same way as Preview mode. Improved processing of SQLite databases.  
* Support for named streams in UDF (the UDF implementation of alternate data streams as known from NTFS).  
* Fixed inability to read from flat VMDK images.
 
Beta 2:
 
* Ability to reconstruct Linux software RAIDs from partitions. The partitions need to be opened before they can be selected.  
* Revised support for SQLite databases.  
* Ability to split HTML tables for browser databases and event logs after an arbitrary number of rows. You can set this number much higher if you do view the HTML previews externally with your preferred Internet browser and not with the viewer component.  
* Ability to interpret certain VMDK images that previous v16.5 releases could not deal with.  
* Improved ability to deal with corrupt .evtx event log files.  
* Minor improvements.
 
Beta 3:
 
* The X-Tension API was noticeably extended:  
  * Ability to load X-Tension DLLs from any directory. By default, X-Ways Forensics expects X-Tension DLLs in the directory for scripts and templates.  
  * Only selected X-Tensions will be executed, not all X-Tensions that were added to the list.  
  * A new version of the Python plug-in and a minimal Python installation are now downloadable.  
  * 3 important new functions XWF_Search, XWF_OpenItem and XWF_Close were added.  
  * XT_ProcessSearchHit now receives a handle of the item or volume in which a search hit was found, for optional further reading.  
  * More return values for XT_Prepare supported.  
  * New flag for XWF_OutputMessage function.  
* A permanent preview can now be generated for $UsnJrnl:$J as part of metadata extraction, so that it does not have to be generated on demand when viewing or previewing this journal, which can be potentially time-consuming for large specimens (0.5 - 1.5 GB).  
* Ability to only include associations with user-created report tables in evidence file containers, not those created by X-Ways Forensics itself. To make use of this feature, make sure that the option to export report table associations is only half checked when you create a container. This is now also the new default setting.  
* Several minor improvements, some bug fixes.
 
Beta 4:
 
* Metadata extraction from Manifest.mbdx and Manifest.mbdb iPhone backup files.  
* Revised extraction of e-mail messages and attachments from DBX e-mail archives. Still testing.  
* HTML preview generation for certain file types updated.
* Fixed a byte level file header signature search error that occurred in Beta 3.  
* Fixed error that occurred when sorting by the ST# column.  
* Last parameter in XWF_GetItemInformation API function fixed.
 
Beta 5:
 
* Ability to select new e-mail extraction methods individually for PST, MSG, DBX, MBOX, and EML. The old extraction method for PST and MSG is a method previously described as "MAPI". The new method for PST was introduced long ago already and is the recommended standard setting. The new methods for all other file types are really new in v16.5. The old extraction methods will probably not be offered any more in future versions of X-Ways Forensics.  
* One more option for the Internal ID filter.  
* The simultaneous search could not be started from the context menu in some earlier beta versions. That was fixed.  
* Some minor improvements.
 
v16.5 was just released.
 
Changes since the last beta version:  
* Ability to generate previews of Skype's main.db database with contacts and file transfers.  
* Extraction of e-mail messages and miscellaneous Outlook data from PST archives slightly updated and completed.  
* Path filter extended. Multiple substrings (one per line) are now permitted, and there is a NOT option.  
* Fix for NTFS support for media with a sector size of 4096 bytes.

Total posts: 9261 | Registered: 11-09-2009 | Posted: 11:23 28-05-2012
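
The Preview 2 note above on highlighting aligned FILETIME values can be reproduced outside the tool with a short scan. This is an added example, not part of the original post and not X-Ways code: the plausibility window (1990 to 2040), the `align` parameter and the sample buffer are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME tick count (integer arithmetic, no floats)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def find_filetimes(data, align=8,
                   earliest=datetime(1990, 1, 1, tzinfo=timezone.utc),
                   latest=datetime(2040, 1, 1, tzinfo=timezone.utc)):
    """Return (offset, datetime) for each aligned little-endian QWORD in range.

    The plausibility window and the alignment are assumptions of this example.
    """
    lo, hi = datetime_to_filetime(earliest), datetime_to_filetime(latest)
    hits = []
    for off in range(0, len(data) - 7, align):
        (value,) = struct.unpack_from("<Q", data, off)
        if lo <= value <= hi:
            hits.append((off, filetime_to_datetime(value)))
    return hits

# Constructed sample buffer (not taken from any real file):
#   0..7   ASCII tag, 8..15 FILETIME, 16..19 padding,
#   20..27 FILETIME on a 4-byte but not 8-byte boundary, 28..31 padding.
SAMPLE = (b"XWAYTEST"
          + struct.pack("<Q", 0x01CD3CC000000000)
          + b"\x00" * 4
          + struct.pack("<Q", 0x01CD3D0000000000)
          + b"\x00" * 4)

if __name__ == "__main__":
    for align in (8, 4):
        print(f"alignment {align}:")
        for off, ts in find_filetimes(SAMPLE, align=align):
            print(f"  0x{off:04X}  {ts.isoformat()}")
```

A stricter alignment misses values packed on 4-byte boundaries, while a looser one raises the false-positive rate on arbitrary binary data, so hits should be confirmed against the structure of the file format being examined.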