* Yet another acquisition option for users who need to or want to exclude certain data from forensic images. You can now create ordinary images, in raw format or as an .e01 evidence file - with all the known options such as hashing, compression, encryption, splitting - and exclude the data in clusters associated with files that you hide before starting the acquisition process. The resulting image is called a cleansed image. The affected sectors are zeroed out in the image and optionally marked with an easily recognizable "watermark" of your choice. All other data is copied to the image normally.
Useful for anyone who needs to redact certain files in the file system, but otherwise wants to create an ordinary forensically sound sector-wise image, compatible with other tools. A must in countries whose legislation specially protects the most private personal data of individuals and certain data acquired from custodians of professional secrets (e.g. lawyers and physicians, whose profession swears them to secrecy/confidentiality). For a comparison of evidence file containers, skeleton images and cleansed images, which all serve similar purposes, please see http://www.x-ways.net/investigator/containers_vs_skeleton_images.html.
Before you start the imaging process for a partitioned disk, open the partitions that contain the files you would like to exclude from the image. Wait until the volume snapshot has been taken if it was not taken before. Then hide the files. You do not need to open and take volume snapshots of partitions whose data you would like to include completely.
Note that, alternatively, you can retroactively cleanse (redact) already created complete raw images in WinHex by securely wiping selected files via the directory browser context menu. The granularity of this operation is not limited to entire clusters. That means, for example, that it can also wipe files in NTFS file systems with so-called resident/inline storage, and it does not erase the file slack along with the file.
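The following is an added illustration of what a cluster-granular cleansed image does, written for this page and not code from X-Ways or WinHex. It assumes a constructed 64 KiB raw image with 512-byte sectors and 4 KiB clusters, a hypothetical file-system model that maps file names to cluster runs, and a watermark placed at the start of every zeroed sector (a design choice of this example). The sample also models the limitation described above: a hidden file that is stored resident inside its NTFS record occupies no clusters of its own, so a cluster-granular cleansed image cannot redact it, and the helper reports such files instead of silently leaving their content in the image.

```python
import hashlib

SECTOR_SIZE = 512      # assumed sector size of the constructed image
CLUSTER_SIZE = 4096    # assumed cluster size (8 sectors per cluster)
NUM_CLUSTERS = 16

# Constructed sample image: cluster i is filled with byte value i so that every
# cluster can be told apart after cleansing.
RAW_IMAGE = b"".join(bytes([i]) * CLUSTER_SIZE for i in range(NUM_CLUSTERS))

# Constructed file-system model: file name -> list of (first cluster, count) runs.
# A file with no runs stands for a small NTFS file stored resident in its MFT record.
FILES = {
    "notes.txt": [(3, 2)],
    "fragmented.bin": [(6, 1), (11, 2)],
    "tiny.txt": [],
    "keep.dat": [(8, 1)],
}
HIDDEN = {"notes.txt", "fragmented.bin", "tiny.txt"}   # files hidden before imaging
WATERMARK = b"*** CLEANSED: DATA INTENTIONALLY EXCLUDED ***"  # constructed marker


def excluded_clusters_for(files, hidden):
    """Translate the hidden files into the set of clusters to exclude.

    Returns (clusters, names of hidden files that occupy no clusters). The
    second set lists files a cluster-granular cleansed image cannot redact,
    e.g. NTFS resident files, so the examiner can deal with them separately.
    """
    clusters, unredactable = set(), set()
    for name in hidden:
        runs = files[name]
        if not runs:
            unredactable.add(name)
        for first, count in runs:
            clusters.update(range(first, first + count))
    return clusters, unredactable


def cleanse_image(raw, excluded_clusters, watermark=b"", cluster_size=CLUSTER_SIZE):
    """Copy `raw` sector by sector; sectors of excluded clusters are zeroed and
    optionally tagged with `watermark`; all other sectors are copied unchanged."""
    if cluster_size % SECTOR_SIZE or len(raw) % SECTOR_SIZE:
        raise ValueError("image and cluster size must be multiples of the sector size")
    out = bytearray(raw)
    tag = watermark[:SECTOR_SIZE]          # a watermark never spills past its sector
    for cluster in sorted(excluded_clusters):
        start = cluster * cluster_size
        if start + cluster_size > len(raw):
            raise ValueError(f"cluster {cluster} lies beyond the end of the image")
        for off in range(start, start + cluster_size, SECTOR_SIZE):
            out[off:off + SECTOR_SIZE] = bytes(SECTOR_SIZE)   # zero the sector
            out[off:off + len(tag)] = tag                     # then mark it
    return bytes(out)


def verify_cleansed(raw, cleansed, excluded_clusters, cluster_size=CLUSTER_SIZE):
    """True iff the two images differ in excluded clusters only."""
    if len(raw) != len(cleansed):
        return False
    for off in range(0, len(raw), SECTOR_SIZE):
        if off // cluster_size in excluded_clusters:
            continue
        if raw[off:off + SECTOR_SIZE] != cleansed[off:off + SECTOR_SIZE]:
            return False
    return True


def sha256_hex(data):
    """Hash an image so the original and the cleansed copy can be documented."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    excluded, unredactable = excluded_clusters_for(FILES, HIDDEN)
    image = cleanse_image(RAW_IMAGE, excluded, WATERMARK)
    print("excluded clusters:", sorted(excluded))
    print("hidden files not redactable at cluster granularity:", sorted(unredactable))
    print("original SHA-256:", sha256_hex(RAW_IMAGE))
    print("cleansed SHA-256:", sha256_hex(image))
    print("only excluded clusters differ:", verify_cleansed(RAW_IMAGE, image, excluded))
```

Because the cleansed image keeps every byte outside the excluded clusters at its original offset, it still reads as an ordinary sector-wise image in other tools; the hash of the cleansed image naturally differs from that of the untouched disk, which is why both values are worth recording in the acquisition notes.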
* Totally revised indexing engine with many advantages: created optionally at the same time the volume snapshot is refined (synergy saves time), faster to create than before, no separate optimization step, just 1 index for multiple code pages/character sets, just 1 word list for multiple code pages/character sets (i.e. fewer duplicates), GREP searches in the index possible, multiple indexes with different names for different purposes may coexist for the same evidence object, indexing with regular expressions possible (details to be revealed later), more convenient search hit review (exactly like for ordinary search hits, search hits are stored permanently immediately, allowing for immediate logical AND and NEAR combinations), and more.
At the moment the old and the new indexing engines coexist within the program. To use the old indexing engine use the menu commands Search | Indexing (to create an index) and Search | Search in Index (to search in the index). To use the new indexing engine use the menu commands Specialist | Refine Volume Snapshot (to create an index) and Search | Simultaneous Search (to search in the index, select "Search in Index" in the drop-down box).
* Events recorded by Skype are now output to the event list (chats, calls, file transfers, account creation, ...). When sorting these events by their timestamps, you can read all chat messages in chronological order.
* Metadata extraction from PE .exe files with version resources.
* New directory browser column: Unique ID. Similar to the internal ID, but unique within the entire case, not just within the evidence object. A filter for this column will probably be added at a later time.
* The options "Group files and directory", "List dir.s when exploring recursively" and "Apply filters to directories, too" are now remembered separately by the normal directory browser, search hit lists and event lists.
* X-Tensions API: Ability to retrieve the result of the skin tone/gray scale analysis of pictures programmatically, via XWF_GetItemInformation.
* Several minor improvements.