X-Ways Forensics 19.3 Released


A preview version of the dongle-based edition of X-Ways Forensics 19.3 is now available.

What’s new in v19.3 Preview 1?

* If the file header signature search in volumes with a supported file system other than Ext2/Ext3 finds the start of a file in free space, at a cluster boundary, the data is now by default assumed to flow around potentially following clusters that are marked by the file system as in use. This correctly reconstructs files that were created after and stored around other files and then deleted, as long as the released clusters were not re-used and overwritten afterwards. To disable carving purely in free clusters in this way, i.e. to make it work as in previous versions, you can uncheck the new option “Carve files in free clusters around used clusters”. This option takes effect only at the moment when files are added to the volume snapshot, not retroactively for files that were added previously. Files carved purely in free space retain the storage location that was assumed when they were added to the volume snapshot even if the option is changed afterwards. However, older versions of X-Ways Forensics do not understand that certain files are assumed to flow around allocated clusters and would therefore present them as contiguous files, as usual, when they work with the same volume snapshot.

* Tools | Disk Tools | File Recovery by Type offers the same cluster assignment logic.

* If the file carving definition has the strong greedy flag (“G”), then after carving a file that flows around allocated clusters, the file header signature search will only skip the first fragment of the carved file. The “h” flag for header exclusion prevents the new carving method from being applied to the affected file types.

* The same logic to skip in-use clusters is now by default also applied to deleted files in volume snapshots of FAT12, FAT16, FAT32, and exFAT file systems, if not disabled in Options | Volume Snapshot. That means that the data of deleted files is no longer necessarily assumed to be contiguous, but assumed to occupy as many free clusters from the start cluster number as are necessary to accommodate the known file size, skipping clusters that are marked as in use by existing files. If the end of the volume is reached that way, the next free clusters are taken from the start of the volume, replicating the built-in logic of typical FAT32 file system drivers, which rotate through the volume in search of allocatable clusters. As this volume snapshot option retroactively changes the assumption about the storage location of files that are already contained in the volume snapshot, changing it will also cause hash values to change if they are re-computed.
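
The cluster assignment rule described in this item and in the carving item above (free clusters from the start cluster onward, in-use clusters skipped, wrap-around at the end of the volume) as an added worked example. This is illustration code written for this page, not code from X-Ways Forensics. It assumes the allocation state is available as a simple per-cluster boolean list derived from the FAT and that cluster numbering starts at 2, as in every FAT variant; the sample bitmap is constructed.

```python
# Added example, not code from X-Ways Forensics: reconstruct the clusters a
# deleted FAT file is assumed to occupy, as described in the release notes,
# with the legacy "contiguous" assumption available for comparison.
from typing import List, Optional, Tuple

FIRST_DATA_CLUSTER = 2  # FAT convention: clusters 0 and 1 are never data clusters

# Constructed allocation map for a tiny 12-cluster volume (index = cluster number).
# True = allocated to an existing file, False = free.
SAMPLE_IN_USE = [True, True, False, False, True, True, False, True, False, False, False, False]


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Clusters required to hold file_size bytes (ceiling division)."""
    return -(-file_size // cluster_size)


def assumed_cluster_chain(in_use: List[bool], start: int, file_size: int,
                          cluster_size: int, skip_used: bool = True) -> Optional[List[int]]:
    """Clusters assumed to hold a deleted file whose directory entry records
    `start` and `file_size`.

    skip_used=True : take free clusters from `start` onward, skip in-use ones,
                     and continue from the first data cluster when the end of
                     the volume is reached (the FAT32 driver rotation the notes mention).
    skip_used=False: the legacy assumption that the data is contiguous.
    Returns None when the assumption cannot be satisfied (file would run past
    the end of the volume, or not enough free clusters exist).
    If the start cluster itself is in use, its contents were overwritten; this
    code still skips it like any other in-use cluster (an assumption, the page
    does not say how that case is handled).
    """
    total = len(in_use)
    needed = clusters_needed(file_size, cluster_size)
    if needed == 0:
        return []
    if not (FIRST_DATA_CLUSTER <= start < total):
        return None
    if not skip_used:
        chain = list(range(start, start + needed))
        return chain if chain[-1] < total else None
    chain: List[int] = []
    cluster = start
    for _ in range(total - FIRST_DATA_CLUSTER):  # examine each data cluster at most once
        if not in_use[cluster]:
            chain.append(cluster)
            if len(chain) == needed:
                return chain
        cluster += 1
        if cluster == total:
            cluster = FIRST_DATA_CLUSTER  # wrap to the start of the data area
    return None


def to_byte_ranges(chain: List[int], cluster_size: int,
                   data_area_offset: int = 0) -> List[Tuple[int, int]]:
    """Collapse a cluster chain into (offset, length) runs relative to cluster 2,
    the compact form a cluster list would present. Non-contiguous chains yield
    several runs, which is exactly what the new assumption produces."""
    runs: List[Tuple[int, int]] = []
    for c in chain:
        off = data_area_offset + (c - FIRST_DATA_CLUSTER) * cluster_size
        if runs and runs[-1][0] + runs[-1][1] == off:
            runs[-1] = (runs[-1][0], runs[-1][1] + cluster_size)
        else:
            runs.append((off, cluster_size))
    return runs


if __name__ == "__main__":
    # A deleted file starting at cluster 8 that needs 5 clusters: the new rule
    # wraps around to cluster 2, the legacy rule runs off the end of the volume.
    print("skip in-use:", assumed_cluster_chain(SAMPLE_IN_USE, 8, 5 * 512, 512))
    print("contiguous :", assumed_cluster_chain(SAMPLE_IN_USE, 8, 5 * 512, 512, skip_used=False))
    print("runs       :", to_byte_ranges([8, 9, 10, 11, 2], 512))
```

The example makes the hash caveat in the item above concrete: the two assumptions select different byte ranges for the same directory entry, so any hash computed over the file's content changes when the option changes.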

* The volume snapshot options are now more clearly structured, split into file system specific settings and file system independent settings.

* The “List Clusters” command in the directory browser context menu has been revised. It can now be applied to some more “exotic” objects that it could not deal with before, such as certain embedded files, certain file system area files, and carved files. It automatically outputs sector instead of cluster numbers for any objects that are not aligned at cluster boundaries. It outputs the total number of clusters or sectors even if contiguous series of clusters are represented in the optional compact fashion. If exported to a text file, the cluster list is automatically opened in the user’s preferred text editor. The effects of the aforementioned new cluster assignment logic options are visible in newly populated cluster lists.

* Significantly improved ability to recover deleted files and directories in FAT32 volumes (ability to get the start location right, in newly taken volume snapshots only).

* In the properties of evidence objects with a FAT file system you can now optionally define which time zone the local timestamps in that file system are based on, if you have a basis for such an assumption. That time zone depends on the settings of the computer or device that wrote to the file system. (Keep in mind that those settings may have changed over time, so a single time zone may not be adequate to get all timestamps right.) If you define the time zone reference, file system level timestamps are presented according to the selected display time zone and no longer in their original local time. They are internally converted from local time to UTC (based on your time zone reference) and then from UTC to the display time zone at the moment they are displayed. The effect is not permanent; the reference time zone setting can be changed at any time. The time zone reference definition is lost if you open the case in versions older than v19.3.

* When copying files from FAT file systems to an evidence file container, file system level timestamps of these files are usually marked in the container as based on an unknown local time zone so that they will not be time zone adjusted when reviewing the container in the future. If however you are certain about the original time zone and define the time zone reference for the source evidence object, the timestamps are converted to UTC within the container based on the reference time zone and marked in the container as timestamps in UTC, permanently. In that state the timestamps later will be adjusted according to the selected display time zone, even if you change your mind and change the reference time zone in the source evidence object. The evidence file container is self-contained and separate from the source evidence object once files have been copied.
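
The two-step conversion from the previous two items (FAT local time to UTC via the reference zone, then UTC to the display zone, versus the permanent UTC conversion when copying into a container) as an added worked example. This is illustration code written for this page, not code from X-Ways Forensics. The 16-bit FAT date/time field layout it decodes is the standard one; the zone names, the sample timestamp and the flag strings are assumptions chosen for the demo.

```python
# Added example, not X-Ways code: how the same raw FAT timestamp is presented
# with and without a reference time zone, and why one fixed zone cannot
# always disambiguate local times.
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional, Tuple


def decode_fat_datetime(date16: int, time16: int) -> datetime:
    """Decode a FAT date/time pair into a naive local datetime (2 s resolution).
    date16: bits 15-9 years since 1980, 8-5 month, 4-0 day.
    time16: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return datetime(1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F,
                    time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2)


def fixed_zone(hours: float) -> tzinfo:
    """Fixed-offset zone for the demo; a real reference zone with DST needs zoneinfo."""
    return timezone(timedelta(hours=hours))


def local_to_utc(local_naive: datetime, reference_tz: tzinfo, fold: int = 0) -> datetime:
    """Interpret a naive FAT timestamp in the reference zone and convert it to UTC.
    `fold` picks the earlier (0) or later (1) instant when the local time is
    ambiguous, i.e. inside the repeated hour at the end of daylight saving time."""
    return local_naive.replace(tzinfo=reference_tz, fold=fold).astimezone(timezone.utc)


def present(local_naive: datetime, reference_tz: Optional[tzinfo], display_tz: tzinfo) -> datetime:
    """What the directory browser shows: the unchanged local time when no
    reference zone is defined, otherwise local -> UTC -> display zone."""
    if reference_tz is None:
        return local_naive
    return local_to_utc(local_naive, reference_tz).astimezone(display_tz)


def container_timestamp(local_naive: datetime, reference_tz: Optional[tzinfo]) -> Tuple[datetime, str]:
    """Timestamp as stored when copying from FAT into an evidence file container:
    kept as local time and flagged as zone-unknown without a reference zone,
    converted to UTC once and flagged as UTC (permanently) with one."""
    if reference_tz is None:
        return local_naive, "local, zone unknown"
    return local_to_utc(local_naive, reference_tz), "UTC"


def is_ambiguous(local_naive: datetime, reference_tz: tzinfo) -> bool:
    """True if the local time maps to two UTC instants in the reference zone
    (clocks going back). The FAT entry alone cannot tell the two apart."""
    return local_to_utc(local_naive, reference_tz, 0) != local_to_utc(local_naive, reference_tz, 1)


if __name__ == "__main__":
    try:
        from zoneinfo import ZoneInfo
        reference, display = ZoneInfo("Europe/Berlin"), ZoneInfo("America/New_York")
    except Exception:  # no tz database available: fall back to fixed offsets
        reference, display = fixed_zone(2), fixed_zone(-4)
    # Constructed raw fields: 2017-10-29 02:30:00, inside the repeated hour in Berlin.
    ts = decode_fat_datetime(0x4B5D, 0x13C0)
    print("raw local      :", ts, "| ambiguous:", is_ambiguous(ts, reference))
    print("no reference   :", present(ts, None, display))
    print("with reference :", present(ts, reference, display))
    print("container      :", container_timestamp(ts, reference))
```

The `is_ambiguous` check is the practical form of the caveat in the item above: even a correct reference zone leaves one hour per year with two possible UTC values, and a device whose zone setting changed over time widens that further.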

* Display of internal creation timestamps in the “Content created” column with millisecond precision, where available.

* The time zone conversion hints after timestamps in the directory browser (the number of hours added to or subtracted from UTC) are now also included in the tooltips for these cells.

* Consistency of timestamp notation and Unicode capability of timestamp notation improved in a few places in the GUI and in the case report/log.

* X-Tensions API: The XWF_GetItemType function now allows you to find out the detected file format consistency of a file.

* X-Tensions API: The XWF_ShouldStop function now not only checks whether the user wishes to abort lengthy operations, it also helps to keep the GUI responsive when the X-Tension is not executed in a separate worker thread. Calling this function regularly processes pending mouse and keyboard input, allows windows to redraw, etc. The user sees that the application is not hanging, and attempts by the user to close the progress indicator window will be noticed. Even if you ignore the result of this function call during lengthy operations conducted by your X-Tension, making the calls in the first place is already beneficial.

* FlexFilters are now optionally case-sensitive. Case-sensitive operations are always faster and should be used for performance reasons unless you require otherwise.

* Uncovers embedded data from some more .vcf files.

* Byte-wise checksum computation for multi-byte accumulators, as was standard in v18.9 and earlier, is now an option in Options | Security. The newer variant computes multi-byte checksums by adding units that are equivalent in size to the accumulator itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real-world applications.
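
The two accumulation variants this option switches between, as an added worked example written for this page (not X-Ways code). Which variant an application used cannot be read off the data, so the example also shows the practical check: compute all variants and see which one reproduces a checksum found in a file. The zero-padding of a tail shorter than one unit and the byte order choices are assumptions, not something the page specifies; the sample input is constructed.

```python
# Added example, not X-Ways code: byte-wise vs. unit-wise multi-byte checksums.
from typing import Dict, List


def checksum_bytewise(data: bytes, width: int = 4) -> int:
    """Add every byte into a `width`-byte accumulator (the v18.9 behaviour)."""
    mask = (1 << (8 * width)) - 1
    acc = 0
    for b in data:
        acc = (acc + b) & mask
    return acc


def checksum_unitwise(data: bytes, width: int = 4, byteorder: str = "little") -> int:
    """Add units of `width` bytes into a `width`-byte accumulator (the newer
    behaviour). A trailing partial unit is zero-padded here; that choice and
    the byte order are assumptions, the page does not define them."""
    mask = (1 << (8 * width)) - 1
    padded = data + b"\x00" * (-len(data) % width)
    acc = 0
    for i in range(0, len(padded), width):
        acc = (acc + int.from_bytes(padded[i:i + width], byteorder)) & mask
    return acc


def all_variants(data: bytes, width: int = 4) -> Dict[str, int]:
    """Every accumulation variant side by side for the same input."""
    return {
        "bytewise": checksum_bytewise(data, width),
        "unitwise-le": checksum_unitwise(data, width, "little"),
        "unitwise-be": checksum_unitwise(data, width, "big"),
    }


def matching_variants(data: bytes, expected: int, width: int = 4) -> List[str]:
    """Names of the variants that reproduce a checksum value found in a file."""
    return [name for name, value in all_variants(data, width).items() if value == expected]


if __name__ == "__main__":
    sample = bytes(range(1, 9))  # constructed input 01 02 .. 08
    for name, value in all_variants(sample).items():
        print(f"{name:12s} 0x{value:08X}")
    # Same input, 16-bit accumulator: the unit-wise sum already wraps around.
    print("16-bit unitwise of ff ff ff ff:", hex(checksum_unitwise(b"\xff" * 4, 2)))
    print("matches 0x0C0A0806:", matching_variants(sample, 0x0C0A0806))
```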

* Recover/Copy: Ability to specify the name of the log file if the file is created in the output directory. Useful if you run multiple Recover/Copy operations specifically for different purposes, to produce one separate log file for each output.

* Ability to index words that contain characters with special GREP meaning, such as #.?()[]{}\*, without masking them, both with the “range:” prefix and without.

* Larger font in the text column display for UTF-16 for better readability, especially of Chinese characters.

* Avoided some rare graphical artifacts in the text column display for code pages with a variable number of bytes per character.

* Manual relocation or resize operations on search hits through the context menu may now exceed 32,767 bytes (up to 2,147,483,647 supported in both directions).

* The size of a carved file can now be set manually as an absolute number instead of as an adjustment to the previous size (through the directory browser context menu). The maximum size supported by this operation is 4,294,967,295 bytes.

* More complete representation of the logical memory address space of 64-bit processes.

* File mode now offers a “raw” submode for NTFS-compressed files. In Raw mode you can actually see the compressed data as well as the sparse clusters, not the decompressed state of the file. This is useful for research or educational purposes and because theoretically small amounts of data could have been manually hidden in the not clearly defined, but implicitly existing slack area of each compression unit, which follows the compressed payload data.

* Text representations of dialog windows now by default omit unselected list box items and unchecked check boxes and radio buttons. This is a new option in the special menu that you get when you click the small unlabeled button in the upper left corner of a dialog window. It also affects the textual summary of active filters.

* Export List: The search hit context size units are now correctly designated as characters instead of bytes.

* Ability to open spanned LVM2 volumes if the other disk is missing. Available data will be incomplete, but potentially still very helpful.

* Checking the passwords in the password collection provided for file archive exploration is now more thorough, avoiding some rare false password matches.

* As the number of years represented in Calendar mode is limited, garbage timestamps in the far past can keep you from seeing the years you are interested in if you don’t set a filter or delete events with garbage timestamps. A new option now allows you to set the minimum year represented by the calendar. Any timestamps in earlier years are disregarded by the calendar even if no filter is active. By default, the minimum year is 2000. To change it, click the number of the first year on the left in Calendar mode.

* More tolerant to corruption in internal metadata storage files.

* Category pop-up menu statistics are retained when activating the filter.

* The blue funnel symbol on both sides of the caption line of the directory browser is now always present when filters are active, even if the filters do not actually filter out any items.

* Details mode for JPEG files now shows an additional table at the bottom. This table contains the generator signature as well as the “condition” of the file, which may be “incomplete” (if the file was truncated) or “trailing data” (if surplus data was appended to the JPEG data) or in some cases “original” (if the file is believed with great certainty to be in a pristine, unaltered state). “Original” is judged from the presence of thumbnails, the absence of color correction certificates, the absence of unoriginal metadata such as XMP, timestamps, artifacts left behind by known editing software, and whether a resize operation is detected.
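
The two structural conditions from the item above, “incomplete” and “trailing data”, as an added worked example: a marker walker that finds the EOI marker without decoding image data, so it also works on files that no viewer will open. This is illustration code written for this page, not X-Ways code, and it does not attempt the “original” judgement, which rests on metadata heuristics the page only names. The JPEG skeleton it uses is constructed for the demo and is not a decodable image.

```python
# Added example, not X-Ways code: classify a JPEG as complete, truncated
# (ends before EOI) or carrying trailing data (bytes after EOI).
import struct
from typing import Dict, Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def _result(condition: str, eoi_offset: Optional[int] = None, trailing: int = 0) -> Dict:
    return {"condition": condition, "eoi_offset": eoi_offset, "trailing_bytes": trailing}


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker.
    0xFF00 is a stuffed data byte and 0xFFD0-0xFFD7 are restart markers, both
    part of the scan. Returns len(data) if the scan is cut off."""
    n = len(data)
    while pos < n:
        if data[pos] != 0xFF:
            pos += 1
        elif pos + 1 >= n:
            return n
        elif data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7:
            pos += 2
        elif data[pos + 1] == 0xFF:
            pos += 1  # fill byte
        else:
            return pos
    return n


def jpeg_condition(data: bytes) -> Dict:
    """Walk the marker segments and report the file's structural condition."""
    n = len(data)
    if n < 2 or data[0] != 0xFF or data[1] != SOI:
        return _result("not a JPEG")
    pos = 2
    while True:
        if pos + 2 > n:
            return _result("incomplete")          # stream ended before EOI
        if data[pos] != 0xFF:
            return _result("malformed")           # a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            trailing = n - (pos + 2)
            return _result("trailing data" if trailing else "complete", pos, trailing)
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            return _result("incomplete")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        if length < 2:
            return _result("malformed")
        if pos + 2 + length > n:
            return _result("incomplete")          # segment runs past end of file
        pos += 2 + length
        if marker == SOS:
            pos = _skip_entropy_coded(data, pos)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def constructed_jpeg() -> bytes:
    """Structurally valid JPEG skeleton (constructed for the demo, not a real photo)."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"   # 8-bit, 8x8, one component
    dht = b"\x00" + bytes(16)                         # empty DC table 0
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\xa5\xff\x00\x5a\xff\xd0\x3c"           # stuffed 0xFF and an RST0 inside the scan
    return (bytes([0xFF, SOI]) + _segment(0xE0, app0) + _segment(0xC0, sof0)
            + _segment(0xC4, dht) + _segment(SOS, sos) + scan + bytes([0xFF, EOI]))


if __name__ == "__main__":
    good = constructed_jpeg()
    for label, sample in (("pristine", good),
                          ("appended", good + b"hidden payload"),
                          ("truncated", good[:-5])):
        print(f"{label:10s}", jpeg_condition(sample))
```

Trailing data after EOI is where appended archives or hidden payloads live, which is why the byte count is returned alongside the verdict: the offset of EOI plus two is where a follow-up carve of the surplus data starts.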

* Improved detection of scanned images. The model designations of known scanning devices can be manually extended in the section “KnownScanner” of “Generator Signatures.txt”. Identification by model name can help to identify scanned images if they contain Exif data or were edited. Generally the detection as scanned images is based on 1) generator signature, 2) generic properties of the Exif metadata (FileSource, Density, …) and 3) the KnownScanner list.

* Improved detection of screenshots in JPEG format.

* Recognition of JPEG files produced by Twitter through their generator signature.

* Prefix “Reporting::” inserted in generator signature definitions for easier filtering for the category reporting/records.

* Carving method ~109 implemented for Blu-ray videos.

* Ability to open an evidence object that is a directory even if that directory does not exist any more, to be able to at least check out the volume snapshot again, using the command “Open (without disk/image)”.

* Dedicated icon for evidence file containers in the Case Data window.

* Italian translation updated.

* Several minor improvements, several internal optimizations, and some fixes of minor errors.