What’s new in v20.4?  (please note that most changes affect X-Ways Forensics only)

Mention this blog and get a discount on Certified X-Ways Forensics Training by H-11 Digital Forensics.

* Support has been added for the QNX file system as commonly found in current car entertainment systems. X-Ways Forensics, if supplied with an image extracted from such a system, can now parse the file system structures, including timestamps and UNIX permissions, as known from other file systems. Individual virtual files representing the key file system structures are also shown, and Specialist | Technical Details Report will show fundamentals of the file system as well.

* Btrfs volumes using snapshots are now supported.

* Up to 127 subvolumes (incl. snapshots) are now supported per volume in Btrfs, up from 31 subvolumes previously. Unlike other subvolumes, which are all shown on the first level of the main volume, snapshots are shown within the subdirectory of .snapshots that corresponds with the snapshot’s creation date.

* For all subvolumes (incl. snapshots) of Btrfs, the Technical Details Report identifies their respective official parent (sub)volumes, as before.

* A new command line command named “AddDir” is now understood. It is followed by a colon, and after that you specify which directory you wish to add to the case, e.g. AddDir:X:\. If the character after the colon is an asterisk, the root directories of all available drive letters will be added to the case: AddDir:*. Network drives are optional, however, because they can be excessively large and slow to explore; whether they are added depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, on the assumption that you are triaging a live system and running X-Ways Forensics from your own removable device.

* A new command line command named “AddDrive” is now understood. It is followed by a colon, and after that you specify which drive letter you wish to add to the case, in upper case, e.g. AddDrive:C. Unlike a directory, which is accessed and explored through the operating system, drive letters require sector-level access (and therefore administrator rights), and any file system present will be parsed by X-Ways Forensics itself, if supported. If the character after the colon is an asterisk, all available drive letters in the system will be added to the case: AddDrive:*. Network drives are optional, however, because they can be excessively large and slow to explore and cannot be read by X-Ways Forensics with sector-level access; whether they are added depends on a new option in Options | Volume Snapshot. If you run X-Ways Forensics from a volume that has a drive letter, that drive letter will be ignored, on the assumption that you are triaging a live system and running X-Ways Forensics from your own removable device. If you specify the AddDrive:* command while running the software without administrator rights, the AddDir:* command will be run instead.

* The command line command “NewCase” followed by a semicolon instead of a colon generates a unique filename if the specified .xfc file already exists. With a colon, the existing case is deleted and overwritten (without prompt or mercy).

* The “NewCase” command now supports relative case paths as well as references to environment variables.

* Option to select multiple file type categories for filtering instead of just one, in a dialog window instead of the pop-up menu.

* Computing the total amount of data in files found in OS directory listings is now optional (cf. Options | Volume Snapshot). Any discrepancy between the original amount of data and the new amount detected when re-opening the evidence objects is brought to the user’s attention and triggers an offer to take a new volume snapshot.

* An easier-to-use, simplified version of the dialog window for creating report table associations is now available, with fewer settings that might confuse new users. It is the new default in X-Ways Investigator and optionally available in both X-Ways Forensics and X-Ways Investigator. For example, in the simplified version, report tables that the application creates to make the user aware of something are not listed, and it is possible to specifically remove report table associations from selected files without the use of keyboard shortcuts.

* Parsing symlinks when taking a volume snapshot (depending on the file system) is now optional, cf. Options | Volume Snapshot.

* Raw submode is now available for WofCompressed files in File mode to see the complete compressed data with slack. The List Clusters command now lists all clusters of such files including the slack. The slack area of the WofCompressed data is highlighted also in Partition/Volume mode.

* There is now a dedicated checkbox for the logical search to control whether certain slack areas of NTFS compression are targeted. It’s unlabeled, but has a tooltip. If fully checked, the undefined slack area at the end of each compression unit of ordinary NTFS-compressed files is searched raw (as is, without decompression), like in previous versions. If that check box is at least half checked, the well-defined slack of WofCompressed files is targeted (searched raw, without decompression), and this is a new feature of v20.4.

* When text in files is decoded for the simultaneous search or indexing and saved in the volume snapshot for future re-use while the special option for numbers and dates in spreadsheets is not active, and you later run a search again *with* the special spreadsheet option, you may not benefit from it if the originally decoded text is searched. That is why you will now get a warning in such a situation if the volume snapshot’s decoded text is already loaded; otherwise the decoded text is discarded altogether upon loading.

* Several minor improvements.