What’s new in X-Ways Forensics v21.2

Storage Device Handling

  • If access to a local storage device is lost while reading or writing sectors, for example because of a loose connection or because you have to unplug and replug it because it occasionally freezes your Windows system, I/O operations can now resume automatically without closing and re-opening the data window for that device. This was previously a potential problem when dealing with certain failing devices.
  • Ability to safely change the disk access method on the fly. Previously, existing data windows for storage devices had to be closed and re-opened to avoid errors.
  • Revised handling of write errors on physical storage devices. When you get notified of a write error, your first option in such a situation will be to simply retry writing the same sector that failed. You can do so as often as you like, when you are ready. This could be helpful for example if unplugging and replugging the device will make it responsive again. You would hit the retry button a few seconds after replugging once Windows has recognized the device again (e.g. if a Windows Explorer window opens). The second option is to continue writing at the next sector, and you can define that as the default response to write errors, to avoid further prompts until the device is closed or the disk access method is changed. (However, that could be a very slow approach if there are many bad sectors on the device.) The third option is to abort, which means the write operation for the currently targeted range of sectors will be aborted or optionally the entire overarching operation (e.g. wiping multiple selected files). You can define that as the default action as well to avoid further prompts. After a local abort the overall operation may still continue. If desired, it can still be discontinued the usual way at any time while the device and the application are responsive by closing the progress indicator window. With the new option to define a default choice it should be possible to find a suitable compromise for the situation at hand, for example when you attempt to sanitize an already failing hard disk to either the maximum extent possible or to a “reasonable” extent given a limited amount of time.
  • If the option “List internal file system files” is inactive, that now has an effect on FAT12, FAT16 and FAT32 file systems.
  • Warns when trying to reconstruct a RAID system or JBOD using components with different sector sizes, as this could have unintended effects.
  • After retroactively locating another partition, X-Ways Forensics now covers unpartitioned space that follows that partition if necessary with another virtual file.

Data Redaction and Erasure

  • The command Edit | Fill Disk Sectors now displays sector numbers in the progress indicator window, so that in case of a freeze because of a hardware defect you can tell which sector number the operation had reached.
  • The directory browser context menu to wipe selected files has been renamed to “Redact data”. It is only available in WinHex (including when X-Ways Forensics is run as WinHex), for example for retroactive redactions in a raw image copy before it is shared with other parties or to selectively and partially sanitize physical storage devices for which you do not expect or care about sector reallocation to occur upon write operations.
  • Ability to apply the “Redact data” context menu command to selected files in the Case Root window.
  • Ability to fill/wipe/redact disk sectors, blocks, and files with a meaningful recognizable text pattern (watermark) instead of raw hex values, in either ASCII or UTF-16 Unicode, as known from the function to create cleansed images.
  • The command to redact selected files now has an option to also erase slack space.
  • There is now a slightly more detailed success report when the “Redact data” command has been applied to multiple selected files, in addition to the label output, separately for each affected evidence object if run from the Case Root window.
  • Erasing the data in the clusters of selected directories with the “Redact data” command is now optional and not active by default, so that you can conveniently and safely select entire directories to get all the files in those directories wiped. Users are warned when they enable this option as it will corrupt the file system and leave files orphaned. Also keep in mind that after you have purged directories, depending on which exact file system it is, X-Ways Forensics itself may be unable to find the files again when taking a new volume snapshot.
  • Warnings are now shown if the user has selected certain known system files for redaction since erasing their data will corrupt the file system.
  • The command variants Edit | Fill File and Edit | Fill Block can now be applied in File mode to a file that is selected in the directory browser.
  • With the “Wipe securely” command in the main menu, actually deleting the selected files in the file system is now optional. If not desired, only their file contents will be overwritten.

Directory Browser

  • After using the Seek Item # command in the directory browser context menu, the blue tooltip that reveals the list item number of an item will pop up to confirm that you have reached the intended item.
  • The Seek Item # command can now optionally keep the selection in the directory browser and merely move the indicated item number into view and highlight it. Note that if you wish to open the context menu without losing your selection, if you can’t see your selection at the moment because you have scrolled up or down, right-clicking any unselected item in the directory browser with the Ctrl key pressed will achieve that. Alternatively, you can press the context menu key on your keyboard.
  • The Seek Item # command now has two extra buttons that allow you to easily navigate to the first and the last selected item in the directory browser. That is useful in a very long list of files if you have scrolled elsewhere, but need to return to a spot where you had selected files.
  • The selection statistics below the directory browser now also include the item numbers that the current selection spans. Clicking the statistics brings up the Seek Item # dialog window.
  • Middle-clicking an item in the directory browser will now tag or untag that item, just like in the case tree.
  • The path filters can now optionally be case-sensitive, which is faster.
  • Type and Type category filters accelerated.
  • Ability to use the Description filter to focus on files to which OCR has been applied, but with no result, i.e. <= 0 characters. The filter can now target results with greater than or less than 65,534 characters.
  • Dedicated context menu command to untag selected search hits and events. (Pressing the space bar still toggles the status of selected search hits/events.)
  • Ability to prevent certain labels from being displayed in the Labels column, for example because you don’t need to see them and they just clutter up that column or because you wish to show your screen to someone but don’t want them to see those particular labels. You can change that in the dialog window where you manage and assign labels, using the Exclude (×) button.
  • Improved representation of text extraction and OCR results in the Description column (if in the Notation settings the “other” box is checked).
  • Checkmarks for tagging are now better visible in dark mode.
  • Hovering over a row in the directory browser is now also reflected in the tag area.

User Interface

  • A new command in the context menu of the case allows you to locate the file or directory with a given unique ID. If the evidence object that contains that item is not open at that moment, it will be opened automatically.
  • Optionally all three categorization icons (for notable, irrelevant and uncategorized) can now be displayed next to the filenames in the Name column, not just the one for notable files. This can be changed in the directory browser options.
  • The dialog window to manage labels was further revised. All label types are now listed optionally.
  • Setting up keyboard shortcuts via Options | General | Define keyboard shortcuts… is now easier because the dialog window reveals the ID of the last command used. So in order to find out the ID of the command that you wish to generate a shortcut for, you just need to invoke that command (you can cancel it if that is an option) and can then see its ID. Most commands invoked in the main window, in a data window, in the directory browser or in the Case Data window are suitable.
  • The dialog window for Options | General | Define keyboard shortcuts… now also reminds you of a special ID that you can use to repeat the last command invoked, whichever that may have been. For example if you wish to manually categorize files as notable in multiple steps, you can do so through the directory browser context menu the first time, and after that just press the special key combination that you have defined for that ID. The special repeat ID is currently 182. Most commands invoked in the main window, in a data window, in the directory browser and in the Case Data window are suitable. In fresh installations, the keyboard shortcut Ctrl+F5 is now predefined to repeat the last action.
  • When moving an evidence object down in the case tree with the old method (the arrow buttons in the properties dialog window), it is now still highlighted in the case tree afterwards.
  • Improved scaling of some GUI elements for usage with high-resolution displays and high Windows DPI settings, including the option to use checkmarks for tagging.
  • Buttons now have a mouse-hover effect.
  • Some icons revised.

Picture Viewing

  • When viewing or previewing pictures with the internal graphics display library, low resolution pictures are now automatically magnified to some extent. This depends on which factor you feel comfortable with at most to avoid pixelation, and the maximum can be set in the Options | File Viewing dialog window. By default, only natural magnification factors are used (100%, 200%, 300%, …) to avoid the need for interpolation, but there is a checkbox to change that. The difference can be seen best with a small picture and a high maximum magnification when you resize the preview area. Under the constraints of the user-editable maximum magnification and the potential restriction to simple pixel multiplication (no interpolation), pictures are magnified in Preview mode and in view windows of the internal graphics display library to the maximum extent possible given the size of the preview mode area and the size of the screen workspace, respectively.
  • The magnification applied to pictures in Preview mode when rendered by the internal graphics display library is now displayed in the lower left corner of the preview area in percent. (The magnification applied in a view window of the internal graphics display library has always been displayed in the window caption after the filename.)
  • Ability to zoom in and out when pictures are rendered by the internal graphics display library in Preview mode, using the mouse wheel, in steps of 10%. (This does not currently change the center of the picture based on the mouse pointer position. If you wish to navigate within a greatly magnified picture, please use the View command for that.)
  • HEIC display functionality updated.
  • The internal graphics display library was revised for other file formats as well.
  • The user now has the option to switch to the internal graphics display library from the viewer component (VC) when previewing TIFF pictures, by clicking the VC submode button that by default appears pushed for TIFF pictures. Note that the internal graphics display library cannot display additional pages if present in a TIFF file.

Picture Content Analysis

  • More detected photo styles (such as “colorful”, “framing”, “selective color”, “unsaturated”, “bright”) can now be used for categorization purposes.
  • Improved handling of insufficient drive space for temporary files employed by the picture content analysis.
  • Certain file format variants or corruptions that the internal graphics display library is able to deal with, but that were not supported by Excire, can now also undergo the picture content analysis. An updated Excire package is now downloadable and required for use with v21.2 (and is still compatible with v21.1).

X-Tension API

  • The X-Tension API function XWF_GetEvObjProp now supports two more property types: 30 retrieves the bias of the reference time zone of an evidence object, if such a time zone was set by the user. 31 retrieves the bias of the preferred display time zone of an evidence object. Optionally, more information about daylight saving in each of the two time zones is provided.
  • The X-Tension API function XWF_GetItemInformation now supports various XWF_ITEM_INFO_*_DISPLAY_OFS types (one for each timestamp type) that can be used to learn how many minutes need to be added or subtracted from a timestamp to get to the same local time that X-Ways Forensics itself would display. It depends most obviously on 1) the user’s preferred display time zone (which can be the same for the entire case or individually set per evidence object), 2) the base time zone that the timestamp is known to be stored in or the user-set reference time zone that it is supposed to be stored in, 3) whether the timestamp falls into the daylight saving portion of the year according to the base or reference time zone, 4) whether the timestamp falls into the daylight saving portion of the year according to the display time zone. A special return value is -1. It indicates that the timestamp could not be converted to the preferred display time zone and instead is shown as is, in local time, based on whatever time zone that originally may have been, or that no valid timestamp exists.
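
How the four factors listed above combine into one per-timestamp offset, as an added illustration that is not X-Ways code and does not call the X-Tension API. The names Zone, bias_at and display_offset are hypothetical, and the Windows bias convention (UTC = local time + bias) and the two sample DST rule sets are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Zone:
    # Constructed model; assumed convention: UTC = local time + bias (minutes).
    bias: int        # standard-time bias
    dst_bias: int    # extra bias while daylight saving is in effect
    start: tuple     # (month, nth Sunday, hour) in local standard time; nth 5 = last
    end: tuple       # (month, nth Sunday, hour) in local daylight time

def nth_sunday(year, month, nth, hour):
    d = datetime(year, month, 1, hour)
    d += timedelta(days=(6 - d.weekday()) % 7, weeks=nth - 1)
    return d if d.month == month else d - timedelta(weeks=1)

def bias_at(zone, ts, ts_is_utc):
    """Bias in effect for ts (northern-hemisphere rules only: start before end)."""
    start = nth_sunday(ts.year, *zone.start)
    end = nth_sunday(ts.year, *zone.end)
    if ts_is_utc:  # move the local transition times onto the UTC axis
        start += timedelta(minutes=zone.bias)
        end += timedelta(minutes=zone.bias + zone.dst_bias)
    return zone.bias + (zone.dst_bias if start <= ts < end else 0)

def display_offset(ts, display, stored_utc=True, reference=None):
    """Minutes to add to ts to get the display-zone wall clock, or -1."""
    if ts is None or (not stored_utc and reference is None):
        return -1  # no valid timestamp, or local time of unknown origin
    if stored_utc:  # factor 2: base time zone is known to be UTC
        return -bias_at(display, ts, True)
    ref_bias = bias_at(reference, ts, False)       # factor 3: DST in reference zone
    utc = ts + timedelta(minutes=ref_bias)
    return ref_bias - bias_at(display, utc, True)  # factor 4: DST in display zone

# Constructed sample zones (rules as in force in 2024).
BERLIN = Zone(-60, -60, (3, 5, 2), (10, 5, 3))
NEW_YORK = Zone(300, -60, (3, 2, 2), (11, 1, 2))
```

With New York as the reference zone and Berlin as the display zone, a local timestamp from 20 March 2024 needs 300 minutes added but one from July needs 360, because the two zones switch to daylight saving on different dates. This is why the offset has to be queried per timestamp rather than once per evidence object.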

Miscellaneous

  • The limit of ~2 billion hash values in the hash database has been lifted. The next theoretical barrier is ~4 billion.
  • Further increased the number of recognized picture generating devices.
  • More thorough integrity test for volume snapshots. That test is accessible by clicking the button with the check mark on it in the Refine Volume Snapshot dialog window.
  • Now allows you to copy up to 1 GB of data into the clipboard to share with other Windows applications, instead of 128 MB previously.
  • When printing files, you now have the option to not only print the full path on the first page, but also the unique ID of the file.
  • You can now hide controls in dialog windows before saving your settings in a .dlg file so that the values of those controls remain undefined in that .dlg file and cannot cause problems next time when you wish to use that .dlg file, perhaps without supervision through the command line. To hide a control you hold the Shift key and roll the mouse wheel (in either direction) over a control. It is useful to prevent control values from getting saved in a .dlg file if those values are not general settings, but values for one-time use, such as the name of an image file that you are about to create or the last sector on a storage device to be covered when creating an image. On the other hand, settings such as compression method and strength as well as block and segment sizes are probably settings that you keep using for a longer time unless you change your preferences. .dlg files created by different versions of the application are compatible with each other except if the dialog window controls have changed, so you could create new .dlg files exclusively with v21.2 going forward and use them in older versions as well, with said proviso.
  • OCR is now prevented for very small files, to save some time.
  • OCR now has a verbose report mode option, where various remarks that Tesseract outputs on the files that it processes will appear in the Messages window.
  • The function to export cluster lists into a text file is now Unicode-capable and produces a UTF-8 text file.
  • The export function for FuzZyDoc hash sets did nothing except under special circumstances. That was fixed.
  • Preview and beta releases now show a number in the lower left corner of gallery tiles for files that are presented only with an icon, not a thumbnail. That number is an internal indicator of the reason why no thumbnail was produced.
  • The program help and the user manual were updated.
  • Many minor improvements.