X-Ways: Computer forensics software made in Germany

WinHex & X-Ways Forensics Newsletter Archive


#157: X-Ways Forensics, X-Ways Investigator, WinHex 19.5 released

Nov 27, 2017

This mailing is to announce the release of another notable update with many improvements, v19.5.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Dec 4-7 Atlanta, GA X-Ways Forensics waiting list
Dec 11-13 London, England XFS, X-Ways Forensics II waiting list
Jan 16-19 London, England X-Ways Forensics
Feb 5-8 Cary, NC X-Ways Forensics
Feb 13-16 London, England X-Ways Forensics
Mar 5-8 Chino, CA X-Ways Forensics

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


What's new in v19.5?
(please note that most changes affect X-Ways Forensics only)

Case Management

  • A new command in the case context menu allows to import evidence objects from another case into the current case, for example when you wish to merge different cases (that may have been worked on by different users to split up the workload) into a single case. Only tagged evidence objects are imported, i.e. those displayed with a light bulb in their original case. This will also import (actually: copy) an evidence object's volume snapshot with report table associations, comments, bookmarks, search hits, indexes, events, RAID reconstruction parameters, time zone selection, and much more, but not volume snapshot backups and not the users (examiners) of the other case and the distinction between their own report table associations and search hits. The timestamp recorded when the evidence object was added to the original case will be taken over into the new case. The current user who conducts the import will absorb those results. The unique IDs of files will be different in the new case. However, report table associations for that evidence object can be exchanged (exported and imported) between the source and the destination case because the volume snapshot IDs and internal IDs are retained.

  • The command to import an evidence object from another case can also be used to simply duplicate an evidence object in the same case. Simply select the .xfc file of the currently active case to do that for the tagged evidence objects. This can be useful to maintain and see and compare two volume snapshots at the same time, experiment with file header signature searches with untested signature definitions etc.

  • Support for Cellebrite's raw image segment naming conventions (abc.bin, abc_1.bin, abc_2.bin, ...) when images are internally interpreted as disks.

  • Support for large table sections in .e01 evidence files.

  • When trying to open an evidence object of a case that is backed by an image file and the image file cannot be found, X-Ways Forensics now automatically offers to open the evidence object without image, just like with the corresponding context menu command in the Case Data window. Useful if the image is not accessible right now (or has been deleted/lost completely) and you wish to just peek at the file listings, report table associations, your own comments, hash set matches, extracted metadata etc.

File Format Support

  • Safari Cache.db: Preview includes information as to where the data of each record is stored (filesystem or Cache.db). Prevents dummy data from being exported when data is not stored within the database. Support for a previous schema of the Safari cache database.

  • Metadata and event extraction from SRUDB.dat, i.e. the activity captured by the system resource usage monitor (SRUM). You can see the processes started over time, listed with their owners, and a lot of statistics. Network usage activity by each process is extracted as well. The extracted information can be useful to pinpoint the moment of a possible intrusion or the process that caused an intrusion. The information is presented in detailed HTML child object files and as events in the event list. Individual event types for SRUDB make it easier to filter for particular resource usage types.

  • Generator signature database significantly further updated.

  • New prefix "Mobile::" for many photos taken by mobile devices.

  • File type signature definition and file carving algorithm association for High Efficiency Image files (.heic).

  • Improved stability with EDB processing.

  • Thorough addition of events from EVT event logs (Windows XP or older) to the event list. Optimized HTML preview for EVT event logs to significantly reduce its size.

  • Ability to display some rare black & white PNG pictures with the internal graphics viewing library that were not supported previously.

  • The type of a user account (administrative user, user only, or guest account) is now mentioned in the Windows registry report.

File System Support

  • Recognizes files that were encrypted in FAT and exFAT volumes by Windows 10 with EFS as encrypted.

  • "Read uninitialized areas as zeroes" is now a 3-state check box. If fully checked, it has an effect on all read operations except logical searches, indexing, and search hit context preview. If half checked, it has an effect on all read operations except those three and on how file contents are presented in File mode and in separate data windows. If checked (fully or half), that is a useful setting to achieve file hash compatibility with ordinary (user level) Windows applications. If not checked at all, that is the setting required for hash compatibility with ordinary forensic tools, and it causes all file-specific read operations to return the data that is stored in the allocated (but uninitialized) clusters from previous usage, for example also for the Recover/Copy command.
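The hash compatibility point above is easy to reproduce. The following added example (not part of the newsletter or of X-Ways' code) constructs a file whose valid data length is shorter than its logical size, emulates a user-level read (uninitialized bytes returned as zeroes, as Windows does) and a raw cluster read (stale data returned), and shows that the two yield different hashes. Cluster size, sizes and stale content are constructed assumptions.

```python
import hashlib

SECTOR = 512
CLUSTER = 8 * SECTOR          # assumed 4096-byte clusters

# Constructed sample geometry: logical size 5000 bytes in two allocated
# clusters (8192 bytes), but only the first 3000 bytes were ever written.
VALID_DATA_LENGTH = 3000      # bytes actually initialized by the application
LOGICAL_SIZE = 5000           # size reported by the file system
ALLOCATED = 2 * CLUSTER


def build_clusters() -> bytes:
    """Return the raw contents of the two allocated clusters (constructed).

    Bytes beyond the valid data length still hold leftovers of a
    previously deleted file, which is exactly what a forensic tool reads.
    """
    stale = bytes(0x41 + (i % 26) for i in range(ALLOCATED))  # 'A'..'Z' pattern
    written = (bytes(range(256)) * 12)[:VALID_DATA_LENGTH]
    return written + stale[VALID_DATA_LENGTH:]


def read_file(raw: bytes, logical_size: int, vdl: int, zero_uninitialized: bool) -> bytes:
    """Emulate reading the file's logical_size bytes.

    zero_uninitialized=True mirrors the "Read uninitialized areas as
    zeroes" setting (and the Windows user-level API): everything past the
    valid data length comes back as zeroes. False returns what is stored
    in the clusters, as ordinary forensic tools do.
    """
    data = raw[:logical_size]
    if zero_uninitialized:
        data = data[:vdl] + b"\x00" * (logical_size - vdl)
    return data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_hashes() -> dict:
    """Hash the same file both ways and report whether the results agree."""
    raw = build_clusters()
    user_level = read_file(raw, LOGICAL_SIZE, VALID_DATA_LENGTH, True)
    forensic = read_file(raw, LOGICAL_SIZE, VALID_DATA_LENGTH, False)
    return {
        "user_level_sha256": sha256_hex(user_level),
        "forensic_sha256": sha256_hex(forensic),
        "same_initialized_part": user_level[:VALID_DATA_LENGTH] == forensic[:VALID_DATA_LENGTH],
        "user_level_tail_is_zero": not any(user_level[VALID_DATA_LENGTH:]),
        "forensic_tail_is_stale": forensic[VALID_DATA_LENGTH:] == raw[VALID_DATA_LENGTH:LOGICAL_SIZE],
        "hashes_match": sha256_hex(user_level) == sha256_hex(forensic),
    }


if __name__ == "__main__":
    for key, value in compare_hashes().items():
        print(f"{key}: {value}")
```

A file whose valid data length equals its logical size hashes identically under both settings; the divergence only appears for files with uninitialized tails.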

  • Files in NTFS volumes that have grown or shrunk and whose previous file size is known from the FILE record now get their previous file size shown in the Info pane.

  • Directories can now be previewed. The preview of a directory shows that directory's subdirectories as a tree and optionally the respective file counts. It may be truncated if the amount of time to put together the preview exceeds a certain limit, to avoid long delays when navigating in the directory browser. If you need a complete preview, you can hold the Shift key when switching to Preview mode for a given directory, or you can use the "Export subtree" context menu command in the Case Data window instead.

Volume Snapshot Processing

  • Ability to run file header signature searches not only in files whose names or types match a certain file mask, but optionally also all files of unknown type.

  • Ability to buffer 8 GB instead of 4 GB of decoded file contents per evidence object in newly created volume snapshots.

  • When analyzing or recovering a previous instance that employs additional threads, it is now possible to select one of those worker threads instead of the main thread.

  • Ability to run X-Tensions as part of a volume snapshot refinement that is triggered from the command line.

  • Ability to run a simultaneous search neither in the original file contents nor in the directory browser metadata cells, but only in the decoded text of documents.

  • Fast re-matching specifically of selected and tagged files against a hash database even when there are lots of matches in the volume snapshot already.

  • Check box to do FuzZyDoc matching "again" for files that were matched against the FuzZyDoc hash database already before.

  • Ability to export, import and merge FuzZyDoc hash sets. The result of the export can be used with the import function or alternatively is also valid as a stand-alone database by itself.

Directory Browser Commands & Options

  • New directory browser context command Navigation | Seek Path helps to locate a file or directory in the directory browser whose full path you specify.

  • Duplicate files can now also be identified based on the textual representation of dates in some of the date columns, and how many characters in these columns and in the Name column are compared is optional.

  • That previously existing files are represented with the Hidden attribute (H) when mounting as a drive letter is now optional.

  • Hierarchical indention in the Export List command can now be stronger (fully checked) or not so strong (half checked).

  • The Hash category filter can now target uncategorized files.

  • Recover/Copy now uses the same notation options as the Export List command.

  • Options of the Print command reorganized. In particular it is now easy to print *only* a cover page, not the actual file, if you are mainly interested in a printout of the metadata and your own comments.

  • The print cover page now better utilizes the page width.

  • There is now an option to print a preview of the file (picture or non-picture) at the bottom of the cover page. The format of this preview depends on the settings of the viewer component in Preview mode, e.g. "Best Fit" or "Actual Pixels" or "Fit to Window Width" etc. This is a 3-state check box. If only half checked, the preview is printed in much lighter colors, either to save ink/toner or to improve readability of the metadata fields if you output many of those and they spill over onto the preview.

  • Directories can now also be printed. The printout shows exactly the same as Preview mode.

  • When filters are applied to directories, too, that now concerns only suitable filters. Filters that do not make sense to apply to directories (Type, Type Status, Hash, Hash Set, Author, ...) are not applied.

  • If "List directories when exploring recursively" is half checked, i.e. when directories are not needed for navigation, just of interest if they match filters of interest, that now means that directories will only be listed if only filters are active that are actually applicable to directories (Name, timestamp filters, Owner, Int. ID, Attributes, ...) and if those filters let directories pass through. If for example both the Name filter and the Type filter are active at the same time, directories will not be listed, because even if they satisfy the Name filter, they cannot possibly satisfy the Type filter (directories do not have a file type). But if the Name filter is on and the filter for timestamps, then directories are listed if they match both filter conditions.

  • By default, the Path column now displays a partial path from the current exploration base when exploring recursively. That is the same path that you would get with the Recover/Copy command when reproducing a partial path only. Useful for example if you wish to share directory listings including subdirectories with someone (Export List command), distinguishing files in different subdirectories, without revealing the complete path of the files (e.g. on your own storage drive).

  • The directory browser settings including all filters can now also be saved and loaded from within the system menu of the Directory Browser Options dialog window.

User Interface

  • An additional column shows the unique ID formatted and extended as a GUID, for users who need to have a GUID for each file in their cases. The GUID can also be used to name output files in the case report and in Recover/Copy.

  • A new directory browser column shows the number of search hits in a file.

  • Additional columns after "Recipients" show To:, Cc:, and Bcc: recipients of e-mails and e-mail attachments separately.

  • The generator signature, which is known from the Metadata column, is now additionally presented in its own separate column, for sorting purposes, which may help to identify logical connections.

  • The dialog window that allows you to define keyboard shortcuts is now accessible from the General Options, no longer from the Directory Browser Options.

  • The height of the Directory Browser Options dialog window has been shrunk, so that it should now fit on the screen even on laptop computers with unnecessarily high DPI settings in Windows 10 or generally on displays or projectors with a poor vertical resolution.

  • A new option in Options | Viewer Programs allows to provisionally clean up after GDI font object leaks as exhibited by the viewer component when loading some rare files, in the x64 edition only (possibly functional also in the x86 edition in an x86 Windows as well, but that was not tested). This prevents graphical errors in the user interface as well as program instabilities and freezes. Users who have encountered such rare files occasionally because they view/preview so many files or extensively use the gallery with thumbnails of non-picture files are encouraged to switch to v19.5 early.

  • WinHex Lab Edition now allows to use File mode.

  • In WinHex with a specialist license or less, the legend can now be displayed with a command in the Access button popup menu, and toggling between recursive and normal exploration is also possible now with a command in that menu.

  • Details mode now has a sub-mode, which can be activated by pressing the new "IM" button, which shows ONLY the internal metadata of a file. That makes it more efficient to check multiple files for that kind of metadata without having to scroll. In particular this is useful for forensic review of photos, to check the Exif data. Also new: Values in the internal metadata of JPEG files that X-Ways Forensics thinks have changed/are not original are highlighted in blue color.

  • Improved behavior when running on multiple monitors with negative horizontal screen coordinates.

  • A Tooltips.txt file with tooltip assistance for many check boxes in various dialog windows has been compiled by Michael Yasumoto, thankfully, copied verbatim from the explanations in the English language program help / user manual, and is available for download now, for users of X-Ways Forensics and X-Ways Investigator, from the “Additional resources” directory (download URLs available from here as always). Tooltip text truncations after 512 characters are normal and by design.

  • When defining German as the language of the user interface, users can now choose to get almost all occurrences of the letter ß replaced with ss. Useful especially (but not only) for customers in the German speaking parts of Switzerland.

Miscellaneous

  • X-Ways Forensics, X-Ways Investigator and WinHex Lab Edition now support a new API called the Image I/O API. It's described at http://www.x-ways.net/forensics/x-tensions/Image_IO_API.html and allows interested parties to add support for other physical disk image formats. It is even possible to add alternative support for an already supported image type, for example certain virtual machine disk images with currently unsupported special features or segmented raw images with a currently unsupported segment filename scheme. When such DLLs are made available by trusted sources, users would just add them to the installation directory of X-Ways Forensics. They have to be named Image*.dll, and will be loaded automatically by the program. (Adding them to the installation directory is considered to signify consent for that.)

  • X-Tensions API: C++ function definitions and C++ sample projects updated.

  • X-Tensions API: XWF_ITEM_INFO_ATTR of the XWF_GetItemInformation function now documented.

  • Many minor improvements.

  • User manual and program help updated for v19.5.


Changes of service releases of v19.4

  • SR-1: The Simultaneous Search as invoked from Refine Volume Snapshot did not work when RVS was triggered from the command line. That was fixed. (The fix will also be included in v19.1 SR-10, v19.2 SR-8, and v19.3 SR-8.)

  • SR-1: Mounting (volume snapshots of) drive letters as drive letters is now allowed.

  • SR-1: E-mail extraction from olk15message files revised.

  • SR-1: The auto-save interval did not have any effect in cases that were newly created from the command line with the NewCase command. That was fixed.

  • SR-1: Fixed a very rare infinite loop that could occur while processing corrupt Skype databases.

  • SR-2: Previously, hidden files in the case directory were not included when cases were archived. That was fixed.

  • SR-2: Ability to recognize APFS volumes.

  • SR-2: Ability to buffer 4 GB instead of 2 GB of decoded file contents per evidence object and prevent buffer overflow and corruption.

  • SR-2: Shift+Click to open "File Type Signatures *.txt" from within the program has been changed to Ctrl+Click.

  • SR-3: Fixed an exception error that could occur with certain VCF files since v19.3.

  • SR-3: Fixed a handle leak in the report generation with thumbnail creation for non-picture files.

  • SR-3: Limited the inclusion of excessive amounts of metadata in the Metadata column for certain files created by Photoshop.

  • SR-3: With the crash-safe decoding option, encrypted documents were not decrypted for the text decoding part of the logical search. That has been improved now.

  • SR-4: Fixed stability problems in decompressing WofCompressed data.

  • SR-4: Support for exFAT volumes with more than 2^32 sectors.

  • SR-4: The XWF_CTR_OPEN flag of the X-Tension function XWF_CreateContainer did not work. That was fixed.

  • SR-4: The dependent Description filter options for e-mails had a filter effect in v19.4 even when invisible and not applicable. That was fixed.

  • SR-5: In WinHex with a specialist license or less, the Recover/Copy command did not work in v19.4. That was fixed.

  • SR-5: Improved decoding of certain e-mail header lines with quoted printable and code page indicators.

  • SR-5: Matching hash values against hash databases as part of volume snapshot refinement did not work when triggered through the command line. That was fixed.

  • SR-6: Improved speed and stability when processing EVTX logs. Avoided a possible infinite loop condition.

  • SR-6: Fixed a rare exception error that could occur when taking volume snapshots of HFS+ volumes.

  • SR-6: The logical simultaneous search would not run in WinHex with a specialist license in v19.4. That was fixed.

  • SR-7: Skipping hash databases when matching hash values did not always work in v19.3 and v19.4. That was fixed.

  • SR-7: Fixed an infinite loop that could occur under rare circumstances when opening files in TAR.GZ archives.

  • SR-7: Fixed an exception error that could occur when processing certain e-mail messages in v19.4 SR-6.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde

 

#156: X-Ways Forensics, X-Ways Investigator, WinHex 19.4 released

Sep 6, 2017

This mailing is to announce the release of another notable update with many improvements, v19.4.



Upcoming Training

Sep 25-28 Chicago, IL X-Ways Forensics waiting list
Sep 26-29 London, England X-Ways Forensics 1 place available!
Oct 16-19 Washington DC area X-Ways Forensics
Oct 23-26 Toronto, ON X-Ways Forensics waiting list
Nov 21-24 London, England X-Ways Forensics
Dec 4-7 Atlanta, GA X-Ways Forensics
Dec 11-13 London, England XFS, X-Ways Forensics II
Dec 19-20 London, England X-Ways Forensics II

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


What's new in v19.4?
(please note that most changes affect X-Ways Forensics only)

File Listing/Reporting

  • The Recover/Copy command now allows to name output files optionally not only after their unique IDs, but after any other column in the directory browser, such as hash value, ID, comment, offset in the file system etc. Such metadata information can also be prepended or appended to the name, which for example could be useful to do with alternative name, existence status, report table, timestamps, author, sender, description, attributes, analysis result, hash set, ... If the cell text consists of multiple lines (e.g. comments or metadata column), only the first line is used. Backslashes in the path columns are automatically replaced with underscores. That allows to name a file after its complete original path.

  • Several more columns of the directory browser are now offered for grouping in the Recover/Copy command, such as Evidence object, Analysis, Dimensions, Comments, Sender, Recipients, and many others. Please note that grouping by evidence object has always been possible when recovering files from the case root with a partial path, long before the special grouping option was introduced, but that possibility, although available and documented from day one, has been overlooked by some users, even when they asked and were explicitly told about it, and it has now been removed (now only when recovering files from the case root with a full path).

  • It is now possible to limit the Recover/Copy grouping directory name to a certain number of characters. That could be very useful for example in order to group files by year (the first four characters in creation or modification timestamps, given suitable notation settings) or simply to split up a huge number of output files into roughly equally large subdirectories (with the first one or two characters of the hash value, for 16 or 256 such subdirectories), based on the law of large numbers, or simply to reduce the risk of overlong paths.

  • When files are copied to include them in the case report, they can now be named not only after their original name or unique ID, but also after hash values and various other more or less unique properties. If those happen to be blank, the original name will be used.

  • Sorting by full path now ensures the correct hierarchical order with child objects following their respective parent objects even if some parent files or directories or e-mail messages have the exact same name.

  • The Full Path filter now supports asterisks at the end of each line. For example, \Windows\Prefetch\* matches all files in the directory \Windows\Prefetch.

  • When exporting a list of files or directories along with their child objects sorted by full path, so that child objects directly follow their respective parents, in TSV or HTML format, a new option called "Indention" allows to indent the names of the child objects so that it is easy to see in the output which objects are child objects of which other objects even when not looking at or when not even including the potentially very long full path as an additional column.

  • "List directories when exploring recursively" is now a 3-state check box and by default half-checked. In that state directories are listed when exploring recursively only if a non-trivial filter is active (non-trivial = for more than just not excluded items) and when actually applying filters to directories, too. In this combination the user is potentially interested in directories because they may have certain timestamps or names etc. of interest, but in ordinary situations probably not, so this new middle state could be a very good compromise.

  • Grouping files and directories is now a 3-state check box and by default groups only when not exploring recursively, i.e. only when directories are needed for navigation and thus expected at the top of the list.

  • Carved files can now be filtered with the Description column filter as a special kind of previously existing files, which should be more logical and internally slightly faster.

File Type Support

  • X-Ways Forensics and WinHex Lab Edition now have a special highlighting feature for file header signatures, right in the hex display (X-Ways Forensics: Disk/Partition/Volume and File mode). The identification is done by matching the raw GREP-enabled expressions in "File Header Signatures Search *.txt" to every single offset in the currently visible page. The enhancing effect of the "~" algorithms, which often can identify false positives or further distinguish between different subtypes during file header signature searches, is not applied, though. This new feature can be enabled or disabled in Options | General, in the automatic coloring section on the right. If only half selected, signatures will only be searched and highlighted at sector boundaries. Generally this kind of highlighting will help you spot start positions of well known data/file types, even if embedded within one another, immediately, for example thumbnails in JPEG files, individual records in zip archives, TIFF signatures in Exif metadata, certificates in Windows Registry hives, etc.

  • FILETIME highlighting is now separately selectable and not covered by the MFT FILE record auto coloring option any more.

  • New flag for file header signature definitions: "H" means that a definition is meant only for the new highlighting feature, not for regular file header signature searches or for file type verification. Such definitions only require three pieces of information: The keyword or GREP expression, the relative offset (typically 0) and the flag "H". The description at the start of the line is optional, but recommended because the color depends on the description, and for different descriptions you will likely see different colors. You could even create a dedicated text file, for example named "File Type Signatures Search Highlighting.txt", that defines various keywords or GREP expressions that you are always interested in and would like to get highlighted immediately in every case even before running appropriate searches. Also useful if you analyze or reverse-engineer file formats, where for example records do not have a fixed length (so that the record presentation option in WinHex is not applicable), but are identifiable by signatures.

  • New flag for file header signature definitions: "A" means that a definition heavily depends on the associated algorithm (the one defined with the ~ character) and is too generic for identification without it. Thus the new highlighting feature will not use signatures with the "A" flag.

  • Ability to view or preview certain password-protected documents if the password is available. Only certain encryption variants of Microsoft Office and PDF documents, Microsoft Outlook PST 97-2013, and Zip files are supported. When previewing such a file, the password will be taken from the Metadata cell of that file (if available from there in a line that starts with "Password: ") or otherwise all passwords from the currently active case's password collection will be tried automatically. If one of the passwords from the password collection matches, it will be remembered in the Metadata cell of the file for future re-use and the user's information. When viewing such a file, if no matching password is found, the user will be additionally prompted for the password repeatedly until he or she provides the correct password or gives up (clicks Cancel).

  • The file format specific encryption test now automatically tries the passwords in the current case's password collection with such files as well and remembers the matching password, if any, in the file's Metadata cell.

  • Ability to process certain zip archives with a rare header signature variant (extended local header).

  • File carving, file type verification and tentative e-mail extraction support for Outlook 11 and Outlook 14 for Mac.

  • Metadata extraction revised for MS Word documents. The “content created” timestamp is now provided for more files than before. There are two new metadata fields called "Format version" and "Generator". The generator is not necessarily MS Word itself, but could be Open Office. "Product created" is now output with a 2-digit year so that it is easier to recognize as a timestamp.

  • "Content created" timestamps can now be provided for some more PDF documents as some more special coding variants are now supported.

  • More thorough extraction of messages from certain Skype databases. The presentation of the conversation was simplified and duplicate information removed. The individual conversations in the chat files are now listed in one consecutive table with highlighted indicators when each conversation started or ended. This improvement is also retroactively applied to v19.3 through v19.0 in service releases after July 10, 2017.

  • Ability to view Windows 10 Prefetch files under Windows 7 with a work-around offered by X-Ways Forensics when the user tries to do that.

  • Better file carving results for RAR, large PST, 7Zip, DWF, and JPEG.

  • Better carving results for large embedded data in other files.

  • New file type "vdata" defined in the Special Interest category, for picture and video files that were specially hidden by an Android app called Vaulty.

  • Support for a new version of Windows Thumbcache files.

  • Output of the official InstallDate of a Windows 10 installation from the SOFTWARE hive in addition to the SYSTEM hive's original "Source OS *" InstallDate if present as an "Upgrade" timestamp in the properties of newly added evidence objects, so that users find both dates there and don't suspect a bug in X-Ways Forensics if the installation date that they think is correct does not match the date shown. Anyway, for more complete information please generate the registry report.

File System Support

  • Ability to decompress "WofCompressed" executable files as compressed by the CompactOS feature of Windows 10 in NTFS, with WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. Such files are recognized as WofCompressed by X-Ways Forensics since v19.1 and marked in the Attr. column with P and ~.

  • In NTFS volumes and in evidence file containers in raw format the "Wipe securely" command in the directory browser context menu in WinHex (X-Ways Forensics only when running as WinHex) can now optionally also wipe the main file system level metadata / the defining file system data structures of selected files (in containers the only such metadata), in addition to the file contents. If you would like to do that, just check the new box "Initialize MFT records". This option has no effect on files in other file systems or files that are embedded in other files or carved files.

  • Ext4: For files whose contents are not defined/initialized at the end, the valid data length is now displayed in File mode. Undefined data somewhere in the middle of the file is disregarded by this function.

  • In newly taken snapshots of Ext3* volumes, the vast majority of files that utilize sparse storage or that are only partially initialized are marked as such in the Attr. column immediately. A very few files will be identified as such only once they have been opened for reading/searching/processing.

  • The actually (but not officially) unused area at the end of the last block of a directory in Ext* file systems is now nicely highlighted like slack space in File mode, and once opened (for File mode or logical searches or whatever) the logical size of the directory will also be reflected in the volume snapshot (visible in the directory browser's Size column only if recursive selection statistics are disabled).

  • Previous releases potentially missed some files in newer variants of XFS file systems. A tentative fix for that has now been applied.

  • Those few extended attributes in HFS+ that contain only short plain text are now output in the Metadata column instead of as child objects.

  • Many hardlinked dir_* directories in .HFS+ Private Directory Data in HFS+ now point back to their first source as a so-called related item. This information is based on extended attributes of the "firstlink" type.

  • The volume snapshot option "Include EA in snapshot" for extended attributes in HFS+ file systems has been revised and renamed to "Complete output of EA". By default, it is not checked. All extended attributes deemed relevant by X-Ways Forensics are still processed and output either in the Metadata column if they are textual in nature (that is new) or as file contents of resident or compressed files or as links to related directories, or as child objects that are marked in the Attr. column with (EA). If the new option is half selected, "firstlink" attributes and "quarantine" attributes are output in the Metadata column additionally. If the new option is fully checked, even empty binary PLists and ordinary "Security" attributes are output as child objects.

  • The extra effort that X-Ways Forensics makes to include deleted objects in FAT32 file systems correctly in the volume snapshot since v19.3 is now optional (see Options | Volume Snapshot). If only half checked, the extra effort is made only for subdirectories, not files.

  • The Technical Details Report for a physical disk with GPT partitioning now includes the unique partition GUIDs.

Miscellaneous

  • Previously, search hits for identical search terms were always merged and made accessible through the same item in the search term list. This is useful for example when running searches for the same keywords / GREP expressions incrementally (in multiple runs) in different evidence objects. Now there is a new box on the left-hand side of the Simultaneous Search dialog window, which you can UNcheck in order to always produce a new item in the search term list, even if the keyword that you are looking for is identical to a previously used keyword or a keyword in the same run. This is useful if you run the searches with different settings (e.g. same keyword as a whole word and not as a whole word at the same time), in order to be able to distinguish the resulting search hits later.

  • The file mask for "Use associated program for viewing..." now takes precedence over the internal graphics display library and (if it's a video) even the specified preferred video player (which may be different from the program associated with a particular video file type).

  • A new command line parameter named "Override" was introduced, which overrides message boxes and dialog boxes until the last command line parameter has been processed. The text of those boxes will be output to the Messages window (and thus indirectly also to msglog.txt, unless disabled), and either an automatic click on OK will be simulated (if the parameter is "Override:1") or a click on Cancel (in case of "Override:2"). If a message box has only one button, it does not matter which parameter value was specified. All of this helps to avoid interruptions and delays of automatic processing when the program is waiting for user input.

    The default setting and recommended behavior (if no Override parameter is specified) is like "Override:0", where message boxes and dialog boxes are shown normally and potentially alert the user of critical error conditions and anomalies such as incomplete images, undetectable image format etc. The parameter takes effect immediately upon start-up, before regular processing of other parameters begins, even if the Override parameter is specified last in the command line.

  • The Override parameter also outputs the entire command line to the Messages window (even with the value "0"), and this happens at a time that depends on the position of the parameter within the command line. This allows users who study the log later to know what the simulated response to the suppressed message boxes and dialog boxes was.

  • Ctrl+Alt is identified as different from Alt Gr and can now be selected as a base key combination for user-defined keyboard shortcuts.

  • The X-Tension API function XWF_OutputMessage now has a flag that allows outputting the message to the case log instead of the Messages window.

  • 3-state check boxes now have the superscript 3 next to the box instead of after the text label, which looks more tidy.

  • Users can now define their own tooltips for four types of control items (check boxes, radio buttons, drop-down boxes/combo boxes, and ordinary push buttons except "OK", "Cancel", and "Help"). This is done by clicking such items with the Shift key pressed and can be useful for personal notes and ideas, so that you can describe and better remember your preferred settings for different situations and their meaning. The tooltip texts will be stored in a file named Tooltips.txt and can be shared with other users, for example within an organization to remind your colleagues of which settings should be used according to your defined standards. Tooltip texts are stored in Unicode, may be up to 510 characters long, and may contain line breaks for formatting purposes. You can tell that a user-defined tooltip is available for a control item if it has a gray asterisk on its left.

  • Immediate effect when changing the setting for a case-specific temp directory.

  • Ability to preserve illegal filename characters in report table names in shared analysis work mode.

  • Many minor improvements.

  • User manual and program help updated for v19.4.


Network Dongle Package

  • The readme file by X-Ways now contains a hint that specifying the IP address of the machine with the network dongle is probably a must if that machine is on a different subnet.

  • A tool named NrMon.exe is now included that was designed by the manufacturer to monitor the activities of all NetROCKEY4ND devices on the network.

  • Some plain-text excerpts from the manufacturer's user's guide about the .ini files, the service programs and the monitor program are now included (without the screenshots).


Changes of service releases of v19.3

  • SR-1: Fixed an exception error that could occur when Canon zoom browser Thumbnail.info files were processed.

  • SR-1: RVS processing of files that are embedded in other files was not always completely done. That was fixed.

  • SR-1: Ability to detect newer versions of Wine under Linux as the operating system.

  • SR-1: Some improvements for execution in Wine under Linux.

  • SR-1: Prevented a division by zero exception in v19.3 when running a file header signature search in uninterpreted loose files.

  • SR-1: Fixed an exception error that could occur with certain settings when producing thumbnails of non-picture files for the report.

  • SR-1: More debug information output for certain errors.

  • SR-1: Some minor improvements and fixes.

  • SR-2: More generator signatures defined.

  • SR-2: Ability to add images to an existing case through the command line. The first parameter for that is the path of the .xfc case file, and the next parameter is the usual AddImage command.

  • SR-2: The program no longer suggests subscribing to the newsletter if run with command line parameters.

  • SR-2: Fixed an error that could occur in v19.3 when carving files in Ext2/Ext3 volumes.

  • SR-2: Some document excerpts were not extracted from the Windows.edb database correctly any more. That was fixed.

  • SR-3: Fixed potential error messages about failing to write into a file when processing SQLite databases.

  • SR-3: Fixed "... is an invalid character" error message during the particularly thorough file system data structure search in NTFS volumes in v19.3 for users with special regionally preferred digit grouping characters such as a non-breaking space.

  • SR-3: In v19.3, particularly thorough file system data structure searches for FILE records failed with an exception error on volumes whose treatment as NTFS the user had to force for example because they were reformatted with another file system. That was fixed.

  • SR-3: The internal marking of carved files changes with this service release, for future compatibility with v19.4, so older versions or releases will not describe carved files as carved files when they load volume snapshots previously opened or created by this release.

  • SR-3: X-Tension API: XWF_GetItemInformation with XWF_ITEM_INFO_DELETION now returns 5 instead of 1 for carved files.

  • SR-4: Ability to open Linux block devices with Tools | Open Disk under Wine. Internally this requires interpretation of the files as disks, just like with raw image files, and thus works only in WinHex with a specialist license, WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. The device storage capacity is determined automatically, the sector size not necessarily.

  • SR-4: Creating report table associations based on matching hash sets did not work on multiple files in v19.3 if no second hash database existed. That was fixed.

  • SR-4: Fixed an exception error that could occur when processing TAR archives.

  • SR-4: The investigator.ini file had no effect in X-Ways Investigator v19.2 and v19.3. That was fixed.

  • SR-4: Improved stability when handling certain picture files.

  • SR-4: Improved ability to display GIF pictures with special header extensions.

  • SR-4: Prevented a handle leak in message boxes resulting from an error in Windows API functions that deal with icons.

  • SR-5: The preview of an SQLite database file now reliably shows the human readable representation in HTML format, if available, instead of potentially one of the other child objects of that database.

  • SR-5: More reliable identification of Skype chat databases for adequate processing.

  • SR-5: Superimposition now has an effect on a partition again if the superimposition was applied to that partition directly instead of to the disk from within which the partition has been opened.

  • SR-5: Under very specific circumstances, files stored in Ext4 file systems were opened as corrupted despite being intact. The areas affected would have been displayed as sequences of binary zeroes. This was fixed.

  • SR-5: Simultaneous search: GREP set syntax (square brackets) now works in conjunction with the "MS Outlook cipher based on UTF-16" code page.

  • SR-5: In HFS+ volumes with many extended attributes not all of them were parsed. That was fixed.

  • SR-5: Fixed an infinite loop that could occur when parsing certain decompressed hiberfil.sys files.

  • SR-5: Fixed an error that could occur in v19.3 when splitting up report tables in the case report into multiple HTML file segments.

  • SR-6: Ability to extract files from GZ archives that are larger than 4 GB.

  • SR-6: Matching hash values against hash databases as part of volume snapshot refinement did not work when triggered through the command line. That was fixed.

  • SR-6: Fixed an exception error and instability that could occur with corrupt PST files.

  • SR-6: Fixed a problem with EDB processing.

  • SR-7: Removed size limitation for file carving within files.

  • SR-7: Prevented filename conflicts and potential loss of report table associations in shared analysis work mode.

  • SR-7: Deactivating the FlexFilters after they were both active and combined with a logical OR rendered filtering non-functional. That was fixed.

  • SR-7: Fixed an error in conversion from binary to Intel Hex and Motorola S format that existed since v18.9.

  • SR-7: Internal functioning of the Tools | Compare command improved.

  • SR-7: Ability to fully decompress some compressed files in HFS+ that could not be fully decompressed previously.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde

 

#155: X-Ways Forensics, X-Ways Investigator, WinHex 19.3 released

Jun 14, 2017

This mailing is to announce the release of another notable update with many, many important improvements, v19.3.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.

Every now and then we still receive a request about a replacement of a lost or stolen uninsured dongle although we have pointed out many times that we do not replace such dongles. We ask for your understanding that we provide only 1 working dongle per license, not as many as customers want. We have never made an exception in our entire company history. Anyone who still asks for a replacement of a lost dongle that was not insured will forfeit their chance for a good-will discount on the purchase of a new license.


Upcoming Training

Jul 3-6 London, England X-Ways Forensics
Jul 24-27 Ottawa, ON X-Ways Forensics
Aug 15-18 London, England X-Ways Forensics
Sep 25-28 Chicago, IL X-Ways Forensics
Oct 23-27 Toronto, ON X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


What's new in v19.3?
(please note that most changes apply to X-Ways Forensics only)

File System Support

  • If the file header signature search in volumes with a supported file system other than Ext2/Ext3 finds the start of a file in free space, at a cluster boundary, the data is now by default assumed to flow around potentially following clusters that are marked by the file system as in use. This will correctly reconstruct files that were created after and stored around other files and then deleted, as long as the released clusters were not re-used and overwritten afterwards. To prevent file carving purely in free space this way, i.e. to make it work as in previous versions, you can UNcheck the new option "Carve files in free clusters around used clusters". This option takes effect only at the moment when files are added to the volume snapshot, not retroactively for files that were added previously. Carved files purely in free space retain the storage location that was assumed when they were added to the volume snapshot even if the option is changed afterwards. However, older versions of X-Ways Forensics will not understand that certain files are assumed to flow around allocated clusters and thus would present them as contiguous files as usual when they work with the same volume snapshot.

  • Tools | Disk Tools | File Recovery by Type offers the same cluster assignment logic.

  • If the file carving definition has the strong greedy flag ("G"), after carving a file that flows around allocated clusters, the file header signature search will skip only the first fragment of the carved file. The "h" flag for header exclusion prevents the new carving method from being applied to the affected file types.

  • The same logic to skip in-use clusters is now by default also applied to deleted files in volume snapshots of FAT12, FAT16, FAT32, and exFAT file systems, if not disabled in Options | Volume Snapshot. That means that data of deleted files is now not necessarily assumed to be contiguous any more, but assumed to occupy as many free clusters from the start cluster number as are necessary to accommodate the known file size, while skipping clusters that are marked as in use by existing files. If the end of the volume is reached that way, the next free clusters are taken from the start of the volume, replicating the built-in logic of typical FAT32 file system drivers to rotate through the volume on the search for allocatable clusters. As this volume snapshot option retroactively changes the assumption about the storage location of files that are already contained in the volume snapshot, changing this option will also cause hash values to change if they are re-computed.
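
The cluster assignment described in the two items above (carving around in-use clusters, and deleted FAT files occupying the next free clusters from their start cluster with wrap-around at the end of the volume) as an added worked example in Python. This is not X-Ways code; the toy volume, its allocation bitmap, the 8-byte cluster size and the 36-byte deleted file are constructed, and cluster numbering is zero-based here for simplicity (real FAT volumes number data clusters from 2). The start cluster is taken unconditionally, since the directory entry points there; that is an assumption of this example.

```python
"""Assign clusters to a deleted FAT file around clusters that are still in use.

Added example (not X-Ways code): the bitmap, sizes and data are constructed.
Cluster numbers are zero-based here; real FAT volumes number data clusters from 2.
"""
from typing import List

CLUSTER_SIZE = 8  # constructed toy volume with 8-byte clusters


def build_toy_volume():
    """Constructed sample: 10 clusters, three of them allocated to live files.

    A 36-byte file was written to clusters 5, 6, 8, 9 and (after wrapping
    around the end of the volume) 0, skipping cluster 7, and then deleted.
    """
    clusters = [b"--------"] * 10
    clusters[5] = b"ABCDEFGH"  # fragment 1, the start cluster from the directory entry
    clusters[6] = b"IJKLMNOP"  # fragment 2
    clusters[7] = b"USEDUSED"  # belongs to an existing file, must be skipped
    clusters[8] = b"QRSTUVWX"  # fragment 3
    clusters[9] = b"YZ012345"  # fragment 4, last cluster of the volume
    clusters[0] = b"6789...."  # fragment 5 after wrap-around; "...." is slack
    in_use = [False] * 10
    for c in (2, 3, 7):
        in_use[c] = True
    return b"".join(clusters), in_use


def assign_clusters(in_use: List[bool], start_cluster: int, file_size: int,
                    cluster_size: int, skip_used: bool = True) -> List[int]:
    """Return the clusters assumed to hold a deleted file's data.

    in_use[c] is True when cluster c is marked as allocated. The start cluster
    is always taken (the directory entry points there); with skip_used=True
    the remaining clusters are the next free ones, wrapping around to the
    beginning of the volume if the end is reached; with skip_used=False the
    file is assumed to be contiguous, as older versions did.
    """
    total = len(in_use)
    if not 0 <= start_cluster < total:
        raise ValueError("start cluster outside the volume")
    needed = (file_size + cluster_size - 1) // cluster_size
    if needed == 0:
        return []
    if not skip_used:
        if start_cluster + needed > total:
            raise ValueError("contiguous file would run past the end of the volume")
        return list(range(start_cluster, start_cluster + needed))
    chain = [start_cluster]
    c = start_cluster
    examined = 1
    while len(chain) < needed:
        if examined >= total:
            raise ValueError("not enough free clusters for the file size")
        c = (c + 1) % total  # rotate through the volume like a FAT driver does
        examined += 1
        if not in_use[c]:
            chain.append(c)
    return chain


def read_chain(volume: bytes, chain: List[int], cluster_size: int, file_size: int) -> bytes:
    """Concatenate the clusters of the chain and cut the result to the file size."""
    data = b"".join(volume[c * cluster_size:(c + 1) * cluster_size] for c in chain)
    return data[:file_size]


def recover(skip_used: bool) -> bytes:
    """Recover the constructed deleted file with or without the new cluster logic."""
    volume, in_use = build_toy_volume()
    chain = assign_clusters(in_use, start_cluster=5, file_size=36,
                            cluster_size=CLUSTER_SIZE, skip_used=skip_used)
    return read_chain(volume, chain, CLUSTER_SIZE, 36)


if __name__ == "__main__":
    print(recover(True))   # new logic: the file's real content
    print(recover(False))  # old contiguous assumption: cluster 7 pollutes the result
```

With skip_used=True the recovered bytes are the original file; with the old contiguous assumption the data of the live file in cluster 7 is spliced into the middle and the tail is cut off, which is also why hash values of such files change when the volume snapshot option is toggled and hashes are recomputed.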

  • Significantly improved ability to recover deleted files and directories in FAT32 volumes (ability to get the start location right, in newly taken volume snapshots only).

  • File mode now offers a "raw" submode for NTFS-compressed files. In Raw mode you can actually see the compressed data as well as the sparse clusters, not the decompressed state of the file. This is useful for research or educational purposes and because theoretically small amounts of data could have been manually hidden in the not clearly defined, but implicitly existing slack area of each compression unit, which follows the compressed payload data.

  • Reduced the number of false positives when scanning for lost Ext3/Ext4 partitions.

  • The "List Clusters" command in the directory browser context menu has been revised. It can now be applied to some more "exotic" objects that it could not deal with before, such as certain embedded files, certain file system area files, and carved files. It automatically outputs sector instead of cluster numbers for any objects that are not aligned at cluster boundaries. It outputs the total number of clusters or sectors even if contiguous series of clusters are represented in the optional compact fashion. If exported to a text file, the cluster list is automatically opened in the user's preferred text editor. The effects of the aforementioned new cluster assignment logic options are visible in newly populated cluster lists.

  • The volume snapshot options are now more clearly structured, split into file system specific settings and file system independent settings.

  • There is a new volume snapshot option that causes X-Ways Forensics to read known uninitialized portions at the end of a file (valid data length < logical file size) as binary zeroes instead of as whatever data is stored in the clusters allocated. This mimics the behavior of Windows when ordinary applications open files through the operating system instead of reading the contents of the file directly from the sectors in the volume. Useful for example to achieve hash compatibility with such applications. This new option does not apply to read operations for logical searches, so that logical searches remain forensically thorough and clusters allocated to uninitialized portions of files are still searched. This option has an immediate effect even on already opened files, for the next read operation.
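
The effect of that option on hash values and on logical searches, as an added example in Python (not X-Ways code). The two-cluster file, its logical size of 12 bytes and its valid data length of 6 bytes are constructed; the bytes beyond the valid data length stand for residue left in the allocated clusters by an earlier file.

```python
"""Read a file whose valid data length (VDL) is shorter than its logical size.

Added example (not X-Ways code); cluster contents and sizes are constructed.
"""
import hashlib
from typing import Tuple

CLUSTERS = b"HELLO PASSWDqrst"  # constructed: 2 clusters of 8 bytes, with residue
LOGICAL_SIZE = 12               # size recorded in the file system
VALID_DATA_LENGTH = 6           # only the first 6 bytes were ever written


def read_logical(clusters: bytes, logical_size: int, valid_data_length: int,
                 zero_uninitialized: bool) -> bytes:
    """Return the file contents within the logical size.

    zero_uninitialized=True mimics an application reading through the OS:
    everything past the VDL is returned as binary zeroes. False returns what a
    sector-level read of the allocated clusters yields, including residue.
    """
    if not 0 <= valid_data_length <= logical_size <= len(clusters):
        raise ValueError("inconsistent sizes")
    if zero_uninitialized:
        return clusters[:valid_data_length] + b"\x00" * (logical_size - valid_data_length)
    return clusters[:logical_size]


def md5_of_views() -> Tuple[str, str]:
    """MD5 of the sector-level view and of the OS-compatible view; they differ
    whenever the residue past the VDL is not already zero."""
    raw = read_logical(CLUSTERS, LOGICAL_SIZE, VALID_DATA_LENGTH, False)
    os_view = read_logical(CLUSTERS, LOGICAL_SIZE, VALID_DATA_LENGTH, True)
    return hashlib.md5(raw).hexdigest(), hashlib.md5(os_view).hexdigest()


def logical_search(keyword: bytes, zero_uninitialized: bool) -> bool:
    """A forensically thorough logical search keeps reading the raw clusters
    (zero_uninitialized=False), so residue beyond the VDL is still searched."""
    return keyword in read_logical(CLUSTERS, LOGICAL_SIZE, VALID_DATA_LENGTH, zero_uninitialized)


if __name__ == "__main__":
    print(md5_of_views())
    print(logical_search(b"PASSWD", False), logical_search(b"PASSWD", True))
```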

File Format Support

  • Details mode for JPEG files now shows an additional table at the bottom. This table contains the generator signature as well as the "condition" of the file, which may be "incomplete" (if the file was truncated) or "trailing data" (if surplus data was appended to the JPEG data) or in some cases "original" (if the file is believed with great certainty to be in a pristine, unaltered state). "Original" is based on the presence of thumbnails, the absence of color correction certificates, the absence of unoriginal metadata such as XMP, based on timestamps, based on artifacts left behind by known editing software, and on whether a resize operation is detected.
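
How the "incomplete" and "trailing data" conditions can be determined from the marker structure of a JPEG stream, as an added example in Python (not X-Ways code, and it does not attempt the "original" assessment). The sample streams are constructed from a minimal APP0 segment, an SOS segment, a few entropy-coded bytes with a stuffed 0xFF00 and a restart marker, and an EOI marker; they are not decodable pictures.

```python
"""Classify a JPEG stream as complete, incomplete (truncated) or carrying trailing data.

Added example (not X-Ways code); the sample streams are constructed.
"""
from typing import Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers without a length field: TEM, RST0..RST7, SOI, EOI
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def _segment_end(data: bytes, pos: int) -> int:
    """pos is the 0xFF of a marker with a length field; return the offset past its segment."""
    if pos + 4 > len(data):
        return len(data) + 1  # the length field itself is cut off
    seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
    return pos + 2 + seg_len


def jpeg_condition(data: bytes) -> Tuple[str, int]:
    """Return ('complete' | 'incomplete' | 'trailing data', number of trailing bytes)."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG stream: SOI marker missing")
    pos = 2
    # Header: marker segments up to the first SOS.
    while True:
        if pos + 2 > len(data):
            return "incomplete", 0
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte preceding a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:  # EOI without any scan: structurally finished anyway
                trailing = len(data) - (pos + 2)
                return ("trailing data", trailing) if trailing else ("complete", 0)
            pos += 2
            continue
        pos = _segment_end(data, pos)
        if pos > len(data):
            return "incomplete", 0
        if marker == SOS:
            break
    # Entropy-coded data: 0xFF is followed by 0x00 (stuffed) or RSTn within a scan;
    # any other marker ends the scan (e.g. DHT/SOS of a further progressive scan, or EOI).
    while pos < len(data):
        if data[pos] != 0xFF:
            pos += 1
            continue
        if pos + 1 >= len(data):
            break  # lone 0xFF at the very end: the stream is cut off
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2
        elif nxt == 0xFF:
            pos += 1
        elif nxt == EOI:
            trailing = len(data) - (pos + 2)
            return ("trailing data", trailing) if trailing else ("complete", 0)
        elif nxt in STANDALONE:
            pos += 2
        else:
            pos = _segment_end(data, pos)  # skip the segment, then back into scan data
            if pos > len(data):
                return "incomplete", 0
    return "incomplete", 0


EXTRA = b"PK\x03\x04 appended archive"  # constructed surplus data after EOI


def build_samples() -> dict:
    """Constructed minimal streams; only the marker structure matters here."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"  # stuffed FF00 and RST0 inside
    complete = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    return {
        "complete": complete,
        "truncated": complete[:-5],   # ends on a lone 0xFF inside the scan
        "trailing": complete + EXTRA,
    }


if __name__ == "__main__":
    for name, stream in build_samples().items():
        print(name, jpeg_condition(stream))
```

The trailing byte count is what makes a hybrid file (such as a JPEG with an archive appended) visible; the same end-of-structure test is what allows a carver to stop at EOI instead of at a fixed maximum size.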

  • Improved detection of scanned images. The model designations of known scanning devices can be manually extended in the section "KnownScanner" of "Generator Signatures.txt". Identification by model name can help to identify scanned images if they contain Exif data or were edited. Generally the detection as scanned images is based on 1) generator signature, 2) generic properties of the Exif metadata (FileSource, Density, ...) and 3) the KnownScanner list.

  • Improved detection of screenshots in JPEG format.

  • Recognition of JPEG files produced by Twitter through their generator signature.

  • Checking the passwords in the password collection provided for file archive exploration is now more thorough, avoiding some rare false password matches.

  • Fixed a rare exception error that could occur with password-protected RAR archives. Fixed another rare exception error in conjunction with file archive handling.

  • RAR hybrid files now automatically receive a child object named "Trailing data" so that no manual effort is required any more to access the hidden data.

  • Uncovers embedded data from some more .vcf files.

  • Carving method ~109 implemented for Blu-ray videos.

  • Google Analytics signature moved from the "Special Interest" category to "Internet", as it has proven to be quite worthwhile to collect web surfing events.

  • For UserAssist program executions, the event description column now has the plain text description after ROT13 decoding.

  • Ability to interpret image files in TAR archive as disks without having to copy/extract them out. Very handy for VMDK virtual machine disks within OVA files (open virtualization archives in TAR format).

  • Ability to extract metadata from some new PDF format variants. PDF metadata extraction generally revised.

  • Prefix "Reporting::" inserted in generator signature definitions for easier filtering for the category reporting/records (account statements, credit card statements etc.).

  • Detection of scanned PDF documents further improved.

  • Different e-mail recipient groups (To:, Cc:, and Bcc:, if present) are now more clearly separated from each other in the Recipients column and the alternative .eml presentation.

  • Cc: and Bcc: recipients are now distinguished from To: recipients in the Recipients column for MSG e-mail files as well.

Timestamps

  • In the properties of evidence objects with a FAT file system you can now optionally define which time zone the local timestamps in that file system are based on, if you have an opinion about that. That time zone depends on the settings of the computer or device that wrote to the file system. (Keep in mind that those settings may have changed over time and thus a single time zone may not be adequate to get all timestamps right.) If you define the time zone reference, file system level timestamps are presented according to the selected display time zone and not in their original local time any more. They are internally converted from local time to UTC (based on your time zone reference) and then from UTC to the display time zone, at the moment when the timestamps are displayed. The effect is not permanent; the reference time zone settings can be changed at any time. The definition of a time zone reference is lost if you open a case in versions older than v19.3.

  • When copying files from FAT file systems to an evidence file container, file system level timestamps of these files are usually marked in the container as based on an unknown local time zone so that they will not be time zone adjusted when reviewing the container in the future. If however you are certain about the original time zone and define the time zone reference for the source evidence object, the timestamps are converted to UTC within the container based on the reference time zone and marked in the container as timestamps in UTC, permanently. In that state the timestamps later will be adjusted according to the selected display time zone, even if you change your mind and change the reference time zone in the source evidence object. The evidence file container is self-contained and separate from the source evidence object once files have been copied.
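
The two-step conversion described in the two items above (FAT local time to UTC via the reference time zone, then UTC to the display time zone at display time; and the permanent conversion to UTC when copying into a container), as an added example in Python (not X-Ways code). The packed 16-bit date and time fields, the reference zone Europe/Berlin and the display zone America/New_York are constructed choices.

```python
"""FAT timestamps: decode, then convert local -> UTC -> display zone.

Added example (not X-Ways code). Zone names and sample values are constructed.
"""
from datetime import datetime, timezone
from typing import Optional, Tuple
from zoneinfo import ZoneInfo

# Constructed directory entry fields for 2017-06-14 14:30:00 local time
FAT_DATE = 19150   # (2017 - 1980) << 9 | 6 << 5 | 14
FAT_TIME = 29632   # 14 << 11 | 30 << 5 | 0


def decode_fat_timestamp(fat_date: int, fat_time: int) -> datetime:
    """Unpack the 16-bit DOS date and time fields into a naive local time
    with 2-second resolution, exactly as the file system stores it."""
    year = 1980 + (fat_date >> 9)
    month = (fat_date >> 5) & 0x0F
    day = fat_date & 0x1F
    hour = fat_time >> 11
    minute = (fat_time >> 5) & 0x3F
    second = (fat_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def display(local_ts: datetime, reference_tz: Optional[str],
            display_tz: str) -> Tuple[datetime, str]:
    """Present a FAT timestamp as the directory browser would.

    Without a reference zone the local time is shown unchanged. With one, the
    value is converted to UTC via the reference zone and then to the display
    zone, at display time; nothing stored is modified."""
    if reference_tz is None:
        return local_ts, "local time, zone unknown"
    utc = local_ts.replace(tzinfo=ZoneInfo(reference_tz)).astimezone(timezone.utc)
    return utc.astimezone(ZoneInfo(display_tz)), "adjusted to " + display_tz


def copy_to_container(local_ts: datetime,
                      reference_tz: Optional[str]) -> Tuple[datetime, str]:
    """Timestamp as stored in an evidence file container: still local with an
    unknown zone, or permanently converted to UTC if a reference zone was set."""
    if reference_tz is None:
        return local_ts, "local, unknown zone"
    return local_ts.replace(tzinfo=ZoneInfo(reference_tz)).astimezone(timezone.utc), "UTC"


def demo():
    """Run the conversions on the constructed sample."""
    local_ts = decode_fat_timestamp(FAT_DATE, FAT_TIME)
    without_ref = display(local_ts, None, "America/New_York")
    with_ref = display(local_ts, "Europe/Berlin", "America/New_York")
    in_container = copy_to_container(local_ts, "Europe/Berlin")
    return local_ts, without_ref, with_ref, in_container


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the reference zone is applied with the daylight saving rules in force on the date in question (CEST, UTC+2, for the June sample), which is what a plain fixed offset would get wrong for half of the year.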

  • The time zone conversion hints after timestamps in the directory browser (the number of hours that have been added to or subtracted from UTC) are now included in tooltips for these cells.

  • Consistency of timestamp notation and Unicode capability of timestamp notation improved in a few places in the GUI and in the case report/log.

  • As the number of years represented in Calendar mode is limited, garbage timestamps in the far past can keep you from seeing the years that you are interested in if you don't set a filter or don't delete events with garbage timestamps. A new option now allows you to set the minimum year that will be represented by the calendar. Any timestamps in earlier years will be disregarded by the calendar even if no filter is active. By default, the minimum year is the year 2000. To change it, click the number of the first year on the left in Calendar mode.

  • The Data Interpreter and also templates can now display and edit FILETIME timestamps with a precision of milliseconds, depending on the settings in Options | Notation.

  • Timestamps of files in OS directory listings and remote network drives are now displayed with higher precision.

  • Display of internal creation timestamps in the "Content created" column with millisecond precision, where available.

Searching

  • The whole words only option of the Simultaneous Search works with a user-defined alphabet of characters of which words are composed, in order to identify what a word is and where its boundaries are. In previous versions, only an alphabet of characters from the Latin 1 code page was supported (for all Western European languages). Now an additional alphabet can be defined for letters of certain other languages. If activated, it is used for searches in UTF-16 and searches in regional ANSI/OEM/IBM/ISO/Mac code pages with only 1-byte characters, such as for Cyrillic, Greek, Turkish, Arabic, Hebrew, Vietnamese, and various Central/Eastern/South Eastern European languages. The Cyrillic alphabet is predefined.
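
Why the alphabet matters for the whole-words test, as an added example in Python (not X-Ways code). The boundary check is the same whether the text was decoded from UTF-16 or from a 1-byte code page; the Latin 1 letter set, the Cyrillic letter set and the sample strings are constructed here, and matching is case-sensitive for simplicity.

```python
"""Whole-words-only matching with a user-defined alphabet.

Added example (not X-Ways code); the alphabets and sample texts are constructed.
"""
from typing import Dict, List, Set

# Letters of the Latin 1 code page: ASCII letters plus U+00C0..U+00FF without × and ÷
LATIN1_LETTERS: Set[str] = (
    {chr(c) for c in range(0x41, 0x5B)}
    | {chr(c) for c in range(0x61, 0x7B)}
    | {chr(c) for c in range(0xC0, 0x100) if c not in (0xD7, 0xF7)}
)
# Additional alphabet: the Unicode Cyrillic block (constructed choice)
CYRILLIC_LETTERS: Set[str] = {chr(c) for c in range(0x0400, 0x0500)}


def find_whole_words(text: str, keyword: str, alphabet: Set[str]) -> List[int]:
    """Return the offsets of keyword occurrences that are not preceded or
    followed by a letter of the alphabet, i.e. that stand as whole words."""
    hits: List[int] = []
    start = 0
    while True:
        i = text.find(keyword, start)
        if i < 0:
            return hits
        before = text[i - 1] if i > 0 else ""
        after = text[i + len(keyword)] if i + len(keyword) < len(text) else ""
        # "" is never in the alphabet, so a hit at the text boundary qualifies
        if before not in alphabet and after not in alphabet:
            hits.append(i)
        start = i + 1


def demo() -> Dict[str, List[int]]:
    """Constructed samples: with only the Latin 1 alphabet, Cyrillic letters
    look like word separators, so 'мир' inside 'мировой' counts as a whole word."""
    latin_text = "cat category cat"
    cyrillic_text = "мир мировой мир."
    return {
        "latin": find_whole_words(latin_text, "cat", LATIN1_LETTERS),
        "cyrillic_latin1_only": find_whole_words(cyrillic_text, "мир", LATIN1_LETTERS),
        "cyrillic_with_alphabet": find_whole_words(
            cyrillic_text, "мир", LATIN1_LETTERS | CYRILLIC_LETTERS),
    }


if __name__ == "__main__":
    print(demo())
```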

  • Ability to index words that contain characters with special GREP meaning, such as #.?()[]{}\*, without masking them, both with the "range:" prefix and without.

  • Manual relocation or resize operations on search hits through the context menu may now exceed 32,767 bytes (up to 2,147,483,647 is supported in both directions). With a related command in the directory browser context menu, the size of carved files can now be set manually as an absolute number instead of as an adjustment to the previous size. The maximum size supported by this operation is 4,294,967,295 bytes.

  • Ability to run the simple search functions (Find Text, Find Hex Values) with the "List search hits" option in File mode even in evidence objects. The search hits will be collected in the general Position Manager.

  • Search hits in the general Position Manager are now optionally deleted as soon as the general Position Manager is closed, to avoid confusion as positions in the general Position Manager have no reference to a particular file or disk and are intentionally applied to whatever data source is active when invoked. The option can be found in the Position Manager's context menu.

X-Tensions API

  • The XWF_GetItemType function now allows to find out the detected file format consistency for a file.

  • The XWF_ShouldStop function now does not only check whether the user wishes to abort lengthy operations, it also helps to keep the GUI responsive when the X-Tension is not executed in a separate worker thread. Calling this function regularly will process mouse and keyboard input, allow the windows to redraw etc. The user realizes that the application is not hanging, and potential attempts of the user to close the progress indicator window will be noticed. Even if you ignore the result of this function call during lengthy operations conducted by your X-Tension, you are doing something good already by making the calls in the first place.

  • The X-Tension function XWF_CreateEvObj can now add multiple image files to the case with a single function call.

  • New X-Tensions API function XWF_GetHashSetAssocs. Retrieves the name(s) of the hash set(s) that the specified file is associated with.

Keyboard Shortcuts

  • It is now possible to define up to 20 custom keyboard shortcuts for commands in the directory browser context menu and elsewhere, in a dialog window that can be accessed from within Options | Directory Browser. Currently available only in X-Ways Forensics. Shortcuts are meant to increase your productivity while using the functionality that you need most often. Only key combinations that involve the keys Ctrl, Alt Gr, Shift and Space are supported. Please note that if you use the Space key for any keyboard shortcut, you cannot use it any more to tag or untag items. The second key can be relatively freely defined by just pressing it when the grayed out edit box has the input focus. In case no human-readable description of the selected key is provided and you later forget what key you had defined, you can check out this list of hexadecimal key codes: https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx

    The following ~80 directory browser menu command codes can theoretically be used (not all tested) and have to be entered as a number:

    9800: View with external viewer program #1
    9801: View with external viewer program #2
    9802: View with external viewer program #3
    ...
    9831: View with external viewer program #32

    9919: Define file type
    9920: Go to related file
    9921: Refine volume snapshot for selected files
    9927: Run X-Tension on selected files
    9928: Attach external file
    9931: Edit metadata
    9932: See this file in its directory
    9933: See this file from volume root
    9934: Find parent object
    9935: Logical search within selected files
    9937: Attach external directory
    9938: Erase securely
    9939: Leave search hit list for specific directory
    9940: Delete duplicate search hits in list
    9941: Select excluded items
    9942: Edit comment
    9944: Include
    9945: Select tagged items
    9946: Exclude all except tagged items
    9947: Hide tagged items
    9948: Add to evidence file container OR skeleton image if active in the background
    9949: Resize search hit
    9950: Convert search hit to carved file
    9951: Resize carved and virtual files
    9952: Assign search hit to other search term
    9953: Extract consecutive video frames
    9954: Include search hit in report
    9955: Mount as drive letter (makes sense only if a directory is selected, and only one)
    9956: Watch with preferred video player
    9957: View with preferred HTML viewer
    9958: View with preferred text editor
    9959: Execute/open in associated external program
    9960: Select viewed items
    9961: View with to-be-selected external program
    9962: Remove duplicates based on hash
    9963: Seek item based on int. ID
    9964: Sort by relevance
    9965: Print
    9966: Seek item based on list item number
    9967: Sort by nothing
    9968: Select all
    9969: Filter by the selected file's hash value (to find duplicates)
    9971: Explore
    9972: Mark search hit as notable
    9973: Open
    9974: Navigate to defining data structure
    9975: Export list
    9976: List clusters
    9977: Recover/copy
    9978: Explore/view
    9979: Invert selection
    9980: Include in hash database

    You will notice a few suspicious gaps between the incrementing numbers. The missing numbers are either unassigned, discouraged from being invoked, or simply don't make much sense to define for a keyboard shortcut. As an example of the latter, 9929 deletes selected search hits or events, something that can of course already be accomplished by pressing the Del key. This information should reduce your urge to randomly try numbers not listed here, although who knows whether one undocumented number may trigger a secret "Find all evidence" command.

    Please note that even without defining any such keyboard shortcut you can reach all directory browser context menu commands purely with the keyboard by pressing the context menu key (usually found between the right-hand Windows key and the right-hand Ctrl key). Some menu commands already have a predefined keyboard shortcut. For example, the Enter key is the same as a double click (either View or Explore, depending on your settings). The multiplication key of the numeric keypad triggers the Explore command. Del means Exclude. Ctrl+Del resets files to the "still to be processed by volume snapshot refinement" state and undoes some refinement operations. Ctrl+Shift+Del removes hash set matches, hash category, and PhotoDNA categorization. Ctrl+Caps Lock+Del removes the "file contents unknown" flag from a file. (Useful, for example, if X-Ways Forensics marked files that way because of temporary I/O problems although the files can generally be read just fine.) Ctrl+C copies the selected items into the clipboard using special settings of the Export List dialog window.

    The user-defined keyboard shortcuts should be able to invoke practically all commands from the main menu as well, even when parts of the user interface other than the directory browser have the input focus. If the command code of a menu command changes in a future version, X-Ways Forensics will ensure that any keyboard shortcut targeting that code automatically becomes inactive, to prevent accidental misuse. To find out the command codes of commands in the main menu (also called IDs of menu items), you can open the main executable file in a so-called resource editor and have a look at the menu resource in your preferred language. A highly recommendable light-weight example of such a tool is "Pelles C for Windows", which also happens to be a fine C compiler and complete development kit suitable for creating X-Tensions. Keyboard shortcuts for main menu commands should be less important than for directory browser context menu commands, because the main menu already has many dedicated keyboard shortcuts predefined, and even commands without one can be reached without taking one's hands off the keyboard, starting with the Alt key. To give you some ideas about useful applications, FYI the command code to toggle between recursive and non-recursive exploration is 122, and the command code to take a new volume snapshot is 109.

    Command codes defined for filters
    (The order is the historical order in which filters were introduced.)

    9700: Name
    9701: Type
    9702: Type status
    9703: Category
    9704: Size
    9705: Path
    9706: Sender
    9707: Recipients
    9708: Timestamp
    9709: Attr
    9710: Hash 1
    9711: Hash set
    9712: Hash category
    9713: Report table
    9714: Comment
    9715: Metadata
    9716: Analysis
    9717: Pixels
    9718: Int. ID
    9719: Unique ID
    9720: Search terms
    9721: Owner
    9722: Parent name
    9723: Child objects
    9724: ID
    9725: Author
    9726: Search hit description
    9727: Event timestamp
    9728: Event type
    9729: Event description
    9730: Search hit
    9731: First sector
    9732: Description
    9733: Hash 2
    9734: Full path
    9735: Flex filter 1
    9736: Flex filter 2

    Command codes for the Mode buttons and related buttons

    122: Toggle recursive exploration
    138: Access button popup menu
    172: Toggle Directory Browser
    186: Toggle Position Manager
    223: Toggle Search Hit List
    224: Toggle Event Hit List
    225: Disk/Partition/Volume/Container mode
    226: File mode
    227: Preview mode
    228: Details mode
    229: Gallery mode
    230: Calendar mode
    231: Legend mode
    232: Sync mode
    249: Raw preview mode
    250: Viewer X-Tension preview mode

Automation

  • New command line parameter "Cfg:", which determines the name of the configuration file from which X-Ways Forensics reads during start-up and to which it writes when terminating, for situations in which you need to use an alternative configuration (not the one stored in the main WinHex.cfg file). This is useful, for example, if automated processing needs different settings than manual execution, such as specific volume snapshot refinement operations being selected, or to avoid the prompt asking whether a second instance should be started. Such a parameter looks like "Cfg:My other settings.cfg". The quotation marks are required only if the name contains spaces. The maximum length of the name is 31 characters. Only ANSI/ASCII characters are currently supported.

  • Text in message boxes that usually needs to be clicked away by the user is now redirected to the Messages window while the command line parameters "AddImage" and "RVS" are processed. Dialog boxes, if any, still pop up normally.

  • The command line parameter AddImage can now be used to add multiple image files to the case at the same time, with an asterisk in the filename, such as "AddImage:Z:\My Images\*.e01".

  • The "AddImage" command line parameter now supports optional sub-parameters to force interpretation of an image as either a physical, partitioned medium (P) or a logical volume (V) and to force interpretation with a certain sector size, where the sector size is optional, e.g.

    AddImage:#P#Z:\Images\*.dd
    AddImage:#P,4096#Z:\Images\*.dd

    If you do not specify these sub-parameters, a dialog window might pop up to ask the user for this input, but only in some very rare cases: only if 1) it is not obvious to X-Ways Forensics from the data in the first few sectors what kind of image it is, 2) the image was not created by X-Ways Forensics or X-Ways Imager, and 3) the image is in raw format. Only if all three conditions are met at the same time and you do not specify the sub-parameters will the dialog window pop up and interrupt automatic processing.

User Interface

  • Dedicated icon for evidence file containers in the Case Data window.

  • Larger font in the text column display for UTF-16 for better readability, especially of Chinese characters.

  • Avoided some rare graphical artifacts in the text column display for code pages with a variable number of bytes per character.

  • Text representations of dialog windows now by default omit unselected list box items and unchecked check boxes and radio buttons. This is a new option in the special menu that you get when you click the small unlabeled button in the upper left corner of a dialog window. It also affects the textual summary of active filters.

  • The Info window is now called Output window, as that more precisely describes its purpose. And it now gets its own screen coordinates and a centered position initially, and its coordinates are remembered separately from those of the Messages window, as otherwise some users seem to completely overlook that window, and they even contact us when they don't see the output that they expect, although it's visible on their screens.

  • New menu command available to collapse the entire case tree when right-clicking the case title.

  • Carved files are now identified as such not only by the Description column, but also by their icons, with by default either a stylized C (Windows 7) or a hammer (Windows 10, unavailable in Windows 7). The exact character can be entered in the Options | Notation dialog. Hopefully that way some users will no longer find it necessary to name all carved files with a prefix like "Carved_".

  • The information that a file was originally a carved file is now preserved in evidence file containers and shown in the Description column and icon even for files within containers.

  • The special file icon for pictures now by default no longer gets symbols like question marks, arrows, scissors, hammers, etc. superimposed, which is easier on the eye. You can still tell the exact deletion status from the Description column, and the rough deletion/existence status is still obvious from the contrast of the icon. However, if the box for this option is half checked, the icon is displayed as in previous versions, with full details.

  • The command to view the selected file with a selected external program now invokes the standard Windows dialog to pick such a program.

  • Whether the viewer component or the internal graphics viewing library should be used for pictures is now remembered by X-Ways Forensics separately for Preview mode and the View command. For the View command the behavior can be changed in Options | Viewer Programs.

  • When viewing multiple pictures at the same time with the View command and the internal graphics viewing library is not allowed, a new "Auto update" option is available in Options | Viewer Programs, which refreshes the View window for a picture immediately when a new picture is selected in the directory browser, one way or the other, for example with a single mouse click or when advancing to the next file after defining a report table association. This behavior was previously limited to the arrow keys in the gallery. It should be useful mainly for work with multiple monitors.

  • Italian translation updated.

Miscellaneous

  • FlexFilters are now optionally case-sensitive. Case-sensitive operations are always faster and should be used for performance reasons unless you require otherwise.

  • Category pop-up menu statistics are retained when activating the filter.

  • The blue funnel symbol on both sides of the caption line of the directory browser is now always present when filters are active, even if the filters do not actually filter out any items.

  • Byte-wise checksum computation for multi-byte accumulators, as was standard in v18.9 and earlier, is now an option in Options | Security. The newer variant computes multi-byte checksums by adding units equal in size to the accumulator itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real-life applications.
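    The two checksum variants described above, as an added example (not X-Ways code): both feed the same bytes into a fixed-width accumulator, but the byte-wise variant adds single bytes while the unit-wise variant adds accumulator-sized words, so the results differ for any width above 1. The little-endian reading of units and the zero-padding of a trailing partial unit are assumptions; the page does not say how X-Ways handles either.

```python
"""Additive checksums into a multi-byte accumulator, computed both ways.

Added example, not X-Ways code. Assumptions: units are read little-endian
(a big-endian reading is offered as well) and a trailing partial unit is
zero-padded; the newsletter does not document how X-Ways treats either point.
"""


def _mask(width: int) -> int:
    """Bit mask of a width-byte accumulator (1, 2, 4 or 8 bytes)."""
    if width not in (1, 2, 4, 8):
        raise ValueError("accumulator width must be 1, 2, 4 or 8 bytes")
    return (1 << (8 * width)) - 1


def checksum_bytewise(data: bytes, width: int) -> int:
    """Older variant (v18.9 and earlier): add every single byte into the accumulator."""
    mask = _mask(width)
    acc = 0
    for b in data:
        acc = (acc + b) & mask  # wrap around like a fixed-width register
    return acc


def checksum_unitwise(data: bytes, width: int, byteorder: str = "little") -> int:
    """Newer variant: add units as wide as the accumulator, e.g. 4 bytes for 32 bits."""
    mask = _mask(width)
    padded = data + bytes(-len(data) % width)  # assumption: zero-pad a partial last unit
    acc = 0
    for i in range(0, len(padded), width):
        acc = (acc + int.from_bytes(padded[i:i + width], byteorder)) & mask
    return acc


def matching_variants(data: bytes, stored: int, width: int) -> list:
    """Return the names of the variants that reproduce a checksum stored in a file.

    Knowing which variant an application used tells you which option to select
    in Options | Security before treating a mismatch as evidence of tampering.
    """
    found = []
    if checksum_bytewise(data, width) == stored:
        found.append("bytewise")
    for order in ("little", "big"):
        if checksum_unitwise(data, width, order) == stored:
            found.append("unitwise-" + order)
    return found


if __name__ == "__main__":
    sample = bytes([1, 2, 3, 4])  # constructed input
    print(checksum_bytewise(sample, 4))                # 10
    print(hex(checksum_unitwise(sample, 4)))           # 0x4030201
    print(matching_variants(sample, 0x04030201, 4))    # ['unitwise-little']
```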

  • Recover/Copy: Ability to specify the name of the log file if the file is created in the output directory. Useful if you run multiple Recover/Copy operations specifically for different purposes, to produce one separate log file for each output.

  • Export List: The search hit context size units are now correctly designated as characters instead of bytes.

  • Ability to open spanned LVM2 volumes if the other disk is missing. Available data will be incomplete, but potentially still very helpful.

  • Ability to open an evidence object that is a directory even if that directory does not exist any more, to be able to at least check out the volume snapshot again, using the command "Open (without disk/image)".

  • We are pleasantly surprised that you are reading every single bullet point. Thank you very much for your time.

  • Option to unload the hash database if loaded at the moment when all data windows are closed (the moment when the last open data window is closed), to save main memory or to specifically allow other concurrent users or instances to change the hash database.

  • Ability to set the alternative name of a file by holding the Shift key when renaming it (at the moment when clicking the OK button).

  • The Technical Details Report now has an option to show a byte-swapped version of hard disk serial numbers in addition to the serial number reported through the operating system, when in doubt. Some users of certain interfering hardware write blockers may find that useful.

  • More complete representation of the logical memory address space of 64-bit processes.

  • More tolerant to corruption in internal metadata storage files.

  • Many minor improvements.

  • User manual and program help updated for v19.3.


Changes of service releases of v19.2

  • SR-1: Fixed inability of v19.2 to remember the default volume snapshot refinement operations when run from the command line.

  • SR-1: Fixed inability of v19.2 to uncover embedded data from selected files.

  • SR-1: Fixed inability of v19.2 to take volume snapshots of drive letters without sector level access.

  • SR-1: Metadata extraction from certain irregular DOCX files supported.

  • SR-1: Improved internal handling of FlexFilters.

  • SR-2: Now able again to cope with .e01 evidence files that are incorrectly marked as images or physical disks by 3rd party software although they are just volume images.

  • SR-2: Fixed incorrect extraction of attachments encoded by Gmail found in MBOX archives and loose EML files.

  • SR-2: Fixed a cause of instability when the "Search in directory browser cells (metadata)" option was used for the Simultaneous Search.

  • SR-2: Fixed a rare exception error that could occur when extracting metadata from certain corrupt Zip-styled Office document files.

  • SR-2: The option to show non-picture files in the gallery is now represented by a three-state check box. If half checked, only those non-picture files will be represented as thumbnails in the gallery whose type can be confirmed or newly identified by X-Ways Forensics. That means that files of unknown types and garbage files will not be represented in the gallery any more. This will speed up the gallery, reduce the number of thumbnails with just ASCII character gibberish in them, and perhaps most importantly prevent an error in the viewer component from occurring, which exhausts the pool of available GDI objects (handles in the graphics device interface of Windows) in the process and leads to graphical screen artifacts, loss of functionality or even crashes. So far only files with garbage data are known to trigger this error. The error is probably very rarely encountered when specifically viewing or previewing individual files only, but when reviewing large amounts of non-picture files in the gallery it becomes more likely to occur. The error is known to Oracle as bug #25430258. No fix has been made available yet.

  • SR-2: Images stored in nested subdirectories of the case directory instead of directly in the case directory are now also found immediately even if drive letter or absolute path of the case have changed.

  • SR-2: Chinese translation of the user interface updated.

  • SR-3: The time out for the generation of thumbnails of non-picture files in the gallery is now the same user-defined value as previously used only for pictures that are loaded by the internal graphics viewing library. It can be adjusted in Options | Viewer Programs. A smaller value may result in a faster display of the gallery, but at the cost of interrupting the loading process of the viewer component for some files, in which case the gallery tile shows "Error - operation cancelled".

  • SR-3: v19.2 SR-2 did not properly execute external viewer programs. That was fixed.

  • SR-3: Videos are now again represented in the case report by their first extracted still as a thumbnail.

  • SR-3: If the output of the Compare function was a text file and the comparison start offsets in the two data windows were different, the second offset reported for a found difference was off. That was fixed.

  • SR-3: Fixed a problem in LVM2 support.

  • SR-3: Fixed a rare exception error that could occur when producing a registry report based on Reg Report Free Space.txt.

  • SR-3: Prevented rejection of certain ProjectVic JSON files for PhotoDNA import.

  • SR-4: Ability to show gallery tiles with rotating still images for processed videos in situations in which that did not work previously.

  • SR-4: Prevented a situation where the category statistics in the Category column's pop-up menu filter could be that of another data window.

  • SR-4: Fixed inability of v19.2 to take a volume snapshot of a directory with a network path (UNC path).

  • SR-4: The Exif metadata field formerly officially called "Date taken" is now called "Content modified" in X-Ways Forensics.

  • SR-4: A relative path for the PhotoDNA hash database is now supported and preserved in Options | General.

  • SR-4: Fixed slightly corrupted presentation of e-mail attachments in some specific situations (e.g. Facebook e-mail received via Hotmail).

  • SR-4: Run counts from Windows 10 Prefetch files, while shown correctly in Preview mode, were not extracted correctly into the Metadata column. That was fixed.

  • SR-5: If original pictures were not included in the case report, but thumbnails of pictures were supposed to be output, those thumbnails were not generated for very small pictures. That was fixed.

  • SR-5: Under certain circumstances the detection of scanned images/PDF documents failed. That was fixed.

  • SR-5: The whole words only option of the Simultaneous Search is no longer applied to search hits that are not words according to the user's selected alphabet definition (checking only the first and the last character in the hit). However, the GREP word boundary indicator \b is still applied in such a case, for example to be able to search for certain data in between words, data that is not considered a word itself.

  • SR-6: The volume snapshot refinement option of v19.1 and later to omit files deemed irrelevant by the hash database also omitted known uncategorized files if they were identified as such only by a previous refinement run, with no re-matching. That was fixed.

  • SR-6: Fixed the incorrect size of a few carved files and avoided output of some irrelevant/damaged OLE2 objects.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde

 

#154: X-Ways Forensics, X-Ways Investigator, WinHex 19.2 released

Mar 27, 2017

This mailing is to announce the release of another notable update with many important improvements, v19.2.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.


Upcoming Training

Mar 27-28 Victoria, BC X-Ways Forensics II
Apr 11-12 London, England X-Ways Forensics II
Apr 19-21 Washington DC area X-Ways Forensics II, XFS
May 9-12 New York City X-Ways Forensics
May 15-19 Boston, MA X-Ways Forensics, NTFS/XWFS2
Jul 3-6 London, England X-Ways Forensics
Oct 23-27 Toronto, ON X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


X-Tensions

  • KPF by Jedson Technologies. Picture and video categorization previously known as C4All. The X-Ways KPF version is the original C4All X-Tension; it does everything the original C4All did and more (but six times faster), and is free. Other versions exist that produce output in JSON/ProjectVic, XML, or other formats. Presentation at Techno Security & Digital Forensics conference.

  • NEW XT_RAW by Kuiper Forensics. Detects and converts many digital camera RAW formats within X-Ways Forensics.

  • Beyond Compare X-Tension by Chad Gough. Select any two files in X-Ways and quickly send them to Beyond Compare for review.

  • VirusTotal X-Tension by Chad Gough. Check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the Messages window.

  • Binary Large Objects by Christopher Lees. Extracts Binary Large Object (BLOB) data from Sqlite databases.

  • Multiple File Finder by Werner Rumpeltesz. Search for filenames and/or path names and add the matching files to a specific report table.

  • Luhn Credit Card Check by X-Ways Software Technology AG. 32-bit, 64-bit. For use during GREP searches for credit card numbers. Discards false hits based on the Luhn algorithm.

For more information about publicly available X-Tensions known to us please check here. Please get in touch if you have something to contribute. Thank you!

X-Tensions API

  • Disk I/O X-Tensions can now not only intercept sector-wise I/O at the disk level (for example to decrypt encrypted disks or partitions on the fly and make X-Ways Forensics see the decrypted data), but can also intercept I/O at the file level (for example to decrypt encrypted files). The new function to export for that purpose is XT_FileIO. For details please see http://www.x-ways.net/forensics/x-tensions/XWF_functions.html#A.

  • A new X-Tension API function named XWF_FindItem1 allows you to conveniently find out the internal ID of a file with a given name in a given directory.


What's new in v19.2?
(please note that most changes apply to X-Ways Forensics only)

File Type Support

  • Files encrypted in Zip, RAR, and 7z file archives can now also be decompressed and processed, provided that the password is known or can be guessed. X-Ways Forensics will try any password listed in either the password collection of the current case or a general password collection. You can edit the password list right from within the dialog window with the options for archive processing. The case-specific password collection can also be edited from within the case properties, and it is stored as a UTF-16 encoded text file in the case directory, named "Passwords.txt". The general password collection is stored in a file of the same name in the installation directory or in your Windows user profile directory. Almost all Unicode characters are supported, including space characters and Chinese characters etc. Remember that passwords are usually case-sensitive.

    If the collection contains the right password for a particular file archive, that password will be remembered in that file's extracted metadata and taken directly from there instead of the case's password collection if needed again later to read files in the archive. Alternatively, you can provide a specific password for a particular file archive manually and directly by editing that file's metadata; you just need to know that the password must be prepended with "Password: ". (Note to French users: No space before the colon.) Files within encrypted file archives are not treated and shown as encrypted ("e" attribute) if the right password was available at the moment when the files were added to the volume snapshot. The archives themselves are still shown with the "e!" attribute. RAR archives and 7zip archives in which not only the file contents, but also the names are encrypted are not currently supported.

  • Support for iOS's sms.db. All recorded conversations via SMS are extracted to individual chat files. All messages are added to the event database, where they can be filtered based on phone number or email address.
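    An added example (not X-Ways code) of the sms.db processing described in the bullet above: messages are joined to their counterpart (phone number or e-mail address), grouped into one conversation per counterpart, and flattened into event records that can be filtered by that address. Only a small subset of the real sms.db schema (the "handle" and "message" tables, built in memory as constructed sample data) is modelled; the treatment of the "date" column as seconds since 2001-01-01 in older iOS versions and nanoseconds in newer ones, told apart by magnitude, is an assumption made for this example.

```python
"""Extract SMS conversations and events from an iOS sms.db.

Added example, not X-Ways code. Assumptions: only the core columns of the real
"handle" and "message" tables are modelled; "date" is seconds since 2001-01-01 UTC
(older iOS) or nanoseconds (newer iOS), distinguished here purely by magnitude.
"""
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(value: int) -> datetime:
    """Convert an sms.db 'date' value to a UTC datetime, accepting seconds or nanoseconds."""
    if abs(value) >= 10**11:  # far beyond any plausible seconds value: treat as nanoseconds
        value = value / 10**9
    return APPLE_EPOCH + timedelta(seconds=value)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database; a real sms.db has many more tables and columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT NOT NULL);
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
            date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15551234567'), (2, 'jane@example.com');
        INSERT INTO message VALUES
            (1, 'Meet at 9?', 1, 86400, 0),
            (2, 'Sure', 1, 90000, 1),
            (3, 'Report attached', 2, 100000000000000, 0);
    """)
    return conn


def load_messages(conn: sqlite3.Connection) -> list:
    """Join each message to its counterpart address and normalise the timestamp."""
    rows = conn.execute("""
        SELECT m.ROWID, h.id, m.date, m.is_from_me, m.text
        FROM message m JOIN handle h ON h.ROWID = m.handle_id""")
    msgs = [{"rowid": r[0], "address": r[1], "time": apple_time_to_utc(r[2]),
             "from_me": bool(r[3]), "text": r[4] or ""} for r in rows]
    msgs.sort(key=lambda m: m["time"])  # sort on converted time, not on mixed raw units
    return msgs


def conversations(messages: list) -> dict:
    """Group messages per counterpart: one chat per phone number or e-mail address."""
    by_address = defaultdict(list)
    for m in messages:
        by_address[m["address"]].append(m)
    return dict(by_address)


def render_chat(address: str, msgs: list) -> str:
    """Text form of one conversation, as it could be written to an individual chat file."""
    lines = [f"Conversation with {address}"]
    for m in msgs:
        direction = "me -> them" if m["from_me"] else "them -> me"
        lines.append(f"{m['time'].isoformat()}  {direction}: {m['text']}")
    return "\n".join(lines)


def events(messages: list) -> list:
    """Flatten messages into (timestamp, event type, address, text) event records."""
    return [(m["time"], "SMS sent" if m["from_me"] else "SMS received",
             m["address"], m["text"]) for m in messages]


def filter_events(evs: list, address: str) -> list:
    """Keep only events involving the given phone number or e-mail address."""
    return [e for e in evs if e[2] == address]


if __name__ == "__main__":
    msgs = load_messages(build_sample_db())
    for address, chat in conversations(msgs).items():
        print(render_chat(address, chat), end="\n\n")
    for e in filter_events(events(msgs), "jane@example.com"):
        print(e)
```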

  • Metadata extraction from Quicktime video files revised. In particular, geo data is extracted from current iPhone .mov files.

  • Improved support for East Asian regional code pages with variable-length character encoding for use in complex GREP expressions such as negated character sets.

  • Extraction of metadata from JPEG files improved. More metadata presented for JPEG files in Details mode.

  • Trailing data in JPEG files is now provided as a separate child object.

  • Special support for Samsung Galaxy S6 and S7 JPEG metadata, which among other things contain the creation date with a precision of 1 ms.

  • Generator signatures further revised.

  • File type verification further improved.

  • Type group designations are now displayed along with the type description in the "Type description" column.

  • A few file type designations were assigned to multiple categories previously. That was tidied up.

  • Updated file mask for uncovering embedded data.

  • Files can now be extracted from e-mail related MIM archives as part of e-mail processing.

  • Import support for PhotoDNA hash values in hex ASCII notation in ProjectVic JSON files.

Disk Support

  • Linux software RAIDs: Ability to recognize MD RAID container partitions as such. They are represented as two distinct items: A static header area that contains metadata about the RAID (usually at relative offset 4096), and an explorable partition that serves as a RAID component. In case of RAID level 1 that explorable partition contains a fully self-contained volume whose file system can be parsed normally (without any reconstruction effort) if supported. In case of other RAID levels, the reconstruction can be accomplished with the Specialist | Reconstruct RAID command, and some hints on the correct reconstruction parameters are shown as comments attached to the header area item. The result of the reconstruction will be a single volume, which is represented as encompassed in a virtual physical disk. The RAID components have to remain in the case as evidence objects for internal reasons, to allow the reconstructed RAID to be re-opened with a single mouse click later.

  • Terminology: What was formerly designated as the stripe size is now correctly referred to as the strip size. The stripe size is the strip size multiplied by the number of RAID component disks, i.e. a whole row.

  • Sector superimposition used to affect specifically the disk/partition/volume represented by the data window to which it was applied. From now on, it also has an effect on partitions opened from within a physical, partitioned disk to which sector superimposition was applied.

  • Ability to recognize Windows storage pool container partitions as such.

  • Ability to properly open partitions whose sector size is a multiple of the sector size of the underlying physical disk. This is important for example for Windows storage space partitions in Windows storage space pool disks. These partitions and disks have a simulated sector size of 4 KB even if they reside on physical disks with a sector size of 512 bytes.

  • The search for lost partitions now finds NTFS storage space partitions within storage space container partitions despite sector size discrepancies. The search for lost partitions is a useful work-around to find and properly parse the actual payload partition in simple single-disk Windows storage spaces.

  • GPT partition names are now shown in the Name column as alternative names and should be helpful when examining Android phone images containing large numbers of partitions, revealing their respective functions.

  • Technical details report slightly more complete now with partition names as per GUID partition tables.

  • Structure of Access button menu improved for partitioned disks. (Access button is the official name of the button with the white arrow, below the Sync button.)

Usability

  • When clicking the link to an attachment from within the alternative e-mail preview, this now triggers the same action as if that file had been viewed from within the directory browser. That means that 1) it will be marked as already viewed, 2) depending on your preferences, if it's a picture, it will be either presented by the viewer component or the internal graphics display library, and 3) depending on your other viewer settings the file may be opened in an external program, for example if it is a video file.

  • In replace mode for report table associations, the currently associated report tables are now automatically preselected, so that it's less work and less error-prone to remove or add one report table specifically.

  • The case directory is the directory that has the same name as the .xfc case filename just without the extension. It is a subdirectory of the cases directory. There is now special support for the case directory as an image storage location. If images are moved to the case directory first and then added to the case or if the path of an existing image in the case is changed to that in the case directory with the "Replace with New Image" command, these images will be referenced internally without path, and thus the image can always be found instantly even if the case is moved to a different directory or if the drive letter changes. A case that has all images in its own directory can be considered fully self-contained. References to images in the case directory without path are understood by v19.0 SR-14, v19.1 SR-7, and v19.2.

  • Changing the display time zone for an evidence object that is a partitioned, physical disk now automatically also changes the display time zone for all its partitions (dependent evidence objects).

Filters

  • A new filter concept was introduced, called FlexFilters. Two such filters are available in WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. They can target any column in the ordinary directory browser (i.e. not search hit list or event list specific columns) that the user wishes to focus on, with an arbitrary number of substrings, and they can be combined with a logical OR or a logical AND. So this makes them the only filters that can be combined with one another with a logical OR.

    For example, these new filters are useful if you wish to target files that were created or modified not in a particular contiguous period of time, but generally on certain weekdays or on weekends, i.e. where either of these columns contains the word "Saturday" or "Sunday" in the long date notation format. They are also useful whenever the column-specific column filter does not give you as many options as you need (e.g. for Author, Sender, Recipients you can currently only enter one name or address or substring, and with the Description filter you cannot currently specifically target additional hard links that are optionally omitted from certain operations).

    The color that indicates that a FlexFilter is active is violet instead of blue, so that it can be better distinguished from a regular column filter. Both FlexFilters come with a NOT option, and they may also target the same column, so that you can achieve results like "show all e-mail messages sent with the name John Doe in the sender field where the sender field does NOT contain the domain name company.com".

  • Right-clicking a column header in the directory browser now quickly activates or deactivates that column's filter without showing the settings dialog window, just like when left-clicking the filter icon with the Shift key pressed.

  • Ability to output a textual summary of all currently active filters with their settings, by right-clicking the blue funnel symbol on the left or right end of the caption line of the directory browser.

Volume Snapshot Refinement

  • Indexing is now permitted as a sub-operation of a volume snapshot refinement run with multiple threads, though it is not further parallelized itself when multiple refinement threads are active.

  • Previous hash set matches for all files in a volume snapshot are not completely discarded any more when re-matching only selected or tagged files. Now only previous matches for those particular files are discarded.

  • A new option allows to restrict picture loading to just 1 worker thread at a time, with a new check box next to "Picture analysis and processing", either strictly (fully checked) or not so strictly (half checked). Please give this option a try if you experience exception errors or crashes when multiple pictures are processed simultaneously.

  • Outputs a file named ResIL.log in case of certain instability problems with picture processing for debugging purposes.

Viewer Component

  • On Jan 17, 2017, Oracle released a security patch update from Dec 12, 2016 for v8.5.3 of the viewer component. The updated version is downloadable from our web site since Jan 18, 2017. It is probably recommendable for security reasons. A list of bugs fixed was not made available. Two DLLs were updated: dewp.dll and vspdf.dll. They are probably responsible for word processing documents and PDF files.

Miscellaneous

  • When taking a volume snapshot without sector level access, e.g. of a remote network drive or a directory or a local drive letter without administrator rights, overlong paths are now supported, up to ~1000 characters long.

  • The most essential functions in X-Ways Forensics are now able to open files with overlong file paths up to ~1000 characters long (File mode, Preview mode, volume snapshot refinement, logical search).

  • Slightly improved support for 4-digit 0-based filename extensions of segmented raw images.

  • Thumbnails can now be created for and shown in the case report even when not copying and linking the original files.

  • A notification sound is now output to alert the user when a simple linear search for a single match finds that match while the program is running in the background.

  • Many minor improvements.

  • User manual and program help updated for v19.2.


Changes of service releases of v19.1

  • SR-1: Some commands in the directory browser context menu in v19.1 did not always appear as they should have appeared. That was fixed.

  • SR-1: An exception error that could occur in v19.1 when hashing files should no longer occur now.

  • SR-1: The JPEG quality detection now also works for rotated JPEGs.

  • SR-2: Computing hash values and matching them against hash databases was not done repeatedly in the original v19.1 release. Now it is done repeatedly again, and that operation is now officially documented as one of the operations that will be applied repeatedly to the same files in a volume snapshot, the only other exception being indexing.

  • SR-2: Many descriptions for registry events were not output to the event list. That was changed. This improvement will also be applied to v19.0 SR-13.

  • SR-3: Prevented a rare infinite loop with certain previously existing EVTX files that are incompletely defined in volume shadow copies.

  • SR-3: Prevented a rare infinite loop when carving OLE2 compound files.

  • SR-3: Australia Adelaide time zone definition updated.

  • SR-3: Prevented a rare error with corruption of decoded textual data when running a logical search with multiple worker threads.

  • SR-3: The representation of search hits in the search hit list is now based on the code page of the search hit in certain situations where previously it was not. Improved code page based context preview specifically for search hits in ISO-2022 code pages, where the search hits and their surroundings may or may not be prepended directly with a suitable escape sequence and may or may not be just ordinary ASCII text.

  • SR-4: Support for one previously unsupported component of the PIDL data structure in OpenSavePidlMRU items in the Windows Registry.

  • SR-4: Fixed a stability problem in the Registry Viewer.

  • SR-4: Index searches for two words that are delimited by a space were unsuccessful in certain files. That was fixed.

  • SR-4: Some sent e-mails extracted from PST archives were presented with erroneously inserted header lines. That error in the extraction process was fixed.

  • SR-4: Fixed an exception error that could occur in v19.1 when selecting files, events or search hits in the Case Root window.

  • SR-5: Fixed potential hanging during XViD metadata extraction.

  • SR-5: Prevented an exception error that could occur at the end of indexing when not even a single word was found to index.

  • SR-5: Fixed inability to read files representing uncovered data embedded in HFS+-compressed files.

  • SR-5: Fixed an error in the Registry Viewer search.

  • SR-6: Certain currently unsupported file system level compression styles in HFS+ volumes are now recognized as such, and the affected files will be shown with their correct file size and "only metadata available" in the description.

  • SR-6: Fixed an exception error that occurred with template variables within loops if their names were longer than 30 characters.

  • SR-6: Since v17.3, files with child objects and an unknown hard-link count were potentially included in evidence file containers multiple times. That was fixed.

  • SR-6: Page count of some special PDF documents now reported correctly.

  • SR-7: Fixed an exception error that occurred in the X-Tension API function XWF_CreateEvObj if the case was still empty.

  • SR-7: Gallery scroll position is reset when the directory browser is re-filled.

  • SR-7: Uninitialized areas of NTFS-compressed files no longer have an undefined status, but are now presented with the data as stored on the disk, just as with ordinary (not compressed) files.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany

 

#153: X-Ways Forensics, X-Ways Investigator, WinHex 19.1 released

Jan 19, 2017

This mailing is to announce the release of another notable update with many important improvements, v19.1.

WinHex evaluation version: http://www.x-ways.net/winhex.zip (also the correct download link for anyone with a personal, professional, or specialist license)

Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their update maintenance, etc. Those customers whose update maintenance or license has expired can receive upgrade/renewal offers from there.

NEW: If when querying your licenses you do not receive any e-mail message at your work address because your organization is blocking the sending server, you now have the option (here) to get the e-mails sent from an alternative server (different domain, different IP address), for a second chance to actually receive something.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active update maintenance) can subscribe to them, too, by creating a forum profile.

Please note that if you wish to stick with an older version for a while, you should use the last service release of that version. Errors in older releases of the same version may have been fixed already and should not be reported any more.


Upcoming Training

Jan 27 Miami, FL NTFS/XWFS2
Feb 13-16 London, England X-Ways Forensics
Feb 20-23 London, England X-Ways Forensics
Feb 27-Mar 2 Ottawa, ON X-Ways Forensics
Mar 13-16 London, England X-Ways Forensics
Mar 21-28 Victoria, BC X-Ways Forensics, X-Ways Forensics II
Apr 11-12 London, England X-Ways Forensics II
Apr 19-21 Washington DC area X-Ways Forensics II, XFS
May 9-12 New York City X-Ways Forensics
May 15-19 Boston, MA X-Ways Forensics, NTFS/XWFS2

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.


What's new in v19.1?
(please note that most changes apply to X-Ways Forensics only)

File Type Support

  • Support for Google's Chrome sync database, where information can be found that is synchronized across devices, such as bookmarks, form history, typed URLs, synced devices and much more. A preview HTML file is generated, and events are output to the event list.

  • Ability to view upside-down Bitmap pictures with the internal graphics display library and in the gallery. (To see them flipped vertically, you currently have to view them with the viewer component, though.)

  • TAR archive processing revised.

  • Fixed inability to process BZ2 archives.

  • More reliable detection of pictures as screenshots (output as report tables "Screenshot" and "Screenshot?").

  • New report table "Scan" for PDF and JPEG files that contain a scan. The detection is based on generator signatures "PDF/Scan" and "JPEG/Scan".

  • Most JPEG pictures that were transcoded by Facebook and downloaded from Facebook are now identified as such in the Metadata column by their generator signature.

  • PDF metadata extraction improved especially for Acrobat 10 PDF files.

  • Tentative extraction of Exif metadata fields that are damaged in a certain way.

  • Revised metadata extraction for JPEG. ICC profiles are evaluated, including timestamps.

  • New file type signature for .0tx Tobit e-mail defined.

  • Generator signature table further revised.

  • The type status "mismatch detected" now has an effect on the assumed relevance of a file.

  • The relevance of a file now more reliably takes into account whether or not a picture is a screenshot.

  • Improved stability while processing EDB databases. Users of v18.8, v18.9, and v19.0 may replace their copy of the file EDBex.dat with the new version that at first is tentatively included in v19.1 only.

  • Sender and recipients are now also shown for MSG files to which e-mail processing was applied, not only for the extracted .eml file.

File System Support

  • Extended attributes in HFS+ are now optionally included in the volume snapshot as child objects of the files or directories to which they belong (in X-Ways Forensics only) depending on a new 3-state volume snapshot option. If fully checked, extended attributes are presented as child objects even when they have been specially interpreted already by X-Ways Forensics internally. If half checked (default setting in X-Ways Forensics), they are presented as child objects only if they are not specially interpreted by X-Ways Forensics assuming that the user might want to check them out manually.

  • Ability to open files with resident/inline storage in HFS+.

  • Ability to recognize and open compressed files in HFS+.

  • HTML previews are now generated during metadata extraction for the GZ archives that contain Apple FSEvent logs.

  • Event extraction from Apple FSEvent logs.

  • Recognition of new file system level compression style in NTFS under Windows 10.

  • In newly taken volume snapshots, alternate data streams now show hard link counts in the same way as their parents, so that the alternate data streams of additional hard links can be optionally omitted from searches etc.

Disk Imaging

  • The descriptive text file that is generated for images now points out the exact sizes in bytes of all segments of raw images files and the exact chunk counts in all segments of .e01 evidence files. If for whatever reason one or more segments get lost or corrupted, this allows to create artificial placeholder segments of the right capacity to fill in any gaps, such that all the data in subsequent segments will have the correct logical distance from the data in preceding segments, to preserve validity of pointers within the data (partition start sectors in the partition table, cluster numbers in file system data structures) as long as the original image file segments that contain source and destination are available.

  • Ability to conveniently create dummy/makeshift segments for .e01 evidence files that can substitute missing/lost/corrupt original segments, with the File | New command. The user specifies the required chunk size and the number of chunks as well as a filename for the desired segment (must be with the correct extension, identifying the segment number, not number 1). The data written into the chunks is a recurring textual pattern ("MISSING IMAGE FILE SEGMENT!" when running X-Ways Forensics in English), so that you know that you are looking at a gap in between available data when browsing the interpreted combined image later. The idea of such an artificial dummy segment is that if correctly created it can serve as a placeholder that ensures that data in subsequent segments has the correct logical distance from the data in preceding segments. Of course, the hash of the entire image cannot be successfully verified any more if the original data is not present, and of course, this functionality should be used only as a last resort if there is no backup of the missing segment file and if data recovery fails etc., and creation and usage of such a dummy image file segment should be properly documented. (forensic license only)

  • When interpreting an .e01 evidence file that contains dummy segments, you will be notified, and the total number of placeholder chunks are noted in the evidence object properties when the image is added to the case.

  • If you require a placeholder for a single missing segment of which you don't know the chunk size and chunk count because the image was created without the new information in the descriptive text file, this is how to find out: Change the filename extension of the penultimate segment to that of the missing segment so that there is no gap. Then rename the last segment to the now missing penultimate segment. (If the missing segment actually is the penultimate one, the last step is sufficient; if the missing one is the last, no renaming is required at all.) Then add the image (first segment) to a case in X-Ways Forensics as usual. X-Ways Forensics will bring the misnamed segment to your attention in the Messages window, which can be ignored. Check the evidence object properties for the chunk size as well as the expected chunk count and the actually referenced chunk count. Subtract the actually referenced chunk count from the expected chunk count. Now you know how many chunks are missing. Change the filename extension back to what it was before, and then create the missing dummy segment with the correct chunk size, correct chunk count, and correct extension.

    With a variation, this approach also works if multiple consecutive segments are missing: you just rename more available segments to fill the gap in the first step, and you create as many dummy segments as necessary to fill the gap. Which dummy segment exactly contains how many surrogate chunks is not important, as long as the total number of surrogate chunks accounts exactly for the total number of missing chunks. If multiple discontiguous segments are missing, suitable dummy segments can only be created with the new information from the descriptive text file.
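The gap-filling arithmetic from the two bullets above, as an added Python example that is my own and not X-Ways code: it derives the missing chunk count from the expected and actually referenced counts, splits those chunks over a gap of consecutive dummy .e01 segments, and writes a raw-image placeholder of the exact byte size taken from the descriptive text file. Segment names, sizes and chunk counts are constructed.

```python
"""Placeholder segments for segmented forensic images (added example).

This is not X-Ways code. It mirrors the gap-filling logic described above:
a lost segment is replaced by a dummy of exactly the original capacity so
that data in later segments keeps its logical distance from data in earlier
ones. All names, sizes and chunk counts used here are constructed.
"""
import os
import tempfile

# X-Ways fills its .e01 dummies with "MISSING IMAGE FILE SEGMENT!"; the same
# text is used here as filler for raw placeholder segments built by hand.
FILL_PATTERN = b"MISSING IMAGE FILE SEGMENT!"


def missing_chunk_count(expected_chunks, referenced_chunks):
    """Chunks that dummy .e01 segments must supply.

    Both values are read from the evidence object properties after the
    renaming step described above: expected minus actually referenced.
    """
    if referenced_chunks > expected_chunks:
        raise ValueError("referenced chunk count exceeds expected chunk count")
    return expected_chunks - referenced_chunks


def plan_dummy_segments(missing_segment_names, total_missing_chunks):
    """Split the missing chunks over the consecutive dummies of one gap.

    How the surrogate chunks are divided between the dummies does not matter,
    only that their sum equals the number of missing chunks. Chunks are
    spread evenly; the result maps segment file name to chunk count.
    """
    if not missing_segment_names:
        raise ValueError("at least one missing segment name is required")
    base, extra = divmod(total_missing_chunks, len(missing_segment_names))
    plan = {}
    for i, name in enumerate(missing_segment_names):
        plan[name] = base + (1 if i < extra else 0)
    assert sum(plan.values()) == total_missing_chunks
    return plan


def write_raw_placeholder(path, size_bytes, pattern=FILL_PATTERN):
    """Write a raw-image placeholder segment of exactly size_bytes.

    The size comes from the descriptive text file that lists the exact byte
    size of every raw segment. The body is the repeated pattern, so anyone
    browsing the combined image sees at once that the region is a gap and
    not recovered data. The hash of the whole image can no longer verify
    once a placeholder replaces original data. Returns bytes written.
    """
    if size_bytes < 0:
        raise ValueError("size must be non-negative")
    # Write in ~1 MiB blocks whose length is a multiple of the pattern length,
    # so the pattern continues seamlessly across block boundaries.
    block = pattern * max(1, (1 << 20) // len(pattern))
    written = 0
    with open(path, "wb") as fh:
        while written < size_bytes:
            piece = block[: size_bytes - written]
            fh.write(piece)
            written += len(piece)
    return written


def demo_raw_placeholder(size_bytes):
    """Write a placeholder to a temporary file and verify it.

    Returns a dict with the byte count written, whether the on-disk size is
    exact, and whether the content is the uninterrupted repeated pattern.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed.002")  # constructed segment name
        written = write_raw_placeholder(path, size_bytes)
        with open(path, "rb") as fh:
            data = fh.read()
        expected = (FILL_PATTERN * (size_bytes // len(FILL_PATTERN) + 1))[:size_bytes]
        return {
            "written": written,
            "size_ok": os.path.getsize(path) == size_bytes,
            "pattern_ok": data == expected,
        }


if __name__ == "__main__":
    # Constructed scenario: segments image.E03 and image.E04 are lost; the
    # properties dialog reports 2048 expected and 1536 referenced chunks.
    missing = missing_chunk_count(2048, 1536)
    print("missing chunks:", missing)
    print("dummy plan:", plan_dummy_segments(["image.E03", "image.E04"], missing))
    print("raw placeholder check:", demo_raw_placeholder(1_100_000))
```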

Volume Snapshot Refinement

  • Multi-threading: Option to set the number of worker threads to 1, which means that one extra thread is started for processing, separate from the main thread, so that GUI interaction is possible without time lag. Useful for example on a terminal server with many concurrent users, where you should not start too many threads, but may want to be able to at least use the GUI quickly. If the number of additional threads is set to 0, that means processing is done like in v19.0 with 1 thread or generally in v18.9 and before by the main thread itself, so that GUI interactions may be slow.

  • Ability to pause multi-threaded operations with the Pause key.

  • It is now possible to omit not only known irrelevant files, but also known relevant files from further volume snapshot refinement. Useful for example if in large cases you have or expect really many such files and having proof of their presence is sufficient for you and you don't need to extract their internal metadata, don't need to compute their skin tone percentages or PhotoDNA hashes, and don't need to check them for embedded data etc.

  • If matches are returned from regular hash databases as well as the PhotoDNA hash database at the same time with conflicting categorizations, the "more severe" category prevails: unknown < known good < known, but uncategorized < known bad

  • The option to mark a file as already viewed when it gets categorized as irrelevant is now applied to the combined result of ordinary hash database and PhotoDNA hash database matching.

  • Internal metadata is now extracted into the Metadata column only from files of selected categories.

  • Options | Security | "Collect information for crash report" is now a 3-state check box. If fully checked, should volume snapshot refinement crash the program, restarting the program will also point out which suboperation exactly was applied to the problematic file(s) when the program crashed. It has not been tested whether this enhanced granularity of logging might cause any noticeable slowdown. There may be multiple candidates for the problematic file that triggered the instability if multiple worker threads were active at the time of a crash. Unlike in v19.0, all of them are now logged, and they are now presented with the help of the Int. ID filter upon restart.

Report Tables

  • When checking for duplicate files based on hash values, identical files can now optionally be grouped in dedicated report tables so that you can conveniently list each group of duplicates in the directory browser with the report table filter, for example to find out which copy of the file was created first, which was touched last, which one might be of most evidentiary value based on metadata such as path etc. Unlike marking duplicates as so-called related items, report table grouping works even across evidence object boundaries, so you are not limited to comparing duplicates within the same evidence object.

  • Report tables that represent groups of duplicate files are highlighted in turquoise. In total there are now 5 different kinds of report tables: 1) user-created report tables, for example for report purposes, 2) report tables created by X-Ways Forensics to make the user aware of special properties of files, 3) report tables representing search terms that are contained in a file, 4) report tables representing hash sets in which a file was found, 5) report tables representing groups of duplicate files.

  • The maximum number of report tables in a case was increased from 256 to 1000.

  • To avoid a bloated list of report tables available for selection during report creation, report tables are now offered in that dialog window only if they are actually intended for report purposes. That is assumed by default for all user-created report tables. And you can toggle the report purpose of each report table in the report table association dialog window, by assigning or removing the "star" symbol.

  • When taking a new volume snapshot, all report table associations in that evidence object are discarded. If that completely empties a report table that is not marked as intended for report purposes, such a report table will now be automatically deleted from the case at that occasion.

Usability & User Interface

  • Options | Viewer Programs now offers grayscale thumbnails for true-color pictures in the gallery. This option is meant for law enforcement users whose job is to review child pornography photos, to reduce the mental impact and stress level.

  • A new 3-state check box in General Options prevents Windows screensavers from starting and potentially requiring to re-enter the current user's password, either only during operations that show a progress indicator window (if half checked) or generally while the program is running (if fully checked). This option has an effect no matter whether the main window is visible or whether the program is running in the background. Useful for example when acquiring a live system of which you don't want to lose control during imaging, or if you wish to keep an eye on the progress indicator on your own machine from another corner in your office.

  • More user-friendly behavior when trying to change the edit mode in data windows where that is not allowed because of not running X-Ways Forensics as WinHex or because of the strict drive letter protection.

  • Convenient option to automatically open the output directories of Recover/Copy after completion.

  • In Edit | Define Block it is now optionally possible to enter the size of the block instead of its end offset. And it is now possible to enter the start and end of a block in terms of sector numbers instead of offsets directly.

  • The option to use the viewer component also for pictures is now presented as an easy-to-reach button in Preview mode, named "VC", so it is now much quicker to switch between the internal graphics viewing library and the separate viewer component. Previously, users had to go to the Options | Viewer Programs dialog window for that, for example to get a second opinion in case of corrupt pictures. Also, some users probably had this option always enabled simply because they thought it was a "must" to view pictures with the viewer component, to get pictures displayed at all, not knowing that pictures are by default displayed by the internal graphics viewing library in X-Ways Forensics.

  • Directory icons for evidence objects that are directories, in the Case Data window, so that they can be distinguished from volumes.

  • Under Windows Vista and later, attachments are now conveniently linked from the alternative e-mail representation in Preview mode.

  • Tidied up Case Data context menus.

  • French translation of the user interface updated. (Not guaranteed to be error-free.)

  • Check boxes with long text labels in Romance languages that get truncated because of the limited space available now automatically come with tooltips that reveal the complete text when hovering the mouse cursor over the control.

  • The Navigation | Go To menu commands are now available in File mode.

  • "Display SHA-1 & TTH192 in Base32" is now a Notation option.

  • Some dialog windows are now slightly more clearly structured.

X-Tensions API

  • The XWF_CreateFile function now supports a new flag, which allows to create files in the volume snapshot with data as provided in a buffer.

  • Documentation updated.

Miscellaneous

  • The Full path column now comes with a filter.

  • New options when importing or creating hash sets in the ordinary hash databases and the block hash database. Duplicate hash values that are already contained in the hash database can either be removed from the newly created or newly imported hash set or from all existing hash sets, to keep the hash database more compact/less redundant.

  • A new command in the Case Data window's context menu allows to mark an evidence object with a light bulb icon as a visual aid to locate it if important.

  • Another new command in the Case Data context menu allows to conveniently make a backup of the selected evidence object's volume snapshot. Backups can be restored at any later time with the same command, and they can also be deleted with the same command (right-click an item in the list of backups to get the Delete command). Such a backup is like a snapshot of the volume snapshot. Useful if you think you might want to revert to a certain processing stage later (i.e. undo changes to the volume snapshot), for example after having carefully tagged thousands of files that you don't want to lose, before running a file header signature search with experimental settings that might produce a lot of garbage files, before attaching external files with options that you had never tried before, before running an X-Tension made by a 3rd party, before totally removing excluded items from the volume snapshot etc.

    Report table associations, events, and search hits are also included in the backup. Search hits can be restored from a backup only if the search term list of the case did not change in the meantime. Indexes are not included in the backup, but can be manually backed up, of course.

  • The same command applied at the case level (right-click the case title in bold for that) allows to make a backup of the entire case, covering all evidence objects' volume snapshots, all report tables, events, search terms, search hits, indexes, image file paths, etc. etc. Such backups can be restored from the same dialog window. Such backups can also be opened directly with the Open Case command if necessary, as they are complete copies of a case. (Backup .xfc files are created with the "hidden" attribute, though, as they are meant to be dealt with within X-Ways Forensics only.)

  • Duplicate files can now also be recognized by the secondary hash value.

  • Duplicate files can now also be recognized by identical start sectors (within the same evidence object).

  • It is now possible to optionally ignore additional hard links when checking for duplicate files.

  • Option to print selected fields on the cover page in bold letters and in a different color, to point the attention of the reader to a certain aspect.

  • New upper/lower case conversion option for textual data in UTF-16 (Edit menu).

  • Separate notation options for the case report just like for exported lists.

  • FYI, two users confirmed independently that the anti-virus software Webroot SecureAnywhere causes random crashes (program terminations) in X-Ways Forensics. So it is not recommended to use the two on the same computer at the same time.

  • Many minor improvements.

  • Some minor fixes.

  • User manual and program help updated for v19.0.


Changes of service releases of v19.0

  • SR-1: Fixed inability of v19.0 to recognize a few file types (those with the "x" flag), including SQLite 3.

  • SR-1: Fixed an instability problem in the registry viewer.

  • SR-1: Fixed crashes that could occur since v18.9 when extracting metadata from certain Linux PNG thumbnails.

  • SR-1b: Fixed an error in File mode in X-Ways Investigator.

  • SR-2: Fixed inability of v19.0 to read a few sectors on very large hard disks.

  • SR-2: Fixed error in file type verification and uncovering embedded data when run with multiple threads.

  • SR-2: Fixed an error where attachments were not extracted from certain .eml files.

  • SR-2: Fixed new option to link attachments from HTML previews of e-mails in the case report.

  • SR-2: Fixed potentially wrong time zone translation of timestamps in transcoded Nikon photos.

  • SR-3: Fixed a volume snapshot data corruption problem in multi-threaded picture analysis and processing.

  • SR-3: More complete extraction of Chrome web history in some cases.

  • SR-4: Fixed an exception error that could occur when providing the alternative e-mail representation for certain e-mail messages.

  • SR-4: Fixed a potential exception error that could occur when running a file header signature search on physical, partitioned media.

  • SR-4: Fixed inability of X-Ways Forensics 19.0 to view contained files in separate windows from within representations of the viewer component.

  • SR-5: Fixed an I/O error that could occur when the case auto-save interval elapsed while refining the volume snapshot with multiple threads.

  • SR-5: Report table descriptions were not handled correctly when deleting a report table. That was fixed.

  • SR-5: Fixed a crash that could occur with certain SQLite databases.

  • SR-5: Fixed a rare exception error that could occur during multi-threaded relevance computation.

  • SR-5: Fixed an exception error that could occur when exporting search hits with context in TSV format.

  • SR-5: Extraction of certain embedded pictures in .eml files.

  • SR-6: The hash filter did not correctly target the 2nd and 4th hash value if the hash type was 2 or 4 bytes in size (e.g. CRC32). That was fixed.

  • SR-6: Fixed an I/O error that could occur in v18.9 and v19.0 when applying File Recovery by Type to an uninterpreted image file.

  • SR-6: The internal graphics viewing library now represents Windows Bitmaps with 32 bits per pixel in correct colors. Fixed skin tone computation for certain Bitmaps with 8 bits per pixel.

  • SR-6: Fixed a potential infinite loop that could occur during a file header signature search for Zip archives when data of JNX files was found.

  • SR-6: Upward searches did not run correctly in v19.0. That was fixed.

  • SR-7: Support for previously unsupported SQLite database files.

  • SR-7: Multi-threaded operations generally more reliable now.

  • SR-7: When matching the files in a volume snapshot against hash databases more than once, previous matches according to the "Hash set" column are now automatically discarded. The hash category remains. This is for performance reasons. Keeping previous and new matches consistent and free of duplications potentially took a lot of time and was not optimized. Users of v18.7 through v18.9 have the option to discard hash set matches and categorizations for selected files with Ctrl+Shift+Del first to accelerate re-matching.

  • SR-7: Fixed problems when loading certain GIF files that contain extension blocks.

  • SR-7b: Fixed error in hash database matching with multiple threads.

  • SR-8: Fixed a crash that could occur when exploring certain keys in registry hives.

  • SR-8: Fixed an exception error that could occur when uncovering embedded data in certain executable files.

  • SR-8: Fixed a rare exception error that could occur when verifying the type of zip archives.

  • SR-8: Sorting by filename extension is now case-insensitive.

  • SR-8: Fixed a crash that could occur in v19.0 when extracting e-mails/attachments from MBOX e-mail archives and original .eml files.

  • SR-8: Prevented unnecessary inclusion of traces of existing files from volume shadow copies in the volume snapshot in certain situations.

  • SR-8: Fixed a cause for multi-threading instability.

  • SR-8: Improved stability with special GIF and TIFF pictures.

  • SR-9: For some few JPEG/TIFF files the extracted "Content created" date was wrong or incorrectly marked as local time. That was fixed.

  • SR-9: There was a problem with the multi-threading option on VMDK images and in Ext* file systems. That was fixed.

  • SR-9: Prevented potential instability with carved .lnk shortcut files.

  • SR-9: Warns the user of GUID conflicts among Windows dynamic disks if open at the same time, to prevent wrong volume-disk connections.

  • SR-10: Fixed inability of v19.0 SR-8 and SR-9 to make certain changes to PhotoDNA databases.

  • SR-10: The category of PhotoDNA hash database matches no longer supersedes that of regular hash database matches during the same snapshot refinement run.

  • SR-10: Fixed a potential crash that could occur when extracting metadata from $UsnJrnl:$J.

  • SR-10: Fixed an exception error that could occur when uncovering embedded data from PE executable files.

  • SR-11: Newly identified 3GP files were erroneously assigned to the category "Other/unknown type" by the file type verification in v19.0 SR-1 and later. That no longer happens.

  • SR-11: X-Tension API: Two new kinds of evidence object IDs can now be retrieved with the XWF_GetEvObjProp function (nPropType 3 and 4).

  • SR-11: Fixed inability of v19.0 to copy certain files along with the case report under certain circumstances if the type status was "newly identified".

  • SR-12: Fixed an I/O error that could occur when extracting e-mails from e-mail archives while multiple threads were active.

  • SR-12: Full filename matches in the Type filter did not count if the type status was "newly identified" or "confirmed". That was fixed. In v18.8 and later, full filename matches should have been ignored only if the type status was "mismatch detected".

  • SR-12: Fixed an exception error or crash that could occur under certain circumstances when opening partitions in X-Ways Investigator without opening the parent disk first.

  • SR-12: LVM2 container partitions are now interpreted properly even if the designated partition type in the MBR or GPT is wrong.


Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32
32257 Bünde
Germany
