In this space I regularly report on new features of X-Ways Forensics. This time I would like to point out the specific features of X-Ways Forensics 15.7 SR1 that concern Windows 7. Markus Loyen, from my Forensic Technology Team, has briefly compiled them:
Features that concern Windows 7 are written in bold:
- Support for the exFAT file system. (requires a specialist license or higher)
- Ability to interpret dynamic Virtual PC VHD images (requires a specialist license or higher). Such images can also be edited (in WinHex, not X-Ways Forensics), but not expanded.
- Ability to interpret .e01 evidence files with an internal chunk size of up to 256 KB (previously up to 128 KB). Useful for example for memory dumps created by other software.
- Old versions of files that are found as part of the thorough file system data structure search in volume shadow copies are now marked as (SC) in the Attribute column and can be filtered. The contents of old versions of large files will be represented correctly in a future release. The file system level metadata of old versions and the contents of small files are usually already represented correctly.
- Old names/paths of renamed/moved files in NTFS as discovered by the thorough file system data structure search are now by default no longer listed as additional items in the volume snapshot and in the directory browser. Instead, they are mentioned as comments that are attached to the renamed/moved files. This keeps directory browser listings smaller and makes searches quicker than before.
- The Simultaneous Search now supports case-insensitive searches generally, not just for English and German letters.
- GREP expressions may now contain true Unicode characters, and it is now possible to search in specific code pages when using GREP syntax.
- The most important MS Office 2007/2010 and OpenOffice 2/3 document types are now by default decoded for the logical search, and (in conjunction with the recommended data reduction) their main XML files are omitted from the search. That ensures that you get search hits in the documents and not in the XML files, which is more convenient, and that you don’t get them twice unnecessarily. The other XML files, which may contain important metadata, are still searched (provided that you have included the contents of archives in the volume snapshot).
- Metadata extraction improved for Windows 7 .lnk files.
- Catalogs of JumpList files are now output in Details mode.
- Ability to recursively delete a directory with subdirectories that cannot be deleted with Windows Explorer or other Windows tools and commands because of illegal characters, via Tools | File Tools | Delete recursively.
- Improved behavior when encountering already running instances. A new middle state allows you to decide on a case-by-case basis whether to start another instance.
- There is now an option to filter by internal ID. This is useful, for example, and very easy to use if you would like to focus on the x files that were added to the volume snapshot last, or if you would like to resume a logical search at internal ID y (and filter out files that have already been searched).
- Introduced an interface that allows copying files of a certain category from selected evidence objects to a user-defined output directory for analysis by a certain external program. The external program can then identify relevant files or classify files. The result can be imported back into the case and will be shown as report table associations, by which you can filter or create reports. The interface works at the case level and requires a forensic license or X-Ways Investigator.
- Through this interface, using the upcoming professional version of the software DoublePics (www.dotnetfabrik.de) and a database of pictures from previous cases as often maintained by law enforcement agencies that have to deal with child pornography cases, it is possible to conveniently and automatically categorize pictures in new cases that are known already, as relevant or irrelevant or "gray area" or whatever. Known pictures can be recognized even if they are stored in a different file format, resized, if the colors or the quality are different or they have been edited, thanks to fuzzy logic and adjustable sensitivity and tolerance.
- When using the non-MAPI method to extract e-mails from PST/OST archives, HTML e-mails are now also usually represented in .eml format (except for outgoing/sent messages). Additionally, a clickable link to the attachments is now included in Preview mode (except for outgoing/sent messages, and not guaranteed to work if attachments have non-English names).
- Fixed an exception error that could occur when taking a volume snapshot.
- Previous limitations for writing sectors in partitioned areas under Windows Vista/7 have been practically removed. In 99% of all cases it is now possible to write sectors in these Windows versions.
- Some minor improvements
- Bugfix in SR-1: The Sender/Recipient columns were swapped. This was fixed.