- The indexing feature has been significantly extended. It is now possible
to index text both in single-byte character code pages and in Unicode
(UTF-16LE)! Also it is possible to have up to three such indexes per
evidence object (e.g. Cyrillic characters indexed in Unicode and two
Cyrillic code pages). Multiple indexes, if selected, are created
consecutively in this version, but with only a single user interaction at
the beginning. The index search will search in all created indexes for an
evidence object at the same time.
Since Unicode is now supported for indexing, the characters to index are
entered as Unicode characters, and X-Ways Forensics allows you to
conveniently select characters from more than 22 languages for indexing.
Currently, most European and many Asian languages are predefined, e.g.
German, Spanish, French, Portuguese, Italian, Scandinavian languages,
Russian, South Slavic languages, Eastern European languages, Greek, Turkish,
Hebrew, Arabic, Thai, Vietnamese. We appreciate corrections to these
character presets (email@example.com). Please note that it is the
responsibility of the user to select the appropriate code page(s) and to
enable substring indexing if the words in the language to index are not
delimited with spaces (e.g. in Thai).
Also, it is now possible to optionally create an index that is
case-sensitive. This is useful e.g. if you create the index for the purpose
of creating a word list for a customized dictionary attack.
To do: The Export Word List command is not implemented yet for the new index
algorithm. The program help has not been updated yet.
- When selecting Chinese as the user interface language, more parts of the
user interface can now be actually seen with Chinese characters even if the
Chinese code page is not active in Windows (as long as support for East
Asian characters has been installed).
- The Details mode has been significantly extended for OLE2 compound files
(e.g. pre-2007 MS Office documents) and .shd printer spool files, in that it
shows their metadata. For MS Office documents, you will often see many more
timestamps (e.g. Last Printed), subject, author, organization, keywords,
total edit time, and much more.
- You will now see accurate listings of the contents of Windows shortcut
files (.lnk) when viewing them in Preview or full-window view. The listing
includes path, name, size, attributes and timestamps of the file being
linked, volume label and serial number, drive type, icon file, link
description, and much more.
- When refining the volume snapshot and verifying the true file type based
on signatures, X-Ways Forensics now warns when it finds hybrid MS Office
files, i.e. merged MS Word and MS Excel documents that can be opened in both
applications, showing different contents. A notice in the messages window
will be displayed, and any detected files will be associated with a special
report table. Hybrid MS Office files are a clever attempt to conceal the
contents of one of the merged documents.
- Ability to open CDs/DVDs in external optical drives as physical media.
- Additional hash category filters have been introduced: Output irrelevant
files only, output unknown files only.
- In newly taken volume snapshots, files and directory on NTFS volumes that
have an object ID are now flagged with a capital I in the Attribute column.
- When replacing a partitioned evidence object with a (new) image file, the
child evidence objects (partitions) will now be replaced with the same image
- Several minor improvements, some of them in relation to the extraction of
- An exception error was fixed that could occur at the end of a file header
signature search in certain situations. Also to be fixed with v14.2 SR-5.
Tools and Utilities
Product page: here