v16.8 [Dec 9, 2012]
Disk Imaging
- Accelerated .e01 evidence file creation.
- Ability to compute two hash values simultaneously. If you make use of this option, then both hash values will be stored in the descriptive text file. The first hash value is the one that can be automatically verified when imaging completes. You could intentionally choose the faster algorithm for that, as the main purpose at that point is to detect I/O errors and file errors. The second hash value is imported into the evidence object properties when adding the image to a case.
- If you cancel disk imaging in the middle of the process, X-Ways Forensics now quickly finalizes the .e01 evidence file format (more precisely, the current segment) to guarantee a consistent image even though it is not a complete image. Useful for example in an emergency situation when imaging media on site, because an incomplete image that can be used without errors is better than an unusable corrupt image. If hashing was enabled, incomplete .e01 images produced with v16.8 even have a hash value that can be verified later.
- Ability to adjust the compression option while .e01 evidence files are being created. Useful if your priorities (higher compression rate or higher speed) change, for example when you see that drive space suddenly seems scarce or you have to finish the process quicker than previously thought. Also useful to experiment, when not sure which compression option might be best for a particular system configuration (e.g. when imaging a live system on site and having to write the image to an external hard disk via USB, where I/O is slow and the overall process may be faster with compression than without).
- Slightly improved compression ratio for the slow strong compression option if selected when disk imaging starts (but still does not usually justify the additional time needed).
- Revised chunk CRC definition in encrypted .e01 evidence files.
- Evidence file containers of the new format no longer need to be optimized for a certain number of files and now have a fixed limit of around 1 billion objects that they can hold.
- Support for Virtual PC snapshots/differencing VHD image files.
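As an added illustration of the two-hash option described in the list above (this is not X-Ways code; the function names, the chunk size and the choice of MD5 as the faster first hash and SHA-256 as the second are assumptions), the following Python example reads the source once, feeds each chunk to both digests while writing the image, and then re-reads the image to verify it against the first hash only:

```python
import hashlib
import io

CHUNK = 1 << 20  # read size in bytes (assumed value)


def image_with_two_hashes(src, dst, fast_alg="md5", strong_alg="sha256"):
    """Copy src to dst in a single pass, updating both digests per chunk."""
    fast, strong = hashlib.new(fast_alg), hashlib.new(strong_alg)
    total = 0
    while True:
        chunk = src.read(CHUNK)
        if not chunk:
            break
        fast.update(chunk)    # first hash: verified right after imaging
        strong.update(chunk)  # second hash: only recorded alongside it
        dst.write(chunk)
        total += len(chunk)
    return {"bytes": total,
            fast_alg: fast.hexdigest(),
            strong_alg: strong.hexdigest()}


def verify_image(img, alg, expected):
    """Re-read the written image and compare it with the recorded hash."""
    digest = hashlib.new(alg)
    for chunk in iter(lambda: img.read(CHUNK), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected


def demo():
    source = io.BytesIO(bytes(range(256)) * 8192)  # constructed 2 MiB "disk"
    image = io.BytesIO()
    record = image_with_two_hashes(source, image)
    image.seek(0)
    ok = verify_image(image, "md5", record["md5"])
    # Simulate an I/O error: flip one byte of the image and verify again.
    damaged = bytearray(image.getvalue())
    damaged[12345] ^= 0xFF
    bad = verify_image(io.BytesIO(bytes(damaged)), "md5", record["md5"])
    return record, ok, bad


if __name__ == "__main__":
    record, ok, bad = demo()
    print(record, "verified:", ok, "damaged image verified:", bad)
```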
Multi-Examiner Support
- Improved support for shared analysis work and distributed volume snapshot refinement in the same case. Use this feature
1) when several examiners are available to deal with a single large case, to review different evidence objects using multiple machines on the same network or with separate accounts on a terminal server, simultaneously
or
2) to refine the volume snapshots of different evidence objects using multiple machines on the same network, simultaneously.
- Each user/computer opens the same .xfc case file (the same copy on the same computer). All participating users/computers or all except for one (the master session) have to open the case as partially read-only, i.e. only allowing for distributed analysis work/volume snapshot refinement. This can be done by selecting View mode in the Open Case dialog window, or you will be prompted automatically when opening the case if the case is already open in another session as not read-only (i.e. in the master session).
- When completed, the results (the refined volume snapshot, comments, report table associations, search hits, tag marks, etc.) will be imported and become visible when opening the evidence object in the master session next time (the next session where the case file is not opened read-only), and a notice about successful synchronization appears in the Messages window.
- If two users try to open the same evidence object as not read-only at the same time, the second one will be warned and advised to open it as read-only to avoid conflicts. Only one user may change the volume snapshot of an evidence object at a time.
- Ability to specifically open individual evidence objects (not the entire case) with the volume snapshot treated as read-only, using a dedicated command in the evidence object context menu in the Case Data window. Just as with the option to open a case as read-only, this is useful for cooperative work, if you know your colleagues may want to open the same case (the same copy of the .xfc file) and the same evidence object and if you wish to let them make changes in that evidence object's volume snapshot, but keep control of the case as such (i.e. run the master session).
- Please note that this has nothing to do with how the evidence object itself (the disk or the image) is treated. X-Ways Forensics never alters data in sectors of disks or interpreted image files when opening them as evidence objects. Only the volume snapshot, i.e. the database with information about all the files and directories found, is either read-only or, and that is the normal state, changeable.