Digital Forensics and Incident Response website
Home News X-Ways Forensics 18.1

X-Ways Forensics 18.1

What's new? 

* Better support for larger font sizes in the hex editor display and in character tables. Improved scaling of various elements of the user interface with high DPI settings in Windows, especially directory browser and case tree icons, small center screen buttons, the status bar, tag squares, sort arrows. Important especially for high resolution displays (4K or 5K displays, such as the Retina displays of recent Mac computers) and users with below average eyesight. File and directory icons generally revised and now more consistent between directory tree and the directory browser. 

* When imaging media with active compression, X-Ways Forensics now provides immediate visual feedback about the actual amount of data found on the disk. That is possible because disk areas that were never written as well as disk areas that were wiped achieve extremely high compression ratios. The rolling compression ratio is represented during imaging by vertical bars in a separate window. The higher the bar, the lower the "data density" in that area. The compression statistics are also stored in the .e01 evidence file, so that the same chart is also available at any later time from the evidence object properties dialog when you click the "Compression" button. 

* Option to fill the block hash database with 1 hash set per file for multiple selected files, unlike previous versions, which created 1 hash set spanning all selected files. 

* Ability to maintain 2 hash values per evidence object. Ability to import 2 hash values from .e01 evidence files produced by X-Ways Forensics or X-Ways Imager. 

* The option "Name output files after unique ID" in Recover/Copy is now available also when recreating complete or partial original paths in the output directory. 

* The search term list now offers a "Max. 1" option when multiple search terms are selected that are not forced with a + or excluded with a -. "Max. 1" will list search hits only if they are contained in files that do not contain any of the other selected search terms. For example for 3 search terms, to get the same results in previous versions, you would have had to list search hits for search term A while excluding B and C, then list search hits for B while excluding A and C, and then list search hits for C while excluding A and B, which of course is not as elegant and does not show you all such singular search hits at the same time. 

* The search term list now offers a "NOT NEAR" option (abbreviated NTNR) in addition to "NEAR". With 2 selected search terms, NTNR will ensure that only search hits are listed that are not located in vicinity of any search hits of the respective other search term. With more than 2 selected search terms, the result is currently undefined. 

* Two new case report options have been added. "Name output files after unique ID" will ensure filenames that are succinct, unique, trackable and reproducible, and will also ensure that if the same files is associated with multiple report tables, it will be copied to the report subdirectory only once. That saves time and drive space. "List each file only once" is a 3-state checkbox. If fully checked, no file will be referenced in the report by more than one report table any more. Note that you can still see all report table associations of a file when it is listed in its first report table in the report, if you output the field "Report table". If the checkbox is half-checked, that means that a file will still be referenced (listed) by multiple report tables in the report if it has multiple associations, but copied only once and linked only from the 
first report table. 

* Ability to include all items in all open evidence objects in the directory browser options dialog of a recursively explore case root window. 

* New X-Tension function XWF_GetEvent, which retrieves information about an event in the internal event list of an evidence object. 

* X-Tension functions XWF_GetReportTableInfo and XWF_GetVSProp revised. 

* Specialist | Refine Volume Snapshot now shows the size of extracted metadata and comments in memory and allows to discard extracted metadata if necessary, to reduce main memory requirements. Now supports up to ~4 GB of extracted metadata per volume snapshot (~2 GB before). 

* A new gallery option allows to tag a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable that selecting multiple files while holding the Ctrl key. 

* Several minor improvements. 

* Same fix level as v18.0 SR-5.

Go to news list