Extract Internal Metadata, Browser History, and Events

WinHex & X-Ways

Extract Internal Metadata and Events

 

Part of volume snapshot refinement. Requires a forensic license.

 

a) Can check the file format consistency of EXE, ZIP, RAR, JPEG, GIF, PNG, RIFF, BMP, and PDF files. The Type Status column will show the result, either "OK" or "corrupt".
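The following Python script is added here as an illustration of what such a consistency check amounts to; it is not part of X-Ways Forensics, whose Type Status logic is proprietary and far more thorough. It covers four of the listed formats (PNG chunk CRCs, JPEG marker structure, ZIP central directory, PDF header and trailer) and reports "OK" or "corrupt" like the Type Status column. All sample files are constructed in the script and are not real evidence; the function names are this example's own.

```python
"""Minimal format-consistency checks for PNG, JPEG, ZIP and PDF.
Added illustration only, not X-Ways code. Result strings mirror the
Type Status column: "OK" or "corrupt"."""
import io
import struct
import zipfile
import zlib


def check_png(data: bytes) -> str:
    # Every chunk carries a CRC-32 over type+payload; walking the chain and
    # verifying each CRC catches truncation and most in-place damage.
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "corrupt"
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return "corrupt"
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return "corrupt"
        if ctype == b"IEND":
            return "OK"
        pos = end
    return "corrupt"  # ran off the end without an IEND chunk


def check_jpeg(data: bytes) -> str:
    # Walk the marker segments up to SOS, then require an EOI marker after it.
    if not data.startswith(b"\xff\xd8"):
        return "corrupt"
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return "corrupt"
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # stand-alone markers
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return "corrupt"
        if marker == 0xDA:                                   # SOS: scan data until EOI
            return "OK" if data.rfind(b"\xff\xd9") > pos else "corrupt"
        pos += 2 + seg_len
    return "corrupt"


def check_zip(data: bytes) -> str:
    # EOCD record must exist, the central directory must lie before it and
    # start with its own signature, and the first local header must be present.
    eocd = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))
    if eocd < 0 or eocd + 22 > len(data):
        return "corrupt"
    entries, cd_size, cd_offset = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    if cd_offset + cd_size > eocd:
        return "corrupt"
    if entries and (data[cd_offset:cd_offset + 4] != b"PK\x01\x02"
                    or not data.startswith(b"PK\x03\x04")):
        return "corrupt"
    return "OK"


def check_pdf(data: bytes) -> str:
    # Header within the first 1024 bytes (as the spec permits); trailer ends with startxref ... %%EOF.
    if data.find(b"%PDF-", 0, 1024) < 0:
        return "corrupt"
    tail = data[-1024:]
    return "OK" if b"startxref" in tail and b"%%EOF" in tail else "corrupt"


_SIGNATURES = ((b"\x89PNG", "PNG", check_png), (b"\xff\xd8", "JPEG", check_jpeg),
               (b"PK\x03\x04", "ZIP", check_zip), (b"PK\x05\x06", "ZIP", check_zip),
               (b"%PDF-", "PDF", check_pdf))


def check_consistency(data: bytes) -> tuple:
    """Return (type, status), or ("unknown", "unknown") if no signature matches."""
    for magic, name, fn in _SIGNATURES:
        if data.startswith(magic):
            return name, fn(data)
    return "unknown", "unknown"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_samples() -> dict:
    """Constructed sample files (not real evidence): good and damaged instances."""
    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + _png_chunk(b"IEND", b""))
    jpeg = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\xd9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "hello")
    pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\nxref\n0 2\n"
           b"trailer<</Size 2/Root 1 0 R>>\nstartxref\n45\n%%EOF\n")
    png_bad = bytearray(png)
    png_bad[41] ^= 0xFF                 # first IDAT payload byte: chunk CRC no longer matches
    return {"png": png, "jpeg": jpeg, "zip": buf.getvalue(), "pdf": pdf,
            "png_bad": bytes(png_bad), "jpeg_truncated": jpeg[:-2],
            "zip_truncated": buf.getvalue()[:-10]}
```

Note that the checks are deliberately structural, not semantic: a PNG whose CRCs all verify can still be a smartphone screenshot with a misleading extension, which is a question for the true-file-type check, not for this one.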

 

b) Allows you to extract internally stored creation times from OLE2 compound files (e.g. pre-2007 MS Office documents), EDB, PDF, MS Office HTML, EML, MDI, ASF, WMV, WMA, MOV, JPEG, THM, TIFF, PNG, GZ, GHO, PGP pubring.pkr keyring, ETL, SQM, IE Cookies, CAT, CER, CTL, SHD printer spool, PF prefetch, LNK shortcut, and DocumentSummary alternate data streams. These timestamps are shown in the Int. Creation column of the directory browser. Where a file carries several internal timestamps, the earliest one is extracted in some cases, because it best approximates the real, original creation date.
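To make concrete what "internally stored creation time" means for two of the formats above, here is an added Python example (not X-Ways code) that reads the PDF Info dictionary's /CreationDate and /ModDate and the target creation FILETIME from a Windows .lnk ShellLinkHeader, normalising both to UTC and, for PDF, returning the earliest timestamp as described. The sample PDF and .lnk header are constructed inside the script; function names are this example's own.

```python
"""Extract the internally stored creation time from PDF files and Windows
.lnk shortcuts, normalised to UTC. Added illustration, not X-Ways code;
the sample files are constructed inline and are not evidence."""
import re
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_PDF_DATE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?(?:([Z+-])(\d{2})?'?(\d{2})?)?")
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}


def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - _FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_pdf_date(raw: bytes):
    """PDF date string D:YYYYMMDDHHmmSSOHH'mm' -> aware UTC datetime (or None)."""
    m = _PDF_DATE.search(raw)
    if not m:
        return None
    fields = [int(g) if g else d for g, d in zip(m.groups()[:6], (1, 1, 1, 0, 0, 0))]
    sign, oh, om = m.group(7), m.group(8), m.group(9)
    offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    if sign == b"-":
        offset = -offset
    elif sign != b"+":
        offset = timedelta(0)               # 'Z' or no designator: treat as UTC
    return datetime(*fields, tzinfo=timezone(offset)).astimezone(timezone.utc)


def pdf_internal_creation(data: bytes):
    """Earliest of /CreationDate and /ModDate in the Info dictionary, which
    best approximates the original creation date."""
    stamps = []
    for key in (b"/CreationDate", b"/ModDate"):
        for m in re.finditer(re.escape(key) + rb"\s*\(([^)]*)\)", data):
            dt = parse_pdf_date(m.group(1))
            if dt:
                stamps.append(dt)
    return min(stamps) if stamps else None


def lnk_internal_creation(data: bytes):
    """Creation FILETIME of the link target from the ShellLinkHeader
    (size 0x4C, CLSID, LinkFlags, FileAttributes, then three FILETIMEs)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    creation, _access, _write = struct.unpack("<QQQ", data[28:52])
    return filetime_to_datetime(creation) if creation else None


def internal_creation(data: bytes):
    if data.find(b"%PDF-", 0, 1024) >= 0:
        return pdf_internal_creation(data)
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return lnk_internal_creation(data)
    return None


def build_samples() -> dict:
    """Constructed inputs: a PDF whose ModDate is later than its CreationDate,
    and a 76-byte .lnk header whose target was created 2020-01-01 12:30 UTC."""
    pdf = (b"%PDF-1.4\n1 0 obj<</Producer(x)/CreationDate(D:20210305141516+01'00')"
           b"/ModDate(D:20220101000000Z)>>endobj\ntrailer<</Info 1 0 R>>\n%%EOF\n")
    ctime = datetime_to_filetime(datetime(2020, 1, 1, 12, 30, tzinfo=timezone.utc))
    lnk = (b"\x4c\x00\x00\x00" + LNK_CLSID + struct.pack("<II", 0, 0x20)
           + struct.pack("<QQQ", ctime, ctime + 10_000_000, ctime + 20_000_000)
           + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))
    return {"pdf": pdf, "lnk": lnk}
```

The PDF case also shows why an internal timestamp is only an approximation: the writer of the file sets the string freely, and the time-zone designator is optional, so a date without one is interpreted as UTC here but may have been local time on the originating machine.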

 

c) Allows copying certain file metadata to the Metadata column, which lets you filter by this metadata, export it with the Export List command, and output it in a report table in a case report. Metadata can be extracted from all the file types specifically supported in Details mode plus Windows shortcut files (.lnk) and prefetch files (.pf). Only a subset of the metadata that you see in Details mode is extracted. You have the option to strip certain lines from the extracted metadata so that they do not appear in the Metadata column, for example to keep the case report or the output of the Export List command more compact for printing or viewing on the screen, or simply because certain metadata fields are not relevant to you. You identify unwanted metadata fields by a substring. That substring can match either the field name (e.g. "Focal Length") or the value of the field (for example if you know in advance that you are not interested in the Author field when the author of a document is "Joe Huber"). One substring is entered per line. Substrings may contain spaces. You can share your definitions by sharing the file "Unwanted Metadata.txt".

 

d) Allows restoring original file system metadata (such as filename and timestamps) when it is found in certain file types such as $I* recycle bin files and iPhone mobile sync backup indexes (Manifest.mbdx). Original filenames are typically much more meaningful than random names that are assigned only to guarantee uniqueness within a single directory for backup purposes. Examples of such random names are 3a1c41282f45f5f1d1f27a1d14328c0ac49ad5ae (for a file in an iPhone backup) or $RAE2PBF.jpg (Windows recycle bin). The current filename according to the file system can still be seen in square brackets in the Name column, as well as in Details mode, and the Name filter will find both the original and the current name, so the current filename is not lost.

 

Alternative names and timestamps are also extracted from Linux PNG thumbnails as known from the Ubuntu and Kubuntu distributions, the MATE desktop manager, and GNOME ThumbnailFactory. The name of the original file is shown in square brackets in the Name column, and the recorded timestamp of the original file is shown as a "Content created" timestamp. The complete path of the original file can be seen in the Metadata column.
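As an added illustration of item d), not X-Ways code, the Python script below parses Windows $I recycle-bin records (both the fixed-length layout used from Vista to 8.1 and the Windows 10 layout with an explicit name length), pairs them with their $R data files and builds the "original [current]" display name, and shows where the random-looking iOS backup names come from: each is the SHA-1 of "Domain-relative/path", so without the manifest they can only be recovered by hashing known paths forward. All records are constructed in the script; the $RAE2PBF.jpg name is the one quoted above, the path and timestamps are invented.

```python
"""Restore original names and timestamps from Windows $I recycle-bin records
and explain/resolve iOS backup file names. Added illustration, not X-Ways
code; all inputs are constructed inline."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_recycle_i(data: bytes) -> dict:
    """Parse a $I<id> record: version (1 = Vista..8.1, 2 = Windows 10+),
    original size, deletion FILETIME, then the original UTF-16LE path."""
    version, size, deleted = struct.unpack("<QQQ", data[:24])
    if version == 1:                        # fixed 260-character path field
        raw = data[24:24 + 520]
    elif version == 2:                      # explicit char count incl. terminator
        (nchars,) = struct.unpack("<I", data[24:28])
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"original_path": raw.decode("utf-16-le").split("\x00", 1)[0],
            "original_size": size,
            "deleted": _FILETIME_EPOCH + timedelta(microseconds=deleted // 10)}


def restore_recycle_names(bin_files: dict) -> dict:
    """Map each $R<id> data file to the original path/timestamp from the
    matching $I<id> record; 'display' mimics the 'original [current]' style."""
    out = {}
    for name, data in bin_files.items():
        if name.startswith("$I"):
            rec = parse_recycle_i(data)
            current = "$R" + name[2:]
            rec["display"] = "%s [%s]" % (rec["original_path"].rsplit("\\", 1)[-1], current)
            out[current] = rec
    return out


def ios_backup_name(domain: str, relative_path: str) -> str:
    # iTunes/Finder backups store each file as SHA-1("<Domain>-<relative path>"),
    # e.g. HomeDomain-Library/SMS/sms.db, which is why the names look random.
    return hashlib.sha1(("%s-%s" % (domain, relative_path)).encode()).hexdigest()


def resolve_ios_backup_names(names, candidates) -> dict:
    """Without Manifest.mbdx/.mbdb the hash cannot be reversed, but known
    (domain, path) pairs can be hashed forward and matched against it."""
    table = {ios_backup_name(d, p): (d, p) for d, p in candidates}
    return {n: table.get(n) for n in names}


def build_samples() -> dict:
    """Constructed $I records (v2 and v1 layout) for the same deleted picture."""
    td = datetime(2023, 6, 1, 8, 0, tzinfo=timezone.utc) - _FILETIME_EPOCH
    ft = (td.days * 86400 + td.seconds) * 10_000_000
    path = "C:\\Users\\joe\\Pictures\\holiday.jpg"
    enc = path.encode("utf-16-le") + b"\x00\x00"
    i_v2 = struct.pack("<QQQI", 2, 1234, ft, len(path) + 1) + enc
    i_v1 = struct.pack("<QQQ", 1, 1234, ft) + enc.ljust(520, b"\x00")
    return {"$IAE2PBF.jpg": i_v2, "$IOLDREC.jpg": i_v1}
```

The deletion time in the $I record is a FILETIME written by the shell at the moment of deletion, so it belongs in the event list alongside the file system timestamps of the $R file rather than replacing them.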

 

e) Populates the Sender and Recipients columns for original single e-mail files (.eml, .emlx, .olk14msgsource). Extracts the subject of such e-mail messages and shows it in the Name column if it differs from the name of the file; unless the file is a carved file (i.e. a file with an artificially generated filename), the original filename is preserved and shown as an alternative name in the same column.

 

f) Creates previews of Internet browser SQLite databases, which may require that the files have been checked for their true file type first. Supports Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Chrome sync, Safari cache, Safari feeds, and Skype's main.db database about contacts and file transfers. Also creates previews of Internet Explorer index.dat files (including artificial index.dat files compiled from individual records found in various locations during the file header signature search), Internet Explorer 10's WebCacheV*.dat files, the Edge browser's spartan.edb file (all favorites and ReadingList entries are added to the event list), $UsnJrnl:$J, Windows Event Logs (.evt and .evtx), and Apple FSEvent logs. From iOS's sms.db all recorded SMS conversations are extracted to individual chat files, and all messages are added to the event list, where they can be filtered by phone number or e-mail address. Also extracts browsing history information from Safari's icon database. This alternative source is very interesting because it records browsing history even when Safari is in private browsing mode.

HTML previews and views of index.dat Internet Explorer browser cache/history files contain a column with the offset of the record within the file where the data of each row was found. This offset is presented as a link. If you click it, you automatically navigate to that offset in the corresponding index.dat file in File mode, so that it is convenient to verify the information that X-Ways Forensics has extracted from the record at that location. (Note that this works correctly only if the link is not broken across two lines, which may happen in v8.4 of the viewer component, but not in v8.3.7. In any case you can still navigate to that offset manually.)

The HTML child objects that are generated are not only used internally by X-Ways Forensics for previews of the parent file. You can also view all of these tables in an external program such as your preferred browser or MS Excel, by sending these child objects to the program of your choice (directory browser context menu). You may have X-Ways Forensics split HTML tables after an arbitrary number of rows. You can set this number much higher if you view the HTML previews externally with your preferred Internet browser rather than with the viewer component, which cannot deal with very large tables. The existence of HTML child objects with searchable text for browser data, event logs and other data sources also improves the effectiveness of searches and indexing.

 

g) Extracts tables from various other SQLite databases in TSV format and uses the first one as a preview of the SQLite database file itself.
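The Python script below is an added example for items f) and g), not X-Ways code. It checks a file's true type by its SQLite header before touching it, opens it read-only, recognises a Chrome History or Firefox places.sqlite schema by table names, converts the two browsers' different timestamp bases (Chrome: microseconds since 1601-01-01; Firefox PRTime: microseconds since 1970-01-01) to UTC, merges everything into one time-ordered event list, and renders a TSV table of the kind the child objects above contain. Both databases and the decoy file are constructed in a temporary directory by the script; the URLs and times are invented.

```python
"""Turn Chrome and Firefox history databases into one sorted event list and a
TSV table. Added illustration, not X-Ways code; both databases are constructed
inline in a temporary directory and are not real evidence."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome's time base


def true_type_is_sqlite(path: str) -> bool:
    # Check the header, not the name: browser databases rarely carry a .sqlite
    # extension, and a carved or mis-typed file would fail in the SQL layer anyway.
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def chrome_time(us: int) -> datetime:          # microseconds since 1601-01-01
    return _WEBKIT_EPOCH + timedelta(microseconds=us)


def firefox_time(us: int) -> datetime:         # PRTime: microseconds since 1970-01-01
    return _UNIX_EPOCH + timedelta(microseconds=us)


def extract_history(path: str) -> list:
    """Return [(utc datetime, browser, url, title)] from a Chrome 'History' or
    Firefox 'places.sqlite' file, opened read-only."""
    if not true_type_is_sqlite(path):
        raise ValueError("%s is not an SQLite 3 database" % path)
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        tables = {r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        if {"urls", "visits"} <= tables:
            rows = con.execute("SELECT v.visit_time, u.url, u.title "
                               "FROM visits v JOIN urls u ON u.id = v.url")
            return [(chrome_time(t), "Chrome", url, title) for t, url, title in rows]
        if {"moz_places", "moz_historyvisits"} <= tables:
            rows = con.execute("SELECT h.visit_date, p.url, p.title "
                               "FROM moz_historyvisits h JOIN moz_places p ON p.id = h.place_id")
            return [(firefox_time(t), "Firefox", url, title) for t, url, title in rows]
        raise ValueError("unrecognised schema in %s: %s" % (path, sorted(tables)))
    finally:
        con.close()


def event_list(paths) -> list:
    """Merge several databases into one timeline, oldest first."""
    events = []
    for p in paths:
        events.extend(extract_history(p))
    return sorted(events, key=lambda e: e[0])


def to_tsv(events) -> str:
    lines = ["Time (UTC)\tSource\tURL\tTitle"]
    for t, src, url, title in events:
        lines.append("\t".join([t.isoformat(), src, url, title or ""]))
    return "\n".join(lines)


def _micros(dt: datetime, epoch: datetime) -> int:
    td = dt - epoch
    return (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds


def build_sample_dbs() -> dict:
    """Constructed Chrome and Firefox databases plus a non-SQLite decoy."""
    d = tempfile.mkdtemp()
    chrome, firefox, fake = (os.path.join(d, n) for n in ("History", "places.sqlite", "fake.db"))
    con = sqlite3.connect(chrome)
    con.executescript(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER);"
        "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, "
        "from_visit INTEGER, transition INTEGER);")
    t = _micros(datetime(2024, 2, 10, 9, 15, tzinfo=timezone.utc), _WEBKIT_EPOCH)
    con.execute("INSERT INTO urls VALUES (1, 'https://example.org/', 'Example', 1, ?)", (t,))
    con.execute("INSERT INTO visits VALUES (1, 1, ?, 0, 805306368)", (t,))
    con.commit()
    con.close()
    con = sqlite3.connect(firefox)
    con.executescript(
        "CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_date INTEGER);"
        "CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER, "
        "place_id INTEGER, visit_date INTEGER, visit_type INTEGER);")
    t = _micros(datetime(2024, 2, 10, 8, 0, tzinfo=timezone.utc), _UNIX_EPOCH)
    con.execute("INSERT INTO moz_places VALUES (1, 'https://example.net/login', NULL, ?)", (t,))
    con.execute("INSERT INTO moz_historyvisits VALUES (1, 0, 1, ?, 1)", (t,))
    con.commit()
    con.close()
    with open(fake, "wb") as fh:
        fh.write(b"not a database at all")
    return {"chrome": chrome, "firefox": firefox, "fake": fake}
```

Opening with mode=ro matters on real evidence: a plain sqlite3 connection will happily create journal files next to the database and replay a hot journal, modifying the very file under examination. Working from a copy inside the case is the safer habit regardless.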

 

h) Extracts the original revision of PDF documents that were edited, if available, as a child object.

 

i) Provides timestamps from the file system as events to analyze in an event list.

 

j) Provides internal timestamps in files as events.

 

k) A generic relevance of files can be estimated. This relevance is based on a variety of factors, such as the type of the file, its generator if known (for JPEG and PDF files), its currentness (last modification date), whether it is known from any hash database, the wealth of internal metadata that it contains, its size, the visual content of pictures, whether a PNG file is a smartphone screenshot, whether an HTML file has been locally saved by the user manually, whether there is something unusual about the file, and so on. The weight with which the currentness and the size of a file affect its computed generic relevance is user-definable: 100% means default weight, 50% means half of that, 0% means the factor has no effect at all, and the maximum is 255%. The relevance is not merely content-based, but the result of a fundamental characterization. In particular the generator signature is a provenance-based criterion. The main idea is that if your time for examination is limited, you can start with the files that have the highest generic relevance, to maximize your chance of finding what you are looking for, if it exists, and of finding it early. To sort listed files by relevance in descending order, i.e. to prioritize them for review, select Navigation | Sort by Relevance from the directory browser context menu.