Exploring X-Ways Forensics 20.6 Beta 1b, Auto-Resume

Have you returned to a case you left to process overnight only to discover it was no longer running because of a crash? I have.

On 07/03/2022, 20.6 Beta 1 introduced a new feature that will enable X-Ways Forensics to automatically resume the volume snapshot refinement processes following a crash. I took a few moments to explore how the auto-resume feature works in 20.6 Beta 1b x64 and discover what I might anticipate when using this feature once 20.6 is officially released.

Set-up

Auto-resume may be enabled by checking “Restart automatically after crash” in Options | Security.

Options | Security…
If enabled in Beta 1, an executable will run along with XWF.

The announcement for Beta 1 named two volume snapshot refinement operations that currently support auto-resume: “file header signature search” and “processing of individual files”.

Parallelization option value will resume with +0 threads following a crash.

When enabled, the volume snapshot refinement (RVS) process will resume from the last auto-save following a crash. The auto-save interval may be changed in case properties under Case Data | Edit | Properties.

Auto save interval is set to every 5 minutes.

In Preview and Beta releases only, repeatable crashes may be simulated by providing XWF a case-sensitive filename in the Security Options window. Optionally, non-repeatable crashes may be simulated by terminating XWF with the Task Manager.

Note: If, along with XWF, the watcher.dat process is terminated, XWF will not auto-resume.

Checking this box will simulate a crash on a specific filename.

Brief Observations

After setting up the auto-resume feature and initiating the volume snapshot refinement process, I simulated a crash by terminating XWF from the Task Manager. In a separate RVS process, I also simulated a crash by specifying a filename in the Security Options window. I explored this feature from the graphical user interface.

1. When XWF was terminated while performing a file header signature search, the msglog.txt file noted the file type and sector, then auto-resumed. Subsequent crashes added sectors to a list of sectors to omit.

The msglog.txt will note the sectors omitted following a crash.

2. When XWF was terminated while processing individual files, the msglog.txt noted the internal ID of the file. If parallelization was enabled, the msglog.txt file also noted the internal IDs of the files processed by each thread and the sub-operation. XWF resumed the process with no additional threads.

The msglog.txt events recorded following the simulated crash demonstrated in the animated GIF above.

3. When XWF was configured to simulate a crash on a specific filename (Beta/Preview only), the msglog.txt file noted the internal ID of the file, then auto-resumed. Further, the filename was added to the report table, “Omitted, Reason for crash?”

Comment

Auto-resume capability, which may save time and potential headaches, is among many new functions/improvements to look forward to in XWF 20.6.
