Last day of discounted X-Ways Forensics online course

I’m sure there are a few more people left to register for the X-Ways Forensics online course (XWF I) with the discount code of “xwf1”. That’s 25% off, plus it includes free tuition to the X-Ways Forensics II online course. XWF I is introductory; XWF II is more in-depth, quite a bit longer, and will be released in August. XWF III, a shorter course, will be released sometime after August.

Everyone registering for XWF I by midnight tonight (Pacific time) gets access to XWF II and XWF III when published, without cost. Otherwise, it’s a separate tuition payment for each course. From July 18, XWF I is back to $195, XWF II will be $299, and XWF III will be $75. Each class is lifetime-access, on-demand training, including updates to the courses when XWF is substantially updated (should be a course update once a year).

Details on XWF II are here: https://xwaysforensics.wordpress.com/2014/07/05/x-ways-forensics-practitioners-guide-online-ii/

Register for X-Ways Forensics Practitioner’s Guide online course here:  http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide


Not X-Ways, but of interest to EnCase users

Computer Forensics and Digital Investigation with EnCase Forensic

http://amzn.to/1eY02wn

 

I know, this has nothing to do with X-Ways Forensics.  But hey, the X-Ways Practitioner’s Guide was first…

Practically, this seems like a good book for EnCase users to park on the shelf (while the X-Ways Practitioner’s Guide sits on your desk next to your keyboard).

So, when is that book on “FTK” coming out….and who is going to write it?…And if you do want to write it, give Syngress a shout.

WinFE (and of course, XWF)

Taking WinFE to even another level on a multiboot thumbdrive.  Very cool, but I spread this word to you because there are few things in life neater than a forensically bootable CD/USB with X-Ways Forensics.

From Hacking Exposed: Adding the WinFE Image to the Multiboot Thumbdrive Image (Video)

http://hackingexposedcomputerforensicsblog.blogspot.com/2014/02/daily-blog-248-adding-winfe-image-to.html

Another reason to use, try, or at least just learn about XWF

Not that many years ago, you would not find a requirement of having experience with X-Ways to apply for a DFIR job. But now, some jobs recommend it and some others require it. This is not to say the other big players (EnCase, AccessData, etc.) are not needed or useful, just that XWF has made it to the same level, at a price point that will probably not be beat and with capabilities that still outpace other tools.

So……it makes sense to know a little about the tool that might put you over the edge for that next job.  Of course, you need to be competent too, but like I’ve said before, “beware the examiners that use X-Ways Forensics because they probably know what they are doing.”


For the future XWF users, check out www.x-ways.net for some details, download and read a quick guide, and when you move forward with XWF, buy the book 🙂

 

Cool update to the XWFIM, Portable Install

Eric is at it again.  This time with a pretty cool update to the X-Ways Forensics Install Manager (v0.0.7.0).  The update to the XWFIM now includes an option to create a portable install to external media.   Page 13 of the Practitioner’s Guide to X-Ways Forensics details how to do this manually, but XWFIM does it for you with a few clicks.

Easy enough

 

Cool! Notepad++ and Volume Label renamed.

 

Bam! Done.

 

Another cool little feature is that the XWFIM creates all the case folders for you in the process of the portable install.  Neat.

I like this. Saves a few keystrokes and I’m all about saving keystrokes.

 

Don’t forget, if you liked the Practitioner’s Guide to X-Ways Forensics, write a review on Amazon to let us know how you liked it (or if you didn’t…).  And if you use XWF and didn’t buy the guide…you are missing out on more than a few tips and tricks that will save you dozens of keystrokes.

X-Ways Forensics Install Manager

I cannot imagine anyone who uses XWF not having Eric Zimmerman’s XWFIM. Every time I use it, I wonder how I did without it. XWFIM is available through the XWF support forum. It’s free, but you need a license for XWF to get it.

Eric constantly adds little things to it, much like Stefan adds ‘little’ things to X-Ways Forensics.  One of the latest little additions is the selection box to “Include pre-release versions” which is pretty cool.


 

And if you haven’t bought the XWF Guide yet and you use the XWFIM, just click the book’s graphic and you can have the guide on your Kindle in about 30 seconds.


Something else cool about XWF

Consider the differences between X-Ways v12 below:

X-Ways Forensics version 12

With the current version 17:

X-Ways Forensics version 17

They look the same!

XWF has had literally hundreds upon hundreds of significant updates over this time between v12 and v17, but the interface and usage remain constant. Personally, I enjoy an update to a program that looks the same, the buttons are in the same place, and there are new features to use. The last thing I want is a totally different interface, buttons where I have to hunt and peck to find or miss completely, or have to take another class from the vendor to be told how to use their new fandangle program.

It’s nice to know that in 10 years, XWF will probably look the same. Even though I know it will be able to do so much more by then, I’ll be able to use it without skipping a beat.

This is also the reason that the XWF Guide will carry you through the next many years without having to worry about a major change in operation of XWF.  What other manual or guide can say that?

Imaging with X-Ways Forensics

The current (and free) issue of eForensics Magazine has an article on imaging with X-Ways Forensics.   Of course, the XWF Guide is more detailed, but to get an idea of some of what XWF can do with imaging,  take a look at the article.

http://eforensicsmag.com/jumpstart-3-free/

X-Ways Forensics and WinFE

A faster WinFE build is available on http://winfe.wordpress.com/ that includes a script to add XWF to the build. Of course, you have to have a license for XWF for the script to add it to the build. As of now, it includes FTK Imager and dd tools, with more on the way. The build method is a beta only because more apps are being added that need to be tested. Other than that, it works great with FTK Imager, XWF, and a few other small apps. The goal is to put several imaging options on it for user preference.

Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.

There is no difference between the write protection in this faster build as it uses Colin Ramsden’s write protection application, but the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish.  You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes time, starting from pushing the button and having a WinFE CD/DVD/USB in your hand.

Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE.  And just because it only takes 10 minutes doesn’t mean WinFE is a minor forensic tool.  With XWF, WinFE is way more than just something you can throw together to image.  It’s really neat.

Creating distributable test images

I’m in the process of creating working materials to go along with the XWF Guide in the form of exercises and test images. I expect to be finished in 2014 or 2015 or …(it all depends on time available). The materials will be freely available but will really only work best with the XWF Guide. And yes, I know I can use images already available, like at http://digitalcorpora.org/corpora/disk-images, but these datasets will be made to demonstrate all the neat things detailed in the XWF Guide.

One thing I’d like to point out is an issue with creating forensic images to give to students: the images may contain data that would violate a EULA if distributed, such as files from commercial programs and operating systems. Anyone that deals with this in training will be happy with how XWF can be used to address this problem.

With the “Cleansed Image” option of XWF, simply exclude/hide any and all files that would raise privacy concerns or violate a EULA before creating the image. Then create the image 🙂

This gives you a complete (minus excluded files) disk image without worrying about violating a EULA.  You could do this the hard way by using WinHex to overwrite every single file in question.  Or you can mass exclude files in one fell swoop with XWF and bam.  Image done.  Now you have something to give out to your class.

I’ve always wondered why some instructors give out complete images of a single system and make the student “promise” not to distribute the files…that is a bit too trusting in my opinion.   And come on, you know who you are…

<And I’ll leak a little information from the book on the cleansed image feature. You can use this technique to remove private/privileged/protected data from an image when you have to comply with a court order but can’t produce specific protected data on the image. An example is a civil case where you need to turn over an image to the opposing expert but have privileged files on the image. Don’t hex edit it, cleanse it!>

The XWF Guide has dozens of these kinds of tips and tricks, but you get one today for free.  Get the book for the rest of the tips and tricks, you will without a doubt, find something worthwhile that will save you hours or days of work.
