X-Ways Forensics Imaging Article

In case you missed an article on X-Ways Forensics Imaging (page 40), you can download a free copy of the issue of eforensicsmag here:  http://eforensicsmag.com/jumpstart-3-free/

XWF Imaging
You may like the WinFE article too…I know the guy that wrote that article…


The article is an overview of imaging with X-Ways Forensics, which is covered in more detail in the XWF Guide.   If you haven’t bought the guide yet and are on the fence on whether XWF is right for you, check out the article on the one feature of imaging and I am sure you will not be on the fence anymore.

I use this guide myself…and I was a coauthor!

Imaging with X-Ways Forensics

The current (and free) issue of eForensics Magazine has an article on imaging with X-Ways Forensics.   Of course, the XWF Guide is more detailed, but to get an idea of some of what XWF can do with imaging,  take a look at the article.


X-Ways Forensics and WinFE

A faster WinFE build is available on http://winfe.wordpress.com/ that includes a script to add XWF to the build.  Of course, you have to have a license for XWF for the script to add it to the build.  As of now, it includes FTK Imager and dd tools, with more to be added.   The build method is a beta only because more apps are being added that still need to be tested.  Other than that, it works great with FTK Imager, XWF, and a few other small apps.  The goal is to put several imaging options on it so the user can choose.

Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD.
Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.

The write protection in this faster build is no different, as it uses Colin Ramsden’s write protection application; the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish.  You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes, from pushing the button to having a WinFE CD/DVD/USB in your hand.

Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE.  And just because it only takes 10 minutes doesn’t mean WinFE is a minor forensic tool.  With XWF, WinFE is way more than just something you can throw together to image.  It’s really neat.

Creating distributable test images

I’m in the process of creating working materials to go along with the XWF Guide in the form of exercises and test images.  I expect to be finished in 2014 or 2015 or …(it all depends on time available).  The materials will be freely available but will really only work best with the XWF Guide.  And yes, I know I can use images already available, like at http://digitalcorpora.org/corpora/disk-images, but these datasets will be made to demonstrate all the neat things detailed in the XWF Guide.

One issue worth pointing out about creating forensic images for students: an image that contains data such as commercial programs and operating systems may violate the EULA if distributed.  Anyone who deals with this in training will be happy with how XWF can be used to address this problem.

With the “Cleansed Image” option of XWF, simply exclude/hide any and all files that would raise privacy concerns or violate a EULA before creating the image. Then create the image 🙂

This gives you a complete (minus excluded files) disk image without worrying about violating a EULA.  You could do this the hard way by using WinHex to overwrite every single file in question.  Or you can mass exclude files in one fell swoop with XWF and bam.  Image done.  Now you have something to give out to your class.

I’ve always wondered why some instructors give out complete images of a single system and make the student “promise” not to distribute the files…that is a bit too trusting in my opinion.   And come on, you know who you are…

<And I’ll leak a little information from the book on the cleansed image feature.  You can use this technique to remove private/privileged/protected data from an image when you must comply with a court order to produce the image but cannot produce specific protected data on it.  An example is a civil case where you need to turn over an image to the opposing expert but have privileged files on the image.  Don’t hex edit it, cleanse it!>

The XWF Guide has dozens of these kinds of tips and tricks, but you get one today for free.  Get the book for the rest of the tips and tricks; you will, without a doubt, find something worthwhile that will save you hours or days of work.

“This book is going to be great!”

“This book is going to be great!  The essential, accessible answer to the impenetrable density of XWF’s help file”. – Craig Ball

There have been more than a few tweets about having to wait until October, but don’t worry, we are ahead of that schedule.  The most current target date for printing is September 3.


The book is now in the hands of trusted reviewers and so far, the comments have been really positive.  So much so, that even those who have used XWF for years learned tips and tricks from even the first chapters of the book.

There are a number of XWF users who started from the first versions of XWF and even went to the first XWF courses (back in ’05…).   For these XWF users, the learning curve was short.  New tool, new training by the developer, no problem.  For everyone else, purchasing a dongle and trying to maneuver around a program that doesn’t look like any other they use is a different story.  I’m sure ‘different’ could be replaced with ‘frustrating’.

But with this book, new and not-so-new XWF users will have everything needed to use XWF as their primary tool (or even as the secondary tool that always works when the others fail).

Here are some benefits from the book, maybe you fit in one or more of these.

Non XWF user:  Haven’t tried it, like what I’m using already (even if I complain about it), and don’t have the time to learn a new tool.  I don’t even want to learn another tool.  However, since there is so much talk about X-Ways, I’ll try it and check it out.

New to forensics:  I haven’t got a clue which tool to start with, but XWF sounds like it works and fits my budget!

Current XWF user:  I have used XWF for years and think I got it down.  Then again, I still don’t use it as a primary tool and wonder how anyone does that.  I can use some tips on how XWF does more because I’m not totally confident in using XWF.

Forensics instructor:  I spend more time teaching the tool than forensics.  A student guide would save time in the class better spent teaching forensics instead of software use.

Expert forensics analyst:  I want the most in-depth, powerful, fastest, and configurable forensic tool available!

If you are concerned that the book will be outdated soon, don’t worry.  The material covers the vast majority of XWF features in detail.  Any new item that is added in an update doesn’t change the information in the book; it only adds a new capability.  Once you know the tool, the updates that are put out almost monthly are awesome.

X-Ways Forensics Practitioner’s Guide is coming!

Eric Zimmerman and Brett Shavers have started writing the “X-Ways Forensics Practitioner’s Guide”, due out toward the end of year 2013.

Check back to see when the guide will be available.   This guide is intended to be the source for using X-Ways Forensics.
