To answer a question that is being asked, yes, there will be a 3rd edition, but not until 2026.
Some points on the 3rd edition:
It will not be a repeat of the 1st or 2nd edition (buttons and checkboxes).
It will not be a beginners’ guide to XWF (for instructions on how to use XWF, refer to the 2nd edition).
It will be a guide to using XWF in specific cases.
For example, Chapter 1 might be titled XWF & CSAM. The entire chapter will be using XWF in working a CSAM case, using different approaches and processes, from start to finish.
Chapter 2 might be titled XWF & IP Theft, with the same concept as above, and so forth.
My goal with XWF/3E is to put to work all that you learned from 1E and 2E, chapters separated by case type so you can see all the ways to use X-Ways in targeting that specific type of data. I intend on giving access to the datasets so you can work alongside what you read and use other tools on the same data for verification.
Why 2026 and not 2024?
XWF/2E is detailed enough to last in the “how to use XWF” until then. XWF has a few changes here and there in dialog boxes and improvements in features, but overall, XWF/2E should be good until 2026 and beyond a few more years.
I have two more books to get out first! Next week, I am publishing something that has been on my desk(top) for a long time (DFIR Investigative Mindset). But I am currently working on a creative nonfiction book with Mark Spencer as a priority to get done in 2024.
Then I have an update to Placing the Suspect Behind the Keyboard in 2025.
I’ll then have XWF/3E out in 2026. Who knows what technology will be available then?
PS: I will be on the hunt for a tech editor in 2025….if one is interested in getting involved 🙂
I have had early access to API Forensics’ Exponents. I have been testing these “X-tensions” for some time now. X-tensions are, in effect, add-ons to expand functionality with X-Ways Forensics. As usual, when I am asked to look and test yet-to-be released software, I tell no one until I can. So here I am telling you!
There are quite a few free X-tensions available online and several commercial X-tensions. You can even write your own with a little elbow grease. I’ve written a few, but nothing of any substance other than to do a little thing or two that I need in casework.
But with API Forensics’ Exponents, this is an entirely new level of X-tensions. X-Ways Forensics just got a capability boost in a big way.
TL;DR
API Forensics Exponents allows XWF to easily ingest data from sources like video/pictures from mobile devices, cloud webmail (Microsoft, Google, Yahoo, Zoho, AOL, etc.), and text messages from 3rd party acquisition of mobile devices, along with a Facial Recognition exponent.
My favorite forensic software application is….
…whatever works for when I need it. Yes, I’ve now written two books on how to use X-Ways Forensics, but that was because I felt that XWF users needed more than the documentation provided by X-Ways. I think that I was right about that.
No, I do not only use XWF. I use anything and everything under the sun if the tool does what it says it can do and it solves for what I need. I will never promote a bad tool, nor complain about a bad tool other than sending a message to the developer directly. If you see a tool promoted on dfir.training or anything that I write or say, that means I personally endorse it.
But I do use XWF as a primary tool and as a validation tool for different tools that I use as primary tools. It all depends on the type of case (data, device, OS, objectives, time, etc…) that I choose which tool will be my primary for that particular device or data examination.
The biggest negative with XWF is what it doesn’t do as well (or do at all) as other tools, like encryption. For those instances, I am exporting the data out of a XWF case for analysis with another tool that is better suited for that data. Yes, other tools are “better” than XWF in specific instances just as XWF is “better” than other tools in specific instances. I even wrote about this in the XWF books, noting that XWF even has a feature just for this purpose.
Back to API Forensics
And this is why I find API Forensics to be really cool. It gives XWF features that I wanted XWF to do in the first place, reducing redundancy in exporting data to yet another tool that needs yet another tool to validate.
Do I recommend this tool?
If you are examining the type of data that API Forensics supports AND you use XWF, then absolutely I recommend it. I am assuming that you are already competent in XWF if you have a license (and read my book!) so the learning curve is barely anything for the features you are adding in XWF.
The 2nd edition of the X-Ways Forensics Practitioner’s Guide is already over a year old! There have been more updates during that time in XWF, but not enough to justify a new edition.
I am hoping that the XWF practitioner’s guide has been useful as that was my intent! It took a lot of work and stress to get that book out. I believe that it has sold more than the first edition, for which I am grateful for the first edition being possible with Syngress as the publisher. It hit the top selling books on Amazon a few times and was nominated for the Forensic 4:Cast awards, but didn’t win.
As of Jan 31, 2024. This doesn’t include 200 books that I gave away 🙂
There are over 35,000 XWF licensed users, so I missed A LOT of users. I am willing to bet that this book would help them with XWF in ways they never knew.
The first edition was published by Syngress Publishing, therefore the Rights to the book belonged solely to Syngress. This edition became out of date after 5 or 6 years, and from that time, I was emailed constantly about a second edition for years.
Each time that I had bulk requests about a 2nd edition, I asked Syngress about writing it. Syngress didn’t want to. I was told that the first edition was still selling. Then they were not publishing new books at one point. And so on, each time an excuse for not publishing the second edition.
The first edition’s initial print run was sold out in pre-sale, so it was a good seller at that time proving the need for the book. I can understand Syngress not wanting to stop printing one book to replace it with another if the first was still selling.
Then the book ended up on the pirated books websites. That was sad to see, especially since at least one of the PDFs had malware that I found.
But after a while, I didn’t want anyone buying that first edition since it was OLD and OUT OF DATE. Syngress still refused to go forward with a second edition, so I spent more than a year asking for the Rights to the book from Syngress. I am thankful that they gave the Rights of all content, title, and book to me.
So then, I could print the second edition myself, which meant marketing it myself, designing the cover myself, and asking for help in the process. Much sincere appreciation to Michael Yasumoto for tech editing!
Quick note on a Kindle version: It won’t happen with this book. I tried to convert it to Kindle and the formatting makes it unusable. It may be readable, but I don’t want such bad visual quality with my name on it…
Now that I own the Rights to the book and any future editions, I can update at will.
So…….a third edition?
I am now getting asks about a 3rd edition. Here are my thoughts on the next edition:
1-the second edition should be good for another 3-4 years to learn XWF. The improvements and updates to XWF between publishing and at that time are not enough to redo the entire book. Some dialog boxes are completely revised now, but for function, the book should be good for some years.
2-with the first and second editions showing all the buttons and checkboxes, and demonstrating the flow of XWF, I am not certain that a third edition of the same content type is worth it. A huge chunk of XWF users bought the books and should be competent in knowing how the buttons work (and checkboxes!).
3-a new method of showing XWF may be better. As of now, I am not touching a 3rd edition until I wrap up the books I have ahead of it.* But, in 2025, if I can get to XWF/3E, it will be a workflow book, meaning, each chapter will be a case study, in a specific type of case, showing one or more workflows with XWF in that particular type of case. As an example, Chapter 1 may be titled “CSAM and XWF”. An entire caseflow of working a CSAM case with XWF would be contained in that chapter using fake CSAM, of course. Chapter 2 may be titled “IP Theft and XWF” using the same concept.
Is X-Ways Forensics the best forensic software?
Yes. No. Maybe. Maybe not. It depends.
I get this question sometimes, at least enough to write about it here. First off, I do not and have never worked for X-Ways. They have never paid me for anything (writing, teaching, testing, or developing). I have no connection other than I use their products. My partner and I did suggest to X-Ways to put on training, and we set up the first X-Ways training course in Seattle, WA. Oh, my partner and I did get a license for Evidor at that time for hosting the class, and 2 free seats in the class.
That is the only thing that I have in connection with X-Ways and supporting their products.
With that, sometimes XWF is the best tool for what I need, other times it is the 2nd best, and sometimes it would be useless in what I need to do. That is my honest opinion.
I use a lot of software for specific problems. For the software that I trust as effective, I support them through personal and professional marketing. I want them to succeed so that I can take advantage of their growth and development in their tools.
So, sometimes it is the best and sometimes another tool is best. It all depends, like everything else in DFIR. As a side note tho, XWF is one of the tools that I think is darn near mandatory to have in your toolbox.
*those other books are: The DFIR Investigative Mindset, Stepping into the Breach, and Placing the Suspect Behind the Keyboard. The Mindset book is technically done and needs review. Stepping into the Breach is in progress, and Placing the Suspect Behind the Keyboard has been an ongoing project that was put on hold for Stepping into the Breach.
I’m going to sign it (not a major deal..just my signature).
Then I’m going to write a personal note to you and sign that note.
Then I’m going to highlight one passage that means the most to me in the book that you might like to see. And I’ll sign that highlighted passage too, just to put my name on what I believe in.
So, you won’t be getting a pristine book, but rather a personalized XWF book that is unique among the thousands of other copies out there.
A challenge to you
I have given away a bunch of books over the past years as part of a DFIR Book Challenge. This is a continuation of that challenge. I paused this challenge with the lockdowns since no one was going anywhere, but now we are free to travel. I have another book to give away next month and will be buying more books asking those authors to sign in the same manner. The author will sign and highlight, then I will, then I will give the books away in the challenge.
Here is the challenge:
Read the book. Learn from it. And then give it away.
But before giving it away, write something personal to the person who you are giving it to. Then highlight a passage that was meaningful to you, and sign that. And ask the person you give the book to do the same.
Do this at a training event, or your workplace, or wherever you meet DFIR folks.
This book will be the only X-Ways/2E book that I sign with a personal statement and highlighted passage, and passed to someone that I challenge to carry on. If you do this, it will be the only XWF/2E book signed by the writer, then the next reader, and the next reader, and…
Why?
This is an ice-breaker to engaging people. Did you ever wonder what to say to someone that you wanted to speak to at a conference? How about, “Hey, someone gave me a DFIR book signed by the author in a book challenge to pass on? I would like you to have it next if you’d be so kind.”
Now you engaged. Now there is conversation with someone that is positive and fruitful. Now your name is in the list of readers of the book that passed from the author to another and hopefully another and hopefully another.
You will also see what others feel are important in the book that you have in your hand. This is priceless insight of other DFIRers.
———————————-
Free to enter. Free to win and free shipping too!
Enter by September 25, 2022 as the drawing will be on September 26, 2022.
@Brett_Shavers Thanks! Your book was VERY helpful. Used X-Ways today for the first time on a real life matter. Wow! Processing time savings, search and events are worth the price of admission.
Got where I was going fast and I just scratched the surface of the tool.
Every purchase of nearly everything that I make must answer one simple question: “Is this worth the money?”
For personal items, this is an easy question to answer. If my car needs gas, the answer is always “Yes” because I need to drive my car!
For work items, this question needs a little reflection. For example, when I evaluate a need for any DFIR tool (hardware, software, books, training, education), I want to know:
(1) Do I really need it or can I use what I already have, or
(2) will this tool make me more money net in billing, or
If there is one chapter, or one paragraph in the book that can save you a gross amount of time or prevent making errors or help be more effective with X-Ways Forensics than if you didn’t read it, then the value of the book is equivalent to that amount of benefit.
Sometimes, it is difficult to recognize value in our tools. We tend to look at the dollar sign for a conference or software and complain (silently or not-so-silently) that everything is too expensive or should be free. Practically, however, if taking a $5,000 training course allows you to work on cases where you might be billing $10,000 to $50,000 PER CASE, then $5,000 is a great investment.
I look at books the same way. If I can spend a few minutes a day reading and find something that can save me days of effort, or prevent mistakes that cost me days of re-doing work or embarrassment, then that book cost was worth it. Even if the book sits on a shelf until needed, I plan on using every tool at my disposal just so my expenses can be turned into investments.
Perhaps, especially if you are new to X-Ways Forensics, this book is worth 100x its price.
There are two X-Ways Forensics Practitioner’s Guides. One is the outdated first edition and the second is the newly released second edition.
First edition: Outdated. Still being sold by some sellers.
Second edition: Current edition. Only sold via Amazon and no electronic versions.
The first edition is maybe still 25% relevant as so much has changed in X-Ways. The second edition is 100% relevant and current.
There is a reduced price by Amazon for the second edition. Take advantage of that now before it goes back to retail price.
I only post this because someone just bought the wrong book and asked me for an exchange, but I can’t because I am not selling the first edition and don’t have any control over sales of that book. Sorry…