X-Ways Forensics runs in the new WinFE 10

TL;DR

Here is the WinFE website with build instructions: www.winfe.net .

Brief overview of some details that may be helpful to know

Developed by Troy Larson of Microsoft in 2008, further developed into a GUI build (WinBuilder) by a number of developers in 2009, with a great write protect tool written by Colin Ramsden in 2012, noted in digital forensic books such as Computer Forensics InfoSec Pro Guide and Computer Forensics and Investigations, taught by FLETC, SEARCH, IACIS, and DFIR Training, documented in dozens of blogs and magazines, WinFE has become a widely accepted and commonly used digital forensics tool. And now you can boot an ARM device and image it with WinFE 10.

Windows Forensic Environment Training available

Typically, WinFE training has been law enforcement or association-membership only. In fact, there are no training courses outside of government training. Government training courses have been provided by IACIS, SEARCH, ICAC, NW3C, and FLETC.

The only non-government course is the Windows Forensic Environment online course created in 2014 and updated today with WinFE 10. I’m not counting YouTube videos as formal, documented training…neither should you (please do not put “I learnt forensics on YouTube” on your court CV…). This course was created by one who has been involved in WinFE development from shortly after its initial inception (that’s me!).

Side note: I have a short promo of 60% off the Windows Forensic Environment course for the first 100 people. Completing the entire course gets you 6 hours of formal, documented training, which is way better to put on your training records than watching a YouTube ‘training’ video. So, if you use WinFE, and want documented proof of training from one of the original developers, here you go!

Registration: $125

Promo code: WINFE10 (60% off, for $50)

Website: http://courses.dfironlinetraining.com/windows-forensic-environment-winfe

Promo expires: January 31, 2020, or at the 100th registration, whichever is first.

Hours: 6

Access: 1 month. 24/7 on demand


WinFE Cheats Guide

In a few days, you will see an updated WinFE Cheats Guide available on Amazon.com. Currently, the guide available doesn’t have the WinFE 10 information, but when you see the new cover “Includes WinFE 10”, that will be the updated guide, should you wish to purchase the only book in print that focuses only on WinFE. https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782


C4All X-tension update

Update November 14, 2014

Download link to version 3.6.2.d https://www.dropbox.com/s/zewn7myskf…6.2.d.zip?dl=0
This update changes the way video stills are treated when extracting movies:
- Video stills are now extracted if the parent movie is extracted, regardless of whether the video still has been type verified.
Version 3.6.2.d also fixes a few issues with C4All not handling some characters.
Videos and links to updated guides.
Steps for c4all X-tension updated November 2014.doc
www.dropbox.com/s/sfd3…4.doc?dl=0

Steps to prepare and run C4All X november 2014.doc
www.dropbox.com/s/23ts…4.doc?dl=0

I recommend downloading both guides. ***Both updated November 2014***

Links to Youtube videos to run X-Tension
www.youtube.com/watch?v=HP6DTzpG0KI – part 1 of 3
www.youtube.com/watch?v=zCIcrA9CldI – part 2 of 3
www.youtube.com/watch?v=53cLlcogr40 – part 3 of 3

Updates to X-tension and Hash File Manipulator

Hashbrown program 64 bit version only http://1drv.ms/1tLsNnG updated October 10 2014

instructions http://1drv.ms/XNdgeJ
- New version that handles many duplicates and many unsorted entries more efficiently posted.
X-tension
Update October 19 2014
Download link to version 3.6.2.c http://1drv.ms/1prWU2h
- Fixed issue with extended character support of UTF-16 in XML. Should show all but the 0xD800–0xDFFF characters.
- Adds the functions of 3.5.12.k as well as the option to create a picture/video library using the MD5 hash value as the file name, and the option to include not-confirmed files when extracting pictures and movies (before, the file had to have a type status of Confirmed or Newly identified; see the post from 27 September in this thread for more details).
- 3.5.12.k: option to include or not include metadata in the XML.
- The option to run against multiple evidence objects, and better naming of folders in the c4all folder tree.
- CETS users have a toggle to create a CETS XML or not.
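The UTF-16 note in the changelog above (everything is emitted except the 0xD800–0xDFFF range) is a property of XML itself, not a quirk of the X-tension: XML 1.0 excludes the surrogate block, because in UTF-16 those code units only occur in pairs that together encode one supplementary character, so a lone surrogate left over from a truncated or damaged file name has no legal XML form. The Python below is an added example written for this post, not code from the C4All X-tension, X-Ways, or any of its authors. It decodes constructed UTF-16LE byte strings the way an export routine might, strips what XML 1.0 cannot carry (lone surrogates and C0 control characters) while keeping genuine supplementary characters, and checks the result with a real XML parser. The `<file name="...">` element and the sample bytes are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# The surrogate block U+D800..U+DFFF is deliberately absent; supplementary
# characters (U+10000 and up) are allowed, even though UTF-16 stores them as a
# surrogate pair on disk.
_NOT_XML_CHAR = re.compile(
    "[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def sanitize_for_xml(text: str, replacement: str = "") -> str:
    """Drop (or replace) every code point XML 1.0 cannot carry; keep the rest,
    including supplementary characters such as emoji in file names."""
    return _NOT_XML_CHAR.sub(replacement, text)


def utf16le_to_text(raw: bytes) -> str:
    """Decode a UTF-16LE byte string as an export tool reading file-name
    records would. 'surrogatepass' keeps a lone surrogate instead of raising,
    so the sanitizer above, not the decoder, decides what happens to it."""
    return raw.decode("utf-16-le", errors="surrogatepass")


def build_file_record(name: str) -> str:
    """Emit a minimal <file name="..."/> element with a sanitized name
    (the element layout is invented for this example)."""
    elem = ET.Element("file")
    elem.set("name", sanitize_for_xml(name))
    return ET.tostring(elem, encoding="unicode")


def is_well_formed(xml_text: str) -> bool:
    """True if a real XML parser accepts the text as-is."""
    try:
        ET.fromstring(xml_text)
        return True
    except (ET.ParseError, ValueError):  # ValueError covers UnicodeEncodeError
        return False


# Constructed sample names (not taken from any real case):
#  - "pair": a valid surrogate pair encoding U+1F600
#  - "lone": a high surrogate whose partner was cut off
#  - "ctrl": an ASCII control character, which XML 1.0 also forbids
SAMPLE_NAMES = {
    "pair": utf16le_to_text(b"\x3d\xd8\x00\xde"),
    "lone": utf16le_to_text(b"\x3d\xd8"),
    "ctrl": "report\x01.txt",
}

if __name__ == "__main__":
    for label, name in SAMPLE_NAMES.items():
        unsafe = ET.tostring(ET.Element("file", name=name), encoding="unicode")
        print(
            f"{label}: raw well-formed={is_well_formed(unsafe)} "
            f"sanitized well-formed={is_well_formed(build_file_record(name))}"
        )
```

Run stand-alone, the script shows the "pair" name surviving intact in both forms, while the "lone" and "ctrl" names only produce parseable XML after sanitizing. If you post-process the X-tension's XML with your own scripts, this is the same check to run before trusting a file: parse it, do not just grep it.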

New version of X-Tension

3.6.2.a http://1drv.ms/1rrCJ7s
Changes:
- Adds the functionality to create a picture/video library.
- Adds the ability to extract pictures or movies that have a type status of ‘not confirmed’ (this was added because there are so many variations of AVI formats that even some valid, working movies were not ‘confirmed’). If the user does not want these files, they can be filtered out and the X-Tension run excluding filtered or excluded files.

Last day of discounted X-Ways Forensics online course

I’m sure there are a few more people left to register for the X-Ways Forensics online course (XWF I) with the discount code “xwf1”. That’s 25% off, plus it includes free tuition for the X-Ways Forensics II online course. XWF I is introductory; XWF II is more in-depth, quite a bit longer, and will be released in August. XWF III, a shorter course, will be released sometime after August.

Everyone registering by midnight tonight (Pacific time) for XWF I gets access to XWF II and XWF III when published, without cost. Otherwise, it’s a separate tuition payment for each course. From July 18, XWF I is back to $195, XWF II will be $299, and XWF III will be $75. Each class is lifetime access, on-demand training, including updates to the courses when XWF is substantially updated (there should be a course update once a year).

Details on XWF II are here: https://xwaysforensics.wordpress.com/2014/07/05/x-ways-forensics-practitioners-guide-online-ii/

Register for X-Ways Forensics Practitioner’s Guide online course here:  http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide


Vote for your favorite book

Don’t forget to vote for the XWF Guide at http://forensic4cast.com/2014/04/2014-forensic-4cast-awards-meet-the-nominees/.  But of course, only vote if you liked it 🙂

And if you didn’t like it (which means you don’t have XWF…), vote for my other book, Placing the Suspect Behind the Keyboard.  But again, only vote if you liked it 🙂

And if you didn’t like that book either…give me your phone number.  We need to talk…

Humbled and honored

Forensic 4cast Awards

I just saw that the book of the year nominees at the Forensic 4cast Awards include both the X-Ways Practitioner’s Guide and Placing the Suspect Behind the Keyboard.  For those that made the nominations, that was very kind.  For those that vote for either book, I thank you in advance.

Both books are pretty good.  Each gives plenty of tips and information to save you hours of frustration, and more importantly, close some cases.  There is a sample chapter of Placing the Suspect Behind the Keyboard here: http://searchsecurity.techtarget.com/feature/Placing-the-Suspect-Behind-the-Keyboard  There are reviews at Amazon for both books that may be helpful if you were thinking of getting either book.

If you use X-Ways…you need the X-Ways Guide, no matter how long you have been using X-Ways. When I asked Eric to help me write this book, he ran with it and did a super job of helping create an easy-to-read guide to using a very powerful forensic tool. I have more than a ton of emails about how the book converted Encase/FTK primary users into XWF primary users.

As for the Placing the Suspect Behind the Keyboard, that has also helped more than a few examiners close a case with a simple (yet elusive) tip, trick, method, or process that saves hours, if not days, of work.  Again, even if you have been doing forensics for a long time, nothing says you can’t learn or relearn something you may not know or have forgotten.

Thanks again to everyone.

Brett


WFA/4e

I’m duplicating this post from another blog because this will probably be the coolest book to come out this year in digital forensics and is a must-have.  The short version as to why the book is a must-have is “duh, it’s Harlan’s latest book…and Windows 8…”

I’ll wait to give an “official” review of Harlan’s book (Windows Forensic Analysis Toolkit, Fourth Edition: Advanced Analysis Techniques for Windows 8) only to give others the chance to read it once it becomes available.  But…I’ll say that based on my early reading as a tech editor, this is a book that ranks for me in as much anticipation as a new Tom Clancy novel being released.

I also think this is one of those books that, if not pre-ordered, will have you waiting until it is reprinted due to being over-ordered. The X-Ways Practitioner’s Guide was one of those books too, where late-comers had to wait weeks for the second printing. This book is no different, because just about all of the neat things in the book show just how much Harlan has discovered in some very neat areas of Windows 8.

One thing I learned about ordering books from Amazon, is that Amazon will pretty much match the lowest price found elsewhere.  I also learned that with a pre-ordered book, you can cancel before the book is printed if you find a lower price somewhere else.  The point is, pre-order the book or you may be waiting a month after everyone else gets their copy…it comes out in April ’14 and I’d expect the second printing to be needed in April ’14…

Cool update to the XWFIM, Portable Install

Eric is at it again.  This time with a pretty cool update to the X-Ways Forensics Install Manager (v0.0.7.0).  The update to the XWFIM now includes an option to create a portable install to external media.   Page 13 of the Practitioner’s Guide to X-Ways Forensics details how to do this manually, but XWFIM does it for you with a few clicks.

[Screenshot: portable install option] Easy enough.


[Screenshot: drive letter selection] Cool! Notepad++ and Volume Label renamed.


[Screenshot: result] Bam! Done.


Another cool little feature is that the XWFIM creates all the case folders for you in the process of the portable install.  Neat.

[Screenshot: case folders created by XWFIM] I like this. Saves a few keystrokes, and I’m all about saving keystrokes.


Don’t forget, if you liked the Practitioner’s Guide to X-Ways Forensics, write a review on Amazon to let us know how you liked it (or if you didn’t…). And if you use XWF and didn’t buy the guide…you are missing out on more than a few tips and tricks that will save you dozens of keystrokes.

XWF Guide translations

There is a possibility that the XWF Guide may be translated into Chinese and Korean.  That would be pretty cool.  I can at least look at the pictures 🙂
