Tag: forensics

I have a confession to make…

I have had early access to API Forensics’ Exponents. I have been testing these “X-tensions” for some time now. X-tensions are, in effect, add-ons to expand functionality with X-Ways Forensics. As usual, when I am asked to look and test yet-to-be released software, I tell no one until I can.  So here I am telling you!

There are quite a few free X-tensions available online and several commercial X-tensions.  You can even write your own with a little elbow grease. I’ve written a few, but nothing of any substance than to do a little thing or two that I need in casework.

But with API Forensics’ Exponents, this is an entirely new level of X-tensions. X-Ways Forensics just got a capability boost in a big way.

TL:DR

API Forensics Exponents allows XWF to easily ingest data from sources like video/pictures from mobile devices, cloud  webmail (Microsoft, Google, Yahoo, Zoho, AOL, etc..), and text messages from 3rd party acquisition of mobile devices, along with a Facial Recognition exponent.

My favorite forensic software application is….

…whatever works for when I need it. Yes, I’ve now written two books on how to use X-Ways Forensics, but that was because I felt that XWF users needed more than the documentation provided by X-Ways. I think that I was right about that.

No, I do not only use XWF. I use anything and everything under the sun if the tool does what it says it can do and it solves for what I need. I will never promote a bad tool, nor complain about a bad tool other than sending a message to the developer directly. If you see a tool promoted on dfir.training or anything that I write or say, that means I personally endorse it.

But I do use XWF as a primary tool and as a validation tool to for different tools that I use as primary tools. It all depends on the type of case (data, device, OS, objectives, time, etc…) that I choose which tool will be my primary for that particular device or data examination.

The biggest negative with XWF is what it doesn’t do as well (or do at all) as other tools, like encryption. For those instances, I am exporting the data out of a XWF case for analysis with another tool that is better suited for that data. Yes, other tools are “better” than XWF in specific instances just as XWF is “better” than other tools in specific instances. I even wrote about this in the XWF books, noting that XWF even has a feature just for this purpose.

Back to API Forensics

And this is why I find API Forensics to be really cool. It gives XWF features that I wanted XWF to do in the first place, reducing redundancy in exporting data to yet another tool that needs yet another tool to validate.

Do I recommend this tool?

If you are examining the type of data that API Forensics supports AND you use XWF, then absolutely I recommend it. I am assuming that you are already competent in XWF if you have a license (and read my book!) so the learning curve is barely anything for the features you are adding in XWF.

X-Ways Forensics and WinFE

winfeA faster WinFE build is available on http://winfe.wordpress.com/ that includes a script to add XWF to the build.  Of course, you have to have a license for XWF for the script to add it to the build.  As of now, it includes FTK Imager and dd tools, with more on the way to add.   The build method is a beta only because more apps are being added that need to be tested.  Other than that, it works great with FTK Imager, XWF, and a few other small apps.  The goal is to put several imaging options on it for user preference.

Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD.
Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.

There is no difference between the write protection in this faster build as it uses Colin Ramsden’s write protection application, but the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish.  You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes time, starting from pushing the button and having a WinFE CD/DVD/USB in your hand.

Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE.  And just because it only takes 10 minutes doesn’t mean WinFE is a minor forensic tool.  With XWF, WinFE is way more than just something you can throw together to image.  It’s really neat.

Last day for the 40% discount on the XWF Guide!

This is one of those times that procrastinating will cost you money….

What will you tell yourself when you have to spend twice as much for the XWF Guide after tomorrow?

 

40

 

http://store.elsevier.com/product.jsp?isbn=9780124116054&_requestid=665676

And shipping is free?  Wow.  Doesn’t get much better than that. 

X-Ways Forensics Practitioner’s Guide is coming!

Eric Zimmerman and Brett Shavers have started writing the “X-Ways Forensics Practitioner’s Guide”, due out toward the end of year 2013.

Check back as to when the guide will be available.   This guide intends to be the source of using X-Ways Forensics.