| |
Front Cover |
1 |
|
| |
X-Ways Forensics Practitioner’s Guide |
4 |
|
| |
Copyright |
5 |
|
| |
Contents |
6 |
|
| |
Acknowledgments |
12 |
|
| |
About the Authors |
14 |
|
| |
Foreword |
16 |
|
| |
Introduction |
18 |
|
| |
Introduction |
18 |
|
| |
Intended audience |
18 |
|
| |
Brief history of X-Ways Forensics |
19 |
|
| |
Comparisons to ``other´´ forensic suites |
20 |
|
| |
Organization of this book |
20 |
|
| |
Chapter 1: Installation and configuration of X-Ways Forensics |
21 |
|
| |
Chapter 2: Case management and imaging |
21 |
|
| |
Chapter 3: Navigating the X-Ways Forensics interface |
21 |
|
| |
Chapter 4: Refine volume Snapshot |
21 |
|
| |
Chapter 5: The XWF internal hash database and registry viewer |
22 |
|
| |
Chapter 6: Searching in X-Ways Forensics |
22 |
|
| |
Chapter 7: Advanced use of XWF |
22 |
|
| |
Chapter 8: X-Ways Forensics reporting |
22 |
|
| |
Chapter 9: X-Ways Forensics and electronic discovery |
22 |
|
| |
Chapter 10: Consent to search and supervision of paroles |
22 |
|
| |
Summary |
23 |
|
| |
Chapter 1: Installation and Configuration of X-Ways Forensics |
24 |
|
| |
Introduction |
24 |
|
| |
System requirements |
24 |
|
| |
Installing XWF |
25 |
|
| |
Alternative install methods |
26 |
|
| |
The XWF dongle |
28 |
|
| |
Upgrading your dongle |
30 |
|
| |
The XWF user interface |
31 |
|
| |
Configuring XWF |
32 |
|
| |
Summary |
37 |
|
| |
Reference |
37 |
|
| |
Chapter 2: Case Management and Imaging |
38 |
|
| |
Introduction |
38 |
|
| |
Creating a case file |
39 |
|
| |
Creating a new case |
40 |
|
| |
General case information section |
41 |
|
| |
Audit trail and activity logging section |
42 |
|
| |
Code pages section |
42 |
|
| |
Other options section |
42 |
|
| |
Creating/Adding evidence files |
44 |
|
| |
Creating Forensic images with XWF |
45 |
|
| |
Live response using XWF |
50 |
|
| |
Using XWF to review medium while imaging |
50 |
|
| |
Reverse imaging |
51 |
|
| |
Skeleton imaging |
53 |
|
| |
Cleansed imaging |
55 |
|
| |
CD/DVD |
56 |
|
| |
Physical memory imaging |
56 |
|
| |
Container files |
57 |
|
| |
Working with RAID arrays |
59 |
|
| |
Augmenting with F-Response |
62 |
|
| |
Shortcuts |
66 |
|
| |
Summary |
66 |
|
| |
Chapter 3: Navigating the X-Ways Forensics Interface |
68 |
|
| |
Introduction |
68 |
|
| |
Case Data directory tree |
68 |
|
| |
Right click behaviors |
70 |
|
| |
Middle-click behaviors |
73 |
|
| |
Toolbar, tab control, and Directory Browser Options, Filters |
74 |
|
| |
General Options |
76 |
|
| |
Item listing options |
80 |
|
| |
Directory Browser column and filter options |
80 |
|
| |
Directory Browser columns |
81 |
|
| |
Directory Browser |
83 |
|
| |
Column sorting |
83 |
|
| |
Column filtering |
83 |
|
| |
Directory Browser context menu |
86 |
|
| |
Mode buttons and Details pane |
96 |
|
| |
Legend mode |
96 |
|
| |
Volume/Partition mode |
96 |
|
| |
Disk mode |
97 |
|
| |
File mode |
97 |
|
| |
Preview mode |
97 |
|
| |
Details mode |
98 |
|
| |
Gallery mode |
98 |
|
| |
Calendar mode |
99 |
|
| |
Directory Browser mode |
99 |
|
| |
Sync mode |
99 |
|
| |
Explore recursively mode |
99 |
|
| |
Search hit list mode |
99 |
|
| |
Events mode |
99 |
|
| |
Position manager mode |
99 |
|
| |
Status bar |
100 |
|
| |
Right clicking the status bar |
100 |
|
| |
Left clicking the status bar |
101 |
|
| |
Data Interpreter |
102 |
|
| |
Main menu |
103 |
|
| |
General Options continued |
103 |
|
| |
Volume Snapshot options |
107 |
|
| |
Viewer Programs options continued |
107 |
|
| |
Security Options |
107 |
|
| |
Shortcuts |
109 |
|
| |
Summary |
109 |
|
| |
Chapter 4: Refine Volume Snapshot |
112 |
|
| |
Introduction |
112 |
|
| |
Volume snapshot options |
113 |
|
| |
Starting RVS |
116 |
|
| |
Take new one and default RVS options |
117 |
|
| |
RVS options |
118 |
|
| |
File recovery options |
119 |
|
| |
File processing options |
121 |
|
| |
Extract e-mail messages and attachments from. . . |
125 |
|
| |
Results of an RVS |
128 |
|
| |
Shortcuts |
130 |
|
| |
Summary |
130 |
|
| |
Reference |
131 |
|
| |
Chapter 5: The XWF Internal Hash Database and the Registry Viewer |
132 |
|
| |
Introduction |
132 |
|
| |
XWF internal hash database and hash sets |
133 |
|
| |
Hash categories |
133 |
|
| |
Computing hash values |
135 |
|
| |
Creating hash sets |
136 |
|
| |
Duplicate hash values |
140 |
|
| |
The registry through X-Ways Forensics |
141 |
|
| |
The XWF Registry Viewer |
143 |
|
| |
Viewing USB devices |
144 |
|
| |
Exporting |
146 |
|
| |
The XWF Registry Report |
147 |
|
| |
Shortcuts |
148 |
|
| |
Summary |
148 |
|
| |
Chapter 6: Searching in X-Ways Forensics |
150 |
|
| |
Introduction |
150 |
|
| |
Simultaneous search |
150 |
|
| |
Search terms and code pages |
151 |
|
| |
How to search options |
152 |
|
| |
Where to search options |
153 |
|
| |
Additional search options |
155 |
|
| |
Search methodologies |
156 |
|
| |
Regular expressions |
156 |
|
| |
Regular expression examples |
158 |
|
| |
GREP and regular expressions in XWF |
160 |
|
| |
Indexed search |
161 |
|
| |
Other index-related options |
167 |
|
| |
Reviewing search hits |
168 |
|
| |
Search Hit List columns |
169 |
|
| |
Interacting with the Search Hit List |
169 |
|
| |
Simultaneous search results vs. indexed search results |
170 |
|
| |
Search Hit List options |
170 |
|
| |
+ and - operators |
171 |
|
| |
Alternate method |
171 |
|
| |
Proximity between search terms using the Search Hit List |
172 |
|
| |
Text search |
172 |
|
| |
Hexadecimal search |
174 |
|
| |
Shortcuts |
175 |
|
| |
Summary |
175 |
|
| |
Chapter 7: Advanced Use of X-Ways Forensics |
176 |
|
| |
Introduction |
176 |
|
| |
Customizing X-Ways Forensics configuration files |
176 |
|
| |
XWF directory-based configuration files |
177 |
|
| |
User profile-based configuration files |
177 |
|
| |
File Type Categories.txt |
177 |
|
| |
Assigning ranks |
177 |
|
| |
Assigning groups |
178 |
|
| |
The effects of FTC customization |
179 |
|
| |
File Type Signatures Check Only.txt |
180 |
|
| |
File Type Signatures Search.txt |
180 |
|
| |
Maneuvering in hex |
180 |
|
| |
Data Interpreter |
181 |
|
| |
Defining blocks of data |
183 |
|
| |
User search hits |
183 |
|
| |
Other options |
184 |
|
| |
Sector superimposition |
186 |
|
| |
Templates |
186 |
|
| |
Timeline and event analysis |
190 |
|
| |
Calendar mode |
190 |
|
| |
Events view |
192 |
|
| |
Gathering free and slack space |
193 |
|
| |
RAM analysis |
195 |
|
| |
Opening memory from within XWF |
198 |
|
| |
Scripting, X-Tensions API, and external analysis interface |
199 |
|
| |
Scripting |
199 |
|
| |
X-Tensions |
200 |
|
| |
External analysis interface |
200 |
|
| |
Shortcuts |
201 |
|
| |
Summary |
202 |
|
| |
Chapter 8: X-Ways Forensics Reporting |
204 |
|
| |
Introduction |
204 |
|
| |
Adding items to a report table |
204 |
|
| |
RT associations options |
206 |
|
| |
Adding a new RT association |
208 |
|
| |
Meanwhile, back in the Directory Browser |
210 |
|
| |
Sharing RT associations |
211 |
|
| |
Comments |
212 |
|
| |
Report generation |
212 |
|
| |
Main report options |
214 |
|
| |
Audit trail options |
214 |
|
| |
RT options |
214 |
|
| |
Report customization |
217 |
|
| |
Shortcuts |
218 |
|
| |
Summary |
218 |
|
| |
Chapter 9: X-Ways Forensics and Electronic Discovery |
220 |
|
| |
Introduction |
220 |
|
| |
Civil litigation |
220 |
|
| |
Preparing XWF |
221 |
|
| |
Accessing the data |
222 |
|
| |
User created files-Existing (active) files |
223 |
|
| |
Copying the filtered files |
225 |
|
| |
Optional method of creating a file list |
225 |
|
| |
Printing the relevant files |
226 |
|
| |
XWF container |
227 |
|
| |
Redacting files within an image |
228 |
|
| |
Review of relevant data with X-Ways Investigator |
229 |
|
| |
Bates numbering |
230 |
|
| |
Attorney review of data |
231 |
|
| |
Forensic analysis and electronic discovery |
231 |
|
| |
Log file and reporting |
231 |
|
| |
Summary |
231 |
|
| |
Reference |
232 |
|
| |
Chapter 10: X-Ways Forensics and Criminal Investigations |
234 |
|
| |
Introduction |
234 |
|
| |
X-Ways Forensics and criminal investigations |
235 |
|
| |
Prepare XWF |
236 |
|
| |
Adding evidence items |
237 |
|
| |
Case scenario |
239 |
|
| |
Summary |
241 |
|
| |
Reference |
242 |
|
| |
Appendix A: X-Ways Forensics Additional Information |
244 |
|
| |
Introduction |
244 |
|
| |
Online resources |
244 |
|
| |
X-Ways forensics video clips-http://xwaysclips.blogspot.com/ |
244 |
|
| |
JustAskWeg-http://justaskweg.com/ |
245 |
|
| |
Third-party software |
245 |
|
| |
Keyboard shortcuts |
246 |
|
| |
Shortcuts and commands under ``File´´ |
247 |
|
| |
Shortcuts under Edit |
247 |
|
| |
Shortcuts under Edit | Copy Sector |
247 |
|
| |
Shortcuts under Edit | Clipboard Data |
247 |
|
| |
[H2] Shortcuts under Search |
248 |
|
| |
Shortcuts under Navigation |
248 |
|
| |
Shortcuts under Navigation | Go To |
248 |
|
| |
Shortcuts under View |
249 |
|
| |
Shortcuts under Tools |
249 |
|
| |
Shortcuts under Tools | Disk Tools |
249 |
|
| |
Shortcuts under Tools | File Tools |
249 |
|
| |
Shortcuts under Specialist |
249 |
|
| |
Shortcuts under Specialist | Evidence File Container |
250 |
|
| |
Shortcuts under Options |
250 |
|
| |
Shortcuts under Window |
250 |
|
| |
Appendix B: X-Ways Forensics How to’s |
252 |
|
| |
Frequently asked questions and more XWF tips |
252 |
|
| |
How can I find encrypted containers? |
252 |
|
| |
Can I search slack space while eliminating logical file contents? |
252 |
|
| |
I want to list files so that parent files precede its child objects. Is this possible? |
253 |
|
| |
I need to recursively list two directories at once. What is the easiest way? |
253 |
|
| |
How can I export a recursive file listing? |
253 |
|
| |
Is it possible to conduct a keyword search on cell phone evidence? |
253 |
|
| |
How can I import Base32-encoded SHA-1 hashes? |
253 |
|
| |
How can I export a search hit list? |
254 |
|
| |
I need to export search hits. Where in XWF can I do this? |
254 |
|
| |
Can XWF generate a registry report for every hive in a case? |
254 |
|
| |
What if I need to reprocess items from an evidence object? How can I do this in XWF? |
254 |
|
| |
How do I verify the hash of an image? |
254 |
|
| |
How can I find which volume shadow copy a file came from? |
254 |
|
| |
I want to tag every item in an evidence object. How can I do this and how can I untag if needed? |
255 |
|
| |
I cant find files that I know I tagged! What happened to the files? |
255 |
|
| |
There are so many files I see that I know are duplicates, but I cant find how to hide them. How can I hide all duplicates? |
255 |
|
| |
How can I find and export all e-mail addresses from an image? |
255 |
|
| |
I just need to copy active files from a custodians machine and dont need a forensic analysis. Do I have to take a refined s ... |
255 |
|
| |
I want to use XWF as a consent search application. Should I run it from an external device on a live machine or should I us ... |
256 |
|
| |
There are some things XWF does not do that I would like it to do. Will XWF update to what my needs are? |
256 |
|
| |
There are a lot of features and options available in XWF. Am I expected to know where everything is? |
256 |
|
| |
I have been using so many filters and hiding files that I dont remember which files I am hiding or able to view. Can I just ... |
256 |
|
| |
I want to use WinHex and XWF but I want to be sure that I do not edit evidence by mistake. Since the two programs look the ... |
256 |
|
| |
Index |
258 |
|
