Consider the differences between X-Ways v12 below:
X-Ways Forensics version 12
With the current version 17:
X-Ways Forensics version 17
They look the same!
XWF has had literally hundreds upon hundreds of significant updates over this time between v12 and v17, but the interface and usage remain constant. Personally, I enjoy an update to a program that looks the same, with the buttons in the same place and new features to use. The last thing I want is a totally different interface, buttons I have to hunt and peck to find or miss completely, or having to take another class from the vendor to be told how to use their newfangled program.
It's nice to know that in 10 years XWF will probably look the same; even though it will be able to do so much more by then, I'll be able to use it without skipping a beat.
This is also the reason that the XWF Guide will carry you through the next many years without having to worry about a major change in operation of XWF. What other manual or guide can say that?
I recently finished tech editing a book soon to be published on Cloud Storage Forensics. One of the main tools used was....wait for it...X-Ways Forensics. Without giving anything about the book away, I was really impressed by the level of detail documented on the amount of research conducted in cloud storage forensics.
The book goes to print in January, but it is available for preorder. I'll be writing a review of the book once it is made available, but in short, I give it a high grade for technical accuracy and research on the most commonly used cloud storage services and the connected machines. The authors documented their testing of various cloud services as scientific examinations (which, by the way, digital forensics testing is...), and their methods can be used by anyone, as can their results. I'll give a small tidbit: there are many instances of "holy smokes!" in some of their findings that I have not seen anywhere else.
The authors could have chosen any major forensic tool, but they chose XWF. This is just another example of how X-Ways Forensics is used to validate scientific theories and tests over all others. The reason is simple: XWF works.
This book, along with a few others that I know are coming out fairly soon, should be quick sellouts for the first printing. For anyone that buys books from Amazon, preordering is a good way to go and Amazon price matches books, even after you have already ordered. Just saying...
The current (and free) issue of eForensics Magazine has an article on imaging with X-Ways Forensics. Of course, the XWF Guide is more detailed, but to get an idea of some of what XWF can do with imaging, take a look at the article.
The Mini-WinFE project is out of beta (it worked as expected). This is a "mini" FE because it is a tad bit more than the original command-line-only version and a little less than the full-featured, every-option-available version.
It's fast to build (less than 10 minutes to build and burn to a CD), fast to boot, and fast to image.
Since it is primarily an imaging solution, scripts for FTK Imager, X-Ways Forensics, and the FAU imaging utilities are included. X-Ways does not "come with" this WinFE; you need a license for X-Ways. FTK Imager, like FAU, is free for you to download for use in this Mini-WinFE.
This is the build you want when you need a Windows-based imaging boot system. It has been developed from a forensic acquisition perspective, without an option to build anything other than a write-protected WinFE OS.
A faster WinFE build is available on http://winfe.wordpress.com/ that includes a script to add XWF to the build. Of course, you have to have a license for XWF for the script to add it to the build. As of now, it includes FTK Imager and dd tools, with more to be added. The build method is a beta only because more apps are being added that need to be tested. Other than that, it works great with FTK Imager, XWF, and a few other small apps. The goal is to put several imaging options on it for user preference.
Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.
There is no difference in the write protection in this faster build, as it uses Colin Ramsden's write protection application; the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish. You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes, from pushing the button to having a WinFE CD/DVD/USB in your hand.
Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE. And just because it only takes 10 minutes doesn't mean WinFE is a minor forensic tool. With XWF, WinFE is way more than just something you can throw together to image. It's really neat.
This is Project 1 of 3 for alternative WinFE builds. The two other projects are forthcoming, the primary difference being that you can choose which method you prefer.
This build is tentatively called “Mini – WinFE” because it is a super quick method to build a WinFE with minimal features. Primarily, it is an acquisition boot disc with the FAU utilities and FTK Imager available for you to add (no cost for these apps online). It is also set up for X-Ways Forensics (of course I want X-Ways on it…) if you have XWF. You will notice that there is not an option to select the Write Protection app (by Colin Ramsden) to make this a WinFE. That is because you don’t have a choice. This project only builds a WinFE and not a PE, eliminating any mistake in your build. It’d be a ‘bad thing’ to think you were using WinFE when you actually missed a step and were using a “P”E.
From start to finish, you can have your WinFE.iso completed in about 3 or 4 minutes. From there, you can either put the ISO on a CD or USB. Creating a bootable USB or CD adds about 5 minutes. So, in less than 10 minutes, you have your very own WinFE bootable CD/USB. By the way, I am only a conduit of these builds as others (to be credited) are actually doing all the heavy lifting. For this project, "Misty" from reboot.pro put it all together. Nicely done.
Personally, this is a build method I really like because it is fast to build, fast to boot, and fast to run. It does not have all the bells and whistles of a more fully featured WinFE build, but if you just need an imaging disk, this is a great way to go.
Contact me if you want to be a beta tester and I’ll send the login creds to download the project.
And really, if you haven't built a WinFE yet, it doesn't get much easier than this, or faster. If you teach how to build a WinFE in training, this build method makes everything you did before obsolete, at least as far as the time involved to teach and use it. In less than 10 minutes, your class has a bootable forensic operating system. How cool is that?
So how easy is it? Take a look below.
Point to your Windows source
Few options = no mistakes.
Point to the FTK Imager.exe on your drive (download and install from AccessData)
Point to your XWF.exe if you have XWF. Otherwise, uncheck the box.
Push the blue arrow. Don't go anywhere, it'll only take a few minutes.
Bootable USB Media
You can either use the command line with Diskpart or a GUI app like Rufus (http://rufus.akeo.ie/). The instructions for Rufus amount to looking at the GUI, choosing your options, and selecting Start.
Using the command line requires a few more steps, as seen below. Both methods work.
Want to make a bootable USB? Open a command prompt. Type diskpart.
Run the above commands against your USB. Be careful and make sure you choose your USB. Disconnect extra drives to be sure.
Copy/extract the files from your WinFE.iso to your USB. You can use WinRAR and just extract to the USB. End result = DONE. You now have a bootable WinFE USB.
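For the diskpart route, here is the same sequence wrapped in a PowerShell script, added as an example and not part of the project or the original post. It assumes Windows 8 or later (for Get-Disk and Get-Partition), an elevated prompt, and that you have already extracted WinFE.iso to a folder; the disk number and folder path are placeholders you supply, and the script refuses to touch any disk that is not on the USB bus so that "choose your USB" is enforced rather than trusted.

```powershell
# Added example (not from the original post): build the Mini-WinFE USB with
# diskpart, guarded so "clean" can only run against a USB-attached disk.
# Assumptions: Windows 8+ Storage module, run as Administrator, WinFE.iso
# already extracted to $IsoExtractDir. Both parameters are placeholders.
param(
    [Parameter(Mandatory)][int]$DiskNumber,       # number shown by Get-Disk / "list disk"
    [Parameter(Mandatory)][string]$IsoExtractDir  # e.g. C:\WinFE\extracted (hypothetical)
)

# Guard: never erase an internal or evidence drive by a mistyped disk number.
$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber ($($disk.FriendlyName)) is on bus '$($disk.BusType)', not USB. Refusing to clean it."
}
Write-Host ("About to ERASE disk {0}: {1} ({2:N1} GB)" -f $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB))
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

# The diskpart steps the post runs by hand, fed through /s so nothing is retyped.
$dpScript = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=fat32 quick label=WINFE
assign
exit
"@
$dpPath = Join-Path $env:TEMP 'winfe-usb.txt'
Set-Content -Path $dpPath -Value $dpScript -Encoding ASCII
diskpart /s $dpPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Find the letter diskpart just assigned and copy the extracted ISO contents onto it.
$letter = (Get-Partition -DiskNumber $DiskNumber | Where-Object DriveLetter | Select-Object -First 1).DriveLetter
if (-not $letter) { throw 'No drive letter was assigned to the new partition.' }
$dest = "${letter}:\"
Copy-Item -Path (Join-Path $IsoExtractDir '*') -Destination $dest -Recurse -Force
Write-Host "WinFE files copied to $dest. Boot it on a test machine and confirm the write-protect dialog appears before using it on evidence."
```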
Boot screen for WinFE (source was Windows 8 for this example)
You get a friendly reminder to be careful with ALL forensic boot discs. You also get Colin Ramsden's most excellent write protection application. Very cool, thanks Colin.
I'm sure you have tested your WinFE (if not, that means you have not yet used it in a real case....). If you have, take a look at a draft of tests at http://minixp.reboot.pro/other/WinFE/winfe.htm. This link will change soon, but I will update it as soon as it changes. Until then, you can catch it now.
For anyone that has not yet tested their WinFE, this would be a good foundation to build your tests and validation on. For anyone that doesn't believe in validating your tools, that is totally a personal choice (although, not my choice).