Cloud Storage Forensics book review

I've been waiting for this book to come out so I can write something about it. I had the fortune of being able to read it early as I was asked to be the tech editor of the book. It's not my book, but if it were, I'd be mighty proud of it. If you want to skip this review and get to the point, here it is: get this book, it is well worth it! This is another one of those books that you will wish had been written before you tried to figure out how to do it on earlier cases...


The forensic books of today have gotten so much better, not because older books are not good, but because the information we know now is so much more detailed and specific. The topics of the books are no longer "Computer Forensics" but rather specific topics within forensics: books focusing solely on registry forensics or Windows forensics or X-Box forensics. And now we have cloud forensics. This makes it so much easier to find a reference when needed by grabbing a book on the specific subject instead of flipping through a book to find a specific chapter of a subject.

One of the biggest differences you'll find in this book is the documentation of the methodology followed by the authors: step-by-step instructions of what they did and their findings. Every chapter follows the same methods, in order and detail. It is laid out so well that you can replicate their work on any cloud system not covered and know that you did a good job. Another neat thing about this book...the authors used X-Ways Forensics.

As I mentioned, the forensic books of today make it nice to have books dedicated to one topic in detail. That is the good news and the bad news as there are many of these books being published to buy.

I know many people like Kindle versions, but I have this book in print (not Kindle) because I like to treat it the same as all my other reference books: dog-eared, highlighted, sticky-noted, and lots of personal notes written throughout the book.



Thesis on WinFE, shared by Alex Van Ginkel

Very cool of Alex to share his work.  Thanks Alex!


Alex van Ginkel Final Thesis MSc_27nov

Integrated Scripts to WinFE

There is some behind-the-scenes work going on to create scripts that integrate forensic applications into WinFE. This is substantial work for WinFE users as it reduces your effort to add programs during the build process. Basically, a one-button approach to add a forensic application.

But, before you wait for these scripts to be written, remember that you can add many programs without a script or additional work if the program is already portable (meaning, no need to install for it to run).  The best example of a full-fledged forensic suite is X-Ways Forensics.  Many small forensic applications are also portable and easily copied into a WinFE build.  The difference is, X-Ways Forensics is an entire forensic suite, not just one app.

Some forensic apps being worked on now to be put into WinFE may not be full forensic suites, but have a single powerful function that makes them worthwhile. I won't break the news yet and will let the vendors have first crack.

On another note, last week, I helped an LE forensics detective set up a review platform with WinFE for other detectives in his department using X-Ways Investigator.

The problem:

--Detectives assigned to cases with electronic evidence, particularly illicit images evidence, wanted to do light review work for their cases.

--Reviewing any type of illicit images on a work machine only leads to that machine getting dirtied up.  Also, every detective had 'their own way' of setting up their computers.

--Detectives had no forensic training.

The solution:

--WinFE and X-Ways fixed both problems.

--Department purchased two licenses of X-Ways Investigator.

--A WinFE boot CD was made with X-Ways Investigator copied onto it.

--Detectives now boot their machine to WinFE, run X-Ways Investigator, and access the forensic images from an external drive.  All work is saved onto the external drive and their workstation remains clean.

--This also prevented the IT staff from the city panicking over installing 'unauthorized' software.

--And of course, a copy of the X-Ways Forensics Practitioner's Guide was ordered for the detectives to use :)

[Image: X-Ways Forensics Practitioner's Guide]


Cool update to the XWFIM, Portable Install

Eric is at it again. This time with a pretty cool update to the X-Ways Forensics Install Manager (v0.0.7.0). The update to the XWFIM now includes an option to create a portable install to external media. Page 13 of the Practitioner's Guide to X-Ways Forensics details how to do this manually, but XWFIM does it for you with a few clicks.

[Image: portable] Easy enough

[Image: drive letter] Cool! Notepad++ and Volume Label renamed.

[Image: result] Bam! Done.


Another cool little feature is that the XWFIM creates all the case folders for you in the process of the portable install.  Neat.

[Image: folder] I like this. Saves a few keystrokes and I'm all about saving keystrokes.

Don't forget, if you liked the Practitioner's Guide to X-Ways Forensics, write a review on Amazon to let us know how you liked it (or if you didn't...). And if you use XWF and didn't buy the guide, you are missing out on more than a few tips and tricks that will save you dozens of keystrokes.


X-Ways Forensics Install Manager

I cannot imagine anyone who uses XWF not having Eric Zimmerman's XWFIM.   Every time I use it, I wonder how I did without it.  XWFIM is available through the XWF support forum.  It's free, but you need a license for XWF to get it.

Eric constantly adds little things to it, much like Stefan adds 'little' things to X-Ways Forensics.  One of the latest little additions is the selection box to "Include pre-release versions" which is pretty cool.



And if you haven't bought the XWF Guide yet and you use the XWFIM, just click the book's graphic and you can have the guide on your Kindle in about 30 seconds.



X-Ways Forensics Imaging Article

In case you missed an article on X-Ways Forensics Imaging (page 40), you can download a free copy of the issue of eforensicsmag here:

[Image: XWF Imaging] You may like the WinFE article too...I know the guy that wrote that article...


The article is an overview of imaging with X-Ways Forensics, which is covered in more detail in the XWF Guide.   If you haven't bought the guide yet and are on the fence on whether XWF is right for you, check out the article on the one feature of imaging and I am sure you will not be on the fence anymore.

[Image: Xways-Cover] I use this guide myself...and I was a coauthor!


XWF Guide translations

There is a possibility that the XWF Guide may be translated into Chinese and Korean.  That would be pretty cool.  I can at least look at the pictures :)



CyberCrime 2013 Symposium


I'm heading to New Hampshire (first time there) to present on Placing the Suspect Behind the Keyboard. Sounds like a pretty good conference and certainly could not be any further for me to travel in the entire country. Literally, from one end to the other. Looking forward to the conference, come say hello if you are going to be there!



X-PERT Certification Program

Been using X-Ways Forensics for a while now, have ya?  Been to an X-Ways training class?  Then consider getting certified by X-Ways as an expert (X-PERT) in XWF.


Be sure to set aside time, have your XWF Guide at your side, and dive right in. It's a real forensics exam and, if you pass, you have a certificate that actually means you know what you are doing with X-Ways.


A very kind review of Placing the Suspect Behind the Keyboard

From the Journal of Digital Forensics, Security and Law, Vol. 8(2).

Thanks for the review!
