Reminder for the last discount for the X-Ways Forensics Practitioner’s Guide Online and On demand course.

If you were thinking of doing it, this is the best time since the $599 online course will only be at a discount of 60% for less than two weeks (until Dec 31, 2016) for only $235.  PLUS, registering before December 31, 2016 gets you a print copy of the book, the X-Ways Forensics Practitioner’s Guide shipped to you. Unfortunately, the book is only included for US/Canada registrants since shipping a book outside the USA or Canada costs more than the book.  Shipping to some countries costs more than the entire X-Ways online course costs.  I’m happy to ship a copy, but the shipping fees must be added.  Best bet is to order a book online that delivers locally without extreme duty fees.

Register with the 60% discount using this URL: 

Just a few notes on the online XWF course based on emails I have received:

Time limit:  You have a year to view the course as often as you want.

Software: Not included.  You don’t need it for the course, but I think you’ll want to have a license.  If you want to know how XWF compares to other tools, you can get 12 hours of instruction showing how it works and much of what it can do.  Once you start using XWF, you’ll begin to see that it can do a lot more than what the manual or any course can teach. 

About forensics: The online course doesn’t teach forensics, except to demonstrate features of XWF.  Don't expect to learn 'what is the registry' in this course.  It's all about X-Ways Forensics, to get you up and running right away.

Competence: If you go through this course (and you have a foundation of digital forensics knowledge), you’ll have enough knowledge to use XWF on a real case.

Students: If your school uses XWF, you’ll be much better off learning XWF online away from class to get the full benefit of using XWF.   School programs can only teach so much with software in courses where they must teach everything.

The book:  Through Dec 31, 2016 the X-Ways Forensics Practitioner’s Guide book (print copy) is included with your tuition (USA/Canada shipping only).   There is no other book on X-Ways Forensics available.  The next edition may not be for another year or two.  Get your copy as part of the course.  The cost savings of a book + 12 hours of X-Ways Forensics training at $235 is the best deal you can find anywhere.

Course updates: The course may be updated throughout the year when XWF has enough smaller updates to add up to a new course or updated lessons.  You get that as part of your registration.  Revisit the course throughout the year, anytime you want, from anywhere online.

XWF as a primary or other forensic tool:  If you currently use or plan to use XWF in your work, get some training.  Either this course or a course from X-Ways AG, or somewhere.  XWF is not a tool for self-learning when you need it for casework tomorrow.  Especially for a primary tool, get some training.  This course gives you the information to use it either as your primary tool or secondary tool.

If you have any questions, hit me up :)


X-Ways Forensics Sucks….

…only with decryption, and even at that, it does everything else superbly.

I probably caught your attention if you are an X-Ways Forensics user.  The only thing that sucks about X-Ways Forensics is that it doesn’t do encryption.  By “doing encryption”, I mean that it doesn’t decrypt encrypted files or systems.  Besides that one aspect of forensic work, X-Ways Forensics rules.

**UPDATED X-WAYS FORENSICS PRACTITIONER’S GUIDE ONLINE COURSE**

I completely updated and extended an online course based on my book, the “X-Ways Forensics Practitioner’s Guide”.  It has taken some time to create a course that has 95% of what you need to use X-Ways Forensics without being an overly long instruction of the software.  The remaining 5% changes every week or so with new features and updates added by X-Ways.  This course covers X-Ways Forensics up to version 19, but know that X-Ways will be adding new features every week that aren’t included in this course yet.  After enough ‘little’ features and improvements have been added, more content to the course will be added as well.

Here is the gist of this post

Register before November 8, 2016 to get both 50% off tuition and a printed copy of the X-Ways Forensics Practitioner’s Guide.  Use this link for the discount: http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide-online-and-on-demand-course?pc=blog

Personal anecdote: While sitting in BCERT at FLETC years ago, I brought my trusty X-Ways Forensics v13 to class.  FLETC issued FTK and Encase as the forensic suites during this time, and also issued a license for WinHex. The WinHex instruction was probably 30 minutes long.

I had already been using X-Ways Forensics and the FLETC instructors allowed me to use my license alongside their issued tools.  With a FLETC provided image that was given to every student in the course, X-Ways data carved hundreds of pornography pictures from my image while both FTK and Encase did not.  The instructors thought I had been surfing porn in class until I carved from someone else’s image.  Encase and FTK, for some reason, did not carve up the pictures that X-Ways did.  In about 5 minutes after seeing that X-Ways carved up porn that other tools missed, every image was collected from class by the instructors….

I emailed Stefan Fleischmann of X-Ways during lunch to let him know that his X-Ways Forensics program works pretty good.

My personal experience with X-Ways Forensics started because I was curious about a ‘new’ forensic program based off of WinHex. I only tried X-Ways Forensics because (1) it was cheaper than anything else, (2) looked kinda cool, (3) and got deep into the actual files like a hex editor.  However, I tried to figure it out and the best way to do that was to host a course.  The only reason I gave X-Ways Forensics a chance was because X-Ways agreed to give a training course in Seattle if I would arrange it, their first course ever.  After seeing how X-Ways worked in that one course, I was hooked using X-Ways Forensics as my primary forensic tool for well over a decade.

I have met many examiners who have tried to use X-Ways Forensics and have nearly always gone back to their other tools, like Encase or FTK.  Mostly, I see this to be because of fear of change and lack of information to use X-Ways Forensics.  There were no books about X-Ways Forensics.  The manual was (is) clearly lacking in giving instruction in using X-Ways, the courses were (are) expensive and not typically where you’d like them to be.  Compared to Encase, as one example, books on using Encase have been around for some time, Encase has been taught in government forensic courses for well over a decade, and courses have been planted everywhere around the world for so long that it seems strange to not have a course local to you every year or so.  Plus, the other tools throw parties, like huge beer fests poolside in Vegas or somewhere neat.  X-Ways? No parties.  No beer fests.  It’s all down and dirty with hex, which is just the way I like it.

The manner in which this online course works is similar to the book that Eric Zimmerman and I wrote on X-Ways Forensics.  We wrote, and titled, the book for practitioners.  The manual is not for practitioners.  Do not start reading the manual hoping to find the ‘how to use X-Ways’.  Do read the X-Ways Forensics Practitioner’s Guide to find out.  Unfortunately, books and manuals simply do not fill the remaining gap of instruction and demonstration.  Short videos on Youtube won’t do it either.  You need a course to learn what you need to learn as fast as you can learn it in order for you to be able to use it right away.

If you cannot attend the official X-Ways Forensics course due to time/money, or maybe you want a refresher to the course you took five years ago, or maybe you are in a forensic course in college that uses X-Ways, this online course is the least expensive you can find (the only one currently in the world) that fills that need.

I can promise that after you complete the course, you will have a different perspective of X-Ways.  You most likely will use X-Ways Forensics as a secondary or validation tool.  Many of you will move completely over to X-Ways Forensics and turn your other tools into secondary tools.  Some of you will turn your entire lab into an X-Ways Forensics lab that uses the “other tools” as validation.

One thing the online course does not do is teach forensics.  You might learn a little something since the course uses publicly available forensic images and gives suggestions on workflows (based on case types, such as picture intensive or user document intensive cases), but don’t expect this course to teach everything about forensics.  For that, you need to take a digital forensics course to show what a “lnk” file is, or how to examine the registry.  The X-Ways Forensics Practitioner’s Guide course teaches you how to plug the X-Ways Forensics dongle into your machine and push all the buttons you need to push to get what you are looking for.  That’s more than half the battle for any forensic software: what button do I push to get forensic artifact “x”, “y” and “z”?

Watch the introductory video (free) to get a handle on why you should take this course.  Whether you have been using X-Ways Forensics for more than a day, new to X-Ways Forensics, or thinking about trying it out, this course is the fastest, least expensive, and easiest method to learn. Bar none.

 


X-Ways Online Training Course



I will be publishing an X-Ways Forensics Online Training Course on June 30, 2014.  The course is based off the X-Ways Practitioner's Guide, the X-Ways manual, and a decade of experience using X-Ways...it is not the official X-Ways training course, but it also does not come with the price tag of the official course.   From Monday, the X-Ways course will be $195 but I will publish a discount code good for two weeks (through July 14) for 25% off.

I'll send out a reminder on June 30 through twitter and the XWF blog, so follow the blog or twitter account to catch the discount code.

The manner in which I made the X-Ways course is so that you can follow along with XWF in learning how to work a case with X-Ways Forensics.  The course describes the options and buttons in XWF, but also shows how to simply work a case.  There are literally so many features in X-Ways, that without training, you will be missing about 50% of what you should be doing.  I found that even the most current version of the X-Ways manual does not list features in XWF...lots of information to keep up with, tons of features to consider, easy to miss something that you should not miss for such a powerful forensic tool.

If you want to be notified of the coupon code, be sure to follow the X-Ways blog at http://xwaysforensics.wordpress.com/ or the twitter account at https://twitter.com/XWaysGuide.

 

 

Windows Forensic Environment Online Training Course


I also have just released an online course on the Windows Forensic Environment (WinFE).   I have videos of most build methods, tips and tricks, pros and cons, and aspects of WinFE that you may find important.  I also included every bit of downloadable swag in the course too (batch files, wallpaper, scripts, etc...).

All in all, this is probably the best source of WinFE you will find.  I encourage you to share it and use it, after all, this is a free tool and this course is free.  If anyone has suggestions on making the course better, let me know and I can try to squeeze in some improvements.

http://courses.dfironlinetraining.com/windows-forensic-environment

 


C4All X-tension update

Update November 14, 2014

Download link to version 3.6.2.d https://www.dropbox.com/s/zewn7myskf...6.2.d.zip?dl=0
This update changes the way the video stills are treated when extracting movies.
- Video stills are now extracted if the parent movie is extracted, regardless of whether the video still has been type verified.

 

 

 

 

That is for version 3.6.2.d that fixes a few issues with C4All not handling some characters.

 

 

 
 
 
Videos and links to updated guides.
 
 
 
Steps for c4all X-tension updated November 2014.doc
www.dropbox.com/s/sfd3...4.doc?dl=0

Steps to prepare and run C4All X november 2014.doc
www.dropbox.com/s/23ts...4.doc?dl=0

I recommend downloading both guides. ***both Updated November 2014***

Links to Youtube videos to run X-Tension
www.youtube.com/watch?v=HP6DTzpG0KI - part 1 of 3
www.youtube.com/watch?v=zCIcrA9CldI - part 2 of 3
www.youtube.com/watch?v=53cLlcogr40 - part 3 of 3

 


Updates to X-tension and Hash File Manipulator

Hashbrown program 64 bit version only http://1drv.ms/1tLsNnG updated October 10 2014

instructions http://1drv.ms/XNdgeJ
-New Version that handles many duplicates and many unsorted more efficiently posted.

 

 

 

 

X-tension

 

 

Update October 19 2014
download link to version 3.6.2.c http://1drv.ms/1prWU2h
-Fixed issue with extended character support of UTF-16 in XML. Should show all but those 0xD800 – 0xDFFF characters.
-Adds the functions of 3.5.12.k as well as option to create a Picture/video library based on MD5 hash value as name and the option to include not confirmed files when extracting pictures and movies. (before the file had to have a type status of Confirmed or newly identified. see post from 27 September in this thread for more details)
- 3.5.12.k
option to include or not include metadata in XML
-The option to run against multiple evidence objects and better naming of folders in c4all folder tree.
-CETS users have toggle to create a CETS XML or not.

 


New version of X-Tension

3.6.2.a http://1drv.ms/1rrCJ7s
Changes
-adds the functionality to create a picture/video library.
-adds the ability to extract pictures or movies that are type status of 'not confirmed'
(this was added as there are so many variations of avi formats, that even some valid working movies were not 'confirmed')
If the user does not want these files, they can be filtered out and the X-Tension run excluding filtered or excluded files


XWF II and III...

...are a little late coming out due to an emergency...but will be published soon.  sorry for the delay.


BlockHasher for XWF

Yet another cool XWF utility!

 

BlockHasher

 

 

http://d-forensik.de/download/


 

 

BlockHasher helps you create Block-HashSets for X-Ways Forensics

- Select Directory, directory-mode is automatically activated
- Click 'with sub-folders' if you need recursive hashing
- Alternatively select some files, file-mode is automatically activated
- You can switch between both modes at any time
- Choose your Entropy
- If you need to find a part of a single file use 'one input - one output' mode
- If you need to find a part of a bulk of files use 'all in one' mode
- Add 'MD5'-Header is necessary for X-Ways Forensics

Start hashing now. A log file is automatically generated.

BlockHasher is Freeware.
If you need source, send mail to [email address protected].

 


X-Ways MD5 Hash Manipulator

Another cool utility for X-Ways!

 


 

 

 

 

 

A program to manipulate your Hash sets from X-Ways.
It will allow you to Add hashes, Remove hashes, Compare hashes and remove the duplicates, create hash set of excluded files, and be in the proper format to quickly import to X-Ways.

 

 

This will allow users to maintain their hash sets and create small diff files if needed to distribute when hashes are added/removed from database.
It works on the basis of adding or removing records, indicating duplicates and also the '-' prefix implemented in X-Ways. Files with the '-' prefix can be anywhere in the set, not just at the beginning.

 

 

 

 

 

Thanks to X-Tension author Steve Frawley (who is also the author of the C4All X-Tension) and thanks to beta tester Derek Frawley.

 

 

 

 

 


X-Ways Forensics Practitioner's Guide Online II

For all  XWF I registrations prior to July 17, 2014, you will receive a code for 100% off the XWF II course shown below at the email you registered.  The deadline to register in order to receive the 100% discount code for XWF II is July 17, 2014, after which, the course is available for purchase without a discount.

These are on-demand courses and you have lifetime access to both courses (XWF I and XWF II).  There will be an XWF III course released during the summer, all who register before July 17, 2014 will receive another 100% off discount code for XWF III.  So, for the purchase of XWF I by July 17, you will have lifetime access to XWF I, XWF II and XWF III.

XWF II will be released after the discount codes currently given have expired in a few weeks.  The general discount code for 25% off is:   xwf1

Members of HTCC, IACIS, and CTIN have received a 30% discount code in their e-mail.  If you are a member and did not receive the code, check your e-mail, it should be there.  If you belong to a high tech crime group not listed, email me and I can send a 30% code to your association.  Otherwise, feel free to use the 25% discount code.


X-Ways Forensics Online Training

I created an X-Ways Forensics online training course at http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide.  This course, X-Ways Forensics Practitioner's Guide Online I, is an introduction to using X-Ways Forensics, but it covers more than enough for most of the use of X-Ways in a case.

The XWF II course goes into great detail with more information on using XWF in different scenarios and some more highly specific functions.  Although the course is based on the book, it is not the book, nor is it the X-Ways Forensics classroom training.  It is however, the least expensive and fastest way to get up to speed on X-Ways Forensics :)

There is a 25% discount code you can use "xwf1" that is good until July 17.  Everyone that registers before July 17 receives a separate discount code of 100% for the XWF II online course that will be released as soon as this discount period ends.  Both courses are the same cost, but the discount is valid only until July 17.

If you can't attend the X-Ways AG classroom training due to cost or time, this online training fits both your pocketbook and daily schedule.

http://www.youtube.com/watch?v=EQ_wwSBD8gc


New X-Tension: Up to 30GB min speeds on SSD drives!

A new X-Tension, "C4All", is available for download (free) at http://www.x-ways.net/forensics/x-tensions/index.html.  C4All is used to categorize pictures and videos, processing skin tone and video stills.  Speeds of up to 30GB/min on SSD drives have been observed.


If you are an X-Ways user, this is one of those cool "little" things that will make you excited.


WinFE (and of course, XWF)

Taking WinFE to even another level on a multiboot thumbdrive.  Very cool, but I spread this word to you because there are few things in life neater than a forensically bootable CD/USB with X-Ways Forensics.

From Hacking Exposed: Adding the WinFE Image to the Multiboot Thumbdrive Image (Video)


http://www.youtube.com/watch?v=Ce9eQ0OG2jA

http://hackingexposedcomputerforensicsblog.blogspot.com/2014/02/daily-blog-248-adding-winfe-image-to.html


A gathering of the X-Ways users in Australia

The X-Ways Users Conference is here in a few weeks.  My kind of conference: Australia and fellow X-Ways users! 

 

Maybe next year for me...but it sure would make for a good vacation, I mean, training trip.

 

 

 

 

 


Another reason to use, try, or at least just learn about XWF

Not that many years ago, you would not find a requirement of having experience with X-Ways to apply for a DFIR job.   But now, some jobs recommend it and yet some others require it.  This is not to say the other big players (Encase, Accessdata, etc..) are not needed or useful, just that XWF has made it to the same level at a price point that will probably not be beat with capabilities that still outpace other tools.

So......it makes sense to know a little about the tool that might put you over the edge for that next job.  Of course, you need to be competent too, but like I've said before, "beware the examiners that use X-Ways Forensics because they probably know what they are doing."


For the future XWF users, check out www.x-ways.net for some details, download and read a quick guide, and when you move forward with XWF, buy the book :)

 


No surprise. XWF does something other tools don't

From a twitter post, a cool video on imaging with X-Ways noted (13:50) as doing something other tools don't.  The entire video is actually pretty good too.


http://youtu.be/zYYCv21I-1I


Cool update to the XWFIM, Portable Install

Eric is at it again.  This time with a pretty cool update to the X-Ways Forensics Install Manager (v0.0.7.0).  The update to the XWFIM now includes an option to create a portable install to external media.   Page 13 of the Practitioner's Guide to X-Ways Forensics details how to do this manually, but XWFIM does it for you with a few clicks.

Easy enough.


 

Cool! Notepad++ and Volume Label renamed.


 

Bam! Done.


 

Another cool little feature is that the XWFIM creates all the case folders for you in the process of the portable install.  Neat.

I like this. Saves a few keystrokes and I'm all about saving keystrokes.


 

Don't forget, if you liked the Practitioner's Guide to X-Ways Forensics, write a review on Amazon to let us know how you liked it (or if you didn't...).  And if you use XWF and didn't buy the guide...you are missing out on more than a few tips and tricks that will save you dozens of keystrokes.


X-Ways Forensics Install Manager

I cannot imagine anyone who uses XWF not having Eric Zimmerman's XWFIM.   Every time I use it, I wonder how I did without it.  XWFIM is available through the XWF support forum.  It's free, but you need a license for XWF to get it.

Eric constantly adds little things to it, much like Stefan adds 'little' things to X-Ways Forensics.  One of the latest little additions is the selection box to "Include pre-release versions" which is pretty cool.


 

And if you haven't bought the XWF Guide yet and you use the XWFIM, just click the book's graphic and you can have the guide on your Kindle in about 30 seconds.


X-Ways Forensics Imaging Article

In case you missed an article on X-Ways Forensics Imaging (page 40), you can download a free copy of the issue of eforensicsmag here:  http://eforensicsmag.com/jumpstart-3-free/

You may like the WinFE article too...I know the guy that wrote that article...


The article is an overview of imaging with X-Ways Forensics, which is covered in more detail in the XWF Guide.   If you haven't bought the guide yet and are on the fence on whether XWF is right for you, check out the article on the one feature of imaging and I am sure you will not be on the fence anymore.

I use this guide myself...and I was a coauthor!

 

 

 

 

 


X-PERT Certification Program

Been using X-Ways Forensics for a while now, have ya?  Been to an X-Ways training class?  Then consider getting certified by X-Ways as an expert (X-PERT) in XWF.

http://www.x-pert.eu/


Be sure to set aside time, have your XWF Guide at your side, and dive right in.  It's a real forensics exam; if you pass, you have a certificate that actually means you know what you are doing with X-Ways.
