Something else cool about XWF

Consider the differences between X-Ways v12 below:

[Screenshot: X-Ways Forensics version 12]


With the current version 17:

[Screenshot: X-Ways Forensics version 17]
 

They look the same!


XWF has had literally hundreds upon hundreds of significant updates over this time between v12 and v17, but the interface and usage remain constant.  Personally, I enjoy an update to a program that looks the same, the buttons are in the same place, and there are new features to use.  The last thing I want is a totally different interface, buttons where I have to hunt and peck to find or miss completely, or have to take another class from the vendor to be told how to use their new fandangle program.

It's nice to know that in 10 years, XWF will probably look the same. Even though I know it will be able to do so much more then, I'll be able to use it without skipping a beat.

This is also the reason that the XWF Guide will carry you through the next many years without having to worry about a major change in operation of XWF.  What other manual or guide can say that?


Imaging with X-Ways Forensics

The current (and free) issue of eForensics Magazine has an article on imaging with X-Ways Forensics.   Of course, the XWF Guide is more detailed, but to get an idea of some of what XWF can do with imaging,  take a look at the article.

http://eforensicsmag.com/jumpstart-3-free/
 

 


X-Ways Forensics and WinFE

A faster WinFE build is available on http://winfe.wordpress.com/ that includes a script to add XWF to the build.  Of course, you have to have a license for XWF for the script to add it to the build.  As of now, it includes FTK Imager and dd tools, with more on the way to add.   The build method is a beta only because more apps are being added that need to be tested.  Other than that, it works great with FTK Imager, XWF, and a few other small apps.  The goal is to put several imaging options on it for user preference.

Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.


There is no difference between the write protection in this faster build as it uses Colin Ramsden's write protection application, but the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish.  You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes time, starting from pushing the button and having a WinFE CD/DVD/USB in your hand.

Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE.  And just because it only takes 10 minutes doesn't mean WinFE is a minor forensic tool.  With XWF, WinFE is way more than just something you can throw together to image.  It's really neat.


Creating distributable test images

I'm in the process of creating working materials to go along with the XWF Guide in the form of exercises and test images.  I expect to be finished in 2014 or 2015 or ...(it all depends on time available).  The materials will be freely available but will really only work best with the XWF Guide.  And yes, I know I can use images already available, like at http://digitalcorpora.org/corpora/disk-images, but these datasets will be made to demonstrate all the neat things detailed in the XWF Guide.

One thing I'd like to point out is an issue with creating forensic images: giving students images that contain data such as commercial programs and operating systems may violate the EULA if distributed.  Anyone that deals with this in training will be happy with how XWF can be used to address this problem.

With the "Cleansed Image" option of XWF, simply exclude/hide any and all files that would raise privacy concerns or violate a EULA before creating the image. Then create the image :)

This gives you a complete (minus excluded files) disk image without worrying about violating a EULA.  You could do this the hard way by using WinHex to overwrite every single file in question.  Or you can mass exclude files in one fell swoop with XWF and bam.  Image done.  Now you have something to give out to your class.

I've always wondered why some instructors give out complete images of a single system and make the student "promise" not to distribute the files...that is a bit too trusting in my opinion.   And come on, you know who you are...

<And I'll leak a little information from the book on the cleansed image feature.  You can use this technique to remove private/privileged/protected data from an image when you need to comply with a court order but can't produce specific protected data on the image.  An example being a civil case where you need to turn over an image to the opposing expert but have privileged files on the image. Don't hex edit it, cleanse it!>

The XWF Guide has dozens of these kinds of tips and tricks, but you get one today for free.  Get the book for the rest of the tips and tricks; you will, without a doubt, find something worthwhile that will save you hours or days of work.


Hindsight is 20-20


X-Ways Users Conference

Very cool.  Meet Eric Zimmerman and Craig Ball at The Inaugural Australian X-Ways Users Conference in Canberra in March 2014!

The best part...you get a copy of the XWF Guide :)

 

 

If you can't make it to this conference, get the book!
Click to order, Amazon still has the best price.

 

 

 

 

 


Another free tool for X-Ways, from Magnet Forensics

Magnet Forensics provides a FREE tool at http://info.magnetforensics.com/tsv-to-tln-converter, which converts the X-Ways generated TSV file into the TLN format.  From the tutorial, this looks to be pretty neat and you can't beat the price either.


The tutorial on how to use the TSV to TLN Converter can be found at: http://www.magnetforensics.com/convert-x-ways-tsv-data-into-tln-data-for-ief-timeline/

 

 


XWFIM version 0.0.5.4 released

Just released version 0.5.4 of XWFIM.

Changelog:

Change: Renamed Settings.bin to xwfim.bin since people seemed to run both XWFIM and XWFRT from same directory and this caused problems
Change: Updated book cover image and URL when clicking on the book image
Change: Delete any old viewer directories before unzipping a new version to avoid file inconsistencies across viewer versions

 

If you get a crash about "key not found" or similar, delete settings.bin and restart. Prior to this release, both XWFIM and XWFRT used the same file, settings.bin, to store configuration data. If you run both programs from the same directory this would cause issues.

 

This update will download automatically once you start XWFIM. Click the lower right corner of the application for details.


XWFIM updated

Just posted 0.0.5.3. This fixes a few issues related to checking for new versions when more than one zip file exists as they often do when it comes to prereleases.

 

If you get an error about "more than one element" on startup, don't send the error report, do not exit, then proceed to update using the built-in updating feature. Worst case, just redownload it from the XWF website and it should be fixed.

 


Case Studies

Here are some of the case studies we are working on for our current and last chapter:


  • Electronic Discovery (IP theft, document collection, contract antedating)
  • Consent Searches (triage/preview)
  • Parole Searches (triage/preview)
  • Malicious Software
  • Intrusion
  • Fraud
  • Child Pornography
  • Cell phone analysis

Several of these are being submitted by contributors, and all are to be detailed using XWF and suggested case flow processes.  Contributors to be duly noted (as much as they allow).


Multiple File Finder X-Tension for X-Ways Forensics

Here is a new X-Tension for XWF that does a few neat things, such as searching for specific files and adding them to the report table, and exporting files for external analysis: http://www.gaijin.at/en/xtmultifilefinder.php

 


XWFRT updated to 0.4.8

Several fixes based on user testing in this build to include:


  • Added Undo button to reverse the tweaking process

  • Rearranged GUI to make it less congested

  • Undo tweaking automagically if an error occurs to keep report in a known good state

  • A bunch of processing fixes to allow for tweaking more than one report in a row



XWFIM goes International!

Just released version 0.0.4.8 that includes fixes for international users. The issue had to do with date/time formats and the use of non-period decimal separators.

Both should be fixed, but if any of our international friends are having issues, please shoot me an email and I will get it resolved ASAP


XWFRT and XWFIM updated

You can get the latest build of XWFIM from the URL in the X-Ways Forums or just use the auto-update feature in the program by looking in the lower right corner of the program after it starts.

XWFRT was also updated recently. Again, you can auto-update or pull a copy from here:

https://www.dropbox.com/s/6labcj537jlxnzz/XWFRT.exe

If you run into any reports that cause XWFRT to throw an error, please zip and email me all of the Report*.html files (not any of the directories which contain files) and I will get the issue resolved ASAP.

Enjoy!


XWFRT 0.0.4.6 released

New in this version is the ability to attach one or more external files to your report.

This includes things like XWF registry reports (as seen below). You can include any kind of file in the report in this manner. HTML files will be viewable directly in the browser.

The screenshot below shows 2 registry reports being added as external files.

[Screenshot: ExternalItem1]

And here we see what the report would look like as a result of including the files.

 

 

[Screenshot: ExternalItem2]


XWFRT now available

More to come and I am sure someone will break it, but for now, here it is!

 

https://www.dropbox.com/s/6labcj537jlxnzz/XWFRT.exe

 

Kick it around and email me with any bugs or suggestions.


Coming soon...X-Ways Forensics Report Tweaker, or XWFRT for short

Ever generate a report in XWF and ended up with more than one Report*.html page? Ever been stymied by the fact that those handy menus at the top don't link to anything outside the main Report.html page?

Yea, me too, but no more!

This isn't quite done yet, but it's close. Here is an overview and some screenshots. In my testing, reports get tweaked in less than a second or 2 for a 9 page XWF report.

 

Here is what the main interface looks like. Basically, choose the case file, choose the directory where you exported your report to, set some other option information (like who you are, your agency, a logo), write a narrative (if you want) and TWEAK!

[Screenshot: XWFRT main interface]

 

The Narrative is nice because it supports HTML, so if you wanted to get crazy and write up a nice, fancy report with lists and stuff to include in your report, go for it!

The items at the top, like the logo and the agency, are taken from what you enter in XWFRT.

[Screenshot: top of the tweaked report]

 

The menu on the left contains items for general case info, all evidence items and, if present, audit trail information. Clicking a menu loads the relevant section into the main part of the window (the General tab is shown below).

[Screenshot: General tab]

 

 

Here we see the evidence items page.

[Screenshot: evidence items page]

 

 

And finally, clicking on a report table page.

[Screenshot: report table page]

 

 

I have a bit more polish to put on this thing before I release the first version, to include having a setting in the GUI to control the max # of items on a report table page. For example, if you exported 1500 images in report table "Foobar" and set the max per page in XWFRT to 500 items a page, you would get Part 1, Part 2, and Part 3 links under the "Foobar" heading.

 

Oh yea, the entire look and feel is all controlled by CSS, so you can, by editing one simple file, completely change the look and feel of the report to suit your department's needs (colors, layout, borders, EVERYTHING).

 

What else does the community want to see this thing do?


XWFIM updated

Just pushed version 0.4.3 out.

 

This version will now track the last selected version as opposed to always defaulting to the newest available version.

I also added a check on startup for any new updates for the last version you selected. That way you will know as soon as you start XWFIM whether there are updates or not.

Finally, I fixed a (stupid) bug related to mplayer install when doing a new or clean install.

 

Please report any issues to me here or via email and I will get em fixed ASAP!


X-Tensions, what would you like to see it do?

Do you have any ideas for an X-Tensions based plugin in X-Ways? If so, post it in the comments! I have a few ideas for the advanced chapter which includes X-Tensions, but want to hear from the community as well.


X-Ways Forensics Install Manager


Licensed users of  X-Ways Forensics can download Eric Zimmerman's install manager (XWFIM) from the X-Ways Forensics support forum.   Eric's creation of a GUI install application for XWF is really neat, minimizes the effort to configure your installation, and makes updates simple and quick.  Thanks to Eric!