It’s 2017. The days of hiring a DVD from Blockbuster seem like a generation ago, and my massive drawer of hundreds of DVDs that was once rather an impressive sight now seems as retro as my vinyl LPs and film cameras! Even opening the drawer to select a DVD of my choice seems like a technological faux pas these days when I could just use my remote control to launch Netflix on my SmartTV and watch the very same film with about 90% less bodily movement.

Similarly, these days, the concept of having to travel anywhere for any business purpose seems to be becoming increasingly less common as well. We can hold video Skype meetings with people all over the world, or just telephone conference-in if we don’t like the look of folk. We can build businesses comprising staff in each city who never meet physically, or rarely meet, perhaps with the exception of a Christmas bash where otherwise sensible and intelligent people suddenly decide to act like fools for a day. People can actually work from home, genuinely, and do actual work and run their entire business from their back bedroom.

Along with that expectation comes the expectation of not having to travel as much to review digital evidence. These days, if you say to someone new to your company “You have to travel 200 miles to look at that data”, the new person will think “Pardon me?”, especially if they are under the age of 30. This expectation is increasingly coming from case investigators, legal people, managers and so on. In fact, if you work in a business area that does not have that facility in this day and age, and you tell people that they will have to travel…yes, travel, to your office, they nearly faint! In much the same way as choosing my DVD from my drawer selection, they expect to review digital evidence as easily as they launch Top Gun or The Gremlins using Netflix.

Of course, when it comes to reviewing evidence from digital seizures, the technical challenges increase rather more than they do for a telephone call, not to mention the security challenges with keeping such data safe. You can’t just pop a little cloud service in an agency or company that typically serves perhaps just spreadsheets and e-mails to its staff and then expect it to deal with Terabytes of compressed E01 images…at least not overnight. It’s a big challenge. Achievable, of course, but not an overnight task. This is true for every company involved in this work arena, and it is especially true for law enforcement agencies who also have government protective markings to adhere to, which can vary case by case, as well.

All big and expensive forensic tools these days have some way of facilitating the review of digital evidence in some kind of remote way – typically, the remote person will access the data using a web browser. Often this is termed a “web review platform” or something like that. What this means is that the content of digital forensic reviews is made accessible to some non-technical investigation team or non-technical legal person somewhere in the world using a web browser by incorporating a web server of some sort and a database engine of some sort. They might be using a computer in the office upstairs on the same internal Class A network. Or they may be using a computer on the other side of the world, connecting over a VPN. Often, this method of review is labelled “remote viewing” or “remote delivery”.

The provision of such a review system is, these days, expected within a forensic tool, it seems, and especially within e-discovery tools. Sadly, in fact, attitudes seem to be very negative if one reports that such a tool does not have a web review system. But, in my view, there is more than one way to make digital data accessible remotely, and a web interface over port 80 using the HTTP protocol or the HTTPS protocol is just ONE way. It was the way devised by one or two mainstream tools a few years ago. Well, web browsers are not THE ONLY way to serve such content. It is merely ONE way. Of course, there are other ways! And the other ways can be more affordable.

X-Ways Forensics does not currently have (and may never have) a web review system. I have no idea whether one is in the planning or not. I doubt they (Stefan and his colleagues) care to add one given the IT Infrastructure and security issues that come with providing such data over a web platform. What I do know of is an alternative method for facilitating remote viewing of data without using web platforms and greedy SQL databases, and best of all, it can be achieved at a very affordable price – I’m talking single digits of thousands.

X-Ways Forensics is the full-fat version of the tool. We all know that. It is the most powerful, most feature-rich tool in their suite, and the most expensive of their suite (albeit still cheaper than most forensic tools).

‘X-Ways Investigator’ is its low-fat sister, working in exactly the same way as XWF but without many of the complicated technical features needed by digital forensics people. X-Ways Investigator, as I’m sure most of you know, is a review platform of sorts for cases created in X-Ways Forensics. It opens X-Ways Forensics cases. I could stop there – you should already be able to envisage the scenario, or one particular possible scenario of using XWF and XWI in a remote fashion. But I want to take it a step further because it gets better.

‘X-Ways Investigator CTR’ is the zero-fat skimmed version of X-Ways Investigator. It is a yet-further reduced version of X-Ways Investigator whose capabilities are restricted even more to only being able to open XWF CTR images and do very limited things with such images. That’s all it can do. But it enables non-forensic staff to review data put in the CTR containers without the need for anything else other than a workstation and network connection to the remote server. So, the theory is, you have a team of digital forensics people doing clever stuff with X-Ways Forensics in one office somewhere, and then after they have finished their magic, they suck part of it out from the many massive E01 images and store it in a CTR evidence container. They add report tables, comments and so on into the container as well. The files that are put into these CTRs may be specific files from a manual review of files based on known specialisms and intelligence between the digital forensics person and the investigating officer. Or it may be based on more generic data types, such as “This case is a fraud case so we just want all the e-mails and PDFs and spreadsheets”, in which case sets of customised “Type” filters may have been prepared and then used for your company/agency to operate this model (see below – ‘Customised “Type” filters’).

Either way, the data is found first, and then extracted into CTRs for the case, and stored on the server ready to be opened, remotely, by the non-technical officer, using XWI CTR. Due to the efficiencies of CTRs it doesn’t matter if it’s a handful of files or thousands of files. It’s designed to cope with any variety. The server used to hold these CTRs might be in their lab, or it might be upstairs. Or it might be in another country. Remember the CTR format is the custom evidence container for X-Ways. Very fast, very efficient, very powerful. The best “selective imaging” format in the world in my humble opinion…no doubt.

Then, other offices where the non-technical staff are based have just average computers installed with direct network access to this server store. All that is needed are 32-bit Windows systems – 4Gb of RAM would be more than enough. You could set this up with a machine in each office for say 5 offices for a few hundred quid – few thousands tops. The network access may be over a VPN, or whatever…the network infrastructure is beyond the scope of this article and obviously it is the part that requires more investment of money and time, but the remote offices obviously need access to the server containing the CTRs – this is obvious, I would hope, and would be necessary anyway for any of the tools that provide any kind of web access as well, so that cost is a given. And ideally it needs to be a fairly fast link. My point is the computers used for the “remote access” do not need to be expensive or high powered at all and they certainly don’t need tens of Gb of RAM to get by.

So the computers in these remote offices have installed on them the ‘X-Ways Investigator CTR’ software, which is peanuts to buy – about £300 per license. With this software, all that the staff can do is open CTR files to review files put there by their digital forensics colleagues. The RVS options are next to none, the usually feature-rich specialist menu comprises next to nothing and even the default ‘file view’ of the viewing component defaults to a non-hex view (though you can enable the hex view with F7). All that would be necessary for the staff in these remote offices to get the most from the software would be a one-day training session held by a specialist who knows how to use X-Ways to its best abilities. These staff could then be “key officers” to that location, with one or two of such staff in every office. Their job would be to assist with the review of digital evidence held in CTRs, put there by their specialist staff in the other office.

The diagram below explains this scenario and it shows how a national team comprising one digital forensics team and three remote officers could incorporate remote viewing of digital data for only a few thousand pounds.

The marginally more expensive alternative is to use X-Ways Investigator on its own, instead of X-Ways Investigator CTR. It would make this workflow even better, but I wanted to demonstrate the CTR concept to show just how affordably this can be done.

Customised “Type” filter

Basically, the default file that enables XWF to show you all the file ‘types’ when you click the filter for ‘type’ in the directory browser is called ‘File Type Categories.txt’. By default, the content of that file is used for your ‘Type’ filters.

To customise your ‘Type’ filters, or to create sets of such filters, simply copy and paste that file several times, ensuring you then rename the master as ‘File Type Categories – Master.txt’ or something so you can always revert back to normal. Edit the other copies to your needs, and then simply load each of them as and when you need them using the ‘Open’ dialog button of the directory browser ‘type’ filter options.

Video 

The video shows the roles of two people. One is the digital forensics person in the main office (at the bottom of the diagram above), saving a CTR to the main server, and then it is accessed by a non-digital forensics person in the remote office using X-Ways Investigator CTR.