X-Ways Forensics (5-Days)

Date: TBA
Price: $3500 ex GST per person
Location: Fyshwick ACT
Trainer: Zoran Iliev, X-PERT

This course is focused on the systematic and efficient examination of computer media using our integrated computer forensics software “X-Ways Forensics”.

Complete and systematic coverage of all computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises simulate most aspects of the complete computer forensics process. Attendees are encouraged to immediately try out newly gained insights, as provided by the instructor, on sample image files. Many topics are explained along with their theoretical background (slack: beyond the usual; how hash databases are internally structured; how deleted partitions are found automatically; with what methods X-Ways Forensics finds deleted files). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, … Emphasis can be put on any aspect suggested by the participants. You will receive reference training material for later repetition. Prerequisite: basic knowledge of computer forensics.

The students will learn, for example, how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, or how to manually recover deleted files compressed by NTFS, which would not even be found by conventional file carving techniques.

PROGRAM:

Basic setup of the software

  • Key folder paths
  • Read-only vs. Edit vs. In-Place mode – WinHex vs. X-Ways Forensics
  • Start-up options
  • Alternative disk access methods
  • Viewer programs

Learning the user interface components

  • Menus and toolbars
  • Directory browser (icons, sorting, navigation, …)
  • Virtual files and directories
  • Case data window with directory tree
  • The case root
  • Modes: Disk/Partition/Volume vs. File
  • Info panel

Navigating disks and file systems

  • Understanding offsets and sectors
  • Absolute, relative and backwards positioning
  • Directly navigating to specific file system structures (e.g. FILE records in NTFS, Inodes in Ext*)

Understanding the Data Interpreter

  • Available conversion options
  • How to get the value you actually want

Creating disk images

  • Raw images and evidence files
  • Fast, adaptive compression
  • In-built encryption

Creating a case/adding evidence objects

Hash calculation and checking

Using the gallery view and skin color detection efficiently

Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files

Previewing file contents

Calendar view and event list (timeline)

Registry Viewer and Registry Reports, Registry Report definition files

Working with the directory browser

  • Recursive listing of directories and entire drives
  • Column visibility and arrangements
  • Copying cell values
  • Selecting, tagging, hiding, viewing, opening files
  • Recovering/copying files
  • Identifying duplicates based on hash
  • Efficient navigation of the file systems’ data structures

Filtering files

  • Existing, previously existing
  • Tagged, not tagged
  • Viewed, not viewed
  • Non-hidden, hidden
  • By name, including multiples: by exact name, using wildcards, searching within name, using GREP
  • By path, including multiples
  • By type – exact type, multiple types, entire category, multiple categories
  • By size
  • By one or more timestamps
  • By attributes: ADS, compression, encryption, e-mail (unread, with attachment), video still, …

Creating report tables and report table associations

Using report tables for filtering and classification

Report creation: Basic reports, report tables and activity log

Refining Volume Snapshots

  • File system specific thorough data structure search for previously existing data
  • Signature search for previously existing data not identifiable via file system metadata
  • Verifying file types based on signatures and algorithms
  • Extracting metadata from a variety of file types
  • Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome
  • Analyzing Windows Event Logs (evt and evtx)
  • Exploring ZIP, RAR, etc. archives
  • Extracting e-mails from PST, OST, Exchange EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.
  • Finding pictures embedded in documents, etc.
  • Creating video stills from movie files
  • Skin color percentage calculation and black and white detection
  • Identifying file type specific encryption and running statistical encryption tests

The Hash Database

  • Importing single or multiple hash sets
  • Creating your own hash sets
  • Matching files against existing hash sets via Refine Volume Snapshot

Various methods of file recovery

Customizing file signatures

Using search functions effectively

  • Practically unlimited numbers of keywords simultaneously
  • Multiple encodings (Windows code pages, Mac encodings, Unicode: UTF-16, UTF-8) simultaneously
  • The many advantages of logical over physical search
  • Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)
  • GREP search
  • Logical combination of multiple keywords while evaluating results
  • Filtering keywords based on the files they are contained in

Decoding Base64, Uuencode, etc.

Advanced features (topics may include the following; not all are guaranteed, because of time constraints or for other reasons)

  • .e01 evidence file format
  • Creating skeleton images
  • Creating cleansed images
  • Sector superimposition
  • Working with evidence file containers
    • Creating containers, understanding the available options
    • Adding files to containers from various sources
    • Closing containers, optionally converting them
    • Using containers as evidence objects
  • Finding and analyzing deleted partitions
  • Reconstructing RAID systems
    • Practical examples for RAID 0 and RAID 5
    • Explanation of underlying data arrangements
    • Clues towards finding the right parameters
  • Dynamic disks
  • LVM2
  • Understanding the levels at which file data is read and interpreted during analysis
  • How X-Tensions work
  • Recovering deleted NTFS-compressed files manually
  • Block-wise hashing and matching
  • Data profiles (Analyze Block functionality)
  • Indexing
  • Customizing the registry report
  • Templates

The goal is to be able to draw defensible conclusions from the data and metadata stored on, or seemingly deleted from, media in order to answer specific questions, while documenting the proceedings in a manner acceptable in court.

Examples:

  • “What documents were altered on the evening of January 12, 2012?”
  • “What pictures were hidden with what method, where and by whom?”
  • “Who viewed which web pages on what day?”
  • “Which MS Excel documents saved by Alan Smith contain the word ‘invoice’?”
  • “Which USB sticks were attached to the computer at what time?”