This course is focused on the systematic and efficient examination of computer media using the integrated computer forensics software ‘X-Ways Forensics’ The students will learn e.g. how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan.
This course is focused on the systematic and efficient examination of computer media using the integrated
computer forensics software “X-Ways Forensics”.
Complete and systematic coverage of all computer forensics features in WinHex and X-Ways Forensics. Handson exercises, simulating most aspects of the complete computer forensics process. Attendees are encouraged to immediately try newly gained insights as provided by the instructor, with sample image files. Many topics are explained along with their theoretical background (slack: beyond the usual, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, … Emphasis can be put on any aspect suggested by the participants. You will receive reference training material for later repetition. Prerequisite: basic knowledge of computer forensics.
The students will learn e.g. how to get the most thorough overview conceivable of existing and deleted files on
computer media, how to scan for child pornography in the most efficient way, or how to manually recover deleted files compressed by NTFS which would not even be found by conventional file carving techniques.
Â Basic setup of the software
Â Learning the user interface components
Â Navigating disks and file systems
Â Understanding the Data Interpreter
Â Creating disk images
Â Creating a case/adding evidence objects
Â Hash calculation and checking
Â Using the gallery view and skin color detection efficiently
Â Detecting data hiding methods (eg data streams, host-protected areas (HPA), misnamed files)
Â Previewing file contents
Â Calendar view and event list (timeline)
Â Registry Viewer and Registry Reports, Registry Report definition files
Â Working with the directory browser
Â Filtering files
Â Creating report tables and report table associations
Â Using report tables for filtering and classification
Â Report creation: Basic reports, report tables and activity log
Â Refining Volume Snapshots:
Â The Hash Database
Â Various methods of file recovery
Â Customizing file signatures
Â Using search functions effectively
Â Decoding Base64, Uuencode, etc.
It is the goal to be able to draw sustainable conclusions from the data and metadata stored on or seemingly deleted from media to answer to specific problems while documenting the proceedings in a manner acceptable in court.
“What documents were altered on the evening of January 12, 2012?”
“What pictures were hidden with what method, where and by whom?”
“Who viewed which web pages on what day?”
“Which MS Excel documents saved by Alan Smith contain the word ‘invoice’?”
“Which USB sticks were attached to the computer at what time?”
X-Pert | X-Ways Forensics Instructor