X-Ways Forensics I
Digital Forensic Training
About This Course
X-Ways Forensics I is a 4 day training course focused on the systematic and efficient examination of computer media using the integrated computer forensics software “X-Ways Forensics”. Many topics will be explained along with their theoretical background (slack space, partially initialized space, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files, and so on). Other topics covered include forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering and report creation.
The students will be instructed, for example, on how to get the most thorough overview of existing and deleted files and data from computer media, and will receive suggestions on the most efficient ways to process cases relating to CSAM (child sexual abuse material). At the end of the course there will be a practical exam that can be treated as just another exercise or be marked by the instructor. This exam covers the most important functions of X-Ways Forensics and helps to gauge your proficiency (individual results are not recorded). Printed materials for the course will be provided for later repetition. Basic knowledge of computer forensics is a prerequisite.
The approach of this course is very tool-centred. After attending the course, a Certificate of Attendance will be issued by X-Ways Software Technology AG, which makes the attendee eligible to attempt the X-PERT Certification.
Course Overview
Basic setup of the software
- Key folder paths
- Read-only vs Edit vs. In-Place mode – WinHex vs. X-Ways Forensics
- Start-up options
- Alternative disk access methods
- Viewer programs
Learning the user interface components
- Menus and toolbars
- Directory browser (icons, sorting, navigation, …)
- Virtual files and directories
- Case data window with directory tree
- The case root
- Modes: Disk/Partition/Volume vs File
- Info panel
Navigating disks and file systems
- Understanding offsets and sectors
- Absolute, relative and backwards positioning
- Directly navigating to specific file system structures (e.g. FILE records in NTFS, Inodes in Ext*)
Understanding the Data Interpreter
- Available conversion options
- How to get the value you actually want
Creating disk images
- Raw images and evidence files
- Fast, adaptive compression
- In-built encryption
Creating a case/adding evidence objects
Hash calculation and checking
Using the gallery view and skin color detection efficiently
Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files
Previewing file contents
Calendar view and event list (timeline)
Working with the directory browser
- Recursive listing of directories and entire drives
- Column visibility and arrangements
- Copying cell values
- Selecting, tagging, hiding, viewing, opening files
- Recovering/copying files
- Identifying duplicates based on hash
- Efficient navigation of the file systems’ data structures
Filtering files
- Existing, previously existing
- tagged, not tagged
- viewed, not viewed
- non-hidden, hidden
- By name, including multiples: by exact name, using wildcards, searching within name, using GREP
- By path, including multiples
- By type – exact type, multiple types, entire category, multiple categories
- By size
- By one or more timestamps
- By attributes: ADS, compression, encryption, e-mail (unread, with attachment), video still, and more
Creating report tables and report table associations
Using report tables for filtering and classification
Report creation: Basic reports, report tables and activity log
Refining Volume Snapshots:
- File system specific thorough data structure search for previously existing data
- Signature search for previously existing data not identifiable via file system metadata
- Verifying file types based on signatures and algorithms
- Extracting metadata from a variety of file types
- Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome
- Analyzing Windows Event Logs (evt and evtx)
- Exploring ZIP, RAR, etc. archives
- Extracting e-mails from PST, OST, Exchange EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.
- Finding pictures embedded in documents, etc.
- Creating video stills from movie files
- Skin color percentage calculation and black and white detection
- Picture analysis with Excire
- Identifying file type specific encryption and running statistical encryption tests
The Hash Database
- Importing single or multiple hash sets
- Creating your own hash sets
- Matching files against existing hash sets via Refine Volume Snapshot
Various methods of file recovery
Customizing file signatures
Using search functions effectively
- Practically unlimited numbers of keywords simultaneously
- Multiple encodings (Windows codepages, MAC encodings, Unicode: UTF-16, UTF-8) simultaneously
- The many advantages of logical over physical search
- Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)
- GREP search
- Logical combination of multiple keywords while evaluating results
- Filtering keywords based on the files they are contained in
Decoding Base64, Uuencode, etc.
The goal of our courses is to familiarize users of our software with the tool so thoroughly that they feel confident drawing sustainable conclusions from the data and metadata stored on, or seemingly deleted from, media in order to answer specific questions, while documenting the proceedings in a manner acceptable in court.
Examples:
- “What documents were altered on the evening of January 12, 2012?”
- “What pictures were hidden with what method, where and by whom?”
- “Who viewed which web pages on what day?”
- “Which MS Excel documents saved by Alan Smith contain the word ‘invoice’?”
- “Which USB sticks were attached to the computer at what time?”
X-Ways Forensics I Course Details
- Location: No Courses Scheduled – please contact us to suggest a date.
- LEO/Govt Rate: $2250.00 CAD
- Private Sector Rate: $2400.00 CAD
- Duration: 4 Days
- Additional Details:
- This course is being hosted by Teel Technologies Canada, but all instruction is provided by F111th Consulting. Learn more about our Victoria, BC training center here.
- This class is open to all forensic professionals. Invoices will be sent once training is confirmed after the minimum number of attendees has been reached. With this in mind, please do not make any travel plans that are not refundable.
- Due to the sensitive nature of our curriculum, and industry, all potential students are subject to vetting prior to enrollment. We reserve the right to refuse registration to any person that does not meet our established criteria.
- Laptop Requirements:
- Windows 7 or newer with full admin privileges. A dongle for training will be provided on site if required.