X-Ways Forensics I

Digital Forensic Training
Home » Digital Forensic Training » X-Ways Training

About This Course

X-Ways Forensics I is a 4 day training course focused on the systematic and efficient examination of computer media using the integrated computer forensics software “X-Ways Forensics”. Many topics will be explained along with their theoretical background (slack space, partially initialized space, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files, etc. etc.). Other topics, such as forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, amongst others will be covered.

The students will be instructed, for example, on how to get the most thorough overview of existing and deleted files and data from computer media, suggestions on the most efficient ways to process cases relating to CSAM (child sexual abuse material), etc. At the end of the course there will be a practical exam that can treated as just another exercise or be marked by the instructor. This exam covers the most important functions of X-Ways Forensics and helps to gauge your proficiency. (individual results are not recorded). Printed materials for the course will be provided for later repetition. Basic knowledge of computer forensics is a prerequisite.

The approach of this course is very tool-centred. After attending the course a Certificate of Attendance will be issued from X-Ways Software Technology AG, and will allow the attendee to be eligible to attempt the X-PERT Certification.

Reserve Your Spot!

    Select a Class:

    Your name:

    Your email:


    Agency or Business:



    Seat Type:

    *Requests for Law Enforcement pricing must be accompanied by a valid Law Enforcement agency email address.

    Number of Seats:

    Additional Details: (optional)

    Course Overview

    Basic setup of the software

    • Key folder paths
    • Read-only vs Edit vs. In-Place mode – WinHex vs. X-Ways Forensics
    • Start-up options
    • Alternative disk access methods
    • Viewer programs

    Learning the user interface components

    • Menus and toolbars
    • Directory browser (icons, sorting, navigation, …)
    • Virtual files and directories
    • Case data window with directory tree
    • The case root
    • Modes: Disk/Partition/Volume vs File
    • Info panel

    Navigating disks and file systems

    • Understanding offsets and sectors
    • Absolute, relative and backwards positioning
    • Directly navigating to specific file system structures (e.g. FILE records in NTFS, Inodes in Ext*)

    Understanding the Data Interpreter

    • Available conversion options
    • How to get the value you actually want

    Creating disk images

    • Raw images and evidence files
    • Fast, adaptive compression
    • In-built encryption


    Creating a case/adding evidence objects

    Hash calculation and checking

    Using the gallery view and skin color detection efficiently

    Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files

    Previewing file contents

    Calendar view and event list (timeline)

    Working with the directory browser

    • Recursive listing of directories and entire drives
    • Column visibility and arrangements
    • Copying cell values
    • Selecting, tagging, hiding, viewing, opening files
    • Recovering/copying files
    • Identifying duplicates based on hash
    • Efficient navigation of the file systems’ data structures

    Filtering files

    • Existing, previously existing
    • tagged, not tagged
    • viewed, not viewed
    • non-hidden, hidden
    • By name, including multiples: by exact name, using wildcards, searching within name, using GREP
    • By path, including multiples
    • By type – exact type, multiple types, entire category, multiple categories
    • By size
    • By one or more timestamps
    • By attributes: ADS, compression, encryption, e-mail (unread, with attachment), video still, and more

    Creating report tables and report table associations

    Using report tables for filtering and classification

    Report creation: Basic reports, report tables and activity log

    Refining Volume Snapshots:

    • File system specific thorough data structure search for previously existing data
    • Signature search for previously existing data not identifiable via file system metadata
    • Verifying file types based on signatures on algorithms
    • Extracting metadata from a variety of file types
    • Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome
    • Analyzing Windows Event Logs (evt and evtx)
    • Exploring ZIP, RAR, etc. archives
    • Extracting e-mails from PST, OST, Exchange EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.
    • Finding pictures embedded in documents, etc.
    • Creating video stills from movie files
    • Skin color percentage calculation and black and white detection
    • Picture analysis with Excire
    • Identifying file type specific encryption and running statistical encryption tests



    The Hash Database

    • Importing single or multiple hash sets
    • Creating your own hash sets
    • Matching files against existing hash sets via Refine Volume Snapshot

    Various methods of file recovery

    Customizing file signatures

    Using search functions effectively

    • Practically unlimited numbers of keywords simultaneously
    • Multiple encodings (Windows codepages, MAC encodings, Unicode: UTF-16, UTF-8) simultaneously
    • The many advantages of logical over physical search
    • Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)
    • GREP search
    • Logical combination of multiple keywords while evaluation results
    • Filtering keywords based on the files they are contained in

    Decoding Base64, Uuencode, etc.

    It is the goal of our courses to familiarize users of our software with the tool so much that they feel confident drawing sustainable conclusions from the data and metadata stored on or seemingly deleted from media to answer to specific problems while documenting the proceedings in a manner acceptable in court.


    • “What documents were altered on the evening of January 12, 2012?”
    • “What pictures were hidden with what method, where and by whom?”
    • “Who viewed which web pages on what day?”
    • “Which MS Excel documents saved by Alan Smith contain the word ‘invoice’?”
    • “Which USB sticks were attached to the computer at what time?”