This book is one of those books that begged to be written for years, but I didn’t realize it until recently. First off, let me talk a little about X-Ways Forensics. X-Ways Forensics is a fairly new digital forensic software application that was released in 2004 by Stefan Fleischmann of X-Ways Software AG in Germany. Stefan is also the developer of the widely used hex editor WinHex, on which X-Ways Forensics is based. Those examiners who started in forensics during the days of using hex editors certainly knew of WinHex as one of the best, if not the best, hex editors available.
My initial interest in X-Ways Forensics stemmed only from being a longtime WinHex user. Finding a “forensic” version of WinHex on the WinHex website looked cool and I figured that since WinHex is a pretty good hex editor, a forensic version may be good also.
Sending a few emails to Stefan asking if he would give a class resulted in a small group of examiners being taught how to use X-Ways Forensics in Seattle early in 2005. Even with the first release of X-Ways Forensics, I knew that Stefan was on to something, as X-Ways Forensics was fast, easy to use, and had a small footprint that could run on just about any system. It was also neat, in that first class, to see Stefan build improvements from our suggestions directly into X-Ways Forensics during the class…
Since that first class, there were more than a few exams I had where X-Ways saw data that other tools did not. It carved more, displayed more detail, and was more versatile in what I needed than other tools. I found that when “Tool A” didn’t work or couldn’t open an image, X-Ways Forensics would be able to, and I was right every time. I was hooked and figured everyone else would be too. But not everyone is so easily convinced to try a different tool.
There have always been many forensic analysts who have avoided using X-Ways because it was “too hard” or “not intuitive” with a manual that wasn’t easy to figure out. I never thought that way myself, probably because I was in a room where Stefan showed us how to use it from the first time I was exposed to it. Unfortunately for the rest of the digital forensic world, if you didn’t attend a course in X-Ways, the interface can be intimidating. For the really busy forensic analyst, making the time to learn X-Ways Forensics wasn’t in the daily schedule if you were already using another tool. I totally get that.
So in 2010, I wrote a short XWF QuickStart Guide which made its way around the Internet and even onto the X-Ways website. From that one simple guide, I received dozens of emails from owners of X-Ways licenses that they finally had something to at least show how to do the basics in X-Ways Forensics quickly and easily. And that is when I figured a book would do more justice than a simple guide.
I’ll admit, even as one of the first users of X-Ways Forensics and even as I have used it as a primary forensic tool for almost 10 years, I still had doubts about whether I was using X-Ways Forensics to its fullest ability. Writing a book about X-Ways needed a good team to make sure it was done right, especially since I am only a user, not a developer of the software. Thus, my search for other X-Ways experts began.
Eric Zimmerman accepted my badgering to be a co-author and I am truly grateful. Eric is one of those computer scientist forensic examiners who can take a job needing a week to finish and have it done in hours if not faster. I pestered another long-time X-Ways Forensics user, Jimmy Weg, until he agreed to at least be a Tech Editor for the book with his busy schedule. And again, the book was fortunate to have Jimmy on board. Of course, having Stefan Fleischmann support our book by reviewing every chapter for accuracy ensured we would have everything right. Stefan’s view of writing about X-Ways is different from our view, so the manual and the book are different. Both are needed and complement each other, but they are different.
We knew that during the time of writing the book, Stefan would update X-Ways Forensics with new features, updates, and upgrades. We knew this because Stefan constantly updates X-Ways Forensics! Not a month goes by without a new feature or an improved function. Many of these changes are suggested by a solid core of X-Ways Forensics users, so each update is substantially better than the prior one. With this, the book will still retain its currency and value: no matter how many updates are made, the book covers the 95% of X-Ways Forensics usage that remains unchanged. The remaining changes are easily found on the X-Ways website. We wrote the book to be able to keep up with updates, even though we couldn’t put every update in the book before it went to press.
One major business difference between X-Ways Forensics and the other forensic software suites is the manner of marketing conducted by the companies. Most of the big name brands have flashy websites, plenty of white papers, comparison tests against their competition (none seem to want to compare against X-Ways Forensics…), and a tremendous marketing push toward the eDiscovery market. Some of these big companies hold entire conferences to sell their wares. Not X-Ways. There is no fluff. No excess costs. No attempts to sell you enterprise editions or modules or add-ons. X-Ways caters to the true forensic analyst at a cost that can’t be beat. For that reason, there is a movement of X-Ways Forensics users that will pit their dongle against any other software without hesitation.
I’d like to tell anyone who has used X-Ways Forensics extensively for years that you will learn something that you did not know in this book. You may learn many things you didn’t know before. I know I did. We all did. I’d like to think Stefan also realized a thing or two about X-Ways Forensics during the book writing process. The book is that good, and I’m not saying that because I was part of the team that made it. I’m saying it because this is the book I wish I had when I started using X-Ways Forensics.
So there you have it. That is the story behind the X-Ways Forensics Practitioner’s Guide, from its beginnings to the print edition, in a nutshell. There may have been an excuse you used to avoid using X-Ways Forensics before, but those excuses are gone. With this book and an X-Ways Forensics dongle, you can take off running, faster than any other forensic tool and with better results.
It might sound like I work for X-Ways, but I don’t. The reason I wanted to write this book was personal and maybe a little selfish. The way I look at it, the more users of X-Ways Forensics there are, the greater the chance that Stefan will keep improving his tool. I benefit directly from that and so does everyone else. There is a saying: ‘beware of the analysts that use X-Ways Forensics, for they probably know what they are doing’. I actually made that up, but it is fitting.
About Brett Shavers:
Brett Shavers is a former law enforcement officer of a municipal police department. He has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended over 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the department’s first digital forensics lab in a small, cluttered storage closet. Shavers is also a Digital Forensics Practitioner, expert witness, and former Adjunct Instructor for the University of Washington Digital Forensics program.
His most recent book, X-Ways Forensics Practitioner’s Guide, has just been released not long after his first book, Placing the Suspect Behind the Keyboard. Both are available for purchase on the Elsevier Store at a 25% discount.
Stay up-to-date by following the X-Ways Forensics Blog and follow them on Twitter @XWaysGuide
Identifying documents with FuzZyDoc
Part of the extension of the volume snapshot (Refine Volume Snapshot).
The so-called FuzZyDoc technology can help you to identify known documents (word processing documents, presentations, spreadsheets, e-mails, plain text files, ...) with a much more robust approach than conventional hash values. Even if a document was stored in a different file format (e.g. first PPT, then PPTX, then PDF), it can still be recognized. Internal metadata changes, e.g. after a 'Save as' or after printing (which may update a 'last printed' timestamp), do not prevent identification either. Very often, even if text was inserted/removed/reordered/revised, a document can still be recognized. This is achieved by using fuzzy hashes.
FuzZyDoc hash values are stored in yet another hash database in X-Ways Forensics. Hash sets based on selected documents can be added to the FuzZyDoc database exactly like hash sets can be created in ordinary hash databases, and the FuzZyDoc hash database can also be managed in the same dialog window as the other hash databases. For each selected document you can create 1 separate hash set, or you can create 1 hash set for all selected documents. Up to 65,535 hash sets are supported in a FuzZyDoc hash database.
FuzZyDoc is available to all users of X-Ways Forensics and X-Ways Investigator (i.e. not only law enforcement like PhotoDNA). FuzZyDoc should work well with documents in practically all Western and Eastern European languages, many Asian languages (e.g. Chinese, Japanese, Korean, Indonesian, Malay, Tamil, Tagalog, ..., but not Thai, Divehi, Tibetan, Punjabi, ...), and Middle Eastern languages (e.g. Arabic, Hebrew, ..., but not Pashto, ...). Note that numbers in spreadsheet cells are not exploited by the algorithm, only text. Note that only files with a confirmed or newly identified type will be matched against the FuzZyDoc hash database. For that reason, file type verification is applied automatically when FuzZyDoc matching is requested.
Documents whose contents are largely identical (e.g. invoices created by the same company with the same letterhead) are considered similar by the algorithm even if important details change (billing address, price, product description), depending on the amount of identical text. That means that if you have 1 copy of an invoice of a company, matching against unknown documents will easily identify other invoices of the same company. For every document that is matched against the database, up to 4 matching hash sets are returned, and the 4 best matching hash sets are picked for that if more than 4 match. For every matching hash set, X-Ways Forensics also presents a percentage that roughly indicates to what degree the contents of the document match the hash set. Two different percentage types are available. A percentage based on the total text in the processed document gives you an idea of how much of the text in the document is known/was recognized, whereas a percentage based on the text represented by the hash set gives you an idea of how closely a document resembles the original document that the hash set is based on (makes sense only if you generate 1 hash set per document, i.e. do not combine multiple documents in 1 hash set). The matching percentage does not count characters one by one, and it works only on documents that actually make sense, not on small test files that only contain a few words.
Before matching files against the FuzZyDoc hash database (a new operation of Specialist | Refine Volume Snapshot), you can specify which types of files you would like to analyze, and you can unselect hash sets in the database that you are temporarily not interested in. Note that processing fewer files (e.g. by specifying fewer file types in the mask) of course requires proportionally less time, but selecting fewer hash sets for matching as such does not save time. You may specify a certain minimum percentage that you require for matches (15% by default) to ignore insignificant minor similarities. That option is not meant to save time either.
In order to re-match all documents in the volume snapshot against the FuzZyDoc hash database, please remove the checkmark in the 'Already done' box first. Otherwise the same files will not be matched again, for performance reasons. Re-matching the same files may become necessary not only if you add additional hash sets to your FuzZyDoc database, but also if you delete hash sets, as that invalidates some internal links (if that happens, it will be shown in the cells of the result column).
Matches with the FuzZyDoc database are presented in the same column as PhotoDNA matches and skin color percentages, called 'Analysis'. A filter for FuzZyDoc matches is available. FuzZyDoc should prove very useful for many kinds of white collar crime cases, most obviously (but not limited to) those involving stolen intellectual property (e.g. software source code) or leakage of classified documents.
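The description above leaves the matching mechanics abstract: a hash set built from one or several documents, two different match percentages, a minimum percentage (15% by default) and a cap of four returned hash sets. The following is an added toy illustration, not X-Ways code and not the FuzZyDoc algorithm itself (X-Ways does not publish its internals). It assumes a simple word-shingle fuzzy hash, a constructed invoice pair with the same letterhead but different billing details, and a constructed unrelated document, to show why a second invoice from the same company matches, why numbers do not count, and why the "percentage of the hash set" figure only makes sense for a hash set built from a single document.

```python
"""Toy document fuzzy hashing with two match percentages.

Constructed illustration (word shingles hashed with SHA-256), NOT the
FuzZyDoc algorithm. It mirrors the behaviour described for FuzZyDoc:
a hash set per document or per group of documents, matching that
survives edits, a minimum-percentage threshold, at most four results,
and two percentage types.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

SHINGLE_WORDS = 4  # words per shingle; an assumed value, not from X-Ways


def tokenize(text: str) -> list[str]:
    """Lower-case alphabetic words only. Digits are dropped so prices and
    quantities do not influence the match (FuzZyDoc likewise uses text,
    not the numbers in spreadsheet cells)."""
    return re.findall(r"[^\W\d_]+", text.lower())


def shingle_hashes(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Hash every run of k consecutive words. The set of digests is the
    document's fuzzy fingerprint: an insertion or reordering only breaks the
    shingles that straddle the edit, so most digests survive."""
    words = tokenize(text)
    digests: set[str] = set()
    for i in range(len(words) - k + 1):
        gram = " ".join(words[i:i + k]).encode("utf-8")
        digests.add(hashlib.sha256(gram).hexdigest()[:16])
    return digests


@dataclass
class HashSet:
    name: str
    digests: set[str] = field(default_factory=set)


def build_hash_set(name: str, *documents: str) -> HashSet:
    """One hash set from a single document, or one covering several."""
    hs = HashSet(name)
    for doc in documents:
        hs.digests |= shingle_hashes(doc)
    return hs


def match_document(text: str, hash_sets: list[HashSet],
                   min_percent: int = 15, max_results: int = 4):
    """Return up to max_results tuples (name, pct_of_document, pct_of_hash_set),
    best first. pct_of_document: how much of this document's text is known.
    pct_of_hash_set: how closely it resembles the reference text, which is
    only meaningful if the hash set was built from one document."""
    doc = shingle_hashes(text)
    if not doc:  # too short to fingerprint, as with tiny test files
        return []
    results = []
    for hs in hash_sets:
        if not hs.digests:
            continue
        common = len(doc & hs.digests)
        pct_doc = round(100 * common / len(doc))
        pct_set = round(100 * common / len(hs.digests))
        if pct_doc >= min_percent:
            results.append((hs.name, pct_doc, pct_set))
    results.sort(key=lambda r: r[1], reverse=True)
    return results[:max_results]


# Constructed sample documents, not real data.
INVOICE_A = """Acme Widgets Limited, 12 Harbour Road, Springfield.
Thank you for your order. Payment is due within thirty days of the invoice date.
Please quote the invoice number on all correspondence and remittance advice.
Bill to: Jane Doe, 4 Elm Street. Product: blue widget, quantity 10, total 250.00."""

INVOICE_B = """Acme Widgets Limited, 12 Harbour Road, Springfield.
Thank you for your order. Payment is due within thirty days of the invoice date.
Please quote the invoice number on all correspondence and remittance advice.
Bill to: John Smith, 9 Oak Avenue. Product: red gadget, quantity 3, total 90.00."""

UNRELATED = """Trail notes: the ridge path climbs steadily through pine forest
before opening onto a meadow with views across the whole valley."""


if __name__ == "__main__":
    sets = [build_hash_set("acme-invoice", INVOICE_A),
            build_hash_set("trail-notes", UNRELATED)]
    for label, doc in (("same invoice", INVOICE_A),
                       ("other invoice", INVOICE_B),
                       ("unrelated", UNRELATED)):
        print(label, match_document(doc, sets))
```

Running it shows the original invoice at 100%/100%, the second invoice of the same company well above the 15% threshold but below 100%, and the unrelated text filtered out entirely. Building one set from several documents keeps the first percentage meaningful but dilutes the second, which is the reason for the "1 hash set per document" advice above.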