Channel: 'X-Ways Forensics' Video Clips

Listing Files in Directories Based on Directory Names


In a practitioner role you will often be asked to home in on directories that have a particular name or that contain a particular word. This is to be expected given the nature of fiscal investigations, where data is often ordered in a well structured way, but it applies equally to other cases if you have information suggesting that particular directory names are, or may be, in use.

Using X-Ways Forensics, it is possible to exclude all files and directories from view except those that sit in a directory of a certain name, or whose directory name contains a certain word. This is an enormously powerful feature that is, I think, unique to XWF. It enables you, for example, to preview live evidence (by running XWF from a USB drive connected to the target machine) or disks you have removed from a machine, and quickly assess whether directories named after a suspect, a company or a type of fraud exist. In some cases relying on this alone will not be reliable, but in many it is: you might already have information telling you that such directories exist, and be asked to find them and extract their data, and only their data, from among thousands or millions of others, perhaps into an evidence container.

Best of all, using this feature is easy!

Add your evidence object, be it a disk or an image or whatever.

Before enabling the path filters I am about to explain, you need to ensure your XWF options are set so that filters are actually applied to directories. Such is the flexibility of XWF that this can be switched on or off, but if you did not know about the option you would try the feature and it would appear not to work. Bring up the Directory Browser Options, ensure that 'Apply filters to directories, too' and 'List dir.s when exploring recursively' are both ticked, and click OK. This ensures that when you apply your filter and then right click the root of your evidence for a recursive listing, the matching directories are actually shown.



Then you can either left click the little filter funnel to the left of 'Path' to set your path-based filter, or go back to Directory Browser Options and set it there, as shown in the two screenshots below. (If the 'Path' column is not visible, right click any column header, enter a pixel width next to the entry for 'Path' (I use 100 pixels by default) and move it left or right in your view with its up and down buttons.)

 

or

Then just enter the substrings you are searching for. For example, if you were looking for directories that contain the company name 'HSBC Corporation', you could enter 'HSBC' or 'Corporation' and any directory whose name contains either word will be listed: 'HSBC Banking Corporation' or 'HSBC Credit Cards', but also 'Shanghai Corporation'. Obviously, you could instead type 'HSBC Corporation' in full, on its own, if that was the exact phrase you were looking for; a directory whose name contains that phrase, whether exactly ('HSBC Corporation') or as part of a longer name ('HSBC Corporation Global'), will be listed.


In addition, you can really go to town with this; you are not restricted to one name at a time. As you can see from the screenshot, you might have a sheet of dozens of company names. No problem: add them all to the dialog box and X-Ways Forensics will display every folder containing any of the search strings you have entered, which you can then selectively add to your evidence container.

The screenshots below show my initial top level view of my two evidence objects. I know there is a folder called '0001' in there somewhere, but rather than going through each folder, I will apply a path filter of '0001':
My initial Case Data top level view
 
Adding a Directory Search String of '0001'
 
Right click at the Case Root for a Recursive Explore
 
Voila. All files in a directory called '0001' are listed
You might also be picking up the work of someone else and need to quickly list all the folders they had seen or used. A colleague may have listed 40 or 50 files and pasted their details into a spreadsheet without bookmarking them, or you may have a stash of data that another tool could not deal with and want to repeat the work in XWF. To list just the folders in question, paste the 'Path' field from your spreadsheet into the 'Path' filter of X-Ways Forensics and voila (though you may need to apply a file name filter too, depending on the situation; more on that below).

The same technique can be applied to file names, either in full or in part. Again, you might want to list all files that have 'HSBC' somewhere in their name. Left click the funnel to the left of the 'Name' column (ensuring it is visible, in the same way as you did for 'Path') and enter one or more substrings to search for.

WARNING! Be careful now: you now have two filters set, and active filters combine, so XWF will only show you files containing 'HSBC' in their name if they are also in a folder whose path contains 'HSBC'. If you want to look for files anywhere in your case that contain 'HSBC' in their file name, regardless of the folder they are in, deactivate your 'Path' filter first and then apply your name filter. This kind of caution applies to everything you do with X-Ways Forensics.

Once you are done, don't forget to deactivate all filters so that they do not exclude data in your next case, as filters are set per installation, not per case.
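To make the filter semantics above concrete, here is an added Python emulation of the directory browser's Path and Name filters over a small constructed listing. It is not X-Ways code and does not read XWF's own settings; it assumes the behaviour described in this post: several substrings in one filter match if any of them is found, a term prefixed with ':' excludes matches (the NOT logic mentioned elsewhere on this blog), active filters combine with AND, and the 'Apply filters to directories, too' option decides whether directory entries are filtered at all. Case-insensitive matching and treating the parent directory as the 'Path' value are assumptions of the example.

```python
"""Emulation of substring Path/Name filters in the style of the XWF directory
browser.  Added example, not X-Ways code.  Semantics assumed from the post:
  * a filter holds one or more substrings; an entry passes if ANY of them occurs,
  * a term prefixed with ':' is a NOT term; an entry containing it is rejected,
  * every active filter must pass (filters combine with AND),
  * directories are only filtered when apply_to_dirs is True.
Case-insensitive matching and 'path' meaning the parent directory are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    path: str          # parent directory (the 'Path' column)
    name: str          # file or directory name (the 'Name' column)
    is_dir: bool = False


def term_filter(value: str, terms: Iterable[str]) -> bool:
    """Return True if value passes a filter made of the given substrings."""
    positives = [t.lower() for t in terms if not t.startswith(":")]
    negatives = [t[1:].lower() for t in terms if t.startswith(":")]
    v = value.lower()
    if any(n and n in v for n in negatives):
        return False                      # NOT term hit: excluded
    return not positives or any(p in v for p in positives)


def apply_filters(entries: Iterable[Entry],
                  path_terms: Optional[List[str]] = None,
                  name_terms: Optional[List[str]] = None,
                  apply_to_dirs: bool = True) -> List[Entry]:
    """Recursive listing with the active filters applied (AND across filters)."""
    shown = []
    for e in entries:
        if e.is_dir and not apply_to_dirs:
            shown.append(e)               # option unticked: directories bypass filters
            continue
        if path_terms and not term_filter(e.path, path_terms):
            continue
        if name_terms and not term_filter(e.name, name_terms):
            continue
        shown.append(e)
    return shown


# Constructed sample listing standing in for a recursively explored volume.
LISTING = [
    Entry("/Users/alice/Documents", "HSBC Credit Cards", is_dir=True),
    Entry("/Users/alice/Documents", "Shanghai Corporation", is_dir=True),
    Entry("/Users/alice/Documents", "0001", is_dir=True),
    Entry("/Users/alice/Documents/HSBC Credit Cards", "statement-2012.pdf"),
    Entry("/Users/alice/Documents/HSBC Credit Cards", "notes.txt"),
    Entry("/Users/alice/Documents/Shanghai Corporation", "HSBC-transfer.xlsx"),
    Entry("/Users/alice/Documents/Shanghai Corporation", "invoice.docx"),
    Entry("/Users/alice/Documents/0001", "ledger.csv"),
    Entry("/Users/alice/Music", "HSBC jingle.mp3"),
    Entry("/", "Free space"),             # XWF-style virtual object
]


def names(entries: Iterable[Entry]) -> List[str]:
    return [e.name for e in entries]


if __name__ == "__main__":
    print("Path HSBC|Corporation  :", names(apply_filters(LISTING, ["HSBC", "Corporation"])))
    print("Path 0001, dirs bypass :", names(apply_filters(LISTING, ["0001"], apply_to_dirs=False)))
    print("Name HSBC              :", names(apply_filters(LISTING, name_terms=["HSBC"])))
    # The pitfall from the warning: both filters active, so path AND name must contain HSBC.
    print("Path HSBC AND Name HSBC:", names(apply_filters(LISTING, ["HSBC"], ["HSBC"])))
    print("Name :Free space       :", len(apply_filters(LISTING, name_terms=[":Free space"])))
```

The fourth line of output is the point of the warning above: two filters that each find files on their own find nothing together, because nothing in the listing has 'HSBC' in both its name and its parent path.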

NOTE: I have used HSBC as an example only. This post has nothing to do with the actual affairs of HSBC in any way, and neither do I professionally.

A video is to follow once I find my new microphone!

Re-ordering Your List of Evidence Objects


When adding multiple evidence objects to your case, be it a set of forensic images or disks or both, you might realise you've added all or some of your items in an order that you'd prefer to be different. Your choices are either to start again or to look for a solution.

Happily, with XWF there is a subtle way of moving an evidence object up or down so that you can easily re-order and effectively re-group your evidence.

So, you've added all of your evidence and then realised they're in the wrong order (my example only lists two images which is not a great number to show the effect but it matters not - pretend there are ten images!):


Having added all of your evidence, if you right click any of the evidence objects in your left hand case data pane and choose properties, a properties box appears (no surprise there).


Of significant note though are the two little arrows to the top left! What do you think they do? Yep, you've guessed it. They move that particular evidence object up or down in your left hand Case Data pane. Repeat for the other objects until you are happy with the order.

Video 19 - Reviewing Simultaneous Search Results before the Search has Finished

This is a really quick and simple thing, and not at all obvious unless you know about it, but it is very useful to know!

You will often have to run a Simultaneous Search using X-Ways because you either have no need to create a full index or you are searching for a particular pattern or just one particular word. It is brilliant for doing a grep-style search, for example, over specific byte ranges of sectors looking for partition patterns or something like that. In such an instance you probably do not need to wait for the search to run from the start to the end of the disk, given that such data is usually at the start of the disk.



So, having searched say 5% of your disk, XWF might report 'X hits' found so far. What if the hit you are looking for is amongst them already? Do you want to wait until the search has finished to find out? Perhaps not, and you don't have to with XWF. To pause the search and look at the results retrieved so far, just press the blue binoculars in the viewing component menu and XWF will display the results found so far. If the hit you are seeking is not there, press resume to continue; if you have found what you are after, just abort the search!

Simples.

Video (now with sound) is below:



Video 20 - Conducting E-Mail Client Analysis Using X-Ways Forensics



In this video, we show how to use X-Ways Forensics to quickly find e-mail cabinets such as PST, OST, EDB, MBOX and so on from e-mail clients such as MS Outlook, Outlook Express, MS Exchange Databases, Mozilla Thunderbird and so on.



We then show how to parse those cabinets for e-mail messages and attachments along with how to bookmark them (create a 'table association'). That leads on to Video 21 - Reporting.


Video 21 - Reporting with X-Ways Forensics

In Video 21, I quickly show the basics of reporting with X-Ways by illustrating the basic options, the selection of various files for inclusion in a report (e-mails, text files and word processing files), and how the e-mails can easily be attached as actual .eml messages for easy opening on most Windows PCs.

The 'Create Report' dialog box
The Imaging Speeds of X-Ways Forensics

So imaging speeds are crucial. With disks getting exponentially bigger, and despite all the talk of triage, it is still preferable (if possible) to get a full disk image - period. Having a full disk image gives you so many options - better undelete possibilities, searching and reconstruction of data in free space, virtualisation, and more.


I have written before in earlier posts about how X-Ways Forensics has intelligent compression options that compress a lot or not a lot depending on whether the data it finds is compressible. It is a fairly obvious idea (though I expect coding it was not simple at all!) yet hardly any of the mainstream imaging solutions offer it, which is again to the credit of the guys at X-Ways, who were the first to introduce it.

I am not going to waffle on again about how to do imaging in this post because I have already done it here. What I want to document here are the speed differences versus image size from some tests I did a while ago. But I will quickly recap on what sets XWF apart: whatever compression level you choose, it considers every byte of data read, but it then compresses (or not) depending on how compressible the data encountered is. So, if you have a 500 GB disk full of MP3 files and you choose 'Fast, Adaptive', it will read in big chunks and compute an average. The average will be 'Er, not really compressible! Move on to the next big chunk'. Whereas if you chose maximum compression, imaging will be a touch slower because it reads in smaller chunks and then computes an average. In the case of MP3 data, the average will still be 'Er, not really compressible! Move on to the next small chunk'. So the speed is slower due to the smaller chunk reads but the image is likely to be of similar size, in this example. Whereas if the disk were full of Office documents, it would image really quickly with 'Fast, Adaptive' and do a great job of compressing it too; maximum compression would compress it much more but be just slightly slower.

By comparison, the other tools ask 'What compression level am I using? Oh right, maximum' and so it will spend time trying to compress data, even if it can't be compressed. Ergo, the image size is not much different regardless of what compression you choose if all the data is un-compressible in the first place.
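Here is an added Python sketch of the adaptive decision the paragraphs above describe: read the input in chunks, test how much each chunk shrinks, and store it raw when it does not shrink enough, so that incompressible regions cost nothing to decompress later. It is not X-Ways code and has nothing to do with the layout of its evidence file format; the chunk sizes, the 5 per cent saving threshold, the tiny tag-plus-length framing and the use of deflate (zlib) are all assumptions of the example. The sample input is constructed: a run of repetitive text (compressible, like Office documents) followed by pseudo-random bytes (incompressible, like MP3s).

```python
"""Adaptive chunked compression, added illustration (not X-Ways code or format).
Each chunk is compressed on trial; if the saving is below MIN_SAVING the chunk is
stored raw, so incompressible data costs no decompression later on."""
import random
import struct
import zlib
from typing import Dict, Tuple

RAW, DEFLATED = 0, 1
FRAME = struct.Struct("<BI")          # assumed framing: 1-byte tag + 4-byte payload length
MIN_SAVING = 0.05                      # assumed: deflate only if the chunk shrinks by >= 5 %


def compress_adaptive(data: bytes, chunk_size: int, level: int = 6) -> Tuple[bytes, Dict[str, int]]:
    """Return the packed stream and per-run statistics."""
    out = bytearray()
    stats = {"chunks": 0, "raw": 0, "deflated": 0}
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        stats["chunks"] += 1
        trial = zlib.compress(chunk, level)
        if len(trial) <= len(chunk) * (1.0 - MIN_SAVING):
            out += FRAME.pack(DEFLATED, len(trial)) + trial
            stats["deflated"] += 1
        else:
            out += FRAME.pack(RAW, len(chunk)) + chunk     # "not really compressible, move on"
            stats["raw"] += 1
    stats["in_bytes"], stats["out_bytes"] = len(data), len(out)
    return bytes(out), stats


def decompress_adaptive(stream: bytes) -> bytes:
    """Inverse of compress_adaptive; raw chunks are copied without touching zlib."""
    out = bytearray()
    pos = 0
    while pos < len(stream):
        tag, length = FRAME.unpack_from(stream, pos)
        pos += FRAME.size
        payload = stream[pos:pos + length]
        pos += length
        out += zlib.decompress(payload) if tag == DEFLATED else payload
    return bytes(out)


def saving_percent(stats: Dict[str, int]) -> float:
    """Space saved relative to the input, as a percentage."""
    return 100.0 * (1 - stats["out_bytes"] / stats["in_bytes"])


# Constructed sample: 256 KiB of repetitive text then 256 KiB of pseudo-random bytes.
KIB = 1024
TEXT = (b"Quarterly figures, see attached spreadsheet. " * 6000)[:256 * KIB]
NOISE = random.Random(2012).randbytes(256 * KIB)
SAMPLE = TEXT + NOISE

if __name__ == "__main__":
    for size in (64 * KIB, 512 * KIB):
        packed, st = compress_adaptive(SAMPLE, size)
        assert decompress_adaptive(packed) == SAMPLE
        print(f"chunk {size // KIB:>4} KiB: {st}  saving {saving_percent(st):.1f}%")
```

With 64 KiB chunks the four random chunks are stored raw and only the four text chunks are deflated; with a single 512 KiB chunk the whole input is deflated because, averaged over the big chunk, it still shrinks enough. The image sizes are about the same, but the coarse decision means zlib has to be run over the random half again on every read, which is the decompression penalty the blog describes.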

The following is a quote from the X-Ways Forensics website:

"The intelligence of the compression and options such as exclusion of free drive space and reverse imaging make X-Ways Forensics (and now X-Ways Imager) the perhaps best disk imaging software on the market. The algorithms in use in X-Ways Forensics and X-Ways Imager offer a great dynamic compromise between speed and compression rate and when reasonable avoid the decompression performance penalty when working with the image after its creation, unlike some really bad other disk imaging tools that waste your time and use compression blindly and shall not be named here. Plus X-Ways Imager can reconstruct virtually all conceivable variants of failed disk-based RAID systems like JBOD, RAID 0, RAID 5, RAID 6 and more if you know the correct parameters, and can image or clone the RAID."

The test was a comparison between XWF and TIM (Tableau Imager) but both FTK Imager and TIM are quite similar with regard to how they compress data - TIM is OK, and it is free. FTK Imager is OK, and it is free too.

However, if you're reading this I assume you're either a law enforcement officer working for government or a private company analyst working for a company or a self-employed contractor. As such, you probably have an XWF dongle anyway so you can just image with the full version. However, if you have dedicated imaging machines, you need either another full dongle (overkill for just imaging) or the special imaging dongle which is about 100 UK pounds and allows just the imaging functions of XWF. With that dongle, you run XWF as normal but only the imaging options are available, AFAIK. And that's all you need, for imaging, of course. My point is that 'a free imager' should not be of interest to the reader of this post because you either have everything you need or you just need to find a hundred quid, so what's the point in counter-arguing with 'yeah, but FTK Imager is free'...

So, the results below are from imaging a normal 200 GB SATA hard disk holding a variety of compressible and uncompressible data. I imaged it with XWF (v15.7, in fact) using each of its compression options via a FireWire 800 Tableau write-blocker and compared the results. I did this because a) most practitioners will be connecting disks via write-blockers as opposed to plugging them directly into an IDE, SATA or eSATA port, and b) TIM claimed that its major plus point was its ability to image via Tableau write-blockers, which I am sure is true, but in this example I think it matters not.


X-Ways Forensics v15.7 SR-2 (speeds in MB/min; the compression ratio is the space saved relative to the 200 GB disk)

Average Adaptive Compression   Started   Ended     Duration   Avg Speed (MB/min)   Image Size   Avg Compression Ratio
Imaging:                       11:20:58  12:26:06  01:05:07   2929 (~3 GB/min)     64.2 GB      68%
Verification:                  12:26:06  12:46:17  00:20:08   9469 (~10 GB/min)

Fast Adaptive Compression      Started   Ended     Duration   Avg Speed (MB/min)   Image Size   Avg Compression Ratio
Imaging:                       12:52     13:56:09  01:03:28   3006 (~3 GB/min)     65.8 GB      67%
Verification:                  13:56:00  14:16:26  00:20:15   9415 (~10 GB/min)

Max (High) Compression         Started   Ended     Duration   Avg Speed (MB/min)   Image Size   Avg Compression Ratio
Imaging:                       14:19:18  15:46:59  01:27:40   2176 (~2 GB/min)     49.1 GB      75%
Verification:                  15:46:59  16:07:00  00:19:59   9541 (~10 GB/min)


Tableau Imager (TIM) v1.2

Low Compression                Started   Ended     Duration   Avg Speed (MB/min)   Image Size   Avg Compression Ratio
Imaging:                       16:13:59  17:15:00  ~01:02:00  Not recorded         46.4 GB      Not recorded
Verification:                  Not conducted by TIM

High Compression               Started   Ended     Duration   Avg Speed (MB/min)   Image Size   Avg Compression Ratio
Imaging:                       08:35:42  09:38:09  ~01:02:00  Not recorded         45.7 GB      Not recorded
Verification:                  Not conducted by TIM

AFAIK, TIM doesn't verify (it might now, maybe; I haven't looked). FTK Imager does verify, but in my experience it seldom exceeds 30 MB/s on a standard image using the hardware described.

So I won't say much more, other than that, at the time of writing, we are now up to version 16.6 and I think some improvements have been made to the imaging features since 15.7. So you decide.

Video 22 - Parsing and Rendering Index.dat Files

In Video 22 I show you how easy and quick it is to render a raw index.dat file from Internet Explorer into a form that you can not only read but also understand, export and send to someone else. Though it doesn't actually demonstrate Mozilla Firefox and Google Chrome histories, the technique is the same - simply adjust for the file type.

(PS - The case name 'Sounds Test' was from an earlier video - trust me, this does show how to parse web browser histories!)



Video 22 below:


Now on Twitter...

Follow me and help more people learn of the benefits of X-Ways Forensics! I'm not generally a fan of 'social networking' to be honest but the Twitter thing seems like a good idea to help readership of X-Ways Clips. So I've posted some of the most read blog entries as 'tweets' on my new Twitter page that I encourage you to follow if you use it:



https://twitter.com/xwaysclips


Understanding the Volume Snapshot of X-Ways Forensics


I'm often asked for an explanation of what the 'RVS' (Refine Volume Snapshot) is and how it equates to features of other forensic tools; it is clear that people often misunderstand it and quite how it works.

My explanation, for what it's worth is this...

When you first add an evidence object, regardless of whether it is an image, a disk or whatever, you will notice that XWF initially adds it to your case and does a 'basic' mapping to determine what partitions reside on it. I say 'basic' because I cannot possibly explain all of the fine details that the guys at XWF have put into making this one initial step immensely powerful. In almost every instance, it will find all manner of partitions: NTFS, FAT, exFAT, EXT2/3/4, dynamic disks, Reiser and many more, the majority of which other tools either do not support or do not support as well. Anyway, at that point very few system resources have been used: it has added the volume and parsed the partition structure.

Once you click on a partition though (or recursively explore), it does what again appears to be a basic traversal of the partition(s). This, again, is immensely powerful: it reads the $MFT, superblock, FAT table or whatever and does some very clever things with it to present to you, almost immediately, all the live files and many more besides, including partially and fully deleted files and fragments. At that point it has created a 'Volume Snapshot', which is basically a snapshot in time of that evidence object. What's more, it reads all this information from the physical disk itself as opposed to what the operating system might be presenting to you. So if it is a live computer with NTFS, it physically reads the MFT and mines it for live and recoverable information, because as we all know, Windows lies!

The snapshot you have now is an 'overlay' if you like - a very efficient database structure that communicates between XWF and the image itself.

However, at this stage it has done what XWF considers to be a 'sufficient' traversal to help the practitioner work out what he wants next. If, for example, he's been told to just collect all of the e-mail cabinets like PST, OST, EDB etc, what's the point in XWF in parsing all of those, pulling out and computing all of the e-mails and attachments etc if the practitioner intends to do that 'back at base'?

So let's say we have plenty of time and we want to see everything. This is where we refine that basic snapshot by 'Refining the Volume Snapshot' (RVS). The options are many, very powerful and very flexible. You can refine the snapshots for every evidence object (which XWF allows you to see cumulatively or one at a time), or just one particular object, or a couple of them.

By ticking the appropriate options, the snapshot is refined to then include all of these additional bits and pieces. The snapshot then lives with that case. On that note, it is important to state that in order to use the RVS effectively, you do need to create a case, add your evidence objects, and then do your RVS otherwise your snapshot data will be lost when you close.

Best of all, if you have a case with 20 evidence objects, each with their own snapshot refinements, when you save the case and re-open it later you can decide yourself whether you want XWF to open them all or just one or two. This is brilliant on occasion when you might have done some work six months ago and then you get a further request to do something with one evidence object. Rather than having your forensic tool open the case and everything about every object in it and take up about 3 GB of resources (like some forensic tools I know!), you can have XWF occupy just a few KB. Amazingly cool.

They say a picture says a thousand words, so maybe this chart will be easier on the eye? I made it using the fantastic and free 'yEd' by yWorks.
 
Pictorial explanation of the XWF Snapshot and Refinement of it - (c) 2012 - X-Ways Clips


As if that wasn't enough, below is a copy and paste from the XWF manual, page 19, written by Stefan Fleischmann of X-Ways Software Technology AG (Sept 2012):

'A volume snapshot is a database of the contents of a volume (files, directories, …) at a given point of time. The directory tree and the directory browser present views into this database. Based on the underlying file system's data structures, it consists of one record per file or directory, and remembers practically all metadata (name, path, size, timestamps, attributes, ...), just not the contents of files or data of directories. A volume snapshot usually references both existing and previously existing (e.g. deleted) files, also virtual (artificially defined) files if they are useful for a computer forensic examination (e.g. so that even unused parts of a disk or volume are covered). Operations such as logical searches, indexing, and all commands in the directory browser context menu are applied to the files and directories as they are referenced in the volume snapshot. Because of compressed files and because deleted files and the virtual "Free space" file may be associated with the same clusters of a volume multiple times, the sum of all files and directories in a volume snapshot can easily exceed the total physical size of a volume.'



 

Video 23 - Two quick ways to resolve MS Windows SIDs to Usernames

In this video (Video 23) I quickly show you how to resolve SIDs to user names with information derived from the SAM registry file.

I show you how to do it two ways - first is the slightly longer (but still very quick) way of adjusting the 'type' filter to 'Windows Registry' and then double clicking the SAM file to launch the XWF Registry Viewer where it resolves this information for you. This way is the most feature rich way of doing it, allowing more options with regard to reporting etc or fancy screenshot opportunities.

The second way is by clicking the 'SIDs' button in the case properties to just display the data as text in the messages window! Couldn't be much simpler really.

The 'SIDs' button found in the case properties of every case involving Windows data
PS - note the deliberate mistake in the video of referring to 'SIDs' as 'SSIDs', which are obviously different!!




Jimmy Weg - A fellow XWF blogger and very credible author!

For many months, I have meant to give mention to an associate blogger who writes a lot about XWF, has a large audience and also creates some great instructional videos : Jimmy Weg. His material can be found over at http://www.justaskweg.com . Sorry for not mentioning him sooner.

An interview with Jimmy can be read here and his Twitter page is here


Video 24 - Closing all open evidence objects in an instant

Hi all, and a Happy New Year!

First things first, sorry for the lack of new material in recent months. Life at home has been busy with one thing or another. This is the first video in a series that I hope to make in the next few days and weeks.

A very quick and easy shortcut that I learned of today thanks to Jens Kirschner is the content of Video 24 - Closing all open evidence objects in an instant! ....



As you will probably have noticed, if you add multiple images with multiple partitions to a case, once you explore those partitions, tabs appear at the top of XWF. These tabs are the "opened" representation of those partitions (i.e. the volume snapshot for each object). When you open the case, however, these will not always be opened by default (settings depending: if you have "Restore previous windows arrangement" ticked in General Options, then they might). This is a great feature because it means you can open a case quickly without your machine having to assign memory for every portion of your entire case; you can open parts of it, or open all of it straight away with a quick recursive explore from the case root. Useful for when you are just revisiting perhaps one image from 50, or if you are asked to find "all files that meet criteria X from every image".

So, in a serious case with perhaps dozens of images with three or four partitions a piece, if these are all open, you might well use a fair wedge of memory! For various reasons you might want to release this and get back to a blank canvas.

Two ways to do it - either right click each tab and click 'Close' (long way) or, just press Ctrl+Q to have all open evidence objects closed in an instant but leaving your actual case open!

Video 25 - Creating custom hash sets and then actually using them!

As a digital forensics person, you're always going to need hash sets and you need to know how to create your own and import others. 

I've already covered importing hash sets in "Video 8 - Utilising the Hash Database Functionality" but this post is different. This talks about creating your own from a set of hash values that you might be interested in. 

To demonstrate, though, what I do is create my own XWF internal SHA-1 hash skeleton database (as seen in Video 8) and then add a series of newly downloaded and installed (as of 21/01/13) Linux images to it. Best of all, I then upload that newly created XWF hash set for you to download, which you can point to straight away and then add to.

So the video shows me first creating a case and adding my four Linux images to it. They consist of the three main Linux Mint 14 distributions (KDE, MATE and Cinnamon) and Ubuntu 12.10. I chose these as they are the most popular distributions at the time of writing, used by the majority of home Linux users these days (I include myself in that before anyone takes offence!).

As always, each partition has to be traversed first to populate the XWF snapshot with data about that partition. With Linux filesystems (ext4 on all of these examples), XWF does some extra clever stuff with regards to parsing inodes etc; you will notice it appears to traverse each ext partition twice? It's not that it is doing it twice - I gather it reads the structure once then goes back over it traversing the data found as part of the first scan, so it does take a little longer than with an NTFS partition, but still only dozens of seconds - not hours or even many minutes! Quite remarkable really given what it's doing as part of its "basic" snapshot (remember this is not including the "Particularly thorough filesystem search" snapshot refinement or file carving!). 

Add your image(s) or other evidence objects to a case

So then I create my skeleton hash database (SHA-1 in this case, but any other choice is just as easy). Then, for each image, I create a hash set by simply right clicking at the partition level, listing all files recursively, highlighting them all using Ctrl+A and then right clicking and choosing 'Create hash set'.

Right click and choose 'Create Hash Set'
Create a hash set as either irrelevant or notable, depending on your situation and name it


This will then hash each file and add the value to the hash database. It might take a while if there's lots of files. Remember though - this is simply hashing each file to add it to the global hash database of XWF - it is not adding the hash values to the volume snapshot for the case....yet. That comes soon!

Computing hashes for each file for the database

You then repeat this step for each of your evidence objects. Obviously if you want them separate, do them one at a time. Or, if you have a dozen images that all fall under the banner of 'dodgy files', you can simply right click the Case Root, explore recursively to list all files of all images in your case, select all using Ctrl+A and then click 'Create hash set'. Whatever suits you best. Note however that you may want to exclude some or all of the XWF 'virtual files' such as 'Free space' and 'Filesystem areas' etc., as these are unlikely to be wanted in your hash database. The easiest way to do this is to tick 'Only existing files'!

Other ways (just to be clever) would be to remove them from your list: select some from one partition, right click those whose names you do not want listed ('Free space', for example), click 'Export list', tick the 'Clipboard' box and have the names copied to the clipboard. Then click the 'Name' filter, paste in the values (removing any HTML tags), click 'Activate' and recursively list all files for all objects from the case root. Then select them all, right click and hide them. Or, the other way round, prefix each line with a colon (':') to get the equivalent of NOT logic in the name filter, so that it shows all files EXCEPT those in the list; e.g. ':Free space' lists all files EXCEPT those called 'Free space'. But ticking the 'Only existing files' box is probably easier!

Listing files that I want to hide before adding them to my hash database

Upon completion, and depending on whether you have done each evidence object separately or en masse, your hash database will have some entries in it. As a rough guide, it took about 3 minutes for 140K files on my machine, but that is a Windows 7 virtual machine running on a Linux box with 3 GB of RAM; it would be faster natively. You can then copy that database (which lives in the folder you specify in the General Options, remember) to a shared location for your colleagues to access; all they need to do is set the folder where it is kept in their General Options and hey presto. Consider giving only one person write access, of course.

The finished hash database

So, having got the database setup, what you can now do (besides the obvious thing in this particular example of using it as a known files hash set for removing system files) is other things like querying evidence to say "which computers contain files from Computers A and B but not C". What you can also do is toggle part of the database between irrelevant or notable by clicking on it and then clicking the 'Toggle category' button.

To use the hash set for comparison purposes (or indeed to mark files in your case as irrelevant system files), all you do is 'Refine the Volume Snapshot', tick the box for 'Compute hash', ensure you use the same hash algorithm as the values in your database (SHA-1 in my example), then tick the secondary box 'Match values against hash database'.

Refine the volume snapshot to compute hashes against the database

Files in the snapshot being hashed and compared against the hash database


Once that completes, if you then sort by 'Hash Set', all the files will be grouped by set, in order. Any appearing in all will be listed accordingly and any listed in only one, likewise, as seen below:

Files belonging to multiple hash sets are clearly identified, sortable etc

Or, you can filter by hash set by clicking on the filter funnel and choosing only the files belonging to one or more sets.

Lastly, if you see a file and want to see the other instances of that file that have the same hash, and only those files, you can right click and choose 'Filter by hash value'; only files with that hash value will then be listed.

Filter by certain hash values, finding all duplicates, with a quick right click
And see the resulting list

The hash database as created in this video and for this guide can be downloaded in its X-Ways Forensics form, ready for use with X-Ways Forensics, HERE. Simply download, unzip, and then in the General Options specify the extracted folder as the location of your XWF hash database.

To answer the comment posted below about whether child objects can be excluded from a hash set: yes. Use the 'Attr.' filter (for 'Attributes'), tick the box for 'Child objects of files' followed by the 'NOT' box, so that when you refresh your listing the child objects of your videos (i.e. the extracted stills) are not listed; only the parent video files will be. Then simply select your listed files and create the hash set. 

Video illustrating this entire process is below : 













New book on the horizon (not by me) - The X-Ways Forensics Practitioners Guide

Word on the grapevine is that a book titled "The X-Ways Forensics Practitioners Guide" is in development by two guys independent of the X-Ways Forensics team, and I am delighted and quite honoured to have been asked whether the videos and commentaries of this blog can be cited in it.

It's really quite exciting for those of us who like XWF as it will further help establish a pool of regular users who can all hopefully collaborate and share ideas and best practice. Poor old Stefan will no doubt get increasingly fed up of feature requests but it can only be of help to their very talented team, I am sure.

The website for the book is https://xwaysforensics.wordpress.com/; it is being written by Eric Zimmerman and Brett Shavers.


UPDATE: The comprehensive book titled "X-Ways Forensics - The Practitioners Guide", written by Brett Shavers and Eric Zimmerman released in August 2013, is available internationally via the Amazon website.


Video 26 - Event Lists? What are they and how do you use them?

In v16.9 of X-Ways Forensics the new 'Event Lists' feature was introduced. I notice it is already being incorrectly referred to within the community as a "timeline feature" or "calendar feature", which it is neither, so as usual an X-Ways Clips commentary arrives to help with the demystification, I hope.

Firstly, do not confuse Event Lists with the calendar button available as part of the viewer component. That button is the feature more correctly referred to as the timeline of X-Ways Forensics (similar forensic tools offer comparable calendar facilities): effectively a graphical timeline of when certain files were created, modified etc., to help give a visual representation of when "stuff was done". Just press the 'Calendar' button in the viewer component, to the right of the 'Gallery' button, for that feature. But I digress.

To best explain the new Event Lists, I refer the reader to Stefan's explanation in the X-Ways Forensics manual, page 55, section 3.17, which states (as of April 2013):

"X-Ways Forensics can compile a list of events from timestamps that can be found at the file system level as well as internally in files and in main memory. Conceivable sources are browser histories, Windows event logs, Windows registry hives, e-mails, etc...Event-based analysis, instead of file-based analysis, is a progressive new approach with a totally different perspective that may lead to knowledge about activities recorded on computers that otherwise could hardly be gained. You may see connections (related activity) that otherwise could be overlooked, and may be able to better explain the logic behind what has happened."
I think that says it all, pretty much. So how do you use it? Well, as the manual explains, it is only available as part of the volume snapshot refinement process. So, create a new case and add an image or device to it. Then choose 'Specialist --> Refine Volume Snapshot' and tick the box for 'Extract internal metadata, browser history and events'. You will notice, when you do that, that a little button with an ellipsis appears to the right. Click it. 

You will then see something like this: 

The "enhanced" options screen for 'Extract internal metadata, browser history and events'

To ensure you generate events for both your file system metadata and the metadata inside files, tick the two boxes at the bottom: 'Provide file system level timestamps as events' and 'Provide internal timestamps in files as events'. Then click OK. 

Once your RVS process completes, you can recursively explore any directory in your image and, just like in search view, if you click the 'Events list' button, the events relating to your chosen directory (or directories, or images) will be presented to you, which you can then sort to your needs. Note that the list is event-based rather than file-based, so one file contributes a separate row for each of its timestamps. You can do this on a directory-by-directory basis, for an entire image, or for your entire case containing multiple images by recursively exploring from the case root. And of course, if you sort the directory browser chronologically by the timestamp column, it becomes a timeline for you, but you can sort by pretty much anything you like.
Press the Events List button to apply the functionality for your chosen directory

Events list enabled for all files in Documents & Settings
Regular directory browser listing of files from the same directory with the Events List button released
 
Warning: until you release that button, all your recursive views in the directory browser will be event-based lists, so be sure to un-press it when you are done with them to return to the normal way of recursively exploring. You can, of course, return to using them at any time by pressing it again. 

Simple
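To make the file-based versus event-based distinction concrete, here is an added Python example (written for this post; it is not X-Ways code and not XWF's internal representation) that expands a constructed volume snapshot into an event list: each file contributes one row per timestamp, from the file system and from inside the file, and the rows are sorted chronologically. The three files, their timestamps and the internal timestamp names are invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List


@dataclass
class FileRecord:
    """One row of a file-based volume snapshot: a file and its timestamps."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime
    # Timestamps found inside the file's own data (EXIF, Office metadata, log entries ...).
    internal: Dict[str, datetime] = field(default_factory=dict)


@dataclass(frozen=True, order=True)
class Event:
    """One row of an event list. Sorting Events orders them by timestamp first."""
    timestamp: datetime
    path: str
    source: str   # "file system" or "internal"
    kind: str     # which timestamp produced the event


# Constructed sample snapshot (not real case data); paths mimic a Windows XP volume.
SNAPSHOT: List[FileRecord] = [
    FileRecord("/Documents and Settings/ted/report.docx",
               created=datetime(2013, 3, 1, 9, 0), modified=datetime(2013, 3, 5, 17, 30),
               accessed=datetime(2013, 4, 2, 8, 15),
               # internal creation older than the file system one: a copied file
               internal={"Office 'created'": datetime(2013, 2, 28, 22, 0)}),
    FileRecord("/Documents and Settings/ted/photo.jpg",
               created=datetime(2013, 3, 3, 12, 0), modified=datetime(2013, 3, 3, 12, 0),
               accessed=datetime(2013, 3, 10, 19, 45),
               internal={"EXIF DateTimeOriginal": datetime(2012, 12, 24, 14, 5)}),
    FileRecord("/WINDOWS/system32/config/SecEvent.Evt",
               created=datetime(2012, 11, 1, 10, 0), modified=datetime(2013, 4, 2, 8, 14),
               accessed=datetime(2013, 4, 2, 8, 14)),
]


def events_from_record(rec: FileRecord, fs: bool = True, internal: bool = True) -> List[Event]:
    """Expand one file into its events: the two 'Provide ... as events' boxes of the dialog."""
    events: List[Event] = []
    if fs:
        for kind, ts in (("created", rec.created), ("modified", rec.modified),
                         ("accessed", rec.accessed)):
            events.append(Event(ts, rec.path, "file system", kind))
    if internal:
        for kind, ts in rec.internal.items():
            events.append(Event(ts, rec.path, "internal", kind))
    return events


def in_directory(path: str, directory: str) -> bool:
    """Recursive exploration: everything at or below `directory` ('/' is the volume root)."""
    return path.startswith(directory.rstrip("/") + "/")


def file_list(snapshot: List[FileRecord], directory: str = "/") -> List[str]:
    """The ordinary file-based view of a directory: one row per file."""
    return sorted(rec.path for rec in snapshot if in_directory(rec.path, directory))


def event_list(snapshot: List[FileRecord], directory: str = "/",
               fs: bool = True, internal: bool = True) -> List[Event]:
    """What the 'Events list' button shows for a recursively explored directory:
    one row per event rather than per file, in chronological order."""
    events: List[Event] = []
    for rec in snapshot:
        if in_directory(rec.path, directory):
            events.extend(events_from_record(rec, fs, internal))
    return sorted(events)


def events_between(events: List[Event], start: datetime, end: datetime) -> List[Event]:
    """A filter on the timestamp column: what happened in this window, across all files."""
    return [e for e in events if start <= e.timestamp <= end]


if __name__ == "__main__":
    for e in event_list(SNAPSHOT, "/Documents and Settings"):
        print(e.timestamp, e.source, e.kind, e.path)
```

The same two files that make two rows in the file-based view make eight rows in the event list, and the oldest of them is the camera's EXIF timestamp, which the file system alone would never have shown you.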




Parsing System Volume Information files and Volume Shadow Copy files using X-Ways Forensics

Some months ago (yes, it has been on my TODO list for months!) the guys at X-Ways Forensics introduced the ability to search for and process previously existing files in Volume Shadow Copies and System Volume Information folders.

You probably know what both of these are anyway, but if you don't, here's a summary from Microsoft KB about System Volume Information

"The System Volume Information folder is a hidden system folder that the System Restore tool uses to store its information and restore points. There is a System Volume Information folder on every partition on your computer."

and here is one about Volume Shadow Copies:

"[a service]...that allows taking manual or automatic backup copies or snapshots of data, even if it has a lock, on a specific volume at a specific point in time over regular intervals. It is implemented as a Windows service called the Volume Shadow Copy service."

In short, these files can contain snapshots of earlier versions of files that have since been deleted or edited on the live file system. Traditionally, folks would export these files and then use tools like ShadowExplorer, vshadow.exe, virtualisation and similar mounting techniques to examine the data in them. 

Textual data was always retrievable from shadow copy files via keyword searches (assuming the relevant data was in ASCII) but, unless you exported them and used the other tools just mentioned, it was tricky to examine the data as required, and graphical/video files were a different kettle of fish (a term used often in the UK to mean "a different thing altogether", for the benefit of anyone unfamiliar with such lingo).

Anyway, I'm waffling. Parsing such data with X-Ways is easy peasy; the hard part is, as always, interpreting it, and only a human can do that (as of 2013)!

Create a new case and add an (NTFS filesystem based) image to it.

Refine your volume snapshot for the case by clicking 'Specialist --> Refine Volume Snapshot' and then simply tick 'Particularly thorough file system data structure search'. If you want shadow copy information in addition to all the other things this option does too (and has done for a long time, such as searching for MFT FILE records, INDX buffers and $LogFile index records etc.), tick it fully. If you only want to search for shadow copy data, half-tick it instead (the checkbox has three states) :-)

Then click OK (or apply the option to whatever images you need to do this for using the 'In selected evidence objects' at the bottom).

It will probably take a while, and if shadow copies are in the image the progress bar will tell you as it parses them, in a "1/X" manner. Upon completion you can list the files in the directory browser that have been extracted from shadow copies by filtering on the attribute column and selecting the 'SC' (files found in volume shadow copies) and 'SC, prev. version' (previous versions of files that were already known to the volume snapshot before the thorough file system data structure search) boxes. See the screenshot below:

Filtering for files from NTFS Shadow Copies


Then, as usual, combine this creatively with other filtering options (such as type or date) if needed...e.g "Show me all the files from a shadow copy that are a picture file with a modified date between dates X and Y".

Simple.

Video 27 - Image Disks with Bad Sectors in a Flash by Enabling 'Alternate Access Method 2'

You know the story... you've started to image a disk that you believe to have no problems. You've said it should not take more than a day and you've made promises based on that. You start the imaging with either XWF in its default mode or "one of the other tools" and it says "4 hours remaining" at the start; 2 hours later it says "8 hours remaining", and the next day it says "3 days remaining". Suddenly you're a man of broken promises and you look like a berk in front of your peers.

Solution :
a) Don't use "one of the other tools". That's one option. 
b) Use Alternate Access Method 2 (not necessarily Method 1) in X-Ways Forensics to reduce the time the disk is given to answer a read attempt on a bad sector, usually in the order of 60 seconds, to a timeout of your choosing in milliseconds (1000 ms, i.e. 1 second, by default).

The XWF help says this about the functionality :

The alternative access method 1 ........ standard access method. Access method 2 affects physical hard disks only as well. Both methods allow you to specify a timeout in milliseconds after which read attempts will be aborted. This can be useful on disks with bad sectors, where an attempted read access to a single sector could otherwise cause a delay of many seconds or minutes. 

By default, the alternate disk access is disabled :


If you tick it once, it goes to Method 1; for disks with bad sectors you don't need this (AFAIK). Tick it again and it sets Method 2, with 1000 milliseconds set:


So, imagine imaging a 500 GB disk that has just 10K bad sectors. Using most tools, the bad sector zone alone could take up to 600,000 seconds, which is 10,000 minutes, or roughly 167 hours. Using Alternate Access Method 2 with the 1-second default, this would be reduced to just under 3 hours. To quantify that, it is a time saving of just under 164 hours or, in percentage terms, a 98% reduction in the time spent on that zone (assuming every bad sector would have taken 60 seconds, which they don't always, and assuming my maths is correct). 

A video isn't really needed, but I've done one anyway :-) 



Video 28 - Skeleton Images - What they are and how to create and use them

In this video 28 I quickly introduce the concept of 'Skeleton Images', not to be confused of course with 'evidence containers'.

Evidence containers are the selective acquisition of files and folders in a forensically sound capture, with everything else excluded. Skeleton images, by contrast, contain the file system structures of any added device (physical, logical, whatever), so every file and folder is listed, but no actual file content unless you or X-Ways Forensics actually reads those files. So, if you have a medium with 1000 files on it spanning 300 folders, when you add the medium those 1000 files and 300 folders are listed in your skeleton image, but hardly any of their contents are added unless you read them, for example in 'Preview' mode. If you found 100 word-processing files and previewed all of them with the viewer component in 'Preview' mode (not 'Partition' mode), or right-clicked them all and selected "Add to ImageName.dd", all 100 files would be both listed in the skeleton image and have their content added. All the other 900 files (with the exception of file system files like the $MFT, which are read when the volume is opened) would simply be listed in the image along with all their file system metadata, but their content would be zeroed out in the resulting image.

To create a skeleton image, simply click 'File --> Create Skeleton Image', choose where you want your image to be saved and give it a name (the image file will appear to be the size of your target medium but, if you leave 'Create as NTFS sparse file' ticked, NTFS sparse-file wizardry means it will not actually occupy that much space). Then, as soon as you add a medium, data from that medium (file and directory names and metadata only, initially) will be added to the skeleton image. As and when you review certain files in full (for example picture files, or when hashing files: any purpose that requires the whole file to be read), each file reviewed will be added to the image. Everything else will not: 'just' their file names and associated metadata will be added.






A corrective comment about the video demonstration below, by Stefan Fleischmann, is as follows and is very relevant:

"...only *sectors actually read* are added to the skeleton image. In your demonstration, you click on individual files while in partition mode - while that does indeed access the files' beginning (partition mode scrolls to the beginning of whatever file is being clicked on) there is no guarantee (for large files even very little chance) that this actually reads *all* sectors belonging to that file. Previewing pictures for example would read them entirely. Hashing files would read them entirely. Simply clicking on them while in partition mode will probably not!"

Skeleton images are useful for so many reasons across both law enforcement and private industry that I cannot actually be bothered to document them all. If you're reading this, you'll know the circumstances in which they would be useful, I am sure of that.

The video is below:


I always like to add the 'official X-Ways description' direct from the XWF manual, as they know best. Below is a copy and paste from the manual, Section 8.9, pages 126 onwards, written by Stefan Fleischmann (as of July 2013):

"...When the target image is open in the background, next you typically open the disk or partition or open and interpret the image that you wish to acquire partially. That way it will be automatically defined as the source, and that way even read operations during the important opening or interpretation step are triggered already, when partition tables and boot sectors have to be parsed, so that these essential data structures that define partitions and identify file systems are included in the skeleton image. 

...Again, all the sectors read from the source hard disk in the process are simultaneously copied to the image, and that is the file system data structures, e.g. $MFT in NTFS, all directory clusters in FAT, and the catalog file in HFS+. That adds considerably more administrative data and also metadata to your skeleton image, but still no or almost no user contents. Unrelated sectors that are not used by the file system are not read and therefore not copied"
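The following Python is an added illustration of the principle in the quotes above; it is not X-Ways code and does not reproduce its image format. A skeleton image starts as an all-zero file the size of the source and receives only the sectors that are actually read through it. The 64-sector disk, its layout and the files' data runs are constructed for the example: 'opening the volume' reads the boot sector and $MFT, previewing or hashing reads every run of a file, and a click in partition mode reads only the file's first sector, which is exactly Stefan's point.

```python
import hashlib
from typing import Dict, List, Set, Tuple

SECTOR = 512
Runs = List[Tuple[int, int]]   # a file's data runs as (first sector, sector count)


class SourceDisk:
    """Constructed stand-in for the source medium: a byte buffer addressed in whole sectors."""
    def __init__(self, data: bytes) -> None:
        assert len(data) % SECTOR == 0
        self.data = data

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read(self, first: int, count: int) -> bytes:
        return self.data[first * SECTOR:(first + count) * SECTOR]


class SkeletonImage:
    """Same size as the source and initially all zeros (a sparse file in reality).
    Every sector read *through* this object is copied into the image; nothing else is."""
    def __init__(self, source: SourceDisk) -> None:
        self.source = source
        self.image = bytearray(source.sectors * SECTOR)
        self.copied: Set[int] = set()

    def read(self, first: int, count: int) -> bytes:
        data = self.source.read(first, count)
        self.image[first * SECTOR:(first + count) * SECTOR] = data
        self.copied.update(range(first, first + count))
        return data

    def open_volume(self, boot_sectors: Runs, fs_structures: Runs) -> None:
        """Opening/interpreting the medium reads the boot sector and the file system
        structures ($MFT etc.), so those always land in the skeleton image."""
        for first, count in boot_sectors + fs_structures:
            self.read(first, count)

    def preview_or_hash(self, runs: Runs) -> bytes:
        """Previewing a picture or hashing a file reads it entirely: every run is copied."""
        return b"".join(self.read(first, count) for first, count in runs)

    def click_in_partition_mode(self, runs: Runs) -> bytes:
        """Clicking a file in partition mode only scrolls to its start: one sector is read."""
        first, _ = runs[0]
        return self.read(first, 1)

    def content_matches(self, runs: Runs) -> bool:
        """Is this file's content in the image identical to the source?"""
        want = b"".join(self.source.read(f, c) for f, c in runs)
        got = b"".join(bytes(self.image[f * SECTOR:(f + c) * SECTOR]) for f, c in runs)
        return hashlib.sha1(want).digest() == hashlib.sha1(got).digest()

    def coverage(self) -> float:
        """Fraction of source sectors copied; the rest of the image file stays zero."""
        return len(self.copied) / self.source.sectors


# Constructed 64-sector "disk": sector 0 is the boot sector, 1-3 the $MFT, two files, rest unused.
LAYOUT: Dict[str, Runs] = {
    "boot": [(0, 1)],
    "$MFT": [(1, 3)],
    "report.docx": [(10, 8)],          # 8 contiguous sectors, previewed fully in the demo
    "video.avi": [(20, 4), (40, 4)],   # fragmented, only clicked in partition mode
}


def constructed_disk() -> SourceDisk:
    buf = bytearray(64 * SECTOR)
    for name, runs in LAYOUT.items():
        for first, count in runs:
            for s in range(first, first + count):
                buf[s * SECTOR:(s + 1) * SECTOR] = f"{name}:{s}".encode().ljust(SECTOR, b".")
    return SourceDisk(bytes(buf))


def demo() -> SkeletonImage:
    """The scenario from the text: open the volume, preview one file fully,
    merely click the other one in partition mode."""
    img = SkeletonImage(constructed_disk())
    img.open_volume(LAYOUT["boot"], LAYOUT["$MFT"])
    img.preview_or_hash(LAYOUT["report.docx"])
    img.click_in_partition_mode(LAYOUT["video.avi"])
    return img


if __name__ == "__main__":
    img = demo()
    print("copied sectors:", sorted(img.copied), f"coverage {img.coverage():.1%}")
    print("report.docx complete:", img.content_matches(LAYOUT["report.docx"]))
    print("video.avi complete:", img.content_matches(LAYOUT["video.avi"]))
```

Only 13 of 64 sectors end up in the image: the boot sector, the $MFT, all of report.docx and the single first sector of video.avi, whose remaining sectors stay zero, so a later examiner of the skeleton image sees the file listed but cannot recover its content.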

Video 29 - Assessing Picture Files by Skin Tone Ratio

In this Video 29 and narrative I show you how you can use X-Ways Forensics to quickly and easily find all the pictures in your case that have a high (or indeed low) ratio of skin tone and how you can selectively switch between one skin tone and another. I also demonstrate (again) how you can use the functionality to find images with a high black and white ratio - typical of paperwork that might have been scanned, faxed or e-mailed.


Lets assume your case involves the theft of Bikini IP and you have dozens of computers from your suspect with photos of all sorts of things ranging from pets, holidays, houses, gardens and indeed bikinis. All you probably want to see are the stolen bikini designs and everything else can be discarded.

To achieve this, simply add your image(s) to your case, refine the volume snapshot and tick 'Skin tone and B&W detection in pictures'. If you have lots of forensic images in your case, have XWF run this analysis across the pictures in all of them by clicking 'In selected evidence objects' and then choosing all of them, or just the 3 or 4 you need (saving time if you don't need to do this for every image). It's also best to tick 'Verify file types with signatures and algorithms' (the option just beneath 'Compute hash') to make sure that all actual picture files are analysed this way, whatever their extension (note that I do not do this in my video).

(Tip: if you compute hashes too, then when you create report table associations (you might think of them as 'bookmarks') you can have XWF add the known duplicates of whatever file(s) you have just selected as relevant. You might think there's only one such file at that stage, but there might be 8 or 9 others on the other computers that you have not even found yet but XWF already knows about!)



Then make sure the 'SC%' column is enabled in your directory browser settings and therefore visible (I don't believe it is by default), and you will notice that every picture file now has a percentage value in it, which you can sort from high to low or vice versa, recursively or not, and for one forensic image, several, or all of them. Better still, you can filter the column to exclude files below a certain skin tone percentage, or above a certain percentage, or show just black-and-white images.



This technique can reduce hundreds of thousands of picture files spanning dozens of forensic images to a much smaller and more manageable set of pictures that actually contain skin tones and are therefore likely to be relevant to your Bikini IP theft case. 
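An added example (not X-Ways code; XWF does not publish its classifier, so the per-pixel rule here is a published rule of thumb standing in for it) of what an SC% column is and how sorting and filtering on it narrows a picture set. The pictures are constructed pixel lists rather than decoded image files, so the numbers are illustrative only.

```python
from typing import Dict, List, Optional, Tuple

Pixel = Tuple[int, int, int]   # (R, G, B), each 0-255


def is_skin(r: int, g: int, b: int) -> bool:
    """Rule-of-thumb RGB skin classifier (Kovac, Peer and Solina, 2003). This is an
    assumption of the example: XWF's own skin-tone algorithm is not documented."""
    return (r > 95 and g > 40 and b > 20
            and max(r, g, b) - min(r, g, b) > 15
            and abs(r - g) > 15 and r > g and r > b)


def is_grey(r: int, g: int, b: int, tolerance: int = 10) -> bool:
    """A pixel with (almost) equal channels: what a scanned or faxed page is made of."""
    return max(r, g, b) - min(r, g, b) <= tolerance


def skin_tone_percent(pixels: List[Pixel]) -> float:
    return 100.0 * sum(is_skin(*p) for p in pixels) / len(pixels)


def black_white_percent(pixels: List[Pixel]) -> float:
    return 100.0 * sum(is_grey(*p) for p in pixels) / len(pixels)


def analyse(pictures: Dict[str, List[Pixel]]) -> Dict[str, Dict[str, float]]:
    """The refinement step: one 'SC%' and one 'B&W%' value per picture file."""
    return {name: {"SC%": skin_tone_percent(px), "B&W%": black_white_percent(px)}
            for name, px in pictures.items()}


def sort_by_skin_tone(results: Dict[str, Dict[str, float]], descending: bool = True) -> List[str]:
    """Clicking the SC% column header: high to low (or vice versa)."""
    return [name for name, _ in sorted(results.items(),
                                       key=lambda kv: kv[1]["SC%"], reverse=descending)]


def filter_pictures(results: Dict[str, Dict[str, float]], min_sc: Optional[float] = None,
                    max_sc: Optional[float] = None, min_bw: Optional[float] = None) -> List[str]:
    """Column filter: keep only pictures within the chosen bounds (None = no bound)."""
    keep = []
    for name, r in results.items():
        if min_sc is not None and r["SC%"] < min_sc:
            continue
        if max_sc is not None and r["SC%"] > max_sc:
            continue
        if min_bw is not None and r["B&W%"] < min_bw:
            continue
        keep.append(name)
    return sorted(keep)


# Constructed pictures as flat pixel lists (no image decoding); not real evidence.
PICTURES: Dict[str, List[Pixel]] = {
    "beach.jpg": [(224, 172, 140)] * 60 + [(30, 80, 200)] * 40,   # 60% skin, the rest sea
    "garden.jpg": [(40, 160, 60)] * 100,                           # no skin at all
    "scan.tif": [(250, 250, 250)] * 90 + [(10, 10, 10)] * 10,      # a scanned page
    "portrait.png": [(200, 150, 120)] * 95 + [(20, 20, 20)] * 5,   # mostly skin
}


if __name__ == "__main__":
    results = analyse(PICTURES)
    for name in sort_by_skin_tone(results):
        print(f"{name:14s} SC% {results[name]['SC%']:5.1f}  B&W% {results[name]['B&W%']:5.1f}")
    print("SC% >= 50:", filter_pictures(results, min_sc=50))
    print("paperwork:", filter_pictures(results, min_bw=90))
```

Sorting puts the portrait and the beach shot at the top, a filter of SC% >= 50 drops the garden and the scan entirely, and the B&W filter does the reverse and surfaces the scanned page; on a real case the same two operations are what turn the whole picture set into the handful worth looking at.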

Video 29 below demonstrates : 


Video 30 - Utilising Multiple Threads for Imaging

As of either v17.0 or 17.1 of X-Ways Forensics, the functionality was added to utilise multiple CPU threads to try and achieve extra speed whilst imaging.

Whilst using all your CPU sounds sensible, if every core were working away at 100% you might end up with an unresponsive, unstable system. So, the guys at XWF have, as usual, given you the ability to throttle it so that the machine stays usable, while at the same time offering you the capability to throw more grunt at the task.

That said, if you didn't refer to the manual, you'd deserve a prize for finding where this functionality is set. The two screenshots below show the imaging dialog of v16.6 (top) and v17.1 (bottom). Can you spot the difference?

The "Create Disk Image" dialog of XWF, v16.6 top, v17.1 below
The difference is the tiny little rectangular box at the bottom right. Click it and you will be presented with an "Extra threads" input field. Here you can specify how many additional threads you want to throw at your imaging task. Press it again to remove the field. Simples.


Also, since posting this, Stefan sent me the following informative clarification:

Hi Ted,

FYI, XWF has practically always used multiple threads
for imaging.

The new option is called "extra" threads because those
are threads in *addition* to the multiple threads that
it has always used. The extra threads are used for .e01
compression. The other threads are used for reading,
writing, and hash computation.

Kind regards

Stefan
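To show what 'extra' compression threads sitting beside the read/hash work look like, and why throttling them matters, here is an added Python pipeline (written for this post; it is not X-Ways code and not the E01 format: plain zlib segments stand in for compressed image chunks). The disk contents are a constructed byte string, and the back-pressure limit of twice the worker count is my choice, not an XWF setting.

```python
import hashlib
import threading
import zlib
from concurrent.futures import ThreadPoolExecutor
from typing import List, Tuple

CHUNK = 64 * 1024

# Constructed, compressible "disk" contents; not a real device.
SAMPLE_DISK = (b"X-Ways" * 1000 + bytes(range(256))) * 40


def image_with_extra_threads(source: bytes, extra_threads: int = 2,
                             chunk: int = CHUNK) -> Tuple[str, List[bytes]]:
    """Imaging pipeline. The calling thread reads and hashes chunks in disk order (the work
    XWF has always done in its own threads); `extra_threads` workers compress them, as the
    'Extra threads' field does for .e01 output. A bounded semaphore throttles the reader so
    it never runs more than 2 x extra_threads chunks ahead of compression, keeping memory
    and CPU use in check instead of letting every core peg at 100%."""
    workers = max(1, extra_threads)
    slots = threading.BoundedSemaphore(2 * workers)
    digest = hashlib.sha1()

    def compress(block: bytes) -> bytes:
        try:
            return zlib.compress(block, 6)
        finally:
            slots.release()          # hand the slot back once this chunk is done

    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = []
        for offset in range(0, len(source), chunk):
            block = source[offset:offset + chunk]
            digest.update(block)     # hash exactly what was read, in order
            slots.acquire()          # back-pressure: wait if compression has fallen behind
            futures.append(pool.submit(compress, block))
        compressed = [f.result() for f in futures]   # the writer consumes in read order
    return digest.hexdigest(), compressed


def restore(compressed: List[bytes]) -> bytes:
    """Decompress the segments back into the original byte stream (a verification pass)."""
    return b"".join(zlib.decompress(c) for c in compressed)


def verify(source: bytes, image_hash: str, compressed: List[bytes]) -> bool:
    """The image is good when the decompressed stream hashes to the value computed
    during reading, and that value matches the source."""
    return (hashlib.sha1(restore(compressed)).hexdigest() == image_hash
            == hashlib.sha1(source).hexdigest())


if __name__ == "__main__":
    image_hash, segments = image_with_extra_threads(SAMPLE_DISK, extra_threads=3)
    print("segments:", len(segments), "compressed bytes:", sum(len(s) for s in segments),
          "of", len(SAMPLE_DISK))
    print("verified:", verify(SAMPLE_DISK, image_hash, segments))
```

The hash is the same whatever the thread count, because hashing happens in the reading thread on the uncompressed data; only the compression work is spread over the extra threads, which is precisely the division Stefan describes.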


Video below to demonstrate:




