Channel: 'X-Ways Forensics' Video Clips

Video 31 - Filtering E-Mails by their 'Read' or 'Unread' status

What if you're asked for a list of the e-mails that appear to have been read, or indeed only those that are unread? How can you do that with X-Ways Forensics?

Easy. Add your image(s) or devices to a case and refine the volume snapshot (F10) for your case. Tick the box for 'Extract email messages and attachments from...' and choose whether to run that over all your evidence, some of it, or just one item, and let it finish.


Upon completion all the DBX, PST, EDB cabinet files and so on will have been parsed and their content listable within XWF using the eml\emlx 'Type' filter, or using the 'Extracted e-mail' attribute filter (which I think is a safer bet to catch all extracted e-mails regardless of obscure types that might exist beyond eml\emlx, but I could be wrong; generally eml\emlx will suffice as XWF renders all extracted e-mails as that type, AFAIK).

When you select the 'Extracted e-mail' attribute filter, you will notice a 'read' tick box appears to allow you to list only e-mails with a 'read' flag. Conversely, if you tick that AND the NOT box, it will list e-mails that are not read, instead.




You can then create report table associations for each of your lists accordingly. Or, of course, you could not use the filter at all but simply sort by the Attribute column instead. That way all the ones that have '(extracted e-mail)' will be listed together, as will all the ones that have '(extracted e-mail, unread)' (at least in theory it should).

CAUTION: Obviously, this can only act as an indicator. It is possible for somebody to read an e-mail and then set it back to 'unread', a message can be marked read merely by being displayed in a preview pane, and the flag may have been synchronised from another client or device. So it is a general indicator only and should be used with the appropriate understanding that such caveats exist.
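To make the caveat concrete, it helps to know where the 'read' flag that XWF surfaces actually lives, because it is a property of the mail container, not of the extracted .eml file. The following is an added example (not code from this post or from X-Ways) that decodes read/unread state from three common representations, using conventions as commonly documented: the MAPI PR_MESSAGE_FLAGS value stored with each message in a PST (bit 0x0001 = MSGFLAG_READ), the Maildir filename info suffix (':2,' followed by flag letters, 'S' = seen) and the mbox 'Status:' header ('R' = read). All sample records are constructed for the demo.

```python
"""Where the 'read' flag lives, per mail container format (added example, not XWF code)."""
import re

MSGFLAG_READ = 0x0001          # MAPI PR_MESSAGE_FLAGS: message has been read
MSGFLAG_UNSENT = 0x0008        # MAPI: draft / not yet sent

def mapi_is_read(message_flags: int) -> bool:
    """PST/MAPI: PR_MESSAGE_FLAGS bit 0 set means the message was marked read."""
    return bool(message_flags & MSGFLAG_READ)

def maildir_is_read(filename: str) -> bool:
    """Maildir: flags follow ':2,' in the filename; 'S' means seen/read."""
    m = re.search(r":2,([A-Za-z]*)$", filename)
    return m is not None and "S" in m.group(1)

def mbox_is_read(raw_message: bytes) -> bool:
    """mbox: clients record read state in a 'Status:' header; 'R' means read."""
    header_block = raw_message.split(b"\n\n", 1)[0]
    for line in header_block.splitlines():
        if line.lower().startswith(b"status:"):
            return b"R" in line.split(b":", 1)[1].upper()
    return False   # no Status header at all: treat as unread, as a mail client would

def classify(records):
    """Return {'read': [...], 'unread': [...]} of record ids, mirroring the XWF
    attribute filter with and without the NOT box ticked."""
    out = {"read": [], "unread": []}
    for rec in records:
        kind = rec["kind"]
        if kind == "pst":
            read = mapi_is_read(rec["flags"])
        elif kind == "maildir":
            read = maildir_is_read(rec["name"])
        elif kind == "mbox":
            read = mbox_is_read(rec["raw"])
        else:
            raise ValueError(f"unknown container kind {kind!r}")
        out["read" if read else "unread"].append(rec["id"])
    return out

# Constructed sample records (not real case data).
SAMPLE = [
    {"id": "pst-1", "kind": "pst", "flags": 0x0001},            # read
    {"id": "pst-2", "kind": "pst", "flags": 0x0008},            # unsent draft, unread
    {"id": "pst-3", "kind": "pst", "flags": 0x0009},            # read + unsent
    {"id": "md-1", "kind": "maildir", "name": "1380000000.M1P2.host:2,S"},
    {"id": "md-2", "kind": "maildir", "name": "1380000001.M1P3.host:2,"},
    {"id": "md-3", "kind": "maildir", "name": "1380000002.M1P4.host"},  # still in new/, no flags
    {"id": "mbox-1", "kind": "mbox", "raw": b"From: a@example.test\nStatus: RO\n\nbody\n"},
    {"id": "mbox-2", "kind": "mbox", "raw": b"From: b@example.test\nStatus: O\n\nbody\n"},
    {"id": "mbox-3", "kind": "mbox", "raw": b"From: c@example.test\nSubject: no status\n\nbody\n"},
]

if __name__ == "__main__":
    result = classify(SAMPLE)
    print("read:  ", result["read"])
    print("unread:", result["unread"])
```

Note that none of these flags records *when* a message was read, or by which client; that is exactly why the post's caveat stands.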







The new book - reserve your copy

The book titled "X-Ways Forensics - The Practitioner's Guide" is available internationally via Amazon from September 17th 2013 (though you can reserve it now) and via Elsevier around 15th October 2013.

I was delighted to be asked to write a short back page endorsement. My thanks to Brett Shavers and Eric Zimmerman, who wrote it, for inviting me to be part of it.




Video 32 - Determine computer usage patterns (Startup, Shutdown, Unlock etc) with Events Lists


So imagine the scenario, that I’m sure some of you may have been presented with before, where you’re asked, as the digital forensics wonder boy\girl, to illustrate or to give an indication of how many times a computer has been turned on and off, logged in or logged out, screen locked and unlocked, and shutdown etc?
So you’d hurry off and dig out the SAM hive from Windows\System32\config, perhaps extract it, do this and that with some external utilities and, some time later, you might arrive at a rough idea of things like how many times the user has logged on.

You might even achieve this by using black magic, aka 'a hex editor' and do the decoding manually:
The values parsed by the XWF Registry Viewer from the SAM file

But hey, sensibly you decide that you will use, instead, the power of the inbuilt registry viewer of X-Ways Forensics – it’s not there for nothing at the end of the day! For any registry file (SAM, SYSTEM, SECURITY etc) simply double click it and the registry viewer will open up before you. From there you can navigate to
SAM\Domains\Users
And find the appropriate key for the user profile you’re interested in (which appears in the ‘Names’ section at the bottom of that tree, too). Click on the ‘F’ value in the right pane and the viewer will decode the binary data for you that represents various account properties and present it in the bottom right grey pane, nicely formatted.

XWF Registry Viewer, showing decoded user account properties

From there you can create a fuller display for all the users, using the report generator of the Registry Viewer. Simply click the top left drop down arrow and choose ‘Create Report’.


The result will be a nicely tabulated HTML report listing all the data of this nature for all the users.
But, it gets better. This is just the tip of the iceberg folks....child's play. Remember that so far, all we have illustrated is how to get the number of logons and the last password reset, with one or two other bits and pieces thrown in, like user names (don't forget you can easily resolve all SIDs to usernames using the 'SIDs' button of the case properties). What about that 'computer usage indicator' that we were briefed with determining at the start? The number of startups, shutdowns, logons, logoffs etc?
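For those who want to see what the Registry Viewer is decoding from that 'F' value, here is an added, stand-alone decoder (not the viewer's own code). It assumes the commonly documented layout of the F value, as used by samparse.pl and similar tools: 64-bit FILETIMEs for last logon (offset 8), last password set (24), account expiry (32) and last failed logon (40); the RID at offset 48 (uint32); the ACB account control flags at 56 (uint16); the failed logon count at 64 and the logon count at 66 (uint16 each). The sample value is constructed for the demo, not taken from a real hive.

```python
"""Decode a SAM user's 'F' value the way the XWF Registry Viewer displays it (added example)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# ACB (account control bits) as documented for SAM; only the common ones are listed.
ACB_FLAGS = {
    0x0001: "Account disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

def filetime_to_dt(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if unset."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):      # 0 = never, INT64_MAX = never expires
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_f_value(f: bytes) -> dict:
    """Return the decoded fields as a dict; raises if the value is too short."""
    if len(f) < 68:
        raise ValueError(f"F value too short: {len(f)} bytes")
    last_logon, = struct.unpack_from("<Q", f, 8)
    pwd_last_set, = struct.unpack_from("<Q", f, 24)
    acct_expires, = struct.unpack_from("<Q", f, 32)
    last_bad_pwd, = struct.unpack_from("<Q", f, 40)
    rid, = struct.unpack_from("<I", f, 48)
    acb, = struct.unpack_from("<H", f, 56)
    failed_count, logon_count = struct.unpack_from("<HH", f, 64)
    return {
        "rid": rid,
        "last_logon": filetime_to_dt(last_logon),
        "password_last_set": filetime_to_dt(pwd_last_set),
        "account_expires": filetime_to_dt(acct_expires),
        "last_failed_logon": filetime_to_dt(last_bad_pwd),
        "acb_flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_logon_count": failed_count,
        "logon_count": logon_count,
    }

def build_sample_f() -> bytes:
    """Construct a plausible 80-byte F value for RID 1001 with 37 logons (demo data only)."""
    def ft(dt):
        return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, ft(datetime(2013, 9, 1, 8, 30, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 24, ft(datetime(2013, 3, 15, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 32, 0x7FFFFFFFFFFFFFFF)            # never expires
    struct.pack_into("<Q", buf, 40, ft(datetime(2013, 8, 30, 23, 59, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 48, 1001)
    struct.pack_into("<H", buf, 56, 0x0010 | 0x0200)               # normal account, pwd never expires
    struct.pack_into("<HH", buf, 64, 2, 37)                        # 2 failed, 37 successful logons
    return bytes(buf)

if __name__ == "__main__":
    for k, v in parse_f_value(build_sample_f()).items():
        print(f"{k:>20}: {v}")
```

The logon count here is the one the post refers to; note it counts interactive logons recorded by SAM and says nothing about startups, shutdowns or screen locks, which is why the event logs are needed next.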
Well this is where Windows Event Logs come in handy. "Yeah yeah, we all know about Windows Event Logs Ted….snore snore". We can extract them and look at them with one of many utilities. “Tell me something new, Ted” I hear you cry.
But with XWF, you don’t need to extract them at all!! XWF can do all the examination for you – you just need to decide what to pull out from it and how to display it. How do we do that? Simples...
Step 1 : Refine your volume snapshot (F10) as usual, but be sure to tick the box to include ‘Extract internal metadata, browser history and events’ and then click the ellipsis box to the right of that. At the bottom of the box that appears are two entries that need to be ticked (for our exact example only the bottom one is actually needed, as we are extracting data from event log files, but it doesn’t harm to just do both):
‘Provide file system time stamps as events’ and
‘Provide internal timestamps in files as events’
Refine the volume snapshot ensuring timestamps from files are listed as events


Without repeating my explanation in my previous post about XWF events lists, what this basically does is enable you to explore, in great detail, timeline analysis for a variety of computer functions and 'events' at any level in your case (one image at a time, multiple images concurrently, a specific folder at a time in isolation or recursively, or even specific files) by clicking the ‘Events’ button in the bar above the viewing component of XWF.

Step 2 : And this is where the magic starts. You’ve run your RVS and ticked those boxes for your entire case and it finished OK. You go to the case root (or the root of whatever computer you might be interested in) and click the ‘Events’ button that appears in the viewing component toolbar (as illustrated above). In your directory browser pane you are now presented with thousands of timestamped events for that\those computer(s) from whatever level you chose in the left hand explorer pane.
Naturally you can sort and export this list, but wait....It gets so much better! Remember our brief? Show startup, shutdown, logon, logoff, screen locked, screen unlocked frequencies etc? How do we pull those out from this mass of info?
Step 3 : You can have all this displayed for you, with the event codes automatically decoded by XWF from the event logs, using the ‘Type’ filter of the Events listing
Choosing which events you'd like to list


You can then sort the events chronologically by sorting the 'Timestamp' column. The result will probably be for most instances (for most, not necessarily all) a sorted list of 'Startup, Logon, LogOff, Shutdown', all dated and timed for a large chunk of history. Naturally, event logs can be cleared so this might only give you an indication or it might only cover a certain period of time. But in other instances, you might be able to see history by the magnitude of many months. All of which can then simply be exported to a spreadsheet by right clicking the directory browser list and choosing ‘Export List’.


You might want to neaten your results by applying an exclusive filter for certain file types. Consider, perhaps, to only list results from actual event logs by choosing evt, evtx etc from the ‘Windows Internals’ group of the type filter, and exclude shadow copy and encrypted files using ‘NOT’ in the Attribute column filter, and exclude the more seriously deleted files using the ‘Directory Browser Options Filters', and unticking the files listed when you click ‘List previously ex items…’. That will give you a less skewed list, I might suggest.
Filter Events list to just those found in event logs

The result...ta da!

Filtered 'Events' list, from evt files of a Windows 7 PC, sorted by timestamp column
Last point - v17.3 includes a visual method of illustrating this, too, that incorporates the results with the calendar mode. You can check it now by using the Preview version.
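Once the Events list is exported to a spreadsheet, the remaining work is turning the decoded rows into the usage pattern the brief asked for. The following is an added example of that step (not XWF's own event decoding): it classifies rows by the well-known event IDs, namely System log 6005/6006 (Event Log service started/stopped, i.e. boot/shutdown), 6008 (unexpected shutdown, which Windows writes at the *next* boot), 1074 (shutdown initiated), and Security log 4624/4634/4647 (logon/logoff) and 4800/4801 (workstation locked/unlocked), then pairs startups with shutdowns. The export lines are constructed for the demo, in the shape of a tab-separated 'Export List' (timestamp, source log, event ID).

```python
"""Usage patterns (startups, shutdowns, logons, locks) from an exported Events list (added example)."""
from collections import Counter
from datetime import datetime

EVENT_TYPES = {
    ("System", 6005): "Startup",
    ("System", 6006): "Shutdown",
    ("System", 6008): "Unexpected shutdown",   # logged at the following boot, so not paired below
    ("System", 1074): "Shutdown initiated",
    ("Security", 4624): "Logon",
    ("Security", 4634): "Logoff",
    ("Security", 4647): "Logoff",
    ("Security", 4800): "Screen locked",
    ("Security", 4801): "Screen unlocked",
}

# Constructed sample export: "timestamp<TAB>log<TAB>event id" per line (not real case data).
SAMPLE_EXPORT = """\
2013-09-02 08:01:12\tSystem\t6005
2013-09-02 08:01:40\tSecurity\t4624
2013-09-02 12:15:03\tSecurity\t4800
2013-09-02 13:02:55\tSecurity\t4801
2013-09-02 17:30:00\tSecurity\t4647
2013-09-02 17:30:20\tSystem\t1074
2013-09-02 17:30:45\tSystem\t6006
2013-09-03 07:55:10\tSystem\t6005
2013-09-03 07:55:33\tSecurity\t4624
2013-09-03 09:10:00\tSecurity\t4672
2013-09-04 08:10:00\tSystem\t6005
"""

def parse_export(text):
    """Parse the export into (datetime, type) tuples, skipping IDs we don't classify."""
    events = []
    for line in text.splitlines():
        ts, log, eid = line.split("\t")
        kind = EVENT_TYPES.get((log, int(eid)))
        if kind:
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind))
    return sorted(events)

def usage_summary(events):
    """Counts per event type plus boot sessions (Startup -> Shutdown) with durations.
    A Startup followed by another Startup with no Shutdown between them is reported
    as an open session (crash, power loss or a gap in the log); a Shutdown with no
    preceding Startup is counted but not paired."""
    counts = Counter(kind for _, kind in events)
    sessions, open_start = [], None
    for ts, kind in events:
        if kind == "Startup":
            if open_start is not None:
                sessions.append((open_start, None, None))
            open_start = ts
        elif kind == "Shutdown" and open_start is not None:
            sessions.append((open_start, ts, ts - open_start))
            open_start = None
    if open_start is not None:
        sessions.append((open_start, None, None))
    return counts, sessions

if __name__ == "__main__":
    counts, sessions = usage_summary(parse_export(SAMPLE_EXPORT))
    for kind, n in sorted(counts.items()):
        print(f"{kind:<22}{n}")
    for start, end, dur in sessions:
        print("session:", start, "->", end or "(no shutdown logged)", dur or "")
```

The open sessions are the interesting output: they flag exactly the places where the log may have been cleared or rolled over, which is the caveat raised in the text about event logs only covering a certain period.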

Video to illustrate the narrative is below. As usual, forgive the fact that the screen and sound are not exactly in sync. As the video progresses, the playback lags behind the voice a little. Not so much as to be worried about it though.












Video 33 - Commenting and Exploring Free Space as Child Objects

OK, so god awful X-Factor is on the TV so this gives me an hour to abandon domestic matters and get back to my blog!

XWF, unlike other tools, has a single virtual file for representing the free space of a forensic image. This is neat for a number of reasons but, it makes commenting individual parts quite tricky.

So, if you find 10 "parts" of free space that you want to break out as individual bits of evidence, how do you do it?

Easy. Use the 'File' viewer to view the Free Space itself and find whatever it is you seek using either a hex header\footer marker or general hex string, text string, keyword search (Ctrl + F while the focus is in the free space will bring the search dialog up) or whatever. Left mouse click to specify a start point, drag to highlight until you reach the end, right click and choose 'Add block as virtual file'.


Give the child file object a name (this is the name as will be seen in the 'Name' column of XWF, for the avoidance of any doubt). At the same time, you can create a report table association.

Continue in this vein for as few or as many file objects as you like. On completion, a number will appear to the right of 'Free Space' to make clear how many Free Space child objects you have created.



Then, double click Free Space and choose 'Explore' to list these children.



Then you can either table associate (or of course repeat the table association to a new category) but, more interestingly, you can now comment that individual segment. On completion, you can export the tabulated data to a spreadsheet, HTML file or whatever. Simples.

Video below :



Video 34 - Creating User Categorised Search Hits from Free Space

In the previous Video 33, I showed you how to create child objects of relevant evidence from free space. In this video (Video 34) titled 'Creating User Categorised Search Hits from Free Space', I show you how to quickly explore free space and add relevant entries as user generated search hits, that can be retrieved later on and\or listed en masse or individually.

Create a new case, add an image, click on 'Free Space', ensure 'File' is selected in the viewing component and then use Ctrl+F to find whatever text it is you seek. For each found entry, block sweep the text you want to note.

Then right click and, this time, click 'Add to User search hits' (instead of 'Add Block as virtual file', that I showed in Video 33).



You can either just accept the defaults or create your own categorisations. Continue until you're done.


On completion, click the search results button in the viewing component palette and, as long as those hits are below the point you have selected in the top left pane, your results will be listed.



You can then list them individually by clicking on one category at a time in the bottom left pane, or you can select multiple entries, or all of them. Whatever you choose, the relevant entries will appear in the directory browser, top right. But do not be caught out by selecting the wrong place in the top left pane!!
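Both Video 33 (breaking blocks out of Free Space as child objects) and Video 34 (sweeping text into categorised user search hits) are the same underlying operation done by hand: locate byte ranges inside one large blob and record them with a name or category. The following is an added example of both, in Python rather than XWF (it is not X-Ways code). It works on one byte string standing in for the Free Space virtual file: header/footer carving yields the (start, end) blocks you would 'Add block as virtual file', and keyword sweeps yield the categorised hits you would 'Add to User search hits'. The blob, signatures and keywords are constructed for the demo.

```python
"""Carving child objects and categorised search hits out of a free-space blob (added example)."""
import re

# Header/footer signatures (JPEG SOI/EOI, HTML open/close) as commonly documented.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "html": (b"<html", b"</html>"),
}

def carve_blocks(blob: bytes, signatures=SIGNATURES, max_len=1 << 20):
    """Return child objects as dicts {name, start, end, data}. A header whose footer
    is missing (or further than max_len away) is skipped rather than guessed."""
    children = []
    for ext, (head, foot) in signatures.items():
        pos, n = 0, 0
        while (start := blob.find(head, pos)) != -1:
            end = blob.find(foot, start + len(head), start + max_len)
            if end == -1:
                pos = start + 1
                continue
            end += len(foot)
            n += 1
            children.append({"name": f"FreeSpace_{ext}_{n:03d}.{ext}",
                             "start": start, "end": end, "data": blob[start:end]})
            pos = end
    return sorted(children, key=lambda c: c["start"])

def user_search_hits(blob: bytes, keywords: dict, context=12):
    """keywords maps category -> list of terms. Returns hits as
    (category, term, offset, snippet) for every case-insensitive occurrence."""
    hits = []
    for category, terms in keywords.items():
        for term in terms:
            for m in re.finditer(re.escape(term.encode()), blob, re.IGNORECASE):
                lo, hi = max(0, m.start() - context), min(len(blob), m.end() + context)
                hits.append((category, term, m.start(), blob[lo:hi]))
    return sorted(hits, key=lambda h: h[2])

# Constructed free-space blob: junk, a tiny JPEG, a mail fragment, a headerless JPEG
# start, an HTML fragment, junk. Offsets below are what the tests check against.
FREE_SPACE = (b"\x00" * 16
              + b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"        # JPEG at 16..42
              + b"\x00" * 8
              + b"From: peter.pan@example.test\r\nSubject: Peter Pan invoice\r\n"
              + b"\xff\xd8\xff" + b"X" * 10                          # header, no footer: not carved
              + b"<html><head><title>Mickey Mouse</title></head><body>hi</body></html>"
              + b"\x00" * 16)

KEYWORDS = {"People": ["Peter Pan", "Mickey Mouse"], "Finance": ["invoice"]}

if __name__ == "__main__":
    for c in carve_blocks(FREE_SPACE):
        print(f"{c['name']:<24} {c['start']:>6} {c['end']:>6}")
    for cat, term, off, snippet in user_search_hits(FREE_SPACE, KEYWORDS):
        print(f"{cat:<8} {term:<12} @{off:<5} {snippet!r}")
```

The one design point worth copying into manual work is the refusal to carve a header that has no footer within a sane distance: a dangling JPEG start in free space is a hit worth noting, not a child object worth exporting.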

Video :





Understanding Child & Parent Relationships when 'Bookmarking'

One of the ways that XWF helps me with my workflow so much and saves me so much time is its "like nothing else out there" method of bookmarking, or, to use the correct XWF terminology, creating and using 'Report Table associations'. 

I'll use the term bookmarking, simply because it is quicker and enables the widest user base to relate to what I am talking about, but that in no way means I acknowledge that the term 'bookmarking' is better. In my head, the traditional use of a bookmark is to make a place holder in a paper book for when you come back later, and it is usually bought for you by your Grandma when she visits some far flung rural retreat. I don't think of the way we work as digital forensics practitioners to be like that. We create "buckets" of relevant data and we add one or more items of interest to the bucket(s). So in my mind we should just call it "bucketing", or categorising, but hey, I digress.

If you apply the same thought processes to bookmarking files in XWF as you might do from experience of using other tools, you'll come unstuck pretty quick, I'm afraid to say. But if you take the time to understand how XWF is designed here, it will enable you to become really slick with it and you'll save time in the long run.

Firstly, lets understand parent and child relationships. 

I've taken not an insignificant amount of time preparing the diagram below, which I think shows the parent\child hierarchy of X-Ways rather well. Please click on it and take a look. Notice the XWF screenshots next to various elements, that try to explain the differences between the bookmarking options. 

A Parent\Child XWF File Object Illustration


Basically, when you first add evidence to XWF and it parses the filesystem, on the whole, most objects will be "literal" as seen by the filesystem. So a zip file will appear just as a zip file. A doc file will appear just as a doc file. A pst file will appear as a single pst file without thousands of child objects (the e-mails and attachments). However, once you refine the volume snapshot for your case, and depending on what options you choose, each of these single file objects will be explored and their content presented in XWF as child objects of those parent files. 

I've extracted one example to show you and I'll explain each of the options in turn now. 

The options presented when creating report tables

To bookmark a file, right click it, choose "Report Table associations" and you will be presented with a menu, the right hand side of which will look something like the illustration above. 

Selected Item : Literally means the file or files (or file objects, to be more precise) that you have selected in the directory browser pane. Let us assume the file is a single word processing file called "Shrek.doc" that you have added to the bookmark (Report Table!) with this option. So, for now, your bookmark contains just Shrek.doc. Any items that XWF has found within the doc file and included in your case as additional file objects, such as embedded graphics, OLE streams etc (for which the doc file is their parent object, and which will only appear in your case if you have refined the volume snapshot with the appropriate options as mentioned above), are obviously part of the doc file anyway, so you do not necessarily need to have them bookmarked separately and in addition to it (which is what the next tick box option, discussed below, does). If you do so, you will have several bookmarked items already, all from one file - the doc file itself, perhaps several OLE streams, perhaps several embedded graphics or charts or diagrams, and so on. Things could get messy! So Selected Item will, in the vast majority of cases, be the only option you need (save perhaps for the last one, which is explained down below).

Selected Item & Parent File : The most useful application of this combination is in the context of an e-mail message with, let's say, three word processing files attached. Let's say one of the attachments is of interest and you wish to bookmark it, but the other two are not. The context of the e-mail in which the file was attached is also of relevance, but you have no desire to have the message's parent bookmarked too (i.e. the Outlook.pst file). By selecting the attached file in the directory browser and having 'parent file' ticked too, only the attachment and the e-mail itself will be bookmarked - not the other attachments and not the entire PST cabinet.

Selected Item & direct child object(s) : Similar to the above, but vice versa, and also only to one level. Let's say you have an e-mail message that you wish to bookmark and, for completeness, you want the three attachments bookmarked too, but not their child objects (OLE streams, embedded graphics etc). Then this is the option to choose.

Selected Item & child objects recursively: If it's the e-mail you have selected in the directory browser, then it will be the three attachments and all of the child objects of those attachments, too. If it's an Outlook.pst cabinet, then it will be every child e-mail and every attachment to all of those e-mails, and every child object of every attachment. So one bookmarking action could populate a report table with thousands of file objects immediately! Similarly, if it is a zip cabinet with 10 word processing files, then it would be the cabinet itself, all ten word processing files and all of their embedded objects. So your bookmark (Report Table!) listing in the directory browser would look like this :


MyZip.zip          \Users\User\Documents\
WordFile1.doc      \Users\User\Documents\MyZip.zip
EmbeddedJPG.jpg    \Users\User\Documents\MyZip.zip\WordFile1.doc 
WordFile2.doc      \Users\User\Documents\MyZip.zip
EmbeddedJPG.jpg    \Users\User\Documents\MyZip.zip\WordFile2.doc
WordFile3.doc      \Users\User\Documents\MyZip.zip
EmbeddedJPG.jpg    \Users\User\Documents\MyZip.zip\WordFile3.doc
...
WordFile10.doc     \Users\User\Documents\MyZip.zip
EmbeddedJPG.jpg    \Users\User\Documents\MyZip.zip\WordFile10.doc

Selected Item & Siblings: I must admit I have never used this option, but from what I understand of it, it will enable all other files in the same directory as the file you have selected to be bookmarked all at the same time. So if you found a JPG file called "PeterPansHoliday.JPG" in a folder called \Users\User\MyHoliday, then all the other files in MyHoliday would be associated at the same time.  

Selected Item & any known duplicates : This is the most awesome feature of the system. If you have conducted a volume snapshot refinement and enabled hashing of files in your case, then any file with the same hash as the one you have selected will automatically be bookmarked too...even if you don't know it exists! In cases involving dozens of computers, perhaps from multiple locations, this can be candy floss on a stick. 
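Because the six options are really six different walks over the parent/child tree, they are easy to pin down precisely in code. The following is an added example (not XWF's implementation) that models a small file-object tree matching the post: a PST cabinet holding an e-mail with three .doc attachments, each with an embedded JPG, plus a sibling text file and an identical copy of one attachment elsewhere (same hash). Each function returns the set of object IDs that would land in the report table for that option; names, IDs and hashes are constructed for the demo.

```python
"""The six 'Report Table associations' scopes as tree walks (added example, not XWF code)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FileObject:
    id: int
    name: str
    parent: Optional[int]
    md5: Optional[str] = None
    children: list = field(default_factory=list)

def build_tree():
    """Constructed case: \\Documents\\Outlook.pst\\<e-mail>\\<3 attachments>\\<embedded jpg>."""
    objs = {}
    def add(id_, name, parent, md5=None):
        objs[id_] = FileObject(id_, name, parent, md5)
        if parent is not None:
            objs[parent].children.append(id_)
    add(1, "Documents", None)
    add(2, "Outlook.pst", 1)
    add(3, "Holiday plans.eml", 2)
    add(4, "Attach1.doc", 3, md5="aaa")
    add(5, "Attach2.doc", 3, md5="bbb")
    add(6, "Attach3.doc", 3, md5="ccc")
    add(7, "embedded1.jpg", 4, md5="jp1")
    add(8, "embedded2.jpg", 5, md5="jp2")
    add(9, "embedded3.jpg", 6, md5="jp3")
    add(10, "Notes.txt", 1, md5="ddd")
    add(11, "Attach2 copy.doc", 1, md5="bbb")      # same content as id 5, different path
    return objs

def selected(objs, sel):
    return set(sel)

def with_parent(objs, sel):
    """Selected item plus its direct parent only (the e-mail, not the PST)."""
    return set(sel) | {objs[i].parent for i in sel if objs[i].parent is not None}

def with_direct_children(objs, sel):
    """One level down: the attachments, not their embedded objects."""
    return set(sel) | {c for i in sel for c in objs[i].children}

def with_children_recursively(objs, sel):
    """Everything beneath the selection, however deep."""
    out, stack = set(sel), list(sel)
    while stack:
        i = stack.pop()
        for c in objs[i].children:
            if c not in out:
                out.add(c)
                stack.append(c)
    return out

def with_siblings(objs, sel):
    """Every object sharing the selection's parent (the whole folder)."""
    return set(sel) | {s for i in sel if objs[i].parent is not None
                       for s in objs[objs[i].parent].children}

def with_known_duplicates(objs, sel):
    """Every object anywhere in the case with the same hash as a selected one."""
    hashes = {objs[i].md5 for i in sel if objs[i].md5}
    return set(sel) | {o.id for o in objs.values() if o.md5 in hashes}

def path_of(objs, i):
    parts = []
    while i is not None:
        parts.append(objs[i].name)
        i = objs[i].parent
    return "\\" + "\\".join(reversed(parts))

if __name__ == "__main__":
    objs = build_tree()
    for label, fn, sel in [("Selected item", selected, [5]),
                           ("+ parent file", with_parent, [5]),
                           ("+ direct children", with_direct_children, [3]),
                           ("+ children recursively", with_children_recursively, [2]),
                           ("+ siblings", with_siblings, [10]),
                           ("+ known duplicates", with_known_duplicates, [5])]:
        print(label)
        for i in sorted(fn(objs, sel)):
            print("   ", path_of(objs, i))
```

Running it reproduces the behaviours described above: parent of an attachment stops at the e-mail, recursive from the PST pulls in all eight descendants, and duplicates finds the copy in \Documents that nothing else would have touched.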

A video will follow, along with some more advanced techniques that would take too much writing to explain. But it is a touch late for video antics so for now, the above will have to suffice. 


Enable or disable 'File Object Count' statistics

Users upgrading from earlier versions of XWF (prior to v17.6, back to, as a rough estimate, perhaps v16.9 or thereabouts) will know that the file object count of a case, an evidence object and each child object (directory, zip file, cabinet etc) is summarised in blue next to each folder.

Well, it seems that in XWF v17.6, that is not on by default and the user has to enable it. It is easily done, though. Simply go to Options --> Directory Browser Options, and tick the box marked 'Show file count'.


Notice also there is a "File count" column that the user can also have visible in the directory browser, if he wishes.



No need for a video, but I am "in the zone"!




Preserve filter and column sort settings on a case-by-case basis

In versions of XWF prior to v17.0 (released around March 2013), it was sometimes awkward if you applied filters and column sorts for a case because the next time you opened it, the settings from the previous use would take effect.

As of v17.0, there is an option to have these settings saved for you automatically inside the case. This means that when you re-open the case days or weeks later, and even if another user has set different filter and sort options on a particular computer, your settings will be restored.

To enable the option (if it is not on already), simply tick the box that says "Store filter and sort settings in cases". Once you've done that, any settings applied will be re-applied next time you open the case, assuming you use v17.0 or upwards, of course!


A video to demonstrate this in action.



Video 39 - Restoring the '.' to the hex display for unprintable bytes

A minor thing, but frustrating when you don't know how to change it: the hex display in XWF no longer shows a '.' in place of non-printable characters. If you like to see them in place of such byte values it is nice to have them back; reading Unicode strings in the text column, where every other byte is non-printable, is an obvious example.

The setting is easy to find though once you know it is there. In the X-Ways options, simply remove the space character from where it says '0x20 substitute character []'. Remove the space character and replace it with a '.'



Video to illustrate:

Video 40 - Improving Indexing Speeds and Storage Efficiencies using type filtering

The new indexing engine that was introduced in v17.2, made more significant in v17.5 (but with the old one still available) and seemingly made the primary indexing engine in v17.6 (or .7), is worthy of some explanation, given that previous blog entries described indexing as it used to be some time ago.

In brief, the act of indexing is now conducted via the volume snapshot, instead of via the 'Search --> Create Index'. However, the way you use it can improve your workflow and storage efficiencies.

Let's assume you have a standard case with one or more forensic images in it. When it comes to indexing it, you could index every single file object. But what if the forensic image is of an external USB drive used to store 1TB of videos, JPEGs and Photoshop files that also contains one folder with 1000 xls files in it, and you're investigating a case involving spreadsheets? If you index 1TB of videos and pictures, there will be some ASCII indexable text, but chances are those text characters are not actually written language. So you'll end up with an index of many GB containing nothing of use, with the hits found in the spreadsheets jumbled inside it.

What's more, it will take a lot longer to create than it would if you just indexed the 'more obvious' textual data.

So how to do that?

RVS your case as normal with no filters applied. Let XWF 'do its thing': explore all the cabinets and zip files, hash the files, expand all the e-mails and attachments, and so on.

Then apply a type filter with a logical NOT operator and select as a group the likes of Pictures, Videos, Program Files, and so on.



In other words, ask XWF to remove (filter out) the files you are selecting to leave all the other file types that usually contain more meaningful textual data, including of course the free space.

Then run the RVS again and just tick 'Indexing' but ensure you also tick 'Omit files that are filtered out' so that only the files that are left AFTER applying the type filter are indexed.


Enter your indexing parameters and click OK. XWF will now only index the files that are filtered in, ensuring your index folder is far smaller, is created much faster and probably contains more relevant data overall.

Then, to search the index, again, things have changed. You now use the same blue binoculars that you're perhaps used to using for simultaneous searches, except there is now a drop down menu at the bottom with "Search in Index" as an option. If you select that and enter a word, the search will be conducted over your index.



It makes a lot of sense design wise - keep all the searching elements in one place. But if you've upgraded to a newer version of XWF in the last few years, you might get caught out and confused, until you read the manual of course.
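To see why the NOT-type filter pays off, here is an added example (not XWF's indexing engine) that builds a crude word index over a constructed set of file objects, once over everything and once after excluding the Pictures and Videos groups, and compares index size and the hits for one term. The type groups, file contents and the single-term 'search' are all constructed for the demo; real media files carry even more accidental letter runs than the pseudo-random bytes used here.

```python
"""Index only what the type filter leaves in, and measure the difference (added example)."""
import random
import re
from collections import defaultdict

TYPE_GROUPS = {
    "Pictures": {"jpg", "png", "psd"},
    "Videos": {"mp4", "avi"},
    "Documents": {"xls", "doc", "txt"},
}

def group_of(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for grp, exts in TYPE_GROUPS.items():
        if ext in exts:
            return grp
    return "Other"          # free space, unknown types, files with no extension

def type_filter(files, exclude_groups):
    """NOT filter: keep everything whose type group is not in exclude_groups."""
    return [f for f in files if group_of(f["name"]) not in exclude_groups]

WORD = re.compile(rb"[A-Za-z]{3,}")   # ASCII runs of 3+ letters, like a minimal indexer

def build_index(files):
    """word -> set of file names. Binary junk still yields 'words' (runs of letters)."""
    index = defaultdict(set)
    for f in files:
        for m in WORD.finditer(f["data"]):
            index[m.group().lower().decode()].add(f["name"])
    return index

def search(index, term):
    return sorted(index.get(term.lower(), ()))

random.seed(7)
def junk(n):
    """Pseudo-random bytes standing in for media content (constructed)."""
    return bytes(random.randrange(256) for _ in range(n))

# Constructed evidence: media, two spreadsheets, and free space.
FILES = [
    {"name": "IMG_0001.jpg", "data": junk(4000) + b"\x00budget\x00" + junk(4000)},  # accidental hit
    {"name": "clip.mp4",     "data": junk(8000)},
    {"name": "layers.psd",   "data": junk(4000)},
    {"name": "Q3.xls",       "data": b"Sheet1 budget forecast total revenue"},
    {"name": "Q4.xls",       "data": b"Sheet1 budget actuals total cost"},
    {"name": "Free space",   "data": junk(2000) + b" budget draft " + junk(2000)},
]

def compare(files=FILES):
    """Index everything vs. index after NOT Pictures/Videos; return sizes and hits."""
    full = build_index(files)
    filtered = build_index(type_filter(files, {"Pictures", "Videos"}))
    return {
        "full_terms": len(full), "filtered_terms": len(filtered),
        "full_hits": search(full, "budget"), "filtered_hits": search(filtered, "budget"),
    }

if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:<15} {v}")
```

The full index is dominated by meaningless letter runs from the media files and even produces a 'budget' hit inside a JPEG; the filtered one is a fraction of the size and keeps the spreadsheet and free-space hits, which is the whole point of the procedure above.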

Video to illustrate (and yes, I do realise that in the video my type filtering hardly makes any difference to the end result, because the RVS steps had little impact on the file types I asked it to filter out, but that is beside the point - the video is to show you HOW to do it, nothing more):





How far down the list am I?


Often you, or a team you are assisting, will be in the position of having a list of many thousands of files in the directory browser of X-Ways Forensics to plough through, even with your best filtering options applied.

A question that you might ask yourself, or indeed that you might be asked, is “How can I tell how far down this list of X thousand files I am?”.

Well, there are at least two ways I know of, and maybe more. One way, however, is both remarkably awesome and at the same time remarkably elusive. So much so that even after using XWF for years, I never knew it was there until today!

1) The obvious way : Is to select a file at the top, then scroll down to where you have got to, press shift and at the same time left-mouse-click the file you have got to. This will highlight all the files and then the number of selected files will be presented to you at the bottom right of the directory browser.


Another potential way is utilising the “Viewed Files” status, but that requires one too many re-listings and option changes for this particular answer.

2) The remarkably convenient but entirely elusive way: The best way by far is like this...in the Directory Browser, if you hover your mouse very precisely over the tiny graphic that represents the file you have got to so far, a number will be presented to you in a small violet box to the left of the directory browser. That number is the number of the selected row in the directory browser. So, if you have 4000 entries in total, and you hover over the icon for the 512th file in that list, “512” will appear to the left of it. And that's it! So that's a quick and easy way to find out what row you are currently looking at. The illustration below says a thousand words – the highlighted file is the 24th in the list, and that appeared as I hovered the mouse over the little white paper icon to the left of “taskhost.exe”. Only at that point does the number appear.


Blink and you'll miss it!

A video will follow soon. 

Using the Position Manager to Annotate Byte Ranges


The position manager enables us to keep a nicely ordered list of positions within digital data and our X-Ways Forensics case.

This is useful for both investigations, examinations, reporting, teaching\lecturing or presentation purposes.

Lets imagine the scenario, for example, of some relevant data in free space that you want to visualise for somebody to help them understand how the data pieces together.

So there's some HTML code inside some free space and I just want to annotate its structure to show the head, title and body tags.

I can select certain byte offsets and then right click and choose 'Add Position' and this will enable the user to add a position marker to the Position Manager of X-Ways Forensics. So you can use your own descriptive marker heading, assign a colour etc and then when you're finished, list the lot all at once and use it to navigate around. 

New Position A


You can add as many positions as you need, and in the drop down box to the right, all of your position labels will be added. 

New Position B

New Position C


When you're done, you can then launch the position manager to see them all listed by going to “Navigation → Position Manager”. However, be advised that as far as I understand it, each evidence object has its own position manager. So, you can only show your saved positions by choosing to show the position manager while you have a particular evidence object selected. If you click on the case root, for example, you won't be able to bring up the position manager, or if you manage to do so, I think it will be empty. 

One way to activate the Position Manager

Another way to activate the Position Manager


And, like most aspects of X-Ways Forensics, the positions that are listed are dependent on:

  1. where in the evidence object they are and
  2. whether or not you have included those areas in your recursive listing.

So, to make that easier to understand, if all your saved positions are just in Free Space but you don't include Free Space during a recursive listing because you ask only for Documents & Settings onwards, you won't obviously see your positions from free space when you activate the Position Manager. But, if you start from the root of your evidence object, you will, because Free Space will then be included (as long as you haven't excluded it with a filename filter or something).

Several saved positions, listed using Position Manager from the root of my image

The manual makes reference to a “General Position Manager” and an evidence object specific position manager when working with a case. I must confess to not being overly familiar with the finer details of the position manager. I find I am learning new things about it all the time and I don't find it especially obvious as to why it works in the way that it does. But as I find out more things, I'll mention it here.

A video will follow soon.

Video 42 - So UserB asked UserA "Where are your keyword searches?" and UserA replied "They should be there!"

Since v17.5, multi-user co-ordination has played a big part in the world of X-Ways Forensics. It's a great feature that enables multiple users to work the same case at the same time (up to 255) and each of their report tables, comments, viewed statuses and keyword searching to be attributed to them by name.

It also facilitates separation of one user's progress from another's. All in all, lots of benefits.

But one particular aspect of it caught me and my friends by surprise once. We realised that if UserA opened a case and searched for some words and then UserB opened the case afterwards, the words searched for by UserA were not listed.

For a while, we thought we were going insane. But then we realised that with multi-user co-ordination, which is generally on by default, such lists are kept seperate. And in fact UserB must "Import search hits of another user" (in this case, the searches of UserA) via the case properties and the multi-user co-ordination settings.



In v17.5 there wasn't much you could do about this matter except the importing referred to above, which generally speaking works perfectly well. However, we found that if User A searched for Peter Pan and User B then imported those search hits, and User B then went on to search for Mickey Mouse and User A then repeated the importing step, what you found was that the results for Peter Pan were doubled up, so instead of, say, 100 hits, they became 200 hits.

So Stefan, after a few e-mail exchanges, very kindly added the option 'Distinguish Between Different Users' to v17.6 (or v17.7). When you create a case, if you uncheck this option, all the searches executed by UserA will automatically be visible to UserB and vice versa. This is a superb addition and works very well, and thus avoids any confusion between words searched for by different users of the same case.


A video:




Video 43 - Exporting files named as the Unique ID

The Unique ID column in X-Ways is a great way to ensure that each file object is totally unique to the whole case, regardless of how many forensic images you add.

It differs from the Internal ID in that the Int ID is specific to the evidence object, so you could have several items whose Int ID is '12345' if you have more than one evidence object in your case. The 'Unique ID', however, identifies a particular file object globally, because its leading number identifies the evidence object (partition) it belongs to, irrespective of how many evidence objects you add.

Like all columns, you can sort by Unique ID, and because XWF assigns the ID to every file object as it encounters it, related items are generally grouped together when you sort by this value. This is especially so when refining the volume snapshot because, for example, when an e-mail is found it is assigned one ID value, any child objects are assigned the next available IDs, and any child objects of those items get the next ones, and so on. So an e-mail, its attached PDF document and the pictures embedded inside that PDF are likely to all appear together.

When exporting files, the file object's name is used by default. But there may be occasions when the ID is preferred for the export, and how to do that is not hugely obvious.

To use the Unique ID when exporting, ensure that "Recreate original path" is UNTICKED, then click the ellipsis near the bottom and check the box that reads "Name output files after Unique ID", specify your output folder, and click OK.




And a video that adds some extra details:





Video 44 - Creating Your Own Custom "File Type" Categorisations

Video 44 is a goodie....I'm confident everyone will like it.

One of the reasons I created this site was to help the guys at X-Ways Software illustrate how X-Ways Forensics can be used for everyday digital forensics casework, instead of the more intricate forensic work, because all I ever heard was "we have X-Ways but we only use it when the other tools fail", which seems thoroughly insane to me. If you have software that does a great job, why use the one that does a lesser job for something as important as digital forensics? The answer, often, was "but X-Ways is too hard to list the stuff I need to find quickly". This post will end that thought process I fancy.

I am lucky enough to work with a great team of great guys (and a girl!). Using XWF on your own can be a struggle at times, I admit, but when you have the collaborative input of a team, you all learn much faster and everyone benefits. And so with that in mind I give full credit to my buddy who finally got round to doing this for our team.

You can easily list every file of a given type (as determined by signature once file types have been verified) using the 'Type' property of the directory browser. By default XWF comes with a lot of types, and I do mean A LOT. They are all categorised into groups by way of a simple text file, and you can choose entire groups of file types, or select individual parts of each group as a combined filter and save it as a text file. That is how we worked for several years. Text configuration files can, of course, be changed, as anyone who uses Linux will know all too well.

So recently we realised that the "Type" configuration file for XWF can also be customised to list the groups that YOU are interested in on a regular basis. There is no compulsion to stick to the ones created by X-Ways Software. So, do you want a file type filter like mine? If so, read on...

Your "Type" filter CAN look like this


The file you need to edit to achieve the view above is called 'File Type Categories.txt' and it is located in the root of your XWF installation. Copy it first, just in case you mess it up, and keep that copy somewhere safe so your custom groups can be restored after a reinstall.

The File Type Categories.txt file that holds the type filter values


Open the file using a text editor. Notice how each top-level category heading is prefixed with three asterisk characters, e.g. *** E-Mail, and beneath each heading is a series of lines that begin with a minus character followed by a type, e.g. - .pst. This is the file from which XWF builds the type dialog when you click the Type filter in the directory browser.

The File Type Categories.txt file showing the groupings

Naturally you can change what is ticked or unticked by default simply by changing the minus characters to plus characters (which is exactly what happens when you save a type filter using the dialog).

Let's assume you are an e-Discovery firm. e-Discovery firms, I gather, are very often given a brief along the lines of "Detect all the MS Word files from that server, little computer person". You could, of course, use the built-in Word Processing group, tick the various types of word processing file you seek and save that as "My Type Filter.txt". Or you could tick the entire group, but then you'll get a lot more besides just doc and docx files. So the answer is simply to create your own category, which XWF allows you to do, because it is awesome.

Using Notepad or Notepad++, simply add a line of three asterisk characters followed by your own group name, and below it copy and paste the entries you want in your group from elsewhere in the file (stick to types that already appear in the file; XWF can only filter on types it knows). Then change the minus characters to plus characters. The next time you open the type filter, you'll see your very own custom group at the top! You can add more custom groups as you see fit. This might make it easier for non-technical folks to filter your case for their desired file types only, if you have non-technical review people examining the results of your work using X-Ways Investigator (or of course X-Ways Forensics).

So you can create "simple" groupings like those you may already be familiar with if migrating from FTK or EnCase, but you have even more control as to exactly what is, or is not, listed. You could even create such a grouping on a case-by-case basis as agreed between your team and the legal teams for both sides.
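As an added illustration of the file format just described (this is not code from the post or from X-Ways Software), here is a small Python script that parses a 'File Type Categories.txt'-style file, builds a custom group from types the file already lists, and writes that group to the top with its entries ticked. The sample file content is constructed and far shorter than the real one. The script assumes only what the post states about the format (a '***' heading line followed by '-' or '+' entry lines, with the first token after the marker being the extension), keeps any other line verbatim, and assumes the file is UTF-8 (the encoding argument of install() is there in case your copy differs).

```python
"""Add a custom group to an X-Ways 'File Type Categories.txt'-style file.

Format as the post describes it: a heading line starting with '***', followed by
entry lines starting with '-' (unticked by default) or '+' (ticked by default).
Everything after the marker is kept verbatim, so any extra text on an entry line
survives a round trip. Other lines are preserved untouched.
"""
import shutil
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Sequence, Tuple

# Constructed sample; the real file shipped with X-Ways is much longer.
SAMPLE = """*** E-Mail
- .pst
- .dbx
- .eml
*** Word Processing
- .doc
- .docx
- .odt
- .rtf
"""


@dataclass
class Group:
    name: str
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (marker, text)


def parse(text: str) -> Tuple[List[str], List[Group]]:
    """Split the file into a preamble (lines before the first heading) and groups."""
    preamble: List[str] = []
    groups: List[Group] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("***"):
            groups.append(Group(line[3:].strip()))
        elif not groups:
            preamble.append(line)
        elif line[:1] in ("+", "-"):
            groups[-1].entries.append((line[0], line[1:].strip()))
        else:
            groups[-1].entries.append(("", line))  # blank/comment line, kept as-is
    return preamble, groups


def render(preamble: List[str], groups: List[Group]) -> str:
    """Serialise back to the on-disk format (inverse of parse)."""
    out = list(preamble)
    for g in groups:
        out.append(f"*** {g.name}")
        for marker, text in g.entries:
            out.append(f"{marker} {text}" if marker else text)
    return "\n".join(out) + "\n"


def extension_of(entry_text: str) -> str:
    """First token of an entry is the extension ('.docx'); anything after it is ignored."""
    parts = entry_text.split()
    return parts[0].lower() if parts else ""


def add_custom_group(text: str, name: str, wanted: Sequence[str], ticked: bool = True) -> str:
    """Return the file with a new group at the top, built only from types the file already lists."""
    preamble, groups = parse(text)
    if any(g.name.lower() == name.lower() for g in groups):
        raise ValueError(f"group {name!r} already exists")
    known = {}
    for g in groups:
        for marker, entry in g.entries:
            if marker:
                known.setdefault(extension_of(entry), entry)
    new = Group(name)
    for w in wanted:
        ext = w.lower() if w.startswith(".") else "." + w.lower()
        if ext not in known:
            # X-Ways can only filter on types it knows; refuse rather than invent one.
            raise ValueError(f"{ext} is not a type listed in the file")
        new.entries.append(("+" if ticked else "-", known[ext]))
    return render(preamble, [new] + groups)


def install(path: str, name: str, wanted: Sequence[str], encoding: str = "utf-8") -> None:
    """Back up the real file first (as the post advises), then write the new version."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(add_custom_group(p.read_text(encoding=encoding), name, wanted), encoding=encoding)


if __name__ == "__main__":
    print(add_custom_group(SAMPLE, "My Word Documents", [".doc", "docx"]), end="")
```

Run against the sample, the output starts with a ticked "*** My Word Documents" group containing only .doc and .docx, followed by the untouched original groups; asking for an extension the file does not know raises rather than silently adding a type the filter would never match.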

What could be simpler? Of course...a video to show you how!





Video 45 - Logging file exports and customising the log

X-Ways Forensics, like most forensic tools, can export files from the forensic image you're examining to your local file system. Naturally this puts the file at the mercy of that file system, but that's another story. What this post explains is the seamless manner in which XWF logs these exports for you, which is useful in many situations and helps you comply more fully with the ACPO principles (in particular the requirement to keep an audit trail of the processes applied to the evidence).

The good news is that by default these settings are all applied for you and the logging happens without you even knowing about it! So the lazy amongst you can simply go to the "_log" folder under the evidence object's directory in your case folder and find the "copylog.html" file. In there will be all the exports you have done from that evidence object.

The more curious of you will want to know what these settings are and how they can be adjusted to fit your workflow.

So, when you create a new case, note the option in the middle right titled "Log Recover/Copy command". Guess what this enables? That's right: the logging of Recover/Copy commands. Untick it to prevent logging, but note it is enabled by default. The ellipsis to the right enables further refinement of which values are logged, so you can change these to fit your needs for this case, or for future cases.


Once applied, your export log will include these values.

So, with a bunch of files highlighted, right-click, choose "Recover/Copy" and select where you'd like to export the files to, ensuring that "Log Recover/Copy command" is ticked (which it will be by default unless you have unticked it before):



On completion you'll be told how many files were successfully exported. But what about the log? That is being quietly appended to without any further interaction from the user, so it is a rolling, or "living", document.

Try it for yourself: export 3 or 4 files, then open the log at YourCases\YourCase\ImageName\_log\copylog.html in a web browser. Then export a few more files, refresh (F5) the file in your browser and you'll notice the newly exported file details have been appended after the first few.

Video 45 below to demonstrate:





Video 46 - Block Hashing Explained

In my opinion, for what it is worth, the addition of block hashing to X-Ways Forensics is one of the most impressive new additions to the tool.

As always, the manual explains this fully and properly. But a quick explanation is this: you have a file that you have found, or have been asked to find, across a variety of devices. Traditionally, you would hash the file and then hash all the files on the other devices. If you get a match then you know the file exists in more than one place. But what if the file on the other device(s) has been deleted and partially overwritten, or only fragments of it remain? A whole-file hash will not match... but block hashing will, as long as at least one complete sector of the file is left intact and sector-aligned on the device.

What block hashing does is compute a hash of each individual 512-byte sector of the file you have, producing a block hash set. You then use that block hash set to run a block hash analysis of the other devices: X-Ways Forensics goes off and computes a hash (using the algorithm you chose) of every sector on those devices and looks each one up in your set. Where there is a match, the offset and the hit are shown to you. This way you can show that at least part of the file did, once upon a time, exist on the device(s) you have examined. One caveat: sectors whose content is common to many files, such as all-zero padding, will match in countless unrelated places, so treat hits on such blocks with caution.

So how to do it? As always, the video at the bottom demonstrates, but a quick narrative is this:

1) Using the file you are trying to find fragments of, create a block hash set skeleton structure via Tools -- Hash Database. Note you are not adding values at this stage, just creating the storage shell.

Initialising a block hash database
Then right-click your "parent file", i.e. the one whose fragments you wish to find somewhere in the world, and choose "Create Hash Set". You can choose whatever hash algorithm you like. Naturally, with something as intensive as what we are doing here (eventually examining every sector of every device and computing a hash of each), you might want to choose a smaller, faster algorithm rather than a larger, more robust one, but I won't argue those issues now.

Then refine the volume snapshot (F10), choose "Block-wise hashing and matching" and ensure any other options you may want to run are included. Computing a proper hash of all the files is always useful anyway, of course.

Refine the volume snapshot to include block wise hashes

Do all the usual OK clicking and, upon completion, if any results were found you can examine them by using the search facility, just as you would for normal keyword searching. The block hash results are presented as search results and, just like normal keyword hits, they show the disk offsets and free space references.

Results of block hashing exercise in search mode
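To make the sector-level mechanics concrete, here is an added Python example (not the post's or X-Ways' own code) that builds a block hash set from a "parent" file and matches it against a constructed device image. On that device one copy of the file sits sector-aligned but has one sector overwritten afterwards, and a second copy sits at a misaligned offset. The example also skips sectors consisting of a single repeated byte, my stand-in for the low-value blocks mentioned above. The hash algorithm, the 512-byte block size and all the data are assumptions made for the demo.

```python
import hashlib
import random
from typing import Dict, List, Set, Tuple

SECTOR = 512  # block size; X-Ways hashes 512-byte sectors as the post describes


def pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic filler bytes so the constructed data is reproducible offline."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_block_hash_set(parent: bytes, algo: str = "sha256") -> Tuple[Dict[str, int], Set[int]]:
    """Hash each complete sector of the parent file.

    Returns (digest -> first sector index that produced it, indexes of skipped sectors).
    A trailing partial sector is never hashed, because it cannot equal a full sector on
    a device. Sectors made of one repeated byte (zero fill etc.) are skipped too: they
    would match in countless unrelated places and prove nothing about the file.
    """
    hashes: Dict[str, int] = {}
    skipped: Set[int] = set()
    for i in range(len(parent) // SECTOR):
        block = parent[i * SECTOR:(i + 1) * SECTOR]
        if len(set(block)) == 1:
            skipped.add(i)
            continue
        hashes.setdefault(hashlib.new(algo, block).hexdigest(), i)
    return hashes, skipped


def block_hash_match(device: bytes, hashes: Dict[str, int],
                     algo: str = "sha256") -> List[Tuple[int, int]]:
    """Hash every sector of the device and look it up in the set.

    Returns (device byte offset, parent sector index) per hit, i.e. the offsets that
    X-Ways presents as search hits.
    """
    hits: List[Tuple[int, int]] = []
    for off in range(0, len(device) - SECTOR + 1, SECTOR):
        digest = hashlib.new(algo, device[off:off + SECTOR]).hexdigest()
        if digest in hashes:
            hits.append((off, hashes[digest]))
    return hits


def demo() -> Tuple[List[Tuple[int, int]], Set[int]]:
    """Constructed scenario: a deleted, partially overwritten copy plus a misaligned one."""
    # Parent file: 5 full sectors plus 100 trailing bytes; sector 2 is zero-filled.
    parent = bytearray(pseudo_random(5 * SECTOR + 100, seed=1))
    parent[2 * SECTOR:3 * SECTOR] = bytes(SECTOR)
    parent = bytes(parent)

    # Device: 40 sectors of unrelated data, with two zero-filled sectors of its own...
    device = bytearray(pseudo_random(40 * SECTOR, seed=2))
    device[5 * SECTOR:7 * SECTOR] = bytes(2 * SECTOR)
    # ...a sector-aligned copy of the file at sector 10, whose 4th sector is then overwritten...
    device[10 * SECTOR:10 * SECTOR + len(parent)] = parent
    device[13 * SECTOR:14 * SECTOR] = pseudo_random(SECTOR, seed=3)
    # ...and a second copy starting 100 bytes into sector 20, i.e. not sector-aligned.
    start = 20 * SECTOR + 100
    device[start:start + len(parent)] = parent
    device = bytes(device)

    hashes, skipped = build_block_hash_set(parent)
    return block_hash_match(device, hashes), skipped


if __name__ == "__main__":
    hits, skipped = demo()
    print("skipped parent sectors:", sorted(skipped))
    for offset, sector in hits:
        print(f"device offset {offset:#x}: parent sector {sector}")
```

Only three hits come back: parent sectors 0, 1 and 4 at device sectors 10, 11 and 14. The overwritten sector is gone, the zero-filled sector was never in the set (so the device's own zero sectors cause no false hits), and the misaligned copy is invisible to a sector-aligned scan, which is exactly the limitation to keep in mind when a file may have been stored with an offset.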
As always, a video to demonstrate :


Video 34 - Creating User Categorised Search Hits from Free Space

In the previous post (Video 33), I showed you how to create child objects of relevant evidence found in free space. In this video (Video 34), titled 'Creating User Categorised Search Hits from Free Space', I show you how to quickly explore free space and add relevant entries as user-generated search hits that can be retrieved later on and listed en masse or individually.

Create a new case, add an image, click on 'Free Space', ensure 'File' mode is selected in the viewing component and then use Ctrl+F to find whatever text it is you seek. For each found entry, select (block sweep) the text you want to note.

Then right-click and, this time, click 'Add to User search hits' (instead of 'Add Block as virtual file', which I showed in Video 33).



You can either just accept the defaults or create your own categorisations. Continue until you're done.


On completion, click the search results button in the viewing component palette and, as long as those hits are beneath the point you have selected in the top-left pane, your results will be listed.



You can then list them individually by clicking one category at a time in the bottom-left pane, or you can select multiple entries, or all of them. Whatever you choose, the relevant entries will appear in the directory browser, top right. But do not be caught out by selecting the wrong place in the top-left pane!

Video :





Video 35 - Basic RAID Reassembly using XWF

An understanding of RAID technology is important for those who work with corporate servers especially, but these days many home PCs are configured with RAID too.

Fortunately, XWF allows the assembly of a RAID at either the pre- or post-imaging phase and even allows the user to export an image of the reconstructed RAID, so that those using forensic software that does not support RAIDs are able to examine the same data without having to endure the technical difficulties sometimes presented by RAID. Thankfully, XWF takes a lot of the hard work out of it for us. I'll try to explain...

Disclaimers:

a) I am not a RAID expert! Jens Kirschner is, as are lots of people around the world. But I am definitely not! In fact, I only really know the basics about RAID. So that is disclaimer one.

b) The images used in this demo are courtesy of Jens Kirschner (from X-Ways Software AG). He created them and has kindly let me use them for this demo. Disclaimer two. 

c) This is a simple demo to illustrate how you might access data on a RAID using X-Ways. It does not cover the many "what ifs" because of disclaimer one. And this concludes the disclaimers.

End of Disclaimers
 
So, let's pretend you have a server with 3 disks in it that form a striped RAID across all 3 disks. You know that the top disk is "Disk 1", the middle disk is "Disk 2" and the bottom disk is "Disk 3". You know that because you've either worked it out from the RAID configuration software, from some config files you've found, the admin guy has told you, you're a clever clogs and worked it out from the hex of one of the sectors of one of the disks, or a combination of all four. Either way, you image Disk 1 as "Image1", Disk 2 as "Image2" and Disk 3 as "Image3".

So you now have 3 E01 images. How do you access the data in them with XWF? Click 'Specialist --> Reconstruct RAID System...'


And you will be presented with the following dialog. Simply click the ellipsis buttons to choose the image "Image1" to be associated as "Disk1" where it says "1", then choose the image "Image2" to be associated as "Disk2" where it says "2", and, guess what... lastly choose the image "Image3" to be associated as "Disk3" where it says "3".

The area just described is where you specify which images form your original RAID layout and in what order. If you get the order wrong, you can re-jig it later and re-arrange the order.

Over to the right is the RAID type that you are rebuilding. I don't need to detail them all, of course; you can read them yourself from the dialog. In my case, I am going to choose "Level 0" for a RAID 0 striped array. If you have a different RAID to deal with, you can see the myriad of available options to assist. Tip: the Help button (bottom right of the dialog) is very helpful for RAID and gives explanations for the various circumstances.

Where it says "Stripe size in sectors", you specify your stripe size (believe it or not), which is commonly 64, 128 or 256 sectors but could be more or less; it is usually (always?) a power of two. Again, prior knowledge here is helpful, as guesswork with complex RAIDs can be time-consuming and dangerous! But for simple RAIDs you can usually just keep going up or down until you get a readable file system. By readable, I don't just mean the file system listing (a wrong stripe size can leave the directory structure readable while the file contents are scrambled); I mean the actual file content itself too, such as pictures and documents.



When you're done, click OK and your re-assembled RAID (whether right or wrong) will appear as a new tab (evidence object), from where you can check it and, if it looks OK, add it to your case and work with it. Better still, once you are certain it is validly rebuilt, you can create an image of the reconstructed RAID as an E01, and then colleagues can use it in EnCase, FTK or back in X-Ways Forensics without having to reconstruct the RAID themselves. Simply press Alt+C or 'File --> Create Disk Image' to create an image as usual (as already documented elsewhere in this blog), make sure it verifies, and pass it on wherever you may have to.


What's more, you can use this exact same technique with a physical RAID. If you can connect all 3 disks at the same time to your workstation via FireWire, eSATA, USB or whatever bus (via write-blockers, of course), you can add all 3 disks as physical disks ('F9' or 'Tools - Open Disk') and then repeat the "Reconstruct RAID System..." step, using the physical disk objects themselves instead of images. XWF will again reconstruct the RAID as a new tab (evidence object) and you can then create an E01 of the reconstructed RAID directly, avoiding the need to create separate images at all. Of course, best practice is to image each disk individually to avoid any need to explain a fairly complicated concept, but if the need is there to do it this way, the functionality is there to facilitate it for you.

As usual, there are many ways to access RAID file systems with XWF.

Once you have your rebuilt RAID (be it from image reconstruction or physical disk reconstruction), you can then refine your volume snapshot as usual.
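The following Python example, added here and not part of the post or of X-Ways, shows what "Reconstruct RAID System" does for a RAID 0 set and why the post insists on checking file content rather than just the listing. It assumes a plain stripe set (equal-sized members, no parity, no controller metadata before the first stripe) and uses a constructed toy file system: a directory in sector 0 carrying the 0x55AA boot signature plus CRC32-checked file payloads. Reassembling with the correct order and stripe size verifies every file; the wrong stripe size still yields a readable "listing" but corrupt content; the wrong member order yields nothing readable at all.

```python
import random
import struct
import zlib
from typing import Dict, List, Sequence

SECTOR = 512
MAGIC = b"DEMO_FS1"  # constructed toy file system marker, not a real signature


def reassemble_raid0(members: Sequence[bytes], stripe_sectors: int) -> bytes:
    """Interleave members round-robin, one stripe at a time: members[0] is 'Disk 1'."""
    stripe = stripe_sectors * SECTOR
    size = min(len(m) for m in members)  # a longer member's tail cannot be striped
    out = bytearray()
    for pos in range(0, size, stripe):
        for m in members:
            out += m[pos:pos + stripe]
    return bytes(out)


def split_raid0(volume: bytes, n_members: int, stripe_sectors: int) -> List[bytes]:
    """The controller's view (inverse of reassemble_raid0); used only to build test images."""
    stripe = stripe_sectors * SECTOR
    volume += bytes(-len(volume) % (stripe * n_members))  # pad so members are equal-sized
    members = [bytearray() for _ in range(n_members)]
    for k, pos in enumerate(range(0, len(volume), stripe)):
        members[k % n_members] += volume[pos:pos + stripe]
    return [bytes(m) for m in members]


def make_volume(file_sizes: Sequence[int], seed: int) -> bytes:
    """Constructed toy file system: sector 0 holds a directory of (offset, length, crc32)."""
    rng = random.Random(seed)
    directory = bytearray(SECTOR)
    directory[:8] = MAGIC
    directory[510:512] = b"\x55\xaa"
    struct.pack_into("<I", directory, 8, len(file_sizes))
    body = bytearray()
    for i, n in enumerate(file_sizes):
        payload = bytes(rng.getrandbits(8) for _ in range(n))
        struct.pack_into("<III", directory, 12 + 12 * i, SECTOR + len(body), n, zlib.crc32(payload))
        body += payload
    return bytes(directory) + bytes(body)


def verify_volume(volume: bytes) -> Dict[str, int]:
    """'listing' = the directory parses; 'files_ok' = payloads whose CRC still matches."""
    if volume[:8] != MAGIC or volume[510:512] != b"\x55\xaa":
        return {"listing": False, "files": 0, "files_ok": 0}
    count = struct.unpack_from("<I", volume, 8)[0]
    ok = 0
    for i in range(count):
        off, n, crc = struct.unpack_from("<III", volume, 12 + 12 * i)
        payload = volume[off:off + n]
        ok += len(payload) == n and zlib.crc32(payload) == crc
    return {"listing": True, "files": count, "files_ok": ok}


def find_first_member(members: Sequence[bytes]) -> int:
    """'Worked it out from the hex': the member whose sector 0 carries the boot signature is Disk 1."""
    for i, m in enumerate(members):
        if m[510:512] == b"\x55\xaa":
            return i
    raise ValueError("no member starts with a boot sector")


def demo() -> Dict[str, Dict[str, int]]:
    volume = make_volume([3000, 9000, 1500, 20000, 700], seed=1)
    members = split_raid0(volume, 3, stripe_sectors=16)  # three 'images', 8 KiB stripes
    return {
        "correct": verify_volume(reassemble_raid0(members, 16)),
        "wrong_stripe": verify_volume(reassemble_raid0(members, 32)),
        "wrong_order": verify_volume(reassemble_raid0([members[1], members[0], members[2]], 16)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

The "wrong_stripe" result is the case the post warns about: the directory lives in the first stripe of Disk 1, so it parses whatever stripe size you guess, and only the CRC check on the files themselves reveals that the rest of the volume is interleaved wrongly. That is why you open pictures and documents, not just the tree, before trusting a rebuild.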

And below is a video to demonstrate: 

 


Video 47 - Disk Image Mounting Coming with v18.6

From time to time during my travels the odd person says to me "Ah yes, I know X-Ways is great, but it doesn't do X", and 9 times out of 10 I am able to turn round and tell them "Er, actually, it does. You just don't know how to do it, but don't worry - it's actually really easy" and they walk off with a bee in their ear. But there is that 1 time in 10 when I have to say "You're right - it doesn't do that, yet". And for several years now, disk image mounting has been one of those things.

I suggested it to Stefan a while ago, and I assume many other people have too. FTK Imager has had disk image mounting for years, since v3.0 I think. And Mount Image Pro has been on the go for a decade or more. And then of course Linux has been able to do it since about 1993 (I don't actually know when Linux could mount images but I expect it has been for some time). And so imagine my frustration, as a major XWF campaigner, when I had to walk off after one of these discussions with their bee in my ear, about this point.

Well, like all things in the X-Ways world, it's not that they didn't want to add the functionality originally. It's that they wanted to add it properly, and then with some bells on, and then at the same time as adding about a million other awesome features. So I will forgive them for taking their time.


Not only can you now (as of v18.6, currently at preview level 7) mount physical and logical E01 or DD images and evidence containers, but you can also mount pretty much ANYTHING in the volume snapshot that has child objects as a drive letter too. So you can mount e-mail cabinets like PST files, or even just an individual e-mail that has an attachment. You can mount zip files. It should be noted, though, that many people would expect their Windows system to see the image as a physical disk and to have sector-level access to it, as with other tools. Strictly speaking, X-Ways Forensics provides access to the volume snapshot through a Windows drive letter: it is a file-level view, not a block device. It's an important difference.

And you can mount partitions within virtual disk images like VMware VMDK files or VirtualBox VMs, which will save users of XWF below v18.5 having to export them and then re-add them as an image for processing. (Note that since v18.5 it has been possible to interpret a VMDK image file as a disk within XWF without exporting it: select the VMDK file in the Directory Browser, choose Specialist --> Interpret Image File as Disk, then right-click the resulting tab to add the interpreted image to the case.)

Imagine the scenario of e-mail files and attachments that you want to double-check in another tool or another e-mail client: just mount the cabinet and then browse the content. Or an e-mail that you're not too sure about and want to look at, just that one, natively (bearing in mind that anything opened natively from evidence is untrusted content and belongs in an isolated environment).

Those of you who have ever endured the torment of mounting a server image and multiple PC images and then virtualising them to try and reconstruct the network system of an entire "location" that you possibly visited will also see how this will reduce your pain by a factor of ten. The possibilities are endless. It's like being a skinny kid in a forensic chocolate factory who just wants to get fat on all the forensic goodness.

But wait, it doesn't stop there! Not only can you mount these things, but you can also decide what is shown to the host operating system within that mounted file system. So you can choose whether previously existing (deleted) files, which would not ordinarily be visible, are listed or not, and whether virtual files that exist only in the XWF snapshot, which would also not show up in a traditional image mount, are listed or not. And so on.

So bless them fellas at X-Ways. They took their time, I admit, but it's easy to see now why it has taken them a while. They've really done us all a massive favour here. From what I can see, the best mounting functionality available with anything.


OK, so how to use X-Ways Forensics to do some mounting...

Launch XWF as normal, create a quick case and add an image to it. If it's the first time you have launched XWF 18.6, you need to make sure your system has the 'Visual C++ Redistributable Packages for Visual Studio 2013' installed. Be careful that you do get it from the Microsoft website and that the installer carries Microsoft's digital signature; there are a lot of places hosting it (in some form or another!). After that is installed, XWF will walk you through installation of the supplied Dokan.dll driver (Dokan is an open-source user-mode file system library for Windows). After that, you are good to go.

So then all you need to do is right-click the image and choose 'Mount as Drive Letter' and you'll be greeted by the following dialog box, which allows you to choose the drive letter and then the various options about inclusion or exclusion of virtual files, previously existing items and so on.

X-Ways Forensics v18.6 preview edition showing E01 mounting

The new mounting options dialogue of v18.6
 
A second or two later, your mounted image will appear. 

Mounted E01 Image in Windows Explorer

The same principle applies to files like PST cabinets and zip files. Two points of note, though:

a) the option to mount such objects is not available until the snapshot has been refined (F10) and file types have been verified. This makes sense because the various mounting options are, of course, dependent on XWF knowing what the file is; and

b) the right-click option applies within the directory browser view, because naturally if you right-click a PST cabinet (or anything else) in the Case Data window, XWF thinks you want to view its content recursively.



So bees, be off with you and get out of my ear. Meanwhile, here's a simple video:


