Friday, April 15, 2016
Training Review: X-Ways Forensics
April 15, 2016
Training Review: X-Ways Forensics
I’ve been involved in computer/digital forensics since 2009, starting off my first training with Basic Data Recovery & Acquisition (BDRA) given by the National White Collar Crime Center (NW3C) in Fairmont, WV. Many of you have probably started your forensic training at NW3C or any of the other governmental or non-governmental entities that offer basic training. Starting with BDRA and progressing through my forensic training, I’ve observed one (mostly) universal characteristic about the trainings: No matter the host/vendor, no matter the tool-specific application(s), no matter the level of complexity of the subject matter, it’s very hard to make computer forensics training ultimately compelling and engaging. Maybe it’s because we sit in a chair for 3-7 days and stare at a computer screen all day long. Maybe it’s because there’s some overlap with training we’ve received previously. Maybe it’s just because we don’t want to be there (everyone loves to be “voluntold” to go to training), but the fact remains, it can often be dry and sometimes even boring.
When I left the public sector and launched Pro Digital Forensic Consulting, I did my research about which tools to invest in initially. Without question, there is a different mindset when you’re paying for the tools and licensing yourself as opposed to your department or company paying for them, so I was very discriminating about what I wanted, what I needed, what I thought might best serve my clients in the future. With the ever-growing need for dedicated tools for both computer and mobile forensics, I decided to invest in tools with a dedicated purpose. Having been a previous user of a very popular and widely-used tool, I reached out to them first. Their salesperson was less than knowledgeable and even told me “I don’t do forensics myself, so maybe tech support could answer your question”. This turned me off. And being a self-admitted non-conformist, I decided to go in a different direction for several reasons: 1) from my perspective, the “heavy hitters” in the computer forensic industry were trying to take on too much re: mobile devices, eDiscovery, etc., 2) the same “heavy hitters” were forcing users to use tools that were less than stellar by way of newer versions & updates that were not as effective as previous versions and 3) I kept hearing great things from real-world computer forensic practitioners about the German-based tool, X-Ways Forensics. With all that in mind, I made a leap of faith toward X-Ways as my primary computer analysis tool in 2014 and haven’t looked back.
Training in the Use of X-Ways Forensics
As every experienced examiner knows, computer forensic tools all try to do the same things, but some have strengths over others. They also have their own terminology which is sometimes tool-specific. Having only used X-Ways Forensics (XWF) very seldom during my time in law enforcement, I opted to partake in an online course of study that was created by Brett Shavers. The course was good because it gave a very basic overview of how to set up XWF and use XWF to work cases effectively. Brett and former FBI Special Agent Eric Zimmerman also wrote a book that I would recommend to all users of XWF because it’s great for a quick-reference to intermediate guide. The book is entitled X-Ways Forensics Practitioner’s Guide. It got me to a functional level, but I knew I needed more.
Unfortunately, I also knew that XWF doesn’t offer open training in the US quite as often as some of the “heavy hitters”, nor are the locations always convenient. For instance, there are only four open classes scheduled so far in 2016 in the US. However, because I’m an XWF customer and user, I received an email late in 2015 about the 2016 training dates and, lo & behold, one was offered in April, 2016 in Manassas, VA… Very convenient for Pro Digital! The cost of the training was very reasonable ($1,799.00 USD) especially in comparison to other vendor-sponsored training, whether online or classroom-based. The list of what is included in the X-Ways Forensics I course may be found at this link: http://www.x-ways.net/training/index.html
Course Content & Delivery
The XWF basic course is not for beginners in the field of computer forensics. If you have no forensic experience, I highly suggest taking the NW3C courses (BDRA & IDRA) or their equivalent before attending any vendor-specific training. You must have prior knowledge of basic forensic terminology and a basic to intermediate understanding of how files are allocated in different formats, how different operating system versions work, how file carving works, disk partitioning and a number of other concepts that are considered basic computer forensic knowledge. Simply put, if you don’t have this knowledge, you will be lost and you won’t get anything out of the training. I would also suggest that it may be beneficial to have some knowledge of how forensic tools work generally. You don’t need to purchase one of the expensive tools to do this. Consider downloading Autopsy from SleuthKit and some training disk images and experiment with it. Naturally, I’d suspect most of you reading this are very familiar with tools such as EnCase, FTK, Nuix, IEF etc.
Our instructor for the week was Fotis Mouratidis. As mentioned previously, XWF is a German-based company and, as such, their instructors are European. If you’re in the US and weary about language problems, don’t. Fotis was very fluent in English, as well as 3 other languages. He was also very knowledgeable about the tool itself. While that should be a “no-brainer” for a vendor-instructor, it’s not always a given that they know (almost) everything they need to know about the tool. Fotis walked us through such tool-specific topics as initial set-up of the tool, the multitude of case and user-specific options that XWF provides, the benefits of XWF over other tools (like disk imaging speed and compression rate) and how to use XWF in a very efficient manner.
X-Ways Forensics training is somewhat no-frills, but I don’t need frills. I need good information that I can use to work cases better, and I got that. You’ll need to bring your own laptop. Fotis didn’t come with Pelican cases full of freshly-imaged computers for us to work on, but he didn’t have to and honestly, I appreciate the ability to use the tool on my equipment to see how well they work together. X-Ways provides a number of training disk images on which to practice and complete practical exercises as well as training licenses for the duration of the class. The handout materials follow the PowerPoint presentation, but in keeping with good presentation practice, they only have a snippet of information so you are forced to concentrate on the instructor’s presentation where the real knowledge base resides. I highly recommend bringing a notebook and taking frequent notes on items that may be of particular interest to you. Throughout the 4-day course, I took a dozen pages worth of notes… and I still feel like that wasn’t enough.
One definite observation that I noted several times is that the instructions and the tool itself are very precise and specific. Remember, XWF is a German-based company. Throughout history, Germans have always been thorough and precise in their engineering of anything of quality, so it helps to keep that in mind during the training, practical exercises and when using XWF. The tool will do exactly what you tell it to do. Fotis reminded us of this several times with regard to the tool-specific X-Pert Certification test and process that is available through X-Ways Forensics.
Brief Notes About the Tool
Of particular note about XWF are a few points: First is the filtering features in XWF. There are a multitude of filtering options in XWF that can help narrow the focus of your investigation. Not only can you filter by file type, size, dates, etc., but you can filter by metadata information, child objects, file attributes and a number of other categories. What is even better is that XWF does a good job at telling you those filters are in place. In using other tools, I’ve often fallen into the trap of trying to search for evidence while a filter is on, only to waste time (and frustration) because the tool didn’t have enough “idiot icons” telling me there was a filter in place. XWF tells you in at least 3 different places that there is one or more filter activated. It’s a small, but nice feature and it can save aggravation and wasted time.
XWF is also very easy to install, customizable and portable. Once set up, the tool stores all of your options in a configuration file that can be easily copied and transferred upon installation of a new version (versions are updated every 3-4 months). If you have a particular type of file header that isn’t included in the search list, all you need to do is add it and save and it can be searched for from that point forward. One of the big reasons I invested in XWF is because it is lightweight and portable. By that, I mean that it is not a resource hog like some of the other tools. There is no external database that needs to be run on a separate disk for optimization. XWF doesn’t eat up a ton of resources on your machine to simply examine the evidence. It can be run from a thumb-drive if necessary, which can also make it an ideal tool for live response and/or advanced triage on-scene. The GUI can be intimidating to some who prefer lots of fancy icons and colors, but it too can be customized to highlight certain types of files that may be of interest in your case. It’s not going to dazzle you if you like the shiny, pretty things, but at the end of the day when you need to get the job done, XWF does it very, very well. As with all other tools, the more robust hardware you incorporate, the faster XWF will work. This is particularly true if you’re trying to work and process more than one case at a time, which XWF allows for as a user option.
If you are used to features like the picture gallery, file preview, timeline (calendar) and details/metadata, XWF also incorporates those and they don’t take forever to load or view. If you are investigating a potential security breach and your investigation has narrowed to a particular day (or set of days), then a simple click on that time frame highlights the activity for the period(s) in which you are interested. For all of the tool-specific symbols and icons, XWF offers a full-time “legend” button, just in case you get mixed up between using three different tools and need a refresher as to what the XWF icons mean. It’s a nice, functional feature.
Having attended a multitude of different training offerings including instructor-led, online and webinar-based, I would rank the XWF training among the best. Fotis kept the class moving along and knew how to demonstrate everything we covered effectively and simply and because of how it was presented, we had to pay attention to learn what he was presenting. He was patient and easy-going and, as his car-pool partner for most of the training, I can say he’s a genuinely nice person. But the true measure of the quality of training is 1) how much you get out of it and 2) does the instructor compliment the subject matter and vice-versa? As one who has used XWF for a couple of years, I learned how to do things better, faster and more efficiently. I also learned many new features I didn’t know were part of the tool. As for the instructor-tool synergy, they complimented each other very well. The instructor was able to flow with the tool demonstration and instruction and the tool flowed right along with him.
Most of the time, I come away from a week-long computer forensic training drained, knowing that it was necessary, but not looking forward to the next one. This time, when the training was over, I found myself almost immediately researching when and where the XWF Advanced course was offered and how to make it work with my budget and schedule. Sadly, it appears there may not be an open advanced course scheduled in the first part of 2016, but I’ll be keeping my eye on the 2nd half of the year and beyond to see when I can take advantage of this great training again. If you’re impressed with the simple elegance of how your computer forensic tool functions and can help you work cases better, I highly recommend signing up for the next X-Ways Forensics training in your area!
**NOTE**: Special thanks to the Virginia Department of Forensic Science for hosting this valuable training and making it available to the wider digital forensic community!
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
We Find the Truth for a Living!