April 15, 2016
Training Review: X-Ways Forensics
I’ve been involved in computer/digital forensics since 2009, starting off with my first training, Basic Data Recovery & Acquisition (BDRA), given by the National White Collar Crime Center (NW3C) in Fairmont, WV. Many of you have probably started your forensic training at NW3C or at one of the other governmental or non-governmental entities that offer basic training. Starting with BDRA and progressing through my forensic training, I’ve observed one (mostly) universal characteristic of the training: no matter the host/vendor, no matter the tool-specific application(s), no matter the complexity of the subject matter, it’s very hard to make computer forensics training truly compelling and engaging. Maybe it’s because we sit in a chair for 3-7 days and stare at a computer screen all day long. Maybe it’s because there’s some overlap with training we’ve received previously. Maybe it’s just because we don’t want to be there (everyone loves to be “voluntold” to go to training), but the fact remains: it can often be dry and sometimes even boring.
When I left the public sector and launched Pro Digital Forensic Consulting, I did my research about which tools to invest in initially. Without question, there is a different mindset when you’re paying for the tools and licensing yourself as opposed to your department or company paying for them, so I was very discriminating about what I wanted, what I needed and what I thought might best serve my clients in the future. With the ever-growing need for dedicated tools for both computer and mobile forensics, I decided to invest in tools with a dedicated purpose. Having been a previous user of a very popular and widely-used tool, I reached out to that vendor first. Their salesperson was less than knowledgeable and even told me, “I don’t do forensics myself, so maybe tech support could answer your question”. This turned me off. And being a self-admitted non-conformist, I decided to go in a different direction for several reasons: 1) from my perspective, the “heavy hitters” in the computer forensic industry were trying to take on too much re: mobile devices, eDiscovery, etc.; 2) the same “heavy hitters” were forcing users onto newer versions and updates that were less effective than previous versions; and 3) I kept hearing great things from real-world computer forensic practitioners about the German-based tool X-Ways Forensics. With all that in mind, I made a leap of faith toward X-Ways as my primary computer analysis tool in 2014 and haven’t looked back.
Training in the Use of X-Ways Forensics
As every experienced examiner knows, computer forensic tools all try to do the same things, but some have strengths over others. They also have their own terminology, which is sometimes tool-specific. Having used X-Ways Forensics (XWF) only seldom during my time in law enforcement, I opted to take an online course of study created by Brett Shavers. The course was good because it gave a very basic overview of how to set up XWF and use it to work cases effectively. Brett and former FBI Special Agent Eric Zimmerman also wrote a book that I would recommend to all users of XWF, because it’s great as a quick-reference to intermediate guide. The book is entitled X-Ways Forensics Practitioner’s Guide. It got me to a functional level, but I knew I needed more.
Unfortunately, I also knew that XWF doesn’t offer open training in the US quite as often as some of the “heavy hitters”, nor are the locations always convenient. For instance, there are only four open classes scheduled so far in 2016 in the US. However, because I’m an XWF customer and user, I received an email late in 2015 about the 2016 training dates and, lo & behold, one was offered in April 2016 in Manassas, VA… Very convenient for Pro Digital! The cost of the training was very reasonable ($1,799.00 USD), especially in comparison to other vendor-sponsored training, whether online or classroom-based. The list of what is included in the X-Ways Forensics I course may be found at this link: http://www.x-ways.net/training/index.html
Course Content & Delivery
The XWF basic course is not for beginners in the field of computer forensics. If you have no forensic experience, I highly suggest taking the NW3C courses (BDRA & IDRA) or their equivalent before attending any vendor-specific training. You must have prior knowledge of basic forensic terminology and a basic to intermediate understanding of how files are allocated in different file system formats, how different operating system versions work, how file carving works, disk partitioning and a number of other concepts that are considered basic computer forensic knowledge. Simply put, if you don’t have this knowledge, you will be lost and you won’t get anything out of the training. I would also suggest that it may be beneficial to have some knowledge of how forensic tools work generally. You don’t need to purchase one of the expensive tools to do this. Consider downloading Autopsy (the free, open-source front end to The Sleuth Kit) and some training disk images and experimenting with it. Naturally, I’d suspect most of you reading this are very familiar with tools such as EnCase, FTK, Nuix, IEF, etc.
Our instructor for the week was Fotis Mouratidis. As mentioned previously, XWF is a German-based company and, as such, their instructors are European. If you’re in the US and wary about language problems, don’t be. Fotis was very fluent in English, as well as three other languages. He was also very knowledgeable about the tool itself. While that should be a “no-brainer” for a vendor instructor, it’s not always a given that they know (almost) everything they need to know about the tool. Fotis walked us through such tool-specific topics as initial set-up of the tool, the multitude of case and user-specific options that XWF provides, the benefits of XWF over other tools (like disk imaging speed and compression rate) and how to use XWF in a very efficient manner.
X-Ways Forensics training is somewhat no-frills, but I don’t need frills. I need good information that I can use to work cases better, and I got that. You’ll need to bring your own laptop. Fotis didn’t come with Pelican cases full of freshly-imaged computers for us to work on, but he didn’t have to and, honestly, I appreciate the ability to use the tool on my own equipment to see how well they work together. X-Ways provides a number of training disk images on which to practice and complete practical exercises, as well as training licenses for the duration of the class. The handout materials follow the PowerPoint presentation, but in keeping with good presentation practice, they contain only a snippet of the information, so you are forced to concentrate on the instructor’s presentation, where the real knowledge base resides. I highly recommend bringing a notebook and taking frequent notes on items that may be of particular interest to you. Throughout the 4-day course, I took a dozen pages’ worth of notes… and I still feel like that wasn’t enough.
One definite observation that I noted several times is that the instructions and the tool itself are very precise and specific. Remember, XWF is a German-based company. Throughout history, Germans have always been thorough and precise in their engineering of anything of quality, so it helps to keep that in mind during the training, the practical exercises and when using XWF. The tool will do exactly what you tell it to do. Fotis reminded us of this several times with regard to the tool-specific X-Pert Certification test and process that is available through X-Ways Forensics.
Brief Notes About the Tool
Of particular note about XWF are a few points. First are the filtering features in XWF. There is a multitude of filtering options in XWF that can help narrow the focus of your investigation. Not only can you filter by file type, size, dates, etc., but you can filter by metadata, child objects, file attributes and a number of other categories. What is even better is that XWF does a good job of telling you those filters are in place. In using other tools, I’ve often fallen into the trap of trying to search for evidence while a filter is on, only to waste time (and suffer frustration) because the tool didn’t have enough “idiot icons” telling me there was a filter in place. XWF tells you in at least three different places that one or more filters are active. It’s a small but nice feature, and it can save aggravation and wasted time.
XWF is also very easy to install, customizable and portable. Once set up, the tool stores all of your options in a configuration file that can be easily copied and transferred upon installation of a new version (versions are updated every 3-4 months). If you have a particular type of file header that isn’t included in the search list, all you need to do is add it and save, and it can be searched for from that point forward. One of the big reasons I invested in XWF is that it is lightweight and portable. By that, I mean that it is not a resource hog like some of the other tools. There is no external database that needs to be run on a separate disk for optimization. XWF doesn’t eat up a ton of resources on your machine simply to examine the evidence. It can be run from a thumb drive if necessary, which can also make it an ideal tool for live response and/or advanced triage on-scene. The GUI can be intimidating to some who prefer lots of fancy icons and colors, but it too can be customized to highlight certain types of files that may be of interest in your case. It’s not going to dazzle you if you like the shiny, pretty things, but at the end of the day, when you need to get the job done, XWF does it very, very well. As with all other tools, the more robust the hardware you incorporate, the faster XWF will work. This is particularly true if you’re trying to work and process more than one case at a time, which XWF allows as a user option.
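The custom header entry described above rides on the same mechanism as signature-based file carving: the tool scans the raw image for a byte pattern and, on a hit, decides where the object ends. The following is an added illustration (an editor’s example, not X-Ways code and not from the post’s author): a small byte-level header search in Python with an examiner-extendable signature table. The JPEG and PNG signatures are the real magic bytes; the “acme” type, its fixed 32-byte record and the sample image are constructed for the example, and the 512-byte sector size is an assumption. It also shows the one configuration choice a header search always forces: searching at every byte offset finds objects in slack space and inside other files, while a sector-aligned search is faster but misses them.

```python
"""Signature-based file header search over a raw image.

Added illustration, not X-Ways code: a byte-level header scan with an
examiner-extendable signature table, the kind of search a custom header
entry feeds. The sample image and the "acme" type are constructed here.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

SECTOR = 512  # assumed sector size for the alignment option


@dataclass(frozen=True)
class Signature:
    name: str
    header: bytes
    footer: Optional[bytes] = None   # None: carve max_size bytes or up to the next hit
    max_size: int = 64 * 1024        # upper bound on the carved object
    sector_aligned: bool = False     # True: only accept headers on a sector boundary


# Two well-known types; an examiner adds further entries with add_signature().
DEFAULT_SIGNATURES: List[Signature] = [
    Signature("jpeg", b"\xff\xd8\xff", footer=b"\xff\xd9"),
    Signature("png", b"\x89PNG\r\n\x1a\n", footer=b"IEND\xae\x42\x60\x82"),
]

# Hypothetical proprietary format: fixed 32-byte record, no footer (constructed).
ACME_SIGNATURE = Signature("acme", b"ACME\x01", max_size=32)


def add_signature(table: List[Signature], sig: Signature) -> List[Signature]:
    """Return a new table with sig appended; names must stay unique."""
    if any(s.name == sig.name for s in table):
        raise ValueError(f"signature {sig.name!r} already defined")
    return table + [sig]


def with_sector_alignment(table: List[Signature]) -> List[Signature]:
    """Copy of the table that only accepts sector-aligned headers (faster,
    but misses objects embedded in other files or lying in slack space)."""
    return [replace(s, sector_aligned=True) for s in table]


def find_headers(image: bytes, table: List[Signature]) -> List[Tuple[int, Signature]]:
    """Every header occurrence that passes the alignment rule, sorted by offset."""
    hits = []
    for sig in table:
        start = 0
        while (off := image.find(sig.header, start)) >= 0:
            if not sig.sector_aligned or off % SECTOR == 0:
                hits.append((off, sig))
            start = off + 1
    hits.sort(key=lambda h: h[0])
    return hits


def carve(image: bytes, table: List[Signature]) -> List[Tuple[str, int, bytes]]:
    """Carve (name, offset, data) per header. Footer-bounded types end at their
    footer, footer-less types at max_size or the next header. A header inside an
    object already carved is skipped (e.g. a thumbnail inside a JPEG); a real
    tool exposes that as an option, here it is a fixed policy."""
    hits = find_headers(image, table)
    carved = []
    cursor = 0
    for i, (off, sig) in enumerate(hits):
        if off < cursor:
            continue
        limit = min(len(image), off + sig.max_size)
        if sig.footer is not None:
            end = image.find(sig.footer, off + len(sig.header), limit)
            if end < 0:
                continue  # no footer within max_size: treat as a false positive
            end += len(sig.footer)
        else:
            end = limit if i + 1 == len(hits) else min(limit, hits[i + 1][0])
        carved.append((sig.name, off, image[off:end]))
        cursor = end
    return carved


def build_sample_image() -> bytes:
    """Constructed 4 KiB image: aligned JPEG and PNG, an unaligned acme record,
    and a second JPEG at an unaligned offset (as if left behind in slack space)."""
    img = bytearray(8 * SECTOR)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"   # 53 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"\x22" * 30 + b"IEND\xae\x42\x60\x82"      # 46 bytes
    acme = b"ACME\x01" + b"\x33" * 27                                         # 32 bytes
    for off, blob in ((1 * SECTOR, jpeg), (3 * SECTOR, png), (2500, acme), (3200, jpeg)):
        img[off:off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    table = add_signature(DEFAULT_SIGNATURES, ACME_SIGNATURE)
    for name, off, data in carve(build_sample_image(), table):
        print(f"{name:5s} @ {off:5d}  {len(data):3d} bytes")
```

Running the block prints one line per carved object; switching the table through `with_sector_alignment()` drops the two unaligned hits. A production carver additionally validates the object’s internal structure (for instance, walking the JPEG segment chain) before trusting a hit, since three header bytes alone produce false positives on a large image, and that validation is exactly what a too-short custom header entry lacks.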
If you are used to features like the picture gallery, file preview, timeline (calendar) and details/metadata views, XWF also incorporates those, and they don’t take forever to load or view. If you are investigating a potential security breach and your investigation has narrowed to a particular day (or set of days), then a simple click on that time frame highlights the activity for the period(s) in which you are interested. For all of the tool-specific symbols and icons, XWF offers a full-time “legend” button, just in case you get mixed up between using three different tools and need a refresher as to what the XWF icons mean. It’s a nice, functional feature.
Conclusions
Having attended a multitude of different training offerings, including instructor-led, online and webinar-based, I would rank the XWF training among the best. Fotis kept the class moving along and knew how to demonstrate everything we covered effectively and simply, and because of how it was presented, we had to pay attention to learn what he was presenting. He was patient and easy-going and, as his car-pool partner for most of the training, I can say he’s a genuinely nice person. But the true measure of the quality of training is 1) how much you get out of it and 2) does the instructor complement the subject matter and vice-versa? As one who has used XWF for a couple of years, I learned how to do things better, faster and more efficiently. I also learned many new features I didn’t know were part of the tool. As for the instructor-tool synergy, they complemented each other very well. The instructor was able to flow with the tool demonstration and instruction, and the tool flowed right along with him.
Most of the time, I come away from a week-long computer forensic training drained, knowing that it was necessary but not looking forward to the next one. This time, when the training was over, I found myself almost immediately researching when and where the XWF Advanced course was offered and how to make it work with my budget and schedule. Sadly, it appears there may not be an open advanced course scheduled in the first part of 2016, but I’ll be keeping my eye on the second half of the year and beyond to see when I can take advantage of this great training again. If you’re impressed with the simple elegance of how your computer forensic tool functions and can help you work cases better, I highly recommend signing up for the next X-Ways Forensics training in your area!
**NOTE**: Special thanks to the Virginia Department of Forensic Science for hosting this valuable training and making it available to the wider digital forensic community!
Author: Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea-bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.