Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
X-Ways Forensics Training, London, 30 March-3 April 2009

reviewed by Jonathan Krause of Forensic Control


As a contractor who has to fund his own training (and also loses out on income for the duration of a course) I need to pick my courses carefully. Having heard many positive stories about X-Ways Forensics I had little hesitation in signing up for the five day course which recently ran in London. Monday through to Wednesday covered the application while Thursday and Friday offered an in-depth look at various file systems. To whet your appetite, the full course content can be viewed on the X-Ways’ web page.

The week’s training was delivered by the creator of X-Ways Forensics, Stefan Fleischmann, so understandably his knowledge of the application is unsurpassed. I’ve been on quite a few forensics courses over the past five years and have met and worked with many key players and Stefan’s understanding of file systems and their interaction with operating system artefacts is second to none. He lives and breathes his subject!

To set some perspective, this is not a review of the X-Ways Forensics application, but rather of the training course itself. However, for the uninitiated, X-Ways Forensics is very impressive indeed and I felt that, as someone who has not previously used the tool, the course only touched on its potential. Compared to its competitors, the program is tiny, its resource requirements small and its system requirements happily far behind that demanded of a product like FTK 2. It’s also very good value for money. It carves, mounts compound and archive files, indexes, searches, offers skin content detection and does a whole lot more with the greatest of efficiency. The USB license dongle doesn’t even need any drivers, Windows recognises it right off the bat - a relief I’m sure to those who’ve wasted hours with the dongle license requirements of other products. The only area which was less than very impressive was internet history analysis. An add-on tool called X-Ways Trace is required for this but without it the base product lacks the built-in ease of EnCase 6.13 or the breadth of functionality of my preferred internet history analysis tool, NetAnalysis.

The usual course introductions were skipped on Monday morning, so after the dongles were handed out we dived straight into the meat of the course. I always find the few words of introduction from each course candidate useful and interesting, so it was a shame this didn’t happen. We also missed out on where the toilets were, fire exits, when breaks were scheduled for and a policy on mobile phone usage, so rather annoyingly people were receiving occasional calls and text messages throughout the week. The physical location of the course was excellent, right next to Euston station in central London, and the room itself (within premises run by Learning Tree International) was good. An area which I thought could be improved upon regarding the room would be for two displays for each student, one for their PC and one showing the contents of the instructor’s display.

Stefan’s English skills are better than many native speakers but I would say that he does speak rather quickly! He knows this and I guess he had a lot to fit in but even so, clarity of delivery is an important aspect in getting a point across. The course delivery was quite standard; Stefan going through installation of the application, coverage of its features followed by exercises. Stefan patiently answered any questions and was more than happy to spend time with students if they had a problem and to answer queries during breaks and lunch time. The application is quite complex and is perhaps not as intuitive as it could be, so I believe that more class exercises would have been beneficial. More class exercises would also help with learning the myriad of ways to access certain commands, which while there, for ease of use need to be learnt in the first place; repetition is often the best teacher!

Handouts were given out at the start of the course which mirrored the presentation screens shown on the overhead projector. As someone who bought X-Ways Forensics at the same time as paying for the course I was a little disappointed that there was no product manual handed out; a PDF version is available to download which while always a good complement to a printed manual is not enough on its own. I’m much more likely to read through a printed manual from start to finish than to sit in front of a PDF for a couple of hours.

The pitch of the course is certainly not aimed at beginners in this field or even those with less than 18 months – 2 years’ experience. If you’re comfortable with a course such as EnCase’s Advanced Forensics then this course is at a similar level. I’d recommend that if you were to do the course to try and set some time aside either in the evenings or the following week to sit down with the application and re-visit as many topics covered in the class as possible. This is true of most courses, but especially of an advanced course such as this.

The last two days of the course covering file systems are optional, but the majority of people who began the course stayed for this part. It covered in detail the MFT, FAT and Ext systems. Such knowledge is necessary to understand how forensic software recovers and presents data and is helpful in manual data recovery. I had covered these areas previously but decided to revisit them in order to see how X-Ways Forensics and WinHex dealt with it. My impression of the last two days was that as important as this information is, it’s not required by the majority of forensics examiners on a regular basis. I would have preferred if the week was re-ordered to give a slightly less rushed feel to the first 3 days with the addition of more exercises which could be designed to cumulatively build the student’s familiarity and knowledge of the application. I’m not sure Stefan would be able to tell whether my assessment of the course is shared with others as no feedback forms were given out at the end, although students were encouraged to email him with any questions. I’d also point out that the X-Ways support forum is an excellent resource and Stefan does respond quickly to queries raised.

Overall, I enjoyed my five days of looking at this very impressive forensic application and am more than happy to make it a central part of my forensic tool kit. Although I think some aspects of the course delivery could be improved, it was a pleasure to be in the company of Mr Fleischmann for the week.

Jonathan Krause, Forensic Control


--

Forensic Control is based in central London and offers a divergent background in Government IT security, the Metropolitan Police's Hi-Tech Crime Unit and experience at various corporate forensic providers.


All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2011 Forensic Focus

