XWays Forensics

(@moodhairboy)
Posts: 19
Active Member
Topic starter
 

Has anyone ever had a problem with evidence they collected with X-Ways Forensics being questioned in court? I guess the question really is: was the tool questioned? I get the impression that a lot of US law enforcement agencies use EnCase or FTK for their analysis tools. I could be wrong, and if I am, please correct me. I'm interested in what is the most prevalent tool.

 
Posted : 06/08/2010 9:47 pm
(@armresl)
Posts: 1011
Noble Member
 

Search would have been good for this topic; it is for sure in the top 3 questions asked.

You can use whatever tool you would like to use. It's what YOU do, the steps you take, the results you get which define why you are in court.

IMHO I think that the person gets questioned more than the tool, this wasn't the case 10-15 years ago, but pretty much is now.

I'm guessing that you are new to the field and haven't testified yet in court.

The majority of cases where ESI comes into play use EnCase or FTK, but there are also a plethora of tools out there, including X-Ways, which no one has any reason to believe aren't as good as either of the two previously mentioned tools.

Some people use *nix tools, some people use Windows tools, others have scripting knowledge and create their own scripts to extract information. If you can do that and explain yourself, then there are no issues.

If you end up thinking that you will use a tool because someone else used it and was successful, and that through it you will be successful, then you would be mistaken. An intimate knowledge of a tool (and even training on a specific tool) goes a long way toward showing a judge, jury, or peers that you have the required knowledge.

Many times two sides will use the same tools, and while the data will be the same, the interpretation of the data will be totally different, hence the 2 experts arguing back and forth about placement of files, causes for times, etc.

 
Posted : 06/08/2010 11:44 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

I've used XWF in nearly every case I've done to either supplement or validate work done with FTK, EnCase, or other tools. I have also used XWF extensively as the primary forensic tool in civil and criminal cases, in both the public and private sector. This includes everything from imaging with XWF through testifying in court.

I have never had an issue in any case about XWF, and I believe that if any issues were brought up, side by side, XWF would give either the same information as other tools or even a little bit more.

The 'most prevalent tool' can be different for the type of analysis you are doing. Some forensic suites don't look at internet history as well as a specific internet history tool will. In that case, the 'internet history tool' is probably the more prevalently used tool for internet history. Same with registry analysis... same with email analysis... same with...

 
Posted : 06/08/2010 11:54 pm
(@afpffi)
Posts: 5
Active Member
 

Hi moodhairboy, nice to see another Florida examiner here.
I have been using XWF for about a year now and also use it to validate work done with FTK and EnCase. For the price, it is a nice alternative. Just an FYI, I recently worked on a defense case and was surprised to discover that Homeland Security conducted their examination with XWF. I find XWF being adopted by LEO more and more.

 
Posted : 07/08/2010 5:00 am
(@moodhairboy)
Posts: 19
Active Member
Topic starter
 

Search would have been good for this topic; it is for sure in the top 3 questions asked.

You are correct. It wasn't 10 minutes later that I found a thread from a newbie about different Linux distros, and a lot of my questions were answered in one way or another. I like X-Ways a lot, but I find that I seem to be the only one using it other than one other guy here in Orlando.

Hopefully no harm done with my question.

 
Posted : 07/08/2010 7:31 am
(@moodhairboy)
Posts: 19
Active Member
Topic starter
 

I've used XWF in nearly every case I've done to either supplement or validate work done with FTK, EnCase, or other tools. I have also used XWF extensively as the primary forensic tool in civil and criminal cases, in both the public and private sector. This includes everything from imaging with XWF through testifying in court.

You wouldn't be the guy that produced the white paper on how to use X-Ways, would you? If so, thanks a lot, it was very helpful. I'm currently trying out different Linux distros:

1. Deft 5.1
2. Caine 1.5
3. Sans WS
4. Helix 3 Pro (Yeah, I was an idiot and got a 1-year subscription)

and a few others that I can't remember. I do not have access to EnCase or FTK, so my experience is only with X-Ways, and I have found it appropriate so far. I have numerous specific tools that I use for password recovery locally and across the network and was wondering what other tools folks use in their toolbox. Private emails to barryinorlando at gmail.com are fine if folks don't want to clutter up this thread. Otherwise, happy to learn.

Barry

Black Zebra Technologies
http://www.blackzebrainc.com

 
Posted : 07/08/2010 7:37 am
(@moodhairboy)
Posts: 19
Active Member
Topic starter
 

Hi moodhairboy, nice to see another Florida examiner here.
I have been using XWF for about a year now and also use it to validate work done with FTK and EnCase. For the price, it is a nice alternative. Just an FYI, I recently worked on a defense case and was surprised to discover that Homeland Security conducted their examination with XWF. I find XWF being adopted by LEO more and more.

Nice to see another Floridian as well. Where are you located? I've been working on one IRS / DOJ case for 3 years, with both criminal convictions and civil actions in play at the same time. Some days are dull; others are not so much.

Barry

 
Posted : 07/08/2010 7:39 am
(@jonathan)
Posts: 878
Prominent Member
 

I know a fair few people use X-Ways Forensics to verify the analysis they've carried out using other tools, but shouldn't it be the other way around? X-Ways Forensics has become my main tool; in my experience it's more stable, has more features and it extracts more data.

 
Posted : 07/08/2010 1:51 pm
(@rampage)
Posts: 354
Reputable Member
 

I know a fair few people use X-Ways Forensics to verify the analysis they've carried out using other tools, but shouldn't it be the other way around? X-Ways Forensics has become my main tool; in my experience it's more stable, has more features and it extracts more data.

And it's less expensive!
It's an important thing for people who are starting up their lab and don't have much money to invest.

 
Posted : 07/08/2010 5:32 pm
(@moodhairboy)
Posts: 19
Active Member
Topic starter
 

Rampage,

The price can't be beat compared to other for-pay tools. I've always wondered whether the forensic Linux distros could offer the same value for free. One of these days I might figure it out. I've found that for drives FTK can't image, X-Ways becomes my 2nd choice and usually can. Occasionally that doesn't work, and then I have another issue like a mechanical failure. Currently dealing with this issue with a batch of 400 seized drives.

 
Posted : 07/08/2010 8:35 pm