The X-Ways Forensics Practitioner's Guide

43 Posts
16 Users
0 Likes
3,447 Views
bshavers
(@bshavers)
Posts: 210
Estimable Member
Topic starter
 

Is there something you'd like to see documented in an X-Ways Forensics user book? If so, this is a good time to give suggestions.

Eric Zimmerman and I are writing a book for Syngress titled, "The X-Ways Forensics Practitioner's Guide". The book's tech editor is Jimmy Weg and X-Ways Software Technology AG (Stefan Fleischmann) will be making sure the book contains up to date information.

Eric, Jimmy, and I probably know XWF pretty well, but are open to suggestions from anyone that would like to see more in documentation. Even anyone that has not yet made the leap to XWF, this book should help ease the transition to XWF as your primary or secondary tool and we welcome your suggestions too.

Why are we writing a book on X-Ways Forensics?

Mostly because we think it is needed to help the current users of XWF fully exploit the tool and, for those that have waited, to stop waiting and start using it.

What will the book be about?

It won't be about how to do forensics or how to do electronic discovery or what is evidence. The book is intended to be focused on how to use X-Ways Forensics, in that if you have a forensic task to accomplish, we'll show you how to do it with XWF. There will be many moments of the book when you will say, "I didn't know XWF could do that" and "so that's how XWF works". We're going to show the magic buttons, case flow suggestions, and inner workings of XWF.

Who is the audience?
You. If you use XWF, you'll really like the book. If you ever thought of using XWF but have been hesitating because of the perception of a high learning curve, this book will be for you. Do you teach forensics with XWF? Then you'll like this book as it will help you to help teach students when using XWF.

We will be done writing in September 2013, with printing starting soon after. Give us your suggestions to make this book fit you.

Brett Shavers

 
Posted : 13/01/2013 12:02 am
CdtDelta
(@cdtdelta)
Posts: 134
Estimable Member
 

Brett,
This is great! Please let us know when we can pre-order the book.

In terms of what to include, I think the summary you gave is what I would be looking for. Something along the lines of what the X-Ways Video Clips has done. Maybe include a section(s) on the programming API piece and how to interact with it in other languages? Or how to do some manual file carving with the product? And by that I mean taking advantage of the Hex view (or even WinHex).

The X-Ways manual is good, but I think gets too technical for some people looking to make the jump to the product. I know I've read the manual through a few times and there's probably parts of the software I'm still not aware of.

Just my two cents….

 
Posted : 13/01/2013 2:44 am
bshavers
(@bshavers)
Posts: 210
Estimable Member
Topic starter
 

Thanks. Pre-ordering will be few months before the book is printed and I'll post it when I get the notice of the pre-order release.

There will be some data carving in the book and every tip and trick known in XWF to make it run like a 427 '67 Cobra at full throttle on a sunny day.

 
Posted : 13/01/2013 10:13 am
(@trewmte)
Posts: 1877
Noble Member
 

Brett, thanks for the notice about your forthcoming new book. Any guidance is always helpful and welcome.

Have you seen Tim Smith's XWF videoclips blog - xwaysclips.blogspot.co.uk?

 
Posted : 13/01/2013 2:00 pm
(@jonathan)
Posts: 878
Prominent Member
 

This is excellent news. Although the manual is very thorough and is often updated, it is rather impenetrable.

In addition to what's already been mentioned, I increasingly find myself using XWF in small-scale e-discovery and e-disclosure cases, quite often in conjunction with Nuix. Perhaps the book could include a chapter on how XWF can be best utilised in this area.

Maybe also something on using XWF in memory analysis and malware analysis?

 
Posted : 13/01/2013 6:48 pm
ballydehob
(@ballydehob)
Posts: 14
Active Member
 

Brett & Team,
Thank you for doing this. It sounds fantastic.
I've been using XWF for 4 years with great success, but feel I am still missing a lot of its capabilities. And who can keep up with Stefan's constant innovations. In 16.9 Beta, he has added/improved its timeline/chronology capabilities. Please include some info on extracting timelines with XWF. Thanks again.

 
Posted : 13/01/2013 7:58 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
Topic starter
 

Ted Smith's videos will certainly be referenced more than once.

A case studies chapter will be included with sub-topics such as "Using XWF to Examine Evidence in an IP Theft Investigation" (user activity related to IP theft such as finding USB connections, etc…); "Using XWF in Child Pornography Investigations", etc… I am open to taking any sanitized (no suspect/victim/case names) examples to include in the book (email me at bshavers@gmail.com).

The inclusion of other utilities (freeware, open source, and commercial) will also be detailed, like how to use XWF with remote tools like F-Response, and using XWF in conjunction with virtual machines as examples. The purpose is to give clean, tested workflow options using XWF and tools supporting XWF.

This is a tentative table of contents.

Introduction –Overview of XWF
Chapter 1
Setting up XWF (installations, options, etc…)

Chapter 2 Case Flow
(working with evidence)

Chapter 3 Case Flow
(snapshots, file header searches, custom carving, etc…)

Chapter 4 Analysis
(OS artifacts, system files, metadata, editing templates, email, etc..)

Chapter 5 Searches
(indexed, GREP, simultaneous, hex values)

Chapter 6 Advanced Features
(maneuvering in hex, free/slack space, RAM/memory analysis, scripts/X-Tensions API, external analysis interface, etc..)

Chapter 7 Reporting
(tagging, adding, commenting, customizing, adding timelines)

Chapter 8
Triage/Preview Methods
(write protecting evidence, live machines, forensic OS boot with WinFE)

Chapter 9
Electronic Discovery and X-Ways Forensics
(bates numbering, searching/producing responsive native files/printed copies, creating and exporting spreadsheet listing of responsive files, etc…)

Chapter 10 Case Studies and Usage
(using XWF with specific case types, such as IP theft, CP investigations, user activity, etc…)

Chapter 11 X-Ways Software Applications Overview
(X-Ways Investigator, Capture, etc…)

 
Posted : 14/01/2013 2:47 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

I know this may sound odd, but a "naming cross reference"… or more like "how to migrate from FTK or EnCase" . . . how do the other two tools' concepts translate to XWF?

 
Posted : 14/01/2013 7:27 am
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

Our goal will be primarily to explain the capabilities of XWF and how to use them vs a cookbook style approach or checklist to do for a certain type of case.

I do see some value in a cross reference between the tools, but that would assume someone has experience on all 3 tools. I know EnCase to a degree but abhor all things FTK, so that leaves a bit of a gap in the table. =)

In my own experience, once i understood how XWF worked, the other tools seemed illogical by comparison.

 
Posted : 16/01/2013 2:58 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

In my own experience, once i understood how XWF worked, the other tools seemed illogical by comparison.

. . . and this is where the comparison would be blessings to current practitioners.

A simple paragraph at end of each XWF methodology saying "in EnCase you do this, in FTK you do this to achieve same or similar".

Your target market would also exponentially increase, as all the naysayers, fanatics and vacillators would review your writings. mrgreen Just sayin'

 
Posted : 16/01/2013 10:40 pm