XWays Forensics  

moodhairboy
(@moodhairboy)
New Member

Has anyone ever had a problem with evidence they collected with X-Ways Forensics being questioned in court? I guess the question really is, was the tool questioned? I get the impression that a lot of US law enforcement agencies use EnCase or FTK as their analysis tools. I could be wrong, and if I am, please correct me. I'm interested in what the most prevalent tool is.

Posted : 06/08/2010 10:47 pm
armresl
(@armresl)
Senior Member

Search would have been good for this topic; it is for sure in the top 3 questions asked.

You can use whatever tool you would like to use. It's what YOU do, the steps you take, the results you get which define why you are in court.

IMHO I think that the person gets questioned more than the tool; this wasn't the case 10-15 years ago, but it pretty much is now.

I'm guessing that you are new to the field and haven't testified yet in court.

The majority of cases where ESI comes into play use EnCase or FTK, but there is also a plethora of other tools out there, including X-Ways, which no one has any reason to believe isn't as good as either of the two previously mentioned tools.

Some people use nix tools, some people win tools, others have scripting knowledge and create their own scripts to extract information. If you can do that and explain yourself then there are no issues.

If you end up thinking that you will use a tool because someone else used it and was successful, and that through it you will be successful, then you would be mistaken. An intimate knowledge of a tool (and even training on a specific tool) goes a long way toward showing a judge, jury, or peers that you have the required knowledge.

Many times two sides will use the same tools, and while the data will be the same, the interpretation of the data will be totally different, hence the two experts arguing back and forth about placement of files, causes for times, etc.

Posted : 07/08/2010 12:44 am
bshavers
(@bshavers)
Active Member

I've used XWF in nearly every case I've done to either supplement or validate work done with FTK, EnCase, or other tools. I have also used XWF extensively as the primary forensic tool in civil and criminal cases, in both the public and private sector. This includes everything from imaging with XWF through to testifying in court.

I have never had an issue in any case about XWF, and I believe that if any issues were brought up, side by side, XWF will give either the same information as other tools or even a little bit more.

The 'most prevalent tool' can be different for the type of analysis you are doing. Some forensic suites don't look at internet history as well as a specific internet history tool will. In that case, the 'internet history tool' is probably a more prevalently used tool for internet history. Same with registry analysis…same with email analysis….same with….

Posted : 07/08/2010 12:54 am
afpffi
(@afpffi)
New Member

Hi moodhairboy, nice to see another Florida examiner here.
I have been using XWF for about a year now and also use it to validate work done with FTK and EnCase. For the price, it is a nice alternative. Just an FYI, I recently worked on a defense case and was surprised to discover that Homeland Security conducted their examination with XWF. I find XWF being adopted by LEO more and more.

Posted : 07/08/2010 6:00 am
moodhairboy
(@moodhairboy)
New Member

Search would have been good for this topic; it is for sure in the top 3 questions asked.

You are correct. It wasn't 10 minutes later that I found a thread from a newbie about different Linux distros, and a lot of my questions were answered in one way or another. I like X-Ways a lot; I just find that I seem to be the only one using it other than one other guy here in Orlando.

Hopefully no harm done with my question.

Posted : 07/08/2010 8:31 am
moodhairboy
(@moodhairboy)
New Member

I've used XWF in nearly every case I've done to either supplement or validate work done with FTK, EnCase, or other tools. I have also used XWF extensively as the primary forensic tool in civil and criminal cases, in both the public and private sector. This includes everything from imaging with XWF through to testifying in court.

You wouldn't be the guy that produced the white paper on how to use X-Ways, would you? If so, thanks a lot; it was very helpful. I'm currently trying out different Linux distros:

1. Deft 5.1
2. Caine 1.5
3. Sans WS
4. Helix 3 Pro (Yeah, I was an idiot and got a 1yr subscription)

and a few others that I can't remember. I do not have access to EnCase or FTK, so my experience is only with X-Ways, and I have found it appropriate so far. I have numerous specific tools that I use for password recovery locally and across the network and was wondering what other tools folks use in their toolbox. Private emails to barryinorlando at gmail.com are fine if folks don't want to clutter up this thread. Otherwise, happy to learn.

Barry

Black Zebra Technologies
http://www.blackzebrainc.com

Posted : 07/08/2010 8:37 am
moodhairboy
(@moodhairboy)
New Member

Hi moodhairboy, nice to see another Florida examiner here.
I have been using XWF for about a year now and also use it to validate work done with FTK and EnCase. For the price, it is a nice alternative. Just an FYI, I recently worked on a defense case and was surprised to discover that Homeland Security conducted their examination with XWF. I find XWF being adopted by LEO more and more.

Nice to see another Floridian as well. Where are you located? I've been working on one IRS/DOJ case for 3 years, with both criminal convictions and civil actions in play at the same time. Some days are dull; others, not so much.

Barry

Posted : 07/08/2010 8:39 am
Jonathan
(@jonathan)
Senior Member

I know a fair few people use X-Ways Forensics to verify the analysis they've carried out using other tools, but shouldn't it be the other way around? X-Ways Forensics has become my main tool; in my experience it's more stable, has more features, and extracts more data.

Posted : 07/08/2010 2:51 pm
Rampage
(@rampage)
Active Member

I know a fair few people use X-Ways Forensics to verify the analysis they've carried out using other tools, but shouldn't it be the other way around? X-Ways Forensics has become my main tool; in my experience it's more stable, has more features, and extracts more data.

And it's less expensive :)
It's an important thing for people who are starting up their lab and don't have much money to invest.

Posted : 07/08/2010 6:32 pm
moodhairboy
(@moodhairboy)
New Member

Rampage,

The price can't be beat compared to other for-pay tools. I've always wondered whether the forensic Linux distros could offer the same value for free; one of these days I might figure it out. I've found that for drives FTK can't image, X-Ways becomes my second choice and usually can. Occasionally that doesn't work, and then I have another issue, like a mechanical failure. I'm currently dealing with this issue with a batch of 400 seized drives.

Posted : 07/08/2010 9:35 pm
afpffi
(@afpffi)
New Member

Hey Barry,

I’m in the West Palm Beach Area.

I'm pleased to see we have found alternative software other than the big two (EnCase and FTK). My list of applications is, in no particular order:
• FTK
• EnCase
• XWF Pro
• Helix Pro (and yeah, I paid for the sub too, and it has paid for itself 10 times over)
• PRTK (AccessData)
• EnCase Password Recovery
As a sole practitioner I found it difficult to do without the software law enforcement has been using. I prefer to use the same software they use, as a side-by-side comparison. I will then run the data with alternative software I feel may yield better results. A majority of my case load is defense-oriented, working with defense attorneys or corporate clients, also in a defense capacity.

I hope this helps.

Anthony

Posted : 08/08/2010 7:26 am
MrWh1t3
(@mrwh1t3)
Junior Member

I have the $3,500-$4,000 for EnCase or FTK, but it seems crazy to buy until I get a job, especially when X-Ways is half the price. I guess buying EnCase or FTK software would pay off quicker than one semester of college would. A semester of college is easily $4,000 with books.

Interview-wise, I think one would be better off learning FTK or EnCase, but X-Ways seems like a GREAT tool for the price.

I guess I would ask, "Do I want an interview with another company, or do I want a great tool?" If the tool is all one is after, go for X-Ways. If you're after the interview, go with FTK or EnCase.

Posted : 08/08/2010 9:04 am
PaulSanderson
(@paulsanderson)
Senior Member

Interview-wise, I think one would be better off learning FTK or EnCase, but X-Ways seems like a GREAT tool for the price.

What an odd thing to say. As someone who has been an interviewer in the past, I would not really care whether you had used either of these packages; frankly, you can pick up the basics in a day. I would, however, be very interested in what you know about file system fundamentals, the structure of the registry, metadata in Word files, what sort of information is left behind by P2P applications, how you would go about determining what is left behind for an app you had never seen……

It is not what you use but what you do with it. That you had gone out and spent your own money on EnCase would not impress me one bit.

Posted : 08/08/2010 2:07 pm
Jamie
(@jamie)
Community Legend

In fairness, I don't think it's that odd, and I suspect MrWh1t3 wouldn't disagree with your follow-up comments, Paul. I think he's just saying that if you're trying to get an interview at an EnCase shop and you can show prior experience with that tool, then it's a point in your favour (not a shoo-in).

Jamie

Posted : 08/08/2010 3:37 pm
MrWh1t3
(@mrwh1t3)
Junior Member

In fairness, I don't think it's that odd, and I suspect MrWh1t3 wouldn't disagree with your follow-up comments, Paul. I think he's just saying that if you're trying to get an interview at an EnCase shop and you can show prior experience with that tool, then it's a point in your favour (not a shoo-in).

Jamie

Jamie is right. I agree about those as follow-up questions.

A lot of organizations have keyword searches to screen applicants prior to moving the resume forward to the hiring manager. If they didn't have any of those keywords, they wouldn't make it to the portion of the interview you're talking about.

When I worked for Booz Allen Hamilton we got somewhere around 500-1,000+ resumes for certain positions. There is no logical way to weed those out unless you use keyword searches. We used keywords like "CISSP", "Masters", "Top Secret", "Clearance", "Firewall", "CNA", etc. One can logically assume FTK and EnCase are going to be two keywords.

SO… if you're going to pick between FTK, EnCase and X-Ways "for interview purposes only", go with FTK or EnCase. If you want a solid tool at a great price, go with X-Ways.

Posted : 08/08/2010 4:58 pm