Stefan, can you tell us something about your background? Why did you decide to concentrate on the forensic aspects of WinHex and develop X-Ways Forensics?
Originally I started programming WinHex because I needed a hex editor and disk editor myself and at that time there was none for Windows 3.1. I used it for example to get Windows to read MIDI files that my synthesizer saved on floppy disks. Later I released WinHex as shareware, and people started using it for a variety of purposes (there are countless things you can do with a hex editor in very specific situations). I continued developing WinHex in my spare time while studying information systems. Eventually people in computer forensics used it when their main forensics package would not work, such as for manual data recovery if the file system was too heavily corrupted or because the amount of pictures present on a disk rendered their software too slow, or for specific tasks like extracting slack space, etc.Many users, and in particular the state office of criminal investigation of Rhineland Palatinate (Germany), suggested adding even more features and indicated how useful it could be for forensic computing. That seemed logical and seemed to have potential, and WinHex already sold quite well, so I concentrated on the forensic aspects, quit the job that I got after graduating, hired employees, and finally released X-Ways Forensics.
What does your role as CEO involve? Can you describe a typical day? How involved are you with the current development of X-Ways Forensics?
I am very much involved in current development. As my company is very small, I do a little (or a lot) of everything: programming, planning, supporting, documenting, translating, researching, training, organizing, traveling, presenting, selling, negotiating, purchasing, dealing with finance, banking and red tape!
Is there a typical user of X-Ways Forensics (e.g. law enforcement, corporate, academia, etc.)?
The relative majority of users are in law enforcement.
How does X-Ways Forensics handle evidence and manage an investigator’s casework? What are the main tools or functionality within X-Ways Forensics which are typically of the greatest benefit to an investigator and why?
Our general idea is that we want to enable our customers to easily separate technical work on the one hand and investigative, analytical work on the other hand, as that can greatly accelerate the whole process and improve the quality of the result. The separation can accelerate the process because the workload of the forensic computing specialists is reduced and as a consequence investigators can start their work earlier. It can improve the quality because someone who excels as an investigator may not have the technical skills required to find and retrieve all the data himself/herself, and an expert in forensic computing may not have the skills of someone specialized in accounting, building laws, internal auditing, or whatever.
The software also optimizes the process of evidence analysis in that it facilitates the workflow from forensic computing specialists to investigators through the use of evidence file containers for data exchange and X-Ways Investigator for analysis. Evidence file containers typically contain selected files and most of their file system level metadata along with comments (if already entered by the examiner) for the recipient of the container to see. X-Ways Investigator is a simplified version of X-Ways Forensics. It is technically less intimidating and excludes functionality that investigators should not have to worry or know about, such as disk imaging, recovery of deleted partitions, RAID reconstruction, finding deleted files, exclusion of known good files based on hash values, exclusion of duplicate files, decryption, data conversion etc.
Of course all of this is just an option. It’s still very possible to do all the work with X-Ways Forensics. Usually in both X-Ways Forensics and X-Ways Investigator you work with a case which manages the evidence objects, manages an optional log of the examiner’s/investigator’s activity, and creates reports. The case remembers which files have been viewed already, which files are tagged, remembers the comments entered about files, and remembers which files have been added to what report table, etc. It’s also easy to filter files based on these comments or report table associations, which is useful e.g. if a first review has turned up a thousand documents related to company A and a hundred documents related to company B and you wish to focus on documents that may say something about the relationship between A and B, and of those only documents that are classified as “delivery notes”. All of these functions I think are of great benefit to an investigator. However, I feel the question may have been meant differently. One of the main technical functions within X-Ways Forensics is the ability to refine what we call the volume snapshots, i.e. the internal database of all the files on a volume. Refining the volume snapshot means making it more complete, e.g. by investing more time in the search for deleted files, by extracting e-mail messages and attachments from e-mail archives, by including the contents of compressed archive files, by extracting pictures embedded in other files, by identifying pictures with a lot of skin tones, by identifying encrypted files, etc.
A number of users I’ve spoken to say they’re impressed by the frequent updates to the X- Ways product line because they often bring new functionality and increased performance. How do you evaluate and prioritise the new features added to X-Ways Forensics?
We thankfully receive tons of ideas, wishes, and suggestions from our users, and also have many ideas ourselves. Very small additions and changes might get implemented right away. Other than that, the ideas that I find more realistic and reasonable make it on to my list, which currently comprises 700 items. Many of them I grade off the top of my head in relation to (1) usefulness (expected value of the new feature, useful to how many users, requested by how many users, …) (2) difficulty to implement (uncertain amount of time needed for research, how programmatically challenging, risk of failure, …) (3) effort to implement (estimated time needed, sheer volume of code expected) Items with a good overall score have a good chance of being implemented sooner or later.
A common criticism of GUI-based forensic suites is that examiners, especially those new to the field, may become overly reliant on the software and its feature-set at the expense of a deeper appreciation of what is going on “under the hood.” How valid are these concerns?
Having had contact with users with naturally varying backgrounds and levels of understanding, I personally think that these concerns are valid. I don’t think, however, that they are related to the software being GUI-based. If there was, for instance, an indexing tool that is run from the command line, with command line parameters instead of checkboxes, users would not better understand how indexing works and what the limitations of index searches are. The appreciation of what is going on could rather be improved by better documentation on the part of the software and better background knowledge on the part of the user (e.g. regarding character sets, file formats, computer science in general).
I think that in X-Ways Forensics there may already be a better chance of understanding what is going on under the hood than in other packages because typically we leave users more choices on how to run certain functions so that they see what will affect the outcome and can experiment with different settings. The indexing feature is an example of this. It’s also much easier in X-Ways Forensics than in other packages to navigate to and manually review relevant raw file system data structures and validate what the software outputs automatically.
How does X-Ways Forensics compare with other popular forensic software packages? What are its main advantages?
I think it compares favorably, and not just when taking the price tag into account. Several points I have mentioned already. Many users find it runs faster. X-Ways Forensics has many features and options, big and small, that other packages don’t have, and vice versa.
For instance, X-Ways Forensics may find traces of previously existing files that other packages would miss, for various reasons. Under certain circumstances it will find search hits that other packages will miss. But then of course the others might find something that X-Ways Forensics will miss.
Another advantage is that X-Ways Forensics can extract a lot of internal metadata from various file types, and it can systematically filter by it. If you have thousands of MS Word documents and you are interested in those that were last opened by John Smith, originally created in 2003 or earlier (not the file system level creation date), with “ABC Inc.” in the company field, then that is easy to find out.
Another example: When X-Ways Forensics creates .e01 evidence files, it allows the use of real 256-bit AES encryption (i.e. not mere password protection), adaptive compression, and makes the image remember how long and how often the original hard disk had been powered on, how many internally reallocated sectors it had, what its password protection status was, whether there were any HPAs, what its hardware serial number was, what exact type of optical medium was being imaged, etc.
A brand new feature in X-Ways Forensics greatly facilitates the work of those who need to watch video files and check them for illegal/relevant content (e.g. CP, terrorist training) in that you can extract stills in a user-defined interval, like every 20 seconds. Looking at pictures extracted from all video files in all subdirectories on all image files simultaneously in a gallery (optionally sorted by skin tone percentage) means considerably less stress than having to watch one video after the other, in particular if you must assume that relevant stuff might be hidden at any point in the middle of a holiday or family video. And then it’s only a matter of two mouse clicks to include relevant pictures in a report.
What in other packages may be implemented as a script may be present in X-Ways Forensics as GUI functionality. What in other packages may only work with invisible preset settings, in X-Ways Forensics you may be able to tweak. Where other packages hide more of the technical stuff, some might say X-Ways Forensics hides too little (but then X-Ways Investigator hides a lot).
Which areas do you think could be improved upon to make X-Ways Forensics more competitive?
Live analysis of running systems has become more commonplace over the past few years. How does your own product, X-Ways Capture, meet the special challenges of this type of analysis?
X-Ways Capture covers the live acquisition part only, with some special techniques, for later conventional analysis.
For live analysis, X-Ways Forensics meets special challenges in that the examiner can relatively quickly get an overview of media and files, easily focus on certain files with the various dynamic filters, easily totally exclude files that the examiner is not allowed to see (e.g. because of employment laws, principle of proportionality, unrelated and confidential information), run in-depth keyword searches on selected files, in RAM etc.
What trends do you see in forensic computing and what new challenges do you envisage in the future? How will X-Ways Software Technology AG meet these challenges?
As the trend of ever growing hard disks continues, for practical reasons I think logical acquisitions (copying selected files only as opposed to creating physical, sector-wise images) will become more widespread, depending on the seriousness of the individual situation/accusations. The aforementioned evidence file containers that X-Ways Forensics and X-Ways Investigator use are meant for that, too. Another challenge is the need for more efficiency, which can be achieved with the aforementioned workflow model. Yet another challenge may be to better computerize, equip and train the prosecution, lawyers, and courts, where needed.
What do you do to relax when you’re not working?
Listening to music (instrumental film music, i.e. movie scores), formerly playing and composing music; movies; traveling to tropical beaches if possible, exploring cities with skyscrapers.
Stefan Fleischmann serves as Chief Executive Officer of X-Ways Software Technology AG, a German stock corporation operated from Cologne. Stefan originally started a software development business (sole proprietorship) in 2000 while being a student at the University of Münster. He received the German equivalent of a Master’s degree in Information Systems in 2001. While working for Micronas, a semiconductor company, where one of his tasks was to train employees internationally in SAP software, he started X-Ways corporation in April 2002 and concentrated on the computer forensics aspect of his software WinHex. In 2004, the forensic edition of that software, X-Ways Forensics, was released, and Stefan expanded the business into the computer forensics training field. Stefan personally trains law enforcement officers, federal government personnel, tax fraud investigators and private sector forensic examiners in the USA, Germany, China, Hong Kong, Australia and the UK, and supervises and participates in continued development of the company’s software. With more than 32,000 users worldwide, X-Ways Software Technology considers itself the leading supplier of computer forensics software in Europe. In 2007, Stefan Fleischmann was appointed professor at the China Fangwei Institute of Technology. Stefan is also an associate member of IACIS (International Association of Computer Investigative Specialists). His Chinese name is 史德凡.