Computer Security

The X-Ways Forensics Practitioner’s Guide

By: Brett Shavers, Posted on: September 4, 2013

This book is one of those books that begged to be written for years, but I didn’t realize it until recently. First off, let me talk a little about X-Ways Forensics. X-Ways Forensics is a fairly new digital forensic software application that was released in 2004 by Stefan Fleischmann of X-Ways Software AG in Germany. Stefan is also the developer of the widely used hex editor WinHex, on which X-Ways Forensics is based. Those examiners who started in forensics during the days of using hex editors certainly knew of WinHex as one of the best, if not the best, hex editors available.

My initial interest in X-Ways Forensics stemmed only from being a longtime WinHex user. Finding a “forensic” version of WinHex on the WinHex website looked cool, and I figured that since WinHex is a pretty good hex editor, a forensic version may be good also.

Sending a few emails to Stefan asking if he would give a class resulted in a small group of examiners being taught how to use X-Ways Forensics in Seattle early in 2005. Even with the first release of X-Ways Forensics, I knew that Stefan was on to something, as X-Ways Forensics was fast, easy to use, and had a small footprint that could run on just about any system. It was also neat, during this first class, to see Stefan make improvements from our suggestions directly in X-Ways Forensics…

Since that first class, there were more than a few exams I had where X-Ways saw data that other tools did not. It carved more, displayed more detail, and was more versatile in what I needed than other tools. I found that when “Tool A” didn’t work or couldn’t open an image, X-Ways Forensics would be able to, and I was right every time. I was hooked and figured everyone else would be too. But not everyone is so easily convinced to try a different tool.

There have always been many forensic analysts who have avoided using X-Ways because it was “too hard” or “not intuitive” with a manual that wasn’t easy to figure out. I never thought that way myself, probably because I was in a room where Stefan showed us how to use it from the first time I was exposed to it. Unfortunately for the rest of the digital forensic world, if you didn’t attend a course in X-Ways, the interface can be intimidating. For the really busy forensic analyst, making the time to learn X-Ways Forensics wasn’t in the daily schedule if you were already using another tool. I totally get that.

So in 2010, I wrote a short XWF QuickStart Guide which made its way around the Internet and even onto the X-Ways website. From that one simple guide, I received dozens of emails from owners of X-Ways licenses saying that they finally had something to at least show how to do the basics in X-Ways Forensics quickly and easily. And that is when I figured a book would do more justice than a simple guide.

I’ll admit, even as one of the first users of X-Ways Forensics and even as I have used it as a primary forensic tool for almost 10 years, I still had doubts whether I was using X-Ways Forensics to its fullest ability. Writing a book about X-Ways needed a good team to make sure it was done right, especially since I am only a user, not a developer, of the software. Thus, my search for other X-Ways experts began.

Eric Zimmerman accepted my badgering to be a co-author, and I am truly grateful. Eric is one of those computer scientist forensic examiners who can take a job needing a week to finish and have it done in hours, if not faster. I pestered another long-time X-Ways Forensics user, Jimmy Weg, until he agreed, despite his busy schedule, to at least be a Tech Editor for the book. And again, the book was fortunate to have Jimmy on board. Of course, having Stefan Fleischmann support our book by reviewing every chapter for accuracy ensured we would have everything right. Stefan’s view of writing about X-Ways is different from our view, so the manual and the book are different. Both are needed and complement each other, but they are different.

We knew that during the time of writing the book, Stefan would update X-Ways Forensics with new features, updates, and upgrades. We knew this because Stefan constantly updates X-Ways Forensics! Not a month goes by without a new feature or improved function being added. Many of these changes are suggested by a solid core of X-Ways Forensics users, so each update is substantially better than the prior one. With this, the book will still retain its currency and value: no matter how many updates are made, the book covers the 95% of using X-Ways Forensics that remains unchanged. The remaining changes are easily found on the X-Ways website. We wrote the book to be able to keep up with updates, even though we couldn’t put every update in the book before it went to press.

One major business difference between X-Ways Forensics and the other forensic software suites is the manner of marketing conducted by the companies. Most of the big name brands have flashy websites, plenty of white papers, comparison tests against their competition (none seem to want to compare against X-Ways Forensics…), and a tremendous marketing push toward the ediscovery market. Some of these big companies hold entire conferences to sell their wares. Not X-Ways. There is no fluff. No excess costs. No attempts to sell you enterprise editions or modules or add-ons. X-Ways caters to the true forensic analyst at a cost that can’t be beat. For that reason, there is a movement of X-Ways Forensics users who will pit their dongle against any other software without hesitation.

I’d like to tell anyone who has used X-Ways Forensics extensively for years that you will learn something that you did not know in this book. You may learn many things you didn’t know before. I know I did. We all did. I’d like to think Stefan also realized a thing or two about X-Ways Forensics during the book writing process. The book is that good, and I’m not saying that because I was part of the team that made it. I’m saying it because this is the book I wish I had when I started using X-Ways Forensics.

So there you have it. How the X-Ways Forensics Practitioner’s Guide made it to print, in a nutshell. There may have been an excuse you used to avoid using X-Ways Forensics before, but those excuses are gone. With this book and an X-Ways Forensics dongle, you can take off running, faster than with any other forensic tool and with better results.

It might sound like I work for X-Ways, but I don’t. The reason I wanted to write this book was personal and maybe a little selfish. The way I look at it, the more users of X-Ways Forensics, the greater the chance that Stefan will keep improving his tool. I benefit directly from that, and so does everyone else. There is a saying: ‘beware of the analysts that use X-Ways Forensics, for they probably know what they are doing’. I actually made that up, but it is fitting.

About Brett Shavers:

Brett Shavers is a former law enforcement officer of a municipal police department. He has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended over 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the department’s first digital forensics lab in a small, cluttered storage closet. Shavers is also a Digital Forensics Practitioner, expert witness, and former Adjunct Instructor for the University of Washington Digital Forensics program.

His most recent book, X-Ways Forensics Practitioner’s Guide, has just been released, not long after his first book, Placing the Suspect Behind the Keyboard. Both are available for purchase on the Elsevier Store at a 25% discount.

Stay up to date by following the X-Ways Forensics Blog and following them on Twitter at @XWaysGuide.
