I just published the second edition of the X-Ways Forensics Practitioner’s Guide. If you use X-Ways Forensics in any sense of running the application, you should get this book.  I can’t say that any stronger than that.  But this post is not about the X-Ways book, at least not completely.

If you want to see the book or buy it, here it is:

In this second edition book, I asked and received contributions from forensic examiners who are X-Ways Forensics users. These contributions were tested and evaluated, and published as a complete section of forensic processes (and war stories) with X-Ways Forensics. This serves several levels of awesomeness.

For one, readers get more perspectives on how to use X-Ways Forensics than just me.  I know some things, but not all things.  Second, these contributors, if they were in a shell, jumped right out front and put their work on the scale to be weighed.  This is a major thing to do, because if you are wrong, you gotta take the hit and then move forward to improve.  But if you were right, that will have validated your previous work as being logically correct.  All contributions were awesome, and now, each contributor has a formally published forensic process using a tool that they know well.  Few things are greater than that in a case when you have published works.  For that, I am grateful, and the readers will benefit.  The contributors also have the right to use their contributions as they wish, whether that be as an attachment to a case report, affidavit, or in their CV.

This brings me to another work in progress (two new book projects that will be ramping up soon).  For one of my next books, I will be asking for contributors in the same manner, for a similar sort of content. My intention is to pull some great forensicators out of their cubicle and into the DFIR community's eye to display their work, their processes, their wins, and their perspectives to share with the community at large.

This takes a lot of guts, but there is such a huge personal, professional, and community benefit when you can help someone else do better and be better by simply sharing.

With that, this next book will be the most comprehensive writings in forensics that I will have ever done, and quite unique is scope and scale.  It will certainly take me a year+ to finish it, but it will be so well worth it.

The short story:

The book is done!

Get it at $20 off during the 100-hour book launch coming up in a few days (but only a limited number of books will be sold in the 100-hour book launch). Free shipping in the USA. International is available to ship, but not free..sorry…

The book will afterward be available for purchase on Amazon (and elsewhere) at the retail price of $69.99 plus shipping.

Get on the notification list here so you don’t miss it:  https://order-dfir.com/optintfu71ito

The longer story:

I used X-Ways Forensics (XWF) a lot, starting from the first version. And somehow, the experience of over 15 years of being an XWF user fit into one book. The neat thing about this book is that any XWF user can go read it and learn from that experience in a much shorter time than 15 years! That doesn’t even count the experience laid out by nearly a dozen contributors* in the book which probably gives this book a century of XWF experience wrapped up in a tad bit over 400 pages.

The intention of this book is that there will be at least one thing that you learn that when you see it, you will forever end an XWF frustration point, and prevent many hours of wasted time for years to come.  That makes any book worthwhile.

I’ll say this as strong as I can: I use all sorts of software.  I don’t have a ‘favorite’ tool, but I do have a favorite collection of tools. XWF happens to be in that collection. For the most part, any of the top forensic tools do a fantastic job and I use them all at different times and on different cases. I use good tools, support good tools, and advocate for good tools, because good tools allow good examiners to do good work.  At best, I am okay at forensics simply because I do not know so much, but the tools help me learn and work.

The only reason that I wrote a book on how to use XWF is because the manual didn’t show me how to use XWF.  This is not a problem with most other tools because many other tools are very intuitive; but not XWF.  Only after learning how to use it does it become intuitive…

For me, I need something or someone to show me how to use XWF (and most other things, too), otherwise I am spending hours trying to figure it out and may end up doing it wrong anyway or never learn the right way. I teach the same way as well...mostly I teach the way that I would like to have learned what I am teaching, not how an engineer thinks the way I should learn.

Books, books, books

This is my seventh book authored with my name, plus one fully ghost-written** book, several ghost-written chapters in other books, plus tech editing a half dozen other books. Three of my seven authored books were published under a publishing house, four with self-publishing, one in the second edition, another to be in a second edition in 2023/2024, and another due out in 2023 with a fantastic forensic expert and co-author.

For this edition, the book is more than 150 pages longer than the first edition, includes content not in the first edition, and has a dozen contributors who gave either an XWF war story, told one of their processes in how they use XWF, or contributed information on their X-Tensions or third party tools. The tech editors, Troy Larson and Michael Yasumoto are awesome.  For those who get a copy of the book, you won’t want to miss Troy Larson’s bio. If you know Troy or of Troy, the bio will make perfect sense and is only missing a shark laser pointer.

The XWF/2E started in 2005 when I was struggling with X-Ways Forensics. I struggled enough that my partner-in-crime (so to speak) and I arranged for the first ever X-Ways Forensics course to be hosted in Seattle, Washington. I will go as far to say that since X-Ways wasn’t giving training up to that point, our frustration with XWF ended up with convincing X-Ways that we’d go so far as host a class, market it, fill the seats, and even cater it if that would make it happen.

I’ve used X-Ways Forensics ever since, taking lots of notes, auditing more training, teaching what I learned at various places, and banging my head along the way. That was the impetus of the first edition: take my pain of learning XWF and write it down so others can learn faster. 

The first edition eventually became outdated

Emails started rolling in asking for a second edition. Lots of emails. This was bound to happen because the first edition was outdated to the point that functions moved around or were removed or added to the point that the book didn’t work.

Unfortunately, the publisher didn’t want to approve a second edition as the first edition was still selling well enough to not justify replacing it, even though it was outdated. Writing a book through a publishing house means the author is simply a contract employee writing for the publisher and has no ownership of the book or content other than a commission of sales (royalties).

I then had a 2-year process with the publishing house and my attorney to regain the copyright from the publisher so that a second edition could be (self-) published. This is probably a story to tell in more detail another time in how to get your copyright back from the words you wrote that the publisher owns.

And now you have the second edition, with more content, better organization, and with contributions from a dozen XWF users.  This gives you a dozen different perspectives of how XWF is and can be employed, all from one book.

You most likely have the same reference books on your desk that I have on mine, with dog-eared pages, highlights, notes, and worn out spines.  This is one of those kinds of books.

*Amazing contributors include Michael Yasumoto, Mark Burns, Derek Eiri, Yuya Hashimoto, Alexander Kuiper, Chad Gough, Craig Bowling, Jeffrey Meissner, Erinn Soulse, and a few others wishing to be unnamed.

**Ghost-written, as in, I wrote it for someone else’s book, but in their name, under contract to not give my name.

I lived a double life for a decade. I have now been away from that life for more than a decade and feel (a little) more comfortable talking about it.

Not long after I left military service, I went to work as a patrol officer in a suburb of Seattle. When I thought the best years of my life were the years in the Marines with the best group of people that I ever met doing amazing things, I entered a different sort of life with more great people doing amazing things in police work.

Side note: I worked with idiots too, both in the military and police world, and in both cases, they were the ones who put my life in danger more than any criminal or enemy ever could.

Here’s my police career in a nutshell. I was in patrol for a few short years, which included riding a bicycle. Don’t laugh. Bike Patrol was AWESOME!  Not being responsive to a radio allowed me to run amuk around town and find some dangerous criminals, some of the worst sort. I did other things too on a part time basis, like SWAT, use-of-force instructor, and things like that.

Then I applied to be a narcotics detective!

I didn’t get selected.  Someone else got it.

So, I waited until for the next opening and applied again. This time, I got it.

That is when shit started going south, as they say.  In less than 2 years, my partner and I seized more dope than the entirety of my drug unit seized in the past 20 years.  We seized that much more cash too. And that many more cars too.  Later seizures included a semi. And a plane. And boats. All with the arrests and cases to back it up. I was doing undercover buy busts, buy walks, meet and greets, surveillance, and everything else you can imagine with “crack heads”, “cranksters”, and all sorts of dealers. I was buying kilos of cocaine, working the DEA, FBI, USSS, ATF, and other alphabet soup agencies, all while being a little city PD detective…

In two years, I was in a state task force and working bigger cases. For those who understand how teams work, this task force was in a perpetual state of “storming”, so that sucked in more ways than you can imagine. Incompetence was the norm and on no less than a dozen occasions I was in more fear of being killed by incompetence of police than the criminal organizations that I infiltrated.

Two years later, I was drafted to a federal task force that virtually took the types of cases that I had started in my state task force and turned it into a laser-focused-federal objective. I’ll get into that with more detail sooner or later. During the next years, which turned out to be my final years in law enforcement, I traveled nationally and internationally doing undercover work with outlaw motorcycle gangs, Asian organized crime, and Mexican cartels. I was running informants across the country, initiated a dozen OCDETF cases on my own that were eventually managed by DHS, ICE, FBI, DEA, and the IRS.

I worked undercover for foreign agencies, one of which, again, had not only incompetence, but corruption with the very international criminal organization that I was undercover in….

Dozens of stories of having a gun stuck in my gut, followed home, investigating high level organizations where the children of my targets were in the same classroom as my kids, nearly being shot mistakenly by police, and getting the “once you are in, you are never getting out” talk by those that I was investigating while undercover all led me to getting into digital forensics.  I figured a computer would never kill me...

My double life involved my wife and kids. Now, my wife is amazing. She was a Marine wife. An army wife. And a cop’s wife. Growing up, my kids were amazing (they are even more amazing now!). My double life had me a husband and father at home, while at “work”, a drug dealer, and an arms dealer, and a human trafficker, and a hitman, and a money launderer, and a trafficker in stolen cars, and a smuggler, and eventually, involvement in “national security-type” investigations, that involved other types of assoCIAtions.   I trained my wife and kids in reacting to danger, reacting to me being confronted in public by criminals, and other reactions that families shouldn't have to be exposed to learning.

The point of this story

After being asked more times than I remember to write these stories down, I finally decided to podcast them. I am starting with some cases a little distant to me, and only the ones where someone was convicted. There are plenty of non-convicted criminals that I investigated but never filed the cases for one reason or ten others. For them, I hope they all turned a corner and are living an honest life. Some however, I know never will.

My podcast is behind a paywall because I’m a bit of a paranoid person, and if someone wants to hear these stories…well…I’d rather keep the audience a little smaller than the entire planet..

If you are interested, I'll be on Patreon.  I'm even going to do some live video chatting to talk about things that I don't want to put down on paper or in a podcast...the cool thing about these stories is that only one is under an NDA :)

The really funny thing is that you won't be the only ones hearing these stories for the first time, because my wife and kids will be hearing them for the first time too.  Little did they know that not only could daddy help mommy with housework, but he was flying armed and partying with people who killed people for a living.

Update: Some former and current narc buddies want to write a book with me about undercover work. With that, no time for a podcast as I'll trade podcast prep time with writing time!