…only with decryption, and even at that, it does everything else superbly.
I probably caught your attention if you are an X-Ways Forensics user. The only thing that sucks about X-Ways Forensics is that it doesn’t do encryption. By “doing encryption”, I mean that it doesn’t decrypt encrypted files or systems. Besides that one aspect of forensic work, X-Ways Forensics rules.
**UPDATED X-WAYS FORENSICS PRACTITIONER’S GUIDE ONLINE COURSE**
I completely updated and extended an online course based on my book, the “X-Ways Forensics Practitioner’s Guide”. It has taken some time to create a course that has 95% of what you need to use X-Ways Forensics without being an overly long instruction of the software. The remaining 5% changes every week or so with new features and updates added by X-Ways. This course covers X-Ways Forensics up to version 19, but know that X-Ways will be adding new features every week that aren’t included in this course yet. After enough ‘little’ features and improvements have been added, more content to the course will be added as well.
Here is the gist of this post
Personal anecdote: While sitting in BCERT at FLETC years ago, I brought my trusty X-Ways Forensics v13 to class. FLETC issued FTK and Encase as the forensic suites during this time, and also issued a license for WinHex. The WinHex instruction was probably 30 minutes long.
I had already been using X-Ways Forensics and the FLETC instructors allowed me to use my license alongside their issued tools. With a FLETC provided image that was given to every student in the course, X-Ways data carved hundreds of pornography pictures from my image while both FTK and Encase did not. The instructors thought I had been surfing porn in class until I carved from someone else’s image. Encase and FTK, for some reason, did not carve up the pictures that X-Ways did. In about 5 minutes after seeing that X-Ways carved up porn that other tools missed, every image was collected from class by the instructors….
I emailed Stefan Fleischmann of X-Ways during lunch to let him know that his X-Ways Forensics program works pretty good.
My personal experience with X-Ways Forensics started because I was curious about a ‘new’ forensic program based off of WinHex. I only tried X-Ways Forensics because it (1) was cheaper than anything else, (2) looked kinda cool, and (3) got deep into the actual files like a hex editor. However, I tried to figure it out and the best way to do that was to host a course. The only reason I gave X-Ways Forensics a chance was because X-Ways agreed to give a training course in Seattle if I would arrange it, their first course ever. After seeing how X-Ways worked in that one course, I was hooked using X-Ways Forensics as my primary forensic tool for well over a decade.
I have met many examiners who have tried to use X-Ways Forensics and have nearly always gone back to their other tools, like Encase or FTK. Mostly, I see this to be because of fear of change and lack of information to use X-Ways Forensics. There were no books about X-Ways Forensics. The manual was (is) clearly lacking in giving instruction in using X-Ways, the courses were (are) expensive and not typically where you’d like them to be. Compared to Encase, as one example, books on using Encase have been around for some time, Encase has been taught in government forensic courses for well over a decade, and courses have been planted everywhere around the world for so long that it seems strange to not have a course local to you every year or so. Plus, the other tools throw parties, like huge beer fests poolside in Vegas or somewhere neat. X-Ways? No parties. No beer fests. It’s all down and dirty with hex, which is just the way I like it.
The manner in which this online course works is similar to the book that Eric Zimmerman and I wrote on X-Ways Forensics. We wrote, and titled, the book for practitioners. The manual is not for practitioners. Do not start reading the manual hoping to find the ‘how to use X-Ways’. Do read the X-Ways Forensics Practitioner’s Guide to find out. Unfortunately, books and manuals simply do not fill the remaining gap of instruction and demonstration. Short videos on YouTube won’t do it either. You need a course to learn what you need to learn as fast as you can learn it in order for you to be able to use it right away.
If you cannot attend the official X-Ways Forensics course due to time/money, or maybe you want a refresher to the course you took five years ago, or maybe you are in a forensic course in college that uses X-Ways, this online course is the least expensive you can find (the only one currently in the world) that fills that need.
I can promise that after you complete the course, you will have a different perspective of X-Ways. You most likely will use X-Ways Forensics as a secondary or validation tool. Many of you will move completely over to X-Ways Forensics and turn your other tools into secondary tools. Some of you will turn your entire lab into an X-Ways Forensics lab that uses the “other tools” as validation.
One thing the online course does not do is teach forensics. You might learn a little something since the course uses publicly available forensic images and gives suggestions on workflows (based on case types, such as picture intensive or user document intensive cases), but don’t expect this course to teach everything about forensics. For that, you need to take a digital forensics course to show what a “lnk” file is, or how to examine the registry. The X-Ways Forensics Practitioner’s Guide course teaches you how to plug the X-Ways Forensics dongle into your machine and push all the buttons you need to push to get what you are looking for. That’s more than half the battle for any forensic software: what button do I push to get forensic artifact “x”, “y” and “z”?
Watch the introductory video (free) to get a handle on why you should take this course. Whether you have been using X-Ways Forensics for more than a day, are new to X-Ways Forensics, or are thinking about trying it out, this course is the fastest, least expensive, and easiest method to learn. Bar none.