
Brett Shavers | Ramblings

JAN 23

More WinFE work and research!

Posted by Brett Shavers in Digital Forensics
It is always nice to find more than a few people working on a project that benefits many others. This blog (http://gverswijvel.wordpress.com/) shows that effort.

WinFE: the forensic WinPE made in Windows 8, Windows 7 and Vista


There is quite a bit of information and tips regarding WinFE, all of which is helpful to anyone who uses WinFE. And not to give the impression that WinFE is the only solution, I still advocate having at least one each of the "other" forensic booting systems, such as DEFT, CAINE, RAPTOR, etc.

Anyone who boots systems to a forensic OS knows that a single bootable forensic OS doesn't work on every system, nor work every time, nor is appropriate for every situation. Plus, it doesn't look too professional when the client sees you staring at the screen when something doesn't work and you don't have a backup plan...
JAN 01

Natural Progression for New Users of WinFE

Posted by Brett Shavers in Digital Forensics
A new user to WinFE can be a new forensic analyst or a forensic analyst new to WinFE.  Either way, this short post will be helpful to everyone who has not yet taken the time to try WinFE.  To save you frustration, time, and questions, try this natural progression to start using WinFE:

1) Start with Mini-WinFE

2) Move on to bigger builds (WinFE Lite or WinBuilder) and/or stay with Mini-WinFE.

Here are some reasons to try this route.

*  Mini-WinFE only needs about 10 minutes, start to finish, and needs zero knowledge of coding. You get a fully operational, forensically bootable Windows operating system. It's fairly minimal, but pretty. It is also fast and easy to build and use, with the lowest chance of having any build errors. You actually should have zero errors when the app builds WinFE for you.

*  The bigger (full-blown WinBuilder) builds take more time and effort. You will also experience build errors no matter how much effort you put into it; it just happens, and you have to start over each time. Basically, these build methods (not so much with WinFE Lite) take longer because you have more options to choose from and the ability to customize just about everything in the build to personalize it, add programs, and add features/options. You will try this eventually just because it is so cool and practical to have in your go-bag.

I promise that after building and using Mini-WinFE, you will eventually make a bigger build that can run more forensic apps.
Recent Comments
Guest — jparoff
Brett - WinFE is great, but can you post more (or direct us to more) info on this statement: "be able to ship a bootable CD/USB dr... Read More
Thursday, 02 January 2014 04:09
Guest — Brett Shavers
I wouldn't necessarily recommend a wireless connection because of the hassles in setting up the connection (logins, passwords, etc... Read More
Thursday, 02 January 2014 05:11
Guest — jaclaz
Well, with all due respect, if you physically give someone else (or provide a download for) an already built PE, you are effective... Read More
Thursday, 02 January 2014 22:02
DEC 20

Cloud Storage Forensics

Posted by Brett Shavers in Books

[Image: book cover, http://www.amazon.com]


I have a detailed review of this book at http://winfe.wordpress.com. In short, it's a really good book, and of all the tools to choose from for the research in the book, the authors picked X-Ways Forensics. But then, that should not come as any surprise.

There's still time to ask Santa to put this in your stocking...

DEC 20

Cloud Storage Forensics book review

Posted by Brett Shavers in Digital Forensics

I've been waiting for this book to come out so I can write something about it. I had the fortune of being able to read it early, as I was asked to be the tech editor of the book. It's not my book, but if it were, I'd be mighty proud of it. If you want to skip this review and get to the point, here it is: get this book, it is well worth it! This is another one of those books that you will wish had been written before you tried to figure out how to do it on earlier cases...

[Image: book cover, http://www.amazon.com]


The forensic books of today have gotten so much better, not because older books are not good, but because the information we know now is so much more detailed and specific. The topics of the books are no longer "Computer Forensics" but rather specific topics within forensics: books focusing solely on registry forensics, Windows forensics, or Xbox forensics. And now we have cloud forensics. This makes it so much easier to find a reference when needed by grabbing a book on the specific subject instead of flipping through a book to find a specific chapter on a subject.

One of the biggest differences you'll find in this book is the documentation of the methodology followed by the authors.  Step-by-step instructions of what they did and their findings.  Every chapter follows the same methods, in order and detail.  It is laid out so well, that you can replicate their work on any cloud system not covered and know that you did a good job.  Another neat thing about this book...the authors used X-Ways Forensics.

As I mentioned, the forensic books of today make it nice to have books dedicated to one topic in detail. That is both the good news and the bad news, as there are many of these books being published to buy.

I know many people like Kindle versions, but I have this book in print (not Kindle) because I like to treat it the same as all my other reference books: dog-eared, highlighted, sticky-noted, and with lots of personal notes written throughout the book.


DEC 18

Thesis on WinFE, shared by Alex Van Ginkel

Posted by Brett Shavers in Digital Forensics
Very cool of Alex to share his work.  Thanks Alex!

[Image: thesis] Alex van Ginkel Final Thesis MSc_27nov: http://winfe.files.wordpress.com/2013/12/alex-van-ginkel-final-thesis-msc_27nov.pdf
DEC 11

Integrated Scripts to WinFE

Posted by Brett Shavers in Digital Forensics

There is some behind-the-scenes work going on to create scripts that integrate forensic applications into WinFE. This is substantial work for WinFE users, as it reduces your effort to add programs during the build process. Basically, a one-button approach to adding a forensic application.

But before you wait for these scripts to be written, remember that you can add many programs without a script or additional work if the program is already portable (meaning there is no need to install it for it to run). The best example of a full-fledged forensic suite is X-Ways Forensics. Many small forensic applications are also portable and easily copied into a WinFE build. The difference is, X-Ways Forensics is an entire forensic suite, not just one app.

Some forensic apps being worked on now to be put into WinFE may not be full forensic suites, but they have a single powerful function that makes it worthwhile. I won't break the news yet and will let the vendors have first crack.

On another note, last week, I helped a LE forensics detective set up a review platform with WinFE for other detectives in his department using X-Ways Investigator.

The problem:

--Detectives assigned to cases with electronic evidence, particularly illicit images evidence, wanted to do light review work for their cases.

--Reviewing any type of illicit images on a work machine only leads to that machine getting dirtied up.  Also, every detective had 'their own way' of setting up their computers.

--Detectives had no forensic training.

The solution:

--WinFE and X-Ways fixed both problems.

--Department purchased two licenses of X-Ways Investigator.

--A WinFE boot CD was made with X-Ways Investigator copied onto it.

--Detectives now boot their machine to WinFE, run X-Ways Investigator, and access the forensic images from an external drive.  All work is saved onto the external drive and their workstation remains clean.

--This also prevented the city's IT staff from panicking over installing 'unauthorized' software.

--And of course, a copy of the X-Ways Forensics Practitioner's Guide was ordered for the detectives to use :)

[Image: X-Ways Forensics Practitioner's Guide cover]
Recent Comments
Guest — Howard Patterson
Cool solution. Are the detectives accessing the evidence drive locally? Or via network?
Wednesday, 11 December 2013 11:01
Guest — Brett Shavers
From external drives with a copy of an image. I personally don't like those kind of cases on a network for a local PD. The feds... Read More
Wednesday, 11 December 2013 14:08
DEC 09

Cool update to the XWFIM, Portable Install

Posted by Brett Shavers in Digital Forensics

Eric is at it again.  This time with a pretty cool update to the X-Ways Forensics Install Manager (v0.0.7.0).  The update to the XWFIM now includes an option to create a portable install to external media.   Page 13 of the Practitioner's Guide to X-Ways Forensics details how to do this manually, but XWFIM does it for you with a few clicks.

[Screenshot: portable install option] Easy enough.

[Screenshot: drive letter] Cool! Notepad++ and Volume Label renamed.

[Screenshot: result] Bam! Done.

Another cool little feature is that the XWFIM creates all the case folders for you in the process of the portable install.  Neat.

[Screenshot: case folders] I like this. Saves a few keystrokes, and I'm all about saving keystrokes.

Don't forget, if you liked the Practitioner's Guide to X-Ways Forensics, write a review on Amazon to let us know how you liked it (or if you didn't...).  And if you use XWF and didn't buy the guide...you are missing out on more than a few tips and tricks that will save you dozens of keystrokes.

DEC 06

X-Ways Forensics Install Manager

Posted by Brett Shavers in Digital Forensics

I cannot imagine anyone who uses XWF not having Eric Zimmerman's XWFIM.   Every time I use it, I wonder how I did without it.  XWFIM is available through the XWF support forum.  It's free, but you need a license for XWF to get it.

Eric constantly adds little things to it, much like Stefan adds 'little' things to X-Ways Forensics.  One of the latest little additions is the selection box to "Include pre-release versions" which is pretty cool.

[Screenshot: XWFIM with the "Include pre-release versions" selection box]

And if you haven't bought the XWF Guide yet and you use the XWFIM, just click the book's graphic and you can have the guide on your Kindle in about 30 seconds.

[Screenshot: XWFIM with the XWF Guide graphic]

Recent comment in this post
Guest — DKein
Works like a charm... Thanks Eric
Friday, 06 December 2013 04:49
DEC 04

X-Ways Forensics Imaging Article

Posted by Brett Shavers in Digital Forensics

In case you missed the article on X-Ways Forensics Imaging (page 40), you can download a free copy of the issue of eForensics Magazine here: http://eforensicsmag.com/jumpstart-3-free/

[Image: XWF Imaging article] You may like the WinFE article too...I know the guy that wrote that article...

The article is an overview of imaging with X-Ways Forensics, which is covered in more detail in the XWF Guide.   If you haven't bought the guide yet and are on the fence on whether XWF is right for you, check out the article on the one feature of imaging and I am sure you will not be on the fence anymore.

[Image: X-Ways Forensics Practitioner's Guide cover] I use this guide myself...and I was a coauthor!
NOV 28

XWF Guide translations

Posted by Brett Shavers in Digital Forensics

There is a possibility that the XWF Guide may be translated into Chinese and Korean.  That would be pretty cool.  I can at least look at the pictures :)


NOV 13

CyberCrime 2013 Symposium

Posted by Brett Shavers in Digital Forensics
[Image: CyberCrime 2013 Symposium, http://cybercrime2012symposium.com/]


I'm heading to New Hampshire (first time there) to present on Placing the Suspect Behind the Keyboard. Sounds like a pretty good conference, and it certainly could not be any farther for me to travel within the entire country. Literally, from one end to the other. Looking forward to the conference; come say hello if you are going to be there!
NOV 11

X-PERT Certification Program

Posted by Brett Shavers in Digital Forensics

Been using X-Ways Forensics for a while now, have ya?  Been to an X-Ways training class?  Then consider getting certified by X-Ways as an expert (X-PERT) in XWF.

X-PERT: http://www.x-pert.eu/


Be sure to set aside time, have your XWF Guide at your side, and dive right in. It's a real forensics exam; if you pass, you have a certificate that actually means you know what you are doing with X-Ways.

NOV 09

A very kind review of Placing the Suspect Behind the Keyboard

Posted by Brett Shavers in Digital Forensics

From the Journal of Digital Forensics, Security and Law, Vol. 8(2).

http://www.jdfsl.org/subscriptions/abstracts/JDFSL-V8N2-BookReviews-Nash.pdf

Thanks for the review!

NOV 04

Something else cool about XWF

Posted by Brett Shavers in Digital Forensics

Consider the differences between X-Ways v12 below:

[Screenshot: X-Ways Forensics version 12]


With the current version 17:

[Screenshot: X-Ways Forensics version 17]

They look the same!


XWF has had literally hundreds upon hundreds of significant updates over this time between v12 and v17, but the interface and usage remains constant.  Personally, I enjoy an update to a program that looks the same, the buttons are in the same place, and there are new features to use.  The last thing I want is a totally different interface, buttons where I have to hunt and peck to find or miss completely, or have to take another class from the vendor to be told how to use their new fandangle program.

It's nice to know that in 10 years XWF will probably look the same; even though I know it will be able to do so much more by then, I'll be able to use it without skipping a beat.

This is also the reason that the XWF Guide will carry you through the next many years without having to worry about a major change in operation of XWF.  What other manual or guide can say that?

Recent Comments
Guest — wmarney
True, but it would be nice if Stefan would add a bar someplace (that you could drag n drop) that would display the complete file p... Read More
Monday, 04 November 2013 04:34
Guest — Stefan
There are several places already where you can see the complete path quickly, most notably in the Path column.
Tuesday, 28 January 2014 02:37
OCT 31

Cloud Storage Forensics and XWF

Posted by Brett Shavers in Digital Forensics

[Image: Cloud Storage Forensics cover, Amazon link to order]

I recently finished tech editing a book soon to be published on Cloud Storage Forensics. One of the main tools used was....wait for it...X-Ways Forensics. Without giving anything about the book away, I was really impressed by the level of detail documented and the amount of research conducted in cloud storage forensics.

The book goes to print in January, but it is available for preorder. I'll be writing a review of the book once it is made available, but in short, I give it a high grade for technical accuracy and research on the most commonly used cloud storage services and the connected machines. The authors documented testing of various cloud services as if it were a scientific examination (which, by the way, digital forensics testing is...), and their methods can be used by anyone, as can their results. I'll give a small tidbit: there are many instances of "holy smokes!" in some of their findings that I have not seen anywhere else.

The authors could have chosen any major forensic tool, but they chose XWF.  This is just another example of how X-Ways Forensics is used to validate scientific theories and tests over all others.  The reason is simple:  XWF works.

This book, along with a few others that I know are coming out fairly soon, should be quick sellouts for the first printing.  For anyone that buys books from Amazon, preordering is a good way to go and Amazon price matches books, even after you have already ordered.  Just saying...

© 2022 Brett Shavers