All chapters are done, the writing is over, and the XWF Guide is just a few steps away from being put on paper (proofing, setting, and printing is all that is left).



Having re-read the book, it is something I would have liked to have had when starting to use X-Ways Forensics in the beginning and while using it on cases.

Yep!  Not only is WinFE still a viable project, it is being taught in more places, more often, to more people.  For example:

The FAA: FAA78100041, (78100041) Creating a Windows FE DVD

Search at the Child Abuse and Family Summit in Oregon.


HTCIA at a training session in Washington (state).

Another HTCIA here (with instructions to build a WinFE).

And a few conferences too.

This does not include a varied assortment of in-service training on WinFE that I have been asked for help in either reviewing or creating training programs for WinFE from a few US Federal government agencies and about a dozen local/state agencies, just only during the past year.

There's also more instructions available online for creating a WinFE, like: http://4nzx.blogspot.com/2012/11/creating-winfe-boot-disc.html

http://megadeus.com/?p=91

 

and

https://www.youtube.com/watch?v=Dy27R34MDkE

So is WinFE a viable addition to your forensic toolbox?  Sure is.  Just ask anyone that uses it.  One thing to consider about WinFE is that the development of WinFE isn't in "new" features or capability.   It is only a boot disc.  The key factor that no other boot disc can compare, is that it boots to Windows...and it boots forensically.  The fact that you (or anyone you train) can use Windows, forensically, to triage or preview potential evidence is something amazing.

Linux is good too.  But when your entire department (or agency or group) works in Windows every day, as they have been for the past decade or longer, you don't have to teach a new (to them) operating system.  You only have to teach how to boot to a CD/DVD/or USB.

Because of that, virtually anyone can boot a suspect's machine (even a terrorist's computer!) and find the low-hanging fruit of evidence in MINUTES without having years of digital forensics training.  Like I've said before, Troy Larson's simple registry modification was ingeniously simple.  Creating an automated process with WinBuilder took it a step further to get it in the hands of more people. And Colin Ramsden's write protection GUI app made it easy for anyone.  What more could you ask for?

 

 

Regarding a post on twitter asking if training from X-Ways is worth it or just buy the book, I’d have to say taking the training is a good solution.  And so is buying the book.

I favor training for almost everything (easier to learn from other’s mistakes…).  I also favor reading to self-learn and as a reference when needed. 

I’ve personally taken XWF training on more than one occasion, and know others that have taken the training more than that.  Each time, there is something new that you learn, just like with any class I’m sure.  I did not regret taking the training as it did make the transition to XWF easier.  Although, if there were a book on XWF at the time, I would have bought it and still went to training.

I think it comes down to (1) time, (2) money, and (3) self-learning ability.  If you can afford the training and afford the time off from work, why not take the training?  You can still buy the book for a reference because you will most certainly like to have it when using XWF.  But, if the cost of training, loss of time (vacation or you just need to get things done at work) is too much, you will still learn a lot with the book, more than enough to competently use XWF.

We have written the book (working on the last chapter now…) in a manner that if you have not taken the training, you will be able to use XWF, in a step-by-step instruction, including how to use in specific types of cases.  It is also written as a reference guide.  Need to know what shortcut opens the directory browser window? We have a section on all shortcuts?  Need to know the different ways to create an image, or container, or skeleton image? We have a chapter on that?  Curious what a specific checkbox selection does?  We have that detailed.  Need to know how to use XWF in ediscovery? We have something on that too.  So, for those that like to tinker with software to learn how to use it, meaning…pushing buttons to figure it out, this book is for you.  Some like sitting in a class.  Some like figuring it out themselves.  As far as the training put on by X-Ways, they do a good job and you get your money's worth with the amount of information.   They do not stretch 8 hours into a week.  They cram 40 hours of information into 20 hours.

Just posted 0.0.5.3. This fixes a few issues related to checking for new versions when more than one zip file exists as they often do when it comes to prereleases.

 

If you get an error about "more than one element" on startup, dont sent the error report, do not exit, then proceed to update using the built in updating feature. Worst case just redownload it from XWF website and it should be fixed.

 

Here are some of the case studies we are working on for our current and last chapter:

• Electronic Discovery (IP theft, document collection, contract antedating)
• Consent Searches (triage/preview)
• Parole Searches (triage/preview)
• Malicious Software
• Intrusion
• Fraud
• Child Pornography
• Cell phone analysis

Several of these are being submitted by contributors, and all are to be detailed using XWF and suggested case flow processes.  Contributors to be duly noted (as much as they allow).

Here is a new X-Tension for XWF that does a few neat things, such as searching for specific files and adding them to the report table, and exporting files for external analysis: http://www.gaijin.at/en/xtmultifilefinder.php

 

We are starting the last chapter (Case Studies) and have a few contributors already for case examples.  We'll gladly take more as we want to have a wide range of case studies using X-Ways.

For everyone waiting, we are finishing the book much earlier than we had planned, only because it has been a smooth process with the authors (Brett and Eric), the Tech Editor (Jimmy), and publisher (agreeing to push up the schedule to keep up with us!).

We've also had offers of translating the book into other languages, and are visiting that topic.  So far, maybe French...suggestions for others?

Be sure to keep up on the progress of my second book (X-Ways Forensics Practitioner's Guide) at https://xwaysforensics.wordpress.com/.  Eric Zimmerman and I are on the last chapter!

After the book is done, I have a few new things to test and post about WinFE to update the old, bring in the new.

Don't get excited, there isn't a solution to Windows RT or Secure Boot and WinFE (yet!).  But for those working on it, here are two links of interest that help explain a few of the technical details.

 http://www.uefi.org/learning_center/

The UEFI secure boot specification is owned by the UEFI consortium, not Microsoft, so the consortium documentation and specification sets out the real rules of the road for working with UEFI.

http://noggin.intel.com/content/the-flow-of-booting-an-intel-architecture-system

This information was sent to me by the Yoda of WinFE.

We are WAY ahead of our planned writing schedule, mostly because of the XWF Guide writing and editing team are getting things done, fast.

With that, we are reaching the Case Studies chapter, where we will give specific case flow and XWF usage by the type of case.  That means, we have a section on "How to Use XWF on a Child Pornography Case" and "How to Use XWF in an Electronic Discovery Case", and more.



For this chapter to be of most use to the most number of readers, please give us what type of cases you want us to cover.  PLUS, if you have used XWF in a case that worked well, send us your (sanitized) case study and we will add it to the chapter.  Depending on how you'd like credit, we can credit you with the specific case ("case study submitted by ...."), or generically ("so and so" contributed to the case studies chapter), or not at all if you want to remain in the background with a case study.

Don't forget to follow us on Twitter to keep up with the book's progress.  It's going fast and you don't want to miss out.

I can also say that although I felt I was competent XWF user (since 2004!), the research, testing, and delving in XWF for this book opened my eyes to more capabilities of XWF that I never imagined.  You won't be disappointed and after reading this book, you will be using that green XWF dongle a lot!

Chapter 4 is wrapping up! We each have one more chapter to go and then we start the case studies.

The table of contents page is updated to reflect the topics of each chapter and, for the completed chapters, the page and word count of each.

Several fixes based on user testing in this build to include:

• Added Undo button to reverse the tweaking process


• Rearranged GUI to make it less congested


• Undo tweaking automagically if an error occurs to keep report in a known good state


• A bunch of processing fixes to allow for tweaking more than one report in a row


 

 

 

Just released version 0.0.4.8 that includes fixes for international users. The issue had to do with date/time formats and the use of non period decimal separators.

Both should be fixed, but if any of our international friends are having issues, please shoot me an email and I will get it resolved ASAP

You can let the latest build of XWFIM from the URL in the X-Ways Forums or just use the auto-update feature in the program by looking in the lower right corner of the program after it starts.

XWFRT was also updated recently. again you can auto update or pull a copy from here:

https://www.dropbox.com/s/6labcj537jlxnzz/XWFRT.exe

if you run into any reports that cause XWFRT to throw an error, please zip and email me all of the Report*.html files (not any of the directories which contain files) and i will get the issue resolved ASAP

Enjoy!

New in this version is the ability to attach one or more external files to your report.

This includes things like XWF registry reports (as seen below). You can include any kind of file to the report in this manner. HTML files will be viewable directly in the browser.

The screenshot below shows 2 registry reports being added as external files.



And here we see what the report would look like as a result of including the files.