x-ways forensic software and training available at forensicworkstation.ca

X-Ways Forensics I

X-Ways Forensics I Digital Forensic Training

About This Course

X-Ways Forensics I is a 4-day training course focused on the systematic and efficient examination of computer media using the integrated computer forensics software “X-Ways Forensics”. Many topics will be explained along with their theoretical background (slack space, partially initialized space, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files, etc.). Other topics, such as forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, and report creation, amongst others, will be covered.

The students will be instructed, for example, on how to get the most thorough overview of existing and deleted files and data from computer media, and given suggestions on the most efficient ways to process cases relating to CSAM (child sexual abuse material), etc. At the end of the course there will be a practical exam that can be treated as just another exercise or be marked by the instructor. This exam covers the most important functions of X-Ways Forensics and helps to gauge your proficiency (individual results are not recorded). Printed materials for the course will be provided for later repetition. Basic knowledge of computer forensics is a prerequisite.

The approach of this course is very tool-centred. After attending the course, a Certificate of Attendance will be issued by X-Ways Software Technology AG, and the attendee will be eligible to attempt the X-PERT Certification.

XWF I  - 4 Day Training Course

X-Ways Forensics I, 4 days

This main training course is focused on the systematic and efficient examination of computer media using our integrated computer forensics software “X-Ways Forensics”. The approach is very tool-centered. After attending this course and some self-study, you may start the X-PERT certification process (though taking the advanced course as well is recommended).

Complete and systematic coverage of most computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises, simulating most aspects of the complete computer forensics process. Attendees are encouraged to immediately try newly gained insights as provided by the instructor, with sample image files. Many topics are explained along with their theoretical background (slack space, partially initialized space, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files, etc.). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, ... You will receive complete printed training material for later repetition. Prerequisite: basic knowledge of computer forensics.

The students will learn e.g. how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, etc. There will be a practical exam at the end of the course, which you can regard as just another exercise for yourself or that you can take more seriously and get scored by the instructor if you like. The exam recapitulates the most important functions of the software and helps you to gauge your proficiency. The results will not be recorded by us in any way. Note that the instructor will present the answers to the test during the final 20 minutes (in-person training only). Topics may include (not all guaranteed, for example because of time constraints):

• Basic setup of the software
  • Key folder paths
  • Read-only vs. Edit vs. In-Place mode - WinHex vs. X-Ways Forensics
  • Start-up options
  • Alternative disk access methods
  • Viewer programs
• Learning the user interface components
  • Menus and toolbars
  • Directory browser (icons, sorting, navigation, ...)
  • Virtual files and directories
  • Case data window with directory tree
  • The case root
  • Modes: Disk/Partition/Volume vs File
  • Info panel
• Navigating disks and file systems
  • Understanding offsets and sectors
  • Absolute, relative and backwards positioning
  • Directly navigating to specific file system structures (e.g. FILE records in NTFS, Inodes in Ext*)
• Understanding the Data Interpreter
  • Available conversion options
  • How to get the value you actually want
• Creating disk images
  • Raw images and evidence files
  • Fast, adaptive compression
  • In-built encryption
• Creating a case/adding evidence objects
• Hash calculation and checking
• Using the gallery view and skin color detection efficiently
• Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files
• Previewing file contents
• Calendar view and event list (timeline)

• Working with the directory browser
  • Recursive listing of directories and entire drives
  • Column visibility and arrangements
  • Copying cell values
  • Selecting, tagging, hiding, viewing, opening files
  • Recovering/copying files
  • Identifying duplicates based on hash
  • Efficient navigation of the file systems' data structures
• Filtering files
  • existing, previously existing
  • tagged, not tagged
  • viewed, not viewed
  • non-hidden, hidden
  • By name, including multiples: by exact name, using wildcards, searching within name, using GREP
  • By path, including multiples
  • By type - exact type, multiple types, entire category, multiple categories
  • By size
  • By one or more timestamps
  • By attributes: ADS, compression, encryption, e-mail (unread, with attachment), video still, ...
• Creating labels and label associations (formerly report tables)
• Using labels for filtering and classification
• Report creation: Basic reports, labels and activity log
• Refining Volume Snapshots:
  • File system specific thorough data structure search for previously existing data
  • Signature search for previously existing data not identifiable via file system metadata
  • Verifying file types based on signatures and algorithms
  • Extracting metadata from a variety of file types
  • Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome
  • Analyzing Windows Event Logs (evt and evtx)
  • Exploring ZIP, RAR, etc. archives
  • Extracting e-mails from PST, OST, Exchange EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.
  • Finding pictures embedded in documents, etc.
  • Creating video stills from movie files
  • Skin color percentage calculation and black and white detection
  • Picture analysis with Excire
  • Identifying file type specific encryption and running statistical encryption tests
• The Hash Database
  • Importing single or multiple hash sets
  • Creating your own hash sets
  • Matching files against existing hash sets via Refine Volume Snapshot
• Various methods of file recovery
• Customizing file signatures
• Using search functions effectively
  • Practically unlimited numbers of keywords simultaneously
  • Multiple encodings (Windows codepages, MAC encodings, Unicode: UTF-16, UTF-8) simultaneously
  • The many advantages of logical over physical search
  • Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)
  • GREP search
  • Logical combination of multiple keywords while evaluating results
  • Filtering keywords based on the files they are contained in
• Decoding Base64, Uuencode, etc.

It is the goal of our courses to familiarize users of our software with the tool so much that they feel confident drawing sustainable conclusions from the data and metadata stored on, or seemingly deleted from, media to answer specific questions while documenting the proceedings in a manner acceptable in court.
Examples:
"What documents were altered on the evening of January 12, 2012?"
"What pictures were hidden with what method, where and by whom?"
"Who viewed which web pages on what day?"
"Which MS Excel documents saved by Alan Smith contain the word 'invoice'?"
"Which USB sticks were attached to the computer at what time?"

New or existing users requiring X-Ways training: please visit the upcoming course pages or request small group training.

1-613-888-0131

X-Ways Forensics II, 3 Days

Advanced training course for experienced users of X-Ways Forensics and previous attendees of the main course. Definitely not suitable as an introduction for new users of X-Ways Forensics. After attending this course and some self-study, you may start the X-PERT certification process. Topics may include (not all guaranteed because of time constraints or for other reasons):

• .e01 evidence file format
• Creating skeleton images
• Creating cleansed images
• Capturing process memory
• Sector superimposition
• Working with evidence file containers
     • Creating containers, understanding the available options
     • Adding files to containers from various sources
     • Closing containers, optionally converting them
     • Using containers as evidence objects
• Finding and analyzing deleted partitions

• Capturing Memory Processes

• Reverse Imaging and Cloning Specialties

• Reconstructing RAID and Linux MD RAID systems

    • Practical examples for RAID 0 and RAID 5

    • Explanation of underlying data arrangements

    • Clues towards finding the right parameters

• FuzZyDoc

• Conditional cell coloring

• UI Text Adjustments

• Custom keyboard shortcuts

• Advanced sorting rules

• Registry Viewer and Registry Reports, Registry Report definition files

• How X-Tensions work

• Recovering deleted NTFS-compressed files manually

• Block-wise hashing and matching

• Command line usage of X-Ways Forensics

• Indexing

• Customizing the registry report

• Templates 

For Advanced X-Ways training, please visit the upcoming course pages or request small group training.

Attendees who undertake X‑Ways Forensics training with F111TH Consulting are considered trained in X‑Ways Forensics by X-Ways Software Technology AG. Recognized training is also a prerequisite to attempt the official X‑PERT certification exam.


Official Training for S21 AutomateX   

AutomateX allows you to create consistent workflows, whether your examination is CSAM-related or any other investigation that you could process with X-Ways Forensics.

Some Features of AutomateX that will be covered in the training include:

  • Case Creation

  • Drive Imaging

  • All RVS refinements

  • Simultaneous Searching

  • Automatic export and case creation into Semantics 21 LASERi-X (Streamline menu)

  • Consistent Case Workflow for all types of cases. Streamline for CSAM and Xpert for any type of case (creation of all pre-requisites to properly process cases, and how they should be stored)

  • Supports all file types compatible in X-Ways Forensics

  • Combine existing cases, keeping all individual refinements intact

  • Open older cases and conduct further RVS actions and searches not previously processed, etc.

The course is a live, online presentation that is tailored to the audience. It may be 2-4 hrs depending on previous X-Ways Forensics knowledge. (New X-Ways users, or existing users who wish to receive Advanced X-Ways training: please visit the upcoming course pages or request small group training.)

 

Cost of training:

  • $250 for 1 attendee

  • $475 for 2 attendees

  • $700 for 3 attendees

  • $925 for 4 attendees

  • $1000 for 5 or more attendees (this is to train your whole office)

Online training can be set up with little notification to make the training easier for analysts to attend.

Camera required during training to verify attendance.

 

The training is provided by me, Derek Frawley. I am an X-Ways X-PERT and the sole provider of certified XWF I and XWF II (advanced) training in Canada. I have been instrumental in the design and all testing/beta testing of the Jedson Tech X-Tension, as well as all the features of AutomateX (Streamline and Xpert).

 

Please contact us by email for any training requests or questions by clicking the link below.

X-Tensions

Jedson Technology X-Ways X-Tensions

The baseline X-Tension for X-Ways Forensics (a single DLL file) was designed for law enforcement agencies and requires a licensed version of X-Ways Forensics to be running. This DLL is called from within X-Ways Forensics, normally after a volume snapshot has been refined. The baseline X-Tension produces XML reports and file archive folders that are compatible with 'C4All'. The additional variants were added in response to specific needs, based on the advanced features available in various follow-on categorization applications. These variants provide output files and folder layouts that are slightly different from the original 'KPF' variant.

 

Different Variants include:

See info.jedsontech.com

 

Background

In 2014, I thought of the concept to develop an X-Tension to aid C4All extractions from X-Ways. Steve, my cousin and owner at Jedson Technologies, has been the sole developer/programmer of the X-Tensions since inception. I have always been the main beta tester and "new ideas needed" guy. The original version "XwaysKPF" was named after the Kingston Police Force, the Force I worked for at the time. The X-Tension has now grown to include extractions that can be imported and used in Semantics 21 (proprietary XML), Ziuz, and any other software that uses and understands XML and JSON formatted output. It is now used around the world by law enforcement to aid in processing CSEM cases.

Training in the use of the different variants, especially Semantics 21, can also be arranged. Please contact sales@f111thconsulting.com for any requests.


X-Ways Forensics I Course Details

  • This class is open to all forensic professionals. Invoices will be sent once training is confirmed after the minimum number of attendees has been reached. With this in mind, please do not make any travel plans that are not refundable.

  • Due to the sensitive nature of our curriculum, and industry, all potential students are subject to vetting prior to enrollment. We reserve the right to refuse registration to any person that does not meet our established criteria.

Derek Frawley - Course Trainer/Owner, F111TH Consulting

Laptop Requirements: Windows 7 or newer with full admin privileges. A dongle for training will be provided on site if required.
