E-book, English, 264 pages
Shavers / Zimmerman: X-Ways Forensics Practitioner's Guide
1st edition, 2013
ISBN: 978-0-12-411622-1
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
The X-Ways Forensics Practitioner's Guide is more than a manual: it is a complete reference guide to the full use of one of the most powerful forensic applications available, software that is used by a wide array of law enforcement agencies and private forensic examiners on a daily basis. In the X-Ways Forensics Practitioner's Guide, the authors provide you with complete coverage of this powerful tool, walking you through configuration and X-Ways fundamentals, and then moving through case flow, creating and importing hash databases, digging into OS artifacts, and conducting searches. With the X-Ways Forensics Practitioner's Guide, you will be able to use X-Ways Forensics to its fullest potential without any additional training. The book takes you from installation to the most advanced features of the software. Once you are familiar with the basic components of X-Ways, the authors demonstrate never-before-documented features using real-life examples and information on how to present investigation results. The book culminates with chapters on reporting, triage and preview methods, as well as electronic discovery and cool X-Ways apps.
- Provides detailed explanations of the complete forensic investigation process using X-Ways Forensics.
- Goes beyond the basics: hands-on case demonstrations of never-before-documented features of X-Ways.
- Provides the best resource of hands-on information to use X-Ways Forensics.
Brett Shavers is a former law enforcement officer of a municipal police department. He has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended over 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the department's first digital forensics lab in a small, cluttered storage closet.
Table of contents (page numbers refer to the e-book edition):

1 Front Cover (p. 1)
2 X-Ways Forensics Practitioner's Guide (p. 4)
3 Copyright (p. 5)
4 Contents (p. 6)
5 Acknowledgments (p. 12)
6 About the Authors (p. 14)
7 Foreword (p. 16)
8 Introduction (p. 18)
  8.1 Introduction (p. 18)
    8.1.1 Intended audience (p. 18)
    8.1.2 Brief history of X-Ways Forensics (p. 19)
    8.1.3 Comparisons to "other" forensic suites (p. 20)
  8.2 Organization of this book (p. 20)
    8.2.1 Chapter 1: Installation and configuration of X-Ways Forensics (p. 21)
    8.2.2 Chapter 2: Case management and imaging (p. 21)
    8.2.3 Chapter 3: Navigating the X-Ways Forensics interface (p. 21)
    8.2.4 Chapter 4: Refine volume Snapshot (p. 21)
    8.2.5 Chapter 5: The XWF internal hash database and registry viewer (p. 22)
    8.2.6 Chapter 6: Searching in X-Ways Forensics (p. 22)
    8.2.7 Chapter 7: Advanced use of XWF (p. 22)
    8.2.8 Chapter 8: X-Ways Forensics reporting (p. 22)
    8.2.9 Chapter 9: X-Ways Forensics and electronic discovery (p. 22)
    8.2.10 Chapter 10: Consent to search and supervision of paroles (p. 22)
  8.3 Summary (p. 23)
9 Chapter 1: Installation and Configuration of X-Ways Forensics (p. 24)
  9.1 Introduction (p. 24)
  9.2 System requirements (p. 24)
  9.3 Installing XWF (p. 25)
    9.3.1 Alternative install methods (p. 26)
  9.4 The XWF dongle (p. 28)
    9.4.1 Upgrading your dongle (p. 30)
  9.5 The XWF user interface (p. 31)
  9.6 Configuring XWF (p. 32)
  9.7 Summary (p. 37)
  9.8 Reference (p. 37)
10 Chapter 2: Case Management and Imaging (p. 38)
  10.1 Introduction (p. 38)
  10.2 Creating a case file (p. 39)
    10.2.1 Creating a new case (p. 40)
      10.2.1.1 General case information section (p. 41)
      10.2.1.2 Audit trail and activity logging section (p. 42)
      10.2.1.3 Code pages section (p. 42)
      10.2.1.4 Other options section (p. 42)
  10.3 Creating/Adding evidence files (p. 44)
  10.4 Creating forensic images with XWF (p. 45)
    10.4.1 Live response using XWF (p. 50)
    10.4.2 Using XWF to review medium while imaging (p. 50)
  10.5 Reverse imaging (p. 51)
  10.6 Skeleton imaging (p. 53)
  10.7 Cleansed imaging (p. 55)
  10.8 CD/DVD (p. 56)
  10.9 Physical memory imaging (p. 56)
  10.10 Container files (p. 57)
  10.11 Working with RAID arrays (p. 59)
  10.12 Augmenting with F-Response (p. 62)
  10.13 Shortcuts (p. 66)
  10.14 Summary (p. 66)
11 Chapter 3: Navigating the X-Ways Forensics Interface (p. 68)
  11.1 Introduction (p. 68)
  11.2 Case Data directory tree (p. 68)
    11.2.1 Right-click behaviors (p. 70)
    11.2.2 Middle-click behaviors (p. 73)
  11.3 Toolbar, tab control, and Directory Browser Options, Filters (p. 74)
    11.3.1 General Options (p. 76)
    11.3.2 Item listing options (p. 80)
    11.3.3 Directory Browser column and filter options (p. 80)
    11.3.4 Directory Browser columns (p. 81)
  11.4 Directory Browser (p. 83)
    11.4.1 Column sorting (p. 83)
    11.4.2 Column filtering (p. 83)
    11.4.3 Directory Browser context menu (p. 86)
  11.5 Mode buttons and Details pane (p. 96)
    11.5.1 Legend mode (p. 96)
    11.5.2 Volume/Partition mode (p. 96)
    11.5.3 Disk mode (p. 97)
    11.5.4 File mode (p. 97)
    11.5.5 Preview mode (p. 97)
    11.5.6 Details mode (p. 98)
    11.5.7 Gallery mode (p. 98)
    11.5.8 Calendar mode (p. 99)
    11.5.9 Directory Browser mode (p. 99)
    11.5.10 Sync mode (p. 99)
    11.5.11 Explore recursively mode (p. 99)
    11.5.12 Search hit list mode (p. 99)
    11.5.13 Events mode (p. 99)
    11.5.14 Position manager mode (p. 99)
  11.6 Status bar (p. 100)
    11.6.1 Right-clicking the status bar (p. 100)
    11.6.2 Left-clicking the status bar (p. 101)
    11.6.3 Data Interpreter (p. 102)
  11.7 Main menu (p. 103)
  11.8 General Options continued (p. 103)
  11.9 Volume Snapshot options (p. 107)
  11.10 Viewer Programs options continued (p. 107)
  11.11 Security Options (p. 107)
  11.12 Shortcuts (p. 109)
  11.13 Summary (p. 109)
12 Chapter 4: Refine Volume Snapshot (p. 112)
  12.1 Introduction (p. 112)
  12.2 Volume snapshot options (p. 113)
  12.3 Starting RVS (p. 116)
    12.3.1 Take new one and default RVS options (p. 117)
  12.4 RVS options (p. 118)
    12.4.1 File recovery options (p. 119)
    12.4.2 File processing options (p. 121)
    12.4.3 Extract e-mail messages and attachments from... (p. 125)
  12.5 Results of an RVS (p. 128)
  12.6 Shortcuts (p. 130)
  12.7 Summary (p. 130)
  12.8 Reference (p. 131)
13 Chapter 5: The XWF Internal Hash Database and the Registry Viewer (p. 132)
  13.1 Introduction (p. 132)
  13.2 XWF internal hash database and hash sets (p. 133)
    13.2.1 Hash categories (p. 133)
    13.2.2 Computing hash values (p. 135)
    13.2.3 Creating hash sets (p. 136)
    13.2.4 Duplicate hash values (p. 140)
  13.3 The registry through X-Ways Forensics (p. 141)
  13.4 The XWF Registry Viewer (p. 143)
    13.4.1 Viewing USB devices (p. 144)
    13.4.2 Exporting (p. 146)
  13.5 The XWF Registry Report (p. 147)
  13.6 Shortcuts (p. 148)
  13.7 Summary (p. 148)
14 Chapter 6: Searching in X-Ways Forensics (p. 150)
  14.1 Introduction (p. 150)
  14.2 Simultaneous search (p. 150)
    14.2.1 Search terms and code pages (p. 151)
    14.2.2 How to search options (p. 152)
    14.2.3 Where to search options (p. 153)
    14.2.4 Additional search options (p. 155)
    14.2.5 Search methodologies (p. 156)
  14.3 Regular expressions (p. 156)
    14.3.1 Regular expression examples (p. 158)
  14.4 GREP and regular expressions in XWF (p. 160)
  14.5 Indexed search (p. 161)
    14.5.1 Other index-related options (p. 167)
  14.6 Reviewing search hits (p. 168)
    14.6.1 Search Hit List columns (p. 169)
    14.6.2 Interacting with the Search Hit List (p. 169)
    14.6.3 Simultaneous search results vs. indexed search results (p. 170)
    14.6.4 Search Hit List options (p. 170)
    14.6.5 + and - operators (p. 171)
    14.6.6 Alternate method (p. 171)
    14.6.7 Proximity between search terms using the Search Hit List (p. 172)
  14.7 Text search (p. 172)
  14.8 Hexadecimal search (p. 174)
  14.9 Shortcuts (p. 175)
  14.10 Summary (p. 175)
15 Chapter 7: Advanced Use of X-Ways Forensics (p. 176)
  15.1 Introduction (p. 176)
  15.2 Customizing X-Ways Forensics configuration files (p. 176)
    15.2.1 XWF directory-based configuration files (p. 177)
    15.2.2 User profile-based configuration files (p. 177)
    15.2.3 File Type Categories.txt (p. 177)
      15.2.3.1 Assigning ranks (p. 177)
      15.2.3.2 Assigning groups (p. 178)
      15.2.3.3 The effects of FTC customization (p. 179)
    15.2.4 File Type Signatures Check Only.txt (p. 180)
    15.2.5 File Type Signatures Search.txt (p. 180)
  15.3 Maneuvering in hex (p. 180)
    15.3.1 Data Interpreter (p. 181)
    15.3.2 Defining blocks of data (p. 183)
    15.3.3 User search hits (p. 183)
    15.3.4 Other options (p. 184)
    15.3.5 Sector superimposition (p. 186)
    15.3.6 Templates (p. 186)
  15.4 Timeline and event analysis (p. 190)
    15.4.1 Calendar mode (p. 190)
    15.4.2 Events view (p. 192)
  15.5 Gathering free and slack space (p. 193)
  15.6 RAM analysis (p. 195)
    15.6.1 Opening memory from within XWF (p. 198)
  15.7 Scripting, X-Tensions API, and external analysis interface (p. 199)
    15.7.1 Scripting (p. 199)
    15.7.2 X-Tensions (p. 200)
    15.7.3 External analysis interface (p. 200)
  15.8 Shortcuts (p. 201)
  15.9 Summary (p. 202)
16 Chapter 8: X-Ways Forensics Reporting (p. 204)
  16.1 Introduction (p. 204)
  16.2 Adding items to a report table (p. 204)
    16.2.1 RT associations options (p. 206)
    16.2.2 Adding a new RT association (p. 208)
    16.2.3 Meanwhile, back in the Directory Browser (p. 210)
    16.2.4 Sharing RT associations (p. 211)
  16.3 Comments (p. 212)
  16.4 Report generation (p. 212)
    16.4.1 Main report options (p. 214)
    16.4.2 Audit trail options (p. 214)
    16.4.3 RT options (p. 214)
  16.5 Report customization (p. 217)
  16.6 Shortcuts (p. 218)
  16.7 Summary (p. 218)
17 Chapter 9: X-Ways Forensics and Electronic Discovery (p. 220)
  17.1 Introduction (p. 220)
  17.2 Civil litigation (p. 220)
    17.2.1 Preparing XWF (p. 221)
    17.2.2 Accessing the data (p. 222)
    17.2.3 User-created files: existing (active) files (p. 223)
    17.2.4 Copying the filtered files (p. 225)
    17.2.5 Optional method of creating a file list (p. 225)
    17.2.6 Printing the relevant files (p. 226)
    17.2.7 XWF container (p. 227)
    17.2.8 Redacting files within an image (p. 228)
  17.3 Review of relevant data with X-Ways Investigator (p. 229)
    17.3.1 Bates numbering (p. 230)
    17.3.2 Attorney review of data (p. 231)
    17.3.3 Forensic analysis and electronic discovery (p. 231)
    17.3.4 Log file and reporting (p. 231)
  17.4 Summary (p. 231)
  17.5 Reference (p. 232)
18 Chapter 10: X-Ways Forensics and Criminal Investigations (p. 234)
  18.1 Introduction (p. 234)
  18.2 X-Ways Forensics and criminal investigations (p. 235)
    18.2.1 Prepare XWF (p. 236)
    18.2.2 Adding evidence items (p. 237)
    18.2.3 Case scenario (p. 239)
  18.3 Summary (p. 241)
  18.4 Reference (p. 242)
19 Appendix A: X-Ways Forensics Additional Information (p. 244)
  19.1 Introduction (p. 244)
  19.2 Online resources (p. 244)
    19.2.1 X-Ways Forensics video clips: http://xwaysclips.blogspot.com/ (p. 244)
    19.2.2 JustAskWeg: http://justaskweg.com/ (p. 245)
    19.2.3 Third-party software (p. 245)
  19.3 Keyboard shortcuts (p. 246)
    19.3.1 Shortcuts and commands under "File" (p. 247)
    19.3.2 Shortcuts under Edit (p. 247)
    19.3.3 Shortcuts under Edit | Copy Sector (p. 247)
    19.3.4 Shortcuts under Edit | Clipboard Data (p. 247)
    19.3.5 Shortcuts under Search (p. 248)
    19.3.6 Shortcuts under Navigation (p. 248)
    19.3.7 Shortcuts under Navigation | Go To (p. 248)
    19.3.8 Shortcuts under View (p. 249)
    19.3.9 Shortcuts under Tools (p. 249)
    19.3.10 Shortcuts under Tools | Disk Tools (p. 249)
    19.3.11 Shortcuts under Tools | File Tools (p. 249)
    19.3.12 Shortcuts under Specialist (p. 249)
    19.3.13 Shortcuts under Specialist | Evidence File Container (p. 250)
    19.3.14 Shortcuts under Options (p. 250)
    19.3.15 Shortcuts under Window (p. 250)
20 Appendix B: X-Ways Forensics How-to's (p. 252)
  20.1 Frequently asked questions and more XWF tips (p. 252)
    20.1.1 How can I find encrypted containers? (p. 252)
    20.1.2 Can I search slack space while eliminating logical file contents? (p. 252)
    20.1.3 I want to list files so that parent files precede their child objects. Is this possible? (p. 253)
    20.1.4 I need to recursively list two directories at once. What is the easiest way? (p. 253)
    20.1.5 How can I export a recursive file listing? (p. 253)
    20.1.6 Is it possible to conduct a keyword search on cell phone evidence? (p. 253)
    20.1.7 How can I import Base32-encoded SHA-1 hashes? (p. 253)
    20.1.8 How can I export a search hit list? (p. 254)
    20.1.9 I need to export search hits. Where in XWF can I do this? (p. 254)
    20.1.10 Can XWF generate a registry report for every hive in a case? (p. 254)
    20.1.11 What if I need to reprocess items from an evidence object? How can I do this in XWF? (p. 254)
    20.1.12 How do I verify the hash of an image? (p. 254)
    20.1.13 How can I find which volume shadow copy a file came from? (p. 254)
    20.1.14 I want to tag every item in an evidence object. How can I do this and how can I untag if needed? (p. 255)
    20.1.15 I can't find files that I know I tagged! What happened to the files? (p. 255)
    20.1.16 There are so many files I see that I know are duplicates, but I can't find how to hide them. How can I hide all duplicates? (p. 255)
    20.1.17 How can I find and export all e-mail addresses from an image? (p. 255)
    20.1.18 I just need to copy active files from a custodian's machine and don't need a forensic analysis. Do I have to take a refined s ... (p. 255)
    20.1.19 I want to use XWF as a consent search application. Should I run it from an external device on a live machine or should I us ... (p. 256)
    20.1.20 There are some things XWF does not do that I would like it to do. Will XWF update to what my needs are? (p. 256)
    20.1.21 There are a lot of features and options available in XWF. Am I expected to know where everything is? (p. 256)
    20.1.22 I have been using so many filters and hiding files that I don't remember which files I am hiding or able to view. Can I just ... (p. 256)
    20.1.23 I want to use WinHex and XWF but I want to be sure that I do not edit evidence by mistake. Since the two programs look the ... (p. 256)
21 Index (p. 258)