Icon Menu
Icon Search

X-Ways Forensic Training

Course Content

Module 1: Getting Started with X-Ways Forensics
• Introductions
• Course Overview and X-PERT certification
• Structure, components and functionality
• Key folder paths
• Read-only versus Edit versus In-Place mode
• WinHex versus X-Ways Forensics
• Start-up options
• Alternative disk access methods
• Viewer programs
• Exercise: Installing X-Ways Forensics
Module 2: X-Ways User Interface
• Menus and toolbars
• Directory browser (icons, sorting, navigation, ...)
• Virtual files and directories
• Case data window with directory tree
• The case root
• Modes: Disk/Partition/Volume vs File
• Info panel
• Exercise: Using X-Ways Forensics
Module 3: Creating Disk Images
• Raw images and evidence files
• Fast, adaptive compression
• In-built encryption
Module 4: Creating a Case/Adding Evidence Objects
• Previewing file contents
• Working with the directory browser
• Recursive listing of directories and entire drives
• Column visibility and arrangements
• Efficient navigation of the file systems' data structures
DAY 1 – Continued
Module 4: Creating a Case/Adding Evidence Objects
• Filtering files
o existing, previously existing
o tagged, not tagged
o viewed, not viewed
o non-hidden, hidden
o By name, including multiples: by exact name, using wildcards, searching within name, using GREP
o By path, including multiples
o By type - exact type, multiple types, entire category, multiple categories
Module 4: Creating a Case/Adding Evidence Objects
• Revision Exercise: Filtering
Module 5: The Various Timestamps Available
• Timestamp filter
• Exercise: Timestamp filtering
Module 6: Recovering/Copying Files
• Original names or names derived from other details
• Groupings vs original paths
• Exporting file lists
• Creating report tables and report table associations
• Report creation: Basic reports, report tables and activity log
• Using report tables for filtering and classification
• Exercise: Report table filteringDAY 2 – Continued Module 7: Refining Volume Snapshots
Part 1
• File system specific thorough data structure search for previously existing data
• Signature search for previously existing data not
identifiable via file system metadata
Module 7: Refining Volume Snapshots
Part 2
• Verifying file types based on signatures and algorithms
• Exercise: Type mismatch filtering
Part 3
• Exploring ZIP, RAR, etc. archives
• Extracting e-mails from PST, OST, Exchange EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.
• Finding pictures embedded in documents, etc.
• Exercise: Hidden Pictures
Part 4
• Extracting metadata from a variety of file types
• Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome, Opera
• Analyzing Windows Event Logs (evt and evtx)
Module 8: The Hash Database
• Importing single or multiple hash sets
• Creating your own hash sets
Module 9: Refining Volume Snapshots
Part 5
• Matching files against hash sets in Hash Database
• Creating video stills from movie files
• Skin color percentage calculation and black and white detection
• PhotoDNA
• Identifying file type specific encryption and running statistical encryption tests
Module 10: Using Search Functions Effectively
• Practically unlimited numbers of keywords simultaneously
• Multiple encodings (Windows codepages, MAC encodings, Unicode: UTF-16, UTF-8) simultaneously
• Advantages of logical over physical search
• Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)
• GREP search
• Logical combination of multiple keywords while evaluation results
• Filtering keywords based on the files they are contained in
• Exercise: Search

This course is taught Inclass. Contact Fulcrum for more information and to schedule.


Duration - 4 Days

Dates & Locations

  • 16.12.24 - Sydney

Enquire about this training course