Monday, May 28, 2012

A short X-War story.


Around two years ago I got a new job. Part of my responsibility was to build the firm's Computer Forensic practice almost from scratch. On my first day at work I was out imaging a dozen computers, and then brought the acquired images for processing into a room which later became our computer forensics lab. A Dell Optiplex 755 and EnCase were the only tools available at the time, and the current investigation urgently demanded computer forensic reports and results. Just as a side note: I have been in the industry for many years, hold MCSE certifications and knew well how to install and properly configure a forensic workstation and its tools.

Twenty-four hours later I was nowhere with these images, still dealing with constant EnCase crashes. Downgrading the EnCase version or calling tech support was of no help. Using open source tools was not an option due to the time constraints, and to make things worse I had access to only a very slow Internet connection.

I gave X-Ways a call and arranged an urgent delivery of an X-Ways Forensics dongle. It arrived in a couple of days. Within just a few hours I had information flowing to the investigators. About six days (and nights) later I had all the reports done. X-Ways Forensics was rock solid, with not a single crash.

X-Ways Forensics is currently in a very active development stage, with new features being added almost on a weekly basis. Mind you, X-Ways is already a very advanced tool with many unique features that are not yet available in EnCase or FTK. Volume Shadow Copy support is a good example. The tool also often interprets data more accurately than other mainstream forensic tools. I just read Mike's post regarding disks using 4k sectors. Mike in his recent post mentioned X-Ways as the only forensic tool able to correctly interpret info from such disks (EnCase 7 might work as well, so maybe some folks will actually start using it :-). This is consistent with my experience and very illustrative.
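To show why a 4k-sector disk trips up a tool that silently assumes 512-byte sectors, here is an added example (my own code, not from X-Ways, EnCase or Mike's post). The MBR partition table stores the partition start as an LBA, that is, a count of sectors; the byte offset an examiner must seek to is LBA times the physical sector size. The script builds a constructed disk image whose MBR addresses an NTFS volume in 4096-byte units, then interprets it under both sector sizes and checks whether an NTFS boot record actually sits at the computed offset. The image layout, partition geometry and the `locate_ntfs_volume` helper are all assumptions made for the demonstration.

```python
import struct

# Sector sizes compared below: the legacy assumption and Advanced Format native 4k.
LEGACY_SECTOR = 512
NATIVE_4K_SECTOR = 4096


def build_mbr(start_lba, size_sectors, part_type=0x07):
    """Build a minimal MBR holding one partition entry.
    Constructed test data, not taken from any real disk."""
    mbr = bytearray(512)
    # Entry layout: status, CHS start (unused here), type, CHS end (unused), LBA start, LBA size
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, bytes(3), part_type,
                               bytes(3), start_lba, size_sectors)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def build_ntfs_vbr(bytes_per_sector):
    """Build a minimal NTFS volume boot record: OEM ID plus the BIOS Parameter
    Block's bytes-per-sector field (constructed test data)."""
    vbr = bytearray(512)
    vbr[3:11] = b"NTFS    "
    vbr[11:13] = struct.pack("<H", bytes_per_sector)
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


def build_disk_image(sector_size, start_lba, size_sectors):
    """Assemble an image whose MBR addresses the volume in *sector_size* units."""
    image = bytearray(sector_size * (start_lba + size_sectors))
    image[0:512] = build_mbr(start_lba, size_sectors)
    volume_offset = start_lba * sector_size          # where the VBR really lives
    image[volume_offset:volume_offset + 512] = build_ntfs_vbr(sector_size)
    return bytes(image)


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts of raw LBA values."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR boot signature missing")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs_a, ptype, _chs_b, start, size = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:
            entries.append({"type": ptype, "start_lba": start, "size_sectors": size})
    return entries


def partition_byte_offset(entry, sector_size):
    """LBA values count sectors; the byte offset depends on the sector size assumed."""
    return entry["start_lba"] * sector_size


def locate_ntfs_volume(image, sector_size):
    """Interpret the MBR under *sector_size* and verify an NTFS VBR sits there.
    Returns (byte_offset, found, bytes_per_sector_from_bpb_or_None)."""
    entry = parse_mbr(image[:512])[0]
    offset = partition_byte_offset(entry, sector_size)
    if offset + 512 > len(image):
        return offset, False, None
    vbr = image[offset:offset + 512]
    if vbr[3:11] != b"NTFS    ":
        return offset, False, None          # wrong place: nothing recognisable here
    bps = struct.unpack("<H", vbr[11:13])[0]
    return offset, True, bps


def demo():
    """Same 4k-native image, read with the wrong and the right sector size."""
    image = build_disk_image(NATIVE_4K_SECTOR, start_lba=256, size_sectors=16)
    wrong = locate_ntfs_volume(image, LEGACY_SECTOR)
    right = locate_ntfs_volume(image, NATIVE_4K_SECTOR)
    return wrong, right


if __name__ == "__main__":
    wrong, right = demo()
    print("assuming 512-byte sectors :", wrong)
    print("assuming 4096-byte sectors:", right)
```

With the 512-byte assumption the tool seeks to 131072 and finds no file system; with 4096 it lands on 1048576, the real start of the volume, and the BPB's own bytes-per-sector field agrees with the assumed size. That cross-check (does the VBR at the computed offset report the sector size you used to get there?) is a cheap sanity test worth running on any image acquired from a drive of unknown sector size.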

Looking at the latest features of X-Ways, I wonder if the team of developers at X-Ways ever sleeps. Recently added: support for VMDK snapshot images, support for NK2 Outlook auto-complete files, IE travellog files, and metadata extraction from manifest.mbdx and manifest.mbdb iPhone backup files. The most significant addition for me personally is a plug-in to run Python scripts as X-Tensions for X-Ways Forensics. Did I mention that you actually hear back from their technical support?