X-Ways Forensics v19.9 SR-8
X-Ways Forensics Version 19.6-SR-4 x64. 1 Tested Tool Description. Tool Name: X-Ways Forensics Tool Version: Version 19.6-SR-4 x64 Vendor: X-Ways Software Technology AG. 2 Results Summary. The test data set and test cases used to create this test report are limited to frequently encountered aspects of searching for text. Sr6 incl keymaker ror torrent or choose other x ways forensics v12 0 sr6 incl keymaker ror.x ways forensics v13.0 sr 1. 12.7 is now available for. Check the crack folder for instructions. Enjoy X Ways WinHex Forensics v20 x64-x86 maddy torrent X Ways WinHex Forensics v20 64-Bit Download Torrent X Ways WinHex Forensics v20 download uTorrent client.
- X Ways WinHex Forensics v20 Download. Check the crack folder for instructions.
- X-Ways Forensics. X-Ways Forensics is an advanced work environment for computer forensic examiners. It facilitates disk cloning and imaging, reading of partitioning and file system structures inside raw image files, and recovery of deleted files. This tool has native support for FAT, exFAT, NTFS, and optical disk file systems.
X-Ways Forensics comprises all the general and specialist features known from WinHex, such as...
Disk cloning and imaging
Ability to read partitioning and file system structures inside raw (.dd) image files, ISO, VHD, VHDX, VDI, and VMDK images
Complete access to disks, RAIDs, and images more than 2 TB in size (more than 232 sectors) with sector sizes up to 8 KB
Built-in interpretation of JBOD, RAID 0, RAID 5, RAID 5EE, and RAID 6 systems, Linux software RAIDs, Windows dynamic disks, and LVM2
Automatic identification of lost/deleted partitions
Native support for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet, UDF
Superimposition of sectors, e.g. with corrected partition tables or file system data structures to parse file systems completely despite data corruption, without altering the original disk or image
Access to logical memory of running processes
Various data recovery techniques, lightning fast and powerful file carving
Well maintained file header signature database based on GREP notation
Data interpreter, knowing 20 variable types
Viewing and editing binary data structures using templates
Hard disk cleansing to produce forensically sterile mediaGathering slack space, free space, inter-partition space, and generic text from drives and images
File and directory catalog creation for all computer media
Easy detection of and access to NTFS alternate data streams (ADS)
Mass hash calculation for files (Adler32, CRC32, MD4, ed2k, MD5, SHA-1, SHA-256, RipeMD-128, RipeMD-160, Tiger-128, Tiger-16, Tiger-192, TigerTree, ...)
Lightning fast powerful physical and logical search capabilities for many search terms at the same time
Recursive view of all existing and deleted files in all subdirectories
Automatic coloring for the structure of FILE records in NTFS
Bookmarks/annotations
Runs under Windows FE, the forensically sound bootable Windows environment, e.g. for triage/preview, with limitations
Support for high DPI settings in Windows
Ability to analyze remote computers in conjunction with F-Response
...
...and then some:
Superior, fast disk imaging with intelligent compression options
Ability to read and write .e01 evidence files (a.k.a. EnCase images), optionally with real encryption (256-bit AES, i.e. not mere “password protection”)
Ability to create skeleton images, cleansed images, and snippet images (details)
Ability to copy relevant files to evidence file containers, where they retain almost all their original file system metadata, as a means to selectively acquire data in the first place or to exchange selected files with investigators, prosecution, lawyers, etc.
Complete case management.
Ability to tag files and add notable files to the case report. Ability to enter comments about files for inclusion in the report or for filtering.
Support for multiple examiners in cases, where X-Ways Forensics distinguishes between different users based on their Windows accounts. Users may work with the same case at different times or at the same time and keep their results (search hits, comments, report table associations, tagmarks, viewed files, excluded files, attached files) separate, or shares them if desired.
Case reports can be imported and further processed by any other application that understands HTML, such as MS Word
CSS (cascading style sheets) supported for for case report format definitions
Automated activity logging (audit logs)
Write protection to ensure data authenticity
Keeps you posted about the progress of automatic processing via a drive on the same network or via e-mail while you are not at your workplace
Remote analysis capability for drives in network can be added optionally (details)
Additional support for the filesystems HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, XFS, many variants of UFS1 and UFS2, many data structures of APFS
Ability to include files from all volume shadow copies in the analysis (but exclude duplicates), filter for such files, find the snapshot properties, etc.
Often finds much more traces of deleting files than competing programs, thanks to superior analysis of file system data structures, including $LogFile in NTFS, .journal in Ext3/Ext4
The basis for a listed file is practically just a mouse click away. Easily navigate to the file system data structure where it is defined, e.g. FILE record, index record, $LogFile, volume shadow copy, FAT directory entry, Ext* inode, containing file if embedded etc.
Supported partitioning types: MBR, GPT (GUID partitioning), Apple, Windows dynamic disks (both MBR and GPT style), LVM2 (both MBR and GPT style), and unpartitioned (Superfloppy)
Very powerful main memory analysis for local RAM or memory dumps of Windows 2000, XP, Vista, 2003 Server, 2008 Server, Windows 7
Sector superimposition to virtually fix corrupt data on disks or in images and enable further analysis steps without altering the disks sectors/images
Shows owners of files, NTFS file permissions, object IDs/GUIDs, special attributes
Output of all internal file system timestamps (even 0x30 timestamps in NTFS, added dates in HFS+)
Torrent X-ways Forensics Software
Special identification of suspicious extended attributes ($EA) in NTFS, as used for example by ReginCompensation for NTFS compression effects and Ext2/Ext3 block allocation logic in file carving
Torrent X-ways Forensics Free
Carving of files also within other files
Lightning-fast matching of files against the up to 2 internal file hash databases
Matching sector contents against a block hash database, to identify incomplete fragments of highly relevant known files
FuzZyDoc™ hashing to identify known textual contents (e.g. classified documents, invoices, stolen intellectual property, e-mails) even if stored in a different file format, re-formatted, edited, ...
PhotoDNA hashing to identify known photos (e.g. child pornography) even if stored in a different file format, resized, color-adjusted, constrast-adjusted, blurred, sharpened, partially pixelated, edited, mirrored (law enforcement only)
Ability to import hash sets in these formats: Project Vic JSON/ODATA, NSRL RDS 2.x, HashKeeper, ILook, ...
Create your own hash sets
Computation of two hash values of different types at the same time
Random analysis scope reduction using ID modulo filter and immediately available pseudo-hash values
Torrent X-ways Forensics Free
Convenient back & forward navigation from one directory to another, multiple steps, restoring sort criteria, filter (de)activation, selection
Gallery view, showing thumbnails of pictures, videos, even documents and many other non-picture file types
Calendar view, showing hotspots of activity, ideal to combine with the chronological event list
File preview, seamlessly integrated viewer component for 270+ file types
Ability to print the same file types directly from within the program with all metadata on a cover page
Internal viewer for Windows Registry files (all Windows versions); automated and configurable powerful Registry report that also check value slack in registry hives
Viewer for Windows event log files (.evt, .evtx), Windows shortcut (.lnk) files, Windows Prefetch files, $LogFile, $UsnJrnl, restore point change.log, Windows Task Scheduler (.job), $EFS LUS, INFO2, wtmp/utmp/btmp log-in records, MacOS X kcpassword, AOL-PFC, Outlook NK2 auto-complete, Outlook WAB address book, Internet Explorer travellog (a.k.a. RecoveryStore), Internet Explorer index.dat history and browser cache databases, SQLite databases such as Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, Safari feeds, Skype's main.db database with contacts and file transfers, ...
Ability to collect Internet Explorer history and browser cache index.dat records that are floating around in free space or slack space in a virtual single file
Extracts metadata and internal creation timestamps from various file types and allows to filter by that, e.g. MS Office, OpenOffice, StarOffice, HTML, MDI, PDF, RTF, WRI, AOL PFC, ASF, WMV, WMA, MOV, AVI, WAV, MP4, 3GP, M4V, M4A, JPEG, BMP, THM, TIFF, GIF, PNG, GZ, ZIP, PF, IE cookies, DMP memory dumps, hiberfil.sys, PNF, SHD & SPL printer spool, tracking.log, .mdb MS Access database, manifest.mbdx/.mbdb iPhone backup, ...
Keeps track of which files were already viewed during the investigation
Automatic cell background coloring based on user-defined conditions helps to draw your attention to items of interest without having to filter out all non-matching items.
Include external files, e.g. translations or decrypted or converted versions of original files, and connect them to the files they belong with
Ability to examine e-mail extracted from Outlook (PST, OST), Exchange EDB, Outlook Express (DBX), AOL PFC, Mozilla (including Thunderbird), generic mailbox (mbox, Unix), MSG, EML
Can produce a powerful event list based on timestamps found in all supported file systems, in operating systems (including event logs, registry, recycle bin, ...), and file contents (e.g. e-mail headers, Exif timestamps, GPS timestamps, last printed timestamps; browser databases, Skype chats, calls, file transfers, account creation...).
Event timestamps can be sorted chronologically to get a timeline of events. They are represented graphically in a calendar to easily see hotspots of activity or periods of inactivity or to quickly filter for certain time periods with 2 mouse clicks.
Extremely extensive and precise file type verification based on signatures and specialized algorithms
Allows you to define your own file header signatures, file types, type categories, file type ranks, and file type groups
Directory tree on the left, ability to explore and tag directories including all their subdirectories
Synchronizing the sectors view with the file list and directory tree
MANY powerful dynamic filters based on true file type, hash set category, timestamps, file size, comments, report tables, contained search terms, ...
Ability to identify and filter our duplicate files
Ability to copy files off an image or a drive including their full path, including or excluding file slack, or file slack separately or only slack
Automatic identification of encrypted MS Office and PDF documents
Can extract almost any kind of embedded files (including pictures) from any other kind of files, thumbnails from JPEGs and thumbcaches, .lnk shortcuts from jump lists, various data from Windows.edb, browser caches, PLists, tables from SQLite databases, miscellaneous elements from OLE2 and PDF documents, ...
Skin color detection (e.g. a gallery view sorted by skin color percentage greatly accelerates a search for traces of child pornography)
Detection of black & white or gray-scale pictures, which could be scanned-in documents or digitally stored faxes
Detection of PDF documents that should be OCR'ed
Ability to extract still pictures from video files in user-defined intervals, using MPlayer or Forensic Framer, to drastically reduce the amount of data when having to check for inappropriate or illegal content
Lists the contents of archives directly in the directory browser, even in a recursive view
Logical search, in all or selected files/directories only, following fragmented cluster chains, in compressed files, metadata, optionally decoding text in PDF, HTML, EML, ..., optionally using GREP (regular expressions), user-defined 'whole words' option, and much more
Powerful search hit listings with context preview, e.g. like “all search hits for the search terms A, B, and D in .doc and .ppt files below Documents and Settings with last access date in 2004 that do not contain search term C”
Option to sort search hits by their data and context instead of just by the search terms to which they belong. Ability to filter search hits by the textual context around them using an additional keyword.
Highly flexible indexing algorithm, supporting solid compound words and virtually any language
Search and index in both Unicode and various code pages
Logically combine search hits with an AND, fuzzy AND, NEAR, NOTNEAR, + and - operators
Ability to export search hits as HTML, highlighted within their context, with file metadata
Detection and removal of host-protected areas (HPA, ATA-protected areas), and DCO
Ability to decompress entire hiberfil.sys files and individual xpress chunks
X-Tensions API (programming interface) to add your own functionality or automate existing functionality with very high performance (for example the popular C4All as an X-Tension runs about 6 times faster than as an EnScripts), does not require you to learn a proprietary programming language
No complicated database to set up and connect to, with the risk of never being able to open your case again like in competing software
Interface for PhotoDNA (only for law enforcement), which can recognize known pictures (even if stored in a different format or altered) and can return the classification (“CP”, “relevant”, “irrelevant”) to X-Ways Forensics
...
Only for V.I.P
- X-Ways Forensics is a 4-Day training course focused on the systematic and efficient examination of computer media using the integrated computer forensics software X-Ways Forensics. Students will learn complete andsystematic methods of the computer forensics features in both WinHex and X-Ways Forensics.
- X-Ways Forensics X-Ways Forensics comprises all the general and specialist features known from WinHex, such as Disk cloning and imaging Ability to read partitioning and file system structures.
A bit about hashing
In digital forensics, hashing is generally used as a method of verifying the integrity of a forensic image or file. The MD5 algorithm has become the accepted standard and used worldwide. Without getting into a long conversational piece about hash collisions and other more reliable and faster methods, MD5 for most purposes is still sufficient.
X-Ways Forensics: Integrated computer forensics environment. Our flagship product, based on WinHex. X-Ways Investigator: Reduced, simplified version of X-Ways Forensics for police investigators.
File hashing has had a long grounding in Law Enforcement cases to identify known good and known bad sets of image file hashes.
Known good hash sets allow an analyst to reduce their data set within their forensic evidence dramatically by removing any files/images related to software and operating systems. NIST has kept the NSRL hash sets updated for a number of years and these among others are widely used to perform this function.
Known bad hashes of images, particularly for indecent image cases are more controversial and have led to many a late-night discussion over how these should be used, managed and categorised.
The major benefit of generating known bad hash set(s) for indecent image cases, is that you are minimising the exposure of the material to the analyst. I believe having a centralised (accurate) hash database to be of utmost importance for the sanity of all those individuals who spend their time categorising images.
X-ways Forensics Software Review
Complete and systematic coverage of all computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises, simulating most aspects of the complete computer forensics process. X-Ways is a type of software application utilized by forensic examiners to perform specific duties with greater speed and efficiency. An X-Ways Investigator has received extensive training on the advanced methods of retrieving, storing and remitting data.
The other knock-on effect of using hash sets is that it decreases the analysts time to complete their work, which for overburdened Cybercrime units can only be a blessing.
File hashing can also be used to differentiate files across multiple sources, identifying specific files across evidence sources and assisting with identifying malware (although this is not a full proof approach for malware analysis).
Anyway, on to how we can utilise hashing in X-Ways Forensics.
Hashing in X-Ways Forensics
X Ways Forensics Download Free
I’ll start off by making the assumption that you have a basic understanding of how to use X-Ways.
First, you will need to establish a storage location for your hash database(s). X-Ways comes with the option to configure two different databases, this can be useful if you have hashes using different algorithms such as MD5 or SHA1.
X Ways Forensics Cost
Another consideration when configuring the storage location is speed, configuring your databases on an internal SSD RAID would be optimal if you are going to run this locally.
To configure your hash database locations select the following in X-Ways
Tools > Hash Database
Once you have created the databases in your desired locations. You can start to import your hash sets.
You could also create your own hash sets from known good or bad sources, I tend to install fresh offline copies of Windows and create sets from these as I know I can thereafter speak to their integrity. You can also assign a category or hash set name during import, this can be extremely useful when performing differentials.
Please note that if you create any sets from your evidence after your initial hashing you will need to rehash the evidence in order for the new results from these sets to appear.
As you can see from the screenshot below we already have a couple of hash sets added to our database.
Once you have your database configured you can proceed and hash your evidence using the refine volume snapshot feature. This can be done across an entire volume or selected files only.
To perform this function select the following options:
Specialist > Refine Volume Snapshot > Compute Hash + Match against hash database
Once hashing has completed, files which have matched a set can be identified by the light green colour of the file icons.
You now need to configure the directory browser to see the hashes, sets and categories.
This can be done by selecting:
Options > Directory Browser
You will now need to set the directory column size, once this has been set you can adjust by dragging the columns wider or narrower to suit your needs.
After these views have been enabled through the directory browser we can start filtering within X-Ways. From the hash set column, we can enable or disable the ‘NOT’ function to exclude particular hash sets…
.. and from the category column, we can show or hide irrelevant, relevant, notable or uncategorised hash categories.
This approach combined with the other filtering functions in X-Ways allow the examiner to cut and dice their output quite extensively. Outputting the directory browser view including the hash sets and categories to csv can allow further review in Excel if that tends to be your tool of choice. This can then quite easily be delivered as a product in your casework.
That’s really it for how I tend to uses hashes in X-Ways.