
X-Ways Forensics: Integrated Forensic Analysis Tool

X-Ways Forensics is a powerful, integrated forensic acquisition and analysis application for computer forensic examiners. It runs under Windows XP/2003/Vista/2008/7/8* (32 Bit/64 Bit). The software is tightly integrated with WinHex and can be purchased separately as the forensic edition of WinHex. Compared to its competitors, X-Ways Forensics is more efficient to use after a while, often runs faster, is not as resource-hungry, finds deleted files and search hits that the others will miss, offers many features that the others lack, ..., and it comes at a fraction of the cost!

X-Ways Forensics
17.1


Download available to licensed users only
(the download address is provided after purchase. Upgrade)

User manual

Quick start
Videos
Brett Shaver's guide

Creating disk images
Creating a case

Creating reports
Dynamic filters
Searching

User interface

X-Ways Forensics comprises all the basic features of WinHex plus some features of its own, specifically:

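  • Disk cloning and imaging for complete data acquisition
  • Analyzes the complete directory structure inside raw image files in RAW/dd/ISO/VHD/VMDK format, including images stored in segments
  • Complete access to disks, RAIDs, and images more than 2 TB in size (more than 2^32 sectors) with sector sizes up to 8 KB
  • Support for JBOD, RAID 0, RAID 5, and RAID 6 disk arrays (including Linux software RAIDs), Windows dynamic disks, and LVM2
  • Support for the FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet, and UDF file systems
  • View and fully acquire running processes in RAM* and virtual memory
  • Various data recovery functions, including recovery of specific file types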
  • Well maintained file header signature database based on GREP notation
  • Data interpreter, knowing 20 data types
  • Viewing and editing binary data structures using templates
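  • Data wiping to thoroughly erase residual data on storage media
  • Gathers information from slack space, free space, and inter-partition space on disks or image files
  • Creates lists of the files and directories in evidence files
  • Makes it very easy to discover and analyze ADS data (NTFS alternate data streams)
  • Supports multiple hash calculation methods (CRC32, MD4, ed2k, MD5, SHA-1, SHA-256, RipeMD, ...)
  • Powerful physical and logical search functions that can search for multiple keywords simultaneously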
  • Automatic coloring for the structure of FILE records in NTFS
  • Bookmarks and annotations
  • Runs in WinFE, the forensically sound bootable Windows environment, e.g. for triage/preview, with limitations
  • Ability to analyze remote computers in conjunction with F-Response
  • ...

...and additionally:

  • 64-bit version available
  • Superior, fast disk imaging with intelligent compression options
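  • Can read and create .e01 evidence files, with 256-bit AES encryption of evidence files (note: not merely password protection)
  • Complete case management
  • Automatic logging of the operations performed in the software (audit log)
  • Write protection to ensure data authenticity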
  • Remote analysis capability for drives in network can be added optionally (details)
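  • Support for the HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4, XFS, UFS, and UFS2 file systems
  • Supported partitioning types: Apple, in addition to MBR, GPT (GUID), Windows dynamic volumes (MBR+GPT), LVM2 (MBR+GPT), and unpartitioned (floppy/superfloppy)
  • Ability to copy relevant files into an evidence file container, e.g. relevant evidence files can be saved to a container and sent to other investigators to assist with the analysis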
  • Very powerful main memory analysis for local RAM or memory dumps of Windows 2000, XP, Vista, 2003 Server, 2008 Server, Windows 7
  • Shows owners of files, NTFS file permissions, object IDs/GUIDs, special attributes
  • Convenient back & forward navigation from one directory to another, multiple steps, restoring sort criteria, filter (de)activation, selection
  • Automatic file signature and characteristics matching
  • Built-in file preview supporting more than 270 file types
  • Keeps track of which files were already viewed during the investigation
  • Can analyze and examine extracted e-mail data, supporting Outlook (PST/OST)[note], Exchange EDB, Outlook Express (DBX), AOL PFC, Mozilla (including Thunderbird), generic mailbox (mbox, Unix), MSG, EML
  • Automatic extensive file type verification based on signatures and specialized algorithms
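  • Preview of pictures as thumbnails
  • Files can be tagged, and tagged files can be added to a customized case report
  • Automatically generates case reports in HTML format, which can be viewed and edited in Word
  • File comments or filter information can be associated with the case report
  • Directory tree on the left of the window, with the ability to browse and tag directories and their subdirectories
  • In sector view, the file and directory that the current sector belongs to are displayed in sync
  • Powerful dynamic filters that can be combined, based on file type, hash database, timestamps, file size, comments, report tables, etc.
  • Recursive exploring shows the files and deleted data of all directories at the same time
  • When exporting case files, the original paths of the files can be included and recreated; file slack can be included or excluded, or files and slack can be exported separately.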
  • Compensation for NTFS compression effects and Ext2/Ext3 block allocation logic in file carving
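  • Automatic identification of encrypted MS Office and PDF files
  • Automatically finds pictures embedded in files (e.g. Office, PDF)
  • Skin color detection in pictures (sorting the gallery by skin color percentage speeds up the search for pornographic pictures and black-and-white pictures)
  • Ability to extract still pictures from video files in user-defined intervals, using MPlayer or Forensic Framer, to drastically reduce the amount of data when having to check for inappropriate or illegal content
  • Built-in Windows registry viewer (all Windows versions supported), with automatic registry report generation
  • Windows event log files can be viewed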
  • Viewer for Windows event log files (.evt, .evtx), Windows shortcut (.lnk) files, Windows Prefetch files, $LogFile, $UsnJrnl, restore point change.log, Windows Task Scheduler (.job), $EFS LUS, INFO2, Restore Point change.log.1, wtmp/utmp/btmp log-in records, MacOS X kcpassword, AOL-PFC, Outlook NK2 auto-complete, Outlook WAB address book, Internet Explorer travellog (a.k.a. RecoveryStore), SQLite databases such as Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, Safari feeds, Skype's main.db database with contacts and file transfers, ...
  • Extracts metadata and internal creation timestamps from various file types and allows filtering by them, e.g. MS Office, OpenOffice, StarOffice, HTML, MDI, PDF, RTF, WRI, AOL PFC, ASF, WMV, WMA, MOV, AVI, WAV, MP4, 3GP, M4V, M4A, JPEG, BMP, THM, TIFF, GIF, PNG, GZ, ZIP, PF, IE cookies, DMP memory dumps, hiberfil.sys, PNF, SHD & SPL printer spool, tracking.log, .mdb MS Access database, manifest.mbdx/.mbdb iPhone backup, ...
  • Contents of archives can be browsed level by level, like directories
  • Easy-to-use logical search across all files, selected files, and inside archives, PDFs, and other file types
  • Powerful search with preview of search hits, including the context around the keyword. For example, you can search the Documents and Settings directory for .doc and .ppt files that were last accessed in 2004 and contain the keywords A, B, D
  • Search and index in both Unicode and various code pages
  • Highly flexible indexing algorithm, with the ability to search the index for fixed compound words
  • Logically combine search hits with an AND, fuzzy AND, + and - operators
  • Ability to export search hits as HTML, highlighted within their context, with file metadata
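  • Can detect host-protected areas (HPA) on hard disks and protected areas of ATA-encrypted hard disks
  • Quickly locates specific kinds of files using the internal hash database
  • Can import hash databases in NSRL RDS 2.x, HashKeeper, and ILook formats
  • User-defined hash sets can be created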
  • Ability to decompress entire hiberfil.sys files and individual xpress chunks
  • X-Tensions API (programming interface) to add your own functionality or automate existing functionality
  • Interface for external analysis programs such as DoublePics that for example can recognize known pictures (even if stored in a different format or altered!) and can return the classification (“CP”, “relevant”, “irrelevant”) to X-Ways Forensics
  • [...]

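X-Ways Forensics is very reasonably priced and is updated in step with WinHex. After ordering, customers in China receive an installation disc and a download link for future updates. X-Ways Forensics is also available in: Deutsch, Français, Español, Português (Brasileiro), Italiano. X-Ways Forensics is protected with a dongle. Special rates available for licenses for disk imaging only. A simplified user interface can be provided for investigators with less computer expertise, serving as an evidence file viewer or as a powerful platform for case investigation, file analysis, and report creation. It costs only half the price of the full version. More information.

General distributor for China:

北京天宇宁企业技术秘密保护咨询服务中心 (Beijing Computer Forensic Service Center)
Room 505, F/5, Fanli Building, NO.22 ChaoYangMen Wai Dajie, Chaoyang District
Beijing P.R. China (P/C:100020)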
Office: +8610 65883188
Fax: +8610 65889158
Email: info@cflab.cn
X-Ways Forensics: integrated computer forensic analysis tool from X-Ways of Germany


Newsletter archive, News

Installation tips



Screenshots

How to become an X-Ways Forensics gold user.

Differences between X-Ways Forensics and WinHex

Forensics and WinHex with a forensic license

*Limitations under Windows Vista and later: Physical RAM cannot be opened. Unable to write sectors on the partitions that contain Windows and WinHex.