X-Ways Forensics
14.9
Downloadable
only for customers
(URL provided on purchase and
here)
Manuel
Quick Guides
Creating images
Creating cases
Reporting notable
files
Dynamic filtering
Searching
Evaluation version available to law enforcement,
government, and companies on request.
Please provide
us with your full
official address.
Version en libre essaie
de
WinHex
|
X-Ways Forensics is
an advanced work environment for computer forensic examiners and our
flagship product. It runs
under Windows 2000/XP/2003/Vista*/2008*. Compared to its
competitors, X-Ways Forensics is more efficient to use after a while,
often runs fast, is not as resource-hungry, finds deleted files and
search hits that the other will miss, offer many features that the
others lack, ..., and it comes at a fraction of the cost! It is based on the
WinHex hex and
disk editor and part of an efficient
workflow model where computer forensic examiners share data and
collaborate with investigators that use
X-Ways Investigator. X-Ways Forensics comprises all the general and specialist features known from WinHex,
such as...
- Disk cloning and imaging, even under DOS with X-Ways Replica (forensically sound)
- Examining the complete directory structure inside raw
(.dd) image files, even
spanned over several segments
- Native support for FAT, NTFS, Ext2/3/4, CDFS, UDF
- Built-in interpretation of RAID 0 and RAID 5 systems and
dynamic disks
- Complete access to disks, RAIDs, and images more than 2
TB in size (more than 232 sectors)
- Viewing and dumping physical RAM and the virtual
memory of running processes
- Various data recovery techniques and file carving
- File header signature database, based on flexible
GREP notation
- Hard disk cleansing to produce forensically sterile media
- Gathering slack space, free space, inter-partition space, and generic
text from drives and images
- File and directory catalog creation for all computer media
- Easy detection of and access to NTFS alternate data streams (ADS),
even where other programs fail
- Mass hash calculation for files (CRC32, MD5, SHA-1, SHA-256, ...)
- Unlike a competing product, does not depend exclusively on MD5 (collisions in MD5)
- Powerful physical and logical search capabilities for many search terms at the
same time
- Recursive view of all existing and deleted files
in all subdirectories
- Automatic coloring for the structure of FILE
records in NTFS
- Bookmarks/annotations
- Bates-numbering files
- ...
...and then some:
- Complete case management
- Automated activity logging (audit logs)
- Write protection to ensure data authenticity
-
Additional support for the filesystems
HFS, HFS+, ReiserFS, Reiser4, many variants of UFS1 and UFS2
-
Supported partitioning types: Windows dynamic disks (both MBR and GPT style)
and
Apple supported in addition to MBR, GPT (GUID partitioning), and unpartitioned (Superfloppy)
- Ability to read and write evidence files (.e01 images),
optionally with real encryption (256-bit AES, i.e. not mere
“password protection”) and very flexible compression
- Ability to copy relevant files to evidence file
containers, where they retain almost all their original file
system metadata, as a means to selectively acquire data in the
first place or to exchange selected files with investigators,
prosecution, lawyers, etc.
-
Shows owners of files and NTFS file permissions
- Gallery view for pictures
- Calendar
view
- File preview,
seamlessly integrated viewer component
for 270+ file types
- Keeps track
of which files were already viewed during the investigation
- Ability to
examine e-mail extracted from Outlook (PST)**, Outlook Express
(DBX), Mozilla (including Netscape and Thunderbird), AOL PFC, generic
mailbox (mbox, Berkeley, BSD, Unix), Eudora, PocoMail, Barca,
Opera, Forte Agent, The Bat!, Pegasus, PMMail, FoxMail, maildir folders (local copies)
- Automated file signature check
- Automated reports that can be imported and further
processed by any other
application that understands HTML, such as MS Word
- Ability to associate comments about files for
inclusion in the report or for filtering
- Ability to tag files and add notable files to report tables
- Directory tree on the left, ability to explore
and tag directories including all their subdirectories
- Synchronizing the sectors view with the file
list and directory tree
- Powerful dynamic filters based on true file type,
hash set category, timestamps, file size, comments, report tables...
- Ability to copy files off an image or a drive
including their full path, including or excluding
file slack, or file slack separately or only slack
- Compensation for NTFS compression effects and
Ext2/Ext3 block allocation logic in
file carving
- Automatic identification of encrypted MS
Office and PDF documents
- Finds pictures embedded in
documents (e.g. MS Office, PDF) automatically
- Skin color detection (e.g. a gallery view sorted by skin color percentage
greatly accelerates a search for traces of child pornography)
- Ability to extract still pictures from video files
in user-defined intervals, using
MPlayer or
Forensic Framer,
to drastically reduce the amount of data when having to check to
inappropriate or illegal content
- Internal viewer for Windows Registry files (all
Windows versions); automated Registry report
- Viewer for Windows event log files, Windows
shortcut (.lnk) files, Windows Prefetch files, $LogFile
- Extracts metadata and internal creation
timestamps from various file types and allows to filter by that,
e.g. MS Office, MDI, PDF, RTF, WRI, AOL PFC, ASF, WMV, WMA, MOV,
AVI, WAV, MP4, 3GP, M4V, M4A, JPEG, THM, TIFF, GIF, PNG, GZ,
ZIP, IE Cookies, SHD & SPL printer spool
- Lists the contents of archives directly in
the directory browser, even in a recursive view
- Logical search, in all or selected
files/directories only, following fragmented cluster chains, in
compressed files, optionally decoding text in PDF, XML, ...
- Powerful search hit listings with context preview,
e.g. like “all search hits for the search terms A, B, and D in
.doc and .ppt files below \Documents and Settings with last
access date in 2004”
- Search and index in both Unicode and various code pages
- Highly flexible indexing algorithm,
supporting solid compound words
- Logically combine search hits with an AND,
fuzzy AND, + and -
operators
- Ability to export search hits as HTML,
highlighted within their context, with file metadata
- Detection of host-protected areas (HPA), a.k.a. ATA-protected areas
- Match files against the lightning-fast internal hash database
- Ability to import NSRL RDS 2.x, HashKeeper, and ILook
hash sets
- Create your own hash sets
- Ability to decompress entire hiberfil.sys
files and individual xpress chunks
- [...]
- Reduced and simplified user interface
available for investigators that are not forensic computing
specialists, at half the price:
X-Ways Investigator
X-Ways Forensics is available at a
very affordable price. This package is always updated whenever WinHex is updated as
well. We also offer computer forensics training.
Autre logiciel pour la capture de preuves informatiques. |
