  X-Ways Software Technology AG
Computer Forensics Training

Next scheduled classes in English for mixed groups of attendees:

  • Sydney, Nov 3-5, 2008: details and enrollment (seats available)

  • More classes in the US, UK, and Asia will be added shortly, depending on demand.

  • Classes in German[y]

Please drop us an e-mail message if you would like to be kept up to date on classes in the USA, Europe, or Asia, or if you have any questions. Please specify where you prefer to take the training (which continent, country or city). Thank you!

We offer the below courses internationally also as on-site training to law enforcement agencies and corporate customers on request (in English or German). If you are interested, please contact us and let us know the number of prospective attendees and the address of your facilities, so that we can provide you a special, individual quote.

List of some of the trained users

 

Course Title: X-Ways Forensics
Duration: 3 days
Description:

This course is focused on the systematic and efficient examination of computer media using our integrated computer forensics software “X-Ways Forensics”.

Complete and systematic coverage of all computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises, simulating most aspects of the complete computer forensics process. Attendees are encouraged to immediately try newly gained insights as provided by the instructor, with sample image files. Many topics are explained along with their theoretical background (e.g. how .e01 files work internally, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, ... Emphasis can be put on any aspect suggested by the participants. You will receive complete printed training material for later repetition. Prerequisite: basic knowledge of computer forensics.

The students will learn e.g. how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, or how to manually recover deleted files compressed by NTFS which would not even be found by conventional file carving techniques.

• Basic setup of the software
• Learning the user interface components
• Understanding the data interpreter
• Preparing media for cloning
• Cloning media/Image creation
• Creating a case/adding evidence objects
• Hash calculation and checking
• Using the gallery view and skin color detection efficiently
• Calendar view usage (timeline)
• Previewing file contents
• Creating drive contents tables systematically
• Creating hash sets and matching against existing hash sets
• Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files
• Adding annotations/bookmarks
• Report creation
• Working with the directory browser
• Synchronizing directory browser and directory tree for optimized work
• Working with the Access button menu
• Various methods of file recovery
• Customizing file signatures
• Extraction and analysis of free space, slack space, etc.
• Finding and analyzing deleted partitions
• Using search and index functions effectively
• Efficient navigation of the file systems' data structures
• Data profiles
• Decoding Base64, Uuencode, etc.
• Viewing RAM
• Assembling RAID systems
• Recovering deleted NTFS-compressed files manually
• Optionally other topics like template and script programming

The goal is to be able to draw well-founded conclusions from the data and metadata stored on, or seemingly deleted from, media in order to answer specific questions, while documenting the proceedings in a manner acceptable in court.

Examples:

"What documents were altered on the evening of January 12, 2005?"
"What pictures were hidden with what method, where and by whom?"
"Who viewed which web pages on what day?"
"Which MS Excel documents saved by Alan Smith contain the keyword 'invoice'?"

Course Title: File Systems Revealed
Duration: 2 days
Description:

Extensive introduction to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3 (1/2 day). By fully understanding the on-disk structures of the file system, you are able to recover data manually in many severe data loss scenarios where automated recovery software fails, to verify the correct function of computer forensics software, and to collect meta information beyond what is reported automatically, which might yield clues for the given case. In general, this also leads to a better understanding of the data presented by forensic software, of how computer forensics software works, and of its limitations.

Immediate application of newly gained knowledge by examining data structures on a practical example with WinHex. These exercises will ensure that you remember what you have learned. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be able to recover data manually in several cases even where automated software fails, and to verify the results that computer forensics software reports automatically. You will receive complete documentation of all the file systems discussed in this course, with all the training material for later repetition. Prerequisite: general computer science knowledge recommended (not just computer knowledge).

Selected topics:

Basics:
• Binary data storage concepts
• Data types
• Date formats

FAT:
• Structure of FAT file systems
• Boot record
• File Allocation Table (FAT)
• Directory entries

NTFS:
• Boot sector
• Master File Table (MFT)
• FILE records structure
• FILE record attributes
• Data runs
• Data compression
• Attribute lists
• Directory organisation in NTFS
• INDX record structure
• NTFS system files
• Consistency in NTFS
• Alternate data streams
• Encrypting File System: NTFS encryption
• ...

Ext2/Ext3/Ext4:
• Structure of Ext file systems
• Superblocks, group descriptors, block groups, bitmap blocks
• Inodes
• Concept of block addressing
• Concept of directory structure
• Effects of file deletion
• Specialties of Ext4
• ...

Course Title: File Systems Revealed II
Duration: 2 days
Description:

HFS, HFS+, ReiserFS, Reiser4, UFS. We can offer such a course to government/corporate customers on request. Please drop us a note if you are interested.

 
