·.·. Computer forensics software made in Germany .·.·

Computer Forensics Training

Scheduled classes in English for mixed groups of attendees at this time:

Show all     or only show:   

For more information about each event, please simply click on the entry of interest below!

Dates Location Target Region Course Delivered by Status
Jul 2-5 Online Europe, Asia X-Ways Forensics II X-Ways past
Jul 8-12 Online America (incl. West Coast) X-Ways Forensics I X-Ways past
Jul 22-25 Online America (incl. West Coast) X-Ways Forensics II X-Ways past
Jul 29-Aug 2 Online (5x6¼ hrs) America (incl. West Coast) X-Ways Forensics I X-Ways places available
Aug 19-22 Salt Lake City, UT USA X-Ways Forensics I H-11
Sep 2-6  NEW  Online (5x6¼ hrs) Europe, Asia X-Ways Forensics I X-Ways places available
Sep 3-6  NEW  Online (5x6¼ hrs) Europe, Asia X-Ways Forensics II X-Ways places available
Sep 3-6 Mississauga, ON Canada X-Ways Forensics I F111th
Sep 9-12 London, UK Europe X-Ways Forensics I X-Ways places available
Sep 16-20  NEW  Online (5x6¼ hrs) America (incl. West Coast) X-Ways Forensics I X-Ways places available
Sep 23-27 Online America, Europe File Systems Revealed
 💬 Please note, this will be the only "File Systems Revealed" training in 2024.
X-Ways places available
Oct 8-11 Huntington Beach, CA USA X-Ways Forensics I H-11
Oct 28-31  NEW  Online (4x6¼ hrs) America (incl. West Coast) X-Ways Forensics II X-Ways places available
Oct 28-31 Canberra Australia X-Ways Forensics I CDFS
Nov 18-21 New York City, NY USA X-Ways Forensics I H-11
Dec 16-19 Salt Lake City, UT USA X-Ways Forensics I H-11

You can find our Rates and Terms here.

More classes in North America, UK, and Asia and online will be added gradually over time. Classes in German: click here

List of previous classes and trained usersOld lists (2005-2009)

Selected certified users

To be notified of newly scheduled classes in English, please enter your e-mail address and click OK:





We can occasionally offer the X-Ways Forensics course internationally also as on-site training to law enforcement agencies and corporate customers on request (in English or German, only for reasonably sized groups). If you are interested, please contact us by e-mail and let us know the number of prospective attendees and the address of your facilities. 

X-Ways Forensics I, 4 full or 5 shorter days

This main training course is focused on the systematic and efficient examination of computer media using our integrated computer forensics software “X-Ways Forensics”. The approach is very tool-centered. After attending this course and some self-study, you may start the X-PERT certification process (though taking the advanced course as well, see below, is recommended).

Complete and systematic coverage of most computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises, simulating most aspects of the complete computer forensics process. Attendees are encouraged to immediately try newly gained insights as provided by the instructor, with sample image files. Many topics are explained along with their theoretical background (slack space, partially initialized space, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files, etc. etc.). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, ... You will receive complete printed training material for later repetition. Prerequisite: basic knowledge of computer forensics.

The students will learn e.g. how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, etc. There will be a practical exam at the end of the course, which you can regard as just another exercise for yourself or that you can take more seriously and get scored by the instructor if you like. The exam recapitulates the most important functions of the software and helps you to gauge your proficiency. The results will not be recorded by us in any way. Note that the instructor will present the answers to the test during the final 20 minutes (in-person training only). Topics may include (not all guaranteed, for example because of time constraints):

• Basic setup of the software
       • Key folder paths
       • Read-only vs Edit vs. In-Place mode - WinHex vs. X-Ways Forensics
       • Start-up options
       • Alternative disk access methods
       • Viewer programs
• Learning the user interface components
       • Menus and toolbars
       • Directory browser (icons, sorting, navigation, ...)
       • Virtual files and directories
       • Case data window with directory tree
       • The case root
       • Modes: Disk/Partition/Volume vs File
       • Info panel
• Navigating disks and file systems
       • Understanding offsets and sectors
       • Absolute, relative and backwards positioning
       • Directly navigating to specific file system structures (e.g. FILE records in NTFS, Inodes in Ext*)
• Understanding the Data Interpreter
       • Available conversion options
       • How to get the value you actually want
• Creating disk images
       • Raw images and evidence files
       • Fast, adaptive compression
       • In-built encryption
• Creating a case/adding evidence objects
• Hash calculation and checking
• Using the gallery view and skin color detection efficiently
• Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files
• Previewing file contents
• Calendar view and event list (timeline)

• Working with the directory browser
       • Recursive listing of directories and entire drives
       • Column visibility and arrangements
       • Copying cell values
       • Selecting, tagging, hiding, viewing, opening files
       • Recovering/copying files
       • Identifying duplicates based on hash
       • Efficient navigation of the file systems' data structures
• Filtering files
       • existing, previously existing
       • tagged, not tagged
       • viewed, not viewed
       • non-hidden, hidden
       • By name, including multiples: by exact name, using wildcards, searching within name, using GREP
       • By path, including multiples
       • By type - exact type, multiple types, entire category, multiple categories
       • By size
       • By one or more timestamps
       • By attributes: ADS, compression, encryption, e-mail (unread, with attachment), video still, ...
• Creating and assigning labels
• Using labels for filtering and classification
• Report creation: Basic reports, report tables and activity log
• Refining Volume Snapshots:
       • File system specific thorough data structure search for previously existing data
       • Signature search for previously existing data not identifiable via file system metadata
       • Verifying file types based on signatures on algorithms
       • Extracting metadata from a variety of file types
       • Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome
       • Analyzing Windows Event Logs (evt and evtx)
       • Exploring ZIP, RAR, etc. archives
       • Extracting e-mails from PST, OST, Exchange EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.
       • Finding pictures embedded in documents, etc.
       • Creating video stills from movie files
       • Skin color percentage calculation and black and white detection
       • Picture analysis with Excire
       • Identifying file type specific encryption and running statistical encryption tests
• The Hash Database
       • Importing single or multiple hash sets
       • Creating your own hash sets
       • Matching files against existing hash sets via Refine Volume Snapshot
• Various methods of file recovery
• Customizing file signatures
• Using search functions effectively
       • Practically unlimited numbers of keywords simultaneously
       • Multiple encodings (Windows codepages, MAC encodings, Unicode: UTF-16, UTF-8) simultaneously
       • The many advantages of logical over physical search
       • Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)
       • GREP search
       • Logical combination of multiple keywords while evaluation results
       • Filtering keywords based on the files they are contained in
• Decoding Base64, Uuencode, etc.

It is the goal of our courses to familiarize users of our software with the tool so much that they feel confident drawing sustainable conclusions from the data and metadata stored on or seemingly deleted from media to answer to specific problems while documenting the proceedings in a manner acceptable in court.
"What documents were altered on the evening of January 12, 2012?"
"What pictures were hidden with what method, where and by whom?"
"Who viewed which web pages on what day?"
"Which MS Excel documents saved by Alan Smith contain the word 'invoice'?"
"Which USB sticks were attached to the computer at what time?"

X-Ways Forensics II, 3 full or 4 shorter days

Advanced training course for experienced users of X-Ways Forensics and previous attendees of the main course. Definitely not suitable as an introduction for new users of X-Ways Forensics. Topics may include (not all guaranteed because of time constraints, instructor availability or for other reasons):

• .e01 evidence file format
• Creating skeleton images
• Creating cleansed images
• Capturing process memory
• Sector superimposition
• Working with evidence file containers
       • Creating containers, understanding the available options
       • Adding files to containers from various sources
       • Closing containers, optionally converting them
       • Using containers as evidence objects
• Finding and analyzing deleted partitions
• Reconstructing RAID and Linux MD RAID systems
       • Practical examples for RAID 0 and RAID 5
       • Explanation of underlying data arrangements
       • Clues towards finding the right parameters
• FuzZyDoc
• Conditional cell coloring
• UI Text Adjustments
• Custom keyboard shortcuts
• Advanced sorting rules
• Registry Viewer and Registry Reports, Registry Report definition files
• How X-Tensions work
• Recovering deleted NTFS-compressed files manually
• Block-wise hashing and matching
• Command line usage of X-Ways Forensics
• Indexing
• Customizing the registry report
• Templates

File Systems Revealed

Variable combination of file system courses, with extensive introduction to file system basics (binary data storage concepts, data types, date formats) and for example to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3/Ext4 (1/2 day). See below for file system courses that are available.

By fully understanding the on-disk structures of the file system, you are able to recover data manually in many severe data loss scenarios, where automated recovery software fails, and to verify the correct function of computer forensics software and to collect meta information beyond what is reported automatically, which might yield clues for the given case. In general, this also leads to a better understanding of the data presented by forensic software, of how computer forensics software works and of its limitations.

Immediate application of newly gained knowledge by examining data structures on a practical example with WinHex. These exercises will ensure you will remember what you have learned. Explanation of the effects of file deletion and potentials for file recovery. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be enabled to recover data manually in several cases even where automated software fails and to verify the results computer forensics software reports automatically. You will receive a complete documentation of all the filesystems discussed in this course, with all the training material for later repetition. Prerequisite: general computer science knowledge recommended (not just computer knowledge).

Basics, MBR, GPT, LVM2, 1/2 day

• Understanding raw data: Integers, date storage, Endianness
       • Sector and offset navigation in X-Ways Forensics
       • Using the Data Interpreter
       • Templates and Template Manager
• Partition table structures:
       • Master Boot Record (MBR)
       • GUID Partition Tables (GPT)
       • Linux Logical Volume Managment (LVM2)

FAT12, FAT16, FAT32, 1/2 day

• Structure of FAT file systems
• Boot record
• File Allocation Table (FAT)
• Directory entries
• Effects of file deletion and potentials for file recovery
• ...

NTFS, 1 day

• Boot sector
• Master File Table (MFT)
• FILE records structure
• FILE record attributes
• Data runs
• Data compression
• Attribute lists
• Directory organisation in NTFS
• INDX record structure
• NTFS system files
• Consistency in NTFS
• Alternate data streams
• Encrypting File System (EFS): NTFS encryption
• ...

exFAT, 1/2 day

• Partition layout
• Boot sector
• File allocation table
• Directory entries
       • Root-only entry types
       • Metadata entries
       • Stream extensions
       • Filenames
• Time zone offsets

Ext2/Ext3/Ext4, 1/2 day

• File system basics
       • Block Group layout
       • Superblock and Group Descriptor backups
• Superblock data structure
       • Feature flags
       • ext2 revisions
• Layout and function of the Group Descriptors
• Block and Inode Bitmaps
• Inode structures
       • File Mode
       • Block Addressing
       • Reserved Inodes
• Directory Management
• Ext4 extents
• Ext4 extension of file system limits
• Ext4 timestamp refinement and other improvements
• ...

XFS, 1 day

• Similarities and differences with other Linux file systems
• Allocation Group Layout
• Superblock structure and variants
• Allocation Group info sectors
       • Free Space + Free List
       • Inode Info
• Free Space B+Trees
• XFS-specific Inode and Block number formats
• XFS Inodes
       • CRC-enabled vs. classic
       • File Mode
       • Attribute fork
• Inode Formats and their respective structures and uses
       • Device
       • Local
       • Extents
       • B+Tree
• XFS Directory structures
       • small and long entries for local directories
       • Single and Multiple Block directories

BtrFS, 1 day

• Generic layout of the file system
      • Shared POSIX features
      • Data management
      • Virtual offsets
• Superblock structure and feature flags
• B-Trees
      • Fundamental structure
      • Application in BtrFS
      • Keys
      • Tree node layout
• The Chunk Tree
      • Chunk management
      • Offset translation
• The Root Tree
      • Root Items
      • Root Ref
• File Trees and their components
      • Inode Items
      • Dir Index
      • Inode Ref
      • Extent Data
      • XAttr Items
• The Extent Tree
      • Extent Items
      • Metadata Items

NTFS+XWFS2, 1 day

NTFS: see above
XWFS2 is the file system at work in evidence file containers of X-Ways Forensics and X-Ways Investigator. Takes only ~45 minutes to explain once NTFS has been explained.

ReiserFS, Reiser4, 1 day

• ReiserFS block formats
• Superblock structure
• The Reiser Tree
       • Tree organisation
       • Keys
       • Internal tree node structure
       • Leaf node structure
• Stat items
• Directory structures
• Direct vs. Indirect items
• File system navigation
• Hans Reiser's own criticism

• Extents instead of block listing
• ReiserFS vs Reiser4 trees
• Reiser4 Superblock
• The Reiser4 tree
       • Tree organisation
       • Keys
       • Tree node structure: Branches, twigs, leaves
       • Plugin IDs for node items
• Stat items
• Directory structures

Memory Forensics, 1 day

Essentials of virtual memory management (Intel, AMD; 32 Bit, 64 Bit)
• Page Tables
• PFN Database
• Pagefile

Windows Object Management in context
• Processes, Threads, Sockets, Files, Tokens, ...
• Active drivers
• Registered storage media
• Plug-and-Play device management
• Using templates to navigate to kernel objects in X-Ways Forensics (major topic)
• Types of and working with object references

How to navigate a process's address space
• Process Environment Block (PEB)
• Open handles
• Mapped memory areas
• Loaded modules
• Heaps, Stack

Creating RAM images
• hiberfil.sys

Special issues when searching memory areas
• Alignment
• Endianness
• Memory Pools

Malware Analysis (hidden processes, hidden connections, DKOM, rootkits)
• Identifying suspicious references by address range comparison

Network Forensics (incident analysis)
• Ethernet packets by signature search
• Analysing traces of connections in RAM (major topic)

The course deals mostly with Windows systems, esp. XP.

training trainings course courses class classes seminar seminars education lecture exercise teaching computer forensic forensics electronic evidence acquisition data recovery electronic digital examine examination IT security analysis analyze software tool tools