X-Ways Forensics software continues to be the number one choice for digital forensic examiners and analysts for complete and advanced computer and smart device (IoT) investigations and reporting.
Teams are using X-Ways Forensics for rebuilding partitions and RAIDs, deep data carving, faster searching, more MetaData evidence, and other key features:
- Disk cloning and fast disk imaging with intelligent compression options
- Ability to read partitioning and file system structures inside raw (.dd) image files, ISO, VHD, VHDX, VDI, and VMDK images
- Complete access to disks, RAIDs, and images more than 2 TB in size (more than 232 sectors) with sector sizes up to 8 KB
- Built-in interpretation of JBOD, RAID 0, RAID 5, RAID 5EE, and RAID 6 systems, Linux software RAIDs, Windows dynamic disks, and LVM2
- Automatic identification of lost/deleted partitions
- Native support for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, CDFS/ISO9660/Joliet, UDF
- Lightning fast powerful physical and logical SEARCH capabilities for multiple search terms and filters at the same time
- Support for the filesystems HFS, HFS+/HFSJ/HFSX, XFS, Btrfs, ReiserFS, Reiser4, UFS1, UFS2, APFS, QNX
- Ability to create skeleton images, cleansed images, and snippet images (details)
- Logical acquisition: Ability to copy relevant files and directories to evidence file containers, where they retain almost all their original file system metadata, as a means to selectively acquire data in the first place or to exchange selected files with investigators, prosecution, lawyers, etc.
- Ability to include files from all volume shadow copies in the analysis (but exclude duplicates)
- Often finds much more traces of deleting files than competing programs, thanks to superior analysis of file system data structures, including $LogFile in NTFS, .journal in Ext3/Ext4
- Easily navigate to the file system data structure where it is defined, e.g. FILE record, index record, $LogFile, volume shadow copy, FAT directory entry, Ext* inode, containing file if embedded etc.
- Supported partitioning types: MBR, GPT (GUID partitioning), Apple, Windows dynamic disks (both MBR and GPT style), LVM2 (both MBR and GPT style), and unpartitioned (Superfloppy)
- Shows owners of files, NTFS file permissions, object IDs/GUIDs, special attributes and more
- Special identification of suspicious extended attributes ($EA) in NTFS, as used for example by Regin
- Carving of files also within other files
- Extracts metadata and internal creation timestamps from various file types and allows to filter by that, e.g. MS Office, OpenOffice, StarOffice, HTML, MDI, PDF, RTF, WRI, AOL PFC, ASF, WMV, WMA, MOV, AVI, WAV, MP4, 3GP, M4V, M4A, JPEG, BMP, THM, TIFF, GIF, PNG, GZ, ZIP, PF, IE cookies, DMP memory dumps, hiberfil.sys, PNF, SHD & SPL printer spool, tracking.log, .mdb MS Access database, manifest.mbdx/.mbdb iPhone backup, .etc
- Calendar view, showing hotspots of activity, ideal to combine with the chronological event list
- Ability to examine e-mail extracted from Outlook (PST, OST), Exchange EDB, Outlook Express (DBX), AOL PFC, Mozilla (including Thunderbird), generic mailbox (mbox, Unix), MSG, EML
- Can extract almost any kind of embedded files (including pictures) from any other kind of files, thumbnails from JPEGs and thumbcaches, .lnk shortcuts from jump lists, various data from Windows.edb, browser caches, PLists, tables from SQLite databases, miscellaneous elements from OLE2 and PDF documents, .etc
- Ability to extract still pictures from video files in user-defined intervals, using MPlayer or Forensic Framer, to drastically reduce the amount of data when having to check for inappropriate or illegal content
- Extremely extensive and precise file type verification based on signatures and specialized algorithms
We know many teams also use AXIOM for cases. Make sure you are using both. Get X-Ways Forensics.