Collaboration Modelfor Law Enforcement

X-Ways Investigator(investigator versionof X-Ways Forensics)

Overview of User Interfaces

functional range/ complexity

cost

X-WaysInvestigator

half theprice

for investigators specialized in areas other than IT, e.g. accounting, building laws, money laundering,

corruption, child pornography, ...

additional administrative precautionsand further simplifications possible

for computer specialists

X-Ways Forensics

normalprice

(competitors)

X-Ways Investigator: Important Features ability to create cases, assign evidence objects (media, images

with any supported file system); optionally solely open containers, and also optionally only containers classified as secure (i.e. virus-free)

differently specialized investigators may examine the same containers simultaneously, in their own cases, or write-protected in the case of another investigator

logical search, search in index

listing files from all evidence objects simultaneously, dynamic filters, sorting files, marking/selecting files

viewing files, printing documents

adding files to report tables, entering commentsabout files, evaluating files in one’s area ofexpertise; report creation

Collaboration Model

X-Ways Forensics

Preparatory work performed with X-Ways Forensics, like imaging media, verify image integrity, assemble

RAID systems, search deleted partitions, ... run thorough search for deleted files,

file signature check, include contents ofarchives and pictures embedded in documents,specially deal with encrypted files, ...

roughly filter out irrelevant data, like knownignorable files based on hash, exact duplicate files,with case-specific filters, ...

rought select potentially relevant files based onsearch hits (resulting e.g. from keywords providedby specialized investigators), based on file typefilters or special hash sets of incriminating files, ...

roughly copy out relevant text from large binaryfiles such as free space, swap files, etc. if found tobe relevant because of search hits

create a search index with adequate settings

Evidence File ContainerPreparatory work with X-Ways Forensics results in awith all potentially relevant files

container

An evidence file container retains the following for each file: file contents, file size filename in Unicode complete original path (optionally including evidence object name) deletion state (existent, deleted, renamed, moved, ...) all original timestamps as available (creation, contents change,

metadata change, last access, deletion) DOS/Windows attributes, Unix/Linux permissions/filemode compression and encryption state if applicable, classification as alternative data stream, resource, slack if applicable, classification as ficitious file (for “free space”,

embedded pictures, thumbnails, partition gaps etc.)

Arbitrary free-text comments for each individual file can also be passed on, e.g. the real name of a file owner, preliminary findings, ...

Collaboration Model

X-Ways Forensics

for computer specialists

“containers-onlyversion”

for investigators specialized in areas other than IT, e.g. accounting,

building laws, money laundering, corruption, child pornography, ....

container

report

cleared ofviruses

protected internal network

prosecutor

X-WaysInvestigator

Installation Options

Each investigator has an individual installation and configuration. Somewhat more administrative effort. Required e.g. for child pornography investigators who need to review CDs and DVDs without preparatory work by others.

Several investigators share an installation on a server, optionally with an individual configuration. The network traffic is high when searching or hashing data.

Several investigators share an installation on a terminal server, optionally with an individual configuration. The network traffic is reduced to screen data.

Administrators are in charge of the installations, user accounts, and the assignment of access rights to case data and container files. Computer specialists provide the investigators with containers and search indexes.

Customizable User Interface

Prevent media from being opened directly

Prevent conventional images from being opened directy

Prevent containers from being opened that are not classified as secure

Disable functions to create containers

Prevent non-picture files from being copied to the hard disk as part off the case report

Disable functions work with the hash database

Disable advanced options

Prevent more complex commands from being invoked

The user interface of X-Ways Investigator can be partially tailored to individual needs, i.e. further simplified, or reduced for security reasons.