Presentation on theme: "Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)"— Presentation transcript:
1 Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
2 Overview of User Interfaces for computer specialistsX-Ways Forensicsnormal price(competitors)Overview of User Interfacesfunctional range/ complexitycostX-Ways Investigatorhalf the pricefor investigators specialized in areas other than IT, e.g. accounting, building laws, money laundering, corruption, child pornography, ...additional administrative precautions and further simplifications possible
3 X-Ways Investigator: Important Features ability to create cases, assign evidence objects (media, images with any supported file system); optionally solely open containers, and also optionally only containers classified as secure (i.e. virus-free)differently specialized investigators may examine the same containers simultaneously, in their own cases, or write- protected in the case of another investigatorlogical search, search in indexlisting files from all evidence objects simultaneously, dynamic filters, sorting files, marking/selecting filesviewing files, printing documentsadding files to report tables, entering comments about files, evaluating files in one’s area of expertise; report creation
4 Collaboration ModelPreparatory work performed with X-Ways Forensics, likeimaging media, verify image integrity, assemble RAID systems, search deleted partitions, ...run thorough search for deleted files, file signature check, include contents of archives and pictures embedded in documents, specially deal with encrypted files, ...roughly filter out irrelevant data, like known ignorable files based on hash, exact duplicate files, with case-specific filters, ...rought select potentially relevant files based on search hits (resulting e.g. from keywords provided by specialized investigators), based on file type filters or special hash sets of incriminating files, ...roughly copy out relevant text from large binary files such as free space, swap files, etc. if found to be relevant because of search hitscreate a search index with adequate settingsX-Ways Forensics
5 Evidence File Container Preparatory work with X-Ways Forensics results in awith all potentially relevant filesAn evidence file container retains the following for each file:file contents, file sizefilename in Unicodecomplete original path (optionally including evidence object name)deletion state (existent, deleted, renamed, moved, ...)all original timestamps as available (creation, contents change, metadata change, last access, deletion)DOS/Windows attributes, Unix/Linux permissions/filemodecompression and encryption stateif applicable, classification as alternative data stream, resource, slackif applicable, classification as ficitious file (for “free space”, embedded pictures, thumbnails, partition gaps etc.)Arbitrary free-text comments for each individual file can also be passed on, e.g. the real name of a file owner, preliminary findings, ...
6 Collaboration Model X-Ways Forensics “containers-only version” prosecutorreportX-Ways Forensicscontainer“containers-only version”for investigators specialized in areas other than IT, e.g. accounting, building laws, money laundering, corruption, child pornography, ....X-Ways Investigatorcleared of virusesprotected internal networkfor computer specialists
7 Installation OptionsEach investigator has an individual installation and configuration. Somewhat more administrative effort. Required e.g. for child pornography investigators who need to review CDs and DVDs without preparatory work by others.Several investigators share an installation on a server, optionally with an individual configuration. The network traffic is high when searching or hashing data.Several investigators share an installation on a terminal server, optionally with an individual configuration. The network traffic is reduced to screen data.Administrators are in charge of the installations, user accounts, and the assignment of access rights to case data and container files. Computer specialists provide the investigators with containers and search indexes.
8 Customizable User Interface The user interface of X-Ways Investigator can be partially tailored to individual needs, i.e. further simplified, or reduced for security reasons.Prevent media from being opened directlyPrevent conventional images from being opened directyPrevent containers from being opened that are not classified as secureDisable functions to create containersPrevent non-picture files from being copied to the hard disk as part off the case reportDisable functions work with the hash databaseDisable advanced optionsPrevent more complex commands from being invoked