Collaboration model for law enforcement x ways investigator
1 / 8

Collaboration Model for Law Enforcement X-Ways Investigator - PowerPoint PPT Presentation

  • Uploaded on

Collaboration Model for Law Enforcement X-Ways Investigator.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Collaboration Model for Law Enforcement X-Ways Investigator' - estelle

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Collaboration model for law enforcement x ways investigator l.jpg
Collaboration Modelfor Law EnforcementX-Ways Investigator

X-Ways Investigator is a simplified and reduced version of X-Ways Forensics, and part of a certain philosophy: Splitting up the workload into preparatory work done by computer specialists with X-Ways Forensics and investigative work done by other specialists (investigators, analysts, agents, internal auditors, prosecutors, lawyers) can be a pivotal change and greatly accelerate the forensic process. It reduces the computer specialists' workload and allows to start the investigators to take over much earlier.

Overview of user interfaces l.jpg



X-Ways Forensics





half theprice

additional administrative precautionsand further simplifications possible

functional range/ complexity

for investigators specialized in areas other than IT, e.g. accounting, building laws, money laundering, corruption, child pornography, ...

for computer specialists

Overview of User Interfaces

X ways investigator important features l.jpg
X-Ways Investigator: Important Features

  • ability to create cases, assign evidence objects (media, images with any supported file system); optionally solely open containers, and also optionally only containers classified as secure (i.e. virus-free)

  • differently specialized investigators may examine the same containers simultaneously, in their own cases, or write-protected in the case of another investigator

  • logical search, search in index

  • listing files from all evidence objects simultaneously, dynamic filters, sorting files, marking/selecting files

  • viewing files, printing documents

  • adding files to report tables, entering commentsabout files, evaluating files in one’s area ofexpertise; report creation

Collaboration model l.jpg

X-Ways Forensics

Collaboration Model

Preparatory work performed with X-Ways Forensics, like

  • imaging media, verify image integrity, assembleRAID systems, search deleted partitions, ...

  • run thorough search for deleted files,file signature check, include contents ofarchives and pictures embedded in documents,specially deal with encrypted files, ...

  • roughly filter out irrelevant data, like knownignorable files based on hash, exact duplicate files,with case-specific filters, ...

  • roughly select potentially relevant files based onsearch hits (resulting e.g. from keywords providedby specialized investigators), based on file typefilters or special hash sets of incriminating files, ...

  • roughly copy out relevant text from large binaryfiles such as free space, swap files, etc. if found tobe relevant because of search hits

  • create a search index with adequate settings

Evidence file container l.jpg


Evidence File Container

Preparatory work with X-Ways Forensics results in a

with all potentially relevant files

An evidence file container retains the following for each file:

  • file contents, file size

  • filename in Unicode

  • complete original path (optionally including evidence object name)

  • deletion state (existent, deleted, renamed, moved, ...)

  • all original timestamps as available (creation, contents change, metadata change, last access, deletion)

  • DOS/Windows attributes, Unix/Linux permissions/filemode

  • compression and encryption state

  • if applicable, classification as alternative data stream, resource, slack

  • if applicable, classification as fictitious file (for “free space”, embedded pictures, thumbnails, partition gaps etc.)

Arbitrary free-text comments for each individual file can also be passed on, e.g. the real name of a file owner, preliminary findings, ...

Collaboration model6 l.jpg


X-Ways Forensics





cleared ofviruses

protected internal network

for investigators specialized in areas other than IT, e.g. accounting, building laws, money laundering, corruption, child pornography, ....

Collaboration Model

for computer specialists

Installation options l.jpg
Installation Options

  • Each investigator has an individual installation and configuration. Somewhat more administrative effort. Required e.g. for child pornography investigators who need to review CDs and DVDs without preparatory work by others.

  • Several investigators share an installation on a server, optionally with an individual configuration. The network traffic is high when searching or hashing data.

  • Several investigators share an installation on a terminal server, optionally with an individual configuration. The network traffic is reduced to screen data.

Administrators are in charge of the installations, user accounts, and the assignment of access rights to case data and container files. Computer specialists provide the investigators with containers and search indexes.

Customizable user interface l.jpg
Customizable User Interface

The user interface of X-Ways Investigator can be partially tailored to individual needs, i.e. further simplified, or reduced for security reasons.

  • Prevent media from being opened directly

  • Prevent conventional images from being opened directy

  • Prevent containers from being opened that are not classified as secure

  • Disable functions to create containers

  • Prevent non-picture files from being copied to the hard disk as part off the case report

  • Disable functions work with the hash database

  • Disable advanced options

  • Prevent more complex commands from being invoked

  • ...