The following section gives details on XWF-specific formats and on the commonly used formats. Do not skip over this section because you already know forensic image formats: if you do not use XWF, you do not know the coolest image formats available.
DD AND EXPERT WITNESS
One of the most versatile forensic formats is the dd image. The dd image is versatile because nearly every forensic application can access this format without issue and without conversion. The dd name is known by several variants such as “Data Description”, “convert and copy”, and even “data dump”, among others. Regardless, XWF can create a dd image for use with any forensic tool. That is not really cool, because it seems every tool can create a dd image.
The Expert Witness image format, also known as the .e01 format or Encase format, is an option available with XWF as well. There are benefits to the Expert Witness format, as there are benefits to the dd format, but this is another common format. Specifics of these two common formats are beyond the scope of this article, as they are the most widely used formats and are supported by most tools. Let’s get into the cool imaging formats.
EVIDENCE FILE CONTAINERS
An XWF Evidence File Container is an encapsulated logical acquisition of selected files/folders. The Evidence File Container is not a bit-for-bit capture of an entire hard disk, but rather a forensic capture of targeted files placed into a protective file. Other forensic applications also create proprietary logical containers much like XWF, so in that manner this is another feature XWF shares with other tools; but there are some worthwhile differences.
The XWF Evidence File Container is a proprietary format with a special file system (XWFS2) which XWF can fully interpret. One difference with the XWF Evidence File Container is that several other commercial tools can also interpret XWF Evidence File Containers, although they may not be able to interpret all file metadata. Compared to a proprietary logical evidence file format which no other tool can access, the XWF Evidence File Container is more versatile for use among several tools.
The XWF Evidence File Container can also be converted to the Expert Witness Format, which is something unique to the XWF Evidence File Container compared to other file container formats.
SKELETON IMAGES
Now we get into new territory with forensic images. XWF’s option of creating a Skeleton Image is unique and ingenious. Similar to an Evidence File Container, a Skeleton image does not capture bit-for-bit an entire hard drive, but only that which you choose. That is where the similarity of a Skeleton image ends.
A Skeleton image captures the physical data, not just the logical data, of the items you select. Think about that for a second. Any tool that only creates a logical capture of data does not capture all that is available, even if only select files and folders are to be captured.
The Skeleton image includes as much data as you deem necessary. For example, you can include system files such as registry files, the boot sector, directory clusters in FAT, $MFT in NTFS, and more, all the while excluding unnecessary data. A neat feature of the Skeleton image is that captured data maintain their original offsets and the relative distances between data structures. An Evidence File Container, whether made by XWF or other tools, does not provide this ability.
A Skeleton image is also compatible with other tools, as it can be converted from a raw format to a compressed/noncompressed and encrypted/nonencrypted .e01 evidence file.
CLEANSED IMAGES
Wait! There’s more! XWF has another unique and much-needed format, the Cleansed Image. A Cleansed Image is simply a forensic image (dd, .e01) from which data has been intentionally excluded during imaging. When creating a Cleansed Image, simply “exclude” any files/folders you do not want included in the image. You can then have XWF substitute text (a watermark) of your choosing in place of where the excluded files would have been. For example, when creating an image in which protected files such as private or confidential data must not be copied, those files can be replaced with the text “REDACTED” or “CLEANSED”.
Again, given a complete bit-for-bit image of a hard drive, a Cleansed Image can be created from the complete image. The benefit of this is obvious to anyone who has had the displeasure of manually redacting protected files by editing hex values. It will also be obvious to those who encounter their first case of having to redact data from an image. When that day comes, remember that the Cleansed Image feature of XWF will save you hours, if not days, of manually redacting data from an image.
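To make the difference between the three selective acquisitions concrete, here is an added Python model (not XWF code, and not XWFS2 or any real file system layout) of a logical container, a Skeleton image and a Cleansed Image built from one constructed 64-sector disk. The extent map, sector contents and watermark text are assumptions for the demo; the point it shows is that only the Skeleton and Cleansed forms keep every kept structure at its original offset.

```python
import hashlib

SECTOR = 512

# Constructed toy disk: 64 sectors, with a few regions standing in for the
# boot sector, a file system metadata structure, a user document and a
# confidential file. Offsets are demo assumptions, not a real layout.
def build_demo_disk():
    disk = bytearray(64 * SECTOR)
    disk[0:SECTOR] = b"BOOT".ljust(SECTOR, b"\xAA")
    disk[8 * SECTOR:10 * SECTOR] = b"MFT docA@20".ljust(2 * SECTOR, b"\xBB")
    disk[20 * SECTOR:24 * SECTOR] = b"USER-DOC".ljust(4 * SECTOR, b"\xCC")
    disk[40 * SECTOR:44 * SECTOR] = b"CONFIDENTIAL".ljust(4 * SECTOR, b"\xDD")
    return bytes(disk)

# Extent map (name -> byte offset, length) as a parser would recover it.
EXTENTS = {
    "boot": (0, SECTOR),
    "$MFT": (8 * SECTOR, 2 * SECTOR),
    "docA": (20 * SECTOR, 4 * SECTOR),
    "secret": (40 * SECTOR, 4 * SECTOR),
}

def logical_container(disk, extents, names):
    """Logical acquisition: selected extents concatenated, offsets lost."""
    return b"".join(disk[o:o + n] for o, n in (extents[x] for x in names))

def skeleton_image(disk, extents, names):
    """Skeleton image: disk-sized, only selected extents populated,
    every kept structure stays at its original offset."""
    out = bytearray(len(disk))  # unselected sectors stay zero (sparse)
    for x in names:
        o, n = extents[x]
        out[o:o + n] = disk[o:o + n]
    return bytes(out)

def cleansed_image(disk, extents, excluded, watermark=b"REDACTED"):
    """Cleansed image: full disk image with excluded extents overwritten
    by the repeated watermark text, so offsets and image size are unchanged."""
    out = bytearray(disk)
    for x in excluded:
        o, n = extents[x]
        out[o:o + n] = (watermark * (n // len(watermark) + 1))[:n]
    return bytes(out)

def sha256(data):
    return hashlib.sha256(data).hexdigest()
```

Comparing `sha256(disk)` with `sha256(cleansed_image(...))` shows why a cleansed image needs its own verification hash: it is intentionally not the original.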
CREATING THE IMAGES
XWF allows creation of images via the command line, but the most common method is using the GUI.
The options in the XWF Create Disk Image dialog are self-explanatory. Metadata can be added in the Internal Description; a 2nd copy can be created at the same time; and the choice of dd, .e01, or Evidence File Container, the specific sectors to image, the choice of hash algorithms, verification of the image, compression options, encryption, and splitting of the image are options common to most imaging tools. As previously mentioned, the encryption option is different, in that it is not password protection but actual encryption.
Additionally, within the scope of imaging, files can be omitted during imaging rather than copying the entire medium.
Figure 2. Create Disk Image options
Most likely, you will be more impressed with the speed of imaging compared to anything you have used before, including hardware-based imaging devices. There are several tests posted online comparing XWF to other tools, and none are faster than XWF. Speeds of two to three times those of any other tool are impressive!
For this one reason alone, the time saved during imaging makes XWF Imager more than worth its price.
ENCRYPTING IMAGES
XWF provides real encryption: 128- or 256-bit encryption. XWF does not password protect images; it fully encrypts the image, and this cannot be bypassed as if it were just password protected. Additionally, by selecting Prevent unencrypted copies, no copies of the image can be created that are unencrypted.
REVERSE IMAGING
No longer do you need to rely upon a Linux tool for reverse imaging. XWF is the only (non-Linux) forensic imaging suite that can image a damaged hard drive in reverse. Ordinarily, hard drives with bad sectors either delay or crash imaging programs, but with reverse imaging the odds of recovering more data and creating a complete image are leaps and bounds ahead of tools that cannot handle defective hard drives.
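The following added Python simulation (not XWF's implementation) shows why a reverse pass recovers more from a defective drive. The drive model is a constructed assumption: a run of bad sectors raises read errors, and after a few consecutive errors the drive stops responding until it is power-cycled, which is the "delay or crash" behaviour described above. A forward pass stalls just past the bad run; a reverse pass collects everything behind it, and merging the two leaves only the genuinely unreadable sectors missing.

```python
SECTOR = 512

class DriveDead(IOError):
    """Raised once the drive has stopped responding (constructed model)."""

class FlakyDrive:
    """Constructed model of a failing drive: LBAs in `bad` raise IOError,
    and after `max_errors` failed reads the drive stops responding until
    power_cycle() is called."""
    def __init__(self, sectors, bad, max_errors=3):
        self.data = [bytes([i % 256]) * SECTOR for i in range(sectors)]
        self.bad = set(bad)
        self.max_errors = max_errors
        self.errors = 0

    def read(self, lba):
        if self.errors >= self.max_errors:
            raise DriveDead("drive no longer responding")
        if lba in self.bad:
            self.errors += 1
            raise IOError(f"unrecoverable read error at LBA {lba}")
        return self.data[lba]

    def power_cycle(self):
        self.errors = 0

def image_pass(drive, lbas):
    """Read LBAs in the given order; skip bad sectors, stop if the drive dies.
    Returns {lba: data} for every sector actually recovered."""
    got = {}
    for lba in lbas:
        try:
            got[lba] = drive.read(lba)
        except DriveDead:
            break
        except IOError:
            continue  # single bad sector: skip it and keep going
    return got

def forward_image(drive, n):
    return image_pass(drive, range(n))

def reverse_image(drive, n):
    return image_pass(drive, range(n - 1, -1, -1))

def combined_image(drive, n):
    """Forward pass, power-cycle, reverse pass; merge, zero-fill the rest."""
    fwd = forward_image(drive, n)
    drive.power_cycle()
    rev = reverse_image(drive, n)
    merged = {**rev, **fwd}
    raw = b"".join(merged.get(i, b"\x00" * SECTOR) for i in range(n))
    return merged, raw
```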
RAIDS
XWF can image RAIDs, as a hard drive is a hard drive. Just as important, XWF can rebuild RAIDs, including failed disk-based RAIDs such as JBOD, RAID 0, RAID 5, etc…
LIVE CAPTURES
Sometimes, computer systems must be imaged live. That is, a system may not be able to be shut down for any number of reasons, such as encrypted operating systems or business reasons. In these cases, XWF can run from an external USB drive or CD drive on the evidence machine, and an image can be created while the system is running. Data will surely change on the system, but it will only be system data, not user data. XWF has a small footprint, images fast, and creates a sparse (Skeleton) image or an Evidence File Container, each of which has its place in live captures.
Another method of using XWF as an imaging tool is running it from a booted Windows Forensic Environment (Shavers, Windows Forensic Environment, 2013) on the evidence machine. By booting the evidence machine to a forensic boot disc such as WinFE, write-protected access to the evidence drive allows for capture of the evidence drive with XWF. As XWF has a small footprint and requires only 256MB of RAM to run, nearly any computer system capable of booting to external media (CD/DVD/USB) can be booted to WinFE, and XWF can create an image of the hard drive.
COMPARISON OF IMAGES
The following table from http://x-ways.net/investigator/containers_vs_skeleton_images.html shows the differences in an easy-to-read format. As you can see, there are more methods of creating a forensic image than simply running a program and choosing dd or .e01. Which one to use depends on your needs at the time of acquisition.
Figure 3. Comparison of image types, http://x-ways.net/investigator/containers_vs_skeleton_images.html