Totally Remove Excluded Items in XWF, Selectively

Page 181 (9.2 Directory Browser) of the X-Ways Forensics/WinHex Manual (Updated 2021-12-31) notes that a button exists to “totally remove excluded items from the volume snapshot if irrelevant/not needed…” As the manual indicates, this may reduce the size of a volume snapshot. Alternatively, it can limit the scope of the files examined by removing them from the volume snapshot altogether.

After selecting the Totally remove excluded items… button, a caution box will appear. A highlighted Cancel button is a clue. The action to Totally remove excluded items is not to be taken lightly.

There are a couple of scenarios when I may want to totally remove a selection of excluded items from the volume snapshot. One is when I want to totally remove specific excluded items, but keep others – irrelevant files and files that might be useful/relevant later, respectively. While it may not be frequent, the other scenario is when I add an erroneous file via the Attach external file/Dir command (4.1 Directory Browser Context Menu, Attach External File/Dir, pg. 59).

I’m not aware of a context menu command to selectively remove an item from the volume snapshot. Below is a workflow that may mitigate some issues when totally removing excluded items from the volume snapshot, while preserving the exclusion status of others to keep them in the volume snapshot.

Totally Remove Targeted Excluded Items from the Volume Snapshot

1) Create a backup of the case or volume via the Case Data window (Edit | Back up / Restore (Case OR Volume Snapshot) | [name the backup] | [click] OK). The manual recommends working from a copy of the case.

2) Create a report table association for the excluded items to be kept and another for the excluded items to be totally removed from the volume snapshot (Directory Browser’s context menu | Report table association). While a report table association is not needed for items destined to be totally removed from the volume snapshot, I believe it helps keep things organized.

I created two report table associations and filtered by the RTAs for this view.

3) If not done already, exclude the item(s) to be totally removed from the volume snapshot.

In this example, I attached an unrelated file, ‘GOAT.pdf’, to the file, ‘SelfDefenseisMurder.pdf’.

4) Filter for the report table association of the items intended to be kept in the volume snapshot.

5) From the Directory Browser’s context menu, select Exclude | Include, for all the items in the report table association intended to be kept.

6) With the exclusion status of selected items preserved with a report table, we may proceed to totally remove the intended item(s) from the volume snapshot (Directory Browser | Totally remove excluded items).

‘GOAT.pdf’ removed as an attached file to ‘SelfDefenseisMurder.pdf’.

7) Depending on preference, the exclusion status may be reapplied to the items that were preserved with a report table by filtering for it with the column in the Directory Browser.

Summary:

As appropriate, XWF may remove excluded items from the volume snapshot. Precautions, i.e., creating backups or working from case copies, are recommended.

The command, Totally remove excluded items, will remove all items marked as excluded. There may be scenarios when we want to remove some excluded items, but keep others.

We may use report tables in X-Ways Forensics to preserve the exclusion status of items we want to keep in the volume snapshot and differentiate them from excluded items intended to be totally removed. After creating the appropriate report table associations, we may temporarily include the excluded items in the volume snapshot and proceed to totally remove excluded items, per our selection.

After confirming that the excluded items intended for removal were successfully removed from the volume snapshot, we may filter for the report table associated with the preserved excluded items and reapply the exclusion.
