Growing with XWF

I recently accomplished a longstanding goal by becoming a certified user of X-Ways Forensics (XWF), an X-Ways Professional in Evidence Recovery Techniques (X-PERT).  It started in 2018 as an arbitrary goal to demonstrate familiarity with a well-regarded digital forensics tool that was also known to be difficult to learn.  I also perceived it to be challenging and prestigious.

Practically, certifications provide me a semi-structured method to learn a topic that also happens to be formally documented. Becoming an X-PERT was no different.  Without a doubt, the time and effort to achieve it resulted in significant growth.

  1. Deeper understanding of byte-level data and file system structures for analysis to maximize XWF’s functionality.
  2. Improved how I process data and plan analysis.  I don’t need to check every single box.  In fact, that can be detrimental.  This is true for “push-button” tools.
  3. Appreciation of XWF’s capabilities and how it fits in a digital forensic examiner’s toolbox. This carries over to other tools, too.  I am more deliberate about which tools I use and understand why.  This leads to more testing and cross-validation of those tools.
  4. I was able to contribute a small piece to the second edition of Brett Shavers’ X-Ways Forensics Practitioner’s Guide.

I appreciate my progress even more when I reflect on my first exposure to XWF. 

When I started evaluating a career change and learning about digital forensics, I asked myself a common question: “What certifications do I need and what tools should I learn about to get into digital forensics?”  I realize now that was a shallow question.  A more productive question would have been, “What do I want to learn and do with digital forensics?”

In any case, when I searched for answers on forensic tools, I encountered this post on Reddit.

Eric Zimmerman’s reply was upvoted the most, so I saw it first.  It stuck with me since.

I didn’t know anything about XWF, only that it was software for examiners who really know forensics. I also learned there was even a certification for it.  At around this moment, I decided this was something I eventually wanted to learn.  So, I bought a book.

I learned that I had no immediate use for it – I wasn’t the intended audience.  I didn’t have access to the software, and I wasn’t working in digital forensics – I needed both (a license and experience with the tool) to start the X-PERT certification process.  In contrast, pursuing the EnCase Certified Examiner (EnCE) was accessible and attainable with my experience.  Completing DF120, DF210 and DF310 provided me sufficient coverage of digital forensic fundamentals.  The X-Ways Forensics Practitioner’s Guide 1E would sit on a shelf for a few more years before I took another peek.

After I landed a role with a new organization and applied digital forensic concepts full-time, I revisited my interest to learn how to use XWF and tackle the certification.

I signed up for X-Ways’ four-day forensics course, along with an X-PERT certification attempt in 2021.  I also took advantage of an option to purchase a discounted perpetual license of XWF.  The course delivered XWF content, as advertised.  It was great!  The course described how to efficiently utilize specific XWF functionalities and how they work.  However, after trying to read the manual for the first time, I recognized I needed to exert additional effort to really understand how to use XWF before attempting the X-PERT certification.

I appreciate the manual very much.  Every time I reference it, I learn more about the program.  As a new user (of anything), however, I need generalized concepts to keep me grounded when I encounter new, highly technical topics.  That was when I reached out to my shelf and cracked open the X-Ways Forensics Practitioner’s Guide 1E again.  It was apparent the software had changed considerably since the guide was written.  The guide, at least, was helpful for me to read something other than the manual, and I used it to jot down what I observed that was different.

When I attempted the X-PERT exam, I knew I had failed it before it ended. I was disappointed, but in good spirits.  1) I understood the exam was intended to be difficult.  2) Soon after my attempt, I became a dad.

I took a break from XWF to adapt to my new role as a parent.

Several months passed before I revisited XWF.  For me, the challenge was remembering where certain checkboxes are located and understanding how combinations of the checkboxes affect functionality.  These are the things I did that I found helpful:

  1. I read the manual and performed exercises to try out specific XWF functions. 
  2. I created brief scenarios and wrote down processes/workflows to address them.  I cross-referenced those processes/workflows to pages in the manual.
  3. I used XWF on images from CTFs I participated in.
  4. I created my own RAIDs to understand how to reconstruct them.
  5. I visited and searched the forum if I found myself stuck.  Before I posted a question, I spent even more time to eliminate myself as the problem.

All these things increased my confidence and competency as an XWF user.  Fortunately, all this preparation also allowed me to seize an unexpected opportunity.

When Brett Shavers announced he was offering a live XWF class, I knew I had to sign up (Yes, the class was great, too!). It was also around that time I learned Shavers was accepting contributions for the new edition of the X-Ways Forensics Practitioner’s Guide. I had a few processes written down, so why not? Self-doubt.

I almost didn’t submit anything, but I eventually got over myself.  After I submitted a draft, and a revision, I let it go.  I was focused on preparing for my second attempt at the X-PERT exam.

Despite an “advantage” of previously taking the exam, it was still difficult.  However, I was elated to learn that I passed the exam.  It wasn’t long after my successful attempt at the X-PERT exam that I learned that my contribution made it into *the* X-Ways Forensics Practitioner’s Guide.  Now that I have finally received my copy, I’m eager to work through the guide and learn about other contributors’ workflows.

In the introduction, a statement on Shavers’ intended audience caught my attention. Shavers writes, “One unintended benefit for XWF users is that by understanding how XWF works […], users are exposed to a greater depth of forensics.  There is no better way to learn forensics than to have granular control of the data being examined…”

Based on my growth with XWF, that is spot-on.

Eric Zimmerman’s advice six years ago remains true today, “learn the data, learn forensic concepts, learn to tell a story.” Learn how to effectively use XWF and you’ll likely learn some forensics on the way.
