X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways TraceX-Ways Trace

Prepared By: Leen F. ArikatPrepared By: Leen F. Arikat

Supervisor: Dr. Lo’ai TawalbehSupervisor: Dr. Lo’ai Tawalbeh

What is Computer ForensicsWhat is Computer Forensics

Computer Forensics is defined as the Computer Forensics is defined as the science of collecting evidence that science of collecting evidence that assists in discovering illegal activities assists in discovering illegal activities implemented by any computer media.implemented by any computer media.

Many Types of computer forensics Many Types of computer forensics tools have been launched lately; X-tools have been launched lately; X-Ways Trace is an example of such Ways Trace is an example of such tools.tools.

X-Ways TraceX-Ways Trace

A computer forensics tool that A computer forensics tool that allows to track and examine web allows to track and examine web browsing activity and deletion of files browsing activity and deletion of files through the Windows recycle bin that through the Windows recycle bin that took place on a certain computer. took place on a certain computer.

X-Ways Trace 2.5X-Ways Trace 2.5

© 2003 X-Ways Software Technology AG© 2003 X-Ways Software Technology AGPostal address: Carl-Diem-Str. 32 • 32257 Bünde • GermanyPostal address: Carl-Diem-Str. 32 • 32257 Bünde • GermanyE-mail address: [email protected] address: [email protected]: +49-721-151 322 561Fax: +49-721-151 322 561

First released in May 2003, last updated in April 2007.First released in May 2003, last updated in April 2007.

The following operating systems are supported:The following operating systems are supported:• • Windows 95/98/MeWindows 95/98/Me• • Windows NT 4.0Windows NT 4.0• • Windows 2000Windows 2000• • Windows XPWindows XP

Product web site: http://www.x-ways.netProduct web site: http://www.x-ways.netCompany homepage: http://www.x-ways.net/corporateCompany homepage: http://www.x-ways.net/corporate //

How does X-Ways Trace work?How does X-Ways Trace work?

Deciphers Deciphers Internet ExplorerInternet Explorer's ever-'s ever-growing internal history/cache file growing internal history/cache file index.datindex.dat. .

Displays complete URLs, date and Displays complete URLs, date and time of the last visit, user names, file time of the last visit, user names, file sizes, filename extensions, and more .sizes, filename extensions, and more .

It allows to sort by any criterion It allows to sort by any criterion

How does X-Ways Trace work? How does X-Ways Trace work? Cont..Cont..

X-Ways Trace interprets the browser X-Ways Trace interprets the browser history file history file "history.dat""history.dat" left behind left behind by by Mozilla/FirefoxMozilla/Firefox..

X-Ways Trace interprets the browser X-Ways Trace interprets the browser cache file cache file "dcache4.url""dcache4.url" produced produced by by OperaOpera..

How does X-Ways Trace work? How does X-Ways Trace work? Cont..Cont..

Reads from:Reads from: One or more files you specify. One or more files you specify. Searches complete folders and Searches complete folders and

subfolders. subfolders. Searches entire hard disks (or raw Searches entire hard disks (or raw

images of hard disks) in allocated images of hard disks) in allocated space, free space, and slack space, or space, free space, and slack space, or even, for traces of someone having even, for traces of someone having surfed the Internetsurfed the Internet. .

How does X-Ways Trace work? How does X-Ways Trace work? Cont..Cont..

Also deciphers the hidden Windows Also deciphers the hidden Windows recycle binrecycle bin file file info2info2 located in every located in every Recycled /Recycler folder. Recycled /Recycler folder.

Displays the original path and Displays the original path and filenamefilename

Displays date and time of deletionDisplays date and time of deletion Displays file size, and Displays file size, and

more,sometimes even if the recycle more,sometimes even if the recycle bin has been emptied. bin has been emptied.

X-Ways Trace featuresX-Ways Trace features

All the details compiled by X-Ways All the details compiled by X-Ways Trace can be exported to MS Excel. Trace can be exported to MS Excel.

The files/disks examined by X-The files/disks examined by X-Ways Trace will Ways Trace will notnot be altered by be altered by the examination.the examination.  

X-Ways Trace is part of X-Ways Trace is part of EvidorEvidor, but can , but can be ordered separately.be ordered separately.

What is Evidor?What is Evidor?

Evidor:Evidor: Is a Software for lawyers, law Is a Software for lawyers, law

firms, corporate law and IT security firms, corporate law and IT security departments, licensed investigators, departments, licensed investigators, and law enforcement agencies. and law enforcement agencies. Evidor is a small subset of just the Evidor is a small subset of just the search functionality in search functionality in X-Ways ForensicsX-Ways Forensics. .

What does Evidor do?What does Evidor do?

Evidor allows to search text on hard disks. Evidor allows to search text on hard disks. It retrieves the context of keyword It retrieves the context of keyword

occurrences on computer media, by occurrences on computer media, by examining all examining all allocated spaceallocated space and also and also currently currently unallocated spaceunallocated space called called slack slack spacespace. .

It can even find data from files that have It can even find data from files that have been been deleteddeleted, if physically still existing. , if physically still existing.

Please note that Evidor cannot access Please note that Evidor cannot access remote networked hard disks. remote networked hard disks.

X-Ways Trace implementationX-Ways Trace implementation

File MenuFile Menu

Open FileOpen File Use this to open one or more index.dat Use this to open one or more index.dat

files. Any file that is opened is files. Any file that is opened is automatically searched for MS Internet automatically searched for MS Internet Explorer's log entries.Explorer's log entries.

Windows usually prevents you from Windows usually prevents you from opening the main index.dat file in the opening the main index.dat file in the browser cache folder with Open File. browser cache folder with Open File.

Other index.dat files, such as the one in Other index.dat files, such as the one in the Cookie subfolder of a user profile, can the Cookie subfolder of a user profile, can be accessed normally.be accessed normally.

File MenuFile MenuCont..Cont..

Open FolderOpen Folder

This command is used open and This command is used open and examine several files at the a time. examine several files at the a time. Select a folder in which to open files. Select a folder in which to open files. Subfolders are browsed optionally, Subfolders are browsed optionally, too. too.

File MenuFile MenuCont..Cont..

Open DisksOpen Disks X-Ways Trace allows you to access floppy X-Ways Trace allows you to access floppy

and hard disks below file system level. You and hard disks below file system level. You may access a disk either logically or may access a disk either logically or physically. On most computer systems you physically. On most computer systems you can even access CD-ROM and DVD media. can even access CD-ROM and DVD media.

A disk that is opened will be entirely A disk that is opened will be entirely searched for index.dat file records, searched for index.dat file records, including free space, slack space, Windows including free space, slack space, Windows swap files, etc.swap files, etc.

File MenuFile MenuCont..Cont..

Export: Export: Allows you to save the Allows you to save the currently displayed list as a tab-currently displayed list as a tab-delimited text file e.g. for export to delimited text file e.g. for export to and further processing in MS Excel.and further processing in MS Excel.

Exit:Exit: Use this command to end X- Use this command to end X-Ways Trace. The currently displayed Ways Trace. The currently displayed list will be lost.list will be lost.

Edit MenuEdit Menu Copy URL:Copy URL: Copies the full Internet Copies the full Internet

address of the selected line of an address of the selected line of an index.dat file as plain text to the clipboard.index.dat file as plain text to the clipboard.

Copy Filename:Copy Filename: Copies the full filename Copies the full filename and path of the selected line of an info2 and path of the selected line of an info2 file as plain text to the clipboard.file as plain text to the clipboard.

Look up on Internet:Look up on Internet: Runs your Internet Runs your Internet browser and points it to the address of the browser and points it to the address of the selected line, so you can check out that selected line, so you can check out that page or picture yourself, provided it is still page or picture yourself, provided it is still available.available.

Edit Menu Cont..Edit Menu Cont..

Open in WinHex:Open in WinHex: Runs WinHex and opens Runs WinHex and opens the current file or logical drive. Only the current file or logical drive. Only available if WinHex is installed on your available if WinHex is installed on your computer.computer.

Find Text:Find Text: This command is used to search This command is used to search for the specified text (e.g. domain, file, or for the specified text (e.g. domain, file, or user name) of up to 50 characters in the user name) of up to 50 characters in the current file or disk (cf. Search Options).current file or disk (cf. Search Options).

Continue Search:Continue Search: Lets you continue the Lets you continue the last executed search operation in the last executed search operation in the current file or disk at the current position.current file or disk at the current position.

Edit Menu Cont..Edit Menu Cont..

Continue Global Search:Continue Global Search: This command is This command is used to continue a global search operation in used to continue a global search operation in the next file.the next file.

Remove:Remove: Deletes the currently selected Deletes the currently selected item(s) from the list. Does not delete the URLs item(s) from the list. Does not delete the URLs from the open file or disk.from the open file or disk.

Convert to Local Time:Convert to Local Time: Causes X-Ways Causes X-Ways Trace to adjust all date & time data to your Trace to adjust all date & time data to your local time zone, as defined in the Windows local time zone, as defined in the Windows Control Panel.Control Panel.

Window MenuWindow Menu

Window Manager:Window Manager: Displays all windows Displays all windows and provides "instant window switching" and provides "instant window switching" functionality. You may also close windows.functionality. You may also close windows.

Close All:Close All: Closes all windows and thus all Closes all windows and thus all open files and disks.open files and disks.

Close All Without Prompting:Close All Without Prompting: Closes all Closes all windows and thus all opened files and windows and thus all opened files and disks without giving you the opportunity to disks without giving you the opportunity to save your modificationssave your modifications..

Window Menu Cont..Window Menu Cont..

Cascade/Tile:Cascade/Tile: Arranges the windows Arranges the windows in the aforementioned way.in the aforementioned way.

Minimize All:Minimize All: Minimizes all Minimizes all windows.windows.

Arrange Icons:Arrange Icons: This command This command arranges all minimized windows.arranges all minimized windows.

Help MenuHelp Menu

Contents:Contents: Displays the contents of the Displays the contents of the program help.program help.

Setup:Setup: Lets you switch between the Lets you switch between the English, the German, and the French user English, the German, and the French user interface.interface.

Initialize:Initialize: Use this command to restore Use this command to restore the default settings of X-Ways Trace. the default settings of X-Ways Trace. Alternatively, delete the trace.cfg file Alternatively, delete the trace.cfg file before running the program.before running the program.

Help Menu Cont..Help Menu Cont..

Uninstall:Uninstall: Use this command to remove Use this command to remove X-Ways Trace from your system. X-Ways Trace from your system.

Online:Online: Opens the X-Ways Trace Opens the X-Ways Trace homepage (http://www.x-ways.net) or the homepage (http://www.x-ways.net) or the support forum (http://www.winhex.net) in support forum (http://www.winhex.net) in your browser.your browser.

About WinHex:About WinHex: Displays information Displays information about WinHex (the program version, your about WinHex (the program version, your license status, and more).license status, and more).