X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh What is Computer Forensics Computer Forensics is defined as the science of collecting evidence that assists in discovering illegal activities implemented by any computer media. Many Types of computer forensics tools have been launched lately; X-Ways Trace is an example of such tools. X-Ways Trace A computer forensics tool that allows to track and examine web browsing activity and deletion of files through the Windows recycle bin that took place on a certain computer. X-Ways Trace 2.5 © 2003 X-Ways Software Technology AG Postal address: Carl-Diem-Str. 32 • 32257 Bünde • Germany E-mail address: [email protected] Fax: +49-721-151 322 561 First released in May 2003, last updated in April 2007. The following operating systems are supported: • Windows 95/98/Me • Windows NT 4.0 • Windows 2000 • Windows XP Product web site: http://www.x-ways.net Company homepage: http://www.x-ways.net/corporate/ How does X-Ways Trace work? Deciphers Internet Explorer's evergrowing internal history/cache file index.dat. Displays complete URLs, date and time of the last visit, user names, file sizes, filename extensions, and more . It allows to sort by any criterion How does X-Ways Trace work? Cont.. X-Ways Trace interprets the browser history file "history.dat" left behind by Mozilla/Firefox. X-Ways Trace interprets the browser cache file "dcache4.url" produced by Opera. How does X-Ways Trace work? Cont.. Reads from: One or more files you specify. Searches complete folders and subfolders. Searches entire hard disks (or raw images of hard disks) in allocated space, free space, and slack space, or even, for traces of someone having surfed the Internet. How does X-Ways Trace work? Cont.. Also deciphers the hidden Windows recycle bin file info2 located in every Recycled /Recycler folder. Displays the original path and filename Displays date and time of deletion Displays file size, and more,sometimes even if the recycle bin has been emptied. X-Ways Trace features All the details compiled by X-Ways Trace can be exported to MS Excel. The files/disks examined by X-Ways Trace will not be altered by the examination. X-Ways Trace is part of Evidor, but can be ordered separately. What is Evidor? Evidor: Is a Software for lawyers, law firms, corporate law and IT security departments, licensed investigators, and law enforcement agencies. Evidor is a small subset of just the search functionality in X-Ways Forensics. What does Evidor do? Evidor allows to search text on hard disks. It retrieves the context of keyword occurrences on computer media, by examining all allocated space and also currently unallocated space called slack space. It can even find data from files that have been deleted, if physically still existing. Please note that Evidor cannot access remote networked hard disks. X-Ways Trace implementation File Menu Open File Use this to open one or more index.dat files. Any file that is opened is automatically searched for MS Internet Explorer's log entries. Windows usually prevents you from opening the main index.dat file in the browser cache folder with Open File. Other index.dat files, such as the one in the Cookie subfolder of a user profile, can be accessed normally. File Menu Cont.. Open Folder This command is used open and examine several files at the a time. Select a folder in which to open files. Subfolders are browsed optionally, too. File Menu Cont.. Open Disks X-Ways Trace allows you to access floppy and hard disks below file system level. You may access a disk either logically or physically. On most computer systems you can even access CD-ROM and DVD media. A disk that is opened will be entirely searched for index.dat file records, including free space, slack space, Windows swap files, etc. File Menu Cont.. Export: Allows you to save the currently displayed list as a tab-delimited text file e.g. for export to and further processing in MS Excel. Exit: Use this command to end X-Ways Trace. The currently displayed list will be lost. Edit Menu Copy URL: Copies the full Internet address of the selected line of an index.dat file as plain text to the clipboard. Copy Filename: Copies the full filename and path of the selected line of an info2 file as plain text to the clipboard. Look up on Internet: Runs your Internet browser and points it to the address of the selected line, so you can check out that page or picture yourself, provided it is still available. Edit Menu Cont.. Open in WinHex: Runs WinHex and opens the current file or logical drive. Only available if WinHex is installed on your computer. Find Text: This command is used to search for the specified text (e.g. domain, file, or user name) of up to 50 characters in the current file or disk (cf. Search Options). Continue Search: Lets you continue the last executed search operation in the current file or disk at the current position. Edit Menu Cont.. Continue Global Search: This command is used to continue a global search operation in the next file. Remove: Deletes the currently selected item(s) from the list. Does not delete the URLs from the open file or disk. Convert to Local Time: Causes X-Ways Trace to adjust all date & time data to your local time zone, as defined in the Windows Control Panel. Window Menu Window Manager: Displays all windows and provides "instant window switching" functionality. You may also close windows. Close All: Closes all windows and thus all open files and disks. Close All Without Prompting: Closes all windows and thus all opened files and disks without giving you the opportunity to save your modifications. Window Menu Cont.. Cascade/Tile: Arranges the windows in the aforementioned way. Minimize All: Minimizes all windows. Arrange Icons: This command arranges all minimized windows. Help Menu Contents: Displays the contents of the program help. Setup: Lets you switch between the English, the German, and the French user interface. Initialize: Use this command to restore the default settings of X-Ways Trace. Alternatively, delete the trace.cfg file before running the program. Help Menu Cont.. Uninstall: Use this command to remove XWays Trace from your system. Online: Opens the X-Ways Trace homepage (http://www.x-ways.net) or the support forum (http://www.winhex.net) in your browser. About WinHex: Displays information about WinHex (the program version, your license status, and more).
© Copyright 2024 Paperzz