Presentation TITLE: Processing X-Ways Forensics Evidence
GENERAL:
This lecture centers on processing and reprocessing some of the output of the X-Ways forensic
software. X-Ways provides an excellent process for retrieving meta-data from files such as
documents, graphics, link, PDF and other files, all of which is useful to the investigator and
the discovery process. However, the meta-data field which X-Ways creates is not easily
reprocessed in a text file or in a spreadsheet. The demonstration will show how to use a custom
program to take the meta-data field and parse it into a more usable list for examination or
discovery. The X-Ways (HTML) report also contains a significant amount of “noise” in the
meta-data information. Another program will show how to reduce the noise in the HTML report to
that which is usable and easily explained.
In addition, the following programs will be demonstrated:
A program to process EML (text) files and produce delimited data which contains ALL the header
information in a usable format ready for processing.
A program which can search files (including extracted free space) for items such as IP addresses,
SSNs, email addresses, phone numbers, URLs, and credit card numbers. It produces output
which can be easily imported into Excel for further manipulation.
The forensic copy program which can be used to forensically copy (and verify) file copies for
preservation.
Finally, a method of “tagging” intellectual property will be shown. This process can possibly be
used to track or trace intellectual property when it shows up on a competitor’s computer system.
Speaker: Dan Mares
Dan Mares is a 27-year law enforcement retiree. He began writing software programs to facilitate
the analysis of seized electronic data in 1986, and developed the Maresware suite of
investigative software programs.
Dan assisted in the development of the Seized Computer Evidence Recovery Specialist
and Computer Investigation in an Automated Environment courses at the Federal Law
Enforcement Training Center in Glynco, Georgia, and the Basic and Advanced Data
Recovery Classes at the National White Collar Crime Center.
Dan has been President and Vice President of the Atlanta area High Tech Crime
Investigators Association, and a member of the International Association of Computer
Investigative Specialists. He is a current board member of the ICFP (Institute
of Computer Forensics Professionals). Dan received the HTCIA 2006 Lifetime
Achievement Award. Dan is a member of the AIU (American Intercontinental
University) Dunwoody Forensics Advisory Board (2006, 2007).
Dan holds a number of computer forensic certifications.