Show and Search for Owner ID in X-Ways

I previously wrote about the digital forensic artifact left behind by a user creating a file on a Windows computer with NTFS. I also showed how to display the owner ID and search for all files owned by that ID. In this post, I am showing how to accomplish the same tasks in W-Ways Forensics (XWF). It is a much shorter post because it is much easier to do.

Owner ID in Details

The first way to see the Owner ID in XWF is by viewing in the Details tab in the bottom pane. Select a file and click on the details tab. This view is pretty similar to EnCase, but it only works if you have the separate viewer component enabled.

xwf-details-owner

Owner ID in a Column

The next way is a nice add that EnCase cannot do. You can turn on the column to show the name or ID while browsing around in the folders and files. Just open the dialog for columns and type in a value. If you have accounts, such as domain users, that aren’t resolving, the column width will have to be a bit wider.

xwf-col-setting

Once you give it a number, you can manually adjust the width to best show the values you have in this case.

xwf-col-view

Filtering on Owner ID

Since XWF shows the values in the column format, it is easy to filter on specific values. Click on the funnel icon and you get this window.

xwf-filter-box

Set that User ID to the value you want, and do a recursive view of the file system. Boom!

 

James Habben
@JamesHabben

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s