Multi-User Coordination for Large Cases


All cases created or opened with v17.5 and later offer enhanced multi-user support, where X-Ways Forensics distinguishes between different examiners working with the same case at different times or at the same time and keeps their results separate. Multi-user support is especially helpful for large cases. Cases opened with v17.5 and later cannot be opened with earlier versions. A maximum of 255 users (examiners) is supported per case. Examiners are recognized internally by their Windows user accounts.


Multiple users may open the same evidence objects in the same case simultaneously for examination. By same case we mean the same case file, not a copy, stored in a shared network location or on a terminal server. X-Ways Forensics is responsible for synchronizing report table associations, comments and additions of files to the volume snapshot, and for making users aware of access conflicts before they occur and preventing them in most situations.


All related options can be found by clicking the button labelled "Multi-user support options" in the case properties dialog window. In particular, when creating the case (and only then), you can choose to make X-Ways Forensics not distinguish between different users. That would be useful if you know that only you will process that case and if you wish to process it on different computers where you have Windows accounts with different SIDs, so that you will always be treated as the same user. It is also useful if multiple users are going to process the same case at different times and wish to share all their results directly, as was the case in X-Ways Forensics before v17.5.


Another multi-user support option coordinates certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. It may have some performance benefits if disabled. Disabling this synchronization is recommended only for cases that are definitely processed by only 1 user at a time.


Report table associations and comments of different examiners can optionally be visually distinguished, by showing the creating examiner's initials (default), or alternatively other abbreviations of their names or (if no abbreviation is specified) their complete usernames. Examiners can choose whether they get to see report table associations of other users or only their own associations (or, if half-checked, only their own associations plus those of unknown users). The same file can be associated with the same report table only by 1 examiner. X-Ways Forensics imports and shows newly created report table associations of simultaneous other users in shared analysis mode when re-opening an evidence object, when the case auto-save interval elapses, or when manually invoking the Save Case command. The option to show initials for report table associations is represented as a 3-state checkbox. If half-checked, it has an effect on the directory browser only, not on, for example, the Export List or Recover/Copy command, and not on the case report.


X-Ways Forensics remembers the "tagged", "already viewed" and "excluded" status of files separately for each examiner. You can choose to adopt the "already viewed" status of files in volume snapshots from all other examiners when opening evidence objects. That is useful if the goal is to avoid duplicate work, i.e. if you do not wish to review files that were already reviewed by any of your colleagues. Please note that individual file statuses ("tagged", "already viewed" and "excluded") as well as search hits of other users are lost if one examiner removes items from the volume snapshot.


Search hits and search terms are stored on a per-user basis as well. The first examiner opening an older case with v17.5 or later will absorb the search hits and search terms that were stored in the case by v17.4 or earlier. The "Multi-user support options" dialog window contains a button that allows you to import the search hits and search terms of another user. An option is available to limit the import of another user's search hits to search hits that are marked as notable or to that user's manually defined search hits (so-called user search hits). Another option allows you to take away the search hits from the other user when importing them. That is useful if the other user is going to resume his or her work later and will want to import your search hits back when taking over again: it avoids duplicate search hits, because your search hits already include his or her hits after you have imported them.


To view all the results of a colleague (report table associations, search hits, tag marks, already viewed status of files, exclusion status of files), you can open the case in read-only mode as him or her. For that, try the "Options..." checkbox when opening a case. You may prevent your colleagues from opening the case in read-only mode as you.


The "Options..." checkbox allows you to open a case in any of the following three modes:

1) entire case read-only (case file and volume snapshots),
2) cooperative analysis mode (ability to produce report table associations, comments, search hits, and virtual files; tag files; remember already viewed files; exclude files),
3) full access.


If the same user wishes to open the same case (the same copy) in more than 1 instance of the program simultaneously, that user has two options. Either

1) in the second instance the entire case (including evidence objects) is opened as read-only, or
2) the user opens the case as a separate, fictitious user (called his or her "alter ego") with separate file statuses, search hits, report table associations etc. (shared use of the case and the evidence objects is coordinated by X-Ways Forensics exactly as if the alter ego was a real, different examiner, even though the username is the same).


The aforementioned "Options..." checkbox allows you at any time to open the case as your alter ego, not only when opening the same case in a second instance of the program. It also allows you to open a case in shared analysis mode if it is not open anywhere else at the moment.


Multiple users running searches, creating report table associations, entering or editing comments, editing extracted metadata, tagging files, excluding files and marking files as already viewed are all supported for the same evidence object at the same time. Removing items from a volume snapshot while the evidence object is open somewhere else, however, is forbidden and will be refused by the program. The goal of the multi-user coordination in v17.5 and later is to support concurrent analysis/review work by multiple examiners. Removing files from a volume snapshot is not considered ordinary review/analysis work. Volume snapshot refinements should be done systematically in advance.


The initials of the examiner who has attached files to the volume snapshot or manually carved files in v17.5 and later can be seen in square brackets next to the filename, so that it is easy to tell who has introduced such files to the case.


The right to make technical changes to the way in which multiple simultaneous users are coordinated is reserved. To be on the safe side, please make sure that simultaneous users are running the same version of the software.


Last but not least, v17.5 allows you to review the processing history of a case in its properties. This reveals which versions were used on it (recorded only by v17.3 SR-10 and later, v17.4 SR-4 and later and v17.5 and later) and by which users (recorded only by v17.5 and later).


You may turn off "Coordinate processing by simultaneous users more carefully" for some performance benefits if there is only one user of a case at a time.


There is an option to always suggest shared analysis mode when opening a case. That mode can be useful even for the first of many simultaneous users that open the same case, because only in that mode are newly created report table associations shared out to other simultaneous users at regular intervals (depending on the case auto-save option).


Alternative Ways of Sharing Analysis Work


Option #1: Multiple computer forensic examiners can work simultaneously, each with their own copy of the same case (always copy both the .xfc file and the corresponding subdirectory), and exchange results with each other or reconcile all results in the main copy of the case, by exporting and importing report table associations (i.e. their categorization of all the relevant files, e-mails, etc.).


Option #2: Potentially relevant files are copied from the original evidence objects to multiple evidence file containers. The containers are examined by different investigators simultaneously in newly created cases (in X-Ways Forensics or X-Ways Investigator). They also can export their report table associations, which can then be imported back into the original case.


Both commands, the export and import of report table associations, can be found in the context menu of the case tree. Export is supported at the case and evidence object level, import at the case level. The names of the examiners/investigators could be included in the names of the report tables if in the original case it should be obvious who created which associations. Please note that you cannot import report table associations in the original case any more if you have taken a new volume snapshot or if you have removed objects from the volume snapshot in the meantime, because in that situation it is not guaranteed that the internal IDs of the files remain the same and that a reliable association is possible. The import works only if you import into the same evidence object that you export from, i.e. the same evidence object in a case in X-Ways Forensics, or in a copy of the same case. It does not help if it's the same image or disk in a different case. Even if it is the same case and the disk or image was removed from the case and later added again, it will not be considered the same evidence object any more. However, you (e.g. as a user of X-Ways Investigator) can export from an evidence file container in a new case and have a user of X-Ways Forensics import the report table associations into the original evidence object in the original case, from which the files in the container originate. That is possible because the evidence file container has information that allows the original evidence object to be identified.


Distributed Volume Snapshot Refinement


X-Ways Forensics allows you to refine the volume snapshots of different evidence objects of the same case using multiple machines on the same network, simultaneously, to save time through parallelization.


Each user/computer opens the same .xfc case file (the same copy on the same computer). All participating users/computers or all except for one (the master session) have to open the case as partially read-only, i.e. only allowing for shared analysis work/distributed volume snapshot refinement. This can be done by checking the “Options…” box in the Open Case dialog window, or you will be prompted automatically when opening the case if the case is already open in another session as not read-only (i.e. in the master session). Other sessions will see the refinement results at the latest when refinement has completed and when the respective evidence object is re-opened. The case does not have to be closed and re-opened.


You have the option to specifically open individual evidence objects (not the entire case) with the volume snapshot treated as read-only, using a dedicated command in the evidence object context menu in the Case Data window. Please note that this has nothing to do with how the evidence object itself (the disk or the image) is treated. X-Ways Forensics never alters data in sectors of disks or interpreted image files when opening them as evidence objects. Only the volume snapshot, i.e. the database with information about all the files and directories found, is either read-only or, and that is the normal state, changeable.