Report Tables

WinHex & X-Ways

 

In the directory browser of an evidence object, you can associate notable files with report tables. A report table is a user-defined (virtual) list of files, especially notable files. Files associated with report tables can then be easily included in the case report with all their metadata and even links (pictures can be included directly), and you can filter by their report table association in a recursive view in order to easily locate these files later (like bookmarking files). The filter can reference multiple report tables at the same time (with OR, AND and NOT operators) and even has an option that allows you to additionally include siblings of the files of a certain report table, i.e. files in the same directory. That is useful, especially when exploring recursively and sorting by path, to check whether there are any further notable files in the neighborhood.

 

E.g. you could create report tables like "related to company X", "evidence against suspect A", "incriminating pictures", "unjustified expenses", "forward to investigator B", "print later", "get translated", "show to witness C" etc., and later when you are done viewing files, you can get the big picture of all relevant files by using the report table filter (e.g. "Show me all files related to company X that are also considered evidence against suspect B"). You are practically assigning files to certain custom categories defined by yourself. This also allows you to revisit files later that still need to be closely examined.

 

Having files in a dedicated report table also allows you to conveniently copy/recover them in a single step at a later point in time or get a gallery overview of these files specifically. The same file can be associated with multiple report tables. This can be done in the dialog window that appears when invoking the Report Table Association command in the directory browser context menu, for one file or several selected files at a time. This dialog window does not show the existing associations of the selected file or files (that would be quite complicated to achieve anyway for multiple selected files; instead, simply look at the "Report table" column), but creates new report table associations in a convenient and user-configurable way and/or removes existing associations. The program remembers the report tables selected last for creating associations. In the same dialog window you can also create new report tables, rename or delete existing ones, and remove/override previous associations. For each report table you can specify whether you would typically like to associate only the selected file or directory with that report table and/or at the same time the selected file's parent file (if any) and/or the file's or directory's child objects and/or any known duplicates of the selected file in any currently open evidence object (duplicates that have been identified based on hash values and marked accordingly in the Attr. column, see context menu, as well as hard links except in HFS+).

 

Another option allows you to automatically associate siblings of selected files with report tables. This is useful, for example, when reviewing search hits: if you find a relevant search hit in the attachment of an e-mail message and want to be sure to include the other attachments of the same e-mail message in further processing, even if they do not contain search hits.
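To make the filter semantics above concrete, here is a small model of report table associations, written as an added example for this page (it is not code from X-Ways Forensics or the WinHex manual). It implements the recursive-view filter with OR/AND/NOT operators and the "include siblings" option, plus the sibling association described in the previous paragraph; all table names, paths and the helper names (ReportTables, build_sample) are constructed assumptions.

```python
# Added example, not X-Ways Forensics code: a minimal model of report table
# associations and the report table filter (OR / AND / NOT, plus siblings).
from collections import defaultdict
import posixpath


class ReportTables:
    """Maps report table names to the set of file paths associated with them."""

    def __init__(self):
        self.tables = defaultdict(set)  # report table name -> {file paths}
        self.files = set()              # all files in the (virtual) volume snapshot

    def add_file(self, path):
        self.files.add(path)

    def associate(self, path, table):
        if path not in self.files:
            raise KeyError("unknown file: %s" % path)
        self.tables[table].add(path)

    def associate_with_siblings(self, path, table):
        """The option from the text: also associate files in the same directory
        (e.g. the other attachments of the same e-mail message)."""
        parent = posixpath.dirname(path)
        for f in self.files:
            if posixpath.dirname(f) == parent:
                self.tables[table].add(f)

    def tables_of(self, path):
        """Equivalent of the 'Report table' column for one file."""
        return {t for t, members in self.tables.items() if path in members}

    def filter(self, any_of=(), all_of=(), none_of=(), include_siblings=()):
        """(any_of OR ...) AND (all_of ...) AND NOT none_of; afterwards the
        directory siblings of members of include_siblings are added (assumption:
        siblings are added after the operators have been applied)."""
        result = set().union(*(self.tables[t] for t in any_of)) if any_of else set(self.files)
        for t in all_of:
            result &= self.tables[t]
        for t in none_of:
            result -= self.tables[t]
        sibling_dirs = {posixpath.dirname(p) for t in include_siblings for p in self.tables[t]}
        result |= {f for f in self.files if posixpath.dirname(f) in sibling_dirs}
        return sorted(result)


def build_sample():
    """Constructed sample snapshot with a few associations (not real case data)."""
    rt = ReportTables()
    for p in ["/mail/msg1.eml", "/mail/att/invoice.pdf", "/mail/att/photo.jpg",
              "/docs/contract.docx", "/docs/notes.txt"]:
        rt.add_file(p)
    rt.associate("/mail/att/invoice.pdf", "related to company X")
    rt.associate("/mail/att/invoice.pdf", "evidence against suspect A")
    rt.associate("/docs/contract.docx", "related to company X")
    rt.associate("/docs/notes.txt", "print later")
    return rt
```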

 

If you need to categorize a lot of files with the help of report tables, you can also use keyboard shortcuts. X-Ways Forensics automatically assigns the shortcuts Ctrl+1, Ctrl+2, ..., Ctrl+9 to your report tables. In the dialog window for report table associations you can also assign these shortcuts to report tables yourself, by simply pressing the keys while a report table is selected. Alternatively you may simply press the keys in the numeric pad on your keyboard if Num Lock is active, without Ctrl. This will not be considered normal input in the directory browser although the Ctrl key is not pressed. The numpad keys may not work on all computers. Ctrl+0 removes all report table associations from the selected files. Alt+1, Alt+2, ..., Alt+9 removes the associations with the related report table from the selected files.

 

Optionally the next item in the directory browser can be automatically selected after associating one item with a report table. A 3-state checkbox allows you to do that either never or only for associations created with keyboard shortcuts or for all association methods.

 

You may enter a free text description for any report table, by clicking the button with the "properties" icon in the report table association dialog. The description will be included in the case report if the report table is output. This is useful for some explanation of what the report table is about, and helps to keep the report table name itself, which appears in many places in the user interface, more concise.

 

There is an option to create report table associations for files based on the search terms that they contain according to the "Search terms" column. This is useful if you wish to keep the information about which file contains which search terms even after deleting search hits, or to preserve it in evidence file containers. Report tables representing contained search terms are the 3rd kind of report tables, the first two being report tables created by X-Ways Forensics to make the user aware of certain file specialities and user-created general purpose report tables.

 

Another option allows you to convert matching hash sets to report table associations. This can be useful for example if you wish to recreate your hash database from scratch or delete your hash database, and do not only wish to preserve the hash category of known files in the volume snapshot, but also the exact matching hash set names. It is also useful if you wish to add files to an evidence file container and let the recipient know the original hash set matches, not only the hash category. These auxiliary report tables are highlighted in a different color to distinguish them from other kinds of report tables. Associations with hash set based report tables can also be created on the fly when copying files to an evidence file container.

 

In total there are 5 different kinds of report tables: 1) user-created report tables, which may or may not be meant for report purposes, 2) report tables created by X-Ways Forensics to make the user aware of special properties of files, 3) report tables representing search terms that are contained in a file, 4) report tables representing hash sets in which a file was found, 5) report tables representing groups of duplicate files. To avoid a bloated list of report tables available for selection during report creation, report tables are now offered in that dialog window only if they are actually intended for report purposes. That is assumed by default for all user-created report tables. You can toggle the report purpose of each report table in the report table association dialog window, by assigning or removing the "star" symbol.

 

It is possible to save and load lists of report table names in the report table association dialog window. This is useful to start right away with a set of predefined report tables as typically needed for a certain kind of case. The maximum number of report tables in a case is 1000.

 

Report table associations can be exported and imported. See Alternative Ways of Sharing Analysis Work.

 

In order to output report tables to a report (the original purpose of report tables, hence their name), use the Create Report command in the Case Data window.

 

Report table associations are also used internally and created automatically by X-Ways Forensics, to make the user aware of various potential specialties of certain files. It is up to you whether you wish to follow up and take a closer look at those files or not. The names of internally created report tables are displayed as indented and in a different color, to avoid mix-up with your own report tables. Automatically generated report tables include:

 

No detectable textual contents

Unable to decode text

For error messages see Metadata

Unable to explore

Empty archive?

Spanned archive

No e-mails found

Path too long.

Large non-resident $EA

Animated GIF

Animated PNG

Multi-page TIFF

Multi-page JPEG marker

Phone screenshot?

Zip bomb? Not fully processed

Unexpected tail (SFX?) / Contains unknown segment (SFX?)

FSG Packer / PECompact / UPX / Unknown segment / Binder?

Contains embedded document(s)

Contains embedded object(s)

Contains embedded file

Contains hidden file

Hybrid MS Office document!

RAR hybrid

Contains embedded non-JPEG/non-PNG picture

Contains invisible old revisions

Concatenated-PDF

Contains private chunk

No pictures extracted

Reason for crash?

Unsupported file type variant

Omitted

Not copied

Virus suspected

Unable to read

Not decompressed