Some thoughts about W4

[Fabian]

Hi, 

thanks for fixing my forum permissions, now I can post in the W4 section 😀

We are using W4 in several data theft cases with good results. With a few changes to the product we also could use it with other cases like CP / sexual abuse type of cases. Also we noticed some features need a bit of polishing:

• The “export to csv” option is somewhat broken. If columns contain a comma no escaping of the separation character was used in previous W4 versions. The latest version adds a text-qualifier for values that contain a comma. Usually the “item id” is the first column if it exceeds 999 items it is displayed as “1,000” in W4 and also written as “1,000” to the csv-file. If numbers are exported to a csv-formatted-file it would be expected to omit any 1000-separation character and only have the decimal character present.
• When choosing the columns for a csv-export, the selection of columns is not retained between exports and has to be redone each time you choose to export data. Even remembering the last export settings would be somewhat flawed. Intella like presets would be much appreciated. A suggestion on that matter would be to add an Excel or CSV style report in the reporting section. That way the settings could be saved via the search profile (I guess). 
• The processing of browser artifacts is very helpful. However our tests showed, that only information is extracted from the file system. It would be a nice feature to have browser artifacts from unallocated spaces and system files like hiberfil.sys, pagefile.sys and swapfile.sys.
• The reporting feature has been greatly improved. However we are missing an Intella Style original View of items within the reports. If this is a feature distinction between Intella and W4 I can understand that. However other disk forensic tools have at least some reporting capabilities for e-mail bodies etc.
• Usually when I work with disk forensic tools I have the view/previewpane detached from my main window and have it fill my 2nd monitor. That way the Preview is much better readable and it makes room for some more columns in the main window. Please consider a detachable (pre)viewpane.
• The Explore feature could be improved by adding an "industry standard" "green plating" feature, that recursively displays all contents of the selected folders. If greenplating would also work in a multi-select style way by using the ctrl+shift keys that would even be better (example: Select  UserA and UserB within c:\users but not UserC and UserD
• I'm missing a flag like feature where I can just mark a bunch of pictures (thumbnial view) / table rows by hitting the space bar. Usually when hitting the space bar the tag menu comes up (because the tag button is active). However this does not work consistently and selecting a specific tag each time slows down the workflow.
• I was not able to navigate the thumbnail view by using the cursor-arrow keys. The cursor keys are either moving around in the search pane on the left or in the preview pane to the right. But I cannot move the highlighted image in the center view. 
• The time-selection tool at the bottom should be hideable when not needed
   

Best regards,

Fabian

[Primoz]

Hi Fabian,

You're welcome.

Please see my answers below:
1. I see how this could be helpful. Ticket for this was created and will hopefully be tackled in on one of the future releases.
2. It really is just a basic CSV export functionality. Presets would indeed make things more usable. We will think about whether it makes sense to make it part of reporting functionality though.
3. We will consider this.
4. Like you've already found out - we suggest using Intella for more detailed reporting.
5. Good idea. Ticket was created for this.
6. So the idea there is to show all folders/files in the selected folder instead of direct children (like it's working now)?
7. Would possibility to assign shortcuts to tags work for you? Or are you strictly after "flagging" functionality?
8. That indeed could be improved.
9. So you mean to make it collapsible - similar to how previewer can be hidden?

[Fabian]

Hi Primoz,

sorry for my late reply, and thanks for putting some of my suggestions to the roadmap.

 

6. So the idea there is to show all folders/files in the selected folder instead of direct children (like it's working now)?

Well it was more aimed at the general representation of the evidence's folder structure. In traditional disk forensic tools (e.g. EnCase), your starting point for an investigation usually is a directory tree. The location view of W4 (and Intella) tries to give the user an idea of the folder structure, but I personally find it a bit cumbersome to work with, when I want to view the contents of a certain disk, directory or a combination of directories. I understand that W4 has a different approach, however if a more versatile disk view was to be implemented it would make the tool more versatile.

7. Would possibility to assign shortcuts to tags work for you? Or are you strictly after "flagging" functionality?

A shortcut to tags would be sufficient. Another feature of flags is, that check-marks are displayed within the current view. So it easy to see if an item has been flagged or not. That kind of representation is currently missing for tags (I think).

9. So you mean to make it collapsible - similar to how previewer can be hidden?

 

Yes

regards,

Fabian