X-Ways Forensics X-Tensions

Automate investigative tasks and extend the functionality of X-Ways Forensics with X-Tensions.

API documentation here.


Some of the publicly downloadable X-Tensions that we know of. Please message us to get your X-Tension listed. That we mention an X-Tension here does not mean that we consider it particularly useful or wish to endorse it in any way.

XT_RAW
by Alexander Kuiper
v18.1 or later required, v19.1 or later recommended

Identifies and converts RAW files created by modern digital cameras.

Detection by filename extension: 3FR, ARI, ARW, BAY, CAP, CINE, CR2, CRW, CS1, CS16, CS4, DATA, DC2, DCR, DCS, DNG, DRF, DSC, EIP, ERF, FFF, HDR, IA, IIQ, K25, KC2, KDC, MDC, MEF, MFW, MOS, MRW, NEF, NRW, OBM, ORF, PEF, PPM, PTX, PXN, QTK, R3D, RAF, RAW, RDC, RMF, RW2, RWL, RWZ, SR2, SRF, SRW, STI, TIF, TIFF, X3F

Detection by file header signature: ARW, CR2, CRW, DCR, FFF, MOS, MRW, NEF, NRW, ORF, PEF, RAF, RAW, RW2, RWL, SRW, X3F

Conversion to JPEG: ARW, CR2, CRW, DCR, DNG, ERF, KDC, MDC, MEF, MRW, NEF, NRW, ORF, PEF, RAF, RAW, RW2, SR2, SRF, SRW, TIF, X3F

KPF a.k.a. C4All
by Steve Frawley

Download Directory
X-Tension Information

C4All Forum
(to download the latest version and for more information)

YouTube videos: 1, 2, 3

For more information please check elsewhere, for example in the C4All Forum. Thanks.

v18.8 or later recommended

"C4All is a program used by law enforcement and others to categorize pictures and videos.

This X-Tension is for users of C4All. The guides that are included describe how to best use the X-Tension with the Strategy hash sets, but your own hash sets can be used. Also, it is based on the file types (video and pictures) that C4All presently uses and searches for.

With this X-Tension, you will be able to process with the speed of X-Ways, and be completing most of the C4Prep stage all at once (like skin tone % and video stills).

Benefits of the X-Tension
-speed, fewer steps to follow than the original C4All process
-even faster if run locally and saved locally. Up to 30 GB/min speeds on SSD drives observed.
-crash protection. Use X-Ways' ability to resume if there is a crash during preparation of data.
-If the X-Tension is interrupted there is the option to resume, start new or, if needed, just make a new XML file
-ability to filter out irrelevant files and false positive carved files before C4All extraction.
-Hash sets are connected to X-Ways and not SQL Server. This allows for known irrelevant or good files to be excluded from extraction. Also SQL Express can be used (free) as the only database used would be a local database and would not grow to be too large.
-These hash sets are transferable by simply copying the folder and pointing X-Ways to the storage location. No need to wait all day for the database to be created.
-ability to use your own hash sets. Up to 65,000+ separate hash sets.
-Better resulting folder structure, especially when run against many evidence objects in one case.
-Results can be extracted from C4All in HashKeeper format to be easily brought back into the X-Ways case. No need to run the EnCase bookmarking EnScript.
-thumbnails are extracted from files that include thumbnails or are created by X-Ways due to original picture size. If a thumbnail exists in a file it is not used twice, reducing duplicate files.
-When processing, all functions of X-Ways are available during the X-Tension run phase.
-Able to use X-Ways reporting features for court and presentation.
-video stills extracted using free mplayer or forensic framer from within X-Ways"

Binary Large Object X-Tension
by Christopher Lees
?

This X-Tension is used to extract Binary Large Object (BLOB) data from SQLite databases.
This is data, such as picture or movie files, which can be difficult to carve out of database files because of the way the database file is structured (a BLOB may be split across pages and overflow chains rather than stored contiguously).
The X-Tension will create a child folder for each table within the database that contains a BLOB field.
The data will then be extracted into this folder; the name of each file is the SQLite BLOB field name combined with the primary key field (or ROWID if there is no primary key).
All the extracted data will also be added to a report table so that it can be processed further if required. This is a good idea when looking for picture files, as the actual image data often starts a few bytes into the BLOB.

See text file for more information.

BeyondCompare X-Tension
by Chad Gough
?

Allows an examiner to select any two files in X-Ways and quickly send them to Beyond Compare for review. Beyond Compare, from Scooter Software, is a 3rd party file comparison tool that has built-in support/viewers for the comparison of binary/hex, tab and comma separated files, graphic/image files, registry data, source code, executables, Microsoft Word/Excel, and Adobe PDF documents. Plug-ins for additional file types can be downloaded from here.

This X-Tension is free for both personal and commercial use and requires Microsoft's .Net Framework v3.5 and a valid license/installation for Beyond Compare.

Note: Although this X-Tension was specifically designed for use with Beyond Compare, in theory any application that takes two file names as command-line arguments should work (e.g. program.exe file1 file2).

VirusTotal X-Tension
by Chad Gough
v16.9 and later

Allows an examiner to check the status of a file via the VirusTotal API directly from within X-Ways Forensics and get the status in the messages window. Note that this does not submit the file to VirusTotal; it only looks up the file's hash value to see whether an existing report exists and retrieves the results, so the file contents never leave the examiner's machine. All checks are performed via SSL. Developed and tested with X-Ways Forensics 17.7, but should work with any version past v16.9. Based on Chad Gough's own C# adaptation of the X-Tension API. Requires Microsoft's .Net Framework v3.5 and a valid public (or private) API key from VirusTotal, which can be obtained for free from here.

Luhn Credit Card Check
by X-Ways Software Technology AG
32-bit, 64-bit, for all versions

Can be used during GREP searches for credit card numbers. Verifies all search hits using the Luhn algorithm and discards those that fail the check, to reduce the output of irrelevant numbers. Load the X-Tension in the dialog window of the simultaneous search. If you believe that our X-Tension does not correctly employ the algorithm and lets too many false hits pass through, convince yourself here that the Luhn algorithm is weak (enter one of the numbers that you get and that does not look like a valid credit card number, and click "Validate Luhn"): Luhn is a single check digit, so roughly one in ten arbitrary digit strings passes it. Last updated April 13, 2012. Source code included in our C++ API download.

Multiple File Finder
by Werner Rumpeltesz
v17.0

Can search for file names and/or path names and add the matching files to a specific report table. Additionally, files can be exported and automatically renamed in different ways. After the search has finished, external applications can be run to take over the further analysis of the exported files.


Submission

When you have created an X-Tension, please contact us and describe (in English):