VOID
XWF_GetVolumeName( HANDLE hVolume, LPWSTR lpBuffer, DWORD nType ); |
Retrieves the name of the volume in UTF-16, 255 characters at most. 3 types of names are available (1, 2 or 3). For example, 3 can be more generic than 2 ("Hard disk 1" instead of "WD12345678"). |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_GetVolumeInformation( HANDLE hVolume, LPLONG lpFileSystem, LPDWORD lpBytesPerSector, LPDWORD lpSectorsPerCluster, PINT64 lpClusterCount, PINT64 lpFirstClusterSectorNo ); |
Retrieves various information about the volume. All parameters are optional, and most are self-explanatory.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64 XWF_GetProp( HANDLE hVolumeOrItem, DWORD nPropType, PVOID lpBuffer ); |
Available in v19.9 SR-7 and later. Retrieves information about the specified volume or item, either through the buffer or the return value, depending on what kind of information you require (nPropType). If through the return value, you may need to cast it to the appropriate type in order to correctly interpret/understand it.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64 XWF_GetSize( HANDLE hVolumeOrItem, LPVOID lpOptional ); |
Deprecated. If your X-Tension requires v19.9 SR-7 or later anyway, call XWF_GetProp() instead, please. Returns the size of the volume or physical size of the file to which you provide a handle. lpOptional is supported from v16.7 SR-8. This parameter must be NULL in earlier versions. (LPVOID) 1 will make this function retrieve the logical file size (which may be different from the size that was known of the file in the volume snapshot before it was opened), (LPVOID) 2 the valid data length (a.k.a. initialized size of the data stream, which may be available from NTFS, exFAT, XWFS, XWFS2). |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_GetSectorContents( HANDLE hVolume, INT64 nSectorNo, LPWSTR lpDescr, LPLONG lpItemID ); |
Retrieves information about a certain sector on a volume. Returns FALSE if the sector belongs to an unused/free cluster, otherwise TRUE. lpDescr: Retrieves a textual description of what this sector is used for. Can be the name and path of a file or something like "FAT 1". May be language specific. Use a buffer that has space for 511 characters and a terminating null. lpItemID: Optional. Retrieves the ID of the item in the volume snapshot that the sector is allocated to, if any, otherwise -1. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE XWF_OpenItem( HANDLE hVolume, LONG nItemID, DWORD nFlags, ); |
Available in v16.5 and later. Opens the file or directory that is contained in the specified volume and that has the specified ID for reading and returns a handle to it, or 0 if unsuccessful. nFlags values are supported by v17.5 SR-11, v17.6 SR-7, v17.7 and later unless specified otherwise:
0x0001 = open for access including file slack |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID XWF_Close( HANDLE hVolumeOrItem ); |
Available in v16.5 and later. Closes a volume that was opened with the XWF_OpenEvObj function or an item that was opened with the XWF_OpenItem function. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DWORD XWF_Read( HANDLE hVolumeOrItem, INT64 nOffset, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, ); |
Reads the specified number of bytes from the specified position in the specified volume or item into the specified buffer. Returns the number of bytes read. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64 XWF_Write( HANDLE hVolume, INT64 nOffset, LPVOID lpBuffer, DWORD nNumberOfBytesToWrite, ); |
Writes the specified number of bytes in the specified buffer at the specified position to the specified volume. Works only in WinHex, not in X-Ways Forensics. Returns the number of bytes written, or -1 if a complete failure occurred. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPVOID
XWF_GetDriveInfo struct DriveInfo* pDInfo ); #pragma pack(2) |
Not currently implemented. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DWORD XWF_SectorIO( LONG nDrive, INT64 nSector, DWORD nCount, LPVOID lpBuffer, LPDWORD nFlags ); |
Reads or writes the specified sectors number from or to the specified disk or image or partition or volume or RAID. May be called when processing XT_SectorIO(). Returns the number of sectors read/written/covered. nDrive is a device/disk/partition/volume/image/RAID identifier. nFlags may be NULL if you do not wish to specify or receive any flags. Available from v18.4.
nFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_GetBlock( HANDLE hVolume, PINT64 lpStartOfs, PINT64 lpEndOfs ); |
Available in v17.7 and later. Retrieves the boundaries of the currently selected block in the window that represents the specified volume, if any. Returns FALSE if there no block is defined. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_SetBlock( HANDLE hVolume, INT64 nStartOfs, INT64 nEndOfs ); |
Available in v17.7 and later. Sets the boundaries of the currently selected block, if any. Returns FALSE if the boundaries that you specify exceed the size of the volume. Set nEndOfs to -1 to clear any currently defined block. If you wish to refresh the display, you can for example call the Windows API function InvalidateRect() for the current data window's hex window. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64
XWF_GetCaseProp( LPVOID pReserved, LONG nPropType, PVOID pBuffer, LONG nBufLen ); |
Available in v17.2 and later. Depending on nPropType, either returns information about the current case as a 64-bit integer OR retrieves such information in a buffer that you supply. The buffer size for strings is to be specified in characters (UTF-16). pReserved must be NULL. Unless otherwise noted, returns the original length of the requested string in characters, or the number of bytes for other buffer types, or a negative number if an error occurred, for example if no case is active. Much of the functionality of X-Ways Forensics and WinHex Lab Edition is available when not working with a case (when no case was created/opened in the program), after just having opened a disk or image or even an ordinary single file, including the ability to run X-Tensions. If the X-Tension specifically works with the evidence objects of a case, not just the snapshot of the volume represented by the active data window or the single file represented by the active data window, yet the user tries to run the X-Tension with no case / no evidence objects open, then the X-Tension should simply tell the user that it only works with a case and cannot do anything without (and it should not try do provide NULL pointers/handles where pointers/handles to evidence objects are expected). X-Ways Forensics itself also refuses to let the user do certain things when no case is active.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE
XWF_GetFirstEvObj( LPVOID pReserved ); |
Retrieves a handle to the first evidence object in the case, or NULL if the active case has no evidence objects or (in releases from June 2016) if no case is active. In conjunction with XWF_GetNextEvObj this function allows to enumerate all evidence objects of the case. pReserved must be NULL. Available from v17.6. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE
XWF_GetNextEvObj( HANDLE hPrevEvidence, LPVOID pReserved ); |
Retrieves the next evidence object in the chain if there is another, or otherwise NULL. pReserved must be NULL. Available from v17.6. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE
XWF_DeleteEvObj( HANDLE hEvidence ); |
Removes the specified evidence object from the case. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE
XWF_CreateEvObj( DWORD nType, LONG nDiskID, LPWSTR lpPath, PVOID pReserved ); |
Available in v16.5 and later. Creates one or more evidence objects from one source (which can be a physical storage device, logical drive letter, disk or volume image, memory dump, a directory/path, or single file) and returns the first evidence object created, or NULL in case of an error (for example if that particular disk or image had been added to that case already). A case must already be loaded. If more than 1 evidence object is created (for example for a physical disk that contains partitions, which count as evidence objects themselves), use XWF_GetNextEvObj to find them. Evidence objects should not be created during an ongoing volume snapshot refinement or search etc. Potentially time-consuming if the volume snapshot is taken by X-Ways Forensics immediately when the evidence object is added.
nType:
The following flags can be ored to an nType of 0 or 3
if needed, i.e. for single files and directories. The flags will be
understood by v21.1 and later and ignored by earlier versions. nDiskID: 3 for drive letter C:, 4 for drive letter D:, etc.; -3 for physical hard disk 0, -4 for physical hard disk 1, etc., currently must be 0 for an image, memory dump, directory or file lpPath: Path in case of a file, image, memory dump, or directory, otherwise NULL. v19.3 and later: For an image or memory dump, the filename may contain an asterisk, for example to add all images in a directory to a case with a single function all, e.g. Z:\Images\*.e01. In such a case the function would return the handle to the evidence object that represents the last image that was added. pReserved: Must be NULL. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE
XWF_OpenEvObj( HANDLE hEvidence, DWORD nFlags ); |
If not currently open, opens the specified evidence object in a data window. A handle to the evidence object is expected for that, which is returned by the functions XWF_GetFirstEvObj, XWF_GetNextEvObj, and XWF_CreateEvObj. Such a handle remains valid until a case is closed. Opening an evidence object at the operating system level also means opening the corresponding disk or image file or interpreting the image file (if the evidence object is an image). This will also load or take the volume snapshot. This function returns a handle to the volume that the evidence object represents. Use this function if you wish to read data from the disk/volume or deal with its volume snapshot. Opening an evidence object is potentially time-consuming if the volume snapshot has to be taken at that time. Returns 0 if unsuccessful or otherwise a handle to the disk/volume that you can use with the Disk and General I/O Functions. Available from v17.6. nFlags must be 0 in v18.0 and older.
nFlags supported from v18.1: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_CloseEvObj( HANDLE hEvidence ); |
Closes the specified evidence object if it is currently open, also the volume that it represents, and unloads the volume snapshot. Does nothing if the evidence object is not currently open. Available from v17.6. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64
XWF_GetEvObjProp( HANDLE hEvidence, DWORD nPropType, PVOID lpBuffer ); #pragma pack(2) |
Retrieves information about the specified evidence object, through the buffer and/or the return value, depending on what kind of information you require (nPropType). If through the return value, you may need to cast it to the appropriate type in order to correctly interpret/understand it. This function does not require that the evidence object is open. General error return code is -1. Available from v17.6.
*Flags: 0x0100: Is an evidence file container yes/no
0x010000: Index available yes/no In the structure DaylightSavingsDefinition, FlagsAndMore in its highest bit tells you whether or not daylight saving is happening in that time zone. If not, you can ignore all the remaining bytes. If daylight saving is defined, then you learn the start hour and the end hour in two separate bytes. Two more bytes tell you the start and end day of the week in the higher nibble, where 0 means Sunday, and the number of that weekday in its respective month in the lower nibble, where 5 means it's the last such weekday in that month. Two more bytes tell you the start and the end of month of daylight saving, from 1 (January) to 12 (December). |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_SetEvObjProp( HANDLE hEvidence, LONG nPropType, PVOID pBuffer, ); |
Sets information about the specified evidence object. See above for possible values of nPropType. Only those marked * cannot be used with this function. Strings must be null-terminated. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE
XWF_GetEvObj( DWORD nEvObjID, ); |
Retrieves a handle to the evidence object with the specified unique ID. Returns NULL if not found. The unique ID of an evidence object remains the same after closing and re-opening a case, whereas the handle will likely change. The evidence object number may also change. That happens if the user re-orders the evidence objects in the case. The unique ID, however, is guaranteed to never change and also guaranteed to be unique within the case (actually likely unique even across all the cases that the user will ever deal with) and can be used to reliably recognize a known evidence object. Available from v18.7. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPVOID
XWF_GetReportTableInfo( LPVOID pReserved, LONG nReportTableID, PLONG lpOptional ); |
Available in v17.7 and later. If nReportTableID designates an existing label or report table in the current case, returns a pointer to the null-terminated name of that label/report table, or otherwise NULL. nReportTableID may be set to -1 to retrieve the maximum number of labels/report tables supported by the active version in the integer pointed to by lpOptional. Valid label/report table IDs range from 0 to (maximum number-1). pReserved must be NULL. lpOptional must point to a 0 when called.
In v18.1 and later, the variable pointed to by lpOptional
will receive flags, among others the following ones: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPVOID
XWF_GetEvObjReportTableAssocs( HANDLE hEvidence, LONG nFlags, PLONG lpValue ); |
Available in v17.7 and later. Returns a pointer to an internal list that describes all labels/report table associations of the specified evidence object, or NULL if unsuccessful (for example if not available any more in a future version). Scanning this list is a much quicker way to find out which items are labeled in what way than calling GetReportTableAssocs for all items in a volume snapshot, especially if the snapshot is huge. The list consists of 16-bit report table ID and 32-bit item ID pairs repeatedly, stored back to back. The integer pointed to by lpValue is set to the number of pairs in the data structure. You may set the flag 0x01 in nFlags to request a list sorted by item IDs. Other flags must not be set at this time. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_SelectVolumeSnapshot( HANDLE hVolume ); |
Defines to which volume's volume snapshot subsequent calls of the below functions apply should you wish to change that. For example if you open a particular evidence object yourself via XWF_OpenEvObj, which returns a volume handle, you can make your X-Tension address the volume snapshot of that evidence object. This function has a return value since v20.9. If successful, it returns the total number of items in the specified volume snapshot: files plus directories, including a root directory that is potentially invisible in the user interface, just like when calling XWF_GetItemCount(NULL). If the return value is 0, that is suspicious because volume snapshots consist of at least a root directory, and might mean that no volume snapshot has been created yet or will ever be created for the designated volume. If the return value is negative, an error has occurred (e.g. hVolume is internally not considered to be a volume handle or not currently open or does not represent a data source that has a volume snapshot). |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64
XWF_GetVSProp( LONG nPropType, PVOID pBuffer ); |
Available in v17.4 and later. Depending on nPropType, helps you to either retrieve information about the current volume snapshot or gets some settings of your choice over to the volume snapshot.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DWORD
XWF_GetItemCount( LPVOID pTarget ); |
If pTarget is NULL, this function retrieves the total number of items in the current volume snapshot (files and directories). This number may change from call to call if your X-Tension is applied to files of different volume snapshots in a single run (e.g. via volume snapshot refinement in multiple evidence objects or a selection in the Case Root window). Item IDs are consecutive and 0-based. That means the ID of the first item has the ID 0 and the last item in a volume snapshot has the ID (GetItemCount-1). You may address each and every item in that range, be it a file or directory, by specifying its ID. If pTarget is (LPVOID) 1, then this function retrieves the total number of files that the X-Tension is applied to via the directory browser context menu [use only for XT_ACTION_DBC or higher as per XT_Prepare()]. This takes into account files that are targeted indirectly because they reside in a selected directory (or in a subdirectory of such a directory) as well as child objects of files that are selected (if the user chooses to include them in processing). Available in v20.3 SR-3 and later. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DWORD
XWF_GetFileCount( LONG nDirID ); |
Available from v17.7. Retrieves the accumulated number of files in the directory with the specified ID and all its subdirectories, recursively. Also works for files that have child objects, and also for the root directory, i.e. the entire volume snapshot. For the latter you may alternatively specify -1 as the nDirID, but the number retrieved that way could be outdated in v20.9 and earlier, in v21.0 until SR-10, in v21.1 until SR-9 and in v21.2 until SR-8. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_GetSpecialItemID( DWORD nSpecialItem ); |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_CreateItem( LPWSTR lpName, DWORD nCreationFlags ); |
Creates a new item (file or directory) in the volume snapshot. May be called when refining the volume snapshot. Returns the ID of the newly created item, or -1 if an error occurred (e.g. out of memory). Should be followed by calls to XWF_SetItemParent, XWF_SetItemSize, XWF_SetItemInformation, and/or XWF_SetItemOfs. If via XWF_SetItemParent you make the new file a child object of a file (not directory), you are responsible for setting the parent's XWF_ITEM_INFO_FLAG_HASCHILDREN flag. For example, if you are creating a file carved from the sectors of the evidence object, you can specify the file size using XWF_SetItemSize and the start offset via the nDefOfs parameter (must be negative) using XWF_SetItemOfs. nCreationFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_CreateFile( LPWSTR pName, DWORD nCreationFlags, LONG nParentItemID, PVOID pSourceInfo ); #pragma pack(2) struct SrcInfo { DWord nStructSize, INT64 nBufSize, LPVOID pBuffer }; |
Available from v16.7. Similar to XWF_CreateItem, but also allows to attach an external file to the volume snapshot or to define a file that is an excerpt of another file (its parent). Returns the ID of the newly created item, or -1 if an error occurred (e.g. out of memory). Should be followed by a call to XWF_SetItemSize (if carving a file in a file) or XWF_SetItemInformation (otherwise). pName: The name that this file will have in the volume snapshot, which may be different from its source file name if you are attaching an external file. nCreationFlags: Obviously, the flags 0x2 and 0x4 and 0x10 are mutually exclusive, and 0x8 can only be combined with 0x4. If neither of the flags 0x2, 0x4, or 0x10 is specified, pSourceInfo is ignored and XWF_CreateFile works exactly like XWF_CreateItem. pSourceInfo: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_FindItem1( LONG nParentItemID, LPWSTR lpName, DWORD nFlags, LONG nSearchStartItemID ); |
Available from v19.2. Searches for a file or directory with the specified name with the specified parent (e.g. directory or file with child objects) in the current volume snapshot. Returns the ID of the first matching item if -1 if no match was found. nSearchStartItemID should be 0 for a search from the start of the volume snapshot. If after receiving one match you wish to search for another match, for example because you are looking for an existing file, but the first match is for a previously existing file in that directory, you can call this function again with the previously returns item ID + 1. nFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_Mount( LONG nDirID, LPWSTR lpMountPath, LPVOID lpReserved ); |
Available from v21.1. Mounts the designated file or directory (with the internal ID provided as nDirID) in the volume snapshot, or the entire volume (nDirID = -1 or the internal ID of the root directory), as a drive letter in Windows. Mounting a file could be useful if that file has child objects that should become accessible, otherwise not. lpMountPath points to a buffer of at least MAX_PATH length that is either empty (starts with a NULL character), if you let X-Ways Forensics pick a drive letter, or that points to a NULL-terminated target path of your choice (however, currently only root directories of drive letters are supported). The function will fail if you supply a drive letter that is not available. lpReserved should be NULL. If mounting is successful, the function returns TRUE, and the buffer pointed to by lpMountPath will be filled with the actual mount path (currently always the root directory of a drive letter). Currently only one mount point can exist at a time (that might change in future versions), so this function may fail for example if a mount point already exists, whether it was created by the user through the user interface or by an X-Tension. It is strongly suggested to call XWF_Unmount() for any successful call to XWF_Mount() when a mount point is not longer needed. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_Unmount( LPWSTR lpMountPath ); |
Available from v21.1. Unmounts a previous mount point created by XWF_Mount(). lpMountPath should point to the same path returned by XWF_Mount(). In current versions lpMountPath may be NULL to simply unmount any mount point that may currently exist, which could be necessary for XWF_Mount() to succeed if a mount point was created by something other than your own X-Tension. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPWSTR
XWF_GetItemName( DWORD nItemID ); |
Retrieves a pointer to the null-terminated name of the specified item (file or directory) in UTF-16. You may call XWF_GetItemName and XWF_GetItemParent repeatedly until XWF_GetItemParent returns -1 and concatenate the item names to get the path of an item. v19.9 and later: In order to retrieve a pointer to the alternative name of an item, you may or nItemID with 0x80000000. Please note that which of two potentially available filenames is considered to be the alternative filename depends on the user settings. NULL is returned if the requested name cannot be retrieved. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_SetItemName( LONG nItemID, LPWSTR lpName ); |
Renames an item. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64
XWF_GetItemSize( LONG nItemID ); |
Retrieves the size of the item (file or directory) in bytes. -1 means unknown size. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_SetItemSize( LONG nItemID, INT64 nSize ); |
Sets the size of the item in bytes. -1 means unknown size. A return value is provided since v21.3 to indicate success or failure. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_GetItemOfs( LONG nItemID, LPINT64 lpDefOfs, LPINT64 lpStartSector ); |
Retrieves the offset of the file system data structure (e.g. NTFS FILE record) where the item is defined by writing that value at the address given by lpDefOfs. If negative, the absolute value is the offset where a carved file starts on the volume. 0 if an error occurred while retrieving the offset. 0xFFFFFFFF (4294967295, lower 32 bits set) if not available/not applicable. Undefined for files in archives. Also retrieves the number of the sector from the point of the volume in which the data of the item starts by writing it at the address given by lpStartSector. This number does not depend on whether the user chooses to see physical sector numbers within partitions. -1 in case the number is not available or if an error occurred while retrieving the sector number. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_SetItemOfs( LONG nItemID, INT64 nDefOfs, INT64 nStartSector ); |
Sets the above-mentioned offset and sector number. A return value is provided since v21.3 to indicate success or failure. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64
XWF_GetItemInformation( LONG nItemID, LONG nInfoType, LPBOOL lpSuccess, ); |
Returns information about an item (file or directory) as stored in the volume snapshot, such as the original ID or attributes that the item had in its defining file system. What information is actually returned depends on nInfoType. The function indicates success or failure via lpSuccess. This parameter may be NULL if not required. All timestamps are provided in Windows FILETIME format, unadjusted (as found in the original metadata, not converted to any other time zone). #define XWF_ITEM_INFO_ORIG_ID 1
XWF_ITEM_INFO_PIXELINDEX: This is in indicator of the pixel count of a raster image. It is the square root of width × height in pixels, divided by 20. 0: not yet computed or not a picture. 1: <= 0,02 KP. 254 = 16.5 MP. 255 (maximum) = even larger. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_SetItemInformation( LONG nItemID, LONG nInfoType, INT64 nInfoValue ); |
Sets information about an item (file or directory) in the volume snapshot. For possible values of nInfoType see above and for additional ones below: v16.5 and later: Some XWF_ITEM_INFO_FLAGS flags can only be retrieved (read), but must not be set or removed. Those are marked above with an asterisk. Some nInfoTypes can only be retrieved, not yet. Those are marked with an asterisk as well. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_GetItemType( LONG nItemID, LPWSTR lpTypeDescr, DWORD nBufferLenAndFlags ); |
Retrieves a textual designation of the type of the specified file (e.g. “jpg” or “dll”) and returns information about the status of the type detection of the file: 0=not verified, 1=too small, 2=totally unknown, 3=confirmed, 4=not confirmed, 5=newly identified, 6 (v18.8 and later only)=mismatch detected. -1 means error. The pointer to the buffer that receives the type description may be NULL if no textual information is required. Otherwise it should have space for a few characters at least. If no textual designation is retrieved, the first character in the buffer is set to NULL. nBufferLenAndFlags contains the length of the buffer that lpTypeDescr points to in the lower word, measured in characters, and in v18.9 and later may be optionally combined with one of the below flags. 0x20000000: receive a textual description of the file type instead
(e.g. “JPEG” or “Dynamic-Link Library”) Deprecated: If in v18.8 and some later versions you specify the additive inverse of the buffer length as the third parameter, without any of the above flags, and then cast from a signed to an unsigned 32-bit integer, you will also receive a textual designation of the category that the file type belongs to instead of the file type designation. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_SetItemType( LONG nItemID, LPWSTR lpTypeDescr, LONG nTypeStatus ); |
Sets textual type designation of the specified file (or specify NULL if not required) and information about the status of the type detection of the file (see above). A return value is provided since v21.3 to indicate success or failure. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_GetItemParent( LONG nItemID ); |
Returns the ID of the parent of the specified item, or -1 if the item is the root directory or if for some strange reason no parent object is assigned. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL XWF_SetItemParent( LONG nChildItemID, LONG nParentItemID ); |
Sets the parent of the specified child item. You may specify -1 for the virtual "Path unknown" directory as the parent, or -2 for the "Carved files" directory. If the parent is a file that does not have child objects yet, you should use XWF_SetItemInformation to mark it has having child objects. A return value is provided since v21.3 to indicate success or failure. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_GetHashSetAssocs( LONG nItemID, LPWSTR lpBuffer, LONG nBufferLen ); |
Available in v19.3 SR-9, v19.4 SR-8, and later versions. Retrieves the names of the hash sets that the specified file is associated with. The names are delimited with comma and space. If the buffer was filled completely, that likely means that the specified buffer length was insufficient. Returns the total number of associations of that file that were resolved into hash set names, or a negative number in case of certain fundamental errors. This function can be expected to work successfully only if the original hash database(s) in which matches were found is/are still available and can be loaded. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64
XWF_GetReportTableAssocs( LONG nItemID, LPWSTR lpBuffer, DWORD nBufLenAndMatchType ); |
Retrieves a list of names of the labels (formerly known as report tables) that the specified item (usually file) is associated with. Does not receive or count labels that the user excluded from public display. The names are delimited in the list with comma and space. The list is null-terminated. If the buffer was filled completely, that likely means that the specified buffer length was insufficient to accommodate the entire list of labels. lpBuffer points to a buffer for Unicode characters provided by you. It may be NULL if you are only interested in the return value. The main purpose of the nBufLenAndMatchType
parameter is to indicate the size of your buffer, measured in Unicode
characters. That size must not be greater than 224-1. Since
v21.3, if you set the highest byte in this value to one of the following
numbers other than zero, you can retrieve only the count and list of labels
of one particular label type that you are interested in: In v17.6 SR-7 through v20.4, this function returned the total number of report table associations of the specified item (not necessarily equal to the number of names that were filled into your buffer) as a simple DWORD. In versions from v20.5 through v21.2 the return value was (user label count + search term label count) in the lowest valued byte and (hint label count + hash set label count) in the second lowest byte. You can add those two sums to get a grand total. Since v21.3 the return value is a more
detailed byte-wise conglomerate of individual label counts: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_AddToReportTable( LONG nItemID, LPWSTR lpLabelName, DWORD nFlags ); |
Associates the specified file with the specified label (formerly known as report table). If the label does not exist yet in the currently active case, it will be created. Returns 1 if the file was successfully and newly associated with the label, 2 if that association existed before, or 0 in case of failure, for example if no case is active or if the volume that the file is contained in is not an evidence object in the active case. You must not use label names that contain a backslash or the delimiter ", " (comma followed by a space). nFlags: Flags for the newly
created label. In v20.4 and earlier, they had no effect if a label of that
name already existed before. Since v20.5 an existing label's flags are
updated by this function. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPWSTR
XWF_GetComment( LONG nItemID ); |
Retrieves a pointer to the comment of an item, if any, otherwise NULL. This pointer is guaranteed to be valid only at the time when you retrieve it. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_AddComment( LONG nItemID, LPWSTR lpComment, DWORD nFlagsHowToAdd ); |
Adds the specified comment to the specified item and (in v19.5 SR-11, v19.6 SR-9, v19.7 SR-4 and later) returns true to signal success. If lpComment points to a NULL character and nFlagsHowToAdd is 0, an existing comment will be removed (in v20.3 SR-13, v20.4 SR-8, v20.5 SR-6, v20.6 SR-4 and later). nFlagsHowToAdd: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPWSTR
XWF_GetExtractedMetadata( LONG nItemID ); |
Available in v17.7 and later. Retrieves a pointer to a subset of the internal metadata of a file as stored in the volume snapshot (as extracted by volume snapshot refinement and as seen in the Metadata column), in plain text form, or returns NULL if no such metadata exists. The pointer is guaranteed to be valid only at the time when you retrieve it. If you wish to do something with the text that it points to after your X-Tension returns control to X-Ways Forensics, you need to copy it to your own buffer. Related functions: XWF_GetMetadata and XWF_GetMetadataEx. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_AddExtractedMetadata( LONG nItemID, LPWSTR lpComment, DWORD nFlagsHowToAdd ); |
Available in v17.7 and later. Adds the specified plain text to the extracted metadata of the specified item. It is suggested to mark an X-Tension's addition to the extracted metadata with a marker in square brackets, like [XT], with up to 4 arbitrary characters between the brackets. nFlagsHowToAdd: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_GetHashValue( LONG nItemID, LPVOID lpBuffer ); |
Available in v16.8 and later. May be used to retrieve the hash value of a file if one has been computed or to get it computed if not. Whether or not a hash value has been computed previously can be checked separately by calling XWF_GetItemInformation if required (as prior to v19.7 this function did not check that and returned TRUE already if no I/O error occurred). You can call XWF_GetVSProp with XWF_VSPROP_HASHTYPE1 or XWF_VSPROP_HASHTYPE2 etc. to find out the type of hash value defined in the volume snapshot or set it. (No hash value can be retrieved or computed if not even the hash type is defined.)
When the function is called, the buffer is assumed to start
with a DWORD value. That value determines what the function does. The same
buffer will be used to accommodate the requested hash value when control is
returned to the caller (if the function succeeds). The required buffer size
depends on the hash type. The following DWORD values are currently
defined: Note that only v19.7 and later can retrieve or compute two hash values at the same time. The buffer must be large enough to accommodate both hash values. If two hash values are requested and retrieved, the first hash value will be stored at the start of the buffer (buffer offset 0). The offset in the buffer where the second hash value starts depends on the size (and thus the type) of the first hash value. Prior to v19.7 you needed two separate calls to retrieve both hash values.
• Case 2: >= 0x00000100: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_SetHashValue( LONG nItemID, LPVOID lpHash, DWORD nParam ); |
Available in v19.0 and later. Sets the hash value of the specified item. Returns true if no I/O error occurred when taking the hash value over into the volume snapshot. To find out the expected type of hash value, call XWF_GetVSProp with XWF_VSPROP_HASHTYPE1 or XWF_VSPROP_HASHTYPE2. lpHash is expected to point to the hash value that you provide, in binary. The length is implicitly determined by the expected hash value type.
nParam: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG XWF_GetCellText( LONG nItemID, LPVOID lpPointer, DWORD nFlags, WORD nColIndex, LPWSTR lpBuffer, DWORD nBufferLen ); |
Available in v20.3 and later. Retrieves cell text for a given item in the volume snapshot for a particular column, as known from the directory browser. This does not depend on whether that item is currently listed in the directory browser or which directory browser columns are visible. The text may be language-specific and may depend on notation options that are active for list exports. Returns 0 or a positive number to indicate success, negative numbers for errors, for example -1 if the specified column index is unknown. lpPointer: Unused, must be set to NULL. nFlags: Unused, must be set to 0. nColIndex: Please see XWF_GetColumnTitle() for an explanation. lpBuffer: Pointer to your buffer, which will be filled with a null-terminated string in UTF-16. nBufferLen: The length of the buffer in UTF-16 characters, including space for a terminating NULL. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_SetItemDataRuns( LONG nItemID, LPVOID lpBuffer ); |
Provides extents for an item so that X-Ways Forensics knows how to open it and read its data from the volume if it's neither a contiguous carved file nor defined by any file system data structure nor attached from an external source. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPWSTR
XWF_GetMetadata( LONG nItemID, HANDLE hItem ); |
Available in v17.7 and later. Not thread-safe. Deprecated as of v18.9 and superseded by XWF_GetMetadataEx. Extracts a subset of the internal metadata of files of various types, as plain text, and returns a pointer to it if successful, or NULL otherwise. The pointer is guaranteed to be valid only at the time when you retrieve it. If you wish to do something with the text that it points to after your X-Tension returns control to X-Ways Forensics, you need to copy it to your own buffer. Unlike XWF_GetExtractedMetadata, the file must have been opened with XWF_OpenItem because this function reads from the file contents, not from data stored in the volume snapshot. The metadata is taken from the very file that contains it, for example in the case of zip-style Office documents from the XML files. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPVOID
XWF_GetMetadataEx( HANDLE hItem, PDWORD lpnFlags ); |
Available in v18.9 and later. Can extract extensive internal metadata of files of various types, exactly as seen in Details mode in X-Ways Forensics, typically much more than GetMetadata. Fills a memory buffer with either null-terminated UTF-16 plain text or null-terminated ASCII HTML code, and returns a pointer to it. You may parse the buffer to retrieve specific metadata that you need. The format may theoretically change from one version to the other. You must release the allocated memory by passing that pointer to XWF_ReleaseMem() when you do not need it any more. If no metadata is extracted, the return value is NULL instead. Unlike XWF_GetMetadata, this function is thread-safe. Unlike XWF_GetExtractedMetadata, the file must have been opened with XWF_OpenItem because this function reads from the file contents, not from data stored in the volume snapshot. The metadata is taken from the very file that contains it, for example in the case of zip-style Office documents from the XML files if you specify such an XML file as hItem. lpnFlags points to flags for input and output. The only currently defined input flag is 0x01. It tells X-Ways Forensics to extract only a subset of the available metadata, as shown in the software in the Metadata column. The resulting buffer currently contains always UTF-16 plain text. If the flag is not set, the complete metadata as seen in Details mode is extracted. The resulting buffer can be of either above-mentioned formats. The only currently defined output flag is 0x01 (indicating, if set, that the resulting buffer is HTML-formatted ASCII instead of UTF-16 plain text). If any of the 8 highest bits are set, you must not touch the resulting buffer, just release it with XWF_ReleaseMem(). The output flags are valid only if the function was successful, i.e. if it has returned a pointer. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DWORD
XWF_PrepareTextAccess( DWORD nFlags, LPSTR lpLangs ); |
Available in v20.3 and later. Prepares X-Ways Forensics for calls of XWF_GetText(), which may be necessary depending on whether similar functionality has already been used in the GUI during the current session or not. Does not override the user's decision to not use the viewer component or OCR in general. nFlags: 0x01 means that text decoding should be prepared. You don't need to specify this flag if you are interested in only OCR. lpLangs: Optional. If not NULL, points to a null-terminated ANSI string that identifies the languages to optimize OCR for, and this will override the configuration in the installation. The language identifiers can be seen in the filenames of *.traineddata files of Tesseract (list). You may concatenate multiple language identifiers with a + sign as long as the length of the result does not exceed 15 characters, e.g. "eng+spa+ita" or "chi_sim+chi_tra". Perhaps later versions will accept longer strings. If lpLangs points to a buffer that starts with a 0x00 character, then your buffer will receive the current language settings. The buffer should be 64 bytes in size at least. It will be null-terminated.
This function returns flags. If no flag in the result is set,
that means you did not request text decoding capability or text decoding
capability is not available, and OCR is not active either. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPVOID
XWF_GetText( HANDLE hItem, DWORD nFlags, PINTEGER lpnResult, PDWORD lpnBufUsedSize, PDWORD lpnBufAllocSize ); |
Available in v20.3 and later. Can extract pure text from files of various types, using means including OCR if OCR functionality is available in X-Ways Forensics (not WinHex Lab Edition), as known from the Text submode of Preview mode in the GUI. How spreadsheets are processed depends on the options in Options | Viewer Programs. If successful, the function returns a pointer to a buffer that you eventually need to release with XWF_ReleaseMem(). The buffer contains text usually in UTF-16 (for exceptions see below). hItem identifies the file from which to extract text.
nFlags: 0x10 and 0x20 have slightly different effects on different computers depending on which ANSI code page is active in the Windows system. If it's the 1252 Latin 1 code page, then Unicode characters from 0x81 to 0xFF are considered convertible. Otherwise such characters are considered not convertible, meaning no conversion from UTF-16 to ASCII takes place or - if forced - such characters are converted to a placeholder character, which is currenly an asterisk (*). If neither the flag 0x01 nor 0x02 is specified, then no potentially time-consuming attempts will be made to extract text from the file, but if previously extracted text was stored (buffered) in the volume snapshot, that text is still retrieved, and very quickly so. If 0x01 and/or 0x02 are specified and if text was extracted and buffered previously, that "old" text is retrieved and no new extraction is attempted. If 0x01 and 0x02 are combined, that does not mean that both operations are attempted, e.g. in a PDF document. It means that depending on the file type at least one of the two operations are performed, and in currently available versions it means for example for PDF files that first decoding takes place, and if that no text is found that way, OCR will be attempted. In currently available versions the resulting text will never be a mix of both operations.
lpnResult must point to an
integer variable ("nResult") which will receive information about the outcome of the
function:
0x01 = pointer to buffer with UTF-16 returned lpnBufUsedSize may be NULL or point to a DWORD variable, if in case of a positive nResult you wish to know how many bytes in the buffer are considered in use. lpnBufAllocSize may be NULL or point to a DWORD variable, if in case of a positive nResult you wish to know how many bytes in the buffer are allocated. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPVOID
XWF_GetRasterImage( struct RasterImageInfo* pRIInfo ); #pragma pack(2) |
Available in v18.0 and later, not in WinHex Lab Edition. Provides a standardized true-color RGB raster image representation for any picture file type that is supported internally in X-Ways Forensics (e.g. JPEG, GIF, PNG, ...), with 24 bits per pixel. The result is a pointer to a memory buffer, or NULL if not successful (e.g. if not a supported file type variant or the file is too corrupt). The caller is responsible for releasing the allocated memory buffer when no longer needed, by calling the Windows API function VirtualFree, with parameters dwSize = 0 and dwFreeType = MEM_RELEASE. nSize must be set to the size of the structure. nItemID and hItem must be provided as well. You may specify any combination of the below flags that makes sense for you. The dimensions of the picture in pixels (nWidth and nHeight) are returned, as well as the size in bytes (nResSize). If you specify a non-zero value for nWidth and/or nHeight for input, it will be interpreted as the maximum width or height that you would like for the resulting image, and the image will be shrunk accordingly (resized, not cropped), if its dimensions are not smaller than that anyway, while preserving the aspect ratio of the original picture.
nFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_Search( struct SearchInfo* pSInfo struct CodePages* pCPages ); #pragma pack(2) struct SearchInfo { DWORD nSize, HANDLE hVolume, LPWSTR lpSearchTerms, DWORD nFlags, DWORD nSearchWindow, LPSTR lpLatin1Alphabet, LPWSTR lpNonLatin1Alphabet }; #pragma pack(2) |
Available in v16.5 and later. Must only be called from XT_Prepare() or XT_Finalize(). Runs a simultaneous search for multiple search terms in the specified volume. The volume must be associated with an evidence object. Note that if this function is called as part of volume snapshot refinement, it can be called automatically for all selected evidence objects if the user applies the X-Tension to all selected evidence objects. Returns a negative value in case of an error. nSize must be set to the size of the respective structure in bytes and should cover at least all member variables up to nSearchWindow. hVolume: Currently must be 0, function is always applied to the active volume lpSearchTerms: Delimited by line breaks; will be added to the case if not yet existing.
nFlags: Can be combined only as known from the user
interface. For example, the whole words options have no effect if GREP is
selected.
Otherwise the result is undefined. Only if the XWF_SEARCH_CALLPSH flag is specified, X-Ways Forensics will call XT_ProcessSearchHit(), if exported, for each hit. You may use that function to monitor and filter the search hits that you get, for example to prevent the output of irrelevant search hits or to keep knowledge of all search hits to yourself. Other X-Tensions' XT_ProcessSearchHit() function will not be called. Instead of using XT_ProcessSearchHit(), in later versions of the API only, you can traverse the list of all search hits after completion and check which ones are for the search terms that you had created/searched for. nSearchWindow: 0 for standard search window length lpLatin1Alphabet: Optional. Supported as of v20.0. If not NULL, points to a null-terminated sequence of letters of Western European languages (in the Latin 1 code page with 1 byte per character) that you consider to be part of words, which defines word boundaries and will change the alphabet settings in X-Ways Forensics. Up to 159 characters are currently utilized. The previously used alphabet will be lost. lpNonLatin1Alphabet: Optional. Supported as of v20.0. If not NULL, points to a null-terminated sequence of characters (in UTF-16) that you consider to be part of words, which defines word boundaries and will change the alphabet settings in X-Ways Forensics. Up to 99 characters are currently utilized. The previously used alphabet will be lost. pCodePage* See this web page for possible code page identifiers. Specify 0 for unused code page numbers. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LPWSTR
XWF_GetSearchTerm( LONG nSearchTermID, LPVOID pReserved ); |
Available in v17.7 and later. Retrieves a pointer to the null-terminated name of the search term with the specified ID, or NULL if no search term with that ID exists. You may set nSearchTermID to -1 to get the total number of search terms back (cast the pointer returned to integer). All search terms have consecutive IDs starting with 0. pReserved must be set to NULL. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_AddSearchTerm( LPWSTR lpSearchTerm, DWORD nUsageFlags ); |
Available in v18.5 and later. Creates a new search term and returns its ID or (if flag 0x01 is specified) alternatively returns the ID of an existing search term with the search expression/keyword, if any. Returns -1 in case of an error. The maximum number of search terms in a case is currently 8,191 (since v18.5). Use this function if you wish to automatically categorize search hits (assign them to different search terms) while responding to calls of XT_ProcessSearchHit() or using XWF_SetSearchHit(). The null-terminated UTF-16 string pointed to by lpSearchTerm may be truncated. Currently, as of v20.3, up to 90 characters are supported.
nUsageFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DWORD
XWF_ManageSearchTerm( LONG nSearchTermID, LONG nProperty, LPVOID pValue ); |
Available in v20.0 and later. Set nProperty to 0 to delete the specified search term and all its search hits in all evidence objects. That is more efficient than deleting the search hits one by one. If nSearchTermID is -1, that deletes all search terms and all their search hits. pFlags should be set to NULL and is currently unused. The return value of the function is 1 for presumed success, 0 for failure. Set nProperty to 1 to manage the flags that define the properties of the search terms whose ID you specify. You can retrieve these flags through the function return value (if pValue is NULL) or set those flags (if pValue is not NULL, but please know what you are doing). If you set the flags, a return value of 1 indicates success, 0 indicates failure.
Some possible flag values: Set nProperty to 2 to rename the search term, e.g. assign a more user-friendly name to a complicated regular expression. In that case pValue must point to a null-terminated UTF-16 string. Available in v20.3 and later. The null-terminated UTF-16 string pointed to by lpSearchTerm may be truncated in X-Ways Forensics. Currently, as of v20.3, up to 90 characters are supported. A return value of 1 indicates success, 0 indicates failure. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_AddSearchHit( struct SearchHitInfo* pInfo ); |
Creates a new search hit. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_GetSearchHit( DWORD nSearchHitNo, struct SearchHitInfo* pInfo ); |
Retrieves details about a search hit. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_SetSearchHit( DWORD nSearchHitNo, struct SearchHitInfo* pInfo ); |
Changes details of a search hit. Not currently implemented. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
... | ... | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_AddEvent( struct EventInfo* pEvt ); #pragma pack(2) struct EventInfo { DWORD nSize, HANDLE hEvidence, DWORD nEvtType, DWORD nFlags, FILETIME TimeStamp, LONG nItemID, INT64 nOfs, LPSTR lpDescr }; |
Available in v17.6 and later. Allows to add events to the internal event hit list of an evidence object. The internal event is loaded and accessible only if the evidence object is open. Returns 1 if the event was successfully added, 2 if deliberatedly ignored, or 0 in case of failure to signal that the caller should stop adding more events. nSize: Size of this structure. Must be properly initialized. nEvtType: 0 for unknown. File system events: 100+. File metadata events: 1000+. Internet events: 8000+. Messaging events: 10000+. Operating system events: 14000+. Windows event log events: 15000+. Windows registry events: 20000+.
nFlags: nItemID: If the event is related to a particular object in the volume snapshot (file or directory), that object's ID, otherwise -1. nOfs: Offset where the timestamp was found in the volume or (if nItemID unequal to -1) within the object in the volume snapshot. -1 if unknown. lpDescr: Optional null-terminated textual description of the event, preferably in 7-bit ASCII or else in UTF-8. Will be truncated internally after 255 bytes. NULL if not provided. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DWORD
XWF_GetEvent( DWORD nEventNo, struct EventInfo* pEvt ); |
Available in v18.1 and later. Retrieves information about an event from the internal event hit list of an evidence object. The internal event is loaded and accessible only if the evidence object is open. The structure will be populated with values as described above, except where noted. Returns MAXDWORD if unsuccessful, or otherwise the length of the description copied into the lpDescr buffer, in bytes. 0 indicates success as well as a description is not necessarily available or desired by the caller. nSize: Size of this structure. Must be properly initialized. If you specify a size that covers just nSize and hEvidence, the nEventNo parameter is ignored and you will get the total number of events in the event list of that evidence object returned and no other information. That total event count may include events that are internally considered deleted already. There mere event count is available even if the evidence object is not open. hEvidence: A handle to the evidence object whose event hit list you wish to target. nFlags: 0x01: event internally considered deleted already. For other values see XWF_AddEvent. lpDescr: May be NULL or point to a buffer of 256 bytes that will be filled with a null-terminated textual description in 7-bit ASCII or UTF-8. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HANDLE
XWF_CreateContainer( LPWSTR lpFileName, DWORD nFlags, LPVOID pReserved ); |
Available in v16.5 and later. Creates a new or opens an existing evidence file container (in its native, raw format) and returns a handle to it if successful (otherwise returns 0). Currently only 1 container can be open at a time for filling. If a container is open already when this function is called, that other container will be closed automatically.
nFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_CopyToContainer( HANDLE hContainer, HANDLE hItem, DWORD nFlags, DWORD nMode, INT64 nStartOfs, INT64 nEndOfs, LPVOID pReserved ); |
Available in v16.5 and later. Copies a file to an evidence file container. Returns 0 if successful, otherwise an error code. If the error code is negative, you should not try to fill the container further. nStartOfs and nEndOfs should be -1 for any nMode where they are not used.
nFlags:
nMode: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LONG
XWF_CloseContainer( HANDLE hContainer, LPVOID pReserved ); |
Available in v16.5 and later. Closes a container. Returns 1 if succesful. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HWND
XWF_GetWindow( WORD nWndNo, WORD nWndIndex ); |
Available in v19.9 SR-7 and later. Retrieves the handle of a window related to a data window, so that you can use it as a parameter in Windows API functions. The possibilities are endless. You could send any kind of message to a window, redraw it, take a screenshot of it, simulate a mouse click, etc. For example, to refresh the contents of a window, you can call the Windows API function InvalidateRect(..., NULL, FALSE). Not all related windows always exist. The function returns 0 for an unavailable window. nWndNo: The 1-based number of the data window, for example as retrieved using XWF_GetEvObjProp(). In v20.3 SR-13, v20.4 SR-9, v20.5 SR-6, v20.6 SR-5 and later you may specify 0 to target the active data window (the one in the foreground). nWndIndex: Identifies the exact
window that you are interested in. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_GetColumnTitle( WORD nWndNo, WORD nColIndex, LPWSTR lpBuffer ); |
Available in v20.3 and later. Retrieves the title of a particular column in the directory browser. The title depends on the currently active language in the GUI of the application and other factors. Returns true if the requesteed column exist, false if not. You can call this function repeatedly, starting with nColIndex == 0, ideally with nWndNo == 65535, to determine whether the column that you need still exists in the active version or what column index it has. nWndNo: The 1-based number of the data window for which you wish to retrieve a column title, for example as retrieved using XWF_GetEvObjProp(). Depending on whether the data window shows an event list or not, the first few columns have different names. Depending on the file system and depending on what kind of hash values have been computed, other columns may have variable names. You may specify 0 to retrieve a language-specific column title that just depends on the currently active volume snapshot, if one is active, or 65535 for a standardized column title in English that does not depend on any window or volume snapshot. nColIndex: Identifies the exact
column that you are interested in. These identifiers are constant within a
given version of the software and usually constant over many versions, but
might change in future versions. They are based on the order of columns that
you see in the application by default, if you do not change it in the GUI.
E.g. in v20.3: lpBuffer: Pointer to your buffer, which should be able to accommodate at least 127 Unicode characters plus a terminating null. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_OutputMessage( LPWSTR lpMessage, DWORD nFlags ); |
Outputs the specified message in the Messages window. You may use this function for example to alert the user of errors or to output debug information. nFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
INT64
XWF_GetUserInput( LPWSTR lpMessage, LPWSTR lpBuffer, DWORD nBufferLen, DWORD nFlags ); |
Available in v18.5 and later. Requests user input through a dialog window provided by X-Ways Forensics. This input can be text (e.g. a password) or can be directly interpreted as an integer number. lpMessage is presented to the user (truncated if too long) as an explanation for what is required, and the text entered by the user is filled into lpBuffer (not when requesting a positive integer number). nBufferLen is the length of the buffer in characters (including a terminating null character). You may suggest suitable user input by filling lpBuffer with text already when calling this function. If you do not wish to suggest any input, lpBuffer must start with a NULL character. The function returns the number of characters filled into the buffer (excluding the terminating null character) or the requested positive integer number or -1 if the user clicked Cancel. nFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_ShowProgress( LPWSTR lpCaption, DWORD nFlags ); |
Creates a progress indicator window with the specified caption before a lengthy operation. You should call XWF_ShouldStop occasionally during the operation to allow for the GUI to stay responsive and to check whether the user wishes to stop whatever you are doing. You must not use any of the progress indicator functions when implementing XT_ProcessItem() or XT_ProcessItemEx() or when calling XWF_* functions that create a progress bar themselves. nFlags: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_SetProgressPercentage( DWORD nPercent ); |
Sets the progress in percent. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_SetProgressDescription( LPWSTR lpStr ); |
Displays descriptive text about the progress. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_ShouldStop( ); |
Should be called regularly during lengthy operations conducted by your X-Tension. If a progress indicator window is on the screen (created by X-Ways Forensics itself or by your X-Tension with the XWF_ShowProgress function), this will tell you whether or not the user wants to abort the current operation (returns TRUE if so). And if that is the case, you should probably finish what you are doing some time soon. Since v19.3 this function also helps to keep the GUI responsive and helps to convince the user that the application is not hanging. This is done if and required/helpful when the X-Tension is not executed in a separate worker thread. The effect is that mouse and keyboard input will be processed, windows in the GUI get a chance to redraw, and the user's attempt to close the progress indicator window will be noticed. So even if you ignore the result of this function call during lengthy operations conducted by your X-Tension, you are doing something good already by making the calls in the first place (except in v19.2 and earlier, where nothing will happen). |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
VOID
XWF_HideProgress( ); |
Closes the progress indicator window. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BOOL
XWF_ReleaseMem( PVOID lpBuffer ); |
Call this function to release a buffer allocated by X-Ways Forensics if instructed to do so in the description of another XWF_* function. |
Grayed out means ideas for potential future improvements/additions. If you are missing certain functionality here that is available via the user interface of X-Ways Forensics, please contact us and describe in a few words for what function you suggest and for what reason if would be useful. Perhaps that functionality or something similar can be provided in a future version of X-Ways Forensics. Thank you.