X-Ways Forensics X-Tensions

Allows you to look up hashes of files to determine if the files are malicious, unknown, or benign.

Sends a simple command to either the main window of X-Ways Forensics or the active data window or one of its component windows, for example to close the currently active case or to close all data windows. Could be useful because it can also be run from the command line.

Helps automate hash extraction. Completely command line based. This is especially useful if we are processing a large number of images or need to perform a CPU intensive processing on faster hardware. X-Ways does not currently have a way to automate the creation of a unique file of hashes.

There are many benefits to running YARA within X-Ways, versus running YARA via the command-line interface:

• No need to mount the target media, the X-Tension will read each file within the case snapshot into memory and be scanned there. No files are written to disk.

• Allows the user to use the powerful filters within X-Ways to limit the scope of the YARA scan.

• Because the X-Tension uses the power of X-Ways, YARA will scan all files within the current snapshot. This includes carved files, decompressed archives, files within archives within archives etc.

• Any confirmed YARA hits will be saved back to X-Ways via the comments and Report Table columns, vs stdout (which can get unruly quickly if scanning a mounted drive).

Enables Optical Character Recognition (OCR) of picture file types in X-Ways Forensics.

Allows you to check hashes against Opswat Metadefender's 40 plus antivirus databases.

This is a Viewer X-Tension that parses and previews the selected Apple System Log (asl) file.

Calculates fuzzy hash values for each item in the volume snapshot, utilizing the API of the ssdeep project.

Calculates the Shannon Entropy for each item in the volume snapshot.

Automate extraction of common file types to a container, with source code.

Generates summary information, with source code.

X-Ways Forensics to Relativity Injestion, with source code.

Allows you to export images and videos from X-Ways Forensics in the C4All format. You can then import the XML indexes in Griffeye Analyze.

One is an X-Tension for ReversingLabs (RL) hash lookups. This is useful for quickly triaging a file hash or multiple file hashes at once, to help determine whether the hash is known or not and whether the underlying file is malicious or not. Screenshot of the result. The other X-Ways extension is for submitting files to RL, which is handy when the hash is not found in the RL database (e.g., unknown). You will need to be a ReversingLabs customer with valid RL API credentials and keys to use the extensions.

Not based on the X-Tension API, but the Image I/O API. Listed here anyway on request. Allows to interpret AFF4 images as disks in X-Ways Forensics, just like raw images, .e01, VHD, VHDX, VMDK

X-Tension that does a special export of data. Currently available to law enforcement users from the X-Ways download server, in the same directory as the PhotoDNA functionality.

Viewer X-Tension that allows you to use digital image processing algorithms to enhance pictures from within X-Ways Forensics.

Fixes a print bug (missing text when printing certain PDF documents) in the Oracle OutsideIn viewer component that was found by Ruslan Yushaev and reported to Oracle by X-Ways on May 21, 2017. The X-Tension is a viewer X-Tension that intervenes in preview and printing and returns the result of the following GhostScript command back to X-Ways Forensics:
gs -sDEVICE=pdfwrite -dNoOutputFonts -dCompatibilityLevel=1.5 -r150 -dQUIET -dSAFER -o <output file> <input file>

The option -dNoOutputFonts is the key in this case.

The X-Tension requires the library gsdll64.dll of the latest GhostScript version:
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/gs921w64.exe

Identifies and converts RAW files created by modern digital cameras.

Detection by filename extension: 3FR, ARI, ARW, BAY, CAP, CINE, CR2, CRW, CS1, CS16, CS4, DATA, DC2, DCR, DCS, DNG, DRF, DSC, EIP, ERF, FFF, HDR, IA, IIQ, K25, KC2, KDC, MDC, MEF, MFW, MOS, MRW, NEF, NRW, OBM, ORF, PEF, PPM, PTX, PXN, QTK, R3D, RAF, RAW, RDC, RMF, RW2, RWL, RWZ, SR2, SRF, SRW, STI, TIF, TIFF, X3F

Detection by file header signature: ARW, CR2, CRW, DCR, FFF, MOS, MRW, NEF, NRW, ORF, PEF, RAF, RAW, RW2, RWL, SRW, X3F

Conversion to JPEG: ARW, CR2, CRW, DCR, DNG, ERF, KDC, MDC, MEF, MRW, NEF, NRW, ORF, PEF, RAF, RAW, RW2, SR2, SRF, SRW, TIF, X3F

Download Directory
X-Tension Information

Youtube videos: 1, 2, 3

For more information please check elsewhere, for example in the C4All Forum. Thanks.

"C4All is a program used by law enforcement and others to categorize pictures and videos.

This X-Tension is for Users of C4All. The guides that are included describe how to best use the X-Tension with the Strategy hash sets, but your own hash sets can be used. Also it is based on the file types (video and pictures) that C4All presently uses and searches for.

With this X-Tension, you will be able to process with the speed of X-Ways, and be completing most of the C4Prep stage all at once (like skin tone % and video stills).

Benefits of the X-Tension
-speed, fewer steps to follow than original C4All process
-even faster if ran locally and saved locally. upto 30GB min speeds on SSD drives observed.
-crash protection. Use X-Ways ability to resume if there is a crash during preparation of data.
-If X-Tension is interrupted there is the option to resume, start new or if needed just make new XML file
-ability to filter out irrelevant files and false positive carved files before C4All extraction.
-Hash sets are connected to X-Ways and not SQL server. This allows for known irrelevant or good files to be excluded from extraction. Also SQL Express can be used (free) as the only database used would be a local database and would not grow to be to large.
-These hash sets are transferable by simply copying the folder and pointing X-Ways to storage location. No need to wait all day for Database to be created.
-ability to use your own hash sets. upto 65,000+ separate hash sets.
-Better resulting folder structure, especially when run against many evidence objects in one case.
-Results can be extracted from C4All in hashkeeper format to be easily brought back in to X-Ways case. no need to run Encase book marking enscript.
-thumbnails are extracted from files that include thumbnails or are created by X-ways due to original picture size. If thumbnails exist in a file it is not used twice, reducing duplicate files.
-When processing, all functions of X-Ways are available during X-Tension run phase.
-Able to use X-Ways reporting features for court and presentation.
-video stills extracted using free mplayer or forensic framer from within X-Ways"

This X-Tension is used to extract Binary Large Object (BLOB) data from Sqlite databases.
This is data, such as picture or movie files, which can difficult to carve out of database files due to the way the database file is structured.
The X-tension will create a child folder for each table within the database that contains a BLOB field.
The data will then be extracted into this folder, the name of the file is the SQLite BLOB field name combined with the Primary Key Field (or ROWID if no primary key).
All the extracted data will also be added to a report table so that it can be processed if required. This is a good idea when looking for picture files as they often start a few bytes in.

See text file for more information.

Allows an examiner to select any two files in X-Ways and quickly send them to Beyond Compare for review. Beyond Compare, from Scooter Software, is a 3rd party file comparison tool that has built-in support/viewers for the comparison of binary/hex, tab and comma separated files, graphic/image files, registry data, source code, executables, Microsoft Word/Excel, and Adobe PDF documents. Plug-ins for additional file types can be downloaded from here.

This X-Tension is free for both personal and commercial use and requires Microsoft?s .Net Framework v3.5 and a valid license/installation for Beyond Compare.

Note: Although this X-Tension was specifically designed for use with Beyond Compare, in theory any application that takes two file names as arguments from the command line should work (i.e. program.exe file1 file2).

Allows an examiner to check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the messages window. Note that this does not submit the file to VirusTotal, it only checks to see if an existing report exists for a given file's hash value and retrieves the results. All checks are performed via SSL. Developed and tested with X-Ways Forensics 17.7, but should work with any version past v16.9. Based on Chad Gough's own C# adaption of the X-Tension API. Requires Microsoft's .Net Framework v3.5 and a valid public (or private) API key from VirusTotal which can be obtained for free from here.

Can be used during GREP searches for credit card numbers. Verifies all search hits using the Luhn algorithm and discards false search hits, to reduce the output of irrelevant numbers. Load the X-Tensioon in the dialog window of the simultaneous search. If you believe that our X-Tension does not correctly employ the algorithm and lets too many false hits pass through, convince yourself here that the Luhn algorithm is weak (enter one of the numbers that you get and that looks like not a valid credit card number, and click "Validate Luhn"). Last updated April 13, 2012. Source code included in our C++ API download.

Can search for filenames and/or path names and add the matching files to a specific report table. Additionally, files can be exported and automatically renamed in different ways. After finishing the search, external applications can be run to take over the further analysis of the exported files.