X-Ways Forensics X-Tension:   XwaysKPF_x64.dll

The baseline X-Tension for X-Ways Forensics  (a single DLL file) is available for free to law enforcement agencies and requires a licensed version of X-Ways Forensics to be running. This DLL is called from within X-Ways Forensics, normally after a volume snapshot has been refined. The baseline X-Tension produces XML reports and copied file folders that are compatible with 'C4All'.

For those that are curious, this DLL (or Dynamic Link Library) is similar to an executable in that it is compiled machine code which runs as quickly as a normal executable, but shares its program space with the executable which loads this DLL. Because it is not a script which must be parsed and processed at run-time, the speed and performance of the DLL can be astonishing.

Essentially, X-Ways loads the DLL, then is able to call specific functions in the DLL in response to user actions and the refinement process. The DLL in turn, can call a host of functions in the X-Ways Application Programming Interface (or API) as per here. Calling these API functions from within the DLL, and the link provided back to X-Ways Forensics. is the root of the processing power of the DLL and is what allows it to run 'as-one' with X-Ways Forensics.  Thus the DLL can extend the functionality of the main X-Ways Forensics executable for specialization and product customization, thus the concept of the 'X-Ways Forensics Extension', or more simply, 'X-Tension'.

The latest version of the X-Tension can be found here, and the revision history can be seen here. To register your email address for update notifications, navigate to here.

Here are links to three demonstration videos on how to use the C4All x-tension in X-WaysNote that this demonstration is from 2014 and shows version '3.6.2.d' of the X-Tension, and more options have been added since then:


The following enhancements to the baseline version of the DLL are available in the full unlocked version:
  • Ability to include additional video file types beyond those originally processed by C4All (103 types versus 23 types)

  • Consolidation of multiple partitions into a reduced number of parent folders, namely one for each physical drive. This allows the X-Tension to be run against multiple cases with the results for each case (physical drive) placed into its own folder. For the baseline version, a single folder is created for each partition, regardless of their host physical drive

  • For image files which support more than one thumbnail (such as JPEG), the unlocked version will search the additional thumbnail images and compare against the hash database to find notable files. If one is found, the parent file (i.e. the JPEG) will then be promoted to notable if not already. This parent and the notable thumbnail will be added to a 'Verify' table for quick inspection from within X-Ways

  • Currently implementing support for ProjectVIC which will change the format of the output files to JSON (rather than XML used for C4All), and also change slightly the organization of the output folders. Additionally, embedded thumbnails will be stored in the same folder system as the rest of the images, using the thumbnail's own hash name rather than that of the parent from which the thumbnail was extracted. The first release to support JSON output is now posted as version 3.6.8.e. The next release will name those JSON files using a more generic 'ProjectVIC_xxx.JSON' to denote the output is not particular to any specific end-user application.

  • We will soon be adding support for LACE Image Mark calculations directly from within this DLL. To accomplish this, you must have a full license for the DLL, and another DLL issued by BlueBear LES, namely BBlaceIM_x64.dll. This additional DLL must be copied to the same folder as the Xways_KPF_x64.dll, and is only available as an option when ProjectVIC Output is selected. The result will be a new entry in the JSON report for each image file, giving the ImageMark code which can then be exploited in the LACE software application.

The 'key' file

If you run the DLL as the baseline version, it will create a 'request' file (with the format XwaysKPF_NewKey_XXXXXX.req) where 'XXXXXX' are the first 6 characters of the X-Ways license ID. A full unlock 'key' file is generated based on this 'req' file, and thus becomes unique for your licensed X-Ways dongle (or your network license). It is not associated with any particular machine, and can thus be copied to any machine on which you plan to run your licensed copy of X-Ways. Simply copy the 'key' into the same folder as the DLL, and the DLL will find it. The 'key' file will unlock future releases of the DLL, as it is not tied to a particular version. Note that a 'key' generated for a particular variant (i.e. for a particular exploitation product) will not work with other variants.

Multiple licenses? No problem. Simply copy all of your 'key' files into the DLL folder on each machine, and the DLL will find the most recent, valid key. If it finds an expired key, it will even rename the extension to 'key_expired'. This allows you to see which keys are outdated and can deleted at your convenience.

Cost for a single, full license is US$250 per year, with discounts for additional licenses. Keys 2 through 5 for a single agency are discounted by US$50 each, with further discounts for subsequent licenses. For users with network licenses for X-Ways, the number of users for your network license determines the number of licenses you will need for the DLL, however only one key will be generated. In this case, the 'key' will unlock the DLL so long as the number of concurrent X-Ways users does not exceed the number of users authorized. Renewal costs are 85% of the original cost, per subsequent year. The license does not need to be updated as new versions of the X-Tension are released. 

If your agency is interested in larger numbers, please contact us at '' to discuss an agency unique version of the X-Tension.

Currently the licenses can only be purchased directly from Jedson Technologies, as per the licensing information that can be found when the DLL is run and clicking the 'Full Version Info' button. This method also brings the user to the point where he can generate the 'request' file, which is required when purchasing a license.