X-Ways Forensics X-Tension:  XwaysKPF_x64.dll        (Semantics 21 variant:  Semantics21_x64.dll)

          (ZIUZ variant: XTension_ZIUZ_x64.dll)        (JSON variant: JSONxtension_x64.dll)

The baseline X-Tension for X-Ways Forensics  (a single DLL file) was designed for law enforcement agencies and requires a licensed version of X-Ways Forensics to be running. This DLL is called from within X-Ways Forensics, normally after a volume snapshot has been refined by hashing all the files in the Evidence Object(s) and determining which 'Report Table' (i.e. Hash Tables) a file falls into. The baseline X-Tension produces XML reports and file archive folders that are compatible with 'C4All' and based on the categorization provided in the hash tables. The additional variants were added in response to specific needs, based on the advanced features available in various follow-on categorization applications. These variants provide output files and folder layouts that are slightly different from the original 'KPF' variant.

For those that are curious, this DLL (Dynamic Link Library) is similar to an executable in that it is compiled machine code which runs as quickly as a normal executable, but shares its program space with the executable which loads this DLL. Because it is not a script which must be parsed and processed at run-time, the launch speed and  run performance of the DLL can be astonishing.

Essentially, X-Ways loads the DLL, then is able to call specific functions in the DLL in response to user actions and the refinement process. The DLL in turn can call a large number of functions in the X-Ways Application Programming Interface (or API) as per here. Calling these API functions from within the DLL is the root of the processing power of the DLL and is what allows it to run "as-one" with X-Ways Forensics.  Therefore the DLL can extend the functionality of the main X-Ways Forensics executable for specialization and product customization, thus the concept of the 'X-Ways Forensics Extension', or more simply, 'X-Tension'.

If you run across any issues or problems when running the DLL, proceed as per here. Any log files or other files of interest can be uploaded here: Log Uploads 

The latest version of the X-tension can be found here, and the revision history can be seen here

To register your email address for update notifications, navigate to here, and to unsubscribe, navigate here .

For those who are members, a link to an article on Forensic Focus can be found here

Here is a link to the presentation given at the 2019 Ontario Forensics Investigators Association in Niagara Falls, ON, Canada:


The following enhancements to the original version of the DLL are available in the full unlocked version:

The 'key' file

If you run the DLL as the baseline version, it will create a 'request' file (with the format XwaysKPF_NewKey_XXXXXX.req) where 'XXXXXX' are the first 6 characters of the X-Ways license ID. A full unlock 'key' file is generated based on this 'req' file, and thus becomes unique for your licensed X-Ways dongle (or your network license). It is not associated with any particular machine, and can thus be copied to any machine on which you plan to run your licensed copy of X-Ways. Simply copy the 'key' into the same folder as the DLL, and the DLL will find it. The 'key' file will unlock future releases of the DLL, as it is not tied to a particular version. Note that a 'key' generated for a particular variant (i.e. for a particular exploitation product) will not work with other variants.

Multiple licenses? No problem. Simply copy all of your 'key' files into the DLL folder on each machine, and the DLL will find the most recent, valid key. If it finds an expired key, it will even rename the extension to 'key_expired'. This allows you to see which keys are outdated and can be deleted at your convenience.

Click to Open

Cost for a single, full license is US$250 per year, with discounts for additional licenses. Keys 2 through 10 for a single agency are discounted by US$25 each, with further discounts for subsequent licenses. For users with network licenses for X-Ways, the number of users for your network license determines the number of licenses you will need for the DLL, however only one key will be generated. In this case, the 'key' will unlock the DLL so long as the number of concurrent X-Ways users does not exceed the number of authorized users. The license does not need to be updated as new versions of the X-Tension are released. 

I currently use my PayPal business account to generate electronic invoices and to permit online payments.  Beginning Apr 4, 2023, PayPal increased the number of ways payment can be made, and includes credit or debit cards as well as Venmo. You do NOT need to have an account with PayPal in order to make payment, and is accepted across 200+ countries and currencies.

If your agency is interested in larger numbers, please contact me at '' to discuss an agency unique version of the X-Tension. Currently the licenses can only be purchased directly from Jedson Technologies, or through Semantics 21 (for customers purchasing the Semantics 21 variant in the UK and the EU). Please see the licensing information that can be found when the DLL is run by clicking the 'Full Version Info' button. This method also brings the user to the point where he/she can generate the 'request' file, which is required when purchasing a license.

Click to Open

Under an agreement between Semantics 21 and Jedson Technologies we have produced a variant of the X-Tension designed to extract files and relevant metadata, and provide XML report files that can be used directly by Semantics 21 applications. By continuously working closely with Semantics 21, this DLL provides many benefits to both capability and performance tailored specifically to LASERi-X.  For more information on Semantics 21 products, visit here.

LACE software provides back end analysis software as one of the options for the work flow currently using Xways and the XwaysKPF_x64 DLL. LACE is one of the first to take advantage of the JSON output now being produced by the DLL, and offers greater flexibility and features than the previous (legacy) C4All format of reports. In addition to supporting the ProjectVIC® compatible JSON files, we have collaborated with BlueBear LES such that they have created a DLL, provided by BlueBear specifically for their customers, which permits the XwaysKPF_x64 DLL to calculate LACE ImageMark codes on the fly (during DLL processing) and include these Image Mark codes into the JSON report in 'AlternativeHashes', alongside PhotoDNA if available.

Latest DLL files available for download:

Previous DLL's and miscellaneous files available for download: