The baseline X-Tension for X-Ways Forensics (a single DLL file) was designed for law enforcement agencies and requires a licensed version of X-Ways Forensics to be running. This DLL is called from within X-Ways Forensics, normally after a volume snapshot has been refined. The baseline X-Tension produces XML reports and file archive folders that are compatible with 'C4All'. The additional variants were added in response to specific needs, based on the advanced features available in various follow-on categorization applications. These variants provide output files and folder layouts that are slightly different from the original 'KPF' variant.
For those that are curious, this DLL (Dynamic Link Library) is similar to an executable in that it is compiled machine code which runs as quickly as a normal executable, but shares its program space with the executable which loads this DLL. Because it is not a script which must be parsed and processed at run-time, the launch speed and run performance of the DLL can be astonishing.
Essentially, X-Ways loads the DLL, then is able to call specific functions in the DLL in response to user actions and the refinement process. The DLL in turn can call a large number of functions in the X-Ways Application Programming Interface (or API) as per here. Calling these API functions from within the DLL is the root of the processing power of the DLL and is what allows it to run "as-one" with X-Ways Forensics. Therefore the DLL can extend the functionality of the main X-Ways Forensics executable for specialization and product customization, thus the concept of the 'X-Ways Forensics Extension', or more simply, 'X-Tension'.
If you run across any issues or problems when running the DLL, proceed as per here.
For those who are members, a link to an article on Forensic Focus can be found here.
Here is a link to the presentation given at the 2019 Ontario Forensics Investigators Association in Niagara Falls, ON, Canada:
The following enhancements to the original version of the DLL are available in the full unlocked version:
Ability to include additional video file types beyond those originally processed by C4All (103 types versus 20 types)
Consolidation of multiple partitions into a reduced number of parent folders, namely one for each physical drive. This allows the X-Tension to be run against multiple cases with the results for each case (physical drive) placed into its own folder. For the baseline version, a single folder is created for each partition, regardless of their host physical drive
For image files which support more than one thumbnail (such as JPEG), the unlocked version will search the additional thumbnail images and compare against the hash database to find notable files. If one is found, the parent file (i.e. the JPEG) will then be promoted to notable if not already. This parent and the notable thumbnail will be added to a 'Verify' table for quick inspection from within X-Ways
Currently implementing support for CAID which will change the format of the output files to JSON (rather than XML used for C4All), and also change slightly the organization of the output folders. Additionally, embedded thumbnails will be stored in the same folder system as the rest of the images, using the thumbnail's own hash name rather than that of the parent from which the thumbnail was extracted.
The 'key' file
If you run the DLL as the baseline version, it will create a 'request' file (with the format XwaysKPF_NewKey_XXXXXX.req) where 'XXXXXX' are the first 6 characters of the X-Ways license ID. A full unlock 'key' file is generated based on this 'req' file, and thus becomes unique for your licensed X-Ways dongle (or your network license). It is not associated with any particular machine, and can thus be copied to any machine on which you plan to run your licensed copy of X-Ways. Simply copy the 'key' into the same folder as the DLL, and the DLL will find it. The 'key' file will unlock future releases of the DLL, as it is not tied to a particular version. Note that a 'key' generated for a particular variant (i.e. for a particular exploitation product) will not work with other variants.
Multiple licenses? No problem. Simply copy all of your 'key' files into the DLL folder on each machine, and the DLL will find the most recent, valid key. If it finds an expired key, it will even rename the extension to 'key_expired'. This allows you to see which keys are outdated and can be deleted at your convenience.
Cost for a single, full license is US$250 per year, with discounts for additional licenses. Keys 2 through 10 for a single agency are discounted by US$35 each, with further discounts for subsequent licenses. For users with network licenses for X-Ways, the number of users for your network license determines the number of licenses you will need for the DLL, however only one key will be generated. In this case, the 'key' will unlock the DLL so long as the number of concurrent X-Ways users does not exceed the number of authorized users. The license does not need to be updated as new versions of the X-Tension are released.
If your agency is interested in larger numbers, please contact me at 'email@example.com' to discuss an agency unique version of the X-Tension. Currently the licenses can only be purchased directly from Jedson Technologies, or through Semantics 21 (for customers purchasing the Semantics 21 variant in the UK and the EU). Please see the licensing information that can be found when the DLL is run by clicking the 'Full Version Info' button. This method also brings the user to the point where he/she can generate the 'request' file, which is required when purchasing a license.
Under an agreement between Semantics 21 and Jedson Technologies we have produced a variant of the X-Tension designed to extract files and relevant metadata, and provide XML report files that can be used directly by Semantics 21 applications. By continuously working closely with Semantics 21, this DLL provides many benefits to both capability and performance tailored specifically to LASERi-p and LASERi-v. For more information on Semantics 21 products, visit here.
BlueBear LES LACE
LACE software provides back end analysis software as one of the options for the work flow currently using Xways and the XwaysKPF_x64 DLL. LACE is one of the first to take advantage of the JSON output now being produced by the DLL, and offers greater flexibility and features than the previous (legacy) C4All format of reports. In addition to supporting the ProjectVIC® compatible JSON files, we have collaborated with BlueBear LES such that they have created a DLL, provided by BlueBear specifically for their customers, which permits the XwaysKPF_x64 DLL to calculate LACE ImageMark codes on the fly (during DLL processing) and include these Image Mark codes into the JSON report in 'AlternativeHashes', alongside PhotoDNA if available.