How do I 'get me some of that'?
To request a quotation, I only need to know the name of your agency, the contact information for the main POC (Point of Contact), and the number of licenses needed. Email firstname.lastname@example.org to request a quote, which will be returned by email. Once the quotation is approved, we will need a 'request' file for each license requested. This can be done by inserting each X-Ways Forensics dongle in turn, then running the DLL on a small case. The 'request' file for each dongle will have a unique name, so just copy them all back into an email to us with your formal request for an invoice. For a network license, only one request file will be required, as all users will have the same ID, and X-Ways Forensics will ensure that the number of licensed users is not exceeded at any given time.
Once your request is received, you will be issued short term keys until payment is received, at which time 365 day keys will be issued. The ID of each dongle for which a license was purchased will be annotated on the invoice, and can be used to generate 'key' files in the future as a backup, or for a yearly renewal.
What is a DLL?
A Dynamic Link Library is a file that contains library functions that can be called by an executable or another DLL. It can be used to dynamically (i.e. at run-time) extend the capabilities of an application. Because it is loaded only when needed, and can be unloaded as desired, it can add functionality to an application without increasing the size of the main executable, and further, supports separate development efforts. Thus, the DLL can be updated independently of the executable, and vice-versa, unless new functions are added that are required by one or the other.
For our DLL's, there is a distinction between 'versions' and 'variants':
A 'version' is essentially an update from the previous release that contains bug fixes or new features
A 'variant' is internally significantly different as it supports a different processing chain, report file types, or end-user application. For example, the baseline 'variant' which supports 'C4All' creates much different report files than the 'variant' designed for Semantics 21.
Reporting issues with the DLL
If you have an issue with the operation of the DLL, or think you may have found a bug, please let me know via email at email@example.com. It will be very helpful if you attach the generated reports (XML and TXT files), and generally you need only provide snippets of those if they become too large: information at the beginning and end of the XML export is essential, but repetitive file information is not required. Also, using the logging feature described below will produce a TXT file that captures the internal processing of the DLL and may be required as well.
What is a 'req' file?
If you run the DLL as the baseline version (i.e. without a valid and current license 'key' file), the DLL will create a 'request' file (with the format 'XwaysKPF_NewKey_XXXXXX.req' or 'Semantics21_NewKey_XXXXXX.req') where 'XXXXXX' are the first 6 characters of the X-Ways license ID (which itself is 32 hexadecimal digits). The file also contains the time the file was generated, as well as the variant of the DLL and number of simultaneous users if the X-Ways license is network based. This 'req' file can also be generated manually by clicking the 'Full Version Info' button on the main DLL dialog, then clicking 'Generate' on the subsequent dialog. The 'req' file will again be generated in the same folder as the DLL itself. This folder can also be opened directly by clicking the 'Open Folder' button on the same dialog.
What is a 'key' file?
A file with a 'key' extension, residing in the same folder as the DLL. It is used to unlock all features of the DLL. This is not typical of DLL behavior, but because a DLL can be launched like an application, and a DLL has access to the entire Windows API (like an application), this DLL was designed with this security feature. The 'key' itself contains encrypted information regarding the variant of the DLL, the user's X-Ways dongle ID (related to the dongle serial number, which cannot be derived from it), and the duration of validity for the key. The 'key' file is issued for a specific 'variant' of the DLL, but can be used on the current and all subsequent 'versions' of the DLL. The chart to the right summarizes how each type of license works with each variant of the DLL.
What's in a key name?
With the exception of the file extension 'key', the names of the key files are not important. All of the pertinent information (dongle ID, variant, expiration date, etc) is encrypted within the data contents of the file. Feel free to rename your file to anything you prefer in order to keep track of your key. Just leave the file extension (i.e. 'type') alone. Note that the DLL will automatically rename the extension to 'key_expired' when it encounters a key file that has in fact expired. None of the content is changed, so renaming it back to a 'key' file will cause the DLL to verify it once again the next time it is run.
What about privacy?
I do not pass on any email addresses to any other person, business, entity, etc. Further, when I send out my version update notification via 'mass emailing', I put all email recipients in the BCC (Blind Carbon Copy) field so that your email addresses are protected, even from one another.
What Video types does the X-tension support?
The set of image types supported by the X-tension includes (grouped for clarity, and in no particular order):
"jpg", "bmp", "emf", "gif", "jp2",
"jpe", "jpeg", "jpx", "psd", "png",
"tif", "tiff", "dng", "arw", "sr2",
"srf", "cr2", "raf", "nef", "nrw",
"orf", "rw2", "heic", "ktx", "raw" and "webp"
Video types supported (i.e. fully processed) by the X-tension correspond to the types originally supported by the baseline 'C4All' variant (XwaysKPF_x64). These include (grouping for clarity):
"mp4", "mpeg", "mpg", "avi", "mov",
"mp2v", "m2v", "m2ts", "m2t", "wmv",
"flv", "3g2", "3gp", "3gpp", "mkv",
"m1v", "m4v", "f4v", "3ga" and "mts"
Additional video types supported by the full key include (again, grouped simply for clarity):
"4x", "4xm", "60d", "ajp", "amv",
"arf", "asf", "bik", "bnk1", "bvr",
"camrec", "csmil", "cwm", "dat7", "dav",
"dce", "dcr1", "divx", "dmb", "dsm",
"dv", "dv4", "dvr-ms", "dxr", "eye",
"flc", "fli", "flv2", "gmv1", "irf",
"ismv", "ivf", "ivr", "mj2", "mjpg",
"mpe", "mpv", "mqv", "mtv", "mvd",
"mvp", "mxf", "mxv", "nsv", "nut",
"nuv", "ogm", "ogv", "ogx",
"omf", "otrkey", "pmf1", "qt", "r3d",
"rm", "rmvb", "roq", "rv", "rvx",
"scm", "smk", "tivo", "ts", "ub1",
"vcr", "vem", "vfo", "vgz", "viv",
"vob", "voc", "vp6", "vro", "vse",
"webm", "wp3", "wtv", "xesc" and "zmv"
What is a DLL activity log?
One of the options on the DLL user dialog is to Log DLL Activity, with two available selections: 'to Log folder' and 'to Case folder'. These options both create a text file ('txt' extension), either in the 'Status Logs' sub-folder within the main DLL folder, or in the Case folder. In either case it will be named with the current date and time. With 'logging' enabled, the DLL will output critical milestones to the log file during the processing sequence. Each entry contains the time to the nearest millisecond, as well as information which can be used to pinpoint a found bug. This feature has a minor impact on the processing speed due to the continuous generation and writing of the log strings, so it is recommended to use this option sparingly. If a bug is found, which can generally be attributed to a corrupt file, using the log option can help us pinpoint the file in question, and usually give us an opportunity to modify the DLL to be particularly robust against similar types of corruption. Invalid Unicode characters in the metadata field of an image file are one example of this.
An example of an activity log can be seen at right. (Click on the image to open a new tab showing an enlarged view of the log). Be forewarned that for large cases, this log file can grow to tens of megabytes which will really tax some text editors.
If you have a log that illustrates a problem with the DLL, please send me an email and upload the log to my folder here: Log Uploads
Auto-logging feature added in 3.6.10.f
Admittedly, asking the user to rerun a case with one of the logging options in order to track down an anomaly is something I am reluctant to do. Thus I have incorporated a new virtual logging feature into version 3.6.10.f (and following) of all DLL variants. This new feature works only when none of the original logging methods ('to Log folder' or 'to Case folder' selected, or running 'HypoDebug') has been initiated. It essentially creates a virtual log in memory that contains all of the administrative information (i.e. Evidence Object info, user selected options, report table names and X-Ways counts, etc) and then log entries only for processed items (files) that have been found to contain anomalies, warnings or errors. If an item is found to be ‘anomaly-free’ the log record for that item is simply discarded, otherwise it is added to the virtual log. The number of anomalies, warnings and errors is also tracked and presented to the user at the end of the run in a message box that allows him/her to save the virtual log to disk (as per message box at right). The name of the file is generated based on the variant, and the date/time of the DLL run.
Anomalies are considered to be invalid characters found in filenames, folder names, or metadata. This includes the troublesome ']]>' in the middle of an XML CDATA tag, surrogate pairs or orphans in Unicode, private use code points or extended control codes in Unicode, or one of the 'fullwidth' characters in Unicode. The invalid characters (code points) are either deleted (for control code points) or replaced with a substitute code point, such as '«'.
A warning is generated when a Unicode string contains a control code declared as unused by the Unicode standard (0x0080, 0x0081 or 0x0099) and is replaced with either an underscore or '«' depending on context (the former when converted to 8-bit ASCII, the latter for Unicode).
An error is the result of a system generated failure passed back from X-Ways that results in termination of processing for an individual file. This includes invalid access to a file (usually caused by an X-Ways setup error), a full disk when copying images or movies to the report archive, or when trying to extract an invalid Unicode string through X-Ways. Most incorrect Unicode strings are passed from X-Ways and have their anomalies detected and reported, however some Unicode strings can be so malformed as to cause an error in X-Ways. Further processing for a file generating an error depends on the nature of the error, but generally some important information will be lost, or the file will not be archived.
During normal RVS processing, a number of Anomalies or even Warnings can be expected, thus should not alarm the user when they are reported at the end of case processing. Because substitutions are made for the invalid characters generating the Anomaly or Warning, processing continues and the item will be archived correctly. Errors are more significant and indicate that some items in the RVS were not fully processed or archived, thus deserve more attention when they occur. Log files can be uploaded here: Log Uploads
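The anomaly and warning rules above, together with the keep-only-flagged-items behaviour of the virtual log, can be sketched as follows. This is an added example, not code from the DLL; the function names, the treatment of ']]>' as one substituted character, and the reading of 'extended control codes' as the range 0x80 to 0x9F are assumptions.

```python
import unicodedata

SUBSTITUTE = "\u00ab"            # the substitute code point named above
UNUSED_C1 = {0x80, 0x81, 0x99}   # control codes that raise a warning

def sanitize(text, ascii_target=False):
    """Return (clean_text, anomalies, warnings) for one untrusted string."""
    out, anomalies, warnings = [], 0, 0
    i = 0
    while i < len(text):
        if text.startswith("]]>", i):
            # Would close an XML CDATA section early. Assumption: the whole
            # sequence is replaced by a single substitute character.
            out.append(SUBSTITUTE)
            anomalies += 1
            i += 3
            continue
        ch = text[i]
        cp = ord(ch)
        i += 1
        if cp in UNUSED_C1:
            warnings += 1
            out.append("_" if ascii_target else SUBSTITUTE)
        elif 0x80 <= cp <= 0x9F:
            anomalies += 1                      # extended control code: deleted
        elif (0xD800 <= cp <= 0xDFFF            # orphan surrogate
              or cp > 0xFFFF                    # a surrogate pair in UTF-16
              or 0xE000 <= cp <= 0xF8FF         # private use area
              or unicodedata.east_asian_width(ch) == "F"):  # fullwidth form
            anomalies += 1
            out.append(SUBSTITUTE)
        else:
            out.append(ch)
    return "".join(out), anomalies, warnings

def virtual_log(names):
    """Keep a record only for items that are not anomaly-free, plus totals."""
    records, totals = [], {"anomalies": 0, "warnings": 0}
    for name in names:
        clean, a, w = sanitize(name)
        if a or w:
            records.append((clean, a, w))
            totals["anomalies"] += a
            totals["warnings"] += w
    return records, totals

# Constructed sample names (not taken from any real case).
SAMPLE = ["holiday.jpg", "a]]>b.png", "x\x85y\x99z.mov",
          "\uff21bc.gif", "clip\U0001F600.mp4", "lone\ud83d.avi"]

if __name__ == "__main__":
    records, totals = virtual_log(SAMPLE)
    for clean, a, w in records:
        print(f"{clean}: {a} anomalies, {w} warnings")
    print(totals)
```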
Command Line Interface (CLI) added in 3.6.12.n
The next release of the Semantics21 variant of the DLL will include CLI parsing using the XTParam protocol described in the X-ways documentation here. Following is a summary of parameters that will be parsed. The text in red indicates the optional information. Most parameters map to an element on the dialog, so their use should be familiar. Only the first number after the second full-colon is parsed. Omitting a 0 or 1 is equivalent to using a 1 (i.e. sets parameter to TRUE). In this case, the second colon can be eliminated. Thus the following are all equivalent:
XTParam:pictures (referred to as the truncated version of the parameter).
Omitting the entire parameter itself is equivalent to setting it FALSE, i.e. the same as:
Note that omitting any of these parameters (except those that take strings as input) is equivalent as setting them to 0 or FALSE (clearing a check box). For those parameters that take strings, if omitted, the DLL will use the last path/comment specified by the user or X-ways (casename).
Why do some DLL's have version numbers in the name, but others do not?
For housekeeping reasons, we maintain a copy of all past versions of the DLL, such as 'XwaysKPF_x64_v3.6.8.c.dll', where the version number is '3.6.8.c'. If you download a new 'numbered' version of the DLL, you will need to carefully select the correct version when you call the DLL from within X-Ways Forensics. To simplify updates, simply download the 'base' version (XwaysKPF_x64.dll) into the same location as the previous version and you are good to go. Normally, applications and DLL's store their registry information by company name and application/DLL name, in which case you would end up with entries for each version you have run, and the stored settings from one version will then not propagate when the updated version is run. These DLL's will write to the same registry key, regardless of version number. Each variant has its own key, which every version of that variant then shares. To receive notifications when new versions are released, please follow this link and submit your email address and agency information.
How to name HASH (Report) Tables in X-ways:
One of the key features of the DLL is to use the report table associations setup in X-ways to count the number of notable and irrelevant files. To accomplish this, the table names need to adhere to a few certain rules so that the DLL can properly extract (or parse) the category number from the table name:
Table names need to start with 'Category', 'Cat' or the specific name 'NSRL'. For these three names, upper or lower case can be used and is ignored. Thus 'CAT', 'Cat' or 'cat' are acceptable, and even 'CaTeGoRy' for those who are challenged by the keyboard;
The category number (for the first two options) can immediately follow the text, or have a single space prior to the number. Thus 'Cat1' and 'Cat 1' are both valid, but 'Cat  1' (two spaces) is not. Numbers after 'NSRL' are ignored;
Any characters after the number (please use a space after the number) are ignored. So 'Cat 1 ProjectVIC' would still be parsed as a 'category 1' table; and
Starting in Version 3.6.12.k, you will now be able to put text in front of 'Cat', 'Category', etc, as long as a space ' ' separates the words. Thus, 'ProjVIC Cat 3' or even 'Project VIC Cat 3' will be parsed correctly, but not 'ProjVicCat 3'.
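The naming rules above can be checked before a run with a small script. This is an added example written from the rules as stated, not the DLL's own parser; the function names are hypothetical, 'NSRL 2019' is a constructed name, and allowing prefix text before 'NSRL' is an assumption based on the 'etc' in the last rule.

```python
import re

# Keyword at the start of the name, or after a space (prefix text is
# allowed from 3.6.12.k). At most one space before the category number.
_TABLE_RE = re.compile(
    r"(?:^| )(?:(?P<nsrl>nsrl)|(?:category|cat) ?(?P<num>\d+))",
    re.IGNORECASE,
)

def parse_table_name(name):
    """Return ('nsrl', None), ('category', n), or None if the name breaks the rules."""
    m = _TABLE_RE.search(name)
    if m is None:
        return None
    if m.group("nsrl"):
        return ("nsrl", None)        # digits after NSRL are ignored
    return ("category", int(m.group("num")))

def audit_table_names(names):
    """Split names into {name: parsed} and a list of names that would not parse."""
    parsed, rejected = {}, []
    for name in names:
        result = parse_table_name(name)
        if result is None:
            rejected.append(name)
        else:
            parsed[name] = result
    return parsed, rejected

# Constructed sample, built mostly from the names used in the rules above.
SAMPLE = ["Cat1", "CaTeGoRy 2", "Cat 1 ProjectVIC", "Project VIC Cat 3",
          "NSRL 2019", "Cat  1", "ProjVicCat 3", "Notable"]

if __name__ == "__main__":
    ok, bad = audit_table_names(SAMPLE)
    for name, (kind, num) in ok.items():
        print(f"{name!r:22} -> {kind} {num if num is not None else ''}")
    print("would not be counted:", bad)
```

Any name in the rejected list is one whose files would not be attributed to a category, so it is worth renaming the table in X-Ways before processing the case.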
What is a 'jxb' file?
A 'jxb' (Jedson encrypted binary) file is an encrypted version of any file type such that it can be passed through email and company firewalls. The encryption of the original file is based on the AES standard, and a header (also encrypted) is pre-pended to the 'jxb' file to contain the following information about the original un-encrypted file:
Original file length;
Creation, modification and access times of the original file;
File name and extension of the original file (but not the original folder path);
Attributes (read-only, hidden, etc) of the original file; and
CRC32 (32-bit Cyclic Redundancy Check) of the original file contents, ensures file was not corrupted at the byte or even bit level.
Since the 'jxb' file contains the original filename, the 'jxb' file can be conveniently renamed to anything the sender desires for clarification, but when decrypted using Jedsonite.exe or JedsoniteDC.exe the resulting file will have the name, file times and attributes of the original, thus duplicating as close as possible the original file.
Because of the encrypted header of the 'jxb', the encrypted file can even be renamed with a different extension, or have the extension removed altogether. In either case, when the encrypted file is dropped onto either the Jedsonite or JedsoniteDC icons, the file will be identified as an encrypted file and decrypted. For this reason, I refer to any file encrypted by Jedsonite.exe as a 'jxb' file, regardless of the extension used by the person doing the encryption.
This application is designed to sit on your desktop and act as a drag-and-drop decrypter of 'jxb' files or any file encrypted with Jedsonite.exe. If you double-click on the application (as opposed to dragging a file onto the app) a small dialog box will open and allow the user to set the option of deleting the 'jxb' file following de-cryption.
The dialog will also give the user the option of registering the application with the Windows shell (if not already in the registry) or removing the current file association (if already in the registry). When registered in the shell, any 'jxb' files will be displayed with the JedsoniteDC icon and the user can simply double-click on that file to run the decryption. Note that the encrypted 'jxb' file does NOT need to be in the same folder (or drive) as JedsoniteDC.exe: the decrypted file will be created in the same folder as the 'jxb' file. A link to JedsoniteDC.exe will also be added to the 'Send To' folder which adds the ability of the user to right-click on a single or multiple files and decrypt them by selecting JedsoniteDC on the resulting context menu. Also, you can drop multiple 'jxb' files onto the JedsoniteDC icon at the same time.
If a file is found to be corrupted (based on the CRC32 calculation) a warning dialog will be presented to the user, the decrypted file will not be saved, and the encrypted file will not be deleted (regardless of user preference).
Get JedsoniteDC here, and you will find it in the same repository as the older Xways DLL's here. Or you can go to the bottom of the Revision History page and download the file JedsoniteDC.zip, then unzip (it is a compressed Windows folder) and move to your preferred folder. In either case, if you double-click the icon to set up the registry association and you subsequently move the JedsoniteDC.exe file, you will need to re-register the file association.
Where do I find 'Jedsonite.exe'?
At this point, Jedsonite.exe is not being distributed, sold, traded, etc. It is currently only in the hands of myself, my chief field tester and some other business partners. If demand dictates, I may rethink how to distribute this utility, for a very small fee. Please email me at firstname.lastname@example.org if you want to inquire about, or comment on Jedsonite.exe.