X-Ways Forensics Add-Ons
Automate investigative tasks and extend the functionality of X-Ways Forensics with so-called X-Tensions. The programming interface (API) is fully documented here.
Publicly downloadable and commercially available X-Tensions that we know of are listed below. We list 3rd party X-Tensions here just for your information and convenience, not for endorsement or to assume responsibility. Neither the X-Tensions nor their descriptions here have been checked by X-Ways in any way. Please be advised that X-Tensions are files that contain executable code that is run with the same rights as the host application. The executable code could do something very useful or unintended or malicious.
Exponent Faces by API Forensics Inc. |
v19.3 or later required |
Part of the Exponent bundle. Exponent Faces implements leading-edge commercial facial recognition technology (in use by military and police organizations), directly within X-Ways Forensics, to detect, match and extract faces from photographs and video files. Quickly and accurately identify victims, missing persons and persons of interest within volumes of collected media, including security surveillance video. |
Exponent CloudMail by API Forensics Inc. |
v19.3 or later required |
Part of the Exponent bundle. IMAP e-mail collection from 3rd party service providers that include, but are not limited to, Microsoft, Google, AOL, Yahoo and Zoho. The collection process is conducted in real time, right from within an active X-Ways Forensics case file. Aggregate enterprise mail (e.g., Outlook PST files) with web mail and search everything at the same time, with just one tool! Some of the exciting features which help law enforcement, particularly with search warrants, include:
- Filter specific messages using any combination of keywords and GREP expressions.
- Powerful AND/OR logic makes it possible to further narrow the field of search.
- Perform keyword searches of common email fields such as From, To, Subject, CC, BCC, Body, Headers and attachment filenames.
- Target any combination of mailbox sub-folders (aka: Labels for Gmail) on the remote server (e.g., Inbox, Sent Items, custom folders).
- Narrow the scope of your search using date ranges of when messages were sent.
Demonstration video. |
Exponent MobileMessaging by API Forensics Inc. |
v19.3 or later required |
Part of the Exponent bundle. Imports SMS, MMS and iMessages, including available Instagram Direct Messages (for iOS devices) directly into X-Ways Forensics from Android and iOS devices that have been acquired by 3rd party mobile forensic software tools. In addition, standalone iTunes Backups are also supported for message extraction. |
Exponent MobileMedia by API Forensics Inc. |
v19.3 or later required |
Part of the Exponent bundle. Imports pictures and videos into X-Ways Forensics from Android and iOS devices that have been acquired by 3rd party mobile forensic software tools. In addition, standalone iTunes Backups are also supported. Demonstration video. |
VirusTotal by Polito Inc. Github Link |
tested on 64-bit versions from 19.3 to 20.5 |
Allows you to look up hashes of files to determine if the files are malicious, unknown, or benign. |
XT_SimpleCmd by X-Ways |
any version (but see text file for remarks) |
Sends a simple command to either the main window of X-Ways Forensics or the active data window or one of its component windows, for example to close the currently active case or to close all data windows. Could be useful because it can also be run from the command line. |
Hash Exporter by Polito Inc. Github Link |
v19.9 or later required |
Helps automate hash extraction. Completely command line based. This is especially useful if we are processing a large number of images or need to perform a CPU intensive processing on faster hardware. X-Ways does not currently have a way to automate the creation of a unique file of hashes. |
Yara Scanner by Chris Mayhew |
v19.9 SR-7 or later required |
There are many benefits to running YARA within X-Ways, versus running YARA via the command-line interface:
|
XT_XWF-OCR by Ted Smith |
v19.1 or later required |
Enables Optical Character Recognition (OCR) of picture file types in X-Ways Forensics. |
MetaDefender by Polito Inc. Github Link |
tested on 64-bit versions up to 19.9 |
Allows you to check hashes against Opswat Metadefender's 40 plus antivirus databases. |
ASL Viewer by Yuya Hashimoto |
v19.9 SR-6 or later required |
This is a Viewer X-Tension that parses and previews the selected Apple System Log (asl) file. |
Fuzzy Hash by Yuya Hashimoto |
v19.9 SR-1 or later required |
Calculates fuzzy hash values for each item in the volume snapshot, utilizing the API of the ssdeep project. |
Shannon Entropy by Yuya Hashimoto |
v19.9 SR-1 or later required |
Calculates the Shannon Entropy for each item in the volume snapshot. |
XT_XWF_AutoCTR by Ted Smith |
v16.5 or later required |
Automate extraction of common file types to a container, with source code. |
XT_XWF_CaseSummaryGenerator by Ted Smith |
v18.9 or later required |
Generates summary information, with source code. |
XT_XWF_2-RT by Ted Smith |
v18.9 or later required |
X-Ways Forensics to Relativity ingestion, with source code. |
Griffeye XML export by Ruslan Yushaev 32 Bit, 64 Bit |
v17.6 or later required |
Allows you to export images and videos from X-Ways Forensics in the C4All format. You can then import the XML indexes in Griffeye Analyze. |
GetFileReputation & SubmitFile by Polito Inc. in partnership with ReversingLabs Github Link |
tbc |
One is an X-Tension for ReversingLabs (RL) hash lookups. This is useful for quickly triaging a file hash or multiple file hashes at once, to help determine whether the hash is known or not and whether the underlying file is malicious or not. Screenshot of the result. The other X-Ways extension is for submitting files to RL, which is handy when the hash is not found in the RL database (e.g., unknown). You will need to be a ReversingLabs customer with valid RL API credentials and keys to use the extensions. |
AFF4 by Bradley Schatz |
tbc |
Not based on the X-Tension API, but on the Image I/O API. Listed here anyway on request. Allows X-Ways Forensics to interpret AFF4 images as disks, just like raw images, .e01, VHD, VHDX, VMDK. |
Griffeye Export by Chris Lees |
tbc |
X-Tension that does a special export of data. Currently available to law enforcement users from the X-Ways download server, in the same directory as the PhotoDNA functionality. |
XT_IMAGE by Alexander Kuiper |
v18.1 or later required |
Viewer X-Tension that allows you to use digital image processing algorithms to enhance pictures from within X-Ways Forensics. |
PDF Compatibility by Ruslan Yushaev 32 Bit, 64 Bit |
tbc |
Fixes a print bug (missing text when printing certain PDF documents) in the Oracle OutsideIn viewer component that was found by Ruslan Yushaev and reported to Oracle by X-Ways on May 21, 2017. The X-Tension is a viewer X-Tension that intervenes in preview and printing and returns the result of the following GhostScript command back to X-Ways Forensics: |
XT_RAW by Alexander Kuiper |
v18.1 or later required, v19.1 or later recommended |
Identifies and converts RAW files created by modern digital cameras. |
KPF a.k.a. C4All by Steve Frawley
Download Directory (to download the latest version and for more information) For more information please check elsewhere, for example in the C4All Forum. Thanks. |
v18.8 or later recommended |
"C4All is a program used by law enforcement and others to categorize pictures and videos. |
Binary Large Object X-Tension by Christopher Lees |
? |
This X-Tension is used to extract Binary Large Object (BLOB) data from SQLite databases. |
BeyondCompare X-Tension by Chad Gough |
? |
Allows an examiner to select any two files in X-Ways and quickly send them to Beyond Compare for review. Beyond Compare, from Scooter Software, is a 3rd party file comparison tool that has built-in support/viewers for the comparison of binary/hex, tab and comma separated files, graphic/image files, registry data, source code, executables, Microsoft Word/Excel, and Adobe PDF documents. Plug-ins for additional file types can be downloaded from here. |
VirusTotal X-Tension by Chad Gough |
v16.9 and later |
Allows an examiner to check the status of a file via the VirusTotal API directly through X-Ways Forensics and get the status in the messages window. Note that this does not submit the file to VirusTotal; it only checks whether a report already exists for a given file's hash value and retrieves the results. All checks are performed via SSL. Developed and tested with X-Ways Forensics 17.7, but should work with any version past v16.9. Based on Chad Gough's own C# adaptation of the X-Tension API. Requires Microsoft's .NET Framework v3.5 and a valid public (or private) API key from VirusTotal, which can be obtained for free from here. |
Luhn Credit Card Check by X-Ways Software Technology AG 32-bit, 64-bit |
for all versions |
Can be used during GREP searches for credit card numbers. Verifies all search hits using the Luhn algorithm and discards false search hits, to reduce the output of irrelevant numbers. Load the X-Tension in the dialog window of the simultaneous search. If you believe that our X-Tension does not correctly employ the algorithm and lets too many false hits pass through, convince yourself here that the Luhn algorithm is weak (enter one of the numbers that you get and that does not look like a valid credit card number, and click "Validate Luhn"). Last updated April 13, 2012. Source code included in our C++ API download. |
Multiple File Finder by Werner Rumpeltesz |
v17.0 |
Can search for filenames and/or path names and add the matching files to a specific report table. Additionally, files can be exported and automatically renamed in different ways. After finishing the search, external applications can be run to take over the further analysis of the exported files. |
Submission
If you have created an X-Tension, please contact us and provide (in English):
- X-Tension name
- purpose / what it does
- which version(s) and which edition (32 bit and/or 64 bit) of X-Ways Forensics it requires as a platform, and any other special requirements
- author/vendor name/organization
- link to a web page with more information and/or download link
Thank you very much.