External Analysis Interface

Via the menu command "Export Files for Analysis" in the Case Data window, you can send files (for example all files in the case that belong to a certain category) to an external program for further analysis. This external program must comply with the interface described below. Requires X-Ways Forensics or X-Ways Investigator or WinHex with a forensic license.

The analysis result can be imported back into X-Ways Forensics with the Report Table Import menu command in the Case Data window. (For example, right-click the case title where it is printed in bold.) That will associate files classified by the external software with certain report tables (and may create new report tables), which allows you to filter for such files or create a report about them.

For example, the software DoublePics can recognize known pictures (even if stored in a different format or altered) and return a classification such as “CP”, “relevant”, or “irrelevant”.

Technical description of the interface

All files or files in a certain category or all tagged files or all non-excluded files are copied into a subfolder of the output folder specified by you. The subfolder is named with a CRC in hexadecimal characters that is unique for the active case. The files are named with unique IDs (64-bit integer numbers). One additional file named "Checksum" is created that contains 4 bytes with the same CRC, 4 bytes with the handle of the main window of X-Ways Forensics (or X-Ways Investigator, for that matter), 8 reserved bytes, and 128 bytes with the case title in UTF-16. When the files have been copied, X-Ways Forensics executes the external analysis program and specifies the complete path of the subfolder in quotation marks as a parameter.

The external program can now perform the analysis. It can classify files by creating one .rtd file for each classification.

When finished, the program can optionally check whether the X-Ways Forensics main window still exists and, if so, make X-Ways Forensics aware of the availability of the results by sending a WM_SETTEXT message to the main window, where the text starts with "Import: ", followed by the path of the directory containing the .rtd files, without quotation marks. This will trigger the import automatically. Alternatively, the user can import the result manually as described above.


The names of the .rtd files (report table definition files) are used as the report table names. An .rtd file starts with a 4-byte signature (0x52, 0x54, 0xDE, 0xF0) and the 4-byte checksum (see above), followed by the 64-bit file IDs (integer numbers) of the files that should be associated with that report table.
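The external program's side of this interface, as an added Python example that is not X-Ways' or DoublePics' code: it parses the Checksum file from the export subfolder, classifies the exported files with a toy size rule in place of a real recognizer, and writes one .rtd per classification. Little-endian field order and a NUL-padded UTF-16LE case title are assumptions not stated above; the optional WM_SETTEXT notification (Windows only) is left out, but the window handle needed for it is returned.

```python
import struct
from pathlib import Path

RTD_SIGNATURE = bytes([0x52, 0x54, 0xDE, 0xF0])  # signature given in the interface description

def parse_checksum_file(data):
    """Checksum file: 4-byte CRC, 4-byte HWND, 8 reserved bytes, 128 bytes UTF-16 case title.
    Little-endian fields and NUL-padded UTF-16LE are assumptions, not stated on the page."""
    if len(data) != 144:
        raise ValueError("Checksum file must be 144 bytes, got %d" % len(data))
    return {"crc": data[0:4],  # raw bytes; copied verbatim into every .rtd written later
            "hwnd": struct.unpack("<I", data[4:8])[0],  # main window handle for WM_SETTEXT
            "case_title": data[16:144].decode("utf-16-le").rstrip("\x00")}

def write_rtd(out_dir, table_name, crc, file_ids):
    """Write <table_name>.rtd: signature, the 4-byte checksum, then 64-bit file IDs."""
    ids = sorted(set(int(i) for i in file_ids))
    body = RTD_SIGNATURE + crc + b"".join(struct.pack("<Q", i) for i in ids)
    path = Path(out_dir) / (table_name + ".rtd")
    path.write_bytes(body)
    return path

def parse_rtd(data, expected_crc=None):
    """Validate an .rtd file and return its file IDs (rejects bad signature/checksum/length)."""
    if data[:4] != RTD_SIGNATURE:
        raise ValueError("bad .rtd signature")
    if expected_crc is not None and data[4:8] != expected_crc:
        raise ValueError(".rtd checksum does not match the case's Checksum file")
    payload = data[8:]
    if len(payload) % 8:
        raise ValueError("truncated file ID list")
    return [struct.unpack("<Q", payload[i:i + 8])[0] for i in range(0, len(payload), 8)]

def classify_export(export_dir):
    """Toy classifier standing in for a real tool: exported files are named by their 64-bit
    ID; non-empty files go to 'relevant', empty ones to 'irrelevant', one .rtd per table."""
    export_dir = Path(export_dir)
    meta = parse_checksum_file((export_dir / "Checksum").read_bytes())
    tables = {"relevant": [], "irrelevant": []}
    for p in export_dir.iterdir():
        if p.name.isdigit():  # skips 'Checksum' and any .rtd files from earlier runs
            tables["relevant" if p.stat().st_size else "irrelevant"].append(int(p.name))
    for name, ids in tables.items():
        ids.sort()
        write_rtd(export_dir, name, meta["crc"], ids)
    return tables
```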