Example #1
        /// <summary>
        /// XT_Finalize export: writes a trace line through
        /// <c>ImportedMethods.XWFOutputMessage</c> and records that no action is executing.
        /// </summary>
        /// <param name="hVolume">Volume handle passed by the caller; not used here.</param>
        /// <param name="hEvidence">Evidence handle passed by the caller; not used here.</param>
        /// <param name="nOpType">Action type passed by the caller; not used here.</param>
        /// <param name="lpReserved">Reserved pointer; not used here.</param>
        /// <returns>Always 0.</returns>
        public static Int32 XT_Finalize(IntPtr hVolume, IntPtr hEvidence,
                                        XTActionType nOpType, IntPtr lpReserved)
        {
            const Int32 finalizeResult = 0;

            ImportedMethods.XWFOutputMessage("C# Dll: XT_Finalize called");

            // A null action type means "nothing is running" for code that checks this field.
            // NOTE(review): only _currentAction is reset here; if this class also caches a
            // volume handle (e.g. in XT_Prepare), confirm nothing reads it after this point.
            _currentAction = null;

            return finalizeResult;
        }
 /// <summary>
 /// XT_Finalize export: emits a trace message via
 /// <c>ImportedMethods.XWFOutputMessage</c>, then clears the stored action type.
 /// </summary>
 /// <param name="hVolume">Volume handle from the caller; ignored by this implementation.</param>
 /// <param name="hEvidence">Evidence handle from the caller; ignored by this implementation.</param>
 /// <param name="nOpType">Action type from the caller; ignored by this implementation.</param>
 /// <param name="lpReserved">Reserved pointer; ignored by this implementation.</param>
 /// <returns>Always 0.</returns>
 public static Int32 XT_Finalize(IntPtr hVolume, IntPtr hEvidence,
     XTActionType nOpType, IntPtr lpReserved)
 {
     const Int32 noFlags = 0;
     const string traceLine = "C# Dll: XT_Finalize called";

     ImportedMethods.XWFOutputMessage(traceLine);

     // Null signals that no action is currently executing.
     // NOTE(review): no other cached state is cleared here; confirm that any handle
     // stored elsewhere in this class is not used once finalization has run.
     _currentAction = null;

     return noFlags;
 }
Example #3
        /// <summary>
        /// XT_Prepare export: remembers the volume handle and action type for later
        /// callbacks, writes diagnostic volume details through
        /// <c>ImportedMethods.XWFOutputMessage</c> when a volume is present, and returns
        /// the flag that requests per-item callbacks.
        /// </summary>
        /// <param name="hVolume">
        /// Volume handle. May be <see cref="IntPtr.Zero"/>, meaning there is no volume to
        /// prepare for; no volume function is called in that case.
        /// </param>
        /// <param name="hEvidence">Evidence handle; not used here.</param>
        /// <param name="nOpType">Action type; stored in <c>_currentAction</c>.</param>
        /// <param name="lpReserved">Reserved pointer; not used here.</param>
        /// <returns>Always 1 (flag 0x01 in the table below).</returns>
        public static Int32 XT_Prepare(IntPtr hVolume, IntPtr hEvidence,
                                       XTActionType nOpType, IntPtr lpReserved)
        {
            /*
             * Return values, from the docs:
             *
             * Negative return values:
             * -4 if you want X-Ways Forensics to stop the whole operation (e.g. volume snapshot refinement) altogether
             * -3 if you want to prevent further use of the X-Tension for the remainder of the whole operation, for example because your X-Tension is not supposed to do anything for that kind of operation as indicated by nOpType.
             * -2 if you want this particular volume excluded from the operation
             * -1 if you don't want other functions of this X-Tension to be called for this particular volume, not even XT_Finalize
             *
             * Positive return values/combination of flags:
             * 0x00 default, if you just want XT_Finalize to be called, will also be assumed if you do not export XT_Prepare
             * 0x01 if you want X-Ways Forensics to call your implementation of XT_ProcessItem or XT_ProcessItemEx (whichever is exported) for each item in this volume snapshot
             * 0x02 in case of XT_ACTION_RVS, same, but to receive calls of XT_ProcessItem (if exported) after all other individual item refinement operations instead of before
             * 0x04 in case of XT_ACTION_RVS, to signal XWF that you may create more items in the volume snapshot, so that for example the user will definitely be informed of how many items were added (v16.5 and later only)
             *
             * Full return value evaluation only for XT_ACTION_RVS.
             */
            const Int32 callProcessItem = 1; // 0x01 - to call XT_ProcessItemEx

            // Kept for ProcessItemEx. The handle is stored even when it is zero, so any
            // later consumer has to repeat the IntPtr.Zero check before using it.
            _currentVolumeHandle = hVolume;
            _currentAction = nOpType;

            // Trace the parameters this call received.
            string prepareTrace = string.Format(
                "C# Dll: XT_Prepare called, hVolume = {0}, nOpType = {1}",
                hVolume, nOpType);
            ImportedMethods.XWFOutputMessage(prepareTrace);

            // A zero handle means there is no volume; skip every volume-level query.
            if (hVolume == IntPtr.Zero)
            {
                return callProcessItem;
            }

            // Volume geometry.
            var volInfo = ImportedMethods.XWFGetVolumeInformation(hVolume);
            string geometryTrace = string.Format(
                "XWF_GetVolumeInformation: fileSystem = {0}, bytesPerSector = {1}"
                + " , sectorsPerCluster = {2}, clusterCount = {3}, firstClusterSectorNo = {4}",
                volInfo.FileSystem, volInfo.BytesPerSector,
                volInfo.SectorsPerCluster, volInfo.ClusterCount,
                volInfo.FirstClusterSectorNo);
            ImportedMethods.XWFOutputMessage(geometryTrace);

            // Contents of the sector reported as FirstClusterSectorNo.
            string description;
            Int32  itemId;
            bool inUse = ImportedMethods.XWFGetSectorContents(
                hVolume, volInfo.FirstClusterSectorNo, out description, out itemId);
            string sectorTrace = string.Format(
                "XWF_GetSectorContents: Sector Description = {0}, Sector Item Id = {1}, Sector Is Used = {2}",
                description, itemId, inUse);
            ImportedMethods.XWFOutputMessage(sectorTrace);

            // Volume name, requested as XWFVolumeNameType.Type3.
            var volumeName = ImportedMethods.XWFGetVolumeName(hVolume, XWFVolumeNameType.Type3);
            ImportedMethods.XWFOutputMessage("XWF_GetVolumeName: Volume Name = " + volumeName);

            return callProcessItem;
        }
        /// <summary>
        /// XT_Prepare export: stores the volume handle and action type, logs the call
        /// parameters and (for a non-zero handle) volume information, the contents of the
        /// first cluster's sector and the volume name, then asks for per-item callbacks.
        /// </summary>
        /// <param name="hVolume">
        /// Volume handle; can be <see cref="IntPtr.Zero"/> when there is no volume to
        /// prepare for, in which case no function is called on it.
        /// </param>
        /// <param name="hEvidence">Evidence handle; unused in this implementation.</param>
        /// <param name="nOpType">Action type; saved to <c>_currentAction</c>.</param>
        /// <param name="lpReserved">Reserved pointer; unused in this implementation.</param>
        /// <returns>Always 1, i.e. flag 0x01 from the return-value table in the body.</returns>
        public static Int32 XT_Prepare(IntPtr hVolume, IntPtr hEvidence,
            XTActionType nOpType, IntPtr lpReserved)
        {
            // State consulted later by ProcessItemEx. hVolume is saved unconditionally, so a
            // zero handle can end up stored; readers must check it against IntPtr.Zero.
            _currentVolumeHandle = hVolume;
            _currentAction = nOpType;

            // XT_Prepare parameters
            ImportedMethods.XWFOutputMessage(
                string.Format("C# Dll: XT_Prepare called, hVolume = {0}, nOpType = {1}",
                    hVolume, nOpType));

            bool volumePresent = hVolume != IntPtr.Zero;
            if (volumePresent)
            {
                // XWFGetVolumeInformation
                var info = ImportedMethods.XWFGetVolumeInformation(hVolume);
                string infoLine = string.Format(
                    "XWF_GetVolumeInformation: fileSystem = {0}, bytesPerSector = {1}"
                    + " , sectorsPerCluster = {2}, clusterCount = {3}, firstClusterSectorNo = {4}",
                    info.FileSystem, info.BytesPerSector,
                    info.SectorsPerCluster, info.ClusterCount,
                    info.FirstClusterSectorNo);
                ImportedMethods.XWFOutputMessage(infoLine);

                // XWFGetSectorContents
                string desc;
                Int32 ownerItemId;
                bool used = ImportedMethods.XWFGetSectorContents(
                    hVolume, info.FirstClusterSectorNo, out desc, out ownerItemId);
                string sectorLine = string.Format(
                    "XWF_GetSectorContents: Sector Description = {0}, Sector Item Id = {1}, Sector Is Used = {2}",
                    desc, ownerItemId, used);
                ImportedMethods.XWFOutputMessage(sectorLine);

                // XWFGetVolumeName
                var name = ImportedMethods.XWFGetVolumeName(hVolume, XWFVolumeNameType.Type3);
                ImportedMethods.XWFOutputMessage("XWF_GetVolumeName: Volume Name = " + name);
            }

            /*
            Return values, from the docs:

            Negative return values:
            -4 if you want X-Ways Forensics to stop the whole operation (e.g. volume snapshot refinement) altogether
            -3 if you want to prevent further use of the X-Tension for the remainder of the whole operation, for example because your X-Tension is not supposed to do anything for that kind of operation as indicated by nOpType.
            -2 if you want this particular volume excluded from the operation
            -1 if you don't want other functions of this X-Tension to be called for this particular volume, not even XT_Finalize

            Positive return values/combination of flags:
            0x00 default, if you just want XT_Finalize to be called, will also be assumed if you do not export XT_Prepare
            0x01 if you want X-Ways Forensics to call your implementation of XT_ProcessItem or XT_ProcessItemEx (whichever is exported) for each item in this volume snapshot
            0x02 in case of XT_ACTION_RVS, same, but to receive calls of XT_ProcessItem (if exported) after all other individual item refinement operations instead of before
            0x04 in case of XT_ACTION_RVS, to signal XWF that you may create more items in the volume snapshot, so that for example the user will definitely be informed of how many items were added (v16.5 and later only)

            Full return value evaluation only for XT_ACTION_RVS.
            */
            const Int32 requestItemCallbacks = 1; // 1 - to call XT_ProcessItemEx
            return requestItemCallbacks;
        }