X-WAYS_ID


PURPOSE   OPERATION   COMMAND LINES  


Author: Dan Mares, dmares @ maresware . com
Portions Copyright 2013-2014 by Mares and Company, LLC
Phone: (770)242-6687 X119
Last Update: 05/22/2013


Modifications:
5/22/2013: Added -o outputfile option

Purpose

To rename files which have been "recovered"/exported using X-Ways.

The process uses the contents of the "copylog.txt" file which is created by X-Ways during the recovery process to identify the "Destination name" of each file recovered and copied to the destination. It then reads a user provided file which contains specific fields contained in the "copylog.txt" file which the user wants to have "pre-pended" to the filename. This process with the proper choice of the selected items to add to the filename may be able to ensure uniqueness of (the extracted/recovered) filenames. This unique filename can then be provided to reviewers for easy identification of the files recovered.

One current restriction on the format of the copylog.txt file is that it (the copylog.txt) file has to be a text tab delimeted version and NOT the UNICODE version. The program is not designed to be able to read the unicode version at this time.


MANDATORY

The one thing which is absolutely mandatory for the program to run, is that the directory where the files are located which you wish to rename, MUST be the same directory as is listed/referenced in the X-WAYS copylog.txt file under the "Destination name" field. The program uses this field to locate the files. IF the contents of this field, and the actual locations of the files are not identicle, then the renaming fails.


WHY THIS PROGRAM WAS WRITTEN

The original request for the design of this program was for a program which would add to the filename of the X-Ways extracted file, the internal X-Ways ID, or the "Unique ID" and the "Evidence Object" field.

As of X-Ways version 17.2Preview, the "Unique ID" field was added to the copylog capability. This new field is designed to ensure uniqueness among output information.

Reviewers, often cannot easily identify or report back to the examiner the exact file they wish to reference. This program was created to allow the analyst to "rename" exported files and add to the filename specified fields (from the export list) which could make the filename more unique.

The renaming of exported files by adding specific (user chosen) fields (ie: the Internal Unique ID, Intenal ID, Evidence Object) or other item, might make it easier for reviewers to identify the source of files they are looking at when presented with the drive containing extracted files.

Unintended/Intended Consequences

Since this program is designed to rename files based on parameters found in the tab delimeted file (option -x) and using the the fields specified in (option -f), if you stretch your imagingation, you really don't have to rely on the X-Ways file to rename files. Say you wanted to add a unique number to each filename. You would generate a file with the same format and syntax as the X-Ways export list. Meaning it has at a minimum the Destination Name, Path, Name, Description, etc., fields with which the program located the file in question. Then you need to add a field with the serial number you wish to add to the file. It is easy enough in Excel to add a numeric field, that increases by 1 for each row. Then that row name is used as the item in the option file -f file. When the program runs, it reads the data for the Name, Path, Description and Evidence Object and the serial number (from the added column to item 1), and renames all the files. Just use your mind and think outside the mouse.


Operation

This program takes two or three items (options) on the command line identified by options.

The options are:


option -x x_ways_export_list_filename: (REQUIRED) The "TAB" delimeted X-Ways file that is created when you use the "export list" option to provide a list of fields relating to each file exported. The program currently will ONLY work with a text export of this information, and will not work with the UNICODE export option. This file MUST contain specific fields in order for the program to work correctly. See the area below referencing which fields are required

This item -x option, MUST contain at a minimum the following fields
Destination file
the file Name
Path


These fields as chosen within X-Ways when you generate the export list file. These fields are used to identify and locate the file (and thus the filename) of the exported file which is to be renamed. Other items which MUST be included in this file are any fields you wish to add to the filename (such as internal ID) that was exported from X-Ways. Please make sure the "Destination file" field is the first one selected.

These "user" selected fields which will be added to the filename might be the "Unique ID", "Int. ID", "Evidence object" and other items. Since the "Unique ID" appears to be unique, the addition of this item will ensure uniqueness and accuracy in identifying the file later on. Any other fields which you normally include in the "export list" file are ignored. If you select an ID field, make certain all the records in the export list contain an item, or else the file may not get renamed at all

Sample "copylog.txt" file contents might contain the fields shown here, and MUST contain at least the "Destination file", and the items the user wishes to use to rename the files.

Sample header line, which is actually an X-Ways tab delimeted text file.

Destination file (tab) Name (tab) Ext. (tab) Path (tab) Evidence object (tab) Created (tab) Modified (tab) Unique ID (tab)  ID Int.  ID


option -f fields2include_file: (REQUIRED) A text file, one item per line. Each line contains the exact item from the header line of the X-Ways export list file (above), which you are wanting to add to the filename of the exported file.

The order of this file, is the order that the item is added to the filename to create a new filename on the drive. Sample file below shows two items to add to the filename:

Unique ID
Int. ID    
Then the items would be pre-pended to the filename in the order found in this list. Each item is separated in the newfilename by an underscore (_).

If the Original filename was "mydoc.doc" and we want to add "Unique ID", and "Int. Id"
Then the new filename might be: 1-21_1234_mydoc.doc

Make sure the spelling is exact as it is in the export list. An easy way to guarantee that, is to use a text editor, and copy the names to this text file.


option -o outputfile: (added: 5/23/2013). (optional) Create a tab delimeted output file that contains the original filename, and the "renamed" filename. Added to the end of the output record is the 1st field which the user chose to add to the filename. This may or may not be a numeric field. Generally it will be. AND: Caution (when importing/loading the output file to Excel) should be used if the first field selected in the -f option (fields 2 copy/add) is a numeric field such as one of the ID fields. Excel will interpret the numeric field as a number, and if it the Unique ID field, it will interpret it as a function. So when importing this output file to Excel, make sure that the final (Excel) field is a text field. (5/23/2013)


A known operational challenge, (not a bug).

If X-ways exports child objects, it usually creates those items in a child folder which has an unusual (unicode) character as the one of the characters in the parent folder name. This program cannot handle renaming files which are contained in child folders with the unicode character. It is suggested that when exporting files with children, that you go into the X_Ways option to change the child object folder identified to a simple character. I usually change it to (_child), underscore_child.

This allows for an easily recognizable sequence, which can be handled, and also, often other software has problems navigating into the folder with the unicode character sequence. So this is not the only program with problems using that unicode character.

As the files are renamed, the results is printed to the screen. This screen print can easily be redirected > to an output file > outputfilename.txt.

This output file is formatted for easy input to excel for reference purposes.


Top

Command Lines


C:> x-ways_ID.exe -x x-ways_export_list.txt -f field_list_needed 
C:> x-ways_ID.exe -x x-ways_export_list.txt -f field_list_needed  -o outputfilename

 

 


Top

Related Programs

X-WAYS_metadata_processing  A sister program to take the X-Ways export list data (meta data field) and break it up.

BATES_NO  A program to rename files. The option in the bates_no program called: --XWaysfile= will take the export list, and rename the files using a bates_no.

Get the executable

Top