OpSwat offers free access to their multiple antivirus scanning API, allowing forensics examiners to look up hashes for files to determine if the files are malicious, unknown, or benign. At Polito Inc., our forensic experts often rely on X-Ways Forensics to rapidly acquire and analyze digital computer evidence. Today Polito Inc. is pleased to announce that we are releasing the OpSwat Metadefender extension for X-Ways. This is useful for quickly triaging a file hash or multiple file hashes at once, all from within the X-Ways Forensics interface.
Obtaining OpSwat MetaDefender X-Ways Extension
The OpSwat MetaDefender extension is designed to run on 19.x 64-bit versions of X-Ways. The extension may or may not work on older versions, as it has only been tested on 64-bit X-Ways versions 19.3 and 19.9. We are working on testing additional recent versions for compatibility.
To start, you’ll need your MetaDefender Cloud API key ready. You can sign up for MetaDefender’s free API key at opswat.com. You can download the latest extension DLL and configuration file from our Github repo, consisting of MetaDefenderXTension.dll and mdconfig.txt. Save the DLL and the text file locally in the same folder you will remember.
In the folder for MetaDefenderXTension.dll and mdconfig.txt, open mdconfig.txt and replace your MetaDefender Cloud API key with the repeating numbers. It should contain MetaDefender Cloud API credentials in the following format:
api.metadefender.com:443:<API key values>
Save that mdconfig.txt file once you have added your API credentials.
Note: The API Key for the free version has a limit of 100 Prevention API requests/day, 4000 Reputation API requests/day, and 1000 Hashes/day. The rate limit is 10 requests/min
To add the extension to X-Ways, go to Tools > Run X-Tensions then click the add button (plus sign). Navigate to the folder where you saved MetaDefenderXTension.dll, select it, and click OK.
Before the extension can be used, you need to hash the files of interest in your X-Ways evidence. The typical way to hash all files in X-Ways is to go to Specialist > Refine Volume Snapshot, and check the option to "Compute hash". If you want to process and hash the file contents of compressed file archives, also check the corresponding box to "Include contents of file archives: zip, rar, 7z, tar, gz, ... " Now ensure that the Hash (MD5) column and Metadata column are visible in X-Ways. Once the file hashing has completed, MD5 hashes will be visible in the Hash (MD5) column. If you do not see a Hash or Metadata column, you will need to add the column to view the data. To add columns, go to Options > Directory Browser, then you should be able to see all the columns available to you. Find the Hash, Metadata, or any other fields, then change the length to >0. Once you click OK, new columns should be populated in the main window.
To use the extension, right-click on the file or files of interest to select them, and click Run X-Tensions... in the context menu that appears. Select the MetaDefender extension then click the OK button to run it.
After running the MetaDefenderXTension.dll extension, the Metadata field will become populated with the results for the queried MD5 hashes against the MetaDefender database. The hash query results include the file's Threat Status (UNKNOWN/NO THREAT/INFECTED), Threat Name (if possible), Total Engine Count, and Engine Match (count of AV hits). Also, the “Hash category” column will be populated with a tag of “notable” for easy filtering.
After running the MetaDefender extension, a completion message will appear in the X-Ways Messages box.
Please feel free to open an issue on GitHub or contact us about any questions, bug reports, or other feedback.
Happy forensicating!
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
Phone: 571-969-7039
E-mail: info@politoinc.com
Website: politoinc.com
References: