How To Use And Export Cloud Tokens With XRY

In this video, I’m going to show you how to download cloud tokens with XRY. This does require the XRY Cloud license to download them. You don’t get them without that license – as you can see here, I did obtain three cloud tokens, you can see the icons on the right for Facebook, Google and Instagram.

I’m going to click on ‘Finish,’ and this will bring up the case overview in XRY. And as you can see here, all three cloud tokens are empty.

If you go down to the lower left in XRY, you can see, if you click on that, you can open the case location. So you select ‘Open case location,’ click ‘OK,’ and this will bring up the actual location of where the extractions are. And you can see that these are empty. We don’t download them, because it may be beyond the scope of your search. Just remember, you need the XRY Cloud license and an internet connection to download them.

If I want to download the Facebook ones, first click on ‘Facebook.’ Here you can see a check next to the Facebook token.

Down here in the lower right, where it says ‘Open,’ you can click on that, select ‘Download,’ click ‘OK.’ You have to be connected to the internet. It starts a log file, and now you can select all categories; deselect all; and select one, or a combination of, categories.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


I’m going to go ahead and select all. Click ‘OK.’ That brings me to a date range, so I can set a date range by year; go to the month; and have an end date. I’m going to select all and click ‘OK.’ For the amount of data with Facebook, I do recommend a date range.

So now the extraction process starts with a log. Now you can see the items have been decoded. They are being added to the case. Now, be aware that there are different types of tokens, some are short-lived and some are long-lived. Some may last for 30-45 days, others hours.

An update; phone shut off and restarted; the user changing the password; and choosing to downgrade apps: those things probably will make these tokens invalid.

Now you can see I have downloaded data from the cloud. So now I’m going to open the case location, and you can see that there is data here with the Facebook token – 586 KB. I’m going to go download the other two cloud tokens in the same manner. I do prefer to download them individually.

Now that I have them all downloaded, I’m going to open up the case location – I’ll end up closing XRY, but I’m going to click ‘OK,’ ‘Open case location,’ and I’m going to double-click on ‘Open the cloud XRY case’ with XAMN. There. The case file is open.

Over on the far left, you can see the case info, where I can add information; in the middle, data sources. I can expand each one of these tokens and devices. I can actually click on ‘View all artifacts’ for an independent one and open it up from here. I can deselect all, select the Facebook cloud token, and see the content categories for that on the right.

I’m going to click ‘Messages’ and open up a Message tab and see the messages there.

Now I can see the messages from the cloud token here in the list view. I sort by time – oldest at the top – I can see this one has attachments, because it has the paper clip. I can see the map if I scroll down, I’m connected to the internet, or using offline maps if I’m not.

So I hope you enjoyed this video. Thank you, and stay safe.

Find out more at MSAB.com.

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:39 pm

Internal investigations and eDiscovery face rising challenges in the data collection landscape. There is an urgent need to preserve and analyze data; rising costs for server infrastructure and overhead and the increasing complexity and volume of data from emerging sources is overwhelming. Laptops, computers, phones, tablets, cloud sources, and messaging applications – data is stored anywhere and everywhere with employee communications being the riskiest data sources.

The scope and specific challenges of data collection affect organizations and law firms differently, presenting a need for a variety of solutions to best fit their needs. With Cellebrite’s suite of SaaS (Software-as-a-Service) cloud-based collection solutions, corporate investigators and eDiscovery practitioners can close investigations and get to review faster.

Cellebrite's market-leading SaaS based solutions minimize business disruption and save organizations money by:

- Eliminating the need for large upfront costs and maintenance expenses
- Minimizing overhead costs without hosting the solution, no hardware shipping, and no technical calls for assistance
- Minimal and predictable data collection costs, allowing you to scale your usage according to your specific needs and budgetary considerations
- Stay up to date with continuous updates to data sources with updates pushed to the Cellebrite cloud
- Close investigations and review discovery faster with cloud-based innovation
- Manage customer requests and provide transparency throughout your organization across the globe

Watch Cellebrite's webinar where Monica Harris, Product Business Manager, showcases how Cellebrite’s range of SaaS-based solutions have you covered whether you need remote collection across all devices, including computers, cloud sources, chat applications, and mobile devices or full-file system advanced collection capabilities across the widest range of mobile devices and applications.

Internal investigations and eDiscovery face rising challenges in the data collection landscape. There is an urgent need to preserve and analyze data; rising costs for server infrastructure and overhead and the increasing complexity and volume of data from emerging sources is overwhelming. Laptops, computers, phones, tablets, cloud sources, and messaging applications – data is stored anywhere and everywhere with employee communications being the riskiest data sources.

The scope and specific challenges of data collection affect organizations and law firms differently, presenting a need for a variety of solutions to best fit their needs. With Cellebrite’s suite of SaaS (Software-as-a-Service) cloud-based collection solutions, corporate investigators and eDiscovery practitioners can close investigations and get to review faster.

Cellebrite's market-leading SaaS based solutions minimize business disruption and save organizations money by:

- Eliminating the need for large upfront costs and maintenance expenses
- Minimizing overhead costs without hosting the solution, no hardware shipping, and no technical calls for assistance
- Minimal and predictable data collection costs, allowing you to scale your usage according to your specific needs and budgetary considerations
- Stay up to date with continuous updates to data sources with updates pushed to the Cellebrite cloud
- Close investigations and review discovery faster with cloud-based innovation
- Manage customer requests and provide transparency throughout your organization across the globe

Watch Cellebrite's webinar where Monica Harris, Product Business Manager, showcases how Cellebrite’s range of SaaS-based solutions have you covered whether you need remote collection across all devices, including computers, cloud sources, chat applications, and mobile devices or full-file system advanced collection capabilities across the widest range of mobile devices and applications.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_SE7Cl5jkigk

Maximising Data Collection With SaaS Innovations

Forensic Focus 10th June 2024 12:42 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles