How To Use And Export Cloud Tokens With XRY

In this video, I’m going to show you how to download cloud tokens with XRY. This does require the XRY Cloud license to download them. You don’t get them without that license. As you can see here, I did obtain three cloud tokens; you can see the icons on the right for Facebook, Google and Instagram.

I’m going to click on ‘Finish,’ and this will bring up the case overview in XRY. And as you can see here, all three cloud tokens are empty.

If you go down to the lower left in XRY, you can see, if you click on that, you can open the case location. So you select ‘Open case location,’ click ‘OK,’ and this will bring up the actual location of where the extractions are. And you can see that these are empty. We don’t download them, because it may be beyond the scope of your search. Just remember, you need the XRY Cloud license and an internet connection to download them.

If I want to download the Facebook ones, first click on ‘Facebook.’ Here you can see a check next to the Facebook token.

Down here in the lower right, where it says ‘Open,’ you can click on that, select ‘Download,’ click ‘OK.’ You have to be connected to the internet. It starts a log file, and now you can select all categories; deselect all; and select one, or a combination of, categories.




I’m going to go ahead and select all. Click ‘OK.’ That brings me to a date range, so I can set a date range by year; go to the month; and have an end date. I’m going to select all and click ‘OK.’ For the amount of data with Facebook, I do recommend a date range.

So now the extraction process starts with a log. Now you can see the items have been decoded. They are being added to the case. Now, be aware that there are different types of tokens, some are short-lived and some are long-lived. Some may last for 30-45 days, others hours.

An update; phone shut off and restarted; the user changing the password; and choosing to downgrade apps: those things probably will make these tokens invalid.

Now you can see I have downloaded data from the cloud. So now I’m going to open the case location, and you can see that there is data here with the Facebook token – 586 KB. I’m going to go download the other two cloud tokens in the same manner. I do prefer to download them individually.

Now that I have them all downloaded, I’m going to open up the case location – I’ll end up closing XRY, but I’m going to click ‘OK,’ ‘Open case location,’ and I’m going to double-click on ‘Open the cloud XRY case’ with XAMN. There. The case file is open.

Over on the far left, you can see the case info, where I can add information; in the middle, data sources. I can expand each one of these tokens and devices. I can actually click on ‘View all artifacts’ for an independent one and open it up from here. I can deselect all, select the Facebook cloud token, and see the content categories for that on the right.

I’m going to click ‘Messages’ and open up a Message tab and see the messages there.

Now I can see the messages from the cloud token here in the list view. I sort by time, oldest at the top. I can see this one has attachments, because it has the paper clip. I can see the map if I scroll down, if I’m connected to the internet, or using offline maps if I’m not.

So I hope you enjoyed this video. Thank you, and stay safe.

Find out more at MSAB.com.
