How To Use The Categories Filter In XAMN

Welcome to this quick how-to guide explaining how to work with the Categories filter within XAMN. Categories filter is a powerful tool that is built into the heart of XAMN to help you quickly identify artifacts of a specific type that may be relevant to your investigation.

Modern day smartphones contain vast quantities of digital data, and it is all too easy to be overwhelmed when viewing this dataset in its entirety. By working smart with the Categories filter, you can quickly target relevant data and keep your investigation on track.

Upon opening a case within XAMN, you are presented with a brief snapshot of the Categories filter on the right-hand side. Ticking the ‘show categories’ expands this to become the full list, as can be seen.

We could choose to start our investigation by clicking one of the categories from this menu. I will show you how to work effectively with the Categories filter when viewing all artifacts from the case. We now find that we are presented with over 800,000 artifacts in the case. Being able to target and just review key evidence is key to any investigation’s success.

Let’s take, for example, we are running an investigation that involves drug dealing. Chat and location data is going to be the best place to start. This will allow us to discover any evidence of arranging deals, or any available evidence or intelligence as to locations linked to this device.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Now, filtering on this key data is simple, thanks to the power of the Categories filter. I can use control, click to choose the relevant categories that I wish to filter on. Whereby I have selected chat, MMS and SMS, and locations, as we believe they are going to be relevant to the investigation that involves drug dealing.

At the top of the menu, you can see I now have a ‘clear filter selection’ button that is in bold. To simply remove my selection, I can control, click each artifact again, or to remove all I can click the ‘clear filter selection.’

As well as control, we can also highlight sticky mode. Once I press the ‘sticky mode’ button, I can simply just click the relevant artifacts that I wish to include.

Now we have filtered on what we believe are the relevant artifacts for this case. You can see that the numbers dynamically reduce as I make my choice. And we have now reduced the artifact count down from 800,000 to just over 15,000, allowing the investigator to ensure their investigation is targeted on reviewing the relevant evidence for their case.

Now you could be running an investigation that has intelligence to suggest that only a particular application was of relevance. With the powerful in-built functionality of XAMN, you can also filter on just an application. As we expand the application menu, we can scroll down and we can find the application that we believe is of relevance. Simply clicking it filters all data just containing WhatsApp. And again, here we’ve reduced the artifact count down to 326.

Once you have selected the relevant categories for your investigation, you could save this as a quick view. Now, the next time you run a similar investigation, this quick view would be available to you from the main menu within XAMN.

For example, if we went back to our previous suggestion of SMS, MMS, chat and locations as being of relevance, I can quickly go to the ‘quick views’ menu and I can save this as a quick view that I can then use in other investigations.

So if we return to our main menu, we are now presented with a quick view of drug dealing investigations. And once we choose that quick view, we are presented with the artifacts that we chose of relevance to this investigation. This once again, allows you to save time and run a targeted investigation.

Thank you for joining us for this quick how-to guide on effectively using the categories view within XAMN.

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:46 pm

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:14 pm

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles