Walkthrough: What’s New In XAMN v4.4

Hello and welcome to this video about what’s new in XAMN 4.4.

I’m going to take you through ten new improvements, as you can see listed here in the latest release of the XAMN application. Let’s get straight on to the product so we keep this video as short as possible for you.

This is the latest version of XAMN 4.4. I’m working on a beta, so some features might change before the final release, but this should be a good indication of what’s coming up.

Let’s start with this file for an iPhone 6. And the first thing we’ve done is improved the loading functionality. You can see here there are twelve XRY files to be loaded, and you get feedback in relation to where the program is. Also it’s much faster to load.

The next thing I’d like to point out is that you can see on the left-hand side that we don’t have recently opened files anymore. We’ve improved this to allow for more screen space, so that you can see more of the extractions in this particular case, and have that information available. But if you do want to open another case, you just click on the ‘Open XRY Case’ or XRY file button in the top left, and you can see all the recently opened files there. So that’s a change in XAMN 4.4.

Also a new feature in the Start Case page here is quick views. So if we go into quick views, I can edit these directly in the start tab here – for example, if I wanted to add a classic mode, that’s one of my quick views on the right-hand side. Click ‘Classic mode,’ click ‘OK,’ and you’ll see it appears there. And conversely, if I untick it, it’ll disappear. So you can manage your quick views in XAMN 4.4 straight from the icon at the beginning of the application.

Let’s go to Pictures now and see one of the major improvements that we’ve added there. So we’ll go to Gallery view, so you can see all the pictures that we’ve got. Let’s click on this particular picture of a car that you can see here. I want to show you a new feature in relation to the picture viewer.

So if I open this in the XAMN Picture Viewer application… just drag that over onto the screen… you can get a much larger view of the picture in the application. But if I want to open another picture, I have to double-click on it. That will open a second dialogue box. And if I open a third picture… and so on and so forth; you get the idea. Essentially, you have to open each of the picture viewers for each gallery.

Now we’ve had a number of feedback to improve this process, so we’ve added a new ‘pin’ button here. So simply click the pin button, and now I can scroll through to the next picture simply by selecting it in the gallery view. It’s a much easier and quicker way to deal with images, so you can see them in a full view, if you want to. Great for a second monitor screen view, as well.

That’s the new picture view. To go back to the normal mode, unpin, and then you can see that I need to double-click that to open the next picture. A nice little improvement there in XAMN.

Let’s have a look at another feature we’ve added. We had some feedback in relation to examiners who had to look at indecent images. So we’ve made some changes in the Options menu, and we’ve included a new option: ‘Prevent animated gif files from being played automatically’, as you can see here. What I mean by that: let’s find a gif file to demonstrate.

So an improvement that we’ve made in XAMN previously is that gif files, if there, will preview and display automatically, as you can see this one’s moving. Now if it’s an indecent image, perhaps that’s not appropriate, so you’d like to prevent that from happening, quickly just go to the Options menu in the Detail panel; select ‘Prevent animated gif…’, click ‘OK’, close that down, go back to Pictures. Start again: if we search for that gif file again, now you can see that it’s no longer playing the animation, it just shows you the first frame.

It’s the same, extending that to Project VIC. So Project VIC, we’ve made some improvements in XAMN 4.4. Previously if you selected this button, you would have got a whole host of options. We’ve now moved that so that the Project VIC button just simply does a process review of the extraction, so you can see here we can filter on all artifacts, or just ‘Filtered.’ Select by view; I’ll do a quick check against our database. We can see no hits. OK, fine, let’s do that again. Let’s do it on all artifacts, see if we can get a match. And we’ve got thirteen hits in this particular view. So click ‘OK’, XAMN will update the data, and here are hits for Project VIC. And we can select those images if we want. Just to reassure you, this is a fake database, so if we open the picture viewer, these are just normal images that we’re testing in the system here.

And you can see that’s how the matches are displayed. So the images by default are prevented from being displayed. We won’t show them until you want to look at them in detail in the picture viewer.

If you want to change the settings for Project VIC, you can do that now in the Options menu. We have a new section for Project VIC here, where you can decide on the format that you want to use, depending on your region. And also, now you can add multiple databases, so more than one for each region. You can create a new one, or add them here in the Options menu.

OK, we can clear all the filters using the button here. Quick update for the Time filter: we’ve improved ‘Set custom time’. If I click on that filter it defaults to today’s date. It also means if you want to have a ‘from’ and ‘to’, obviously it starts from the current date. It’s much quicker and easier to get the filter in recent time.

Next big discussion point is chat view. So we have this chat thread here, with a discussion on the Kik app with a participant called Johnny Utah. You can see we can flick through that. Now historically the chat view was originally in XAMN Horizon; recently we’ve put it in XAMN Spotlight. And the great news is, in XAMN 4.4, we’re going to put this chat view into XAMN Viewer. What that means, quite simply, is that it’s now free to use for all XAMN users.

So XAMN Viewer now contains the chat view for free. And on top of that we’ve made some minor improvements as well. You can now see the exhibit ID, so you can see where the thread came from. This is from the Apple iPhone 5, which is number six in this case, number four; just to remind you, that’s the reference number we give to the particular exhibit. So that’s included now in chat view.

We’ve also added a new shortcut to PDF. So if this chat view is something that I want to report, I can very quickly click the ‘PDF Report’ button, it goes straight to a PDF and assumes that I want to print out this chat thread. I can click ‘Export’, and we’ll open that folder to see the results. Let’s drag it over here. And here you can see the PDF report with those chats – that’s the screenshot, very quickly printed out just as you see it there. So that’s a nice little touch for the XAMN chat view: a quick shortcut to PDF.

Don’t forget of course, though, if you want to do a more detailed report, select the ‘Report export’ option and you can go through all the artifacts and all the different file formats. So these are our twelve standard file format exports here. And you can choose between all artifacts, those filtered or those selected, as you can see here.

And another new feature to point out: if we go to PDF, perhaps if I wanted to do with pictures, we now number the pictures to make it easier to report. So let’s quickly go back to pictures in the gallery view. Let’s highlight this top row, and go to ‘Export.’ You can see it defaulted to ‘Selected (9 artifacts)’, and I want to do a PDF report of that. Click ‘Next’, and let’s go to ‘Pictures only view.’ We can put eight per page, or nine per page. We’ve selected nine artifacts, let’s put all nine on one page. Click ‘Next.’ And then we can open that up, and here you can see the PDF report that’s been created.

And there’s the original screenshot, and now you can see here we’ve numbered those individually selected nine images; those pictures that we’ve selected.

Great. One other feature I’d like to point out to you: very nice new implementation of screenshot. So now we can take a screenshot of what we’re looking at. Perhaps you’ve created a… let’s create a geographical map view, for a change. This is available in XAMN Horizon. So here’s a picture of several artifacts that have been created on this case. You can see that there’s some pictures there.

Let’s take a screenshot of that. So I can either drag an area – perhaps I just want the map for my report, and that creates a picture which can be saved – or alternatively I can just do a full screen, and then you can see I’ve got the whole screen there. And I can then save the file to a destination of my choice. That’s the new screenshot ability in XAMN 4.4. Great feature there.

Just one point in terms of tagging. You’ll probably be aware that… let’s remove that one… that we can add tags as a filter, and we can tag individual data. So let’s go to the view here. I can individually tag files, so I can mark these as important. And if I wanted to, I can edit the tags and give them all sorts of meanings.

We’ve included the option now to include tags in the export. So in the Extended XML export, the export schema now includes the tag marker information as well as all the other data, so it can be ingested into third-party analysis tools. There is a new extended XML schema available from the MSAB customer portal, detailing that for your third-party vendors.

Another nice little feature: if you wanted to save a subset of this for a third party to review, you can now click on the ‘Save subset’ options, and there’s a new feature here to include XAMN Viewer for free, as part of the package, so that the recipient can both receive the file and also have a reviewing tool to review the data in it.

Then we’ve made an improvement on call data records. If you’re not familiar with that, you’ll see that we have options here to import a binary file, or a UFED file from Cellebrite; but we can also import CDR – call data records.

If I click on that a wizard appears, and this will allow you to import the telephone records from network service providers to see if they match with the data that you’ve extracted from the handset. So we’re going to browse to a demo file, to show you, and then essentially you just follow the wizard. Click ‘Next’ and it will read the template, and it will say, OK, select the header row, which I’m going to do here. And it’s going to say OK, we think the data starts here, which is correct, so we’ll go ‘Next.’ And then select the end row: perhaps you just want a few of them, so we’re going to select the end row here; click ‘Next’; and then it says OK, data formatting. How are we going to deal with it? And if you need to, you can expand this to get more on the screen, so you can see what we’re looking at here.

And then you basically tell XAMN what to do. Should it ignore this data, or should it treat it? And you can see here we’ve got various bits of information. What’s new in this release is that we can now import the call data tower name. So we can import the cell tower name; classify that; and perhaps we have first cell ID here, so we can import cell ID. So cell ID and cell tower name are two new categories that we can give to the data that we import, along with, you can see traditional ones here: latitude, longitude, perhaps also duration. And then you can mark the data and verify the format, as you see here. So that’s a great new feature in call data records: importing.

And last but not least, I’d like to show you a new feature with health data. I’m going to close this file down and open a new case with health data in the app. And you can see the improved feedback on file times and the faster opening times. Let’s open the health data here – so I’m just going to move this up. And here we’ve got some health data from Apple Health app. There’s various files along the way, and you can now view the heartbeat monitors in the feedback: here’s an example.

We’ve added a new feature so you can export this. A customer requested export as a csv file, so here we’ve got a heartbeat chart that we’d like to export. Click on the ‘Export as a CSV file’ shortcut and create a test file – call that ‘test2’. And I want to open that file… and we called that ‘test2’. And here’s all the data in the spreadsheet we just exported it to.

Quite simply you would select all the data – and if you’re a wizard in Excel you’ll know how to do this – and then you can insert a chart. Let’s insert a chart view. And there you can see the heartbeat data visually represented in Excel. Hopefully that looks vaguely like something that you saw in relation to this data format.

OK. So that’s a summary of all the recent new improvements that have been made in XAMN 4.4. Thank you for watching, and if you’d like any more information, please visit our website, www.msab.com.
