by Jade James
MSAB specialise in products and services solely for mobile device forensics. Their flagship product, XRY, has been used for many years by forensic examiners and investigators to extract data from handsets quickly and efficiently, and XAMN is the companion tool for analysing the data that XRY extracts.
XAMN aims to help investigators find critical evidence and gather it more effectively. It is provided as a product suite of four products that work together. XAMN Viewer is a free-to-download tool and acts as a simpler version of XAMN Spotlight, allowing filtering and searching through large quantities of data. XAMN Spotlight is the base-level tool for analysis and reporting, with powerful filtering capabilities.
XAMN Horizon adds four ways to visualise extracted data: Timeline view, Geographical view, Chat view and Connections view. Finally, XAMN Elements is an expert-level hex carving tool that lets the user reconstruct artifacts and investigate undecoded or fragmented data. The XAMN suite runs on Windows.
The latest version of XAMN has features which are very beneficial to investigations, such as an improved interface and speed of analysis. The new version also comes with Project VIC improvements; the ability to screenshot parts of the interface, which is useful when producing reports; and the ability to export health data to a spreadsheet.
When commencing an investigation, you may wish to analyse data that has been extracted using XRY, or you have the choice to import a binary file created using another forensics software; call data records received from network operators; or UFED files. Users of the Berla iVe kit can export case data as .XRY files, meaning that users can analyse vehicle data in XAMN as well.
From the main home screen, you can choose to work from a single .XRY file or a case. A case can contain multiple extractions from a multitude of devices: it is possible to have mobile phone extractions, drone data, apps and cloud data all in one case.
When you open a case, you are presented with the Case Contents page which shows the different exhibits in the case, and the artifacts which have been decoded. The number count for recovered deleted artifacts is shown in brackets.
Note from MSAB: Quick views are saved configurations of filter, view and sorting settings that allow the user to jump to a custom selection of artifacts displayed in a desired way. For example, a quick view could enable an investigator to click just once to immediately see all WhatsApp messages sent from a device within the last two weeks, displayed in the chat view and sorted chronologically. Another quick view could be used to immediately see all artifacts matching a continuously updated word list of drug-related slang terms. XAMN comes with a set of default quick views, and users can create any number of custom quick views that are useful in their investigations.
Different types of artifacts are colour-coded to make it easier to distinguish between them. The artifacts section of the screen also has multiple tabs: Overview, Exhibit Data, Summary, General Information, Device Overview, and a Log, which is a full technical audit trail of the extraction.
The List view presents all relevant information in an easy-to-read format. You can also switch to a Column view, which presents data in a spreadsheet-style layout. Double-clicking a column header sorts the artifacts by that column, and you can sort on several columns at once by holding down the ‘shift’ key while double-clicking.
The Column view is particularly good for looking at one specific data type, such as phone call records. The Gallery view shows picture and video artifacts as thumbnails.
The File Tree view shows you where in the file system artifacts are stored, and also shows other files stored in the same folder as the current artifact you are viewing.
The Timeline view is used to give the user an idea of when an event has taken place, such as when a message was sent. You can set a specific time and date range using the panel at the bottom of the screen to visualize the timeline.
The Geographical view plots artifacts that carry geo-data on a map. The Chat view displays an overview of all chat messages from the different apps. From this view, you can quickly export a conversation of interest to a PDF document, view attachments belonging to particular artifacts, and filter further to see the parent messages of those attachments and their associated data.
The Connections view gives a visual representation of the flow of communications, and it also lets you draw connections between different devices held in one case.
During the extraction XRY decodes the contents. This means that when a case is opened in XAMN, the data is already decoded and indexed, which saves a lot of time. It is very simple to examine all the artifacts within a case, or you can click on the individual exhibit of interest and focus your efforts there.
To view all the artifacts of the case, you can simply click on ‘All Artifacts’ in the Quick View panel, or you can click on a certain category within the Artifacts panel if you want to drill down straight away. The artifact category you select will be displayed as a new tab on the XAMN screen. In the user bar, it is possible to configure which Quick Views are viewable when XAMN is launched. You can switch between categories at any time by clicking on a different category in the panel on the left-hand side of the screen.
XAMN also lets the user select and view multiple categories at the same time, which is useful when you want to see comparable data together, such as calls and messages. If you then sort the calls and messages by time, you get a basic timeline of events.
When viewing data within a tab, the left-hand panel is where you decide what data you wish to view. One of the options is the text filter: as you type keywords, suggestions are populated dynamically from the contents of the case. Once you have entered your filter, you will see the number of artifacts that contain the text you are looking for. If you are unsure of the exact text, XAMN allows wildcards within the text filter, such as *ark if you were not sure whether you were looking for ‘bark’ or ‘mark’.
Other options include the ability to select a single or multiple category, tagged or untagged data, and data from certain time periods. The middle panel is where the user decides how to view the data, and the panel on the right will show you detailed information about a selected artifact, including metadata.
If you select ‘Geo-tagged artifacts’ from the Quick view panel, this will present you with a geographical view of artifacts with location data on a map. You can download offline maps if you are using XAMN on a standalone system. Click on an artifact to create a location filter, wherein you can set a radius which will show only artifacts within that area.
XAMN by default will only display certain filters when launched (Category, Apps, Text and Time). You can add more filters by clicking the plus sign on the Filters pane and selecting them from the list. When you select a specific filter, it will then appear in the Filters pane underneath the list of default filters.
The Apps filter is very useful in investigations, as it will give you a list of all communication and social media apps that have been used within the case. By selecting an individual app and changing the view to Chat, you can see chat threads which could be relevant to the investigation. This view is helpful if you have group chats in which you are trying to identify each participant and match them to their messages.
Another very useful default is the Time Filter, which allows the user to filter the artifacts from the last 24 hours, week, month, or year. You can also set a custom time frame. This can be useful if you suspect that a conversation has taken place but are not sure which app was used to send and receive messages: you could set the time filter to cover the relevant time frame and view all communications within that range.
The Recognized Content filter has predefined classifications of pictures and videos. In order to use this filter, you would need to adjust your XRY extraction to include image recognition decoding. The current classifications are: weapons, drugs, vehicles, financial, people, and electronics; more will be added in the future.
Once your items have been filtered, you can switch to the ‘Gallery’ view to see them better. You can also preview any video by hovering your cursor over its thumbnail or clicking on the clip. Bear in mind that all pictures and videos are classified using machine learning, which can produce false positives (and will also miss some relevant material), so the classification should be used to prioritise review rather than to replace it.
The Word List filter allows you to add a previously created file containing a word list to XAMN, or to create a custom word list within the tool itself. Simply type in the words you want to include, and then click ‘Add’ in the prompt box. There are extensive sample word lists available on the MSAB forum, but you will need access to the Customer Portal to access them.
XAMN has a feature similar in purpose to PhotoDNA: if the most current version of XRY was used for the extraction, a difference hash (dHash) is computed for images. This lets you find visually similar images and create a filter that displays all the matches in one view. It is useful when an image of interest has had a filter applied or been altered in some way, so that its cryptographic hash value (MD5/SHA) no longer matches the original even though the picture looks the same. Because dHash measures visual similarity rather than identity, matches should still be confirmed by eye.
When using XAMN, you can exclude known data, such as operating-system files, from view. You can also include known data if you wish, or show only known data. The known data sets are based on NIST’s National Software Reference Library (NSRL) hash sets and on MSAB’s own reference data set, which is downloadable from the customer portal.
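To show what the dHash comparison above actually does, here is an added example (not MSAB’s code; XAMN’s implementation is not public). It works on grayscale images represented as plain lists of pixel rows so that it runs without an imaging library; the three test images, the 9×8 hash size and the similarity threshold are all constructed assumptions for the demonstration. The point it makes is the one in the text: a brightened copy gets a different SHA-256 but an identical dHash, while a mirror image is maximally distant, so a perceptual match still has to be confirmed visually.

```python
"""Difference hash (dHash) for near-duplicate image matching.

Added example, not MSAB's code. Images are grayscale pixel grids
(lists of rows of 0-255 ints); a real pipeline decodes the picture first.
"""
import hashlib

HASH_W, HASH_H = 9, 8  # 9 columns give 8 left/right comparisons per row -> 64 bits


def _downscale(img, new_w, new_h):
    """Box-average downscale; each output pixel is the mean of its source block."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(new_h):
        y0, y1 = y * h // new_h, max((y + 1) * h // new_h, y * h // new_h + 1)
        row = []
        for x in range(new_w):
            x0, x1 = x * w // new_w, max((x + 1) * w // new_w, x * w // new_w + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(img):
    """64-bit dHash as an int: a bit is set when a pixel is darker than its right neighbour."""
    small = _downscale(img, HASH_W, HASH_H)
    bits = 0
    for y in range(HASH_H):
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if small[y][x] < small[y][x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (0 = identical, 64 = opposite)."""
    return bin(a ^ b).count("1")


def is_similar(img_a, img_b, threshold=10):
    """Perceptual match. The threshold is a tuning assumption, not XAMN's value."""
    return hamming(dhash(img_a), dhash(img_b)) <= threshold


def sha256_of(img):
    """Cryptographic hash of the raw pixels, for contrast with the perceptual hash."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


# Constructed test images (not real evidence): a 64x64 horizontal gradient,
# a brightened copy (a "filter applied"), and a left/right mirror image.
def make_gradient(w=64, h=64, scale=3, offset=0):
    return [[min(255, x * scale + offset) for x in range(w)] for _ in range(h)]


ORIGINAL = make_gradient()
BRIGHTENED = make_gradient(offset=40)
MIRRORED = [row[::-1] for row in ORIGINAL]


if __name__ == "__main__":
    print("SHA-256 differs:", sha256_of(ORIGINAL) != sha256_of(BRIGHTENED))
    print("dHash distance original/brightened:", hamming(dhash(ORIGINAL), dhash(BRIGHTENED)))
    print("dHash distance original/mirrored:", hamming(dhash(ORIGINAL), dhash(MIRRORED)))
```

The mirror case is deliberate: dHash compares each pixel with its right-hand neighbour, so a horizontal flip inverts every bit. A reviewer relying on a similarity filter should know which edits it is blind to (flips, heavy crops) as well as which it tolerates (brightness, compression, small scaling).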
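The three known-data modes described above (exclude, include, only) come down to a hash lookup against a reference set. The following is an added example, not MSAB’s code: the reference set is a constructed stand-in whose column layout copies the legacy NSRL `NSRLFile.txt` text format (an assumption about the layout; the real RDS is downloaded from NIST, not hashed from the exhibit as done here for self-containment), and the exhibit files are constructed byte strings. Each decision is returned with the digest it was based on so that an exclusion remains auditable.

```python
"""Known-file filtering against an NSRL-style reference hash set.

Added example, not MSAB's code. Reference rows and exhibit files are
constructed; the SHA-1 column is what the lookup keys on.
"""
import csv
import hashlib
import io

# Constructed exhibit: path -> content, standing in for files from an extraction.
EXHIBIT = {
    "/system/framework/framework.jar": b"PK\x03\x04 constructed framework.jar",
    "/system/lib64/libc.so": b"\x7fELF constructed bionic libc",
    "/sdcard/DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0 constructed user photo",
    "/data/data/com.whatsapp/databases/msgstore.db": b"SQLite format 3\x00 constructed chat db",
}
SYSTEM_PATHS = ["/system/framework/framework.jar", "/system/lib64/libc.so"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def build_reference_csv(known_paths):
    """Constructed reference set in the legacy RDS column layout (assumed layout).
    MD5/CRC32 columns are placeholders; only SHA-1 is used for matching here."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
                "ProductCode", "OpSystemCode", "SpecialCode"])
    for p in known_paths:
        data = EXHIBIT[p]
        w.writerow([sha1_hex(data), "0" * 32, "00000000",
                    p.rsplit("/", 1)[1], len(data), "1", "362", ""])
    return buf.getvalue()


def load_reference(text):
    """Return the set of SHA-1 values from an RDS-style CSV."""
    return {row["SHA-1"].upper() for row in csv.DictReader(io.StringIO(text))}


def filter_known(files, known, mode="exclude"):
    """mode: 'exclude' hides known files, 'only' keeps just them, 'include' keeps all.
    Returns (path, sha1, is_known) tuples so the decision stays auditable."""
    if mode not in {"exclude", "only", "include"}:
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for path, data in files.items():
        digest = sha1_hex(data)
        is_known = digest in known
        if mode == "exclude" and is_known:
            continue
        if mode == "only" and not is_known:
            continue
        out.append((path, digest, is_known))
    return out


KNOWN = load_reference(build_reference_csv(SYSTEM_PATHS))


if __name__ == "__main__":
    for mode in ("exclude", "only", "include"):
        print(mode, [p for p, _, _ in filter_known(EXHIBIT, KNOWN, mode)])
```

Exclusion only hides items; nothing is deleted, and the digest recorded with each row lets you show later exactly why a file was set aside. A file that is known to NSRL is not automatically irrelevant (a stock system binary can still be the one the suspect used), which is why the ‘only known’ mode exists alongside ‘exclude’.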
Within XAMN you have the ability to tag files of interest and assign different colours to distinguish between them. It is also possible to add multiple tags to one file. These tags can then be used as filters in the Filter view.
The default tags are ‘important’ and ‘unimportant’, but you can define your own as well. When filtering with tags, you can exclude the files carrying a certain tag by clicking the three dots next to the Tags header in the left-hand panel and choosing to exclude them.
Any filter with three dots next to it lets you exclude data from your working set in the same way, which is another useful way of reducing the number of files you have to process. Excluding data does not remove it from the case; it is only hidden, and it can easily be brought back into view.
Note from MSAB: Another powerful way to find crucial evidence is to work from the inside out. XAMN enables the user to build their investigation from one specific artifact and pivot their search around it. For example, the user can select a single text message, and then create a time filter based on the time stamp of the message to immediately investigate other messages and artifacts from the hours before and after the original text message was generated on the device.
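The preset time ranges mentioned earlier (last 24 hours, week, month, year) and the ‘inside out’ pivot in the note above are both window filters over artifact timestamps. Here is an added example of both, not MSAB’s or XAMN’s code, over a handful of constructed artifacts. It assumes timestamps are stored as ISO 8601 strings with an explicit UTC offset, and it refuses timestamps without one, because mixing naive local times with zoned ones silently misorders a timeline; one constructed WhatsApp message is stored with a +01:00 offset to show that the comparison is done in UTC.

```python
"""Time-window filters: preset ranges and pivoting around one artifact.

Added example, not MSAB's code. Artifacts are constructed records.
"""
from datetime import datetime, timedelta, timezone

ARTIFACTS = [
    {"id": "a1", "app": "SMS",      "ts": "2023-03-10T20:00:00+00:00", "text": "where are you"},
    {"id": "a2", "app": "WhatsApp", "ts": "2023-03-10T21:30:00+01:00", "text": "on my way"},  # 20:30 UTC
    {"id": "a3", "app": "Call",     "ts": "2023-03-10T23:45:00+00:00", "text": "outgoing 00:03:12"},
    {"id": "a4", "app": "Signal",   "ts": "2023-03-10T18:15:00+00:00", "text": "bring it tonight"},
    {"id": "a5", "app": "Email",    "ts": "2023-03-03T12:00:00+00:00", "text": "invoice attached"},
]


def utc(year, month, day, hour=0, minute=0):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse an ISO 8601 timestamp and normalise it to UTC; reject naive values."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"timestamp without UTC offset: {s}")
    return dt.astimezone(timezone.utc)


def in_window(artifacts, start, end):
    """Artifacts with start <= ts <= end, in chronological order."""
    hits = [a for a in artifacts if start <= parse_ts(a["ts"]) <= end]
    return sorted(hits, key=lambda a: parse_ts(a["ts"]))


def last(artifacts, now, **delta):
    """Preset-style range, e.g. last(artifacts, now, hours=24) or last(..., days=7)."""
    return in_window(artifacts, now - timedelta(**delta), now)


def pivot(artifacts, anchor_id, hours=2):
    """Everything within +/- hours of the anchor artifact, anchor itself excluded."""
    anchor = next(a for a in artifacts if a["id"] == anchor_id)
    t = parse_ts(anchor["ts"])
    window = in_window(artifacts, t - timedelta(hours=hours), t + timedelta(hours=hours))
    return [a for a in window if a["id"] != anchor_id]


if __name__ == "__main__":
    for a in pivot(ARTIFACTS, "a1"):
        print(a["id"], parse_ts(a["ts"]).isoformat(), a["app"], a["text"])
```

Pivoting on the SMS `a1` returns the Signal message and the WhatsApp message (whose local +01:00 time would have placed it an hour later had the offset been dropped) but not the call three and three-quarter hours later. `now` is passed in explicitly rather than read from the clock so that a ‘last 24 hours’ filter applied during a re-examination reproduces the original result.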
If you need to verify the origin of the data you have analysed, you can examine it in ‘Source mode’ or in ‘XAMN Elements’. Source mode lets you see the decoded data alongside the physical layer, that is, exactly where the data sits within a particular database. The Translation table also shows the offset of the data, and the property details show its size, format and encoding. Source mode also includes a basic hex viewer.
XAMN Elements is an expert tool for mobile phone data analysis and reconstruction. It is more comprehensive than viewing data in Source mode and can be used to decode data manually if you know how. In addition to the information shown in Source mode, it displays the logical folder structure, and its hex viewer adds an address column and an ASCII pane. When manually decoding data, you can add bookmarks within the hex itself.
To create a report, simply click the ‘Report/Export’ button at the top of XAMN and you will have the option to add all, filtered or selected artifacts. There are various output formats for you to choose from: extended XML, Word, PDF, Excel, HTML, Google Earth, Binary file, GPX, VICS, OpenDocument text, OpenDocument Spreadsheet and Dictionary. You can then choose the layout of the report and decide whether to include metadata and other content.
Dictionary reports can be fed into third-party password-cracking tools to run dictionary-based attacks with words taken from the device itself. Creating an Extended XML output is a brilliant feature, as you can then process this output further in Nuix and IBM i2.
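To make concrete what a case-derived dictionary is for, here is an added example, not MSAB’s code and not the format of XAMN’s own Dictionary export (which the review does not document): it builds a candidate word list from constructed artifacts (a contact, a text message, an account name and a note), deduplicates it, and applies a few simple mangling rules (case variants, years seen in the case, a trailing ‘!’) of the kind a cracker would otherwise be configured to apply. The minimum token length and the mangling rules are assumptions chosen for the demonstration.

```python
"""Case-derived password dictionary.

Added example, not MSAB's code. Artifacts below are constructed; the
output is a plain word list suitable for a dictionary attack tool.
"""
import re

ARTIFACTS = [
    {"type": "contact", "text": "Fluffy Bunnykins", "ts": "2023-03-10T20:00:00+00:00"},
    {"type": "sms", "text": "Meet at the usual place, bring the parcel. Fluffy says hi",
     "ts": "2023-03-10T20:05:00+00:00"},
    {"type": "account", "text": "j.doe1987@example.com", "ts": "2022-11-02T09:12:00+00:00"},
    {"type": "note", "text": "wifi: Bluebird-Guest pw? ask Fluffy", "ts": "2022-11-02T09:12:00+00:00"},
]

# Runs of letters/digits, optionally joined by . _ - so handles and hostnames survive whole.
TOKEN = re.compile(r"[A-Za-z0-9]+(?:[._-][A-Za-z0-9]+)*")


def base_words(artifacts, min_len=4):
    """Unique tokens in first-seen order; joined tokens also contribute their parts."""
    seen = {}
    for a in artifacts:
        for tok in TOKEN.findall(a["text"]):
            for cand in [tok, *re.split(r"[._-]", tok)]:
                if len(cand) >= min_len and cand.lower() not in seen:
                    seen[cand.lower()] = cand
    return list(seen.values())


def case_years(artifacts):
    """Years that appear in artifact timestamps, a cheap source of numeric suffixes."""
    return sorted({a["ts"][:4] for a in artifacts if "ts" in a})


def mangle(word, years):
    """Case variants plus year and '!' suffixes on the lower/capitalised forms."""
    forms = [word.lower(), word.capitalize(), word.upper()]
    out = list(forms)
    for f in forms[:2]:
        out.extend(f + y for y in years)
        out.append(f + "!")
    return out


def build_wordlist(artifacts, min_len=4):
    """Deduplicated candidate list, base words in first-seen order."""
    years = case_years(artifacts)
    wordlist, seen = [], set()
    for w in base_words(artifacts, min_len):
        for cand in mangle(w, years):
            if cand not in seen:
                seen.add(cand)
                wordlist.append(cand)
    return wordlist


if __name__ == "__main__":
    print("\n".join(build_wordlist(ARTIFACTS)))
```

The list deliberately keeps handles and domains intact (`j.doe1987`, `example.com`) as well as their parts, because people reuse both. A real run would draw on every text-bearing artifact in the case, and the resulting file should be handled as sensitive material in its own right, since it is a distilled summary of the device owner’s vocabulary and contacts.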
XAMN is a very effective and easy to use tool, which has a lot of functionality. It is extremely useful to be able to filter through large quantities of data in such a precise way. The different views available make it easy for the user to visualise the data and make informed decisions during analysis. This tool requires minimal training and can be used by investigators of all levels.
About The Reviewer
Jade James BSc (Hons) is currently a Cyber Security and Forensics Postgraduate Student. She has previous professional digital forensic experience from working at the UK’s Serious Fraud Office, IntaForensics, the Home Office Centre for Applied Science and Technology, and the City of London Police. Jade has gained experience from conducting computer and mobile device examinations as well as drone forensics, and has been involved with ISO 17025 and Quality Standards both as a Digital Forensic Practitioner and Quality Manager.