Uncover Evidence With XAMN, the Best Digital Forensic Analysis Solution

James Eichbaum: Good morning, everyone. Or maybe evening, depending on where you are, or afternoon. Welcome to the MSAB webinar on XAMN. I just want to make sure that everyone can hear me okay. Alan, can you hear me?

Alan Platt: Yep, I can hear you, James.

James: I can hear you, Right, folks, it looks like we’re, yeah, we’ve got quite a following here for the show. So let’s dive right in. Today, our presentation’s going to be brought to you by me, James Eichbaum MSAB Training Manager; and Alan Platt, MSAB Professional Services.

All right, just a little bit about me. I’ve been the Training Manager for the past five years with MSAB, but I’ve been with MSAB for over 11 and a half years. Prior to that, I was a police officer in California, 17 years total experience starting off as a reserve, working for free, enjoying it so much that I decided well, I might as well get paid for it, as well.

So I became a full-time police officer in 1995 with Modesto Police. I did patrol, I moved on into detectives when, let’s see, around 2000; 2001, assigned to economic crime and fraud; and then within a year moved into high-tech crime, joined to a task force in Sacramento, the High-Tech Crimes Task Force; and then I had lateraled over to the Stanislaus County Sheriff’s Office in 2007 and I spent four years with them, one year on patrol, and then three years as a detective assigned to high-tech crimes.


Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

And then I was also assigned to the same task force, but then also was assigned as a task force officer or TFO with the FBI Cyber Crime Task Force up in Sacramento. I was dealing mostly with child exploitation.

My degrees are Computer Science, Public Health & Safety, and then I have my Bachelor’s in Information System Security. In 2011, I was fortunate to receive the Case of the Year Award for a case I investigated out of Palo Alto, California; a murder and arson of a female real estate agent, just for the forensics on their mobile phones, recovering a bunch of deleted messages on an old iPhone 3GS.

And I had obtained my EnCE back in 2010, so it was quite a long time ago. I was used to using EnCase, so I played with FTK, I didn’t dabble so much with X-Ways. And then of course, I used the gambit of mobile forensic tools. But that’s a little bit about me, but I’m going to let Alan introduce himself, then.

Alan: Yep. Good morning. I’m Alan Platt. I work with MSAB within the Professional Services department as a consultant.

I’ve only worked with MSAB since March of this year. Prior to that, I was a police officer for 24 years. I started my career in the British Transport Police in 1998 and transferred over to the Met Police in 2007. In 2010, I moved on to the Specialist Operations within MPS. And in 2014, I joined a very busy small digital forensics unit within that area.

The last two years of my time within the police, much of it was spent working with XAMN and XRY, but predominantly XAMN. I wrote and developed and presented a course on XAMN, basically aimed at investigators and trying to encourage people to have a better understanding of their own forensics and also how to use XAMN.

And so that went out all across my area, and it’s now going out nationally, and it’s had a massive impact on getting data, understanding the data, finding good data, and a big impact on how the digital forensics are investigated.

I live in Buckinghamshire in England, married, two grown-up children, and no degree, sadly, unlike James. But yeah, that’s me.

James: Okay, thanks, Alan. Okay, so today we plan on giving you, I mean, this is a very short webinar, 90 minutes. There’s so much to cover on XAMN. It’s just crazy to think that we can do everything or show you all the cool features in just that short amount of time.

Heck, our training is even just two full days of XAMN, and that doesn’t even get into the elements part. So, we’re going to try to show you some cool things, some features, maybe some of you have been using XAMN, you may not even know that they exist.

But we want to just provide you some cool things to see, and kind of like maybe whet your appetite for more. So, we’ll be going over some of the basics of XAMN.

In the introduction to it, Alan’s going to go over creating a case and importing some files, maybe talk about that, some quick views. We’ll also go into filtering, showing you some of the different filters, there are so many to show you, but we’re going to show off a few. Talking about persons and timelines and different ways you can view the artifacts in XAMN.

At the end, Alan’s going to go over some creating reports, showing you the report builder. You’ll check out the audit log, and then we’ll also cover some advanced features, that, you know, most likely you’re not even aware of, that are little hidden gems sprinkled throughout XAMN that you can walk away with.

So, there are two versions of XAMN now. There’s our XAMN Viewer, which is the free tool. And that’s when you’re doing your forensic analysis, putting together your reports. Maybe you want to send off an XRY file that you’ve created a subset of with just the things you’ve identified and tagged that’s important, things that are relevant to the case, and you give it to the prosecutor, or maybe in discovery or some civil case, or somebody else that needs just to view that extraction.

The XAMN Viewer’s for them. And that is a free tool they can download for free from our website, or you can provide it to them with the extraction and they can view the data. They have a limited, you know, amount of features within XAMN Viewer, which we’ll take a look at next.

And then there’s the Pro version, which has the full suite of features in XAMN (and please let me know, it’s got a little popup that I may be experiencing degraded audio, so hopefully that’s not the case for you, and you can still hear me okay).

But yeah, this is a paid version and it unlocks all features of XAMN. Talking about those different features coming in here with the Viewer you can only view XRY files, but with the Pro version, not only can you view XRY files, encrypted XRY files, but you can also import in GrayKey extractions, Cellebrite, you can also bring in other data types such as warrant returns or CDRs that you get from cell phone carriers.

Discovery and analysis. Yeah, with Viewer, again, you get the basic views, you get some basic viewers, but with the Pro version, you’re going to have a whole slew of extra filters to be able to make use of.  

And then on top of that, you have the power of being able to create persons and link them together. You have the database mapper, which I’ll show you later. And you have access to this very powerful Hex carver built in.

For reporting, the Viewer does allow you to export information to PDF and XLS and documents and yeah, you can create subsets, but with the Pro version, not only can you do that, but you have the Report Builder, which is this new fantastic tool that our developers have most recently placed into XAMN.

That allows you to instead of, you know, at the same time creating a report in say Word or something with that you’re used to with your organization, you can create your report completely within XAMN and have it saved as a PDF.

And then we have extra exporters as well, including Extended XML. And then also with feature comparison here, we have the ability to manage XAMN with XEC with the Pro version, but not with the Viewer version.

But if you are looking for more information we wish that you would get ahold of our website, reach out, and yeah, and let’s get on with the program and show you some cool stuff. So I’m going to hand this back over to Alan.

Alan: Okay. Can you see my screen right and hear me okay?

James: Yes.

Alan: Okay, good. Okay. So, I’m an investigator and the extractions have been done for me. I’m investigating, say for instance, three subjects, and I’ve got five extractions.

So the main subject is Monterey Jack with an iPhone. Extractions that have been done on, say, for instance, a kiosk. I’ve got two subjects, both with Android phones. I’ve got a logical extraction, which has been done by a business as usual, so for instance, a kiosk. And I’ve also got a chat downgrade extraction for each of the Android phones, which have been done for, say, a lab like where I used to work.

So, what I’m going to do is, so first of all, this is the extraction that you’re going to get. So if I was opening up the extraction, Monterey Jack, the iPhone-only extraction, I’m opening it up into XAMN. At the moment I’m in spotlight view for instance, so I haven’t created a case.

So where I used to work, we used to have lots of investigators who wouldn’t necessarily create a case within XAMN because the extraction has been done on XRY on a kiosk, and it hasn’t created a case. When I did it within XRY Office, I would create a case, but they, for instance, wouldn’t have a case.

So, what we want to try and do, and what James and I want to get across today is how it’s really important, or we think you should get into the habit of creating a case for every extraction that you open, even if you only have one subject.

So for instance, this one, as you saw, I have five extractions, but I want to look at all of those five extractions within one case because they’re all linked.

For instance, they might be involved in, say, robbery, and I want to know whether maybe those three subjects, were they communicating with each other around the time of the offense? You know, was there shared location data? Are they discussing the offense? So I want to put them all into one case and view it all as a case.

At the moment, if I go this extraction, I haven’t yet made a case. So if I go into view with artifacts, then yeah, sure I can view the extraction, but there’s data that I’m not going to get.

For instance, if I go to, James will go for these a little bit later, but if I go into connection view, then I haven’t got this available because I haven’t got a case. Also chat view, if I go to chat view, again, there are things that I can’t see because I haven’t created a case. And participants is another big one, which we’ll get to later.

So, how to make a case, very easy. You either go up to the top, create a new case, fill in the details, browse to where you want to save the case, or you can just simply click on ‘open as a case’.

And I’ve saved a particular location. So where I’ve saved my case to or where I want it to be saved to is this location here. So if you have saved 10, 15, 20 extractions you want to put into a case, then you could just put all your extractions into one particular folder and then point the location, save a location to that folder. And I could also create a password, as well.

So this is now how it’s changed to the new case view if you like. So it’s gone from the view you just had to this view.  And as you can see here, it says five files have appeared in the case folder, including all.

Now, if I go to data sources, I can just click on each one individually and I can activate it like that, or I’m happy that I know that the five that I’ve selected into that case folder or that want to be into the case folder, I’m happy that they are all part of my case, so I’ve included them all. But you obviously want to double check to make sure that you are included in the cases that you want.

So, select sources. You can see here they’re all ticked. So these are all the extractions I’m looking at. And now data sources, when I click into them, you can see it says deactivate.

So, for instance, if I didn’t want Monterey Jack, so I didn’t want him activated, so I actually did it by mistake, I could just simply deactivate. If I now go to the overview screen, these three little dots just here, next to case info, more options, click onto that, you have the view case log, and you’ll see this is the log of me creating this case, and you can see that I’ve deactivated it.

But I do want Jack involved in the case because he’s the main man. So I’m going to activate him, back into overview, case log, view the case log, and you should see that it’s now activated.

Okay, so on this screen here, you have your quick views, which I will explain more by doing it actually to run the quick views. See how that works. You have the categories within the extractions, and then you have the apps that have been decoded.

And then when you go to data sources, you have exactly the same thing. You have the categories, you have the general information for each and every device, you have the general information of the handsets, so that make, model, the time, et cetera, stuff like that.

And further down you have the summary of the extractions, the data that is in the extraction. What you also have is you have a person screen. So persons are basically made up of names, email addresses, phone numbers, messaging up IDs.

So for instance, for me if I’m thinking to myself, I’ve got WhatsApp, I’m on Twitter, I have other messaging apps. So if you’ve extracted my phone, then for me, you’re going to have not just obviously my contact, you’re going to have all of those different contacts or personal accounts for me, and you want to lump them all together.

So we think of Monterey Jack. So if you start typing the name, then you have all of these persons. Now, I’ve done my research, I’m a good investigator and I’m happy that the phone numbers are the same. The email address is all the same for all of these.

So what I want to do, I want to include them, which you have to do individually. So you just click on, this is Monterey Jack, and before I do that, I might want to edit the name. So I’m going to call in Monty Jack, I want to save that. I can also edit the picture if I wanted to, but at the moment I’m happy.

Yep. This is Monty Jack. So I’m literally just going to include them more. And you’ll see on the left-hand side, that the list is getting shorter as I do this.  And then the data at the top for Monty Jack is giving more and more because it’s now lumping all this in together.

Now, I’ve got two more. This one here, I want to join with a person. I want to join it with Monty Jack. Yep. Keep Monty Jack. And I want to join, see if I go back to Monty Jack, join with a person, join with him. Keep Monty Jack.

Okay, so now I’ve got Monty Jack, I’ve got all of these names, phone numbers, email addresses, I’ve got all the different accounts that they’re involved in. I can, if I wanted to just click on show artifacts where the identities from what Monty Jack live, I’m not going to do that just yet, but I also might want to edit the picture.

So I’ve got, if I type in Jack, I’ve saved, you might have for instance, custody imaging, something like that, or a stock file of your subject, and then you can include them in. So, I won’t do it now, but what I’ll do while James is going into his bit, I’ll pass over to James in a minute, but I’ll do exactly the same thing for the other two subjects.

Now, the other thing I want to do for Monty Jack, is I want to make them, as you can see here, first of all, you’ve got five names associated, three phone numbers, two email addresses, six accounts, one XRY file. But over here on the left hand side, I want to mark the person of interest.

So, and you’ll understand where that fits in when I look at participants as a filter a bit later on. And what I’m going to do in a minute, is basically do exactly the same thing for the other two subjects of interest. So eventually when I click on ‘list only subjects of interest’, I’ll have three.

But going back to overview, just before I pass over to James, what I’m going to do is I’m going to open up the extraction. Now, I can open it in a number of ways, but what I want to do for the time being is go into all artifacts.

So this one just here; quick views, all artifacts. So this will open all of the extractions altogether. And here, artifacts, you have 36,499. So artifacts is a terminology for data. So you’ve got that much data within all of the extractions.

So before I hand over to James, if I just go up to options at the top, I just want to show you a couple of things we’re going into here.

There’s geographic, I just want to show you that I’ve changed this so that when I go to, or if ever I’m investigating in XAMN on these particular subjects, I’ve added on decimal degrees. So for my coordinates, you can, if you want to add on offline maps, if I think you have to purchase your offline maps for that.

And also what I want to do is just show you the audit log, which is a really new feature that we’ve got in for XAMN. It’s the first, the early stages of it. It is disabled, so it’ll always be disabled unless you change it. And later on I’ll show the audit log of how we progress through this case. And it basically shows you all of the artifacts that you look at, everything you do.

So, if I want to have full disclosure of everything that I’ve done, I’ve got, a particularly, I don’t know, sensitive investigation, and I’m an investigator and I want to show what I’ve done, the hard work that I’ve put in spending hours and hours investigating in this particular offense, then the audit log will show me, and it can be disclosed and show you exactly what you’ve done.

So, I think I shall hand back over to James. All right, all yours, James.

James: Okay. So, as Alan showed you, he opened up everything in all artifacts. That’s one of the quick views from the main case tab. This is a subset of my own phone.

So, I decided to use this to trim things down. Also, you never know, you might get surprised that something might pop up on your own phone that you don’t want the world to see. So, yeah, I’ve kind of, you know, trimmed it down a bit.

But I want to go over these different views that we can see in this all artifacts tab. Starting with the left hand side, Alan already mentioned that, yeah, this interview here, we can see that in this particular subset of my extraction, there are over 53,000 artifacts or items of those could be databases and pictures and videos and all kinds of things.

But on the left-hand side, we see that we have different ways to view the data, and some filters that are already built into XAMN. One of those filters is the text filter; another one is the categories filter, where right now it’s filtering on everything; below that is the apps filter, which, you know, these are the apps that are in this extraction, this subset.

And if I wanted to view just Apple Messages, I could click on Apple Messages and those would be displayed. And then below that are the tags. And a lot of tags are here that I’ve created. The tags that come with a standard installation are just going to be important and unimportant, that you can use to identify your artifacts.

I do want to show you, though, that those are not just the only filters. We have a whole litany of filters that will pop up if you hit the little ‘plus’ icon. To add a new filter, we’ve separated out where you can see of them at once and just scroll through and pick the filter you’re interested in or you can search for it.

But what I’m going to focus on today are the filters in the pictures group. Alan’s going to touch on similar pictures. I’m going to show a little bit about Project VIC, but first I’m going to jump right into recognized content.

Now, the recognized content, I’m just going to click okay here and get that filter opened up. Let’s sit here for a minute. So, over here on the left hand side, taking a look at the different recognized content that popped up, we can see different categories like weapons and drugs and vehicles.

Now, by default (and I’m sorry, Alan, I’m going to grab this right now and just mention it), in XRY and the process options just for this, and then Alan will cover the rest of these things, and give you some examples.

But in XRY, there are some things that are off by default for decoding, and process options. And one of those things is content recognition. By default, this is not going to be checkboxed.

So when you do an extraction of your phone, and you go through the decoding process, and then later when you open it up in XAMN and you go to apply the content recognition filter, there’ll be nothing there because it wasn’t tickboxed at the time of the extraction, the decoding.

You can always re-decode the phone later or the extraction later and include content recognition if it was time you were interested in saving at the time of the extraction, and then you had all the time in the world later to do your re-decoding.

But I want to give you guys just an example here, you know, make sure you have the latest CUDA drivers installed when using an NVIDIA graphics card. If you don’t have an NVIDIA graphics card and you run content recognition, it’s going to take a considerable amount of time to go through all those images because your CPU is doing all the work.

But if you have an NVIDIA graphics card, with CUDA cores, we can offload that to the GPU which will then take on that responsibility, and it will significantly improve the decoding time.

And to give you an example, my iPhone, 64 gigs, extraction time, beginning to end, most of it was for the decoding of the content recognition, was 13 hours. But with the NVIDIA CUDA drivers going, that dropped down to total with the decoding to just over two hours. So, significant performance increase, if you’re interested in content recognition.

But getting back to this, the list view isn’t quite the best view if we want to look at pictures. So first off, I’m going to go look at all of my images. So in the categories filter, I’m going to go to expand files & media, and then I’m going to filter on pictures. This is the list view, the default view in XAMN.

Again, not the best for viewing images. So I’m going to switch from list view to something a little bit more friendly, and that’s going to be the gallery view. And once we’re in the gallery view, I can change the size of my thumbnails, just defaulting to medium.

And I can also sort by say, size for instance, and bring the larger images to the top, the smaller ones will be at the bottom. Let’s take a look at some of this content, this recognized content. One of those being weapons, for instance.

Select weapons, all right, sometimes there’ll be some false positives, you know? Got a picture of this guy here holding a gun from a toy, and I think we have a picture of somebody wielding a lightsaber. So those are obviously not real, but those are false positives, but sometimes that’ll happen.

Scrolling on down further, we can see some more images. Say, if I just selected one of these guys, the right-hand pane is the details pane. So if whatever I select in the middle in this artifact pane, the details for that artifact will be displayed in the right hand details pane.

In this case, any metadata that shows up with this particular photo or XF data. Here, if I scroll down in the right hand pane, this image also has some GPS location data attached to it, and it pops up an address, as well.

And at the very bottom, I have a map that’s displayed, a built-in map. I can, if I wanted to, I could click the ellipsis here, the three dots, and I can display this in Google Maps for instance. So I could click “Open Google Maps” and it’ll plot it here so I can see where that image was taken.

Alternatively, if I wanted to see all of these images, where were they taken? I can switch from gallery view and I can go to geographic view and I can get a map of where everything was.

And so I can see there’s a bunch of pictures that were over here in California in the US, I could zoom in and get a little more granular. There’s some over in Sweden. There’s some further south in California. And then there’s one all by itself here in Mississippi.

And if I hover, I can see and click it, and it’s a picture of one of our tech sales engineers wielding a sword. So yeah, a weapon. Will, and Will did one of these web webinars last week.

And let’s move on to another, let’s go back to the gallery view and move on to another category, say, vehicles. And here we have some vehicles. Yep, maybe they think that’s a seat inside of a car, but that’s just a movie theater, obviously. Not a real car, but something in the museum. Parts of a car.

So interesting how it’s picking up different things. Oh wow, we even have the Millennium Falcon, of course that is a fictional vehicle. But then we have me sitting in a DeLorean, yeah?

And, also wanted to point out that, you know, we have the little tiny picture here, but you don’t have to just rely on this little small picture. There are different things we can do to view images and make life a little easier for us.

If we want to see many more of these images on the screen, we have a couple options. We can expand our artifact view by taking the panes on the right and left and minimizing them. So we have a little bit more real estate to work with.

In this case, we’re looking at vehicles, you can also rename these tabs. So in this case, I could rename this to vehicles if I wanted to. And also if I wanted to, I could take this and rip this tab out, and then if I had another monitor, I could take it and put it on another monitor all on its own. And I could continue working with XAMN with some other tabs. But I’m going to redoc this.

Another nice little bit is using our built-in picture viewer. You can either double-click one of these images, it’ll open up the picture viewer, or on the right-hand side in our small picture viewer there is a little icon down on the bottom right that’ll allow you to pop it open, as well.

And you can rotate the images if they’re not in the right perspective for you. And of course, you can go full screen. Another thing you could do is have this window on another monitor, and then click this little thumbtack in the bottom left. And then while you’re scrolling over here, just click an image and you can use your arrow button on your keyboard. And you can go through and look at all the images one by one.

And I’ll close that. Right, let me pop this back open. Let’s get back to that DeLorean. I don’t know if you can see this, I have a little magnifying tool here, but there’s this little rectangle around my face.

And then down here there’s a little option with a little red circle around a person. That’s showing that that face has been identified and it’s been identified as James Eichbaum by my iOS, my phone.

And those of you that have iPhones are probably aware, or maybe you’re not that you can search for people in your phone and you can identify people in your phone, give them names, and then match unknown to names so that you can search for your kids, your family members, your friends, and just see all the pictures of them.

Well, that carries over into XAMN because we’ll grab that data. Here in this case, I could take the little square away, I could put it back. But if I scroll on down here just a little bit, you’ll see ‘identify person: James Eichbaum’.

And if I click this hyperlink, it’ll give information about that person that Alan was just talking about and how we can map other things to that person. But here are all the photos that have been identified as that person, James Eichbaum.

Maybe this isn’t the best way to view all of this stuff. So we could come over here and right click and do what we call a pivot filter. We can create a filter in a new tab, and then we get this new tab that pops up that says James Eichbaum.

And then I can choose to view that in geographic, or I can choose to view it in gallery, and I can just see all the images. And it’s interesting to see how some of these came about. Cause here’s just a picture of me on an ID card. That’s my retirement card.

And then, this is funny, there’s that little app you could put on your phone, like, the deepfake your face onto actors and such. So even here where I’ve placed my face on Tom Cruise’s face, it recognized it as James Eichbaum. Quite interesting how that worked out.

But, let’s see, was there anything else I wanted to do before I hand it off to, oh yeah, Project VIC. So, one other thing. Let’s go ahead and open up just all pictures. So I’m going back to my case tab and going from quick views, I’m going to go, just show me all the pictures in the case.

And then here are all the pictures. You can see on the bottom left active filters, I just have one and that just happens to be the pictures category. Project VIC allows us to make use of a database of known images.

And these are going to be indecent images, and they’re graded at different degrees of content. If you have that database and you can make use of it in XAMN by importing it and then applying that database to the images, it’s very helpful when working in child exploitation.

I mean, it’s a difficult job to do where you have to look at images like that all the time or videos, and it can be quite damaging to you as a person, just mentally.

So if you wanted to make use of this; number one, we would want to go into options and there’s a Project VIC section where you can choose the profile or your region, and then you’ll have your database that you can create. And it’ll be placed in the program data MSAB import VIC’s folder.

And by default, it’s going to hide Project VIC images when you run this. So I’ll click ok. But I’m going to come over here to the top and hit the Project VIC button. But there’s also, I think if you saw earlier when I hit the filters pictures, there was a Project VIC filter here, as well.

I’ll just do it from here. Click OK, give it a moment to apply. Let’s do it here. I applied the filter here, but I have to actually check it from the other button. And it shows that there are 32 hits for child abuse material, three hits for exploitive, three hits for animation, and then the rest are uncategorized.

But I can click OK, and I’m going to untick that one. So now I have displayed to me all the ones that it found that were illicit child abuse material, child exploitative. And again, if I go to gallery view, it’s going to be a little better.

And these are now hidden from you. You don’t have to look at them, you know that they are indecent images. So it protects you from the harm of having to view them. If you needed to view it, you could double-click it and you’ll see what the picture actually is.

And then, you know, we can see that these just happen to all be images of Star Wars characters. So there are no real indecent images here on this extraction. But you can see the different categories, yellow being child exploitative so that it could be some other type of image, not quite child abuse. And then I have a couple of CGI animation ones.

Well, and then if you want to turn off the hiding of these images, we can come up here into options and then we come to Project VIC and then go to the bottom and take that checkmark away. And now we can see all those images again.

You know, I personally, I’ve known people who have had to retire early from law enforcement because of having to view these images. They’ve gone through PTSD and that’s not good.

So, this option is there to protect you and also to protect people around you. So, if you’re in an open environment, you don’t want people walking by while you’re investigating this type of case to see this harmful material which could hurt them, right?

I think that’s it for what I wanted to talk about now, and I’ll just hand it back over to Alan.

Alan: Okay, thanks, James. Okay, so where you last left me I had created Monty Jack. Now I’ve created persons. So I did exactly the same thing for the other two subjects as I did for Jack. So I’ve now got, if I click on “List any persons of interest,” I’ve now got three and I’ve made them all persons of interest. I click either there, they will star there or they will star there.

So now I’m in the extraction. What I want to do is show you, basically, how I used to set myself up and how I used and how investigators that we used to train, sort of, how we used to set them up, as well.

So we used to set up basically what’s called a quick view. So the first thing that I’m going to do is create my own quick view.  Now up here you see quick views. You don’t create it from clicking on that, you save it from there.

So what I’m going to do is create it, first of all. So I’m going to add on a couple of filters. So at the moment, all of the extraction is just showing the categories, decoded apps, and you’ve got some tags down here. So I want to add on a few more.

So I want to add on just a few, not too many, let’s say deleted artifacts. It’s a logical extraction, so I’m not going to get loads. I also want to add on hash. So as it says here, it’s looking for supported files such as .txt, csv.

So, for instance, I might be looking at CSAM images or trying to investigate CSAM images, or maybe I might be something like a financial investigator, something like that where there’s particular files that I’m aware of that I want to see whether someone has those files on their phone.

So I’m going to save up or create a list of the known files that I’m interested in. And I then want to see whether someone has them on their phone. So, I’m going to select hash, and it’s then going to ask me to add a file. So I’ve got a known data set already. Can I open that? I’ll okay that.

So now it’s running through the extraction. You’ll see it pop down and there are known files on this extraction. It is going to show none at the top as you see there, no artifacts shown, but that’s because I’ve got, as you see here on the left hand side, deleted artifacts and hash.

So it’s basically saying there are no deleted hashes. So all I do is as I create my filters, my quick view at the top here, clear filter selections, really good one to remember is just click on that and it’s taking it back to 36,499.

So I’m going to come back to the hash hits because as you can see, there are 14 down the bottom there, but I want to add on a few more filters.

So you’ve got participants, I could add that on now. So I’m actually going to add that on a bit later because the one thing you need to know about participants is that it doesn’t save. So if you create a quick view, you have to add on the participants manually every time.

But first of all, you have to save the persons, which is what I did. So just cancel that. When I created my persons, you’re not going to get participants appearing unless you create persons. So first of all, you have to save a case or create a case, then you have to create some persons.

So I’m not going to do that for now. And I’m going to add on a word list. So, the investigator I’m sure has a list of words which they’re particularly interested in, that they’re looking for. Might be gang members or whatever. I’m going to add that in and it’s found 186 hits.

So all I’m going to do now is I’m going to clear my filters. I’ve only added on a few. I’m going to add on loads. So I’ve got deleted artifacts here, hash, no notes to it, and I’ve got my word list.

What I’m going to do, this is a new feature to XAMN, is I’m going to click it, but I’m going to move it up cause I actually want my hash hits to be a little bit higher. I don’t want it to be sitting down at the bottom. It might be that you’ve got a smaller screen and you just want it to be a bit more prominent.

So I’m just going to move it above apps. So it’s going to sit there. And what I’m going to do is I’m going to make sure my filters are clear, but then I’m going to select known data set.

And before I save the quick view, I want it to be so that every time I open an extraction, the first thing that I see are the hits to the known data set. And I could have a few. Depends, you know, I might be an investigator in all sorts of different crimes I might have different hash sets that I’ve got created.

So this has found 14. So I go up to the top to quick views and you name it whatever you want to call it. So I’m going to add that and okay that, and down, James showed you this on the left, bottom left here you have active filters, number one.

So the only thing that’s showing at the moment is the known data set. And if we go up to here where it says all artifacts, you’ll see that you have WebinarHash. So if I close this down, so I close the second tab down, let’s go back to where we were when we created the case.

We’ve created the persons. Even if you haven’t created the persons, if you’ve saved your quick view as I have here, and I might have a few different quick views, but I’ve saved this one. So what I want to do is every single time I open an extraction, I’m always going to open it up into a particular quick view.

So I’ve only got one. So I’m going to open up into my webinar hash and it’s going to open up the extraction. And the first thing it’s going to do, all being well, is show me the 14 hits that I have. So it’s working its way down through the categories and it’s found the 14.

So straight away, and this is something that we had a lot of success on in the past where, you know, you’ve got massive extractions, sometimes hundreds and hundreds of gigs of data and you might have limited time and you want to quickly identify whether there’s something on that file that is something that maybe the subject needs to be arrested for, further arrested or whatever.

Just good intelligence, whatever. So I’ve got 14 hits. So straight away I know that there are 14 files on these extractions, bear in mind, these are for all of the subjects. So we go to data sources, it’s for all of them and it tells you individually where the data is.

Now, the one that I’m particularly interested in is this one here. So, on the right hand side you’ve got the photo as James showed you, you can make it bigger by viewing it, you can double-click on it, or you can go in the three little dots launching the default app and you can view it that way.

So I’ve got my picture, it’s a file that I’m aware of. Further down you’ve got the image, the file name, you’ve got the type of file it is, you’ve got the file size, you’ve got the path where it’s sitting, so this is sitting in the digital camera images, so it’s sitting in the gallery or the phone.

So if I right-hand mouse, click over that, I can create a folder filter. And I like to do it in a new tab, personally,  it’s easier for my brain. And then you’ll see a third tab will appear here, which I can rename. That could be okay, whatever, rename it as I like.

So this is the 102 bits of data that are sitting in files and media. And if you open up to the subcategories, you’ll see that there are 80 photographs. So there are 80 photographs that sit on that path, okay? And exactly as James did, I can go to gallery view and I can sort them by size. And then I can just really quickly look at the data that is on the DCIM of that particular phone.

So, you’ve also got the created, the modified dates and times and you’ve got the metadata. And further down, if you open it up, if you click on the show technical details, you have the hash. So that’s the MD5. So that’s the file, the hash for that particular image.

I can also do, if I wanted to, so for instance, this might be a particular file of interest that I want to know, okay, what else did they do at that particular time? So right-hand mouse click, create a time filter in a new tab and I can then look at all the data that happened around a particular time.

Naturally defaults to 24 hours. 6 April to 7 April and there’s 1,175 bits of data. I can sort that by time, which makes more sense cause it’s a time filter. And then as you can see, if I go to the data sources, you can look to see exactly what data happened over that period of time.

The other thing I want to show you is something that I personally have had a lot of success on, is the three little dots. Now, you’ve got show similar pictures in a new tab. Now, what this is working on, this is working on the Dhash value, which… Google it if you want a bit more knowledge about it, but basically it’s looking for that particular image.

So, show similar pictures in a new tab and it’s going to tell me where that picture sits. So for instance, if I show a picture of my dog and I show it on WhatsApp and I show it to three or four different people, then that picture’s going to be sitting in my gallery, but it’s also going to be sitting in different folders within my phone. So I’m going to be able to identify really quickly who I shared that picture to.

So we’ve got here, you’ve got the PNG files, that’s actually what I’m going to do, first thing I’m going to do, which I forgot to do, is I’m going to tag it. So I can hover my mouse over here on the left-hand side or I can create a new tag. So I go up to top to tags, I’m going to create a new one, going to give it the color green and we’re going to say hash it.

So I’ve tagged it, I’ve shown it of interest, and certainly now I’ve a time filter that would really stand out because it would be really obvious. But let’s go back to the “show similar pictures in a new tab” and it’s found the five.

So that’s the one that I’m interested in. You’ve got some more, you’ve got some that’s sitting in the gallery, they might just be thumbnails. But the one that I’m really interested in is this one here because this is telling me if I go down to the path, it’s telling me that this has been shared through WhatsApp.

So, within a few clicks, and I’ve done this quite a few times now in the past when I was a police officer, I’ve opened up an extraction, I’ve clicked on “quick view” ‘cause I’ve already set it as I’ve done here, and literally within a few seconds I’ve identified an image or a file, document, whatever, that is something pretty serious that other people, might be me if I’m investigating it, whatever, other people will be really interested in that file.

And within a few seconds you’ve got enough that you might be able to identify that someone can be arrested.

So, this is the one that’s been shared with WhatsApp. And if I go up to the top here, just above the image it says “related artifact messages chat.” I click on that, it then shows me the message. So it’s been from Monty Jack to Gadget Hawkwrench on a date and time.

So what I can do from here, so this message was shared on 6 April. At the top here we’ve got timeline and maps. I click on timeline, so it’s gone straight to 6 April. I could add a custom time. So I click on custom time and then I just go, okay, it’s a bit niche but 15:11-15:12.

Okay, so if I go up here on the left hand side, it’s created a timeline. If I come on the little zoom out button here under maps, if I click onto that, probably want to create another timeline.  I just want to see what was happening between aroundabout that sort of time period.

‘Cause it might be that I found a file that is so interesting, I want to know, right, okay, well what was everyone doing around that time? So if I clear my filters and I click on a timeline, so I’ve got the one minute one, I can see that there were 12 artifacts that took place around that time.

If I go to one that’s a bit more, so it was just over an hour, 307, I can also see if I go to data sources, exactly what each and every one was doing around that time. I can get to different views. I can click on list, I can go to gallery, I could just look at pictures that happened around that time. And the same there.

And I could go to, for instance, I’ll get back to this one, 307, go to conversation view, and it tells me the conversations that took place around these times. So if I go to the other one, there was a glitch and say there was a particular crime that I’m investigating that I knew happened exactly, I don’t know, a couple of minutes in time.

Then I could narrow it right down to a couple of minutes to the exact time when I knew it took place, put all the extractions into one case and then identify what all the subjects were doing around that time. Were they discussing the crime or were they taking images, whatever.

So I’m going to clear my filters. I’m going to close this third one down. I’m going to go back to this one. I shouldn’t have closed it down, should I? So I’m going to go back to show similar pictures in the new tab. I’m going to go back to my WhatsApp image, WhatsApp on, back to the message chat.

So from here I can now also go to the conversation. So it’s going to take me to the conversation where that particular image was sent. So it’s highlighted here. You’ve got the yellow. Now, the third pane, if you like, you’ve got quick views, conversation, then you’ve got one that says timeline and maps.

If I drag this up, you’ll see that message there is highlighted. So there are a few things I could do. I could create a PDF. So if I click on the yellow, do a ctrl+a, click up the top here, PDF, then I could create a PDF of the conversation.

Save it to that place there, into the same place where I’ve got all my other extractions. I can zip it if I like. I can also password protect it. So, password protect it and I can also select what I want it to open a file after export, open a folder, so let’s just say open a file after export and then export.

So, it’s going to create a PDF of this conversation. And if I open a folder, click on the PDF, type in my password, and there is my PDF of the conversation. Okay, there’s that. So, I’m going to close that down.

What I also might want to do is I might want to tag this. So I’m going to create a new tag and keep it as that color there. Okay, chat of interest, add that, ok that, and what I’m also going to do while I’m here is going to do my, I like the whole conversation, it’s of interest to me, if I click on the yellow and right hand mouse click, I can add it to the report builder.

So I’ll come to this in my last section. but I’m going to add it to the report builder and it’s going to be chat of interest. Cause this is what happens using it, you have a massive load of extractions to view. You find stuff all the time, a bit here, a bit there.

And if you are going to create a report builder, then as you go along you’re going to add on bits into it. So I’ve added those bits, but I will come to report builder later on.

The last two things I’m going to show is this image here. If for instance this was in another language, you click on the text, you right hand mouse click, you can translate only this. So if you purchase the translation pack, then you have your source text note.

Just to warn you, you do have to identify the text. It might be that you have to use Google Translate or something, for instance, if you have certain languages that you are really not sure what it is, identify the language and then we could choose the language, translate it into that, and then it will translate just that text there.

And then what you do is you save your translation, then close down the box by clicking on the X and then you see in the examiner notes you’ve got there. That might not be perfect, but it would give you enough.

And from my experience, it gives you enough to tell you an idea. It gives you a really good idea as to whether there is anything on there that is something of interest. So, if I click on another message, I do Ctrl+A, back to this text here, if I right hand mouse click that again and I do translate and I can do all selected, it’s now going to do the entire thread and translate it for me.

It won’t take too long. There you go. It’s done. Click on done. And then whatever one I click in, then you’ll see, examiner notes down the bottom here, it’s saved into that. And then what I could do is just save as I go along.

And then for instance, if you had a word list and you had particular words saved and you translated it, say you translated it into English, then you might want to save it, reopen it, open up and run the word list again and see whether the words are hidden there.

I think, James, that is, oh yeah, the last thing I was going to do is show you, so we’ve got this conversation here at the top here, above Gadget Hawkwrench you’ve got a thread. So I can also just look at attachments.

So if it’s a conversation that’s going on for, I don’t know, it could be going on for years ‘cause people don’t delete their chat data, then you might have a whole heap of attachments.

So you can just choose any conversation. So, if I clear my filters on this one, I go to conversation view, then I sort that by most participants first and I’ve got 30, then you could just click on attachments and there are only two. Yeah, I think, James, that is me done for my segment.

James: All right.

Alan: So, I’ll hand it over to you.

James: Thanks. And I’m going to kind of start off in the same kind of place you are with conversations between me and a couple of people. I’ve applied a filter just to kind of narrow it down.

But here I’m taking a look at just one particular message I sent to one of our trainers, Roz. And here I want to segue into going into what’s called ‘source mode’ and then going into hex and maybe dealing with unsupported apps and things that weren’t decoded during the extraction.

Here, of course, you know, we support a wide range of apps and we concentrate on messaging, social media apps, communications. In this case, of course, this is WhatsApp. We’re going to support that as best we can. It’s going to be one of our targeted apps.

And if you’re ever curious, you know, where is this data coming from, whether it’s a system app or a third-party app like WhatsApp or a system app like iMessage, you know, I can select the message, come over here into the details pane, and at the very top right, there’s a little icon and it says examine and source mode if you hover over it.

When I click that, it pops out this new window, this hex viewer. And if I select a particular element in my artifact, like here this text, I can see the text and where it came from and what file.

So this would be good for validating the tool, maybe, if you wanted to, just to make sure it’s doing what it’s supposed to do, and you can go back and check, oh yeah, there is the message. I see it came from this chatstorage.sqlite. And you can find that, okay, that is the WhatsApp database.

And you’re like, well, what about this date and timestamp down here? You say the date is August 18th, 2019. Where’d you get that from? Well, we can click on the time and then that’ll be highlighted as well within the file and this database, for example.

And we see the data highlighted, these hex values, but then we can see up here on the top right, okay, it’s eight bytes; it’s the number of seconds since January 1st, 2001; it’s going to be Mac time in here, so yeah, that’s the date and time.

So yeah, that’s source mode. We can view the file like that, but we also have a more powerful way of viewing data in its native format. And that’s viewing it in Elements, XAMN Elements. and I’m going to go to another extraction for that.

So this is going to give you an example of, okay, we have an app that wasn’t supported, it wasn’t decoded during the time of the extraction, or it could be a device that used a similar profile, we don’t support that device yet.

So some things may have not been decoded properly, and now you’re going after it on your own to try to manually find the data and do some of your own decoding. But I’m going to go to the databases in here, and specifically looking for one for the Zangi app, and it’s this database here.

We do have a built-in database viewer. if I have the database selected and the details pane, they always start out minimized. We have a built-in SQLite viewer built in P-list viewer, built-in XML viewer. But if you want to see more, you have to expand it, all right?

Again, this is probably not the best. I mean, I have to scroll all the way down here to find messages, but we can also put the ellipsis here. More options. I can show it in a new tab.

And now I have it in a more traditional view as if I was viewing it in a third-party database-viewing application. And I can go directly to the message table.

You’ll also notice something strange here because normally if I go to a database and say, I open this one in a default app, so I have SQLite Expert installed on my computer and I go to messages here, I’m not seeing all that stuff in red because database viewers are not designed to display deleted messages to you.

But our built-in viewer here in XAMN does display deleted messages for you. And it’s on by default in the bottom left corner, there’s a tick box here that says ‘show deleted rows’.

And we can take a look at this one in particular. We have a message here, we have a date and time, we have who they’re chatting with and to.

But if I come back over here to file, for instance, I can take a look at the categories and there’s only one message decoded, and it is not from this app. So obviously this database was not decoded at the time the extraction was performed.

But maybe I want to add this data in. And there are a couple ways to do that. One of those ways is to come over here with this database and we can hit the ellipses. And instead of examining it in source mode, which is just review hex, we can examine it in elements again, and it’s a more powerful hex examination tool.

Here we see this file in its raw format, SQLite3. That is the file signature, the file header for this, showing that it’s a SQLite database. We have some really cool built-in features for converting numbers, hex values into their 32-bit, 16-bit, 64-bit values.

So the second line here, say we wanted to see what hex 10 00 converted to, well, over here on the right, we can switch that to a number. And I need to move this thing out of the way. And by default, everything here is going to be a Little Endian.

So I do want to add my own value here. So I click add format, and this is a number I’m dealing with. It is two bytes, so that is going to be 16 bits, and this is going to be a 16-bit Big Endian value. So the value is 4,096.

And I can add that and save that as a new format set. I already have one, my custom Big Endian numbers, so I’m not going to save that other one. But here, 4,096, that’s how big each page is in this database. And this here shows me this four-byte value shows me that there are 57 pages in this database.

But if we wanted to, we could go find some of that text, like, I know the word June was in there, and I can look for all those hits. Let me make sure I’m looking for, yeah, June, and sometimes I want to make sure I don’t do anything case-sensitive, and here are my hits.

And what we can do is from here we can add artifacts directly into XAMN, like this text message here. We know this is a chat message. We know there’s a date and time in here.

But what I can do is construct a property, I can add an artifact and say, yeah, I want to add something to the messages chat category. And this is the message here that I want to add. Say “hi june 19 2020 ay 1407 eastern.”

I can select that, add it as a property. I have to make sure over here on the right is text and I select what kind of text formatting it is, then add property. And this is going to be just text.

And if I come back to file now and I go to messages, rather than having one, I’m going to have two. So this is the one that was already here, but now I’ve added custom, “hi june 19 2020 ay 1407 eastern.”

And if I wanted to find the date and time, which it is in here, it is right, let’s see, make sure I get these right values. It’s going to be about right here or so. And then maybe even more. But I’ll have to play with this because sometimes I forget.

And we have the date and time show up here. And I think this is just a four-byte value if I remember. So let me add a new one. Date, time, and this is going to be just, this one’s milliseconds, and I think I’m going to have to add a couple more bites in here. There it is.

So it’s this six-byte value here. And then I could add that as the property and add that as time. And then if I come over to file again and go to messages, see I have the text and the time, and do notice that when I’ve added this myself, there’s a little image of a human to show that this was created by the user, not by XAMN.

So we can see what was added after the fact. There’s also a filter that can show us, you know, all examiner-mapped data. And there’s only one item right now.

That’s one way of doing it. The other way of doing this is when you have the database open like this and you can see a particular table, messages in this case, and you know they weren’t decoded or added into XAMN and you would like to have these there, at the bottom left, there’s an icon that says export CSV, but there’s another one here to manually map the content.

So if we select that, it’s going to open up like a little walkthrough wizard that’ll allow you to choose what category you want these to go, in this case messages chat. And then click next. And then we get to choose what columns we would like to bring into XAMN.

By default, it’s automatically choosing the deleted record, true or false. But I’m going to come over to the right here and I am going to select date. And I want that one to come in as a time. And again, this time format. So this is the milliseconds since January 1st, 1970. And then I’m going to go and grab the message itself and that’s going to be text.

And next, and then I can get a little preview of what’s going to come in, and then import and open, 25 artifacts are going to come: all the ones that were live plus the ones that were deleted. And now I have a new tab filtered with just those artifacts.

And we can see the ones that are deleted have the little red deleted icon, right? And then one other method I’ll show you real quick, we are running low on time. So I want to end this and then hand it back over to Alan.

Again, unsupported app, you have the database, you’ve identified it in this case we’re looking at an extraction. You can see there are no decoded messages whatsoever. We have some files, that’s it.

One of those files we’d be interested in here is the chatdb.sql database. We can view this database in a new tab, and see maybe we’re after these chat messages, and we want to bring those into XAMN. We can see the date, the timestamp as well is there. And we can see that we’re talking to a particular buddy, but we also have a buddy list where we have those two buddies that we’re talking to.

So we want to relate both of these tables back and forth to each other so we can see who we’re talking to. We want to see the direction of where the messages are coming and then maybe we want to keep them in their own threads.

So, when you install XRY, you’re going to get Python installed, as well. And there’s going to be a folder created in your documents folder on your computer, and that’s where the Python scripts will go when you get them from somebody or create them yourselves.

Here’s a Python script that’s been created to handle this particular app. I right click here; I just want to show you what that Python script looks like.

So we’re going to target this database. We’re going to target a table, buddyList, we’re going to target another table, chat, we’re going to grab data from certain columns, and then we’re going to add that data as artifacts into XAMN.

So let me just run that. When we run Python scripts, we do it in elements, scripts, I parse chat from that chatdb database, run the script, uh oh, let me fix that up real quick. I am going to commented that out and try it one more time.

Here we go. Now it creates a SHA1 value that’s going to be stored in the log so that if you hand this XRY file off somewhere else and they take a look at the log and they say, “Oh, you ran a Python script,” well then you could provide them with the Python script and that should, if it’s the same script, it would match that SHA1 value, so they know they have the exact same one you had, so they can analyze it and see what it’s doing.

Click close and then I’m going to come back in here and view all artifacts again. Now under messages, I can see my messages between me and those other individuals, or I can go into the conversation view. Well, no I can’t because I removed the thread ID.

So when I commented those lines out, I lost my ability to view it in chat view. So I have to come back and take a look at that script one more time.

But that is using Python scripts to bring data in. I know that was very fast and quick, but hopefully, maybe it’s something that you didn’t know about. Okay, back to Alan.

Alan: Okay, cheers, James. There’s not a lot of time left, so there’s proof really of what James was saying that there’s so much we could talk to you about and we could spend hours and hours talking about XAMN.

Okay, so where you last left me, how long have we got? If you’ve got any questions by the way, then put them in. We may not have time to answer them today, or during this, but we get back to you, I’m sure.

So, the other thing I wanted to show you before I ran out time was participants. So if I had a new filter, if I go to participants, click ok, so it’s found three. But what I want to do is I actually want to add on another one. You want to do this if it makes sense.

So we’ve got the two, but I want to see, I might have three particular subjects involved in say, a robbery, and they may be denying that they actually know each other. So I want to see how they talk to each other.

So I can go to Monty Jack, click on Monty Jack and then go to Fat Cat, and there’s 209 data between the two. So communication data; texts, calls, stuff like that. And the same, what did Jack do with Hawkwrench.

So it’s just going to show me, so if you do have subjects that are denying they know each other, then you lump all the data into a case and then really quickly you can identify, and you can also, you could add that into the timeline and then you could just, you’ve already got your saved times.

So you could just add, you could do a custom timeline, so actually cancel that. If I go into 2020, keep clicking in, and then Quarter Two and then April. So I’m now looking at data between Gadget Hawkwrench, Monty Jack in April, there’s 206 bits of data. So that’s participants, clear my filters, get rid of the timeline.

Now I want to go to connection view. So we’ve created the persons, and connection view works so much better when you’ve created persons. I’m going to give myself a bit more space because there’s a lot. So I’m going to move these over.

So for instance now, because I’ve tied it all up by creating persons, and there’d be a lot of other persons if I was investigating this, I could give myself a lot, you know, make it a lot easier. But I’ve got Fat Cat and I want to see the data from Fat Cat to, say, the Disneyland chat group.

So there’s 20, so it’s now displaying 20 chat messages between Fat Cat and the Disneyland group. And it’s displayed here on the right hand side. I can get create a PDF, sort it by oldest to newest, I could just click on Disneyland and it’ll tell me who’s in Disneyland.

And the same thing where I’ve done this, where I’ve mixed up, so for instance, I could now click on timeline, I’m on Disneyland, ‘cause it’s still highlighted there, and I just click on 2020. I can now just go to a particular time, so the Quarter One of that year.

So I’m now in the Disneyland, where I could go to Hawkwrench, I could look at the data that took place. So Hawkwrench communication data took place in that period of time. So if I go again, click on it again, click onto March 2020, I can see exactly what sort of communication was taking place.

So Gadget Hawkwrench took team Snapchat. There you go. And down the left here you have your active filter. So if you want to know how to sort of get back to where you are, just click that and it will take you back to the beginning. And on this one here, we set the zoom, takes me back to that.

So how are we doing for time, James? We’ve got eight minutes. Right, so, what I want to do now is get this one back, move that back, clear my filters, push clear, I’m going to go back to list view. I just want to quickly create a report.

So I’ve got my chats of interest. Actually, what I will do very quickly is go back to my hashes. So I’ve got my known data set, I want to add these onto my report. So I’ve got my 14, going to clear the timeline. I want to tag all 14 of these cause they’re of interest to me.

I’m investigating a particular crime, they’ve got the hash, I click on one, ctrl+a, and then I’m going to create, actually I’m going to tag them as important, so just make them all go red. So now on you and I do that, Ctrl+A again, right hand mouse click, add to report builder. Okay, selected 14 artifacts, data block name is going to be, hash hits. And I might already have one called hash hit. So it’s hash hits_2.

Okay, so at the top, if I clean my filters at the top you have report builder. So add selected data. So let’s have a look at report builder here. So, at the moment I’ve got 14 bits of important, one hash hits, that’s the one that I did all my investigation on, and I’ve got chat of interest.

So at the top you’ve got your cover page. So you just click on it and drag it over, create the details, I want to put in the case ID, the case operator and the report date. And I want to maybe add on a logo. So, I’ve got my logo for the case.

So click OK there, and I might want to add in a few extra bits. So I might want to put in the summary, drag that across on all the data sources, so the summary of all the data sources. And I think I put in the general information, all the data sources.

So select data source, all data sources. I think then I’ll probably put in a page break so it looks nice and neat and I’m going to put in the first one.

So, we’re going to put important, OK, and I also want to click on Hash. I want that data to be put into my report, click OK there, and we’re going to have another page break.

I might then just put a note. And then this could be, what are we doing now, we’re doing hash hits, OK that, and then I’m going to put my hash hits in, and the same for that I’m going to put some hash data in and then chats of interest.

Put that in there. I want it as conversation view. So I click OK there, we can preview it to see what it looks like. And then I’m happy with that. I’m happy with all the data I’ve got there so I can just generate it.

So yeah, webinar case, we’re going to say webinarcase_report, where I want it to go, so that’s exactly I’m happy with that. I’m going to protect it with the password because let’s just say I work in a sensitive role and I don’t want anyone to sort of see what I’m doing. Don’t want it to be widely shared.

So just going to check that I’ve got the right password, I’m not going to allow changes, I’m not going to allow copying and I’m not going to allow printing. I can do, but I’m going to lock it down entirely so that if I share it by an email, then no one can do anything with it. It’s entirely locked down. Okay, and then type in the password. And there you go. And we’re now into the report.

By the way, this is all recorded. So if we’re going super fast, James and I, then you can just go back and view it, slowly. So, everything I’ve been doing, I’ve been looking at lots and lots of data. So if I click on case, click on the three dots, I’ve got my view audit log. So case info, three dots, view audit log.

So remember at the very beginning I said that I’ve selected that I want to do an audit. So I’ve been busy on this. I’ve spent a lot of time looking at this extraction, so it’s recorded everything I do, everything I look at, it’s all recorded there.

So that would be a personal choice for whichever department you work in, whether you want that. There may be reasons why you’re doing or why you don’t, so that you can choose.

Oh yeah, the last thing very quickly, while I’m in this particular extraction, I could, if I go into clear my filters, I can create a subset, which is creating another XRY file. But let’s just say, let’s delete, say for instance, this important data, let’s just say that I don’t want that, so if I click on edit, I can exclude that.

So it’s basically excluded that particular data. So it might well be that I had a lot of experience of dealing with legal privilege material, stuff like that. You might come across stuff that you’re not allowed to look at. So you can exclude it from the file and then, at the top, save a subset.

Now I want the filtered. So as you can see, it’s slightly less, so filtered, and then you can lock it with a password, you can select your options there, name it, and then save it, which I’m not going to do now cause it would just take too long.

But that’s how you do it. So you’re creating, whether or not you exclude data, you are creating a subset as another XRY file.

And the last thing to show you is XRY. So, James showed you this earlier one, if I go onto menu, process, process options, I’ve created one here called Logical_Max_read, so it’s a logical extraction, but if I go to decoding, then I’ve got some extra ones I’ve ticked, and James has showed you some of these, but the one you’ve that is quite good to know about is generate video preview and thumbnails.

So if I go to this extraction, which is my work phone, I go to files and media, go to videos, go to gallery view, it works best in gallery view, sort this by size. Oh, am I in the right one? Oh, I’m in the wrong one. That serves me right.

So, go to that one, all artifacts and then go to gallery view, sort by size, and then you can see here, like this one here, you’ve got thumbnails. So if you’ve got thousands and thousands of videos and you want to make life a lot easier, so if you have the time, it depends on what sort of extraction you’re doing. But if you have the time, set a decode so you can view the videos as thumbnails.

And I think James, there’s loads more to cover, isn’t there? But, I think we’ve probably covered most of it. There’s only about a minute left, I think.

James: Yes, yes. And so one of the questions was, “Where can we find the pre-recorded session?” And I was just informed that that will be sent out, everyone will receive an email, also from GoTo Webinar to view this session later.

Alan: What we going to do with the file?

James: I don’t have that. But the only other question I can see, it looks like the asker is that they had problems adding a GrayKey file in XAMN before and they’re wondering if it was fixed.

I don’t know of any issues. And we just had a new release of XAMN. So I I don’t really know the answer to that one other than it could have been a one-time issue, but as far as I know, there are no issues with GrayKey. I don’t know unless…

Alan: Yeah, I’m not aware otherwise. Yeah, we can find out and get back to that person.

James: Let’s see. Thanks. Thank you. Okay, so yeah, that’s it. So it looks like those are the outstanding questions. Thank everyone for joining. Hopefully you got something out of it that you didn’t know about before, that’ll make using XAMN more fun, more features that you can use toward your investigations. Thanks a lot, Alan. Anything left to say?

Alan: No, no, nothing for me. Just thanks very much. Yeah, I hope you found it interesting and useful.

James: Right. Thanks all. Have a good rest of the day. Take care.

Alan: Thank you. Bye.

Leave a Comment

Latest Videos

Magnet Forensics' Matt Suiche on the Rise of e-Crime and Info Stealers

Forensic Focus 12th January 2023 3:00 am

Just like your current holiday shopping for last minute presents a lot of the good stuff has gone off the shelves already. You reach to the back and find the toy nobody really wanted but it’s the thought that counts, you stare down at Si and Desi’s Holiday Special 2022 podcast. 

Please join these two as they lament over the year that was, discuss all the things they didn’t do but promise they will do them next year, query whether putting a NAS in the storage of a roller door is a good idea, and finally arrive at what they’re looking forward to bringing you in the new year.

Show Notes:

Arduino PLC IDE - https://docs.arduino.cc/software/plc-ide
Mycroft Mark II (open source Alexa) - https://www.kickstarter.com/projects/aiforeveryone/mycroft-mark-ii-the-open-voice-assistant
Christa’s new blog - https://christammiller.com/
Si’s holiday reading - https://amzn.to/3iJyGrR
Desi’s holiday reading -  https://inteltechniques.com/
Strange event for the end of the year - https://www.reuters.com/world/europe/25-suspected-members-german-far-right-group-arrested-raids-prosecutors-office-2022-12-07/
Si’s wishful thinking - https://www.youtube.com/watch?v=GXnRgXclLd0
Si’s list to do before the EOY - https://intrepidcamera.co.uk/products/intrepid-4x5-camera
Desi’s list to do before EOY - https://www.wired.com/story/how-to-reset-your-phone-before-you-sell-it/
“Cleaning your office” - https://www.manfrotto.com/uk-en/vintage-collapsible-1-5-x-2-1m-ink-sage-ll-lb5720/
Conference recorder - https://amzn.to/3UBmre5
Desi’s blog - https://www.hardlyadequate.com/

Just like your current holiday shopping for last minute presents a lot of the good stuff has gone off the shelves already. You reach to the back and find the toy nobody really wanted but it’s the thought that counts, you stare down at Si and Desi’s Holiday Special 2022 podcast.

Please join these two as they lament over the year that was, discuss all the things they didn’t do but promise they will do them next year, query whether putting a NAS in the storage of a roller door is a good idea, and finally arrive at what they’re looking forward to bringing you in the new year.

Show Notes:

Arduino PLC IDE - https://docs.arduino.cc/software/plc-ide
Mycroft Mark II (open source Alexa) - https://www.kickstarter.com/projects/aiforeveryone/mycroft-mark-ii-the-open-voice-assistant
Christa’s new blog - https://christammiller.com/
Si’s holiday reading - https://amzn.to/3iJyGrR
Desi’s holiday reading - https://inteltechniques.com/
Strange event for the end of the year - https://www.reuters.com/world/europe/25-suspected-members-german-far-right-group-arrested-raids-prosecutors-office-2022-12-07/
Si’s wishful thinking - https://www.youtube.com/watch?v=GXnRgXclLd0
Si’s list to do before the EOY - https://intrepidcamera.co.uk/products/intrepid-4x5-camera
Desi’s list to do before EOY - https://www.wired.com/story/how-to-reset-your-phone-before-you-sell-it/
“Cleaning your office” - https://www.manfrotto.com/uk-en/vintage-collapsible-1-5-x-2-1m-ink-sage-ll-lb5720/
Conference recorder - https://amzn.to/3UBmre5
Desi’s blog - https://www.hardlyadequate.com/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_BhrBg5_sAKo

Si and Desi Holiday Special 2022

Forensic Focus 16th December 2022 12:00 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...