What’s New in XRY 9.6 and XAMN 6.2

Greg Masterson: Good afternoon, everybody. We’re going to get started here in a minute. We’re going to be introducing Kevin Kyono, a Technical Sales Engineer with MSAB to discuss the release of 9.6 of XRY and 6.2 of XAMN, and Kevin will be showing all the features and information. We’ll have a question and answer at the end, but feel free to throw questions into the chat during the presentation, and we’ll try and get you some answers. Kevin, it’s all you.

Kevin: Good morning, or good afternoon, wherever you may be. I just wanted to start off by thanking you for taking the time out of your busy day to join us for this webinar. As Greg mentioned we’re going to be showcasing the new features of XRY 9.6 and XAMN 6.2. This is a major update and our major updates are pushed out every quarter. We also have micro releases that come out about once a month. If you haven’t updated your machine yet, hopefully these new features will give you that push to hurry up and install the update.

I’m going to give you a general overview of all the new features and then show them to you in a live setting. As Greg mentioned, if you have any questions, Greg, he’ll be monitoring the chat and he’ll be happy to answer any questions you may have, and we will also have a Q&A session at the end.

So just a quick introduction. My name is Kevin Kyono. I’m a Tech Sales Engineer with MSAB and I’m based on the west coast. I’ve been here for almost two years and joined the MSAB after a 27-year career with the San Jose Police Department. At the SJPD I was in the Detective Bureau for eight years, I did five years in the High Technology Crimes Unit, and three years in the Silicon Valley ICAC Task Force. I was also the ESD K-9 Handler, and for those of you not familiar with the ESD K-9s, those are the dogs that can locate the electronic storage devices like cell phones, thumb drives, SD cards and hard drives.

And I’m joined by my colleague, Greg Masterson. Greg is also a Tech Sales Engineer but he’s based in the Northeastern area of the United States. He came to MSAB after serving 25 years in law enforcement on the East Coast. And as I mentioned before, Greg will be monitoring the chat and he’ll be happy to answer any questions you may have, and we will also have a Q&A session at the end.


So let’s jump right in. So, a quick overview of XRY 9.6, some of the highlights of some of the new features. We have full support for iOS 15 and Android 12, we now have support for over 35,700 unique devices. One of the new features is Selective App Extraction. We can now also do iOS screenshot captures. We have an improved Python interface. We can do Python cloud extractions. SHA-256 is now supported in our Hash Tree Builder tool. We have enhanced Raven importing for our Raven customers, and we have a new process options user interface.

For XAMN, some of our new features are Project VIC grading capability, we have improved tagging of artifacts, Apple facial recognition filtering, improved artifact sorting, a slideshow viewer in our Gallery View now, our XML Viewer is now searchable, and we have enhanced app database mapper.

So, I’ll just go into a little more detail here on some of the features. So, for our support, in addition to our full support for Android 15 and Android 12, we now support over 35,700 unique devices. And of those devices, we have physical extractions and brute force capabilities for 10 new Samsung devices that are running Exynos chipsets.

We have support for 400 unique apps and nearly 4,000 versions of those apps, and we’re constantly improving our decoding for our supported apps. And this release has improvements for Slack, Kik and Facebook Messenger. Our new Selective App Extraction, we have the ability to select specific apps to extract or exclude prior to your extraction. So this can be very useful when your case revolves around a specific app or if you’re limited in your scope by privacy concerns, consent or warrant constraints, you can limit the data in your extraction. And I’ll show you in the live feature, but you must enable this function in your Process Options.

iOS Screenshot Capture, we have the ability to capture specific screenshots from iOS devices, and it will even allow for screenshots on apps that don’t natively support screenshot capturing. This feature has been available for Android for a little while now and now we have it for iOS devices. What it will do too, it will create a new XRY file containing all of your screenshots within one file. But just a caveat to this feature, if the app that you’re capturing the screenshot on notifies the sender that the screen was captured, this feature will not bypass that feature. So if you do capture screenshots on an app where it’s going to notify the sender, just be aware of that, that it will notify the sender that the screen was captured.

Our improved Photon interface, so the Photon interface is now more streamlined and more consistent with the rest of the XRY interface. So it’s going to be a lot easier to perform a Photon extraction when you want to include all the data. Python Cloud extractions, so when you’re doing Cloud extractions from unsupported providers, you can now utilize a custom Python script to extract from the Cloud and decode that unrecognized data.

And you could either write your own scripts or potentially in the future, there may be some available on the customer portal. We do have a forum on the customer portal where files can be shared. And we do have a tech sales engineer on our staff who is a Python guru. So if you ask one of us to create a Python script, usually our Python guru will be more than happy to create a custom Python script for you.

SHA-256 is now supported in our Hash Tree Builder. So for those of you who may not be familiar with our Hash Tree Builder because it is a fairly new feature, Hash Tree Builder allows you to search for known hash values during the device extraction. And if you have some hash values you’d like to search during the extraction, maybe it’s from Project VIC, or maybe from a CyberTip from NCMEC, you can use Hash Tree Builder to find your matches quickly during your device abstraction.

So, Hash Tree Builder previously only supported SHA-1 and MD5, and now we also support SHA-256. Just to note, though, that Hash Tree Builder is not fully integrated into XRY yet, where you have to jump out of XRY and open up an executable file. But because it was such a highly-requested feature, it was the goal of our developers to quickly get it into the hands of our users. So the feature is there, it just takes a couple of extra steps. So it’s currently a work in progress and new features and updates are coming out on a very regular basis. So very shortly it will be fully integrated within XRY where you don’t have to jump out of the program.

We have improved Raven support. So we have added support for decoding the iTunes backup and the Android backup in Raven, for our Raven customers out there. And we have our new process options interface. So you no longer need to click the padlock to make changes within your process options. And the user interface is a lot more consistent with the rest of the XRY interface. So our previous screen, this is our old version of Process Options, where you used to have to click the padlock to make any changes. No more. Our new user interface is much more streamlined.

So let’s jump into XAMN and see what some of the new features in XAMN are. A big one for our ICAC customers is we can now grade your CSAM images and videos directly from Gallery View or the Details Pane. And then you can easily export those CSAM pictures and videos to Project Vic with the proper categories already assigned. We have improved tagging of artifacts. We can now tag artifacts directly from the Details Pane.

Apple facial recognition, so we’re using Apple’s facial recognition technology to be able to filter for images and videos. This will enable you to quickly identify persons in your case, it works on photos and videos, and it filters on the identified person’s unique ID that Apple’s technology creates.

We have an improved Artifact Sorting. So we have the ability to sort by attachment count when viewing communications now. Another big one for maybe our ICAC customers who are viewing thousands and thousands of images, we now have a slideshow viewer. So we have the ability to view all the pictures in a slideshow view, it automatically advances from one picture to another, and basically it eliminates the need to click your mouse thousands of times, or roll your scroll wheel over and over and over. Now you can view all of your images in a slideshow and you could customize the playback speed of that slideshow.

Our XML Viewer is now searchable. So as you know, XML files can be very large and can be difficult to find specific lines of text. So now we can search for text strings very easily in XML viewer. Our app, Database Mapper has been improved. So now we have the ability to add and save descriptions in your columns, save it as a template, it’s going to help you decode data from unknown apps, and if you do create a template, you can share that template with other users or other users can share it with you.

So, we also have the Add Filter improvements. So when you add a filter to your Filters column, we now show a description of what all of those filters are now. So if you’re unsure of what a filter is going to perform, you can now see a brief description of that filter when you try to add it.

So let’s get into a live demo now and show you some of the more popular new features here. So first, I’m going to show you selective app extraction, but in order to utilize this new feature, I need to make a change in the Settings, in the Process Options. So let’s go to our Process Options. I’m going to go to the main menu, click ‘Menu’ in the upper corner, go to ‘Process Options’, and you can see our new user interface for Process Options. So there’s no longer a padlock here where you have to click the padlock to make any changes. Now you can just make changes on the fly. So, in order to enable the selective app extraction, I need to go to the ‘Data Types’ and select ‘Apps’, and by default, this is not going to be checkmarked. So you need to checkmark this, which I already have checkmarked and click ‘Save’. Now I’m going to be able to be selective on what apps I want to extract during my extraction.

So let’s go back to the Extraction page and I already have a couple of devices plugged in. So instead of plugging in a device and having it auto-detect, I’m just going to click the little ‘USB’ tab on the right side here, select the Samsung device, and go through just a regular logical full read extraction. The first screen that comes up is to specify time span. This has been a feature of ours for a while now, where you could customize time spans of your extraction, but here’s our new feature. So, on the front end, you can select what apps you’d like to extract or what apps you don’t want to extract, or you could choose to extract everything.

So this can be very useful in cases where maybe it’s just a Facebook Messenger case and you just need to grab Facebook Messenger. This is very helpful when you want to respect, maybe your victim’s privacy, so you’re not going to grab all the data, or maybe you’re bound by some legal restrictions. Maybe your search warrant is only giving you authority to grab your Facebook Messenger and maybe all the Facebook data. So this can help you stay within your legal boundaries. I can just select Facebook and Facebook Messenger and then click ‘Next’. And it’s going to disregard the app data from the other apps. I’m not going to go through the full extraction, but I just wanted to show you where the Specify Apps Extraction is and how to enable it through Process Options.

So, next I want to show you is the iOS screen capture function. So I’m just going to back out of here, go back to the Device Selection page, and I have an Apple iPhone plugged in. Let’s go back one more. So instead of choosing the actual device, you’re going to go into our Device Manager to select the screenshot capture. So I’m just going to type up here in the text box. If I start typing iOS, you’re going to see some of our iOS features starting to pop up. A couple of them are here, like our built-in Checkm8 jailbreak solution, our GrayKey import is also here, but the one we’re looking for right now is iOS Capture Screenshot. I’m going to select that, click ‘Continue’, click ‘Next’, make sure you Trust your computer to the device, enter your device details, and click ‘Next’.

So now it’s telling me to select the screens I want to take screenshots of. So every time I hit the ‘Take Screenshot’ button, it’s going to snap a screenshot of whatever’s on the iPhone screen. So I’ll take a screenshot of that. So I just took two quick screenshots. When you’re done, hit ‘Cancel’, and in a couple of seconds here, it’s going to be done.

So, you see up at the top of the screen, it says “The decoding device can be disconnected.” Just as quickly as that you can unplug the device. If you have to give it back to the owner right away, you could do that. So everything is very quick here. Within a matter of a minute, the decoding is going to be done, and you’re going to be able to view your data within XAMN.

So right now it just created an XRY file containing all the screenshots, and just a reminder of our XRY files, they are a secure file format, so you can’t make any changes to it. And if you do make a change to it, it’s going to render that file inoperable again. So you can say with 100% certainty that that file has not been changed from the time you did your extraction to the time you’re done with your case.

So just as quickly as that, my iOS screen capture is done. This can be very useful in cases where you previously may have just taken manual photos of a device with another camera or another phone. But now you can use this iOS screen capture function.

I’m going to discard that and go back to our extraction. I’m going to show you our new Photon interface. Photon is one of our popular features to collect data, especially from end-to-end encrypted apps, like maybe WhatsApp or Signal or Telegram, and it’s a lot more automated now. So it’s especially nice when you’re collecting all of the data, when you’re selecting all chats and all calls. Before you still had to go through a lot of menus and make choices, but now, if you’re collecting everything, it’s very quick and simple now.

So I’m just going to do a WhatsApp extraction. I’m not going to select either of these. Fast mode will run faster, but it’s not taking the actual screenshots. And if I want to manually select certain things, I would have to select ‘Manual selection’. But since I’m collecting everything, I’m going to just click ‘Next’, enter my device details, and it’s starting, the process has started. So just as quickly as a matter of seconds, my Photon extraction is starting, whereas before it would take maybe a couple of minutes to go through all the menus and steps. So that is our new Photon process.

Let me just show you one more thing in XRY before we jump over to XAMN. So far, our Hash Tree Builder, there is an option you need to change in our Options menu to ensure that the hash value type you’re searching for is enabled. So if we go to ‘Menu’, click on ‘Options’, then we’re going to ‘Hash algorithms’, so by default only SHA-1 is selected. So if you are searching for MD5 hashes, or now we have SHA-256, you’re going to have to enable those.

So, I know MD5 is still a very popular hash value, especially for like, Project VIC or your CyberTips, or a lot are in MD5 still. So you’re going to need to make sure MD5 is selected. And now that we have support for SHA-256, you’re going to have to select that as well, too, if you’re searching for SHA-256 hash values. And once you click ‘Save’, you’re never going to have to select that again. It’s going to remember that for all of your future extractions. So just keep that in mind that only SHA-1 is enabled by default.

So let’s jump over to XAMN and show you some of our new features in XAMN. So, first thing I want to show you in XAMN are the improvements to our Project VIC integration. So the big thing on this latest update is that we can now grade any new CSAM images or videos we find before sending them over to Project VIC. So before we would just send them all of our tagged items and not have them pre-categorized, but now we have the ability to pre-categorize them before sending them off to Project VIC.

So I’m going to open up some images here, go to ‘Files & Media’, select ‘Pictures’, show them in Gallery View here. So let’s just say, for instance, this is some CP we found. All you have to do now is right-click it, go to ‘Select a category’, and since we’re in the US it will be US, and say this is Category 1 of definite CSAM material. So we can pre-categorize these or pre-grade them. So say this is another Category 1, I can just right-click, select that as Category 1. Maybe this one is some Anime, I can categorize that as Category 3, right-click again, say this one’s Age Difficult, not sure, and say this one is Non-Pertinent.

So now I just have a few categories selected here. Looking at my filters here on the side, I don’t have my Project VIC filters here yet. So I’m going to add them. So I can click ‘Add new filter’ here in this old plus button, or I could go down here at the bottom and click ‘Add filter’. Either one performs the same function.

So now it’s a good chance to see our new adding filter improvements, as well. So you see here, if I select any of these filters to add, it gives a brief description of what it’s filtering for. But what I’m looking for is Project VIC. Select ‘Project VIC’, select ‘Okay’, and now here are my Project VIC tags here, populated by how many of each tag. And now, if I want to put these in a report and send them to VIC, I could just select all of these, go up to ‘Report’, select ‘Project VIC’, and I need to click on ‘Filtered’ because these are the filtered items I have, click ‘Next’. You have to determine whether you want to export the actual files along with it, or just the hash values, click ‘Next’, and determine where you want to save that, and you’re done. So it’s a great new feature for our ICAC customers out there, or our customers who are dealing with the CSAM images and videos.

Let me go back, open up a new tab here. So we’ve also made it easier to tag items now, too. So before, it was common to tag items by either right-clicking and choosing a tag, or if you have a hotkey determined on your tag button, you know, ALT-1 through ALT-9, you could just tag them by using a hotkey. But now you can tag them from the Details pane now, too. So if I select an image, go over to the Details pane here on the right, right above the image, there’s a highlightable field here, but you can’t really see it until you put your cursor over it. So from here I can just right-click and I can tag from here, as well. So if I want to tag that as a picture, now it’s tagged as a picture. So just remember it’s from the Details pane here. Just go right above the image, right-click, and now you can tag items from here, too.

Another feature that I talked about before is our Slideshow Viewer. So if you are tired of scrolling through these, scrolling, scrolling, scrolling, you can now view them in a slideshow. So let’s start from the top here. So right here up in the sorting area where you would sort or change the size of your gallery view, at the bottom now is an option for slideshow. So now we have our slideshow view up, we can customize our scrolling speed from one second to seven seconds, but I’ll leave it at one second, press ‘Play’, and this is going to start going through all of your images without having to touch a button. If you see something of interest while you’re scrolling, you can pause it and then you could tag it. So, okay, it’s tagged. Go onto the next ones. So for those of you who are doing a lot of cases that are heavily picture-oriented or video-oriented, this is a great way to quickly just zip through all your photos.

And the last thing I want to show you in XAMN is probably one of my favorite new features, is us utilizing Apple’s advanced facial recognition technology to improve our searching and filtering. So as you’re probably all aware that Apple has a pretty nice facial recognition feature where it will automatically create matches within their users photo album, where it’s going to make matches of people. So we’re utilizing or leveraging their technology to help with our filtering.

So if you’ve extracted an iPhone or an iPad, it’s very likely that the images have already been processed through their facial recognition. So in the Details pane of an image, you’ll now see this field if it’s been filtered through their facial recognition. You’re going to see this identified person’s UID or unique ID. So if I right-click on that unique ID and create a new filter and a new tab, I can now see all the matches that Apple has made based on that facial recognition. So it’s nice, even though this is not a person, it actually works on dogs too, which is kind of cool.

We have our hits. This can be very useful if you’re looking for maybe additional victims or more photos of your suspect, But it also works very well on real people, too. So let me go back to ‘Slideshow’, find an image of multiple people, and you see I have multiple identified persons, as well. So it’s made identifications, even when there are multiple people in here and you can right-click on any of them, create a new filter and a new tab, and it’s going to find matches for that person.

So it’s a great new feature that we’ve integrated into XAMN. Hopefully you all think that it’s as good of an addition as we do. And what’s nice is that if you have any suggestions or ideas on how we can improve on it or additional ideas of anything else you could think of that we should be putting into XRY or XAMN, our developers are very open to our customers’ ideas. You can always reach out to any of us at MSAB, and we will pass it along to our developers as a customer request. And, you know, some of our best features have come through customer suggestions and requests. So, if you have any new ideas or ways to improve on things, always get a hold of us. So that’s just a brief overview of all of our new features, does anybody have any questions?

Greg: Okay, Kev, we had a couple of questions regarding specifically a demo of the new feature for that image recognition, personal recognition. So I was glad to demo that cause that filled that request. We also had some feedback on some interface changes and I’ve noted that, which I’ll forward through to developers and send you a copy, as well. If anybody else has any other questions or something they’d like to see, feel free to throw it in the questions area.

We have another one: Where it pulls out facial recognition info from Apple, would XRY be able to produce a spotlight gallery showing a list of all the IDs identified? Great question. So maybe a unique IDs filter so that you’re only looking at the list of unique IDs. Jockworld, we’ll put that through. So thanks for that additional suggestion. Jockworld had a few suggestions today and they’re all good ideas.

Kevin: Good idea, yeah. And like, I just want to reiterate, you know, you guys are the boss, basically. You guys are using this program on a regular basis, you know what you like and what you don’t like, if you have any suggestions, please don’t hesitate to forward them on. Anything else, anyone?

Greg: They’re asking if the viewer has the ability to Slideshow? And that’s a great question and I can actually test that for right now. I haven’t heard that question before, but I could test it right now and let you know. Yeah. So Jock’s suggestion is about the unique identified filter to just show all the ones that have been identified. The question about the viewer I’m working on now, and clients will love particularly to review financial photos taken by a rogue employee in a fraud case. He’s referring back to that gallery view potentially in the viewer, which I’m testing as we speak.

Kevin: So we also have our recognized content filter, which can filter for a lot of things, as well. So these categories here, we will filter for these. For financial crime cases we have financial, maybe documents might be important to you. And what’s nice about this filter is that it errs on the side of false positives. So you’re less likely to miss anything, but you’re also going to get a lot of hits that aren’t what you’re looking for.

But then you’re also probably going to get the hits that you are looking for. Our recognized content works really well for maybe, drug cases, weapons cases. It’s probably not the best demo phone for that, but I do have another one here that I could show you.

Greg: So Kevin, just so you’re aware, I answered it in the questions tab that we are in fact including that in the viewer. Slideshow is a view in the viewer.

Kevin: Okay. Awesome.

Greg: While we’re waiting on that, Kev, there were some earlier questions about targeting specific artifacts because we’re talking about grabbing specific apps. Are you able to just grab specific app artifacts? I did answer that, and for everybody’s edification, just we can target specific apps prior to starting the extraction in XRY, and then just go over them after those to reduce the payload, the resulting file size or for privacy issues.

But targeting specific artifacts associated with an app, that’s going to require you to go through what you get through an extraction XRY within XAMN, review those artifacts. That’s not to say we don’t have other ways to reduce what you’re going to see and narrow that down both by time, category, specific apps that you can choose. In addition to that, if you’re looking for specific items we have a bunch of things now running within XRY where we are trying to attack the extraction side of the house for identifying specific artifacts or finding certain things.

One of those is the Hash Tree Builder. So if you have a hash on specific files that you’re looking for, you can load those hashes into the extraction side and be notified during your extraction that you’ve gotten hits on those hashes. That’s one way. We also use word lists and several other little techniques to backload those items. So then you’re actually getting notified during the extraction and getting those resulting hits while it’s being extracted.

Kevin: Yeah, the Hash Tree Builder’s a huge new tool for us. I recently did a demo for one of our ICAC task forces out here in California, and they were so happy that we had that tool. They do a lot of on-scene forensics, you know, right in the suspect’s driveway in a forensic van, and to be able to get hash matches, you know, within a matter of a few minutes once they plugged the device in is huge, because their intent is to try to arrest everybody on-scene. And by getting the hash matches from, you know, known CP or CP that came from a CyberTip from maybe Google or Facebook or something, it’s just huge for them. Any other questions while we’re still on?

Greg: I think, just some feedback about how clients are going to love that it’s included in the viewer to be able to do the slideshow view.

Kevin: Yeah, Slideshow View is great. You know, when you have maybe, over a 100,000 images, you know, to sift through, it’s a savior from getting some carpal tunnel from having to go through those images.

Greg: Maybe keep your lunch off your mouse and keyboard to just let the slideshow go while you eat your lunch and you don’t have to mess up your work area. So we hope it helps. All right, any other questions? Okay. That’s the end of the questions in the box. If anybody has any last minute ones, feel free to throw those in there and we’ll try and get those to you. If not, Kevin, I’m sure you’re going to put up some contact info.

Kevin: Yeah, let me put up my context slides again here. Okay. So I have my contact info up on the screen. You can contact me any time, especially for after hours. I know, you know, law enforcement is not a 9-to-5 job and many times I was stuck with a problem and couldn’t reach anybody after hours. So, if I’m available and I’m not sleeping I will be happy to help you, whatever the time may be. I’ve helped many agencies after hours on weekends, and I have no problem doing that. So my cell phone is there, my email is there, we also have a great customer support division at MSAB, and because we’re a worldwide company, we do have support people in multiple time zones. So if they’re not available or it’s after business hours, because they only work business hours, please reach out to me.

Greg: I just want to mention as well, Kevin, that our customer portal and our website contains, I think we’re up to about 40 videos. We’re calling them ‘N5 videos’: XRY N5, XAMN N5, Exec N5, Raven N5. Those are short videos under five minutes that address a specific feature, how to use a specific feature. You don’t want to have to watch an hour-long webinar to find exactly what you were looking for. They’ll be titled as such, based on the feature we’re addressing in that five minute video. We’re continuously rolling out more. We’ve got a lot of the basics covered and as these new items are coming out as well, you’ll see N5 videos on those. So, you know, if it’s three months from now, you saw this webinar and you’re three months down the road and you kind of want to just refresh your memory or confirm that you’re right that we do have that capability, feel free to jump in on the customer portal, check out the videos on there and those N5 videos. And Kev, we have a question: What’s the dog’s name? That’s the most important one.

Kevin: Oh, her name is Heidi, and thankfully she got to retire with me. So now I have two lazy dogs now with me.

Greg: Useful, but lazy.

Kevin: My best coworkers.

Greg: All right. All right. Thanks Greg and Jock for the questions and suggestions, as well.

Kevin: Everyone have a happy Friday and a great weekend.
