Another very useful default is the Time Filter, which lets you restrict the artifacts shown to the last 24 hours, week, month or year, or to a custom time frame. This is useful when you suspect that a conversation has taken place but are not sure which app was used to send and receive the messages: set the time filter to cover the relevant period and every communication within that range is shown, regardless of the app that produced it.
The Recognized Content filter uses predefined classifications of pictures and videos. To use it, the XRY extraction must be configured to include image recognition decoding. The current classifications are weapons, drugs, vehicles, financial, people and electronics; more are to be added in the future.
Once the items have been filtered, switch to the ‘Gallery’ view to review them more easily. Videos can be previewed by hovering the cursor over the thumbnail or by clicking on the clip. Bear in mind that the classification of pictures and videos is done by artificial intelligence, which can produce false positives (and can also miss relevant items), so the filter narrows the review; it does not replace it.
The Word List filter allows you to load a previously created word list file into XAMN, or to create a custom word list within the tool itself: type in the words you want to include and click ‘Add’ in the prompt box. Extensive sample word lists are available on the MSAB forum, but you need a Customer Portal account to download them.
XAMN has a feature comparable to PhotoDNA: if the extraction was made with the most current version of XRY, it can compute a difference hash (dhash) for each image. A dhash is a perceptual hash derived from how the image looks rather than from its bytes, so it lets you find visually similar images and build a filter that displays all matches in one view. This is useful when an image of interest has had a filter applied, or has been altered in some other way (resized, re-saved, recompressed) so that its cryptographic hash value is completely different from the original’s, while the perceptual hash of the altered copy stays close to that of the original. As with any similarity match, expect some false positives and review the matches before relying on them.
When using XAMN you can exclude known data, such as operating system files, from the view; you can also include it, or show only known data. The known data sets are based on the NIST National Software Reference Library (NSRL) and on MSAB’s own reference data set, which is downloadable from the Customer Portal.
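The following is an added example, not XAMN’s or MSAB’s own code, showing why a perceptual difference hash finds images that a cryptographic hash cannot. It implements the standard dhash construction (shrink to 9x8 grey pixels, emit one bit per horizontally adjacent pair) on a constructed 16x16 grayscale “photo” so that it runs without any imaging library; the box-filter downscale and the match threshold of 10 bits are assumptions, and XAMN’s exact resize and threshold are not documented on this page.

```python
import hashlib


def make_sample_image(width=16, height=16):
    """Constructed grayscale sample: a left-to-right gradient with a bright square."""
    img = [[(x * 255) // (width - 1) for x in range(width)] for _ in range(height)]
    for y in range(4, 10):
        for x in range(3, 9):
            img[y][x] = 240
    return img


def resize_box(img, new_w, new_h):
    """Downscale by averaging blocks of source pixels (plain box filter).
    Real tools use an antialiased resize; this keeps the example dependency-free."""
    h, w = len(img), len(img[0])
    out = []
    for ty in range(new_h):
        y0 = ty * h // new_h
        y1 = max(y0 + 1, (ty + 1) * h // new_h)
        row = []
        for tx in range(new_w):
            x0 = tx * w // new_w
            x1 = max(x0 + 1, (tx + 1) * w // new_w)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img, hash_size=8):
    """Difference hash: shrink to (hash_size+1) x hash_size, then one bit per
    horizontally adjacent pair, 1 if the left pixel is brighter than the right.
    Returns the 64-bit hash as an int."""
    small = resize_box(img, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_of_pixels(img):
    """Cryptographic hash of the raw pixel bytes: any change flips it completely."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def brighten(img, delta):
    """A mild 'filter': shift every pixel, clamped to 255."""
    return [[min(255, p + delta) for p in row] for row in img]


def flip_horizontal(img):
    """A genuinely different picture for comparison."""
    return [list(reversed(row)) for row in img]


def visually_similar(img_a, img_b, threshold=10):
    """Match when the dhash values differ in at most `threshold` bits (threshold assumed)."""
    return hamming(dhash(img_a), dhash(img_b)) <= threshold


if __name__ == "__main__":
    original = make_sample_image()
    edited = brighten(original, 10)      # filtered copy
    flipped = flip_horizontal(original)  # different image
    print("sha256 equal:", sha256_of_pixels(original) == sha256_of_pixels(edited))
    print("dhash distance, original vs edited:", hamming(dhash(original), dhash(edited)))
    print("dhash distance, original vs flipped:", hamming(dhash(original), dhash(flipped)))
    print("edited is a match:", visually_similar(original, edited))
```

Adding a constant to every pixel changes the SHA-256 of the file but leaves the relative brightness of neighbouring pixels, and so the dhash, untouched; the flipped image, which looks different, lands far away in Hamming distance. The threshold decides the false-positive rate, which is why matches still need a human look.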
Within XAMN you have the ability to tag files of interest and assign different colours to distinguish between them. It is also possible to add multiple tags to one file. These tags can then be used as filters in the Filter view.
The default tags are ‘important’ and ‘unimportant’, but you can define your own as well. When filtering by tag you can also exclude the files carrying a certain tag: click the three dots next to the Tags header in the left-hand panel and choose to exclude them (an advanced feature).
Any filter with the three dots next to it lets you exclude data from the data set in the same way: another means of reducing the number of files you have to process, which is very beneficial. Excluding data does not permanently remove it from the case; it is only hidden, and it can easily be brought back into view.
Note from MSAB: Another powerful way to find crucial evidence is to work from the inside out. XAMN enables the user to build their investigation from one specific artifact and pivot their search around it. For example, the user can select a single text message, and then create a time filter based on the time stamp of the message to immediately investigate other messages and artifacts from the hours before and after the original text message was generated on the device.
If you need to verify the origin of the data you have analysed, you can examine it in ‘Source mode’ or ‘XAMN Elements’. Source mode shows the local data and the physical layers, i.e. exactly where the data is stored within a particular database. The Translation table also shows the offset of the data, and the property details show its size, format and encoding. Source mode also includes a basic hex viewer.
XAMN Elements is an expert tool for mobile phone data analysis and reconstruction. It is more comprehensive than Source mode and can be used to decode data manually if you know how to do so. In addition to the information displayed in Source mode, it shows the logical folder structure, and its hex viewer adds an address column and an ASCII column. When decoding data manually, you can add bookmarks within the hex itself.
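As an added example (not XAMN’s code, and not the layout of any real app database), the block below builds a small constructed record, renders it the way an address-plus-ASCII hex viewer would, and then decodes it manually from offset, size and encoding: a little-endian length, a little-endian Unix timestamp and a UTF-16LE string. The record format is invented for the illustration; the point is the decoding steps, which are the same ones you carry out by hand in a hex viewer.

```python
import datetime
import struct

# Constructed record layout (an assumption for this example, not a real app's format):
#   offset 0, 4 bytes: u32 little-endian total record length
#   offset 4, 4 bytes: u32 little-endian Unix timestamp (seconds)
#   offset 8, 2 bytes: u16 little-endian byte length of the text
#   offset 10, n bytes: text, UTF-16LE
TEXT_OFFSET = 10


def build_sample_record():
    """Constructed sample record; the values are made up for the illustration."""
    text = "Meet at 9?".encode("utf-16-le")
    body = struct.pack("<IH", 1700000000, len(text)) + text
    return struct.pack("<I", 4 + len(body)) + body


def hexdump(data, base=0, width=16):
    """Render bytes as 'address  hex bytes  |ASCII|' lines, like an expert hex viewer.
    Non-printable bytes show as '.' in the ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart}  |{asc}|")
    return lines


def decode_record(data):
    """Manually decode the record using offset, size and encoding of each field."""
    total_len, ts, text_len = struct.unpack_from("<IIH", data, 0)
    if total_len != len(data):
        raise ValueError(f"length field {total_len} does not match {len(data)} bytes")
    raw_text = data[TEXT_OFFSET:TEXT_OFFSET + text_len]
    if len(raw_text) != text_len:
        raise ValueError("text field runs past the end of the record")
    return {
        "length": total_len,
        "timestamp": datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat(),
        "text_offset": TEXT_OFFSET,
        "text_size": text_len,
        "text_encoding": "utf-16-le",
        "text": raw_text.decode("utf-16-le"),
    }


if __name__ == "__main__":
    record = build_sample_record()
    for line in hexdump(record):
        print(line)
    print(decode_record(record))
```

Two things the dump makes visible: UTF-16LE text appears in the ASCII column as letters interleaved with dots (`M.e.e.t.`), and the timestamp bytes happen to contain printable characters (`Se`) that mean nothing, which is why the offset and declared encoding, not the ASCII column, drive the decoding.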