Five ways to gather evidence faster

In the latest version of XAMN we have made it a lot easier to find similar pictures with just a press of a button in the details pane. The new XAMN shortcut button — with added dHash filter — will help you quickly find both similar and additional copies of an image even if the images have been slightly altered or compressed by an app.

Device identification 

Wouldn’t it be great if you had an application that with 100% certainty could identify the pictures taken by the device you are investigating?

This is a tricky one, but there are a few shortcuts to use in order to quickly find most of these files. Photos taken with a camera typically end up in the Digital Camera Images “DCIM” folder.

In order to identify the device which, the pictures were taken with, type “DCIM” in the text filter search bar to see all matches. You can then continue to filter on metadata such as equipment manufacturer and equipment model – either in the same tab to further filter among your search results, or in a new tab to scan within the whole case.

Known data

Do you find yourself scrolling through a sea of file icons and system files?

XAMN provides a way to quickly hide pre-installed file icons and system files that are not normally useful to investigators.

We call this the “Known data” function.  This enables you to exclude or include known data, such as system files. The known data sets are based on the NIST standard reference library and MSAB’s own unique reference data set, which is downloadable from the customer portal.

Image recognition

Even when the system files are taken care of, there might still be many images to investigate. A good starting point is to use the “Recognized Content filter.” In order to use this filter, you would need to adjust your XRY extraction to include image recognition decoding.

This filter will give you the ability to directly see pictures containing weapons, drugs, vehicles, financial, people, and electronics.

Remember that there might be false positives and some hits might be missing since this data is categorized using machine learning techniques.

See the full conversation

A short message is more interesting when you can see it in its full context, right?

A really useful feature in XAMN is that it will keep the message you are looking at highlighted even when you switch between views. This means that if you have found an interesting chat message, you can move to the “Chat view” and directly see the message in the context of the full conversation thread. In a similar way, you can switch to the file tree view (or create a folder filter on the path) to see all files stored in the same folder.

The different view options make it easy for the user to visualize the data and make informed decisions during analysis.