MSAB XAMN – Discover Evidence: Time, Place and Persons
Establishing the provenance of timestamped digital evidence
Timestamp usage in digital investigation is inescapable. Timestamps are increasingly used to relate to events in the digital or physical realms, helping to establish cause and effect.
In this blog series, we will dig deep into XAMN, the best digital forensic analysis solution. It combines efficiency with ease of use and powerful search capabilities making it an excellent choice for digital investigators who need to discover, analyze, package, and share digital evidence and artifacts from a crime scene quickly and securely.
Not everyone who commits a crime plans it carefully. Suspects in most crimes usually have a couple of devices, such as a mobile phone and a tablet, and communicate under an alias using common apps. This can make the task of tying a suspect to a crime scene difficult, but it becomes easier when using XAMN, which quickly filters suspects’ conversations, images, and videos. And since this type of data has a built-in timestamp, you can better understand when the crime was committed even if the data volumes are large.
Here are three vital areas for investigators to be cognizant of:
1. Timestamps must be found
Most digital artifacts extracted from a mobile device are timestamped with information indicating when the artifact was created, updated, and sometimes, deleted. This includes everything from calls, messages, pictures, and web history to generic files and when a particular app was installed.
Which timestamps are presented in XAMN for a given artifact depends on multiple factors such as what was originally recorded by the source device, what was possible to retrieve during extraction and the category of the artifact in question.
Being able to link a piece of digital evidence, also known as an artifact, to a specific point in time can be of great importance to any investigation.
Here is an example of how to effectively narrow down a search in XAMN based on Time:
Case: You’re working on a grooming case and want to narrow your search to only see messages and calls from the last year.
Solution: An easy way to do this is to use the Timeline view. Simply select the year that is of interest. The “Timeline” filter will now allow you to search the data more effectively. You can filter by year, month, day, hour, minute or even second to identify the periods of greatest activity on a device and build a picture of event sequences.
3 tips you need to know about “Time” in XAMN:
- A time-based search will match all time-related properties of artifacts in the case. This means that a single file appearing on a device can show activity in multiple places on the timeline – both when it was created and subsequently (potentially) updated and deleted.
- Time searches can be saved in Quick Views. If, for instance, your standard procedure is to limit your search to the last 24 months, you can save it into a custom Quick View called ‘Last 2 years”. This allows you to immediately start with this filter without having to do a manual selection.
- The Time filter is automatically linked to all other filters in XAMN. If you add a time filter selection, you will see how e.g., the artifact Categories section is instantly updated. If a category, say Calls, is grayed out after applying your filter, this means there are no calls from that period.
Using the Timeline can be a quick and convenient way to exclude a device from further investigation. If, for instance, multiple devices have been seized, it’s possible that some of them are old and no longer used by the suspect. If, after quickly looking at the timeline, the device shows no activity after 2016, you can likely disregard it (assuming you are investigating a recent crime).
2. Cross-referencing data to find the exact location
Determining where the crime has been committed also involves processing large amounts of data. Some digital artifacts extracted from a mobile device have associated Location information. This may include pictures or information extracted from health and fitness apps for example. Of course, being able to link an individual to a physical location based on digital trails in an extracted device can be of great interest and importance to any investigation.
Previously, you were forced to spend hours and sometimes days sorting out vital data to determine the time, place and person. With XAMN, it takes seconds. Once you master the tools, the program will quickly determine the geographic location by cross-referencing data from cell towers, web history, images and, for example, fitness apps.
This is an example of how you can effectively narrow down a search in XAMN based on Location:
Case: You are investigating an individual suspected of preparation to commit armed robbery. You are interested in the general whereabouts of the individual.
Solution: Use “Maps” view. This allows you to analyze location artifacts more easily and effectively. This view presents all artifacts with associated Location data. Artifacts are clustered as groups and break up into individual artifacts as you zoom in. This provides you with both a convenient overview and the ability to zoom in and pinpoint an individual artifact.
3 tips you need to know about “Location” in XAMN:
- You can combine the new filter views, Maps and the improved Timeline, with any view in XAMN.
- If you are using offline maps, you can also use the search box to find places by street name, city or name of an area.
- To get an even more complete view of Locations linked to a particular device and person, XAMN allows you to import call data records from mobile network operators. These often include the location of cell towers to which a device has been connected. If you have access to CDRs (Call Detailed Record) as a part of your investigation it is recommended to import these before you start digging into the data.
3. Roles of all involved specified
Depending on its scope, there may be many individuals involved in the planning and execution of a crime. Being able to determine who has been in contact with whom and the ability to link digital artifacts to an individual person is of great importance to most investigations. Given the vast amounts of information to process and the added complexity when individuals communicate using either more than one device or using multiple apps, this can be both challenging and time consuming. XAMN has a unique capability to simplify this process; we call it Persons.
XAMN not only enables you to immediately filter the relevant persons in your case and view the relationships between them, but you can also select specific identities and view their communication. This includes identifiers like names, phone numbers, messenger nicknames, and email addresses and will, for example, show a phone number identified both in a device-native phone call and a WhatsApp voice call.
You can manually join relevant identities into common Persons. However, this should only be done if you have corroborating evidence e.g. two specific email addresses belong to the same Person.
3 tips you need to know about “Persons” in XAMN:
- Persons are always created from identities identified in extracted data.
- Persons never alter the source extraction data. The Persons directory is maintained in your Case file and can be rebuilt and managed without impacting the source data.
- A picture is automatically assigned to a Person if supported in source data. You can also assign a picture manually.
More on this in the next post of our blog series, as we take a closer look at how XAMN uses AI to find crucial evidence and artifacts in images and conversations.