In situations where you may be performing an extraction on a device that contains an application that for practical or legal reasons you must avoid extracting, there are steps you can take to prevent XRY from decoding unsupported applications. These steps will prevent having that application data appear in your extraction file.
Unsupported applications are applications that are not automatically decoded by XRY. The data from these unsupported applications is usually placed in the Files and Media section in XAMN during your analysis. Although the data is not decoded, the database files are saved. However, XRY can exclude these database files from the extraction. If you think you may need these database files for any reason in the future, keep a copy of the original extraction somewhere safe.
1. To save the extracted data without the databases open the extraction in XAMN Viewer and select all artifacts
4. Ensure that the “filtered” radio button is selected under the Artifacts section. It is also a good idea to append to the end of your subset name “No Databases.” Once complete, click Save. You can then open your “No Databases” subset and work on it without the risk of coming across any of the data from the unsupported app.
When you reach the extraction wizard in the workflow you see the “Connected Devices” screen, then connect the device.
If you see that the device shows as Android Generic (with the green Android logo) or a set profile (with device picture) it is ready to go, if seen as a “?” or a “magnifying glass” proceed to step two.
Turn USB debugging off and on again as certain devices turn off USB debugging when the device is connected or disconnected, so make sure it is still turned on.
OPPO AND OTHER ANDROID DEVICES
Look in the Additional Settings Menu. Under the Safety/Security/Privacy menu under the heading of Device Administration, check to allow unknown or similar sources.
Change the USB mode on the device by pulling down the top notification bar of the device and see if you see MTP/PTP listed. If so, press this and switch between the different modes. On certain devices some modes work better than others. Some devices do not have MTP/PTP mode and may have transfer files or similar.
Note: USB Mode could be in the Developer Options Menu under networking USB Configurations.
Lastly, go into Developer Options and see if you have an option to Revoke USB Authorizations. This usually acts like a trust protocol to the computer and can act up from time to time. Press this and see if you get a prompt on the device to trust the computer.
Format of USB drives
Ensure that you tell the clients that you are forwarding the .xry files and XAMN Viewer and if they need to export to a USB drive that the drive needs to be formatted to NTFS. The FAT system has a maximum file size of 4 GB which is often insufficient to store your extraction data. The recipient needs to format the drive through a VicPol computer or other Windows-based machine and use the file explorer. You can’t format the drives on the MSAB Kiosk.
Ensure that you regularly delete the extractions from the MSAB Kiosk machines. With smartphones having up to 1TB, you may quickly run out of space on the MSAB Kiosk if an extraction is required of a device with a large amount of stored data.
We have several instructional webinars and quick start videos that may assist you in using both the MSAB Kiosk and XAMN. These are on the MSAB Customer Portal or YouTube.
Please don’t hesitate to contact MSAB ANZ support if you have any questions or issues by contacting via email at firstname.lastname@example.org.