Conversation view

The Conversation view displays all communication artifacts, such as calls, messages, and emails, as conversations. It is split into two parts: the list of conversations on the left and the messages and calls of the selected conversation on the right.

The list of conversations contains information on the persons involved and the number of calls and messages included. The number of calls and messages takes the active filters into account, so the total number of calls and messages might be higher. To the right of the participant's name in the list of conversations, the identity which was used in those interactions is shown. If multiple identities were used, the number of additional identities is shown. You can click any name to see the person's details.

When you select one of the conversations, all the included calls or messages are shown in chronological order, with the latest message at the bottom and the first message at the top. The messages with the green border, shown on the right-hand side, are from the person who is set as the owner of the device from which the conversation is extracted. If no owner is set, or if the messages originate from different devices, the messages shown on the right-hand side are from the person who, based on the conversation, is assumed to be the owner. Details about the conversation itself are shown in the Details pane. This includes information on when the conversation started and ended, and the total number of artifacts in the conversation. If you select one of the calls or messages in the conversation, details about that specific item are shown in the Details pane.

Attachments that were sent in a conversation are shown as thumbnails or icons in the conversation. To see a list of all attachments related to a conversation, click Thread at the top of the conversation and select Attachments. To see an attached picture in a larger format, you can double-click the thumbnail to open it in the Picture viewer. For more information on how to use the Picture viewer, see Picture viewer.

All messages that contain location data are marked with the location data icon.

If the conversation is a group chat, the name of the group is stated at the top of the conversation. If the group does not have a name, a generic Group label is displayed. If a participant was added to the group or left the group, this information is displayed with a different style in the message thread.

In the Conversation view, you can select between two viewing modes that define how the conversations are grouped: by threads or by participants. See more about them below.

Note: The Conversation view requires that you open your investigation as a case. When an individual .xry file is opened in XAMN Pro, the Chat view is used instead. The Chat view only shows conversations where a thread-id is identified during the extraction.

Conversations grouped by threads

In the grouped by threads mode, conversations are presented in the same way they would be presented in the app on the device they were extracted from. This means chats and calls involving the same persons, but held across different apps, are shown as separate conversations.

In this mode, you can see for each thread which app or channel the message was delivered through.

This viewing mode is used by default.

Conversations grouped by participants

In the grouped by participants mode, conversations are solely grouped based on the unique combination of participants. This means all chats and calls involving this particular constellation of persons are shown as one conversation, regardless of the app used or if they sent messages or called each other. This makes it easier to follow how persons have been in contact with each other across apps and devices.

In this mode, you can see for each message or call which app or channel the message was delivered through.

This viewing mode requires XAMN Pro.

Hover over the name of a person to see information about the identities used in this conversation.

Prerequisites

  • You must open your investigation as a case.
  • To group conversations by participants, you need XAMN Pro.
  • To perform offline translations, you need XAMN Pro and a license for XAMN Translations and Analysis.
Note:

Before viewing conversations, the following is recommended:

  • Review the list of persons and add persons manually if needed.
  • Set an owner for each data source.

Procedure

Sort the Conversation view

The listed conversations can be sorted as follows:

  • Latest first
  • Oldest first
  • Highest number of messages/calls first
  • Most participants first
  • Apps from A to Z (only available when conversations are shown grouped by threads)

Use the drop-down menu at the top to choose to display the full message thread or only the attachments. To view only the attachments, click the arrow next to Thread and select Attachments.

Add tags to artifacts

Tags are useful to highlight, organize, and find artifacts of specific interest. Any tag can be used as a filter to quickly find artifacts with that tag.

Tag one or more selected messages
  1. Select the messages you want to tag.
  2. Right-click one of the selected messages, hover over Choose tag, and select the tag to apply.
Tag all messages in a conversation
  1. Select the conversations to tag.
  2. Right-click one of the selected conversations, hover over Tag artifacts, and select the tag to apply. The tag is applied to the message artifacts in the conversation.

    Note: When filters are applied, only the messages that fulfill those filter conditions are shown. If you right-click a conversation where only some messages are shown and select to tag it, the tag is only applied to the messages that are visible.

Add Examiner notes to artifacts

Adding Examiner notes to specific artifacts gives you the possibility to add additional information. This information is available during the investigation and can be included in the final forensic report.

Examiner notes can be added at the bottom of the Details pane for a specific call or message.

Additionally, you can right-click on an artifact and select to add an Examiner note. If an artifact already has an Examiner note, the new note will be added after the previous one. Optionally, you can select to add a timestamp to the Examiner note.

Translate message artifacts

With XAMN Offline Translations, you can translate text found in any artifact properties to many languages, without the need for an internet connection. This requires an XAMN Pro license and an XAMN Translations and Analysis license.

The XAMN Text Intelligence Pack can be downloaded from the MSAB Customer Portal.

  • To translate messages, right-click the message text property in the Details pane, select Translate, and then select Only this.
  • To translate one specific property from multiple artifacts in one go, right-click the message text property, select Translate, and then select All selected.

The translated text is then shown at the bottom of the Details pane in the Examiner notes text field.

See Text translations for more information.

Create a PDF report

Generate PDF reports with the messages of interest directly from the Conversations view.

  1. Select the conversations or messages to include in the report.
  2. Click to open the export dialog.
    • To export multiple conversations, click Generate conversation report on the left side of the Artifacts pane. The report will contain all filtered conversations in this view.
    • To export one conversation, you can also click Generate chat report in PDF format above the messages in the conversation in the right side of the Artifacts pane. The report will contain all filtered messages in this conversation.
  3. The report dialog opens. The number of artifacts that will be included in the PDF report is stated in the header of the dialog.
  4. Enter a Name for the report.
  5. In the Save at location section, select where to store the report.
  6. If you selected Generate conversation report, the Split export section is available. Choose if you want to split the export by conversation.
    • Do not split - All conversations are included in one PDF.
    • Conversation - One PDF is created for each conversation.
  7. Click Export.

Copy text

Sometimes it is helpful to copy text-based content in the Conversation view and paste it into other applications such as Microsoft Word and Excel.

  1. Right-click a message artifact.
  2. Select Copy.
