Redact sensitive data

XAMN Pro license required.

Redaction of data is useful when there's a case with sensitive data or data that for legal purposes cannot be visible, for example communication between a suspect and their lawyer. The redaction is done for individual properties of an artifact. This makes it possible to redact for example the message text from a chat message while keeping other metadata of the artifact such as To, From, and timestamps. When a property value is redacted it is masked.

Note: If you’re looking to exclude an entire artifact, use extended tags and exclusion instead. See Exclude tagged artifacts for more information.

The property-level redaction impacts the information shown in the Details pane, in the Artifacts pane, and in all reports and exports.

Redaction is possible for most types of properties, like content in generic files, picture data in pictures, video data in video files, and the binary contents of an arbitrary file.

Some properties cannot be redacted, because it would cause issues with viewing or sorting those artifacts. If redaction is not possible, the option to redact does not show up in the action menu. Redaction is not available for the following properties:

  • Properties that contain date or time
  • Properties that contain latitude, longitude, or altitude information
  • Properties that describe the direction of messages, for example Incoming or Outgoing
  • Project VIC properties
  • File name and file path

Warning: Information on redaction of data is saved in the case file. If a user is working in the original case where the redaction was made, they can undo the redaction and show the property value. Also, if the user opens an individual .xry file where redacted data is located, the data is visible.

Note: The recommended way to ensure that a user cannot see any redacted properties is to save a subset of the case. When saving a subset of a case, the redaction is moved from the case file to the individual .xry files. This means it's not possible to undo the redaction or open the .xry files to see the values. See Save subset for more information.

Procedures

Redact a property

  1. Select an artifact in the Artifacts pane to display the properties in the Details pane.
  2. Redact the property.
    • For properties shown as text, right-click the property to redact, select Redact and then select For this artifact.
    • For properties shown in a viewer, click the More options button , select Redact and then select For this artifact..
  3. The property is immediately masked.

Redact multiple properties at a time

  1. Select multiple artifacts in the Artifacts pane.
  2. Redact a property for all selected artifacts.
    • For properties shown as text, right-click the property in the Details panel, select Redact and then select For all selected artifacts.
    • For properties shown in a viewer, click the More options button in the viewer, select Redact and then select For all selected artifacts.
  3. The property is immediately masked for all selected artifacts.

Note: There is a known limitation when selecting multiple artifacts and there are several properties with the same name within an artifact. In these cases, all those properties are redacted. This happens for example if an artifact contains Skype ID properties for all participants in a chat. If you choose to redact the Skype ID for person A for multiple artifacts, the Skype IDs for all persons in the chat are redacted.

Apply a filter to find artifacts with redacted properties

  1. In the Filters pane, click Add filter.
  2. In the Add a new filter window, select Examiner mapped data and click OK. The filter is added to the Filter pane.
  3. In the Examiner mapped data filter, select Redacted. The applied filter finds artifacts for which at least one property is redacted.

Undo redaction

  1. Select one or more artifacts for which you want to unredact a property.
  2. Unredact the data for the selected artifacts.
    • For properties shown as text, right-click the property, select Unredact and then select to unredact For this artifact or For all selected artifacts.
    • For properties shown in a viewer, click the More options button , select Unredact and then select to unredact For this artifact or For all selected artifacts.

Related topics