The Apps filter finds artifacts related to specified apps. The Apps filter is a default filter.

Some apps store data in the common operating system databases, for example Apple's Biome. In these cases, the artifacts are shown as connected to two apps: the app where the data is used and the app where the data is stored.

Find artifacts related to specific apps

• To find artifacts related to a specified app included in the extraction, in the Filters pane, click an app.
• To find artifacts related to more than one app, click the multiple selection button , and then click more than one app.
• To quickly see which apps that return hits for filtering and which do not, select to only show matched apps, at the bottom of the Apps filter. The unmatched apps appear dimmed and show no artifact count.

Select what apps to show in the Apps filter

1. In the Filter pane, click the Edit filter button .
2. Select Edit.
3. In the dialog box, select the check boxes for the apps to show.
   • To select from a list of apps that are included in the case, select the Show applications included in the case check box.
   • To select from a list of all supported apps, clear the Show applications included in the case check box.
   • To select all apps in the list, select the Select all check box.
   • To find a specified app in the list, enter the name of the app you want to find in the Search field.
     Note: If the Search field is not showing, clear the Show applications included in the case check box.
4. Click OK.

Include data from Telegram and Telegram clone apps

To include data from Telegram or Telegram clone apps, you must select the specific chat app and the Telegram & clone apps check boxes in the Apps dialog.

1. In the Filter pane, click the Edit filter button .
2. Clear the Show applications included in the case check box.
3. In the Search field, type Telegram and select Telegram & clone apps. Additionally, select the Telegram or Telegram clone app.
4. Click OK.

The Camera filter finds pictures based on the manufacturer and model of the camera that was used to take the pictures. The camera manufacturers and models that are listed in the filter are the ones that are included in the metadata of the pictures in the currently open case or data source.

The Camera filter is useful to help find photographs from a specific device and to separate photographs from other pictures, like emojis and graphics.

Note: If a picture does not have any information on the camera manufacturer and model in its metadata, it cannot be found using the Camera filter.

The Category filter finds artifacts of a specified type. It is automatically added to the Filter pane when a new workspace tab is opened.

Note: The Categories filter is one of the filters that cannot be removed from the Filters pane.

Find artifacts of one category and its subcategories

• Click a category.

Find artifacts of more than one category or subcategory

• Click the multiple selection button , and then click more than one category or subcategory.

Open a new tab from the Categories filter

1. In the Filters pane, right-click on the selected category.
2. Select Show in a new tab.

   A new tab is opened where this category filter is automatically selected.

Select what categories to show in the Categories filter

1. In the Filter pane, click the Edit filter button .
2. Select Edit.
3. In the dialog box, select the check boxes for the categories to include in the filter.

4. Click to clear the check box for the categories you do not want to include in the filter, and then click OK.

   • To select from a list of the categories that are included in the case, select the Show only categories included in the case check box.
   • To select from a list of all categories, clear the Show only categories included in the case check box.
   • To select all categories in the list, select the Select All check box.

View iOS user activity data

For iOS device extractions, you can view user activities like time stamps on specific app activities, which app the artifact relates to, install and uninstall processes, web browser history, and at what time the device was locked or unlocked.

Note: This is only applicable for jailbroken iOS devices.

The Data sources filter finds artifacts from a specific data source. It is one of the filters that is available in the Filters pane by default.

When you add this filter, all data sources are displayed by default. You can select to view one or more data sources at a time.

The Deleted artifacts filter find artifacts that are deleted or recently deleted from the extracted devices. These artifacts are reconstructed from deleted data.

• Deleted - Artifacts that have been marked as deleted on the extracted device.
• Recently deleted - Artifacts that have been marked as deleted on the extracted device but not yet removed from the device.

XAMN Pro license required.

Add a dHash filter to find pictures in the case that are similar to pictures stored on your computer. This filter is applicable on .jpg and .png files. You can also find similar pictures based on dHash via the dHash property shown in the Details pane.

Add a dHash filter

1. Click Add filter.
2. Select dHash. A dialog box appears.
3. Click Add....
4. Browse to the folder and pictures you want to add and click Open.

Find similar pictures by dHash value

1. Select a picture artifact.
2. In the Details pane, right-click the dHash value property.
3. Select Create filter and then select In this tab or In a new tab.

XAMN Pro license required.

The Examiner mapped data filter finds data that was added either manually or by running a script.

XAMN Pro license required.

XRY includes a file anomaly detection function, which is used to find files that might contain hidden data. The File anomalies filter finds files that might have been manually altered.

Find files with a different extension category

Find files where the extracted file extension does not match the file type determined by XRY. This might indicate that the owner of the device has changed the file extension in order to hide information.

1. Add the File anomalies filter.
2. Click Different extension category to see artifacts where the file extension does not match the file type determined by XRY and the new file type is in a different category than the original file type. For example, a picture file with the file extension .txt.

The File extension mismatched property can also have the following values:

• Different extension - the extracted file extension does not match the file type determined by XRY, and the file types are within the same category. For example, a jpg file with the file extension png.
• No extension - the extracted file has no file extension.

Note: The Different extension category filter condition does not find files where the file extension and the detected file type are in the same category or files with no file extension.

To find all files with the property value Different extension, find one artifact with this property value and create an artifact property filter based on the property. See Create a filter based on an artifact property for more information.

Find files that contain extra data

File Vault apps can be used to add hidden data to files, to transfer secret messages from one person to another. These apps usually place a secret message after the end of file, and the recipient of the message uses the same app to read the secret message.

The file anomaly detection feature in XRY adds the File anomalies property to the artifacts to indicate that the files might contain additional data after the end of the actual file content.

1. Add the File anomalies filter.
2. Select Extra data to see the artifacts with Extra data as the value on the File anomalies property.
3. Select an artifact and open it in source mode to investigate the extra data.

Find photos with a modified location

Starting from iOS 15, users can edit or delete a photo's location data on an iOS device.

1. Add the File anomalies filter.
2. Select Modified location to find artifacts where the extracted file's location has been changed on the device.

Note: Only applicable on iOS devices.

XAMN Pro license required.

The File name filter is useful to find artifacts that have a specified file name or file extension.

Add File name filter settings

1. In the Filter pane, click the Edit filter button .
2. In the dialog box, type the part of the file name to filter on.
   • To search for a specific file, enter the full name including the file extension.
   • To search for files that have a certain word in the file name, enter that word followed by an asterisk (*).
   • To search for files with a certain file extension, enter an asterisk (*) followed by the file extension. For example, *.txt
3. Click OK.

You can enter an unlimited number of file name filter conditions to one File name filter. When you enter a file name in the dialog box, a new empty field is automatically added.

XAMN Pro license required.

The File size filter finds artifacts that are larger or smaller than a specified size. Multiple file sizes can be provided. Each provided size appears as an option in the filter.

Edit the File size filter

1. In the Filter pane, click the Edit filter button .
2. Enter your file size filter conditions.
   • To find files that are larger than a specified size, enter a value in the Larger than field.
   • To find files that are smaller than a specified size, enter a value in the Smaller than field.
   • To find files that are within a certain size range, enter a value in both the Larger than and Smaller than fields.
   • Select a unit for the specified values.
3. To add additional size filter conditions, click the + File size button.
4. Click OK.

XAMN Pro license required.

The Folder filter finds artifacts in a specified location in the file system.

Note: The Folder filter can only find artifacts that have local path on the extracted device. Extracted files from cloud services normally do not have a path on the logical volume, and are not found with the Folder filter. For example, images in a folder named "iCloud Photos" might not be found with the Folder filter, but can be found with another filter such as the Category filter.

Edit the Folder filter

1. In the Filter pane, click the Edit filter button .
2. In the Edit dialog box, type the folder name you want to find. You can also type the first letters followed by an asterisk (*).
3. Click OK.

You can enter an unlimited number of folder names to one Folder filter. When you enter a file name in the filter edit dialog box, a new empty field is automatically added.

The Hash filter can import files that contain hash values of special interest.

Separate the hash values in text files via a new row, tab, comma, or semicolon.

Supported file formats include:

• Text files (.txt)
• Comma Separated Values files (.csv)
• Hash watchlist match files generated from the Hash Tree Builder tool

Note: Unicode format is not supported.

Import a list of hash values

1. In the Filters pane, click Add filter.
2. Select Hash and click OK.
3. Click the Add file button.
4. Browse to the file to import and click Open.
5. Click OK.

XAMN Pro license required.

Create a Hash watchlist match filter to find artifacts that have been matched with a hash tree file in XRY. The early hash notification in XRY enables you to acquire information about the extracted data before analyzing the finished extraction. Use XAMN to analyze the matched artifacts.

For further information, see the XRY User Guide and Hash list matching.

XAMN Pro license required.

The Hidden artifacts filter finds any artifacts that have been marked as hidden on the extracted device.

The Identified languages filter helps you find artifacts with text or speech in a selected language, and it can give you an idea of what the most used languages are within your data sources.

It contains results from two sources: the Language detection tool in XAMN and the Speech-to-Text decoding in XRY.

See Language detection for more information about the Language detection tool.

The Locations filter finds artifacts that are located in specified geographic areas.

To see all artifacts that contain location metadata, select the Has location filter condition.

Note: The Locations filter is one of the filters that cannot be removed from the Filters pane.

The Locations filter works with both online and offline maps. For information on how to install offline maps, see Offline maps.

XAMN Pro license required.

Use the Participants filter to investigate artifacts where one or more persons have been involved or to view communication between persons. It lists all persons that are marked as a Person of interest in the Person viewer or on the Person page.

Tip: To get the best filter results, make sure that you have joined other persons that might be the same as the one you are creating the filter on. See Persons for more information.

Note: The Persons functionality is available when you work in a case file, with one or more data sources.

Create a Participants filter from a person in the Details pane

1. In the Artifacts pane, select an artifact.
2. In the Details pane, right-click the person to create a filter for.
3. In the right-click menu, click Create filter.
   Choose to add the filter in a new tab or in your current tab.
4. To view the communication between two persons, create a second Participants filter In this tab.

Create a Participant filter from the Persons viewer

1. In the Details pane, click on a person to open a Person viewer.
2. In the Person viewer, click the Show artifacts where the identities for ... appear link. A new tab opens with the Participants filter.
3. To view the communication between two persons, create a second participant filter In this tab.

Create a Participant filter from the Add filter menu

1. In the Filters pane, click Add filter.
2. Select Participants and click OK.

Finds artifacts containing passwords.

The Phone number filter finds artifacts that contain a specified phone number.

The filter matches the sequence of numbers from right to left. This means that searching for 1234 will find both +46 8 561 234 and 08 561 234.

Note: Sometimes the phone number of a sent SMS message can be a word instead of a number, for example a company name. The Phone number filter can only find numbers.

Edit a Phone number filter

1. In the Filter pane, click the Edit filter button .
2. In the Edit dialog box, type the phone number you want to find. You can also type the last part of a phone number you want to find.

Use the Phone number list filter to import multiple phone numbers and make them searchable in your case.

Note: Do not exceed the recommended limit of 20 000 items, as it might slow down the filtering performance.

Supported file formats

• Text files (.txt)
• Comma Separated Values files (.csv)

Import a phone number list

1. In the Filters pane, click Add filter.
2. Select Phone number list and click OK.
3. Click Import file....
4. In the Import dialog, click Browse, select the file that contains the phone numbers, and click Open.

5. Optional: select the number of digits to include in your search. The default value is four digits.

   The filter matches the sequence of numbers from right to left. This means that searching for 1234 will find both +46 8 561 234 and 08 561 234.

6. Click OK.

Use the phone number list filter

• Click to expand the imported phone number list to see the hits.
• To see additional hits, click Show 10 more... or Show all.
• To change the sorting of the hits, click Edit filter and select Sort by number of hits or Sort alphabetically.
• With the search function, you can easily find the phone number you are looking for. The search function will show all hits for the numbers in the phone number list, not just hits for the last digits.

Add phone numbers to the list

1. In the Filter pane, click the Edit filter button .
2. Select the list to add the phone number to.
3. Enter the phone number and click Add.
4. Click OK.

Delete phone numbers and phone number lists

1. In the Filter pane, click the Edit filter button .
2. Click the delete button next to the phone number list or the phone number to remove the item.
3. Click OK.

XAMN Pro license required.

The Project VIC filter finds artifacts with Project VIC information properties.

• To find artifacts that belong to a specified Project VIC category, click a category.
• To find artifacts that belong to one or more Project VIC categories, click the multiple selection button and then click the relevant categories.

Note: To use the Recognized content filter, the Content recognition must be performed in XRY first. For more information, see XRY User Guide

The Recognized content filter finds artifacts that include specified picture contents. If there is a picture where none of the specified picture contents have been found by the Content recognition, that picture is not included in any of the Recognized content filter subcategories.

You can also click on artifacts with recognized content properties displayed on the Overview page. The matching picture content displayed on the Overview page is from the data sources where Content recognition was performed during the extraction process.

Select the picture content of interest from the displayed list:

• Weapons
• Drugs
• Vehicles
• Financial
• People
• Electronics
• Faces
• Documents/notes
• Flags
• Tattoos
• Screenshots
• Nudity
• Animals

The dynamic artifact count updates when you move the threshold slider.

XAMN Pro license required.

A regular expression is a sequence of characters that specifies a search pattern in text. Use the Recognized patterns filter to view the result of the regular expression processing.

Open Smart processing and select Pattern analysis to run the integrated tool.

Note: The number of matched regular expressions is presented once the smart processing is complete. One single artifact can contain one or more matches.

See Pattern analysis (Regular expressions) for more information.

XAMN Pro license required.

The Recognized text filter finds artifacts with text content containing criminal activity and other types of abuse.

Note: Only applicable in English. No other languages are supported.

To use the Recognized text filter, the Text analysis tool needs to be run first to process the data sources in your case. This requires the XAMN Text Translation/Analysis license.

Open Smart processing and select Text analysis to run the tool. The case will be closed in order to run the Text analysis tool.

See Text analysis for more information.

XAMN Pro license required.

The Soundex filter finds artifacts that contain words that sound almost the same as a specified word.

Soundex is a standard phonetic algorithm supported by many popular database libraries. In short, alphanumeric strings are coded to a four-character code, based on how the string sounds when it is spoken in English.

Edit a Soundex filter

1. In the Filter pane, click the Edit filter button .
2. In the Edit dialog box, type a word that sound almost the same as the word you want to find.

   Note: Make sure the first letter is correct. Phonetically similar segments are not considered similar if the first letters are not the same.
   

3. Click OK.

You can type an unlimited number of words to one Soundex filter. When you enter a word in the Edit dialog box, a new empty text box is automatically added.

Note: The Soundex filter gives more accurate results when it is used to find short words compared to long words.

The Tags filter finds artifacts that have a tag applied to them. Preset, favorite, and user-made tags all automatically appear in the Tags filter.

• To find artifacts that have a specified tag applied, click a tag name.
• To find artifacts that have one or more tags applied, click the multiple selection button , and then click more than one tag name.

The Text filter finds artifacts that contain a specified word, text, or character combination. This filter is automatically added to the filter pane when a new workspace tab is opened.

• Adapt the word suggestions by applying other filters before you use the Text filter.
• To find artifacts that contain a specified word, in the text box, type the word you want to find.
  You can also type the first letters of a word to instantly get word suggestions from the actual case data. If you write two words you get further suggestions for the second word.
• Enter several text or character combinations into the text box to include all artifacts where all combinations appear.
  Example: Type id com in the text box and press Enter. The artifacts pane displays all artifacts where id and com appear.
• Enter OR between text or characters to include all artifacts for either value.
  Example: Type id OR lock and press Enter. The artifacts pane displays all artifacts where either id or lock appear.
• Use quotation marks to specify the search.
  Example: Type "Android system" to only include artifacts with the specific text Android system.
• In the beginning or end of a phrase, use an asterisk (*) as a substitute for any combination of letters. The asterisk indicates that any number of text or characters can be substituted in place of the asterisk.
• To view your five recent searches, single-click inside the text search box.

The Text filter can find specified words in PDF documents, txt files, SQLite databases, xml files and html, provided that XRY at the time of the extraction was configured to make content in these file types searchable. If the filter finds the specified word inside a PDF document, open the document in a PDF reader and use the Find function to show it.

Tip: Select Ctrl+F to quickly access the Text filter.

The Time filter finds and displays artifacts with timestamps within specified time periods and artifacts without any timestamps. It is automatically added to the Filters pane when a new Investigate tab is opened.

Note: The Time filter is one of the filters that cannot be removed from the Filters pane.

View artifacts in Time filter

• In the Filters pane, select the time period to view. The artifacts are displayed in the Artifacts pane.
  • Last 24 hours
  • Last week
  • Last month
  • Last year
  • Without timestamps - this option includes artifacts that has no timestamp, as not all data has a time associated with it.

Add a custom date and time filter

1. In the Filters pane, go to the Time filter.
2. Click Add custom time.
3. In the dialog Time and Set custom time, select both From and To, to set the time range. If you want to select only a starting point, select From and if you want to select only an endpoint, select To.
4. Select a date in the calendar. Click the arrows to change the month, or year.
   
5. OPTIONAL: Enter the time in hh:mm time format, or click on the arrow buttons to set the time.
6. To add additional time or date filters, click +Custom time.
   
7. Click OK. The new custom time will be added to the Time filter pane.

Note: The time format might differ depending on your regional time format settings. The filter finds artifacts by the adjusted time zone even when timestamp adjustment is disabled.

Edit the Time filter

1. In the Filters pane, go to the Time filter.
2. Click the Filter edit icon and select Edit.
3. In the Time dialog, edit the time period.
   • Clear the selection for From: , to find artifact with timestamp before a specified time.
   • Clear the selection for To: to find artifact with timestamp after a specified time.
   • Select the From: check box, and select the To:, to find artifact with timestamp between two specified times.
4. Click OK. The new custom time will be added to the Time filter pane.

The Word list filter can import files that contain words of special interest.

Supported file formats

• Text files (.txt)
• Extensible Markup Language files (.xml)
• Comma Separated Values files (.csv)

Note: Do not exceed the recommended limit of 20 000 items, as it might slow down the filtering performance.

Import a word list

1. In the Filters pane, click Add filter.
2. Select Word list and click OK.
3. Click Add file.
4. Browse to the file you want to import, select it and click Open.
5. Click OK to add the filter.

Create a new word list

1. In the Word list dialog, select Create new.
2. Choose file name and file location, and click Save.
3. Under Edit words, add new words to the created Word list. Remove words by clicking the remove button .
4. Click OK.

Use the word list filter

• Click to expand the imported word list to see the hits.
• To see additional hits, click Show 10 more... or Show all.
• To change the sorting of the hits, click Edit filter and select Sort by number of hits or Sort alphabetically.
• With the search function, you can easily find any word you are looking for.

Edit words in a word list

1. On the right of the Word list dialog, select the word list to edit.
2. On the left, remove words by clicking the remove button , or click inside the text box to edit the word. You can also add words in the lower text box.
3. Click OK.

In addition to all the built-in filters, you can create a filter based on any artifact property.

Tip: Creating filters based on artifact properties is a powerful way for a user to filter based on arbitrary values discovered in artifacts, for which there are no ready-made filters.

1. In the Details pane, right-click a property and select Create filter.
2. Select to open the filter In this tab or In a new tab. The filter is added to the Filters pane and is automatically applied.

   The created filter contains all values available in the case for that property.