Work tab overview
When you choose to open a selection of artifacts for review, a new work tab opens. The work tab can be in one of two modes: Highlights or All data. In Highlights mode, the artifact categories containing system files are hidden to highlight categories that contain more user-related data, which is more likely to be of interest to the investigation. In All data mode, all categories are available.
Which mode the work tab is in depends on whether Highlights or All data was selected when you opened the work tab from the Case tab. If you have opened a Highlights tab and would like to see all categories, go back to the Case tab, select All data, and then open a new work tab.
The type of tab is indicated with an icon.
Regardless of the mode, the work tab consists of three main panes: the Filter pane, the Artifacts pane, and the Details pane. If you want to view the raw data of an artifact, you can expand a fourth pane: the Source mode pane. Read more about each of the panes below.
XAMN has many powerful, built-in filters. Some are shown in the Filter pane by default and some need to be added manually.
For more information on how to use the filters and add new filters, see Work with the filters in the Filter pane.
For more information on all the available filters, see All filters.
The Artifacts pane displays all artifacts that match the conditions defined by the Filter pane filters. When reviewing a mix of different types of artifacts, the Column view is a good option. If you are reviewing a certain type of artifact, such as messages or pictures, select a view that presents that type of artifact in the best way.
For more information on the different views available in the Artifacts pane, see Artifact views.
In the Artifacts pane, you'll also find the filter views Timeline and Maps, which can help you narrow the scope of artifacts to review to those with timestamps within a relevant time frame, or to those with location data within an area of interest. For more information, see Work with the Timeline filter view and Work with the Maps filter view.
When an artifact is selected in the Artifacts pane, its artifact properties and related data are shown in the Details pane. The contents and layout of the Details pane depend on the selected artifact type.
For more information, see View artifact details.
The raw data of any artifact property can be examined in hexadecimal format in the Source mode pane. To do so, right-click the property in the Details pane and select Examine in Source mode.
This is useful for validating the extracted data and for seeing how data in hexadecimal format relates to the memory address register.
For more information, see Source mode.