Open a case or an individual .xry file in XAMN.

See Open a case or a file for more information.

Import data sources to a case

Add additional data sources to your case to view data from different devices side by side and more easily find connections and correlations.

1. In the ribbon menu, click Import.
2. Select the type of data to import. See Import data for a descriptions of all import types and the selections required for each of them.

Add files to the case folder

Another way to add .xry files to a case is to first place them in the case folder and then activate them in XAMN. This might be easier when there are many files to add to the case.

Note: Adding files to the case by placing them in the folder only works for .xry files. To add data sources of other types, use the data source import.

1. Copy the files to add and paste them in the case folder.
2. In XAMN, open the case.
3. In the Data sources pane, a notification highlights that files have appeared in the case folder.
4. Activate the new data sources in one of the following ways.
   • Click Include all.
   • Click Resolve, review the new files, and click Activate on the ones to add to the case.

Verify that you have the correct data sources for the case. On the Case tab, select the Data sources page to see all details for the data source itself. Here you can find information such as manufacturer, model, serial number, and SIM status.

See Manage data sources for more information.

When you open a case file in XAMN, you start on the Case tab's Overview page.

In the Data sources pane, you can see a list of all data sources currently contained in your case. If you just added new data sources to your case, a notification might be shown at the top of the Data sources pane. The notification informs you how to activate all data in your case, to view the new content.

The Investigate pane to the right is where you start your investigation by selecting for example a Quick view or a Category. This will open a work tab for you to start reviewing artifacts. It is common to start by selecting All highlights or All artifacts, and then narrow the scope down by applying filters once you are on the work tab.

Note: The Investigate pane has two tabs; Highlights and All data. On the Highlights tab, system files are hidden to highlight data categories that contain more user-related data, which is more likely to be of interest to the investigation. To see all data, including system files, go to the All data tab. You can set which data tab to use as the default on the General tab in Options.

See Overview page for more information.

The persons feature helps you group phone numbers and user accounts that are being used by the same person, to more easily see how a person has communicated with others across different devices, apps, and types of communication.

See Persons for more information.

Project VIC is a hash data sharing initiative that permits automatic scanning and detection of CSAM image and video content, without having to expose visual content to forensic examiners. Usually, hash data comes from an official source (official type), but the Project VIC function in XAMN also supports management of local hash sets (local type).

See Project VIC for more information.

The exclude feature helps you to reduce the number of artifacts to review by hiding artifacts that are irrelevant to the case, like system or application files that do not contain user-created data, or that are tagged with a certain tag.

See Exclude artifacts for more information.

You can choose to group identical files or similar pictures, to further reduce the number of artifacts to review.

See Group identical or similar artifacts for more information.

Use the filters in XAMN to narrow down the number of artifacts to review, for example based on time periods, geographic locations, or the apps used. There are more than 30 different filters in XAMN to help you find what you are looking for. If that's not enough, you can create your own filters based on artifact property values.

Examples of some common filters to start with are:

• Time - to show artifacts with timestamps within a selected period.
• Category - to show artifacts of a certain type, such as calls or videos.
• Text - to show artifacts that contain a word, text, or character combination.

See Work with the filters in the Filter pane and All filters for more information.

Tags are useful to highlight, organize, and find artifacts of specific interest. Any tag can be used as a filter to quickly find artifacts that have a tag. You can use the preset tags or create your own tags.

See Tags for more information.

XAMN has a lot of functionality to further dig through the extracted data. Here are a few examples:

• Smart processing - Tools that scan through and analyze all data sources in the case. For example, they can identify the language in user-created text properties or make it possible to filter large amounts of data based on regular expressions. See Smart processing for more information.
• File tree view - Presents the whole file tree for each data source. This makes it possible for you to review the files and find data that has not been decoded. See File Tree view for more information.
• Hex viewer - Review raw data that has not even been decoded to file artifacts and save artifacts based on your discoveries. See About the Hex viewer for more information.

When the extracted data has been reviewed in XAMN, the next step is usually to share your findings with people within your organization, or with prosecutors or others externally.

See Share your findings for information on the different sharing options available in XAMN.