Note: Not every setting is available for every layout template.

Metadata

• To include the data contained within the metadata (Full) property on media files in the report, select the Include metadata on media files check box.
• To add a Google Maps hyperlink for artifacts with geographic data, select the Create Geographic links check box.
• To include artifact tags as metadata, select the Include tags check box.
• To include examiner notes, select the Include examiner notes check box.

Example of a MetaData (Full) property:

Content

• To add a cover page, select the Include first page check box.
• To include the information in the Start tab shown under Case Data, select the Include Case data check box.
• To include number of artifacts per Category and per App, select the Include Summary check box.
• To include the information in the Start tab shown under Exhibit Data, select the Include Exhibit data check box.
• To include general information, select the Include General information check box.
• To include information on device OS and XRY extraction method, select the Include Device overview check box.
• To include extraction logs, select the Include extraction logs check box.
• To include associated data series, such as location properties from a car or drone track, select the Include associated data check box. When this is selected, an Excel file is created for each selected artifact with associated data series. The Excel file has one tab for each data series. The report itself indicates the number of data series entries available for the artifact and links to the corresponding Excel file.
• To include the filters in the active tab in XAMN, select the Include active filters check box.
• To include a snapshot of the current active XAMN artifact view, select the Include active view check box.
• To include a page with the screenshots that XRY Photon used as source when decoding chat conversations, select the Include Photon screenshots check box.

Organize output by

• To use the sorting you have applied in the active XAMN artifact view, select Artifact.
• To include artifacts sorted per Category as in the XRY file, select XRY file.

Embed media

• To exclude pictures from the report, use the No option.
• To include picture thumbnails in the report, use the Thumbnail option.
• To include click-able links to pictures in your report, use the Link option. The export will include a folder with all media files as linked objects.
• To include picture thumbnails and click-able links to the pictures in full format, use the Thumbnail+Link option. The export will include a folder with all media files as linked objects.

Select page size

• To set the page size, select one of the page size options.

Select page orientation

• To set page orientation, select one of the orientation options.

Thumbnail size

• To select a thumbnail size, select Small, Medium, or Large.

Convert HTML emails to

• To see HTML emails as HTML source code, select the Source option.
• To see HTML emails as plain text, select the To text option.
• To see HTML emails as formatted HTML, select the HTML option.

Customize Folder Structure

Tip: XAMN Options includes a Folder structure setting. By selecting Flat folder structure, you will get the exported files in a flat folder structure instead of in a sub-folder structure.

Use the Extended XML output format when you want to analyze extracted data in another analytics tool that takes XML as input. Also add the File output format to include the extracted files in the export.

Note: When exporting to Extended XML, the XML tags are not translated.

Note: If you want to include the extracted files in the export, and not only include the artifact metadata, you must also select the "File" export format.

Use this option to export the selected data to a Microsoft Excel file.

Layouts

• Standard: Use this layout to include all types of artifacts with a limited set of properties.
• Adaptive: Use this layout to include artifacts with all their properties. One tab will be created for each artifact type. Artifact properties are displayed as columns.
• PowerChat: Use this layout to include conversation artifacts with a limited set of properties. Note: This layout only include artifacts within the Calls and Messages categories.
• HashOnly: Use this layout to export only hash values. You will get one excel sheet per hash property (SHA-1, MD5, etc).

For artifact properties that are grouped, it is possible to decide if you want to export them all of them in one column or each of them in a separate column, using the Unroll groups check box.

Use this output format when you want to see locations in Google Earth. This output format generates a kmz file. Start Google Earth and open the kmz file.

Use this output format to export extracted files. One folder will be created for each data source.

• Create manifest: Select this option when you need a manifest file. The manifest file is an .xml file describing the files exported.
• Reflect original path: Select this option to export files with the same file paths as in the data source. Clear the check box for a more flat file structure.
• Add file extension: Select this option to add file extensions based on the actual file content.

GPX is an XML schema designed as a common GPS data format for software applications.

Use the GPX, or GPS Exchange output format when you want to import location data into other software applications. Locations are exported with way-points, tracks and routes.

Use the VICS output format when you want to export hash values and VIC properties for picture and video artifacts. The VICS export generates a .json file.

The exported .json file can be used when contributing to official Project VIC and CAID hash sets. It can also be used when contributing to a collection of hash sets used only within the local organization.

Note: If you want to include the extracted picture and video files in the export, and not only include the artifact metadata, you must select the Export files check box.

Other options

VICS export has support for

• VICS 1.2
• VICS 1.3
• VICS 2.0

Use this format to generate a report in OpenDocument Spreadsheet (ODS) format. ODS documents can be opened in Microsoft Excel. Documents in ODS format are usually created using free of charge OpenOffice or LibreOffice.

ODS Report Layouts

• Standard: Use this layout to include all types of artifacts with a limited set of properties.
• Adaptive: Use this layout to include artifacts with all their properties. One tab will be created for each artifact type. Artifact properties are displayed as columns.

Use this output format when you need a list of unique words and numbers from a data source or a set of artifacts.

The list could be used to brute force passwords on the device.

A brute force attack uses trial-and-error to guess login info, encryption keys, or to find a hidden web page.

Use the Nuix output format when you want to import the extracted data to Nuix Workstation for further investigation in Nuix Investigate. The Nuix export creates an .msabnuix file. This file includes all the extracted files and the tags that were added while investigating the data in XAMN.

Note: When generating a Nuix export, do not select any other output format in the same export procedure.

Use the Detego output format when you want to import the extracted data to Detego Analyse. The Detego export creates an .msabdetego file. This file includes all the extracted files and the tags that were added while investigating the data in XAMN.

Note: When generating a Detego export, do not select any other output format in the same export procedure.

Use the Relativity output format when you want to import the extracted data to RelativityOne. With the Relativity export, messages and conversations are exported in Relativity's Short Message format, and the output is an .rsmf file.

You can choose to split the export based on time span and on, in hierarchical order, device owner, data source, and conversation.

• Device owner - Comparable to custodian in RelativityOne.
• Data source - The device from which the data is extracted.
• Conversation - A thread of messages between a specific group of people on a specific app or platform, or in an email thread.
• Time span - 24-hour time periods corresponding to UTC calendar days.

If you choose to split the export based on device owner, the data for each device owner is exported to a separate file. If you choose to split on device owner, data source, and time span, there will be one file for each 24-hour period for each data source and each device owner. For information on what part of the exported data that ended up in which file, see the export log. The log is available in the same folder as the exported files.

Example: You have selected to export messages for a period of four days. The data is from three data sources and all data sources have data for all four days. Two of the devices belong to one person and the third device belongs to another person. This will result in 12 files, one per day and data source.

Tip: Exports in Relativity format use Persons in XAMN. For the best results, join possible duplicate persons in XAMN before exporting and assign the relevant person as an owner of the device you're exporting data from. If a message does not contain a From Person or if no owner has been assigned to the data source, an "Unknown" participant is created in the .rsmf file.

If a person does not have an assigned email address, support@msab.com is used in the export.

The Relativity export requires that you are working in a case. Only the artifacts that are considered part of conversations are exported; that is SMS, MMS, Email, Chat, and Calls.

The calls which are included in the export, both audio and video calls, are shown as messages with the text Call. The metadata for the call artifact can provide information such as the call type, the country, and the duration of the call.

Note: When generating a Relativity export, do not select any other output format in the same export procedure.

To export a binary file of a physical extraction, do the following:

1. On the XAMN Data sources page, right-click a data source of a physical extraction.

2. Select Export to .bin and browse to the location to save the binary data.

   Note: Export data is only visible when the the .xry file is a physical extraction and not a subset. If there is more than one image it will be an export for every image in the file.

   Encrypted data will still be encrypted in the exported file.