Exclude artifacts
XAMN Pro license required.
To make the investigation more efficient, exclude artifacts that are irrelevant to the case or that are not generated by the user of the device. Excluded artifacts are not shown in XAMN and are left out of your search results. This reduces the number of artifacts and makes searching for relevant data faster.
When you choose to exclude data, this affects all tabs in XAMN. If the option to Remember Display settings between sessions is enabled, the setting to exclude known data, system files, and application files is kept between sessions.
Because exclusion is applied on a global level, the numbers of artifacts to be excluded that are shown in the menu are based on all data in the case. If you are currently working on a Highlights tab, the numbers might therefore not match the ones on your current tab.
There are two ways to exclude files that are not user-generated: exclusion of known data based on a hash file, and exclusion of system files and application files that were identified during the extraction of data. You can exclude them separately or select to exclude all of them. An individual file can be both identified as a system or application file and included in the hash file of known data.
Use caution before excluding system and application files if you are examining data from a jailbroken or user-rooted device and have reason to believe potential evidence has been hidden on storage areas normally reserved for static system files. Device information is available on the Case screen > Data sources > Details pane > General information.
The excluded artifacts are not deleted. You can always choose to include the excluded artifacts again, if needed.
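The difference between the two exclusion methods, and why the caution about jailbroken or user-rooted devices matters, shown as an added Python example (not MSAB code, and not a description of how XAMN or XRY work internally). The `Artifact` fields, the use of SHA-256 and all sample data are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Artifact:
    path: str
    content: bytes
    system_flag: bool  # hypothetical: classified as system/application file at extraction

    @property
    def digest(self) -> str:
        # SHA-256 is an assumption; the page does not state the hash algorithm.
        return hashlib.sha256(self.content).hexdigest()

def triage(artifacts, known_hashes):
    """Sort artifacts into three buckets of paths.

    excluded: content matches the known-data hash set.
    review:   classified as system/application file, but content is NOT in
              the known set. On a rooted device this is where data hidden
              in system storage would land; it can also be a legitimate
              file version that the hash library does not cover yet.
    shown:    everything else (candidate user data).
    """
    buckets = {"excluded": [], "review": [], "shown": []}
    for a in artifacts:
        if a.digest in known_hashes:
            buckets["excluded"].append(a.path)
        elif a.system_flag:
            buckets["review"].append(a.path)
        else:
            buckets["shown"].append(a.path)
    return buckets

def demo():
    # Constructed sample data, not taken from any real device or hash library.
    stock_lib = b"constructed stock library bytes"
    stock_icon = b"constructed stock icon bytes"
    known = {hashlib.sha256(b).hexdigest() for b in (stock_lib, stock_icon)}
    artifacts = [
        Artifact("/system/lib/libstock.so", stock_lib, True),
        Artifact("/system/lib/libcache.so", b"constructed non-stock bytes", True),
        Artifact("/data/app/example/icon.png", stock_icon, False),
        Artifact("/data/user/0/example/chat.db", b"constructed user data", False),
    ]
    return triage(artifacts, known)

if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

A file that is flagged as a system file but whose content is absent from the known-data set is the case to inspect before excluding by classification alone.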
Procedures
MSAB provides a hash file of known data. This file includes, for example, system files and icons that we know are not generated by the user and that do not contain any user data. The source of the hash file is NIST NSRL.
To exclude known data, you must first download the MSAB hash file from the MSAB Customer Portal and upload it in XAMN.
Tip: The MSAB Known Data Library file is updated periodically. For efficient exclusion using this method, make sure to download and update the Known Data Library regularly.
Select an MSAB hash file
- Go to the MSAB Customer Portal, click XAMN - Analyze in the menu, and then click to download the MSAB Known Data Library installation file.
- In the ribbon of XAMN, click Options.
- On the General tab, under Known data, click Browse.
- Browse to the downloaded MSAB hash file, and click Open.
Exclude known data
System files and application files are files that are included in the operating system of the device or added when installing and upgrading applications on the device. They are not generated by the user, nor do they contain any user data.
XRY now identifies system files and application files during the extraction of data from the device. This makes it possible to choose to exclude those files from the case in XAMN.
Exclude system files and application files
- In the ribbon's Display group, click the Exclude artifacts button.

- In the dropdown list, select the System files and Application files check boxes.
Note: The number of system files and application files is stated in the dropdown list. If the number is 0, this means that no system files or application files were identified because the data extraction was not done using a recent version of XRY.
In addition to excluding artifacts that are not generated by the user, you can also exclude artifacts based on the tags that you have applied to the artifacts. This is useful for excluding, for example, artifacts that you have found to be irrelevant to the case or artifacts that contain sensitive information.
