Conversation view

The Conversation view displays all communication artifacts, such as calls, messages, and emails, as conversations. It is split in two parts; the list of conversations to the left and the messages and calls of the selected conversation to the right.

The list of conversations contains information on the persons involved and the number of calls and messages included. The number of calls and messages takes the active filters into account, so the total number of calls and messages might be higher. To the right of the participant's name in the list of conversations, the identity which was used in those interactions is shown. If multiple identities were used, the number of additional identities is shown. You can click any name to see the person's details.

When you select one of the conversations, all the included calls or messages are shown in chronological order, with the latest message at the bottom and the first message at the top. The messages with the green border, shown on the right-hand side, are from the person who is set as the owner of the device from which the conversation is extracted. If no owner is set, or if the messages originate from different devices, the messages shown on the right-hand side are from the person who, based on the conversation, is assumed to be the owner. Details about the conversation itself is shown in the Details pane. This includes information on when the conversation started and ended, and the total number of artifacts in the conversation. If you select one of the calls or messages in the conversation, details about that specific item are shown in the Details pane.

Attachments that were sent in a conversation are shown as thumbnails or icons in the conversation. To see a list of all attachments related to a conversation, click Thread at the top of the conversation and select Attachments. To see an attached picture in a larger format, you can double-click the thumbnail to open it in the Picture viewer. For more information on how to use the Picture viewer, see Picture viewer.

Any messages that contain location data are marked with the location data icon.

If the conversation is a group chat, the name of the group is stated at the top of the conversation. If the group does not have a name, a generic Group label is displayed. If a participant was added to the group or left the group, this information is displayed with a different style in the message thread.

In the Conversation view, you can select between two viewing modes that define how the conversations are grouped; by threads or by participants. See more about them below.

Note: The Conversation view requires that you open your investigation as a case. When an individual .xry file is opened in XAMN Pro, the Chat view is used instead. The Chat view only shows conversations where a thread-id is identified during the extraction.

Conversations grouped by threads

In the grouped by threads mode, conversations are presented in the same way they would be presented in the app on the device they were extracted from. This means chats and calls involving the same persons, but held across different apps, are shown as separate conversations.

In this mode, you can see on which app or channel the message was delivered on each thread.

This viewing mode is used as the default.

Conversations grouped by participants

In the grouped by participants mode, conversations are solely grouped based on the unique combination of participants. This means all chats and calls involving this particular constellation of persons are shown as one conversation, regardless of the app used or if they sent messages or called each other. This makes it easier to follow how persons have been in contact with each other across apps and devices.

In this mode, you can see on which app or channel the message was delivered on each message or call.

This viewing mode requires XAMN Pro.

Hover the name of a person for information on the identities used in this conversation.

Prerequisites

  • You must open your investigation as a case.
  • To group conversations by participants, you must have XAMN Pro.
  • To do offline translations, you must have XAMN Pro and an XAMN Translations and Analysis license.
Note:

Before you view conversations, it is recommended that you:

  • Review the list of persons and join persons manually when needed.
  • Set an owner for each data source.

Procedures

Sort the Conversation view

The listed conversations can be sorted by

  • Newest first
  • Oldest first
  • Highest message/call count first
  • Most participants first
  • Apps A to Z — only available when viewing conversations grouped by threads

Use the drop-down menu at the top to choose to display the full message thread or only the attachments. To view only the attachments, click the arrow next to Thread and select Attachments.

Add tags to artifacts

Tags are useful to highlight, organize, and find artifacts of specific interest. Any tag can be used as a filter to quickly find artifacts with that tag.

Tag one or more selected messages
  1. Select the messages to tag.
  2. Right-click one of the selected messages, hover Choose tag, and select the tag to apply.
Tag all messages in a conversation
  1. Select the conversations to tag.
  2. Right-click one of the selected conversations, hover Tag artifacts, and select the tag to apply. The tag is applied to the message artifacts in the conversation.

    Note: When filters are applied, only the messages that fulfill those filter conditions are shown. If you right-click a conversation where only some messages are shown and select to tag it, the tag is only applied to the messages that are visible.

Add Examiner notes to artifacts

Adding Examiner notes to specific artifacts gives you the possibility to add additional information. This information is available during the investigation and can be included in the final forensic report.

The Examiner notes can be added at the bottom of the Details pane for a specific call or message.

Additionally, you can right-click on an artifact and select to add an Examiner note. If an artifact already has an Examiner note, the new note will be added after the previous one. Optionally, you can select to add a timestamp to the Examiner note.

Translate message artifacts

With XAMN Offline Translations, you can translate text found in any artifact properties to many languages, without the need of an internet connection. This requires an XAMN Pro license and an XAMN Translations and Analysis license.

The XAMN Text Intelligence Pack can be downloaded from the MSAB Customer Portal.

  • To translate messages, right-click an the message text property in the Details pane, select Translate, and then select Only this.
  • To translate several one specific property from multiple artifacts in one go, right-click the message text property, select Translate, and then select All selected.

The translated text is then shown at the bottom of the Details pane, in the Examiner notes text box.

See Text translations for more information.

Create a PDF report

Generate PDF reports with the messages of interest directly from the Conversations view.

  1. Select the conversations or messages to include in the report.
  2. Click to open the export dialog.
    • To export multiple conversations, click Generate conversation report on the left side of the Artifacts pane. The report will contain all filtered conversations in this view.
    • To export one conversation, you can also click Generate chat report in PDF format above the messages in the conversation in the right side of the Artifacts pane. The report will contain all filtered messages in this conversation.
  3. The report dialog opens. The number of artifacts that will be included in the PDF report is stated in the header of the dialog.
  4. Enter a Name for the report.
  5. In the Save at location section, select where to store the report.
  6. If you selected Generate conversation report, the Split export section is available. Choose if you want to split the export by conversation.
    • Do not split - All conversations are included in one PDF.
    • Conversation - One PDF is created for each conversation.
  7. Click Export.

Copy text

Sometimes, it's useful to copy text-based content in the Conversation view and paste it to other apps, such as Microsoft Word and Excel.

  1. Right-click a message artifact.
  2. Select Copy.

Related topics