What's new?

XAMN 8.5

Improved phone number list and word list filters

The usability of the phone number list and word list filters has been improved. For both filters, you can now expand the lists to see all hits. By default, the lists are sorted by number of hits for you to easily find any frequently occurring items. If preferred, you can choose to sort the list alphabetically instead.

A search box has been added at the top of the filter, enabling you to quickly find the phone number or word you want to review.

See Phone number list and Word list for more information.

Built-in DOCX and XLSX viewers

XAMN Pro 8.5 comes with built-in viewers for DOCX files, created in Microsoft Word, and XLSX files, created in Microsoft Excel. This means you no longer need to export those types of files to review the content, you can view them directly within XAMN Pro.

Export conversations to separate PDFs

Conversation artifacts are often among the most important evidence in forensic investigations. When such evidence is found, you often want to save it in a PDF report to quickly pass it on to others. It's already been possible to generate PDF reports with the messages of interest directly from the Conversations view. Now we have added the possibility to export several conversations at once, and create one PDF report per conversation.

See Create a PDF report for more information.

Conversation view improvements

In the Conversation view, it's now possible to select multiple conversations. This is helpful to be able to tag multiple conversations at once, and to easily include selected conversations when doing exports or reports.

To make it even easier to share conversations with others, the options to save Selected conversations or Filtered conversations have been added to the Save subset dialog. They are shown if you choose to save a subset while working in the Conversation view, but not in other views.

Other improvements

  • The default tab opened in XAMN Pro is now the All data tab. In XAMN Viewer, the Highlights tab will remain the default tab. If you prefer to use a different tab then the default, you can change this in Options. See Investigate for more information.
  • In the Details pane, when creating a filter based on a property, the filter will include all values available in the case for that property.
  • When grouping duplicate files, this is now done based only on the SHA1 hash values and regardless of file name and file size.
  • The related artifacts navigator, at the top of the Details pane, now supports photo albums and relations with photos in the albums.
  • In the File tree view, tags can now be applied to folders. When tagging a folder, the tag is also applied to all artifacts in the folder and in any sub-folders.
  • When doing an Excel export from the Column view, the export now includes information on which participant sent the message and who received it. With that, the export includes the same information as the view itself.

Key fixes

Conversation view
  • When exporting multiple conversations from the Conversation view, the headers in the reports were missing.
  • If you switched to the Conversation view from another view with a message artifact selected, the Details pane displayed both artifact and conversation details at once.
  • Text filter highlights were not showing in the Conversation view Participants mode.
  • Usage of the Conversation view caused memory leakage.
XAMN connected to UNIFY
  • The first examiner note added for each artifact was not saved.
  • Users without permission to tag artifacts could still see the option to tag in the artifact navigator at the top of the Details pane.
  • XAMN could sometimes freeze when redacting pictures in the Picture viewer.
Other fixes
  • When working in an .xry file (rather than a case), the information that you could open the file as a case to access the full functionality was not shown.
  • In the List view, the mouseover preview of video thumbnails was not showing.
  • When viewing a video in a separate tab, you could still collapse the video player which would show a large white space, also in dark mode.
  • In some situations, the ellipsis (...) indicating that a text is longer than what is currently shown was missing.
  • When no artifacts were selected, it was still possible to add examiner notes using the keyboard shortcut.
  • The function to save or copy a screen capture of the PDF viewer could in some situations catch more than just the content of the PDF viewer.
  • It was not possible to export a .zip file from the File tree view to a UNC path.
  • Tracks, from for example drones or workouts, were not shown in the Details pane map in XAMN Viewer.
  • In the Timeline filter view, the bars in the timeline bar chart were not adjusted to the selected time zone.
  • Some texts in the Smart processing dialog are shown in English, regardless of the language selected.
  • The PDF preview in the Report Builder did not work.
  • In the XAMN audit log, when referencing an .xry file GUID, the GUID referenced was not the file's proper GUID.
  • If using XAMN with a shared license, starting XAMN took a very long time.
  • If using XAMN with a shared license and closing XAMN directly after choosing to return the shared license, the license is not returned.
  • If there was a mismatch of versions between XAMN and any XEC system it was connected to, XAMN would throw an error and could not be started.

 

XAMN 8.4

Unified conversations across every platform

XAMN 8.4 comes with a new Conversations view, where you can select between two viewing modes. You select between grouping conversations by threads or by participants.

In the grouped by threads mode, conversations are displayed as they would appear on the original app on the device they were extracted from. This means chats and calls involving the same persons, but carried out across different apps, are shown as separate conversations.

In the grouped by participants mode, conversations are solely grouped based on the unique combination of participants. As a result, all chats and calls associated with this defined group of individuals appear as a single conversation thread, regardless of the app used and if they sent messages or called each other.

See Conversation view for more information.

The grouped by participants mode requires XAMN Pro.

Include associated data in exports

Some artifacts have associated data, such as location properties from running paths captured by fitness apps or route data recorded from vehicles. This type of data can now easily be included in standard reports and exports.

To include this additional data, select the Include associated data check box. When this is selected, an Excel file is created for each selected artifact that has associated data. The Excel file has one tab for each set of associated data. The report itself indicates the number of data entries available for the artifact and links to the corresponding Excel file.

UNIFY-related XAMN improvements

  • It is now possible to save a subset of a case when working in a XAMN Pro client which is connected to UNIFY.

  • When configuring the connection to UNIFY, you can test the connection. This test is now expanded to also check that the certificates are correctly configured and that the XAMN Pro client can reach all services it needs to communicate with.

  • When a user logs in to a UNIFY-connected XAMN Pro client, the UNIFY Management Console audit log now includes information on the software version of the XAMN Pro client.
  • When a logged-in user opens a case in a UNIFY-connected XAMN Pro client, an entry about this is now added to the audit log available in the UNIFY Management Console.

Other improvements

  • The splash screen shown while XAMN starts up is no longer always on top, making it easier to work on other tasks while waiting.
  • In the Timeline filter view, the representation of months is now improved to work better in countries not using Latin characters.
  • The performance of the Picture viewer is now improved, especially in relation to zooming in and out on large picture.
  • For Apple workout artifacts, information on number of flights climbed has now been added and is presented in a table view.
  • The language detection feature now processes text in additional properties, such as names and descriptions of social groups and album names.
  • In XAMN Viewer, a direct link to open the conversation is now available for all messages. This was previously only available in XAMN Pro.

Key issues fixed

Start-up
  • In some cases, XAMN Pro or XAMN Viewer did not start, and an error with the description The process was terminated due to an unhandled exception was shown in the Event Viewer.
Imports
  • The CDR import could previously not handle when the duration was given as minutes in decimal format in the CDR. A new format is now added to handle these situations.
Artifact review
  • The Column view performance has been significantly improved.
  • In the Column view, sorting on the Hidden column did not work as expected.
  • In some cases when switching from List view to Column view with artifacts selected, XAMN could give an error with the message '#FF0088C6' is not a valid value for property 'Foreground'.
  • When artifacts had been imported using the CDR import, the artifacts were not indicated in the Timeline filter view.
  • The default zoom level in the Maps filter view was too zoomed in for cases where no artifacts had any location data.
  • For WhatsApp extractions from Android devices, voice messages could not be played.
  • Thumbnails were not shown in XAMN for pictures in the sub-category Additional exhibit data/Screenshots.
  • In Hex Viewer, longer regex search strings were truncated in the search result. Now, the complete regex string is shown.
  • When reviewing case files in XAMN Viewer and selecting Show in Conversation view from the context menu for an artifact in the List view, the Conversation view opened but the menu to select other views was empty.
Persons
  • In some cases, when joining persons two times in a row, XAMN gave an error.
Exports
  • For XRY extraction types, such as Screenshot (Android), File selection, and Photon, the File system export resulted in empty files in the export.
  • When exporting .zip files, the individual files within those .zip files were also exported separately. Now, they won't be exported separately unless they are explicitly selected. This is true for standard reports and exports, and for the Export all files option in the File tree view.
UNIFY-connected XAMN Pro clients
  • In some cases, XAMN crashed when the internet connection was lost.
  • XAMN users could create reports, even if they did not have the Reports permission set in the UNIFY Management Console.
  • In some scenarios, the File tree view gave an error.

XAMN 8.3

Preview of the new Conversations view

In the new Conversation view - Grouped by participants, conversations are grouped based on the unique combination of participants, regardless of which device the messages or calls originate from and regardless of the app or medium used.

Example:
  • A chat between person 1 and person 2 across apps A, B, and C is presented as one conversation.
  • A group conversation between persons 1, 2, 3, and 4 is presented as one conversation.
  • If persons 1, 2, and 3 also have a group conversation without person 4, this is presented as a separate conversation.

Conversations view - Grouped by threads

New Conversations view - Grouped by participants

Next to the persons name, in the list of conversations, you can see the specific identities used in those interactions. For each message, you can see on which app or channel the message was delivered.

To try this view, you must enable Early access. This is done in Options > MSAB Early Access.

See Conversation view for more information.

XAMN Pro license required.

Import Cash App warrant returns

We have now added support to import Cash App warrant returns into XAMN. The Cash App warrant return provides information on for example payment cards, financial accounts, pay transactions, blocked transactions, and returned and refunded transactions.

See Warrant returns for more information.

XAMN Pro license required.

Indication of file and folder count in File Tree view

The File Tree view shows how artifacts relate to the extracted file structure. It only shows artifacts that contain a file path. The number of files and folders contained within each folder is now indicated next to the folder name.

Note: The indication of the number of files and folders in a folder requires that the extraction or a redecoding is done with XRY 11.1 or later.

See File Tree view for more information.

Improvements

  • PDF, Microsoft Word, and ODT reports have been updated to a more modern and cleaner look, and some tables have been rearranged for better readability.
  • In situations where you type a password to open a password-protected file, the possibility to view the entered password has been added.
  • When navigating within XAMN using the keyboard, the tab order is now more consistent and standard keys can be used to navigate to a larger extent.

Key issues fixed

  • XAMN could not run with Enterprise licensing.
  • When opening the Picture viewer in a new tab, a thumbnail was displayed instead of the full picture.
  • When opening a case, this was registered twice in the audit log.
  • If you tagged an artifact via the artifact navigator, this could lead to an error when you select a new artifact and for example tag that artifact too.
  • When running text analysis on a case, the analysis was done for all data sources and not only for the activated ones.

XAMN 8.2

Improved ease-of-use for tabs

Opening new tabs to review artifacts is now even quicker than before. There are two easy-access options.

  • Click the plus button next to the existing tabs to open a new tab. This can also be achieved with the keyboard shortcut Ctrl+T. The tab will be a Highlights tab or an All data tab, depending on your default tab settings.

  • Click the arrow button next to the plus button to select a quick view and open it in a new tab.

Import Amazon and T-mobile warrant returns

In XAMN Pro 8.5, two new warrant return imports are available: Amazon and T-Mobile. This makes it even easier to gather all data for a case in XAMN, to facilitate cross-examination of evidence from different data sources.

See Import data to learn more about all the import options in XAMN Pro.

XAMN Pro license required.

Better control of how to view artifacts

This release of XAMN brings a number of improvements to how you can customize the way you view artifacts.

  • Select your default tab

    It's now possible to select if you by default want to see Highlights or All data, and which type of tab to use when you open a new tab. This is done in Options, on the General tab, in the Tab settings section.

    See Tab settings for more information.

  • Selected Gallery view settings automatically remembered

    Now, if you for example select the Scroll mode in the Gallery view, and to sort the artifacts ascending based on file size, these settings will be remembered and automatically applied the next time you open the Gallery view.

  • Hide connections with few interactions in the Connection view

    In the Connection view, you can now set a limit for the number of artifacts to hide connections that have less than that number of interactions between the involved persons or groups.

    See Hide connections with few interactions for more information.

Find data from Biome/KnowledgeC easier

Some artifacts can be associated with a standard app, for example Facebook, but the data itself is stored in one of Apple's common databases, such as Biome or KnowledgeC. To highlight this, these artifacts will now be shown as connected to two apps. This is indicated with two app icons in the List view, the Column view, and in the Details pane. In the Apps filter, these artifacts will be connected to two apps.

New artifact sub-category for folders

A new artifact sub-category has been added for folders. The Folders sub-category is found in the Collections category. This gives you access to metadata such as folder size, number of files in folder, and relevant timestamps like the time of the most recent item. This is similar to what you'd expect to see when viewing folders in Windows Explorer.

Finding similar pictures

The Similar pictures filter is now doing the matching based on PhotoDNA. It is added through the context menu of the picture viewer in the Details pane.

The legacy filter, previously known as Similar pictures, is now renamed dHash and maintains its ability to find matches based on externals pictures that you upload to XAMN.

XAMN Pro license required.

Improved automatic joining of persons

The automatic joining of persons in XAMN is now more efficient. Accounts which are associated with the same phone number or the same email address are automatically joined to the same person in a more robust way than before. This leads to fewer person duplicates in your cases, and thereby less work to manually join them.

See Persons for more information on how using persons in your case can be of help in your investigations.

File export improvements

In this release of XAMN, all .zip exports have gotten a significant performance boost. The file metadata has received an overhaul and now complies with what is mentioned in the Interpretation of timestamps topic.

When making exports from the File Tree view, you can choose to include keystore data if available. (This requires XAMN Pro.)

New Notes block in Report Builder with more editing possibilities

A new Notes block is now available in the Report Builder. It comes with editing options similar to those in the Cover page block, such as changing the text style or color, and the possibility to add images or dynamic content, like date, time, department and case operator. This is useful to make your content better structured and easier to read. When creating report templates including the Notes block, using dynamic content makes them easier to maintain.

The old Notes block will still be available in previously created reports and templates. You can of course choose to manually replace it with the new Notes block. When you create new reports or templates, the new Notes block will be used.

See Report Builder for more information on how to use the Report Builder.

XAMN Pro license required.

Changed keyboard shortcut for Tags dialog

From this release of XAMN, the default keyboard shortcut to open the Tags dialog is Ctrl+Shift+T. The previous keyboard shortcut, Ctrl+T, will be used to open new tabs as that is the industry standard.

See Use keyboard shortcuts for more information on keyboard shortcuts.

Run XAMN Viewer on locked-down PCs

From this release, XAMN Viewer is updated to work in an environment where Microsoft AppLocker or Software Restriction Policies (SRP) is used.